sygate and shields up - General Networking

Archived from groups: comp.security.firewalls (More info?)

 

When I test my Sygate firewall on Gibson's Shields Up, the ports are
coming up as closed, but not all are coming up as what GRC calls
stealth.

I figure this is to be expected. I have a 'home router'. So my router
is blocking incoming connections - including Gibson's, reporting back
"Closed". Those ports that my router is allowing through, Sygate
kicks in and blocks the incoming connection properly, reporting nothing
back - what GRC calls Stealth. Not even giving away my computer's
existence.

Is running my home router's firewall along with Sygate actually making
me less secure than if I was to run Sygate alone (since my ports
aren't 'stealthed')?


In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
jameshanley39@yahoo.co.uk says...
> When I test my Sygate firewall on Gibson's Shields Up, the ports are
> coming up as closed, but not all are coming up as what GRC calls
> stealth.
>
> I figure this is to be expected. I have a 'home router'. So my router
> is blocking incoming connections - including Gibson's, reporting back
> "Closed". Those ports that my router is allowing through, Sygate
> kicks in and blocks the incoming connection properly, reporting nothing
> back - what GRC calls Stealth. Not even giving away my computer's
> existence.
>
> Is running my home router's firewall along with Sygate actually making
> me less secure than if I was to run Sygate alone (since my ports
> aren't 'stealthed')?
>
>
Run a security check on your Sygate. On the firewall main page,
select the Security Button. This takes you to the Sygate website.
You will find that if your ports are "blocked" (closed), you are
in good shape.
Casey


On Thu, 08 Sep 2005 21:01:32 GMT, Casey Klc wrote:

> In article <1126210011.527911.41120@o13g2000cwo.googlegroups.com>,
> jameshanley39@yahoo.co.uk says...
>> When I test my Sygate firewall on Gibson's Shields Up, the ports are
>> coming up as closed, but not all are coming up as what GRC calls
>> stealth.
>>
>> I figure this is to be expected. I have a 'home router'. So my router
>> is blocking incoming connections - including Gibson's, reporting back
>> "Closed". Those ports that my router is allowing through, Sygate
>> kicks in and blocks the incoming connection properly, reporting nothing
>> back - what GRC calls Stealth. Not even giving away my computer's
>> existence.
>>
>> Is running my home router's firewall along with Sygate actually making
>> me less secure than if I was to run Sygate alone (since my ports
>> aren't 'stealthed')?
>>
>>
> Run a security check on your Sygate. On the firewall main page,
> select the Security Button. This takes you to the Sygate website.
> You will find that if your ports are "blocked" (closed), you are
> in good shape.
> Casey

You get them all 'blocked' from ZA and XP too!
--
Jim
Tyneside UK


jameshanley39@yahoo.co.uk wrote:

>
> Is running my home router's firewall along with Sygate actually making
> me less secure than if I was to run Sygate alone (since my ports
> aren't 'stealthed')?
>

No. Closed is the "expected" response when a computer outside your
subnet tries to connect with your system. Stealth is the equivalent of
my asking you a closed-ended question and you choosing to ignore me.


optikl wrote:
> jameshanley39@yahoo.co.uk wrote:
>
> >
> > Is running my home router's firewall along with Sygate actually making
> > me less secure than if I was to run Sygate alone (since my ports
> > aren't 'stealthed')?
> >
>
> No. Closed is the "expected" response when a computer outside your
> subnet tries to connect with your system. Stealth is the equivalent of
> my asking you a closed-ended question and you choosing to ignore me.


somebody more-or-less pointed out that what Gibson calls 'stealth'
(blocking without giving a response) is no more secure than closed.

their argument for it being no more secure was that they can already
find out my ip anyway.

It may be that 'stealth' is slightly - but barely - more secure than
closed? Indeed, it probably is, since software firewalls all do it.
But what would be your reason for saying that 'stealth' is more secure?


On 9 Sep 2005 05:56:15 -0700, jameshanley39@yahoo.co.uk wrote:
>optikl wrote:
>> jameshanley39@yahoo.co.uk wrote:
>
>somebody more-or-less pointed out that what Gibson calls 'stealth'
>(blocking without giving a response) is no more secure than closed.
>
>their argument for it being no more secure was that they can already
>find out my ip anyway.
>
>It may be that 'stealth' is slightly - but barely - more secure than
>closed? Indeed, it probably is, since software firewalls all do it.
>But what would be your reason for saying that 'stealth' is more secure?

It's not just www.grc.com, but several sites that report security in
terms of open, closed, and stealth. For example, take a look at
http://www.pcflank.com/ and the Sygate site. And for what it's worth,
this issue of closed vs stealth has been endlessly debated for more
than 3-4 years.

Bottom line ... hell if I know?


<jameshanley39@yahoo.co.uk> wrote in message
news:1126270575.225521.167180@g49g2000cwa.googlegroups.com...
>
> optikl wrote:
> > jameshanley39@yahoo.co.uk wrote:
> >
> > >
> > > Is running my home router's firewall along with Sygate actually making
> > > me less secure than if I was to run Sygate alone (since my ports
> > > aren't 'stealthed')?
> > >
> >
> > No. Closed is the "expected" response when a computer outside your
> > subnet tries to connect with your system. Stealth is the equivalent of
> > my asking you a closed-ended question and you choosing to ignore me.
>
>
> somebody more-or-less pointed out that what Gibson calls 'stealth'
> (blocking without giving a response) is no more secure than closed.
>
> their argument for it being no more secure was that they can already
> find out my ip anyway.
>
> It may be that 'stealth' is slightly - but barely - more secure than
> closed? Indeed, it probably is, since software firewalls all do it.

The reason why personal software firewalls all do it is because they know
that most of their customers think it's better. Any personal firewall vendor
who doesn't do stealth will lose customers. So they all do it.
Whether or not stealth really is better or not is irrelevant if you want to
sell personal firewall software.

Jason

> But what would be your reason for saying that 'stealth' is more secure?
>


In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
keith@microsoft.discussions.com says...
> So , if I had a static IP and told you what it is, can you tell whether i'm
> online or not?
> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes

Ping an IP that doesn't have a computer attached and see what you get
back.

Ping an IP that is stealthed and see what you get back.

If you see any difference then you know something is there.

--

spam999free@rrohio.com
remove 999 in order to email me


"Leythos" <void@nowhere.lan> wrote in message
news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> keith@microsoft.discussions.com says...
>> So , if I had a static IP and told you what it is, can you tell whether
>> i'm
>> online or not?
>> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
>
> Ping an IP that doesn't have a computer attached and see what you get
> back.
>
> Ping an IP that is stealthed and see what you get back.
>
> If you see any difference then you know something is there.
>

Yes, but would, should there be any difference in theory or practice, assuming
no flaws in OS?

> --
>
> spam999free@rrohio.com
> remove 999 in order to email me


In article <dfs66m$6ah$1@newsg3.svr.pol.co.uk>,
keith@microsoft.discussions.com says...
>
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > keith@microsoft.discussions.com says...
> >> So , if I had a static IP and told you what it is, can you tell whether
> >> i'm
> >> online or not?
> >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> >
> > Ping an IP that doesn't have a computer attached and see what you get
> > back.
> >
> > Ping an IP that is stealthed and see what you get back.
> >
> > If you see any difference then you know something is there.
> >
>
> Yes but would ,should there be any difference in theory or practice assuming
> no flaws in OS

Yes, one lets people know you exist, one doesn't.

There is no such thing as a flawless OS, never been created. Start with
the idea that everything has holes and you will have it much easier when
it comes to security.

--

spam999free@rrohio.com
remove 999 in order to email me


Keith wrote:
> "Leythos" <void@nowhere.lan> wrote in message
> news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > keith@microsoft.discussions.com says...
> >> So , if I had a static IP and told you what it is, can you tell whether
> >> i'm
> >> online or not?
> >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> >
> > Ping an IP that doesn't have a computer attached and see what you get
> > back.
> >
> > Ping an IP that is stealthed and see what you get back.
> >
> > If you see any difference then you know something is there.
> >
>
> Yes but would ,should there be any difference in theory or practice assuming
> no flaws in OS
>

my understanding is-

seems to me that stealth is more secure.

If you ping an ip address that has port 7 - the ICMP port stealthed.
Then it will not respond. It will be indistinguishable from a computer
that does not exist. somebody port scanning a range of IPs will not
know whether your comp exists or has the port stealthed.

However. When you make an outgoing connection, your IP is available to
the server receiving it. Regardless of whether any of your ports are
stealthed or not.
www.whatismyip.com for example. Presumably it just uses the HTTP
request you sent it, looks at the IP in the packet, and tells you your
IP.

As soon as you make an outgoing connection to anywhere, you give your
IP.
Or your 'home router' public NATTED ip.

So stealth is more secure but only regarding incoming connections.


I am far from an expert, this is all new to me.

Given info posted in the thread. My gripe with Gibson is him calling
his probing 'nanoprobing' as if it's a new technology he invented. It
is obfuscating technical material, it seems to me - it is for the
purposes of his own self promotion. By doing that, I think his self
promotion has crossed the line.


<jameshanley39@yahoo.co.uk> wrote in message
news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
>
> Keith wrote:
> > "Leythos" <void@nowhere.lan> wrote in message
> > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > > keith@microsoft.discussions.com says...
> > >> So , if I had a static IP and told you what it is, can you tell whether
> > >> i'm
> > >> online or not?
> > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> > >
> > > Ping an IP that doesn't have a computer attached and see what you get
> > > back.
> > >
> > > Ping an IP that is stealthed and see what you get back.
> > >
> > > If you see any difference then you know something is there.
> > >
> >
> > Yes but would ,should there be any difference in theory or practice assuming
> > no flaws in OS
> >
>
> my understanding is-
>
> seems to me that stealth is more secure.
>
> If you ping an ip address that has port 7 - the ICMP port stealthed.
> Then it will not respond. It will be indistinguishable from a computer
> that does not exist. somebody port scanning a range of IPs will not
> know whether your comp exists or has the port stealthed.

Let's assume that this is true (even if it isn't).
If they have half a brain they will already know that
82-70-237-22.dsl.in-addr.zen.co.uk is probably a home dsl user (could be
business but makes little difference). They will also know that adjacent IP
addresses are also users of the same ISP and they will know that an
exploitable PC is very likely to be found in this range because a large
group of 'stealthed' PCs indicates a large group of Windows users who
thought they were safe behind their personal firewall but happily accepted
everything Internet Explorer offered them.

They will know all this (and more) even if your computer is behind an event
horizon, never mind a personal firewall.

Jason

> However. When you make an outgoing connection, your IP is available to
> the server receiving it. Regardless of whether any of your ports are
> stealthed or not.
> www.whatismyip.com for example. Presumably it just uses the HTTP
> request you sent it, looks at the IP in the packet, and tells you your
> IP.
>
> As soon as you make an outgoing connection to anywhere, you give your
> IP.
> Or your 'home router' public NATTED ip.
>
> So stealth is more secure but only regarding incoming connections.
>
>
> I am far from an expert, this is all new to me.
>
> Given info posted in the thread. My gripe with Gibson is him calling
> his probing 'nanoprobing' as if it's a new technology he invented. it
> is obfuscating technical material , it seems to me - it is for the
> purposes of his own self promotion. By doing that, I think his self
> promotion has crossed the
> line.
>


Jason Edwards wrote:
> <jameshanley39@yahoo.co.uk> wrote in message
> news:1126278481.310732.60110@g47g2000cwa.googlegroups.com...
> >
> > Keith wrote:
> > > "Leythos" <void@nowhere.lan> wrote in message
> > > news:MPG.1d8b63be201d87fb989fce@news-server.columbus.rr.com...
> > > > In article <dfs49d$4ua$1@newsg3.svr.pol.co.uk>,
> > > > keith@microsoft.discussions.com says...
> > > > >> So , if I had a static IP and told you what it is, can you tell whether
> > > > >> i'm
> > > >> online or not?
> > > >> If I'm stealthed then I'm guessing the answer is no? Otherwise Yes
> > > >
> > > > Ping an IP that doesn't have a computer attached and see what you get
> > > > back.
> > > >
> > > > Ping an IP that is stealthed and see what you get back.
> > > >
> > > > If you see any difference then you know something is there.
> > > >
> > >
> > > > Yes but would ,should there be any difference in theory or practice assuming
> > > > no flaws in OS
> > >
> >
> > my understanding is-
> >
> > seems to me that stealth is more secure.
> >
> > If you ping an ip address that has port 7 - the ICMP port stealthed.
> > Then it will not respond. It will be indistinguishable from a computer
> > that does not exist. somebody port scanning a range of IPs will not
> > know whether your comp exists or has the port stealthed.
>
> Let's assume that this is true (even if it isn't).
> If they have half a brain they will already know that
> 82-70-237-22.dsl.in-addr.zen.co.uk

You are responding as if I am a mug that thinks that stealthed ports
are infinitely superior. And offer complete protection.

Of course, a careless user would give away all sorts of information,
especially on usenet.


Whatever method (be it usenet or anything else) they used to get the
hostname containing an ip address. It might not have been via a port
scan if ports were stealthed. It's possible a comp is there. Or not.

>They will also know that adjacent IP
> addresses are also users of the same ISP and they will know that an
> exploitable PC is very likely to be found in this range because a large
> group of 'stealthed' PCs indicates a large group of Windows users who
> thought they were safe behind their personal firewall but happily accepted
> everything Internet Explorer offered them.

I know that stealthing ports is NOT absolutely secure by any means.
In fact, it offers hardly any more protection (if any). And if you do
other things carelessly, you will get your router's IP told to the
world. There are many ways an IP can be visible - if one is careless.
I used any outgoing connection as an example. Usenet is another.
(assuming no proxy or ip spoofing or anything).

you're saying that unix users don't stealth their ports?

*Another* method (besides usenet) of hackers getting *anybody's* IP, is
just doing a port scan. And if a port is stealthed. It doesn't tell him
anything. He is left with 2 possibilities. Comp doesn't exist. Or port
is stealthed (which according to you, means a 'personal firewall').

You're saying that unix firewalls tend not to stealth ports.
I don't see why unix firewalls tend not to stealth ports. Many hackers
do just scan a range of IPs.
So stealthing does have that small advantage over closed. Why don't
unix users use it? I'm sure they had some other way (spoofing IP?
proxy?) for being more anonymous on usenet. But isn't it good to be
safer from port scans too?

Anyhow - not that it matters. NAT Devices tend not to stealth
ports (the ones I've seen certainly don't). They just report back
closed. So if a software firewall is running and stealthing ports. The
ports will be reported back as closed since the 'home router' is hit
first.

Perhaps stealthed ports indicate a windows user not behind a router.
(not that a windows user behind a router is necessarily any cleverer).
Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
above mentioned reasons.
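
Added example, not part of the original thread: a small Python model of the layering described in the first post and again in the post above, where a NAT router that answers unsolicited probes with "closed" sits in front of a personal firewall that drops silently. The class names, the sample port numbers and the router's reject/drop switch are constructed assumptions, not taken from Sygate or any router.

```python
"""Constructed model: what an external port probe reports when a NAT router
sits in front of a host running a personal firewall."""
from dataclasses import dataclass, field

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"

@dataclass
class Router:
    forwards: set = field(default_factory=set)  # ports passed through to the host
    unsolicited: str = "reject"                 # "reject" answers RST, "drop" stays silent

@dataclass
class Host:
    listening: set = field(default_factory=set)  # ports with a service bound
    fw_allow: set = field(default_factory=set)   # ports the personal firewall permits
    fw_enabled: bool = True

def host_reply(host, port):
    """Answer the host itself gives to an inbound connection attempt."""
    if host.fw_enabled and port not in host.fw_allow:
        return STEALTH  # personal firewall drops the packet, nothing goes back
    # The firewall let it through: the TCP stack answers SYN/ACK or RST.
    return OPEN if port in host.listening else CLOSED

def probe(port, host, router=None):
    """State an outside scanner observes for one port."""
    if router is None:
        return host_reply(host, port)
    if port not in router.forwards:
        # The router is hit first, so the host firewall never sees the probe.
        return CLOSED if router.unsolicited == "reject" else STEALTH
    return host_reply(host, port)

def report(ports, host, router=None):
    return {p: probe(p, host, router) for p in ports}

def reachable(rep):
    """Ports an outsider can actually connect to."""
    return {p for p, state in rep.items() if state == OPEN}

# Constructed sample: services bound on the host, one port forwarded by the router.
PORTS = [80, 135, 139, 445]
HOST = Host(listening={135, 139, 445}, fw_allow=set())
ROUTER = Router(forwards={80})

def scenarios():
    unprotected = Host(listening=HOST.listening, fw_enabled=False)
    return {
        "router + firewall": report(PORTS, HOST, ROUTER),
        "firewall alone": report(PORTS, HOST),
        "router alone": report(PORTS, unprotected, ROUTER),
    }

if __name__ == "__main__":
    for name, rep in scenarios().items():
        print(f"{name:18} {rep} reachable={sorted(reachable(rep))}")
```

In all three constructed configurations the set of reachable services is empty; only the label the scanner reports for each blocked port differs.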


Jason Edwards wrote:

> They will know all this (and more) even if your computer is behind an event
> horizon, never mind a personal firewall.

I'd better register a domain for my new company, Event Horizon
Networking. I will build fully buzzword compliant security appliances,
spread FUD across the galaxy, and laugh all the way to the bank. When
Symantec or Microsoft buys me out and end of lifes all my vaporware
products, I'll retire to the Bahamas. Or Betelgeuse.

-Gary


jameshanley39@yahoo.co.uk wrote:

> Perhaps stealthed ports indicate a windows user not behind a router.
> (not that a windows user behind a router is necessarily any cleverer).
> Anyhow. I don't see why unix firewalls shouldn't stealth ports. For the
> above mentioned reasons.

Every once in a while, some idiot yells that security through obscurity
is a bad idea. I'd say maybe if that's all you're relying on. But if you
think about it, why do soldiers wear camouflage? Why do chameleons have
color changing abilities? Why do some insects have colors that match
their background? Because it simply works. Whether you're stealthing or
blocking doesn't really matter so long as you're making an active effort
to be security conscious. Steve Gibson, Steve Ballmer, and any other
frothing at the mouth idiot can yell as loud as they want about security
but the signal to noise ratio will still be abysmally low. Just like Usenet.

-Gary