How to tell if a firewall alert is suspicious or not

G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

How can I tell if a Sygate firewall alert is suspicious or not?

For example, I received this message from Sygate just now:

Sygate Personal Firewall:
Firefox (firefox.exe) is being contacted from a remote machine
[206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?

How can I tell if this is suspicious or not?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message > Firefox
(firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?

Look at your TCP/IP configuration. Isn't that your SBC DNS server?

nf
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

There are ways you can research these things... however, you will get so
many of these alerts, and it is so fruitless to research them all, that I
strongly recommend you consider a firewall configuration that does not alert
you all the time with these things. Having a firewall ask the user to make
decisions is a security accident waiting to happen, and is also a
significant consumption of your time.

If and when you do want to research these things, you should look up what
the remote IP address is, for example starting with the DNS name lookup and
whois lookup at www.nwtools.com [which also gets the DNS name and a lot of
other things] or www.netsol.com to find out what that IP address is and
whether you or your computer could have had reason to contact it. This IP
is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this
is probably normal.

It's also useful to know what the protocol [e.g. TCP] and remote port number
is... the firewall alert below didn't seem to tell you, which is really
dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you
some level of assurance that this is a response to something your computer
requested. There is no such thing as "port 1258." There's TCP port 1258,
and UDP port 1258. Any firewall that doesn't know that this is important
information is dumb [although I generally like Sygate].

A really smart firewall would let you inspect the TCP flags and contents of
the incoming packet, but I guess that's too much to ask.


"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:9pl87nx3tjpg$.1ugbsdw9mmwkz$.dlg@40tude.net...
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?
 

null

Distinguished
Apr 30, 2004
222
0
18,680
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Karl Levinson, mvp wrote:

> There are ways you can research these things... however, you will get so
> many of these alerts, and it is so fruitless to research them all, that I
> strongly recommend you consider a firewall configuration that does not alert
> you all the time with these things. Having a firewall ask the user to make
> decisions is a security accident waiting to happen, and is also a
> significant consumption of your time.
>
> If and when you do want to research these things, you should look up what
> the remote IP address is, for example starting with the DNS name lookup and
> whois lookup at www.nwtools.com [which also gets the DNS name and a lot of
> other things] or www.netsol.com to find out what that IP address is and
> whether you or your computer could have had reason to contact it. This IP
> is named dns1.snfcca.sbcglobal.net, which is a big hint that suggests this
> is probably normal.
>
> It's also useful to know what the protocol [e.g. TCP] and remote port number
> is... the firewall alert below didn't seem to tell you, which is really
> dumb. If the remote port was, say, TCP 80 or UDP 53, then that gives you
> some level of assurance that this is a response to something your computer
> requested. There is no such thing as "port 1258." There's TCP port 1258,
> and UDP port 1258. Any firewall that doesn't know that this is important
> information is dumb [although I generally like Sygate].
>
> A really smart firewall would let you inspect the TCP flags and contents of
> the incoming packet, but I guess that's too much to ask.
>

You make good points, and I really like your nwtools.com and netsol.com
suggestions.

However, to expect the average user to understand what the different
protocols are, what they do, and what ports are used for what, is a bit
over the top. Like you hinted at, the firewall responses to incoming and
outgoing packets should be as automated as possible for the average user.

And, yes, it is a bit too much to ask your firewall to let you inspect
the packets. 99% of the users wouldn't have a clue anyway. And if you're
competent enough to know what to look for, and have the time, then
you're going to have to invest a bit more than fifty bucks for the
privilege of doing so.

Since so many users don't even HAVE a decent software firewall
installed, this poster is at least making an attempt to protect his
system - I commend him for that!


--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:9pl87nx3tjpg$.1ugbsdw9mmwkz$.dlg@40tude.net...
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?

That's for you to determine by using a link like to one below and entering
the IP into the WhoIs search box and finding out of the IP is
dubious or not.

http://www.arin.net/index.html

However, the above is one of the problems with personal FW solutions with
features that try to control programs on the machine as they confuse the
end-user as they whine about nothing.

