Port holes in NIS10.
I have spent all day tracking down this problem on multiple systems.
Port scans from www.grc.com report a number of “closed” as opposed to stealthed ports in the first 1100 or so ports. (In order to do this scan, I have been putting various systems into DMZ mode so that the router does not intercept the port probes.)
Various ports such as 1029, 1031, 1032, 1033, 1036, 1037, 1038, 1039, 1040, and 1054 are reported to be “closed” instead of “stealthed”.
I have tried the following measures to clear this situation.
(1) Full scans with NIS10. No problems found.
(2) Resetting the NIS10 firewall.
(3) Reviewing the program rules in the NIS10 firewall.
Previously with NIS09, this problem did not exist.
Now, how do I know for sure that this is intrinsic to NIS10? I turned off the NIS10 firewall and turned on the Windows firewall. When that was done, those ports immediately reverted to “stealthed”.
Other information: NIS10 17.0.0.136 Win XP Pro SP3.
Could someone from Symantec Technical Support please look into this matter further? I have the feeling that NIS10 is giving away more information about the user’s system than it should in a non-obvious fashion.
Thank you.
Are you using these ports or trying to use these ports?
Are these ports important for your work?
There may be a security vulnerability reason for not allowing these ports to continue; that's why Symantec might have closed them in NIS 2010.
If this isn't the reason, then wait for more comments.
If these ports are causing you trouble, I suggest you contact tech support.
I have no need of these ports. However, I understand that used ports should be “stealthed” which they are not.
Excuse my ignorance but if you are not using the ports isn’t it better they are closed rather than stealthed?
“Stealthed” is the preferred security discipline. “Stealthed” also means that they are inaccessible.
However, “closed” says that there is a computer at this address as opposed to nothing, since it is a digital reply.
“Stealthed” is a non-response which increases the workload on port scanners, since they must wait for a timeout instead of having an instant reply.
I believe that something isn’t working properly in NIS’ firewall and should be looked at. Your firewall is your very first line of protection. If there are holes in that, then you are asking for trouble.
Symantec?
Mark,
Symantec is currently researching your report.
Although you've pretty much ruled out this possibility, a common reason that people see ports as either closed or open when NIS should be stealthing them is due to their ISP. Some ISPs intercept certain ports and it is actually the response from the ISP that is being detected.
The primary value with stealthing is the delay that it causes for scanners. The fact that a scanner does not receive any response at all actually indicates that the IP address has been recently valid, otherwise, some router on the path would return a destination unreachable response because it doesn't have that IP address mapped.
Mark_Kratzer -
In regards to Reese's post also, have you found any ports that are not closed or stealthed at all? In my past experience with probes, closed is better than stealthed for the reason Reese stated in his reply above.
Hi Mark_Kratzer
Have you run this Symantec Security Check... also available from here
The results analysis agrees with your comments re Stealth.
Understanding your results:
Open port: An open port responds to port probes and acknowledges the port's availability. Open ports are dangerous because they're an easy and attractive means of entry for hackers.
Closed port: A closed port is visible but not open to attack. Although this is a safe state, a hacker can use closed ports to detect the existence of your computer and potentially target it for attack.
Stealth port: A stealth port is safest of all. Stealth means that your computer doesn't respond to port probes, and you are virtually invisible to hackers scanning the Internet for potential targets. Although this is a very safe result, a stealth port may cause performance problems for some Internet applications.
The scan may not be as extensive as grc.com, but it will generate NIS Intrusion Attempt popups... verifying that NIS is on the job.
Symantec also has Free PC Checkup Scan here may offer some info.
Regards
bjm_
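As an added illustration (not code from this thread, from GRC or from Symantec), the small classifier below maps the three outcomes of a TCP connect probe onto the open / closed / stealth vocabulary used in the two posts above: a completed handshake is "open", a refused connection (the host answered with a TCP RST) is "closed", and a probe that gets no reply before the timeout is "stealth". The loopback demo, the timeout value and the helper names are constructed here for the example; run it only against hosts you administer.

```python
import errno
import socket


def classify_port(host, port, timeout=2.0):
    """Probe host:port with a plain TCP connect and name the outcome.

    open    -> handshake completed, something is listening
    closed  -> TCP RST came back (connection refused): the host is there,
               which is exactly the information a "closed" result leaks
    stealth -> nothing came back within the timeout (probe dropped)
    Routing failures are reported separately as "unreachable".
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def not_stealthed(results):
    """Given {port: state}, list the ports a scanner would see as present."""
    return sorted(p for p, state in results.items() if state != "stealth")


def loopback_demo():
    """Constructed demo on 127.0.0.1: one listening port, one free port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))             # reserve, then release a port
    closed_port = spare.getsockname()[1]
    spare.close()                            # nobody listens here now
    try:
        return {"open": classify_port("127.0.0.1", open_port),
                "closed": classify_port("127.0.0.1", closed_port)}
    finally:
        listener.close()
```

On the loopback interface the kernel always answers, so the demo can only show "open" and "closed"; the "stealth" outcome needs a real packet filter dropping the SYN.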
Finally, some time to reply.
This problem report was developed across four separate systems. It should be noted that the ports not stealthed are not identical on each system. The ports I reported in my initial post were a composite of all not-stealthed ports scanned below 1100.
I verified that there are no applications on these systems which are using any of these ports. I verified that there were no entries in NIS10 which were using these ports. While we are on the topic, it would be a handy feature in NIS to have a port search so that you could rapidly find out if a rule has been created for a particular port. The way it stands now, you have to step through everything in order to check. Certainly, the NIS firewall does, in fact, have a composite of the status of all ports which is traceable back to the particular rule(s).
Reese,
Interesting point about “stealthed” indicating a live IP. In any case, it seems that the standard firewall practice these days is to stealth. Based on the different ports from different machines and the test with Windows Firewall, I think we can safely say that this is not related to my ISP (Comcast BTW).
Bjm,
I use GRC and Symantec as my two standard checks. The Symantec scanner did not report any problems.
—
My systems are in fact behind a hardware firewall. However, I reported for the following reasons:
(1) Being in Systems myself and a customer, it just seems that it is the proper thing to do to report issues.
(2) I believe in a layered defense. So, if somehow someone got through my hardware firewall either through a hole or maybe a hack became available to access the sys admin Web pages, then NIS10 would become my next line of defense.
(3) In the rare event that DMZ mode would become necessary for some reason, then NIS10 becomes the active line of defense.
(4) If port setting is not behaving properly, then perhaps it is indicative of a problem which might be more serious than “closed” versus “stealthed”.
(5) Finally, for some of you out there directly on the Internet, NIS10 may be the only thing that stands between some hacker and your credit cards.
This is a very interesting thread at Broadbandreports about the question of closed versus stealthed.
Interesting reading. Well, it may, in fact, be that the "stealth" is simply about satisfying a features check list ... still NIS10 is not behaving as one is led to expect by Symantec. That merits some concern in any case.
Thanks for the link.
Mark_Kratzer -
Did you find any ports that were either not closed or stealthed?
Nothing open.
Thank you. Just wanted to check that to make certain your system was safe.
Symantec Technical Support,
4 machines upgraded to NIS 17.1.0.19 today.
This problem with inconsistencies of NIS10's handling of ports persists (see first post).
Have you been able to reproduce this situation?
Thank you.
We are still researching this and may have managed to reproduce your symptoms in one case but it still requires further analysis.
Hi Mark:
I have one system still running NIS 2009 on XP/SP3 and noticed that Port 1025 is OPEN.
The only way for me to immediately correct the problem was to set a manual firewall rule to close the port.
Interestingly enough, when I went to GRC (ShieldsUp!) to check it, the port was reported to be stealthed, not closed. So am curious to know how NIS 2009 is actually handling the status of this port, i.e. closed or stealthed?
There is not a choice in the rules to specify that, at least that I can see.
My other system, also running XP/SP3 and NIS 2010 does not have this issue - all ports are stealthed.
Hope this helps.