
Better-than-Nothing Security Practices™

for Firewalls

v 0.0.10

Hal Berghel

Jacob Uecker

 

In this document, we have tried to codify a number of basic rules that most firewalls should follow. While it is not possible to create a set of rules that would secure all networks or hosts while allowing maximum usability, we have tried to provide a number of rules that should cover 90%+ of major security vulnerabilities. It is important to look at the consequences of each rule to determine whether or not your network or host will be affected.

We make no guarantee, written or implied, for these rules.

For further information on ports, we encourage use of our Internet Ports Pass

If you have any suggestions or comments please let us know.

 

Copyright (c) 2003 by Hal Berghel and Jacob Uecker. All Rights Reserved.

 

 

Port | Protocol | Direction | OS | Service | Short explanation
--- | --- | --- | --- | --- | ---
0 | TCP/UDP | Both | All | Reserved | No legitimate service uses this port
7 | TCP/UDP | Ingress | *NIX | echo | Reflector; can be used for DDoS
13 | TCP/UDP | Ingress | *NIX | daytime | Can be used for network mapping
19 | TCP/UDP | Ingress | *NIX | chargen | Amplifier; can be used for DDoS
20 | TCP | Both | All | FTP data | Data sent in plaintext (active mode only; passive mode uses a high port)
21 | TCP | Both | All | FTP control | Commands and authentication sent in plaintext
23 | TCP | Both | All | telnet | Data and authentication sent in plaintext
37 | TCP/UDP | Both | *NIX | time | Can be used for network mapping
53 | TCP | Both | All | DNS | TCP used for zone transfers (and for responses too large for UDP)
69 | UDP | Both | All | TFTP | Trivial FTP: no authentication
79 | TCP | Ingress | *NIX | finger | Used to obtain user information
95 | TCP | Both | *NIX | supdup | Extension to telnet
111 | TCP/UDP | Both | *NIX | RPC | Sun portmapper (rpcbind)
119 | TCP | Ingress | All | NNTP | Usenet news protocol
123 | UDP | Ingress | *NIX | NTP | Network Time Protocol
135 | TCP/UDP | Both | Windows | Microsoft RPC | RPC/DCE endpoint mapper
137 | TCP/UDP | Both | Windows | NetBIOS Name Service | NetBIOS name resolution
138 | TCP/UDP | Both | Windows | NetBIOS Datagram Service | Browsing and mailslot messages
139 | TCP/UDP | Both | Windows | NetBIOS Session Service | File and printer sharing (SMB over NetBIOS)
161 | UDP | Both | All | SNMP | Simple Network Management Protocol
162 | UDP | Both | All | SNMP trap | Simple Network Management Protocol trap
179 | TCP | Both | All | BGP | Border Gateway Protocol
389 | TCP | Both | Windows | Windows 2000 Active Directory (LDAP); NetMeeting ILS | Directory traffic sent in plaintext; Microsoft NetMeeting Internet Locator Server
445 | TCP/UDP | Both | Windows | SMB over TCP (Microsoft-DS) | Can be used to exploit MS Windows
512 | TCP/UDP | Both | *NIX | rexec | Remote execution
513 | TCP/UDP | Both | *NIX | rlogin | Remote login
514 | TCP/UDP | Both | *NIX | rsh (TCP) / syslog (UDP) | Remote shell; unauthenticated log messages
515 | TCP | Both | *NIX | LPD | Line Printer Daemon
520 | UDP | Both | All | RIP | Routing Information Protocol
522 | TCP | Both | Windows | NetMeeting | Microsoft NetMeeting User Location Server
1024-1028 | UDP | Ingress | Windows | Messenger service | Windows Messenger service ("net send") pop-up spam
1214 | TCP | Both | All | KaZaa | KaZaa file sharing
1433 | TCP | Both | Windows | MS-SQL | Microsoft SQL Server
1503 | TCP | Both | Windows | .NET Messenger; NetMeeting | Microsoft .NET Messenger; Microsoft NetMeeting T.120
1720 | TCP | Both | Windows | NetMeeting | Microsoft NetMeeting H.323 call setup
1731 | TCP | Both | Windows | NetMeeting | Microsoft NetMeeting audio call control
1863 | TCP | Both | Windows | .NET Messenger | Microsoft .NET Messenger
1900 | TCP/UDP | Both | Windows | UPnP | Windows Universal Plug and Play (SSDP discovery)
1993 | UDP | Egress | Cisco devices | Cisco SNMP | Cisco SNMP
2000 | TCP | Both | *NIX | OpenWindows | Sun's OpenWindows
2049 | TCP/UDP | Both | *NIX | NFS | Network File System
3389 | TCP | Ingress | Windows | Terminal Services | Windows Remote Desktop
3574 | TCP | Both | All | ICQ | Chat program file transfer
4000 | UDP | Both | All | ICQ | Chat program
4001 | TCP | Both | All | ICQ | Chat program
4045 | TCP/UDP | Both | *NIX | lockd | NFS file locking daemon
4443 | TCP | Both | All | AIM | AOL Instant Messenger
5010 | TCP | Both | All | Yahoo! Messenger | Yahoo! chat program
5190 | TCP | Both | All | AIM | AOL Instant Messenger
6000-6255 | TCP | Both | *NIX | X11 | X Window System display server
6346 | TCP/UDP | Both | All | Gnutella | P2P file sharing
6665-6669 | TCP/UDP | Both | All | IRC | Internet Relay Chat
6891 | TCP | Both | Windows | .NET Messenger | Microsoft .NET Messenger
7320 | TCP | Both | All | ICQ | Chat program file sharing
13324-13325 | UDP | Both | Windows | .NET Messenger | Microsoft .NET Messenger
32771 | TCP | Both | *NIX | RPC | Sun RPC (alternate portmapper on Solaris)

ICMP:

Type | Direction | Message | Short explanation
--- | --- | --- | ---
8 | Ingress | Echo Request | Used for network mapping (ping sweeps)
0 | Egress | Echo Reply | Used for network mapping
3 | Egress | Destination Unreachable | Used for network mapping; see the note on code 4 below
11 | Egress | Time Exceeded | Used for network mapping (traceroute)
13 | Both | Timestamp Request | Used for network mapping
14 | Both | Timestamp Reply | Used for network mapping
17 | Ingress | Address Mask Request | Used for network mapping
18 | Egress | Address Mask Reply | Used for network mapping

Addresses and IP options:

Match | Protocol | Direction | OS | Category | Short explanation
--- | --- | --- | --- | --- | ---
Source 10.0.0.0/8 (10.0.0.0 to 10.255.255.255) | IP | Ingress | All | Private address (RFC 1918) | Spoofed address
Source 172.16.0.0/12 (172.16.0.0 to 172.31.255.255) | IP | Ingress | All | Private address (RFC 1918) | Spoofed address
Source 192.168.0.0/16 (192.168.0.0 to 192.168.255.255) | IP | Ingress | All | Private address (RFC 1918) | Spoofed address
Source 169.254.0.0/16 (169.254.0.0 to 169.254.255.255) | IP | Ingress | All | Link-local address | Spoofed address
Source 127.0.0.0/8 (loopback) | IP | Both | All | Reserved address | Spoofed localhost address
Destination x.x.x.255, x.x.255.255 | IP | Ingress | All | Directed broadcast | DoS amplification (smurf attack)
Source-routed packets (IP options LSRR/SSRR) | IP | Both | All | Source route | Possible attack

Notes on the tables:

Ingress means traffic arriving from the Internet, egress means traffic leaving your network, and Both means block in both directions.

The ICMP type numbers are those of RFC 792: echo request is type 8, echo reply is type 0, and destination unreachable is type 3. Dropping every outbound Destination Unreachable message also drops "fragmentation needed" (type 3, code 4), which breaks Path MTU discovery for peers talking to your hosts; exempt that code.

The directed-broadcast test on the last octet assumes classful /24 and /16 boundaries; the reliable rule is to drop packets addressed to the broadcast address of your own prefix. Add your own prefix to the ingress spoofed-source list as well: a packet arriving from the Internet that claims to come from inside is spoofed.

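The tables above as executable policy, an added example that is not part of the original page: a small Python evaluator that applies the port, ICMP and address rules to a constructed packet. It assumes a site prefix of 198.51.100.0/24 (a documentation range standing in for "your network"), carries only a representative subset of the port rows (the rest go in the same shape), uses the RFC 792 ICMP type numbers, and goes beyond the tables in two places: it exempts ICMP type 3 code 4 so that Path MTU discovery keeps working, and it drops egress packets whose source is not in the site prefix (egress anti-spoofing).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed site prefix (a documentation range standing in for "your network").
INTERNAL = ipaddress.ip_network("198.51.100.0/24")

# Source prefixes that must never arrive from the Internet (last table above).
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "169.254.0.0/16",                                 # link-local
    "127.0.0.0/8",                                    # loopback
)]

# Port rules as (proto, first, last, direction, name): a subset of the table.
# Add the remaining rows in the same shape.
PORT_RULES = [
    ("tcp", 0, 0, "both", "reserved"),      ("udp", 0, 0, "both", "reserved"),
    ("tcp", 7, 7, "ingress", "echo"),       ("udp", 7, 7, "ingress", "echo"),
    ("tcp", 19, 19, "ingress", "chargen"),  ("udp", 19, 19, "ingress", "chargen"),
    ("tcp", 21, 21, "both", "ftp"),         ("tcp", 23, 23, "both", "telnet"),
    ("udp", 69, 69, "both", "tftp"),        ("tcp", 111, 111, "both", "sunrpc"),
    ("udp", 111, 111, "both", "sunrpc"),    ("tcp", 135, 139, "both", "netbios"),
    ("udp", 135, 139, "both", "netbios"),   ("udp", 161, 162, "both", "snmp"),
    ("tcp", 389, 389, "both", "ldap"),      ("tcp", 445, 445, "both", "smb"),
    ("udp", 445, 445, "both", "smb"),       ("tcp", 512, 514, "both", "r-services"),
    ("udp", 514, 514, "both", "syslog"),    ("tcp", 1433, 1433, "both", "mssql"),
    ("tcp", 3389, 3389, "ingress", "rdp"),  ("tcp", 6000, 6255, "both", "x11"),
]

# ICMP rules as (type, direction, name), using the RFC 792 type numbers.
ICMP_RULES = [
    (8, "ingress", "echo-request"),    (0, "egress", "echo-reply"),
    (3, "egress", "dest-unreachable"), (11, "egress", "time-exceeded"),
    (13, "both", "timestamp-request"), (14, "both", "timestamp-reply"),
    (17, "ingress", "mask-request"),   (18, "egress", "mask-reply"),
]

IPOPT_LSRR, IPOPT_SSRR = 131, 137  # loose / strict source route option types


@dataclass
class Packet:
    direction: str              # "ingress" (from the Internet) or "egress" (to it)
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: int = 0
    ip_options: bytes = b""     # raw IPv4 options field, empty if none


def has_source_route(options: bytes) -> bool:
    """Walk the IPv4 options field and report an LSRR or SSRR option."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            return False
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            return True
        if i + 1 >= len(options) or options[i + 1] < 2:
            return True                     # malformed length: treat as hostile
        i += options[i + 1]
    return False


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return ("drop", reason) or ("accept", "") for one packet."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    if has_source_route(pkt.ip_options):
        return "drop", "source-routed"
    if pkt.direction == "ingress":
        # Reserved sources, and our own prefix arriving from outside, are spoofed.
        if any(src in net for net in BOGON_SOURCES) or src in INTERNAL:
            return "drop", "spoofed-source"
        if dst == INTERNAL.broadcast_address:  # smurf-style directed broadcast
            return "drop", "directed-broadcast"
    elif src not in INTERNAL:
        # Egress anti-spoofing: nothing leaves claiming a source we do not own.
        return "drop", "spoofed-source"
    if pkt.proto == "icmp":
        for itype, direction, name in ICMP_RULES:
            if itype == pkt.icmp_type and direction in (pkt.direction, "both"):
                # "Fragmentation needed" is required for Path MTU discovery;
                # dropping it silently breaks large transfers to our hosts.
                if itype == 3 and pkt.icmp_code == 4:
                    continue
                return "drop", name
        return "accept", ""
    if pkt.dport is None:
        return "drop", "no-port"
    for proto, lo, hi, direction, name in PORT_RULES:
        if proto == pkt.proto and lo <= pkt.dport <= hi and direction in (pkt.direction, "both"):
            return "drop", name
    return "accept", ""
```

The order of checks matters: address-level rules (source routing, spoofed sources, directed broadcast) run before any port rule, because a packet that fails them is hostile regardless of its port. Turning the same data into a real ruleset is a matter of emitting one firewall rule per tuple.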
 

Port 0 - Reserved

Why shut down this port?

This port is reserved and is not used by any legitimate application. It is useful to an attacker for OS fingerprinting, because operating systems respond differently to packets addressed to port 0, and the response identifies the OS. Such probing is part of the reconnaissance an attacker performs before attacking a system, so the port should be blocked.

What consequences will this have on my network?

There should be no noticeable consequences, because no legitimate service uses this port.


Port 7 - Echo

Why shut down this port?

Whatever is sent to this port is sent straight back to the sender. If an attacker spoofs the source address of packets sent to this port, the replies go to the spoofed address instead: an echo server is a reflector that lets an attacker flood a victim with traffic that appears to come from your host rather than from the attacker. Paired with chargen (port 19) it can also be made to loop traffic between two machines indefinitely.

What consequences will this have on my network?

Traffic sent to this port from outside will no longer be echoed back. The service is rarely used for anything but rudimentary connectivity testing, so on most networks blocking it causes no problem; if something on your network does depend on it, you will notice.


Port 13 - daytime

Why shut down this port?

When connected to, this port returns the current date and time as known to that computer. The service is not dangerous in itself, but it can be used for network mapping: if an attacker gets a reply, there is a live machine at that address. Furthermore, RFC 867 specifies no fixed format for the reply, so the format that comes back can be used to fingerprint the system.

What consequences will this have on my network?

When this port is blocked, connection attempts to it get no response. There is very little reason to let anyone outside look up the time on your machines, and the service is very rarely used for practical purposes, so noticeable consequences are unlikely.


Port 19 - chargen

Why shut down this port?

When this port is connected to, the service generates a stream of characters and sends it back to whoever connected. There are several reasons this should not be allowed. The classic denial-of-service attack sends a UDP packet to the chargen port of one machine with the source address spoofed to the echo port of the victim: chargen replies to the victim's echo port, echo sends the reply back to chargen, and the two services keep the loop going with no further effort from the attacker, consuming bandwidth and CPU on both machines. The port can also be used for network mapping: a response tells the attacker that a machine is running at that address and that no precautions have been taken to secure it.

What consequences will this have on my network?

The chargen service is not used for anything in networks any longer. There will be no ill effects if this port is blocked.


Port 20 - FTP data port

Why shut down this port?

FTP transfers file contents over a separate data connection, set up after the client has logged in on the control connection (port 21). In active mode the server opens that connection from its port 20 to a port the client named; in passive mode the client connects to a high port on the server and port 20 is not used at all. Either way the problem with FTP is that there is no confidentiality: the data is sent in plaintext, and the username and password travel on the control connection in plaintext as well, so anyone who can sniff the traffic can read both. Two things follow for a firewall. Blocking port 20 alone does not stop passive-mode transfers; to block FTP you must block port 21. And a stateless filter that admits inbound connections "from source port 20" so that active mode works admits any connection an attacker chooses to send from port 20, so a stateful firewall that opens the data port on demand is needed. Sensitive data should be transferred over SSH (SFTP or SCP) or FTP over TLS, so that everything is encrypted and protected from prying eyes.

What consequences will this have on my network?

If your network relies on FTP, transfers will no longer work once port 21 is blocked; blocking port 20 by itself only breaks active-mode transfers. This includes some downloads from the Internet: companies often publish products or documentation on anonymous FTP sites. Downloading from such a site poses very little threat to the person downloading, but it will no longer be possible.

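The data-connection handling described above, as an added example that is not part of the original page: the core of an FTP "helper" that watches the control connection on port 21 and opens exactly one pinhole per announced data connection. Everything here is illustrative; the client and server addresses (192.0.2.10 and 203.0.113.7) and the control-channel lines are constructed, not captured. The helper refuses two things a naive filter would allow: a PORT command naming a third host (the FTP bounce attack) and any data port below 1024.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client -> server, active mode: "connect to me at h1.h2.h3.h4, port p1*256+p2".
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# Server -> client, passive mode: "connect to me at h1.h2.h3.h4, port p1*256+p2".
PASV_RE = re.compile(rb"^227 [^(]*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


@dataclass(frozen=True)
class Pinhole:
    """One data connection the firewall must admit; src_port None means any."""
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: int


def _decode(groups) -> Tuple[str, int]:
    a, b, c, d, p1, p2 = (int(x) for x in groups)
    return f"{a}.{b}.{c}.{d}", p1 * 256 + p2


def pinhole_for(control_line: bytes, client_ip: str, server_ip: str) -> Optional[Pinhole]:
    """Inspect one line of the FTP control connection (port 21) and return the
    data connection it announces, or None if the line announces nothing or
    asks for something the firewall should refuse."""
    m = PORT_RE.match(control_line)
    if m:
        ip, port = _decode(m.groups())
        # FTP bounce defence: the client may only ask for a connection to
        # itself, and never to a privileged port.
        if ip != client_ip or port < 1024:
            return None
        return Pinhole(server_ip, 20, ip, port)       # server dials out from port 20
    m = PASV_RE.match(control_line)
    if m:
        ip, port = _decode(m.groups())
        # The server must not redirect the client to a third host or a low port.
        if ip != server_ip or port < 1024:
            return None
        return Pinhole(client_ip, None, ip, port)      # client dials a high port
    return None


def pinholes_for_session(lines: List[bytes], client_ip: str, server_ip: str) -> List[Pinhole]:
    """Run a whole control-channel exchange through pinhole_for and return the
    connections to admit, in order."""
    return [p for p in (pinhole_for(line, client_ip, server_ip) for line in lines) if p]
```

Note that the passive-mode pinhole has no source port: the client's side is ephemeral, so the helper can only pin the destination. That asymmetry is why passive FTP is the easier case for a perimeter firewall and why blocking port 20 alone does nothing to it.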

Port 21 - FTP

Why shut down this port?

This port carries everything in FTP that does not go over the data connection: the session starts here and the user authenticates here. The same rules hold as for port 20. All communication is in the clear, visible to anyone in the path between the two hosts, and the username and password are ripe for the picking. Again, SSH (SFTP or SCP) should be used for file transfer, as it provides a much higher level of security.

What consequences will this have on my network?

The same consequences apply as for port 20. Any attempt to transfer files over FTP will be rejected by the firewall, including anonymous sessions started simply to download a file from the Internet.


Port 23 - telnet

Why shut down this port?

This port is used for terminal emulation: a user connects to another computer and types commands exactly as if sitting at its console, and, as at the console, normally has to authenticate with a username and password. Like FTP, telnet provides no encryption, so everything, authentication included, crosses the wire in plaintext. Any computer in the path between the two hosts can capture the credentials and use them to log in as that user. As with FTP, SSH provides the same function, encrypted, and should be used instead.

What consequences will this have on my network?

One possible problem with blocking telnet is losing the ability to configure some routers and switches, which historically have been managed over telnet. Most such devices now support SSH, which should be used instead. If telnet is genuinely required, reopen the port only for your management network, never for the Internet. If at all possible, do not use telnet.


Port 37 - time

Why shut down this port?

This protocol is described in RFC 868. The service listens on port 37 and, on connection, returns the current time as a 32-bit count of seconds since 00:00 on 1 January 1900 (UTC), then closes the connection. Much like the daytime service on port 13, it serves little purpose today, and a reply tells an attacker that a live machine exists at that address.

What consequences will this have on my network?

Blocking this port will have no ill effect on your network, because the service is not used for any practical purpose.


Port 53 - DNS

Why shut down this port?

DNS resolves human-readable names to machine-readable addresses. Ordinary lookups use UDP; DNS switches to TCP for zone transfers and for any response too large for a single UDP datagram. A zone is the name-to-address information for a set of computers, and a zone transfer (AXFR) copies the whole zone to another DNS server. If an attacker can get your DNS server to do a zone transfer, he or she receives every name and address in the zone, which is much of the network's layout in one query and nearly all of the attacker's reconnaissance done. Zone transfers should therefore be restricted to your own secondary servers, which is done on the name server itself (BIND's allow-transfer option, for example) as well as at the firewall. This is particularly important if your network contains an authoritative DNS server.

What consequences will this have on my network?

DNS uses TCP when a response is too large for UDP (the original limit is 512 bytes): the UDP reply comes back truncated and the resolver retries over TCP. If TCP/53 is blocked, such lookups fail. This is uncommon for ordinary lookups, which complete over UDP, but it does happen with large records, so prefer restricting zone transfers on the server over blocking TCP/53 to an authoritative server that the Internet is supposed to reach.

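What distinguishes the two kinds of TCP/53 traffic discussed above is visible in the first message of the stream, and a stateful firewall or IDS can act on it. The following is an added example, not code from the original page: it reads the two-byte length prefix that DNS over TCP uses (RFC 1035, section 4.2.2), decodes the question, and refuses AXFR/IXFR requests from anyone other than an assumed secondary server at 203.0.113.53 while letting ordinary queries through. The sample query is built by `build_query`, a constructed input rather than a capture.

```python
import struct
from typing import Tuple

QTYPE_IXFR, QTYPE_AXFR = 251, 252
# Assumed: the only host allowed to pull zones from us (our secondary server).
ALLOWED_SECONDARIES = {"203.0.113.53"}


def parse_question(msg: bytes) -> Tuple[str, int, int]:
    """Return (qname, qtype, qclass) from the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("short header")
    qdcount = struct.unpack("!H", msg[4:6])[0]
    if qdcount < 1:
        raise ValueError("no question section")
    labels, i = [], 12
    while True:
        if i >= len(msg):
            raise ValueError("name runs past end of message")
        n = msg[i]
        if n == 0:                       # root label ends the name
            i += 1
            break
        if n & 0xC0:                     # compression is not valid in a query name
            raise ValueError("compression pointer in question name")
        labels.append(msg[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    if i + 4 > len(msg):
        raise ValueError("question truncated")
    qtype, qclass = struct.unpack("!HH", msg[i:i + 4])
    return ".".join(labels), qtype, qclass


def tcp_dns_verdict(payload: bytes, src_ip: str) -> Tuple[str, str]:
    """Decide on the first message of a TCP/53 stream. Over TCP every DNS
    message is prefixed with a two-byte big-endian length."""
    if len(payload) < 2:
        return "drop", "no length prefix"
    (length,) = struct.unpack("!H", payload[:2])
    msg = payload[2:2 + length]
    if len(msg) != length:
        return "drop", "message shorter than its length prefix"
    try:
        name, qtype, _ = parse_question(msg)
    except ValueError as exc:
        return "drop", f"malformed question: {exc}"
    if qtype in (QTYPE_AXFR, QTYPE_IXFR):
        if src_ip in ALLOWED_SECONDARIES:
            return "accept", f"zone transfer of {name} by secondary {src_ip}"
        return "drop", f"zone transfer of {name} requested by {src_ip}"
    return "accept", f"ordinary TCP query for {name} (type {qtype})"


def build_query(name: str, qtype: int, txid: int = 0x1234) -> bytes:
    """Constructed sample input: a length-prefixed TCP query, not a capture."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split(".")) + b"\x00"
    msg = header + qname + struct.pack("!HH", qtype, 1)        # class IN
    return struct.pack("!H", len(msg)) + msg
```

This is the belt to the server-side braces: the allow-transfer list (and TSIG-signed transfers) on the name server remain the primary control, and the inspection above only stops a transfer request from ever reaching a server that has been misconfigured to answer it.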

Port 69 - tftp

Why shut down this port?

Trivial FTP is a minimal file transfer protocol over UDP port 69 with no authentication at all: every session is effectively anonymous, and anyone who can reach the server can read (and often write) whatever it exports. Unlike FTP it uses a single port. It is not used for user file transfer but for booting diskless machines (PXE) and for loading firmware and configuration files onto network devices and IP phones, all of which belong on the local network. It should be blocked at the perimeter; for file transfer there are far more secure alternatives, SSH (SFTP or SCP) being the obvious one.

What consequences will this have on my network?

No connections will pass through port 69, which should not be a problem because TFTP has no business crossing the perimeter. If an application or device really must fetch files over TFTP from outside, a choice must be made between that application and firewall security.


Port 79 - Finger

Why shut down this port?

This port is used to gather information about users on a system. On systems that run finger, anyone can look up a user and obtain their real name, phone number, whether they have unread mail, when and from where they last logged in, and a personal message. Obviously the service is handy on a large network: one user can find another's e-mail address or office from a name. But the same information serves an attacker: when and from where particular users log in, a list of valid usernames for a password attack, and details for a social engineering attack. In most cases the risks far outweigh the benefits and the service should be blocked.

What consequences will this have on my network?

As stated above, the service is handy for many users for legitimate purposes. With this port blocked, that information will not be available from outside.


Port 95 - supdup

Why shut down this port?

SUPDUP (RFC 734) is an old extension to telnet for display terminals. You will occasionally see a scan of this port, but it is uncommon now. The security risk is minimal, but the port should be blocked simply because nothing legitimate uses it.

What consequences will this have on my network?

Some documents state that this port is also used by Cisco, but that is not widely published. If you encounter unexplained network errors in a Cisco environment, this block could be part of the problem.


Port 111 - RPC

Why shut down this port?

This port is the portmapper (rpcbind), which tells clients which dynamically assigned port an RPC service (NFS, NIS, mountd and others) is listening on, so that one computer can call procedures on another. Querying it with rpcinfo gives an attacker a list of every RPC service on the machine, and these services have a long history of remotely exploitable vulnerabilities, with more found all the time. For security reasons, this kind of traffic should not be allowed across your perimeter. Note that blocking port 111 alone hides the directory but not the services themselves, which still listen on their own ports (on Solaris, typically 32771 and up); block those too.

What consequences will this have on my network?

If your network relies on RPC traffic crossing the firewall, it is very likely that some functions will no longer work. For some networks this includes NFS (the Network File System) or NIS. There are ways to strengthen the security of these protocols, but that is outside the scope of this guide.


Port 119 - NNTP

Why shut down this port?

The Network News Transfer Protocol carries Usenet newsgroups to and from a news server. Usenet's use has diminished, although it still has a loyal following. The port is not heavily scanned or exploited, but unless you need the service, the port should be closed. In general, close the port of any well-known service that is not in use, so that an attacker scanning your network learns nothing from it.

What consequences will this have on my network?

If part of your network provides a Usenet server, access to it from outside will be blocked. If this is the case, it might be worth moving the service to a non-standard port; that only hides it from casual scans, but it does keep it out of automated sweeps aimed at port 119.


Port 123 - NTP

Why shut down this port?

This protocol is used to synochronize time over the Internet. Computers can connect to one another and request the current time on the remote machine. This port again isn't a big threat but it is important to minimize the information given to a potential attacker. As with many of the above ports, if the attacker can get a response from a computer on this, or any port, he or she knows the computer is active and listening.

What consequences will this have on my network?

Other computers on the Internet will not be able to query NTP servers inside your network. Hosts inside can still contact an outside time server if your firewall is stateful, since it admits the reply to a query it saw leave; a stateless filter that drops all inbound UDP 123 drops those replies too. Communication over this port behind the firewall is unaffected, so if synchronized time inside your network matters, set up an internal NTP server that is allowed to talk to upstream servers and point everything else at it.


Port 135 - Microsoft RPC

Why shut down this port?

This port is the Microsoft Windows counterpart of the RPC portmapper on port 111. When a client wants an RPC service on a Windows machine, it asks the endpoint mapper here, which redirects it to the proper dynamic port or named pipe. It is essential to Microsoft Exchange and Active Directory. It has also been the target of numerous attacks, from denial of service to the remotely exploitable RPC/DCOM flaw that the Blaster worm used to spread in 2003.

What consequences will this have on my network?

When this port is closed there is a definite possibility that some Windows services will no longer function properly, because Windows does many things behind the scenes that use it. At the bare minimum, block this port from leaving your outer firewall and block all incoming requests for it from the Internet. The internal network can then still use RPC while being protected from outside attack.


Port 137 - NetBIOS Name Service

Why shut down this port?

This port is used by Microsoft Windows for its local-area file sharing. Windows uses a naming convention (NetBIOS names) different from every other network technology, and this port is where the service lives that resolves those names to addresses. A computer can also connect to this port on another machine and ask for its whole NetBIOS name table (as nbtstat -A does), which reveals the machine name, the domain or workgroup and the logged-in user. An attacker can use that to learn about and attack the machine. None of it is encrypted, and unless the firewall filters it, it is open to any Internet user.

What consequences will this have on my network?

Windows needs this service to establish a file sharing connection with another Windows computer; without it, NetBIOS connections are difficult to set up. There are better ways to share files, but this is probably the most popular, so you may need it on the internal network. Even so, block the port in both directions at the outermost firewall: NetBIOS traffic should never pass the outer layer of defenses.


Port 138 - Datagram Service

Why shut down this port?

This port is the NetBIOS datagram service, used for several purposes. The first is network browsing in Windows, such as Network Neighborhood, whose announcements are broadcast here. It also carries the connectionless (UDP) side of NetBIOS, used for mailslot messages such as net send and by anything else that can live with unreliable delivery. Samba uses it in the same way to talk to Windows computers, printers and so on. As one of the NetBIOS trio, ports 137, 138 and 139, this port has a history of abuse by attackers and should be blocked.

What consequences will this have on my network?

Any communication using this port will no longer pass through the firewall. If Windows file sharing or Samba is used, the port will have to be open internally, but no packets bound for it should be let through the outer firewall.


Port 139 - Session Service

Why shut down this port?

This is a quote from the ISS web page:

This is the single most dangerous port on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port. This is the first port hackers want to connect to, and the port that firewalls block.

What consequences will this have on my network?

As the quote above states, Windows does its actual file and printer sharing over this port; when it is blocked, such sharing cannot take place across the firewall. As with the other ports of its kind, at the very minimum make sure no traffic bound for this port is let out of, or into, the outer firewall.


Port 161 - SNMP

Why shut down this port?

This port is used to manage devices such as copiers, printers, switches, hubs, routers and the like. The protocol itself provides very little protection: SNMPv1 and v2c authenticate with a community string sent in plaintext, and many devices still ship with the defaults, public for read access and private for write access. Anyone who can reach UDP 161 and sniff or guess the string can read the device's configuration or, with write access, change it, and the SNMP implementations in many devices have had flaws that allow denial of service or complete takeover. As a result, SNMP should be kept behind the firewall.

What consequences will this have on my network?

With this port blocked at the perimeter, devices cannot be managed over SNMP from outside the network, and nothing on the inside can be polled from the Internet. SNMP management carried out from the internal network is unaffected.


Port 162 - SNMP trap

Why shut down this port?

This port is used with port 161. Traps are the unsolicited notifications a device sends to its management station when something happens (an interface goes down, a cold start, an authentication failure). Like the rest of SNMPv1 and v2c they are unauthenticated, so an attacker who can reach the management station on UDP 162 can inject false alarms or flood it, and traps leaking out of the network disclose device names, addresses and events to anyone listening. As with port 161, keep this traffic behind the firewall.

What consequences will this have on my network?

With this port blocked, devices outside the firewall cannot deliver traps to an internal management station, and internal devices cannot send traps out. Trap collection within the internal network is unaffected.

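What "very little protection" means for ports 161 and 162 in practice is that the credential is readable by anyone on the path. This added example, not code from the original page, decodes the BER outer layer of an SNMP datagram far enough to pull out the version, the community string and the PDU type, and flags the default communities. SAMPLE_GET is a hand-encoded SNMPv1 GetRequest for sysDescr.0 (a constructed sample, not a capture); an SNMPv3 message is recognised and reported as not exposing credentials, since its second element is a SEQUENCE rather than an OCTET STRING.

```python
from typing import Optional, Tuple

GET_REQUEST, TRAP_V1 = 0xA0, 0xA4        # context-specific PDU tags (SNMPv1)
DEFAULT_COMMUNITIES = {b"public", b"private"}


def _tlv(buf: bytes, i: int) -> Tuple[int, bytes, int]:
    """Decode one BER TLV at offset i; return (tag, value, offset after it)."""
    if i + 2 > len(buf):
        raise ValueError("truncated TLV")
    tag, n = buf[i], buf[i + 1]
    i += 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[i:i + k], "big")
        i += k
    if i + n > len(buf):
        raise ValueError("length runs past end of datagram")
    return tag, buf[i:i + n], i + n


def snmp_community(datagram: bytes) -> Tuple[int, Optional[bytes], int]:
    """Return (version, community, pdu_tag). Community is None for SNMPv3,
    whose header is a SEQUENCE rather than an OCTET STRING."""
    tag, body, _ = _tlv(datagram, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, ver, j = _tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("missing version")
    version = int.from_bytes(ver, "big")
    ctag, community, j = _tlv(body, j)
    if ctag != 0x04:                      # v3: msgGlobalData SEQUENCE
        return version, None, 0
    ptag, _, _ = _tlv(body, j)
    return version, community, ptag


def assess(datagram: bytes) -> str:
    """What a sniffer (or IDS) on the wire learns from one datagram."""
    version, community, ptag = snmp_community(datagram)
    if community is None:
        return "snmpv3: credentials not readable on the wire"
    weak = community in DEFAULT_COMMUNITIES
    kind = {GET_REQUEST: "get", TRAP_V1: "trap"}.get(ptag, f"pdu 0x{ptag:02x}")
    return f"v{version + 1} {kind}: community {community.decode()!r}" + (" (default!)" if weak else "")


# Constructed sample (not a capture): SNMPv1 GetRequest for sysDescr.0 with
# community "public". Bytes are hand-encoded BER.
SAMPLE_GET = bytes.fromhex(
    "3026"                       # SEQUENCE, 38 bytes
    "020100"                     # INTEGER version = 0 (SNMPv1)
    "04067075626c6963"           # OCTET STRING "public"
    "a019"                       # GetRequest PDU, 25 bytes
    "020101" "020100" "020100"   # request-id 1, error-status 0, error-index 0
    "300e"                       # VarBindList
    "300c"                       # VarBind
    "06082b06010201010100"       # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)
    "0500"                       # NULL
)
```

The same few lines of parsing are all an attacker needs, which is the point: a firewall rule is what keeps the string off untrusted wires, and changing the defaults is what keeps it from being guessed without sniffing at all.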

Port 179 - BGP

Why shut down this port?

This excerpt is taken from a GIAC practical by Michael Porter:

BGP, Border Gateway Protocol systems/routers, are usually located at the perimeter of an autonomous system (AS). Their function is to facilitate the routing of all packets having a destination network address outside of the AS. Most Autonomous Systems have only a single BGP router making a single point of failure and a likely target for malicious activity. To protect a BGP router from compromise the options are not too attractive. BGP routers are vulnerable to TCP SYN flooding, RST attacks, DATA insertion attacks, and “Session Hijacking” attacks. Attempts have been made to secure BGP connections through encryption, but the algorithm is judged weak against a well-coordinated, concerted attack. If your border router requires running BGP to exchange routing table information with other internet backbone routers, it cannot be blocked. Recommendation is to block port 179 over TCP.

What consequences will this have on my network?

Blocking this port will most likely have no adverse consequences, because unless your border router exchanges routes with other autonomous systems you have no need for BGP. If it does, the rule needs an exception for your peers.

Port 389 - Win 2000 AD

Why shut down this port?

This port carries the Lightweight Directory Access Protocol unencrypted. A directory contains a plethora of information about a network: users, groups, machines and their attributes. Worst of all, it is all sent in plaintext over port 389, including the password of a simple bind. This traffic should stay inside the network: do not let it out to the Internet, and do not let the Internet reach internal computers on this port. Where directory traffic must cross an untrusted network, use LDAP over TLS (LDAPS on port 636, or StartTLS on 389).

What consequences will this have on my network?

The only way this would affect your network is if the firewall sat somewhere that blocked necessary internal traffic. This port should be blocked at the perimeter firewall.


Port 389, 522, 1720, 1731 - Microsoft NetMeeting

Why shut down these ports?

These ports are used by Microsoft's NetMeeting, an alternative to programs like Yahoo! Messenger with which users can video conference, chat, share programs and share desktops. Along with that functionality come a number of security vulnerabilities. Block these ports, especially if there is no need for this type of program; that is common in corporate settings, where a chat program can tempt employees into wasting company hours.

What consequences will this have on my network?

If this program and its functionality are necessary on your network, these ports will have to be reopened. Otherwise there will be no adverse consequences.


Port 445 - NetBIOS

Why shut down this port?

This port is much like port 139 and serves the same purpose. Windows 2000 and later carry SMB directly over TCP on port 445 rather than over NetBIOS on 139, and if NetBIOS over TCP/IP is disabled, all file and printer sharing uses port 445. Everything said about the vulnerabilities of port 139 applies here too, so disable this port at the firewall.

What consequences will this have on my network?

There should be no ill effects on your network if this port is blocked at the perimeter firewall. Ideally it should also be blocked on every host; where file sharing is necessary it has to stay open between those hosts, which makes blocking it at the firewall all the more important.


Port 512, 513, 514 - rexec, rlogin, and rsh

Why shut down these ports?

These ports carry the Berkeley r-services: rexec (512), rlogin (513) and rsh (514). rexec takes a username and password, but sends them in plaintext. rlogin and rsh go further and trust hosts named in /etc/hosts.equiv or a user's .rhosts file without any password at all: authentication is simply the claimed source address of the connection, which is trivially spoofed, and a single + in .rhosts trusts the whole world. Authentication is always a good idea, even between trusted hosts. A listening r-service is a huge security hole that can let an attacker completely own the box. UDP 514 is syslog, which accepts log messages from anyone who can reach it and can be flooded or fed forged entries. All of these ports should be blocked.

What consequences will this have on my network?

Everything these ports do can be done with a secure alternative such as SSH, so there is always a safe substitute. If they are not needed, there is no loss of functionality.


Port 515 - Line Printing Daemon

Why shut down this port?

This port is used on *NIX networks for network printing. The server software has had numerous vulnerabilities, including buffer overflows. When a printer is networked there is very little reason to let every computer on the Internet reach it, so block the port at the firewall: computers on the Internet can then neither print to your printers nor attack the server software, and such attacks cannot be sent from your network to others.

What consequences will this have on my network?

Since printing happens on the local network, there should be no problems.


Port 520 - Routing Information Protocol

Why shut down this port?

This port is used by the Routing Information Protocol. It is an essential service on many routers, but most of a network is not routers, so most hosts have no need for RIP. RIPv1 has no authentication at all, and RIPv2 offers only a shared password or MD5 key, so spoofed RIP updates can redirect traffic and wreak havoc on the network. Block the port: RIP traffic from outside is almost never legitimate, and RIP seen on the local network from anything other than a router is anomalous.

What consequences will this have on my network?

There should be no consequence as long as the devices that need it (routers) still have it.


Port 1024-1028 - Windows Messenger service spam

Why shut down these ports?

These ports are used by a newer kind of spammer to send messages directly to individual computers. The target is the Windows Messenger service (the net send facility, not the Windows Messenger instant-messaging client), which pops up a dialog box on the desktop for any datagram it receives, with no authentication. This is annoying and consumes bandwidth. Blocking these ports stops the spam, at the cost of the Messenger service itself; on hosts that do not need it, the better fix is to disable the service.

What consequences will this have on my network?

Blocking these ports will stop most messages from reaching the Messenger service. If the service is used for legitimate purposes, such as administrative net send notices from outside, those will stop as well.


Port 1214 - KaZaa

Why shut down this port?

This port is used for peer-to-peer (P2P) file sharing on the KaZaa network, commonly to swap .mp3 music files and applications. Most of this sharing constitutes copyright infringement, which is a prosecutable offense, and downloaded files can carry viruses. Blocking the port gives some control over illegal file sharing and helps stop the spread of malicious code, although P2P clients can fall back to other ports (including 80), so a port block is only partial control.

What consequences will this have on my network?

No P2P file sharing over the KaZaa network will be possible. If it is required, the port will have to be reopened.


Port 1433 - Microsoft SQL Server

Why shut down this port?

This port is used to communicate with Microsoft's SQL Server, a database behind many applications, often holding mission-critical information. Unfortunately that information is quite exposed, given the number of holes associated with this service. The port should be well guarded even from the internal network, and access from outside it must be explicitly denied. Block UDP 1434 (the SQL Server Resolution Service) along with it; that was the port the Slammer worm used in January 2003.

What consequences will this have on my network?

Depending on the application, a trusted server might have to act as an intermediary between the public Internet and the private LAN. If the block is put in place at the perimeter firewall, the internal network still has access to the database.


Port 1503, 1863, 6891, 13324-13325 - Microsoft .NET Messenger

Why shut down these ports?

These ports are used by Microsoft .NET Messenger to communicate. .NET Messenger is a program for chatting with other people logged in to the .NET service, much like other chat programs, and it shares many of their vulnerabilities, buffer overflows among them. Because the service is not essential to Windows and carries non-essential risk, it should be blocked.

What consequences will this have on my network?

If the .NET messenger service is required, these ports will need to be reopened.


Port 1900 - UPnP

Why shut down this port?

According to an article on SecurityFocus.com, universal plug-and-play is:

"The purpose of UPnP is to establish seamless peer to peer networking between disparate devices on a TCP/IP network."

However, Microsoft's UPnP implementation has been the source of a number of known vulnerabilities in the Windows operating system. Port 1900 (UDP) carries SSDP, the discovery protocol UPnP uses to announce and find devices; a host answering on it is also seen by port scanners, which can then identify the machine as a Windows machine, and OS detection is one of the first goals of an attacker. The service is not used all that often and can safely be disabled.

What consequences will this have on my network?

In most situations the port can be blocked, or the service disabled, without any difference in functionality, since UPnP discovery is only meaningful on the local network anyway.


Port 1993 - Cisco SNMP

Why shut down this port?

This port is used for SNMP over TCP (see SNMP) on Cisco devices. A number of vulnerabilities have been discovered in the software implementing the protocol, and SNMP write access amounts to control of the device. It should therefore be blocked at the perimeter: no SNMP management traffic for Cisco devices should be allowed in from the Internet, only from the private local network, and likewise none should be let out onto the Internet.

What consequences will this have on my network?

There should be no consequences for your network as long as administration is done from the local network, not over the Internet.


Port 2000 - Openwin

Why shut down this port?

This port is used by OpenWindows, Sun's X11-based windowing environment. It lets a program on one computer display its windows on another, and the session travels in the clear, so an attacker who can see the traffic between the two computers sees everything that is displayed and typed. This port should be blocked to remove that exposure.

What consequences will this have on my network?

Remote display sessions that cross the firewall on this port will no longer be possible. At the very least, block the port at the border firewall; remote display then still works on the local network.


Port 2049 - NFS

Why shut down this port?

This port is used by the Network File System (NFS) to mount a remote disk. In a network it is sometimes necessary to mount a drive that is not physically connected to the computer, and NFS is the usual way to do it. While the technology is quite handy, it is exposed to attack: traditional NFS trusts the user and group IDs the client presents, and there have been quite a number of attacks against NFS over the years. It is extremely important to make sure no communication happens over this port to or from the public Internet.

What consequences will this have on my network?

Unless NFS is used to mount filesystems beyond the private network, there should be no effect on the system.


Ports 3574, 4000, 4001, 7320 - ICQ

Why shut down these ports?

These ports are used by the online chat and file transfer program ICQ. Like Yahoo! Messenger, AIM and Windows Messenger, it allows peers to talk to each other in real time. There are consequences, however: vulnerabilities in the software can allow an attacker to compromise a machine running it. In a corporate setting these ports should also be blocked because of the loss of productive time.

What consequences will this have on my network?

ICQ traffic will no longer be allowed on the network. Should this application be needed, these ports will need to be reopened.


Port 3389 - Windows Remote Desktop

Why shut down this port?

This port carries the Remote Desktop Protocol, which Windows uses to let one computer control the desktop of a remote computer. This is useful for fixing problems that come up, but it could equally allow an attacker to take control of your desktop, and the logon it exposes is only as strong as the account password. It is highly recommended to block this port at the perimeter.

What consequences will this have on my network?

No remote desktop sessions across the firewall will be possible with this port blocked. If they are required, the port will have to be reopened, preferably only for specific source addresses rather than the whole Internet.


Port 4045 - File Locking Daemon

Why shut down this port?

This port is used by the NFS lock daemon (lockd), which makes sure file locking is done correctly across the network. Locks can cause problems if either the server or the client goes down while holding one, and the daemon keeps the lock state of the file sharing hosts consistent. There are, however, a number of vulnerabilities which enable an attacker to mount a denial-of-service attack against the computers involved. Lock traffic has no business crossing the perimeter, and the port should be shut there.

What consequences will this have on my network?

Unless your network uses NFS file locking across the firewall, it will not be affected.


Port 4443, 5190 - AOL Instant Messenger

Why shut down these ports?

AOL Instant Messenger (AIM) is a chat program that has become very popular. It allows users to communicate in real time in a chat-room like environment. AOL designed AIM so that it can be used to chat with any AOL member; because of this and its relative ease of installation, it has become very common on workplace computers. Not only do chat programs take away from productive work hours, they also open the door to attacks on the software. Recently there has been an increase in buffer overflows and similar attacks on chat programs that allow an attacker to execute commands on the remote machine. By blocking these ports, AIM will not be able to communicate with AOL and these vulnerabilities are kept out of reach.

What consequences will this have on my network?

Quite simply, AIM will no longer be usable on the network, unless it is sent through some sort of proxy or tunnel that gets around the blocked ports. The biggest side effect is by far the loss of AIM. If this is a necessary application on your network, these ports will have to be reopened.


Port 5010 - Yahoo! Messenger

Why shut down this port?

This port is used by Yahoo! Messenger, the chat program for the Yahoo! network. It allows users to communicate with one another in real time over the Internet. This is terrific for people who want to stay in touch with friends or family overseas, but it has its consequences as well: there are attacks against the program which can lead to remote execution of code, and in some networks it leads to a decrease in productivity. If you wish to stop this, block port 5010.

What consequences will this have on my network?

Yahoo! Messenger will no longer be able to operate. Should it be required, simply reopen the port.


Port 6000 - X11

Why shut down this port?

This port is used by the X11 or X Window System to communicate over networks. An X server accepts drawing requests from, and sends keyboard and mouse input to, any host that is permitted to connect, and by default that permission rests on host-based access control over an unencrypted connection. Giving this kind of access to an attacker could all but hand them the machine. Such traffic should not be allowed through the firewall. Note that display :n listens on TCP port 6000+n, so the block should cover at least 6000-6063, not just 6000.

What consequences will this have on my network?

You will not be able to have a computer on your network send X traffic to a computer on the Internet, or the other way round. This is rarely needed and should not create any problems on your network; where it is needed, tunnel X over SSH instead of opening the port.


Port 6346 - Gnutella

Why shut down this port?

Like KaZaa (port 1214), this port is used for peer-to-peer (P2P) file sharing, here on the Gnutella network, and the same concerns apply: the traffic is mostly .mp3 music files and application software, much of the sharing infringes copyright, which is a prosecutable offense, and the downloaded files are a common carrier for viruses and other malicious code. Blocking this port gives some control over illegal file sharing and helps stop the spread of malicious code.

What consequences will this have on my network?

No P2P file sharing will be possible over the Gnutella network on its default port. If this service is required, the port will have to be reopened. As with KaZaa, clients can usually be moved to another port, so the block is not a guarantee.


Port 6665-6669 - IRC

Why shut down these ports?

These ports are used for Internet Relay Chat (IRC), the electronic equivalent of CB radio. While there are legitimate uses for it, a good deal of what goes on over IRC is less than legal, and IRC channels are also the traditional command-and-control mechanism for bots, so an internal machine connecting to an IRC server on its own is worth investigating. In most environments it is probably a good idea to block this traffic.

What consequences will this have on my network?

Computers on your network will no longer be able to communicate using IRC on the standard ports. If this is needed, the ports will have to be reopened.
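The chat, peer-to-peer and IRC sections above all reduce to the same egress rule: drop the ports at the border and log who is trying. The script below, an added example that is not part of the original page, generates that rule set in iptables-restore format from the page's own port list; the interface names and log prefixes are assumptions, and since the page gives no protocol for most of these ports both TCP and UDP are blocked. It demonstrates the general pattern (one name:ports entry per service), not just a single port.

```shell
#!/bin/sh
# Added example (not from the original page): egress rules that drop, and log,
# the instant-messaging, peer-to-peer and IRC ports discussed above. The port
# list is the page's own; interface names and log prefixes are assumptions.
#
# Usage:  sh egress-block.sh           # print the rules for review
#         sh egress-block.sh --apply   # append them with iptables-restore -n (as root)

EXT_IF="eth0"   # Internet-facing interface (assumed)
INT_IF="eth1"   # LAN-facing interface (assumed)

# name:ports, ports in iptables multiport syntax (a range is written low:high).
EGRESS_BLOCK="kazaa:1214 msn:1503,1863,6891,13324:13325 icq:3574,4000,4001,7320 aim:4443,5190 yahoo:5010 gnutella:6346 irc:6665:6669"

gen_egress_block_rules() {
    printf '%s\n' '*filter'
    for entry in $EGRESS_BLOCK; do
        name=${entry%%:*}      # text before the first colon
        ports=${entry#*:}      # everything after it
        # The page gives no protocol for most of these, so block both.
        for proto in tcp udp; do
            match="-A FORWARD -i $INT_IF -o $EXT_IF -p $proto -m multiport --dports $ports"
            # Rate-limited log line so a chatty client cannot flood syslog.
            printf '%s\n' "$match -m limit --limit 6/min -j LOG --log-prefix \"EGRESS-$name: \""
            printf '%s\n' "$match -j DROP"
        done
    done
    printf '%s\n' 'COMMIT'
}

if [ "${1:-}" = "--apply" ]; then
    gen_egress_block_rules | iptables-restore -n
else
    gen_egress_block_rules
fi
```

Because iptables-restore -n appends, these rules must land before any broad ACCEPT rule in FORWARD or they will never be reached. The log prefix names the service, which is what you want when deciding whether a "kazaa" hit is a user to talk to or an infected machine. A port block only catches clients on their default ports; the log entries on other ports, not this script, are what tell you a client has been reconfigured.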


Port 32771 - RPC

Why shut down this port?

Port 32771 is an alternate port on which the Solaris rpcbind (portmapper) listens in addition to port 111, so blocking port 111 alone does not hide RPC on those systems. The following description was taken from sans.org:

Remote procedure calls (RPCs) allow programs on one computer to execute procedures on a second computer by passing data and retrieving the results. RPC is therefore widely used for many distributed network services such as remote administration, NFS file sharing, and NIS. However there are numerous flaws in RPC which are being actively exploited. Many RPC services execute with elevated privileges that can provide an attacker unauthorized remote root access to vulnerable systems.

There is compelling evidence that the majority of the distributed denial of service attacks launched during 1999 and early 2000 were executed by systems that had been victimized through these RPC vulnerabilities. The broadly successful attack on U.S. Military systems during the Solar Sunrise incident also exploited an RPC flaw found on hundreds of Department of Defense computer systems. More recently, an MS Windows DCOM Remote Procedure Call vulnerability has played a role in one of the most significant worm propagation events to this date.

What consequences will this have on my network?

Unless your network relies on RPC across the firewall, there will be no ill effect on your network. If your network does rely on RPC, confine it to the internal network and consider switching to an alternative for anything that must cross the perimeter.


ICMP - Echo Request

Why shut down this service?

This message (ICMP type 8) is used to determine whether a host is active and can receive packets from the sender. If it can, it sends back an echo reply. While this is helpful in finding problems within a network, it gives an attacker a mechanism for finding live hosts. Thus there is little reason to allow echo requests into your network from the outside.

What consequences will this have on my network?

Any attempt to ping (an echo request/reply pair) the internal network from the outside will fail because the request is blocked at the firewall. This means that if someone is trying to diagnose a problem with a benign ping to the network, it will fail, and the failure looks no different from a host that is down.


ICMP - Destination Unreachable

Why shut down this service?

Destination unreachable (ICMP type 3) tells a sender that its packet could not be delivered; the code says why (network or host unreachable, port unreachable, and so on). In a perfect world this is a nice feature, but on today's Internet it helps attackers more than anyone else. An attacker can send packets to a network, each addressed to a different host; if every invalid destination earns a destination unreachable reply, the attacker has an easy map of the network, and the port unreachable code does the same for closed UDP ports. Because of this, outgoing destination unreachables should be blocked at the firewall, with one exception: code 4, "fragmentation needed", is how path MTU discovery works, and if it is blocked remote senders with a larger MTU will find that connections to your servers stall. Let type 3 code 4 out and drop the rest.

What consequences will this have on my network?

This should not affect the network, because the packets the dropped messages respond to did not have valid destinations or ports in the first place; the sender simply sees a timeout instead of an immediate error. Only the fragmentation needed message matters to legitimate traffic, and that one is kept.


ICMP - Echo Reply

Why shut down this service?

ICMP echo reply messages (type 0) are simply the answer to an echo request. The request/reply pair is commonly called a "ping". When a host receives an echo request, it responds with an echo reply which simply says, "Yeah, I'm here". This is extremely handy when trying to diagnose network problems because you can determine whether the host is active, listening and able to communicate with the sender. Like everything, however, it has its sinister side: an attacker uses it to find hosts that are alive. Ideally, you want to keep the attacker in the dark as much as possible about the topology of the network and which hosts are actually listening. By sending out ICMP echo replies, you tell the attacker at which addresses computers are listening.

What consequences will this have on my network?

As stated above, echo request/reply pairs are very common when diagnosing network problems, and depending on where the firewall sits, diagnosis using pings across it will no longer be possible. It is recommended to block outgoing echo replies at the border firewall, so that internal network diagnosis is still possible while the threat from the outside is eliminated. Replies to pings that inside hosts sent outward can still be let in by a stateful firewall that remembers the request.


ICMP - Time Exceeded

Why shut down this service?

This ICMP message (type 11) indicates that the time-to-live field of an IP packet has reached zero. At every router along the packet's path the value is decremented by one; if it reaches zero the packet is dropped, and the router that dropped it sends an ICMP time exceeded message to the source. While this is handy for indicating network failures, it can be used for malicious purposes: network mapping tools such as traceroute send packets with small TTL values, and as they expire on the way to the destination the entire path is mapped, one router at a time. It is a good idea not to let this kind of mapping happen into your network. By blocking these messages from leaving your network, you thwart mapping techniques of this type.

What consequences will this have on my network?

Since this message tells a sender that a packet never reached its destination, the sender loses that notice. If the transmission is unreliable (such as UDP), the packet may simply be lost. However, the TTL of a legitimate packet should not expire in transit on today's Internet; it only does so in a routing loop, which is a fault worth noticing anyway. Thus there should be no adverse effects on your network. Block only the outgoing messages: time exceeded messages coming in from the outside are what let your own users run traceroute.


ICMP - Timestamp Request

Why shut down this service?

Using this message (ICMP type 13), someone can ask a host to send back a packet containing a timestamp. While this has a number of legitimate applications, an attacker can use it to determine where on a network there are active hosts; it simply provides the attacker with another network mapping tool. That, coupled with the fact that timestamp requests can be blocked safely, means they should be blocked at the firewall. All incoming timestamp requests should be blocked.

What consequences will this have on my network?

Timestamp requests from outside can be blocked with no adverse effects on the internal network. It won't change operations one bit (except in very exotic networks).


ICMP - Timestamp Reply

Why shut down this service?

This ICMP message (type 14) sends the requesting host a packet containing a timestamp. The value can be used to determine a number of things about a network: bottlenecks, the turnaround time of a packet in a host and the current time, just to name a few. Unfortunately, it also tells an attacker a number of things. It tells him or her that the computer is alive and responding to traffic, and, obviously, that this particular service (and probably others) is not blocked at the firewall. It simply provides an attacker with more information about your network that they do not need. Consequently, all replies to timestamp requests should be blocked from leaving the internal network.

What consequences will this have on my network?

Blocking this type of traffic from leaving the internal network will have no effect on your network. All internal hosts will still be able to send and receive these messages among themselves, and there are no circumstances in which an external host would need a timestamp from your internal network.


ICMP - Address mask Request

Why shut down this service?

This packet (ICMP type 17) is a request for the subnet mask of the destination machine. It is often used by attackers to learn more about the victim network: given the subnet mask, they can narrow down the number of machines on the network and the internal IP ranges, which simply helps in carrying out an attack. It is a good idea to give an attacker as little information as possible, so these requests should be blocked.

What consequences will this have on my network?

This type of traffic is not usually part of normal network traffic so it should not have any adverse affects on your network. Usually the internal hosts of a network know the subnet mask that is being used on the network and consequently don't need to ask other machines on the network.


ICMP - Address mask Reply

Why shut down this service?

This ICMP message (type 18) is the reply to an address mask request (type 17). A router or host returns the subnet mask it is using to the requesting computer. An attacker can use the subnet mask to help build a topology of the victim's network: given the address mask, the attacker can determine where the broadcast addresses are and use those to find live hosts. Since it is not really used in normal network traffic, it can be safely blocked. It should not be allowed out of the internal network.

What consequences will this have on my network?

This type of traffic is not usually seen in legitimate network traffic so it is unlikely to break anything.
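The ICMP sections above amount to one policy: inbound, drop the three unsolicited probes (echo, timestamp and address mask requests) but let in the replies and errors that answer something an inside host sent; outbound, let through the fragmentation needed message that path MTU discovery depends on and the pings your own users send, and drop the replies and errors that map the network. The following script, an added example that is not part of the original page, expresses that policy as Linux iptables rules in iptables-restore format for a firewall forwarding between a LAN and the Internet. The interface name is an assumption; the rules cover the FORWARD chain, so the same pattern has to be repeated in INPUT and OUTPUT if the firewall's own addresses are to be protected.

```shell
#!/bin/sh
# Added example (not from the original page): ICMP policy for a Linux border
# firewall, in iptables-restore format, implementing the ICMP sections above.
# The interface name is an assumption. Load with "iptables-restore -n" so the
# rules are appended to the existing filter table rather than replacing it.

EXT_IF="eth0"   # Internet-facing interface (assumed)

gen_icmp_rules() {
    cat <<EOF
*filter
:ICMP_IN - [0:0]
:ICMP_OUT - [0:0]
# Hand every ICMP packet crossing the border to one of two chains.
-A FORWARD -i $EXT_IF -p icmp -j ICMP_IN
-A FORWARD -o $EXT_IF -p icmp -j ICMP_OUT
#
# Inbound from the Internet. Answers to things an inside host started (an
# echo reply to our ping, time exceeded to our traceroute, fragmentation
# needed for our TCP sessions) are tracked by conntrack and let through.
-A ICMP_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Unsolicited probes: echo request (8), timestamp request (13), address mask request (17).
-A ICMP_IN -p icmp --icmp-type echo-request -j DROP
-A ICMP_IN -p icmp --icmp-type timestamp-request -j DROP
-A ICMP_IN -p icmp --icmp-type address-mask-request -j DROP
# Everything else unsolicited is dropped too.
-A ICMP_IN -j DROP
#
# Outbound to the Internet. Type 3 code 4 must be allowed out: without it a
# remote sender with a larger MTU never learns to shrink its packets and
# connections to your servers stall (path MTU discovery).
-A ICMP_OUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
# Inside hosts may still ping outward for diagnosis.
-A ICMP_OUT -p icmp --icmp-type echo-request -j ACCEPT
# Replies and errors that map the network: types 0, 14, 18, 11 and the rest of 3.
-A ICMP_OUT -p icmp --icmp-type echo-reply -j DROP
-A ICMP_OUT -p icmp --icmp-type timestamp-reply -j DROP
-A ICMP_OUT -p icmp --icmp-type address-mask-reply -j DROP
-A ICMP_OUT -p icmp --icmp-type time-exceeded -j DROP
-A ICMP_OUT -p icmp --icmp-type destination-unreachable -j DROP
-A ICMP_OUT -j DROP
COMMIT
EOF
}

if [ "${1:-}" = "--apply" ]; then
    gen_icmp_rules | iptables-restore -n
else
    gen_icmp_rules
fi
```

The order inside ICMP_OUT matters: fragmentation-needed is type 3 code 4, so its ACCEPT has to come before the destination-unreachable DROP that covers the rest of type 3. A quick check after loading is to run traceroute from an inside host (should still work, since the incoming time exceeded messages are RELATED) and to traceroute toward the network from outside (should stop at the border).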


Spoofed Addresses

Why block these packets?

These address ranges are the private address space reserved by RFC 1918: 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. No packet with a source or destination in this space should be allowed out onto the Internet; the addresses are only meant for use on private internal networks. Thus any packet that comes from the outside carrying a reserved address is anomalous and should not be allowed into the private network, and likewise packets with reserved addresses should not be allowed out through the firewall onto the Internet. The same goes for a packet arriving from the outside that claims one of your own addresses as its source: it is spoofed by definition.

What consequences will this have on my network?

There should be no effect on your network because these addresses should not be passed through any router on the Internet in the first place; these rules simply enforce that standard.


Spoofed localhost Address

Why block these packets?

Every modern computer comes with what is called the loopback address. This is almost always 127.0.0.1, and the whole 127.0.0.0/8 block is reserved for loopback. The address refers to the computer itself: if you connect to 127.0.0.1, the computer contacts itself. Because this is the standard, there is no reason a packet from or to a loopback address should ever pass through the firewall. It is abnormal activity and should be blocked.

What consequences will this have on my network?

This should not affect your network because the loopback address is only used by a computer to contact itself and should never be seen crossing the firewall.


Broadcast IP Address

Why block these packets?

An address whose host part is all ones (.255 on a /24 network) is the subnet's directed-broadcast address: every host on the subnet accepts a packet sent to it. Attackers use this by sending a request such as an ICMP echo to the broadcast address with a spoofed source, so that every host on the network replies and the replies bombard the spoofed victim (the "smurf" attack); the network becomes an amplifier for a denial-of-service. No packets from the outside should be accepted for broadcast addresses.

What consequences will this have on my network?

There will be no consequence on your network because under normal operations incoming broadcast packets are not used. By explicitly blocking these packets, you really shouldn't be changing anything, only stopping attacks.


Source Routed Packets

Why block these packets?

Source routing is the specification, inside the packet itself, of the path it must travel on its journey from source to destination. Source routing can be either loose or strict, but most of the vulnerabilities are the same. An attacker can use it to ensure that the packet is routed through a compromised machine; if the attacker controls a machine the packet passes through, he or she can manipulate the packet and perform a man-in-the-middle attack, or use the option to reach internal addresses that are not otherwise routable from the outside. There is no good reason to accept source-routed packets, so they should be dropped at the firewall.

What consequences will this have on my network?

Any packet that carries a source route option will be dropped. This should not affect your network because source routing has no legitimate use in normal traffic.
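The four sections above (reserved addresses, loopback, directed broadcasts, source routing) are all checks on what an address or option claims rather than on a port, and on Linux they are best done partly in iptables and partly in the kernel. The script below is an added example that is not part of the original page. It generates the inbound checks in the raw table (which runs before NAT, so the addresses examined are the ones that actually arrived on the wire) and the outbound checks in the filter table, and prints the sysctl settings that refuse source-routed packets, enable reverse-path filtering and stop the hosts answering broadcast pings. Interface names, the LAN and the public block are assumptions; 198.51.100.0/24 is a documentation range (RFC 5737) standing in for a real allocation.

```shell
#!/bin/sh
# Added example (not from the original page): anti-spoofing, directed-broadcast
# and source-route rules for a Linux border firewall, in iptables-restore
# format, plus the sysctl settings that back them. Every name and address
# below is an assumption for illustration.
#
# Usage:  sh antispoof.sh            # print rules and sysctl lines for review
#         sh antispoof.sh --apply    # load them (as root)

EXT_IF="eth0"                  # Internet-facing interface (assumed)
INT_IF="eth1"                  # LAN-facing interface (assumed)
LAN_NET="10.0.0.0/24"          # our private LAN (assumed)
LAN_BCAST="10.0.0.255"         # its directed-broadcast address
PUBLIC_NET="198.51.100.0/28"   # our own public block (documentation range, assumed)
# Private (RFC 1918) and loopback space: never a valid source or destination
# on the Internet side. Operators commonly extend this list with other bogons.
RESERVED="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8"

gen_spoof_rules() {
    # raw/PREROUTING runs before NAT, so addresses are still what the wire carried.
    printf '%s\n' '*raw' ':SPOOF_IN - [0:0]'
    for net in $RESERVED; do
        printf '%s\n' "-A PREROUTING -i $EXT_IF -s $net -j SPOOF_IN"
        printf '%s\n' "-A PREROUTING -i $EXT_IF -d $net -j SPOOF_IN"
    done
    # Our own public addresses cannot legitimately arrive from the outside.
    printf '%s\n' "-A PREROUTING -i $EXT_IF -s $PUBLIC_NET -j SPOOF_IN"
    # Directed broadcasts from outside (smurf-style amplification).
    printf '%s\n' "-A PREROUTING -i $EXT_IF -d $LAN_BCAST -j SPOOF_IN"
    printf '%s\n' "-A PREROUTING -i $EXT_IF -m addrtype --dst-type BROADCAST -j SPOOF_IN"
    printf '%s\n' "-A SPOOF_IN -m limit --limit 6/min -j LOG --log-prefix \"SPOOF-IN: \""
    printf '%s\n' '-A SPOOF_IN -j DROP' 'COMMIT'

    printf '%s\n' '*filter' ':SPOOF_OUT - [0:0]'
    # Egress: whatever comes in from the LAN must carry a LAN source (RFC 2827),
    # and nothing may leave for a reserved destination.
    printf '%s\n' "-A FORWARD -i $INT_IF ! -s $LAN_NET -j SPOOF_OUT"
    for net in $RESERVED; do
        printf '%s\n' "-A FORWARD -o $EXT_IF -d $net -j SPOOF_OUT"
    done
    printf '%s\n' "-A SPOOF_OUT -m limit --limit 6/min -j LOG --log-prefix \"SPOOF-OUT: \""
    printf '%s\n' '-A SPOOF_OUT -j DROP' 'COMMIT'
}

# Kernel settings that enforce the same policy underneath iptables.
gen_sysctl() {
    cat <<'EOF'
# Refuse loose and strict source-routed packets on every interface.
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# Reverse-path filter: drop packets whose source is not reachable via the arrival interface.
net.ipv4.conf.all.rp_filter = 1
# Never answer pings sent to a broadcast address.
net.ipv4.icmp_echo_ignore_broadcasts = 1
EOF
}

if [ "${1:-}" = "--apply" ]; then
    gen_spoof_rules | iptables-restore -n
    gen_sysctl > /etc/sysctl.d/50-antispoof.conf && sysctl --system
else
    gen_spoof_rules
    gen_sysctl
fi
```

The egress source check is deliberately written against the LAN interface rather than the outgoing one: on a NATing firewall the source address is still the private one while FORWARD runs, so a rule that dropped private sources on the way out would drop all of your own users. The two log prefixes separate spoofed packets from outside (expected noise) from spoofed packets originating inside, which usually mean a misconfigured or compromised host.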


 


Last Modified on: April 20, 2005
