Test Your Firewall’s Inbound Security

In this tutorial you’ll learn more about how easy it is to test your firewall’s incoming security preparedness, and what port scan results are actually telling you.

Installing personal firewall software like ZoneAlarm or Norton Personal Firewall is a great start towards protecting your PC from online dangers, but you should still test its inbound security periodically to be certain that it’s offering the protection you expect. All personal firewall programs will block incoming connection attempts by default, but if you’ve been opening ports (or allowing programs to “act as a server”) to allow others to connect to your PC, you’ll want to be sure that you haven’t left any ports open by accident. Additionally, it’s a good idea to check the status of your ports occasionally to be sure that a malicious program (such as a Trojan horse) hasn’t wormed its way onto your system and silently opened a backdoor that would allow others to connect.

The easiest way to test the inbound security of your firewall is to use one of the many free port scanning tools available on the web. There are a number to choose from, but the one I usually recommend is ShieldsUP! at www.grc.com. This tool will perform a scan of your IP address to determine whether any ports are open and accessible to Internet users. If your firewall is configured correctly, all ports should be in stealth mode (with the exception of any ports that you have explicitly opened), meaning that these ports do not respond to requests from outside users – exactly what most users need and should want.

To test your firewall with ShieldsUP!, follow these steps:

  1. Open your preferred web browser and head to the ShieldsUP! home page.
  2. Read through the details provided on the page, and then click the Proceed button. If a Security Warning dialog box appears, click Continue.
  3. Click the buttons provided to run scans for open File Sharing, Common Ports, Service Ports, and so forth, one at a time. Complete all of the scans. Scans will take anywhere from a few seconds to over a minute to complete, depending on how busy the site is and the speed of your connection.

Once a scan completes, review its results and proceed to the next one. If open ports and/or vulnerabilities are found, use the details provided to make the necessary changes to your firewall. This may involve denying certain programs the ability to “act as a server” in your firewall’s program configuration settings. The three possible states mean different things. When a port is open, connections from outside users are accepted. When a port is closed, connection attempts are refused, but the refusal itself is a reply, so your PC is still visible to the outside world. When a port is in stealth mode, the scanner got no response at all from the port, making your PC virtually invisible.
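To make the three verdicts concrete, here is a small added Python example (not part of the original article and not code from ShieldsUP!) that performs a single TCP connection attempt and classifies the outcome the way the scanner reports it: a completed handshake is “open”, a refusal (TCP reset) is “closed”, and silence until the timeout is “stealth”. The function names `classify_result`, `probe_port`, `probe_ports` and `self_check` are this example’s own. Note that probing 127.0.0.1 only shows what is listening on your own PC, because the firewall does not sit in the loopback path; to see what the Internet sees, the probe has to come from outside your network, which is exactly what ShieldsUP! does for you.

```python
import errno
import socket
from contextlib import closing

# Return codes that mean "nothing ever came back" (the scanner's "stealth").
# socket.connect_ex() reports a timed-out connect as EWOULDBLOCK/EAGAIN on
# Unix and as WSAEWOULDBLOCK on Windows; ETIMEDOUT is the kernel's own code
# for a connect that ran out of retries.
_NO_ANSWER = {
    errno.ETIMEDOUT,
    errno.EAGAIN,
    errno.EWOULDBLOCK,
    getattr(errno, "WSAEWOULDBLOCK", errno.EWOULDBLOCK),
}


def classify_result(rc: int) -> str:
    """Map a socket.connect_ex() return code onto the article's three states."""
    if rc == 0:
        return "open"       # three-way handshake completed: a service answered
    if rc == errno.ECONNREFUSED:
        return "closed"     # host sent a reset: nothing listening, but the PC is visible
    if rc in _NO_ANSWER:
        return "stealth"    # silence until the timeout: the probe was dropped
    return "error"          # e.g. no route to host; says nothing about the port itself


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """One TCP connect attempt against host:port, classified as above."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        return classify_result(s.connect_ex((host, port)))


def probe_ports(host: str, ports, timeout: float = 2.0) -> dict:
    """Probe several ports and return {port: verdict}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def self_check() -> dict:
    """Demonstrate all three verdicts without leaving the machine:
    a loopback listener (open), a port with nothing behind it (closed), and
    the code a timed-out connect would produce (stealth, fed in directly
    because loopback traffic is never dropped by the firewall)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free one
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                            # now nothing answers on closed_port

    try:
        return {
            "listening port": probe_port("127.0.0.1", open_port),
            "unused port": probe_port("127.0.0.1", closed_port),
            "dropped probe": classify_result(errno.ETIMEDOUT),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for label, verdict in self_check().items():
        print(f"{label:15s} -> {verdict}")
    # A few of the "common ports" a scanner checks; loopback shows only what
    # your own PC is listening on, not what the firewall exposes.
    for port, verdict in probe_ports("127.0.0.1", (21, 22, 80, 135, 139, 445)).items():
        print(f"port {port:5d}   -> {verdict}")
```

Anything reported as “open” in the second loop is a service listening on your PC; if you did not deliberately start it, that is the kind of unexpected listener the article warns about, and it is worth finding out which program owns it before deciding whether the firewall should keep it blocked.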

One thing to note when your scan is complete – even if all ports are determined to be in stealth mode, your PC may still officially “fail” the test. Many firewalls (especially older versions) will automatically reply to “ping” diagnostic messages, even with all ports closed. If the firewall does reply to a ping, it tells the person who initiated it that a system does exist at your IP address. That doesn’t mean that they can get in, but it does mean that they could attempt a more involved attack knowing that there’s a system at your address. For this reason, almost all firewalls now automatically discard ping requests originating from the Internet. If yours didn’t, take a look through your firewall’s configuration settings and you’ll likely find an option to block ping replies – typically named “discard ping from WAN”, “block ICMP echo replies” or similar.

If your firewall shows all ports running in full stealth mode, that’s good news. It doesn’t necessarily mean that your PC is protected from all potential security threats, but it’s a good start. Don’t be afraid to experiment with other online port scanning tools, either. There’s no shortage of great options available ranging from basic probing tools through to more advanced and detailed scanners.

Author: Dan DiNicolo

Dan DiNicolo is a freelance author, consultant, trainer, and the managing editor of 2000Trainers.com. He is the author of the CCNA Study Guide found on this site, as well as many books including the PC Magazine titles Windows XP Security Solutions and Windows Vista Security Solutions.