Puzzled by firewall test results

Purchased a new router so naturally I wanted to test its security. I went to two sites, grc and pcflank. How accurate are these sites because I got two different results?

GRC says that all 1056 of my ports are stealth but I failed the ping. Pcflank says that I passed the ping but have about half-a-dozen ports closed but not stealth.

Thanks,
Acadia

 

PcFlank scans have been known to generate some unexplainably weird results.

 

GRC is fine, but the result just say, that your routers INBOUND firewall (NAT) is working well. thats complete different from a windows/general OS firewall. thats reason i dont need such strong firewall like outpost or online armor for inbound security, i use a small solution for simple but effective outbound control.

 

PCFlack has different port scan tests. If you run the Quick Scan test, it uses the Advanced Port Scanner test. The Stealth test for PCFlack is a separate stand alone test.

So did you run the Stealth test and receive open ports results?

As far as the ping test go, I would check your router settings. Most have a setting if ping is responded to or not.

Finally check if your router has a Statefull Inspection feature and make sure it is set on. That is the most important feature a router can have. It will cause the router to block any unsolicted inbound traffic.

 

Thanks for all replies thus far.

itman: Unfortunately or fortunately, I'm not sure which now, I purchased an Apple Airport Extreme router. It does not have a ping killing feature (I did not realize that when I started this thread) and it evidently, based upon what I have now been reading, does not do Statefull Inspection.

Hmmm, I read a lot of good things about this router before purchasing, now I am beginning to wonder if I purchased a very expensive brick. Works wonderfully otherwise with all the wired and wireless computers in our household but security is the most important thing.

Acadia

 

There are two interfaces on every router; WAN and LAN. The WAN is the outside world, the LAN interface is your local network. Allowing pings in from the LAN is almost always required to verify connectivity for your local devices and PCs. The fact the GRC ping test did not show a response from the router WAN interface indicates it is secure. I would not lose sleep over it.

Statefull inspection is usually only offered on commercial routers like my Netopia/Motorola router. Just make sure NAT is enabled on your Apple router and you should be OK. Most good third party software firewalls and the Vista and WIN 7 firewalls offer statefull inspection so again, you show be covered.

The biggest vulnerabilty I have found on routers is the NetBIOS ports 137 and 138. My Netopia router has problems with those ports. So much so, I have disabled NetBIOS on both my WIN XP and 7 installations. That's OK for me since I don't have a home network setup. You can however set up your home network without NetBIOS but it takes a bit of work.

Finally there are millions of routers that are vulnerable to DNS rebind attacks. These attacks use TCP and UDP port 53 outbound to localhost 127.0.0.0 - 127.255.255.255 to redirect traffic through your default localhost connection. On Windows and most third third party firewalls, I make it a habit to create a block rule for the above traffic. Note that if you use Norton AV or IS, you might not be able to do this since Norton uses localhost for internal and external communication. Also some products like Kapersky block external access to localhost.

 

itman, thanks a million for your response, it is a bit reassuring for me. Yes, the Apple router has NAT. Behind the router I am using Online Armor for my software firewall. You mentioned Norton; I like playing around with security software programs and currently I am playing with Norton which I am getting for free since I use Comcast. I regret to say that the port and DNS stuff was a little over my head but I do one thing on my own that I have never heard of any one else doing: I put my financial institutions into my HOST files so, as I understand it, no malware will be able to redirect me using DNS unless they are able to re-hack and change my HOST file.

Again, thanks, and I REALLY appreciate the time that you took for your responses, take care.

Acadia