Understanding and Using Firewalls

Table of Contents

1. Introduction
2. The Firewall
3. Firewall Features
4. Firewall Monitoring & Good Practice
5. Common Issues with Firewalls
6. Popular Firewalls
7. Conclusion

Introduction

The Internet is a scary place. Criminals on the Internet have the ability to hide behind
their computers, or even other people's computers, while they attempt to break into your
computer to steal personal information or to use it for their own purposes. To make
matters worse, there always seems to be a security hole in your software or operating
system that is not fixed fast enough that could potentially allow someone to hack into
your computer. Where does this leave you? Are you supposed to cancel your Internet
access, or is there something you can do to protect yourself?

The answer is that you can protect yourself with a firewall. In the past, firewalls were
expensive pieces of hardware that only companies would use. Most people were not on
the Internet, and if they were, they were connected via dial-up, which is not fast enough
for most hackers' purposes. Therefore, hackers predominantly targeted companies, which
normally had larger pools of available bandwidth. Now with almost everyone being able
to connect to the Internet, and many with extremely fast and cheap bandwidth, hackers
tend to target the home user as they are more apt to not secure their computers properly
thus becoming an easy target. With this in mind developers have created cheap but
powerful home firewall solutions for the home users to protect themselves.

This tutorial will help to increase your knowledge on how to protect yourself with a
firewall so you are not an easy target to hackers and viruses in the future.

The Firewall

A firewall is a hardware device or software application that sits between your computer
and the Internet and blocks all Internet traffic from reaching your computer that you have
not specifically requested. What this means is that if you browse to a web site, the
firewall will allow the traffic from that web site to reach your computer and therefore
yourself. On the other hand, if you did not request information from that web site, and the
web site sent traffic to you, it would be denied from reaching your computer because you
did not specifically ask for it. This behavior can be changed if you wish, and we will
discuss that further in the document.

Firewalls for the home user can either be a piece of hardware or a piece of software. The
differences will be discussed below.

A Hardware Firewall is a device that sits between your Internet connection and the rest of
the computers plugged into it. These firewalls usually come with a built in hub that
allows you to connect multiple computers to it in order for them all to be able to share
one Internet connection. These firewalls provide protection to all the computers
connected to it using a technology called Network Address Translation, or NAT. This
protection works by giving all the protected machines private IP addresses, such as
192.168.1.X, that cannot be reached via the Internet. The firewall then converts these
internal IP addresses to the single public IP address that is assigned to the firewall. This
makes it so that your hardware firewall accepts the incoming traffic you asked for and
then forwards it on to the requesting internal computer. Using this method, outside
machines are never able to connect directly to your computers.

A Personal Firewall is a piece of software installed on each computer that needs to be
protected. This software then filters all incoming, and sometimes outgoing, traffic and
allows only data that has been requested or explicitly allowed to pass through.
Personal firewalls tend to be more feature rich than hardware versions, but they do not
have the ability to allow you to share your Internet connection with multiple computers
on the network.

The decision as to which type of firewall to use depends on what you plan on using it
for. If you would like to protect just one computer, then a personal software-based
firewall is more than adequate. If you would like to protect multiple computers, then a
hardware-based solution may be most cost effective. Some people even state that you
should use both a hardware firewall that protects your network and a personal firewall that
further protects your computer. Though this is not a bad idea, it may be cost prohibitive
for many users. If money is not an issue, then using both will add an extra level of
security as well as provide you with the greater functionality found in personal firewalls.

For the rest of this tutorial we will predominantly focus on personal firewalls that are
installed on your computer, though many of the topics discussed here apply to hardware
firewalls as well.

Firewall Features

When choosing your firewall it is important to pay attention to what features it offers
you, as these features can make a large difference in how your computer is protected. For
some people certain features are more important than others, but in terms of security the
most important are inbound and outbound filtering, application protection, notifications,
and stealth mode. These features and others will be discussed below:

Inbound and Outbound Filtering

Filtering is when a firewall examines information passing through it and determines if
that information is allowed to be transmitted and received or should be discarded based
on rules or filters that have been created. This function is the primary function of a
firewall, and how it handles these tasks is very important for your security. Most people
feel inbound filtering, which is the processing of inbound data towards your computer, is
the most important function of a firewall. Outbound filtering, though, plays just as
important a role in securing your computer. You may have had malware installed on your
computer without your knowledge, and suddenly when you install a firewall with
outbound filtering, you will find that software on your computer is attempting to transmit
data to a remote host somewhere on the Internet. Now, not only do you know that this
software is installed, but the outbound filtering stopped it from passing on private
information.

These filters can also be modified to allow certain computers on the Internet to reach
your computer or for certain applications on your computer to transmit data to the
Internet. How these rules should be modified is determined by your needs. For example, if
you would like remote users to be able to connect to you remotely using Remote Desktop, you
will need to open up the port associated with Remote Desktop, which is TCP port 3389, in
order for your firewall to allow that traffic to flow through. An example of this can be
seen below where a particular remote computer is given permission to access the
computer behind the firewall.

Figure 1. Example of a Firewall allowing a remote computer access to a computer
behind a firewall
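
The filtering behaviour described in this section, as an added example that is not part of the original tutorial: a small Python model of a personal firewall that passes replies to traffic you requested, drops unsolicited inbound packets, honours one custom rule letting a single remote computer reach TCP port 3389, and blocks outbound traffic from programs that are not approved. The class, program names and addresses (documentation ranges) are constructed for illustration and do not describe any real product.

```python
class PersonalFirewall:
    """Toy model of the tutorial's filtering logic (hypothetical, not a real product)."""

    def __init__(self, allowed_apps):
        self.allowed_apps = set(allowed_apps)  # programs permitted to send data out
        self.inbound_rules = set()  # custom rules: (proto, remote_ip, local_port)
        self.flows = set()          # requests made: (proto, local_port, remote_ip, remote_port)
        self.log = []               # what a log viewer would show

    def allow_inbound(self, proto, remote_ip, local_port):
        """Custom rule: let one specific remote computer reach one local port."""
        self.inbound_rules.add((proto, remote_ip, local_port))

    def outbound(self, app, proto, local_port, remote_ip, remote_port):
        """Outbound filtering: only approved programs may talk to the Internet."""
        if app not in self.allowed_apps:
            self.log.append(("BLOCK-OUT", app, remote_ip, remote_port))
            return False
        self.flows.add((proto, local_port, remote_ip, remote_port))
        return True

    def inbound(self, proto, remote_ip, remote_port, local_port):
        """Inbound filtering: replies and explicitly allowed traffic pass, the rest is dropped."""
        if (proto, local_port, remote_ip, remote_port) in self.flows:
            return "reply"
        if (proto, remote_ip, local_port) in self.inbound_rules:
            return "rule"
        # Dropped silently (nothing is sent back), as in stealth mode.
        self.log.append(("DROP-IN", remote_ip, local_port))
        return "drop"


def demo():
    fw = PersonalFirewall(allowed_apps={"browser.exe"})
    fw.allow_inbound("tcp", "198.51.100.7", 3389)        # Remote Desktop for one trusted host
    fw.outbound("browser.exe", "tcp", 49152, "203.0.113.80", 80)
    return fw, [
        fw.inbound("tcp", "203.0.113.80", 80, 49152),    # answer to our web request
        fw.inbound("tcp", "203.0.113.80", 80, 49153),    # same site, but nothing asked for it
        fw.inbound("tcp", "198.51.100.7", 50000, 3389),  # matches the custom rule
        fw.inbound("tcp", "192.0.2.66", 50000, 3389),    # any other host trying port 3389
        fw.outbound("updater.exe", "tcp", 49200, "192.0.2.66", 6667),  # unapproved program
    ]


if __name__ == "__main__":
    firewall, decisions = demo()
    print(decisions)
    print(firewall.log)
```

Note that the custom rule names the remote computer as well as the port, so port 3389 stays closed to every other address.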

Stealth Mode

It is important for your firewall to not only block requests to reach your computer, but to
also make it appear as if your computer does not even exist on the Internet. When you are
connected to the Internet and your computer cannot be detected via probes to your
computer, you are in what is called Stealth mode. Hackers have the ability to detect if you
are on the Internet by probing your machine with special data and examining the results.
When you are in Stealth mode the firewall does not send this information back, making it
seem like you are not even connected. Due to this, hackers will not continue targeting
your computer as they will think you are not online.

Privacy protection

Many firewalls now have the ability to block spyware, hijackers, and adware from
reaching your computer. This allows you to protect your computer from being infected
with software that is known to reveal private information about what you do on the
Internet or other computing habits. These features are usually bundled into the
commercial versions of the firewall software packages.

Application Integrity

Application Integrity is when the firewall monitors the files on your computer for
modifications to the files themselves or to how they are launched. When it detects such a
change it will notify the user of this and not allow that application to run or transmit
data to the Internet.
Many times these modifications may have been part of an upgrade, but if it was modified
by a malicious program you will now be made aware of it.

Intrusion detection

Intruders use various methods to penetrate the security of your computer. Intrusion
detection scans incoming data for signatures of known methods and notifies you when
such attacks are recognized. This allows you to see what means a hacker is trying to use
to hack your computer.

Notifications

Notifications allow you to see the activity of what is happening on your firewall and for
the firewall to notify you in various ways about possible penetration attempts on your
computer.

Firewall Monitoring and Good Practice

Monitoring

Regardless of the firewall you use, it is good practice to monitor the firewall logs
occasionally. With good monitoring of your logs you will increase your security
immediately. Statistically most hacks could have been avoided if people monitored their
logs, as most hackers will probe a computer before they hack it. If an administrator of the
computer had noticed these probes, they may have been able to determine if their
computers were vulnerable to what was being probed for. When you first install your
firewall and examine the logs you will be simply amazed at the number of people who
are attempting to access your computer without your knowledge.

There are three main reasons for monitoring your log files, which are discussed below:

Preventative Measures: By monitoring the logs of your firewall you can see what ports
and services hackers are attempting to exploit. You can then use this information to make
sure your computer is secure from these exploits. For example, if you notice in your logs
that many people are scanning your computer for port 3127 and do some research, you
will find that it could be that people or viruses are looking for backdoors into your
computer left by an early variant of the MyDoom virus. You can then make sure your
computers are not affected by this potential exploit.

Forensics: If your computer gets compromised by a remote computer, and you find the
files placed on your computer by the hacker, you can determine the date and time that
they were placed there. Using this information you can check your log archives for
activity during that time and date to determine how the hacker was able to penetrate your
computer. This information can then be used to secure your computer.

Reporting to the authorities: Using the information found in the log files will allow you
to present information to authorities in the case of a successful hack or an attempt. The
logs will give you the IP address of the offending computer, the method used, and the
time and date it was performed. This information can be given to the appropriate ISP or
authorities in case of criminal activities.
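
The preventative and forensic uses of the log described above, as an added example that is not part of the original tutorial: a short Python script that counts dropped inbound probes per port and pulls every event inside a time window. The log lines are constructed, and their layout (the space-separated "#Fields:" style of a Windows Firewall pfirewall.log, reduced to eight columns) is an assumption, since the tutorial names no log format.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines (not real traffic), in the assumed log layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port
2004-03-01 02:14:07 DROP TCP 203.0.113.5 192.168.1.10 4021 3127
2004-03-01 02:14:09 DROP TCP 203.0.113.5 192.168.1.10 4022 3389
2004-03-01 02:15:30 DROP TCP 198.51.100.23 192.168.1.10 1102 3127
2004-03-01 02:16:02 OPEN TCP 192.168.1.10 192.0.2.80 1045 80
2004-03-01 05:00:11 DROP ICMP 198.51.100.23 192.168.1.10 - -
2004-03-01 09:41:55 DROP TCP 198.51.100.77 192.168.1.10 2200 3127
"""

# Annotations for ports of interest; only the one the tutorial mentions is listed.
PORT_NOTES = {3127: "backdoor left by an early MyDoom variant"}

def parse(text):
    """Turn log text into dicts keyed by the names in the #Fields header."""
    fields, events = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif fields and line.strip() and not line.startswith("#"):
            rec = dict(zip(fields, line.split()))
            rec["when"] = datetime.strptime(f"{rec['date']} {rec['time']}", "%Y-%m-%d %H:%M:%S")
            # ICMP entries carry "-" instead of a port number.
            rec["dst-port"] = int(rec["dst-port"]) if rec["dst-port"].isdigit() else None
            events.append(rec)
    return events

def probed_ports(events):
    """Preventative view: (port, drops, distinct sources, note), busiest port first."""
    drops, sources = Counter(), defaultdict(set)
    for e in events:
        if e["action"] == "DROP" and e["dst-port"] is not None:
            drops[e["dst-port"]] += 1
            sources[e["dst-port"]].add(e["src-ip"])
    return [(p, n, len(sources[p]), PORT_NOTES.get(p, "")) for p, n in drops.most_common()]

def in_window(events, start, end):
    """Forensic view: every logged event between two timestamps, inclusive."""
    return [e for e in events if start <= e["when"] <= end]

if __name__ == "__main__":
    for row in probed_ports(parse(SAMPLE_LOG)):
        print(row)
```

Because the parser reads column names from the "#Fields:" header, it also accepts logs that carry additional columns after these eight.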

Good Practice

It is good practice to occasionally examine any custom rules or filters that you have
created for allowing incoming traffic or outbound traffic to or from your computer. You
may at times allow certain protocols to connect to your computer for various
reasons including file sharing, mail, FTP, or web. Many times these rules are created, and
then they are forgotten and remain open. It is good practice to examine your firewall's
configuration occasionally to make sure these rules are disabled if they are no longer
needed. If you keep these rules open when you do not need them, you are creating a
potential avenue for hackers to compromise your computer.

Common Issues with Firewalls

It is important to note that almost all Internet applications are created with the thought
that there is no firewall in place that could change how these applications can
communicate with the Internet. Sometimes using a firewall can make certain features of
the applications no longer work properly. In the majority of cases, these services can be
enabled to work by changing certain settings in your firewall to allow incoming traffic to
be received by your computer. When this type of situation occurs you can create a custom
rule that allows that particular application to work.

An example of this would be if you have Windows XP Professional and would like to be
able to remotely connect to your Remote Desktop from another computer. Since firewalls
by default block all incoming traffic to your computer, when you attempt to connect to
Remote Desktop the connection will be denied. If you search on Remote Desktop using
Google you will find that Remote Desktop uses TCP port 3389 to accept incoming
connections. You would then change the rules on your firewall to allow incoming
connections to TCP port 3389, thus allowing you to connect to your computer remotely.

Therefore, when you use applications with a firewall and find that there are problems,
you should search the Internet on how to use that program with a firewall and what ports
should be opened. Then you would create a custom rule that would allow the specific
traffic to reach your computer.

Popular Firewalls

There are many types of firewalls on the market, each with their own strengths and
weaknesses. I have listed these personal software firewalls and hardware vendors as
resources for you to research further. If a firewall is noted as free it is important to note
that their commercial equivalents will probably contain more features that may be
beneficial to you.

Free Personal Firewalls

• Kerio
• Outpost Firewall
• Zone Alarm Free

Commercial Personal Firewalls

• Black Ice
• McAfee Personal Firewall
• Norton Personal Firewall
• Outpost Firewall Pro
• Tiny Personal Firewall
• Zone Alarm Pro/Plus

Hardware Router/Firewall Vendors

• Belkin
• D-Link
• Linksys
• Netgear

Conclusion

As you can see, having a firewall protecting your computer is a necessity in protecting
your computer from hackers or viruses. With the proper monitoring and rules you will be
able to use your applications on the Internet as you would like to with the added benefit
of securing your computer. When you leave your house, you lock your doors to prevent
robbery; why not use a firewall to put a lock on your computer?

As always if you have any comments, questions or suggestions about this tutorial please
do not hesitate to tell us in the computer help forums.