Personal Firewalls

The purpose of a firewall is to filter inbound and outbound traffic to your computer or network. Information is sent through the Internet in packets of data, and these packets have sources and destinations. You become vulnerable to attack when nothing screens the many kinds of packets that are sent to your computer. On the Internet, connections are made to open ports on your computer. As we discussed in Chapter 10, when you have an open port that anyone can reach on the Internet, you are potentially vulnerable to an attack. Your broadband cable or DSL connection leaves you wide open to attack day or night. Even a dial-up account leaves you open to attack, but the limited time you are connected via dial-up and the slow speed make dial-up accounts less of a target.

A basic firewall architecture is shown in Figure 11.1.

Figure 11.1. Basic firewall architecture.


Your IP address is the defining point of who you are on the Internet. Your computer's IP address is like your house address: if someone knows your IP address, he can find you. When a person knows your IP address, he can perform port scans. A port scan checks your computer for open points of connectivity. Open ports are like the windows and doors of your house: if you don't lock them, anyone can come in. Figure 11.2 is a refresher of what an IP address looks like. In this case, our IP address is 192.168.1.5.

Figure 11.2. An IP address of 192.168.1.5.


The average consumer is not a specific target of a hacker. Many hackers and even more script kiddies target people blindly. It would be the same as a burglar just walking down your street trying every door until he found one that was open so he could break in.

Firewall software is used to set rules or filter what kinds of data packets can be sent into the computer and leave the computer. Rules or filters—two interchangeable terms—are used to allow or deny certain types of data into and out of a system using a filtering device such as a firewall. Data packets contain everything from IP address information to port information. The firewall is your first line of defense against hostile attacks. Whatever filters you set up are used to allow or deny packets. If you are running a Web server, you probably only want Web traffic to port 80. You can set up your firewall rules to allow only that port and block all other access from the Internet. Perhaps you are also running a mail server (port 25) on your Web server, but you only want specific people on the Internet to access that mail server. In that case, you can restrict, by IP address, who can connect to check mail on your server.

If a packet is sent that matches the rules you define, then it is allowed through to the open port. If the rules you set up deny access to the requesting packet, the data can be rejected or just dropped. If the data is rejected, the computer that is sending the packet can know that the data was denied. If your filter drops the packet, the data will appear to have gone into a void without confirmation that it reached its destination.

An application gateway, often called a proxy, acts like a customs officer for data. Anything you send or receive stops first at the firewall, which filters packets based on IP addresses and content, as well as the specific functions of an application. For instance, if you're running an FTP program, the proxy could permit file uploads but block other FTP functions, such as viewing or deleting files. You could also set the firewall to ignore all traffic for FTP services but allow all packets that are generated during Web browsing.

As was discussed in Chapter 7, “Understanding the Online Environment: Web Surfing and Online Payment Systems,” spyware programs that you inadvertently install on your computer can send traffic out from your computer to some malicious site on the Internet. You also could have installed a Trojan horse program by mistake that tries to contact some malicious site on the Internet and send out your personal files from your hard drive. With the use of a firewall, you can restrict outbound access from your computer. That way, if the malicious program were trying to make a connection to a port on a remote machine, you could have restrictive filter rules that control what data is allowed out of your machine. Another key feature concerns connections to remote sites: once a valid connection is established, the firewall can keep that connection open and secure, so you can trust that only valid connections are open on your system.

A key feature of firewalls is network address translation (NAT). NAT translates a single, Internet-routable IP address into many non-routable addresses on the LAN. Therefore, if you have several machines at home and have only one IP address from your ISP, you can set up a home LAN with non-routable addresses, such as 192.168.1.x. That way, your one firewall machine that is running NAT can protect all your computers. Several firewall products perform NAT, but others do not.
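The translation table that makes NAT work, as an added example (not code from any product in this chapter); the public address 203.0.113.5 and the port numbers are placeholders:

```python
"""Constructed model of the NAT behaviour described above (not any product's code).

One public, Internet-routable address (203.0.113.5, a placeholder) fronts a
home LAN using the chapter's 192.168.1.x range. Outbound packets get their
private source rewritten to the public address and a fresh public port;
replies are mapped back through the translation table; anything arriving
from the Internet with no table entry has no inside host to go to and is
dropped, which is why one NAT box shields every computer behind it.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.5"   # placeholder for the single address from your ISP
LAN_PREFIX = "192.168.1."   # non-routable home addresses, 192.168.1.x


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Nat:
    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # (private_ip, private_port, remote_ip, remote_port) -> public_port
        self.outbound_map: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """LAN host -> Internet: rewrite the private source to the public one."""
        if not pkt.src_ip.startswith(LAN_PREFIX):
            raise ValueError("only packets from the home LAN are translated")
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound_map.get(flow)
        if public_port is None:                  # new conversation: allocate a port
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[flow] = public_port
            self.inbound_map[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=public_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> LAN: deliver only if a LAN host opened this conversation."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound_map.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None                           # unsolicited: no inside host, dropped
        return replace(pkt, dst_ip=inside[0], dst_port=inside[1])


if __name__ == "__main__":
    nat = Nat()
    out = nat.outbound(Packet("192.168.1.10", 5000, "198.51.100.7", 80))
    print(out)                                                            # src 203.0.113.5:1024
    print(nat.inbound(Packet("198.51.100.7", 80, "203.0.113.5", 1024)))   # back to 192.168.1.10:5000
    print(nat.inbound(Packet("198.51.100.7", 40000, "203.0.113.5", 139)))  # None
```

Two LAN hosts using the same private port get distinct public ports, so their replies cannot be confused.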

Firewalls can be categorized into several basic categories as follows:

  • Packet filters— Examine every packet for IP address

  • Circuit-level— Allow communication only with approved systems

  • Stateful inspection— Check the configuration of approved packets and allow/deny traffic

This chapter covers the various functions of different firewalls in action. Every firewall has advantages and disadvantages, which we will discuss in some detail later in this chapter.

Why Firewalls Are Necessary

The following list presents the benefits that a personal firewall brings to the operating system:

  • Enhances the native operating system security features

  • Protects the operating system and network resources from attack

  • Protects the system from Trojans, worms, and viruses

  • Watches inbound and outbound traffic

  • Monitors connectivity to the system

  • Allows secure remote connections and enables encryption

  • Tracks potential attackers back to the originating source of the attack

  • Secures data from compromise

Note

The personal firewalls we will focus on for this chapter are all Windows based. That is not to say that Linux is not worth mentioning, but most of our readers are Windows users, and the complexities that Linux brings could fill a separate book. Suffice it to say, Linux has built-in firewall capabilities; perhaps we will cover them in more detail in the next edition of this book.


By being your own system administrator, you are forced to learn the ins and outs of security. Firewall technology can be difficult to grasp, implement, and maintain. These challenges should not discourage you from implementing a personal firewall. A personal firewall is a necessity.

Each of the firewalls we will discuss has some different features and works slightly differently. Like anything you buy, you will look for features that are important to you. Some of the features you should consider when making a choice include the following:

  • Ability to defend against attacks

  • Interaction with virus scanners or built-in virus scanning capabilities

  • Ability to stop denial-of-service attacks

  • Reporting capabilities of attacks and activity on and against your system

  • Ability to track intruder footprints

  • Ability to track an attacker back to their source

  • Ease of use

  • Ease of implementation and maintenance

  • Cost versus features

  • Support services of the vendor

  • Whether you want a hardware- or software-based firewall

The proper time to install a firewall is when you first install the operating system. If you are like most of corporate America, security comes after everything else has been done. Before installing the firewall, you should perform a thorough virus scan of your system to ensure that no virus is waiting in the background. A firewall will be ineffective if the virus acts as a valid application and you do not even know to check for it or design filters to find it. Do the virus check with the system disconnected from the Internet, then install your firewall and apply your filter rules before putting the system back on the Internet. We will go through some basic steps to test the security of your firewall rules.

Problems with Firewalls

The trouble with Tribbles (Star Trek reference for those who don't watch the show) and firewalls is that if you leave them unattended, all sorts of problems can occur. First, if you don't get the firewall that suits your needs, you will either have more features than you can deal with and comfortably configure or you will not have enough features to protect you. For example, if you need virus scanning and choose a firewall that has some virus scanning capability, but is not as fully functional as a robust standalone virus scanner, you might have a false sense of security and be infected.

With all the features in many firewalls, people have a tendency to implement them and hope the filters they have set up do the job. This is asking for trouble. The hacker community is constantly coming up with new attacks, and firewall vendors always seek to update their products to meet the new attacks. If you are not vigilant in updating your firewall version or the filters you have designed, you might leave yourself open for the latest attack.

Another great problem with firewalls, the same problem that corporations with expensive products face, is how to read the log files and determine whether you are being attacked or whether an attacker successfully circumvented your filter rules. When you begin playing with these firewalls, you will see that the information that spews out is not easy to understand and definitely not easy to keep up with. Configuring the reporting and filter rules to give you the necessary information is an important step in setting up any of these products.

Understanding the role of the product in your home is essential in a good implementation. If you have just one home machine, then perhaps a simple firewall will work. But if you have several computers at home, you will need to protect all of them. In such a case, you will need a more robust firewall that can act as a DHCP server and route traffic from multiple machines and enable different filtering rules for each machine if necessary.

Product Review

The firewall products we have selected to detail in the following sections were chosen to show a variety of ways firewalls are built, implemented, and used, and they represent what is currently popular in the marketplace. These are described in Table 11.1. Many firewalls are on the market. Table 11.2 shows several products you might want to consider after you better understand firewalls and how they can be used. By no means is this a complete list of firewall products available to you.

Table 11.1. Software Firewall Products

Product                          Cost     Operating System                          Web Site
BlackICE Defender 2.5            $39.95   Windows 95, 98, Me, 2000, or NT 4.0       www.networkice.com
Norton Personal Firewall 2002    $49.95   Windows 95, 98, Me, 2000, NT 4.0, or XP   www.symantec.com
ZoneAlarm Pro                    $39.95   Windows 95, 98, Me, 2000, NT 4.0, or XP   www.zonealarm.com
Sygate Personal Firewall         Free     Windows 95, 98, Me, 2000, or NT 4.0       www.sygate.com
Tiny Software Personal Firewall  Free     Windows 95, 98, Me, 2000, or NT 4.0       www.tinysoftware.com
Tiny Software WinRoute Pro       $149     Windows 95, 98, Me, 2000, or NT 4.0       www.tinysoftware.com

Table 11.2. Other Firewalls for Consideration

Product                          Web Site
PC Viper Personal Firewall       www.pcviper.com
Biodata's Sphinxwall Firewall    www.sphinxwall.com
Neowatch 2.4                     www.neoworx.com
F-Secure Distributed Firewall    www.datafellows.com
VirusMD Personal Firewall        www.virudmd.com
Conseal PC                       www.candc1.com
PrivacyWare                      www.privacyware.com
McAfee Personal Firewall         www.mcafee.com

Firewall Appliances

Small hardware appliances (devices that are separate from your computer) that you can connect and configure are available on the market, although they're not as popular with home users as software products are. Appliances enable remote management of small remote offices or home offices and are used to protect several computers. Setting up hardware appliances is easier than setting up software products, but hardware appliances tend to be more costly. As for feature sets, these generally tend to be similar to software firewalls. Although we will not go into any great detail about these more expensive hardware appliances, you should keep them in mind after you have learned a bit more about the capabilities of firewalls. Several hardware firewalls include the following:

  • Watchguard SOHO— The small office/home office (SOHO) uses stateful inspection and NAT. One feature, LiveSecurity, is a subscription that provides software updates, technical support, and some training. This makes for a painless process in updating the features of the firewall. The SOHO also has a remote management feature and is frequently used in corporate environments to connect small home offices to the central corporate office, forming a virtual private network (VPN).

  • D-Link Systems DI-704— The DI-704 comes with a built-in hub or switch. This cuts down on the cost of buying a hub or switch to set up your internal network. It is not a robust appliance like the SOHO and has no VPN capability, Remote Authentication Dial-In User Service (RADIUS) capability, or encrypted remote management.

  • SonicWall SOHO2— The SOHO2 is on the expensive side of small appliances, retailing for about $495 for a 10-user model. It includes NAT, Web proxy, antivirus protection, multiple user IDs, RADIUS, DHCP server and client services, Web-content filtering, VPN, an intrusion detection mechanism, digital certificate authentication, centralized policy management, and customizable firewall protection.

  • Linksys BEFSR11— This model, similar to the DI-704, is cheaper than a SOHO2, but it does not have VPN capability, support for centralized policy management, built-in antivirus or Web-content filtering support, or Java and cookie filtering capabilities. It uses packet filtering to protect the system, and it has an easy-to-understand user interface.

  • SNAPgear PRO— SNAPgear focuses on providing PPTP and IPsec VPN capabilities. Its price competes with the SOHO2 and the Watchguard SOHO. It has a second serial port that can be used to simultaneously support a dial-up/ISDN WAN and dial-in RAS connection and supports RADIUS/TACACS+ authentication and encryption. This is a robust Linux-based firewall.

Appliances do not really fit the needs of consumers in many cases. Remote management, VPN, and authentication to RADIUS servers are not really high on the priority list for home users. Many of these acronyms are beyond the scope of this book and are not necessary for the time being to the security of your home. The robust user interfaces that most software products have and the lower cost of the software products make them a better choice for the home user, which is why we chose to concentrate on the software firewalls.

What to Block

The most difficult part of implementing a personal firewall is knowing what to block. The simplest answer is that you should block all unsolicited incoming traffic. This means that unless you are browsing a Web site or making a purchase over an SSL-enabled Web site, you should block incoming traffic you have not initiated. In both Windows- and Linux-based systems, a number of ports are open by default that can be dangerous to your system. In addition, several ports exist that are really of no consequence, and it does not really matter whether you block them.

For the typical home setup, in which you have perhaps one or two machines and are not running server software such as your own Web site or mail server, blocking incoming traffic using firewall software is easy. If you're running applications that can open ports on your system, such as PCAnywhere or WinRoute Web Administration, you must be aware of what these third-party applications open on your system. Whether you run Windows or Linux, the ports you really need to be concerned about, and should ensure your firewall software blocks if you are not running server software, include the following:

  • FTP (21)

  • Telnet (23)

  • Mail (25)

  • DNS (53)

  • Finger (79)

  • Web (80)

  • Sunrpc (111)

  • Auth (113)

  • SNMP (161)

  • EPMAP (135)

  • NetBIOS-NS (137)

  • NetBIOS-SSN (139)

  • Microsoft DS (445 TCP and UDP)

  • R-Services (511-515)
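The filtering behaviour described earlier (allow by port, restrict mail by source address, reject versus drop, pass only solicited traffic) together with the port list above, as an added example that is not code from any product in this chapter. The `Firewall`, `Rule` and `audit_unsolicited` names and the addresses other than 192.168.1.5 are constructed for illustration:

```python
"""Toy model of the packet filtering this chapter describes.

Constructed example (not any vendor's code): a Firewall holds an ordered
list of allow/reject/drop rules plus a table of connections the local
machine opened itself, so replies to solicited traffic pass while
unsolicited inbound packets are judged by the rules and the default action.
The addresses used are placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

LOCAL_IP = "192.168.1.5"  # the chapter's example address (Figure 11.2)

# Ports the chapter says to block when you are running no server software.
PORTS_TO_BLOCK = [21, 23, 25, 53, 79, 80, 111, 113, 161, 135, 137, 139, 445] + list(range(511, 516))


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow", "reject" or "drop"
    dst_port: Optional[int] = None  # None = any destination port
    src_net: Optional[str] = None   # CIDR block; None = any source address
    proto: Optional[str] = None     # None = any protocol

    def matches(self, pkt: Packet) -> bool:
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(pkt.src_ip) not in ip_network(self.src_net):
            return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule], default: str = "drop"):
        self.rules = list(rules)
        self.default = default
        self.connections = set()  # 5-tuples of connections opened from inside

    def outbound(self, pkt: Packet) -> str:
        """Record a connection the local machine initiated. Outbound traffic is
        allowed freely here, as with the BlackICE Cautious level."""
        self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return "allow"

    def inbound(self, pkt: Packet) -> Tuple[str, Optional[str]]:
        """Return (verdict, reply). A reject answers the sender (modelled as a
        TCP RST); a drop answers nothing, so the sender sees only silence."""
        reply_to = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reply_to in self.connections:
            return ("allow", None)          # solicited: reply to our own connection
        for rule in self.rules:             # first matching rule wins
            if rule.matches(pkt):
                return (rule.action, "rst" if rule.action == "reject" else None)
        return (self.default, "rst" if self.default == "reject" else None)


def audit_unsolicited(fw: Firewall, ports=PORTS_TO_BLOCK, scanner_ip="198.51.100.7") -> List[int]:
    """Port-scan style self-check: which of the listed ports accept an
    unsolicited inbound packet from an arbitrary Internet address?"""
    return [p for p in ports if fw.inbound(Packet(scanner_ip, 40000, LOCAL_IP, p))[0] == "allow"]


# The Web server case from the text: Web traffic to port 80 from anywhere,
# mail (port 25) only from one trusted network, everything else dropped.
WEB_SERVER = Firewall([
    Rule("allow", dst_port=80, proto="tcp"),
    Rule("allow", dst_port=25, proto="tcp", src_net="203.0.113.0/24"),
    Rule("reject", dst_port=25, proto="tcp"),  # other senders learn mail is refused
], default="drop")

# The typical home setup: no server rules at all, so only replies to
# connections this machine opened get through.
HOME_PC = Firewall([], default="drop")


if __name__ == "__main__":
    print(WEB_SERVER.inbound(Packet("198.51.100.7", 40000, LOCAL_IP, 25)))  # ('reject', 'rst')
    HOME_PC.outbound(Packet(LOCAL_IP, 51000, "198.51.100.7", 80))           # browsing a Web site
    print(HOME_PC.inbound(Packet("198.51.100.7", 80, LOCAL_IP, 51000)))      # ('allow', None)
    print(audit_unsolicited(HOME_PC), audit_unsolicited(WEB_SERVER))          # [] [80]
```

Running the audit against your own ruleset is the same check a port scan of the machine would perform from outside, without touching the network.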

Firewall Implementations

The products discussed next were tested against two criteria. The first criterion was out-of-the-box implementation of the firewall. The process of implementation and the default filter settings were analyzed in all products. For the second criterion, we walked through the details of how to set up filter rules in each product and then performed a comparison of how each was configured and what needs were best suited to these products. After each product was set up with the correct filter rules, we performed a mini-test to see how well the rules held up against a basic attack.

BlackICE Defender

BlackICE Defender is one of the simplest yet most powerful personal firewalls on the market. If you are looking for a product to set up a demilitarized zone (DMZ), perform NAT, and perform internal routing, then this is not the product for you. If you have one system that needs to be locked down inside of 3 minutes, and you want it to function without much interaction, then this is the product for you. BlackICE Defender can make your system secure with the basic functionality it has, and its alerting feature lets you know when someone is trying to attack your system.

BlackICE Defender's four basic security settings say it all: Trusting, Cautious, Nervous, and Paranoid. These options range from blocking just about everything to letting whatever traffic you want through. The Paranoid setting blocks programs such as ICQ, IRC file transfers, NetMeeting, and PCAnywhere, whereas the Cautious setting blocks only unsolicited network traffic. You can allow application functions but block access to the operating system.

The program's alerting features block traffic when they detect an attack; trace the attacking IP address, NetBIOS name, DNS information, and MAC address; and place the attacker in a block list that denies all access from that attacker. This information can give you a lot of data about who is attacking you in case you want to try to contact the attacker's ISP to complain about the attack. The intruder log includes what BlackICE thinks is the severity level, a short description of the type of attack, and the intruder's name and IP address. If you click on the attack type, BlackICE provides a description of what the attack means, which is more than many firewalls will do. BlackICE has an “AdvICE” database of information about attacks that is very helpful.

When BlackICE runs, it stays in the system tray. If you have the attack indicators set, you will see a flashing yellow or red icon depending on the severity of the attack. You can do more investigation of the attack by clicking on the icon and seeing details about the attack. BlackICE has a nice sort feature to check attacks and attackers.

The default installation level is Cautious. This setting automatically starts protecting your computer by blocking unsolicited traffic. The other settings perform the following functions:

  • Paranoid— This is the most restrictive setting. It blocks just about every piece of inbound unwanted traffic. The problem is that it might also block some traffic you want, such as Web traffic or applications like ICQ.

  • Nervous— This setting blocks all unsolicited inbound traffic, but it allows more traffic such as Web content, ICQ-type programs, and streaming media to function without a problem.

  • Trusting— All ports remain open and unblocked, so no filtering protects you. This is probably a good setting to use if you have a laptop that you use at work or if you are running it on a computer that is already behind another firewall.

BlackICE's latest incarnation, version 2.5, has added port filter rules that enable you to allow or deny specific ports, no matter which setting you have turned on. BlackICE is slowly adding features, but its basic functionality and ease of use, coupled with its alerting capability, make it a great consumer choice.

Caution

Although BlackICE has some great features, it's not the most robust of firewalls. With the addition of the port filtering options, it is making progress to compete with products such as WinRoute, but it has a way to go. The “AdvICE” data is helpful, but sometimes it reports an attack that doesn't correspond to the actual attack; the signature of the attack is not quite identified correctly. Basic information is reported in the interface, but to get a log history, you have to turn on logging, and after logs are written, reading them is not that easy. Other products are available from Network Ice and from third parties that allow you to better manage log files, but these do not come installed with BlackICE Defender. If you stay with the Cautious level, you will be protected, but some ports might be open to attack. Attackers can use ping to see if you are alive even if you use the Paranoid level. Although the Paranoid level will stop just about all inbound traffic, outbound traffic is not monitored. If a Trojan horse compromises your system and data is sent out from your machine automatically by the malicious program, BlackICE wouldn't be able to tell you. Finally, to get even more details about port blocking, you must use the advanced firewall settings to allow certain ports through or block ports depending on what security level you are using. No password is available to restrict access to modification of the filter rules. Be careful who can access your computer.


Installation

BlackICE is one of the few firewall products that does not require a reboot after installation. After you have downloaded and installed the software, it automatically begins blocking traffic. You can check for the latest update of the software with the Tools, Download Update option. If an update is available, you can download it and execute the update, all without rebooting the system.

Configuration
1. The default installation of BlackICE is set to the Cautious level, as shown in Figure 11.3. This level blocks some unwanted inbound traffic and has Auto Blocking enabled. Packet logging is not enabled, but Evidence logging is. When an attack is detected, the Alert indicator goes off with a flashing icon in the system tray.

Figure 11.3. Default BlackICE settings.


2. You can change the configuration of the security levels through the Tools, Edit BlackICE Settings option. The Cautious level that is the default protects against basic attacks and allows free access to outbound Internet resources. The Paranoid level is the most secure, but it can block certain traffic that you might actually want. When this type of blocking occurs, you can set up specific rules to allow certain ports to have access to your computer.

3. Logging of Evidence is enabled by default, but regular packet logging is not. You can turn on packet logging through the Tools, Edit BlackICE Settings, Packet Log option, as shown in Figure 11.4. The problem with this option is that all packets are logged, not just selected traffic. In addition, you will need a separate program to view the log files; they cannot readily be viewed with a basic program such as a text editor. Windows Network Monitor or other third-party programs can read these files, and Network Ice has additional programs that can be used to analyze the logs in the BlackICE installation directory. You can set the log size and the number of logs to create. After that number of log files has been created, they start overwriting each other.

Figure 11.4. Logging enabled.


4. With the basic configuration options, you can begin blocking traffic. Detailed traffic blocking can be accomplished with the Tools, Advanced Firewall Settings option. Through this option, you can filter by IP address, as shown in Figure 11.5, or by port number, as shown in Figure 11.6. These settings trust the IP address 192.168.1.5, block port 139, and allow ports 20 and 21.

Figure 11.5. IP address filter.


Figure 11.6. Port filter.


5. An attack will set off the alert function, which can be audible beeping or a flashing BlackICE icon in the system tray. The attacker's IP address and domain name (if a lookup on the IP address is possible) will be shown in the Attacks and Intruders windows, as shown in Figure 11.7. By right-clicking on the attacker, you can set up blocking or trusting of the IP address for a period of time.

Figure 11.7. Intruder detection.


Default Installation Port Scan Results

After BlackICE is installed, the basic security options enable a good deal of security. Unsolicited traffic is blocked, and Auto-Blocking can further block an intruder. The Alert function notifies you when an attacker is attempting to probe or break into your system. A port scan of the default installation is shown in Figure 11.8.

Figure 11.8. Port scan results.


Enhanced Filtering Options
1. To further restrict access, set the security level to Paranoid, as shown in Figure 11.9.

Figure 11.9. Paranoid option.


2. The Paranoid level might block some traffic you want, such as Java or ActiveX, but with the Advanced Firewall Options, you can enable specific ports and IP addresses.

3. Logging is always beneficial, even if you don't review the log files on a daily basis. Enable Packet Logging from Edit BlackICE Settings, Packet Log. Review your log files frequently.

ZoneAlarm Pro

ZoneAlarm Pro is the paid version of the firewall from ZoneLabs. The free version is ZoneAlarm. We will look at the robust Pro version to compare it with the other products we are reviewing. Like some of the other products we tested, Pro provides a wide range of firewall capabilities to block attacks from hackers on the Internet who are seeking to pillage your broadband connection. From the ZoneAlarm Web site (www.zonealarm.com), you can download a fully working evaluation version for 30 days, or you can purchase it, of course. The Pro version is about 3.2MB in size.

The installation process is simple and provides a helpful walkthrough wizard that sets up most of the filter rules for you. By selecting all the default options, you will be ready to go as soon as the wizard is complete. During the wizard process, you can set a password to protect the application. The nice thing is that no reboot is required.

Pro has a built-in networking capability so you can set up a DMZ and have your internal computers, such as your kid's PC, protected by your Pro firewall. It has three configuration options: low, medium, or high. The easy-to-understand user interface allows you to navigate the functions easily. ZoneLabs has a comprehensive support Web site. Technical support is also available through technicians.

Caution

You don't have much to worry about with Pro. The default installation is secure. The one problem is that you have to know what programs you need to allow access to the Internet, such as Netscape, Mail, and Internet Explorer. When someone port scans your system, the number of alerts can be daunting; you have to understand what is a legitimate connection and what is not. Unlike some of the other programs, you cannot set up your own filter rules without first having a program execute and attempt to perform some function that Pro does not already know about.


Installation

After you have downloaded the installation program and run through the install process, Pro starts a wizard that walks you through the setup procedure. Using the default install directory should be fine for most operating system implementations. Pro runs at startup by default whenever you reboot your machine.

Configuration
1. Most of the wizard screens are informational, as in Figure 11.10. The nine wizard screens explain a bit about firewalls and Pro.

Figure 11.10. ZoneAlarm Wizard.


2. One of the configurations you can select is setting up a password, as shown in Figure 11.11.

Figure 11.11. Password protection.


3. The next configuration option you can select is to enable an ICS/NAT network. If you are not running a network, use the default option, as shown in Figure 11.12. If the computer on which you are installing Pro is going to be a gateway firewall to protect the rest of your computers, give that computer's IP address as the gateway. This computer will then route data into and out of your network. If another computer on your network is the gateway, select the third option and put in the IP address of your other gateway computer.

Figure 11.12. ICS/NAT configuration.


4. After you finish the walkthrough wizard, Pro is up and running and protecting your computer with the High security level, as shown in Figure 11.13. This level blocks just about all unsolicited traffic. Security zones are already defined that you can modify: Local, Restricted, and Internet.

Figure 11.13. Custom zone settings.


5. Selecting the Advanced option under the Security tab allows you to customize each zone, as shown in Figure 11.14. For example, by default, the Internet Zone blocks ICMP (ping). You can allow your system to respond to ICMP requests by selecting Allow Incoming Ping and Allow Outgoing Ping. If you see constant attacks from one IP address or network, you can add that IP address or network to the Restricted Zone to block traffic from that hostile source.

Figure 11.14. Security settings.


6. If an attack or a port scan is launched against your computer, the default setup options will block it and pop up an alert, as shown in Figure 11.15.

Figure 11.15. Alert pop-up.


7. To further research the attacks and alerts that your system shows, you can select the Alerts tab, as shown in Figure 11.16. You can change the log file location, disable the pop-up alerts, and request more information about an alert from the ZoneLabs Web site. Using the Advanced option, you can change the Alerts that are flagged, change log parameters, and prevent your IP address information from being sent to ZoneLabs Analyzer.

Figure 11.16. Alerts configuration.


8. If you are going to step away from your computer, you can stop all Internet traffic with the Lock functionality, as shown in Figure 11.17.

Figure 11.17. Internet Lock settings.


9. You can also restrict each program that you use to access the Internet, as shown in Figure 11.18. In the default setting, when a program runs, Pro asks you if you want to let it have access. After you enable a program, you can use the Programs tab to change options on each program. These options might include allowing or denying access in the Local and Internet Zones, allowing the program to function if the Lock is on, and specifying ports that the program can access.

Figure 11.18. Program settings and zone restrictions.


10. Pro runs automatically at startup. The Configure tab allows you to change this option, change the password, and check for updates, as shown in Figure 11.19.

Figure 11.19. Application Configuration option.


Default Installation Port Scan Results

The tight restrictions that are enabled by default with Pro block just about all outside connections that are not specifically allowed. When a port scan is performed, it does not return results, as shown in Figure 11.20.

Figure 11.20. Port scan output.


Enhanced Filtering Options

The default options of Pro (security level High) are extremely secure. You can block almost all traffic, and you can disable ping. You can add a password to the system during the configuration to keep anyone else from modifying your rules. You don't need much else to make the program more secure while keeping it functional.

Norton Personal Firewall

Personal Firewall 2002 is part of Norton's Internet Security 2002 suite. Although it is somewhat geared toward businesses, home users can also use it. The product comes with antivirus built in, which is a nice feature. Like the other products already discussed, Personal Firewall 2002 logs attacks and shows the attacker's IP address. During the initial setup, you can have configurations created for the programs on your system that might need further restrictions.

The Norton product goes a step beyond the other firewalls already discussed by allowing you some control over cookies. This cuts down on the need for a separate program such as CookiePal. With the addition of a password feature, only the home administrator can change these types of settings; therefore, you can control all changes to the filter rules. Some additional features that are privacy geared include the ability to protect specific information such as your credit card numbers, your Social Security number, and your e-mail address.

The varying security levels (Minimal, Medium, High), Internet access, and privacy options can be adjusted separately, giving more granularity to the controls. The Minimal selection allows the firewall to block only known malicious applications; the Medium selection blocks most malicious applications; and the High selection allows only approved programs to function.

The Security category offers a rule-based, interactive-learning firewall capability that automatically generates rules based on the programs the user uses to connect to the Internet. Both inbound and outbound access can be filtered. Like the other products already discussed, Norton Firewall 2002 has logging capabilities.

Caution

By default, Norton Personal Firewall (NPF) is not enabled. You are asked to enable it after you have installed and rebooted your system. The default installation still leaves two important ports open: 135 (the Windows RPC endpoint mapper) and 139 (the NetBIOS session service). Both are routinely probed on Windows systems. You must add further port filters to restrict these ports.


Installation

Purchasing NPF 2002 saves a setup file to your hard drive. The full 15MB program is downloaded to your computer after you execute this setup file. After you have downloaded NPF, the installation procedure is simple. You do not need to reboot the computer when installation is finished. NPF is not enabled when the installation completes; it stays disabled until you run the configuration, so you must configure the program before it starts blocking.

Configuration

Configuration is a simple process, as it is with many of the other products. A wizard provides a basic walkthrough for you to set up the configuration. Follow these steps:

1.
When installation is complete and you reboot, the configuration wizard has some basic configurations already set. You can check the preset configuration level, which is Medium, as shown in Figure 11.21.

Figure 11.21. The default security level is Medium.


2.
The next action you can take is to set up Privacy Controls, as shown in Figure 11.22. You can set up the program to block access to information such as e-mail, bank account information, credit card information, and so on.

Figure 11.22. Privacy controls set during configuration.


3.
The next configuration option can automatically set up rules for the applications that connect to the Internet, and you can allow or deny access to these applications. NPF can look for applications such as Netscape and e-mail, as shown in Figure 11.23.

Figure 11.23. Scanning for applications.


4.
The next step is to set up detailed network configuration. The Trusted Zone allows access to systems you trust, and the Restricted Zone blocks access to systems you do not trust. Our system is on a 192.168.x.x address and becomes part of the Trusted Zone.

5.
The next configuration screen is where you select Current Status to enable the firewall rules, as shown in Figure 11.24. After the rules are enabled, they start blocking traffic. Through this screen, by default, the Intrusion Protection section enables Detect Port Scan Attempts and Enable Autoblock.

Figure 11.24. Enable Norton filter rules.


6.
The Reporting option shows that the reporting level is set to Minimal. This can be increased to Medium or High to enable more logging information.

7.
The Alert tracking is automatically enabled in the next configuration option.

Default Installation Port Scan Results

The default installation of NPF, with its security setting set to Medium, blocks ICMP. No port will show up in the port scan output unless you have enabled the ports in NPF prior to this point. The output of the port scan against a default install is shown in Figure 11.25.

Figure 11.25. Port scan output.


After the configuration wizard walk-through is complete, a port scan of the resulting settings gives different output (see Figure 11.26).

Figure 11.26. Port scan output after the configuration wizard is complete.


As you can see from this output, most of the ports are blocked, but an attacker still sees some key ports with the default options. To restrict the ports that are visible, it's necessary to manually change the filtering options.

Enhanced Filtering Options

As with most firewall products, you can increase the default security options with enhanced features. By increasing the security features, you further restrict access to your computer. Follow these steps:

1.
Increase the Reporting level from Minimal to Medium.

2.
The Trusted Network enables trusts for the network your machine is on. If there are other machines on your network that you do not own or control, you do not want to automatically trust them. Remove the network from the Trusted Zone and only add single IP addresses.

3.
Enter information such as e-mail addresses in the Privacy Controls options. You do not have to enter your full credit card or Social Security number: NPF blocks outbound data that contains the string you enter, so a partial number (the last four digits, for example) is enough, and it avoids storing the complete number in the firewall's own configuration.

4.
Use the Medium Level for cookie checking under the Privacy Control, Custom Level option.

5.
Under the Personal Firewall, Configure option, enable more granular controls such as the following:

  • Disable Default Inbound ICMP

  • Disable Default Inbound NetBIOS Name

  • Disable Default Inbound NetBIOS

  • Disable Default Inbound Bootp

  • Disable Default Outbound Bootp (see Figure 11.27)

    Figure 11.27. System-wide filter rules can be modified.

6.
Modify the Personal Firewall Settings, Custom Level option to enable the Medium setting for Java Applet Security and ActiveX Control Security, as shown in Figure 11.28.

Figure 11.28. Custom security settings.


Sygate Personal Firewall

Sygate Personal Firewall (SPF) 4.2 is a robust firewall product. It has an easy-to-understand user interface that is intuitive and simple. The display window shows activity and traffic patterns as they occur. The custom rule configuration makes it easy to set up new rules and increase the filtering capabilities that come built into the standard installation. One key feature is the ability to test the rule set using the Sygate Web site.

Like the security setting of other programs, the SPF offers three security settings: Normal, Block All, and Allow All. Normal is the recommended mode of operation, allowing setting of security rules and protection. Block All stops all traffic, and Allow All disables all filtering options. With the Test function, you can use the Sygate Web site to test your filter rules.

Ports and IP addresses can specify granular access. When an attack is launched that is blocked by the ruleset, SPF can send an e-mail to you. Detailed logging shows attacker information such as time, date, remote IP, remote port, local IP, and local port. You can backtrace the attack information that is logged to gain more information about the attacker. An example might be performing a trace to see where the attacker is coming from, or performing a WHOIS lookup on the owner of the IP address.

Caution

Several problems are apparent with this product. The first is that password protection is not forced by default; you must manually configure the password. Secondly, having the application ask you every time you need access to some function can be quite cumbersome. And third, the Sygate Test feature worked only once in about three tries as we tested this product.


Installation and Configuration

Sygate installation is packaged and simple. A reboot is required when the install is complete. A default installation has security features turned on. All traffic in and out of the system is checked, and you can allow or deny access. Do the following:

  1. Install the setup file and reboot the computer. If you are connected to the Internet when you restart the computer, the machine might attempt to broadcast to the Internet for some reason, such as checking for a DNS server. In our example, as soon as we rebooted, the computer started broadcasting information. Sygate picked it up immediately, before we got to set up rules and security settings (see Figure 11.29). You have the option of remembering your answer to allow or deny the function to occur.

    Figure 11.29. Detection of activity at program start.

  2. After you have rebooted, you can start the Sygate administration program from the Start menu, as shown in Figure 11.30.

    Figure 11.30. Administration screen.

  3. From the Tools menu, you can check all applications. You can modify each process to allow or deny granular access to and from ports using the Advanced button, as shown in Figure 11.31. Each service has the Access methods of Allow, Ask, or Block. The system can use these options to let the service function, ask your permission, or always block access. Right-clicking on the service allows the access method to be changed or even removed.

    Figure 11.31. Setting up port rules.

  4. Through the Tools, Options menu, you can set a password to secure access to the program, run the program at startup, and set up e-mail notification and log settings (see Figure 11.32).

    Figure 11.32. Setting up logging.

  5. When you have the system up and running, you can set up the Advanced Rules through the Tools, Advanced Rules option. You can set up specific rules, as in Figure 11.33, to fine-tune your access to the Internet and provide a good defense against attackers. In this example, we have set up two rules. The first one blocks ports 80, 20, and 21 (Web and FTP) from the IP address 192.168.1.1. The second one blocks ICMP (ping) from IP address 24.7.48.70.

    Figure 11.33. Advanced filter rule setup.

  6. After you have set up the rules you need, you can start watching your log files for hacker activity. The default settings are enough to stop many attacks. Pinging the system from a remote computer is enough to issue a warning to the screen. You can see log file captures of traffic in Figure 11.34. Several types of logs are being captured in a readable format: Security, System, Traffic, and Packet. In the Log window, you can select an IP address and perform a Backtrace, which attempts to find more information on the attacking IP address by using WHOIS. (We discussed WHOIS in Chapter 6, “Understanding the Online Environment: Addresses, Domains, and Anonymity.”) You can save the log with the File, Export function.

    Figure 11.34. Log output.
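The log and Backtrace functions above give you the raw material for spotting a scan yourself. As an added example (not code from the book or from Sygate), the Python script below reads firewall log lines carrying the fields the chapter lists (date, time, remote IP and port, local IP and port) and flags any remote address that touches several distinct local ports within a short window, which is the judgment a "Detect Port Scan Attempts" or Autoblock feature makes. The lines in SAMPLE_LOG, including their layout, are constructed for this example; Sygate's real log format is not shown on the page, so adapt parse_line() to whatever your firewall exports.

```python
"""Added example (not from the book or from Sygate): a port-scan detector over
firewall log lines carrying the fields the chapter lists. SAMPLE_LOG and its
layout are constructed for this example; adapt parse_line() to the real format."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2002-03-14 22:15:01 blocked 24.7.48.70:4321 -> 192.168.1.5:21
2002-03-14 22:15:01 blocked 24.7.48.70:4322 -> 192.168.1.5:23
2002-03-14 22:15:02 blocked 24.7.48.70:4323 -> 192.168.1.5:25
2002-03-14 22:15:02 blocked 24.7.48.70:4324 -> 192.168.1.5:80
2002-03-14 22:15:03 blocked 24.7.48.70:4325 -> 192.168.1.5:135
2002-03-14 22:15:03 blocked 24.7.48.70:4326 -> 192.168.1.5:139
2002-03-14 22:15:03 blocked 24.7.48.70:4327 -> 192.168.1.5:445
2002-03-14 22:16:40 blocked 192.168.1.1:1032 -> 192.168.1.5:139
2002-03-14 22:40:12 blocked 10.9.8.7:53 -> 192.168.1.5:1027
2002-03-14 22:41:55 blocked 10.9.8.7:53 -> 192.168.1.5:1028
"""


def parse_line(line):
    """date time action remote_ip:port -> local_ip:port; None if malformed."""
    parts = line.split()
    if len(parts) != 6 or parts[4] != "->":
        return None
    try:
        when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
        r_ip, r_port = parts[3].rsplit(":", 1)
        l_ip, l_port = parts[5].rsplit(":", 1)
        return when, r_ip, int(r_port), l_ip, int(l_port)
    except ValueError:
        return None


def detect_scans(log_text, min_ports=5, window_seconds=60):
    """Remote IPs that hit at least min_ports distinct local ports within
    window_seconds. Returns {remote_ip: sorted list of ports probed}."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)  # remote_ip -> [(time, local_port)]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            when, r_ip, _, _, l_port = rec
            events[r_ip].append((when, l_port))
    flagged = {}
    for r_ip, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):  # slide the window over each start
            ports = {p for when, p in evs[i:] if when - start <= window}
            if len(ports) >= min_ports:
                flagged[r_ip] = sorted(ports)
                break
    return flagged


def autoblock_list(log_text, **thresholds):
    """Addresses an Autoblock-style feature would add to its block list."""
    return sorted(detect_scans(log_text, **thresholds))


if __name__ == "__main__":
    for ip, ports in detect_scans(SAMPLE_LOG).items():
        print(f"scan from {ip}: ports {ports}")
    print("autoblock:", autoblock_list(SAMPLE_LOG))
```

A single blocked connection from a neighbour (192.168.1.1 touching port 139 once) stays below the threshold, while the seven-port sweep from 24.7.48.70 in three seconds is reported together with the ports it tried. Those are the addresses worth running a WHOIS lookup on.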

Default Installation Port Scan Results

The default installation of Sygate is pretty secure in that it asks you if you want to allow any kind of access to your system. The port scan of the default installation, shown in Figure 11.35, immediately pops up an alert on the computer. The default installation does not show open ports if you deny access when the alert pops up. The default option also disallows ICMP, which will block a ping to your system.

Figure 11.35. Default port scan results.


Enhanced Filtering Options

Several enhanced options can be turned on to make the Sygate firewall more secure. Several of these include

  • Sygate Personal Firewall— Starting the firewall automatically as a service is not enabled by default. Enable it to start at system startup by selecting Tools, Automatically Start Service.

  • A password— This can be enabled on the application through Tools, Options, Set Password.

  • E-mail notification— If you are away from your computer and want to be notified when an attack occurs, use this option, under Tools, Options, E-mail Notification.

  • Sygate Web site— Click Tools, Test Your System Security to use this site to check your security settings.

  • Granular rules— Use Tools, Advanced Rule Settings to define granular rules that might be needed, such as allowing ICQ or blocking a specific type of traffic.

Tiny Software Personal Firewall

Tiny Software Personal Firewall (TPF) is a scaled-down version of the WinRoute Pro/Lite model. After it is installed, it sits in the system tray. Recent log entries are shown in the main window, and the log is also saved to a file.

Installation of TPF is simple. It is not as robust as Norton or McAfee, but it does the job. The default installation is in AskMe First mode: the first time an incoming or outgoing connection is made, TPF asks your permission. Installing with network connections open does not close those connections; only when the operation is complete does TPF ask you to apply a filter rule to the network process. The Firewall Administration function lets you configure more granular access controls, including filtering by port and IP address. When you allow connections, the Status window lets you see the open connections. When you are attacked and access is blocked based on your ruleset, an alert window is displayed. Support for TPF comes in the form of online manuals and FAQs and a toll-free phone number.

Caution

TPF has several disadvantages. A key feature that is missing is the ability to allow specific ports or port ranges from the security levels. This can hamper you if you want maximum security but need one key port to stay open. TPF comes with logging capabilities like the other programs, but the logs do not display the attack information the way the other programs do. When you create a filter rule in the Advanced dialog box, you must close the dialog box and reopen it for the new rule to appear. Although the filter rules can alert you to an attack, if you specify during rule creation that the rule applies to all further instances of the attack, you will not be alerted again when it recurs. You can be under constant attack and not know it, even if your filter rules are blocking the attacks, and an intruder might eventually get past your rules while you are unaware that you are in danger. A View option for seeing all the attacks, which so many of the firewall products have, is not available. You must check the log files to see information on attacks.


Installation

After you have installed TPF and rebooted your computer, TPF immediately begins asking you whether you want to permit or deny inbound/outbound connections. Figure 11.36 shows an obscure alert message during system startup. This is helpful because the system is being secured even before you configure the firewall. The problem, as with Sygate, is that you probably don't know what all the services are. To understand some of these low-level communications, you might need to do some research. If you must answer before you have researched an alert, allowing the connection keeps the system working, but it is not a secure choice; treat such an allow as temporary. Research every alert you do not understand, and then go back and disable the rules that are not necessary. You don't want to break the system while you're trying to secure it.

Figure 11.36. Pop-up alert message during system startup.


Configuration
  1. The firewall is enabled by default with the Ask level. Like Sygate, it has two other levels: Cut Me Off, which disables all network activity, and Don't Bother Me, which removes all firewall filters.

  2. The Filter Rules tab, shown in Figure 11.37, shows all the default rules. These can be added, deleted, or modified to enable more granular filter rules.

    Figure 11.37. Advanced port filter ruleset.

  3. Like its big brother WinRoute Pro, TPF has password protection and remote administration capability, and it can run automatically as a service when the system starts. These options are set through the Miscellaneous tab, shown in Figure 11.38.

    Figure 11.38. Password and remote administration capability.

  4. When password protection is set up, you must enter the password to administer the program, as in Figure 11.39. If you want to administer another computer running TPF, place its IP address in the Host box and make the connection.

    Figure 11.39. Administration Login dialog box.

  5. When a connection matches none of the already defined rules, TPF asks whether you want a rule created for it. Rather than your having to set up all the details of the new rule, TPF generates it for you.

  6. You can obtain a list of your system's listening ports and its connections to other IP addresses by right-clicking the icon in the system tray and selecting Status Window. The results are shown in Figure 11.40.

    Figure 11.40. Status window.

Default Installation Port Scan Results

The default installation blocks many ports, but not all of them. During the scan, TPF pops up alerts about certain services being contacted, which you can then deny. But after the scan is complete, some ports are still found and reported to the port scanner, as shown in Figure 11.41.

Figure 11.41. Default setup port scan results.


Enhanced Filtering Options

The enhanced filter options available in TPF are not as numerous as in some of the other products. Several changes that can be made include

  • Modify the filter rules so that TPF does not ask each time a frequently accessed service such as ICMP is contacted. For new filter rules generated the first time TPF sees the traffic, this can be set at creation; for already defined rules, it can only be set when the filter is triggered by incoming or outgoing traffic.

  • As soon as you start up the program, set a password and do not enable remote administration unless you require it.

  • Perform a port scan of your system after you have completed the installation and determine which ports are still visible. Set up filter rules through the Advanced option to block the ports that you do not want available to an attacker.

WinRoute Pro

WinRoute Pro is a bit out of the league of the other firewall products. Although it is not geared specifically at the home user market as is WinRoute Lite and Tiny Personal Firewall, it is easy enough for a home user to understand eventually. WinRoute Pro can be used to set up a complex home network to filter just about any kind of traffic you need. It does require a good understanding of networking, but we will go through some basic setup options to get you going.

WinRoute Pro has some complex features. One of its main features is the remote administration capability. With password protection and administration via a Web page, corporate administrators can modify rules remotely. Because it is a networking firewall, multiple users can be set up, DMZ and NAT can be used, and individual rules can be applied to protocols, IP addresses, and ports. Incoming and outgoing data can be filtered, monitored, and logged. All pieces—such as TCP, UDP, ICMP, ARP packets, DNS requests, and time information—can be logged.

With the firewall features comes built-in server capability. WinRoute Pro has Mail, DHCP, Proxy, and DNS capability. With all these capabilities, your main gateway machine can run these services and protect all the computers behind the firewall. Port mapping can be set up to forward packets to specific machines and ports. All these features can be turned on or off by clicking on the icon in the system tray and starting or stopping the program.

The support that is provided by Tiny Software through its Web site and documentation gives troubleshooting information and example information for setting up the firewall. Tech support is also available for any questions.

Caution

WinRoute Pro is not for the faint of heart when it comes to networking. It is a robust and detail-oriented program that can be used to build an extensive internal and external network. By default, it has no filter set. It is up to you to define each rule by port and protocol. You need in-depth knowledge to operate the program.


Installation

WinRoute Pro 4.1 is easy to install and runs on several flavors of Windows. The complexity of the program is matched by its capability. WinRoute has a simple installation procedure. After you run the setup program, you are required to reboot. When you install, no rules are active, as shown in Figure 11.42. WinRoute starts by default. If you want to manually start WinRoute (not recommended), you can disable automatic startup by right-clicking on the icon in the system tray and selecting Startup Preferences. You can then uncheck the two options for automatic startup.

Figure 11.42. Rules screen.


Configuration
  1. After you reboot and enter the license key, you are ready to configure one of the most robust personal firewalls. Because no rules are installed by default, the servers are running (mail, proxy, and DNS), and remote administration capabilities are enabled, you want to set a password on the account. If you do not set a password on the Admin account, anyone can port scan your system, see the remote administration ports are open, and modify your filter rules. You can set a password through the Settings, User Accounts, Edit option. Add your own password where the *s are, as in Figure 11.43. Through this option, you can also set up other users, although for home users, you probably don't want to do this. In a corporate environment, you might want to do this.

    Figure 11.43. Password protection.

  2. When the password is set, turn off the servers that are running—such as Mail and Proxy—if you do not need them. You can disable these servers through Settings, Mail Server and Settings, Proxy Server (runs on port 3128 by default) option. The DHCP server is disabled by default. You can leave the DNS Forwarding settings as they are. Figure 11.44 shows how you can enable or disable these servers.

    Figure 11.44. Proxy server screen.

  3. After you have disabled the server from running, disable the remote administration capabilities if you will not be performing remote functions. Don't run services that are not absolutely necessary. An attacker can contact the remote administration port if it is open and attempt to gain access. You can disable the remote function through Settings, Advanced, Remote Administration, as shown in Figure 11.45.

    Figure 11.45. Remote administration screen.

  4. You can turn on some built-in security options. To select them, choose Settings, Security Options. Instead of using the packet filter rules manually, you can select Drop ICMP packet to deny pinging of your system by attackers, drop packets that don't have a NAT destination, set up logging of NAT, and report to the display window, as shown in Figure 11.46.

    Figure 11.46. Security Options screen.

  5. When the basic options are set, you can begin setting up the packet filter rules by selecting Settings, Advanced, Packet Filter. Without these rules, WinRoute is no good to you. From here, you can set rules for inbound and outbound traffic. You can apply a rule to a specific interface or to all interfaces. If the system running WinRoute is your gateway and it has a second interface to your internal network, you might want different rules on each interface. (If you are not sure what an interface is, it's the network card. Most systems have just one network card unless you have an internal DMZ set up behind your firewall.) You can set up a rule that blocks ICMP (ping) to the system while still allowing you to ping other systems. In other words, you can tell whether someone else is connected to the Internet, but that person can't tell whether you are alive, as shown in Figure 11.47. This example drops Echo Request packets from any address, so your system never answers a ping. Because the action is Drop rather than Deny, no "Unreachable" error message goes back to the attacker either. (An error message is still a reply, and a reply tells the attacker that a system is alive.) The packet is "dropped" into nonexistence and logged in the display window. You could also log to a file, of course.

    Figure 11.47. Rule to block ICMP (ping).

    Another example of a filter rule is shown in Figure 11.48. In this example, a filter is set on the TCP protocol. Any address that tries to make a connection to port 139 (a dangerous port in Windows) on the host is "dropped," logged in the display window, and written to the log file. In this case, "drop" is used instead of "deny" because a "deny" rule answers the attacker with a rejection (a TCP reset or an ICMP error), which confirms that a live system is there and that the port is being protected. A "drop" rule sends the packet into nowhere and gives the attacker no information; the port simply appears filtered.

    Figure 11.48. Filter rule to block port 139.

    Note

    Learning all the intricacies of setting up filter rules will take you some time. A good principle to follow is to allow only the ports you need, such as Web (80) and SSL (443) for credit card transactions, FTP (20, 21), and the other programs you use, and to block everything else. That stops most attacks, because an attacker can reach only what you expose. (A packet filter cannot keep a flood from consuming your connection's bandwidth, however, so it is not a cure for denial-of-service attacks.) The supporting documentation on the Tiny Software site is helpful in understanding filter rules, and the site also provides some good examples of setting up a home network.


  6. The filter rules, with logging enabled, will send information to the display window and the log files if you check those log boxes when setting up rules. To check the files, open the Security window by selecting View, Logs, Security Logs to see what activity is taking place on your system (see Figure 11.49).

    Figure 11.49. Logging output.

Default Installation Port Scan Results

The default installation of WinRoute Pro does not apply firewall rules. This basically means your system is just as open to attack as if you had no firewall installed. A port scan of the system with a default installation returns the results shown in Figure 11.50 with SuperScan.

Figure 11.50. Default WinRoute port scan results.


As you can see, many ports are open, including the Web-Admin port, 3129. If you have not password-enabled WinRoute, anyone who sees this port with a port scanner can connect to your system and administer your firewall! This is a very bad thing.
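The SuperScan output above, and the choice between "drop" and "deny" in step 5 of the configuration, can both be checked with a scanner of your own. The following Python script is an added example (not code from the book, from WinRoute, or from SuperScan). It probes a list of TCP ports and reports each one the way an attacker's scanner sees it: open (a SYN/ACK came back), closed (a reset came back, so the host is alive even though nothing is listening there, which is what a "deny" rule produces), or filtered (nothing came back before the timeout, which is what a "drop" rule produces). The port list and the local listener it opens are constructed for the demonstration; run the probe from a second machine against your firewall's external address to see what the Internet sees.

```python
"""Added example, not from the book: a TCP connect probe that reports ports the
way an attacker's scanner (SuperScan, for example) would see them.

open      a SYN/ACK came back: a service is listening
closed    a reset came back: the host is alive but nothing listens ("deny")
filtered  no reply before the timeout: the packet was dropped, or no host ("drop")
"""
import socket


def probe(host, port, timeout=1.0):
    """Return 'open', 'closed' or 'filtered' for one TCP port on host."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "filtered"      # silently dropped: no SYN/ACK and no RST
        except ConnectionRefusedError:
            return "closed"        # RST received: host answered, port not listening
        except OSError:
            # no route, or an ICMP error: nothing usable for a connection came
            # back (though an ICMP error does show that some device answered)
            return "filtered"
        return "open"


def scan(host, ports, timeout=1.0):
    """Probe each port in turn; returns {port: state}."""
    return {port: probe(host, port, timeout) for port in ports}


def host_appears_alive(results):
    """A host behind a pure 'drop' rule set answers nothing, so every port is
    'filtered'. Any other state means some reply came back."""
    return any(state != "filtered" for state in results.values())


def start_local_listener():
    """Open a throwaway listening socket on 127.0.0.1 so the demo has one
    'open' port to show. Returns (socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def unused_local_port():
    """Pick a TCP port on 127.0.0.1 with nothing listening (a 'closed' result)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed demo against the local machine: one live service, one dead
    # port, and the Windows ports the chapter keeps warning about.
    srv, live_port = start_local_listener()
    results = scan("127.0.0.1", [live_port, unused_local_port(), 135, 139, 445])
    for port, state in sorted(results.items()):
        print(f"{port:5d}/tcp  {state}")
    print("host appears alive:", host_appears_alive(results))
    srv.close()
```

Run from another machine against the external address of a default WinRoute installation, the scan reports open ports such as 3129. Once the Table 11.3 rules are in place, every port comes back filtered and host_appears_alive() returns False, because nothing the scanner sends is answered.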

Enhanced Filtering Options

To use WinRoute securely, you can do a few things immediately:

  • Add a password to the Admin account— Do this by selecting Settings, Accounts. Select the Admin account and Edit it.

  • Disable or restrict Remote Administration capability— From Settings, Advanced, Remote Administration, uncheck Enable Remote Administration over Network or select Allow Access From and put in an IP address where you allow connectivity, such as from your work computer or work firewall IP address. In this same screen, uncheck Enable Web-Admin Interface on Port or select Require User Authentication. In most cases, you will want to just disable these options.

  • Disable the mail server— From the Settings, Mail Server option, uncheck the Mail Server Enabled option.

  • Disable the proxy server— From the Settings, Proxy Server option, uncheck the Proxy Server option. Leaving the proxy running is mostly a usability issue, but a proxy that is reachable from the Internet without authentication can be used by strangers to relay their traffic through your machine, so disable it unless the computers behind your firewall need it.

  • Enable the option DHCP Server Enabled— If you will be using this WinRoute computer as a DHCP server, do this under Settings, DHCP. Then set up the address range for your internal network by selecting New Scope (see Figure 11.51). A typical setting for a home network is a range from 192.168.1.2 to 192.168.1.10, a Mask of 255.255.255.0, a Default Gateway of 192.168.1.1 (the WinRoute computer's internal address, if it is your gateway), a DNS Server that is the same as your ISP's DNS server, and a Lease Time of 60 days.

    Figure 11.51. WinRoute DHCP settings.

  • Set several ICMP options— Do this by using Settings, Advanced, Security Options. However, you can make things more granular by using the Packet Filter rules.

  • Set up several packet filter rules to allow basic functionality— These rules can be set through Settings, Advanced, Packet Filter. From here, select the Network Adapter or Any Interface on the Incoming tab to apply the rules. These rules can be set as shown in Table 11.3.

Table 11.3. WinRoute Rules

Rule  Protocol  Source           Destination                       Action  Log Packet    Other Options
  1   ICMP      Any              Host: Your External IP Address    Drop    Window        ICMP Type = Echo Request, Redirect, Unreachable, Time Exceeded
  2   ICMP      Any              Any                               Permit                ICMP Type = Echo Reply
  3   UDP       Any, Port = 53   Any, Port = Any                   Permit
  4   UDP       Any, Port = Any  Any, Port = Any                   Drop
  5   TCP       Any, Port = Any  Any, Port = Between (IN) 135-139  Drop    Window, File
  6   TCP       Any, Port = Any  Any, Port = 445                   Drop    Window, File
  7   UDP       Any, Port = Any  Any, Port = 445                   Drop    Window, File
  8   TCP       Any, Port = Any  Any, Port = Any                   Permit  Window        TCP Flags = Only Established TCP Connections
  9   IP        Any              Any                               Drop

These rules, as shown in Figure 11.52, allow you to ping other systems (rule 2 permits Echo Reply) but drop anyone's ping of your system (rule 1). You can resolve names of Web sites on the Internet (rule 3 lets DNS answers from port 53 back in), and any attempt to reach the blocked Windows ports 135–139 and 445 (key weaknesses in Windows) is logged. Return traffic for connections you opened is permitted by the "established" rule, and everything else is dropped, so no one on the Internet can open a new connection to your system. Two caveats are worth knowing. Like most packet filters, WinRoute acts on the first rule that matches, so rule 4 (drop all UDP) already covers rule 7 (drop UDP to 445), which never fires. More importantly, rule 3 permits any UDP packet whose source port is 53, and an attacker can set that source port deliberately to reach any UDP port on your system; if you can, narrow rule 3 to the IP addresses of your ISP's DNS servers. If you run SuperScan against your system now, it shows no open ports and no sign that the system is alive. An attacker who cannot see a live system or an open port has little to work with. You can, of course, get more granular and set up more rules to run your own Web server or FTP server. It will take a bit of time to explore all the great functionality of WinRoute Pro.

Figure 11.52. WinRoute rules.
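Before trusting a rule set like Table 11.3, it pays to walk a few packets through it. The following Python script is an added example (not code from the book or from WinRoute) that loads the nine inbound rules of the table into a simple first-match evaluator, runs constructed sample packets through it, and looks for rules that an earlier rule already covers. The Packet and Rule fields and the sample packets are this example's own constructions, and it assumes top-to-bottom, first-match evaluation; it is not WinRoute's engine.

```python
"""Added example (not from the book or from WinRoute): a first-match evaluator
for the inbound rules of Table 11.3. Field names, the rule encoding and the
sample packets are this example's own constructions."""
from dataclasses import dataclass

ANY = None  # wildcard for a port field


@dataclass(frozen=True)
class Packet:
    proto: str                 # "TCP", "UDP" or "ICMP"
    src_port: int = 0
    dst_port: int = 0
    icmp_type: str = ""        # e.g. "Echo Request"
    established: bool = False  # TCP ACK set: part of a connection we opened


@dataclass(frozen=True)
class Rule:
    proto: str                 # "IP" matches every protocol
    action: str                # "Permit" or "Drop"
    src_port: object = ANY
    dst_ports: object = ANY    # one port, or an inclusive (low, high) range
    icmp_types: tuple = ()     # empty tuple = any ICMP type
    established_only: bool = False

    def dst_range(self):
        if self.dst_ports is ANY:
            return 0, 65535
        if isinstance(self.dst_ports, tuple):
            return self.dst_ports
        return self.dst_ports, self.dst_ports

    def matches(self, pkt):
        lo, hi = self.dst_range()
        return bool((self.proto == "IP" or self.proto == pkt.proto)
                    and (self.src_port is ANY or self.src_port == pkt.src_port)
                    and lo <= pkt.dst_port <= hi
                    and (not self.icmp_types or pkt.icmp_type in self.icmp_types)
                    and (not self.established_only or pkt.established))

    def covers(self, other):
        """True if every packet `other` could match would match self first."""
        lo, hi = self.dst_range()
        olo, ohi = other.dst_range()
        return bool((self.proto == "IP" or self.proto == other.proto)
                    and (self.src_port is ANY or self.src_port == other.src_port)
                    and lo <= olo and ohi <= hi
                    and (not self.icmp_types
                         or (other.icmp_types
                             and set(other.icmp_types) <= set(self.icmp_types)))
                    and (not self.established_only or other.established_only))


TABLE_11_3 = [  # rules 1 to 9, in the order of the table
    Rule("ICMP", "Drop", icmp_types=("Echo Request", "Redirect", "Unreachable", "Time Exceeded")),
    Rule("ICMP", "Permit", icmp_types=("Echo Reply",)),
    Rule("UDP", "Permit", src_port=53),
    Rule("UDP", "Drop"),
    Rule("TCP", "Drop", dst_ports=(135, 139)),
    Rule("TCP", "Drop", dst_ports=445),
    Rule("UDP", "Drop", dst_ports=445),
    Rule("TCP", "Permit", established_only=True),
    Rule("IP", "Drop"),
]


def evaluate(rules, pkt):
    """Top to bottom, first match wins: returns (action, 1-based rule number)."""
    for n, rule in enumerate(rules, 1):
        if rule.matches(pkt):
            return rule.action, n
    return "Drop", 0  # nothing matched: default deny


def shadowed_rules(rules):
    """Numbers of rules that can never fire because an earlier rule covers them."""
    return [n for n, r in enumerate(rules, 1)
            if any(e.covers(r) for e in rules[:n - 1])]


if __name__ == "__main__":
    samples = {  # constructed inbound packets
        "SYN to NetBIOS 139": Packet("TCP", 40000, 139),
        "SYN to port 80": Packet("TCP", 40001, 80),
        "reply to our Web browsing": Packet("TCP", 80, 51000, established=True),
        "ping request": Packet("ICMP", icmp_type="Echo Request"),
        "reply to our ping": Packet("ICMP", icmp_type="Echo Reply"),
        "DNS answer, source port 53": Packet("UDP", 53, 51234),
        "attacker UDP to 445, source port 53": Packet("UDP", 53, 445),
        "UDP to 445, source port 1900": Packet("UDP", 1900, 445),
    }
    for name, pkt in samples.items():
        action, n = evaluate(TABLE_11_3, pkt)
        print(f"{name:38s} -> {action:6s} (rule {n})")
    print("shadowed rules:", shadowed_rules(TABLE_11_3))
```

Two results are worth noticing. Rule 7 (drop UDP to 445) can never fire because rule 4 already drops all UDP, and rule 3 permits a UDP packet to port 445 as long as the sender sets its source port to 53, which any scanner can do. Restricting rule 3 to your ISP's DNS server addresses closes that hole.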

