If all outbound connections are denied, open the following ports: TCP 443 (RPC(HTTP)), TCP 445 (SMB), TCP 88 (Kerberos), TCP 53 (DNS), UDP 53 (DNS). Show
By default, Windows firewall allows all inbound connections for which no denying rules have been set. If the default settings are applied, no rule should be created for outbound connections. When you enable the media sharing option, users and devices on the network can access shared music, pictures, and videos stored on your computer. When media sharing is enabled the following ports and services are required: ■ Windows Media Player Network Sharing Service (HTTP-Streaming-In) Accepts inbound connections on TCP port 10243 from the local subnet. ■svchost.exe Accepts inbound QoS traffic on TCP and UDP ports 2177 from the local subnet. ■Simple Service Discovery Protocol Accepts inbound traffic on UDP port 1900 from the local subnet. ■wmpnetwk.exe Configured to accept inbound TCP and UDP connections on all ports from the local subnet. ■The Windows Media Player Network Sharing Service (UPnP-In) Accepts inbound TCP traffic on port 2869 from the local subnet. Read moreNavigate DownView chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597491747500070 FirewallsMark Osborne, in How to Cheat at Managing Information Security, 2006 Cut-Through ProxyThe cut-through proxy provides a method for user-based authentication. Both inbound and outbound connections can be authenticated. The method is superior to a traditional proxy filter because it uses fewer resources—no sockets are not terminated and reopened; the device never becomes an endpoint. Instead, it monitors defined streams for authentication messages. When it spots one, it doesn’t forward that packet immediately. Instead, it triggers the authentication mechanism, prompting the user for a user ID and password. After authentication by a TACACS + or RADIUS server, per-user connection state information is maintained by the firewall. For protocols that don’t support authentication, a virtual Telnet server exists. Just Telnet to a specific address and validate your user ID and password by signing on—then your PCs address will be authenticated for a specified time period. View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597491105500154 Transferring Files Using NetcatIn Netcat Power Tools, 2008 Transferring Files with the Original NetcatOn the server side you will need to specify that Netcat should be listening for inbound connections with the –l option, and specify which port to listen on via the –p option. You also need to specify the file to direct the output to. This can be accomplished with the following command: nc –l –p 4444 > /test/outfile.txt This command would tell Netcat to listen on port 4444 (over Transmission Control Protocol [TCP] by default), and send the output from the connection to /test/infile.txt. On the client side, the format is similar. All you need is a destination Internet Protocol (IP) address and port number, as well as the file you wish to redirect to the network socket. On *nix systems you can use the cat command to read the file into Netcat or the </> redirection. Examples in this chapter will use the < or > format because they will work on Windows or Linux. Both are shown here: nc 192.168.1.99 4444 < C:\test\infile.txt cat /test/infile.txt | nc 192.168.1.99 4444 This would connect to the host at 192.168.1.99 over port 4444 and send the C:\test\outfile.txt over the socket thus created. That is all it takes to move a file. The file in question does not have to have the same name at each end, though it can. The direction of the file transfer is from the client to the server in this example and all examples used in this chapter. You can also “push” a file from the server to the client just as easily, by reversing the direction of the < and > symbols. The –p option specifying the port will work with or without a space between the –p and the port number. You can use the –u option to use Netcat over UDP instead of TCP, though for file transfers this is rarely needed or advisable. When using the redirect option to transfer a file, you will receive no warning or error if you attempt to overwrite an existing file. You can use a >> to output to a file instead of >, and the file will be appended to instead of overwritten. Beyond these simple steps, it is left to the user to ensure that old data is not inadvertently overwritten via Netcat's redirection capabilities. If this is a concern, see some of the Netcat variants that offer more control over how files are handled later in this chapter. Closing Netcat When the Transfer is CompletedOne of the first things you will notice as you play with Netcat, is that the file never seems to finish. At least it gives no indication that the file transfer is complete. Unfortunately, it will sit there indefinitely. If you break out (normally CTRL+C), you will find that the file is there in it's entirety, assuming you allowed enough time to complete the transfer. This raises the question of how do I make the socket close when the file transfer is complete? If you use the –w option, it will allow you to specify the delay in seconds after the end of the file is reached before Netcat will close the connection. On Windows systems, the –w option can be used on the server or the client with identical results. Both of these commands would result in the connection closing five seconds after the file transfer is completed. Here are commands for Windows and Linux: nc –l –w5 –p 4444 > /test/infile.txt nc –w5 192.168.1.99 4444 < C:\test\outfile.txt The behavior of the –w option is a little different on Linux. On Linux, the –w option used on the Netcat server specifies how long to wait for a connection before closing. This can be useful if