Because of course you know all of the ports that your business, users, and attackers are going to use for various network protocols.
In recent years, firewalls and network security devices have gotten a little bit smarter. In addition to defining firewall rules, traffic analysis, and/or IDS rules based on port numbers and IP addresses, many of these tools began to include protocol parsers. A protocol parser is a piece of software that can be used to detect network applications and protocols regardless of the TCP or UDP port their traffic is observed on. The integration of these parsers as well as the integration of firewall, IDS/IPS, and network analysis software onto a single platform gave birth to “Next Generation” firewalls and/or IDS/IPS.
For an example of software that includes protocol parsers, I’m going to pick on another IDS/IPS suite next: Suricata.
In addition to being able to define IP address ranges and port variables, Suricata allows its users to define detection rules based on the network service protocol, referred to as Layer 7 Protocols. Some examples include http, nfs, and rdp. There is a whole host of layer 7 protocols that Suricata supports. In general, the ability to define firewall and/or IDS/IPS rules by the network service’s protocol, regardless of the TCP or UDP port it is running on, is a game-changer. Now, instead of defining IDS rules or firewall rules based on TCP or UDP port numbers, security engineers can define rules based on the protocol parsed, or the service detected.
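To make the difference concrete, here is a toy version of what such a protocol parser does: it labels a flow by the first bytes the client sends rather than by destination port, and flags where the two disagree. This is an added example written for this article, not Suricata code; the flows and the tiny port table are constructed.

```python
"""Toy port-independent protocol identification (constructed example)."""
import re
from dataclasses import dataclass

# What a port-only firewall or IDS "knows": a small IANA-style table.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "http", 443: "tls"}

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x CRLF
HTTP_REQUEST_LINE = re.compile(rb"^[A-Z]{3,7} \S+ HTTP/1\.[01]\r\n")


@dataclass
class Flow:
    dst_port: int
    payload: bytes  # first client-to-server bytes of the connection


def classify_by_port(flow: Flow) -> str:
    """Port-based guess, the legacy approach the article criticises."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Payload-based guess, the way an app-layer parser works."""
    p = flow.payload
    if HTTP_REQUEST_LINE.match(p):
        return "http"
    # TLS record header: ContentType 0x16 (handshake), major version 0x03,
    # then a 2-byte length, then handshake type 0x01 (ClientHello).
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "tls"
    if p.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"


def audit(flows):
    """Return (port, port_guess, payload_guess) for every flow where the
    two disagree, i.e. a known protocol on an unexpected port."""
    mismatches = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_port != by_payload:
            mismatches.append((f.dst_port, by_port, by_payload))
    return mismatches


# Constructed sample flows (payloads truncated to what the parser needs).
SAMPLE_FLOWS = [
    Flow(443, b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # TLS where expected
    Flow(8080, b"GET /live HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # HTTP, odd port
    Flow(80, b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"),  # TLS on the HTTP port
    Flow(443, b"SSH-2.0-OpenSSH_9.6\r\n"),  # SSH hidden on 443
]
```

Running `audit(SAMPLE_FLOWS)` reports the last three flows; the first is consistent on both views and produces no entry.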
On to Metadata
In addition to protocol parsers, some firewalls and modern IDS/IPS solutions rely on collecting metadata about connections in order to identify the service. Metadata about network connections may include destination port numbers, the number of packets transferred, the IP addresses or DNS domains the client communicated with, SSL certificate details from HTTPS conversations, and many more details. From this metadata, an intelligent guess is made about which service a client is communicating with.
Why is this necessary? Because now, more than ever, there are several services and applications that overlap and use the same service port, with port 443/HTTPS being the biggest offender.
For example, many streaming services like Twitch.tv, Hulu, and Netflix are viewable in a web browser, and all of them communicate over HTTPS. Many chat programs such as Discord or Slack have web-based HTTPS clients and/or communicate over HTTPS. DNS over HTTPS relies on HTTPS communication and is the default DNS service for the Mozilla Firefox web browser.
Because all of these services use port 443 and the HTTP protocol for their communication, they are exceptionally hard to set limits and boundaries for if all you have are firewalls or IDS/IPS appliances that identify services by port number. In many cases, these design choices are intentional: they make the services easier for consumers to access without worrying about poking holes in their firewalls, or they are deliberately designed to be harder to block in order to get around internet censorship.
For examples of software that attempts to perform network service detection, check out Snort 3’s OpenAppID, or, for a more enterprise example, Palo Alto next-gen firewalls, which rely heavily on application detection.
In this lesson, we learned what a port number is and how it’s used to define and identify the various network services we interact with on a daily basis.
We also learned that the Internet Assigned Numbers Authority defines a set of TCP and UDP ports and their designated services, but that ultimately, users with the proper authorization can redefine them at will. This has resulted in a cat-and-mouse game when it comes to evading network security appliances such as IDS/IPS and firewalls, but this is overcome through the use of protocol parsers and application detection through metadata analysis.
Stay tuned for part two of this series, where we’ll learn more about the network security implications for service port numbers and how they impact network forensics, penetration testing, and vulnerability management.