RE: Open Ports

  • From: "Greg Mulholland" <greg@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 20 Jan 2006 10:28:25 +1100

I understand both points of view. My personal 2c's worth is that I sleep better 
at night knowing that you need the "secret knock" as it were and that I have 
done other little things that, whilst they might not deter a true hacker, they 
stop more than their fair share. It's the same analogy with spam. It also gives me a 
little bit more of a window to catch such attacks and deal with them 
appropriately.
 
Now there are some who would say that I am going to bed with a false sense of 
security, because I don't understand that it's not going to stop the "good" bad 
guys. But unless I become a huge target for the Russian Mob (borrowed that, 
mate!) then I will not worry so much. I've kind of always stood with Thor on 
this one and those "security/obscurity" minded folk.
 
Mind you if I wanted to be totally secure, I wouldn't run anything and would 
read and have sex all day long...mmm sex...
 
 
Greg Mulholland

________________________________

From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Fri 20/01/2006 8:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports



http://www.ISAserver.org

You and I always seem to disagree on stuff like this... I mean, I see your
point, but this is like the "source port rule" thing I do.

To me, it is not "loosening" at all.  Having a box that only allows 3389
after a series of port failures in the right order (secret knock) is a more
secure posture than a machine that has 3389 open all the time.   Having a
machine that only allows 3389 when the source port is 43223 is a more secure
posture than one that allows 3389 from any source port.

The secret knock ports don't even have to be open- you just identify the
failed attempts in the right order, or however you want to do it... It's
just another layer.

t

-----
"I'll see your Llama and up you a Badger."
John T
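Thor's "secret knock" above, worked as an added example (not code from the list or from ISA Server): a tracker that consumes constructed firewall deny-log lines and marks a source as allowed on 3389 only after the knock ports are hit in the right order within a time window; out-of-order hits reset the state, so a port scan cannot ratchet through it. The log format, knock ports and timings are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed log format (assumption): "<epoch> DENY <src_ip>:<src_port> -> <dst_port>"
LOG_RE = re.compile(r"^(\d+) DENY (\S+):(\d+) -> (\d+)$")
# Knock ports are assumed; a non-monotonic order keeps a plain ascending
# port scan from completing the sequence by accident.
KNOCK_SEQUENCE = (7000, 9000, 8000)
PROTECTED_PORT = 3389   # stays closed until the knock succeeds
KNOCK_WINDOW = 10       # seconds allowed to finish the whole sequence
OPEN_FOR = 30           # seconds the source is then allowed on 3389

SAMPLE_LOG = [                                   # constructed deny-log lines
    "1000 DENY 203.0.113.5:51000 -> 7000",
    "1001 DENY 203.0.113.5:51001 -> 9000",
    "1002 DENY 203.0.113.5:51002 -> 8000",       # right order: opens 3389
    "1003 DENY 198.51.100.9:40000 -> 7000",
    "1004 DENY 198.51.100.9:40001 -> 8000",      # out of order: state reset
    "1005 DENY 198.51.100.9:40002 -> 9000",
]
@dataclass
class KnockTracker:
    progress: dict = field(default_factory=dict)  # src_ip -> (next_index, first_knock_ts)
    allowed: dict = field(default_factory=dict)   # src_ip -> expiry timestamp

    def observe(self, line):
        """Feed one deny-log line; returns the source IP when its sequence completes."""
        m = LOG_RE.match(line)
        if not m:
            return None
        ts, src, dport = int(m[1]), m[2], int(m[4])
        idx, started = self.progress.get(src, (0, ts))
        if ts - started > KNOCK_WINDOW:           # too slow: start the sequence over
            idx, started = 0, ts
        if dport != KNOCK_SEQUENCE[idx]:          # wrong port: reset, so a scan cannot ratchet
            self.progress.pop(src, None)
            return None
        idx += 1
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(src, None)
            self.allowed[src] = ts + OPEN_FOR     # the only thing that grants access to 3389
            return src
        self.progress[src] = (idx, started)

    def is_allowed(self, src, dport, now):
        # the rule a firewall would consult: only 3389, only a knocked source, only in time
        return dport == PROTECTED_PORT and self.allowed.get(src, 0) > now

def replay(lines=SAMPLE_LOG):
    tracker = KnockTracker()
    return tracker, [s for s in (tracker.observe(l) for l in lines) if s]
```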



----- Original Message -----
From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, January 19, 2006 1:25 PM
Subject: [isalist] RE: Open Ports


http://www.ISAserver.org

This isn't server hardening; it's server loosening.
If you want to muck about in ISA policies, log onto the machine.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 13:07
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Open Ports

Hi Tom,

The greatest value I see in the concept is server hardening. There are
plenty of scenarios when inbound connections are only used sporadically for,
say, remote management on back-end servers. Still, I'd rather not show my
firewall as listening on certain inbound ports.. let us say, security by
obscurity ? :) Personally, I've always been a rather big fan of that.
On the other side, I'm also extremely paranoid. Even the most secure of
services are, in my opinion, vulnerable. Less vulnerable, yes, but still
vulnerable. Only exposing those services to the outside world when I desire
it sounds good to me. ;o) Combining port knocking with OTPs, shaped packets,
etc., increases the difficulty of exposing the service to the outside.

A colleague of mine mentioned today that the most secure server is offline,
in a box, locked far away in a bunker. Very true as that may be, it'll
never quite be a reality (apart from root CAs, of course. ;o) ). Until that
time, I still wish to hide as much information from the outside world as
possible. If I can use a port knocking mechanism to decrease the chance of
an attacker noticing listening ports on my firewall, I'd surely say 'yes' to
that. :P

My two cents on the matter.

Regards,

Paul.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thu 19-1-2006 21:50
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports


http://www.ISAserver.org

Hi Paul,

Never heard of port knocking until you mentioned it here. I read a few
articles on it today and I'm not clear what value this would add to the ISA
firewall. Care to teach the teacher? :)

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls **Who is John Galt?**




________________________________

From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 2:08 PM
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Open Ports


True. However, with the assumption that a) you actually own the system and
b) you want to use the port-knocking mechanism (therefore making it wanted
code), the concept isn't bogus.
My intention is to have a go at it on my testing environment, just because
it'd be fun to try. :P
I wouldn't dream of even mentioning the concept at a customer.
As far as 'owning the machine', I can imagine you're also referring to the
fact I don't 'own' the ISA server's internals. True. Combining an ISA server
as back-end with, say, a UNIX machine in front with port-knocking on it,
however, would solve that problem. I'm also aware there are plenty of progs
available to do that for me, but, ah hell, I like playing around with code
at times. ;)


________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thu 19-1-2006 20:56
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports



http://www.ISAserver.org

The basic idea behind port-knocking is that you have installed an agent that
can control your (local or remote) firewall policies.   If you've
accomplished the task of installing unwanted code on a machine that you
don't (actually) own, you're wasting time simply dorking about with firewall
policies.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------




All mail to and from this domain is GFI-scanned.


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
thor@xxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx


