Security Basics mailing list archives

RE: an error in the NMAP docs?


From: "Fields, James" <James.Fields () bcbsfl com>
Date: Tue, 5 Apr 2005 08:39:36 -0400

The nmap docs are referring to an unusual but possible firewall
configuration that would be in use only on the most basic of
packet-filtering firewalls (i.e. no stateful inspection capabilities at
all).  There are some operations that come *from* established ports.
DNS zone transfers should be requested *from* port 53 for example; and
normal "non-passive" FTP connections create a connection FROM the server
FROM port 20 back to an ephemeral port on the client for data transfers.
Since there is no way to predict the necessary client ports, you'd allow
(under this type of system) connections FROM port 20 to ALL high ports
inbound.  Obviously modern firewalls have many more capabilities like
scanning FTP control connections to monitor for clients advertising port
numbers...

-----Original Message-----
From: Michael Herz [mailto:mherz () uwaterloo ca] 
Sent: Friday, April 01, 2005 11:05 AM
To: security-basics () securityfocus com
Subject: an error in the NMAP docs?

Hi all,

Is there an error in the NMAP docs? The --source_port section says:

"Many naive firewall and packet filter installations make an exception in
their rule-set to allow DNS (53) or FTP-DATA (20) packets to come through
and establish a connection. Obviously this completely subverts the security
advantages of the firewall since intruders can just masquerade as FTP or
DNS by modifying their source port."

This implies that the hole in a packet filtered machine exists if it has
allowed inbound DNS or FTP connections. I don't believe this is true. I
think the hole only exists if the machine has allowed outbound (i.e. client)
connections from the machine. For example if the machine allowed outbound
DNS client requests to the world, using --source_port 53 would exploit the
hole.

Any comments would be appreciated.
Mike


------------------------------------------------------------------------
---
Earn your MS in Information Security ONLINE
Organizations worldwide are in need of highly qualified information
security 
professionals.  Norwich University is fulfilling this demand with its MS
in 
Information Security offered online.  Recognized by the NSA as an 
academically excellent program, NU offers you the opportunity to earn
your 
degree without disrupting your home or work life.

http://www.msia.norwich.edu/secfocus_en
------------------------------------------------------------------------
----

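As an added illustration of the three firewall generations this thread contrasts (this is constructed example code, not nmap's code and not anything either poster wrote), here is a small Python model of the naive stateless rule the nmap docs describe, the same rule with a TCP "established" (ACK) check, and a stateful filter that has learned the FTP data port from the control channel. All packets, port numbers and filter state are constructed.

```python
from dataclasses import dataclass

EPHEMERAL = range(1024, 65536)

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False   # TCP SYN flag set
    ack: bool = False   # TCP ACK flag set

def naive_filter(pkt, state):
    """The rule the nmap docs describe: anything sourced from DNS (53) or
    FTP-DATA (20) toward a high port is admitted, TCP flags ignored."""
    return pkt.src_port in (20, 53) and pkt.dst_port in EPHEMERAL

def established_filter(pkt, state):
    """Same rule, but TCP must carry ACK (the 'established' keyword of classic
    stateless ACLs): a bare SYN is a new inbound connection, not a reply.
    UDP has no flags, so DNS replies still pass without any state."""
    if not naive_filter(pkt, state):
        return False
    return pkt.proto == "udp" or pkt.ack

def stateful_filter(pkt, state):
    """Stateful model: a SYN from port 20 passes only to a data port the FTP
    control-channel inspector saw the client advertise; a DNS reply passes
    only to a port with an outstanding query; other TCP must match a session."""
    if pkt.proto == "udp" and pkt.src_port == 53:
        return pkt.dst_port in state["dns_queries"]
    if pkt.proto == "tcp" and pkt.src_port == 20 and pkt.syn and not pkt.ack:
        return pkt.dst_port in state["ftp_data_ports"]
    return pkt.proto == "tcp" and pkt.ack and pkt.dst_port in state["tcp_sessions"]

# Constructed traffic: two spoofed-source-port probes aimed at a high service
# port, then the three kinds of legitimate traffic the exceptions exist for.
PACKETS = {
    "probe_src53":   Packet("tcp", 53, 8080, syn=True),
    "probe_src20":   Packet("tcp", 20, 8080, syn=True),
    "dns_reply_udp": Packet("udp", 53, 40000),
    "ftp_active":    Packet("tcp", 20, 41000, syn=True),            # server opens data conn
    "tcp_reply":     Packet("tcp", 53, 42000, syn=True, ack=True),  # SYN/ACK to our SYN
}
# Constructed filter state, as a stateful engine would have learned it.
STATE = {"dns_queries": {40000}, "ftp_data_ports": {41000}, "tcp_sessions": {42000}}
FILTERS = {"naive": naive_filter, "established": established_filter, "stateful": stateful_filter}

def verdicts():
    """Map each filter name to {packet name: admitted?}."""
    return {n: {p: f(pkt, STATE) for p, pkt in PACKETS.items()} for n, f in FILTERS.items()}
```

Running `verdicts()` shows the naive rule admitting both probes, the ACK check closing the spoofed-port hole but also breaking active-mode FTP, and only the stateful filter admitting all the legitimate traffic while rejecting both probes.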