A firewall is a tool that monitors communication to and from your computer. It sits between your computer and the rest of the network, and according to some criteria, it decides which communication to allow, and which communication to block. It may also use some other criteria to decide about which communication or communication request to report to you (either by adding the information to a log file that you may browse whenever you wish, or in an alert message on the screen), and what not to report.
What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common way to break into a home computer and gain control is by using a remote access Trojan (RAT). (Sometimes it is called "backdoor Trojan" or "backdoor program". Many people simply call it a "Trojan horse" although the term "Trojan horse" is much more generic). A Trojan horse is a program that claims to do something really innocent, but in fact does something much less innocent. You may sometimes get some program, via ICQ, or via Usenet, or via IRC, and believe this program to be something good, while in fact running it will do something less nice to your computer. Such programs are called Trojan horses. It is accepted to say that the difference between a Trojan horse and a virus is that a virus has the ability to self-replicate and to distribute itself, while a Trojan horse lacks this ability. A special type of Trojan horses, is RATs (Remote Access Trojans, some say "remote admin Trojans"). These Trojans once executed in the victim's computer, start to listen to incoming communication from a remote matching program that the attacker uses. When they get instructions from the remote program, they act accordingly, and thus let the user of the remote program to execute commands on the victim's computer. To name a few famous RATs, the most common are Netbus, Back-Orifice, and SubSeven (which is also known as Backdoor-G). In order for the attacker to use this method, your computer must first be infected by a RAT.
Prevention of infections by RATs is no different than prevention of infection by viruses. Antivirus programs can identify and remove most of the more common RATs. Personal firewalls can identify and block remote communication efforts to the more common RATs and by thus blocking the attacker, and identifying the RAT.
Blocking/Identifying Other Types of Trojans and WQorms?
There are many other types of Trojan horses which may try to communicate with the outside from your computer. Whether they are e-mail worms trying to distribute themselves using their own SMTP engine, or they might be password stealers, or anything else. Many of them can be identified and blocked by a personal firewall.
Identifying/Blocking Spyware's/Adbots?
The term "spyware" is a slang which is not well defined. It is commonly used mainly for various adware (and adware is a program that is supported by presenting advertisements to the user), and that during their installation process, they install an independent program which we shall call "adbot".
The adbot runs independently even if the hosting adware is not running, and it maintains the advertisements, downloads them from the remote server, and provides information to the remote server. The adbot is usually hidden. There are many companies that offer adbots, and advertisements services to adware. The information that the adbots deliver to their servers from the computer where the adbot is installed is "how much time each advertisement is shown, which was the hosting adware, and whether the user clicked on the advertisement. This is important so that the advertisements server will be able to know how much money to get from each of the advertised companies and how much from it to deliver to each of the adware maintainers. Some of the adbots also collect other information in order to better choose the advertisements to the users. The term "spyware" is more generic, but most of the spyware fall into this category. Many types of adbots can be identified and blocked by personal firewalls.
Blocking Advertisements?
Some of the better personal firewalls can be set to block communication with specific sites. This can be used in order to prevent downloading of advertisements in web pages, and thus to accelerate the download process of the web sites. This is not a very common use of a personal firewall, though.
Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites. e.g. instruct the web browser to download a small picture (sometimes invisible) from tracking sites. Sometimes, the pictures are visible and provide some statistics about the site. Those tracking sites will try to save a small text either as a small file in a special directory, or as a line in a special file (depending on what is your browser), and your browser will usually allow the saving site to read the text that it saved on your computer. This is called "web cookies" or sometimes simply "cookies". Cookies allow a web site to keep information that it saved some time when you entered it, to be read whenever you enter the site again. This allows the web site to customize itself for you, and to keep track on everything that you did on that site. It does not have to keep that information on your computer. All it has to save on your computer is a unique identifying number, and then it can keep in the server's side information regarding what has been done by the browser that used that cookie. Yet, by this method, a web site can get only information regarding your visits in it. Some sites such as "doubleclick" or "hitbox" can collect information from various affiliated sites, by putting a small reference in the affiliated pages to some picture on their servers. When you enter one of the affiliated web pages, your browser will communicate with the tracking site, and this will allow the tracking site to put or to read a cookie that identifies your computer uniquely, and it can also know what was the web page that referred to it, and any other information that the affiliated web site wanted to deliver to the tracking site. This way tracking sites can correlate information from many affiliated sites, to build information that for example will allow them to better customize the advertisements that are put on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking sites. It is not a common use of a personal firewall, though, and a personal firewall is not the best tool for that, but if you already have one, this is yet another possible use of it.
