
Port Blocking for Security?


Spirit, Technical User, Jul 12, 2002
Can someone tell me why port blocking adds security?

Specifically, let's say you do port forwarding, let's say from 80 to 3080 or from 443 to 3443.

I can run a very simple port scan from either inside or outside the network and see that port 80 is blocked and 3080 is open.

And since I know that port 3080 is open I can force any traffic I like through that port (as long as I don't switch packet filtering on, although I can use something like HTTP-Tunnel to hide its true content).

So my question is, what's the point? I am sick of reading that you should do this but I don't truly understand why!!!!

Please tell me why!

Cheers,
Iain

P.S. this isn't a home work question!
 
You talk about port blocking but reference examples of port redirection. The benefits of port blocking should be evident: if you don't allow traffic on a port then you should be pretty safe. Conversely, I don't think the advice was meant to imply that port redirection makes your servers bullet proof either. If an exploit for IIS comes out it should be common knowledge that it will be exploited on port 80 or 443. Even script kiddies are lazy and are not going to scan 65 thousand plus ports to exploit your IIS server listening on port 3080 on the outside world. They will scan the vast reaches of the internet for exploitable machines listening on port 80.

That make any sense?

RoadKi11
 
Sorry for not making much sense, not unusual for me!

Let's say I don't want people to browse the internet, so I block port 80 but I leave SMTP open for my mail. I can then force HTTP through port 25.

Or even if I block every port except 25, I can still force traffic to use this port.

I just need to find the open port?

I guess the same is true of anything, viruses, trojans etc?

My servers don't need to repel script kiddies they need to repel ME and I know the passwords! :)

Thanks again for any pointers / help / advice.

Iain
 
Port blocking is used to block access to services from the internet. For example you don't want internet users to access your MS SQL Servers so you would want to block access to port 1433. With no redirection from the outside to the internal port 1433 there isn't any way to access the SQL Server from the outside.

Denny
MCSA (2003) / MCDBA (SQL 2000) / MCTS (SQL 2005) / MCITP Database Administrator (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
 
Well, you bring up a good point: the real threat to your network is not going to come from outside, it's going to come from inside, either from intended malice or gross retardedness. In any case it proves you need a balanced security plan: port blocking/redirection, strict user controls, and probably most importantly a very good monitoring system. We are the masters of our networks; we sure as hell should know what traffic is traveling across them.

RoadKi11

 
So from outside, if I say have port 25 open for my mail.

I force a SQL request through that open port.

Once it's inside, there's no way to then get that to connect to the SQL server? Unless of course I allow my SQL server to specifically accept traffic on port 25?

Sorry if this sounds like a hacker's guide for Spirits, sorry, dummies!

"gross retardedness"
Lol, isn't that just another definition for users?

I think I am getting it! Thanks,

Iain
 
Lets say you have sendmail running on port 25. It is listening for connection requests, ostensibly to handle your mail.

Now you "force an SQL request through that open port". Since sendmail is listening on that port, and you didn't send a request that sendmail understands, sendmail will send you a reset (disconnect).

If your SQL server is listening on port 25, your request would get answered.
 
lawnboy is right: if you forward in a port, doesn't matter what port, to a server that has a service that will respond on that port, it will only answer in the fashion it was designed. You could set up your SQL server to listen on port 25 if you wanted, forward port 25 from the internet to that server, and it could get hacked with a SQL exploit on port 25. But I don't think anyone would try to exploit SQL on port 25; they would be trying to exploit port 1433 for MS SQL. What you would see is people hitting your SQL server with SMTP exploits more than likely, and your SQL server would just drop the connection attempts.

RoadKi11
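As an added example (not part of the thread or anyone's post in it), a small Python model of the distinction lawnboy and RoadKi11 describe: a blocked port is unreachable, a forwarded port reaches whatever daemon really listens behind it, and that daemon only answers requests in its own protocol. The hosts, ports, service names and firewall rules are constructed to match the thread's scenario (IIS reachable on 3080 from outside, mail on 25, SQL blocked on 1433).

```python
from dataclasses import dataclass, field


@dataclass
class Service:
    name: str       # e.g. "sendmail"
    protocol: str   # the only protocol this daemon understands


@dataclass
class Host:
    listeners: dict = field(default_factory=dict)   # internal port -> Service


@dataclass
class Firewall:
    blocked: set = field(default_factory=set)       # external ports dropped outright
    forwards: dict = field(default_factory=dict)    # external port -> (host, internal port)


def probe(fw: Firewall, hosts: dict, ext_port: int, protocol: str) -> str:
    """What an outside client speaking `protocol` gets when it hits ext_port."""
    if ext_port in fw.blocked or ext_port not in fw.forwards:
        return "filtered"                        # nothing reachable behind this port
    host, int_port = fw.forwards[ext_port]
    svc = hosts[host].listeners.get(int_port)
    if svc is None:
        return "connection refused"              # forwarded to a port nobody listens on
    if svc.protocol != protocol:
        return f"reset by {svc.name}"            # daemon does not understand the request
    return f"answered by {svc.name}"


def build_network():
    """Constructed layout: IIS on 80 internally but exposed as 3080, mail on 25, SQL blocked."""
    hosts = {
        "web": Host({80: Service("IIS", "http")}),
        "mail": Host({25: Service("sendmail", "smtp")}),
        "sql": Host({1433: Service("MSSQL", "tds")}),
    }
    fw = Firewall(blocked={80, 1433}, forwards={3080: ("web", 80), 25: ("mail", 25)})
    return fw, hosts


def sql_on_25():
    """RoadKi11's variant: SQL Server itself listening on 25 and forwarded from outside."""
    fw, hosts = build_network()
    hosts["sql"].listeners[25] = Service("MSSQL", "tds")
    fw.forwards[25] = ("sql", 25)
    return fw, hosts


if __name__ == "__main__":
    fw, hosts = build_network()
    for port, proto in [(80, "http"), (3080, "http"), (1433, "tds"), (25, "tds"), (25, "smtp")]:
        print(port, proto, "->", probe(fw, hosts, port, proto))
    fw2, hosts2 = sql_on_25()
    print(25, "tds", "->", probe(fw2, hosts2, 25, "tds"))
```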
 
"Port blocking is used to block access to services from the internet."

Not just for that reason. You can block services or machines internally, i.e. blocking port 20/21 of an internal FTP box.
 
All ports are potential security risks. However, users (internal and external) need to operate by given rules of the internet.

Like traffic laws, someone always finds the time and ways to get tickets or even hurt.

Check out what historically hit certain ports at this link:
 
Thanks for all the help.

Now I can discuss this with people without regurgitation!

Many Thanks,
Iain
 