Opera’s announcement of in-browser support for BitTorrent highlights the trend for common desktop applications requesting an ever-larger number of TCP ports to be opened up for them, essentially poking holes into firewalls. File transfer apps, VoIP, games, and other programs routinely request open ports, and that’s a security risk, say some security experts.
Connecting your pc to the internet is a security risk.
While the firewall tells you exactly which and what ports are used, I think everything will be OK.
—————————————–
http://www.estorilmotor.net
http://www.apoiar.org
…it’s an organization issue.
If you can’t trust the programs you are using to run on any port or expose them to the rest of the world, you should deal with the problem and eliminate the untrustworthy program.
If you plug all ports except for, say — 80, and you don’t trust the apps that like to open ports…what is stopping them from using port 80?
—————————————–
This is a management issue, not a technology issue. Here are a few simple questions:
1) Why are users installing unauthorized applications?
2) Why do they have Admin rights to install apps?
For business, the firewall is the last line of defense, while home users, it is their first line of defense. This basically translates into:
Business should have the internal network hardened while depending last on the firewall. Now for home users, the firewall is their first line of protection and typically it is the only line of defense (i.e. Joe Six-pack).
Giving admin rights is a sign of trust and responsibility, now if users violate that trust then:
1) Should they still have admin rights? A resounding “No” is the correct answer.
Keep in mind that the user should have 2 accounts,
1 for admin work and a 2nd for day to day tasks.
> 2) Why do they have Admin rights to install apps?
Even if the user is denied admin privileges, many apps can be set up locally in the user’s home folder.
But only an admin or root can either bind or open the ports needed by those apps.
Only below 1024 or so. Above that it’s a free world. That is, as long as you don’t run in paranoid mode. Although, these days a paranoid admin is a requirement, not a liability…
> But only an admin or root can either bind or open the ports needed by those apps.
… UPnP, anyone?
There are many services such as NFS (which uses RPC and portmap) that do not run on a standard port. Obscurity and randomization are a security *benefit* — these services are harder to sniff and intercept.
Port-based firewalls only give the illusion of security. The applications you should be afraid of — IM, malware — can all work over ports like 80 that are always open outgoing. And 25 is always left open, so your owned zombies can spam away.
> 2) Why do they have Admin rights to install apps?
> Even if the user is denied admin privileges, many apps can be set up locally in the user’s home folder.
—————————————–
As Anonymous (IP: 65.219.160.—) stated:
> But only an admin or root can either bind or open the ports needed by those apps.
In addition to anon’s comment, critical system files don’t get replaced if the user installs into his/her own directory.
PS: Don’t forget the guest account, it maintains no profile.
True enough. Theoretically a program installed in a user’s home directory shouldn’t have system access, but exploits do occasionally happen.
(I’m the AC you responded to.)
> This is a management issue, not a technology issue. Here are a few simple questions:
No argument from me.
> 1) Why are users installing unauthorized applications?
> 2) Why do they have Admin rights to install apps?
Your implied answer is one I’ve already advocated.
> For business, the firewall is the last line of defense,
You lost me. Firewalls aren’t defensive, they are permissive. If you want to really block something, you turn the thing off so it can’t be accessed.
There was a good article a few days ago with basically ‘do not trust any machine not under your control; treat systems on the inside of the network as if they were hostile unless you have direct control over them’.
> while home users, it is their first line of defense. This basically translates into:
> Business should have the internal network hardened while depending last on the firewall. Now for home users, the firewall is their first line of protection and typically it is the only line of defense (i.e. Joe Six-pack).
Agreed on corporate networks. Disagree on home users. The home users have gotten into this mode, though it’s the wrong way to go about it. In sum: If any system absolutely requires a firewall to protect it, it is not secure. Firewalls are management features and should be used only as a minor complement to any network.
> Giving admin rights is a sign of trust and responsibility, now if users violate that trust then:
> 1) Should they still have admin rights? A resounding “No” is the correct answer.
> Keep in mind that the user should have 2 accounts,
> 1 for admin work and a 2nd for day to day tasks.
I mostly agree…minus the reliance on firewalls as any level of defense. They are a necessity for contractual issues (some folks require them for the wrong reasons) and as a final little bit extra, though they are intended to permit access not block it…leading back to the need to know what’s running and is it trustworthy.
Wasn’t this article about the risk in opening incoming ports? The threat is for home users becoming trained to start opening ports on their personal firewalls or cable/dsl routers, without realizing the risks in doing so. Or even worse, those users without any sort of protection running server-type apps blindly. Certain VoIP, P2P, gaming et al. apps require incoming connections to work properly, which requires a hole to be opened in any security defences in place.
Organizations that haven’t figured out how to lock down their desktops and prevent users from installing apps are in a whole different kettle of trouble. But even for them, a firewall mitigates this threat by preventing incoming connections to those employees installing these apps.
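Two points in this thread are easy to check on a real host: that only root can bind ports below 1024 while any user-level app can open a higher one, and that the real exposure is a listener bound to a non-loopback address, which is exactly what a forwarded port or UPnP mapping would reach. The script below is an added example, not from the article or any commenter; it parses a constructed sample laid out like `ss -ltnp` output (the process names, PIDs and ports are made up) and reports every off-host-reachable listener that is not on an explicit allow-list, noting whether the port is privileged:

```python
import re
from dataclasses import dataclass

# Constructed sample in the layout of `ss -ltnp`; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=1021,fd=7))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1330,fd=35))
LISTEN 0      50     0.0.0.0:6881        0.0.0.0:*         users:(("opera",pid=4412,fd=52))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=812,fd=4))
LISTEN 0      10     0.0.0.0:5060        0.0.0.0:*         users:(("softphone",pid=5001,fd=9))
"""

# On Linux, binding 0-1023 needs root or CAP_NET_BIND_SERVICE; anything above is open to any user.
PRIVILEGED_MAX = 1023
LOOPBACK = ("127.0.0.1", "::1")


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str
    pid: int


_PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def parse_ss_listeners(text):
    """Turn `ss -ltnp` style rows into Listener records; header and non-LISTEN rows are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "[::]:22" -> ("[::]", "22")
        addr = addr.strip("[]")                 # IPv6 addresses are bracketed by ss
        m = _PROC_RE.search(line)
        process, pid = (m.group(1), int(m.group(2))) if m else ("?", 0)
        listeners.append(Listener(addr, int(port), process, pid))
    return listeners


def audit_listeners(listeners, allowed_ports):
    """Return (port, process, reason) for every listener reachable from off the host
    whose port is not on the allow-list. Loopback-only sockets are skipped because a
    firewall rule or port forward cannot expose them."""
    findings = []
    for lst in listeners:
        if lst.addr in LOOPBACK or lst.port in allowed_ports:
            continue
        if lst.port <= PRIVILEGED_MAX:
            reason = "privileged port: the process needed root to bind it"
        else:
            reason = "unprivileged port: any user-level app can open this"
        findings.append((lst.port, lst.process, reason))
    return findings


if __name__ == "__main__":
    # Allow-list is an assumption for the demo: only SSH is meant to be reachable.
    for port, process, reason in audit_listeners(parse_ss_listeners(SAMPLE_SS_OUTPUT), {22}):
        print(f"port {port:5d}  {process:<10s} {reason}")
```

On a live machine, replace `SAMPLE_SS_OUTPUT` with the captured text of `ss -ltnp` and compare the findings with what the firewall or router actually forwards; a listener that shows up here on a wildcard address and a matching forward rule together are the "hole" the article is talking about, regardless of which account installed the application.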