RE: how to block connections running on non-default ports

From: AMOL (
Date: 08/22/05

    To: "Niranjan S Patil" <>
    Date: Mon, 22 Aug 2005 14:53:26 +0530

    Hi Niranjan,
    Nice question!

    Any IDS in inline mode, or firewall, will block the packets as per the rules
    defined for blocking/allowing.
    Generally, port 80 (HTTP) and 443 (HTTPS) are among the most common ports in the
    "allowed" ones.
    And yes; your firewall doesn't know more than source (IP:PORT), destination
    (IP:PORT) and state (if you have an option of a stateful inspection of
    From your scenario it looks like you have a packet filter firewall. A
    firewall implemented with packet filters works at the Network Layer of the
    ISO/OSI stack.
    Hence it can't stop a telnet connection to the server listening on "allowed"

    Similar is the case for Inline IDS.

    But as a security measure you can make sure that hosts on your network are
    NOT practicing things like running a telnet server on port 443. Strictly. And
    you can implement the ALG option (or simply enable it if it's already present) in
    your firewall.
    A firewall implemented with Application Layer Gateways (ALG) works at the
    Application Layer of the ISO/OSI stack.

    Hope this may help a little.


    -----Original Message-----
    From: Niranjan S Patil []
    Sent: Monday, August 15, 2005 9:06 PM
    Subject: how to block connections running on non-default ports

    Hi list,

    I recently noticed that our corporate IDS could not block some of the
    connections that are seemingly unauthorised.

    I launched a telnet connection to a remote server on the Internet on port
    23 and it was successfully blocked by our firewall. I changed the
    listening port of the telnet server to 443 and launched another telnet
    connection on port 443. Neither our firewall nor IDS was able to block
    this connection.

    Aren't IDS supposed to block such masqueraded connections, i.e.,
    protocols with non-default ports?

    I have less knowledge on IDS, but isn't it simple for them to check
    packet headers and block/filter if they are not on the right

    Is this normal with all IDS?

    Any help is appreciated.

    Niranjan S Patil
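The thread turns on the difference between a packet filter that sees only IP:port and an application-aware inspector (the ALG / inline IDS idea in the reply). The following Python is an added illustration, not code from either poster or from any product: it contrasts a port-only decision with a payload-based protocol check over a few constructed flows, including the telnet-on-443 case from the question. The protocol fingerprints (TLS handshake record header, telnet IAC option negotiation, HTTP method tokens) are simple heuristics chosen for the example, and the "expected protocol per port" table is an assumed policy.

```python
# Added example: why a Layer-3/4 packet filter allows telnet on port 443, and
# how a payload-aware check (ALG / inline IDS style) can catch it.
# All flows and policy values below are constructed for illustration.

TELNET_IAC = 0xFF          # telnet "Interpret As Command" byte (option negotiation)
TLS_HANDSHAKE = 0x16       # TLS record type: handshake (ClientHello/ServerHello)
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Assumed policy: which application protocol each allowed port is meant to carry.
EXPECTED_PROTOCOL = {80: "http", 443: "tls"}
ALLOWED_PORTS = frozenset(EXPECTED_PROTOCOL)


def packet_filter_decision(dst_port):
    """Network/transport-layer decision: only the destination port is visible."""
    return "allow" if dst_port in ALLOWED_PORTS else "block"


def guess_protocol(payload):
    """Heuristic identification from the first application bytes of a flow.

    Deliberately conservative: anything it cannot recognise is 'unknown', so the
    caller can alert on it rather than silently pass it through.
    """
    if not payload:
        return "unknown"
    if payload[0] == TLS_HANDSHAKE and len(payload) >= 3 and payload[1] == 0x03:
        return "tls"
    if payload[0] == TELNET_IAC:
        return "telnet"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def inspect_flow(dst_port, payload):
    """Application-aware decision: the observed protocol must match the port."""
    l4 = packet_filter_decision(dst_port)
    if l4 == "block":
        return {"l4": "block", "l7": "block", "reason": "port not allowed"}
    seen = guess_protocol(payload)
    expected = EXPECTED_PROTOCOL[dst_port]
    if seen == "unknown":
        # Packet filter would already have allowed this; flag it for review.
        return {"l4": l4, "l7": "alert", "reason": f"unidentified payload on port {dst_port}"}
    if seen != expected:
        return {"l4": l4, "l7": "block", "reason": f"{seen} on port {dst_port}, expected {expected}"}
    return {"l4": l4, "l7": "allow", "reason": "protocol matches port"}


# Constructed sample flows: (destination port, first application bytes)
SAMPLE_FLOWS = [
    (23, bytes([0xFF, 0xFD, 0x18])),                      # telnet on 23: IAC DO TERMINAL-TYPE
    (443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01])),   # TLS handshake record on 443
    (443, bytes([0xFF, 0xFD, 0x18])),                     # telnet negotiation sent to 443
    (80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # plain HTTP on 80
]


def run(flows=SAMPLE_FLOWS):
    """Evaluate every flow; returns one decision dict per flow, in order."""
    return [inspect_flow(port, data) for port, data in flows]


if __name__ == "__main__":
    for (port, _), decision in zip(SAMPLE_FLOWS, run()):
        print(f"port {port:>3}: L4={decision['l4']:<5} L7={decision['l7']:<5} {decision['reason']}")
```

The third flow is the poster's scenario: the packet filter says "allow" because 443 is on the list, while the payload check says "block" because the bytes are telnet option negotiation rather than a TLS handshake. Real products use far richer signatures than these first-byte checks, but the division of labour is the same: the port tells you what the policy expects, only the payload tells you what is actually being carried.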
