router port open

Hi,

Is it normal that a tcp port 21 or pop3 port on a router is open? By the way i have a firewall which my security control is done there.

thanks.

Find more posts tagged with

Comments

GodHand

need advise pls...

RussS

Since TCP port 21 is the FTP control port I would ask .......... Is there any FTP used at that site?

GodHand

yes we have ftp servers within our LAN connected to this router. also smtp is open. do i have to worry about this?

GodHand

isn't it that port mapping done in upper layer and layer 3 doesn't care about that.

GodHand

what port/ports are normally open to a router?

except telnet?

EdTheLad

You enable or disable ftp on ports with access-lists,the access-lists give you the choice which source and dest addresses can use ftp.For security,a good policy would be to disable ports that are not needed including ftp etc, if needed in the future at any point modifying the assigned access-list will allow
whichever access is desired.

GodHand

my security control is managed in the firewall below my router and access to the ftp is assigned there. however when i scan my router ftp port is open.

what happen when i block this port?

EdTheLad

GodHand wrote:

my security control is managed in the firewall below my router and access to the ftp is assigned there. however when i scan my router ftp port is open.

what happen when i block this port?

From what i understand, you have a firewall controlling external access, if the firewall blocks ftp, no ftp can enter your network.If you block ftp on your router you might effect ftp users internally in your network.It all depends what you wanna do,if you block ftp on the firewall and the router you must remember to enable on both devices when needed.If you have no security concerns internally then you wont need to block ftp on the router.

RussS

Sound advice

GodHand

Thanks.

port 21, 23, smtp and pop3 are open on the router because they are used inside my network. right?

Any access to my servers from outside are block/allowed by my pix, my security is i assigned specific ip's that can remotely connect to them.

And when i blocked these ports on the router my pix has no use at all, even if i allow ftp or telnet on the firewall it can't pass. right? So the they should be open both.

EdTheLad

Yes to all

GodHand

thanks buddy.

the thing is one of my client want me to close the ports, which i cannot do for them.

they worry about it and they think these might cause security issues. im not a security pro, just want know your opinion.

RussS

Hey, if they demand it ... who are you to argue

BTW - how did they know it was open? I don't let any of my clients access their gear as it causes too much grief.

keatron

RussS wrote:

Hey, if they demand it ... who are you to argue

BTW - how did they know it was open? I don't let any of my clients access their gear as it causes too much grief.

lol..AMEN!!!!

GodHand

I said one of my client and i have many clients who are going to use that port they want me to close.

the thing is they port scan my gear which of course not ethical and everyone will be mad of knowing that. aren't you?

RussS

Man oh man - if I had a client playing with port scanners I would **** slap them into tomorrow

GodHand

Is there a way to block port scanner tools on the router?

forbesl

GodHand wrote:

Is there a way to block port scanner tools on the router?

Of course. It's called "deny all, permit by exception". The administrator determines what traffic is/is not allowed by controlling it with access lists. Determine what type of traffic is allowed, permit that through and deny everything else. The drawback to this is that it can be very admin-intensive. But hey...no more unauthorized port scans!

For even better security, flash a firewall feature set IOS on the router and configure CBAC.