
Microsoft Firewall

Discussion in 'Networking (Hardware & Software)' started by Dakota, 2007/01/03.

  1. 2007/01/06
    Dakota

    Dakota Well-Known Member Thread Starter

    Joined:
    2006/04/19
    Messages:
    157
    Likes Received:
    0
    I did test at the Symantec Security site and it still says I am not stealthed.
     
  2. 2007/01/06
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    Let me try this a different way.

    The only way a port or ports would be "stealthed" would be if:

    . There is an active application listening on the port;
    . The firewall, aware of this fact, simulates that there are no applications listening for incomings at the requested port (independently of an application presence) and sends "port unreachable" message to the inquirer.

    Otherwise it is "closed".

    If you have no applications: an active FTP server, a Web server, a P2P application, etc. that you have granted approval to the firewall, it will then "stealth" the port.

    No "listening" application active? The port is closed.

    If the computer simply is turned off, it will send nothing to anybody and it will be safe. While you cannot of course test it, all ports would be "closed."

    I disagree with ReggieB that "stealth" is better than "closed." In stealth mode the inquirer will be sent a response: "I am here, I am alive, but simply blocked". It is rather an appeal for new connection attempt by a hacker than real protection. If the port is "closed" the state of that IP address and port is ambiguous. There may not be a machine there at all. If there is a machine it might be turned off. Or it might be firewalled and the ports are "closed."

    In any case: no application installed that creates a listening on a port? No stealth.
     


  4. 2007/01/06
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    Here's mine with MS firewall disabled and just behind a Router.
    Port 80 is intentionally open.

    Secure: 21 (FTP). This port is completely invisible to the outside world.
    Secure: 23 (Telnet). This port is completely invisible to the outside world.
    Secure: 25 (SMTP Mail Server Port). This port is completely invisible to the outside world.
    Secure: 79 (Finger). This port is completely invisible to the outside world.
    Open and Unsecure!: 80 (HTTP). If this computer is not supposed to be acting as a web server you should not have this port open.
    Secure: 110 (POP3 Mail Server Port). This port is completely invisible to the outside world.
    Secure: 139 (Net BIOS). This port is completely invisible to the outside world.
    Secure: 143 (IMAP). This port is completely invisible to the outside world.
    Secure: 443 (HTTPS). This port is completely invisible to the outside world.
     
  5. 2007/01/06
    Dakota

    Dakota Well-Known Member Thread Starter

    Joined:
    2006/04/19
    Messages:
    157
    Likes Received:
    0
    I thank you all, I guess I will not worry about it then.
     
  6. 2007/01/07
    James Martin

    James Martin Geek Member

    Joined:
    2003/05/15
    Messages:
    2,655
    Likes Received:
    79
    I did the same thing and it said that I am in stealth mode (I am using a Sygate Firewall).

    Not trying to beat a dead horse here, but Symantec says that it's better to be in stealth mode?
     
  7. 2007/01/07
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    If you dialed random phone numbers and received two responses:

    . The number you have dialed is not in service (blocked)
    . The caller is not available to take your call. (stealth)

    Which would you as a hacker find more discouraging? There are no technical arguments about which is "better", the practical result is the same in both cases. The question is psychological -- which would a hacker find more discouraging and which more encouraging as a response?

    My view is completely on the technical merits, and neither port status is "better" than the other. On psychological grounds I would vote for "closed" over "stealth". If the geniuses at Symantec vote differently, I have no comment. But I assure you there are no studies or other analyses that would support what is simply an opinion.
     
  8. 2007/01/07
    Scott Smith

    Scott Smith Inactive Alumni

    Joined:
    2002/01/12
    Messages:
    1,950
    Likes Received:
    4
    I guess that's one of those "Half empty, half full" things.

    Everyone has a different point of view.

    My take would be:
    (Blocked) the number you called is not accepting calls at this time.
    (Stealth) the number you called doesn't exist.
     
  9. 2007/01/07
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    'Stealth' involves a response to the one requesting port access.
    'Closed' does not.

    The analogy, at least as far as any analogy is any good, is correct as written.

    It is a fair summary of what happens:
    . to an ICMP packet to the IP
    . to a UDP packet sent to a specific port
    . to a TCP packet sent to a specific port

    Depending on the NAT router and firewall used, there can be designed differences on which type of response is given in each instance. It is not some sort of industry standard we are discussing. But if a response vs. no-response is made, one can at least begin to divide closed vs. stealth.

    Remember that "stealth" has meaning only on how "listening" ports are treated by the firewall. It is not a generic port status choice. If no listener applications are running, the response will be "closed" in all cases. Most routers make triggered exceptions for common listening ports such as HTTP, Web server clients, email, 113 authentication, etc. Whether the response is to be "closed" or "stealthed" is up to the firmware author.
     
    Last edited: 2007/01/07
  10. 2007/01/08
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    I'm confident that is not right. If there is no application found listening on the port the response will be:
    • Closed port: a TCP packet with a TCP flag set as 010100 (0x14) signifying that the connection failed due to there being no listen application on that port.
    • Stealth port: Nothing. No failure to connect response
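
The two replies described in the post above, worked through as an added example that is not part of the original thread: it decodes the flag byte of a raw TCP header and labels the reply to a single SYN probe. The function names and the sample headers are constructed for illustration, and "stealth" here follows the no-reply definition used in this post.

```python
import struct

# The six classic TCP flag bits, highest bit first (low six bits of header byte 13).
FLAG_BITS = [(0x20, "URG"), (0x10, "ACK"), (0x08, "PSH"),
             (0x04, "RST"), (0x02, "SYN"), (0x01, "FIN")]

def build_header(sport, dport, seq, ack, flags):
    """Build a constructed 20-byte TCP header (window/checksum/urgent left at 0)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)

def tcp_flags(segment):
    """Return the flag bits from a raw TCP header."""
    if len(segment) < 20:
        raise ValueError("a TCP header is at least 20 bytes")
    # Fields: source port, destination port, sequence, ack, data offset, flags.
    _sport, _dport, _seq, _ack, _offset, flags = struct.unpack("!HHIIBB", segment[:14])
    return flags & 0x3F

def flag_names(flags):
    return [name for bit, name in FLAG_BITS if flags & bit]

def classify_syn_reply(segment):
    """Label the reply to one SYN probe; None means nothing arrived before the timeout."""
    if segment is None:
        return "stealth"          # no failure-to-connect response at all
    flags = tcp_flags(segment)
    if flags & 0x04:              # RST set: nothing is listening on the port
        return "closed"
    if flags & 0x12 == 0x12:      # SYN+ACK: a listener accepted the handshake
        return "open"
    return "unexpected"

def scan_report(replies):
    """Map {port: raw reply or None} to {port: label}."""
    return {port: classify_syn_reply(raw) for port, raw in replies.items()}

# Constructed sample replies, keyed by the probed port.
SAMPLES = {
    21: build_header(21, 50000, 0, 1001, 0x14),      # RST+ACK
    80: build_header(80, 50000, 7000, 1001, 0x12),   # SYN+ACK
    443: None,                                       # silence
}

if __name__ == "__main__":
    for port, label in scan_report(SAMPLES).items():
        raw = SAMPLES[port]
        bits = format(tcp_flags(raw), "06b") if raw else "------"
        print(port, bits, label)
```
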
     
  11. 2007/01/08
    ReggieB

    ReggieB Inactive Alumni

    Joined:
    2004/05/12
    Messages:
    2,786
    Likes Received:
    2
    However, the key point as Bill has correctly stated a number of times, is that your ports are all closed. That is, that you have no open vulnerable ports.

    Yes stealth gives you a little more security by obscurity. That is, it makes it slightly more difficult to spot your system on the internet. However, as soon as you start communicating out from your system that obscurity is lost as each connection you make to the internet will involve you sending packets out, each one with your external IP address in it. That is each packet giving away the information that stealthing hides. So it is a very small benefit at best.

    Anyway, I am also fairly confident that the ports responding are those on your router. So what you are testing is your router's port status. It tells you nothing about how well your personal firewall is behaving.
     
  12. 2007/01/08
    Dakota

    Dakota Well-Known Member Thread Starter

    Joined:
    2006/04/19
    Messages:
    157
    Likes Received:
    0
    You guys are so far above my head, but still trying to take this all in.
     
  13. 2007/01/08
    Bill Castner

    Bill Castner Inactive

    Joined:
    2006/08/30
    Messages:
    1,980
    Likes Received:
    0
    sigh.

    To begin with, "stealth" is not defined in the RFCs for TCP/IP. It is an invented term with no standard meaning.

    Under Windows NT OS versions, Microsoft only follows RFC 789 for SYN packets. For hacker probes using anything else -- FIN, NUL, or "Xmas Tree scans", for example -- Windows does not follow the RFC and for "closed" ports makes no response at all.

    As a result any statement about "stealth" and "closed" and the response behavior is completely dependent on:

    . the flags set on the hacker probe;
    . the port under consideration as defined by IANA;
    . the firmware in the router;
    . the software firewall.

    You would have to be a pretty stupid hacker to use SYN probes anymore. These are watched closely by any router with SPI features, and any software firewall.

    But any claims about "stealth" vs. "closed" port behavior would be dependent on the four variables above, and cannot be generalized. I know at least how XP would act using its native firewall. It would send an RST for a SYN, and not respond to any other flag combination in a packet sent to probe a "closed" port.

    Under Steve Gibson's Shields Up site, a non-response to a port probe is equal to "stealth." (By the way, Steve claims he invented this concept of stealth). I might also note that the Gibson site only uses SYN packets as a test.

    Now, to accept the ReggieB definition and the Gibson definition, applying only to a single flag-set packet, and its response, will end this fruitless discussion. So be it. To summarize: the definition of "stealth" for SYN packets, using the XP firewall, and a non-SPI router, is violated by the ReggieB and Gibson definition of "stealth."

    The fact that few in the security community accept this definition should be of small moment. It is a perfectly reasonable definition for SYN packets. It is not the only definition of "stealth" in use in the security community.
     
  14. 2007/01/08
    smigen

    smigen Inactive

    Joined:
    2006/07/03
    Messages:
    26
    Likes Received:
    0
    Instead of trying to get stealthed, closed or whatever you might want to flip things around by reading and trying to learn how to extract & interpret responses from any port condition.

    http://insecure.org/nmap/man/man-port-scanning-techniques.html

    It would only help you in understanding how to better protect your network.
     
    Last edited: 2007/01/08
