Network Port Scan Cloaking
The Network Port Scan Cloaking feature allows you to configure this Digi device to ignore (discard) received packets for services that are hidden or not enabled and network ports that are not open.
Malicious software on the Internet may scan IP addresses, protocols, and ports to try to gain access to hosts. You can use the Network Port Scan Cloaking feature to suppress the responses that would otherwise be sent to the originator for ping requests and for TCP and UDP ports that have no associated service. By default, when a TCP connection request is received for a port that is not open/bound, the Digi device sends a TCP reset (RST) to inform the originator that the service is not available. Similarly, by default, when a UDP datagram is received for a port that is not open/bound, the Digi device sends an ICMP port unreachable message to inform the originator that the service is not available. For the DNS Proxy feature, you can configure specific network interfaces to ignore (discard) DNS requests received on that interface, without otherwise acting on them.
These replies are standard behavior under the relevant protocol specifications, but they also confirm to the originator that it has found a live IP address, and it may continue to probe other ports to gain access to the Digi device. In addition, such reply packets may have a monetary cost on metered mobile network services such as cellular or WiMAX. Enabling the cloaking feature can help manage both the port scanning threat and reduce overall data costs. Note that cloaking only suppresses replies for ports with no service: an enabled service still answers, so cloaking complements, rather than replaces, disabling unneeded services and restricting access. A legitimate client that connects to a cloaked port waits for its own timeout instead of failing immediately.
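The following script shows what the default (uncloaked) behavior and the cloaked behavior look like from the probing side. It is an added example, not Digi's own code or tooling: a closed TCP port normally answers with a TCP RST, which the operating system reports as a refused connection; a closed UDP port normally draws an ICMP port unreachable, which a connected UDP socket reports the same way; a cloaked device produces neither, so the probe times out. The target address, port lists, timeouts and the Linux `ping -c`/`-W` flags are assumptions. The `demo_localhost` function runs the probes against the local kernel, which behaves like an uncloaked device, and includes a bound-but-quiet UDP port to show that UDP silence is ambiguous: a cloaked port and an open service that simply does not reply look identical.

```python
"""Probe a host to see whether closed ports answer the standard way
(TCP RST / ICMP port unreachable) or stay silent, as with cloaking on.

Added example, not Digi's code.  Target host, ports, timeouts and the
Linux ping flags are assumptions.
"""
import shutil
import socket
import subprocess

OPEN = "open"      # a service answered (TCP handshake completed / UDP reply)
REPLY = "reply"    # ping: an echo reply came back
RESET = "reset"    # TCP RST or ICMP port unreachable came back: not cloaked
SILENT = "silent"  # nothing before the timeout: cloaked, filtered, or quiet


def probe_tcp(host, port, timeout=2.0):
    # ConnectionRefusedError is how the OS reports the RST the target sent.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except socket.timeout:
            return SILENT
        except ConnectionRefusedError:
            return RESET


def probe_udp(host, port, timeout=2.0, payload=b"\x00"):
    # A *connected* UDP socket is needed so that an ICMP port unreachable
    # for this flow is reported as ConnectionRefusedError on the next recv.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(payload)
            s.recv(512)
            return OPEN
        except socket.timeout:
            return SILENT
        except ConnectionRefusedError:
            return RESET


def probe_ping(host, timeout=2):
    # Shells out to the system ping (Linux flags assumed); status 0 = reply.
    if shutil.which("ping") is None:
        return "unavailable"
    rc = subprocess.run(["ping", "-c", "1", "-W", str(int(timeout)), host],
                        stdout=subprocess.DEVNULL,
                        stderr=subprocess.DEVNULL).returncode
    return REPLY if rc == 0 else SILENT


def audit(host, tcp_ports=(), udp_ports=(), timeout=2.0):
    report = {"ping": probe_ping(host, timeout)}
    for p in tcp_ports:
        report["tcp/%d" % p] = probe_tcp(host, p, timeout)
    for p in udp_ports:
        report["udp/%d" % p] = probe_udp(host, p, timeout)
    return report


def cloaking_verdict(report):
    # With cloaking on, no probe should draw a reset or an echo reply.
    # 'open' entries are fine: those are services you chose to expose.
    leaks = [k for k, v in report.items()
             if v == RESET or (k == "ping" and v == REPLY)]
    return "cloaked" if not leaks else "not cloaked: " + ", ".join(leaks)


def _unused_port(kind):
    # Bind to port 0 to have the kernel hand out a free port, then release it.
    with socket.socket(socket.AF_INET, kind) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def demo_localhost(timeout=0.5):
    """Probe loopback: the local kernel behaves like an uncloaked device.
    The bound-but-quiet UDP port is indistinguishable from a cloaked one."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    quiet_udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    quiet_udp.bind(("127.0.0.1", 0))
    try:
        return {
            "open_tcp": probe_tcp("127.0.0.1", listener.getsockname()[1], timeout),
            "closed_tcp": probe_tcp("127.0.0.1", _unused_port(socket.SOCK_STREAM), timeout),
            "closed_udp": probe_udp("127.0.0.1", _unused_port(socket.SOCK_DGRAM), timeout),
            "quiet_udp": probe_udp("127.0.0.1", quiet_udp.getsockname()[1], timeout),
        }
    finally:
        listener.close()
        quiet_udp.close()


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"  # assumed device address
    rep = audit(target, tcp_ports=(22, 23, 80, 4444), udp_ports=(53, 161, 5000))
    for k, v in rep.items():
        print("%-10s %s" % (k, v))
    print(cloaking_verdict(rep))
```

Run it from a host on the same network before and after enabling cloaking: the "reset" entries for unused ports should turn into "silent", and "ping" should change from "reply" to "silent" once ping cloaking is on. Because a quiet UDP service and a cloaked UDP port look the same, confirm UDP cloaking against a port you know has no service bound.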
You can configure your Digi device to activate cloaking on a global basis, as well as for individual network interfaces that are available on your Digi device. By enabling the cloak for individual protocols and interfaces, you prevent the possibility of sending reply packets to the originator under the conditions described above.
Note If you enable cloaking on a global basis for a particular protocol, that selection overrides the interface-specific settings for that protocol. For example, enabling cloaking for ping in the global group overrides a disabled ping selection for the eth0 (Ethernet) interface.
- Enable Network Port Scan Cloaking: Enables the Network Port Scan Cloaking feature on this Digi device.
- Scan Cloaking: Ping: Enables/disables cloaking for ping (ICMP echo) requests. When enabled, no echo reply is sent for received ping requests.
- Scan Cloaking: TCP: Enables/disables cloaking for TCP connection requests for which no service is available. When enabled, no TCP reset is sent for such requests.
- Scan Cloaking: UDP: Enables/disables cloaking for UDP datagrams for which no service is available. When enabled, no ICMP port unreachable message is sent for such datagrams.
- Scan Cloaking: DNS Proxy: Enables/disables cloaking for DNS Proxy requests received on a specific network interface.
Note There is no global cloaking selection for DNS Proxy. To cloak the DNS Proxy feature altogether, simply disable it.