RE: Block access to ports

  • From: "Mike Liddekee" <mliddekee@xxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Wed, 27 Aug 2003 16:06:29 -0500

If you're running Exchange 2003/Win2003 and Outlook 2003, M$ added a capability 
called RPC over HTTPS to allow secure Outlook access over the internet without 
a VPN.  If you're running anything previous, you can use a VPN.  We have a Pix 
firewall that allows VPN out of the box.  Lots of other firewall products out 
there offer VPN capabilities as well.  I have about 8 users who travel on the 
road frequently (2 are full-time outside sales) that use the VPN to get in and 
connect to Outlook.  It requires some "user training" to get them used to the 
fact that Outlook isn't quite as fast over a 56K dialup as it is on the 100mb/s 
LAN.  Your other option is OWA (just make sure you're using SSL) which works 
well, especially if a remote user needs a quick update.

You can certainly do POP3/IMAP to an Exchange but I don't really like these 
solutions very well, especially if you're remote.  You don't know who could be 
looking at your network traffic.  Any cheap freebie sniffer on the internet can 
get POP3 passwords in 2 seconds.  I hate to sound like a paranoid but I like to 
lean to the side of caution.  Plus that means you have more ports open to the 
Internet for someone to hack.  My rule of thumb is to open as little as 
possible.  Your company will thank you for it.

 
Regards,
Mike Liddekee
Network Engineer

Humco Holding Group, Inc.
7400 Alumax Dr. 
Texarkana, TX  75501
Ph:  (903) 831-7808 ext 697


-----Original Message-----
From: Lloyd Williams [mailto:Williams@xxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 27, 2003 11:56 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Block access to ports

http://www.MSExchange.org/

Mike, when you say <<There are numerous ways to make outlook available to
users over the Internet without opening ports. >>
Are you referring to POP & IMAP, or ways to configure your server/firewall
such that Outlook users can choose "connect to exchange server" in their
mail profile? If the latter, do you have any references/knowledge base
articles?
Lloyd 

-----Original Message-----
From: Mike Liddekee [mailto:mliddekee@xxxxxxxxx] 
Sent: Wednesday, August 27, 2003 10:38 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Block access to ports

That's correct.  135 is a critical port that is used by Windows and numerous
applications.  It's something you should never have open to the Internet. 
There are numerous ways to make Outlook available to users over the Internet
without opening ports.  However there is no way to block this port
internally on your network.  You could certainly lock down servers using
TCP/IP filtering on each individual machine but that's time-consuming and
it's one of those things that is a mixed bag.  You could block everything
except the essentials but if you try to rely on that alone and never do
any more work, next week a hacker will find a vulnerability in one of those
essentials that you left open and shut you down.  Any company that's on the
internet today and doesn't have a properly configured firewall is just
asking for trouble.  But in the same sense, you can't rely on a firewall
alone.  You have to have a multi-tier security setup in place in order to
maximize your level of protection.  It costs money but you need to weigh the
costs of your operations being down for hours or even days when someone
sends you the next nasty virus that you could have been protected from. 
Hindsight is always 20-20.
 
 
Regards,
Mike Liddekee
Network Engineer
 
Humco Holding Group, Inc.
7400 Alumax Dr. 
Texarkana, TX  75501
Ph:  (903) 831-7808 ext 697
 
-----Original Message-----
From: Lloyd Williams [mailto:Williams@xxxxxxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, August 27, 2003 9:31 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Block access to ports
 
I might not have a good understanding of how to handle ports, but is it a
fundamental problem that port 135 is one of the most vulnerable ports, but
it is also the port that Exchange uses to communicate with Outlook? So if
you close down access to this port you are limiting yourself to using
Exchange just for POP, IMAP and Web Access.
Lloyd Williams
 
-----Original Message-----
From: Mike Liddekee [mailto:mliddekee@xxxxxxxxx] 
Sent: Wednesday, August 27, 2003 9:52 AM
To: [ExchangeList]
Subject: [exchangelist] RE: Block access to ports
 
It all depends on your setup.  If you're trying to block at the firewall
level, you need to determine what type of firewall you're using and its setup. 
Most firewalls (unless misconfigured) should be set up to not allow any
traffic in unless specifically allowed.  If you're running a router w/ NAT
and no "real" firewall, then that's where most people get burned.  If anyone
tells you NAT is a firewall, run the other direction as fast as you can. 
The other way people I know have gotten burned on the latest bug is that
their outer perimeter is great but someone w/ a laptop goes home, dials up,
gets infected, goes back to work and plugs in.  These types of back doors
will kill you every time.  You can block these ports for this one but the
next virus that comes out will require different ports, the next one will
then require different ones, and so on.  It'll be a never ending game of cat
and mouse.  The thing to do is to make sure things are locked down on your
network to prevent these types of events and that all the proper systems are
in place.  You still can't guarantee yourself 100% (nothing in IT is 100%)
but if you don't have the systems in place you'll be fighting for days every
time a new event comes out.  When I arrived at my current job we had none of
these in place.  After months of fighting, we now have these things in place
and have had no viruses or Trojans of any type (knock on wood). 
 
 
Regards,
Mike Liddekee
Network Engineer
 
Humco Holding Group, Inc.
7400 Alumax Dr. 
Texarkana, TX  75501
Ph:  (903) 831-7808 ext 697
 
-----Original Message-----
From: satish garimalla [mailto:satishgarimalla@xxxxxxxxxxx] 
Sent: Wednesday, August 27, 2003 8:33 AM
To: [ExchangeList]
Subject: [exchangelist] Block access to ports
 
Hi All,
I know this is a bit off the topic. But we are having problems
with the recent virus attacks. We are in the process of eliminating this.
As recommended by the Symantec web site, I am supposed to block access to TCP
port 4444 at the firewall level and also block TCP port 135 "DCOM RPC" and
UDP port 69, "TFTP".
Can anybody explain to me how to do this as I am not so familiar with this? All
I want to know is how to block these ports (from command prompt?? or
from Windows itself??). Either may be the case, could you please explain to me
the steps in doing so ...
Thanking you very much,
Satish Garimalla
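Satish asks for concrete steps to block TCP 135, TCP 4444 and UDP 69 on the hosts themselves, and Mike's replies mention per-machine TCP/IP filtering and the need to check that the filtering actually holds. The script below is an added example, not code from any poster on this thread, and it assumes a later Windows than the 2003-era systems discussed here: Windows 8 / Server 2012 or newer with the NetSecurity module (New-NetFirewallRule, Get-NetFirewallPortFilter, Set-NetFirewallProfile) and an elevated PowerShell session. The rule names and the firewall log path are the defaults I chose; adjust them to your environment.

```powershell
# Added example (not from the thread). Creates inbound block rules for the three
# ports named by Satish and then counts dropped packets per port from the Windows
# Firewall log, so you can confirm the block is actually catching traffic.
# Assumes Windows 8 / Server 2012+ (NetSecurity module) and an elevated session.

# Ports from the thread: TCP 135 (DCOM RPC endpoint mapper), TCP 4444 (the
# listener the Symantec advice warns about), UDP 69 (TFTP).
# Caveat from Mike's reply: do NOT apply the TCP 135 rule on the Exchange server
# or a domain controller; Outlook's MAPI/RPC connection to the server needs it.
$rules = @(
    @{ Name = 'Block-Inbound-TCP-135';  Protocol = 'TCP'; Port = 135  },
    @{ Name = 'Block-Inbound-TCP-4444'; Protocol = 'TCP'; Port = 4444 },
    @{ Name = 'Block-Inbound-UDP-69';   Protocol = 'UDP'; Port = 69   }
)

foreach ($r in $rules) {
    # Idempotent: skip rules that already exist so re-running does not duplicate them.
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound `
            -Protocol $r.Protocol -LocalPort $r.Port -Action Block `
            -Profile Any -Enabled True | Out-Null
    }
}

# Verify what was created: rule name, protocol, port and action.
Get-NetFirewallRule -DisplayName 'Block-Inbound-*' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule      = $_.DisplayName
        Protocol  = $filter.Protocol
        LocalPort = $filter.LocalPort
        Action    = $_.Action
        Enabled   = $_.Enabled
    }
} | Format-Table -AutoSize

# Turn on logging of dropped packets for all profiles (default log path assumed).
$log = "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log"
Set-NetFirewallProfile -Profile Domain, Private, Public -LogBlocked True -LogFileName $log

# Count DROP entries that hit the watched ports. pfirewall.log lines are:
#   date time action protocol src-ip dst-ip src-port dst-port size ...
# Lines starting with '#' are header comments and are skipped.
$watched = 135, 4444, 69
if (Test-Path $log) {
    Get-Content $log |
        Where-Object { $_ -notmatch '^#' } |
        ForEach-Object {
            $f = $_ -split '\s+'
            if ($f.Count -ge 8 -and $f[2] -eq 'DROP' -and
                $f[7] -match '^\d+$' -and ($watched -contains [int]$f[7])) {
                [pscustomobject]@{
                    Time    = "$($f[0]) $($f[1])"
                    Proto   = $f[3]
                    Src     = $f[4]
                    DstPort = [int]$f[7]
                }
            }
        } |
        Group-Object Proto, DstPort |
        Select-Object @{ n = 'Proto/Port'; e = { $_.Name } }, Count |
        Sort-Object Count -Descending
} else {
    Write-Warning "Firewall log not found at $log; dropped packets are logged only after the profile setting takes effect."
}
```

The log count is the check Mike hints at when he says you can't rely on the block alone: a steady stream of DROPs on 135 from internal addresses is exactly the "laptop came back from home infected" symptom he describes, and the Src column tells you which machine to pull off the network.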



------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=exchangelist
Exchange Newsletters: http://www.msexchange.org/pages/newsletter.asp
Exchange FAQ: http://www.msexchange.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 ISA Server Resource Site: http://www.isaserver.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this MSExchange.org Discussion List as:
mliddekee@xxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub') 