Problem solve Get help with specific problems with your technologies, process and projects.

What to consider before opening a port

Recently, a reader asked network expert Mike Chapple, "What would be the security implications of opening six ports through a firewall?" Chapple reviews what questions need to be addressed before an organization exposes any network ports.

What would be the security implications of opening ports 2189, 2190, 2192, 2193, 2194 and 2196?
In this question, you're asking about the risk associated with opening six ports through a firewall. There's not really an easy way to answer that question, for two reasons. First, the decision to allow any traffic through a firewall is a business decision specific to an organization. It must be based upon balancing security and risk management objectives with business objectives. A firewall rule that might be completely appropriate in one organization might cause a dramatic undermining of security policy in another.

Second, any application can run on any port. Rather than basing the decision solely upon the port number, the decision makers must consider the applications that will run on those ports.

For example, consider two different organizations running Web servers on port 80. One is an e-commerce site using the Web server to sell goods to the public. The other is a military intelligence organization using the Web server for internal sharing of highly classified information. In this black-and-white example, it's fairly obvious that the e-commerce site needs a firewall rule allowing port 80 from the Internet to the Web server. On the other hand, the military intelligence outfit would definitely not want to allow a similar kind of inbound access.

The best answer I can offer you is that you need to consider the risks and make a decision appropriate for your enterprise. Here are a few questions you should ask yourself that will help inform your decision:

  • What is the business case for opening these ports?
  • What service(s) will run on the exposed ports?
  • What is the destination scope of the rule? Will it be limited to systems in the DMZ? Will it be limited to a single system or a broad group of systems?
  • What is the source scope of the rule? Will it be limited to a single system or network, or will it be exposed to the entire Internet? Who controls those system(s)?
  • What type of information will be transferred over this connection? Will it be encrypted?
The answers to these questions will help you form the basis of a risk assessment. When you balance the business objectives facilitated by this rule against the security risk inherent in their creation, you should be able to reach a sound business decision regarding their appropriateness for your environment.

For more information:

  • Learn more about the relationship between open port range and overall security risk?
  • A company may claim it has an "application" that allows computers to communicate without opening any ports. Should you believe the hype?
  • This was last published in January 2008

    Dig Deeper on Network device security: Appliances, firewalls and switches