stealth; good idea or bad; I have 2 different sources; who's right

Discussion in 'Security Software' started by unstablemicrosoft, Oct 26, 2006.

  1. Well, I've heard some people say that having a "stealth" firewall is good,
    and some say it's bad. Two different views:

    Position A: Supposedly, according to the text beneath this, if a computer is
    not "stealthed", connecting to that computer, for example with a PING (I
    assume ICMP), a simple ICMP ping would send a "host unreachable" message
    back to the attacker.
    If the computer is "stealthed", it will simply drop the echo request, and no
    reply is sent back to the attacker's computer.
    That way, a "stealthed" computer will confirm its existence, which is
    counterproductive.

    Position B: the "attacker" would receive a "host unreachable" message from a
    "stealthed" computer. Or would it not receive a "host unreachable" message,
    but something else, that will look like the same to the attacker ?
    As far as I know, Steve Gibson from www.grc.com stands behind position B.

    So, which view is correct ?
    Maybe it's even more complicated, I'd like to gain some insight. Maybe
    firewalls can have different kinds of stealth. I don't know.
    That stealth is "out of spec" is not an argument for me.

    WHAT I SUSPECT, and I'd like to hear your views about that, is THAT THE
    INTERNET ITSELF is configured in such a way that if a "stealthed" computer
    does not respond to a ping or other attempt to establish a connection, the
    "attacker" would receive a "host unreachable" message. Thus making stealth
    sensible. Essentially position B.

    Below this is the original article that prompted me to do some investigation
    of my own (not very successful) and to ask this question here.

    Insight/help appreciated.
    Quoting article: "Stealth, when it comes to computer security, is when the
    computer (or other network equipment) does not issue any sort of reply to
    connection attempts, including ICMP echo requests (ping). I guess the idea
    was that if there's no response, they can't see that anything is there, and
    therefore you're "stealthed" from the outside world. For some reason, this
    was assumed to be a security enhancement because you cannot attack what you
    cannot see... Oh boy, is that ever wrong. "Stealth" doesn't mean you are
    invisible at all. Instead, it makes you stick out like a sore thumb.

    Here's a picture showing a would-be attacker and your computer behind a
    firewall.

    A simple "ping" from the attacker travels through the cloud, and to the
    router in front of your firewall. Next, the echo request gets to your
    firewall. A stealth firewall will simply drop the echo request, and no reply
    is sent back to the attacker's computer. So, you're invisible, right? Since
    there's no reply, there's no computer there, right? Wrong and wrong! If there
    really was no computer (or firewall) there, the router sitting in front would
    reply for you with a simple ICMP "host unreachable" message back to the
    attacker. The attacker would then know that there really is nothing there.
    The lack of this "host unreachable" message is a clear indication that
    something is there and it's dropping the packets rather than replying to them.

    A simple telnet connection will yield the same result. If the attacker
    attempts to telnet to your computer, and your firewall simply drops the
    packets with no reply (stealth), then the connection attempt simply times
    out. Again, this is not an indication that there's nothing there, because the
    router did not send the "host unreachable" message. With a non-stealth setup,
    a reply packet is sent, and assuming no telnet server is running, the reply
    will be a loud "no service here." If you shut your computer off, the
    connection attempt will also time out, but then the router will send the
    "host unreachable" message back to the attacker, so they really know that
    you're not there at the moment.

    So, being "stealth" doesn't really add any security at all, nor does it
    really hide you from anyone else. Anyone who wants to really know if there's
    anyone at a given IP address will have no difficulty seeing that you're really
    there because you are trying too hard to appear not to be. Since stealth is
    violating the normal rules of network connectivity, it makes you more
    visible, not less. "
     
    unstablemicrosoft, Oct 26, 2006
    #1

  2. Why must this be a good or bad, right or wrong?

    If in either case the probing code/individual determines
    that they cannot access anything at that protocol/port, then
    is not the same purpose served, i.e. the system has had its
    surface area reduced? If in either case the system must be
    active at some protocol/port combos, then it can/will be
    located. Routers are going to do what they ought in either
    case in order to be RFC compliant. If the system has had
    its surface minimized, then the further hardening can focus
    on the exposures.
     
    Roger Abell [MVP], Oct 26, 2006
    #2

  3.  
    unstablemicrosoft, Oct 26, 2006
    #3
  4. My reply: RFC compliant? Doesn't ring a bell.
    Roger Abell, although you were probably trying to help, it's not much of an
    answer ...
    I'd like to understand "stealth" better.

    Regards,

    unstablemicrosoft
     
    unstablemicrosoft, Oct 26, 2006
    #4
  5. unstablemicrosoft

    Tom Willett Guest

    Then, to find the answer that satisfies you, try: www.google.com

     
    Tom Willett, Oct 26, 2006
    #5
  6. unstablemicrosoft

    Robert Moir Guest

    Well, life is like that sometimes. You appear to be after a "cast in stone"
    answer that says "one of those choices sucks, use the other", but this isn't
    a choice between right and wrong; it's a choice between two alternative
    philosophies, both of which have good points and bad, and both of which have
    respected advocates pointing out their position's strengths and the other
    position's weaknesses.

    Asking which one is "better" or "right" is like asking "Ice cream: is
    chocolate flavour correct, or is vanilla flavour correct?" Now, I prefer
    vanilla, and I don't think 'stealth' as practiced by your average home
    computer firewall is worth the effort, but it's a question of taste, not
    right and wrong.

    What don't you understand about "Stealth", exactly?
     
    Robert Moir, Oct 26, 2006
    #6
  7.  
    Shenan Stanley, Oct 27, 2006
    #7
  8. I am sorry you could not understand my response,
    but I do believe it spoke to the issue. Perhaps if
    you indicated where meaning failed to carry over . . .

    RFC (request for comment) compliant means that the
    implementation behaves according to how the IEEE
    "standards" have defined.

    Look.
    In one case a probe can tell that there is something there.
    In the other case it cannot, except by the ports that are
    intended to be available.
    What I was saying is that for me, as someone that runs
    servers exposed to the world, what matters is whether
    what I have allowed to be exposed (those protocols/ports)
    can only be used in the ways that are intended and that
    they do not fail to perform as intended.
    So, I said, one way or the other, "stealthed" so that there
    is no indication that something is at the IP which does
    not respond to some protocol/port probing, is not really
    material. What I observe in the world is that probes will
    scan across a large selection of protocols/ports, and if
    I have a machine there to actually do something then one
    of those common, well-known protocols/ports will be seen.
    People say that not being stealth invites a thorough scan.
    For some probing-wares that may be so, but for others it
    is not a factor. Heck, there are probing-wares that first
    attempt ping and, if you have ICMP being dropped, the
    probing gives up and moves on.

    There is all sorts of stuff coming at us. To think that stealth
    or not will lend an advantage is in my estimate not a particularly
    valuable point for leverage on the problem. Instead, I assume that
    since I must have some protocol/port active, hence visible to a
    full scan, that the machine will be "found" by probeware. As
    such, I do not see any better or worse in being stealthed or not.
     
    Roger Abell [MVP], Oct 27, 2006
    #8
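A small simulation of the reply cases argued over in this thread (added here as an illustration; it is not code from the thread, from GRC, or from any firewall product). It models the quoted article's three outcomes for an absent, a "stealth" (DROP) and a non-stealth (REJECT) host, and also Roger Abell's point that a host with a listening service is found regardless of policy. The IP addresses, the `Host` class and the `probe` helper are constructed for the example; the model keeps the article's simplifying assumption that the last-hop router always answers for a missing host with ICMP host-unreachable, which real networks do not guarantee.

```python
# Added example: toy model of what a probing side sees, per the article's argument.
from dataclasses import dataclass, field

TIMEOUT = "timeout"                     # stealth policy: packet silently dropped
HOST_UNREACH = "icmp host-unreachable"  # router speaks for an absent host
PORT_UNREACH = "icmp port-unreachable"  # non-stealth host, closed non-TCP port
TCP_RST = "tcp rst"                     # non-stealth host, closed TCP port
SYN_ACK = "tcp syn-ack"                 # a listening service answered
ECHO_REPLY = "icmp echo-reply"          # non-stealth host answers ping


@dataclass
class Host:
    stealth: bool                         # True = DROP unsolicited, False = REJECT
    open_tcp: set = field(default_factory=set)  # ports a real service listens on


def probe(hosts, ip, proto, port=None):
    """Response seen by the probing side. `hosts` maps IP -> Host (constructed
    sample network); an IP absent from it means nothing is plugged in there.
    Simplification (as in the article): the last-hop router always emits
    host-unreachable for an absent host."""
    host = hosts.get(ip)
    if host is None:
        return HOST_UNREACH
    if proto == "tcp" and port in host.open_tcp:
        return SYN_ACK              # Abell's point: an exposed service answers anyway
    if host.stealth:
        return TIMEOUT              # drop everything else, no matter the protocol
    if proto == "icmp":
        return ECHO_REPLY
    return TCP_RST if proto == "tcp" else PORT_UNREACH


def something_there(response):
    """The article's inference: only the router-generated host-unreachable
    means 'nothing here'; a timeout, a reset or any reply means a host exists."""
    return response != HOST_UNREACH


def demo():
    """Run the thread's scenarios; returns {case: (response, inferred_present)}."""
    net = {
        "203.0.113.10": Host(stealth=True, open_tcp={80}),   # stealth, runs a web server
        "203.0.113.11": Host(stealth=False),                 # non-stealth, no services
    }
    cases = {
        "absent host, ping": probe(net, "203.0.113.99", "icmp"),
        "stealth host, ping": probe(net, "203.0.113.10", "icmp"),
        "stealth host, telnet": probe(net, "203.0.113.10", "tcp", 23),
        "stealth host, http": probe(net, "203.0.113.10", "tcp", 80),
        "loud host, telnet": probe(net, "203.0.113.11", "tcp", 23),
    }
    return {k: (v, something_there(v)) for k, v in cases.items()}
```

Only the absent host is inferred as "nothing there"; the stealth host is inferred present from the timeout alone, and its open port 80 reveals it even before any inference is needed.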