06-01-2018 03:43 AM - edited 06-01-2018 03:44 AM
What are the risky ports we should not allow from the user zone (internal network) to the external network (internet / external network)? For example, we don't allow 21/23 etc.; please suggest other ports too.
06-01-2018 04:13 AM
I think 80 also should not be allowed. We used to allow the http/https App-ID instead of ports, but what are the most critical ports we should allow anyhow, like 21/23?
06-01-2018 05:18 AM
In the new age of Next Generation firewalls, ports do not matter as much as they used to.
Today a lot more protocols and applications use ports 80 and 443, whereas older, more traditional protocols would use their own port.
App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports.
Each application comes with "application default" ports, which will also help to close off 'unusual' ports.
So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80, 443 and 53 will be 'open' for this rule.
'Threat'-wise, ports 80 and 443 pose far more risk than all other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports.
PANgurus - Strata specialist; config reviews, policy optimization
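As an added illustration of the approach described in this answer (this is not configuration from the thread or from Palo Alto Networks), here is the same user-zone-to-internet rule written in PAN-OS set-format CLI twice: first the port-based form that the earlier posts describe, then the App-ID form with 'application-default' service. Zone names (user-zone, internet), rule names, the custom DNS service object and the security profile group name are assumptions; lines starting with '#' are annotations, not CLI syntax, and must be dropped before pasting.

```panos
# --- Weak: port-based rule. Any application that can run over
# --- TCP/80, TCP/443 or UDP/53 is allowed, not just web, TLS and DNS.
set service svc-dns-udp protocol udp port 53
set rulebase security rules allow-ports-out from user-zone
set rulebase security rules allow-ports-out to internet
set rulebase security rules allow-ports-out source any
set rulebase security rules allow-ports-out destination any
set rulebase security rules allow-ports-out application any
set rulebase security rules allow-ports-out service [ service-http service-https svc-dns-udp ]
set rulebase security rules allow-ports-out action allow

# --- Corrected: App-ID rule. Only web-browsing, ssl and dns are
# --- allowed, and 'application-default' restricts each App-ID to its
# --- standard ports (80, 443, 53), so a non-web protocol tunnelled
# --- over port 443 no longer matches this rule.
set rulebase security rules allow-web-out from user-zone
set rulebase security rules allow-web-out to internet
set rulebase security rules allow-web-out source any
set rulebase security rules allow-web-out destination any
set rulebase security rules allow-web-out application [ web-browsing ssl dns ]
set rulebase security rules allow-web-out service application-default
set rulebase security rules allow-web-out action allow
# Attach content scanning / threat protection (assumed existing profile
# group named 'outbound-threat-profiles') so 80/443 traffic is inspected.
set rulebase security rules allow-web-out profile-setting group outbound-threat-profiles
# Log at session end so the App-ID seen on 80/443 is visible in traffic logs.
set rulebase security rules allow-web-out log-end yes
```

After committing, the traffic log's Application column for the allow-web-out rule shows which App-ID matched on ports 80/443; sessions that would previously have matched allow-ports-out as "unknown-tcp" or some other application are now denied by the default rule and can be reviewed there.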