Do firewalls block non-HTTP traffic on port 80?

Can anyone confirm that using a persistent outgoing TCP connection on port 80 will not be blocked by the vast majority of consumer firewalls?
That has been my assumption, based on the fact that HTTP runs over TCP, but of course it is theoretically possible to analyze the packets. The question is: do most CONSUMER firewalls do this or not?

The feature is called ALG, Application Layer Gateway. This is where the firewall is aware of, and perhaps even participates in, an application protocol.
There are two main reasons a firewall may do this:
Protocol support: in order to support the protocol it is necessary to snoop/participate, e.g. opening up additional ports for non-passive FTP or media ports for SIP+SDP.
Additional security: an ALG may function as a transparent proxy and filter protocol commands and actions to enforce policy, e.g. preventing the HTTP CONNECT method.
ALGs have been a common feature of stateful firewalls for many years, though they are often the source of instability.
For security-proscriptive environments, expect HTTP to be validated and filtered either by a firewall or by another dedicated policy enforcement appliance.
Residential broadband routers do not tend to have advanced firewall features. I would be surprised to find any with HTTP validation / filtering on port 80.
Personal software firewalls come in two flavours, basic and advanced. Most consumers will have a basic one that probably comes with their operating system and will not do any HTTP validation / filtering.
However, there is a rising trend in antivirus product differentiation towards advanced internet content filtering for threat protection, so there is a significant possibility that these may filter HTTP activity (but it is difficult to determine with certainty from their feature lists).
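As an added illustration (not code from the answer above) of the check an HTTP-validating ALG or transparent proxy applies to a port-80 flow, the function below classifies the first bytes a client sends as HTTP, not HTTP, or incomplete. The samples are constructed; the method list and request-line grammar follow RFC 7230.

```python
import re

# Request-line grammar from RFC 7230 section 3.1.1, reduced to what an
# ALG can check before it has seen the full request:
#   method SP request-target SP HTTP-version CRLF
_METHODS = {b"GET", b"HEAD", b"POST", b"PUT", b"DELETE", b"OPTIONS",
            b"TRACE", b"PATCH", b"CONNECT"}
_VERSION_RE = re.compile(rb"^HTTP/1\.[01]$")
_MAX_LINE = 8192   # assumed buffer limit; real products choose their own


def classify_port80_stream(first_bytes: bytes) -> str:
    """Classify the first bytes a client sent on a port-80 flow.

    Returns "http", "not-http", or "need-more-data". This mimics the
    initial decision an application-layer gateway or transparent proxy
    makes before relaying or blocking the connection.
    """
    # Every registered method starts with an uppercase ASCII letter, so a
    # first byte outside A-Z (e.g. a TLS record header) fails at once.
    if first_bytes and not 0x41 <= first_bytes[0] <= 0x5A:
        return "not-http"
    if b"\r\n" not in first_bytes:
        # Request line incomplete: buffer until CRLF or the size limit.
        return "need-more-data" if len(first_bytes) < _MAX_LINE else "not-http"
    line = first_bytes.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) != 3:
        return "not-http"
    method, target, version = parts
    if method not in _METHODS or not target or not _VERSION_RE.match(version):
        return "not-http"
    return "http"


# Constructed samples of what a client's first segment might contain.
SAMPLES = {
    "plain GET": b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "POST 1.0": b"POST /api HTTP/1.0\r\nContent-Length: 0\r\n\r\n",
    "TLS ClientHello": b"\x16\x03\x01\x00\xf4\x01\x00\x00\xf0\x03\x03",
    "custom binary": b"\x00\x01MYPROTO\x00\x00\x00\x10payload\r\n",
    "partial line": b"GET /very/long/pa",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:16s} -> {classify_port80_stream(data)}")
```

A persistent non-HTTP connection on port 80, as the question describes, falls into the "not-http" branch of such a check as soon as its first bytes arrive, which is why the answers above distinguish devices that run this kind of validation from those that only track TCP state.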

It's almost impossible to answer this question with anything other than "it depends".
Most leading firewall vendor solutions will do this through their configuration.
You will find paranoid organisations (financial, government, military, gambling etc) will typically have such application intelligence enabled. They will detect the traffic as not valid HTTP and so block it for both security and performance reasons.
This type of feature is (these days) typically turned on by default and as you know, most people don't change a default configuration after the vendor or consultant has left.
However, some companies, where the techies don't understand or they have no power in the decision-making, will turn such application intelligence off because it interferes with business, i.e. internal apps or external apps (running on the LAN and connecting back), developed as bespoke solutions, work over TCP port 80 (hey, it's always open) and are non-http.
You don't just have to worry about firewalls, though. Most companies run internal proxy servers for outgoing traffic, and these typically now only allow valid HTTP on port 80; their configuration isn't changed, as a proxy server is usually requested by the infrastructure and security teams and they don't want non-HTTP over port 80. Additionally, there are also load balancers, and they're typically configured for HTTP on port 80 for a variety of reasons such as content switching, rewrites, load-balancing and security.
To summarise, in my experience, that'd be a yes but I haven't worked a lot with SMEs, primarily larger corporates.

Port 80 is blocked by many firewalls. For example, you have to add exceptions like "I allow Skype or MSN Messenger to use port 80 for outgoing traffic".

Related

Do client services need ports?

Recently, I was having a chat with a much more experienced engineer. We had a service on the server that only initiated requests to a partner. I suggested that this service requires us to configure a port and he turned down my suggestion. I believe he said something along the lines of "Since we are not hosting a service that is accessed by anyone, rather we are accessing a partner's service, we don't require a port." It got me thinking: given that on the same server we have so many services, how does the server know that this response is for this given service?
Broadly, the server is really acting as a client, and the ports used for connections are assigned dynamically by the networking stack.
Under normal conditions, the port is numbered >1000 (low ports are reserved for root processes) and is not in use.
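To make the answer concrete, here is an added example (not from the answer) that opens two outgoing connections to a loopback listener without ever calling bind() on the client side, then shows that the stack chose a distinct, unprivileged source port for each and delivers each reply to the right socket by matching the full 4-tuple.

```python
import socket


def demo_ephemeral_ports():
    """Return (listen_port, [(client_port, port_seen_by_server), ...], replies).

    The client sockets never bind(): the networking stack assigns their
    source ports, which is the "port" the question is asking about.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))      # port 0: let the stack pick the listener port
    srv.listen(2)
    listen_port = srv.getsockname()[1]

    pairs, clients = [], []
    for _ in range(2):
        c = socket.create_connection(("127.0.0.1", listen_port))
        peer, addr = srv.accept()
        clients.append((c, peer))
        # Source port chosen by the stack; the server sees the same number.
        pairs.append((c.getsockname()[1], addr[1]))

    # Reply on each accepted socket. The kernel routes every segment by
    # (src ip, src port, dst ip, dst port), so each client gets its own reply
    # even though both connections share the same destination port.
    for i, (_, peer) in enumerate(clients):
        peer.sendall(f"reply-{i}".encode())
    replies = [c.recv(16) for c, _ in clients]

    for c, peer in clients:
        c.close()
        peer.close()
    srv.close()
    return listen_port, pairs, replies


if __name__ == "__main__":
    port, pairs, replies = demo_ephemeral_ports()
    print("listener:", port)
    for (cp, sp), r in zip(pairs, replies):
        print(f"client src port {cp} (server saw {sp}) got {r!r}")
```

On Unix-like systems the assigned source ports are above the privileged range (below 1024), matching the ">1000" in the answer.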

HTTP or HTTPS on virtual private cloud (VPC)?

Should I use HTTP or HTTPS to communicate between services on my virtual private network (VPC)? What are the risks (if any) of using HTTP in such scenario?
My naive reasoning is that, given the inherent privacy of the network, HTTP should suffice for internal communication between servers inside said network. Am I wrong to make such an assumption?
I've searched through GCloud VPC documentation, yet can't find anything regarding this question. I've also found this article on AWS HTTPS, yet again no indication as to whether one or other should be preferred.
I'd link up more sources, but I can not find any articles arguing for either.
As per my understanding, a VPC network isolates the traffic and puts some security measures in place that prevent your traffic from being seen from a different VPC. That being said, the security of the resources is a shared responsibility in cloud environments. In case there is a security breach inside GCP that allows someone to gain access to my VPC and sniff the traffic, if I'm using HTTPS, the communication is encrypted and I am adding another layer of security. Therefore, I would always go with the safest option (HTTPS).

How to establish pub-sub architecture using ActiveMQ when subscribers are in the public internet

I have a situation where messages are being generated by an internal application but the consumers of the messages are outside our enterprise network. Will either the http(s) transport or REST connectivity work in this scenario, with an HTTP reverse proxy in the DMZ? If not, is it safe to have a broker in the DMZ which can act as a gateway to outside consumers?
Well, the rest/http approach to connect to ActiveMQ is very limited as it does not support true messaging semantics.
Exposing an ActiveMQ broker is no less secure than any other communication software if precautions are taken (TLS, default passwords changed, high entropy passwords are used and/or mutual authentication, recent patches applied, web console/jolokia not exposed externally without precautions etc etc).
In fact - you can buy online ActiveMQ instances from Amazon - which indicates that at least they think it's not such a bad idea to put them on the Internet.

HTTP TCP connection to web server behind NAT

My question is the same as this one but hopefully adds clarity to get an answer. After reading this fantastic article on the specifics behind NAT traversal, along with a general summary of methods found here, I'm wondering if the scenario has been accomplished or is possible. I'm writing software that serves web pages on any specified port, and am wondering if it is possible to have a web client on the WAN side connect to this server when it is behind a NAT router. The reasons I'm finding this difficult are:
I don't want to tell the user (who owns the web server) to configure their router to port forward (and many cases the user may not have privileges to do so).
UPnP I believe is often default-disabled, and is another configuration privilege not afforded to the user.
UDP hole punching looked promising until I realized the client is using a browser with HTTP, and thus can communicate only through TCP, which limits my capability further by restricting options to browser scripts.
I have not found a successful implementation of TCP hole punching, considering the difficulties of maintaining state information (currently I'm looking at chownat, but am wondering how to implement TCP over a UDP tunnel from a web browser, or if that's even possible?).
Using a proxy to forward all traffic doesn't scale well (though using an external server, that is not behind a NAT, would be perfectly fine for setting up the initial connection or NAT traversal). By Scaling, I mean if many many users have their own web servers, not for the one user's web server to have high traffic (which is not a concern given the user's upload-bandwidth is often severely limited).
Right now I'm starting to think there will have to be some client-side browser script to help implement this, so the task won't be completely handled by the server. If anybody has any ideas or experience with trying to have a user connect to a web server behind a NAT router, I'd greatly appreciate some direction! Thanks!

Is there a network communication protocol whose use won't require an app's user to grant permissions in Windows Firewall?

I want my client program to communicate with a server without making the user add an exception to Windows Firewall in elevated mode. Is there a way to do this? HTTP? For instance, uTorrent and Google Chrome can both be installed by a regular (non-admin) user, and both programs network quite extensively - how do they do this? Am I missing something about how the firewall and/or ports works?
Yes, there is a way. Assuming that your client program is the one running on the user's machine, and that your client program is the one initiating communication with the server, then your client program generally would not require the end user to open any exceptions in the Windows firewall as long as you stick to using HTTP over port 80. HTTP on port 80 is generally open for outbound traffic (initiated by the client), and therefore you could build your communication (and, if needed, your own protocol) on top of the HTTP protocol. This is the typical scenario for web servers and web browsers (clients).
If you need the server to initiate the communication it becomes more complex, and a lot of different approaches could be used. The choice of communication channels and structure should depend on factors like whether you want to communicate with one client at a time or many (broadcast/multicast), whether you need encryption, what your needs for speed are (throughput and latency), what kind of system you are trying to build, and so on.
Many web applications achieve the effect of server-initiated communication by using special techniques called polling, long polls, comet, websockets and so on. These work through HTTP on top of TCP/IP on port 80. Other systems employ subscription mechanisms to be able to get notified through a third party if something new has happened. If you need server-initiated communication, please let me know and I will try to give a better explanation of the options.