Website To Test Internal Network Security?


rfrazier

Well-known member
Sep 30, 2020
320
100
Probably doable. There are online AV scanners. Might be hard to trust such a thing though. After all, you're letting the scanner javascript app inside your firewall.

May your bits be stable and your interfaces be fast. :cool: Ron
 

Intuit

Well-known member
Dec 27, 2020
88
25
Seems like few people have an actively restricting outbound firewall. Aside from very specific ports that browser manufacturers have collectively decided to block, it's been my understanding that websites are already capable of LAN snooping anyway?

Since the ISP owns many of the Gateways and not the people visiting the test site, whoever implements this may face some legal hurdles... and perhaps that's been one of the barriers already. There are also people who will snatch the code from the website and run it on their own... but silently and for the purpose of knowing what and where to exploit. (assuming this isn't already being done)

Given the total lack of outbound security on Apple, Google and the default configuration of Microsoft's Operating Systems, perhaps browsers need to start embedding their own outbound firewalls.
 
Sep 17, 2020
162
55
63
London UK
I used to love ZoneAlarm. Not really sure why it fell out of favour
Me too. It fell out of favour with me when it started to automatically change some Windows settings. I think it decided that certain emails were up to no good. Also when it started it had a very small footprint, but every release it got much larger, due to the fact it was taking over more of what it thought was good for you. I remember it caught the outgoing of the MTX virus, in the early days. I had foolishly clicked a link in an email, supposedly from my paragliding instructor, that was for a "Matrix style Screensaver".
 

hyperbole

New member
Oct 2, 2020
4
1
I used to love ZoneAlarm. Not really sure why it fell out of favour...
I like it too. I think along with getting bigger and adding too many features, the main reason ZoneAlarm disappeared was that Microsoft started including its own firewall in Windows and ZoneAlarm couldn't make enough money to keep the development process going.
 

DanR

Dan
Sep 17, 2020
205
52
I used to love ZoneAlarm. Not really sure why it fell out of favour...
Me also. I still think fondly of ZA 1.0, the version that Steve recommended so long ago.

I used it thru Ver 3.6 or something like that. I "skipped" Versions 4, 5, 6, 7, as it seemed every X.0 release was evermore bloated, and invariably late alpha / early beta, with lots of bugs and crashes, etc. Clearly marketeers were running the show out of control. Eventually ZA always came out with an X.2, X.3, etc. release that was what I thought the X.0 release should have been.

My parting of the ways came when I booted my PC one day and ZA had locked me out of the Task bar (early Win 7). Weird. I dumped ZA and all was well. Never looked back.
 

Intuit

Well-known member
Dec 27, 2020
88
25
Microsoft included a firewall with XP, it just wasn't turned on by default.
I turned it on, not long after my first Messenger pop-up.
Memory serving, they didn't turn it on by default until SP1.

Even to this day the Outbound firewall is effectively off and must be manually "enabled" and then configured.
Its biggest limitation is an inability to deal with host processes.
Microsoft seems to have reserved host process filtering for themselves.

With Kerio Personal Firewall I had no problem seeing and controlling any traffic. Besides its flexibility for manual configuration, its clear, easy, detailed, graphic logging was its best feature. They added stuff like HIPS but I turned all that automation off.

With other firewalls they tend to rewrite and/or selectively ignore the user's rule base; allowing its own "phone home" traffic for example.
 

MichaelRSorg

Well-known member
Nov 1, 2020
88
13
RouterSecurity.org
First off, see RouterSecurity.org
Secondly, what sort of thing are you interested in testing?

Any testing can only go so far. For example, it is close to impossible to know if a router is spying on you. I am looking at an Asus router and see that when it boots up it phones home a few times to Asus. Why? We'll never know.
 

Intuit

Well-known member
Dec 27, 2020
88
25
@MichaelRSorg - Took a quick look at the site and no tests are offered there. I'm not interested in testing my own routers as they're operating on open source firmware. (But I do know that these firmwares are outdated and therefore have exploitable code running on them. -- I have a router with updated hardware features in the works.) Running Nmap scans against OEM firmwares and ISP routers invariably revealed external/internal open ports that could not be closed with firewall rules; which is why I started running open source.

