Please offer advice on this scenario: There is a server located behind a firewall, and a client that is in a DMZ. The client needs to access a backup service, but when connecting to the server, it requires a range of ports, which will often vary with each backup. If four open ports are necessary for backup services to run, the server can be compromised from those four open ports. But if 40 ports need to be opened, will that increase the risk ten-fold? In other words, is a network's total security risk related to the number of ports open between a client and server, and if so, is there another way around this conundrum?
I would hesitate to draw a direct parallel between the number of open ports and the overall security risk. I'm more comfortable expressing risk in terms of the number of available services and the range of hosts that those services are exposed to. If all 40 ports are proprietary services used by the backup application, as opposed to Windows file sharing and other more general-purpose ports, the risk of exposing all of them is probably not much greater than the risk of exposing a handful. Exposing a large number of well-known ports, however, could be a substantial risk, depending upon the nature of those ports.
I'm going to assume that you're using a protocol that has a single arbitrary port for each connection negotiated...
between the client and the server. That's the case for a number of backup systems. If so, you may be able to configure and narrow down the port range to just high-numbered ones, those unused by other services. Once you limit the number of ports, be sure to also tightly control and reduce the IP range of systems that may connect to the server.
It's important to remember that security and convenience often have an inverse relationship. The true art of security is balancing the two and reaching compromises that effectively secure an organization's data while still allowing the company to meet its business objectives.
A company may claim it has an "application" that allows computers to communicate without opening any ports. Should you believe the hype?
See how open ports can increase LAN exposure.
Dig Deeper on Data security strategies and governance
Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ...
It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ...
The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ...