Random High Ports – Firewall Config

Çağlar Arlı

I'm from a digital forensics background and it has been a while since I studied networking, so I am a little rusty on a few aspects. I am looking to implement a remote forensics solution within an organisation, and the vendor in question has specified that there will be two servers that will require connectivity to any endpoint/server on the network.

The first server authenticates and does this by sending various cryptographic keys via a specified port. This part is fine, I understand how this should be configured.

The second server pulls back the data, but it does so using "TCP Random High Ports", which I am assuming means any port >1024, whichever is available at the time, will be used to transfer the forensic acquisition to the server from the endpoint.

I'm not quite sure how this would work from a firewall perspective. The organisation was happy enough to open one port for this specific reason, but would this mean that ALL ports >1024 need to be opened to allow for any random connection to take place? I'm surely missing something here, unless I am fundamentally misunderstanding things and high ports being open is common practice? I remember reading about stateless firewalls, and how they can "remember" legitimate traffic; would this be utilised here?