Personal Firewalls (work in progress)
Just like our homes have street addresses, our computers have IP addresses. These are the numbers computers use to identify themselves. To make it easier for people to remember computer addresses, the addresses are often converted to a more friendly format called a DNS name. For example, the JMU web server, whose address is 188.8.131.52, has a DNS name of www.jmu.edu.
When computers communicate, they do so using packets of information similar to postal envelopes. Each packet envelope has a destination address, a return address, and contents that vary with the purpose of the communication. It is the job of the network to properly route these envelopes to the desired destination. When one computer talks to another computer, many envelopes are exchanged during the process.
Many different programs may use the network at the same time. An email program, a web program, and an instant messenger program may all be in use at once. To make sure messages don't get mixed up between different programs, each program listens and talks through a different door on the computer. Every computer has 65,535 TCP doors and 65,535 UDP doors. The meaning of TCP and UDP isn't important right now nor is the difference between the two. The important thing to remember is that there are thousands of doors through which computer programs may communicate. These doors are referred to as "ports".
When you go to a web server, your traffic goes out one of the doors on your computer to one of the doors on the web server. Which door you leave through doesn't matter. In most cases, it is a door with a number greater than 1023. However, what door you visit on the web server is important as the web server program will only be accepting visitors on one of the thousands of doors on its own computer.
To make talking to services like web servers easy, people have agreed over time to use a common set of doors for servers. Thus, doors 443 and 80 are the doors where almost all web servers listen for visitors. One door is for SSL protected sessions and one for unprotected sessions. Mail servers accept visitors at door number 25. Each type of server program has an assigned door where it should accept visitors. This makes it easy for clients like you, I, and our browsers to find the right door to talk to the service in which we are interested.
When we use a web browser to go to http://www.jmu.edu, the web browser knows to go to door number 80 on the computer known as www.jmu.edu which a name server tells our browser is at address 184.108.40.206.
Although people have agreed to use specific ports for specific purposes, there is nothing to prevent people from doing otherwise.
Firewalls work by refusing access to doors. Even if a server program on our computer opens a door and listens for visitors, the firewall keeps visitors out. Unless, of course, we open a hole in our firewall and tell it to allow visitors through to the open door. This blocking provides protection against visitors who may visit doors on our computer that we don't know are open, that are defective, or that are opened by malicious software like viruses.
Firewalls can be separate devices that sit on the network and do nothing but act as traffic cops or they can reside on our computers in the form of personal firewall programs.
Most personal firewall programs that run on a desktop not only block external visitors but also watch for programs on our computer that try to open our doors. When a program attempts to open a door, the firewall lets us choose whether or not to permit it. Choosing which programs to allow to open doors on our computer can be tricky and a wrong decision renders the firewall useless.
Checking to see what doors are open on our computer is a little complicated. The netstat utility will tell us what doors are open. However, deciphering its output is a little tricky. To make it as easy as possible, first reboot the computer and make sure not to start up any programs. Then, open an MSDOS, CMD, or terminal window and type "netstat -an".
Any doors labeled "LISTENING" are programs with open doors waiting for visitors to your computer. To close the doors, you must stop the programs that open them. Many of these programs start automatically when the computer is first started. How they can be stopped (and the door closed) depends upon the particular program.
Finding out what program is opening a door is the first step. This can be a tricky process and, among the Windows family, only Windows XP makes it halfway sane. With Windows XP, typing "netstat -ano" provides us with the information needed to know what programs are opening the doors. The output of that command provides the "process ID" (PID) of the programs. By using that PID, we can then go to the task manager, cross-reference the PID, and find the name of the program opening the door. The task manager can be started by right-clicking the task bar. Figuring out what the programs are and do is a major job in itself. For example, here is a list of services that may be found on a Windows 2000 computer and here is a site that describes what is involved in controlling them.
Other versions of Windows don't offer a way to find the program responsible for opening a door. Instead, a third party tool must be used. One such tool for Windows NT and 2000 is Fport from Foundstone.
If you run linux, the command to find out what programs are opening doors is "netstat -anp". The lsof command will do the same for other unix computers.
