Firewall ports and how they are assigned risk.

Firewall Ports are open network ports corresponding to externally accessible services. It’s common to see many open ports related to services like web or mail servers, but it’s important to monitor for risky services that should not be open to the Internet.

Port Risk

The risk score is calculated from a combination of the total number of open ports that were observed and the services that were identified on those ports. “Risky” services such as remote desktop or database servers produce a higher risk score, as these should not be exposed to the Internet. By exposing only the ports that are necessary, you reduce your risk score and overall attack surface.

  • Green: Common services like SSH or HTTPS.

  • Yellow: Unknown services or ports where a service could not be identified.

  • Red: Risky services like MySQL and Remote Desktop.

If your server is behind a Content Delivery Network (CDN) such as Cloudflare or others, there may be additional open ports that would otherwise be closed. Halo Security maintains a database of common ports that are open on CDNs so that risk is not unnecessarily assigned to these assets.

Port Prevalence

An icon is displayed next to each open port listing, indicating how commonly that port is found open across all scans on the platform. Ports that are rarely open could be legitimate services running on non-standard ports, but may warrant a second look to ensure these services are authorized and should be exposed to the Internet. This value is calculated based on the number of instances using the following:

  • >3000 - Very common

  • 500 - 3000 - Somewhat common

  • 50 - 500 - Less common

  • < 50 - Rare

Port Detection

Targets are scanned for all 65,535 TCP ports and the top 1,000 UDP ports.

Product Detection

We identify products based on the banner or response they give to common types of queries. For example, if an open port responds to an HTTP request, we extract the product from the Server header of the response.
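The HTTP case described above, as an added example that is not Halo Security's own code: it pulls the Server header out of a raw response and splits it into product and optional version. The function names and the sample responses are constructed for illustration.

```python
from __future__ import annotations
import re

# RFC 9110 "product" token: a name, optionally followed by "/" and a version.
TOKEN = r"[!#$%&'*+.^_`|~0-9A-Za-z-]+"
PRODUCT_RE = re.compile(rf"({TOKEN})(?:/({TOKEN}))?")
COMMENT_RE = re.compile(r"\([^()]*\)")  # parenthesised comment, e.g. "(Ubuntu)"

# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "versioned": b"HTTP/1.1 200 OK\r\nDate: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
                 b"server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f\r\n\r\n<html>",
    "no_version": b"HTTP/1.1 403 Forbidden\r\nServer: cloudflare\r\n\r\n",
    "no_header": b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n",
    "not_http": b"SSH-2.0-OpenSSH_8.9p1\r\n",
}

def server_header(raw: bytes) -> str | None:
    """Return the Server header value of a raw HTTP/1.x response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        return None  # not an HTTP response, so there is no Server header to read
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":  # header names are case-insensitive
            return value.strip()
    return None

def parse_products(value: str) -> list[tuple[str, str | None]]:
    """Split a Server value into (product, version) pairs, dropping comments."""
    prev = None
    while prev != value:  # repeat so nested comments are removed inside-out
        prev, value = value, COMMENT_RE.sub(" ", value)
    return [(m.group(1), m.group(2)) for m in PRODUCT_RE.finditer(value)]

def identify(raw: bytes) -> tuple[str, str | None] | None:
    """First product named in the Server header, or None if nothing usable."""
    value = server_header(raw)
    products = parse_products(value) if value else []
    return products[0] if products else None
```

The Server header is set by the responding host and can be changed or removed by its operator, so a result from this kind of parsing is a hint to confirm against your asset inventory rather than proof of what is running.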


During the port scanning process, we probe for TLS-enabled services such as web servers on non-standard ports or TLS FTP or mail services. When one of these services has been identified, we attempt to enumerate the ciphers that are in use.


  • Summary: Navigating to the Summary view we find a breakdown by target that displays the name of the asset and ports that were found, as well as the Organization of the target. Clicking the hourglass at the end of any finding will bring us to the List view for that target.

  • List: The List view provides detailed information about every port that was identified. This includes the service, product name, and version (where these can be detected), and the date of the scan in which the port was first detected.

  • Products: The Products view provides insight into the software that was detected on open ports. This optionally includes the version of the detected software when it is available. Clicking the results in the Instances or Targets columns brings us back to the List view, showing all findings that are using the given product.

  • Ciphers: Finally, the Ciphers view lists any ciphers that were offered by TLS-enabled services.
