
newbie - stealth ports

 
 
David Furness
Guest
Posts: n/a

 
      06-28-2004, 10:46 PM
Until recently I connected 2 PCs together with a crossover cable and
used ICS to access the Internet via a USB adsl modem through one of the
PCs. I installed Norton Firewall and their website security check said
that I had 'stealth' ports in operation.

I've since added a third PC to my setup and therefore have connected
these 3 to a "Mentor" (conexant) ADSL modem router instead of the USB
modem. Although everything works perfectly in the sense that I can
access the internet and share files across the network, I'm left with a
nagging fear that it's not quite set up properly, as the same Symantec
security check says that one of my ports (80) is open and the rest are
no longer 'stealth' but are 'closed' (I'm still running the Norton
firewall BTW)

Under Misc Configuration for the router there's a setting for Http
access where HTTP Server port 80 is mentioned - I've ticked 'restricted'
and 'LAN' and left 'WAN' unticked and I'm fairly certain that this is
where the open port 80 is coming from. However if I take this port out,
I can't access the setup pages for the router and have to do a factory
reset.

Also I'm at a loss as to how I make all the rest of the ports as
stealthy as they (apparently) were before I started using the router.

I have enabled NAT for all 3 PC's
All PC's using XP pro

Am I worrying unnecessarily or am I really not as secure as I was with
just the modem?


Sorry for all the newbie type ramblings here, but I really do struggle
when it comes to networking.

Any help appreciated.

Dave





--
David Furness
 
 
 
 
 
Alex Fraser
Guest
Posts: n/a

 
      06-29-2004, 10:27 AM
"David Furness" <(E-Mail Removed)> wrote in message
news:S9QBRcCv+(E-Mail Removed)...
[snip]
> I've since added a third PC to my setup and therefore have connected
> these 3 to a "Mentor" (conexant) ADSL modem router instead of the USB
> modem. [...] the same Symantec security check says that one of my ports
> (80) is open and the rest are no longer 'stealth' but are 'closed' (I'm
> still running the Norton firewall BTW)


Unless you are using port forwarding, the only thing that can be "seen" from
the outside is the router, so the firewall has no bearing on the test
results. That's not to say the firewall is useless.

> Under Misc Configuration for the router there's a setting for Http
> access where HTTP Server port 80 is mentioned - I've ticked 'restricted'
> and 'LAN' and left 'WAN' unticked and I'm fairly certain that this is
> where the open port 80 is coming from.


Yep, I agree.

> However if I take this port out, I can't access the setup pages for the
> router and have to do a factory reset.
>
> Also I'm at a loss as to how I make all the rest of the ports as
> stealthy as they (apparently) were before I started using the router.


It's a function of the router. That's the only place to look.

> I have enabled NAT for all 3 PC's


Not sure what you mean by this.

> All PC's using XP pro
>
> Am I worrying unnecessarily or am I really not as secure as I was with
> just the modem?


I would be worried about the web administration possibly being accessible
from the Internet at large (even if it is password protected). However, I
wouldn't be too worried about the lack of "stealth" (but this is something
of a religious issue).

Alex


 
 
brushes
Guest
Posts: n/a

 
      06-29-2004, 11:52 AM

"Alex Fraser" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "David Furness" <(E-Mail Removed)> wrote in message
> news:S9QBRcCv+(E-Mail Removed)...
> [snip]
> > I've since added a third PC to my setup and therefore have connected
> > these 3 to a "Mentor" (conexant) ADSL modem router instead of the USB
> > modem. [...] the same Symantec security check says that one of my ports
> > (80) is open and the rest are no longer 'stealth' but are 'closed' (I'm
> > still running the Norton firewall BTW)

>
> Unless you are using port forwarding, the only thing that can be "seen" from
> the outside is the router, so the firewall has no bearing on the test
> results. That's not to say the firewall is useless.
>
> > Under Misc Configuration for the router there's a setting for Http
> > access where HTTP Server port 80 is mentioned - I've ticked 'restricted'
> > and 'LAN' and left 'WAN' unticked and I'm fairly certain that this is
> > where the open port 80 is coming from.

>
> Yep, I agree.
>
> > However if I take this port out, I can't access the setup pages for the
> > router and have to do a factory reset.
> >
> > Also I'm at a loss as to how I make all the rest of the ports as
> > stealthy as they (apparently) were before I started using the router.

>
> It's a function of the router. That's the only place to look.
>
> > I have enabled NAT for all 3 PC's

>
> Not sure what you mean by this.
>
> > All PC's using XP pro
> >
> > Am I worrying unnecessarily or am I really not as secure as I was with
> > just the modem?

>
> I would be worried about the web administration possibly being accessible
> from the Internet at large (even if it is password protected). However, I
> wouldn't be too worried about the lack of "stealth" (but this is something
> of a religious issue).
>
> Alex
>

On my router here I have set (PAT) both ports 80 & 21 to forward to machine
number 255 on my network, i.e. 192.168.1.255. This stealths them without
preventing access to the router setup page. www.grc.com can be useful as a test;
use ShieldsUP.

polly


 
 
Ben Pope
Guest
Posts: n/a

 
      06-29-2004, 08:58 PM
David Furness wrote:
> Until recently I connected 2 PCs together with a crossover cable and
> used ICS to access the Internet via a USB adsl modem through one of the
> PCs. I installed Norton Firewall and their website security check said
> that I had 'stealth' ports in operation.
>
> I've since added a third PC to my setup and therefore have connected
> these 3 to a "Mentor" (conexant) ADSL modem router instead of the USB
> modem. Although everything works perfectly in the sense that I can
> access the internet and share files across the network, I'm left with a
> nagging fear that it's not quite set up properly, as the same Symantec
> security check says that one of my ports (80) is open and the rest are
> no longer 'stealth' but are 'closed' (I'm still running the Norton
> firewall BTW)


Stealth ignores the request. Closed replies with "go away". Obviously
stealth is considered more secure 'cos to the requesting machine your
machine appears dead or not there. Also, it takes longer to timeout a
connection than to receive a "go away" reply. Thus the requesting machine
has more things to deal with simultaneously, 65k simultaneous connections is
not a good thing :-)

> Under Misc Configuration for the router there's a setting for Http
> access where HTTP Server port 80 is mentioned - I've ticked 'restricted'
> and 'LAN' and left 'WAN' unticked and I'm fairly certain that this is
> where the open port 80 is coming from. However if I take this port out,
> I can't access the setup pages for the router and have to do a factory
> reset.


Hmm. You should be able to access port 80 (for configuration) on the router
from the LAN by default, the WAN and wireless as an option... that's a fairly
safe default config, and the one I recommend for you.

> Also I'm at a loss as to how I make all the rest of the ports as
> stealthy as they (apparently) were before I started using the router.


Forward all ports, or set the DMZ (if you can) to your machine with Norton
Firewall. That is however, far less secure than sitting behind the router.
There MAY be an option to drop connections rather than reply with closed in
the router, but that's a fairly unusual option in my experience. Not
necessary in most cases.

> I have enabled NAT for all 3 PC's
> All PC's using XP pro
>
> Am I worrying unnecessarily or am I really not as secure as I was with
> just the modem?


You are almost certainly more secure. Only the ports you specifically
forward to your machine can cause you problems (from outside your subnet,
anyway). Random attacks aimed at "you" will hit the router, not your
machine.

Ben
--
A7N8X FAQ: www.ben.pope.name/a7n8x_faq.html
Questions by email will likely be ignored, please use the newsgroups.
I'm not just a number. To many, I'm known as a String...
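
Added example, not part of any post in this thread: a self-check you can run against your own machine that classifies a TCP port as open, closed or "stealth" and records how long each answer took, which is the timing difference discussed above. The function names are assumptions of this example, and the "stealth" case is simulated with a stand-in, because loopback has no filter that silently drops packets.

```python
import socket
import time


def probe(host, port, timeout=1.0, connect=socket.create_connection):
    """Classify one TCP port of your own host and time the answer."""
    start = time.monotonic()
    try:
        conn = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        state = "closed"    # a reset came back: the "go away" reply
    except (socket.timeout, TimeoutError):
        state = "stealth"   # nothing came back before the deadline
    except OSError:
        state = "error"     # e.g. network unreachable
    else:
        conn.close()
        state = "open"      # handshake completed: something is listening
    return state, time.monotonic() - start


def _dropped(addr, timeout):
    # Constructed stand-in for a filter that silently drops the request:
    # the caller hears nothing and simply waits out its own timeout.
    time.sleep(timeout)
    raise socket.timeout("timed out")


def demo():
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens on this port now
    try:
        return {
            "open": probe("127.0.0.1", open_port),
            "closed": probe("127.0.0.1", closed_port),
            "stealth": probe("127.0.0.1", closed_port, timeout=0.3,
                             connect=_dropped),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, (state, secs) in demo().items():
        print(f"{label:8s} -> {state:8s} after {secs:.3f}s")
```

The closed port answers almost immediately, while the simulated stealth port costs the full timeout.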


 
 
Alex Fraser
Guest
Posts: n/a

 
      06-30-2004, 05:34 PM
"Ben Pope" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
[snip]
> Stealth ignores the request. Closed replies with "go away". Obviously
> stealth is considered more secure 'cos to the requesting machine your
> machine appears dead or not there.


I've yet to see anyone successfully justify this point of view. But that's
another story.

> Also, it takes longer to timeout a connection than to receive a "go away"
> reply.


That is, you (obviously) have to allow longer before you time out a request
than the length of time you would expect before receiving a "go away" reply.

> Thus the requesting machine has more things to deal with simultaneously,


...in order to maintain a given rate of requests.

This is IMHO a sound reason for "stealth", but it has nothing to do with
being secure (not that you said it did).

Alex


 
 
Ben Pope
Guest
Posts: n/a

 
      06-30-2004, 05:49 PM
Alex Fraser wrote:
> "Ben Pope" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
> [snip]
>> Stealth ignores the request. Closed replies with "go away". Obviously
>> stealth is considered more secure 'cos to the requesting machine your
>> machine appears dead or not there.

>
> I've yet to see anyone successfully justify this point of view. But that's
> another story.


Agreed. The only thing I can think of is that if you scan a number of ports
at a given IP, and see no reply whatsoever, the attacker might give up,
assuming you are not there. In which case they may never come across your
insecure server running on an obscure port. I would suspect that this makes
up a pretty small number of attacks.

>> Also, it takes longer to timeout a connection than to receive a "go away"
>> reply.

>
> That is, you (obviously) have to allow longer before you time out a
> request than the length of time you would expect before receiving a "go
> away" reply.
>
>> Thus the requesting machine has more things to deal with simultaneously,

>
> ...in order to maintain a given rate of requests.
>
> This is IMHO a sound reason for "stealth", but it has nothing to do with
> being secure (not that you said it did).


Indeed. Thanks for clarifying some of my points.

Ben
--
A7N8X FAQ: www.ben.pope.name/a7n8x_faq.html
Questions by email will likely be ignored, please use the newsgroups.
I'm not just a number. To many, I'm known as a String...


 