Solved

how secure is port forwarding?

Posted on 2011-10-17
Last Modified: 2012-05-12
Hello Experts,

I am trying to change my default port number on the public side for FTP (port 21); I want to use a different port like "9999" or similar, but then change the port inside the firewall. This way I would connect to ftp://mydomain:9999 and go to my ftp to upload files.

My boss wants to know if that is a safe move and if there will be any ramifications.

Your help is greatly appreciated!
0
Question by:Newco
8 Comments
 
LVL 37

Expert Comment

by:Neil Russell
ID: 36980529
Define safe? It makes simple direct attempts at FTP into your systems harder by virtue of the fact that there is nothing on port 21. But a quick simple port scan of your system will reveal an ftp system on port 9999.

Firstly, I hope you mean SFTP and not FTP?
Secondly can you not tie the port forward to only specific incoming IP addresses? If you know WHO will be coming in you can stop everyone else.
0
 
LVL 2

Author Comment

by:Newco
ID: 36980735
Thank you Neil,

I really meant FTP, but the port 9999 was just an example, it could be 59999 or so.
But now I have this question:
"If you know WHO will be coming in you can stop everyone else" - how do I accomplish that?
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 36981947
Most FTP Server software has a feature that will allow you to specify a list of addresses that are allowed to connect.  See also: Whitelist
0

 
LVL 2

Author Comment

by:Newco
ID: 36982154
Thank you Alex,
So, going back to the original question; what you guys suggest is that changing the default port number on the firewall doesn't really make a difference?

Thank you!
0
 
LVL 3

Accepted Solution

by:
danielswanson earned 2000 total points
ID: 36982447
Serving ftp over 9999 is just as "safe" as using the standard port 21. By changing ports you're really securing through obscurity. If this is internet facing it's less likely to get discovered as an ftp service than if you used the standard port. The scripting engines out there search for ftp on port 21 by default and you'll probably see a decrease in the number of scan attempts if you change the port.

Neither port is any more secure than the other though. If you're serving out a service it can be discovered by a port scanner and someone could still figure out that port 9999 is an ftp server.

To be secure you need to control access to the ftp site by forcing users to authenticate and using firewalls to control what sources can access the service.
0
 
LVL 2

Author Closing Comment

by:Newco
ID: 36982467
Thank you!  That's a very good explanation.
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 36982539
Not really because when you open the connection to that port the server says "Hi, I'm Newco's FTP Server!"  or something like that.

The people that you really need to keep out are not using their browser or the command-line DOS client but rather they are scanning all your ports so they will find it easily.
0
 
LVL 16

Expert Comment

by:AlexPace
ID: 36982552
Ignore my last response, I started writing it half an hour ago then got a phone call and forgot to submit... but now you've got your answer.
0
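
The two points made in this thread, as an added example that is not part of any poster's reply: a test listener on an arbitrary loopback port still announces itself as FTP in its greeting, while a source-address allowlist closes the connection before any greeting is sent. The banner text, function names and address ranges are constructed for illustration; in production the allowlist belongs in the firewall's port-forward rule or the FTP server's own access list.

```python
import ipaddress
import socket
import threading

# Constructed greeting for the test listener (not taken from the thread).
BANNER = b"220 Example FTP server ready\r\n"

def start_listener(allowed_cidrs):
    """Serve one connection on an OS-chosen loopback port; greet only allowed sources."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: any non-standard port will do
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, (peer_ip, _peer_port) = srv.accept()
        with conn, srv:
            if any(ipaddress.ip_address(peer_ip) in n for n in nets):
                conn.sendall(BANNER)
            # Source not on the allowlist: close without sending a byte.

    threading.Thread(target=serve, daemon=True).start()
    return port

def identify_service(port, host="127.0.0.1", timeout=2.0):
    """Classify a service by its greeting: 'ftp', 'unknown', or None if it sent nothing."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            data = s.recv(256)
    except OSError:
        return None
    if not data:
        return None
    # FTP greets with a 220 reply; SMTP does too, so also look for the product text.
    is_ftp = data.startswith(b"220") and b"ftp" in data.lower()
    return "ftp" if is_ftp else "unknown"

def demo():
    # Listener 1 allows loopback, so the client sees the greeting despite the odd port.
    open_port = start_listener(["127.0.0.0/8"])
    # Listener 2 allows only 203.0.113.0/24 (documentation range), so loopback is refused.
    restricted_port = start_listener(["203.0.113.0/24"])
    return identify_service(open_port), identify_service(restricted_port)

if __name__ == "__main__":
    print(demo())
```
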

Question has a verified solution.
