Re: Norton Personal Firewall 2003
From: Alsvik Ture (ture@alsvik.dk)
Date: 12/10/02
- Next message: Paul Laudanski Zhen-Xjell: "Computer Cops Offers Free Web Nmap SYN, FIN, XMAS, NULL, and ACK Scans"
- Previous message: Alsvik Ture: "Re: Norton Personal Firewall 2003"
- In reply to: Alsvik Ture: "Re: Norton Personal Firewall 2003"
- Next in thread: Joseph V. Morris: "Re: Norton Personal Firewall 2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Alsvik Ture" <ture@alsvik.dk> Date: Tue, 10 Dec 2002 00:57:10 +0100
Sorry if you thought i was rude in my last post. I wasn't ...! Just
misunderstood your comment about the 12 posts!
Ture :o)
"Alsvik Ture" <ture@alsvik.dk> wrote in message
news:119J9.63061$HU.4620588@news010.worldonline.dk...
> Thanks for your concern and interest in my matters.
> It has now evolved to a quite long post, and i will try to answer your
> questions.
> First, NPF2003 has an intrusion detection feature called "port scan" - but
> it hasn't detected any portscans yet. Even if i disable home networking
and
> scans it from a computer within the network, it doesn't detect it!
>
> I have a router, and i hasnt been changed since i installed it and plugged
> it into the wall. I routes all traffic to the server.
> So the setup for the router is the same and has always been, whether i've
> been using NPF2002 or NPF2003.
> GRC and sygate's port scanner validates my external ip-adress, so it's the
> correct ip it's scanning.
>
> If X decides to scan my ports he will have the same result as grc.com.
> And when NPF2003 doesn't detect grc's scan it wont detect X's scan either.
>
> When uninstalling NAV or NPF i have always (during this period since the
> problems occured) removed the programs using add/remove in contro panel,
and
> after that i've used the Symantec removal tool and then to be total secure
> it wasn't any thing in the registry that messed it up, i manually removed
> entries like "symantec" and "norton" with regedit.
>
> I cannot uncheck "port scan detection" in NPF2003 (as i can in NPF2002)
but
> i can exclude the intrusion detection called "port scan".
>
> When installing NPF2003 i decided not to run liveupdate, not to do program
> scan and not to create any rules before a reboot.
> After the reboot it will ask me to allow programs like ftp, iis, p2p and
so
> on. Where possible i will pick "automatic" since it then is a know
program.
> Where it's not possible i will choose "permit all". This is just the
> programs and services starting automatically when windows boots to
desktop.
> After that i changed the security level to HIGH. Autoblock is default on.
> Then i ran program scan and i checked the programs i know needs internet
> access, and i choose automatic where possible.
>
>
> I have no sites added under autoblock! I have from time to time, when some
> kind of intrusion is detected., Often it's a ip that have accessed my port
> 80 with some kind of invalid "cgi script" attempt!
>
> I never created any custom rules for my services, as NPF2002 would detect
> them automatically and just ask me if i would permit or deny them access
to
> the internet. For all my services/servers i can choose "automatic" - which
> is recommended by NPF. This is the same with NPF2003.
>
>
>
> Just deleted all programs in the list and re-did the program scan.
> Everything is set to high. Even alerting.
> I set up a rule to monitor internetacess on the local ports 21, 25, 80,
110,
> 443 and 8080 and did a port scan from grc.com.
> It adds a monitoring event to the log. Two for each port. One with the
> destination of my internal ip adress, and one for ip adress 0.0.0.0.
> It creates entries for the ports i'm not using saying " unused port
> blocking"
> So it detects the access attempt, but it doesn't recognize it as a port
> scan!
>
>
> Going through the automatically created rules for programs, i see that
they
> are created as follows:
> allow connections from any computer on any port on any nic to program
>
> That is a pretty loose rule.
> Can i change these so that the webserver only allow traffic on port 80,
and
> the ftp-server only allows traffic on port 21 and so on?
>
> ?
>
> Ture
>
> Again: Thank you for your interest and concern. I really appreciate it!
>
> >
>
> > . . . .
> >
> > "Alsvik Ture" <ture@alsvik.dk> wrote in message
> > news:gZoI9.61554$HU.4262223@news010.worldonline.dk...
> > . . . .
> >
> > | > First thing I would do is put the GRC test site into the Exclusions
> > List.
> >
> > | That would be cheating, wouldn't it? I mean if anyone scans my
computers
> > | ports they will not get the same result being in my blocklist, right?
So
> > | blocking www.grc.com will not make my ports stealthed on other sites
or
> > from
> > | other users, and i cant add everybody!!!
