Firewall Protection How To
Content
What is a Firewall? A firewall is a tool that monitors communication to and from your computer. It sits between your computer and the rest of the network, and according to some criteria, it decides which communication to allow, and which communication to block. It may also use some other criteria to decide about which communication or communication request to report to you (either by adding the information to a log file that you may browse whene er you wish, or in an alert message on the screen!, and what not to report. What Is It "ood For? Identifying and blocking remote access #ro$ans. %erhaps the most common way to break into a home computer and gain control, is by using a remote access #ro$an (&A#!. (sometimes it is called 'backdoor #ro$an' or 'backdoor program'. (any people simply call it a '#ro$an horse' although the term '#ro$an horse' is much more generic!. A #ro$an horse, is a program that claims to do something really innocent, but in fact does something much less innocent. #his goes to the days where the "reek soldiers succeeded to enter through the gates of #roy by building a big wooden horse, and gi ing it as a present to the king of #roy. #he soldiers allowed the sculpture to enter through their gates, and then at night, when the soldiers were busy guarding against an outside attack, many "reek soldiers who were hiding inside the horse went out and attacked #roy from the inside. #his story, which may or may not be true, is an e)ample of something which looks like something innocent and is used for some less innocent purpose. #he same thing happens in computers. *ou may sometimes get some program, ia I+,, or ia -senet, or ia I&+, and belie e this program to be something good, while in fact running it will do something less nice to your computer. .uch programs are called #ro$an horses. It is accepted to say that the difference between a #ro$an horse and a irus, is that a irus has the ability to self/replicate and to distribute itself, while a #ro$an horse lacks this ability. A special type of #ro$an horses, is &A#s (&emote Access #ro$ans, some say 'remote admin #ro$ans'!. #hese #ro$ans once e)ecuted in the ictim0s computer, start to listen to incoming communication from a remote matching program that the attacker uses. When they get instructions from the remote program, they act accordingly, and thus let the user of the remote program to e)ecute commands on the ictim0s computer. #o name a few famous &A#s, the most common are 1etbus, 2ack/3rifice, and .ub.e en (which is also known as 2ackdoor/"!. In order for the attacker to use this method, your computer must first be infected by a &A#. %re ention of infections by &A#s is no different than pre ention of infection by iruses. Anti irus programs can identify and remo e most of the more common &A#s. %ersonal firewalls can identify and block remote communication efforts to the more common &A#s and by thus blocking the attacker, and identifying the &A#. 2locking4Identifying 3ther #ypes of #ro$ans and W,orms? #here are many other types of #ro$an horses which may try to communicate with the outside from your computer. Whether they are e/
mail worms trying to distribute themsel es using their own .(#% engine, or they might be password stealers, or anything else. (any of them can be identified and blocked by a personal firewall. Identifying42locking .pyware0s4Adbots? #he term 'spyware' is a slang which is not well defined. It is commonly used mainly for arious adware (and adware is a program that is supported by presenting ad ertisements to the user!, and that during their installation process, they install an independent program which we shall call 'adbot'. #he adbot runs independently e en if the hosting adware is not running, and it maintains the ad ertisements, downloads them from the remote ser er, and pro ides information to the remote ser er. #he adbot is usually hidden. #here are many companies that offer adbots, and ad ertisements ser ices to adware. #he information that the adbots deli er to their ser ers from the computer where the adbot is installed, is 'how much time each ad ertisement is shown, which was the hosting adware, and whether the user clicked on the ad ertisement. #his is important so that the ad ertisements ser er will be able to know how much money to get from each of the ad ertised companies, and how much from it to deli er to each of the adware maintainers. .ome of the adbots also collect other information in order to better choose the ad ertisements to the users. #he term 'spyware' is more generic, but most of the spyware fall into this category. (any types of adbots can be identified and blocked by personal firewalls. 2locking Ad ertisements? .ome of the better personal firewalls can be set to block communication with specific sites. #his can be used in order to pre ent downloading of ad ertisements in web pages, and thus to accelerate the download process of the web sites. #his is not a ery common use of a personal firewall, though. %re enting +ommunication to #racking .ites? .ome web pages contain references to tracking sites. e.g. instruct the web browser to download a small picture (sometimes in isible! from tracking sites. .ometimes, the pictures are isible and pro ide some statistics about the site. #hose tracking sites will try to sa e a small te)t either as a small file in a special directory, or as a line in a special file (depending on what is your browser!, and your browser will usually allow the sa ing site to read the te)t that it sa ed on your computer. #his is called 'web cookies' or sometimes simply 'cookies'. +ookies allow a web site to keep information that it sa ed some time when you entered it, to be read whene er you enter the site again. #his allow the web site to customi5e itself for you, and to keep track on e erything that you did on that site. It does not ha e to keep that information on your computer. All it has to sa e on your computer is a unique identifying number, and then it can keep in the ser er0s side information regarding what has been done by the browser that used that cookie. *et, by this method, a web site can get only information regarding your isits in it. .ome sites such as 'doubleclick' or 'hitbo)' can collect information from arious affiliated
sites, by putting a small reference in the affiliated pages to some picture on their ser ers. When you enter one of the affiliated web pages, your browser will communicate with the tracking site, and this will allow the tracking site to put or to read a cookie that identifies your computer uniquely, and it can also know what was the web page that referred to it, and any other information that the affiliated web site wanted to deli er to the tracking site. #his way tracking sites can correlate information from many affiliated sites, to build information that for e)ample will allow them to better customi5e the ad ertisements that are put on those sites when you browse them. .ome personal firewalls can be set to block communication to tracking sites. It is not a common use of a personal firewall, though, and a personal firewall is not the best tool for that, but if you already ha e one, this is yet another possible use of it. 2locking or 6imiting the 1et2I3. +ommunication? (as well as other default ser ices! #he two common methods of intruders to break into home computers, are through a &A# (which was discussed in II.7a! and through the 1et2I3. communication. #he 1et2I3. is a standard for naming computers in small networks, de eloped long ago by I2( and (icrosoft. #here are a few communication standards which are used in relation to the 1et2I3.. #he ones that are rele ant for (icrosoft Windows operating systems, are8 12# (1et2I3. o er #+%4I%!, I%94.