RE: an error in the NMAP docs?

From: Fields, James (James.Fields_at_bcbsfl.com)
Date: 04/05/05

    Date: Tue, 5 Apr 2005 08:39:36 -0400
    To: "Michael Herz" <mherz@uwaterloo.ca>, security-basics@securityfocus.com

    The nmap docs are referring to an unusual but possible firewall
    configuration that would be in use only on the most basic of
    packet-filtering firewalls (i.e. no stateful inspection capabilities at
    all). There are some operations that come *from* established ports.
    DNS zone transfers should be requested *from* port 53, for example; and
    normal "non-passive" FTP connections create a connection FROM the server
    FROM port 20 back to an ephemeral port on the client for data transfers.
    Since there is no way to predict the necessary client ports, you'd allow
    (under this type of system) connections FROM port 20 to ALL high ports
    inbound. Obviously modern firewalls have many more capabilities like
    scanning FTP control connections to monitor for clients advertising port
    numbers...

    -----Original Message-----
    From: Michael Herz [mailto:mherz@uwaterloo.ca]
    Sent: Friday, April 01, 2005 11:05 AM
    To: security-basics@securityfocus.com
    Subject: an error in the NMAP docs?

    Hi all,

    Is there an error in the NMAP docs? The --source_port section says:

    "Many naive firewall and packet filter installations make an exception in
    their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through
    and establish a connection. Obviously this completely subverts the security
    advantages of the firewall since intruders can just masquerade as FTP or
    DNS by modifying their source port."

    This implies that the hole in a packet filtered machine exists if it has
    allowed inbound DNS or FTP connections. I don't believe this is true. I
    think the hole only exists if the machine has allowed outbound (i.e.
    client) connections from the machine. For example if the machine allowed
    outbound DNS client requests to the world, using --source_port 53 would
    exploit the hole.

    Any comments would be appreciated.
    Mike
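The two filter designs the reply contrasts, as an added example that is not part of the thread and not nmap's own code: a stateless filter that trusts inbound packets by their *source* port (20 or 53), which is the "naive" rule set the quoted docs describe, beside a stateful filter that admits only replies to flows the inside host started, plus active-mode FTP data connections whose port was advertised on a tracked control channel (the "scanning FTP control connections" capability the reply mentions). The addresses, ports and the PORT command in the scenario are constructed for the demonstration; `Packet`, `stateless_allow`, `StatefulFilter` and `run_scenario` are names chosen here, not from any real firewall.

```python
"""Toy packet-filter models (added example, not from the thread or from nmap).
All addresses, ports and the FTP PORT command below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool      # True when the packet arrives from the outside
    syn: bool = False  # True for a TCP segment that opens a new connection


TRUSTED_SOURCE_PORTS = {20, 53}  # FTP-DATA and DNS, as in the quoted docs


def stateless_allow(pkt: Packet) -> bool:
    """Naive filter with no memory: outbound always allowed; inbound allowed only
    when the source port is 20 or 53 and the destination is a high port.
    Nothing stops a sender from simply setting that source port."""
    if not pkt.inbound:
        return True
    return pkt.src_port in TRUSTED_SOURCE_PORTS and pkt.dst_port >= 1024


def parse_ftp_port_command(line: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' (RFC 959 syntax) into (ip, port)."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        raise ValueError("not a PORT command")
    h1, h2, h3, h4, p1, p2 = (int(x) for x in arg.split(","))
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


class StatefulFilter:
    """Admits inbound packets only for flows the inside host started, or for a
    single active-mode FTP data connection a tracked control channel announced."""

    def __init__(self) -> None:
        # flows started from inside: (inside_ip, inside_port, outside_ip, outside_port)
        self.flows: set[tuple[str, int, str, int]] = set()
        # server->client data connections an FTP PORT command told us to expect
        self.expected: set[tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            self.flows.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.flows:
            return not pkt.syn  # replies only; a fresh SYN on a known flow is rejected
        if pkt.syn and pkt.src_port == 20 and key in self.expected:
            self.expected.discard(key)  # one-shot: exactly the advertised connection
            self.flows.add(key)
            return True
        return False

    def track_ftp_control(self, pkt: Packet, payload: str) -> None:
        """Outbound FTP control traffic: when the client sends PORT, expect one
        connection from the server's port 20 to the advertised client port."""
        self.allow(pkt)
        if payload.upper().startswith("PORT "):
            client_ip, client_port = parse_ftp_port_command(payload)
            self.expected.add((client_ip, client_port, pkt.dst_ip, 20))


def run_scenario() -> dict[str, tuple[bool, bool]]:
    """Return {case: (stateless verdict, stateful verdict)} for constructed packets."""
    inside, dns, ftp, outsider = "10.0.0.5", "192.0.2.53", "192.0.2.21", "198.51.100.7"
    sf = StatefulFilter()
    results: dict[str, tuple[bool, bool]] = {}
    # 1. legitimate DNS: query leaves from port 40000, reply returns from port 53
    sf.allow(Packet(inside, 40000, dns, 53, inbound=False))
    reply = Packet(dns, 53, inside, 40000, inbound=True)
    results["dns reply"] = (stateless_allow(reply), sf.allow(reply))
    # 2. unsolicited SYN to a high port carrying a forged source port of 53
    forged = Packet(outsider, 53, inside, 8080, inbound=True, syn=True)
    results["forged src 53"] = (stateless_allow(forged), sf.allow(forged))
    # 3. active-mode FTP: client advertises port 40001 (156*256+65), server connects from 20
    sf.track_ftp_control(Packet(inside, 40500, ftp, 21, inbound=False), "PORT 10,0,0,5,156,65")
    data = Packet(ftp, 20, inside, 40001, inbound=True, syn=True)
    results["advertised ftp-data"] = (stateless_allow(data), sf.allow(data))
    # 4. same server and port 20, but a client port that was never advertised
    rogue = Packet(ftp, 20, inside, 40002, inbound=True, syn=True)
    results["unadvertised ftp-data"] = (stateless_allow(rogue), sf.allow(rogue))
    return results


if __name__ == "__main__":
    for case, (stateless, stateful) in run_scenario().items():
        print(f"{case:24s} stateless={stateless!s:5s} stateful={stateful}")
```

The stateless filter says yes to all four packets because it can only look at the source port; the stateful one passes the DNS reply and the one announced FTP data connection and rejects the two unsolicited SYNs, which is the distinction both posters are circling: the exposure is a property of filters that key on source port, not of whether inbound DNS or FTP service is offered.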

    ------------------------------------------------------------------------

    ---
    Earn your MS in Information Security ONLINE
    Organizations worldwide are in need of highly qualified information
    security 
    professionals.  Norwich University is fulfilling this demand with its MS
    in 
    Information Security offered online.  Recognized by the NSA as an 
    academically excellent program, NU offers you the opportunity to earn
    your 
    degree without disrupting your home or work life.
    http://www.msia.norwich.edu/secfocus_en
    ------------------------------------------------------------------------
    ----
    Blue Cross Blue Shield of Florida, Inc., and its subsidiary and affiliate companies are not responsible for errors or omissions in this e-mail message. Any personal comments made in this e-mail do not reflect the views of Blue Cross Blue Shield of Florida, Inc.  The information contained in this document may be confidential and intended solely for the use of the individual or entity to whom it is addressed.  This document may contain material that is privileged or protected from disclosure under applicable law.  If you are not the intended recipient or the individual responsible for delivering to the intended recipient, please (1) be advised that any use, dissemination, forwarding, or copying of this document IS STRICTLY PROHIBITED; and (2) notify sender immediately by telephone and destroy the document. THANK YOU.
