What is a server?
In client-server processes that use Transmission Control Protocol/Internet Protocol (TCP/IP) or User Datagram Protocol (UDP), the client initiates communication with a server through one of the many well-known ports. In computer networking, a port is an endpoint of communication in an operating system. While the term is also used for physical devices, in software, it is a logical construct that identifies a specific process or a type of network service. For example, HTTP traffic typically uses TCP port 80.
What makes a server is that it is the one that accepts a connection from a client. Typically, this port is left open or running so that clients can connect at any time. It is good security policy to restrict the number of ports that are open on a server. Each open port is a way to gain access to that server. In recent times, several ransomware variants spread around networks by exploiting a vulnerability in SMBv1. Infected clients searched for any host with TCP port 445 active and then tried to communicate using the SMBv1 protocol.
Why worry about new server ports?
Opening new ports on a server increases that server’s attack surface. Keeping the attack surface as small as possible is a basic security measure. New ports become active if you install new software or if you enable a new service on the server. Enabling something such as RDP (remote desktop protocol) can compromise the entire server and provides a way for data to be transferred off.
For important servers on your network, you should have an inventory of what applications or services are running so that changes can be detected. You can do this by constantly polling the server on every port number or monitor network traffic going to and from the server. The polling method can be problematic, as you will need to constantly bombard the server with connection requests and you may miss something if the application or service was only active for a short time.
If compliance standards such as GDPR are a concern, server monitoring is not just a nice-to-have—it becomes mandatory. You must maintain an inventory of who is connecting to what if you store sensitive or personal data.
Detecting new server ports by monitoring network traffic
If you monitor network traffic going to and from your important servers, you can build up an inventory of what ports are open without the need to interact with the servers. One way to do this is to use a SPAN or mirror port to get a copy of the network traffic going to and from your servers. You would then need a solution that includes network traffic analysis, such as InsightIDR, to process this data and extract the relevant metadata from the network packets.
Once you have your SPAN or mirror port in place and you have a solution deployed that monitors network traffic, you can start to build up an inventory of new server ports. You can then monitor for server ports over time. Fields may include: sensors (processing traffic from multiple network points), server addresses (accepting client requests), ports (what the server is listening to), date and time of detection, and server reply.