We have a service which has several application servers (windows 2008, JBOSS) and a windows 2008, JBOSS web server.
The web server is accessed by https and has a server certificate. It is configured to only allow access to users with a local user SSL cert issued by Digi-Sign and registered on the server.
The web server connects to the other application server on the internal network. The application is provided by a third party and their recommendation is to configure the firewall between the web and application servers with all ports open. They cannot provide a definitive list of ports used by the application and JBOSS.
The service is hosted by another third party who recommend closing all unused ports on the firewall. There is a risk that if we do this we may cause a problem with some seldom used part of the application.
To justify the risk of ignoring vendor advice on configuration we need to get some feel for the level of security risk we would be carrying.
Note that the external facing server does not have a lot of open ports and is protected by SSL. The ports in question are on the internal network connecting 2 servers within the data centre.
My (non-expert) view is that given the wide availability of port scanners which easily identify which ports are open we can assume that any intruder competent enough to get past the outward facing security could easily find open ports on the internal network. Obviously we cannot operate with all ports closed. So, since an intruder could find an open port, the key question becomes:
How much more secure is a network with say, 10 open ports than one with 100 open ports than one with all open ports (given that they are all internal to the network) against an intruder who can get past external security and find open ports on the network?
I would be grateful for any advice on this.
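One practical way to attack the "vendor cannot list the ports" problem, given here as an added example and not code from the question or from any vendor or JBoss tool, is to capture the web server's connection table repeatedly over a period of normal use and derive a deny-by-default allow-list from what is actually observed, then check what a proposed restrictive rule set would break. The IP addresses, ports and `netstat -ano` rows below are constructed sample data.

```python
"""Derive the ports the web tier really uses toward the application server
from observed connections, so a deny-by-default firewall rule set can be
built empirically. Added example; the netstat rows are constructed."""
import re
from collections import Counter

# Windows `netstat -ano` style rows (constructed sample). Assumed addresses:
# web server 10.0.1.10, application server 10.0.2.20.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    10.0.1.10:49152        10.0.2.20:8080         ESTABLISHED     1204
  TCP    10.0.1.10:49153        10.0.2.20:8080         ESTABLISHED     1204
  TCP    10.0.1.10:49160        10.0.2.20:1099         TIME_WAIT       0
  TCP    10.0.1.10:49161        10.0.2.20:4447         ESTABLISHED     1204
  TCP    10.0.1.10:49170        203.0.113.5:443        ESTABLISHED     1204
  UDP    10.0.1.10:137          *:*                                    4
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)")

def observed_ports(netstat_text, app_server_ip):
    """Return {(proto, remote_port): count} for connections from this host to
    app_server_ip. The local (ephemeral) port is irrelevant to the firewall
    rule; only the server-side port is recorded."""
    counts = Counter()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or m.group(5) == "*":      # header, or unconnected UDP socket
            continue
        proto, _local_ip, _local_port, remote_ip, remote_port = m.groups()
        if remote_ip == app_server_ip:
            counts[(proto, int(remote_port))] += 1
    return dict(counts)

def allow_list(observed):
    """Sorted (proto, port) pairs to permit from web tier to app tier."""
    return sorted(observed)

def would_break(observed, proposed_allow):
    """Ports seen in use that a proposed restrictive rule set would block;
    each entry is a candidate 'seldom used part of the application'."""
    allowed = set(proposed_allow)
    return sorted(p for p in observed if p not in allowed)
```

Run the capture many times across a full business cycle (month end, batch jobs, admin tasks) before treating the union as the allow-list, and log denied packets on the firewall after cut-over so anything missed shows up as a denied flow rather than a silent failure.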