Locking down your Firewall with Port Based Rules
It doesn’t matter which firewall you have, be it Cisco, Zyxel, SonicWall or another vendor: you need to put rules in place to ensure that your network is properly protected.
There are a number of services you may also want to consider depending on your needs. These include content filtering, email filtering, anti-virus, and VPN licences. But the basics of a firewall require you to put rules in place that permit or deny traffic to and from your network.
The most secure method is to block all ports and then permit only those ports that you require. The same goes for outbound traffic: computers inside your network that get infected can use your network to launch other attacks or send information out to the unsavory types out there.
There are 65,535 ports in IPv4, and going through them all would only lead to a headache and very little extra understanding. The basic idea, however, is that each port is used by a service: for example ‘http’, which you are using right now to read this, is on port 80, whereas ‘https’, which you see on shopping sites to show they’re secure (or at least somewhat so), comes over port 443. I’ve included the most common items below and a few tips to make the rules more secure.
| Port | Service | Direction | Notes |
|---|---|---|---|
| 25 | SMTP | Both | SMTP is secure email. If you are using an email filtering company, only allow inbound from that company, and only allow outbound from your email server. |
| 80 | HTTP | Outbound | Standard web browsing. |
| 110 | POP3 | Both | For when users access email via POP3. If you access an external site for POP3, then outbound may also apply. |
| 143 / 993 | IMAP / Secure IMAP | Both | For when users access email via IMAP. If you access an external site for IMAP, then outbound may also apply. |
| 443 | HTTPS | Both | Outbound as per port 80; however, if you have phones etc. accessing email via OWA / ActiveSync, then you will want both in and out, though inbound should then be locked to the mail server. |
| 3389 | Terminal Services | Both | To access remote desktops, either inbound or outbound. |
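As an added worked example (not code from the original article), the table above expressed as a default-deny allow-list and evaluated against sample flows. The LAN range, mail server address and email filtering provider's network are constructed assumptions; the direction-specific and host-pinned rules (SMTP only out from the mail server, inbound 443 only to the mail server) are the tips the table gives.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumptions, not from the article).
LAN = ip_network("192.168.1.0/24")
MAIL_SERVER = ip_address("192.168.1.10")
FILTER_PROVIDER = ip_network("203.0.113.0/24")  # stands in for the email filtering company


@dataclass(frozen=True)
class Rule:
    port: int
    direction: str      # "in" (internet -> LAN) or "out" (LAN -> internet)
    src: object = None  # ip_network / ip_address, or None for "any"
    dst: object = None


def _match(host, addr):
    """True when addr is covered by host (network, single address, or any)."""
    if host is None:
        return True
    if hasattr(host, "network_address"):  # it is a network
        return addr in host
    return addr == host


# Allow-list built from the table; anything not listed falls through to deny.
RULES = [
    Rule(25, "in", src=FILTER_PROVIDER, dst=MAIL_SERVER),  # only from the filtering company
    Rule(25, "out", src=MAIL_SERVER),                       # only the mail server may send
    Rule(80, "out"),
    Rule(110, "in"), Rule(110, "out"),
    Rule(143, "in"), Rule(143, "out"), Rule(993, "in"), Rule(993, "out"),
    Rule(443, "out"),
    Rule(443, "in", dst=MAIL_SERVER),                       # OWA / ActiveSync, pinned to mail server
    Rule(3389, "in"), Rule(3389, "out"),
]


def direction(src):
    return "out" if src in LAN else "in"


def decide(src, dst, port, rules=RULES):
    """Return 'allow' if a permit rule matches the flow, else 'deny' (default deny)."""
    src, dst = ip_address(src), ip_address(dst)
    d = direction(src)
    for r in rules:
        if r.port == port and r.direction == d and _match(r.src, src) and _match(r.dst, dst):
            return "allow"
    return "deny"
```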