
What is a Firewall?

A firewall is a tool that monitors communication to and from your computer.

It sits between your computer and the rest of the network and, according to
some criteria, decides which communication to allow and which to block. It
may also use other criteria to decide which communications or communication
requests to report to you (either by adding the information to a log file
that you can browse whenever you wish, or in an alert message on the
screen), and which not to report.

What Is It Good For?


Identifying and Blocking Remote Access Trojans?

Perhaps the most common way to break into a home computer and gain control
of it is by using a remote access Trojan (RAT), sometimes called a "backdoor
Trojan" or "backdoor program". Many people simply call it a "Trojan horse",
although that term is much more generic. A Trojan horse is a program that
claims to do something innocent but in fact does something much less
innocent. The name goes back to the story in which the Greeks got through
the gates of Troy by building a big wooden horse and presenting it as a gift
to the king of Troy. The Trojans pulled the sculpture inside their gates,
and at night, while the guards were busy watching for an attack from
outside, the Greek soldiers hidden inside the horse came out and attacked
Troy from within. The story, which may or may not be true, is an example of
something innocent-looking being used for a less innocent purpose. The same
thing happens with computers: you may receive a program via ICQ, Usenet or
IRC, believe it to be something useful, and find that running it does
something unpleasant to your computer. Such programs are called Trojan
horses. The accepted distinction between a Trojan horse and a virus is that
a virus can replicate and distribute itself, while a Trojan horse cannot.

RATs (Remote Access Trojans; some say "remote admin Trojans") are a special
type of Trojan horse. Once executed on the victim's computer, a RAT starts
listening for incoming communication from a matching program that the
attacker runs remotely. When it receives instructions from that program it
acts on them, and thus lets the attacker execute commands on the victim's
computer. To name a few famous RATs, the most common are Netbus,
Back-Orifice, and SubSeven (also detected by some antivirus products as
Backdoor-G). For the attacker to use this method, your computer must first
be infected with a RAT.

Preventing infection by RATs is no different from preventing infection by
viruses. Antivirus programs can identify and remove most of the common RATs.
Personal firewalls can identify and block remote attempts to communicate
with the common RATs, thereby blocking the attacker and revealing the
presence of the RAT.

Blocking/Identifying Other Types of Trojans and Worms?

There are many other types of Trojan horse that may try to communicate with
the outside from your computer, whether e-mail worms trying to distribute
themselves using their own SMTP engine, password stealers, or anything else.
Many of them can be identified and blocked by a personal firewall.

Identifying/Blocking Spyware/Adbots?

The term "spyware" is slang and not well defined. It is used mainly for
various adware (adware being a program that is supported by presenting
advertisements to the user) which, during its installation, installs an
independent program that we shall call an "adbot". The adbot runs
independently even when the hosting adware is not running; it maintains the
advertisements, downloads them from a remote server, and reports information
back to that server. The adbot is usually hidden. Many companies offer
adbots and advertising services to adware authors. The information an adbot
delivers to its server from the computer it is installed on is how long each
advertisement was shown, which adware hosted it, and whether the user
clicked on it. This lets the advertising server work out how much money to
collect from each advertiser and how much of it to pass on to each adware
maintainer. Some adbots also collect other information in order to choose
advertisements better suited to the user. The term "spyware" is more
generic, but most of what is called spyware falls into this category. Many
types of adbot can be identified and blocked by personal firewalls.

Blocking Advertisements?

Some of the better personal firewalls can be set to block communication with
specific sites. This can be used to prevent the advertisements in web pages
from being downloaded, and thus to speed up the loading of web sites. This
is not a very common use of a personal firewall, though.

Preventing Communication to Tracking Sites?

Some web pages contain references to tracking sites, e.g. they instruct the
web browser to download a small picture (often invisible) from the tracking
site. Sometimes the picture is visible and shows some statistics about the
site. The tracking site will try to save a small piece of text on your
computer, either as a small file in a special directory or as a line in a
special file (depending on your browser), and your browser will usually
allow the site that saved the text to read it back. These are called "web
cookies", or simply "cookies". Cookies let a web site store information
when you visit it and read that information back whenever you visit it
again. This allows the site to customise itself for you and to keep track
of everything you did on it. The site does not have to keep that
information on your computer: all it needs to save there is a unique
identifying number, and it can then keep, on the server side, a record of
what the browser carrying that cookie has done. By this method alone a web
site can learn only about your visits to that site. Some sites, however,
such as "doubleclick" or "hitbox", collect information from many affiliated
sites by having each affiliated page include a small reference to a picture
on the tracker's servers. When you open one of the affiliated pages, your
browser contacts the tracking site, which can then set or read a cookie
that identifies your computer uniquely; it also learns which web page
referred to it, and any other information the affiliated site chose to
pass along. In this way a tracking site can correlate information from many
affiliated sites, for example to better target the advertisements shown on
those sites when you browse them.

Some personal firewalls can be set to block communication with tracking
sites. This is not a common use of a personal firewall, and a personal
firewall is not the best tool for it, but if you already have one, this is
yet another possible use.
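To make the mechanism above concrete, here is an added example (not code from the original article) that parses a web page the way a browser would and lists every host, other than the page's own, from which the browser would automatically fetch something. Each of those hosts receives the referring page's URL and any cookie it set earlier, which is exactly what lets a tracker correlate visits across affiliated sites. The page, the tracker host names and the 1x1 pixel are constructed for the illustration:

```python
"""Scan a web page for resources the browser fetches automatically from
hosts other than the page's own, i.e. the tracking pixels and ad images
described above.  Added example over a constructed HTML snippet; the
tracker host names are made up for the illustration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class ResourceCollector(HTMLParser):
    """Collects URLs the browser loads without the user clicking anything."""
    AUTO_FETCH = {"img": "src", "script": "src", "iframe": "src", "link": "href"}

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.found = []   # (absolute url, kind)

    def handle_starttag(self, tag, attrs):
        attr = self.AUTO_FETCH.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        if tag == "link" and (a.get("rel") or "").lower() not in ("stylesheet", "icon"):
            return            # rel=canonical and similar links are not fetched
        if not a.get(attr):
            return
        kind = tag
        if tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            kind = "tracking pixel"   # the classic invisible 1x1 image
        self.found.append((urljoin(self.page_url, a[attr]), kind))


def site_of(host: str) -> str:
    """Crude grouping by the last two labels (wrong for co.uk-style suffixes;
    adequate for the illustration)."""
    return ".".join(host.lower().split(".")[-2:])


def third_party_hosts(page_url: str, html: str) -> dict:
    """Map each outside host to the resources the browser would fetch from it."""
    p = ResourceCollector(page_url)
    p.feed(html)
    own = site_of(urlsplit(page_url).hostname)
    out = {}
    for url, kind in p.found:
        host = urlsplit(url).hostname
        if host and site_of(host) != own:
            out.setdefault(host, []).append((url, kind))
    return out


# Constructed page: first-party stylesheet and logo, a visible counter image
# from one outside host, and an ad script plus an invisible pixel from another.
SAMPLE_URL = "http://www.example.com/news/index.html"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://www.example.com/news/">
<script src="//ads.tracker-example.net/serve.js"></script>
</head><body>
<img src="logo.gif" alt="site logo">
<img src="http://counter.stats-example.org/hit.cgi?site=42" alt="visitors">
<img src="http://ads.tracker-example.net/pixel.gif?ref=news" width="1" height="1">
</body></html>
"""

if __name__ == "__main__":
    for host, items in third_party_hosts(SAMPLE_URL, SAMPLE_HTML).items():
        print(host)
        for url, kind in items:
            print(f"   {kind:15} {url}")
```

The hosts this prints are the ones a firewall site-block list, a cookie utility or a hosts-file entry would have to cover; note that the visible counter image is a third-party fetch just as much as the invisible pixel is.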

Blocking or Limiting NetBIOS Communication (as well as other default
services)?

The two common ways for intruders to break into home computers are through
a RAT (discussed above) and through NetBIOS. NetBIOS is a standard for
naming computers in small networks, originally developed for IBM in the
early 1980s and later adopted by Microsoft. Several communication standards
are used with NetBIOS; the ones relevant to Microsoft Windows are NBT
(NetBIOS over TCP/IP), IPX/SPX and NetBEUI. The one used over the Internet
is NBT. If NBT is enabled and there is no firewall or anything else in
between, your computer is listening for NBT communication from the Internet
and will act on the NBT commands it receives from remote programs; in other
words, NBT (often loosely called "NetBIOS") is acting as a server. The next
question is then which remote NBT commands that server will carry out on
your computer. The answer depends on your computer's settings. You may set
your computer to allow file and print sharing; if NBT is also enabled, you
are allowing remote users to access your files or printers. This is a big
problem. In principle the remote user needs your password for that
computer, but many users set no password for their Windows account, or a
trivial one. Older versions of Win95 had file and print sharing over
NetBIOS enabled by default. On Win98 and WinMe it was disabled by default,
but many technicians setting up a home network enable file and print
sharing without being aware that it also grants access to remote Internet
users. There are even worms and viruses that use file sharing to spread over
the Internet. Whether you need NBT for some reason or simply are not aware
of it, a personal firewall can identify and block any external attempt to
communicate with the NetBIOS server on your computer, and the more flexible
ones can be set to restrict who may communicate with it. Some Windows
operating systems, especially those not meant for home use, offer other
public services by default, such as RPC. A firewall can identify attempts to
communicate with them and block them. Since such services listen for remote
communication, there is a potential risk from attempts to exploit security
holes in the programs that provide them, if such holes exist. A firewall may
block or limit communication to those services.

Hiding Your Computer on the Internet?

Without a firewall, even on a well-maintained computer, a remote party will
still be able to tell that its communication attempt reached some computer,
and perhaps learn something about the operating system running on it. If
the computer is well maintained the remote user will not get much more than
that, but might still be able to identify your ISP, and might decide to
invest further time in cracking into your computer.

With a firewall, you can configure it so that communication attempts from
remote users (the better firewalls let you define an exception list) are
not answered at all. The remote user then cannot even tell that it reached
a live computer. This might discourage the attacker from investing further
effort in cracking into your computer.
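The decisions described at the top of the page (allow, block, report) and the "hiding" behaviour just described come down to one rule-matching step per connection attempt. The following added example, not code from the original article or from any firewall product, models that step: an ordered rule list where the first match wins, a default verdict for anything unmatched, and a log of what was decided. It distinguishes "drop" (no answer at all, so the sender cannot tell a host is there) from "reject" (an explicit refusal, which reveals a live host), and leaves the decision about an unknown outbound program to the user ("ask"). The LAN prefix, program names and addresses are assumed for the illustration:

```python
"""Toy model of the decision a personal firewall makes for each connection
attempt: first matching rule wins, otherwise a default verdict.  Added
example; not code from any firewall product.  Unsolicited inbound traffic
is dropped silently by default (the "hiding" behaviour); "reject" answers
with a refusal; unknown outbound programs are referred to the user."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Conn:
    direction: str   # "in" = initiated remotely, "out" = initiated locally
    proto: str       # "tcp" or "udp"
    remote: str      # remote IP address
    port: int        # port on the receiving side
    program: str     # local program handling it; "" if nothing is listening


@dataclass
class Rule:
    action: str                          # "allow", "reject" or "drop"
    direction: str
    proto: Optional[str] = None          # None = any
    port: Optional[int] = None
    program: Optional[str] = None
    remote_prefix: Optional[str] = None  # e.g. "192.168.1." for the LAN
    log: bool = True

    def matches(self, c: Conn) -> bool:
        return (self.direction == c.direction
                and (self.proto is None or self.proto == c.proto)
                and (self.port is None or self.port == c.port)
                and (self.program is None or self.program == c.program)
                and (self.remote_prefix is None
                     or c.remote.startswith(self.remote_prefix)))


@dataclass
class Firewall:
    rules: List[Rule]
    default_in: str = "drop"   # hide: no answer at all to unsolicited traffic
    default_out: str = "ask"   # the user, not the firewall, decides new programs
    log: List[str] = field(default_factory=list)

    def decide(self, c: Conn) -> str:
        for r in self.rules:                 # first matching rule wins
            if r.matches(c):
                if r.log:
                    self.log.append(f"{r.action}: {c}")
                return r.action
        verdict = self.default_in if c.direction == "in" else self.default_out
        self.log.append(f"default {verdict}: {c}")
        return verdict


def scanner_view(verdict: str) -> str:
    """What a remote port scanner concludes from each inbound verdict."""
    return {"allow": "open", "reject": "closed, but host is alive",
            "drop": "filtered, or no host at all"}.get(
                verdict, "not applicable (outbound; user is asked)")


# Constructed rule set for a home PC; LAN prefix and program names are assumed.
HOME_RULES = [
    Rule("allow", "out", "tcp", 25, program="outlook.exe", log=False),   # mail client only
    Rule("allow", "out", "tcp", 80, program="iexplore.exe", log=False),
    Rule("allow", "out", "tcp", 443, program="iexplore.exe", log=False),
    Rule("allow", "in", "tcp", 139, remote_prefix="192.168.1."),         # file sharing, LAN only
    Rule("allow", "in", "udp", 137, remote_prefix="192.168.1."),
]


def demo() -> dict:
    fw = Firewall(HOME_RULES)
    cases = {
        "mail_client_smtp": Conn("out", "tcp", "203.0.113.25", 25, "outlook.exe"),
        "worm_own_smtp":    Conn("out", "tcp", "203.0.113.25", 25, "worm.exe"),
        "lan_file_sharing": Conn("in", "tcp", "192.168.1.20", 139, "System"),
        "internet_netbios": Conn("in", "tcp", "198.51.100.9", 139, "System"),
        "subseven_probe":   Conn("in", "tcp", "198.51.100.9", 27374, ""),
    }
    return {name: fw.decide(c) for name, c in cases.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} -> {verdict:6} (scanner sees: {scanner_view(verdict)})")
```

The worm's own SMTP engine is stopped not because the firewall knows it is a worm but because no rule names that program, which is the point made later on this page: the user supplied the criteria, and the firewall only applied them.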

The Non-Firewall Defenses

We've discussed a few situations where a personal firewall can provide
defense. Yet in many cases a computer maintainer can deal with those
situations even without a firewall. These "alternative" defenses are in
many cases recommended regardless of whether you use a firewall.

Remote Access Trojans?

The best defense against remote access Trojans (RATs) is to prevent them
from being installed on your computer in the first place. A RAT must infect
your computer before it can start listening for remote communication
attempts. Its infection techniques are very similar to those viruses use,
so the defense against Trojan horses is similar to the defense against
viruses. Trojan horses do not distribute themselves (although they may ride
along with an Internet worm or virus that distributes them). Because in
most cases they do not spread on their own, you are most likely to get them
from anonymous sources such as instant messengers, Kazaa, IRC or a
newsgroup; adopting a suspicious policy towards downloads from such places
will save you not only from viruses but also from Trojan horses, including
RATs. Because Trojan horses are similar in some ways to viruses, almost all
antivirus programs can identify, block the installation of, and remove most
Trojan horses, including all the common ones. There are also programs
(sometimes called antiTrojan programs) which specialise in identifying and
removing Trojan horses. For a list of those programs, and for a comparison
of how well different antivirus and antiTrojan programs identify different
Trojan horses, see Hackfix (http://www.hackfix.org), under "Software test
results". Hackfix also has information on the more common RATs (such as
Netbus and Subseven) and on how to remove them manually. There are also
tools and web sites, such as port scanners, and ways of using more generic
tools such as telnet, msconfig and netstat, which may help you identify a
RAT.

Other types of Trojans and worms?

Here too, your main concern should be to prevent them from infecting your
computer in the first place, rather than blocking their communication. A
good antivirus program and a good policy for preventing virus infections
should be the first and most important defense.

Spyware and Adbots?

The term spyware is sometimes misleading. In my view, it is the
responsibility of the adware developer to disclose, in a fair place and
manner before the adware is installed, that the installation will install
or use an independent adbot, and to provide information on how the adbot
communicates and what information it delivers. It is also their
responsibility to provide this information on their web sites, so that
people are aware of it before they even download the software. Yet in
general these adbots do not pose any security threat, and in many cases
their privacy threat is negligible for many people (e.g. the computer with
adbot number 1127533 has been shown advertisements a, b and c so many times
while using adware x, while the computer with adbot number 1127534 has been
shown advertisements a, d and e for so long while using adware y, and
clicked on ad d). It should be fully legitimate for software developers to
offer advertisement-supported programs, and it is up to the user to decide
whether the use of the program is worth the ads and the adbot. Preventing
the adbot from communicating is generally not a moral thing to do: if you
decide to use adware, you should pay the price of letting the adbot work.
If you don't want it, remove the adware, and only if for some reason the
adbot keeps working when no hosting adware that uses it remains installed
should you remove the adbot. In any case, there are some very useful tools
for finding out whether a program is "spyware", or whether "spyware" is
installed on your computer, and you are certainly entitled to this
information. Two useful programs are "AdAware", which identifies "spyware"
components on your computer and lets you remove them, and Ad-Search, which
lets you enter the name of a program and tells you whether it is "spyware"
and which adbot it uses; this helps you choose whether to install a program
or not. You can find these programs at http://www.lavasoft.nu (or, if that
doesn't work, try http://www.lavasoftusa.com). These programs are useful
mainly because many adware developers are not fair enough to present this
information properly. AdAware also lets you remove adbot components from
your computer; this might, however, terminate your license to use the
hosting adware and might even cause it to stop functioning. A web site
which offers to check whether a specific program you wish to install is
"spyware" is http://www.spychecker.com .

Blocking Advertisements?

Leaving aside the moral aspect of blocking advertisements, a personal
firewall is not the best tool for it anyway. This is neither the main
purpose of a firewall nor its main strength. Some of them can block some
advertisements from being downloaded, if you know how to configure them for
that. Yet there are better tools for this, such as Proxomitron
(http://www.proxomitron.org), CookieCop 2 (search for the word cookiecop on
http://www.pcmag.com), or Naviscope (http://www.naviscope.com), and there
are many other programs as well. You may check for other alternatives, e.g.
in Tucows (http://www.tucows.com/adkiller95.html).

Blocking Tracking Sites?

Here too, a personal firewall is not the best tool, and there are other
tools and ways which are more effective: cookie utilities. Since a tracking
site uses a cookie to identify you and relate the information it gathers to
the same person (or computer), preventing the cookie from being set takes
away the tracking site's ability to track. There are plenty of cookie
management utilities, some freeware and some not. CookieCop, mentioned in
the previous section, is one of them. WebWasher (http://www.webwasher.com)
is another recommended one, and there are plenty of other alternatives such
as cookie-crusher, cookie-pal, pop-up killer, etc. You may search for other
alternatives in Tucows (http://www.tucows.com/cookie95.html).

NetBIOS and Other Services?

NetBIOS over TCP/IP (NBT), sometimes loosely called "NetBIOS", is a service
with some security problems. It is enabled by default in Windows
installations, and it is very common to see a firewall doing the job of
blocking attempts to reach your computer via NBT. Yet in almost all cases
this service is not needed and can therefore be disabled. Disabling NBT on
Win95/98/ME is not as simple as on Win2K/XP, but it can still be done
reliably; we explain how in another article (#to be written soon). It goes
without saying that if NBT is disabled, there is no need for a firewall to
block communication to it. The same applies to other services, such as RPC:
in many cases you simply don't need them, and it is better to disable them
from within Windows than to use the firewall to block them. There are
various ways to find out which services are running on your computer and
which of them are listening for communication from the outside. Those you
don't need should be disabled.
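The RAT section above mentions netstat as a generic tool for spotting a RAT, and this section says to find and disable listeners you do not need. The following added example (not code from the original article) does the review step for both over a constructed 'netstat -an' dump in the Windows layout: it keeps only sockets reachable from the network, then classifies each as a factory-default RAT port, an exposed default Windows service, or an unknown listener to be accounted for. The dump, including the port 5000 listener, is constructed. Caveat a practitioner would insist on: RAT ports are configurable by the attacker, so a clean result proves nothing and a hit only means "find out which program owns this socket".

```python
"""Review a 'netstat -an' dump (Windows layout) for listening sockets that
deserve a second look: NetBIOS/SMB and RPC reachable from the network, the
factory-default ports of the RATs named on this page, and anything else
listening that you cannot account for.  Added example over a constructed
dump.  A RAT can be set to any port, so treat a match as a hint only."""
import re

# Default listening ports of the RATs discussed above; all of them can be
# changed by the attacker, so a match is a hint, not a diagnosis.
RAT_DEFAULT_PORTS = {
    ("tcp", 12345): "NetBus", ("tcp", 12346): "NetBus",
    ("udp", 31337): "Back Orifice",
    ("tcp", 27374): "SubSeven", ("tcp", 1243): "SubSeven (older versions)",
}

# Windows default services this page says most home machines need not expose.
DEFAULT_SERVICE_PORTS = {
    ("udp", 137): "NetBIOS name service",
    ("udp", 138): "NetBIOS datagram service",
    ("tcp", 139): "NetBIOS session service (file and print sharing)",
    ("tcp", 445): "SMB over TCP (file and print sharing)",
    ("udp", 445): "SMB over UDP",
    ("tcp", 135): "RPC endpoint mapper",
}

SOCKET_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> list:
    """Return (proto, local_addr, local_port, state) per socket line;
    header and blank lines are skipped.  UDP lines carry no state."""
    sockets = []
    for line in text.splitlines():
        m = SOCKET_LINE.match(line)
        if m:
            proto, addr, port, _foreign, state = m.groups()
            sockets.append((proto.lower(), addr, int(port), state or ""))
    return sockets


def listening_sockets(sockets: list) -> list:
    """Keep TCP sockets in LISTENING state and every UDP socket, except
    those bound to loopback, which the network cannot reach."""
    result = []
    for proto, addr, port, state in sockets:
        if addr.startswith("127."):
            continue
        if proto == "tcp" and state != "LISTENING":
            continue
        result.append((proto, addr, port))
    return result


def review(text: str) -> list:
    """Classify each reachable listener as RAT default port, exposed
    default service, or unknown listener."""
    findings = []
    for proto, _addr, port in listening_sockets(parse_netstat(text)):
        key = (proto, port)
        if key in RAT_DEFAULT_PORTS:
            verdict = "possible RAT default port: " + RAT_DEFAULT_PORTS[key]
        elif key in DEFAULT_SERVICE_PORTS:
            verdict = "exposed default service: " + DEFAULT_SERVICE_PORTS[key]
        else:
            verdict = "unknown listener: identify the owning program"
        findings.append((proto, port, verdict))
    return findings


# Constructed dump in the layout of 'netstat -an' on Windows 2000/XP.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1044       198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

if __name__ == "__main__":
    for proto, port, verdict in review(SAMPLE_NETSTAT):
        print(f"{proto}/{port:<6} {verdict}")
```

On a real machine, pipe the live output in instead of the sample; whatever comes out as "unknown listener" is the list to work through with msconfig or the services console, and whatever comes out as an exposed default service is what this section says to disable rather than merely firewall.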

Hiding the Computer?

On the web sites of many personal firewall companies, a lot of weight is
put on the ability of their firewall to hide the computer on the Internet.
Yet exposing the existence of your home computer on the Internet is, by
itself, neither a security nor a privacy threat. If you provide some service
to the Internet from your computer, for example a web server so that other
people can view your web pages, you might shake off some of the crackers by
setting your firewall to answer only that type of communication. Some
attackers will not scan your computer fully but only partially, and if they
do not scan for the specific service you provide, they will not see your
computer. Yet if the service is a common one, there is a good chance that
many of them will scan for it and thus discover your computer. Once they
"see" it, they might decide to scan it further, find out which services you
provide, and probe them for security holes to use. For a simple home
computer, though, there is not much to this.

What a Firewall Cannot Do!

Another misconception about personal firewalls is that they are thought to
give overall protection against "hackers" (i.e. intrusions). They do not.

Defense Against Exploitation of Security Holes

A firewall can allow or deny access to or from your computer according to
the type of communication, its source and destination, and which program on
your computer is handling it. Yet its ability to understand the details of
the communication is very limited. For example, you may set the firewall to
allow or deny your e-mail program from receiving and/or sending messages,
or allow or deny your web browser from browsing the Internet. But once you
have allowed your e-mail program to communicate with the mail servers (and
you are likely to allow it if you want to use e-mail), or allowed your web
browser to communicate with web sites, the firewall will not understand the
content of that communication much further. If your web browser has a
security hole and some remote site tries to exploit it, the firewall will
not be able to tell the exploiting communication apart from legitimate
communication. The same goes for the e-mail program: a personal firewall
may block you from receiving or sending e-mail, but if you have allowed it
to receive messages, the firewall will not distinguish a legitimate message
from an illegitimate one (such as one carrying a virus or a Trojan horse).
Security holes in legitimate programs can be exploited, and a personal
firewall can do practically nothing about it.

I should comment, however, that some personal firewalls come combined with
some Trojan horse detection or intrusion detection. This is not part of the
classical definition of a firewall, but it might be useful. Such tasks are
usually handled by other tools such as antivirus or antiTrojan programs.

Tricks to Bypass or Disable Personal Firewalls

There are also various ways to disable or bypass personal firewalls. Over
time a few such tricks have been demonstrated by various programs,
especially tricks that let an internal program communicate with the outside
while bypassing or fooling the firewall. Against some of them, such as the
one demonstrated by Leaktest, in which an illegitimate program disguises
itself as Internet Explorer, practically all personal firewalls are by now
immune. Others, such as the one demonstrated by Outbound, which sends
non-standard traffic directly to the network adapter, bypassing the
operating system components that are supposed to handle Internet
communication and with them the firewall, are only now being patched by the
various firewalls. Yet others, such as the one demonstrated by Tooleaky,
which uses Internet Explorer itself as a messenger to communicate with the
outside and is therefore seen as nothing more than legitimate browsing, are
still waiting for most personal firewalls to find a fix.
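The Leaktest trick works against any firewall that recognises a program by its file name. The usual countermeasure, which the page does not spell out, is to remember the program by its full path together with a digest of its executable, so that neither a look-alike dropped elsewhere nor a tampered copy in the original location inherits the permission. The following added example (not code from the original article or from any firewall product) keeps both kinds of rule table side by side and plays the attacker against each; the file names and file contents are constructed.

```python
"""Why a personal firewall must not identify a program by its file name
alone (the Leaktest trick described above).  Added example, not code from
any firewall product: one rule table keyed by basename, one keyed by the
executable's absolute path plus SHA-256 digest, each tested against an
impostor under the allowed name and against a tampered original."""
import hashlib
import os
import tempfile


def file_digest(path: str) -> str:
    """SHA-256 of the file contents, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class ProgramRules:
    """Two ways of remembering 'this program may reach the Internet'."""

    def __init__(self):
        self.by_name = {}        # weak: basename -> action
        self.by_identity = {}    # strong: (absolute path, digest) -> action

    def allow(self, path: str) -> None:
        self.by_name[os.path.basename(path)] = "allow"
        self.by_identity[(os.path.abspath(path), file_digest(path))] = "allow"

    def decide_by_name(self, path: str) -> str:
        return self.by_name.get(os.path.basename(path), "ask")

    def decide_by_identity(self, path: str) -> str:
        key = (os.path.abspath(path), file_digest(path))
        return self.by_identity.get(key, "ask")   # unknown binary: ask the user


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        browser = os.path.join(d, "iexplore.exe")
        with open(browser, "wb") as f:
            f.write(b"MZ legitimate browser (constructed content)")
        rules = ProgramRules()
        rules.allow(browser)                  # the user clicked "allow" once

        # Trick 1: a hostile program dropped elsewhere under the allowed name.
        os.mkdir(os.path.join(d, "temp"))
        impostor = os.path.join(d, "temp", "iexplore.exe")
        with open(impostor, "wb") as f:
            f.write(b"MZ hostile program (constructed content)")
        results = {
            "impostor_by_name": rules.decide_by_name(impostor),
            "impostor_by_identity": rules.decide_by_identity(impostor),
            "real_by_identity": rules.decide_by_identity(browser),
        }

        # Trick 2: the real browser file is overwritten in place.
        with open(browser, "wb") as f:
            f.write(b"MZ hostile program in the browser's clothing")
        results["tampered_by_name"] = rules.decide_by_name(browser)
        results["tampered_by_identity"] = rules.decide_by_identity(browser)
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:22} -> {verdict}")
```

Note what this does not fix: in the Tooleaky case the genuine, unmodified browser is the one talking to the network, on behalf of another program, so an identity check passes. Identity answers "which binary is this", not "on whose behalf is it acting", which is why that trick is the harder one for the firewalls described above.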

Firewalls CANNOT Decide for You What is a Legitimate Communication and
What is Not

One of the main problems with personal firewalls is that you cannot simply
install them and forget them, counting on them to do their job. They can
deny or permit various types of communication according to some criteria,
but what are these criteria, and who decides when a communication should
be permitted or denied?

The answer is that it is the computer user's job to define exactly when the
firewall should allow a communication and when it should block it. The
firewall may make this easier for you, but it should not make the
decisions. There are too many programs and too many versions, and it is not
possible for the firewall to decide accurately when a communication is
legitimate and when it is not. One person may think it legitimate for a
program to send some information out in order to obtain a service, while
another may not. One version of a program might contact its home server to
check whether an upgrade is available, while another version might also
install the upgrade whether you want it or not. Some firewalls try to
recognise communication attempts that are widely considered legitimate and
present you with that information so that it is easier to decide whether
to allow them. Others confine themselves to more basic information and
make no suggestions (and thus no incorrect recommendations). One way or
another, once you have installed a firewall you will have better means to
understand what kinds of communication your computer is engaged in, but
you will also have to understand them in order to configure your firewall
so that it knows which communications to allow and which to block.

Common Problems and Deficiencies Regarding Personal Firewalls

A personal firewall can be a good contribution to security. Yet if you do
not understand much about the topic, you are likely to be confused and
misled by its alerts and queries, and thus find yourself spending hours
chasing imaginary crackers, fearing imaginary threats, and misconfiguring
it through misunderstanding. You may block legitimate and important
communication believing it to be a cracking attempt, and then wonder why
things are slow or why you are disconnected from the Internet; or you may
be misled into allowing illegitimate communication by software that tricked
you into believing it legitimate. On the other hand, if you are quite
knowledgeable about computers and security, you are likely to defend your
computer effectively even without a firewall (by the means discussed in the
section on non-firewall defenses), so that the personal firewall's role in
securing your computer is very small. We discuss here in brief some of the
problems that personal firewalls may generate.

A False Sense of Security

As we've already seen, a firewall is limited in its ability to secure your
computer. Yet many people believe that if they install a personal firewall
they will be secure against the various security threats. I was even
surprised to find out that there are people who give much higher priority
to installing a personal firewall than to installing an antivirus program.
An always-updated antivirus program plays a much more important role in the
security of a personal home computer than installing and maintaining a
personal firewall. A personal firewall should not come at the expense of
any other security measure that you use.

A False Sense of Insecurity

When you install a firewall and look at all the communication attempts it
sees, you might be surprised at the number of attempts from the Internet to
reach your computer. Most of them are blocked by a typically configured
firewall. There are constant attempts to communicate with various backdoor
Trojans on your computer; if you are not infected, nothing is listening to
respond to those attempts, and they are practically harmless. There are
attempts to communicate with your NBT driver, to see whether your computer
allows file sharing by mistake. There are other types of probes to see
whether your computer exists, or attempts by servers to probe your computer
in order to find the best path for legitimate communication to it. There
are sometimes remnants of communications that were meant for other
computers but made their way to yours (for advanced readers: because the IP
address your computer is using was used by some other computer earlier).
Those communication attempts are blocked even without a firewall. If your
computer is not infected with a RAT, and does not have NetBIOS over TCP/IP
enabled, or at least does not have file and print sharing enabled (and on
most computers this is disabled by default), then none of these pose any
security threat. If your computer is not infected with the SubSeven Trojan,
then no matter how often someone tries to communicate with it, all the
attempts are doomed to fail. Yet some personal firewalls (such as Norton
Personal Firewall or ZoneAlarm) by default proudly announce that they have
just blocked an attempt to crack into your computer. Norton may even
classify blocked attempts as "high security threats" when they were no
threat at all, even to a computer without any personal firewall. Such
firewalls give you the false impression that they save your computer again
and again from extremely dangerous threats, so that you wonder how you
survived so long without noticing any intrusion before you installed the
firewall. I usually say that those personal firewalls have their "report
level" set to "promotional mode": the personal firewall is set to give you
the false impression that it is much more important than it really is.

Chasing After Ghosts

This is a side effect of the misunderstandings discussed in the previous
subsection.

When a person who is just starting to learn the jargon of personal firewalls
is told that "dangerous" communication attempts keep coming from the same
source, the person is determined to locate and identify the "hacker", and
perhaps report it to the police or to the Internet service provider.
However, since many people do not really understand how things work, they
may spend many hours trying to locate a cracker who does not exist, or one
whose tracking requires far more knowledge than they have, and they may
even suspect the wrong person for lack of knowledge (e.g. a person at the
Internet service provider through which the cracker connected). More
knowledgeable people usually do not bother to track those "hackers" (who
are usually teenagers), but concentrate instead on the security of their
own computer.

Blocking Legitimate Communications

No personal firewall is smart enough to decide for the user what is a
legitimate communication and what is not. Unless the user tells it, a
personal firewall cannot distinguish a legitimate program contacting its
server to check for a newer version and notify the user from an
illegitimate program contacting its server to deliver sensitive information
such as passwords. It is thus up to the user to decide what should be
considered legitimate and what should not. Yet can we count on the user
being knowledgeable enough to make that decision? In many cases the user is
not, and may thus allow illegitimate communication or block legitimate and
important communication. Many types of communication exist only to manage
other communications, among them various exchanges between your computer
and the servers of your Internet service provider. An inexperienced user
may interpret these as cracking attempts and decide to block them. As a
result, a connection might become slower, the connection to the Internet
service provider might drop quite often, and other communication problems
may appear.

Being Tricked by Trojans

Just as less knowledgeable users may instruct the firewall to block
legitimate communications, they can be tricked by various Trojans into
allowing them to communicate. Some Trojans use names resembling or
identical to the names of legitimate programs, so that the user will think
they are legitimate. Users should be aware of this.

Heavy Software, Buggy Software

Until now we have discussed only problems related to the user's lack of
knowledge. Yet there are other problems with personal firewalls. Some of
them are known to be quite heavy on computer resources, or to slow down the
communication speed, and personal firewalls vary considerably in this
respect. If you have a new computer with a slow Internet connection (such
as regular dial-up networking), the firewall might not slow your computer
noticeably. Yet if you use an older computer with a fast connection, you
might find that some personal firewalls slow down your communication quite
drastically. Personal firewalls also vary in how stable they are.

Advantages of External Firewalls over Personal Firewalls

1. They do not take resources from the computer. This should be clear, and
it is especially useful when the firewall is blocking flooding attacks.
2. It is harder (although in principle still possible) for a Trojan horse
to disable it, because it does not reside on the computer that the Trojan
has infected. Nor can a program on the infected computer bypass it
altogether by talking to the network adapter directly, as in the Outbound
trick described above: all traffic still has to pass through the external
device.
3. They can be used regardless of the operating system on the computer(s)
they defend.
4. No instability problems.