Duane :)
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:

> There are ways you can research these things... however, you will get so
> many of these alerts, and it is so fruitless to research them all
....
> you should look up what the remote IP address is
> www.nwtools.com or www.netsol.com
....
> A really smart firewall would let you inspect the TCP flags and contents of
> the incoming packet

I thank you for your detailed suggestions summarized below as:
1. There exists innocent common connections reported by the firewall
2. We can find the NAME of the IP address contacting us for clues
3. The content of the incoming packet may contain clues

Regarding the first interesting comment above:
- Is there a site where all the common innocent connections are listed?
- I searched (before I posted) and did not find one (but it may exist).
- If not, I don't mind starting a list (in this post perhaps?).

Regarding looking up the NAME of the IP address:
- WHY would my DNS provider suddently connect (this does not happen often)?
- I keep a list of the common contact requests & this isn't one of them.
- I said NO to the request & I don't see negative consequences.

Regarding the content of the incoming packets:
- Sygate Personal Firewall 5.6 provides a Yes/No/Details response
- The DETAILS button gives more information (cryptic to me, a novice).
- Again I wonder if there is a list of known non-dangerous contacts.

For we novices who still desire basic firewall protection, it would be nice
to refer to a list of known generally non-dangerous requests to accept.
I'll post separately (as it's slightly OT) the list I maintain of what I
THINK are innocent requests (but I'm not sure) that I get every day so as
to START this desired list (if it doesn't exist already).

The particular message I posted from my DNS server does NOT happen often so
that is what startled me.
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:

> "Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
>> How can I tell if this is suspicious or not?
> Look at your TCP/IP configuration. Isn't that your SBC DNS server?

Using DHCP, I don't specify a DNS server so I'd have no clue if that truly
was my DNS server ... but I maintain a list of daily requests and this is
NOT one of them.

So, why, all of a sudden, would my DNS server be contacting me, out of the
blue. And, why, does my network still (apparently) work even though I said
NO to the request?

What would be nice is for users to post (and for experts to doublecheck)
what they consider to be innocuous requests uninitiated by them which
appear in their yes/no request list from Sygate.

I am willing to START that list of what appears to be common innocuous
requests (for expert review).

Here is my list of common requests not explicitly initiated by me which my
Sygate Personal Firewall seems to report daily so that others may consult
it before accepting or rejecting a Sygate Personal Firewall request to
allow access:

NDIS User mode I/O Driver (ndisuio.sys)
has received a Multicast packet from the remote machine [192.168.0.1].
Do you want to allow this program to access the network?

NDIS Filter Intermediate Driver (eacfilt.sys)
has received a Multicast packet from the remote machine [192.168.0.1].
Do you want to allow this program to access the network?

NDIS Filter Intermediate Driver (eacfilt.sys)
is trying to broadcast to [192.168.0.255]
using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over
TCP/IP).
Do you want to allow this program to access the network?

NDIS User mode I/O Driver (ndisuio.sys)
has received a Broadcast packet from the remote machine [192.168.0.100].
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine news.google.com [216.239.37.147]
using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine [206.13.28.12]
using local port 1258 (OPENNL - Open Network Library).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to [207.46.157.60]
using remote port 443 (HTTPS - HTTP protocol over TLS/SSL).
Do you want to allow this program to access the network?

Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to time.windows.com [207.46.130.100
using remote port 123 (NTP - Network Time Protocol).
Do you want to allow this program to access the network?

Firefox (firefox.exe)
is being contacted from a remote machine [80.237.203.14]
using local port 4503
Do you want to allow this program to access the network?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

The packet filter/personal FW solution is in serious whine mode asking the
end-user unnecessary questions that the average home user just doesn't
understand.

If the user's machine was sitting behind a simple NAT router for the
protection and not running the PFW solution on the machine, none of the
ridiculous authorization questions the end-user is dealing with would be
asked.

