Request to open port

Printable View

July 31st, 2003, 04:51 PM
the19man

Request to open port

I have been requested to open a particular port on my firewall for my CRM software developer and have done so in order to conduct business with them. (They also use PC Anywhere to remotely access a machine on my network). I know that these were probably not the wisest decisions, but live and learn. I have lived, now I hope to learn.

I have closed off their access to PC Anywhere (ie closed those well know ports on my firewall), but they installed Dameware (apparently over the other port they asked I open??) and accessed the computer on my network. I can close this other port and the situation goes away, but as I am trying to learn here, what are the implications of having that port open to TCP traffic? Hpw big a hole do I open up when I open up this port? I have it linked to a particualr machine on my LAN. I tried to mimic what they did, by installing Dameware from outside my network and could not make it happen. Install doesn't fail, but it doesn't succeed either.

Any suggestions and help in gaining a better understanding of what is going on here would be much appreciated. Thanks.
July 31st, 2003, 04:59 PM
Tiger Shark

Which port were they asking you to open? Which ports did you open and which ports do you now have closed?

Did they ask your permission to install anything other than their own product?
July 31st, 2003, 05:18 PM
RoadClosed

I am in the same boat as you. I have many many B2B alliances that have open ports, actually you don't have to open any ports if you set it up to allow incoming connections that are initiated from the inside. But they have PC anywhere access the is OUTGOING only and I keep the application shut off until they need it and then I (or my operators) initiate the connection. If you want to do business with additional companies it's inevitable. That is where monitoring and security procedures come in place along with contacts and non-disclosure agreements in addition to adding lines like, do not access aditional files shares etc. in liabilty contracts.

As for the additional product... that would piss me off drastically. I have problems with users calling vendor tech support and then letting them in using webx. It makes me turn red but at the same time, not fixing the problem could cost thousands in lost revenue.
July 31st, 2003, 07:19 PM
the19man

Tiger Shark & RoadClosed

They asked me to open a specific port, which I still have open. The other ports they wanted open were the default PC Anywhere ports (5631 & 5632), which are now closed.

I could not allow them access more specifically or on an as needed basis, becasue they said the do not connect from specific IP each time, and they do not know what time of the day (or night) they will need to be on.

The did not ask to install additional software (ie Dameware) on my machine. Kinda pisses me off.

What kind of risk is that open port exposing me to? Is there a reason I can't replicate theor Dameware install? If you knew the port and my IP what would keep you from installing Dameware as well (Windows Authentication?)

Thanks for your help
July 31st, 2003, 07:27 PM
thehorse13

This is why we have a VPN solution for B2B relationships. It significantly reduces our exposure at the perimeter and we can *closely* watch and control what they can and cannot do. If you plan to continue with vendors, I'd recommend looking into a VPN solution.

Keep in mind, by simply opening ports through the firewall (unencrypted traffic) you may expose sensitive corporate data.

Anyhow, my two cents.
July 31st, 2003, 08:01 PM
Tiger Shark

I'm with Hoss on this..... Punching holes through a firewall for every Tom, Dick and Harry is asking for trouble. The biggest issue is that you forget to reblock a port when a contract ends.... or worse still no-one tells you the contract has ended..... :mad:

Now lemme see..... The open port on you system leads me right to a remote administration system on one of your servers...... Hmmmmm...... My suggestion would be that if I find the port and IP you are hosed..... If it is the standard port for Dameware per their web site FAQ it's quite possible that someone who was really interested in your network could find it during an extensive footprinting session.

I would suggest that you close the port and force them to VPN in. Once VPN'ed they can use the client to tunnel to the server through the VPN.... It's more secure and you have better control and monitoring ability over the VPN. I would also REAM THEIR @$$3$ for installing anything on your systems.... period! I'm guessing this is a production server and as such there should only be one entity loading and unloading stuff.... Your IT department.....
July 31st, 2003, 08:06 PM
thehorse13

The one good thing about working for the Government is that we have a stack of agreements that vendors must sign before they can even walk in the door. Another way to combat this awfulness is to make them sign an agreement as to what exactly they can and cannot install. Technology will protect you to a point, I'd say leverage other tools like the legal dept. :)
July 31st, 2003, 08:41 PM
the19man

Thanks - that port has now been closed. But why we are discussing ports...

Whats is the difference between what I described above and allowing SMTP or OWA traffic in? Are these holes of the same type as described above and should be done away with or secured differently. I guess since I am a newbie, I am naive about potential risks.
July 31st, 2003, 08:54 PM
Tiger Shark

the19man: Ports for OWA, SMTP, HTTP, FTP etc. _should_ lead to server running services that only provide files. They should be secured and monitored. Your port was open to a service that provides remote control of the system in the context of the logged in user. That would be a high priority target for anyone if they found it. There are a million web/mail/ftp servers out there and none of them _should_ provide the potential for system administration like yours did.

Remember for the future:- your contractors don't give a $h1t about your security. There only care is to get their job done as quickly and cost effectively as they can so that they can get paid and move on to the next contract. They will not be the ones suffering the consequences of a compromise of your systems - in fact - if their program gets damaged they might be able to make some additional cash off it - even though it was their hole the compromise took place through.
July 31st, 2003, 09:05 PM
the19man

Thanks for your help Tiger Shark (and others). Beginning to understand.
July 31st, 2003, 09:22 PM
thehorse13

Yes, and to add to the OWA question, best practice dictates that you should use SSL connections to OWA, not clear text via port 80, which is the default method. Now, as far as placement of the servers behind the firewall, that's another conversation altogether. :)
July 31st, 2003, 11:59 PM
RoadClosed

Quote:

I could not allow them access more specifically or on an as needed basis, because they said the do not connect from specific IP each time, and they do not know what time of the day (or night) they will need to be on.

dOOd! I would NOT put up with that.

1. You WILL connect on an as needed basis.
2. You will inform me when you connect and you will get my permission (this isn't a persistent connection and that is BS on their part)
3. You will comply, there is no option.

I am very lenient with B2B, I mean you have to sometimes, but that is just unprofessional and if they are a consultant or something I would seriously consider their future and value. Business card in the TRASH!

Are these guys telecommuters or something or is this an entirely different company telling you this? If it’s another company I would never let them walk on me like that. You did the right thing.