Firewall Questions for beginners

Discussion in 'other firewalls' started by Paranoid2000, Aug 1, 2006.

Thread Status:
Not open for further replies.
  1. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Basic Questions
    This section aims to provide information useful to people unfamiliar with firewalls or networking.

    What is a firewall?
    A firewall controls network traffic, allowing or blocking it according to rules you specify (rather like a doorman at a nightclub, with rules on who to allow entry to). This can either be a special program running on your computer ("software firewall") or a separate box connected between your computer and the Internet ("hardware or firmware firewall").

    What benefits does it offer?
    Connecting to the Internet is like opening the door to your house - anyone can come in, anyone can go out. Sadly, it is also now like entering a war zone due to the number of unscrupulous individuals seeking to hijack others' computers for a variety of reasons. An unprotected Windows system is therefore likely to be broken into within 10-15 minutes when connected.

    Both software and hardware firewalls can block such attempts - often with the option of alerting you or taking other action like blocking any further traffic from the attacker.

    Firewalls can also control what programs on your computer can access the Internet (though hardware firewalls are fairly limited here). This is useful for two reasons - first it allows you to protect your privacy by blocking programs that try to "phone home" unnecessarily and secondly it can provide warning if your system has been compromised by malware undetected by your anti-virus scanner (since virtually all malware needs to connect to the Internet to function properly).

    Many software firewalls also include features like ad-filtering (removing adverts from web pages), web-filtering (removing any content from a web page that may pose a security or privacy risk) or parental controls (blocking access to known adult websites). These features can all be provided by other software so should not be regarded as essential, but they may be useful to have.

    Which one should I use? (Is there a 'best'?)
    There is no best product overall since factors like simplicity, flexibility, speed and features can conflict (a "simple" firewall has to compromise on "flexibility" for example). In addition, your own technical experience and desire for control need to be considered - you may prefer a firewall that alerts you to anything remotely suspicious or instead want one that stays in the background. Furthermore, it is possible for a particular firewall to conflict with other security or network software on your computer.

    However, almost every product has a free trial so the best advice is to visit the websites, review the documentation and then create a shortlist of products to try out. Then download and install the trial versions - only committing to a purchase once you are certain that the firewall works on your system and that you are happy configuring and using it.

    How good is Windows' firewall?
    Microsoft provided a very simple firewall with Windows 2000 which was then significantly improved with Windows XP Service Pack 2. This version can provide good protection from incoming attacks but cannot be relied upon to control outgoing traffic. Older versions of Windows (95, 98, ME, NT) have no firewall.

    How can I test my firewall?
    To test your firewall's ability to protect against incoming attacks and scans, visit one or more of the following sites. Note that if you are using a router, the test will target the router, not any software firewall your PC is running.

    Shields UP!
    PCFlank
    Sygate Online Scan
    HackerWhacker

    Please note that while your firewall may report these scans as an "attack", you should not report this to any ISP. The Outpost forum thread Online Scans - What to do with Open and Closed Ports has more information about what the results mean and what action to take.

    To test your firewall's ability to detect outgoing connections, special programs called "leaktests" have been developed which you can download and run on your system. FirewallLeaktester is the best source of information here, containing copies of the current leaktests plus reviews of firewall performance against them.

    Can I use multiple firewalls?
    For software firewalls (programs running on your PC), only one should ever be installed. Multiple software firewalls may cause system crashes (blue screen errors) or interfere with each other, leaving your system unprotected.

    Multiple hardware firewalls can be used (for example, having 2 or more routers connected in series) but this offers little extra security benefit while increasing the amount of work you have to do to set everything up.

    A software and hardware firewall can be used together and this provides the best of both worlds - the hardware firewall will block intruders leaving the software firewall free to control program network access.

    I have several computers - does each one need a firewall?
    If the computers are sharing an Internet connection using Windows' Internet Connection Sharing (where one computer, the "gateway", is connected directly to the Internet), then you can protect them by either installing a firewall on each one or by using a firewall on the gateway machine. Internet Connection Sharing is quite complex however so the gateway firewall may need some adjustment to work properly.

    If you have a router with its own (hardware) firewall, then that will protect every connected computer from outside attack.

