Having the ports open is not a big deal if you are a server in a data center. Or a server running multiple hosts.
The CCNA also tends to push Cisco ideals. Not always what reality is. While it is nice to close down ports that are not being used, it isn't always practical. Servers that run financial programs such as shopping carts, Bloomberg financial traffic, or VPN access require hundreds of ports.
If they use passive FTP servers, they may have a block of high port numbers, for example. I have:
# Allow remote FTP clients to respond to use passive ftp with proftpd
pass in quick on $ext_if inet proto tcp from any port 49152 >< 65535 user proxy flags S/SA keep state
You can read a list of port assignments here:
http://www.iana.org/assignments/port-numbers
The best way to explain ports is like roads on a highway. But the roads are geared toward specific traffic. The idea behind closing certain ports is that you don't allow certain traffic to access you. Not all traffic is viewed as good. Many home computer users are recommended to close certain ports to avoid bad people who use common traffic routes to do malicious things.
That is the reason many people use firewalls. However, a home-use computer is not generally a server, and the security on a home computer can be compromised more easily than on servers.
This is another reason that I don't like windoze. M$ makes crap and markets it well. The standard Windows user has a firewall and anti-virus, anti-trojan, and anti-spyware software to help protect them. I run a firewall and that is it. But I don't run windoze. I run a firewall that is designed to route, limit, and log traffic. That way the nasty people get nowhere.
The problem is Apis629 is taking a course designed by a manufacturer to help feed that paranoia. Cisco makes money that way. Cisco of course say they do other things, and they do; Cisco switches and routers are the most popular brand out there. And there are nasty people out there who do mean things. The problem is that Cisco's brand of paranoia doesn't always fit the reality. It does work in many cases, but a well set up server and router tables with a decent firewall can do just as well as anything out there. The problem is that it takes a lot of studying and knowledge to do it right.
Windoze was designed to make things easy so users don't have to think a lot. The problem is the users then make dumb mistakes.
A good example in the real world of this is driving a stick shift car. My wife didn't know how to drive one when I met her. She had been driving an automatic for years. She was intimidated by the idea of driving a stick; not only that, both her parents told her she would never be able to drive a stick. I gave her a few lessons; she stalled the first few times, but making those mistakes is what helped her learn. She now drives a Toyota Supra with a 5-speed stick and now hates automatics.
So sometimes setting up a good, safe computer system means having to learn how to write your own firewall rules and your own routing tables. But when you are done you will know exactly how things work.
Cisco will charge you a lot of money to teach their way of doing it and they have convinced businesses that having their piece of paper when you look for a job. And as I said before, they have a huge chunk of the market, so they have the money, they make the rules. And make no bones about it, Apis629 will probably make some good money if he gets his certifications. And making money is not a bad thing.
Yet it still amazes me when I have to access one of their pieces of equipment and I have to deal with their software, what a pile I am having to deal with.
So somehow for a few years here beemaster has been running the most popular beekeeper forum with wide open ports. This must cause Cisco account executives to lose sleep at night.
And still beekeepers get an education everyday. Provided they don't trip over the power cord.
Sincerely,
Brendhan
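The passive-FTP rule in the post above opens a high port range because, in passive mode, the server tells the client in its "227 Entering Passive Mode" reply which high port to connect to, so the firewall must pass connections to whichever port the server picks within that range. The following is an added example, not code from the post or from proftpd: it parses a 227 reply as described in RFC 959 (leniently, as RFC 1123 recommends, since some servers omit the parentheses) and checks whether the advertised data port falls inside the 49152-65535 range quoted in the post's pf rule. The range constants and the sample replies are assumptions constructed for the example.

```python
import re

# Port range assumed from the pf rule quoted in the post (49152 >< 65535);
# adjust these to match your own proftpd PassivePorts directive.
PASSIVE_PORT_MIN = 49152
PASSIVE_PORT_MAX = 65535

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 section 4.1.2).
_PASV_FIELDS = re.compile(r"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")


def parse_pasv(reply: str):
    """Parse a '227 Entering Passive Mode' reply into (host, port).

    Returns None if the reply is not a 227 or does not carry six bytes.
    The data port is encoded as two bytes: port = p1 * 256 + p2.
    """
    reply = reply.strip()
    if not reply.startswith("227"):
        return None
    m = _PASV_FIELDS.search(reply)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    # Each field must fit in a byte; anything larger is a malformed reply.
    if any(b > 255 for b in (h1, h2, h3, h4, p1, p2)):
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def data_port_allowed(port: int) -> bool:
    """True if a firewall that opens PASSIVE_PORT_MIN..PASSIVE_PORT_MAX
    would pass a client connection to this server port."""
    return PASSIVE_PORT_MIN <= port <= PASSIVE_PORT_MAX


def check_pasv_reply(reply: str) -> str:
    """Classify a server reply as 'allowed', 'blocked' or 'malformed'."""
    parsed = parse_pasv(reply)
    if parsed is None:
        return "malformed"
    _host, port = parsed
    return "allowed" if data_port_allowed(port) else "blocked"


# Constructed sample replies (not real captures); 192.0.2.0/24 is TEST-NET-1.
SAMPLE_REPLIES = [
    "227 Entering Passive Mode (192,0,2,10,195,89)",  # 195*256+89 = 50009
    "227 =192,0,2,10,4,1",                            # 4*256+1 = 1025, outside range
    "500 Illegal PORT command",                       # not a 227 reply at all
]

if __name__ == "__main__":
    for reply in SAMPLE_REPLIES:
        print(f"{reply!r}: {check_pasv_reply(reply)}")
```

A 227 reply advertising a port outside the opened range means the client's data connection will be dropped by the firewall even though the control channel on port 21 works, which is the classic "login works, directory listing hangs" passive-FTP symptom. Keeping proftpd's PassivePorts range and the firewall's port range identical avoids it.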