Which ports must be opened on a firewall to allow access to the MAA?


Article ID: 169595




Malware Analysis Software - MA


An internal firewall may sit between the MAA and the internal network. Rules on that firewall may be required so that the MAA can function and be managed by the System Administrator. This Solution provides a general guideline on how such a firewall could be configured.


A firewall that sits between the MAA and the internal/backend network should be configured to allow access:

  1. to the MAA IP address on TCP ports 22, 80, 139, 443, 445, and 3389 from the internal network.
  2. from the MAA IP address to the syslog server and port. Both the syslog server and the port are configurable on the MAA. Both the TCP and UDP protocols should be allowed for the configured port.
  3. from the MAA IP address to the configured DNS server(s) on TCP and UDP port 53.
  4. from the MAA IP address to the HTTP Proxy's IP address and TCP port, if an HTTP Proxy is required for Internet access. When an HTTP Proxy is used, the subsequent steps are not required.
  5. from the MAA IP address to the IP addresses of sp.cwfservice.net, webpulse.es.bluecoat.com, bchashlookup.es.bluecoat.com, maa-updates.es.bluecoat.com, and ma-updates-us-west-1.s3.amazonaws.com on TCP ports 80 and 443.
  6. from the MAA IP address to third-party service providers, such as VirusTotal, on the corresponding TCP and/or UDP ports given.
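The following is an added example, not part of the original article or the vendor's tooling: it turns steps 1 to 5 above into a list of required flows and reports which of them a given allow-list does not permit. All IP addresses, the rule tuple format, and the function names are assumptions made for illustration; step 6 is left out because its ports depend on the provider.

```python
from ipaddress import ip_network

INBOUND_TCP = (22, 80, 139, 443, 445, 3389)  # step 1 of the article

def required_flows(maa, internal_net, syslog, dns_servers, proxy=None, service_ips=()):
    """Flows (src, dst, proto, port) for steps 1-5. syslog/proxy are (ip, port);
    service_ips are addresses you resolved for the step 5 hostnames."""
    flows = [(internal_net, maa, "tcp", p) for p in INBOUND_TCP]
    for proto in ("tcp", "udp"):
        flows.append((maa, syslog[0], proto, syslog[1]))       # step 2
        flows += [(maa, d, proto, 53) for d in dns_servers]    # step 3
    if proxy:                                                  # step 4: proxy replaces step 5
        flows.append((maa, proxy[0], "tcp", proxy[1]))
    else:                                                      # step 5: direct access
        flows += [(maa, ip, "tcp", p) for ip in service_ips for p in (80, 443)]
    return flows

def _covers(rule_net, addr):
    """True if addr (host or CIDR) lies entirely inside rule_net."""
    return ip_network(addr, strict=False).subnet_of(ip_network(rule_net, strict=False))

def missing_flows(flows, allow_rules):
    """Flows not matched by any allow rule (src_net, dst_net, proto, port_set)."""
    def allowed(flow):
        src, dst, proto, port = flow
        return any(_covers(r[0], src) and _covers(r[1], dst)
                   and r[2] == proto and port in r[3] for r in allow_rules)
    return [f for f in flows if not allowed(f)]

# Constructed sample policy; every address here is made up for the example.
MAA, LAN = "10.0.5.10", "10.0.0.0/16"
SAMPLE_RULES = [
    (LAN, "10.0.5.10/32", "tcp", {22, 80, 443, 3389}),      # 139 and 445 forgotten
    ("10.0.5.10/32", "10.0.1.53/32", "udp", {53}),          # DNS over TCP forgotten
    ("10.0.5.10/32", "10.0.1.20/32", "tcp", {514}),         # syslog, TCP
    ("10.0.5.10/32", "10.0.1.20/32", "udp", {514}),         # syslog, UDP
    ("10.0.5.10/32", "10.0.1.80/32", "tcp", {8080}),        # HTTP proxy
]

def demo():
    flows = required_flows(MAA, LAN, ("10.0.1.20", 514), ["10.0.1.53"],
                           proxy=("10.0.1.80", 8080))
    return missing_flows(flows, SAMPLE_RULES)

if __name__ == "__main__":
    for src, dst, proto, port in demo():
        print(f"not permitted: {src} -> {dst} {proto}/{port}")
```

Run against an export of the real rule base, an empty result means every flow from steps 1 to 5 is covered; it does not check for rules that are broader than needed.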

For the dirty line, it's best to allow full access from the MA to the Internet. If that is not possible, we can start with TCP and UDP 53, TCP 80, and TCP 443. If malware tries to reach a port that is not accessible, it might affect the Risk Score. This is why full access is recommended.