Lock IT Down: Block TCP/IP ports to increase security

Improve network security by blocking TCP/IP ports

When setting up a firewall or proxy server, one of the most important tasks is to block undesirable incoming and outgoing ports and allow only the ones you need. Besides being time-consuming, this task can also be frustrating, because the basic information isn't readily at hand. Two weeks ago, I asked TechRepublic members to help me compile an authoritative and comprehensive list of TCP/IP and UDP ports. Boy, did you all come through!

Delivering a succinct analysis of the problem, huba writes, "In the perfect scenario, you would deny all connections (any connection from anywhere to any port) and allow only those connections to ports that you find out you really need to open up. Of course, this perfect security world is an unusable system from a user's perspective... Your best bet is to find a peer at an organization that does similar work and ask them what they block, what they allow, and why." Excellent advice.

Suggested links
The most popular link, by far, is the official list of port numbers maintained by the Internet Assigned Numbers Authority. (Save this bookmark, because it takes far too many clicks to get to this important resource from the IANA home page.) By definition, of course, this list is authoritative, but it lacks even the most basic ease-of-use features or any sort of explanation to accompany its terse listing. Every Windows NT/2000-based machine includes a Windows-centric excerpt from the IANA list in a file called Services (no extension). You'll find this file in the %systemroot%\system32\drivers\etc directory.
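As an added illustration (not part of the original article), the Python sketch below parses entries in the Services file format and applies the deny-by-default approach huba describes: only ports belonging to explicitly named services are allowed, and everything else is denied. The sample entries, the allowed service names, and the function names are all constructed for this example.

```python
import re

# Constructed sample in the Services file layout: name  port/proto  [aliases]  [# comment]
SAMPLE_SERVICES = """\
ftp        21/tcp             # file transfer (constructed entry)
smtp       25/tcp    mail
domain     53/tcp
domain     53/udp
http       80/tcp    www www-http
"""

LINE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b", re.I)

def parse_services(text):
    """Return {(port, proto): name}; comments and blank lines are skipped."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE.match(line)
        if m:
            name, port, proto = m.group(1), int(m.group(2)), m.group(3).lower()
            table.setdefault((port, proto), name)
    return table

def build_policy(allowed_names, services):
    """Turn service names into an explicit allow set; a name opens every protocol listed for it."""
    by_name = {}
    for key, name in services.items():
        by_name.setdefault(name, set()).add(key)
    allow = set()
    for name in allowed_names:
        if name not in by_name:  # a typo must not silently produce an empty rule
            raise ValueError(f"no such service in table: {name}")
        allow |= by_name[name]
    return allow

def decide(port, proto, allow):
    """Default deny: anything not explicitly allowed is blocked."""
    return "allow" if (port, proto.lower()) in allow else "deny"

def audit(observed, allow, services):
    """Label each observed (port, proto) with the decision and its registered name, if any."""
    return [(p, pr, decide(p, pr, allow), services.get((p, pr.lower()), "unregistered"))
            for p, pr in observed]

if __name__ == "__main__":
    svc = parse_services(SAMPLE_SERVICES)
    allow = build_policy(["smtp", "http", "domain"], svc)
    print(audit([(25, "tcp"), (21, "tcp"), (53, "udp"), (40123, "tcp")], allow, svc))
```

Ports reported as "unregistered" are the ones the port lists discussed below help identify before you decide whether they belong on the allow list.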

I was impressed with the sheer number of unofficial sites that TechRepublic members suggested. After reviewing most of them, however, I offer this caution: Most such sites are poorly maintained and do little more than duplicate the information found elsewhere. Among the suggested links, I found sites that were last updated in mid-1999, 1997, 1996, and even 1995. Needless to say, any port listing that doesn't get an update at least a few times a year is likely to contain some significant gaps.

Of all the "volunteer" sites, I was most impressed by the source that calves suggested. Richard Akerman's list of TCP/IP ports for Internet services comes from the Great White North. It's an excellent compendium, and the site is updated frequently. While not comprehensive or especially authoritative, it does do a good job of covering the ports used by popular messaging programs (NetMeeting, AOL Instant Messenger) and data-streaming applications (Liquid Audio, VDOLive). I especially enjoyed Mr. Akerman's wry sense of humor—he titled the page "Any Port in a Datastorm." And his mission statement is spot-on: "It seems like every day there is a new Internet service that uses some new set of poorly documented, unregistered ports. I created this page to gather together all the information I could find about the ports used by these new services, for use by firewall administrators and other network monitors." Yes, calves, you do get the TechPoints this time—500 of them, to be precise.

Two TechRepublic members offered pointers to sites that help you keep the forces of darkness at bay. As pshannon points out, there's no substitute for recent experience. "I have three offices connected in a VPN using Netscreen's product, and I'm in the process of blocking the unused ports myself." Besides the authoritative IANA list, he recommends the full list of ports maintained by NetworkICE, makers of the BlackIce Defender security software. Mixed in with the well-known ports (FTP, SMTP, and the like) are ports commonly used by Trojan horses and other malware. That reference is worth 500 TechPoints.

An even more extensive list of ports used by trojans is available courtesy of a Swedish firm called Simovits Consulting. The list was updated as recently as March of this year, and the author includes a link for e-mail. Props (and 500 TechPoints) to florinpetrescu for the link.

And finally, a TechRepublic T-shirt to jeff, who added a touch of class to the discussion with a well-chosen stanza from Dante's Inferno:

"Before we start to struggle out of here,
'O master,' I said when I was on my feet,
'I wish you would explain some things to me.'"
-Dante Alighieri, Inferno, Canto XXXIV, 100-2

Like several TechRepublic members, he suggests a dead-tree alternative to online information sources. Unfortunately, the recommended volume (Internet Security Professional Reference, Second Edition, published in 1997 by New Riders Publishing) is no longer in print. Most good TCP/IP references will have a list of the well-known TCP and UDP ports, but for up-to-date information, the Web has a huge edge.

Here's Ed's new Challenge
According to Microsoft, you should never use an administrative account for everyday use, especially if you're connected to the Internet. But that causes big headaches for power users who want to install new applications. In fact, many install programs simply won't run unless you have administrative rights. What sort of best practices should Windows 2000 Professional users follow when installing new software? Click here to tackle this week's Microsoft Challenge and help me put together the setup do's and don'ts.
