There was another good question here on why you should block outgoing traffic: Why block outgoing network traffic with a firewall?

But I was hoping to get an answer on why it is a good idea to block incoming ports or ports in general.

In particular I was thinking what difference there is between managing which applications are listening for traffic on a port on your machine, and blocking that port in your firewall.

3 Answers

On the surface, it's pretty silly: if you don't want traffic inbound on a given port, then just don't listen on that port. As such, host-based firewalls have traditionally been largely ignored. But recently (as in, last 20 years) the practice has picked up quite a bit. Here are a few common reasons:

Because you can't control what's listening on your computer
Host-based firewalls have been the traditional mechanism for controlling the behavior of Microsoft core services, such as port 135 and 445. In the interest of simplicity and ease-of-use, Microsoft traditionally did not allow those services to be at all controlled, which meant that a firewall was the only way to control access.

Because you want to restrict but not prevent access
Firewalls allow you to filter traffic based on more than just the listening port number, which means that you can do fancy things like allowing access only from a given range of IPs or other criteria. While not a foolproof security measure, it does eliminate the vast majority of malicious traffic, allowing you to focus your attention on the more advanced attackers.

Because you might already be compromised
This is probably the most commonly-cited reason, but also probably not the most valuable. The idea is that if you block access to additional ports beyond what you're already expecting, then it's more difficult for an attacker to leverage an initial compromise to gain more complete access to the server (e.g. by binding a remote shell to an additional port). While it's true that this does make it more difficult, any average-skilled attacker can work around this restriction, so the incremental security it provides is minor.

To enforce policy
The idea here is you have a specific set of applications that are allowed to listen on the network according to your security policy, and you don't want an admin to add to that list. In the unlikely scenario that the rogue admin knows how to install software but doesn't know how to reconfigure the firewall, this would stop him.

Looking at this list, it's clear that all of these scenarios (except perhaps the first) are best met using an edge firewall as opposed to a host firewall, since filtering at the gateway cannot easily be changed by someone with admin rights on the host.

Still, just because it's better to do at the edge doesn't mean you shouldn't also do it on the host. Remember that a truly secure network is one that remains secure even without perimeter protection. Layering your defense will help keep you protected even when parts of that defense fail.

tylerl
  • I still don't understand. Can't you specify any service to run on any port? Like I can run BitTorrent on port 80 if I truly desire, even though by convention it is used by HTTP – Kellen Stuart Sep 19 '16 at 17:41
For the same reason as with outgoing traffic. Attackers might start running services which bind to a certain port. If you allow incoming traffic any remote server can just connect to this service. In case of an attacker this might be the so called "bind shell".

It's also part of the security in depth approach. Consider default running services such as mDNS or RPC. You do not want to advertise these services on the net, so you disable them. Using incoming firewall rules you can put an additional defense mechanism in place so that you do not leak information should someone have enabled this service by accident.

The nice part of incoming firewall rules is that it's very easy to implement a whitelist approach. You can decide which ports should be reachable on a certain IP using a certain protocol. You can also fine-tune this even more by only allowing a certain amount of packets at a time (rate limiting). This gives you a lot more control and will allow for less "dirty-word-ups" when disabling unnecessary services.

Lucas Kauffman
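The two answers above describe the same pair of layers: control which services listen, and independently filter which sources can reach them (whitelist by port and source, rate limit, default deny). The following script is an added example, not code from either answer: it parses constructed `ss -ltnp` output against an allowlist policy, flags any network-exposed listener the policy does not cover (the unexpected bind-shell case), and derives a default-deny nftables ruleset with per-source restrictions and rate limiting from that same policy. The policy, the sample `ss` lines and the process names are all constructed.

```python
import ipaddress
import re
# Policy (constructed): port -> source networks allowed to reach it.
# Anything not listed should neither listen nor be reachable from the network.
POLICY = {
    22: ["10.0.0.0/8"],   # SSH only from the internal management range
    443: ["0.0.0.0/0"],   # HTTPS from anywhere
}

# Constructed sample of `ss -ltnp` output. The listener on 4444 is the kind
# of unexpected service (e.g. a bind shell) the audit should surface.
SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*    users:(("nginx",pid=901,fd=6))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*    users:(("postgres",pid=700,fd=5))
LISTEN 0      1      0.0.0.0:4444       0.0.0.0:*    users:(("nc",pid=3210,fd=3))
"""

LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(ss_text):
    """Return (address, port, process) for every LISTEN line in ss output."""
    found = []
    for line in ss_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def is_loopback(addr):
    """ss prints IPv6 addresses in brackets and '*' for any-address."""
    addr = addr.strip("[]")
    return addr != "*" and ipaddress.ip_address(addr).is_loopback

def audit_listeners(ss_text, policy):
    """Network-exposed listeners the policy does not allow, as (port, process)."""
    return [(port, proc) for addr, port, proc in parse_listeners(ss_text)
            if not is_loopback(addr) and port not in policy]

def nft_rules(policy):
    """Default-deny inbound rule lines (nftables syntax) derived from the policy:
    the second layer, enforced even if an unexpected service starts listening."""
    rules = ["ct state established,related accept", "iif lo accept"]
    for port, nets in sorted(policy.items()):
        for net in nets:
            src = "" if net == "0.0.0.0/0" else f"ip saddr {net} "
            rules.append(f"{src}tcp dport {port} ct state new limit rate 20/second accept")
    rules.append("drop")
    return rules
```

Running the audit periodically and diffing its output against the policy catches a listener that appeared without a matching firewall change, which is the gap the host firewall closes in the meantime.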
Many reasons, but probably one of the biggest for me would be that malware is one of the biggest threats we deal with, and open ports allow malware to run a service on those ports.

Closing ports also stops users running their own servers, for file sharing, gaming or anything else they shouldn't be doing on your network, but may want to anyway.

Owen
  • The idea that closing ports will stop users from running unwanted applications is absurd. I can just as easily do file-sharing over HTTP (especially with Web-Torrent), pass my games through an SSH Tunnel on port 22, and even run Tor on port 80 if I choose. Port numbers for specific applications are just conventions to make networking easier. In reality you can remap ports however you like. – slang Jan 15 '16 at 05:33