Ephemeral Ports


kickarse

So we have a vendor who wants us to basically open up all Ephemeral ports to about 1,300+ IP addresses on 6 subnets.

How would you guys feel about that? I know that I feel pissed off that they want us to do this or buy a dedicated T1 to them to bypass this hole. They keep giving the run around that we somehow need all of this.

Please chime in with your thoughts. I love to get the security/hacking communities view on this.

Link to comment
Share on other sites

What is their reasoning behind all of this? I am sure there are a lot of better ways of doing this than opening up your system to such a large number of IP addresses.

Recently we had a supplier that told us that to run their system we needed to make sure that iptables wasn't running. Strangely enough, once I had figured out the ports they used and actually added in the required rules, iptables worked fine.

Link to comment
Share on other sites

I'm confused: do you need to open ports for the internal LAN, or is this for some sort of NAT translation so the outside (1300+ sites) can reach your internal network/extranet/subnets? That doesn't make sense, since those ports are used on the client's side and are not tied to any service or well-known ports a client might be trying to reach.

Where are the ports being opened, and for what purpose? The upper ephemeral ports are automatically used during the client's session and will randomly be picked by the device/client stack creating the session to the remote IP. The stack should then discard and only reuse that port when it has used up all other session ports. There are thousands of ports that can be used, and these upper ports are usually not blocked to begin with, per se. Firewalls will usually just drop packets for any IP trying to reach something on the inside using those ports if it's not an already established session between two endpoints; in other words, any anonymous requests for something on the inside using the ephemeral port range will/should be dropped anyway.

Link to comment
Share on other sites
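The behaviour described in the two replies above (an explicit allow-list of vendor ports instead of switching the firewall off, and a stateful firewall that admits return traffic to an ephemeral port only when it belongs to a session the inside host opened) can be shown with a small simulation. This is an added example written for this thread, not code posted by anyone in it and not any vendor's product. It assumes the Linux default ephemeral range of 32768-60999; the IP addresses, the allowed vendor service and the packets are constructed sample values.

```python
"""Toy stateful packet filter (added illustration, not the thread's code).

Models the point made above: the client stack picks a random source port
from the ephemeral range for each outbound session, the firewall records
that session, and inbound packets are accepted only if they match a
recorded session.  Unsolicited inbound traffic to the ephemeral range is
dropped, and new outbound sessions are limited to an explicit allow-list
of (destination IP, port), the way the earlier reply handled its supplier
with iptables rules instead of disabling iptables.
"""
from __future__ import annotations

import random
from dataclasses import dataclass

# Linux default net.ipv4.ip_local_port_range (assumption; other stacks differ).
EPHEMERAL_RANGE = range(32768, 61000)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for the packet that opens a new session


class StatefulFirewall:
    def __init__(self, internal_prefix: str, allowed_outbound: set[tuple[str, int]]):
        self.internal_prefix = internal_prefix      # e.g. "10.0.0." (constructed)
        self.allowed_outbound = allowed_outbound    # (ip, port) pairs the vendor documented
        self.conntrack: set[tuple[str, int, str, int]] = set()  # tracked 4-tuples

    def _is_internal(self, ip: str) -> bool:
        return ip.startswith(self.internal_prefix)

    def filter(self, pkt: Packet) -> str:
        """Return 'ACCEPT' or 'DROP' for one packet, updating session state."""
        fwd = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        rev = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        # ESTABLISHED: the packet belongs to a session seen in either direction.
        if fwd in self.conntrack or rev in self.conntrack:
            return "ACCEPT"
        # NEW outbound session: only from inside, only to allow-listed services.
        if (self._is_internal(pkt.src_ip) and pkt.syn
                and (pkt.dst_ip, pkt.dst_port) in self.allowed_outbound):
            self.conntrack.add(fwd)
            return "ACCEPT"
        # Everything else, including unsolicited inbound to an ephemeral port.
        return "DROP"


def open_session(fw: StatefulFirewall, client_ip: str, server_ip: str,
                 server_port: int, rng: random.Random) -> tuple[int, str]:
    """The client stack picks an ephemeral source port and sends the opening packet."""
    sport = rng.choice(EPHEMERAL_RANGE)
    verdict = fw.filter(Packet(client_ip, sport, server_ip, server_port, syn=True))
    return sport, verdict


def demo(seed: int = 1) -> dict[str, object]:
    """Run the scenario and return every verdict keyed by what it demonstrates."""
    rng = random.Random(seed)
    client, vendor, stranger = "10.0.0.5", "203.0.113.10", "198.51.100.7"  # constructed
    fw = StatefulFirewall("10.0.0.", allowed_outbound={(vendor, 443)})
    sport, outbound_new = open_session(fw, client, vendor, 443, rng)
    return {
        "ephemeral_port": sport,
        "outbound_new": outbound_new,                                        # ACCEPT
        "return_traffic": fw.filter(Packet(vendor, 443, client, sport)),     # ACCEPT
        "spoofed_reply": fw.filter(Packet(stranger, 443, client, sport)),    # DROP
        "inbound_scan": fw.filter(Packet(stranger, 12345, client, 40000, syn=True)),  # DROP
        "outbound_unlisted": fw.filter(
            Packet(client, rng.choice(EPHEMERAL_RANGE), vendor, 8080, syn=True)),     # DROP
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```

The "spoofed_reply" case is the one that matters for the original question: a packet from an unrelated address aimed at the same ephemeral port is dropped even though that port is "open" for the tracked session, because the state entry is keyed on both endpoints. Opening the whole ephemeral range inbound for 1,300 addresses would bypass exactly that check. The caveat is protocols where the remote side legitimately initiates a connection back to an ephemeral port, active-mode FTP's data channel being the classic case; real firewalls handle that with a RELATED helper tied to the control session, which is why a filter that simply blocks the range breaks plain FTP, as the later post notes.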

Their reasoning is that they deploy services and functionality that uses these ports and various ip addresses. I disagree and call bullshit.

I asked them to supply a list of a few ports and ip addresses to connect to and they said they can't. I called bullshit.

I asked them to supply technical references for other companies and they told me they can't and that all companies either open the ports or T1 to them. I called bullshit.

There's a third option that uses port 80/443 for a connection to a Citrix presented application. The install rep tells me that it doesn't have the same functionality as the locally installed client. I ask if he can provide a list of functionality that it does not provide. He tells me that it's too long to list.

So I request the "list". I call bullshit, again, and quote the install doc telling me that the Citrix presented application is the EXACT same application installed locally.

He then tells me to talk to our sales rep and leads me to believe that he's obviously trying to pull something.

This is bloomberg.com btw and their wonderful Bloomberg service.

-----------

Believe me I know the issues with the ephemeral ports. He wants us to open the ports, including various other ports, on our firewall to the WAN. From internal sources to external sources and vice versa.

We actually have a firewall vendor which is a great company. It's a Squid proxy firewall, btw. They've stated that they block that port range. It's one of the reasons why we don't use regular FTP sessions.

Link to comment
Share on other sites

All these hoops to jump through to get a T1 installed? I call BS. I assume they also are arranging an IDS service for you (and will charge you for it). I've had to work around those situations before; however, I was always given a very clear (and short) list of firewall rules to configure. The ones I've dealt with drop an appliance on the network, have me configure a mirror port on a switch or put the device inline, and allow them remote access to the device. The customer pays them for active network monitoring and that's what they get.

No ISP should request you open ports or install anything for them, so I assume you've left something out in this story and might have a similar situation that I ran into. Either way, you should be allowed to get a full, technical, explanation of any changes you need to make to YOUR equipment.

Link to comment
Share on other sites
