Locking the doors and windows to your house won’t stop someone from getting in if they are really determined. However, it is still a lot harder than opening an unlocked door or window. Breaking into a locked house takes a lot more time, and when someone forces their way in they are bound to leave marks or traces, which is often what allows you to catch or stop the intruder. Perimeter security starts in pretty much the same way – by identifying open ports, checking that they really need to be open, and ensuring that they are as secure as possible.
The search for the unlocked door:
- When a request is made to an open port on your perimeter server, the computer sends a response back letting the requester know that there is a service listening on this port. This means that anything sent to this port will be processed by a service. Back to our original scenario – the kitchen window is open.
- When a request is made to a closed port, the server replies that no service is listening on that port. So the house has been found and we know that the front door is locked, so the intruder tries another one until an open one is found.
- Finally, a “stealth” port: when a request is made, no reply is sent at all and all packets are dropped. The house cannot be located, which makes breaking in impossible. You can’t hit what you can’t see.
Note: Using Windows Firewall with Advanced Security, ports can be set to stealth, though one thing to keep in mind is that any packets that are dropped are not logged. Using iptables on Linux, packets can be set to be dropped, enabling “stealth” ports. Logging is not enabled by default, though it can be configured manually.
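As an added example (not from the article), the Python script below reads the kernel log lines that an iptables LOG rule writes when placed just before the DROP rule, and flags any source that probes many distinct ports in a short window; the DROPPED: prefix, the rule pair in the comment and the sample log lines are all constructed, and the thresholds are assumptions. This is how dropped packets can still leave the traces mentioned above.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of kernel log lines as produced by an assumed rule pair
# (not from the article):
#   iptables -A INPUT -j LOG --log-prefix "DROPPED: "
#   iptables -A INPUT -j DROP
SAMPLE_LOG = """\
Mar  3 10:15:01 edge kernel: DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41234 DPT=21 SYN
Mar  3 10:15:01 edge kernel: DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41235 DPT=22 SYN
Mar  3 10:15:02 edge kernel: DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41236 DPT=23 SYN
Mar  3 10:15:02 edge kernel: DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41237 DPT=25 SYN
Mar  3 10:15:03 edge kernel: DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41238 DPT=80 SYN
Mar  3 10:15:03 edge kernel: DROPPED: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=41239 DPT=443 SYN
Mar  3 10:15:20 edge kernel: DROPPED: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=50001 DPT=3389 SYN
Mar  3 10:16:40 edge kernel: DROPPED: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 LEN=44 PROTO=TCP SPT=50002 DPT=3389 SYN
"""

# Syslog timestamp, then the fields the LOG target emits; other lines are ignored.
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: .*?DROPPED: "
                     r".*?SRC=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)")


def parse_drops(log_text):
    """Yield (timestamp, src, proto, dport) for every DROPPED line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3), int(m.group(4))


def find_scanners(log_text, min_ports=5, window_seconds=60):
    """Return {src: sorted distinct ports probed} for every source that hit
    at least min_ports distinct destination ports within window_seconds."""
    hits = defaultdict(list)                       # src -> [(ts, dport), ...]
    for ts, src, _proto, dport in parse_drops(log_text):
        hits[src].append((ts, dport))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        start = 0                                  # sliding time window
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= min_ports:
                scanners[src] = sorted({p for _, p in events})
                break
    return scanners
```

Repeated hits on a single port (the second source above) are left alone, so a legitimate retry against one closed service does not trigger the alert.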
For anyone fooled into thinking that running these scans maliciously is difficult – it’s not! Anyone can do it with free, readily available GUI or command line tools, so a beginner or a seasoned veteran can start scanning hosts in a matter of minutes.
After a thorough port scan against a target, one can already make an educated guess about the perimeter server’s operating system based on the set of ports that are open. Once the OS is identified, this already gives a lot of information to start working with. An attacker can then research known vulnerabilities of that particular operating system and its common ports and start moving forward with an attack.
A tool like Acunetix OVS, which incorporates OpenVAS network security scanning, uses the result of a port scan to identify the OS using various techniques such as port probing, port banner grabbing and TCP/IP and OS fingerprinting to provide similar information to what would be available to an attacker.
Apart from allowing the identification of the operating system, each open port presents a possible security risk. It is therefore advisable to keep open ports to a bare minimum. In addition, all services running on a perimeter server should have a secure authentication mechanism.
Finally, keep an eye out for ports that you are not aware of – there could be Trojans that were somehow installed on the server. Acunetix will report on well-known Trojans. If you detect these, a full security audit of the server would be required.
For more information on the specifics of some of these dangers see the Acunetix blog posts below:
- Open Ports – Trojan is as trojan does
- Danger: Open Ports – Remote Access Trojans (RATs) vs Worms
- Analysis of an intrusion: DOS Attack
- How to Close Unused Ports