Add Security by Filtering TCP/IP Packets

By Brien M. Posey | Nov 26, 2000
http://www.enterprisenetworkingplanet.com/netsecur/article.php/625111/Add-Security-by-Filtering-TCPIP-Packets.htm

Practically everyone knows that the TCP/IP protocol is a little complicated. Part of this complexity is due to the fact that TCP/IP is made up of many subcomponents, which consist of ports and protocols. Many of these ports and protocols are necessary for accomplishing day-to-day tasks; others are seldom (if ever) used. These obscure protocols can endanger your network's security, because a hacker can exploit them to gain access to your network.

To deny a hacker such an opportunity, most administrators implement a firewall to block unused ports and protocols. However, you may not know that Windows 2000 has many of these firewall capabilities built in. In this article, I'll show you how to block ports and protocols through Windows 2000. (Note that this technique is no substitute for a true firewall--it's only a method of making your network a little more secure.)

Packets to Permit

Windows 2000 packet filtering works by blocking all packets except the ones you permit. You may use protocols and packets besides the ones I'm recommending, and that's fine. But for everyone else, I recommend blocking all packets except those traveling on the following port numbers.

TCP port numbers:

  • Port 20--FTP Server Data Channel

  • Port 21--FTP Server Control Channel

  • Port 23--Telnet

  • Port 80--HTTP

  • Port 139--NetBIOS

UDP port numbers:

  • Port 53--DNS Lookup

  • Port 69--TFTP

  • Port 137--NBNS

  • Port 161--SNMP

  • Port 520--RIP

IP protocol numbers (the IP Protocols column of the filtering dialog):

  • Protocol 1--ICMP

  • Protocol 2--IGMP

  • Protocol 3--GGP

  • Protocol 4--IP in IP encapsulation

  • Protocol 5--ST stream

  • Protocol 6--TCP

  • Protocol 7--Often used for Computer Based Training

  • Protocol 8--EGP

If you've been working with TCP/IP for a while, you probably recognize most of these. If you don't recognize some, don't worry about it--you won't have to do anything to the protocol directly except add a number to a list.

Blocking Other Packets

Follow these steps:

  1. Open Control Panel and double-click on the Network and Dial Up Connections icon. In the Network and Dial Up Connections window, right-click on the connection you want to configure, and select Properties from the resulting context menu.

  2. In the connection's properties sheet, select Internet Protocol (TCP/IP) from the list of installed components. Click the Properties button.

  3. In the Internet Protocol (TCP/IP) Properties sheet, click Advanced to reveal the Advanced TCP/IP Settings properties sheet.

  4. Click the Options tab and select TCP/IP Filtering from the Optional Settings list. Click the Properties button to open the TCP/IP Filtering window.

  5. At the top of the window is a check box labeled Enable TCP/IP Filtering (All Adapters). I recommend deselecting this check box, because it affects all your connections. Instead, it's more effective to apply filtering on an individual basis.

  6. The TCP/IP Filtering window is divided into three columns: TCP Ports, UDP Ports, and IP Protocols. Each column has a set of radio buttons. By default, these radio buttons are set to Permit All. This setting allows all packets to flow freely. However, you can set any or all of a column's radio buttons to Permit Only, which will permit only the port numbers specified in the list I gave you earlier to pass through the connection. Use each column's Add and Remove buttons to edit the list of allowed ports. For example, to permit the connection to access Web pages, add port 80 to the TCP Ports section.
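Once the dialog has been set up, a defender usually wants a way to audit what is actually in effect without clicking through every adapter. The script below is an added example, not part of the original article: it parses a `regedit /e` export of the Tcpip\Parameters key and reports each interface's TCP Ports, UDP Ports and IP Protocols policy. It assumes the value names Microsoft documents for this feature (EnableSecurityFilters, TcpAllowedPorts, UdpAllowedPorts, RawIpAllowedProtocols), that a list holding only "0" means Permit All, and a constructed interface GUID.

```python
import re

# Constructed sample of a `regedit /e` export of the Tcpip\Parameters key; the interface GUID is
# made up, the value names are the ones the TCP/IP Filtering dialog writes (REG_MULTI_SZ = hex(7)).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}]
"TcpAllowedPorts"=hex(7):32,00,30,00,00,00,32,00,31,00,00,00,38,00,30,00,00,00,\
  00,00
"UdpAllowedPorts"=hex(7):30,00,00,00,00,00
"RawIpAllowedProtocols"=hex(7):31,00,00,00,36,00,00,00,00,00
"""
PARAMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
COLUMNS = {"TcpAllowedPorts": "TCP Ports", "UdpAllowedPorts": "UDP Ports",
           "RawIpAllowedProtocols": "IP Protocols"}

def parse_reg(text):
    """Return {key_path: {value_name: value}} for the dword and hex(7) values of a .reg export."""
    keys, current = {}, None
    for line in re.sub(r"\\\r?\n\s*", "", text).splitlines():   # rejoin wrapped hex data
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif data.startswith("hex(7):"):   # REG_MULTI_SZ: NUL-separated UTF-16LE strings
                raw = bytes(int(b, 16) for b in data[7:].split(",") if b)
                keys[current][name] = [s for s in raw.decode("utf-16-le").split("\0") if s]
    return keys

def effective_policy(keys):
    """Map each interface GUID to {column: "Permit All" | sorted list of permitted numbers}.
    Returns None when EnableSecurityFilters (the "(All Adapters)" check box) is not 1: the
    per-interface lists then have no effect at all. A list holding only "0" is Permit All
    (assumption about how the dialog stores that radio button)."""
    if keys.get(PARAMS, {}).get("EnableSecurityFilters") != 1:
        return None
    policy = {}
    for path, values in keys.items():
        m = re.search(r"\\Interfaces\\(\{[^}]+\})$", path)
        if m:
            policy[m.group(1)] = {
                col: "Permit All" if values.get(v, ["0"]) == ["0"]
                else sorted(int(n) for n in values[v]) for v, col in COLUMNS.items()}
    return policy
```

Any column reported as Permit All on an Internet-facing adapter is the one to revisit first.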

As you can see, packet filtering can add security to your network by blocking unauthorized types of packets. If you implement packet filtering and things don't seem to work right, you may be using a port other than the ones I listed. If this happens to you, you can either add the missing port number to the list, or disable packet filtering altogether--it's up to you.

Brien M. Posey is an MCSE who works as a freelance writer. His past experience includes working as the Director of Information Systems for a national chain of health care facilities and as a network engineer for the Department of Defense. Because of the extremely high volume of e-mail that Brien receives, it's impossible for him to respond to every message, although he does read them all.