|
 Why
You Need A Firewall
By
Brian K. Lewis, Ph.D., Member of the Sarasota PCUG, Florida
www.spcug.org bwsail
at yahoo dot com
Obtained
from APCUG with the author's permission for publication by APCUG
member groups.
When
you connect your computer to the Internet, you have opened a door
which invites any other computer in the world to come in. Actually,
you have more than 65,000 doors into your computer, any one of which
may be open. That is, unless you have taken steps to keep these doors
closed. That is the purpose of a firewall. The firewall filters the
information packets that show up at your “door” or computer port
as we usually refer to it, and can either prevent them from entering
or pass them through.
When
your computer connects to the Internet, it is assigned a numeric
address or IP (internet protocol) address. These addresses are a 32
bit number. They usually written out in four groups with periods
between each group as follows: 111.11.11.111. Traveling over the
Internet are many programs that simply look for unprotected IP
addresses. The IP address of any unprotected computer is sent back to
the originator who can then upload a trojan or spyware package to
that address. The originator can then take control of the computer
or the application will record keystrokes and send all recorded
information back to the program originator.
Although
your computer has one IP address there are many different ports on
your address. There are different ports for different purposes on
your computer. Your connection to the Internet is usually through
port 80. This is referred to as the HTTP (hypertext transfer
protocol) port. It is used when you connect to a web page. The web
page data is downloaded to your computer through this port. Another
commonly used port is 25. This is used for the SMTP (standard mail
transfer protocol) or e-mail transfer. Another port is used for
incoming mail or POP3 transfer is port 110. These are all part of the
port series from 0 to 1024 that are the most common ports. Many
applications use ports in this region including PC Anywhere, Internet
telephones, MSN messenger, Net Meeting, and all AOL operations. Ports
1024 to 49451 are referred to as registered ports. There are many
Internet games that use ports in this region. There are also other
specific functions assigned to these ports and some may duplicate
functions in the common port region. The final group of ports are
dynamic and have no specific functions registered. However, the point
is that all of these ports can be accessed by remote computers
somewhere out on the Internet and use them to connect to your
computer if you have not protected them.
Automated
port scanning software is available free on the Internet from many
“hacker sites”. Its use is very common on the Internet. There are
various types of scans. Some scanners will look for any of the 65,535
possible ports. Another type looks for open UDP (user data protocol)
ports or may use an FTP (file transfer protocol) bounce to hide the
origin of the scan. If an open port is located, software can be
downloaded that will open a “backdoor” on your computer. This
allows remote input and output. Such access can be used to record and
transmit out information from your computer. It can also be used to
attack other computers to produce a “zombie” network. Such
networks have been used to attack large computer servers in attempts
to bring them down or to produce a “denial of service” attack.
Many
users believe that a router with a firewall is adequate protection.
Most routers use either network address translation (NAT) or a packet
filter. Information on the Internet is transmitted in packets which
contain the IP address of the sender and the address of the receiver
in addition to the data. The routers firewall uses filters that look
at the sending and receiving addresses of incoming packets on port 80
(HTTP). Only those packets that are a response to an outgoing request
are allowed through. If your router uses a packet filter it can be
penetrated by a fragmented scan. This type of scan breaks up packets
into fragments which can easily get through the simple packet filter
found in most router firewalls. Routers using NAT either alone or in
combination with a packet filter can also be easily thwarted. NAT is
not successful when the packet is an FTP packet or is sent by
Microsoft's Netmeeting or similar audio/video applications that bury
the address in the body of the packet. Only when the address is in
the header of the packet can the router use address substitution. So
packet filtering and NAT, although useful, do not provide complete
firewall protection for all Internet connections.
Another
method for preventing intrusions is “stateful” packet inspection.
This is the method used by most software firewalls and is found is
some of the newer routers. When your web browser opens a connection
to the Internet, the firewall software records that connection and
keeps a record of its status. Whenever a packet arrives at your
computer, the data in the packet can be compared to the information
in the firewall state table. The firewall software can also make
decisions based on the data content of the packet, not just the
sender's address. Because this examination does require some time
there may be a slight slowdown of your system. However, in most
cases, there will not be a long enough delay for most users to
notice.
So
inbound packets can be filtered and examined for dangerous content.
However, when the user connects to a web server, the page requested
is downloaded to the users computer. It is possible for that web page
to contain a small program or a link to a dangerous site in a one
pixel unit on the page. When this is downloaded the program is run or
the link activated. This results in an outgoing packet to some
Internet address through a non-standard port so the user is not aware
of the activity. This type of activity would not be stopped by a
hardware firewall in a router. It can only be blocked by a software
firewall which recognizes that this activity is coming from a new
application that has not previously made an Internet connection. In
this case the software will query the computer user to determine if
this new application should be allowed to connect. Hopefully, the
user would recognize that this was not an application that the user
was running and the outbound packet would then be blocked. It is
absolutely necessary for the firewall to process both incoming and
outgoing packets. Only a software firewall can establish the
necessary tables for comparing the incoming/outgoing packets to
allowed activity and request user interaction when necessary.
This
leads us to the Windows firewall. This firewall, as used with Windows
XP, does not have any control of outbound packets. Any application is
allowed to connect to the Internet without any filtering or other
checking of source or content. Windows Vista was supposed to come
with both inbound and outbound filtering. However, as it is delivered
it provides only inbound protection just as did XP. The outbound
protection is turned off by default. So, if it is there, how do you
turn on the outbound protection. To change this you have to use the
Microsoft Management Console. Then you have to write a rule to block
each “malware” application you anticipate might get on your
computer. You can not create a general rule for all malware. Creating
rules that would cover all possible malware applications is an
impossible task. Microsoft has been quoted as saying “outbound
filtering isn’t really needed, and the key is making sure that
malware doesn’t infect the PC in the first place.” Also they
have stated that large enterprises had requested that it be turned
off by default. Microsoft does say that “core Windows Services have
specific behaviors which are monitored by the firewall”. Instead of
using outbound filtering Microsoft recommends that you buy “Windows
Live OneCare”, a product and subscription service. My
recommendation is that you obtain a free two-way firewall like
ZoneAlarm and ignore the Windows firewall completely.
Whatever
you do, don't connect your computer to the Internet without using a
firewall and an antivirus application. I have come across too many
computers recently that are attached to constant on Internet
connections and had no protection. The cost of removing the malware
from these systems was more than the cost of premium protection. So
don't get caught short!
Dr.
Lewis is a former university & medical school professor. He has
been working with personal computers for more than thirty years. He
can be reached via e-mail: bwsail at yahoo dot com.
This
article has been provided to APCUG by the author solely for
publication by APCUG member groups. All other uses require the
permission of the author (see e-mail address above).
|
Bentsen Grove Resort Newsletter By Barbara Goff