Re: OT: Best Antivirus?
- From: "ts" <ts_0053NO@xxxxxxxxxxxxx>
- Date: Fri, 26 May 2006 21:47:48 -0500
On Fri, 26 May 2006 09:54:04 +0100, Graham Hodgson wrote:
> ts wrote:
>> On Thu, 25 May 2006 11:14:44 +0100, Graham Hodgson wrote:
>>> ts wrote:
>>>> Even if that's the case, you're less vulnerable than if you returned an
>>>> RST, and significantly less vulnerable than if you'd returned SYN/ACK,
>>>> especially on a port with some known vulnerability. If you're dropping
>>>> packets at the firewall, then by definition they're not getting to your
>>>> host.
>>> Why is it less vulnerable than sending back a RST?
>> Because if the sender gets an RST, he knows that the SYN got all the way
>> to the target host and wasn't intercepted and dropped by the firewall.
>> This would certainly encourage the attacker to press the attack to try to
>> find open ports. Of course, it could be the firewall itself returning the
>> RST, but that's still an incentive to continue the attack against the
>> firewall. Getting nothing back, while possibly indicating the presence of
>> a "stealth" firewall, still provides little hope of finding any open ports
>> since most such devices will reject all connection attempts unless the
>> user has reconfigured it.
> Are you suggesting that having set a machine up to be "stealthed" means
> there'll likely be no open ports, whereas setting a machine up to return
> means it's more likely? Getting nothing back must surely suggest the
> presence of a "stealthed" host?

I was assuming the presence of a separate firewall, something like a small
NAT router with some packet filtering ability, since that's what most
people have. The hosts are all on a network behind this router. In this
configuration, the "stealth" is really provided by the NAT function in the
router, which rejects all incoming packets not associated with an active
connection. If someone outside this router sends a connection request
(SYN), and gets a connection refused (RST), then they know that their
request got through the router and to a target host. This means that the
user has configured the router to allow connection requests to pass, at
least for that port. If that's the case, then it's worthwhile to continue
the probe. Getting nothing back indicates that the router is probably
properly configured and will reject requests for other ports as well.

So the answer to your question, within the context described above, is yes.

>>> If it's doing that, then there is a fair bet it's been tested
>>> against Shields-Up! to make sure all the ports are stealthed, and
>>> AIUI this can lead to a sense of false security.
>> Most of the personal firewalls that I've read about drop packets by
>> default, and I think most cable modems do as well. I don't think you
>> can infer anything about the user's sense of security from that.
> Look for packet filtering firewalls. I've not looked at the router
> here, but AIUI it can do PF. The machine I'm typing from has an
> OpenBSD box with a PF/NAT firewall on between it and the router. The
> sense of security comes from people thinking "I'm not going to get
> hacked because I've installed ZoneAlarm, and stealthed my ports like
> GRC suggests".
>> You keep bringing up the "false sense of security" that having
>> "stealth" ports provides. While it may not provide the "cloak of
>> invisibility" that some may think, I don't understand why someone with
>> this false sense of security is any more vulnerable because of it. In
>> fact, if someone has run the GRC "Shields Up" test and it indicates all
>> ports are "stealthed", then it would seem that they are in fact fairly
>> safe. Certainly safer than if they had never run it and hence never
>> discovered that they had an open Telnet port (for instance).
> Because they think "I'm stealthed, GRC says so, so I must be ok". The
> concept that their firewall may be vulnerable in some other fashion
> quite possibly doesn't enter their heads. Not because they are stupid,
> but because they aren't properly informed. Of course having a stealthed
> telnet port is better than having an open one. But if there was no
> telnet service running in the first place where would the vulnerability
> come from?

Other ports that the user is not aware of. Most people have no idea what
ports or network services are, much less how to properly configure them.
I'll grant that the emphasis that GRC places on "stealth" over just not
having open ports is unjustified, but the fact is that if someone
discovers open ports as a result of running Shields Up, then they are much
better off than if they had not run it at all.
-Tony
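The drop-versus-RST distinction the thread argues about, as an added example that is not from any of the original posts: a pf.conf for the small NAT router the reply describes, written in current OpenBSD PF syntax (nat-to/rdr-to rather than the 2006-era nat/rdr keywords). Interface names, addresses and the one forwarded port are assumed.

```pf
# Added example, not from the thread: an OpenBSD pf.conf for a small
# NAT router with one deliberately forwarded port. Names are assumed.
ext_if = "em0"              # assumed: interface facing the ISP
int_if = "em1"              # assumed: interface facing the LAN
lan_net = "192.168.1.0/24"  # assumed private LAN
lan_host = "192.168.1.10"   # assumed inside host the user chose to expose

set skip on lo

# NAT: outbound LAN traffic leaves with the router's address. The rule is
# stateful, so only replies to connections the LAN opened are let back in;
# this is the "NAT function" the reply credits with providing "stealth".
match out on $ext_if from $lan_net to any nat-to ($ext_if)

# Default policy on the outside interface. "block drop" is the "stealth"
# behaviour: an unsolicited SYN gets no answer at all, so a prober cannot
# tell whether anything sits behind the router.
block drop in on $ext_if

# The alternative, "block return", answers a TCP SYN with a RST. That is
# the "connection refused" case in the thread: the prober learns that a
# device received and processed the packet. Use one policy, not both.
# block return in on $ext_if

# Traffic initiated from the LAN, and its replies, is allowed.
pass in on $int_if from $lan_net
pass out on $ext_if

# The one port the user forwarded. For this port only, the SYN is handed
# to the inside host, which answers SYN/ACK if a service is listening or
# RST if it is not. Either way the prober learns the packet got through,
# which is exactly what "block drop" withholds for every other port.
pass in on $ext_if proto tcp from any to ($ext_if) port 22 rdr-to $lan_host
```

Rules are last-match in PF, so the forwarded-port pass rule overrides the default block only for that port; pfctl -nf /etc/pf.conf checks the syntax without loading it.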