awakenings asked:

What is to be gained by closing ports on a network above 1024?

This is a theoretical question and now I find it interesting. On a corporate network, if one is already blocking all well-known TCP ports on every VLAN that are not explicitly required for business, what is to be gained by blocking TCP ports 1024 to 65,535? Assume in this scenario that outbound traffic to the Internet is limited to HTTP, SSL, FTP, mail etc. What are the risks to Windows boxes? What kinds of problems should one expect with inter-VLAN traffic? At first glance, worms seem like they may be an issue. Obviously high-level hackers will have a heyday with that many open ports, but for average risks, what should one expect for Windows-to-Windows traffic?
SOLUTION (Dmitri Farafontov)
awakenings (ASKER)

Delta,

Thanks. Interestingly enough, it is RPC that makes me wonder. By default, it needs all those ports open for communication. With a simple reg change, the ports can be brought down to one port we would open across the network. I am very aware of the theory and the potential and I can list hackers' tools that someone on the inside might use, but I'm trying to understand the risk. At first glance, it actually seems pretty low given our patching schedule and hardening standards. I guess I look at it this way. On one level one could have 60,000+ ports open. On the other level, it seems that risks are both unknown and possibly fairly low except for the very real threat of worms. But an RPC worm, say a new variant of Blaster, could be a zero-day exploit and would hit our systems no matter if the ports are open or closed because it is moving over RPC. Does anyone think there are any real threats in keeping the TCP ports above 1023 open? Are there any examples?
SOLUTION
Rich,

You bring up a lot of good points and I appreciate your input. I am still in the process of thinking about it. On a side note, the page I was really thinking of is:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/technologies/activedirectory/deploy/confeat/adrepfir.mspx

We currently have most of our TCP and UDP ports blocked. Apparently on the AD server (we are beginning to implement) they did not set the registry entry for RPC to 1 port. It is part of a trusted network so all AD servers across the company would need to be set. We have requirements that need us to limit our port usage to those required by business. Obviously the requirement could be argued either way. Obviously there is more than one approach to handling the issue. I am in favor of changing the registry entry across the enterprise on AD servers. I was then asked, what is the risk of opening up 60-plus thousand TCP ports? They are considering opening all TCP ports. I don't think that is a smart idea from more than one standpoint.

So what do you think the risk is of opening up more ports? Is it 100 times worse? Twice as bad? A million times as bad? I am also not sure why you think that the well-known versus ephemeral ports is not really an important distinction in terms of blocking or not blocking TCP ports. Tell me more about your opinion.

Awakenings
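The "simple reg change" the asker refers to in both follow-ups (pinning RPC to a small, known port range so the firewall does not have to permit 1024-65535) is the approach Microsoft documents for AD replication across firewalls. The script below is an added example, not code from this thread or from the linked Microsoft page: it reads and sets the documented registry values `HKLM\SOFTWARE\Microsoft\Rpc\Internet` (`Ports`, `PortsInternetAvailable`, `UseInternetPorts`) and `HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\TCP/IP Port`. The port numbers in the example invocation are arbitrary illustration values, and the rule that the fixed replication port must sit outside the dynamic range is this example's own sanity check, not a Microsoft requirement.

```powershell
# Added example (not from the original thread). Restricts the RPC dynamic port
# range and pins AD replication to one port via the registry, so the firewall
# only needs to allow a small, known range instead of every port above 1023.
# Requires an elevated session on the domain controller; a reboot is needed
# for the RPC runtime and NTDS to pick the new values up.

$RpcInternetKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$NtdsParamsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-RpcPortConfig {
    # Report what is currently configured; $null means "not set" (Windows default).
    $rpc  = Get-ItemProperty -Path $RpcInternetKey -ErrorAction SilentlyContinue
    $ntds = Get-ItemProperty -Path $NtdsParamsKey  -ErrorAction SilentlyContinue
    [pscustomobject]@{
        RpcPorts                  = if ($rpc)  { $rpc.Ports }                 else { $null }  # REG_MULTI_SZ, e.g. "5000-5100"
        RpcPortsInternetAvailable = if ($rpc)  { $rpc.PortsInternetAvailable } else { $null }  # "Y" = use the list above
        RpcUseInternetPorts       = if ($rpc)  { $rpc.UseInternetPorts }       else { $null }  # "Y" = apply to all RPC servers
        AdReplicationPort         = if ($ntds) { $ntds.'TCP/IP Port' }         else { $null }  # REG_DWORD
    }
}

function Set-RpcPortConfig {
    param(
        [Parameter(Mandatory)][int]$RangeStart,        # first dynamic RPC port
        [Parameter(Mandatory)][int]$RangeEnd,          # last dynamic RPC port
        [Parameter(Mandatory)][int]$AdReplicationPort  # fixed port for AD replication (NTDS RPC interface)
    )
    if ($RangeStart -lt 1024 -or $RangeEnd -gt 65535 -or $RangeStart -gt $RangeEnd) {
        throw 'Dynamic range must lie within 1024-65535 and start must not exceed end.'
    }
    # Example's own check: keep the statically assigned port out of the dynamic pool
    # so a dynamically allocated endpoint cannot land on the same number.
    if ($AdReplicationPort -ge $RangeStart -and $AdReplicationPort -le $RangeEnd) {
        throw 'Keep the fixed AD replication port outside the dynamic range.'
    }
    if (-not (Test-Path $RpcInternetKey)) {
        New-Item -Path $RpcInternetKey -Force | Out-Null
    }
    # Ports is REG_MULTI_SZ; with PortsInternetAvailable=Y the RPC runtime hands
    # out dynamic endpoints only from the listed range(s).
    Set-ItemProperty -Path $RpcInternetKey -Name Ports                 -Value @("$RangeStart-$RangeEnd") -Type MultiString
    Set-ItemProperty -Path $RpcInternetKey -Name PortsInternetAvailable -Value 'Y' -Type String
    Set-ItemProperty -Path $RpcInternetKey -Name UseInternetPorts       -Value 'Y' -Type String
    # Pin AD replication to a single port so the firewall rule can name it explicitly.
    Set-ItemProperty -Path $NtdsParamsKey -Name 'TCP/IP Port' -Value $AdReplicationPort -Type DWord
}

# Example invocation (illustration values): 101 dynamic ports plus one fixed replication port.
# Set-RpcPortConfig -RangeStart 5000 -RangeEnd 5100 -AdReplicationPort 5200
# Get-RpcPortConfig
```

Two things a practitioner should keep in mind when turning this into firewall rules: the RPC endpoint mapper on TCP 135 must still be reachable, because clients ask it which port a service landed on before connecting to that port; and every domain controller in the replication topology needs the same settings, which matches the asker's point that all AD servers across the company would have to be changed together.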
ASKER CERTIFIED SOLUTION