People like me start wars!

I mainly install and administer SBS networks for various organisations. In the past I have used an ADSL modem to connect the external network card to the internet, rather than a router with a firewall. Since Server 2000 came along, I've always trusted ISA and had no problems.

A couple of weeks ago I started a thread to discuss a problem. During this discussion I mentioned the above philosophy and got severely criticised for taking unnecessary risks by allowing ISA to be the only firewall.

This week I have installed a new SBS system for a customer. Taking on board what I had been told, I used a Netgear DG834 router instead of the usual modem, and set up the necessary port forwarding to the web and mail servers which reside behind ISA.

As an experiment, from the server console, I visited They have a port scanning utility called ShieldsUP. This correctly identified that I had ports 80 and 443 open. I then created a firewall rule in the router to forward ALL traffic to the ISA firewall. I ran Shields Up again. It now showed that ALL ports were operating in Stealth Mode.

I would have thought that the best philosophy would be to open just the required ports on the router. But with the router forwarding everything to ISA, I have SMTP, HTTP, HTTPS, IMAP and RDP functionality and the server appears invisible to the port scanner!

So why is this? I repeated the experiment on a server that was connected using just an ADSL modem and the open ports are correctly identified as being open.



ipendlebury (Author) commented:
I should mention that ISA 2004 is installed on both servers mentioned.
Rich Rumble (Security Samurai) commented:
In reading: I can see how the forwarding could be done incorrectly and the router/firewall not tell you.
But, if you have a public IP of for example, and are forwarding port 25 to a private IP of there should be little problem. Whatever is behind the ADSL IP is going to be an RFC 1918 IP address, unless you want to try and create static routes and/or peering tables that the router isn't capable of. I should say typically... if your ADSL provider is giving you more than one public IP address, then the devices behind the router/firewall could have public addresses.

This is the old "is hardware better than software" firewall debate. It breaks down to this, and technically both are "software" firewalls, if we wanted to get into semantics about it... A hardware firewall, such as a Cisco Pix or CheckPoint device, is simply dedicated to firewalling and its related functions, like VPN, some routing, packet inspection. Network Address Translation, as well as Port Address Translation, are also functions of firewalls, along with the standard access control lists (block this port, allow this port, block all hosts except this one using this source port...)

Typically, personal firewalls, or "software firewalls", are for single-connection PCs, and aren't intended for an enterprise level or connection load. ISA is an enterprise solution; it's designed to handle what is thrown at it. I'm not sure if M$ wants you to dedicate an entire server to just running ISA, or if they state that you can add other services like Exchange or IIS to the same server or not.

There is also much to gain by having multiple firewalls, such as DMZ capabilities, redundancy, egress filtering, load distribution of the filters/ACLs. In an environment where I'm doing more than 5+ megs of traffic I use a hardware firewall, such as a Pix, or a Linux IPTables setup. If it's a standalone or two, connected to an ADSL/cable modem, ZoneAlarm or XP's firewall is fine. If there is financial data stored in/on the LAN, I use 2 firewalls minimum. It's all relative.

Although I am not a Windows-minded person I do believe in your strategy and yes, I do believe that if you work for small and medium business ISA can be one of the answers to secure your network.
As I am in the same market segment as you, I do not believe that many of our type of customers require 2 different brands of firewalls if they already need 2.

The problem you encountered with Netgear is pretty normal; after all it still is a router and not a firewall. The big difference is that your router is more likely to be a packet filter and not stateful, hence the issues you encountered.
Your router allows inbound forwarding because you enabled it; the only thing the rules do is forward it to a predefined internal host. You only have it configured for several services, but still all other standard services are ready to be forwarded but are actually halted on the router because it does not know where to send them to.
So to keep it simple, your router is allowing inbound traffic to be NATted. It does this for all services but only forwards those services as configured in your router. All other services it will accept to be NATted inbound, but there will be no answer from any host behind it. This is typically router behaviour and not firewall behaviour. I also doubt that it is stateful.
The stealth issue could be a problem with the scanner; I would try another scanner and compare results.

I just installed Azureus (the BitTorrent P2P application) and let it run. I configured an open port in my DSL router and of course GRC showed an open port.

After I stopped Azureus and rechecked Shields Up, I was "stealth" again on that port.

So, an "open" port can only be open if there is some response ;-) You can forward those incoming packets to your ISA, but as long as there is no application up and running behind it (or a forwarding rule is broken), Shields Up will always report that you are stealthed.

A closed port message, which you might have expected, is only shown if there is a service up and running but sending an active message back to the sender: I can hear you, but I will not offer you any service.


> .. and the server appears invisible to the port scanner!
> So why is this?
What is bad with this behaviour?
ipendlebury (Author) commented:
There's nothing wrong with this behaviour as such. Except that I have increased the apparent security of the system by reducing the actual security.

I am certainly not an expert in any of this. But by forwarding all traffic to the ISA firewall I assume that I have removed all protection offered by the Netgear router.

So long as my firewall is as strong as it appears to be, I have no complaints whatever.

I found this online. I hope it is helpful.

"Behind an enterprise firewall or a proxy server, most ports remain closed but visible. A resourceful hacker can see them and sneak in. It’s better for all ports to stay in stealth mode so a hacker won’t even suspect their presence. "

ipendlebury (Author) commented:
With my netgear router forwarding all traffic to the ISA server, all ports appear to be in stealth mode. So this would appear to be the optimal configuration.

No one has commented on the fact that, apart apparently from masking my open ports, the Netgear router is affording no real protection in this configuration. ISA is doing it all.

I just want to do what's right. So should I leave it as it is?
Rich Rumble (Security Samurai) commented:
If they are stealth to GRC or other scanners, then they should not function... as no TCP handshake/response is taking place, is that not so? Do they appear stealthed, and still work? Unless your firewall or ACL blocks access by using more than simple port blocks, then as far as I've ever seen, your services should not be available.
If you block everyones access to port 25, except, then I can see GRC showing the port as stealthed, as they are not so only would be able to connect.

I can't ping M$, but I can access port 80 on their site, because they don't block port 80; they do however stealth ICMP (pings)... so if you have no ACL like the one above, then your services aren't working in this "FWD'd" config....
ipendlebury (Author) commented:
I'm not at this company today. So I just TS'd into their server and logged onto Shields Up again. It still shows all ports stealthed.

I just checked my Exchange webmail. So that proves ports 80 and 443 are working. I had received email, so port 25 must be open.

It sounds too good to be true. It probably is. I'm just waiting for the gotcha.

Rich Rumble (Security Samurai) commented:
Ok, is the IP of that server the same as the webmail address... GRC can only scan the IP you're coming from, so if the IP you're coming from isn't the same as the webmail IP, it won't work; it won't see port 80 or 443 open, and if webmail is on a non-standard port GRC may skip it entirely. Please do not post IPs here btw. You can use other scanners from anywhere on the internet to scan as well; don't rely on GRC every time... nmap is good, GFI LANguard Network Security Scanner is another good one...
Open a cmd prompt after installing nmap and libPcap
nmap -sT -P0 -T5 -v ip.ip.ip.ip

ipendlebury (Author) commented:
Yes everything is on one IP.

Ok, I installed nmap and libPcap. I couldn't make it run with the command line you gave me. It kept saying invalid target specified. However I did manage to make it run without any switches on the command line. It reported that ports 25, 80, 443 and 3389 were open on my server. So it would appear that Shields Up isn't all that it's cracked up to be.

I wanted to repeat the scan without the Netgear router forwarding all requests to the ISA server. Each time I try, nmap quits, saying that it failed to determine the MAC address for the destination IP.

I'm running my scan from behind another ISA firewall, but I created an Allow All rule, so hopefully this ISA server isn't interfering with things.

> I just want to do what's right. So should I leave it as it is?
IMHO no.
If you have a router with firewall as a separate device, then use it.
Anything captured there won't bother and/or harm your backend.

> I'm running my scan from behind another ISA firewall, ..
bad idea.
Either you want to test your ISA server directly, then you have to be in the same physical and logical net segment, or you want to test the firewall somewhere in front of your ISA, then start the test in front of that firewall.
Anything else gives you a false sense of security.
Rich Rumble (Security Samurai) commented:
You should test from outside, like GRC is doing. Install nmap on your laptop or home PC, scan that webmail IP or name.
Case sensitive; also it's pee zero (-P0). You can leave off the P0, however if ICMP is denied then you'll need it.
nmap -sT -P0 -T5   (or IP address.) That's a TCP scan, not pinging the target, scanning at the fastest level against the target or IP address, for example.
ipendlebury (Author) commented:
Ok, I've installed nmap at home now. I'm seeing different results. I've tried it with all ports redirected to my server, then with just the important ports redirected.

There are a couple of anomalies that I can't explain...

Port 21 is shown as being open in both cases. This port is not open on the router or in ISA.

With just my important ports forwarded, Port 5190 is shown as being open. Again I have not got this port open on the Router or in ISA.

When I forward all ports to my server, port 3389 is not shown as being open. Even though I am currently logged in via Terminal Services.

Rich Rumble (Security Samurai) commented:
There can be false positives on any scanner, however Nmap is typically very good. You can also specify ports and ranges to look for:
nmap -sT -P0 -T5 -p 21,25,3389,80,443  (also try -sS  and -sX instead of -sT)

nmap -sT -P0 -T5 -p 21,25,80,443,3389
Starting nmap 3.81 ( ) at 2006-02-15 15:10 EST
Interesting ports on
21/tcp   filtered ftp
25/tcp   filtered smtp
80/tcp   open     http
443/tcp  open     https
3389/tcp filtered ms-term-serv

Open means that the target machine will accept() connections on that port.
Filtered means that a firewall, filter, or other network obstacle is covering the port and preventing nmap from determining whether the port is open.
If you get ports you think aren't open, like FTP, try to connect to them yourself to verify: open a browser, type in ftp://ip.ip.ip.ip and if you get a connection, then IIS might be serving FTP (port 21) or your firewall isn't blocking it. Or you can use http://ip.ip.ip.ip:21
Port 5190 is an AOL AIM port I think... but most apps allow you to reassign ports as you wish, like P2P apps...
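An added example, not from any poster in this thread: a small Python TCP connect() probe that makes the open / closed / filtered ("stealth") distinction discussed above and in the nmap output, by looking at how connect() fails (a reset means closed, silence until the timeout means filtered). The names probe_port, scan_ports and loopback_demo are mine; loopback_demo builds its own listening and idle ports on 127.0.0.1 so the block runs offline. Run scan_ports against your own server's public address from outside the router, as advised above, to confirm what each forwarding rule actually exposes.

```python
import errno
import socket
from enum import Enum


class PortState(Enum):
    OPEN = "open"                # handshake completed: a service accept()ed it
    CLOSED = "closed"            # host answered with RST: reachable, nothing listening
    FILTERED = "filtered"        # no answer before the timeout: SYN dropped ("stealth")
    UNREACHABLE = "unreachable"  # no route to the host at all


def classify_error(err):
    """Map the exception raised by a failed connect() to a port state."""
    if isinstance(err, (socket.timeout, TimeoutError)):
        return PortState.FILTERED
    if isinstance(err, ConnectionRefusedError) or err.errno == errno.ECONNREFUSED:
        return PortState.CLOSED
    if err.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return PortState.UNREACHABLE
    # Any other failure: nothing proved the port open, so report it as filtered.
    return PortState.FILTERED


def probe_port(host, port, timeout=2.0):
    """Full TCP connect() probe of one port, i.e. what nmap -sT does per port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortState.OPEN
    except OSError as err:          # socket.timeout is an OSError subclass
        return classify_error(err)


def scan_ports(host, ports, timeout=2.0):
    """Probe each port in turn and return {port: PortState}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def loopback_demo():
    """Constructed demo on 127.0.0.1: one listening port beside an idle one.
    Returns (state of listening port, state of idle port)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))           # kernel picks a free port
    listener.listen(1)
    live_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))              # learn a second free port number...
    idle_port = spare.getsockname()[1]
    spare.close()                             # ...then release it, so nothing listens
    try:
        return probe_port("127.0.0.1", live_port), probe_port("127.0.0.1", idle_port)
    finally:
        listener.close()
```

A port that a router forwards to a host with no listener, or that the router accepts for NAT but never forwards, shows up as FILTERED here for the same reason Shields Up reports it as stealth: nothing ever answers the SYN.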
My post above was based on a confused interpretation of the question. Hope the following is a little bit more helpful.

I like to install double firewall configurations with different brands to ensure a double wall of security and to circumvent having a single point of failure (such as a bug in one of the firewalls). The firewall/router you are using addresses these issues even though it doesn't provide the anonymity that you want. Although it may not be monetarily feasible, a second ISA server or PIX firewall would offer much higher security. If it is a low traffic site where there isn't a major threat to security I wouldn't worry about having a double firewall configuration.
If security is a concern, try some port forwarding as well: have an outside port of 31003 forward to internal port 3389. Set up a DMZ with the web server proxying connections between the Internet and the internal network (if necessary). You can do quite a bit, but it doesn't seem like this is a major requirement. Please let me know if I am mistaken.
I've had a lot of luck with ISA Server alone.
Also, a trick for mail traffic: use a third party POP server. That way they receive the emails and are exposed to related DoS attacks. You put the security concern on a third party.

As a side note, consider using a different port whenever possible. For instance, 31003 instead of 3389. It is more difficult to scan. Even if port scanners can find it, the type of traffic may not be known and therefore not usable.

FYI: SBS comes with Exchange and has a POP Connector to pull mail from a third party POP server. Unless it has changed, the POP puller does not come with other versions of Exchange.
I have also been criticized in EE for taking too lax an approach on security. But what most don't understand is that you have to balance security against functionality and resources. If you have a highly secure environment that prevents users from working or is too hard to maintain or costs too much, then you do not have a good security plan. The deciding factor should always be based on how important the data is.
> For instance, 31003 instead of 3389. It is more difficult to scan. Even if port scanners can find it, the type of traffic may not be known and therefore not usable.
do you really use port scanners which can be fooled this way?
ipendlebury (Author) commented:
This is my sixth installation of SBS. It's the first time that I have used anything other than an ADSL Modem. I've never had any hacking problems at all. The router I've used is only 25% more expensive than my usual modem, so that's not an issue.

At the moment, I am using a third party for POP traffic. So that would appear to be a safer way to do things.

What might be an issue would be if one of my servers were to be hacked. If the subsequent investigation were to blame it on there only being one firewall present, then I would be for the high jump. So for the extra $15 I think I'll use a router in future.

My original question has been answered, and there has been a lot of extra discussion as well. So I shall award the points and thank everyone for their input.


Thanks ipendlebury.

Regarding ahoffmann, I'm not saying that it is impossible, but it will prevent some people. Car alarms don't stop people from stealing cars, but they can deter thieves from stealing your car.

You must agree that hackers tend to look for certain open ports to take advantage of, such as 137, and scan across many IP addresses. Changing default ports does provide an increase in security. However, it should not be the only security measure. Please don't dissuade this security measure. I have seen it work countless times.
Sorry, I meant port 139 above
> .. prevent some people
 = script kiddies with a mouse but not used to a keyboard ;-)