Before breaking into your network, bad guys will scan and probe various parts of the network, looking for attack vectors or weak points of security. With easy-to-use tools such as Nmap and Firewalk, mapping a network from the outside is simple. Nmap can scan an entire network in minutes or probe a single host for open sockets.
Although the first of our five types of network attacks, network reconnaissance, is nearly impossible to stop altogether, it can be limited, throttled, or obscured.
The first location to harden is the perimeter of the network. In this book’s example network (see Figure 1 in the Preface), it’s the Campus Core SRX5800 cluster. However, this is only the starting point, as network reconnaissance could come from not only outside your network, but also inside it. Internal threats also need to be taken into account and protected against—the threat could be the result of a breach of the actual physical network, or it could have come from a malicious employee or contractor.
The SRX has multiple built-in protection mechanisms to prevent and mitigate many common types of reconnaissance. Keep in mind that there is no single cookie-cutter solution for preventing reconnaissance—security is always a compromise, and to make something completely secure you have to unplug it and store it in a safe. The moment you bring a server or network online, it will be vulnerable to attack. So, many of the methods that prevent network reconnaissance ...
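As an added illustration (not configuration from the book), the following shows one of those built-in mechanisms, the Junos screen feature, used to detect and throttle the port scans and IP sweeps that a tool such as Nmap produces. The screen name recon-screen and the zone name untrust are assumed; the threshold values are in microseconds (ten probes inside the window trigger the screen), so they are tuned per network rather than copied as-is.

```junos
## Constructed example: reconnaissance screen for the perimeter zone (set format).
## Lines beginning with "#" are annotations for the reader, not configuration.

# Detect hosts sweeping many addresses with ICMP and hosts sweeping many
# ports on one address. Threshold is the time window in microseconds:
# ten hits inside that window from one source trips the screen.
set security screen ids-option recon-screen icmp ip-sweep threshold 5000
set security screen ids-option recon-screen tcp port-scan threshold 5000

# Drop the malformed TCP flag combinations that OS-fingerprinting and
# "stealth" scans rely on (SYN+FIN, FIN without ACK, no flags at all).
set security screen ids-option recon-screen tcp syn-fin
set security screen ids-option recon-screen tcp fin-no-ack
set security screen ids-option recon-screen tcp tcp-no-flag

# Block IP options that leak path information back to the prober.
set security screen ids-option recon-screen ip record-route-option
set security screen ids-option recon-screen ip source-route-option
set security screen ids-option recon-screen ip timestamp-option

# While tuning thresholds, log matches without dropping traffic; remove this
# line once the thresholds are known not to catch legitimate traffic.
set security screen ids-option recon-screen alarm-without-drop

# Bind the screen to the zone facing the outside world (assumed name: untrust).
set security zones security-zone untrust screen recon-screen

## Operational checks after commit:
# show security screen ids-option recon-screen
# show security screen statistics zone untrust
```

The statistics output is what tells you whether the thresholds are firing on real scans or on normal traffic; the same screen can be bound to internal zones to cover the insider case described above.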