SYNACK
Just Firewall It
Premium,Mod
join:2001-03-05
Venice, CA
Host:
Networking
Virtual Private Ne..
Netgear
ZyXEL

reply to dja

Re: Closed vs Stealthed Ports

The concept of stealth had to be invented to allow remote detection/verification of the presence of a firewall by online self-scanning tools. It is a self-serving stance by firewall promoters and is NOT the best stance in day-to-day operations because it breaks certain useful mechanisms of the protocol (many examples have been mentioned by others).

In the long run, these shortcomings need to be addressed to design a better, low-impact firewall. I intentionally have my ZyWALL 10 set to closed instead of stealth. (As mentioned before, this is my definition of a stealth firewall: the RST response hides the actual presence of the firewall.)

The 1214 problem has been mentioned, where stealth causes never-ending probing. Maybe a stealth firewall should once-in-a-while send a RST if a certain number of probes have occurred to the same port. Firewalls need more intelligence to deal with nuisance traffic they cause.

Another serious issue is with NAT routers. Some people like to define a default server, then run a stealth firewall on that LAN target. Each little probe creates a lingering entry in the NAT table that stays until the NAT timeout for half-open connections expires, plugging up the NAT table. If the firewall would respond with closed, the outgoing RST reply would clear the NAT entry immediately, freeing valuable resources.
--
Where in the world is LA/OC?


jvmorris
I Am The Man Who Was Not There.
Premium,MVM
join:2001-04-03
Reston, VA

SYNACK,
First, I want to say thank you for showing up before I started banging on your door with IMs. I suspect you probably know far more (and far more authoritatively) about this subject than I do.

said by SYNACK:
The concept of stealth had to be invented to allow remote detection/verification of the presence of a firewall by online self-scanning tools. It is a self-serving stance by firewall promoters and is NOT the best stance in day-to-day operations because it breaks certain useful mechanisms of the protocol (many examples have been mentioned by others).

In the long run, these shortcoming need to be addressed to design a better, low-impact firewall. I intentionally have my ZyWALL 10 set to closed instead of stealth. (As mentioned before, this is my definition of a stealth firewall, the RST response hides the actual presence of the firewall. ).
I really need to take some time and figure all this out, but this sounds very much like one of the options that R2 originally proposed. The "neat" part of R2's 'solution' (at least to me) was that the bad guys would be in instant hell in terms of being able to further diagnose just what they had encountered. Right now, it's a no-brainer as far as 'stealth' is concerned.
quote:
. . . . Another serious issue is with NAT routers. Some people like to define a default server, then run a stealth firewall on that LAN target. Each little probe creates a lingering entry in the NAT table that stays until the NAT timeout for half-open connections expires, plugging up the NAT table. If the firewall would respond with closed, the outgoing RST reply would clear the NAT entry immediately, freeing valuable resources.
Another good point. Thank you.
--
Regards, Joseph V. Morris


R2
R Not
Premium,MVM
join:2000-09-18
Long Beach, CA
kudos:1

reply to SYNACK

said by SYNACK:
(As mentioned before, this is my definition of a stealth firewall, the RST response hides the actual presence of the firewall. ).
I always liked this statement. This gets right to the point about the relatively stupid use of the word "stealth" to describe a port's response. I purposefully did not mention the person who I believe coined the term -- I knew someone would. ;)

"Stealth" can be used to describe the computer itself, it can be used to describe a type of port scan, or (as SYNACK does) it can be used to describe a firewall. But using the term to describe a port's response is simply illogical. I completely agree that the term was created to get people interested in acquiring a firewall. That's about it.

Ports can have 3 responses registered by a scanner: Open, Closed, or No Response. There is no "stealth" response.

It seems to me that the non-responding computers just generate more attempts to be attacked -- waiting for the moment when your defenses might be down. Based on the information presented here, a closed response seems more logical.

However, an ICMP Host/Port Unreachable response might be even more likely to squelch probings. THAT might represent the TRUE "Stealth" response!!;)

The perfect firewall could give the user a choice of what response it sends to a SYN probe. Or, humorously, you could set it up to randomly vary the responses -- and confuse the he// out of the scanner. :)
________________

This thread moves faster than I type...

Dave is right -- a computer without a firewall gives a Closed response -- hence SYNACK's comments about a "Stealth" firewall pretending it is not there.

Firewalls do MORE than just provide a "stealth" port scan -- however, the push to market the software firewall sadly seemed to make this one of the most important issues... :(
[text was edited by author 2002-06-06 21:14:35]
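Added example (not code from any poster in this thread, and not the behaviour of the ZyWALL or any other product): a small Python model of two arguments made above. It covers SYNACK's point that an outgoing RST frees a NAT router's half-open entry immediately while a silently dropped SYN leaves the entry until the half-open timeout, and R2's point that a scanner can only ever record open, closed or no response for a TCP probe. The addresses, the 60-second half-open timeout, the one-probe-per-second sweep and the "established" timeout are constructed for the example; the ICMP unreachable case assumes the NAT box does not tear down the mapping on an ICMP error.

```python
"""Model of "closed vs stealth" replies to a SYN probe and their NAT side effect.

Simplified model written for this example; it is not a packet capture and not
any specific firewall or router's behaviour.
"""
from collections import Counter
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Policy(Enum):
    OPEN = "open"                  # a service is listening: reply SYN/ACK
    CLOSED = "closed"              # nothing listens; host or firewall answers RST
    STEALTH = "stealth"            # firewall drops the SYN silently
    ICMP_UNREACH = "icmp-unreach"  # firewall rejects with ICMP port unreachable


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "icmp"
    flags: str = ""   # TCP flags: "S", "SA", "R"; empty for ICMP
    icmp: tuple = ()  # (type, code) for ICMP; (3, 3) is port unreachable


def target_reply(policy: Policy, probe: Packet) -> Optional[Packet]:
    """Reply the target sends for one SYN probe under the given policy."""
    assert probe.proto == "tcp" and probe.flags == "S", "model covers SYN probes only"
    if policy is Policy.OPEN:
        return Packet("tcp", "SA")
    if policy is Policy.CLOSED:
        return Packet("tcp", "R")
    if policy is Policy.ICMP_UNREACH:
        return Packet("icmp", icmp=(3, 3))
    return None  # STEALTH: nothing comes back


def scanner_verdict(reply: Optional[Packet]) -> str:
    """What a SYN scanner records. TCP itself yields only open, closed or
    no response; an ICMP error is a distinct observation (Nmap reports it as
    'filtered'), and it confirms that a host is there."""
    if reply is None:
        return "no response"
    if reply.proto == "tcp" and reply.flags == "SA":
        return "open"
    if reply.proto == "tcp" and "R" in reply.flags:
        return "closed"
    if reply.proto == "icmp" and reply.icmp[0] == 3:
        return "unreachable"
    return "unexpected"


@dataclass
class NatRouter:
    """Minimal stateful NAT: one entry per inbound flow toward a default server.
    Timeouts are assumptions for the model; real boxes differ widely."""
    half_open_timeout: float = 60.0
    established_timeout: float = 3600.0
    table: dict = field(default_factory=dict)  # flow -> expiry time
    peak: int = 0

    def inbound_syn(self, flow, now: float) -> None:
        self.table[flow] = now + self.half_open_timeout   # half-open entry
        self.peak = max(self.peak, len(self.table))

    def outbound_reply(self, flow, reply: Optional[Packet], now: float) -> None:
        if reply is None:
            return                                        # dropped: entry lingers
        if reply.proto == "tcp" and "R" in reply.flags:
            self.table.pop(flow, None)                    # RST: free the slot now
        elif reply.proto == "tcp" and reply.flags == "SA":
            self.table[flow] = now + self.established_timeout
        # ICMP error: assumed to leave the mapping to age out (model assumption)

    def expire(self, now: float) -> None:
        for flow in [f for f, t in self.table.items() if t <= now]:
            del self.table[flow]


def simulate(policy: Policy, n_probes: int, probe_interval: float = 1.0,
             half_open_timeout: float = 60.0):
    """One scanner sweeps n_probes ports, one SYN every probe_interval seconds.
    Returns (verdict counts, peak NAT table size, NAT table size at the end)."""
    nat = NatRouter(half_open_timeout)
    verdicts = Counter()
    now = 0.0
    for port in range(1, n_probes + 1):
        now += probe_interval
        nat.expire(now)
        flow = ("198.51.100.7", 40000 + port, "192.0.2.10", port)  # constructed
        nat.inbound_syn(flow, now)
        reply = target_reply(policy, Packet("tcp", "S"))
        nat.outbound_reply(flow, reply, now)
        verdicts[scanner_verdict(reply)] += 1
    return dict(verdicts), nat.peak, len(nat.table)


if __name__ == "__main__":
    for policy in (Policy.CLOSED, Policy.STEALTH, Policy.ICMP_UNREACH):
        counts, peak, left = simulate(policy, 1000)
        print(f"{policy.value:12s} scanner sees {counts}; "
              f"NAT table peak {peak}, still held at end {left}")
```

With a 1000-port sweep the closed policy never holds more than one NAT entry and ends with none, while the stealth policy keeps 60 half-open entries occupied for the whole sweep (one per second of timeout), which is the resource drain SYNACK describes. Shorten the probe interval or lengthen the timeout and the stealth table grows accordingly.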

© 1999-2012 dslreports.com