Wilders Security Forums  

  #1  
Old September 19th, 2012, 04:38 PM
AMIGA500
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,608
Default stealthed firewalls.

Hi.
Just wondered what members' opinions were on stealthing firewall ports.
I'm currently using KIS and it does not stealth by default. I could stealth it if I wished but I'm leaving it as it came.
Any thoughts on this, and is it crucial to be stealthed?
__________________
Windows 7 Home Premium 64 Bit OS.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #2  
Old September 19th, 2012, 04:50 PM
King Grub
Frequent Poster
 
Join Date: Sep 2006
Posts: 756
Default Re: stealthed firewalls.

I don't care since I am behind a hardware firewall. I would think most are, no?

If I wasn't, I would want the software firewall to stealth it, not because I think it would offer a huge security benefit, but because it would feel better, and that's important as well.
  #3  
Old September 19th, 2012, 04:52 PM
Dundertaker
Frequent Poster
 
Join Date: Oct 2009
Location: Land of the Mer Lion
Posts: 365
Default Re: stealthed firewalls.

Personally I prefer stealthed to not (a combination of closed ports and stealthed is acceptable). Others will vary because of, like, the explanation at the Kaspersky forums and by experience. There was a post that I've bookmarked as I got some info there. It's HERE.
__________________
Windows 7 x32 Ultimate - Eset Nod32 ver5 / Outpost Firewall Pro ver7.5.2 / ATI Home 2011
Windows 7 x64 Ultimate - Emsisoft Internet Security / ATI Home 2012
Windows XP SP3 x32 - Avira Internet Security 2012 / / ATI Home 2011
  #4  
Old September 19th, 2012, 05:43 PM
moontan
Massive Poster
 
Join Date: Sep 2010
Location: Québec
Posts: 3,113
Default Re: stealthed firewalls.

You can go to Gibson's Shields Up site and test your firewall.

There's a section where you can test the first 1024 ports and click on each little square for a detailed description of each port, what they do, and a Closed vs Stealthed analysis.
__________________
| NoScript || Image for Linux + BootIt Bare Metal |
  #5  
Old September 19th, 2012, 05:47 PM
AMIGA500
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,608
Default Re: stealthed firewalls.

Quote:
Originally Posted by moontan
You can go to Gibson's Shields Up site and test your firewall.

There's a section where you can test the first 1024 ports and click on each little square for a detailed description of each port, what they do, and a Closed vs Stealthed analysis.

Hi moontan.
Yes, I've tested Kaspersky's firewall there several times and it's a mixture of stealthed and closed ports.
I know Comodo and OA and the Windows firewall stealth all of their ports.
From what I can gather from the Kaspersky forum, the Kaspersky firewall is different in design. I can stealth the Kaspersky firewall by altering 3 settings but apparently Kaspersky discourages this.
Also the Gibson testing site is under dispute in regard to the legitimacy of the test results.
I'm getting paranoid now lol.
__________________
Windows 7 Home Premium 64 Bit OS.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #6  
Old September 19th, 2012, 06:00 PM
AMIGA500
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,608
Default Re: stealthed firewalls.

Another confusion I have with the Gibson testing site.
I've just scanned all the common ports 3 times in a row and all 3 test results were different. It shows a mixture of green and blue ports but 3 times these were different.
How does a port go from being stealthed to closed in a matter of minutes like this?
Is this testing site reliable?
__________________
Windows 7 Home Premium 64 Bit OS.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #7  
Old September 19th, 2012, 06:41 PM
noone_particular
Very Frequent Poster
 
Join Date: Aug 2008
Posts: 1,876
Default Re: stealthed firewalls.

IMO, there isn't much value in stealthing ports any more. When most internet services were dialup and the user's IP changed most every time they connected, stealthing was a semi-effective way of hiding your presence. With DSL and cable replacing most dialup services, most PCs are connected 24/7 and their IP address changes much less if at all. With everything from the AV to Windows itself connecting out regularly for updates, it's quite easy to determine if there's a PC on a given IP address, whether the ports respond or not.

From a security perspective, there's no real advantage to stealthed ports over closed. As long as they're closed, you're protected from unsolicited connections. Regarding the mixed results (some stealthed, some closed) this is often due to ISPs blocking specific ports. In some situations, when such mixed results originate from your own equipment, it can be an indication of a misconfigured firewall or server application. Sometimes a specific pattern of closed and stealth ports or the ports changing from one to the other after repeated scans is a known behavior for a specific firewall. If the pattern is unique to a specific firewall or PC, it may be enough to identify that PC even if its IP address changes.
__________________
Sitting in a bunker, here behind my wall, waiting for the worms to come.
  #8  
Old September 19th, 2012, 06:59 PM
AMIGA500
Very Frequent Poster
 
Join Date: May 2012
Location: United Kingdom.
Posts: 2,608
Default Re: stealthed firewalls.

Quote:
Originally Posted by noone_particular
IMO, there isn't much value in stealthing ports any more. When most internet services were dialup and the user's IP changed most every time they connected, stealthing was a semi-effective way of hiding your presence. With DSL and cable replacing most dialup services, most PCs are connected 24/7 and their IP address changes much less if at all. With everything from the AV to Windows itself connecting out regularly for updates, it's quite easy to determine if there's a PC on a given IP address, whether the ports respond or not.

From a security perspective, there's no real advantage to stealthed ports over closed. As long as they're closed, you're protected from unsolicited connections. Regarding the mixed results (some stealthed, some closed) this is often due to ISPs blocking specific ports. In some situations, when such mixed results originate from your own equipment, it can be an indication of a misconfigured firewall or server application. Sometimes a specific pattern of closed and stealth ports or the ports changing from one to the other after repeated scans is a known behavior for a specific firewall. If the pattern is unique to a specific firewall or PC, it may be enough to identify that PC even if its IP address changes.
Thank you very much for that explanation.
__________________
Windows 7 Home Premium 64 Bit OS.

For we wrestle not against flesh and blood, but against principalities, against powers, and against the worldly governors, the princes of the darkness of this world...
  #9  
Old September 19th, 2012, 08:02 PM
moontan
Massive Poster
 
Join Date: Sep 2010
Location: Québec
Posts: 3,113
Default Re: stealthed firewalls.

Quote:
Originally Posted by Beethoven1770
Thank you very much for that explanation.

+1 on that.

Very nice!
__________________
| NoScript || Image for Linux + BootIt Bare Metal |
  #10  
Old October 9th, 2012, 12:47 AM
chronomatic
Very Frequent Poster
 
Join Date: Apr 2009
Posts: 1,324
Default Re: stealthed firewalls.

Stealthed ports are a sham. This whole business was started by the charlatan Steve Gibson many years ago. The truth is there is no difference in a closed port and a stealthed port. The only difference is a closed port responds "not open" while the stealthed port will simply ignore the request.

However, the mere fact the machine doesn't respond one way or the other lets the port scanner know the machine exists! So it kind of defeats the purpose. How so? Because, as I said, the machine should respond "open" or "closed." If you've ever scanned a machine with ports set to DROP, you will notice how long the scan takes (it takes a really long time to scan all 65535 ports when they are all set to drop, whereas if they are closed or open, it usually finishes in a few seconds).

Lastly, if someone on the Internet is going to scan all your ports, he already knows your machine exists otherwise he wouldn't bother. In real life, you are almost always going to see random single ports in your firewall log (often HTTP, SSH, etc.) You will almost never see more than a few random ports scanned. If you start seeing a lot of ports being scanned from one IP, then you know this person is likely targeting you. And if he is targeting you, he already knows your machine exists.

So stealthed ports offer zero protection over closed ports. Bottom line.
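The distinction drawn in the post above, between single-port background probes and one address walking many ports, can be checked against a firewall log. The following is an added example, not part of the original thread; it assumes the Windows Firewall `pfirewall.log` field order, and the sample lines, threshold and window are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Field order assumed from the "#Fields:" header of a Windows Firewall log.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

def parse_line(line):
    """Return a dict for one record, or None for headers, blanks and ICMP rows."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                      "%Y-%m-%d %H:%M:%S")
        rec["dport"] = int(rec["dst-port"])  # "-" on ICMP rows raises ValueError
    except ValueError:
        return None
    return rec

def max_ports_in_window(events, window):
    """Largest number of distinct ports hit inside any span of length `window`."""
    events = sorted(events)
    counts, start, best = defaultdict(int), 0, 0
    for ts, port in events:
        counts[port] += 1
        while ts - events[start][0] > window:   # slide the window forward
            old = events[start][1]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            start += 1
        best = max(best, len(counts))
    return best

def classify_sources(lines, port_threshold=10, window_seconds=60):
    """Map each source IP of dropped inbound packets to (label, distinct_ports)."""
    per_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["action"] == "DROP" and rec["path"] == "RECEIVE":
            per_src[rec["src-ip"]].append((rec["ts"], rec["dport"]))
    window = timedelta(seconds=window_seconds)
    result = {}
    for src, events in per_src.items():
        n = max_ports_in_window(events, window)
        result[src] = ("sweep" if n >= port_threshold else "background", n)
    return result

# Constructed sample log: two background sources and one multi-port sweep.
SAMPLE_LOG = [
    "#Version: 1.5",
    "#Fields: " + " ".join(FIELDS),
    "2012-10-09 00:41:12 DROP TCP 198.51.100.7 192.168.1.10 51234 22 60 S 1 0 8192 - - - RECEIVE",
    "2012-10-09 03:15:40 DROP TCP 198.51.100.7 192.168.1.10 51301 22 60 S 1 0 8192 - - - RECEIVE",
    "2012-10-09 01:02:03 DROP TCP 203.0.113.9 192.168.1.10 40000 80 60 S 1 0 8192 - - - RECEIVE",
    "2012-10-09 02:00:00 DROP ICMP 203.0.113.9 192.168.1.10 - - 60 - - - - 8 0 - RECEIVE",
] + [
    f"2012-10-09 04:00:{i:02d} DROP TCP 203.0.113.50 192.168.1.10 44444 {port} "
    "60 S 1 0 8192 - - - RECEIVE"
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 143, 443, 445, 3389])
]

if __name__ == "__main__":
    for src, (label, n) in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:15} {label:10} distinct ports in window: {n}")
```
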
  #11  
Old October 9th, 2012, 02:01 AM
moontan
Massive Poster
 
Join Date: Sep 2010
Location: Québec
Posts: 3,113
Default Re: stealthed firewalls.

Maybe Stealth does not improve security.

But I read yesterday that Stealth uses fewer resources because someone might probe your computer for just a moment if it is stealthed.
But they will keep on 'knocking at the door' if your ports are closed instead of stealthed.

here's the quote:
Quote:
I very strongly disagree with that it is a marketing trick. This is simply due to the logic of the port scanning attacks — in most cases they just drop you after a short number of no-replies to save time, if you reply — they look deeper.

While this is not an immediate threat for a well-configured machine, it at least consumes resources. No reply → presumably no target, a target with closed ports → broader scan, spoofed packets, etc.

So stealth has both obvious resource and security benefits.

and:

Quote:
Replying on a closed port is very much like saying «no» to «are you there». It does show that you are. It also shows that you are rather dim and might have other weak spots to discover.

From my logs:
Stealth mode = one or two port probes from an ip, then it stops.
Closed mode = full ass massive port scans, forged packets, all sorts of weird requests.

from here:
http://vistafirewallcontrol.freeforu...orts-t119.html
__________________
| NoScript || Image for Linux + BootIt Bare Metal |
  #12  
Old October 9th, 2012, 04:20 AM
TheWindBringeth
Frequent Poster
 
Join Date: Feb 2012
Posts: 808
Default Re: stealthed firewalls.

FWIW, I do believe Steve Gibson popularized the subject and coined the phrase "stealthed port". A few searches didn't nail the first use date, but I'm guessing late 90s at the earliest. By then there were all manner of TCP/IP devices being used in above-commercial-grade applications where resistance to attacks was a top priority and bandwidth/hardware limitations were significant. Even before TCP/IP became popular there were other communications protocols/applications where it was best to drop inappropriate "packets" at the earliest opportunity and NOT respond to them. The concept and its application go back a long way.
  #13  
Old October 9th, 2012, 05:54 AM
Spiedbot
 
Posts: n/a
Default Re: stealthed firewalls.

The problem is as follows:
Does the port tester/hacker know our IP?
If he does not know our IP, what search techniques does he use?

In the first case, whether the ports are stealthed or not is of no interest.

In the second, if the would-be hacker scans a small IP range one by one, and an IP returns no information, there is probably a firewall, and therefore a PC behind it.
But if the port tester scans a very wide range of ports, with a tool that will show him which IPs have open ports, stealth mode will then prevent attacks.

If Kaspersky changes its position, it has good reasons, but behind the talk there is marketing, costs; maybe having stealth ports interferes too much with access or the proper functioning of the printer or other things. No need to look too far.
  #14  
Old October 15th, 2012, 03:02 AM
deadmeat
Regular Poster
 
Join Date: Mar 2009
Posts: 84
Default Re: stealthed firewalls.

Quote:
Originally Posted by chronomatic
Stealthed ports are a sham.

I absolutely agree with this and I'm not alone.

http://www.hansenonline.net/Networking/stealth.html

Get over the notion too that there are legions of basement hackers physically trying to break into your PC. The reality is these are mostly automated bots scanning thousands of IP addresses and port sequences at random without caring what state the target PCs might be in.

If you understand where the biggest threat area lies, then you also appreciate that constantly searching for the "best" or "strongest" firewall and AV is a pointless exercise. Your majority risk factor begins and ends when you click to enter a site, and you can control this with your finger without relying on security software to do it for you. I recently set up a shared laptop (teenage brother and sister) with just the Windows 7 firewall (UAC enabled), Chrome, DuckDuckGo + WOT and Norton DNS. Three months later without an AV and the machine is still clean. Had they been entering red rated WOT sites then it would not have been, but then this is the choice we can all make. There are plenty of smart folks who rubbish WOT, but they all have infection tales to tell too. Sure it has its faults but so does everything else and sticking to green rated sites only will not wreck your life.
  #15  
Old October 15th, 2012, 03:07 AM
Hungry Man
Incredibly Massive Poster
 
Join Date: May 2011
Posts: 8,486
Default Re: stealthed firewalls.

https://insanitybit.wordpress.com/20...rts-or-closed/

I wrote about this a while back. Short story - stealthed makes no real difference and most of the time it's not even done properly.
__________________
  #16  
Old October 15th, 2012, 07:35 PM
Disney
Regular Poster
 
Join Date: Oct 2012
Location: USA
Posts: 53
Default Re: stealthed firewalls.

Stealth is always good if you are under a watch of some kind where someone is actively trying to find your computer. That is almost never happening to an individual, so closed and stealth from a home standpoint are basically the same. You are pretty much safe with either, as in the real home world no one cares.
  #17  
Old October 15th, 2012, 09:43 PM
wat0114
Frequent Poster
 
Join Date: Aug 2012
Location: Canada
Posts: 729
Default Re: stealthed firewalls.

I can nmap a Windows fw xp stealthed (my own) but I still get some info:

Code:
sudo nmap -sS 192.168.1.xx

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-15 19:33 MDT
Nmap scan report for 192.168.1.xx
Host is up (0.00039s latency).
All 1000 scanned ports on 192.168.1.xx are filtered
MAC Address: 00:40:05:xx:xx:xx (ANI Communications)

Nmap done: 1 IP address (1 host up) scanned in 21.26 seconds

Filtered means stealth. I've x'ed out some info for privacy reasons. So I still know:

1. the host is on
2. its MAC address
3. the IP address is valid
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #18  
Old October 20th, 2012, 02:26 AM
Sir paranoids
Regular Poster
 
Join Date: Oct 2012
Posts: 101
Default Re: stealthed firewalls.

I'll take stealth, every little bit helps, and without it it makes port scanning a joke to find out what ports are open with nmap or whatever it is you use for that kind of thing.
  #19  
Old October 20th, 2012, 03:23 AM
CloneRanger
Massive Poster
 
Join Date: Jan 2006
Location: Home usually
Posts: 3,846
Lightbulb Re: stealthed firewalls.

Quote:
Originally Posted by Beethoven1770

How does a port go from being stealthed to closed in a matter of minutes like this?

First you need to do a more complete scan, All Service Ports

Determine the status of your system's first 1056 ports

After it's finished you'll see more info, scroll down to

Quote:
Adaptive IDENT Stealthing Experimentation

This second connection attempt will ultimately fail, but ZoneAlarm will notice the effort, which is all that's necessary.

Step Four: Finally, refresh the port probe window or repeat the scan to check your system's current port status. You should find that port 113 is no longer "stealth" to the probing IP address because you are attempting to connect to it and it has been determined to be "friendly".

For some reason GRC @ 4.79.142.206 wasn't working for me? Anyway, I hope you get the idea.

Is this testing site reliable?

Yes, & always has been for me since I first started using it, in around 2004.

*

I've always preferred Stealth, & apart from tinkering around a few times over the years to try various things, I've always got it. & that's with an earlier version of ZA that I still use on this XP SP2

__________________
.
Malware = You don't scare me

A different perspective https://rt.com - https://rt.com/on-air
  #20  
Old October 20th, 2012, 05:01 AM
TheWindBringeth
Frequent Poster
 
Join Date: Feb 2012
Posts: 808
Default Re: stealthed firewalls.

* Remember, the GRC test machine is not directly connected to the target system and the test results can be affected by intermediary devices. An ISP silently dropping SYNs, or intercepting them and responding with RSTs, to enforce a no servers policy would be one example. Which would be a problem if it were only applied at external borders and it caused you to miss an open port that could be hit by other ISP customers. Some will want to test their system using a directly connected machine running nmap or whatever.
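A local self-check in the spirit of the suggestion above, as an added example that is not part of the original thread: a TCP connect probe run from a machine you control against your own host, repeated several times so that ports whose state changes between rounds (as reported earlier in the thread) stand out. The function names and the loopback test bed are constructed for illustration.

```python
import errno
import socket
import time

def probe(host, port, timeout=1.0):
    """One TCP connect attempt. Returns (state, seconds_elapsed)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.monotonic()
    try:
        s.connect((host, port))
        state = "open"        # a SYN/ACK came back
    except ConnectionRefusedError:
        state = "closed"      # a RST came back
    except socket.timeout:
        state = "filtered"    # nothing came back ("stealth")
    except OSError as exc:
        if exc.errno not in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            raise
        state = "filtered"    # an ICMP unreachable came back instead
    finally:
        s.close()
    return state, time.monotonic() - start

def survey(host, ports, rounds=3, timeout=1.0):
    """Probe each port `rounds` times; record states seen and the slowest answer."""
    report = {}
    for port in ports:
        results = [probe(host, port, timeout) for _ in range(rounds)]
        states = sorted({state for state, _ in results})
        report[port] = {
            "states": states,
            "stable": len(states) == 1,   # False means the answer changed
            "slowest": max(elapsed for _, elapsed in results),
        }
    return report

def loopback_demo():
    """Constructed test bed on 127.0.0.1: one listening port, one unused port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(8)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()             # nothing listens on this port any more
    try:
        return open_port, closed_port, survey("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()

if __name__ == "__main__":
    open_port, closed_port, report = loopback_demo()
    for port, info in report.items():
        print(port, info)
```

Open and closed ports answer within a round trip, while a filtered port costs the full timeout on every attempt, which is the scan-time difference described earlier in the thread.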
  #21  
Old October 21st, 2012, 05:39 AM
Seer
Very Frequent Poster
 
Join Date: Feb 2007
Location: Singidunum
Posts: 1,577
Default Re: stealthed firewalls.

Quote:
Originally Posted by chronomatic
if someone on the Internet is going to scan all your ports

then he, if he has knowledge on protocols any better than 0, will use a packet builder to craft custom packets and scan you to hell and back. It is impossible (except in Harry Potter/Frodo Baggins series) to really be invisible, the TCP/IP stack simply isn't created with that notion in mind. There are rules that can be placed in packet filters to partially alleviate this, but to be fully invisible against skilled scan techniques is, I repeat, not possible. Although I haven't read their statement, this could be Kaspersky's motive for dropping the stealth issue.
A good analogy would be the F117 - stealth fighter plane. It's called "stealth" but it actually is not, it is just so for the conventional radar systems. There are other ways to detect it, and as a consequence the F117 is known to have been shot down from the skies.
This isn't saying that Steve Gibson is a charlatan (as implied by some obviously more knowledgeable than him in this thread) or that dropping SYN packets doesn't have its place.
__________________
Nick
  #22  
Old October 21st, 2012, 12:20 PM
wat0114
Frequent Poster
 
Join Date: Aug 2012
Location: Canada
Posts: 729
Default Re: stealthed firewalls.

The trouble with ShieldsUp! is those who are uninformed are too easily spooked into believing they're vulnerable when the response from the scan indicates a "Failed" for as little as a ping reply or closed ports instead of stealthed.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #23  
Old October 27th, 2012, 02:40 AM
Spiedbot
 
Posts: n/a
Default Re: stealthed firewalls.

"filtered
Nmap cannot determine whether the port is open because packet filtering prevents its probes from reaching the port. The filtering could be from a dedicated firewall device, router rules, or host-based firewall software. These ports frustrate attackers because they provide so little information. Sometimes they respond with ICMP error messages such as type 3 code 13 (destination unreachable: communication administratively prohibited), but filters that simply drop probes without responding are far more common. This forces Nmap to retry several times just in case the probe was dropped due to network congestion rather than filtering. This slows down the scan dramatically"


...
  #24  
Old October 27th, 2012, 07:45 PM
wat0114
Frequent Poster
 
Join Date: Aug 2012
Location: Canada
Posts: 729
Default Re: stealthed firewalls.

No, there is no router appliance between the scanning pc and the target. The nmap scan was not being filtered.
__________________
Win 7x64 Ultimate

SUA | UAC @ Max | AppLocker w/DLL enforcement | Win fw w/advanced security| EMET 3.5 | Firefox w/NS +AdBlock+ plugins | GPO restrictions | Bitlocker and Truecrypt | ShadowProtect images | IFW data backups + dual boot to XP Pro: GPO, SRP, Jetico firewall w/Process Attack filter
  #25  
Old October 28th, 2012, 12:11 AM
Spiedbot
 
Posts: n/a
Default Re: stealthed firewalls.

Quote:
Originally Posted by wat0114
No, there is no router appliance between the scanning pc and the target. The nmap scan was not being filtered.



Off topic, the ports must be stealths, router or not.

Last edited by Spiedbot : October 28th, 2012 at 12:17 AM.
 

All times are GMT -4. The time now is 05:34 PM.