App is able to connect without firewall rule defined


Solved by Marcos

Hi everyone,

I'm setting up a new set of firewall rules from scratch. At the moment, I'm working with the default configuration of ESET Endpoint, which only includes the built-in rule set. I have the option 'Also evaluate local Windows Firewall rules' disabled.

I ran netstat -an to check which ports are open on my Windows test workstation:



[screenshot: netstat -an output]


 

  1. I tested the first application, Radmin Server, which requires port 4899 to be open.

Without a firewall rule for it, despite the netstat result mentioned earlier, I cannot connect to the app, which behaves as expected. After applying a rule to allow incoming connections on local port 4899, it works properly.

  2. As you can see in the picture above, there is an application listening on port 7070. This is the AnyDesk Client.

There is no built-in rule for port 7070, nor any custom rule allowing this app to connect on that port. However, AnyDesk works, and connections are accepted without issue. I used Wireshark to verify that it's indeed using port 7070:

[screenshot: Wireshark capture showing AnyDesk traffic on port 7070]

What am I missing?

Is there another mechanism that could be allowing AnyDesk to connect?


Kind Regards,
J

Edited by jzar2104: said 'Hi' twice
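The question turns on reading `netstat -an` correctly: a row whose foreign address is 0.0.0.0:0 and whose state is LISTENING is a socket waiting for a peer, not a connection, and a locally initiated session shows up as a separate ESTABLISHED row with an ephemeral local port. The parser below is an added example, not code from the post or from ESET; the netstat text is constructed (the 10.11.12.6 server address is from later in the thread, the remote port 7070 and the client IP 192.168.1.20 are assumptions), and the ephemeral threshold 49152 is Windows' default dynamic port range start.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of Windows `netstat -an` output (not the screenshot from
# the post). The two LISTENING rows mirror the ports discussed (4899 Radmin,
# 7070 AnyDesk); the ESTABLISHED row is an assumed outbound session to the
# company AnyDesk server 10.11.12.6 (remote port 7070 assumed).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:4899           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:7070           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:50123     10.11.12.6:7070        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:5355           *:*
"""

# Start of Windows' default dynamic (ephemeral) port range; a local port at or
# above this on an ESTABLISHED row indicates the connection was opened locally.
EPHEMERAL_START = 49152


@dataclass(frozen=True)
class Socket:
    proto: str
    local_ip: str
    local_port: Optional[int]
    foreign_ip: str
    foreign_port: Optional[int]
    state: str


def split_endpoint(endpoint):
    """Split 'ip:port', '[v6]:port' or '*:*' into (ip, port-or-None)."""
    ip, _, port = endpoint.rpartition(":")
    return ip.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # skip the banner and the column header
        proto, local, foreign = fields[:3]
        state = fields[3] if len(fields) > 3 else ""  # UDP rows carry no state
        lip, lport = split_endpoint(local)
        fip, fport = split_endpoint(foreign)
        sockets.append(Socket(proto, lip, lport, fip, fport, state))
    return sockets


def classify(sock):
    """Explain what a row means for firewall exposure."""
    if sock.state == "LISTENING":
        # Foreign 0.0.0.0:0 (or [::]:0) on a LISTENING row means "no peer yet";
        # local 0.0.0.0 means bound on every interface. Whether anyone outside
        # can reach it is decided by the inbound firewall rules, not by this row.
        scope = "all interfaces" if sock.local_ip in ("0.0.0.0", "::") else sock.local_ip
        return f"listening on {scope}; needs an inbound allow rule to be reachable"
    if sock.state == "ESTABLISHED" and sock.local_port >= EPHEMERAL_START:
        # Ephemeral local port: this host opened the connection. Under a policy
        # that permits outbound by default, replies ride this flow and no
        # inbound rule is ever consulted.
        return f"outbound session to {sock.foreign_ip}:{sock.foreign_port}"
    if sock.state == "ESTABLISHED":
        return f"inbound session from {sock.foreign_ip}:{sock.foreign_port} on local port {sock.local_port}"
    return "connectionless/other"


def listening_ports(sockets):
    return sorted({s.local_port for s in sockets if s.state == "LISTENING"})


def outbound_sessions(sockets):
    return [(s.foreign_ip, s.foreign_port) for s in sockets
            if s.state == "ESTABLISHED" and s.local_port >= EPHEMERAL_START]


if __name__ == "__main__":
    for s in parse_netstat(SAMPLE_NETSTAT):
        print(f"{s.proto} {s.local_ip}:{s.local_port} -> {s.foreign_ip}:{s.foreign_port}"
              f" {s.state or '-'}: {classify(s)}")
```

Run against real `netstat -an` output, the useful check is not "is 7070 listening" but "which ESTABLISHED rows have an ephemeral local port": those are the sessions the host itself opened, and they are the ones a deny-inbound/allow-outbound policy never blocks.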

  • Administrators

Why is the foreign address 0.0.0.0? If you were connecting from a remote machine, such connection should be blocked in automatic mode.


39 minutes ago, Marcos said:

Why is the foreign address 0.0.0.0? If you were connecting from a remote machine, such connection should be blocked in automatic mode.

This is actually what I am trying to figure out. It just should not happen...
I use 'Automatic mode' with 'Also evaluate local Windows Firewall rules' disabled.

Besides, in netstat you even have:


[screenshot: netstat output]

It's open only in trusted networks by Eset Endpoint default rule.

0:0:0:0 in netstat means 'any network'.

It's really strange. Radmin is blocked on port 4899 without a custom rule applied for it, whereas AnyDesk is not blocked on port 7070.

My Eset Endpoint version is 11.1.2039.2.


40 minutes ago, Marcos said:

Please carry on as follows:

  1. Enable advanced logging under Help and support -> Technical support
  2. Connect with Anydesk to reproduce the issue
  3. Stop logging
  4. Collect logs with ESET Log Collector and upload the generated archive here.

@Marcos

I sent you the collected log via private message.


  • Administrators
  • Solution

My understanding is that in case of AnyDesk it's not a peer-to-peer communication but the AnyDesk client (C1) connects to your company's server (10.11.12.6) to establish a connection. Outbound communication is allowed by default in automatic mode. If you connect to the machine from another client, the communication is routed through the server which already has a connection with the machine (C1) established.


@Marcos

It seems you're right. The same issue occurs with TeamViewer—these applications appear to need explicit blocking by their certificate signer. It's surprising how clever they are in bypassing security measures.

It seems that the best, and hardest, approach to configuring a firewall is to block everything by default and manually control both inbound and outbound traffic.

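Marcos's explanation (outbound is allowed by default in automatic mode, and inbound traffic that belongs to an established outbound connection is accepted) and the follow-up point that a block-everything policy also has to allow outbound explicitly can both be shown with a small stateful policy model. This is an added example, not ESET's code and not a description of its rule engine: it models only direction, port and remote-IP rules (not signer-based blocking), the server address 10.11.12.6 is the one named in the thread, and the client port 50123, the remote client 192.168.1.50 and the relay port 7070 are assumptions.

```python
from dataclasses import dataclass

RELAY = "10.11.12.6"  # company AnyDesk server named in the thread


@dataclass(frozen=True)
class Packet:
    direction: str       # "in" or "out", relative to the protected host
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int
    initiates: bool = False  # first packet of a connection (TCP SYN)


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    port: int            # local port for "in" rules, remote port for "out" rules
    remote_ip: str = "*"
    action: str = "allow"

    def matches(self, pkt):
        if self.direction != pkt.direction or self.proto != pkt.proto:
            return False
        port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
        return self.port == port and self.remote_ip in ("*", pkt.remote_ip)


class StatefulFirewall:
    """Deny unsolicited inbound; outbound default is configurable; track flows."""

    def __init__(self, rules=(), allow_outbound_by_default=True):
        self.rules = list(rules)
        self.allow_outbound_by_default = allow_outbound_by_default
        self.flows = set()   # connections already admitted (either direction)
        self.log = []

    @staticmethod
    def _key(pkt):
        # Same key for both directions of one connection.
        return (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)

    def filter(self, pkt):
        key = self._key(pkt)
        if key in self.flows:
            verdict, why = "allow", "belongs to an established flow"
        else:
            rule = next((r for r in self.rules if r.matches(pkt)), None)
            if rule is not None:
                verdict, why = rule.action, "explicit rule"
            elif pkt.direction == "out" and self.allow_outbound_by_default:
                verdict, why = "allow", "outbound allowed by default"
            else:
                verdict, why = "deny", "no matching rule (default deny)"
            if verdict == "allow" and pkt.initiates:
                self.flows.add(key)   # replies will match without a rule
        self.log.append((pkt, verdict, why))
        return verdict


def radmin_scenario(rules=()):
    """Remote client tries to open a connection to local port 4899."""
    fw = StatefulFirewall(rules)
    return fw.filter(Packet("in", "tcp", "192.168.1.50", 52000, 4899, initiates=True))


def anydesk_scenario(allow_outbound_by_default=True, rules=()):
    """Local client opens a session to the server; server traffic comes back."""
    fw = StatefulFirewall(rules, allow_outbound_by_default)
    out = fw.filter(Packet("out", "tcp", RELAY, 7070, 50123, initiates=True))
    back = fw.filter(Packet("in", "tcp", RELAY, 7070, 50123))
    return out, back


if __name__ == "__main__":
    print("Radmin, no rule:", radmin_scenario())
    print("Radmin, inbound 4899 allowed:", radmin_scenario([Rule("in", "tcp", 4899)]))
    print("AnyDesk, automatic mode:", anydesk_scenario())
    print("AnyDesk, block-everything:", anydesk_scenario(False))
    print("AnyDesk, block-everything + outbound rule:",
          anydesk_scenario(False, [Rule("out", "tcp", 7070, RELAY)]))
```

The two scenarios differ only in who sends the first packet. Radmin's listener on 4899 waits for an inbound SYN, so the inbound rule set decides; the AnyDesk client sends the first packet itself, so the outbound default decides and the server's traffic is then matched as part of the existing flow. Only the block-everything policy makes that outbound session visible as something that needs an explicit rule.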

It's not really an issue; it's by design: a basic firewall policy will deny all inbound and permit all outbound. You can naturally try to control your outbound traffic, but be ready to respond to the flood of phone calls heading your way. Access-list updates and blocked-traffic log reviews are what you'll be looking at most of your day. You will find that many network apps and services are difficult to tie to a single port, or even to port ranges.

It's better to just segment your network with VLANs and limit traffic to high security resources only.

 
