
Hardening NSM using IP tables

[KB25681]


Summary:

A vulnerability scan or penetration test of an NSM server might produce a finding like this:

"A backdoor or trojan may be running on the system on ports 10000, 11223, 12345, 12754, 16969, 20034, 27665, 29891, 30029, 30100, 30102, 31337, 33270, 33333, 34324, 53001, 7597, 8000, 8080, 8081, 8090, 8888, 9000, 9999 etc."

This article explains why the ports are open and suggests ways to secure your NSM server by closing the open ports.

Symptoms:

Ports are open on an NSM, possibly compromising security. The ports need to be closed.

Solution:

Most network management systems are designed to be reachable without restriction. Moreover, the devices managed by a network management system might initiate connections from their end to the Network Management Server.

In some cases, the Network Management Server might also act as a centralized log server, NetFlow collector, SIM/SIEM server, correlation engine, endpoint enforcement server, FCAPS server, and more.

Different services need different ports to be available. For example, a traditional syslog server listens on UDP port 514, but some customers instead run syslog on TCP port 1514 in order to have encryption and authentication support, to meet compliance requirements, or to avoid log dumping attacks carried out with tools like netcat or socat. The Network Management Server, therefore, must be able to listen on various ports as the situation demands.

The Juniper NSM solution is designed with these standards in mind. In fact, the OSI/ISO network management model is one of the most commonly used standards for NMS design.

Once you have established the scope of your Network Management Server deployment, you might want to harden it by closing all unused ports and services. After a vulnerability scan or penetration test of the NMS, you might find a number of open ports that are not associated with any application. In that case, it is your responsibility to harden the NMS by closing those ports, to reduce the chance of intrusion and privilege escalation attacks. The Unix kernel is not hardened when NSM is installed, so the Unix host can accept connections on any port. If you review the VA scan report closely, you will notice that it is warning you only about the possibility that some application could become associated with the unused ports.

Customers are welcome to use iptables rules to block any unused ports and harden their systems. The following document explains how to close the open ports using iptables: "Securing and Hardening NSM Using IP Tables".
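As an added illustration (not from this article or from the referenced Juniper document), the shell function below generates a default-deny iptables ruleset in iptables-restore format that permits only loopback, established traffic, and an explicit list of service ports. The port list is a constructed example (SSH on tcp/22 is assumed for administration; udp/514 and tcp/1514 are the syslog ports discussed above); replace it with the ports your NSM deployment actually uses.

```shell
#!/bin/sh
# ALLOWED_PORTS is a constructed example; adjust it to the services your NSM
# host really needs (check what is listening with `ss -lntup` or `netstat -lntup`).
ALLOWED_PORTS="tcp/22 udp/514 tcp/1514"

# nsm_ruleset PORTLIST
# Prints an iptables-restore ruleset: default DROP on INPUT, allow loopback and
# established/related traffic, allow each proto/port in PORTLIST, log the rest.
nsm_ruleset() {
    ports="$1"
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for entry in $ports; do
        proto=${entry%/*}   # text before the slash
        port=${entry#*/}    # text after the slash
        case "$proto" in
            tcp|udp) ;;
            *) echo "nsm_ruleset: bad entry '$entry' (want tcp/N or udp/N)" >&2; return 1 ;;
        esac
        case "$port" in
            ''|*[!0-9]*) echo "nsm_ruleset: bad port in '$entry'" >&2; return 1 ;;
        esac
        printf '%s\n' "-A INPUT -p $proto --dport $port -j ACCEPT"
    done
    # Rate-limited logging of everything else, so scans of closed ports are visible in syslog
    printf '%s\n' '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "nsm-drop: "' \
        'COMMIT'
}

# Write the ruleset to a file for review; apply it as root with:
#   iptables-restore < /tmp/nsm-rules.v4
nsm_ruleset "$ALLOWED_PORTS" > /tmp/nsm-rules.v4
```

Review the generated file before loading it, and keep an out-of-band console session open in case the allowed list omits the port you are administering from.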