> >
> > No, you've got it turned around backwards. In NIS/NPF 3/4, you find
these
> > settings on the pane entitled "Intrusion Detection". I believe this may
> > be a somewhat different location in NIS/NPF 2003 (6.0x) for the simple
> > reason that Symantec has now introduced some serious intrusion detection
> > (IDS) capabilities. (Indeed, that may be part of the problem you are
> > experiencing.) Now, on _that_ pane in NIS/NPF 3/4, you find several
> > choices:
> > 1) You can check (select) or uncheck (deselect) "Detect Port Scan
> > Attempts"
> > 2) You can check (select) or uncheck (deselect) "Enable AutoBlock"
> > 3) You can specify specific sites or URLs that would be EXCLUDED from
the
> > above options (assuming, of course, that you SELECTed these
options).
> >
> > Now, I run with both 1) and 2) CHECKED, BUT I specifically _exclude_
sites
> > like GRC, Sygate, PCFLANK, Symantec, the DSLR Security test site, etc.,
> > that I use to check my system. Now, why do I do that? Well, you have
to
> > understand what happens if you have both of the two above options
checked.
> >
> > If you have BOTH of these options checked, _ANY_ web-based port testing
> > site that you may care to use will automatically be BLOCKed from TESTING
> > your system to see if you're secure (unless the site is listed in the
> > Exclusions list, of course). These options will shut down these (and
any
> > other sites not in the Exclusions list) within milliseconds as soon as a
> > multi-port scan against your firewall is detected. How does this occur?
> > Well, the firewall checks unsolicited inbound communications attempts.
If
> > it finds more than N probes of _distinct_ ports on your machine in M
> > milliseconds or less (at least in NIS/NPF 3/4), it treats that as a
> > hostile intrusion attempt. And, by default, it shuts down ALL inbound
> > communications from that remote IP address for something like 30
minutes.
> > What that means is that your ports aren't being tested AT ALL (really!)
to
> > determine if they're OPEN, CLOSED, or STEALTHED. Indeed, the probes
never
> > hit the NIS/NPF firewall at all -- the site is simply BLOCKED in its
> > entirety for the default 30 minutes. So, if you REALLY want to know if
> > you've got OPEN or even just CLOSED ports tested by these sites, you
have
> > to add the testing site to the Exclusions list.
> >
> > Okay, now, you're saying "Yes, but what about hostile sites? Not test
> > sites?" Well, if it's _not_ a test site and it's NOT in the Exclusions
> > list, those two options will do exactly what you expect. Only problem
is
> > that you're unlikely to have any _hostile_ sites picked up this way.
> > HOSTILE sites that will set this off are rare as hen's teeth. Indeed,
> > since July at least of this year, I've never seen anything stopped by
> > these options other than my chosen test sites and my own ISP (scanning
to
> > make sure I'm not running any services in violation of my ISP's ToS/AUP
> > agreements). And this, of course, is _precisely_ what I've resolved by
> > putting those test and my ISP's own scanning sites into my Exclusions
> > list. Everything else will still be auto-blocked.
> >
> > There's just one problem with this wonderful solution: I WON'T HAVE ANY
> > INFORMATION THAT I CAN PROVIDE TO THE HOSTILE USER'S ISP AS TO EXACTLY
> > WHAT WAS PROBED OR WHEN. You can try filing an abuse report with
> > IDIOTSISP.com (yourself, directly) or with MyNetWatchman.com, or with
> > dShield.org in this instance -- IT WON'T MAKE ANY DIFFERENCE; YOU HAVE
> > _NO_ INFORMATION THAT THEY CAN THEN USE TO IDENTIFY AND BLAME THE
CULPRIT.
> > YOU WON'T HAVE ANY DETAILS TO PROVIDE THEM. (Check your firewall event
> > log; you'll find out what I mean.)
> >
> > Okay, now let's go back to what I meant by "scarce as hens teeth". Any
> > fool worth their salt knows better than to do something that will set
off
> > these alarms in the first place. It's just begging to get cut off by
> > their ISP. I've got about eight instances since July in which I've seen
a
> > REAL multi-port scan from a single remote IP address. NONE OF THESE
HAVE
> > BEEN PICKED UP BY THESE OPTIONS. Do you know why? Probably not. It's
> > the N distinct local ports in less than M milliseconds criteria. Anyone
> > worth their salt knows better than to do this. I've seen multi-port
> > probes of anywhere from 4 to 8 ports in these eight instances. The
> > DEFAULT THRESHHOLD for a "Port Scan Detected" is TEN (distinct) ports in
> > NIS/NPF. Only a skiddy would be stupid enough to do THAT. (And I
haven't
> > seen a skiddy in a long, long time.) In addition, someone who really
> > knows what they're doing will also space out the probes just enough to
> > escape the M milliseconds criteria. No, you can't simply modify the M
> > millisecond criteria to 'resolve' this problem (by increasing it, that
> > is). Even IBR from someone running a P2P file sharing program will
again
> > ping you in three seconds. If that fails, they'll try again six seconds
> > later. Three seconds, in other words, is the largest increment to which
> > you can set the time interval (and that assumes you know how to do that)
> > without being bombarded with meaningless "Port Scan Detected" events in
> > your firewall event log.