%9, and 1et2:-I. #he communication standard which is used o er the Internet, is 12#. If it is enabled, and there is no firewall or something else in the middle, it means that your computer is listening for communications o er the Internet ia this standard, and will react according to the different 12# commands that it gets from the remote programs. It is thus that the 12# (which sometimes loosely called '1et2I3.'! is acting as a ser er. .o the ne)t question should be 'what remote 12# commands the 12# ser er will do on the local computer'. #he answer to this question depends on the specific setting on your computer. *ou may set your computer to allow file and print sharing. If also 12# is enabled, it means that you allow remote users to share your files or printers. #his is a big problem. It is true that in principle the remote user has to know your password for that computer, but many users do not set a password for their user on Windows, or set a tri ial password. 3lder ersions of Win;< had file and print sharing o er 1et2I3. enabled by default. 3n Win;=, and Win(e it was disabled by default, but many technicians, when they set a home network, they enable the file and print sharing, without being aware that it influences also the authori5ations of a remote Internet user. #here are e en worms and iruses who use the File sharing option to spread in the Internet. Anyway, no matter whether you need it for some reason or $ust are not aware of it, a personal firewall can identify and block any e)ternal effort to communicate with the 1et2I3. ser er on your computer. #he more fle)ible personal firewalls can be set to restrict the authori5ation to communicate with the 1et2I3.. .ome Windows operating systems, especially those which are not meant for home uses, offer other public ser ices by default, such as &%+. A firewall can identify communication efforts to them, and block them. .ince such
ser ices listen to remote communications, there is a potential risk when there are efforts to e)ploit security holes in the programs that offer the ser ices, if there are such security holes. A firewall may block or limit the communication to those ser ices. >iding *our +omputer on the Internet? Without a firewall, on a typical computer, e en if well maintained, a remote person will still be able to know that the communication effort has reached some computer, and perhaps some information about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from your computer, but might still be able to identify also who your I.% is, and might decide to in est further time in cracking into your computer. With a firewall, you can set the firewall so that any communication effort from remote users (in the better firewalls you may define an e)ception list! will not be responded at all. #his way the remote user will not be able to e en know that it reached a li e computer. #his might discourage the remote attacker from in esting further time in effort to crack into your computer. #he 1on/Firewall ?efenses We0 e discussed a few situations where a personal firewall can pro ide defense. *et, in many cases a computer maintainer can deal with those situations e en without a firewall. #hose 'alternati e' defenses, in many cases are recommended regardless of whether you use a firewall or not. &emote Access #ro$ans? #he best way to defend against remote access #ro$ans (&A#s! is to pre ent them from being installed in the first place on your computer. A &A# should first infect your computer in order to start to listen to remote communication efforts. #he infection techniques are ery similar to the infection techniques that iruses use, and hence the defense against #ro$an horses is similar to the defense against iruses. #ro$an horses do not distribute themsel es (although they might be companions of another Internet worm or irus that distributes them. *et, because in most cases they do not distribute themsel es, it is likely that you will get them from anonymous sources, such as instant messengers, @a5aa, I&+, or a newsgroup. adopting a suspicious policy regarding downloads from such places, will sa e you not only from iruses but also from getting infected with #ro$an horses, including &A#s. 2ecause #ro$an horses are similar in some ways to iruses, almost all anti irus programs can identify, block from being installed, and remo e most of the #ro$an horses, including all the common ones. #here are also some programs (sometimes called anti#ro$an programs! which speciali5e in the identification and remo al of #ro$an horses. For a list of those programs, and for comparison on how well different anti irus, and anti#ro$an programs identify different #ro$an horses, see >ackfi) (http844www.hackfi).org!, under '.oftware test results'. >ackfi) also has information on the more common &A#. (such as the 1etbus and the .ubse en! and on how to remo e them manually.
#here are some tools and web sites, such port scanners, and some ways with a use of more generic tools such as telnet, msconfig, and netstat, which may help you to identify a &A#. 3ther types of #ro$ans and worms? Also here your main interest should be to pre ent them from infecting your computer in the first place, rather than blocking their communication. A good anti irus and a good policy regarding the pre ention of irus infections, should be the first and most important defense. .pyware and Adbots? #he term spyware is sometimes misleading. In my iew, it is the responsibility of the adware de eloper to present the fact that the adware installation will install or use an independent adbots, and to pro ide the information on how this adbot communicates, and which information it deli ers, in a fair place and manner before the adware is installed. It is also a responsibility to pro ide this information in their web sites, so that people will be aware of that before they e en download the software. *et, in general, those adbots do not pose any security threat, and in many cases also their pri acy threat is negligible for many people (e.g. the computer with adbot number AABC<77 has been e)posed to ad ertisements a, b, c, such and such times, while using adware ), while on computer with adbot number AABC<7D has been e)posed to ad ertisements a,d, and e, such amount of time, with the use of adware y, and clicked on ads number d!. It should be fully legitimate for software de elopers to offer an ad ertisement supported programs, and it is up to the user to decide whether the use of the program worth the ads and the adbot, or not. %re enting adbot from communicating is generally not a moral thing. If you decide to use an adware, you should pay the price of letting the adbot work. If you don0t want it, please remo e the adware, and only if for some reason the adbot continue to work e en if no hosting adware that uses it is installed, you may remo e the adbot. Anyway, there are some ery useful tools to identify whether a program is a 'spyware', or whether a 'spyware' is installed on your computer, and you are certainly entitled to this information. #wo useful programs are 'AdAware' which identifies 'spyware' components on your computer and allows you to remo e them, and Ad/.earch which allows you to pro ide a name of a program, and it tells you whether this program is a 'spyware' and which adbot it uses. It is useful to assist you in choosing whether to install a program or not. *ou may find those programs in http844www.la asoft.nu (or, if it doesn0t work, you may try http844www.la asoftusa.com!. #hose programs are useful, mainly because many adware de elopers are not fair enough to present this information in a fair manner. AdAware allows you to also remo e those adbot components from your computer. #his might, howe er, terminate your license to use the hosting adware programs, and might e en cause them to stop functioning. A website which offers to check whether a specific program that you wish to install is 'spyware' or not, is http844www.spychecker.com .
