
	Home > Ask the Security Experts > Network Security Questions & Answers > What is the relationship between open port range and overall security risk?

Ask The Security Expert: Questions & Answers

EMAIL THIS

What is the relationship between open port range and overall security risk?

EXPERT RESPONSE FROM: Mike Chapple

		Pose a Question

		Other Security Categories

		Meet all Security Experts
		Become an Expert for this site

Digg This!

StumbleUpon

Del.icio.us

QUESTION POSED ON: 12 August 2007
Please offer advice on this scenario: There is a server located behind a firewall, and a client that is in a DMZ. The client needs to access a backup service, but when connecting to the server, it requires a range of ports, which will often vary with each backup. If four open ports are necessary for backup services to run, the server can be compromised from those four open ports. But if 40 ports need to be opened, will that increase the risk ten-fold? In other words, is a network's total security risk related to the number of ports open between a client and server, and if so, is there another way around this conundrum?

EXPERT RESPONSE
I would hesitate to draw a direct parallel between the number of open ports and the overall security risk. I'm more comfortable expressing risk in terms of the number of available services and the range of hosts that those services are exposed to. If all 40 ports are proprietary services used by the backup application, as opposed to Windows file sharing and other more general-purpose ports, the risk of exposing all of them is probably not much greater than the risk of exposing a handful. Exposing a large number of well-known ports, however, could be a substantial risk, depending upon the nature of those ports.

I'm going to assume that you're using a protocol that has a single arbitrary port for each connection negotiated between the client and the server. That's the case for a number of backup systems. If so, you may be able to configure and narrow down the port range to just high-numbered ones, those unused by other services. Once you limit the number of ports, be sure to also tightly control and reduce the IP range of systems that may connect to the server.

It's important to remember that security and convenience often have an inverse relationship. The true art of security is balancing the two and reaching compromises that effectively secure an organization's data while still allowing the company to meet its business objectives.

More information:

A company may claim it has an "application" that allows computers to communicate without opening any ports. Should you believe the hype?

See how open ports can increase LAN exposure.

Digg This!

StumbleUpon

Del.icio.us

RELATED CONTENT

	Network Security
	What warning signs will indicate the presence of a P2P botnet?
	What reporting tools are available for an enterprise IDS?
	Is it possible to allow select access to IP addresses using Windows Server 2003?
	Is an IPsec VPN necessary when connecting remote servers that process financial transactions?
	What are best practices for creating an IDS and maintaining a signature database?
	What are the best ways to hide system information from network scanning software?
	What are the security risks of opening all the ports on an internal router?
	Will Cisco's plan to open access to the IOS improve network security?
	Will VoIP attacks result in more than just spam?
	Should enterprises implement a mandatory iPhone VPN?

TCP/IP

Are open recursive DNS servers inherently insecure?

How to protect DNS servers

What to consider before opening a port

Will iptables screen UDP traffic?

Troubleshooting proxy firewall connections

Admins run into trouble with Microsoft updates

Microsoft to release DNS patch Tuesday

Database security undermined by protocol loopholes, lax defenses

'Worm' targets Sun Solaris Telnet flaw

Can a TCP connection be made without an open port?

Data Backup

Should users have a removable boot drive for online banking?

Should whole disk encryption products be used with data backup software?

Will one failed drive corrupt the rest of a RAID-5 array?

The Craft of System Security

Can confidential data be accessed once it is deleted for free space?

Examining DoD-level secure erasure guidelines

Compliance, data breaches heighten database security needs

Are encryption products better than self-destructing data?

What is a logic bomb?

What should be done with a RAID-5 array's failed drives?

RELATED GLOSSARY TERMS

Terms from Whatis.com − the technology online dictionary

digest authentication (SearchSecurity.com)

IGP (SearchSecurity.com)

IP spoofing (SearchSecurity.com)

Secure Sockets Layer (SearchSecurity.com)

smurfing (SearchSecurity.com)

Transport Layer Security (SearchSecurity.com)

RELATED RESOURCES

2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems

Search Bitpipe.com for the latest white papers and business webcasts

Whatis.com, the online computer dictionary

Search and Browse the Expert Answer Center
Search and browse more than 25,000 question and answer pairs from more than 250 TechTarget industry experts.

Browse our Expert Advice
Operating Systems IT Management Networking Database	Security Servers and Storage Applications and Development Career Center

Find Security Solutions for Your Business
Targeted Security Channel Tips for Resellers, Integrators and Consultants

View this month\\'s issue and subscribe today.

Apply online for free conference admission.

SEARCH :

Advanced Search | Site Index

TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.


TechTarget Corporate Web Site \| Media Kits \| Reprints \| Site Map All Rights Reserved, Copyright 2003 - 2008, TechTarget \| Read our Privacy Policy