Comprehensive data protection for all workloads
Post Reply
mikeely
Expert
Posts: 232
Liked: 71 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely
Contact:

PLEASE please stop requiring so many port ranges!

Post by mikeely » 2 people like this post

I think I first asked about this in 2017 and three years later, here I am yet again stymied by the fact that somebody didn't bother considering the needs of sysadmins when they decided to assign 800 ports here, 30 ports there, 28000 ports yet elsewhere... which is all the more frustrating when many of these port ranges are just simple control data. There's no justification for it other than lazy implementation and it's maddening to have to bother three different departments to get firewall rules added. Just set up SOAP and send all your control data over 443 instead of the current madness. Enough already!
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
Andreas Neufert
VP, Product Management
Posts: 7076
Liked: 1510 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany
Contact:

Re: PLEASE please stop requiring so many port ranges!

Post by Andreas Neufert » 2 people like this post

Hi Mike, thanks for the feedback. Yes, this is something we all feel when interacting with security departments in the field.
You will see some changes in v11 that go in the needed direction.

Based on my tests we got nearly completely rid of the internal requirement for dynamic RPC port range.
The main point here is that if you want to login into a blank windows, then you have to use what is already there and that is RemoteRPC with all the port madness.
Our guest processing in v11 has the option to use a helper client that reduces the port range to 2 ports for the guest interaction (3 if you want to use log shipping).
This was the most critical part reported by the security admins (get rid or RPC/CIFS port range requirements).

I think v10 reduced our transport port range already to not include the RDP port anymore. That was the most critical one as more than a 1/3 of the ransomware is spread over RDP.

You will see changes on other places as well in v11 and over time.
Post Reply

Who is online

Users browsing this forum: acmeconsulting, d.artzen, gojain, Mildur and 123 guests