Nazila Mofrad wrote:

> Hi everybody,
> 
> I run nmap to find open ports on my PIX firewall and
> to my surprise, all UDP ports were open on that!
> Besides, the tcp port 1467 was open and replied to
> "telnet pix 1467" command!
> What should I do with these open ports? They can be
> used as security holes, can't they?

The UDP ports are being reported as open because you don't get an ICMP
port unreachable response from the PIX in response to a UDP packet from
nmap.

The TCP port 1467 is the port the PIX uses to communicate with the Cisco
management software that is available for the PIX.  I don't think
there's any way to turn it off but you can certainly create a rule to
drop traffic for it.

I've never heard of an exploit against the PIX using this service, but
that doesn't mean that it can't be done.  I was actually surprised that
Cisco would do such a thing, when I first nmap'd a PIX.  There ought to
be a way to turn it off.  It makes fingerprinting a PIX almost trivial,
which is most ironic, given some other measures PIX takes to try to keep
a low profile, like not decrementing TTLs in the IP header.  But then
again, that example is really another case of making yourself
identifiable by trying to make yourself unidentifiable... d'oh... double
irony.

Michael
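The rule Michael describes (a UDP port is only proven closed when the target answers with an ICMP port unreachable, so silence is ambiguous and a firewall that drops probes silently looks "open" to the scanner) is easy to make concrete. The following is an added example, not code from the thread or from nmap: a small classifier that turns constructed per-port probe outcomes into scan states and flags the "everything looks open" pattern as a likely silent drop. The `legacy` flag models the behaviour reported in the original question (silence reported as plain "open"); the probe data and the 90% threshold are assumptions made for the example.

```python
"""Classify UDP scan probe outcomes the way a port scanner interprets them.

Added example, not part of the original mailing-list thread. It models the
point made in the reply: without an ICMP port-unreachable from the firewall,
a UDP probe that gets no answer cannot be told apart from a listening
service, so every silently dropped port is reported as open.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Outcome(Enum):
    UDP_REPLY = "udp_reply"                 # a service answered with a UDP datagram
    ICMP_PORT_UNREACH = "icmp_type3_code3"  # ICMP destination unreachable, port unreachable
    ICMP_OTHER_UNREACH = "icmp_type3_other" # other unreachable codes (e.g. admin prohibited)
    NO_RESPONSE = "timeout"                 # nothing came back before the timeout


@dataclass(frozen=True)
class Probe:
    port: int
    outcome: Outcome


def classify(outcome: Outcome, legacy: bool = False) -> str:
    """Map one probe outcome to a scan state.

    Only an ICMP port unreachable proves the port closed. Silence is reported
    as 'open|filtered'; with legacy=True it is reported as plain 'open', which
    is what the original poster saw for every UDP port on the PIX.
    """
    if outcome is Outcome.UDP_REPLY:
        return "open"
    if outcome is Outcome.ICMP_PORT_UNREACH:
        return "closed"
    if outcome is Outcome.ICMP_OTHER_UNREACH:
        return "filtered"
    return "open" if legacy else "open|filtered"


def scan_summary(probes: List[Probe], legacy: bool = False) -> Dict[int, str]:
    """Return {port: state} for a list of probe outcomes."""
    return {p.port: classify(p.outcome, legacy) for p in probes}


def looks_like_silent_drop(states: Dict[int, str], threshold: float = 0.9) -> bool:
    """Heuristic (assumption for this example): if at least `threshold` of the
    probed ports are ambiguous, the host is almost certainly dropping probes
    silently rather than running a service on every port."""
    if not states:
        return False
    ambiguous = sum(1 for s in states.values() if s in ("open", "open|filtered"))
    return ambiguous / len(states) >= threshold


# Constructed sample: a firewall that drops everything silently except one
# probe that happens to get a UDP answer. Ports and outcomes are made up.
SILENT_FIREWALL = [Probe(p, Outcome.NO_RESPONSE) for p in (7, 9, 19, 69, 111, 161, 500, 514, 1434)]
SILENT_FIREWALL.append(Probe(53, Outcome.UDP_REPLY))

# Constructed sample: an ordinary host that answers closed ports with ICMP.
ORDINARY_HOST = [Probe(p, Outcome.ICMP_PORT_UNREACH) for p in (7, 9, 19, 69, 111, 161, 500, 514)]
ORDINARY_HOST += [Probe(53, Outcome.UDP_REPLY), Probe(123, Outcome.NO_RESPONSE)]


if __name__ == "__main__":
    for name, probes in (("silent firewall", SILENT_FIREWALL), ("ordinary host", ORDINARY_HOST)):
        states = scan_summary(probes, legacy=True)
        print(name, states, "silent drop?", looks_like_silent_drop(states))
```

Run stand-alone it prints both summaries; with `legacy=True` the silent firewall shows all ten ports as "open", which is the result that prompted the question, while the ordinary host shows eight "closed" ports and is not flagged. The practical check for a defender is the inverse: if a scan of your own firewall reports every UDP port open, that is the absence of ICMP unreachables talking, not ten thousand listening services.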