ShieldsUp

August 24, 2008 By: Ron Category: Internet security

Steve Gibson from GRC.com provides a free port scanning tool called ShieldsUp that I was playing with the other day. You can perform the scan of your network here. Before doing the scan, make sure you have permission from your network administrator: ShieldsUp probes the ports of the IP address that your browser made the connection from and can therefore trip your company’s IDS. Of course, if you’re doing this from home you will not have to concern yourself with this; just click on the link and proceed with the firewall check. It’s good to know that this service cannot be used as a hacking tool like NMAP, since one cannot scan an arbitrary IP address; it only probes the address your browser connected from.

We talked about egress filtering in a prior post; you can refer to that here as a refresher. A port, also referred to as a software port, is a logical point on the computer where a remote connection takes place. A popular port number is port 80, where you would typically run the web server service. As you read this page, your computer connected to this blog’s web server on port 80. Once the connection on a port is made between a remote computer and the host computer, communication can begin between the two endpoints. Besides a web server, there are other legitimate situations where a service would run on a computer and listen on a port for a client to connect. For example, programs like Remote Access and file sharing, as well as others, need to listen for incoming requests. In order for a remote machine to make a connection to your computer, it needs a port, a “window,” to get in. It becomes essential to be aware of whether such a window to your computer exists, and if it’s open and not needed, it should be closed immediately.

Most of us home users use some sort of router. A router allows us to share a connection between multiple computers, either wired or wireless, which comes in handy these days when it’s quite typical to find more than one computer in a home. Another feature of the router is that it acts as a firewall between the Internet and the computers on your network. I found this definition of a firewall at GRC.com:

“A firewall ABSOLUTELY ISOLATES your computer from the Internet using a “wall of code” that inspects each individual “packet” of data as it arrives at either side of the firewall - inbound to or outbound from your computer - to determine whether it should be allowed to pass or be blocked.”

So I recently switched my Internet service from FIOS to Cablevision. Cablevision installed the cable and connected our Mac to the Internet without supplying a router. I haven’t had a chance to get a router yet, so our Mac is now directly connected to the Internet. I’m not worried, since our Mac has a built-in software firewall; more on that soon. So I decided to run ShieldsUp to see the status of my ports prior to hooking up my router.

The test checked all the service ports 0 - 1055. As you can see in the screenshot, I received almost all blue boxes (representing ports), with a few green, and a “FAILED” rating. What do the colors blue, green and red mean? Red means the port is open, listening for incoming connections and ready to serve, which, remember, isn’t necessarily a bad thing; it’s only bad if you aren’t aware of the service that is running there. Blue means that the port is actually closed and no service is running on it, so no connections can be made. That’s good. Green is “stealth,” a term Steve Gibson coined. A port is “stealthed” if, when the port on the remote computer or router is probed, there is no response at all: complete silence on the wire. There is a debate in the TCP/IP Internet world regarding the notion of “stealth” vs. closed ports. Steve felt that a TCP/IP port shouldn’t respond but rather drop the request completely. In his opinion a “stealthed” port is better than a closed port. If a port responds that it is closed, that response in itself tells the remote machine that a system exists on the other end and is “out there.” If your system is completely “stealthed,” a hacker wouldn’t even know whether your system was actually connected to the Internet. Steve feels that this added layer of privacy makes it more secure. The “FAILED” rating I received comes from Gibson’s “True Stealth Analysis”: because my closed ports answered the probes at all, my system was not stealthed, and so it failed.
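The three colours above are really three different outcomes of a TCP connection attempt, and the “window” idea from the port explanation earlier is simply a socket in the listening state. The Python below is an added example written for this post (it is not GRC’s code and has nothing to do with how ShieldsUp is implemented); it starts a throwaway listener on the local machine to stand in for a real service, picks a port with nothing behind it, and classifies each with a plain connect(): a completed handshake is “open” (red), a refused connection is “closed” (blue, the host answered), and a timeout with no answer at all is the “no response” case Gibson calls stealthed (green). The labels and the helper names are the example’s own.

```python
import socket

# Labels mirroring the three ShieldsUp colours discussed in the post.
OPEN = "open"                # red: a service accepted the connection
CLOSED = "closed"            # blue: the host refused the connection, so it answered
NO_RESPONSE = "no response"  # green / "stealth": nothing came back before the timeout
UNREACHABLE = "unreachable"  # no route or similar error before any probe reached the host


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP connect and map the outcome to a ShieldsUp-style state.

    A completed handshake means something is listening (OPEN).  An immediate
    "connection refused" means the host actively answered for a port with no
    listener (CLOSED).  Running out the timeout means the probe was silently
    dropped, which is what the post calls "stealthed" (NO_RESPONSE).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return NO_RESPONSE
        except ConnectionRefusedError:
            return CLOSED
        except OSError:
            # e.g. network unreachable: the probe never got far enough to tell us anything
            return UNREACHABLE
        return OPEN


def audit(host: str, ports, timeout: float = 1.0) -> dict:
    """Classify a set of ports on one host; returns {port: state}."""
    return {port: classify_port(host, port, timeout) for port in ports}


def ports_to_review(results: dict) -> list:
    """The post's rule of thumb: anything OPEN that you did not expect needs a look."""
    return sorted(port for port, state in results.items() if state == OPEN)


def start_listener(host: str = "127.0.0.1"):
    """Bind a throwaway listener on an OS-chosen port; stands in for a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Find a port with nothing listening by binding to it and releasing it at once."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Constructed scenario: one listening service and one idle port on localhost."""
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        results = audit("127.0.0.1", [open_port, closed_port])
        return {
            "listening service": results[open_port],
            "nothing listening": results[closed_port],
            "review": ports_to_review(results) == [open_port],
        }
    finally:
        srv.close()


if __name__ == "__main__":
    for label, state in demo().items():
        print(f"{label}: {state}")
```

Run against your own machine from the outside, the interesting difference is between the last two states: a host with no firewall at all reports CLOSED for every idle port, which is exactly the blue-but-FAILED result above, while a firewall that drops rather than rejects makes the same idle ports come back as NO_RESPONSE. Only connection attempts against systems you are responsible for, of course, for the same reason the post gives about your company’s IDS.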

I did some further reading into the Mac firewall and was surprised to learn that the Leopard OS firewall is turned off by default. Again, if you’re behind a router (which I was before Cablevision), there is no need for concern, since the router is a firewall. However, if you have a laptop and connect to the Internet in potentially hostile environments, it would be wise to turn on your Mac firewall. It is surprising that Apple, of all companies who toot their horns about security, would ship Leopard’s firewall off by default. So, the analysis done in the screenshot above is my Mac connected directly to the Internet with no firewall running. If there were any services running on my computer, those ports would have displayed red for open. Why the few green “stealthed” ports? Good question. It turns out that these ports are actually shut down (“stealthed”) by my cable provider Cablevision, and one of them is port 80. Yup, I can’t run a web server on my Mac unless I use a router and go through some hoops to configure it properly.

Here is a screenshot of the ShieldsUp test performed on my iPod touch mobile browser after configuring my router. Now, with a router between the Internet and the computers on my network, I’m fully “stealthed.”