Firewall Wizards mailing list archives

Re: trusted & untrusted ports


From: "Monkey Boy" <hydra291 () hotmail com>
Date: Mon, 10 Nov 2003 08:35:42 -0500



Q1 - How to identify trusted vs. untrusted ports. As sometimes, users working within our network will ask to open certain ports in the firewall in order to allow communication to a certain application outside the corporate network. From a security perspective, based on what evaluation should I accept or reject opening the requested port(s)? Maybe it is known to be used by hackers, or viruses as a threat.

You would have to ask management what is and is not acceptable to them. Most ports that are opened by an application within your network will hand off that request on an ephemeral port as well. It is not as if, say, IE will hand off a browser request on port 80; it will be handled by an ephemeral port. If you are going to be running services such as FTP, SMTP and the such, then they do listen on a generally well known port such as 21 or 25 respectively. Those types of issues are fairly straightforward to resolve. However, say running an IRC server on 6667 is something you're being asked; I would have to take that up with management. That will definitely impact security, bandwidth, among other things. Bottom line: each service which you are being asked to allow out has to be evaluated separately.

Q2 - Reading some technical documents about accessing applications over the net, I noticed that sometimes the connection is not a client/server technique; it could be through the HTTP port. In other words, there is no need to open a specific port in order to be able to access the net application from within our corporate network since it is using the HTTP port.

All communications outside of peer to peer stuff is based on a client/server model, Hilal. Even if you are tunneling traffic out over port 80 it is still going out that port as a client request to a server somewhere. That does not change at all. Most services operate on well known ports such as the aforementioned FTP and SMTP. If you have employees tunnelling traffic out over HTTP then it may be time to have a chat with them and human resources over that being forbidden by company policy. Speaking of company policy, you would need to have a clear and concise one which everyone has to read and sign off on.

regards,

Don
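The per-service evaluation Don describes, as an added example that is not part of the original post: a constructed egress policy keyed on destination port (21, 25, 80 allowed; 6667 flagged for management), applied to constructed connection records, with the client-side ephemeral source port checked as well. The policy table, record format and threshold are assumptions for illustration.

```python
"""Evaluate outbound connection attempts against a per-service egress policy.

Added illustration; the policy below is a constructed example, not anyone's real rule set.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed policy: destination port -> (service, decision). Each service is
# listed separately, as the post recommends, rather than as one blanket "allow out".
EGRESS_POLICY = {
    21: ("ftp", "allow"),
    25: ("smtp", "allow"),
    80: ("http", "allow"),      # note: port-based policy cannot see tunnelling inside HTTP
    6667: ("irc", "needs-management-review"),
}

EPHEMERAL_MIN = 1024  # assumed floor: a client request leaves on a high source port


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed record of the form 'src=A.B.C.D:port dst=A.B.C.D:port'."""
    fields = dict(part.split("=", 1) for part in line.split())
    src_ip, src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port))


def evaluate(flow: Flow) -> str:
    """Return the policy decision for one outbound flow."""
    if flow.src_port < EPHEMERAL_MIN:
        # A client should originate from an ephemeral port; a well-known source
        # port on an outbound request is worth a second look.
        return "suspicious-source-port"
    entry = EGRESS_POLICY.get(flow.dst_port)
    if entry is None:
        return "deny-unlisted"   # not evaluated yet: send it to management, do not open it
    return entry[1]


def summarize(lines: list[str]) -> dict[str, int]:
    """Count decisions over a batch of constructed connection records."""
    return dict(Counter(evaluate(parse_flow(line)) for line in lines))
```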


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

