The "No Network is 100% Secure" series
- Port Scanning -
A White Paper


All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


What is port scanning? Port scanning is similar to a thief going through your neighborhood and checking every door and window on each house to see which ones are open and which ones are locked.

TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are two of the protocols that make up the TCP/IP protocol suite, which is used to communicate on the Internet. Each of these has ports 0 through 65535 available, so essentially there are more than 130,000 doorknobs for burglars to jiggle.

The first 1024 TCP ports are called the Well-Known Ports and are associated with standard services such as FTP, HTTP, SMTP or DNS. Some of the ports above 1023 also have commonly associated services, but the majority of these ports are not associated with any service and are available for a program or application to use for communication.

Port scanning software, in its most basic state, simply sends out a request to connect to the target computer on each port sequentially and makes a note of which ports responded or seem open to more in-depth probing.

If a port scan is being done with malicious intent, the intruder would generally prefer to go undetected. Network security applications can be configured to alert administrators if they detect connection requests across a broad range of ports from a single host. However, many port scanning programs provide the ability for an intruder to perform these scans and not be detected.
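The alerting rule described above can be sketched as follows. This is an added example, not code from Easyrider LAN Pro; the log line format, the IP addresses, the 60-second window and the 10-port threshold are all constructed assumptions. It also shows why the window size matters: a sweep that is spread out over time stays under a short window and is only flagged by a longer one.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed log lines: '<ISO time> <action> <proto> <src> -> <dst>:<port>'."""
    t0 = datetime(2009, 3, 25, 10, 0, 0)
    fmt = "{} {} TCP {} -> 192.0.2.10:{}"
    lines = ["malformed entry"]
    for i in range(15):  # fast sweep: 15 ports in 15 seconds
        lines.append(fmt.format((t0 + timedelta(seconds=i)).isoformat(), "DENY", "198.51.100.7", 20 + i))
    for i in range(15):  # slow sweep: one new port every 5 minutes
        lines.append(fmt.format((t0 + timedelta(minutes=5 * i)).isoformat(), "DENY", "198.51.100.99", 1000 + i))
    for i in range(30):  # ordinary client: many connections, only two ports
        lines.append(fmt.format((t0 + timedelta(seconds=2 * i)).isoformat(), "ALLOW", "203.0.113.5", 80 if i % 2 else 443))
    return sorted(lines)  # ISO timestamps sort chronologically as strings

def parse_line(line):
    """Return (timestamp, source IP, destination port), or None if unparseable."""
    parts = line.split()
    try:
        return datetime.fromisoformat(parts[0]), parts[3], int(parts[5].rsplit(":", 1)[1])
    except (IndexError, ValueError):
        return None

def detect_scans(lines, window=timedelta(seconds=60), threshold=10):
    """Flag sources that touch >= threshold distinct ports within the window.

    Assumes lines are in chronological order. Returns {src: (alert_time, ports_seen)}.
    """
    recent = defaultdict(deque)  # src -> (timestamp, port) pairs still inside the window
    alerts = {}
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # skip malformed entries instead of crashing the monitor
        ts, src, port = record
        seen = recent[src]
        seen.append((ts, port))
        while ts - seen[0][0] > window:  # expire events older than the window
            seen.popleft()
        distinct = len({p for _, p in seen})
        if distinct >= threshold and src not in alerts:
            alerts[src] = (ts, distinct)
    return alerts

if __name__ == "__main__":
    log = build_sample_log()
    print("60 s window:", sorted(detect_scans(log)))
    print("2 h window: ", sorted(detect_scans(log, window=timedelta(hours=2))))
```

Counting distinct ports rather than total connections keeps the busy but ordinary client from triggering the alert.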

Port scanning will determine which ports are open and which are not. An intruder can then come back and target the open ports to see if they are vulnerable to exploitation.

To help ensure that your network is protected and secure, you may wish to perform your own port scans. Once you find out what ports respond as being open, you should then determine whether it's actually necessary for those ports to be accessible from outside your network. If they're not necessary, you should shut them down or block them. Some (but very few) ports will indeed be required to be open. You should then research what sorts of vulnerabilities and exploits your network is open to by having these ports accessible and then apply the appropriate patches or mitigation to protect your network as much as possible.

Having firewalls in place is no guarantee that your network is secure. If firewall rules are lax or if logs are not being monitored, it can be very easy for a cyber-burglar to learn all about your network, what kind of computers are in it, what software is running and so on. And if an intruder can probe a port, they can exploit it! Implementing tight firewall rules, shutting down services that aren't needed and closing all unnecessary ports should be just the first steps in your overall enterprise security plan. If you fail to do this, it will only be a question of "when", not "if" your network will be broken into.

Easyrider LAN Pro has a lot of experience auditing sites and determining how vulnerable they are to exploits. We also put on security seminars in conjunction with our partner, Tektal, to help educate the IT community regarding threats to their networks.




Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro