Ports open?

Status
Not open for further replies.

hinesjrh

We are implementing a new Wyse thin client set-up at some of our remote sites. One aspect of this implementation is to get WAKE-ON-LAN working over our WAN to the thin clients. Wyse is telling us that we need to have ports 16962 and 2344 open on our routers (routers are a 3640 @ my / corporate location and 2610's or 2811 at my remote sites). Do you see any security issues with opening these ports (my WAN is a PRN to each remote site provided by Qwest)?

I am a bit new to this, but I am thinking that I need to identify (allow) this in the ACL's on both ends. Is this correct? How can I see if these ports are already allowed or blocked?
 
"sh access-list" displays the current ACL configuration.

Yes, there are always security issues, but they must be weighed against required functionality. If you need it, you need it.

Just create an ACL to allow traffic from certain addresses to certain addresses over certain ports, and you're about as secure as you're going to get. Whether you need to modify the configurations at one or both ends depends on how they're set up.
 
If I need to allow UDP on ports 2344 and 16962, what would the permit statement(s) look like?

On the router at my location, I currently have the following in the *access list statements (where 100 is the out, and 104 is the in):

Extended IP access list 100
permit tcp host 10.1.1.119 any
permit udp host 10.1.1.119 any
deny udp any any eq 8998 log
deny udp any any eq tftp log

Extended IP access list 104
permit tcp any host 10.1.1.119 (213967 matches)
permit udp any host 10.1.1.119 (10213279 matches)
deny udp any any eq 8998 log (3 matches)
deny udp any any eq tftp log
deny udp any any eq 995 log
deny udp any any eq 996 log
deny udp any any eq 997 log
deny udp any any eq 998 log
deny udp any any eq 999 log

These are the only mentions of UDP in the statements.

*These are not the whole access lists, as I didn't want to post the whole things here.
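
Added example, not part of any post in this thread and not Cisco or Wyse code: a small first-match evaluator that checks whether UDP 2344 and 16962 are allowed by the excerpt of list 100 posted above, then shows the effect of permits scoped to specific addresses and ports. The addresses 10.1.1.50 (management host) and 10.2.1.0/24 (remote thin clients) are constructed for illustration, and the parser handles only the entry forms seen here (any, host, address plus wildcard, destination eq).

```python
import ipaddress
import re

NAMED_PORTS = {"tftp": 69}  # the only service name used in the posted lists

def _take_addr(tok):
    """Pop one IOS address spec; return (base, wildcard) as integers."""
    first = tok.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(tok.pop(0)))

def parse_ace(line):
    """Parse 'permit|deny proto src dst [eq port] [log] [(N matches)]'."""
    tok = re.sub(r"\(\d+ match(es)?\)", "", line).split()
    action, proto = tok.pop(0), tok.pop(0)
    src, dst = _take_addr(tok), _take_addr(tok)
    port = int(NAMED_PORTS.get(tok[1], tok[1])) if tok[:1] == ["eq"] else None
    return action, proto, src, dst, port

def _hit(ip, spec):
    """Wildcard bits set to 1 are 'don't care' bits."""
    base, wild = spec
    return (int(ipaddress.IPv4Address(ip)) | wild) == (base | wild)

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for line in acl:
        action, p, s, d, port = parse_ace(line)
        if p in (proto, "ip") and _hit(src, s) and _hit(dst, d) and port in (None, dport):
            return action, line
    return "deny", "implicit deny"

# Excerpt of list 100 exactly as posted (the full list was not shown).
ACL_100 = [
    "permit tcp host 10.1.1.119 any",
    "permit udp host 10.1.1.119 any",
    "deny udp any any eq 8998 log",
    "deny udp any any eq tftp log",
]
# Constructed addresses: 10.1.1.50 = management host, 10.2.1.0/24 = thin clients.
SCOPED = [
    "permit udp host 10.1.1.50 10.2.1.0 0.0.0.255 eq 2344",
    "permit udp host 10.1.1.50 10.2.1.0 0.0.0.255 eq 16962",
]

if __name__ == "__main__":
    for port in (2344, 16962):
        print(port, evaluate(ACL_100, "udp", "10.1.1.50", "10.2.1.77", port))
        print(port, evaluate(SCOPED + ACL_100, "udp", "10.1.1.50", "10.2.1.77", port))
```

Because the posted lists are excerpts, an implicit-deny result here holds only if no unposted entry matches first. Host 10.1.1.119 is already permitted for all UDP by the second entry, including port 8998, since that permit precedes the deny.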
 