Security Basics mailing list archives
RE: Scanning--more then one side to the argument
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 31 Mar 2005 11:36:38 -0800
A good configuration starts with all ports filtered or closed, and then opens the ones that actually need to be opened -- which it appears, for this destination device, should start at "None". Certainly none of the current open ports should be unfiltered unless you know what they are and that it is safe (or at least, allowed by policy) to do that.

Client devices may need to accept inbound connections as part of, for instance, FTP. That's why you want a stateful firewall that monitors FTP conversations so it can open data ports for them only as necessary. They shouldn't show up on a routine scan.

David Gillett
-----Original Message-----
From: Shand [mailto:shand () adelphia net]
Sent: Wednesday, March 30, 2005 1:17 PM
To: Steve Fletcher; security-basics () securityfocus com
Subject: Re: Scanning--more then one side to the argument

Example of customer scan

nmap -sV -P0 -p 1-

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2005-03-30 16:59 EST
Interesting ports on
(The 65522 ports scanned but not shown below are in state: closed)
PORT      STATE    SERVICE      VERSION
80/tcp    filtered http
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
5000/tcp  open     upnp         Microsoft Windows UPnP
5241/tcp  open     unknown
7177/tcp  open     unknown
8031/tcp  open     unknown
9491/tcp  open     unknown
27374/tcp filtered subseven

Nmap run completed -- 1 IP address (1 host up) scanned in 438.716 seconds

Now I see this as an issue? Others don't?
The filtered ones are filtered by us.
The others they have open? (Not firewall?) (No security?)

Sherman

----- Original Message -----
From: "Steve Fletcher" <safletcher () insightbb com>
To: "'Shand'" <shand () adelphia net>; <security-basics () securityfocus com>
Sent: Wednesday, March 30, 2005 3:41 PM
Subject: RE: Scanning--more then one side to the argument

That would depend on the port and what function it serves. For example, you might show port 25 as open because they have an SMTP server and it is not behind a firewall.

Here is a definition of the different states, straight from the nmap manpage:

"The state is either "open", "filtered", or "unfiltered". Open means that the target machine will accept() connections on that port. Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open. Unfiltered means that the port is known by nmap to be closed and no firewall/filter seems to be interfering with nmap's attempts to determine this. Unfiltered ports are the common case and are only shown when most of the scanned ports are in the filtered state."

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: Shand [mailto:shand () adelphia net]
Sent: Wednesday, March 30, 2005 2:33 PM
To: Steve Fletcher; security-basics () securityfocus com
Subject: Re: Scanning--more then one side to the argument

External scans. Against customer using our internet service.

Does a port have to show as "open" or can they for usability show only as filtered, closed?

Thoughts?

Shand

----- Original Message -----
From: "Steve Fletcher" <safletcher () insightbb com>
To: "'Sherman Hand'" <shand () adelphia net>; <security-basics () securityfocus com>
Sent: Wednesday, March 30, 2005 3:18 PM
Subject: RE: Scanning--more then one side to the argument

I have a question regarding this. Are you talking about doing an external scan or an internal scan? I assume an external, because an internal scan should show a LOT of open ports.

I would say that any open port POTENTIALLY could be a security issue waiting to happen, but common sense dictates that some ports must be open for usability reasons. Plus, if you're going to follow this line of thought, the fact that the systems are connected to the Internet AT ALL poses a potential risk. Or, just being networked could be a risk. Or, being powered on poses a potential risk.

So, based on this, sure it COULD be a security risk waiting to happen, but more information needs to be gathered to determine the true extent of the risk. And, it must be reevaluated at regular intervals to catch new issues that might have come up since the last scan. What is safe now might not be 6 months from now.

Hope this helps.

Steve Fletcher
MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, CCNA, Security+
safletcher () insightbb com

-----Original Message-----
From: Sherman Hand [mailto:shand () adelphia net]
Sent: Wednesday, March 30, 2005 5:05 PM
To: security-basics () securityfocus com
Subject: Scanning--more then one side to the argument

There has been an ongoing discussion about the scanning results on our customers.

Thought one says that "any" port on a standard nmap, showing as "open" is a security risk.

Thought two says, no since some things need to show in a state of open.

Should we be stating that through proactive scan, when we find any port showing as open, that it is a security issue waiting to happen? Or only if we can show an issue?

Thoughts?

Shand

---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security professionals. Norwich University is fulfilling this demand with its MS in Information Security offered online. Recognized by the NSA as an academically excellent program, NU offers you the opportunity to earn your degree without disrupting your home or work life.
http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------
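An added example, not part of the original thread: the default-deny review described in the reply above, run over the port table from the scan quoted in the thread. The function names and the `allowed_open` baseline (empty by default, matching "should start at None") are assumptions for illustration.

```python
import re

# Port table copied from the nmap 3.50 scan quoted in this thread.
SCAN = """\
PORT      STATE    SERVICE      VERSION
80/tcp    filtered http
135/tcp   filtered msrpc
136/tcp   filtered profile
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
5000/tcp  open     upnp         Microsoft Windows UPnP
5241/tcp  open     unknown
7177/tcp  open     unknown
8031/tcp  open     unknown
9491/tcp  open     unknown
27374/tcp filtered subseven
"""

# One row of nmap's text port table: PORT/PROTO STATE SERVICE [VERSION]
ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.+))?$")

def parse_ports(text):
    """Return one dict per port row; header and banner lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
    return rows

def audit(text, allowed_open=frozenset()):
    """Default-deny check: every open port missing from the approved
    baseline (a set of (port, proto) pairs) is returned as a finding."""
    return [r for r in parse_ports(text)
            if r["state"] == "open"
            and (r["port"], r["proto"]) not in allowed_open]

if __name__ == "__main__":
    for r in audit(SCAN):
        print(f'{r["port"]}/{r["proto"]} open ({r["service"]}): '
              "not in approved baseline, identify the listener or close it")
```

Filtered ports are deliberately not reported: in this scan they are the provider's own filtering, so only the five open ports need an owner and a justification.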