Not responding necessarily to Christian, but more to the fallacy that blocking ports (paraphrased) "...doesn't achieve anything." That's a ridiculous assumption. When threat intelligence is gleaned in (near) real-time, and aged appropriately (bad stuff is taken off-line), blocking it (or perhaps, access to it, as the case may be) achieves a great deal. Depending on what you want to achieve.

The question of well-known ports is kind of moot in this case, given that you consistently track threats in real-time, react to them in kind, etc. So it really doesn't matter what port, or transport, they use.

$.02,

- ferg

--

Christian Huitema wrote:

> In fact, blocking ports achieves no security to speak of. But you'd
> be threatening to expose the Emperor's nakedness with this proposal.

Blocking ports is a "black list" approach, i.e. mark something as dangerous, and then block it. Many edge firewalls follow a "white list" approach, i.e. mark something as innocuous and then allow it. In that case, being able to quickly identify the application actually enhances connectivity.

Of course, I am well aware of the games that can be played, e.g. running HTTP on some random port number, or running some random application on port 80...

-- Christian Huitema

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg(at)netzero.net
ferg's tech blog: http://fergdawg.blogspot.com/
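The two policies argued over above can be put side by side in code. The following is an added illustration, not code from either poster: an indicator-driven "black list" that ages out entries the feed stops confirming (Ferg's point about aging threat intelligence), next to a port-based "white list" (Christian's edge-firewall case). The 24-hour expiry, the allowed-service set and the feed entries are constructed assumptions for the example; a real deployment would take them from its own feed and policy.

```python
"""Aged threat-intel blocklist beside a port-based allowlist (added example)."""
import ipaddress
from dataclasses import dataclass

# Assumption for the example: an indicator is trusted for one day after the
# feed last confirmed it, then drops out unless the feed re-confirms it.
MAX_AGE_SECONDS = 24 * 3600


@dataclass
class Indicator:
    network: object        # ipaddress.IPv4Network or IPv6Network
    last_seen: float       # epoch seconds when the feed last confirmed it
    source: str            # feed name, kept for audit


class AgedBlocklist:
    """Destination-based deny list whose entries expire when not refreshed."""

    def __init__(self, max_age=MAX_AGE_SECONDS):
        self.max_age = max_age
        self._entries = {}  # cidr string -> Indicator

    def ingest(self, cidr, seen_at, source):
        """Add or refresh an indicator; a newer sighting wins."""
        net = ipaddress.ip_network(cidr, strict=False)
        key = str(net)
        current = self._entries.get(key)
        if current is None or seen_at > current.last_seen:
            self._entries[key] = Indicator(net, seen_at, source)

    def expire(self, now):
        """Drop indicators the feed has not confirmed within max_age; return their keys."""
        stale = [k for k, v in self._entries.items() if now - v.last_seen > self.max_age]
        for k in stale:
            del self._entries[k]
        return stale

    def matches(self, ip, now):
        """Return the live indicator covering ip, or None. Stale entries never match."""
        addr = ipaddress.ip_address(ip)
        for ind in self._entries.values():
            if now - ind.last_seen > self.max_age:
                continue
            if addr.version == ind.network.version and addr in ind.network:
                return ind
        return None


def blacklist_decision(blocklist, dst_ip, now):
    """Black-list policy: deny anything matching a live indicator, whatever the port."""
    return "deny" if blocklist.matches(dst_ip, now) else "allow"


# Constructed allowlist for the example: only these (proto, port) pairs may leave.
ALLOWED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def whitelist_decision(proto, dst_port):
    """White-list policy: allow only services explicitly marked innocuous."""
    return "allow" if (proto, dst_port) in ALLOWED_SERVICES else "deny"


def build_feed_blocklist():
    """Load a constructed feed (cidr, seen_at, source) into an AgedBlocklist."""
    feed = [
        ("203.0.113.0/24", 1_700_000_000, "feed-a"),   # documentation range, constructed
        ("198.51.100.7",   1_700_000_000, "feed-b"),   # single host, constructed
    ]
    bl = AgedBlocklist()
    for cidr, seen_at, source in feed:
        bl.ingest(cidr, seen_at, source)
    return bl


if __name__ == "__main__":
    bl = build_feed_blocklist()
    now = 1_700_000_000 + 3600
    # Same destination, two ports: the indicator-based policy is port-agnostic.
    print(blacklist_decision(bl, "203.0.113.9", now), whitelist_decision("tcp", 8080))
    print(blacklist_decision(bl, "203.0.113.9", now), whitelist_decision("tcp", 80))
    # A day later the unrefreshed indicator ages out and traffic flows again.
    print(blacklist_decision(bl, "203.0.113.9", now + MAX_AGE_SECONDS + 1))
```

The two checks fail in opposite directions, which is the point of the exchange: the allowlist denies HTTP moved to port 8080 but waves through any application that sits on port 80, while the aged blocklist denies a known-bad destination on any port and, once the feed stops confirming it, stops denying it. In practice the two are layered rather than chosen between.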