The average enterprise firewall has dozens of open inbound ports. Each one is an attack vector. Here is how to close them — and why most tools cannot.
Figure: Legacy perimeter firewall setup vs. Secure Zero Trust access with TAC
Ask a security engineer how many inbound ports their organisation has open, and watch them pause. Most cannot answer from memory. The number, when they find it, is almost always larger than they expected.
The typical enterprise has somewhere between 20 and 60 open inbound firewall ports in active use. Each one represents a decision — someone, at some point, needed that port open for a legitimate reason. Together, they form an attack surface that port scanners can map in seconds.
How Attackers Use Open Ports
Automated port scanning is cheap, fast, and relentless. Tools like Shodan index the open ports of every internet-connected device on the planet continuously. Attackers do not need to perform their own reconnaissance — they can query a database that is already up to date.
An open port does not mean immediate compromise. It means an entry point. What attackers do with an entry point:
- Service fingerprinting — determine the software and version running on the port, then check for known vulnerabilities
- Credential attacks — brute force or credential stuffing against any authentication prompt
- Protocol exploitation — exploit weaknesses in the protocol itself
- Misconfiguration probing — test for default credentials or debugging interfaces left enabled
The Port Proliferation Problem
Ports do not open themselves. Every open port is the result of a decision — usually a legitimate one. The problem is that these decisions accumulate over years and decades. Common culprits include VPN infrastructure, remote desktop services, application connectors, legacy integrations, and temporary firewall rules that became permanent. That last category is the most dangerous.
Why “Close the Ports” Is Harder Than It Sounds
Closing a port that something depends on breaks that something. Without comprehensive discovery of what is using each port, closing them creates outages.
More importantly: most security tools require open ports to function. VPN concentrators need their ports. Cloud security gateways maintain persistent connections. The only way to genuinely reduce inbound port exposure is to change the architecture entirely.
The Reverse Proxy Architecture
A reverse proxy architecture inverts the connection model. Instead of users connecting directly to applications — which requires applications to be reachable on specific ports — the proxy handles all inbound connections on a single port, then proxies verified traffic to backend applications that never need to be directly reachable.
If all inbound traffic flows through a single proxy on a single port, every other inbound port can be closed. The VPN concentrator no longer needs its ports open. The RDP server no longer needs its port exposed. The application servers behind the proxy are never directly reachable from the internet.
TAC implements this architecture through the Secure Virtual Appliance — a dedicated reverse proxy that accepts all application traffic through a single TLS 1.3 encrypted port and enforces identity verification, MFA, device posture, and policy before proxying traffic to backend applications. Organisations that have deployed TAC have closed every inbound firewall port except one.
What This Means for Your Risk Profile
Closing inbound ports removes an entire class of attack — the class that begins with “scanner found an interesting port.” It also simplifies compliance. A firewall policy with one open inbound port is substantially easier to audit and defend than one with 47.
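The discovery step above (knowing what each open port is for before closing it) and the one-port audit both start from an inventory of the firewall policy. The following Python audit is an added example, not code from the article or from TAC: it parses a constructed ruleset in iptables-save syntax (the rules, the `temp:YYYY-MM-DD` comment convention and the 30-day limit are assumptions), lists which inbound ports are reachable from any source, flags "temporary" rules that have outlived their date, and reports everything exposed beyond the single proxy port.

```python
import re
from datetime import date

# Constructed sample ruleset in iptables-save syntax (not from the article).
# Comment convention "temp:YYYY-MM-DD <reason>" is assumed to mark exceptions
# that were opened as temporary.
SAMPLE_RULES = """
-A INPUT -p tcp --dport 443 -m comment --comment "proxy: single TLS ingress" -j ACCEPT
-A INPUT -p udp --dport 1194 -m comment --comment "vpn concentrator" -j ACCEPT
-A INPUT -p tcp --dport 3389 -m comment --comment "temp:2021-03-02 rdp for vendor" -j ACCEPT
-A INPUT -p tcp --dport 8080 -m comment --comment "legacy integration" -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp --dport 5432 -m comment --comment "db from lan only" -j ACCEPT
-A INPUT -p tcp --dport 22 -j DROP
"""

RULE_RE = re.compile(
    r'-A INPUT(?: -s (?P<src>\S+))? -p (?P<proto>tcp|udp) --dport (?P<port>\d+)'
    r'(?: -m comment --comment "(?P<comment>[^"]*)")? -j (?P<target>\w+)$'
)
TEMP_RE = re.compile(r"temp:(\d{4}-\d{2}-\d{2})")

def parse_inbound_accepts(rules_text):
    """Yield one record per INPUT rule that ACCEPTs traffic to a port."""
    for line in rules_text.splitlines():
        m = RULE_RE.match(line.strip())
        if m and m.group("target") == "ACCEPT":
            yield {
                "proto": m.group("proto"),
                "port": int(m.group("port")),
                # No -s means the rule admits any source, i.e. the whole internet.
                "src": m.group("src") or "0.0.0.0/0",
                "comment": m.group("comment") or "",
            }

def audit(rules_text, today_iso, max_temp_days=30):
    """Return (set of internet-exposed (proto, port), list of stale temporary rules)."""
    today, exposed, stale = date.fromisoformat(today_iso), set(), []
    for r in parse_inbound_accepts(rules_text):
        if r["src"] == "0.0.0.0/0":
            exposed.add((r["proto"], r["port"]))
        t = TEMP_RE.search(r["comment"])
        if t and (today - date.fromisoformat(t.group(1))).days > max_temp_days:
            stale.append((r["proto"], r["port"], t.group(1)))
    return exposed, stale

def violations(exposed, allowed=frozenset({("tcp", 443)})):
    """Every exposed port beyond the single proxy ingress the architecture needs."""
    return sorted(exposed - allowed)
```

Source-restricted rules such as the database port are left out of the exposed set because a scanner on the internet cannot reach them; they still belong in the inventory before any rule is deleted.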
TAC closes every inbound access port except one. No competitor can make the same claim.