[ale] How to test your public internet connection for open ports

Michael B. Trausch mike at trausch.us
Fri Feb 11 02:13:35 EST 2011


On Thu, 2011-02-10 at 13:04 -0500, Ron Frazier wrote:
> Michael W.,
> 
> I appreciate the post, but, I think you're being excessively harsh on 
> Mr. Gibson.  You've got to understand that his whole focus in just about 
> everything he does (that I'm aware of) in the field of security is the 
> AVERAGE everyday CONSUMER, or moderately technical consumer.

Mr. Gibson's ideas are often plain incorrect, or so grossly
oversimplified as to be made incorrect even if there is a kernel of
truth in them.  Mr. Gibson is the Kim Komando of security.

> His 
> audience is the consumer.  He writes for the consumer.  Not for 
> engineers, such as you or me, and not for networking gurus.  His sole 
> focus is to help those consumers secure their computers within the 
> bounds of their knowledge and their equipment.  Almost everything you 
> said doesn't apply to a consumer environment, but does apply to an 
> enterprise environment.  My message post was in reply to another which 
> asked advice on how to buy a router, even though I changed the subject 
> line.  Well, the next thing you need to do after you buy a router is 
> properly configure it, which is why I made two followup posts.

Whether he is writing for the average consumer or the network engineer,
bad advice is bad advice.  Period.  Full stop.  Intent does not matter.
Target audience does not matter.  Bad advice is just as bad no matter
who it's given to.  It's even worse when it's given to someone who
doesn't know any better and simply accepts it without question.

As has been stated numerous times and in numerous ways:  A "stealth"
port simply lets a potential attacker know that active filtering is
taking place.  If you want ports to be "closed" (e.g., not respond to
connection attempts), you simply do not start a program that listens on
them.  Simple as that.  So-called "stealth" provides no advantage, and
is a bit of a misnomer.  I suspect that it is named such in order to
confer some sort of undue confidence.

> The average consumer is going to go to Fry's or Best Buy or a similar 
> place and buy an off the shelf router for $ 50 - $ 100.  The odds are, 
> he won't be running DD-WRT on it.  He'll take it home and install it 
> according to the instructions.  Then, he'll either run their setup 
> wizard, which I don't recommend, or he'll manually configure it, which I 
> do recommend.

The average consumer doesn't configure _anything_ manually.  At least,
not in my own personal experience.  Hell, they don't even set passwords,
or if they do, they're taped to the keyboard or the monitor.  Hardly
shining beacons of security, humans.

> The main question on his mind other than getting it 
> working, will be - is the firewall in this thing going to protect me as 
> much as possible from unsolicited internet attacks?  In this context, 
> it's entirely appropriate to use simplified terminology to get the point 
> across.

The default configuration of any NAT appliance is going to be absolutely
all that the average consumer requires.  By default, all consumer
devices that I am aware of do not forward incoming connections on any
port to any system on the LAN side of the device, thereby raising the
bar sufficiently high enough that your typical script kiddie isn't going
to bother with it.  IOW, unsolicited connections aren't allowed.

If someone other than a script kiddie is interested in your data, there
is more likely than not a reason for that (and you're probably aware of
that and enhancing your security in really useful and meaningful ways,
such as employing encryption, running any services that are run in a
manner so as to be private, and so forth).  If someone who has serious
skills (probably both in programming and in social engineering) wants to
get at your data, I assure you, they'll get there.  It won't matter what
you have in place in terms of port filtering; the one thing I can say
for sure is that they won't come through a TCP or a UDP port.  At least,
not via a normal connection.

I could say a lot more.  It'd only be repeating things that either
myself or Mike W. or others on the list have said, pointed to,
referenced, or whatever.  It comes down to this:  The things you
advocate make you feel better and perceive an increase in your security.
That's what the United States Federal Government does with its DHS, as
well.  I'm going to guess that you like that.  I don't.  I am concerned
with real security, not façades that make it appear as if we have more
security than we do.

Regardless of the topic or problem domain, security requires one thing
above all else: intimate knowledge of what it is that you are attempting
to secure.  That's why we have consultants to secure our cars against
early failure.  And contractors who do our electrical wiring for us, to
secure ourselves against early deadedness.  We pay consultants and
contractors for their knowledge and ability to apply it.  Or at least,
that's the hope.

	--- Mike