Port Monitors...

Networking/Security Forums -> Firewalls // Intrusion Detection - External Security

Author: Skygee    Location: Bay Area, CA USA    Posted: Mon Nov 01, 2010 12:34 am    Post subject: Port Monitors...
    ----
Anyone know a brand/model number of port monitor able to detect connection & intrusion attempts without opening or exposing any ports?

Author: CoreDefend    Location: USA    Posted: Fri Nov 05, 2010 5:18 pm    Post subject:
    ----
Most intrusion detection systems have this capability.

It depends where you are placing the IDS and what you need it to monitor.

For example, if you are monitoring inbound Internet traffic that is allowed by your firewall, the traffic simply passes through the IDS/IPS for inspection.

Typically, the only ports that are opened are internal ones, for the web admin interface and maybe the database connection (if the DB is on a separate server).

Author: abrahamj    Posted: Thu Dec 02, 2010 5:24 am    Post subject:
    ----
You could try Ax3soft sax2; it is a professional network intrusion prevention (IPS) and intrusion detection system (IDS) that detects a variety of attacks, including SQL injection attacks, worms, backdoor Trojans, ARP spoofing, CGI/WWW attacks, DoS/DDoS, password guessing and so on. For more information, please visit http://www.ids-sax2.com/index.asp

Author: Skygee    Location: Bay Area, CA USA    Posted: Sun Dec 05, 2010 12:42 am    Post subject: Many thanks...
    ----
abrahamj wrote:
You could try Ax3soft sax2; it is a professional network intrusion prevention (IPS) and intrusion detection system (IDS) that detects a variety of attacks, including SQL injection attacks, worms, backdoor Trojans, ARP spoofing, CGI/WWW attacks, DoS/DDoS, password guessing and so on. For more information, please visit http://www.ids-sax2.com/index.asp


I'll need to research it more (reviews, system requirements, etc.) but it looks exactly like what I'm needing!

Author: Skygee    Location: Bay Area, CA USA    Posted: Sun Dec 05, 2010 12:49 am    Post subject: Thanks for your answer...
    ----
CoreDefend wrote:
Most intrusion detection systems have this capability.

It depends where you are placing the IDS and what you need it to monitor.

For example, if you are monitoring inbound Internet traffic that is allowed by your firewall, the traffic simply passes through the IDS/IPS for inspection.

Typically, the only ports that are opened are internal ones, for the web admin interface and maybe the database connection (if the DB is on a separate server).


Was researching this, and stumbled onto a site (www.grc.com) that suggested most port monitors open various ports to lure hackers, and only a few port monitors have more secure means of testing. If you've time, could you take a look-see on that site, and let me know if it's accurate or not?

Author: capi    Location: Portugal    Posted: Sun Dec 05, 2010 5:45 am    Post subject: Re: Thanks for your answer...
    ----
Skygee wrote:
Was researching this, and stumbled onto a site (www.grc.com) that suggested most port monitors open various ports to lure hackers, and only a few port monitors have more secure means of testing. If you've time, could you take a look-see on that site, and let me know if it's accurate or not?

I take it you refer to this page on Steve Gibson's GRC site.

Do NOT be fooled by the technobabble pseudo-terms and slick presentation... the GRC website is full of hype, misinformation, half-truths and -- in some places -- outright lies. I cannot begin to tell you how dangerous I (and anyone else who knows enough about IT to be able to tell when they're being BSed) consider that site to be, especially for someone who is new and trying to learn about computers and security in general. The problem is that Steve Gibson proclaims himself as a guru, and he actually gets a legion of followers who blindly buy everything he says.

If you are curious about some of this, try reading this thread for starters, followed by Steve Gibson invents broken SYNcookies or Dissecting GRC's NanoProbes, to name a couple of links. Really, just read the October 2000 version of GRC's own NanoProbes page... it's a bloody joke all by itself. He actually has the nerve to say "This has never been done" when he's just aping what port scanners had done for years before him... nmap already did three times as much as his NanoProbes back then, and it had been in existence for over three years.


Let's take a look at some quotes from that "Evil Port Monitors" page which you've read...
GRC wrote:
But many companies are leveraging customer ignorance and trading on hype. With much less investment in technology and much more in marketing, they are taking advantage of Internet security hysteria to score a fast buck.

This is beyond ironic, when the GRC website is pretty much the definition of hype and hysteria applied to customer ignorance.

GRC wrote:
"Ports" are just what they sound like: PORTALS into your computer. Entry points to give intruders a foothold.

Uh, no. A TCP port is a means of inter-process communication. It's a channel through which a program running on one computer (like a web browser) can talk to a program running on another computer (like a web server). A TCP port, by itself, doesn't do or provide anyone with anything. The only thing that matters is what kind of program you're running on your computer that wants to use that port, and what it plans to send or receive through it. A TCP port is as dangerous to your computer as a telephone is to you; what matters is who's holding the telephone, and how the conversation goes.

I should probably do a parenthesis to explain a little why Steve Gibson worries so much about open ports, closed ports and what he calls "stealth" ports. In other pages of the GRC website, he writes in bright colored letters that TCP ports should be "stealthed" and that you're supposedly terribly vulnerable to attackers if you don't do that. Well, that's just nonsense.

TCP ports are communication mechanisms; they can either be in an open state, or a closed state. For a port to be in the open state, a program has to be running on your computer to open it. The port will accept incoming packets and deliver them to the program. When a port is in the closed state, that means no program is using it; any incoming packets will be rejected, with an error message sent back. What Steve Gibson argues is that this error message "reveals your presence" and that you should "stealth" your ports. "Stealthing" simply means filtering the incoming packets so that they are dropped before reaching the part of the operating system that would send back the error message. Of course, the accurate description is less exciting than the stealth ninjas and whatnot...

Filtering (stealthing) ports may have a marginal effect on your visibility to a very low skilled attacker. However, that's as far as it goes: if you don't have any server software listening on a given port, and just send the error message back, there is absolutely nothing more that the attacker can "do" to the port. He can't "force it open" or "jam his foot in" or whatever GRC implies.

In fact, the truth is that regardless of all the filtering you do on your computer individually, you still can't stop a half-skilled attacker from easily detecting whether there is an online computer behind your IP... unless your ISP does some filtering at their level, the attacker simply has to ping your IP and see if he gets back a "destination host unreachable" message from your ISP's routers. If your computer is online and sending normal Internet traffic (browsing, email, etc.), your ISP's routers will know (because you're talking to them). If you're not online, your ISP's routers will be unable to find you, so they will send back an error message to the attacker saying "sorry, I don't know what to do with your packets". Unless your ISP does their own filtering, the attacker knows that as long as he doesn't receive the error from their routers, your computer is there. So much for the "stealth"...

By the way, for a real (albeit rather technical) explanation of TCP ports, filters, firewalls and how all of this comes together to make the Internet work, read my post IPC: Ports, Services and Connections Explained.


GRC wrote:
When viewed from across the Internet, computers running Evil Port Monitors give the appearance of being the Grand Central Station of servers with a wide array of exploitable resources. [...]

In this paragraph he just describes a honeypot and he actually manages to give a pretty good idea of why these things are useful for a security professional trying to trap a cracker or detect new exploits in the wild. Except he chooses to call it a "technologically challenged port monitor" and proceeds to explain how home users shouldn't do that. Yeah, I can call a hammer a "technologically challenged spoon" and explain how you shouldn't try to use a hammer to eat your soup. It still doesn't make the hammer any less useful for what it's meant to do.


GRC wrote:
Using one of these so-called monitors is like leaving your front door unlocked and slightly ajar in the hopes of catching a burglar: You might well lure someone into your home, but then you have an entirely different problem!

Uh, no. Using a program which behaves like a honeypot is like having a bunch of fake doors on your house and when the burglar opens them, all he finds is a wall behind. It's not the best approach for the home owner (it's more useful if you're the police and trying to catch the burglar coming in). Still, it certainly doesn't have anything to do with letting anyone inside of anything.


GRC wrote:
But it doesn't have to be that way! By comparison, high-quality port monitors — which do exist but are not free — can sense connection and intrusion attempts without opening or exposing any ports.

And here we just have a flat-out lie. I happen to know a thing or two about what I'm talking about here... I not only administer and configure enterprise routers and firewalls for a living, but I also do system programming. Any one of a number of Windows-based software firewalls does that and has done so for many years. Agnitum Outpost does that; ZoneAlarm does that; any McAfee/Symantec/whatever security bundle you find nowadays does that. Even the Windows Firewall that comes built in for free since Windows XP SP3 can block connection attempts without opening or "exposing" any ports (presumably, "exposing" here means un-"stealthing").

All this not even to mention the built-in firewalls in quality operating systems such as GNU/Linux, FreeBSD, NetBSD or OpenBSD... I happen to be using iptables (which is free) on GNU/Linux (which is also free) on my computer as I type this post... According to GRC, my computer doesn't exist. Nor do more than half of the servers on the Internet, or many core routers and traffic filters based on GNU/Linux.

If you're interested in details about the design of Windows-based software firewalls, you might find the following articles I wrote interesting: Software Firewalls: Made of Straw? Part 1 of 2 and Software Firewalls: Made of Straw? Part 2 of 2.


Bottom line... GRC may be fun for a few chuckles, but take what you read with a very large grain of salt. There is much hype, self-promotion, inaccuracy, ignorance and flamboyant braggery on that site. On another page, he makes the ridiculous claim of having written no more, no less than a full IP stack, a TCP implementation (which he refers to as a "custom super-hardened TCP protocol"), a UDP implementation, and an HTTP web server. All of it from scratch, in assembly. And then he wrote the underlying ARP and ICMP protocols, from scratch, in assembly. Obviously because he had nothing better to do (ARP and ICMP are so absurdly simple when compared to any of the other components that it would just be silly to waste time reinventing them, let alone doing so in assembly). And then he re-created the Earth, hand-picking the molecules one by one -- because that's about as ridiculous as anyone even wanting to write any of the above components in assembly, let alone being foolish enough to try to do it. As in, real-life operating systems don't do it, because it would take ungodly amounts of man-hours and there are far better (and far less error-prone) languages to use for those tasks. Even if you did find the 10,000 programmers you'd need, they'd still produce a heap of unmaintainable junk. Good luck finding the bugs in that code...
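Added example, not written by any poster in this thread: a small Python script that shows the three TCP port states capi describes (open, closed, and filtered or "stealthed") as they appear to the connecting peer, using only the loopback interface, plus a function that encodes the post's reasoning about why a silent (filtered) host is still distinguishable from an absent one. The loopback listener, the `probe_loopback_port` helper and the reply strings fed to `host_behind_ip` are constructed for this demonstration; the ISP-filtering caveat from the post applies to `host_behind_ip` as well.

```python
"""Added example: what open, closed and filtered ("stealthed") TCP ports look
like from the peer's side, and why dropping packets alone does not hide a host.
Uses only 127.0.0.1; no external network is touched."""
import socket
from enum import Enum


class PortState(Enum):
    OPEN = "open"          # SYN/ACK came back: a program is listening
    CLOSED = "closed"      # RST came back: no program, but the OS answered
    FILTERED = "filtered"  # nothing came back: packets dropped before the stack replied


def probe_loopback_port(port, timeout=1.0):
    """TCP-connect to 127.0.0.1:port and report the state the peer observes.

    ConnectionRefusedError is the userland face of the RST a closed port sends;
    a timeout is what a firewall DROP rule (GRC's "stealth") looks like."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect(("127.0.0.1", port))
            return PortState.OPEN
        except ConnectionRefusedError:
            return PortState.CLOSED
        except socket.timeout:
            return PortState.FILTERED


def demo_open_then_closed():
    """Start a listener, probe it (open), stop it, probe again (closed).

    Returns the two observed states. Constructed demo: port 0 asks the OS
    for any free port, so nothing on the machine is assumed to be running."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_listening = probe_loopback_port(port)
    after_close = probe_loopback_port(port)  # same port, no listener: RST
    return while_listening, after_close


def host_behind_ip(probe_replies):
    """Encode the post's argument about filtering and visibility.

    probe_replies: replies seen for several probes sent to one IP, each one of
    "syn-ack", "rst", "icmp-host-unreachable" or None (silence). These are
    constructed labels, not packets. Returns "present", "absent" or
    "present-but-filtering". As the post says, this assumes the ISP's routers
    are not themselves filtering."""
    if any(r in ("syn-ack", "rst") for r in probe_replies):
        return "present"               # the host's own TCP stack answered
    if "icmp-host-unreachable" in probe_replies:
        return "absent"                # the ISP router could not deliver at all
    return "present-but-filtering"     # silence, yet no router error: someone is there


if __name__ == "__main__":
    print("loopback listener, then no listener:", demo_open_then_closed())
    # Constructed traces for three hosts: answering, unplugged, fully filtered.
    for trace in (["rst", None], ["icmp-host-unreachable", None], [None, None, None]):
        print(trace, "->", host_behind_ip(trace))
```

The first probe returns `PortState.OPEN` while the listener exists and `PortState.CLOSED` the moment it is gone, which is the "error message sent back" in the post. A `FILTERED` result cannot be produced on loopback without a packet filter, but a DROP rule on any host makes the probe time out exactly as the `socket.timeout` branch expects; `host_behind_ip` then shows that this silence, without a router's unreachable message, is itself the tell the post describes.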


