Discussion in 'other firewalls' started by Spanky, May 11, 2003.
Is the firewall that comes with Windows XP any good?
It's good inbound protection; the only downfall to it is no outbound protection. You can't prevent applications from getting out, like Trojans, spyware and such.
Even the inbound protection is very basic. Not much you can set or change. Let's say it's for people who don't care much about security; that way they have at least some sort of firewall. Even though I think that the protection isn't that good...
The protection is really good for IN
The main issue is you cannot allow a range of ports: you have to enter them one by one. That's crippling ASF, for instance, if you are using a personal FTP server in PASV.
Well, I don't think so! If you use FIN or SYN flags to ping the computer, you will see that the computer is responding. So there won't be a problem for a hacker to find out if there's a computer online or not. That's the reason why I think that the firewall is bad. As you certainly know, the tests on PC Flank are quite good to simulate that if you don't want to use port scanning tools yourself.
Ah, but then that comment leads back to which is "better," closed or "stealth" ports? *If* that's the distinction you're making and there's nothing else, what's the danger if someone knows your computer is online through such pings, if your ports are closed? If you're being scanned by a robot scanner that finds no holes, it will move on for easier, more interesting and vulnerable prey.
Why would closed ports attract anyone's interest when there are so many readily vulnerable machines open on the net for the taking? If you're being specifically targeted by a real person, perhaps they already have your IP and have sought you out intentionally. But that's another issue. So how does simply knowing a PC is there make one vulnerable if one's ports are closed? And to what kind of attack?
"Stealth" is something firewall vendors push as a desirable, but I suspect it is vastly overrated and is more of a marketing issue than a security necessity.
Nope, that's not just a marketing issue. For sure some firewalls aren't stealth even if they say they are. There you are right with your argument. But look for example at Look'n'Stop (I'm using it; that's why I can talk about it). This firewall is absolutely stealth. To this day I haven't managed to make it send a signal back...
Let's say it like this: if a hacker encounters a computer which has closed ports, he won't just go away for an easier target. Sure, if there are other interesting targets with open ports he will try there. But if the ports are closed this doesn't mean that they will stay closed all the time. Let's say he just needs to send some specific data (so-called exploits) and boom, a port is open.
Personally, I prefer to have stealth ports. Better that the hacker thinks I'm down than that he knows that my computer is online and running (closed ports). You certainly agree that this makes my computer an easier target, right?
But you can't prevent it with a personal firewall either.
It is even better than a personal firewall because it is part of the operating system and not an application. That's a big advantage.
Sure you can prevent it. With Look'n'Stop, for example, you will be notified if an application wants to go out, and even if its signature changed. Did I get your answer wrong?
If a 'hacker' sends a ping to a firewall in 'stealth' mode he does not get a reply and therefore he knows that you are online as well, and he knows even more: that you have a firewall running. I think that makes your computer even more interesting for the hacker.
Well, turn your computer off and ping it with another computer. You won't get any answer. Does this mean that your computer is stealth? Try to hack it then...
You got my point now?
If you run malware on your system it will run with the same 'rights' as a desktop firewall and therefore it can do whatever it wants:
- disable the desktop firewall
- tunnel the firewall with an application
- change the ruleset
- control the keyboard and mouse input
and so on and so on...
The truth is that there is no real 'outbound' protection except against simpler malware that doesn't do one of the tricks above.
There is a difference between the answer of a 'stealthed' computer (no answer) and one that is turned off (answer: no host available). You can be sure that a hacker can 'see' the difference as well.
But first of all it needs to be installed on the system in some way. Therefore you have other tools to protect you from this danger. When you restart the computer this tool has to be in the autostart, and for this you have again other tools to warn you. Tunneling the firewall is quite difficult...
I disagree; when I do a port scan of my IP range I don't get an answer like "no host available" when my computers are down. Even when they are up I don't get an answer like this. They just don't show up, that's it. Which port scanning tool are you talking about then? As far as I know I'm using one of the most sophisticated...
Yes, and that is the point: if you really want to be protected from this kind of threat you cannot rely on a personal firewall.
No not at all.
No it's not. Several 'leak test' utilities have proved tunneling concepts several times in the past.
How would a closed port suddenly be open on the internet when you're running a firewall? Say ZA at medium net security level. (Although the issue originally was talking about SYN pings to the XP firewall getting a response, and stealth to just ordinary port scans.) Or let's say, even without a firewall in such an instance: with W98 I could do away with a firewall since my ports on the internet were closed and I ran no services that would open them. Why would a hacker (if there was one and not automated bots and other compromised machines) hang around just on the off chance I might decide to run a server on the net and open a port? I never did in 5 years and I doubt someone would sit and wait just for the chance it might happen.
One has to do something to open a port on the internet, like run a server for example. Or one could drop the firewall AND have open ports that lead to vulnerabilities that a bot or hacker can exploit. (My understanding is that an open port in and of itself doesn't always represent a vulnerability unless it opens to something that can be exploited. It depends which ports are open and if there's a vulnerability that might be subject to exploit. Not that I would recommend running open ports on the net for the average home user who wouldn't know what's safe or not.)
But anyway, ports that are really closed to the net don't just flop open on the net without the user doing something to make it so, especially if you're running a firewall. And then it would be open on the net even with your better-than-XP's-ICF firewall. If you open ports by running services on the internet, your firewall won't stealth or close them. Of course, you'd have to *set up* the firewall to allow a server to run on the net. But that's my point. Ports don't just open on the net if you're running a firewall. You'd have to do something to make it happen.
Also, given your scenario, since most of the scanning one sees on the net is by automated robots and compromised PCs, rather than an actual person directing each move, how long will this rare person just hang around in case this anonymous PC's user decides to suddenly run a server or drop his firewall? What are the odds of either happening and a hacker just waiting on this one unextraordinary PC among millions?
Unless it's a specific targeted attack for a specific reason, in which case the person most likely has your IP and has some special motivation and knows you're going to do something to open a port to the internet through your firewall, I don't see how your scenario answers the issue.
And if you drop your firewall, then the issue is really moot, because we're talking about a firewall showing either closed or stealth ports to specific types of scans and how some scans getting a response might or might not make your PC vulnerable. In and of itself, it just doesn't.
I agree, but let's say it like this: you can't rely on a personal firewall only. Something like a registry monitor (RegProt or The Cleaner, for example) comes into the game.
Well, I'm talking for me in this special case, but I know every process which is running on my machine. TDS-3 shows me very well which processes are started and which have been changed. If there's a new one I get suspicious...
Look especially at the results of Look'n'Stop:
If your computer is not online then the last router before the host will send back the reply "destination or host unreachable".
I think you got me wrong in a way. If I read your post it seems to me as if the hacker is waiting for a port to open. No, I wasn't suggesting that! Let's go through it: a hacker uses a port scanning tool for a specific IP range. After that he has some results of some computers which are up and running. He scans them more thoroughly. There he finds open ports (weak security) and closed ports. Let's assume that he goes for the computer with the closed ports. He scans the whole machine and finds out which OS is running and that all ports are closed. What is he doing now? He sends some code to a port, for example, and uses a known exploit. (Please don't ask me how he will do this exactly: first, I'm not a hacker, and secondly I won't go into the technical stuff. For that you can go to Microsoft TechNet, for example, if you want to know more about such exploits.)
So, he sends some code which will cause an error on the compromised computer, which leads to a port opening. Sure, if you use a firewall, this whole process is much more difficult! You can also send code so that the whole computer crashes because you overload the CPU with this code. Like that he's able to enter the computer. There are always ways to get into a system, even if you use firewalls. Just send, for example, 1,000 packets to a special port within some seconds. The firewall tries to block everything but gets overloaded after a while and crashes. Boom, there's no more firewall running on your computer.
That's what I really meant. Do you see my point more clearly now?
I don't use ICF; I just tried it at the very beginning when I installed WinXP 2 years ago, and you can be in stealth mode if you want: just set it not to accept ICMP and it passes all stealth tests with flying colours.
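The closed-versus-stealth-versus-switched-off argument running through the posts above (SYN and FIN probes, a RST from a closed port, silence from a dropping firewall, and the upstream router's ICMP "host unreachable") is exactly the inference a port scanner has to make from replies. The following Python is an added example, not code from this thread or from any of the firewalls or scanners named in it; the Reply type, the classification rules and the sample replies are constructed for illustration, with the rules following RFC 793 stack behaviour and the open/closed/filtered vocabulary that nmap documents. It sends no packets.

```python
"""Added example (not from the original thread): how a port scanner infers
port state and host state from the reply, or silence, to a TCP SYN or FIN
probe. The rules follow RFC 793 and nmap's open/closed/filtered conventions.
No packets are sent; the replies below are constructed by hand."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# ICMP type 3 (destination unreachable) codes a scanner cares about.
ICMP_UNREACHABLE = 3
HOST_UNREACHABLE = 1      # typically sent by the last router when the host is off
PORT_UNREACHABLE = 3
ADMIN_PROHIBITED = 13     # a firewall that rejects instead of silently dropping


@dataclass(frozen=True)
class Reply:
    """What came back for one probe: a TCP segment, an ICMP error, or nothing."""
    kind: str                                            # "tcp", "icmp" or "none"
    flags: frozenset = field(default_factory=frozenset)  # TCP flags, e.g. {"SYN", "ACK"}
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None


NO_REPLY = Reply("none")
SYN_ACK = Reply("tcp", frozenset({"SYN", "ACK"}))
RST = Reply("tcp", frozenset({"RST"}))


def classify(probe: str, reply: Reply) -> Tuple[str, str]:
    """Return (port_state, host_inference) for one SYN or FIN probe.

    port_state is open / closed / filtered / open|filtered / unknown;
    host_inference is what the prober learns about the machine itself.
    """
    if probe not in ("SYN", "FIN"):
        raise ValueError("probe must be SYN or FIN")

    if reply.kind == "tcp":
        if "RST" in reply.flags:
            # A RST proves a TCP stack answered: host up, port closed, nothing dropped the probe.
            return ("closed", "up, not stealthed")
        if probe == "SYN" and {"SYN", "ACK"} <= reply.flags:
            return ("open", "up, service listening")
        return ("unknown", "up, unexpected TCP reply")

    if reply.kind == "icmp":
        if reply.icmp_type == ICMP_UNREACHABLE:
            if reply.icmp_code == HOST_UNREACHABLE:
                # The router answered, not the host: the host is off or not routable.
                return ("unknown", "down or unreachable (router answered)")
            if reply.icmp_code == ADMIN_PROHIBITED:
                return ("filtered", "up, firewall rejecting with ICMP")
            if reply.icmp_code == PORT_UNREACHABLE:
                return ("closed", "up, ICMP port unreachable")
            return ("filtered", "ICMP unreachable, code %s" % reply.icmp_code)
        return ("unknown", "other ICMP reply, type %s" % reply.icmp_type)

    # Silence. For a SYN probe this is 'filtered' (a dropping firewall, i.e.
    # 'stealth'), but silence alone cannot separate a stealthed host from one
    # that is off while the upstream router also stays quiet. For a FIN probe an
    # RFC 793 stack is silent on an OPEN port too, hence nmap's open|filtered.
    # Caveat: Windows stacks answer a FIN probe with RST on open ports as well,
    # so a FIN scan against Windows reports every port 'closed'.
    if probe == "SYN":
        return ("filtered", "silent: stealthed firewall or host down")
    return ("open|filtered", "silent: open port on RFC 793 stack, or filtered")


def summarise_host(probe: str, replies: Dict[int, Reply]) -> str:
    """Collapse per-port results into the one-word verdict a scanner prints per host."""
    if not replies:
        return "no probes"
    states = {port: classify(probe, r) for port, r in replies.items()}
    hosts = {h for _, h in states.values()}
    if any(h.startswith("down") for h in hosts):
        return "down"
    if all(p == "filtered" for p, _ in states.values()):
        return "stealthed or down"        # no evidence either way
    if any(h.startswith("up") for h in hosts):
        return "up"
    return "unknown"


if __name__ == "__main__":
    # Constructed replies for a SYN scan of three hosts (sample data, not a capture).
    host_unreach = Reply("icmp", icmp_type=ICMP_UNREACHABLE, icmp_code=HOST_UNREACHABLE)
    samples = {
        "closed ports, no firewall": {21: RST, 80: RST, 135: RST},
        "dropping firewall":         {21: NO_REPLY, 80: NO_REPLY, 135: NO_REPLY},
        "switched off":              {21: host_unreach, 80: host_unreach, 135: host_unreach},
    }
    for name, hostreplies in samples.items():
        print("%-26s -> %s" % (name, summarise_host("SYN", hostreplies)))
```

Two things the table makes explicit that the posts argue about in words: a router's ICMP host-unreachable is a reply, and is distinguishable from silence, whereas a silently dropping firewall and a switched-off host behind a quiet router look identical to a single SYN probe; and a FIN "ping" tells you nothing useful against a Windows stack, because it answers RST on open and closed ports alike.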
Even with packets with special flags, not only SYN and FIN :8
If you inject the trojan code into a valid process like explorer.exe then there is no chance for a process viewer.
And the next 'Leak test' is just around the corner...
Interesting indeed, I wasn't aware of this. I don't use this firewall myself. Thanks for the information!
P.S. But nevertheless I'm sure that this firewall isn't that safe. But I would have to test it more thoroughly to prove my hypothesis! But I won't do that with this Microshit software; I'm happy with LnS, which I tested thoroughly.