Stealth Vs Closed Ports

sfish

I've downloaded BrickHouse 1.0.2. After locking down everything coming in and then going to the "Sharing" System Pref panel and closing down everything that might allow outside access, I still don't seem to have a completely stealthed set of ports.

When using NetBarrier under Mac OS 9, I could set everything to stealth. This would produce a satisfying result from the Gibson Research Corp security tests (http://grc.com/x/ne.dll?bh0bkyd2). Now with everything locked down on Mac OS X as best as I know how, I'm getting quite a few ports that come up as "Closed" instead of "Stealth."

My questions are these:

1) Should I strive for stealthed ports or is merely "closed" enough?

2) If needed, what can I do to get more security here?

Thanks for any insight.
 
AFAIK if a port is closed nothing can use it so it can't be used to hack in. I don't have a clue what stealth ports are though. :)

peter
 
Well, the description I've read is that closed ports are not useable and stealth ports can't even be seen. It's as if there's not even a computer present at the stealthed port. The advantage being that if someone with malicious intent sees a closed port, that might be incentive enough to try to find any available resource at that IP. With all ports stealthed, the same user would not see any computer even available at the IP and would move on to another one.

It would be as if a thief coming to rob a house in your neighborhood would not just be confounded by high security of your abode, but wouldn't even see your house and therefore wouldn't know it was available to violate.
 
A closed port sends a response to the sender that the port is closed.

A stealth port doesn't send any response.

It's like when you get spam. You don't want to reply saying "Please remove me" because that just confirms that you're there.

I'm not sure what OS X does if it gets a request to a "non-active" port. Anyone know?

-Rob
 
Thanks for the info!

I guess I just assumed that a closed port was what you say a stealth port is. Now, here's the other question - why have closed ports and not stealth ports? I would have thought that it was easier to send no response. I would have thought that the closed port was the "feature" and that the stealth port was the necessity. E.g. web server down - close the port so that the user knows the computer is there and the URL is right but the server isn't ready. Giving no hint to the outside world is the necessity if Apple wants to keep its "Most Secure OS" title.

peter
 
I guess computers want to be polite and respond with a "Go away" instead of pretending that they don't exist.

Check out the www.grc.com website. In particular there is a page (https://grc.com/x/ne.dll?bh0bkyd2) that will walk you through as it scans *your computer*, telling you where some holes are.

Very interesting.

-Rob
 
Interesting! I learned something new today. :)

A computer with all ports closed and few open (say HTTP and FTP) is by far more difficult to infiltrate, unless of course certain unknown exploits were used. Keeping the software up to date should be a good way of improving security.

I'm interested in making my Mac OS X computer secure. As of the moment, I'm firewalled by a Linux box, which is firewalled by two more firewall hardware machines. :)
 
The main difference is (as has been pointed out) how the two respond, closed says 'nothing here' while stealth just ignores. The advantages of each come up depending on what you want to do. For one, having every port on your machine act in a stealthy manner makes it appear as if there isn't even a computer at your IP (no ports ever respond). Stealth is also a good thing against port scanners, since the scanner has to wait for the response to timeout before marking a port as not open, whereas if it were closed in the normal sense, it receives a 'nothing here' response pretty quick.
On the other hand, some things work better with closed, because of that same timeout. One example I found some time ago was if you run your own mail server for outgoing mail (i.e., sendmail). Some mail servers accepting mail will attempt to connect back to your identd port (basically a way of saying who the user is) before accepting mail. If this port is in stealth mode, that mail server won't accept your mail until the attempted connect to identd times out, slowing down mail delivery by about two minutes.
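The distinction the last two posts describe (a closed port answers a connection attempt with a refusal, a stealthed port answers with nothing, so the client has to wait for its own timeout) can be seen directly from the client side. The following is an added example, not code from the thread or from BrickHouse: it classifies a TCP port from the outcome of a plain connect(), the way a scanner such as the GRC probe does, and times the closed case against the listener we create ourselves on loopback. The hostnames, ports and the use of the RFC 5737 documentation address 192.0.2.1 for the slow path are assumptions for illustration.

```python
"""Classify a TCP port as open, closed or filtered ("stealth") from how
the target answers a connection attempt. Added example, not from the
original thread: it mimics what a port scanner such as the GRC probe sees."""
import errno
import socket
import time

OPEN, CLOSED, FILTERED, UNREACHABLE = "open", "closed", "filtered", "unreachable"


def classify_connect_error(exc):
    """Map the error from a failed connect() to a port state.

    A closed port answers a SYN with a RST, which surfaces as ECONNREFUSED
    almost immediately. A stealthed (dropped) port sends nothing, so the
    only signal is the client's own timeout. ICMP unreachables are reported
    separately: they say "no host/network", not "no service".
    """
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return FILTERED
    if exc.errno == errno.ECONNREFUSED:
        return CLOSED
    if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return UNREACHABLE
    raise exc  # anything else is a local problem, not a verdict about the port


def probe_tcp(host, port, timeout=2.0):
    """Return (state, seconds_elapsed) for one TCP connect attempt."""
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            state = OPEN
        except OSError as exc:
            state = classify_connect_error(exc)
    return state, time.monotonic() - start


def demo_local(timeout=2.0):
    """Probe an open and a closed port on loopback and return the results.

    The 'open' port is a listener we create ourselves; the 'closed' port is
    one the kernel just handed us and we released, so nothing listens there.
    Loopback cannot show the 'filtered' case: nothing drops packets on lo0.
    """
    with socket.create_server(("127.0.0.1", 0)) as srv:
        open_port = srv.getsockname()[1]
        open_state, _ = probe_tcp("127.0.0.1", open_port, timeout)

    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    closed_state, closed_elapsed = probe_tcp("127.0.0.1", closed_port, timeout)

    return {"open": open_state, "closed": closed_state, "closed_elapsed": closed_elapsed}


if __name__ == "__main__":
    print(demo_local())
    # 192.0.2.1 is a documentation address (RFC 5737) that is normally
    # black-holed (assumed here for illustration), so this shows the slow
    # path the identd post describes: either the full timeout ("filtered")
    # or an ICMP unreachable if this host has no route to it at all.
    print(probe_tcp("192.0.2.1", 113, timeout=2.0))
```

The closed probe returns in milliseconds because the RST arrives on the first round trip; the 192.0.2.1 probe sits for the whole timeout, which is exactly the delay a remote mail server pays when it calls back to a stealthed identd port. Note that the scanner only ever sees "filtered"; whether that is a firewall drop rule or a host that is switched off is indistinguishable from outside.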
 