Re: TCPIP port restriction for network security -- MIDRANGE-L

IF you are doing mail relay then ports 25 and 110 have to be open to
each box that you will relay from.  For an ISP that means just about all
of them.  There are things you can do to protect yourself even if you
leave 25 and 110 wide open.  Disable EXPN and RPLY, alter the sendmail
rules so that the FROM addy must resolve to a valid user id...  Ditch
sendmail and replace it with qmail.

Larry Bolhuis wrote:
> 
> Opening ports always creates a security risk, even well know ones like
> 25, 80, 110. What you need to do is balance the need for the port to be
> opened with the relative exposure.  Often you can open the port to only
> specific machines thus reducing the risk. When opening a port across the
> board, you should have a very good understanding of what that port is
> used for. If there are multiple uses and an open system is using one
> different from that intended, that is a much greater risk.
> 
> Personally I prefer chat tools which do not require open inbound ports
> like AOL Instant messenger, or ICQ.
> 
>  my $.02
> 
>  - Larry
> 
> mcrump@sgcontainers.com wrote:
> >
> > I need some opinions - ok, dumb statement :-)
> >
> > For security purposes our firewall has most of the ports closed to the 
>outside
> > world.  I know when we started some outside work with a  consulting company 
>I
> > had to pull teeth to get port 1352 (Notes) open for some people in our 
>company.
> >
> > My question is, and I realize this isn't necessarily AS/400 (umm...iSeries)
> > related but what do people do and why with regards to their firewall and 
>ports?
> > Is it that bad to really open up a port across the board?  Let me back up a
> > little.  We are starting to use SameTime with the same consulting firm and 
>it
> > has a chat function.  This chat function does not by default use port 80.  
>So,
> > my options are either open up the port or investigate the changing of the
> > default port.  Typically, I hate to mess around with changing default ports
> > because it always seems to cause me some sort of problem later.
> >
> > Any thoughts/ideas/opinions from you security and network minded people?  
>If I
> > go to my network people all they do is give me grief.  They may be right 
>but I'd
> > like to hear what anyone else has to say.
> >
> > Thanks.
> >
> > Michael Crump
> > Saint-Gobain Containers
> > 1509 S. Macedonia Ave.
> > Muncie, IN  47302
> > (765)741-7696
> > (765)741-7012 f
> > (800)428-8642
> >
> > +---
> > | This is the Midrange System Mailing List!
> > | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> > | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> > | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> > | Questions should be directed to the list owner/operator: 
>david@midrange.com
> > +---
> 
> --
> Larry Bolhuis
> Arbor Solutions, Inc.
> (616) 451-2500
> (616) 451-2571 -fax
> lbolhuis@arbsol.com
> +---
> | This is the Midrange System Mailing List!
> | To submit a new message, send your mail to MIDRANGE-L@midrange.com.
> | To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
> | To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
> | Questions should be directed to the list owner/operator: david@midrange.com
> +---
+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---