I really wish a firewall would have . .

If a firewall can stealth all ports that are closed, then why cant they tarpit all of them? Think about it. If you are stealth apart from x y and z ports then they know whats what very quickly. If all your ports seemed to be open and the firewall delt with them as 8sign does and keeps in internal and uses no resources for the "tarpitted" ports then their scanns would come back all open but they dont know what to do and how to do it. they would have to telnet all the ports and see whats what. I tried to tarpit all incoming with 8 signs but it takes it too literally. Any ideas or thoughts on this?

 

Because tarpitting requires a firewall to do extra processing on incoming packets. Because tarpitting requires a firewall to maintain unnecessary (and unwanted) network connections. Because tarpitting can have a negative impact on legitimate resources (e.g. if you connected to a server which was slow to the point of causing your browser to time out, your firewall would notice the connection closure and then tarpit subsequent responses from that server, resulting it its resources being wasted). And finally tarpitting requires a firewall to accept and process unsolicited incoming packets (rather than just checking and discarding) which increases the chance of any coding error resulting in a buffer overflow vulnerability.

In summary, tarpitting is useful for some individuals but is not a technique that should be used by everyone.

 

Well some firewalls are half working, some work very good and some don't work at all. And there are also those that work different way as you mentioned.
But take the whole port thing like this.

We have 65536 ports available. Lets compare them with doors.
We have building with 65536 doors.

Whats better? To have all doors open, all closed or the fact that we don't know for sure if doors are actually there. We don't even know how many of them are there (ok we know there can only be 65536 doors).

Now if it's closed we know they're there, they're just closed. If they're opened we know they're there and we can even easily try to enter.
Now stealthed are another story. We don't know if they are there, we don't know if the are opened or closed. Firewall will always "respond" with "Destination unreachable". And thats the same like port scanning of ports on IP whos PC is turned off or disconnected...

 

Rej . . . Tarpitted ports are "not there" the ports are not "open" they are just being accepted by the firewall so that the firewall can do what it need to keep the connection alive . . Stealth and Tarpitted adn be used interchangably in that scenario . . you dont know what doors are real and not. Yes the only thing with stealth if you dont have any services loaded is that you "may" not exist. I personally have an ftp server running on my pc so i never ever get stealth status. My method is if they can find out i am there and see the 1 port i have open Umm i may as well advertise the fact i am here by seemingly open a whole bunch of ports that dont exist to protect mysystem.

 

Firewalls "stealthing" ports will not reply with an ICMP Destination Unreachable packet, they simply discard incoming traffic without any reply. Sending a Destination Unreachable response is "normal" behaviour to indicate a closed port.

 

Do you recommend permitting ICMP 8 (Dest. unreachable) inbound/outbound from any source?

What about for ICMP 0 (Echo request)?

Thanks,

-rich

 

Please see section B of A Guide to Producing a Secure Configuration Using Outpost Firewall for my recommendations on ICMP.

 

Rmus, I think you mean ICMP 3, right?

Typical procedure is to allow Type 8 out (ping) and Type 0 (reply) in. For ICMP type 3, I think it's usually allowed in as it's sometimes needed, and it's typically allowed out usually to one's DNS servers only, or perhaps not at all.

I think it varies from person to person. If I remember right (I am trying!), Kerio 2 went by the above suggestions. Some other firewalls default to allowing Type 3 in and out. Some just in. I think there is some debate on Type 3 rules..

 

Thanks!

EDIT: even though this is for Outpost, all who use a rule set should read it - it's very thorough!

-rich

 

Yes, esp. in the old Kerio forums. (yes, I meant type 3, not 8 )

I just looked at Paranoid's rules and he explains the pros and cons well.

I also notice he suggests using separate DNS entries for each application, which I do - it's the only way to prevent the DNS exploit.

regards,

-rich
________________
~~Be ALERT!!! ~~

 

Separate rules for DNS is fine unless using a program like Treewalk where you have to give fully TCP/UDP rights and that too on top priority as I did with Kerio 2x rules, but there is no chance of poisoning with TW.

 

Bah i messed something up. The firewall accepts ICMP Ping Reply packets but doesn't reply to them. Thx Paranoid2000 for fixing that...

 

lol @ rej