From:         Patrick Douglas Crispen 
Subject:      Tourbus - 31 July 04 - Firewalls

TODAY'S TOURBUS TOPIC: HOME COMPUTER SECURITY, PART TWO

The Internet Tourbus - U.S. Library of Congress ISSN #1094-2239
Copyright © Bob Rankin and Patrick Crispen - All rights reserved
Firewalls

Howdy, y'all, and greetings once again from deep behind the orange curtain in beautiful Irvine, California, where the sun goes down and the tide rolls out and the people gather 'round and they all begin to shout: "Ick! Mud!" :P

TOURBUS is made possible by the kind support of our sponsors. Please take a moment to visit today's sponsors and thank them for keeping our little bus of Internet happiness on the road week after week.

On with the show...

In my last post we talked about how to protect your computer from attacks and exploits by practicing simple patch management. [If you missed that post you can find it online at http://tinyurl.com/64evp ]

This week we're going to tackle a topic everyone has heard of but few truly understand: Firewalls.

Home Computer Security, Part Two: Firewalls

How do crackers--people who compromise the security of your computer without your permission--find your computer in the first place? Well, every semi-competent cracker has software that

  • Scans thousands of Internet connections looking for Windows file and printer shares.

  • Scans for known vulnerabilities, holes, and unsecured services in Windows, Mac OS, Linux, Apache, VM-CMS, etc.

  • Exploits those known vulnerabilities.

  • Cracks Windows [and other operating systems'] passwords.

  • And so on.

    Most home computer attacks/intrusions are either coordinated or opportunistic. In a coordinated attack your computer is specifically targeted, and in an opportunistic attack a cracker finds your computer during a random scan of thousands of other computers.

    Unless someone is specifically after you--a former employee, a jilted lover, Snuggle the fabric softener bear--you don't have to worry about coordinated attacks. They're few and far between. Besides, like a visit from your in-laws, you can't really stop a coordinated attack. You can only delay it.

    Opportunistic attacks are an entirely different matter. They happen all the time. In fact, your computer is probably being probed for vulnerabilities as we speak.

    One of the better ways to protect your computer from opportunistic attacks--besides being vigilant with your patch management--is to "hide" your computer from the Internet. If crackers can't see your computer, they [hopefully] won't attack you.

    How do you hide your computer? Use a firewall.

    What is a firewall?

    A firewall is either hardware or software that stands between your computer [or home network] and its Internet connection and provides "access control." Access control is just a fancy way of saying that your firewall determines what can and cannot pass through.

    A computer firewall is very much like the firewall in your car. Your car's firewall keeps the bad stuff from your engine [like heat and exhaust] out of your passenger cabin. But it isn't impervious. It has holes in it to let the good stuff [like the steering column and the brakes] through.

    A good computer firewall, like your car's firewall, keeps the bad stuff out and lets the good stuff through. How? Well, most consumer firewalls--the hardware firewalls [well, actually they're routers] you can buy at Wal-Mart or Target or the software firewalls you can download off of the Internet--offer a combination of

    1. Computer stealth: they hide your computer from the crackers' scans; and

    2. Intrusion blocking: they make it harder [but not impossible] for crackers to break in.

    The peril of visible addresses

    When you connect your home computer to the Internet, the Internet connects to your computer. Every computer connected to the Internet has its own, unique Internet address [like 137.151.128.96 or 130.160.4.4]. Your ISP automatically assigns the Internet address to your computer from a pool of addresses the ISP maintains. When you disconnect [or at some regular interval with cable modem and DSL connections], that address goes back into the ISP's pool of addresses and is given to someone else.

    Unfortunately, if a cracker knows your Internet address, he can probe your computer for vulnerabilities.

    NAT and SPI

    Hardware firewalls use something called "Network Address Translation" or "NAT" to hide your computer's Internet address from the crackers.

    You physically connect your home computer[s] to a hardware firewall and connect the firewall to the Internet. The firewall, not your home computer, connects to the Internet and is assigned a publicly-visible Internet address by your ISP. Your firewall then automatically assigns your computer a *private* Internet address, an address that only your firewall knows. In fact, the private address is not visible to anyone on the Internet nor is it even [directly] accessible from the Internet.

    In the process of hiding your computer's address from the Internet, your firewall becomes your computer's intermediary on the Internet. All traffic must go through it. And since the crackers can't see either your computer or your computer's address, it is harder for the crackers to scan your computer for vulnerabilities. So, hopefully, the crackers move on to someone else's computer.

    In addition to using NAT to hide your computer, a firewall also uses "stateful packet inspection" or "SPI" to block intruders. Put simply, SPI only lets through the stuff you ask for, the connections that you and you alone originate. All other connections--like connections from crackers trying to break into your computer--are automatically blocked at the firewall.

    So, a consumer firewall protects your computer from attack by offering a combination of computer stealth using network address translation and intrusion blocking using stateful packet inspection.
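The NAT and SPI behavior described above, as a toy model. This is an added example, not code from the newsletter or from any router vendor; the `Router` class and all addresses and ports are constructed sample values.

```python
# Added example: toy model of a consumer router doing NAT + stateful packet inspection.
# Every address and port below is a constructed sample value.
from dataclasses import dataclass, field
from itertools import count

PUBLIC_IP = "203.0.113.10"   # the one address the ISP assigns (to the router, not the PC)

@dataclass
class Router:
    public_ip: str = PUBLIC_IP
    _ports: count = field(default_factory=lambda: count(40000))
    # State table: (public_port, remote_ip, remote_port) -> (private_ip, private_port)
    state: dict = field(default_factory=dict)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """A home computer opens a connection: rewrite its source and remember it."""
        public_port = next(self._ports)
        self.state[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        # The Internet only ever sees the router's address, never the private one.
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """A packet arrives from the Internet at the router's public address."""
        entry = self.state.get((dst_port, src_ip, src_port))
        if entry is None:
            return None      # nobody inside asked for this: dropped at the firewall
        return entry         # reply to a connection we originated: forwarded inside

def demo():
    r = Router()
    # The home PC (private address) asks a web server for a page.
    pkt = r.outbound("192.168.1.100", 51515, "198.51.100.7", 80)
    reply = r.inbound("198.51.100.7", 80, pkt[1])   # the web server answers
    scan = r.inbound("192.0.2.66", 4444, 445)       # unsolicited probe from a stranger
    spoof = r.inbound("192.0.2.66", 80, pkt[1])     # open port, but the wrong remote host
    return pkt, reply, scan, spoof

if __name__ == "__main__":
    for label, value in zip(("sent as", "reply ->", "scan ->", "spoof ->"), demo()):
        print(label, value)
```

Only the reply that matches a remembered outbound connection is translated back to the private address; the other two packets have no entry in the state table and are dropped.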

    Can you see now why a firewall is such an important part of your computer's defense against crackers? I mean, is there anything a firewall CAN'T do?!

    What a firewall can't do

    Well, actually, a consumer firewall can't

  • Fix operating system or software vulnerabilities. A firewall may block SOME exploits coming in from the Internet, but the vulnerabilities will still be there. That's why patch management is so important.

  • Protect your computer from viruses. A firewall may block SOME Internet worms, but it won't block viruses attached to emails, hidden in files you download from the Internet or Kazaa, etc. Virus protection is a job for your antivirus program, not a firewall.

  • Protect your computer from spyware

  • Block pop-up ads

  • Block spam

  • Completely keep crackers out

  • Protect you from doing stupid stuff to your computer

    But, if you are looking for simple computer stealth and basic intrusion blocking--and trust me, you ARE--you need a firewall.

    Don't I already have a firewall?

    How can you tell if you have a firewall and/or if it is working properly? Simple! Go to

    https://grc.com/x/ne.dll?bh0bkyd2

    and run "Shields Up." This is a free, online tool from security guru Steve Gibson that probes your computer for common vulnerabilities used by crackers. To learn how to use Shields Up, check out the free, online streaming video at

    http://www.allianceits.com/diy/shieldsup/index.php

    The guy who recorded this video [me] is a complete and total idiot, but the video is still better than a poke in the eye. [And, yes, that really is my voice.]

    If Shields Up can see your computer, so can the crackers. You either don't have a firewall or it isn't configured properly.

    Which one?

    Should you get a hardware firewall or a software firewall?

    Yes.

    If you have a cable modem, satellite, or DSL connection, you need BOTH a hardware firewall AND a software firewall. If you have a dial-up connection, you only need a software firewall. [In fact, hardware firewalls for dial-up connections are kind of hard to find, at least out here on the left coast.]

    Why both?

    Hardware firewalls have an Achilles' heel: they [for the most part] assume that ALL the Internet traffic originating from your computer is safe. But, if you "accidentally" double-click on a virus-infected file,

  • Your computer will be infected with that virus. [Remember, hardware firewalls can't protect you from either viruses or doing stupid stuff.]

  • That virus is more than likely going to try to use your computer and your Internet connection to infect other computers.

    So your computer is now a virus-spewing zombie ["Brains! Must eat brains!"]. BUT, remember, your hardware firewall still trusts your computer. Your computer is flooding the Internet with thousands of viruses, worms, or spams, and your hardware firewall doesn't notice, care, or even bother to tell you.

    Grumble.

    How software firewalls work

    A software firewall [actually, a "personal software firewall"]

  • Constantly runs in the background.

  • Blocks bad stuff from the Internet from getting to your computer [the stuff that somehow magically makes it past your hardware firewall].

  • Warns you when a program on your computer tries to access the Internet. You then decide whether or not that program should be allowed to access the Internet.

    So in our zombie example, the software firewall--NOT the hardware firewall--would catch the flood of viruses before they even left your computer. You'd get a warning that some program on your computer, probably one you've never heard of, is trying to access the Internet.
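The zombie scenario above as a toy model of both layers. This is an added example, not code from the newsletter or from any firewall product; the `PersonalFirewall` class, the program names, and the user's answers are constructed for illustration.

```python
# Added example: why the router misses the "zombie" and the software firewall does not.
# Program names, destinations and the user's answers are constructed sample values.

def router_allows_outbound(program, dst):
    """Hardware router: it sees packets, not programs, and trusts the home side,
    so every connection a home computer originates is forwarded."""
    return True

class PersonalFirewall:
    def __init__(self, ask_user):
        self.rules = {}           # program -> "allow" | "block" (the "training")
        self.ask_user = ask_user  # callback standing in for the pop-up warning
        self.alerts = []          # every warning shown to the user

    def outbound(self, program, dst):
        verdict = self.rules.get(program)
        if verdict is None:                    # first time this program goes online
            self.alerts.append((program, dst))
            verdict = "allow" if self.ask_user(program, dst) else "block"
            self.rules[program] = verdict      # remember the answer for next time
        return verdict == "allow"

def reaches_internet(fw, program, dst):
    """Traffic gets out only if the software firewall AND the router both pass it."""
    return fw.outbound(program, dst) and router_allows_outbound(program, dst)

def demo():
    recognised = {"browser.exe"}   # programs this user says "yes" to when warned
    fw = PersonalFirewall(ask_user=lambda program, dst: program in recognised)
    results = [
        reaches_internet(fw, "browser.exe", "198.51.100.7:80"),
        reaches_internet(fw, "mystery.exe", "192.0.2.25:25"),   # the infected file
        reaches_internet(fw, "mystery.exe", "192.0.2.26:25"),   # blocked from memory
    ]
    return results, fw.alerts, fw.rules

if __name__ == "__main__":
    results, alerts, rules = demo()
    print("got out:", results)
    print("warnings shown:", alerts)
    print("trained rules:", rules)
```

The router's check passes all three connections; only the per-program decision on the computer itself stops the unrecognised program, and the user is warned once rather than on every attempt.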

    Hardware v. Software

    In the simplest [grossly oversimplified] terms, hardware firewalls protect your computer from the Internet. Software firewalls

  • Are a second layer of defense behind your hardware firewall.

  • Protect both your computer from the Internet AND the Internet from your computer.

  • Warn you when something fishy is happening on your computer.

    So can you see why I recommend running both a hardware AND a software firewall?

    Hardware firewalls

    Now for the really bad news: Hardware firewalls--stand-alone boxes that do nothing but block intruders--are both complicated and expensive. Cisco's cheapest firewall [the PIX 501] is approximately US$400!

    But two important features of hardware firewalls--NAT and a very simplified form of SPI--are built into most hardware routers, which are a LOT cheaper. My favorite router, Linksys' EtherFast Cable/DSL Router with 4-Port Switch [BEFSR41], is approximately US$50.

    My suggestion? If you have a cable modem or DSL line, run to your nearest technology store or big box retailer and buy a cable/DSL router from Linksys [my favorite], D-Link, Netgear, Belkin, or SMC for about US$50.

    You are not limited to this list, though. Do a Google search for "home router" and you'll find literally hundreds of different hardware routers that you can purchase online.

    Remember: If you have a cable or DSL connection, you really should get both a hardware firewall/router and a software firewall [which we'll talk about in a bit] to hide your computer from the Internet. If you have a dial-up modem connection, though, stick with just a software firewall.

    u:admin p:admin?

    If you take my advice and buy a hardware firewall/router, I have a HUGE favor to ask of you: Please read the instructions that come with your router and CHANGE YOUR ROUTER'S DEFAULT ADMIN USERID AND PASSWORD! Hackers know the default administrator's userid and password for every router [and firewall and server and operating system and...] ever made.

    Check out http://www.phenoelit.de/dpl/dpl.html if you don't believe me.

    Software firewalls

    Now that I spent US$50 of your hard-earned money on a router, let me save you some money. In my humble opinion [and mine alone], the four best software firewalls are absolutely free.

    1. ZoneAlarm: http://www.zonelabs.com/

    2. Sygate Personal Firewall: http://smb.sygate.com/products/spf_standard.htm

    3. Windows XP Service Pack 2 Internet Connection Firewall: built into Windows XP SP2 but NOT into previous versions of XP

    4. Mac OS X Firewall: built into Mac OS X

    You are not limited to this list, though. Do a Google search for "software firewall" and you'll find literally tens of thousands of software firewalls that you can download and/or purchase.

    One thing to keep in mind about ZoneAlarm [my favorite] and many of the other software firewalls out there is that you have to train them. By default, ZoneAlarm blocks EVERYTHING on your computer from accessing the Internet. This causes much anguish to many newbies ["I just installed ZoneAlarm and now I can't access ANYTHING!"]. Remember, you have to manually tell ZoneAlarm which programs you want to let through and which ones to block. Fortunately, this couldn't be simpler. Just check out the free, PDF-formatted user guides at

    http://tinyurl.com/27wcz

    for instructions on how to install and configure ZoneAlarm.

    XP Firewall

    Windows XP comes with its own firewall, so we XP users can breathe easy, right? WRONG! If you have Windows XP Home or Professional, your built-in software firewall is both horrible and [most likely] disabled.

    Microsoft plans to fix XP's firewall in Windows XP Service Pack 2 [SP2], which you'll be able to get through Windows Update later this summer. Until SP2 is released, though, avoid XP's original, built-in firewall like the plague.

    OS-X Firewall

    To turn on OS-X's built-in firewall:

    1. Go to Apple menu > System Preferences.

    2. In Internet & Network, click on the Sharing folder icon.

    3. Click on the Firewall tab.

    4. Uncheck all of the checkboxes on screen.

    5. Then click on the Start button.

    In summary

    If you have a cable modem, DSL, or satellite connection, you need both a hardware firewall [in the form of a router] and a software firewall. If you have a dial-up connection, you only need a software firewall.

    Once you've [regularly] patched your operating system and programs and installed a hardware and/or software firewall, you're in the clear, right? Not exactly. You're SIGNIFICANTLY better protected from exploits and network intrusions than most people, but there's still more you need to do.


    See ya' in a week!

               .~~~.  ))
     (\__/)  .'     )  ))       Patrick Douglas Crispen
     /o o  \/     .~
    {o_,    \    {              crispen@netsquirrel.com
      / ,  , )    \            http://www.netsquirrel.com/ 
      `~  -' \    } ))    AOL Instant Messenger: Squirrel2K
     _(    (   )_.'
    ---..{____}                  Warning: squirrels.
    
