Welcome to ISAserver.org
Shield's Up - ports open?
Shield's Up - ports open? - 16.Nov.2006 2:30:41 PM
agentlive
Posts: 2
Joined: 16.Nov.2006
Status: offline
Newbie question: Shield's Up! shows open ports for HTTP, POP3 and SMTP. How do I get these hidden? Basic website & mail server - Server 2003/ISAServer 2006 Standard
RE: Shield's Up - ports open? - 17.Nov.2006 12:20:18 PM
agentlive
Posts: 2
Joined: 16.Nov.2006
Status: offline
Thanks Tom. I understand that. Maybe it was my wording. As a test, I have a simple web server and email server, using standard ports 80, 25 & 110. On a typical hardware firewall, I can open up these ports, but I still get the Shield's Up "sea of green" showing everything stealth. With ISAServer, nothing is stealth and my ports are exposed. Am I making sense?
RE: Shield's Up - ports open? - 17.Nov.2006 1:15:09 PM
Jim Harrison
Posts: 232
Joined: 5.May.2001
From: Redmond, WA
Status: offline
Tom is correct; not only is it impossible to "hide" your public services while simultaneously making them available, you're also wasting your time using a distant "port-scanner" to evaluate your "ports". Use something like portqry from a host on the same external network to make these scans and you'll know for certain what the ISA (as opposed to some device along the way) is allowing or blocking. "Stealth firewall" is a non-term invented by Steve Gibson to further his nonsensical networking theories (nano-code indeed).
_____________________________
Jim Harrison MCP(NT4, W2K), A+, Network+, PCG
RE: Shield's Up - ports open? - 24.Nov.2006 6:29:03 AM
Guest
Yep, you can have your ports only open or closed, no matter how they show up (this is all about your skills to see them). Sometimes they are closed and they come up as filtered, or actually open but come up again as filtered, or open but come up as closed.

Let's play a little game (with no purpose, just to look at how ports are showing up). To make it easy (I'm just referring to the port state here), let's say I'm on the Internal network of ISA 2004. On ISA I have IDS alerts turned on and port scanning on. So let's scan the port open on the ISA internal interface. Since I'm playing with ISA here I'll go for a toy like nmap (I don't care about nmap signatures in this case). So I'm not going to use nmap from an MCSE point of view, doing for example an Xmas scan, which lights the packet up like a Christmas tree (in clear words, this tells the firewall that the remote computer is beginning to close the connection (no more data to send), to pass the data immediately, and also that it has urgent data that needs to be forwarded on the normal stream of data). Normally only a poor firewall will pass this. I'm going to use the "basic" nmap scan sS (stealth scan). This one is very noisy though, so I'm going to scan here for one port, let's say port 53 (DNS), because I know that you must allow port 53 on your ISA in order to resolve names. I don't mind causing a "Port Scanning" alert (catch me if you can). But using only one port at a time while scanning won't trigger any alerts on ISA. So I'm doing this scan and nmap will come up showing: 53/tcp filtered domain. Well, since it is a lot to write here, I'm not going to explain these results from nmap (figure them out yourself).

Well, no luck here, so let's try using the address of the DNS server (pretty easy to figure out what that IP address is). We have more options to do this: spoof it (I'm on the same Ethernet broadcast domain) or use an idle scan. If I'm going to spoof it I will also have to spoof my MAC address, otherwise this will cause

quote:
The system detected an address conflict for IP address x.x.x.x with the system having network hardware address x:x:x:x:x:x. Network operations on this system may be disrupted as a result.

on the DNS server, and you can see my MAC address in Event Viewer. The result of the spoof scan is: 53/tcp filtered domain. Good. Now with the idle scan: the zombie host will be the DNS server itself (no problem here with a Windows 2003 Server). The result: 53/tcp closed|filtered domain. Well, something has changed, but what the heck am I doing wrong? Well, let's try to scan with nmap (idle scan again) the DNS server used as forwarder (or maybe just a public DNS server, not a nice thing to do but the hacker doesn't care; this depends on some factors) with the request coming from our zombie host. Et voila: 53/tcp open domain (it is open on that remote DNS, but for me to see this ISA allowed my scan through, so ISA allows connections on port 53 from that IP address). When scanning that DNS server I know that it is up, so it should respond to my request (no matter if it is the public DNS or your own resolver, if I'm doing the right thing).

If, for example, I'm scanning for an IP which is on the Internet from the internal network of ISA, I'm not going to get any "Port scanning" alerts. ISA will drop the traffic that is not allowed and forward what is allowed. I said I don't mind causing a "Port scan" alert because I do not care about IP addresses. In other words, you won't see me, or if I'm going to allow you to see me you still won't see me. I can scan your computers with the ISA server internal IP address (since I'm on the same Ethernet broadcast domain) and if I'm using the right commands I will get the result without actually sending packets from my real IP address. Nmap may not be so stealthy but it has plenty of commands to play with.

Enough, this is not the point of my post. As you can see, the port is either open or closed. If you have published them for everybody (like a public web server port 80) you can bet they are open.
< Message edited by adrian_dimcev -- 24.Nov.2006 11:11:06 AM >