RE: how to block connections running on non-default ports
From: Roger A. Grimes (roger_at_banneretcs.com)
Date: 08/18/05
- Previous message: Joe George: "FW: Your opinion on Skype"
- Maybe in reply to: Niranjan S Patil: "how to block connections running on non-default ports"
- Next in thread: abretten_at_kroger.com: "RE: how to block connections running on non-default ports"
- Reply: abretten_at_kroger.com: "RE: how to block connections running on non-default ports"
Date: Thu, 18 Aug 2005 07:50:16 -0400
To: "Niranjan S Patil" <niranjan.patil@gmail.com>, <security-basics@securityfocus.com>
This is a common issue and a proxy device is needed. By definition a
proxy firewall, with a service proxy, would review and strip out all
"malformed" data from a communication's stream. Unfortunately, because
443 is normally encrypted, I'm not sure how accurate any 443 proxy
firewall service would be...but many firewalls let you build your own
proxy filters and I'm sure you could be fairly accurate with a little
research.
Also, many network traffic analyzers, like Ethereal, can sometimes detect
the correct traffic type even when running on non-default ports. It
depends on the sniffer and the protocol.
Roger
***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security
Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger@banneretcs.com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by
O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
****************************************************************************
-----Original Message-----
From: Niranjan S Patil [mailto:niranjan.patil@gmail.com]
Sent: Monday, August 15, 2005 11:36 AM
To: security-basics@securityfocus.com
Subject: how to block connections running on non-default ports
Hi list,
I recently noticed that our corporate IDS could not block some of the
connections that are seemingly unauthorised.
I launched a telnet connection to a remote server on the Internet on port
23 and it was successfully blocked by our firewall. I changed the
listening port of the telnet server to 443 and launched another telnet
connection on port 443. Neither our firewall nor our IDS was able to block
this connection.
Aren't IDS supposed to block such masqueraded connections, i.e.,
protocols on non-default ports?
I have little knowledge of IDS, but isn't it simple for them to check
packet headers and block/filter if they are not on the right protocol/port?
Is this normal with all IDS?
Any help is appreciated.
--
Regards,
Niranjan S Patil
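The core of both messages is that a port-matching firewall or IDS rule sees "443" and lets the stream through, while a content-aware sniffer or proxy would notice that what is flowing is telnet, not TLS. The following added example (not code from the thread or from any product named in it) shows the kind of first-bytes check such a tool applies: a telnet server opens with IAC option negotiation and a TLS client opens with a ClientHello handshake record, so the payload itself reveals the protocol regardless of port. The sample payloads are constructed for the demonstration.

```python
# Added example: classify a TCP stream by its opening bytes rather than by the
# service port, the way a protocol-aware sniffer or proxy would, and flag the
# telnet-on-443 case from the thread. Sample payloads below are constructed.
from typing import Optional

TELNET_IAC = 0xFF
TELNET_NEGOTIATE = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WON'T, DO, DON'T

def looks_like_telnet(payload: bytes) -> bool:
    """A telnet server normally opens with IAC <WILL|WONT|DO|DONT> <option>,
    whatever port it was configured to listen on."""
    return (len(payload) >= 3 and payload[0] == TELNET_IAC
            and payload[1] in TELNET_NEGOTIATE)

def looks_like_tls(payload: bytes) -> bool:
    """A TLS session opens with a Handshake record (content type 0x16,
    record version 0x03xx) whose first message is a ClientHello (0x01)."""
    return (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x04 and payload[5] == 0x01)

def classify(payload: bytes) -> str:
    if looks_like_telnet(payload):
        return "telnet"
    if looks_like_tls(payload):
        return "tls"
    return "unknown"

def flag_mismatch(service_port: int, payload: bytes) -> Optional[str]:
    """Return an alert when recognised content disagrees with the protocol
    expected on the server's listening port (None when nothing is wrong).
    Note the direction: the telnet banner comes from the server, the TLS
    ClientHello from the client, so inspect the first bytes of each side."""
    expected = {23: "telnet", 443: "tls"}.get(service_port)
    seen = classify(payload)
    if expected and seen != "unknown" and seen != expected:
        return f"port {service_port} expects {expected} but payload looks like {seen}"
    return None

# Constructed samples: a telnet server's opening "IAC DO TERMINAL-TYPE, IAC DO
# NAWS" on port 443, and the start of a TLS 1.2 ClientHello on port 443.
TELNET_ON_443 = (443, bytes([0xFF, 0xFD, 0x18, 0xFF, 0xFD, 0x1F]))
TLS_ON_443 = (443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4]))

if __name__ == "__main__":
    for port, data in (TELNET_ON_443, TLS_ON_443):
        print(port, classify(data), flag_mismatch(port, data))
```

A real sniffer applies many more such fingerprints, and only a proxy that terminates the session can act on them for every stream; this check shows why port number alone is not enough.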