PIX/Remote Desktop Question

wagnerbm Member Posts: 38
Okay, everyone knows that 3389 is the port used for a remote desktop connection. For security purposes I change the port to something else unless it is to one of our remote locations through a PIX-to-PIX tunnel. Well, we have a vendor that will not change the port to something else. We have to allow it (government), so my question is: even though it is from 1 IP directly to ours, would you recommend only allowing the access when they call, or just leaving it open since it is only 1 IP to 1 IP?

Thanks

Comments

  • dynamik Banned Posts: 12,312
    Where does your vendor fit into the equation?

    I wouldn't worry too much about leaving it at 3389. I change mine as well, but that only stops casual "hackers" who are just scanning for IPs with 3389 open. If someone is determined, they'll find what port you're using. I wouldn't consider it a genuine security measure.

    Obviously only opening it when necessary would be the most secure solution. It's up to you to determine what's the proper balance of security and convenience. I would think that something like leaving it open all the time and just allowing certain IPs, or an IP range, would be sufficient, but it really depends on what type of information you're trying to protect.
  • shednik Member Posts: 2,005
    Writing an ACL on the edge firewall to only allow port 3389 from their public IP space to the subnets they need to hit on your network is best IMO.
  • Ahriakin Member Posts: 1,799
    Agreed, set it from their IP only and audit access to the end server rigorously (put LOG on the end of your ACL rule for one; if you have an IDS you could easily write a rule to monitor the same traffic internally, as well as finally auditing that process on the server itself).

    Changing ports, while initially seeming like a good idea, will only keep casual snoopers unaware for a while. Obscurity is not security, and considering that other security monitors (like an IDS) will expect RDP on that port and won't inspect it properly otherwise, you may actually weaken your security posture unless you are obsessive about keeping every logging/monitoring and security tool up to date with your port changes.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
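The "allow from their IP only, then audit the log hits" approach that shednik and Ahriakin describe, as an added example that is not part of this thread: a Python script that parses the `%PIX-6-106100` messages a `log`-tagged ACL entry emits and flags any RDP hit on the protected host that is not the expected vendor session. The vendor IP, internal RDP host and sample syslog lines are placeholders I constructed.

```python
import re

# Assumed policy for this example (placeholder addresses, not from the thread):
VENDOR_IP = "203.0.113.10"   # vendor's public IP the ACL permits
RDP_HOST = "10.1.1.20"       # internal host they are allowed to reach
RDP_PORT = 3389

# Matches PIX/ASA 106100 ACL-hit messages, which the 'log' keyword on an ACL entry produces.
ACL_LOG = re.compile(
    r"%(?:PIX|ASA)-\d-106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<sif>\w+)/(?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dif>\w+)/(?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)

def audit_rdp_acl(lines):
    """Return (action, src, dst, dport, reason) for every ACL hit on the RDP host that is not the expected vendor session."""
    findings = []
    for line in lines:
        m = ACL_LOG.search(line)
        if not m:
            continue  # not an ACL hit message
        dport = int(m["dport"])
        if m["dst"] != RDP_HOST or dport != RDP_PORT:
            continue  # traffic to something other than the RDP host/port
        if m["src"] == VENDOR_IP and m["action"] == "permitted":
            continue  # the one session the ACL is meant to allow
        if m["action"] == "permitted":
            reason = "RDP permitted from non-vendor source: ACL is broader than intended"
        else:
            reason = "RDP attempt from non-vendor source blocked by ACL"
        findings.append((m["action"], m["src"], m["dst"], dport, reason))
    return findings

# Constructed sample syslog lines (not from a real device).
SAMPLE_LOG = [
    "%PIX-6-106100: access-list outside_in permitted tcp outside/203.0.113.10(51234) -> inside/10.1.1.20(3389) hit-cnt 1 first hit [0x8a3b2c1d, 0x0]",
    "%PIX-6-106100: access-list outside_in denied tcp outside/198.51.100.7(40001) -> inside/10.1.1.20(3389) hit-cnt 3 300-second interval [0x1234abcd, 0x0]",
    "%PIX-6-106100: access-list outside_in permitted tcp outside/198.51.100.9(40500) -> inside/10.1.1.20(3389) hit-cnt 1 first hit [0x55aa55aa, 0x0]",
    "%PIX-6-106100: access-list outside_in permitted tcp outside/203.0.113.10(51300) -> inside/10.1.1.30(443) hit-cnt 1 first hit [0x0badf00d, 0x0]",
]

if __name__ == "__main__":
    for action, src, dst, dport, reason in audit_rdp_acl(SAMPLE_LOG):
        print(f"{action:9} {src} -> {dst}:{dport}  {reason}")
```

The "permitted from non-vendor source" finding is the one worth alerting on, since it means the edge ACL lets in more than the single vendor address.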