Hiding your computer on the internet?
Without a firewall, on a typical computer, even if well maintained, a remote person will still be able to know that the communication effort has reached some computer, and perhaps some information about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from your computer, but might still be able to identify also who your ISP is, and might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication effort from remote users (in the better firewalls you may define an exception list) will not be responded at all. This way the remote user will not be able to even know that it reached a live computer. This might discourage the remote attacker from investing further time in effort to crack into your computer.
The Non-Firewall Defenses
We've discussed a few situations where a personal firewall can provide defense. Yet, in many cases a computer maintainer can deal with those situations even without a firewall. Those "alternative" defenses, in many cases are recommended regardless of whether you use a firewall or not.
Remote Access Trojans?
The best way to defend against remote access Trojans (RATs) is to prevent them from being installed in the first place on your computer. A RAT should first infect your computer in order to start to listen to remote communication efforts. The infection techniques are very similar to the infection techniques that viruses use, and hence the defense against Trojan horses is similar to the defense against viruses. Trojan horses do not distribute themselves (although they might be companions of another Internet worm or virus that distributes them.
Other types of Trojans and worms?
Also here your main interest should be to prevent them from infecting your computer in the first place, rather than blocking their communication. A good antivirus and a good policy regarding the prevention of virus infections should be the first and most important defense.
Blocking Advertisements?
Leaving aside the moral aspect of blocking advertisements, a personal firewall is not the best tool for that anyway. This is not the main purpose of a firewall, and neither its main strength. Some of them can block some of the advertisements from being downloaded, if you know how to configure them for that.
Blocking Tracking Sites?
Also here, a personal firewall is not the best tool for that, and there are other tools and ways which are more effective. These are cookie utilities. Since a tracking site uses a cookie to identify and relate the information gathered to the same person (or computer), by preventing the cookie from being installed. The tracking site will lose its ability to track things. There are plenty of cookie management utilities. Some of them are freeware, and some are not
NetBIOS and Other Services?
The NetBIOS over TCP/IP (NBT) which is sometimes loosely called "NetBIOS", is a service which has some security problems with it. It is enabled by default in Windows default installations, and it is very common to see that a firewall does the job of preventing the efforts to get access to your computer via NBT. Yet, in almost all cases, this service is not needed, and thus can be disabled.
Hiding the Computer?
In web sites of many personal firewall companies, they are putting a lot of weight on the ability of their firewall to hide the computer on the Internet. Yet, exposing your home computer on the Internet is by itself, neither a security nor a privacy threat. If you provide some services to the Internet on your computer, for example, you put a web server on your computer to allow other people to view web pages, and then you might get rid of some of the crackers, by setting your firewall to unhide only this type of communications. Some attackers will not make a full scan of your computer, but only a partial scan, and if they did not scan for the specific service that you provided, they will not see your computer. Yet, if the service is a common one, there is a good chance for many of them to scan it and thus find the existence of your computer. If they "see" the existence of your computer, they might decide to scan it further, and find out the services you are providing, and scan it for security holes to use. Yet, there is no much meaning to it when we speak about simple home computers.
What a Firewall Cannot Do!
Another misconception about personal firewalls is that they are incorrectly thought as if they claim to give an overall protection against "hackers" (i.e. intrusions). They are not.
Defense Against Exploitation of Security Holes
A firewall can allow or deny access to your computer or from your computer according to the type of communication, its source and destination, and according to the question which program on your computer is handling the communication. Yet, its ability to understand the details of the communication is very limited. For example, you may set the firewall to allow or to deny your e-mail program from getting and/or sending messages. It may allow or deny your web browser from browsing the Internet. But if you allowed your e-mail program to communicate with the e-mail servers for sending and receiving messages, (and you are likely to allow it if you want to use your e-mail program), or if you set the firewall to allow your web browser to communicate with web sites, the firewall will not be able to understand the content of the communication much further, and if your web browser has a security hole, and some remote site will try to exploit it, your firewall will not be able to make a distinction between the communication that exploits the security hole, and legitimate communication. The same principle goes with e-mail program. A personal firewall may block you from receiving or sending e-mail messages, but if you allowed it to receive messages, the personal firewall will not make a distinction between a legitimate message and a non-legitimate one (such as a one that carries a virus or a Trojan horse). Security holes in legitimate programs can be exploited and a personal firewall can do practically nothing about it.
I should comment, however, that some personal firewalls come combined with some Trojan horse detection, or intrusion detection. This is not part of the classical definition of a firewall, but it might be useful. Such tasks are usually taken by other tools such as antivirus programs or anti-Trojan programs.
