Danger of opening ports

Hi all,

I was wondering if someone could give me a bit of advice. We have a NAT firewall on our Internet connection. There are a couple of servers behind this that provide services to users from the Internet. These are connected to with HTTPS connections on ports 81 and 443.

These ports are obviously open on the firewall.

Is there any danger in opening up further ports? If I open up port 80, will I be at any more risk than having the other ports open? As long as the servers are patched and have AV will I be ok?

Is there any greater risk involved in having port 80 open than any other port?

Thanks,

Gary.


Just opening a port or not doesn't determine the risk - the risk is determined by the service LISTENING on that port, and the machine it runs on.

Juergen Nieveler


Yes, but they don't lead TO the firewall, but to some other boxes behind the firewall.

"That depends". You are offering greater _opportunities_ for dangers, but the order of magnitude depends on the skill of the person who programs those servers - what is allowed, what is not - as well as the quality of the server software and any dependencies it may have. For example, if the extra port leads to a server that returns files from read-only media, you are at substantially less risk than if the request generates interactive data responses based on files that are located on another server that really shouldn't even have Internet access, or from a workstation run by a user who always clicks the OK button without reading anything.

Above. If you are concerned about a "drive by attack", then it is much more likely that port 80 will be attacked than port 81 or 79 - merely because fewer people will be looking at random port numbers compared to those looking at ports where they can _expect_ to find a server.

No. Most risk occurs because of totally incompetent programmers setting up servers and not having the first clue as to how to do so in a secure manner. Why do you need AV? Are you allowing outsiders to install or upload stuff on your server? Probably not the most secure method. Worried that the server may catch something from the crap on the programmer's system? Fire that idiot, and get someone less incompetent. There is no such thing as a "Mal-Ware Fairy" that sneaks up while you aren't watching, waves a magic wand, and installs bad stuff - that's done by the people you trust doing something stupid.

Only because your average Internet luser expects every computer they can connect to to be running a web server. There are other ports that are exploited on servers not correctly configured.

Old guy

Moe Trin
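
Added example, not part of any post in this thread: both replies say the exposure comes from the service listening behind a forwarded port, so this sketch maps each forwarded port (81, 443 and the proposed 80 from the question) to the process that would actually answer it. It assumes a Linux server and parses `ss -tlnp` output; the sample output and the function names are constructed for illustration.

```python
import re

# Constructed sample of `ss -tlnp` output from one server behind the NAT firewall.
SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      511    0.0.0.0:81         0.0.0.0:*         users:(("nginx",pid=812,fd=7))
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      80     127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=701,fd=21))
LISTEN 0      128    [::]:8080          [::]:*            users:(("java",pid=955,fd=44))
"""

# Local address, local port, and (if ss ran with enough privilege) the process name.
LINE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(?:users:\(\("([^"]+)")?')
LOOPBACK = ("127.", "[::1]")  # sockets bound here are unreachable through a NAT forward


def parse_listeners(ss_text):
    """Return {port: [(bind_address, process_name), ...]} for listening TCP sockets."""
    listeners = {}
    for line in ss_text.splitlines():
        m = LINE.match(line)
        if m:
            addr, port, proc = m.group(1), int(m.group(2)), m.group(3) or "unknown"
            listeners.setdefault(port, []).append((addr, proc))
    return listeners


def audit_forwards(forwarded_ports, listeners):
    """Map each forwarded port to the processes an Internet client would reach.

    None means nothing answers on that port: the firewall rule exposes no
    service today, but will expose whatever later binds there.
    """
    report = {}
    for port in forwarded_ports:
        reachable = {proc for addr, proc in listeners.get(port, [])
                     if not addr.startswith(LOOPBACK)}
        report[port] = sorted(reachable) or None
    return report


if __name__ == "__main__":
    found = parse_listeners(SS_OUTPUT)
    for port, procs in audit_forwards([81, 443, 80], found).items():
        print(port, procs if procs else "no listener behind this forward")
```

The process names in the report are the software that has to be patched and configured correctly for each forward; a port with no listener is the case where the firewall rule alone changes nothing.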
