
Technical Log of Tux&Cía., Santa Cruz de la Sierra, BO

Tuesday, September 30, 2008

Knowledge: Firewalls

Paranoid2000
Security Expert in North West, United Kingdom
Firewall Questions for beginners
Thanks for the good information, Paranoid2000!

Information useful to people unfamiliar with firewalls or networking.
What is a firewall?
A firewall controls network traffic, allowing or blocking it according to rules you specify (rather like a doorman at a nightclub, with rules on who to allow entry to). This can either be a special program running on your computer ("software firewall") or a separate box connected between your computer and the Internet ("hardware or firmware firewall").
What benefits does it offer?
Connecting to the Internet is like opening the door to your house - anyone can come in, anyone can go out. Sadly, it is also now like entering a war zone due to the number of unscrupulous individuals seeking to hijack others' computers for a variety of reasons. An unprotected Windows system is therefore likely to be broken into within 10-15 minutes when connected.
Both software and hardware firewalls can block such attempts - often with the option of alerting you or taking other action like blocking any further traffic from the attacker.
Firewalls can also control what programs on your computer can access the Internet (though hardware firewalls are fairly limited here).
This is useful for two reasons - first it allows you to protect your privacy by blocking programs that try to "phone home" unnecessarily and secondly it can provide warning if your system has been compromised by malware undetected by your anti-virus scanner (since virtually all malware needs to connect to the Internet to function properly).
Many software firewalls also include features like ad-filtering (removing adverts from web pages), web-filtering (removing any content from a web page that may pose a security or privacy risk) or parental controls (blocking access to known adult websites). These features can all be provided by other software so should not be regarded as essential, but they may be useful to have.
Which one should I use? (Is there a 'best'?)
There is no best product overall since factors like simplicity, flexibility, speed and features can conflict (a "simple" firewall has to compromise on "flexibility" for example). In addition, your own technical experience and desire for control need to be considered - you may prefer a firewall that alerts you to anything remotely suspicious or instead want one that stays in the background. Furthermore, it is possible for a particular firewall to conflict with other security or network software on your computer.
However, almost every product has a free trial so the best advice is to visit the websites, review the documentation and then create a shortlist of products to try out. Then download and install the trial versions - only committing to a purchase once you are certain that the firewall works on your system and that you are happy configuring and using it.
How good is Windows' firewall?
Microsoft provided a very simple firewall with Windows 2000 which was then significantly improved with Windows XP Service Pack 2. This version can provide good protection from incoming attacks but cannot be relied upon to control outgoing traffic. Older versions of Windows (95, 98, ME, NT) have no firewall.
How can I test my firewall?
To test your firewall's ability to protect against incoming attacks and scans, visit one or more of the following sites. Note that if you are using a router, the test will target the router, not any software firewall your PC is running.
Shields UP!
Sygate Online Scan
Please note that while your firewall may report these scans as an "attack", you should not report this to any ISP. The Outpost forum thread Online Scans - What to do with Open and Closed Ports has more information about what the results mean and what action to take.
To test your firewall's ability to detect outgoing connections, special programs called "leaktests" have been developed which you can download and run on your system. FirewallLeaktester is the best source of information here, containing copies of the current leaktests plus reviews of firewall performance against them.
Can I use multiple firewalls?
For software firewalls (programs running on your PC), only one should ever be installed. Multiple software firewalls may cause system crashes (blue screen errors) or interfere with each other, leaving your system unprotected.
Multiple hardware firewalls can be used (for example, having 2 or more routers connected in series) but this offers little extra security benefit while increasing the amount of work you have to do to set everything up.
A software and hardware firewall can be used together and this provides the best of both worlds - the hardware firewall will block intruders leaving the software firewall free to control program network access.
I have several computers - does each one need a firewall?
If the computers are sharing an Internet connection using Windows' Internet Connection Sharing (where one computer, the "gateway", is connected directly to the Internet), then you can protect them by either installing a firewall on each one or by using a firewall on the gateway machine. Internet Connection Sharing is quite complex however so the gateway firewall may need some adjustment to work properly.
If you have a router with its own (hardware) firewall, then that will protect every connected computer from outside attack.
How do I decide what to allow and what to block?
Most firewalls will ask you the first time a program tries to connect to the Internet whether or not to allow it. If the program is one you have installed and has legitimate need for Internet access (a web browser needs to connect to websites, email software needs to connect to your ISPs email server), then you should allow it. If you are unsure, block it and look up the details on the program using a search engine like Google.
The following list covers programs that, for most people, should be allowed access (the first letter may vary, depending on your system setup):
  • Windows System
    If you are running Windows XP, the following applies:
    Allow access for DNS and DHCP protocols in order to connect to the Internet (required).
    Allow access for NTP (to, for clock synchronisation (optional);
    Allow access for HTTP, HTTPS (to * to access online Windows Help (optional).
    Block access if any is requested for the RPC protocol to any address (a good indication of a compromised system) and for SSDP/UPnP (Universal Plug and Play) unless you are sure that you need it.
    Block access for any other incoming traffic (known as Server access in ZoneAlarm or Sygate) - this is to prevent Windows Messenger spam which targets svchost.
    Do not allow any network access to files named svchost.exe in other folders - they are likely to be malware
    If you are running Windows 2000, the following applies:
    Allow access for DNS and DHCP protocols in order to connect to the Internet (required);
  • Web Browsers
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Firefox\firefox.exe
    C:\Program Files\Opera\opera.exe

    Allow access for FTP, HTTP, HTTPS protocols to be able to view webpages and download files (apply to whichever browsers you use)
    Allow access for POP3, IMAP, SMTP protocols to be able to read and send emails for Opera if using its M2 email client;
  • Email Programs
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Thunderbird\thunderbird.exe

    Allow access for POP3, IMAP, SMTP protocols to be able to read and send emails (apply to whichever email programs you use)
    Block access for HTTP, HTTPS protocols since these are more likely to be used by email "tracking" systems that allow the sender to tell if you have read an email, plus your address
How can a firewall tell me if my system has been compromised?
Almost all malware (a general term covering viruses, spyware and trojans) needs Internet access - to inform their creator of their existence, to receive orders on how to exploit your system or to send back private information. If your firewall alerts you to a new program trying to connect out that you have not installed or the connection looks suspicious in other ways (connecting to a dynamic domain rather than a website, to a domain in a country you don't normally access or using a protocol commonly abused like Internet Relay Chat), then this should be blocked and you should run a full scan of your system with an up-to-date anti-virus utility.
Often malware will attempt to bypass firewalls by hijacking trusted programs - many firewalls can detect such techniques and will alert on them. While some software uses such methods legitimately (mouse/keyboard/touchpad software most notably), it is safer to block if in doubt and do an online search for details of the program concerned.
What limits are there to a firewall's security?
Firewalls cannot provide protection for programs allowed network access. To fully secure your system, you need to look at each program allowed access and consider how it could be used to compromise your system. For example, email software could download attachments containing malware - to prevent this either use anti-virus software or disable attachments completely. A web browser could be affected by a malicious website - anti-virus web scanners or web-filters would prevent this. A downloaded file could contain malware - an anti-virus/anti-malware scanner would be the best protection.
Special care needs to be taken with programs allowed to accept incoming traffic from the Internet (known as "server access" in ZoneAlarm or Sygate) since these would be open to attackers - examples include many file-sharing programs and any "server" software (webserver, mailserver, game server). Such programs need to be kept updated with any patches to fix security problems and it may be worth considering other security software (like a "system firewall") to restrict their access - or running them under a Limited User account.
What are Internet Addresses and Domain Names?
Every system on the Internet has a unique numeric address which needs to be known before connecting to it (rather like a telephone number).
This consists of 4 numbers, each in the range 0-255 - for example However most people find names easier and more meaningful so almost every system has a name also (like which is known as a Domain Name.
Before connecting to a Domain Name, your computer must look up this numeric address (known as an Internet Protocol or IP address - had the IP address at the time of writing) and it uses a system called the Domain Name System (DNS) to find this. DNS can be thought of as a giant phone directory split into thousands of sections, spread around the Internet. This is why it is necessary to allow DNS traffic for so many programs.
Almost all firewalls allow you to set access restrictions by IP address and many allow domain name restrictions also (for example, you could limit your email software to access your ISP email servers only, allowing it to read and send emails while preventing it from contacting any websites linked to in HTML emails, an increasingly popular technique by marketeers for tracking users).
Note: Due to a shortage of IP numbers, a new addressing system called IPv6 has been created which uses 32 numbers for an address rather than just 4. This is not in widespread use currently (and not many firewalls support it), but this is likely to change in the future.
Hardware Firewalls
With hardware firewalls, the type of Internet connection you use may affect the choice available. While it is possible to have a "2-box" setup with a modem (xDSL, Cable or Satellite) being connected to a router (which has multiple network connections and a firewall), most users would find a single box (providing the connection to their ISP, a firewall plus one or more connections for their PCs) easier to manage.
However while such systems are readily available for DSL users (known as DSL routers - ensure you use the correct type like ADSL or SDSL for your connection), cable or satellite users may be limited to routers offered and supported by their ISP. If you use cable or satellite, you should first contact your ISP for advice on supported units.
Aside from that, most units will provide adequate security from incoming attack - the key features to look out for are:
* the ability to share an Internet connection (using a technique called NAT - Network Address Translation). Even without a firewall, NAT will block most incoming attacks due to the way it works;
* a firewall able to provide details of any attacks blocked (and ideally with some visible indicator when this occurs);
* enough network connections (known as ports) to cover all your computers plus one or two spare for future use;
* a straightforward and simple way of setting up the router (most can be done using your browser but some have strange interfaces);
* for wireless networking, comprehensive support for the strongest encryption available (128-bit WEP as a minimum with WPA strongly recommended).
Some routers offer extra features like virus filters, content blocking (mainly to prevent access to adult websites) or traffic prioritization (also known as Quality of Service). Filtering can be quite easily bypassed so should not be considered a key feature while prioritization can be done via software also. Faster wireless technologies may be worth paying extra for, but every computer will need a wireless network card that supports the same protocol (e.g. 802.11g, 802.11a or
Where else can I find more information?
The Other Firewalls Sticky Posts contains links to sites covering configuration and support for several firewalls.
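The allow/block list in the post is really a small per-program, per-protocol policy with a default of "ask" for anything unlisted. The following is an added example (not code from the post or from any firewall product) that models that policy as a first-match rule table; the service-to-port table, the System32 location of svchost.exe and the "ask" default are assumptions.

```python
# Added example: toy evaluator for the per-program allow/block policy the FAQ
# describes. The PORTS table, SYSTEM_SVCHOST path and "ask" default are assumed.
from dataclasses import dataclass
from pathlib import PureWindowsPath

PORTS = {"DNS": 53, "DHCP": 67, "NTP": 123, "HTTP": 80, "HTTPS": 443, "FTP": 21,
         "POP3": 110, "IMAP": 143, "SMTP": 25, "RPC": 135, "SSDP": 1900}
SYSTEM_SVCHOST = r"C:\Windows\System32\svchost.exe"  # assumed legitimate location

@dataclass(frozen=True)
class Rule:
    program: str          # full path of the executable the rule applies to
    direction: str        # "out" (program connects out) or "in" ("server access")
    services: frozenset   # names from PORTS, or {"*"} for any protocol
    action: str           # "allow" or "block"

def norm(path: str) -> str:
    """Windows paths are case-insensitive, so compare a canonical lowercase form."""
    return str(PureWindowsPath(path)).lower()

def decide(rules, program: str, direction: str, port: int) -> str:
    """First matching rule wins. No match returns "ask", mirroring the post's
    description of firewalls prompting the first time an unknown program connects."""
    # Per the post: svchost.exe anywhere but the system folder is likely malware.
    if (PureWindowsPath(program).name.lower() == "svchost.exe"
            and norm(program) != norm(SYSTEM_SVCHOST)):
        return "block"
    service = next((n for n, p in PORTS.items() if p == port), None)
    for r in rules:
        if (norm(r.program) == norm(program) and r.direction == direction
                and ("*" in r.services or service in r.services)):
            return r.action
    return "ask"

# The FAQ's list for a Windows XP system (the remote-host restrictions the post
# attaches to NTP and Windows Help are not modelled here).
POLICY = [
    Rule(SYSTEM_SVCHOST, "out", frozenset({"DNS", "DHCP", "NTP"}), "allow"),
    Rule(SYSTEM_SVCHOST, "out", frozenset({"RPC", "SSDP"}), "block"),
    Rule(SYSTEM_SVCHOST, "in", frozenset({"*"}), "block"),  # no server access
    Rule(r"C:\Program Files\Firefox\firefox.exe", "out",
         frozenset({"FTP", "HTTP", "HTTPS"}), "allow"),
    Rule(r"C:\Program Files\Thunderbird\thunderbird.exe", "out",
         frozenset({"POP3", "IMAP", "SMTP"}), "allow"),
    Rule(r"C:\Program Files\Thunderbird\thunderbird.exe", "out",
         frozenset({"HTTP", "HTTPS"}), "block"),  # blocks email "tracking" links
]
```

An unknown program connecting out on an unlisted port (for example IRC on 6667) falls through to "ask", which is the point at which the post advises blocking and scanning the system.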
