As others have pointed out, opening ports is an essential feature of establishing communications from behind a firewall. Yes, every additional service you choose to run creates some additional theoretical risk, and some create some actual risk (some much more than others). That is a question of individual protocol and application design, not of the fact that to use the service, you need a hole. The alternative approach is akin to embedding your PC in a block of concrete; probably very secure, but also totally useless.

In fact ~given~ that you want to establish some communication, requiring the opening of a port specifically for it is the best way; far worse is if you try to avoid the issue by skulking along on some other well-known port that you expect to find already open (usually, port 80). That approach provides no additional security and also prevents the firewall (and any other routing based security you may have) from locking down access to the service based on its particular characteristics.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/articles/11248/32119#32119