What Is a Port?

As we all know, IP addresses are used to identify computers on a network. The TCP/IP protocol connects one IP address to another to form a network. Many services typically run on a computer, such as web services that allow users to access web pages, SSH services that allow administrators to configure servers, or FTP services that are used to transfer files. So, how do you distinguish between different services on the same computer?

Therefore, the concept of port is invented. A port is specified by a number, that is, the port number. Each type of service on the computer needs to provide a port to wait for the data packets sent by the peer end from a dynamic port. For example, the common port number for web services is 80 (for HTTP) or 443 (for HTTPS). When you browse a web page, your browser randomly selects a port and sends data packets to port 80 or 443 of the web server. One computer sends data packets through a port, and the other computer receives data packets through another port. The ports of the two communication parties are the end points for sending and receiving data packets.

When delivering a package, a courier first finds the community according to the street address, then finds the recipient according to the house number in the community, and delivers the package. The street address and house number form a complete delivery address. In the cyber world, if we compare an IP address to a street address and a service to a courier, then port is the house number. An IP address and a port form a complete communication address, which is used to identify the destination of data packets.

What Are Open Ports?

Open ports actively receive data packets. Conversely, ports that reject all data packets are called closed ports. As mentioned above, when a computer needs to provide services for external systems, a specific port needs to be opened. After all, if you want to receive the date (package), you have to open the port (door) for the service (courier).

After a service is enabled on a specific port, the port can be used only for this service and cannot be used for other purposes (services). Ports are classified into three types:

• Well-known ports: also called system ports. The port number ranges from 0 to 1023. Well-known ports are allocated by the Internet Corporation for Assigned Names and Numbers (ICANN) to common services. Well-known ports are closely related to services. Typically, a well-known port is used for communication, that is, the service corresponding to the port is used. For example, number 22 indicates SSH and number 23 indicates Telnet.
• Registered ports: also called user ports. The port number ranges from 1024 to 49151. Registered ports are managed by Internet Assigned Numbers Authority (IANA). An organization can apply to the IANA for a port as the registered port of an application. For example, 3389 is a registered port number applied by Microsoft for Remote Desktop Protocol (RDP).
• Private ports: also called dynamic ports. The port number ranges from 49152 to 65535. Dynamic ports should not be allocated to services. A dynamic port is temporarily allocated to an application when the host communicates with the server. After the communication is complete, the port is released. However, in actual applications, the host usually allocates dynamic ports starting from 1024.

For details about the allocation relationship between port numbers and services, see IANA website.

What Are the Risks of Opening Ports?

Strictly speaking, opening a port does not necessarily bring risks, and any specific port is not necessarily more secure or dangerous than other ports.

The port itself is neutral. Whether opening a port has risks is determined by the service that uses the port and the person who manages the service. If the service that uses the port has vulnerabilities and is not patched promptly, or the service configuration is incorrect and the security policy is improper, it is dangerous to open the corresponding port.

Cyber attacks usually start from port scanning. Attackers search for security vulnerabilities from services with open ports and use vulnerabilities to gain unauthorized access to resources. For example, the SMB protocol is used to share folders, printers, and serial ports within an organization. Due to defects in the protocol design, the SMB protocol is exploited by the zero-day vulnerability called EternalBlue, which leads to the WannaCry outbreak. Disclosure of such services on the Internet will inevitably pose security risks. In addition to searching for vulnerabilities, attackers often use brute force cracking. For example, brute force cracking against RDP is often used for ransomware attacks and is one of the most common intrusion methods.

If opening a port is risky, the port is vulnerable to attacks. Opening any port increases the attack surface and the likelihood of being threatened due to vulnerabilities, configuration errors, and insufficient management.

Why Do Security Experts Recommend that Only Necessary Ports Be Opened?

Ports exist for communication. An organization shall implement the necessary audit procedures to determine whether to open a port. If a service needs to be run, it is meaningful to enable the corresponding port. In this case, you need to obtain application software from legal channels, check security vulnerabilities promptly, implement security hardening measures, and then open ports.

As mentioned above, opening any port increases the attack surface and the possibility of being threatened. If there is no proper communication requirement, do not open the corresponding port.

There are a large number of computers on the internal network of an organization, and unnecessary ports may be opened on each computer. You can disable the ports on each computer, or you can hand over the work to firewalls, which are usually deployed at the network egress to block the communication between such ports and external networks. Imagine that you have a courtyard (network), you can close the doors and windows (ports) of each room (computer), you can also rely on the courtyard wall, and then guard the gate of the courtyard.

