router port open

GodHandGodHand Member Posts: 46 ■■□□□□□□□□
in CCNP Security
Hi,

Is it normal that a tcp port 21 or pop3 port on a router is open? By the way i have a firewall which my security control is done there.

thanks.
Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
· Share on FacebookShare on Twitter

Comments

  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    need advise pls... icon_cry.gif
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    Since TCP port 21 is the FTP control port I would ask .......... Is there any FTP used at that site?
    www.supercross.com
    FIM website of the year 2007
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    yes we have ftp servers within our LAN connected to this router. also smtp is open. do i have to worry about this? icon_sad.gif
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    isn't it that port mapping done in upper layer and layer 3 doesn't care about that.
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    what port/ports are normally open to a router?

    except telnet?
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    You enable or disable ftp on ports with access-lists,the access-lists give you the choice which source and dest addresses can use ftp.For security,a good policy would be to disable ports that are not needed including ftp etc, if needed in the future at any point modifying the assigned access-list will allow
    whichever access is desired.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    my security control is managed in the firewall below my router and access to the ftp is assigned there. however when i scan my router ftp port is open.

    what happen when i block this port?
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    GodHand wrote:
    my security control is managed in the firewall below my router and access to the ftp is assigned there. however when i scan my router ftp port is open.

    what happen when i block this port?

    From what i understand, you have a firewall controlling external access, if the firewall blocks ftp, no ftp can enter your network.If you block ftp on your router you might effect ftp users internally in your network.It all depends what you wanna do,if you block ftp on the firewall and the router you must remember to enable on both devices when needed.If you have no security concerns internally then you wont need to block ftp on the router.
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    Sound advice icon_wink.gif
    www.supercross.com
    FIM website of the year 2007
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    Thanks. icon_wink.gif

    port 21, 23, smtp and pop3 are open on the router because they are used inside my network. right?

    Any access to my servers from outside are block/allowed by my pix, my security is i assigned specific ip's that can remotely connect to them.

    And when i blocked these ports on the router my pix has no use at all, even if i allow ftp or telnet on the firewall it can't pass. right? So the they should be open both.

    icon_wink.gif
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • EdTheLadEdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Yes to all
    Networking, sometimes i love it, mostly i hate it.Its all about the $$$$
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    thanks buddy.

    the thing is one of my client want me to close the ports, which i cannot do for them.

    they worry about it and they think these might cause security issues. im not a security pro, just want know your opinion. icon_wink.gif
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    Hey, if they demand it ... who are you to argue icon_lol.gif

    BTW - how did they know it was open? I don't let any of my clients access their gear as it causes too much grief.
    www.supercross.com
    FIM website of the year 2007
    · Share on FacebookShare on Twitter
  • keatronkeatron Member Posts: 1,213 ■■■■■■□□□□
    RussS wrote:
    Hey, if they demand it ... who are you to argue icon_lol.gif

    BTW - how did they know it was open? I don't let any of my clients access their gear as it causes too much grief.

    lol..AMEN!!!! icon_lol.gif
    http://resources.infosecinstitute.com/author/keatron
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    I said one of my client and i have many clients who are going to use that port they want me to close.

    the thing is they port scan my gear which of course not ethical and everyone will be mad of knowing that. aren't you?
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • RussSRussS Member Posts: 2,068 ■■■□□□□□□□
    Man oh man - if I had a client playing with port scanners I would **** slap them into tomorrow icon_lol.gif
    www.supercross.com
    FIM website of the year 2007
    · Share on FacebookShare on Twitter
  • GodHandGodHand Member Posts: 46 ■■□□□□□□□□
    Is there a way to block port scanner tools on the router?
    Most of the important things in the world have been accomplished by people who have kept on trying when there seemed to be no hope at all.
    · Share on FacebookShare on Twitter
  • forbeslforbesl Member Posts: 454
    GodHand wrote:
    Is there a way to block port scanner tools on the router?
    Of course. It's called "deny all, permit by exception". The administrator determines what traffic is/is not allowed by controlling it with access lists. Determine what type of traffic is allowed, permit that through and deny everything else. The drawback to this is that it can be very admin-intensive. But hey...no more unauthorized port scans!

    For even better security, flash a firewall feature set IOS on the router and configure CBAC.
    · Share on FacebookShare on Twitter
Sign In or Register to comment.