  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2991

What traffic should I block/allow on a networked laptop?

Morning,
I'm currently looking at Sophos Client Firewall for our laptop users, but my question is more related to networking in general I think. I'm running it in default mode for now to analyse the type of traffic coming in/out of the client. Our LAN is on 192.168.0.x, 255.255.255.0.

The following entries have been blocked, I'm ideally looking for a brief explanation of what they might be and whether I should be allowing them; the time period (9.03 to 9.10am) included powering on, logging on, and loading up Outlook. I've got VMWare installed on the laptop, but no VMs running at powerup.

09:09:57      netbios      IN REFUSED       UDP      172.50.10.1      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.3      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.5      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.2      NETBIOS_DGM      Block NetBIOS Traffic
09:08:40      svchost.exe      IN REFUSED       UDP      192.168.1.254      1900      Block All Activity
09:07:23      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:06:54      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:05:42      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:04:32      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:29      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:27      system      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:27      system      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:18      system      IN REFUSED       UDP      localhost      1122      Block Transit Packets
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:09      system      IN REFUSED       UDP      localhost      1099      Block Transit Packets
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:09      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:03:06      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic

Regards,
Chris.
1 Solution
 
cdesignerCommented:
135-139 UDP ports from outside LAN
1024-1030 IP ports from outside LAN
 
ChrisCranieAuthor Commented:
Am looking for a little more detail cdesigner, for example.

1. OUT REFUSED netbios calls from Netbios from an IP which isn't my laptop (e.g. 192.168.198.x). Where could this originate from?

2. IN REFUSED system calls from local IP addresses, but still not on the lan (e.g. 192.168.198.x), similarly where might these originate from?

3. What might OUT REFUSED IGMP traffic be?

Regards,
Chris.
 
cdesignerCommented:
Do this on the command line:
tracert 192.168.198.1
and you will see where this address is.
 
Darr247Commented:
I would use a network other than 192.168.0.0 since Microsoft hard-coded that as the subnet their Internet Connection Sharing service's DHCP uses.

All of the outbound traffic from 192.168.x.x IPs not belonging to your network should continue to be disallowed, and located/eliminated, if possible. You could turn on Wireshark to gather more info about them (http://www.wireshark.org/download.html) - if you have a 1 or 2 GB thumbdrive that uses the U3 operating system (e.g. SanDisk Cruzer, et al) I highly recommend the U3 version. Prepare to be surprised how much traffic actually occurs when you see the output.  :-)

The 1119 and 1120 port traffic *appears* to be gaming:
bnetgame        1119/tcp   Battle.net Chat/Game Protocol
bnetgame        1119/udp   Battle.net Chat/Game Protocol
bnetfile        1120/tcp   Battle.net File Transfer Protocol
bnetfile        1120/udp   Battle.net File Transfer Protocol

You can look up such 'registered' ports at http://www.iana.org/assignments/port-numbers for clues on what the traffic might be. Of course, just because an application uses a certain port doesn't mean it's the program registered to do so.

As far as what to block/allow - a good firewall should block everything not specifically allowed.
You are proceeding in the right direction. Put it in Learning mode, see what you need to allow for a few days, export the resulting rules, then import those rules to other laptops as you deploy it. For your internet connection you should have a hardware firewall appliance, of course, but the standalone software firewalls are a necessity if the laptops are also used outside the corporate firewall.
 
ChrisCranieAuthor Commented:
Darr247 - thanks for the detailed response and links, this was helpful and has got the ball rolling on how I can investigate links such as this.

Regards,
Chris.
 
Darr247Commented:
The Internet Assigned Numbers Authority (IANA) has changed the link to the list of well-known/assigned ports...
here are the new URLs:

XML version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Text version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

The new versions have fields that note when the assignment was made and/or modified, along with a glossary of the acronyms used and a list of contact emails after the ports list.
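Added example, not part of the thread and not Sophos or IANA code: a small Python triage script that does by hand what the two answers above describe, i.e. reads the event lines Chris posted, resolves the port numbers against the IANA registry Darr247 links to, and applies a default-deny policy of the "block everything not specifically allowed" kind. Assumptions, all labelled in the code: the LAN is 192.168.0.0/24 as stated in the question; the mapping of Sophos's symbolic names (NETBIOS_NS, NETBIOS_DGM, BOOTPC) to port numbers is the standard one and is assumed rather than taken from Sophos documentation; the IANA data is a six-record subset written in the record layout of service-names-port-numbers.xml, not the real file; the allow/deny policy is a hypothetical starting point for a roaming laptop, not the thread's recommendation; and the last sample line (an on-LAN broadcast) is constructed so the "lan" case appears, since none of the posted lines has a peer on 192.168.0.x.

```python
"""Triage Sophos Client Firewall log lines against a default-deny policy.

Added example (not from the thread). Parses the posted event lines, maps
symbolic port names back to numbers, looks ports up in a constructed IANA
registry subset, classifies each peer relative to the LAN and applies a
hypothetical default-deny policy.
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

LAN = ipaddress.ip_network("192.168.0.0/24")   # the asker's LAN, from the question

# Sophos prints some well-known ports by name; the numeric mapping is assumed.
SYMBOLIC_PORTS = {"NETBIOS_NS": 137, "NETBIOS_DGM": 138, "NETBIOS_SSN": 139,
                  "BOOTPS": 67, "BOOTPC": 68}

# Constructed subset of IANA's service-names-port-numbers.xml: same record
# layout as the real file, but only the six entries this log needs.
IANA_XML = """<registry xmlns="http://www.iana.org/assignments" id="service-names-port-numbers">
<record><name>bootpc</name><protocol>udp</protocol><description>Bootstrap Protocol Client</description><number>68</number></record>
<record><name>netbios-ns</name><protocol>udp</protocol><description>NETBIOS Name Service</description><number>137</number></record>
<record><name>netbios-dgm</name><protocol>udp</protocol><description>NETBIOS Datagram Service</description><number>138</number></record>
<record><name>bnetgame</name><protocol>udp</protocol><description>Battle.net Chat/Game Protocol</description><number>1119</number></record>
<record><name>bnetfile</name><protocol>udp</protocol><description>Battle.net File Transfer Protocol</description><number>1120</number></record>
<record><name>ssdp</name><protocol>udp</protocol><description>SSDP</description><number>1900</number></record>
</registry>"""

# First six lines copied from the question; the last one is constructed to
# show an on-LAN peer, which none of the posted lines has.
SAMPLE_LOG = """09:09:57      netbios      IN REFUSED       UDP      172.50.10.1      NETBIOS_DGM      Block NetBIOS Traffic
09:08:40      svchost.exe      IN REFUSED       UDP      192.168.1.254      1900      Block All Activity
09:07:23      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:04:27      system      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:03:33      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.0.255      NETBIOS_DGM      Block NetBIOS Traffic"""

FIELD_SEP = re.compile(r"\s{2,}")   # columns are separated by runs of spaces


def load_iana(xml_text):
    """Return {(protocol, port): (name, description)} from IANA-style XML.

    Rows without a number (unassigned/reserved) are skipped; IANA writes
    port ranges as "low-high", so those are expanded to one key per port.
    """
    ns = {"i": "http://www.iana.org/assignments"}
    table = {}
    for rec in ET.fromstring(xml_text).findall("i:record", ns):
        number = rec.findtext("i:number", default="", namespaces=ns)
        proto = rec.findtext("i:protocol", default="", namespaces=ns).lower()
        if not number or not proto:
            continue
        low, _, high = number.partition("-")
        for port in range(int(low), int(high or low) + 1):
            table[(proto, port)] = (rec.findtext("i:name", default="?", namespaces=ns),
                                    rec.findtext("i:description", default="", namespaces=ns))
    return table


def parse_line(line):
    """Split one Sophos event line into its seven columns."""
    time, process, action, proto, addr, port, rule = FIELD_SEP.split(line.strip(), maxsplit=6)
    direction = action.split()[0]                     # "IN" or "OUT"
    port = SYMBOLIC_PORTS.get(port, port)             # NETBIOS_DGM -> 138, etc.
    return {"time": time, "process": process, "dir": direction, "proto": proto.lower(),
            "addr": addr, "port": int(port), "rule": rule}


def peer_class(addr):
    """Where the peer sits relative to the corporate LAN."""
    if addr.startswith("localhost"):
        return "local"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_multicast:
        return "multicast"
    if ip in LAN:
        return "lan"
    if ip.is_private:
        return "off-lan private"   # RFC 1918, but not our subnet
    # Note: 172.50.x.x is NOT RFC 1918 (172.16/12 ends at 172.31.255.255).
    return "public"


def verdict(entry, cls):
    """Hypothetical default-deny policy for a roaming laptop (an assumption)."""
    if entry["proto"] == "udp" and entry["dir"] == "IN" and entry["port"] == 68:
        return "allow", "DHCP client reply; needed to obtain an address"
    if entry["proto"] == "udp" and entry["port"] in (137, 138) and cls == "lan":
        return "allow", "NetBIOS name/datagram service, corporate subnet only"
    if cls == "public":
        return "deny", "peer is not even RFC 1918; find the source"
    if cls == "off-lan private":
        return "deny", "private range but not our LAN; locate the adapter or host"
    return "deny", "not explicitly allowed"


def triage(log_text, iana=None):
    """Parse, classify and judge every line; returns one dict per event."""
    iana = load_iana(IANA_XML) if iana is None else iana
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        cls = peer_class(e["addr"])
        name, desc = iana.get((e["proto"], e["port"]), ("?", "not in registry subset"))
        v, why = verdict(e, cls)
        rows.append({**e, "peer": cls, "service": name, "desc": desc, "verdict": v, "why": why})
    return rows


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['time']} {r['dir']:<3} {r['proto']:<4} {r['addr']:<18} "
              f"{r['port']:<5} {r['service']:<12} {r['peer']:<16} {r['verdict']:<5} {r['why']}")
```

Running it surfaces the point a practitioner wants from this log: the 172.50.10.x NetBIOS senders fall outside every RFC 1918 range, so they are not simply another local subnet, and the 192.168.198.x/192.168.234.x peers are private but not on the stated LAN, which is why the script refuses them and tells you to find the adapter or host behind them rather than add an allow rule. Swap IANA_XML for the text of the real service-names-port-numbers.xml to get full descriptions instead of the six-record subset.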