    How do I decide what to allow and what to block?
    Most firewalls will ask you the first time a program tries to connect to the Internet whether or not to allow it. If the program is one you have installed and has legitimate need for Internet access (a web browser needs to connect to websites, email software needs to connect to your ISPs email server), then you should allow it. If you are unsure, block it and look up the details on the program using a search engine like Google.

    The following list covers programs that, for most people, should be allowed access (the first letter may vary, depending on your system setup):
    • Windows System
      If you are running Windows XP, the following applies:
      C:\WINDOWS\System32\Svchost.exe
      Allow access for DNS and DHCP protocols in order to connect to the Internet (required).
      Allow access for NTP (to time.windows.com, time.nist.gov) for clock synchronisation (optional);
      Allow access for HTTP, HTTPS (to *.microsoft.com) to access online Windows Help (optional).
      Block access if any is requested for the RPC protocol to any address (a good indication of a compromised system) and for SSDP/UPnP (Universal Plug and Play) unless you are sure that you need it.
      Block access for any other incoming traffic (known as Server access in ZoneAlarm or Sygate) - this is to prevent Windows Messenger spam which targets svchost.

      Do not allow any network access to files named svchost.exe in other folders - they are likely to be malware.

      If you are running Windows 2000, the following applies:
      C:\WINNT\System32\Services.exe
      Allow access for DNS and DHCP protocols in order to connect to the Internet (required);
    • Web Browsers
      C:\Program Files\Internet Explorer\iexplore.exe
      C:\Program Files\Firefox\firefox.exe
      C:\Program Files\Opera\opera.exe

      Allow access for FTP, HTTP, HTTPS protocols to be able to view webpages and download files (apply to whichever browsers you use)
      Allow access for POP3, IMAP, SMTP protocols to be able to read and send emails for Opera if using its M2 email client;
    • Email Programs
      C:\Program Files\Outlook Express\msimn.exe
      C:\Program Files\Thunderbird\thunderbird.exe

      Allow access for POP3, IMAP, SMTP protocols to be able to read and send emails (apply to whichever email programs you use)
      Block access for HTTP, HTTPS protocols since these are more likely to be used by email "tracking" systems that allow the sender to tell if you have read an email, plus your address;
    How can a firewall tell me if my system has been compromised?
    Almost all malware (a general term covering viruses, spyware and trojans) needs Internet access - to inform their creator of their existence, to receive orders on how to exploit your system or to send back private information. If your firewall alerts you to a new program trying to connect out that you have not installed or the connection looks suspicious in other ways (connecting to a dynamic domain rather than a website, to a domain in a country you don't normally access or using a protocol commonly abused like Internet Relay Chat), then this should be blocked and you should run a full scan of your system with an up-to-date anti-virus utility.

    Often malware will attempt to bypass firewalls by hijacking trusted programs - many firewalls can detect such techniques and will alert on them. While some software uses such methods legitimately (mouse/keyboard/touchpad software most notably), it is safer to block if in doubt and do an online search for details of the program concerned.

    What limits are there to a firewall's security?
    Firewalls cannot provide protection for programs allowed network access. To fully secure your system, you need to look at each program allowed access and consider how it could be used to compromise your system. For example, email software could download attachments containing malware - to prevent this either use anti-virus software or disable attachments completely. A web browser could be affected by a malicious website - anti-virus web scanners or web-filters would prevent this. A downloaded file could contain malware - an anti-virus/anti-malware scanner would be the best protection.

    Special care needs to be taken with programs allowed to accept incoming traffic from the Internet (known as "server access" in ZoneAlarm or Sygate) since these would be open to attackers - examples include many file-sharing programs and any "server" software (webserver, mailserver, game server). Such programs need to be kept updated with any patches to fix security problems and it may be worth considering other security software (like a "system firewall") to restrict their access - or running them under a Limited User account.

    What are Internet Addresses and Domain Names?
    Every system on the Internet has a unique numeric address which needs to be known before connecting to it (rather like a telephone number). This consists of 4 numbers, each in the range 0-255 - for example 192.168.0.1. However most people find names easier and more meaningful so almost every system has a name also (like wilderssecurity.com) which is known as a Domain Name.

