The Great Port Debate


  • The Great Port Debate

    Hi All,

    We operate a Multimaster Domain with AD and Group Policy enabled. We have decided to set up a DMZ server on one of our Cisco routers. This DMZ server will facilitate an ordering process from our customers.
    During one of our meetings the subject of ports came up for the apps that need to be open to the DMZ server. The default ports were supplied for the apps that will be running on the DMZ server (backup, agent and client apps). Don't jump on me about the configuration (although any info would be useful) as that's not my call to make, just the issue regarding ports. (Any links you can supply would be appreciated.)

    Apparently, the engineer seems to think that ports opened for the DMZ server going into our Data Center will be different on the servers receiving the data inside the Data Center, than those of the default ports.

    I think he's off the mark, if our backup, or client app talks on ports 111 - 445 - 1024 TCP, then those ports should be opened on both the DMZ and Data Center servers to allow communication from the DMZ box into the Data Center servers receiving the data. Unless you wanted to configure PAT (Port Address Translation) on the Cisco router to redirect data to a different port other than the default ports as listed by the manufacturer.

    Or do I owe this guy an apology?

    ...thanks in advance!
    Regards,
    Randerso




    "Education is not the filling of a pail, but the lighting of a fire." W. B. Yeats

  • #2
    Re: The Great Port Debate

    It's really an issue that can be determined by looking at the client applications in question. If the backup agent says it communicates on port 111 then... *gasp* ...it communicates on port 111! Destination ports can't change while the electrons are on the wire. Now, as you mentioned, things like PAT can change the situation. However, barring PAT or similar techniques, something being sent from port 111 will need to be received on port 111.

    Launch Wireshark and see for yourself. That way you'll have the bits in black and white to boost your understanding of networking and his too.
    Last edited by Nonapeptide; 1st April 2008, 16:16. Reason: spelilng
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: The Great Port Debate

      Something sent on 111 might have a destination of another port surely? Do you mean something sent with a specific destination port isn't going to change it on the wire?
      I may be misreading what you wrote though, apologies if that is the case.
      cheers
      Andy


      Quis custodiet ipsos custodes?



      • #4
        Re: The Great Port Debate

        ..that's great!

        We happen to have WireShark on the domain.

        Let me ask you, do you know of any links where this information is specifically stated, so I can forward that to him?

        I appreciate your input Nonapeptide!

        Thanks.....
        Regards,
        Randerso




        • #5
          Re: The Great Port Debate

          You really have to look at it from a destination host/port perspective. What host is the destination traffic going to, and what port on the destination host is the source host expecting to connect to? If the DMZ host is the source and the Data Center host is the destination, and the source host expects to communicate with the destination host on port 111, then you need to allow traffic originating from the DMZ host to go to the Data Center host on port 111. Ports do not change in the midst of a session. For instance, when I open my web browser to www.google.com my host opens a connection on a random port and connects to port 80 on the google web server. My port and the google port do not change while that session is active.

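The point made in the post above can be shown with two sockets on the loopback interface. The script below is an added example and is not code from the thread or from any of the vendors mentioned: a listener bound to an OS-chosen port stands in for the Data Center server, and several client connections stand in for the DMZ box. Every client connection carries a different, OS-assigned source port, every one of them is addressed to the same destination port, and the accepting side sees exactly the same port pair the client sees. The only rule the path needs is "any source port to this destination port"; the returned `firewall_rule` dict is an illustration of that, not a Cisco configuration.

```python
"""Added example, not from the thread: demonstrate with real sockets on
127.0.0.1 that the destination port is fixed by the listening service while
each client's source port is an ephemeral port chosen by the OS, and that
both ends of a connection see the same (source port, destination port) pair.
A rule between a DMZ host and a Data Center host therefore keys on the
destination port; the source port is not something you configure."""
import socket
import threading


def run_demo(connections: int = 3) -> dict:
    # The listener stands in for the Data Center server.  Port 0 asks the OS
    # for any free port (assumption: the demo needs no particular port).
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.bind(("127.0.0.1", 0))
    server.listen(connections)
    service_port = server.getsockname()[1]

    server_view = []  # (peer_port, local_port) as seen by the accepting side

    def accept_loop():
        for _ in range(connections):
            conn, peer = server.accept()
            server_view.append((peer[1], conn.getsockname()[1]))
            conn.close()

    t = threading.Thread(target=accept_loop)
    t.start()

    client_view = []  # (local_port, peer_port) as seen by the connecting side
    for _ in range(connections):
        c = socket.create_connection(("127.0.0.1", service_port))
        client_view.append((c.getsockname()[1], c.getpeername()[1]))
        c.close()

    t.join()
    server.close()

    return {
        "service_port": service_port,
        "client_view": client_view,
        "server_view": server_view,
        # The one rule the DMZ -> Data Center path needs for this service.
        "firewall_rule": {"proto": "tcp", "src_port": "any", "dst_port": service_port},
    }


if __name__ == "__main__":
    result = run_demo()
    print("service listens on", result["service_port"])
    for (src, dst), (peer, local) in zip(result["client_view"], result["server_view"]):
        print(f"client {src:>5} -> {dst:<5} | server sees peer {peer:>5} -> local {local:<5}")
    print("rule:", result["firewall_rule"])
```

Run it a few times and the source ports change between runs while the destination port stays whatever the listener was given; that is the behaviour the firewall rule has to be written around.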


          • #6
            Re: The Great Port Debate

            Originally posted by AndyJG247
            Something sent on 111 might have a destination of another port surely? Do you mean something sent with a specific destination port isn't going to change it on the wire?
            I may be misreading what you wrote though, apologies if that is the case.
            True, source and destination ports don't have to be the same. I took that into account, but didn't verbalize it like I probably should have. I figured that that would be an exception to a standard practice. Unless the applications specifically state that outgoing traffic is on port 111 but is addressed to incoming port 222, it would be safe to assume that both source and destination ports are the same. No?




            Quoth Randerso
            We happen to have WireShark on the domain.
            Personally, I'd take the switch / router ports that the DMZ server and destination server are plugged into and mirror it to another port and sniff that traffic. Makes it easy.




            Quoth Randerso
            Let me ask you, do you know of any links where this information is specifically stated, so I can forward that to him?
            Info about the uniformity of source and destination ports? Well, nothing formal comes to mind. As AndyJG247 pointed out, source and destination ports don't have to match. The best thing I can think of is to look at the documentation for the applications in question. To my knowledge, the only reason that a destination port would differ from the source port would be because the specific application does things that way, which BTW would be nonstandard and most certainly documented. Of course, PAT can also do this but you've ruled that out in your situation. So check some of the app's documentation, check for a KB on their website or put a call in to their help desk and see if you can get some specific answers.

            Of course, the 900 pound gorilla in this argument would be the little 1's and 0's that Wireshark sniffs.





            I appreciate your input Nonapeptide!
            Please, no 's... only 's





            • #7
              Re: The Great Port Debate

              ...I'll second the 900 pound Gorilla!

              I have sent queries to the vendors regarding the specific port requirements of their products in the same scenario as described, using the same verbiage I've used on this forum (why change?). Three days now and no response, and yet we have corporate-level support SLAs from these vendors... that is very telling in and of itself.

              I promise no more....

              Any links for documentation I can refer to?


              I really appreciate the support....
              Regards,
              Randerso




              • #8
                Re: The Great Port Debate

                Maybe your colleague is thinking of Ephemeral Ports? If those applications use such a scheme, then yes, source and destination ports would be different. However, if EPs are used, you'd have to open up the whole range of EP ports.

                "Unless a client program explicitly requests a specific port number, the port number used is an ephemeral port number." --Quoted from http://www.ncftp.com/ncftpd/doc/misc...ral_ports.html

                It comes back down to what the vendor's applications do. Can you give us a hint as to which apps are in question? Like for instance, the backup agent... Backup Exec, ArcServ, etc..



                three days now and no response, and yet we have corporate level support SLA's from these vendors....that is very telling in and of itself.
                ::double-take:: Is there a guaranteed turnaround time for your calls? Yikes.


                I hope that helps.
                Last edited by Nonapeptide; 1st April 2008, 19:36.

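The suggestion that keeps coming back in this thread is to sniff the traffic and read the rules off the capture. The script below is an added example, not code from the thread or from any vendor, showing how to do that step mechanically. Its input is a constructed, tab-separated packet list in the shape you would get from `tshark -T fields` (source IP, source port, destination IP, destination port, protocol, TCP flags); the hosts, ports and flag strings are made up for the example. Only the packets that open a connection (SYN without ACK) define a rule, and the rule is keyed on the destination host and port. The reply packets, which go back to the ephemeral source port, never become rules, because that port is different on every connection: a stateful firewall lets the return traffic through on its own. The example also counts the distinct source ports, which is the number of holes you would end up with if you keyed rules on the source side instead.

```python
"""Added example, not from the thread: derive DMZ <-> Data Center firewall
rules from a (constructed) packet list such as Wireshark/tshark would
produce.  Rules key on destination host and port; ephemeral source ports
are reported but never turned into rules."""
from collections import namedtuple

Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port proto flags")
Rule = namedtuple("Rule", "src_ip dst_ip proto dst_port")

# Constructed sample, shaped like `tshark -T fields` output (tab-separated):
# src_ip, src_port, dst_ip, dst_port, proto, flags.  All values are made up:
# 10.0.1.5 plays the DMZ box, 10.0.2.x the Data Center servers.
SAMPLE_CAPTURE = """\
10.0.1.5\t49211\t10.0.2.10\t111\tTCP\tS
10.0.2.10\t111\t10.0.1.5\t49211\tTCP\tSA
10.0.1.5\t49211\t10.0.2.10\t111\tTCP\tA
10.0.1.5\t49212\t10.0.2.10\t445\tTCP\tS
10.0.2.10\t445\t10.0.1.5\t49212\tTCP\tSA
10.0.1.5\t49213\t10.0.2.11\t1024\tTCP\tS
10.0.1.5\t49214\t10.0.2.10\t111\tTCP\tS
10.0.2.11\t51000\t10.0.1.5\t3389\tTCP\tS
"""


def parse_capture(text: str) -> list:
    """Turn the tab-separated field dump into Packet tuples, skipping blanks."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src_ip, src_port, dst_ip, dst_port, proto, flags = line.split("\t")
        packets.append(Packet(src_ip, int(src_port), dst_ip, int(dst_port), proto, flags))
    return packets


def connection_initiations(packets: list) -> list:
    """Only a SYN without ACK opens a TCP connection; SYN/ACK and data
    packets flow inside a session the firewall has already admitted."""
    return [p for p in packets if p.proto == "TCP" and p.flags == "S"]


def derive_rules(packets: list) -> list:
    """One allow rule per (initiating host, destination host, proto, dst port).
    Repeated connections to the same service collapse into the same rule,
    whatever source port they happened to use."""
    rules = {Rule(p.src_ip, p.dst_ip, p.proto, p.dst_port)
             for p in connection_initiations(packets)}
    return sorted(rules)


def initiating_source_ports(packets: list) -> set:
    """The ephemeral ports the clients used.  Shown for contrast only: rules
    written on these would have to cover the whole ephemeral range."""
    return {p.src_port for p in connection_initiations(packets)}


if __name__ == "__main__":
    pk = parse_capture(SAMPLE_CAPTURE)
    for r in derive_rules(pk):
        print(f"permit {r.proto.lower()} host {r.src_ip} host {r.dst_ip} eq {r.dst_port}")
    print("ephemeral source ports seen (not rules):",
          sorted(initiating_source_ports(pk)))
```

On the sample above the capture of eight packets yields four rules, three of them DMZ to Data Center and one in the opposite direction (the made-up 3389 session), while the five distinct source ports are just noise. The printed `permit` lines are only a readable rendering of the rule tuples, not verified Cisco syntax; the real ACL should be written from the tuples by someone looking at the router's documentation.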


                • #9
                  Re: The Great Port Debate

                  Nonapeptide,

                  The article you referenced on "Ephemeral Ports" has cleared up and solved the debate regarding the DMZ vs. secured Data Center configuration. The documentation provided was "spot-on" with configuration references and best practices.
                  Everything is now working as expected.

                  Thank you, for all of your help!

                  Until next time...
                  Regards,
                  Randerso

