How to hide system information from network scanning software

The absolute best way to hide your system from the probing eyes of network scanners is to install a properly configured software firewall. If the scanners in question are on a remote network, use a network firewall to also block inbound connections. Once installed, configure those defenses to block all unnecessary traffic from reaching your system. On a typical user workstation, simply set the firewall to "Don't allow exceptions," which will completely conceal it from inbound access attempts. With a server that must allow inbound connections, create firewall rules that limit that traffic to the greatest possible extent.

The easiest way to hide system names and IP addresses from external scanners is to use Network Address Translation (NAT) on your network. NAT devices (usually border firewalls) allow you to use private addresses on your internal network and public addresses on your external one. Unless a NAT rule is specifically enabled, such configuration prevents anyone on the Internet from reaching systems that use private addresses.

When using NAT, it's a matter of best practice to use RFC 1918-reserved private address ranges. These include the 10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, and 192.168.0.0-192.168.255.255 address ranges. These addresses are not routable over the Internet, and they can protect you from firewall mis-configurations.

More information:

• A SearchSecurity.com reader asks whether firewalls alone can block port-scanning activity.
• Is it ever a good idea to put a firewall before a router?