R2R (Long Beach, CA; joined 2000-09-18), reply to SYNACK
Re: Closed vs Stealthed Ports

said by SYNACK: "As mentioned before, this is my definition of a stealth firewall, the RST response hides the actual presence of the firewall."
I always liked this statement. This gets right to the point about the relatively stupid use of the word "stealth" to describe a port's response. I purposefully did not mention the person who I believe coined the term -- I knew someone would. ;)
"Stealth" can be used to describe the computer itself, it can be used to describe a type of port scan, or (as SYNACK does) it can be used to describe a firewall. But using the term to describe a port's response is simply illogical. I completely agree that the term was created to get people interested in acquiring a firewall. That's about it.
Ports can have 3 responses registered by a scanner: Open, Closed, or No Response. There is no "stealth" response.
It seems to me that the non-responding computers just generate more attempts to be attacked -- waiting for the moment when your defenses might be down. Based on the information presented here, a closed response seems more logical.
However, an ICMP Host/Port Unreachable response might be even more likely to squelch probings. THAT might represent the TRUE "Stealth" response!!;)
The perfect firewall could give the user a choice of what response it sends to a SYN probe. Or humorously, you could set it up to randomly vary the responses -- and confuse the he// out of the scanner. :)
This thread moves faster than I type...
Dave is right -- a computer without a firewall gives a Closed response -- hence SYNACK's comments about a "Stealth" firewall pretending it is not there.
Firewalls do MORE than just provide a "stealth" port scan -- however, the push to market the software firewall sadly seemed to make this one of the most important issues... :( [text was edited by author 2002-06-06 21:14:35]
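How a scanner actually sorts the replies to a SYN probe, and what each of the firewall reply policies discussed in the post looks like on the wire, as an added example that is not part of the original thread and not any poster's code. The packets are constructed inside the script (RFC 5737 documentation addresses, zero checksums), not captures; the policy names "drop", "reject-rst", "reject-icmp" and "random" are this example's own labels, and the verdict names follow the usual scanner convention (Nmap reports a silent timeout as "filtered"), except that the ICMP unreachable case is kept as its own verdict here so the difference stays visible.

```python
import random
import struct
from typing import Optional

# Constructed packets, not real captures: a 20-byte IPv4 header followed by
# the TCP segment or ICMP message a scanner receives after sending a SYN probe.
IPPROTO_ICMP, IPPROTO_TCP = 1, 6
TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10
ICMP_DEST_UNREACH = 3
ICMP_PORT_UNREACH = 3

SCANNER_IP = bytes([192, 0, 2, 10])   # RFC 5737 documentation addresses
TARGET_IP = bytes([192, 0, 2, 20])


def ipv4_header(proto: int, payload_len: int,
                src: bytes = TARGET_IP, dst: bytes = SCANNER_IP) -> bytes:
    """Minimal IPv4 header (checksum left as zero; nothing here verifies it)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, src, dst)


def tcp_reply(flags: int, sport: int = 80, dport: int = 40000) -> bytes:
    """TCP segment carrying the given flags, as a target answers a SYN probe."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 0, 0, 0)
    return ipv4_header(IPPROTO_TCP, len(tcp)) + tcp


def icmp_unreachable(code: int) -> bytes:
    """ICMP Destination Unreachable quoting the probe's IP header + 8 bytes."""
    quoted_probe = (ipv4_header(IPPROTO_TCP, 20, SCANNER_IP, TARGET_IP)
                    + struct.pack("!HHI", 40000, 80, 0))
    icmp = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0) + quoted_probe
    return ipv4_header(IPPROTO_ICMP, len(icmp)) + icmp


def classify_reply(reply: Optional[bytes]) -> str:
    """The verdict a scanner can reach from one SYN probe. There is no fourth
    'stealth' verdict: only what came back, or the fact that nothing did."""
    if reply is None:
        return "filtered"            # timeout: no response at all
    ihl = (reply[0] & 0x0F) * 4      # IP header length in bytes
    proto = reply[9]
    body = reply[ihl:]
    if proto == IPPROTO_TCP:
        flags = body[13]             # TCP flags byte sits at offset 13
        if flags & TCP_SYN and flags & TCP_ACK:
            return "open"            # SYN/ACK: something is listening
        if flags & TCP_RST:
            return "closed"          # RST: host or firewall says nothing there
        return "unexpected"
    if proto == IPPROTO_ICMP and body[0] == ICMP_DEST_UNREACH:
        return f"unreachable(code={body[1]})"
    return "unexpected"


def firewall_reply(policy: str,
                   rng: Optional[random.Random] = None) -> Optional[bytes]:
    """What a firewall sends back for a SYN to a blocked port, per policy
    (policy names are this example's own): 'drop' is what gets marketed as
    'stealth', 'reject-rst' imitates an unfirewalled host with nothing
    listening, 'reject-icmp' is the ICMP Port Unreachable variant, and
    'random' is the joke policy from the post, one of the three each time."""
    choices = {
        "drop": lambda: None,
        "reject-rst": lambda: tcp_reply(TCP_RST | TCP_ACK),
        "reject-icmp": lambda: icmp_unreachable(ICMP_PORT_UNREACH),
    }
    if policy == "random":
        policy = (rng or random).choice(sorted(choices))
    return choices[policy]()


if __name__ == "__main__":
    cases = {
        "listening service": tcp_reply(TCP_SYN | TCP_ACK),
        "no firewall, nothing listening": tcp_reply(TCP_RST | TCP_ACK),
        "firewall policy drop": firewall_reply("drop"),
        "firewall policy reject-rst": firewall_reply("reject-rst"),
        "firewall policy reject-icmp": firewall_reply("reject-icmp"),
    }
    for label, reply in cases.items():
        print(f"{label:32s} -> {classify_reply(reply)}")
    rng = random.Random(7)
    print("random policy, five probes ->",
          [classify_reply(firewall_reply("random", rng)) for _ in range(5)])
```

Run it and compare the "no firewall, nothing listening" row with the "reject-rst" row: the scanner gets byte-for-byte the same verdict from both, which is the sense in which an RST-sending firewall hides itself. The "drop" row is the only one a scanner can tell apart from an ordinary host, and only by the absence of a reply.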