NIS 2006 and Shields UP

Discussion in 'other firewalls' started by Cloudcroft, Jan 8, 2006.

Thread Status:
Not open for further replies.
  1. Cloudcroft

    Cloudcroft Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    471
    Location:
    The Hill Country of Texas
    I've used Norton Internet Security over the years and have been happy with it. I've run Shields UP on Steve Gibson's website over the years, and my system has always passed the tests. I've recently installed NIS 2006, so last night I ran Shields Up, and passed all the tests, except the ping reply test.

    Ping Reply: RECEIVED (FAILED) — Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation

    I checked the firewall rules, and Norton Firewall has a default rule to block inbound and outbound ICMP echo requests and replies. I stayed up half the night playing with the rules, trying to pass the Shields UP test. I researched the Symantec website, and hooked up with "live" tech support, whose agent told me Symantec's policy is not to support their own "Security Check" scanner, let alone a third party scanner. I'm pretty frustrated trying to figure out why the firewall rule is not working. Any help would be appreciated, short of throwing out NIS 2006, which by the way, I thought about in the middle of the night.
     
  2. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    Assuming you have a standalone machine connected to internet without a router and without using a remote proxy for browsing, why don't you try enabling logging on all ICMP rules (Block and Permit), then check the Event Viewer after visiting ShieldsUP!. You should only get one matching rule at GRC for ICMP, although the rule will be matched multiple times. Personally, I always deleted the default rules when I was using Norton, then created my own. The rules as described by CrazyM in the first post in this thread:
    https://www.wilderssecurity.com/showthread.php?t=110701
    ...is the way I've always done it, with a Block All Other ICMP (In/Out) (Log) below these Permit rules. I would keep the ICMP rules all in one place, such as in the General rules section, which is given priority over Program and Trojan Horse rules.
     
  3. Cloudcroft

    Cloudcroft Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    471
    Location:
    The Hill Country of Texas
    I've spent quite a bit of time trying to figure out the problem, and I didn't mention that I've recently switched to DSL, and also have a Linksys router which I set to block WAN requests. I've been reading through the grc.com discussion groups, and found a number of people who had the same thing happen to them after switching to DSL from dial-up. In many situations the DSL modem is also a router, and it is the modem/router that is responding to the ping requests. Would that be why I've received no alerts (set the firewall rule to alert me) when this rule is applied: the Norton firewall is not receiving the pings?
    I found several people that were able to change configuration settings for their modem to stop the system replying to ping requests from Shields Up. I'm having trouble finding the correct settings to change, and the Verizon tech support person I spoke to earlier was no help. The Westell (my modem) support page instructs users to see their ISP for help on my model. I think I may have figured out the culprit, but am having no luck in finding the solution.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    This setting in Linksys routers will usually drop inbound echo requests (pings).

    Yes, the modem and/or router will be handling the unsolicited inbound traffic, not the software firewall on systems behind them.

    Can you clarify/determine if your modem also functions as a router?

    Regards,

    CrazyM
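
Added example, not part of any post in this thread: a small first-match rule evaluator showing the log pattern noway describes (one rule matched several times) and the deduction Cloudcroft and CrazyM reach when the host firewall logs nothing. The rule set, function names and packet samples are constructed for illustration; they are not Norton's defaults or the rules from the linked thread.

```python
from collections import Counter

ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11

# Constructed rule set: (name, action, direction, ICMP types or None = any).
# Evaluated top-down; the catch-all block sits below the permit rules.
RULES = [
    ("Permit outbound echo request", "permit", "out", {ECHO_REQUEST}),
    ("Permit inbound echo reply", "permit", "in", {ECHO_REPLY}),
    ("Permit inbound unreachable/time exceeded", "permit", "in",
     {DEST_UNREACH, TIME_EXCEEDED}),
    ("Block All Other ICMP (In/Out) (Log)", "block", "any", None),
]

def evaluate(packets, rules=RULES):
    """First matching rule decides each packet; every match is logged."""
    verdicts, log = [], Counter()
    for direction, icmp_type in packets:
        for name, action, rule_dir, types in rules:
            if rule_dir in ("any", direction) and (types is None or icmp_type in types):
                log[name] += 1
                verdicts.append(action)
                break
        else:
            verdicts.append("no-match")
    return verdicts, log

def interpret(scanner_got_reply, log):
    """Read a scan result against what the host firewall logged."""
    if not scanner_got_reply:
        return "no reply seen by scanner"
    if not log:
        # Replies were sent, yet no ICMP rule on this host ever matched:
        # the echo requests stopped at an upstream modem/router.
        return "upstream device answered"
    return "host saw the probes; check which rule matched"

# Constructed scenario 1: PC directly on the Internet, scanner sends 4 pings.
direct_verdicts, direct_log = evaluate([("in", ECHO_REQUEST)] * 4)
# Constructed scenario 2: PC behind a NAT modem/router, nothing reaches it.
nat_verdicts, nat_log = evaluate([])

if __name__ == "__main__":
    print(direct_verdicts, dict(direct_log))
    print(interpret(True, nat_log))
```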
     
  5. Cloudcroft

    Cloudcroft Registered Member

    Joined:
    Feb 29, 2004
    Posts:
    471
    Location:
    The Hill Country of Texas
    Yes, the modem does function as a router with a built-in firewall. I didn't know that until today. I had already installed a Linksys router/firewall for more security. I finally figured out that I needed to go into the modem firewall configuration, and change the setting to custom. When I went into edit, there was a default rule for dropping ICMP protocol. I saved the settings, then reran Shields Up, and passed, so now I know the modem/router was the culprit. There was also an outbound default rule for blocking NetBIOS on ports 135-139. My Norton firewall has a rule to permit outbound NetBIOS on ports 137-139. Can anyone tell me if I should leave the block outbound NetBIOS rule in the modem/router firewall, or remove it?
     
  6. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    So you probably just needed a switch for additional ports with the modem and not another router.

    Which offers more features/configuration, the Westell modem/router or the Linksys? You may want to consider reconfiguring things so just one of these devices is doing NAT.

    Leave it, you do not want this type of traffic to leave your network.

    Regards,

    CrazyM
     