How to stealth port 113 (ident/auth) for users of [NAT] routers

From: Vanguard (rztqf6v02-NIX_at_sneakemail-NIX.com)
Date: 09/11/03


Date: Wed, 10 Sep 2003 21:15:27 -0500


Below is an e-mail thread between me and Symantec regarding why I could
not stealth port 113 (IDENT/auth) using their firewall software (Norton
Internet Security 2003). Turns out it wasn't a fault of their firewall.
My NAT router (DLink DI-604) was the culprit although it has some
firewall capability. Even after defining a firewall rule within the
router to block traffic on port 113, my router would deliberately ignore
that rule and still reply with a "closed" status on port 113 - which
means a hacker could see my network exists. I was not fully stealthed
because of this one port. But a cure was available and became evident
after reading https://grc.com/port_113.htm. The cure? Forward port 113
connections to a host on your network that doesn't exist, that will never
exist, and that cannot exist (see the UPDATE section here on how to do
it).

While system admins of firewalls for businesses might know this already
(but then they are running enterprise-quality firewalls, too), it wasn't
something that I was familiar with on a home network using a router. I
did a search here and found some articles, like
news:04a701c366a0$c0beb4f0$a401280a@phx.gbl (but they neglect to mention
that hardware firewalls [i.e., router with firewall] probably won't
stealth port 113), so I figured this might prove helpful to make your
home network truly stealthed.

----- My e-mail correspondence -----

*** See UPDATE section for how to cure the problem.

I did define a rule to block connections on port 113 - and it DOES NOT
WORK! I tried again. I defined a rule as follows:

Block
Inbound & outbound connections (to/from a computer)
ANY computer
TCP & UDP
Port 113 (ident/auth)
Tracking: Log, security monitor message, security alert.

I then ran the Shields Up test for Common Ports. Again it said that port
113 was reporting that it was closed. The point is that it is REPORTING
the closure. It should be stealthed and not report ANYTHING! NIS should
not respond at all.

However, the problem may not be with NIS 2003. I am connected to a NAT
router (DLink DI-604) with an inbuilt firewall. The IP address against
which Shields Up is testing is assigned by my ISP's DHCP server to my
router. I have also tried defining a block rule there but without
success. At this point, it looks like I need to talk with DLink as to
why their router's firewall cannot block this connection (by stealthing
it).

The NAT connection of my host is through my router to the Shields Up web
site. It is unclear if the test is executing against my host (through
the address translation which permitted my browser to connect with the
web site) or if the test is executing against the router. Yet on both my
host (using NIS 2003) and on the router (using its firewall), I have
defined rules to block connections on port 113. From what you say, it
appears a "block" by NIS 2003 means the port is stealth (rather than
report closed or refused). Now I have to find out from DLink if
"blocked" to them also means stealthed or closed.

Thanks for the assistance.

*** UPDATE ***

Aha! After reading https://grc.com/port_113.htm, the cure became
apparent. Define the NAT router so that the WAN-side port 113 would port
forward to a non-existent intranet host by specifying an internal IP
address that will not get assigned. My router's DHCP server is
configured to assign IP addresses in the range of 192.168.0.x, where x =
0 to 199. So I configured a virtual server on the public port 113 to go
to port 113 on an internal host with IP address of 192.168.255.255. This
IP address is outside of the range that the DHCP server would be allowed
to assign IP addresses, so that host will never exist. Basically the
router redirects the IDENT/auth connection off to a non-existent host
and effectively stealths that request. I ran Shields Up again and,
voila, my network was now fully stealthed.

Thought you might like this information to include in your knowledgebase
so other users that discover port 113 is not being stealthed know why,
and for those using routers they can see how to keep their entire
network stealthed.

So the problem was not with NIS. It was with the router in that it was
supporting an old, mostly unused, and potentially dangerous protocol.
This also clarifies one cause of why some users of firewalls find that
they cannot use e-mail with the firewall enabled but e-mail works when
the firewall is disabled (and maybe something else to add to your
knowledgebase if not already described); see the referenced GRC article
on why.

| -----Original Message-----
| From: <symantectech>@<symantechelpdomain>
| [mailto:<symantecdept>@<symantechelpdomain>]
| Sent: Wednesday, September 10, 2003 03:40 AM
| To: <me>@<myisp>
| Subject: RE:Alerts and Security Issues [#<ticketnumber>]
|
| <snip>
|
| In your message you wrote:
|
| > I ran the [Shields Up] Common Ports [at http://grc.com/] test
| > and it found all were stealthed (no response) except for port
| > 113 (IDENT/auth) which reported it was closed.
|
| I understand your concerns about this issue. Please
| note that if you have created a rule to block communication
| through a port, then Norton Internet Security will reject
| the connection request to that port. To know more about how
| Norton Internet Security handles port scans, please refer to
| the document provided below:
|
| <snip - some KB articles>
|
| A port is open or closed because some application is using
| that port. To know more about this, please refer to the
| document provided below:
|
| <snip - more KB articles>
|
| Please note that if there is no rule to allow access through
| a port and if it is not used by any application, then Norton
| Internet Security will stealth that port by default.
|
| To ensure your system security, I recommend that you run an
| Online Scan, to make sure that your system is secure. To
| perform an Online Scan, please perform the steps provided below:
|
| Web URL: http://security.symantec.com
| Then perform 'Security Scan'.
|

NOTE: Symantec's Security Scan will NOT detect that the host (or router)
on port 113 is reporting a status of "closed" (the "problem" being that
the host is *reporting* at all rather than remaining silent and thus
stealthed). Only GRC's Shields Up showed port 113 was reporting a
"closed" status - until I defined port forwarding to a non-existent host
in my router's firewall.

____________________________________________________________
** Share with others. Post replies in the newsgroup.
** If present, remove all "-nix" from my email address.
____________________________________________________________
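The post relies on Shields Up to tell the three states of port 113 apart. The following Python script is an added example, not part of the original post or of any Symantec, D-Link or GRC tool, that lets you make the same check yourself from a machine outside your network: it probes a TCP port and classifies the answer as "open" (SYN-ACK, an identd is listening), "closed" (RST, the router or host exists but nothing listens, which is what the poster saw) or "stealth" (no reply before the timeout, which is what forwarding to a non-existent host produces). It also includes a small RFC 1413 client and reply parser so you can see what an open ident port actually gives away (a username), which is the reason the protocol is called "potentially dangerous" above. Host names, the sample reply lines and the `self_check` helper are assumptions made for this example.

```python
"""Probe TCP port 113 (ident/auth) and report open / closed / stealth.

Added example (not from the original post). Run from a host OUTSIDE the
network under test, e.g.:  python ident_probe.py 203.0.113.5
The address 203.0.113.5 is a documentation address, not a real target.
"""
import errno
import socket
import sys

IDENT_PORT = 113


def classify_tcp_port(host, port=IDENT_PORT, timeout=3.0):
    """Return "open", "closed", "stealth" or "unreachable" for host:port.

    open        -> the connect succeeded (SYN-ACK came back)
    closed      -> the peer answered the SYN with RST (connection refused);
                   this is the "closed" report the post complains about
    stealth     -> nothing came back before the timeout, i.e. the SYN was
                   dropped or forwarded into a black hole (the UPDATE fix)
    unreachable -> the local stack has no route to the host at all
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def parse_ident_reply(line):
    """Parse one RFC 1413 reply line into a dict, or return None if malformed.

    Format: "<server-port> , <client-port> : USERID : <opsys> : <user-id>"
        or: "<server-port> , <client-port> : ERROR : <error-type>"
    """
    head, sep, rest = line.strip().partition(":")
    if not sep:
        return None
    try:
        sport, cport = (int(p.strip()) for p in head.split(","))
    except ValueError:
        return None
    fields = [f.strip() for f in rest.split(":")]
    base = {"server_port": sport, "client_port": cport}
    if fields[0] == "USERID" and len(fields) >= 3:
        # RFC 1413 allows ':' inside the user-id, so rejoin everything after opsys.
        return dict(base, type="USERID", opsys=fields[1], user=":".join(fields[2:]))
    if fields[0] == "ERROR" and len(fields) == 2:
        return dict(base, type="ERROR", error=fields[1])
    return None


def query_ident(host, server_port, client_port, timeout=3.0):
    """Ask host's identd who owns the TCP connection <client_port> -> <server_port>.

    Only meaningful when classify_tcp_port(host) == "open"; returns the parsed
    reply or None if the daemon answers nothing usable before the timeout.
    """
    with socket.create_connection((host, IDENT_PORT), timeout=timeout) as sock:
        sock.sendall(f"{server_port}, {client_port}\r\n".encode("ascii"))
        try:
            data = sock.recv(1024)
        except socket.timeout:
            return None
    return parse_ident_reply(data.decode("ascii", errors="replace"))


def self_check():
    """Exercise the classifier offline against two loopback sockets.

    A listening socket must classify as "open"; the same port right after the
    listener is closed must classify as "closed" (the kernel answers with RST).
    The "stealth" case cannot be produced on loopback, so it is not covered here.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        open_result = classify_tcp_port("127.0.0.1", port, timeout=2.0)
    finally:
        listener.close()
    closed_result = classify_tcp_port("127.0.0.1", port, timeout=2.0)
    return {"open": open_result, "closed": closed_result}


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(f"{target}:{IDENT_PORT} -> {classify_tcp_port(target)}")
```

Run it against your WAN address from outside (a friend's machine, a VPS, a phone off Wi-Fi); from inside the LAN you would only be testing the router's LAN side, which is the same ambiguity the poster ran into with NIS versus the router. Before the port-forward trick the probe returns "closed" within a few milliseconds; after it, it returns "stealth" only once the full timeout has elapsed, which is also why mail and IRC servers that do ident lookups can appear to hang against a stealthed port.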