
Dynamic ports

Bob Greer
Level 4

Hi there,

Thanks for reading!

We have an outside user who's been impacted by an improper deploy of SFTP. The workaround allowing them to connect is this rule:

access-list outside_access_in_1 extended permit tcp any host <my server's outside ip> range 49000 65535

I entered an FTP rule opening ports 50000-50010 (according to documentation) but with no success.

Is there a "dynamic ports" type of rule which would allow me to open fewer than the 16535 ports? The incoming FTP connection generates a dynamic port <50000.

I'd like to further close the hole by naming the protocol.

Thanks again for reading!
Bob

Accepted Solution

David White
Cisco Employee

Hi Bob,

In the ACE you defined, the range is from 49000-65535, but later in your question you mention less than 50,000. I'm a little confused by what you are asking.

However, if you are hosting the server, then the client should be connecting to your server's IP on port 22, and sourced from some dynamic port. Therefore, the ACL should be something like:

   access-list outside permit tcp any host <server outside ip> eq 22

But, what your ACL says is that anyone can connect to your server on ports from 49000 to 65535, which doesn't make sense.

Now, if the client used source ports <50000, and your server was hosting SFTP on port 22, then you could write an ACL such as:

   access-list outside permit tcp host <client ip> lt 50000 host <server outside ip> eq 22

Which would be about as locked down as you could get it.

Sincerely,


David.


Hi David,

Thanks for writing. Sorry for leaving out details.

The server team originally asked for ten ports: 50000-50010. The TCP rule specifying any host over that range never incremented the hit count.

Now that 16 thousand ports are open to any host, the traffic is flowing.

The senior network guys (I'm a junior net admin) don't seem to have a problem with the rule. I think you and I see it similarly: anyone can connect, and that doesn't make security sense.

But I think you've answered my question: I need to push for a single IP. Heck, maybe we just narrow it to the ISP range of our user! Even THAT's better.

Thanks again!

Bob

Hi Bob,

Yes, I find it highly odd that the clients would need to *connect* to a possible 16k ports!

The narrower you can make the hole, the more secure you are. So, if you can reduce the number of ports open and reduce the client IPs which can access the server, both improve the security of the policy.

You can look at your syslogs to see who is connecting to the server, and on what IPs/ports.

Sincerely,


David.
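The last reply suggests using the ASA syslogs to find out which source IPs actually connect to the server and on which ports, so the 49000-65535 "any" rule can be cut down to what is really used. The script below is an added example, not code from the thread or from Cisco: it parses the ASA "Built inbound TCP connection" message (%ASA-6-302013) from a handful of constructed sample syslog lines, ignores UDP builds, outbound builds and ACL deny messages, counts connections per (source IP, destination port), and prints one tightened ACE per source IP with contiguous ports collapsed into a `range`. It keys on destination port and source IP rather than the client's source port, because client source ports are ephemeral and change on every connection. The ACL name, the RFC 5737 addresses and the server addresses are assumptions for the example; on ASA 8.3 and later the ACE must name the server's real (untranslated) address rather than the mapped outside address used in Bob's rule, so pass the address your code version expects as `server_ip`.

```python
import re
from collections import defaultdict
from itertools import groupby

# %ASA-6-302013: Built inbound TCP connection <id> for <if>:<src_real>/<port> (<src_mapped>/<port>)
#                to <if>:<dst_real>/<port> (<dst_mapped>/<port>)
BUILT_INBOUND_RE = re.compile(
    r"%ASA-6-302013: Built inbound TCP connection \d+ for "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \([\d.]+/\d+\) "
    r"to (?P<dst_if>\w+):(?P<dst_real_ip>[\d.]+)/(?P<dst_port>\d+) "
    r"\((?P<dst_mapped_ip>[\d.]+)/\d+\)"
)

# Constructed sample syslog (not from the original thread). Server real IP 10.1.1.10,
# mapped outside IP 198.51.100.10; clients 203.0.113.5 and 203.0.113.77 are assumed.
SAMPLE_SYSLOG = """\
Jun 12 10:01:02 asa %ASA-6-302013: Built inbound TCP connection 104221 for outside:203.0.113.5/51234 (203.0.113.5/51234) to inside:10.1.1.10/22 (198.51.100.10/22)
Jun 12 10:01:03 asa %ASA-6-302015: Built inbound UDP connection 104222 for outside:203.0.113.5/40000 (203.0.113.5/40000) to inside:10.1.1.10/53 (198.51.100.10/53)
Jun 12 10:01:09 asa %ASA-6-302013: Built inbound TCP connection 104230 for outside:203.0.113.5/51240 (203.0.113.5/51240) to inside:10.1.1.10/50000 (198.51.100.10/50000)
Jun 12 10:01:09 asa %ASA-6-302013: Built inbound TCP connection 104231 for outside:203.0.113.5/51241 (203.0.113.5/51241) to inside:10.1.1.10/50001 (198.51.100.10/50001)
Jun 12 10:01:10 asa %ASA-6-302013: Built inbound TCP connection 104232 for outside:203.0.113.5/51242 (203.0.113.5/51242) to inside:10.1.1.10/50002 (198.51.100.10/50002)
Jun 12 10:02:44 asa %ASA-6-302013: Built outbound TCP connection 104300 for inside:10.1.1.50/60001 (198.51.100.10/60001) to outside:198.51.100.99/443 (198.51.100.99/443)
Jun 12 10:03:15 asa %ASA-6-302013: Built inbound TCP connection 104355 for outside:203.0.113.77/33001 (203.0.113.77/33001) to inside:10.1.1.10/22 (198.51.100.10/22)
Jun 12 10:03:20 asa %ASA-4-106023: Deny tcp src outside:203.0.113.9/5555 dst inside:198.51.100.10/50010 by access-group "outside_access_in_1"
Jun 12 10:04:01 asa %ASA-6-302013: Built inbound TCP connection 104360 for outside:203.0.113.5/51250 (203.0.113.5/51250) to inside:10.1.1.10/22 (198.51.100.10/22)
"""


def parse_inbound_tcp(text, server_mapped_ip):
    """Return (src_ip, dst_port) for each inbound TCP connection the ASA built to the
    server's mapped (outside) IP. Other message IDs and other destinations are skipped."""
    hits = []
    for line in text.splitlines():
        m = BUILT_INBOUND_RE.search(line)
        if m and m.group("dst_mapped_ip") == server_mapped_ip:
            hits.append((m.group("src_ip"), int(m.group("dst_port"))))
    return hits


def summarize(hits):
    """Count connections per (src_ip, dst_port): the evidence for what the ACL must allow."""
    counts = defaultdict(int)
    for key in hits:
        counts[key] += 1
    return dict(counts)


def port_runs(ports):
    """Collapse a list of ports into sorted, contiguous (lo, hi) runs, e.g. 50000-50002."""
    runs = []
    for _, grp in groupby(enumerate(sorted(set(ports))), lambda t: t[1] - t[0]):
        run = [p for _, p in grp]
        runs.append((run[0], run[-1]))
    return runs


def propose_aces(hits, server_ip, acl_name="outside_access_in_1"):
    """Emit one ASA extended ACE per source IP and contiguous port run, tightened from
    'any ... range 49000 65535' to exactly the sources and ports seen in the logs."""
    by_src = defaultdict(list)
    for src_ip, port in hits:
        by_src[src_ip].append(port)
    aces = []
    for src_ip in sorted(by_src, key=lambda ip: tuple(map(int, ip.split(".")))):
        for lo, hi in port_runs(by_src[src_ip]):
            port_spec = f"eq {lo}" if lo == hi else f"range {lo} {hi}"
            aces.append(
                f"access-list {acl_name} extended permit tcp host {src_ip} "
                f"host {server_ip} {port_spec}"
            )
    return aces


if __name__ == "__main__":
    hits = parse_inbound_tcp(SAMPLE_SYSLOG, "198.51.100.10")
    for (src, port), n in sorted(summarize(hits).items()):
        print(f"{src:>15} -> tcp/{port:<5} {n} connection(s)")
    print()
    for ace in propose_aces(hits, "198.51.100.10"):
        print(ace)
```

Run it against a real export of the ASA syslog (or the output of `show logging`) collected while the user is working; the port summary shows whether the client really needs anything beyond tcp/22, and the generated ACEs replace the wide-open rule with a per-host policy that also drops the "any" source.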