    Before connecting to a Domain Name, your computer must look up this numeric address (known as an Internet Protocol or IP address - wilderssecurity.com had the IP address 65.175.38.194 at the time of writing) and it uses a system called the Domain Name System (DNS) to find this. DNS can be thought of as a giant phone directory split into thousands of sections, spread around the Internet. This is why it is necessary to allow DNS traffic for so many programs.

    Almost all firewalls allow you to set access restrictions by IP address and many allow domain name restrictions also (for example, you could limit your email software to access your ISP email servers only, allowing it to read and send emails while preventing it from contacting any websites linked to in HTML emails, an increasingly popular technique by marketeers for tracking users).

    Note: Due to a shortage of IP numbers, a new addressing system called IPv6 has been created which uses 32 numbers for an address rather than just 4. This is not in widespread use currently (and not many firewalls support it), but this is likely to change in the future.

    Hardware Firewalls
    With hardware firewalls, the type of Internet connection you use may affect the choice available. While it is possible to have a "2-box" setup with a modem (xDSL, Cable or Satellite) being connected to a router (which has multiple network connections and a firewall), most users would find a single box (providing the connection to their ISP, a firewall plus one or more connections for their PCs) easier to manage. However while such systems are readily available for DSL users (known as DSL routers - ensure you use the correct type like ADSL or SDSL for your connection), cable or satellite users may be limited to routers offered and supported by their ISP. If you use cable or satellite, you should first contact your ISP for advice on supported units.

    Aside from that, most units will provide adequate security from incoming attack - the key features to look out for are:

    * the ability to share an Internet connection (using a technique called NAT - Network Address Translation). Even without a firewall, NAT will block most incoming attacks due to the way it works;
    * a firewall able to provide details of any attacks blocked (and ideally with some visible indicator when this occurs);
    * enough network connections (known as ports) to cover all your computers plus one or two spare for future use;
    * a straightforward and simple way of setting up the router (most can be done using your browser but some have strange interfaces);
    * for wireless networking, comprehensive support for the strongest encryption available (128-bit WEP as a minimum with WPA strongly recommended).

    Some routers offer extra features like virus filters, content blocking (mainly to prevent access to adult websites) or traffic prioritization (also known as Quality of Service). Filtering can be quite easily bypassed so should not be considered a key feature while prioritization can be done via software also. Faster wireless technologies may be worth paying extra for, but every computer will need a wireless network card that supports the same protocol (e.g. 802.11g, 802.11a or 802.11n).

    Where else can I find more information?
    The Other Firewalls Sticky Posts contains links to sites covering configuration and support for several firewalls.
     
    Last edited by a moderator: Aug 11, 2006
  2. Stem

    Stem Firewall Expert

    Joined:
    Oct 5, 2005
    Posts:
    4,948
    Location:
    UK
    This is just a follow up post to explain some of the connections that a firewall will try to make (for the services/ internet connections mentioned, and rules that can be put in place.)

    _______________________________________________________________________________________________
    Dhcp client
    Service Name: Dhcp
    Process Name: svchost.exe -k netsvcs
    Microsoft Service Description: Manages network configuration by registering and updating IP addresses and DNS names
    (This is how your computer gets a Dynamic IP address so you can connect to the internet. If Internet Connection Sharing is enabled, you need DHCP Client. Also required for most DSL/Cable connections.)

    UDP Ports 67:68

    Allow UDP Local port 68 Remote port 67


    _______________________________________________________________________________________________
    DNS Client
    Service Name: DNS
    Process Name: svchost.exe -k NetworkService
    Microsoft Service Description: Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
    (With this service enabled, svchost will perform all the DNS lookups, if disabled, then any program that requires this service will perform this itself.)

    UDP Port 53

    Allow UDP Remote port 53


    _______________________________________________________________________________________________
    Windows Time Service
    Service Name: W32Time
    Process Name: svchost.exe -k Netsvcs
    Microsoft Service Description: Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    (If you like to synchronize your PC clock to a time server, this is one way to go)

    UDP Port 123

    Allow UDP Remote port 123 (time.windows.com)


    _______________________________________________________________________________________________
    Help and Support Service
    Service Name: helpsvc
    Process Name: svchost.exe
    Microsoft Service Description: Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
    (some like this service, and its ability to connect out to microsoft for help, but please note, this does not need to connect to the internet to work correctly, and is optional)

    TCP outbound, Ports 80:443

    Allow TCP (outbound connection): Local ports 1024-4999: Remote Ports 80:443

    _______________________________________________________________________________________________
    Remote Procedure Call (RPC) Locator Service
    Service Name: RpcLocator
    Process Name: locator.exe
    Microsoft Service Description: Manages the RPC name service database.
    (When searching for RPC Services on the network a Windows RPC client will connect to the domain controller over TCP port 139/445 (the SMB ports) and search for services/servers through the "locator" named pipe. The need for this on a home PC I have yet to find, as mentioned, best to block this.)

