
Re: [cobalt-security] Security concern or not?



On Tuesday, October 31, 2000, at 03:11 PM, Scott Genevish wrote:

> The training department recently got our IT department to install a RaQ 3i 
> for us so we can host our training site, with the caveat that we support it 
> ourselves. 
>  
> They did a port scan using CyberCop's TCP FIN scan.  The definition of this 
> scan by CyberCop is: 
>  
> "This check can be used as a much faster alternative to regular TCP port 
> scanning. This check scans a target host for listening TCP ports by 
> observing how the target replies to a TCP FIN packet. Because the target 
> host replies only when a FIN is sent to a non-listening port, and not 
> when an FIN is sent to a listening port, the scanner can infer which 
> ports are being listened on. Because ports are checked without actually 
> initiating a TCP connection, this type of scan is sometimes referred to 
> as a "stealth" scan. 
> "The drawback in using this method is that it may be unreliable due to 
> packet loss on the network and differing behavior of different target 
> systems. Because this method assumes that a target port is listening 
> whenever a reply is not received, it is particularly prone to packet 
> loss. As a result this scan may mistakenly report some non-listening ports 
> as being active." 
>  
> This scan shows EVERY port open on the server.  Is this correct?  How can I 
> shut some of these down? 
>  
> Thanks, 
>  
> -Scott 

FIN scans are, from my experience, ENTIRELY unreliable.  I wasn't aware that they were called "stealth" - usually SYN scans are (at least in the nmap world.)  My view on CyberCop is that it's quite bloated and doesn't always do what you want it to.  If you want to see open ports, and you're on the same LAN, there's no problem with using a full TCP connect scan.  To be a bit more stealthy, choose SYN scan.  To walk firewall rules (on non-stateful firewalls, I believe), use the ACK scan (if CyberCop still supports it).

BTW: What version are you running?

If all you want to do is portscan, use nmap (http://www.insecure.org/nmap).  It's an incredibly useful tool.
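An added example, not from the original thread: a defender-side detector for the probing technique described in the quoted CyberCop text. A TCP segment carrying FIN with no ACK never occurs in a legitimate connection (FIN is only sent on an established connection, where ACK is always set), so a source sending bare-FIN segments to many distinct ports is worth alerting on. The packet records, addresses and threshold below are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: (src_ip, dst_port, tcp_flags), a minimal
# packet-capture summary. Flags are a string of letters: S=SYN, A=ACK,
# F=FIN, R=RST.
SAMPLE_PACKETS = [
    ("192.0.2.10", 22, "S"),     # normal connection attempt
    ("192.0.2.10", 22, "A"),
    ("192.0.2.10", 22, "FA"),    # normal close: FIN+ACK, not a probe
    ("198.51.100.7", 21, "F"),   # bare FIN segments to many ports
    ("198.51.100.7", 22, "F"),
    ("198.51.100.7", 25, "F"),
    ("198.51.100.7", 80, "F"),
    ("198.51.100.7", 110, "F"),
    ("198.51.100.7", 143, "F"),
    ("203.0.113.5", 80, "F"),    # one stray bare FIN, below threshold
]


def is_bare_fin(flags: str) -> bool:
    """True for a segment with FIN set and none of ACK, SYN or RST set.

    Such a segment cannot belong to a real TCP connection, so it is a
    strong indicator of a FIN probe regardless of whether the target
    port is listening.
    """
    f = set(flags.upper())
    return "F" in f and not ({"A", "S", "R"} & f)


def find_fin_scanners(packets, min_ports: int = 5):
    """Return {src_ip: sorted distinct ports} for every source that sent
    bare-FIN segments to at least min_ports distinct destination ports.

    The threshold (assumed value, tune for your network) keeps a single
    malformed segment from raising an alert on its own.
    """
    ports_by_src = defaultdict(set)
    for src, dport, flags in packets:
        if is_bare_fin(flags):
            ports_by_src[src].add(dport)
    return {src: sorted(p) for src, p in ports_by_src.items()
            if len(p) >= min_ports}


if __name__ == "__main__":
    for src, ports in find_fin_scanners(SAMPLE_PACKETS).items():
        print(f"possible FIN scan from {src}: {len(ports)} ports {ports}")
```

Because the detector keys on the malformed segment itself rather than on the target's reply, it is not affected by the packet-loss ambiguity that makes the scan's own results unreliable.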