you want to only keep the port open for a short time before closing it, perhaps to increase security. The –w option used on the client side will act as a timeout before the connection closes, but after the file transfer, the same as on Windows systems. This means the –w option behaves differently depending on which end of the connection you use it on (as the help output describes). nc –l –w5 –p4444 > /test/infile.txt This will cause the listening server to wait five seconds for a connection to be made before shutting down the listening port. If –w is used only on the server, the connection will not close by itself and will instead stay open when the file transfer is completed. nc –w5 192.168.1.99 4444 < C:\test\outfile.txt This will cause the client to send the file specified, and then wait five seconds after the file is transferred before shutting itself down. When you are mixing Linux and Windows Netcat servers and clients, you get the above behavior based on who is the client and who is the server. In other words, because the –w option as an initial connection timeout is a server-based option, it will act as a connection timeout if Linux is the server. If it is a windows server, it will act as an end-of-file timeout. Either system will honor the end of file (EOF) timeout as a client option. Other Options and ConsiderationsThe –L option is specific to the Windows version of Netcat when used in server mode. This tells Netcat to continue listening on the indicated port even after the client disconnects. This is a departure from the standard behavior, which is to shut down the server side when the client disconnects. This option could be useful if you want to send data to the server from multiple clients, or if you want to send multiple files to the server over different sessions to be appended to the same output file. From a scripting perspective, it is worth pointing out that on Windows the file you are using for redirection will be locked by the file system. This means an attempted move or renaming of the redirected file while Netcat is still running will result in an error. Linux does not share this behavior, and will happily let you rename the file out from under Netcat. The file locking behavior may sometimes work to your advantage. Suppose you are sending a Windows host some type of log, perhaps from a custom written script. You can have an automated batch file loop and attempt to rename the file with the current date, for example, and you will not have to worry about figuring out if the Netcat portion of the script is completed or not. If Netcat has not closed, you will not be able to rename the file. The –q option is only available on Linux and has no effect when run on the server, at least as far as file transfers are concerned. When used on a Linux client for a file transfer, it has the effect of closing the connection as soon as the file transfer is completed regardless of the number you specify, much the same as using –w1 on the client would (using zero seconds for the wait time will result in an error). This behavior is a little odd, but considering the option it is intended to be used with, stdin, it really isn't that surprising. Timing Transfers, Throughput, etc…An additional option that could be of benefit when scripting file transfers, is the –v (for verbose) option. This tells Netcat to give you more feedback on the connection process. With a single –v, Netcat will tell you the IP and port being used. With an additional v, Netcat will also tell you the amount of data transferred in bits, similar to the following: F:\netcat>nc -v -l -p4444 > F:\small.txt listening on [any] 4444 ... connect to [192.168.1.99] from (UNKNOWN) [192.168.1.112] 53442: NO_DATA F:\netcat>nc -vv -l -p4444 > F:\small.txt listening on [any] 4444 ... connect to [192.168.1.99] from (UNKNOWN) [192.168.1.112] 53492: NO_DATA sent 0, rcvd 147 Note the final line that is added with the second v. This can be particularly handy if you want to grab the file size after the transfer. If necessary, you could script the timestamp before and after the transfer, and combined with the file size and a little math you could determine the throughput, much like an FTP file transfer. The Windows 2000 resource kit (and likely others) includes timethis.exe, which will accept another command as an argument and time how long it takes to complete the command. As an example, timethis.exe produces the following output for a netcat file transfer: timethis “nc 192.168.1.99 4444 < C:\test.txt” timeThis : Command Line: nc 192.168.1.112 4444 < F:\test.txt timeThis : Start Time: Tue Apr 01 17:50:21 2008 timeThis : End Time: Tue Apr 01 17:50:24 2008 timeThis : Elapsed Time: 00:00:02.021 Remember that you will need to time the transfer on the client host. If you are planning on the server continuing to listen after the file is transferred, timethis would never see the command “complete” and know to stop the timer. Even if you are allowing the server to close after the transfer is completed, there would still be the extra time recorded while the server was listening, but before the client connected. This additional time would skew your total time and alter any calculations for throughput you might do. Linux also offers the pv utility. If you do not already have it installed, it has some very cool options for monitoring the performance of a pipe. You can use the –b option to display the amount of bytes transferred, and the –t option to show the elapsed time. This allows you to get both time and byte counts in a single tool. The following line would provide both the time elapsed and the bytes transferred: cat test.txt | pv –bt | nc 192.168.1.99 4444 177MB 0:00:19 See Chapter 8 for more details on transfer speeds. Tunneling a