RE: Blocking Port scans

From: Geelen, Ruud (ruud.geelen@logicacmg.com)
Date: Mon Oct 31 2005 - 04:01:18 EST


Hi all,

I agree with Georgi: it is not a function of a firewall to block /
detect port scans. The PIX is designed to protect your network. So
(D)DOS attacks would be blocked by your firewall if configured correctly
amongst other things. (using the "static" commands)
Scans are noticed but if legitimate not blocked.

If you want to detect port scans you need IDS functionality, if you need
to block it think about an IPS. Your PIX will not let you do this, the
IDS it uses is much to weak to do so (version 6.3 and below), although
since v7.x a lot has changed.
And even there: if it is a very slow scan not many IDS/IPS will detect
them.

So forget about being able to block port scans on a firewall and think
about IDS/IPS equipment.

Cheers,
Ruud
CCIE #12793 security

-----Original Message-----
From: Georgi Alexandrov [mailto:georgi.alexandrov@gmail.com]
Sent: donderdag 27 oktober 2005 7:48
To: pen-test@securityfocus.com
Subject: Re: Blocking Port scans

BSK wrote:

>Hello Everyone,
>
>Just wanted some feedback from you people. I'm doing a
>Firewall Assessment for a CISCO PIX firewall. The
>firewall allows SYN, FIN, NULL and XMAS scans but
>blocks ACK scans (largely means its a stateful
>firewall).
>
>Now what do we do to block the scans that are allowed.
>I think it should be easy to block FIN, NULL and XMAS
>scans but how do we block or limit or workaround a SYN
>scan. 1 way that I think is probably blocking or
>limiting the packets from the source (using IDS/IPS)
>
>Looking ahead to some ideas, thoughts, hints.
>
>thns bshan
>
>
>
Hello,

I think that wasting your time searching for a (complex?) mechanism to
block port scans is useless.
If a person wants to know what services a host is running - he will find

them ... one way or another.

Nmap for example has alot of options that can make any port scan
detecting system suffer: decoys,
paranoid scanning option, etc .. etc. But maybe a person doesn't even
need the internet to figure out
the services - there are phones, not so knowledgable support personnel,
etc.

I would prefer researching and intergrating more serious and interesting

security policies
than wondering how to block port scans.

Otherwise if you still insist on trying to detect port scans (and block
them after that),
you can try scanlogd by Solar Designer.

Maybe i get the whole picture wrong and my opinion is useless, you will
decide that ;-)

regards,
Georgi Alexandrov

------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on
your
website. Up to 75% of cyber attacks are launched on shopping carts,
forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are
futile against web application hacking. Check your website for
vulnerabilities
to SQL injection, Cross site scripting and other web attacks before
hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:06 EDT