Firewall tests can be useful to identify any holes in your security. Rather than relying on simple Pass/Fail, though, examine the results carefully.
How important is it to test your firewall with a firewall test? I've read about many firewall tests like Shields Up, and I've thought about using them. I know that firewall tests check for open ports, so how do ports become open and vulnerable in the first place? Is there really any way to avoid that? I do not use my computer for much other than simple surfing and I never download anything. I have my firewall set on learning mode. Would a firewall test be more important for someone who downloads, plays games, etc? I read that many of these tests are easy to fail for reasons most casual users would not understand. I do not understand very much about firewalls and do not understand some settings enough to change them. I would not want to take a firewall test for it to tell me I've failed, and then spend days trying to figure out why, when in truth my firewall is fine.
I love Steve Gibson, and his firewall testing utility Shields Up, I really do. Unfortunately, Steve's taken a rather extreme position in how he reports your firewall's status - anything less than total invisibility is labeled with a big red "FAILED".
In my opinion that's both impractical, and unnecessarily alarming for the average user.
But the test itself, which I FAILED right here at home, returns some very valuable information nonetheless.
A firewall works by blocking access to what are called "ports" on your incoming network connection. When a computer is configured to accept incoming connections, it "listens" for those connections on those ports. For example, a web server must, by definition, listen for incoming requests for http connections, which happen on port 80. Your computer at home has no need to respond to http connections, and thus doesn't need to accept incoming connections on port 80.
To "turn off" a port without a firewall requires turning off all software on your machine that might be listening on that port. The fact that you don't run a web server on your desktop means that your computer is already not listening on port 80, because there's no software to do so. Unfortunately, for many other ports, this solution isn't always practical.
Enter the firewall. It sits between your computer and the internet, and controls all incoming requests. When a firewall sees an incoming request, it can take any of several different actions:
If it's a router, it could be configured to pass the requests arriving on a specific port to a specific computer on your network. This is called port forwarding. The externally visible behavior of that port, then, is controlled by however that forwarded-to computer is configured.
It could respond by saying "closed, nothing to connect to here".
It could simply not respond at all.
That last one is the most secure, because not responding is exactly the same as if there were no computer here at all. The remote computer doesn't get any confirmation that your computer even exists.
ShieldsUp refers to this as "Stealth".
Unfortunately, ShieldsUp also considers anything less than stealth on any port as a failure.
Here's my ShieldsUp report:
As you can see I "Fail" the Shields Up test. If you were to look no further, you'd probably panic and not know what to do.
In my case, I do nothing. I'm totally safe. The "failure" is that my router responds to a ping request by saying "this port is closed". You actually can't ping my IP address, but you can determine that my IP address exists.
From a very practical standpoint, my reaction is: so what?
I don't consider this a practical failure, and it's certainly not a hole in my firewall or any kind of serious security flaw. In fact it's exceptionally common, as there have been problems reported with some systems that successfully stealth this port - so they may want it to be discoverable.
And yet, as a result, my test "Failed".
My advice is:
Above All: Use A Firewall - I recommend using a NAT router, even if you only have one machine. Regardless of the results from testing services like ShieldsUp, this single device will, by default, protect you from the majority of the threats that they're looking for. In all honesty, if you have a NAT router I don't think you even need to run the tests.
Ignore the word FAILED - If you do visit GRC and run Shields Up, ignore the "FAILED" that you're likely to get. It may, or may not, indicate that you have an actual security issue. Instead...
Look at the Results - After you run ShieldsUp, look at the specific ports that failed, and why. Click through on the details to understand what each failure may, or may not mean. Port 113 being "closed" instead of stealth is no big deal. Port 139 being wide open could easily be an issue, since that's the Windows file-sharing port.
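As an added illustration (not part of the original article), the Python sketch below tells apart the three port behaviors described earlier (open, closed, stealth) with a plain TCP connection attempt against your own machine, then flags only the open ports, as the advice above suggests. The function names and the loopback demo are assumptions made for this example.

```python
import socket

def probe(host, port, timeout=1.0):
    """Classify one TCP port the way the article describes firewall responses."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"      # something is listening and accepted the connection
    except ConnectionRefusedError:
        return "closed"    # explicit "nothing to connect to here" reply
    except socket.timeout:
        return "stealth"   # no response at all before the timeout
    except OSError:
        return "unknown"   # e.g. network unreachable; not one of the three cases
    finally:
        s.close()

def needs_review(results):
    """Return only the ports worth investigating: the open ones."""
    return sorted(port for port, state in results.items() if state == "open")

def loopback_demo():
    """Constructed demo: one listening and one unused port on 127.0.0.1."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))      # port 0 = let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens here any more
    try:
        results = {p: probe("127.0.0.1", p) for p in (open_port, closed_port)}
    finally:
        listener.close()
    return open_port, closed_port, results

if __name__ == "__main__":
    open_port, closed_port, results = loopback_demo()
    for port, state in sorted(results.items()):
        print(f"port {port}: {state}")
    print("needs review:", needs_review(results))
    # Constructed sample report using the two ports the article mentions.
    sample = {113: "closed", 139: "open", 80: "stealth"}
    print("sample report, needs review:", needs_review(sample))
```

A probe run from inside your own network sees the machine's local state, not what the router exposes to the internet; an external tester such as ShieldsUp is what shows the outside view.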
Port/firewall testers are incredibly valuable, but depending on how they display their results they can also be somewhat misleading. Take the time to understand the result you get before you panic.
And yes, use a firewall of some sort.