Port Exposure Summary Checker

Exposure inventory:

Summarize firewall, scanner, or cloud security group exports. Open/allow rows with public-facing zones are risk-ranked locally in the browser.

{{ params.source_rows.length.toLocaleString() }} chars

Internet-facing markers:

Use the words your inventories use for public, external, internet, DMZ, or any-source rules.

High-risk ports and services:

Include local policy ports such as admin consoles, database listeners, remote access, and device management interfaces.

{{ error }}

Use review mode for handoff lists and all rows for audit evidence.

Unknown service handling:

Keep on for inventories that mix scanner output and firewall exports.

{{ unknownMediumBool ? 'Flag unknown public services' : 'Keep unknown services low' }}

Missing context bump:

Use this to keep undocumented public services in the review queue.

{{ contextBumpBool ? 'Escalate undocumented exposure' : 'Do not escalate missing context' }}

{{ header }}	Copy
{{ cell }}
No rows for the current input.

Export to PDF Fullscreen

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

Port exposure review turns firewall, scanner, and cloud security group exports into a focused list of services that deserve attention. The important question is not only which port number appears in a row. Reachability, service type, owner evidence, and the stated business reason all affect whether an exposed listener is normal web traffic, an undocumented exception, or a remote access path that should be closed or tightly restricted.

Publicly reachable management, file sharing, database, and remote desktop services carry a different review burden from ordinary web listeners. RDP, SMB, Telnet, SSH, VNC, WinRM, Docker API, SNMP, and database ports are common examples where a short inventory row can hide a large operational risk. A port exposure summary helps reviewers separate closed or internal rows from public open rows, then sort the public rows by severity before approval or cleanup work begins.

Diagram showing inventory rows flowing through public marker, open state, and port risk checks into a review queue and host rollup.

Inventory data is still only evidence. An open port row does not prove that the service is vulnerable, and a low-risk row does not prove that the exposure is approved. The strongest review pairs the summary with current firewall rules, asset ownership, service authentication, patch status, logging, and the compensating controls that limit who can reach the listener.

The result is best read as a triage aid for exposure reduction. It highlights public open services, flags sensitive ports, and gives teams a compact handoff list for removing access, narrowing source ranges, documenting ownership, or proving that an allowed service is intentionally exposed.

Technical Details:

Port exposure analysis starts with four linked facts: the host, the network zone or reachability text, the transport protocol, and the destination port or service name. The port number identifies a listener only by convention. A TCP 443 row is often HTTPS, but the row still needs context because management consoles and administrative web interfaces can also use 443, 8443, 8080, or 80.

Reachability is inferred from words in the inventory row, not from a live network probe. Public markers such as internet, public, external, dmz, 0.0.0.0/0, ::/0, and anywhere are matched against host, zone, owner, and justification text. State text decides whether the service is treated as open. Empty state values are treated as open; closed, denied, dropped, blocked, rejected, filtered, and disabled states are treated as not open.

The checker uses a rule pipeline rather than a vulnerability database. A row must be both open and public-facing before sensitive-port severity is applied. Closed or filtered rows and internal-only rows stay visible for evidence, but they do not enter the review queue unless their state and marker text indicate public reachability.

Port exposure rule pipeline
Rule stage	Condition	Resulting cue
Closed or filtered	State includes closed, deny, drop, blocked, reject, filtered, or disabled wording.	Exposure reads `Closed or filtered`, severity stays `None`, and the recommended action is to keep the deny or filtered state as audit evidence.
Internal only	The row is open but no public marker appears in host, zone, owner, or justification text.	Exposure reads `Internal only`, severity stays `None`, and the row remains outside the public review queue.
Public open	The row is open and public marker text is found.	Exposure reads `Public open`. The default public-service severity is `Medium` when unknown services are flagged, otherwise `Low`.
Known sensitive port	The numeric port or range overlaps the built-in risk catalog.	Severity is raised to the catalog level when that level is higher than the default public-service level.
Local high-risk policy	The port or range overlaps a custom high-risk entry.	Severity is raised to at least `High` for that public open row.
Web management hint	Host, zone, owner, or justification mentions management, admin, console, iLO, iDRAC, BMC, switch, router, or firewall, and the port overlaps 80, 443, 8080, or 8443.	Severity is raised to at least `High` with a web management interface reason.
Missing context	The row is public open and owner or justification is blank while the missing-context bump is enabled.	Low severity becomes `Medium`, and the score receives a 10-point bump unless the row is already Critical.

