Ports and Paranoia

I run an intranet and a staging server on non-standard ports (8000 and 8080). This works great for our internal purposes, but every now and then a student will want to show a work-in-progress to an external organization. And every now and then, that organization lives behind one of those Stalinist corporate firewalls that blocks everything but port 80, which means they can’t access the content, which means the student comes to me baffled, I explain the situation, and no one understands what I’m talking about. Somehow it always comes off as if I’m the one blocking the traffic. Ports are hard to explain to non-tech people. If I ask them to ask their sysadmins to back off a bit and open up traffic on these ports, I always get the same “we don’t do that for security reasons.” Well, duh.

Does it really make security sense for organizations to blindly block everything but port 80? The internet runs on ports. It’s all about ports. There’s got to be a more sensible way to accomplish your security goals than to slam the door in the face of other services. Are they being paranoid or am I expecting too much?

Music: Bright Eyes :: Bowl Of Oranges

5 Replies to “Ports and Paranoia”

  1. I think there are a lot of reasons that don’t have anything to do with “security” why those ports are blocked. Here are two of ’em:

    1) A lot of companies like to make SURE that their employees aren’t using the internet for goofing off. They use their firewalls to block ports, as well as specific sites. (Some of us get around this problem by being the guy in the company running the firewall.)

    2) A lot of Network Admins have a (probably hard won) God complex about what goes on in their network. They keep things as locked down as possible because it’s a pretty easy thing to do, and they’ll fight pretty hard to keep things the way they’ve set them up, regardless of what some outsider is telling them they should do. I’ve had to deal with these guys over and over, and they always try to turn it into an I-know-more-than-you contest. Most of the time those guys are talking out their asses, and I recognize that, at which point it’s frequently a lost cause.

  2. >they always try to turn it into an I-know-more-than-you contest

    Well, firewall rules are one of the only areas where a network guy’s word reigns supreme. Everywhere else they have to take orders from up top, in the firewall they are god, and act like it. I could never figure out an adequate reason why *outbound* connections on any old port pose a security threat, but that’s me.

  3. Any suggestions for online resources that might help a feller edjercate himself a bit more on what you’re talking about? One of my projects this year is (maybe) going to be setting up an in-house web and email server, and ports have come up as something I do not know about but probably should.

    It’s been hard to tweak a google search to come up with something useful when my main keyword is “port”.

    Any suggestion would be appreciated. Disdain will only make me suspect you’re French.

    Thank you.

  4. Here’s an excellent description of how ports work — analogy summarized as “IP # is the street address but we still need to know to whom in this house the letter is addressed.” IOTW, which service on the machine (which server software) shall handle the request? How do we determine whether this is an inbound email or an http request? Ports give us this.

    Open ports are not inherently dangerous, but unknown services can be seen as suspicious. If I run a web server on port 8080 rather than on teh standard 80, someone might think it’s an unusual / suspicious service even if it’s not.

    For your security purposes, all you need to know is: Run only the services (open only the ports) you actually need and use. But beyond that, *understand* the services you run and how to configure them. e.g. know what it takes to not become an open mail relay before setting up a mail server.

Leave a Reply

Your email address will not be published. Required fields are marked *