Opening ports for synchronization


rphips (IS-IT--Management)
Sep 12, 2003
Good day

I don't know if this question belongs here but here goes.

I have a program that needs to synchronize over the web. The problem is the routers on the customers' end.

The program will synchronize when the router is unplugged (bypassed), but the customers believe doing this is a security risk.

What I need is the ability to open a port on the router (unknowns) and do the synchronization, then close the port.

Is there any way of doing this securely?

bob
 
If the router is unplugged, how are you getting to the net? Or do you mean that the filter rules are turned off?

The customer is absolutely right that bypassing filtering rules is a security risk, but the question is always, how much of one?

What ports do you use for communication? If you run your server on a standard port, it shouldn't be any problem to implement a rule that allows their machines on any ephemeral port (assuming that you use dynamic port allocation on that end) to connect to your machine on that port.

But some companies just have so many of these niche "pin hole" requests, that they are concerned with their filtering rules getting too large (they really do slow a router).

Depending on the situation, you may want to use a static port that is already allowed through their filters, like 80 or 443, but that can cause another set of problems when you are using a "well known" port for a non-standard purpose.

If you are using ephemeral ports on both ends, you are generally just SOL. That really is just way too dangerous to allow any source port to any destination port.

I am also assuming that you are having the program on their end connect to your server periodically, not having your server contact them autonomously. I would be really hard pressed to ever allow a vendor to connect into my network. I am much more comfortable when my machine initiates the contact. Not that it is really all that different, it is just more common to block everything incoming except what is destined for a DMZ. And then filter outbound requests as needed.


pansophic
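The filtering model pansophic describes (default deny inbound, one pin hole letting the customer's machines connect from any ephemeral source port to the vendor's server on a single fixed port, replies allowed only for connections the customer side opened, and no rule at all for ephemeral-to-ephemeral traffic) can be written out as a small stateful filter. The block below is an added example, not code from the thread or from either poster; the LAN prefix, the server address and the port 8443 are constructed for the demonstration.

```python
"""Added example: a model of the stateful pin-hole rule discussed above.

Not code from the original thread. The LAN prefix, the server address
(203.0.113.10 is a documentation address) and the vendor port 8443 are
constructed for this demonstration.
"""

from dataclasses import dataclass

# IANA dynamic/private port range. Assumption: the customer's hosts pick
# their source ports from it, as most modern operating systems do.
EPHEMERAL = range(49152, 65536)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool  # True only for the initial SYN that opens a connection


class PinholeFilter:
    """Default-deny filter with one outbound pin hole and stateful replies."""

    def __init__(self, lan_prefix: str, server_ip: str, server_port: int):
        self.lan_prefix = lan_prefix
        self.server_ip = server_ip
        self.server_port = server_port
        # 4-tuples of connections a LAN host has opened. Replies are accepted
        # only for these. A real firewall also ages entries out and tracks
        # TCP state; this model keeps just the tuple.
        self.established: set[tuple[str, int, str, int]] = set()

    def check(self, pkt: Packet) -> str:
        # Rule 1: reply traffic belonging to a LAN-initiated connection.
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if not pkt.syn and reverse in self.established:
            return "ACCEPT"
        # Rule 2: a LAN host opening a connection from an ephemeral port to
        # the vendor server on the agreed fixed port. One rule covers every
        # LAN host, which keeps the filter list short.
        if (pkt.syn
                and pkt.src_ip.startswith(self.lan_prefix)
                and pkt.src_port in EPHEMERAL
                and pkt.dst_ip == self.server_ip
                and pkt.dst_port == self.server_port):
            self.established.add(
                (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return "ACCEPT"
        # Rule 3: everything else is dropped, in particular anything the
        # vendor initiates and any ephemeral-to-ephemeral traffic.
        return "DROP"


def demo() -> list[str]:
    """Run constructed sample traffic through the filter; returns verdicts."""
    fw = PinholeFilter(lan_prefix="192.168.1.",
                       server_ip="203.0.113.10", server_port=8443)
    traffic = [
        # salesman's PC opens the sync connection from an ephemeral port
        Packet("192.168.1.20", 51234, "203.0.113.10", 8443, syn=True),
        # server's reply on that same connection
        Packet("203.0.113.10", 8443, "192.168.1.20", 51234, syn=False),
        # server talking to a LAN host that never opened a connection
        Packet("203.0.113.10", 8443, "192.168.1.21", 51234, syn=False),
        # vendor-initiated, ephemeral-to-ephemeral connection into the LAN
        Packet("203.0.113.10", 50000, "192.168.1.20", 50001, syn=True),
        # LAN host to the server on a port the pin hole does not cover
        Packet("192.168.1.20", 51235, "203.0.113.10", 22, syn=True),
    ]
    return [fw.check(p) for p in traffic]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Only the first two packets pass: the LAN-initiated connection and its reply. The same source port reaching a different LAN host, a vendor-initiated connection, and a connection to an unagreed port are all dropped, which is why the fixed server port matters and why a sync that needs arbitrary inbound ports cannot be allowed through a filter like this.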
 
Hello, just back from Christmas break.
Thanks for answering me, guys.

It's a new program, and how it is used: salesmen connect up via modem, DSL, or high-speed Internet (whichever) and synchronize their data. The problem is it doesn't work unless we disconnect the routers. Can anybody explain how the live updates manage this?

bob
 