Pix ASA hide ports for portscan?

Discussion in 'Cisco' started by Edwin, May 30, 2008.

  1. Edwin (Guest)

    Hi All,

    I have configured a Pix ASA and opened some ports to dmz and inside for
    e.g. mail, www and rdp.

    Is it possible to have the pix hide these open ports from portscans
    originated from outside? If so, how can it be done?

    Thanks in advance

    Edwin
     
    Edwin, May 30, 2008
    #1

  2. Uli Link (Guest)

    Can be done by ACL denying access to these ports or by shutting down the
    WAN interface ;-) This is most probably not what you want.

    If your PIX refuses to connect to the port, the listener of the daemon on the
    DMZ server will not be reachable anymore from the outside. This is due
    to the nature of TCP and not related to any special firewall.
     
    Uli Link, May 30, 2008
    #2

  3. Edwin (Guest)


    I fully agree with you. Something needs to respond to requests for a
    certain port.
    I was actually hoping that the Pix had some feature that deals with certain
    characteristics of a portscan. Portscans are recognizable in general... but
    maybe not by a Pix?
     
    Edwin, May 30, 2008
    #3
  4. Charles N Wyble

    So I know that with IPTABLES you can do things like reject access after
    certain connection attempts in a specific time frame from the same IP or
    any other combination you can dream up. I presume that is what you want?
    I am not sure if the PIX can do this or not.

    There are millions of port scans performed on a daily basis. It's much
    noise.

    If I am after your network, a quick gander of the nmap manual page gives
    me several ways to get around you blocking me. And I probably wouldn't
    compromise your network from the same netblock I am scanning you from.

    I will say that restricting access to ports can backfire on you.

    If I want to give you a really bad day, I'll just hijack some class C
    (and maybe a couple of class B) subnets and do a really aggressive NMAP
    scan from a wide variety of compromised hosts and sit back and smile as
    your customer support line rings off the hook. :)

    I would look at rate limiting and other measures before implementing
    something like automated port blocking.

    If this is a Linux box you can always use portsentry. It may have been
    ported to other versions of UNIX, not sure.

    Windows may have something similar, not sure.


    Charles
     
    Charles N Wyble, Jun 3, 2008
    #4
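Added example, not from the thread or any of the posters: a small Python routine that applies the "N attempts from one IP within a time frame" rule Charles describes for iptables to firewall deny logs, flagging any source that touches several distinct destination ports inside a short sliding window. The log lines, addresses and the year assumed for the syslog timestamps are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed iptables-style deny lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
May 30 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
May 30 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
May 30 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
May 30 10:00:02 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
May 30 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
May 30 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
May 30 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
May 30 10:05:00 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=22
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ [\d:]+) .*?SRC=(\S+) .*?DPT=(\d+)")
LOG_YEAR = "2008"  # syslog omits the year; assumed for the constructed sample

def parse_line(line):
    """Return (timestamp, src_ip, dst_port), or None if the line is not a deny."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), int(m.group(3))

def find_scanners(log_text, window_s=10, port_threshold=5):
    """Map each source IP that touched >= port_threshold distinct destination
    ports inside any window_s-second sliding window to its sorted port list."""
    recent = defaultdict(deque)  # src -> (timestamp, port) pairs still in window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, src, port = parsed
        q = recent[src]
        q.append((ts, port))
        while (ts - q[0][0]).total_seconds() > window_s:  # expire old entries
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= port_threshold:
            flagged[src] = sorted(ports)
    return flagged

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: ports {ports}")
```

Tune window_s and port_threshold to the noise level of the link; a source that only ever probes one published port (the second address above) is never flagged, which keeps ordinary retries out of the alert.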
