Re: Firewalls offer no REAL outbound protection????

From: Tilman Schmidt (Tilman.Schmidt@ePost.de)
Date: 04/11/02


From: Tilman Schmidt <Tilman.Schmidt@ePost.de>
Date: Thu, 11 Apr 2002 19:43:32 +0200

Tore Lund <tl001@online.no> wrote:

>"Lars M. Hansen" wrote:
>>
>> Actually, the most reliable is "netstat -an". Or, if you're running
>> Linux, try "netstat -A inet -anp".
>
>I wonder how you find that information reliable. At least, on my Win2K
>there are always some ports LISTENING according to netstat, even when
>all the test sites report that they are closed.

There is a known bug in Win2K netstat, showing ports as "listening"
which are actually part of an established connection (and also listed
as such). Apart from that, netstat is quite reliable even on Windows.

>> If it doesn't show there, it's not open.
>
>I believe you, but the converse does not necessarily hold. In
>particular, ports 135 and 445 are always LISTENING on my machine, but I
>have not seen any evidence that they are "open" in any way that
>constitutes a risk.

They *are* open in the strict sense of the word, i.e. they accept and
process network packets. Whether you consider this a risk is the same
decision as with every other open port: you have to decide whether you
trust the program which does process these packets not to contain any
vulnerabilities which might compromise your system.

-- 
Tilman Schmidt                       E-Mail: Tilman.Schmidt@ePost.de
Bonn, Germany
- In theory, there is no difference between theory and practice.
  In practice, there is.
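The post above compares `netstat -an` output on Windows with `netstat -A inet -anp` on Linux and mentions the Win2K quirk of a connected socket also being listed as LISTENING. The following added example (not code from the thread's participants) parses both output formats from constructed sample text, separates genuine listeners from rows that match that quirk, and lists the bound ports that remain to be reviewed service by service; the sample addresses, PIDs and program names are invented.

```python
# Constructed sample output (not a real capture) in the two formats the
# thread mentions: Windows "netstat -an" and Linux "netstat -A inet -anp".
WIN2K_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       10.0.0.7:80            ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
LINUX_SAMPLE = """\
Proto Recv-Q Send-Q Local Address     Foreign Address   State       PID/Program name
tcp        0      0 0.0.0.0:22        0.0.0.0:*         LISTEN      712/sshd
tcp        0      0 192.168.1.9:40512 10.0.0.7:443      ESTABLISHED 1450/curl
"""

def parse_netstat(text):
    """Parse socket lines of either format into dicts; header lines are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].lower() not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        if len(parts) >= 5 and parts[1].isdigit() and parts[2].isdigit():
            parts = [parts[0]] + parts[3:]      # drop Linux Recv-Q / Send-Q columns
        state, pid = "", ""
        for tok in parts[3:]:                    # remaining columns: state and/or PID/name
            if "/" in tok or tok == "-":
                pid = tok
            else:
                state = tok.upper()
        rows.append({"proto": parts[0].lower(), "local": parts[1],
                     "foreign": parts[2], "state": state, "pid": pid})
    return rows

def audit_listeners(rows):
    """Return (listeners, suspect). A LISTENING row whose exact local endpoint also
    appears in an ESTABLISHED row matches the Win2K netstat quirk described in the
    post and is reported separately; UDP rows carry no state and count as bound."""
    established = {(r["proto"], r["local"]) for r in rows if r["state"] == "ESTABLISHED"}
    listeners, suspect = [], []
    for r in rows:
        bound = r["state"] in ("LISTEN", "LISTENING") or (r["proto"].startswith("udp") and not r["state"])
        if not bound:
            continue
        (suspect if (r["proto"], r["local"]) in established else listeners).append(r)
    return listeners, suspect

def listening_ports(rows):
    """Sorted (proto, port) pairs for the genuine listeners: the list to review
    program by program, as the post advises."""
    listeners, _ = audit_listeners(rows)
    return sorted({(r["proto"], int(r["local"].rsplit(":", 1)[1])) for r in listeners})
```

The quirk check keys on the full local address, so a service bound to one specific interface address that has also accepted a connection on that same address would be reported as suspect; confirm such cases with a second tool (for example the `-p` process column on Linux) before dismissing them.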
