Solved

Please help with my list....

Posted on 2002-07-29
8
318 Views
Last Modified: 2012-08-30
I really appreciate the information that you've provided so here I am again looking for more help. I need help. I have to create a list of most of the more popular file sharing programs and their respective defaulted/common ports. I need to do this to help block these programs from my little network. Can anyone help me? All answers are greatly appreciated.
Question by:sadcomputeruser
8 Comments
 
LVL 3

Accepted Solution

by:
mbruner earned 65 total points
ID: 7186405
0
 
LVL 2

Expert Comment

by:scott_renton
ID: 7186416
This seems to be fairly complete & usable:
http://www.oofle.com/filesharing/index.htm

You need to read through the explanations, since this is somewhat geared toward a specific system, but which IPs & ports to block seem fairly well documented.
0
 
LVL 3

Expert Comment

by:ITsheresomewhere
ID: 7186963
A two cents worth comment

This is really a less than preferred approach to handling an open ports issue.  Here is why:

One, you are blocking only for the "more popular file sharing programs".  Are you starting with a list of "popular file sharing programs" as of today, or as of 8 months ago, or 2 years, or ???  What if the usage is by a less popular one, will you just think no one will ever use that one so why worry about it?  Or that 'xyx' application won't become the "most popular" by the time you get your list made.  What if it is really evil but not popular, would that make it on the list somewhere?

Two, you are blocking on a port by port basis, assuming that the "commonly" used port is the only port that can be used, which is not the case.  Furthermore, there are around 65 thousand port numbers, most in a range that rarely are seen as common but are equally effective and are certainly open for use unless designated otherwise.  Lots of work to individually "control" each port.

The more common approach, and one which makes more sense, is to put up a strong firewall, blocking ports in general  and only OPEN those ports that are deemed needed for specific authorized applications.  Thus the only entries that would be required are two, maybe three per application.

Just a couple thoughts to consider.
0
 
LVL 3

Expert Comment

by:mbruner
ID: 7188131
I agree 100% with ITsy.  Locking down everything and opening the ports you use is certainly more secure than the alternative.  This can be very difficult, as you need to baseline and document your network to determine exactly what needs to be allowed.

Of course, it's still nice to know the ports that these programs use, so you can monitor your LAN for attempts to use these programs and then "speak" with the offenders running them.

I guess between us, we got about 4 cents in the pot.  ;-)
0

 

Author Comment

by:sadcomputeruser
ID: 7188892
ITsheresomewhere---

I understand the essence of what you and mbruner are saying. But, at home I have IMesh, WinMX, AIM, Yahoo Messenger and Microsoft Messenger (.NET) and when I got to the option to use a proxy (if I wanted to use one) one has to know what server to use and with SOCKS 5 you need a password and ID. It gets pretty confusing and complicated from what I see. Even using the port 80 I would have to know the server's name. Now, if I don't know the server's name (and/or ID and password), I cannot change ports right? Plus, is this information on the web? The Iana.org link is very informative but if I wanted to change ports, I would need way more info than that, right?

---SCU
0
 
LVL 3

Expert Comment

by:mbruner
ID: 7189002
I'm confused a little by your latest post, so if I'm explaining something you already know, I apologize in advance.

A Proxy is a server that authenticates users before they are allowed to access certain services on an external network (e.g. http, https traffic).  It also acts as a type of PAT device, in that all allowed outbound traffic is sent with the proxy's IP address information.

In order to use a proxy, you would have to have one installed on your local network.  If you haven't installed one on your network, then you don't need to worry about setting your apps up to use one, nor do you have to worry about using non-standard ports.

If you are trying to get around the proxy or a firewall, then many times you can tunnel your traffic through allowed ports (e.g. port 80).  In the case of a proxy, you usually need a valid username and password on the proxy to access the web with (port 80).

If users are bypassing the firewall or proxy as described above, you can implement IDS solutions to pick out and disallow these types of traffic.  We use ISS Scanner at work and it performs wonderfully.  
0
 

Author Comment

by:sadcomputeruser
ID: 7189055
Mbruner---

I'm sorry if I confused you. Remember that I'm a "Sad Computer User" :) This is the list of the P2P's targeted:
KAZAA, GNUTELLA, AIMSTER (madster, whathaveyou), NAPSTER (??), LIMEWIRE, BEARSHARE, GROKSTER, IMESH (:( ), MORPHEUS, WINMX, AUDIOGALAXY, FREENET, HOTLINE and SCOUR (??). These are the 14 P2P applications (for starters) that the guys here are trying to block. These are the ones that they are trying to get port numbers for. These are the ones that are most frequently used here. They want to keep the network available but just want to rid it of all the extra traffic and viral dangers. That's why they didn't want to shut down so many ports (I'm not too tech savvy so, I'm likening the 65K+ ports to nautical ports, like those around San Fran or NYC, am I right? A firewall would equal a Berlin wall of sorts with the ports on the outside and only at certain ports do they have a road leading directly into the "city" via a checkpoint, in the wall.) I put a question mark next to some apps because I thought that they were "unpopular" or fee based. I just wanted to know what ports did these apps use for whatever they do. Then, when you brought up the ability to change ports, now I'm wondering if a citizen in the city can get around the Berlin wall to reach a ship that's not a port with a checkpoint? If they can, exactly how can they do it and if you know of any Web info that details this, like the links you gave me before. You mentioned an IDS solution to this workaround, but I don't know just how it fits into my port/wall/city analogy. Please help. Thanks.
0
 
LVL 3

Expert Comment

by:mbruner
ID: 7189221
Your analogy is fitting.  I always use one that goes something like this:

Network of IP Addresses = Nation
IP Address = City
Port = Street Address for a Store
Firewall = Guarded wall around nation (your network)
Proxy = Border Patrol
IDS = Military (can be outside or inside firewall)

If you are trying to connect to a specific service on the network (e.g. store within a city), you need to know the server and port number.  

If I don't want users to access a certain service, I check for traffic leaving (or entering) the network.  If it is going to a non-allowed port, then I block it.  In my analogy, if you are going to a store in another nation (or a foreigner is trying to go to that store within my nation) and I don't want you to, I stop you at the wall.

Also, there are some instances when I want to authenticate users before they can access services outside the network.  I could then implement a proxy server.  The proxy would require you to prove who you are before you are allowed to access that service.  I could then keep logs on where you've been, etc.  Also, if I don't want certain services to be used by you, then I can disallow you access to them through the proxy.  In the analogy, this could be seen like this:  You are trying to leave the city.  The border patrol stops you to check your passport and asks which nation, city and store you are destined for.  If your passport doesn't allow you to access that nation, city or store, you are stopped and the attempt is recorded.

Some applications try to get around proxies and firewalls by disguising themselves as legitimate traffic.  For instance, you can change AIM to use port 80 instead of its default port.  This can fool firewalls and proxies into allowing the traffic.  Firewalls and proxies can combat this on a limited basis by disallowing access to networks or individual IP addresses (e.g. don't allow any traffic to the AIM servers).  Analogy:  I try to exit the nation.  The border patrol and guards at the wall stop me and ask me where I'm going.  I lie to them and tell them that I'm going to a legitimate store in a particular city and nation.  My passport is good for that particular store to any city or nation, so I am allowed.  The only way to be stopped would be if they didn't allow me to go to that particular nation or city, my passport was bad, or the legitimate store I lied about wasn't allowed to be visited.

One way to stop people from taking advantage of lying about the port they are destined for is to examine the actual data being sent.  This is where IDS comes into play.  IDS is primarily used to protect your network from external attacks.  Another value-added feature is that it allows you to more closely check traffic leaving the network.  If upon closer inspection, you aren't using the service that is expected to be on that port, the IDS can reset the connection and you are effectively blocked.  Analogy:  You finally get out of the nation by lying about where you are going.  You come upon a military inspection point.  They ask you what you are carrying.  Upon looking at what you've got, they notice telltale signs that show you are not accessing the store you originally told them about in the expected manner.  You are apprehended and sent back to your own nation.  Again, this can be recorded.

Anyway, that's my analogy.  I'm sure there are a zillion different spins.

I doubt this helps much...  The IANA website is where you will find the default ports for most everything.  Search www.google.com for anything that is missing.
0
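Added example, not part of any post in this thread: a small Python model of the three layers discussed above (ITsheresomewhere's default-deny firewall versus a per-port blocklist, and mbruner's IDS check that traffic on a port really is the expected service), run over constructed sample flows. The port numbers are commonly cited defaults supplied here as assumptions, and the allowlist, function names and payloads are hypothetical.

```python
import re

# Commonly cited default ports (assumed here; the thread itself lists none).
P2P_DEFAULT_PORTS = {1214: "Kazaa", 6346: "Gnutella", 6699: "Napster/WinMX", 5190: "AIM"}
ALLOWED_PORTS = {25, 53, 80, 443}  # hypothetical allowlist of authorized services

# What a cleartext HTTP/1.x request line looks like on the wire.
HTTP_REQUEST = re.compile(
    rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|CONNECT|TRACE) \S+ HTTP/1\.[01]\r\n")

def blocklist_allows(port):
    """Block-the-popular-ports policy: anything not on the list gets out."""
    return port not in P2P_DEFAULT_PORTS

def allowlist_allows(port):
    """Default-deny policy: only explicitly opened ports get out."""
    return port in ALLOWED_PORTS

def payload_matches_port(port, payload):
    """IDS-style check: do the first bytes look like the service expected on this port?"""
    if port == 80:
        return bool(HTTP_REQUEST.match(payload))
    return True  # this sketch only carries a signature for port 80

def verdict(port, payload):
    """Name the layer that stops the flow, or 'allowed' if none does."""
    if not allowlist_allows(port):
        return "blocked by default-deny firewall"
    if not payload_matches_port(port, payload):
        return "reset by IDS (protocol mismatch)"
    return "allowed"

# Constructed sample flows: (description, destination port, first bytes from the client).
FLOWS = [
    ("web browsing", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("Gnutella on default port", 6346, b"GNUTELLA CONNECT/0.6\r\n"),
    ("Gnutella on random high port", 41234, b"GNUTELLA CONNECT/0.6\r\n"),
    ("Gnutella moved to port 80", 80, b"GNUTELLA CONNECT/0.6\r\n"),
    ("AIM moved to port 80", 80, b"\x2a\x01\x00\x01\x00\x04\x00\x00\x00\x01"),
]

def report():
    """For each flow: (name, passes the port blocklist?, layered verdict)."""
    return [(name, blocklist_allows(port), verdict(port, data))
            for name, port, data in FLOWS]

if __name__ == "__main__":
    for name, passes_blocklist, result in report():
        print(f"{name:30} blocklist={'pass' if passes_blocklist else 'drop'}  layered={result}")
```

The blocklist drops only the flow on a listed default port; the random high port is stopped by default-deny alone, and the two flows moved to port 80 pass both port policies and are caught only by the payload check.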
