CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
We have approximately 300 IP40/45/60 at different retail locations of ours. We would like to build a new rulebase for these firewalls. When I filter all traffic in Tracker coming from the stores... there are a lot of ports open. How would you suggest I begin to start identifying and locking down these ports? Here is just a sample of some of the open ports:

59929 10838 19523 49211 5588 7811 52492 31787 13964 7988 3470 14228 58151 7574 1886 8294 40364 3524 40364 26108 11393 13748 3563 37649 7661 16439 20414 57110 3509 57110 53600 46655 55388 18974 3479 10346 32789 19640 8033 63911 50618 60170 36581

There are many more. I know we need to know which ones we use often, like 21, 22, 443, 80 etc., but I don't want to block ports that I haven't identified as ports we use. Any input or direction would be appreciated! Thanks
Are you looking in the Source Port column or the Service column? Those are normal for the Source Port. The computer initiating the connection generally picks a random source port up high to initiate the connection to the destination's Service port.

Ray
If your log files cover a fair amount of time, a couple of months or so, you could export them to a text file from the File menu and import it into Excel. Use " as the delimiter. Then sort on Destination and you'll see what hosts are getting traffic on what ports. Sort on Source and you'll see what hosts are trying to use which services. Then sort on Services and you'll see all that are in use by which source and destination. Assuming you know what the allowed destinations are, it should be pretty easy to get it all sorted out, so to speak. :-)

Take care,
Ray
Re: What is BBN IAD?

iad2 1031/tcp BBN IAD
iad2 1031/udp BBN IAD

This is the BBN (Bolt, Beranek and Newman) Interface Access Device, which operates as a bridge/router between IP, X.25, asynch links, etc.
By RPC connection I'm referring to the client accessing the server via DCOM (135/tcp). In that DCOM connection the server will respond with a new port (>1024/tcp, aka tcp-high-ports) which the client will use for the rest of the session. So you will then see the client access the server on whichever port the server specified (in this case 1301). If you have no server-side / client-side modifications in place then you will most likely see each client using a different port. In some cases it can be sequential, depending on how long the port is used for and how many clients you have.

As for working your way through the list of ports, I would recommend starting with ports that are < 1024, as these are more than likely to be tied to a valid service. While there are services in port ranges higher than 1024 (such as SQL ports) they are more likely to be back-connection ports and in some cases can be safely dropped.

It's all in the documentation.
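The sorting Ray describes (by Destination, Source and Service) and the "start with ports below 1024" triage from the reply above can be done in a short script instead of Excel. The following is an added example, not code from the thread or from Check Point: it parses a constructed text export with double-quoted fields, keeps Source Port separate from Service so the ephemeral client ports are not mistaken for open services, and splits the services seen into well-known (< 1024) and high-port groups. The column names and the sample rows are assumptions; read the real header row from your own Tracker export.

```python
import csv
import io
from collections import Counter, defaultdict

WELL_KNOWN_MAX = 1023  # ports 0-1023 are registered to specific services

# Constructed sample export (not real store traffic). Column names are assumed;
# take them from the header row of your own Tracker export.
SAMPLE_EXPORT = '''"Number" "Date" "Time" "Action" "Service" "Source" "Destination" "Protocol" "Source Port"
"1" "12Mar2008" "09:01:10" "accept" "https" "10.10.1.20" "10.0.0.5" "tcp" "59929"
"2" "12Mar2008" "09:01:12" "accept" "http" "10.10.1.21" "10.0.0.6" "tcp" "10838"
"3" "12Mar2008" "09:02:00" "accept" "ftp" "10.10.1.20" "10.0.0.7" "tcp" "19523"
"4" "12Mar2008" "09:02:05" "accept" "135" "10.10.1.22" "10.0.0.8" "tcp" "49211"
"5" "12Mar2008" "09:02:06" "accept" "1301" "10.10.1.22" "10.0.0.8" "tcp" "49212"
"6" "12Mar2008" "09:03:00" "accept" "https" "10.10.2.30" "10.0.0.5" "tcp" "5588"
"7" "12Mar2008" "09:03:30" "accept" "52492" "10.10.2.31" "10.0.0.9" "tcp" "7811"
"8" "12Mar2008" "09:04:00" "accept" "ssh" "10.10.2.30" "10.0.0.10" "tcp" "31787"
'''

# Tracker shows well-known services by name; map the common ones back to a port.
SERVICE_PORTS = {"ftp": 21, "ssh": 22, "smtp": 25, "domain": 53, "http": 80, "https": 443}


def service_port(service):
    """Resolve a Service field (name or bare port number) to an int, or None if unknown."""
    if service.isdigit():
        return int(service)
    return SERVICE_PORTS.get(service.lower())


def parse_export(text):
    """Parse a space-separated export whose fields are wrapped in double quotes."""
    reader = csv.reader(io.StringIO(text), delimiter=" ", quotechar='"', skipinitialspace=True)
    header = next(reader)
    return [dict(zip(header, fields)) for fields in reader if fields]


def summarize(rows):
    """Aggregate the log the three ways Ray suggests sorting it, plus the source ports."""
    by_service = Counter()
    by_dest = defaultdict(Counter)   # destination host -> services it receives
    by_src = defaultdict(Counter)    # source host -> services it uses
    src_ports = Counter()            # client-side ports; expected to be high and random
    for r in rows:
        svc = r["Service"]
        by_service[svc] += 1
        by_dest[r["Destination"]][svc] += 1
        by_src[r["Source"]][svc] += 1
        src_ports[int(r["Source Port"])] += 1
    return by_service, by_dest, by_src, src_ports


def triage(by_service):
    """Split observed services into well-known (< 1024) and high ports to review first/second."""
    well_known, high = {}, {}
    for svc, count in by_service.items():
        port = service_port(svc)
        if port is not None and port <= WELL_KNOWN_MAX:
            well_known[svc] = count
        else:
            high[svc] = count
    return well_known, high


if __name__ == "__main__":
    rows = parse_export(SAMPLE_EXPORT)
    by_service, by_dest, by_src, src_ports = summarize(rows)
    well_known, high = triage(by_service)
    print("Source ports seen (all ephemeral, not services):", sorted(src_ports))
    print("Well-known services to confirm first:", well_known)
    print("High-port services to review second:", high)
    for dst, services in sorted(by_dest.items()):
        print(f"{dst} receives {dict(services)}")
```

In the constructed sample the high-port group contains 1301, which the reply above explains as the DCOM back-connection that follows the 135/tcp request from the same source, so reviewing high ports together with the preceding well-known connection from the same client is what tells a legitimate dynamic port from a stray one.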