Firewalls, Servers, and Ports?

damarious25

Ok, situation. I've taken over a network with a small number of servers. This network has never had a firewall... :( I now have firewalls, but am having trouble finding out what ports to open.

I have used "netstat -a -n -o" to try and get a list but the list for each server is massive and I'm not sure I'm using the netstat command properly for this task. If this is correct, then I have to sort through every entry, match it with a PID, then edit a rule on the firewall. Tedious. Is it the only way?

Looking on the net, I see lots of port sniffers more so than a definitive way to find out "these are your open ports".

Anyone face this where they had to set up a firewall from scratch on a new network with absolutely no documentation on what's currently in place?
 
Services should only be open to the world through firewalls that have a business justification. The first conversation to have is with your users and leadership to understand what their use cases are for the data and services on the servers.
 
just keep everything closed until someone complains about something not working...

I mean, check the obvious things... running a VPN server? Running a web server?

That's how you gotta do it if there isn't any documentation...

There should be a document somewhere saying what should be externally accessible; if there isn't, then too bad.
 
Running NMAP/ZenMap can give you a list of open ports for each machine, but like green91 said, only open ports to the public that need to be opened. 3 servers running Apache? 1 internal wiki, 1 test site, and 1 company site. Only forward to the company site. Don't give the public access to more than they need.
 
You should first compile a list of what services are offered to the outside world by each server, and on what IP address each one is offered. I'm assuming that there was no port forwarding involved if there was no firewall previously. With that list, open the necessary inbound ports, only to those specific addresses.

Then wait to see if you get any reports of services being unavailable. Investigate and open additional ports as necessary.
 
I will usually do a:
netstat -an|find "LISTEN"|find "192.168"
(or whatever your ip octet begins with)

This will filter only the listening ports bound to the IP address (no loopback connections).
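As an added example (not from any poster in this thread), here is a small parser for the "netstat -a -n -o" output the original question mentions. It keeps TCP sockets in LISTENING state and all UDP bindings, drops loopback-only binds, and keeps wildcard binds (0.0.0.0 and [::]) that a plain address-string filter would drop, then groups them by port and PID as a worksheet to review with service owners before writing firewall rules. The netstat sample is constructed, not captured from a real host.

```python
from collections import defaultdict

# Constructed sample of Windows "netstat -a -n -o" output (not from any real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:5432         0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:80        0.0.0.0:0              LISTENING       2044
  TCP    192.168.1.10:49800     192.168.1.50:445       ESTABLISHED     4
  TCP    [::]:3389              [::]:0                 LISTENING       1212
  TCP    [::1]:8080             [::]:0                 LISTENING       2044
  UDP    0.0.0.0:53             *:*                                    1604
  UDP    127.0.0.1:1900         *:*                                    2368
"""

LOOPBACK_PREFIXES = ("127.", "[::1]")

def split_addr(addr):
    """Split 'host:port' (IPv4 or bracketed IPv6) into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host, int(port)

def listening_sockets(netstat_output):
    """Map (proto, port) -> set of PIDs for sockets reachable from the network:
    TCP rows in LISTENING state and all UDP rows, minus loopback-only binds.
    Wildcard binds (0.0.0.0, [::]) are kept: they answer on the LAN address too."""
    found = defaultdict(set)
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("TCP", "UDP"):
            continue  # header / blank lines
        proto, local = fields[0], fields[1]
        # TCP rows carry a State column; UDP rows do not. PID is always last.
        if proto == "TCP" and fields[3] != "LISTENING":
            continue
        host, port = split_addr(local)
        if host.startswith(LOOPBACK_PREFIXES):
            continue
        found[(proto, port)].add(int(fields[-1]))
    return dict(found)

def rule_worksheet(netstat_output):
    """One line per candidate inbound rule, by port, to review with service owners."""
    socks = listening_sockets(netstat_output)
    return [f"{proto}/{port}  pid={','.join(map(str, sorted(pids)))}"
            for (proto, port), pids in sorted(socks.items(), key=lambda kv: kv[0][::-1])]

if __name__ == "__main__":
    print("\n".join(rule_worksheet(SAMPLE_NETSTAT)))
```

Run it against saved netstat output from each server and map each PID back to its service with tasklist before deciding which rows get a rule.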
 
Anyone face this where they had to set up a firewall from scratch on a new network with absolutely no documentation on what's currently in place?

lol yes, it's called onboarding just about any new client with <200 users.

Is there an existing domain? If yes, then DNS should be on the Domain Controller. The DC will need 53 TCP/UDP open.

Is there a local email server? Port 25 to the mail server is needed.

Is it Exchange on premises? Possibly need some MRS or autodiscovery ports... Google what numbers; they are all on TechNet in a neat little article.

Got an internal web server? 80 and/or 443 to that local IP...
(the regular stuff...)

Do they use RDP? Port 3389, then.

Then, when people say "My xxx-application doesn't work?!?!?" you just google: "What ports does xxx-application require". Hopefully you have already asked several people what types of software they use on a typical day, so you know most of what to google from those conversations, and can plan your firewall policy mostly in advance.
 
Since you haven't had a firewall before, don't assume that all traffic is legit. It is possible that one or more machines have unwanted software running.

When faced with a similar situation where I worked, I got the IT manager's approval and added the default block-everything-to-everywhere rule after sending an agency-wide email to notify IT if something stopped working. Didn't take long to figure out what ports were needed. Just check the logs on the default policy. Found a few things running on servers and workstations that were not approved software.
 