#1 (permalink)
Master Untangler
Join Date: Aug 2008
URLs submitted: 10
Posts: 316
I work at a small company with two locations and about 50 employees. The so-called IT guy knows nothing about security. I did a Shields Up scan of both locations.

Location B has port 541 open.
Location A has two gateways. A-1 has port 541 open. A-2 has these ports open: 21, 22, 80, 143, 443, 541. There are a couple that are closed and the rest are Stealth.

Is there a major security problem here? I think so. When I scan my gateway at home, I come up all green or stealth when both my wife and daughter are surfing the internet. I don't know enterprise firewalling, so that is why I am posting this to get your input.

The company is in the graphic industry and ftps all day long on and off. Do we really need all these ports open? I assume automated black hat scanners can pick these open ports up and walk right in?? Can I assume a flash of each router's firmware is in order, or at least the one with 6 open ports? Or is it all ok and I just mind my own business?
#2 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,460
First of all, given that you said "shields up", know that all you did was scan the TCP ports. You haven't done jack for UDP to get a whole picture.

Then again, you're asking, so I think you realize that you're barely scraping the tip of the iceberg. The real question is... Why are those ports open? Are they forwarded to a device / server? Why are they forwarded? Do we need those functions open? That's a network audit. You go through it from the public interface in, figure out what's exposed, why it's exposed, and determine if there is a better way to do things.

I know plenty of "IT people" that know nothing of "security". And, to be frank, they aren't "IT" people. They have just fooled many people into thinking they are. A real IT person studies their networks and is constantly auditing things and dreaming up better ways to mitigate risk, and provide the services their organization needs more efficiently. At least that's the definition I hold myself to. You'll find that in reality it's just the varying levels that different people devote themselves to the job. Some are good at it, some aren't good at it, and there is a ton of variability in the middle.

Given the list of ports you have listed, it looks to me like you have an SBS installation, and something that needs SSH for management, and an FTP server running somewhere.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879
#3 (permalink)
Master Untangler
Join Date: Aug 2008
URLs submitted: 10
Posts: 316
I know they need to keep in contact with the server between the two buildings that are 6 blocks apart. I know they stay linked into a customer's ftp server to download files to print.

Does the firewall have to have open ports to do this, or can the two hold "state" while stealthing the ports for a shields up scan? Like I said, my wife and daughter are surfing the web and port 80 shows itself as stealth while state is held and data from the two is coming and going from both through port 80, and who knows what other ports are getting services coming and going at the very same time, yet all my ports scan as stealth. I have specific firewall rules for my daughter's online games to access my network and all else is blocked. As you know, it is a pain in the butt to be game specific with firewall rules.

Could they just be opening it up with any to any and not IP # to port #? The guy did say it was password protected, I assume SSH login. But wouldn't that show as closed till you give the right password? To top it off, he is a 3-6 LETTER password kind of guy.

I just know my home network and have not farted around with even a SOHO network. I run Ut in bridge and run a SOHO/enterprise router as the gateway. I am also known as "the over the top guy" on computer security at work and they don't want to hear it after a point. "Nothing has happened to us yet......." They are so clueless it almost makes me sick at times, as you can see above. But as you know from our past threads, I listen to a lot of security podcasts during the day, but have no education in it. So I can be dangerous with some knowledge, but no experience other than my home network.
#4 (permalink)
Join Date: Apr 2008
Location: Phoenix, AZ
URLs submitted: 8
Posts: 15,460
If you're seeing ports open after that scan, that means those ports are open and listening for connections. This usually means you're operating a server of some kind that needs to respond to public requests on those ports.

Using the Internet doesn't require having those ports open; the ports are open for the server, not the client. If SSH is password protected, just like say RDP is password protected, the services are always online, always open. When you connect you are prompted for a password; if you give the right stuff you get in, if you don't you're disconnected.

So again, if you see those ports open it's because you have a service listening on those ports. I can't even tell you WHAT services you have open because while TCP 80 is USUALLY a web server, it doesn't have to be a web server! All you know is these TCP ports have SOMETHING listening on them. Why? and Is this a bad thing? are completely different questions that must be answered independently.
__________________
Rob Sandling, BS:SWE, MCP Intouch Technology Phone: 480-272-9889 rob@intouchtechllc.com UntangleAppliances.com Phone: 866-794-8879