Pix ASA hide ports for portscan?

Posted by Edwin on May 30, 2008, 4:49 am
Hi All,

I have configured a Pix ASA and opened some ports to dmz and inside for
e.g. mail, www and rdp.

Is it possible to have the pix hide these open ports from portscans
originated from outside? If so, how can it be done?

Thanks in advance

Edwin

Posted by Uli Link on May 30, 2008, 6:09 am
Edwin wrote:
> Hi All,
>
> I have configured a Pix ASA and opened some ports to dmz and inside for
> e.g. mail, www and rdp.
>
> Is it possible to have the pix hide these open ports from portscans
> originated from outside? If so, how can it be done?

Can be done by ACL denying access to these ports or by shutting down the
WAN interface ;-) This is most probably not what you want.

If your PIX refuses to connect to the port, the listener of the daemon on
the DMZ server will not be reachable anymore from the outside. This is due
to the nature of TCP and not related to any special firewall.

--
Uli

Posted by Edwin on May 30, 2008, 11:20 am

> Edwin wrote:
>> Hi All,
>>
>> I have configured a Pix ASA and opened some ports to dmz and inside for
>> e.g. mail, www and rdp.
>>
>> Is it possible to have the pix hide these open ports from portscans
>> originated from outside? If so, how can it be done?
>
> Can be done by ACL denying access to these ports or by shutting down the
> WAN interface ;-) This is most probably not what you want.
>
> If your PIX refuses to connect to the port, the listener of the daemon on
> the DMZ server will not be reachable anymore from the outside. This is due
> to the nature of TCP and not related to any special firewall.
>


I fully agree with you. Something needs to respond to requests for a
certain port.
I was actually hoping that the Pix had some feature that deals with certain
characteristics of a portscan. Portscans are recognizable in general... but
maybe not by a pix?


Posted by Charles N Wyble on June 3, 2008, 3:32 am
Edwin wrote:
>>
>
>
> I fully agree with you. Something needs to respond to requests for a
> certain port.
> I was actually hoping that the Pix had some feature that deals with certain
> characteristics of a portscan. Portscans are recognizable in general... but
> maybe not by a pix?

So I know that with IPTABLES you can do things like reject access after
certain connection attempts in a specific time frame from the same IP or
any other combination you can dream up. I presume that is what you want?
I am not sure if the PIX can do this or not.

There are millions of port scans performed on a daily basis. It's much
noise.

If I am after your network, a quick gander of the nmap manual page gives
me several ways to get around you blocking me. And I probably wouldn't
compromise your network from the same netblock I am scanning you from.

I will say that restricting access to ports can backfire on you.

If I want to give you a really bad day, I'll just hijack some class C
(and maybe a couple class B) subnets and do a really aggressive NMAP
scan from a wide variety of compromised hosts and sit back and smile as
your customer support line rings off the hook. :)

I would look at rate limiting and other measures before implementing
something like automated port blocking.

If this is a Linux box you can always use portsentry. It may have been
ported to other versions of UNIX; not sure.

Windows may have something similar; not sure.


Charles
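As an added illustration of the thread's point (not code from any poster, and not a PIX/ASA feature): the "characteristics of a portscan" Edwin mentions, and the "connection attempts in a specific time frame from the same IP" Charles describes for iptables, can be picked out of the firewall's own syslog rather than on the firewall. The script below parses access-list deny messages in the style of the PIX/ASA 106023 message and flags any source that touches many distinct destination ports within a sliding time window. The log lines, hostnames and addresses are constructed for the example; the message layout is an approximation of the real 106023 format, and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the PIX/ASA "106023" access-list deny
# message. Addresses, hostname and timestamps are hypothetical.
SAMPLE_LOG = """\
May 30 2008 04:49:01 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40001 dst dmz:192.0.2.10/21 by access-group "outside_in"
May 30 2008 04:49:01 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40002 dst dmz:192.0.2.10/22 by access-group "outside_in"
May 30 2008 04:49:02 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40003 dst dmz:192.0.2.10/23 by access-group "outside_in"
May 30 2008 04:49:02 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40004 dst dmz:192.0.2.10/110 by access-group "outside_in"
May 30 2008 04:49:03 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40005 dst dmz:192.0.2.10/135 by access-group "outside_in"
May 30 2008 04:49:03 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40006 dst dmz:192.0.2.10/139 by access-group "outside_in"
May 30 2008 04:49:04 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40007 dst dmz:192.0.2.10/445 by access-group "outside_in"
May 30 2008 04:49:04 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40008 dst dmz:192.0.2.10/1433 by access-group "outside_in"
May 30 2008 04:49:05 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40009 dst dmz:192.0.2.10/3306 by access-group "outside_in"
May 30 2008 04:49:05 fw1 %PIX-4-106023: Deny tcp src outside:198.51.100.7/40010 dst dmz:192.0.2.10/8080 by access-group "outside_in"
May 30 2008 04:50:10 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.44/51234 dst dmz:192.0.2.10/23 by access-group "outside_in"
May 30 2008 04:50:12 fw1 %PIX-4-106023: Deny tcp src outside:203.0.113.44/51235 dst dmz:192.0.2.10/23 by access-group "outside_in"
May 30 2008 04:50:15 fw1 %PIX-4-106023: Deny udp src outside:203.0.113.44/51236 dst dmz:192.0.2.10/161 by access-group "outside_in"
"""

# Approximation of the 106023 layout: timestamp, host, message id, protocol,
# "src iface:addr/port dst iface:addr/port". Only the fields we need are captured.
LINE_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}) \S+ "
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>tcp|udp) "
    r"src \S+?:(?P<src>[\d.]+)/\d+ dst \S+?:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_line(line):
    """Return a dict for a deny message, or None for lines we do not understand."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
        "proto": m.group("proto"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "dport": int(m.group("dport")),
    }


def find_scanners(lines, window_s=60, port_threshold=8):
    """Map source IP -> max number of distinct (proto, dst, dport) targets it hit
    inside any window of window_s seconds, for sources at or above the threshold.

    A per-source count like this is exactly the check iptables' rate limiting
    performs; as Charles notes, a slow scan or one spread over many source hosts
    stays under the threshold, so treat hits as leads for a human, not as a
    reason to auto-block.
    """
    events = defaultdict(list)  # src -> [(timestamp, target tuple)]
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append((ev["ts"], (ev["proto"], ev["dst"], ev["dport"])))

    hits = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e[0])
        best, start = 0, 0
        for end in range(len(evs)):
            # Slide the window start forward until it is within window_s of evs[end].
            while (evs[end][0] - evs[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({target for _, target in evs[start:end + 1]})
            best = max(best, distinct)
        if best >= port_threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    for src, count in sorted(find_scanners(SAMPLE_LOG.splitlines()).items()):
        print(f"{src}: {count} distinct targets denied within 60s")
```

On the constructed sample, 198.51.100.7 probes ten different ports in five seconds and is reported; 203.0.113.44 repeats the same port and tries one other, so it stays below the threshold. Feeding the firewall's "built connection" messages for the ports that are open in the same way would let the count include the listeners the ACL permits, which a scanner also sees.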