Duane :)
 

Mike

Splendid
Apr 1, 2004
3,865
0
22,780
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
>
>
>>"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
>>
>>>How can I tell if this is suspicious or not?
>>
>>Look at your TCP/IP configuration. Isn't that your SBC DNS server?
>
>
> Using DHCP, I don't specify a DNS server so I'd have no clue if that truly
> was my DNS server ... but I maintain a list of daily requests and this is
> NOT one of them.
>
> So, why, all of a sudden, would my DNS server be contacting me, out of the
> blue. And, why, does my network still (apparently) work even though I said
> NO to the request?
>
> What would be nice is for users to post (and for experts to doublecheck)
> what they consider to be innocuous requests uninitiated by them which
> appear in their yes/no request list from Sygate.
>
> I am willing to START that list of what appears to be common innocuous
> requests (for expert review).

<Snip pointless list>

Without knowing what you were doing at the time, what applications you
need to run, how your network is configured, if you indeed have a
network and a host of other detail, there is no way of knowing. There is
no 'correct' answer.

Example:-
Generic Host Process for Win32 Services (svchost.exe)
is trying to connect to time.windows.com [207.46.130.100
using remote port 123 (NTP - Network Time Protocol).
Do you want to allow this program to access the network?

Well I might want to allow that because I want my clock to synchronise
to time.windows.com but you may not want to use that server preferring
uk.pool.ntp.org which is on a round robin DNS which will respond from a
different server each time giving rise to yet another problem and so on
and so on...

Ditch the stupid software and get a router.
 

null

Distinguished
Apr 30, 2004
222
0
18,680
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Mike wrote:

>
> Ditch the stupid software and get a router.


You made a good point about the inability to give good advice on how to
respond, when we know nothing about his network or applications.

However, to tell him to trash the software firewall and rely strictly on
a router is simply bad advice.

Unless the router performs stateful packet inspection and is highly
configurable, etc., etc., etc., then the router alone will not be
providing sufficient protection.

His use of a software firewall is not unreasonable, and your advice to
get rid of it is unwise.

--
The reader should exercise normal caution and backup the Registry and
data files regularly, and especially before making any changes to their
PC, as well as performing regular virus and spyware scans. I am not
liable for problems or mishaps that occur from the reader using advice
posted here. No warranty, express or implied, is given with the posting
of this message.
 

Mike

Splendid
Apr 1, 2004
3,865
0
22,780
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Gerard Schroeder wrote:
> On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:
>
>
>>There are ways you can research these things... however, you will get so
>>many of these alerts, and it is so fruitless to research them all
>
> ...
>
>>you should look up what the remote IP address is
>>www.nwtools.com or www.netsol.com
>
> ...
>
>>A really smart firewall would let you inspect the TCP flags and contents of
>>the incoming packet
>
>
> I thank you for your detailed suggestions summarized below as:
> 1. There exists innocent common connections reported by the firewall
> 2. We can find the NAME of the IP address contacting us for clues
> 3. The content of the incoming packet may contain clues
>
> Regarding the first interesting comment above:
> - Is there a site where all the common innocent connections are listed?
> - I searched (before I posted) and did not find one (but it may exist).
> - If not, I don't mind starting a list (in this post perhaps?).
>
> Regarding looking up the NAME of the IP address:
> - WHY would my DNS provider suddently connect (this does not happen often)?
> - I keep a list of the common contact requests & this isn't one of them.
> - I said NO to the request & I don't see negative consequences.
>
> Regarding the content of the incoming packets:
> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
> - The DETAILS button gives more information (cryptic to me, a novice).
> - Again I wonder if there is a list of known non-dangerous contacts.
>
> For we novices who still desire basic firewall protection, it would be nice
> to refer to a list of known generally non-dangerous requests to accept.

No!! Novices do not have the knowledge as you so patently demonstrate.
You need a hardware firewall like the ones built into Zyxel routers etc.
Tick the box that says enable firewall and just get on with using your
computer without all the silly pointless and misleading popups from your
software firewall.

> The particular message I posted from my DNS server does NOT happen often so
> that is what startled me.

If you had a router you would not have seen it or been startled plus you
would have been protected.
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:125fddwsx0agz.8ux1n0q8ec5.dlg@40tude.net...
> So, why, all of a sudden, would my DNS server be contacting me, out of the
> blue.

