Forum Thread: Firewall question

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
CSI

This thread has been marked as locked.
Mester Firewall question
Member 6th Oct, 2009 12:34
Ranking: 0
Posts: 5
User Since: 25th Aug, 2009
System Score: N/A
Location: N/A
Hi,

which ports should I open on the client machine's firewall to be able to run a clientless scan on the machine?
I opened the file and printer sharing but I still only have partial scans. If I completly disable the firewall scan status is success.


Attila Mesterhazy

This user no longer exists RE: Firewall question
Secunia Official 6th Oct, 2009 12:42
The system requirements for scanning using remote login (Agent-less):

Administrative privileges
Microsoft Windows 2000, XP, 2003, and Vista
Windows Update Agent 2.0

Standard Windows services/ports:
Workstation and Server Service
Remote Registry Service
File and Print Sharing
COM+
Ports 139/tcp and 445/tcp open inbound

Isak
Secunia support
Mester RE: Firewall question
Member 6th Oct, 2009 12:47
Score: 0
Posts: 5
User Since: 25th Aug 2009
System Score: N/A
Location: N/A
I know it, because this is what I found in the manual.
But if I disable the firewall the scan finishes withount any error and if I turn it on the scan is only partly. I have port 139 and 445 open in the firewall but it seems CSI needs some other ports too.
Was this reply relevant?
+0
-0
newyork10023 RE: Firewall question
Member 6th Oct, 2009 17:45
Score: 0
Posts: 4
User Since: 2nd Apr 2009
System Score: N/A
Location: N/A
I must say that is a heady number of open ports and services.

It would be no wonder that a machine would be attacked, successfully.
Was this reply relevant?
+0
-0
Slamgeden RE: Firewall question
Member 7th Oct, 2009 08:22
Score: 0
Posts: 181
User Since: 17th Jul 2009
System Score: N/A
Location: N/A
Can't you just check your log and see what traffic was blocked?

--
Assorted Fnords.
Was this reply relevant?
+0
-0
Mester RE: Firewall question
Member 7th Oct, 2009 09:31
Score: 0
Posts: 5
User Since: 25th Aug 2009
System Score: N/A
Location: N/A
How can I check it with the Windows XP's built-in firewall?
Was this reply relevant?
+0
-0
Slamgeden RE: Firewall question
Member 7th Oct, 2009 14:47
Score: 0
Posts: 181
User Since: 17th Jul 2009
System Score: N/A
Location: N/A
Last edited on 7th Oct, 2009 14:56
First hit from google: http://technet.microsoft.com/en-us/library/cc73637...).aspx

--
Assorted Fnords.
Was this reply relevant?
+0
-0
hellcat77 RE: Firewall question
Member 18th Feb, 2010 23:10
Score: 0
Posts: 4
User Since: 18th Feb 2010
System Score: N/A
Location: US
So is there some kind of CSI client side program available so we don't have to open up all these ports and turn on file and print sharing on every single box?

Otherwise this could realy have a negative affect on your networks base security? IMHO?

Please advise,


Many Thanks!


Howie
Was this reply relevant?
+0
-0
This user no longer exists RE: Firewall question
Secunia Official 19th Feb, 2010 09:08
Last edited on 19th Feb, 2010 09:11 Hello Howie,

As an alternative you can use CSI Agents.
The Secunia CSI Agent is a standalone executable that can run as a command line program or installed as a local service. The agent can be configured to scan the system at regular intervals.

CSI Agent requirements:
Port 443/TCP open outbound (SSL)
Windows Update Agent 2.0 or later

Thanks!
/Luis
Secunia
hellcat77 RE: Firewall question
Member 19th Feb, 2010 17:02
Score: 0
Posts: 4
User Since: 18th Feb 2010
System Score: N/A
Location: US
So being that we are just evaluating this new system, and have not purchased it yet, do I just download the regular CSI client trial program for my clients and use the CSI 4.0 beta with our WSUS serverside to connect to the regular CSI trial clients or?


Thanks!



Howie
Was this reply relevant?
+0
-0
This user no longer exists RE: Firewall question
Secunia Official 22nd Feb, 2010 09:03
Hello Howie,

let me explain with more detail how you can use the CSI Agent.
First you should install the CSI 4.0 beta (I'm assuming you already did this).
Now, in the CSI Graphical User Interface, you will see several options in a menu in the left hand side, go to Scan now -> Scheduled Scanning -> Download CSI Agent

In the Download CSI Agent screen, you will see a link for downloading a file, csia.exe (this is the CSI agent). In that very same screen we describe some steps on how to get the agent installed in the target hosts.
Example:
you download the CSIA.exe, then you logon into a target host, copy the agent do the target computer and install it with the following command:
csia.exe -i -L
once the agent is successful installed you can run a scan by typing the command:
csia.exe -c

After performing these steps you can check the scan result on the CSI 4 GUI, you can also change the agent settings from the GUI in Scheduled Scanning -> Single Host Agents

Let me know if you need more information.

Thanks!
/Luis
Secunia
Winsyrstrife RE: Firewall question
Member 25th Feb, 2010 19:43
Score: 6
Posts: 9
User Since: 21st Jan 2010
System Score: N/A
Location: US
Just sharing my personal experience with CSI and Windows Firewall.

if you check the logs, you'll see that several random ports connections from the CSI scanner will be dropped by the client's Windows Firewall during the scan. This part is the Windows Update check. Since the connections are dropped, you get a partial scan result. As said, disabling Windows Firewall will give you a full result every time. Since Windows Firewall does not allow for port ranges or all ports for a specific IP address, for me, the alternative was:

A. registry hacking

B. alternate firewall

C. CSI Agent - local install

I opted for B, and made an exception for 1 IP address to access all workstations on a particular segment.
Was this reply relevant?
+0
-0
hellcat77 RE: Firewall question
Member 2nd Mar, 2010 18:40
Score: 0
Posts: 4
User Since: 18th Feb 2010
System Score: N/A
Location: US
Thanks for the tips folks!

Wow that really seem like a pain to install a 3rd party firewall on each and every workstation? Also, if we had to, what freeware Firewall can we put on our XP and Vista clients to enable a full CSI 4.0 scan?

Please advise...


Many Thanks!


Howie
Was this reply relevant?
+0
-0
Winsyrstrife RE: Firewall question
Member 5th Mar, 2010 18:21
Score: 6
Posts: 9
User Since: 21st Jan 2010
System Score: N/A
Location: US
I have experience using several 100% free firewalls, but I couldn't say they're acceptable for corporate use. Kerio Personal Firewall is my personal favorite, but it hasn't been updated in ages, and is sometimes subject to crashes / blue screens. Sygate is good, as well as Online Armor & Ashampoo, but the primary component of the free agreement is using them for personal use only. It also becomes a pain to manage said firewall on multiple machine across your network. A centrally managed firewall policy capable application is your best bet, be it free or pay product. I use Trend Micro OfficeScan at my company (pay product), which can be managed centrally.

You can also contact Secunia regarding the problem. They had suggested the registry tweaks (I don't know exactly what they are), but I found using an alternate firewall, which was readily available, to be an easier solution.

Maybe, this scanning issue is being resolved in v4.0, and this discussion will become moot? =)
Was this reply relevant?
+0
-0

This thread has been marked as locked.