Some network programs don't have assigned doors. Instead, they register with a doorman. The doorman opens a door and listens for visitors on a commonly known, assigned door just like other network programs do. When a visitor arrives, they ask the doorman where the services of one of the registered programs can be found, and the doorman directs the visitor to another door. The Windows and Unix Remote Procedure Call (RPC) services use this architecture and the doorman is called a port mapper. Some other programs also break the rule of one door - one program. The most common programs exhibiting this behavior are FTP and some game and peer-to-peer file/music sharing programs. Firewalling RPC, FTP, peer sharing, and similar applications can become complicated or impossible because the ports may be shared by multiple services or change from one instant to another.
Tools to determine port and program usage for RPC services include:
An open door doesn't necessarily mean that someone can break into your computer. But if the door is opened needlessly, risk can be reduced by closing it or denying access to it. When a program opens a door on a computer, it is the responsibility of the program that opened the door to control access and limit the ability of visitors to do harm. Unfortunately, this doesn't always happen.
First, lets define a computer break-in. A computer break-in is when someone unauthorized to do so:
There are other types of incidents that are similar but different in ways that are important to understand:
Personal firewalls protect against external attacks by limiting access to doors.
When a program opens a door on a computer, it is the responsibility of the program that opened the door to control access and limit the ability of visitors to do harm. There are several reasons this may not happen. Among them:
In any of these cases, if a firewall does not permit access to the door, the problem is prevented. Doors that are typically open on a desktop Windows computer out of the box include:
Of course, if we configure the firewall to allow access to a door, like to provide access to a shared folder, run a music sharing program, or run a web server, then we must be careful about the maintenance and configuration of the program that opens the door on our computer by following RUNSAFE guidelines.
Personal firewalls help reduce the effects of already compromised or infected computers by limiting access to outbound doors.
Personal firewalls can also help reduce the effects of a pre-existing computer break-in or untrusted programs. However, it is important to understand that once a break-in occurs or untrusted programs are run the computer is already compromised and the person or malicious program controlling the computer can disable the personal firewall. Many viruses do this. It is better to prevent the initial break-in in the first place by following StartSafe and RUNSAFE guidelines then to depend upon the integrity of a personal firewall running on a compromised computer.
Some malicious programs make use of the network to perform their dirty work. They may open network doors to let other people into our computers as do remote control trojans. They may send out private information. They may try to spread themselves to other computers through email, instant messages, file shares, and other means.
In these cases, personal firewalls help prevent the malicious behavior by not allowing unauthorized programs to open doors on our computer. Depending upon the particular firewall program and configuration, it will usually pop up a warning message telling us that such and such a program is attempting to open a door and ask us if we want to permit it. Making a decision is sometimes difficult and if we allow the wrong program to talk to the network out of a hasty or uninformed decision, the protection provided by the firewall is lost.
The idea behind a firewall is to prevent malicious communications. However, they are very limited in their ability to determine what is malicious and what is friendly. It is up to the operator of the firewall to understand the implications of any configuration decisions.
On some firewalls, when a program needs to talk to another computer on the network, whether its a web site, email server, or instant message buddy, it opens a door on your computer. The first time a program does this after a firewall is installed, the firewall will ask you if you want to allow it. It will generally give you three options:
In general, these warnings should not come up unless you ran a program for the first time since installing the firewall, or after a new program is installed. If neither of these situations apply, it would be advisable to block the program and call support. If you did just install a new program, how much do you trust the author and its distribution mechanism with everything on your computer?
This is another one of those cases where we're between a rock and a hard place. The underlying technical decisions can be complex and confusing. If we try to make the software intelligent enough to make the decisions for us, we risk the same type of mistakes and issues we're trying to cure with the firewall that are caused by other overly presumptuous and permissive software.
Generally it means the firewall detected some unexpected network traffic to your computer. Sometimes that traffic is malicious and sometimes it isn't.
Whether it is malicious or not, it is rarely harmful because your firewall blocks it. If it is malicious, it is rarely under direct human control. That is, the malicious behavior is usually due to an automated program...e.g. a virus or worm infecting the source computer.
