Besides the basic physical security of a site, the next most important aspect is controlling digital access into and out of the organization's network. In most cases this means controlling the points of connectivity to the outside world, typically the Internet. Partitioning the boundary between the outside Internet and the internal intranet is a critical piece of security. Any services not actually needed should be turned off so that they do not become avenues of attack. Different systems have different services running by default.
The firewall process can tightly control what is allowed to traverse from one side to the other. As with most aspects of security, the choice of firewall depends on factors such as traffic levels, the services needing protection and the complexity of the rules required. The difficulty for a firewall is distinguishing between legitimate and illegitimate traffic. Firewalls, if configured correctly, can be a reasonable form of protection from external threats, including some denial of service (DoS) attacks. If configured incorrectly, they can be major security holes in an organization. The most basic protection a firewall provides is the ability to block network traffic to certain destinations, both IP addresses and particular network service ports.
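The blocking behaviour described above (a first-match rule set keyed on destination address and service port, with everything unmatched denied) can be shown in a few lines. The following is an added example, not code from the original essay; the policy, the DMZ address 203.0.113.10 and the packets are constructed for illustration.

```python
"""Minimal first-match packet filter (added example, not from the original essay).
It shows how a firewall blocks traffic by destination IP and service port:
rules are checked in order, the first match decides, and unmatched traffic
falls through to a default deny. All addresses, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, FrozenSet


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: str                       # "tcp", "udp" or "any"
    dst_net: str                     # CIDR the destination address must fall in
    dst_ports: Optional[FrozenSet[int]]  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    dst_ip: str
    dst_port: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet's protocol, destination address and port all fit the rule."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.dst_ip) not in ipaddress.ip_network(rule.dst_net):
        return False
    return rule.dst_ports is None or pkt.dst_port in rule.dst_ports


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything no rule covers gets the default (deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default


# Constructed policy for a hypothetical web server at 203.0.113.10:
# serve web pages on 80, refuse mail and NetBIOS from anywhere, refuse UPnP discovery.
POLICY = [
    Rule("allow", "tcp", "203.0.113.10/32", frozenset({80})),
    Rule("deny", "tcp", "0.0.0.0/0", frozenset({25, 139})),
    Rule("deny", "udp", "0.0.0.0/0", frozenset({1900, 2869})),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.10", 80),
                Packet("tcp", "203.0.113.10", 25),
                Packet("tcp", "203.0.113.11", 80),
                Packet("udp", "203.0.113.10", 1900)):
        print(pkt, "->", evaluate(POLICY, pkt))
```

Note that the third packet (port 80 to a host the policy never mentions) is dropped by the default rather than by any explicit rule; that default-deny posture is what makes an unlisted service safe by omission.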
Many network devices and computer hosts start network services by default, and each of these services could represent an opportunity for attackers, worms and Trojans. Very often these default services are not all needed. Port lockdown, turning off the services that are not needed, reduces this exposure.
Port 25: This is the virtual pathway that most e-mail traffic follows when it travels from your computer to a server. Port 25 can become clogged with spam e-mail when computers on a network become infected with a virus or other malicious software. Because of the potential threat of our host computers sending spam e-mail, port 25 will remain closed.

Port 80: This is the primary port used by the World Wide Web (WWW) system. Web servers open this port and listen for incoming connections from web browsers. Similarly, when a web browser is given a remote address (like grc.com or amazon.com), it assumes that a remote web server will be listening for connections on port 80 at that location. This port will generally be open only when a web server of some sort is running on the machine. Because this port is such a popular target for malicious exploitation, it should never be open unless it is being actively and deliberately used to serve web pages.
Port 139: Typically used for file/printer sharing, including directory replication with Active Directory, trusts, remote access to event logs, etc. This port should be open. If you block port 139 on a Domain Controller you will kill AD replication. If you block 139 in a typical business network, you lose the ability to do much of anything on a remote computer, such as remotely managing clients/servers, installing software, or sharing printers or files. Since the NetBIOS vulnerability became well known and widely publicized a long time ago, patches have long been available. The last remote exploits that targeted NetBIOS/139 were in the Windows NT/2000 era.

Ports 1900 and 2869: These UDP ports are opened and used by Universal Plug and Play (UPnP) devices to receive broadcast messages from other UPnP devices. UPnP devices broadcast subnet-wide messages to reach all other UPnP devices simultaneously. UPnP Internet servers were found to have remotely exploitable unchecked buffers that could, in principle, be abused by remote malicious hackers. Microsoft Windows is vulnerable to a buffer overflow caused by improper bounds checking in the Universal Plug and Play (UPnP) service. By sending a specially crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system, with elevated privileges when combined with another exploit. Unused Internet servers and services should not be left running if they are not actively needed; for this reason these ports should be closed until needed.

Port 5357: This port is open because Network Discovery is enabled in a Public network profile. The port is vulnerable to information-leak problems that allow it to be accessed remotely by malicious actors. This port should be closed if network discovery is not required.

Port 6839: This port is not associated with any particular service and should be closed unless it is associated with a service and in use.

Port 7435: This port is not associated with any particular service and should be closed unless it is associated with a service and in use.
Port 9100: This TCP port is used for printing on network-connected print devices. Port numbers 9101 and 9102 are for parallel ports 2 and 3 on the three-port HP Jetdirect external print servers. This port should remain open to allow print services.

Ports 9101 and 9102: Also listed as the Bacula Director ports. On the three-port HP Jetdirect external print servers these TCP ports serve parallel ports 2 and 3, so they are used for network-connected print devices. These ports should remain open to allow print services.

Port 9110: SSMP Message Protocol. This protocol is intended to be used to implement thread-to-thread messaging locally or over the Internet. Ports registered with IANA are shown as official ports, but the same port number may be used unofficially, and sometimes with conflict, by various other services or applications. This port is not associated with any particular service here and should be closed unless it is associated with a service and in use.

Port 9220: This port is for raw scanning to peripherals that follow the IEEE 1284.4 specification. On three-port HP Jetdirects the scan ports are 9290, 9291 and 9292. It is used for network-connected print devices. This port should remain open to allow print services.

Port 9500: TCP port 9500 may use a defined protocol to communicate, depending on the application. In our case we are using port 9500 to access the ISM Server, which is used for exchanging backup and recovery information between storage devices. This port should remain open while the service is in use.

Port 62078: This port is used by the iPhone while syncing. It is the port used by UPnP for multimedia file sharing and is also used for synchronizing iTunes files between devices. Port 62078 has a known vulnerability in that a service named lockdownd listens on the iPhone on port 62078. By connecting to this port and speaking the correct protocol, it is possible to spawn a number of different services on an iPhone or iPad. This port should be blocked or closed when the service is not required on the device.
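The open/close decisions above are only useful if a host is actually checked against them. The script below is an added example, not part of the original essay: it parses listening sockets in the layout of Windows `netstat -ano` output (the sample lines are constructed, not captured from a real host), compares them with the decisions made for the ports discussed above, and flags what should be closed, what is expected, and what the policy does not cover. The `KEEP_OPEN` and `CLOSE` sets are this essay's decisions for one environment, an assumption rather than a universal policy, and port 80 is only expected when the host deliberately serves web pages.

```python
"""Listening-port audit against a lockdown policy (added example, not from the original essay).
The netstat sample is constructed in Windows 'netstat -ano' layout; the port sets
mirror the essay's open/close decisions and are assumptions for that environment."""
import re
from typing import Dict, List, Optional, Tuple

# Ports the essay keeps open for required services (139 file/print and AD,
# 9100/9101/9102/9220 HP Jetdirect printing, 9500 ISM backup server).
KEEP_OPEN = {139, 9100, 9101, 9102, 9220, 9500}
# Ports the essay closes unless a service actively needs them.
CLOSE = {25, 1900, 2869, 5357, 6839, 7435, 9110, 62078}

# proto, local address, local port, foreign address, optional TCP state, optional PID
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+\s*([A-Z_]+)?\s*(\d+)?\s*$")

Socket = Tuple[str, int]


def parse_netstat(text: str) -> Dict[Socket, Optional[int]]:
    """Return {(proto, port): pid} for TCP sockets in LISTENING state and all bound UDP sockets.
    Established or closing TCP connections are not listeners and are skipped."""
    bound: Dict[Socket, Optional[int]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # headers and blank lines
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        bound[(proto, int(port))] = int(pid) if pid else None
    return bound


def audit(bound: Dict[Socket, Optional[int]], serves_web: bool = False
          ) -> List[Tuple[str, int, Optional[int], str]]:
    """Classify every bound socket as 'close', 'expected' or 'review' (not covered by policy)."""
    findings = []
    for (proto, port), pid in sorted(bound.items()):
        if port in CLOSE:
            verdict = "close"
        elif port in KEEP_OPEN or (port == 80 and serves_web):
            verdict = "expected"
        elif port == 80:
            verdict = "close"             # essay: open 80 only when deliberately serving pages
        else:
            verdict = "review"            # identify the owning process before deciding
        findings.append((proto, port, pid, verdict))
    return findings


def ports_to_close(text: str, serves_web: bool = False) -> List[Socket]:
    """Convenience wrapper: the (proto, port) pairs the policy says to shut down."""
    return [(p, port) for p, port, _pid, v in audit(parse_netstat(text), serves_web)
            if v == "close"]


# Constructed sample in 'netstat -ano' layout (not captured from a real system).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1504
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:9100           0.0.0.0:0              LISTENING       2212
  TCP    192.0.2.7:49700        198.51.100.9:443       ESTABLISHED     2100
  TCP    [::]:7435              [::]:0                 LISTENING       3320
  UDP    0.0.0.0:1900           *:*                                    1680
  UDP    0.0.0.0:62078          *:*                                    3980
"""

if __name__ == "__main__":
    for proto, port, pid, verdict in audit(parse_netstat(SAMPLE), serves_web=False):
        print(f"{proto:3} {port:6} pid={pid} -> {verdict}")
```

On the sample, the established outbound connection on 49700 is ignored because it is not a listener, port 139 and 9100 come back as expected, and 80 is reported for closure unless the host is declared a web server. A port that is neither in the keep-open nor the close set is reported as "review": the PID tells you which process to identify before deciding, which is the same "associated and used" test the essay applies to ports 6839 and 7435.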