Security Basics mailing list archives

RE: how to block connections running on non-default ports


From: "AMOL" <amol.sable () capsilon com>
Date: Mon, 22 Aug 2005 14:53:26 +0530



Hi Niranjan,
Nice question!

Any IDS in inline mode, or firewall, will block the packets as per the rules
defined for blocking/allowing.
Generally, port 80 (HTTP) and port 443 (HTTPS) are among the most common ports in the
"allowed" ones.
And yes; your firewall doesn't know more than source (IP:PORT), destination
(IP:PORT) and state (if you have an option of stateful inspection of
packets).
From your scenario it looks like you have a packet filter firewall. A
firewall implemented with packet filters works at the Network Layer of the
ISO/OSI stack.
Hence it can't stop a telnet connection to a server listening on an "allowed"
port.

Similar is the case for Inline IDS.

But as a security measure you can make sure that hosts on your network are
NOT practicing things like running a telnet server on port 443. Strictly. And
you can implement the ALG option (or simply enable it if it's already present) in
your firewall.
A firewall implemented with Application Layer Gateways (ALG) works at the
Application Layer of the ISO/OSI stack.

Hope this may help a little.


Regards
--Amol.

-----Original Message-----
From: Niranjan S Patil [mailto:niranjan.patil () gmail com]
Sent: Monday, August 15, 2005 9:06 PM
To: security-basics () securityfocus com
Subject: how to block connections running on non-default ports


Hi list,

I recently noticed that our corporate IDS could not block some of the
connections that are seemingly unauthorised.

I launched a telnet connection to a remote server on the Internet on port
23 and it was successfully blocked by our firewall. I changed the
listening port of the telnet server to 443 and launched another telnet
connection on port 443. Neither our firewall nor our IDS was able to block
this connection.

Aren't IDS supposed to block such masqueraded connections, i.e.,
protocols on non-default ports?

I have less knowledge on IDS, but isn't it simple for them to check
packet headers and block/filter if they are not on right
protocol/port?

Is this normal with all IDS?

Any help is appreciated.

--
Regards,
Niranjan S Patil
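The following is an added example, not code from either poster, that shows the distinction Amol draws: a packet-filter rule sees only addresses and ports, so Niranjan's telnet server on port 443 passes, whereas an application-layer check that looks at the first payload bytes can notice that the traffic on 443 is not TLS. The packets, the tiny protocol classifier and the rule tables are all constructed here for illustration; the only "real" facts used are the well-known TLS record header (content type 0x16, version major byte 0x03) and the telnet IAC option-negotiation bytes (0xff followed by WILL/WONT/DO/DONT).

```python
"""Added example (not from the mailing-list thread): port-only filtering
versus payload-aware gating for traffic destined to port 443.

All packets below are constructed sample data; nothing here is a real
capture or a real product's rule syntax.
"""
from dataclasses import dataclass

# Constructed rule table for the packet filter: only the destination port is consulted.
ALLOWED_PORTS = {80, 443}

# Constructed rule table for the application gateway: what each port must carry.
EXPECTED_PROTOCOL = {443: "tls", 80: "http"}


@dataclass
class Packet:
    src: str
    dst: str
    dst_port: int
    payload: bytes  # first bytes the client sends after the TCP handshake


def packet_filter_allows(pkt: Packet) -> bool:
    """Layer 3/4 decision: only (src, dst, port) are visible, payload is ignored."""
    return pkt.dst_port in ALLOWED_PORTS


def looks_like_tls(payload: bytes) -> bool:
    # TLS record header: content type 0x16 (handshake) then version major 0x03
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03


def looks_like_telnet(payload: bytes) -> bool:
    # Telnet option negotiation: IAC (0xff) followed by WILL/WONT/DO/DONT (0xfb..0xfe)
    return len(payload) >= 2 and payload[0] == 0xFF and 0xFB <= payload[1] <= 0xFE


def looks_like_http(payload: bytes) -> bool:
    # Plain HTTP request line starts with a method token and a space
    return any(payload.startswith(m) for m in (b"GET ", b"POST ", b"HEAD ", b"PUT "))


def classify_payload(payload: bytes) -> str:
    """Minimal protocol identification on the first client bytes (constructed heuristic)."""
    if looks_like_tls(payload):
        return "tls"
    if looks_like_telnet(payload):
        return "telnet"
    if looks_like_http(payload):
        return "http"
    return "unknown"


def application_gateway_allows(pkt: Packet) -> bool:
    """Layer 7 decision: the port must be allowed AND the payload must match the
    protocol expected on that port; a port with no expectation falls back to
    the packet-filter rule."""
    if not packet_filter_allows(pkt):
        return False
    expected = EXPECTED_PROTOCOL.get(pkt.dst_port)
    if expected is None:
        return True
    return classify_payload(pkt.payload) == expected


# Constructed sample traffic mirroring the scenario in the thread.
SAMPLE_PACKETS = [
    # telnet to its default port: blocked by the packet filter already
    Packet("10.0.0.5", "203.0.113.10", 23, b"\xff\xfd\x18\xff\xfd\x20"),
    # telnet server moved to 443: the packet filter lets it through
    Packet("10.0.0.5", "203.0.113.10", 443, b"\xff\xfd\x18\xff\xfd\x20"),
    # genuine TLS ClientHello header on 443
    Packet("10.0.0.5", "203.0.113.10", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4"),
    # plain HTTP on 80
    Packet("10.0.0.5", "203.0.113.10", 80, b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"),
]


def evaluate(packets) -> list[tuple[int, str, bool, bool]]:
    """Return (port, identified protocol, filter verdict, gateway verdict) per packet."""
    return [
        (p.dst_port, classify_payload(p.payload),
         packet_filter_allows(p), application_gateway_allows(p))
        for p in packets
    ]


if __name__ == "__main__":
    for port, proto, pf, alg in evaluate(SAMPLE_PACKETS):
        print(f"port={port:<4} payload={proto:<8} packet_filter={pf!s:<5} alg={alg}")
```

The second sample packet is the one Niranjan describes: the packet filter returns True because 443 is allowed, while the gateway returns False because the payload is telnet negotiation rather than a TLS record. The heuristic is deliberately small; a production ALG or inline IDS does far more (full handshake parsing, state tracking, evasion handling), but the layer at which the decision is made is the point of the thread.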

