Re: [cobalt-security] Security concern or not?
- Subject: Re: [cobalt-security] Security concern or not?
- From: Scott Genevish <genevish@xxxxxxx>
- Date: Tue, 31 Oct 2000 15:55:49 -0500
- List-id: Mailing list for users to address network security on Cobalt products. <cobalt-security.list.cobalt.com>
Thanks for the info. It seemed a little flakey. I'm checking into having
them run a different scan.
One thing I did notice was that finger is running. How would I disable it?
I know Linux would use rc.d scripts. Is it the same for the Cobalt?
-Scott
> From: Damian Gerow <dgerow@xxxxxxxxxxx>
> Reply-To: dgerow@xxxxxxxxxxx
> Date: Tue, 31 Oct 2000 15:35:22 -0500
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] Security concern or not?
>
>
> On Tuesday, October 31, 2000, at 03:11 PM, Scott Genevish wrote:
>
>> The training department recently got our IT department to install a RaQ 3i
>> for us so we can host our training site, with the caveat that we support it
>> ourselves.
>>
>> They did a port scan using CyberCop's TCP FIN scan. The definition of this
>> scan by CyberCop is:
>>
>> "This check can be used as a much faster alternative to regular TCP port
>> scanning. This check scans a target host for listening TCP ports by
>> observing how the target replies to a TCP FIN packet. Because the target
>> host replies only when a FIN is sent to a non-listening port, and not
>> when an FIN is sent to a listening port, the scanner can infer which
>> ports are being listened on. Because ports are checked without actually
>> initiating a TCP connection, this type of scan is sometimes referred to
>> as a "stealth" scan.
>> "The drawback in using this method is that it may be unreliable due to
>> packet loss on the network and differing behavior of different target
>> systems. Because this method assumes that a target port is listening
>> whenever a reply is not received, it is particularly prone to packet
>> loss. As a result this scan may mistakenly report some non-listening ports
>> as being active."
>>
>> This scan shows EVERY port open on the server. Is this correct? How can I
>> shut some of these down?
>>
>> Thanks,
>>
>> -Scott
>
> FIN scans are, from my experience, ENTIRELY unreliable. I wasn't aware that
> they were called "stealth" - usually SYN scans are (at least in the nmap
> world.) My view on CyberCop is that it's quite bloated and doesn't always do
> what you want it to. If you want to see open ports, and you're on the same
> LAN, there's no problem with using a full TCP connect scan. To be a bit more
> stealthy, choose SYN scan. To walk firewall rules (on non-stateful firewalls,
> I believe), use the ACK scan (if CyberCop still supports it).
>
> BTW: What version are you running?
>
> If all you want to do is portscan, use nmap (http://www.insecure.org/nmap).
> It's an incredibly useful tool.
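
Added example, not part of the original thread: a small Python simulation of the inference rule in the quoted CyberCop definition (no reply means "listening"), showing how packet loss or a target that never answers FINs produces false "open" ports. The port set, loss rates and the `drops_all` switch are constructed assumptions, and no packets are sent.

```python
import random

def fin_scan(listening, ports, loss=0.0, drops_all=False, retries=1, seed=0):
    """Model the FIN-scan inference: a port is reported open when no reply arrives.

    listening  -- ports that really have a listener (constructed sample data)
    loss       -- probability that a reply is lost in transit
    drops_all  -- assumption: target (or a filter in front of it) never answers FINs
    retries    -- probes sent per port before concluding "no reply"
    """
    rng = random.Random(seed)
    reported = set()
    for port in ports:
        got_reply = False
        for _ in range(retries):
            # Per the quoted definition, only a non-listening port replies to a FIN.
            replies = (port not in listening) and not drops_all
            if replies and rng.random() >= loss:
                got_reply = True
                break
        if not got_reply:
            reported.add(port)  # silence is interpreted as "listening"
    return reported

def false_positives(reported, listening):
    """Ports the scan called open that have no listener."""
    return reported - listening

# Constructed sample host: five real listeners among ports 1-1024.
LISTENING = {21, 22, 25, 79, 80}
PORTS = range(1, 1025)

def demo():
    clean = fin_scan(LISTENING, PORTS)
    lossy = fin_scan(LISTENING, PORTS, loss=0.2)
    retried = fin_scan(LISTENING, PORTS, loss=0.2, retries=3)
    silent = fin_scan(LISTENING, PORTS, drops_all=True)
    return {
        "clean": len(false_positives(clean, LISTENING)),
        "lossy": len(false_positives(lossy, LISTENING)),
        "retried": len(false_positives(retried, LISTENING)),
        "silent": len(false_positives(silent, LISTENING)),
    }

if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:8s} false positives: {count}")
```

The `silent` case reproduces a result where every port is reported open: the scan has no way to tell a listener from a reply that never came, which is why a connect scan from the same LAN is the more reliable check.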