cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1946
Views
0
Helpful
6
Replies

Ensure NetBios traffic is not permitted to leave our network

krubb
Level 1
Level 1

Hello!

 

I've been asked to verify that NetBios traffic is not able to leave our network; specifically ports 445 and 139. My basic understanding makes me think that is the case but I'm not sure how to verify that. We are using ASA5525's in a HA configuration. 

The request is to make sure NetBios traffic is blocked from leaving our network. Is that not already the default?

6 Replies 6

johnd2310
Level 8
Level 8

Hi,

 

Configure an access list on the firewall and you will be sure the traffic is not leaving the network.

 

Thanks

John

**Please rate posts you find helpful**

Just for understanding, this is a screen grab of my Firewall --> Access Rules. There are 2 rules, each allowing ANY/ANY. However, this ACL is labeled as "Incoming". Shouldn't I be seeing "Outgoing" somewhere?

 

ACL_Incoming.PNG

Hi,

Incoming is correct. You need to deny the traffic inbound on the Inside interface.Create a rule on line 1 and only deny the ports you require.

 

Thanks

John

**Please rate posts you find helpful**

Like @johnd2310 said, we deny traffic incoming on the inside interface. That drops it as soon as it is received by the ASA and keeps it from being processed further (thus no need for an outbound ACL entry).

So add a new rule before the current line 1. Best is to create a service object group when building the rule to equal NetBIOS (tcp/445 and tcp/139). To do that, note that the GUI allows you to "add new group" when specifying the destination port(s)/service(s).

Also ensure you haven't allowed the traffic inbound from the Internet. That is the more high risk threat by far. I have seen customers allow all ports to a given Windows server thus exposing it to exploits and, by extension, compromising their entire internal network. Once you can "own" a given server from the outside you can usually use it to springboard to other resources.

Marvin Rhoads
Hall of Fame
Hall of Fame

By default all traffic is allowed to transit from a higher security level (inside) to a lower security level (outside).

If there is an ACL applied to the inside interface, an implicit deny is then used for any traffic not specified.

You can always check an ASA firewall's handling of a given traffic flow using the packet tracer utility. for example:

packet-tracer input inside tcp <some inside address> 1025 <any outside address - e.g. 8.8.8.8> 445

...will check if tcp/445 is allowed outbound.

 

Thanks Marvin,

 

I did the packet tracing and that traffic is certainly able to get out of our network. I started looking at creating an ACL to block Netbios but I'm struggling to figure that out. I'm not a CLI wizard by any stretch and mostly work from within the ASDM. When I go to ACL Manager I can create a new ACL but I don't see where I configure that ACL. All I can do is name it. Thoughts?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: