What traffic should I block/allow on a networked laptop?

Morning,
I'm currently looking at Sophos Client Firewall for our laptop users, but my question is more related to networking in general I think. I'm running it in default mode for now to analyse the type of traffic coming in/out of the client. Our LAN is on 192.168.0.x, 255.255.255.0.

The following entries have been blocked, I'm ideally looking for a brief explanation of what they might be and whether I should be allowing them; the time period (9.03 to 9.10am) included powering on, logging on, and loading up Outlook. I've got VMWare installed on the laptop, but no VMs running at powerup.

09:09:57      netbios      IN REFUSED       UDP      172.50.10.1      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.3      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.5      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.2      NETBIOS_DGM      Block NetBIOS Traffic
09:08:40      svchost.exe      IN REFUSED       UDP      192.168.1.254      1900      Block All Activity
09:07:23      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:06:54      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:05:42      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:04:32      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:29      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:27      system      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:27      system      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:18      system      IN REFUSED       UDP      localhost      1122      Block Transit Packets
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:09      system      IN REFUSED       UDP      localhost      1099      Block Transit Packets
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:09      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:03:06      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic

Regards,
Chris.
ChrisCranieAsked:
cdesignerCommented:
135-139 UDP ports from outside LAN
1024-1030 IP ports from outside LAN
0
ChrisCranieAuthor Commented:
Am looking for a little more detail cdesigner, for example:

1. OUT REFUSED netbios calls from Netbios from an IP which isn't my laptop (e.g. 192.168.198.x). Where could this originate from?

2. IN REFUSED system calls from local IP addresses, but still not on the lan (e.g. 192.168.198.x), similarly where might these originate from?

3. What might OUT REFUSED IGMP traffic be?

Regards,
Chris.
0
cdesignerCommented:
do this in the command line:
tracert 192.168.198.1
and you will see where this address is.
0
Darr247Commented:
I would use a network other than 192.168.0.0 since Microsoft hard-coded that as the subnet their Internet Connection Sharing service's DHCP uses.

All of the outbound traffic from 192.168.x.x IPs not belonging to your network should continue to be disallowed, and located/eliminated, if possible. You could turn on Wireshark to gather more info about them (http://www.wireshark.org/download.html) - if you have a 1 or 2 GB thumbdrive that uses the U3 operating system (e.g. SanDisk Cruzer, et al) I highly recommend the U3 version. Prepare to be surprised how much traffic actually occurs when you see the output.  :-)

The 1119 and 1120 port traffic *appears* to be gaming:
bnetgame        1119/tcp   Battle.net Chat/Game Protocol
bnetgame        1119/udp   Battle.net Chat/Game Protocol
bnetfile        1120/tcp   Battle.net File Transfer Protocol
bnetfile        1120/udp   Battle.net File Transfer Protocol

You can look up such 'registered' ports at http://www.iana.org/assignments/port-numbers for clues on what the traffic might be. Of course, just because an application uses a certain port doesn't mean it's the program registered to do so.

As far as what to block/allow - a good firewall should block everything not specifically allowed.
You are proceeding in the right direction. Put it in Learning mode, see what you need to allow for a few days, export the resulting rules, then import those rules to other laptops as you deploy it. For your internet connection you should have a hardware firewall appliance, of course, but the standalone software firewalls are a necessity if the laptops are also used outside the corporate firewall.
0
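The following is an added example, not code from the thread or from Sophos: a Python script that parses the firewall entries from the question exactly as posted, classifies each peer address relative to the 192.168.0.0/24 LAN Chris states, and then applies a default-deny allowlist of the kind Darr247 recommends (name the few services a LAN laptop needs, keep blocking everything else). The SERVICES labels and the ALLOW table are the example's own choices, and it assumes (as the comments note) that the 192.168.198.x and 192.168.234.x peers are VMware's host-only/NAT virtual adapters, since the question says VMware is installed; that assumption is something to confirm with ipconfig or the tracert cdesigner suggests, not a finding.

```python
import ipaddress
import re
from collections import Counter, namedtuple

LAN = ipaddress.ip_network("192.168.0.0/24")  # the LAN stated in the question

# All 30 entries copied verbatim from the question (Sophos Client Firewall log).
LOG = """\
09:09:57      netbios      IN REFUSED       UDP      172.50.10.1      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.3      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.5      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:09:57      netbios      IN REFUSED       UDP      172.50.10.2      NETBIOS_DGM      Block NetBIOS Traffic
09:08:40      svchost.exe      IN REFUSED       UDP      192.168.1.254      1900      Block All Activity
09:07:23      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:06:54      netbios      IN REFUSED       UDP      172.50.10.4      NETBIOS_DGM      Block NetBIOS Traffic
09:05:42      system      IN REFUSED       UDP      localhost(any)      BOOTPC      Block All Activity
09:04:32      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:29      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic
09:04:27      system      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:27      system      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.198.1      1119      Block All Activity
09:04:18      system      IN REFUSED       UDP      localhost      1122      Block Transit Packets
09:04:18      svchost.exe      IN REFUSED       UDP      192.168.234.1      1120      Block All Activity
09:04:09      system      IN REFUSED       UDP      localhost      1099      Block Transit Packets
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:04:08      system      OUT REFUSED       IGMP      224.0.0.22      0      Learning Mode
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:44      netbios      OUT REFUSED       UDP      192.168.198.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:39      netbios      OUT REFUSED       UDP      192.168.234.1      NETBIOS_NS      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:33      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_DGM      Block NetBIOS Traffic
09:03:09      netbios      OUT REFUSED       UDP      192.168.234.255      NETBIOS_NS      Block NetBIOS Traffic
09:03:06      netbios      OUT REFUSED       UDP      192.168.198.255      NETBIOS_NS      Block NetBIOS Traffic
"""

# What the port column names refer to. 1099/1119/1120/1122 sit in the Windows
# ephemeral range; the IANA bnetgame/bnetfile entries are a clue, not an identification.
SERVICES = {"NETBIOS_NS": "NetBIOS name service 137/udp",
            "NETBIOS_DGM": "NetBIOS datagram service 138/udp",
            "BOOTPC": "DHCP client 68/udp",
            "1900": "SSDP / UPnP discovery 1900/udp",
            "0": "IGMP membership report (224.0.0.22)"}

Entry = namedtuple("Entry", "time process direction verdict proto peer port rule")

def parse_line(line):
    """Columns are separated by runs of 2+ spaces; column 3 is e.g. 'IN REFUSED'."""
    f = re.split(r"\s{2,}", line.strip())
    if len(f) != 7:
        raise ValueError(f"unexpected column count: {line!r}")
    return Entry(f[0], f[1], *f[2].split(), *f[3:])

def peer_scope(peer):
    """Locate the peer address relative to our LAN."""
    if peer.startswith("localhost"):
        return "localhost"
    ip = ipaddress.ip_address(peer)
    if ip in LAN:
        return "lan"
    if ip.is_multicast:
        return "multicast"
    if ip.is_private:
        # RFC 1918 space that is not our LAN. Assumption: the 192.168.198.x and
        # 192.168.234.x peers are VMware's host-only/NAT adapters (VMware is
        # installed; its VMnets default to 192.168.x.0/24). Confirm with ipconfig.
        return "private-other-broadcast" if peer.endswith(".255") else "private-other"
    return "public"  # 172.50.x.x is outside 172.16.0.0/12, so it is NOT RFC 1918

# Default-deny policy in the spirit of Darr247's answer: the few services a LAN
# laptop needs and the peers they may involve; everything else stays blocked.
ALLOW = {"BOOTPC": {"localhost", "lan"},  # DHCP, needed to obtain an address
         "NETBIOS_NS": {"lan"},           # Windows name resolution, LAN only
         "NETBIOS_DGM": {"lan"}}          # browser/datagram service, LAN only

def triage(e):
    """'allow' if the policy covers it, 'investigate' if an unexpected host is
    the source, otherwise 'block' (the firewall's current refusal is right)."""
    scope = peer_scope(e.peer)
    if scope in ALLOW.get(e.port, ()):
        return "allow"
    if scope == "public" or (scope == "private-other" and e.direction == "IN"):
        return "investigate"
    return "block"

def summarize(log):
    """Count triage outcomes over a log export."""
    return Counter(triage(parse_line(l)) for l in log.splitlines() if l.strip())

if __name__ == "__main__":
    for line in LOG.splitlines():
        e = parse_line(line)
        print(f"{e.time} {e.direction:3} {e.proto:4} {e.peer:16} "
              f"{SERVICES.get(e.port, 'port ' + e.port):36} "
              f"{peer_scope(e.peer):23} -> {triage(e)}")
    print(dict(summarize(LOG)))
```

Run as-is it prints one triage line per entry and the totals {'investigate': 11, 'allow': 2, 'block': 17}. Two things stand out: none of the 30 refused entries involves a 192.168.0.0/24 peer at all, so nothing the laptop needs on the LAN was being blocked except the two DHCP client entries, and the 172.50.10.x hosts sending NetBIOS datagrams are not even in RFC 1918 space, which makes them the first thing to chase with Wireshark.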

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ChrisCranieAuthor Commented:
Darr247 - thanks for the detailed response and links, this was helpful and has got the ball rolling on how I can investigate links such as this.

Regards,
Chris.
0
Darr247Commented:
The Internet Assigned Numbers Authority (IANA) has changed the link to the list of well-known/assigned ports...
here are the new URLs:

XML version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Text version - http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.txt

The new versions have fields that note when the assignment was made and/or modified, along with a glossary of the acronyms used and a list of contact emails after the ports list.
0