This article will explain the basic premise behind how your network is secured against unauthorized access by the configuration of the Firewall ports and the services supported by them.
TCP and UDP port numbers
If you were to take a look at your basic Firewall set up you would notice two types of ports available for configuration:
- Transmission Control Protocol (TCP) and
- User Datagram Protocol (UDP)
These ports are used to give people outside of your network access to services such as Email, Websites and Remote Desktop access from the Internet.
Some ports are “Official” ports registered with the Internet Assigned Numbers Authority (IANA) for use with specific applications and services. “Unofficial” ports are not registered with IANA for any specific application or service. The remaining ports are “Multiple use”, meaning several different applications are known to use the same port.
The port numbers in the range from 0 to 1023 are the well-known ports or system ports. They are used by system processes to provide widely used types of network services.
The range of port numbers from 1024 to 49151 are the registered ports. They are assigned by IANA for a specific service upon application by a requesting entity.
The range 49152–65535 contains dynamic or private ports that cannot be registered with IANA. This range is used for private or customized services, temporary purposes, and for automatic allocation of ephemeral ports.
A few common Firewall Ports are…
20, 21 = FTP (File Transfer Protocol) related ports
25 = Simple Mail Transfer Protocol (SMTP), used for e-mail routing between mail servers
80 = Hypertext Transfer Protocol (HTTP)
3389 = Microsoft Terminal Server (RDP) officially registered as Windows Based Terminal (WBT)
Port Forwarding & Security
Think of a Firewall like a Condo building with a Concierge Security desk. When the Mail Carrier arrives to deliver the mail, they first need to be let in by the Security Guard, and then each parcel needs the Suite number in order to reach its recipient, otherwise all mail would just end up at the Condo’s Front Desk with no final destination.
Firewall routers work on similar principles. When you are at home on your computer and need to access your email outside the office, your email software would be set up to reach out to your mail server on the Internet, and the request would eventually reach a Firewall Router. The email software would be configured to request access to certain ports; if these ports are also configured on the Firewall to allow pass-through, then the software can communicate with the email server. Once the request reaches the email server, the user’s credentials would be verified and the resulting response would be sent back to the software on your home computer, in this case meaning that you would receive your email.
Inside the Network, there may be many servers and computers. How does the software used outside the network know which server it needs to access for that particular application or service? The Firewall would need to be configured to take the external requested port and forward that request to the correct server internally by the server’s internal IP address, and the server would need that port activated internally for use as well.
Port scanning software exists today that allows anyone to scan your Internet modem and check for open ports, and potentially hack into a network by gaining access to unsecured ports. The best way to prevent this is not to open a port if it is not needed. This is why, if you have a Web server, it may only have port 80 open, and nothing else. This minimizes the risk. Some businesses cannot afford to have a separate server for every application port that they need, so they may use only one server, but have their Web Server, Email or other services running on it and require multiple ports to be open on one server. This is where security plays an important role in managing these ports correctly and effectively.
Every hacker out there knows what the default common application ports are. It’s no secret; it’s available all over the Internet. One way around this is to not use a common port on the Firewall if it can be avoided, and instead change to a random port that only the authorized users and their applications would know about. The Firewall would then take this random port and redirect it to the common port on the inside of the network, establishing the service communication link.
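The port ranges, the default-deny advice and the port-forwarding and remapping ideas above can be made concrete with a small model of a firewall’s forwarding table. The following is an added example, not code from the article or from Triella; the LAN range 10.0.0.0/24, the server addresses and the external port 50443 are constructed for illustration. One caveat a practitioner should keep in mind: a scan of all 65,535 ports still finds a remapped service, so remapping mainly cuts the noise from scanners that probe only default ports; the service behind it still needs strong credentials and patching.

```python
# Added example (not from the article): a miniature model of a firewall's
# port-forwarding table showing default-deny, forwarding an external port to
# an internal server, and an audit of what the rule set exposes.
# All addresses, ports and rule names below are constructed for illustration.
from dataclasses import dataclass
import ipaddress


def port_range_class(port: int) -> str:
    """Classify a port by the three IANA ranges described in the article."""
    if not 0 <= port <= 65535:
        raise ValueError(f"invalid port number: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


@dataclass(frozen=True)
class ForwardRule:
    protocol: str        # "tcp" or "udp"
    external_port: int   # port exposed on the firewall's Internet side
    internal_ip: str     # LAN server that should receive the traffic
    internal_port: int   # port the service actually listens on inside


class Firewall:
    """Default-deny firewall: inbound traffic passes only if a forward rule matches."""

    def __init__(self, lan: str, rules):
        self.lan = ipaddress.ip_network(lan)
        self.rules = {}
        for rule in rules:
            key = (rule.protocol, rule.external_port)
            if key in self.rules:
                raise ValueError(f"duplicate rule for {rule.protocol}/{rule.external_port}")
            self.rules[key] = rule

    def evaluate(self, protocol: str, dst_port: int):
        """Decide what happens to an inbound packet aimed at dst_port.

        Returns ("FORWARD", internal_ip, internal_port) when a rule matches,
        otherwise ("DROP", None, None): a port that was never opened is unreachable.
        """
        rule = self.rules.get((protocol, dst_port))
        if rule is None:
            return ("DROP", None, None)
        return ("FORWARD", rule.internal_ip, rule.internal_port)

    def audit(self):
        """Return human-readable findings about the exposure this rule set creates."""
        findings = []
        for rule in self.rules.values():
            if ipaddress.ip_address(rule.internal_ip) not in self.lan:
                findings.append(
                    f"{rule.protocol}/{rule.external_port}: forwards to {rule.internal_ip}, "
                    f"which is outside the LAN {self.lan}")
            if rule.internal_port == 3389 and rule.external_port == 3389:
                findings.append(
                    f"{rule.protocol}/{rule.external_port}: RDP exposed on its default port; "
                    f"consider remapping it to a non-standard external port")
        return findings


def build_example_firewall() -> Firewall:
    """Constructed rule set: web and mail on their usual ports, RDP remapped."""
    return Firewall("10.0.0.0/24", [
        ForwardRule("tcp", 80, "10.0.0.10", 80),        # HTTP to the web server
        ForwardRule("tcp", 25, "10.0.0.15", 25),        # SMTP to the mail server
        ForwardRule("tcp", 50443, "10.0.0.20", 3389),   # RDP behind a non-standard external port
    ])


if __name__ == "__main__":
    fw = build_example_firewall()
    for proto, port in [("tcp", 80), ("tcp", 50443), ("tcp", 3389), ("udp", 53)]:
        print(proto, port, port_range_class(port), fw.evaluate(proto, port))
    print("audit findings:", fw.audit())
```

Note that an inbound connection to tcp/3389 is dropped even though RDP is running inside: only the remapped external port 50443 reaches it, and everything not listed in the table is denied by default.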
There are endless websites that you can find to do an external port scan of your own Internet Firewall. (Use a site that does not require you to download any software; downloads of this kind should always be avoided.) Here is just one of them you can safely try… (Use it in a Google Chrome, Mozilla Firefox or Safari browser)
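The same self-check can be scripted so that the result is compared with the list of ports you intend to have open, rather than read by eye. The following is an added example, not code from the article or from Triella: it probes a host you administer and reports ports that are reachable but not on your allowlist, and allowlisted ports that are not reachable. To run offline it stands up two temporary listeners on 127.0.0.1 as stand-ins for services (constructed); in practice you would point it at your own public address from outside your network.

```python
# Added example (not from the article): verify which of the ports on a host
# you administer actually accept TCP connections, and compare the result with
# the ports you intended to open. The loopback listeners below are a constructed
# stand-in for real services so the check runs offline.
import socket
from contextlib import closing


def tcp_port_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if host:port accepts a TCP connection, i.e. the port is reachable."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def exposure_report(host: str, intended_open, candidates) -> dict:
    """Probe the candidate ports and compare what is reachable with the allowlist.

    'unexpected' ports are reachable but not on the allowlist (close them, or
    find out who opened them); 'missing' ports are on the allowlist but not
    reachable (a service or a forward rule is not working).
    """
    observed = {p for p in candidates if tcp_port_open(host, p)}
    intended = set(intended_open)
    return {
        "open": sorted(observed),
        "unexpected": sorted(observed - intended),
        "missing": sorted(intended - observed),
    }


def _listen_on_loopback() -> socket.socket:
    """Open a temporary listener on an OS-chosen loopback port (stand-in for a service)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def demo():
    """Run the check offline against two temporary listeners on 127.0.0.1.

    Returns (report_before, report_after, intended_port, stray_port).
    """
    svc = _listen_on_loopback()      # the one service we mean to expose
    stray = _listen_on_loopback()    # a service nobody meant to expose
    a, b = svc.getsockname()[1], stray.getsockname()[1]
    try:
        # First pass: only 'a' is on the allowlist, so 'b' shows up as unexpected.
        before = exposure_report("127.0.0.1", intended_open={a}, candidates=[a, b])
        stray.close()                # "do not leave a port open if it is not needed"
        # Second pass: pretend 'b' was supposed to be open; it now shows as missing.
        after = exposure_report("127.0.0.1", intended_open={a, b}, candidates=[a, b])
    finally:
        svc.close()
        stray.close()
    return before, after, a, b


if __name__ == "__main__":
    before, after, a, b = demo()
    print("intended port:", a, "stray port:", b)
    print("before closing the stray listener:", before)
    print("after closing it:", after)
```

A scan from inside your own network, as in this demo, only tells you what the host itself exposes; the article’s point is to run the check from the Internet side so that the firewall’s forwarding rules are what is being tested.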
Paul Comtois is a Client Support Specialist at Triella, a technology consulting company specializing in providing technology audits, planning advice, project management and other CIO-related services to small and medium-sized firms. Paul can be reached at 647.426.1004. For additional articles, go to www.triella.com/publications. Triella is a VMware Professional Partner, Microsoft Certified Partner, Citrix Solution Advisor – Silver, Dell Preferred Partner, Authorized Worldox Reseller and a Kaspersky Reseller.
© 2016 by Triella Corp. All rights reserved. Reproduction with credit is permitted.