RE: Open Ports

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jan 2006 14:50:42 -0600

Hi Paul,
 
Never heard of port knocking until you mentioned it here. I read a few articles 
on it today and I'm not clear what value this would add to the ISA firewall. 
Care to teach the teacher? :)
 
Tom
 
Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**
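
The knock agent Jim describes further down the thread (a process that watches the firewall and then changes its policy), as an added Python example that is not from any poster on this list: it replays a constructed dropped-packet log and returns an allow decision only for a source that hits the hypothetical sequence 7000, 8000, 9000 in order within 10 seconds. The log format, the knock ports and the addresses are all made up for the example; nothing in it is ISA-specific.

```python
import re
from datetime import datetime

# Constructed sample of a firewall's dropped-packet log (format made up for this
# example). A knock agent never listens on the knock ports; it only reads what
# the firewall already logs for connections it refused.
DROP_LOG = """\
2006-01-19 20:41:02 DROP TCP 203.0.113.5 -> 192.0.2.1:7000
2006-01-19 20:41:03 DROP TCP 203.0.113.5 -> 192.0.2.1:8000
2006-01-19 20:41:04 DROP TCP 203.0.113.5 -> 192.0.2.1:9000
2006-01-19 20:41:05 DROP TCP 198.51.100.7 -> 192.0.2.1:9000
2006-01-19 20:41:06 DROP TCP 198.51.100.7 -> 192.0.2.1:8000
2006-01-19 20:41:07 DROP TCP 198.51.100.7 -> 192.0.2.1:7000
2006-01-19 20:41:08 DROP TCP 198.51.100.9 -> 192.0.2.1:7000
2006-01-19 20:42:30 DROP TCP 198.51.100.9 -> 192.0.2.1:8000
2006-01-19 20:42:31 DROP TCP 198.51.100.9 -> 192.0.2.1:9000
"""

KNOCK_SEQUENCE = (7000, 8000, 9000)  # hypothetical knock; order matters
WINDOW_SECONDS = 10                   # whole sequence must land inside this
LINE_RE = re.compile(r"^(\S+ \S+) DROP TCP (\d+\.\d+\.\d+\.\d+) -> \S+:(\d+)$")


def knock_decisions(log_text, sequence=KNOCK_SEQUENCE, window=WINDOW_SECONDS):
    """Return (timestamp, source) for each source that completed the knock.
    Each entry is where the agent would push a short-lived allow rule for that
    source only (e.g. to TCP 21 or 80); nobody else gets anything opened."""
    progress = {}  # source -> (index of next expected port, time of first knock)
    opened = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        src, port = m.group(2), int(m.group(3))
        idx, started = progress.get(src, (0, ts))
        if idx and (ts - started).total_seconds() > window:
            idx = 0  # sequence took too long: forget the partial knock
        if port == sequence[idx]:
            started = ts if idx == 0 else started
            idx += 1
        else:
            # Wrong port: discard progress. The packet may itself be a first knock.
            idx, started = (1, ts) if port == sequence[0] else (0, ts)
        if idx == len(sequence):
            opened.append((ts, src))
            idx = 0
        progress[src] = (idx, started)
    return opened
```

Of the three constructed sources, only the first completes the sequence; the second knocks in the wrong order and the third lets the window expire between knocks.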

 


________________________________

        From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx] 
        Sent: Thursday, January 19, 2006 2:08 PM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Open Ports
        
        
        True. However, with the assumption that a) you actually own the system 
and b) you want to use the port-knocking mechanism (therefore making it wanted 
code), the concept isn't bogus.
        My intention is to have a go at it on my testing environment, just 
because it'd be fun to try. :P 
        I wouldn't dream of even mentioning the concept at a customer.
        As far as 'owning the machine', I can imagine you're also referring to 
the fact I don't 'own' the ISA server's internals. True. Combining an ISA 
server as back-end with, say, a UNIX machine in front with port-knocking on it, 
however, would solve that problem. I'm also aware there are plenty of progs 
available to do that for me, but, ah hell, I like playing around with code at 
times. ;)

         
________________________________

        From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
        Sent: Thu 19-1-2006 20:56
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Open Ports
        
        

        http://www.ISAserver.org
        
        The basic idea behind port-knocking is that you have installed an agent 
that can control your (local or remote) firewall policies.   If you've 
accomplished the task of installing unwanted code on a machine that you don't 
(actually) own, you're wasting time simply dorking about with firewall policies.
        
        -------------------------------------------------------
           Jim Harrison
           MCP(NT4, W2K), A+, Network+, PCG
           http://isaserver.org/Jim_Harrison/
           http://isatools.org
           Read the help / books / articles!
        -------------------------------------------------------
        
        
        -----Original Message-----
        From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
        Sent: Thursday, January 19, 2006 11:45
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Open Ports
        
        
        Why bogus ?
        
        ________________________________
        
        From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
        Sent: Thu 19-1-2006 20:41
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Open Ports
        
        
        
        http://www.ISAserver.org
        
        Port-knocking is a bogus concept.
        If you can place your agent on the firewall, it's game over anyway.
        
        -------------------------------------------------------
           Jim Harrison
           MCP(NT4, W2K), A+, Network+, PCG
           http://isaserver.org/Jim_Harrison/
           http://isatools.org
           Read the help / books / articles!
        -------------------------------------------------------
        
        
        -----Original Message-----
        From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
        Sent: Thursday, January 19, 2006 11:34
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Open Ports
        
        Actually, the concept of port-knocking applies to this example rather 
beautifully.. shame it's not available for ISA 2004. Though I do plan to have a 
go at a script for that, just because I wanna. :P
        
        Paul
        
        http://blogs.dirteam.com/blogs/paul
        
        
        ________________________________
        
        From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
        Sent: Thu 19-1-2006 19:59
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Open Ports
        
        
        
        http://www.ISAserver.org
        
        Whenever I hear GRC.com I shudder and start losing hair. The vision of 
Gibson's plump moustache brings vile, unspeakable things back to rise around 
the taste buds on the back of my tongue.
        
        And indeed "opening a port" (haha one more kitten/isa just died) only 
when requested... wouldn't that be the equivalent of leaving it open?
        
        It's akin to plugging your ears shut and opening them only when the 
phone rings. How will you know it is ringing and that someone attempts to 
communicate with you?
        
        Either I misunderstood or something here is clearly illogical.
        
        -----Original Message-----
        From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
        Sent: 19 January 2006 12:09
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Open Ports
        
        http://www.ISAserver.org
        
        You've been to GRC.com again, haven't you?
        :-P
        Both HTTP and FTP use the TCP protocol to get where they're going.
        It's a basic precept of TCP communications that you can't respond to a 
connection request if you don't accept them.
        
        -------------------------------------------------------
           Jim Harrison
           MCP(NT4, W2K), A+, Network+, PCG
           http://isaserver.org/Jim_Harrison/
           http://isatools.org
           Read the help / books / articles!
        -------------------------------------------------------
        
        
        -----Original Message-----
        From: Tom Rogers [mailto:trogers@xxxxxxxxxxxxxxxxxx]
        Sent: Thursday, January 19, 2006 08:59
        To: [ISAserver.org Discussion List]
        Subject: [isalist] Open Ports
        
        Ports 80 and 21 are open statically on my ISA 2000 SP-2 server. I 
publish websites through ISA and a single FTP site. How do I make these ports 
open dynamically - only when proper access is needed?
        
        TIA,
        
        -Tom Rogers
         ISA Rookie
        
        
        
        
        
        All mail to and from this domain is GFI-scanned.
        
        
        ------------------------------------------------------
        List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
        ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        ------------------------------------------------------
        Visit TechGenix.com for more information about our other sites:
        http://www.techgenix.com
        ------------------------------------------------------
        You are currently subscribed to this ISAserver.org Discussion List as:
        gauthiera@xxxxxxxxxxxxxxxxx
        To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
        Report abuse to listadmin@xxxxxxxxxxxxx
        