A firewall may be generally defined as a hardware or software filter that prevents data packets from entering or leaving a network unless specifically authorized. To control the flow of network traffic, data packets sent to or from numbered ports are either permitted or denied according to policy rules applied by the firewall. Such rules are generally set by an administrative entity, such as a system administrator, and together implement a firewall policy. These rules specify when traffic may pass through the firewall based upon various firewall filtering parameters (“firewall parameters”), such as allowed port numbers, protocols, network addresses, and the like.
However, the “attack surface” of a firewall, that is, the exposure of the firewall and of the hosts behind it to attack by malicious code, increases with the number of ports allowed to pass network traffic. Therefore, it may be beneficial to reduce the number of ports open at any given time in order to reduce the attack surface of the firewall.
Ports may be opened either statically or dynamically. The static opening of ports is generally performed by an administrative entity prior to runtime, and may result in the port remaining open for all traffic until the port is closed manually. This may increase the number of openings in the firewall, and therefore may increase the attack surface of the firewall.
On the other hand, the dynamic opening of ports may be performed at runtime by an application or service. Thus, an inbound port is not opened until it is requested by the application or service. However, such an application or service typically holds administrative-level rights over firewall policy, which allow it to create policy exceptions that open ports for traffic. For example, an application or service with dynamic port definition capabilities may create a separate firewall exception for every port on which it will pass incoming or outgoing traffic, or may create a blanket exception allowing the application or service to pass traffic through any transmission control protocol (TCP) or user datagram protocol (UDP) port. As a result, large numbers of firewall exceptions may be created by various applications and services with little visibility to the administrative entity, and many more firewall ports may be open at any given time than the entity's firewall policy allows.
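The following is an added example, not part of the original text, that models the situation just described: static administrator rules and dynamic per-application exceptions (including a blanket any-port exception) are collected into one rule list, the effective set of open ports is expanded from it, and the result is diffed against the ports the administrator's policy actually permits. The rule format, the `ANY_PORT` wildcard, the sample rules and the policy are all constructed for illustration and do not correspond to any particular firewall product's API.

```python
from dataclasses import dataclass

# Constructed wildcard meaning "every port 0-65535" (assumption for this model).
ANY_PORT = "any"
ALL_PORTS = frozenset(range(0, 65536))


@dataclass(frozen=True)
class Rule:
    owner: str          # "admin" for static rules, otherwise the app/service name
    proto: str          # "tcp" or "udp"
    ports: frozenset    # frozenset of ints, or frozenset({ANY_PORT})
    direction: str = "in"   # "in" or "out"


def expand_ports(ports):
    """Turn a rule's port specification into the concrete set it opens."""
    if ANY_PORT in ports:
        return set(ALL_PORTS)
    return set(ports)


def effective_open(rules, direction="in"):
    """Union of every port opened by any rule in the given direction, per protocol."""
    open_by_proto = {"tcp": set(), "udp": set()}
    for r in rules:
        if r.direction == direction:
            open_by_proto[r.proto] |= expand_ports(r.ports)
    return open_by_proto


def audit(rules, policy, direction="in"):
    """Compare effectively open ports with the ports the policy allows.

    policy: {"tcp": set_of_allowed_ports, "udp": set_of_allowed_ports}
    Returns exposure (total open ports, the attack-surface measure used above),
    per-protocol ports open beyond policy, which owners opened them, and any
    blanket any-port rules.
    """
    open_ = effective_open(rules, direction)
    violations = {p: sorted(open_[p] - policy.get(p, set())) for p in open_}
    offenders = {}
    for r in rules:
        if r.direction != direction:
            continue
        extra = expand_ports(r.ports) - policy.get(r.proto, set())
        if extra:
            offenders[r.owner] = offenders.get(r.owner, 0) + len(extra)
    blanket = [r for r in rules if r.direction == direction and ANY_PORT in r.ports]
    return {
        "exposure": sum(len(v) for v in open_.values()),
        "violations": violations,
        "offenders": offenders,
        "blanket_rules": blanket,
    }


# Constructed sample: one static admin rule plus dynamic exceptions created by
# hypothetical services. "mediasvc" uses a blanket any-UDP-port exception.
SAMPLE_RULES = [
    Rule("admin", "tcp", frozenset({22, 443})),
    Rule("backupsvc", "tcp", frozenset({8443, 8444})),
    Rule("mediasvc", "udp", frozenset({ANY_PORT})),
    Rule("updater", "tcp", frozenset({443}), direction="out"),
]

# Constructed policy: what the administrator believes is open inbound.
POLICY = {"tcp": {22, 443, 8443}, "udp": set()}


if __name__ == "__main__":
    report = audit(SAMPLE_RULES, POLICY)
    print("inbound ports effectively open:", report["exposure"])
    print("tcp ports beyond policy:", report["violations"]["tcp"])
    print("udp ports beyond policy:", len(report["violations"]["udp"]))
    print("ports beyond policy per owner:", report["offenders"])
    print("blanket rules:", [r.owner for r in report["blanket_rules"]])
```

Running the script on the constructed rules reports four TCP ports and all 65536 UDP ports open inbound, with one TCP port (8444) and the entire UDP range opened beyond policy; the blanket `mediasvc` exception alone accounts for almost the whole exposure, which is exactly the visibility gap the passage describes. Against a real host the rule list would be populated from the firewall's own rule export rather than constructed inline.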