> >
> > | > Second, you should now be able to find events from the GRC port scan
> > in
> > | > your firewall event log. Do you see events for 21, 25, 80, 110,
443?
> > I
> > | > realize this is going to be a bit tedious, given the firewall event
> > log
> > | > display available in NPF 2003. In earlier versions, you could have
> > used
> > | > Sven Schaefer's NIS Log Viewer to quickly ascertain if these events
> > are or
> > | > are not present.
> >
> > | There are not log entries with the adress of grc.com or their ip (at
> > | grc.com they write that alarms can go on in your firewall with entried
> > from
> > | ip: xxx.xxx.xx.xx ). But it doesn't report any alerts while doing a
> > scan -
> > | and i doesn't create any entries while the scan is done . That is why
i
> > | think something is wrong!
> >
> > Well, if you HAVEN'T put the GRC.COM test IP addresses into your
> > Exclusions List, it's bloody amazing that you see ANYTHING in the
firewall
> > event log when running their "Probe My Ports" test -- if you've got both
> > of the options discussed above CHECKED.
> >
> > | > Now, we get to the complications:
> > | > 1) Do you (or your ISP) have a proxy server between you and GRC?
> > | > What about a router? (That's the most common source of this
> > | > kind of result. If it's probing your router or even your ISP's
> > | > proxy server, it will most definitely report these ports as
> > | > open in 9 cases out of 10.)
> > |
> > | They used to be reported as stealth. I haven't changed anything but
> > | upgrading to NPF2003.
> >
> > I'll go back and check, but I could have sworn that you said that you
use
> > a router in one of your subsequent responses. My (first) question now
> > becomes: Was the router in place when running NPF 2002?
> >
> > My (second) question now becomes: How do you know that you are not NOW
> > accessing the GRC site through a proxy server (or router) in use by your
> > ISP? Have you _confirmed_ that YOUR IP address (from winipcfg.exe or
> > ipconfig.exe, depending on your operating system) is NOW being correctly
> > picked up by the GRC test site (as indicated in the test results)?
> >
> > | To answer another of your questions, i uninstalled NPF2002 first, and
> > since
> > | i also used NAV2002 and upgraded that product at the same time, i also
> > | uninstalled that. When i first noticed the problem i now seem to have,
i
> > | uninstalled both programs and deleted all entries i could find
matching
> > | "symantec" and "norton" in regedit.
> >
> > Uh-ohhh! That may be part of the problem. There's a lot of
> > Symantec/Norton registry entries that can cause problems if unilaterally
> > removed. You have to start with Start | Programs | Control Panel |
> > Add/Remove Software... (and pay particular attention to any options that
> > may be presented). After that, you should have used Symantec's RNIS and
> > RNAV utilities, not scoured the registry independently and manually.
> >
> > | > 2) Did you have all these multiple servers running when you had
> > | > NPF 2002 installed? If so, what inbound TCP rules did you
> > | > have in place for them at that time?
> >
> > | NPF2002 created these rules on it's own. It detected the
IIS5.0-service
> > and
> > | the ftp-server, and it created the rules for the mailserver. I only
had
> > to
> > | choose "permit all" or "automatic" - and i choose "automatic" where
> > | possible.
> >
> > Okay, got that. You had these services running when you had NPF 2002
> > installed. But you still haven't answered my questions. What WERE the
> > rules that NPF 2002 created for these applications? Do you have any
> > documentation on them, whatsoever? Did you ever off-load these rule
> > specifications using Albert Janssen's AtGuard NIS Rules Viewer (which is
> > the only way you _could_ have saved them off in a readable form)?
> >
> > | > 3) What are your _current_ inbound TCP rules for these servers?
> > | > (Remember, the rules you had in place in NPF 2002 don't
> > | > automatically upgrade to NPF 2003; you have to re-enter.)
> > | > (I know answering that one is going to be tedious, because
> > | > you can't use Albert Schaefer's AtGuard NIS Rules Viewer
> > | > with NPF 2003.)
