Port Filtering With BrowseControl

Block Unused Network Ports

• Deny by Default: All ports should be closed by default unless there is a documented, reviewed, and approved business case.
• Defense in Depth: Combine BrowseControl’s host-based port filtering with a perimeter-based firewall for a defense-in-depth approach.
• Risk Assessment: Any port can be exploited by an attacker. Blocking unused ports reduces the attack surface of your network.

What is Port Filtering?

The internet and applications use predetermined TCP/UDP ports to transmit network protocol packets (data).

Port filtering is the practice of allowing or blocking (opening/closing) network packets into or out of a device or the network based on their port number.

Blocking network ports allows administrators to restrict specific operations such as file transfers through ports used for FTP and torrents.

What Ports Need to Be Left Open?

Port requirements are unique to each organization and its networks. The ports required by business applications will evolve over time as well. Here are some ways to determine what ports you need to keep open.

• Product Documentation: Consult the manuals of any software and hardware used in your organization and see if they require specific ports to be left open.
• Netstat & Resource Monitor: Use a netstat command and Windows resource monitor to identify ports that are currently in use by a specific computer.
• Trial & Error: If you only use internet-connected computers and have no other special needs, try blocking all ports except for port 80 (HTTP internet) and port 443 (HTTPS internet). Test all services and applications in your organization to see if there are any connection issues and monitor IT support tickets for any unforeseen issues.
• Research Ports: If you need to perform special actions such as file transfers over FTP or hosting your own email servers you’ll need to consult this list to see the ports that are required by each of them.