For network applications/services the random unpriviliged ports above
1024 are used by the client computer to set up a session with the server
computer on one of the "well known" ports available on the server. You can
view that using netstat -an where you will see a list of connected and
listening ports. Another computer/application trying to establish a session
would have to attempt to connect to a "listening port" and would not have a
choice of ports to connect to. When a client computer attempts the
connection it tells the server computer what random port it has selected to
listen for return responses, and that port stays open only for as long as
the connection lasts. There is also a set of squence numbers exchanged with
the packets during the connection between the two computers that drastically
reduces the risk of another computer to try to connect to the open random
port on the client.
Apparently the anti virus application you use scans the above 1024 ports
to see if any unusual ones are listening because that is where the trojans
would be listening [just my guess]. So yes, you would not want to block
those ports from the computers running that application or it could not do
its job. You could however create a rule in your ipsec policy that would
exempt just that icmp traffic. Find out what port the application uses
[fport will tell you - free download], and create a permit rule for that
icmp traffic for: source - lan, destination - my address, source port -
whatever the application uses, destination port - any, protocol - whatever
icmp the application uses. I think such a rule would cause very minimal risk
on a lan even though it can not be of the dynamic nature that you desire.
Using ipsec filtering on a lan to protect from the lan may have some
merit as far as reducing the spread of trojans and keeping malicious users
from from trying to hack vulnerable services that they would not otherwise
need to access, however by design a lot of ports need to still be open to
conduct business with netbios/smb being the most vulnerable. It could be
used as part of an overall hardening strategy that incorporates effective
password policy, physically securing sensitive computers/equipment, keeping
up with critical updates, diabling uneeded services, assigning users minimum
needed rights and permissions, guarding the administrator accounts, enabling
an audit policy, etc. -- Steve
http://securityadmin.info/faq.asp#harden ---FAQ.
https://www.unc.edu/security/fport.html -- Fport.
Bill Tomlinson said:
Steven,
Thanks for your response.
I am still confused about the "random" nature of port assignment that this
anti-virus and other applications utilize in their programming.
If an application calls the Remote Procedure Call and asks for any available
port above 1025, then how can I create an IPSec filter that blocks all
traffic to ports that are not specifically configured, (such as those above
port 1025), and also allows these kinds of applications to function? The
assumption here is that if you don't block all traffic to ports that are not
specifically configured to allow traffic to pass, that the filter is not a
filter at all.
I would like to re-state that this question concerns my Local Area Network,
and using IPSec to create a packet filter for the LAN. What I have
heard
is
that IPSec packet filtering in a LAN is not recommended because applications
such as my anti-virus product are designed to depend on "random" ports being
available on request, and this is in direct conflict with blocking all ports
that are not specifically configured ahead of time.
The question could be restated as: "Are IPSec packet filters only practical
on the WAN side of your router?" OR "Is it recommended by Microsoft to
secure your LAN using the IPSec rules/filters that are configured to request
or require negotiated secure connections without using IPSec packet
filtering?"
I have read about the "dynamic" block policy for a specific Protocol and
Port, but this also appears to be a CATCH-22. If the port is assigned
randomly, and there could be multiple applications requesting a random port
via RPC, then how do you know which specific ports to configure statically
or dynamically for these applications?
I have read the white paper: "Instant Message Polling and Fixed Port
Callback Delivery," in this paper the method of configuring Fixed Port
Callback Delivery appears to be specifically programmed into SP1 of Exchange
2000 and clients, does this imply that other software vendors could also
design these features into their products to allow for Fixed Port Callback
Delivery, or is this a generic technique that can be applied to any
application that needs random port assignments?
What I am looking for is a IPSec rule that could allow a known application
to request a random port, that could then be 'dynamically' "allowed" for
that connection's lifetime only, and then blocked again after the connection
is no longer in use (sounds a bit like fixed port callback to me).
In my test network, I currently have no IPSec rules/filters 'assigned'
and
I
am concerned that using the IPSec Filtering (which by definition means that
there is no security negotiation, just blocking and allowing certain ports
to function) with the recommended ports open, and blocking all others will
cause these "randomly" assigned ports to be blocked, causing the
applications to fail.
I must be missing the point somewhere, is there any way you could explain
how to determine a packet filter for ports that are assigned randomly
for
me
in more basic terminology?
Thanks
Bill
created
with
packets?