  • open ports - security and locking to IP's

    Hi Guys,

    On visiting a new customer, an audit found port 3389 (RDP) open to all IPs. Not necessarily the customer's fault, and more that of the existing support company.

    My suggestion was that it should be locked down to the support company's external IP (standard practice for myself). I also noticed that LDAP and 25 (SMTP) were also wide open (he was being spammed directly on port 25; I suggested he needed to lock this down to his mail provider's external IP also). The current firewall does not allow you to specify a WAN IP, so I quoted for a firewall that does.

    I have received a call from the existing support company saying that I am wrong and the firewall is secure.

    I just wondered what your thoughts and practices were and what advice you would give to the customer?

  • #2
    Re: open ports - security and locking to IP's

    It depends on the details. Did you perform an outside-to-inside scan, or did you do an inside scan only? Is port 3389 open from the outside to the inside to all internal IPs? Can you do a port scan on their public IP range and see ports open that you think should not be open? Is port 25 open from the outside to the inside for IPs other than the internal mail server? Is LDAP open from the outside to the inside? Does the firewall allow inbound ping and traceroute packets?

    Your concerns are valid if you are seeing these results after doing an outside-to-inside scan. If you are only doing an internal scan, then that's a different bird altogether.



    • #3
      Re: open ports - security and locking to IP's

      It doesn't matter if the firewall is secure or not, surely? It is the access lists that are being discussed. If 3389 can be tied down to certain remote IP addresses, that is definitely better. Plus, it can be better to nominate a remote access PC and only allow RDP to that machine, therefore using it to bounce to others.

      If you receive mail specifically from an ISP (or something like MessageLabs) then you can restrict SMTP traffic to their IP addresses. If you don't then you will have to leave it open unfortunately.

      I can't imagine why they want LDAP access externally?

      EDIT: (joeqwerty has good points)
      cheers
      Andy

      Quis custodiet ipsos custodes?



      • #4
        Re: open ports - security and locking to IP's

        An external-to-internal scan was performed.

        RDC, LDAP and SMTP are open to all WAN IPs but only point to one internal IP. This IP is their Microsoft SBS server.

        Further tests show I can RDC from any public IP and get the Windows Server 2003 login screen. Nothing major, but in my opinion this should be restricted to the WAN IP of the supporting company?

        Also, LDAP is open for no known reason, and as he is being spammed directly on his IP (avoiding MessageLabs), this should also be locked to only receive from the MessageLabs IP range.

        In my mind it's not as secure as it could be!



        • #5
          Re: open ports - security and locking to IP's

          I would ask the support company and the business. If neither knows, then lock down the LDAP one. The SMTP, assuming you use MessageLabs, should be restricted to their IP addresses (they can provide an up-to-date list). I would also restrict outbound SMTP to only that Exchange server to MessageLabs, to stop viruses being able to send. RDP, depending on your requirements, should be locked to specific IP addresses as well. More secure is better. Personal opinion of course.
          cheers
          Andy

          Quis custodiet ipsos custodes?



          • #6
            Re: open ports - security and locking to IP's

            I don't understand what you mean by "RDC, LDAP and SMTP are open to all WAN IPs but only point to one internal IP". Do you mean that the firewall rule has a statement that allows these ports to any internal IP address? Then how could it point to one internal IP?

            LDAP has nothing to do with email or spam. You should not allow LDAP traffic inbound on the firewall for any reason.

            Since they are using MessageLabs, you should restrict inbound and outbound SMTP traffic to the MessageLabs IP and your internal email server IP only.

            I too would restrict inbound RDP to only the IP of the support company.
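As an added example (not code from anyone in this thread), the following Python models the lock-down that Andy (#5) and joeqwerty (#6) describe: a first-match, default-deny firewall policy evaluated against constructed connection attempts, once for the policy the audit found and once for the restricted one. All addresses are made-up documentation ranges standing in for the SBS server, the support company's external IP and the MessageLabs relay range.

```python
import ipaddress
from collections import namedtuple

# direction is "in" (WAN to LAN) or "out" (LAN to WAN); action is "allow" or "deny"
Rule = namedtuple("Rule", "direction src dst dport action")

# Constructed addresses (not from the thread): the SBS box as seen on the
# public side, the support company's external IP and the mail relay's range.
ANY = ipaddress.ip_network("0.0.0.0/0")
SBS = ipaddress.ip_network("192.0.2.10/32")
SUPPORT_IP = ipaddress.ip_network("203.0.113.5/32")
RELAY_RANGE = ipaddress.ip_network("198.51.100.0/24")

# Policy as the audit found it: three ports forwarded to the SBS box from
# anywhere, and any LAN host allowed to send SMTP straight out.
OPEN_POLICY = [
    Rule("in", ANY, SBS, 3389, "allow"),
    Rule("in", ANY, SBS, 389, "allow"),
    Rule("in", ANY, SBS, 25, "allow"),
    Rule("out", ANY, ANY, 25, "allow"),
]

# Locked-down policy following posts #5 and #6; first match wins, default deny.
LOCKED_POLICY = [
    Rule("in", SUPPORT_IP, SBS, 3389, "allow"),
    Rule("in", RELAY_RANGE, SBS, 25, "allow"),
    Rule("out", SBS, RELAY_RANGE, 25, "allow"),
    # no rule for 389: inbound LDAP falls through to the default deny
]

def evaluate(policy, direction, src, dst, dport):
    """Return the action of the first matching rule, or 'deny' if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if r.direction == direction and r.dport == dport and s in r.src and d in r.dst:
            return r.action
    return "deny"

# Constructed connection attempts mirroring the scenario in the thread.
ATTEMPTS = [
    ("in", "203.0.113.5", "192.0.2.10", 3389),   # support company RDP
    ("in", "198.18.0.77", "192.0.2.10", 3389),   # RDP from an arbitrary host
    ("in", "198.18.0.77", "192.0.2.10", 389),    # LDAP from the internet
    ("in", "198.51.100.20", "192.0.2.10", 25),   # mail via the filtering relay
    ("in", "198.18.0.77", "192.0.2.10", 25),     # direct spam bypassing the relay
    ("out", "192.0.2.10", "198.51.100.20", 25),  # server sends through the relay
    ("out", "192.0.2.50", "198.18.0.9", 25),     # infected workstation sending direct
]

def audit(policy, attempts=ATTEMPTS):
    """Decision for each attempt, in order."""
    return [evaluate(policy, *a) for a in attempts]
```

Run `audit(OPEN_POLICY)` and `audit(LOCKED_POLICY)` side by side: the open policy allows all seven attempts, the locked one allows only the support-company RDP session and mail in and out via the relay.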



            • #7
              Re: open ports - security and locking to IP's

              I am thinking he means any host is allowed inbound to a public ip and that ip is mapped to a single server (guessing SBS here).
              cheers
              Andy

              Quis custodiet ipsos custodes?



              • #8
                Re: open ports - security and locking to IP's

                Originally posted by joeqwerty:
                I don't understand what you mean by "RDC, LDAP and SMTP are open to all WAN IPs but only point to one internal IP". Do you mean that the firewall rule has a statement that allows these ports to any internal IP address? Then how could it point to one internal IP?
                Methinks he means that anyone on the interwebs can RDC through that firewall, but the firewall forwards all RDC traffic to one specific IP address on the LAN. What would seem to be better, as you and others have mentioned, is to restrict RDC connections to only those public IP addresses that actually need it.

                EDIT: AndyJG247 beat me to it! He said it more succinctly as well.


                Originally posted by mordzy:
                Further tests show I can RDC from any public IP and get the Windows Server 2003 login screen. Nothing major, but in my opinion this should be restricted to the WAN IP of the supporting company?
                Your proposed restriction sounds reasonable. What firewall model are we talking about here? ASA, PIX, NetScreen, etc.?


                Originally posted by mordzy:
                Also, LDAP is open for no known reason, and as he is being spammed directly on his IP (avoiding MessageLabs), this should also be locked to only receive from the MessageLabs IP range.
                What's the correlation between LDAP and spam? Am I missing something (which is quite likely)? What is LDAP traffic being forwarded to? A domain controller?
                Wesley David
