Re: Scan of TCP 552-554

From: Chris Shepherd (chrissat_private)
Date: Fri Aug 01 2003 - 05:25:08 PDT

Next message: Russell Fulton: "ISS command line scanner for RPC/DCOM vulnerability"

Previous message: Makoto Shiotsuki: "Re: Command Line RPC vulnerability scanner?"
Next in thread: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
Reply: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Quoting Rodrigo Barbosa <rodrigobat_private>:
> > In this case, it may make sense to keep your traps on a honeypot box. I'm
> > having a bit of a difficult time understanding exactly what you mean
> > by 'hit my traps faster, so I can react faster'. React how? What would your
> > reaction to a port scan be? If you cite an example, I'll probably have a
> >much clearer idea about what kinds of traps you're talking about. :)
>
> Errr, filter the address or network on the border router ? That is one.
> Contact the admin of the network about the scan is another.

Why take that action for a port scan? You're going to be a very busy admin if
you do all that just for a simple port scan. Those things are unimportant, but
might be useful if logged, or better yet, dropped. :) There's nothing wrong
with a port scan in and of itself, it is just a simple check to see which
services you have listening.

A policy of having a live person react to a port scan is a little farther than
I'd be willing to go ever, which is why I simply have my firewall refuse to
talk on any port that doesn't have a service running. Closed ports are not a
security risk, nor are portscans. The security risks come into play on the
services you already are running. The biggest reason why someone in your shoes
might want to consider using DROP vs REJECT is that it offers a higher delay in
accessing those services. Regardless of your firewall, if you have a service in
place, that is far more likely to become the subject of attack, and wanting to
conceal those services from port scanning is a more intelligent approach (IMO)
than wanting to try and conceal the firewall's existence. The point of
intrusion shouldn't be at the firewall if it is properly configured, but
rather, the hosts behind it that are by necessity running servers (Apache or
IIS for example).

I'm not really sure you gain anything by making your firewall pretend to be a
live host, other than speed up target acquisition for an unfriendly host.

--
Chris Shepherd



---------------------------------------------------------------------------
----------------------------------------------------------------------------

Next message: Russell Fulton: "ISS command line scanner for RPC/DCOM vulnerability"
Previous message: Makoto Shiotsuki: "Re: Command Line RPC vulnerability scanner?"
Next in thread: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
Reply: Rodrigo Barbosa: "Re: Scan of TCP 552-554"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 01 2003 - 09:41:59 PDT