Severity is then converted into a simple score. The score supports sorting and host rollups; it is not a probability of compromise.

score = \min (100, severityBase + contextBump)

Severity base scores and common port reasons
Severity	Base score	Built-in examples	Typical review meaning
`Critical`	100	Telnet `23`, SMB or NetBIOS `445`/`139`, RDP `3389`, Docker API `2375`.	Remove public access or require strong isolation such as VPN, bastion, allowlist, and multifactor controls.
`High`	70	FTP, SSH, TFTP, SNMP, WinRM, VNC, X11, database and data-store ports, custom high-risk policy hits, and web management hints.	Restrict source ranges and verify patching, authentication, logging, and compensating controls.
`Medium`	40	LDAP, Windows RPC or NetBIOS service exposure, default unknown public services, or low rows escalated by missing context.	Confirm service identity, owner, ingress scope, and exposure approval.
`Low`	15	Common web listener ports when unknown public services are not forced to Medium and no higher rule applies.	Keep the service documented and monitor normal hygiene.
`None`	0	Closed, filtered, or internal-only rows.	Retain segmentation or deny evidence and watch for rule drift.

Port parsing accepts numeric ports, ranges such as 137-139 or 6000:6010, all-port tokens such as any and *, common service names such as ssh, https, rdp, postgres, and mongodb, and text with an embedded valid port number. Valid numeric ports run from 0 through 65535. Invalid values remain visible and generate validation messages so the source row can be fixed.

Parsed fields and result surfaces
Item	Accepted or returned values	Why it matters
`Exposure inventory`	CSV rows with recognized headers, or headerless rows in host, zone, protocol, port, state, owner, justification order.	Header detection keeps scanner, firewall, and cloud exports usable while preserving row evidence.
`Internet-facing markers`	Comma-separated words or source tokens used to mark public exposure.	The marker list decides which open rows are treated as public-facing.
`High-risk ports and services`	Comma-separated ports, ranges, or service names.	Local policy can raise a public open row to High even when the built-in catalog does not.
`Port Exposure Register`	Host, zone, protocol, port, state, exposure, risk, owner, reason, and next action.	The register is the full sortable evidence list, with optional filtering for all rows, public open rows, or review items.
`Exposure Review Queue`	Medium or higher public open rows with priority, host and port, service, reason, owner, and next action.	The queue shows what to handle first during exposure cleanup.
`Host Risk Rollup`	Public open count, Critical, High, Medium, highest risk, top exposed ports, and host-level next action.	The rollup groups repeated findings by host so one overloaded asset does not get lost in row-level output.
`Host Exposure Map`	Stacked host bars for Critical, High, Medium, and Low public open counts, sorted from the host rollup.	The chart helps reviewers see which hosts carry the largest visible exposure load.
`JSON`	Parsed entries, header detection, policy count, marker count, tables, and chart rows.	The structured output supports evidence handoff or repeat review outside the visual tables.

Everyday Use & Decision Guide:

Start with one inventory source at a time. Paste or load the firewall export, scanner CSV, or cloud rule list into Exposure inventory, then leave the default marker list in place for the first pass. Rows that contain public, external, DMZ, 0.0.0.0/0, ::/0, or similar wording should move into the public review set when their state is open or allowed.

Use High-risk ports and services for local policy. The built-in list already covers common remote access, file sharing, management, and data-service ports, but many environments have custom admin consoles, appliance ports, or legacy services that need stricter review. Add those values before reading the review queue so the same policy is applied across every row.

Keep Unknown service handling on when scanner and firewall rows are mixed. Unknown public services become Medium instead of looking harmless.
Keep Missing context bump on for approval work. Public open rows without an owner or justification stay in the queue until someone can explain them.
Use Register filter only to change the displayed table. It does not change the summary, chart, JSON, or severity analysis.
Use Normalize rows to remove blank lines and extra spacing after the inventory loads. It does not rewrite columns into a new schema.
Check the summary badges before opening the detailed tables. A nonzero Critical or High count should slow approval down.

A common misread is treating the port number as the whole answer. Public TCP 443 may be a normal web listener, a VPN portal, or a firewall management page. If the row text mentions admin, console, iLO, iDRAC, BMC, router, switch, or firewall, web ports are raised because the reachable service is likely more sensitive than ordinary web content.

For cleanup work, start with Exposure Review Queue, then confirm host-level concentration in Host Risk Rollup. If one host has several public open services, fixing the host boundary can remove more risk than closing one row at a time.

Step-by-Step Guide:

Review a single environment or policy surface per run so the summary and host rollup describe one coherent exposure question.

Paste CSV text into Exposure inventory, drop a CSV or TXT file onto the field, or use Browse inventory. Files larger than 2 MB are rejected with a browser-side message.
Confirm the source columns. A header row can use labels such as host, zone, protocol, port, state, owner, and justification; headerless rows follow that same order.
Adjust Internet-facing markers if your exports use different reachability words. The summary changes when marker text changes which rows count as public-facing.
Add local sensitive values to High-risk ports and services. Use ports, ranges, or service names, then check whether affected rows move to High in the Risk column.
Open Advanced for review policy choices. Set Register filter, Unknown service handling, and Missing context bump before copying evidence into a ticket.
Read the summary box. Port exposure audit shows the top count as Critical, High risk, public open, or no public exposure, followed by parsed row count, public open count, and review item count.
Open Port Exposure Register to confirm parsing. If a validation message names an invalid port, fix the value so it falls within 0 through 65535 or use a recognized service name.
Open Exposure Review Queue and handle Medium, High, and Critical rows first. The Why flagged and Next action columns are the fastest handoff notes.
Open Host Risk Rollup and Host Exposure Map to find hosts with repeated public exposure. Use JSON when the parsed entries need to move into another review record.

