no stealthing of open ports????

hey guys
you mean noone knows how to stealth an open port? I mean I am not sure if it can be done.
but I use certain ports at home on my home system. I have an asa 5505 I just config.

I am not running a DMz not sure why I would need one? but I use static config statements to route protocols like smtp, ssh, https, www to certain servers inside. but
seems my firewall is decent protection but what of my open ports that I need that are not stealthed? is this and issue? can a person stealth open ports or is this not possible?
then are they inspected and watch for bad activity if not stealthed??
Thanks
come on guys some of you guys know?I am totally new this asa stuff. It is fun but need your guidance. thanks
Robert

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

mikej412

itdaddy wrote: »

you mean noone knows how to stealth an open port?

I guess you achieve it by closing the open port and not responding to anything, powering off the ASA, or redirecting the port traffic to a non-existent host.

Ahriakin

If you stealth it then how is anyone supposed to reach those services?
If you know the allowed public hosts then included them in your ACLs and the ports will show as closed to any host not on that list. Otherwise you're asking if you can hide the things that you have deliberately made public....

If these are services just for yourself and you want remote access from anywhere consider setting up a VPN instead.
If these are publicly available then consider placing an IPS inline if you can so that even though you are accepting connections you can police the data. There are also a number of things you can do on the ASA to tighten things a bit like setting up strict protocol inspection for Web, FTP and SMTP services (as long as this does not break anything offered by the servers) - The Cisco PIX/ASA Handbook 2nd edition is a great resource for working on policy-maps. Also simple things like setting tighter TCP/UDP/ICMP timeouts etc.

itdaddy

Ahriakin

thanks a lot. I appreciate what you have said. That really opens my eyes. I will try to find that book..Yeah I am setting up vpn now. The ssl one. I think it is cleaner.
I wasnt sure I know many system have open ports for services running and I just wanted make sure I wasnt too faroff..I do know they need to be open for services to run..
and I will look in to inspection policies thanks

mike:

you are funny guy! I believe everything you say. and I have pulled that Stick out too! hahahha hahahahah hah
you kill me! you guidance is fantastic! hahah You should do standup! haha;

Robert;)

mikearama

mikej412 wrote: »

I guess you achieve it by... powering off the ASA.

Here we call that the "super-duper-stealthy-maximum-security" mode... works like a charm! Stops them bad guys cold!

gojericho0

itdaddy,

when you are playing around with stuff you'll quickly realize the delicate balance between functionality and security. seems like you are off to a good start though

shednik

Ahriakin wrote: »

The Cisco PIX/ASA Handbook 2nd edition is a great resource for working on policy-maps. Also simple things like setting tighter TCP/UDP/ICMP timeouts etc.

Is this the book you are referring to??

Amazon.com: Cisco ASA, PIX, and FWSM Firewall Handbook (2nd Edition) (Networking Technology: Security): Dave Hucaby: Books