
Can an intruder penetrate my firewall?

Posted on 2008-10-28
Last Modified: 2012-05-05
Our firewall has several log entries similar to this:
Possible port scan dropped      
Source:203.149.62.175, 80, WAN      
Destination:202.57.149.114, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176

The IT manager at that office has interpreted these to mean the following:
"In the log you can see the same connection type being dropped with the same external IP but different port numbers... when you see this multiple times within a very quick time span and the only thing that changes is the port number (in sequence) then you know someone is trying to scan your ports and attack you.
When you see internal IPs that are not from your subnet, they can only be external. If this is happening, it is most likely IP spoofing which is when someone floods a legitimate IP with so much data that it crashes and at the same time they impersonate your IP and the server doesn't know the difference. At this point, they can do pretty much anything because you were most probably already logged on. Whatever privileges the user "had" are now the impersonator's."

Is his assessment correct?  Does this mean a hacker is trying to get in?  Will the firewall stop them?  If not, how do we protect ourselves?
Question by:captainrichard
LVL 14

Expert Comment

by:cuziyq
ID: 22823321
IP spoofing, port scanning, and denial-of-service attacks are among the oldest tricks in the book.  Any firewall that's worth spending money on can easily deal with these kinds of things.

The log entry you noted was notification that the firewall was doing its job.  It detected a possible port scan attempt and dropped that connection.

Is a hacker trying to get in?  Probably.  Even an obscure company with a public web site can expect to have a break-in attempt several times a year.  The more high-profile your company, the more attacks you see.  Google gets attacked literally millions of times a year.

Will the firewall stop them?  Maybe, maybe not.  Depends on a lot of factors, but the competence of your IT security staff is a much bigger factor than your choice of firewall.

How do you protect yourself?  Any web site is basically analogous to a store in a shopping mall.  They see thousands of people passing by each day, and it's a statistical certainty that some of them are going to be shoplifters and vandals.  It's just a fact of life.  Vigilance is your best defense.  I would recommend reading some books about network security best practices.
0
 
LVL 12

Accepted Solution

by:
jahboite earned 2000 total points
ID: 22830336
The example log entry doesn't look like a port scan to me.
It looks like someone behind the public interface at 202.57... was browsing the web at www.siamsport.co.th and the firewall is reporting the ports mapped to the internal user.  I believe this kind of thing happens when one closes a web-browser or navigates away from a page that is currently loading.

A port scan is not an attack.  It's just an attempt to enumerate services available via the scanned interface.

Your IT manager's assessment doesn't directly apply to the log entry you provided here so I can't really comment on its accuracy - save to say that the kind of impersonation using resource exhaustion and IP spoofing is not really applicable with today's technologies.

Hope that helps a bit.
0
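
A triage sketch for the log format quoted in the question, added here as an example and not part of either expert's post: it parses each "Possible port scan dropped" entry and separates entries that look like late replies from a web server (source port 80 or 443, one or two high destination ports) from entries that list many distinct destination ports. The thresholds, function names and the second sample entry are assumptions made for illustration.

```python
import re

# Constructed sample: the entry quoted in the question, plus a made-up entry
# (documentation-range addresses) that lists many distinct destination ports.
SAMPLE_LOG = """\
Possible port scan dropped
Source:203.149.62.175, 80, WAN
Destination:202.57.149.114, 40204, WAN
TCP scanned port list: 40176, 40176, 40176, 40176, 40176

Possible port scan dropped
Source:198.51.100.7, 51515, WAN
Destination:192.0.2.10, 25, WAN
TCP scanned port list: 21, 22, 23, 25, 80
"""

ENTRY_RE = re.compile(
    r"Source:\s*(?P<src>[\d.]+),\s*(?P<sport>\d+),.*?\n"
    r"Destination:\s*(?P<dst>[\d.]+),\s*(?P<dport>\d+),.*?\n"
    r"TCP scanned port list:\s*(?P<ports>[\d,\s]+)"
)

WEB_PORTS = {80, 443}    # assumption: services an inside user browses to
EPHEMERAL_MIN = 1024     # assumption: client-side / NAT-mapped ports sit above this
SCAN_MIN_DISTINCT = 4    # assumption: distinct ports needed to call it a sweep

def parse_entries(text):
    """Return one dict per 'Possible port scan dropped' entry."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        ports = [int(p) for p in re.findall(r"\d+", m["ports"])]
        entries.append({"src": m["src"], "sport": int(m["sport"]),
                        "dst": m["dst"], "dport": int(m["dport"]), "ports": ports})
    return entries

def classify(entry):
    """Heuristic triage label; not proof of intent either way."""
    distinct = set(entry["ports"]) | {entry["dport"]}
    if len(distinct) >= SCAN_MIN_DISTINCT:
        return "scan-like"            # many different ports probed
    if entry["sport"] in WEB_PORTS and min(distinct) >= EPHEMERAL_MIN:
        return "likely-web-reply"     # server port talking to client-side ports
    return "inconclusive"

if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(e["src"], e["sport"], "->", e["dst"], sorted(set(e["ports"])), classify(e))
```

An entry labelled likely-web-reply is still worth correlating with outbound connection logs for the same remote address before it is dismissed.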

Question has a verified solution.