RE: Open Ports

  • From: "Geldrop, Paul van" <paul.van.geldrop@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jan 2006 22:33:45 +0100

 
Personally, I'd see, for example, an RDP service listening only for 10 minutes 
after a knock as more 'hardened' than the same service listening constantly.

________________________________

From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thu 19-1-2006 22:25
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports



http://www.ISAserver.org

This isn't server hardening; it's server loosening.
If you want to muck about in ISA policies, log onto the machine.

-------------------------------------------------------
   Jim Harrison
   MCP(NT4, W2K), A+, Network+, PCG
   http://isaserver.org/Jim_Harrison/
   http://isatools.org
   Read the help / books / articles!
-------------------------------------------------------


-----Original Message-----
From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
Sent: Thursday, January 19, 2006 13:07
To: [ISAserver.org Discussion List]
Subject: RE: [isalist] RE: Open Ports

Hi Tom,

The greatest value I see in the concept is server hardening. There are plenty 
of scenarios when inbound connections are only used sporadically for, say, 
remote management on back-end servers. Still, I'd rather not show my firewall 
as listening on certain inbound ports... let us say, security by obscurity? :) 
Personally, I've always been a rather big fan of that.
On the other side, I'm also extremely paranoid. Even the most secure of 
services are, in my opinion, vulnerable. Less vulnerable, yes, but still, 
vulnerable. Only exposing those services to the outside world when I desire it 
sounds good to me. ;o) Combining port knocking with OTPs, shaped packets, etc., 
increases the difficulty to expose the service to the outside.

A colleague of mine mentioned today that the most secure server is offline, in 
a box, locked far away in a bunker. Very true, as that may be, it'll never 
quite be a reality (apart from root CAs, of course. ;o) ). Until that time, I 
still wish to hide as much information from the outside world as possible. If I 
can use a port knocking mechanism to decrease the chance of an attacker 
noticing listening ports on my firewall, I'd surely say 'yes' to that. :P

My two cents on the matter.

Regards,

Paul.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Thu 19-1-2006 21:50
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Open Ports


http://www.ISAserver.org

Hi Paul,

Never heard of port knocking until you mentioned it here. I read a few articles 
on it today and I'm not clear what value this would add to the ISA firewall. 
Care to teach the teacher? :)

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**




________________________________

        From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx]
        Sent: Thursday, January 19, 2006 2:08 PM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: Open Ports
       
       
        True. However, with the assumption that a) you actually own the system 
and b) you want to use the port-knocking mechanism (therefore making it wanted 
code), the concept isn't bogus.
        My intention is to have a go at it on my testing environment, just 
because it'd be fun to try. :P
        I wouldn't dream of even mentioning the concept at a customer.
        As far as 'owning the machine', I can imagine you're also referring to 
the fact I don't 'own' the ISA server's internals. True. Combining an ISA 
server as back-end with, say, a UNIX machine in front with port-knocking on it, 
however, would solve that problem. I'm also aware there are plenty of progs 
available to do that for me, but, ah hell, I like playing around with code at 
times. ;)

        
________________________________

        From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
        Sent: Thu 19-1-2006 20:56
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: Open Ports
       
       

        http://www.ISAserver.org
       
        The basic idea behind port-knocking is that you have installed an agent 
that can control your (local or remote) firewall policies. If you've 
accomplished the task of installing unwanted code on a machine that you don't 
(actually) own, you're wasting time simply dorking about with firewall policies.
       
        -------------------------------------------------------
           Jim Harrison
           MCP(NT4, W2K), A+, Network+, PCG
           http://isaserver.org/Jim_Harrison/
           http://isatools.org
           Read the help / books / articles!
        -------------------------------------------------------
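As an added illustration of the mechanism Jim describes (an agent that reacts to knocks and adjusts firewall policy) and the ten-minute window Paul mentions, here is a small port-knock state machine; this is example code written for this page, not from the thread or from any ISA tool. The knock sequence, the gap limit, the timestamps and the source addresses are constructed values, and the call that would actually change a firewall rule is left as a comment.

```python
"""Minimal port-knock tracker (added example, not from the thread).

Each observed connection attempt is a (timestamp, source_ip, dst_port)
tuple, e.g. as parsed from a firewall's dropped-packet log. A source that
hits the whole sequence in order, fast enough, gets the service opened to
it for OPEN_WINDOW_SECONDS; any wrong or late knock resets its progress.
"""
from dataclasses import dataclass, field

KNOCK_SEQUENCE = (7000, 8000, 9000)   # constructed sample sequence
KNOCK_GAP_SECONDS = 5.0               # max seconds between successive knocks
OPEN_WINDOW_SECONDS = 600.0           # 10 minutes, as in Paul's example


@dataclass
class KnockTracker:
    progress: dict = field(default_factory=dict)  # ip -> (next_index, last_ts)
    opened: dict = field(default_factory=dict)    # ip -> expiry timestamp

    def observe(self, ts, ip, port):
        """Feed one attempt; return True when it completes the sequence."""
        idx, last = self.progress.get(ip, (0, ts))
        if ts - last > KNOCK_GAP_SECONDS:
            idx = 0                       # too slow: start over
        if port == KNOCK_SEQUENCE[idx]:
            idx += 1
        elif port == KNOCK_SEQUENCE[0]:
            idx = 1                       # wrong knock, but it restarts the sequence
        else:
            idx = 0
        if idx == len(KNOCK_SEQUENCE):
            self.progress.pop(ip, None)
            self.opened[ip] = ts + OPEN_WINDOW_SECONDS
            # here the agent would add a temporary allow rule for ip
            return True
        self.progress[ip] = (idx, ts)
        return False

    def is_allowed(self, ts, ip):
        """True while ip's window is open; expired entries are purged."""
        expiry = self.opened.get(ip)
        if expiry is None:
            return False
        if ts > expiry:
            del self.opened[ip]           # here the agent would remove the rule
            return False
        return True


# Constructed sample events: one correct sequence, one that is too slow.
SAMPLE_EVENTS = [
    (100.0, "203.0.113.5", 7000), (101.0, "203.0.113.5", 8000),
    (102.0, "203.0.113.5", 9000),          # completes: open until t=702.0
    (100.0, "198.51.100.9", 7000), (110.0, "198.51.100.9", 8000),
    (111.0, "198.51.100.9", 9000),         # 10 s gap reset it: never opens
]
```

Note that the sequence only hides the listener; it is not authentication, which is why the thread pairs it with OTPs.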
       
       