Transfer Through an IntermediaryAnother option is to use a host in between your client and server to bounce the Netcat session off. This could be helpful if you need to change the port you are using somewhere in the middle of the data path. While not supported natively, you can accomplish this by piping Netcat into Netcat on the intermediary system as follows: nc -l -p4444 | nc 192.168.1.99 6666 This uses the same syntax you are familiar with, but sends the output of the listening Netcat into the client session as input. The creative uses you can put this type of simple redirection too are nearly endless. Netcat has what it takes to move a file easily from one system to another without too much fuss. While not sophisticated in it's capabilities, it can still get the job done. Of course, these simple file transfers are only the tip of the iceberg. You may still need to find ways to handle file integrity, because Netcat does not verify your data was transferred without errors. You will also want to ensure that the data you are transferring is protected from authorized viewing via encryption. Both of these options will be discussed later in this chapter. The next step is to examine some of the Netcat variants and what options they offer when it comes to transferring files. View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597492577000066 ISA 2004 Stateful Inspection and Application Layer FilteringDr.Thomas W. Shinder, Debra Littlejohn Shinder, in Dr. Tom Shinder's Configuring ISA Server 2004, 2005 The PPTP FilterThe PPTP filter supports PPTP connections through the ISA firewall for outbound connections made through Access Rules and inbound connections made through Server Publishing Rules. The ISA firewall's PPTP filter differs from the ISA Server 2000 PPTP filter in that it supports both inbound and outbound PPTP connections. The ISA Server 2000 PPTP filter only supports outbound PPTP connections. The PPTP filter is required by both SecureNAT and Firewall clients. In fact, a machine located on an ISA firewall protected network must be configured as a SecureNAT client to use the PPTP filter to connect to PPTP VPN servers through the ISA firewall. The reason for this is that the Firewall client does not mediate non-TCP/UDP protocols. The PPTP VPN protocol requires the use of the Generic Routing Encapsulation (GRE) protocol (IP Protocol 47) and TCP protocol 1723. The TCP session is used by PPTP for tunnel management. When the outbound access to the PPTP protocol is enabled, the PPTP filter automatically intercepts the GRE and TCP connections made by the PPTP VPN client. You do not need to create an Access Rule allowing outbound access to TCP 1723 for VPN clients. View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781931836197500174 Installing Windows Server 2008 and Hyper-VThomas Olzak, ... James Sabovik, in Microsoft Virtualization, 2010 Installing the Hyper-V management console on a workstationIf Hyper-V is installed on Windows Server 2008 Standard or Enterprise, the management console is available on the server after reboot. However, you may be using Server Core, or simply prefer to manage your Hyper-V installation remotely by installing the management console on a Windows Vista or a Windows 7 workstation. To enable remote management, the server must be able to accept management connections through the firewall. On Windows Server 2008 Standard/Enterprise, the installation of the Hyper-V role also enables the inbound connections for client-side management. Enable Network Discovery and Browsing for full functionality. If the server has been used for any file or print sharing previous to being used for Hyper-V, this will already be enabled. Otherwise, the easiest method is to open up the Network browsing window, and follow the prompts. Note If you do not wish to run the remote management console as a domain administrator, there are a few additional steps required, including enabling remote management, adding the user to the Remote Administration user group, and adding the user to the AZman group. There is a script available at http://code.msdn.microsoft.com/HVRemote that will assist in performing the necessary setup. Download and install the Hyper-V management tools for Windows Vista, also called KB952627. You need to validate your installation of Windows Vista before you will be allowed to download the tool. After the installation of the management console (if you are running Microsoft Vista SP2 or later), you also need to download and install KB970203. When the installation completes, you will have a new Hyper-V Manager shortcut in your Administrative Tools menu. Launch the console as a user with permissions to access the server, typically a domain or server administrator (see Figure 3.5).  ▪ Figure 3.5. Hyper-V Manager. From the Action menu, select Connect to Server. Choose to connect to Another Computer and either browse to the server running Hyper-V or enter the name or IP address of the server (in our case the name is Server). A successful connection will give you a screen similar to the one shown in Figure 3.6. ▪ Figure 3.6. The Action menu. View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597494311000035 Plug-ins, Plug-ins, and More Plug-insMax Schubert, in Nagios 3 Enterprise Network Monitoring, 2008 OIDS usedTCP connection state: .1.3.6.1.2.1.6.13.1.1 There are three types of TCP connection metric tests and collections we find useful. The first is numbers of connections inbound and outbound along with unique source and destination IP addresses. The second is TCP connections states. The third is connections to the server by service, where a service is defined as a set of one or more ports (for example, “mail” might comprise ports 25, 26, 465, and 587. For all