20.4. Protecting Your Macs from Network Scanning

All right, you've mapped your network and found a list of IP addresses —and then you've scanned the ports on each of those IP addresses and found a bunch of open ports. What does it all mean, and should you worry that other people can get that same information? If so, what can you do about it?

The first thing to remember is that more information is available about a network when scanned from the inside than from the outside. So, if you performed your scans while on your local network, it pays to try them again from outside your network. Depending on what sort of router, gateway, and/or firewall you have between your network and the outside world, you may have little or nothing to worry about. For example, if you use a NAT router, such that none of your Macs have a publicly routable IP address, network mapping is extremely difficult (although not necessarily impossible) to perform from outside your network. Even if an attacker were able to determine a Mac's private IP address, port scanning would almost certainly fail —unless the Mac were configured in your gateway as a DMZ host or you've configured port forwarding to provide access to particular ports on that Mac from the outside.

Second, even the fact that someone has found an open port on a valid IP address with a known operating system, version, and application doesn't necessarily mean you're in danger. It only means there's a potential path by which an exploit could be delivered ...

Get Mac® Security Bible now with the O’Reilly learning platform.

O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.