Skip to main content
NetWerx
NetWerx
New Member
December 17, 2013
Question

Stealth Ports

  • December 17, 2013
  • 6 replies
  • 12742 views
On my old router, the firewall had a checkbox to stealth all ports. Instead of reporting that a port was closed, if set, it would not issue a response at all. As such, the router, and the network behind it, was invisible to the Internet. Port Scans would not get a response on Port 113, or otherwise. How do I accomplish the same thing on FortiOS? I understand there is an option to ignore Pings from the WAN, and I can forward Port 113 to an unused address, but how about other ports? Am I missing a setting somewhere? Is there an easy way to make the Fortigate invisible? I read somewhere that the IPS signatures will detect and prevent Port Scans, but if I don' t opt for the UTM services, am I exposed? Any advice or guidance would be appreciated.

    6 replies

    emnoc
    emnoc
    New Member
    December 17, 2013
    Have you looked at the interface set ident-accept disable| enable command? Enable or disable passing ident packets (TCP port 113) to the firewall policy. If set to disable, the FortiGate unit sends a TCP reset packet in response to an ident packet. look here, but I think this what your talking about http://docs.fortinet.com/cb/html/FOS_Cookbook/Install_advanced/cb_enhance_security.html Oh the other question; am I exposed ? The real question is exposed to what? What risked do you deem your network and security appliance has? You can always schedule a port sweep and vulnerability test to your network and firewall appliance. I find that disable remote admin on the untrust/external or if ssh is required, move it to a non well known port Ensure that all fwpolices are check and primary the ordering Disable weak ciphers Bascially everything in that link should look at deploying and with regulary checks and audits. just my 2 cts
    NetWerx
    NetWerxAuthor
    New Member
    December 17, 2013
    Thanks for the info! Wouldn' t sending a TCP Reset in response to an Ident packet tell the sender that there is a network present at the IP address targeted? Is this any different than having the router return a Port Closed response? By exposed, I was referring to having my network completely hidden from port scans or probes from the WAN side. I am not hosting any servers and do not want any ports exposed to the Internet. On other lesser SPI routers, as I mentioned in my original post, I can accomplish this with a single check-box. I am concerned that with all the configuration options available, I will not be able to properly lock-down my environment.
    netmin
    netmin
    New Member
    December 17, 2013
    I would suggest to take a look at local-in policies for ports which respond to requests due to implicit defaults.
    emnoc
    emnoc
    New Member
    December 18, 2013
    I hope this answer your questions
    Wouldn' t sending a TCP Reset in response to an Ident packet tell the sender that there is a network present at the IP address targeted? Is this any different than having the router return a Port Closed response? You have this backwards, with ident enable it won' t send a tcp-reset. You enable it per interface and the default is disable . With it disable, it sends a tcp-reset response such as this from probes; sudo tcpdump -nnnn -vvv -i ppp0 src net 192.16.153 tcpdump: listening on ppp0, link-type PPP (PPP), capture size 65535 bytes 06:03:40.001204 IP (tos 0x0, ttl 32, id 40446, offset 0, flags [none], proto TCP (6), length 40) 192.16.153.5.113 > 10.1.49.98.50534: Flags [R.], cksum 0x3a1e (correct), seq 0, ack 3493808439, win 0, length 0 By exposed, I was referring to having my network completely hidden from port scans or probes from the WAN side. I am not hosting any servers and do not want any ports exposed to the Internet. Will in that case , you want to drop port 541 also, than the fortigate will sit quietly With 514/tcp open 06:13:22.551278 IP (tos 0x80, ttl 56, id 49378, offset 0, flags [DF], proto TCP (6), length 52) 192.16.153.5.541 > 10.1.49.98.50621: Flags [.], cksum 0xd812 (correct), seq 85, ack 6, win 5792, options [nop,nop,TS val 97668268 ecr 294822558], length 0 06:13:22.552171 IP (tos 0x80, ttl 56, id 49379, offset 0, flags [DF], proto TCP (6), length 59) 192.16.153.5.541 > 10.1.49.98.50621: Flags [P.], cksum 0x7b0c (correct), seq 85:92, ack 6, win 5792, options [nop,nop,TS val 97668268 ecr 294822558], length 7 06:13:22.552202 IP (tos 0x80, ttl 56, id 49380, offset 0, flags [DF], proto TCP (6), length 52) 192.16.153.5.541 > 10.1.49.98.50621: Flags [F.], cksum 0xd80a (correct), seq 92, ack 6, win 5792, options [nop,nop,TS val 97668268 ecr 294822558], length 0 06:13:22.857135 IP (tos 0x80, ttl 56, id 34511, offset 0, flags [none], proto TCP (6), length 40) 192.16.153.5.541 > 10.1.49.98.50621: Flags , cksum 0xe61f (correct), seq 3787753917, win 0, length 0 ( you disable it here ) config system central-management set status disable set type fortimanager set auto-backup disable set schedule-config-restore enable set schedule-script-restore enable set allow-push-configuration enable set allow-pushd-firmware enable set allow-remote-firmware-upgrade enable set allow-monitor enable set fmg ' ' set vdom " root" set authorized-manager-only enable unset serial-number end FWIW: To validate, open a telnet to a unused port on your firewall, monitor for any noise such as reset or icmp port unreachables using tcpdump or a portscanner On other lesser SPI routers, as I mentioned in my original post, I can accomplish this with a single check-box. I am concerned that with all the configuration options available, I will not be able to properly lock-down my environment.
    Not sure what you mean by SPI, but typically a router is not a firewall unless it' s running some type of stateless-firewall ( e.g cisco ZBFW advancesecurity , etc… ) I would not compare the 2. What you should be more concern with are the policies that you active have open allow traffic inbound and securing the hosts that are using such fwpolicies. A firewall no matter how good it is, don' t fix host specific problems or weak secure practices :) Any have good person can figure out a firewall is in place via traceroute. Just following that link, it provides some good practices. And no matter if it' s a fortigate/cisco/juniper or iptables.
    netmin
    netmin
    New Member
    December 18, 2013
    To get an additional overview of how a Fortigate itself may/does communicate with other devices by default, we found this KB article helpful. (btw. SPI is referring to stateful packet inspection)
    emnoc
    emnoc
    New Member
    December 18, 2013
    Another useful command for port listeners and active sessions status; diag sys tcpsock It can provide alot of good information.
    Terms & ConditionsAccessibility statement