I need a good program to test my firewall(s)
#1
Original Poster
Join Date: May 2000
Location: Naples, Florida
Posts: 7,419
I need a good program to test my firewall(s)
I need a good program to test my firewall(s) - In & Out, hardware (router) & software.
I am not an expert! I googled and some programs claim that they should be used only by an IT-security expert.
http://tooleaky.zensoft.com/
"To demonstrate how outbound filtering is a joke, I am providing here a small executable file (3KB), along with its C++ source code.
In this example, if Internet Explorer is a "trusted" application by your firewall, you'll find that this drills right through. In essence, by giving "trust" to Internet Explorer, you are implicitly trusting every other software application on your PC.
Now, a brief warning: Who should download this software? Quite likely not you. This software is targeted for security professionals. Unless you have a thorough understanding of software firewalls, outbound filtering methods, and the details of this exploit, there is no need to download this program. It's not going to do anything other than frustrate you. However, that said, it can be lots of fun to demonstrate to your friends how you can get right through their firewall if it trusts Internet Explorer."
#2
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Both tests are probably easier than you might think.
For inbound, use a port scanner like ShieldsUP at GRC.com (issues with Gibson aside). That will tell you if you have any open ports.
For outbound, try to connect to servers outside your network on blocked ports. If you are blocking telnet, for instance, google a free/open telnet server and try to telnet to that box. If you are blocking SMTP (port 25 for mail) then you can actually try and telnet to an SMTP server and specify port 25. In fact, I'd think testing the outbound would be fairly easy, if you know what you are blocking.
Now, if this is a software-based outbound firewall, you're never going to be 100% sure, since a clever virus could disable the firewall or open the ports it needs. But if you are talking about a hardware outbound firewall, just try to connect to services on ports you are blocking. Your comment above sounds like you have some combination of the two. I'm guessing hardware inbound and software outbound? Have you considered hardware that will do both (even just a hacked Linksys)?
Finally, your best tests are going to be on machines outside of your network. By virtue of running any software to test things on your desktop, you've changed the test environment.
#3
Original Poster
Join Date: May 2000
Location: Naples, Florida
Posts: 7,419
SpaceBass:
Thanks.
.... ShieldsUP at GRC.com seems to be gone!?!
And yes, I would like to test my two PCs from outside...see if everything is OK.
It looks like you are an expert ... I cannot perform those tests you are explaining.
I have a D-Link DI-524 AirPlus G High Speed 2.4GHz Wireless Router, 802.11b, g .... and it looks like the firewall is off, but I am reluctant to put it on .... had lots of problems with the McAfee firewall some time ago.
I also run Zone Alarm, Windows Defender, AVG, Ewido, Spybot and Ad-Aware....
#4
Join Date: Mar 2005
Location: BKK, MKE
Programs: DL DM,Marriott Plat
Posts: 241
Originally Posted by USAFAN
SpaceBass:
.... ShieldsUP at GRC.com seems to be gone!?!
#5
Join Date: Jan 2003
Location: Ontario, Canada
Programs: Westjet Platinum, Fairmont Platinum RIP, Accor Gold, Marriott Lifetime Silver, HH Diamond
Posts: 1,296
#6
Original Poster
Join Date: May 2000
Location: Naples, Florida
Posts: 7,419
Originally Posted by dw8146
I had no problem getting to ShieldsUp. Try this ShieldsUp Link
Thanks a lot, your link worked fine.
Did all tests. All is OK (safe) but this:
Ping Reply: RECEIVED (FAILED) Your system REPLIED to our Ping (ICMP Echo) requests, making it visible on the Internet. Most personal firewalls can be configured to block, drop, and ignore such ping requests in order to better hide systems from hackers. This is highly recommended since "Ping" is among the oldest and most common methods used to locate systems prior to further exploitation.
Actually, I was aware of this. Comcast once pinged me when I had trouble with the cable-modem connection.
Thanks again.
#7
Join Date: Nov 2002
Location: San Francisco, CA
Programs: US CP, *wood Gold, Marriott gold, Hilton something
Posts: 1,458
Originally Posted by USAFAN
dw8146:
Thanks a lot, your link worked fine.
Did all tests. All is OK (safe) but this:
Actually, I was aware of this. Comcast once pinged me when I had trouble
with the cable-modem connection.
Thanks again.
The ping thing is not much of a concern. Some people would argue that being 100% stealth is a great thing...it's like if your home IP address was your house, and ports are the doors and windows...if you didn't even respond to pings it would be like your house was totally invisible from the street. Personally I trust NAT routers enough AND I like ping as a diagnostic tool so I'm willing to trade the possible insecurity.
For external port scanners, i.e. if you want to test from outside your home network, check out nmap (http://insecure.org/nmap/); there are versions for most major operating systems.
I hate to say this, but I'm pretty anti software firewalls. I just don't see the need. If you have NAT protecting you up front and observe some sense of safe surfing habits, then software firewalls do little more than provide annoying pop-ups and burn memory/speed on your PC.
I'm not, however, opposed to hardware firewalls, but that's another topic
#8
Join Date: Jan 2005
Posts: 8,884
Originally Posted by SpaceBass
For external port scanners, i.e. if you want to test from outside your home network, check out nmap (http://insecure.org/nmap/); there are versions for most major operating systems.
#9
Original Poster
Join Date: May 2000
Location: Naples, Florida
Posts: 7,419
Originally Posted by Arthurrs
I made some tests ... all are fine ^
#10
Original Poster
Join Date: May 2000
Location: Naples, Florida
Posts: 7,419
Originally Posted by SpaceBass
The ping thing is not much of a concern. Some people would argue that being 100% stealth is a great thing...it's like if your home IP address was your house, and ports are the doors and windows...if you didn't even respond to pings it would be like your house was totally invisible from the street. Personally I trust NAT routers enough AND I like ping as a diagnostic tool so I'm willing to trade the possible insecurity.
For external port scanners, i.e. if you want to test from outside your home network, check out nmap (http://insecure.org/nmap/); there are versions for most major operating systems.
I hate to say this, but I'm pretty anti software firewalls. I just don't see the need. If you have NAT protecting you up front and observe some sense of safe surfing habits, then software firewalls do little more than provide annoying pop-ups and burn memory/speed on your PC.
I'm not, however, opposed to hardware firewalls, but that's another topic
I bookmarked http://insecure.org/nmap/; however, I am not ready to do this test. As said before, I am not an expert ... and my common sense tells me not to use such tests (without the assistance of an expert).
Thanks again!