RE: [fw-wiz] False results to DMZ



Actually no RST is received. My scanner has to send the RST to close the
port. The destination host does send a reset, but the firewall ignores
it and makes the connection anyways.




On Tue, 2006-01-24 at 14:04 +0100, Ralf.Zessin@xxxxxxxxxx wrote:
> Hello David,
>
> with firewalls or other security devices between scanner and target
> you always have a problem with malformed IP packets. The behaviour
> depends on firewall settings.
>
> Please check the behavior in your case with tcpdump. I assume
> that your pix first pretends that all ports are open and if
> the Ack-Flag is received (which never comes with the syn-scan),
> the real connection was established and if it fails, the RST-Flag
> comes back. This behaviour was one kind of protection against
> SYN-Flood attacks.
>
> Try the following:
> Connection to an open port with telnet ( telnet <target> <portnum> )
> With tcpdump you should see the normal three-way handshake
>
> Connection to an unavailable port/host
> If you see the three-way handshake with an additional RST packet,
> you know it works as described above.
>
> Therefore you have to use the tcp-connect() scan to check your systems.
>
> - Ralf
>
>
> > -----Original Message-----
> > From: firewall-wizards-admin@xxxxxxxxxxxxxxxxxx
> > [mailto:firewall-wizards-admin@xxxxxxxxxxxxxxxxxx] On Behalf Of David U. Haltinner
> > Sent: Friday, January 20, 2006 4:14 PM
> > To: firewall-wizards@xxxxxxxxxxxxxxxxxx
> > Subject: [fw-wiz] False results to DMZ
> >
> >
> > First off, the DMZ is set up with virtual interfaces (PIX), and the
> > scanning source is inside. The firewall allows anything IP from this
> > scanner. If I scan most of the DMZs, I get normal results, with all of
> > the scans.
> > Using NMAP, if I scan one specific DMZ, I only get results with the SYN
> > scan and TCP window scans, AND it says every port is open (what the
> > firewall allows). Cisco support is not being helpful. Does anyone have
> > any idea why this is? It's weird. I'm trying to automate Nessus against
> > the DMZ servers, and it's giving too many false positives about open
> > ports.
> > I have taken packet traces, and the only thing weird is that I am
> > getting an ACK back for every port, but they are Zero Window (TCP Window
> > Scan brings back every port open).
> > Any ideas?
> > _______________________________________________
> > firewall-wizards mailing list
> > firewall-wizards@xxxxxxxxxxxxxxxxxx
> > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
> >
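
Added example, not part of the thread: a connect()-style probe that, after the handshake completes, waits briefly for a reset, so a firewall that answers the SYN itself and resets afterwards (the behaviour Ralf assumes) is not counted as an open port. The function names, the `settle` delay and the local demo listener are assumptions made for illustration.

```python
import socket
import struct
import threading
import time

def probe(host, port, settle=0.5, timeout=2.0):
    """Classify a TCP port as 'closed', 'filtered', 'reset-after-handshake' or 'open'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))           # full three-way handshake
    except ConnectionRefusedError:
        s.close()
        return "closed"                   # RST came back in answer to the SYN
    except OSError:                       # timeout, unreachable, ...
        s.close()
        return "filtered"
    # A scan that stops at the SYN/ACK would report "open" here.
    s.settimeout(settle)
    try:
        s.recv(1)                         # banner byte or clean FIN: a real peer
        return "open"
    except socket.timeout:
        return "open"                     # connection still up, service is quiet
    except ConnectionResetError:
        return "reset-after-handshake"    # handshake was answered, then torn down
    finally:
        s.close()

def demo_listener(reset):
    """Constructed local stand-in: accept one connection, then hold it or reset it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        if reset:
            # SO_LINGER with a zero timeout makes close() send RST instead of FIN
            conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        else:
            time.sleep(1.0)
        conn.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for label, reset in (("held", False), ("reset", True)):
        print(label, probe("127.0.0.1", demo_listener(reset)))
```

Ports reported as `reset-after-handshake` are the ones worth confirming in a packet trace taken on the target side of the firewall.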