Static IP address & Security
Is there anything I should do to help secure my small network? My connection to the internet is a 3.0/1.5 Mbps DSL line with a static IP address. The DSL modem is hooked up to a router doing NAT through a switch to 8 Macs running various versions of OS X (1 - 10.4.3 Server, 2 - 10.4.3, 1 - 10.3.9, 4 - 10.2.8). I used NmapFE for OS X v0.85 to run a simple TCP connect scan without a ping. Here are the results:
Starting nmap 3.70 ( http://www.insecure.org/nmap/ ) at 2005-12-02 13:36 EST
Initiating Connect() Scan against static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX.XX.XXX.XXX) [1660 ports] at 13:36
Connect() Scan Timing: About 8.77% done; ETC: 13:41 (0:05:12 remaining)
The Connect() Scan took 343.42s to scan 1660 total ports.
Host static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX.XX.XXX.XXX) appears to be up ... good.
All 1660 scanned ports on static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX-XX-XXX-XXX) are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 343.876 seconds
It appears to me that my network is visible to anyone who wants to look for it. So here are my questions:
1) Do most routers stealth all ports?
2) Does anyone use a Network Intrusion Detection System like HenWen, which is a GUI for Snort?
3) Does anyone use a file system scanning tool like radmind?
4) What else do you do to secure your network?
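As an added example (not part of the thread), a small Python parser that turns nmap 3.x normal output like the listing above into a plain verdict. Both scan listings inside it are constructed samples; the second one, with two forwarded ports, is hypothetical and is there only to show what an exposed host looks like next to the all-filtered case.

```python
import re

# Constructed sample in nmap 3.x normal-output format, modelled on the scan
# in the post (hostname/address redacted the same way; not the real output).
SCAN_ALL_FILTERED = """\
Host static-XX-XX-XXX-XXX.example.invalid (XX.XX.XXX.XXX) appears to be up ... good.
All 1660 scanned ports on static-XX-XX-XXX-XXX.example.invalid (XX.XX.XXX.XXX) are: filtered
Nmap run completed -- 1 IP address (1 host up) scanned in 343.876 seconds
"""

# Constructed sample of the same scan if two ports were forwarded through
# the router (hypothetical; the thread reports no forwarded ports).
SCAN_WITH_SERVICES = """\
Interesting ports on static-XX-XX-XXX-XXX.example.invalid (XX.XX.XXX.XXX):
(The 1658 ports scanned but not shown below are in state: filtered)
PORT    STATE  SERVICE
22/tcp  open   ssh
548/tcp open   afpovertcp
"""

ALL_RE = re.compile(r"^All (\d+) scanned ports on .* are: (\w+)$", re.M)
HIDDEN_RE = re.compile(r"^\(The (\d+) ports scanned but not shown below are in state: (\w+)\)$", re.M)
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)", re.M)

def summarize_scan(text):
    """Count filtered/closed ports and list open ones from nmap normal output."""
    summary = {"open": [], "closed": 0, "filtered": 0}
    m = ALL_RE.search(text)
    if m:  # every port in one state: nothing is listed individually
        if m.group(2) in ("closed", "filtered"):
            summary[m.group(2)] = int(m.group(1))
        return summary
    m = HIDDEN_RE.search(text)  # ports nmap collapsed into one summary line
    if m and m.group(2) in ("closed", "filtered"):
        summary[m.group(2)] = int(m.group(1))
    for port, proto, state, service in PORT_RE.findall(text):
        if state == "open":
            summary["open"].append((int(port), proto, service))
        elif state in ("closed", "filtered"):
            summary[state] += 1
    return summary

def exposure(summary):
    """What an outside scanner learns: listening services, a reachable host, or nothing."""
    if summary["open"]:
        return "exposed: " + ", ".join(f"{p}/{pr} ({s})" for p, pr, s in summary["open"])
    if summary["closed"]:
        return "reachable: host answers probes (RST) but nothing is listening"
    return "filtered: probes are dropped, there is nothing to connect to"
```

The all-filtered result is the best outcome a port scan can report; only the "exposed" verdict lists something a remote peer can actually talk to.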
Comments
Originally posted by fahlman
All 1660 scanned ports on static-XX-XX-XXX-XXX.aubnin.dsl-w.verizon.net (XX-XX-XXX-XXX) are: filtered
This from the nmap ref guide:
"Filtered means that a firewall, filter, or other network obstacle is blocking the port so that Nmap cannot tell whether it is open or closed."
Looks to me like NMAP is telling you that your router/firewall is blocking access to all ports. Not sure how much more secure you can make things other than turning off the router.
Originally posted by fahlman
Considering I have no ports open and forwarded to any of the computers with services turned on, I would like the router to deny that it even existed.
If the router was not at all visible, then you would not have any traffic routed to it at all. While this is very secure, it is also not very handy if you want to use the internet at all. Personally I think you are looking about as secure as you can get while still being connected to a network.
Originally posted by slyinthedam
Thinking about it a little more, you could see if you can configure your router to not respond to pings. It will still be visible to the outside world though, which as previously mentioned is essential if you want to receive any traffic.
Thanks. I've disabled pings from the WAN side.
Originally posted by fahlman
Thanks. I've disabled pings from the WAN side.
You can set Stealth in the OS X firewall. It might even be set by default.
Stealth does not mean that you can't do network traffic - it just blocks UNSOLICITED network traffic (i.e. those not in response to a packet sent by you).
Originally posted by lundy
You can set Stealth in the OS X firewall. It might even be set by default.
Stealth does not mean that you can't do network traffic - it just blocks UNSOLICITED network traffic (i.e. those not in response to a packet sent by you).
So I need to turn on DHCP, the Firewall, possibly NAT on my Tiger server, install a second NIC and have it be the gateway to the internet instead of the router?
Originally posted by fahlman
So I need to turn on DHCP, the Firewall, possibly NAT on my Tiger server, install a second NIC and have it be the gateway to the internet instead of the router?
No - what I was saying was that you can turn Stealth on and you should still be fine UNLESS there are UNSOLICITED packets that you want to see. The only unsolicited packets that you would want to see are if you are running a server. Since you say you are running OS X Server, if that is serving to the outside world, then you cannot run stealth on it or nobody would be able to send it a request.
If the server only serves the local IPs, then there is no problem.
So the router set to no-ping and the firewall set to stealth should be all that you need. If you are in fact running a public server, that is a whole different discussion, namely how to secure your server.
Originally posted by lundy
No - what I was saying was that you can turn Stealth on and you should still be fine UNLESS there are UNSOLICITED packets that you want to see. The only unsolicited packets that you would want to see are if you are running a server. Since you say you are running OS X Server, if that is serving to the outside world, then you cannot run stealth on it or nobody would be able to send it a request.
If the server only serves the local IPs, then there is no problem.
So the router set to no-ping and the firewall set to stealth should be all that you need. If you are in fact running a public server, that is a whole different discussion, namely how to secure your server.
The server is just a file and print server, and when I get some time I'm going to set up a VPN so a few of my employees can work from home in the evenings and weekends.
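To make lundy's description of stealth concrete, an added example (not from the thread and not Apple's firewall code) of the rule such a filter applies: a toy state table in Python that passes replies to flows the LAN started and connections to explicitly published server ports, and silently drops everything else. The LAN addresses, the scanner address and the choice of AFP (TCP 548) as the published file-server port are constructed assumptions.

```python
from collections import namedtuple

# direction is "in" (from the internet) or "out" (from the LAN);
# flags is "SYN" for a new connection, anything else continues one
Packet = namedtuple("Packet", "direction src sport dst dport flags")

LAN_HOST = "192.168.1.10"       # constructed: an ordinary client Mac
FILE_SERVER = "192.168.1.2"     # constructed: the OS X Server box
REMOTE = "203.0.113.7"          # constructed: an outside scanner/peer

class StealthFilter:
    """Drop every inbound packet that is not part of a flow the LAN started,
    except new connections to published server ports. Dropped packets get
    no reply at all (no RST, no ICMP): that silence is what nmap reports as
    'filtered' and what the OS X firewall calls stealth."""

    def __init__(self, published=()):
        self.published = set(published)  # {(server_ip, port)} reachable from outside
        self.flows = set()               # (lan_ip, lan_port, remote_ip, remote_port)

    def handle(self, pkt):
        if pkt.direction == "out":
            # The LAN may start anything; remember the flow so replies get back in.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "pass"
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "pass"                # solicited: reply to something we sent
        if pkt.flags == "SYN" and (pkt.dst, pkt.dport) in self.published:
            self.flows.add((pkt.dst, pkt.dport, pkt.src, pkt.sport))
            return "pass"                # a published service cannot be stealthed
        return "drop"                    # unsolicited: discarded without a reply

def demo():
    """Run a constructed packet trace through the filter; returns the decisions."""
    fw = StealthFilter(published={(FILE_SERVER, 548)})
    trace = [
        Packet("in", REMOTE, 40001, LAN_HOST, 22, "SYN"),        # scan probe: dropped
        Packet("out", LAN_HOST, 50123, REMOTE, 80, "SYN"),       # LAN browses out
        Packet("in", REMOTE, 80, LAN_HOST, 50123, "SYN-ACK"),    # reply to that flow
        Packet("in", REMOTE, 40002, FILE_SERVER, 548, "SYN"),    # published AFP port
        Packet("in", REMOTE, 40003, FILE_SERVER, 22, "SYN"),     # same host, unpublished
    ]
    return [fw.handle(p) for p in trace]
```

The fourth packet is the case lundy warns about: once a port is published for outside users, probes to it get an answer, so that one port is no longer stealth no matter what the router does with pings.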