#16
On Thu, 15 Sep 2005 15:44:45 +0100, Mike wrote:
> Snip pointless list
> Without knowing what you were doing at the time, what applications you need to run, how your network is configured, if you indeed have a network and a host of other detail, there is no way of knowing. There is no 'correct' answer.

Sorry about not being specific. I already pared the list down to those events which occur WITHOUT the user's explicit action. For example, I removed any request to/from the NNTP software which occurs while using it. Likewise with POP3/SMTP clients, explicit actions from HTTP clients, etc. The Sygate Personal Firewall software has the ability to "remember" a decision so the user, if they knew which to ignore, would not see those which make it into the innocuous list. That is mainly why I ask.

Example:

  Generic Host Process for Win32 Services (svchost.exe) is trying to connect to time.windows.com [207.46.130.100] using remote port 123 (NTP - Network Time Protocol). Do you want to allow this program to access the network?

Again, I should have noted, I never explicitly told the Windows XP machine to synchronize the time, so that is why this unasked-for request made it onto the posted listing. Said another way, if I KNEW I had explicitly asked WinXP to synchronize the time, I would have removed that request from the list (by telling Sygate Personal Firewall to simply accept all of those requests in the future).

> Ditch the stupid software and get a router.

Isn't the D-Link wired and wireless box connected to the DSL modem a "router"?
#17
On Thu, 15 Sep 2005 11:02:57 -0400, null wrote:
> However, to tell him to trash the software firewall and rely strictly on a router is simply bad advice.

I'm confused whether the D-Link wired and wireless box I have connected to the DSL modem is considered the "router" you bespeak of. Is it?
#18
On Thu, 15 Sep 2005 18:11:47 GMT, nutso fasst wrote:
> NDIS messages from 192.168.x.x suggest you have a wireless NAT router and your firewall is responding to messages from it. (Surely you are behind some kind of NAT, ICS perhaps.) If you're not using a wireless network, disable wireless configuration service.

I am using a wireless D-Link (is that the router you bespeak of)?

> You're suggesting the compilation of what could be an ever-expanding database of mostly-irrelevant details. Seems to me time would be better spent becoming more of an expert.

I do run http://www.dnsstuff.com checks on all requests that the Sygate Personal Firewall pops up before putting the messages on the list of suspicious items. Also I don't put on the list messages which pop up from KNOWN events. For example, when I start the NNTP client, a message pops up which I tell the Sygate Personal Firewall program to accept forever (so that message only pops up once). Likewise with the web browser, email client, Microsoft Anti-Spyware update program, Windows Updater, Real Audio client, etc. I only posted what I considered the unasked-for messages (not the obvious ones).
#19
On Thu, 15 Sep 2005 07:56:07 -0400, Karl Levinson, mvp wrote:
> There are ways you can research these things...

Generally I do two obvious things each time I get a NEW message.
1. I run a reverse-IP address lookup at www.dnsstuff.com
2. I search Google Groups for the exact message (often I find others have the exact same question, with the exact same message, and IP address).

Should I do more? I'm hoping others can find THIS THREAD, for example, when they get the messages I just posted and therefore they'd get the advice we all so desperately need. Where would YOU go when you received any one of the messages previously posted when you didn't explicitly ask for that IP address to connect to you?

> however, you will get so many of these alerts, and it is so fruitless to research them all, that I strongly recommend you consider a firewall configuration that does not alert you all the time with these things.

THAT's THE WHOLE POINT OF THIS THREAD! With Sygate Personal Firewall (and I suspect all software firewalls), you can tell the program to silently ignore and simply LOG all these connections! My question was really WHICH OF THESE WOULD YOU IGNORE?

> Having a firewall ask the user to make decisions is a security accident waiting to happen, and is also a significant consumption of your time.

Is there any other choice? These requests were made to my machine and I must respond to them. Of course, I could simply say "Accept All Requests" but that would be folly. The question really becomes two questions:
1. Which of these common requests is truly something to ignore
2. Of those which aren't ignorable, HOW DO NOVICES FIGURE THEM OUT?

> If and when you do want to research these things, you should look up what the remote IP address is

I generally use http://www.dnsstuff.com but your suggestion of adding www.nwtools.com or www.netsol.com is valid. I did that, for example, with the DHCP server request. But that really only tells me who owns the machine. It doesn't tell me WHY they would be contacting me. (Remember, that server only contacted me once and I have been using this same setup for years.) So, why, all of a sudden, would a machine which purports to be a DNS server be contacting me?

> It's also useful to know what the protocol [e.g. TCP] and remote port number is... the firewall alert below didn't seem to tell you, which is really dumb.

In defence of the Sygate Personal Firewall, there is a DETAILS button which spits out a huge amount of cryptic (to a novice) information about something called a "packet", so the remote port MIGHT be in that listing.

> A really smart firewall would let you inspect the TCP flags and contents of the incoming packet, but I guess that's too much to ask.

I could post the DETAILED information if it would help (caution, it's cryptic at best).
#20
On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:
> Novices do not have the knowledge as you so patently demonstrate. You need a hardware firewall like the ones built into Zyxel routers etc.

Is the D-Link wireless/wired box connected to the DSL modem set up in the default configuration sufficient? Or is there something ELSE I should purchase to get this "hardware firewall"?

> If you had a router you would not have seen it or been startled plus you would have been protected.

I've been using this setup for more than a year and this is the FIRST time that particular server contacted me (for whatever reason). That is what startled me and made me suspicious.
#21
On Thu, 15 Sep 2005 12:51:41 GMT, Duane Arnold wrote:
> That's for you to determine by using a link like the one below and entering the IP into the WhoIs search box and finding out if the IP is dubious or not.

That's only HALF the answer. All it tells you is WHO made the request. That doesn't tell you if the request is valid. For example, the posted DNS address has NOT contacted me ever in the more than a year that my DSL to D-Link setup has been in existence. So, WHY should a machine which purports to be a DNS machine all of a sudden contact me today?

On the other hand, many of the requests happen every day all day. That STILL doesn't make them innocuous; it just makes them "probably" not suspicious. That would include, for example, the NDIS User mode I/O Driver, the NDIS Filter Intermediate Driver, the Generic Host Process for Win32 Services, etc. All I'm asking is, for these events, none of which are explicitly user initiated, is it reasonable to tell the Sygate Personal Firewall to ACCEPT all these requests without complaint?
#22
On Thu, 15 Sep 2005 18:14:23 -0300, alfranze wrote:
> Firefox is a browser from Mozilla. Then, you can do the command line:
>   tracert 206.13.28.12
> and know what/where this IP (or any) is, if it really works....

Since NOBODY has mentioned the problem that this is only HALF the story, I wonder if I understand this correctly. Knowing the machine "name" and "owner" is only HALF the story (isn't it)? The other half is for what PURPOSE did the machine contact my machine.

For example, when Adobe Acrobat 6.0 (Acrobat.exe) [206.13.31.12] contacts me on local port 1880 (VSAT-CONTROL - Gilat VSAT Control), I can find the name of the machine contacting me from www.dnsstuff.com as "dns1.scrmca.sbcglobal.net" ... but that does not tell me anything about WHY this SBCGlobal DNS server would be contacting Adobe Acrobat on port 1880 (whatever that port is for). Knowing ONLY the name of the server contacting you, would YOU want to allow this program to access the network?
#23
On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:
>> Sygate Personal Firewall: Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library). Do you want to allow this program to access the network?
>
> Do you have another computer on your internal network with that specific IP address? Is that computer allowed to connect to the Internet via your computer?

Of course not! If I had another machine on the same tiny home network with that IP address (which would be highly unlikely in a 192.168.0.XXX network), then I would NOT have posted that specific request in the list above, as it would have been an obvious innocuous request.

Again, knowing the machine name & owner is only HALF the story. Actually, it's only 1/3 of the story, as the following is important:
1. WHO is the owner of that machine?
2. WHAT is the purpose of the port being used?
3. WHY is that machine contacting me?

Is this information available somewhere? Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
  http://www.dnsstuff.com
  http://www.nwtools.com
  http://www.netsol.com
  http://remote.12dt.com/rns
  http://www.zoneedit.com/lookup.html
etc.; but that doesn't tell us WHAT or WHY.

The WHAT part, albeit often highly technical, is not too very difficult to obtain, e.g., we can use any of the following which describe the ports:
  http://www.bekkoame.ne.jp/~s_ita/por...1200-1299.html
  http://www.seifried.org/security/ports/1000/1258.html
  http://www.iana.org/assignments/port-numbers
  http://www.sonomawireless.com/~ports/port1200-1299.html
  http://www.auditmypc.com/freescan/re...m/portlist.asp
etc.; but that doesn't tell us WHY they contacted us.

The WHY part is the key question. For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp/udp port 1258 named the Open Network Library? The question becomes:
1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
2. HOW do we obtain possible REASONS for a machine contacting us on this port?

That advice was the purpose of the original question.
#24
On 15 Sep 2005 10:10:51 +0200, Volker Birk wrote:
>> Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library). Do you want to allow this program to access the network?
>> How can I tell if this is suspicious or not?
>
> You can't. This is why such messages are nonsense. BTW, they're useless, too, because Sygate also cannot prevent "phoning home" from malicious programs anyway, as my simple POC here shows:
> http://www.dingens.org/breakout.c

Unfortunately, I don't know what a POC (point of contact?) is, nor do I have a C compiler. What does the breakout.c program do for us? Does it slip past the Sygate Personal Firewall somehow, secretly and silently?

I think there are 3 parts to the problem, one of which is trivial, the other of which is technical, and the third of which is the crux of the matter:
1. WHO is it that is contacting us (all agree this is trivial to obtain but nearly meaningless in many cases, as it doesn't tell us WHAT they are doing when they contact us or WHY they are doing it).
2. WHAT the machine is doing when it contacts us (I suspect this is explained somewhere on the Internet based on the port being contacted, but so far all I've found is the posted listings of a NAME and quick DESCRIPTION of the port used). This is INCOMPLETE information, as merely knowing the name of a protocol doesn't always help to understand WHAT is occurring. Plus, I routinely DENY all these requests and my machine seems to work fine, so what is it that it is doing anyway?
3. WHY would the machine contact us on the specified port. I believe this is the crux of the question.

My question to you experts is to ask if there is a good web site which would explain WHY any particular machine would be contacting us on any particular port. If we knew WHY, we could then decide whether to allow this connection or not.

For example, WHY would Adobe Acrobat 6.0 (Acrobat.exe) be contacted from an SBCGlobal DNS machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT Control)? What could it possibly want? Why doesn't anything bad happen when I deny the request?
#25
On 15 Sep 2005 19:14:08 +0200, Volker Birk wrote:
> It's OK, that not everybody is a networking expert. A good security solution has to work _without_ asking the user.

For we novices who still desire basic firewall protection, it would be nice to refer to a list of known generally non-dangerous requests to accept.

> Why not using the Windows-Firewall and not having such problems?

Since the remote machine is gonna try to contact us anyway, wouldn't we have the same three problems no matter which personal firewall solution we used? For example, if I used Windows XP Firewall, or ZoneAlarm ( http://snipurl.com/6ohg ) or Kerio Personal Firewall ( http://www.kerio.com/kpf_download.html ) or Sygate Personal Firewall ( http://smb.sygate.com/free/spf_download.php ) or Outpost Firewall ( http://www.agnitum.com/products/outpost ) or whatever, WOULDN'T the offending machine STILL try to contact my machine? And then, if it did, wouldn't we STILL have the THREE QUESTIONS:
1. Who is trying to contact us?
2. On what port are they trying to contact us?
3. Why are they trying to contact us?

This seems, to me, to be such a common need for virtually every one of the millions of computer users out there, that the ANSWER to these three questions SHOULD be somewhere very easy to locate for we novice users. I can't believe there is a single person out there on the Internet who doesn't have this very same problem. That's why it's so frustrating to me to not be able to find the all-important WHY information so desperately needed by millions of us users.

GS

> Gerard Schroeder wrote:
>> I thank you for your detailed suggestions summarized below as:
>> 1. There exist innocent common connections reported by the firewall
>
> Yes.
>
>> Regarding the first interesting comment above:
>> - Is there a site where all the common innocent connections are listed?
>
> I don't know one. And I think this will not be possible. There are too many possibilities for these. Why using a "Personal Firewall" at all, which is showing useless Popups?
>
>> Regarding looking up the NAME of the IP address:
>> - WHY would my DNS provider suddenly connect (this does not happen often)?
>
> There may be many reasons for this.
>
>> Regarding the content of the incoming packets:
>> - Sygate Personal Firewall 5.6 provides a Yes/No/Details response
>> - The DETAILS button gives more information (cryptic to me, a novice).
>> - Again I wonder if there is a list of known non-dangerous contacts.
>
> The point is that this is a b0rken concept, to ask the only person who for sure does not know what to do here - you, the user. It's OK that not everybody is a networking expert. A good security solution has to work _without_ asking the user.
>
> Why not using the Windows-Firewall and not having such problems?
>
> Yours,
> VB.
#26
On 15 Sep 2005 19:09:09 +0200, Volker Birk wrote:
> null wrote:
>> However, to tell him to trash the software firewall and rely strictly on a router is simply bad advice.
>
> No. It's very good advice. Also he could use the Windows-Firewall.
>
>> Unless the router performs stateful packet inspection and is highly configurable, etc., etc., etc., then the router alone will not be providing sufficient protection.
>
> The "Personal Firewalls" we tested all were terribly incompetently implemented. I doubt that with a "Personal Firewall" he will be secure in any way.
>
>> His use of a software firewall is not unreasonable, and your advice to get rid of it is unwise.
>
> The opposite is true.

If Adobe Acrobat 6.0 (Acrobat.exe) is going to be contacted from a remote machine [206.13.31.12] using local port 1880 (VSAT-CONTROL - Gilat VSAT Control), what would Windows Firewall do differently from what Sygate, ZoneAlarm, Kerio, Outpost, etc. would do?
#27
"Gerard Schroeder" wrote in message ...
> I am using a wireless D-Link (is that the router you bespeak of)?

Not specifically, but it qualifies. I'd OK the NDIS messages.

> I only posted what I considered the unasked for messages (not the obvious ones).

Unasked for... You weren't visiting a secure web page when you got the HTTPS message? Weren't looking at a PDF when the DNS server tried to contact Acrobat? That would be odd indeed. As for some of the others, is it possible a web page you were visiting pulled an advertisement or graphic from a different address? Have you looked at the relevant transactions in context in the firewall logs?

Do you understand that local ports 1024-5000 are typically ones YOUR system uses to connect to a remote system? And that once a connection is made, the remote system communicates FROM the destination port TO the port your system has connected from? Next time you get a prompt referring to any of those local ports, try opening a command prompt and typing 'netstat -a' and see if the port's currently connected to something.

I suspect the references to 'Open Network Library' and 'NetBill Authorization Server' are bogus (pulled from the list of 'registered ports'). But then, I'm no expert. Ask on the Sygate forum.

nf
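A worked version of the check nutso fasst describes above (is the local port in the client range, and does 'netstat' show it already connected to that remote?), as an added example that is not Sygate's code nor anything posted in the thread. It parses the two pop-up wordings quoted in the thread, treats local ports 1024-5000 as the Windows XP client range per the post above, and correlates the alert with rows of 'netstat -an' output. The netstat rows are constructed for the example, and the Acrobat alert in the demo is reconstructed in Sygate's wording from the poster's description.

```python
"""Triage a personal-firewall pop-up the way nutso fasst suggests above.

Added example; it is not Sygate's code nor anything posted in the thread.
It parses the alert sentence in the wording Sygate used in this thread,
checks whether the local port lies in the 1024-5000 range that Windows XP
hands out to outbound client connections (the range quoted in the post),
and correlates the alert with 'netstat -an' output. The netstat lines
below are constructed for the example; on a real machine, paste the
output of 'netstat -an' in instead.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Iterator, Optional, Tuple

EPHEMERAL_LOW, EPHEMERAL_HIGH = 1024, 5000   # XP client-port range, per the post above

INBOUND_RE = re.compile(
    r"^(?P<app>.+?) \((?P<exe>[^)]+)\) is being contacted from a remote machine "
    r"\[(?P<remote>[\d.]+)\] using local port (?P<lport>\d+)"
)
# The closing ']' is optional because the thread's copy of the NTP alert lost it.
OUTBOUND_RE = re.compile(
    r"^(?P<app>.+?) \((?P<exe>[^)]+)\) is trying to connect to (?P<host>\S+) "
    r"\[(?P<remote>[\d.]+)\]? using remote port (?P<rport>\d+)"
)
# One 'netstat -an' row: proto, local addr:port, foreign addr:port, optional state.
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+|\*)\s*(\S+)?")


@dataclass
class Alert:
    exe: str
    direction: str            # "inbound" (being contacted) or "outbound" (trying to connect)
    remote: str               # remote IP printed in the pop-up
    local_port: Optional[int]
    remote_port: Optional[int]


def parse_alert(text: str) -> Alert:
    """Parse the two pop-up wordings quoted in this thread."""
    text = text.strip()
    m = INBOUND_RE.match(text)
    if m:
        return Alert(m["exe"], "inbound", m["remote"], int(m["lport"]), None)
    m = OUTBOUND_RE.match(text)
    if m:
        return Alert(m["exe"], "outbound", m["remote"], None, int(m["rport"]))
    raise ValueError("unrecognised alert text: " + text)


def parse_netstat(lines: Iterable[str]) -> Iterator[Tuple[str, int, str, Optional[int], str]]:
    """Yield (proto, local_port, remote_addr, remote_port, state) for each socket row."""
    for line in lines:
        m = NETSTAT_RE.match(line)
        if m:
            proto, _laddr, lport, raddr, rport, state = m.groups()
            yield proto, int(lport), raddr, (None if rport == "*" else int(rport)), state or ""


def triage(alert: Alert, netstat_lines: Iterable[str]) -> str:
    """Return a one-line verdict; the first word is the category."""
    if alert.direction == "outbound":
        return "outbound: the local program started this; judge the program, not the remote host"
    for proto, lport, raddr, rport, state in parse_netstat(netstat_lines):
        if lport == alert.local_port and raddr == alert.remote:
            return (f"reply: local port {lport} is already talking to {raddr}:{rport} "
                    f"({proto} {state or 'no state'}); this is the far end of your own connection")
    if EPHEMERAL_LOW <= alert.local_port <= EPHEMERAL_HIGH:
        return ("probable late reply: the local port is a client port but no socket is open now; "
                "typical of a DNS query that timed out or a web fetch already closed")
    return "unsolicited: the local port is a service port; find out what listens there before allowing"


# Constructed 'netstat -an' output for the example (not from the poster's machine).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.0.2:1258       206.13.28.12:80        ESTABLISHED
  UDP    192.168.0.2:1880       *:*
""".splitlines()

if __name__ == "__main__":
    for text in (
        "Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] "
        "using local port 1258 (OPENNL - Open Network Library).",
        # Reconstructed in Sygate's wording from the poster's description (assumption).
        "Adobe Acrobat 6.0 (Acrobat.exe) is being contacted from a remote machine [206.13.31.12] "
        "using local port 1880 (VSAT-CONTROL - Gilat VSAT Control).",
        "Generic Host Process for Win32 Services (svchost.exe) is trying to connect to "
        "time.windows.com [207.46.130.100] using remote port 123 (NTP - Network Time Protocol).",
    ):
        print(triage(parse_alert(text), NETSTAT_SAMPLE))
```

Replace NETSTAT_SAMPLE with your own 'netstat -an' output taken while the pop-up is still on screen, since the socket will be gone once the transfer finishes. A 'reply' verdict is the case nutso fasst describes: the remote end is answering a connection this machine opened. 'probable late reply' needs no research either, only 'unsolicited' does, and for that the remote owner's name is indeed only part of the story; what listens on the local port matters more.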
#28
"null" wrote in message ...
> However, to expect the average user to understand what the different protocols are, what they do, and what ports are used for what, is a bit over the top. Like you hinted at, the firewall responses to incoming and outgoing packets should be as automated as possible for the average user.

I don't expect the user to know that. But I expect the firewall to include that information in the error message, for situations like this one where the user copies and pastes the error message to their firewall support or to a newsgroup for assistance. Not having those details really cripples whoever is trying to help the user. If necessary, the vendor can hide this information under a "Details" button on the message, and put them into the log file for posterity.
#29
"Gerard Schroeder" wrote in message ...
> Where would YOU go when you received any one of the messages previously posted when you didn't explicitly ask for that IP address to connect to you?

I do the same things I suggested in my post.

> THAT's THE WHOLE POINT OF THIS THREAD! With Sygate Personal Firewall (and I suspect all software firewalls), you can tell the program to silently ignore and simply LOG all these connections! My question was really WHICH OF THESE WOULD YOU IGNORE?

I think the best firewall configuration is one that doesn't give you any popups whatsoever. Corporate firewalls don't give the firewall administrator popups and ask him or her questions. They just work. The same thing is true of hardware firewalls used in homes. Firewalls should have just two situations: packets it knows are bad and it blocks without question, and everything else that it lets through.

>> Having a firewall ask the user to make decisions is a security accident waiting to happen, and is also a significant consumption of your time.
>
> Is there any other choice?

Yes... I don't have the latest version of Sygate, but I believe most software firewalls have a configuration choice that does not cause any popups. If Sygate doesn't, there's also www.kerio.com, www.zonealarm.com, both of which are free. If you are already protected by a hardware firewall, you may not really totally need that software firewall.

> 1. Which of these common requests is truly something to ignore

All of them.

> machine. It doesn't tell me WHY they would be contacting me. (Remember,

The problem is all you've got is what the firewall tells you, and it hasn't told you everything you need to know. Very often, you will not be able to 100% determine the cause. You'll have to make a best guess, go with a gut feeling, and move on. Even professionals who monitor computer networks for intrusions do this as well. Another possible strategy would be to deny any packets you have questions about. If something breaks, then you know it was probably something you needed to allow. This is also the safest strategy.

> that server only contacted me once and I have been using this same setup for years). So, why, all of a sudden, would a machine which purports to be a DNS server, be contacting me?

I believe it is more likely that this was a reply to a connection your computer made. The reply took too long to come back, and your firewall stopped watching that connection, was surprised when the reply came back and considered it a new connection. DNS servers should never be contacting you. This situation can happen when you look up the IP address for a host name where the DNS server is troubled or down and does not respond, and the request times out 45 seconds or more later. It's happened to me.

> In defence of the Sygate Personal Firewall, there is a DETAILS button which spits out a huge amount of cryptic (to a novice) information about something called a "packet" so the remote port MIGHT be in that listing.

Ah, that might help us a little. But I'm still leaning towards ignoring this one, moving on, and pursuing a silent firewall configuration.

> I could post the DETAILED information if it would help (caution, it's cryptic at best).

Sure, go ahead.
#30
"Gerard Schroeder" wrote in message ...
> So, why, all of a sudden, would my DNS server be contacting me, out of the blue. And, why, does my network still (apparently) work even though I said NO to the request?

See my other post. More likely, this was a reply to your computer, but the reply took so long, your firewall wrongly considers this a new inbound connection. DNS especially does this due to having timeout values that are greater than the timeout values in many stateful firewalls.

> What would be nice is for users to post (and for experts to doublecheck) what they consider to be innocuous requests uninitiated by them which appear in their yes/no request list from Sygate. I am willing to START that list of what appears to be common innocuous requests (for expert review).

It's not really that easy. If it was, someone would have done it already. One problem is that each firewall reports things in different ways. Another problem is that some Firefox traffic is good, and some might not be so good. These sorts of things are very variable and conditional.

However, you can find some informative resources by searching www.google.com for firewall-faq and also search for ids-faq. In particular, there are some good IDS FAQs on Robert Graham's web site [google says it's at http://www.robertgraham.com/pubs/net...detection.html but I can't get to that web site currently] and especially this, I strongly recommend reading this: http://www.mynetwatchman.com/kb/res-falsepos.htm

By the way, you may want to sign up with a free service like www.mynetwatchman.com or www.dshield.org. Those sites automatically report hacking attempts blocked in your firewall to the ISPs responsible, and they also let you see useful relevant information from other people's firewall logs, which helps you determine whether something is just hitting you or is hitting a lot of other people. You can't get that information any other way.
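The mechanism Karl Levinson describes in the two posts above (the DNS answer arrives after the firewall has already dropped its state entry for the query, so it is reported as a fresh inbound connection), modelled as an added example. This is not code from Sygate or from any poster; the connection-table logic is a generic stateful-filter model, and the timeout values and timings are assumptions chosen to illustrate the explanation, including the 45-second resolver figure Karl quotes.

```python
"""Why a stateful firewall reports a late DNS answer as a new inbound connection.

Added example; it is not code from any firewall or poster in the thread.
It models the connection table of a stateful packet filter: an outbound
UDP datagram opens an entry, and an inbound datagram is accepted as a
'reply' only while that entry is younger than the UDP timeout. The
timeout values and timings below are assumptions chosen to illustrate
the explanation above, not measurements of Sygate or of any resolver.
"""
from dataclasses import dataclass, field
from typing import Dict, Tuple

# (proto, local port, remote ip, remote port) identifies one flow.
FlowKey = Tuple[str, int, str, int]


@dataclass
class ConnTracker:
    udp_timeout: float = 30.0     # seconds an idle UDP entry is kept (assumed value)
    tcp_timeout: float = 3600.0   # established TCP is kept much longer (assumed value)
    flows: Dict[FlowKey, float] = field(default_factory=dict)  # key -> time of last packet

    def _timeout(self, proto: str) -> float:
        return self.udp_timeout if proto == "UDP" else self.tcp_timeout

    def outbound(self, now: float, proto: str, lport: int, remote: str, rport: int) -> None:
        """A packet leaving this host creates or refreshes the state entry."""
        self.flows[(proto, lport, remote, rport)] = now

    def inbound(self, now: float, proto: str, lport: int, remote: str, rport: int) -> str:
        """Classify a packet arriving from the network.

        'reply'        matched a live entry (passed silently)
        'expired'      matched an entry older than the timeout (pop-up)
        'unsolicited'  no entry at all (pop-up)
        """
        key = (proto, lport, remote, rport)
        last = self.flows.get(key)
        if last is None:
            return "unsolicited"
        if now - last > self._timeout(proto):
            del self.flows[key]          # state aged out: the firewall has "forgotten" the query
            return "expired"
        self.flows[key] = now
        return "reply"


def dns_scenario(firewall_udp_timeout: float, reply_delay: float) -> str:
    """Send one DNS query at t=0; the answer arrives reply_delay seconds later.

    The local port and server IP are the ones in the pop-up quoted in this
    thread. Returns how the firewall classifies the answer.
    """
    fw = ConnTracker(udp_timeout=firewall_udp_timeout)
    fw.outbound(0.0, "UDP", 1258, "206.13.28.12", 53)
    return fw.inbound(reply_delay, "UDP", 1258, "206.13.28.12", 53)


def resolver_gave_up(reply_delay: float, resolver_timeout: float = 45.0) -> bool:
    """True when the answer lands after the local resolver stopped waiting for it.

    45 s is the figure quoted in the post above, used here as an assumption.
    Denying such a packet costs nothing: no process is waiting for it any more.
    """
    return reply_delay > resolver_timeout


if __name__ == "__main__":
    for fw_timeout, delay in ((30.0, 5.0), (30.0, 50.0), (60.0, 50.0)):
        verdict = dns_scenario(fw_timeout, delay)
        note = " (resolver already gave up; safe to deny)" if verdict != "reply" and resolver_gave_up(delay) else ""
        print(f"firewall UDP timeout {fw_timeout:>5}s, answer after {delay:>5}s -> {verdict}{note}")
```

The second scenario is the poster's situation: the query went out, the server answered late, and the only thing left to match the answer against was a pop-up. It also answers the "why does nothing break when I say NO" question in the quoted post: by the time the firewall asks, the resolver has given up on that query, so the datagram has no consumer either way. Raising the UDP state timeout above the resolver's wait (third scenario) silences the pop-up at the cost of keeping stale entries longer; simply denying it is the safer default.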