2locking Ad ertisements? 6ea ing aside the moral aspect of blocking ad ertisements, a personal firewall is not the best tool for that anyway. #his is not the main purpose of a firewall, and neither its main strength. .ome of them can block some of the ad ertisements from being downloaded, if you know how to configure them for that. *et, there are better tools for that, such as %ro)omitron (http844www.pro)omitron.org!, +ookie+op B (search for the word cookiecop on http844www.pcmag.com!, or 1a iscope (http844www.na iscope.com!, and there are many other programs as well. *ou may check for other alternati es, e.g. in #ucows (http844www.tucows.com4adkiller;<.html!. 2locking #racking .ites? Also here, a personal firewall is not the best tool for that, and there are other tools and ways which are more effecti e. #hese are cookie utilities. .ince a tracking site uses a cookie to identify and relate the information gathered to the same person (or computer!, by pre enting the cookie from being installed. #he tracking site will lose its ability to track things. #here are plenty of cookie management utilities. .ome of them are freeware, and some are not. +ookie+op which was mentioned in the former section is one of them. WebWasher (http844www.webwasher.com! is another recommended one, and there are plenty of other alternati es such as cookie/crusher, cookie/pal, pop/up killer, etc. *ou may search for other alternati es, in #ucows (http844www.tucows.com4cookie;<.html!. 1et2I3. and 3ther .er ices? #he 1et2I3. o er #+%4I% (12#! which is sometimes loosely called '1et2I3.', is a ser ice which has some security problems with it. It is enabled by default in Windows default installations, and it is ery common to see that a firewall does the $ob of pre enting the efforts to get access to your computer ia 12#. *et, in almost all cases, this ser ice is not needed, and thus can be disabled. #o disable 12# in Win;<4;=4(: is not as simple as it is in WinB@49%, but can still be done reliably. We e)plain how to do this in another article (Eto be written soon!. It is needless to say, that if 12# is disabled, there is no need for a firewall to block communication to it. Also, in the case of other ser ices, such as &%+ ser ices, and others, in many cases you simply don0t need those ser ices and better disable them from within Windows rather than use the firewall to block them. #here are arious ways to know which ser ices are running on your computer, and which of them are listening for communications from the outside. If there are ones that you don0t need, they should be disabled. >iding the +omputer? In web sites of many personal firewall companies, they are putting a lot of weight on the ability of their firewall to hide the computer on the Internet. *et, e)posing your home computer on the Internet is by itself, neither a security nor a pri acy threat. If you pro ide some ser ices to the Internet on your computer, for e)ample, you put a web ser er on your computer to allow other people to iew web pages, then you might get rid of some of
the crackers, by setting your firewall to unhide only this type of communications. .ome attackers will not make a full scan of your computer, but only a partial scan, and if they did not scan for the specific ser ice that you pro ided, they will not see your computer. *et, if the ser ice is a common one, there is a good chance for many of them to scan it and thus find the e)istence of your computer. If they 'see' the e)istence of your computer, they might decide to scan it further, and find out the ser ices you are pro iding, and scan it for security holes to use. *et, there is no much meaning to it when we speak about simple home computers. What a Firewall +annot ?oF Another misconception about personal firewalls is that they are incorrectly thought as if they claim to gi e an o erall protection against 'hackers' (i.e. intrusions!. #hey are not. ?efense Against :)ploitation of .ecurity >oles A firewall can allow or deny access to your computer or from your computer according to the type of communication, its source and destination, and according to the question which program on your computer is handling the communication. *et, its ability to understand the details of the communication is ery limited. For e)ample, you may set the firewall to allow or to deny your e/mail program from getting and4or sending messages. It may allow or deny your web browser from browsing the Internet. 2ut if you allowed your e/mail program to communicate with the e/mail ser ers for sending and recei ing messages, (and you are likely to allow it if you want to use your e/mail program!, or if you set the firewall to allow your web browser to communicate with web sites, the firewall will not be able to understand the content of the communication much further, and if your web browser has a security hole, and some remote site will try to e)ploit it, your firewall will not be able to make a distinction between the communication that e)ploits the security hole, and legitimate communication. #he same principle goes with e/mail program. A personal firewall may block you from recei ing or sending e/ mail messages, but if you allowed it to recei e messages, the personal firewall will not make a distinction between a legitimate message and a non/legitimate one (such as a one that carries a irus or a #ro$an horse!. .ecurity holes in legitimate programs can be e)ploited and a personal firewall can do practically nothing about it. I should comment, howe er, that some personal firewalls come combined with some #ro$an horse detection, or intrusion detection. #his is not part of the classical definition of a firewall, but it might be useful. .uch tasks are usually taken by other tools such as anti irus programs or anti#ro$an programs. #ricks to 2ypass or ?isable %ersonal Firewalls #here are also arious ways to disable, or bypass personal firewalls. ?uring the time a few tricks to bypass or disable were demonstrated by arious programs. :specially, tricks for an internal program to communicate with the outside bypassing or tricking the firewall. For some
of them such as the one demonstrated by the 6eaktest, and in which a non/legitimate program disguises itself as Internet :)plorer, practically today, all personal firewalls are immuned. For other tricks, such as a one demonstrated by 3utbound, which uses some non/standard type of communication directly to the network adapters bypassing the components of the operating system which are suppose to deal with Internet communication, and by that bypassing the firewall, are only now being patched against by the arious firewalls, and yet other methods, such as the one demonstrated by #ooleaky, which uses Internet :)plorer as a messenger to communicate with the outside, and is thus identified as a mere legitimate browsing, are still waiting for most of the personal firewall to find a fi). Firewalls +A113# ?ecide for *ou What is a 6egitimate +ommunication and What is 1ot 3ne of the main problems with personal firewalls, is that you cannot simply install them and forget them, counting on them to do their $ob. #hey can deny or permit arious types of communications according to some criteria, but what is this criteria, and who decides what is the criteria for whether they should permit or deny some communication? #he answer, is that it is the computer user0s $ob to define the e)act criteria when the firewall should allow a communication and when it should block it. #he firewall may make it easier for you, but it should not take the decisions. #here are too many programs, too many ersions, and it is not possible for the firewall to decide accurately when a communication is legitimate and when it is not. 3ne person might think that it is legitimate for some program to deli er some information to the outside in order to get some ser ice, while another will think that it is not. 3ne ersion of a program might communicate with its home ser er in order to check whether there is an upgrade, and another ersion might also install the upgrade e en if you do not wish. .ome firewalls will try to identify communication efforts which are largely considered as legitimate, and will let you the information so that it will be easier for you to decide whether such should be allowed. 