Is my server protected by a firewall?

Yes, in order to prevent many of the common attacks from the Internet, we use incoming packet filters (ACLs) in our high-performance layer 3 Cisco switches.

Over time we have established these basic filtering rules, which provide the best combination of functionality and security for our customers. These basic filtering rules are usually sufficient for most of our customers.

The summary of what we allow or filter by default is below. Something not being listed here does not mean it is or is not filtered; please check with us if you are unsure:

Remote Desktop is allowed on TCP port 3389.
ICMP protocol is allowed (ping, traceroute, etc.).
DNS is allowed (both outbound queries and your server acting as a DNS server).
Active FTP on standard ports is allowed. For passive FTP you will need to set the passive port range to 8000-8400 in IIS or other FTP servers.
WWW and SSL are allowed on TCP ports 80 and 443.
SMTP is allowed on TCP ports 25 and 587.
IMAP4 is allowed on TCP port 143.
POP3 is allowed on TCP port 110.
NTP (Network Time Protocol) is allowed so your server can update its clock.
GRE (IP protocol 47) and TCP port 1723 are allowed (for incoming PPTP tunnels).
Flash Communications Server is allowed on port 1935.
Windows Media Services is allowed on TCP ports 554, 1755, and 5005.

Incoming MS SQL and MySQL connections are blocked. This includes TCP and UDP ports 1433, 1434, and 3306. We suggest using an alternate port for SQL if you need to connect to it from the Internet. See below for choosing an alternate port.

The MS Cluster Service heartbeat port, UDP 3343, is blocked. This prevents denial of service attacks on clusters by flooding the port.

MS Global Catalog TCP ports 3268 and 3269 are blocked to prevent attacks on Active Directory Domain Controllers.

Except for the ports mentioned above, all other ports are handled in the following manner:

TCP and UDP ports < 8000 are generally blocked. This blocks most of the frequently attacked Windows ports, such as 135, 137, 139, 445, etc.

TCP and UDP ports >= 8000 are generally allowed.

If you need to select custom ports for a specific application to function, we recommend using random ports > 8000 for this purpose.
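To make the ordering of these rules concrete, here is the policy above written as a Cisco IOS extended ACL of the kind applied inbound on a layer 3 switch uplink. This is an added illustration, not ActiveServe's actual configuration; the ACL name, the uplink interface, and the return-traffic entries (the established keyword and the source-port 53/123 permits, which a stateless ACL needs for the server's own outbound connections) are assumptions, since the article does not describe them.

```cisco
! Added illustration of the default filtering described above (not the provider's actual config).
! Assumptions: ACL name, uplink interface, and the return-traffic lines (established, source-port
! 53/123), which a stateless ACL needs but the article does not describe.
ip access-list extended CUSTOMER-INBOUND
 remark --- Return traffic for connections the server opens itself (assumption)
 permit tcp any any established
 permit udp any eq 53 any
 permit udp any eq 123 any
 remark --- Explicitly allowed services below port 8000
 permit tcp any any eq 3389
 permit icmp any any
 permit tcp any any eq 53
 permit udp any any eq 53
 permit tcp any any eq 21
 permit tcp any any eq 80
 permit tcp any any eq 443
 permit tcp any any eq 25
 permit tcp any any eq 587
 permit tcp any any eq 143
 permit tcp any any eq 110
 permit gre any any
 permit tcp any any eq 1723
 permit tcp any any eq 1935
 permit tcp any any eq 554
 permit tcp any any eq 1755
 permit tcp any any eq 5005
 remark --- Explicit blocks (also caught by the final deny; listed so the intent is visible in show output)
 deny tcp any any range 1433 1434
 deny udp any any range 1433 1434
 deny tcp any any eq 3306
 deny udp any any eq 3306
 deny udp any any eq 3343
 deny tcp any any range 3268 3269
 remark --- Ports >= 8000 allowed (this also covers the passive FTP range 8000-8400)
 permit tcp any any gt 7999
 permit udp any any gt 7999
 remark --- Everything else (TCP/UDP < 8000, other IP protocols) is dropped and logged
 deny ip any any log
!
interface GigabitEthernet1/0/1
 description Internet uplink (placeholder)
 ip access-group CUSTOMER-INBOUND in
```

Because IOS ACLs are evaluated first-match, a custom application port below 8000 would have to be inserted before the final deny, which is why the article steers custom services to ports above 8000 instead.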

One final note: this firewall will protect you from Internet attacks. It will not protect you from other servers on the same IP subnet. If you would like to secure your server against those, we suggest disabling the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks services in your Network Settings. DO NOT REMOVE THE SERVICES; just uncheck the box to disable them for that connection.

If you are interested in hardware firewalls, please contact us at sales@activeserve.com for information and pricing.

Article ID: 15, Created On: 3/6/2006, Modified: 10/20/2011