Dunno, and wish one of the experts had answered that. But DHCP simply
assigns YOU an IP address, it doesn't eliminate the need for DNS. And you
will have at least one alternate DNS server.

> NDIS User mode I/O Driver (ndisuio.sys)
> has received a Multicast packet from the remote machine [192.168.0.1].

NDIS messages from 192.168.x.x suggest you have a wireless NAT router and
your firewall is responding to messages from it. (Surely you are behind some
kind of NAT, ICS perhaps.) If you're not using a wireless network, disable
wireless configuration service.

As for such terms as HTTPS, SSL and NTP, Google them (and NAT, if necessary)
and expand your understanding. HTTPS means you're connecting to a secure
website.

You're suggesting the compilation of what could be an ever-expanding
database of mostly-irrelevant details. Seems to me time would be better
spent becoming more of an expert. Your choice of firewall apparently demands
it.

Sygate has a product forum. Air your concerns there. Those dialogs are too
obscure for "even inexperienced users" unwilling to spend time researching
them.

nf
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Firefox is a browser of the Mozilla.
then, you can do the command line: tracert 206.13.28.12 and to know
what/where this IP (or any) is, if it really works....

alf


"Gerard Schroeder" <Gshroeder22031@hotmail.com> wrote in message
news:9pl87nx3tjpg$.1ugbsdw9mmwkz$.dlg@40tude.net...
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

Gerard Schroeder wrote:
> How can I tell if a Sygate firewall alert is suspicious or not?
>
> For example, I received this message from Sygate just now:
>
> Sygate Personal Firewall:
> Firefox (firefox.exe) is being contacted from a remote machine
> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
> Do you want to allow this program to access the network?
>
> How can I tell if this is suspicious or not?


Do you have another computer on your internal network with that
specific IP address? Is that computer allowed to connect to the
Internet via your computer?


--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on having
both at once. - RAH
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 15:44:45 +0100, Mike wrote:

> <Snip pointless list>
>
> Without knowing what you were doing at the time, what applications you
> need to run, how your network is configured, if you indeed have a
> network and a host of other detail, there is no way of knowing. There is
> no 'correct' answer.

Sorry about not being specific. I already pared the list down to those
event which occur WITHOUT the users' explicit action. For example, I
removed any request to/from the NNTP software which occur while using it.
Likewise with POP3/SMTP clients, explicit actions from HTTP clients, etc.

The Sygate Personal Firewall software has the ability to "remember" a
decision so the user, if they knew which to ignore, would not see those
which make it into the innocuous list. That is mainly why I ask.

> Example:-
> Generic Host Process for Win32 Services (svchost.exe)
> is trying to connect to time.windows.com [207.46.130.100
> using remote port 123 (NTP - Network Time Protocol).
> Do you want to allow this program to access the network?

Again, I should have noted, I never explicitly told the Windows XP machine
to synchronize the time so that is why this unasked for request made it
onto the posted listing. Said another way, if I KNEW I had explicitly asked
WinXP to synchronize the time, I would have removed that request from the
list (by telling Sygate Personal Firewall to simply accept all of those
requests in the future).

> Ditch the stupid software and get a router.

Isn't the D-Link wired and wireless box connected to the DSL modem a
"router"?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 11:02:57 -0400, null wrote:

> However, to tell him to trash the software firewall and rely strictly on
> a router is simply bad advice.

I'm confused whether the D-Link wired and wireless box I have connected to
the DSL modem is considered the "router" you bespeak of. Is it?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 18:11:47 GMT, nutso fasst wrote:

> NDIS messages from 192.168.x.x suggest you have a wireless NAT router and
> your firewall is responding to messages from it. (Surely you are behind some
> kind of NAT, ICS perhaps.) If you're not using a wireless network, disable
> wireless configuration service.

I am using a wireless D-Link (is that the router you bespeak of)?

> You're suggesting the compilation of what could be an ever-expanding
> database of mostly-irrelevant details. Seems to me time would be better
> spent becoming more of an expert.

