TCP 445 and 139

ciscothejam00
Level 1

Hi,

On the edge PIX, I noticed a lot of traffic being generated on TCP ports 445 and 139, and when I checked on the Internet I found that these ports are malicious and dangerous, but when I block them on the internal interface the browsing stops.

Please advise, should I keep them open?

regards

Fady


hemendoz
Cisco Employee

Hello Fady,

Ports 139 & 445 are Windows ports.

Port 139 NetBIOS

NetBIOS Session (TCP), Windows File and Printer Sharing

This is one of the most dangerous ports on the Internet. All "File and Printer Sharing" on a Windows machine runs over this port. About 10% of all users on the Internet leave their hard disks exposed on this port.

Port 445 SMB

In Windows 2000, Microsoft has created a new transport for SMB over TCP and UDP on port 445. This replaces the older implementation that was over ports 137, 138, 139.

Your PIX should by default be blocking these inbound. If you block these outbound as well, you will lose browsing capabilities to networks past the internal network. I would say a security conscientious individual would block these outbound as well. It basically boils down to risk assessment. Do your users really need this functionality? What happens if there is an intrusion as a result? etc.

Hope this helps! If so, please rate.

Thanks

Well the browsing is very important for them.

The inbound traffic on the PIX is already blocked by default, but I have attached an ACL on the outside interface to block these ports on the inbound traffic as well.

Hope this will help in preventing attacks.

I'm planning to plug in an IPS4240 in the next couple of weeks. I hope that the ACL and PIX will help in the meantime.

Please advise

regards

Fady

What browsing are you doing outbound? If you are browsing computers outside, you need to be careful. You can put in an access list that permits it outbound only to specific hosts or networks. You need to set up a unified defense, and the IPS must work in concert with the PIX.
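The suggestion in the reply above (permit outbound 139/445 only to specific hosts, deny it everywhere else) can be checked before it is applied. The following is an added example, not part of the original thread: a constructed ACL in PIX syntax plus a small first-match evaluator. The ACL name `inside_out`, the inside network 10.1.1.0/24 and the file server 192.0.2.10 are assumptions.

```python
import ipaddress

# Constructed ACL in PIX syntax; name and addresses are assumptions, not from
# the thread. First match wins; anything unmatched hits the implicit deny.
ACL = """\
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 445
access-list inside_out permit tcp 10.1.1.0 255.255.255.0 host 192.0.2.10 eq 139
access-list inside_out deny tcp any any eq 445
access-list inside_out deny tcp any any eq 139
access-list inside_out permit ip any any
access-group inside_out in interface inside
"""

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'NET MASK' and return an ip_network."""
    first = tokens.pop(0)
    if first == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if first == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(first + "/" + tokens.pop(0))

def parse_acl(text):
    """Parse access-list lines into (action, proto, src, dst, port) tuples."""
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue  # skips access-group and blank lines
        action, proto = tokens[2], tokens[3]
        rest = tokens[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, proto, src, dst, dport):
    """Return 'permit' or 'deny' for one flow using first-match semantics."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, r_proto, r_src, r_dst, r_port in rules:
        if r_proto not in ("ip", proto):
            continue
        if s in r_src and d in r_dst and r_port in (None, dport):
            return action
    return "deny"  # implicit deny at the end of every ACL

RULES = parse_acl(ACL)
```

With this rule order, SMB from the inside network reaches only 192.0.2.10, while ordinary web traffic still falls through to the final permit.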

lissacoffey
Level 1

Blocking 445 at the firewall is relatively easy and solves many problems. The real issue with 445 is internal.

445 needs to be open in Windows environments and is a prime conduit for the spread of malware internally. Apart from this, I have listed a few more ways here which are also useful in preventing the malware spread.
