NIS Firewall open ports - is this normal?

Discussion in 'other firewalls' started by Abeltje, May 30, 2007.

Thread Status:
Not open for further replies.
  1. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    Hello,

    I've checked my ports with JFirewallTest as offered in this forum. I found that there are some open ports with my Norton Internet Security 2007. Is this normal and / or dangerous? Shouldn't they all be closed? (I thought they were with Windows Firewall). I'm running Windows Vista. Thanks for your opinion.
     


  2. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Abeltje :)

    Hmmm...

    Open, closed... from inside...

    3389 is used by Windows Remote Assistance, and 5357 may be used by the Web Service described here: http://msdn2.microsoft.com/en-us/library/aa386284.aspx

    All the others may be local ports used by any normal application.

    Local ports are:

    xp 1024-5000
    sp sp2 ICS 60000-65000
    vista 49152-65535

    The ports shown in your screen capture are in this range...

    Are you using Vista? If so it's possibly normal...

    You know what? This test is real crap. The most important thing to know is what is running on your PC. Try Process Explorer, for example, and check which port is used by each process.

    This "test" does not show which process uses the port and to which remote port it's connected. How can you understand what's happening with this "half picture"?

    How can you connect to internet services without open ports?

    An example:

    When you make a connection to a web site, your PC opens the first available local port in the local port range to connect to a DNS server on remote port 53 over UDP.

    Then your browser starts a connection by opening the first available local port in the local port range to remote port 80 of the web server...

    Some other applications require a port outside this local range, and so on...

    The important thing is:

    What's running in your PC ?
    Did your firewall ask you to allow an unknown program ?

    Hope this helps.

    :)
     
  3. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    Hello,
    Thanks for your answer, it's already a bit clearer now. Still, there are some things I don't fully understand.

    First, I downloaded Process Explorer, how can I check which process uses which port? Didn't find it. Anyway, I don't think there are unusual processes, there has also been no unusual warning by NIS. And I am running Vista indeed.

    What I don't understand - how can the port for Remote Desktop be open to the outside? First of all, I don't use Remote Desktop at the moment. And then, shouldn't the port only be open to other "Remote Desktop software" and not a port scan?

    In general, do you think the NIS firewall is sufficient to protect a PC? Are there qualitative differences with, for example, Look 'n' Stop? Or put otherwise, can I expect major security flaws in the NIS firewall or should I really not need to worry? And I am not talking about leak tests, but simply the pure firewall protection, in- and outbound.

    Thanks again.
     
  4. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hello Abeltje
    No, this is not normal.

    You will need to check your firewall settings. If you have the firewall set to "Automatically decide what to do", or "Automatically customize Internet access" then this can cause ports to be opened.

    With such scans, ports will only be shown as open if the application on that port is allowed inbound connections.

    Check the firewall rules for your applications.
     
  5. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Stem :)

    Sorry to argue with you but this may be normal...

    The test shows only which ports are open, but not by which process and to which remote port...

    In the example given by Abeltje, the local ports from 41153 to 41159 are in the normal range of local ports used by applications under Vista... or some applications using that local port range (even on XP...)

    An example of this is Tor. It's possible to modify the MaxUserPort registry key to give Tor a higher local port range than normal. In this condition, open ports in the range shown in the screen capture may be normal...

    Ref.: http://www.microsoft.com/technet/community/columns/cableguy/cg1205.mspx

    But the only way to know this is to know what's running with Process Explorer or alike and, like you say, to check the firewall settings.

    Not by this (useless) test, because it proves nothing.

    Best regards,

    :)
     
  6. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    I'm running basically nothing. I tested the extreme and deleted ALL program rules; still there were those open ports, and if I understand it correctly this is impossible. Either there is a general problem with Vista and NIS, but I doubt that, someone else should have noticed before me, shouldn't he? Maybe my Vista installation got corrupted, I tested quite some security applications during the last weeks. I could also not get a stealthed system with Avira Security Suite. When I look at my Windows XP laptop and NIS 2007 all my ports are closed. Any idea what to do to fix the error on my Vista or should I do a reinstall? (No, I don't have a backup image ...)
     
  7. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Hi Climenole
    Not with an SPI firewall.
    The test (JFirewallTest) is only for open/closed ports. A scan is made internally to see what ports are being listened on, then an external scan is made against these ports.
    I did make a number of scans against NIS, these showed as stealth. The "JFirewallTest" test does depend on the firewall settings, as this is an internal application (Java) connecting out to make the test, which can give strange results as NIS will allow this application all access required (if NIS firewall is set as "Auto", as mentioned in my last post).
    Open ports are only made available for unsolicited inbound. An SPI firewall will filter returned packets (from outbound connections), not open a port for these.
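
Stem's point about stateful packet inspection, as an added example that is not part of the original thread: a toy state table showing why a local port used for an outbound connection does not look open to a scanner, while a port with an inbound allow rule does. The addresses, ports and class names are constructed for illustration and do not model NIS itself.

```python
from typing import NamedTuple

class Packet(NamedTuple):
    direction: str          # "out" leaves the PC, "in" arrives from the network
    local: tuple            # (ip, port) on the protected PC
    remote: tuple           # (ip, port) on the other host
    syn_only: bool = False  # True for a new TCP connection attempt

class StatefulFilter:
    def __init__(self, inbound_allowed_ports=()):
        # Ports where a rule permits unsolicited inbound connections.
        self.inbound_allowed = set(inbound_allowed_ports)
        # Flows learned from outbound traffic: (local, remote) pairs.
        self.flows = set()

    def check(self, pkt):
        key = (pkt.local, pkt.remote)
        if pkt.direction == "out":
            self.flows.add(key)
            return "allow: outbound, state recorded"
        # A reply must match an existing flow exactly and must not be a new SYN.
        if key in self.flows and not pkt.syn_only:
            return "allow: reply to tracked flow"
        if pkt.local[1] in self.inbound_allowed:
            return "allow: inbound rule, port is open"
        return "drop: unsolicited"

# Constructed documentation addresses.
PC, WEB, SCANNER = "192.0.2.10", "198.51.100.7", "203.0.113.5"

def run(inbound_allowed_ports=()):
    fw = StatefulFilter(inbound_allowed_ports)
    packets = [
        Packet("out", (PC, 49160), (WEB, 80), syn_only=True),       # browser connects
        Packet("in", (PC, 49160), (WEB, 80)),                       # web server replies
        Packet("in", (PC, 49160), (SCANNER, 40000), syn_only=True), # scan of same port
        Packet("in", (PC, 3389), (SCANNER, 40001), syn_only=True),  # scan of a listener
    ]
    return [fw.check(p) for p in packets]

if __name__ == "__main__":
    for verdict in run():
        print(verdict)
```

Calling `run({3389})` models a rule set that allows inbound connections to the listener on 3389; only then does the last scan packet get through.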
     
  8. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Did you change the firewall main rules, as I mentioned? (So you are prompted to allow/deny connections,... then block any inbound attempt.) If the application making this test is allowed the inbound scan, then the result will be incorrect.

    NIS worked correctly on XP (after I changed the default firewall rules).
    I do not have Vista installed to check with this OS.
     
  9. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    It was definitely a problem with my Vista installation. I did a clean install and no open ports anymore. Also, with my old, corrupted installation it made no difference whether I had the firewall turned on or off, always got the same results. So thankfully I did the reinstall, thank you both for your helpful comments!
     
  10. Climenole

    Climenole Look 'n' Stop Expert

    Joined:
    Jun 3, 2005
    Posts:
    1,640
    Hi Abeltje :)

    This is a Happy End! :D

    Next time, check with this which process uses the local ports in the 49152-65535 range... This is better than a half picture from a "test"... ;)

    http://www.microsoft.com/technet/sysinternals/ProcessesAndThreads/ProcessExplorer.mspx

    :)
     
  11. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    Good to hear.
    You should now know that having open ports on the PC is not "Normal"
     
  12. Abeltje

    Abeltje Registered Member

    Joined:
    Aug 24, 2006
    Posts:
    156
    Location:
    Netherlands
    Hi Climenole :)

    Could you explain where I can see which process uses which port? I looked around but I couldn't find it.
     
  13. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    Hello Abeltje. :)

    I'm not Climenole, but Sysinternals' Process Explorer can show you this info. Just right-click on a process and select 'Properties' -> TCP/IP

    Cheers.
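
The per-process view the posters recommend, as an added example that is not part of the thread: it parses `netstat -ano` output and separates listening sockets (the only ones an inbound scan can find open) from outbound connections that merely use a dynamic local port. The sample output, addresses and PIDs are constructed; each PID can be matched to a process name in Process Explorer.

```python
VISTA_DYNAMIC = range(49152, 65536)   # Vista local port range quoted in the thread
LOOPBACK = {"127.0.0.1", "[::1]"}

# Constructed sample in the column layout of `netstat -ano`.
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:5357           0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:49155        0.0.0.0:0              LISTENING       2020
  TCP    192.168.1.20:49160     198.51.100.7:80        ESTABLISHED     3044
  TCP    [::]:49152             [::]:0                 LISTENING       560
  UDP    0.0.0.0:5355           *:*                                    1300
"""

def parse(text):
    rows = []
    for line in text.splitlines():
        f = line.split()
        if not f or f[0] not in ("TCP", "UDP"):
            continue                      # skip headers and blank lines
        proto, local, pid = f[0], f[1], int(f[-1])
        state = f[3] if proto == "TCP" else "BOUND"   # UDP rows have no state
        addr, port = local.rsplit(":", 1)             # also handles [::]:49152
        rows.append({"proto": proto, "addr": addr, "port": int(port),
                     "state": state, "pid": pid})
    return rows

def listeners(rows):
    """Sockets waiting for inbound traffic: (proto, port, pid, scope, in_dynamic_range)."""
    out = []
    for r in rows:
        if r["state"] not in ("LISTENING", "BOUND"):
            continue
        scope = "loopback-only" if r["addr"] in LOOPBACK else "network-reachable"
        out.append((r["proto"], r["port"], r["pid"], scope,
                    r["port"] in VISTA_DYNAMIC))
    return out

def outbound_ephemeral(rows):
    """Established connections whose local port is a dynamic port, not a listener."""
    return [(r["port"], r["pid"]) for r in rows
            if r["state"] == "ESTABLISHED" and r["port"] in VISTA_DYNAMIC]

if __name__ == "__main__":
    rows = parse(SAMPLE)
    for entry in listeners(rows):
        print("listener", entry)
    print("outbound", outbound_ephemeral(rows))
```

A "network-reachable" listener is only reachable from outside if the firewall also allows inbound traffic to it, so this output is the list of rules to review, not a scan result.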
     