Port scanned behind firewall???

Discussion in 'other firewalls' started by SKYBLUE, May 16, 2003.

Thread Status:
Not open for further replies.
  1. SKYBLUE

    SKYBLUE Guest

    I have a network setup. Two PCs, one Win98SE and the other WinXP Home, both connected via a Belkin router with built-in firewall and NAT, and on a cable modem.

    I also have SYGATE personal firewall on these computers.

    My question is, how can someone do a port scan on my computer and get past the Belkin, and have the SYGATE pick it up?

    Would the Belkin firewall stop the port scan before it reached the Sygate?

    In other words, are port scans supposed to be seen by the hardware firewall as well as the software firewall?

    I checked the security log on the Belkin router and it didn't show any intrusions, and it's on.

    Thanks,

    Sky :doubt:
     
  2. Finn McCool

    Finn McCool Registered Member

    Joined: Mar 3, 2003 | Posts: 49 | Location: New Orleans
    Hi, Skyblue. I doubt that your Sygate firewalls are going to see any portscan activity from outside your network as long as your router and its firewall are set up properly. So they will function mainly to protect you from rogue programs that got onto your own computers somehow. When those programs try to call home, Sygate should alert you. You can tighten up its rules a bit, e.g., limit svchost to the IPs on your network using your NAT IP range as trusted host. But your focus will be on controlling the access from your computer outbound.
     
  3. root

    root Registered Member

    Joined: Feb 19, 2002 | Posts: 1,723 | Location: Missouri, USA
    Scanning behind a router is a common problem. As far as I know, there are two ways to do it.
    You can physically bypass your router in some cases, and some even switch to a dialup connection to do the scan.
    The other possibility is if your router can forward all traffic to a DMZ, then your firewall can be scanned.
    I don't have a router so I am only passing on what I have heard others discussing. May not be worded correctly.
    What Finn McCool said is correct about the need for control of outbound traffic. As a matter of fact, I have little if any concern about someone trying to DDoS or "hack" me. I am more concerned about having a backup in case some Malware does get past my first and second line of defense.
    On a small LAN, mostly you want to be sure your ports 135-139, 445, and for XP a couple of others are not open to the net with file sharing enabled. A router usually does that quite well, I believe.
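
A defender-side check for the point above about ports 135-139 and 445, added here as an example (not code from any poster in this thread): it parses `netstat -an` output saved from a Windows PC and lists file-sharing ports bound to a non-loopback address, which are the ones an outside scan reaches if the router is bypassed or the PC sits in the DMZ. The sample output, its addresses and the function names are constructed for illustration.

```python
import ipaddress

# Ports named in the post above: 135-139 and 445.
SHARING_PORTS = set(range(135, 140)) | {445}

# Constructed sample of Windows `netstat -an` output (addresses are made up).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.2.3:139        0.0.0.0:0              LISTENING
  TCP    192.168.2.3:139        192.168.2.7:1052       ESTABLISHED
  TCP    192.168.2.3:1040       192.168.2.1:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.2.3:137        *:*
  UDP    192.168.2.3:138        *:*
"""

def parse_listeners(netstat_text):
    """Yield (proto, host, port) for TCP LISTENING sockets and bound UDP sockets."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # headers, blank lines
        if fields[0] == "TCP" and fields[-1] != "LISTENING":
            continue  # established/closing connections are not listeners
        host, _, port = fields[1].rpartition(":")
        try:
            addr = ipaddress.ip_address(host.strip("[]").split("%")[0])
            yield fields[0], addr, int(port)
        except ValueError:
            continue  # malformed local address, skip

def exposed_sharing_ports(netstat_text):
    """Return sorted (proto, host, port) for sharing ports not bound to loopback."""
    found = {(proto, str(addr), port)
             for proto, addr, port in parse_listeners(netstat_text)
             if port in SHARING_PORTS and not addr.is_loopback}
    return sorted(found)

if __name__ == "__main__":
    for proto, host, port in exposed_sharing_ports(SAMPLE_NETSTAT):
        print(f"{proto} {host}:{port} is listening beyond loopback")
```

A local address of `0.0.0.0` means the service listens on every interface, so only the router (or a software firewall rule) stands between it and the Internet.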
     
  4. Patrice

    Patrice Registered Member

    Joined: Apr 15, 2003 | Posts: 571 | Location: Antarctica
    Hi SKYBLUE,

    If you do an online port scan test, for example, it's not your computer which will be tested, but your router. If there are packets coming through and the software firewall (Sygate) picks them up, this means that the router's security isn't at 100%. That's the reason why you have Sygate installed behind the router! :D

    But to improve the security of your router, check out the vendor's site and look for a new firmware. If you don't have the latest firmware for it installed, do it! Sometimes they add additional security features to it. After that, check out the router's settings. Are they all correct? After having done all this, check out some online port scans and check your router again - especially check out port 113 (most of the routers don't stealth this special port).

    If you have done all this and you still have any questions about how to improve the security of your router, come back and let us know! ;)

    Best regards,

    Patrice
     
  5. SkyBlue

    SkyBlue Guest

    It seems as though the computer that was registering the port scans in Sygate was in the DMZ. I fixed that. However, I am wondering if the following services are harmless and should I let them have access all the time:

    NT KERNEL & SYSTEM

    LSA SHELL

    GENERIC HOST PROCESS FOR WIN 32 SERVICES

    COMMON CLIENT CC APP

    ?

    THANKS

    SKY
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined: Aug 10, 2002 | Posts: 17,876 | Location: New England
    Hi SkyBlue,

    The common wisdom is to first try to block all these OS services, just to see if everything still works properly. If everything works, then all is well and you leave them blocked.

    If not, try giving them just the ability to connect outbound to the network, but don't allow them to receive unsolicited inbound connections from the Internet (this is sometimes called "server rights" or "acting as a server"). On my XP system, from your list of apps, I allow only Generic Host Process for Win32 Services to have outbound access. None of the programs needs "server rights" for me to have full functionality.

    Now, in your case, since you have a router, it is preventing any of these from receiving unsolicited inbound connections anyway, so, the settings on your personal firewall are less important because of that protection. But, I would still use the rules above just because I believe in the "least privilege" rule (i.e. always give things the least amount of access / rights / privileges necessary in order for them to work, and give them no more than that.)

    I hope this helps,
    LowWaterMark
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined: Feb 9, 2002 | Posts: 2,428 | Location: BC, Canada
    Hi SkyBlue

    Just to add to what LWM said, you will need to allow ccapp access as well because it will be required to validate certain live update files for NAV and is also used for email scanning if you have that enabled.

    Regards,

    CrazyM
     