• Subject: RE: TCPIP port restriction for network security
• From: "Sims, Ken" <KSIMS@xxxxxxxxxxxxxxxx>
• Date: Tue, 23 Jan 2001 12:43:41 -0500

Hi Michael -

>For security purposes our firewall has most of the 
>ports closed to the outside world.  I know when we 
>started some outside work with a  consulting company 
>I had to pull teeth to get port 1352 (Notes) open 
>for some people in our company.
>
>My question is, and I realize this isn't necessarily 
>AS/400 (umm...iSeries) related but what do people do 
>and why with regards to their firewall and ports?  
>Is it that bad to really open up a port across the 
>board?  Let me back up a little.  We are starting to 
>use SameTime with the same consulting firm and it has 
>a chat function.  This chat function does not by 
>default use port 80.  So, my options are either open 
>up the port or investigate the changing of the default 
>port.  Typically, I hate to mess around with changing 
>default ports because it always seems to cause me some 
>sort of problem later.

The first question is, does the port need to be open for outgoing
connections, incoming connections, or both?

By default firewalls tend to come configured to allow outgoing connections
on all ports and deny incoming connections on all ports.  Firewall
administrators tend to lock down ports for outgoing connections as well,
except for 80 (HTTP), 443 (HTTPS), and whatever else is determined to be
needed for business purposes.

If all you need is outgoing connections on a particular port, it should not
be that big of a deal for the firewall administrator to open that port for
outgoing connections.  If you use static IP addresses, it could be opened
only for particular addresses.

If you need incoming connections on that port, that's a different matter.
Then you start exposing your network to the outside world.  However if the
consulting company is using NAT, then all of the incoming connections are
going to be from the same IP address.  The port could be opened for incoming
connections only from that IP address.  Likewise, it could be opened for
incoming connections from a range of IP addresses.  Another consideration is
that if you are using NAT with private network addresses behind the
firewall, how are incoming connections going to be directed to the correct
PC?

A possibility to consider is setting up a VPN connection between your
company and the consulting company.  Using IPSEC and IKE all traffic across
the connection would be secured and encrypted.  The firewall would only have
to be opened for the VPN connection, everything else would be encapsulated
within the VPN traffic.  This protects your company from the outside world
while allowing the consulting company access.  Unfortunately it allows the
consulting company a LOT of access which has its own security
considerations.

Ken
Southern Wine and Spirits of Nevada, Inc.
Opinions expressed are my own and do not necessarily represent the views of
my employer or anyone in their right mind.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: david@midrange.com
+---
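The distinction Ken draws between opening a port "across the board" and opening it only for a known source address, and between outbound and inbound rules, is easy to see in a small first-match packet-filter model. The following is an added example, not code from the original post or from any product mentioned in it. It assumes a policy in the shape Ken describes: outbound allowed on 80, 443 and 1352 (Notes), inbound denied by default, and inbound 1352 allowed only from the consulting company's single NAT address. The address 203.0.113.10 and the sample packets are constructed placeholders from the documentation address ranges.

```python
"""Toy first-match packet-filter policy evaluator (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    direction: str            # "in" (to us) or "out" (from us)
    src: IPv4Network          # source network the rule applies to
    dst_port: Optional[int]   # None means any destination port
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    direction: str
    src: IPv4Address
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[Rule]]:
    """Return the action of the first matching rule, or implicit deny."""
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        if pkt.src not in rule.src:
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action, rule
    return "deny", None  # nothing matched: default deny


ANY = ip_network("0.0.0.0/0")
# Constructed placeholder for the consulting company's NAT address.
CONSULTANT_NAT = ip_network("203.0.113.10/32")

# Policy as described in the post: business ports out, one peer in.
RESTRICTED_POLICY = [
    Rule("out", ANY, 80, "allow"),              # HTTP
    Rule("out", ANY, 443, "allow"),             # HTTPS
    Rule("out", ANY, 1352, "allow"),            # Notes, needed for business
    Rule("in", CONSULTANT_NAT, 1352, "allow"),  # Notes, only from the peer's NAT address
    # everything else falls through to implicit deny
]

# The "open it across the board" alternative: inbound 1352 from anywhere.
BROAD_POLICY = RESTRICTED_POLICY[:3] + [Rule("in", ANY, 1352, "allow")]


def check(direction: str, src: str, dst_port: int,
          rules: List[Rule] = RESTRICTED_POLICY) -> str:
    """Convenience wrapper: evaluate one packet against a rule set."""
    action, _ = evaluate(rules, Packet(direction, ip_address(src), dst_port))
    return action


def inbound_exposure(rules: List[Rule], port: int, sources: List[str]) -> List[str]:
    """List which of the given source addresses could reach `port` inbound."""
    return [s for s in sources if check("in", s, port, rules) == "allow"]


if __name__ == "__main__":
    # Constructed sample sources: the peer's NAT address and two strangers.
    samples = ["203.0.113.10", "198.51.100.7", "192.0.2.200"]
    print("restricted:", inbound_exposure(RESTRICTED_POLICY, 1352, samples))
    print("broad:     ", inbound_exposure(BROAD_POLICY, 1352, samples))
```

Running the module prints the inbound exposure of each policy for the same three sample sources: the restricted policy admits only the consulting company's address, the broad one admits all three. Restricting inbound rules to a known source address therefore costs nothing in functionality for the peer while removing the rest of the Internet from the reachable set, which is the trade-off Ken is pointing at.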
