How to hide system information from network scanning software

Network scanning software is capable of obtaining sensitive system information. Mike Chappel explains how implementing various firewalls can stop intrusive software in its tracks.

What are the best ways to hide system information (system name, IP address, and installed software) from network scanning software?
The absolute best way to hide your system from the probing eyes of network scanners is to install a properly configured software firewall. If the scanners in question are on a remote network, use a network firewall to also block inbound connections. Once installed, configure those defenses to block all unnecessary traffic from reaching your system. On a typical user workstation, simply set the firewall to "Don't allow exceptions," which will completely conceal it from inbound access attempts. With a server that must allow inbound connections, create firewall rules that limit that traffic to the greatest possible extent.

The easiest way to hide system names and IP addresses from external scanners is to use Network Address Translation (NAT) on your network. NAT devices (usually border firewalls) allow you to use private addresses on your internal network and public addresses on your external one. Unless a NAT rule is specifically enabled, such configuration prevents anyone on the Internet from reaching systems that use private addresses.

When using NAT, it's a matter of best practice to use RFC 1918-reserved private address ranges. These include the,, and address ranges. These addresses are not routable over the Internet, and they can protect you from firewall mis-configurations.

More information:

  • A reader asks whether firewalls alone can block port-scanning activity.
  • Is it ever a good idea to put a firewall before a router?

Dig Deeper on Threat detection and response

Enterprise Desktop
Cloud Computing