Risky ports

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Risky ports

L1 Bithead

What are the risky ports we should not allow from user zone (internal network) to external network (internet / external network)? Like we don't allow 21/23 etc, please suggest other ports too.....

1 accepted solution

Accepted Solutions

in the new age of Next Generation firewalls, ports do not matter as much as they used to

 

today a lot more protocols and applications use port 80 and 443 where older, more traditional, protocols would use their own port

 

App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports

each application comes with "application default" ports which will also help to close off 'unusual' ports

 

So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80,443 and 53 will be 'open' for this rule

 

'threat' wise, ports 80 and 443 pose far more risks than any other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

3 REPLIES 3

L6 Presenter

Go the other way, only allow 80, 443 and maybe few others on explicit requests. And implement app policy.

I think 80 is also should not be allowed, we used to allow http/https app id instead of ports but what are the most critical ports we should allow anyhow like 21/23.

in the new age of Next Generation firewalls, ports do not matter as much as they used to

 

today a lot more protocols and applications use port 80 and 443 where older, more traditional, protocols would use their own port

 

App-ID will assist tremendously in identifying exactly what is traversing the firewall, versus simply monitoring the ports

each application comes with "application default" ports which will also help to close off 'unusual' ports

 

So if you create, for example, a rule that allows web-browsing, ssl and DNS and set the service ports to 'application default', only ports 80,443 and 53 will be 'open' for this rule

 

'threat' wise, ports 80 and 443 pose far more risks than any other ports combined, so leveraging App-ID with content scanning and threat protection would be a more secure route than relying on just ports

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 accepted solution
  • 2768 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!