Security Basics mailing list archives
RE: how to block connections running on non-default ports
From: abretten () kroger com
Date: Mon, 22 Aug 2005 10:44:08 -0400
If people are trying to run SSL on a non-standard port (e.g. not tcp 443) a proxy level firewall, or in this specific example a decent web proxy with access lists, WILL block access based on port #. Even in SSL the HTTP method still has to reference the host name and non-standard port number and thus can be used as part of the ACL logic.

Andy

"The most exciting phrase to hear in science, the one that heralds new discoveries, is not 'Eureka!' but 'That's funny ...'" - Isaac Asimov

Andrew P Bretten
andrew.bretten () kroger com
Office (513) 459 9519 - 9am-5pm EST

From: "Roger A. Grimes" <roger@banneretcs .com>
To: "Niranjan S Patil" <niranjan.patil () gmail com>, <security-basics () securityfocus com>
Date: 08/18/2005 07:50 AM
Subject: RE: how to block connections running on non-default ports

This is a common issue and a proxy device is needed. By definition a proxy firewall, with a service proxy, would review and strip out all "malformed" data from a communication's stream. Unfortunately, because 443 is normally encrypted, I'm not sure how accurate any 443 proxy firewall service would be...but many firewalls let you build your own proxy filters and I'm sure you could be fairly accurate with a little research.

Also, many network traffic analyzers, like Ethereal, can sometimes not the correct traffic type even when running on non-default ports. It depends on the sniffer and the protocol.

Roger

***************************************************************************
*Roger A. Grimes, Banneret Computer Security, Computer Security Consultant
*CPA, CISSP, MCSE: Security (NT/2000/2003/MVP), CNE (3/4), CEH, CHFI
*email: roger () banneretcs com
*cell: 757-615-3355
*Author of Malicious Mobile Code: Virus Protection for Windows by O'Reilly
*http://www.oreilly.com/catalog/malmobcode
*Author of Honeypots for Windows (Apress)
*http://www.apress.com/book/bookDisplay.html?bID=281
***************************************************************************

-----Original Message-----
From: Niranjan S Patil [mailto:niranjan.patil () gmail com]
Sent: Monday, August 15, 2005 11:36 AM
To: security-basics () securityfocus com
Subject: how to block connections running on non-default ports

Hi list,

I recently noticed that our corporate IDS could not block some of the connections that are seemingly unauthorised. I launched a telnet connection to a remote server on the Internet on port 23 and it was successfully blocked by our firewall. I changed the listening port of the telnet server to 443 and launched another telnet connection on port 443. Neither our firewall nor IDS was able to block this connection.

Aren't IDS supposed to block such masqueraded connections, i.e., protocols with non-default ports? I have less knowledge on IDS, but isn't it simple for them to check packet headers and block/filter if they are not on the right protocol/port? Is this normal with all IDS?

Any help is appreciated.

--
Regards,
Niranjan S Patil
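The thread's two defensive ideas, classifying a stream by its first bytes rather than its port (as Roger says sniffers can) and an HTTP CONNECT ACL on host:port (Andy's proxy point), as an added example that is not from any poster; the function names, the expected-protocol table and the sample bytes are constructed for illustration.

```python
"""Content-based protocol checks for flows on non-default ports (constructed example)."""
import re
from typing import Optional, Tuple

IAC = 0xFF                                          # telnet "Interpret As Command"
TELNET_NEGOTIATE = {0xFA, 0xFB, 0xFC, 0xFD, 0xFE}   # SB, WILL, WONT, DO, DONT
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"CONNECT ", b"OPTIONS ")
EXPECTED_PROTOCOL = {23: "telnet", 80: "http", 443: "tls"}   # assumed site policy


def classify_payload(data: bytes) -> str:
    """Guess the application protocol from the first bytes a TCP stream carries."""
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls"            # TLS handshake record whose first message is a ClientHello
    if len(data) >= 3 and data[0] == IAC and data[1] in TELNET_NEGOTIATE:
        return "telnet"         # telnet option negotiation, e.g. IAC DO TERMINAL-TYPE
    if data.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def port_mismatch(dst_port: int, data: bytes) -> Optional[str]:
    """Return an alert string when the stream content disagrees with the port's policy."""
    seen = classify_payload(data)
    expected = EXPECTED_PROTOCOL.get(dst_port)
    if expected is not None and seen not in (expected, "unknown"):
        return f"{seen} traffic on tcp/{dst_port} (expected {expected})"
    return None


def connect_target(request: bytes) -> Optional[Tuple[str, int]]:
    """Parse host and port from an HTTP CONNECT request line (what a web proxy sees)."""
    m = re.match(rb"CONNECT\s+([^\s:]+):(\d{1,5})\s+HTTP/1\.[01]", request)
    return (m.group(1).decode("ascii"), int(m.group(2))) if m else None


def proxy_allows(request: bytes, allowed_ports=frozenset({443})) -> bool:
    """Proxy ACL: only tunnel CONNECT requests to the listed destination ports."""
    target = connect_target(request)
    return target is not None and target[1] in allowed_ports


# Constructed sample streams, not captured from any real host.
CLIENT_HELLO = bytes.fromhex("160301002c0100002803036d")   # TLS record + ClientHello header
TELNET_NEGO = bytes([IAC, 0xFD, 0x18, IAC, 0xFD, 0x20])    # IAC DO TERMINAL-TYPE, IAC DO TSPEED

if __name__ == "__main__":
    print(port_mismatch(443, TELNET_NEGO))    # telnet traffic on tcp/443 (expected tls)
    print(port_mismatch(443, CLIENT_HELLO))   # None
    print(proxy_allows(b"CONNECT example.com:8443 HTTP/1.1\r\n"))   # False
```

Telnet-on-443, the case in the original question, is flagged because the first bytes are telnet negotiation rather than a TLS record, while a CONNECT to a non-443 port is refused by the ACL before any tunnel is built.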