Stealth firewalls

Rifter

Lifer
Oct 9, 1999
Was talking to a network admin I know recently and he was going on about stealth firewalls that stealth all ports being the best thing ever. Obviously you can't do that if you have a server on the inside that needs open ports, but you can use them for offices and whatnot that just need internet, and he said they were great because they don't respond to any requests, so no one knows you are there. I told him he was full of shit because if I was scanning his ports and it dropped all packets I would know there was a firewall/network there being hidden, because if no computer was turned on behind the router it would return a host unreachable packet, not nothing. He told me I was wrong. Who is right?
 

SirGeeO

Member
Dec 22, 2009
Actually, you both have points.
Even with a computer off, if it's physically connected to the router, the Ethernet is still receiving/sending, so that PC is, in a sense, still able to be pinged. I dunno *shrugs*
 

blackangst1

Lifer
Feb 23, 2005
Host unreachable can also be a result of a routing loop. I see this more commonly in my job. If a host is unplugged from the network, you would simply get failed pings.
 

Modelworks

Lifer
Feb 22, 2007
If you know a computer is at an IP address, then there goes your stealth. It is only good if the attacker does not know there is a PC at the address.
 

theevilsharpie

Platinum Member
Nov 2, 2009
I told him he was full of shit because if I was scanning his ports and it dropped all packets I would know there was a firewall/network there being hidden, because if no computer was turned on behind the router it would return a host unreachable packet, not nothing. He told me I was wrong. Who is right?

The network admin is correct in that from a perspective of an outside attacker, a "stealth" firewall is indistinguishable from a host that doesn't exist. However, if the network admin thinks that a "stealth" firewall provides any more security than a firewall that simply responds saying that a port is closed, he's mistaken. In addition, such firewalls are usually also configured to block incoming ICMP packets (particularly echo requests), which is incredibly irritating and can potentially lead to an accidental denial of service.
 
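The disagreement between the first post and the reply above turns on what the last-hop router does for an address that nobody answers: if it sends back ICMP host unreachable for empty addresses, a silently dropping firewall is the one address in the block that returns nothing, which is exactly what the original poster is describing; if the path is silent either way, the two really are indistinguishable from outside. The following is an added example, not code from this thread, that models what a SYN scan learns from each kind of reply and applies that neighbour comparison to a constructed scan of a documentation /29 (addresses, replies and the "sender" fields are all made up for illustration):

```python
"""Model what a port scanner can and cannot conclude from each kind of reply.

Added example, not code from the thread. It sends no packets; the Response
objects stand in for what a SYN scan would receive, and the addresses are
documentation ranges chosen for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# ICMP type 3 (destination unreachable) codes as a scanner interprets them.
# Codes 0 and 1 usually come from a router that could not deliver; the
# "administratively prohibited" codes come from a firewall that chose REJECT.
ICMP_UNREACH = {
    0: "net unreachable",
    1: "host unreachable",
    3: "port unreachable",
    9: "net administratively prohibited",
    10: "host administratively prohibited",
    13: "communication administratively prohibited",
}
ADMIN_PROHIBITED = {9, 10, 13}


@dataclass(frozen=True)
class Response:
    kind: str                       # "tcp", "icmp" or "none"
    flags: str = ""                 # TCP flags seen, e.g. "SA" or "R"
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None
    sender: str = ""                # IP the reply came from


def classify(resp: Response) -> str:
    """Return the port state a SYN scan would report for one probe."""
    if resp.kind == "tcp":
        if "S" in resp.flags and "A" in resp.flags:
            return "open"             # SYN/ACK: a service is listening
        if "R" in resp.flags:
            return "closed"           # RST: host is up, nothing listening
        return "unexpected"
    if resp.kind == "icmp" and resp.icmp_type == 3:
        if resp.icmp_code in ADMIN_PROHIBITED:
            return "filtered-reject"  # a firewall answered: something is there
        if resp.icmp_code in (0, 1):
            return "unreachable"      # a router gave up: nothing at that address
        return "filtered-icmp"
    if resp.kind == "none":
        return "filtered-silent"      # DROP, or no host at all: ambiguous alone
    return "unexpected"


def infer_presence(probes: dict[str, Response]) -> dict[str, str]:
    """Judge a silent address by how the same network treats its neighbours.

    If the last-hop router answers 'host unreachable' for unused addresses in
    the block, an address that returns nothing at all is not invisible: it is
    the one address where a device accepted the packet and dropped it.
    """
    router_reports_absent = any(classify(r) == "unreachable" for r in probes.values())
    verdicts = {}
    for addr, resp in probes.items():
        state = classify(resp)
        if state == "filtered-silent":
            verdicts[addr] = ("present, dropping silently" if router_reports_absent
                              else "unknown: path is silent for absent hosts too")
        elif state == "unreachable":
            verdicts[addr] = "absent (router reported unreachable)"
        else:
            verdicts[addr] = f"present ({state})"
    return verdicts


# Constructed sample: a /29 where the provider's router (.1) reports unused
# addresses, a "stealth" firewall at .4, a plain host at .5 and a firewall
# configured to REJECT at .6.
SAMPLE_SCAN = {
    "203.0.113.2": Response("icmp", icmp_type=3, icmp_code=1, sender="203.0.113.1"),
    "203.0.113.3": Response("icmp", icmp_type=3, icmp_code=1, sender="203.0.113.1"),
    "203.0.113.4": Response("none"),
    "203.0.113.5": Response("tcp", flags="R", sender="203.0.113.5"),
    "203.0.113.6": Response("icmp", icmp_type=3, icmp_code=13, sender="203.0.113.6"),
}

if __name__ == "__main__":
    for addr, verdict in infer_presence(SAMPLE_SCAN).items():
        print(f"{addr:14} {verdict}")
```

Run it and .4 is reported as "present, dropping silently" purely because .2 and .3 came back unreachable; remove those two router replies and the same silence at .4 becomes "unknown", which is the case where the admin's claim holds. A real scanner (nmap's "filtered" state) makes the same distinction only per port, so the neighbour comparison is what an attacker adds on top.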

blackangst1

Lifer
Feb 23, 2005
If you know a computer is at an IP address, then there goes your stealth. It is only good if the attacker does not know there is a PC at the address.

That is incorrect. A computer, server, hardware firewall, whatever can be assigned an IP and be completely undiscoverable.
 

SirGeeO

Member
Dec 22, 2009
^My question is, what IP... not the internal/intranet IP, right? I hope not, because that's what's been coming up lately in my tests done on auditmypc and GRC... it shows my private IP address, which is somehow (and which I hate) displayed within your browser header every time you go online... so if you're talking about that IP, then shewww! *wipes sweat from forehead* ...good riddance...
 

spikespiegal

Golden Member
Oct 10, 2005
Ya know, I read threads like this and I realize how chain stores and government agencies lose so much customer data via simple network hacks.

In the event somebody outside your network is trying to hack your box, two conditions exist: (1) they already know you are there and what your static IP is, and from that they can deduce what they need; (2) it's a bot / malware running a search algorithm via brute force.

In either condition, nobody gives a sh_t if your ports are stealth or not. Ironically, the only time the condition is verified is when you check an outside service (or read amateur security sites like GRC). My opinion is that 'stealth' ports and not responding to a basic ping is like turning your porch light off to try and hide your house from a burglar. If you are on the internet, you have an IP address and you have ports.

Also, the potential attacks coming from outside *aren't* attacking your firewall (except in some very rare instances). The vulnerability is the *applications and OS services* listening to those ports. If those layers are blocked from the internal or external side, and/or patched sufficiently, I could care less if a port says 'f-off' to an automated bot or doesn't respond at all.

If you want to have some fun sometime get a good firewall that shows realtime connection attempts and set up some 'honey pots' like a fake open port 25 relay, or unpatched windows web server. Watch the bot nets swarm to you like crazy and look up the countries of origin of the IPs.
 

n0cmonkey

Elite Member
Jun 10, 2001
Ya know, I read threads like this and I realize how chain stores and government agencies lose so much customer data via simple network hacks.

It's more surprising how much personal info is lost due to mis-dials and bad mail labels.

In the event somebody outside your network is trying to hack your box, two conditions exist: (1) they already know you are there and what your static IP is, and from that they can deduce what they need; (2) it's a bot / malware running a search algorithm via brute force.

Or they know your email address. Or they know which hotel you're staying in and that you'll be at a "business meeting" from 8-11p. Or they just got a janitorial job in the datacenter... ;)

In either condition, nobody gives a sh_t if your ports are stealth or not. Ironically, the only time the condition is verified is when you check an outside service (or read amateur security sites like GRC). My opinion is that 'stealth' ports and not responding to a basic ping is like turning your porch light off to try and hide your house from a burglar. If you are on the internet, you have an IP address and you have ports.

Also, the potential attacks coming from outside *aren't* attacking your firewall (except in some very rare instances). The vulnerability is the *applications and OS services* listening to those ports. If those layers are blocked from the internal or external side, and/or patched sufficiently, I could care less if a port says 'f-off' to an automated bot or doesn't respond at all.

Be more worried about client side attacks. Businesses should be worried about basic webapp attacks too.

If you want to have some fun sometime get a good firewall that shows realtime connection attempts and set up some 'honey pots' like a fake open port 25 relay, or unpatched windows web server. Watch the bot nets swarm to you like crazy and look up the countries of origin of the IPs.

Don't advocate running a honeypot without also mentioning that it's a really bad idea if you are doing it "just for fun." Especially heavyweight honeypots (like unpatched Windows servers). There's a lot of work involved with honeypots, and most of it involves you trying to keep yourself from ending up in jail, on blacklists, or in major debt from lawsuits. ;) They are fun though.
 

Red Squirrel

No Lifer
May 24, 2003
www.anyf.ca
The nice thing with stealth is that it might be more likely to just make the hacker "walk away," while if the hacker knows there is a PC there he might just launch a SYN DoS attack or simply a continuous port scan in hopes the firewall gets brought down for a short period of time. Though with billions of unprotected machines out there, even if the hacker knows the machine is there but is protected, he/she might still just walk away.

It's the targeted attacks and bots that suck. No matter what, they'll find a way. The only good solution there is a good NAT firewall, but even then there may be ways to get around that; I'm no hacking or security expert.

And yeah honey pots are fun. It's fun to put an unpatched windows machine on the DMZ. It gets totally hacked within minutes.
 

Modelworks

Lifer
Feb 22, 2007
It's more surprising how much personal info is lost due to mis-dials and bad mail labels.

More information is lost through social engineered attacks than any other form. It is so much easier for someone to sit with a phone book and a notepad and start randomly calling people pretending to be their bank than it is for someone to hack into computers looking for the same info.
 

snikt

Member
May 12, 2000
And what good is that if I already know the computer is at that IP?

But it's not always a computer with an IP; it could be a network printer, among other things. And the intruder more than likely wouldn't know that, and his continued efforts to try and "hack" it would be wasted.
 

capnstabn

Junior Member
Dec 30, 2009
A stealth rule dropping all traffic destined for the firewall needs to be in place. The only rules that should be above it are for managing the firewall and VPNs. In some cases you may have to make exceptions, but I would do so very carefully. You people keep saying "if you know the IP" you can hack the $%^& out of the firewall. The reason for a stealth rule is to inhibit the information-gathering phases of attacks. Of course, if someone really spends some time they are going to get it... but a stealth rule will stop 90% of the people who are just looking for easy targets. If you think it's a good idea to allow ICMP from the internet directly to your firewall, I would keep your résumé updated.
 

capnstabn

Junior Member
Dec 30, 2009
OR you can just take my advice =p. I promise you having ICMP open to the world will draw more evil in than good. Malicious bastards will be more prone to finding you.....and auditors will scrutinize you!
 

gsellis

Diamond Member
Dec 4, 2003
Malicious bastards don't need ICMP to find my firewall ;)
You would have one of those non-pingable 'routers' between the server in the DMZ and the internet too? ;) The one that does not answer (as opposed to 'host unreachable'). As theevilsharpie already knows, no reply means there is something there. ICMP then helps troubleshoot for those who won't believe that they are getting to the network and servers. The reason folks originally stealthed was to drop the load on the firewalls from answering ICMP requests.

ICMP yes too, everything else to the firewall, no.

Stealth probably seems cool on a small scale, and it is in some day-0 cases that have long been patched, but it is just like a machine without a listening port. A real firewall's rules should be configured so that only allowed addresses on allowed ports reach specific destinations. In big sites, the firewalls are protected too. Something like F5's BIG-IP kills the malicious ICMP and other DoS packets.
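capnstabn's rule ordering (management and VPN rules above the stealth drop, everything else below) and gsellis' variant (answer echo requests, drop everything else aimed at the firewall, then allow only specific sources to specific ports and destinations) are both first-match rulebases, and the thing that goes wrong in practice is getting the order wrong and locking yourself out. The following is an added example, not code from this thread or from any firewall product, that evaluates a packet against an ordered rule list and shows the correct order, the mis-ordered one, and the ping-allowing variant side by side. The firewall address, management network, DMZ host, ports and rule names are all assumptions for illustration.

```python
"""First-match evaluation of a firewall rulebase that contains a stealth rule.

Added example, not code from the thread or from any firewall product. Every
address, port and rule name below is an assumption chosen for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "accept", "drop" or "reject"
    src: Optional[str] = None       # CIDR; None matches any source
    dst: Optional[str] = None       # CIDR; None matches any destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst):
            return False
        if self.proto and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        if self.icmp_type is not None and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule; default is drop."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return "drop", "implicit-default"


FW_ADDR = "203.0.113.1/32"          # the firewall's own outside address (assumed)
MGMT_NET = "10.0.0.0/8"             # where administrators come from (assumed)
DMZ_WEB = "203.0.113.10/32"         # published web server behind the firewall

STEALTH = Rule("stealth", "drop", dst=FW_ADDR)
MGMT_SSH = Rule("mgmt-ssh", "accept", src=MGMT_NET, dst=FW_ADDR, proto="tcp", dport=22)
VPN_IKE = Rule("vpn-ike", "accept", dst=FW_ADDR, proto="udp", dport=500)
VPN_NAT_T = Rule("vpn-nat-t", "accept", dst=FW_ADDR, proto="udp", dport=4500)
WEB_FWD = Rule("dmz-http", "accept", dst=DMZ_WEB, proto="tcp", dport=80)
ECHO_FW = Rule("echo-to-fw", "accept", dst=FW_ADDR, proto="icmp", icmp_type=8)

# Correct order: management and VPN exceptions first, then the stealth drop,
# then forwarding rules for hosts behind the firewall.
RULES_OK = [MGMT_SSH, VPN_IKE, VPN_NAT_T, STEALTH, WEB_FWD]

# Mis-ordered: the stealth rule shadows every exception placed below it.
RULES_MISORDERED = [STEALTH, MGMT_SSH, VPN_IKE, VPN_NAT_T, WEB_FWD]

# Variant that answers echo requests but nothing else aimed at the firewall.
RULES_PING_OK = [MGMT_SSH, VPN_IKE, VPN_NAT_T, ECHO_FW, STEALTH, WEB_FWD]

# Constructed test packets.
ADMIN_SSH = Packet("10.1.2.3", "203.0.113.1", "tcp", dport=22)
INTERNET_SSH = Packet("198.51.100.7", "203.0.113.1", "tcp", dport=22)
INTERNET_PING = Packet("198.51.100.7", "203.0.113.1", "icmp", icmp_type=8)
INTERNET_WEB = Packet("198.51.100.7", "203.0.113.10", "tcp", dport=80)


def lockout(rules: list[Rule]) -> bool:
    """True when the rulebase would drop the administrator's own session."""
    return evaluate(rules, ADMIN_SSH)[0] != "accept"


if __name__ == "__main__":
    for name, rules in (("ok", RULES_OK), ("misordered", RULES_MISORDERED), ("ping-ok", RULES_PING_OK)):
        print(f"{name}: locks out admin = {lockout(rules)}")
        for pkt in (INTERNET_SSH, INTERNET_PING, INTERNET_WEB):
            print("   ", pkt.dst, pkt.proto, pkt.dport, "->", evaluate(rules, pkt))
```

The `lockout` check is the one worth keeping around: run it against a rulebase before pushing it, because a stealth rule placed above the management rule drops the very session you would use to fix it. Note that the forwarding rule for the DMZ web server is unaffected by the stealth rule in either order, since it matches on the server's address rather than the firewall's, which is the separation gsellis describes.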