RE: Scanning--more then one side to the argument

From: Steve Fletcher (safletcher_at_insightbb.com)
Date: 03/31/05

    To: "'Shand'" <shand@adelphia.net>, <security-basics@securityfocus.com>
    Date: Thu, 31 Mar 2005 00:36:41 -0600
    
    

    Yes, I would consider the open ports an issue. I won't disagree with that.
    However, I'm curious why those ports are showing as open when the others are
    filtered. Are you firewalling some ports, but not all?

    One thing, too. You might want to upgrade to a newer version of nmap.
    Version 3.81 has been out for a little while. There have been a number of
    improvements since 3.50. I'm not sure if it would affect your results, but
    it's possible.

    Steve
     

    -----Original Message-----
    From: Shand [mailto:shand@adelphia.net]
    Sent: Wednesday, March 30, 2005 3:17 PM
    To: Steve Fletcher; security-basics@securityfocus.com
    Subject: Re: Scanning--more then one side to the argument

    Example of customer scan

    nmap -sV -P0 -p 1-

    Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-03-30 16:59 EST
    Interesting ports on
    (The 65522 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    80/tcp filtered http
    135/tcp filtered msrpc
    136/tcp filtered profile
    137/tcp filtered netbios-ns
    138/tcp filtered netbios-dgm
    139/tcp filtered netbios-ssn
    445/tcp filtered microsoft-ds
    5000/tcp open upnp Microsoft Windows UPnP
    5241/tcp open unknown
    7177/tcp open unknown
    8031/tcp open unknown
    9491/tcp open unknown
    27374/tcp filtered subseven

    Nmap run completed -- 1 IP address (1 host up) scanned in 438.716 seconds

    Now I see this as an issue?

    Others don't?

    The filtered ones are filtered by us.

    The others they have open? ( Not firewall?) ( No security?)

    Sherman

    ----- Original Message -----
    From: "Steve Fletcher" <safletcher@insightbb.com>
    To: "'Shand'" <shand@adelphia.net>; <security-basics@securityfocus.com>
    Sent: Wednesday, March 30, 2005 3:41 PM
    Subject: RE: Scanning--more then one side to the argument

    > That would depend on the port and what function it serves. For example,
    > you might show port 25 as open because they have an SMTP server and it
    > is not behind a firewall.
    >
    > Here is a definition of the different states, straight from the nmap man
    > page:
    >
    > "The state is either "open", "filtered", or "unfiltered". Open
    > means that the target machine will accept() connections on that
    > port. Filtered means that a firewall, filter, or other network obstacle
    > is covering the port and preventing nmap from determining whether the
    > port is open. Unfiltered means that the port is known by nmap to be
    > closed and no firewall/filter seems to be interfering with nmap's
    > attempts to determine this. Unfiltered ports are the common case and are
    > only shown when most of the scanned ports are in the filtered state."
    >
    > Hope this helps.
    >
    > Steve Fletcher
    > MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
    > safletcher@insightbb.com
    >
    > -----Original Message-----
    > From: Shand [mailto:shand@adelphia.net]
    > Sent: Wednesday, March 30, 2005 2:33 PM
    > To: Steve Fletcher; security-basics@securityfocus.com
    > Subject: Re: Scanning--more then one side to the argument
    >
    > External scans.
    >
    > Against customer using our internet service.
    >
    > Does a port have to show as "open" or can they for usability show only as
    > filtered, closed?
    >
    > Thoughts?
    >
    > Shand
    >
    >
    >
    >
    > ----- Original Message -----
    > From: "Steve Fletcher" <safletcher@insightbb.com>
    > To: "'Sherman Hand'" <shand@adelphia.net>;
    > <security-basics@securityfocus.com>
    > Sent: Wednesday, March 30, 2005 3:18 PM
    > Subject: RE: Scanning--more then one side to the argument
    >
    >
    >> I have a question regarding this. Are you talking about doing an external
    >> scan or an internal scan? I assume an external, because an internal scan
    >> should show a LOT of open ports.
    >>
    >> I would say that any open port POTENTIALLY could be a security issue
    >> waiting to happen, but common sense dictates that some ports must be
    >> open for
    >> usability reasons. Plus, if you're going to follow this line of thought,
    >> the fact that the systems are connected to the Internet AT ALL poses a
    >> potential risk. Or, just being networked could be a risk. Or, being
    >> powered on poses a potential risk.
    >>
    >> So, based on this, sure it COULD be a security risk waiting to happen,
    >> but more information needs to be gathered to determine the true extent
    >> of the risk. And, it must be reevaluated at regular intervals to catch
    >> new issues that might have come up since the last scan. What is safe now
    >> might not be 6 months from now.
    >>
    >> Hope this helps.
    >>
    >> Steve Fletcher
    >> MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
    >> safletcher@insightbb.com
    >>
    >> -----Original Message-----
    >> From: Sherman Hand [mailto:shand@adelphia.net]
    >> Sent: Wednesday, March 30, 2005 5:05 PM
    >> To: security-basics@securityfocus.com
    >> Subject: Scanning--more then one side to the argument
    >>
    >>
    >>
    >> There has been an ongoing discussion about the scanning results on our
    >> customers.
    >>
    >> Thought one says that "any" port on a standard nmap, showing as "open" is
    >> a security risk.
    >>
    >> Thought two says, no since some things need to show in a state of open.
    >>
    >> Should we be stating that through proactive scan, when we find any port
    >> showing as open, that it is a security issue waiting to happen?
    >>
    >> Or only if we can show an issue?
    >>
    >> Thoughts?
    >>
    >> Shand
    >>
    >>
    >
    >
    >
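
Added example (not part of the original messages): the port table from the scan posted above, parsed and sorted by the man-page states so that each open port gets the follow-up described in the thread, plus a comparison against an earlier scan for the periodic re-check. The allowlist `EXPECTED_OPEN` and the function names are assumptions made for this example.

```python
import re

# Port table as posted in the scan above (the target was elided in the post).
SCAN = """\
PORT STATE SERVICE VERSION
80/tcp filtered http
135/tcp filtered msrpc
136/tcp filtered profile
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
5000/tcp open upnp Microsoft Windows UPnP
5241/tcp open unknown
7177/tcp open unknown
8031/tcp open unknown
9491/tcp open unknown
27374/tcp filtered subseven
"""

# Constructed assumption: ports the customer has confirmed must be reachable
# (port 25 for an SMTP server is the example given in the thread).
EXPECTED_OPEN = {25}

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(open|filtered|unfiltered|closed)\s+(\S+)\s*(.*)$")

def parse_ports(text):
    """Map port number -> (state, service, version) for each table row."""
    ports = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            ports[int(m.group(1))] = (m.group(3), m.group(4), m.group(5))
    return ports

def triage(ports, expected_open):
    """Sort ports into review buckets following the man-page state definitions."""
    buckets = {"expected": [], "identify_service": [], "review_need": [], "undetermined": []}
    for port, (state, service, _version) in sorted(ports.items()):
        if state == "filtered":
            buckets["undetermined"].append(port)      # a filter hides the real state
        elif state == "open" and port in expected_open:
            buckets["expected"].append(port)
        elif state == "open" and service == "unknown":
            buckets["identify_service"].append(port)  # not fingerprinted: find the owner
        elif state == "open":
            buckets["review_need"].append(port)       # known service: must it be exposed?
    return buckets

def newly_open(previous, current):
    """Ports open in the current scan that were not open in the previous one."""
    was_open = {p for p, v in previous.items() if v[0] == "open"}
    return sorted(p for p, v in current.items() if v[0] == "open" and p not in was_open)
```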
