
No stealthing of open ports?

itdaddy
Hey guys,
You mean no one knows how to stealth an open port? I mean, I am not sure if it can be done,
but I use certain ports at home on my home system. I have an ASA 5505 I just configured.

I am not running a DMZ; not sure why I would need one. But I use static config statements to route protocols like SMTP, SSH, HTTPS and WWW to certain servers inside.
It seems my firewall is decent protection, but what of my open ports that I need that are not stealthed? Is this an issue? Can a person stealth open ports, or is this not possible?
Then, are they inspected and watched for bad activity if not stealthed?
Thanks.
Come on guys, some of you guys know? I am totally new to this ASA stuff. It is fun, but I need your guidance. Thanks.
Robert

Comments

  • mikej412
    itdaddy wrote: »
    you mean noone knows how to stealth an open port?
    I guess you achieve it by closing the open port and not responding to anything, powering off the ASA, or redirecting the port traffic to a non-existent host.
    :mike: Cisco Certifications -- Collect the Entire Set!
  • Ahriakin
    If you stealth it, then how is anyone supposed to reach those services?
    If you know the allowed public hosts, then include them in your ACLs and the ports will show as closed to any host not on that list. Otherwise you're asking if you can hide the things that you have deliberately made public....

    If these are services just for yourself and you want remote access from anywhere consider setting up a VPN instead.
    If these are publicly available then consider placing an IPS inline if you can so that even though you are accepting connections you can police the data. There are also a number of things you can do on the ASA to tighten things a bit like setting up strict protocol inspection for Web, FTP and SMTP services (as long as this does not break anything offered by the servers) - The Cisco PIX/ASA Handbook 2nd edition is a great resource for working on policy-maps. Also simple things like setting tighter TCP/UDP/ICMP timeouts etc.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
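    To make the advice above concrete, here is an added configuration example; it is not from the thread or from the book mentioned, and it is written in the pre-8.3 ASA syntax since the original poster refers to `static` statements. Everything in it is an assumption for illustration: inside servers 192.168.1.10 (web), 192.168.1.20 (SSH) and 192.168.1.30 (SMTP), one trusted administrator address 203.0.113.5, and the ACL, class-map and policy-map names. It shows the three ideas in the post: restrict SSH to known source hosts with an ACL, apply strict HTTP and ESMTP inspection with policy-maps (only to the plaintext ports; the ASA cannot inspect the TLS payload on 443), and tighten connection and idle limits.

```cisco
! Added example, not from the thread. Pre-8.3 NAT syntax; all addresses,
! names and limits are placeholders chosen for illustration.

! Static PAT: publish each service on the outside interface address.
static (inside,outside) tcp interface 80  192.168.1.10 80  netmask 255.255.255.255
static (inside,outside) tcp interface 443 192.168.1.10 443 netmask 255.255.255.255
static (inside,outside) tcp interface 25  192.168.1.30 25  netmask 255.255.255.255
static (inside,outside) tcp interface 22  192.168.1.20 22  netmask 255.255.255.255

! Inbound ACL: web and mail open to anyone, SSH only from the trusted host.
! Anything else hits the explicit deny and is logged, so scans are visible.
access-list OUTSIDE_IN extended permit tcp any interface outside eq 80
access-list OUTSIDE_IN extended permit tcp any interface outside eq 443
access-list OUTSIDE_IN extended permit tcp any interface outside eq 25
access-list OUTSIDE_IN extended permit tcp host 203.0.113.5 interface outside eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

! Strict HTTP inspection: drop RFC violations and the CONNECT method
! (no reason for a public web server to act as a proxy).
policy-map type inspect http STRICT_HTTP
 parameters
  protocol-violation action drop-connection log
 match request method connect
  drop-connection log

! Strict ESMTP inspection: hide the server banner and only allow relay
! for our own domain (placeholder example.com).
policy-map type inspect esmtp STRICT_SMTP
 parameters
  mask-banner
  mail-relay example.com action drop-connection log

! Attach the inspections to the default global policy. The default policy
! already carries a plain "inspect esmtp", so remove it before replacing it.
policy-map global_policy
 class inspection_default
  no inspect esmtp
  inspect esmtp STRICT_SMTP
  inspect http STRICT_HTTP

! Connection limits on the published services to blunt SYN floods and
! a single client hogging the servers. Permit-only ACL for the class-map.
access-list PUBLISHED_SVCS extended permit tcp any interface outside eq 80
access-list PUBLISHED_SVCS extended permit tcp any interface outside eq 443
access-list PUBLISHED_SVCS extended permit tcp any interface outside eq 25
class-map PUBLISHED_TCP
 match access-list PUBLISHED_SVCS
policy-map OUTSIDE_POLICY
 class PUBLISHED_TCP
  set connection conn-max 200 embryonic-conn-max 50 per-client-max 20 per-client-embryonic-max 5
service-policy OUTSIDE_POLICY interface outside

! Tighter idle timeouts than the defaults (conn 1:00:00, half-closed 0:10:00,
! udp 0:02:00) so abandoned sessions leave the state table sooner.
timeout conn 0:30:00 half-closed 0:05:00 udp 0:01:00 icmp 0:00:02
```

    One caveat on what a scanner sees: by default the ASA drops denied packets silently and sends no TCP RST, so ports that are not permitted for the scanning host show up as filtered rather than closed. If you really want them reported as closed, `service resetoutside` makes the ASA send a RST for denied TCP traffic arriving on the outside interface; either way the open services themselves remain visible, which is the point of the post above.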
  • itdaddy
    Ahriakin

    Thanks a lot. I appreciate what you have said. That really opens my eyes. I will try to find that book. Yeah, I am setting up VPN now, the SSL one. I think it is cleaner.
    I wasn't sure. I know many systems have open ports for services running and I just wanted to make sure I wasn't too far off. I do know they need to be open for services to run,
    and I will look into inspection policies. Thanks ;)


    Mike:

    You are a funny guy! I believe everything you say. And I have pulled that stick out too! hahahha hahahahah hah
    You kill me! Your guidance is fantastic! hahah You should do standup! haha

    Robert ;)
  • mikearama
    mikej412 wrote: »
    I guess you achieve it by... powering off the ASA.

    Here we call that the "super-duper-stealthy-maximum-security" mode... works like a charm! Stops them bad guys cold!
    There are only 10 kinds of people... those who understand binary, and those that don't.

    CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

    Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.
  • gojericho0
    itdaddy,

    When you are playing around with stuff you'll quickly realize the delicate balance between functionality and security. Seems like you are off to a good start, though.
  • shednik
    Ahriakin wrote: »
    The Cisco PIX/ASA Handbook 2nd edition is a great resource for working on policy-maps. Also simple things like setting tighter TCP/UDP/ICMP timeouts etc.

    Is this the book you are referring to?

    Amazon.com: Cisco ASA, PIX, and FWSM Firewall Handbook (2nd Edition) (Networking Technology: Security): Dave Hucaby: Books