Article

Progress' position on the use of port scanners


Information

Title: Progress' position on the use of port scanners
URL Name: P88724
Article Number: 000139492
Environment:
Product: Progress
Version: 9.x
Product: OpenEdge
Version: All supported versions
OS: All supported platforms
Other: Port Scan, Nmap, Qualys, Nessus, Netcat
Question/Problem Description
What is Progress' position on the use of port scanners?
Are port scanners acceptable for monitoring ports being used by Progress Server executables?
Is it okay to use port scanner packages with Progress?
Resolution
Progress Software does not recommend the use of port scanning software.

Port scanning software sends packets to a remote host, for example as a TCP ping. Such packets can cause Progress database servers to terminate. The Progress database server verifies each message it receives on the socket it is listening on; if a message does not contain the identifiers that confirm its expected origin (a remote client), the server considers the socket unreliable and closes the connection. Handling a port scanner gracefully is therefore not viewed as a security concern in the product itself, but as a concern about the product's ability to work alongside other security products.

Port Scanning Product Enhancements:

We understand that port scanners are used to satisfy the vulnerability checks required by various compliance ordinances: regulatory requirements, corporate policy and security best practices require vulnerability scanning to run periodically against all systems without exclusions. Excluding the OpenEdge ports from scans to prevent business interruption is therefore becoming less of an option as a workaround for OpenEdge's limited ability to work with security products.

1. Upgrade to at least OpenEdge 11.5.1 or later

Enhancements specific to port-scanning software have been added to some Server products:

Enhancement PSC00319199; OpenEdge 11.5.1 / 11.6.0: the SQLSRV communication layers harden the Server against failing when unexpected messages are received.
Enhancement PSC00311786; OpenEdge 11.5.0: messages other than those received from an AppServer type connection are ignored.
Enhancement PSC00159897; 9.1E02, 10.0B02, 10.1A: for the database Broker.

These Product Enhancements are part of a larger rollout, delivered on a case by case basis as raised by customer demand. Until they have been implemented, Progress Software does not recommend the use of port scanning software.

2. Add OpenEdge Listening Ports to Port Scanner exclusions

Configure the port ranges used by OpenEdge that are affected by site-specific port scanning requirements to be excluded from the port vulnerability scans.

For example, refine the -minport -maxport range in use for the remote ABL servers and add that range to the port scan exclusions, so that these processes (and their connected clients) do not terminate unexpectedly. The same considerations that apply to firewall ports also apply to the ports that need to be excluded from port scanning; for further information see the Article:
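As an added example (not Progress' code or a supported tool), the following Python builds the scanner exclusion list from a site's OpenEdge broker settings and checks a planned scan profile against it before the scan runs. It assumes each broker exposes a listening port (the -S parameter) plus its -minport/-maxport range, uses constructed sample values, and emits the port-spec format that Nmap's --exclude-ports option takes.

```python
"""Build a port-scanner exclusion spec from OpenEdge broker settings and check
a scan profile against it.  Added example, not Progress' code: it assumes each
broker has a listening port (-S) plus a -minport/-maxport remote-server range."""
from typing import Iterable, List, Tuple
Range = Tuple[int, int]

# Constructed sample (not a real site), e.g. proserve db -S 20931 -minport 3000 -maxport 3010
OPENEDGE_BROKERS = [
    {"name": "sports-db", "port": 20931, "minport": 3000, "maxport": 3010},
    {"name": "asbroker1", "port": 3090, "minport": 3005, "maxport": 3020},
]

def broker_ranges(brokers) -> List[Range]:
    """Each broker contributes its own port and its remote-server range."""
    out: List[Range] = []
    for b in brokers:
        out.append((b["port"], b["port"]))
        out.append((b["minport"], b["maxport"]))
    return out

def merge_ranges(ranges: Iterable[Range]) -> List[Range]:
    """Sort and merge overlapping or adjacent ranges into a compact list."""
    merged: List[Range] = []
    for lo, hi in sorted(ranges):
        if not (1 <= lo <= hi <= 65535):
            raise ValueError(f"invalid port range {lo}-{hi}")
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def parse_spec(spec: str) -> List[Range]:
    """Parse an Nmap-style port spec such as '1-1024,3090' into ranges."""
    out: List[Range] = []
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        out.append((int(lo), int(hi or lo)))
    return out

def exclusion_spec(brokers) -> str:
    """Exclusion list in the format Nmap's --exclude-ports accepts."""
    return ",".join(str(lo) if lo == hi else f"{lo}-{hi}"
                    for lo, hi in merge_ranges(broker_ranges(brokers)))

def ports_still_scanned(scan_spec: str, brokers) -> List[int]:
    """OpenEdge ports a scan profile would still probe; should be empty."""
    excluded = merge_ranges(broker_ranges(brokers))
    return [p for lo, hi in parse_spec(scan_spec) for p in range(lo, hi + 1)
            if any(a <= p <= b for a, b in excluded)]
```

Feed the real broker parameters into OPENEDGE_BROKERS and run ports_still_scanned against the scanner's port list; a non-empty result means the exclusions are incomplete.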
3. Contact your Progress Account Manager

Discuss site-specific compliance ordinances where port scan requirements are part of the Vulnerability Management strategy, and specifically the concerns raised when OpenEdge Server Product ports are excluded from port scanning. Up-vote and comment on the existing Enhancement request, submitted as an Idea on the Progress Community, to raise the priority of this Enhancement. To promote the Idea, click on this link and log in with your credentials:

https://community.progress.com/community_groups/products_enhancements/i/openedge/allow_port_scanning.aspx
Last Modified Date11/20/2020 7:01 AM