I do run http://www.dnsstuff.com checks on all requests that the Sygate
Personal Firewall pops up before putting the messages on the list of
suspicious items. Also I don't put on the list messages which pop up from
KNOWN events. For example, when I start the NNTP client, a message pops up
which I tell the Sygate Personal Firewall program to accept forever (so
that message only pops up once). Likewise with the web browser, email
client, Microsoft Anti-Spyware update program, Windows Updater, Real Audio
client, etc.

I only posted what I considered the unasked for messages (not the obvious
ones).
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:

> There are ways you can research these things...

Generally I do two obvious things each time I get a NEW message.
1. I run a reverse-IP address lookup at www.dnsstuff.com
2. I search Google Groups for the exact message (often I find others have
the exact same question, with the exact same message, and IP address).

Should I do more?
I'm hoping others can find THIS THREAD, for example, when they get the
messages I just posted and therefore they'd get the advice we all so
desperately need.

Where would YOU go when you received any one of the messages previously
posted when you didn't explicitly ask for that IP address to connect to
you?



> however, you will get so many of these alerts, and it is so
> fruitless to research them all, that I strongly recommend you consider
> a firewall configuration that does not alert you all the time with
> these things.

THAT's THE WHOLE POINT OF THIS THREAD!
With Sygate Personal Firewall (and I suspect all software firewalls), you
can tell the program to silently ignore and simply LOG all these
connections! My question was really WHICH OF THESE WOULD YOU IGNORE?


> Having a firewall ask the user to make decisions is a security accident
> waiting to happen, and is also a significant consumption of your time.

Is there any other choice?
These requests were made to my machine and I must respond to them.
Of course, I could simply say "Accept All Requests" but that would be
folly. The question really becomes two questions:
1. Which of these common requests is truly something to ignore
2. Of those which aren't ignorable, HOW DO NOVICES FIGURE THEM OUT?

> If and when you do want to research these things, you should look up what
> the remote IP address is

I generally use http://www.dnsstuff.com but your suggestion of adding for
www.nwtools.com or www.netsol.com is valid. I did that, for example, with
the DHCP server request. But, that really only tells me who owns the
machine. It doesn't tell me WHY they would be contacting me. (Remember,
that server only contacted me once and I have been using this same setup
for years). So, why, all of a sudden, would a machine which purports to be
a DNS server, be contacting me?

> It's also useful to know what the protocol [e.g. TCP] and remote port number
> is... the firewall alert below didn't seem to tell you, which is really
> dumb.

In defence of the Sygate Personal Firewall, there is a DETAILS button which
spits out a huge amount of cryptic (to a novice) information about
something called a "packet" so the remote port MIGHT be in that listing.

> A really smart firewall would let you inspect the TCP flags and contents of
> the incoming packet, but I guess that's too much to ask.

I could post the DETAILED information if it would help (caution, it's
cryptic at best).
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:

> Novices do not have the knowledge as you so patently demonstrate.
> You need a hardware firewall like the ones built into Zyxel routers etc.

Is the D-Link wireless/wired box connected to the DSL modem set up in the
default configuration sufficient?

Or is there something ELSE I should purchase to get this "hardware
firewall"?

> If you had a router you would not have seen it or been startled plus you
> would have been protected.

I've been using this setup for more than a year and this is the FIRST time
that particular server contacted me (for whatever reason). That is what
startled me and made me suspicious.
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 18:14:23 -0300, alfranze wrote:

> Firefox is a browser of the Mozilla.
> then, you can do the command line: tracert 206.13.28.12 and to know
> what/where this IP (or any) is, if it really works....

Since NOBODY has mentioned the problem that this is only HALF the story, I
wonder if I understand this correctly.

Knowing the machine "name" and "owner" is only HALF the story (isn't it)?
The other half is for what PURPOSE did the machine contact my machine.

For example, when Adobe Acrobat 6.0 (Acrobat.exe) [206.13.31.12] contacts
me on local port 1880 (VSAT-CONTROL - Gilat VSAT Control), I can find the
name of the machine contacting me from www.dnsstuff.com as
"dns1.scrmca.sbcglobal.net" ... but that does not tell me anything about
WHY this SBCGlobal DNS server would be contacting Adobe Acrobat on port
1880 (whatever that port is for).

