How much extra security comes from closing ports on internal network

We have a service which has several application servers (windows 2008, JBOSS)  and a windows 2008, JBOSS web server.

The web server is accessed by https and has a server certificate.  It is configured to only allow access to users with a local user SSL cert issued by Digi-Sign and registered on the server.

The web server connects to the other application server on the internal network.  The application is provided by a third party and their recommendation is to configure the firewall between the web and application servers with all ports open.  They cannot provide a definitive list of ports used by the application and JBOSS.

The service is hosted by another third party who recommend closing all unused ports on the firewall.  There is a risk that if we do this we may cause a problem with some seldom used part of the application.

To justify the risk of ignoring vendor advice on configuration we need to get some feel for the level of security risk we would be carrying.

Note that the external facing server does not have a lot of open ports and is protected by SSL.  The ports in question are on the internal network connecting 2 servers within the data centre.

My (non-expert) view is that given the wide availability of port scanners which easily identify which ports are open we can assume that any intruder competent enough to get past the outward facing security could easily find open ports on the internal network.  Obviously we cannot operate with all ports closed.   So, since an intruder could find an open port, the key question becomes:

How much more secure is a network with, say, 10 open ports than one with 100 open ports than one with all open ports (given that they are all internal to the network) against an intruder who can get past external security and find open ports on the network?

I would be grateful for any advice on this.

Dave Baldwin (Fixer of Problems) commented:
The issue is not really the ports but the services that use them.  Technically, a port is open only if there is a service that listens to it.  You can use something like TCPView to see what ports are in use by the services on the computer.  It's probably more than you would think.
isense (Author) commented:

That's interesting and useful.  My main concern at the moment is to get some feel for the effectiveness (from the network security perspective) of closing ports.  My gut feel is that an intruder who gets past the initial web server will know enough to try using the ports which JBOSS uses, so closing other ports will have limited (approaching zero?) effect.  My hosting service providers seem to think it is the holy grail for network security.  Am I missing something or are they deluding themselves?
Dave Baldwin (Fixer of Problems) commented:
No, they are basically right because most people just leave every service running whether it is used or not.  Details are important.  Obviously you don't shutdown things you are using but until you do the scans, you don't know what else is running and open.
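To make the point above concrete (a port is only open when a service listens on it, and you only learn which services those are by looking), here is an added Python example. It is not code from the thread or from any product named in it. It parses the kind of table Windows `netstat -ano` prints (constructed sample below, with assumed PIDs and process names as `tasklist` would report them) and lists every listening socket that a host in a given role was not expected to serve, together with the owning process, so each one can be either disabled or deliberately kept and restricted.

```python
from dataclasses import dataclass

# Constructed sample of "netstat -ano" output from a Windows host (not taken
# from the question); the PIDs and processes are assumptions for illustration.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       2340
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING       2340
  TCP    10.0.1.20:3389         0.0.0.0:0              LISTENING       988
  TCP    10.0.1.20:49158        10.0.1.30:8080         ESTABLISHED     2340
  UDP    0.0.0.0:123            *:*                                    1100
"""

# Constructed PID -> image name map, as "tasklist" would report it.
PID_NAMES = {4: "System", 712: "svchost.exe", 988: "svchost.exe",
             1100: "svchost.exe", 2340: "java.exe"}

# Hypothetical expectation for a web server role: only HTTPS should be served.
WEB_SERVER_EXPECTED = {("TCP", 443)}


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int
    pid: int


def parse_listening(netstat_text):
    """Return the sockets that accept traffic: TCP rows in LISTENING state and
    every bound UDP socket (netstat prints no state column for UDP)."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        if proto == "TCP":
            if len(fields) < 5 or fields[3] != "LISTENING":
                continue  # established/time-wait rows are not open ports
            pid = int(fields[4])
        else:
            pid = int(fields[-1])
        # rpartition keeps IPv6 literals such as [::]:135 intact
        address, _, port = local.rpartition(":")
        listeners.append(Listener(proto, address, int(port), pid))
    return listeners


def unexpected_listeners(listeners, pid_names, expected):
    """Listening sockets outside the role's expected set, with the owning
    process, so each one can be reviewed: disable the service, or keep it and
    restrict who may reach it."""
    findings = [(l.proto, l.port, pid_names.get(l.pid, "unknown"))
                for l in listeners if (l.proto, l.port) not in expected]
    return sorted(findings)


def audit(netstat_text=NETSTAT_SAMPLE, pid_names=PID_NAMES,
          expected=WEB_SERVER_EXPECTED):
    return unexpected_listeners(parse_listening(netstat_text), pid_names, expected)


if __name__ == "__main__":
    for proto, port, process in audit():
        print(f"{proto}/{port} served by {process}: not expected for this role")
```

Run against real output by piping `netstat -ano` into a file and reading it in place of the sample. The finding list is the starting point for the scan Dave describes: each row is a service that is genuinely reachable, and the decision per row is whether it is needed at all.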

This is no matter of opinion. You have a service that is made available to certain parties. To these, the ports that this service uses, need to be open, and of course to other parties or networks, closed. Any firewall can be configured so that for example the executable of the jboss service can only be contacted by certain IP ranges, and that is what you should do.
In general, a firewall should be setup to close all ports and then you configure exceptions.

We cannot measure the risk. Attackers work like this: they scan your network for open ports and try to identify what is behind those ports. So somewhere in any company, there is a file server, which will (in windows networks) have port 445 (SMB) open. After they found some server with 445 open, they let their hacking tool test if the SMB service is vulnerable (patches not installed) and if so, try to get in control of it. If they succeed, they can read the data and compromise the whole server. What a smart admin would do, is use a firewall rule set to limit the access to that server to people who can authenticate (client authentication by using IPsec with certificates). That way, the attacker will have a very hard time, because he will first have to acquire such a certificate, which is all but easy.
Of course, the same could be done with any other port/service, too. Look into firewall concepts, so you don't have to think twice on such a question.
isense (Author) commented:
Thanks guys,

I can understand how disabling unused services is good, and I can understand the benefit of sophisticated firewall rules as mentioned by McKnife.

What I do not yet understand is how simply blocking some of the ports in the firewall will have any significant benefit.

I guess my question becomes:  By concentrating on simple port blocking is the network security enhanced to any significant degree?
Dave Baldwin (Fixer of Problems) commented:
Not unless you are blocking ports that are used by vulnerable services. Remember, a port that does not have a service listening to it is not open.
"By concentrating on simple port blocking is the network security enhanced to any significant degree?"
-> A server software (that opens ports on that server to let clients communicate with it)  that has no vulnerabilities cannot be exploited. Is this ever the case? No, never even, because we simply cannot know for sure that an attacker would not be more of an insider than we are. He could know ways to attack that port that are not common knowledge and that are not prevented by patches yet! That's why you need to limit the access to these open ports to those that need to work with that service and no one else.

The value of this measure is not subject to discussion. If you don't do it, any security expert will tell you, you're at fault.

The server software itself needs to be patched at any time, too, because we don't want any of the guys entitled to communicate with that software to become capable of more than what we let them.
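The two answers above ("close all ports and then configure exceptions", and "limit the access to these open ports to those that need to work with that service and no one else") are the same principle, and an added Python example, not code from the thread or from any firewall product, shows what it changes in practice. It models a rule set with first-match semantics and a default of deny, then compares the vendor's all-open recommendation with a deny-by-default set that only admits the web server to the application's HTTP connector and one admin host to remote desktop. The addresses, the admin host and the set of ports the application server listens on are all constructed assumptions, not values from the question.

```python
import ipaddress


class Rule:
    """One firewall exception: traffic from src network, of proto, to ports."""

    def __init__(self, src, proto, ports, action):
        self.src = ipaddress.ip_network(src)
        self.proto = proto          # "TCP", "UDP" or "*" for any
        self.ports = ports          # set of destination ports, or None for any
        self.action = action        # "allow" or "deny"

    def matches(self, src_ip, proto, port):
        return (ipaddress.ip_address(src_ip) in self.src
                and self.proto in ("*", proto)
                and (self.ports is None or port in self.ports))


def evaluate(rules, src_ip, proto, port):
    """First matching rule wins; with no match the default policy is deny,
    i.e. every port is closed unless an exception opens it."""
    for rule in rules:
        if rule.matches(src_ip, proto, port):
            return rule.action
    return "deny"


def reachable_ports(rules, src_ip, proto, listening_ports):
    """Which of the application server's listening ports a given source host
    can reach under the rule set: the exposure that host represents."""
    return sorted(p for p in listening_ports
                  if evaluate(rules, src_ip, proto, p) == "allow")


# Constructed addresses and ports (assumptions, not from the question).
WEB_SERVER = "10.0.1.20"
ADMIN_HOST = "10.0.1.5"
OTHER_INTERNAL_HOST = "10.0.1.77"
APP_SERVER_LISTENING = {135, 445, 1099, 3389, 4447, 8080}

# The vendor's recommendation as a rule set: everything open between the hosts.
ALL_OPEN = [Rule("0.0.0.0/0", "*", None, "allow")]

# Deny by default, then exceptions for the traffic the service actually needs:
# the web server to the application's HTTP connector (port assumed) and one
# admin host to remote desktop. Anything else, including the SMB port 445 used
# as the example above, stays closed to every other host.
DEFAULT_DENY = [
    Rule(WEB_SERVER + "/32", "TCP", {8080}, "allow"),
    Rule(ADMIN_HOST + "/32", "TCP", {3389}, "allow"),
]


def exposure_report(rules):
    """Ports on the application server reachable from each modelled host."""
    return {host: reachable_ports(rules, host, "TCP", APP_SERVER_LISTENING)
            for host in (WEB_SERVER, ADMIN_HOST, OTHER_INTERNAL_HOST)}


if __name__ == "__main__":
    for name, rules in (("all open", ALL_OPEN), ("default deny", DEFAULT_DENY)):
        print(name, exposure_report(rules))
```

The report answers the question in the thread in the terms that matter: under the all-open set every internal host, whatever it is, can reach every listening service on the application server; under the deny-by-default set a host that is not the web server or the admin host reaches nothing, and even the web server reaches only the one connector it needs. When the vendor cannot name the application's ports, the listening-socket audit on the application server supplies the candidate list for the exceptions, and the seldom-used functions the question worries about show up as denied connection attempts in the firewall log rather than as silent failures.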
isense (Author) commented:
Let me try to summarise, to see if I have things right in my head:

1. It is a good idea to close services on a server which are not required
2. Closing a port which does not have a service has zero effect
3. Restricting access to enabled services to the applications or users which need them is a good idea
1 yes
2 nothing to close. without a service, no port open.
3 yes

isense (Author) commented:
Thanks for your responses guys. I feel much better informed.