Hi All,

I have configured a Pix ASA and opened some ports to dmz and inside for 
e.g. mail, www and rdp.

Is it possible to have the pix hide these open ports from portscans 
originated from outside? If so, how can it be done?

Thanks in advance

Edwin

Edwin schrieb:
> Hi All,
> 
> I have configured a Pix ASA and opened some ports to dmz and inside for 
> e.g. mail, www and rdp.
> 
> Is it possible to have the pix hide these open ports from portscans 
> originated from outside? If so, how can it be done?

Can be done by ACL denying access to these ports or by shutting down the 
WAN interface ;-) This is most probably not what you want.

If your PIX refuses to connect to the port the listener of the daemon of 
DMZ' server will not be reachable anymore from the outside This is due 
to the nature of tcp and not related to any special firewall.

-- 
Uli

Uli Link <VonRechts.NachLinks@usenet.arcornews.de> wrote in news:483fd23d$0
$27444$9b4e6d93@newsspool4.arcor-online.net:

> Edwin schrieb:
>> Hi All,
>> 
>> I have configured a Pix ASA and opened some ports to dmz and inside for 
>> e.g. mail, www and rdp.
>> 
>> Is it possible to have the pix hide these open ports from portscans 
>> originated from outside? If so, how can it be done?
> 
> Can be done by ACL denying access to these ports or by shutting down the 
> WAN interface ;-) This is most probably not what you want.
> 
> If your PIX refuses to connect to the port the listener of the daemon of 
> DMZ' server will not be reachable anymore from the outside This is due 
> to the nature of tcp and not related to any special firewall.
> 


I fully agree with you. something needs to respond to requests for a 
certain port.
I was actually hoping that the Pix had some feature that deals with certain 
characteristics of a portscan. Portscans are recognizeable in general...but 
maybe not by a pix?

Edwin wrote:
>>
> 
> 
> I fully agree with you. something needs to respond to requests for a 
> certain port.
> I was actually hoping that the Pix had some feature that deals with certain 
> characteristics of a portscan. Portscans are recognizeable in general...but 
> maybe not by a pix?

So I know that with IPTABLES you can do things like reject access after
certain connection attempts in a specific time frame from the same IP or
any other combination you can dream up. I presume that is what you want?
I am not sure if the PIX can do this or not.

There are millions of port scans performed on a daily basis. Its much
noise.

If I am after your network, a quick gander of the nmap manual page gives
me several ways to get around you blocking me. And I probably wouldn't
compromise your network from the same netblock I am scanning you from.

I will say that restricting access to ports can back fire on you.

If I want to give you a really bad day, I'll just hijack some CLASS C
(and maybe a couple class b) subnets and do a really aggressive NMAP
scan from a wide variety of compromised hosts and sit back and smile as
your customer support line rings off the hook. :)

I would look at rate limiting and other measures before implementing
something like automated port blocking.

If this is a Linux box you can always use portsentry. It may have been
ported to other versions of UNIX not sure.

Windows may have something similar not sure.


Charles