Port Exposure Summary Checker
Summarize port exposure rows into a prioritized review list, flagging public high-risk services, missing owners, and host cleanup scope.
Internet-facing services need a different review habit from internal services because anyone on the public internet may be able to reach the listener before authentication, patching, or logging controls have a chance to help. A firewall rule, cloud security group, load balancer listener, or scanner export may only show a small row of text, but that row can represent a database socket, a remote desktop service, an appliance console, or a temporary exception that has outlived its purpose.
Port exposure work starts by separating three ideas that are often mixed together. A port number identifies where traffic is sent on a host. Reachability describes who can get to that port from a network location. Service risk depends on what is listening there, how it is protected, and whether the exposure has a clear owner and business reason. Port 443 is often ordinary HTTPS, for example, but the same port can also front a VPN portal or firewall administration page.
- Port: A transport endpoint from 0 through 65535. Port conventions are useful clues, but they do not prove which application is running.
- Exposure: A listener that is reachable from a public, external, DMZ, any-source, or otherwise internet-facing path.
- Context: The owner, reason, source range, authentication model, compensating control, and approval evidence that explain why the listener exists.
The usual failure is treating a port inventory as a vulnerability scan. It is not. A public row can be properly hardened, and a closed row can still be wrong if the export is stale or the state label is misleading. The useful outcome is a shorter, better ordered review list: confirm the highest-risk public listeners first, find undocumented exceptions, and group repeated exposure by host so cleanup work can be assigned.
A port exposure summary is most useful before firewall recertification, cloud security group cleanup, internet attack-surface review, or ransomware exposure reduction. It gives reviewers a practical first pass, then leaves final judgment to current firewall rules, asset ownership, service authentication, patch status, logging, and approved exception records.
How to Use This Tool:
Start with one inventory scope, such as one firewall export, one scanner extract, one cloud account, or one application boundary. Mixing unrelated environments can hide which owner or network boundary needs attention.
- Paste rows into Exposure inventory, drop a CSV or TXT file on the field, or use Browse inventory. Browser file reads are limited to inventory files under 2 MB.
- Check the column shape. A header row may use common names for host, zone, protocol, port, state, owner, and justification. Headerless rows are read in that same order.
- Review Internet-facing markers. Add the words your exports use for public exposure, such as external, DMZ, any-source, or a public CIDR notation.
- Adjust High-risk ports and services for local policy. Numeric ports, ranges, and supported service names can raise matching public open rows to at least High.
- Use Normalize rows after pasting or loading data if the input has blank lines or extra spacing. It does not convert an unrelated report format into a new CSV schema.
- Open Advanced when you need a stricter handoff. Register filter changes only the displayed register rows, while Unknown service handling and Missing context bump control whether unclear or undocumented public rows stay in the review queue.
- Read the summary badges first, then inspect Port Exposure Register. Fix any invalid port warning before relying on the risk label for that row.
- Use Exposure Review Queue for Medium, High, and Critical public open rows. Use Host Risk Rollup and Host Exposure Map when several exposed services belong to the same host.
For a cleanup ticket, export the table that matches the job. The register is best for evidence, the queue is best for remediation work, the rollup is best for host ownership, and JSON is best when another system needs the parsed result.
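The column-shape and normalization behaviour in the steps above, implemented as an added JavaScript example; this is not the tool's own code. The header aliases, the delimiter handling, and the rule that a header row needs at least two recognized names and no purely numeric cell are assumptions, since the page only says that header rows use common names and that headerless rows are read in the fixed order. The sample inputs are constructed from the worked-example rows on this page.

```javascript
// Added example, not the tool's own code: turn pasted inventory text into row
// objects, using a detected header row or the page's fixed headerless order.
const COLUMN_ORDER = ["host", "zone", "protocol", "port", "state", "owner", "justification"];

// Assumed header aliases: the page only says headers may use "common names".
const HEADER_ALIASES = {
  host: ["host", "hostname", "asset", "ip", "address", "destination"],
  zone: ["zone", "network", "interface", "source", "src"],
  protocol: ["protocol", "proto"],
  port: ["port", "ports", "dport", "service"],
  state: ["state", "status", "action"],
  owner: ["owner", "team", "contact"],
  justification: ["justification", "reason", "notes", "description"],
};

// Normalize rows: trim each line and drop blank ones, keeping the original
// line number so warnings can point back at the source export.
function normalizeLines(text) {
  return text
    .split(/\r?\n/)
    .map((line, i) => ({ n: i + 1, text: line.trim() }))
    .filter((entry) => entry.text.length > 0);
}

// Comma-separated when a comma is present, otherwise tab or run-of-spaces separated (assumed).
function splitRow(line) {
  const cells = line.includes(",") ? line.split(",") : line.split(/\t+|\s{2,}/);
  return cells.map((cell) => cell.trim());
}

// Header detection (assumed rule): at least two cells match a known alias and
// no cell is purely numeric, which a data row's port cell usually is.
function detectHeader(cells) {
  const mapping = cells.map((cell) => {
    const key = cell.toLowerCase();
    return Object.keys(HEADER_ALIASES).find((field) => HEADER_ALIASES[field].includes(key)) || null;
  });
  const hits = mapping.filter((field) => field !== null).length;
  const hasNumeric = cells.some((cell) => /^\d+$/.test(cell));
  return hits >= 2 && !hasNumeric ? mapping : null;
}

function parseInventory(text) {
  const lines = normalizeLines(text);
  if (lines.length === 0) return { headerDetected: false, rows: [] };
  const headerMapping = detectHeader(splitRow(lines[0].text));
  const headerDetected = headerMapping !== null;
  const mapping = headerDetected ? headerMapping : COLUMN_ORDER;
  const dataLines = headerDetected ? lines.slice(1) : lines;
  const rows = dataLines.map((entry) => {
    const row = { line: entry.n };
    for (const field of COLUMN_ORDER) row[field] = "";
    splitRow(entry.text).forEach((cell, i) => { if (mapping[i]) row[mapping[i]] = cell; });
    return row;
  });
  return { headerDetected, rows };
}

// Constructed sample inputs, adapted from this page's worked-example rows.
const SAMPLE_WITH_HEADER = [
  "Host,Zone,Proto,Port,State,Owner,Reason",
  "jump01,public,tcp,3389,open,IT Ops,Emergency RDP rule",
  "",
  "  web01,internet,tcp,80,open,,Temporary redirect  ",
].join("\n");
const SAMPLE_HEADERLESS = "api01,internet,tcp,70000,open,Platform,Test row";
```

With the header sample, parseInventory reports a detected header, maps Proto and Reason onto protocol and justification, skips the blank line, and keeps the empty owner cell for web01 so the missing-context rule can see it later; the headerless sample falls back to the fixed column order and leaves the 70000 port value untouched for the port validator to flag.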
Interpreting Results:
The summary answers three first-pass questions: how many service rows were parsed, how many are public and open, and how many require review. Critical and High rows deserve the earliest attention because they commonly represent remote administration, file sharing, management planes, or data services exposed beyond the trusted boundary.
| Label | Meaning | Usual next check |
|---|---|---|
| Critical | Direct public reachability matched a service class that should rarely be exposed without strong mediation. | Remove public access or require VPN, bastion, allowlist, multifactor access, and owner approval. |
| High | A sensitive service, local high-risk policy match, or management-web hint needs strict review. | Verify source restriction, authentication, patching, logging, and compensating controls. |
| Medium | The exposure needs service identity, ownership, justification, or ingress-scope confirmation. | Confirm the listener and document who owns the exception before accepting it. |
| Low | The row is public and open, but no higher rule matched. | Keep normal service hygiene evidence and check that the exposure is intentional. |
| None | The row was closed, filtered, or not marked public-facing by the current marker list. | Retain deny or segmentation evidence and watch for rule drift. |
Severity is a triage label, not proof of exploitability. A High SSH row might be tightly allowlisted, logged, and approved. A Low web row might still be wrong if it is an undocumented administrative portal. Use the risk label to choose review order, then confirm the actual firewall rule, source range, service identity, owner, and business reason.
If the summary reports no public exposure when the original export clearly includes public rules, check the marker list and state wording first. If many rows land in Medium, review whether unknown public services should remain flagged and whether missing owner or justification fields are being escalated as intended.
Technical Details:
Port exposure classification combines text parsing with ordered security rules. Transport ports are only hints. The same port number may carry different applications, and registered port assignments do not guarantee that the observed traffic is safe or that it matches the assigned service. For exposure review, reachability and context matter as much as the numeric port.
Open-state interpretation is intentionally conservative. Empty state values are treated as open, and state words such as open, allow, permit, reachable, listening, and exposed count as open. Closed, deny, dropped, blocked, rejected, filtered, and disabled wording keeps the row out of the public-open queue. Public reachability is inferred from configured marker text in the host, zone, owner, and justification fields.
Rule Core:
Sensitive-port rules run only after a row is both open and public-facing. That prevents internal database listeners and denied firewall evidence from being mixed into the internet-exposure cleanup queue.
| Rule stage | Condition | Effect |
|---|---|---|
| Closed or filtered | State text contains closed, deny, denied, drop, dropped, blocked, reject, filtered, or disabled. | Risk stays None, and the row remains evidence rather than a cleanup item. |
| Internal only | The row is open, but the checked text has no configured public marker. | Risk stays None, and the row stays outside the public review queue. |
| Public open default | The row is open and contains an internet-facing marker. | Unknown public services start at Medium when that option is enabled, otherwise Low. |
| Built-in sensitive service | The port or range overlaps known remote access, file sharing, management, or data-service ports. | The row is raised to the matching catalog severity when that severity is higher. |
| Local policy match | The port or range overlaps a custom high-risk entry. | The row is raised to at least High. |
| Management web hint | Management, admin, console, iLO, iDRAC, BMC, switch, router, or firewall wording appears with ports 80, 443, 8080, or 8443. | The row is raised to at least High because the web listener likely represents administration. |
| Missing context | The row is public and open, the context bump is enabled, and owner or justification is blank. | Low becomes Medium; non-Critical rows receive a 10-point sorting bump. |
Formula Core:
The risk score is a sorting aid for rows and host rollups. It is capped so that Critical rows remain at the top and missing context does not push any score beyond the maximum.
| Severity | Base score | Built-in examples | Why it matters |
|---|---|---|---|
| Critical | 100 | Telnet 23, SMB or NetBIOS 445/139, RDP 3389, Docker API 2375. | These services commonly expose direct administration, file sharing, or control-plane access. |
| High | 70 | FTP, SSH, TFTP, SNMP, WinRM, VNC, X11, database and data-store ports, policy hits, and web management hints. | These listeners need strict source control, hardening evidence, and current ownership. |
| Medium | 40 | LDAP, Windows RPC or NetBIOS exposure, unknown public services, and low rows raised by missing context. | These rows need identification and approval before they should be accepted. |
| Low | 15 | Common web listener ports when no higher rule applies. | Low still means public and open; it does not mean approved. |
| None | 0 | Closed, filtered, denied, or internal-only rows. | These rows are useful as audit context but are not public-open cleanup items. |
Port parsing accepts single numbers, ranges such as 137-139 and 6000:6010, all-port tokens such as any and *, common service names such as ssh, https, rdp, postgres, and mongodb, and text that includes an embedded valid port number. Valid numeric ports run from 0 through 65535. Invalid values stay visible through warnings so the inventory row can be corrected before review.
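The port parsing rules above, as an added JavaScript example that is not the tool's own code. The service-name table, the exact warning wording, and the handling of an embedded number are assumptions; the page names only a few service names and says that invalid values stay visible as warnings. The sample rows are constructed.

```javascript
// Added example, not the tool's own code: parse one port cell into a numeric
// range and surface a warning instead of a risk label when the value is invalid.
const MAX_PORT = 65535;

// Service-name table is an assumption; the page only names ssh, https, rdp,
// postgres and mongodb as examples of supported names.
const SERVICE_PORTS = {
  ftp: 21, ssh: 22, telnet: 23, smtp: 25, dns: 53, http: 80, https: 443,
  smb: 445, mysql: 3306, rdp: 3389, postgres: 5432, vnc: 5900, mongodb: 27017,
};

function parsePort(raw) {
  const text = String(raw ?? "").trim().toLowerCase();
  if (text === "") return { valid: false, warning: "port cell is empty" };

  // All-port tokens cover the whole range and therefore overlap every catalog entry.
  if (text === "any" || text === "*" || text === "all") {
    return { valid: true, lo: 0, hi: MAX_PORT, label: "any" };
  }

  // Supported service name.
  if (Object.prototype.hasOwnProperty.call(SERVICE_PORTS, text)) {
    const port = SERVICE_PORTS[text];
    return { valid: true, lo: port, hi: port, label: `${text} (${port})` };
  }

  // Range written as 137-139 or 6000:6010.
  const range = text.match(/^(\d+)\s*[-:]\s*(\d+)$/);
  if (range) {
    const lo = Number(range[1]);
    const hi = Number(range[2]);
    if (lo > hi) return { valid: false, warning: `range start ${lo} is above end ${hi}` };
    if (hi > MAX_PORT) return { valid: false, warning: `port ${hi} exceeds ${MAX_PORT}` };
    return { valid: true, lo, hi, label: `${lo}-${hi}` };
  }

  // Single number, either bare or embedded in text such as "tcp/443" or "port 8443".
  // Dotted values like an IP address are deliberately not treated as a port.
  const bare = /^\d+$/.test(text);
  const match = text.match(/(?:^|[^\d.])(\d+)(?![\d.])/);
  if (!match) return { valid: false, warning: `unrecognized port value "${raw}"` };
  const port = Number(match[1]);
  if (port > MAX_PORT) return { valid: false, warning: `port ${port} exceeds ${MAX_PORT}` };
  return { valid: true, lo: port, hi: port, label: bare ? String(port) : `${port} (from "${raw}")` };
}

// Collect the warnings a reviewer must clear before trusting a row's severity.
function portWarnings(rows) {
  return rows.flatMap((row, index) => {
    const parsed = parsePort(row.port);
    return parsed.valid ? [] : [`row ${index + 1} (${row.host}): ${parsed.warning}`];
  });
}

// Constructed sample rows; only the first one should produce a warning.
const PORT_SAMPLE_ROWS = [
  { host: "api01", port: "70000" },
  { host: "dc01", port: "137-139" },
  { host: "fs01", port: "any" },
];
```

The returned range is what later rule stages compare against the sensitive-service catalog, so an all-port token such as any or * overlaps every catalog entry and a range like 137-139 overlaps the NetBIOS entries without the parser having to know about them.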
Host-level rollup adds the row scores for public open services on the same host, counts Critical, High, Medium, and Low rows, and lists the top exposed ports. The rollup is useful because one host with several risky listeners may need a boundary fix, bastion pattern, or owner escalation before individual row cleanup will stick.
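The rule stages, score formula, and host rollup described above, as an added JavaScript implementation that is not the tool's own code; it serves the Rule Core, Formula Core, and host rollup passages together. It assumes rows arrive with the port already parsed to a numeric range, uses a reduced built-in catalog in which common web ports are catalogued at Low so they count as identified services, treats any state without closed wording as open, and uses an assumed default marker list. The sample rows are constructed from this page's worked examples.

```javascript
// Added example, not the tool's own code: the ordered rule stages, score formula
// and per-host rollup as this page describes them. Rows are assumed to arrive with
// the port already parsed to a numeric range {lo, hi, label}.
const CLOSED_WORDS = ["closed", "deny", "denied", "drop", "dropped", "blocked", "reject", "filtered", "disabled"];
const PUBLIC_MARKERS = ["public", "external", "dmz", "any-source", "internet", "0.0.0.0/0"]; // assumed defaults
const SEVERITY_SCORE = { None: 0, Low: 15, Medium: 40, High: 70, Critical: 100 };
const SEVERITY_RANK = ["None", "Low", "Medium", "High", "Critical"];
const WEB_PORTS = [80, 443, 8080, 8443];

// Built-in catalog, a subset of the services the page lists. Common web ports are
// catalogued at Low so they count as identified services rather than unknown ones.
const SENSITIVE_CATALOG = [
  { name: "Telnet", lo: 23, hi: 23, severity: "Critical" },
  { name: "SMB", lo: 445, hi: 445, severity: "Critical" },
  { name: "Docker API", lo: 2375, hi: 2375, severity: "Critical" },
  { name: "RDP", lo: 3389, hi: 3389, severity: "Critical" },
  { name: "SSH", lo: 22, hi: 22, severity: "High" },
  { name: "PostgreSQL", lo: 5432, hi: 5432, severity: "High" },
  { name: "LDAP", lo: 389, hi: 389, severity: "Medium" },
  ...WEB_PORTS.map((p) => ({ name: "Web", lo: p, hi: p, severity: "Low" })),
];
const MGMT_HINT = /\b(management|admin|console|ilo|idrac|bmc|switch|router|firewall)\b/;

const overlaps = (a, b) => a.lo <= b.hi && b.lo <= a.hi;
const higher = (a, b) => (SEVERITY_RANK.indexOf(a) >= SEVERITY_RANK.indexOf(b) ? a : b);
const contextText = (row) => [row.host, row.zone, row.owner, row.justification].join(" ").toLowerCase();

// Stage 1: blank state is open and closed wording removes the row from the queue.
// Any other state word is treated as open here (an assumption on the conservative side).
function isOpen(state) {
  const s = String(state || "").toLowerCase();
  return !CLOSED_WORDS.some((word) => s.includes(word));
}

// Stage 2: public reachability is inferred from marker text, not from the port number.
function isPublic(row, markers = PUBLIC_MARKERS) {
  const text = contextText(row);
  return markers.some((marker) => text.includes(marker.toLowerCase()));
}

function classifyRow(row, options = {}) {
  const { unknownIsMedium = true, missingContextBump = true, localPolicy = [], markers } = options;
  if (!isOpen(row.state)) return { ...row, severity: "None", score: 0, reasons: ["closed or filtered"] };
  if (!isPublic(row, markers)) return { ...row, severity: "None", score: 0, reasons: ["no public marker"] };
  const reasons = [];
  // Stage 3: highest matching catalog severity, or the unknown-service default.
  const matches = SENSITIVE_CATALOG.filter((entry) => overlaps(row.port, entry));
  let severity = matches.map((entry) => entry.severity).reduce(higher, "None");
  if (matches.length === 0) {
    severity = unknownIsMedium ? "Medium" : "Low";
    reasons.push("unknown public service");
  } else {
    reasons.push(...matches.map((entry) => `catalog: ${entry.name}`));
  }
  // Stage 4: a local policy hit raises the row to at least High.
  for (const policy of localPolicy) {
    if (overlaps(row.port, policy)) { severity = higher(severity, "High"); reasons.push(`local policy: ${policy.name}`); }
  }
  // Stage 5: administration wording on a web port likely means a management plane.
  const onWebPort = WEB_PORTS.some((p) => overlaps(row.port, { lo: p, hi: p }));
  if (onWebPort && MGMT_HINT.test(contextText(row))) { severity = higher(severity, "High"); reasons.push("management web hint"); }
  // Stage 6: missing owner or justification keeps the row in the queue and bumps its sort score, capped at 100.
  let score = SEVERITY_SCORE[severity];
  const missingContext = !String(row.owner || "").trim() || !String(row.justification || "").trim();
  if (missingContextBump && missingContext) {
    if (severity === "Low") severity = "Medium";
    score = severity === "Critical" ? 100 : Math.min(100, SEVERITY_SCORE[severity] + 10);
    reasons.push("missing owner or justification");
  }
  return { ...row, severity, score, reasons, inQueue: SEVERITY_RANK.indexOf(severity) >= 2 };
}

// Host rollup: sum public-open row scores, count severities, and list the top exposed ports.
function rollupHosts(scoredRows) {
  const hosts = new Map();
  for (const row of scoredRows.filter((r) => r.severity !== "None")) {
    const entry = hosts.get(row.host) || { host: row.host, score: 0, counts: { Critical: 0, High: 0, Medium: 0, Low: 0 }, ports: [] };
    entry.score += row.score;
    entry.counts[row.severity] += 1;
    entry.ports.push({ label: row.port.label, score: row.score });
    hosts.set(row.host, entry);
  }
  return [...hosts.values()]
    .map((h) => ({ ...h, topPorts: h.ports.sort((a, b) => b.score - a.score).slice(0, 3).map((p) => p.label) }))
    .sort((a, b) => b.score - a.score);
}

// Constructed sample rows: this page's three worked-example rows plus two rows that should stay at None.
const singlePort = (n) => ({ lo: n, hi: n, label: String(n) });
const SAMPLE_ROWS = [
  { host: "jump01", zone: "public", protocol: "tcp", port: singlePort(3389), state: "open", owner: "IT Ops", justification: "Emergency RDP rule" },
  { host: "edge-fw", zone: "dmz", protocol: "tcp", port: singlePort(443), state: "open", owner: "Network", justification: "Firewall admin console" },
  { host: "web01", zone: "internet", protocol: "tcp", port: singlePort(80), state: "open", owner: "", justification: "Temporary redirect" },
  { host: "db01", zone: "internal", protocol: "tcp", port: singlePort(5432), state: "open", owner: "Data", justification: "App tier only" },
  { host: "jump01", zone: "public", protocol: "tcp", port: singlePort(22), state: "deny", owner: "IT Ops", justification: "Legacy SSH rule" },
];
```

Running classifyRow over SAMPLE_ROWS gives jump01/3389 Critical at 100, edge-fw/443 High at 70 through the management web hint, and web01/80 Medium at 50 after the missing-context bump, while the internal PostgreSQL row and the denied SSH row stay at None; rollupHosts then orders the three public hosts by summed score. The order of the stages matters: because the closed and internal-only checks return early, a denied rule for RDP never reaches the catalog and never inflates the host rollup.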
Advanced Tips:
- Keep Internet-facing markers aligned with the words your exports actually use. Add local terms such as public, external, DMZ, any-source, internet, or a public CIDR only when they really mean outside reachability.
- Add local policy entries to High-risk ports and services for administration consoles, databases, device management listeners, or temporary exception ports that are sensitive in your environment.
- Use Register filter to narrow the displayed evidence without changing the parsed inventory. The full register remains useful for audit evidence, while the review queue is better for remediation tickets.
- Leave Unknown service handling on when scanner output and firewall exports are mixed. Turn it off only when another inventory field reliably identifies the service behind each public listener.
- Use Missing context bump when blank owner or justification fields should keep public rows in the queue. If too many rows become Medium, fill ownership and business-reason fields before relaxing the setting.
- Check invalid port warnings before using severity labels. A bad value such as 70000 or a malformed range can make the row unsuitable for cleanup assignment until the source export is corrected.
Limitations and Privacy Notes:
This checker summarizes inventory rows. It does not scan a network, verify that a host is currently reachable, fingerprint the running service, test authentication, or confirm that a firewall rule is still deployed. Use it before live validation, not instead of live validation.
Rows are parsed and scored in the browser session. Dropped or browsed files are read by the browser file reader, and the tool generates tables, chart data, and JSON from that local input. Still, pasted inventories can contain hostnames, owner names, network zones, and business reasons, so treat exported reports as sensitive operational records.
The rule list is intentionally conservative for review work. Organizations with compensating controls, private source ranges, identity-aware access, or approved internet-facing services should keep those facts in the exception record rather than relying on the severity label alone.
Worked Examples:
Remote desktop on a public rule
A row such as jump01,public,tcp,3389,open,IT Ops,Emergency RDP rule is public-facing, open, and mapped to RDP. The row becomes Critical, appears in Exposure Review Queue, and receives a recommendation to remove direct public access or place the service behind strong access controls.
HTTPS that is actually an admin console
edge-fw,dmz,tcp,443,open,Network,Firewall admin console uses a common web port, but the text points to firewall administration. The web management hint raises the row to High instead of treating it as ordinary public web traffic.
Public web listener with missing ownership
web01,internet,tcp,80,open,,Temporary redirect is public and open. Port 80 normally stays Low when no higher rule applies, but a blank owner raises it to Medium when the missing-context bump is enabled. The practical fix is either to add the accountable owner and approval reason or remove the exposure.
Invalid port in an export
api01,internet,tcp,70000,open,Platform,Test row cannot represent a valid TCP or UDP port because numeric ports stop at 65535. Correct the value to a valid port, range, or supported service name before using the resulting severity and recommendation.
FAQ:
Does this scan my public IP range?
No. It only analyzes the rows you paste, drop, or browse into the inventory field. It does not discover hosts, open sockets, or confirm live reachability.
What CSV columns are recognized?
Header rows can use common names for host, zone, protocol, port, state, owner, and justification. Without a detected header, rows are read in that order.
Why was an internal-looking row marked public?
The configured public markers are searched in host, zone, owner, and justification text. Remove or refine a marker if it matches local wording that does not actually mean internet-facing.
Why are unknown services treated as Medium?
Unknown service handling is enabled by default because a public listener with unclear identity should usually be reviewed before acceptance. Turn it off only when your inventory reliably identifies services elsewhere.
Can a Critical row be acceptable?
It can be accepted only with strong evidence, such as tight source restriction, mediated access, patching, logging, multifactor controls, owner approval, and a current business reason. The label is meant to force review order, not replace the exception process.
Which result should I export?
Use the register for full evidence, the review queue for cleanup tickets, the host rollup for ownership or boundary work, the chart image for a management snapshot, and JSON when another workflow needs structured output.
Glossary:
- Internet-facing marker: A word or token that marks a row as public exposure when the service is open.
- Open state: A state such as open, allow, permit, reachable, listening, or exposed. Empty state text is treated as open.
- High-risk port: A port, range, or service name that receives stricter review when it is public-facing and open.
- Management interface: An administrative listener for a device, system, application, or infrastructure control plane.
- Review queue: The Medium, High, and Critical public open rows that need owner, scope, and control review.
- Risk score: A sorting score based on severity and missing context, capped at 100.
References:
- BOD 23-02: Mitigating the Risk from Internet-Exposed Management Interfaces, CISA, June 13, 2023.
- Internet Exposure Reduction Guidance, CISA, June 4, 2025.
- Guidelines on Firewalls and Firewall Policy, NIST SP 800-41 Rev. 1, September 28, 2009.
- Service Name and Transport Protocol Port Number Registry, IANA, last updated May 29, 2026.
- How to remove a firewall port allow rule in Linux, Simplified Guide.
- How to block a network port in Windows Firewall, Simplified Guide.