10 Replies Latest reply: Oct 25, 2011 12:53 PM by Paul Stewart - CCIE Security

    Hide an Open port

    CCIE_2B

      I have port 3386 open on my ASA,

      and I would like to hide it from a port scan,

      since when I use a port scan it shows that the port is open.

      How do I hide that port while keeping it open?

      Thanks

        • 1. Re: Hide an Open port
          Conwyn

          Hi 2B

          Port scan only "works" if you reply.

          Regards, Conwyn

          • 2. Re: Hide an Open port
            Paul Stewart  -  CCIE Security

            An open port has a couple of different meanings. One is that it is open on the firewall and the other is that it is listening on a host. If you want a port that is open to a listening port on a host to be stealth, you might need to custom-code the IP stack or application. For example, if we are talking about TCP, there is a three-way handshake that happens and is typically not under the control of the application. In that case, you'd need an IP stack that doesn't respond (unless some criteria are met that tell it otherwise). If it is UDP or something else, the application could choose not to respond to invalid data. From a firewall or network filter perspective, all you can do is drop or permit traffic based on criteria that can be contained in an ACL. So in other words, it is open, exposed and visible. Otherwise, it is closed and unusable (unless you can build some exception). So if PC A is scanning Server B, it will see any open ports that it can use. If you block this, it can't use those ports. However, we could write an ACL that prevents PC C from seeing those ports, assuming that PC C should not be connecting to them. HTH.
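            An added example, not from this thread, that illustrates Paul's point in Python: the TCP three-way handshake is completed by the IP stack, not the application, so a listening socket answers a SYN even when the program never calls accept(). It only uses the local loopback interface and OS-chosen ports (assumed: the machine has a working 127.0.0.1).

```python
import socket


def probe(port: int, host: str = "127.0.0.1", timeout: float = 1.0) -> str:
    """Classify a TCP port from the client's side, the way a connect() scan
    sees it: 'open' (SYN/ACK came back), 'closed' (RST came back) or
    'filtered' (nothing came back before the timeout, e.g. a firewall drop)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "filtered"


def demo() -> dict:
    """Show that a listening socket answers the handshake even though the
    application never calls accept(): the kernel, not the app, replies."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    # A port nothing listens on: bind to grab a free number, then release it.
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()

    try:
        results = {
            "open": probe(open_port),      # kernel answers the SYN with SYN/ACK
            "closed": probe(closed_port),  # kernel answers the SYN with RST
        }
    finally:
        listener.close()
    return results


if __name__ == "__main__":
    for state, seen in demo().items():
        print(f"port that is {state}: scanner sees '{seen}'")
```

The only way to get the third result, 'filtered', is for something in front of the stack (an ACL or firewall drop) to swallow the SYN, which is exactly the drop-or-permit choice Paul describes.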

            • 3. Re: Hide an Open port
              CCIE_2B

               Conwyn,

               I am not sure I understood your reply. Can you explain? Thank you.

              • 4. Re: Hide an Open port
                CCIE_2B

                Paul, the open port is on the ASA, and what I don't want is someone to scan my ASA (from outside) and see that the port is open.

                • 5. Re: Hide an Open port
                  Aaron

                   Hi,

                   Try to research and play with threat-detection. Maybe threat-detection scanning-threat shun could help you.

                   Cheers,

                  • 6. Re: Hide an Open port
                    CCIE_2B

                     Aaron, threat detection detects the scanning and can take appropriate action, such as shunning the host,

                     but even with threat detection the port is still visible to an attacker.

                    • 7. Re: Hide an Open port
                      Paul Stewart  -  CCIE Security

                       You can't do much about that. If it's open, it will behave like that. TCP is especially easy to scan for. It's just how the protocol works.

                      • 8. Re: Hide an Open port
                        Aaron

                         I already knew that and I agree completely with Paul. You cannot "hide" a port. We can only try to minimize damage if there is going to be an attack. Someone scanning a host for open ports will hope to find some open, and then will try to exploit or brute-force services on it. You can evade this behavior by changing the default listening port, i.e. changing the SSH port from 22 to 22022. Or maybe masking the server replies on the ports.

                         Cheers,

                        • 9. Re: Hide an Open port
                          CCIE_2B

                           Thank you all for your points. I quite agree with all of you, but the client is saying it was able to hide an open port using a non-Cisco device, so I thought I should ask here.

                           Thank you all for answering.

                          • 10. Re: Hide an Open port
                            Paul Stewart  -  CCIE Security

                            I would ask the client what the traffic should look like to warrant a response (vs a TCP connect scan). Now there are ways to drop the IP once it has been detected as a scanning source. There are only a very few ways to be completely stealth to a scan. Untangled does some of this for its own VPN service, but I doubt it extends to TCP. If the customer says a TCP connection is only valid if it looks like x, y and z, then we'd have something to work with. I doubt this will be the case since there aren't too many ways to hide variables in a SYN.