New Member

Best practices network security ports/protocols

Hi - Is there any reference to what might be considered common network security best practices, specifically which ports/protocols to allow or block from the Internet? I've been checking CERT, SANS and Cisco, but am unable to find any reference. I know such a reference is dynamic, but I am looking for some basic guidelines: blocking NetBIOS, X-Windows etc. if not required from the Internet, that type of example.



New Member

Re: Best practices network security ports/protocols

Apart from that, you should also employ Anti-Spoofing techniques

For networks employing legitimate IP public address space, traffic arriving inbound on an external connection sourced from common, internal IP address ranges should be considered "spoofed" and should be denied.

Anti-spoofing should be done at every point in the network where it's practical, but is usually both easiest and most effective at the borders between large address blocks, or between domains of network administration. It's usually impractical to do anti-spoofing on every router in a network, because of the difficulty of determining which source addresses may legitimately appear on any given interface.

When employing the explicit-deny strategy, the list of denied networks should be as comprehensive and thorough as possible. Most, if not all, of the following network ranges should be denied when employing the explicit-deny strategy:

-RFC 1918 Private Address Range

-RFC 1918 Reserved/Special Address Range

-TCP/IP Auto-configuration (RFC 1918) Address Range

-Functionally-Illegitimate Address Range

-Source-Broadcast Address Range

-Multicast Address Range

New Member

Re: Best practices network security ports/protocols

Check out the NSA references at this address:

If the link doesn't work just go to the NSA site and click on the Information Assurance link. They have a lot of information on hardening IT systems.

New Member

Re: Best practices network security ports/protocols

General rule with inbound Internet traffic is to block everything with exception to ports that are commonly required such as the following:

-TCP 80 (if you are hosting a web server)

-TCP 443 (hosting a secure web server)

-UDP 53 (external DNS)

-TCP 20,21 (hosting an FTP server)

And you may require additional ports to be opened depending on your specific environment. Also, as mentioned earlier, anti-spoofing techniques should be implemented as well to avoid potential anti-spoofing attacks using invalid IP addresses.

Please rate if you have found this post useful. Thanks!
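The two replies above describe one border policy: an explicit-deny anti-spoofing list checked first, then a default-deny inbound rule set that permits only the handful of ports the last reply lists. The following is an added Python example, not code from any of the posters or from Cisco, that evaluates constructed inbound packets against that policy in ACL order. The deny list uses the address categories the anti-spoofing reply names (RFC 1918, loopback, 169.254.0.0/16 auto-configuration, 0.0.0.0/8, the source-broadcast address and multicast) and is a starting point, not an exhaustive bogon list; the protected public prefix 203.0.113.0/24 and the sample packets are constructed assumptions.

```python
"""Evaluate inbound Internet-edge packets against (1) an explicit-deny
anti-spoofing source list and (2) a default-deny inbound port allow-list,
in the order a border ACL would apply them: deny entries first.
Added example, not from the original thread."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Explicit-deny source ranges, labelled with the categories the thread names.
# Constructed starting point; a production bogon list is longer and changes.
SPOOFED_SOURCES = [
    ("RFC 1918 private", ipaddress.ip_network("10.0.0.0/8")),
    ("RFC 1918 private", ipaddress.ip_network("172.16.0.0/12")),
    ("RFC 1918 private", ipaddress.ip_network("192.168.0.0/16")),
    ("loopback", ipaddress.ip_network("127.0.0.0/8")),
    ("auto-configuration / link-local", ipaddress.ip_network("169.254.0.0/16")),
    ("functionally illegitimate (this-network)", ipaddress.ip_network("0.0.0.0/8")),
    ("source broadcast", ipaddress.ip_network("255.255.255.255/32")),
    ("multicast", ipaddress.ip_network("224.0.0.0/4")),
]

# Assumed public prefix of the protected site (documentation range, constructed).
# Packets arriving from the Internet claiming this source are spoofed too.
OUR_PUBLIC_PREFIX = ipaddress.ip_network("203.0.113.0/24")

# Inbound allow-list exactly as the last reply lists it; everything else is denied.
ALLOWED_INBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 20), ("tcp", 21)}


@dataclass(frozen=True)
class Packet:
    src: str      # source IP as seen on the external interface
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def spoofed_reason(src_ip: str) -> Optional[str]:
    """Return the deny-list category the source falls into, or None if it
    looks like a legitimate Internet source."""
    ip = ipaddress.ip_address(src_ip)
    if ip in OUR_PUBLIC_PREFIX:
        return "our own public range"
    for label, net in SPOOFED_SOURCES:
        if ip in net:
            return label
    return None


def evaluate(pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). Anti-spoofing denies are evaluated before the
    port allow-list, so a spoofed source never reaches a permit entry."""
    reason = spoofed_reason(pkt.src)
    if reason is not None:
        return ("deny", f"anti-spoofing: source in {reason}")
    if (pkt.proto.lower(), pkt.dport) in ALLOWED_INBOUND:
        return ("permit", f"{pkt.proto.lower()}/{pkt.dport} on inbound allow-list")
    return ("deny", "implicit deny: not on inbound allow-list")


def evaluate_all(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Apply the policy to a batch and return one (packet, action, reason) per packet."""
    return [(p, *evaluate(p)) for p in packets]


# Constructed sample of inbound packets, mixing legitimate, spoofed and
# unwanted-service traffic (NetBIOS on 139, as the question mentions).
SAMPLE_PACKETS = [
    Packet("198.51.100.7", "tcp", 443),    # legitimate HTTPS to the web server
    Packet("192.168.1.5", "tcp", 443),     # private source on the outside: spoofed
    Packet("203.0.113.9", "udp", 53),      # our own prefix arriving from outside: spoofed
    Packet("224.0.0.5", "tcp", 80),        # multicast as a source address: spoofed
    Packet("198.51.100.7", "tcp", 139),    # NetBIOS from the Internet: implicit deny
    Packet("198.51.100.7", "udp", 53),     # external DNS query: permitted
]

if __name__ == "__main__":
    for pkt, action, reason in evaluate_all(SAMPLE_PACKETS):
        print(f"{action:6} {pkt.src:>15} {pkt.proto}/{pkt.dport:<5} {reason}")
```

Run it directly to see the verdict for each sample packet. The order of checks is the point: if the port allow-list were evaluated first, a packet from 192.168.1.5 to TCP 443 would be permitted, which is exactly what the anti-spoofing reply warns against.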
