kickarse Posted August 20, 2009

So we have a vendor who wants us to basically open up all ephemeral ports to about 1,300+ IP addresses on 6 subnets. How would you guys feel about that? I know that I feel pissed off that they want us to do this or buy a dedicated T1 to them to bypass this hole. They keep giving the runaround that we somehow need all of this. Please chime in with your thoughts. I'd love to get the security/hacking community's view on this.
Jason Cooper Posted August 20, 2009

What is their reasoning behind all of this? I am sure there are a lot of better ways of doing this than opening up your system to such a large number of IP addresses. Recently we had a supplier that told us that to run their system we needed to make sure that iptables wasn't running. Strangely enough, once I had figured out the ports they used and actually added in the required rules, iptables worked fine.
digip Posted August 20, 2009

I'm confused: you need to open ports for the internal LAN, or is this for some sort of NAT translation so the outside (1,300+ sites) can reach your internal network/extranet/subnets? That doesn't make sense, since those ports are used on the client's side and are not tied to any service or well-known ports a client might be trying to reach. Where are the ports being opened, and for what purpose? The upper ephemeral ports are automatically used during the client's session and will randomly be picked by the device/client stack creating the session to the remote IP. The stack should then discard and only reuse that port when it has used up all other session ports. There are thousands of ports that can be used, and these upper ports are usually not blocked to begin with, per se. Firewalls will usually just drop packets for any IP trying to reach something on the inside using those ports if it's not an already established session between two endpoints; in other words, any anonymous requests for something on the inside using the ephemeral port range will/should be dropped anyway.
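To make the stateful behaviour digip describes concrete (and the narrow rule list Jason Cooper ended up writing instead of disabling iptables), here is an added example that is not from the thread or from any vendor: a toy connection tracker that allows only internally initiated flows to a vendor allowlist and drops unsolicited inbound packets to the ephemeral range. The vendor subnets, the internal host and the port 8194 are constructed placeholders, not real Bloomberg values.

```python
import ipaddress
from collections import namedtuple

# Constructed placeholders: the vendor-facing subnets and the outbound ports the
# vendor is assumed to need (a real list must come from the vendor's documentation).
VENDOR_SUBNETS = [ipaddress.ip_network(s) for s in ("203.0.113.0/24", "198.51.100.0/24")]
VENDOR_PORTS = {443, 8194}
EPHEMERAL = range(49152, 65536)  # IANA dynamic/private port range

Packet = namedtuple("Packet", "src dst sport dport")


class StatefulFilter:
    """Minimal stateful filter: a reply is accepted only if an inside host opened the flow."""

    def __init__(self):
        # Tracked flows keyed as (internal_ip, internal_port, remote_ip, remote_port).
        self.flows = set()

    @staticmethod
    def _is_vendor(ip):
        return any(ipaddress.ip_address(ip) in net for net in VENDOR_SUBNETS)

    def outbound(self, pkt):
        """Inside -> WAN: allowed only to vendor subnets on the agreed destination ports."""
        if self._is_vendor(pkt.dst) and pkt.dport in VENDOR_PORTS:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))  # NEW flow
            return "ACCEPT"
        return "DROP"

    def inbound(self, pkt):
        """WAN -> inside: accepted only as the ESTABLISHED reply leg of a tracked flow."""
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ACCEPT"
        # Unsolicited, even from a vendor IP and even when dport is in EPHEMERAL.
        return "DROP"


def simulate():
    """Run constructed traffic through the filter; returns the verdict per packet."""
    fw = StatefulFilter()
    return [
        ("client opens session to vendor", fw.outbound(Packet("10.0.0.5", "203.0.113.10", 51000, 8194))),
        ("vendor reply on that session", fw.inbound(Packet("203.0.113.10", "10.0.0.5", 8194, 51000))),
        ("vendor probes another ephemeral port", fw.inbound(Packet("203.0.113.10", "10.0.0.5", 8194, 51001))),
        ("other vendor subnet, no session", fw.inbound(Packet("198.51.100.7", "10.0.0.5", 3389, 60000))),
        ("client to non-vendor host", fw.outbound(Packet("10.0.0.5", "192.0.2.9", 51002, 8194))),
    ]


if __name__ == "__main__":
    for label, verdict in simulate():
        print(f"{verdict:6} {label}")
```

The point is that no inbound rule for the ephemeral range is needed at all: the reply in the second packet is accepted by the connection state, not by a port allowlist.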
kickarse Posted August 20, 2009 (Author)

Their reasoning is that they deploy services and functionality that use these ports and various IP addresses. I disagree and call bullshit. I asked them to supply a list of a few ports and IP addresses to connect to and they said they can't. I called bullshit. I asked them to supply technical references for other companies and they told me they can't and that all companies either open the ports or T1 to them. I called bullshit. There's a third option that uses port 80/443 for a connection to a Citrix-presented application. The install rep tells me that it doesn't have the same functionality as the locally installed client. I ask if he can provide a list of functionality that it does not provide. He tells me that it's too long to list. So I request the "list". I call bullshit, again, and quote the install doc telling me that the Citrix-presented application is the EXACT same application installed locally. He then tells me to talk to our sales rep and leads me to believe that he's obviously trying to pull something. This is bloomberg.com btw and their wonderful Bloomberg service.

-----------

Believe me, I know the issues with the ephemeral ports. He wants us to open the ports, including various other ports, on our firewall to the WAN. From internal sources to external sources and vice versa. We actually have a firewall vendor which is a great company. It's a Squid proxy firewall, btw. They've stated that they block that port range. It's one of the reasons why we don't use regular FTP sessions.
decepticon_eazy_e Posted August 22, 2009

> Their reasoning is that they deploy services and functionality that use these ports and various IP addresses. I disagree and call bullshit. I asked them to supply a list of a few ports and IP addresses to connect to and they said they can't. I called bullshit. I asked them to supply technical references for other companies and they told me they can't and that all companies either open the ports or T1 to them. I called bullshit. There's a third option that uses port 80/443 for a connection to a Citrix-presented application. The install rep tells me that it doesn't have the same functionality as the locally installed client. I ask if he can provide a list of functionality that it does not provide. He tells me that it's too long to list. So I request the "list". I call bullshit, again, and quote the install doc telling me that the Citrix-presented application is the EXACT same application installed locally. He then tells me to talk to our sales rep and leads me to believe that he's obviously trying to pull something. This is bloomberg.com btw and their wonderful Bloomberg service.
>
> -----------
>
> Believe me, I know the issues with the ephemeral ports. He wants us to open the ports, including various other ports, on our firewall to the WAN. From internal sources to external sources and vice versa. We actually have a firewall vendor which is a great company. It's a Squid proxy firewall, btw. They've stated that they block that port range. It's one of the reasons why we don't use regular FTP sessions.

All these hoops to jump through to get a T1 installed? I call BS. I assume they also are arranging an IDS service for you (and will charge you for it). I've had to work around those situations before; however, I was always given a very clear (and short) list of firewall rules to configure.

The ones I've dealt with drop an appliance on the network, have me configure a mirror port on a switch or put the device inline, and allow them remote access to the device. The customer pays them for active network monitoring and that's what they get. No ISP should request you open ports or install anything for them, so I assume you've left something out in this story and might have a similar situation to the one I ran into. Either way, you should be allowed to get a full, technical explanation of any changes you need to make to YOUR equipment.