User's guide
Configuration through the web interface
Network Port Scan Cloaking
The Network Port Scan Cloaking feature allows you to configure this Digi device to ignore 
(discard) received packets for services that are hidden or not enabled and network ports that are not 
open.
Malicious software on the Internet may scan IP addresses, protocols and ports to try to gain access 
to hosts. The Network Port Scan Cloaking feature can be used to prevent responses from being sent 
to the originator for ping and for TCP and UDP ports that do not have an associated service. By 
default, when a TCP connection request is received for a port that is not open/bound, the Digi 
device sends a TCP reset reply to inform the originator that the service is not available. 
Similarly, by default, when a UDP datagram is received for a port that is not open/bound, the Digi 
device sends an ICMP port unreachable packet to inform the originator that the service is not 
available. For the DNS Proxy feature, specific network interfaces can be configured to ignore 
(discard) requests that are received from that interface, without otherwise acting on them.
These actions, which are common behaviors in accordance with established protocol standards, 
effectively inform the originator that it has found a valid IP destination. The originator may 
continue to probe other ports to gain access to the Digi device. In addition, such reply packets may 
have a monetary cost for mobile network services (cellular, WiMAX, etc.). Enabling the cloaking 
feature can help both manage the port scanning threat and reduce overall data costs.
Your Digi device can be configured to activate cloaking on a global basis, as well as for individual 
network interfaces that are available on your device. By enabling the cloak for individual protocols 
and interfaces, you prevent reply packets from being sent to the originator under the conditions 
described above.
Note 
If you enable cloaking on a global basis for a particular protocol, that selection 
overrides the selections for the interface-specific settings. For example, enabling 
cloaking for ping in the global group overrides a disabled selection for the eth0 
(Ethernet) interface.
• Enable Network Port Scan Cloaking: Enables the Network Port Scan Cloaking 
feature on this Digi device. 
• Scan Cloaking: Ping: Enables/disables cloaking for ping requests. Replies will not be 
sent for received ping requests.
• Scan Cloaking: TCP: Enables/disables cloaking for TCP connection requests for 
which no service is available.
• Scan Cloaking: UDP: Enables/disables cloaking for UDP packets for which no service 
is available.
• Scan Cloaking: DNS Proxy: Enables/disables cloaking for DNS Proxy requests for a 
specific network interface. Note: There is no global cloaking selection for DNS Proxy. 
To cloak the DNS Proxy feature altogether, simply disable it. 
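
The precedence rules above, modelled as an added example (not Digi firmware or configuration code) that reports which interface and protocol combinations still answer a probe for a given set of selections. The class and function names, the mobile0 interface name and the sample settings are constructed, and the model assumes that no cloaking is applied while the master enable is off.

```python
from dataclasses import dataclass, field

PROTOCOLS = ("ping", "tcp", "udp")  # these have a global and a per-interface selection

@dataclass
class CloakConfig:  # hypothetical container for the settings listed above
    enabled: bool = False                             # Enable Network Port Scan Cloaking
    global_cloak: dict = field(default_factory=dict)  # {"ping": True, ...}
    iface_cloak: dict = field(default_factory=dict)   # {"eth0": {"tcp": True, ...}}

def is_cloaked(cfg, iface, proto):
    """Effective cloaking state for one protocol on one interface."""
    if not cfg.enabled:  # assumption: master switch off means nothing is cloaked
        return False
    per_iface = cfg.iface_cloak.get(iface, {}).get(proto, False)
    if proto == "dns_proxy":  # DNS Proxy has no global selection
        return per_iface
    return cfg.global_cloak.get(proto, False) or per_iface  # global overrides interface

def response(cfg, iface, proto, service_available=False):
    """What the originator of a packet gets back."""
    cloaked = is_cloaked(cfg, iface, proto)
    if proto in ("ping", "dns_proxy"):
        if cloaked:
            return "discard"
        return "echo reply" if proto == "ping" else "handled by DNS proxy"
    if service_available:  # cloaking only concerns ports with no associated service
        return "deliver to service"
    if cloaked:
        return "discard"
    return "TCP reset" if proto == "tcp" else "ICMP port unreachable"

def audit(cfg, ifaces):
    """(interface, protocol, reply) triples that still confirm the device exists."""
    return [(i, p, response(cfg, i, p))
            for i in ifaces for p in PROTOCOLS if not is_cloaked(cfg, i, p)]

# Constructed sample settings; "mobile0" is a hypothetical interface name.
SAMPLE = CloakConfig(
    enabled=True,
    global_cloak={"ping": True},
    iface_cloak={"eth0": {"ping": False, "tcp": True},
                 "mobile0": {"tcp": True, "udp": True, "dns_proxy": True}},
)

if __name__ == "__main__":
    for row in audit(SAMPLE, ["eth0", "mobile0"]):
        print(*row)
```

With the sample settings, the only remaining reply is the ICMP port unreachable on eth0, because UDP is cloaked neither globally nor on that interface.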