    _______________________________________________________________________________________________
    SSDP Discovery Service (UPnP)
    Service Name: SSDPSRV
    Process Name: svchost.exe -k LocalService
    Microsoft Service Description: Enables discovery of UPnP devices on your home network.
    (This is NOT the Plug`n`play as you may at first think, this is used for finding external devices. Example is a Router which can be UPnP, applications can, by using UPnP open inbound ports (port forward), this was possibly a good idea for ease of use, but can also be used by Trojans etc)

    [Signs of SSDP/UPnP activity: svchost will attempt to send UDP out to remote IP 239.255.255.250 remote port 1900 and will attempt to listen on local port 1900 (as well as listen on localhost(127.0.0.1:1900))]

    _______________________________________________________________________________________________
    HTTP (HyperText Transfer Protocol)
    This is the basic connection made by your browser (http (remote port 80)) when connecting to the internet. There is some confusion at times due to the way the PC uses local ports, as the PC will use local ports somewhere between 1024-5000 when connecting out, so a typical firewall rule for HTTP could be:-

    Allow outbound TCP local ports 1024-5000 remote port 80
    _______________________________________________________________________________________________
    HTTPS
    This is basically the same as HTTP but uses encryption on connection, and connects to remote port 443.
    Once again the local ports used can be between 1024-5000, so a typical firewall rule for HTTPS could be:-

    Allow outbound TCP local ports 1024-5000 remote port 443
    _______________________________________________________________________________________________
    FTP (File Transfer Protocol)
    This is a commonly used protocol for exchanging files over any network, to connect out this protocol will connect to remote port 21

    Allow outbound TCP local ports 1024-5000 remote port 21

    FTP uses 2 ways of connection, one known as "Active FTP" and one as "Passive FTP". I will not go into a full explanation of this at this time, I just feel that there is "a need to know" that when connecting via FTP other remote ports can be asked for, with the dreaded popup from the firewall, or if the firewall has a "block all" rule at the end of the ruleset, a "The connection was reset" page.
    So at this time I will just say that, when an FTP connection is made, some firewalls will allow these other ports to be used, but some will require an extra rule for the "Passive" connection.

    Possible extra rule:
    Allow outbound TCP local ports 1024-65535 remote ports 1024-65535

    _______________________________________________________________________________________________
    POP3 (Post Office Protocol 3)
    This is the most recent version of a standard protocol for receiving e-mail. POP3 is a client/server protocol in which e-mail is received and held for you by your Internet server. Periodically, you (or your client e-mail receiver) check your mail-box on the server and download any mail, probably using POP3. This standard protocol is built into most popular e-mail products, such as Eudora and Outlook Express.

    Allow outbound TCP local ports 1024-5000 remote port 110

    _______________________________________________________________________________________________
    IMAP (Interactive Mail Access Protocol)
    This is another way that e-mails are collected, but has more advanced options for access/retrieval.
    (a more detailed explanation will be given later)

    Allow outbound TCP local ports 1024-5000 remote port 143

    _______________________________________________________________________________________________
    SMTP (Simple Mail Transfer Protocol)
    This is a protocol for sending e-mail messages between servers. Most e-mail systems that send mail over the Internet use SMTP to send messages from one server to another; the messages can then be retrieved with an e-mail client using either POP or IMAP. In addition, SMTP is generally used to send messages from a mail client to a mail server. This is why you need to specify both the POP or IMAP server and the SMTP server when you configure your e-mail application.

    Allow outbound TCP local ports 1024-5000 remote port 25


    NOTE:
    If this post brings more questions, then please post to the forum and ask.
     
    Last edited: Jan 1, 2007