You shouldn't have to worry about your ISP. I'm constantly running nmap or
some other network scan and my ISP doesn't say anything. Sometimes I run
them from within my corporate network. Sometimes I run them from my
personal dial-up account with a local ISP.
You are quite correct that you are within your rights to scan your firewall
from another location. If an ISP cancelled an account of mine based on
that, you can bet they'd get a quick letter from my lawyers.
I really can't BELIEVE this thread.
-----Original Message-----
From: Derek Martin [mailto:[EMAIL PROTECTED]]
Sent: Friday, July 23, 1999 12:46 PM
To: Thompson, Dave
Cc: William Joynt; Bill Joynt; Dave Gillett; Firewall list; Paul L. Lussier
Subject: RE: trial & charges
Dave,
You make some decent points which I'd like to address but first, before
I forget again, I'd like to give another legitimate reason to do a port
scan.
I recently set up a new firewall box here at work, which I'd like to
test before we put it in place; specifically I'd like to run SATAN and a
few other tools on it from my box at home, in order to test the security
of the thing.
I am however very reluctant because I'm concerned that, because of this
legal quagmire that we've created for ourselves, my ISP will see the
traffic and kill my account for "hacking" as it were.
Obviously, I'm well within my right, but I foresee a great deal of
trouble from my ISP in getting my account back. Call me paranoid, but all
good security admins are! ;-)
On Fri, 23 Jul 1999, Thompson, Dave wrote:
> In a place of business, there is a front door, and there is often a private
> back door. The front door is to be used by the public so they can come in
> and look around. They can rattle the doorknob to their hearts' content.
>
> The private door, however, isn't intended for public use. It's still
> accessible from the street, but just because it accesses the street doesn't
> mean it's intended for just anyone to use--nor is it intended for people to
> even come rattle the doorknob to see if it's open. Someone may come to open
> the door by mistake because he doesn't realize the door isn't for public
> use, but most people have enough sense about them to recognize which door
> they are meant to use.
>
> In this analogy, the front door is the Web site that is open to the
> public--and this is the only part of the system that's open to the public.
This is the best argument I've seen to refute my point so far, and I had
already thought of it. Here's why I don't agree:
> The private door, however, is ftp, telnet, etc., which aren't meant for
> public use. (I know some sites grant public ftp and telnet--that's not my
> point. Stick to the analogy!)
This is where you must divorce the reality from the original analogy.
There IS a difference, and it is that on the internet, none of the "doors"
are clearly marked. Many services are public on some servers and private
on others. You can't simply say that FTP and Telnet are always private,
cuz they ain't! :)
The way TCP and UDP work forces you to find out for yourself which are
public and which are private. If you get an answer that says essentially
"go away" (i.e. by connection refused or other ICMP message, or a specific
message sent back over the connection by the admin), then it's a private
door. Inasmuch as we can extend the analogy, this is the equivalent to a
"KEEP OUT" sign on your private doors. But with TCP and UDP, you don't
know until you try. A port scan is then the equivalent of looking at the
door to see if there's a keep out sign on it.
> The private door accesses files and tools
> that were never meant to be used or even seen by the public. Just having a
> door doesn't give people permission to try to open it.
How do you know that? Maybe they are running a gopher server that's open
to the public, and you just didn't see it. Maybe they're running an IRC
server that you didn't see advertised anywhere... Replace Gopher and IRC
with about a zillion other protocols that could potentially be running and
open to the public.
> Whether the intruder would be punished or not would depend on local laws.
Right. In most cases, I think the local laws would not punish someone for
a simple port scan, and IMO rightly so. I'm personally against making it
illegal to do anything that doesn't and/or can't have any real direct
negative impact on anyone other than the person who does it (yet another
completely different argument). Port scans are harmless, do not
constitute a REAL intrusion (though arguments can be made that you're
tying up bandwidth and CPU etc, the amounts are so minuscule for a single
full port scan it isn't worth worrying about) and should not be
legislated.
--
Derek D. Martin | UNIX System Administrator
[EMAIL PROTECTED] | [EMAIL PROTECTED]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]