Re: How to Stealth POP3 Port 110 using NIS2000?

From: Nameless (nameless@noname.com)
Date: 02/14/02 

From: "Nameless" <nameless@noname.com>
Date: Thu, 14 Feb 2002 05:17:17 GMT

Thanks Joseph,

That makes a whole lot of sense and sounds like a very reasonable
explanation for why my POP3 port never seemed to get probed yet showed
up as "closed" instead of "stealth" regardless of what firewall rules I
set.

I have NIS 2000 1.0 and I use LiveUpdate to renew it with internet
security updates regularly. I had to renew my LiveUpdate subscription
after one year of using the software and even that renewal is coming to
an end in a few months.

I'm not running any kind of NAT router, so that shouldn't be an issue.

I'll probably take your advice and avoid installing a second firewall.

Is NIS 3.0 or 4.0 any "better" than NIS 1.0/2.0? Is the interface much
different? Would my system be potentially more vulnerable because I'm
running an older version of NIS? Symantec's web site seems to imply
that, but of course they just want to sucker people into paying for more
upgrades.

"Joseph V. Morris" <jvmorris@erols.com> wrote in message
news:a4dujb$4hb$1@bob.news.rcn.net...
> Nameless,
>
> There's a potentially simple answer for what you're seeing . . . .
>
> "Nameless" <nameless@noname.com> wrote in message
> news:aoda8.19392$Cg5.1074668@news1.calgary.shaw.ca...
> | . . . .
> | According to the firewall log, that port is not even being probed.
>
> A lot of ISPs BLOCK unsolicited inbound POP3 requests at the border
> routers, apparently. POP3 was one of the ports that was NEVER probed
by
> GRC on my machine (if I recall correctly and the last time that I
bothered
> to run Shields Up). The response that GRC is reporting is, therefore,
> coming from your ISP's routers, not from you. And many
> industrial-strength routers aren't going to support Stealthing ports
for
> the simple reason that it's not an industry standard response. (Find
me a
> reference to Stealth in the RFCs; I can't.)
>
> The reason for this is quite simple. Under most ISP's TOS/AUP, you're
not
> _supposed_ to be running a POP server. Consequently, there's no need
to
> forward such requests to the IP address assigned to you (not to
mention
> the minor problem of the vulnerabilities associated with running such
a
> server).
>
> Check out the NIS rules for POP3 and SMTP for your e-mail client
software.
> You're only going to see a PERMIT rule for outbound. In other words,
YOU
> have to initiate the conversation -- either to send mail or to receive
it.
> (And once you've initiated the conversation, the response packets are
> allowed in.) NIS, NPF, and AtGuard all block any communication that is
not
> explicitly PERMITted. In NIS and NPF, the event you would probably
see is
> "Unused Port Blocking". In AtGuard, I think it would show as
"Implicit
> Block Rule".
>
> What _version_ of NIS 2000 are you running? NIS 1.0 or NIS 2.0? I
don't
> believe NIS 1.0 ever invoked a patch to "Stealth Unused Ports", but I
> think it may have been added via Live Update at some point to NIS 2.0.
(I
> jumped from NIS FE 1.0 to NIS FE 2.5, so I'm not completely positive
what
> happened with NIS 2.0.)
>
> Finally, if you're running any kind of NAT router -- hardware or
software
> (like ICS in Win 98 SE) -- there's a very good chance that the
response
> you're seeing could be coming from your router. Most of them block
> unsolicited inbound POP3 and SMTP communications, or can be configured
to
> do so.
>
> | This problem persists whether I have NAV e-mail scanning enabled or
> | disabled. Apparently, long ago there was a problem with this port
being
> | left completely open. But that was later fixed with a new
LiveUpdate
> | (mine is up to date).
>
> Yes, the original version of the NAV e-mail scanner DID function as a
> server that would also receive unsolicited inbound requests. But, I
think
> they fixed this quite some time ago. In this instance, it was
listening
> for unsolicited inbound and consequently could not be Stealthed (but
it
> could be CLOSED).
>
> | By the way, is it possible (or desirable) to have two firewall
programs
> | active on a PC? I've read lots of good things about Zone Alarm and
am
> | wondering whether it would be compatible with NIS.
>
> This is a matter of personal opinion. _I_ don't think it's desirable;
if
> you don't know how to set up one personal software firewall (PSF),
it's
> very unlikely that you will know how to correctly set up two.
> Furthermore, the firewalls are burrowing further and further into and
> under the winsock and TCP/IP stack to protect against newly emerging
> threats. The possibility of a conflict that effectively nullifies
some
> aspect of the firewall protection for _both_ PSFs is therefore
increasing.
> (And, of course, you'd never know -- until . . . .) In other words,
it's
> quite conceivable that your protection could actually decline as a
> consequence of running two firewalls. However, AFAIK, there's no
known
> conflict between most versions of ZA/ZAP and the early versions of
> NIS/NPF. There WAS, at one time, a conflict between one particular
ZA/ZAP
> build and one of the later versions of NIS/NPF, but, IIRC, ZoneLabs
fixed
> that quite some time ago.
>
> | One other thing, is there an easier way to rearrange the firewall
rules
> | in NIS2000 rather than choosing one rule at a time and clicking the
> | up/down arrows over-and-over-and-over again!?
>
> Not yet. Maybe in NIS/NPF 5.0. There's been a lot of talk about an
> enhanced ruleset editor/browser, primarily to rectify the unmitigated
> disaster represented by the rules editor GUI in NIS 3.0/4.0. One of
the
> obvious enhancements would be to implement multiple rule selection and
> drag and drop functionality.
>
> --
> Regards,
> Joseph V. Morris
> jvmorris@erols.com
> ICQ #29438199

Relevant Pages

  • Re: How to Stealth POP3 Port 110 using NIS2000?
    ... | According to the firewall log, that port is not even being probed. ... coming from your ISP's routers, ... Check out the NIS rules for POP3 and SMTP for your e-mail client software. ... "Unused Port Blocking". ...
    (comp.security.firewalls)
  • Re: OWA email OK
    ... the CEICW and which have to be set manually. ... > in and manually set the RRAS firewall setting ... > "Need Port Open Help!" ... >>> A quick way to test and make sure POP3 is working on the server is to ...
    (microsoft.public.windows.server.sbs)
  • Re: problems with NOD32 and NIS on same computer
    ... >Security then after a few seconds will finish boot. ... good so you may get away with NIS 2003.. ... Obviously you only installed the Norton Firewall not the AV as well on ... >access this computer on any port 1-65000 is automatically blocked ...
    (alt.comp.anti-virus)
  • Re: OWA email OK
    ... Hi Doug I have ran the CEICW again this time without enabling the built-in ... I am now running the CEICW again to enable built-in firewall ... but this time adding POP3 port 110 tcp. ...
    (microsoft.public.windows.server.sbs)
  • Re: Possible Exchange/Firewall Issue
    ... firewall so I am pretty sure that it's a firewall issue. ... of the firewall I can telnet via port 110 and log into the server. ... server i.e. test account and the Unable to log onto POP3 server and no ... We have port 25 open and we can log in via that port. ...
    (microsoft.public.exchange.admin)