RE: how to block connections running on non-default ports

From: Smith, Ryan (Ryan.Smith_at_MWAA.com)
Date: 08/17/05

    Date: Wed, 17 Aug 2005 14:33:31 -0400
    To: "Niranjan S Patil" <niranjan.patil@gmail.com>
    
    

    Hi Niranjan,

    Intrusion Detection Systems are designed to passively monitor your
    network, and then depending on how your IDS is configured, it will
    generate an alert when a particular traffic pattern has been detected as
    a possible attack and/or intrusion into the network. To get the
    capability to block ports you would need something more along the lines
    of an IPS (Intrusion Prevention System) which is used inline similar to
    firewall technology. Just my $.02.

    Ryan Smith
    -----Original Message-----
    From: Niranjan S Patil [mailto:niranjan.patil@gmail.com]
    Sent: Monday, August 15, 2005 11:36 AM
    To: security-basics@securityfocus.com
    Subject: how to block connections running on non-default ports

    Hi list,

    I recently noticed that our corporate IDS could not block some of
    connections that are seemingly unauthorised.

    I launched a telnet connection to a remote server on Internet on port
    23 and it was successfully blocked by our firewall. I changed the
    listening port of the telnet server to 443 and launched another telnet
    connection on port 443. Neither our firewall nor IDS was able to block
    this connection.

    Aren't IDS supposed to block such masqueraded connections, i.e.,
    protocols with non-default ports?

    I have less knowledge on IDS, but isn't it simple for them to check
    packet headers and block/filter if they are not on right protocol/port?

    Is this normal with all IDS?

    Any help is appreciated.

    --
    Regards,
    Niranjan S Patil
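
The protocol/port mismatch discussed in the thread above, as an added example that is not part of the original messages: a sensor compares the first payload bytes of a stream with the protocol expected on the destination port, and the same finding becomes an alert on a passive IDS or a drop on an inline IPS. The `EXPECTED` policy table, the function names and the sample payloads are assumptions constructed for illustration.

```python
# Added example: protocol/port mismatch check on the first payload bytes
# of a TCP stream. Policy table and sample payloads are constructed.

EXPECTED = {22: "ssh", 23: "telnet", 443: "tls"}   # assumed site policy
TELNET_OPTION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}      # WILL, WONT, DO, DONT (RFC 854)


def classify(payload: bytes) -> str:
    """Guess the application protocol from the first bytes of a stream."""
    if payload.startswith(b"SSH-"):
        return "ssh"
    # Telnet option negotiation: IAC (0xFF), a command byte, an option byte.
    if len(payload) >= 3 and payload[0] == 0xFF and payload[1] in TELNET_OPTION_CMDS:
        return "telnet"
    # TLS handshake record: type 0x16, version 3.x, 2-byte length,
    # then handshake type ClientHello (1) or ServerHello (2).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        record_len = int.from_bytes(payload[3:5], "big")
        if 0 < record_len <= 16384 and payload[5] in (0x01, 0x02):
            return "tls"
    return "unknown"


def verdict(dst_port: int, payload: bytes, inline: bool) -> str:
    """Return 'pass', 'alert' (passive IDS) or 'drop' (inline IPS)."""
    expected = EXPECTED.get(dst_port)
    # Ports without a policy entry are not judged by this check.
    if expected is None or classify(payload) == expected:
        return "pass"
    return "drop" if inline else "alert"


# Constructed samples: a telnet server's opening negotiation
# (IAC DO TERMINAL-TYPE, IAC DO TERMINAL-SPEED) and a TLS ClientHello record.
TELNET_HELLO = bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFD, 0x20])
TLS_CLIENT_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2F, 0x01]) + bytes(0x2F - 1)

if __name__ == "__main__":
    for name, port, data in [("telnet on 443", 443, TELNET_HELLO),
                             ("tls on 443", 443, TLS_CLIENT_HELLO),
                             ("telnet on 23", 23, TELNET_HELLO)]:
        print(name, "| IDS:", verdict(port, data, inline=False),
              "| IPS:", verdict(port, data, inline=True))
```

The check only sees the outermost protocol: a stream that really is TLS on port 443 passes whatever it carries inside.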
    