How Do I Evaluate Port Security Risks?

1. Check the open ports. Open ports on the network can be detected by using an open-source port scanning tool (such as Nmap) or deploying Huawei vulnerability scanning product VSCAN.
2. Evaluate the necessity of opening ports. Security experts recommend that only necessary ports be enabled on specific devices and unnecessary ports be disabled immediately. If the scanning result contains ports that are not proactively opened, check whether the host is implanted with Trojan horses.
3. Evaluate the security of opening ports. Understand the services carried on each port and the possible risks of the port. The security risks of ports can be evaluated from the following aspects:
   1. Exploitable: If the services and applications carried by the port have security vulnerabilities, the port may be exploited by attackers.
   2. Frequently exploited: Ports that are frequently used by attackers are more risky. Typical applications include the RDP, FTP, and web applications that are widely used by network administrators.
   3. Open scope: All ports opened on the public network may be attacked. Unnecessary ports cannot be exposed to the public network. Security protection must be provided for ports that are required by services.

Ports can be classified into the following types based on risk levels. The risk levels are in descending order.

• High-risk ports: ports that are opened on the public network and are extremely risky. The services carried by these ports once caused a wide range of security events. Therefore, these ports are favored by attackers and are scanned by various automatic attack tools all the time, which results in high risks. For details, see How Do I Block High-Risk Ports? to block common high-risk ports on a firewall.
• High-risk services: high-risk services that are opened on the public network and use non-standard ports. For example, the RDP service opens on port number 3399. The default port number of the RDP service is 3389. Changing the port number increases the time cost for attackers to detect risky services and improves security to some extent. Therefore, the risk level of high-risk services is lower than that of high-risk ports. However, this improvement is limited. For details, see How Do I Protect Risky Ports? to enhance security protection for high-risk services.
• Risky ports: ports that are opened on the public network. If these open ports are required by normal services, perform security protection by referring to How Do I Protect Risky Ports?.

Use secure protocols and software.

Non-encryption protocols transmit data packets in plaintext. Attackers can use tools such as Wireshark to easily capture network traffic and view sensitive information such as passwords transmitted in plaintext. Therefore, use encryption protocols instead of non-encryption protocols. For example, use SSH to replace Telnet and FTP/TFTP, use SSL to encrypt HTTP and email protocols, and use VPN to protect communication.

Use the latest protocol and software version. Early versions of many protocols pose security risks. For example, SSHv1 uses an insecure key exchange algorithm. Therefore, you need to configure the SSH services to accept connections only using SSHv2. Similarly, all services and applications must use official versions and be updated in a timely manner. Outdated versions and versions that are no longer maintained may have known vulnerabilities that cannot be fixed promptly.

Using Strong Password Policies and Strong Authentication

Many intrusions start with cracking user passwords. Strong password policies prevent usage of weak passwords. As a result, passwords are not leaked. The policies help organizations defend against brute force cracking more effectively. Different application software supports different password policies, including:

• Password complexity: A password must contain at least three types of the following characters: uppercase letters, lowercase letters, digits, and special characters.
• Minimum password length: A password must contain at least eight characters.
• Password validity period: Setting the password validity period. After the password expires, the password becomes invalid and cannot be used for login. A user must change the password before the password expires.
• Password history: The application software records the history passwords of users. The new password must be different from the recorded historical passwords to prevent the user from using the old password again.
• Number of incorrect password attempts: When the number of incorrect password attempts reaches the specified threshold, the account or login IP address is locked for a period of time to prevent brute force cracking.

Deploying the In-depth Defense System

The network is divided into security zones of different levels, and security devices are deployed to check communication between zones. For example:

• Internet-oriented public services are deployed in the DMZ. All traffic for accessing the public services must pass the security checks of a firewall. For services that can be accessed only by specific users, you can set source IP address-based or user-based security policies to restrict the accessible groups.
• Sensitive services that are not directly oriented to the Internet, such as database systems, are deployed in zones with higher security levels, and security policies are used to strictly restrict accessible source IP addresses. In this way, even if an attacker destroys the public service port in the DMZ, the attacker still faces inter-zone security check, which enhances the protection capability to some extent and increases the attack cost of the attacker.
• For common web services, firewalls dedicated to web applications, such as Huawei WAF5000 series, can be deployed to protect servers.