Posted by a_monk on March 11, 2006, 8:32 am
As I understand, when the external interface of a firewall is being
scanned by "nessus", "nmap", or/and other scanning tools, one should
not be able to "see" any open services, EVEN though services, e.g.,
web, mail, ftp, are published using the IP address of
the external interface of the firewall.
Recently, a security consultant explained to me that the stealth mode
of a firewall just means that the firewall does not respond to ICMP
only, therefore when the firewall is scanned, the services published
using that IP address are still visible/reported.
Any comments are appreciated.
A Monk
Posted by Sebastian Gottschalk on March 11, 2006, 8:37 am
a_monk wrote:
> As I understand, when the external interface of a firewall is being
> scanned by "nessus", "nmap", or/and other scanning tools, one should
> not be able to "see" any opening services, EVEN though services, e.g.,
> web, mail, ftp, are published their services using the IP address of
> the external interface of the firewall.
>
> Recently, a security consultant explained to me that the stealth mode
> of a firewall is meant just that the firewall does not respond to ICMP
> only, therefore when the firewall is scanned, the services published
> using that IP address are still visible/reported.
Both your understanding, the explanation and the "stealth mode" itself
are nonsense.
Posted by Sebastian Gottschalk on March 11, 2006, 8:38 am
Your understanding, the explanation and the "stealth mode" itself
are nonsense.
Posted by Volker Birk on March 11, 2006, 11:07 am
> As I understand, when the external interface of a firewall is being
> scanned by "nessus", "nmap", or/and other scanning tools, one should
> not be able to "see" any opening services, EVEN though services, e.g.,
> web, mail, ftp, are published their services using the IP address of
> the external interface of the firewall.
This is wrong.
> Recently, a security consultant explained to me that the stealth mode
> of a firewall is meant just that the firewall does not respond to ICMP
> only, therefore when the firewall is scanned, the services published
> using that IP address are still visible/reported.
Hm... sounds like you didn't understand what he was telling you, or he
was confused ;-)
But "stealthing" is nonsense anyways.
Yours,
VB.
--
If you regard "I see mathematics as the only field where there are clear
proofs." and "I feel uncomfortable in a suit." as statements with
equivalent opinion content, then your analogy is right.
(Michail Bachmann to Thomas Wallutis in d.a.s.r)
Posted by Moe Trin on March 11, 2006, 2:02 pm
On 11 Mar 2006, in the Usenet newsgroup comp.security.firewalls, in article
>As I understand, when the external interface of a firewall is being
>scanned by "nessus", "nmap", or/and other scanning tools, one should
>not be able to "see" any opening services, EVEN though services, e.g.,
>web, mail, ftp, are published their services using the IP address of
>the external interface of the firewall.
Posting from... windoze. No, a scanning tool will get one of three
results looking at a single port.
CLOSED    The remote host said "no service here", either because there is
          no server running on that port, or because a firewall is
          restricting what addresses may connect.
OPEN      There is a server running, and at least the initial stage of
          a connection is made.
FILTERED  No answer received (open _or_ closed) because of a firewall.
Thing is, there are 65000+ TCP ports, _another_ 65000+ UDP ports, and 135+
other protocols besides TCP and UDP. If you want to remain invisible,
not only does your firewall have to remain silent for all of those ports
and all of those protocols, but your _upstream_ has also got to remain
silent as well. Think how the Internet works. You don't connect via a
direct wire to every system. You send packets to a router, and that
router sends it to another, and that one sends it to another... this
continues until it reaches the destination. At any step along the way,
a router can go down, and then the router _before_ it sends back a message
that says "can't get there". Where "stealth" fails is that message. Your
ISP sees that you are connected, so it _doesn't_ send back that message. So
if I get nothing at all - I know you exist, but are trying to hide.
>Recently, a security consultant explained to me that the stealth mode
>of a firewall is meant just that the firewall does not respond to ICMP
>only, therefore when the firewall is scanned, the services published
>using that IP address are still visible/reported.
If that's really what was said, find a new consultant - this one has
serious knowledge problems. That is like ignoring someone who speaks using
language A - say Armenian, and then when the person tries to speak using
language B - say Belgian, you act normally.
http://www.ietf.org/rfc/rfc1180.txt
http://www.faqs.org/rfcs/rfc1180.html
http://www.rfc-editor.org/rfc/rfc1180.txt
http://www.ccd.bnl.gov/network/general/rfc1180.html
http://www.cis.ohio-state.edu/htbin/rfc/rfc1180.html
Old guy
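A toy model of the argument in the post above (added here, not part of the thread): a firewall that silently drops everything it does not forward still leaves its published services OPEN, and total silence on the other ports is itself evidence that a host is present, because only the upstream router's "can't get there" message says nobody is home. The Policy/Host names and the reply strings are my own constructed labels.

```python
# Constructed illustration of the CLOSED / OPEN / FILTERED outcomes and of
# why a "stealth" (drop-everything) policy does not make a host invisible.
from dataclasses import dataclass, field
from enum import Enum

class Policy(Enum):
    NONE = "no firewall"
    REJECT = "refuse unwanted connections with RST"
    DROP = "swallow unwanted packets silently ('stealth')"

@dataclass
class Host:
    exists: bool                                  # is anything at this address at all?
    policy: Policy = Policy.NONE
    published: set = field(default_factory=set)   # ports the firewall forwards inside
    listening: set = field(default_factory=set)   # ports with a real server behind them

def probe(host: Host, port: int) -> str:
    """Wire-level reply to one TCP SYN probe: 'syn-ack', 'rst', 'icmp-unreach' or 'silence'."""
    if not host.exists:
        # Nothing owns the address, so the last router answers on its behalf.
        return "icmp-unreach"
    if host.policy is Policy.NONE or port in host.published:
        return "syn-ack" if port in host.listening else "rst"
    return "rst" if host.policy is Policy.REJECT else "silence"

def port_state(reply: str) -> str:
    """Map a reply onto the three outcomes the post describes."""
    if reply == "syn-ack":
        return "OPEN"
    if reply == "rst":
        return "CLOSED"
    return "FILTERED"   # silence or an unreachable message: no answer from the host itself

def scan(host: Host, ports) -> dict:
    """What a scanner learns: per-port states plus whether the address is in use."""
    replies = {p: probe(host, p) for p in ports}
    states = {p: port_state(r) for p, r in replies.items()}
    # Only an upstream "can't get there" means nobody is home; total silence
    # means something received the packets and chose not to answer.
    host_present = not any(r == "icmp-unreach" for r in replies.values())
    return {"states": states, "host_present": host_present}

if __name__ == "__main__":
    # A "stealthed" firewall that publishes a web server on port 80.
    stealth = Host(True, Policy.DROP, published={80}, listening={80})
    print(scan(stealth, [22, 25, 80, 443]))
    # Port 80 is OPEN, the rest are FILTERED, and host_present stays True.
```

The modelled outcome is a simplification (a forwarded port whose server is down is treated as CLOSED), but it captures the point that dropping packets changes the state label, not the fact that the address is visibly in use.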