Where should I test my firewall?

[kuregu02]

I want to test my firewall to see how secure it is. I usually go to www.grc.com, but I want something more extreme. Any ideas?

Thanks!

[OPaul]

https://grc.com/x/ne.dll?bh0bkyd2

[MxxCon]

http://www.dslreports.com/secureme

much better than that GRC crap :yes:

[byte12]

http://security.symantec.com/sscv6/default...id=ie&venid=sym

[PseudoRandomDragon]

I don't think so MxxCon...

[+chorpeac MVC]

http://scan.sygatetech.com/

[SportzManiak87]

  byte12 said:

http://security.symantec.com/sscv6/default...id=ie&venid=sym

Definately the best place to go test your firewall :)

[Evolution]

Here are two of the best ones that I've found :)

http://www.pcflank.com/

http://www.auditmypc.com/

[PseudoRandomDragon]

By all means, use more than one scanner. However, ensure that the scanner is dependable and isn't just lieing to you in order to get you to purchase one of there products. I know plenty of tests out there that falsely say that you failed the test, such would include the one featured on www.ipchicken.com

[MxxCon]

ya, you keep thinking GRC is good and be one of his clueless zombies

here's some sites that created web frontend for NMAP, the best port scanner

http://www.derkeiler.com/Service/PortScan/

http://www.komar.org/pres/nmap-web/

http://crypto.yashy.com/nmap.php

[PseudoRandomDragon]

Sigh... There is more than one port scanner out there, and there is no doubt that some are better than others, but don't go saying GRC scanner sucks, because it doesn't. Besides, its not like scanning for open ports on your computer is a complicated task. The only thing complicated about it is serving a large amount of users.

[MxxCon]

GRC scanner might be good, but the way he presents it's results is absolutly misleading

he's contentrating too much on the fact that all ports must be "stealth" :rolleyes: instead of educating people about secure computing

[Premgenius]

if you really wanna proped scan check

http://www.blackcode.com/scan

[PseudoRandomDragon]

Obviously if his scanner finds that the not all ports are stealthed, you will fail the true stealth test. Better security is achived when a port scanner finds absolutely nothing, but it doesn't mean that a computer is insecure because it is not totaly stealthed. The ideal results for the average home computer user is to have a full stealth rating.

[Hypercube]

The grc item is more of a overgeneralized picture of firewall testing, most other sites [or get someone to nmap] would likely produce more meaningful results.

[PseudoRandomDragon]

Overgeneralized? Excuse me, but the grc.com Shields Up! test is not ment to test a corperate firewall, or any other firewall except the firewalls used by home users/very small networks. The test is only generalized for and only meaningful to the home user.

[Hypercube]

  PseudoRandomDragon said:

Overgeneralized? Excuse me, but the grc.com Shields Up! test is not ment to test a corperate firewall, or any other firewall except the firewalls used by home users/very small networks. The test is only generalized for and only meaningful to the home user.

Now, care to explain how a corporate setup differs greatly from an excellent home user setup?

[PseudoRandomDragon]

A corperate network uses VPN, making it impossible for the Shields Up! test to successfully test one computer in that entire network. Don't know what VPN is? I didn't think so, but you can go to http://computer.howstuffworks.com/vpn.htm and try your best to learn.

[SimplyPotatoes]

grc sucks , listen to mxxcon and stop being paranoid and wanting extreme firewalls, if someone really wanted to hack you and knew how they could

[MxxCon]

  PseudoRandomDragon said:

A corperate network uses VPN, making it impossible for the Shields Up! test to successfully test one computer in that entire network.

huh?

what does using VPN have anything to do with open/closed/filtered ports?

when you go to grc or any other web based scanner, they will detect your ip from the incoming connection and use it for scan.

wtf are you talking about?

SimplyPotatoes, that's not exactly true. if all your ports are closed, ie your computer does not accept incoming connections, there is no way somebody can "hack" you. it's not like they can use a crowbar and pry your ports open.

all closed ports is just as good as all filtered ports.

[PseudoRandomDragon]

MxxCon, read Hypercube's post, then read my post. I was trying to show him how a port scan from grc.com would never give accurate results for a computer connected using VPN in a corperation because of how traffic is routed and how other hardware firewalls would recieve & filter the port scan. The port scan would never test a computer in a VPN, but would test a home user just fine. The most difficult thing a home user would have to do is add the grc.com servers to the DMZ host on their router if they have one.

This is my point:

GRC.com port scan test is ment for home users.

GRC.com port scan is not ment for corperate networks, or any other large network.

Why?

Because traffic is routed differently for client computers between the two types of networks.

--------

MxxCon, your comment about how someone with the best firewall cannot be hacked is simply untrue. Yes, a great firewall will make it very difficult for a hacker and impossible for a script kiddie, but someone who is determined enough WILL get in. There is only one hardware firewall that can prevent any type of hack attempt: "The Adaptive Packet Destructive Filter" (See picture in link below)

http://antioffline.de/images/seitenschneider.jpg

----------

SimplyPotatos, you are right about someone being able to hack you if they really wanted to, but only because you made a very ignorant comment and just happend to be right. Get out of here.

[MxxCon]

if you have all ports closed(or filtered, same ****), there is absolutly no way somebody can initiate a connection TO YOU.

no ifs, ands or buts about it.

it's possible for somebody to do M-I-M attack, such as intercepting http traffic and injecting it w/ code that will exploit some hole in your browser, execute certain payload and make your computer connect to a predetermined host.

but chances of that happening on a switching network is as low as getting hit by an asteroid.

[PseudoRandomDragon]

Chances are extreamly low, yes, but the very remote chance of being hacked does not mean invulnerability from hackers. I just want to make that clear, thats all.

[Hypercube]

Care to explain why a corporate network uses VPN and how that matters? A VPN connection is between two endpoints through the internet not to the internet. A company can very well be using a SSH solution rather than VPN for their tunneling needs. Regardless, the corporation does connect to the internet for their webservices and employee use [with no relation to vpn / ssh except for some secure data links between two points], and a properly constructed home network does not differ much from a good corporate net.

[PseudoRandomDragon]

Duh.

If you really understood how VPN worked, you would understand why any port scan would not even reach a client computer requesting one in this kind of network. Routing the traffic for the port scan correctly would be an impossible task for that many computers.

But if I am wrong, please tell me how it is possible for the port scan to be routed successfully so that it will reach the target client computer.

Edited November 14, 2003 by PseudoRandomDragon