John Pescatore

A member of the Gartner Blog Network


A Storm in Any Port

June 15th, 2009 · 1 Comment

I regularly take a look at the SANS Top 10 report, which lists the ten ports currently most targeted by attacks. A few ports are always under attack: Microsoft SQL Server (1433/1434), Windows RPC (135), NetBIOS (139) and SMB (445), along with the major protocols like HTTP and Telnet. Those are basically the front doors; if you leave them unlocked or unguarded, you pretty much deserve what happens to you.

But it is also interesting to look at the lesser-known ports when they pop up in the SANS Top 10. As I look now, 1024 is number two as an attack source. It is the first non-privileged port, so it shows up as a dynamically assigned port for DNS and Windows DCOM services, but it is also a favorite of malware such as NetSpy and various RATs. Number three in incident reports is port 8906, which is most commonly associated with Cisco’s Clean Access NAC appliance. Number two in attack targets is 4899, the default port of Famatech’s Radmin remote control software, which is also used by various forms of malware.

It all comes back to the old “deny all except what is explicitly allowed” philosophy of firewall policy. But it is pretty rare to find a rule set that actually implements it. In fact, it is pretty rare to find an enterprise firewall policy where anyone is sure exactly what policy the rule set implements. Most rule sets have mutated through years of incremental adds, drops and changes into gargantuan linear lists that now have a life of their own.

If you are making any kind of major firewall transition due to a refresh, consolidation, virtualization or a merger/acquisition, it’s a great idea to take the opportunity for a greenfield approach to firewall policy and start from scratch. Often you’ll find that easily 30% of the exceptions are no longer needed; most of those old legacy apps now sneak through on port 80 anyway…
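As an added example (not code from this post, from Gartner, or from any firewall vendor), the following Python script asks the question the paragraphs above say nobody can answer: what policy does this rule base actually implement? It models a first-match rule base, finds rules that are shadowed by earlier rules (dead weight, or worse, a deny buried under an allow), flags wildcard allows that make a final deny meaningless, and probes whether the front-door ports from the top of the post are reachable from an untrusted address. The rule format, both sample rule bases (a mutated one and its greenfield rebuild), the internal 10.0.0.0/8 range, the rule names and the documentation-range addresses are all constructed assumptions.

```python
"""Audit a first-match firewall rule base: does it really implement "deny all
except what is explicitly allowed", and which rules are dead?  Added example,
not code from the original post or from Gartner; the rule format, sample rule
bases and front-door port list are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (1, 65535)
# Ports the post calls the "front doors" (assumed list for the exposure check).
FRONT_DOOR_PORTS = (135, 139, 445, 1433, 1434, 4899)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    proto: str                  # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Tuple[int, int]     # inclusive destination port range


def rule(name, action, proto="any", src="0.0.0.0/0", dst="0.0.0.0/0", dports=ANY_PORTS):
    """Constructor so rule bases read like a firewall config."""
    return Rule(name, action, proto, ipaddress.ip_network(src), ipaddress.ip_network(dst), dports)


def covers(a, b):
    """True if every packet matched by rule b is also matched by rule a (actions ignored)."""
    return ((a.proto == "any" or a.proto == b.proto)
            and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)
            and a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1])


def find_shadowed(rules):
    """(rule, earlier rule) pairs where the earlier rule covers the later one, so the
    later rule never fires: dead weight, or a silent policy change if the actions differ."""
    shadowed = []
    for i, r in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, r):
                shadowed.append((r.name, earlier.name))
                break
    return shadowed


def evaluate(rules, default_action, proto, src_ip, dst_ip, dport):
    """First-match evaluation of one packet; returns (action, name of the rule that fired)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if ((r.proto == "any" or r.proto == proto) and src in r.src and dst in r.dst
                and r.dports[0] <= dport <= r.dports[1]):
            return r.action, r.name
    return default_action, "<default>"


def is_wildcard_allow(r):
    """Allow from anywhere, any protocol, any port: makes a final 'deny' meaningless."""
    return r.action == "allow" and r.src == ANY_NET and r.proto == "any" and r.dports == ANY_PORTS


def exposed_front_doors(rules, default_action, internal_net, untrusted_ip="198.51.100.7"):
    """Front-door ports an arbitrary outside host can reach on the first address of internal_net."""
    probe_dst = str(next(ipaddress.ip_network(internal_net).hosts()))
    exposed = []
    for port in FRONT_DOOR_PORTS:
        for proto in ("tcp", "udp"):
            action, name = evaluate(rules, default_action, proto, untrusted_ip, probe_dst, port)
            if action == "allow":
                exposed.append((proto, port, name))
    return exposed


def audit(rules, default_action, internal_net="10.0.0.0/8"):
    """Does the rule base really implement default deny, and what is dead or exposed?"""
    wildcard = [r.name for r in rules if is_wildcard_allow(r)]
    return {"default_deny": default_action == "deny" and not wildcard,
            "wildcard_allows": wildcard,
            "shadowed": find_shadowed(rules),
            "exposed_front_doors": exposed_front_doors(rules, default_action, internal_net)}


# Constructed rule base that has mutated the way the post describes.
SAMPLE_RULES = [
    rule("web-in", "allow", "tcp", dst="10.0.1.0/24", dports=(80, 80)),
    rule("https-in", "allow", "tcp", dst="10.0.1.0/24", dports=(443, 443)),
    rule("legacy-radmin", "allow", "tcp", src="203.0.113.0/24", dst="10.0.5.10/32", dports=(4899, 4899)),
    rule("dns-out", "allow", "udp", src="10.0.0.0/8", dports=(53, 53)),
    rule("temp-fix-ticket-1187", "allow", dst="10.0.0.0/8"),  # the "just make it work" rule
    rule("block-smb", "deny", "tcp", dst="10.0.0.0/8", dports=(445, 445)),  # never fires
    rule("web-in-dup", "allow", "tcp", dst="10.0.1.0/24", dports=(80, 80)),  # duplicate
]
# The same policy rebuilt greenfield: the temp fix and the duplicate are gone.
CLEAN_RULES = [r for r in SAMPLE_RULES if r.name not in ("temp-fix-ticket-1187", "web-in-dup")]

if __name__ == "__main__":
    for label, rules in (("mutated", SAMPLE_RULES), ("greenfield", CLEAN_RULES)):
        print(label, audit(rules, "deny"))
```

Running it prints the audit for both rule bases. The mutated one reports default_deny False because of the temp-fix rule, two shadowed rules (including the SMB block, which sits under that allow and never fires), and all six front-door ports reachable over both TCP and UDP; the greenfield rebuild reports default deny with nothing shadowed or exposed, while the Radmin exception from 203.0.113.0/24 still works. Real rule bases carry zones, negated objects, NAT and schedules that this model ignores, so it is the skeleton of a check, not a substitute for a vendor exporter.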


Tags: Uncategorized

1 response so far

Elizabeth Safran // Jun 15, 2009 at 5:54 pm

    Hi John,

    As the Corp Comm person for Tufin, you’re singing to the (cyber) choir.

    Interestingly enough, we’ve found that the trend is more the opposite of the old adage, along the lines of “Accept all except what is explicitly denied…”

    It’s not out of laziness or stupidity either – it’s out of a lack of transparency (which seems to be at the root of many evils these days), visibility and process.

    We think we’ve come up with something really cool that is ‘preventative,’ as far as keeping rule base bloat in check, and we’ll be talking to you soon enough for you to make your own call on how valid that claim is (so until then, go ahead and cringe…)

    Anyhow…we’ve been living and breathing this for quite some time.

    We’re just wondering how big a deal this is amongst your client base…maybe we can talk about this in DC?

    Thanks
    Liz Safran
    Tufin PR
