After having my previous post blocked and being asked to "search the archives", I did just that but only found one post (using "UDP" as the search criteria) that kind of had an answer. I did some digging around on the net, and found a site that had a better answer. The question was why all UDP ports are show as opened using various port scanners. The answer seems to be, and it kind of makes sense, that UDP being connectionless, the scanner has no real method to differentiate between an opened port, and a port that was silently dropped (which most firewalls should[1] do). The only way to know for sure that a port is closed would be to get a response indicating a closed port (i.e. ICMP response). This has led me to some other questions.
Is there a port scanner on the market (free or $$$) that does not generate the "false positive" result of a UDP scan against a stealth host? For example, rather than reporting the ports opened, it only reports those ports it gets some sort of response from as opened, and reports the rest as "may be opened", "state unknown" or something similar. If a UDP scan is run against a host, and rather than showing all ports the results show only certain ports opened, should this be considered a bad security situation, and if so why? My thoughts are that yes, it should be, as the host is not functioning in a "stealth" mode, which I think is a more secure process[1]. Simply put, a scanner can know with certainty which ports are opened if only certain ports are listed, where as in the other situation, every port appears to be opened. Any opinions/answers from the list? Thanks. Wes Noonan, MCSE/MCT/CCNA/CCDA/NNCSS Senior QA Rep. BMC Software, Inc. (713) 918-2412 [EMAIL PROTECTED] http://www.bmc.com [1] I say should because most references I have seen recommend a firewall operating in a stealth fashion as being more effective since it requires any scanning, etc. to time out before proceeding causing more time to pass and increasing the likelihood of catching it occurring. ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
