Internet Connection Security for Windows Users
by Steve Gibson, Gibson Research Corporation
High-quality, low-level packet-filtering personal firewalls, which I discuss and review in detail on the next page, provide tremendous security benefits for the price. But many companies are leveraging customer ignorance and trading on hype. With much less investment in technology and much more in marketing, they are taking advantage of Internet security hysteria to score a fast buck. During my successful quest for high-quality Internet security solutions, I encountered more than ten pieces of software that make outrageous claims, deliver little, and are much worse for the security of your computer than using nothing at all! I won't name them here, because any of these products might get their acts together in the future. Instead, I'll show you how you can easily determine whether any program you're using or considering using is a worthwhile and safe monitor of Internet activity . . . or a piece of junk that's actively attracting attention to you and your computer. The whole truth is that so much junk is being pushed with exaggerated claims that, unless you know otherwise, I would stick with one of the tools I've reviewed and recommended on the next page. But if you're already using one of the many Evil Port Monitors, you should at least understand how it's compromising your security rather than enhancing it.
When your computer is scanned by the typical Internet port scanner, connection attempts are made across a range of potential connection ports on your system. Some scanners target specific ports. For example, NetBIOS (Windows shares) scanners send message packets to port number 137 to solicit a response and to collect Windows' "name" information. (That's what the first page of this Shields UP! site does in order to retrieve your name information.) Or a NetBIOS scanner might attempt to connect on port 139 (the so-called NetBIOS session port) in order to directly access the system's shared resources. Trojan horse scanners typically attempt connections on high-numbered ports where their "Trojan" servers may have crawled into your system and be waiting for a passing intruder to come calling. (This is how the well-known Back Orifice Trojan horse program operates. Here's a list of the ports used by known Trojan programs.) Or if a known vulnerability exists inside a particular application (most applications seem to have many), like Windows Personal Web Server, for example, where several exploits are known, then the scanner may try to connect on the system's HTTP (web) port number 80.

"Ports" are just what they sound like: PORTALS into your computer. Entry points to give intruders a foothold. Entry points whose mere existence provides intruders with valuable information. The wily cracker knows that the ports which accept connections imply the existence of server software that's listening and waiting to communicate. That's a place to mount an attack.

So here's the whole problem: Low-technology "Internet monitors" function by pretending to be Internet servers. They deliberately open connection ports that weren't open before and wait for passing scanners to test those connection points.
The problem is that when they sense an intruder through a port, that intruder achieves a successful connection to your machine and is led to believe that a complex and probably insecure server is available to be compromised.

appearance of a huge server farm ready for harvesting!

When viewed from across the Internet, computers running Evil Port Monitors give the appearance of being the Grand Central Station of servers with a wide array of exploitable resources. These technologically challenged port monitors typically listen (and allow connections) on ports 21, 23, 25, 80, 110, and 443, among others. This gives any passing scanner the seductive impression that it has just encountered a server farm ripe for harvesting. Any cracker examining his scanner's report would be led to believe that he's discovered servers for file transfer protocol (FTP on port 21), remote command prompt execution (Telnet on 23), sending and receiving email (SMTP on 25 and POP on 110), and insecure and secure web services (on ports 80 and 443), among others. Needless to say, this is not the way to maintain a low profile on the net!
But it doesn't have to be that way! By comparison, high-quality port monitors, which do exist but are not free, can sense connection and intrusion attempts without opening or exposing any ports. If you want to watch for connection attempts to your machine, you should use a good port monitor, not an evil one!
Spotting an Evil Port Monitor . . .

Spotting an evil port monitor is simple: We just need to know whether it has altered your computer's open port profile as seen from the Internet. To know this, we need to perform our own "port scan" of your computer once while the suspected evil port monitor is running and then again when it's not. It just so happens that I have a nifty little port scanner built into this web site. (You knew that, didn't you?) If your port monitor is opening ports that aren't open when it's not running, you should give serious thought to whether you wish to continue using it at the cost of attracting the attention of passing port scanners.
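The before-and-after check described above, carried out as a self-audit of your own machine, as an added example (this is not ShieldsUP code, and GRC's scanner is not involved): it probes the ports the page names with a plain TCP connect() attempt, takes one snapshot of which ports accept connections with the suspected monitor stopped and one with it running, and reports any port the monitor itself opened. The host address, the port list and the "EVIL/OK" wording are this example's own assumptions.

```python
"""Self-audit of a host's open TCP port profile: snapshot the ports that
accept connections with a suspected 'Evil Port Monitor' stopped, snapshot
again with it running, and diff the two.  Added example, not GRC's code."""
import socket
from typing import Dict, Iterable, Set

# Ports named on the page: NetBIOS name/session ports and the well-known
# service ports an Evil Port Monitor typically pretends to serve.
# (Port 137 is normally UDP; this TCP connect() probe only detects TCP
# listeners, which is the behaviour the page describes.)
WATCHED_PORTS = (21, 23, 25, 80, 110, 137, 139, 443)


def tcp_port_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Return True if something accepts a TCP connection on host:port.

    A completed handshake is exactly the signal a passing connect()
    scanner records as "server present"; refused or timed-out attempts
    are reported as closed/filtered.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # ECONNREFUSED, timeout, unreachable, etc.
        return False


def scan_profile(host: str, ports: Iterable[int] = WATCHED_PORTS) -> Set[int]:
    """Return the set of ports on `host` that currently accept TCP connections."""
    return {p for p in ports if tcp_port_open(host, p)}


def profile_diff(baseline: Set[int], with_monitor: Set[int]) -> Dict[str, Set[int]]:
    """Compare the profile taken with the monitor stopped (baseline) against
    the one taken with it running.  Ports in 'newly_open' were opened by the
    monitor itself and will show up as live services to any scanner."""
    return {
        "newly_open": with_monitor - baseline,
        "newly_closed": baseline - with_monitor,
        "unchanged": baseline & with_monitor,
    }


def verdict(diff: Dict[str, Set[int]]) -> str:
    """Summarise the diff in one line (wording is this example's assumption)."""
    if diff["newly_open"]:
        ports = ", ".join(str(p) for p in sorted(diff["newly_open"]))
        return f"EVIL: monitor opened port(s) {ports} that were closed without it"
    return "OK: monitor did not add any listening ports"


def local_listener() -> socket.socket:
    """Open a listening TCP socket on an ephemeral 127.0.0.1 port.

    Used only to demonstrate the probe against a port known to be open;
    the caller owns (and must close) the returned socket.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)
    return srv


if __name__ == "__main__":
    # Assumed workflow: run with the suspected monitor stopped, then start
    # it and press Enter; both snapshots are taken from the local host.
    baseline = scan_profile("127.0.0.1")
    print("baseline profile (monitor stopped):", sorted(baseline))
    input("Start the suspected port monitor, then press Enter... ")
    running = scan_profile("127.0.0.1")
    print("profile with monitor running:", sorted(running))
    print(verdict(profile_diff(baseline, running)))
```

Scanning from the machine itself only tells you what is bound on the loopback interface; a listener bound to your public address is what the rest of the Internet sees, so for the real verdict run the scan from a second host on your network or use an external scan such as the one built into this site, and feed the two results to profile_diff.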
In any event, I hope you'll find that probing your computer's ports gives you some valuable information you've never had before.
Gibson Research Corporation is owned and operated by Steve Gibson. The contents of this page are Copyright (c) 2024 Gibson Research Corporation. SpinRite, ShieldsUP, NanoProbe, and any other indicated trademarks are registered trademarks of Gibson Research Corporation, Laguna Hills, CA, USA.
Last Edit: Sep 21, 2004 at 11:02