Static IP address & Security

Posted:
in Genius Bar edited January 2014
Is there anything I should do to help secure my small network? My connection to the internet is a 3.0/1.5 Mbps DSL line with a static IP address. The DSL modem is hooked up to a router doing NAT through a switch to 8 Macs running various versions of OS X (1 - 10.4.3 Server, 2 - 10.4.3, 1 - 10.3.9, 4 - 10.2.8 ). I used NmapFE for OS X v0.85 to run a simple TPC connect scan without a ping. Here are the results:



Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-12-02 13:36 EST

Initiating Connect() Scan against static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX.XX.XXX.XXX) [1660 ports] at 13:36

Connect() Scan Timing: About 8.77% done; ETC: 13:41 (0:05:12 remaining)

The Connect() Scan took 343.42s to scan 1660 total ports.

Host static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX.XX.XXX.XXX) appears to be up ... good.

All 1660 scanned ports on static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX-XX-XXX-XXX) are: filtered



Nmap run completed -- 1 IP address (1 host up) scanned in 343.876 seconds



It appears to me that my network is visible to anyone who wants to look for it. So here are my questions:



1) Do most routers stealth all ports?

2) Does anyone use a Network Intrusion Detection System like HenWen, which is a GUI for Snort.

3) Does anyone use a FIle System Scanning like radmind.

4) What else do you do to secure your network?

Comments

  • Reply 1 of 10
    fahlmanfahlman Posts: 723member
    I enabled the Inbound Packet Filter on my Router to deny all packets. I thought it might change the results of the nmap scan, but no luck. What did this actually do?
  • Reply 2 of 10
    Quote:

    Originally posted by fahlman



    All 1660 scanned ports on static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX-XX-XXX-XXX) are: filtered







    This from the nmap ref guide:



    "Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed."



    Looks to me like NMAP is telling you that your router/firewall is blocking access to all ports. Not sure how much more secure you can make things other than turning off the router.
  • Reply 3 of 10
    fahlmanfahlman Posts: 723member
    Considering I have no ports open and forwarded to any of the computers with services turned on I would like the router to deny that it even existed.
  • Reply 4 of 10
    Quote:

    Originally posted by fahlman

    Considering I have no ports open and forwarded to any of the computers with services turned on I would like the router to deny that it even existed.



    If the router was not at all visible, then you would not have any traffic routed to it at all. While this is very secure, it is also not very handy if you want to use the internet at all. Personally I think you are looking about as secure you can get while still being connected to a network.
  • Reply 5 of 10
    Thinking about it a little more, you could see if you can configure your router to not respond to pings, it will still be visible to the outisde world though, which as previously mentioned is essential if you want to receive any traffic.
  • Reply 6 of 10
    fahlmanfahlman Posts: 723member
    Quote:

    Originally posted by slyinthedam

    Thinking about it a little more, you could see if you can configure your router to not respond to pings, it will still be visible to the outisde world though, which as previously mentioned is essential if you want to receive any traffic.



    Thanks. I've disabled pings from the WAN side.
  • Reply 7 of 10
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by fahlman

    Thanks. I've disabled pings from the WAN side.



    You can set Stealth in the OS X firewall. It might even be set by default.



    Stealth does not mean that you can't do network traffic - it just blocks UNSOLICITED network traffic (i.e. those not in response to a packet sent by you).
  • Reply 8 of 10
    fahlmanfahlman Posts: 723member
    Quote:

    Originally posted by lundy

    You can set Stealth in the OS X firewall. It might even be set by default.



    Stealth does not mean that you can't do network traffic - it just blocks UNSOLICITED network traffic (i.e. those not in response to a packet sent by you).




    So I need to turn on DHCP, the Firewall, possibly NAT on my Tiger server, install a second NIC and have it be the gateway to the internet instead of the router?
  • Reply 9 of 10
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by fahlman

    So I need to turn on DHCP, the Firewall, possibly NAT on my Tiger server, install a second NIC and have it be the gateway to the internet instead of the router?



    No - what I was saying was that you can turn Stealth on and you should still be fine UNLESS there are UNSOLICITED packets that you want to see. The only unsolicited packets that you would want to see are if you are running a server. Since you say you are running OS X Server, if that is serving to the outside world, then you cannot run stealth on it or nobody would be able to send it a request.



    If the server only serves the local IPs, then there is no problem.



    So the router set to no-ping and the firewall set to stealth should be all that you need. If you are in fact running a public server, that is a whole different discussion, namely how to secure your server.
  • Reply 10 of 10
    fahlmanfahlman Posts: 723member
    Quote:

    Originally posted by lundy

    No - what I was saying was that you can turn Stealth on and you should still be fine UNLESS there are UNSOLICITED packets that you want to see. The only unsolicited packets that you would want to see are if you are running a server. Since you say you are running OS X Server, if that is serving to the outside world, then you cannot run stealth on it or nobody would be able to send it a request.



    If the server only serves the local IPs, then there is no problem.



    So the router set to no-ping and the firewall set to stealth should be all that you need. If you are in fact running a public server, that is a whole different discussion, namely how to secure your server.




    The server just a file and print server and when I get some time I'm going to set up a VPN so a few of my employees can work from home in the evenings and weekends.
Sign In or Register to comment.