
Re: [cobalt-security] Security concern or not?



Thanks for the info.  It seemed a little flakey.  I'm checking into having
them run a different scan.

One thing I did notice was that finger is running.  How would I disable it?
I know Linux would use rc.d scripts.  Is it the same for the Cobalt?

-Scott

> From: Damian Gerow <dgerow@xxxxxxxxxxx>
> Reply-To: dgerow@xxxxxxxxxxx
> Date: Tue, 31 Oct 2000 15:35:22 -0500
> To: cobalt-security@xxxxxxxxxxxxxxx
> Subject: Re: [cobalt-security] Security concern or not?
> 
> 
> On Tuesday, October 31, 2000, at 03:11 PM, Scott Genevish wrote:
> 
>> The training department recently got our IT department to install a RaQ 3i
>> for us so we can host our training site, with the caveat that we support it
>> ourselves. 
>> 
>> They did a port scan using CyberCop's TCP FIN scan.  The definition of this
>> scan by CyberCop is:
>> 
>> "This check can be used as a much faster alternative to regular TCP port
>> scanning. This check scans a target host for listening TCP ports by
>> observing how the target replies to a TCP FIN packet. Because the target
>> host replies only when a FIN is sent to a non-listening port, and not
>> when a FIN is sent to a listening port, the scanner can infer which
>> ports are being listened on. Because ports are checked without actually
>> initiating a TCP connection, this type of scan is sometimes referred to
>> as a "stealth" scan.
>> "The drawback in using this method is that it may be unreliable due to
>> packet loss on the network and differing behavior of different target
>> systems. Because this method assumes that a target port is listening
>> whenever a reply is not received, it is particularly prone to packet
>> loss. As a result this scan may mistakenly report some non-listening ports
>> as being active."
>> 
>> This scan shows EVERY port open on the server.  Is this correct?  How can I
>> shut some of these down?
>> 
>> Thanks, 
>> 
>> -Scott 
> 
> FIN scans are, from my experience, ENTIRELY unreliable.  I wasn't aware that
> they were called "stealth" - usually SYN scans are (at least in the nmap
> world.)  My view on CyberCop is that it's quite bloated and doesn't always do
> what you want it to.  If you want to see open ports, and you're on the same
> LAN, there's no problem with using a full TCP connect scan.  To be a bit more
> stealthy, choose SYN scan.  To walk firewall rules (on non-stateful firewalls,
> I believe), use the ACK scan (if CyberCop still supports it).
> 
> BTW: What version are you running?
> 
> If all you want to do is portscan, use nmap (http://www.insecure.org/nmap).
> It's an incredibly useful tool.
> _______________________________________________
> cobalt-security mailing list
> cobalt-security@xxxxxxxxxxxxxxx
> http://list.cobalt.com/mailman/listinfo/cobalt-security
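
The inference rule in the CyberCop description quoted above, modelled as an added example (not part of the original messages and not CyberCop's code). It sends no packets; it only simulates how "no reply means listening" behaves under loss. The port range, the listening set and the loss rates are constructed, and `answers_fin=False` is an assumed case standing in for a target or filter that never answers a FIN.

```python
import random

def fin_scan(ports, listening, loss=0.0, retries=1, answers_fin=True, seed=1):
    """Return the set of ports a FIN scan would REPORT as listening.

    Rule from the quoted description: a non-listening port replies to a FIN,
    a listening port stays silent, so silence is read as "listening".
    """
    reported = set()
    for port in ports:
        # Per-port random stream so a run is repeatable and retries extend it.
        rng = random.Random(seed * 100003 + port)
        got_reply = False
        for _ in range(retries):
            lost = rng.random() < loss  # probe or its reply dropped in transit
            if port not in listening and answers_fin and not lost:
                got_reply = True        # a reply proves the port is closed
                break
        if not got_reply:
            reported.add(port)          # silence is interpreted as "listening"
    return reported

def false_positives(reported, listening):
    """Ports reported as listening that are not actually listening."""
    return set(reported) - set(listening)

# Constructed sample data, not taken from the thread.
PORTS = range(1, 1025)
LISTENING = {21, 22, 25, 79, 80}

if __name__ == "__main__":
    cases = [
        ("no loss, target answers FIN", dict()),
        ("30% loss, 1 probe per port", dict(loss=0.3)),
        ("30% loss, 3 probes per port", dict(loss=0.3, retries=3)),
        ("target/filter never answers FIN", dict(answers_fin=False)),
    ]
    for label, kw in cases:
        rep = fin_scan(PORTS, LISTENING, **kw)
        fp = false_positives(rep, LISTENING)
        print(f"{label:34} reported={len(rep):4}  false positives={len(fp):4}")
```

The last case reports every probed port as listening, which is the same shape as the result described in the quoted question; a full TCP connect scan, as suggested in the reply, does not depend on silence and so avoids this failure mode.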