Seems like few people have an actively restricting outbound firewall. Aside from very specific ports that browser manufacturers have collectively decided to block, it's been my understanding that websites are already capable of LAN snooping anyway?
Since the ISP owns many of the Gateways and not the people visiting the test site, whoever implements this may face some legal hurdles... and perhaps that's been one of the barriers already. There are also people who will snatch the code from the website and run it on their own... but silently and for the purpose of knowing what and where to exploit. (assuming this isn't already being done)
Given the total lack of outbound security on Apple, Google and the default configuration of Microsoft's Operating Systems, perhaps browsers need to start embedding their own outbound firewalls.
I used to love ZoneAlarm. Not really sure why it fell out of favour... probably because it was causing too many people too many annoyances. Windows has some sort of an outbound firewall of its own, but it's nowhere near as user friendly as ZoneAlarm was.
Me too. It fell out of favour with me when it started to automatically change some Windows settings. I think it decided that certain emails were up to no good. Also, when it started it had a very small footprint, but every release it got much larger, due to the fact it was taking over more of what it thought was good for you. I remember it caught the outgoing of the MTX virus, in the early days. I had foolishly clicked a link in an email, supposedly from my paragliding instructor, that was for a "Matrix style Screensaver".
I like it too. I think along with getting bigger and adding too many features, the main reason ZoneAlarm disappeared was that Microsoft started including its own firewall in Windows and ZoneAlarm couldn't make enough money to keep the development process going.
Me also. I still think fondly of ZA 1.0, the version that Steve recommended so long ago.
I used it thru Ver 3.6 or something like that. I "skipped" Versions 4, 5, 6, 7, as it seemed every X.0 release was evermore bloated, and invariably late alpha / early beta, with lots of bugs and crashes, etc. Clearly marketeers were running the show out of control. Eventually ZA always came out with an X.2, X.3 etc. release that was what I thought the X.0 release should have been.
My parting of the ways came when I booted my PC one day and ZA had locked me out of the Task bar (early Win 7). Weird. I dumped ZA and all was well. Never looked back.
Microsoft included a firewall with XP, it just wasn't turned on by default.
I turned it on, not long after my first Messenger pop-up.
Memory serving, they didn't turn it on by default until SP1.
Even to this day the Outbound firewall is effectively off and must be manually "enabled" and then configured.
Its biggest limitation is an inability to deal with host processes.
Microsoft seems to have reserved host process filtering for themselves.
With Kerio Personal Firewall I had no problem seeing and controlling any traffic. Besides its flexibility for manual configuration, its clear, easy, detailed, graphic logging was its best feature. They added stuff like HIPS but I turned all that automation off.
Other firewalls tend to rewrite and/or selectively ignore the user's rule base, allowing their own "phone home" traffic, for example.
First off, see RouterSecurity.org
Secondly, what sort of thing are you interested in testing?
Any testing can only go so far. For example, it is close to impossible to know if a router is spying on you. I am looking at an Asus router and see that when it boots up it phones home a few times to Asus. Why? We'll never know.
@MichaelRSorg - Took a quick look at the site and no tests are offered there. I'm not interested in testing my own routers as they're operating on open source firmware. (But I do know that these firmwares are outdated and therefore have exploitable code running on them. -- I have a router with updated hardware features in the works.) Running Nmap scans against OEM firmwares and ISP routers invariably revealed external/internal open ports that could not be closed with firewall rules; which is why I started running open source.
The purpose is the same as with other sites; to inform people if they're operating with insecure and/or exploitable firmware and settings... such as UPnP enabled.
Your trust in open source software is misplaced. No software is perfect and, as Steve says, it's best to trust no one. I agree that many ISP provided routers have open TCP ports on the WAN side. My experience has been that routers purchased at retail do not have any open WAN side ports. Then again, you also need to test the LAN side as routers can be attacked on either end. And we need to test what, if any, data a router phones home with. It might be spying on us.
Steve has the only external UPnP tester that I know of. Testing UPnP on the LAN side requires installing software.
Everyone focuses on WAN without thinking about LAN.
The Nmap scans I did *years* back were on both sides of the gateway.
WAN was scanned by connecting the equipment behind another device's LAN.
Never said or implied anything about open-source being perfect? Much of the code that the OEMs use is "borrowed" from open-source anyway... it's just that they tend to never update that code and/or make boneheaded changes. I would assume that retail has improved over the last couple of years. But I'm sticking to open-source. (All options are vulnerable to a compromised supply chain link.) Having a router with open ports one can't close AND exploitable code is typically better than having a router with just the exploitable code. (and "features" you can actually turn off)
It's been a long time since I've bought a router. And the ones I have are running DD-WRT. But, regardless of where I get a router or what it's running, I always check every setting and especially make sure all "services" I don't want are OFF, remote admin is OFF, UPnP is OFF, etc. I never assume that the router is safe or appropriate as it comes. I wrote a blog post on router security back in 2017. It's a little old, and your posts are far more comprehensive, but it still might be useful.
There are some programs that claim to do this, but I don't think much of them. Avast has one. F-Secure used to have a router checker, but it was external and just looked at DNS. There are a host of add-on devices that live on your LAN and claim to find network errors (Fingbox, Firewalla, Bitdefender, Trend Micro, Dojo, Cujo, etc.). I doubt they do much. There is a list of these on the Resources page at RouterSecurity.org. There are some specific bugs we can check for, but software on the LAN does not know the model/firmware version of the router. And nothing on the LAN side of a router can tell if a router is spying on you.
Third agreement. There are pros/cons to both open and closed source software. Both camps have good and bad developers. Closed source commercial software is more likely to offer continued development and available tech support. These things cost money.