The magazine of the Melbourne PC User Group

Firewalls
George Skarbek
gskarbek@melbpc.org.au

Introduction 

Recently there has been an increase in the number of advertisements for firewall software. The publishers are aware that fear sells and may hope that the fear of some unknown threat will cause you to purchase more software. Users should be aware that anti-virus (AV) software is not a firewall program. AV software will protect you only from a program that has been, or is being, put onto your computer via a CD-ROM, e-mail or floppy disk: a program that will replicate itself and possibly cause damage to your computer. AV software will not stop a human connecting to your computer when you are connected to the Internet or via a Local Area Network (LAN), and won't stop them from looking at, copying, modifying or deleting your files. 

Firewall software is designed largely to protect you from a human accessing your computer, via another computer of course and via the Internet, without your knowledge. 

Now, do you need a firewall? This is a subjective question, but I feel that if you are connected to the Internet only for fairly short periods via a dial-up modem, the risk of someone connecting to your computer is extremely small and you do not need firewall software. People running permanent Internet connections via LANs may be more at risk, as are people connected by cable. For a user who is connected by cable, and is therefore connected to the Internet whenever the computer is on, the risk is greater, especially if the computer is also connected to other PCs via a LAN and sharing its hard disk. There are now many homes that fall into this category and these users should consider some firewall software, as their exposure is much greater.

With a modem you are likely to be connected for only a few hours a day at most, and every time you connect you will be assigned a new TCP/IP number (your machine address on the Internet) and this makes it much harder for a hacker to find you the next day and continue the attack. Furthermore there are steps that you can take to almost eliminate the risk without having to purchase additional software. 

Firewall Functions

A firewall moves all traffic through a single point, examining every packet and blocking any packet that may be potentially harmful, that is, any packet that may enable someone to access your computer. The tasks performed by firewall software include port blocking, dynamic configuration, stealth mode, file share and service control, as well as smart alerts. Port blocking works by denying any network traffic in or out of your PC unless you specifically allow it. The firewall also provides idle port blocking, which automatically closes any port not currently in use by an application that you have configured to allow access to or from your PC. Stealth mode goes one step further by suppressing the automatic TCP/IP responses on unused ports for such common protocols as mail, browsing etc.
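The behaviour described above (default-deny port blocking, dynamic allowance of replies to connections the PC itself opened, idle port blocking, and the stealth choice between dropping silently and sending a refusal) modelled as a small packet-decision routine. This is an added illustration, not code from any firewall product; the packet fields, port sets and timeout are assumptions chosen for the example.

```python
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" (arriving from the network) or "out" (sent by this PC)
    remote_ip: str
    remote_port: int
    local_port: int


@dataclass
class PersonalFirewall:
    stealth: bool = True                                # drop silently instead of refusing
    allowed_ports: set = field(default_factory=set)     # server ports you chose to expose
    app_listening: set = field(default_factory=set)     # ports an application holds open now
    flows: dict = field(default_factory=dict)           # (ip, rport, lport) -> last seen
    flow_timeout: float = 120.0                         # seconds before a flow is forgotten
    log: list = field(default_factory=list)             # (verdict, packet) for "smart alerts"

    def decide(self, pkt, now=None):
        """Return "allow", "drop" (no reply at all) or "reject" (refusal sent back)."""
        now = time.monotonic() if now is None else now
        key = (pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if pkt.direction == "out":
            # dynamic configuration: remember the connection this PC initiated
            self.flows[key] = now
            return self._verdict("allow", pkt)
        # inbound packet that answers something we started recently
        if key in self.flows and now - self.flows[key] <= self.flow_timeout:
            self.flows[key] = now
            return self._verdict("allow", pkt)
        # explicitly allowed server port, but only while an application actually
        # uses it (idle port blocking closes it again otherwise)
        if pkt.local_port in self.allowed_ports and pkt.local_port in self.app_listening:
            return self._verdict("allow", pkt)
        # default deny: stealth mode gives the sender nothing, otherwise it is refused
        return self._verdict("drop" if self.stealth else "reject", pkt)

    def _verdict(self, verdict, pkt):
        if verdict != "allow":
            self.log.append((verdict, pkt))     # material for the alert window
        return verdict
```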

There are 65,535 ports available from your computer that can be used by various software programs. Melb PC servers respond to requests from the following ports and provide the following services:

  • when you collect e-mail you connect to port 110 on popa.melbpc.org.au
  • when you send e-mail you connect to port 25 on smtp.melbpc.org.au
  • when you read news you connect to port 119 on news.melbpc.org.au
  • when you lookup an Internet address you connect to port 53 on the nameserver
  • when you "surf" to melbpc you connect to port 80 on our Web server
  • when you collect or upload files via FTP (File Transfer Protocol) you would use port 21
  • when you surf to the rest of the world you connect through port 8080 on our proxy server.
Firewalls will prevent unauthorised access to your computer via the many available ports and protocols that your computer offers. If you want to see the port numbers assigned to Internet protocols, look at: http://www.isi.edu/in-notes/iana/assignments/port-numbers.
 
Non-firewall Protection

If you connect to the Internet via a dial-up modem, you can take steps to make your computer very secure without installing additional software.

The first thing to check is that you have not shared your disk drives. If you are not connected to a LAN, then this is unlikely to be the case. To check, click on Start, Settings, Control Panel, Network, File and Print Sharing and check that "I want to be able to give others access to my files" is not ticked.

If you are connected to a LAN at home and need to share your drives then set a long password containing letters and numbers. To save you typing the long password every time you connect, on the other computer create a .BAT (batch) file that reads:

    net use x: \\server\c password

and make a shortcut to it. \\server is the name of your computer, which will be seen as drive x: or any other drive letter that you wish to assign.

False Positives (attacks)

One common problem faced by users of all firewall programs is the reporting of attacks against your computer when in fact there is no attack. During my visit to Comdex I spoke to every firewall vendor there and asked what is the main reason for the large number of these alarming but untrue reports. Amazingly every vendor gave a different answer! 

This means that the false positive reporting will be with us for some time and it's this that causes much anxiety for many users. They believe that if so many users are trying to break into their computer, then someone will eventually succeed. However, my guess is that probably well over 99% of these reports are the result of some harmless and normal activity on the Internet. Some ISPs even probe their customers on a regular basis to ensure they are not running a server (a very low cost private network) which is not allowed. 

Another area where false positive reports can arise is from an NT based LAN. When you click on the Network Neighbourhood icon there is a computer designated the Master Browser that keeps a record of which computers are online and what resources they have. It would generate a lot of traffic in an office with hundreds of computers if every computer had to be interrogated every time someone clicked, so the Master Browser polls at regular intervals to update its database. Now if the router is not well configured these polls can leave the office via the Internet and your firewall software can report this harmless activity as an attack.

At home, I am permanently connected by cable and decided to experiment in order to find out just how much malicious activity there really is. With my heavily password-protected hard drives, and one RAM drive shared but not protected, I removed all firewall software and constantly monitored my drives for network connections using the Windows program Netwatch. See a typical pattern (Figure 1) for an Internet connection where G: is the RAM drive.

During one week I have had three users connect to my drive. However, the pattern was not that of hackers. After the initial connection, within two seconds there was no further activity for the hour or so that I monitored that connection. To test the hacker theory, I created a dummy file called Visa Records and left it on the RAM drive, as this is the type of file any hacker would be interested in. However, the pattern was the same and that file was not opened. During the next week there were two connections but no activity after connection, indicating some machine process was connecting without that user being aware. Even the names of the users were not the names that you see on hacker sites; they were all office type names. 

Although the above is not a definitive test, the indications are that there may not be all that much real hacking of end users going on when these automatic polls or "attacks" occur. I am now running with a firewall after the tests, but I am not worried at all about the supposed activity being reported.

Testing Your Firewall

Having installed some firewall software, how can you tell if it is working? My background in computing has been quite extensive in the network area and I have software tools for analysing LANs. So after installing a firewall on my computer, and setting it to maximum security, I attempted to access that computer from a computer on the next desk. Even knowing the IP address and NetBIOS name of the other computer, I was not able to break into it, regardless of which firewall software was used. They all work adequately well. 

The next step was to see how well it performed protecting me from the Internet. I set the protection level to all access over the LAN and then went to the Gibson Research site at http://grc.com/default.htm. There you can run a test to determine the level of security of your computer via a program called ShieldsUp. The author of the testing software, Steve Gibson, has written some amazing software in the past and I would trust anyone with such a deep understanding of software and hardware to produce some high quality testing software. All the firewall software passed with equal and perfect results.

Figure 1. Netwatch

Figure 2 is a part of the text from that report. Running that test without any firewall software will produce a report that highlights major weaknesses in your protection. A typical open port will be Port 139 (NetBIOS). Again, quoting from http://grc.com/default.htm ...

As you probably know by now, the NetBIOS File Sharing port is the single largest security hole for networked Windows machines. The payoff from finding open Windows shares is so big that many scanners have been written just to find open ports like this one. Closing it should be a priority for you!

Another Test Site

Another site that can test your firewall is http://scan.sygatetech.com/ and this can show slightly different results. However, the company, Sygate, is selling firewall software and may have a vested interest in finding even the most obscure potential weaknesses that may not present any real threat. If they report that you are not fully and totally protected then you may be tempted to purchase their software, as fear certainly sells. One report from Sygate states, "ICMP ping request is open." ICMP stands for Internet Control Message Protocol, an extension to the Internet Protocol (IP); ICMP allows for the generation of error messages and test packets, mainly using Ping to determine whether a computer is alive. I am not aware of how anyone can access your computer via this method. 

Which Firewall Software?

While there are commercial firewall products available, and I tested and evaluated one, I would recommend that anyone considering installing a firewall should consider the free software options.

Zone Alarm is possibly the best and Sygate Personal Firewall can also be considered. Both are very easy to install and work just as well as the commercial firewall products in protecting your system.

For anyone who is running a business or is very concerned about security, a higher level of protection should be used. I would suggest that a separate computer with two network cards, running only commercial firewall software, be used. One card would be connected to the internal LAN and the other to the Internet. Only the appropriate protocol bindings should be used on each card and, if the internal LAN is Windows based, the operating system on that computer should be NT or Windows 2000.

Conclusion

There is enough evidence to indicate that most computer users must use some anti-virus software. However, for the home user who connects via a dial-up modem and is not connected to a LAN, the probability of any hacker being able to connect to your computer is exceedingly small. Firstly, in most cases it may not even be possible, and even then, why should anyone waste the time and effort when your ISP's computers are a far more attractive target?

The open port 139, NetBIOS, is the most serious weakness to have but if you are not sharing any resources, or have them password protected, then you are largely protected anyway.

My recommendation is that if you have not installed a firewall then there is no real reason for you to do so. If you have and you are seeing constant reports of hackers trying to break into your computer then relax and don't worry. What is being reported is almost certainly just harmless and normal background Internet activity.

Quickly Check for Connectable Listening Internet Ports

Port Probe attempts to establish standard TCP/IP (Internet) connections on a handful of standard, well-known, and often vulnerable Internet service ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are "open" and actively soliciting connections from passing Internet port scanners. 

Your computer at IP: 144.132.77.42 is now being probed. Please stand by. . .

Port 21 FTP - Status: Stealth!
Security Implications: There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

Port 23 Telnet - Status: Stealth!
Security Implications: There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

Port 25 SMTP - Status: Stealth!
Security Implications: There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

Port 79 Finger - Status: Stealth!
Security Implications: There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

Port 80 HTTP - Status: Stealth!
Security Implications: There is NO EVIDENCE WHATSOEWHATSOEVER that a port (or even any computer) exists at this IP address!

Port Status Descriptions:

Stealth!
If all of the tested ports were shown to have stealth status, then for all intents and purposes your computer doesn't exist to scanners on the Internet! 

It means that either your computer is turned off or disconnected from the Net (which seems unlikely since you must be using it right now!) or an effective stealth firewall is blocking all unauthorized external contact with your computer. This means that it is completely opaque to random scans and direct assault. Even if this machine had previously been scanned and logged by a would-be intruder, a methodical return to this IP address will lead any attacker to believe that your machine is turned off, disconnected, or no longer exists. You couldn't ask for anything better.
 
There's one additional benefit: scanners are actually hurt by probing this machine! You may have noticed how slowly the probing proceeded. This was caused by your firewall! It was required, since your firewall is discarding the connection-attempt messages sent to your ports. A non-firewalled PC responds immediately that a connection is either refused or accepted, telling a scanner that it's found a live one ... and allowing it to get on with its scanning. But your firewall is acting like a black hole for TCP/IP packets! This means that it's necessary for a scanner to sit around and wait for the maximum round-trip time possible - across the entire Net, into your machine, and back again - before it can safely conclude that there's no computer at the other end. That's very cool.
 
False Stealth Reports

A "Stealth" port is one from which no reply is received (neither acceptance nor refusal) in response to a connection initiation request. This ShieldsUP web site sends a series of four connection requests, waiting for any reply after each one. If no reply is received to any of them, the port is declared to be "Stealth" and for all intents and purposes that's exactly what it is. But Internet "packets" are continually being lost en route to their destination. When Internet "routers" are overloaded with traffic they have no recourse other than to simply drop packets completely, hoping that they will be resent when the destination fails to acknowledge their receipt. This, of course, is why we try four times to get through.

Figure 2. Part of the text from the ShieldsUp report at http://grc.com/default.htm.
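The open / closed / stealth classification behind the report above, written out as an added example for checking your own PC (this is not Gibson Research's code). As the "False Stealth Reports" passage explains, a port is declared stealth only when all four attempts get no reply; a refusal (TCP reset) means a machine is plainly there. The port list, timeout and loopback target are assumptions for the example.

```python
import socket

OPEN, CLOSED, STEALTH = "open", "closed", "stealth"


def tcp_probe(host, port, timeout=2.0):
    """One TCP connection attempt.
    OPEN:   the handshake completed, so a service is accepting connections.
    CLOSED: the host answered with a refusal (RST); it is clearly alive.
    None:   nothing came back at all, which is what a dropping (stealth)
            firewall looks like from the outside."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return OPEN
    except ConnectionRefusedError:
        return CLOSED
    except OSError:             # timeout or unreachable: no reply of any kind
        return None


def classify(host, port, attempts=4, probe=tcp_probe):
    """Retry up to four times, like ShieldsUp, so that one packet lost in an
    overloaded router is not mistaken for a firewall."""
    for _ in range(attempts):
        result = probe(host, port)
        if result is not None:
            return result
    return STEALTH


def scan(host, ports=(21, 23, 25, 79, 80, 139)):
    """Probe the ports shown in the report, plus 139 (NetBIOS)."""
    return {port: classify(host, port) for port in ports}


if __name__ == "__main__":
    # Check this PC itself via the loopback address (constructed example run).
    for port, status in scan("127.0.0.1").items():
        print(f"Port {port:>5}  Status: {status}")
```

Run it from the outside (another machine on the Internet) to see what a scanner sees; run against loopback it reports what the local services themselves answer, before any firewall rule applies.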

Reprinted from the April 2001 issue of PC Update, the magazine of Melbourne PC User Group, Australia