of these checks/metric collections we also want to be able to filter by server port. As with the other SNMP performance-based scripts in this section, use the first_notification_delay_period option with the service or host group the service is a part of to keep Nagios from sending out notifications until the performance issue requires human intervention. Figure 4.2 is a graph showing the output from the TCP connection count script over 24 hours (using the PNP plug-in for Nagios). Figure 4.2. TCP Connections Count Graph Figure 4.3 is a graph showing the output from the TCP connection state script over 24 hours for a server with a misconfigured service (using the PNP plug-in for Nagios); a high number of connections in FIN_WAIT2 state relative to the total number of connections is a sure sign of a TCP service problem. Figure 4.3. TCP Connection States Graph Finally, Figure 4.4 is a graph showing the output from the TCP service mode of this script over 24 hours (using the PNP plug-in for Nagios). This is a Web server, so the warning and critical thresholds are set to alert if HTTP/HTTPS exceed normal counts for the server (although you can see from the graph that IMAP is by far the most popular TCP-based service on the server). In service mode, each graph item can represent one or more ports; for example, in Figure 4.4, “mail” represents TCP ports 25, 26, 465, and 587. Figure 4.4. TCP Connections by Service Graph View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597492676000048 Securing Network AccessDerrick Rountree, in Windows 2012 Server Network Security, 2013 Creating a Server-to-Server IPSec Connection RuleRight-clicking on Connection Security Rules and selecting New Rule will bring up the Rule Type screen of the New Connection Security Rule Wizard, as seen in Figure 3.21. Here you decide what type of connection rule you want to create. Select Server-to-server. Click Next. Figure 3.21. Windows Firewall New Connection Security Rule Type Screen This will bring up the Endpoints screen, as seen in Figure 3.22. Here you specify which endpoint systems will have their communication secured. Add the endpoints you want secured and click Next. Figure 3.22. Windows Firewall New Connection Security Rule Endpoints Screen This will bring up the Requirements screen, as seen in Figure 3.23. This is where you specify the conditions where the rule be applied. You can choose between three options: Figure 3.23. Windows Firewall New Connection Security Rule Requirements Screen ▪Request authentication for inbound and outbound connections: With this option, authentication is requested but not required. ▪Require authentication for inbound connections and request authentication for outbound connections: Inbound connections must use authentication. Outbound connections request authentication, but it is not required. ▪Require authentication for inbound and outbound connections: Inbound and outbound connections must use authentication. Choose your desired option and click Next. This brings up the Authentication method screen, as seen in Figure 3.24. You can choose to either use a computer certificate for authentication or choose a custom method. Figure 3.24. Windows Firewall New Connection Security Rule Authentication Method Screen If you choose Computer Certificate, all computers must have certificates issued by the designated certificate authority. You also have the option to require health certificates. Health certificates are issued by Network Access Protection health certificate servers. If you select the Advanced option, you have to specify at one custom authentication method. Clicking the Customize button, will bring up the Customize Advanced Authentication Methods screen as seen in Figure 3.25. Figure 3.25. Windows Firewall New Connection Security Rule Custom Authentication Method Screen Here you can set up a first and a second authentication method. You can configure multiple authentication methods for the each. If you select Add under First authentication, you will see the Add First Authentication Method window as seen in Figure 3.26. Figure 3.26. Windows Firewall New Connection First Authentication Method Window You can choose to authenticate using Kerberos v5, NTLMv2, a computer certificate, or a preshared key. If you choose the computer certificate option, you must select the certificate authority that the computer certificates must have been issued from. If you choose the computer certificate option, you also have the option to configure advanced properties. Clicking the Advanced button, will bring up the Advanced Certificate Criteria Properties window, as seen in Figure 3.27. Figure 3.27. Windows Firewall New Connection Advanced Certificate Criteria Properties Window Here you can specify additional restrictions on the certificate. You specify a specific key usage that must be specified in the certificate. You can also configure certain name values, like a subject OU that must be used in the certificate. These additional settings are particularly useful if you specified a public CA. You have no control over who can receive certificates from a public CA, so being able to add further restrictions is a good way to enhance security. Note: Caution should be used when selecting preshared key as the authentication method. Preshared keys are stored in plaintext; and therefore are subject to theft. Next is the Profile screen as seen in Figure 3.28. Here you specify the network type(s) for which you want the rule to apply. Your choices are Domain, Private, and Public. Figure 3.28. Windows Firewall New Connection Profile Screen Finally, you must give your new security rule a name. You can also add an optional description if you like. Note: Inbound and Outbound firewall rules must still be