How dangerous is opening a firewall port?
Posted by jazzy-jackal@reddit | sysadmin | 91 comments
Hoping some people with more cybersec/networking experience can give me some advice…
Our new physical security system has an onsite “server”. The machine is not domain-joined as we treat it more like an “appliance”. The software also has a mobile app which managers will use to monitor alarms and cameras remotely.
Annoyingly, the server communicates directly with the mobile app over the internet, and requires us to open port 443 (or another port).
My question is basically, how risky is this?
We can mitigate the risk of brute forcing the security software login by using secure (40+ character) passwords. But does opening this port allow other types of unwanted traffic into our network? What types of things can we do to ensure this is done securely?
tinkx_blaze@reddit
So many comments dick swinging on this thread; he asked for help, not to be belittled by some. If the guy posting genuinely wants some coaching please DM me.
CCIE, although it's expired, still got a better d swing. 😂😂
kurbycar32@reddit
Have you considered a cloudflare zero trust tunnel? You punch zero holes in your firewall and can apply restrictions to who can access the tunnel.
Twinsen343@reddit
Regardless of what services are running, it's good practice to limit the attack surface as much as possible; geoblock open ports on the firewall if possible, etc.
Significant_Lynx_827@reddit
I would take it a step further and limit the IPs that can connect, if you can. It becomes an issue / impossibility if they are using the app offsite.
Chuffed_Canadian@reddit
443 itself isn’t a problem, but you’re putting trust in whatever web server/firewall/whatevs are going on under the hood of that server. If someone exploits some sort of vulnerability you’ll have a hole in your armour.
If that port must be open best practice would be to isolate that box from the rest of your network as much as practicable. I’d also put some sort of proxy server in front (like nginx) as another layer of protection. If possible using an entirely dedicated IP wouldn’t hurt either (if you have one to spare).
Perhaps something like a cloudflare proxy could work too; that way the port wouldn’t be ‘wide’ open at least.
Cheomesh@reddit
Don't modern firewalls not allow inbound connections without an outbound request? I.e. the exploit would have to come from one of the (otherwise controlled) endpoints communicating with the server over 443?
RoundFood@reddit
That's the point of "opening up" a firewall. You allow incoming requests to establish a session. Usually because you're providing a service to the outside world.
Can't really run a web server if you don't allow people outside your firewall to establish sessions with the web server.
Cheomesh@reddit
I was thinking about stateful firewalls
RoundFood@reddit
Sure, but basically every firewall has been stateful for the last 20 years, to the point that nobody is ever talking about stateless firewalls because they don't really exist anymore... at the very least they shouldn't, and I've never even come in contact with one. Stateless or stateful doesn't really matter; you probably need to expose the port (or better, proxy it), but you can be sure everyone is talking about stateful anyway.
ExceptionEX@reddit
Some can, but generally that isn't something automatic without config in my experience. Granted I only interact with a very tiny segment of firewalls available.
Cheomesh@reddit
Stateful firewalls are what I am thinking of.
TheInterestingGroup@reddit
Cloudflare would be a bad move because you are accepting any traffic from their whole IP range. So any user, from free to enterprise, could theoretically have access. Any type of anycast network software will have that same architecture vulnerability.
totmacher12000@reddit
Not if you set up a tunnel with an IDP such as Azure and require group membership and MFA. Also blocking all but what is allowed on the Gateway Firewall policies: IP and group can access IP a, b, c.
TheInterestingGroup@reddit
Having an IDP and MFA requirements is certainly crucial. But you still have to accept all of CF's IP ranges to that port, leaving it susceptible. There have been exploits with this use case.
totmacher12000@reddit
Care to share these exploits?
TheInterestingGroup@reddit
For the record I do not work for Cado. But they have a decent write up.
https://www.cadosecurity.com/news-and-events/warpscan-cloudflare-warp-abused-to-hijack-cloud-services?hs_amp=true
totmacher12000@reddit
Interesting. I am using zero trust via tunnels but I will take this into consideration. Thank you.
reegz@reddit
My experience with security camera vendors is they're cameras 1st and web security 5th. Obviously some vendors are better than others, but this will show up on Shodan and be profiled with all of the other appliances that also run that software and people will constantly be knocking on that door.
Enough_Pattern8875@reddit
It depends on a multitude of factors.
x-TheMysticGoose-x@reddit
It’s as secure as the software is that listens on that port.
hihcadore@reddit
Opening a port is like cutting a hole in a wall of a building.
443 / 80 are both common ports that are open to facilitate communication with external sources.
Imagine people start delivering packages to your building and are now coming through the fresh hole you just opened up in the wall. If your building is configured correctly and you have the right security in place around the area, you’re fine. But imagine you don’t, or someone knows a way to bypass your security controls (like if they can steal a key to a locked door or just going around your security controls all together). Sure you might get alerted, you might be able to patch the hole and make it secure again, but you have no idea what the attacker might have done or other holes or tunnels they might have made out of your building to make accessing your space, easier.
It’s a really complex problem you have. The best thing you can do is hire an expert to do this for you. There’s too much to learn on the fly to make this secure.
ISeeDeadPackets@reddit
If you have to host it internally, it needs to be in a DMZ and only allow inside connections that are 100% essential to its operation. Also consider adding some layer 7 rules to block traffic from areas outside of the geography of your intended users.
Candidly though, if you're asking this question (which is a fantastic question btw), you should really consult with a qualified outside party to help you get this properly segmented and monitored. It's certainly stuff you can learn but not if you're on a tight time table.
iamoldbutididit@reddit
Considering that hackers at Pwn2Own Berlin exploited 29 zero-day vulnerabilities, I'd say that opening any port to the world, even on a fully patched system, is a non-starter.
If the phone app can only work by communicating directly to the server then the answer is to have the phones use VPN to access the network.
excitedsolutions@reddit
Hosting anything yourself and opening a port puts vulnerabilities for that app into play. Also any unknown/yet discovered vulnerabilities. Having a WAF in front of that is also advisable to somewhat control what is allowed through that port instead of just relying on the appliance to have this down.
If having access to this platform is required for your company, you could consider creating a separate network with nothing in it but this appliance. Then by design the only thing that can be compromised is this appliance. It’s far better to have multi-layered security, capable security systems (with intrusion detection), and someone/a team of people responsible for monitoring and administering security for your network…but you know your reality.
To everyone else’s credit - once you open that port (assuming no other ports are open yet) if you have any security in place you can look at the logs and see the port scanning and login attempts start rolling in.
h311m4n000@reddit
Put it on an isolated dmz sounds like the most obvious path to me.
Ivy1974@reddit
Depends on what is on the other end. We have done this primarily for mailing machines. Nothing to hack and it has its own dedicated port on the firewall.
I used to use RDP Ports picking random numbers but eventually hackers would find the open port and brute force attack. Most times it was either coming from India or China.
qejfjfiemd@reddit
I wouldn’t trust it, find a way to proxy it.
whatever09204@reddit
Any resource you connect to the internet:
If any of the above questions is No, then I would say don’t do it blindly, look into all of above questions as a baseline and see if you accept the risks of not doing them.
Avas_Accumulator@reddit
It's about pre-authentication to that port. If we have mobile apps they must authenticate the user via Entra ID first via something like Cloudflare One, before the server (outbound only) connects to Cloudflare One, which then brokers the connection.
If you open any ports exposed to the internet inbound you start having to practice public web exposure security, which is a lot harder to get right than never exposing anything, with Zero Trust principles.
ZT is what is saving my bacon these days.
bobnla14@reddit
Just to be clear, when you are opening a port on the firewall for a specific IP address, you are pointing all of the traffic on that port to that device. So any traffic on 443 will not go to your file server, as you specify at the firewall that it only goes to the appliance server.
So if it is not domain joined, there are no accounts that can be exploited to gain access to the Active Directory domain. Can they explore the network? Yes, but at a rudimentary level. Think pinging and looking up each device's actual name.
Sometimes people call these pinholes because they are for a given IP address and a given port number. Nothing else gets through.
Does that help?
Imhereforthechips@reddit
Can you implement a VPN or nginx? I’d recommend a proxy or a tunnel
TheInterestingGroup@reddit
This. Just whitelist specific traffic from a specific IP or cert on approved device(s). All other access denied
Protholl@reddit
Put the appliance in a DMZ and make sure it is constantly patched.
goishen@reddit
Dude, if you're using 40+ character passwords, open the port all damn day. Just be sure to include some IDS that ban anything that attempts over one p/w attempt on it.
Sagail@reddit
Just be ready for lots of log spam.
I'm a high-port SSH refugee on my home server. I only use keys and disabled password auth; the log spam was too great.
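goishen suggests banning a source after failed login attempts and Sagail warns about the log spam an exposed port generates. The block below is an added example, not code from the thread or from any appliance vendor: it runs a fail2ban-style sliding-window ban over a constructed log (the line format and the addresses are assumptions) and also keeps per-source totals, because a guesser who spaces attempts out slips under a short window.

```python
"""Failed-login ban logic run over constructed appliance log lines.
Added example; the log format is assumed, not any real product's."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation addresses): a fast brute-force source,
# a manager who mistypes once, and a slow, spaced-out guesser.
SAMPLE_LOG = """\
2024-05-01T02:14:07Z appliance auth: login failed user=admin src=203.0.113.9
2024-05-01T02:14:09Z appliance auth: login failed user=admin src=203.0.113.9
2024-05-01T02:14:12Z appliance auth: login failed user=root src=203.0.113.9
2024-05-01T02:20:41Z appliance auth: login failed user=manager src=198.51.100.7
2024-05-01T02:21:03Z appliance auth: login ok user=manager src=198.51.100.7
2024-05-01T03:30:00Z appliance auth: login failed user=admin src=203.0.113.44
2024-05-01T03:45:00Z appliance auth: login failed user=admin src=203.0.113.44
2024-05-01T04:00:00Z appliance auth: login failed user=admin src=203.0.113.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ auth: login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(line):
    """Return (timestamp, result, user, src) or None for lines we don't recognise."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["result"], m["user"], m["src"]


def find_bans(log_text, threshold=3, window=timedelta(minutes=10), allowlist=()):
    """Ban a source once it has `threshold` failures inside a sliding `window`.
    Returns {src: time_of_ban}. Sources in `allowlist` are never banned."""
    recent = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, _user, src = rec
        if result != "failed" or src in allowlist or src in bans:
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # forget failures older than the window
        if len(q) >= threshold:
            bans[src] = ts
    return bans


def failure_totals(log_text):
    """Total failures per source regardless of timing; catches low-and-slow guessing."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[1] == "failed":
            totals[rec[3]] += 1
    return dict(totals)


if __name__ == "__main__":
    print("banned (3 in 10 min):", find_bans(SAMPLE_LOG))
    print("banned (1 strike):   ", find_bans(SAMPLE_LOG, threshold=1))
    print("failures per source: ", failure_totals(SAMPLE_LOG))
```

With the default three-in-ten-minutes rule only the fast source is banned; the spaced-out guesser never trips the window, which is why `failure_totals` is worth reviewing alongside the ban list. Running with `threshold=1`, as goishen suggests, also bans the manager who mistyped once, so a one-strike policy needs an allowlist for known-good sources.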
Due_Peak_6428@reddit
Need more info
800oz_gorilla@reddit
It's very dangerous.
An open port confirms your existence on the internet.
A lot of firewalls have undiscovered zero days being exploited. Then once they are in, they leave crap like this sitting and waiting:
https://www.bleepingcomputer.com/news/security/stealthy-magic-packet-malware-targets-juniper-vpn-gateways/
https://www.assetnote.io/resources/research/two-bytes-is-plenty-fortigate-rce-with-cve-2024-21762
Even if the service sitting behind the open port isn't exploited, you still run the risk of your firewall being targeted.
Due_Peak_6428@reddit
The internet is full of web servers they are ok
SJSJSSS@reddit
Opening a port by itself doesn’t pose a danger. The real risk lies in who’s listening on that port and what software is running behind it. From experience, there’s no such thing as unhackable software. Especially when it comes to things like NVRs or legacy systems, sometimes even complex passwords don’t help—because the vulnerabilities are in outdated software that hasn’t been updated in years.
If you have to open a port, my recommendation is to at least minimize the risk by strictly defining a whitelist of IP addresses allowed to access it. That way, it can be reasonably safe.
Unfortunately, in some cases, the other side can’t provide a fixed list of IP addresses.
BrainWaveCC@reddit
To whom must this port be opened? Who needs access to it?
Not directly.
But allowing access to that specific device on your network means that if it has any vulnerabilities, then someone who can get access to it could possibly exploit those vulnerabilities to begin their journey on the inside of your network.
So, my first two questions come into play again...
ethnicman1971@reddit
Even if the device does not allow traffic onto your network directly it shows camera feeds and I assume disables alarms. Do you really want access to that type of data from the internet?
ExceptionEX@reddit
Most systems purchased and managed by a security company require this. Their hardware is trash, never properly updated, and 90% rebranded shit on the fed banned list.
I won't connect a DVR to our lan, and unhappy about the state of "security" systems.
Forsaken-Discount154@reddit
Yes, we have a separate network for cameras, access control, and HVAC. Firewalls, switches, the whole 9 yards. It does not touch the domain network.
SavageFromSpace@reddit
Honestly outside of security concerns those devices tend to be extremely chatty and should be separated anyway
Maelefique@reddit
And even if that device is totally secure today... what about tomorrow?
BrainWaveCC@reddit
Not broadly, no. Hence my first two questions.
technomancing_monkey@reddit
It's about as dangerous as leaving the front door of your home unlocked.
cheMist132@reddit
You should create a DMZ with your firewall and only allow traffic from your LAN to this server and block traffic that would come from this server/DMZ to your LAN. That way at least attackers could not compromise the rest of your network.
overkillsd@reddit
When they say 443 needs to be open to communicate with their servers, they usually mean outbound from your network.
Difficult_Macaron963@reddit
Not if it’s a web server as seems to be the case here
Weary_Patience_7778@reddit
Let me guess. Dahua? Hikvision? Any others?
No. Don’t do it. Segment the beheezus out of your network and put the appliance on its own island.
Other than cameras, it should not be able to talk to anything on your internal network, and certainly shouldn’t be reachable from the outside world.
Use a VPN or something if you need to get to it from home.
Even then there’s no guarantees. Just do not trust that the vendor has your best interests at heart.
VacatedSum@reddit
With a lot of firewalls you can restrict access to the port to certain remote IPs. Get a list from the vendor and only allow those.
harubax@reddit
You do not, unless the supplier of that piece of software assumes all responsibility for data security and management signs off on it.
The safe way is a VPN, you might already have something rolled out to company devices.
ihaxr@reddit
Bad idea, require a VPN
ArchonTheta@reddit
Have you ever opened a door in a submerged submarine?
desmond_koh@reddit
It depends entirely how good the software running on that port is. Most software, like Apache or IIS, that is meant to be exposed over the internet is pretty well hardened although even in those cases there have been remotely exploitable vulnerabilities.
So, what do you know about this software? How good is it? What is it built on?
If someone found a way to exploit the software and execute arbitrary code on your "appliance", how far could they go? Does the appliance have access to other things on the network? If so, what kind of things?
You can stick the appliance (and the alarms and cameras it talks to) on a separate VLAN from your main in-house network. Then you have to harden the appliance itself and make sure it is kept fully up to date.
DM me if you're interested in a consult. I work in Ontario, Canada.
christv011@reddit
I'm a security expert
Probably no great way to do it but here are best options
You should only allow ips you have to
The_Doodder@reddit
Play a game of find out
BlackV@reddit
It's more dangerous than NOT doing it.
But it depends on the app answering that port request how bad it is, it depends on who/what you allow IN on that port
All of which is a YOU decision, not reddit
HellzillaQ@reddit
This would be a good candidate for a jump box where to get access to the box requires a 2FA then have said machine only have this program on it and locked down.
UNAHTMU@reddit
I am by far not a security expert and probably shouldn't be answering this, but I wanted to jump into the conversation for learning purposes.
This is what I would do...
VLAN 10: Home/office devices
VLAN 20: Security/IoT devices
Devices get internet access via NAT
No unsolicited inbound access without port forwarding
Port forwarding only for specific IPs
Inter-VLAN routing only when needed (e.g., allow VLAN 10 to reach device in VLAN 20, but not vice versa)
Set up a VPN server in VLAN 10
Access the device in VLAN 20 via VPN, with no public exposure
Great-University-956@reddit
Depends on if you have a supported and patched appliance. If not then don't do it.
TheMightyMisanthrope@reddit
I just found ports 80 and 443 open in Google. Now what?
ExceptionEX@reddit
Now you stop wasting everyone's time trying to be a smart ass ;)
TheMightyMisanthrope@reddit
:( okay.
It was explained to me like that like 20 years ago when asking about the danger of open ports.
It was supposed to be followed by some sort of "well, nothing because there's proper security behind"
ExceptionEX@reddit
oh man don't take me seriously I'm just a grumpy old man on the internet, I just meant it as a bit of picking on in good fun.
Sorry if it came off as mean.
TheMightyMisanthrope@reddit
Jaja not mean at all. Also, I think port 80 is open in the website of the NSA, not that I would recommend nmapping it.
beaucoup_dinky_dau@reddit
Next you are going to tell me 8080 is open madness I say
mikeyflyguy@reddit
Wouldn’t recommend. The chances of that software being updated and maintained are slim to none. If I had to open it up I’d put it in a DMZ where it’s not touching anything else in my network. Otherwise I’d look at a VPN or something like Cloudflare to expose it through, which could reduce the attack surface significantly.
ShadowCVL@reddit
Yep, was gonna suggest dmz and maybe even something like a cloudflare tunnel for this. It’s a good use case.
lurkerfox@reddit
It's as risky or safe as the service that's running on the opened port.
photosofmycatmandog@reddit
It's not called a fireport. You are confusing ports and firewalls. You secure your systems and only allow what is necessary or trusted. It takes more than an on or off solution depending on what you need.
bottleofmtdew@reddit
Could you separate the equipment to its own VLAN and have no cross traffic with the corporate network?
ExceptionEX@reddit
This should be minimum default, I honestly would just add another switch and firewall and physically separate them.
ExceptionEX@reddit
We usually physically make two networks, one the traditional office lan, the other has things like appliances and guest Wi-Fi.
So we don't end up having any more punches than are needed. Sure, this could be handled with proper rules and VLANs and all that, but sometimes just putting in a couple hundred dollars worth of hardware is a much more manageable solution.
JustinHoMi@reddit
Head over to Shodan and Censys, then come back and tell us what you think.
ABotelho23@reddit
Are you a junior?
lebean@reddit
Tailscale or some similar client, zero open ports required (Tailscale will handle getting everyone connected) and you can ACL the users' phones to only talk to that one specific appliance, no other internal access allowed or needed.
MaNoCooper@reddit
Where does the traffic initiate? Does the port need to be open inbound or outbound?
FutbolFan-84@reddit
This is a big security risk if you are planning to use a public IP. You need to either restrict access only to a very limited source IP list or require a VPN to access the server. All it takes is an unpatched vulnerability on this equipment and an attacker is inside the network.
lweinmunson@reddit
I'm assuming that it needs to present itself as a server to the client devices over the internet. In that case, it's not just a port, but publishing a two-way NAT that will permanently open it to attack. That would be a complete non-starter for us. The proper way is to assign VPN to the users who need it so that they must authenticate with MFA into the network to gain access. Yes, they will complain and go up the management chain. This is where your CSO or equivalent has to go to the board and put their foot down. Long passwords are exactly zero protection on the internet. Phishing and undisclosed bugs in whatever that appliance is using for a web server would probably be exposed in an hour or two. If you really have to explain this to management, install something like Kali Linux on a laptop and set it up as a honey pot. Put it on the internet with no DNS or anything pointing at it and log all the requests it gets. A VPN solution will pretty much keep it isolated and make it much more secure. You still shouldn't trust it. Put it in a DMZ with strict rules that it can talk to the VPN devices and only those internal card readers and door controllers it needs to. I've dealt with door controllers and card readers enough to know that the physical security sector has no clue about network security. And frankly, I think most of them don't know physical security nearly well enough.
noxbos@reddit
Would you leave a window to the business or house open so any passerby can sort of poke their head in and try to take what they can get?
changework@reddit
Only as risky as exposing what’s on the other side to the public internet.
Example: opening a port to a non-existent address = virtually zero risk.
Opening port 80/443 to Microsoft IIS version 4, you’ll be hacked in minutes.
mr_data_lore@reddit
Don't do it. I'd never open ports to the internet. Use a VPN instead. I would at least restrict any port forwards to certain known source addresses.
sysadmin_dot_py@reddit
You need to check whether that is port 443 inbound or outbound. If outbound, no problem. If inbound, big problem. If inbound, you need a reverse proxy in front of it or a VPN, or something like Cloudflare Access.
FuRyZee@reddit
Basically what you want is a Web Application Firewall, these are designed to protect servers hosting applications on HTTP/HTTPS ports. There are physical network appliances that can do this, there are software based ones as well. Does your gateway potentially support setting up a WAF on it?
Infninfn@reddit
Yes this is risky because the internet is full of bots scanning entire public IP address subnets for open ports, which can be followed up with exploit attacks that ignore authentication. You need to ensure that the server is fully security patched and up to date, and hope that it doesn’t have unaddressed security vulnerabilities.
This is the reason why you have a DMZ network in-between the internal network and the internet to host these public facing servers. If a server in the DMZ gets compromised, there is still another firewall protecting the internal network.
CeBlu3@reddit
Do you have to assign a public IP to it? So it’s literally accessible (well, that port) for the whole Internet?
I wouldn’t do this.
Server should be placed in a DMZ. Open just that one port to the outside. Hopefully the devices on the inside will connect to that server, so you only need to allow outbound, not inbound from that server to your network.
Would look something like this:
Public Internet — Port 443 —> FW —> Server <— FW <— Security System (Sensors, …)
And ideally, these sensors are segregated, they talk on their VLAN only and to that server.
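Several replies make the same three points: a stateful firewall still has to admit unsolicited inbound connections once you "open" the port (the Cheomesh/RoundFood exchange), the pinhole should be limited to the appliance, one port and a vendor-supplied source list (bobnla14, VacatedSum), and the DMZ must not be allowed to initiate connections into the LAN (cheMist132, Infninfn, CeBlu3's diagram). The block below is an added example, not code from the thread or from any firewall product: a toy stateful filter with a first-match rule table, using constructed documentation addresses and an assumed vendor range, that shows which of the constructed packets get through and why.

```python
"""Toy stateful packet filter illustrating the thread's advice: a pinhole to
the appliance on 443, source allow-listing, and DMZ-to-LAN deny.
Added example with constructed addresses; not any vendor's firewall logic."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True = new connection attempt; False = part of an existing flow


# Assumed addressing (constructed, documentation ranges): the appliance sits alone in the DMZ.
ZONES = {
    "lan": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internet": ipaddress.ip_network("0.0.0.0/0"),  # catch-all, checked last
}
APPLIANCE = "192.0.2.10"
# Placeholder for the source ranges the vendor would supply (VacatedSum's suggestion).
ALLOWED_SOURCES = [ipaddress.ip_network("198.51.100.0/24")]

# First match wins: (src_zone, dst_zone, dst_ip or None, dport or None, action).
RULES = [
    ("internet", "dmz", APPLIANCE, 443, "accept"),  # the single pinhole
    ("lan", "dmz", None, None, "accept"),           # inside may reach the DMZ
    ("dmz", "lan", None, None, "drop"),             # a compromised appliance cannot pivot inward
    ("internet", "dmz", None, None, "drop"),
    ("internet", "lan", None, None, "drop"),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name in ("lan", "dmz", "internet"):  # most specific first
        if addr in ZONES[name]:
            return name


def allowed_source(ip):
    return any(ipaddress.ip_address(ip) in net for net in ALLOWED_SOURCES)


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # admitted sessions: (client_ip, client_port, server_ip, server_port)

    def _policy(self, pkt):
        """Evaluate a new connection attempt against the rule table."""
        zones = (zone_of(pkt.src), zone_of(pkt.dst))
        for src_zone, dst_zone, dst_ip, dport, action in self.rules:
            if (src_zone, dst_zone) != zones:
                continue
            if dst_ip is not None and pkt.dst != dst_ip:
                continue
            if dport is not None and pkt.dport != dport:
                continue
            if src_zone == "internet" and action == "accept" and not allowed_source(pkt.src):
                continue  # the pinhole exists, but this source is not on the vendor list
            return action
        return "drop"  # default deny

    def filter(self, pkt):
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.syn:
            # The stateful part: mid-flow packets pass only if a session
            # was already admitted, in either direction.
            return "accept" if forward in self.flows or reply in self.flows else "drop"
        verdict = self._policy(pkt)
        if verdict == "accept":
            self.flows.add(forward)
        return verdict


def demo():
    """Run constructed traffic through the filter; returns {label: verdict}."""
    fw = StatefulFirewall(RULES)
    vendor_ip, scanner_ip, lan_host = "198.51.100.7", "203.0.113.9", "10.10.0.5"
    return {
        "vendor_app_443": fw.filter(Packet(vendor_ip, 51000, APPLIANCE, 443, True)),
        "vendor_app_reply": fw.filter(Packet(APPLIANCE, 443, vendor_ip, 51000, False)),
        "scanner_443": fw.filter(Packet(scanner_ip, 40000, APPLIANCE, 443, True)),
        "scanner_22": fw.filter(Packet(scanner_ip, 40001, APPLIANCE, 22, True)),
        "lan_to_appliance": fw.filter(Packet(lan_host, 50000, APPLIANCE, 443, True)),
        "appliance_reply_to_lan": fw.filter(Packet(APPLIANCE, 443, lan_host, 50000, False)),
        "appliance_pivot_to_lan": fw.filter(Packet(APPLIANCE, 33000, lan_host, 445, True)),
        "unsolicited_mid_flow": fw.filter(Packet(scanner_ip, 40002, APPLIANCE, 443, False)),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label:24s} {verdict}")
```

The replies from the appliance back to the LAN host pass because the LAN side opened the session, which is CeBlu3's point about only needing outbound from the inside; the appliance's own attempt to open a connection into the LAN is dropped by the DMZ-to-LAN rule. If the allowlist is emptied (the offsite-user case Significant_Lynx_827 and SJSJSSS describe), every internet source reaches the 443 pinhole and the only remaining protection is the software behind it.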
smc0881@reddit
Not really the port that is the issue it's the software on the back-end that is running. I am assuming it's some sort of web server serving up an app or similar. You want to find more details about the application itself.
TheBestHawksFan@reddit
The app requires 443 to be open for inbound traffic?