# Ports

Firewall Ports are open network ports corresponding to externally accessible services. It’s common to see many open ports related to services like web or mail servers, but it’s important to monitor for risky services which should not be open to the Internet.

## Port Risk

Risk score is calculated by a combination of total open ports that were observed, as well as what services were identified on those ports. “Risky” services such as remote desktop or database servers will create a higher risk score as these should not be exposed to the Internet. By only allowing necessary ports to be exposed you reduce your risk score and overall attack surface.

* (<mark style="color:green;">●</mark> **Green**): Common services like SSH or HTTPS.
* (<mark style="color:yellow;">●</mark> **Yellow**): Unknown services or ports where a service could not be identified.
* (<mark style="color:red;">●</mark> **Red**): Risky services like MySQL and Remote Desktop.

{% hint style="info" %}
If your server is behind a Content Delivery Network (CDN) such as Cloudflare or others, there may be additional open ports that would otherwise be closed. Halo Security maintains a database of common ports that are open on CDNs so that risk is not unnecessarily assigned to these assets.
{% endhint %}

## Port Prevalence

An icon is displayed next to open port listings indicating how common a port is found to be open across all scans on the platform. Ports that are rarely open could be legitimate services running on non-standard ports but may warrant a second look to ensure these services are authorized and should be exposed to the internet. This value is calculated based on the number of instances using the following:

* \>3000 - Very common
* 500 - 3000 - Somewhat common
* 50 - 500 - Less common
* < 50 - Rare

## Port Detection

Targets are scanned for all 65,535 TCP ports and the top 1,000 UDP ports.

## Product Detection

We identify products based on the banner or response they give to common types of queries. For example, if an open port responds to an HTTP request, we extract the product from the Server header of the response.

## Ciphers

During the port scanning process, we probe for TLS-enabled services such as web servers on non-standard ports or TLS FTP or mail services. When one of these services has been identified, we attempt to enumerate the ciphers that are in use.

## Reports

* [Summary](https://app.halosecurity.com/user/security/firewall/ports/summary)**:** Navigating to the *Summary* view we find a breakdown by target that displays the name of the asset and ports that were found, as well as the Organization of the target. Clicking the hourglass at the end of any finding will bring us to the *List* view for that target.
* [List](https://app.halosecurity.com/user/security/firewall/ports/list): The *List* view provides detailed information about every port that was identified. This includes the service, product name, and version (where they are possible to detect), and the scan date when first detected.
* [Products](https://app.halosecurity.com/user/security/firewall/ports/products)*:* The *Products* view provides insight into the software that was detected on open ports. This optionally includes the version of the detected software when it is available. Clicking the results in the Instances or Targets columns brings us back to the *List* view, showing all findings that are using the given product.
* [Ciphers](https://app.halosecurity.com/user/security/firewall/ports/ciphers): Finally, the *Ciphers* view lists any ciphers that were offered by TLS-enabled services.


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.halosecurity.com/docs/platform/firewalls/ports.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.