According to research by Palo Alto Networks, malware is increasingly targeting "old" ports like FTP because nobody is watching them. What's the best way for organizations to monitor such non-standard ports?
Ask the expert
I'm not sure what you mean by "old" ports, but if you're saying that malware is increasingly targeting "old" protocols, then I agree -- to a point. To be clear, a protocol is a standardized method that computers use to exchange information. File Transfer Protocol (FTP) and HTTP are two of the most commonly known protocols. Protocols use various ports to send information. If an enterprise network were a highway, ports would be the different lanes; only certain lanes take data where it needs to go.
The Palo Alto Networks research seems to indicate that FTP has been successfully used as a vehicle for malware on ports other than TCP ports 20 and 21, the ports FTP typically uses. This is certainly feasible, as many enterprises leave some of their high-numbered network ports open (and hence unsecured) for testing and management purposes. So an attacker may be able to sneak into a network that isn't properly secured by using FTP on non-standard ports. If proper security monitoring isn't implemented, the malicious traffic could be easily mistaken for standard FTP traffic.
However, a properly configured firewall should be able to defeat such intrusions by triggering an alert when any kind of non-standard FTP traffic is observed. For instance, alerting on certain unencrypted FTP commands like USER, PASS, LIST and RETR is a best practice worth considering. Similarly, consider alerting on common FTP return codes, including 331 (username OK, need password) and 125 (data connection already open; transfer starting). If this hasn't been done before in your organization, begin by monitoring FTP traffic for a period of time, map all traffic (and port use) to legitimate business uses, and then block FTP to ports that it doesn't normally use. This will ensure FTP malware can't sneak in through a "backdoor" port in the network.
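The detection approach described above, as an added example that is not part of the original answer: it matches the unencrypted FTP commands (USER, PASS, LIST, RETR) and reply codes (331, 125) named there and alerts only when they appear on a port outside the set mapped to legitimate FTP use. The `Segment` record, the sample traffic and the approved-port set are all constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

@dataclass(frozen=True)
class Segment:
    """Hypothetical flow record: one TCP segment with its first payload line."""
    src: str
    dst: str
    service_port: int   # server-side port of the connection, same for both directions
    payload: str        # first line of the TCP payload, decoded as text

# Unencrypted FTP commands and reply codes worth alerting on (from the answer above).
FTP_COMMAND = re.compile(r"^(USER|PASS|LIST|RETR)(\s|$)", re.IGNORECASE)
FTP_REPLY = re.compile(r"^(331|125)[ -]")

# Ports where FTP is expected: the standard ones, plus any others mapped to a
# legitimate business use during the monitoring period (assumption: only 20/21).
STANDARD_FTP_PORTS: Set[int] = {20, 21}

def ftp_indicator(payload: str) -> Optional[str]:
    """Return the FTP command or reply code opening the payload, or None if absent."""
    m = FTP_COMMAND.match(payload)
    if m:
        return m.group(1).upper()
    m = FTP_REPLY.match(payload)
    return m.group(1) if m else None

def detect_nonstandard_ftp(segments: Iterable[Segment],
                           approved_ports: Set[int] = STANDARD_FTP_PORTS) -> List[str]:
    """Alert on FTP-looking traffic whose service port is not on the approved list."""
    alerts: List[str] = []
    for seg in segments:
        indicator = ftp_indicator(seg.payload)
        if indicator and seg.service_port not in approved_ports:
            alerts.append(f"FTP {indicator} on port {seg.service_port}: {seg.src} -> {seg.dst}")
    return alerts

# Constructed sample traffic (not real captures): one normal FTP login on port 21,
# one FTP session hiding on port 8443, and one unrelated HTTP request.
SAMPLE = [
    Segment("10.0.0.5", "10.0.0.9", 21, "USER alice"),
    Segment("10.0.0.9", "10.0.0.5", 21, "331 Please specify the password."),
    Segment("10.0.0.7", "203.0.113.8", 8443, "USER anonymous"),
    Segment("203.0.113.8", "10.0.0.7", 8443, "331 OK, send password"),
    Segment("10.0.0.7", "203.0.113.8", 8443, "RETR update.bin"),
    Segment("203.0.113.8", "10.0.0.7", 8443, "125 Data connection already open"),
    Segment("10.0.0.7", "198.51.100.2", 8080, "GET /index.html HTTP/1.1"),
]

if __name__ == "__main__":
    for alert in detect_nonstandard_ftp(SAMPLE):
        print(alert)
```

Running it prints four alerts, all for the port 8443 session; adding 8443 to the approved set (as you would after mapping it to a legitimate use) silences them.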
This was first published in November 2013