Hi Michael -

> For security purposes our firewall has most of the
> ports closed to the outside world. I know when we
> started some outside work with a consulting company
> I had to pull teeth to get port 1352 (Notes) open
> for some people in our company.
>
> My question is, and I realize this isn't necessarily
> AS/400 (umm...iSeries) related but what do people do
> and why with regards to their firewall and ports?
> Is it that bad to really open up a port across the
> board? Let me back up a little. We are starting to
> use SameTime with the same consulting firm and it has
> a chat function. This chat function does not by
> default use port 80. So, my options are either open
> up the port or investigate the changing of the default
> port. Typically, I hate to mess around with changing
> default ports because it always seems to cause me some
> sort of problem later.

The first question is, does the port need to be open for outgoing connections, incoming connections, or both? By default, firewalls tend to come configured to allow outgoing connections on all ports and deny incoming connections on all ports. Firewall administrators tend to lock down ports for outgoing connections as well, except for 80 (HTTP), 443 (HTTPS), and whatever else is determined to be needed for business purposes.

If all you need is outgoing connections on a particular port, it should not be that big of a deal for the firewall administrator to open that port for outgoing connections. If you use static IP addresses, it could be opened only for particular addresses.

If you need incoming connections on that port, that's a different matter. Then you start exposing your network to the outside world. However, if the consulting company is using NAT, then all of the incoming connections are going to be from the same IP address. The port could be opened for incoming connections only from that IP address. Likewise, it could be opened for incoming connections from a range of IP addresses.
Another consideration is that if you are using NAT with private network addresses behind the firewall, how are incoming connections going to be directed to the correct PC?

A possibility to consider is setting up a VPN connection between your company and the consulting company. Using IPSEC and IKE, all traffic across the connection would be secured and encrypted. The firewall would only have to be opened for the VPN connection; everything else would be encapsulated within the VPN traffic. This protects your company from the outside world while allowing the consulting company access. Unfortunately, it allows the consulting company a LOT of access, which has its own security considerations.

Ken
Southern Wine and Spirits of Nevada, Inc.
Opinions expressed are my own and do not necessarily represent the views of my employer or anyone in their right mind.

+---
| This is the Midrange System Mailing List!
| To submit a new message, send your mail to MIDRANGE-L@midrange.com.
| To subscribe to this list send email to MIDRANGE-L-SUB@midrange.com.
| To unsubscribe from this list send email to MIDRANGE-L-UNSUB@midrange.com.
| Questions should be directed to the list owner/operator: firstname.lastname@example.org
+---
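The distinction Ken draws above, between opening a port for outgoing connections, opening it "across the board" for incoming connections, and opening it inbound only from the consulting firm's NAT address, can be made concrete with a small first-match rule evaluator. This is an added illustration, not code from the original thread or from any firewall product. The rule and packet model, the `203.0.113.0/29` consultant range (a documentation-only address block used as a constructed placeholder) and the internal `10.0.0.0/8` range are all assumptions; port 1352 (Notes) and 80/443 come from the discussion. Direction is relative to the company network: `out` is a connection initiated from inside, `in` is one initiated from the Internet.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed placeholder: the public address range the consulting firm's
# NAT device presents to the Internet. Documentation-only block, not a real site.
CONSULTANT_NAT = ip_network("203.0.113.0/29")


@dataclass(frozen=True)
class Rule:
    direction: str                      # "in" (from the Internet) or "out" (to the Internet)
    action: str                         # "allow" or "deny"
    port: Optional[int] = None          # None matches any destination port
    src: Optional[IPv4Network] = None   # None matches any source address


@dataclass(frozen=True)
class Packet:
    direction: str
    src: IPv4Address                    # address initiating the connection
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default.

    A default of "deny" in both directions models an administrator who has
    locked down outgoing ports as well, as the reply describes.
    """
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        if rule.port is not None and rule.port != pkt.dst_port:
            continue
        if rule.src is not None and pkt.src not in rule.src:
            continue
        return rule.action
    return default


def decide(rules: List[Rule], direction: str, src: str, dst_port: int) -> str:
    """Convenience wrapper: build a Packet from plain values and evaluate it."""
    return evaluate(rules, Packet(direction, ip_address(src), dst_port))


# Weak setting: port 1352 opened inbound "across the board" (any source).
RULES_OPEN = [
    Rule("out", "allow", port=80),
    Rule("out", "allow", port=443),
    Rule("out", "allow", port=1352),
    Rule("in", "allow", port=1352),                      # no source restriction
]

# Tightened setting: the same inbound port, but only from the consultant's NAT range.
RULES_RESTRICTED = [
    Rule("out", "allow", port=80),
    Rule("out", "allow", port=443),
    Rule("out", "allow", port=1352),
    Rule("in", "allow", port=1352, src=CONSULTANT_NAT),
]


def compare(direction: str, src: str, dst_port: int) -> dict:
    """Show how the two rulesets treat the same connection attempt."""
    return {
        "open": decide(RULES_OPEN, direction, src, dst_port),
        "restricted": decide(RULES_RESTRICTED, direction, src, dst_port),
    }


if __name__ == "__main__":
    # Constructed sample connection attempts (internal hosts are in 10.0.0.0/8).
    samples = [
        ("out", "10.0.0.5", 1352),        # our Notes client reaching the consultants
        ("in", "203.0.113.5", 1352),      # consultant's NAT address reaching our Notes port
        ("in", "198.51.100.7", 1352),     # some unrelated Internet host on the same port
        ("in", "203.0.113.5", 23),        # consultant address, but a port we never opened
        ("out", "10.0.0.5", 25),          # outgoing port not on the business-need list
    ]
    for direction, src, port in samples:
        print(f"{direction:>3} {src:>14} -> port {port:<5} {compare(direction, src, port)}")
```

The third sample is the one that matters: with the port opened across the board, an arbitrary Internet host gets the same answer as the consultant, while the restricted ruleset denies it. Adding the source restriction costs nothing for the consultants as long as their outgoing traffic really does leave through the NAT range you were given, which is worth confirming with them before the rule goes in.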