So, what should be done with the reports?
While you are connected to the Internet, your computer is going to get a steady stream of unsolicited traffic. You're on a shared network with over 300,000,000 other people and a good many virus infected computers.
JMU's own organizational firewalls show hundreds, thousands, and sometimes tens of thousands of attacks per day. Our virus logs show dozens or hundreds of outside infected computers per hour. We don't even attempt to send notification reports on that much activity. We depend upon our firewalls to keep the unwanted traffic out and concentrate on doing our work. A firewall today is like a screen door keeping out flies. We may hear them buzzing outside but don't pay much attention to them unless they're in the house. (Of course, if we notice a ten pound fly on the screen door, or that our lawn is completely covered, we may have a more proactive response.)
That said, JMU certainly has an interest in knowing when a computer on our network, which consists of thousands of student computers in their homes as well as computers owned by JMU, is involved in harmful activity.
In order for us to determine if your firewall report is accurate, and not just a normal part of being on the Internet, we will need the logs from your firewall. The firewall report by itself doesn't provide enough information to track down what is happening. And we certainly aren't going to disconnect somebody's computer because somebody we never met said "my computer said your computer attacked my computer" without sufficient evidence. That would really make the Internet chaotic.
We will need the firewall logs generated by your firewall before we can determine the reason for the activity or take any action. We cannot analyze a report that does not contain a firewall log. Different firewall programs store these logs in different places. You willl have to consult your firewall's documentation to find out how to get to the logs and attach them to the e-mail you send us.
Before sending the report to us, read through the following. You may find that the report of an "attack" is misleading you.
The most common attack report we receive is a "port scan" or ICMP ping. Your firewall may report one of these "attacks" if:
These reports result from file/music sharing programs running on other computers looking for their long lost buddy (your computer's address) that they once communicated with. Its automatic. Its the way the programs work. There is nothing you or anyone else can do about it. The most common port connection attempts of this type target 6346 or nearby ports.
If the firewall reports a port scan (particularly to ports around 6346) or an ICMP ping, ignore it. They are blocked by your firewall anyway. They're basically harmless and you are going to be constantly subjected to them. If its bothersome, carefully tell the firewall you don't want to be told about that particular kind of attack anymore. Consult your firewall documentation.
If the firewall reports connections to any of the following ports, its probably because the sending computer is infected. If it is a computer on the JMU network (134.126.x.y), our own detection mechanisms are likely also detecting it and the offending computer either is, or will soon be, in quarantine. The firewall may also report that it detected the various underlying exploits or virus infections (LSASS, RPC, DCOM, MYDOOM, Blaster, AGOBot, SDBot, etc.) which makes things somewhat confusing.
If the firewall reports other activity from a computer on the JMU network (a computer with an address of 134.126.x.y), e-mail the information to firstname.lastname@example.org. We will need the firewall logs generated by your firewall before we can determine the reason for the activity or take any action. We cannot analyze a report that does not contain a firewall log. Different firewall programs store these logs in different places. You will have to consult your firewall's documentation to find out how to get to the logs and attach them to the e-mail you send us. Do not use the web to report the activity because you won't be able to attach the log.
Do not expect an immediate response. If the activity is associated with harmful behavior on the JMU network, we will take steps to make it cease.
If your firewall is reporting activity from computers outside the JMU network and you are on the JMU campus network, send us a report and we will try to determine whether the report is something to worry about. Again, we'll need the firewall logs generated by your firewall before we can accurately assess the situation.
If your firewall is reporting activity from computers outside the JMU network and you are off-campus, you can send us a report but there isn't much we can do. If you'd like to lodge a complaint with the network operators of the network the "attacking" computer resides in, here are the instructions:
Type the "attacking" computer's IP address (from your firewall report) into one of the Internet Number registry web pages below. This will typically tell you the Internet Service Provider and often the originating organization and contact e-mail addresses. For example, if you typed in 220.127.116.11, you'd see that address is registered to JMU. Start with the ARIN registry. It will tell you if the IP address is registered somewhere else and where you need to go.
