Outpost Users Support Forum  
Posted 03-30-2004, 04:28 AM by Paranoid2000 (Super Moderator; Join Date: Feb 2003; Location: North West, United Kingdom)
Online Scans - What to do with Open and Closed Ports

A major benefit of using a personal firewall like Outpost is its ability to "stealth" ports reducing the visibility of computers when connected to the Internet. This however does depend not only on the rules configured in Outpost, but also upon the method used to connect to the Internet and the Internet Service Provider's (ISP) network setup.

Introduction - What Are Ports?
Every computer needs to have an Internet Protocol (IP) address in order to send and receive data on the Internet - this can be thought of as the electronic equivalent of a postal address.

However, there will usually be more than one application on a system sending and receiving data, so there needs to be a way to tell their traffic apart. This is where ports come in - if you imagine an IP address as being an apartment block, then ports can be thought of as the mailboxes in the entrance lobby where post is delivered (in reality, a port is a 16-bit number carried in the header of every TCP or UDP packet, and the OS keeps a table mapping each port number in use to the socket of the application that owns it). When an application wishes to send or receive data, it asks the operating system (OS - Windows, Unix, Linux, etc) for a socket and the OS assigns it a port number - either one the application specifically requested (for example 80 for a web server) or a spare one chosen by the OS. Outgoing data from the application is stamped with that port number and sent out on the network. Any incoming packet addressed to that port number is matched to the application's socket by the OS, which then signals the application that there is data to be processed.

Open, Closed and Stealthed
Open ports are those that have been requested by an application, created by the OS and can receive data.

Outpost will list all the ports that have been requested in the Open Ports section in its main window. This simply indicates that a port has been allocated by Windows (and would therefore be open if Outpost was not running). Outpost will allow or block traffic to that port depending on the rules set for the related application, so the ports listed may appear to be closed or stealthed to outside traffic.

A number of ports here are opened by Windows services - these can be avoided by closing such services and there is an excellent guide on Minimizing Windows network services that gives details on how to do this (focusing on Windows 2000 and XP). A simpler option is to use a utility like Windows Worms Doors Cleaner to disable such services - Gibson Research also offer tools for this on their Freeware page - specifically Unplug n'Pray and DCOMbobulator.

Closed ports are those which have not been allocated by the OS - data sent to them will be discarded and the OS will send an error back to the sender. For TCP this is a packet with the RST (reset) flag set; for UDP it is an ICMP "Destination Unreachable" (port unreachable) message. Either way the sender learns two things: that the port is closed, and that a live computer exists at that address.

Stealthed ports are like closed ports, but no error message is sent back by the OS - the packet is silently dropped and the sender is left waiting for a reply that never comes (port scanners generally report this state as "filtered" rather than "closed").

From a security perspective, closed and stealthed ports are almost identical - neither will permit unauthorised access. However a stealthed port will not report your presence which makes it harder for an attacker to probe your computer (the first stage of such a probe is typically a "port scan" - sending packets to a wide range of port numbers in an attempt to find out which are open). Also, since many attackers scan for a specific port number over a wide address range (looking for a trojan application that uses that port number), having stealthed ports helps the Internet community by making such scans far slower (if a response is sent by everyone, an attacker could scan thousands of addresses per second - if none are sent, the attacker would have to wait longer to check for a delayed reply, reducing their scanning speed to tens of addresses per second or less).
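The three states above can be told apart from the scanner's side by what a TCP connection attempt gets back. The following Python probe is an added illustration, not code from the original post or from Agnitum: a completed handshake means open, a connection refused (the remote OS sent a TCP RST) means closed, and a timeout with nothing returned means stealthed. Host, port and timeout are the caller's choice; the demonstration in the main block opens its own listener on 127.0.0.1 to produce the open and closed cases, since a stealthed result cannot be produced on the loopback interface without a firewall in the way.

```python
"""Classify TCP ports as open, closed or stealthed from the sender's side."""
import errno
import socket


def probe_tcp(host, port, timeout=2.0):
    """Attempt a TCP connection to host:port and report what came back.

    open      - the three-way handshake completed (something is listening)
    closed    - the remote OS answered with a TCP RST (connection refused)
    stealthed - nothing came back before the timeout (packet silently dropped)
    unreachable - a router answered with ICMP host/network unreachable
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except socket.timeout:
        # No SYN/ACK and no RST: the port (or the whole host) is stealthed.
        return "stealthed"
    except ConnectionRefusedError:
        # The kernel mapped an incoming RST to ECONNREFUSED for us.
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()


def scan(host, ports, timeout=2.0):
    """Probe a list of ports and return {port: state}."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def start_listener(host="127.0.0.1"):
    """Open a listening socket on an OS-chosen port; returns (socket, port).

    A connect() to this port succeeds even though nothing calls accept():
    the kernel completes the handshake and queues the connection.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    srv, port = start_listener()
    print(port, probe_tcp("127.0.0.1", port))   # open: a listener exists
    srv.close()
    print(port, probe_tcp("127.0.0.1", port))   # closed: kernel answers with RST
```

Run against a real target, a port that stays "stealthed" costs the full timeout for every probe, which is exactly the slowdown described above for address-range scans; a "closed" port answers within a round trip.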

Checking Your Ports
There are a number of sites that can help you check the status of ports on your system (verifying whether or not you have your firewall properly configured). When undergoing such a scan, it is recommended that Outpost be placed in Block Most policy (to avoid having to answer dozens of prompts which could occur with Rules Wizard policy) and that the "Block intruder IP..." function of the Attack Detection plugin is disabled (to allow the site to complete its scan without being blocked - which would give an incorrect result).

If you submit to such a scan, you should not report it as an attack to any ISP! (this point may seem obvious to many, but there have been cases of people undergoing a scan, looking at the firewall logs and concluding that they were under real attack).

Online Scan Sites
PCFlank
Sygate Online Scan
HackerWhacker
Shields UP!

Failed the Test?
Scan sites have differing criteria for success or failure and some will include tests on browser settings (cookies, javascript, etc) and exploits using specially malformed network packets. If in doubt, repeat a test or use another site to verify the results.

However, the following results should be investigated further:

Open Ports
To have an open port when Outpost is running, you must have an application rule allowing Incoming traffic. Unless you run a server of some description (mail, FTP, web or game) or a Peer-to-Peer (P2P) program (like KaZaA, Gnutella, WinMX, eMule and others), there is no need for incoming traffic rules. Otherwise be aware that you are, by necessity, allowing others to access your system and ensure that you keep the application involved up-to-date to avoid falling victim to any security exploits. If others are allowed to upload files to your system, make sure that you scan them using updated anti-virus and anti-trojan scanners before opening them.

If you do have rules for incoming traffic and are uncertain about whether they are needed, try a Forum Search for the application involved to see what rulesets others recommend. If no results are found then try searching the Internet (using a search engine like Google) for the application (including terms like "port", "network" and "TCP" or "UDP") to check what network access is needed.

For the most common applications, check the recommendations given in the Secure Configuration FAQ thread.

Closed Ports
As discussed previously, these are far less of a problem than open ports. As long as only a minority of ports are closed (with the rest stealthed) this should not be a concern.

If however, no ports are stealthed then check that Outpost is in Stealth mode (Options/System/Firewall mode).

If Outpost is in Stealth mode and you still see a large number of "Closed" ports then check whether the scan actually was of your computer. Open a Command Prompt/DOS Box window and type ipconfig to find your system's IP address and compare it with that reported on the page. If the two differ, then the scan was of the second address, which could be a router or a proxy server. An address beginning 10., 192.168. or 172.16. through 172.31. is a private (RFC 1918) address that cannot be reached directly from the Internet, which almost always means a router performing NAT sits between you and the scan site.
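The ipconfig comparison can be automated. The Python below is an added example, not part of the original post: it pulls the IPv4 addresses out of ipconfig output (both the Windows 2000/XP "IP Address" line and the later "IPv4 Address" line), checks whether they fall in the RFC 1918 private ranges, and decides whether the address the scan site reported was this PC, a NAT router or a proxy. The two ipconfig listings are constructed samples using the RFC 5737 documentation ranges, not captures from a real machine.

```python
"""Work out whether an online scan hit your PC, a NAT router or a proxy."""
import ipaddress
import re

# Constructed sample of "ipconfig" output for a PC behind a home router
# (not captured from a real machine; addresses are illustrative only).
SAMPLE_IPCONFIG_NAT = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.12
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
"""

# Constructed sample for a PC with a public address of its own (RFC 5737
# documentation range) whose traffic nevertheless goes through a proxy.
SAMPLE_IPCONFIG_PUBLIC = """
Windows IP Configuration

Ethernet adapter Local Area Connection:

        IPv4 Address. . . . . . . . . . . : 198.51.100.20
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 198.51.100.1
"""

# Matches the "IP Address" line of Windows 2000/XP and the "IPv4 Address"
# line of later Windows versions, including the dotted padding before ':'.
IP_LINE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")

# RFC 1918 private ranges plus the RFC 6598 carrier-grade NAT range, which
# some ISPs hand out and which is equally unreachable from the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def is_rfc1918(addr):
    """True if addr (str or IPv4Address) is in a range used behind NAT."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in PRIVATE_NETS)


def local_addresses(ipconfig_text):
    """Extract every IPv4 address assigned to a local adapter."""
    return [ipaddress.ip_address(m) for m in IP_LINE.findall(ipconfig_text)]


def explain_scan_target(ipconfig_text, reported):
    """Classify what the scan site actually probed.

    direct - the reported address is one of this PC's own, so the results
             describe this PC (and Outpost)
    nat    - this PC only has private addresses, so the reported address
             belongs to a NAT router that answered the scan
    proxy  - this PC has a public address but the site saw a different
             one, so a proxy or other intermediate device was scanned
    """
    target = ipaddress.ip_address(reported)
    addrs = local_addresses(ipconfig_text)
    if target in addrs:
        return "direct"
    if addrs and all(is_rfc1918(a) for a in addrs):
        return "nat"
    return "proxy"


if __name__ == "__main__":
    for label, text in (("NAT sample", SAMPLE_IPCONFIG_NAT),
                        ("public sample", SAMPLE_IPCONFIG_PUBLIC)):
        print(label, [str(a) for a in local_addresses(text)],
              "->", explain_scan_target(text, "203.0.113.9"))
```

To use it on your own machine, paste the real ipconfig output in place of a sample and pass the address the scan page displayed as the second argument.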

Scans with a Router
If your Internet connection uses a router (an option for xDSL, cable and satellite connections - not dial-up however) then that router will have its own Internet address and will use Network Address Translation (NAT) to amend packets allowing you to share the Internet connection between several computers. This is an advantage security-wise since the router will be visible on the Internet rather than your computer, but it can make certain applications and online scans harder to set up.

In this case, check the router's configuration - many can be set to give "stealthed" ports but the exact details will depend on the make and model of router. If you do not have appropriate documentation on this, then try an Internet search to see what other users have done.

To scan your PC (and Outpost) you will need to either:
  • Reconfigure your router (temporarily!) to pass all incoming packets to your computer - this may be referred to as creating a DMZ, DeMilitarized Zone, or Port Forwarding (for all ports) or;
  • Disconnect from your router and use a dial-up connection for the duration of the test only.
Scans with Proxy Servers
If you do not use a router but still have different IP addresses reported, then the next most likely cause is a proxy server. These are common in work or school environments and may be used by some ISPs. In such a case, there may be no easy method of obtaining a direct connection, other than attempting a dial-up connection (with another ISP if possible). If in doubt, contact the proxy administrator.

ISP Filtering
There have been cases of people getting "Closed" results for certain ports without having a router or proxy server. In such cases, it is possible that the ISP is blocking some ports and returning an error message in order to prevent the spread of certain worms or trojans. This is most likely for ports widely used by such worms - notably 135-139 and 445.

Last edited by Paranoid2000; 07-14-2006 at 11:00 PM. Reason: Updated links for scan sites