03-03-2014 12:20 AM - edited 03-18-2019 02:40 AM
Dear All,
I am currently working on the VCS Expressway deployment with a public sector client whose security team is unwilling to open the below ports (between the Internet and the VCS Expressway):
UDP 50000 to 52399
UDP 30000 to 39999
UDP 60000 to 61399
TCP 25000 to 29999
TCP 15000 to 19999
TCP 40000 to 49999
They believe this is a lot of ports to be opened on the Internet FW, which can be a high security risk.
Is there any way we can use a few ports instead of the large range?
Has anyone encountered any security risk opening this port range?
Is there any way I can convince the security team that this is a safe approach and they will not have any security challenges with it?
Thanks.
03-03-2014 05:59 AM
Hi,
You can modify the ports under Maintenance --> Tools --> Port usage; here you can modify the local inbound and outbound port range.
Its implications depend on the traffic you have in your environment. I remember a case where a customer modified the SIP port range, which stopped presence from being shown on endpoints.
regards
Alok
03-03-2014 08:44 AM
I am not really sure where they see the big issue.
Voice / Video over IP (H.323/SIP) is a very chatty protocol, yes, so many ports need to be open. These are used for media connections (UDP) and parts of the signaling (H.323).
That's the intention of using the VCS-C and -E combination: so that this huge range of ports does not need to be open from the outside to the inside.
If a port is used then it's fine; if it's not used it will simply not be used. If you have something malicious running on the VCS on any of these ports, or if there is a security issue in the application, it does not really matter if it's one or dozens of ports.
Ports also changed between versions, especially towards X8.1, so I would already prepare for that!
There are ports which will be used as the source port only on an outbound connection; your firewall needs to allow an answer back in, but I cannot really picture that you have a firewall team and do not have a stateful firewall. These ports would be, for example, 40000-49999 UDP/TCP.
Limiting the ports can be a problem if you have a lot of calls or SIP messages, as they need ports for this communication. A single call can, for example, use a two-digit number of ports.
The big port ranges I would expect to see open on the VCS-E to the Internet are, for X8.1 (X7.2.2):
* TCP (H.245) 15000-19999 (stayed the same)
* UDP (Media) 36002-59999 (that was before 50000-54999)
* UDP (TURN) 24000-29999 (that was before 60000-61799)
* B2BUA (most likely not used on the VCS-E): 56000-57000
So your ports do not look 100% correct anyhow. Which VCS version did you initially start with and upgrade from, what do you have currently running, what do you think these port ranges do, and where did you take them from?
A handy thing on the VCS are the Local inbound and outbound ports pages found under Maintenance > Tools > Port usage.
Please remember to rate helpful responses and identify helpful or correct answers.
03-06-2014 02:17 PM
Hi mkazim,
I will agree here with Martin. We have multiple (50+) VCS-C to VCS-E deployments in public sector organisations throughout our country (as this is what we do). The point of the VCS-C to VCS-E deployment is to reduce the number of ports required to be opened, so only a handful of outbound ports (assuming established traffic is allowed back) need to be opened.
You could then either deploy the VCS-C internally with the VCS-E in a DMZ, or the VCS-C in the DMZ with the VCS-E on the public Internet.
Chris
03-06-2014 06:28 PM
mkazim wrote:
They believe this is a lot of ports to be opened on the Internet FW, which can be a high security risk.
Is there any way we can use a few ports instead of the large range?
Has anyone encountered any security risk opening this port range?
Is there any way I can convince the security team that this is a safe approach and they will not have any security challenges with it?
Yes, tell them that you are only opening the port range to the single IP address of the Expressway box, not to multiple destinations.
All the ports are handled by the same application, so opening 1 vs. 100 doesn't really change the security exposure because it's all to the same service.
The reason the range is large is twofold:
1) To support concurrent connections you need more ports.
2) The standards for H.323 and SIP require the use of dynamic ports in the unrestricted range. The port range is not the same for all implementations or vendors because it is not standardized WHICH ports to use, just that they should be the unreserved ports.
The safety comes because the Expressway works as your application-level proxy: you expose IT to the outside world, so you don't expose your internal elements directly. Unlike a web server, etc., H.323/SIP traffic is not restricted to reserved, defined ports.
Efforts to narrow the port range expose you to potential interoperability or capacity issues.
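The replies above make two checkable claims: the Internet-facing rules should allow the ranges only to the single Expressway address, and narrowing a range below what the version needs breaks calls. The following added example (not code from the thread, Cisco, or any poster) audits a proposed rule set against the X8.1 ranges Martin listed; the Expressway address 203.0.113.10, the `Rule` type and the proposed rule set are constructed for illustration.

```python
"""Audit a proposed Internet-facing firewall rule set for a VCS Expressway.

Added example. REQUIRED_X81 holds the X8.1 inbound ranges quoted in the thread;
the host address and the PROPOSED rule set are constructed sample input.
"""
from dataclasses import dataclass, replace
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp" or "udp"
    dst: str    # a single host address, or "any" for an unrestricted destination
    lo: int     # first port in the range (inclusive)
    hi: int     # last port in the range (inclusive)


# Required inbound ranges for an X8.1 Expressway, as listed in the thread.
REQUIRED_X81: List[Tuple[str, int, int, str]] = [
    ("tcp", 15000, 19999, "H.245"),
    ("udp", 36002, 59999, "media"),
    ("udp", 24000, 29999, "TURN"),
]

EXPRESSWAY = "203.0.113.10"  # constructed address of the Expressway-E

# Constructed proposal: media range cut short, TURN opened to any destination.
PROPOSED = [
    Rule("tcp", EXPRESSWAY, 15000, 19999),
    Rule("udp", EXPRESSWAY, 36002, 50000),
    Rule("udp", "any", 24000, 29999),
]


def uncovered(required, rules, host):
    """Sub-ranges of each required range that no rule allows towards `host`.

    Only rules addressed to the Expressway itself count as coverage; a rule to
    "any" is reported separately by overly_broad() rather than credited here.
    """
    gaps = []
    for proto, lo, hi, purpose in required:
        allowing = sorted(
            (r.lo, r.hi) for r in rules
            if r.proto == proto and r.dst == host and r.hi >= lo and r.lo <= hi
        )
        cursor = lo  # first port not yet known to be allowed
        for rlo, rhi in allowing:
            if rlo > cursor:
                gaps.append((proto, cursor, rlo - 1, purpose))
            cursor = max(cursor, rhi + 1)
            if cursor > hi:
                break
        if cursor <= hi:
            gaps.append((proto, cursor, hi, purpose))
    return gaps


def overly_broad(rules, host):
    """Rules whose destination is wider than the single Expressway address."""
    return [r for r in rules if r.dst != host]


def tightened(rules, host):
    """The same rule set with every destination pinned to the Expressway address."""
    return [replace(r, dst=host) for r in rules]


def exposed_ports(rules):
    """Number of distinct (protocol, port) pairs the rule set opens."""
    return len({(r.proto, p) for r in rules for p in range(r.lo, r.hi + 1)})


if __name__ == "__main__":
    for proto, lo, hi, purpose in uncovered(REQUIRED_X81, PROPOSED, EXPRESSWAY):
        print(f"missing {proto} {lo}-{hi} ({purpose}) towards {EXPRESSWAY}")
    for r in overly_broad(PROPOSED, EXPRESSWAY):
        print(f"rule {r.proto} {r.lo}-{r.hi} allows dst {r.dst}; restrict to {EXPRESSWAY}")
    print(f"{exposed_ports(PROPOSED)} proto/port pairs opened in total")
```

Run as a script it reports the truncated media range and the TURN rule that is addressed to "any"; feeding `tightened(PROPOSED, EXPRESSWAY)` back into `uncovered()` shows that pinning the destination fixes the TURN finding while the media gap remains until the range is extended.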