Security Basics: RE: Scanning--more then one side to the argument

["David Gillett" <gillettdavid () fhda edu>]

  A good configuration starts with all ports filtered or closed,
and then opens the ones that actually need to be opened -- which
it appears, for this destination device, should start at "None".
Certainly none of the current open ports should be unfiltered 
unless you know what they are and that it is safe (or at least,
allowed by policy) to do that.
  Client devices may need to accept inbound connections as part of,
for instance, FTP.  That's why you want a stateful firewall that
monitors FTP conversations so it can open data ports for them only
as necessary.  They shouldn't show up on a routine scan.

David Gillett


> -----Original Message-----
> From: Shand [mailto:shand () adelphia net]
> Sent: Wednesday, March 30, 2005 1:17 PM
> To: Steve Fletcher; security-basics () securityfocus com
> Subject: Re: Scanning--more then one side to the argument
>
>
> Example of customer scan
>
> nmap -sV -P0 -p 1-
>
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 
> 2005-03-30 16:59 EST
> Interesting ports on
> (The 65522 ports scanned but not shown below are in state: closed)
> PORT      STATE    SERVICE      VERSION
> 80/tcp    filtered http
> 135/tcp   filtered msrpc
> 136/tcp   filtered profile
> 137/tcp   filtered netbios-ns
> 138/tcp   filtered netbios-dgm
> 139/tcp   filtered netbios-ssn
> 445/tcp   filtered microsoft-ds
> 5000/tcp  open     upnp         Microsoft Windows UPnP
> 5241/tcp  open     unknown
> 7177/tcp  open     unknown
> 8031/tcp  open     unknown
> 9491/tcp  open     unknown
> 27374/tcp filtered subseven
>
> Nmap run completed -- 1 IP address (1 host up) scanned in 
> 438.716 seconds
>
>
> Now I see this as a issue?
>
> Other don't?
>
> The filtered ones are filtered by us.
>
> The others they have open? ( Not firewall?) ( No security?)
>
> Sherman
>
>
> ----- Original Message ----- 
> From: "Steve Fletcher" <safletcher () insightbb com>
> To: "'Shand'" <shand () adelphia net>; 
> <security-basics () securityfocus com>
> Sent: Wednesday, March 30, 2005 3:41 PM
> Subject: RE: Scanning--more then one side to the argument
>
>
> > That would depend on the port and what function it serves.  
> For example,
> > you
> > might show port 25 as open because they have an SMTP server 
> and it is not
> > behind a firewall.
> >
> > Here is a definition of the different states, straight from 
> the nmap man
> > page:
> >
> > "The state is either "open", "filtered", or "unfiltered".  Open
> > means that       the target machine will accept() 
> connections on that
> > port.  Filtered means that a firewall, filter, or other 
> network obstacle
> > is
> > covering the port and preventing nmap from determining 
> whether the port
> > is open.  Unfiltered means that the port is known by nmap to  be
> > closed  and  no firewall/filter seems to be interfering with nmap's
> > attempts to determine this.  Unfiltered ports are the 
> common case and are
> > only shown when most of the scanned ports are in the 
> filtered state."
> > Hope this helps.
> >
> > Steve Fletcher
> > MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, 
> CCNA, Security+
> > safletcher () insightbb com
> >
> > -----Original Message-----
> > From: Shand [mailto:shand () adelphia net]
> > Sent: Wednesday, March 30, 2005 2:33 PM
> > To: Steve Fletcher; security-basics () securityfocus com
> > Subject: Re: Scanning--more then one side to the argument
> >
> > External scans.
> >
> > Against customer using our internet service.
> >
> > Does a port have to show as "open" or can they for 
> usability show only as
> > filtered, closed?
> >
> > Thoughts?
> >
> > Shand
> >
> >
> >
> >
> > ----- Original Message ----- 
> > From: "Steve Fletcher" <safletcher () insightbb com>
> > To: "'Sherman Hand'" <shand () adelphia net>;
> > <security-basics () securityfocus com>
> > Sent: Wednesday, March 30, 2005 3:18 PM
> > Subject: RE: Scanning--more then one side to the argument
> >
> >
> > > I have a question regarding this.  Are you talking about 
> doing an external
> > > scan or an internal scan?  I assume an external, because 
> an internal scan
> > > should show a LOT of open ports.
> > >
> > > I would say that any open port POTENTIALLY could be a 
> security issue
> > > waiting
> > > to happen, but common sense dictates that some ports must 
> be open for
> > > usability reasons.  Plus, if you're going to follow this 
> line of thought,
> > > the fact that the systems are connected to the Internet AT 
> ALL poses a
> > > potential risk.  Or, just being networked could be a risk. 
>  Or, being
> > > powered on poses a potential risk.
> > >
> > > So, based on this, sure it COULD be a security risk 
> waiting to happen,
> > > but
> > > more information needs to be gathered to determine the 
> true extent of the
> > > risk.  And, it must be reevaluated at regular intervals to 
> catch new
> > > issues
> > > that might have come up since the last scan.  What is safe 
> now might not
> > > be
> > > 6 months from now.
> > >
> > > Hope this helps.
> > >
> > > Steve Fletcher
> > > MCSE (NT4/Win2k), MCSE: Security (Win2k), HP Master ASE, 
> CCNA, Security+
> > > safletcher () insightbb com
> > >
> > > -----Original Message-----
> > > From: Sherman Hand [mailto:shand () adelphia net]
> > > Sent: Wednesday, March 30, 2005 5:05 PM
> > > To: security-basics () securityfocus com
> > > Subject: Scanning--more then one side to the argument
> > >
> > >
> > >
> > > There has been a on going discussion about the scanning 
> results on our
> > > customers.
> > >
> > > Thought one says that "any" port on a standard nmap, 
> showing as "open" is
> > > a
> > > security risk.
> > >
> > > Thought two says, no since some things need to show in a 
> state of open.
> > > Should we be stating that through proactive scan, when we 
> find any port
> > > showing as open, that it is a security issue waiting to happen?
> > >
> > > Or only if we can show a issue?
> > >
> > > Thoughts?
> > >
> > > Shand
>
>
> --------------------------------------------------------------
> -------------
> Earn your MS in Information Security ONLINE
> Organizations worldwide are in need of highly qualified 
> information security 
> professionals.  Norwich University is fulfilling this demand 
> with its MS in 
> Information Security offered online.  Recognized by the NSA as an 
> academically excellent program, NU offers you the opportunity 
> to earn your 
> degree without disrupting your home or work life.
>
> http://www.msia.norwich.edu/secfocus_en
> --------------------------------------------------------------
> --------------
---------------------------------------------------------------------------
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information security 
professionals.  Norwich University is fulfilling this demand with its MS in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
----------------------------------------------------------------------------