Security Forums
Should I open Valve's Steam ports on our corporate firewall?

Poll: Should I open Valve's Steam ports on our corporate firewall? yes: 0% [0], no: 100% [3]. Total votes: 3

unhitched (Just Arrived), posted Sun Jun 27, 2010 3:05 pm, subject: Should I open Valve's Steam ports on our corporate firewall?

Hi,

I have a request from some of our employees to open the Steam ports so they can play online games.

I really don't like punching holes in my firewalls - but want to accommodate their requests whenever possible.

Most Google search results are all about HOW to punch holes; I would like to know the general opinion of whether I should in this case.

Steam Client:
UDP 27000 to 27015 inclusive (Game client traffic)
UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
TCP 27014 to 27050 inclusive (Steam downloads)
UDP 4380


cheers

Groovicus (Trusted SF Member, Centerville, South Dakota), posted Sun Jun 27, 2010 9:44 pm:

Let me make sure I am clear on this. Do employees get paid to play games? Do you work for a company that does game reviews, or tests hardware compatibility with various games? Do you sign the paychecks and have the authority to authorize people to play games at work?

capi (SF Senior Mod, Portugal), posted Sun Jun 27, 2010 10:06 pm:

Yikes...

I believe the first question is what the company policy says on the matter. Are employees actually allowed to play online games on the job? Is it openly allowed and accepted (as part of a relaxed attitude from management towards stress relief or whatever), is it a "look the other way" kind of thing, or is it expressly forbidden? Specifically, if management finds out, will they turn to you asking for an explanation?

That said, and assuming this is somehow okay from above, I would say it depends on context... how your infrastructure is set up, who's responsible for the employee workstations and how the employees come into play. Are these their personal machines/laptops they will be playing on? Or are they workstations administered by you? Is it normal in your company for people to have their own arbitrary software installed on the workstations?

I have to say the prospect of having random online games installed on work computers inside my infrastructure would leave me extremely uneasy. That said, it all depends on context. It depends on how security-critical these workstations are, and the systems to which they have direct access. It depends on the technical level of the employees themselves, and how much you can/need to trust them. It depends on what the corporate culture is, and exactly what your mandate is -- whether you are only in a support role, and not expected to enforce any policies, or if you're considered responsible for the infrastructure and its good functioning.

For me, if I'm responsible for the infrastructure and have to answer for its security, I would say absolutely not. If your corporate culture is laxer and self-regulating, however, and people already have their own random software installed on their computers, it might not make too much of a difference...

Still... yikes!

unhitched (Just Arrived), posted Mon Jun 28, 2010 2:09 am:

Hey guys,

thanks for your comments!

The company has a fairly relaxed nature, is technology based (web, email, seo, etc) and management don't mind game playing as long as it doesn't affect workload.

I'm responsible for the IT environment - so yes, the easy way to cover my butt would be to just say NO...

But I'd like to do some due-diligence before I make a decision and have some facts and/or peer opinions to back it up.

My main concern is I know nothing about Steam - except what I recently read on their site. I know there are lots of people who use it regularly, mostly from home or internet cafes.

What I can't seem to find is any risk assessment of using the Steam network.

- can viruses/trojans/whatever be spread over the Steam network?
- have there been any cases of this?
- do any of the common virus protection programs evaluate traffic over these ports? (we use Forefront)

They also want to use the XBox gaming network so same questions apply if you have any related opinions.

I was thinking of creating a separate LAN and using a different interface on our firewall to allow this access - but if a PC is infected then they'll get to the corporate LAN when they reconnect to it anyway...


cheers!

capi (SF Senior Mod, Portugal), posted Mon Jun 28, 2010 2:18 pm:

I can understand where you're coming from.

I don't really know Steam's technical details, but I know they have systems in place to check for cheats and so on, at the client's computer (see VAC). Presumably, they check the installed binaries for some kind of checksum, but I believe it goes beyond that. They are reported to be able to catch DLL hook injections and so on, so they probably check the process's address space too. Whether this is triggered by a remote procedure call, or simply a local function of the installed binary, I don't know. That is, I don't know whether they can remotely execute arbitrary code on your system, but that's enough to make me wary.

I do know some online game servers have a TOS when you enter, stating that your system will be scanned for known cheats and whatnot. I suspect that only covers in-game configurations (whether you have "fog" turned off, weird settings for the camera angle, etc.), but I can't say for sure without knowing how it works.

Then there is the question of the game mods themselves. In Half-Life-based games, for example, the game can automatically download and install new "maps" when the player connects to a server where the map is being played. I don't know exactly the level of flexibility that the game engine gives to the map makers, but I do know that the map has at least some scripting abilities. Presumably they won't be able to execute anything at the system level, but again, not knowing would make me wary.

Then of course, besides the intended flexibility provided by the game, there may always be unintended vulnerabilities and so on -- as with any other Internet-facing program. It would indeed be interesting to see an actual risk analysis for using Steam -- although that may be hard to find, seeing as your situation is somewhat uncommon. We tend to err on the side of caution in this kind of thing.

Perhaps a compromise? Could you dedicate a few machines to online gaming and nothing else? Then you could place them in an untrusted DMZ, separate from the rest.

graycat (SF Mod, London, UK), posted Mon Jun 28, 2010 3:33 pm:

Not knowing the specifics about the site / game in question, all I'd really say is: if in doubt, say no.

I like the fact you're looking into the site before allowing it through but beyond a technical level it has to be kicked up the chain for a business decision by the bosses. As long as you make your point clear regarding the technical side then it should all be good.

CoreDefend (Forum Fanatic, USA), posted Wed Jun 30, 2010 2:16 pm:

Best recommendation was from capi:

Quote:
    Perhaps a compromise? Could you dedicate a few machines to online gaming and nothing else? Then you could place them in an untrusted DMZ, separate from the rest.

If you have a couple of PCs to spare, place them on a separate segment and if they need to be recouped and joined back to your corporate LAN, they should be wiped completely.

Personally, I am against opening gaming ports. Their servers are untrusted connections; if they get compromised, it could affect your network as well.

It's awesome that management is okay with this setup.
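
What the "separate segment" proposed by capi and CoreDefend looks like as a firewall policy, using the port list quoted in the opening post. This is an added example, not code from the thread or from Valve: it merges the post's overlapping UDP ranges (27000-27015 and 27015-27030 meet at 27015), gives a (protocol, port) check you can test against, and renders an nftables forward chain in which the gaming segment can reach the Internet only on those ports and cannot talk to the corporate LAN at all. Interface names (eth0/eth1/eth2) and the 10.0.99.0/24 subnet are placeholders, and the port list itself is taken as the thread quotes it, so verify it against Valve's current documentation before deploying.

```python
# Added example, not code from the forum thread or from Valve. Takes the Steam
# port list quoted in the opening post, merges overlapping ranges, offers a
# yes/no check for a (protocol, port) pair, and renders an nftables forward
# policy for the dedicated, isolated gaming segment capi and CoreDefend propose.
# Interface names and the subnet are assumptions for illustration.
from itertools import groupby

# (protocol, first port, last port, note) exactly as listed in the first post.
STEAM_PORTS = [
    ("udp", 27000, 27015, "game client traffic"),
    ("udp", 27015, 27030, "matchmaking and HLTV"),
    ("tcp", 27014, 27050, "Steam downloads"),
    ("udp", 4380, 4380, "Steam client"),
]


def merge_ranges(entries):
    """Collapse overlapping or adjacent ranges per protocol.

    Returns {"tcp": [(lo, hi), ...], "udp": [...]} with ranges sorted and
    non-overlapping, so each port appears once in the resulting rule.
    """
    merged = {}
    for proto, group in groupby(sorted(entries), key=lambda e: e[0]):
        out = []
        for _, lo, hi, _ in group:
            if out and lo <= out[-1][1] + 1:   # overlaps or touches previous
                out[-1][1] = max(out[-1][1], hi)
            else:
                out.append([lo, hi])
        merged[proto] = [tuple(r) for r in out]
    return merged


def allowed(proto, port, merged=None):
    """True if the gaming segment may send to this destination port/protocol."""
    merged = merged if merged is not None else merge_ranges(STEAM_PORTS)
    return any(lo <= port <= hi for lo, hi in merged.get(proto, []))


def nft_port_set(ranges):
    """Render merged ranges in nftables set syntax, e.g. '4380, 27000-27030'."""
    return ", ".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


def gaming_segment_ruleset(wan_if="eth0", lan_if="eth1", game_if="eth2",
                           game_net="10.0.99.0/24"):
    """nftables forward-chain policy for a dedicated gaming segment.

    Default drop. The two isolation rules sit first, so no later allow can
    bridge the gaming segment and the corporate LAN in either direction; then
    the gaming hosts may reach the Internet on the merged Steam ports only.
    Interface names and the subnet are placeholders (assumptions).
    """
    m = merge_ranges(STEAM_PORTS)
    udp = nft_port_set(m["udp"])
    tcp = nft_port_set(m["tcp"])
    lines = [
        "table inet gaming {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        f"    iifname {game_if} oifname {lan_if} drop",
        f"    iifname {lan_if} oifname {game_if} drop",
        "    ct state established,related accept",
        f"    iifname {game_if} oifname {wan_if} ip saddr {game_net} "
        f"udp dport {{ {udp} }} accept",
        f"    iifname {game_if} oifname {wan_if} ip saddr {game_net} "
        f"tcp dport {{ {tcp} }} accept",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(gaming_segment_ruleset())
```

Running the script prints a ruleset you can review and then load with `nft -f`. The firewall only enforces the network half of the proposal; CoreDefend's process rule, that a machine leaving the segment is wiped before it rejoins the corporate LAN, has to be enforced separately, since a compromised host that is simply re-plugged into the LAN bypasses every rule above.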

unhitched (Just Arrived), posted Wed Jun 30, 2010 3:17 pm:

Thanks, guys, for all your feedback.

You're right, that machines in the DMZ would be the go. I can hear the arguments already!

It's tough though - when so many exploits come from simply browsing websites these days over standard ports.

It'd be great to see someone with greater knowledge than I to undertake that risk assessment and publish the results!

I'll inform management that it's a gamble I'm not willing to take and let them decide.

cheers!