Republished with permission from WatchGuard Technologies, Inc. Originally published December 30, 2000.
WatchGuard LiveSecurity

Network Applications: A Security Guy's Wish
by Fred Avolio, Avolio Consulting
 

Imagine that I provide an office cleaning service. I have about a thousand cleaners working for me, and my people will clean your office virtually for free, if you're willing to overlook a few of my practices:

    I cannot tell you who will be showing up on any given night, nor am I sure of the time they will show up -- just sometime during the night. Any night.

    I cannot tell you what office they will service what night.

    I do not issue photo identification cards, because my people are so transient.

    You need to leave all the doors and windows unlocked, because my workers might want to get in by any of them.

Ready to sign up for my cleaning service? No? But if this approach to business is unwise, why do we run our network Internet connections this same way?

Actually, this illustration is unfair. The situation is actually much worse than this, because when we're talking Internet, we're talking about thousands of doors and windows, and millions of possible entities coming through those doors.

If we want to run our networks more securely, we have to lock as many of those doors and windows as possible. That's tough enough to do in any corporation. But the people who develop the applications that we all use make it even tougher. This article alerts you to the issues, and contains my plea to developers to give security a chance.

What Lies Beneath
As I wrote in my previous editorial, " One Size Never Fits All," "We tend to set our firewalls up with coarse rather than fine granularity. If three people need access to an Internet service, we give every employee access to it. We can do better. In fact, we must." Even if you close every unnecessary port you can, having a suitable security policy with matching firewall configuration is only the beginning. As an Internet security practitioner, you are always one step behind the next new whiz bang Internet service. And it seems that every new service introduces vulnerabilities or potential avenues of attack.

Internet applications use connections and ports to facilitate communication. TCP services make connections with more reliability than UDP, mainly because TCP has a notion of a connection including a handshake and response, while UDP merrily blasts away without any guarantee that something on the other end is listening. TCP packets usually make use of specific well-known ports that are related to the particular Internet service. So, for example, if you want Internet mail to work, you have your e-mail server listen for connections on port 25, and a client only works if it connects to port 25 of the target system.

The problems start when an application protocol developer creates a new service for which there are no registered or well-known ports, or when that service needs to make connections back to many client processes. Developers like to use UDP packets for the same reasons that make them less reliable communicators: their communication is simpler than TCP's, so they're smaller. They are most useful for communications where speed is more important than loss of data (streaming audio or video come to mind). So a vendor might utilize random UDP ports to make connections.

From a security guy's standpoint, using random ports for communication is a Very Bad Thing. Remember, every service we allow through the firewall is a potential avenue of attack. If we must allow services through our firewall in order to meet our business requirements, and those services require large ranges of ports to be open, our job is more complicated, and an attacker's job is easier.

The Bad and the Ugly: NetMeeting
One of the worst examples of this I can find is Microsoft NetMeeting. Fellow LiveSecurity™ Advisory Council member David Piscitello and I decided we would set up NetMeeting between our offices, then write about how to do it without compromising the security of either of our networks. It would have been a very short column.

We struggled for awhile, unable to make our two NetMeeting processes fully connect. So, I ran tcpdump (a packet sniffer) on my network. I found that NetMeeting was using the following ports: 1151, 1152, 1503, 1695, 1696, 1697, 1698, 1699, 1700, 1720, 49606, 49607, 49608, and 49609. A few of these are registered and will not change. For example, 1503 is what NetMeeting uses for the T.120 service (a standard that provides support for real-time, multipoint data communication). And 1720 is for the H.323 (the standard for Internet telephony) call setup. Both use TCP. But the others are neither standard nor set. To get NetMeeting up, basically you need to open up all ports between 1024 and 65535. That's a lot of open doors and windows!

Did NetMeeting have to be written this way? Couldn't it have been more securable? To quote Dr. Brian Reid, a director at Bell Labs Silicon Valley, "Programmer convenience is the antithesis of security."

The Good (or at least Better)
Real Media -- RealAudio and RealVideo -- was created with firewalls in mind. If you fire up RealPlayer and look at View/Preferences you'll see controls for defining proxies (if you sit behind a Firebox, for example) as well as for specifying what transports to use. I picked "Use TCP to Connect to Server;" I specified UDP port 7070 as a static UDP port to use for receiving data, and that's the only "window" I had to open for RealMedia.

This is the way an application should be written -- allowing the service to work in conjunction with a security policy and firewall.

What I Wish For
We should ask product vendors and application developers to develop services for today's Internet -- that is to say, to develop services knowing that clients and servers will be separated by firewalls. We should remind them that every usability decision they make may have a negative impact on our security, and may result in an application we cannot use (or, more probably, we'll have to use, making our network insecure). I want applications that use specific ports, or tell us as part of the protocol what extra ports to use. I want applications that may sacrifice performance for security, but never security for usability. I want application developers to talk to security people and have a security architecture for any network-based application, and I want it there before they loose their wonderful, marvelous, cannot-live-without application on users whose network I am supposed to secure. It's a new millennium. Maybe if we all keep asking for these things, we'll get them.

Epilogue: From Theory to Practice
With the subject of this month and last month's columns in mind, I decided to follow my own advice and batten down my WatchGuard SOHO. I don't allow any inbound connections (connections initiated on the outside), but I wanted to see what outbound connections we required. "We" is my business and my family, using the same connection to the Internet. What were we actually using?

I ran tcpdump, sorted through the output, and got these results:

Port Type Use
13 TCP daytime service used
22 TCP SSH, secure shell
23 TCP telnet
25 TCP SMTP (Internet e-mail)
53 TCP DNS (domain name system)
53 UDP DNS (domain name system)
80 TCP HTTP
110 TCP pop3 (retrieving e-mail)
119 TCP NNTP (Usenet news)
123 UDP NTP (network time protocol)
389 TCP unknown
443 TCP SSL (https)
554 TCP Real Media
7070 TCP Real Media
11371 TCP unknown
Armed with this information, I configured my SOHO to match:

Allowed Incoming Services--none installed

Block TCP requests to port 139 SMB Networking
Block UDP requests to port 137 SMB Networking
Block TCP requests to port 137 SMB Networking
Block UDP requests to port 138 SMB Networking
Block TCP port range from port 1 to port 12
Block TCP port range from port 14 to port 21
Block TCP port range from port 26 to port 52
Block TCP port range from port 54 to port 79
Block TCP port range from port 81 to port 109
Block TCP port range from port 111 to port 118
Block TCP port range from port 120 to port 442
Block TCP port range from port 444 to port 553
Block TCP port range from port 555 to port 7069
Block TCP port range from port 7071 to port 65535
Block UDP port range from port 1 to port 52
Block UDP port range from port 54 to port 122
Block UDP port range from port 124 to port 7069
Block UDP port range from port 7071 to port 65535

Now I have a firewall configured as tightly as possible while still allowing the services we use from the inside. Even Steve Gibson's recently publicized LeakTest told me my site was secure. So, if you've been agreeing with the theory behind my suggestions but wondering what they look like when worked out in real life, this is the best example I can provide. Go slam those doors and shutter those windows; you'll be glad you did -- especially the next time you hear of someone else being taken to the cleaners. ##