the naked router

Guest
Archived from groups: comp.security.firewalls (More info?)

This is the issue:

I've bought a 3COM 3c857 cable/ADSL router and connected it to my LAN (10
machines).

It works fine.

Now I decided to test the onboard firewall. I went to
http://scan.sygatetech.com and ran both the quick and the stealth scan.

All the tests go fine: all ports blocked (I have no services on the web
yet).

But sometimes the report says this:


SERVICE : WEB --> Port 80 STATUS "CLOSED"
SERVICE: IDENT -> Port 113 STATUS "CLOSED"

CLOSED is not the same as "BLOCKED".

But sometimes I ran the test again and these ports appear to be BLOCKED
and secure.

What on earth is happening? Do I need a software firewall as well?

There is another question. The router assigns via DHCP an IP address to
each machine (192.160.0.x). Do I need a firewall for EVERY machine?

IS MY ROUTER SECURE OR A NAKED ONE?

I don't intend to have the WHOLE security, but...!!!

I would appreciate HELP!
Many thanks
Regards

On Thu, 27 May 2004 15:17:40 -0300, BayaspirinaGhandi spoketh

>
>This is the issue:
>
>I've bought a 3COM 3c857 cable/ADSL router and connected it to my LAN (10
>machines).
>
>It works fine.
>
>Now I decided to test the onboard firewall. I went to
>http://scan.sygatetech.com and ran both the quick and the stealth scan.
>
>All the tests go fine: all ports blocked (I have no services on the web
>yet).
>
>But sometimes the report says this:
>
>
>SERVICE : WEB --> Port 80 STATUS "CLOSED"
>SERVICE: IDENT -> Port 113 STATUS "CLOSED"
>
>CLOSED is not the same as "BLOCKED".

Closed is just as "blocked" as anything else. The only thing you have to
worry about are things showing as "open".


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

OK, then I will remain calm.

Note that http://scan.sygatetech.com says a closed port can be
vulnerable to trojans or so, and a blocked port not. They remark that my
firewall is not completely secure. But maybe this test is for Sygate
Firewall Pro only and not for others!
But I ran the test several times, and on most tries both ports appear as
"blocked"; only a few times they appear as "closed".

Maybe it is a Sygate test issue.
Do you know other pages where I can test my router?
Thanks in advance
henry


On Thu, 27 May 2004 16:29:01 -0300, BayaspirinaGhandi spoketh

>OK, then I will remain calm.
>
>Note that http://scan.sygatetech.com says a closed port can be
>vulnerable to trojans or so, and a blocked port not. They remark that my
>firewall is not completely secure. But maybe this test is for Sygate
>Firewall Pro only and not for others!
>But I ran the test several times, and on most tries both ports appear as
>"blocked"; only a few times they appear as "closed".
>
>Maybe it is a Sygate test issue.
>Do you know other pages where I can test my router?
>Thanks in advance
>henry
>

Always take security scans from companies selling firewalls with a
healthy dose of salt. They're in it to make money, so if they can
convince you that your existing solution is not good enough, they just
might get your money....

There's a "new" state on ports, which is more of a marketing ploy than
anything else. The claim is that a "Stealth" port (or blocked, as Sygate
calls it) is more secure than a closed port because it "makes your
computer invisible".

A closed port will respond with a "we're closed, go away" message
whenever a connection is attempted. A blocked port doesn't send any
response at all, nor does the target's default gateway respond with the
appropriate ICMP reply that the target doesn't exist. So, since we know
the target does indeed exist (due to the lack of the ICMP packet), and
the lack of response to the connection attempt, we can safely assume
that there is a system there that is actively blocking connection
attempts. So, there goes the "invisibility" claim. As for more secure...
Since you can't connect to either a closed port or a blocked port,
there's really no significant difference...



Lars M. Hansen
www.hansenonline.net
Remove "bad" from my e-mail address to contact me.
"If you try to fail, and succeed, which have you done?"
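The three outcomes Lars describes above (SYN/ACK for open, RST for closed, silence for blocked, and an ICMP unreachable from a gateway when no host exists) map directly onto what a TCP connect() probe sees. The following is an added example, not code from the thread: it classifies a probe the way a scanner does and runs it against a constructed listening and then closed port on loopback; the function and state names are my own.

```python
import errno
import socket


def classify_probe(host, port, timeout=1.0):
    """Classify one TCP connect() probe the way a port scanner would.

    open     -> SYN/ACK came back: a service is listening
    closed   -> RST came back: the host is there, nothing listens
    blocked  -> nothing came back (Sygate's "blocked"/"stealth"):
                something dropped the SYN silently
    no-host  -> a gateway answered with ICMP host/network unreachable,
                so the address itself is not there
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "blocked"
    except OSError as e:
        if e.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "no-host"
        raise
    finally:
        s.close()


def host_present(state):
    """Lars's point: a blocked port still proves a host is at the address;
    only an ICMP unreachable from a gateway says there is nothing there."""
    return state in ("open", "closed", "blocked")


def demo_localhost():
    """Constructed demo: probe a loopback port while a listener is bound,
    then again after it is closed. Returns the two observed states."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # OS picks a free ephemeral port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = classify_probe("127.0.0.1", port)
    listener.close()                     # nothing listens now -> RST
    after_close = classify_probe("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_localhost())              # ("open", "closed")
```

The "blocked" branch cannot be produced on loopback; it is what you see when a firewall (the router here) drops the SYN and the probe simply times out.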

BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300:

> [router]

> but sometimes the report says this :


> SERVICE : WEB --> Port 80 STATUS "CLOSED"
> SERVICE: IDENT -> Port 113 STATUS "CLOSED"

> CLOSED is not equally to "BLOCKED"

That is good in this case, I'd say. These ports are needed for http
(websites) respectively nntp (news servers). If you blocked them you
couldn't use your browser on the internet or connect to newsgroups.
Someone correct me if I'm wrong.

--
Kind regards
Peter

Thank you, Peter, for your reply.

You say the router "opens" the ports a little as it needs them?

Do you recommend me a software firewall as well?

Regards
henry




On Thu, 27 May 2004 20:54:22 +0200, Peter Meyns
<peterNOSPAM@meynsweb.com> wrote:
>
>BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300:
>
>> [router]
>
>> but sometimes the report says this :
>
>
>> SERVICE : WEB --> Port 80 STATUS "CLOSED"
>> SERVICE: IDENT -> Port 113 STATUS "CLOSED"
>
>> CLOSED is not equally to "BLOCKED"
>
>That is good in this case, I'd say. These ports are needed for http
>(websites) respectively nntp (news servers). If you blocked them you
>couldn't use your browser on the internet or connect to newsgroups.
>Someone correct me if I'm wrong.
>

Well, you are wrong! :)

Those ports are used to initiate connections to servers on the
Internet. Unless you have local servers that people on the Internet
can connect to, those ports should never be opened or even closed, for
that matter, as they should present themselves in stealth mode.

Peter Meyns <peterNOSPAM@meynsweb.com> wrote in message news:<969518108.20040527205422@devnull.meynsweb.com>...
> BayaspirinaGhandi wrote on Thu, 27 May 2004 15:17:40 -0300:
>
> > SERVICE : WEB --> Port 80 STATUS "CLOSED"
> > SERVICE: IDENT -> Port 113 STATUS "CLOSED"
>
> > CLOSED is not equally to "BLOCKED"
>
> That is good in this case, I'd say. These ports are needed for http
> (websites) respectively nntp (news servers). If you blocked them you
> couldn't use your browser on the internet or connect to newsgroups.
> Someone correct me if I'm wrong.

Not so much wrong as not quite correct (how's that for PC?). The OP
is checking his system for inbound vulnerabilities, which shouldn't
have any effect on his ability to make outbound connections.

On Thu, 27 May 2004 16:06:42 -0300, "BayaspirinaGhandi"
<cablecito@msn.com> wrote:
>
>Thank you, Peter, for your reply.
>
>You say the router "opens" the ports a little as it needs them?
>
>Do you recommend me a software firewall as well?
>

Those ports should never be a "little bit" open unless you have
servers on your LAN that you want people on the Internet to connect to.
For me, what you are experiencing is a bug and should not happen.

On Thu, 27 May 2004 20:07:40 GMT, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>
>Since you can't connect to either a closed port or a blocked port,
>there's really no significant difference...
>

Since you are getting a reply from the device, wouldn't you be able to
fingerprint it? And, as soon as you know what the device is, doesn't
it make it easier for a cracker to search for known exploits?

On Thu, 27 May 2004 21:16:35 GMT, shopping.nowthor.com spoketh

>On Thu, 27 May 2004 20:07:40 GMT, Lars M. Hansen
><badnews@hansenonline.net> wrote:
>>
>>Since you can't connect to either a closed port or a blocked port,
>>there's really no significant difference...
>>
>
>Since you are getting a reply from the device, wouldn't you be able to
>fingerprint it? And, as soon as you know what the device is, doesn't
>it make it easier for a cracker to search for known exploits?

Yes, you can use certain techniques to attempt to ID the OS even when
ports are closed.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

BayaspirinaGhandi wrote on Thu, 27 May 2004 16:06:42 -0300:

> Thank you, Peter, for your reply.

You're welcome.

> You say the router "opens" the ports a little as it needs them?

You can put it this way, yes. You do need some ports if you want to
connect to the internet.

> Do you recommend me a software firewall as well?

It might be helpful to control your ports. There are geeks around
telling me I can do it all from within Windows, but (yet) I don't know
how, so I'm using KerioPF 2.15 from www.kerio.com (freeware) to help
me along with this. (Windows 98 SE here)

--
Kind regards
Peter

shopping.nowthor.com wrote on Thu, 27 May 2004 19:11:28 GMT:

>>> SERVICE : WEB --> Port 80 STATUS "CLOSED"
>>> SERVICE: IDENT -> Port 113 STATUS "CLOSED"
>>
>>> CLOSED is not equally to "BLOCKED"
>>
>>That is good in this case, I'd say. These ports are needed for http
>>(websites) respectively nntp (news servers). If you blocked them you
>>couldn't use your browser on the internet or connect to newsgroups.
>>Someone correct me if I'm wrong.
>>

> Well, you are wrong! :)

> Those ports are used to initiate connections to servers on the
> Internet. Unless you have local servers that people on the Internet
> can connect to, those ports should never be opened or even closed, for
> that matter, as they should present themselves in stealth mode.

Thank you for clearing it up. I appreciate your opinion, as I'm still
a learner in this realm. :)

--
Kind regards
Peter

On Thu, 27 May 2004 17:36:55 -0400, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>
>On Thu, 27 May 2004 21:16:35 GMT, shopping.nowthor.com spoketh
>
>>On Thu, 27 May 2004 20:07:40 GMT, Lars M. Hansen
>><badnews@hansenonline.net> wrote:
>>>
>>>Since you can't connect to either a closed port or a blocked port,
>>>there's really no significant difference...
>>>
>>
>>Since you are getting a reply from the device, wouldn't you be able to
>>fingerprint it? And, as soon as you know what the device is, doesn't
>>it make it easier for a cracker to search for known exploits?
>
>Yes, you can use certain techniques to attempt to ID the OS even when
>ports are closed.
>

In that case, it's not the same to have a port in a closed state or
stealth state. It is better to have it in stealth state, contradicting
your original assertion.

On Thu, 27 May 2004 21:47:02 GMT, shopping.nowthor.com spoketh

>
>In that case, it's not the same to have a port in a closed state or
>stealth state. It is better to have it in stealth state, contradicting
>your original assertion.

Considering we're talking about a router, fingerprinting probably isn't
going to give you any results that'll expose any vulnerabilities to
anyone.

Even knowing the OS, and knowing about vulnerabilities for this OS,
exploiting them is an entirely different matter. So, just because I know
you're driving a Ford doesn't mean I'll know the code for your remote
keyless entry...


Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

OK, it is clearly explained, thank you for your info.
I think the best thing I did was buy this 3Com. I am really happy with it.
Regards
henry
