What is the relationship between open port range and overall risk?
Please offer advice on this scenario: There is a server located behind a firewall, and a client that is in a DMZ. The client needs to access a backup service, but when connecting to the server, it requires a range of ports, which will often vary with each backup. If four open ports are necessary for backup services to run, the server can be compromised from those four open ports. But if 40 ports need to be opened, will that increase the risk ten-fold? In other words, is a network's total security risk related to the number of ports open between a client and server, and if so, is there another way around this conundrum?
I would hesitate to draw a direct parallel between the number of open ports and the overall security risk. I'm more comfortable expressing risk in terms of the number of available services and the range of hosts that those services are exposed to. If all 40 ports are proprietary services used by the backup application, as opposed to Windows file sharing and other more general-purpose ports, the risk of exposing all of them is probably not much greater than the risk of exposing a handful. Exposing a large number of well-known ports, however, could be a substantial risk, depending upon the nature of those ports.
I'm going to assume that you're using a protocol that has a single arbitrary port for each connection negotiated between the client and the server. That's the case for a number of backup systems. If so, you may be able to configure and narrow down the port range to just high-numbered ones, those unused by other services. Once you limit the number of ports, be sure to also tightly control and reduce the IP range of systems that may connect to the server.
It's important to remember that security and convenience often have an inverse relationship. The true art of security is balancing the two and reaching compromises that effectively secure an organization's data while still allowing the company to meet its business objectives.
More information:A company may claim it has an "application" that allows computers to communicate without opening any ports. Should you believe the hype?
See how open ports can increase LAN exposure.
This was first published in September 2007