Firewall Wizards mailing list archives
RE: RE: In defense of non standard ports
From: "Bill Royds" <bill () royds net>
Date: Mon, 23 Jan 2006 19:32:16 -0500
A good firewall should have the capability of allowing its firewall rules to label traffic through a non-standard port as HTTP (or HTTPS) and properly analyze it. So, even though it is a port other than 80/443, there should be the same rules and restrictions applied to it as for normal HTTP. For example, some application firewalls allow one to have an IP-specific rule such as
From internal:any to specifichost(or subnet):1234 allow HTTPS
This would be set on the outgoing firewall and only allow approved traffic to that host and port. Creating this rule would then follow the standard policy process for allowing outgoing traffic. It is not the non-standard port that is the problem, but the concept that one should somehow ignore policy because of their use. As a postscript, when I managed a corporate firewall, I found that a number of sites and applications were trying to pass arbitrary traffic through HTTPS by just believing that it would not be examined by an application proxy any more than checking the headers. Our particular firewall (Symantec SEF) actually had an HTTPS proxy and complained that the handshake was not correct and refused it.

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Behm, Jeffrey L.
Sent: Monday, January 23, 2006 10:25 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] RE: In defense of non standard ports

On Friday, January 20, 2006 8:02 PM, Hawkins, Michael so spake:
> Using non standard ports actually makes it easier to control and maintain a strong security policy.

For perhaps a few/limited number of instances...see below

> Let's face it, port 80 is now one of the most insecure holes that you punch through your firewall.

How does running the same traffic across another port automatically make it more secure? Also, we don't just have it punched through...one must go through a proxy, and they do not have direct-through-the-firewall-port-80-access. Explaining the reasoning behind that to most vendors is many times an exercise in futility.

> All those hard earned dollars needed to control content and you are never able to get completely on top of it. Along comes a real time trading application. Financial services company X wants to use financial services company Y's application. It's so much easier to have a registered port, a short list of host IP's A, B and C and a strong security policy document, and X is now much happier opening up the registered port to hosts A, B and C.

Again, why is traffic on port 12345 automatically more secure than going across port 80? I'd argue that since we block *direct* port 80/443 access (you have to go through the proxy) that port 80/443 web traffic is more secure than running on some other port that doesn't go through the proxy. It also makes it more difficult to know how much actual web traffic is going on, if it is now running across multiple (non-standard) ports. Additionally, if it's only one company connecting to one other company, then running traffic on a different port could be manageable. But, extrapolate that out to thousands of companies connecting to thousands of companies and how do I effectively manage that? What if two (or twenty, or two hundred) external companies that I want to connect to all choose to run their web app across the same non-standard port? Then, I'm right back to the port 80/443 scenario again. It's only a matter of time...why not just use port 80/443, since it's all just web traffic anyways...Aren't those the registered ports for web traffic?

> No content filtering needed. No megabucks involved. No content filtering overloading your http processes.

It's web traffic...I'm still content filtering it. Perhaps my OP wasn't clear. I'm talking about developers moving *web* traffic off the standard 80/443 ports.

> I am NOT defending shoddy developers that don't know a port from a dock.

A port? Someone going on a cruise? Sign me up...

> But ports are part of IP and I'm glad there are 65535 of 'em!
> Mike H

Hopefully, I've made my question of *web* traffic being moved off the standard ports a bit more clear...I'm still interested to hear what wording you use when you talk to vendors about why they chose to run web traffic off these ports. Oh, yeah, and I'd like to hear what their responses are, too.

Jeff

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
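The two points Bill makes above, a rule that labels a non-standard port with the protocol it is supposed to carry, and a proxy that then refuses flows whose handshake does not match that label, can be modelled in a few dozen lines. The following is an added example written for this archive page, not code from the original post, from Symantec SEF or from any other product. The rule syntax, the 10.0.0.0/8 "internal" network, the partner host 203.0.113.10 and the sample first-bytes of each flow are all constructed for illustration; the only real facts it relies on are the TLS record header layout (content type 0x16, version 0x03 0x0X, then handshake type 0x01 for a ClientHello) and the shape of an HTTP/1.x request line.

```python
"""
Protocol-labelled egress rules with a handshake sanity check.

Constructed example: a rule of the form
    From internal:any to specifichost:1234 allow HTTPS
is stored with an explicit protocol label, and the first bytes of each
flow are checked against that label the way a proxy on port 443 would
check them. A port match alone is never enough to allow the flow.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: IPv4Network   # source network the rule applies to
    dst: IPv4Network   # destination host (/32) or subnet
    dport: int         # destination port (0 means any port)
    proto: str         # protocol label the proxy must enforce: "HTTP" or "HTTPS"


# Constructed policy: internal users may reach one partner host on 1234,
# but that traffic is labelled HTTPS and inspected exactly like port 443.
INTERNAL = ip_network("10.0.0.0/8")
ANY = ip_network("0.0.0.0/0")
POLICY = [
    Rule(INTERNAL, ip_network("203.0.113.10/32"), 1234, "HTTPS"),
    Rule(INTERNAL, ANY, 443, "HTTPS"),
    Rule(INTERNAL, ANY, 80, "HTTP"),
]


def match_rule(src: str, dst: str, dport: int, policy=POLICY):
    """Return the first rule whose source, destination and port all match."""
    s, d = ip_address(src), ip_address(dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and rule.dport in (0, dport):
            return rule
    return None


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16, version 0x03 0x00..0x04, 2-byte length,
    then a handshake message whose first byte is 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    record_type, major, minor = data[0], data[1], data[2]
    record_len = int.from_bytes(data[3:5], "big")
    return (record_type == 0x16 and major == 0x03 and minor <= 0x04
            and record_len > 0 and data[5] == 0x01)


def looks_like_http_request(data: bytes) -> bool:
    """Cleartext HTTP/1.x request line: METHOD SP target SP HTTP/1.x CRLF."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
               b"OPTIONS ", b"CONNECT ")
    first_line = data.split(b"\r\n", 1)[0]
    return data.startswith(methods) and first_line.endswith((b" HTTP/1.0", b" HTTP/1.1"))


def decide(src: str, dst: str, dport: int, first_bytes: bytes, policy=POLICY):
    """Policy decision for a new flow: (verdict, reason)."""
    rule = match_rule(src, dst, dport, policy)
    if rule is None:
        return ("deny", "no rule permits this source/destination/port")
    if rule.proto == "HTTPS" and not looks_like_tls_client_hello(first_bytes):
        return ("deny", f"port {dport} is labelled HTTPS but the client did not start a TLS handshake")
    if rule.proto == "HTTP" and not looks_like_http_request(first_bytes):
        return ("deny", f"port {dport} is labelled HTTP but the data is not an HTTP request")
    return ("allow", f"{rule.proto} to {rule.dst.network_address}:{dport} per rule")


# Constructed sample flows (first bytes only; the ClientHello is truncated).
CLIENT_HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32
HTTP_GET = b"GET / HTTP/1.1\r\nHost: partner.example\r\n\r\n"
SSH_BANNER = b"SSH-2.0-OpenSSH_7.4\r\n"   # something that is plainly not TLS

if __name__ == "__main__":
    for label, flow in [("TLS to partner:1234", ("10.1.2.3", "203.0.113.10", 1234, CLIENT_HELLO)),
                        ("SSH to partner:1234", ("10.1.2.3", "203.0.113.10", 1234, SSH_BANNER)),
                        ("cleartext HTTP on 1234", ("10.1.2.3", "203.0.113.10", 1234, HTTP_GET)),
                        ("TLS to other host:1234", ("10.1.2.3", "198.51.100.5", 1234, CLIENT_HELLO)),
                        ("HTTP to any host:80", ("10.1.2.3", "198.51.100.5", 80, HTTP_GET))]:
        print(f"{label:28s} -> {decide(*flow)}")
```

The point the example makes is the one from the post: the rule still goes through the normal approval process (a specific destination, a specific port, a named protocol), and the non-standard port buys the application nothing in terms of escaping inspection, because the proxy logic keys off the protocol label rather than the port number. Anything that reaches 203.0.113.10:1234 without starting a TLS handshake is refused just as it would be on 443.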
Current thread:
- RE: In defense of non standard ports Behm, Jeffrey L. (Jan 23)
- RE: RE: In defense of non standard ports Bill Royds (Jan 23)
- Re: RE: In defense of non standard ports Tobias Reckhard (Jan 24)
- Re: RE: In defense of non standard ports James (Jan 24)
- Re: RE: In defense of non standard ports ArkanoiD (Jan 24)
- Re: RE: In defense of non standard ports Chuck Swiger (Jan 24)
- Re: RE: In defense of non standard ports Marcus J. Ranum (Jan 24)
- Re: RE: In defense of non standard ports Paul D. Robertson (Jan 24)
- Re: RE: In defense of non standard ports Tim Shea (Jan 24)
- Re: RE: In defense of non standard ports Paul D. Robertson (Jan 24)
- RE: In defense of non standard ports Brian Loe (Jan 24)
- Re: RE: In defense of non standard ports Marcus J. Ranum (Jan 24)
- RE: RE: In defense of non standard ports Bill Royds (Jan 23)