What are the general rules of Port Forwarding

aocaocxbox

Apr 15, 2015
Hi, I know a little bit about networking but I am by no means an expert!

I've spoken to many people who have told me not to open ports such as 80 when I wanted to make a web server.

Others have told me that I should open ports when I need to.

What are the reasons for opening / not opening the ports, and what's the harm in opening ports that you need? How do enterprise environments open port 80 safely, yet I'm advised not to? Thanks.
 
Solution
Port 80 is a little different than most others. Because this is used for web servers, and these are common, there are lots more people working on finding exploits than for, say, a Minecraft game server.

In enterprise you assume the machines can be compromised to a point and rig it so that even if it is compromised, the web server machine cannot then be used to attack other things within the company. This means you do not run anything on the server that is not directly used for that function; you also restrict all traffic to and from the server to other machines in the internal network to only the very minimum it takes for the web server to function.

So even if you were to put a dedicated web server in your house that you never used, say, to log into your bank, do you have the firewalls to prevent that web server from attacking your other machines that you do, for example, log into your bank account from?

Opening ports is always a risk no matter what port it is. There is always a chance that there is a bug that will allow an external person to take control of the machine. Even without bugs, very complex servers take a high level of skill to configure securely. All it takes is clicking one box you do not fully understand to open huge security holes.
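The "only the very minimum it takes for the web server to function" point above is a firewall policy. The following is an added example, not code from the thread: a small first-match, default-deny packet-filter evaluator with a constructed DMZ ruleset (the addresses 192.0.2.10 for the web server, 10.0.20.5 for a database and 10.0.10.0/24 for the office LAN are made up), plus an audit helper that answers the question the answer raises: if the web server is compromised, what can it still reach?

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port
    comment: str = ""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed DMZ policy. Order matters: the narrow allow for the database
# sits before the broad deny that cuts the web server off from everything
# internal. Anything not listed falls through to the default deny.
DMZ_POLICY: List[Rule] = [
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 80, "Internet -> web server HTTP"),
    Rule("allow", "192.0.2.10/32", "10.0.20.5/32", 5432, "web server -> its database only"),
    Rule("allow", "10.0.10.2/32", "192.0.2.10/32", 22, "admin workstation -> web server SSH"),
    Rule("deny", "192.0.2.10/32", "10.0.0.0/8", None, "web server must not reach the internal network"),
]


def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; no match means deny (default-deny posture)."""
    src = ip_address(flow.src)
    dst = ip_address(flow.dst)
    for rule in rules:
        if (src in ip_network(rule.src) and dst in ip_network(rule.dst)
                and (rule.dport is None or rule.dport == flow.dport)):
            return rule.action, rule.comment
    return "deny", "default deny"


def reachable_from(rules: List[Rule], src: str,
                   services: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Audit helper: which of the given internal services can `src` still reach?
    Run this for the DMZ host to see the blast radius of a compromise."""
    return [(dst, port) for dst, port in services
            if evaluate(rules, Flow(src, dst, port))[0] == "allow"]


if __name__ == "__main__":
    # Constructed inventory of internal services to audit against.
    internal = [("10.0.20.5", 5432), ("10.0.20.5", 22), ("10.0.10.50", 445), ("10.0.10.2", 22)]
    print("web server can reach:", reachable_from(DMZ_POLICY, "192.0.2.10", internal))
    for f in (Flow("203.0.113.7", "192.0.2.10", 80), Flow("203.0.113.7", "192.0.2.10", 22)):
        print(f, "->", evaluate(DMZ_POLICY, f))
```

Real firewalls (iptables/nftables, pf, a vendor appliance) evaluate in the same first-match way, so the same two checks apply when writing real rules: put the narrow allows before the broad deny, and end with an explicit default deny rather than relying on the absence of a rule.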
 
Solution
Well, let me see if I can make some of this make sense for you...

Let's start by relating a web server to a building and a business. If you want the general public to come to your business, you must do the following:

a) Build or rent a building
b) Advertise to let them know what your business does, and where to go to get to your business
c) Open the door so they can walk into your business.
d) Have sales people that have been trained on the products and/or services that you offer.
e) Be prepared to sell the products and/or services you offer, which includes accepting their payments.

Now, if any of those 5 are not in place, you cannot successfully conduct business. There are other things like needing an accountant, a bank account, and all that other stuff, but I'm trying to keep this simple.

Now you might be asking what that has to do with a web site? A lot. Let's take the 5 points above, and see what happens.

a) Buy a server, or pay to use part of a server in the cloud. Then install your web server on it.
b) Advertise so people know you have your web site, and what they can find there.
c) Open port 80 so people can access your web site. Port 80 is the default port to use.
d) Offer forums or help staff to answer people's questions.
e) Have a digital shopping cart set up to accept orders and to process their payments.

If you take step c away from either example, it complicates people being able to get to you, since they cannot simply walk in the door. Could you use a different port? Yes, but again, it complicates things needlessly.

If you decide to do this, I highly recommend leasing space either in the cloud, or from a professional company that is responsible for the security of the server. Otherwise you will most likely end up with serious problems on your server, and from the sound of things, you would not know what to do to correct that. Running a web site these days is a challenging affair, even for the best in the business.
 

aocaocxbox
Thanks both for your reply, I understand.

Would you say opening the VPN port for a small home / business server is relatively safe? I need to be able to access the files on iPads which would be outside the office.

Thanks
 
It is not the port, it is the device running the VPN. If you were to load, say, OpenVPN on a generic Windows user machine that someone also used as a desktop, it is much more at risk than a dedicated VPN appliance or firewall that can only run the VPN and from which all other software has been removed.

VPN is almost a different problem. In those cases your biggest risk is someone obtaining credentials that should not have them. You at the very minimum want every person to have their own ID and password, and you want to force that password to change. Many large companies are paranoid on this and require a password and then some form of dynamically generated one-time-use key.