Educause Security Discussion mailing list archives
Re: The Wisdom of Allowing an Open Port
From: Kevin Wilcox <wilcoxkm () APPSTATE EDU>
Date: Wed, 28 Nov 2012 17:31:19 -0500
On Wed, Nov 28, 2012 at 04:18:35PM -0600, Jim Pardonek wrote:
> On our hospital campus we have an "open" wlan that requires the usual rudimentary form of authentication (some email address and your name) to gain access, similar to a hotel portal. Some of the medical staff want us to open port 1373 TCP so that they can access our GroupWise (I know) servers using the regular client application. Other than the normal reasons for keeping everything except 80 and 443 closed, I'm looking to see if anyone would like to weigh in on reasons for and against opening this up.

All you need is one port to exfiltrate data. When you can tunnel anything over SSL VPN connections on 443 then the point is proven that just closing ports doesn't always have the intended result.

That said, if you block 6667 - 6669, and someone comes in with a nasty that only tries to phone home via IRC on those ports, you've done some good.

Is there a reason you can't open 1373 to just your GroupWise servers?

kmw