
Are there plans to include an "anti-portscan" feature in sophos XG?

The UTM has an essential feature called "anti-portscan" that is separate from DoS protection. Anti-portscan, if you are not aware, will detect when a source IP address is scanning the external WAN interface for open ports, and block, drop, or log the source IP.

While not necessary for functionality, since Sophos firewall will block all connection attempts anyway, portscan detection/prevention can at least provide an email alert to an admin that a device is scanning the external interface for open ports.

From what I gather, DoS protection is not the same thing. It is still erroneously considered "port scan prevention", but it is not, since it is nothing more than TCP/UDP flood protection to prevent infected hosts in the LAN from running denial-of-service attacks on clients/servers on the internet.

So the advantages of portscan detection and prevention are:

Sophos detects that ports are being scanned from the same IP address and the IPS can send an email to an admin.

The IPS automatically blocks, drops, or logs the IP so that the attacker cannot see open ports (or be DNAT'd to a device listening for connections) if there are any.



  • I had this discussion plenty of times, and my point of view: Anti-Port Scan is not viable and does not provide any extra layer of protection in any sharper form.

    Simply because literally no attack will work like this. Shodan and other tools are there to do this job, and they are built to work around such anti-port-scan features by building and using a distributed network.

    You can read about my take here:  Port scan Detection XG18

    While you can also talk about the XDR point of view (hey, show me more info about this IP, or who scanned my network, etc.), what will you do with this information?

    And I am not aware of any attacker using his attack client to also do the evaluation phase.

    Shodan and other tools are scanning the internet 24/7, so if this tool worked, you should not find your firewall on the internet with all its information. But likely you will. So the anti-port-scan feature is likely not working as it should (because it can't).

  • Agree 100%. To be honest, port scanning from INSIDE the network might be useful. The idea being that an insider threat or a penetration would probably have a small footprint, probably a single machine, and hence would not be able to use distributed workarounds.

    Of course, they could operate very slowly: maybe probe a port on a different machine every few seconds, but a single machine wouldn't be probed more than once every couple of minutes.

    But port-scanning prevention from external devices makes no sense in the AWS and botnet era.
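The detection the original post describes (one source IP touching many ports on the WAN interface, then block/drop/log) and the slow-scan evasion the reply above describes both come down to a sliding-window threshold per source address. The following is an added example, not Sophos code: a threshold-based scan detector run over constructed firewall drop logs, showing that a fast scanner trips a 10-ports-in-60-seconds rule while a scanner probing one new port every 30 seconds stays under it until the window is widened. The log format, thresholds and documentation-range addresses are all assumptions.

```python
"""Threshold-based port-scan detection over constructed firewall drop logs.

Added example, not Sophos code. The "<epoch> DROP <src_ip> -> <dst_ip>:<dst_port>"
log format, the window/threshold values and the IP addresses are assumptions.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple


def build_sample_log() -> List[str]:
    """Construct sample drop-log lines (constructed data, not real logs)."""
    lines: List[str] = []
    # Fast scanner: 20 distinct ports within about 5 seconds.
    for i in range(20):
        lines.append(f"{1000 + i // 4} DROP 203.0.113.5 -> 192.0.2.1:{21 + i}")
    # Slow scanner: one new port every 30 seconds, 20 ports over ten minutes.
    for i in range(20):
        lines.append(f"{1000 + 30 * i} DROP 198.51.100.7 -> 192.0.2.1:{8000 + i}")
    # Legitimate client retrying a single closed port: many drops, one port.
    for i in range(30):
        lines.append(f"{1000 + i} DROP 192.0.2.10 -> 192.0.2.1:443")
    # Firewalls emit logs in time order; sort to mimic that.
    return sorted(lines, key=lambda line: int(line.split()[0]))


def parse_line(line: str) -> Tuple[int, str, int]:
    """Return (timestamp, source IP, destination port) for one assumed-format line."""
    ts, _action, src, _arrow, dst = line.split()
    return int(ts), src, int(dst.rsplit(":", 1)[1])


def detect_portscans(lines: Iterable[str],
                     window_seconds: int = 60,
                     port_threshold: int = 10) -> Dict[str, int]:
    """Flag a source IP once it has hit >= port_threshold distinct destination
    ports within any window_seconds span. Returns {src_ip: timestamp of trigger}.

    Counting distinct ports (not packets) is what keeps a client that retries
    one closed port from being flagged, while a sweep across ports is.
    """
    recent: Dict[str, Deque[Tuple[int, int]]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for line in lines:
        ts, src, port = parse_line(line)
        if src in flagged:
            continue  # already reported; a real firewall would now drop this source
        window = recent[src]
        window.append((ts, port))
        # Expire entries older than the window so a slow scanner does not accumulate.
        while window and ts - window[0][0] > window_seconds:
            window.popleft()
        distinct_ports = {p for _, p in window}
        if len(distinct_ports) >= port_threshold:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    log = build_sample_log()
    print("60s window :", detect_portscans(log))
    print("600s window:", detect_portscans(log, window_seconds=600))
```

With the default 60-second window only the fast scanner is reported; the slow scanner is only caught when the window is stretched to 600 seconds, which is the trade-off the reply points at: a window long enough to catch a patient scanner also has to hold state per source for that long.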

  • Sort of makes sense. At the time when Astaro was conceptualized, botnets probably weren't even a thing, and anti-portscan had a use.

    However, it has some limited use-case scenarios: for penetration testing of the IPS to make sure it's doing its job, and for testing the email system in general to make sure an alert is sent.

  • UTM does not do this via IPS. It is just in the IPS tab. Anti-Port Scan was its own purpose-built engine for this job.

    You can test the IPS within SFOS with a custom IPS rule. 

    docs.sophos.com/.../index.html
