Firewall Wizards mailing list archives
RE: False results to DMZ
From: "David U. Haltinner" <dhaltinner () altaresources com>
Date: Tue, 24 Jan 2006 07:59:22 -0600
Actually no RSt is received. My scanner has to send the RST to close the port. The destination host does said a reset, but the firewall ignores it and makes the connection anyways. On Tue, 2006-01-24 at 14:04 +0100, Ralf.Zessin () maxpert de wrote:
Hello David, with firewalls or other security devices between scanner and target you have always a Problem with malformed IP-Packets. The behaviour depends on firewall-settings. Please check the behavior in your case with tcpdump. I assume that your pix first pretends that all ports are open and if the Ack-Flag is received ( which never comes with the syn-scan ), the real connection was established and if fails, the RST-Flag comes back. This behaviour was one kind of protection against SYN-Flood attacks . Try the following: Connection to an open port with telnet ( telnet <target> <portnum> ) With tcpdump you shoul see the normal three-way handshake Connection to a unavail port/host If you thee the three-way handshake with an additional RST Packet, you know, it works like described above. Therefore you have to use the tcp-connect() scan to check your systems. - Ralf-----Original Message----- From: firewall-wizards-admin () honor icsalabs com [mailto:firewall-wizards-admin () honor icsalabs com]On Behalf Of David U. Haltinner Sent: Friday, January 20, 2006 4:14 PM To: firewall-wizards () honor icsalabs com Subject: [fw-wiz] False results to DMZ First off, the DMZ is setup with virtual interfaces (PIX), and the scanning source is inside. The firewall allows anything IP from this scanner. If I scan most of the DMZ's, I get normal results, with all of the scans. Using NMAP, If I scan one specific DMZ, I only get results with the SYN scan and TCP window scans, AND it says every port is open (what the firewall allows). Cisco support is not being helpful. Does anyone have any idea why this is? It's weird. Im trying to automate Nessus against the DMZ servers, and its giving too many false positives about open ports. I have taken packet traces, and the only thing weird is that I am getting an ACK back for eveyr port, but they are Zero Window (TCP Window Scan brings back every port open). Any ideas? _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- False results to DMZ David U. Haltinner (Jan 20)
- RE: False results to DMZ Paul Melson (Jan 23)
- RE: False results to DMZ David U. Haltinner (Jan 23)
- <Possible follow-ups>
- RE: False results to DMZ Ralf . Zessin (Jan 24)
- RE: False results to DMZ David U. Haltinner (Jan 24)
- RE: False results to DMZ Paul Melson (Jan 23)