> > |
> > | I haven't created any rules but one, allowing any traffic from/to
any
> > | computer to my local ports 4661-4665
> >
> > Ahhh, that doesn't really answer my question (especially after reading t
he
> > response to the following question). If you started NIS/NPF 2003 with
> > Security set to MEDIUM (and especially with Automatic Firewall Rule
> > Creation, or whatever it's called in NIS/NPF 2003, invoked), then the
> > INBOUND PERMIT rules for these server applications were _probably_
invoked
> > BEFORE you set the Security Level to HIGH. So, again, when you actually
> > inspect your ruleset for these applications, what INBOUND PERMIT rules
do
> > you find? There is NO way to accurately respond to this question other
> > than manually inspecting your rules for these services (in detail, I
might
> > add) and manually copying them off into a response. True, in NIS/NPF
> > _prior_to_ NIS 4.5, you could have used Albert's utilities to do this,
but
> > his utilities don't work with NIS 4.5 or NIS/NPF 6.0x.
> >
> > | > 4) Okay, I assume you've confirmed that the firewall component
> > | > is actually enabled. Do you have the Security Level set
> > | > to HIGH?
> > |
> > | The firewall is enabled (everthing is default) except i've raised it
to
> > | HIGH.
> >
> > Hmm, exactly WHEN did you raise the security level to HIGH? (This may
be
> > very important, in light of my response above.)
> >
> > | Alert level is set to MIN. Changing this to high will not create any
> > alerts
> > | from grc.com or their ip or create any log entries from their adress /
> > ip.
> > | So the scan just isn't detected!
> >
> > No, that's not quite correct. IF you had SECURITY set to MEDIUM, and
> > AUTOMATICALLY ENABLE FIREWALL RULE CREATION ENABLED, or if you used the
> > AutoScan for Internet Enabled Applications run during system setup,
YOU'VE
> > ALREADY CREATED the PERMIT INBOUND rules -- and these rules do _not_ log
> > by default. You have to MANUALLY enable logging on them. If you don't
do
> > so, the unsolicited inbound communications will simply be PERMITted and
> > you will have no firewall log events to indicate that this is happening.
> >
> > | > 5) If you've done all of the above and still can't identify
> > | > the source of the problem, then you need to add a custom
> > | > rule to the System-Wide Settings. This would be a
> > | > MONITOR rule for TCP inbound for these particular ports.
> > | > ENABLE Logging for this rule and position it at the top
> > | > (beginning) of your System-Wide Rule Settings. Run GRC's
> > | > "Probe My Ports" again. If THIS rule doesn't generate
> > | > log events, then these probes are, in fact, not getting
> > | > to your machine. If THIS rule DOES generate log events,
> > | > it should also tell you what Process is accepting them.
> > |
> > | I will try that - but somehow i've lost my sense of security with NPF.
> > | I'll try to create a custom rule that monitores the open ports 21, 25,
> > 80,
> > | 110, and 443 and see if that creates any entries in the log.
> >
> > At this point, I can't say. But it rather looks to me as if you've let
> > NIS/NPF create the necessary PERMIT INBOUND rules automatically for
these
> > server applications. If so, those rules don't automatically log (unless
> > you manually invoke logging). And, of course, if these PERMIT INBOUND
> > rules actually EXIST, well, sure ... GRC is going to identify these
ports
> > as OPEN.
> >
> > Now, if you _want_ these services available to others (_any_ others, I
> > might add) via the Internet, well, that's the way it's going to be. If,
on
> > the other hand, you'd like to limit Internet access to these services to
a
> > select few, then you'll need to CUSTOMIZE the automatically created
rules
> > to restrict the PERMIT INBOUND communications to just those users (by IP
> > address) whom you choose to allow. You can't offer up services to the
> > Internet at large and get STEALTH results when running GRC, Sygate, DSLR
> > Security, PC Flank, or Symantec port testing sites (to name only a few).
> >
> > --
> > Regards,
> > Joseph V. Morris
> > jvmorris@erols.com
> > ICQ #29438199
> >
> > This is a NEWSGROUP message; except for privacy reasons, please respond
> > therein; an e-mail COPY is always appreciated, of course.
> > Almost all electrons used in the creation of this message were recycled.
> > No electrons used in the production of this message were harmed or
> > mistreated in any manner.
> >
>
>
- Next message: Paul Laudanski Zhen-Xjell: "Computer Cops Offers Free Web Nmap SYN, FIN, XMAS, NULL, and ACK Scans"
- Previous message: Alsvik Ture: "Re: Norton Personal Firewall 2003"
- In reply to: Alsvik Ture: "Re: Norton Personal Firewall 2003"
- Next in thread: Joseph V. Morris: "Re: Norton Personal Firewall 2003"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
