Many attackers and hosts infected with malware try to infect other hosts by scanning networks for open ports exposed to the Internet. After finding an open port, a malicious third party will attack software running on that port using known vulnerabilities. These published software flaws can cause damage or allow unauthorized access to hosts and networks. Often vendors publish information about software flaws and offer patches directly to customers. Third parties also track and publish information about common vulnerabilities on web sites like https://cve.mitre.org and https://nvd.nist.gov/.
Although there are some new and sophisticated attacks, many breaches involve vulnerabilities that security professionals and vendors notified the public about years prior to the attack. For example, in the case of WannaCry, the malware used SMB vulnerabilities accessed via port 445. A SANS Internet Storm Center article dating back to October 2009 tells readers they should already know that port 445 needs to be blocked on the firewall.
In some cases, patching all the hosts in a network to fix vulnerable software is not feasible due to the number of hosts, or even possibly due to systems that require outdated software. Knowledge of the ports needed for common vulnerability exploits to work is useful because it allows network administrators to block problematic ports. Even if software is unpatched, the malware will be unable to function correctly if it cannot communicate on required ports.
The WatchGuard Firebox has a feature which allows administrators to easily block a network port. In the WatchGuard Firebox Admin Web Site, click on “Firewall” on the left menu, then “Blocked Ports” to see the list of blocked ports.
Use the buttons at the bottom of the page to add new ports:
The auto-block feature allows administrators to automatically reject connections from hosts generating suspicious traffic. Check the box at the top of the list to auto-block any host that tries to connect to a disallowed port. The Firebox adds the host to the “Blocked Sites” list and rejects any future attempts by the blocked host to connect on any port.
For example, if a network administrator has blocked ports 445, 137, 138, 139 and 23 and a host tries to connect to those blocked ports, there’s a good chance that traffic is coming from an attacker server, an infected or misconfigured host. With the auto-block feature, the WatchGuard Firebox will automatically add that host to the “Blocked Sites” list and block any further connection attempts from that host. Note that this feature will disallow the port on the entire network so make sure it is not required internally or externally by hosts served by that firewall.
With these features enabled, network administers can periodically review the list of hosts that the Firebox automatically blocked by clicking on “System Status” in the left menu and then “Blocked Sites.” This list will tell the administrator which hosts tried to connect on blocked ports. An auto-blocked host will show up with the reason “blocked port.” This information may be useful in creating new firewall rules or troubleshooting network problems.
Auto-blocking rogue hosts not only helps protect the network, it may improve the performance of the firewall as well. If the firewall is completely blocking all traffic from a host, it will not have to perform further inspection on any traffic from that host. The firewall can immediately drop the traffic. This saves processing power and hopefully improves performance for valid hosts on the network. — Teri Radichel (@teriradichel)