
Sophos XG SFOS 16.01 - Anti-Portscan?

Greetings all,

I'm currently using the home version of Sophos XG and was wondering if there is a way to block port scans? I know that UTM has the ability for anti-portscans, but does XG have this capability as well?

Thanks.

Mike

  • Hi Mike,

    The feature is not considered yet. To promote it, I would encourage you to add a vote to this feature request so that it can be made available in a future release.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/19243372-anti-portscan

  • Hi aditya, and thanks for the reply. As mentioned earlier in the thread, a feature request for such a basic feature is like requesting NAT on a router. I think there needs to be a feature request to bring all the basic UTM features into XG. Everyone will vote for it, and I think it will cover most of the feature requests pending for XG [:D]

  • FormerMember, in reply to Billybob:

    Hi,

    Is it a big problem for security not to have anti-portscan?

    I think so; what do you think?

    Regards, Meghan

  • Meghan, it is another missing piece of the puzzle. The more layers you have, the safer you are. So XG is missing another piece... however, relying on one product to achieve security is absolutely wrong! A big mistake that many security admins make.

  • FormerMember, in reply to lferrara:

    Hi Luk,

    It's true, but I don't have that much experience.

    Which security principles do you recommend, i.e. which software/hardware products do you use/recommend for a network with no servers, only clients?

    Regards, Meghan

  • Meghan, if you have only clients, the firewall should be turned on with no exceptions, because connections start from clients to servers and not vice versa. Close all the ports and you will be safe from external attacks. Having Windows Firewall on on the computers as well will prevent malware from jumping from one computer to another, because the ports are closed.

    The story is long. Enroll a Security Architect if you need advanced security advice. Send me a PM if you need to and we can arrange something!

  • I thought I would revive this thread; it seems to have been dormant for a while now!

    I think this is a required countermeasure in the arena of security, so admins can tell if any potential probes are being performed.

    Also, as a UTM user, this is essential when there is a server out on the 'wild internet'; it is invaluable for information about who is trying to interrogate your server.

    I have just voted for this feature, as it is a requirement for our arsenal of tools against these pesky .... (ooh, I feel like I am on Scooby Doo... lol)

  • Many updates later and still not included...sigh.

  • Are there any updates on this?

  • Hi,

    I'm just curious regarding the "use case" of an anti-port-scan feature.

    This is a missing feature in XG, yes, but I want to understand the benefit of this feature.

    I'm just thinking about the security benefit. The ports are still open if somebody tries to find all open ports on WAN. If you stop/block a certain IP on WAN with anti-port-scan features, "they" will start from another WAN IP and continue with the other ports until they have checked all ports. So what can you do with this kind of information, that somebody wants to know which ports you use on WAN? Another point is that this feature will simply not secure any open vulnerability which may exist on port X. It can simply prevent a person from knowing that you are using ports X, Y, Z on WAN.

    I read a couple of "hacking docs" regarding this. I know it is one of the first steps to get an overview of the target, but I don't see the use case of knowing which port is open and which is not. Nevertheless, "they" start mostly with the common ports, so you won't see the port scanning at all. And to be honest, I see the most attacks on the vulnerable ports like 443, 80, 21, etc., not on some "custom ports" for special products. And even for these products, you use IPS or IDS systems.

    Just personally speaking, I would categorise this as "nice to have". Maybe somebody can enlighten me; I would like to talk about it!

    Cheers

  • I believe that on the UTM 9.5 side it knows that if X amount of SYN or ICMP packets are arriving in sequential order over X amount of time, then that IP is blocked from further scanning. For example, on UTM 9.5 when I ran the GRC port scan, it was only able to scan the first 30 ports before the rest were just stealthed for that specific IP doing the port scan. So yeah, if you have, let's say, SSL port 443 open, then a port scan will never see it, since it would be blocked before it gets there; thus the adversary won't even know that you are running such a protocol.

  • Hi,

    I know a couple of port-scan programs; as mentioned before, they try the most used ports before starting from 1 to X.

    So you would not see anything in an anti-port-scan feature until they have already scanned all common ports and start the sequential scanning.

    And it is not common to use sequential scanning; instead you try known ports (like http/s etc.).

    Cheers
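As an added illustration (not code from this thread or from Sophos), here is a small Python model of the threshold behaviour described in the UTM 9.5 post above, run over constructed connection records; it also shows the caveat raised in the reply just above that a scanner which probes common ports first stays under the threshold. The cut-off of 30 distinct ports comes from the UTM observation; the 60-second window, the sample addresses and the set of open ports are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample connection attempts, not real firewall logs:
# (time_s, src_ip, dst_port). 198.51.100.7 sweeps ports 1..100 in order;
# 203.0.113.9 probes only a short "common ports" list and then stops.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389]
SAMPLE_EVENTS = (
    [(t * 0.1, "198.51.100.7", t) for t in range(1, 101)]
    + [(10.0 + i, "203.0.113.9", p) for i, p in enumerate(COMMON_PORTS)]
)


def detect_portscans(events, threshold=30, window=60.0):
    """Sliding-window scan detector modelled on the UTM behaviour described
    in the thread: once a source hits `threshold` distinct ports within
    `window` seconds it is blocked and its later probes are dropped.

    Returns {src_ip: {"blocked": bool, "ports_seen": set}} where ports_seen
    holds the ports the source managed to probe before the block kicked in.
    """
    recent = defaultdict(deque)  # src_ip -> (time, port) pairs inside window
    state = defaultdict(lambda: {"blocked": False, "ports_seen": set()})
    for time_s, src, port in sorted(events):
        st = state[src]
        if st["blocked"]:
            continue  # dropped at the edge: the scanner learns nothing more
        st["ports_seen"].add(port)
        q = recent[src]
        q.append((time_s, port))
        while q and time_s - q[0][0] > window:
            q.popleft()  # expire probes older than the window
        if len({p for _, p in q}) >= threshold:
            st["blocked"] = True
    return dict(state)


def exposed_open_ports(scan_result, open_ports):
    """Which of the host's actually open ports each source learned about
    before being blocked; an empty list means the feature hid them all."""
    return {src: sorted(st["ports_seen"] & set(open_ports))
            for src, st in scan_result.items()}


if __name__ == "__main__":
    result = detect_portscans(SAMPLE_EVENTS)
    # The sequential sweep is cut off after 30 ports and never reaches 443;
    # the common-ports scan stays under the threshold and does see 443.
    print(exposed_open_ports(result, {443, 8443}))
```

The sequential sweep is blocked after its 30th port, so open port 443 stays hidden from it, while the common-ports scan is never flagged and finds 443 anyway, which is exactly the disagreement in the two posts above.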

  • That's true, but it is just another software component which could help to improve the protective impact of this product.

    And as you can see here https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/19243372-anti-portscant there is a big demand for this feature from customers.

    Regards

  • Hi,

    I understand you. But I also don't see any real security benefit in having this feature. It won't protect you against any attack at all. And I think most of the voters just vote for this because UTM has it.

    After all these years: what was the "use case" in knowing about a port scan in UTM?

    Cheers

  • Hi,

    From my point of view it's a little feature which helps you in several ways:

    1. You are simply informed when somebody tries to get information about your network config, so you can try to strengthen your policies or blacklist the IPs which execute the scan.

    2. It gives you a sign that you are maybe under attack, so you can immediately check logs to find out if someone got into your network.

    3. It's a first (little) wall against attacks, because it complicates the reconnaissance of the network.

    4. If you know there was a port scan, you can take countermeasures, e.g. change your public IP.

    Those are the benefits of anti-portscan in my opinion. Sure, anti-portscan can't move mountains, but as I pointed out before, it's just another little feature which helps improve the information about the security status of the network, and the security itself.

    Regards