8

I'm doing an internship in a very small company and I need to configure the network. They have a Cisco router. I couldn't find the logs to log in so I called their internet provider. Apparently they configured the Cisco router and don't allow customers to configure it. Only they can configure the router when asked.

I need to set up a server that will be accessed from the internet so I asked them about port forwarding (as a first step, before implementing some kind of DMZ later). I know that port forwarding is pretty insecure but temporarily, I asked them to forward some ports to my server. They accepted all my requests, except for port 80 as they told me it was really insecure. Why would forwarding port 80 be more insecure than the other ports?

Xavier59
  • It's hard to tell unless you disclose what other ports were allowed? Were other ports associated with SSL/TLS enabled protocols? – Krishna Pandey Nov 16 '17 at 12:53
  • @KrishnaPandey No, they weren't. I asked for a range of ports (1000-1020) and some classic ports like 21, 443, 3389, 8080 ... – Xavier59 Nov 16 '17 at 19:53
  • web browsers can turn an IP into a port 80 fetch w/o user knowledge. – dandavis Nov 17 '17 at 20:04

2 Answers

6

Forwarding port 80 is no more insecure than any other port. In fact, port forwarding itself is not inherently insecure. The security concern is that it allows services that are normally protected behind some kind of firewall to be accessible publicly. If the exposed service has any vulnerabilities or misconfigurations, it can and often will be quickly exploited by attackers.

Seeing how a mix of other ports were allowed (notably 21 - FTP and 8080 - HTTP alt/proxy, which don't typically use TLS and could be considered insecure), it seems like the concerns aren't really security oriented, and are fallacious at best. Perhaps there is some business reason they do not want to expose port 80, but there is no valid technical reason I can see to disallow port 80 while allowing other common ports.

multithr3at3d
4

Port 80 is not more insecure by itself than any other port. Simply it is the common HTTP port so it has very high risks of being scanned, and applications behind it are expected to be web applications.

That is where security admins begin to see red flashing lights. It is possible to make secure web apps, but that is real work, that commonly involves reverse proxies, admin restricted servers, and a strong configuration review. When you ask for that for tests, and at the same time explain that you have not set up a DMZ, that suggests that you will have some web server running on your normal machine, that probably has full access to the internal network and a lot of tools installed. If you run some old PHP script on it, chances are that flaws in the script or the libraries open a breach that an attacker could use to reach any other machine of the network.

Port 21 on the other hand is for FTP. FTP has a very poor reputation because it often leaks client credentials by passing the password in clear text. But from a server point of view, it is a very simple protocol and current implementations have been extensively reviewed for decades and are considered secure from a server point of view.

Long story short, HTTPS is considered very secure for the client and HTTP is acceptable, but both require strong security knowledge server side while FTP is a security nightmare for the client but is harmless for the server. And the proxy admin's job is to protect the server side...

Serge Ballesta
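Both answers come down to the same point: a forward only matters for what is listening behind it. The following is an added example, not part of the question or of either answer. It is meant to be run on the server that the forwards point to and lists which of the requested ports have a TCP listener; the function names are hypothetical and the address in the `__main__` block is a placeholder for the server's LAN address.

```python
import socket

# Ports named on this page: 80 plus the ones the ISP accepted.
REQUESTED = [80, 21, 443, 3389, 8080, *range(1000, 1021)]

# Conventional services on those ports (labels only; any service can
# be bound to any port, so treat "unknown" as "go and look").
KNOWN = {21: "FTP", 80: "HTTP", 443: "HTTPS",
         3389: "RDP", 8080: "HTTP alt/proxy"}


def has_listener(host, port, timeout=0.5):
    """Return True if a TCP connect to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def audit(host, ports):
    """Forwarded ports that would actually expose a running service."""
    return [
        {"port": p, "service": KNOWN.get(p, "unknown")}
        for p in ports
        if has_listener(host, p)
    ]


def unused_forwards(host, ports):
    """Forwarded ports with nothing listening: candidates to ask the
    provider to remove until a service is really deployed."""
    return [p for p in ports if not has_listener(host, p)]


if __name__ == "__main__":
    # Placeholder: replace with the LAN address the router forwards to.
    # Services bound only to loopback show up on 127.0.0.1 but are not
    # reachable through the forward.
    target = "127.0.0.1"
    for finding in audit(target, REQUESTED):
        print(f"exposed if forwarded: {finding['port']} ({finding['service']})")
    print("no listener:", unused_forwards(target, REQUESTED))
```

Every port in the first list is a service that needs the patching and configuration review the answers describe; every port in the second list is a forward that can be dropped for now.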