Monday, July 7, 2008

TCP/UDP Ports for XBOX360

As you know, the XBOX360 is one of the latest console gaming platforms with network capability. Suppose you are a network security consultant and you want to restrict the ports allowed out of the subnet where your XBOX360 devices live: which ports are you going to open?

Here are the ports the XBOX360 needs in order to connect properly to the network/Internet:

Outgoing ports         Description
UDP 53                 DNS queries
UDP 88                 Kerberos
UDP/TCP 3074           Xbox Live
UDP 6500               Peer queries
UDP 13139              Peer ping
UDP 22042              Server queries
TCP/UDP 22043-22050    Voice chat


Incoming ports         Description
UDP/TCP 3074           Xbox Live


Given the above information, you can then create the access-lists as necessary.


EXAMPLE with a Cat6000 as the gateway:
Below is a snippet of the access-lists configured on a live Cat6000 serving as the gateway for subnet 10.10.180.0/25 (wildcard mask 0.0.0.127):

ip access-list extended SUBNET_XBOX_IN
 remark <<Permit outbound XBOX360 ports>>
 permit udp 10.10.180.0 0.0.0.127 any eq 53
 permit udp 10.10.180.0 0.0.0.127 any eq 88
 permit tcp 10.10.180.0 0.0.0.127 any eq 3074
 permit udp 10.10.180.0 0.0.0.127 any eq 3074
 permit udp 10.10.180.0 0.0.0.127 any eq 6500
 permit udp 10.10.180.0 0.0.0.127 any eq 13139
 permit udp 10.10.180.0 0.0.0.127 any range 22042 22050
 permit tcp 10.10.180.0 0.0.0.127 any range 22043 22050
 deny ip any any

...

ip access-list extended SUBNET_XBOX_OUT
 remark <<Permit inbound XBOX360 ports>>
 permit tcp any 10.10.180.0 0.0.0.127 eq 3074
 permit udp any 10.10.180.0 0.0.0.127 eq 3074
 deny ip any any

...

interface Vlan180
 description "XBOX360 Subnet"
 ip address 10.10.180.254 255.255.255.128
 ip access-group SUBNET_XBOX_IN in
 ip access-group SUBNET_XBOX_OUT out
...


Note that in the above example the Xbox's outbound ports are permitted in the switch's inbound access-list, and the Xbox's inbound ports in the switch's outbound access-list. Direction is always from the point of view of the Cat6000 interface where the ACLs are applied. Packets the Xbox sends enter Vlan180 from the Xbox subnet, so they are checked by the "in" list and the Xbox subnet is the source address. Packets sent to the Xbox leave Vlan180 toward the Xbox subnet, so they are checked by the "out" list; there the Xbox subnet is the destination and the remote peer is the source, which is why the source and destination fields are swapped between SUBNET_XBOX_IN and SUBNET_XBOX_OUT. Reusing the inbound lines verbatim in the outbound list would match nothing, and the trailing deny would drop all traffic toward the consoles.

Of course, the access-lists would look slightly different if the subnet's default gateway is, say, a PIX/ASA, a Check Point firewall, or a CatOS switch. Regardless, the same requirements apply: the ports listed above should be permitted. One caveat with a plain IOS extended ACL is that it is stateless. Replies to the Xbox's outbound sessions (DNS answers from port 53, Kerberos answers from port 88, and so on) also travel in the "out" direction toward the console, so they have to be permitted there as well, either explicitly or with reflexive access-lists; otherwise the deny at the end of SUBNET_XBOX_OUT drops them. A stateful firewall such as a PIX/ASA tracks that return traffic automatically.
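The direction rule above can be checked mechanically before the ACLs go onto a device. The following is an added example, not part of the original post or of the Cat6000 configuration: a small first-match evaluator for the subset of IOS extended-ACL syntax used here (permit/deny, protocol, "any" or "network wildcard" addresses, "eq"/"range" on the destination port). It runs the post's SUBNET_XBOX_IN entries plus two versions of the outbound list (one that reuses the inbound lines verbatim, one with the subnet as destination) against a few constructed flows. The sample addresses 10.10.180.5 (an Xbox) and 198.51.100.x (remote hosts, RFC 5737 test range) are assumptions for the example.

```python
"""First-match evaluator for the subset of IOS extended-ACL syntax used in the
post: permit/deny, protocol ip/tcp/udp, 'any' or 'network wildcard' addresses,
optional 'eq PORT' / 'range LO HI' on the destination port. Added example."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str             # 'permit' or 'deny'
    proto: str              # 'ip', 'tcp' or 'udp'
    src_net: int            # network address as a 32-bit int
    src_wild: int           # Cisco wildcard mask: 1 bits are "don't care"
    dst_net: int
    dst_wild: int
    port_lo: Optional[int]  # destination port range; None means any port
    port_hi: Optional[int]


def _addr(tokens: list) -> tuple:
    """Consume 'any' or 'A.B.C.D W.W.W.W' from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        return 0, 0xFFFFFFFF
    return int(ipaddress.IPv4Address(tok)), int(ipaddress.IPv4Address(tokens.pop(0)))


def parse_ace(line: str) -> Optional[Ace]:
    """Parse one access-list entry; remarks and blank lines yield None."""
    tokens = line.split()
    if not tokens or tokens[0] == "remark":
        return None
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src_net, src_wild = _addr(rest)
    dst_net, dst_wild = _addr(rest)
    lo = hi = None
    if rest and rest[0] == "eq":
        lo = hi = int(rest[1])
    elif rest and rest[0] == "range":
        lo, hi = int(rest[1]), int(rest[2])
    return Ace(action, proto, src_net, src_wild, dst_net, dst_wild, lo, hi)


def parse_acl(text: str) -> list:
    return [ace for ace in map(parse_ace, text.splitlines()) if ace]


def _matches(ip: str, net: int, wild: int) -> bool:
    care = ~wild & 0xFFFFFFFF  # bits the wildcard requires to match
    return (int(ipaddress.IPv4Address(ip)) & care) == (net & care)


def evaluate(acl: list, proto: str, src: str, dst: str, dport: int) -> str:
    """Action of the first matching entry; IOS ends every access-list with an
    implicit deny, so fall through to 'deny'."""
    for ace in acl:
        if ace.proto not in ("ip", proto):
            continue
        if not (_matches(src, ace.src_net, ace.src_wild)
                and _matches(dst, ace.dst_net, ace.dst_wild)):
            continue
        if ace.port_lo is not None and not (ace.port_lo <= dport <= ace.port_hi):
            continue
        return ace.action
    return "deny"


# The post's inbound list for Vlan180 (Xbox -> Internet), DNS included.
XBOX_IN = """
 permit udp 10.10.180.0 0.0.0.127 any eq 53
 permit udp 10.10.180.0 0.0.0.127 any eq 88
 permit tcp 10.10.180.0 0.0.0.127 any eq 3074
 permit udp 10.10.180.0 0.0.0.127 any eq 3074
 permit udp 10.10.180.0 0.0.0.127 any eq 6500
 permit udp 10.10.180.0 0.0.0.127 any eq 13139
 permit udp 10.10.180.0 0.0.0.127 any range 22042 22050
 permit tcp 10.10.180.0 0.0.0.127 any range 22043 22050
 deny ip any any
"""
# Outbound list (Internet -> Xbox) with the inbound lines reused verbatim: the
# subnet is the *source*, which never matches traffic leaving Vlan180.
XBOX_OUT_SWAPPED = """
 permit tcp 10.10.180.0 0.0.0.127 any eq 3074
 permit udp 10.10.180.0 0.0.0.127 any eq 3074
 deny ip any any
"""
# Outbound list with the subnet as *destination*, as the 'out' direction needs.
XBOX_OUT_FIXED = """
 permit tcp any 10.10.180.0 0.0.0.127 eq 3074
 permit udp any 10.10.180.0 0.0.0.127 eq 3074
 deny ip any any
"""


def check_direction() -> dict:
    """Constructed sample flows: 10.10.180.5 stands for an Xbox, the
    198.51.100.0/24 addresses (RFC 5737 test range) for remote hosts."""
    acl_in, swapped, fixed = map(parse_acl, (XBOX_IN, XBOX_OUT_SWAPPED, XBOX_OUT_FIXED))
    xbox, peer, dns = "10.10.180.5", "198.51.100.20", "198.51.100.53"
    return {
        "in_dns_query": evaluate(acl_in, "udp", xbox, dns, 53),
        "in_live_tcp": evaluate(acl_in, "tcp", xbox, peer, 3074),
        "in_http_blocked": evaluate(acl_in, "tcp", xbox, peer, 80),
        "out_live_udp_swapped": evaluate(swapped, "udp", peer, xbox, 3074),
        "out_live_udp_fixed": evaluate(fixed, "udp", peer, xbox, 3074),
        # Stateless caveat: the DNS answer also travels 'out', to an ephemeral port.
        "out_dns_reply_fixed": evaluate(fixed, "udp", dns, xbox, 49152),
    }
```

Running check_direction() shows the swapped outbound list denying an Xbox Live packet that the destination-based list permits, and the last entry shows the stateless caveat: even the corrected outbound list denies the DNS reply, because nothing permits traffic from port 53 back to the console's ephemeral port.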

1 comment:

Fredrik said...

Thank you! Finally I found someone that, like me, wanted to minimize the open outgoing ports. Worked like a charm. Good work!