configured in order to use IPSec. IPSec will secure the connection, but it must first be allowed through the firewall. View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597499583000030 Microsoft Vista: Networking EssentialsIn Microsoft Vista for IT Security Professionals, 2007 Configuring a Server-to-Server Connection Security RuleTo configure a connection security rule that defines how authentication should take place between a specific set of servers or devices, select Server-to-Server from the screen shown in Figure 6.29 and click Next. You’ll see the screen shown in Figure 6.31. Figure 6.31. Configuring a Server-to-Server Rule To specify individual devices to which this rule should apply, click Add. You’ll be taken to the IP Address screen shown in Figure 6.30, where you’ll be able to specify one or more single IP addresses, a range of IP addresses, or one of the predefined sets of devices discussed in the “Configuring an Authentication Exemption Rule” section. You can also select Customize to specify the type of interface to which the rule should apply: LAN, remote access, or wireless. The rule can be applied to one, two, or all three of these interface types; it will be applied to all interface types by default. Click Next once you have specified the endpoints to which this rule should apply.You will then be prompted to select one of the following three authentication requirements for the new isolation rule: ■Request authentication for inbound and outbound connections ■Require authentication for inbound connections and request authentication for outbound connections ■Require authentication for inbound and outbound connections Click Next once you’ve made your selection. You can then choose from one of the following three authentication methods: ■Computer Certificate If you select this option, you will be prompted to enter the name of a CA on your network. You will also have the option to accept only NAP health certificates. ■Preshared key As we discussed earlier, this is a low-security authentication method that Microsoft does not recommend; it is included only for backward compatibility and to ensure compliance with the IPSec RFC standards. ■Advanced If you select this option, you will be prompted to configure a custom authentication method as described earlier, in the “Authentication Method” section. When you’ve selected the authentication method that this rule should use, click Next. You will then be prompted to select which Windows Firewall profile will apply this rule: Domain, Public, and/or Private. You can configure this rule to be enforced under one, two, three, or none of the Windows Firewall profiles. Click Next to continue. You’ll be prompted to enter a name and an optional description for this rule. Click Finish when you’re done. You’ll be returned to the main MMC snap-in window, where you will see the newly created rule listed in the main window. From here, you can right-click on the rule to disable or delete it, or you can select Properties to modify any of the settings that you configured in the wizard. View chapterPurchase book Read full chapter URL: https://www.sciencedirect.com/science/article/pii/B9781597491396500108 Protecting Your PerimeterEric Seagren, in Secure Your Network for Free, 2007 Simulating the Windows FirewallNow let’s configure the firewall. The built-in firewall on Windows XP is enabled by default with service pack 2 or better. The standard configuration is to allow outbound connections from the host system, and deny inbound connections unless they are explicitly configured. The Windows firewall also allows any traffic that is a reply to traffic that the host originally generated outbound. After you execute the iptables –F command to flush out all of the previously configured rules, the following commands would configure the Linux host similarly: iptables -P OUTPUT ACCEPT iptables -P INPUT DROP iptables -P FORWARD DROP iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT The --state extensions track the current status of the connections. By specifying ESTABLISHED or RELATED, the firewall allows packets that are part of a currently established session, or packets that are starting a new session, but where the session is related to an existing session (such as an FTP data session). If you were hosting a service on this system, such as a Web server, you would need to configure the INPUT chain appropriately. This configuration would afford any Linux system a minimum level of firewall security with virtually no impact to its overall functionality. What is inbound and outbound in firewall?What are inbound and outbound rules? Inbound firewall rules protect the network against incoming traffic, such as disallowed connections, malware, and denial-of-service (DoS) attacks. Outbound firewall rules protect against outgoing traffic, originating inside a network.
What is the difference between inbound and outbound connections?Outbound means you initiate the connection and the traffic starts flowing outward of your computer to the destination you intended. Example you connect to a server. Inbound means someone else from outside of your computer initiate the connection to your computer, so the traffic starts flowing inward to your machine.
What does inbound mean in networking?Inbound or Outbound is the direction traffic moves between networks. It is relative to whichever network you are referencing. Inbound traffic refers to information coming-in to a network.
What direction is an inbound connection?What's an Inbound Connection? From the perspective of Private Connect, any HTTP/s traffic that's coming from an external provider, such as AWS, into Salesforce over the private internet is referred to as the inbound direction (inbound to Salesforce).
|
