PACKET RAT: They who control ports can keep the worms at bay
The Zotob worm, which attacks mostly Windows 2000 systems through the Plug and Play architecture of the operating system, and its misshapen offspring are hardly as nasty as, say, Code Red. But many major news organizations started running around like the sky was falling when Zotob reared its ugly wormlike head.
'Haven't any of these people ever heard of port blocking?' the whiskered one wondered aloud as he watched the hysterics on CNN from his network operations bunker. 'Whatever happened to blocking all nonstandard ports by default?'
Zotob, in its initial instantiation, used TCP port 333 to worm its way into unsuspecting networks. Windows networking uses Port 333 too, so blocking it inside the corporate network can cause ... issues. But typically speaking, it's not good security hygiene to let people poke around your Windows network across the firewall.
'Is that what we do?' asked one help desk acolyte. 'So how do we decide which ports need to be opened for legitimate Internet applications, like streaming video and stuff?'
'Well, first of all, Grasshopper,' the wirebiter replied, rocking back in his Aeron-knockoff chair, his feet up on his console, 'I'm the one who'll be deciding what's a legitimate Internet application around here. Streaming video? We let that into the executive network, the conference room network, and down here for 'testing purposes.' But the unwashed masses get nothing but outgoing port 80 access'if we like them.'
The acolyte paused and thought. 'OK, then, so what's the process for getting a port opened for an application? Do we run it through the test lab or something?'
The cyberrodent smiled. 'It's simple. We block all ports at the boundary firewall unless somebody begs us to open one. Then we keep it blocked until they go to the CIO to beg to have it opened. He asks them to generate an IT change request through the help desk system. Then, when we get it, we defer action for one fiscal quarter and blame it on workload. If the requestor hasn't upgraded to a version of the application that can use a port 80 Web proxy, and hasn't retired yet, we then make the change.'
'But it only takes a few changes to the firewall config to open ...' the acolyte began, but the Rat waved him off.
'Nothing ever takes just a few changes to do,' the Rat rebuffed. 'Everything we do to change our security profile opens up our enterprise to a whole new set of security threats. If we don't keep an iron grip on what we allow to pass through our DMZ to our assets, we'll spend every waking moment running down worms and malware and never be able to focus on the really important improvements to our infrastructure.'
The furry one paused and pulled a piece of paper from his pocket. 'Speaking of which, I have a high-priority set of changes we need to make to the firewalls for the NOC here.'
'What application's using this port range?' asked the humbled help desk jockey.
The Rat smirked. 'The night shift has a big Halo match tonight, and they need to be able to connect to the XBox Live network with as little latency as possible.'The Packet Rat once managed networks but now spends his time ferreting out bad packets in cyberspace. E-mail him at firstname.lastname@example.org.