Re: Blocking Port scans

From: Jason Thompson (securitux_at_gmail.com)
Date: 11/02/05

    Date: Wed, 2 Nov 2005 13:30:54 -0500
    To: "Geelen, Ruud" <ruud.geelen@logicacmg.com>

    Agreed. It is easy to bypass firewall portscan protection and even IDS
    / IPS portscan protection with a tool such as Nmap... you will never
    see an intruder scan your network if he / she is even remotely
    competent at pre-attack probing. Don't bother blocking SYN scans, but
    monitor unusual traffic inside your network such as SYN-FIN scans or
    FIN scans (I personally have never seen a legitimate SF packet). If
    you want blocking of scans, look for an IPS but be warned... as others
    have mentioned you leave a possible DoS condition available for an
    attacker to exploit.

    IMO, scans are very low priority... it's what comes afterwards that you
    need to be concerned about. Have an IPS monitor and log scans, then
    watch for any unusual activity from those machines following the
    scans.

    Let the firewall do what it does best: drop or accept traffic based on
    a strict security policy.

    -J
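The monitoring approach Jason describes (log the anomalous flag combinations such as SYN-FIN, FIN-only, NULL and XMAS, then watch what those source hosts do next), as an added example that is not code from any poster in this thread. It runs over a constructed, simplified packet-log format; the flag letters, the log layout, the hosts and the one-hour window are assumptions.

```python
from collections import defaultdict

# Flag letters follow tcpdump/Nmap style (S=SYN, A=ACK, F=FIN, P=PSH, U=URG);
# keys are sorted canonically, "" means no flags set. Assumed mapping, not a product's.
SUSPECT_FLAGS = {
    "FS":  "SYN+FIN set together (no legitimate use)",
    "F":   "FIN without ACK (FIN scan)",
    "":    "no flags set (NULL scan)",
    "FPU": "FIN+PSH+URG (XMAS scan)",
}

# Constructed sample log, "<epoch> <src> <dst>:<dport> <flags>"; "-" = no flags.
SAMPLE_LOG = """\
1130940000 10.0.0.5 192.168.1.10:22 S
1130940001 10.0.0.5 192.168.1.10:23 S
1130940002 10.0.0.7 192.168.1.10:80 SF
1130940003 10.0.0.7 192.168.1.10:443 FPU
1130940004 10.0.0.9 192.168.1.10:25 F
1130940005 10.0.0.9 192.168.1.10:110 -
1130940100 10.0.0.7 192.168.1.10:22 S
1130940101 10.0.0.7 192.168.1.10:22 A
1130940102 10.0.0.5 192.168.1.10:80 A
"""

def parse_line(line):
    ts, src, dst_port, flags = line.split()
    dst, dport = dst_port.rsplit(":", 1)
    return int(ts), src, dst, int(dport), "" if flags == "-" else flags

def classify(flags):
    """Reason string if the flag combination is scan-like, else None."""
    return SUSPECT_FLAGS.get("".join(sorted(flags)))

def analyze(log_text, window=3600):
    """Group scan-like packets by source, then collect each scanning source's
    later ordinary packets (plain SYN/ACK) within `window` seconds of its first scan."""
    packets = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    scans, first_scan, followups = defaultdict(list), {}, defaultdict(list)
    for ts, src, _dst, dport, flags in packets:
        reason = classify(flags)
        if reason:
            scans[src].append((ts, dport, reason))
            first_scan.setdefault(src, ts)
    for ts, src, _dst, dport, flags in packets:
        started = first_scan.get(src)
        if started is not None and 0 < ts - started <= window and not classify(flags):
            followups[src].append((ts, dport, flags))
    return dict(scans), dict(followups)
```

Plain SYN scans deliberately pass through unflagged, matching the advice above; only the sources that sent malformed flag combinations get their follow-up connections collected for review.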

    On 10/31/05, Geelen, Ruud <ruud.geelen@logicacmg.com> wrote:
    > Hi all,
    >
    > I agree with Georgi: it is not a function of a firewall to block /
    > detect port scans. The PIX is designed to protect your network. So
    > (D)DOS attacks would be blocked by your firewall if configured correctly
    > amongst other things. (using the "static" commands)
    > Scans are noticed but if legitimate not blocked.
    >
    > If you want to detect port scans you need IDS functionality, if you need
    > to block it think about an IPS. Your PIX will not let you do this, the
    > IDS it uses is much too weak to do so (version 6.3 and below), although
    > since v7.x a lot has changed.
    > And even there: if it is a very slow scan not many IDS/IPS will detect
    > them.
    >
    > So forget about being able to block port scans on a firewall and think
    > about IDS/IPS equipment.
    >
    > Cheers,
    > Ruud
    > CCIE #12793 security
    >
    > -----Original Message-----
    > From: Georgi Alexandrov [mailto:georgi.alexandrov@gmail.com]
    > Sent: Thursday 27 October 2005 7:48
    > To: pen-test@securityfocus.com
    > Subject: Re: Blocking Port scans
    >
    > BSK wrote:
    >
    > >Hello Everyone,
    > >
    > >Just wanted some feedback from you people. I'm doing a
    > >Firewall Assessment for a CISCO PIX firewall. The
    > >firewall allows SYN, FIN, NULL and XMAS scans but
    > >blocks ACK scans (largely means it's a stateful
    > >firewall).
    > >
    > >Now what do we do to block the scans that are allowed.
    > >I think it should be easy to block FIN, NULL and XMAS
    > >scans but how do we block or limit or workaround a SYN
    > >scan. 1 way that I think is probably blocking or
    > >limiting the packets from the source (using IDS/IPS)
    > >
    > >Looking ahead to some ideas, thoughts, hints.
    > >
    > >thns bshan
    > >
    > >
    > >
    > Hello,
    >
    > I think that wasting your time searching for a (complex?) mechanism to
    > block port scans is useless.
    > If a person wants to know what services a host is running - he will find
    > them ... one way or another.
    >
    > Nmap for example has a lot of options that can make any port scan
    > detecting system suffer: decoys, paranoid scanning option, etc .. etc.
    > But maybe a person doesn't even need the internet to figure out the
    > services - there are phones, not so knowledgeable support personnel,
    > etc.
    >
    > I would prefer researching and integrating more serious and interesting
    > security policies than wondering how to block port scans.
    >
    > Otherwise if you still insist on trying to detect port scans (and block
    > them after that), you can try scanlogd by Solar Designer.
    >
    > Maybe I get the whole picture wrong and my opinion is useless, you will
    > decide that ;-)
    >
    >
    > regards,
    > Georgi Alexandrov
    >
    > ------------------------------------------------------------------------------
    > Audit your website security with Acunetix Web Vulnerability Scanner:
    >
    > Hackers are concentrating their efforts on attacking applications on your
    > website. Up to 75% of cyber attacks are launched on shopping carts, forms,
    > login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
    > futile against web application hacking. Check your website for vulnerabilities
    > to SQL injection, Cross site scripting and other web attacks before hackers do!
    > Download Trial at:
    >
    > http://www.securityfocus.com/sponsor/pen-test_050831
    > -------------------------------------------------------------------------------
    >
    >
    >
    > This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
    >


