Firewall Configuration

Being online without a firewall is asking to be hacked, infected by a worm, or attacked.

Last millennium, firewalls were often seen as an unnecessary expense and management headache because they prevented users from accessing things they wanted or needed to perform their job functions or have a little fun online. Today, firewalls are mandatory because they filter out malicious traffic. A firewall is nothing more than a port filter: it either allows or denies traffic based on source and destination ports. It is a simple concept, yet many people have a hard time understanding how a firewall works because over the years more and more functions have been added to firewalls, like routing, network address translation, and attack protection. Setting those advanced features aside for now, this discussion will focus on simple firewall dos and don'ts.

There are two basic types of firewalls: host-based and network-based. Host-based firewalls are software applications that run on clients and protect individual systems from the network. Network-based firewalls sit inline on the network, segmenting it and filtering traffic. Most small and medium businesses have a single perimeter-based firewall. With the introduction of Windows XP Service Pack 2, Microsoft has incorporated a host-based firewall into the operating system. Perimeter-based firewalls provide granular control of traffic entering and leaving the network. The greatest challenge with host-based firewalls is managing them: allowing traffic necessary for network functionality while denying potentially harmful traffic. Defining perimeter rules is much easier because there are only a few protocols that need access in or out through a network-based firewall.

The ideal perimeter firewall limits traffic to as few ports as possible. Limiting the hosts that can connect on the allowed ports is the other part of securing a firewall. For example, if an application must be accessible on the Internet, but only from a handful of hosts, then create a rule that allows that traffic inbound and limits those requests to the specific hosts. Create rules that are as restrictive as possible. It is better to put extra time into management than to expose hosts to potential attack. The greatest challenge of limiting inbound traffic is dealing with remote systems without static IP addresses because it is impossible to properly limit the connecting hosts. A best effort can be made by restricting the source of traffic to the host networks that those clients connect from. Look up network addressing through the American Registry for Internet Numbers (ARIN).
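The two restrictions described above (few ports, few source hosts), as an added example that is not part of the original article: a first-match rule evaluator with an implicit default deny. The rule set is constructed for illustration and the addresses are RFC 5737 documentation ranges, not real hosts.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str   # "allow" or "deny"
    proto: str    # "tcp" or "udp"
    dport: int    # destination port
    source: str   # CIDR of permitted sources; "0.0.0.0/0" means any host

    def matches(self, proto, src_ip, dport):
        return (proto == self.proto and dport == self.dport
                and ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source))


# Constructed inbound policy for a perimeter firewall (example addresses only).
INBOUND = [
    Rule("allow", "tcp", 443, "0.0.0.0/0"),         # public web site: any source
    Rule("allow", "tcp", 3389, "198.51.100.10/32"),  # RDP: one named admin host
    # Remote partner without a static IP: best effort is the network
    # block its connections come from.
    Rule("allow", "tcp", 21, "203.0.113.0/24"),
]


def evaluate(rules, proto, src_ip, dport):
    """First matching rule wins; anything unmatched is denied (default deny)."""
    for rule in rules:
        if rule.matches(proto, src_ip, dport):
            return rule.action
    return "deny"


def exposure(rules):
    """Ports reachable from any host; these rules deserve the most scrutiny."""
    return sorted(r.dport for r in rules
                  if r.action == "allow"
                  and ipaddress.ip_network(r.source).prefixlen == 0)


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", "198.51.100.11", 3389))  # neighbour of the admin host
    print(exposure(INBOUND))
```

The /24 rule admits every host in that block, which is why the article calls it a best effort rather than a proper restriction.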

Common Server Configurations

The following section outlines the ports that are necessary for functionality of common systems. A list of the ports for common applications is available from the Internet Assigned Numbers Authority (IANA). The port assignment list from IANA is useful as a reference, though most manufacturers provide this information for applications not on the list. Basically, the range of ports 1024-65535 is open to anyone to publish services, and there is sometimes duplication in that range.

  1. Microsoft IIS - Internet Information Server can host web, FTP, mail, and network news servers; IIS is only available on Windows operating systems.

    Inbound Ports - FTP:20-21, HTTP:80, NNTP:119, HTTPS:443.

    Outbound Ports - SMTP:25 if the system sends mail using the SMTP service, and DNS:53 for resolving remote hosts for logging.

  2. Microsoft PWS - Peer Web Server can host web, FTP, and mail; PWS is only available on Windows client operating systems.

    Inbound Ports - FTP:20-21, SMTP:25, HTTP:80, HTTPS:443.

    Outbound Ports - SMTP:25 if the system sends mail using the SMTP service, DNS:53 for resolving remote hosts for logging, and HTTP:80 to browse the web.

  3. Microsoft Exchange - Exchange front end servers integrate all the functionality of IIS, including web and network news servers, as well as the mail services SMTP, POP3, IMAP, Secure POP, and Secure IMAP.

    Inbound Ports - SMTP:25, HTTP:80, POP3:110, NNTP:119, IMAP:143, HTTPS:443, IMAP-SSL:993, POP3 Secure:995.

    Outbound Ports - SMTP:25 to send outgoing mail, and DNS:53 for resolving remote hosts for mail delivery.

  4. Microsoft Remote Desktop Protocol - accessing a terminal server or Windows XP Professional requires the RDP protocol.

    Inbound Ports - RDP:3389.

    Outbound Ports - no outbound protocols must be configured because the connection is unidirectional.

  5. Microsoft Remote Procedure Calls - Windows client/server communications are the core of Windows networking. Without RPC, clients cannot effectively communicate with servers; RPC communications are bidirectional, so both sides must be open. Security best practices recommend against opening RPC ports, so you should only open RPC between specific hosts as a last resort.

    Inbound Ports - 135, 389, 445, udp 3268-3269.

    Outbound Ports - 135, 389, 445, udp 3268-3269.

Some systems will require additional outbound access; the list above covers only the minimum protocol requirements for functionality. Adding additional protocols improves functionality at the cost of security. The fewer protocols that critical systems can connect to the Internet through, the better because malicious programs can use common ports to send and receive commands from their remote hosts.
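One way to check a proposed inbound rule set against the per-role port lists above, as an added example that is not part of the original article. The rule text format, the role keys, and the sample rules are constructed for illustration; ports are matched by number only, ignoring TCP/UDP, for brevity.

```python
# Inbound ports per role, copied from the list above (protocol ignored for brevity).
ROLE_INBOUND = {
    "iis":      {20, 21, 80, 119, 443},
    "pws":      {20, 21, 25, 80, 443},
    "exchange": {25, 80, 110, 119, 143, 443, 993, 995},
    "rdp":      {3389},
}
# Ports from the RPC entry: open only between specific hosts, as a last resort.
RPC_PORTS = {135, 389, 445, 3268, 3269}


def parse(line):
    """Parse the constructed format 'allow <port|lo-hi> from <source>'."""
    _, ports, _, source = line.split()
    lo, _, hi = ports.partition("-")
    return set(range(int(lo), int(hi or lo) + 1)), source


def audit(role, lines):
    """Return sorted (port, finding) pairs for rules that exceed the role's needs."""
    findings = set()
    for line in lines:
        ports, source = parse(line)
        for port in ports:
            if port in RPC_PORTS:
                # Host-restricted RPC is tolerated; RPC from anywhere is not.
                if source == "any":
                    findings.add((port, "RPC open to any source"))
            elif port not in ROLE_INBOUND[role]:
                findings.add((port, "not needed by role"))
    return sorted(findings)


# Constructed rule set for a host that is supposed to be an IIS web/FTP server.
PROPOSED = [
    "allow 20-21 from any",
    "allow 80 from any",
    "allow 443 from any",
    "allow 3389 from any",        # remote admin left open: not an IIS port
    "allow 135 from any",         # RPC exposed to every source
    "allow 445 from 192.0.2.10",  # RPC limited to one named host: accepted
    "allow 8080-8081 from any",   # leftover test listener
]

if __name__ == "__main__":
    for port, finding in audit("iis", PROPOSED):
        print(port, finding)
```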

Recommended Client Configurations

This section outlines the minimum ports required for typical client functionality. These recommendations err on the side of caution at the cost of some functionality. Most common applications will work with these configurations; some non-standard applications will be broken by the ports that are not allowed through the firewall.

  1. Minimal - these protocols will allow most clients access to the web, without unduly exposing the client to risks.

    Outbound Ports - HTTP, and HTTPS.

    Note: Clients that are members of an Active Directory domain will not need access to outside DNS servers because they should be using the internal Dynamic DNS servers for name resolution. The same is true of NTP services. Clients that are not members of an Active Directory domain will probably require DNS and possibly NTP access for functionality.

    Troubleshooting: allowing clients unrestricted access to PING and Trace Route will aid troubleshooting without compromising security too much.

  2. Internet - these protocols are an enhancement of the minimal group, adding support for non-standard HTTP ports and Windows Media player.

    Outbound Ports - FTP, HTTP, HTTPS, HTTP non-standard (ports 8000-8003, 8080-8088, and 81), and Windows Media (port 1755).

    Note: see above concerning DNS and NTP.

    Troubleshooting: see above.

  3. Administrators - these protocols are commonly used by administrators, adding support for SSH, Telnet, RDP, IKE and PPTP.

    Outbound Ports - DNS, FTP, HTTP, HTTPS, IKE, NNTP, NTP, PING, POP3, PPTP, RDP, SMTP, SSH, Telnet, and Trace Route.

    Note: The inclusion of IKE, NTP, PPTP, and Telnet is only necessary if administrators access systems outside the LAN using those protocols. Restrict Telnet and VPN access to specific hosts when possible.

    Troubleshooting: administrators live and die by Ping and Trace Route, therefore they must have access to those critical tools.

  4. Instant Messaging - each Instant Messaging client requires ports to be opened in the firewall in order to work properly. These ports are bidirectional, meaning that the traffic must be allowed out from the client with the assumption that the firewall is a stateful protection firewall and will properly return outbound requests to the originating host. These protocols are optional, not required for normal functionality.

    Outbound Ports - MSN TCP:1863 and 6891-6900; AIM and ICQ TCP:5190; Yahoo Messenger has its own port, check Yahoo documentation for specifics.

    Note: Allowing Instant Messaging clients access to the Internet creates a massive security hole because these messages bypass perimeter firewalls, virus scanners, and content filters, presenting a major risk exposure. Weigh the productivity gains of IM versus the increased cost of managing the new risks before allowing IM access.

Some systems will require additional outbound access; the list above covers only the minimum protocol requirements for functionality. Adding additional protocols improves functionality at the cost of security. The fewer protocols that critical systems can connect to the Internet through, the better because malicious programs often use common ports to send and receive commands from their remote hosts.
