the naked router

Archived from groups: comp.security.firewalls

This is the issue:

I've bought a 3COM 3c857 cable/ADSL router and connected it to my LAN (10
machines).

It works fine.

For now I decided to test the onboard firewall. I went to
http://scan.sygatetech.com and ran both the quick and stealth scans.

All the tests went fine: all ports blocked (I have no services on the web
yet).

But sometimes the report says this:


SERVICE : WEB --> Port 80 STATUS "CLOSED"
SERVICE: IDENT -> Port 113 STATUS "CLOSED"

CLOSED is not equal to "BLOCKED".

But sometimes I ran the test again and these ports appear to be BLOCKED
and secure.

What on earth is happening? Do I need a software firewall as well?

This is the other question. The router assigns via DHCP an IP address to
each machine (192.160.0.x). Do I need a firewall for EVERY machine?

IS MY ROUTER SECURE OR A NAKED ONE?

I don't intend to have TOTAL security, but...!!!

I'd appreciate some HELP!
Many thanks
Regards
  1. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 15:17:40 -0300, BayaspirinaGhandi spoketh

    >
    >It is the issue :
    >
    >i´ve bought a 3COM 3c857 cable/adsl router and connect it to my lan (10
    >machines)
    >
    >it works fine
    >
    >for now i decide to test the onboard firewall. goes to
    >http://scan.sygatetech.com and run both quick and stealth scan
    >
    >all the test goes fine : all ports blocked (i have no services to the web
    >yet)
    >
    >but sometimes the report says this :
    >
    >
    >SERVICE : WEB --> Port 80 STATUS "CLOSED"
    >SERVICE: IDENT -> Port 113 STATUS "CLOSED"
    >
    >CLOSED is not equally to "BLOCKED"

    Closed is just as "blocked" as anything else. The only thing you have to
    worry about are things showing as "open".


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  2. Archived from groups: comp.security.firewalls

    OK, then I will remain calm.

    Notice that http://scan.sygatetech.com says a closed port can be
    vulnerable to trojans or so, and a blocked port not. They remark that my
    firewall is not completely secure. But maybe this test is for Sygate
    Firewall Pro only and not for others!
    But I made the test several times, and on most tries both ports appear as
    "blocked"; only a few times do they appear as "closed".

    Maybe it is a Sygate test issue.
    Do you know other pages where I can test my router?
    Thanks in advance
    henry

    "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
    news:6mfcb0dvh5pno79u2cttn1hrrvec5tjnph@4ax.com...
    > On Thu, 27 May 2004 15:17:40 -0300, BayaspirinaGhandi spoketh
    >
    > >
    > >It is the issue :
    > >
    > >i´ve bought a 3COM 3c857 cable/adsl router and connect it to my lan (10
    > >machines)
    > >
    > >it works fine
    > >
    > >for now i decide to test the onboard firewall. goes to
    > >http://scan.sygatetech.com and run both quick and stealth scan
    > >
    > >all the test goes fine : all ports blocked (i have no services to the web
    > >yet)
    > >
    > >but sometimes the report says this :
    > >
    > >
    > >SERVICE : WEB --> Port 80 STATUS "CLOSED"
    > >SERVICE: IDENT -> Port 113 STATUS "CLOSED"
    > >
    > >CLOSED is not equally to "BLOCKED"
    >
    > Closed is just as "blocked" as anything else. The only thing you have to
    > worry about are things showing as "open".
    >
    >
    > Lars M. Hansen
    > http://www.hansenonline.net
    > (replace 'badnews' with 'news' in e-mail address)
  3. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 16:29:01 -0300, BayaspirinaGhandi spoketh

    >OK then i will remain calm
    >
    >Notice that in http://scan.sygatetech.com says a closed port can be
    >vulnerable to trojans or so, and a blocked port, no. They remarks my
    >firewall is not completely secure. But may be this test is for sygate
    >firewall pro only and no for others!.
    >But i made the test several times, and the major tries both ports appears as
    >"blocked" only a few times its appears as "closed"
    >
    >may be it is a sygate test issue
    >¿does you know another pages where i can test my router?
    >thanks in advance
    >henry
    >

    Always take security scans from companies selling firewalls with a
    healthy dose of salt. They're in it to make money, so if they can
    convince you that your existing solution is not good enough, they just
    might get your money....

    There's a "new" state on ports, which is more of a marketing ploy than
    anything else. The claim is that a "Stealth" port (or blocked, as Sygate
    calls it) is more secure than a closed port because it "makes your
    computer invisible".

    A closed port will respond with a "we're closed, go away" message
    whenever a connection is attempted. A blocked port doesn't send any
    response at all, nor does the target's default gateway respond with the
    appropriate ICMP reply that the target doesn't exist. So, since we know
    the target does indeed exist (due to the lack of the ICMP packet), and
    the lack of response to the connection attempt, we can safely assume
    that there is a system there that is actively blocking connection
    attempts. So, there goes the "invisibility" claim. As for more secure...
    Since you can't connect to either a closed port or a blocked port,
    there's really no significant difference...


    Lars M. Hansen
    www.hansenonline.net
    Remove "bad" from my e-mail address to contact me.
    "If you try to fail, and succeed, which have you done?"
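The decision a scanner makes in the post above, written out as an added Python model (my code, not anything from the thread or from Sygate's scanner): one SYN probe's response maps to the reported state, "blocked" being Sygate's word for what most tools call filtered, and several runs against the same port, like the inconsistent results the original poster saw, are reconciled into a majority verdict. The probe responses are constructed, not captured.

```python
from dataclasses import dataclass
from collections import Counter

@dataclass(frozen=True)
class ProbeResponse:
    """What came back for one TCP SYN probe to a port (constructed sample data)."""
    syn_ack: bool = False           # a listener answered: the handshake could complete
    rst: bool = False               # the host answered "we're closed, go away"
    icmp_unreachable: bool = False  # a router said the host/network does not exist
    timed_out: bool = False         # silence: no packet of any kind came back

def classify(r: ProbeResponse) -> str:
    """Map one probe response to the state a scanner reports for that port."""
    if r.syn_ack:
        return "open"             # the only state an outsider can actually connect to
    if r.rst:
        return "closed"           # host exists, nothing listens, kernel refuses politely
    if r.icmp_unreachable:
        return "unreachable"      # nothing there at all (or a gateway says so)
    if r.timed_out:
        # No RST and no ICMP: something real is there and is silently dropping
        # the probe. This is "blocked"/"stealth"; the host is not invisible.
        return "blocked"
    raise ValueError("probe response carries no signal")

def is_exposed(state: str) -> bool:
    """Lars's point: closed and blocked are equally unreachable; only open matters."""
    return state == "open"

def reconcile(runs):
    """Summarise repeated scans of one port as (majority_state, consistent).

    Flip-flopping between "closed" and "blocked" across runs, as the original
    poster reported, points at a lost probe or a device quirk, not at a
    connectable service; is_exposed() on the majority state says what matters.
    """
    states = [classify(r) for r in runs]
    counts = Counter(states)
    majority, _ = counts.most_common(1)[0]
    return majority, len(counts) == 1

if __name__ == "__main__":
    # Three stealth-scan runs where the last one came back "closed".
    sample = [ProbeResponse(timed_out=True)] * 3 + [ProbeResponse(rst=True)]
    state, steady = reconcile(sample)
    print(state, "consistent" if steady else "inconsistent", "exposed" if is_exposed(state) else "not exposed")
```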
  4. Archived from groups: comp.security.firewalls

    BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300GMT:

    > [router]

    > but sometimes the report says this :


    > SERVICE : WEB --> Port 80 STATUS "CLOSED"
    > SERVICE: IDENT -> Port 113 STATUS "CLOSED"

    > CLOSED is not equally to "BLOCKED"

    That is good in this case, I'd say. These ports are needed for http
    (websites) respectively nntp (news servers). If you blocked them you
    couldn't use your browser on the internet or connect to newsgroups.
    Someone correct me if I'm wrong.

    --
    Kind regards
    Peter
  5. Archived from groups: comp.security.firewalls

    Thank you Peter for your reply.

    You say the router "opens" the ports a little as it needs them?

    Do you recommend a software firewall as well?

    regards
    henry


    "Peter Meyns" <peterNOSPAM@meynsweb.com> wrote in message
    news:969518108.20040527205422@devnull.meynsweb.com...
    >
    > BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300GMT:
    >
    > > [router]
    >
    > > but sometimes the report says this :
    >
    >
    > > SERVICE : WEB --> Port 80 STATUS "CLOSED"
    > > SERVICE: IDENT -> Port 113 STATUS "CLOSED"
    >
    > > CLOSED is not equally to "BLOCKED"
    >
    > That is good in this case, I'd say. These ports are needed for http
    > (websites) respectively nntp (news servers). If you blocked them you
    > couldn't use your browser on the internet or connect to newsgroups.
    > Someone correct me if I'm wrong.
    >
    > --
    > Kind regards
    > Peter
    >
    >
    >
  6. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 20:54:22 +0200, Peter Meyns
    <peterNOSPAM@meynsweb.com> wrote:
    >
    >BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300GMT:
    >
    >> [router]
    >
    >> but sometimes the report says this :
    >
    >
    >> SERVICE : WEB --> Port 80 STATUS "CLOSED"
    >> SERVICE: IDENT -> Port 113 STATUS "CLOSED"
    >
    >> CLOSED is not equally to "BLOCKED"
    >
    >That is good in this case, I'd say. These ports are needed for http
    >(websites) respectively nntp (news servers). If you blocked them you
    >couldn't use your browser on the internet or connect to newsgroups.
    >Someone correct me if I'm wrong.
    >

    Well, you are wrong! :-)

    Those ports are used to initiate connections to servers on the
    Internet. Unless you have local servers that people on the Internet
    can connect to, those ports should never be opened or even closed, for
    that matter, as they should present themselves in stealth mode.
  7. Archived from groups: comp.security.firewalls

    Peter Meyns <peterNOSPAM@meynsweb.com> wrote in message news:<969518108.20040527205422@devnull.meynsweb.com>...
    > BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300GMT:
    >
    > > SERVICE : WEB --> Port 80 STATUS "CLOSED"
    > > SERVICE: IDENT -> Port 113 STATUS "CLOSED"
    >
    > > CLOSED is not equally to "BLOCKED"
    >
    > That is good in this case, I'd say. These ports are needed for http
    > (websites) respectively nntp (news servers). If you blocked them you
    > couldn't use your browser on the internet or connect to newsgroups.
    > Someone correct me if I'm wrong.

    Not so much wrong as not quite correct (how's that for PC?). The OP
    is checking his system for inbound vulnerabilities, which shouldn't
    have any effect on his ability to make outbound connections.
  8. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 16:06:42 -0300, "BayaspirinaGhandi"
    <cablecito@msn.com> wrote:
    >
    >Thanks you peter for your reply
    >
    >¿you says the router "open" the ports a little as he need it?
    >
    >¿do you recommends me a software firewall also?
    >

    Those ports should never be a "little bit" open unless you have
    servers on your LAN that you want people on the Internet to connect to. For
    me, what you are experiencing is a bug and should not happen.
  9. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 20:07:40 GMT, Lars M. Hansen
    <badnews@hansenonline.net> wrote:
    >
    >Since you can't connect to either a closed port or a blocked port,
    >there's really no significant difference...
    >

    Since you are getting a reply from the device, wouldn't you be able to
    fingerprint it? And, as soon as you know what the device is, doesn't
    it make it easier for a cracker to search for known exploits?
  10. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 21:16:35 GMT, shopping.nowthor.com spoketh

    >On Thu, 27 May 2004 20:07:40 GMT, Lars M. Hansen
    ><badnews@hansenonline.net> wrote:
    >>
    >>Since you can't connect to either a closed port or a blocked port,
    >>there's really no significant difference...
    >>
    >
    >Since you are getting a reply from the device, wouldn't you be able to
    >fingerprint it? And, as soon as you know what the device is, doesn't
    >it make it easier for a cracker to search for known exploits?

    Yes, you can use certain techniques to attempt to ID the OS even when
    ports are closed.

    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  11. Archived from groups: comp.security.firewalls

    BayaspirinaGhandi wrote on Thu, 27 May 2004 16:06:42 -0300GMT:

    > Thanks you peter for your reply

    You're welcome.

    > ¿you says the router "open" the ports a little as he need it?

    You can put it this way, yes. You do need some ports if you want to
    connect to the internet.

    > ¿do you recommends me a software firewall also?

    It might be helpful to control your ports. There are geeks around
    telling me I can do it all from within Windows, but (yet) I don't know
    how, so I'm using KerioPF 2.15 from www.kerio.com (freeware) to help
    me along with this. (Windows 98 SE here)

    --
    Kind regards
    Peter
  12. Archived from groups: comp.security.firewalls

    shopping.nowthor.com wrote on Thu, 27 May 2004 19:11:28 GMT:

    >>> SERVICE : WEB --> Port 80 STATUS "CLOSED"
    >>> SERVICE: IDENT -> Port 113 STATUS "CLOSED"
    >>
    >>> CLOSED is not equally to "BLOCKED"
    >>
    >>That is good in this case, I'd say. These ports are needed for http
    >>(websites) respectively nntp (news servers). If you blocked them you
    >>couldn't use your browser on the internet or connect to newsgroups.
    >>Someone correct me if I'm wrong.
    >>

    > Well, you are wrong! :-)

    > Those ports are used to initiate connections to servers on the
    > Internet. Unless you have local servers that people on the Internet
    > can connect to, those ports should never be opened or even closed, for
    > that matter, as they should present themselves in stealth mode.

    Thank you for clearing it up. I appreciate your opinion, as I'm still
    a learner in this realm. :-)

    --
    Kind regards
    Peter
  13. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 17:36:55 -0400, Lars M. Hansen
    <badnews@hansenonline.net> wrote:
    >
    >On Thu, 27 May 2004 21:16:35 GMT, shopping.nowthor.com spoketh
    >
    >>On Thu, 27 May 2004 20:07:40 GMT, Lars M. Hansen
    >><badnews@hansenonline.net> wrote:
    >>>
    >>>Since you can't connect to either a closed port or a blocked port,
    >>>there's really no significant difference...
    >>>
    >>
    >>Since you are getting a reply from the device, wouldn't you be able to
    >>fingerprint it? And, as soon as you know what the device is, doesn't
    >>it make it easier for a cracker to search for known exploits?
    >
    >Yes, you can use certain techniques to attempt to ID the OS even when
    >ports are closed.
    >

    In that case, it's not the same to have a port in a closed state or
    stealth state. It is better to have it in stealth state, contradicting
    your original assertion.
  14. Archived from groups: comp.security.firewalls

    On Thu, 27 May 2004 21:47:02 GMT, shopping.nowthor.com spoketh

    >
    >In that case, it's not the same to have a port in a closed state or
    >stealth state. It is better to have it in stealth state, contradicting
    >your original assertion.

    Considering we're talking about a router, fingerprinting probably isn't
    going to give you any results that'll expose any vulnerabilities to
    anyone.

    Even knowing the OS, and knowing about vulnerabilities for this OS,
    exploiting them is an entirely different matter. So, just because I know
    you're driving a Ford doesn't mean I'll know the code for your remote
    keyless entry...


    Lars M. Hansen
    http://www.hansenonline.net
    (replace 'badnews' with 'news' in e-mail address)
  15. Archived from groups: comp.security.firewalls

    OK, it is clearly explained, thank you for your info.
    I think the best thing I did was buy this 3com. I am really happy with it.
    Regards
    henry

    "Lars M. Hansen" <badnews@hansenonline.net> wrote in message
    news:8rhcb0pdvukqj5bq7gp8a0ku4pj5ql91om@4ax.com...
    > On Thu, 27 May 2004 16:29:01 -0300, BayaspirinaGhandi spoketh
    >
    > >OK then i will remain calm
    > >
    > >Notice that in http://scan.sygatetech.com says a closed port can be
    > >vulnerable to trojans or so, and a blocked port, no. They remarks my
    > >firewall is not completely secure. But may be this test is for sygate
    > >firewall pro only and no for others!.
    > >But i made the test several times, and the major tries both ports appears as
    > >"blocked" only a few times its appears as "closed"
    > >
    > >may be it is a sygate test issue
    > >¿does you know another pages where i can test my router?
    > >thanks in advance
    > >henry
    > >
    >
    > Always take security scans from companies selling firewalls with a
    > healthy dose of salt. They're in it to make money, so if they can
    > convince you that you existing solution is not good enough, they just
    > might get your money....
    >
    > There's a "new" state on ports, which is more of a marketing ploy than
    > anything else. The claim is that a "Stealth" port (or blocked, as Sygate
    > calls it) is more secure than a closed port because it "makes your
    > computer invisible".
    >
    > A closed port will respond with a "we're closed, go away" message
    > whenever a connection is attempted. A blocked port doesn't send any
    > response at all, nor does the targets default gateway respond with the
    > appropriate ICMP reply that the target doesn't exist. So, since we know
    > the target does indeed exist (due to the lack of the ICMP packet), and
    > the lack of response to the connection attempt, we can safely assume
    > that there is a system there that is actively blocking connection
    > attempts. So, there goes the "invisibility" claim. As for more secure...
    > Since you can't connect to either a closed port or a blocked port,
    > there's really no significant difference...
    >
    >
    >
    > Lars M. Hansen
    > www.hansenonline.net
    > Remove "bad" from my e-mail address to contact me.
    > "If you try to fail, and succeed, which have you done?"