Many organizations maintain a mailbox for complaints named "abuse". So, for example, if you find the IP address belongs to America Online (AOL), you can send the information to email@example.com. The "abuse contact" is often included with the registry information. An email message drafted to the ISP (typically to abuse@isp) may prompt them to disable the account or to contact the owner of the sending computer. In most cases, if you get a response at all, it will be a computer generated response acknowledging receipt of your e-mail.
Make sure you include your firewall logs or they will not be able help you. By the way, you can use the same procedure to complain about SPAM or other unwanted e-mail. For e-mail, the sending computer's IP address is in the e-mail headers which you'll need to include in your complaint.
There are organizations that attempt to correlate activity from multiple desktop firewalls and notify the owners of the network where the offending computer is located for you. Note that they are volunteer organizations and are not associated with law enforcement or any other official body. Two popular ones are DShield and MyNetWatchman. Before participating in these types of services, make sure you understand their privacy policies. Also consider that you are asked to trust your computer to the programs they ask you to run for the automated reporting capability. Use of these services is not recommended by JMU owned computers at this time.
The primary advantage of third party firewalls is that they attempt to control outbound connections from your computer. There are scenarios where they can be fooled and even when they can't be fooled, they depend upon the operator's judgment whether or not to allow a program to make a connection. The choices can be confusing even for computer professionals. In addition, like other resident security software such as anti-virus and auto-update software, they are often disabled by malware if the operator makes a mistake. Finally, the products often cause confusion and undue alarm due to their reporting practices.
So while they offer some additional protection, their effectiveness can vary widely. A person interested in improving their desktop's security would much more effectively decrease risk by operating the computer using a regular user account (i.e. not administrator or power user) for day to day activities.
At this time, there are no plans to distribute 3rd party firewall software for JMU computers.
A personal firewall is included with both Windows XP Professional and Windows XP Home. It will block inbound attacks but will not control network access to programs running on your computer. It is a valuable security tool and should be enabled on most Windows XP computers. To enable it:
Other ways to enable it and more information is available at the following Microsoft site:
Some programs will require you to change the configuration of ICF to work properly. Some of these are described at the following Microsoft web site:
A more complete overview of ICF is at:
XP Service Pack 2 Windows Firewall information soon...
Most firewalls allow you to configure them based on a mixture of:
The support web sites for firewall manufacturers often provide recommendations for popular programs.
It is always best to allow the least access necessary.
Standalone firewall products developed for the enterprise often incorporate many functions other than simple door blocking. Among these functions are:
Besides this extra functionality, enterprise firewalls often have more sophisticated network access control methods than do desktop or standalone home firewalls:
Firewalls are not a panacea. They only enforce an organization's (or individual's) security policy. Computers or services behind a firewall that are allowed visitors are vulnerable and must be maintained accordingly. Many complexities arise due to the constant compromise between usability, functionality, and security.
The SANS organization, in cooperation with the FBI and many noted security experts, recently published a list of the Twenty Most Critical Internet Security Vulnerabilities. When contemplating a firewall, it may be useful to determine how many of these vulnerabilities a proposed firewall can address within the framework of your organization's access and service provisioning policies.
Intrusion Detection Systems
Software and devices called "Intrusion Detection Systems" generally look at more details in the communications traffic than firewalls do in an effort to differentiate between good traffic and malicious traffic. However, the mechanisms they use to inspect the traffic often result in a lot of warnings about innocent traffic. Additionally, the definition of "good" and "malicious", and the appropriate reaction to an event often depends on the environment in which one works. Therefore, they have rarely been configured to block traffic for fear of disrupting innocent communications.
Some desktop IDS programs will block traffic they define as malicious. Most other IDS systems do not do this. They simply alert someone that something suspicious has occurred and a follow-up investigation is necessary to determine the actual outcome. New inline systems coming to market, sometimes labeled "Intrusion Prevention Systems", actually stop the malicious traffic by using carefully tuned, context intelligent rule sets.