Re: Open Ports on a hardware firewall

From: x y (jamescagney90210@excite.com)
Date: 06/04/02


If you have the ports open, i.e. people are allowed to initiate connections
from the internet to your computer, state doesn't enter into it. Unless
your firewall has some sort of content inspection set up, it's not looking
for queso. If you read the definition for stateful packet inspection, it
isn't about detecting queso, but more about tracking past data
communications to be able to verify that incoming packets that claim to be
replies to existing connections really are.
http://www.webopedia.com/TERM/S/stateful_inspection.html

By opening the port, you're telling the firewall that every incoming packet
is valid and you're more or less removing stateful inspection from that
port. A queso packet is a legitimate connection as far as your firewall is
concerned, unless your firewall lets you set up a rule or a setting telling
it to block queso packets.

It's been ages since I've seen a queso scan, so it may be a false alarm. I
have a supposed queso-detecting rule on a Check Point FW-1 and it seems to
detect queso in incoming email connections that I believe are not queso.

"Shortly" <th1nkhowmanydays@hotmail.com> wrote in message
news:ee9fc263.0206012139.20be7bdf@posting.google.com...
> I have a 2wire homeportal, and I have some ports open for p2p, etc. I
> have blackice running behind it. The hardware performs NAT and SPI.
>
> I noticed an alert on blackice: A queso scan and an NMAP OS
> Fingerprint request were sent to those open ports.
>
> Shouldn't the hardware firewall have filtered this out before it
> reached the software firewall? I thought I was paying for "stateful
> packet inspection" on open ports.
>
> Any suggestions?
>
> Thanks.

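The point made in the reply above (state protects you on ports that are closed, and a port you have forwarded for p2p accepts whatever arrives on it unless there is a separate flag-sanity rule) can be shown with a small simulation. The following is an added example written for this thread; it is not the 2wire HomePortal's or Check Point FW-1's code, and the host address 10.0.0.2, the scanner address 203.0.113.7, the open port 6881 and all the probe packets are constructed for the demonstration. The `flag_sanity` switch stands in for the "block queso packets" rule the reply mentions, which some firewalls have and a consumer NAT box usually does not.

```python
"""Toy stateful packet filter (constructed example, not a real firewall's code).

Shows why forwarding a port for p2p lets queso/nmap fingerprint probes reach the
host behind the firewall even though the box does "stateful packet inspection":
state only decides the fate of packets that no rule already accepts.
"""
from dataclasses import dataclass, field

# TCP flag bits as they appear in the header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

INSIDE = "10.0.0.2"        # assumed address of the protected host
OUTSIDE = "203.0.113.7"    # assumed address of the scanner / remote peer


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


def bogus_flags(flags: int) -> bool:
    """Flag combinations a real TCP stack never sends.

    OS fingerprinters such as queso and nmap send these to an open port and
    watch how the target's stack answers.
    """
    if flags == 0:                               # NULL probe
        return True
    if flags & SYN and flags & (FIN | RST):      # SYN+FIN, SYN+RST
        return True
    if not flags & (SYN | RST | ACK):            # FIN / Xmas probes without ACK
        return True
    return False


@dataclass
class StatefulFirewall:
    open_ports: frozenset                 # inbound ports forwarded to INSIDE
    flag_sanity: bool = False             # optional "drop queso-style packets" rule
    conns: set = field(default_factory=set)

    @staticmethod
    def _key(p: Packet) -> frozenset:
        # one key for both directions of a flow
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def inspect(self, p: Packet) -> str:
        """Return 'ACCEPT (...)' or 'DROP (...)' for one packet, updating state."""
        if self.flag_sanity and bogus_flags(p.flags):
            return "DROP (bogus TCP flag combination)"
        key = self._key(p)
        if key in self.conns:
            if p.flags & RST:
                self.conns.discard(key)
            return "ACCEPT (part of a tracked connection)"
        if p.src == INSIDE:                       # outbound: allowed and tracked
            self.conns.add(key)
            return "ACCEPT (new outbound connection)"
        if p.dport in self.open_ports:            # forwarded port: every packet is "valid"
            self.conns.add(key)
            return "ACCEPT (new inbound connection to open port)"
        return "DROP (unsolicited inbound packet)"


def run_scenarios(flag_sanity: bool) -> dict:
    """Run a fixed, constructed sequence of packets through the filter."""
    fw = StatefulFirewall(open_ports=frozenset({6881}), flag_sanity=flag_sanity)
    probes = {
        # the inside host browses out; the reply is matched by state
        "outbound_syn": Packet(INSIDE, 40000, OUTSIDE, 80, SYN),
        "reply_syn_ack": Packet(OUTSIDE, 80, INSIDE, 40000, SYN | ACK),
        # a forged "reply" to a port nobody talked from: no state, so dropped
        "forged_reply_closed": Packet(OUTSIDE, 80, INSIDE, 40001, SYN | ACK),
        # an ordinary p2p peer connecting to the forwarded port
        "p2p_syn_open": Packet(OUTSIDE, 51000, INSIDE, 6881, SYN),
        # queso-style SYN+FIN probes, one to the open port and one to a closed port
        "queso_synfin_open": Packet(OUTSIDE, 51001, INSIDE, 6881, SYN | FIN),
        "queso_synfin_closed": Packet(OUTSIDE, 51002, INSIDE, 22, SYN | FIN),
        # nmap-style Xmas probe to the open port
        "xmas_open": Packet(OUTSIDE, 51003, INSIDE, 6881, FIN | PSH | URG),
    }
    # dict comprehension runs in insertion order, so state built by earlier
    # packets is visible to later ones
    return {name: fw.inspect(p) for name, p in probes.items()}


if __name__ == "__main__":
    for sanity in (False, True):
        print(f"flag_sanity={sanity}")
        for name, verdict in run_scenarios(sanity).items():
            print(f"  {name:22s} {verdict}")
```

Without the flag-sanity rule, the SYN+FIN and Xmas probes to port 6881 are accepted for exactly the reason the reply gives: the forwarding rule matches before state is consulted, and the same probes aimed at a closed port are the only ones state gets to drop. Turning the rule on drops the malformed probes on every port, which is the behaviour to look for in the firewall's settings rather than something "SPI" provides by itself.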
