Blocking SMB Traffic

Reply
Highlighted
L3 Networker

Blocking SMB Traffic

I was doing a review of some firewall policies and noticed the company I am consulting for is allowing all applications risk 1 through 3 from their trust to untrust zones.  Not sure why it's setup that way yet, but in doing so, SMB traffic is alllowed out. 

 

I want to immediately put a control in that blocks SMB traffic outbound. Is it recommended to create the policy using only ports, tcp/udp port 445, or should I block via SMB application?   My thought is block via ports, but I'll do whatever is the recommended way.

 

What about tcp/udp port 137 and 139?  Should these also be added to the blocked 'from trust to untrust' rule?

 

I'm curious to what you all are doing.

 

thanks

 

Highlighted
L6 Presenter

Re: Blocking SMB Traffic

They are not mutually exclusive. You can do both. Just leave the rule where you define application SMB, set to application 'any', so if SMB is used evasively through different ports, it can also be blocked.

Highlighted
L3 Networker

Re: Blocking SMB Traffic

Not sure I'm following your response. Do you mean if you choose SMB for application, set the Service to Any?

 

Is it common practice to create multiple rules to block SMB?

Highlighted
L6 Presenter

Re: Blocking SMB Traffic

Yes, SMB for application, Service to Any.

 

Not sure what common practice is, but some environments require that *no* packets leave out on specific ports.

The app-id engine needs to allow a few packets through before it identifies the application, so if you go solely with an app-id rule, a few packets will always leave the firewall before there's a block action enforced.

Highlighted
L3 Networker

Re: Blocking SMB Traffic

thanks. what method do you use on your firewalls (if you don't mind me asking)

Highlighted
L6 Presenter

Re: Blocking SMB Traffic

I'm with Palo Alto Networks Support, so I will allow other members of the community to provide that answer.

Highlighted
Cyber Elite

Re: Blocking SMB Traffic

Hello,

We have a strict deny all allow by exception policy at our company. So we only allow appplications/ports/urls etc., based on approval from the executives. If you are looking to block traffic, start with the logs and see what is being allowed out and start blocking on it. The ACC tab can help you with this as well. 

 

As for writing policies, I try to use applications rather than actual ports.

 

Hope that helps.

Highlighted
L3 Networker

Re: Blocking SMB Traffic

Hi,

 

The deny all, allow by exception would be ideal. Possibly can convince that for the future.

 

Right now, I want to focus only on blocking SMB

Highlighted
L1 Bithead

Re: Blocking SMB Traffic

Risk 1 through 3 from their trust to untrust zones is not a great way to allow traffic to the Internet.

There are 58 pages of applications when I look at this on my firewall.

 

I found this out the hard way when someone set this up for our guest networks and we had a big netbios attacks launch from a rogue machine on our network.   Whittle it down to what you actually need.

 

 

 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!