Which Protocols to Filter
Next: Problems with Packet
Up: Firewall Components
Previous: Packet Filtering
The decision to filter certain protocols and fields depends on the
network access policy, i.e., which systems should have Internet access
and the type of access to permit.
The following services are inherently vulnerable to abuse and
are usually blocked at a firewall from entering or leaving the site
[Chap92], [Garf92]:
- tftp, port 69, trivial FTP, used for booting diskless workstations,
terminal servers and routers, can also be used to read any file on the
system if set up incorrectly,
- X Windows (ports 6000+) and OpenWindows (port 2000), which can leak
information from X window displays, including all keystrokes,
- RPC, port 111, Remote Procedure Call services including NIS and
NFS, which can be used to steal system information such as passwords and
read and write to files, and
- rlogin, rsh, and rexec, ports 513, 514, and 512, services
that if improperly configured can permit unauthorized access to
accounts and commands.
Other services, whether inherently dangerous or not, are usually filtered
and possibly restricted to only those systems that need them.
These would include:
- TELNET, port 23, often restricted to only certain systems,
- FTP, ports 20 and 21, like TELNET, often restricted to only certain
systems,
- SMTP, port 25, often restricted to a central e-mail server,
- RIP, port 520, routing information protocol, can be spoofed to
redirect packet routing,
- DNS, port 53, Domain Name Service zone transfers, which contain names
of hosts and information about hosts that could be helpful to
attackers, and which could be spoofed,
- UUCP, port 540, UNIX-to-UNIX CoPy, if improperly configured
can be used for unauthorized access,
- NNTP, port 119, Network News Transfer Protocol, for accessing
and reading network news, and
- gopher, http (for Mosaic), ports 70 and 80, information servers
and client programs for gopher and WWW clients, should be restricted to
an application gateway that contains proxy services.
While some of these services such as TELNET or FTP are inherently
risky, blocking access to these services completely may be too drastic a
policy for many sites.
Not all systems, though, generally require access to all services.
For example, restricting TELNET or FTP access from the Internet to
only those systems that require the access can improve security at no cost
to user convenience.
Services such as NNTP may seem to pose little threat, but restricting
these services to only those systems that need them helps to create a
cleaner network environment and reduces the likelihood of
exploitation from yet-to-be-discovered vulnerabilities and threats.
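The two tiers this section describes, worked through as an added illustration (not from the original document): a default-deny, first-match filter keyed on protocol and destination port, with the inherently vulnerable services blocked outright and the remaining services permitted only to the hosts that need them. The site prefix, all host addresses, the 64-display X range, and the choice to block RIP in both directions are assumptions of the example.

```python
from ipaddress import ip_address, ip_network

# All addresses below are constructed placeholders for the example.
INTERNAL = ip_network("192.0.2.0/24")          # the site's own network
GATEWAY = {ip_address("192.0.2.10")}           # application gateway running proxies
LOGIN_HOSTS = {ip_address("192.0.2.20")}       # hosts allowed to take TELNET/FTP
MAIL_HUB = {ip_address("192.0.2.25")}          # central e-mail server
NAME_SERVER = {ip_address("192.0.2.53")}       # host allowed to serve zone transfers
NEWS_SERVER = {ip_address("192.0.2.119")}      # the one host that reads news

# Tier 1: inherently vulnerable services, blocked in both directions.
ALWAYS_BLOCKED = {
    ("udp", 69),                                 # tftp
    ("tcp", 111), ("udp", 111),                  # RPC portmapper (NIS, NFS)
    ("tcp", 512), ("tcp", 513), ("tcp", 514),    # rexec, rlogin, rsh
    ("tcp", 2000),                               # OpenWindows
    ("udp", 520),                                # RIP: routing updates not trusted (assumed policy)
} | {("tcp", 6000 + n) for n in range(64)}       # X displays :0-:63 (assumed range)

# Tier 2: filtered, but permitted to the hosts that need them.
RESTRICTED = {
    ("tcp", 23): LOGIN_HOSTS,                    # TELNET
    ("tcp", 21): LOGIN_HOSTS,                    # FTP control channel
    ("tcp", 25): MAIL_HUB,                       # SMTP to the central mail server
    ("tcp", 53): NAME_SERVER,                    # DNS zone transfers (TCP)
    ("tcp", 119): NEWS_SERVER,                   # NNTP
    ("tcp", 70): GATEWAY,                        # gopher, only via the proxy
    ("tcp", 80): GATEWAY,                        # http, only via the proxy
}

def decide(proto, src, dst, dport):
    """Return 'permit' or 'deny' for the first packet of a connection.
    Anything not explicitly permitted is denied (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    key = (proto, dport)
    if key in ALWAYS_BLOCKED:
        return "deny"
    if key in RESTRICTED:
        # Inbound: only the designated internal host may be the destination.
        # Outbound: only that host may originate the connection (proxy model).
        inbound = src not in INTERNAL and dst in INTERNAL
        endpoint = dst if inbound else src
        return "permit" if endpoint in RESTRICTED[key] else "deny"
    return "deny"
```

Only connection-opening packets are judged here; reply traffic (for example a source port of 23 back to an ephemeral port) is not modelled.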
John Wack
Thu Feb 9 18:17:09 EST 1995