topic Re: Ensure NetBios traffic is not permitted to leave our network in Network Security

Ensure NetBios traffic is not permitted to leave our network

krubb — Fri, 21 Feb 2020 17:06:41 GMT

Hello!

I've been asked to verify that NetBios traffic is not able to leave our network; specifically ports 445 and 139. My basic understanding makes me think that is the case but I'm not sure how to verify that. We are using ASA5525's in a HA configuration.

The request is to make sure NetBios traffic is blocked from leaving our network. Is that not already the default?

Re: Ensure NetBios traffic is not permitted to leave our network

johnd2310 — Tue, 07 May 2019 01:32:12 GMT

Hi,

Configure an access list on the firewall and you will be sure the traffic is not leaving the network.

Thanks

John

Re: Ensure NetBios traffic is not permitted to leave our network

Marvin Rhoads — Tue, 07 May 2019 02:15:58 GMT

By default all traffic is allowed to transit from a higher security level (inside) to a lower security level (outside).

If there is an ACL applied to the inside interface, an implicit deny is then used for any traffic not specified.

You can always check an ASA firewall's handling of a given traffic flow using the packet tracer utility. for example:

packet-tracer input inside tcp <some inside address> 1025 <any outside address - e.g. 8.8.8.8> 445

...will check if tcp/445 is allowed outbound.

Re: Ensure NetBios traffic is not permitted to leave our network

krubb — Tue, 07 May 2019 13:17:29 GMT

Thanks Marvin,

I did the packet tracing and that traffic is certainly able to get out of our network. I started looking at creating an ACL to block Netbios but I'm struggling to figure that out. I'm not a CLI wizard by any stretch and mostly work from within the ASDM. When I go to ACL Manager I can create a new ACL but I don't see where I configure that ACL. All I can do is name it. Thoughts?

Re: Ensure NetBios traffic is not permitted to leave our network

krubb — Tue, 07 May 2019 13:32:43 GMT

Just for understanding, this is a screen grab of my Firewall --> Access Rules. There are 2 rules, each allowing ANY/ANY. However, this ACL is labeled as "Incoming". Shouldn't I be seeing "Outgoing" somewhere?

Re: Ensure NetBios traffic is not permitted to leave our network

johnd2310 — Wed, 08 May 2019 00:46:54 GMT

Hi,

Incoming is correct. You need to deny the traffic inbound on the Inside interface.Create a rule on line 1 and only deny the ports you require.

Thanks

John

Re: Ensure NetBios traffic is not permitted to leave our network

Marvin Rhoads — Wed, 08 May 2019 02:11:58 GMT

Like @johnd2310 said, we deny traffic incoming on the inside interface. That drops it as soon as it is received by the ASA and keeps it from being processed further (thus no need for an outbound ACL entry).

So add a new rule before the current line 1. Best is to create a service object group when building the rule to equal NetBIOS (tcp/445 and tcp/139). To do that, note that the GUI allows you to "add new group" when specifying the destination port(s)/service(s).

Also ensure you haven't allowed the traffic inbound from the Internet. That is the more high risk threat by far. I have seen customers allow all ports to a given Windows server thus exposing it to exploits and, by extension, compromising their entire internal network. Once you can "own" a given server from the outside you can usually use it to springboard to other resources.