What is a Firewall?
A firewall is a tool that monitors communication to and from your computer. It sits between your computer and the rest of the network and, according to a set of criteria (typically the direction of the communication, the protocol and port, the remote address and, in a personal firewall, the local program involved), decides which communication to allow and which to block. It may use further criteria to decide which communications or communication requests to report to you (either by writing them to a log file that you can browse whenever you wish, or by showing an alert on the screen) and which to pass over silently.
What Is It Good For?
Identifying and Blocking Remote Access Trojans
Perhaps the most common way to break into a home computer and gain control of it is by using a remote access Trojan (RAT), sometimes called a "backdoor Trojan" or "backdoor program". Many people simply call it a "Trojan horse", although that term is much more generic. A Trojan horse is a program that claims to do something innocent but in fact does something much less innocent. The name goes back to the story of the Greek soldiers who got through the gates of Troy by building a large wooden horse and presenting it as a gift to the king of Troy. The Trojans brought the horse inside their walls, and at night, while the guards were watching for an attack from outside, the Greek soldiers hidden inside the horse came out and attacked the city from within. The story, whether or not it is true, is the archetype of something that looks innocent and is used for a less innocent purpose. The same thing happens with computers: you may receive a program via ICQ, Usenet or IRC, believe it to be something useful, and find that running it does something unpleasant to your computer. Such programs are called Trojan horses. The accepted distinction between a Trojan horse and a virus is that a virus can replicate and distribute itself, while a Trojan horse cannot. A special type of Trojan horse is the RAT (Remote Access Trojan; some say "remote admin Trojan"). Once executed on the victim's computer, a RAT starts listening for incoming communication from a matching client program that the attacker runs. When it receives instructions from that client, it carries them out, and thus lets the user of the client program execute commands on the victim's computer. To name a few famous RATs, the most common are NetBus, Back Orifice and SubSeven (also known as Backdoor-G). For the attacker to use this method, your computer must first be infected with a RAT.
Preventing infection by RATs is no different from preventing infection by viruses. Antivirus programs can identify and remove most of the more common RATs. Personal firewalls can identify and block attempts from outside to communicate with the more common RATs, thereby both blocking the attacker and revealing that the RAT is there.
Blocking/Identifying Other Types of Trojans and Worms?
There are many other types of Trojan horse that may try to communicate from your computer with the outside, whether e-mail worms trying to distribute themselves using their own SMTP engine, password stealers, or anything else. Many of them can be identified and blocked by a personal firewall that controls outgoing communication per program.
Identifying/Blocking Spyware/Adbots?
The term "spyware" is slang and not well defined. It is used mainly for various adware (a program that is supported by presenting advertisements to the user) which, during installation, installs an independent program that we shall call an "adbot". The adbot runs independently even when the hosting adware is not running: it maintains the advertisements, downloads them from a remote server, and sends information back to that server. The adbot is usually hidden. Many companies offer adbots and advertisement services to adware developers. The information an adbot delivers to its server from the computer it is installed on is typically how long each advertisement was shown, which adware hosted it, and whether the user clicked on it. This is needed so that the advertisement server can work out how much money to collect from each advertiser and how much of it to pass on to each adware maintainer. Some adbots also collect other information in order to choose advertisements better suited to the user. The term "spyware" is more generic, but most of what is called spyware falls into this category. Many types of adbots can be identified and blocked by personal firewalls.
Blocking Advertisements?
Some of the better personal firewalls can be set to block communication with specific sites. This can be used to prevent advertisements in web pages from being downloaded, and thus to speed up the loading of those pages. It is not a very common use of a personal firewall, though.
Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites, e.g. they instruct the browser to download a small picture (often invisible) from a tracking site. Sometimes the picture is visible and shows some statistics about the site. The tracking site will try to save a small piece of text on your computer, either as a small file in a special directory or as a line in a special file (depending on your browser), and your browser will let the site that saved the text read it back on later requests to that site. These are called "web cookies" or simply "cookies". Cookies let a web site keep information it saved during an earlier visit and read it whenever you enter the site again. That lets the site customize itself for you and keep track of everything you did on it. It does not have to keep that information on your computer: all it has to save there is a unique identifying number, and it can then keep the information about what the browser with that cookie did on the server side. By this method alone, a web site can only get information about your visits to it. Sites such as "doubleclick" or "hitbox" can collect information from many affiliated sites by having each affiliated page include a small reference to a picture on their servers. When you load one of the affiliated pages, your browser contacts the tracking site, which can set or read a cookie that identifies your browser uniquely; it also learns which page referred to it (the browser sends the referring page's address along with the request) and any other information the affiliated site chose to put in the reference. In this way tracking sites correlate information from many affiliated sites, for example in order to better target the advertisements shown on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking sites. This is not a common use of a personal firewall, and a personal firewall is not the best tool for it, but if you already have one, it is yet another possible use.
Blocking or Limiting NetBIOS Communication? (as well as other default services)
The two common methods by which intruders break into home computers are through a RAT (discussed above) and through NetBIOS communication. NetBIOS is a standard for naming computers in small networks, developed long ago by IBM and Microsoft. There are a few transports used to carry NetBIOS; the ones relevant to Microsoft Windows are NBT (NetBIOS over TCP/IP), IPX/SPX and NetBEUI. The one that works over the Internet is NBT, which uses UDP ports 137 and 138 and TCP port 139 (Windows 2000 and later also offer the same file-sharing service directly over TCP port 445). If NBT is enabled and there is no firewall or anything else in the way, your computer is listening for NBT communication from the Internet and will act on whatever NBT commands remote programs send it. NBT (sometimes loosely called "NetBIOS") is thus acting as a server. The next question is therefore "which remote NBT commands will the NBT server carry out on the local computer?". The answer depends on the settings of your computer. You may have set your computer to allow file and print sharing. If NBT is also enabled, you are allowing remote users to access your files or printers. This is a big problem. In principle the remote user has to know your password for that computer, but many users set no password for their Windows account, or a trivial one. Older versions of Windows 95 had file and print sharing over NetBIOS enabled by default. On Windows 98 and Windows Me it was disabled by default, but many technicians enable file and print sharing when they set up a home network, without being aware that it also grants the same access to remote Internet users. There are even worms and viruses that use file sharing to spread over the Internet. Whether you need it for some reason or are simply not aware of it, a personal firewall can identify and block any external attempt to communicate with the NetBIOS server on your computer, and the more flexible personal firewalls can be set to restrict who may communicate with it (for example only addresses on your own home network). Some Windows versions, especially those not intended for home use, offer other public services by default, such as RPC (TCP port 135). A firewall can identify communication attempts to them and block them. Since such services listen for remote communication, there is a potential risk that someone will try to exploit security holes in the programs offering them, if there are such holes. A firewall may block or limit communication to those services.
Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even a well maintained one, a remote person will still be able to tell that their communication attempt reached some computer (a closed port answers with a refusal rather than with silence), and perhaps learn something about the operating system on that computer. If the computer is handled well, the remote user will not get much more information from it, but might still be able to identify who your ISP is, and might decide to invest further time in cracking into your computer.
With a firewall, you can set it so that any communication attempt from remote users (the better firewalls let you define an exception list) gets no response at all. The remote user then cannot even tell that they reached a live computer. This may discourage the remote attacker from investing further time in trying to crack into your computer. Silence is not proof of absence, though: a careful scanner records such a port as "filtered" rather than "closed", and a host that answers on one port and stays silent on the others has shown that it is filtering.
The Non-Firewall Defenses
We've discussed a few situations where a personal firewall can provide defense. Yet in many cases a computer's maintainer can deal with those situations even without a firewall. These "alternative" defenses are in many cases recommended regardless of whether you use a firewall or not.
Remote Access Trojans?
The best defense against remote access Trojans (RATs) is to prevent them from being installed on your computer in the first place. A RAT must first infect your computer before it can start listening for remote communication. Its infection techniques are very similar to those of viruses, hence the defense against Trojan horses is similar to the defense against viruses. Trojan horses do not distribute themselves (although they may travel as companions of an Internet worm or virus that distributes them). Because in most cases they do not spread on their own, you are likely to get them from anonymous sources such as instant messengers, Kazaa, IRC or a newsgroup. Adopting a suspicious policy regarding downloads from such places will save you not only from viruses but also from infection with Trojan horses, including RATs. Because Trojan horses are similar in some ways to viruses, almost all antivirus programs can identify, block from being installed, and remove most Trojan horses, including all the common ones. There are also programs (sometimes called anti-Trojan programs) that specialize in identifying and removing Trojan horses. For a list of those programs, and for a comparison of how well different antivirus and anti-Trojan programs identify different Trojan horses, see Hackfix (http://www.hackfix.org), under "Software test results". Hackfix also has information on the more common RATs (such as NetBus and SubSeven) and on how to remove them manually. There are also tools and web sites, such as port scanners, and ways of using more generic tools such as telnet, msconfig and netstat, which may help you identify a RAT: a RAT has to listen on some port, so a listening port you cannot account for is the thing to look for.
Other Types of Trojans and Worms?
Here too your main interest should be to prevent them from infecting your computer in the first place, rather than blocking their communication. A good antivirus and a good policy for preventing virus infections should be the first and most important defense.
Spyware and Adbots?
The term spyware is sometimes misleading. In my view, it is the responsibility of the adware developer to disclose, in a fair place and manner before the adware is installed, that the installation will install or use an independent adbot, how this adbot communicates, and which information it delivers. It is also their responsibility to provide this information on their web site, so that people are aware of it before they even download the software. Yet, in general, those adbots do not pose any security threat, and in many cases their privacy threat is negligible for many people (e.g. the computer with adbot number 1127533 was shown advertisements a, b and c so many times while using adware x, while the computer with adbot number 1127534 was shown advertisements a, d and e for so long while using adware y, and clicked on ad d). It should be fully legitimate for software developers to offer advertisement-supported programs, and it is up to the user to decide whether using the program is worth the ads and the adbot. Preventing the adbot from communicating is generally not a moral thing to do. If you decide to use adware, you should pay the price of letting the adbot work. If you don't want it, remove the adware; only if for some reason the adbot keeps working when no hosting adware that uses it is installed should you remove the adbot. In any case, there are some very useful tools for finding out whether a program is "spyware", or whether "spyware" is installed on your computer, and you are certainly entitled to this information. Two useful programs are "AdAware", which identifies "spyware" components on your computer and lets you remove them, and Ad-Search, which lets you enter the name of a program and tells you whether it is "spyware" and which adbot it uses; this helps in deciding whether to install a program or not. You may find those programs at http://www.lavasoft.nu (or, if that doesn't work, try http://www.lavasoftusa.com). These programs are useful mainly because many adware developers are not fair enough to present this information properly. AdAware also lets you remove adbot components from your computer. This might, however, terminate your license to use the hosting adware programs, and might even cause them to stop functioning. A web site that offers to check whether a specific program you wish to install is "spyware" or not is http://www.spychecker.com .
Blocking Advertisements?
Leaving aside the moral aspect of blocking advertisements, a personal firewall is not the best tool for it anyway. This is neither the main purpose of a firewall nor its main strength. Some of them can block some advertisements from being downloaded, if you know how to configure them for that. Yet there are better tools for this, such as Proxomitron (http://www.proxomitron.org), CookieCop 2 (search for "cookiecop" on http://www.pcmag.com) or Naviscope (http://www.naviscope.com), and many other programs as well. You may check for other alternatives, e.g. in Tucows (http://www.tucows.com/adkiller95.html).
Blocking Tracking Sites?
Here too a personal firewall is not the best tool, and there are other tools and ways that are more effective, namely cookie utilities. A tracking site uses a cookie to tie the information it gathers to the same person (or computer), so by preventing the cookie from being stored you take away its ability to track. There are plenty of cookie management utilities, some freeware and some not. CookieCop, mentioned in the former section, is one of them. WebWasher (http://www.webwasher.com) is another recommended one, and there are plenty of other alternatives such as Cookie Crusher, Cookie Pal, pop-up killers, etc. You may search for other alternatives in Tucows (http://www.tucows.com/cookie95.html).
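The mechanism described in the tracking-sites section above (an image reference on each affiliated page, a cookie that ties the visits together) and the cookie-blocking defense just discussed, as an added example: this is illustrative code written for this page, not code from the article or from any tracking company. The host names news.example, shop.example and tracker.example, the cookie name "uid" and the three visits are all made up, and nothing in it touches the network.

```python
"""Simulation of cross-site tracking through an embedded image, and of the
cookie-blocking defense. Added example; all hosts and visits are constructed."""
from itertools import count
from typing import Dict, List, Optional, Set, Tuple

TRACKER_HOST = "tracker.example"   # hypothetical third-party tracking site
COOKIE_NAME = "uid"                # hypothetical cookie name the tracker sets


class Tracker:
    """The tracking site. Every pixel fetch is logged against the visitor's
    cookie; a visitor without a cookie is issued a fresh identifier."""

    def __init__(self) -> None:
        self._next_id = count(1127533)                  # arbitrary starting number
        self.log: List[Tuple[str, str, str]] = []       # (uid, referring page, site-supplied data)

    def fetch_pixel(self, cookie: Optional[str], referer: str, query: str):
        """Handle GET /pixel.gif?<query>. Returns (set_cookie, uid): set_cookie is
        the Set-Cookie value to send back, or None if a cookie was presented."""
        if cookie is not None:
            uid, set_cookie = cookie, None
        else:
            uid = f"{COOKIE_NAME}={next(self._next_id)}"
            set_cookie = uid
        self.log.append((uid, referer, query))
        return set_cookie, uid

    def profile(self, uid: str) -> List[Tuple[str, str]]:
        """Everything the tracker can correlate for one identifier, across sites."""
        return [(referer, query) for u, referer, query in self.log if u == uid]


class Browser:
    """Minimal browser: loads a page that embeds the tracking pixel and applies
    one of two cookie policies (accept all, or refuse third-party cookies)."""

    def __init__(self, block_third_party_cookies: bool = False) -> None:
        self.block_third_party = block_third_party_cookies
        self.jar: Dict[str, str] = {}                   # host -> cookie

    def load_page(self, page_url: str, tracker: Tracker, pixel_query: str) -> str:
        page_host = page_url.split("/")[2]
        third_party = page_host != TRACKER_HOST
        blocked = third_party and self.block_third_party
        # The pixel request carries the tracker's cookie (if the policy allows it)
        # and a Referer header naming the page that embedded the image.
        sent_cookie = None if blocked else self.jar.get(TRACKER_HOST)
        set_cookie, uid = tracker.fetch_pixel(sent_cookie, page_url, pixel_query)
        if set_cookie is not None and not blocked:
            self.jar[TRACKER_HOST] = set_cookie
        return uid


def browse(block_third_party_cookies: bool) -> Tuple[Tracker, List[str]]:
    """Visit three pages on two affiliated sites; return the tracker and the
    identifier the tracker logged for each visit."""
    tracker = Tracker()
    browser = Browser(block_third_party_cookies)
    visits = [                                          # constructed visits
        ("http://news.example/politics", "site=news&section=politics"),
        ("http://shop.example/cart", "site=shop&item=shoes"),
        ("http://news.example/sports", "site=news&section=sports"),
    ]
    uids = [browser.load_page(url, tracker, q) for url, q in visits]
    return tracker, uids


def distinct_identifiers(block_third_party_cookies: bool) -> int:
    """How many different visitors the tracker believes it saw."""
    _, uids = browse(block_third_party_cookies)
    return len(set(uids))


def sites_linked_to_first_visitor(block_third_party_cookies: bool) -> Set[str]:
    """Hosts the tracker can tie to whoever made the first visit."""
    tracker, uids = browse(block_third_party_cookies)
    return {referer.split("/")[2] for referer, _ in tracker.profile(uids[0])}


if __name__ == "__main__":
    for block in (False, True):
        print("third-party cookies blocked:", block,
              "| identifiers seen:", distinct_identifiers(block),
              "| sites linked to first visitor:", sorted(sites_linked_to_first_visitor(block)))
```

With cookies accepted, all three visits carry the same identifier and the tracker links both sites to it; with third-party cookies refused, each pixel fetch looks like a new visitor and the tracker can tie nothing beyond the single page to any of them, which is exactly what a cookie utility buys you and a port-based firewall rule does not.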
NetBIOS and Other Services?
NetBIOS over TCP/IP (NBT), sometimes loosely called "NetBIOS", is a service with some security problems. It is enabled in default Windows installations, and it is very common to see a firewall doing the job of blocking attempts to access your computer via NBT. Yet in almost all cases this service is not needed and can be disabled. Disabling NBT on Win95/98/Me is not as simple as on Win2K/XP, but it can still be done reliably; we explain how in another article (to be written soon). Needless to say, if NBT is disabled there is no need for a firewall to block communication to it. The same goes for other services such as RPC: in many cases you simply don't need them, and it is better to disable them from within Windows than to use the firewall to block them. There are various ways to find out which services are running on your computer and which of them are listening for communication from outside (on Windows, "netstat -an" in a command prompt lists every listening port, and on Windows XP "netstat -ano" also shows the owning process ID). Any you don't need should be disabled.
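The netstat check mentioned in the RAT section and again here, as an added example (not code from the article or from any product): it parses the text that "netstat -an" prints on Windows, keeps only the sockets that accept input from the network, and labels those on well-known ports. The netstat lines are constructed to look like Windows output and the English column layout is assumed; the port table holds only the NBT/SMB/RPC ports and the default ports of the RATs the article names (assumed defaults, and a RAT can be moved to any port), which is why unknown listeners are reported rather than ignored.

```python
"""Audit of listening services from `netstat -an` output. Added example; the
netstat text below is constructed and the port table is deliberately short."""
import re
from typing import Dict, List, NamedTuple, Tuple

# Well-known defaults only. A RAT can be configured to use any port, so a
# miss here proves nothing and a hit only says "look closer".
KNOWN_PORTS: Dict[Tuple[str, int], str] = {
    ("udp", 137): "NetBIOS name service (NBT)",
    ("udp", 138): "NetBIOS datagram service (NBT)",
    ("tcp", 139): "NetBIOS session service (NBT, file and print sharing)",
    ("tcp", 445): "SMB over TCP (file and print sharing, Win2K and later)",
    ("tcp", 135): "RPC endpoint mapper",
    ("tcp", 12345): "NetBus default port",
    ("tcp", 12346): "NetBus default port",
    ("udp", 31337): "Back Orifice default port",
    ("tcp", 27374): "SubSeven default port",
}

# Constructed sample in the layout of English Windows `netstat -an` output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       198.51.100.7:80        ESTABLISHED
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  UDP    192.168.1.5:137        *:*
  UDP    0.0.0.0:31337          *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\w+))?\s*$")


class Listener(NamedTuple):
    proto: str
    address: str
    port: int


def parse_listeners(netstat_output: str) -> List[Listener]:
    """Sockets that accept input from the network: TCP sockets in LISTENING
    state and every bound UDP socket (UDP has no connection state)."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                  # headers and blank lines
        proto, addr, port, _remote, state = m.groups()
        proto = proto.lower()
        if proto == "tcp" and state != "LISTENING":
            continue                                  # an open connection, not a server
        found.append(Listener(proto, addr, int(port)))
    return found


def reachable_from_network(listener: Listener) -> bool:
    """A socket bound to the loopback address cannot be reached from outside
    at all, firewall or no firewall."""
    return not listener.address.startswith("127.")


def audit(netstat_output: str) -> List[Tuple[Listener, str]]:
    """Listeners reachable from the network, each with a label. Unknown ports
    are reported too: an unexplained listener is what a RAT looks like."""
    report = []
    for listener in parse_listeners(netstat_output):
        if reachable_from_network(listener):
            label = KNOWN_PORTS.get((listener.proto, listener.port),
                                    "unknown service: identify the owning program")
            report.append((listener, label))
    return report


def audit_by_port(netstat_output: str) -> Dict[Tuple[str, int], str]:
    """audit() as a {(proto, port): label} table, convenient for scripting."""
    return {(l.proto, l.port): label for l, label in audit(netstat_output)}


def probe_is_harmless(netstat_output: str, proto: str, port: int) -> bool:
    """True when nothing reachable listens on (proto, port): a remote probe for
    that port then has nothing to talk to, whether or not a firewall is present."""
    return (proto, port) not in audit_by_port(netstat_output)


if __name__ == "__main__":
    for listener, label in audit(SAMPLE_NETSTAT):
        print(f"{listener.proto.upper():<4} {listener.address}:{listener.port:<6} {label}")
```

On the constructed sample the audit reports the NBT and SMB ports, the RPC endpoint mapper, and the SubSeven and Back Orifice defaults, and skips both the established web connection on port 1044 and the loopback-only listener on 1025. Run against real output, anything not in the table is the line to chase down with msconfig or the process list before deciding whether a firewall rule is even needed.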
Hiding the Computer?
The web sites of many personal firewall companies put a lot of weight on their firewall's ability to hide the computer on the Internet. Yet being visible on the Internet is, by itself, neither a security nor a privacy threat. If you provide some service to the Internet from your computer, for example you run a web server so that other people can view web pages, you might get rid of some crackers by setting your firewall to unhide only that type of communication. Some attackers do not make a full scan of your computer but only a partial one, and if they did not scan for the specific service you provide, they will not see your computer. Yet if the service is a common one, there is a good chance that many of them will scan for it and find your computer. Once they "see" your computer, they may decide to scan it further, find out which services you provide, and scan those for security holes to use. For a simple home computer that offers no services, there is not much meaning to any of this.
What a Firewall Cannot Do!
Another misconception about personal firewalls is the belief that they give overall protection against "hackers" (i.e. intrusions). They do not.
Defense Against Exploitation of Security Holes
A firewall can allow or deny access to or from your computer according to the type of communication, its source and destination, and which program on your computer is handling it. Its ability to understand the details of the communication, however, is very limited. For example, you may set the firewall to allow or deny your e-mail program fetching and/or sending messages, and to allow or deny your web browser browsing the Internet. But once you have allowed the e-mail program to talk to the mail servers (and you will, if you want to use e-mail), or allowed the web browser to talk to web sites, the firewall understands little of what passes over those connections. If your browser has a security hole and a remote site tries to exploit it, the firewall cannot distinguish the communication that exploits the hole from legitimate browsing: both are the browser talking to a web server on the port you allowed. The same goes for e-mail: a personal firewall may stop you from receiving or sending messages altogether, but once it lets messages through it makes no distinction between a legitimate one and one that carries a virus or a Trojan horse. Security holes in legitimate programs can be exploited, and a personal firewall can do practically nothing about it.
I should note, however, that some personal firewalls come combined with some Trojan horse detection or intrusion detection. This is not part of the classical definition of a firewall, but it may be useful. Such tasks are usually handled by other tools such as antivirus or anti-Trojan programs.
Tricks to Bypass or Disable Personal Firewalls
There are also various ways to disable or bypass personal firewalls. Over time, several tricks for bypassing or disabling them have been demonstrated by various programs, especially tricks that let an internal program communicate with the outside while bypassing or deceiving the firewall. Against some of them, such as the one demonstrated by Leaktest, in which an illegitimate program disguises itself as Internet Explorer, practically all personal firewalls are immune today. Against others, such as the one demonstrated by Outbound, which sends a non-standard kind of communication directly to the network adapter, bypassing the operating system components that are supposed to handle Internet communication and with them the firewall, the various firewalls are only now being patched. Yet other methods, such as the one demonstrated by Tooleaky, which uses Internet Explorer as a messenger to carry data to the outside, so that the traffic is identified as mere legitimate browsing, are still waiting for most personal firewalls to find a fix.
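A toy rule engine, added here as an example (not code from the article or from any firewall product), that makes the previous two sections concrete: it decides by direction, port and program; it drops unsolicited inbound traffic silently rather than refusing it (the "hiding" setting) except where an active refusal is wanted; it shows the Leaktest problem (a rule keyed on the file name "iexplore.exe" lets a renamed Trojan through, while a rule also keyed on the executable's SHA-256 does not); and it shows the content-blindness problem (the genuine browser gets the same "allow" whether the bytes on the connection are a harmless page or an exploit). The programs, digests, ports and payloads are all constructed. The Outbound trick goes underneath such an engine rather than through it, so it is by nature not something rules can express, and it is not modelled.

```python
"""Toy personal-firewall rule engine: what such a firewall can and cannot decide.
Added example; every program, digest, port and payload below is constructed."""
import hashlib
from dataclasses import dataclass
from typing import Optional, Set


@dataclass(frozen=True)
class Program:
    name: str        # file name as shown to the user
    sha256: str      # digest of the executable on disk


@dataclass
class Conn:
    direction: str                     # "in" (remote initiated) or "out" (local program initiated)
    proto: str                         # "tcp" or "udp"
    port: int                          # local port for "in", remote port for "out"
    program: Optional[Program] = None  # local program handling it, if known
    payload: bytes = b""               # bytes that will flow; no rule below looks at them


@dataclass
class Rule:
    action: str                        # "allow", "reject" (answer with a refusal) or "drop" (stay silent)
    direction: str
    proto: Optional[str] = None
    ports: Optional[Set[int]] = None
    program_name: Optional[str] = None
    program_sha256: Optional[str] = None

    def matches(self, c: Conn) -> bool:
        p = c.program
        return (c.direction == self.direction
                and (self.proto is None or c.proto == self.proto)
                and (self.ports is None or c.port in self.ports)
                and (self.program_name is None or (p is not None and p.name == self.program_name))
                and (self.program_sha256 is None or (p is not None and p.sha256 == self.program_sha256)))


class Firewall:
    """First matching rule wins. Unmatched inbound traffic is dropped silently
    (the "hide the computer" setting); unmatched outbound traffic is denied,
    which is the point where a real product would ask the user."""

    def __init__(self, rules):
        self.rules = list(rules)

    def decide(self, c: Conn) -> str:
        for r in self.rules:
            if r.matches(c):
                return r.action
        return "drop" if c.direction == "in" else "deny"


def digest(fake_binary: bytes) -> str:
    return hashlib.sha256(fake_binary).hexdigest()


# Constructed "executables": the genuine browser, and a Trojan renamed to match
# it (the Leaktest trick of posing as Internet Explorer).
REAL_BROWSER = Program("iexplore.exe", digest(b"genuine browser bytes"))
RENAMED_TROJAN = Program("iexplore.exe", digest(b"trojan bytes"))
NBT_PORTS = {137, 138, 139, 445}
INBOUND_RULES = [
    Rule("drop", "in", ports=NBT_PORTS),               # NetBIOS/SMB: no answer at all
    Rule("reject", "in", proto="tcp", ports={113}),    # ident: refuse, so mail servers do not wait
]


def name_keyed_firewall() -> Firewall:
    """Browser rule keyed on the file name only."""
    return Firewall(INBOUND_RULES + [
        Rule("allow", "out", proto="tcp", ports={80, 443}, program_name="iexplore.exe")])


def hash_keyed_firewall() -> Firewall:
    """Same browser rule, additionally pinned to the genuine executable's digest."""
    return Firewall(INBOUND_RULES + [
        Rule("allow", "out", proto="tcp", ports={80, 443},
             program_name="iexplore.exe", program_sha256=REAL_BROWSER.sha256)])


def inbound_probe(fw: Firewall, port: int) -> str:
    return fw.decide(Conn("in", "tcp", port))


def trojan_posing_as_browser(fw: Firewall) -> str:
    return fw.decide(Conn("out", "tcp", 80, RENAMED_TROJAN, b"GET /?stolen=secret HTTP/1.0"))


def browser_fetch(fw: Firewall, payload: bytes) -> str:
    """The genuine browser on an allowed port: the decision is the same whatever
    the payload, which is why a browser hole cannot be closed by the firewall."""
    return fw.decide(Conn("out", "tcp", 80, REAL_BROWSER, payload))


BENIGN_PAGE = b"HTTP/1.0 200 OK\r\n\r\n<html>hello</html>"
HOSTILE_PAGE = b"HTTP/1.0 200 OK\r\n\r\n<html>" + b"A" * 4096 + b"</html>"   # stands in for exploit content

if __name__ == "__main__":
    for label, fw in (("name-keyed", name_keyed_firewall()), ("hash-keyed", hash_keyed_firewall())):
        print(label, "| NBT probe:", inbound_probe(fw, 139), "| port 27374:", inbound_probe(fw, 27374),
              "| ident:", inbound_probe(fw, 113), "| renamed trojan:", trojan_posing_as_browser(fw),
              "| browser benign/hostile:", browser_fetch(fw, BENIGN_PAGE), browser_fetch(fw, HOSTILE_PAGE))
```

The two firewalls differ in exactly one rule, and that is enough to turn the renamed Trojan from "allow" into "deny"; nothing in either of them can turn the hostile page into anything but "allow", because the only facts a packet-and-program filter has are direction, port and who opened the socket.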
Firewalls CANNOT Decide for You What is a Legitimate Communication and What is Not
One of the main problems with personal firewalls is that you cannot simply install them and forget them, counting on them to do their job. They can deny or permit various types of communication according to some criteria, but what are these criteria, and who decides whether a given communication should be permitted or denied?
The answer is that it is the computer user's job to define exactly when the firewall should allow a communication and when it should block it. The firewall may make this easier for you, but it should not make the decisions. There are too many programs and too many versions, and a firewall cannot accurately decide on its own when a communication is legitimate and when it is not. One person may consider it legitimate for a program to send some information out in order to obtain a service, while another will not. One version of a program may contact its home server only to check whether an upgrade exists, while another version may also install the upgrade whether you want it or not. Some firewalls try to recognize communication attempts that are widely considered legitimate and present that information so that it is easier for you to decide whether to allow them. Others offer only the basic facts and make no suggestions (and thus no incorrect recommendations). Either way, once you have installed a firewall you have better means to see what kinds of communication your computer engages in, but you also have to understand them in order to configure the firewall so that it knows which communications to allow and which to block.
Common Problems and Deficiencies Regarding Personal Firewalls
A personal firewall can be a good contribution to security. Yet if you do not understand much about the topic, you are likely to be confused and misled by its alerts and queries, and to find yourself spending hours chasing imaginary crackers, fearing imaginary threats, and misconfiguring it out of misunderstanding. You may block legitimate and important communication believing it to be a cracking attempt, and then wonder why things are slow or why you keep being disconnected from the Internet; or you may be misled into allowing an illegitimate communication by software that tricked you into believing it was legitimate. On the other hand, if you are quite knowledgeable about computers and security, you are likely to defend your computer effectively even without a firewall (by the means discussed in the previous section), and the role of a personal firewall in securing your computer is then small and not very important. We discuss here in brief some of the problems that personal firewalls may generate.
A False Sense of Security
As we have already seen, a firewall is limited in its ability to secure your computer. Yet many people believe that once they install a personal firewall they are secure against the various security threats. I was surprised to find that there are even people who give much higher priority to installing a personal firewall than to installing an antivirus program. An always up-to-date antivirus program plays a far more important role in the security of a home computer than installing and maintaining a personal firewall. A personal firewall should not come at the expense of any other security measure you use.
A False Sense of Insecurity
When you install a firewall and look at all the communication attempts it sees, you may be surprised by how many attempts there are from the Internet to your computer. Most of them are blocked by a typically configured firewall. There are constant attempts to contact various backdoor Trojans on your computer; if you are not infected, there is nothing listening to answer them, and they are practically harmless. There are attempts to contact your NBT driver, to see whether your computer allows file sharing by mistake. There are probes to see whether your computer exists, and attempts by servers to probe your computer in order to find the best path for legitimate communication to it. There are sometimes remnants of communication that was meant for another computer but reached yours (for advanced readers: because the IP address your computer is using was used by some other computer shortly before). Those communication attempts fail even without a firewall. If your computer is not infected with a RAT, and does not have NetBIOS over TCP/IP enabled, or at least does not have file and print sharing enabled (and on most computers it is disabled by default), then none of these poses any security threat. If your computer is not infected with SubSeven, then no matter how often someone tries to contact it, every attempt is doomed to fail.
Yet some personal firewalls (such as Norton Personal Firewall or ZoneAlarm) by default proudly announce that they have just blocked an attempt to crack into your computer. Norton may even label those blocked attempts "high security threats", although they were no threat at all, even if your computer had had no personal firewall. Such firewalls give you the false impression that they save your computer again and again from extremely dangerous threats on the Internet, so that you wonder how you survived so long without noticing any intrusion before you installed the firewall. I usually say that those personal firewalls have their "report level" set to "promotional mode": the firewall is set up to give you the false impression that it is much more important than it really is.
Chasing After Ghosts
This is a side effect of the kinds of misunderstanding discussed in the previous subsection.
When a person who is just starting to learn the jargon of personal firewalls is told that "dangerous" communication attempts keep coming from the same source, they become determined to locate and identify the "hacker", and perhaps report them to the police or to their Internet service provider. However, since many people do not really understand how things work, they may spend many hours trying to locate a cracker who does not exist, or find that tracking the cracker requires far more knowledge than they have, and they may even suspect the wrong person (e.g. someone at the Internet service provider through which the cracker connected). More knowledgeable people usually do not bother to track those "hackers" (who are usually teenagers), but concentrate instead on the security of their own computer.
Blocking Legitimate Communications
No personal firewall is smart enough to decide for the user what is a legitimate communication and what is not. Unless the user tells it, a personal firewall cannot distinguish a legitimate program contacting its server to check for a newer version and notify the user from an illegitimate program contacting its server to deliver sensitive information such as passwords. It is thus up to the user to decide what counts as legitimate and what does not. Yet can we count on the user to be knowledgeable enough to make that decision? In many cases the user is not, and may thus allow an illegitimate communication or block a legitimate and important one. Many kinds of communication exist only to manage other communications; among them are various exchanges between your computer and the servers of your Internet service provider. A user who does not know this may interpret them as cracking attempts and decide to block them. The result may be a slower connection, frequent disconnections from the Internet service provider, and other communication problems.
Being Tricked by Trojans
Just as less knowledgeable users may instruct the firewall to block legitimate communications, they can be tricked by Trojans into allowing them to communicate. Some Trojans use names resembling or identical to those of legitimate programs, so that the user thinks a legitimate program is asking. Users should be aware of this, and a firewall that identifies a program by more than its file name (its full path, or a checksum of the executable) is harder to fool in this way.
Heavy Software, Buggy Software
Until now we have discussed only problems related to the user's lack of knowledge. Yet there are other problems with personal firewalls. For example, some of them are known to be quite heavy on computer resources, or to slow down the communication. Personal firewalls vary considerably in this respect. If you have a new computer with a slow Internet connection (such as regular dial-up) the slowdown may not be noticeable. Yet on an older computer with a fast connection, some personal firewalls may slow your communication down quite drastically. Personal firewalls also vary in how stable they are.
Advantages of External Firewalls over Personal Firewalls
1. They do not take resources from the computer they protect. This should be clear, and it matters especially when the firewall is absorbing a flooding attack.
2. It is harder (although in principle still possible) for a Trojan horse to disable it, because it does not reside on the computer the Trojan has infected. Nor can a program on the infected computer bypass it by talking to the network adapter directly, as the Outbound trick does against a personal firewall: everything still has to pass through the external box.
3. They can be used regardless of the operating system on the computer(s) they defend.
4. They cannot destabilize the computer they protect, since nothing of them runs on it.