When used in construction or engineering, the term "firewall" means what it seems to mean: a wall capable of withstanding fire. It evokes something impenetrable, like a sheet of steel or a brick wall. However, in computer networking the term "firewall" means something porous. Like the strainer a chef pours his soup stock through, a firewall stops all the bones (bad stuff), but lets all the broth (good stuff) through -- at least, in theory.
But how does a firewall know what's bad, and what's good? How can it tell whether a data packet contains an attack, or information you've been eagerly awaiting? It can't. The firewall just follows a set of rules, often referred to as policy, that you define. You're the one who categorizes types of network traffic as "good" or "bad."
Reading that, you might moan, "Argh! This box was supposed to solve my security problems! Now it's waiting for me to tell it what to do! What do I do?" Nowadays, next generation firewalls (NGFW) allow you to make policies using many attributes, including ports and services, users and groups, and even by defining granular access policies to specific network applications (using something referred to as application control). However, the primary mechanism firewalls used to rely on for allowing or denying network traffic is ports and services. So, a good first step in managing your firewall is to get a quick and dirty understanding of how ports work, and what a given port is used for. This knowledge provides you a starting point for figuring out what Internet traffic to permit through the firewall, and what to deny.
The Quick and Dirty about Ports
Since the whole Internet comes to your system over one big wire, how does your network distinguish streaming video from a Web page, and an email from a sound file? The answer is complex, but part of it is, the geek gods (read: inventors of Internet Protocol, or IP) came up with services and ports.
What are services? The five most commonly-used Internet services are:
- World Wide Web access (using the Hyper-Text Transfer Protocol, or HTTP)
- E-mail (using the Simple Mail Transfer Protocol, or SMTP)
- File transfer (using the File Transfer Protocol, or FTP)
- Translating a host name into an Internet address (using the Domain Name System, or DNS)
- Remote terminal access (For example, Telnet, Secure Shell, RDP, or VNC)
In order to help systems understand what to do with the data that flows into them, the geek gods conceived ports. The term "port" can refer to a physical hole in a device where you plug something in (such as, "serial port" or "ethernet port"). But when used in relation to IP services, "ports" are not physical. Ports are a highly structured game of "Let's Pretend" (the geek term is logical construct), that Internet users agree to if they want to play with one another. Ports do what they do simply because early Internet users reached consensus concerning them. If that seems abstract, remember that money works the same way. Why is a green-tinted picture of Benjamin Franklin worth a hundred US dollars? Because we all agree that it is. Why do ports work? Because we all want them to.
So, some geek god arbitrarily decreed in basso profundo tones, "When we send information to each other's systems and address it to port number 25, let us herewith agree to assume that information is SMTP data, and thus treat it as e-mail."
Another geek god responded in kind, saying, "So let it be written. And when we send information to each other's systems and address it to fictitious port number, um, 80, let us agree to treat that information as HTTP data, so that we may have Web pages." And the other geek gods chorused, "So let it be done."
Okay, it wasn't quite that simple. It actually involved lots of boring committees sorting things out over decades and recording them in dull RFCs, but what my version lacks in accuracy, it gains in brevity. My point is, a port is a made-up, or logical, endpoint for a connection, and ports allow the Internet to handle multiple applications over the same wires. Your system figures out how to treat data coming at it partially by looking at what port the data is destined for.
Bartender, more port for everyone!
Since there are five commonly used Internet services, the geek gods could've made up 20 or 30 ports (to allow room for future technologies), and called it an epoch. But apparently, making up ports is addictive, because today the Internet Assigned Numbers Authority (IANA) maintains a registry (once published as RFC 1700, now kept online) that sets aside ports 0 through 1023, all 1,024 of them, as the "well-known ports," assigns thousands more in the "registered" range (1024 through 49151), and leaves the rest (49152 through 65535) as "dynamic" or ephemeral ports that client programs grab temporarily. That is 65,536 port numbers in all, and the whole set exists separately for each transport protocol: TCP port 53 and UDP port 53 are different ports, and a firewall rule has to say which one it means.
What in the world are all those ports used for? See for yourself by consulting the official IANA list.
But here's a key concept: physically, we're still dealing with nothing more than a wire running from your ISP to your machine. IANA can specify how the geek gods officially intend the ports to be used, but nothing stops anyone from doing whatever they want with any port. For example, HTTP traffic (Web pages and HTML), by convention, uses port 80. But if I want to send HTTP data to your port 8080 or 8888 just to see what happens, I can. In fact, if you and I agree to use 8080 for HTTP traffic in either direction, and configure our systems to follow that convention, it will work. The flip side matters for your firewall: a rule that allows port 80 allows whatever anyone chooses to send to port 80, HTTP or not. A port number is a label, not proof of what is inside the packet, which is the gap the application control mentioned earlier tries to close.
Which is where the fun begins for all those evil hackers as they cackle maliciously, wash their hands in the air, and contemplate breaking your system.
A port is "open" when some program on the machine is listening on it, ready to accept whatever arrives, and "closed" when nothing is. If your mail server is in a state of readiness to receive SMTP traffic, we call that "listening on port 25," and port 25 is open. A firewall adds a third state: when it silently drops packets aimed at a port, an outsider gets neither an answer nor a refusal, and port scanners report the port as "filtered." The main reason you interject a firewall between the Internet and your system is to get in the way of outsiders trying to reach open ports. The applications on your network's machines can open ports without waiting for your knowledge or permission. Some, like peer-to-peer file sharing or video conferencing software, open ports with the single-minded obsession of a frenzied border collie. Each of those open ports becomes another potential hole in your security, gullibly accepting whatever is sent to it, unless you take proactive steps to block it.
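To make "listening" concrete, here is an added example (not code from the original article, nor a WatchGuard tool) that opens a throwaway TCP listener on the loopback interface and then probes it the way a port scanner would. Nothing leaves the machine; the listening port is chosen by the kernel so it cannot collide with a real service.

```python
"""Added example (not from the original article): what "listening" means.

Opens a throwaway TCP listener on 127.0.0.1, then probes it and a port that
nothing is listening on. Everything stays on the loopback interface.
"""
import socket

LOOPBACK = "127.0.0.1"


def start_listener():
    """Bind and listen on a kernel-chosen free TCP port on loopback.

    Nothing ever calls accept(): the kernel still completes the three-way
    handshake on behalf of a listening socket, which is exactly why an idle
    service left listening already counts as an "open port" to an outsider.
    Returns (socket, port). The caller closes the socket when done.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((LOOPBACK, 0))  # port 0 asks the kernel for any free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port():
    """Find a port nothing is listening on, to demonstrate a closed port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((LOOPBACK, 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host, port, timeout=0.5):
    """TCP connect probe, the simplest kind of port scan.

    "open"     : handshake completed, something is listening
    "closed"   : host answered with a reset, nothing is listening
    "filtered" : no answer before the timeout; this is what a firewall
                 silently dropping the packet looks like from the outside
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError as e:
        return "error: %s" % e
    finally:
        s.close()


def scan(host, ports, timeout=0.5):
    """Probe each port in turn and return {port: state}."""
    return {p: probe(host, p, timeout) for p in ports}


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    for port, state in scan(LOOPBACK, [open_port, closed_port]).items():
        print("%s:%d %s" % (LOOPBACK, port, state))
    srv.close()
```

Run it and you will see one port reported open and one closed. Close the listener and the same probe reports the first port closed too: the port was never "open" by itself, only while a program was listening on it.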
Now, back to the evil hackers. They count on you being clueless about ports. Hoping you've left something "listening," they send probes to your network addressed to ports you never thought of (such as port 31337, because in the number-for-letter spelling script kiddies favor, 31337 reads as ELEET -- as in, "elite" hacker). Researchers have posted several lists of ports that hackers consistently abuse. Search for such lists and consult them for real help when you interpret your firewall logs.
So here's the point of this entire article: if you leave ports open, your network could accept whatever a hacker sends. Your goal is to block every port you can. Managing your firewall largely means playing around with ports and services, blocking whole ranges of ports -- everything that your business does not require open. Although the default stance of the Firebox is to deny everything, since the day it was installed at your office, someone has opened it -- that is, instructed it to allow network traffic through to certain ports on certain machines in your network. Was the firewall opened selectively and carefully? Or did someone mumble, "I don't have time for this," and create rules so the firewall permits everything, from anywhere, to anywhere? If so, you don't really have a firewall. You have an expensive red paperweight.
Now that I know about ports, what should I do?
- Look at your Firebox log entries, learn which fields indicate ports (the transport protocol, the source port, and the destination port), and monitor your network traffic to see what hits your system daily from the outside Internet. Compare anything unusual with a list of abused ports.
- Learn how to manually allow and deny services and ports on your Firewall, and get used to adjusting them frequently.
- Establish a regular time (at least twice a month) when you scan your network to find all open ports. Scan from outside the firewall as well as inside, so you see what an attacker sees. Close anything you can. If in doubt, block the port. The worst that can happen is an angry co-worker saying, "I can't listen to Internet radio!" Fifty such complaints are more desirable than one successful virus or Trojan horse.
- Once you get familiar with allowing and denying outside-in access to network ports, consider also egress filtering, which means controlling inside-out access from your network as well. Egress filtering further protects you from client-based network attacks: a machine inside your network that has already been compromised, say by a Trojan horse, usually has to connect out to its controller, and a firewall that only watches inbound traffic lets it.
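The steps above (find the port fields in your logs, compare hits against an abused-ports list, check what is allowed against what the business actually needs, in both directions) can be scripted. The following is an added example, not code from the original article and not a WatchGuard tool. The log format it parses is a constructed, generic key=value line, not the Firebox's own format, so parse_line() is the part you would adapt to your logs. WATCHLIST and ALLOWED are placeholders: fill the first from one of the published abused-ports lists the article mentions, and the second from the services your business really needs.

```python
"""Added example (not from the original article): triaging firewall log
lines by destination port and direction.

The log lines, the watch list and the allow list are all constructed
placeholders; adapt parse_line() and the two sets to your own environment.
"""
import re
from collections import Counter

# Constructed sample log (generic key=value format, not any vendor's).
SAMPLE_LOG = """\
2009-03-02T08:01:12 action=allow dir=in proto=tcp src=198.51.100.7 sport=51234 dst=192.0.2.10 dport=80
2009-03-02T08:01:13 action=allow dir=in proto=tcp src=198.51.100.7 sport=51235 dst=192.0.2.10 dport=443
2009-03-02T08:02:40 action=deny dir=in proto=tcp src=203.0.113.9 sport=40001 dst=192.0.2.10 dport=23
2009-03-02T08:02:41 action=deny dir=in proto=tcp src=203.0.113.9 sport=40002 dst=192.0.2.10 dport=31337
2009-03-02T08:02:42 action=deny dir=in proto=tcp src=203.0.113.9 sport=40003 dst=192.0.2.11 dport=31337
2009-03-02T08:03:05 action=allow dir=in proto=udp src=198.51.100.22 sport=53 dst=192.0.2.12 dport=53
2009-03-02T08:04:19 action=allow dir=in proto=tcp src=203.0.113.9 sport=40004 dst=192.0.2.13 dport=3389
2009-03-02T09:15:00 action=allow dir=in proto=tcp src=198.51.100.40 sport=60123 dst=192.0.2.10 dport=25
2009-03-02T09:20:31 action=allow dir=out proto=tcp src=192.0.2.50 sport=49876 dst=198.51.100.99 dport=443
2009-03-02T09:21:07 action=allow dir=out proto=tcp src=192.0.2.50 sport=49877 dst=203.0.113.77 dport=6667
"""

# Placeholder watch list: ports you consider worth a second look whenever
# they appear, whatever the firewall did with the packet.
WATCHLIST = {23, 31337}

# Placeholder business policy: (protocol, port) pairs approved per direction.
ALLOWED = {
    "in": {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)},
    "out": {("tcp", 80), ("tcp", 443), ("tcp", 25), ("udp", 53)},
}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value log line into a dict; the two port fields become ints."""
    fields = dict(FIELD_RE.findall(line))
    for key in ("sport", "dport"):
        if key in fields:
            fields[key] = int(fields[key])
    return fields


def port_range(port):
    """Name the IANA range a port number falls in (0-1023 well-known,
    1024-49151 registered, 49152-65535 dynamic)."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %r" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"


def triage(log_text, watchlist, allowed):
    """Summarize hits per (direction, protocol, destination port) and flag:
    - any hit on a watch-listed port (allowed or denied), and
    - traffic the firewall *allowed* to a port the business never approved,
      in either direction (the outbound case is what egress filtering is for).
    Ports are counted per transport protocol, since tcp/53 and udp/53 differ.
    """
    hits = Counter()
    watched = []
    unapproved = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if "dport" not in rec or "dir" not in rec:
            continue  # not a connection record; skip it
        hits[(rec["dir"], rec["proto"], rec["dport"])] += 1
        if rec["dport"] in watchlist:
            watched.append(rec)
        if rec["action"] == "allow" and (rec["proto"], rec["dport"]) not in allowed.get(rec["dir"], set()):
            unapproved.append(rec)
    return hits, watched, unapproved


if __name__ == "__main__":
    hits, watched, unapproved = triage(SAMPLE_LOG, WATCHLIST, ALLOWED)
    for (direction, proto, dport), n in sorted(hits.items()):
        print("%-3s %s/%-5d (%s) hits=%d" % (direction, proto, dport, port_range(dport), n))
    for rec in watched:
        print("WATCH   %s -> %s %s/%d (%s)" % (rec["src"], rec["dst"], rec["proto"], rec["dport"], rec["action"]))
    for rec in unapproved:
        print("REVIEW  allowed %s %s -> %s %s/%d but not in policy" % (rec["dir"], rec["src"], rec["dst"], rec["proto"], rec["dport"]))
```

On the sample data the script reports two things worth a rule change: an inbound connection the firewall allowed to tcp/3389 on an internal host, and an outbound connection from an internal host to tcp/6667 that no policy approved. The denied probes to 23 and 31337 are the firewall doing its job; they are listed so you can see who is knocking, not because they need a fix.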
Ports are a foundational building block of the Internet, and thus, of Internet security. Have fun researching them. The more you learn, the smarter your firewall configuration will become. With a little practice, you'll get it looking less like Swiss cheese, and more like the steel barrier "firewall" implies.
- One of the most respected books on this subject, Firewalls and Internet Security: Repelling the Wily Hacker, by William Cheswick and Steve Bellovin, has been posted on the Web in full at www.wilyhacker.com.