Personal Firewalls



By Tracey Losco
tracey.losco@nyu.edu





Personal firewalls are becoming a hot topic these days. With more and more people buying and using computers, there is an ever-increasing demand for better Internet access. This heightened demand is not only evident in corporate or university environments; it has also flooded over into the general public, who use and expect large amounts of convenient and quick access to the Internet at home.

Faced with this escalating demand for home access, the marketplace has responded by offering higher speed, 24 x 7 access through DSL and cable-modem connections. This creates a dangerous combination in terms of security: inexperienced users plus computers that are constantly hooked up to the network. Seeing this as an accident waiting to happen, programmers came up with a device that could sit between the actual computer and the Internet as a means of protecting the computer from intrusion--a firewall.

What exactly is a firewall?

There are two types of firewall protection: those put in place to guard a large network of computers, such as those used at large corporations or universities, and those that are designed for use on a smaller scale, to protect a single computer or a small number of machines. This second category, called a personal firewall, can be used to protect your home or office computer and is actually a program that you can install and run on your computer. For those who use a DSL or cable-modem connection at home, a personal firewall is a must. Even some people here on campus at NYU might want to run a personal firewall on their office computer for an additional level of security.

A personal firewall provides you with a great deal of information. By reviewing the logs, you can see who has tried to connect to your machine, what kind of traffic has been passed to your machine, and, sometimes, whether someone has sent you an infected e-mail message. A personal firewall also serves as a "Keep Out" sign for others on the Internet. It's your way of keeping intruders from trespassing onto your computer and your watchdog to alert you when someone is trying to snoop around.

Why would I really need a personal firewall?

The need for personal firewalls has grown because there are more security risks in today's constantly networked environment. The bad guys out there have realized that more and more people have started connecting their machines through DSL and cable modem connections, and they've stepped up their efforts to find the machines that are not secured so that they can break into them and use them for mischief. The ITS Network Security Group has seen an escalation in network scanning and distributed denial of service (DDoS) attacks. In general, there has also been an increased number of what we call "script kiddies"--people who, just for fun, download and run attack programs in hopes of compromising other machines. To have an additional layer of protection between your computer and the Internet, you need a personal firewall.

What does a personal firewall actually do?

Personal firewalls help you protect your machine, in a number of ways, against those people trying to wreak havoc and others who are just poking around. They give you the ability to block the non-privileged ports on your machine, meaning ports numbered 1024 and higher. In fact, you can block any port, not just non-privileged ports.

But, why is blocking non-privileged ports a good thing? Because if someone is running a piece of hostile software, it is more likely that it will be running on a higher non-privileged port than a lower privileged port. The privileged ports are already taken and used by well-known applications such as Telnet and ftp.

Mind you, this is not an absolute; you can see cases where the ports are forged with a lower port number in order to get around any type of security software that may be running. There are actually people out there who have enough experience to be able to handcraft a data packet and change the actual port number.

Nevertheless, it's a good thing to only allow connections on those ports that you really need, so this type of blocking is a good precaution. Many personal firewalls let you build a personal configuration, based on the programs you use. As each new connection is made, you are asked if it is OK. This takes longer, but you get a more stable configuration. See below, where I talk about advanced users, for more details about this type of configuration.

Personal firewalls also provide notifications when someone is "poking" at your machine. Therefore, if you do end up being one of the targets in a scan, the firewall can pop up a window letting you know this. In addition to notifying you, it can also collect this information in a log for you. This may be important for you later on if you want to track down the attacker and attempt to prevent them from scanning your computer again.

Some personal firewalls also give you the ability to monitor outgoing connections from your machine, thereby letting you know if there is anything leaving your machine that shouldn't be. This could be the case if your computer has unknowingly been infected with a virus or Trojan and is, in turn, trying to go out to the Internet to infect someone else.

Personal firewalls also enable you to block specific IP addresses manually or automatically. In these cases, if you already know of specific machines that you don't want to have access to your computer, you can block those addresses when you are configuring the software. Some firewall programs give you the ability to do this automatically.

For instance, if the program has already seen an IP address scan your machine twice, the third time that address shows up scanning you it's automatically blocked. This can be a good thing and a bad thing. Why a bad thing? Because you might block a machine that was trying to send you information you need but was somehow misconfigured. Or you might block legitimate traffic (like DNS lookups) and cause yourself problems once that IP is blocked.

More advanced users can minimize the inconvenience of unintentional or unwanted blocks by using the firewall to see how various applications work. When installing a new application, you can see exactly what communications are needed and when. You know what ports you blocked on the firewall, so once you start your new software running, you might get an alert telling you that you have an outgoing connection on a high port. With back and forth testing like this, you should be able to tell which ports your software is using to initiate and receive connections, and to configure your firewall accordingly.

Most personal firewalls also allow you to create your own ruleset. This makes it possible to configure the software to permit traffic on port 5190 (a port used by AOL Instant Messenger), but none of the other ports higher than 1024.
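The ruleset described above (permit AOL Instant Messenger on TCP 5190, block every other inbound port of 1024 and higher) is a good place to see why rule order matters in a personal firewall: a broad "block" placed before a narrow "allow" silently shadows it. The following is an added example written for this article, not code from the article or from any firewall product; it models a first-match ruleset with a default-deny policy and includes a small check that reports rules which never decide any sample packet. The packets and addresses are constructed.

```python
"""Rule-ordering demo for a personal-firewall ruleset (added example, not from the
article). Scenario from the article: allow AOL Instant Messenger on TCP 5190 but
block every other inbound port of 1024 and above. Packets below are constructed."""
from dataclasses import dataclass
from typing import Callable, List


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" (arriving at this machine) or "out" (leaving it)
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    match: Callable[[Packet], bool]  # predicate over a packet


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched gets the default policy.
    Default deny means privileged ports (below 1024) are blocked too unless a
    rule opens them, which the article notes you can choose to do."""
    for rule in rules:
        if rule.match(pkt):
            return rule.action
    return default


def winning_rule(rules: List[Rule], pkt: Packet) -> str:
    """Name of the rule that decided the packet, or "default" if none matched."""
    for rule in rules:
        if rule.match(pkt):
            return rule.name
    return "default"


# The specific AIM exception must precede the broad high-port block.
ALLOW_AIM = Rule("allow-aim", "allow",
                 lambda p: p.direction == "in" and p.proto == "tcp" and p.dst_port == 5190)
BLOCK_HIGH = Rule("block-high-ports", "deny",
                  lambda p: p.direction == "in" and p.dst_port >= 1024)
ALLOW_OUT = Rule("allow-outbound", "allow", lambda p: p.direction == "out")

GOOD_ORDER = [ALLOW_AIM, BLOCK_HIGH, ALLOW_OUT]
BAD_ORDER = [BLOCK_HIGH, ALLOW_AIM, ALLOW_OUT]   # the AIM rule is shadowed here


def shadowed_rules(rules: List[Rule], samples: List[Packet]) -> List[str]:
    """Rules that never decide any sample packet: a cheap check that a rule
    you added is not hidden behind an earlier, broader one."""
    decided = {winning_rule(rules, p) for p in samples}
    return [r.name for r in rules if r.name not in decided]


# Constructed sample traffic (documentation addresses from RFC 5737).
SAMPLES = [
    Packet("in", "tcp", "192.0.2.10", 40321, 5190),   # AIM client connecting in
    Packet("in", "tcp", "203.0.113.7", 51000, 6000),  # some other high port
    Packet("in", "tcp", "203.0.113.7", 51001, 23),    # telnet, a privileged port
    Packet("out", "tcp", "10.0.0.5", 40500, 80),      # our own web browsing
]

if __name__ == "__main__":
    for order_name, rules in (("good", GOOD_ORDER), ("bad", BAD_ORDER)):
        for pkt in SAMPLES:
            print(order_name, pkt.direction, pkt.dst_port,
                  evaluate(rules, pkt), "via", winning_rule(rules, pkt))
        print(order_name, "shadowed:", shadowed_rules(rules, SAMPLES))
```

Running it shows the AIM packet allowed under GOOD_ORDER and denied under BAD_ORDER, and `shadowed_rules` names the hidden rule. When a firewall lets you reorder rules, running a few representative packets through the list in this way is the quickest way to find an exception that never takes effect.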

How do personal firewalls work?

Before you purchase a personal firewall, you should know how they work and that some are more difficult to configure than others. For instance, Zone Alarm and Black Ice are examples of PC platform programs that are easier to use than ipchains, which is made for Unix platform machines. Zone Alarm and Black Ice have a GUI (Graphical User Interface) and offer levels of security ranging from "Careful" through "Paranoid" that you can select by just clicking on a check-box or radio-button. In order to use something like ipchains, you need to have an understanding of Unix-based operating systems and networking in general.

After you decide which firewall you're going to use, you'll want a better understanding of how they actually work. Once you install the program on your machine and configure it, it should be launched every time you turn on your computer. The program basically sits there and runs on your machine in the background. It stands guard and listens to the traffic coming and going from your machine, simply waiting for an incident to occur.

Once the firewall does hear suspicious traffic, it sends you an alert to let you know that it has detected something. It usually sounds some type of noise and then throws a message up on your screen. While the firewall is alerting you, it is also logging the information related to this event. It's recording the time the event started, the IP address of the offending machine and the type of attack it believes it to be. The firewall keeps logging information until it believes the event to be finished, and then it logs the end time. In programs like Black Ice Defender, the firewall also compares the traffic to known intrusion profiles. If it finds a match, it blocks that IP address in order to stop that attack.
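Two behaviours described in this article, the event log with a start time, source IP and end time, and the automatic block of a source that is seen scanning for the third time (with the warning that such a block can catch something legitimate like DNS), fit together in one small detector. The following is an added example written for this article, not code from the article or from any firewall vendor. It groups connection attempts by source into timed incidents, calls an incident a scan once it has touched enough distinct ports, and applies the third-strike block with a never-block list. All records are constructed; the resolver address 192.0.2.53 and the thresholds are assumptions.

```python
"""Scan detection with auto-block and a never-block list (added example, not the
article's or any vendor's code). A scan is logged with start time, source IP and
end time; a source seen scanning for the third time is blocked automatically,
except for addresses we cannot afford to lose, such as the DNS resolver the
article warns about. All records are constructed; 192.0.2.53 is an assumed resolver."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

Event = Tuple[datetime, str, int]  # (timestamp, source IP, local port hit)

SCAN_PORT_THRESHOLD = 5       # distinct local ports from one source within the window
SCAN_WINDOW = timedelta(seconds=10)
AUTO_BLOCK_AFTER = 3          # the article's "third time it shows up"
NEVER_BLOCK = {"192.0.2.53"}  # assumed DNS resolver; blocking it breaks name lookups

BASE = datetime(2001, 9, 1, 10, 0, 0)


def burst(src: str, ports: List[int], offset_s: int) -> List[Event]:
    """Constructed-data helper: one hit per second on each port, from offset_s."""
    return [(BASE + timedelta(seconds=offset_s + i), src, p) for i, p in enumerate(ports)]


# Constructed firewall records. The resolver's replies land on a different
# ephemeral local port each time, so a naive port counter sees them as a scan.
SAMPLE_EVENTS: List[Event] = (
    burst("203.0.113.7", [21, 23, 25, 80, 110, 139], 0)
    + burst("203.0.113.7", [21, 23, 25, 80, 110, 139], 120)
    + burst("203.0.113.7", [1080, 3128, 5800, 5900, 6000, 8080], 300)
    + burst("198.51.100.4", [137, 138, 139, 445, 1433], 60)
    + burst("192.0.2.53", [33001, 33002, 33003, 33004, 33005], 30)
    + burst("192.0.2.53", [33006, 33007, 33008, 33009, 33010], 200)
    + burst("192.0.2.53", [33011, 33012, 33013, 33014, 33015], 400)
    + burst("192.0.2.44", [80, 443], 10)   # two hits only: below the threshold
)


def detect_scans(events: List[Event]) -> List[Dict]:
    """Group hits by source; consecutive hits closer than SCAN_WINDOW form one
    incident. An incident is a scan once it touches SCAN_PORT_THRESHOLD ports."""
    by_src: Dict[str, List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, port in sorted(events):
        by_src[src].append((ts, port))

    incidents = []
    for src, hits in by_src.items():
        cur = None
        for ts, port in hits:
            if cur is None or ts - cur["end"] > SCAN_WINDOW:
                if cur is not None and len(cur["ports"]) >= SCAN_PORT_THRESHOLD:
                    incidents.append(cur)
                cur = {"src": src, "start": ts, "end": ts, "ports": {port}}
            else:
                cur["end"] = ts
                cur["ports"].add(port)
        if cur is not None and len(cur["ports"]) >= SCAN_PORT_THRESHOLD:
            incidents.append(cur)
    return incidents


def format_alert(incident: Dict) -> str:
    """The log line the article describes: start, source, what we think it is, end."""
    return "%s src=%s type=portscan ports=%d end=%s" % (
        incident["start"].isoformat(), incident["src"],
        len(incident["ports"]), incident["end"].isoformat())


def auto_block(incidents: List[Dict]) -> Tuple[List[str], List[str]]:
    """Sources with AUTO_BLOCK_AFTER or more scans get blocked, unless they are
    on the never-block list, in which case they are held for a human to review."""
    counts = Counter(i["src"] for i in incidents)
    blocked, held = [], []
    for src, n in counts.items():
        if n >= AUTO_BLOCK_AFTER:
            (held if src in NEVER_BLOCK else blocked).append(src)
    return sorted(blocked), sorted(held)


if __name__ == "__main__":
    found = detect_scans(SAMPLE_EVENTS)
    for inc in found:
        print(format_alert(inc))
    blocked, held = auto_block(found)
    print("blocked:", blocked, "held for review:", held)
```

On the constructed data the external host is blocked after its third scan, while the resolver, which trips the same counter three times, is only reported. That is the practical answer to the article's DNS caveat: a short list of addresses the machine depends on, kept out of reach of the automatic block.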

In some cases, personal firewalls function like anti-virus software. For some programs, you need to download monthly updates. In the same way that new viruses are created, requiring manufacturers to come up with new ways to protect users against them, new attacks needing new responses can pop up anytime. As with anti-virus software, the program can only protect you from the attacks it knows about. If you bought a personal firewall product two years ago and haven't updated it since, you're not protected against the new attacks that have surfaced in that time.

A final feature of some personal firewalls is protection against e-mail viruses. Some personal firewalls actually sit there listening for these viruses. Zone Alarm, for example, will alert you if you receive any e-mail messages with a Visual Basic script attached.

What do I need to know before I use a personal firewall?

Personal firewalls are not the "be all and end all" for protecting your computer, so before you use one, you should be aware that they're not perfect. Besides some of the limitations mentioned above, they can and do give out false alarms. A lot of your initial work with them will be in trying to limit the "false positives." You don't want to get yourself into a "boy who cried wolf" situation, where the program keeps alerting you of attacks that are really normal network traffic. After a while, you might ignore the alerts, having seen them before and thinking they meant nothing. Then, when you really were attacked, you might just blow it off, believing it was another false alarm.

Also, personal firewalls can unknowingly pass hostile traffic. Even though you may have been very careful to close all of the appropriate ports and to set up the rest of the software correctly, something may still get through. The personal firewall is not perfect and cannot detect all hostile traffic because not all traffic is what it seems to be. A hostile program can be configured to change its name to some commonly trusted program, such as Outlook.exe, and then sneak in beneath the radar.

Using a personal firewall on your machine here at the University will probably result in seeing and receiving notifications on more traffic than you would on a home DSL or cable modem connection. On campus, you might see traffic that looks suspicious when in fact it is actually automated network maintenance or perhaps the Network Security Group doing maintenance scans to make sure everything is OK. And, since we're a University, there's also going to be research conducted on the network--so there are really several different types of traffic flying back and forth. Keep these things in mind when you are configuring your software and when you receive your notifications.

What are some typical false alarms?

As I discussed earlier, personal firewalls can have a high noise level and it's good to know what some typical false alarms can be--this doesn't mean that you should ignore the alerts, it just means that you shouldn't go into a complete panic if you see them. SNMP broadcasts can be mistaken for an attack. This has even shown up in reviews of the University's alerts. HP Jet Direct printers, if not configured correctly, can bombard whole networks just saying, "Hi, I'm here if you want to print to me!" Receiving that kind of communication could cause you to receive a false alert. Another example could be a network ping (IP/2048). This is a packet that is sent as a kind of "Hello, are you there?" and the machine should respond, "Yup, here I am." NYU's Network Services will sometimes use this method as a maintenance procedure to make sure that there are no network problems. Unfortunately, to a personal firewall, this might be construed as an attack. Napster also does this in search of other machines with which to trade files.

Ident lookups can also be misread as attacks. For instance, when you connect to a website, the machine on the other side may send back a packet to your machine to verify its identity. This lookup may not come back on the same port, and might even originate from a completely different machine than the one to which you originally connected. This lookup would then appear completely unrelated to your original outgoing traffic and may appear to be an attack. Path MTU (maximum transmission unit) discoveries can be mistaken for an attack because they will appear as a series of multiple pings. Basically, this is an attempt to guide a packet along the shortest route across a network. This is done by routers as an attempt to get you information from the closest location at the quickest possible speed and is a good thing; however, a firewall may not see it that way.
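The false alarms listed in the two paragraphs above can be tagged before they ever reach the pop-up, which is the practical way to keep the "boy who cried wolf" problem in check. The following is an added example written for this article, not code from the article or from any firewall product. It labels SNMP broadcasts, pings from an assumed maintenance network, Path MTU discovery (modelled here as the ICMP type 3 code 4 "fragmentation needed" message, which is what the discovery actually sends, rather than as echo requests) and ident (TCP 113) lookups that arrive shortly after one of our own outbound connections; since the article notes the ident lookup may come from a different host than the one we connected to, the match is on time only, not on address. The maintenance network, broadcast addresses and all events are constructed.

```python
"""Triage of common personal-firewall false alarms (added example, not from the
article). Tags the benign patterns the article lists; anything else stays
"review" so a human still looks at it. All addresses and events are constructed."""
import ipaddress
from datetime import datetime, timedelta
from typing import Dict, List

MAINTENANCE_NETS = [ipaddress.ip_network("192.0.2.0/24")]  # assumed scanner range
LOCAL_BROADCAST = {"255.255.255.255", "198.51.100.255"}   # assumed for our subnet
IDENT_GRACE = timedelta(seconds=5)  # how soon after our outbound connection an ident lookup is expected

T0 = datetime(2001, 9, 1, 12, 0, 0)


def classify(event: Dict, recent_outbound: List[datetime]) -> str:
    """Return a label for one inbound event given the times of our recent outbound connections."""
    proto = event["proto"]
    src = ipaddress.ip_address(event["src"])
    if proto == "udp" and event["dst_port"] in (161, 162) and event["dst"] in LOCAL_BROADCAST:
        return "benign:snmp-broadcast"          # e.g. a chatty Jet Direct printer
    if proto == "icmp":
        if event["type"] == 8 and any(src in net for net in MAINTENANCE_NETS):
            return "benign:maintenance-ping"    # echo request from the assumed maintenance range
        if event["type"] == 3 and event["code"] == 4:
            return "benign:path-mtu"            # "fragmentation needed" from a router on the path
        return "review:icmp"                    # pings from elsewhere still get a look
    if proto == "tcp" and event["dst_port"] == 113:
        # Correlate on time only: the article notes the lookup may come from a
        # different machine than the one we connected to.
        if any(timedelta(0) <= event["ts"] - t <= IDENT_GRACE for t in recent_outbound):
            return "likely-benign:ident-after-outbound"
        return "review:unsolicited-ident"
    return "review"


def triage(events: List[Dict], recent_outbound: List[datetime]) -> Dict[str, str]:
    """Label every event by its id."""
    return {e["id"]: classify(e, recent_outbound) for e in events}


# Constructed: we opened one outbound connection (say, to a web site) at T0 + 1s.
OUTBOUND = [T0 + timedelta(seconds=1)]

# Constructed inbound events as a firewall might record them; 198.51.100.77 is "our" machine.
SAMPLE_EVENTS = [
    {"id": "snmp", "ts": T0, "proto": "udp", "src": "198.51.100.20",
     "dst": "198.51.100.255", "dst_port": 161},
    {"id": "maint-ping", "ts": T0, "proto": "icmp", "src": "192.0.2.9",
     "dst": "198.51.100.77", "type": 8, "code": 0},
    {"id": "outside-ping", "ts": T0, "proto": "icmp", "src": "203.0.113.5",
     "dst": "198.51.100.77", "type": 8, "code": 0},
    {"id": "pmtu", "ts": T0, "proto": "icmp", "src": "203.0.113.1",
     "dst": "198.51.100.77", "type": 3, "code": 4},
    {"id": "ident-ok", "ts": T0 + timedelta(seconds=3), "proto": "tcp",
     "src": "203.0.113.80", "dst": "198.51.100.77", "dst_port": 113},
    {"id": "ident-cold", "ts": T0 + timedelta(minutes=10), "proto": "tcp",
     "src": "203.0.113.81", "dst": "198.51.100.77", "dst_port": 113},
    {"id": "netbios", "ts": T0, "proto": "tcp", "src": "203.0.113.7",
     "dst": "198.51.100.77", "dst_port": 139},
]

if __name__ == "__main__":
    for event_id, label in triage(SAMPLE_EVENTS, OUTBOUND).items():
        print("%-12s %s" % (event_id, label))
```

The labels only downgrade the alert's urgency; nothing is dropped from the log. That keeps the point the article makes intact: you still see the traffic, you just stop panicking over the parts that a printer, the maintenance scanner or a router on the path sends every day.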

General security issues to consider

As I mentioned earlier, more people are on the Internet for longer periods of time these days. Unfortunately, the longer you're on the Net, the more likely it is that you'll be attacked. When machines are constantly connected, the bad guys have more time to pound away at them in an effort to break in. I see this all the time. Having a personal firewall can help you to protect your machine and data from being destroyed or stolen, but even a personal firewall can't do everything. You should also have a virus-checking program on your machine, so you can have a "belt and suspenders" type of protection. If one fails, you have the other one in place to possibly save you from embarrassment. Remember, as a good Netizen, it's up to you to secure your machine. You are responsible for what happens on it and for what comes from it. Personal firewalls are another way for you to make sure that your machine and data are secure and that you are not contributing to the spread of some new exploit or virus.

New Issues

In the evolution of our increasingly networked world, we run into more and more issues that give us cause to better protect our machines. With the introduction of Mac OS X and FreeBSD, we're going to see one of two things--an increased amount of break-ins or an increase in security awareness. Newly released systems such as these will call for more security measures to protect them.

Viruses and Trojans are not exactly new issues, but they are constantly increasing and remain a concern. If you were hit with the most recent SirCam worm, you know what I am talking about. (You can find more information about it at: www.symantec.com/avcenter/venc/data/w32.sircam.worm@mm.html). Viruses and Trojans pose a new need for greater awareness of what type of traffic is leaving your machine. They put us in the situation where we could possibly be the cause of spreading some new type of virus or Trojan. Just because you're aware of the traffic that is coming at your machine does not mean you're safe. Sometimes outbound traffic is hostile too. If some packet comes at your machine, isn't detected as hostile, and enters under the radar, your machine can then be used to attack other machines. Hostile programs such as Back Orifice and the SubSeven Trojan would cause this type of behavior.

And, finally, be prepared to go through panic attacks. The first time you see that pop-up screen on your machine notifying you that something has tried to initiate a connection with your machine, your blood pressure is going to rise. You're going to want to pick up the phone and scream to someone, "Help! I'm being attacked!" Try to restrain yourself...and be glad that you were smart enough to protect yourself!

You can find more information about personal firewalls and some product reviews at the following websites:

www.firewallguide.com/freeware.htm
www.zdnet.com/products/stories/reviews/0,4161,2615071,00.html

Remember that the best offense is a good defense. If you're interested in purchasing a personal firewall, stop by the NYU Computer Store; they can help you pick one out for your specific machine. If you have any security-related questions or comments, visit www.nyu.edu/its/security/, or contact the ITS Network Security Team at security@nyu.edu.


Tracey Losco is an ITS Network Services staff member specializing in security issues.

 