Tricks to Bypass or Disable Personal Firewalls
There are also various ways to disable, or bypass personal firewalls. During the time a few tricks to bypass or disable were demonstrated by various programs. Especially, tricks for an internal program to communicate with the outside bypassing or tricking the firewall. For some of them such as the one demonstrated by the Leaktest, and in which a non-legitimate program disguises itself as Internet Explorer, practically today, all personal firewalls are immuned.
Firewalls CANNOT Decide for You What is a Legitimate Communication and What is Not
One of the main problems with personal firewalls, is that you cannot simply install them and forget them, counting on them to do their job. They can deny or permit various types of communications according to some criteria, but what is this criteria, and who decides what is the criteria for whether they should permit or deny some communication?
Common Problems and Deficiencies Regarding Personal Firewalls
A personal firewall might be a good contribution to security. Yet, if you do not understand much about the topic, then you are likely to be confused and misled by its alerts and queries, and thus find yourself spending hours in chasing after imaginary crackers, fear from imaginary threats, and misconfigure it due to misunderstanding. You may find yourself blocking legitimate and important communication believing it to be cracking efforts, and thus surprised to see why things work slowly or why you are disconnected from the Internet or you might be misled to allow a non-legitimate communication by some software that tricked you to believe that it is a legitimate one. On the other side, if you are quite knowledgeable on computers and security, then you are likely to effectively defend your computer even without a firewall.
A False Sense of Security
As we've already learned here, a firewall is limited in its ability to secure your computer. Yet, many people believe that if they will install a personal firewall they will be secured against the various security threats. I was even surprised to find out that there are people who believe that give much higher priority in installing a personal firewall than in installing an antivirus program. An always updated antivirus program plays a much more important role in the security of a personal home computer than installing and maintaining a personal firewall. A personal firewall should not come on account of any other security measure that you use.
A False Sense of Insecurity
When you install a firewall and you look at all the communication efforts through it, you might be surprised at the amount of communication efforts from the Internet to your computer. Most of them are blocked by a typically configured firewall. There are all the times efforts to try to communicate with various backdoor Trojans on your computers. If you are not infected, there will be nothing to listen and to respond to those communication efforts, and they are thus practically harmless. There are efforts to communicate with your NBT driver, to see if your computer by mistake allows file sharing. There are other types of probes to see if your computer exists, or various efforts of servers to probe your computer in order to find the best path for legitimate communication to it. There are sometimes remnants of communications that were supposed to go to other computers, but made their way to yours (for advanced readers: because the IP number that your computer uses, were used by some other computer earlier). Those communication efforts are blocked even without a firewall. If your computer is not infected with a RAT, and if your computer don't have NetBIOS over TCP/IP enabled or even it does not have file and print sharing enabled (and on most computers this is disabled by default), then none of these pose any security threat. If your computer is not infected with a SubSeven Trojan, then no matter how often there will be efforts to communicate with it, they are all doomed to be failed.
Blocking Legitimate Communications
No personal firewall is smart enough to decide for the user what is a legitimate communication and what is not. A personal firewall cannot make a distinction between a legitimate program trying to contact its server to check and notify the user when there is a newer version, and a non-legitimate program trying to communicate with its server in order deliver sensitive information such as passwords, unless the user tells it. It is thus up to the user to decide what should be considered as legitimate and what should not.
Being Tricked by Trojans
Just as less knowledgeable users may instruct the firewall to block legitimate communications; they can be tricked by various Trojans to allow them to communicate. Some Trojans are using names resembling or identical to names of legitimate programs, so that the user would think that it is a legitimate program. Users should be aware of that.
Heavy Software, Buggy Software
Until now we discussed only problems related to lack of appropriate knowledge by the user. Yet, there are other problems regarding personal firewalls. For example, some of them are known to be quite heavy on computer resources, or slow down the communication speed. Different personal firewalls quite vary with regard to that. If you have a new computer with a slow Internet communication (such as regular dial-up networking) then it might not slow down your computer noticeably. Yet, if you use an older computer, and a fast communication, you might find that some personal firewalls will slow down your communication quite drastically. Personal firewalls also vary on how much they are stable.
Advantages of External Firewalls over Personal Firewalls
1. They do not take resources from the computer. This should be clear. This is especially useful when the firewall blocks flooding attacks.
2. It is harder (although in principle still possible) for a Trojan horse to disable it, because it does not reside in the same computer that the Trojan has infected. It is not possible to use the specific communication while totally bypassing the firewall.
3. They can be used without any dependence on the operating system on the computer(s) they defend.
4. No instability problems.
No comments:
Post a Comment