Should I open Valve's Steam ports on our corporate firewall?

Networking/Security Forums -> General Software
Should I open Valve's Steam ports on our corporate firewall?
 0%  [ 0 ]
 100%  [ 3 ]
Total Votes : 3

Author: unhitched PostPosted: Sun Jun 27, 2010 3:05 pm    Post subject: Should I open Valve's Steam ports on our corporate firewall?

I have a request from some of our employees to open the Steam ports so they can play online games.

I really don't like punching holes in my firewalls - but want to accommodate their requests whenever possible.

Most google search results are all about HOW to punch holes - I would like to know the general opinion of whether I should in this case.

Steam Client:
UDP 27000 to 27015 inclusive (Game client traffic)
UDP 27015 to 27030 inclusive (Typically Matchmaking and HLTV)
TCP 27014 to 27050 inclusive (Steam downloads)
UDP 4380


Author: GroovicusLocation: Centerville, South Dakota PostPosted: Sun Jun 27, 2010 9:44 pm    Post subject:
Let me make sure I am clear on this. Do employees get paid to play games? Do you work for a company that does game reviews, or tests hardware compatibility with various games? Do you sign the paychecks and have the authority to authorize people to play games at work?

Author: capiLocation: Portugal PostPosted: Sun Jun 27, 2010 10:06 pm    Post subject:

I believe the first question is what the company policy says on the matter. Are employees actually allowed to play online games on the job? Is it openly allowed and accepted (as part of a relaxed attitude from management towards stress relief or whatever), is it a "look the other way" kind of thing, or is it expressly forbidden? Specifically, if management finds out, will they turn to you asking for an explanation?

That said and assuming this is somehow okay from above. I would say it depends on context... how your infrastructure is set up, who's responsible for the employee workstations and how the employees come into play. Are these their personal machines/laptops they will be playing on? Or are they workstations administered by you? Is it normal in your company for people to have their own arbitrary software installed on the workstations?

I have to say the prospect of having random online games installed on work computers inside my infrastructure would leave me extremely uneasy. That said, it all depends on context. It depends on how security-critical these workstations are, and the systems to which they have direct access. It depends on the technical level of the employees themselves, and how much you can/need to trust them. It depends on what the corporate culture is, and exactly what your mandate is -- whether you are only in a support role, and not expected to enforce any policies, or if you're considered responsible for the infrastructure and its good functioning.

For me, if I'm responsible for the infrastructure and have to answer for its security, I would say absolutely not. If your corporate culture is laxer and self-regulating, however, and people already have their own random software installed on their computers, it might not make too much of a difference...

Still... yikes!

Author: unhitched PostPosted: Mon Jun 28, 2010 2:09 am    Post subject:
hey guys,

thanks for your comments!

The company has a fairly relaxed nature, is technology based (web, email, seo, etc) and management don't mind game playing as long as it doesn't affect workload.

I'm responsible for the IT environment - so yes, the easy way to cover my butt would be to just say NO...

But I'd like to do some due-diligence before I make a decision and have some facts and/or peer opinions to back it up.

My main concern is I know nothing about Steam - except what I recently read on their site. I know there are lots of people who use it regularly, mostly from home or internet cafes.

What I can't seem to find is any risk assessment of using the Steam network.

- can viruses/trojans/whatever be spread over the Steam network?
- have there been any cases of this?
- do any of the common virus protection programs evaluate traffic over these ports? (we use Forefront)

They also want to use the XBox gaming network so same questions apply if you have any related opinions.

I was thinking of creating a separate LAN and using a different interface on our firewall to allow this access - but if a PC is infected then they'll get to the corporate LAN when they reconnect to it anyway...


Author: capiLocation: Portugal PostPosted: Mon Jun 28, 2010 2:18 pm    Post subject:
I can understand where you're coming from.

I don't really know Steam's technical details, but I know they have systems in place to check for cheats and so on, at the client's computer (see VAC). Presumably, they check the installed binaries for some kind of checksum, but I believe it goes beyond that. They are reported to be able to catch DLL hook injections and so on, so they probably check the process's address space too. Whether this is triggered by a remote procedure call, or simply a local function of the installed binary, I don't know. That is, I don't know whether they can remotely execute arbitrary code on your system, but that's enough to make me weary.

I do know some online game servers have a TOS when you enter, stating that your system will be scanned for known cheats and whatnot. I suspect that only covers in-game configurations (whether you have "fog" turned off, weird settings for the camera angle, etc.), but I can't say for sure without knowing how it works.

Then there is the question of the game mods themselves. In Half-Life-based games, for example, the game can automatically download and install new "maps", when the player connects to a server where the map is being played. I don't know exactly the level of flexibility that the game engine gives to the map makers, but I do know that the map has at least some scripting abilities. Presumably they won't be able to execute anything at the system level, but again, not knowing would make me weary.

Then of course, besides the intended flexibility provided by the game, there may always be unintended vulnerabilities and so on -- as with any other Internet-facing program. It would indeed be interesting to see an actual risk analysis for using Steam -- although that may be hard to find, being as though your situation is somewhat uncommon. We tend to err on the side of caution in this kind of thing.

Perhaps a compromise? Could you dedicate a few machines to online gaming and nothing else? Then you could place them in an untrusted DMZ, separate from the rest.

Author: graycatLocation: London, UK PostPosted: Mon Jun 28, 2010 3:33 pm    Post subject:
not knowing the specifics about the site / game in question all I'd really say is: if in doubt, say no.

I like the fact you're looking into the site before allowing it through but beyond a technical level it has to be kicked up the chain for a business decision by the bosses. As long as you make your point clear regarding the technical side then it should all be good.

Author: CoreDefendLocation: USA PostPosted: Wed Jun 30, 2010 2:16 pm    Post subject:
Best recommendation was from capi:

Perhaps a compromise? Could you dedicate a few machines to online gaming and nothing else? Then you could place them in an untrusted DMZ, separate from the rest.

If you have a couple of PCs to spare, place them on a separate segment and if they need to be recouped and joined back to your corporate LAN, they should be wiped completely.

Personally, I am against opening gaming ports. Their servers are untrusted connections, if they get compromised; it could affect your network as well.

It's awesome that management is okay with this setup.

Author: unhitched PostPosted: Wed Jun 30, 2010 3:17 pm    Post subject:
thanks guys for all your feedback.

You're right, that machines in the DMZ would be the go. I can hear the arguments already!

It's tough though - when so many exploits come from simply browsing websites these days over standard ports.

It'd be great to see someone with greater knowledge than I to undertake that risk assessment and publish the results!

I'll inform management that it's a gamble I'm not willing to take and let them decide.


Networking/Security Forums -> General Software

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group