[Dshield] Closing ports

Jon R. Kibler Jon.Kibler at aset.com
Wed Sep 10 22:38:13 GMT 2003


Exactly what firewall are you using?

The firewalls I am familiar with allow you to control access based upon:
	Incoming Packets
	Outgoing Packets
	Forwarded Packets

And within each of these categories, you can control access based upon protocol. Within each protocol, you have protocol-specific degrees of control. For example, with TCP, you can permit or deny access based upon whether it is an established session. Such capabilities generally eliminate the worry about ports > 1024.

The usual (very general) rules are:
	Allow establishment of new incoming connections only on supported services
	Allow incoming responses to outgoing initiated sessions
	Block everything else incoming
	Block unsafe outgoing ports < 1024 (somewhat O/S dependent)
	Block unsafe outgoing protocols (ARP, RIP, etc.)
	Block forwarding
	Allow everything else outgoing

Naturally, you need to be more specific, and the above is not complete.

Hope this gets you started and answers some of your questions.

Jon R. Kibler
A.S.E.T., Inc.
Charleston, SC  USA

Alan Frayer wrote:
> I understand that some processes, such as http, not only require their
> own port (80 in this case), but ports in a range over 1023 for, shall we
> say, housekeeping?
> Documentation I read recently suggested these upper range ports can be
> controlled by telling the firewall to handle them dynamically, where an
> upper range port request returning with an expected port 80 reply is
> given a brief hole to pass through. Fine.
> But what if your firewall doesn't support dynamic port handling? What if
> the firewall expects you to leave open that upper range for those
> dynamic requests?
> When replacing the firewall isn't an option because management doesn't
> see or recognize a threat (and I'm more replaceable than the firewall),
> how should one secure the ports over 1023 and still make the standard
> services available to the employees?
> ________________________________________________________________________
> Alan Frayer,CNE,CNI,CIW CI,MCP,Net+ - afrayer at frayernet.com
> Seeking an IT Mgmt/Network Admin position in the Tampa Bay Region
> If you would like to discuss an opportunity with me, please e-mail.
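As an added illustration of the rule sketch in the reply above (not code from the original thread or from any firewall product): a toy packet filter in Python that applies those rules in the two situations the question raises, a firewall that tracks outbound sessions and one with no dynamic port handling that can only look at TCP flags (the classic ACL "established" test, which trusts the ACK/RST bits). The host address 10.0.0.5, the supported-service and unsafe-port sets, port 34567 and the sample packets are all constructed for the example.

```python
"""Toy packet filter for the rule sketch above (added example, not from the post).
Assumed: a host at 10.0.0.5, the policy sets below, and the sample traffic in run()."""
from dataclasses import dataclass

# Assumed policy values for this example.
SUPPORTED_SERVICES = {("tcp", 22), ("tcp", 80)}            # new inbound connections we accept
UNSAFE_OUTGOING_PORTS = {("tcp", 135), ("tcp", 139), ("tcp", 445),
                         ("udp", 137), ("udp", 138)}       # e.g. Windows RPC/NetBIOS/SMB
UNSAFE_OUTGOING_PROTOS = {"arp", "rip"}                    # taken from the post's rule list
STATELESS_UDP_REPLY_SPORTS = {53}                          # replies a stateless box must let in


@dataclass(frozen=True)
class Packet:
    direction: str                   # "in", "out" or "fwd"
    proto: str                       # "tcp", "udp", "icmp", "arp", "rip", ...
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()   # TCP flag names, e.g. {"SYN", "ACK"}


class Firewall:
    """stateful=True remembers sessions; stateful=False models a firewall without
    dynamic port handling, which can only inspect each packet on its own."""

    def __init__(self, stateful: bool):
        self.stateful = stateful
        self.sessions = set()        # (proto, local_ip, local_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> str:
        if p.direction == "fwd":
            return "DROP: forwarding disabled"
        if p.direction == "out":
            return self._outbound(p)
        return self._inbound(p)

    def _outbound(self, p: Packet) -> str:
        if p.proto in UNSAFE_OUTGOING_PROTOS:
            return "DROP: unsafe outgoing protocol"
        if p.dport < 1024 and (p.proto, p.dport) in UNSAFE_OUTGOING_PORTS:
            return "DROP: unsafe outgoing port"
        if self.stateful and p.proto in ("tcp", "udp"):
            self.sessions.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "ALLOW: outbound"

    def _inbound(self, p: Packet) -> str:
        key = (p.proto, p.dst, p.dport, p.src, p.sport)   # local side first
        if self.stateful and key in self.sessions:
            return "ALLOW: part of tracked session"
        if p.proto == "tcp" and p.flags == {"SYN"} and (p.proto, p.dport) in SUPPORTED_SERVICES:
            if self.stateful:
                self.sessions.add(key)                    # server-side session, track its replies
            return "ALLOW: new connection to supported service"
        if not self.stateful:
            # No state to consult: trust the ACK/RST bits (the ACL 'established' test)
            # and open UDP replies by source port. Neither can be verified per packet.
            if p.proto == "tcp" and p.flags & {"ACK", "RST"}:
                return "ALLOW: tcp flags say established (unverified)"
            if p.proto == "udp" and p.dport > 1023 and p.sport in STATELESS_UDP_REPLY_SPORTS:
                return "ALLOW: udp reply by source port (unverified)"
        return "DROP: default inbound"


def run(stateful: bool) -> list:
    """Replay constructed sample traffic and return the decision for each packet."""
    fw = Firewall(stateful)
    me, web, scanner = "10.0.0.5", "203.0.113.10", "198.51.100.7"
    traffic = [
        Packet("out", "tcp", me, 34567, web, 80, frozenset({"SYN"})),        # 0 browse out
        Packet("in", "tcp", web, 80, me, 34567, frozenset({"SYN", "ACK"})),   # 1 legitimate reply
        Packet("in", "tcp", scanner, 4444, me, 34567, frozenset({"ACK"})),   # 2 unsolicited ACK scan
        Packet("in", "tcp", scanner, 4444, me, 34567, frozenset({"SYN"})),   # 3 SYN to a high port
        Packet("in", "tcp", scanner, 4444, me, 80, frozenset({"SYN"})),      # 4 new web client
        Packet("in", "tcp", scanner, 4444, me, 80, frozenset({"ACK"})),      # 5 its next segment
        Packet("out", "tcp", me, 1030, web, 445, frozenset({"SYN"})),         # 6 SMB leaving the LAN
        Packet("out", "rip", me, 520, "10.0.0.255", 520),                   # 7 routing chatter
        Packet("fwd", "tcp", scanner, 4444, web, 80, frozenset({"SYN"})),    # 8 transit packet
    ]
    return [fw.decide(p) for p in traffic]


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless")
        for i, verdict in enumerate(run(mode)):
            print(f"  {i}: {verdict}")
```

Packets 1 and 2 are the point of the exercise: both land on port 34567, and only the session-tracking firewall can tell the real reply from the forged ACK. The stateless variant keeps the standard services working without opening the whole upper range to new connections (packet 3 is still dropped), but any packet with ACK set passes, which is what an ACK scan exploits; that is the residual risk to weigh when the firewall cannot be replaced.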
