RE: how to block connections running on non-default ports

["Smith, Ryan" <Ryan.Smith () MWAA com>]

Hi Niranjan, 


Intrusion Detection Systems are designed to passively monitor your
network, and them depending on how your IDS is configured, it will
generate an alert when a particular traffic pattern has been detected as
a possible attack and/or intrusion into the network .  To get the
capability to block ports you would need something more along the lines
of an IPS (Intrusion Prevention System) which is used inline similar to
firewall technology.  Just my $.02.

Ryan Smith    
-----Original Message-----
From: Niranjan S Patil [mailto:niranjan.patil () gmail com] 
Sent: Monday, August 15, 2005 11:36 AM
To: security-basics () securityfocus com
Subject: how to block connections running on non-default ports

Hi list,

I recently noticed that our corporate IDS could not block some of
connections that are seemingly unauthorised.

I launched a telnet connection to a remote server on Internet on port
23 and it was successfully blocked by our firewall. I change the
listening port of the telnet server to 443 and launched another telnet
connection on port 443. Neither our firewall or IDS was able to block
this connection.

Aren't IDS supposed to block such masqueraded connections, i.e.,
protocols with non-default ports.

I have less knowledge on IDS, but isn't it simple for them to check
packet headers and block/filter if they are not on right protocol/port?

Is this normal with all IDS? 

Any help is appreciated.

--
Regards,
Niranjan S Patil