Defend your firewall - ask why before opening the door

One of the questions that you might be asked in any review of your company’s IT security procedures, is what ports are open on the firewall that protects your business.

All companies with internet have a firewall. It’s often part of the same router/modem combination that maintains your internet connection. By default, these firewalls restrict all inbound traffic and allow all outbound. In this rather simplistic view, for traffic to pass there has to be a request made from inside the firewall.

There are situations, however, where you might want inbound traffic to pass into your network without this initial request, an inbound email message for instance. To let it through the firewall we need to open a door, or port, and that port should only allow email through and nothing else. Traffic that passes through a firewall is therefore divided into numbered ports, each associated with a type of traffic. There are many ‘standard’ ports and many more that are undefined or used by different traffic types or vendors.

So using email as an example, and assuming that you have some sort of mail server on your network, we would open a particular port (door) on the inbound firewall and send any data arriving at that port to your mail server. We create a rule for this so that it happens automatically, which might look like this:

When an inbound email message arrives at the firewall send it to the mail server

Most email is sent on port 25, so if your mail server’s address is 10.1.20.200 then the rule might say:

25    >    10.1.20.200    (mail server)

So now you have a firewall that stops all unsolicited inbound traffic, with the exception of port 25 (email).

If you run your own small server, you will probably have a few more. Quite quickly you can end up with a list that looks like this:

25      >    10.1.20.200    (email is sent to the mail server)
1723    >    10.1.20.200    (allow VPN access – for home access for example)
443     >    10.1.20.200    (https web access for smartphone connections to email)

This all forms part of the configuration of your firewall and is entirely normal. These are holes in your firewall but you need them for your business to function.

You should write this list down and keep it somewhere safe. You will need it if ever you need to rebuild your router and you find you can’t rely on a backup.

Suppose you now install a phone system and the phone company requests a slew of ports to be opened to allow the system to work. I pick on phone companies for this as they always seem to request the most changes, but equally copier companies and web designers also make such requests.

25      >    10.1.20.200    (email is sent to the mail server)
1723    >    10.1.20.200    (allow VPN access – for home access for example)
443     >    10.1.20.200    (https web access for smartphone connections to email)
5060    >    10.1.20.201    (Phone system SIP traffic)
6000    >    10.1.20.201    (IP phone connections)
3389    >    10.1.20.200    (Requested by software support company)
21      >    10.1.20.202    (Copier company requested)

Suddenly your list looks much more complex and has entries that are both non-standard and largely unexplained. Your solid firewall now has a bunch of holes forced into it, and you may have only a cursory explanation of why each one is needed.

At this point the best you feel you can do is to update your hardcopy list and assume that the companies that have requested this access know what they’re doing.

We prefer to take a slightly more cautious approach when responding to requests for ports to be opened in our customers’ firewalls. What we haven’t mentioned above is that it’s possible (on all but the most basic hardware) to specify that a port is only opened when the traffic comes from a particular source address.

So if the phone company needs port 5060 open, then you could specify that it’s only open from their public IP address. This locks the port down to traffic coming from the phone company and no one else. The same applies to the copier company – lock it to the company address. If they want to update the firmware on your copiers, then they have to do it from their office. If they refuse, then close the port and only open it when needed, which is unlikely to be very often.

Finally, understand that many of these ports can be changed. The copier company probably doesn’t have to use port 21, which is the standard port for FTP and is notoriously insecure. They could probably choose another undefined port and reconfigure the equipment accordingly.

The key is to question every item on the list. Does it need to be there, and does it need to be there all the time? Can we restrict where the inbound traffic comes from? Can we change to a non-standard port?
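To make the source-restricted rules and the review questions above concrete, here is an added example (not from the original article or any particular router): it models the rule list as data, shows where an unsolicited inbound packet would be forwarded, and flags the rules that fail the checks. The vendor addresses in 203.0.113.0/24 and the second-example 198.51.100.7 are constructed documentation-range values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ForwardRule:
    port: int                            # inbound port opened on the firewall
    dest: str                            # inside address the traffic is sent to
    note: str                            # the recorded reason the hole exists
    allowed_from: Optional[str] = None   # source IP or CIDR; None means open to anyone

# Constructed rule list mirroring the article's example. 203.0.113.0/24 is a
# documentation range standing in for the phone and copier companies' public addresses.
RULES = [
    ForwardRule(25, "10.1.20.200", "email is sent to the mail server"),
    ForwardRule(1723, "10.1.20.200", "allow VPN access"),
    ForwardRule(443, "10.1.20.200", "https web access for smartphone email"),
    ForwardRule(5060, "10.1.20.201", "Phone system SIP traffic", "203.0.113.10"),
    ForwardRule(6000, "10.1.20.201", "IP phone connections", "203.0.113.10"),
    ForwardRule(3389, "10.1.20.200", "Requested by software support company"),
    ForwardRule(21, "10.1.20.202", "Copier company requested", "203.0.113.0/24"),
]


def forward_target(rules, src_ip, dst_port):
    """Inside address an unsolicited inbound packet is sent to, or None if dropped."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.port != dst_port:
            continue
        # A rule with no source restriction matches any sender; otherwise the
        # sender must fall inside the allowed address or range.
        if r.allowed_from is None or src in ipaddress.ip_network(r.allowed_from, strict=False):
            return r.dest
    return None


def audit(rules):
    """Apply the article's questions to each rule; returns (port, finding) pairs."""
    findings = []
    for r in rules:
        if r.allowed_from is None:
            findings.append((r.port, "open from any source address; can it be locked to one?"))
        if r.port == 21:
            findings.append((r.port, "standard FTP port; ask the vendor to move it"))
        if not r.note.strip():
            findings.append((r.port, "no recorded reason; should it be there at all?"))
    return findings
```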

Once you’ve done that, write up your master list and get someone in authority to agree it. Do the same every time a change is requested and you’ll have better network security as a result.