sygate and shields up

Archived from groups: comp.security.firewalls

When I test my Sygate firewall on Gibson's Shields Up, the ports are
coming up as closed, but not all are coming up as what GRC calls
stealth.

I figure this is to be expected. I have a 'home router'. So my router
is blocking incoming connections - including Gibson's, reporting back
"Closed". Those ports that my router is allowing through, Sygate
kicks in and blocks the incoming connection properly, reporting nothing
back - what GRC calls Stealth. Not even giving away my computer's
existence.

Is running my home router's firewall along with Sygate actually making
me less secure than if I was to run Sygate alone (since my ports
aren't 'stealthed')?
  1.

    In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
    jameshanley39@yahoo.co.uk says...
    > When I test my sygate firewall on Gibson's Shields Up. The ports are
    > coming up as closed, but not all are coming up as what GRC calls
    > stealth.
    >
    > I figure this is to be expected. I have a 'home router'. So my router
    > is blocking incoming connections - including Gibson's, reporting back
    > "Closed". Those ports that my router is allowing through, Sygate
    > kicks in and blocks the incoming connection properly, reporting nothing
    > back - what GRC calls Stealth. Not even giving away my computer's
    > existence.
    >
    > Is running my home router's firewall along with Sygate, actually making
    > me less secure than if I was to run Sygate alone ? (since my ports
    > aren't 'stealthed') ?
    >
    >
    Run a security check on your Sygate. On the firewall main page,
    select the Security Button. This takes you to Sygate website.
    You will find that if your ports are "blocked" (closed), you are
    in good shape.
    Casey
  2.

    On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:

    > In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
    > jameshanley39@yahoo.co.uk says...
    >> When I test my sygate firewall on Gibson's Shields Up. The ports are
    >> coming up as closed, but not all are coming up as what GRC calls
    >> stealth.
    >>
    >> I figure this is to be expected. I have a 'home router'. So my router
    >> is blocking incoming connections - including Gibson's, reporting back
    >> "Closed". Those ports that my router is allowing through , Sygate
    >> kicks in and blocks the incoming connection properly, reporting nothing
    >> back - what GRC calls Stealth. Not even giving away my computer's
    >> existence.
    >>
    >> Is running my home router's firewall along with Sygate, actually making
    >> me less secure than if I was to run Sygate alone ? (since my ports
    >> aren't 'stealthed') ?
    >>
    >>
    > Run a security check on your Sygate. On the firewall main page,
    > select the Security Button. This takes you to Sygate website.
    > You will find that if your ports are "blocked" (closed), you are
    > in good shape.
    > Casey

    You get them all 'blocked' from ZA and XP too!
    --
    Jim
    Tyneside UK
  3.

    jameshanley39@yahoo.co.uk wrote:

    >
    > Is running my home router's firewall along with Sygate, actually making
    > me less secure than if I was to run Sygate alone ? (since my ports
    > aren't 'stealthed') ?
    >

    No. Closed is the "expected" response when a computer outside your
    subnet tries to connect with your system. Stealth is the equivalent of
    my asking you a closed-ended question and you choosing to ignore me.
  4.

    optikl wrote:
    > jameshanley39@yahoo.co.uk wrote:
    >
    > >
    > > Is running my home router's firewall along with Sygate, actually making
    > > me less secure than if I was to run Sygate alone ? (since my ports
    > > aren't 'stealthed') ?
    > >
    >
    > No. Closed is the "expected" response when a computer outside your
    > subnet tries to connect with your system. Stealth is the equivalent of
    > my asking you a closed-ended question and you choosing to ignore me.


    Somebody more-or-less pointed out that what Gibson calls 'stealth'
    (blocking without giving a response) is no more secure than closed.

    Their argument for it being no more secure was that they can already
    find out my IP anyway.

    It may be that 'stealth' is slightly - but barely - more secure than
    closed? Indeed, it probably is, since software firewalls all do it.
    But what would be your reason for saying that 'stealth' is more secure?
  5.

    Keith wrote:
    > "Leythos" <void@nowhere.lan> wrote in message
    > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
    > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    > > keith@microsoft.discussions.com says...
    > >> So , if I had a static IP and told you what it is, can you tell whether
    > >> i'm
    > >> online or not?
    > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
    > >
    > > Ping an IP that doesn't have a computer attached and see what you get
    > > back.
    > >
    > > Ping an IP that is stealthed and see what you get back.
    > >
    > > If you see any difference then you know something is there.
    > >
    >
    > Yes, but would/should there be any difference in theory or practice, assuming
    > no flaws in the OS?
    >

    My understanding is this: it seems to me that stealth is more secure.

    If you ping an IP address that has port 7 (the ICMP port) stealthed,
    then it will not respond. It will be indistinguishable from a computer
    that does not exist. Somebody port scanning a range of IPs will not
    know whether your comp exists or has the port stealthed.

    However, when you make an outgoing connection, your IP is available to
    the server receiving it, regardless of whether any of your ports are
    stealthed or not.
    www.whatismyip.com, for example. Presumably it just uses the HTTP
    request you sent it, looks at the IP in the packet, and tells you your
    IP.

    As soon as you make an outgoing connection to anywhere, you give your
    IP, or your 'home router' public NATted IP.

    So stealth is more secure, but only regarding incoming connections.


    I am far from an expert; this is all new to me.

    Given the info posted in the thread, my gripe with Gibson is him calling
    his probing 'nanoprobing' as if it's a new technology he invented. It
    is obfuscating technical material, it seems to me, for the
    purposes of his own self promotion. By doing that, I think his self
    promotion has crossed the line.
  6.

    Jason Edwards wrote:
    > <jameshanley39@yahoo.co.uk> wrote in message
    > news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
    > >
    > > Keith wrote:
    > > > "Leythos" <void@nowhere.lan> wrote in message
    > > > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
    > > > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    > > > > keith@microsoft.discussions.com says...
    > > > >> So, if I had a static IP and told you what it is, can you tell
    > > > >> whether i'm online or not?
    > > > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
    > > > >
    > > > > Ping an IP that doesn't have a computer attached and see what you get
    > > > > back.
    > > > >
    > > > > Ping an IP that is stealthed and see what you get back.
    > > > >
    > > > > If you see any difference then you know something is there.
    > > > >
    > > >
    > > > Yes, but would/should there be any difference in theory or practice,
    > > > assuming no flaws in the OS?
    > > >
    > >
    > > my understanding is-
    > >
    > > seems to me that stealth is more secure.
    > >
    > > If you ping an ip address that has port 7 - the ICMP port stealthed.
    > > Then it will not respond. It will be indistinguishable from a computer
    > > that does not exist. somebody port scanning a range of IPs will not
    > > know whether your comp exists or has the port stealthed.
    >
    > Let's assume that this is true (even if it isn't).
    > If they have half a brain they will already know that
    > 82-70-237-22.dsl.in-addr.zen.co.uk

    You are responding as if I am a mug that thinks that stealthed ports
    are infinitely superior and offer complete protection.

    Of course, a careless user would give away all sorts of information,
    especially on usenet.


    Whatever method (be it usenet or anything else) they used to get the
    hostname containing an IP address, it might not have been via a port
    scan if ports were stealthed. It's possible a comp is there. Or not.

    >They will also know that adjacent IP
    > addresses are also users of the same ISP and they will know that an
    > exploitable PC is very likely to be found in this range because a large
    > group of 'stealthed' PCs indicates a large group of Windows users who
    > thought they were safe behind their personal firewall but happily accepted
    > everything Internet Explorer offered them.

    I know that stealthing ports is NOT absolutely secure by any means.
    In fact, it offers hardly any more protection (if any). And if you do
    other things carelessly, you will get your router's IP told to the
    world. There are many ways an IP can be visible, if one is careless.
    I used any outgoing connection as an example. Usenet is another
    (assuming no proxy or IP spoofing or anything).

    You're saying that unix users don't stealth their ports?

    *Another* method (besides usenet) of hackers getting *anybody's* IP is
    just doing a port scan. And if a port is stealthed, it doesn't tell him
    anything. He is left with 2 possibilities: comp doesn't exist, or port
    is stealthed (which, according to you, means a 'personal firewall').

    You're saying that unix firewalls tend not to stealth ports.
    I don't see why unix firewalls tend not to stealth ports. Many hackers
    do just scan a range of IPs.
    So stealthing does have that small advantage over closed. Why don't
    unix users use it? I'm sure they had some other way (spoofing IP?
    proxy?) for being more anonymous on usenet. But isn't it good to be
    safer from port scans too?

    Anyhow - not that it matters. NAT devices tend not to stealth
    ports (the ones I've seen certainly don't). They just report back
    closed. So if a software firewall is running and stealthing ports, the
    ports will be reported back as closed since the 'home router' is hit
    first.

    Perhaps stealthed ports indicate a windows user not behind a router
    (not that a windows user behind a router is necessarily any cleverer).
    Anyhow, I don't see why unix firewalls shouldn't stealth ports, for the
    above mentioned reasons.
  7.

    jameshanley39@yahoo.co.uk wrote:

    > Perhaps stealthed ports indicate a windows user not behind a router.
    > (not that a windows user behind a router is necessarily any cleverer).
    > Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
    > above mentioned reasons.

    Every once in a while, some idiot yells that security through obscurity
    is a bad idea. I'd say maybe if that's all you're relying on. But if you
    think about it, why do soldiers wear camouflage? Why do chameleons have
    color changing abilities? Why do some insects have colors that match
    their background? Because it simply works. Whether you're stealthing or
    blocking doesn't really matter so long as you're making an active effort
    to be security conscious. Steve Gibson, Steve Ballmer, and any other
    frothing at the mouth idiot can yell as loud as they want about security
    but the signal to noise ratio will still be abysmally low. Just like Usenet.

    -Gary
  8.

    On 9 Sep 2005 05:56:15 -0700, jameshanley39@yahoo.co.uk wrote:
    >optikl wrote:
    >> jameshanley39@yahoo.co.uk wrote:
    >
    >somebody more-or-less pointed out that what Gibson calls 'stealth'
    >(blocking without giving a response) is no more secure than closed.
    >
    >their argument for it being no more secure was that they can already
    >find out my ip anyway.
    >
    >It may be that 'stealth' is slightly - but barely - more secure than
    >closed? Indeed, it probably is, since software firewalls all do it.
    >But what would be your reason for saying that 'stealth' is more secure?

    It's not just www.grc.com, but several sites that report security in
    terms of open, closed, and stealth. For example, take a look at
    http://www.pcflank.com/ and the Sygate site. And for what it's worth,
    this issue of closed vs stealth has been endlessly debated for more
    than 3-4 years.

    Bottom line ... hell if I know?
  9.

    In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    keith@microsoft.discussions.com says...
    > So, if I had a static IP and told you what it is, can you tell whether i'm
    > online or not?
    > If I'm stealthed then I'm guessing the answer is no? Otherwise Yes

    Ping an IP that doesn't have a computer attached and see what you get
    back.

    Ping an IP that is stealthed and see what you get back.

    If you see any difference then you know something is there.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
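The "ping an empty address, ping a stealthed one, compare" test above (and the reasoning in post 5 about a stealthed host being indistinguishable from an absent one) can be made precise. The following is an added Python model, written for this page and not code from the thread, GRC, or Sygate. It labels a single TCP SYN probe the way the scanners in this thread do (open / closed / stealth, plus "no host" when a router answers with ICMP Destination Unreachable, RFC 792 codes 0 and 1), then shows when silence really hides a host: only while the upstream router is also silent about empty addresses. The `Reply` objects and the `192.0.2.0/24` scan below are constructed sample data (RFC 5737 documentation range), not captured traffic.

```python
from dataclasses import dataclass
from typing import Optional


# Constructed model of what a scanner sees for one TCP SYN probe.
@dataclass(frozen=True)
class Reply:
    kind: str                        # "syn_ack", "rst", "icmp_unreach" or "none"
    src: Optional[str] = None        # address the answer came from
    icmp_code: Optional[int] = None  # RFC 792 Destination Unreachable code


def label_port(target: str, reply: Reply) -> str:
    """Return the scanner-style label for one probe sent to `target`."""
    if reply.kind == "syn_ack":
        return "open"            # a service completed the handshake
    if reply.kind == "rst":
        return "closed"          # host is up, nothing listening (RFC 793)
    if reply.kind == "icmp_unreach":
        if reply.src == target and reply.icmp_code == 3:
            return "closed"      # the host itself says: port unreachable
        if reply.icmp_code in (0, 1):
            return "no host"     # a router says: net/host unreachable
        return "filtered"        # e.g. code 13, administratively prohibited
    if reply.kind == "none":
        return "stealth"         # probe silently dropped somewhere
    raise ValueError(f"unknown reply kind {reply.kind!r}")


def presence_from_range(labels: dict[str, str]) -> dict[str, str]:
    """Decide whether each address in a scanned range has something at it.

    A 'stealth' address is indistinguishable from an empty one only while the
    upstream router is equally silent about empty addresses. If the same range
    contains addresses the router reported as 'no host', then silence at
    another address means the router could deliver to it: something is there.
    """
    router_speaks = "no host" in labels.values()
    verdict = {}
    for addr, label in labels.items():
        if label in ("open", "closed"):
            verdict[addr] = "present"
        elif label == "no host":
            verdict[addr] = "absent"
        elif label == "stealth":
            verdict[addr] = "present" if router_speaks else "unknown"
        else:                    # "filtered": could be the host or a router
            verdict[addr] = "unknown"
    return verdict


def analyse(scan: dict[str, Reply]) -> dict[str, str]:
    """Label every probe in `scan`, then infer presence across the range."""
    labels = {addr: label_port(addr, reply) for addr, reply in scan.items()}
    return presence_from_range(labels)


# Constructed scan results for four addresses in the documentation range.
SAMPLE_RANGE = {
    "192.0.2.10": Reply("rst", src="192.0.2.10"),                    # closed
    "192.0.2.11": Reply("none"),                                     # stealth
    "192.0.2.12": Reply("icmp_unreach", src="192.0.2.1", icmp_code=1),  # router: host unreachable
    "192.0.2.13": Reply("syn_ack", src="192.0.2.13"),                # open
}

if __name__ == "__main__":
    for addr, verdict in analyse(SAMPLE_RANGE).items():
        print(addr, verdict)
```

Run as a script it prints one verdict per address; because `192.0.2.12` drew a host-unreachable from the router, the silent `192.0.2.11` is reported as present rather than unknown. Feed it a range with no "no host" replies and the same silent address comes back "unknown", which is the only situation in which the "stealth" label actually conceals existence.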
  10.

    In the Usenet newsgroup comp.security.firewalls, in article
    <1126270575.225521.167180@g49g2000cwa.googlegroups.com>,
    jameshanley39@yahoo.co.uk wrote:

    >somebody more-or-less pointed out that what Gibson calls 'stealth'
    >(blocking without giving a response) is no more secure than closed.

    It tends to be less secure, as the people who use stealth don't know
    enough about networking, and nearly always make other ghastly mistakes.

    >their argument for it being no more secure was that they can already
    >find out my ip anyway.

    Why do they have to find "your" IP? Why not anyone's IP? Or do you
    feel that the bad guys are specifically looking for you only. If you
    are smart enough to NOT install viruses, spyware, trojans or other
    mal-ware (but it looked so k3w1), then the "attacks" from outside
    are actually being directed at addresses picked at random. Sorry to
    disappoint you.

    >It may be that 'stealth' is slightly - but barely - more secure than
    >closed?

    IF DONE RIGHT (and it rarely is), "stealth" offers one and only one
    advantage. Those who try to connect to your computer won't be able to
    identify what _operating_system_ you are running. They might _guess_
    that you are running XP or something, but they won't be able to positively
    state that, nor guess on which service packs you've installed, if any.
    But then why bother - just try using this exploit or that - if it works
    then we're home free, and if not, move on to the next address.

    >Indeed, it probably is, since software firewalls all do it.

    No, that's marketing pressure - "product A offers to do FOO" - so
    products B through Z have to do so as well, or be thought to be
    lacking by the clueless sheep who buy something because it promises
    to taste better or has less fat, or makes your ***** grow bigger.

    >But what would be your reason for saying that 'stealth' is more secure?

    I don't say that - but then I've only been using TCP/IP since 1986.

    Old guy
  11.

    <jameshanley39@yahoo.co.uk> wrote in message
    news:1126270575.225521.167180@g49g2000cwa.googlegroups.com...
    >
    > optikl wrote:
    > > jameshanley39@yahoo.co.uk wrote:
    > >
    > > >
    > > > Is running my home router's firewall along with Sygate, actually
    > > > making me less secure than if I was to run Sygate alone ? (since my
    > > > ports aren't 'stealthed') ?
    > > >
    > >
    > > No. Closed is the "expected" response when a computer outside your
    > > subnet tries to connect with your system. Stealth is the equivalent of
    > > my asking you a closed-ended question and you choosing to ignore me.
    >
    >
    > somebody more-or-less pointed out that what Gibson calls 'stealth'
    > (blocking without giving a response) is no more secure than closed.
    >
    > their argument for it being no more secure was that they can already
    > find out my ip anyway.
    >
    > It may be that 'stealth' is slightly - but barely - more secure than
    > closed? Indeed, it probably is, since software firewalls all do it.

    The reason why personal software firewalls all do it is because they know
    that most of their customers think it's better. Any personal firewall vendor
    who doesn't do stealth will lose customers. So they all do it.
    Whether or not stealth really is better or not is irrelevant if you want to
    sell personal firewall software.

    Jason

    > But what would be your reason for saying that 'stealth' is more secure?
    >
  12.

    "Leythos" <void@nowhere.lan> wrote in message
    news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
    > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    > keith@microsoft.discussions.com says...
    >> So , if I had a static IP and told you what it is, can you tell whether
    >> i'm
    >> online or not?
    >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
    >
    > Ping an IP that doesn't have a computer attached and see what you get
    > back.
    >
    > Ping an IP that is stealthed and see what you get back.
    >
    > If you see any difference then you know something is there.
    >

    Yes, but would/should there be any difference in theory or practice, assuming
    no flaws in the OS?

    > --
    >
    > spam999free@rrohio.com
    > remove 999 in order to email me
  13.

    In article <dfs66m$6ah$1@newsg3.svr.pol.co.uk>,
    keith@microsoft.discussions.com says...
    >
    > "Leythos" <void@nowhere.lan> wrote in message
    > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
    > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    > > keith@microsoft.discussions.com says...
    > >> So , if I had a static IP and told you what it is, can you tell whether
    > >> i'm
    > >> online or not?
    > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
    > >
    > > Ping an IP that doesn't have a computer attached and see what you get
    > > back.
    > >
    > > Ping an IP that is stealthed and see what you get back.
    > >
    > > If you see any difference then you know something is there.
    > >
    >
    > Yes, but would/should there be any difference in theory or practice, assuming
    > no flaws in the OS?

    Yes, one lets people know you exist, one doesn't.

    There is no such thing as a flawless OS, never been created. Start with
    the idea that everything has holes and you will have it much easier when
    it comes to security.

    --

    spam999free@rrohio.com
    remove 999 in order to email me
  14.

    <jameshanley39@yahoo.co.uk> wrote in message
    news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
    >
    > Keith wrote:
    > > "Leythos" <void@nowhere.lan> wrote in message
    > > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
    > > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    > > > keith@microsoft.discussions.com says...
    > > >> So, if I had a static IP and told you what it is, can you tell
    > > >> whether i'm online or not?
    > > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
    > > >
    > > > Ping an IP that doesn't have a computer attached and see what you get
    > > > back.
    > > >
    > > > Ping an IP that is stealthed and see what you get back.
    > > >
    > > > If you see any difference then you know something is there.
    > > >
    > >
    > > Yes, but would/should there be any difference in theory or practice,
    > > assuming no flaws in the OS?
    > >
    >
    > my understanding is-
    >
    > seems to me that stealth is more secure.
    >
    > If you ping an ip address that has port 7 - the ICMP port stealthed.
    > Then it will not respond. It will be indistinguishable from a computer
    > that does not exist. somebody port scanning a range of IPs will not
    > know whether your comp exists or has the port stealthed.

    Let's assume that this is true (even if it isn't).
    If they have half a brain they will already know that
    82-70-237-22.dsl.in-addr.zen.co.uk is probably a home dsl user (could be
    business but makes little difference). They will also know that adjacent IP
    addresses are also users of the same ISP and they will know that an
    exploitable PC is very likely to be found in this range because a large
    group of 'stealthed' PCs indicates a large group of Windows users who
    thought they were safe behind their personal firewall but happily accepted
    everything Internet Explorer offered them.

    They will know all this (and more) even if your computer is behind an event
    horizon, never mind a personal firewall.

    Jason

    > However. When you make an outgoing connection, your IP is available to
    > the server receiving it. Regardless of whether any of your ports are
    > stealthed or not.
    > www.whatismyip.com for example. Presumably it just uses the HTTP
    > request you sent it, looks at the IP in the packet, and tells you your
    > IP.
    >
    > As soon as you make an outgoing connection to anywhere, you give your
    > IP.
    > Or your 'home router' public NATTED ip.
    >
    > So stealth is more secure but only regarding incoming connections.
    >
    >
    > I am far from an expert, this is all new to me.
    >
    > Given info posted in the thread. My gripe with Gibson is him calling
    > his probing 'nanoprobing' as if it's a new technology he invented. it
    > is obfuscating technical material , it seems to me - it is for the
    > purposes of his own self promotion. By doing that, I think his self
    > promotion has crossed the
    > line.
    >
  15.

    Jason Edwards wrote:

    > They will know all this (and more) even if your computer is behind an event
    > horizon, never mind a personal firewall.

    I'd better register a domain for my new company, Event Horizon
    Networking. I will build fully buzzword compliant security appliances,
    spread FUD across the galaxy, and laugh all the way to the bank. When
    Symantec or Microsoft buys me out and end of lifes all my vaporware
    products, I'll retire to the Bahamas. Or Betelgeuse.

    -Gary
  16.

    <jameshanley39@yahoo.co.uk> wrote in message
    news:1126290149.731517.316650@f14g2000cwb.googlegroups.com...
    >
    > Jason Edwards wrote:
    > > <jameshanley39@yahoo.co.uk> wrote in message
    > > news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
    > > >
    > > > Keith wrote:
    > > > > "Leythos" <void@nowhere.lan> wrote in message
    > > > > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
    > > > > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
    > > > > > keith@microsoft.discussions.com says...
    > > > > >> So , if I had a static IP and told you what it is, can you tell
    [cut]
    > >
    > > Let's assume that this is true (even if it isn't).
    > > If they have half a brain they will already know that
    > > 82-70-237-22.dsl.in-addr.zen.co.uk
    >
    > You are responding as if I am a mug that thinks that stealthed ports
    > are infinitely superior. And offer complete protection.

    I was in fact unable to know that you thought I would think that you think
    this.

    >
    > Of course, a careless user would give away all sorts of information,
    > especially on usenet.

    Such as?

    >
    >
    > Whatever method (be it usenet or anything else) they used to get the
    > hostname containing an ip address. It might not have been via a port
    > scan if ports were stealthed. It's possible a comp is there. Or not.

    Yup and either it's exploitable or it's not.

    >
    > >They will also know that adjacent IP
    > > addresses are also users of the same ISP and they will know that an
    > > exploitable PC is very likely to be found in this range because a large
    > > group of 'stealthed' PCs indicates a large group of Windows users who
    > > thought they were safe behind their personal firewall but happily
    > > accepted everything Internet Explorer offered them.
    >
    > I know that stealthing ports is NOT absolutely secure by any means.
    > In fact, it offers hardly any more protection (if any). And if you do
    > other things carelessly, you will get your router's IP told to the
    > world.

    Assuming your computer is not exploitable, can you think of a reason to care
    about who (world or otherwise) knows your IP address? (I'm not saying there
    is no possible reason whatsoever).

    > There are many ways an IP can be visible - if one is careless.
    > I used any outgoing connection as an example. Usenet is another.
    > (assuming no proxy or ip spoofing or anything).
    >
    > you're saying that unix users don't stealth their ports?

    I don't recall saying anything at all about unix anything.

    >
    > *Another* method (besides usenet) of hackers getting *anybody's* IP is
    > just doing a port scan.

    I think you'll find that it's necessary to have an IP (or IP range) _before_
    doing a port scan.

    > And if a port is stealthed. It doesn't tell him
    > anything. He is left with 2 possibilities. Comp doesn't exist. Or port
    > is stealthed(which according to you, means a 'personal firewall'.

    Many home NAT routers appear as 'stealth' to shields up.
    The vendors would never be able to sell them otherwise.
    People would return them claiming that they weren't stealth.

    >
    > You're saying that unix firewalls tend not to stealth ports.

    I don't recall saying anything at all about unix anything.
    It may be true that not all the customers of
    http://www.zen.co.uk/
    use Windows but I think we can safely assume that most of them do.

    > I don't see why unix firewalls tend not to stealth ports. Many hackers
    > do just scan a range of IPs.
    > So stealthing does have that small advantage over closed. Why don't
    > unix users use it? I'm sure they had some other way (spoofing IP?
    > proxy?) for being more anonymous on usenet. But isn't it good to be
    > safer from port scans too?

    What makes you want to be safe from port scans?
    What harm can a port scan do to you?

    Jason

    >
    > Anyhow - not that it matters. NAT Devices tend not to stealth
    > ports(the ones I've seen certainly don't). They just report back
    > closed. So if a software firewall is running and stealthing ports. The
    > ports will be reported back as closed since the 'home router' is hit
    > first.
    >
    > Perhaps stealthed ports indicate a windows user not behind a router.
    > (not that a windows user behind a router is necessarily any cleverer).
    > Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
    > above mentioned reasons.
    >
  17.

    In article <slnkuzbl6wcw.dlg@ID-104726.news.individual.net>,
    mr.jimscott@Xvirgin.net says...
    > On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:
    >
    > > In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
    > > jameshanley39@yahoo.co.uk says...
    > >> When I test my sygate firewall on Gibson's Shields Up. The ports are
    > >> coming up as closed, but not all are coming up as what GRC calls
    > >> stealth.
    > >>
    > >> I figure this is to be expected. I have a 'home router'. So my router
    > >> is blocking incoming connections - including Gibson's, reporting back
    > >> "Closed". Those ports that my router is allowing through , Sygate
    > >> kicks in and blocks the incoming connection properly, reporting nothing
    > >> back - what GRC calls Stealth. Not even giving away my computer's
    > >> existence.
    > >>
    > >> Is running my home router's firewall along with Sygate, actually making
    > >> me less secure than if I was to run Sygate alone ? (since my ports
    > >> aren't 'stealthed') ?
    > >>
    > >>
    > > Run a security check on your Sygate. On the firewall main page,
    > > select the Security Button. This takes you to Sygate website.
    > > You will find that if your ports are "blocked" (closed), you are
    > > in good shape.
    > > Casey
    >
    > You get them all 'blocked' from ZA and XP too!
    >
    Hi Jim,
    James, the poster, was concerned about a test of his Sygate at GRC
    that showed his ports "Closed". He was wondering why the ports were
    not called "Stealthed".
    I suggested he do a test at the Sygate website, where he would also
    find his ports "Blocked" (closed). I was trying to point out that
    Stealth is advertising nonsense.
    Most any firewall worth a flip will block/close ports.
    Casey
  18.

    On Fri, 09 Sep 2005 21:18:33 GMT, Casey Klc wrote:

    > In article <slnkuzbl6wcw.dlg@ID-104726.news.individual.net>,
    > mr.jimscott@Xvirgin.net says...
    >> On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:
    >>
    >>> In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
    >>> jameshanley39@yahoo.co.uk says...
    >>>> When I test my sygate firewall on Gibson's Shields Up. The ports are
    >>>> coming up as closed, but not all are coming up as what GRC calls
    >>>> stealth.
    >>>>
    >>>> I figure this is to be expected. I have a 'home router'. So my router
    >>>> is blocking incoming connections - including Gibson's, reporting back
    >>>> "Closed". Those ports that my router is allowing through , Sygate
    >>>> kicks in and blocks the incoming connection properly, reporting nothing
    >>>> back - what GRC calls Stealth. Not even giving away my computer's
    >>>> existence.
    >>>>
    >>>> Is running my home router's firewall along with Sygate, actually making
    >>>> me less secure than if I was to run Sygate alone ? (since my ports
    >>>> aren't 'stealthed') ?
    >>>>
    >>>>
    >>> Run a security check on your Sygate. On the firewall main page,
    >>> select the Security Button. This takes you to Sygate website.
    >>> You will find that if your ports are "blocked" (closed), you are
    >>> in good shape.
    >>> Casey
    >>
    >> You get them all 'blocked' from ZA and XP too!
    >>
    > Hi Jim,
    > James, the poster, was concerned about a test of his Sygate at GRC
    > that showed his ports "Closed". He was wondering why the ports were
    > not called "Stealthed".
    > I suggested he do a test at the Sygate website where he would also
    > find his ports "Blocked" (closed). I was trying to point out that
    > Stealth is advertising nonsense.
    > Most any firewall worth a flip will block/close ports.
    > Casey

    On the other hand http://www.hackerwatch.org/probe/ port-scan distinguishes
    between closed and stealthed.
    --
    Jim
    Tyneside UK
  19. Archived from groups: comp.security.firewalls (More info?)

    charlie R <welpctSKIPME@psci.net> wrote:
    > When you connect to a website, it has to read your address, or else
    > you couldn't view it. Gibson also tells you your machine address when
    > you connect to his site. The scanner is a different machine and
    > cannot see your address because you are not connected to it, and your
    > ports are closed or stealth.

    Please first read RFC 792 and try to understand it. Then you'll see
    that this is just nonsense. This is not the way the TCP/IP network
    family works.

    If a host is not there, then you get a message from a router before that:
    the message that a packet to this host cannot be routed (ICMP Destination
    Unreachable with code 0, net unreachable, or code 1, host unreachable).

    If a host is there, and there is just no process listening at the port
    you wanted to communicate with, you get a message: ICMP Destination
    Unreachable with code 3 or a TCP RST (see RFC 793).

    If you're getting nothing, then you know: there definitely _is_ a host:
    A Windows box with a protocol injuring "Personal Firewall" which fools
    its user into feeling "stealth".

    > The server you are connected to can read
    > your IP, and anything else your security settings allow, if it wants
    > to.

    No. The system you communicate with has your IP address, of course -
    you're communicating with it. But it cannot "read ... anything else your
    security settings allow". This is just wrong.

    > That's why it's important to block Active X, mobile code,
    > scripts, java, etc, and keep your Internet Security settings high.

    This is monkeyshines. The reason for not using ActiveX is completely
    different - it's the design flaws in ActiveX. This has nothing to do
    with "mobile code" or "scripts".

    > VB will tell you he can get into any machine he wants
    > to, despite personal firewalls.

    BTW: I never said that.

    Please, before you start with polemics, *PLEASE* read the RFCs.
    They're in English. You can understand that, if you try.

    The RFCs http://www.rfc-editor.org are the official standards of the IETF,
    the Internet Engineering Task Force, http://www.ietf.org

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  20. Archived from groups: comp.security.firewalls (More info?)

    >
    > If you're getting nothing, then you know: there definitely _is_ a
    > host: A Windows box with a protocol injuring "Personal Firewall" which
    > fools its user into feeling "stealth".
    >

    I like that --- protocol injuring. :)

    Duane :)
  21. Archived from groups: comp.security.firewalls (More info?)

    Jason <Jason@winblows.net> wrote:
    > And you were doing so good until you said use the windows-firewall too.

    What problem are you having with the Windows-Firewall?

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  22. Archived from groups: comp.security.firewalls (More info?)

    Keith <keith@microsoft.discussions.com> wrote:
    > So , if I had a static IP and told you what it is, can you tell whether i'm
    > online or not?

    If you mean by that that sometimes your computer is not connected and
    sometimes it is: yes, even if your computer is "stealthed", one can
    detect that.

    That is because, if you're not online, the router of your provider sends
    an ICMP Destination Unreachable message, usually with code 1 (host
    unreachable). When you're connected, it doesn't.

    > If I'm stealthed then I'm guessing the answer is no? Otherwise Yes

    You're guessing wrong.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  23. Archived from groups: comp.security.firewalls (More info?)

    Keith <keith@microsoft.discussions.com> wrote:
    > > Ping an IP that doesn't have a computer attached and see what you get
    > > back.
    > > Ping an IP that is stealthed and see what you get back.
    > > If you see any difference then you know something is there.
    > Yes, but would, should there be any difference in theory or practice assuming
    > no flaws in OS

    Sorry, this is all nonsense.

    No-one would use ICMP echo (this is what your PING command does) to find
    out whether a host exists or not.

    ICMP echo is just for testing purposes in one's own setups. Everyone knows
    that most people try to "hide" their PCs by filtering ICMP echo, so no-one
    will use it for such cases.

    A much better probe is using nmap -sS -P0 to scan, just sending TCP SYN
    to different ports. Usually, one gets back information like ICMP
    destination unreachable with code 0 or 1, which means there is no host,
    or ICMP destination unreachable with code 3, TCP RST or just nothing,
    which means that there _is_ a host.

    This is why nmap shows a host as being there even if there is no reply.

    BTW: because there will be no help for security at all with "hiding" a
    PC or other host, even if this would be possible, this complete discussion
    is ridiculous anyway.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  24. Archived from groups: comp.security.firewalls (More info?)

    jameshanley39@yahoo.co.uk wrote:
    > I know that stealthing ports is NOT absolutely secure by any means.

    That's right, because it's not helping to make a computer more secure
    at all.

    > And if you do
    > other things carelessly, you will get your router's IP told to the
    > world.

    *ROTFL* - how should routing work _without_ having this IP? Please,
    *PLEASE* first try to understand the concepts you're talking about!

    > There are many ways an IP can be visible - if one is careless.

    *sigh*

    > *Another* method (besides usenet) of hackers getting *anybodys* IP, is
    > just doing a port scan.

    The next misunderstanding. "Hackers" (you mean crackers, see the Jargon
    File) are not trying to get anybody's IP. They're just scanning networks
    for connected boxes; the IPs they have already.

    > And if a port is stealthed. It doesn't tell him
    > anything.

    Yes, and that tells an attacker that there definitely _is_ a host,
    otherwise he would have got back an answer, as I stated already.

    > He is left with 2 possibilities. Comp doesn't exist. Or port
    > is stealthed(which according to you, means a 'personal firewall'.

    This is wrong, unfortunately. Could you *please* read the RFCs now,
    before you're continuing to argue? That would help to have a sensible
    discussion, thanx!

    > So stealthing does have that small advantage over closed.

    No, it hasn't.

    > Why don't
    > unix users use it?

    I don't know most UNIX users. Usually they don't do it, because this
    is crippling your TCP/IP implementation, wrong undefined behaviour,
    which does not help at all.

    > I'm sure they had some other way (spoofing IP?
    > proxy?) for being more anonymous on usenet. But isn't it good to be
    > safer from port scans too?

    The problem is that anonymity in the Internet cannot be achieved this way
    at all. Better methods you'll find in the Tor project and in the AN.ON
    project. Both of them are good ideas to try to reach anonymity in the
    Internet.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  25. Archived from groups: comp.security.firewalls (More info?)

    Gary <garyd@efn.org.spamsux> wrote:
    > Every once in a while, some idiot yells that security through obscurity
    > is a bad idea. I'd say maybe if that's all you're relying on. But if you
    > think about it, why do soldiers wear camouflage? Why do chameleons have
    > color changing abilities? Why do some insects have colors that match
    > their background?

    Ok, I'll try to explain.

    We're not talking about the "real world", the world where the pizza man
    comes from ;-) We're talking about computers, about a special case of
    computers: about deterministic machines. But let us compare anyway:

    Here you have three classes of methods for improving security against
    the incidence of an event you want to avoid.

    [A] You can make it impossible for an event to happen, already in theory.

    [B] You can make it unlikely for an event to happen, so unlikely, that
    you can say, it will not happen in practice.

    [C] You can make it unlikely for an event to happen, but the likelihood
    is not small enough, that you can be sure, that it will not happen
    in practice. It will be seldom, though.

    I think, it's obvious, why to prefer methods of class [A] to methods of
    class [B], and why to prefer methods of classes [A] and [B] to methods of
    class [C], OK?

    There is no method of [A] or [B] to make a soldier or a chameleon not
    being detected. There is only a method of [C]: camouflage. So, because
    there is no other way, soldiers and chameleons are using methods of [C].

    Believe me, if a soldier or a chameleon had the option to find methods
    of [A] or [B], they would do it immediately and not use camouflage
    any more.

    Now there are differences between deterministic machines and the
    pizza man universe:

    With deterministic machines there often are possibilities for methods
    of [A] or at least [B], for most of the cases, so why use methods of
    [C] at all?

    Another reason is: Many of the events you want to avoid are secrets
    detected by an attacker. Methods of [C] do not help here at all, because
    in the deterministic discrete world of computers, all states are
    countable. Usually, a method is in [C] and not in [B], because it is
    possible also in practice to just "try out" every combination (beside
    cleverer ways, which will be preferred by most attackers). This is
    called "brute forcing".

    Brute forcing only is not possible if the secrets are protected by
    methods of [A] or at least of [B] (by definition).

    So this is the reason, why people say: "Don't use security by obscurity,
    it will not work".

    To be exact, they should say: "Don't use security by obscurity for most
    of the cases, because there are much better methods to secure - in most
    cases, security by obscurity will not work, though, only in a few ones it
    could work anyway."

    Clear now? ;-)

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  26. Archived from groups: comp.security.firewalls (More info?)

    Jim Scott <mr.jimscott@xvirgin.net> wrote:
    > On the other hand http://www.hackerwatch.org/probe/ port-scan distinguishes
    > between closed and stealthed.

    I tried out http://www.hackerwatch.org/probe/ - the results were useless.
    You can find out more on this topic in <431452bf@news.uni-ulm.de>

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  27. Archived from groups: comp.security.firewalls (More info?)

    jameshanley39@yahoo.co.uk wrote:
    > It may be that 'stealth' is slightly - but barely - more secure than
    > closed?

    No, it isn't.

    > Indeed, it probably is, since software firewalls all do it.

    They do it because, then people _feel_ more secure, when they're buying
    such products, though they're not more secure. This is fooling people.

    > But what would be your reason for saying that 'stealth' is more secure?

    I'm looking forward to the explanation ;-)

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  28. Archived from groups: comp.security.firewalls (More info?)

    In the Usenet newsgroup comp.security.firewalls, in article
    <dfs66m$6ah$1@newsg3.svr.pol.co.uk>, Keith wrote:

    >"Leythos" <void@nowhere.lan> wrote

    >> Ping an IP that doesn't have a computer attached and see what you get
    >> back.
    >>
    >> Ping an IP that is stealthed and see what you get back.
    >>
    >> If you see any difference then you know something is there.
    >
    >Yes, but would, should there be any difference in theory or practice
    >assuming no flaws in OS

    Apparently, your O/S is masking what's happening.

    When you 'ping' an address that doesn't have a computer, the last
    working router your ping passes over trying to reach the address will
    discover "you can't get there". The _router_ sends an error message
    back to you.

    When you 'ping' a working address, this error doesn't happen, because
    the last router is able to send the packet on - it doesn't make one
    bit of difference if the destination is stealth, closed, or has its
    legs wide open. It doesn't make ANY difference no matter what the
    operating system is on the destination. The router did its job, and
    forwarded the packet.

    If you 'ping' a working address and the destination is open, you should
    get a response back. If the destination is closed, you will also get
    back a response, but it will tell you that it's closed.

    If the destination is stealthed, then you won't get a response back.

    Now, re-read what I've just written. The ONLY time you don't get a
    response back is when it's stealthed. So why do you feel it's so
    hard to detect stealthed computers?

    Old guy
  29. Archived from groups: comp.security.firewalls (More info?)

    In the Usenet newsgroup comp.security.firewalls, in article
    <1126278481.310732.60110@g47g2000cwa.googlegroups.com>,
    jameshanley39@yahoo.co.uk wrote:

    >my understanding is-
    >
    >seems to me that stealth is more secure.

    Possible, but only under exceptional circumstances.

    >If you ping an ip address that has port 7 - the ICMP port stealthed.

    0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
    (Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
    (Also STD0005) (Status: STANDARD)

    ICMP doesn't have ports. An ICMP Echo Request (called a 'ping' based
    on the original program used) is a Type 8 Code 0. The ICMP Echo Reply
    is a Type 0 Code 0. The port 7 you are thinking of:

    echo 7/tcp Echo
    echo 7/udp Echo
    # Jon Postel <postel@isi.edu>

    (Jonathan Postel died in 1998, but you'll find his name nearly everywhere
    in Internet documents.) Notice that the '7' is referencing TCP and UDP.
    The document that defines that is

    0862 Echo Protocol. J. Postel. May-01-1983. (Format: TXT=1294 bytes)
    (Also STD0020) (Status: STANDARD)

    While it is a standard, no one uses this service.

    >Then it will not respond. It will be indistinguishable from a computer
    >that does not exist.

    When you attempt to contact a computer that does not exist (is turned
    off, not plugged in, never unpacked - doesn't matter), the last
    working router sends an error message back "I can't get there".

    When you attempt to contact a computer that is connected, and open or
    closed, you will get back a response from that computer (either a
    "welcome", or a "go-away" message).

    When you attempt to contact a computer that is stealthed, there is no
    response.

    So, the quite obvious difference is that error message from the router.
    Your premise fails.

    >As soon as you make an outgoing connection to anywhere, you give your
    >IP.

    Correct.

    >So stealth is more secure but only regarding incoming connections.

    Nope. The only thing stealth MAY buy you is preventing O/S fingerprinting,
    but only if no ports are open, and ALL OTHER PROTOCOLS (there's another
    hint - there is more than ICMP, TCP and UDP) are set to remain silent.
    Nearly everyone using 'stealth' is quite unaware of the other problem,
    so stealth fails.

    >I am far from an expert, this is all new to me.

    TCP/IP Illustrated Volume 1 - The Protocols. W.Richard Stevens 1994,96
    Addison Wesley, ISBN 0-201-63346-9, 576 pgs, US$LOTS

    Try to find a copy in a technical library. The book is normally used as a
    textbook in college or university networking classes. I think I paid about
    US$55 for my copy in 1994. It's a bit old, but it is profusely illustrated,
    and understandable because of that and the many examples it contains.

    Old guy
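    The decision rule Volker Birk gives in posts 19 and 23 and "Old guy" restates in posts 28 and 29, worked as an added Python example that is not part of the thread: it parses the three kinds of reply to one TCP SYN probe (a router's ICMP error, the host's own TCP RST or SYN/ACK, or silence) from constructed RFC 792/793 packets and states what each reveals about the probed host. Addresses, ports and packets are constructed sample data from documentation ranges; the code only parses bytes in memory and sends nothing.

```python
import struct

# ICMP types and codes the thread refers to (RFC 792)
ICMP_ECHO_REPLY = 0
ICMP_DEST_UNREACHABLE = 3
UNREACHABLE_CODES = {0: "net unreachable", 1: "host unreachable", 3: "port unreachable"}
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
# TCP control bits (RFC 793)
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10

def parse_ipv4(datagram):
    """Split a raw IPv4 datagram into (protocol, src, dst, payload)."""
    if len(datagram) < 20 or datagram[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (datagram[0] & 0x0F) * 4
    src = ".".join(map(str, datagram[12:16]))
    dst = ".".join(map(str, datagram[16:20]))
    return datagram[9], src, dst, datagram[ihl:]

def classify_response(probe_dst, probe_port, response):
    """Say what the reply to one TCP SYN sent to probe_dst:probe_port reveals.

    response is the raw IPv4 datagram that came back, or None for silence.
    Rules as the thread lays them out: Destination Unreachable code 0 or 1 is
    a router saying no host is there; code 3, a TCP RST or a SYN/ACK is the
    host itself answering; silence means a host that drops the packet, since
    a missing host would have drawn the router's error instead.
    """
    if response is None:
        return "host present, port filtered (no reply)"
    proto, src, _dst, payload = parse_ipv4(response)
    if proto == IPPROTO_TCP:
        if len(payload) < 14:
            raise ValueError("short TCP header")
        sport, _dport = struct.unpack_from("!HH", payload, 0)
        flags = payload[13]
        if src != probe_dst or sport != probe_port:
            return "unrelated TCP segment"
        if flags & TCP_RST:
            return "host present, port closed (TCP RST)"
        if flags & TCP_SYN and flags & TCP_ACK:
            return "host present, port open (SYN/ACK)"
        return "host present (other TCP segment)"
    if proto == IPPROTO_ICMP:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == ICMP_ECHO_REPLY:
            return "host present (ICMP echo reply)"
        if icmp_type == ICMP_DEST_UNREACHABLE:
            # RFC 792: after the 8-byte ICMP header comes the offending datagram's IP
            # header plus its first 8 bytes, enough to check the error is about our probe.
            oproto, _osrc, odst, opayload = parse_ipv4(payload[8:])
            if oproto != IPPROTO_TCP or len(opayload) < 4:
                return "unrelated ICMP error"
            _osport, odport = struct.unpack_from("!HH", opayload, 0)
            if odst != probe_dst or odport != probe_port:
                return "unrelated ICMP error"
            reason = UNREACHABLE_CODES.get(icmp_code, "code %d" % icmp_code)
            if icmp_code in (0, 1):
                return "no host (ICMP %s from router %s)" % (reason, src)
            if icmp_code == 3:
                return "host present, port closed (ICMP port unreachable)"
            return "host present (ICMP %s)" % reason
    return "unclassified response"

# Constructed sample traffic: bytes built in memory, nothing is ever sent.
def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header; checksum left zero because nothing transmits it."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return header + payload

def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header carrying only the ports and control bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)

def build_icmp_unreachable(code, original_datagram):
    """Destination Unreachable quoting the original IP header + 8 payload bytes."""
    return struct.pack("!BBHI", ICMP_DEST_UNREACHABLE, code, 0, 0) + original_datagram[:28]

PROBE_SRC, PROBE_DST, PROBE_PORT = "198.51.100.7", "203.0.113.9", 135  # constructed values
ROUTER = "203.0.113.1"  # constructed: last-hop router of the probed network
PROBE = build_ipv4(IPPROTO_TCP, PROBE_SRC, PROBE_DST, build_tcp(40000, PROBE_PORT, TCP_SYN))
SAMPLE_RESPONSES = {
    "unused address": build_ipv4(IPPROTO_ICMP, ROUTER, PROBE_SRC, build_icmp_unreachable(1, PROBE)),
    "closed port": build_ipv4(IPPROTO_TCP, PROBE_DST, PROBE_SRC, build_tcp(PROBE_PORT, 40000, TCP_RST | TCP_ACK)),
    "open port": build_ipv4(IPPROTO_TCP, PROBE_DST, PROBE_SRC, build_tcp(PROBE_PORT, 40000, TCP_SYN | TCP_ACK)),
    "stealthed port": None,
}

def classify_samples():
    """Run the classifier over every constructed response."""
    return {name: classify_response(PROBE_DST, PROBE_PORT, pkt) for name, pkt in SAMPLE_RESPONSES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print("%-15s -> %s" % (name, verdict))
```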
  30. Archived from groups: comp.security.firewalls (More info?)

    Volker Birk wrote:
    > Gary <garyd@efn.org.spamsux> wrote:
    > > Every once in a while, some idiot yells that security through obscurity
    > > is a bad idea. I'd say maybe if that's all you're relying on. But if you
    > > think about it, why do soldiers wear camouflage? Why do chameleons have
    > > color changing abilities? Why do some insects have colors that match
    > > their background?
    >
    > Ok, I'll try to explain.
    >
    > We're not talking about the "real world", the world where the pizza man
    > comes from ;-) We're talking about computers, about a special case of
    > computers: about deterministic machines. But let us compare anyway:
    >
    > Here you have three classes of methods for improving security against
    > the incidence of an event you want to avoid.
    >
    > [A] You can make it impossible for an event to happen, already in theory.
    >
    > [B] You can make it unlikely for an event to happen, so unlikely, that
    > you can say, it will not happen in practice.
    >
    > [C] You can make it unlikely for an event to happen, but the likelihood
    > is not small enough, that you can be sure, that it will not happen
    > in practice. It will be seldom, though.
    >
    > I think, it's obvious, why to prefer methods of class [A] to methods of
    > class [B], and why to prefer methods of classes [A] and [B] to methods of
    > class [C], OK?
    >
    > There is no method of [A] or [B] to make a soldier or a chameleon not
    > being detected. There is only a method of [C]: camouflage. So, because
    > there is no other way, soldiers and chameleons are using methods of [C].
    >
    > Believe me, if a soldier or a chameleon had the option to find methods
    > of [A] or [B], they would do it immediately and not use camouflage
    > any more.
    >
    > Now there are differences between deterministic machines and the
    > pizza man universe:
    >
    > With deterministic machines there often are possibilities for methods
    > of [A] or at least [B], for most of the cases, so why use methods of
    > [C] at all?
    >
    > Another reason is: Many of the events you want to avoid are secrets
    > detected by an attacker. Methods of [C] do not help here at all, because
    > in the deterministic discrete world of computers, all states are
    > countable. Usually, a method is in [C] and not in [B], because it is
    > possible also in practice to just "try out" every combination (beside
    > cleverer ways, which will be preferred by most attackers). This is
    > called "brute forcing".
    >
    > Brute forcing only is not possible if the secrets are protected by
    > methods of [A] or at least of [B] (by definition).
    >
    > So this is the reason, why people say: "Don't use security by obscurity,
    > it will not work".
    >
    > To be exact, they should say: "Don't use security by obscurity for most
    > of the cases, because there are much better methods to secure - in most
    > cases, security by obscurity will not work, though, only in a few ones it
    > could work anyway."
    >
    > Clear now? ;-)
    >
    > Yours,
    > VB.
    > --
    > "It cannot be that the frustrated ones in Rome decide what happens in
    > German bedrooms".
    > Harald Schmidt on "World Youth Day"


    ok- if you're talking about competing options of which A is superior to
    B which is superior to C.


    But in the stealth case, C=stealth is not inferior to B=Closed (in
    terms of security offered).
    In fact, C matches the security offered by B (if it's Stealthed then
    it's not Open. It is closed), it just makes it a tiny amount more
    difficult to find out if the IP exists on the internet (you said in a
    post. nmap with the switch -p0).

    In your case, you would use many intelligent techniques for securing
    your system. A cracker intelligent enough to get through your system
    would not be put off by a 'Stealthed port' or fooled into thinking that
    there's no comp or router with that IP.

    Perhaps for the average user, that little obscurity might put off a
    cracker that could break into their system.
  31. Archived from groups: comp.security.firewalls (More info?)

    I detected that on Sat 10-Sep-2005 07:15:08 Volker Birk
    wrote in message <news:432279ec@news.uni-ulm.de>
    <snip>

    > If a host is there, and only there is no process listening at the port
    > you wanted to communicate with, you get a message: ICMP Destination
    > Unreachable with code 3 or a TCP RST (see RFC 793).
    >
    > If you're getting nothing, then you know: there definitely _is_ a host:

    Not always? For example, in an ethernet environment if the end device is
    recently[1] powered down (or powered down and has a static entry in the
    ARP table) the router will have an ARP entry. It has no need to send an
    ARP request (which would result in the router responding as in your
    examples). It encapsulates the PDU and sends it on its way. Exactly the
    same would happen with a 'stealthed' device. IMO the only way of really
    telling any difference (bar trying to elicit responses via crafted
    packets) is to have access to the layer 2 devices and trace the port the
    device is patched to and see whether one can detect a MAC there (or
    ascertain how old the ARP table entry is on the router if it is not a
    static).

    [1] 'recently' being a value less than the expiration period of the
    cached entry in the router's ARP table. I think the default value for
    Cisco IOS is about 4 hours?
  32. Archived from groups: comp.security.firewalls (More info?)

    >
    > Perhaps for the average user, that little obscurity might put off a
    > cracker that could break into their system.
    >
    >


    If a hacker broke into average someone's computer with any type
    of filter/PFW active on the machine and configured properly, the average
    someone contributed in some way that led to the compromise of the machine
    by the user clicking on something that introduced the compromise. So closed
    port or stealthed ports, it's over.

    If one wants a machine to be stealthed, then one puts the machine behind a
    cheap NAT router with all ports closed by default and unsolicited inbound
    traffic never reaches the machine -- that's stealth.

    Duane :)
  33. Archived from groups: comp.security.firewalls (More info?)

    Nellie <Nellie@from.is.invalid> wrote:
    > > If you're getting nothing, then you know: there definitely _is_ a host:
    > Not always? For example, in an ethernet environment if the end device is
    > recently[1] powered down (or powered down and has a static entry in the
    > ARP table) the router will have an ARP entry. It has no need to send an
    > ARP request (which would result in the router responding as in your
    > examples). It encapsulates the PDU and sends it on its way. Exactly the
    > same would happen with a 'stealthed' device.

    Sorry, no.

    The point that a router detects somewhat later if a device has just been
    switched off has nothing to do with "stealthing". The WAN connections
    usually don't use ARP at all anyway, but some point-to-point protocol.

    > IMO the only way of really
    > telling any difference (bar trying to elicit responses via crafted
    > packets) is to have access to the layer 2 devices and trace the port the
    > device is patched to and see whether one can detect a MAC there (or
    > ascertain how old the ARP table entry is on the router if it is not a
    > static).

    It's enough to look at the ICMP messages. Just try it out, please. Or
    better: read the RFCs yourself.

    > [1] 'recently' being a value less than the expiration period of the
    > cached entry in the router's ARP table. I think the default value for
    > Cisco IOS is about 4 hours?

    Yes. But: so what?

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  34. Archived from groups: comp.security.firewalls (More info?)

    jameshanley39@yahoo.co.uk wrote:
    > But In the stealth case. C=stealth, is not inferior to B=Closed (in
    > terms of security offered).

    In terms of security, sending nothing is not superior to sending TCP RST,
    and sending TCP RST is not superior to sending nothing. It just doesn't
    matter.

    In terms of networking, sending nothing in this situation means violating
    protocol, and that means one does not support the free Internet any more,
    but disturbing free communication.

    It's just b0rken to send nothing in this situation, anybody who is able
    to read the RFCs can understand that. And it's completely useless.

    > In fact, C matches the security offered by B (if it's Stealthed then
    > it's not Open. It is closed), it just makes it a tiny amount more
    > difficult to find out if the IP exists on the internet (you said in a
    > post. nmap with the switch -p0).

    No. It doesn't. It's ridiculous to argue, that -P0 as an option in nmap
    will make it more difficult to scan "stealthed" hosts. It does not do it
    at all. Usually, when I'm scanning, I'm typing nmap -sS -P0 automatically
    without knowing what's goin' on, or on my laptop there is an alias
    nmap='nmap -sS -P0' already in my .zshrc - so what?

    > In your case, you would use many intelligent techniques for securing
    > your system. A cracker intelligent enough to get through your system
    > would not be put off by a 'Stealthed port' or fooled into thinking that
    > there's no comp or router with that IP.
    > Perhaps for the average user, that little obscurity might put off a
    > cracker that could break into their system.

    Even if "stealthing" would bring obscurity (which it does not, as I stated
    already), this would not help at all. Any script-kiddy tool can handle
    such easy things, so not even pupils who are trying out "cracking boxes"
    from the school network will be influenced by such ridiculous "security".

    "Stealthing" is what it is: an idea, perhaps from Mr. Gibson, which sounds
    good, which everyone believes in, and which the manufacturers of "security"
    software like the "Personal Firewalls" can advertise with and make money
    with.

    It's a typical placebo.

    Yours,
    VB.
    --
    "It cannot be that the frustrated ones in Rome decide what happens in
    German bedrooms".
    Harald Schmidt on "World Youth Day"
  35. Archived from groups: comp.security.firewalls (More info?)

    <jameshanley39@yahoo.co.uk> wrote in message
    news:1126397576.801637.69870@o13g2000cwo.googlegroups.com...
    >
    > Volker Birk wrote:
    > > Gary <garyd@efn.org.spamsux> wrote:
    > > > Every once in a while, some idiot yells that security through obscurity
    > > > is a bad idea. I'd say maybe if that's all you're relying on. But if you
    > > > think about it, why do soldiers wear camouflage? Why do chameleons have
    > > > color changing abilities? Why do some insects have colors that match
    > > > their background?
    > >
    > > Ok, I'll try to explain.
    > >
    > > We're not talking about the "real world", the world where the pizza man
    [cut]
    >
    > ok- if you're talking about competing options of which A is superior to
    > B which is superior to C.
    >
    >
    > But in the stealth case, C=stealth is not inferior to B=Closed (in
    > terms of security offered).

    Sure it is because it's an unnecessary step which will take time (and maybe
    money if you wasted money on a personal firewall) to implement. It's
    unnecessary because if you have B (or A) then you don't need C.

    If I limit the discussion to inbound connection requests (which you want to
    'stealth') then it should be easy to see that as a home PC user I can have
    A. I can make it impossible for anyone else on the internet to get a
    potentially exploitable response from my PC. To do this I simply make sure
    that no services are being offered to the Internet. It does not matter how
    my PC responds to an inbound packet containing any port numbers or other
    information as long as the PC does not send any useful information back in
    response to an unsolicited request. The fact that it does send something
    back (closed or port unreachable) is irrelevant. This does not mean that
    useful information is sent to anyone else. I know you'll try to argue that
    this gives your IP away or tells the 'hacker' that you are there but I think
    this has more to do with psychology than anything else. In some cases it's
    due to lack of knowledge. The misconception that 'stealth' hides your IP is
    not uncommon, as is the misconception that a firewall hides your IP. A worse
    misconception is that a personal firewall will keep malware off your PC.

    I think you should increase your knowledge. Buy the book Moe Trin
    recommended. Do some searches.
    The Internet is not the answer to everything but if you want technical
    information on how it works then a search engine is all you need. You may
    already be aware of how to search but here are some examples in case they
    help.

    http://www.google.com/search?&q=icmp

    http://www.google.com/search?q=icmp+packet+structure

    Try some tools which will show useful information which you can learn from.

    http://www.google.com/search?q=tcpview

    Understand what you are connecting to, and why.
    Tools such as shields up do not tell you what your computer is having a
    conversation with if your computer made the outbound request to another
    computer.

    Make sure you are not offering any unnecessary services to the Internet.

    http://www.google.com/search?q=%22security+scan%22

    But don't be fooled into purchasing any unnecessary products offered by
    those sites, just use them to check whether any obvious services are being
    offered to the Internet.

    When you've read everything you can find, ask questions either here or in
    comp.protocols.tcp-ip
    By then you may find your questions being answered by a different set of
    people - those who never bother with pointless arguments about whether
    stealth is better or not because they already have sufficient knowledge to
    make their own decision.

    I would advise you to forget about whether or not stealth makes you more
    secure and concentrate on other things which are far more important. If you
    are not already aware of what is running in your computer and why it's there
    and what it's doing then find out. A personal firewall will not help with
    this and 'stealth' will not make the slightest bit of difference. If you
    must use Internet Explorer then ask yourself why it's had a security update
    every month since the beginning of time. No browser is 100% secure but a B
    browser is better than a C one.

    Personal firewalls exist to persuade people to buy them. They do not exist
    to help educate people to the level where they understand why they didn't
    need to purchase that firewall software.

    Jason
  36. Archived from groups: comp.security.firewalls

    I detected that on Sun 11-Sep-2005 09:04:49 Volker Birk
    wrote in message <news:4323e521@news.uni-ulm.de>
    > Nellie <Nellie@from.is.invalid> wrote:
    >>> If you're getting nothing, then you know: there definitely _is_ a host:
    >> Not always? For example, in an ethernet environment if the end device is
    >> recently[1] powered down (or powered down and has a static entry in the
    >> ARP table) the router will have an ARP entry. It has no need to send an
    >> ARP request (which would result in the router responding as in your
    >> examples). It encapsulates the PDU and sends it on its way. Exactly the
    >> same would happen with a 'stealthed' device.
    >
    > Sorry, no.
    >
    > The point, that a router detects somewhat later, if a device is just
    > switched off, has nothing to do with "stealthing".

    My point being that (in my example) there is no way to
    differentiate. Security by obfuscation/doubt, no certainty. Unlike your
    'definite' <shrug>.

    > The WAN connections don't
    > use ARP at all usually anyway, but some point2point protocol.

    I think I am/we are thinking of two distinct setups/talking at cross
    purposes.

    Thank you for the brief exchange of views.
  37. Archived from groups: comp.security.firewalls

    Nellie <Nellie@from.is.invalid> wrote:
    > My point being that (in my example) there is no way to
    > differentiate. Security by obfuscation/doubt, no certainty. Unlike your
    > 'definite' <shrug>.
    > > The WAN connections don't
    > > use ARP at all usually anyway, but some point2point protocol.
    > I think I am/we are thinking of two distinct setups/talking at cross
    > purposes.

    Yes. Aren't we talking about boxes, which are connected via Modem, DSL,
    $WHATEVER to the Internet, and "protected" by the "stealthing" feature
    of a "Personal Firewall", so their IP-address is "hidden"?

    I just wanted to explain, why this cannot work.

    Of course, it is possible to completely hide a host in a network - just
    _never_ send anything to any other host, use the connection read only.

    That includes, do not "load" webpages, do not send or receive E-Mail with
    this host.

    In such a scenario, the host is invisible to the rest of the network.
    Sometimes, one is doing this for sniffing purposes, for example.

    Yours,
    VB.
    --
    "It cannot be that the frustrated men in Rome decide what happens in
    German bedrooms."
    Harald Schmidt on "World Youth Day"
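
    The exchange between Nellie and Volker above, modelled as an added
    example that is not part of the original thread: a toy last-hop router
    and target host that return what a scanner would see for one TCP SYN.
    No real packets are sent; the class and function names, the ARP-cache
    shortcut and the ICMP-unreachable behaviour are assumptions chosen to
    illustrate the argument, not a description of any real router or
    personal firewall.

```python
"""Toy model of what a scanner learns from a 'stealthed' host.

Added example, not from the original thread. Router, Host, probe() and
scenarios() are assumed names; the ARP-cache shortcut and the
ICMP-unreachable behaviour are simplifying assumptions about a last-hop
router on an Ethernet LAN.
"""
from dataclasses import dataclass, field
from enum import Enum


class Reply(Enum):
    SYN_ACK = "SYN/ACK"                    # a service is listening
    RST = "RST"                            # host exists, port closed
    ICMP_UNREACHABLE = "ICMP unreachable"  # router could not deliver
    SILENCE = "no answer"                  # the SYN was dropped somewhere


@dataclass
class Host:
    ip: str
    powered_on: bool = True
    open_ports: set = field(default_factory=set)
    stealth: bool = False   # personal firewall drops instead of sending RST

    def receive_syn(self, port: int) -> Reply:
        if not self.powered_on:
            return Reply.SILENCE
        if port in self.open_ports:
            return Reply.SYN_ACK
        return Reply.SILENCE if self.stealth else Reply.RST


@dataclass
class Router:
    hosts: dict                                   # ip -> Host on the LAN
    arp_cache: set = field(default_factory=set)   # ips with a cached MAC

    def forward_syn(self, ip: str, port: int) -> Reply:
        host = self.hosts.get(ip)
        # Cached ARP entry: the frame is sent without checking whether the
        # host is still there (Nellie's case: a dead host looks stealthed).
        if ip in self.arp_cache:
            return host.receive_syn(port) if host else Reply.SILENCE
        # No cache entry: the router ARPs first. Only a powered-on host
        # answers; otherwise the router reports the address as unreachable
        # (Volker's case: a missing host does not look like a stealthed one).
        if host is None or not host.powered_on:
            return Reply.ICMP_UNREACHABLE
        self.arp_cache.add(ip)
        return host.receive_syn(port)


def probe(router: Router, ip: str, port: int) -> Reply:
    """What a remote scanner observes for one SYN to ip:port."""
    return router.forward_syn(ip, port)


def scenarios() -> dict:
    """Constructed LAN: .10 answers normally, .20 runs a 'stealth' firewall,
    .30 is switched off, .40 does not exist."""
    lan = {
        "192.168.1.10": Host("192.168.1.10", open_ports={80}),
        "192.168.1.20": Host("192.168.1.20", stealth=True),
        "192.168.1.30": Host("192.168.1.30", powered_on=False),
    }
    fresh = Router(dict(lan))                       # empty ARP cache
    stale = Router(dict(lan), arp_cache={"192.168.1.30"})
    return {
        "open": probe(fresh, "192.168.1.10", 80),
        "closed": probe(fresh, "192.168.1.10", 22),
        "stealth": probe(fresh, "192.168.1.20", 22),
        "no_host": probe(fresh, "192.168.1.40", 22),
        "off_no_cache": probe(fresh, "192.168.1.30", 22),
        "off_stale_cache": probe(stale, "192.168.1.30", 22),
    }


if __name__ == "__main__":
    for name, reply in scenarios().items():
        print(f"{name:16s} -> {reply.value}")
```

    The "stealth" and "no_host" rows differ, which is Volker's point:
    silence from a dropped SYN is not the same as the ICMP unreachable a
    router returns for an address nobody holds. The "off_stale_cache" row
    is Nellie's: with a cached ARP entry the router forwards blindly, and a
    dead host and a stealthed one look identical to the scanner.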