3thers will suffice with more basic information, making no suggestions (and thus / no incorrect recommendations!. 3ne way or another, once you installed a firewall, you will ha e better means to understand what types of communications are running on your computer, but you will also ha e to understand them in order to be able to configure your firewall so that it will correctly know which communications to allow and which to block. +ommon %roblems and ?eficiencies &egarding %ersonal Firewalls A personal firewall might be a good contribution to security. *et, if you do not understand much about the topic, then you are likely to be confused and misled by its alerts and queries, and thus find yourself spending hours in chasing after imaginary crackers, fear from imaginary threats, and misconfigure it due to misunderstanding. *ou may find yourself blocking
legitimate and important communication belie ing it to be cracking efforts, and thus surprised to see why things work slowly or why you are disconnected from the Internet, or you might be misled to allow a non/ legitimate communication by some software that tricked you to belie e that it is a legitimate one. 3n the other side, if you are quite knowledgeable on computers and security, then you are likely to effecti ely defend your computer e en without a firewall (by means discussed in section II.D! and it is thus that the role of personal firewall in securing your computer, is e)tremely small and not much important. We discuss here in brief some of the problems that personal firewalls may generate. A False .ense of .ecurity As we0 e already learned here, a firewall is limited in its ability to secure your computer. *et, many people belie e that if they will install a personal firewall they will be secured against the arious security threats. I was e en surprised to find out that there are people who belie e that gi e much higher priority in installing a personal firewall than in installing an anti irus program. An always updated anti irus program plays a much more important role in the security of a personal home computer than installing and maintaining a personal firewall. A personal firewall should not come on account of any other security measure that you use. A False .ense of Insecurity When you install a firewall and you look at all the communication efforts through it, you might be surprised at the amount of communication efforts from the Internet to your computer. (ost of them are blocked by a typically configured firewall. #here are all the times efforts to try to communicate with arious backdoor #ro$ans on your computers. If you are not infected, there will be nothing to listen and to respond to those communication efforts, and they are thus practically harmless. #here are efforts to communicate with your 12# dri er, to see if your computer by mistake allows file sharing. #here are other types of probes to see if your computer e)ists, or arious efforts of ser ers to probe your computer in order to find the best path for legitimate communication to it. #here are sometimes remnants of communications that were supposed to go to other computers, but made their way to yours (for ad anced readers8 because the I% number that your computer uses, were used by some other computer earlier!. #hose communication efforts are blocked e en without a firewall. If your computer is not infected with a &A#, and if your computer don0t ha e 1et2I3. o er #+%4I% enabled or e en it does not ha e file and print sharing enabled (and on most computers this is disabled by default!, then none of these pose any security threat. If your computer is not infected with a .ub.e en #ro$an, then no matter how often there will be efforts to communicate with it, they are all doomed to be failed. *et, some personal firewall (such as 1orton %ersonal Firewall or GoneAlarm! by default proudly announce that they ha e $ust blocked an effort to crack into your computer. 1orton may e en define those efforts
that were blocked as 'high security threats' while they were not a threat at all e en if your computer didn0t ha e a personal firewall at all. .uch firewalls gi e you the false impression that they sa e your computer again and again from e)tremely dangerous threats on the Internet, so that you wonder how did you sur i e so much time without noticing any intrusion before you installed the firewall. I usually say, that those personal firewalls are set their 'report le el' to 'promotional mode'. 1amely, the personal firewall is set to gi e you the false impression that it is much more important than it really is. +hasing After "hosts #his is a side effect of the types of misunderstandings that were discussed in the pre ious subsection. When a person who starts to learn about the $argon related to personal firewalls, is reported that some 'dangerous' communication efforts persist from the same source, the person is decisi e to locate and identify the 'hacker', and perhaps report about it to the police or to its Internet ser ice pro ider. >owe er, since many people do not really understand thoroughly how things work, they may sometimes spend many hours in trying to locate a cracker that does not e)ist, or when the knowledge they need to ha e, in order to track the cracker, is much higher than what they ha e, and they might e en suspect the wrong person due to lack of knowledge (e.g. the connection person on the Internet ser ice pro ider that was used by the cracker!. (ore knowledgeable people, usually do not bother to track those 'hackers' (which are usually teenagers!, but instead are concentrating on the security of their computer. 2locking 6egitimate +ommunications 1o personal firewall is smart enough to decide for the user what is a legitimate communication and what is not. A personal firewall cannot make a distinction between a legitimate program trying to contact its ser er to check and notify the user when there is a newer ersion, and a non/legitimate program trying to communicate with its ser er in order deli er sensiti e information such as passwords, unless the user tells it. It is thus up to the user to decide what should be considered as legitimate and what should not. *et, can we count on the user to be knowledgeable enough to decide what is legitimate and what is not? In many cases the user is not knowledgeable enough, and may thus allow non/legitimate communication or disallow a legitimate and important communication. #here are many types of communications handled $ust to manage other communications. Among this are arious types of communications between your computer and the arious ser ers of your Internet ser ice pro ider. A not knowledgeable user may interpret those types of communications as cracking efforts, and will thus decide to block them. As a result, a connection might become slower, a connection to the Internet ser ice pro ider might be disconnected quiet often and other types of communication problems.
