topic Re: Pix gives the impression that a port is open when it is not in Network Security

Pix gives the impression that a port is open when it is not

alfonso.cornejo — Mon, 11 Mar 2019 15:32:37 GMT

Hi to all,

I have this scenario, I have a pix firewall and in one DMZ i have my servers, i have allowed only the https access to one of them from the outside interface but if i make a telnet to the server for any port the firewall gives the impression that it is open.

For example if from an MS-DOS command line i try a telnet to the server to the port 1200 wich is not allowed by the firewall and is also closed in the server the MS-DOS window gets "black" wich means that the port is open but as soon as i press a key the MS-DOS window gets closed so it means that the connection was not stablished wich is correct but it gave the impresion that it was stablished.

Do you have any ideas about what could be causing this?

Thanks in advance.

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Fri, 15 May 2009 08:54:56 GMT

This is normal - the pix will just "drop" the packets silently, without sending a "reset" to the remote end indicating there was any kind of connection - basically the firewall is giving the impression of a blackhole.

If you change the TCP settings, to send a reset back - you are announcing there is something there, not allways the best approach.

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Fri, 15 May 2009 14:45:20 GMT

Hi Andrew,

Thank you very much for clearing this!...just for general knowledge how can I change that TCP settings??

Thanks in advance.

Best Regards,

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Fri, 15 May 2009 14:49:46 GMT

Sure no - OK the config you need is:-

service resetinbound

" Causes the security appliance to send TCP resets for all TCP sessions that arrive at the interface, are attempting to transit the security appliance, and are denied by the security appliance based on access lists. When this option is not selected, the security appliance silently discards the packets of all such sessions"

service resetoutside

" Causes the security appliance to send TCP resets for all TCP sessions that arrive at the least secure interface, terminate at the least secure interface, and are denied by the security appliance based on access lists. When this option is not selected, the security appliance silently discards the packets of all such sessions"

HTH>

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Fri, 15 May 2009 15:02:25 GMT

Thank's alot Andrew!

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Fri, 15 May 2009 15:05:58 GMT

np - glad to help.

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Mon, 01 Jun 2009 18:59:17 GMT

Hi Andrew,

Do you know a cisco document that confirm this??

The security department is asking me for an evidence from cisco.

Thanks in advance for your help.

Best Regards,

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Mon, 01 Jun 2009 20:33:24 GMT

Alfonso,

What device (PIX/ASA) do you have and what version of software are you running (6.x,7.x or 8.x) ?

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Mon, 01 Jun 2009 21:13:28 GMT

Hi Andrew,

PIX 7.2

Thanks

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Tue, 02 Jun 2009 14:30:17 GMT

Alfonso,

See the below URL for the version of PIX IOS you are using:-

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1290652

HTH>

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Wed, 03 Jun 2009 02:03:43 GMT

Thank you very much again Andrew!

Best regards,

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Wed, 03 Jun 2009 07:38:07 GMT

np - glad to help.

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Sat, 29 Aug 2009 05:17:29 GMT

Hi Andrew,

Just today i had the opportunity to try the commands service resetinbound and service resetoutside on my pix but there is still the situation, i mean i'm still getting the "black" screen on my MS-DOS window wich gives the impresion that the port that i'm telnet to is open when it is not.

Do you have any idea what else could be causing this??

Thanks in advance

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Sat, 29 Aug 2009 05:54:00 GMT

read the url again:-

http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/s1_72.html#wp1290652

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Sat, 29 Aug 2009 21:04:46 GMT

Hi Andrew,

I read the document again and it seems that the commands that i have to configure are:

service resetoutside

service resetinbound interface dmz

service resetinbound interface outside

But i'm still getting the same situation, do you think this may be a bug issue or anything else?

The traffic is comming from the outside interface to a DMZ.

Thanks in advance for your help.

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Sun, 30 Aug 2009 09:26:35 GMT

What exactly is your problem, I must be missing someting. I thought you did NOT want to send the rest in the tcp session - as when this happens it indicates there is a device there. Not really what you want a hacker to know - ideally you want the device ti silenty discard.

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Sun, 30 Aug 2009 16:25:10 GMT

The situation is this: i have two servers published to the internet using my pix (with a static nat) and with an access-list i have allowed access to them only to the http and smtp port but when you make a telnet lets say to the port 1024 wich is not allowed on your MS-DOS window you get a "black screen" that gives you the impresion that the port is open but it is not, actually i see the denied packets on the monitoring of the pix.

I know that the pix is blocking that traffic, wich is correct, but that impresion of the port open is causing me problems with the information security department, because they say that the "see" that i have all the ports open but they are not.

That's why i put those commands, to send the tcp reset and get the normal message when you make a telnet to an ip address to a port that is blocked.

Re: Pix gives the impression that a port is open when it is not

jan.nielsen — Sun, 30 Aug 2009 21:37:36 GMT

I'm sorry, but your security department are way off, getting a black screen in dos does not mean anything, use a port scanner, or some other tool like nmap to test with. Also, if you care about security you don't want to send tcp resets when you are blocking something, this will tell the scanner that the port is actively being blocked ie. that there is a firewall or router acl.

Re: Pix gives the impression that a port is open when it is not

alfonso.cornejo — Mon, 31 Aug 2009 13:16:39 GMT

Hi, i just did a test with nmap and the report of the scan says that "all" the ports are open (from 1 to 65535) but in the monitoring of my pix i see all the "denies" of the huge amount of ports that are blocked.

what do you think could be causing this condition?

Thanks in advance.

Re: Pix gives the impression that a port is open when it is not

andrew.prince — Tue, 01 Sep 2009 10:14:27 GMT

That is just not possible - if you have a machine on the "outside" of your firewall and ALL ports are comming back as open - then you are using nmap incorrectly.