Stealthing Ports Question

Discussion in 'ten-forward' started by Checkout, May 1, 2002.

Thread Status:
Not open for further replies.
  1. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    When a firewall 'stealths' ports, it effectively refuses to respond to incoming requests, right?  Presumably, then, incoming traffic on port 80 (or any other port in use) is only accepted if the packet IDs prove that the conversation was started locally - in other words, only traffic initiated by the firewall's host will be honoured.

    Am I correct?
     
  2. FanJ

    FanJ Guest

    Hi Checkout,

    Isn't that what Stateful Packet Inspection is about?
     
  3. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    [Picture of me looking blank] I don't know.
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Not all people agree on stealth.
    The common terminology is:
    Stealth - the incoming packet is dropped, as in nobody's there.
    Blocked - the incoming packet is bounced back (returned to sender), as in there's a door there, but it's closed.
    Stateful Packet inspection is when the contents of a packet are scanned instead of just the header. I think.
     
  5. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    In under 30 seconds I dug up this:

    http://www.ciol.com/content/flavour/netsec/101041101.asp

    Excerpt:
    End excerpt.

    But back to stealthing.........

    Stealthing is when the computer (or router) does not reply at all to requests on ports that it wishes not to be detected on. A client PC often has no need for ANY ports to respond to requests from the LAN/WAN. In this case, stealthing all ports can make your computer seem invisible to some port scanners.

    Unfortunately, this buzzword has been misrepresented to signify security, and really it doesn't.

    For example, Jonny Lunchbox runs Windows 95. Some @sshole commandeered his PC and printed large colored dots on 100 sheets of his nice photo quality paper. Now he has no paper and no ink. Poor Jonny! Now Jonny is no dummy, just inexperienced with this stuff, and he can take advice from "quasi-experts." So he learns he needs a firewall to keep out them printer pirate bastiches. ZoneAlarm comes highly recommended from a seemingly well respected website, so he installs it. The sites have tests that say "Congratulations! You are totally stealthed!" Well Jonny feels sooo good now! Take that, printer pirate pissant punks!

    A nice story indeed. Did Jonny live happily ever after? Probably not, but he can at least brag to his non-computer-literate friends that he is "totally stealthed." And make no mistake, they are impressed; he proudly shows them how to "get stealthed." A new "quasi-expert" has entered the world!

    What is the moral of the story? That an enterprise level nth tier Cisco router behind several dedicated hardware firewalls that is used to carry out bank transactions and process credit cards will fail the stealth test every time, and be told in BIG RED PRINT that they are insecure all because they have a port open to serve something. NO SERVER can be totally stealthed, unless it serves nothing. Would you suggest that Jonny's PC is more secure than the bank's system? Probably not. Stealth means very little to REAL internet security.


    D@mn it is good to be back!
     
  6. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Thanks for the explanation, O Under-Thirty-Second Digger-Upper!  I presume then that the real danger is servers which are indiscriminate (promiscuous?) as opposed to those which only talk to trusted IP addresses?  Natively, I suppose servers are promiscuous, but stateful packet inspection by firewalls should tame this behaviour.  There goes another brain cell.
     
  7. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Promiscuous mode is when an ethernet adapter is purposely listening to packet transmissions not addressed to it. On dumb hubs, all packets are broadcast to all PCs on the hub, and the ethernet cards only read packets that are addressed to them (destination header contains that PC's IP). With them there evil raw sockets from winpcap (or any linux/unix machine which knows no other kind) one can tell the network card to read all the packets no matter who they are for. If the PCs are on a switch (smart hub that switches the connection on and off very quickly so there is never more than one connection at any given nanosecond) or a router, packets are not broadcast and the ethernet card that is sniffing will only receive packets addressed to it. Promiscuous mode is never on by default.

    I do not think "promiscuous" is the word you are looking for.
     
  8. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    It was meant as an analogy.
     
  9. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Good to see ya back UNICRON. Like I said, not all people agree on stealth. I liked your little story. :)
    I agree with everything you said. However, if I can stealth all the ports on my computer with a good firewall, that is certainly an extra layer of protection from the average wannabe black hat. Granted, a pro will do what he wants.
    I still feel there is a certain amount of security gained when my ports are stealthed and they do not respond to the thousands of random scans that hit my box daily.
    I use Outpost. It is a very powerful and highly configurable tool to be used as an extra layer of protection. By tweaking rules and controlling the traffic in and out of my computer, I have far more protection than someone without a firewall or with a firewall that would better be called a toy.
    Bottom line is people need to learn. You can't outsmart someone that is more learned than you in the field of security. I study, I listen, I learn. I am safer today than I was a month ago. I am not totally safe. I never will be.
    I also try not to be paranoid. God, some people drive me mad with the paranoia. :) All in all, I try to learn and have fun with it. If it ain't fun, why am I doing it?
    Just my thoughts. No criticism for anyone or anybody else's philosophy intended.
    Last. I am building a website for the very basest of basic security. I am learning as I go along. I am just starting to realise how much there is to learn when you start from scratch and know nothing about internet security. I may be asking you guys and gals for input soon.
     
  10. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Hey Root does Outpost have an option to open particular ports by number?
     
  11. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    You are correct Root. A stealthed port is better than a non-stealthed one provided (and this is important) they ALL are stealthed. Then, to the amateur hacker who is port scanning, you do not appear to exist. If you have one port open, then someone can tell you are there.

    The problem with stealthing as a means of security against experts is that they ALREADY know you are there, and a stealthed port doesn't fool them. They got your IP some other way (not port scanning) and have selected you specifically because they have your IP. This could have happened by you going to their website, replying to their spam email, downloading something from their ftp server...etc. Since a server cannot hide its IP (and potentially has more booty to reap), they are attacked quite often.

    It isn't too hard to get the IP of someone specifically. If I pretend to be a sexy young girl who claims to live in the same town as MR BLAZE, I could invite him to email me directly, and then poor MR BLAZE would be in serious trouble, stealth or no stealth. Someone who can spoof an IP will spoof yours and appear to be local; your freebie software firewall may or may not be able to distinguish between real packets from you and the fakies. (Done right, probably not.) I don't think any software firewall that costs under a hundred bucks is really expected to hold up to attacks like that, however, or else the enterprise level firewalls wouldn't sell ;)

    So, yes, stealthing is better than nothing. It will keep away most of the amateur wannabes, but no

    stealth != security;
     
  12. Checkout;

    Checkout; Guest

    Surely Stealth + External Proxy = Invisibility, whatever colour the hat?  This is illuminating.  Thanks Uni.
     
  13. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    Detox, yes, ports are configurable one at a time or in groups or combinations.
    Checkout, like UNICRON said, only if somebody is scanning blind. If someone has your IP, you can be had, pure and simple.
    100% secure=unplugged.
     
  14. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    This is what I don't understand.  How?  Sure, flooding could knock me offline, but...?
     
  15. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Checkout, you are suggesting that you are bullet proof?

    Don't say that too loud, you might attract The "we'll see about that " crowd.

    All those big companies that spend thousands on security are sure fools eh? Who knew they could just use ZA!... snicker!
     
  16. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Checkout, thank you for this threat!  i am struggling with figuring out ports and what my firewalls do (i'm trying to figure what my firewalls are doing to the ports?)

    Your original question regarding the conversation must be started locally or it won't be accepted...forgive me if i have misunderstood it...i'm trying to see if that might be my problem with icq.  i can send out a file, but can't receive one on my XP, but i can send and receive on my Win98se, and they are both on the same router(with firewall) and both have SPF installed.  i think the XP's internal firewall might be blocking incoming files requests...but i'm confused because if i've clicked on the "accept" wouldn't i be opening that port to accept the file?

    LOL...i know, icq is not a safe application, but darn the nets gotta have some fun to it. ~grin~

    (if i'm way off topic....LOL..just speed read over my post and i'll go away)  ;)
     
  17. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    oh boy...

    no, Checkout didn't threaten me LOL  oops!

    it's almost 3am and that's a typo!!  

    meant to say:  thank you for this threaD   (sorry)

    gets herself to bed.....
     
  18. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    snapdragin, you can edit your posts, without having to post corrections in a new post.

    you will see a "last edited on..." at the end of this post signifying the last time I edited it. Unless you are a mod or admin, you can only edit your own posts. You cannot delete your post either.
     
  19. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I never give ladies threats - I give 'em treats!   :D
     
  20. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I would like to feel that I am.  A lot of what this security field is about is confidence, remember - we're all happy until the next exploit is announced, then we rush out and upgrade our filters and blockers like lunatics.
    I realise that, and I'm not about to throw down the gauntlet.
    Here lies the rub, bub:  how many of us are living with a false sense of security?  You've given me every reason to believe I've been a confidence junky, and now I need to know more.  I need to understand what I'm exposed to otherwise I can do nothing to address it.

    Lessons please, Master Unicron.   :eek:
     
  21. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    Ahh enthusiastic disciple, all in good time.

    Here is the "question for checkout to ponder" lesson of the day:

    If a blackhat uses raw sockets, and doesn't use an ISP that employs any kind of anti-spoofing filters (my ISP is one of the few that actually does do some level of antispoofing, although I have yet to test how far they have got), then what would happen if that bad-feller spoofed his IP to appear to be your IP and tried to fool your firewall into thinking you had initiated a connection to the internet when in fact you did not? Would the stealthed port now respond to a connection started locally?


    A good read on spoofing and antispoofing for the uninitiated:  http://www.xs4all.nl/~rmeijer/spoofing.html
     
  22. snowman

    snowman Guest

    please excuse my getting a little side-tracked with the topic here.........posted below is a comment by snapdragin that seems to suggest that she has two firewalls working at the same time:

    --------------------------------------------------------------

    "both on the same router(with firewall) and both have SPF installed.  i think the XP's internal firewall might be blocking incoming files requests..."
    ---------------------------------------------------------------


    it appears that she did not disable the built-in firewall in her XP....and is also using the SPF firewall...isn't it possible that this may cause some conflict with the "stacks"? o_O        Perhaps some of the more experienced could offer a comment.....and if there is a possible or potential problem she would be alerted to it.

    again..sorry for side-tracking...

    snowman
     
  23. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I must be missing something.  Here I am, a little program, talking through my serial port to my modem.  I tell it to call my ISP, and it does.
    • I say, "Take me to 244.12.3.9 for I wish to view nekkid wimmin"
    • My trusty modem shakes hands with the IP who supplies said fantasy items
    • I send a packet with the target IP as the destination and my IP as the source
    • I include a sequence number 'cause I'm not a stupid program
    • I receive a packet which has my IP as the target and the IP I wanted to hear from as the source
    • I check the sequence number and it is not 1 greater than the sequence number I sent - so I throw it away
    Just because I receive a header with my own IP in it doesn't mean I'm going to be fooled into thinking it's a genuine response to something I started.  I sincerely hope you're not suggesting that current firewalls will?

    Edit for PS

    pS My mother told me never to accept UDP, so I don't.
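    An added illustration, not from any poster in this thread, of the three ideas the thread circles around: root's stealth-vs-blocked distinction (drop silently versus bounce the packet back), UNICRON's spoofed-source question, and Checkout's point that a reply must acknowledge the sequence number the host actually sent. It is a toy connection-tracking filter in Python; the addresses, ports and sequence numbers are constructed sample values, and the Packet fields are a simplified stand-in for real TCP/IP headers.

    ```python
    from dataclasses import dataclass

    OUR_IP = "192.0.2.10"  # constructed sample address for the protected host


    @dataclass(frozen=True)
    class Packet:
        """Simplified TCP/IP header: just the fields the filter inspects."""
        src: str
        sport: int
        dst: str
        dport: int
        seq: int
        ack: int
        flags: str  # "S" = SYN, "SA" = SYN/ACK, "A" = ACK


    class StatefulFilter:
        """Toy stateful filter: only host-initiated flows create state."""

        def __init__(self, stealth=True):
            # stealth=True  -> unsolicited packets are dropped silently ("nobody's there")
            # stealth=False -> unsolicited packets are answered with a RST ("door, but closed")
            self.stealth = stealth
            # (our port, peer ip, peer port) -> initial sequence number we sent
            self.table = {}

        def outbound(self, pkt):
            # A SYN leaving our host opens a state entry; remember our ISN so that
            # the peer's reply can be checked against it later.
            if pkt.src == OUR_IP and "S" in pkt.flags and "A" not in pkt.flags:
                self.table[(pkt.sport, pkt.dst, pkt.dport)] = pkt.seq
            return "allow"

        def inbound(self, pkt):
            # Ingress anti-spoofing: our own address can never legitimately arrive
            # from the outside, so a packet "from ourselves" is treated as unsolicited.
            if pkt.src == OUR_IP:
                return self._unsolicited()
            isn = self.table.get((pkt.dport, pkt.src, pkt.sport))
            if isn is None:
                # No flow we started matches this packet -> unsolicited.
                return self._unsolicited()
            # A genuine reply acknowledges exactly ISN + 1; anything else is discarded.
            if pkt.ack != isn + 1:
                return "drop"
            return "allow"

        def _unsolicited(self):
            # What a port scanner sees: nothing at all, or an explicit refusal.
            return "drop" if self.stealth else "reject-rst"
    ```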
     
  24. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    yes snowman, thank you!
    it's difficult to ask a question clearly when one doesn't really understand the subject they are asking about, but you put it in much better words for me!

    this was what i was wondering, am i over-firewalled to the point other applications that i want to access the net in both directions and with an incoming connection initiated from another computer on the net to send me a file (with my permission of course) can't?  i don't understand ports that well yet....i need to find something like Ports 101, but if i have 3 firewalls..(router's firewall, XP's internal firewall and a software firewall) then what's taking care of what ports? ~blink~

    UNICRON....i'm heading back to the test board to learn about editing posts...i'm getting better at the "quoting" though.  :D

    ~HUGE GRIN~ my first edit!  WHoo hooo!! :D
     
  25. snowman

    snowman Guest

    Snap

    by no means am I an expert in regards to firewalls....and with that in mind I would hope that some of the more highly experienced posters would add their replies also.

    IMO running two firewalls on one computer is a serious security risk........yes it can be done...but should only be by the highly experienced..........

    so as not to confuse you......the experienced computer users I know who use XP disabled the in-built firewall in XP and used only the "added" firewall...in your case SPF.........this resolves any conflicts in regard to Stack placement.....(let's not get into Stacks...may only confuse)       I think The Root and Unicron could best explain why.

    Snap..remember that because you now have the in-built firewall in XP working...once you disable it you may\most likely will need to add\refine your rules in SPF for inbound connections.   with the in-built firewall in XP enabled as you now have it....it's questionable if SPF is blocking the in-bound connections or if the XP firewall is blocking the in-bound connections.    there is a good chance that the XP firewall is doing the blocking because it's built into the windows os..and that starts first.

    there is a website devoted entirely to refining rules for SPF.......when you reach that point I'll help in trying to locate the url

    for the moment I highly suggest that you immediately post in the firewall forum regarding this issue.........I know there are others here who use XP.

    and no don't panic...this isn't all that complicated nor are you in grave risk....nevertheless it's not an issue you should ignore.......and should be done before discussing ports.


    snowman
     