
Mitigating Reconnaissance Attacks
Reconnaissance attack mitigation centers on protecting the network from an attacker's scouting forays. You cannot keep an attacker from looking up the address ranges your organization holds in the regional Internet registries (ARIN, APNIC, and RIPE) or the domain name records held by your domain registrar; that information is public by design, and you must assume an attacker can gather it with relative ease. With that in mind, defense realistically begins at the network perimeter, and starting it there involves two basic techniques: reducing the visibility of the network posture and hardening the applications that remain exposed.
Network Posture Visibility
Reducing the visibility of the network posture means cutting the services in the public-facing segment of the network down to the minimum that must be reachable. If a web server, an SMTP server, an FTP server, and a DNS server are situated in the DMZ of the Corporate Internet module, the only inbound ports open at the edge router are those for web, e-mail, FTP, and DNS, and each port is opened only toward the server that provides that service, not toward every host in the DMZ. Everything else is blocked by an access control list (ACL) on the router's Internet-facing interface. If other hosts exist in the DMZ but do not require access from the outside, no traffic from the Internet should reach them through the edge router at all. This concept is shown in Figure 8-1. There are four servers behind the router:
- WWW
- DNS
- SMTP
- SQL
Figure 8-1. Network Posture Visibility
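The following is an added example, not code from the book: it models the edge-router policy for the four servers in Figure 8-1 as a first-match rule list with an implicit deny, the way a Cisco IOS extended ACL is evaluated, and renders it in IOS syntax. The addresses (RFC 5737 documentation space) are assumed, as is the decision that only WWW, SMTP, and DNS need to be reachable from the Internet and that the SQL server does not. FTP is left out here because its data channel needs stateful handling that a plain packet-filter rule does not capture.

```python
from dataclasses import dataclass
from ipaddress import ip_address

# Assumed addressing for the Figure 8-1 DMZ (RFC 5737 documentation space, not from the book).
WWW, DNS, SMTP, SQL = (ip_address(f"192.0.2.{n}") for n in (10, 11, 12, 13))


@dataclass(frozen=True)
class Rule:
    proto: str            # "tcp" or "udp"
    dst: str              # destination host address (string form)
    port: int             # destination port
    action: str = "permit"


# Edge-router inbound policy: only the services that must be reachable from the
# Internet, and each one only toward the server that provides it. Anything not
# listed (including every port on the SQL server) falls through to the implicit deny.
EDGE_POLICY = [
    Rule("tcp", str(WWW), 80),
    Rule("tcp", str(WWW), 443),
    Rule("tcp", str(SMTP), 25),
    Rule("udp", str(DNS), 53),
    Rule("tcp", str(DNS), 53),
]


def evaluate(policy, proto, dst, port):
    """First-match evaluation with an implicit deny at the end, as an IOS ACL behaves."""
    for rule in policy:
        if rule.proto == proto and rule.dst == dst and rule.port == port:
            return rule.action
    return "deny"


def exposed_hosts(policy):
    """Hosts that any inbound rule permits traffic to; everything else is invisible from outside."""
    return sorted({r.dst for r in policy if r.action == "permit"})


def render_ios_acl(policy, name="EDGE-IN"):
    """Render the policy as an IOS extended named ACL, applied inbound on the Internet interface.

    The trailing explicit deny duplicates the implicit deny so that blocked probes are logged,
    which is what turns an attacker's port sweep into a detection event.
    """
    lines = [f"ip access-list extended {name}"]
    for r in policy:
        lines.append(f" {r.action} {r.proto} any host {r.dst} eq {r.port}")
    lines.append(" deny ip any any log")
    return lines


if __name__ == "__main__":
    print("\n".join(render_ios_acl(EDGE_POLICY)))
    # Constructed probes an attacker's port scan might send (not real traffic):
    for proto, dst, port in [("tcp", str(WWW), 80), ("tcp", str(SQL), 1433),
                             ("tcp", str(SQL), 80), ("tcp", str(WWW), 25)]:
        print(f"{proto}/{port} -> {dst}: {evaluate(EDGE_POLICY, proto, dst, port)}")
```

Note that port 25 is open at the router, yet a probe to port 25 on the web server is still denied: the rule is per host and per port, which is what keeps a scanner from learning anything about services that happen to be listening on the other DMZ hosts.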

Application Hardening
Application hardening involves staying current on patches for every exposed application and reducing the information those applications volunteer through service banners. sendmail, a popular mail transport agent (MTA), can be configured so that it does not announce its version number when another MTA connects to it. Similarly, many Telnet and FTP daemons can be configured not to announce the operating system type or version when a client connects. Removing version and platform details from banners denies the attacker the easy mapping from a service to its known vulnerabilities, which makes reconnaissance considerably harder; it does not make the service unidentifiable, because a determined attacker can still fingerprint many daemons from their protocol behavior, so banner suppression complements patching rather than replacing it.
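As an added example (not from the book), the following Python audit grabs whatever a service sends before the client speaks and flags product names, operating-system names, and version numbers in it. The sample banners are constructed, not captured from real hosts, and the product and OS keyword lists are an assumed starting set you would extend for your own environment.

```python
import re
import socket
import threading
from dataclasses import dataclass, field

# Constructed sample banners (not captured from any real host).
LOUD_SMTP = "220 mail.example.com ESMTP Sendmail 8.15.2/8.15.2; Tue, 2 Jan 2024 10:00:00 -0500\r\n"
QUIET_SMTP = "220 mail.example.com ESMTP\r\n"
LOUD_FTP = "220 ProFTPD 1.3.5 Server (Debian) [::ffff:192.0.2.30]\r\n"

# Assumed keyword lists: product and OS names that hand an attacker a fingerprint.
PRODUCTS = ("sendmail", "postfix", "exim", "vsftpd", "proftpd", "pure-ftpd",
            "wu-ftpd", "openssh", "microsoft esmtp", "filezilla")
OS_NAMES = ("linux", "debian", "ubuntu", "freebsd", "openbsd", "solaris",
            "windows", "red hat", "centos")

# A dotted version number (1.2 or 1.2.3) that is not part of a dotted-quad IP address:
# the lookarounds refuse to start or stop next to another digit or dot.
VERSION_RE = re.compile(r"(?<![\d.])\d+\.\d+(?:\.\d+)?(?![\d.])")


@dataclass
class BannerFinding:
    banner: str
    products: list = field(default_factory=list)
    os_names: list = field(default_factory=list)
    versions: list = field(default_factory=list)

    @property
    def discloses(self) -> bool:
        """True when the banner leaks anything a scanner could use to pick an exploit."""
        return bool(self.products or self.os_names or self.versions)


def inspect_banner(banner: str) -> BannerFinding:
    """Classify a banner string; pure function, so it can be run over saved scan output too."""
    text = banner.strip()
    low = text.lower()
    return BannerFinding(
        banner=text,
        products=[p for p in PRODUCTS if p in low],
        os_names=[o for o in OS_NAMES if o in low],
        versions=list(dict.fromkeys(VERSION_RE.findall(text))),  # dedupe, keep order
    )


def grab_banner(host: str, port: int, timeout: float = 3.0) -> str:
    """Connect and read whatever the service volunteers before we send a single byte."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            return s.recv(1024).decode("ascii", errors="replace")
        except socket.timeout:
            return ""  # a service that says nothing until spoken to is fine


def serve_banner_once(banner: str) -> int:
    """Throwaway loopback listener that sends `banner` to one client; returns its port.

    Used only so the demo runs offline; in practice you point grab_banner at the DMZ hosts.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner.encode())
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for sample in (LOUD_SMTP, QUIET_SMTP, LOUD_FTP):
        port = serve_banner_once(sample)
        finding = inspect_banner(grab_banner("127.0.0.1", port))
        verdict = "DISCLOSES" if finding.discloses else "ok"
        print(f"{verdict:9} {finding.banner!r} "
              f"products={finding.products} os={finding.os_names} versions={finding.versions}")
```

The quiet SMTP banner still identifies the host name, which the attacker already has from DNS, but nothing that maps to a CVE list. For sendmail the greeting is controlled by the confSMTP_LOGIN_MSG macro in sendmail.mc, and vsftpd uses the ftpd_banner setting; run this audit again after the change to confirm the version really stopped appearing, since it is the observed banner, not the intended configuration, that an attacker sees.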
