
Ports 21 and 443 open on router

  • Recently I replaced my Netgear DG834G v4 router with a new Netgear DGND3700. The installation went well and I was happy with the improved performance. However, when I subjected the new installation to the Gibson ShieldsUp! tests it reported that ports 21 and 443 are open on the DGND3700. Previously all of the ports had been in stealth mode, so this was quite a surprise. I immediately contacted Netgear Support and was advised that this may have something to do with the antivirus software installed on the computer, although the antivirus vendor disagrees. Back again to Netgear, who now advise that ports 21 and 443 must be left open. I await further explanation, but do not hold out much hope. Could you bring some of your common-sense expertise to the problem? The computer is running Windows XP. The router has an inbuilt firewall but the Windows firewall is also turned on. I understand that two firewalls are not desirable, but I am reluctant to disable the Windows Firewall until my faith in the Netgear protection is restored.

    This is a very interesting question since, in theory, no ports should be open on your router unless you are specifically running an internet server within your internal network. Before launching into the specifics of your particular problem it is worthwhile giving a general overview of how this system should operate under normal circumstances. Simply by virtue of being a broadband router, the device has inherent firewall capabilities. A common reason that most people purchase a router is so that their single internet connection can be shared by multiple computers, and also because the router can manage the internet connection so you don’t need to manually establish a connection each time you wish to use the internet (instead, the router detects when you wish to access the internet and then establishes the connection). As you can see, the router acts as a middle-man between your computer(s) and the internet. However, this does have inherent challenges. Imagine that there are multiple computers connected to the router (e.g. all the computers in your home network). If one of those computers sends an internet request for a web page, the request will be received by the router and then sent on to the internet on behalf of the computer. When the requested data is returned from the internet the router receives this data, but how does it know which computer it should send the data to (i.e. which computer originally requested the data)? Routers use a clever system known as Network Address Translation (NAT) to overcome this problem. Without going into the technical details, this allows the router to keep track of requests sent from a computer to the internet, so that data which is returned in response to that request can be routed to the appropriate computer.

    However, NAT does not just have benefits when sharing an internet connection. It also gives you firewall capabilities. This is because if any unsolicited data is received by the router it will have no knowledge of this data, and will not be expecting it, since it was not received in response to a specific request by a computer connected to the router. As such, the received data will simply be discarded and will never reach the computer. Contrast this with a situation where your internet connection is attached directly to a computer – this means that the unsolicited (potentially malicious) data is reaching the computer. If you are running appropriate firewall software then hopefully that would prevent the malicious traffic from harming your computer, but this is still a much less desirable situation than using a router, which would prevent the traffic from getting anywhere near your computer. As you can see, even if you don’t wish to share your internet connection with other computers, using a broadband router is still a very good idea purely for the security benefits.

    In your question you also mentioned that the computer is running the Windows XP firewall. Rest assured, this is perfectly fine and is exactly what most people (including myself) do. The hardware firewall on the router is good at protecting you from internet-based threats, but it is always a good idea to run a software-based firewall as well, as that will protect you from threats which may be present on your own network. For example, if a computer on your network is infected with a virus then the hardware firewall on the router will not help, since the source of the threat is not the internet, but a software firewall on the computers could assist in preventing the infection from spreading. So, running both hardware and software firewalls is fine, and the Windows XP firewall is generally good enough since you only need relatively basic protection, given that the router is protecting you from the nasties on the internet. However, you should not run two software-based firewalls on the same computer as it is highly likely that they will conflict and cause unexpected behaviour.

    So, with that background understanding we will now move onto your specific question. Port 21 is used for FTP servers to listen for incoming connections. FTP is File Transfer Protocol and is essentially the equivalent of HTTP (used to transfer web pages) but is exclusively for files. Port 443 is commonly used for secure websites (e.g. when you visit a website with https:// in the address the traffic will be sent encrypted through port 443 on the receiving web server). It is strange that these ports are open but there could be a few explanations for the issue. Fortunately I managed to download a PDF of the router manual from the Netgear website so hopefully I should be able to guide you through some of the procedures (as best as possible, without having an actual router to experiment with).

    Generally, when ports are open on a router it indicates that you have set up port forwarding. Essentially this means that if someone from the internet connects to your router on a particular port then the incoming traffic on that port will be directed to a particular computer. For example, if there are four computers on your network and one is running a web server, then you would set up port forwarding on the router to direct incoming traffic on port 80 (i.e. the web server port) through to the computer running the web server. This is necessary as otherwise the router would not know where to direct that traffic. You should first check that no port forwarding has been set up on the router. Go into the administration interface for the router and then go to “Content Filtering” > “Port Forwarding/Port Triggering”. Select the radio button for “Port Forwarding” and check whether anything is configured. Should something be configured for ports 21 or 443, and you have not set that up yourself, then you should be able to delete those entries. However, I would recommend that you write them down before deletion, just in case you do find they are necessary and need to re-establish them.

    Should no port forwarding be configured, then it is possible that the port forwarding is being set up automatically by your router. There is a feature provided on modern routers called Universal Plug and Play (UPnP). This allows port forwarding to be configured automatically – if UPnP is supported by a device on your network (such as a computer, printer, network storage device, etc.) then that device can negotiate with the router (which also supports UPnP) to automatically open the required ports on the router. While this can be a convenience, it can also be a potential security risk if not understood correctly, and can result in exactly the kind of question you are now asking about why certain ports are open. To check whether UPnP is enabled on your router, go to “Advanced” > “UPnP” in the configuration and ensure that “Turn UPnP On” is unticked, and (if you needed to change the setting) click the “Apply” button to save the changes. I suggest that you then reboot the router to clear any UPnP forwarding which may currently be active. You can reboot the router by going to “Maintenance” > “Diagnostics” and then clicking the “Reboot” button.
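    As an added example (not from the original answer, and not Netgear code), the following Python helper lists the router's port-mapping table from the LAN side in the way the two preceding paragraphs describe, so that forwardings for ports such as 21 and 443, whether entered by hand or negotiated over UPnP, can be reviewed against what you actually intended. It assumes the router's WANIPConnection control URL has already been found via SSDP discovery and the device description XML; the two sample replies, the 192.168.0.10 address and the “nas-https” description are constructed for illustration.

```python
import xml.etree.ElementTree as ET

WANIP = "urn:schemas-upnp-org:service:WANIPConnection:1"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"

def build_get_mapping_request(index):
    """SOAP body for GetGenericPortMappingEntry. POST it to the router's WANIPConnection control
    URL with header SOAPAction: "<WANIP>#GetGenericPortMappingEntry"; walk index 0, 1, 2, ...
    until the router answers with a SOAP fault, which marks the end of the mapping table."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}" '
            f's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            f'<u:GetGenericPortMappingEntry xmlns:u="{WANIP}"><NewPortMappingIndex>{index}'
            '</NewPortMappingIndex></u:GetGenericPortMappingEntry></s:Body></s:Envelope>')

def parse_mapping_response(xml_text):
    """One mapping from a GetGenericPortMappingEntry reply, or None when the reply is a fault."""
    fields = {el.tag.split("}")[-1]: (el.text or "") for el in ET.fromstring(xml_text).iter()}
    if "NewExternalPort" not in fields:
        return None  # SOAP fault (e.g. SpecifiedArrayIndexInvalid): no more entries
    return {"ext_port": int(fields["NewExternalPort"]), "proto": fields["NewProtocol"],
            "client": fields["NewInternalClient"], "int_port": int(fields["NewInternalPort"]),
            "desc": fields["NewPortMappingDescription"]}

def unexpected_mappings(mappings, expected=()):
    """Mappings whose (external port, protocol) the administrator did not knowingly allow."""
    return [m for m in mappings if (m["ext_port"], m["proto"]) not in set(expected)]

# Constructed sample replies, not captured from a real DGND3700: a NAS at 192.168.0.10 has
# used UPnP to forward TCP/443 to itself, which an external scan would then report as open.
SAMPLE_REPLY = (
    f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><u:GetGenericPortMappingEntryResponse xmlns:u="{WANIP}">'
    '<NewRemoteHost></NewRemoteHost><NewExternalPort>443</NewExternalPort><NewProtocol>TCP</NewProtocol>'
    '<NewInternalPort>443</NewInternalPort><NewInternalClient>192.168.0.10</NewInternalClient>'
    '<NewEnabled>1</NewEnabled><NewPortMappingDescription>nas-https</NewPortMappingDescription>'
    '<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>')
SAMPLE_FAULT = (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault><faultcode>s:Client</faultcode>'
                '<faultstring>UPnPError</faultstring></s:Fault></s:Body></s:Envelope>')

def audit_sample(expected=()):
    """Walk the sample replies the way a live loop would walk indexes 0, 1, ... and return
    the mappings that are not on the expected list (all of them, with the default)."""
    mappings = []
    for reply in (SAMPLE_REPLY, SAMPLE_FAULT):
        entry = parse_mapping_response(reply)
        if entry is None:
            break
        mappings.append(entry)
    return unexpected_mappings(mappings, expected)
```

    Any mapping the audit returns that you did not create yourself is a candidate for deletion in the “Port Forwarding” page, or for disabling UPnP altogether as described above.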

    Another possible reason that ports could be open on the router is that remote management has been enabled. Usually routers are configured so that they can only be managed (i.e. the administration interface accessed) from a computer directly connected to the router. This is mainly for security, as you don’t want the router to be accessible across the internet, since the only protection in that situation is a username and password which (depending on its complexity) could be compromised, giving an outsider full administrative access to the router. There could be various reasons that you would wish to enable remote management, the main one being if you are responsible for managing a remote site and need access to their router for maintenance and troubleshooting purposes. However, in your case (as a home user) you should not enable remote management since there is really no reason to. Looking at the manual for the router, it seems that remote management only uses port 8080 – not 21 and 443 – so it is unlikely that this is the cause of the problem. That said, if you have reached this point we are somewhat clutching at straws as to the root cause, so it is worthwhile investigating anything which could result in any ports being opened on the router. To check remote management, go to “Advanced” > “Remote Management” and ensure that “Turn Remote Management On” is disabled (unticked). If any settings have changed, click the “Apply” button to save.

    By this point, if the ports are still open, you are probably guessing that our options for finding a legitimate reason are starting to run out. I have Googled these particular ports together with the model of router and not gained any particularly useful results, so it seems that other users are either not experiencing this problem or simply do not realise that these ports are open (most users are probably not as conscientious as yourself in doing a port scan to double-check that their ports are closed). As a final suggestion, you should double-check that your router is running the latest firmware. It is entirely possible that some bug in the version of firmware currently running on your router could be causing these ports to be open. You can check for new firmware within the router administration interface by turning on automatic firmware checking. Go to “Maintenance” > “Router Upgrade” and ensure that “Check for Updated Firmware Upon Log-in” is ticked. Now, whenever you log on to the router administration interface, it will check for new firmware.

    Finally, it could also be worthwhile doing a factory reset on the router in case any settings are corrupted and inadvertently opening the ports. Be aware that this will erase all settings on the router, so make sure you either know how to set the router up again or have written down all the settings so that you can re-enter them. Obviously, when you erase all settings on the router this will kill your internet connection until the router is set up again, so make sure you have all the resources you need locally and don’t need to refer to anything on the internet. Should you wish to proceed, go to “Maintenance” > “Backup Settings” and click “Erase”. Your router will be reset to all the default settings, as when it was originally purchased, so you can follow the instructions in the manual to set up the router from scratch.
