Thursday, November 10, 2005

The complete guide to firewalls for newbies

Viruses, trojans, script kiddies, denial-of-service attacks – the Internet can be a dangerous place for the unwary. Even big companies aren’t immune, with regular embarrassing stories about how credit card numbers (or other personal information) they’ve collected have been accessed by hackers. So, is there any way to keep your system secure when you go online?

One piece of advice you’ll hear again and again is that you must get a firewall. This is certainly a good idea, but there are so many myths in this area that it can be difficult to figure out why. Who is most at risk online? Is going online via an ADSL connection more insecure than using a modem? Once you’ve installed a firewall, does this mean you’re safe? And what exactly does a firewall do, anyway?

Port to port
Before you can understand how to restrict your PC’s access to the Internet, you first need to know how it works normally, so let’s begin with a little theory.

The Internet is normally associated with Web pages, but it offers plenty of other services: POP3 and SMTP email, Usenet, FTP and Telnet are well-known examples (see www.networkice.com/advice/Exploits/Ports/ for a full list), and there’s nothing to stop a single computer providing all of these features.

To help keep things organised, each service is normally allocated to a different port on the server. This isn’t a physical feature of the computer, like a serial port – it’s just a number contained within every packet of data the server receives. Each service looks for its own port identifier, and handles any incoming information that belongs to it.

Such flexibility is useful, but not something the average user cares about – they just want to run their FTP or news program, and see it work correctly. To make this happen, most services use standard port numbers: FTP is 21, HTTP uses 80, NNTP news servers default to 119, and so on. Your browser and other Internet applications know which ports to use, and so everything works automatically.

Still, some servers do use alternative ports. You may have noticed when this happens on a site, as the URL has a colon, followed by the new port number, at the end of the address: www.bigsite.com:8080/downloads/.

The chances are you don’t have a Web server at home, of course, but that doesn’t matter. Your PC makes use of ports, too, and whenever you go online they’re accessible to everyone else on the Internet. This could make your PC and data available to any passing hacker, but what are the actual risks?

Port scans
Despite the constant scare stories, it’s really very difficult for someone else on the Internet to hack into your PC. Their first challenge is just to find you. When you go online, your ISP will almost certainly allocate you a different IP address (your unique location on the Internet) every time. Any hacker then only has the duration of that single Internet session to penetrate your defences, or see all their work go to waste.

You’ll almost certainly have read dire warnings about how this doesn’t apply to broadband connections. Get ADSL, you’re told, and its ‘always-on’ connection means that hackers can be hammering at your PC 24 hours a day. Fortunately, this simply isn’t true. While you can pay extra for a static IP address, the standard BT ADSL connection provides a dynamic address, giving you similar protection to a normal modem user.

Good news? Yes, but you’re still potentially at risk for the time you’re online. A hacker will typically use an automated port-scanning tool to check a wide range of IP addresses, sending a message to the key ports on each system, and examining the responses (if any) for potential vulnerabilities.

The best way to protect yourself is to see the type of information your PC is currently giving out, and there are plenty of Web sites that offer to do just that. We particularly like Sygate’s free online scanning service (scan.sygatetech.com) for its detailed reports, and HackerWatch (www.hackerwatch.org/probe) for its in-depth tests, while BlackCode (www.blackcode.com) allows more experienced users to scan a particular range of ports. Interpreting the results can be difficult, though, unless you know what to look for.

Who’s at risk?
One problem with most online port-scanning sites is they tend to over-dramatise their results. Typically you’ll be told that having port 139 (Windows NetBIOS file and printer sharing) open leaves your entire hard disk open to other Internet users, for example.

However, if your PC isn’t connected to a network, then you probably won’t have file and printer sharing installed (select Network in Control Panel, to check). In this case, there’s nothing listening at port 139, and it’s not possible for an external hacker to use it to access your hard drive.

Networked PCs are at more risk, but even here hackers can only access folders you’ve chosen to share (which is why it’s a good idea to share individual folders like ‘My Documents’, rather than your entire PC). And they’ll only be able to do this if you’ve forgotten to password-protect each share, or used a password that’s very easy to guess. (For lots more helpful information on NetBIOS, see the Navas Group page at cable-dsl.home.att.net/netbios.htm).

Although scanning sites target lots of other ports on your PC, the risks are very limited. Hackers can send all the messages they like, but unless you have an application running that’s listening to the targeted ports – a Web or FTP server, say – they can’t get any kind of access to your system.

So, a standard Windows 98 system is likely to be very safe when online, and even a networked PC can be strongly protected, simply by making use of security features that already exist in the operating system. Adding a firewall is still advisable, though, as a look at one of the more popular examples will make clear.

ZoneAlarm
A firewall is a system (either software, or hardware based) that monitors your PC’s network and Internet traffic, and decides whether it should be allowed through, or blocked. Typical personal firewalls allow you to increase your online security, by closing all but the most essential ports. They can also protect against ‘denial of service’ attacks, where other people online might send a huge number of messages to a particular port, in an effort to crash your machine or disrupt your Internet connection. Visit the firewall FAQ (www.faqs.org/faqs/firewalls-faq) for more info.

ZoneAlarm (www.zonelabs.com) may not be the most configurable product around, but a combination of simplicity and price (it’s free for personal use) make it a very good choice for your first firewall.

After a straightforward installation, you’ll find the program pops up every time you launch an application that wants to access your Internet connection (browser, FTP program, email software, whatever it might be), and asks if you want to allow this. This can be tiresome, initially, but you can instruct ZoneAlarm not to ask you again for your main Internet programs, and it soon quietens down.

Why does it do this? Well, you may have accidentally installed a Trojan. These unpleasant programs masquerade as something useful, perhaps a game or utility, but in fact they have a more sinister function.

If you’re unlucky enough to install SubSeven, for example, then a remote user could be able to use your computer as though they were sitting in front of it: use programs, browse files (all of them, regardless of network shares), take screen shots, capture your keypresses, almost anything they want. (See http://www.symantec.com/avcenter/ve...r.subseven.html for the scary details).

Trojans beat even viruses for sheer nastiness, but in order for them to work, they need to be able to communicate with the outside world. After distributing them, perhaps as executable binary attachments in newsgroups, the authors will run an automated detection tool. This scans the port used by the Trojan, across a wide range of IP addresses; if you’re online at the time, and infected, then the Trojan sends a response, and the hacker will probably be able to take over your system.

Unless, that is, your PC has a firewall. If your system has something like ZoneAlarm installed, the firewall will block the suspicious port scan (and let you know it’s happened), so the Trojan never gets activated. Even if that level of security failed, you would still be warned if the Trojan tried to send any information about your PC to its creator. Good news, then – but you need to be careful about how you interpret your firewall’s alerts.

Tracking hackers
Install a firewall, then spend some time online, and you’ll quickly find yourself alerted to suspect port scans, perhaps as many as one an hour. Beginners usually interpret this as a dangerous attack, and post enthusiastic newsgroup messages about how their firewall has saved them from hacker hell – but is this really true?

If the port scan was an attempt to activate a Trojan, for example, then it could only ever have any effect if you happened to have the Trojan installed on your PC. Firewalls offer some protection against that eventuality, but it’s not particularly difficult to bypass them (see keir.net/firehole.html and tooleaky.zensoft.com for some worrying examples). The best idea is not to get infected by malicious software in the first place, so there’s still a place for Trojan detectors like PestPatrol (www.safersite.com).

Deciding whether other port scans are malicious or not is notoriously difficult. A bunch of alerts that occur as soon as you log on, for example, could occur because a Web site is trying to send information to the last user of your IP address.

Some mail or news server configurations can provoke your firewall into thinking something sinister is going on, as can plenty of other standard ISP and network activities. So what should you do when your firewall reports an attack? One approach is to try and figure out what’s going on for yourself. Tools like Visual Route (www.visualware.com/visualroute/index.html, and on this month’s CD) offer a great way to determine where a particular IP address is located, and you can use a Web site like Sam Spade (www.samspade.org) to figure out the attacker’s ISP. Send them an email, and they’ll take it from there. Be polite, though – IP addresses can be faked, and even if it is genuine, the system carrying out the port scan might itself have been hacked via a Trojan.

A simpler alternative is to send your firewall logs to a site like My NetWatchman (www.mynetwatchman.com) or DShield (www.dshield.org). These companies accept firewall reports from users all over the Net, strip out the false alarms, and forward the most serious cases on to the ISP from which the attacks originated (at no charge to you). An ISP is far more likely to be interested in a collection of 1,000 reports than in one, so if you feel like fighting back against the hackers and script kiddies, this could be the way to go.
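The triage described in the last few paragraphs (separating a real sweep of many ports from the burst of stale traffic you see right after logging on, and from the odd isolated probe) can be done mechanically before a log ever goes to a service like DShield. The script below is an added example, not code from the article or from ZoneAlarm; the log format it parses and the sample lines are constructed for illustration, and the thresholds (four distinct ports, a 30-second logon window) are assumptions you would tune to your own logs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed, simplified "FWIN" line layout: timestamp, source ip:port, dest port, protocol.
LINE_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) FWIN "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):\d+ -> (?P<port>\d+) (?P<proto>\w+)"
)
KNOWN_PORTS = {21: "FTP", 80: "HTTP", 119: "NNTP", 139: "NetBIOS"}  # ports named in the text
SCAN_MIN_PORTS = 4                    # assumed: this many distinct ports from one source = sweep
LOGON_GRACE = timedelta(seconds=30)   # assumed: alerts this soon after logon are usually stale

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2005/11/10 19:02:01 FWIN 203.0.113.7:3412 -> 80 TCP
2005/11/10 19:02:02 FWIN 203.0.113.9:4501 -> 119 TCP
2005/11/10 19:20:33 FWIN 192.0.2.44:2210 -> 139 TCP
2005/11/10 19:41:10 FWIN 198.51.100.23:1088 -> 21 TCP
2005/11/10 19:41:10 FWIN 198.51.100.23:1089 -> 80 TCP
2005/11/10 19:41:11 FWIN 198.51.100.23:1090 -> 139 TCP
2005/11/10 19:41:11 FWIN 198.51.100.23:1091 -> 8080 TCP
"""

def parse_log(text):
    """Return (timestamp, source_ip, dest_port) tuples; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            events.append((ts, m["src"], int(m["port"])))
    return events

def triage(events):
    """Map each source IP to (category, detail): 'sweep', 'stale' or 'isolated'."""
    if not events:
        return {}
    session_start = min(ts for ts, _, _ in events)  # first alert stands in for logon time
    by_src = defaultdict(list)
    for ts, src, port in events:
        by_src[src].append((ts, port))
    verdicts = {}
    for src, hits in by_src.items():
        ports = sorted({p for _, p in hits})
        names = ", ".join(f"{p} ({KNOWN_PORTS.get(p, 'unassigned')})" for p in ports)
        if len(ports) >= SCAN_MIN_PORTS:
            verdicts[src] = ("sweep", f"{len(ports)} ports probed: {names}; worth reporting")
        elif all(ts - session_start <= LOGON_GRACE for ts, _ in hits):
            verdicts[src] = ("stale", f"{names} hit just after logon; likely for the IP's previous holder")
        else:
            verdicts[src] = ("isolated", f"single probe of {names}; log it, no action needed")
    return verdicts

if __name__ == "__main__":
    for src, (category, detail) in triage(parse_log(SAMPLE_LOG)).items():
        print(f"{src:16} {category:9} {detail}")
```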

Stay alert
It’s very easy to be complacent about your online security. And it’s dangerous, too. Some people are, to put it mildly, overly trusting. They don’t bother with anti-virus software because ‘there’s not that much risk really’, and think that hackers will leave their PC alone because ‘they only target big companies’. Their luck has held out so far, and so they think it always will.

At the other end of the spectrum, you’ll find a rather more paranoid group. These folks believe that going online is a supremely dangerous activity, where evil cookies track your every movement, malicious Web sites steal personal information, and hackers are waiting to format your hard drive at the drop of a hat. Worse still, they think that installing a firewall offers a total solution, leaving them invulnerable to Trojans or similar threats.

The best approach is to find a way between these two extremes; the Net isn’t entirely safe, but it’s not as dangerous as some people suggest, either. So read up on the risks. Check out a security site occasionally (net-security.org or www.securityfocus.com are good places to start). Visit a site containing the type of tools hackers might use (like www.thenewbiesarea.com), so you can learn more about the potential dangers. And make sure you install a firewall, but remember – this is just the first step in making yourself secure online, and not the last.
