The best starting point for any firewall is to block everything from everywhere at any time; this is usually the default configuration.
The decision to filter certain protocols and fields depends on the network access policy, i.e., which systems should have Internet access and what types of access to permit. The following services are inherently vulnerable to abuse and are usually blocked at a firewall from entering or leaving the site.
| Program | Port | Description |
|---|---|---|
| tftp | 69 | Trivial FTP is usually used for booting diskless workstations, terminal servers, routers, etc. However, it can also be used to read any file on the system if set up incorrectly. It is usually not installed and/or available under Windows. |
| X Windows, Open Windows | 2000, 6000+ | Can leak information from X Window displays, including all keystrokes. |
| RPC | 111 | Remote Procedure Call services, which include NIS and NFS, etc. These can be used to read information such as passwords and to read and write files. |
| rlogin, rsh, exec | 513, 514, 512 | All services that, if improperly configured, can permit unauthorised access to accounts and commands. |
Other services, whether inherently dangerous or not, should be blocked and/or filtered so that only those systems that need them can use them.
| Program | Port | Description |
|---|---|---|
| Telnet | 23 | Often restricted to only certain systems. |
| FTP | 20, 21 | Like Telnet, often restricted to only certain systems. |
| SMTP | 25 | Often restricted to a central e-mail server. |
| POP3 | 110 | E-mail clients retrieve mail by POP3 from port 110 on the mail server. |
| IDENT | 113 | The IDENT protocol is often used by POP mail, FTP, and HTTP servers to identify incoming users. Most users consider the IDENT protocol a security violation, because it could allow an outsider to gain confidential knowledge of your secured network. But for speed it is probably worth enabling inbound from an e-mail server on a DMZ to the internal network clients, to speed up POP access. |
| IMAP | 143 | E-mail clients retrieve mail by IMAP from port 143 on the mail server. |
| LDAP | 389 | Lightweight Directory Access Protocol uses port 389 on the directory server. |
| RIP | 520 | Routing Information Protocol; can be spoofed to redirect packet routing. |
| DNS | 53 | Domain Name Service zone transfers contain names of hosts and information about hosts that could be helpful to attackers, and could be spoofed. |
| UUCP | 540 | UNIX-to-UNIX Copy; if improperly configured, can be used for unauthorised access. |
| NNTP | 119 | Network News Transfer Protocol, for accessing and reading network news. |
| HTTP | 70, 80, 443 | HTTP information servers and client programs for Gopher and WWW clients; should be restricted to an application gateway that contains proxy services. |
| PPTP (Microsoft) | 1723, 47 | 1723 in both directions; uses protocol 47 (the GRE protocol, version 2.0). |
| FileMaker IP | 5003 | Both directions. Port published by FileMaker Pro Server. |
| RealAudio | tcp 7070, udp 6170-7170 | Rather than just opening these ports, a slightly safer configuration can be achieved by careful configuration of the TCP port connection. TCP port 7070 is used by the client to initiate a conversation with an external RealServer, to authenticate the player to the server, and to pass control messages during playback (e.g., pausing or stopping the audio stream). Since you do not want incoming connection attempts on this port, you should configure the router's access control list to allow TCP connections on port 7070 to be initiated from the inside network exclusively. Incoming traffic, on the other hand, should only be allowed if it is part of an ongoing connection. This is assured by requiring incoming TCP packets to have the ACK bit set in the TCP header carried by every packet. The syntax for specifying that the ACK bit must be set varies with the kind of router you own, but for Cisco routers the flag "ESTABLISHED" can be put at the end of the line in an access rule to specify that an incoming packet must be part of an ongoing conversation. |
| Timbuktu Pro | udp 407, tcp 1417-1420 | Timbuktu Pro uses UDP port 407 for connection handshaking and then switches to the TCP ports for Timbuktu services: Control (1417), Observe (1418), Send (1419), and Exchange (1420). Chat, Notify, and Intercom use dynamic TCP ports. |
| ICQ Messaging | 5190, 1024-65535 | Must be able to communicate with the ICQ server. This was done via TCP port 5190 to login.icq.com (previously UDP 4000 to icq.mirabilis.com) and needs a bidirectional connection on this port number. ICQ client-to-client connection is done using the TCP protocol, using the port range 1024-65535. This means that the client needs open listening ports within the mentioned range, 1024 to 65535. Opening all these ports is obviously impractical. The ICQ client can be configured to work with a firewall or proxy server (see www.icq.com), but this generally results in reduced ICQ functionality. If you're using IP masquerading, i.e. NAT, as most firewalls will, you will need a SOCKS proxy server to implement ICQ connectivity for more than one internal user. |
| pcAnywhere | tcp 5631, udp 5632 [default] | The default ports can be changed by editing the registry. |
| Windows 2000 Terminal Services | tcp 3389 inbound, dynamic outbound | |
| Microsoft NetMeeting (H.323) | tcp 522, 389, 1503, 1720, 1731, plus two secondary dynamically negotiated udp ports in the range 1024-65535 | For the H.323 streaming protocol transmission of audio and video. For transmission of audio and video you only have to enable outgoing for these ports. Unfortunately, to allow incoming audio and video you need to open up the entire 1024-65536 range as well as tcp 1503, 1720, 1731, due to the complexity of the H.323 protocol, which pre-dates the introduction of network address translation. Unless you have a firewall or proxy that specifically supports the H.323 protocol at the application level, and thus supports the virtual opening of dynamic incoming udp ports, you are stuck opening them all up. See Microsoft's Knowledge Base article "How to Establish NetMeeting Connections Through a Firewall", Q158623. |
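The default-deny starting point from the top of the page and the RealAudio "ESTABLISHED" rule are modelled below as a small stateless packet filter. This is an added illustration, not code from the original page; the Packet/Rule structure, the rule names and the client port numbers in the sample packets are constructed for the example.

```python
# Stateless packet-filter model: default deny plus a Cisco-style
# "established" (ACK-bit) rule for the RealAudio TCP 7070 case.
# Added illustration, not code from the original page; the Packet/Rule
# format and the client port numbers used below are constructed.
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Packet:
    direction: str      # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK flag (meaningless for udp)

@dataclass
class Rule:
    action: str                   # "permit" or "deny"
    direction: str
    proto: str
    src_port: int | None = None   # None matches any port
    dst_port: int | None = None
    established: bool = False     # require the ACK bit, like Cisco "established"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.proto == pkt.proto
                and self.src_port in (None, pkt.src_port)
                and self.dst_port in (None, pkt.dst_port)
                and (pkt.ack or not self.established))

def evaluate(acl: list[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the default deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"

# Inside hosts may open TCP 7070 outward to a RealServer; packets coming back
# from port 7070 are accepted only when they carry ACK (ongoing connection).
REALAUDIO_ACL = [
    Rule("permit", "out", "tcp", dst_port=7070),
    Rule("permit", "in", "tcp", src_port=7070, established=True),
]

if __name__ == "__main__":
    client_syn = Packet("out", "tcp", 40001, 7070)              # permit
    server_reply = Packet("in", "tcp", 7070, 40001, ack=True)   # permit
    outside_syn = Packet("in", "tcp", 40002, 7070)              # deny
    for p in (client_syn, server_reply, outside_syn):
        print(p, "->", evaluate(REALAUDIO_ACL, p))
```

The ACK-bit check is stateless: an inbound packet from source port 7070 with ACK set passes even when no inside host ever opened a connection, which is why a firewall that tracks connection state is preferable where available.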
To fully block instant messaging you need a two-pronged approach: blocking both the IP addresses of the servers and the default ports.
Note that some messaging services, like AOL, have a tendency to change their servers' IP addresses once or twice a year.
To discuss how Oninit ® can assist please call on +1-913-674-0360 or alternatively just send an email specifying your requirements.