24 May 2008: Comodo Firewall Pro 3.0 Version 24.368 has been released to fix a number of problems. This is the one I decided to install during a spell of very bad weather - So far so good.
Before looking at specific firewall applications it may be worthwhile having a look at and trying to understand some of the fundamentals that are necessary in order to successfully configure a firewall.
There have been attempts by Outpost and Comodo to minimise the amount of effort spent by the novice in setting up a firewall and whilst these are successful in the majority of cases, all that has happened is that the user tends to get more and more afraid of changing a configuration setting in case something goes wrong. Also, what a firewall is supposed to do has been further confused by adding functionality that is strictly speaking nothing to do with a firewall - in particular I would note the anti-spyware module which is now an integral part of Outpost Pro.
I have to admit that ports have always been a bit of a mystery to me - I know they are needed by applications to send and receive information and that I occasionally receive firewall alerts telling me that the firewall has detected and blocked a port scan. So, I had a look on the Outpost forum and came up with an excellent introduction and also some ideas on how to manage ports. The first thing I learnt was that when we receive and send data we need an IP address and a port number, which identifies the particular application (strictly, the particular socket) on that machine that the data belongs to. So, for example MySQL uses port 3306, and Spamihilator by default uses ports 993 for POP3 and 995 for IMAP. When the application wishes to receive or send data it asks the OS for a port and then gets or places the data from/to the port. An open port is one which has been requested by the application, allocated by the OS and is available to receive data. A good firewall such as Outpost will allow or block traffic to the port depending on the rules set up for the application, so that to a port scanner the port may appear to be closed or stealthed. Closed just means that the OS will send back an error message, whereas 'stealthed' will still block the port but no error message (or any other reply) will be sent back. It is usually advised to run your firewall in stealthed mode so that a potential attacker remains unaware that there is a port available on the PC.
But before relying on your firewall configuration settings it may be worthwhile stealthing some of the ports that Windows uses in order to reduce potential threats from worms. A good utility is Windows Worms Door Cleaner which allows you to disable some of the Windows services that are most vulnerable to worm attacks. These include DCOM RPC (listens on port 135), RPC Locator (port 445), NetBIOS (ports 137/138/139), UPnP (port 5000) and the Messenger service (uses the RPC/NetBIOS ports).
When you disable these services you have to check out whether in fact you need them to be there all the time, but if you find later on you do, then the utility allows you to re-enable.
This is a complex subject which, if you are interested, you should refer to the excellent articles on Wikipedia which discuss in some detail the five-layer TCP/IP model for communications over a network. Your firewall should have some control over the protocols used and also which protocols are permitted with which applications. It should also have the ability to exclude specific protocols and any protocols which are not on the allowed list. When protocols are discussed in the context of firewalls we are mostly talking about those in the 'Transport Layer', which carry the traffic of the 'Application Layer' down to the Network (Internet) layer, and also the protocols used in the Application Layer itself. The following gives some brief details about the most common protocols that you will meet:
TCP (Transmission Control Protocol) - This is one of the core protocols used on the internet and is often used by applications such as file transfer and email. The MySQL database is another popular application that uses TCP to transmit and receive data across a network. If you have a look at List of TCP and UDP Port Numbers you will see MySQL has port 3306 reserved, which can be used for both TCP and UDP.
UDP (User Datagram Protocol) - This is another core protocol which is used to send short messages but, unlike TCP, it does not check arrival of messages or ordering, so it tends to be much more efficient. It is commonly used where time-sensitive data is required, such as packet broadcasting and multicasting. It is also used by the Domain Name System (DNS), which translates the host name in a URL into an IP address. On-line games and Voice over IP also use UDP because TCP would take too long.
IP (Internet Protocol) - this is a data-oriented protocol used for communicating data across a packet-switched internetwork. It is a core protocol in the Network layer.
GRE (Generic Routing Encapsulation) - This protocol is usually only required if you use VPNs (Virtual Private Networks) to communicate between clients, or between clients and servers.
DHCP (Dynamic Host Configuration Protocol) - This is a protocol used by networked devices to obtain the various parameters necessary for the devices to operate in an Internet Protocol (IP) network. It greatly saves on administrative overhead when devices are added to or removed from the network.
IGMP (Internet Group Management Protocol) - This is used by IP hosts and adjacent multicast routers to establish multicast group memberships.
Ideally the firewall will prevent any applications or executables, that are not on its safe list (sometimes called 'whitelist'), from running. The idea behind this is to prevent an attack from a bad application, rather than trying to counter a future unknown threat after it is running. This method is also sometimes referred to as Host Intrusion Protection System (HIPS) but just to confuse everyone now that it has been introduced to Comodo Firewall Pro it is called Defense+. This is bound to make people more cautious about what applications they install and also the frequency with which updates to existing applications are installed. I have to admit to having been a bit of a 'Beta' software junkie, so if there is a new version available I often rush to install it, maybe check that it loads and then forget about it until the next time. However, if you stop and think, beta software and security don't really go together. Basically, I want a secure, stable and fast system and to achieve this I am prepared to limit the number of applications I run (so that I can better understand their capability) and let others do the user testing of untried programs. Sometimes you are forced to take a new version because some gaping holes have been found - how about Windows XP, IE7 and Firefox for starters - but my view is if you are happy with the current version only upgrade when absolutely necessary - for example when the old version is no longer supported.
Component Control manages the database of known components. Every application that wants to be allowed to access the Internet can contain only allowed components. This protection fights against well known DLL injection attacks, which is a technique used to run code within the memory of another process by forcing it to load a DLL (Dynamic Link Library).
So now your application is in the safe list and the components have been checked, so we are ready to start communicating? No way - now we have to have some rules to govern how the application is allowed to communicate both for inbound and outbound communications. This takes even more setting up in the Firewall, so most good firewalls have some sort of learning mode or set of default rules available for common applications. This means that early on in the install you can be faced with lots of pop-up requests asking you if a particular communication is allowed or not. For each rule you will normally be asked whether to allow or block it (either for this instance or all future instances), the protocol used, the port(s) allowed, the direction i.e. whether it is handling inbound or outbound communication, the source IP and the remote IP. It is important to note that inbound and outbound rules both control information coming to our PC. Inbound rules handle communications that we have not initiated (we may or may not want to allow this) and outbound rules handle communications we have initiated. In general firewalls have more relaxed rules on traffic that we have initiated and much tighter control on traffic that is unsolicited (i.e. inbound).
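To make the ideas above concrete (a port that looks closed versus stealthed, rules keyed on application, protocol, port, direction and remote IP, and the pop-up you get for traffic no rule covers), here is a small model written for this page. It is an added illustration and not the code of Outpost, Comodo or any other product; the rule set, the application names and the listener table are constructed for the example, and the first-match, top-down rule order and the default-deny policy are assumptions of the model rather than a description of any particular firewall.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Global protocol policy, checked before any application rule: anything not
# listed counts as an 'unknown' protocol and is denied (constructed policy).
ALLOWED_PROTOCOLS = {"TCP", "UDP", "ICMP"}


@dataclass(frozen=True)
class Rule:
    app: str                    # executable the rule belongs to (constructed names)
    action: str                 # "allow" or "block"
    protocol: str               # "TCP", "UDP", ...
    direction: str              # "inbound" = unsolicited, "outbound" = we initiated
    port: Optional[int] = None  # local port for inbound, remote port for outbound; None = any
    remote: str = "0.0.0.0/0"   # remote address range the rule covers; default = anywhere


@dataclass(frozen=True)
class Packet:
    app: str          # application the OS associates with the socket
    protocol: str
    direction: str
    port: int         # same convention as Rule.port
    remote_ip: str


def first_match(rules, pkt):
    """Rules are read top-down; the first one matching every field wins."""
    for rule in rules:
        if (rule.app, rule.protocol, rule.direction) != (pkt.app, pkt.protocol, pkt.direction):
            continue
        if rule.port is not None and rule.port != pkt.port:
            continue
        if ip_address(pkt.remote_ip) not in ip_network(rule.remote):
            continue
        return rule
    return None


def decide(rules, pkt, stealth=True):
    """Verdict for one packet: 'allow', 'ask' (learning-mode pop-up for traffic
    we started that no rule covers), 'reject' (closed: an error goes back to the
    sender) or 'drop' (stealthed: silently discarded, nothing goes back)."""
    deny = "drop" if stealth else "reject"
    if pkt.protocol not in ALLOWED_PROTOCOLS:
        return deny
    rule = first_match(rules, pkt)
    if rule is not None:
        return "allow" if rule.action == "allow" else deny
    return "ask" if pkt.direction == "outbound" else deny


def scanner_view(rules, listeners, port, probe_ip, stealth=True):
    """What a port scanner at probe_ip sees when it probes `port` over TCP:
    'open', 'closed' or 'stealthed'. `listeners` maps port -> listening app."""
    pkt = Packet(listeners.get(port, "<no listener>"), "TCP", "inbound", port, probe_ip)
    return {"allow": "open", "reject": "closed", "drop": "stealthed"}[decide(rules, pkt, stealth)]


# Constructed rule set and listener table for the example
RULES = [
    Rule("mysqld.exe", "allow", "TCP", "inbound", 3306, "192.168.1.0/24"),  # LAN clients only
    Rule("mysqld.exe", "block", "TCP", "inbound", 3306),                    # everyone else
    Rule("spamihilator.exe", "allow", "TCP", "outbound", 993),
    Rule("spamihilator.exe", "allow", "TCP", "outbound", 995),
    Rule("winword.exe", "block", "TCP", "outbound"),                        # no Internet for Word
]
LISTENERS = {3306: "mysqld.exe", 135: "svchost.exe"}

if __name__ == "__main__":
    for ip in ("192.168.1.20", "203.0.113.5"):
        print(ip, "-> 3306:", scanner_view(RULES, LISTENERS, 3306, ip),
              "| 135:", scanner_view(RULES, LISTENERS, 135, ip))
    print("closed mode, 3306 from 203.0.113.5:",
          scanner_view(RULES, LISTENERS, 3306, "203.0.113.5", stealth=False))
```

The two MySQL rules show why rule order matters: the narrow allow for the LAN sits above the catch-all block, so a LAN client sees port 3306 open while a probe from anywhere else sees it stealthed (or merely closed if stealth mode is off). Port 135 has a listener but no rule, so unsolicited traffic to it gets the default deny, which is the effect the Windows Worms Door Cleaner step above aims for without relying on the firewall.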
In order for a firewall to be highly rated it must not just be able to prevent unwanted processes, viruses, trojans etc. from running on your computer, but must also prevent outbound data being 'leaked' to the outside world. There are a number of 'leak' tests that have been devised, which consist of small programs which attempt to bypass your outbound security. If your firewall cannot thwart these standard leak tests then there is more than a fair chance that a hacker can infiltrate your system and grab your passwords (for example). Both Comodo 3.0 and Outpost 6.0 are currently highly rated against the standard leak tests. However, there is no guarantee that this will always be the case, so it is always worthwhile making sure your security is up to date and checking how it performs against the latest leak tests.
There are two main types of attacks that need to be dealt with - port scans that are looking for open ports that can be used to send worms to you and the second is DoS (Denial of Service) attacks.
Port Scanning - These attacks may only look at likely ports that are often left open, and the rate of scanning may not trigger the DoS shutdown. To deal with that, ports need to be stealthed to avoid discovery of your computer as a live IP address. If you have open ports, there are a variety of worms that can try to infect your computer. The firewall should respond by blocking the attacker's IP for a length of time. Persistent attackers should be added to your blocklist using an IP blocker such as Blockpost or Protowall.
DoS (Denial of Service) - The scan blocking that is employed depends on the rate of connection attempts, and the response is to deny all connections for the duration of the attack. From what I can gather it seems that personal users are unlikely to suffer a DoS attack simply because the attackers will normally try to bring down the big servers rather than waste time on a single PC. However, if you are worried about this then you should install something like Blockpost or Protowall, which are capable of filtering out large numbers of bad IPs before they hit the firewall. If you are running a large server, then a personal firewall such as the ones being discussed here is totally ineffective against a determined attacker - in these cases you should have a hardware firewall which can filter out attacks before they reach your server.
Logging is one of the keys to effective security because here you should have a record of every attempt that is made to connect to your computer, with information such as the source IP address and the destination IP address and port. Unfortunately logs are not the easiest pieces of information to interpret because the information needs to be stored as efficiently as possible at the expense of readability. Also a badly designed log system can have a major impact on the performance of your system. However, if you really want to understand how successful your configuration is then you will have to invest a little bit of time in analysing your firewall log(s) so that you can determine where attacks are coming from and which ports are being targeted. Armed with this knowledge you can decide to block certain IPs and protect vulnerable ports. I have yet to find a good free software firewall log analyzer, but I am still looking.
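As an added example of the kind of log analysis just described (and of the rate-based port-scan detection mentioned under Port Scanning above), here is a short Python script written for this page. It is not a tool from Outpost, Comodo or anyone else: the log lines are constructed, and their layout (timestamp, verdict, protocol, source, destination) is a made-up one chosen to be readable rather than either product's real format, so the regular expression would need adapting to a real log. The thresholds (four distinct ports within sixty seconds) are likewise assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log; the layout is hypothetical, not a real product's format.
SAMPLE_LOG = """\
2008-05-24 10:00:01 BLOCK TCP 203.0.113.7:51000 -> 192.168.1.10:135
2008-05-24 10:00:01 BLOCK TCP 203.0.113.7:51001 -> 192.168.1.10:139
2008-05-24 10:00:02 BLOCK TCP 203.0.113.7:51002 -> 192.168.1.10:445
2008-05-24 10:00:02 BLOCK TCP 203.0.113.7:51003 -> 192.168.1.10:3306
2008-05-24 10:00:03 BLOCK TCP 203.0.113.7:51004 -> 192.168.1.10:5000
2008-05-24 10:00:05 BLOCK UDP 198.51.100.3:1024 -> 192.168.1.10:137
2008-05-24 10:00:06 BLOCK UDP 198.51.100.3:1024 -> 192.168.1.10:137
2008-05-24 10:00:07 ALLOW TCP 192.168.1.20:40000 -> 192.168.1.10:3306
2008-05-24 10:00:07 BLOCK TCP 203.0.113.7:51005 -> 192.168.1.10:135
this line is corrupt and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|BLOCK) "
    r"(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(text):
    """Turn log text into a list of event dicts; lines that do not match the
    expected layout are skipped rather than aborting the whole analysis."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": m["action"], "proto": m["proto"],
            "src": m["src"], "dport": int(m["dport"]),
        })
    return events


def blocked_by_source(events):
    """Per source IP of blocked traffic: attempt count and the set of ports hit."""
    summary = {}
    for e in events:
        if e["action"] != "BLOCK":
            continue
        s = summary.setdefault(e["src"], {"attempts": 0, "ports": set()})
        s["attempts"] += 1
        s["ports"].add(e["dport"])
    return summary


def targeted_ports(events):
    """Blocked attempts per destination port, most targeted first."""
    counts = defaultdict(int)
    for e in events:
        if e["action"] == "BLOCK":
            counts[e["dport"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def scan_suspects(events, min_ports=4, window_s=60):
    """Source IPs that probed at least min_ports distinct ports within window_s
    seconds: candidates for the persistent-attacker blocklist. A source that
    repeatedly hits a single port is noisy but is not counted as a port scan."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK":
            by_src[e["src"]].append(e)
    flagged = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            ports = set()
            for e in evs[i:]:
                if (e["ts"] - start["ts"]).total_seconds() > window_s:
                    break
                ports.add(e["dport"])
            if len(ports) >= min_ports:
                flagged.append(src)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for src, s in blocked_by_source(evs).items():
        print(f"{src}: {s['attempts']} blocked, ports {sorted(s['ports'])}")
    print("most targeted ports:", targeted_ports(evs)[:3])
    print("port-scan suspects:", scan_suspects(evs))
```

Two points of design are worth noting. Only blocked traffic feeds the per-source summary, so the LAN client whose MySQL connection was allowed never appears as a suspect. And the scan detector counts distinct ports inside a sliding time window rather than raw attempts, which is what separates a scanner walking through ports 135, 139, 445, 3306 and 5000 from a misconfigured neighbour that keeps retrying NetBIOS on port 137.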
These apply to your network and also globally to any applications. Outpost comes pre-configured with some global settings, but in certain circumstances some of them can be disabled to provide a safer environment. For example you may wish to disallow the GRE protocol if you are not using Virtual Private Networks. Also it may be considered prudent to block any 'unknown' protocol with a global rule.
The first method is to control what your applications can do on the internet. For example, if you do not want your Microsoft Word application to be open to the world then you should block it. For those applications that definitely do need internet access to function (such as Internet Explorer) it is often possible to restrict their network access.