Firewall madness?

Discussion in 'Server Networking' started by Mickel, May 17, 2010.

  1. Mickel

    Mickel Guest

    Is it just me who thinks the way we block outgoing ports is madness? The
    justification I see for this is usually that it stops viruses that might
    get onto local PCs contacting the outside world. This is all well and
    good except that it seems to be having the effect that everything is
    being migrated to port 80 anyway. Surely viruses too. The problem now is
    that because everything is now moving to port 80 you can't block certain
    functionality just based on port anymore, which is defeating the entire
    purpose in the first place. Eventually everything, it seems, will be on
    port 80. I've worked at several companies that don't block any outside
    ports except maybe a few specific ones (e.g. 25) and the company hasn't
    run into any disasters.

    Thoughts?

    Thanks,
    Michael
     
    Mickel, May 17, 2010
    #1

  2. Chris M

    Chris M Guest

    The basic rule of firewalls is that you start by blocking everything and
    then open up only what you need. If all your traffic is going via port
    80, why would you need the other ports open anyway?

    Blocking everything except what you absolutely need will also give you
    insight into what's happening on your network. For example, if your
    firewall logs show hundreds of denied outgoing connection requests on
    port 135/137, you might want to check the source machine for viruses and
    worms.

    With regards to everything going via port 80 (and 443) these days, a lot
    of Enterprise firewalls will now do application level filtering whereby
    it can look inside the traffic and figure out what protocol has been
    encapsulated inside the HTTP stream. For example, in ISA server you can
    block MSN over HTTP without blocking normal web traffic. Some
    firewalls/filters will also do TLS bridging which enables them to filter
    traffic using a secured connection too.

    One final point, remember that since the days of the Blaster worm (which
    transferred itself via the RPC protocol - port 135), it's generally seen
    as a good idea not only to firewall your network from the outside world,
    but also to firewall your internal clients from each other.
     
    Chris M, May 17, 2010
    #2
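    The log-review idea in the post above, worked through as an added example (not code from this thread): parse denied outbound connections from a firewall log and flag source hosts that fan out to many destinations on the ports Blaster-era worms used. The log format, host addresses and the `DROP-OUT` tag are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Ports the thread associates with worm propagation (RPC, NetBIOS, SMB).
WORM_PORTS = {135, 137, 139, 445}

# Assumed log line layout (constructed; adapt the regex to your firewall's format).
LOG_RE = re.compile(
    r"DROP-OUT .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)"
)

def _line(src, dst, dport):
    return f"May 17 10:01:02 fw kernel: DROP-OUT IN=eth1 SRC={src} DST={dst} PROTO=TCP DPT={dport}"

# Constructed sample: one host sweeping eight neighbours on 135, a couple of stray
# 445 denies from another host, and a single blocked SMTP attempt.
SAMPLE_LOG = "\n".join(
    [_line("10.0.0.5", f"198.51.100.{i}", 135) for i in range(1, 9)]
    + [_line("10.0.0.9", "203.0.113.4", 445)] * 2
    + [_line("10.0.0.12", "192.0.2.25", 25)]
)

def parse_denies(text):
    """Yield (src, dst, dport) for every denied outbound connection in the log."""
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m["src"], m["dst"], int(m["dport"])

def suspect_hosts(text, threshold=5):
    """Return {src: [(dport, deny_count, distinct_destinations), ...]} for sources
    with at least `threshold` denies on a worm-associated port.  A high deny
    count spread over many distinct destinations is the scanning pattern to
    investigate on the source machine."""
    counts = Counter()
    dests = defaultdict(set)
    for src, dst, dport in parse_denies(text):
        if dport in WORM_PORTS:
            counts[(src, dport)] += 1
            dests[(src, dport)].add(dst)
    result = {}
    for (src, dport), n in sorted(counts.items()):
        if n >= threshold:
            result.setdefault(src, []).append((dport, n, len(dests[(src, dport)])))
    return result

if __name__ == "__main__":
    for src, hits in suspect_hosts(SAMPLE_LOG).items():
        for dport, n, fanout in hits:
            print(f"{src}: {n} denied connections to port {dport} across {fanout} hosts")
```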

  3. Mickel

    Mickel Guest

    There are two problems I can see with that. The first is that people found
    ways to slack off long before the internet existed and will continue to
    do so. Providing a working environment that gives people the right
    atmosphere where they want to work is going to be more effective.

    The second problem is that it more often than not restricts people who
    are trying to do, oh, say, WORK. A perfect example was the other day I
    needed to log into a client's router on 8081. This was part of my job
    but was blocked. Other clients have had RDP sessions available on 3390,
    3391 etc for a group of machines.

    If that needs to be done then that is fine, but isn't that a different issue?
    No problems yet, and in the meantime I've been able to get my job done :)

    Michael
     
    Mickel, May 17, 2010
    #3
  4. Chris M

    Chris M Guest

    It sounds to me like the following is happening here:

    1. A client has their router's configuration interface exposed to the
    Internet on port 8081

    2. A client is exposing RDP connections to the Internet (using port
    mapping on the router so you can connect to different machines using the
    other port numbers)

    I hope I'm wrong because neither of these are good things, point 1 in
    particular.

    What's wrong with using a VPN for each client? This will secure your
    clients' networks and also mean that you don't need to open up arbitrary
    outbound port numbers depending on your clients' needs.
     
    Chris M, May 17, 2010
    #4
  5. Mickel

    Mickel Guest

    The problem is I've never worked in an environment or met someone who
    has where stuff that you need unblocked for your daily work actually
    gets unblocked. No one is following your basic rule. The other problem
    is that you don't know what you're going to need.
    That's a circular argument. I'm saying it's bad that everything is going
    to 80 and you're replying "see you only need 80, everything's there".
    That just doesn't make sense.

    My opinion would be it would be better to leave everything open except
    what you know might be an issue and no one is likely to need, e.g. 25, 135, etc.
    Can't you log this without it being blocked?
    I guess this makes sense and it is a good thing to have, but isn't this a
    symptom of the problem? By blocking everything and having all these
    companies move their traffic to port 80 we are just bringing this extra
    complexity upon ourselves. If ports were generally left open then stuff
    wouldn't be slowly migrating to 80 and we wouldn't need firewalls to
    inspect packets to determine what the traffic was.

    The other problem with this is you need to have a firewall that does
    this. In my case I was asked by a client to block internet on several
    PCs but leave several other services open (eg virus scan update). The
    problem is that *every* service they asked me to leave open is on 80.
    I can see the issue but think it would be better just to block ports
    that are considered dangerous. We're going to end up with so many
    services on 80 that the viruses just use 80 anyway.
     
    Mickel, May 17, 2010
    #5
  6. Chris M

    Chris M Guest

    I don't quite understand what you're getting at. Why do you need all
    your ports open if you agree that everything uses port 80. Even if you
    think it's a bad thing, opening other ports up isn't going to change the
    way those things work. They're still using port 80 but now you have a
    load of ports open that don't need to be open.
    This is bad security practice. I'm not going to explain why.
    Of course.
    That's the way things are. I don't see how you're going to get around it
    by opening up more ports. Your AV software will still be using port 80
    to update regardless of the other ports you have open.
    OK, I'm starting to sense trolling now. Again, if you agree that
    everything is starting to use the HTTP/S ports (regardless of whether
    that's good or not), why would opening up a load of other ports make
    things better and not worse?
     
    Chris M, May 17, 2010
    #6
  7. Phillip Windell

    That is correct.

    That is why firewalls worth buying don't simply look at the ports. Good
    firewalls look at the traffic itself. Using ISA (TMG) Server for
    example,...if you tell it that some traffic is using port 80 then it expects
    the traffic to be true HTTP,...and not only that but the HTTP must follow
    RFC specs exactly or it is dropped. It does FTP the same way.

    Many product vendors have fallen into a trap on this by their faulty view
    of firewalls. They think,..."Well, everyone allows port 80 outbound, so we
    will just make our product "do its thing" on port 80 and it will be fine".
    The problem is that their product is not using HTTP (or a sloppy HTTP) when
    it does it and so it fails going through the firewall. Had they just simply
    come up with a port all their own to use then it would have been a simple
    thing to configure the firewall to work with it and it would have worked
    fine.

    BTW - "Viruses" are hardly ever seen anymore. Most of the threats now are
    some form of malware. The malware does not "come into" the LAN,...the user
    goes to it,...gets it,...and brings it in.

    --
    Phillip Windell

    The views expressed, are my own and not those of my employer, or Microsoft,
    or anyone else associated with me, including my cats.
    -----------------------------------------------------
     
    Phillip Windell, May 17, 2010
    #7
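    The "port 80 must carry true HTTP" check described above, as an added example (not ISA/TMG code and not from this thread): a strict parser that accepts only a well-formed HTTP/1.x request head and rejects anything else seen on the port, including "sloppy" HTTP with bare line feeds. The sample payloads are constructed.

```python
import re

# RFC 7230 "token" characters, used for methods and header field names.
TOKEN = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
REQUEST_LINE = re.compile(rb"^(" + TOKEN + rb") (\S+) HTTP/1\.([01])$")
HEADER_LINE = re.compile(rb"^(" + TOKEN + rb"):[ \t]*(.*?)[ \t]*$")

def looks_like_http_request(data: bytes):
    """Return (ok, reason). Strict checks: CRLF line endings only, a valid
    request line, token-shaped header names, a CRLFCRLF terminator, and a
    Host header for HTTP/1.1.  Anything failing these is not treated as HTTP."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return False, "no CRLFCRLF header terminator"
    if b"\n" in head.replace(b"\r\n", b"") or b"\r" in head.replace(b"\r\n", b""):
        return False, "bare CR or LF in header block"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "malformed request line"
    names = set()
    for h in lines[1:]:
        hm = HEADER_LINE.match(h)
        if not hm:
            return False, "malformed header: %r" % h[:20]
        names.add(hm.group(1).lower())
    if m.group(3) == b"1" and b"host" not in names:
        return False, "HTTP/1.1 request without Host header"
    return True, "conforming HTTP/1.x request"

# Constructed samples of what might arrive on an outbound port-80 connection.
GOOD_UPDATE = (b"GET /update/defs.dat HTTP/1.1\r\nHost: av.example.com\r\n"
               b"User-Agent: avupdater/1.0\r\n\r\n")
BARE_LF = b"GET /x HTTP/1.1\nHost: a.example\n\n"           # sloppy line endings
BAD_HEADER = b"GET /x HTTP/1.1\r\nBad Header: v\r\n\r\n"     # space in field name
NO_HOST = b"GET /x HTTP/1.1\r\nAccept: */*\r\n\r\n"
NOT_HTTP = b"\x03\x00\x00\x13\x0e\xe0\x00\x00\x00\x00\x00"  # binary, not HTTP

if __name__ == "__main__":
    for name, sample in [("good", GOOD_UPDATE), ("bare LF", BARE_LF),
                         ("bad header", BAD_HEADER), ("no host", NO_HOST),
                         ("binary", NOT_HTTP)]:
        print(name, looks_like_http_request(sample))
```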
  8. Mickel

    Mickel Guest

    I never said everything is using port 80. I have specifically mentioned
    services that don't use 80 such as RDP. I said everything is slowly
    moving towards 80.
    No, opening up 1433 will enable sqlserver for example.
    Yes but the point I'm making is that if we didn't have this closed
    policy of blocking all ports then the virus software would likely not be
    using 80.
    Slow down and read what I'm saying. I am not trolling.

    Michael
     
    Mickel, May 17, 2010
    #8
  9. Mickel

    Mickel Guest

    Maybe these things are bad but I didn't set them up. This was something
    the client did, they just want me to connect. In these cases they were
    home users. The point was that I had a requirement to use a port which I
    could not have predicted ahead of time.

    Michael
     
    Mickel, May 17, 2010
    #9
  10. Chris M

    Chris M Guest

    It certainly will. That would imply that you'd need to connect to a SQL
    server that's allowing incoming connections on 1433 from the Internet? I
    don't think anyone would agree that's a good idea.

    Traffic such as you have described (RDP, SQL Server etc) that needs to
    go via the Internet is much better served via a VPN. Not least because
    those protocols can be easily sniffed for useful information - not least
    the username and password that you're using to connect. A VPN tunnel
    would encrypt this information. You also then only have to configure
    your firewall to allow VPN connections, and you can then allow any
    protocol between the two endpoints. Much easier, safer and enormously
    less risky.
     
    Chris M, May 17, 2010
    #10
  11. Mickel

    Mickel Guest

    I never said it was, this is just an example.
    That's all true and I completely agree but this is something for the
    network admin at the other end to sort out. I can't control what they
    do. As it stands I will need a connection to do my job and I can't ask
    the client to install a VPN before I continue.

    Michael
     
    Mickel, May 19, 2010
    #11
  12. Mickel

    Mickel Guest

    Chris, you haven't really responded to what I've actually said. You've
    raised some good points but I don't think you've responded to the
    original question. We have a situation where we have this invention
    called ports, however it appears this invention is *highly* restricted
    these days to the point where only port 80 can be guaranteed to work. As
    a result of this services are slowly all migrating to port 80. This
    doesn't seem crazy to you?
     
    Mickel, May 19, 2010
    #12
  13. Chris M

    Chris M Guest

    It does seem a little silly, although I can kind of see why it's done in
    some situations. WebEx, LiveMeeting and TeamViewer are classic examples
    of software that 'just works' - and this is a huge selling point for
    people providing remote support to people behind firewalls over which
    they have no control.

    I suppose the reasons why we have this 'HTTP everywhere' culture are that:

    - Opening up firewall ports adds an extra layer of complexity that
    people can do without, especially if they don't know what you're talking
    about. Using port 80 probably reduces the software vendor's support
    costs by a huge factor just based on the fact that people won't be
    calling them with firewall problems.

    - Bureaucracy. Getting ports opened in a large company could take
    weeks, months even. Probably would require several people's signatures
    and possibly the ritual sacrifice of an animal before it was approved.

    - Port 80 is allowed anywhere. Employees on the road can be connected
    via a hotel wireless connection and still receive Anti Virus updates.


    There are some things that lend themselves quite well to being used over
    port 80 though - antivirus updates are one example - it's just an HTTP
    download after all, why not use the HTTP port?

    What you've described is a sign of the times I think... Application
    layer-aware firewalls will probably become more and more prevalent.
    Exploiting vulnerabilities of software listening on port 80 will
    probably become more commonplace too.
     
    Chris M, May 19, 2010
    #13