Knowing ONLY the name of the server contacting you, would YOU want to allow
this program to access the network?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:

>> Sygate Personal Firewall:
>> Firefox (firefox.exe) is being contacted from a remote machine
>> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
>> Do you want to allow this program to access the network?

> Do you have another computer on your internal network with that
> specific IP address? Is that computer allowed to connect to the
> Internet via your computer?

Of course not!

If I had another machine on the same tiny home network with that IP address
(which would be highly unlikely in a 192.168.0.XXX network), then I would
NOT have posted that specific request in the list above as it would have
been an obvious innocuous request.

Again, knowing the machine name & owner is only HALF the story. Actually,
it's only 1/3 the story as the following is important:
1. WHO is the owner of that machine?
2. WHAT is the purpose of the port being used?
3. WHY is that machine contacting me?

Is this information available somewhere?

Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
http://www.dnsstuff.com
http://www.nwtools.com
http://www.netsol.com
http://remote.12dt.com/rns
http://www.zoneedit.com/lookup.html
etc.; but that doesn't tell us WHAT or WHY.


The WHAT part, albeit often highly technical, is not too very difficult to
obtain, e.g., we can use any of the following which describe the ports:
http://www.bekkoame.ne.jp/~s_ita/port/port1200-1299.html
http://www.seifried.org/security/ports/1000/1258.html
http://www.iana.org/assignments/port-numbers
http://www.sonomawireless.com/~ports/port1200-1299.html
http://www.auditmypc.com/freescan/readingroom/portlist.asp
etc.; but that doesn't tell us WHY they contacted us.

The WHY part is the key question.

For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp
tdp/udp port 1258 named the Open Network Library?

The question becomes:
1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
2. HOW do we obtain possible REASONS for a machine contacting us on this
port?

That advice was the purpose of the original question.
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On 15 Sep 2005 10:10:51 +0200, Volker Birk wrote:

>> Firefox (firefox.exe) is being contacted from a remote machine
>> [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).
>> Do you want to allow this program to access the network?
>> How can I tell if this is suspicious or not?
>
> You can't. This is, why such messages are nonsense. BTW, they're useless,
> too, because also Sygate cannot prevent "phoning home" from malicious
> programs anyway, as my simple POC here shows:
>
> http://www.dingens.org/breakout.c

Unfortunately, I don't know what a POC (point of contact?) is nor do I have
a c compiler.

What does the breakout.c program do for us? Does it slip past the Sygate
Personal Firewall somehow secretly and silently?

I think there are 3 parts to the problem, one of which is trival, the other
of which is technical, and the third of which is the crux of the matter:

1. WHO is it that is contacting us (all agree this is trivial to obtain but
nearly meaningless in many cases as it doesn't tell us WHAT they are doing
when they contact us or WHY they are doing it).

2. WHAT the machine is doing when it contacts us (I suspect this is
explained somewhere on the Internet based on the port being contacted, but
so far all I've found is the posted listings of a NAME and quick
DESCRIPTION of the port used). This is INCOMPLETE information as merely
knowing the name of a protocol doesn't always help to understand WHAT is
occurring. Plus, I routinely DENY all these requests and my machine seems
to work fine so what is it that it is doing anyway?

3. WHY would the machine contact us on the specified port. I believe this
is the crux of the question. My question to you experts is to ask if there
is a good web site which would explain WHY any particular machine would be
contacting us on any particular port. If we knew WHY, we could then decide
whether to allow this connection or now.

For example, WHY would Adobe Acrobat 6.0 (Acrobat.exe) be contacted from an
SBCGlobal DNS machine [206.13.31.12] using local port 1880 (VSAT-CONTROL -
Gilat VSAT Control)?

What could it possibly want?
Why doesn't anything bad happen when I deny the request?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On 15 Sep 2005 19:14:08 +0200, Volker Birk wrote:

> It's OK, that not everybody is a networking expert. A good security solution
> has to work _without_ asking the user.
>
>> For we novices who still desire basic firewall protection, it would be nice
>> to refer to a list of known generally non-dangerous requests to accept.
>
> Why not using the Windows-Firewall and not having such problems?

