MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.
Solved
strange port communication
Posted on 2013-01-04
Hi,
I have two computer communicating (one inside the network, the other on the outside the network).
The are both using strange port numbers that are not commonly used. (Port 52497 for the external IP address and 9678 internally)
My question is
1. Shouldn't the firewall be configured to prevent outgoing ports except for typical ports (80, 443, etc?)
2. Should the firewall be configured to only allow in commonly used ports (port 80, 443)?
Thanks.
I have two computer communicating (one inside the network, the other on the outside the network).
The are both using strange port numbers that are not commonly used. (Port 52497 for the external IP address and 9678 internally)
My question is
1. Shouldn't the firewall be configured to prevent outgoing ports except for typical ports (80, 443, etc?)
2. Should the firewall be configured to only allow in commonly used ports (port 80, 443)?
Thanks.
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
2
4 Comments
1. Most firewalls allow outgoing traffic through most ports, especially when the traffic is initiated internally as a request, which might then be sent out on a different port, depending on the service.
The default action for a firewall is to block all unsolicited traffic coming in to your network.
2. Even if you configure a firewall to allow say, port 80, 443, 3389, to come in as an example, the originating port could be a random port (such as 52497 in your case.) The important port is the *destination*. And that is the port that is the focus when setting up your firewall rules.
The default action for a firewall is to block all unsolicited traffic coming in to your network.
2. Even if you configure a firewall to allow say, port 80, 443, 3389, to come in as an example, the originating port could be a random port (such as 52497 in your case.) The important port is the *destination*. And that is the port that is the focus when setting up your firewall rules.
Port 9678 is registered to EMC2 (Legato) Networker or Sun Solcitice Backup (Official) processes. Do you know if any of these backup services are supposed to be running to/from your network?
Depending on the type of firewall in your environment, most of the outgoing ports are going to be open to allow internal clients to connect to various external resources. Unless you are hosting a site/application/etc from your local network, almost all of the incoming ports to your network should be closed by the firewall to prevent incoming connections.
To get a better indication of who you are connecting to, you should check for the external IP address and then check it against whois
Depending on the type of firewall in your environment, most of the outgoing ports are going to be open to allow internal clients to connect to various external resources. Unless you are hosting a site/application/etc from your local network, almost all of the incoming ports to your network should be closed by the firewall to prevent incoming connections.
To get a better indication of who you are connecting to, you should check for the external IP address and then check it against whois
Active today
Some protocols also negotiate to use different ports. Example: FTP.
FTP has two connections, a command/control connection and a data connection.
There are two types of data connections: active and passive. If doing active FTP, the server initiates a outbound connection to the client from port 20 to a random high port. When doing active the client tells the server what port it is listening on buy the FTP PORT/EPRT commands over the command/control connections.
If doing passive the client initiates a connection to the server from a random high port to a random high port. In this situation the server tells the client what port it will be listening on using the PASV/EPSV commands.
Most firewalls "listen" in on the command/control connection (typically port 21) for the PORT/EPRT/PASV/EPSV commands and dynamically create a rule to allow the data connection. Once the transfer is done, based on the data connection being reset, the firewall dynamically removes this rule.
I believe there are other protocols/products that do this also.
FTP has two connections, a command/control connection and a data connection.
There are two types of data connections: active and passive. If doing active FTP, the server initiates a outbound connection to the client from port 20 to a random high port. When doing active the client tells the server what port it is listening on buy the FTP PORT/EPRT commands over the command/control connections.
If doing passive the client initiates a connection to the server from a random high port to a random high port. In this situation the server tells the client what port it will be listening on using the PASV/EPSV commands.
Most firewalls "listen" in on the command/control connection (typically port 21) for the PORT/EPRT/PASV/EPSV commands and dynamically create a rule to allow the data connection. Once the transfer is done, based on the data connection being reset, the firewall dynamically removes this rule.
I believe there are other protocols/products that do this also.
Featured Post
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
The use of stolen credentials is a hot commodity this year allowing threat actors to move laterally within the network in order to avoid breach detection.
Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data.
But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses
Course of the Month11 days, 2 hours left to enroll
719 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.