
Which Protocols to Filter

The best starting point for any firewall is to block everything from everywhere at all times; this is usually the default configuration.

The decision to filter certain protocols and fields depends on the network access policy, i.e., which systems should have Internet access and what type of access to permit. The following services are inherently vulnerable to abuse and are usually blocked at a firewall from entering or leaving the site.

Program (Port): Description
tftp (69): Trivial FTP is usually used for booting diskless workstations, terminal servers, routers etc. However, it can also be used to read any file on the system if set up incorrectly. It is usually not installed and/or available under Windows.
X Windows / Open Windows (2000, 6000+): can leak information from X window displays, including all keystrokes.
RPC (111): Remote Procedure Call services, which include NIS and NFS etc. These can be used to read information such as passwords and to read and write files.
rlogin / rsh / exec (513 / 514 / 512): are all services that, if improperly configured, can permit unauthorised access to accounts and commands.

Other services, whether inherently dangerous or not, should be blocked and/or filtered so that only those systems that need them can use them.

Program (Port): Description
Telnet (23): often restricted to only certain systems.
FTP (20, 21): like TELNET, often restricted to only certain systems.
SMTP (25): often restricted to a central E-mail server.
POP3 (110): Email clients retrieve mail by POP3 from port 110 on the mail server.
IDENT (113): The IDENT protocol is often used by POP mail, FTP, and HTTP servers to identify incoming users. Most users consider the IDENT protocol a security violation, because it could allow an outsider to gain confidential knowledge of your secured network. But for speed it is probably worth enabling inbound from an Email server on a DMZ to the internal network clients, to speed up POP access.
IMAP (143): Email clients retrieve mail by IMAP from port 143 on the mail server.
LDAP (389): Lightweight Directory Access Protocol uses port 389 on the directory server.
RIP (520): (routing information protocol) can be spoofed to redirect packet routing.
DNS (53): domain name service zone transfers contain names of hosts and information about hosts that could be helpful to attackers, and could be spoofed.
UUCP (540): (UNIX-to-UNIX Copy) if improperly configured can be used for unauthorised access.
NNTP (119): (Network News Transfer Protocol) for accessing and reading network news.
HTTP (70, 80, 443): http information servers and client programs for gopher and WWW clients; should be restricted to an application gateway that contains proxy services.
PPTP, Microsoft (1723, IP protocol 47): 1723 both directions; uses protocol 47 (the GRE protocol Version 2.0).
FILEMAKER (IP 5003): both directions. Port published by Filemaker Pro Server.
REAL AUDIO (tcp 7070, udp 6170-7170): Rather than just opening these ports, a slightly safer configuration can be achieved by careful configuration of the TCP port connection. The TCP port 7070 is used by the client to initiate a conversation with an external RealServer, to authenticate the player to the server, and to pass control messages during playback (e.g., pausing or stopping the audio stream). Since you do not want incoming connection attempts on this port, you should configure the router's access control list to allow TCP connections on port 7070 to be initiated from the inside network exclusively. Incoming traffic, on the other hand, should only be allowed if it is part of an ongoing connection. This is assured by requiring incoming TCP packets to have the ACK bit set in the TCP header carried by every packet. The syntax for specifying that the ACK bit must be set varies with the kind of router you own, but for Cisco routers the flag "ESTABLISHED" can be put at the end of the line in an access rule to specify that an incoming packet must be part of an ongoing conversation.
TIMBUKTU PRO (udp 407, tcp 1417-1420): Timbuktu Pro uses UDP port 407 for connection handshaking and then switches to the TCP ports for Timbuktu Services: Control (1417), Observe (1418), Send (1419), and Exchange (1420). Chat, Notify, and Intercom use dynamic TCP ports.
ICQ Messaging (5190, 1024-65535): must be able to communicate with the ICQ server. This was done via port TCP 5190 to login.icq.com (previously 4000 UDP icq.mirabilis.com) and needs a bidirectional connection on this port number. ICQ client-to-client connection is done using the TCP protocol, using the port range 1024-65535. This means that the client needs open listening ports within the mentioned range, 1024 to 65535. Opening all these ports is obviously impractical. The ICQ client can be configured to work with a firewall or proxy server (see www.icq.com), but this generally results in reduced ICQ functionality. If you're using IP masquerading, i.e. NAT, as most firewalls do, you will need a SOCKS proxy server to implement ICQ connectivity for more than one internal user.
pcANYWHERE (tcp 5631, 5632 udp [default]): The default ports can be changed by editing the registry.
Windows 2000 Terminal Services (tcp 3389 inbound, dynamic outbound).
Microsoft Netmeeting, H.323 (tcp 522, 389, 1503, 1720, 1731, plus two secondary dynamically negotiated udp ports in the range 1024-65535 for the H.323 streaming transmission of audio and video): For transmission of audio and video you only have to enable outgoing for these ports. Unfortunately, to allow incoming audio and video you need to open up the entire 1024-65536 range as well as tcp 1503, 1720, 1731, due to the complexity of the H.323 protocol, which pre-dates the introduction of network address translation. Unless you have a firewall or proxy that specifically supports the H.323 protocol at the application level, and thus supports the virtual opening of dynamic incoming udp ports, you are stuck opening them all up. See Microsoft's Knowledge Base article "How to Establish NetMeeting Connections Through a Firewall", Q158623.

How to Block Instant Messaging

To fully block instant messaging you need a two-pronged approach: block both the IP addresses of the servers and the default ports.

AOL IM: login.oscar.aol.com, default port 5190
64.12.161.153
64.12.161.185
64.12.200.89
205.188.179.233

ICQ: login.icq.com, default port 5190
64.12.162.153
64.12.162.185
64.12.200.89
205.188.179.233

MSN Messenger
207.46.104.20 gateway.messenger.hotmail.com
64.4.13.171 http1.msgr.hotmail.com
...
64.4.13.190 http20.msgr.hotmail.com

Yahoo: cs.yahoo.com, default port 5050

Note that some messaging services, like AOL, have a tendency to change their servers' IP addresses once or twice a year.
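As an added illustration (not code from the original page), the following Python models a first-match access list with the two controls described on this page: blocking the instant-messaging servers by address and by default port, and the RealAudio rule that lets inside hosts open TCP 7070 while only ACK-bearing reply packets are allowed back in. The inside network 10.0.0.0/8, the sample packets and the Packet/Rule types are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Packet:
    direction: str      # "in" or "out", relative to the inside network
    proto: str          # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset = frozenset()   # TCP flags present, e.g. {"SYN", "ACK"}

@dataclass
class Rule:
    action: str         # "permit" or "deny"
    direction: str
    proto: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    sport: Optional[int] = None
    dport: Optional[int] = None
    established: bool = False   # like Cisco "established": ACK or RST bit must be set

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.sport in (None, p.sport)
                and self.dport in (None, p.dport)
                and (not self.established or bool(p.flags & {"ACK", "RST"})))

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; every access list ends with an implicit deny."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"
INSIDE = "10.0.0.0/8"                              # assumed internal network
IM_SERVERS = ["64.12.161.153", "64.12.161.185"]    # AOL IM addresses from the page
POLICY = (
    # Instant messaging: deny both the listed server addresses and the default ports
    [Rule("deny", "out", "tcp", dst_net=ip) for ip in IM_SERVERS]
    + [Rule("deny", "out", "tcp", dport=5190), Rule("deny", "out", "tcp", dport=5050)]
    # RealAudio: only the inside may open 7070; only ongoing-conversation packets return
    + [Rule("permit", "out", "tcp", src_net=INSIDE, dport=7070),
       Rule("permit", "in", "tcp", dst_net=INSIDE, sport=7070, established=True)]
)
```

A flag check like established is not connection tracking: any inbound packet with the ACK bit set matches, so a stateful firewall that records the outbound connection is the stronger control.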

To discuss how Oninit ® can assist please call on +1-913-674-0360 or alternatively just send an email specifying your requirements.