2eing #ricked by #ro$ans bbb Hust as less knowledgeable users may instruct the firewall to block legitimate communications, they can be tricked by arious #ro$ans to allow them to communicate. .ome #ro$ans are using names resembling or identical to names of legitimate programs, so that the user would think that it is a legitimate programs. -sers should be aware of that. >ea y .oftware, 2uggy .oftware -ntil now we discussed only problems related to lack of appropriate knowledge by the user. *et, there are other problems regarding personal firewalls. For e)ample, some of them are known to be quite hea y on computer resources, or slow down the communication speed. ?ifferent personal firewalls quite ary with regard to that. If you ha e a new computer with a slow Internet communication (such as regular dial/up networking! then it might not slow down your computer noticeably. *et, if you use an older computer, and a fast communication, you might find that some personal firewalls will slow down your communication quite drastically. %ersonal firewalls also ary on how much they are stable. Ad antages of :)ternal Firewalls o er %ersonal Firewalls A. #hey do not take resources from the computer. #his should be clear. #his is especially useful when the firewall blocks flooding attacks. B. It is harder (although in principle still possible! for a #ro$an horse to disable it, because it does not reside in the same computer that the #ro$an has infected. It is not possible to use the specific communication while totally bypassing the firewall. 7. #hey can be used without any dependence on the operating system on the computer(s! they defend. D. 1o instability problems.
mail worms trying to distribute themsel es using their own .(#% engine, or they might be password stealers, or anything else. (any of them can be identified and blocked by a personal firewall. Identifying42locking .pyware0s4Adbots? #he term 'spyware' is a slang which is not well defined. It is commonly used mainly for arious adware (and adware is a program that is supported by presenting ad ertisements to the user!, and that during their installation process, they install an independent program which we shall call 'adbot'. #he adbot runs independently e en if the hosting adware is not running, and it maintains the ad ertisements, downloads them from the remote ser er, and pro ides information to the remote ser er. #he adbot is usually hidden. #here are many companies that offer adbots, and ad ertisements ser ices to adware. #he information that the adbots deli er to their ser ers from the computer where the adbot is installed, is 'how much time each ad ertisement is shown, which was the hosting adware, and whether the user clicked on the ad ertisement. #his is important so that the ad ertisements ser er will be able to know how much money to get from each of the ad ertised companies, and how much from it to deli er to each of the adware maintainers. .ome of the adbots also collect other information in order to better choose the ad ertisements to the users. #he term 'spyware' is more generic, but most of the spyware fall into this category. (any types of adbots can be identified and blocked by personal firewalls. 2locking Ad ertisements? .ome of the better personal firewalls can be set to block communication with specific sites. #his can be used in order to pre ent downloading of ad ertisements in web pages, and thus to accelerate the download process of the web sites. #his is not a ery common use of a personal firewall, though. %re enting +ommunication to #racking .ites? .ome web pages contain references to tracking sites. e.g. instruct the web browser to download a small picture (sometimes in isible! from tracking sites. .ometimes, the pictures are isible and pro ide some statistics about the site. #hose tracking sites will try to sa e a small te)t either as a small file in a special directory, or as a line in a special file (depending on what is your browser!, and your browser will usually allow the sa ing site to read the te)t that it sa ed on your computer. #his is called 'web cookies' or sometimes simply 'cookies'. +ookies allow a web site to keep information that it sa ed some time when you entered it, to be read whene er you enter the site again. #his allow the web site to customi5e itself for you, and to keep track on e erything that you did on that site. It does not ha e to keep that information on your computer. All it has to sa e on your computer is a unique identifying number, and then it can keep in the ser er0s side information regarding what has been done by the browser that used that cookie. *et, by this method, a web site can get only information regarding your isits in it. .ome sites such as 'doubleclick' or 'hitbo)' can collect information from arious affiliated
sites, by putting a small reference in the affiliated pages to some picture on their ser ers. When you enter one of the affiliated web pages, your browser will communicate with the tracking site, and this will allow the tracking site to put or to read a cookie that identifies your computer uniquely, and it can also know what was the web page that referred to it, and any other information that the affiliated web site wanted to deli er to the tracking site. #his way tracking sites can correlate information from many affiliated sites, to build information that for e)ample will allow them to better customi5e the ad ertisements that are put on those sites when you browse them. .ome personal firewalls can be set to block communication to tracking sites. It is not a common use of a personal firewall, though, and a personal firewall is not the best tool for that, but if you already ha e one, this is yet another possible use of it. 2locking or 6imiting the 1et2I3. +ommunication? (as well as other default ser ices! #he two common methods of intruders to break into home computers, are through a &A# (which was discussed in II.7a! and through the 1et2I3. communication. #he 1et2I3. is a standard for naming computers in small networks, de eloped long ago by I2( and (icrosoft. #here are a few communication standards which are used in relation to the 1et2I3.. #he ones that are rele ant for (icrosoft Windows operating systems, are8 12# (1et2I3. o er #+%4I%!, I%94.%9, and 1et2:-I. #he communication standard which is used o er the Internet, is 12#. If it is enabled, and there is no firewall or something else in the middle, it means that your computer is listening for communications o er the Internet ia this standard, and will react according to the different 12# commands that it gets from the remote programs. It is thus that the 12# (which sometimes loosely called '1et2I3.'! is acting as a ser er. .o the ne)t question should be 'what remote 12# commands the 12# ser er will do on the local computer'. #he answer to this question depends on the specific setting on your computer. *ou may set your computer to allow file and print sharing. If also 12# is enabled, it means that you allow remote users to share your files or printers. #his is a big problem. It is true that in principle the remote user has to know your password for that computer, but many users do not set a password for their user on Windows, or set a tri ial password. 3lder ersions of Win;< had file and print sharing o er 1et2I3. enabled by default. 3n Win;=, and Win(e it was disabled by default, but many technicians, when they set a home network, they enable the file and print sharing, without being aware that it influences also the authori5ations of a remote Internet user. #here are e en worms and iruses who use the File sharing option to spread in the Internet. Anyway, no matter whether you need it for some reason or $ust are not aware of it, a personal firewall can identify and block any e)ternal effort to communicate with the 1et2I3. ser er on your computer. #he more fle)ible personal firewalls can be set to restrict the authori5ation to communicate with the 1et2I3.. .ome Windows operating systems, especially those which are not meant for home uses, offer other public ser ices by default, such as &%+. A firewall can identify communication efforts to them, and block them. .ince such