Since the remote machine is gonna try to contact us anyway, wouldn't we
have the same three problems no matter which personal firewall solution we
used?

For example, if I used Windows XP Firewall, or ZoneAlarm (
http://snipurl.com/6ohg ) or Kerio Personal Firewall (
http://www.kerio.com/kpf_download.html ) or Sygate Personal Firewall (
http://smb.sygate.com/free/spf_download.php ) or Outpost Firewall (
http://www.agnitum.com/products/outpost ) or whatever, WOULDN'T the
offending machine STILL try to contact my machine?

And then, if it did, wouldn't we STILL have the THREE QUESTIONS:
1. Who is trying to contact us?
2. On what port are they trying to contact us?
3. Why are they trying to contact us?

This seems, to me, to be such a common need for virtually every one of the
millions of computer users out there, that the ANSWER to these three
questions SHOULD be somewhere very easy to locate for we novice users?

I can't believe there is a single person out there on the Internet who
doesn't have this very same problem. That's why it's so frustrating to me
to not be able to find the all-important WHY information so desperately
needed by millions of us users.

GS

> Gerard Schroeder <Gshroeder22031@hotmail.com> wrote:
>> I thank you for your detailed suggestions summarized below as:
>> 1. There exists innocent common connections reported by the firewall
>
> Yes.
>
>> Regarding the first interesting comment above:
>> - Is there a site where all the common innocent connections are listed?
>
> I don't know one. And I think, this will not be possible. There are
> too many possibilities for these. Why using a "Personal Firewall" at all,
> which is showing useless Popups?
>
>> Regarding looking up the NAME of the IP address:
>> - WHY would my DNS provider suddently connect (this does not happen often)?
>
> There may be many reasons for this.
>
>> Regarding the content of the incoming packets:
>> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
>> - The DETAILS button gives more information (cryptic to me, a novice).
>> - Again I wonder if there is a list of known non-dangerous contacts.
>
> The point is, that this is a b0rken concept to ask the only person,
> who for sure does not know what to do here - you, the user.
>
> It's OK, that not everybody is a networking expert. A good security solution
> has to work _without_ asking the user.
>
>> For we novices who still desire basic firewall protection, it would be nice
>> to refer to a list of known generally non-dangerous requests to accept.
>
> Why not using the Windows-Firewall and not having such problems?
>
> Yours,
> VB.
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

On 15 Sep 2005 19:09:09 +0200, Volker Birk wrote:

> null <null@planetzero.com> wrote:
>> However, to tell him to trash the software firewall and rely strictly on
>> a router is simply bad advice.
>
> No. It's a very good advice. Also he could use the Windows-Firewall.
>
>> Unless the router performs stateful packet inspection and is highly
>> configurable, etc., etc., etc., then the router alone will not be
>> providing sufficient protection.
>
> The "Personal Firewalls" we tested all were terribly incompetently
> implemented. I doubt, that with a "Personal Firewall" he will be secure
> in any way.
>
>> His use of a software firewall is not unreasonable, and your advice to
>> get rid of it is unwise.
>
> The opposite is true.

If Adobe Acrobat 6.0 (Acrobat.exe) is going to be contacted from a remote
machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT
Control), what would Windows Firewall do differently from what Sygate,
ZoneAlarm, Kerio, Outpost, etc. would do?
 
G

Guest

Guest
Archived from groups: microsoft.public.security,comp.security.firewalls,microsoft.public.windowsxp.security_admin (More info?)

"null" <null@planetzero.com> wrote in message
news:OBgtyifuFHA.3252@TK2MSFTNGP10.phx.gbl...

> However, to expect the average user to understand what the different
> protocols are, what they do, and what ports are used for what, is a bit
> over the top. Like you hinted at, the firewall responses to incoming and
> outgoing packets should be as automated as possible for the average user.

I don't expect the user to know that. But I expect the firewall to include
that information in the error message, for situations like this one where
the user copies and pastes the error message to their firewall support or to
a newsgroup for assistance. Not having those details really cripples
whoever is trying to help the user. If necessary, the vendor can hide this
information under a "Details" button on the message, and put them into the
log file for posterity.