What traffic should I block/allow on a networked laptop?

Morning,
I'm currently looking at Sophos Client Firewall for our laptop users, but my question is more related to networking in general I think. I'm running it in default mode for now to analyse the type of traffic coming in/out of the client. Our LAN is on 192.168.0.x, 255.255.255.0.

The following entries have been blocked. I'm ideally looking for a brief explanation of what they might be and whether I should be allowing them; the time period (9.03 to 9.10am) included powering on, logging on, and loading up Outlook. I've got VMware installed on the laptop, but no VMs running at power-up.

09:09:57      netbios      IN REFUSED       UDP      172.50.10.1      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.3      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.5      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.2      NETBIOS_DGM      Block NetBIOS Traffic
09:08:40      svchost.exe      IN REFUSED       UDP      192.168.1.254      1900      Block All Activity
09:07:23      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:06:54      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:05:42      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:04:32      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:29      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:27      system      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:27      system      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:18      system      IN REFUSED       UDP      localhost      1122      Block Transit Packets
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:09      system      IN REFUSED       UDP      localhost      1099      Block Transit Packets
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:09      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:03:06      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic

Regards,
Chris.
ChrisCranie asked:
Darr247 commented:
I would use a network other than 192.168.0.0, since Microsoft hard-coded that as the subnet their Internet Connection Sharing service's DHCP uses.

All of the outbound traffic from 192.168.x.x IPs not belonging to your network should continue to be disallowed, and located/eliminated if possible. You could turn on Wireshark to gather more info about them (http://www.wireshark.org/download.html) - if you have a 1 or 2 GB thumb drive that uses the U3 operating system (e.g. SanDisk Cruzer, et al.) I highly recommend the U3 version. Prepare to be surprised how much traffic actually occurs when you see the output.  :-)

The 1119 and 1120 port traffic *appears* to be gaming:
bnetgame        1119/tcp   Battle.net Chat/Game Protocol
bnetgame        1119/udp   Battle.net Chat/Game Protocol
bnetfile        1120/tcp   Battle.net File Transfer Protocol
bnetfile        1120/udp   Battle.net File Transfer Protocol

You can look up such 'registered' ports at http://www.iana.org/assignments/port-numbers for clues on what the traffic might be. Of course, just because an application uses a certain port doesn't mean it's the program registered to do so.

As far as what to block/allow - a good firewall should block everything not specifically allowed.
You are proceeding in the right direction. Put it in Learning mode, see what you need to allow for a few days, export the resulting rules, then import those rules to other laptops as you deploy it. For your internet connection you should have a hardware firewall appliance, of course, but the standalone software firewalls are a necessity if the laptops are also used outside the corporate firewall.
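As an added example (not code from the original post or from Sophos), here is a short triage script for log lines in the format posted above. It implements the advice in this answer: a default-deny policy with a LAN-scoped allow list, and a lookup of the IANA service names Sophos prints (NETBIOS_NS, NETBIOS_DGM, BOOTPC) to their port numbers. It assumes the LAN is 192.168.0.0/24 as stated in the question, and that the address column is the remote endpoint (the source for IN entries, the destination for OUT entries). The allow rules are illustrative, not a recommended production policy; the tenth sample line is constructed, since the posted log contains no 192.168.0.x traffic at all.

```python
"""Triage Sophos Client Firewall log lines against a LAN-scoped default-deny policy.

Added example, not code from the original post. Assumes the LAN is 192.168.0.0/24
and that the address column is the remote endpoint (source for IN, destination
for OUT).
"""
import ipaddress
import re
from collections import Counter, namedtuple

LAN = ipaddress.ip_network("192.168.0.0/24")

# Sophos prints IANA service names instead of numbers for some well-known UDP
# ports; this table covers the names that appear in the posted log.
SERVICE_PORTS = {"NETBIOS_NS": 137, "NETBIOS_DGM": 138, "NETBIOS_SSN": 139,
                 "BOOTPS": 67, "BOOTPC": 68}

Record = namedtuple("Record", "time process direction proto remote port rule")


def parse_line(line):
    """Split one log line on runs of two or more spaces (the post's column layout)."""
    fields = re.split(r"\s{2,}", line.strip())
    if len(fields) != 7:
        raise ValueError(f"unexpected field count {len(fields)}: {line!r}")
    time, process, verdict, proto, remote, port, rule = fields
    direction = verdict.split()[0]                 # "IN REFUSED" -> "IN"
    return Record(time, process, direction, proto, remote,
                  int(SERVICE_PORTS.get(port, port)), rule)


def classify_remote(addr):
    """Place the remote endpoint relative to the stated LAN."""
    if addr.startswith("localhost"):
        return "loopback"
    ip = ipaddress.ip_address(addr)
    if ip.is_multicast:
        return "multicast"
    if ip in LAN:
        return "lan-broadcast" if ip == LAN.broadcast_address else "lan"
    if ip.is_private:
        # RFC 1918 space that is not our LAN: a VPN, a virtual adapter, a foreign net.
        # Treat a .255 last octet as a /24 directed broadcast (heuristic).
        return "private-other-broadcast" if ip.packed[-1] == 255 else "private-other"
    return "public"          # e.g. 172.50.x.x: 172.16.0.0/12 ends at 172.31


def decide(rec):
    """Default deny; the allow list is deliberately short and LAN-scoped."""
    where = classify_remote(rec.remote)
    if rec.proto == "UDP" and rec.port == 68 and rec.direction == "IN":
        return "allow", "DHCP reply to the client port; needed to obtain an address"
    if rec.proto == "UDP" and rec.port in (137, 138, 139):
        if where in ("lan", "lan-broadcast"):
            return "allow", "NetBIOS name/datagram/session service inside the LAN"
        return "block", f"NetBIOS with {where} address {rec.remote}"
    if rec.proto == "UDP" and rec.port == 1900:
        return "block", "SSDP/UPnP discovery; the laptop has nothing to advertise"
    return "block", f"no allow rule for {rec.proto}/{rec.port} ({where})"


def inferred_local_subnets(records):
    """OUT traffic to the directed broadcast of a non-LAN subnet means the laptop
    itself has an interface there (NetBIOS name queries go to the local broadcast
    address). Assumes /24 subnets; confirm against `ipconfig /all`."""
    nets = set()
    for r in records:
        if r.direction == "OUT" and classify_remote(r.remote) == "private-other-broadcast":
            nets.add(str(ipaddress.ip_network(f"{r.remote}/24", strict=False)))
    return sorted(nets)


def triage(lines):
    """Return per-line verdicts plus the subnets the laptop appears to sit on."""
    records = [parse_line(line) for line in lines]
    verdicts, report = Counter(), []
    for r in records:
        action, why = decide(r)
        verdicts[action] += 1
        report.append((r.time, r.direction, r.proto, r.remote, r.port, action, why))
    return {"verdicts": dict(verdicts),
            "local_subnets": inferred_local_subnets(records),
            "report": report}


# Nine lines copied from the post, plus one constructed LAN entry (last).
SAMPLE_LOG = [
    "09:09:57      netbios      IN REFUSED       UDP      172.50.10.1      NETBIOS_DGM      Block NetBIOS Traffic",
    "09:08:40      svchost.exe      IN REFUSED       UDP      192.168.1.254      1900      Block All Activity",
    "09:07:23      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity",
    "09:04:32      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic",
    "09:04:29      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic",
    "09:04:27      system      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity",
    "09:04:18      system      IN REFUSED       UDP      localhost      1122      Block Transit Packets",
    "09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode",
    "09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic",
    "09:05:00      system      IN REFUSED       UDP      192.168.0.10      NETBIOS_NS      Block NetBIOS Traffic",  # constructed
]

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for time, direction, proto, remote, port, action, why in result["report"]:
        print(f"{time} {direction:<3} {proto:<4} {remote:<16} {port:<5} {action:<5} {why}")
    print("verdicts:", result["verdicts"])
    print("laptop also appears to have interfaces on:", result["local_subnets"])
```

Two things the classifier surfaces on the posted lines: the outbound NetBIOS queries to 192.168.198.255 and 192.168.234.255 are directed broadcasts, so the laptop itself must have interfaces on those two subnets (the virtual adapters are a plausible candidate given VMware is installed, but check `ipconfig /all` rather than assume); and 172.50.10.x is not RFC 1918 space, so those inbound NetBIOS datagrams arrived from a publicly routable address and deserve a second look.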
 
cdesigner commented:
135-139 UDP ports from outside LAN
1024-1030 IP ports from outside LAN
 
ChrisCranie (author) commented:
I'm looking for a little more detail, cdesigner, for example:

1. OUT REFUSED netbios calls from Netbios from an IP which isn't my laptop (e.g. 192.168.198.x). Where could this originate from?

2. IN REFUSED system calls from local IP addresses, but still not on the lan (e.g. 192.168.198.x), similarly where might these originate from?

3. What might OUT REFUSED IGMP traffic be?

Regards,
Chris.
 
cdesigner commented:
Do this on the command line:
tracert 192.168.198.1
and you will see where this address is.
 
ChrisCranie (author) commented:
Darr247 - thanks for the detailed response and links, this was helpful and has got the ball rolling on how I can investigate links such as this.

Regards,
Chris.
 
Darr247 commented:
The Internet Assigned Numbers Authority (IANA) has changed the link to the list of well-known/assigned ports...
here are the new URLs:

XML version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Text version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

The new versions have fields that note when the assignment was made and/or modified, along with a glossary of the acronyms used and a list of contact emails after the ports list.