ser ices listen to remote communications, there is a potential risk when there are efforts to e)ploit security holes in the programs that offer the ser ices, if there are such security holes. A firewall may block or limit the communication to those ser ices. >iding *our +omputer on the Internet? Without a firewall, on a typical computer, e en if well maintained, a remote person will still be able to know that the communication effort has reached some computer, and perhaps some information about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from your computer, but might still be able to identify also who your I.% is, and might decide to in est further time in cracking into your computer. With a firewall, you can set the firewall so that any communication effort from remote users (in the better firewalls you may define an e)ception list! will not be responded at all. #his way the remote user will not be able to e en know that it reached a li e computer. #his might discourage the remote attacker from in esting further time in effort to crack into your computer. #he 1on/Firewall ?efenses We0 e discussed a few situations where a personal firewall can pro ide defense. *et, in many cases a computer maintainer can deal with those situations e en without a firewall. #hose 'alternati e' defenses, in many cases are recommended regardless of whether you use a firewall or not. &emote Access #ro$ans? #he best way to defend against remote access #ro$ans (&A#s! is to pre ent them from being installed in the first place on your computer. A &A# should first infect your computer in order to start to listen to remote communication efforts. #he infection techniques are ery similar to the infection techniques that iruses use, and hence the defense against #ro$an horses is similar to the defense against iruses. #ro$an horses do not distribute themsel es (although they might be companions of another Internet worm or irus that distributes them. *et, because in most cases they do not distribute themsel es, it is likely that you will get them from anonymous sources, such as instant messengers, @a5aa, I&+, or a newsgroup. adopting a suspicious policy regarding downloads from such places, will sa e you not only from iruses but also from getting infected with #ro$an horses, including &A#s. 2ecause #ro$an horses are similar in some ways to iruses, almost all anti irus programs can identify, block from being installed, and remo e most of the #ro$an horses, including all the common ones. #here are also some programs (sometimes called anti#ro$an programs! which speciali5e in the identification and remo al of #ro$an horses. For a list of those programs, and for comparison on how well different anti irus, and anti#ro$an programs identify different #ro$an horses, see >ackfi) (http844www.hackfi).org!, under '.oftware test results'. >ackfi) also has information on the more common &A#. (such as the 1etbus and the .ubse en! and on how to remo e them manually.
#here are some tools and web sites, such port scanners, and some ways with a use of more generic tools such as telnet, msconfig, and netstat, which may help you to identify a &A#. 3ther types of #ro$ans and worms? Also here your main interest should be to pre ent them from infecting your computer in the first place, rather than blocking their communication. A good anti irus and a good policy regarding the pre ention of irus infections, should be the first and most important defense. .pyware and Adbots? #he term spyware is sometimes misleading. In my iew, it is the responsibility of the adware de eloper to present the fact that the adware installation will install or use an independent adbots, and to pro ide the information on how this adbot communicates, and which information it deli ers, in a fair place and manner before the adware is installed. It is also a responsibility to pro ide this information in their web sites, so that people will be aware of that before they e en download the software. *et, in general, those adbots do not pose any security threat, and in many cases also their pri acy threat is negligible for many people (e.g. the computer with adbot number AABC<77 has been e)posed to ad ertisements a, b, c, such and such times, while using adware ), while on computer with adbot number AABC<7D has been e)posed to ad ertisements a,d, and e, such amount of time, with the use of adware y, and clicked on ads number d!. It should be fully legitimate for software de elopers to offer an ad ertisement supported programs, and it is up to the user to decide whether the use of the program worth the ads and the adbot, or not. %re enting adbot from communicating is generally not a moral thing. If you decide to use an adware, you should pay the price of letting the adbot work. If you don0t want it, please remo e the adware, and only if for some reason the adbot continue to work e en if no hosting adware that uses it is installed, you may remo e the adbot. Anyway, there are some ery useful tools to identify whether a program is a 'spyware', or whether a 'spyware' is installed on your computer, and you are certainly entitled to this information. #wo useful programs are 'AdAware' which identifies 'spyware' components on your computer and allows you to remo e them, and Ad/.earch which allows you to pro ide a name of a program, and it tells you whether this program is a 'spyware' and which adbot it uses. It is useful to assist you in choosing whether to install a program or not. *ou may find those programs in http844www.la asoft.nu (or, if it doesn0t work, you may try http844www.la asoftusa.com!. #hose programs are useful, mainly because many adware de elopers are not fair enough to present this information in a fair manner. AdAware allows you to also remo e those adbot components from your computer. #his might, howe er, terminate your license to use the hosting adware programs, and might e en cause them to stop functioning. A website which offers to check whether a specific program that you wish to install is 'spyware' or not, is http844www.spychecker.com .
