• Software Firewall: Why use it, Where to get it


    • #409798

      Terrific post.

      --Joe

    • #876100

      Original Post 21-Sep-04; updated 20-Nov-04.

      A firewall is a program (or a separate device containing a program) that inspects packets leaving and coming into your computer or network. Firewalls can protect your computer from packets that might cause it to crash, to become dysfunctional, or to fall under the control of someone with bad intentions.

      Modern, sophisticated software firewalls add a new feature: application control. These firewalls determine which program on your computer is attempting to access the internet and, if it is not one it trusts, will alert you and let you allow or block that program. This can help prevent leaks of personal information, or your computer being taken over to participate in an attack on someone else.

      In my opinion, every computer should be protected by a firewall that lets the user control both inbound and outbound communications. Here are some comments and suggestions:

      1. Inbound Protection
        • Network Address Translation (NAT). The first line of defense against strangers contacting your computer is to use a router on your network that implements NAT. Here’s how it works: your ISP supplies you a numeric address, the IP address, which may look something like 66.27.123.48 (this is a random number, please do not call this number). Your router assigns the computers inside your network private addresses like 192.168.10.2, which are not valid on the internet. When you send out a request for a web page, your computer uses your private address as the return address, and your router substitutes the address assigned by the ISP, and sets a unique port number so that it knows which computer in your network should get the response. As far as the rest of the world is concerned, you might have one computer or a million, all it knows is the address of your router.

          How does this help? When a stranger sends a packet to your router, it is very unlikely to match the port the router has assigned to any of your computers. First, it would just be dumb luck to guess a number like 32324. Second, most packets will target ports associated with specific “services” (like port 25 for a mail server), that the NAT program will not assign to any computer. Thus, when a packet comes in, it won’t match anything, and the router will just delete it. Because there are computers all over the world spewing random packets, trolling for a victim, NAT will filter out a huge amount of potential problems.

          There are exceptions to this pretty picture. If you participate in online gaming, or operate a web server from inside your network, or allow remote access, you may allow your router to pass through some of the traffic that otherwise would be blocked. Also, it’s always possible that NAT will fail for some reason, and the router will forward the packet to one of your computers. And, of course, if there is spyware (or p2p file sharing software) on your computer broadcasting your computer’s contact information to others, the NAT program will happily allow two way data transfers because it was initiated from inside the network. For all of these reasons, while NAT is a great start, one should not rely only on NAT.

          (Note: if you purchase a firewall appliance, it may take the place of the router in the above story.)

        • Router Firewall. Some ISPs supply routers that have a built-in firewall program, such as the 2Wire HomePortal. These firewalls try to balance protection and functionality: block too little and there’s no point in using it, block too much and the user probably will just turn it off. If you do plan to open your network to others, you probably will need to adjust some settings in the router’s firewall. Otherwise, for the same reasons that NAT alone will not protect you, you will want to add protection that works on your own computer.
        • Software Firewalls: Windows XP. Windows XP was the first Microsoft Windows OS to have a built-in firewall. The Internet Connection Firewall offered very few features and limited customization; it probably isn’t fair to call it useless, but because it was not turned on automatically, and because free firewalls from other companies offered so much more, it got little use. In Service Pack 2 (SP2), Microsoft completely overhauled the built-in firewall, which now will come on early in the process of starting up the operating system (unless you turn it off). The Windows Firewall provides much more flexibility and is centrally administrable, so it may find significant usage inside corporate networks. For home users, though, who tend to “try out” more programs, especially “free” advertising-supported programs, Windows Firewall is not enough protection. Like a router firewall, Windows Firewall is not very concerned about connections initiated from your computer. However, there is one very handy feature: if you start a program (such as a game), the firewall will detect when the program wants to set itself up as a server to receive connections from other computers and will open the port designated by the program only temporarily, while you are actively using it. But Windows Firewall is not designed to stop programs from sending packets out, and as far as I can tell from various documentation, cannot be configured to do so on an application-by-application basis.
      2. Outbound Protection
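The following is an added worked example, not code from the original post or from any product it names. It models the two layers the post describes: a home router doing NAT (inbound protection) and a per-program allow list (application control, the "outbound protection" the post says Windows Firewall of that era lacked). It assumes a port-restricted NAT, which is one common router behaviour but not the only one; the addresses, ports and program names are constructed for illustration. Running it shows why an unsolicited probe to port 25 is dropped, why even guessing the mapped port is not enough, how a port-forward re-opens the hole, and why NAT alone happily lets "spyware.exe" phone home while application control stops it.

```python
"""Toy model of NAT (inbound protection) plus application control (outbound
protection). Added example; addresses, ports and program names are constructed.
Assumes a port-restricted NAT: a reply is forwarded only if it comes from the
exact remote host and port that the inside machine talked to."""

from dataclasses import dataclass, field

PUBLIC_IP = "66.27.123.48"    # example ISP-assigned address from the post
LAN_PREFIX = "192.168.10."    # example private range from the post


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    program: str = ""         # local program that sent it (outbound only)


@dataclass
class NatRouter:
    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)
    # public_port -> (lan_ip, lan_port); explicit "open this port" rules
    forwards: dict = field(default_factory=dict)
    next_port: int = 32324    # first ephemeral port the router hands out

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source to the public address and a unique port."""
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        for public_port, existing in self.table.items():
            if existing == flow:          # same connection, reuse mapping
                break
        else:
            public_port = self.next_port
            self.next_port += 1
            self.table[public_port] = flow
        return Packet(PUBLIC_IP, public_port, pkt.dst_ip, pkt.dst_port, pkt.program)

    def inbound(self, pkt: Packet):
        """Return the packet to deliver inside, or None if the router drops it."""
        if pkt.dst_port in self.forwards:  # user opened this port on purpose
            lan_ip, lan_port = self.forwards[pkt.dst_port]
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        flow = self.table.get(pkt.dst_port)
        if flow is None:                   # nobody inside asked for this
            return None
        lan_ip, lan_port, remote_ip, remote_port = flow
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None                    # right port, wrong peer: still dropped
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)


class AppFirewall:
    """Application control: only programs on the allow list may send outbound."""

    def __init__(self, allowed):
        self.allowed = set(allowed)
        self.blocked = []                  # programs that tried and were refused

    def outbound(self, pkt: Packet) -> bool:
        if pkt.program in self.allowed:
            return True
        self.blocked.append(pkt.program)
        return False


def scenario() -> dict:
    """Walk through the cases discussed in the post and report each outcome."""
    nat = NatRouter()
    appfw = AppFirewall(allowed={"browser.exe"})
    results = {}

    # 1. The browser fetches a page: outbound creates a mapping, the reply gets in.
    req = Packet(LAN_PREFIX + "2", 49152, "93.184.216.34", 80, program="browser.exe")
    out = nat.outbound(req)
    reply = Packet("93.184.216.34", 80, PUBLIC_IP, out.src_port)
    results["web_reply_delivered"] = nat.inbound(reply) is not None

    # 2. A stranger probes the mail port: no mapping, dropped.
    probe = Packet("203.0.113.9", 4444, PUBLIC_IP, 25)
    results["probe_dropped"] = nat.inbound(probe) is None

    # 3. The stranger guesses the mapped port 32324 but is not the web server.
    guess = Packet("203.0.113.9", 4444, PUBLIC_IP, out.src_port)
    results["guess_dropped"] = nat.inbound(guess) is None

    # 4. A port-forward for a game server: unsolicited traffic now reaches the LAN.
    nat.forwards[27015] = (LAN_PREFIX + "3", 27015)
    game = Packet("203.0.113.9", 5000, PUBLIC_IP, 27015)
    results["forward_delivered"] = nat.inbound(game).dst_ip == LAN_PREFIX + "3"

    # 5. Spyware phones home: NAT allows it (inside-initiated); app control does not.
    spy = Packet(LAN_PREFIX + "2", 49153, "198.51.100.7", 443, program="spyware.exe")
    results["nat_lets_spyware_out"] = nat.outbound(spy) is not None
    results["appfw_blocks_spyware"] = not appfw.outbound(spy)
    results["appfw_allows_browser"] = appfw.outbound(req)
    results["blocked_programs"] = list(appfw.blocked)
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Case 3 is the point the post makes about "dumb luck": on a port-restricted NAT, knowing the ephemeral port is still not enough, because the router also checks who the reply is from. Case 5 is the gap the post's "Outbound Protection" section is about: the NAT table records only that a connection started inside, not which program started it, so only the application-control layer can refuse it.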
    • #876146

      I agree with Joe. I don’t know what motivated you to write all this down, Jefferson, but ya done good! Great job and THANKS!

    • #876195

      Excellent piece of work !!! cheers clapping bravo

    • #877786

      thankyou

      • #879959

        Nice post – If I can add one comment – Noting that Microsoft’s Windows Firewall is woefully inadequate at protecting you from Trojans or other malware from “calling home” with your personal data (credit cards, passwords, etc.), or at preventing that malware from propagating itself from your system, it is certainly advisable to install another firewall such as ZoneAlarm or Sygate Personal Firewall. However, even Microsoft acknowledges that problems can occur if you attempt to run two firewalls at once, and Microsoft correctly recommends disabling Windows Firewall upon installation of your new firewall.

        See MS’s Firewall FAQ – about 15 questions down.

        Bill (AFE7Ret)
        Freedom isn't free!

    • #897369

      Thank you for this useful information.

      • #902249

        Nice encapsulation. Please add ISS BlackIce: BlackIce PC Protection

        The first (even before ZoneAlarm) and IMHO the BEST.

        Then, check to see if it’s all working by going to “Shields-Up” and running each of the reports: GRC Corp – “Shields-up”

        Thanks again for the handy explanation and chart.

        • #902912

          I’ve added it and freshened up some of the links. I think ISS has finally gotten religion on outbound traffic, so it should score much better now on “leak tests” than it did a couple of years ago (e.g., Steve Gibson’s here or PC Flank). However, I haven’t surfed for up-to-date test results.
