Re: stealth; good idea or bad; I have 2 different sources; who's right



Why must this be a good or bad, right or wrong?

If in either case the probing code/individual determines
that they cannot access anything at that protocol/port then
is not the same purpose served, i.e. the system has had its
surface area reduced. If in either case the system must be
active at some protocol/port combos, then it can/will be
located. Routers are going to do what they ought in either
case in order to be RFC compliant. If the system has had
its surface minimized then the further hardening can focus
on the exposures.

"unstablemicrosoft" <unstablemicrosoft@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:9389D2AE-A172-48C7-9D14-EA12F8638E1D@xxxxxxxxxxxxxxxx
Well, I've heard some people say that having a "stealth" firewall is good,
and some say it's bad. Two different views:

Position A: Supposedly, according to the text beneath this, if a computer
is not "stealthed", connecting to that computer, for example with a PING
(I assume ICMP), a simple ICMP ping would send a "host unreachable"
message back to the attacker.
If the computer is "stealthed", it will simply drop the echo request, and
no reply is sent back to the attacker's computer.
That way, a "stealthed" computer will confirm its existence. Thus being
counterproductive.

Position B: the "attacker" would receive a "host unreachable" message
from a "stealthed" computer. Or would it not receive a "host unreachable"
message, but something else, that will look like the same to the attacker ?
For as far as I know, Steve Gibson from www.grc.com stands behind
position B.

So, which view is correct ?
Maybe it's even more complicated, I'd like to gain some insight. Maybe
firewalls can have different kinds of stealth. I don't know.
That stealth is "out of spec" is not an argument for me.

WHAT I SUSPECT, and I'd like to hear your views about that, is THAT THE
INTERNET ITSELF is configured in such a way that if a "stealthed" computer
does not respond to a ping or other attempt to establish a connection, the
"attacker" would receive a "host unreachable" message. Thus making stealth
sensible. Essentially position B.

Below this the original article, that prompted me to do some investigation
of my own (not very successful), and asking this question here.

Insight/help appreciated.
Quoting article: "Stealth, when it comes to computer security, is when the
computer (or other network equipment) does not issue any sort of reply to
connection attempts, including ICMP echo requests (ping). I guess the idea
was that if there's no response, they can't see that anything is there,
and therefore you're "stealthed" from the outside world. For some reason,
this was assumed to be a security enhancement because you cannot attack
what you cannot see... Oh boy, is that ever wrong. "Stealth" doesn't mean
you are invisible at all. Instead, it makes you stick out like a sore
thumb.

Here's a picture showing a would-be attacker and your computer behind a
firewall.

A simple "ping" from the attacker travels through the cloud, and to the
router in front of your firewall. Next, the echo request gets to your
firewall. A stealth firewall will simply drop the echo request, and no
reply is sent back to the attacker's computer. So, you're invisible,
right? Since there's no reply, there's no computer there, right? Wrong and
wrong! If there really was no computer (or firewall) there, the router
sitting in front would reply for you with a simple ICMP "host unreachable"
message back to the attacker. The attacker would then know that there
really is nothing there. The lack of this "host unreachable" message is a
clear indication that something is there and it's dropping the packets
rather than replying to them.

A simple telnet connection will yield the same result. If the attacker
attempts to telnet to your computer, and your firewall simply drops the
packets with no reply (stealth), then the connection attempt simply times
out. Again, this is not an indication that there's nothing there, because
the router did not send the "host unreachable" message. With a non-stealth
setup, a reply packet is sent, and assuming no telnet server is running,
the reply will be a loud "no service here." If you shut your computer off,
the connection attempt will also time out, but then the router will send
the "host unreachable" message back to the attacker, so they really know
that you're not there at the moment.

So, being "stealth" doesn't really add any security at all, nor does it
really hide you from anyone else. Anyone who wants to really know if
there's anyone at a given IP address will have no difficulty seeing that
you're really there because you are trying too hard to appear not to be.
Since stealth is violating the normal rules of network connectivity, it
makes you more visible, not less."
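
The thread turns on which reply, if any, comes back to a probe and which device sent it. The following is an added example, not part of the original posts: it parses constructed ICMP replies so you can check what your own firewall and upstream router actually return. The addresses (RFC 5737 documentation ranges), function names and sample packets are assumptions made for illustration.

```python
import struct
from ipaddress import IPv4Address

# ICMP type 3 (destination unreachable) codes from RFC 792 / RFC 1812
UNREACH = {0: "net unreachable", 1: "host unreachable",
           3: "port unreachable", 13: "administratively prohibited"}

def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; a valid ICMP message sums to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def icmp(itype: int, code: int, body: bytes) -> bytes:
    """Build an ICMP message (constructed sample data, not a capture)."""
    msg = struct.pack("!BBHI", itype, code, 0, 0) + body
    return msg[:2] + struct.pack("!H", checksum(msg)) + msg[4:]

def ipv4(src: str, dst: str, payload: bytes) -> bytes:
    """Wrap an ICMP payload in a minimal 20-byte IPv4 header (protocol 1)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      1, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:] + payload

def classify(reply, probed: str) -> str:
    """Interpret the reply to a probe sent to `probed`; None means timeout."""
    if reply is None:
        return "silence: dropped somewhere, nothing reported back"
    src = str(IPv4Address(reply[12:16]))
    msg = reply[(reply[0] & 0x0F) * 4:]          # skip the IPv4 header
    if reply[9] != 1 or len(msg) < 8 or checksum(msg) != 0:
        return "not a valid ICMP reply"
    if msg[0] == 0:
        return f"echo reply from {src}: host answers"
    if msg[0] == 3:
        who = "probed host" if src == probed else "intermediate router"
        return f"{UNREACH.get(msg[1], 'unreachable')} reported by {who} {src}"
    return f"ICMP type {msg[0]} from {src}"

def demo() -> list:
    me, router, host = "198.51.100.7", "192.0.2.1", "192.0.2.10"  # constructed
    probe = ipv4(me, host, icmp(8, 0, b"ping"))
    replies = [ipv4(host, me, icmp(0, 0, b"ping")),        # host answers
               ipv4(router, me, icmp(3, 1, probe[:28])),   # router: no such host
               ipv4(host, me, icmp(3, 13, probe[:28])),    # explicit reject
               None]                                       # silent drop
    return [classify(r, host) for r in replies]
```

The source address of the unreachable message is what separates the cases argued above: a router speaking for an absent host, the host or its firewall rejecting explicitly, or nothing at all.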
