Reliable Firewall Testing Sites

Discussion in 'other firewalls' started by Blackcat, Dec 20, 2002.

Thread Status:
Not open for further replies.
  1. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    With Kaspersky's new AntiHacker program with stealth mode activated I am failing PC Flank's Stealth-Test!!!! All 5 mini-tests are all coming up negative - ' all non-stealthed' and the recommendation is to switch to another firewall!!!! :'(

    The site is recognising my correct IP address and AntiHacker passed all the other tests on the site and the two tests on 'Shields Up'. I have not tried more extensive testing as I was quite alarmed by the negative results at Flank. The WinXP firewall is switched off.

    Is the stealth testing procedure over at PC Flank reliable or is it simply something I am doing wrong? Overall can people suggest testing sites they would recommend for testing of the reliability of their firewalls?
     
  2. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    OOPS!!!!! The PC Flank site is not reporting my IP address correctly ( did not have my glasses on ); so it looks like it is this testing site and not my firewall. :D

    Would still like recommendations to more reliable sites. Why is PC Flank not reporting my correct IP address?
     
  3. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Liège
    Hi ;)
    Because you are behind a proxy :)

    Maybe from your ISP by default when installing your connection with your ISP's CD.

    Rgds,
     
  4. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I've been having trouble finding a scan site that can pick up my IP since my ISP installed a proxy. Even though the proxy is transparent and most proxy checkers see my real IP rather easily, most of the scan sites can't.
    I found out tonight that Blackcode sees my real IP thru the proxy and does a very thorough scan. It reports closed instead of stealth, but I believe that's the same thing as the results say congratulations, you have no open ports and la de da.
    Can be found here:
    http://www.blackcode.com/scan/

    When I get time, I'll try to find more that can see my IP. Right now PC Flank and Kalish can't see my IP I know for sure.
     
  5. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Liège
    Hi Root,

    This scan gives CLOSED if the ports are not OPEN and doesn't notify you whether they are BLOCKED instead of CLOSED.

    Not a big issue : several online scanners are working that way.

    Anyway, BLOCKED is not more secure than CLOSED.

    What is important is not to be OPEN in fact if your only concern is about security.

    Rgds,
     
  6. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Blackcat:

    Sooo, you want some sites to test hey!

    How about this lot for ya mate. Keep ya busy for a while.

    Not only Firewall tests, but heaps of others for general test/info.

    have fun!


    ONLINE SCANNER TESTS FOR AV:

    Trend Micro's free online [Housecall] virus scanner: http://housecall.trendmicro.com/

    BitDefender Free Online Virus Scan: http://www.bitdefender.com/scan/licence.php

    Panda ActiveScan Online Virus Scan: http://www.pandasoftware.es/activescan/activescan-com.asp

    PCPitstop AntiVirus Online Scan: http://www.pcpitstop.com/antivirus/avload.asp

    Symantec's Online Scan: http://security2.norton.com/

    Eicar virus tests [EXCELLENT. Try to download the virus 'test files' and see if your AV stops it before it downloads. Mine does :) ]:
    http://www.eicar.org/anti_virus_test_file.htm



    email EXPLOITS TESTS:

    Declude email tests: http://www.declude.com/tools/mailsend.html

    GFI Email Security Testing Zone: http://www.gfi.com/emailsecuritytest/



    FIREWALL / SYSTEMS TESTS: [Some of these sites you may have to "Register", just fill in a UserName and password or email for verification. No personal details needed, all sites listed below are trustworthy]

    [NOTE: Make sure you read each page/site carefully, as you MUST make sure it is scanning YOUR IP, NOT your ISP's IP. Some sites you will have no choice to alter the setting if you are behind a 'Proxy IP' that your ISP provides. I personally cannot be scanned by one or two of the sites most of the time, as they only detect my ISP's Proxy address, therefore waste of time and your ISP may get cranky if you keep probing their ports]

    Blackcode [EXCELLENT]: http://www.blackcode.com/scan/index.php

    HackerWhacker: http://hackerwhacker.com/newindex.dyn

    AuditMyPC.com: http://www.auditmypc.com/freescan/prefcan.asp

    Broadband Reports.com [EXCELLENT, DO THE SLOW SCAN]: http://www.dslreports.com/scan/

    Computer Cops Security Professionals: http://www.computercops.biz/index.php

    HackerWatch.org: http://www.hackerwatch.org/probe/

    Security Space.com: http://www.securityspace.com/sspace/index.html

    PC Flank Complete Check [EXCELLENT]: http://www.pcflank.com/

    PCPitStop Checks/TuneUp: http://pcpitstop.com/

    Qualys' Free Browser Checkup: http://browsercheck.qualys.com/

    Sygate Online Services [EXCELLENT]: http://scan.sygate.com/

    Steve Gibson's ShieldsUP [GRC-Gibson Research Centre]: http://grc.com/x/ne.dll?rh1bi2l2=wzngrojn



    SECURITY NEWS/INFO:

    For GREAT info on Internet Explorer, AOL [You may have to cut and paste this entire address, as link looks broken in preview I just did, but copy/paste works]: http://www.staff.uiuc.edu/~ehowes/btw/ie/ie-opts.htm

    Wayne's Windows Administrator Support site for Windows NT / Windows 2000 / Windows XP / Penetration Testing / Firewalls: LOTS of links inside....
    http://is-it-true.org/

    Outlook Express Security Related Info: Lots of troubleshooting, etc: http://www.mvps.org/inetexplorer/outlook_express.htm OR: http://www.mvps.org to Home Page with lots extra info various flavours.

    SecurityFocus: http://www.securityfocus.org/

    Microsoft Setting up Security Zones IE: http://www.microsoft.com/windows/ie/using/howto/security/setup.asp#activex

    StormRanger Computer Security: http://www.stormranger.net/pages/590300/index.htm

    my | NETWATCHMAN Attacks Info: http://www.mynetwatchman.com/

    Distributed Intrusion Detection System
    DShield.org: http://www.dshield.org/index.html
     
  7. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Many Thanks for all this great information. At least I have an excuse now to leave all the Xmas shopping until the last minute. I will be too busy testing :D

    Happy Xmas to you in Australia and try and let us Poms at least draw one of the last Test matches coming up. Total humiliation is not nice :'(
     
  8. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Blackcat:

    In the matter of security/help I am only too happy to help.

    In the matter of cricket. No bleeding way mate. It's 'owsdat' to ya!

    lol..... [Bring out ya dead, bring out ya...... ashes]
     
  9. Tassie_Devils

    Tassie_Devils Global Moderator

    Joined:
    May 8, 2002
    Posts:
    2,514
    Location:
    State Queensland, Australia
    Hi Jack in reply re blackcode.com's site tests and the "Closed" ports results. This is the same as either "blocked" or "stealthed" from other sites. Each site has its own way of saying if you are safe or not.
    Usually, of course, they do say "Blocked" like Sygate's site and "Stealthed" like GRC's.

    I did have one site [forgotten the damn addy] which said "All Ports Secure" and would only report any 'Open' ones.

    I too have some trouble sometimes getting a couple of sites to work as my ISP is behind a proxy. Sometimes they work, sometimes they don't. Go figure. Majority of the times they are OK though.
     
  10. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium -Liège
    Hi Tassie Devils ,

    You get me wrong :)

    No test sites will give you a good result with a single port OPEN of course.

    But most sites like grc or sygate have 3 different responses:

    OPEN (bad)

    STEALTH (or BLOCKED)

    CLOSED

    What I mean is that blackcode.com

    Has only two:

    OPEN

    and CLOSED whenever the port is BLOCKED or CLOSED: it does not make the difference between both.

    So if your port is BLOCKED (STEALTH) it notifies you CLOSED too.

    Best regards,
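
The three-way OPEN / STEALTH / CLOSED distinction discussed in this exchange, as an added example that is not part of the original thread: a plain TCP connect attempt tells the states apart by what comes back, and `two_state` shows the OPEN/CLOSED-only style of report. The function names and the `UNREACHABLE` label are assumptions, and the self-check only touches loopback ports it creates itself.

```python
import socket

def probe(host, port, timeout=2.0):
    """Classify one TCP port by what a plain connect() attempt gets back."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "OPEN"         # handshake completed: something is listening
    except ConnectionRefusedError:
        return "CLOSED"           # a reset came back: host reachable, no listener
    except socket.timeout:
        return "STEALTH"          # nothing came back: the packet was silently dropped
    except OSError:
        return "UNREACHABLE"      # some other error (assumed label, e.g. no route)

def two_state(result):
    """Collapse to an OPEN/CLOSED-only report: anything not OPEN reads CLOSED."""
    return "OPEN" if result == "OPEN" else "CLOSED"

def self_check():
    """Probe loopback only: one listening port and one port with no listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                 # port is free again, so a connect is refused
    try:
        return probe("127.0.0.1", open_port), probe("127.0.0.1", closed_port)
    finally:
        listener.close()

if __name__ == "__main__":
    for state in self_check() + ("STEALTH",):
        print(f"three-state: {state:8} two-state: {two_state(state)}")
```
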
     
  11. eyespy

    eyespy Registered Member

    Joined:
    Feb 20, 2002
    Posts:
    490
    Location:
    Oh Canada !!
    Hi Tassie_Devils !
    Very nice post and thanks for the many useful links ! ;)

    regards,
    bill :)
     
  12. Jack Frost

    Jack Frost Guest

    Before you use mynetwatchman, know that visiting these scan sites will register as an attack and the ISP will be notified – it does not matter if you gave them permission or not, the service will still file a complaint.

    It will also look at your log files from the start – meaning last month's activity will be reported. And note that ALL OF YOUR ACTIVITY will be reported; this includes every site you visit, etc.

    It also assumes the user will not modify their log files and add or change entries. A malicious user could make it appear that activity is coming from an IP that is actually innocent.

    Use a packet sniffer (ethereal.com) and look at what their program transmits ;)

    I’m using XP and XP’s firewall.

    Just a word of caution!
     
  13. psloss

    psloss Security Expert

    Joined:
    Dec 22, 2002
    Posts:
    102
    Location:
    San Diego, CA
    Do you recall what responses you saw come back from the server? There are several IPs that are excluded based on information we've received from dialog with ISPs. I've seen my ISP's fairly feeble security scan return a status of: "mNWStatus: EXCLUDED - Source IP Address exists in exclusion database."

    Gibson Research's Shields Up is an example of something like that -- and an example of a site that has changed IPs recently due to one of the latest DDoS attacks on that site. It's possible that this isn't reflected yet in the exclusion list, but communicating with the ISP would also bring issues like IP changes to our attention.

    What agent configuration did you look at?

    Logs can be and should be "prefiltered" since we are only interested in inbound data (intrusion attempts). The prefilter string for the XP firewall is "DROP" -- only events in which a packet was dropped should be uploaded. If the agent is not using prefilters, then extraneous information would be uploaded, which will be ignored by the server, usually with a status of "mNWStatus: REPORT_FILTERED."

    Not only is extraneous information useless to us, but it takes up unnecessary bandwidth to transmit to the server and then server resources for the server to process and reject the data. Both of these reasons were part of the motivation to add some filtering on the client side...

    Some personal software firewalls do log more than just intrusions. For example, Zone Alarm reports all sorts of events besides just intrusions:

    http://robertpanderson.homestead.com/files/zonealarm1.html

    We're only interested in the FWIN or FWROUTE events -- which are the two prefilter strings for the Zone Alarm log format.

    That's mitigated by the scoring algorithms used to filter out "false positives"; I've had several probes to my broadband IP not escalated because my IP was the only one targeted. In the case of "noisy" worms like Opaserv or the new Lioten one or things like Winpopup spam messages, it usually takes reports from two or three (and sometimes more) independent agents for an incident to be escalated despite the fact that -- in those cases -- the signature of a single probe is sufficient to determine its intent.

    Additionally, most ISPs are unlikely to act based on an escalation. An escalation is just that -- just like an abuse incident that was manually reported, we're asking the ISP to look into an event. Given how hard it is to get many ISPs to do anything even after presented with incident information, I would be surprised at this point in time to find that they don't verify/validate the event in their logs before taking an action with respect to one of their customers.

    Philip Sloss
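
Added example, not mynetwatchman's agent code: client-side prefiltering with the strings named in the post above (`DROP` for the XP firewall, `FWIN`/`FWROUTE` for Zone Alarm), showing which lines would be uploaded and which stay local. The log lines are constructed samples, the field layouts are assumptions, and matching on the event field rather than anywhere in the line is a choice made here.

```python
# Prefilter strings come from the post above; every log line below is constructed.
PREFILTERS = {
    "xp_firewall": ("DROP",),
    "zonealarm": ("FWIN", "FWROUTE"),
}

def event_type(fmt, line):
    """Return the event/action field of a log line, or None for headers and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if fmt == "xp_firewall":
        # Assumed layout: date time action protocol src-ip dst-ip ...
        fields = line.split()
        return fields[2] if len(fields) > 2 else None
    if fmt == "zonealarm":
        # Assumed layout: TYPE,date,time,source,destination,transport
        return line.split(",", 1)[0]
    raise ValueError(f"unknown log format: {fmt}")

def prefilter(fmt, lines):
    """Split lines into (upload, withheld) using the format's prefilter strings."""
    wanted = PREFILTERS[fmt]
    upload, withheld = [], []
    for line in lines:
        kind = event_type(fmt, line)
        if kind is not None:
            (upload if kind in wanted else withheld).append(line.strip())
    return upload, withheld

XP_SAMPLE = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags
2002-12-22 21:14:03 DROP TCP 203.0.113.7 192.0.2.10 4312 139 48 S
2002-12-22 21:14:09 OPEN TCP 192.0.2.10 198.51.100.5 1045 80 - -
2002-12-22 21:14:30 CLOSE TCP 192.0.2.10 198.51.100.5 1045 80 - -
2002-12-22 21:15:41 DROP UDP 203.0.113.9 192.0.2.10 1026 137 78 -
""".splitlines()

ZA_SAMPLE = """\
FWIN,2002/12/22,21:14:03 -8:00 GMT,203.0.113.7:4312,192.0.2.10:139,TCP (flags:S)
PE,2002/12/22,21:14:09 -8:00 GMT,Internet Explorer,198.51.100.5:80,N/A
FWOUT,2002/12/22,21:14:20 -8:00 GMT,192.0.2.10:1045,198.51.100.5:80,TCP (flags:S)
FWROUTE,2002/12/22,21:15:41 -8:00 GMT,203.0.113.9:1026,192.0.2.10:137,UDP
""".splitlines()

if __name__ == "__main__":
    for fmt, sample in (("xp_firewall", XP_SAMPLE), ("zonealarm", ZA_SAMPLE)):
        upload, withheld = prefilter(fmt, sample)
        print(fmt, "upload:", len(upload), "withheld:", len(withheld))
```
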
     
  14. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Welcome, Philip, and compliments for doing a very fine job overall.

    regards.

    paul
     
  15. psloss

    psloss Security Expert

    Joined:
    Dec 22, 2002
    Posts:
    102
    Location:
    San Diego, CA
    Thanks, Paul. I hope to take a longer look around here after the holidays...

    Happy Holidays,

    Philip Sloss
     
  16. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Be our guest!

    Happy times as well,

    regards.

    paul
     