Re: Re: Strange ports

From: R. DuFresne (dufresne@sysinfo.com)
Date: Sat Jun 23 2007 - 01:56:29 EDT


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Fri, 22 Jun 2007, Tim Shea wrote:

>
> Per the original note - this was a scan of an external firewall.
>
> There is no reason for udp/53 to be open unless this is a stateless
> firewall (doubtful per the scan). Internal clients would be coming
> through the internal interface of the firewall and udp/53 would need to be
> opened on that interface not the external interface.
>
> But to be quite frank - I am shocked how many people are weighing in on
> what "needs to be opened" without knowing one single requirement. He
> asked an opinion on a couple of ports. What is opened or not depends upon
> that companies architecture and how they have things deployed. He needs
> to work with those folks to determine what is valid or not.
>

Wasn;t here only concerned about a single port? the 3k range port?

I was under the impression he said it was his home firewall, scanned from
work, perhaps I misread. If I did not, sure looks alot like a windows
based firewalled system, from the tcp side. Others sugggested outright
port 53 should be blocked or was unnessecary, and in most cases access to
port 53 to some extent is pretty muych required for a smooth comfy cruise
of the net. Gets cludgy in the head otherwise. 53 can be restrictive and
still show open, either upd or tcp, and might well be very nessecary,
likle extremely nessecary without a HUGE brain, or lasrge /etc/hosts
file...

Thing is though, again if I was right, the FW owner should know his
settings quite well one would think, and so know all the port reported as
open on it? Or have an idea of what was allowed as well to pass through?

Here, I was more concerned about the other windows based ports that
appeared to be open then 53 <tcp or udp>. I'm not one to allow windows
based services to pass inside out nor outside in <not even to the DMZ in
most cases>, keep em local, or pass through VPN only in select cases.
But, that's me and I know what I allow input and forward via the FW.

With the limited info provided, perhaps all responding made some
assumptions? <shrug> Kinda like a blind pen test!

My blanket merely covered the first one tossed out! <gryn>

Thanks,

Ron DuFresne
- --
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
         admin & senior security consultant: sysinfo.com
                         http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

...We waste time looking for the perfect lover
instead of creating the perfect love.

                 -Tom Robbins <Still Life With Woodpecker>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFGfLYPst+vzJSwZikRAvOIAKCVy5IEyJvj++h1lMZYW5bo0sK/OQCcClmW
ypO2vOrWc9Y9O2r8HOAYZLQ=
=gBZP
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This List Sponsored by: Cenzic

Are you using SPI, Watchfire or WhiteHat?
Consider getting clear vision with Cenzic
See HOW Now with our 20/20 program!

http://www.cenzic.com/c/2020
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:53 EDT