2locking Ad ertisements? 6ea ing aside the moral aspect of blocking ad ertisements, a personal firewall is not the best tool for that anyway. #his is not the main purpose of a firewall, and neither its main strength. .ome of them can block some of the ad ertisements from being downloaded, if you know how to configure them for that. *et, there are better tools for that, such as %ro)omitron (http844www.pro)omitron.org!, +ookie+op B (search for the word cookiecop on http844www.pcmag.com!, or 1a iscope (http844www.na iscope.com!, and there are many other programs as well. *ou may check for other alternati es, e.g. in #ucows (http844www.tucows.com4adkiller;<.html!. 2locking #racking .ites? Also here, a personal firewall is not the best tool for that, and there are other tools and ways which are more effecti e. #hese are cookie utilities. .ince a tracking site uses a cookie to identify and relate the information gathered to the same person (or computer!, by pre enting the cookie from being installed. #he tracking site will lose its ability to track things. #here are plenty of cookie management utilities. .ome of them are freeware, and some are not. +ookie+op which was mentioned in the former section is one of them. WebWasher (http844www.webwasher.com! is another recommended one, and there are plenty of other alternati es such as cookie/crusher, cookie/pal, pop/up killer, etc. *ou may search for other alternati es, in #ucows (http844www.tucows.com4cookie;<.html!. 1et2I3. and 3ther .er ices? #he 1et2I3. o er #+%4I% (12#! which is sometimes loosely called '1et2I3.', is a ser ice which has some security problems with it. It is enabled by default in Windows default installations, and it is ery common to see that a firewall does the $ob of pre enting the efforts to get access to your computer ia 12#. *et, in almost all cases, this ser ice is not needed, and thus can be disabled. #o disable 12# in Win;<4;=4(: is not as simple as it is in WinB@49%, but can still be done reliably. We e)plain how to do this in another article (Eto be written soon!. It is needless to say, that if 12# is disabled, there is no need for a firewall to block communication to it. Also, in the case of other ser ices, such as &%+ ser ices, and others, in many cases you simply don0t need those ser ices and better disable them from within Windows rather than use the firewall to block them. #here are arious ways to know which ser ices are running on your computer, and which of them are listening for communications from the outside. If there are ones that you don0t need, they should be disabled. >iding the +omputer? In web sites of many personal firewall companies, they are putting a lot of weight on the ability of their firewall to hide the computer on the Internet. *et, e)posing your home computer on the Internet is by itself, neither a security nor a pri acy threat. If you pro ide some ser ices to the Internet on your computer, for e)ample, you put a web ser er on your computer to allow other people to iew web pages, then you might get rid of some of
the crackers, by setting your firewall to unhide only this type of communications. .ome attackers will not make a full scan of your computer, but only a partial scan, and if they did not scan for the specific ser ice that you pro ided, they will not see your computer. *et, if the ser ice is a common one, there is a good chance for many of them to scan it and thus find the e)istence of your computer. If they 'see' the e)istence of your computer, they might decide to scan it further, and find out the ser ices you are pro iding, and scan it for security holes to use. *et, there is no much meaning to it when we speak about simple home computers. What a Firewall +annot ?oF Another misconception about personal firewalls is that they are incorrectly thought as if they claim to gi e an o erall protection against 'hackers' (i.e. intrusions!. #hey are not. ?efense Against :)ploitation of .ecurity >oles A firewall can allow or deny access to your computer or from your computer according to the type of communication, its source and destination, and according to the question which program on your computer is handling the communication. *et, its ability to understand the details of the communication is ery limited. For e)ample, you may set the firewall to allow or to deny your e/mail program from getting and4or sending messages. It may allow or deny your web browser from browsing the Internet. 2ut if you allowed your e/mail program to communicate with the e/mail ser ers for sending and recei ing messages, (and you are likely to allow it if you want to use your e/mail program!, or if you set the firewall to allow your web browser to communicate with web sites, the firewall will not be able to understand the content of the communication much further, and if your web browser has a security hole, and some remote site will try to e)ploit it, your firewall will not be able to make a distinction between the communication that e)ploits the security hole, and legitimate communication. #he same principle goes with e/mail program. A personal firewall may block you from recei ing or sending e/ mail messages, but if you allowed it to recei e messages, the personal firewall will not make a distinction between a legitimate message and a non/legitimate one (such as a one that carries a irus or a #ro$an horse!. .ecurity holes in legitimate programs can be e)ploited and a personal firewall can do practically nothing about it. I should comment, howe er, that some personal firewalls come combined with some #ro$an horse detection, or intrusion detection. #his is not part of the classical definition of a firewall, but it might be useful. .uch tasks are usually taken by other tools such as anti irus programs or anti#ro$an programs. #ricks to 2ypass or ?isable %ersonal Firewalls #here are also arious ways to disable, or bypass personal firewalls. ?uring the time a few tricks to bypass or disable were demonstrated by arious programs. :specially, tricks for an internal program to communicate with the outside bypassing or tricking the firewall. For some
of them such as the one demonstrated by the 6eaktest, and in which a non/legitimate program disguises itself as Internet :)plorer, practically today, all personal firewalls are immuned. For other tricks, such as a one demonstrated by 3utbound, which uses some non/standard type of communication directly to the network adapters bypassing the components of the operating system which are suppose to deal with Internet communication, and by that bypassing the firewall, are only now being patched against by the arious firewalls, and yet other methods, such as the one demonstrated by #ooleaky, which uses Internet :)plorer as a messenger to communicate with the outside, and is thus identified as a mere legitimate browsing, are still waiting for most of the personal firewall to find a fi). Firewalls +A113# ?ecide for *ou What is a 6egitimate +ommunication and What is 1ot 3ne of the main problems with personal firewalls, is that you cannot simply install them and forget them, counting on them to do their $ob. #hey can deny or permit arious types of communications according to some criteria, but what is this criteria, and who decides what is the criteria for whether they should permit or deny some communication? #he answer, is that it is the computer user0s $ob to define the e)act criteria when the firewall should allow a communication and when it should block it. #he firewall may make it easier for you, but it should not take the decisions. #here are too many programs, too many ersions, and it is not possible for the firewall to decide accurately when a communication is legitimate and when it is not. 3ne person might think that it is legitimate for some program to deli er some information to the outside in order to get some ser ice, while another will think that it is not. 3ne ersion of a program might communicate with its home ser er in order to check whether there is an upgrade, and another ersion might also install the upgrade e en if you do not wish. .ome firewalls will try to identify communication efforts which are largely considered as legitimate, and will let you the information so that it will be easier for you to decide whether such should be allowed. 3thers will suffice with more basic information, making no suggestions (and thus / no incorrect recommendations!. 3ne way or another, once you installed a firewall, you will ha e better means to understand what types of communications are running on your computer, but you will also ha e to understand them in order to be able to configure your firewall so that it will correctly know which communications to allow and which to block. +ommon %roblems and ?eficiencies &egarding %ersonal Firewalls A personal firewall might be a good contribution to security. *et, if you do not understand much about the topic, then you are likely to be confused and misled by its alerts and queries, and thus find yourself spending hours in chasing after imaginary crackers, fear from imaginary threats, and misconfigure it due to misunderstanding. *ou may find yourself blocking
