Port scanning

May 23rd, 2012

hello

From the access switch, can we block end users from running port scanning software or Wireshark on their machines? The topology is simple: a 3560 acts as the core switch and all access switches terminate on it. The 3560 is the VTP server and all access switches (2950/2960) are in client mode.


Hoping for some quick help


cheers

CP

Tagir Temirgaliyev Thu, 05/24/2012 - 01:29

Hi

So-called segregation of the LAN.

You can divide your LAN into several small LANs or VLANs, and you can make ACLs from each one to each other.

Users will be able to run a port scan only in their own VLAN and only against those hosts which are permitted in the ACL.

Don't forget to rate the post.

cisco.plus Thu, 05/24/2012 - 01:41

Hi

We already have VLANs: users are in a different VLAN, servers are in a different VLAN, and network devices are in a different VLAN.

It is still not clear how to restrict port scanning from an end-user PC.


cheers

CP

Tagir Temirgaliyev Thu, 05/24/2012 - 02:18

interface Vlan200
 description users1
 ip address 172.10.a.1 255.255.255.0
 ! applied inbound, so it filters traffic sourced by the users in Vlan200;
 ! this ACL prevents port scanning of users in Vlan210, only server1 and server2 are reachable
 ip access-group Users1_to_Servers in

interface Vlan210
 description users2
 ip address 172.10.d.1 255.255.255.0
 ! this ACL prevents port scanning of users in Vlan200, only server1 and server2 are reachable
 ip access-group Users2_to_Servers in

interface Vlan300
 description servers
 ip address 172.10.b.1 255.255.255.0

! extended ACLs take a wildcard mask (0.0.0.255), not a subnet mask
ip access-list extended Users1_to_Servers
 ! for example server1
 permit ip 172.10.a.0 0.0.0.255 host 172.10.b.2
 ! for example server2
 permit ip 172.10.a.0 0.0.0.255 host 172.10.b.3
 ! everything else is dropped by the implicit deny at the end of the list

ip access-list extended Users2_to_Servers
 permit ip 172.10.d.0 0.0.0.255 host 172.10.b.2
 permit ip 172.10.d.0 0.0.0.255 host 172.10.b.3

Thus users in Vlan200 can access only server1 and server2 and not the users in Vlan210, and vice versa.

Users can still scan ports within their own VLAN.
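As an added example (not from the post above), a small Python evaluator for the extended-ACL syntax used in that configuration, to check what the list actually permits. It assumes a=10, b=30, d=20 for the octet placeholders, models the implicit deny at the end of every IOS ACL, and also shows why the source must be written with a wildcard mask (0.0.0.255) rather than a subnet mask.

```python
import ipaddress

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(toks, i):
    """Parse one address spec ('any', 'host X', or 'X WILDCARD') at toks[i]."""
    if toks[i] == "any":
        return 0, 0xFFFFFFFF, i + 1
    if toks[i] == "host":
        return _ip(toks[i + 1]), 0, i + 2
    return _ip(toks[i]), _ip(toks[i + 1]), i + 2

def parse_acl(text):
    """Return a list of (action, src, src_wild, dst, dst_wild) from ACE lines."""
    aces = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < 4 or toks[0] not in ("permit", "deny") or toks[1] != "ip":
            continue  # not an ACE (list name, comment, blank line)
        src, src_w, i = _parse_addr(toks, 2)
        dst, dst_w, _ = _parse_addr(toks, i)
        aces.append((toks[0], src, src_w, dst, dst_w))
    return aces

def _wild_match(addr, base, wild):
    # Wildcard semantics: 1 bits are "don't care", so compare only the 0 bits.
    care = ~wild & 0xFFFFFFFF
    return addr & care == base & care

def evaluate(aces, src, dst):
    """First matching ACE wins; otherwise the implicit 'deny ip any any'."""
    s, d = _ip(src), _ip(dst)
    for action, bs, ws, bd, wd in aces:
        if _wild_match(s, bs, ws) and _wild_match(d, bd, wd):
            return action
    return "deny"

# The post's Users1_to_Servers list with a=10, b=30 (assumed) and proper wildcards.
CORRECTED = """ip access-list extended Users1_to_Servers
 permit ip 172.10.10.0 0.0.0.255 host 172.10.30.2
 permit ip 172.10.10.0 0.0.0.255 host 172.10.30.3"""
# The same list written with a subnet mask instead of a wildcard mask.
AS_POSTED = CORRECTED.replace("0.0.0.255", "255.255.255.0")

if __name__ == "__main__":
    acl = parse_acl(CORRECTED)
    print(evaluate(acl, "172.10.10.25", "172.10.30.2"))  # permit: server1
    print(evaluate(acl, "172.10.10.25", "172.10.20.7"))  # deny: user in Vlan210
    print(evaluate(parse_acl(AS_POSTED), "172.10.10.25", "172.10.30.2"))  # deny
```

With the subnet-mask form, the wildcard 255.255.255.0 tells IOS to ignore the first three octets and match only a last octet of 0, so no real user address ever matches and every user packet falls to the implicit deny.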

Edwin Summers Thu, 05/24/2012 - 02:37

Wireshark is a passive application from the network's POV. It simply records anything that is already available on the segment to which the host is connected. You may be able to limit the amount of information one could sniff by controlling what is sent to your access segment, but your network infrastructure will likely not help you "prevent" someone from running Wireshark. It may be possible to prevent the application through some Windows policies (if you're running a Windows infrastructure), but I'm not familiar enough with AD to provide a definitive answer to that. There are other solutions, I believe, that enforce a "trusted desktop", but these are applications and separate from the network infrastructure.


Port scanning software is more active, so it can be observed. The key points would be 1) finding an active scanner, and 2) determining how you want to stop it. The first step requires something in the network to be able to monitor traffic by host(s) over a period of time and analyze for patterns. It is possible that the access switch could play a role in this, but I don't believe it would be the sole point of action. Once a scanner is found, the policing system could work in conjunction with the access switch to shut down the port or take other action as appropriate. However, it will not be able to directly affect the application running on a host machine.


Good luck! -Ed

cisco.plus Thu, 05/24/2012 - 02:50

Thanks Edwin, I do understand it's a combination of Windows Group Policy + network action.

Any suggestion on software to monitor traffic by hosts over a period of time and analyze patterns?


cheers

CP

Edwin Summers Thu, 05/24/2012 - 03:56

Off the top of my head I don't have a perfect answer. You may be able to find a NetFlow analyzer that either has a trigger or can be scripted to look for certain activity. Snort comes to mind as well. It may have portscan detection capability. It is freely available for at least some applications, so you could give it a trial.


Hope this helps! -Ed


Sent from Cisco Technical Support Android App

Leo Laohoo Thu, 05/24/2012 - 04:10

Port scanning is an application. Routers and switches do not operate at this layer.


Windows Group Policy is your answer here.

Tagir Temirgaliyev Thu, 05/24/2012 - 20:26

Windows Group Policy is not an answer, because somebody can connect a netbook or notebook to your LAN and run port scans and even more dangerous software.


To prevent this you'll need to enable port security on the Cisco switches.

hobbe Thu, 05/24/2012 - 03:08

Hi

Basically the answer is: you cannot do that.


That does not mean, however, that it is not possible to achieve to some degree what you are asking for.

First of all, what is it that you want to achieve? The end goal, I mean.


Let's see here.

Wireshark

Sure, you can do a check to see if the computer (if it adheres to your Windows group policies) does not have Wireshark installed, but what happens with e.g. VMware? Is that allowed?

If it is, you are toast. And so on.

There are always ways around this type of blocking, so the best thing is to have a good IT policy that tells people that they are not allowed to do whatever it now is that you do not want them to do.

If you find out that they are doing it anyway, then I usually go out to the user in question and have a chat with them to make sure that they are fully aware of the situation and the rules. If they continue, I let the HR department know that they are in violation of the protocols, and then it's up to their bosses to fire them or deduct pay or whatever the punishment is for violating the rules.


Now the second part you want to do is not allow port scanning.

This is basically impossible to do; a port scan can take from a few seconds to years to do.

There is no time limit in theory, but in practice it is all dependent on what or why you are scanning.

Only an idiot not caring about getting caught would scan as fast as it is possible to do so.

If you do a scan that will scan a class C network for 5 different ports in about a week, it will just drown in the static noise of the network and you will not find it.

You stated that you had users in one place and resources in other places; depending on how scattered the users are, you can do some stuff.


First, are the users in any way in need of contacting each other?

If they are, this will not work.

If they are not, this might work.

If you set up users in e.g. a 3750 stack and then you apply protected ports on the users but not the router, then they cannot see each other but they can reach their router. This solves both the Wireshark question, i.e. they can see their own traffic but not anyone else's, and some of the port scanning question, i.e. they cannot reach anyone in their own VLAN except the router. Also, they will be able to port scan things through the router.


To handle the port scanning internally, you simply put up a honey net and space out the addresses.

If they are scanning, you will detect them if you set up enough addresses.

Word of advice though: let them step in it properly before taking action; someone could have misspelled or written an IP address wrong, so it could be just innocent.

You can even do checks with access-lists and EEM to let you know when and who, so you can monitor them more carefully. E.g. you could set up a capture in the router if they trip an access-list that automagically captures all traffic to and from that host.


Good luck


Hope This Helps
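As an added example (not from any post in this thread), a Python sketch of the two detection ideas raised above: Edwin's suggestion of analyzing per-host traffic patterns over time from NetFlow, and hobbe's honeynet of unused addresses. The flow records and the 172.10.40.0/24 "dark" range are constructed for the example; it shows that a fan-out threshold catches a fast scan but misses one spread over a week, while the honeynet catches the slow one and, per hobbe's caveat, ignores a single mistyped address.

```python
import ipaddress
from collections import defaultdict

HONEYNET = ipaddress.ip_network("172.10.40.0/24")  # assumed unused ("dark") range

def sample_flows():
    """Constructed NetFlow-style records: (time_s, src_ip, dst_ip, dst_port)."""
    f = []
    # Fast scan: 30 ports on server1 inside 30 seconds.
    f += [(t, "172.10.10.25", "172.10.30.2", 1 + t) for t in range(30)]
    # Slow scan: the same 30 ports spread over about a week (one every 20000 s)...
    f += [(i * 20000, "172.10.10.60", "172.10.30.3", 1 + i) for i in range(30)]
    # ...with three touches on unused honeynet addresses along the way.
    f += [(50000, "172.10.10.60", "172.10.40.5", 22),
          (250000, "172.10.10.60", "172.10.40.17", 445),
          (480000, "172.10.10.60", "172.10.40.99", 80)]
    # Normal user: file share and web on server1, plus one mistyped address.
    f += [(t * 300, "172.10.10.7", "172.10.30.2", 445) for t in range(100)]
    f += [(400, "172.10.10.7", "172.10.30.2", 80),
          (900, "172.10.10.7", "172.10.40.2", 445)]
    return sorted(f)

def fanout_alerts(flows, window=60, min_targets=20):
    """Sources that reach >= min_targets distinct (dst, port) pairs in any window."""
    by_src = defaultdict(list)
    for t, src, dst, port in flows:
        by_src[src].append((t, (dst, port)))
    alerts = set()
    for src, recs in by_src.items():
        for t_i, _ in recs:  # sliding window ending at each record
            targets = {tgt for t, tgt in recs if t_i - window <= t <= t_i}
            if len(targets) >= min_targets:
                alerts.add(src)
                break
    return alerts

def honeynet_alerts(flows, honeynet=HONEYNET, min_hits=3):
    """Sources touching >= min_hits distinct dark addresses; one hit may be a typo."""
    hits = defaultdict(set)
    for _, src, dst, _ in flows:
        if ipaddress.ip_address(dst) in honeynet:
            hits[src].add(dst)
    return {src for src, addrs in hits.items() if len(addrs) >= min_hits}

if __name__ == "__main__":
    flows = sample_flows()
    print("fan-out alerts:", fanout_alerts(flows))      # only the fast scanner
    print("honeynet alerts:", honeynet_alerts(flows))   # only the slow scanner
```

Widening the window to a week makes the fan-out rule catch the slow scanner too, at the cost of counting far more legitimate traffic per host, which is the noise problem hobbe describes.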

Mitchell Dyer Thu, 05/24/2012 - 23:09

I think 802.1X, along with a rigid Windows security policy, is your answer here. IPS/IDS is the only way to detect or prevent port scans, and it would be incredibly expensive to deploy in a way that would prevent port scanning on the subnet/VLAN the device resides on.


Rather than stopping the scanning from happening I would look at how to keep the machine from getting on the network in the first place.



Sent from Cisco Technical Support Android App
