Interpreting the Output from an Inside-Out Scan


This really depends on your rules, but assuming you're following the basic "unless allow, deny" policy, you'll want to ensure that any traffic you see being allowed outbound matches a valid policy. For example, a DMZ web server with a firewall policy configured to only allow outbound traffic in response to web requests should never be able to connect outbound from source ports other than the ports the web server is listening on (by default, port 80 for HTTP and port 443 for HTTPS). The following output logged on Host-B shows this example policy being violated:

Note

nmap randomizes the ports it connects on, so don't be surprised when things are not sequential.


TCP Open scan: (nmap -sT -P0 -p 1-65535 Host-B)

 Host-B iplog[26016]: TCP: port 834 connection attempt to Host-B from Host-A:42259
 Host-B iplog[26016]: TCP: supfilesrv connection attempt to Host-B from Host-A:42260
 Host-B iplog[26016]: TCP: port 428 connection attempt to Host-B from Host-A:42261
 Host-B iplog[26016]: TCP: port 936 connection attempt to Host-B from Host-A:42262
 Host-B iplog[26016]: TCP: gdomap connection attempt to Host-B from Host-A:42263

SYN scan: (nmap -sS -P0 -p 1-65535 Host-B)

 Host-B iplog[26016]: TCP: SYN scan detected to Host-B [ports 691,654,689,140,288,889,918,115,151,917,...] from Host-A [port 39596] 

FIN scan: (nmap -sF -P0 -p 1-65535 Host-B)

 Host-B iplog[26016]: TCP: FIN scan detected to Host-B [ports 759,639,579,37,541,647,358,884,879,826,...] from Host-A [port 59479] 

NULL scan: (nmap -sN -P0 -p 1-65535 Host-B)

 Host-B iplog[14801]: TCP: null scan detected to Host-B (216.218.240.133) [ports 662,660,118,106,829,800,461,278,907,330,...] from Host-A [port 45662] 

XMAS Scan: (nmap -sX -P0 -p 1-65535 Host-B)

 Host-B iplog[26016]: TCP: Xmas scan detected to Host-B [ports 411,180,808,746,788,603,413,145,406,388,...] from Host-A [port 62702] 

UDP scan: (nmap -sU -P0 -p 1-65535 Host-B)

 Host-B iplog[14801]: UDP: dgram to Host-B:port 429 from Host-A (0 data bytes)
 Host-B iplog[14801]: UDP: dgram to Host-B:port 338 from Host-A (0 data bytes)
 Host-B iplog[14801]: UDP: dgram to Host-B:port 465 from Host-A (0 data bytes)
 Host-B iplog[14801]: UDP: scan/flood detected to Host-B [ports 966,478,601,906,987,677,798,864,67,712,...] from Host-A [ports 49408,49409]

Note

UDP scans are highly unreliable, and sometimes you need to run them multiple times. This is due to a great many factors; in this particular example, a UDP scan can miss open UDP ports because of timeout issues.


So the short-short version of reading this output is that if it looks wrong, it probably is. It's time to test your rules again.
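To make the policy check described above mechanical rather than eyeballed, here is an added example (not from the book and not part of iplog itself) that parses iplog lines in the formats shown in this section and flags every event whose source port falls outside the ports the originating host is allowed to use outbound. Under the "unless allow, deny" policy a host with no entry in the table is allowed no source ports at all. The sample lines, the Host-A/Host-B names, the 192.0.2.10 address and the POLICY table are constructed for the example; the regular expressions are assumptions about iplog's message formats derived only from the lines shown on this page.

```python
import re
from dataclasses import dataclass

# Constructed sample lines modelled on the iplog output shown in the text (not real captures).
SAMPLE_LOG = """\
Host-B iplog[26016]: TCP: port 834 connection attempt to Host-B from Host-A:42259
Host-B iplog[26016]: TCP: supfilesrv connection attempt to Host-B from Host-A:42260
Host-B iplog[26016]: TCP: SYN scan detected to Host-B [ports 691,654,689,140,288,...] from Host-A [port 39596]
Host-B iplog[14801]: TCP: null scan detected to Host-B (192.0.2.10) [ports 662,660,118,...] from Host-A [port 45662]
Host-B iplog[14801]: UDP: dgram to Host-B:port 429 from Host-A (0 data bytes)
Host-B iplog[14801]: UDP: scan/flood detected to Host-B [ports 966,478,601,...] from Host-A [ports 49408,49409]
Host-B iplog[26016]: TCP: port 22 connection attempt to Host-B from Host-A:443
"""

# Hypothetical policy: Host-A is the DMZ web server, so outbound packets may only
# originate from the ports it listens on. Hosts not listed get no allowance (default deny).
POLICY = {"Host-A": {80, 443}}


@dataclass
class Event:
    proto: str      # "TCP" or "UDP"
    kind: str       # "connection attempt", "SYN scan", "null scan", "dgram", "scan/flood", ...
    src: str        # originating host as iplog printed it
    sports: list    # source ports seen; empty when iplog did not record one
    dst: str
    dports: list    # destination ports; empty when iplog printed a service name instead


# Message formats assumed from the lines shown in this section.
PREFIX = r"^\S+ iplog\[\d+\]: "
CONN_RE = re.compile(PREFIX + r"(?P<proto>TCP|UDP): (?:port (?P<dport>\d+)|(?P<service>\S+)) "
                     r"connection attempt to (?P<dst>\S+) from (?P<src>[^:\s]+):(?P<sport>\d+)$")
SCAN_RE = re.compile(PREFIX + r"(?P<proto>TCP|UDP): (?P<kind>.+?) detected to (?P<dst>\S+)"
                     r"(?: \([\d.]+\))? \[ports? (?P<dports>[\d,.]+)\] from (?P<src>\S+) \[ports? (?P<sports>[\d,.]+)\]$")
DGRAM_RE = re.compile(PREFIX + r"UDP: dgram to (?P<dst>\S+):port (?P<dport>\d+) from (?P<src>\S+) \(\d+ data bytes\)$")


def _ports(text):
    """'691,654,...' -> [691, 654]; the trailing '...' iplog prints for long lists is dropped."""
    return [int(p) for p in text.split(",") if p.isdigit()]


def parse_line(line):
    """Turn one iplog line into an Event, or None when the format is not recognised."""
    m = CONN_RE.match(line)
    if m:
        # A service name such as supfilesrv would need /etc/services to resolve; left empty here.
        dports = [int(m.group("dport"))] if m.group("dport") else []
        return Event(m.group("proto"), "connection attempt", m.group("src"),
                     [int(m.group("sport"))], m.group("dst"), dports)
    m = SCAN_RE.match(line)
    if m:
        return Event(m.group("proto"), m.group("kind"), m.group("src"),
                     _ports(m.group("sports")), m.group("dst"), _ports(m.group("dports")))
    m = DGRAM_RE.match(line)
    if m:
        return Event("UDP", "dgram", m.group("src"), [], m.group("dst"), [int(m.group("dport"))])
    return None


def check_policy(log_text, policy):
    """Return one finding per event whose source port is outside the host's allowed set.

    Events with no recorded source port (UDP dgram lines) are reported as UNVERIFIABLE
    rather than silently passed, so a gap in the evidence is never mistaken for compliance."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        allowed = policy.get(ev.src, set())   # default deny: unknown host may use no port
        if not ev.sports:
            findings.append(f"UNVERIFIABLE: {ev.proto} {ev.kind} from {ev.src} to "
                            f"{ev.dst}:{ev.dports} (no source port logged)")
            continue
        bad = sorted(p for p in ev.sports if p not in allowed)
        if bad:
            findings.append(f"VIOLATION: {ev.proto} {ev.kind} from {ev.src} source port(s) {bad} "
                            f"to {ev.dst} (allowed: {sorted(allowed)})")
    return findings


if __name__ == "__main__":
    for finding in check_policy(SAMPLE_LOG, POLICY):
        print(finding)
```

Run against the constructed log, every scan entry and the two connection attempts from high ports are reported as violations, the UDP datagram line (which carries no source port) is reported as unverifiable, and the last line, a connection from source port 443, passes. Feed it your own iplog output and a policy table that mirrors your firewall rules; anything it prints is a rule that needs re-testing.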



    Troubleshooting Linux Firewalls
    ISBN: 321227239
    Year: 2004
    Pages: 169