Meraki

Community

Port 80 open on firewall

AnkitSharma1
Here to help
‎Apr 15 2024 2:06 PM
‎Apr 15 2024 2:06 PM

Port 80 open on firewall

Team, We have opened port 80 to access our internal website via windows server, Should i disable it? What is the best practice allowing outside traffic to access our internal website. Please share your thoughts 

 

AnkitSharma1_1-1713215178142.png

 

 

0 Kudos
7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 15 2024 5:38 PM
‎Apr 15 2024 5:38 PM

Honestly, this is a huge security flaw, especially since you are allowing any origin.

 

To expose your website you should have at least one WAF solution.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
AnkitSharma1
Here to help
‎Apr 15 2024 6:03 PM
‎Apr 15 2024 6:03 PM

Is there any alternative to protect if we dont have WAF solutions?  

0 Kudos
In response to AnkitSharma1
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 15 2024 6:08 PM
‎Apr 15 2024 6:08 PM

Allow access only via client VPN or only allow IPs from a specific origin.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
In response to alemabrahao
AnkitSharma1
Here to help
‎Apr 15 2024 6:44 PM
‎Apr 15 2024 6:44 PM

If I remove 80 and keep 443 then? Is it fine?

0 Kudos
In response to AnkitSharma1
alemabrahao
Kind of a big deal
Kind of a big deal
‎Apr 15 2024 6:57 PM
‎Apr 15 2024 6:57 PM

Any application exposed to the internet is a risk, I can say that it is a little better, but at least ensure that all system patches are up to date.

 

And think about investing in a WAF solution in the near future.

  One option is to host your website on AWS and use their WAF solution.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Apr 16 2024 1:14 AM
‎Apr 16 2024 1:14 AM

What I have been doing recently is using an Amazon AWS Application Load Balancer with a backend target type of "IP Address".  You then enable WAF for that.  Typically I run the connection back to the on-premise site via VPN.  It costs about USD$30/month.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html... 

This is on the assumption you can't just move the entire web site to the cloud - which would be my first choice.

0 Kudos
K2_Josh
Building a reputation
‎Apr 16 2024 3:56 PM
‎Apr 16 2024 3:56 PM

I recommend Cloudlare as a WAF for its ease of use, security and cost effectiveness. Whether you go with Cloudflare or another SaaS-based WAF, you would setup your MX to only allow HTTPS ingress from the vendors IP ranges.

Another option that might work in some cases, in conjunction with or in place of VPN-solutions, is to allowlist IP ranges from remote sites with static IPs on the MX. In this case, the traffic is still flowing directly over the internet but the data is encrypted and it can only originate from specific locations.

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
© 2024 Cisco Systems, Inc.