Which Protocols to Filter

The decision to filter certain protocols and fields depends on the network access policy, i.e., which systems should have Internet access and what type of access to permit. The following services are inherently vulnerable to abuse and are usually blocked at a firewall from entering or leaving the site:

- tftp, port 69, trivial FTP (which might be used for booting diskless workstations, terminal servers and routers), can also be used to read any file on the system if set up incorrectly.
- X Windows, Open Windows, ports 6000+, port 2000, can leak information from X window displays including all keystrokes.
- RPC, port 111, Remote Procedure Call services including NIS and NFS, which can be used to steal system information such as passwords and to read and write files.
- rlogin, rsh, and rexec, ports 513, 514, and 512, are all services that if improperly configured can permit unauthorised access to accounts and commands.

Other services, whether inherently dangerous or not, are usually filtered and possibly restricted to only those systems that need them. These would include:

- TELNET, port 23, often restricted to only certain systems.
- FTP, ports 20 and 21, like TELNET, often restricted to only certain systems.
- SMTP, port 25, often restricted to a central e-mail server.
- POP3, port 110, e-mail clients retrieve mail by POP3 from port 110 on the mail server.
- IMAP, port 143, e-mail clients retrieve mail by IMAP from port 143 on the mail server.
- LDAP, port 389, Lightweight Directory Access Protocol uses port 389 on the directory server.
- RIP, port 520, (Routing Information Protocol) can be spoofed to redirect packet routing.
- DNS, port 53, domain name service; zone transfers contain names of hosts and information about hosts that could be helpful to attackers, and DNS could be spoofed.
- UUCP, port 540, (UNIX-to-UNIX Copy) if improperly configured can be used for unauthorised access.
- NNTP, port 119, (Network News Transfer Protocol) for accessing and reading network news.
- GOPHER, http (for Mosaic), ports 70 and 80, information servers and client programs for gopher and WWW clients, should be restricted to an application gateway that contains proxy services.
- PPTP (Microsoft), port 1723 in both directions; also uses IP protocol 47 (the GRE protocol, version 2.0).
- FILEMAKER IP, port 5003, both directions. Port published by FileMaker Pro Server.
- REAL AUDIO, TCP port 7070, UDP ports 6170-7170. Rather than just opening these ports, a slightly safer configuration can be achieved by careful configuration of the TCP port connection. The TCP port 7070 is used by the client to initiate a conversation with an external RealServer, to authenticate the player to the server, and to pass control messages during playback (e.g., pausing or stopping the audio stream). Since you do not want incoming connection attempts on this port, you should configure the router's access control list to allow TCP connections on port 7070 to be initiated from the inside network exclusively. Incoming traffic, on the other hand, should only be allowed if it is part of an ongoing connection. This is assured by requiring incoming TCP packets to have the ACK bit set in the TCP header. The syntax for specifying that the ACK bit must be set varies with the kind of router you own, but for Cisco routers the flag "ESTABLISHED" can be put at the end of the line in an access rule to specify that an incoming packet must be part of an ongoing conversation.
- TIMBUKTU PRO uses the following ports: UDP port 407 and TCP ports 1417 through 1420 must be open. Timbuktu Pro uses UDP port 407 for connection handshaking and then switches to the TCP ports for Timbuktu services: Control (1417), Observe (1418), Send (1419), and Exchange (1420). Chat, Notify, and Intercom use dynamic TCP ports.
- Mirabilis ICQ must be able to communicate with the ICQ server. This is done via UDP port 4000 to icq.mirabilis.com and needs a bidirectional connection on this port number. ICQ client-to-client connection is done using the TCP protocol, using the port range 1024-65535. This means that the client needs open listening ports within the mentioned range, 1024 to 65535. Opening all these ports is obviously impractical. The ICQ client can be configured to work with a firewall or proxy server (see http://www.icq.com), but this generally results in reduced ICQ functionality. If you are using IP masquerading, i.e. NAT, as most firewalls will, you will need a SOCKS proxy server to implement ICQ connectivity for more than one internal user.
- pcANYWHERE: the default ports for pcAnywhere are 5631 (TCP) and 5632 (UDP), but it can be configured to use another port by editing the registry (see http://www.symantec.com).
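As an added illustration (not from the original page), the filtering described above, written as Cisco IOS extended access lists: the inherently vulnerable services are denied inbound and the RealAudio control port is handled with the "established" rule. It assumes the Internet-facing interface is Serial0, the inside network is 192.0.2.0/24 (both placeholders), and takes the "6000+" X Windows range as displays :0 to :63.

```cisco
! Added example, not from the original page. Assumes a Cisco IOS router
! whose Internet-facing interface is Serial0 and whose inside network is
! 192.0.2.0/24 (placeholder addresses).
!
! ACL 102 is applied INBOUND on the Internet-facing interface.
access-list 102 remark Deny the inherently vulnerable services from entering
access-list 102 deny udp any any eq 69
access-list 102 remark X displays :0 to :63, then Open Windows
access-list 102 deny tcp any any range 6000 6063
access-list 102 deny tcp any any eq 2000
access-list 102 remark RPC portmapper (NIS, NFS)
access-list 102 deny tcp any any eq 111
access-list 102 deny udp any any eq 111
access-list 102 remark rexec 512, rlogin 513, rsh 514
access-list 102 deny tcp any any range 512 514
access-list 102 remark RealAudio control channel: replies from an external
access-list 102 remark RealServer (source port 7070) are allowed only when
access-list 102 remark the ACK bit is set, i.e. the session began inside.
access-list 102 remark "established" checks flags only and keeps no state;
access-list 102 remark prefer a stateful firewall where one is available.
access-list 102 permit tcp any eq 7070 192.0.2.0 0.0.0.255 established
access-list 102 remark RealAudio data stream (UDP range given above)
access-list 102 permit udp any 192.0.2.0 0.0.0.255 range 6170 7170
access-list 102 remark Explicit form of the implicit final deny, with logging
access-list 102 deny ip any any log
!
! ACL 101 is applied OUTBOUND on the Internet-facing interface: inside
! hosts may open the 7070 control channel to any RealServer. Every ACL
! ends in an implicit deny, so the other outbound services permitted by
! the site policy (SMTP, DNS, ...) must be added here as well.
access-list 101 permit tcp 192.0.2.0 0.0.0.255 any eq 7070
access-list 101 remark Other permitted outbound services from the policy go here
access-list 101 deny ip any any log
!
interface Serial0
 ip access-group 102 in
 ip access-group 101 out
```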