The purpose is the same as with other sites; to inform people if they're operating with insecure and/or exploitable firmware and settings... such as UPnP enabled.
 

MichaelRSorg

Well-known member
Nov 1, 2020
88
13
RouterSecurity.org
This page has many tests
There is also a page with assorted DNS tests here

Your trust in open source software is misplaced. No software is perfect and, as Steve says, it's best to trust no one. I agree that many ISP provided routers have open TCP ports on the WAN side. My experience has been that routers purchased at retail do not have any open WAN side ports. Then again, you also need to test the LAN side as routers can be attacked on either end. And we need to test what, if any, data a router phones home with. It might be spying on us.

Steve has the only external UPnP tester that I know of. Testing UPnP on the LAN side requires installing software.
 

Intuit

Well-known member
Dec 27, 2020
88
25
Thanks; sorry about that.
Think, "ShieldsUP!" but LAN instead of WAN.
Is there an equivalent?
Everyone focuses on WAN without thinking about LAN.
The Nmap scans I did *years* back were on both sides of the gateway.
WAN was scanned by connecting the equipment behind another device's LAN.

Never said or implied anything about open-source being perfect? Much of the code that the OEMs use is "borrowed" from open-source anyway... it's just that they tend to never update that code and/or make boneheaded changes. I would assume that retail has improved over the last couple of years. But I'm sticking to open-source. (All options are vulnerable to a compromised supply chain link.) Having a router with open ports one can't close AND exploitable code is typically better than having a router with just the exploitable code. (and "features" you can actually turn off)
 

rfrazier

Well-known member
Sep 30, 2020
320
100
Testing UPnP on the LAN side requires installing software.
@MichaelRSorg I actually read that 2 or 3 times before I realized you said UPnP and not TCP. But, regardless, couldn't you use a javascript app (assuming you had a good one) running on a local drive inside the LAN. That definitely requires running software, but not exactly installing it. A minor distinction, but one could run such a program without elevated security privileges.
My experience has been that routers purchased at retail do not have any open WAN side ports.
It's been a long time since I've bought a router. And the ones I have are running DD-WRT. But, regardless of where I get a router or what it's running, I always check every setting and especially make sure all "services" I don't want are OFF, remote admin is OFF, UPnP is OFF, etc. I never assume that the router is safe or appropriate as it comes. I wrote a blog post on router security back in 2017. It's a little old, and your posts are far more comprehensive, but it still might be useful.


May your bits be stable and your interfaces be fast. :cool: Ron
 

MichaelRSorg

Well-known member
Nov 1, 2020
88
13
RouterSecurity.org
Think, "ShieldsUP!" but LAN instead of WAN.
Is there an equivalent?
There are some programs that claim to do this, but I don't think much of them. Avast has one. F-Secure used to have a router checker, but it was external and just looked at DNS. There are a host of add-on devices that live on your LAN and claim to find network errors (fingbox, firewalla, bitdefender, trend micro, dojo, cujo, etc.). I doubt they do much. There is a list of these on the Resources page at RouterSecurity.org. There are some specific bugs we can check for but software on the LAN does not know the model/firmware version of the router. And nothing on the LAN side of a router can tell if a router is spying on you.

Everyone focuses on WAN without thinking about LAN.

Agreed.
The Nmap scans I did *years* back were on both sides of the gateway.
WAN was scanned by connecting the equipment behind another device's LAN.

I agree again. But, when you find open ports on the LAN side, what then? You have to ask the router vendor what the port is used for and whether it can be closed.

Never said or implied anything about open-source being perfect? Much of the code that the OEMs use is "borrowed" from open-source anyway...

Third agreement :) There are pros/cons to both open and closed source software. Both camps have good and bad developers. Closed source commercial sw is more likely to offer continued development and available tech support. These things cost money.
 

MichaelRSorg

Well-known member
Nov 1, 2020
88
13
RouterSecurity.org
... couldn't you use a javascript app (assuming you had a good one) running on a local drive inside the LAN. That definitely requires running software, but not exactly installing it.
I don't know.

... regardless of where I get a router or what it's running, I always check every setting and especially make sure all "services" I don't want are OFF, remote admin is OFF, UPnP is OFF, etc. I never assume that the router is safe or appropriate as it comes.

That's the attitude :) I too, review every ... darn ... configuration setting.