ASA predefined services and MS Ports

Answered Question
Jun 19th, 2008

For a long time now I've been trying to get a handle on what is really required for MS hosts to talk to other MS hosts, but googled doco is scant.

The MS site does not seem to acknowledge the existence of UDP or TCP (surprised: Not me!)

Also, in the predefined services of the ASA there is nothing for 135 (both TCP and UDP, I believe) ... this is pretty weird as it is the MS end point mapper and therefore very common.

Any info or links to definitive stuff would be useful.

BTW: I am, of course, not letting this MS chatter move over OUTSIDE interfaces .. we have many internal FWs and pvt links into customers where some of this dodgy MS stuff is required in order to support the customers.

Thanks in advance,

Mike

Farrukh Haroon Fri, 06/20/2008 - 03:35

Actually, most organizations which are conscious about security don't even allow file sharing directly between hosts. A file-sharing server is set up for this (do a google search for Microsoft DFS). Users are given access to this (with personal folders for each). This makes access control relatively easy. This also reduces the damage caused by worms and other malware.

Regards

Farrukh

m.surtees Sun, 06/22/2008 - 16:47

Thanks Farrukh,

I'm well aware of the dangers of the basic Microsoft ports; unfortunately there are a number of apps used by our organization that require some or all of the NetBIOS gunk - the HP-OVO suite and Radia most specifically.

I'm just finding it really difficult, even with the help of everyone's friend Google, to determine whether these ports are UDP or TCP. Microsoft documentation seems not to realize there is a difference, and HP doco does not seem to provide any information at all.

Also, I'm still looking for an index of the predefined ports in the ASA OS. I can't understand why there would be several predefined NetBIOS ports but 135 (seemingly UDP & TCP) - the vital MS end-point mapper - is not defined. Nor the newer SMB TCP&UDP-445 port.

So my query is not only about these 'common' (but ill-defined) MS ports, but also about what is in the list and why there are glaring omissions.

Regards,

Mike

m.surtees Sun, 06/22/2008 - 17:09

Hi again,

Just had a look at DFS .. we already use it across our multiple sites but these are 'internal' and connected by pvt WAN.

Despite my last post and references to other apps using the annoying NetBIOS stuff, there is still a need for file sharing across FW boundaries - internal & various levels of DMZ (most of these not accessible to the 'outside' but rather cordoned-off areas of server groups).

But even using DFS there is a need for ports opened on a FW - possibly both directions for DFS. Do you know what these are?

Mike

Farrukh Haroon Sun, 06/22/2008 - 22:16

Please check the ports listed under DFS on this link:

http://support.microsoft.com/kb/832017#

Distributed File System

The Distributed File System (DFS) integrates disparate file shares that are located across a local area network (LAN) or wide area network (WAN) into a single logical namespace. The DFS service is required for Active Directory domain controllers to advertise the SYSVOL shared folder.

System service name: Dfs

Application protocol                Protocol   Ports
NetBIOS Datagram Service            UDP        138
NetBIOS Session Service             TCP        139
LDAP Server                         TCP        389
LDAP Server                         UDP        389
SMB                                 TCP        445 ****
RPC                                 TCP        135 ****
Randomly allocated high TCP ports   TCP        random port number between 1024 - 65535*

* For more information about how to customize this port, see the "Remote Procedure Calls and DCOM" section in the "References" section.

Regards

Farrukh
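To put the KB 832017 DFS port list above into ASA terms, here is an added example (not from the KB article, the ASA documentation or either poster) of an object-group based rule set permitting only those ports from a client subnet to a DMZ file-server group; the object names, addresses, interface name and ASA 8.3+ syntax are assumptions.

```cisco
! Added example, not from the thread. ASA 8.3+ syntax; the object names,
! addresses and the interface name are hypothetical and must be adapted.
object-group network DFS-CLIENTS
 network-object 10.10.0.0 255.255.0.0
object-group network DFS-SERVERS
 network-object host 10.20.5.10
 network-object host 10.20.5.11
!
! TCP ports from the KB DFS table. netbios-ssn (139) and ldap (389) are
! ASA predefined port names; 135 (RPC endpoint mapper) and 445 (SMB)
! have no predefined name, as the thread notes, so they are numeric.
object-group service DFS-TCP tcp
 port-object eq 135
 port-object eq netbios-ssn
 port-object eq ldap
 port-object eq 445
!
! UDP ports from the same table: netbios-dgm (138) and ldap (389).
object-group service DFS-UDP udp
 port-object eq netbios-dgm
 port-object eq ldap
!
! Only the listed DFS ports are allowed from the clients to the servers;
! everything else is dropped by the implicit deny at the end of the ACL.
access-list DMZ-IN extended permit tcp object-group DFS-CLIENTS object-group DFS-SERVERS object-group DFS-TCP
access-list DMZ-IN extended permit udp object-group DFS-CLIENTS object-group DFS-SERVERS object-group DFS-UDP
access-group DMZ-IN in interface inside
!
! The "randomly allocated high TCP ports" row is RPC's dynamic range.
! Instead of permitting 1024-65535 outright, let the ASA's DCERPC
! inspection watch the endpoint-mapper exchange on TCP 135 and open a
! pinhole only for the port the server actually hands out.
policy-map global_policy
 class inspection_default
  inspect dcerpc
```

If the RPC dynamic range has been narrowed on the servers as the KB's "Remote Procedure Calls and DCOM" note describes, the inspection still works and the pinholes simply land inside that smaller range.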

m.surtees Mon, 06/23/2008 - 00:16

Thanks Farrukh, useful link.

See my attachment if you want a handy Excel spreadsheet of the same (but without the useful tips your link provides).

Still got all the MS gunk though; looks like we'll never escape it.

And still no reason why Cisco have not predefined TCP-135, the most used MS port (they have Sun's version). Oh well, chalk it down as an oversight.

Also no listing/index of ASA predefined ports that I can find. I'll just have to hold my mouse cursor over each item and wait for the pop-up. Or hope they call the port the same thing as everyone else.

Regards,

Mike

Correct Answer
Farrukh Haroon Mon, 06/23/2008 - 00:55

Yup we used this document to make security policies for our customers.

Don't focus too much on the pre-defined ports of the ASA/PIX, it seems this is an issue they don't focus much on.

Please rate helpful posts. Regards

Farrukh
