What is the relationship between open port range and overall risk?

Please offer advice on this scenario: There is a server located behind a firewall, and a client that is in a DMZ. The client needs to access a backup service, but when connecting to the server, it requires a range of ports, which will often vary with each backup. If four open ports are necessary for backup services to run, the server can be compromised from those four open ports. But if 40 ports need to be opened, will that increase the risk ten-fold? In other words, is a network's total security risk related to the number of ports open between a client and server, and if so, is there another way around this conundrum?

I would hesitate to draw a direct parallel between the number of open ports and the overall security risk. I'm more comfortable expressing risk in terms of the number of available services and the range of hosts that those services are exposed to. If all 40 ports are proprietary services used by the backup application, as opposed to Windows file sharing and other more general-purpose ports, the risk of exposing all of them is probably not much greater than the risk of exposing a handful. Exposing a large number of well-known ports, however, could be a substantial risk, depending upon the nature of those ports.

I'm going to assume that you're using a protocol that has a single arbitrary port for each connection negotiated between the client and the server. That's the case for a number of backup systems. If so, you may be able to configure and narrow down the port range to just high-numbered ones, those unused by other services. Once you limit the number of ports, be sure to also tightly control and reduce the IP range of systems that may connect to the server.

It's important to remember that security and convenience often have an inverse relationship. The true art of security is balancing the two and reaching compromises that effectively secure an organization's data while still allowing the company to meet its business objectives.
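As an added illustration of the two controls the answer recommends (a narrow, high-numbered port range and a tightly limited source address), here is a small shell script that generates an nftables ruleset for the backup server. It is example code written for this page, not part of the original answer or of any backup product. The values are assumptions: the DMZ client is 10.20.0.15, the backup control port is 10000, and the negotiated data ports have been confined to 50000-50039; the 49152-65535 window and the 64-port cap are this example's own sanity limits, not a requirement of any product.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that exposes a backup server's
# negotiated data-port range to a single DMZ client only.
# Assumed (hypothetical) values: client 10.20.0.15, control port 10000,
# data ports 50000-50039. Adjust for the real backup software.

# port_range_ok LOW HIGH
# Succeed only if LOW-HIGH sits inside the IANA dynamic/private range
# (49152-65535), i.e. above every well-known and registered service port,
# and spans at most 64 ports. These limits are this example's own policy.
port_range_ok() {
    low=$1; high=$2
    [ "$low" -ge 49152 ] && [ "$high" -le 65535 ] && [ "$low" -le "$high" ] \
        && [ $((high - low + 1)) -le 64 ]
}

# gen_rules CLIENT CONTROL_PORT LOW HIGH
# Print an nftables ruleset: default-drop inbound, with the control port and
# the data-port range reachable from CLIENT alone. Refuses a range that
# fails port_range_ok, so a misconfigured low range is never emitted.
gen_rules() {
    client=$1; ctl=$2; low=$3; high=$4
    port_range_ok "$low" "$high" || {
        echo "refusing port range $low-$high: not a narrow high range" >&2
        return 1
    }
    cat <<EOF
table inet backup {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        # backup control channel, reachable from the DMZ client only
        ip saddr $client tcp dport $ctl ct state new accept
        # negotiated data ports, same single source address
        ip saddr $client tcp dport $low-$high ct state new accept
    }
}
EOF
}

# Usage (hypothetical values): pipe into `nft -f -` on the server after review.
gen_rules 10.20.0.15 10000 50000 50039
```

Reading the generated ruleset against the answer's framing: the number of exposed services is two (control channel and data channel) and the exposed host range is one address, regardless of whether the data range is 4 or 40 ports wide. Widening the range to a low-numbered window, or loosening `ip saddr` to a subnet, is what actually grows the exposure, and the generator refuses the first of those outright.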

More information:

  • A company may claim it has an "application" that allows computers to communicate without opening any ports. Should you believe the hype?
  • See how open ports can increase LAN exposure.

This was first published in September 2007.