bleujaegel
Fingerprinting firewalls

I am concerned about crackers (more specifically spammers) attempting to exploit my router, and would like to know if it is possible to determine what type of router I am using, and how difficult it is to actually exploit flaws in it. I am currently running a Watchguard X5 with only ports 25 and 110 open for Exchange. I've read that sometimes routers display banners, but don't know exactly how to check and/or modify this. Aside from locking down the ports and firmware updates, are there any other methods to lock down routers (aside from IDS and IPS, also assuming the OS is patched and firewalled)?
Tim Holman
To be honest, it doesn't really matter. Hackers will use generic attack tools that will try and exploit everything on external addresses, rather than trying to guess vendors beforehand. I would stick to locking down the management ports to local addresses only, and making sure you stay up to date with all the patches.
bleujaegel
So in other words, a determined cracker will get through any firewall with their generic tools? This doesn't make me confident. I'm running a Watchguard X5, and it's updated, with only 4 ports open (25, 110, 443, and oh no 3389). Understandably, the weakest link is probably the services running on those ports, and not the firewall. A cracker could make it into the network, then possibly access and reconfigure the firewall. I am currently using nmap to test this out, trying to see how much information I am making available to the public. My goal is to minimize this. Should I be looking into IDS and IPS? If you have any other advice on this, that would be appreciated. Thanks.
Tim Holman
Not at all - I'm just saying the tools that someone WOULD use are vendor independent, i.e. if they saw an SNMP port open on your Check Point firewall, they would fire ALL exploits at it (Cisco, Microsoft), rather than just the ones pertaining to Check Point.
Agreed though - the firewall is least likely to be the weakest link, as all firewalls are pre-hardened and only accessible if the administrator does something silly, like leave management ports open on the outside.
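The asker is already using nmap to see which ports are visible from outside, and the reply above warns about management ports left open on the external side. The script below, added here as an illustration and not code from either participant, parses nmap's grepable output (`-oG`) for one's own external address and checks it against an exposure policy; the allowlist, the management-port table and the sample scan line are all constructed assumptions.

```python
import re
from typing import Dict, List, Tuple

# Exposure policy assumed for the setup in the thread: only the mail-related
# ports are meant to be reachable from the Internet.
ALLOWED_PORTS = {25, 110, 443}
# Well-known management / remote-access ports that should not be reachable
# from outside (the "management ports open on the outside" case).
MANAGEMENT_PORTS = {22: "ssh", 23: "telnet", 161: "snmp", 3389: "rdp", 5900: "vnc"}

# nmap -oG host line: "Host: <addr> (<name>)\tPorts: <entries>\tIgnored State: ..."
HOST_RE = re.compile(r"^Host:\s+(\S+).*?\tPorts:\s+([^\t]+)")


def parse_grepable(text: str) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return host -> [(port, proto, service)] for ports reported 'open' in nmap -oG output."""
    result: Dict[str, List[Tuple[int, str, str]]] = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue
        host, ports = m.group(1), m.group(2)
        for entry in ports.split(","):
            fields = entry.strip().split("/")  # port/state/proto/owner/service/rpc/version/
            if len(fields) < 5 or fields[1] != "open":  # skip closed/filtered entries
                continue
            result.setdefault(host, []).append((int(fields[0]), fields[2], fields[4]))
    return result


def audit(text: str, allowed=ALLOWED_PORTS) -> Dict[str, Dict[str, list]]:
    """Flag open ports outside the allowlist and any exposed management port."""
    report: Dict[str, Dict[str, list]] = {}
    for host, entries in parse_grepable(text).items():
        open_ports = sorted(p for p, _, _ in entries)
        report[host] = {
            "open": open_ports,
            "unexpected": [p for p in open_ports if p not in allowed],
            "management_exposed": [(p, MANAGEMENT_PORTS[p]) for p in open_ports if p in MANAGEMENT_PORTS],
        }
    return report


# Constructed sample of nmap -oG output mirroring the four open ports in the thread.
SAMPLE = (
    "# Nmap scan (constructed sample, not a real scan)\n"
    "Host: 203.0.113.10 ()\tPorts: 25/open/tcp//smtp///, 110/open/tcp//pop3///, "
    "443/open/tcp//https///, 3389/open/tcp//ms-term-serv///, 161/filtered/udp//snmp///"
    "\tIgnored State: filtered (1692)\n"
)

if __name__ == "__main__":
    for host, findings in audit(SAMPLE).items():
        print(host, findings)
```

Run against a real `nmap -oG` file of your own external address, anything under `unexpected` or `management_exposed` is a port to close or restrict to local addresses.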
bleujaegel
In your experience, are there any good cheap or free IDS/IPS setups that could help trigger alerts from people performing scans and attempting to hack in through any of the Windows services that have open ports?
Tim Holman
IDS/IPS is only a part of what it takes to secure servers - think about vulnerability and patch management, physical security, anti-virus, security policies, encryption of sensitive data, etc.
The X5 has some basic IPS functionality built in that you could use?
Otherwise, if you only have ports 25 and 110 open, the best plan is to make sure your servers are kept up to date with the latest patches and you don't have any open relays configured or weak passwords.
What type of mail server is it?
bleujaegel
Exchange 2003. I have it set up for password complexity for all users (default).
ASKER CERTIFIED SOLUTION
Tim Holman
This solution is only available to members.
bleujaegel
Thanks for the valuable info.