IP and port numbers

[Nick Arnett]

At 07:01 AM 5/28/98 -0700, Kirk_Nims at michcon.com wrote:

>This is my very problem.  Our security and network folks are affraid to
>open ports 210 and 2210 for outbound traffic so I can use z39.50 through
>our firewall.  Does anyone comprehend the security risks of enabling
>traffic over ports 210 and 2210 to support z39.50 activity?  I posted this
>question several weeks ago and had virtually no input.

There is nothing inherently dangerous about opening a port. The question is
how secure the z39.50 server itself is. That's what they should be
concerned about. It's a bit of a Catch-22 -- unless a service is widely
used, there's an assumption that it may have unknown security problems.
Unknown = not secure, the way most security people think. On the other
hand, the very fact that it isn't widely used means that hackers aren't so
likely to try to figure out how to use it to penetrate your system, since
whatever they learn won't be useful on very many other sites.

If your security people aren't looking at the server or talking to the
company that developed it, then they're just stonewalling you to avoid
work. If they have looked at the server and talked to the developer and
still have security concerns, then there may be a real issue. But it sounds
like the former if they're focusing on the simple issue of opening the
ports. If you challenge them, you are very safe to insist that there is no
inherent security risk in opening the ports; they have to justify their
actions on the basis of the risks associated with any services on those
ports (presumably your z39.50 server(s)) inside your firewall.

You are in a common situation with your IS people -- the first response is
virtually always to say no to opening ports. If you can present them with
security information from the vendor, that should get them moving.

Nick
--

Phone/fax: (408) 733-7613  E-mail: narnett at mccmedia.com

"Defy Demographics!"