Security Basics mailing list archives
RE: how to block connections running on non-default ports
From: "Burton Strauss" <Burton () FelisCatus org>
Date: Wed, 17 Aug 2005 09:16:05 -0500
No. The short answer is that if you open a port, and allow internal users to set up servers using that port, you can't control what goes through. You opened the port, remember??

A packet is just a collection of bits, which the receiver can interpret any way they want. The meaning of a packet is in that interpretation and that is determined SOLELY by the receiver. In your case, you set up a server on a port, and sent a packet the server understood (both ends speaking the same language, as it were), which the firewall was told to let through and so you got a telnet session. Great - things worked as designed...

Your firewall is open on 443 because that's normally used for https:// web connections. Many firewalls don't inspect more than the addresses and port numbers, i.e. they don't look any deeper into the packet. Even if they did, they may not be able to interpret what's in a packet.

You are confused about how IDSes work. At best they work by looking at packet contents as well as port #s. Sometimes they can recognize what looks like a connection (say a web server request) on an unusual port and report it. But sometimes they can't. Most simple commands could be aimed at many different servers and so you can't say what they mean just from the packet contents. Sometimes, such as an HTTP get request, it's more 'obvious' and so the IDS will guess and report it, but that's really all it is - a guess.

-----Burton

-----Original Message-----
From: Niranjan S Patil [mailto:niranjan.patil () gmail com]
Sent: Monday, August 15, 2005 10:36 AM
To: security-basics () securityfocus com
Subject: how to block connections running on non-default ports

Hi list,

I recently noticed that our corporate IDS could not block some of the connections that are seemingly unauthorised. I launched a telnet connection to a remote server on the Internet on port 23 and it was successfully blocked by our firewall. I changed the listening port of the telnet server to 443 and launched another telnet connection on port 443. Neither our firewall nor IDS was able to block this connection.

Aren't IDSes supposed to block such masqueraded connections, i.e., protocols with non-default ports? I have less knowledge on IDS, but isn't it simple for them to check packet headers and block/filter if they are not on the right protocol/port? Is this normal with all IDS?

Any help is appreciated.

--
Regards,
Niranjan S Patil
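The distinction Burton draws between a port-only firewall and a content-inspecting IDS can be shown with a small detector. The following is an added example, not code from the thread or from any IDS product: it runs a port-only filter and a payload-based protocol guess over a few constructed first-packet payloads (a telnet option negotiation, a TLS ClientHello prefix, an HTTP request line, and an opaque blob), and flags the case where the guessed protocol does not match what the port normally carries. The byte strings, port list, and the heuristics are simplified assumptions for illustration; a real IDS uses far richer signatures but, as the reply says, the "unknown" case stays a guess.

```python
import re

# Constructed sample flows, not captured traffic:
# name -> (destination port, first client-to-server payload bytes)
SAMPLE_FLOWS = {
    "telnet-on-23": (23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    "telnet-on-443": (443, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    "https-on-443": (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
    "http-on-443": (443, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    "opaque-on-443": (443, b"\x01\x02hello"),
}

# Assumed outbound policy of the port-only firewall in the question.
ALLOWED_PORTS = {80, 443}


def port_only_firewall(dst_port):
    """A filter that looks at nothing but the destination port number."""
    return "allow" if dst_port in ALLOWED_PORTS else "deny"


TELNET_IAC = 0xFF
TELNET_NEGOTIATION_CMDS = {0xFB, 0xFC, 0xFD, 0xFE}  # WILL, WONT, DO, DONT
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def guess_protocol(payload):
    """Content-based guess of the application protocol from the first bytes.

    Order matters: the most structured formats are tested first so that a
    random byte sequence is not mistaken for telnet negotiation.
    """
    # TLS record: content type 0x16 (handshake), version 0x03 0x0?, then
    # a handshake message whose type byte 0x01 is ClientHello.
    if (len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03
            and payload[2] <= 0x03 and payload[5] == 0x01):
        return "tls"
    # HTTP: method, request target, version, CRLF.
    if HTTP_REQUEST_LINE.match(payload):
        return "http"
    # Telnet: the IAC byte followed by an option negotiation command.
    if len(payload) >= 3 and payload[0] == TELNET_IAC and payload[1] in TELNET_NEGOTIATION_CMDS:
        return "telnet"
    return "unknown"


# What each well-known port is expected to carry (assumed mapping).
EXPECTED_ON_PORT = {23: "telnet", 80: "http", 443: "tls"}


def content_inspection(dst_port, payload):
    """Return (guessed protocol, mismatch flag).

    The flag is True when the content looks like a protocol other than the
    one the port normally carries, False when it matches, and None when the
    content is unrecognisable or the port has no expectation: the IDS cannot
    say either way and should not pretend to.
    """
    guess = guess_protocol(payload)
    expected = EXPECTED_ON_PORT.get(dst_port)
    if expected is None or guess == "unknown":
        return guess, None
    return guess, guess != expected


def inspect_samples(flows=SAMPLE_FLOWS):
    """Run both checks over every sample flow.

    Returns name -> (firewall verdict, protocol guess, mismatch flag).
    """
    results = {}
    for name, (port, payload) in flows.items():
        guess, mismatch = content_inspection(port, payload)
        results[name] = (port_only_firewall(port), guess, mismatch)
    return results


if __name__ == "__main__":
    for name, (verdict, guess, mismatch) in inspect_samples().items():
        print(f"{name:14s} firewall={verdict:5s} looks_like={guess:8s} mismatch={mismatch}")
```

Running it shows telnet on port 23 stopped by the port rule alone, telnet and plaintext HTTP on 443 passing the firewall but flagged by content, real TLS on 443 passing both, and the opaque payload passing with no verdict at all, which is exactly the gap the reply describes.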