[OPLINTECH] Wi-Fi ports

Nathan Eady eady at galion.lib.oh.us
Thu Jul 3 13:58:26 EDT 2008


"Avery Shifflett" <shifflav at oplin.org> writes:

> I'd like some opinions from library techs operating a Wi-Fi hotspot.
> After receiving a suggestion from a patron who thought our wireless
> was too restrictive, I'm curious what ports others leave open or
> closed.  Any reasons why you've chosen to close or open specific
> ports would be appreciated.

We treat the wireless access point essentially the same as any other
system on the patron network.  At the moment we have open the
following:

 * Outgoing traffic to TCP or UDP port 53 is forwarded, and
   established/related traffic back.

   Rationale: the internet is pretty hard to use without DNS.

 * Outgoing traffic to TCP port 80 is transparently proxied, so that
   patrons can browse the web through our content filter.
   
   Rationale: the web is the main reason people want to use the
   internet.
 
 * Outgoing traffic to TCP port 443 is forwarded, and
   established/related traffic back, for HTTPS.
   
   Rationale:  a lot of quite popular websites require https for
   login, and they have pretty good reasons for doing so.

 * Outgoing traffic to TCP port 21 is forwarded, and
   established/related traffic back, for the FTP control channel.
 * Established/related traffic on TCP port 20 is also forwarded
   both directions, for the active FTP data channel.
   
   Rationale: This is more of a judgment call, but I felt we wanted to
   support such a long-standing and well-established feature of the
   internet.  I can discuss my rationale for _not_ enabling passive
   ftp, if anyone is interested.

 * ICMP echo-request and echo-reply are forwarded both directions.
   
   Rationale: I use this to diagnose network problems and stuff.
   
 * Anything not explicitly allowed is verboten.
   
   Rationale: Default-deny is the only sane security policy.  It's
   much easier to enumerate what is needed than to enumerate all the
   possible threats.  Anyone who tells you otherwise either doesn't
   understand security or is trying to sell you a product that will
   not perform as advertised.
 
> 99% of our patrons are quite satisfied and don't feel restricted in
> the least.  It may be restrictive to the other 1% who want FTP, VPN,
> etc., but I don't want to needlessly compromise security or allow the
> filter to be bypassed.

In general, this policy (allow what is needed, disallow everything
else) is exactly right.

We could argue about the finer points of exactly what is needed, but
that's details, and it's going to vary from site to site depending on
stuff.

I sort of expected to get requests for ports 110 and 25, but so far
nobody has asked about this.  Then again, our uptake has been gradual
since we put in the access point a few months ago, so the issue may
yet come up.  If it does come up, then we'll have to go over pros and
cons and stuff.

It should also be noted that standard port numbers are *conventions*.
With port 443 open, for instance, there's no technical reason why a
patron, or some malware on their computer for that matter, can't pass
any random traffic it wants through the firewall via port 443,
provided the system being contacted is listening on port 443.  As has
been pointed out, https traffic is encrypted, so although you could
block port-443 traffic to specific destination addresses, there isn't
a whole lot beyond that that can be done, unless you want to block the
port outright, which would break a very significant portion of the
web.  Port 80 cannot be abused in this fashion because it's proxied,
and if we wanted to get fancy we could also proxy DNS and ftp traffic,
but you can't proxy https.  (Err, you can pass it through a proxy that
doesn't do anything but pass it on (or drop it if the destination is
blacklisted), but you can't inspect the actual traffic to see that
it's really encrypted web traffic that you're passing on.)  My
firewall rules *pretend* that all traffic follows the conventions and
uses the standard ports.  This is *usually* the case, for *most*
user-initiated traffic, but it's not 100%.  So I have port 443 open
because I consider it necessary, not because I consider it safe.

-- 
Nathan Eady
Galion Public Library
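
The policy listed in the message above, written out as a netfilter ruleset. This is an added example, not the poster's actual configuration: the use of iptables, the interface names, and a content-filter proxy listening on the firewall itself at port 3128 are all assumptions.

```shell
#!/bin/sh
# Added example: emits the described default-deny policy in iptables-restore format.
# Assumed (not from the post): interface names and a proxy on this host at 3128.
LAN_IF="${LAN_IF:-eth1}"          # patron / Wi-Fi side (assumed name)
WAN_IF="${WAN_IF:-eth0}"          # internet side (assumed name)
PROXY_PORT="${PROXY_PORT:-3128}"  # content-filter proxy port (assumed)

patron_ruleset() {
cat <<EOF
*raw
# Since kernel 4.7 the FTP helper is not attached automatically by default;
# without it the active-mode data connection is never classified RELATED.
-A PREROUTING -i $LAN_IF -p tcp --dport 21 -j CT --helper ftp
COMMIT
*nat
# Port 80 is redirected to the proxy, so it never needs a FORWARD rule.
-A PREROUTING -i $LAN_IF -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
COMMIT
*filter
:FORWARD DROP [0:0]
# INPUT rules for the firewall host are outside the post and left unchanged;
# they must let $LAN_IF reach tcp/$PROXY_PORT for the redirect to work.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
# Matches on the port number only; the payload is not inspected.
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -p icmp --icmp-type echo-reply -j ACCEPT
# Nothing else is listed, so everything else falls through to the DROP policy.
COMMIT
EOF
}

if [ "${1:-}" = "--print" ]; then patron_ruleset; fi
```

Run the script with `--print` and pipe the output into `iptables-restore --test` to have the ruleset parsed without committing it.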


