Port 80 open on firewall

AnkitSharma1
Here to help

Port 80 open on firewall

Team, We have opened port 80 to access our internal website via windows server, Should i disable it? What is the best practice allowing outside traffic to access our internal website. Please share your thoughts 

 

AnkitSharma1_1-1713215178142.png

 

 

7 Replies 7
alemabrahao
Kind of a big deal
Kind of a big deal

Honestly, this is a huge security flaw, especially since you are allowing any origin.

 

To expose your website you should have at least one WAF solution.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AnkitSharma1
Here to help

Is there any alternative to protect if we dont have WAF solutions?  

alemabrahao
Kind of a big deal
Kind of a big deal

Allow access only via client VPN or only allow IPs from a specific origin.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
AnkitSharma1
Here to help

If I remove 80 and keep 443 then? Is it fine?

alemabrahao
Kind of a big deal
Kind of a big deal

Any application exposed to the internet is a risk, I can say that it is a little better, but at least ensure that all system patches are up to date.

 

And think about investing in a WAF solution in the near future.

  One option is to host your website on AWS and use their WAF solution.

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
PhilipDAth
Kind of a big deal
Kind of a big deal

What I have been doing recently is using an Amazon AWS Application Load Balancer with a backend target type of "IP Address".  You then enable WAF for that.  Typically I run the connection back to the on-premise site via VPN.  It costs about USD$30/month.
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-target-groups.html... 

This is on the assumption you can't just move the entire web site to the cloud - which would be my first choice.

K2_Josh
Building a reputation

I recommend Cloudlare as a WAF for its ease of use, security and cost effectiveness. Whether you go with Cloudflare or another SaaS-based WAF, you would setup your MX to only allow HTTPS ingress from the vendors IP ranges.

Another option that might work in some cases, in conjunction with or in place of VPN-solutions, is to allowlist IP ranges from remote sites with static IPs on the MX. In this case, the traffic is still flowing directly over the internet but the data is encrypted and it can only originate from specific locations.

Get notified when there are additional replies to this discussion.