Re: OT: Best Antivirus?
- From: Graham Hodgson <ttgmh@xxxxxxxxxxx>
- Date: Thu, 25 May 2006 11:14:44 +0100
ts wrote:
On Thu, 25 May 2006 09:40:03 +0100, Graham Hodgson wrote:
ts wrote:
On Wed, 24 May 2006 14:12:46 +0100, Graham Hodgson wrote:
A "stealthed" port drops the packet indicating the presence of a host (some say behind a poorly configured firewall).
I don't understand this. By dropping the SYN packet with no reply, the host is effectively acting like it's not there, assuming that it does likewise with other types of probes. Why would you describe this as a poorly configured firewall?
I haven't, I said some people do. If the host wasn't there then don't you get a different response? I was under the impression that the last hop to the host wouldn't be completed, and so you'd get a host unknown type of error.
Good question. IIRC, a router will send a "host unreachable" back to the
source if it can't find a route to the destination, usually because no one
responded to its ARP. I'm not sure this is applicable to a system
connected to an ISP via a point-to-point broadband connection. I would
think that the router at my ISP would have a permanent route to my IP and
thus never return a "host unreachable". On the other hand, perhaps it
would if my IP wasn't currently assigned. This could be tested easily
enough I suppose.
From what I've read, your ISP knows if you're attached or not. Hence, if it doesn't return host unreachable and packets are magically disappearing then it's a damn good bet the host you're looking at is there, and is trying to hide. It's then also a good bet that they are under the illusion that nobody can see them.
Instead, with a stealthed port you get nothing back. Since you don't get a RST, or a SYN/ACK or a host unknown from the last router you *know* there is something there that is quietly dropping packets.
Even if that's the case, you're less vulnerable than if you returned an
RST, and significantly less vulnerable than if you'd returned SYN/ACK,
especially on a port with some known vulnerability. If you're dropping
packets at the firewall, then by definition they're not getting to your
host.
Why is it less vulnerable than sending back a RST?
If it's doing that, then there is a fair bet it's been tested
against Shields-Up! to make sure all the ports are stealthed, and AIUI
this can lead to a sense of false security.
Most of the personal firewalls that I've read about drop packets by
default, and I think most cable modems do as well. I don't think you
can infer anything about the user's sense of security from that.
Look for packet filtering firewalls. I've not looked at the router here, but AIUI it can do PF. The machine I'm typing from has an OpenBSD box with a PF/NAT firewall on between it and the router. The sense of security comes from people thinking "I'm not going to get hacked because I've installed ZoneAlarm, and stealthed my ports like GRC suggests".
I'm far from an expert in
this, but have a look over at comp.security.firewalls, or read some of
the firewall security related sites (not fora for ZA and the like). The
general message is: "stealthed" ports is a load of crap.
I'll do that - thanks.
If you'd have asked me a few years ago I'd have automatically gone to grc, having read about stealthing ports back around '99-'00. Having come across nmap in more recent years and taken more of an interest in security[1] and alike I've come to realise that grc isn't all it's cracked up to be.
1. I was a subwarden for 2 years in the recent past at a university hall of residence. I'd heard stories of other subbies having porn printed off their printers randomly, presumably from students in hall with some Windows networking knowledge. With an active interest in computers I decided to learn a little more than I knew. It didn't get much beyond installing IPCop, but in the process I learned a few things along the way - nmap being one of them.
--
Graham
Make a little birdhouse in your soul...
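Added example, not part of the original post: a small Python sketch of the inference debated in this message, applied to the results of probing your own address. The sample observations, function names and the `router_reports_absent` flag are constructed for illustration; the flag encodes the thread's assumption that the ISP's router returns host-unreachable for an unattached address.

```python
from collections import Counter

# Constructed self-audit results (not captured traffic): reply seen per TCP
# port when sending a SYN to your own address. None means the probe timed out.
DROP_ALL = {22: None, 80: None, 139: None, 445: None}
MIXED = {22: None, 80: "syn-ack", 139: "rst", 445: None}
UNASSIGNED = {p: "icmp-host-unreachable" for p in (22, 80, 139, 445)}

PORT_STATE = {
    "syn-ack": "open",                   # a service accepted the SYN
    "rst": "closed",                     # host answered, nothing listening
    "icmp-host-unreachable": "no-host",  # last router could not deliver
    None: "filtered",                    # silently dropped ("stealthed")
}

def classify(observations):
    """Return {port: state} for a {port: reply} mapping."""
    return {port: PORT_STATE[reply] for port, reply in observations.items()}

def host_presence(observations, router_reports_absent=True):
    """What an outside observer can conclude about whether a host is there.

    router_reports_absent is the thread's assumption that the ISP's router
    answers with host-unreachable for an address nobody is attached to.
    """
    states = Counter(classify(observations).values())
    if states["open"] or states["closed"]:
        return "present"          # the host itself replied
    if states["no-host"]:
        return "absent-reported"  # the router said so
    # Only silence: informative only if absence would have produced ICMP.
    return "present-inferred" if router_reports_absent else "unknown"

def audit(observations, router_reports_absent=True):
    """Summarise an audit: per-state counts, open ports, presence verdict."""
    states = classify(observations)
    return {
        "counts": dict(Counter(states.values())),
        "exposed": sorted(p for p, s in states.items() if s == "open"),
        "presence": host_presence(observations, router_reports_absent),
    }
```

With the assumption switched off, an all-filtered result yields "unknown", which is the case ts raises for a point-to-point broadband link.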