How important is it to test your firewall with a firewall test?
I love Steve Gibson, and his firewall testing utility Shields Up, I
really do. Unfortunately, Steve’s taken a rather extreme position in how
he reports your firewall’s status – anything less than total
invisibility is labeled with a big red “FAILED”.
In my opinion that’s both impractical, and unnecessarily alarming
for the average user.
But the test itself, which I FAILED right here at home, returns some
very valuable information nonetheless.
A firewall works by blocking access to what are called “ports” on your incoming network connection. When a computer is configured to accept incoming connections, it “listens” for those connections on those ports. For example, a web server must, by definition, listen for incoming requests for http connections, which happen on port 80. Your computer at home has no need to respond to http connections, and thus doesn’t need to accept incoming connections on port 80.
To “turn off” a port without a firewall requires turning off all software on your machine that might be listening on that port. The fact that you don’t run a web server on your desktop means that your computer is already not listening on port 80, because there’s no software to do so. Unfortunately, for many other ports, this solution isn’t always practical.
Enter the firewall. It sits between your computer and the internet, and controls all incoming requests. When a firewall sees an incoming request, it can take any of several different actions:
- If it’s a router, it could be configured to pass the requests arriving on a specific port to a specific computer on your network. This is called port forwarding. The externally visible behavior of that port, then, is controlled by however that forwarded-to computer is configured.
- It could respond by saying “closed, nothing to connect to here”.
- It could simply not respond at all.
That last one is the most secure, because not responding is exactly the same as if there were no computer here at all. The remote computer doesn’t get any confirmation that your computer even exists.
ShieldsUp refers to this as “Stealth”.
Unfortunately, ShieldsUp also considers anything less than stealth on any port as a failure.
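To make the three behaviors above concrete, here is a small Python script added to this article as an illustration; it is not Leo’s code and not anything from ShieldsUp or GRC. It makes a single TCP connection attempt and maps the outcome to the same vocabulary: “open” (something accepted the connection), “closed” (the host answered “nothing here”), or “stealth” (no answer before the timeout). The PORT_NOTES text and the assess() verdicts are my own constructed summaries of the advice in this article, and the demo at the bottom only probes the machine it runs on, using a throwaway listener it starts itself.

```python
import socket

# Constructed notes in the spirit of the article (hypothetical, not ShieldsUp's wording).
PORT_NOTES = {
    80: "HTTP; a home PC normally runs no web server, so closed or stealth is expected",
    113: "ident; 'closed' rather than stealth is common and not a real problem",
    139: "NetBIOS/Windows file sharing; 'open' from the internet is a genuine concern",
}

# Ports the article singles out as worth worrying about when they are open.
SENSITIVE_PORTS = {139}


def classify_port(host, port, timeout=2.0):
    """Attempt one TCP connection and report the outcome in ShieldsUp's terms.

    open        -> a listener (or a port-forwarded machine) accepted the connection
    closed      -> the host replied that nothing is listening (TCP reset)
    stealth     -> nothing answered before the timeout; the request was silently dropped
    unreachable -> the probe never reached the host at all (no route, etc.)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"
        except socket.timeout:
            return "stealth"
        except OSError:
            return "unreachable"
        return "open"


def assess(port, state):
    """Turn a (port, state) pair into a per-port judgement rather than a blanket FAILED.

    Only 'open' on a sensitive port earns an 'investigate'; 'closed' merely reveals
    that a host exists, which the article treats as harmless.
    """
    note = PORT_NOTES.get(port, "no specific note for this port")
    if state == "stealth":
        verdict = "fine"
    elif state == "closed":
        verdict = "fine (reveals the host exists, nothing more)"
    elif state == "open":
        verdict = "investigate" if port in SENSITIVE_PORTS else "check what is listening"
    else:
        verdict = "probe did not reach the host"
    return f"port {port}: {state} -> {verdict}; {note}"


def start_listener(host="127.0.0.1"):
    """Start a throwaway TCP listener on an OS-chosen free port (port 0) for the demo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv


def unused_port(host="127.0.0.1"):
    """Find a port nothing is listening on, by binding it and releasing it immediately."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv = start_listener()
    port = srv.getsockname()[1]
    print(assess(port, classify_port("127.0.0.1", port)))      # our own listener: open
    srv.close()
    closed = unused_port()
    print(assess(closed, classify_port("127.0.0.1", closed)))  # nothing listening: closed
```

The “stealth” case cannot be produced on the loopback interface, because the local kernel always answers; it shows up only when a firewall or router between the prober and the target drops the packet, which is exactly the behavior ShieldsUp is rewarding.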
Here’s my ShieldsUp report:
As you can see I “Fail” the Shields Up test. If you were to look no further, you’d probably panic and not know what to do.
In my case, I do nothing. I’m totally safe. The “failure” is that my router responds to a ping request by saying “this port is closed”. You actually can’t ping my IP address, but you can determine that my IP address exists.
From a very practical standpoint, my reaction is: so what?
I don’t consider this a practical failure, and it’s certainly not a hole in my firewall or any kind of serious security flaw. In fact it’s exceptionally common, as there have been problems reported with some systems that successfully stealth this port – so they may want it to be discoverable.
And yet, as a result, my test “Failed”.
My advice is:
- Above All: Use A Firewall – I recommend using a NAT router, even if you only have one machine. Regardless of the results from testing services like ShieldsUp, this single device will, by default, protect you from the majority of the threats that they’re looking for. In all honesty, if you have a NAT router I don’t think you even need to run the tests.
- Ignore the word FAILED – If you do visit GRC and run Shields Up, ignore the “FAILED” that you’re likely to get. It may, or may not, indicate that you have an actual security issue. Instead…
- Look at the Results – After you run ShieldsUp, look at the specific ports that failed, and why. Click through on the details to understand what each failure may, or may not, mean. Port 113 being “closed” instead of stealth is no big deal. Port 139 being wide open could easily be an issue, since that’s the Windows file-sharing port.
Port/firewall testers are incredibly valuable, but depending on how they display their results they can also be somewhat misleading. Take the time to understand the result you get before you panic.
And yes, use a firewall of some sort.
Related:
- What’s a firewall, and how do I set one up? Firewalls are an important part of keeping your computer safe when connected to the internet. We’ll look at what a firewall is and your choices.
- Do I need a firewall, and if so, what kind? Firewalls are a critical component of keeping your machine safe on the internet. There are two basic types, but which is right for you?
- Internet Safety: How do I keep my computer safe on the internet? Internet Safety is difficult and yet critical. Here are the seven key steps to internet safety – steps to keep your computer safe on the internet.
- Recommendation: Security Now Podcast. Security Now is a weekly podcast covering technology and the security issues related to it. Security Now is a podcast I listen to and recommend.
My shields up test reported failed with all ports showing stealth because they responded to ping.
“My shields up test reported failed with all ports showing stealth because they responded to ping.”
Mine did the same thing. I am also having trouble at times connecting to web sites. It will take forever to load, then say that it can’t connect to the web site, that darn white page. Then I will click diagnose error and it says it’s fine. HELP!
Steve, if they responded to the ping they cannot be stealth, they are just closed. It’s a good enough result, nothing to worry about.
Leo, you wrote “The “failure” is that my router responds to a ping request by saying “this port is closed”. You actually can’t ping my IP address, but you can determine that my IP address exists”
My router does not respond and gives a full stealth? How come? And Leo, would you not be safer still if your router did not respond to a ping?
Would I be safer? Technically, yes. But by what I consider to be a tiny, tiny amount. I’m not so horribly unsafe that “failed” is an appropriate reaction.
25-Mar-2009
I am sorry but I have to disagree. I had PC Tools Firewall which I ran in the highest setting possible and it failed. Now I have Comodo Firewall. I installed it with the highest settings they offer and it is in stealth mode on its highest settings and in the safest mode it has. It failed as well. For the average user, trying to find out about the things you say is simply not practical. My opinion? Gibson is an idiot and his Shields Up is garbage!!
Pavel,
I use a router and COMODO (not even set at highest) and mine passed.
My test said I have ports 21, 22, 26, and 80 open. How do I close them? I have Kaspersky Internet Security 8.0.0.357, Windows XP SP3.
correction port 26 should be 23 typo
Beth G., I have tried every setting I knew. Comodo has a setting that will not allow you access to the Internet, and so no test. Every other setting failed. Could you please tell me the setting you used to pass? Until then I stand by my original comment.
I have BitDefender Internet Security 2009 and GRC also shows my ports 21, 22, 23 and 80 open. Previously I had AVG and it showed the same thing on GRC. I would really like to know if this is anything I should be concerned about.
I still use Sygate Personal Firewall from 2003 and I got a clean report except for the Ping Reply failure, which is probably my gateway modem router.
I use zone alarm and threatfire, on Windows XP. I passed the test with flying colors, no leaks anywhere on any of the tests. According to the results, my computer does not exist on the internet!
I continually pass the “Shields are up” test, BUT I continually fail the “Leak Test” (GRC)! I recently changed my anti-virus suite, but it didn’t change the “Shields are up” test. The settings on my router continue to put all my ports in stealth. Question: what’s the problem? Steve Gibson doesn’t accept written questions.