I'm writing a network application for enterprises wherein I intend to run an HTTP server on almost all hosts within a LAN. Some people have told me that this is a huge security hole because HTTP is often allowed through corporate firewalls and therefore by running an HTTP server on every node I'll potentially expose all of them to the outside. Is this a genuine risk?
As per my understanding the firewall exception for HTTP is generally based on the port number 80, not based on the inspection of packet contents. Therefore, if I run my HTTP server on a port other than 80 then the firewall will not allow access to it and hence I should be fine. Is this understanding correct?
I know there are application firewalls, but I'm not quite able to fathom how they operate within a typical corporate network or how common they are in the enterprise world. Any information on this will be helpful.
The application referred to above is a P2P content-sharing application whose operation is entirely confined within a subnet. I wish to use HTTP for the transfer of content from one node to another. The reason for choosing HTTP is that it is simple to implement and provides many application-level features such as PUTs and DELETEs out of the box. My concern here is whether choosing HTTP automatically puts all nodes at a security risk, because corporate firewalls (by which I mean NATs) typically allow inbound HTTP traffic from outside the network.
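As an added illustration of the "confined within a subnet" design described in the question (this is example code written for this page, not code from the asker or from any project): a minimal HTTP peer endpoint that checks the connecting peer's source address against the subnet it is meant to serve and answers 403 to anything else. The check is independent of whatever the perimeter firewall does with port 80, so it holds whichever port the server is bound to. The names `is_allowed_peer`, `make_handler`, `start_server`, `probe` and `put`, the allowed subnet, and the in-memory `STORE` are assumptions made for this example.

```python
"""Subnet-restricted HTTP peer endpoint (added example, not from the original page).

Assumed design: each node runs an HTTP server for PUT/GET of content, and only
hosts inside ALLOWED_NET (a hypothetical value) may talk to it.
"""
import http.client
import ipaddress
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# In-memory content store keyed by request path (example stand-in for real storage).
STORE = {}


def is_allowed_peer(client_ip: str, allowed_net: str) -> bool:
    """Return True if client_ip lies inside allowed_net, e.g. '192.168.1.0/24'.

    Malformed addresses or networks are treated as not allowed (fail closed).
    """
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(allowed_net, strict=False)
    except ValueError:
        return False


def make_handler(allowed_net: str):
    """Build a request handler class bound to one allowed subnet."""

    class PeerHandler(BaseHTTPRequestHandler):
        def _authorized(self) -> bool:
            # client_address[0] is the peer's source IP as seen by the socket.
            return is_allowed_peer(self.client_address[0], allowed_net)

        def do_GET(self):
            if not self._authorized():
                self.send_error(403, "peer outside allowed subnet")
                return
            body = STORE.get(self.path)
            if body is None:
                self.send_error(404, "no such content")
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_PUT(self):
            if not self._authorized():
                self.send_error(403, "peer outside allowed subnet")
                return
            length = int(self.headers.get("Content-Length", "0"))
            STORE[self.path] = self.rfile.read(length)
            self.send_response(204)
            self.end_headers()

        def log_message(self, fmt, *args):  # keep the example quiet
            pass

    return PeerHandler


def start_server(bind_addr: str, allowed_net: str, port: int = 0) -> ThreadingHTTPServer:
    """Start the peer server in a background thread; port 0 picks a free port."""
    srv = ThreadingHTTPServer((bind_addr, port), make_handler(allowed_net))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def put(host: str, port: int, path: str, data: bytes) -> int:
    """Upload content to a peer; returns the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("PUT", path, body=data, headers={"Content-Length": str(len(data))})
    status = conn.getresponse().status
    conn.close()
    return status


def probe(host: str, port: int, path: str = "/") -> int:
    """GET a path from a peer; returns the HTTP status code."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    resp.read()
    conn.close()
    return resp.status


if __name__ == "__main__":
    # Local demo: loopback is inside 127.0.0.0/8, so the request is served;
    # the same request against a server restricted to 192.168.1.0/24 gets 403.
    srv = start_server("127.0.0.1", "127.0.0.0/8")
    port = srv.server_address[1]
    print("PUT:", put("127.0.0.1", port, "/file.txt", b"constructed sample content"))
    print("GET:", probe("127.0.0.1", port, "/file.txt"))
    srv.shutdown()
```

Binding to a specific interface address rather than `0.0.0.0`, and checking the source subnet as above, are both application-level controls; neither replaces a host or perimeter firewall policy, and a NAT device that forwards a port to this host will still deliver those packets to the server, which is exactly why the server should decide for itself whom it answers.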