Monday, September 3, 2012

NX-OS 6.x + nmap UDP Port 1434 open|filtered

Problem Description:
An nmap 6.01 UDP scan against a Nexus 7000 running NX-OS 6.0(4) reports UDP port 1434 as open|filtered. nmap uses that state when a UDP probe gets no answer at all: neither a UDP reply (which would mean open) nor an ICMP Port Unreachable (which would mean closed).


Problem Analysis:
The packet capture shows that the Nexus 7000 never replies to any packet destined to UDP port 1434.

However, it answers a probe to the neighbouring UDP port 1433 with an ICMP Port Unreachable (type 3, code 3). That is why nmap reports 1433 as closed and 1434 as open|filtered: the switch treats the two ports differently, and the difference is visible on the wire.

UDP Port 1433 is MS SQL Server.
UDP Port 1434 is MS SQL Monitor.
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers


Solutions:
On NX-OS, the no ip unreachables interface subcommand (a very common Cisco IOS hardening command) is not sufficient. As the show ip interface output below makes explicit, it only disables "IP icmp unreachables (except port)"; ICMP Port Unreachable generation is controlled separately and stays enabled. To stop the switch from revealing which UDP ports it silently drops, also apply no ip port-unreachable on the interface. Once both are disabled, every probed UDP port comes back open|filtered and port 1434 no longer stands out to a port scanner. Two caveats: this hides the difference from a scanner rather than changing whatever makes port 1434 special, so the primary control should still be to restrict which sources can reach the switch's own IP addresses at all (an ACL or CoPP policy that permits only management networks); and suppressing ICMP unreachables also removes the other type 3 messages, including fragmentation-needed, which hosts rely on for path MTU discovery, so confirm that trade-off is acceptable on the interfaces where you apply it.

n7010# sh ip int vlan 3
IP Interface Status for VRF "default"(1)
Vlan3, Interface status: protocol-up/link-up/admin-up, iod: 3,
  IP address: 192.168.1.1, IP subnet: 192.168.1.0/24
  IP broadcast address: 255.255.255.255
  IP multicast groups locally joined:
      224.0.0.9  224.0.0.2
  IP MTU: 1500 bytes (using link MTU)
  IP primary address route-preference: 0, tag: 0
  IP proxy ARP : disabled
  IP Local Proxy ARP : disabled
  IP multicast routing: disabled
  IP icmp redirects: disabled
  IP directed-broadcast: disabled
  IP icmp unreachables (except port): disabled
  IP icmp port-unreachable: enabled
  IP unicast reverse path forwarding: none
  IP load sharing: per-packet
  IP interface statistics last reset: never
  IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets    : 139718/1314121/1507/138211/0
    Unicast bytes      : 15147448/245546562/225076/14922372/0
    Multicast packets  : 333941/5486628/0/333941/5484138
    Multicast bytes    : 125711410/424427396/0/125711410/424218414
    Broadcast packets  : 0/0/0/0/0
    Broadcast bytes    : 0/0/0/0/0
    Labeled packets    : 0/0/0/0/0
    Labeled bytes      : 0/0/0/0/0
  WCCP Redirect outbound: disabled
  WCCP Redirect inbound: disabled
  WCCP Redirect exclude: disabled
n7010#
n7010# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
n7010(config)# int vlan 3
n7010(config-if)# no ip port-unreachable
n7010(config-if)#
n7010#
n7010# sh ip int vlan 3
IP Interface Status for VRF "default"(1)
Vlan3, Interface status: protocol-up/link-up/admin-up, iod: 3,
  IP address: 192.168.1.1, IP subnet: 192.168.1.0/24
  IP broadcast address: 255.255.255.255
  IP multicast groups locally joined:
      224.0.0.9  224.0.0.2
  IP MTU: 1500 bytes (using link MTU)
  IP primary address route-preference: 0, tag: 0
  IP proxy ARP : disabled
  IP Local Proxy ARP : disabled
  IP multicast routing: disabled
  IP icmp redirects: disabled
  IP directed-broadcast: disabled
  IP icmp unreachables (except port): disabled
  IP icmp port-unreachable: disabled
  IP unicast reverse path forwarding: none
  IP load sharing: per-packet
  IP interface statistics last reset: never
  IP interface software stats: (sent/received/forwarded/originated/consumed)
    Unicast packets    : 140024/1315515/1507/138517/0
    Unicast bytes      : 15188844/245681590/225076/14963768/0
    Multicast packets  : 333952/5486963/0/333952/5484473
    Multicast bytes    : 125712400/424451506/0/125712400/424242524
    Broadcast packets  : 0/0/0/0/0
    Broadcast bytes    : 0/0/0/0/0
    Labeled packets    : 0/0/0/0/0
    Labeled bytes      : 0/0/0/0/0
  WCCP Redirect outbound: disabled
  WCCP Redirect inbound: disabled
  WCCP Redirect exclude: disabled
n7010#
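To verify the result without reading a capture, the following script (an added example written for this note, not code from the original post, from Cisco or from the nmap project) parses nmap grepable output and reports, per host, which silent UDP ports a scanner can still single out because other ports on the same host return ICMP Port Unreachable. The scan lines embedded in it are constructed to mirror the before and after states described above; the file name udpleak.py and the port list 161,1433,1434 are assumptions for the usage line.

```python
"""Check an nmap UDP scan for the information leak described above.

nmap classifies each UDP probe by the reply it gets: an ICMP Port
Unreachable (type 3, code 3) means "closed"; no reply at all means
"open|filtered"; a UDP payload means "open". A host that answers most
probes with Port Unreachable but stays silent on a few ports lets a
scanner single those ports out. After both "no ip unreachables" and
"no ip port-unreachable" are applied, every probed port should come
back open|filtered, so the scan is uniform.

Usage (assumed file name):
    nmap -sU -p 161,1433,1434 -oG - 192.168.1.1 | python3 udpleak.py
"""
import sys
from collections import defaultdict

# Constructed samples of nmap -oG output, modelled on the post's result;
# they are not capture data from the original page.
BEFORE = (
    "# Nmap 6.01 scan initiated\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 161/closed/udp//snmp///, "
    "1433/closed/udp//ms-sql-s///, 1434/open|filtered/udp//ms-sql-m///\n"
    "# Nmap done\n"
)
AFTER = (
    "# Nmap 6.01 scan initiated\n"
    "Host: 192.168.1.1 ()\tStatus: Up\n"
    "Host: 192.168.1.1 ()\tPorts: 161/open|filtered/udp//snmp///, "
    "1433/open|filtered/udp//ms-sql-s///, "
    "1434/open|filtered/udp//ms-sql-m///\n"
    "# Nmap done\n"
)


def parse_grepable(text):
    """Return {host: {udp_port: state}} from nmap grepable (-oG) output.

    Each "Host:" line is tab-separated into "Key: value" fields; the
    Ports field lists entries as port/state/proto/owner/service/rpc/version.
    """
    result = defaultdict(dict)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        if "Ports" not in fields:
            continue
        host = fields["Host"].split()[0]
        for entry in fields["Ports"].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3 or parts[2] != "udp":
                continue
            result[host][int(parts[0])] = parts[1]
    return dict(result)


def leaked_ports(udp_states):
    """Ports a scanner can single out on one host.

    If the host still emits ICMP Port Unreachable for some ports
    ("closed"), every silent port ("open|filtered") is distinguishable.
    Once no port is "closed", silence tells the scanner nothing.
    """
    if not any(s == "closed" for s in udp_states.values()):
        return []
    return sorted(p for p, s in udp_states.items() if s == "open|filtered")


def check_scan(text):
    """Map each scanned host to the UDP ports that stand out."""
    return {host: leaked_ports(states)
            for host, states in parse_grepable(text).items()}


if __name__ == "__main__":
    # Read a real scan from a pipe; fall back to the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else BEFORE
    for host, ports in check_scan(data).items():
        if ports:
            print(f"{host}: ICMP Port Unreachable still sent; "
                  f"silent UDP ports stand out: {ports}")
        else:
            print(f"{host}: no closed UDP ports reported; scan is uniform")
```

Run it against the switch before and after the two interface commands: a non-empty list means port-unreachables are still being generated somewhere on the path and the silent port remains distinguishable.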

Finally...
