RE: [fw-wiz] False results to DMZ



Hello David,

With firewalls or other security devices between scanner and target
you always have a problem with malformed IP packets. The behaviour
depends on the firewall settings.

Please check the behaviour in your case with tcpdump. I assume
that your PIX first pretends that all ports are open, and if
the ACK flag is received (which never comes with the SYN scan),
the real connection is established; if that fails, the RST flag
comes back. This behaviour is one kind of protection against
SYN flood attacks.

Try the following:
Connect to an open port with telnet (telnet <target> <portnum>).
With tcpdump you should see the normal three-way handshake.

Connect to an unavailable port/host.
If you see the three-way handshake with an additional RST packet,
you know it works as described above.

Therefore you have to use the TCP connect() scan to check your systems.

- Ralf
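The check described in the reply (a completed handshake followed by a RST from the target means the firewall answered the SYN itself), written up as an added Python example that is not part of the thread; the packet records, ports and flag strings are constructed to show each case, and in practice they would be taken from a tcpdump capture of the connect() attempt.

```python
from collections import namedtuple

# One captured TCP segment as tcpdump would show it: target port, direction
# ("out" = scanner -> target, "in" = target -> scanner) and the flags string
# ("S" SYN, "S." SYN/ACK, "." ACK, "R."/"R" RST, "P." PSH/ACK).
Pkt = namedtuple("Pkt", "port direction flags")


def classify_port(port, packets):
    """Classify one target port from its captured exchange.

    'open'          full handshake, no RST from the target afterwards
    'proxied'       full handshake, then a RST from the target: the firewall
                    answered the SYN itself and the real connect failed
    'closed'        RST straight back to the SYN
    'filtered'      no reply to the SYN at all
    'syn-scan only' scanner tore down after the SYN/ACK, so undecidable
    """
    seq = [p for p in packets if p.port == port]
    if not seq or seq[0] != Pkt(port, "out", "S"):
        return "no probe"
    first_in = next((i for i, p in enumerate(seq) if p.direction == "in"), None)
    if first_in is None:
        return "filtered"
    if "R" in seq[first_in].flags:
        return "closed"
    if seq[first_in].flags != "S.":
        return "unexpected"
    handshake_done = False
    for p in seq[first_in + 1:]:
        if p.direction == "out" and p.flags == ".":
            handshake_done = True
        elif handshake_done and p.direction == "in" and "R" in p.flags:
            return "proxied"
    return "open" if handshake_done else "syn-scan only"


def classify_all(packets):
    """Verdict per port, for every port that appears in the capture."""
    return {port: classify_port(port, packets) for port in sorted({p.port for p in packets})}


# Constructed sample capture (not from the thread): one probe per port.
SAMPLE = [
    Pkt(22, "out", "S"), Pkt(22, "in", "S."), Pkt(22, "out", "."), Pkt(22, "in", "P."),  # real service
    Pkt(80, "out", "S"), Pkt(80, "in", "S."), Pkt(80, "out", "."), Pkt(80, "in", "R."),  # intercepted
    Pkt(23, "out", "S"), Pkt(23, "in", "R."),                                              # closed
    Pkt(25, "out", "S"),                                                                   # dropped
    Pkt(443, "out", "S"), Pkt(443, "in", "S."), Pkt(443, "out", "R"),                      # SYN scan
]

if __name__ == "__main__":
    for port, verdict in classify_all(SAMPLE).items():
        print(f"port {port}: {verdict}")
```

Only the connect() style probe (ports 22 and 80 above) lets the classifier separate a real listener from the intercept; the SYN-scan style probe on port 443 ends before the distinguishing RST could ever arrive.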


> -----Original Message-----
> From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
> [mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of David U. Haltinner
> Sent: Friday, January 20, 2006 4:14 PM
> To: firewall-wizards@xxxxxxxxxxxxxxxxxx
> Subject: [fw-wiz] False results to DMZ
>
>
> First off, the DMZ is set up with virtual interfaces (PIX), and the
> scanning source is inside. The firewall allows anything IP from this
> scanner. If I scan most of the DMZs, I get normal results with all of
> the scans.
> Using NMAP, if I scan one specific DMZ, I only get results with the SYN
> scan and TCP window scans, AND it says every port is open (what the
> firewall allows). Cisco support is not being helpful. Does anyone have
> any idea why this is? It's weird. I'm trying to automate Nessus against
> the DMZ servers, and it's giving too many false positives about open
> ports.
> I have taken packet traces, and the only thing weird is that I am
> getting an ACK back for every port, but they are Zero Window (TCP Window
> Scan brings back every port open).
> Any ideas?
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>