Network security is the new buzzword around town.
Most people think a network firewall that is set up with the defaults will protect
their network. The simple fact is that it will not. You will not learn this until
you are hacked, and by then it is a little too late. All operating systems
need ports open in order to communicate information regarding Active Directory,
DNS, DHCP, booting of a computer and more. Some applications need ports open to
work. So where do you reach a safe point where your applications work and they
are secure? The following will address the working ports and what to be
concerned about. Later I will address how to secure it.
One port to be concerned about is 3389, which is the
Terminal Services port. If you do not have a firewall in place that blocks public
IP addresses from being forwarded to private IP addresses on this port, then you will
want to call a security professional right away. Another port to be concerned
about is 139, which gives access to network shares.
Another area of concern is the SMB
(Server Message Block) protocol. This protocol is used, among other things, for
file sharing in Windows NT/2000/XP. In Windows NT it ran on top of NetBT
(NetBIOS over TCP/IP), which used the famous ports 137, 138 (UDP) and 139 (TCP).
In Windows 2000/XP/2003, Microsoft added the possibility to run SMB directly
over TCP/IP, without the extra layer of NetBT. For this they use TCP port 445.
Again, all these ports should remain in the private network and your firewall
should block access to them.
Note: The NETSTAT command will show you
which ports are open or in use, but it is NOT a port scanning tool! If you
want to have your computer scanned for open ports see this page instead (link
will follow shortly).
C:\>netstat -an | find /i "listening"
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1723 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 127.0.0.1:4664 0.0.0.0:0 LISTENING
TCP 192.168.50.127:139 0.0.0.0:0 LISTENING
TCP 192.168.100.193:139 0.0.0.0:0 LISTENING
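The check described above can be automated. The following is an added example, not code from the original post: it reads `netstat -an` output and reports which of the ports named in this article are bound to a non-loopback address. The function name, the role labels and the last three sample rows are assumptions made for illustration; like netstat itself, it shows local binds only, not what the firewall lets through.

```python
import ipaddress

# Ports the article names, with the role it gives each one.
WATCHED = {
    ("TCP", 3389): "Terminal Services",
    ("TCP", 139): "NetBT session (network shares)",
    ("TCP", 445): "SMB directly over TCP/IP",
    ("UDP", 137): "NetBT",
    ("UDP", 138): "NetBT",
}

# First five rows come from the article's output; the last three are constructed.
SAMPLE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:3389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING
TCP 192.168.50.127:139 0.0.0.0:0 LISTENING
UDP 192.168.50.127:137 *:*
TCP 127.0.0.1:3389 0.0.0.0:0 LISTENING
TCP 192.168.50.127:2939 192.168.100.202:445 ESTABLISHED
"""

def watched_listeners(netstat_text):
    """Return (proto, address, port, role, scope) for each watched port
    bound to a non-loopback address in `netstat -an` output."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # header, blank line or prompt
        proto = fields[0].upper()
        # TCP rows end with a state column; UDP rows have none.
        if proto == "TCP" and fields[-1].upper() != "LISTENING":
            continue
        host, _, port_text = fields[1].rpartition(":")
        if not port_text.isdigit():
            continue  # service name instead of a number (netstat without -n)
        try:
            addr = ipaddress.ip_address(host.strip("[]"))
        except ValueError:
            continue  # host name instead of an address (netstat without -n)
        if addr.is_loopback:
            continue  # reachable only from the machine itself
        role = WATCHED.get((proto, int(port_text)))
        if role:
            scope = "all interfaces" if addr.is_unspecified else "one interface"
            findings.append((proto, str(addr), int(port_text), role, scope))
    return findings
```

Every row it returns is a port that the firewall must keep inside the private network, as the article advises.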
The netstat command will also show you who is active on your computer. This can
reveal spyware or trojan horses that may have been installed on your machine.
Active Connections
Proto Local Address Foreign Address State
TCP argonas:epmap argonas:0 LISTENING
TCP argonas:microsoft-ds argonas:0 LISTENING
TCP argonas:pptp argonas:0 LISTENING
TCP argonas:3389 argonas:0 LISTENING
TCP argonas:1026 argonas:0 LISTENING
TCP argonas:2617 localhost:2618 ESTABLISHED
TCP argonas:2618 localhost:2617 ESTABLISHED
TCP argonas:2619 localhost:2620 ESTABLISHED
TCP argonas:2620 localhost:2619 ESTABLISHED
TCP argonas:4664 argonas:0 LISTENING
TCP argonas:netbios-ssn argonas:0 LISTENING
TCP argonas:2958 an-in-f104.google.com:http ESTABLISHED
TCP argonas:3011 va-in-f104.google.com:http TIME_WAIT
TCP argonas:3014 eo-in-f147.google.com:http ESTABLISHED
TCP argonas:3081 unknown.xeex.net:http TIME_WAIT
TCP argonas:3104 unknown.xeex.net:http ESTABLISHED
TCP argonas:3903 web1.allaboutsingles.com:http CLOSE_WAIT
TCP argonas:4449 static-71-116-207-166.lsanca.dsl-w.verizon.net:pptp ESTABLISHED
TCP argonas:4762 va-in-f104.google.com:http CLOSE_WAIT
TCP argonas:netbios-ssn argonas:0 LISTENING
TCP argonas:2939 192.168.100.202:1025 ESTABLISHED
TCP argonas:2957 exchange01.intercore.local:1419 ESTABLISHED
Once you have locked down all ports, you must be
concerned with internal security. No one in your organization should be allowed to
talk to anyone about any secure information, even giving out their email
address. Next, use devices like honey pots, a Barracuda spam appliance, and Symantec
anti-virus hardware and software. A properly configured network can allow your
workers to work and prevent hackers from doing the same.