legitimate and important communication belie ing it to be cracking efforts, and thus surprised to see why things work slowly or why you are disconnected from the Internet, or you might be misled to allow a non/ legitimate communication by some software that tricked you to belie e that it is a legitimate one. 3n the other side, if you are quite knowledgeable on computers and security, then you are likely to effecti ely defend your computer e en without a firewall (by means discussed in section II.D! and it is thus that the role of personal firewall in securing your computer, is e)tremely small and not much important. We discuss here in brief some of the problems that personal firewalls may generate. A False .ense of .ecurity As we0 e already learned here, a firewall is limited in its ability to secure your computer. *et, many people belie e that if they will install a personal firewall they will be secured against the arious security threats. I was e en surprised to find out that there are people who belie e that gi e much higher priority in installing a personal firewall than in installing an anti irus program. An always updated anti irus program plays a much more important role in the security of a personal home computer than installing and maintaining a personal firewall. A personal firewall should not come on account of any other security measure that you use. A False .ense of Insecurity When you install a firewall and you look at all the communication efforts through it, you might be surprised at the amount of communication efforts from the Internet to your computer. (ost of them are blocked by a typically configured firewall. #here are all the times efforts to try to communicate with arious backdoor #ro$ans on your computers. If you are not infected, there will be nothing to listen and to respond to those communication efforts, and they are thus practically harmless. #here are efforts to communicate with your 12# dri er, to see if your computer by mistake allows file sharing. #here are other types of probes to see if your computer e)ists, or arious efforts of ser ers to probe your computer in order to find the best path for legitimate communication to it. #here are sometimes remnants of communications that were supposed to go to other computers, but made their way to yours (for ad anced readers8 because the I% number that your computer uses, were used by some other computer earlier!. #hose communication efforts are blocked e en without a firewall. If your computer is not infected with a &A#, and if your computer don0t ha e 1et2I3. o er #+%4I% enabled or e en it does not ha e file and print sharing enabled (and on most computers this is disabled by default!, then none of these pose any security threat. If your computer is not infected with a .ub.e en #ro$an, then no matter how often there will be efforts to communicate with it, they are all doomed to be failed. *et, some personal firewall (such as 1orton %ersonal Firewall or GoneAlarm! by default proudly announce that they ha e $ust blocked an effort to crack into your computer. 1orton may e en define those efforts
that were blocked as 'high security threats' while they were not a threat at all e en if your computer didn0t ha e a personal firewall at all. .uch firewalls gi e you the false impression that they sa e your computer again and again from e)tremely dangerous threats on the Internet, so that you wonder how did you sur i e so much time without noticing any intrusion before you installed the firewall. I usually say, that those personal firewalls are set their 'report le el' to 'promotional mode'. 1amely, the personal firewall is set to gi e you the false impression that it is much more important than it really is. +hasing After "hosts #his is a side effect of the types of misunderstandings that were discussed in the pre ious subsection. When a person who starts to learn about the $argon related to personal firewalls, is reported that some 'dangerous' communication efforts persist from the same source, the person is decisi e to locate and identify the 'hacker', and perhaps report about it to the police or to its Internet ser ice pro ider. >owe er, since many people do not really understand thoroughly how things work, they may sometimes spend many hours in trying to locate a cracker that does not e)ist, or when the knowledge they need to ha e, in order to track the cracker, is much higher than what they ha e, and they might e en suspect the wrong person due to lack of knowledge (e.g. the connection person on the Internet ser ice pro ider that was used by the cracker!. (ore knowledgeable people, usually do not bother to track those 'hackers' (which are usually teenagers!, but instead are concentrating on the security of their computer. 2locking 6egitimate +ommunications 1o personal firewall is smart enough to decide for the user what is a legitimate communication and what is not. A personal firewall cannot make a distinction between a legitimate program trying to contact its ser er to check and notify the user when there is a newer ersion, and a non/legitimate program trying to communicate with its ser er in order deli er sensiti e information such as passwords, unless the user tells it. It is thus up to the user to decide what should be considered as legitimate and what should not. *et, can we count on the user to be knowledgeable enough to decide what is legitimate and what is not? In many cases the user is not knowledgeable enough, and may thus allow non/legitimate communication or disallow a legitimate and important communication. #here are many types of communications handled $ust to manage other communications. Among this are arious types of communications between your computer and the arious ser ers of your Internet ser ice pro ider. A not knowledgeable user may interpret those types of communications as cracking efforts, and will thus decide to block them. As a result, a connection might become slower, a connection to the Internet ser ice pro ider might be disconnected quiet often and other types of communication problems.
2eing #ricked by #ro$ans bbb Hust as less knowledgeable users may instruct the firewall to block legitimate communications, they can be tricked by arious #ro$ans to allow them to communicate. .ome #ro$ans are using names resembling or identical to names of legitimate programs, so that the user would think that it is a legitimate programs. -sers should be aware of that. >ea y .oftware, 2uggy .oftware -ntil now we discussed only problems related to lack of appropriate knowledge by the user. *et, there are other problems regarding personal firewalls. For e)ample, some of them are known to be quite hea y on computer resources, or slow down the communication speed. ?ifferent personal firewalls quite ary with regard to that. If you ha e a new computer with a slow Internet communication (such as regular dial/up networking! then it might not slow down your computer noticeably. *et, if you use an older computer, and a fast communication, you might find that some personal firewalls will slow down your communication quite drastically. %ersonal firewalls also ary on how much they are stable. Ad antages of :)ternal Firewalls o er %ersonal Firewalls A. #hey do not take resources from the computer. #his should be clear. #his is especially useful when the firewall blocks flooding attacks. B. It is harder (although in principle still possible! for a #ro$an horse to disable it, because it does not reside in the same computer that the #ro$an has infected. It is not possible to use the specific communication while totally bypassing the firewall. 7. #hey can be used without any dependence on the operating system on the computer(s! they defend. D. 1o instability problems.
