- Posts: 63
- Thank you received: 0
Any suggestion on other ports to deny?
18 years 10 months ago #8851
by UHSsncmrm
A scapegoat is often as welcome as a solution...never memorize what you can look up.
Replied by UHSsncmrm on topic Re: Any suggestion on other ports to deny?
Thanks TheBishop and eddyreni. The suggestion is more viable than my plan. My issue with this is that it will be a break fix situation with me running around like a chicken trying to discover all of the ephemeral ports that our vendors' custom apps are running on.
We support centralized clinical applications that run in our data center and are served to 100 or so hospitals across the country on a private WAN. Many of our apps, are "patient care" affecting when they are down ie. pharmacy orders and cross referencing, test results, radiology and the like. I would certainly be under the gun to open the ports and would create a storm of helpdesk calls (and I like the helpdesk girls
otherwise I wouldn't care (joke).) Coordinating the list of ports that these custom apps run on would be a nightmare, sometimes vendors leave ports out or aren't aware of some of the ports when you request a comprehensive list. They forget they are running on this or that database or that their app is based on...blah blah... technology (Jave, activeX...etc.) the list goes on and on.
It's bad enough having to school vendors when they bring up apps and call me to find out why they aren't working. Most clinical apps are written for local traffic and developers don't take into consideration that someone may want to run them over a WAN. I have ongoing battles on TCP optimization with developers to get them to make their apps WAN friendly.
Now, I'm not against work, like you say TheBishop, "...work pays the bills!" but I think if I added as many known abused ports as I could muster, there would be much less downtime and pain for me while protecting my sites. Now on the other hand our edges to the public for Internet/VPN traffic are pessimistically filtered which is a better fit for the public edges.
So, while I think your plan is way better (pessimistic filtering), I really need to be gentle in this situation (optimistic filtering) or there will be many a doctor/hospital administrator taking note of my name.
We support centralized clinical applications that run in our data center and are served to 100 or so hospitals across the country on a private WAN. Many of our apps, are "patient care" affecting when they are down ie. pharmacy orders and cross referencing, test results, radiology and the like. I would certainly be under the gun to open the ports and would create a storm of helpdesk calls (and I like the helpdesk girls
otherwise I wouldn't care (joke).) Coordinating the list of ports that these custom apps run on would be a nightmare, sometimes vendors leave ports out or aren't aware of some of the ports when you request a comprehensive list. They forget they are running on this or that database or that their app is based on...blah blah... technology (Jave, activeX...etc.) the list goes on and on.It's bad enough having to school vendors when they bring up apps and call me to find out why they aren't working. Most clinical apps are written for local traffic and developers don't take into consideration that someone may want to run them over a WAN. I have ongoing battles on TCP optimization with developers to get them to make their apps WAN friendly.
Now, I'm not against work, like you say TheBishop, "...work pays the bills!" but I think if I added as many known abused ports as I could muster, there would be much less downtime and pain for me while protecting my sites. Now on the other hand our edges to the public for Internet/VPN traffic are pessimistically filtered which is a better fit for the public edges.
So, while I think your plan is way better (pessimistic filtering), I really need to be gentle in this situation (optimistic filtering) or there will be many a doctor/hospital administrator taking note of my name.
A scapegoat is often as welcome as a solution...never memorize what you can look up.
18 years 10 months ago #8852
by eddydreni
Replied by eddydreni on topic Re: Any suggestion on other ports to deny?
Alright, I have a few suggestions then.
I have a little cool app called, "Advanced Administrative Tools" - This has a nice port scanner built with it. What you can do, is port scan your own firewall and it will show you all the open ports and vulnerabilities / available attacks on those ports.
Here is what mine looks like:
As you can see, I have most ports closed down, except the ones I use.
You can get the following application by visiting:
mirror1.glocksoft.com/aatools.zip
After you port scan your server, you can decide to close down the ports you desire that might harm your company in any way possible. I hope that helps.
I have a little cool app called, "Advanced Administrative Tools" - This has a nice port scanner built with it. What you can do, is port scan your own firewall and it will show you all the open ports and vulnerabilities / available attacks on those ports.
Here is what mine looks like:
As you can see, I have most ports closed down, except the ones I use.
You can get the following application by visiting:
mirror1.glocksoft.com/aatools.zip
After you port scan your server, you can decide to close down the ports you desire that might harm your company in any way possible. I hope that helps.
Time to create page: 0.150 seconds