
Understanding Port Exposure
Each Win2K service uses one or more protocols to implement network connections. When a service is running, it listens for incoming requests on the port associated with the protocol. Because 65,535 ports exist, international standards maintain order for worldwide communication by associating a specific port number with a specific protocol (e.g., FTP, HTTP) and thus with the service that uses the protocol. You can see the port assignments at http://www.isi.edu/in-notes/iana/assignments/port-numbers. (For information about the two types of ports that exist, see the Web-exclusive sidebar "TCP vs. UDP Ports.")

The standards further divide these 65,535 ports into three groups: well-known ports (0 to 1023), user-registered ports (1024 to 49,151), and dynamic or private ports (49,152 to 65,535). Well-known ports facilitate common network communication between similar and disparate network operating systems. So, for example, the Telnet service uses the Telnet protocol, which listens on port 23 for incoming connections. Likewise, the FTP service responds to incoming and outgoing requests on port 21, the SMTP service you activate when you send mail listens on port 25, the POP3 service you activate when you receive mail listens on port 110, and the HTTP service listens for nonsecure connections (i.e., http:// requests) on port 80 and secure connections (i.e., https://) on port 443. NetBIOS broadcasts names on port 137 and creates connections to local shares on port 139.

When you stop a Win2K service, you must be aware of two important concerns. First, when you stop a service, you stop responses to incoming requests on the companion port. Because the service no longer answers, you block both intrusive and legitimate attempts to access your system. When you disable the FTP service on your Internet system, you can no longer store or retrieve files from your machine when you're at a remote location, and you might not be able to live with this restriction. Second, even when you stop multiple services, you don't deter access to higher-numbered ports. Most personal firewalls, however, let you filter or restrict incoming connections for standard services such as Telnet and FTP so that you can permit legitimate connections from known addresses and deny connections from unknown addresses. Firewalls also have built-in rules that stop known Trojan-horse attacks by prohibiting access to ports in the user-registered and dynamic port ranges.
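The practical check that follows from the two concerns above is an inventory of what is actually listening. The script below is an added example, not code from the article or from Windows 2000 Magazine: it parses a constructed sample of Windows `netstat -an` output, classifies each listening port into the three IANA ranges the article describes, labels the well-known ports the article names, and flags any listener on an unfamiliar registered or dynamic port for review. The `KNOWN_SERVICES` map is a small hypothetical subset of the IANA assignments, and the sample listing is constructed input.

```python
"""Inventory listening ports from a Windows 'netstat -an' listing.

Added example; not from the original article. The netstat lines below are
constructed sample input, and KNOWN_SERVICES is a hypothetical subset of the
IANA port assignments the article links to.
"""
import re
from typing import Dict, List, Optional, Tuple

# Well-known service ports the article names (hypothetical subset of the IANA
# registry; a real inventory would load the full assignments list).
KNOWN_SERVICES: Dict[int, str] = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 110: "POP3",
    137: "NetBIOS name service", 139: "NetBIOS session service", 443: "HTTPS",
}

def port_range(port: int) -> str:
    """Classify a port into the three ranges the article describes."""
    if not 0 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

# Windows netstat -an rows look like:
#   "  TCP    0.0.0.0:21    0.0.0.0:0    LISTENING"
#   "  UDP    0.0.0.0:137   *:*"
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_listeners(netstat_output: str) -> List[Dict[str, object]]:
    """Return one record per listening socket.

    A TCP socket counts only in LISTENING state; every bound UDP socket
    counts, because UDP has no connection state to distinguish listeners.
    """
    listeners: List[Dict[str, object]] = []
    for line in netstat_output.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header lines and anything we do not understand
        proto, addr, port_text, _remote, state = m.groups()
        port = int(port_text)
        if proto == "TCP" and state != "LISTENING":
            continue
        service: Optional[str] = KNOWN_SERVICES.get(port)
        listeners.append({"proto": proto, "addr": addr, "port": port,
                          "range": port_range(port), "service": service})
    return listeners

def review_listeners(listeners: List[Dict[str, object]]) -> Tuple[list, list]:
    """Split listeners into recognised services and items needing review.

    Stopping a service closes its well-known port, but a listener on an
    unfamiliar registered or dynamic port is exactly what the article says
    firewall rules exist to catch, so those are flagged for a human to check.
    """
    known, review = [], []
    for rec in listeners:
        (known if rec["service"] is not None else review).append(rec)
    return known, review

# Constructed sample in the Windows 2000 'netstat -an' format (not real data).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27500          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1029       10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    192.168.1.5:53210      *:*
"""

if __name__ == "__main__":
    known, review = review_listeners(parse_listeners(SAMPLE_NETSTAT))
    for rec in known:
        print(f"{rec['proto']}/{rec['port']:<5} {rec['range']:<10} {rec['service']}")
    for rec in review:
        print(f"{rec['proto']}/{rec['port']:<5} {rec['range']:<10} REVIEW: no known service")
```

Run against real `netstat -an` output, the review list is the set of ports to reconcile with the services you believe you have running; anything left unexplained is a candidate for a firewall deny rule rather than a service you can simply stop.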

Closing the Gaps with a Personal Firewall
In Part 2, I'll discuss how you can significantly reduce remaining vulnerabilities by installing a personal firewall. I'll explain how firewalls implement realtime protection with a set of port rules that permit or deny access, and I'll review three important features that you should evaluate before you select a personal firewall product. I'll also discuss intrusion alerts and show you logs of known Trojan-horse and port-scanner attacks. I have lengthy logs of repeated attempts to invade my network, launched from places as far away as Asia and as near as Silicon Valley. If you don't think Internet intrusion is a reality, these examples will convince you that a firewall is a mandatory component of a well-protected SOHO network.

Related Articles in Previous Issues
You can obtain the following articles from Windows 2000 Magazine's Web site at http://www.win2000mag.com/articles.

RANDY FRANKLIN SMITH
"Audit Account Logon Events," March 2001, InstantDoc ID 19677

You can obtain the following articles from the Windows IT Security Web site at http://www.WindowsITsecurity.com.

RANDY FRANKLIN SMITH
"Dangerous Services, Part 3," January 2001, InstantDoc ID 16476
"Dangerous Services, Part 2," December 2000, InstantDoc ID 16363
"Dangerous Services, Part 1," December 2000, InstantDoc ID 16301
