Connect to other ports than 80 and 443 from Online?

Hi, 

the limitation that Online only allows outbound traffic on ports 80 and 443 is a bit problematic. Often, when we're integrating from SuperOffice Online to an external system, that system is hosted on various ports. This means that we have to get the external system to be reconfigured to get it talking with SuperOffice.

It is said here that the port 80 and 443 restriction is for security reasons. What is the reason for this? Why is it unsafe for us to connect to other ports, as long as we make sure we use HTTPS protocol?

Example

HTTP http;
String result = String(http.get("https://www.example.com:8080"));

RE: Connect to other ports than 80 and 443 from Online?

Hello Frode.

Using egress filtering is commonly deployed to mitigate malware (especially worms) capabilities for lateral movement and information exfiltration once a system has been compromised. 

We are interested in knowing if there are any ports that are recurring. I assume you mentioned 8080 for a reason. :) 

--

HansO

By: Hans Oluf Waaler 1 Feb 2019

RE: Connect to other ports than 80 and 443 from Online?

Hi HansO, thanks for the feedback.

I was so focused on trying to understand how this could cause an attacker to gain access, that I forgot that this is a measure to reduce the impact of an attack after it has happened. I understand now that using egress filtering (filtering of outgoing traffic) can help to reduce the damage once an attack has happened.

Having spent some time on pen-testing lately I have a better understanding of the effect egress filtering can have.

The issue with the ports came up twice in one week. One of them as a generic question since they only have one external IP and wanted to figure out how to set up test and prod environments on their end, and using different ports was a potential solution. That is the customer Jens has been involved with, by the way. The other customer had an existing system running on port 8083, since they wanted to put it on a less-known port for security reasons. I've convinced them to move it to 443 instead.

8080 in the example was just a simplified example, not a more relevant port than others we might encounter.

I'm sure the question will keep on appearing from time to time, so a way of getting it to work would be appreciated. Perhaps some way to open specific outgoing ports per CustId, or something like that.

By: Frode Lillerud 7 Feb 2019
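The following is an added illustration of the egress-filtering idea HansO describes and of the "per CustId" opening Frode asks for; it is example code written for this thread, not SuperOffice's filtering implementation. It models a platform-wide outbound allow-list of TCP 80 and 443, evaluates constructed connection-attempt log lines against it, and shows how a narrowly scoped per-tenant exception (hypothetical: the tenant ids, hostnames and log format are made up here) would be expressed and audited. Note that a port-level filter does not look at the protocol inside the connection, so HTTPS to port 8080 is dropped exactly like anything else on 8080; the point of the rule is to limit where compromised code can send data, not to judge the traffic.

```python
"""Toy egress-policy evaluator (added example, not SuperOffice Online code)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Platform-wide rule from the thread: only TCP 80 and 443 may leave.
DEFAULT_ALLOWED_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Attempt:
    """One outbound connection attempt as seen at the egress point."""
    cust_id: str
    dst_host: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class EgressPolicy:
    allowed_ports: frozenset = DEFAULT_ALLOWED_PORTS
    # Hypothetical per-tenant exceptions: cust_id -> {(host, port), ...}.
    # Scoped to host AND port so an opening cannot be reused for other hosts.
    exceptions: dict = field(default_factory=dict)

    def decide(self, a: Attempt) -> tuple[str, str]:
        """Return (verdict, reason); default is deny."""
        if a.proto != "tcp":
            return "DENY", "only TCP egress is permitted"
        if a.dst_port in self.allowed_ports:
            return "ALLOW", "port in platform allow-list"
        if (a.dst_host, a.dst_port) in self.exceptions.get(a.cust_id, set()):
            return "ALLOW", "per-tenant exception"
        return "DENY", "port not in allow-list"


def parse_line(line: str) -> Attempt:
    """Parse the constructed log format: '<cust_id> <host>:<port> <proto>'."""
    cust, dest, proto = line.split()
    host, port = dest.rsplit(":", 1)
    return Attempt(cust, host, int(port), proto.lower())


def evaluate(policy: EgressPolicy, lines: list[str]) -> list[tuple[Attempt, str, str]]:
    """Apply the policy to every log line; returns (attempt, verdict, reason)."""
    results = []
    for line in lines:
        attempt = parse_line(line)
        verdict, reason = policy.decide(attempt)
        results.append((attempt, verdict, reason))
    return results


def denied(results: list[tuple[Attempt, str, str]]) -> list[tuple[str, str, int]]:
    """The entries a defender would review: what was blocked, for whom, to where."""
    return [(a.cust_id, a.dst_host, a.dst_port) for a, v, _ in results if v == "DENY"]


# Constructed sample log (tenant ids and hosts are invented for this example).
SAMPLE_LOG = [
    "C1001 www.example.com:443 tcp",      # normal HTTPS integration
    "C1001 www.example.com:8080 tcp",     # HTTPS on 8080, still outside the list
    "C1002 erp.example.net:8083 tcp",     # the 8083 system mentioned in the thread
    "C1003 203.0.113.10:53 udp",          # non-TCP, e.g. DNS tunnelling attempt
]

DEFAULT_POLICY = EgressPolicy()
# One tenant granted a single host:port opening; nothing else changes.
POLICY_WITH_EXCEPTION = EgressPolicy(exceptions={"C1002": {("erp.example.net", 8083)}})

if __name__ == "__main__":
    for name, policy in (("default", DEFAULT_POLICY), ("with exception", POLICY_WITH_EXCEPTION)):
        print(f"== {name} ==")
        for a, verdict, reason in evaluate(policy, SAMPLE_LOG):
            print(f"{verdict:5} {a.cust_id} -> {a.dst_host}:{a.dst_port}/{a.proto} ({reason})")
```

Running the script prints the verdict for each attempt under both policies; the denied list is what you would route to logging or alerting, since repeated blocked attempts to an unusual port from one tenant are exactly the exfiltration signal the filter is meant to surface.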