Request to open port

  1. #1
    Junior Member
    Join Date
    Jul 2002
    Posts
    8

    Request to open port

    I have been requested to open a particular port on my firewall for my CRM software developer and have done so in order to conduct business with them. (They also use PC Anywhere to remotely access a machine on my network). I know that these were probably not the wisest decisions, but live and learn. I have lived, now I hope to learn.

    I have closed off their access to PC Anywhere (ie closed those well known ports on my firewall), but they installed Dameware (apparently over the other port they asked I open??) and accessed the computer on my network. I can close this other port and the situation goes away, but as I am trying to learn here, what are the implications of having that port open to TCP traffic? How big a hole do I open up when I open up this port? I have it linked to a particular machine on my LAN. I tried to mimic what they did, by installing Dameware from outside my network and could not make it happen. Install doesn't fail, but it doesn't succeed either.

    Any suggestions and help in gaining a better understanding of what is going on here would be much appreciated. Thanks.
    Not all those who wander are lost - J.R.R. Tolkien

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Which port were they asking you to open? Which ports did you open and which ports do you now have closed?

    Did they ask your permission to install anything other than their own product?
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I am in the same boat as you. I have many many B2B alliances that have open ports, actually you don't have to open any ports if you set it up to allow incoming connections that are initiated from the inside. But they have PC anywhere access that is OUTGOING only and I keep the application shut off until they need it and then I (or my operators) initiate the connection. If you want to do business with additional companies it's inevitable. That is where monitoring and security procedures come in place along with contacts and non-disclosure agreements in addition to adding lines like, do not access additional file shares etc. in liability contracts.

    As for the additional product... that would piss me off drastically. I have problems with users calling vendor tech support and then letting them in using webx. It makes me turn red but at the same time, not fixing the problem could cost thousands in lost revenue.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #4
    Junior Member
    Join Date
    Jul 2002
    Posts
    8
    Tiger Shark & RoadClosed

    They asked me to open a specific port, which I still have open. The other ports they wanted open were the default PC Anywhere ports (5631 & 5632), which are now closed.

    I could not allow them access more specifically or on an as needed basis, because they said they do not connect from a specific IP each time, and they do not know what time of the day (or night) they will need to be on.

    They did not ask to install additional software (ie Dameware) on my machine. Kinda pisses me off.

    What kind of risk is that open port exposing me to? Is there a reason I can't replicate their Dameware install? If you knew the port and my IP what would keep you from installing Dameware as well (Windows Authentication?)

    Thanks for your help
    Not all those who wander are lost - J.R.R. Tolkien

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    This is why we have a VPN solution for B2B relationships. It significantly reduces our exposure at the perimeter and we can *closely* watch and control what they can and cannot do. If you plan to continue with vendors, I'd recommend looking into a VPN solution.

    Keep in mind, by simply opening ports through the firewall (unencrypted traffic) you may expose sensitive corporate data.

    Anyhow, my two cents.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    I'm with Hoss on this..... Punching holes through a firewall for every Tom, Dick and Harry is asking for trouble. The biggest issue is that you forget to reblock a port when a contract ends.... or worse still no-one tells you the contract has ended.....

    Now lemme see..... The open port on you system leads me right to a remote administration system on one of your servers...... Hmmmmm...... My suggestion would be that if I find the port and IP you are hosed..... If it is the standard port for Dameware per their web site FAQ it's quite possible that someone who was really interested in your network could find it during an extensive footprinting session.

    I would suggest that you close the port and force them to VPN in. Once VPN'ed they can use the client to tunnel to the server through the VPN.... It's more secure and you have better control and monitoring ability over the VPN. I would also REAM THEIR @$$3$ for installing anything on your systems.... period! I'm guessing this is a production server and as such there should only be one entity loading and unloading stuff.... Your IT department.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  7. #7
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    The one good thing about working for the Government is that we have a stack of agreements that vendors must sign before they can even walk in the door. Another way to combat this awfulness is to make them sign an agreement as to what exactly they can and cannot install. Technology will protect you to a point, I'd say leverage other tools like the legal dept.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  8. #8
    Junior Member
    Join Date
    Jul 2002
    Posts
    8
    Thanks - that port has now been closed. But why we are discussing ports...

    What is the difference between what I described above and allowing SMTP or OWA traffic in? Are these holes of the same type as described above and should they be done away with or secured differently? I guess since I am a newbie, I am naive about potential risks.
    Not all those who wander are lost - J.R.R. Tolkien

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    the19man: Ports for OWA, SMTP, HTTP, FTP etc. _should_ lead to servers running services that only provide files. They should be secured and monitored. Your port was open to a service that provides remote control of the system in the context of the logged in user. That would be a high priority target for anyone if they found it. There are a million web/mail/ftp servers out there and none of them _should_ provide the potential for system administration like yours did.

    Remember for the future:- your contractors don't give a $h1t about your security. Their only care is to get their job done as quickly and cost effectively as they can so that they can get paid and move on to the next contract. They will not be the ones suffering the consequences of a compromise of your systems - in fact - if their program gets damaged they might be able to make some additional cash off it - even though it was their hole the compromise took place through.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
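The distinction drawn in #9 (a file-serving port versus a port that lands on a remote-control service) and the stale-rule problem raised in #6 can be turned into a routine audit of the firewall's inbound forwards. The script below is an added example, not from anyone in the thread: the rule fields, hosts, dates and the placeholder port 7000 (standing in for the unnamed "specific port" the vendor asked for) are all constructed.

```python
"""Audit inbound port-forward rules the way the thread suggests: a forward that
lands on a remote-control tool is flagged outright, and a vendor-access rule is
flagged if it accepts any source address or its contract has lapsed or was
never recorded. Public file-serving ports (web, mail) are expected and pass.
Added example; every rule, host, port and date below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

PCANYWHERE_PORTS = {5631, 5632}        # default pcAnywhere ports named in the thread
REMOTE_CONTROL_WORDS = ("pcanywhere", "dameware", "remote control", "remote admin", "vnc")
AUDIT_DATE = date(2004, 1, 15)         # constructed "today" for the sample run

@dataclass
class ForwardRule:
    name: str                           # admin's description of the rule
    purpose: str                        # "public-service" or "vendor-access"
    src: str                            # "any" or the CIDR the peer connects from
    dport: int                          # external TCP port forwarded inbound
    dst_host: str                       # LAN host the traffic is sent to
    contract_end: Optional[date] = None # vendor-access rules only

def is_remote_control(rule: ForwardRule) -> bool:
    """True when the forward reaches a remote-administration service."""
    name = rule.name.lower()
    return rule.dport in PCANYWHERE_PORTS or any(w in name for w in REMOTE_CONTROL_WORDS)

def audit(rule: ForwardRule, today: date) -> List[str]:
    """Return the findings for one rule; an empty list means nothing to flag."""
    findings = []
    if is_remote_control(rule):
        findings.append("forwards to a remote-control service; close it and move the vendor to a VPN")
    if rule.purpose == "vendor-access":
        if rule.src == "any":
            findings.append("vendor rule accepts any source address")
        if rule.contract_end is None:
            findings.append("vendor rule has no contract end date, so it will never be reviewed")
        elif rule.contract_end < today:
            findings.append(f"vendor contract ended {rule.contract_end}; rule should be removed")
    return findings

def audit_all(rules: List[ForwardRule], today: date) -> dict:
    return {r.name: audit(r, today) for r in rules}

# Constructed rule set modelled on the thread (hosts are RFC 1918 / documentation ranges).
SAMPLE_RULES = [
    ForwardRule("CRM vendor pcAnywhere data", "vendor-access", "any", 5631, "10.0.0.25", date(2003, 6, 30)),
    ForwardRule("CRM vendor pcAnywhere status", "vendor-access", "any", 5632, "10.0.0.25", date(2003, 6, 30)),
    ForwardRule("CRM vendor support port", "vendor-access", "any", 7000, "10.0.0.25"),   # 7000 is a placeholder
    ForwardRule("Public web server", "public-service", "any", 80, "10.0.0.10"),
    ForwardRule("Payroll vendor SFTP", "vendor-access", "203.0.113.0/24", 22, "10.0.0.30", date(2010, 1, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_RULES, AUDIT_DATE).items():
        print(f"{name}: {findings or ['ok']}")
```

In the sample run the two pcAnywhere forwards collect three findings each, the unrestricted support-port forward two, and the web server and the source-restricted SFTP forward none.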

  10. #10
    Junior Member
    Join Date
    Jul 2002
    Posts
    8
    Thanks for your help Tiger Shark (and others). Beginning to understand.
    Not all those who wander are lost - J.R.R. Tolkien
