CSA security

Oct 15th, 2007

Hello!

I have deployed CSA with a policy that allows only VPN TCP and UDP traffic with my VPN concentrator on all interfaces, and all IP stack hardening policies against port scans.... and DENY ALL TCP UDP....


When I have the laptop in my local LAN network I cannot use any protocol except making the tunnel......


The problem is that when I use a particular scanner like GFI LANguard, I get the computer name and the domain name over UDP epmap port 135.


Why can CSA not deny this?

tsteger1 Mon, 10/15/2007 - 09:37

The hosts are probably advertising NetBIOS information in several ways and may have registered this information elsewhere.


If you turn off the Server service and disable NetBIOS over TCP on the scanned hosts, that should prevent remote Windows enumeration.


Also, if you have WINS and Computer Browser enabled on the scanning host, it can use that information to resolve IP addresses to names.


Tom

fisko Mon, 10/15/2007 - 22:38

Hello! I know what you mean.


But why should I disable NetBIOS on the scanned host?


Should CSA deny any UDP traffic if I had that in the policy?

There is no WINS and I cannot browse the scanned host.


tsteger1 Tue, 10/16/2007 - 12:17

Hi Fisko,


If you want to prevent NetBIOS enumeration, you can either create rules preventing the host from accepting NetBIOS and Location Service connections or try turning off the Server service and disabling NetBIOS over TCP/IP on a host.


The default CSA rules allow hosts to offer these services.


NetBIOS allows the host to advertise and register its name and workgroup/domain with any name service that is listening and storing the information on the local subnet.


NetBIOS over TCP/IP allows it to cross subnets to register with name services.


The location service (port 135) provides endpoint mapping.


The Server service will also advertise to name services.


Tom

fisko Wed, 10/17/2007 - 22:57

If I put the rules

allow TCP/10000, UDP/500, UDP/4500 as client


deny TCP/0-65535 and UDP/0-65535 as client/server


how can CSA allow NetBIOS?

gojericho0 Thu, 10/18/2007 - 08:58

Is there another allow network access rule trumping the deny in another Module?

tsteger1 Thu, 10/18/2007 - 09:19

NetBIOS is allowed by default via the required system module.


Unless you make a priority deny blocking it or disable the allow rule, it will still be allowed.


Tom

fisko Wed, 10/24/2007 - 04:20

Another thing that I find is that the CSA-protected machine broadcasts all NetBIOS info on the broadcast IP of the segment, even if all UDP except UDP/4500 is denied?


Why CSA does not stop this traffic?

tsteger1 Wed, 10/24/2007 - 12:00

Being CSA protected doesn't stop a host from being a client and that sounds like where the broadcast is coming from.


You can stop this via CSA or Windows settings.

fisko Mon, 10/29/2007 - 04:37

Strange... I added a rule "deny TCP/UDP 135" with priority, and after a scan there are no open ports....

tsteger1 Mon, 10/29/2007 - 09:54

Precisely.


This traffic is allowed by default in the "All applications, server for basic services" rule in the "Required System Module" as I mentioned in an earlier post.


You must either deny it (as you just did) or modify\disable the allow rule.


Tom S
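The precedence behaviour Tom describes across this thread (a priority deny beats an allow, an allow beats a plain deny, so a deny-all in your own module never overrides the "All applications, server for basic services" allow in the Required System Module) can be modelled in a few lines. The script below is an added illustration for readers of this thread, not Cisco's CSA rule engine or any of its code. The rule names, the exact port range the default allow is taken to cover (135-139, i.e. the NetBIOS and endpoint mapper ports discussed above), and the fall-through default are assumptions of this toy model; the VPN ports and the deny-all are taken from fisko's post.

```python
"""Toy model of CSA-style rule precedence as described in this thread.

Constructed illustration only; not Cisco's engine. Precedence classes are
evaluated in the order the thread describes: priority deny, then allow,
then plain deny. Port ranges for the default allow are an assumption.
"""
from dataclasses import dataclass

PRECEDENCE = ("priority_deny", "allow", "deny")  # evaluation order
BOTH = frozenset({"tcp", "udp"})
ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # one of PRECEDENCE
    protocols: frozenset   # subset of {"tcp", "udp"}
    ports: tuple           # (low, high), inclusive
    roles: frozenset       # subset of {"client", "server"}

    def matches(self, protocol: str, port: int, role: str) -> bool:
        return (protocol in self.protocols
                and self.ports[0] <= port <= self.ports[1]
                and role in self.roles)


def evaluate(rules, protocol, port, role):
    """Return (decision, name of the rule that decided it).

    The highest precedence class with any match wins, regardless of which
    module the rule lives in. Nothing matching falls through to this model's
    default of "allow" (an assumption of the toy, not a CSA statement).
    """
    for action in PRECEDENCE:
        for rule in rules:
            if rule.action == action and rule.matches(protocol, port, role):
                return ("deny" if action.endswith("deny") else "allow"), rule.name
    return "allow", "default"


# fisko's module as posted (rule names are ours).
USER_MODULE = [
    Rule("allow vpn tcp/10000", "allow", frozenset({"tcp"}), (10000, 10000), frozenset({"client"})),
    Rule("allow vpn udp/500", "allow", frozenset({"udp"}), (500, 500), frozenset({"client"})),
    Rule("allow vpn udp/4500", "allow", frozenset({"udp"}), (4500, 4500), frozenset({"client"})),
    Rule("deny all tcp/udp", "deny", BOTH, ANY_PORT, frozenset({"client", "server"})),
]

# The default allow Tom names. The 135-139 range is an assumption of this model.
REQUIRED_SYSTEM_MODULE = [
    Rule("All applications, server for basic services", "allow", BOTH, (135, 139), frozenset({"server"})),
]

# fisko's later fix: a priority deny on tcp/udp 135.
PRIORITY_DENY_135 = Rule("priority deny tcp/udp 135", "priority_deny", BOTH, (135, 135),
                         frozenset({"client", "server"}))


def as_deployed():
    """fisko's first policy: own module plus the untouched default allow."""
    return USER_MODULE + REQUIRED_SYSTEM_MODULE


def with_priority_deny():
    """Option 1 from the thread: add a priority deny for port 135."""
    return as_deployed() + [PRIORITY_DENY_135]


def with_allow_disabled():
    """Option 2 from the thread: disable the default allow rule."""
    return list(USER_MODULE)


def open_server_ports(rules, ports=range(135, 140)):
    """(protocol, port) pairs a remote scanner would find open in this model."""
    return sorted((proto, p) for proto in ("tcp", "udp") for p in ports
                  if evaluate(rules, proto, p, "server")[0] == "allow")


if __name__ == "__main__":
    for label, policy in (("as deployed", as_deployed()),
                          ("priority deny 135", with_priority_deny()),
                          ("allow disabled", with_allow_disabled())):
        print(f"{label:20s} udp/135 server -> {evaluate(policy, 'udp', 135, 'server')}")
        print(f"{label:20s} open server ports: {open_server_ports(policy)}")
```

Two things the model makes visible: the deny-all in fisko's module loses to the default allow simply because of its precedence class, and a priority deny closes only the ports it names, so in this model the other NetBIOS ports the default allow covers stay reachable unless the allow rule itself is modified or disabled, which is the alternative Tom gives.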
