By Chris Bonatti, IECA of Casper, Guest Contributor
IECA often recommends that our clients operate their networks, whenever possible, in a stealth mode. However, we have never explained to this audience exactly what stealth means in this context.
In some ways, networks are like bodies of water: it's difficult to perceive what's inside one until you've interacted with it. Think of a shark here. Most swimmers, at least, would prefer not to interact with a shark, and would prefer that any sharks not notice that they’re in the water.
Like the shark, attackers on the Internet can only “see” something on your network when it emits packet traffic. So if a server doesn’t respond to a query, or your firewall blocks the traffic, your network can look as dark and mysterious as your favorite beach on a moonless night.
Your network is perceived by a remote attacker as a range of Internet Protocol (IP) addresses, and the port space of the protocols operating over IP. Attackers often attempt to gain intelligence about potential targets by scanning for IP address and port combinations that respond to their queries. This is enabled by a characteristic of the Transmission Control Protocol (TCP), which provides a reliable virtual connection over IP, and over which many common Internet protocols operate. TCP connections are formed when an initiating host sends a TCP SYN (synchronize) packet to another host. If that host agrees to connect, it returns a SYN-ACK packet. If it does not, it returns a RST (reset) packet.
When one of these scans encounters a stealthed port, a different course of events unfolds. Instead of the standard TCP behavior, a stealthed port sends no response whatsoever to a SYN packet.
While some Internet “purists” say that stealth operation is “against the standards”, we invite them to swim with the sharks.
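As an added example (not from the original article or from IECA), the following Python code checks a host you operate against the port policy you intended, using the three outcomes described above: a completed connection (SYN-ACK), a refusal (RST), or silence. The function names, the policy dictionary and the loopback demo are assumptions made for illustration.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP port by what comes back after our SYN."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"         # SYN-ACK returned, handshake completed
    except ConnectionRefusedError:
        return "closed"       # RST returned: the host revealed itself
    except socket.timeout:
        return "stealth"      # no reply at all within the timeout
    except OSError:
        return "unreachable"  # e.g. ICMP error or no route
    finally:
        s.close()

def audit(host, policy, timeout=2.0):
    """Return (port, expected, observed) for every port that breaks policy."""
    findings = []
    for port, expected in sorted(policy.items()):
        observed = probe(host, port, timeout)
        if observed != expected:
            findings.append((port, expected, observed))
    return findings

def loopback_demo():
    """Constructed demo on 127.0.0.1: one listener, one port with nothing bound."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    unused_port = spare.getsockname()[1]
    spare.close()             # nothing listens here, so the kernel answers RST
    try:
        # Intended policy: the service port is open, everything else is silent.
        policy = {open_port: "open", unused_port: "stealth"}
        return audit("127.0.0.1", policy, timeout=0.5)
    finally:
        listener.close()

if __name__ == "__main__":
    for port, expected, observed in loopback_demo():
        print(f"port {port}: expected {expected}, observed {observed}")
```

A "stealth" result only means nothing arrived within the timeout, so run the check from outside your firewall and repeat it before trusting the answer.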
You may well ask, though, how can a fully stealthed host actually do anything useful? First, it’s important to realize that full stealth may not be necessary.
Making sure that your system is as stealthy as possible can be challenging, but we would be happy to help. IECA has a self-help guide that points out many of the potential pitfalls to help you keep the “sharks” away from your systems. We’re also happy to meet new clients, and offer our help in person. www.ieca.com