- Identifying Risks
- Assessing Your Needs
- Managing Your Firewall
- Summary
Assessing Your Needs
How do you identify your needs? It starts with an honest look at your skills, interests, and aptitudes. If you are someone who loves to play with computers, seeing them as an exciting toy and technology, you might want a firewall tool that requires a little more hands-on configuration and monitoring. If you just like to turn on your computer and have it work, because it's a productivity tool or entertainment device, you'll probably want firewall software that looks after things for you the way antivirus software does: something you turn on and forget about. Or you could be someone in between.
So, when you are looking for software you want to consider features such as:
- Ease of use
- Configuration
- Levels of protection
- Ability to address emerging concerns
- Intrusion detection
- Logging
- Licensing
Let's examine some of these items further.
Ease of Use
Simple-to-use, easily configured software comes in many forms. Most antivirus vendors offer personal firewall products. You can even find suites of security software that include a personal firewall, antivirus software, intrusion detection software, content-filtering software, and more. Products are available for the Mac as well as Windows operating systems. There are not a lot of commercial products for Linux (or other free *nix flavors). It is the nature of the open source community to produce and make available products, but you'll not likely find the same "run it and forget it" type of software for Linux. Most Linux users seem to prefer a more hands-on product anyhow.
On Linux, you always have ipchains (the packet filter of the 2.2 kernels); iptables is available beginning with kernel 2.4. Configuring either effectively requires knowledge of the Internet Protocol (IP) as well as of the operating system. Furthermore, you will have to maintain current knowledge of new threats on the Internet yourself. Most commercial packages have update features that make it easy to remain current.
Let's start out our attempt to provide the security defined in our policy by trying the Windows XP Internet Connection Firewall (ICF) (Figure 42). After all, it's free with the operating system.
FIGURE 42 Windows XP ICF. Enable the ICF by checking the box on the Advanced Tab of the Local Area Connection Properties dialogue. Screen shot reprinted by permission from Microsoft Corporation
There, we're done. We have now enabled the firewall. However, a quick look in the documentation shows us that all we have done is block unsolicited inbound traffic. Our security policy requires us to be able to block certain types of outbound traffic, though. So, while the product is simple to use, and may meet the needs of some users, it doesn't meet our needs.
What about another product, then? BlackICE has a preconfigured setting called Paranoid that also blocks all unsolicited inbound traffic, but again, the preset by itself won't let us restrict outbound traffic by port. BlackICE's signature detection can, however, alert on and block outgoing traffic that matches a known malicious pattern, which gives us more peace of mind than XP's ICF, which simply assumes that everything the local computer wants to do is fine.
Almost every product available now has a selection of default configurations. These defaults do make for a very easy-to-use firewall. But, as we have seen, sometimes the preconfigured settings don't allow us to apply our security policy rules. So, ease of use is not enough of a reason to choose a personal firewall. You need to be able to modify the predefined rules as well.
Configuration
Each product works differently. Some, like ZoneAlarm (Figure 43), can be taught rules as you go. When an application attempts to connect to the network, you are prompted to make a choice. This style of configuration relies on the user understanding what applications need to connect to the network and allowing them, but blocking those that should not be accessing the network. Programs like your mail client and Web browser are obviously going to need to connect, but what else do you run that tries to connect?
FIGURE 43 ZoneAlarm. A fresh install of ZoneAlarm with the defaults chosen. We have not yet begun to teach it any specific applications. Copyright © 1999-2002 Zone Labs, Inc. All rights reserved.
Having installed ZoneAlarm and chosen the pre-defined settings, we now end up teaching the product the specifics of our environment. "High Security" for the Internet zone still allows us to communicate outbound, assuming the application trying to access the zone has appropriate permissions. In that case, when ZoneAlarm prompts us to allow our browser to access the Internet, we'll say yes. Unfortunately, browsers can be used to access more than just ports 80 and 443; they can also be used for FTP, or other odd ports like 3128 or 5050. Now, we stated in our policy that we would allow HTTP, HTTPS, and FTP communication from our computer, but not some of the other ports that a browser can access. Either we'll have to find a way to block ports other than those specifically allowed, or revisit our security policy. Perhaps there are browser-based services we need to access that do not run on ports 80 or 443.
You can adjust the settings in ZoneAlarm to block specific ports. To do this, click on the Custom button for the Internet Zone, as displayed in Figure 43, then edit the "Block outgoing TCP ports" setting.
If you like a graphical user interface or plug-and-play type functionality, you'll like these products (see Figure 44). But, if you like to tinker, you're going to want to look at something else. In the Linux world, iptables comes with the 2.4 kernel and is a stateful replacement for ipchains. GUIs can be found to help you get started with ipchains, but you will find more flexibility by configuring it from scratch. There are many helpful Web sites to get you started with basic rule sets for both products. Products like these certainly allow you a very fine level of configurability. And, like most things Linux, they are free.
FIGURE 44 ZoneAlarm. Prompt to allow Internet Explorer to access the Internet. We can check the "Remember..." box to tell ZoneAlarm not to prompt us in the future. Copyright © 1999-2002 Zone Labs, Inc. All rights reserved.
Let's consider an ipchains rule set that will allow for the functionality we are interested in.
Chain input (policy REJECT):
Num  target  prot  opt     source      destination   ports
1    ACCEPT  tcp   -y--l-  0.0.0.0/0   localhost     80 -> *
2    ACCEPT  tcp   -y--l-  0.0.0.0/0   localhost     443 -> *
3    ACCEPT  tcp   -y--l-  0.0.0.0/0   localhost     110 -> *
4    ACCEPT  tcp   -y--l-  0.0.0.0/0   localhost     25 -> *
5    ACCEPT  tcp   -y--l-  0.0.0.0/0   localhost     21 -> *
6    ACCEPT  tcp   -y--l-  0.0.0.0/0   localhost     5000 -> *
7    ACCEPT  udp   ----l-  0.0.0.0/0   localhost     53 -> *

Chain output (policy REJECT):
Num  target  prot  opt     source      destination   ports
1    ACCEPT  tcp   -y--l-  localhost   0.0.0.0/0     * -> 80
2    ACCEPT  tcp   -y--l-  localhost   0.0.0.0/0     * -> 443
3    ACCEPT  tcp   -y--l-  localhost   0.0.0.0/0     * -> 110
4    ACCEPT  tcp   -y--l-  localhost   0.0.0.0/0     * -> 25
5    ACCEPT  tcp   -y--l-  localhost   0.0.0.0/0     * -> 21
6    ACCEPT  tcp   -y--l-  localhost   employer/0    * -> 5000
7    ACCEPT  udp   ----l-  localhost   dnsserver/0   * -> 53
This should do the trick for us, and because every rule is logged (the l in the opt column), we can check the log if something doesn't work when we try the various services. One thing to verify before relying on a listing like this: in ipchains output, -y means the rule matches only TCP packets with SYN set and ACK and FIN clear, that is, new connection attempts, and !y means the opposite. Replies to sessions we opened never arrive as a bare SYN, so the input rules that accept traffic from ports 80, 443, and so on should show !y rather than -y; read literally, a -y input rule accepts a fresh inbound connection to any local port as long as the attacker uses a source port of 80, and rejects the real replies. Likewise, an output rule restricted to SYN passes only the first packet of each outbound session. Getting this right by hand is exactly the work a stateful filter such as iptables takes off you.
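To make the -y versus !y point concrete, here is a small stateless evaluator that walks the input and output chains above the way ipchains would. It is an added example written for this page, not the book's code and not ipchains itself: it models only protocol, ports, and the opt column's SYN test, leaves out addresses (every rule above uses 0.0.0.0/0 or localhost), and the packets it checks are constructed for the demonstration.

```python
"""Stateless packet-filter check for the ipchains listing above (added example).

Models only the parts of ipchains matching that matter here: protocol, ports,
and the opt column's SYN test ("-y" = SYN set with ACK and FIN clear,
"!y" = the inverse). Addresses are omitted on purpose.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

FIN, SYN, ACK = 0x01, 0x02, 0x10  # TCP flag bits


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0      # TCP flags; ignored for udp


@dataclass(frozen=True)
class Rule:
    target: str                 # "ACCEPT" or "REJECT"
    proto: str
    sport: Optional[int]        # None means any port ("*")
    dport: Optional[int]
    syn: str = "-"              # "-" no SYN test, "y" for -y, "!" for !y


def syn_only(p: Packet) -> bool:
    """ipchains -y: SYN set, ACK and FIN clear (a new connection attempt)."""
    return bool(p.flags & SYN) and not (p.flags & (ACK | FIN))


def matches(rule: Rule, p: Packet) -> bool:
    if rule.proto != p.proto:
        return False
    if rule.sport is not None and rule.sport != p.sport:
        return False
    if rule.dport is not None and rule.dport != p.dport:
        return False
    if p.proto == "tcp":
        if rule.syn == "y" and not syn_only(p):
            return False
        if rule.syn == "!" and syn_only(p):
            return False
    return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "REJECT") -> str:
    """First matching rule wins; otherwise the chain policy applies."""
    for rule in chain:
        if matches(rule, p):
            return rule.target
    return policy


CLIENT_PORTS = [80, 443, 110, 25, 21, 5000]

# Input chain exactly as printed: "-y" on every TCP rule.
INPUT_AS_PRINTED = [Rule("ACCEPT", "tcp", sp, None, "y") for sp in CLIENT_PORTS] + [
    Rule("ACCEPT", "udp", 53, None)]
# Input chain with the SYN test inverted to "!y": accept replies, not new connections.
INPUT_CORRECTED = [Rule("ACCEPT", "tcp", sp, None, "!") for sp in CLIENT_PORTS] + [
    Rule("ACCEPT", "udp", 53, None)]
# Output chain as printed: "-y" on every TCP rule.
OUTPUT_AS_PRINTED = [Rule("ACCEPT", "tcp", None, dp, "y") for dp in CLIENT_PORTS]


def compare_input_chains() -> dict:
    """Constructed packets: a web server's reply to us, and an attacker's new
    connection to our SSH port that merely uses source port 80."""
    reply = Packet("tcp", sport=80, dport=40123, flags=ACK)
    probe = Packet("tcp", sport=80, dport=22, flags=SYN)
    return {
        "printed": (evaluate(INPUT_AS_PRINTED, reply), evaluate(INPUT_AS_PRINTED, probe)),
        "corrected": (evaluate(INPUT_CORRECTED, reply), evaluate(INPUT_CORRECTED, probe)),
    }


def check_output_chain() -> Tuple[str, str]:
    """Our own outbound web session: the opening SYN, then a data segment."""
    opening = Packet("tcp", sport=40123, dport=80, flags=SYN)
    data = Packet("tcp", sport=40123, dport=80, flags=ACK)
    return evaluate(OUTPUT_AS_PRINTED, opening), evaluate(OUTPUT_AS_PRINTED, data)


if __name__ == "__main__":
    print(compare_input_chains())   # printed: ('REJECT', 'ACCEPT'); corrected: ('ACCEPT', 'REJECT')
    print(check_output_chain())     # ('ACCEPT', 'REJECT'): only the first packet gets out
```

Run as a script, it shows the two failure modes side by side: with -y on the input chain the genuine reply is rejected while a SYN from source port 80 to port 22 is accepted, and with -y on the output chain only the opening SYN of our own session leaves the host. Flipping the input rules to !y gives the intended behaviour, which is the check to make on any stateless rule set that keys on a remote port.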
One very big consideration is our desire to use a virtual private network (VPN). If you use VPN software to connect to an employer's network, you must be sure that the firewall you select will allow the VPN software to function. Most can be configured to allow VPN traffic, but testing is always advisable. Check with your corporate IT department; they may already know which products work and how to configure them. The catch with a VPN comes in the way the tunnel is established. Your host initiates the communication, but the VPN device at the remote location sends packets back that are not part of an already established TCP session, so to many firewalls they look unsolicited. Depending on the VPN protocol, those may be new connections that your firewall sees as inbound SYN packets, or non-TCP traffic such as IPsec's ESP (IP protocol 50) or PPTP's GRE (IP protocol 47), which a rule set that only lists TCP and UDP ports will not cover at all.
Protection Levels
Having decided how much work you want to do to remain protected, you need to look at your security policy again. The policy will help you decide what level of protection you are going to need. Will the product you have chosen automatically provide that level? Or are you going to have to teach it some settings? For example, Windows XP allows you to easily signify that you are running certain common services and allow the related traffic through. You cannot configure it to allow you to set up a VPN, though. So, while it may meet all your ease-of-use requirements, it may not allow you the functionality you need.
Generally, products provide three basic protection levels: none, medium/low, and high (see Figure 45). "None," or no protection, is just that; the firewall features are turned off and all traffic is allowed to pass in or out of your system. Using this level could be one way you can test that your computer can communicate during troubleshooting steps. Generally, though, you do not want to set your protection to "none" unless you are using some other means of protecting your computer.
The medium level of security typically allows the average user to use every standard Internet service; you should be able to game, use streaming media, and even use instant messaging services without additional configuration of the firewall rules. You may still have to respond to pop-ups and grant the applications permission to access the network, though.
FIGURE 45 GNOME-Lokkit configuration. The Lokkit tool can be used to configure basic settings for the ipchains firewall in Linux. Screen shot copyright 2002 Red Hat, Inc. All rights reserved. Reprinted with permission from Red Hat, Inc.
Finally, a high level of security typically restricts everything that isn't necessary for you to actually connect to the Internet. DHCP (UDP ports 67 and 68) must still be allowed so that your computer can get an IP address from your ISP, and DNS replies (UDP port 53) are necessary for anything to work by name.
Updates
How is the software updated? Is it costly in dollars or time? Is it realistic to think that you will perform the update regularly? You might love the challenge of getting iptables configured properly. Will it still be fun if you have to reconfigure it every week? You might be better off finding a product that has an automatic update feature (Figure 46).
FIGURE 46 ZoneAlarm updates. This screen will pop up when the program recognizes that there is an update available. You can configure the update features in the Overview window of the program. Copyright © 1999-2002 Zone Labs, Inc. All rights reserved.
Do such products even exist for your chosen operating system?
As new vulnerabilities are found and exploits written, the threats to your information systems change. Vulnerabilities are found in personal firewalls; firewalls are just software products, after all. Even hardware appliances use software, although it is called firmware. So, how will you react to these new threats? Will you be able to easily, even automatically, update your software or firmware or will you end up having to add rules or install a whole new version? Admittedly, one of the joys with much commercial software is that it can be updated easily, often as easily as updating antivirus software. The technically pure among you may be bothered by the lack of control over what is happening with an automatic update. However, I think we can agree that personal firewalls are as necessary today as antivirus software. And like antivirus software, personal firewalls must be kept current.
Intrusion Detection
As noted in an earlier chapter, personal firewalls are being combined with intrusion detection features to enhance your protection. If this feature is important to you, obviously it will affect your choices. Essentially, some personal firewalls adjust their rule set to react to an attack. The drawback is that this reaction can be turned into a denial of service against you: if the attacker spoofs the source address, you end up blocking an innocent party, and that in turn may deny you the ability to go somewhere or do something you want. What if someone sent an Xmas scan at you with the spoofed source address of your mail server? When your IDS reacts and changes the firewall rule set, you may be denied the ability to retrieve email. Oops. For the small home user this may not be a big concern; a similar function in a corporate firewall could be very problematic.
XMAS SCAN
An Xmas scan sends TCP segments with the FIN, URG, and PSH flags set and no SYN or ACK. That combination never occurs in a legitimate session, so it indicates a crafted packet. RFC 793 says that a segment carrying none of SYN, RST, or ACK should get a RST back from a closed port and be silently dropped by an open (listening) one, so whether or not a RST comes back tells the attacker which ports are open. That is how these crafted packets can be used to map your network.
A Full-Xmas scan has all six TCP flags set: SYN, ACK, RST, FIN, URG, and PSH. Again, this pattern should never be seen.
The name comes from the appearance of the flags on the packet; they are all lit up, like a Christmas tree.
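The sidebar above describes both what the probe looks like on the wire and why it maps ports. The following is an added example written for this page, not code from the book or from any IDS vendor: it builds a raw TCP header for a constructed probe, pulls out the flags byte the way a packet filter or IDS signature would, names the pattern, and works out the reply an RFC 793 stack would send so the scanner's inference can be seen end to end. The port numbers and the 40123 source port are constructed for the demonstration.

```python
"""TCP flag inspection for Xmas-style probes (added example, not from the book).

Builds a minimal TCP header, extracts the flags as an IDS would, classifies the
pattern, and models the RFC 793 reply that lets a scanner tell open from closed.
"""
import struct
from typing import Optional

FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
XMAS = FIN | URG | PSH
FULL_XMAS = FIN | SYN | RST | PSH | ACK | URG


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Minimal 20-byte TCP header: data offset 5, zero seq/ack, checksum left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 1024, 0, 0)


def parse_tcp_flags(header: bytes) -> int:
    """The six classic flags are the low bits of byte 13. The top two bits are
    the ECN flags (ECE, CWR), which legitimate stacks do set, so mask them off
    rather than let them spoil a signature match."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    return header[13] & 0x3F


def classify(flags: int) -> str:
    if flags == XMAS:
        return "xmas"
    if flags == FULL_XMAS:
        return "full-xmas"
    return "other"


def rfc793_response(flags: int, port_open: bool) -> Optional[str]:
    """Reply from a stack that follows RFC 793 to a segment arriving outside any
    connection: a closed port answers anything but RST with a RST; a listening
    port answers SYN with SYN-ACK, a stray ACK with RST, and silently drops a
    segment carrying none of SYN, ACK, or RST (which is what an Xmas probe is)."""
    if flags & RST:
        return None
    if not port_open:
        return "RST"
    if flags & ACK:
        return "RST"
    if flags & SYN:
        return "SYN-ACK"
    return None


def infer_port_state(response: Optional[str]) -> str:
    """What the scanner concludes from the reply to an Xmas probe."""
    return "closed" if response == "RST" else "open|filtered"


def scan_port(dport: int, port_open: bool) -> str:
    """One Xmas probe against one port, end to end: build, detect, infer."""
    probe = build_tcp_header(40123, dport, XMAS)
    flags = parse_tcp_flags(probe)
    if classify(flags) != "xmas":
        raise RuntimeError("probe was not built as an Xmas packet")
    return infer_port_state(rfc793_response(flags, port_open))


if __name__ == "__main__":
    print(scan_port(25, port_open=True))    # open|filtered
    print(scan_port(139, port_open=False))  # closed
```

Two things worth noticing. First, the detector keys on the exact flag combination after masking the ECN bits; an IDS signature that matched on the raw byte would miss a probe from a tool that also sets those bits. Second, the mapping only works against stacks that honour RFC 793 here; Windows, for one, answers every such probe with a RST regardless of port state, so an Xmas scan against a Windows host reports everything closed, even though the firewall or IDS still sees and can log the crafted packets.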
Now, if all you are interested in is seeing and understanding attacks, most products can be made to take care of this. Once you are alerted, you can look into the incident a little more carefully, decide whether you really want to block your mail server, and then block traffic intelligently. That is something the software cannot do for you; a computer is dumb and only follows the instructions it is given.
In Linux, iptables can be combined with a product like Snort to provide alerting capabilities. Right now, Internet Security Systems' BlackICE PC Protection product is the Windows personal firewall that sells itself on its IDS-firewall integration. The current version of the software allows you to restrict which applications have access to the Internet, blocks inbound and outbound traffic based on simple rules, and uses intrusion signatures to block traffic that matches known malicious patterns. For example, Figure 41 showed how a tool like Trinoo could be used to cause a DDoS by allowing an attacker to control many master and slave computers. Well, BlackICE can detect Trinoo traffic leaving your host and block it. So, even if you managed to be infected with Trinoo, you would not be used as part of the DDoS attack against some victim. Furthermore, you would be notified of this activity and could take steps to clean up your system.
There are over 1,500 items in the BlackICE intrusions database. Table 41 just gives you a brief glimpse at the types of intrusions that are included.
TABLE 41 Select Intrusions Identified by BlackICE

| Name | Information |
|------|-------------|
| Back Orifice Scan | Someone is scanning your system looking for the Back Orifice Trojan. This does not indicate an infection. |
| Code Red I | Worm attempting to propagate. |
| ISS Scan | Someone is using the commercially available ISS scanner to scan your system. |
| Subseven IRC Notification | Attempt by local machine to notify attacker that Subseven is installed. Indicates your system is probably compromised. |
| TCP Xmas Scan | Crafted packets used to try to map systems. |
| Trinoo Master Activity | A Trinoo Master is scanning your system to see if the Trinoo Daemon is installed. |
| Trinoo Daemon Activity | A Trinoo Master has tried to send a command to you. |
Logs
The level, depth, breadth, and clarity of logging available to you are dependent on the product you chose to use (Figures 47 and 48). Logging varies from a line with the source and destination information and an attack "name" to full hexadecimal dumps of packet contents.
When the software assigns an attack name to a traffic pattern, it does so on the basis of a signature. You trust that the information is correct, but you are not getting the whole picture. I have seen products that link the attack name to a description of the attack, which is a nice feature for educating yourself. When you get the complete packet dumps in your logs, you can identify exactly what is happening, if you take the time to understand them. Be realistic about the amount of time and effort you are willing to put into log review.
FIGURE 47 BlackICE alert. By default, this is all the log information you see. There are some more details available in the GUI, but to see the complete packet, you must enable packet capture or evidence capture in the BlackICE configuration settings. Copyright © 2002, Internet Security Systems, Inc. All rights reserved worldwide.
FIGURE 48 BlackICE packet. This data was captured for the highlighted ICMP entry above when the evidence capture feature was turned on. You must use a product like Microsoft's Network Monitor to view these packet captures. Screen shot reprinted by permission from Microsoft Corporation.
See Chapter 6 for a more in-depth discussion of logs and how to use them.
Licensing
When choosing your product, take into consideration the licensing rules and fees. Some commercial products are free for home use. When you want to use them in a business setting, even if it's just your home-based business, you will need to pay. Sometimes your corporate IT group will license software for employees. This can be good from a cost perspective, but they may also be centrally collecting and reviewing the logs. So, you may give up some privacy to use their software. Check before you decide if this is an important concern for you.
Of course, there is always open source, if you like the operating system choices you have. There is no point, at this time, in deciding to use iptables if you're only willing to run Windows 2000.
After the initial licensing fees, you may need and want to pay a yearly maintenance or subscription fee. As with antivirus subscriptions, this can be a wise investment, ensuring you are always current on the software (the firewall engine) and, where applicable, the attack signatures.