Closing Open Ports

Ports are opened and closed by the services and applications that use them. For
instance, the WWW service opens at least port 80. You can get an idea of port-to-service
mapping using netstat -an or, better yet, Fport. Keep in mind that many ports need to be
open for network services. A firewall is used to block access to open ports from
unwanted networks and IP addresses based on rules for port, protocol, and IP address.
If you are unsure of a port listed as connected or listening on your computer, do a
search for it on http://google.com, such as "tcp port xxx", which will usually give
you more information. --- Steve

http://www.microsoft.com/security/protect/
http://packetstormsecurity.nl/filedesc/fport.zip.html
http://www.governmentsecurity.org/articles/CommonPorts.php
http://www.granneman.com/techinfo/networki/commonpo
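As an added example (not part of the thread, and not a tool the poster mentions), here is a small Python parser for the layout `netstat -an` prints on Windows. It pulls out the listening TCP ports, compares them against an allowlist of services you expect to be exposed, and lists the established sessions whose remote end you might want to look up. The netstat lines are constructed sample data and the allowlist is a hypothetical one for a small web host; adjust both for a real machine.

```python
"""Parse `netstat -an` (Windows layout) and flag listening ports that are not on
an expected-services allowlist.

Added example, not from the thread. SAMPLE_NETSTAT is constructed; the allowlist
EXPECTED_LISTENERS is a hypothetical one for a small web/file host."""
import re
from typing import Dict, List, Tuple

# Constructed sample output in the layout Windows `netstat -an` prints.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:52011         ESTABLISHED
  TCP    192.168.1.10:1045      203.0.113.7:6667       ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Hypothetical allowlist: port -> service we expect to be listening on this host.
EXPECTED_LISTENERS: Dict[int, str] = {
    80: "www",
    135: "rpc endpoint mapper",
    445: "smb",
}

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP has none).
_LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str, str]]:
    """Return (proto, local_addr, local_port, foreign, state) tuples; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, foreign, state = m.groups()
        rows.append((proto, laddr, int(lport), foreign, state or ""))
    return rows


def listening_ports(text: str) -> List[int]:
    """Sorted, de-duplicated TCP ports in LISTENING state."""
    return sorted({port for proto, _, port, _, state in parse_netstat(text)
                   if proto == "TCP" and state == "LISTENING"})


def unexpected_listeners(text: str, expected: Dict[int, str] = EXPECTED_LISTENERS) -> List[int]:
    """Listening ports not covered by the allowlist; these are the ones to look up."""
    return [port for port in listening_ports(text) if port not in expected]


def established_peers(text: str) -> List[Tuple[str, int]]:
    """(remote_host, remote_port) for each ESTABLISHED TCP session, in netstat order."""
    peers = []
    for proto, _, _, foreign, state in parse_netstat(text):
        if proto == "TCP" and state == "ESTABLISHED":
            host, port = foreign.rsplit(":", 1)
            peers.append((host, int(port)))
    return peers


if __name__ == "__main__":
    for port in listening_ports(SAMPLE_NETSTAT):
        label = EXPECTED_LISTENERS.get(port, "UNEXPECTED - look this port up")
        print(f"listening tcp/{port}: {label}")
    for host, port in established_peers(SAMPLE_NETSTAT):
        print(f"established to {host}:{port}")
```

On a live box you would feed it the real output (`subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout`) rather than the constructed sample; the parser only handles the IPv4 `addr:port` form shown in the sample.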
 
Sure you can, but it may not be the best solution for securing traffic from the
internet. IPsec by default allows certain ports to remain open, is difficult to
implement securely for certain applications, and the rules do not follow conventional
firewall configurations as far as ordering. Here are some comments from Microsoft
KB811832 --

****************************************************************
The Internet Protocol Security (IPsec) feature in Windows 2000, Windows XP and
Windows Server 2003 was not designed as a full-featured host-based firewall. It was
designed to provide basic permit and block filtering by using address, protocol and
port information in network packets.

As IPsec is increasingly used for basic host-firewall packet filtering, particularly
in Internet-exposed scenarios, the effect of these default exemptions has not been
fully understood. Because of this, some IPsec administrators may create IPsec
policies that they think are secure, but are not actually secure against inbound
attacks that use the default exemptions.
****************************************************************

IPsec certainly has its place and is excellent in managing/securing traffic for the
LAN, is built in, and can be managed remotely and for large numbers of computers via
Group Policy.

If you are talking about controlling traffic in and out of the internet, I prefer a
hardware device first. They are easy to set up, usually low maintenance, reliable,
and your first line of defense. Netgear makes an inexpensive true SPI-certified
NAT/firewall device that is suitable for small networks and can even control outbound
traffic to some degree. A personal firewall is also better suited to guarding a
computer from internet attacks than IPsec. Firewalls such as Sygate and Kerio have
many more options, including mapping firewall rules to applications, port use
reporting, extensive logging, and intrusion detection. These two firewalls are also
free for personal use. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;811832
http://www.netgear.com/products/prod_details.asp?prodID=140&view=
http://www.webattack.com/Freeware/security/fwfirewall.shtml
 
There's no logging, so if you're hacked, you've no idea who did it, and if
there's a problem, you've no idea what port you need to open up. There's no
simple GUI like a firewall management console to easily set up multiple
rules. There's no reporting or alerting or intrusion detection. And
dynamic protocols like FTP don't work well through such rules, unless you
open up a whole lot of ports you didn't really want to open. And, a trojan
or virus could potentially disable IPsec. And IPsec can't tell you which
executable is generating network traffic or block traffic by executable,
like many free personal firewalls can. By comparison, the XP ICF firewall
is arguably way better than IPsec rules in a number of ways.

Bottom line, IPsec is not a good firewall, especially if you're not already
a TCP/IP filtering expert and can troubleshoot setup problems without a log
of blocked packets. You can always get better functionality and more
security by going to a real firewall.
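The two preceding posts make two points that are easy to get wrong in practice: IPsec filter rules are not evaluated in list order the way conventional firewall rules are (Windows IPsec applies the most specific matching filter), and a filter set without a log of blocked packets is hard to troubleshoot. The added example below, which is not from the thread or from any vendor, models both behaviours in a few lines of Python: the same three-rule policy is evaluated once with conventional first-match ordering and once with most-specific-match semantics, and every decision is written to a log so the reader can see why a packet was blocked. The rule set and packets are constructed; the most-specific model is a simplification (a count of specified fields) and not a reimplementation of the Windows IPsec engine.

```python
"""Compare first-match (conventional firewall) with most-specific-match (the way
Windows IPsec filters are applied) on the same rule set, with a decision log.

Added example, not from the thread. Rules and packets are constructed; the
specificity model is a simplification, not the real IPsec filter engine."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Rule:
    src: str                  # source network in CIDR notation
    dport: Optional[int]      # destination TCP port, or None for any port
    action: str               # "permit" or "block"

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and (self.dport is None or self.dport == dport)

    def specificity(self) -> int:
        """Constructed measure: longer prefix and an explicit port are more specific."""
        return ipaddress.ip_network(self.src).prefixlen + (16 if self.dport is not None else 0)


@dataclass
class Policy:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def _record(self, mode: str, src_ip: str, dport: int, action: str, idx: int) -> None:
        # The log is what the third post says plain IPsec rules lack.
        self.log.append(f"{mode}: {src_ip} -> tcp/{dport} {action.upper()} (rule {idx})")

    def first_match(self, src_ip: str, dport: int) -> Tuple[str, int]:
        """Conventional firewall semantics: the first rule in list order wins."""
        for idx, rule in enumerate(self.rules):
            if rule.matches(src_ip, dport):
                self._record("first-match", src_ip, dport, rule.action, idx)
                return rule.action, idx
        raise ValueError("no rule matched; add a catch-all")

    def most_specific(self, src_ip: str, dport: int) -> Tuple[str, int]:
        """IPsec-style semantics: among all matching rules, the most specific wins."""
        candidates = [(rule.specificity(), idx) for idx, rule in enumerate(self.rules)
                      if rule.matches(src_ip, dport)]
        if not candidates:
            raise ValueError("no rule matched; add a catch-all")
        _, idx = max(candidates)
        self._record("most-specific", src_ip, dport, self.rules[idx].action, idx)
        return self.rules[idx].action, idx


# Constructed policy written the way an IPsec admin might: catch-all block listed
# FIRST, with the permits after it, relying on most-specific-match to pick the permits.
POLICY_RULES = [
    Rule(src="0.0.0.0/0", dport=None, action="block"),        # 0: block everything
    Rule(src="192.168.1.0/24", dport=None, action="permit"),  # 1: LAN may reach any port
    Rule(src="0.0.0.0/0", dport=80, action="permit"),         # 2: anyone may reach WWW
]

# Constructed test packets: (source ip, destination port).
PACKETS = [("192.168.1.25", 445), ("203.0.113.7", 80), ("203.0.113.7", 445)]


def evaluate_all(rules: List[Rule] = POLICY_RULES, packets=PACKETS):
    """Return {(src, dport): (first_match_action, most_specific_action)} plus the log."""
    policy = Policy(list(rules))
    results = {}
    for src_ip, dport in packets:
        fm, _ = policy.first_match(src_ip, dport)
        ms, _ = policy.most_specific(src_ip, dport)
        results[(src_ip, dport)] = (fm, ms)
    return results, policy.log


if __name__ == "__main__":
    results, log = evaluate_all()
    for (src_ip, dport), (fm, ms) in results.items():
        print(f"{src_ip} -> tcp/{dport}: first-match={fm} most-specific={ms}")
    print("\n".join(log))
```

Loaded into a conventional first-match firewall, this rule order blocks everything, including the LAN and the web server, because rule 0 swallows every packet; under most-specific matching the same list permits LAN traffic and inbound port 80 while still blocking the rest. That is the ordering mismatch the second post warns about, and the log lines are what you would want when figuring out which rule produced a given block.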
 