Understanding Port Scans

Generally speaking, few people on the Internet are out to get you specifically. In truth, they’re out to get anyone whose systems they can possibly gain access to. Obviously the Internet is a huge, immense place, so how do they find people? Well, the most basic tool employed by automated bots and those out to hack user systems is known as a port scanner. This software allows a hacker to input a range of IP addresses (typically those on high-speed networks like DSL), and then scan for a particular open port, or all open ports. In most cases, a hacker will scan for a single port associated with a known exploit, such as a virus or Trojan horse program that allows them to gain access to your PC. Using a port scanner allows them to look for that open port on thousands of systems in very little time. In fact, they can set up the scan, head to bed, and then be presented with a very comprehensive list of “attackable” systems in the morning.

In case you’re curious, this is one of the ways that providers also check to see whether you have servers on your home network, which is often not allowed under their terms of service.
One of the best ways for you to defend yourself is to scan your own public IP address looking for open ports. One easy (and free) piece of software to accomplish this is SuperScan, shown above. It can be downloaded from http://www.foundstone.com/resources/scanning.htm. Additionally, a number of web-based port scanners are available online, often referred to as firewall testing tools.
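The two scan patterns described above (one host probed on many ports, or one port probed across many hosts) leave a recognisable trace in a router's dropped-connection log. The following is an added example, not part of the original article: it runs a simple detector over a constructed log in a made-up format, with all addresses and the `DROP` line layout chosen for the example.

```python
from collections import defaultdict

# Added example (not from the article). Constructed firewall deny log, one
# dropped inbound attempt per line: "<time> DROP <src> <dst> <proto> <port>".
# 203.0.113.9 probes one host on many ports ("all open ports"); 198.51.100.7
# probes one port across many hosts (the "single known port" sweep).
SAMPLE_LOG = """\
2024-01-01T00:00:01 DROP 203.0.113.9 203.0.113.50 TCP 21
2024-01-01T00:00:01 DROP 203.0.113.9 203.0.113.50 TCP 22
2024-01-01T00:00:01 DROP 203.0.113.9 203.0.113.50 TCP 23
2024-01-01T00:00:02 DROP 203.0.113.9 203.0.113.50 TCP 25
2024-01-01T00:00:02 DROP 203.0.113.9 203.0.113.50 TCP 110
2024-01-01T00:00:03 DROP 198.51.100.7 203.0.113.50 TCP 445
2024-01-01T00:00:03 DROP 198.51.100.7 203.0.113.51 TCP 445
2024-01-01T00:00:03 DROP 198.51.100.7 203.0.113.52 TCP 445
2024-01-01T00:00:04 DROP 198.51.100.7 203.0.113.53 TCP 445
2024-01-01T00:00:04 DROP 198.51.100.7 203.0.113.54 TCP 445
2024-01-01T00:00:09 DROP 192.0.2.1 203.0.113.50 TCP 80
2024-01-01T00:00:10 DROP 192.0.2.1 203.0.113.50 TCP 80
"""

def parse(log_text):
    """Yield (src, dst, proto, port) for each well-formed DROP line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 6 and parts[1] == "DROP" and parts[5].isdigit():
            yield parts[2], parts[3], parts[4], int(parts[5])

def detect_scans(log_text, port_threshold=5, host_threshold=5):
    """Return {src_ip: kind} for sources whose dropped traffic looks like a scan.

    'vertical'  : >= port_threshold distinct ports hit on one destination.
    'horizontal': the same port hit on >= host_threshold distinct destinations.
    """
    ports_by_pair = defaultdict(set)   # (src, dst) -> {(proto, port)}
    hosts_by_port = defaultdict(set)   # (src, proto, port) -> {dst}
    for src, dst, proto, port in parse(log_text):
        ports_by_pair[(src, dst)].add((proto, port))
        hosts_by_port[(src, proto, port)].add(dst)
    findings = {}
    for (src, _dst), ports in ports_by_pair.items():
        if len(ports) >= port_threshold:
            findings[src] = "vertical"
    for (src, _proto, _port), hosts in hosts_by_port.items():
        if len(hosts) >= host_threshold:
            findings.setdefault(src, "horizontal")
    return findings

if __name__ == "__main__":
    print(detect_scans(SAMPLE_LOG))
```

The thresholds are deliberately low so the short sample trips them; on a real log they would be tuned against the number of retries a legitimate client produces, as the single `192.0.2.1` retry shows.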

Traffic Filtering Basics

Earlier in this article we mentioned that a firewall could also be used to control the services that internal hosts can access on the Internet. While most hardware routers are initially configured to allow all hosts access to any Internet services by default, you can also control who can access the Internet, or certain services, using filtering features.

On a hardware router like the Linksys model we used for this article, both IP address and port filtering can be accomplished via the Filtering tab in the router configuration program. This tab lets you specify both IP addresses that cannot access the Internet and ports that cannot be connected to. For example, if you were to filter the IP address 192.168.1.50, the client system with that address would not be able to access the Internet at all. This can be useful in situations where you need to control children accessing the Internet, for example.

Similarly, you can also block internal users from accessing certain ranges of ports. For example, blocking port 80 would stop internal users from accessing external websites, while blocking all ports except for port 80 would stop users from accessing anything except Web sites. Ultimately, the ability to control Internet access by IP address and port numbers gives you a higher degree of control over how people use your Internet connection, and most importantly, your bandwidth.

Getting Familiar with TCP/IP Port Numbers

Certainly you don’t need to know anything about port numbers if you never plan to allow external users to access your network, or if you don’t plan to control the types of Internet services that your internal users can use. However, if you do plan to make use of either feature, you’ll need to know something about port numbers.

Different types of applications use different port numbers to communicate. Port numbers come in two flavors, namely TCP and UDP. Transmission Control Protocol (TCP) is a reliable protocol used by some applications (such as Web, FTP, and Email servers), while User Datagram Protocol (UDP) is a faster (but unreliable) protocol used by services like DNS. You don’t get to choose which is used: the specification for each service defines which protocol its applications use.

A total of 65536 TCP/UDP port numbers exist. Certainly no one could remember all of them, but some of them are much more common than others. For example, the list below outlines some of the port numbers used by common services:

HTTP (Web servers) – TCP 80
FTP (FTP servers) – TCP 21
SMTP (Email servers) – TCP 25
POP3 (Email servers) – TCP 110
DNS (Name resolution) – UDP 53

This is far from a comprehensive list, but gives you the idea. So, if you plan on having your own internal FTP server that should be accessible from the Internet, port forwarding would need to be enabled on your router for TCP ports 20 and 21. If you’re using ICF, a definition for FTP already exists which you can simply check off to accomplish the same task. For a complete and very comprehensive list of port numbers, see http://www.iana.org/assignments/port-numbers.

Port Forwarding Basics

Although a firewall will block all requests from the outside world by default, there may be times when you actually want to allow external users into your network. For example, maybe you’re running an FTP server internally that you want to gain access to while on the road, or maybe you have a Web server configured that you want to allow Internet users to access. Because the default configuration of most firewalls blocks all external requests, you’ll need to open things up using a feature known as port forwarding.
Remember that in almost all cases, your internal network will be configured to use private IP addresses. Because of this, you’ll need to configure your firewall to take requests destined for your public or “real” IP address and forward them to the appropriate internal server. For example, let’s say that you have a Web server configured on a system with the IP address 192.168.1.50, a private address. In order to allow external users to access this server, you’ll need to configure your firewall to “listen” for Web server requests on the external IP address, and then forward them to the internal server at 192.168.1.50. Unfortunately, to make all this work, you need to know one additional piece of information – namely the port to which Web requests are made.
When a user on the Internet needs to contact a Web server, the request is forwarded to the IP address of the server, and the port on which the Web server service is running. By default, all Web server software (such as IIS or Apache) listens for requests on TCP port 80. So, what you would need to do in this case is tell the firewall that every time your public IP address receives a request destined for TCP port 80, it should forward the request to TCP port 80 on the Web server running on 192.168.1.50. The manner in which this is configured depends upon the firewall you are using. The stepped instructions below provide details for configuring port forwarding on a hardware device, in this case a Linksys router – note that the exact steps will probably be different based on your hardware.

If you don’t see the service that you want to configure on the list, you can define your own forwarding rules by clicking the Add button and specifying a name for the service, as well as an IP address and port number(s).

Example: Allow access to your internal FTP server from the Internet using your Linksys router.

Step 1: Open a web browser and access address http://192.168.1.1. This is the default address to access the router configuration. Enter your password (check your documentation) and press Enter.

Step 2: Click on the Advanced tab at the top of the screen. This will bring you into advanced configuration options for the router, such as port forwarding and filtering. Click the forwarding tab.

Step 3: In the first line of Service Port Range numbers, enter 21 in both boxes, and then the IP address of your internal FTP server in the IP Address box. In this case, an FTP server is located at 192.168.1.150. Click Apply. Test everything by attempting to connect to your external IP with an FTP client program and see if you reach your internal server.

Network Address Translation (NAT) Basics

If you’re planning to connect your network to the Internet, chances are good that your ISP will provide you with only a single “real” IP address. The good news is that’s all you’ll need for multiple internal PCs to connect to the Internet. Network Address Translation (NAT) is a feature that allows systems on an internal network to use private IP addresses (such as those in the 192.168.0.0 range) to connect to the Internet using only one “real” IP address. When an internal system needs to access an Internet resource such as a Web server, the request is sent to the default gateway, which would be running NAT. The NAT server would take that request, translate the “source” IP address in the request to be the “real” IP address assigned by your ISP, and then forward the request along to the site you are trying to connect to. The reply will be sent back to this “real” address as well, where the NAT server will change the destination address to b
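To tie the Filtering tab, the Forwarding tab and NAT together, here is an added example (not from the article and not the Linksys firmware) that models all three decisions a home router makes on each packet, using the article's own addresses: 192.168.1.50 filtered out, TCP 80 blocked outbound, and TCP 21 forwarded to 192.168.1.150. The public address 203.0.113.10 and the 40000+ NAT port range are constructed sample values.

```python
from dataclasses import dataclass
from itertools import count

# Added example (not from the article or the Linksys firmware): a toy model of
# the three router features the article describes, using its own addresses.
# Public IP 203.0.113.10 is a constructed sample value.
PUBLIC_IP = "203.0.113.10"
BLOCKED_HOSTS = {"192.168.1.50"}            # Filtering tab: host may not reach the Internet
BLOCKED_PORTS = {("TCP", 80)}               # Filtering tab: no outbound Web browsing
FORWARDS = {("TCP", 21): "192.168.1.150"}   # Forwarding tab: FTP -> internal server

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "TCP"

class Router:
    def __init__(self):
        self._next_port = count(40000)   # ports the NAT hands out on the public side
        self._nat = {}                   # (proto, public_port) -> (inside_ip, inside_port)

    def outbound(self, pkt):
        """LAN -> Internet: apply filters, then rewrite the source address (NAT)."""
        if pkt.src_ip in BLOCKED_HOSTS or (pkt.proto, pkt.dst_port) in BLOCKED_PORTS:
            return None                  # dropped by the filtering rules
        public_port = next(self._next_port)
        self._nat[(pkt.proto, public_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> LAN: un-NAT replies, honour forwards, drop everything else."""
        if pkt.dst_ip != PUBLIC_IP:
            return None
        mapping = self._nat.get((pkt.proto, pkt.dst_port))
        if mapping:                      # reply to a connection a LAN host opened
            inside_ip, inside_port = mapping   # (real NAT also checks the remote address)
            return Packet(pkt.src_ip, pkt.src_port, inside_ip, inside_port, pkt.proto)
        target = FORWARDS.get((pkt.proto, pkt.dst_port))
        if target:                       # unsolicited, but a forwarding rule exists
            return Packet(pkt.src_ip, pkt.src_port, target, pkt.dst_port, pkt.proto)
        return None                      # default: unsolicited traffic is blocked
```

The last `return None` is the behaviour the article relies on throughout: anything arriving from the Internet that is neither a reply to an internal request nor matched by a forwarding rule never reaches the LAN.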