>>Some of the newest and most complex Trojans utilize the "port knocking" method.
I have seen examples of port knocking code but never a trojan in the wild. Do you know of any or is your opening sentence FUD?
------------------------------------------------------------------------
Troy Sorzano, Director www.Netforcement.com
610.260.9989 office
PGP KeyID: 0x29D52802 285E 1829 10C1 7AC0 9D27 7077 F423 B289 29D5 2802
Network Security, Remediation and Monitoring in the Philadelphia area
------------------------------------------------------------------------
If the code exist, I'd bet the Trojans exist.
Just because you haven't seen it, proves nothing.
I'd bet back in 2003, not many were talking about or had seen rootkits, but if you read the story about UCONN, the original rootkit (that was just recently discovered) was planted in 2003.
The article starts off with
"Some of the newest and most complex Trojans utilize the "port knocking" method"
Not listing any examples makes the whole article sound, at best, like FUD designed to attract more eyeballs to the site. (Hey LOOK!! The sky is falling!!!! Here's the link: http://techrepublic... )
I wonder... If the author can't list any Trojans in the wild that use port knocking will TechRepublic post a retraction?
OK already. The author admitted in one of these discussion posts that he is not aware of any Trojans "in the wild" that use this technique. Yes it IS a significant flaw in the article but it is the one and only error in an otherwise useful article.
Since the author has admitted this error in this discussion forum that should provide as much "retraction" or clarification as anyone would want. Why keep beating this already dead horse? The issue has been resolved by Mike Mullins in his discussion forum post entitled "Port Knocking Trojans" entered on July 01, 2005.
Why not save your energy for something useful like debating whether Linux is better than Windows? I don't believe that we've achieved a consensus of opinion on that issue yet.
Not quite, Mike Mullins exaggerated what Troy said.
If you read Troy's message, he only questions the hyperbole in the first sentence. Nowhere does he say that port knocking is not a topic of concern or that Mike should "wait till there is a mass compromise".
The sarcasm evident in Mike Mullins' "Thanks for the post" clearly shows that he still doesn't get it. Until then, his credibility is right up there with the boy who cried wolf.
Mike seems to have a thing for hyperbole and exaggeration. If a security professional is going to sound an alarm, they have an obligation to keep it real.
True - I have yet to see one in the wild. But as you acknowledged (I also have examined some code samples as well), they do exist.
Would you rather I wait till there is a mass compromise or is it ok to identify threats BEFORE they happen?
As I said, "Port-knocking back doors are cutting-edge virus technology." I live in a pro-active world. I'll warn people before hand.
Thanks for the post.
Mike Mullins
Security Solutions Columnist
Mike, If your readers are still doubting about "there are none in the wild" then they ought to turn up at the convention that provides the hacker community with a forum where they can specialise and delight in the whole approach and the challenge of "breaking in". Have a look at the following. The e-mails "calling for papers and speakers" are currently being circulated in Forensics and Security group mailing lists. Toorcon is the reversal of Rootcon to try and hide their presence as Rootcon was well known in the past for exploit developments and releases!
"http://www.toorcon.org/
ToorCon is just around the corner again this year. In its 7th running year, it is still San Diego's exclusive hacker convention, bringing together Southern California's hacker community year after year to attend the high quality presentations and participate in the annual festivities. This year we are still aiming to provide the same highly technical lectures you've come to know and love, but also set the theme as "Smoke & Mirrors" which will highlight the voodoo magic behind computer security and have a focus on Anonymity, Spoofing Techniques, Phishing, and other kung foo exploitation methods. "
Wake up folks, they are out there, an ounce of prevention through forewarning is far better than having all the data, IP and corporate information sucked out via ports from your systems!
I'm with you on being proactive. I'd rather know this ability is out there and plan accordingly while I have some time rather then go into DR mode, which uses more energy.
And thats why I advise everyone in using Opensource Software instead.
With regards,
Marc Janssen
switch to the lower security of commercial operating systems?
the open source solutions are less vulnerable because they were designed from the ground up to be networking, multiuser operating systems.
everything is completely separated into its own sandbox.
only one user account has the ability to damage the system, and that account ( root ) is only used for admin purposes, usually with a temporary assignment of power ( su ) rather than the m$ requirement of useful computing only as administrator.
I believe Marc was saying that he advises everyone TO use Open Source, not AGAINST using it.
I got the impression he was differentiating that from pre-compiled freeware.
that's why I asked what he recommended, it's not clear. I will use freeware, such as open office, even though it's not completely open source.
( sun's Star Office has some shared code with it that is proprietary. )
or a tool that is just too useful not to have.
Interesting article, but I would have liked to see some remarks about the possibility of active protection against such a trojan. "Just say no" sounds like the war on (illegal) drugs.
I should think a separate hardware firewall could prevent the activation of such a trojan. Or am I missing something?
If the activation sequence uses port(s) the hardware firewall allows, then it won't help.
I'm thinking that for this method to work, the trojan would require hooking in deeper than a software firewall to monitor ports for its wake up sequence. That should require admin level privileges. So if users could do their daily work with user level privileges, such a trojan could be halted.
If Windows Admins would set up the computers right in the first place we wouldn't have half the problems we do right now. It's very common practice to just give all users administrative rights. Some software programs actually require it to run correctly (Autocad 2004 is one I believe). If developers and Admins would both work harder to restrict user rights many problems would disappear.
is that microsoft built windows to require admin rights in order to use any software.
only admin can access an im client, only admin can add an email account to outbreak.....
operating any installed software as a non-privileged user is normal for *x systems, but not for m$ systems.
Your anti-Bill attitude definitely shows through and taints any logical discussion you attempt. I have my workstations locked down so that the users do not have any admin abilities on their systems and yet they can add an e-mail account to "outbreak." By the way, I've yet to have any viruses hit my network in the 6 years I've been at this position. So your moniker of "outbreak" in reference to Outlook has no play if you do a couple of things:
1. Keep workstations up to date on system patches.
2. Keep the virus scan program up to date.
3. Keep the Office program patched.
4. Educate your users on being proactive on e-mail attachments and phishing schemes.
5. Educate your users on surfing the Internet.
I had to install an older version of Autocad and it's printed release notes stated the very same admin rights requirement. No mention in any other documentation except online FAQs.
The issue was with the installer package not granting permissions for users in certain folders and/or registry keys. Very common problem from what I have seen. Certain versions of MS Office had the exact same installer problem with some of the optional programs like photo editor.
Not very hard to track down with good testing. Not very hard to resolve either.
There are a number of hardware devices that can do this using a combination of heuristics and signature patterns.
Here's my problem with the article.
1.) Ok, if it can be dreamed up, it exists. The article does tell me how to protect against such an attack. No mention of limiting your port traffic by IDS/IPS. This is really simple to defeat this way. However nothing specific was listed, i.e. Trojan_XYZ does this. No, it's "cutting-edge" so watch out falls pretty flat.
2.) So, this new cutting-edge trojan is so good that it somehow makes its way through: hardware based firewall, traffic engines, IDS, IPS, et al. According to the author we must all be hosed. There's nothing we can do about it. How do you detect such a beastie? Well, having all of the above and this beastie is assumed to exist and nothing else catches it... yet. I must be the first who has ever been hit by such a virus and needs to be reported. I think I'd start with something like TCPView or Port Explorer and/or Ethereal to capture and log the incident. Now, that's what IT folks call a SOLUTION! If you have other ideas or methods please post them. I am always willing to listen and learn. Again, the article basically tells us we are all hosed and to go home.
3.) If you're going to write an article on a problem, have a solution with which to fix the problem as well. Otherwise it becomes an asteroid-hitting-the-Earth scenario and there's nothing we can do about it, type thing. In this case I am left with the feeling that we are all defenseless short of deleting a rouge app after we install it. Smarter to say: Just don't use it if you're not comfortable with the risks.
- beads
If this is cutting edge it's been cutting edge for at least a year. Mike Mullins posted this EXACT or at least extremely close, almost word for word article about this time last year. It seems there is nothing new to write about these days, at least if you only read Tech Republic articles.
I don't think that the article is a useless as you seem to be saying. Being made aware of an attack vector has some benefit in and of itself. We may be able to program our IDS software to look for patterns of port connect requests or port reset requests. I don't think that articles about security alerts or other technical problems should be deferred until the author has a solution. Maybe someone who reads the article will invent a solution.
I like your mention of rouge applications though. Rouge, of course, is French for red so we need to be looking for red applications. I'll do that. I'll not let any more red applications escape my scrutiny.
after all microsoft doesn't want literate users, so spelling rogue as rouge is what they want to happen.
One spelling mistake that you jump all over. My apologies. Luckily, I didn't catch the mistake half way through. Think red thief or something.
- beads
It seems to me that the Trojan would have to be receiving network connection signals for this to work. I suppose that it could have infected the network control software. Firewall and portmapper seem to be good candidates to implement this.
This could be easier to implement in Windows. Any daemon process can "hear" all signals from any process to any other process. This is one of the most serious attack vectors in Windows. Therefore this could run in a user privileged daemon process and still work.
In order to get this to work in Unix you would have to overcome the separation of privileges for network connections. For instance, if a Unix system is configured correctly then a normal user isn't allowed to run tcpdump or other network packet monitoring tools due to insufficient privileges. The Unix implementation of this idea would have to infect a process that runs with privileges.
I'm not saying that it can't be done in Unix. Viruses were around before Windows existed. Unix was one of the first platforms for viruses, sometimes referred to as "root kits" if the virus manages to obtain root privileges.
Anyway this idea puts the kibosh on any plans that I may have been considering for using port knocking to implement a VPN. I know, port knocking is a bad idea simply because anyone sniffing packets can detect your port knocking scheme. This is just one more reason that port knocking is a bad idea for legitimate security schemes.
I have to agree with the BassPlayer because I too play the same instrument, have the same name, and am involved with IT - how about that for coincidences?
So, what about the effectiveness of an external hardware firewall he mentions or even something like "zone alarm" to prevent the activation attempts you mention in your article?
I have a number of ports I simply do not forward or out of the network. Here's a small sample: 23 (Telnet), 137, 138, 139 (All netbios), 445 (SMB), 5000 (Scan port), 8000 (Scan port), Blackjack, etc. In fact not only do I list those as specific but I list what I will allow through the firewall as well as from who, where and when. Cuts down on the log crap I have to look at in the morning.
Still announcing that the sky is falling without some sort of proactive measure is not the answer. The answers are already available and easy enough to get to. As stated above this is nearly word for word an article posted a year earlier. I take it the author is no closer to finding a solution a year later?
It's not meant to be mean spirited, just pragmatic. If the author were looking for ways to defeat these attacks that would be more on target.
- beads
"However, don't bet your network or your reputation on a program from someone you don't know"
I only want to ask Mr. Mullin this:
Do you know the people who make the software you paid for?
With people thinking like Mr. Mullin, no one would ever use Apache Web Server, MY SQL, PHP or Sendmail.
Thanks
Jose Carrasco from Panama (third world)
According to a wiki definition of port knocking:
"Port knocking is a method of externally opening ports on a firewall by generating a connection attempt on a set of prespecified closed ports. Once a correct sequence of connection attempts is received the firewall rules are dynamically modified to allow the host which sent the connection attempts to connect over specified port(s). This is usually implemented by configuring a daemon to watch the firewall log file for said connection attempts then modify the firewall configuration accordingly."
It seems like a properly designed stateful firewall should mostly stop this. Also killing port forwarding and having a proxy will stop this dead in its tracks.
While I agree port knocking could be an issue, I just don't see it gaining any momentum other than on the theoretical basis.
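Added example, not code from the article or from any of the posters above: the daemon in that definition, written as a per-source sequence matcher over firewall DROP log lines, next to the pattern check an earlier post suggested an IDS could run (a burst of hits on distinct closed ports from one source). The log lines are constructed to look like iptables LOG output, the addresses come from documentation ranges, and the knock sequence 7000, 8000, 9000 and the 10-second window are assumptions.

```python
"""Port-knock sequence matching over firewall DROP log lines.

Added example for this discussion, not code from the article or any product.
The log format mimics iptables LOG output; every line below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what a knock daemon tailing the firewall log would see:
#   203.0.113.5   sends the assumed sequence 7000 -> 8000 -> 9000 in order
#   203.0.113.9   sends the same three ports out of order (must not be granted)
#   198.51.100.42 hammers a run of closed ports (a scan, not a knock)
SAMPLE_LOG = """\
Jul  1 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=7000
Jul  1 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=8000
Jul  1 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=8000
Jul  1 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=7000
Jul  1 10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=9000
Jul  1 10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=198.51.100.7 PROTO=TCP DPT=9000
Jul  1 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.42 DST=198.51.100.7 PROTO=TCP DPT=21
Jul  1 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.42 DST=198.51.100.7 PROTO=TCP DPT=22
Jul  1 10:00:06 fw kernel: DROP IN=eth0 SRC=198.51.100.42 DST=198.51.100.7 PROTO=TCP DPT=23
Jul  1 10:00:07 fw kernel: DROP IN=eth0 SRC=198.51.100.42 DST=198.51.100.7 PROTO=TCP DPT=25
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text, year=2005):
    """Return [(timestamp, src_ip, dst_port)] for each line that looks like a DROP entry."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated log line
        stamp = " ".join(m["ts"].split())  # collapse the double space in "Jul  1"
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return events


def find_knocks(events, sequence, window_seconds):
    """Return {src: time of final knock} for sources that hit `sequence` in order.

    Per-source state machine: each hit must be the next expected port and fall
    within window_seconds of that source's first knock; a wrong port resets it
    (a wrong port that happens to be the first knock starts a fresh attempt).
    """
    progress = {}  # src -> (index of next expected port, time of first knock)
    granted = {}
    for ts, src, port in sorted(events):
        idx, start = progress.get(src, (0, ts))
        if idx > 0 and (ts - start).total_seconds() > window_seconds:
            idx = 0  # window expired; treat this hit as a possible first knock
        if port == sequence[idx]:
            if idx == 0:
                start = ts
            idx += 1
            if idx == len(sequence):
                granted[src] = ts  # a real daemon would now insert an ACCEPT rule for src
                idx = 0
        elif port == sequence[0]:
            idx, start = 1, ts
        else:
            idx = 0
        progress[src] = (idx, start)
    return granted


def rapid_closed_port_hits(events, min_distinct_ports, window_seconds):
    """Return {src: sorted ports} for sources that hit min_distinct_ports or more
    different closed ports within window_seconds. A scan and a knock look the
    same here: the pattern sits in the firewall log whatever the host does with it."""
    by_src = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))
    flagged = {}
    for src, hits in by_src.items():
        for i, (t0, _) in enumerate(hits):
            in_window = {p for t, p in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(in_window) >= min_distinct_ports:
                flagged[src] = sorted(in_window)
                break
    return flagged


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("knock completed by:", find_knocks(events, [7000, 8000, 9000], 10))
    print("rapid closed-port hits:", rapid_closed_port_hits(events, 3, 5))
```

Run it directly and only 203.0.113.5 completes the knock, while the burst check flags the legitimate knocker as readily as the scanner. That is the practical point for a defender: a knock sequence is a run of hits on closed ports from one source in a short time, and a firewall that logs its drops already records it; the same check can be pointed at a capture from TCPView or Ethereal as at the log.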
It seems that the Trojan would have to be integrated into the firewall software on most platforms. Whether we are talking about a dedicated firewall appliance or a computer running firewall software the Trojan would have to detect the port connect requests (or reset requests). If the computer is running an OS that separates interprocess communication properly then the Trojan would have to at least have system privileges to catch the kernel signals to the firewall software. However, as I mentioned in my other post the Windows platform probably allows for any process on a Windows machine to catch the kernel signals that are intended for the firewall software. If I'm correct then it would be trivial to implement this on Windows.
I would assume if you are like windows firewalls that only the egress ports are open, then you could easily set up an established connection to an outside host via a trojan. Yet, this would negate port knocking. Maybe I just can't see it past the academic context, but it seems like a pointless exercise in something along the lines of "reverse port mapping."
You are correct though that the trojan would somehow have to attach itself to the firewall. How it would do this is beyond me.
iptables or ipchains you don't have to worry about this.
after all, they do not alter the allowed ports dynamically, you have to intentionally alter them.
if a port is closed then nothing in or out through it.
only ports explicitly opened can have traffic.
if rtkit is running any attempt at infection by a bot would be detected, and shut down.
*x has had rootkit virus attacks for years, it's the only type of attack that can damage the system.
to further reduce vulnerability from them sudo is being phased out of *x systems. as an app using sudo could hand a rootkit the data it's looking for.
*nix boxes are safe, but the crappy windows firewall that doesn't look at egress WILL be an issue.
The nice thing about stateful firewalls is that you don't have to worry about anything and just let the states take care of it!
Although I will admit I am a little lazy to go as far as I should towards port configuration - I also like to see just how much I can get away with, to see what kind of network behaviour that results. I use Norton Internet Security with Alert Tracker to get real time observation of port activity. My ISP receives occasional port scans from all over the world and I had learned to ignore any that were not repeating and in some kind of numerical order. A few days after I had downloaded some codecs I began to notice a flurry of port knocks all in rapid succession and within just about any existing range you could think up. All were coming in threes and equidistant in range and timing. Using my task manager and Windows viewer I saw my processes suddenly going crazy and a lot of network activity that neither I nor any of my applications had initiated. Soon I was sending a ton of outgoing packets and I wasn't going to take the time to finish analyzing it - I just shut down and reformatted the hard drive. I was already planning to do this anyway and I had just got the SP2 disk so I reinstalled everything and started over. I was logged on as a restricted user during this incident but it didn't help.
Now there is no doubt I created the problem with my cavalier attitude but Norton seems to be on top of things now and I receive fewer scans even on our ISP now. They tell me they have improved their hardware and clamped down with server updates and configuration. Now of course I am just a lazy newbie but I am convinced of this threat!
concern with Norton's though, it does not always catch irc bots already on your system.
GRC found this out with Norton's Black Ice when investigating irc bots shortly after they were discovered by them... right after they started getting ddos attacks. they found that zone alarm is actually a more effective firewall than Norton's.
My concern with zone alarm is that you REALLY have to know what you're doing or have a good technique for answering zone alarms questions about allowing this or that executable to access the Internet. Since I do not profess to being a M$ network guru I developed a technique to make up for my ignorance.
I found that when zone alarm asks if a service or executable should be allowed to access the network I say no. However, I set the decision to apply only to that instance. Then I see if there is any undesirable fallout from this decision. If the network continues to work properly then the next time that zone alarm notifies me that this service or executable is attempting to access the network I know that I can safely deny it access from that point onward. So I make "deny access" the default answer from that point onward.
The problem with this approach, aside from the occasional network dysfunction, is that most people will consider this to be way too much trouble.
I have also found with other firewall software such as Norton and McAfee that I can spend hours tightening up the default installation. I once spent several man-days creating a very long list of explicit rules for Norton.
Overall I'm very unhappy with the firewalls that I have tried with Windows. You can spend a lot of time working with them and still not have any confidence that you have closed most attack vectors.
I won't talk about other OSes here. I'm tempted but I won't do it. Not a peep out of me. Not even if you ask. Nope. Not one word about other OSes and how much more confident I feel about firewalls available for those platforms.
The problem with many of these products is that they don't allow you to close wide swaths of ports easily.
Reverse, or closing everything first and opening things up second, would be my favored way of configuring. Even if vendors had to add (*gasp!*) a 'wizard' to tell you what ports went where and why. Not that I am expecting the average user to go out to IANA or Shields UP!! to parse through 65,000+ port records, let alone understand what a port is in the first place.
Most users would be lucky to get ports 25, 80 and 443 open without calling tech support. The rest they probably don't need in the first place.
- beads
Unless Symantec bought ISS, (Internet Security Systems) Black Ice is not a Norton product and you are confusing it with Norton Internet Security, or are you saying that GRC found this problem with both NIS and Black Ice? That would be news to me, as would the purchase of ISS.
Your ISP is most likely taking port scans 7/24/365 - easily.
If you're not taking port scans you're probably not logging information correctly.
Most kiddie scripts simply run through the entire gamut of IP ranges, all 4 billion of them, routinely several times a day until they find something of interest, then send that information off to another script that looks for more specific entry points, etc.
- beads
"It is not necessary for the firewall log file to be involved in the process. A robust implementation interfaces with the server's IP stack more closely."
http://portknocking.org/
If a process is listening then netstat or TCPView from http://www.sysinternals.com/Utilities/TcpView.html should help find it.
Also I have gone away from software/personal firewalls to router/firewalls. With the settings recommended here at TechRepublic I do not have any problems.
But it's a $20.00 program, still worth it.
Here's how I use it though. I limit what traffic I will ALLOW OUT of the network just like that traffic allowed in, only in reverse. That's where TCPView, PE and IDS come in. Those three pieces tell me exactly what traffic is at least trying to go out. If I say it can leave then it can leave and to where. In other words don't allow port 514 to anywhere but to your syslog server, etc. If that server is remote then specify the IP address to which it goes.
Do this for all network segments and unless there is something using really standardized ports, offending traffic should be immediately spotted if not stopped.
- beads
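The two posts above describe the same workflow from both ends: use netstat/TCPView to see what is listening and what is trying to leave, then hold outbound traffic to an explicit allow list (syslog on port 514 only to the syslog server, everything else denied by default). The following is an added example, not code from the thread or from any of the tools mentioned; it parses a constructed netstat-style listing, reports listening sockets, and flags every outbound connection that does not match a default-deny egress policy. The policy, the sample listing and the column layout are assumptions made for the example.

```python
"""Egress allow-list check over netstat-style connection records (added example).

The sample listing and the policy below are constructed for illustration; the
parser assumes a fixed 7-column layout (proto, recv-q, send-q, local, foreign,
state, pid/program), which is an assumption, not a guarantee about any real tool.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of a `netstat -anp`-style listing.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:5555            0.0.0.0:*               LISTEN      4021/unknown
tcp        0      0 192.168.1.20:44120      203.0.113.10:443        ESTABLISHED 1500/firefox
tcp        0      0 192.168.1.20:44121      198.51.100.7:6667       ESTABLISHED 4021/unknown
udp        0      0 192.168.1.20:51514      192.168.1.5:514         ESTABLISHED 900/rsyslogd
udp        0      0 192.168.1.20:51515      203.0.113.99:514        ESTABLISHED 4021/unknown
udp        0      0 192.168.1.20:40000      192.168.1.1:53          ESTABLISHED 700/systemd-resolve
"""

# Default-deny egress policy: (proto, remote port) -> allowed destination networks.
# A (proto, port) pair that is absent is denied to everywhere.
Policy = Dict[Tuple[str, int], List[ipaddress.IPv4Network]]
EGRESS_POLICY: Policy = {
    ("udp", 514): [ipaddress.ip_network("192.168.1.5/32")],  # syslog only to the collector
    ("udp", 53): [ipaddress.ip_network("192.168.1.1/32")],   # DNS only to the local resolver
    ("tcp", 443): [ipaddress.ip_network("0.0.0.0/0")],       # HTTPS to anywhere
    ("tcp", 80): [ipaddress.ip_network("0.0.0.0/0")],        # HTTP to anywhere
}


@dataclass
class Conn:
    proto: str
    local_ip: str
    local_port: Optional[int]
    remote_ip: str
    remote_port: Optional[int]   # None for the "*" of a listening socket
    state: str
    program: str


def split_addr(addr: str) -> Tuple[str, Optional[int]]:
    """Split 'host:port' on the last colon; '*' means no port (listening socket)."""
    host, _, port = addr.rpartition(":")
    return host, (None if port == "*" else int(port))


def parse_netstat(text: str) -> List[Conn]:
    """Parse the 7-column listing; header and unknown protocols are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split(None, 6)
        if len(parts) < 7 or parts[0] not in ("tcp", "udp", "tcp6", "udp6"):
            continue
        lip, lport = split_addr(parts[3])
        rip, rport = split_addr(parts[4])
        conns.append(Conn(parts[0], lip, lport, rip, rport, parts[5], parts[6]))
    return conns


def listening(conns: List[Conn]) -> List[Conn]:
    """Sockets waiting for inbound connections: the first thing to review."""
    return [c for c in conns if c.state == "LISTEN"]


def egress_violations(conns: List[Conn], policy: Policy) -> List[Conn]:
    """Outbound connections whose (proto, port, destination) is not allow-listed."""
    bad = []
    for c in conns:
        if c.state == "LISTEN" or c.remote_port is None:
            continue  # not an outbound flow
        allowed = policy.get((c.proto, c.remote_port))
        dst = ipaddress.ip_address(c.remote_ip)
        if allowed is None or not any(dst in net for net in allowed):
            bad.append(c)
    return bad


if __name__ == "__main__":
    conns = parse_netstat(SAMPLE_NETSTAT)
    for c in listening(conns):
        print(f"LISTEN  {c.proto}/{c.local_port:<5} {c.program}")
    for c in egress_violations(conns, EGRESS_POLICY):
        print(f"DENY    {c.proto} -> {c.remote_ip}:{c.remote_port} from {c.program}")
```

On the constructed sample the check reports the unknown listener on TCP 5555, the IRC-style TCP 6667 connection (no policy entry at all) and the syslog packet going to a host other than the collector; the legitimate syslog, DNS and HTTPS flows pass. The same policy table, expressed as firewall rules, is what the post means by specifying the syslog server's IP address rather than opening port 514 outbound to anywhere.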
should maybe be a topic of its own. Hardware firewalls are much more robust and reliable but that doesn't stop you running firewall software on your PC in addition. As you say, if you follow some guidance on best practice for configuring a router, it will eliminate most problems. Running IPsec, DHCP & NAT is a good start but remember that these devices are not immune to security flaws, so change the admin password regularly.
I am part of a team looking at some hardware devices to serve as DMZ in my organisation (4 sites, about 500 internal users, 15-20 external users). Since I come from a software background, I am at a loss to understand how a DMZ port on a hardware device can be strengthened enough to act as a DMZ or perimeter device. Is there anything specific in the firmware of the DMZ port? Is it just a matter of configuration? How is it safer than having a separate device to act as a DMZ? Is it really faster?
In general, I would like to know the characteristics of a hardware solution so that I can take informed decisions.
End
In some software license agreements (EULAs) they stipulate the vendor will audit your PCs using a specific port. Have a look at the list of port assignments at http://www.iana.org/assignments/port-numbers and you will be surprised at just how many ports have an allocation for this technique. Blocking all ports can create an issue by rendering specific software (that relies on a specific port being open) useless unless the audit port is opened when in use. It's a calculated risk you need to weigh up and take, depending on the nature of the software, its usage rate and your level of acceptance of the EULA terms and conditions. The PCProfile web site has lots of information on EULAs and audit conditions etc. at http://www.pcprofile.com covering topical issues around licensing and how to manage staff issues. It's worth a look and they have recently bundled all the information into a CDROM toolkit for in-house use.
All such licensing "monitoring" ports I have experience with are associated with an in-house licensing server. These ports do not need to be exposed beyond the perimeter so block them at the perimeter firewall. Do not block them on any internal or client firewalls between the application client and the internal license server.
I have yet to see the same license enforcement utilizing the Internet. Activation - yes, runtime verification - no.
You warn of shareware and freeware, and then say you're not against these products. I just wanted to add that there are better shareware and freeware sites, that while they may not offer EVERY software package, they do offer better quality ones, with which you have at least a little more comfort that the software is not infected or contains a trojan.