
sygate and shields up

Tags:
  • Firewalls
  • Routers
  • Networking
Anonymous
September 8, 2005 5:06:51 PM

Archived from groups: comp.security.firewalls

When I test my Sygate firewall on Gibson's Shields Up, the ports are
coming up as closed, but not all are coming up as what GRC calls
stealth.

I figure this is to be expected. I have a 'home router'. So my router
is blocking incoming connections - including Gibson's, reporting back
"Closed". Those ports that my router is allowing through, Sygate
kicks in and blocks the incoming connection properly, reporting nothing
back - what GRC calls Stealth. Not even giving away my computer's
existence.

Is running my home router's firewall along with Sygate actually making
me less secure than if I was to run Sygate alone (since my ports
aren't 'stealthed')?


Anonymous
September 9, 2005 1:01:32 AM

Archived from groups: comp.security.firewalls

In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> When I test my sygate firewall on Gibson's Shields Up. The ports are
> coming up as closed, but not all are coming up as what GRC calls
> stealth.
>
> I figure this is to be expected. I have a 'home router'. So my router
> is blocking incoming connections - including Gibson's, reporting back
> "Closed". Those ports that my router is allowing through , Sygate
> kicks in and blocks the incoming connection properly, reporting nothing
> back - what GRC calls Stealth. Not even giving away my computer's
> existence.
>
> Is running my home router's firewall along with Sygate, actually making
> me less secure than if I was to run Sygate alone ? (since my ports
> aren't 'stealthed') ?
>
>
Run a security check on your Sygate. On the firewall main page,
select the Security Button. This takes you to Sygate website.
You will find that if your ports are "blocked" (closed), you are
in good shape.
Casey
Anonymous
September 9, 2005 1:10:25 AM

Archived from groups: comp.security.firewalls

On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:

> In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
> jameshanley39@yahoo.co.uk says...
>> When I test my sygate firewall on Gibson's Shields Up. The ports are
>> coming up as closed, but not all are coming up as what GRC calls
>> stealth.
>>
>> I figure this is to be expected. I have a 'home router'. So my router
>> is blocking incoming connections - including Gibson's, reporting back
>> "Closed". Those ports that my router is allowing through , Sygate
>> kicks in and blocks the incoming connection properly, reporting nothing
>> back - what GRC calls Stealth. Not even giving away my computer's
>> existence.
>>
>> Is running my home router's firewall along with Sygate, actually making
>> me less secure than if I was to run Sygate alone ? (since my ports
>> aren't 'stealthed') ?
>>
>>
> Run a security check on your Sygate. On the firewall main page,
> select the Security Button. This takes you to Sygate website.
> You will find that if your ports are "blocked" (closed), you are
> in good shape.
> Casey

You get them all 'blocked' from ZA and XP too!
--
Jim
Tyneside UK
Anonymous
September 9, 2005 1:12:39 AM

Archived from groups: comp.security.firewalls

jameshanley39@yahoo.co.uk wrote:

>
> Is running my home router's firewall along with Sygate, actually making
> me less secure than if I was to run Sygate alone ? (since my ports
> aren't 'stealthed') ?
>

No. Closed is the "expected" response when a computer outside your
subnet tries to connect with your system. Stealth is the equivalent of
my asking you a closed-ended question and you choosing to ignore me.
Anonymous
September 9, 2005 9:56:15 AM

Archived from groups: comp.security.firewalls

optikl wrote:
> jameshanley39@yahoo.co.uk wrote:
>
> >
> > Is running my home router's firewall along with Sygate, actually making
> > me less secure than if I was to run Sygate alone ? (since my ports
> > aren't 'stealthed') ?
> >
>
> No. Closed is the "expected" response when a computer outside your
> subnet tries to connect with your system. Stealth is the equivalent of
> my asking you a closed-ended question and you choosing to ignore me.


somebody more-or-less pointed out that what Gibson calls 'stealth'
(blocking without giving a response) is no more secure than closed.

their argument for it being no more secure was that they can already
find out my ip anyway.

It may be that 'stealth' is slightly - but barely - more secure than
closed? Indeed, it probably is, since software firewalls all do it.
But what would be your reason for saying that 'stealth' is more secure?
Anonymous
September 9, 2005 12:08:01 PM

Archived from groups: comp.security.firewalls

Keith wrote:
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > keith@microsoft.discussions.com says...
> >> So , if I had a static IP and told you what it is, can you tell whether
> >> i'm
> >> online or not?
> >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> >
> > Ping an IP that doesn't have a computer attached and see what you get
> > back.
> >
> > Ping an IP that is stealthed and see what you get back.
> >
> > If you see any difference then you know something is there.
> >
>
> Yes but would ,should there be any difference in theory or practice assuming
> no flaws in OS
>

my understanding is-

seems to me that stealth is more secure.

If you ping an ip address that has port 7 - the ICMP port stealthed.
Then it will not respond. It will be indistinguishable from a computer
that does not exist. somebody port scanning a range of IPs will not
know whether your comp exists or has the port stealthed.

However. When you make an outgoing connection, your IP is available to
the server receiving it. Regardless of whether any of your ports are
stealthed or not.
www.whatismyip.com for example. Presumably it just uses the HTTP
request you sent it, looks at the IP in the packet, and tells you your
IP.

As soon as you make an outgoing connection to anywhere, you give your
IP.
Or your 'home router' public NATTED ip.

So stealth is more secure but only regarding incoming connections.


I am far from an expert, this is all new to me.

Given info posted in the thread. My gripe with Gibson is him calling
his probing 'nanoprobing' as if it's a new technology he invented. It
is obfuscating technical material, it seems to me - it is for the
purposes of his own self promotion. By doing that, I think his self
promotion has crossed the line.
Anonymous
September 9, 2005 3:22:29 PM

Archived from groups: comp.security.firewalls

Jason Edwards wrote:
> <jameshanley39@yahoo.co.uk> wrote in message
> news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
> >
> > Keith wrote:
> > > "Leythos" <void@nowhere.lan> wrote in message
> > > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > > > keith@microsoft.discussions.com says...
> > > >> So , if I had a static IP and told you what it is, can you tell
> > > >> whether i'm
> > > >> online or not?
> > > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> > > >
> > > > Ping an IP that doesn't have a computer attached and see what you get
> > > > back.
> > > >
> > > > Ping an IP that is stealthed and see what you get back.
> > > >
> > > > If you see any difference then you know something is there.
> > > >
> > >
> > > Yes but would ,should there be any difference in theory or practice
> > > assuming no flaws in OS
> > >
> >
> > my understanding is-
> >
> > seems to me that stealth is more secure.
> >
> > If you ping an ip address that has port 7 - the ICMP port stealthed.
> > Then it will not respond. It will be indistinguishable from a computer
> > that does not exist. somebody port scanning a range of IPs will not
> > know whether your comp exists or has the port stealthed.
>
> Let's assume that this is true (even if it isn't).
> If they have half a brain they will already know that
> 82-70-237-22.dsl.in-addr.zen.co.uk

You are responding as if I am a mug that thinks that stealthed ports
are infinitely superior. And offer complete protection.

Of course, a careless user would give away all sorts of information,
especially on usenet.


Whatever method (be it usenet or anything else) they used to get the
hostname containing an ip address. It might not have been via a port
scan if ports were stealthed. It's possible a comp is there. Or not.

>They will also know that adjacent IP
> addresses are also users of the same ISP and they will know that an
> exploitable PC is very likely to be found in this range because a large
> group of 'stealthed' PCs indicates a large group of Windows users who
> thought they were safe behind their personal firewall but happily accepted
> everything Internet Explorer offered them.

I know that stealthing ports is NOT absolutely secure by any means.
In fact, it offers hardly any more protection (if any). And if you do
other things carelessly, you will get your router's IP told to the
world. There are many ways an IP can be visible - if one is careless.
I used any outgoing connection as an example. Usenet is another.
(assuming no proxy or ip spoofing or anything).

you're saying that unix users don't stealth their ports?

*Another* method (besides usenet) of hackers getting *anybody's* IP, is
just doing a port scan. And if a port is stealthed. It doesn't tell him
anything. He is left with 2 possibilities. Comp doesn't exist. Or port
is stealthed (which according to you, means a 'personal firewall').

You're saying that unix firewalls tend not to stealth ports.
I don't see why unix firewalls tend not to stealth ports. Many hackers
do just scan a range of IPs.
So stealthing does have that small advantage over closed. Why don't
unix users use it? I'm sure they had some other way (spoofing IP?
proxy?) for being more anonymous on usenet. But isn't it good to be
safer from port scans too?

Anyhow - not that it matters. NAT Devices tend not to stealth
ports(the ones I've seen certainly don't). They just report back
closed. So if a software firewall is running and stealthing ports. The
ports will be reported back as closed since the 'home router' is hit
first.

Perhaps stealthed ports indicate a windows user not behind a router.
(not that a windows user behind a router is necessarily any cleverer).
Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
above mentioned reasons.
September 9, 2005 3:46:28 PM

Archived from groups: comp.security.firewalls

jameshanley39@yahoo.co.uk wrote:

> Perhaps stealthed ports indicate a windows user not behind a router.
> (not that a windows user behind a router is necessarily any cleverer).
> Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
> above mentioned reasons.

Every once in a while, some idiot yells that security through obscurity
is a bad idea. I'd say maybe if that's all you're relying on. But if you
think about it, why do soldiers wear camouflage? Why do chameleons have
color changing abilities? Why do some insects have colors that match
their background? Because it simply works. Whether you're stealthing or
blocking doesn't really matter so long as you're making an active effort
to be security conscious. Steve Gibson, Steve Ballmer, and any other
frothing at the mouth idiot can yell as loud as they want about security
but the signal to noise ratio will still be abysmally low. Just like Usenet.

-Gary
September 9, 2005 5:22:40 PM

Archived from groups: comp.security.firewalls

On 9 Sep 2005 05:56:15 -0700, jameshanley39@yahoo.co.uk wrote:
>optikl wrote:
>> jameshanley39@yahoo.co.uk wrote:
>
>somebody more-or-less pointed out that what Gibson calls 'stealth'
>(blocking without giving a response) is no more secure than closed.
>
>their argument for it being no more secure was that they can already
>find out my ip anyway.
>
>It may be that 'stealth' is slightly - but barely - more secure than
>closed? Indeed, it probably is, since software firewalls all do it.
>But what would be your reason for saying that 'stealth' is more secure?

It's not just www.grc.com, but several sites that report security in
terms of open, closed, and stealth. For example, take a look at
http://www.pcflank.com/ and the Sygate site. And for what it's worth,
this issue of closed vs stealth has been endlessly debated for more
than 3-4 years.

Bottom line ... hell if I know?
Anonymous
September 9, 2005 6:18:25 PM

Archived from groups: comp.security.firewalls

In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
keith@microsoft.discussions.com says...
> So , if I had a static IP and told you what it is, can you tell whether i'm
> online or not?
> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes

Ping an IP that doesn't have a computer attached and see what you get
back.

Ping an IP that is stealthed and see what you get back.

If you see any difference then you know something is there.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
September 9, 2005 6:58:28 PM

Archived from groups: comp.security.firewalls

In the Usenet newsgroup comp.security.firewalls, in article
<1126270575.225521.167180@g49g2000cwa.googlegroups.com>,
jameshanley39@yahoo.co.uk wrote:

>somebody more-or-less pointed out that what Gibson calls 'stealth'
>(blocking without giving a response) is no more secure than closed.

It tends to be less secure, as the people who use stealth don't know
enough about networking, and nearly always make other ghastly mistakes.

>their argument for it being no more secure was that they can already
>find out my ip anyway.

Why do they have to find "your" IP? Why not anyone's IP? Or do you
feel that the bad guys are specifically looking for you only. If you
are smart enough to NOT install viruses, spyware, trojans or other
mal-ware (but it looked so k3w1), then the "attacks" from outside
are actually being directed at addresses picked at random. Sorry to
disappoint you.

>It may be that 'stealth' is slightly - but barely - more secure than
>closed?

IF DONE RIGHT (and it rarely is), "stealth" offers one and only one
advantage. Those who try to connect to your computer won't be able to
identify what _operating_system_ you are running. They might _guess_
that you are running XP or something, but they won't be able to positively
state that, nor guess on which service packs you've installed, if any.
But then why bother - just try using this exploit or that - if it works
then we're home free, and if not, move on to the next address.

>Indeed, it probably is, since software firewalls all do it.

No, that's marketing pressure - "product A offers to do FOO" - so
products B through Z have to do so as well, or be thought to be
lacking by the clueless sheep who buy something because it promises
to taste better or has less fat, or makes your ***** grow bigger.

>But what would be your reason for saying that 'stealth' is more secure?

I don't say that - but then I've only been using TCP/IP since 1986.

Old guy
Anonymous
September 9, 2005 7:07:54 PM

Archived from groups: comp.security.firewalls

<jameshanley39@yahoo.co.uk> wrote in message
news:1126270575.225521.167180@g49g2000cwa.googlegroups.com...
>
> optikl wrote:
> > jameshanley39@yahoo.co.uk wrote:
> >
> > >
> > > Is running my home router's firewall along with Sygate, actually making
> > > me less secure than if I was to run Sygate alone ? (since my ports
> > > aren't 'stealthed') ?
> > >
> >
> > No. Closed is the "expected" response when a computer outside your
> > subnet tries to connect with your system. Stealth is the equivalent of
> > my asking you a closed-ended question and you choosing to ignore me.
>
>
> somebody more-or-less pointed out that what Gibson calls 'stealth'
> (blocking without giving a response) is no more secure than closed.
>
> their argument for it being no more secure was that they can already
> find out my ip anyway.
>
> It may be that 'stealth' is slightly - but barely - more secure than
> closed? Indeed, it probably is, since software firewalls all do it.

The reason why personal software firewalls all do it is because they know
that most of their customers think it's better. Any personal firewall vendor
who doesn't do stealth will lose customers. So they all do it.
Whether or not stealth really is better or not is irrelevant if you want to
sell personal firewall software.

Jason

> But what would be your reason for saying that 'stealth' is more secure?
>
September 9, 2005 7:28:42 PM

Archived from groups: comp.security.firewalls

"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> keith@microsoft.discussions.com says...
>> So , if I had a static IP and told you what it is, can you tell whether
>> i'm
>> online or not?
>> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
>
> Ping an IP that doesn't have a computer attached and see what you get
> back.
>
> Ping an IP that is stealthed and see what you get back.
>
> If you see any difference then you know something is there.
>

Yes, but would, should there be any difference in theory or practice, assuming
no flaws in OS?

> --
>
> spam999free@rrohio.com
> remove 999 in order to email me
Anonymous
September 9, 2005 7:28:43 PM

Archived from groups: comp.security.firewalls

In article <dfs66m$6ah$1@newsg3.svr.pol.co.uk>,
keith@microsoft.discussions.com says...
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > keith@microsoft.discussions.com says...
> >> So , if I had a static IP and told you what it is, can you tell whether
> >> i'm
> >> online or not?
> >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> >
> > Ping an IP that doesn't have a computer attached and see what you get
> > back.
> >
> > Ping an IP that is stealthed and see what you get back.
> >
> > If you see any difference then you know something is there.
> >
>
> Yes but would ,should there be any difference in theory or practice assuming
> no flaws in OS

Yes, one lets people know you exist, one doesn't.

There is no such thing as a flawless OS, never been created. Start with
the idea that everything has holes and you will have it much easier when
it comes to security.

--

spam999free@rrohio.com
remove 999 in order to email me
Anonymous
September 9, 2005 9:20:17 PM

Archived from groups: comp.security.firewalls

<jameshanley39@yahoo.co.uk> wrote in message
news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
>
> Keith wrote:
> > "Leythos" <void@nowhere.lan> wrote in message
> > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > > keith@microsoft.discussions.com says...
> > >> So , if I had a static IP and told you what it is, can you tell
> > >> whether i'm
> > >> online or not?
> > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> > >
> > > Ping an IP that doesn't have a computer attached and see what you get
> > > back.
> > >
> > > Ping an IP that is stealthed and see what you get back.
> > >
> > > If you see any difference then you know something is there.
> > >
> >
> > Yes but would ,should there be any difference in theory or practice
> > assuming no flaws in OS
> >
>
> my understanding is-
>
> seems to me that stealth is more secure.
>
> If you ping an ip address that has port 7 - the ICMP port stealthed.
> Then it will not respond. It will be indistinguishable from a computer
> that does not exist. somebody port scanning a range of IPs will not
> know whether your comp exists or has the port stealthed.

Let's assume that this is true (even if it isn't).
If they have half a brain they will already know that
82-70-237-22.dsl.in-addr.zen.co.uk is probably a home dsl user (could be
business but makes little difference). They will also know that adjacent IP
addresses are also users of the same ISP and they will know that an
exploitable PC is very likely to be found in this range because a large
group of 'stealthed' PCs indicates a large group of Windows users who
thought they were safe behind their personal firewall but happily accepted
everything Internet Explorer offered them.

They will know all this (and more) even if your computer is behind an event
horizon, never mind a personal firewall.

Jason

> However. When you make an outgoing connection, your IP is available to
> the server receiving it. Regardless of whether any of your ports are
> stealthed or not.
> www.whatismyip.com for example. Presumably it just uses the HTTP
> request you sent it, looks at the IP in the packet, and tells you your
> IP.
>
> As soon as you make an outgoing connection to anywhere, you give your
> IP.
> Or your 'home router' public NATTED ip.
>
> So stealth is more secure but only regarding incoming connections.
>
>
> I am far from an expert, this is all new to me.
>
> Given info posted in the thread. My gripe with Gibson is him calling
> his probing 'nanoprobing' as if it's a new technology he invented. it
> is obfuscating technical material , it seems to me - it is for the
> purposes of his own self promotion. By doing that, I think his self
> promotion has crossed the
> line.
>
September 9, 2005 9:20:18 PM

Archived from groups: comp.security.firewalls

Jason Edwards wrote:

> They will know all this (and more) even if your computer is behind an event
> horizon, never mind a personal firewall.

I'd better register a domain for my new company, Event Horizon
Networking. I will build fully buzzword compliant security appliances,
spread FUD across the galaxy, and laugh all the way to the bank. When
Symantec or Microsoft buys me out and end of lifes all my vaporware
products, I'll retire to the Bahamas. Or Betelgeuse.

-Gary
Anonymous
September 10, 2005 12:04:24 AM

Archived from groups: comp.security.firewalls

<jameshanley39@yahoo.co.uk> wrote in message
news:1126290149.731517.316650@f14g2000cwb.googlegroups.com...
>
> Jason Edwards wrote:
> > <jameshanley39@yahoo.co.uk> wrote in message
> > news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
> > >
> > > Keith wrote:
> > > > "Leythos" <void@nowhere.lan> wrote in message
> > > > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > > > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > > > > keith@microsoft.discussions.com says...
> > > > >> So , if I had a static IP and told you what it is, can you tell
[cut]
> >
> > Let's assume that this is true (even if it isn't).
> > If they have half a brain they will already know that
> > 82-70-237-22.dsl.in-addr.zen.co.uk
>
> You are responding as if I am a mug that thinks that stealthed ports
> are infinitely superior. And offer complete protection.

I was in fact unable to know that you thought I would think that you think
this.

>
> Of course, a careless user would give away all sorts of information,
> especially on usenet.

Such as?

>
>
> Whatever method (be it usenet or anything else) they used to get the
> hostname containing an ip address. It might not have been via a port
> scan if ports were stealthed. It's possible a comp is there. Or not.

Yup and either it's exploitable or it's not.

>
> >They will also know that adjacent IP
> > addresses are also users of the same ISP and they will know that an
> > exploitable PC is very likely to be found in this range because a large
> > group of 'stealthed' PCs indicates a large group of Windows users who
> > thought they were safe behind their personal firewall but happily
> > accepted
> > everything Internet Explorer offered them.
>
> I know that stealthing ports is NOT absolutely secure by any means.
> In fact, it offers hardly any more protection (if any). And if you do
> other things carelessly, you will get your router's IP told to the
> world.

Assuming your computer is not exploitable, can you think of a reason to care
about who (world or otherwise) knows your IP address? (I'm not saying there
is no possible reason whatsoever).

> There are many ways an IP can be visible - if one is careless.
> I used any outgoing connection as an example. Usenet is another.
> (assuming no proxy or ip spoofing or anything).
>
> you're saying that unix users don't stealth their ports?

I don't recall saying anything at all about unix anything.

>
> *Another* method (besides usenet) of hackers getting *anybody's* IP, is
> just doing a port scan.

I think you'll find that it's necessary to have an IP (or IP range) _before_
doing a port scan.

> And if a port is stealthed. It doesn't tell him
> anything. He is left with 2 possibilities. Comp doesn't exist. Or port
> is stealthed (which according to you, means a 'personal firewall').

Many home NAT routers appear as 'stealth' to shields up.
The vendors would never be able to sell them otherwise.
People would return them claiming that they weren't stealth.

>
> You're saying that unix firewalls tend not to stealth ports.

I don't recall saying anything at all about unix anything.
It may be true that not all the customers of
http://www.zen.co.uk/
use Windows but I think we can safely assume that most of them do.

> I don't see why unix firewalls tend not to stealth ports. Many hackers
> do just scan a range of IPs.
> So stealthing does have that small advantage over closed. Why don't
> unix users use it? I'm sure they had some other way (spoofing IP?
> proxy?) for being more anonymous on usenet. But isn't it good to be
> safer from port scans too?

What makes you want to be safe from port scans?
What harm can a port scan do to you?

Jason

>
> Anyhow - not that it matters. NAT Devices tend not to stealth
> ports(the ones I've seen certainly don't). They just report back
> closed. So if a software firewall is running and stealthing ports. The
> ports will be reported back as closed since the 'home router' is hit
> first.
>
> Perhaps stealthed ports indicate a windows user not behind a router.
> (not that a windows user behind a router is necessarily any cleverer).
> Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
> above mentioned reasons.
>
Anonymous
September 10, 2005 1:18:33 AM

Archived from groups: comp.security.firewalls

In article <slnkuzbl6wcw.dlg@ID-104726.news.individual.net>,
mr.jimscott@Xvirgin.net says...
> On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:
>
> > In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
> > jameshanley39@yahoo.co.uk says...
> >> When I test my sygate firewall on Gibson's Shields Up. The ports are
> >> coming up as closed, but not all are coming up as what GRC calls
> >> stealth.
> >>
> >> I figure this is to be expected. I have a 'home router'. So my router
> >> is blocking incoming connections - including Gibson's, reporting back
> >> "Closed". Those ports that my router is allowing through , Sygate
> >> kicks in and blocks the incoming connection properly, reporting nothing
> >> back - what GRC calls Stealth. Not even giving away my computer's
> >> existence.
> >>
> >> Is running my home router's firewall along with Sygate, actually making
> >> me less secure than if I was to run Sygate alone ? (since my ports
> >> aren't 'stealthed') ?
> >>
> >>
> > Run a security check on your Sygate. On the firewall main page,
> > select the Security Button. This takes you to Sygate website.
> > You will find that if your ports are "blocked" (closed), you are
> > in good shape.
> > Casey
>
> You get them all 'blocked' from ZA and XP too!
>
Hi Jim,
James, the poster, was concerned about a test of his Sygate at GRC
that show his ports "Closed". He was wondering why the ports were
not called "Stealthed".
I suggested he do a test at the Sygate website where he would also
find his ports "Blocked" (closed). I was trying to point out that
Stealth is advertising nonsense.
Most any firewall worth a flip will block/close ports.
Casey
Anonymous
September 10, 2005 2:51:54 AM

Archived from groups: comp.security.firewalls

On Fri, 09 Sep 2005 21:18:33 GMT, Casey Klc wrote:

> In article <slnkuzbl6wcw.dlg@ID-104726.news.individual.net>,
> mr.jimscott@Xvirgin.net says...
>> On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:
>>
>>> In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
>>> jameshanley39@yahoo.co.uk says...
>>>> When I test my sygate firewall on Gibson's Shields Up. The ports are
>>>> coming up as closed, but not all are coming up as what GRC calls
>>>> stealth.
>>>>
>>>> I figure this is to be expected. I have a 'home router'. So my router
>>>> is blocking incoming connections - including Gibson's, reporting back
>>>> "Closed". Those ports that my router is allowing through , Sygate
>>>> kicks in and blocks the incoming connection properly, reporting nothing
>>>> back - what GRC calls Stealth. Not even giving away my computer's
>>>> existence.
>>>>
>>>> Is running my home router's firewall along with Sygate, actually making
>>>> me less secure than if I was to run Sygate alone ? (since my ports
>>>> aren't 'stealthed') ?
>>>>
>>>>
>>> Run a security check on your Sygate. On the firewall main page,
>>> select the Security Button. This takes you to Sygate website.
>>> You will find that if your ports are "blocked" (closed), you are
>>> in good shape.
>>> Casey
>>
>> You get them all 'blocked' from ZA and XP too!
>>
> Hi Jim,
> James, the poster, was concerned about a test of his Sygate at GRC
> that show his ports "Closed". He was wondering why the ports were
> not called "Stealthed".
> I suggested he do a test at the Sygate website where he would also
> find his ports "Blocked" (closed). I was trying to point out that
> Stealth is advertising nonsense.
> Most any firewall worth a flip will block/close ports.
> Casey

On the other hand http://www.hackerwatch.org/probe/ port-scan distinguishes
between closed and stealthed.
--
Jim
Tyneside UK
Anonymous
September 10, 2005 12:15:08 PM

Archived from groups: comp.security.firewalls

charlie R <welpctSKIPME@psci.net> wrote:
> When you connect to a website, it has to read your address, or else
> you couldn't view it. Gibson also tells you your machine address when
> you connect to his site. The scanner is a different machine and
> cannot see your address because you are not connected to it, and your
> ports are closed or stealth.

Please first read RFC 792 and try to understand it. Then you'll see,
that this is just nonsense. This is not the way, the TCP/IP network
family is working.

If a host is not there, then you get a message from a router before:
the message, that a packet to this host cannot be routed (ICMP Destination
Unreachable with code 0, net unreachable, or code 1, host unreachable).

If a host is there, and only there is no process listening at the port
you wanted to communicate with, you get a message: ICMP Destination
Unreachable with code 3 or a TCP RST (see RFC 793).

If you're getting nothing, then you know: there definitely _is_ a host:
A Windows box with a protocol injuring "Personal Firewall" which fools
its user into feeling "stealth".

> The server you are connected to can read
> your IP, and anything else your security settings allow, if it wants
> to.

No. The system you communicate with has your IP address, of course -
you're communicating with it. But it cannot "read ... anything else your
security settings allow". This is just wrong.

> That's why it's important to block Active X, mobile code,
> scripts, java, etc, and keep your Internet Security settings high.

This is monkeyshines. The reason why not using ActiveX is completely
different - it's the design flaws in ActiveX. This has nothing to do
with "mobile code" or "scripts".

> VB will tell you he can get into any machine he wants
> to, despite personal firewalls.

BTW: I never told that.

Please, before you're starting with polemics, *PLEASE* read the RFCs.
They're in English. You can understand that, if you try.

The RFCs http://www.rfc-editor.org are the official standards of the IETF,
the Internet Engineering Task Force, http://www.ietf.org

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
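
The response cases described in the post above (ICMP Destination Unreachable codes from RFC 792, a TCP RST, or silence) written as a small classifier. This is an added example, not code from any poster in the thread; the packets are constructed with documentation addresses, and treating silence as "a host is there" assumes, as the post does, that the last router reports unreachable hosts.

```python
import socket
import struct
from typing import NamedTuple, Optional

ICMP, TCP = 1, 6                 # IPv4 protocol numbers
DEST_UNREACH = 3                 # ICMP type 3, Destination Unreachable (RFC 792)
SYN, RST, ACK = 0x02, 0x04, 0x10  # TCP flag bits (RFC 793)


class Verdict(NamedTuple):
    state: str                    # "open", "closed", "no-host", "filtered", "other"
    host_inferred: Optional[bool]  # None when the reply does not settle it
    responder: Optional[str]      # source address of the reply, if any


def classify_reply(packet: Optional[bytes]) -> Verdict:
    """Classify the reply to a single TCP SYN probe from a raw IPv4 packet."""
    if packet is None:
        # No router error and no RST: something dropped the probe silently.
        # Assumption from the thread: a missing host would have produced an
        # ICMP unreachable from a router, so silence points at a filter.
        return Verdict("filtered", True, None)
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length in bytes
    proto = packet[9]
    src = socket.inet_ntoa(packet[12:16])
    payload = packet[ihl:]
    if proto == ICMP and len(payload) >= 2:
        icmp_type, icmp_code = payload[0], payload[1]
        if icmp_type == DEST_UNREACH and icmp_code in (0, 1):
            return Verdict("no-host", False, src)   # net/host unreachable, from a router
        if icmp_type == DEST_UNREACH and icmp_code == 3:
            return Verdict("closed", True, src)     # port unreachable, from the host
        return Verdict("other", None, src)
    if proto == TCP and len(payload) >= 14:
        flags = payload[13]
        if flags & RST:
            return Verdict("closed", True, src)     # nothing listening on that port
        if flags & SYN and flags & ACK:
            return Verdict("open", True, src)       # a service answered
    return Verdict("other", None, src)


# --- Constructed sample replies (checksums left at 0, addresses from the
# --- documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
PROBER, TARGET, ROUTER = "198.51.100.10", "192.0.2.50", "203.0.113.1"


def _ipv4(src: str, proto: int, payload: bytes) -> bytes:
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(PROBER))
    return header + payload


def _icmp_unreach(code: int) -> bytes:
    # type, code, checksum, unused, then room for the quoted original header
    return struct.pack("!BBHI", DEST_UNREACH, code, 0, 0) + b"\x00" * 28


def _tcp(flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", 80, 40000, 0, 1, 5 << 4, flags, 0, 0, 0)


SAMPLES = {
    "router: host unreachable": _ipv4(ROUTER, ICMP, _icmp_unreach(1)),
    "target: port unreachable": _ipv4(TARGET, ICMP, _icmp_unreach(3)),
    "target: TCP RST": _ipv4(TARGET, TCP, _tcp(RST | ACK)),
    "target: TCP SYN/ACK": _ipv4(TARGET, TCP, _tcp(SYN | ACK)),
    "no reply at all": None,
}


def summarize() -> dict:
    """Map each constructed sample to its classified state."""
    return {label: classify_reply(pkt).state for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:28} -> {classify_reply(pkt)}")
```

Only the "no-host" verdict comes from an address other than the probed one, which is why a silent drop is distinguishable from an absent host in this model.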
Anonymous
September 10, 2005 12:15:09 PM

Archived from groups: comp.security.firewalls (More info?)

>
> If you're getting nothing, then you know: there definitely _is_ a
> host: A Windows box with a protocol injuring "Personal Firewall" which
> fools its user feeling "stealth".
>

I like that --- protocol injuring. :) 

Duane :) 
Anonymous
September 10, 2005 12:15:53 PM

Archived from groups: comp.security.firewalls (More info?)

Jason <Jason@winblows.net> wrote:
> And you were doing so good until you said use the windows-firewall too.

What problem are you having with the Windows-Firewall?

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 12:18:43 PM

Archived from groups: comp.security.firewalls (More info?)

Keith <keith@microsoft.discussions.com> wrote:
> So, if I had a static IP and told you what it is, can you tell whether I'm
> online or not?

If you mean with that, that sometimes your computer is not connected
and sometimes it is, yes even if your computer is "stealthed", one can
detect that.

That is, because if you're not online, the router of your provider sends
an ICMP Destination Unreachable message, usually with code 1 (host
unreachable). When you're connected, then it doesn't.

> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes

You're guessing wrong.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 12:43:16 PM

Archived from groups: comp.security.firewalls (More info?)

Keith <keith@microsoft.discussions.com> wrote:
> > Ping an IP that doesn't have a computer attached and see what you get
> > back.
> > Ping an IP that is stealthed and see what you get back.
> > If you see any difference then you know something is there.
> Yes but would, should there be any difference in theory or practice assuming
> no flaws in OS

Sorry, this is all nonsense.

No-one would use ICMP echo (this is what your PING command does) to find
out whether a host exists or not.

ICMP echo is just for testing purposes in own setups. Everyone knows, that
most people try to "hide" their PCs by filtering ICMP echo, so no-one will
use it for such cases.

A much better probe is using nmap -sS -P0 to scan, just sending TCP SYN
to different ports. Usually, one gets back information like ICMP
destination unreachable with code 0 or 1, which means there is no host,
or ICMP destination unreachable with code 3, TCP RST or just nothing,
which means, that there _is_ a host.

This is why nmap is showing a host to be there also if there is no reply.

BTW: because there will be no help for security at all with "hiding" a
PC or other host, even if this would be possible, this complete discussion
is ridiculous anyway.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 12:53:35 PM

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> I know that stealthing ports is NOT absolutely secure by any means.

That's right, because it's not helping to make a computer more secure
at all.

> And if you do
> other things carelessly, you will get your router's IP told to the
> world.

*ROTFL* - how should routing work _without_ having this IP? Please,
*PLEASE* first try to understand the concepts you're talking about!

> There are many ways an IP can be visible - if one is careless.

*sigh*

> *Another* method (besides usenet) of hackers getting *anybody's* IP, is
> just doing a port scan.

The next misunderstanding. "Hackers" (you mean crackers, see the Jargon
File), are not trying to get anybody's IP. They're just scanning networks
for connected boxes, the IPs they have already.

> And if a port is stealthed. It doesn't tell him
> anything.

Yes, and that tells an attacker, that there definitely _is_ a host,
otherwise he would have got back an answer, as I stated already.

> He is left with 2 possibilities. Comp doesn't exist. Or port
> is stealthed(which according to you, means a 'personal firewall'.

This is wrong, unfortunately. Could you *please* read the RFCs now,
before you're continuing to argue? That would help to have a sensible
discussion, thanx!

> So stealthing does have that small advantage over closed.

No, it hasn't.

> Why don't
> unix users use it?

I don't know most UNIX users. Usually they don't do it, because this
is crippling your TCP/IP implementation, wrong undefined behaviour,
which does not help at all.

> I'm sure they had some other way (spoofing IP?
> proxy?) for being more anonymous on usenet. But isn't it good to be
> safer from port scans too?

The problem is, that anonymity in the Internet cannot be achieved this way
at all. Better methods you'll find in the Tor project and in the AN.ON
project. Both of them are good ideas to try to reach anonymity in the
Internet.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 1:29:30 PM

Archived from groups: comp.security.firewalls (More info?)

Gary <garyd@efn.org.spamsux> wrote:
> Every once in a while, some idiot yells that security through obscurity
> is a bad idea. I'd say maybe if that's all you're relying on. But if you
> think about it, why do soldiers wear camouflage? Why do chameleons have
> color changing abilities? Why do some insects have colors that match
> their background?

Ok, I'll try to explain.

We're not talking about the "real world", the world where the pizza man
comes from ;-) We're talking about computers, about a special case of
computers: about deterministic machines. But let us compare anyway:

Here you have three classes of methods for improving security against
the incidence of an event you want to avoid.

[A] You can make it impossible for an event to happen, already in theory.

[B] You can make it unlikely for an event to happen, so unlikely, that
you can say, it will not happen in practice.

[C] You can make it unlikely for an event to happen, but the likelihood
is not small enough, that you can be sure, that it will not happen
in practice. It will be seldom, though.

I think, it's obvious, why to prefer methods of class [A] to methods of
class [B], and why to prefer methods of classes [A] and [B] to methods of
class [C], OK?

There is no method of [A] or [B] to make a soldier or a chameleon not
being detected. There is only a method of [C]: camouflage. So, because
there is no other way, soldiers and chameleons are using methods of [C].

Believe me, if a soldier or a chameleon had the option to find methods
of [A] or [B], they would do it immediately and not using camouflaging
any more.

Now there are differences between deterministic machines and the
pizza man universe:

With deterministic machines there often are possibilities for methods
of [A] or at least [B], for most of the cases, so why using methods of
[C] at all?

Another reason is: Many of the events you want to avoid are secrets
detected by an attacker. Methods of [C] do not help here at all, because
in the deterministic discrete world of computers, all states are
countable. Usually, a method is in [C] and not in [B], because it is
possible also in practice to just "try out" every combination (beside
cleverer ways, which will be preferred by most attackers). This is
called "brute forcing".

Brute forcing only is not possible if the secrets are protected by
methods of [A] or at least of [B] (by definition).

So this is the reason, why people say: "Don't use security by obscurity,
it will not work".

To be exactly, they should say: "Don't use security by obscurity for most
of the cases, because there are much better methods to secure - in most
cases, security by obscurity will not work, though, only in a few ones it
could work anyway."

Clear now? ;-)

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 1:35:01 PM

Archived from groups: comp.security.firewalls (More info?)

Jim Scott <mr.jimscott@xvirgin.net> wrote:
> On the other hand http://www.hackerwatch.org/probe/ port-scan distinguishes
> between closed and stealthed.

I tried out http://www.hackerwatch.org/probe/ - the results were useless.
You can find out more on this topic in <431452bf@news.uni-ulm.de>

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 1:37:33 PM

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> It may be that 'stealth' is slightly - but barely - more secure than
> closed?

No, it isn't.

> Indeed, it probably is, since software firewalls all do it.

They do it because, then people _feel_ more secure, when they're buying
such products, though they're not more secure. This is fooling people.

> But what would be your reason for saying that 'stealth' is more secure?

I'm looking forward to the explanation ;-)

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 10, 2005 3:26:00 PM

Archived from groups: comp.security.firewalls (More info?)

In the Usenet newsgroup comp.security.firewalls, in article
<dfs66m$6ah$1@newsg3.svr.pol.co.uk>, Keith wrote:

>"Leythos" <void@nowhere.lan> wrote

>> Ping an IP that doesn't have a computer attached and see what you get
>> back.
>>
>> Ping an IP that is stealthed and see what you get back.
>>
>> If you see any difference then you know something is there.
>
>Yes but would, should there be any difference in theory or practice
>assuming no flaws in OS

Apparently, your O/S is masking what's happening.

When you 'ping' an address that doesn't have a computer, the last
working router your ping passes over trying to reach the address will
discover "you can't get there". The _router_ sends an error message
back to you.

When you 'ping' a working address, this error doesn't happen, because
the last router is able to send the packet on - it doesn't make one
bit of difference if the destination is stealth, closed, or has its
legs wide open. It doesn't make ANY difference no matter what the
operating system is on the destination. The router did its job, and
forwarded the packet.

If you 'ping' a working address and the destination is open, you should
get a response back. If the destination is closed, you will also get
back a response, but it will tell you that it's closed.

If the destination is stealthed, then you won't get a response back.

Now, re-read what I've just written. The ONLY time you don't get a
response back is when it's stealthed. So why do you feel it's so
hard to detect stealthed computers?

Old guy
Anonymous
September 10, 2005 3:26:49 PM

Archived from groups: comp.security.firewalls (More info?)

In the Usenet newsgroup comp.security.firewalls, in article
<1126278481.310732.60110@g47g2000cwa.googlegroups.com>,
jameshanley39@yahoo.co.uk wrote:

>my understanding is-
>
>seems to me that stealth is more secure.

Possible, but only under exceptional circumstances.

>If you ping an ip address that has port 7 - the ICMP port stealthed.

0792 Internet Control Message Protocol. J. Postel. Sep-01-1981.
(Format: TXT=30404 bytes) (Obsoletes RFC0777) (Updated by RFC0950)
(Also STD0005) (Status: STANDARD)

ICMP doesn't have ports. An ICMP Echo Request (called a 'ping' based
on the original program used) is a Type 8 Code 0. The ICMP Echo Reply
is a Type 0 Code 0. The port 7 you are thinking of:

echo 7/tcp Echo
echo 7/udp Echo
# Jon Postel <postel@isi.edu>

(Jonathan Postel died in 1998, but you'll find his name nearly everywhere
in Internet documents.) Notice that the '7' is referencing TCP and UDP.
The document that defines that is

0862 Echo Protocol. J. Postel. May-01-1983. (Format: TXT=1294 bytes)
(Also STD0020) (Status: STANDARD)

While it is a standard, no one uses this service.

>Then it will not respond. It will be indistinguishable from a computer
>that does not exist.

When you attempt to contact a computer that does not exist (is turned
off, not plugged in, never unpacked - doesn't matter), the last
working router sends an error message back "I can't get there".

When you attempt to contact a computer that is connected, and open or
closed, you will get back a response from that computer (either a
"welcome", or a "go-away" message).

When you attempt to contact a computer that is stealthed, there is no
response.

So, the quite obvious difference is that error message from the router.
Your premise fails.

>As soon as you make an outgoing connection to anywhere, you give your
>IP.

Correct.

>So stealth is more secure but only regarding incoming connections.

Nope. The only thing stealth MAY buy you is preventing O/S fingerprinting,
but only if no ports are open, and ALL OTHER PROTOCOLS (there's another
hint - there is more than ICMP, TCP and UDP) are set to remain silent.
Nearly everyone using 'stealth' is quite unaware of the other problem,
so stealth fails.

>I am far from an expert, this is all new to me.

TCP/IP Illustrated Volume 1 - The Protocols. W.Richard Stevens 1994,96
Addison Wesley, ISBN 0-201-63346-9, 576 pgs, US$LOTS

Try to find a copy in a technical library. The book is normally used as a
textbook in college or university networking classes. I think I paid about
US$55 for my copy in 1994. It's a bit old, but it is profusely illustrated,
and understandable because of that and the many examples it contains.

Old guy
Anonymous
September 10, 2005 9:12:56 PM

Archived from groups: comp.security.firewalls (More info?)

Volker Birk wrote:
> Gary <garyd@efn.org.spamsux> wrote:
> > Every once in a while, some idiot yells that security through obscurity
> > is a bad idea. I'd say maybe if that's all you're relying on. But if you
> > think about it, why do soldiers wear camouflage? Why do chameleons have
> > color changing abilities? Why do some insects have colors that match
> > their background?
>
> Ok, I'll try to explain.
>
> We're not talking about the "real world", the world where the pizza man
> comes from ;-) We're talking about computers, about a special case of
> computers: about deterministic machines. But let us compare anyway:
>
> Here you have three classes of methods for improving security against
> the incidence of an event you want to avoid.
>
> [A] You can make it impossible for an event to happen, already in theory.
>
> [B] You can make it unlikely for an event to happen, so unlikely, that
> you can say, it will not happen in practice.
>
> [C] You can make it unlikely for an event to happen, but the likelihood
> is not small enough, that you can be sure, that it will not happen
> in practice. It will be seldom, though.
>
> I think, it's obvious, why to prefer methods of class [A] to methods of
> class [B], and why to prefer methods of classes [A] and [B] to methods of
> class [C], OK?
>
> There is no method of [A] or [B] to make a soldier or a chameleon not
> being detected. There is only a method of [C]: camouflage. So, because
> there is no other way, soldiers and chameleons are using methods of [C].
>
> Believe me, if a soldier or a chameleon had the option to find methods
> of [A] or [B], they would do it immediately and not using camouflaging
> any more.
>
> Now there are differences between deterministic machines and the
> pizza man universe:
>
> With deterministic machines there often are possibilities for methods
> of [A] or at least [B], for most of the cases, so why using methods of
> [C] at all?
>
> Another reason is: Many of the events you want to avoid are secrets
> detected by an attacker. Methods of [C] do not help here at all, because
> in the deterministic discrete world of computers, all states are
> countable. Usually, a method is in [C] and not in [B], because it is
> possible also in practice to just "try out" every combination (beside
> cleverer ways, which will be preferred by most attackers). This is
> called "brute forcing".
>
> Brute forcing only is not possible if the secrets are protected by
> methods of [A] or at least of [B] (by definition).
>
> So this is the reason, why people say: "Don't use security by obscurity,
> it will not work".
>
> To be exactly, they should say: "Don't use security by obscurity for most
> of the cases, because there are much better methods to secure - in most
> cases, security by obscurity will not work, though, only in a few ones it
> could work anyway."
>
> Clear now? ;-)
>
> Yours,
> VB.
> --
> "Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
> deutschen Schlafzimmern passiert".
> Harald Schmidt zum "Weltjugendtag"


ok- if you're talking about competing options of which A is superior to
B which is superior to C.


But in the stealth case. C=stealth, is not inferior to B=Closed (in
terms of security offered).
In fact, C matches the security offered by B (if it's Stealthed then
it's not Open. It is closed), it just makes it a tiny amount more
difficult to find out if the IP exists on the internet (you said in a
post. nmap with the switch -p0).

In your case, you would use many intelligent techniques for securing
your system. A cracker intelligent enough to get through your system
would not be put off by a 'Stealthed port' or fooled into thinking that
there's no comp or router with that IP.

Perhaps for the average user, that little obscurity might put off a
cracker that could break into their system.
Anonymous
September 10, 2005 10:52:52 PM

Archived from groups: comp.security.firewalls (More info?)

I detected that on Sat 10-Sep-2005 07:15:08 Volker Birk
wrote in message <news:432279ec@news.uni-ulm.de>
<snip>

> If a host is there, and only there is no process listening at the port
> you wanted to communicate with, you get a message: ICMP Destination
> Unreachable with code 3 or a TCP RST (see RFC 793).
>
> If you're getting nothing, then you know: there definitely _is_ a host:

Not always? For example, in an ethernet environment if the end device is
recently[1] powered down (or powered down and has a static entry in the
ARP table) the router will have an ARP entry. It has no need to send an
ARP request (which would result in the router responding as in your
examples). It encapsulates the PDU and sends it on its way. Exactly the
same would happen with a 'stealthed' device. IMO the only way of really
telling any difference (bar trying to elicit responses via crafted
packets) is to have access to the layer 2 devices and trace the port the
device is patched to and see whether one can detect a MAC there (or
ascertain how old the ARP table entry is on the router if it is not a
static).

[1] 'recently' being a value less than the expiration period of the
cached entry in the router's ARP table. I think the default value for
Cisco IOS is about 4 hours?
Anonymous
September 11, 2005 4:59:23 AM

Archived from groups: comp.security.firewalls (More info?)

>
> Perhaps for the average user, that little obscurity might put off a
> cracker that could break into their system.
>
>


If a hacker broke into average someone's computer with any type
of filter/PFW active on the machine and configured properly, the average
someone contributed in some way that led to the compromise of the machine
by the user clicking on something that introduced the compromise. So closed
port or stealthed ports it's over.

If one wants a machine to be stealthed, then one puts the machine behind a
cheap NAT router with all ports closed by default and unsolicited inbound
traffic never reaches the machine -- that's stealth.

Duane :) 
Anonymous
September 11, 2005 2:04:49 PM

Archived from groups: comp.security.firewalls (More info?)

Nellie <Nellie@from.is.invalid> wrote:
> > If you're getting nothing, then you know: there definitely _is_ a host:
> Not always? For example, in an ethernet environment if the end device is
> recently[1] powered down (or powered down and has a static entry in the
> ARP table) the router will have an ARP entry. It has no need to send an
> ARP request (which would result in the router responding as in your
> examples). It encapsulates the PDU and sends it on its way. Exactly the
> same would happen with a 'stealthed' device.

Sorry, no.

The point, that a router detects somewhat later, if a device is just
switched off, has nothing to do with "stealthing". The WAN connections don't
use ARP at all usually anyway, but some point2point protocol.

> IMO the only way of really
> telling any difference (bar trying to elicit responses via crafted
> packets) is to have access to the layer 2 devices and trace the port the
> device is patched to and see whether one can detect a MAC there (or
> ascertain how old the ARP table entry is on the router if it is not a
> static).

It's enough to look at the ICMP messages. Just try it out, please. Or
better: read the RFCs yourself.

> [1] 'recently' being a value less than the expiration period of the
> cached entry in the router's ARP table. I think the default value for
> Cisco IOS is about 4 hours?

Yes. But: so what?

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 11, 2005 2:17:08 PM

Archived from groups: comp.security.firewalls (More info?)

jameshanley39@yahoo.co.uk wrote:
> But In the stealth case. C=stealth, is not inferior to B=Closed (in
> terms of security offered).

In terms of security, sending nothing is not superior to sending TCP RST,
and sending TCP RST is not superior to sending nothing. It just doesn't
matter.

In terms of networking, sending nothing in this situation means violating
protocol, and that means one does not support the free Internet any more,
but disturbing free communication.

It's just b0rken to send nothing in this situation, anybody who is able
to read the RFCs can understand that. And it's completely useless.

> Infact, C matches the security offered by B (if it's Stealthed then
> it's not Open. It is closed), it just makes it a tiny amount more
> difficult to find out if the IP exists on the internet (you said in a
> post. nmap with the switch -p0).

No. It doesn't. It's ridiculous to argue, that -P0 as an option in nmap
will make it more difficult to scan "stealthed" hosts. It does not do it
at all. Usually, when I'm scanning, I'm typing nmap -sS -P0 automatically
without knowing what's goin' on, or on my laptop there is an alias
nmap='nmap -sS -P0' already in my .zshrc - so what?

> In your case, you would use many intelligent techniques for securing
> your system. A cracker intelligent enough to get through your system
> would not be put off by a 'Stealthed port' or fooled into thinking that
> there's no comp or router with that IP.
> Perhaps for the average user, that little obscurity might put off a
> cracker that could break into their system.

Even if "stealthing" would bring obscurity (which it does not as I stated
already), this would not help at all. Any script-kiddy tool can handle
such easy things, so even not pupils who are trying out "cracking boxes"
out of the school network will be influenced by such ridiculous "security".

"Stealthing" is, what it is: an idea, perhaps from Mr. Gibson, which sounds
good, everyone is believing in, the manufacturers of "security" software
like the "Personal Firewalls" can make advertising with and money is coming
in with.

It's a typical placebo.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"
Anonymous
September 11, 2005 3:33:32 PM

Archived from groups: comp.security.firewalls (More info?)

<jameshanley39@yahoo.co.uk> wrote in message
news:1126397576.801637.69870@o13g2000cwo.googlegroups.com...
>
> Volker Birk wrote:
> > Gary <garyd@efn.org.spamsux> wrote:
> > > Every once in a while, some idiot yells that security through obscurity
> > > is a bad idea. I'd say maybe if that's all you're relying on. But if you
> > > think about it, why do soldiers wear camouflage? Why do chameleons have
> > > color changing abilities? Why do some insects have colors that match
> > > their background?
> >
> > Ok, I'll try to explain.
> >
> > We're not talking about the "real world", the world where the pizza man
[cut]
>
> ok- if you're talking about competing options of which A is superior to
> B which is superior to C.
>
>
> But In the stealth case. C=stealth, is not inferior to B=Closed (in
> terms of security offered).

Sure it is because it's an unnecessary step which will take time (and maybe
money if you wasted money on a personal firewall) to implement. It's
unnecessary because if you have B (or A) then you don't need C.

If I limit the discussion to inbound connection requests (which you want to
'stealth') then it should be easy to see that as a home PC user I can have
A. I can make it impossible for anyone else on the internet to get a
potentially exploitable response from my PC. To do this I simply make sure
that no services are being offered to the Internet. It does not matter how
my PC responds to an inbound packet containing any port numbers or other
information as long as the PC does not send any useful information back in
response to an unsolicited request. The fact that it does send something
back (closed or port unreachable) is irrelevant. This does not mean that
useful information is sent to anyone else. I know you'll try to argue that
this gives your IP away or tells the 'hacker' that you are there but I think
this has more to do with psychology than anything else. In some cases it's
due to lack of knowledge. The misconception that 'stealth' hides your IP is
not uncommon, as is the misconception that a firewall hides your IP. A worse
misconception is that a personal firewall will keep malware off your PC.

I think you should increase your knowledge. Buy the book Moe Trin
recommended. Do some searches.
The Internet is not the answer to everything but if you want technical
information on how it works then a search engine is all you need. You may
already be aware of how to search but here are some examples in case they
help.

http://www.google.com/search?&q=icmp

http://www.google.com/search?q=icmp+packet+structure

Try some tools which will show useful information which you can learn from.

http://www.google.com/search?q=tcpview

Understand what you are connecting to, and why.
Tools such as shields up do not tell you what your computer is having a
conversation with if your computer made the outbound request to another
computer.

Make sure you are not offering any unnecessary services to the Internet.

http://www.google.com/search?q=%22security+scan%22

But don't be fooled into purchasing any unnecessary products offered by
those sites, just use them to check whether any obvious services are being
offered to the Internet.

When you've read everything you can find, ask questions either here or in
comp.protocols.tcp-ip
By then you may find your questions being answered by a different set of
people - those who never bother with pointless arguments about whether
stealth is better or not because they already have sufficient knowledge to
make their own decision.

I would advise you to forget about whether or not stealth makes you more
secure and concentrate on other things which are far more important. If you
are not already aware of what is running in your computer and why it's there
and what it's doing then find out. A personal firewall will not help with
this and 'stealth' will not make the slightest bit of difference. If you
must use Internet Explorer then ask yourself why it's had a security update
every month since the beginning of time. No browser is 100% secure but a B
browser is better than a C one.

Personal firewalls exist to persuade people to buy them. They do not exist
to help educate people to the level where they understand why they didn't
need to purchase that firewall software.

Jason
Anonymous
September 12, 2005 2:28:49 AM

Archived from groups: comp.security.firewalls (More info?)

I detected that on Sun 11-Sep-2005 09:04:49 Volker Birk
wrote in message <news:4323e521@news.uni-ulm.de>
> Nellie <Nellie@from.is.invalid> wrote:
>>> If you're getting nothing, then you know: there definitely _is_ a host:
>> Not always? For example, in an ethernet environment if the end device is
>> recently[1] powered down (or powered down and has a static entry in the
>> ARP table) the router will have an ARP entry. It has no need to send an
>> ARP request (which would result in the router responding as in your
>> examples). It encapsulates the PDU and sends it on its way. Exactly the
>> same would happen with a 'stealthed' device.
>
> Sorry, no.
>
> The point, that a router detects somewhat later, if a device is just
> switched off, has nothing to do with "stealthing".

My point being that (in my example) there is no way to
differentiate. Security by obfuscation/doubt, no certainty. Unlike your
'definite' <shrug>.

> The WAN connections don't
> use ARP at all usually anyway, but some point2point protocol.

I think I am/we are thinking of two distinct setups/talking at cross
purposes.

Thank you for the brief exchange of views.
Anonymous
September 12, 2005 11:46:24 AM

Archived from groups: comp.security.firewalls (More info?)

Nellie <Nellie@from.is.invalid> wrote:
> My point being that (in my example) there is no way to
> differentiate. Security by obfuscation/doubt, no certainty. Unlike your
> 'definite' <shrug>.
> > The WAN connections don't
> > use ARP at all usually anyway, but some point2point protocol.
> I think I am/we are thinking of two distinct setups/talking at cross
> purposes.

Yes. Aren't we talking about boxes, which are connected via Modem, DSL,
$WHATEVER to the Internet, and "protected" by the "stealthing" feature
of a "Personal Firewall", so their IP-address is "hidden"?

I just wanted to explain, why this cannot work.

Of course, it is possible to completely hide a host in a network - just
_never_ send anything to any other host, use the connection read only.

That includes, do not "load" webpages, do not send or receive E-Mail with
this host.

In such a scenario, the host is invisible to the rest of the network.
Sometimes, one is doing this for sniffing purposes, for example.

Yours,
VB.
--
"Es kann nicht sein, dass die Frustrierten in Rom bestimmen, was in
deutschen Schlafzimmern passiert".
Harald Schmidt zum "Weltjugendtag"