A clean pass has no unexpected Critical or High rows, no blank owner or justification on accepted public services, and no validation errors left in the input area.

Interpreting Results:

The most important number is the count of public open rows that require review. Critical and High rows should be checked before Medium rows because they usually involve remote access, management, file sharing, or data-service listeners. The host rollup then shows whether several rows point to one boundary problem.

Critical means the service type is risky enough that direct public reachability should normally be removed or put behind strong access controls.
High means a sensitive service, custom policy hit, or management hint needs source restriction and compensating-control evidence.
Medium means the row needs service identity, ownership, justification, or ingress-scope review before acceptance.
Low means no higher rule matched, not that the service is approved.
None means the row was closed, filtered, or not marked public-facing under the current marker list.

A high severity label does not prove a live exploit path, and a low label does not prove safety. Verify the current firewall rule, source ranges, service authentication, patch level, and owner evidence before closing the review. If the summary says no public exposure but the original export clearly contains public rules, check the marker list and state wording first.

Treat Next action as a starting point. It is useful for ticket wording, but the final decision should come from the owner, the actual network boundary, and the controls that restrict the reachable service.

Worked Examples:

Remote desktop on a public rule

A row such as jump01,public,tcp,3389,open,IT Ops,Emergency RDP rule is public-facing, open, and mapped to RDP. Port Exposure Register shows Public open, Risk becomes Critical, and Reason reads remote desktop exposure. The same row appears in Exposure Review Queue with a next action to remove public access or place the service behind VPN, bastion, allowlist, and multifactor controls.

Web port that is really a management console

A row like edge-fw,dmz,tcp,443,open,Network,Firewall admin console uses a common web port, but the justification contains firewall and admin wording. Instead of reading as ordinary web traffic, the rule is raised to High with a web management interface reason. Host Risk Rollup uses that High row when calculating the host's highest risk and next action.

Public web listener with missing context

web01,internet,tcp,80,open,,Temporary redirect is public and open. Port 80 maps to a web service, but the owner is blank. With Missing context bump enabled, the row remains in the Medium-or-higher review set until the owner is added. The corrective path is to update the owner field or remove the exposure if no team accepts it.

Bad port value in an export

api01,internet,tcp,70000,open,Platform,Test row cannot represent a valid TCP or UDP port because numeric ports stop at 65535. The validation area reports Row 1: Invalid port: 70000. Correct the row to a valid port, range, or supported service name, then recheck Port Exposure Register so the risk reason is based on a valid listener.

FAQ:

Does this scan my network?

No. It summarizes rows you paste, drop, or browse into the inventory field. It does not discover hosts, test reachability, fingerprint services, or confirm whether a firewall rule is currently deployed.

What columns can my CSV use?

A header row can use common aliases for host, zone, protocol, port, state, owner, and justification. Without headers, rows are read in that same order, and blank lines or comment lines are ignored.

Why did a row become public-facing?

The marker list is searched in host, zone, owner, and justification text. If those fields contain a configured marker and the state reads as open or allowed, the row is treated as public open.

Why is HTTPS sometimes High?

Plain HTTPS listener rows are not automatically High, but web ports are raised when the row text suggests a management interface such as admin, console, iLO, iDRAC, BMC, switch, router, or firewall.

Why is my unknown service Medium?

Unknown service handling is enabled by default, so public open services with unclear identity stay in the review queue. Turn it off only when your inventory reliably names services elsewhere.

Are inventory rows sent away for scoring?

The rows are parsed and scored in the browser session. The checker has no server-side scoring step, and the selected file is read through the browser file reader before the tables, chart, and JSON are generated.

Glossary:

Internet-facing marker: A word or source token that tells the checker a row should be treated as public exposure when the service is open.
Open state: A row state such as open, allow, permit, reachable, listening, or exposed; empty state values are treated as open.
High-risk port: A port, range, or service name that should receive stricter review when it is public-facing and open.
Management interface: An administrative service for routers, switches, firewalls, servers, consoles, or remote management tools.
Review queue: The Medium, High, and Critical public open rows that need owner, scope, and control review.
Risk score: A sorting score derived from severity base value and missing-context bump, capped at 100.

References:

BOD 23-02 implementation guidance for mitigating the risk from internet-exposed management interfaces, CISA, June 2023.
Internet Exposure Reduction Guidance, CISA, June 4, 2025.
#StopRansomware Guide, CISA.
Guidelines on Firewalls and Firewall Policy, NIST, September 2009.
Service Name and Transport Protocol Port Number Registry, IANA.