What is a Firewall?
A firewall is a tool that monitors communication to and from your computer. It
sits between your computer and the rest of the network and, according to some
criteria, decides which communication to allow and which to block. It may also
use other criteria to decide which communication, or communication request, to
report to you (either by adding the information to a log file that you may
browse whenever you wish, or in an alert message on the screen), and which not
to report.
What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common way to
break into a home computer and gain control of it is by using a remote access
Trojan (RAT), sometimes called a "backdoor Trojan" or "backdoor program". Many
people simply call it a "Trojan horse", although the term "Trojan horse" is
much more generic. A Trojan horse is a program that claims to do something
really innocent but in fact does something much less innocent. The name goes
back to the days when the Greek soldiers succeeded in entering through the
gates of Troy by building a big wooden horse and giving it as a present to the
king of Troy. The Trojans allowed the sculpture in through their gates, and
then at night, while their soldiers were busy guarding against an outside
attack, the many Greek soldiers hiding inside the horse came out and attacked
Troy from the inside. This story, which may or may not be true, is an example
of something that looks innocent being used for a less innocent purpose. The
same thing happens in computers. You may sometimes get a program, via ICQ, via
Usenet, or via IRC, and believe it to be something good, while in fact running
it will do something less nice to your computer. Such programs are called
Trojan horses. It is commonly said that the difference between a Trojan horse
and a virus is that a virus has the ability to self-replicate and distribute
itself, while a Trojan horse lacks this ability. A special type of Trojan
horse is the RAT (Remote Access Trojan; some say "remote admin Trojan"). Once
executed on the victim's computer, these Trojans start listening for incoming
communication from a matching remote program that the attacker uses. When they
get instructions from the remote program, they act accordingly, and thus let
the user of the remote program execute commands on the victim's computer. To
name a few famous RATs, the most common are Netbus, Back Orifice, and SubSeven
(also known as Backdoor-G). In order for the attacker to use this method, your
computer must first be infected by a RAT.
Prevention of infection by RATs is no different from prevention of infection
by viruses. Antivirus programs can identify and remove most of the more common
RATs. Personal firewalls can identify and block remote communication attempts
to the more common RATs, thus both blocking the attacker and revealing the
RAT's presence.
Blocking/Identifying Other Types of Trojans and Worms?
There are many other types of Trojan horses that may try to communicate with
the outside from your computer, whether they are e-mail worms trying to
distribute themselves using their own SMTP engine, password stealers, or
anything else. Many of them can be identified and blocked by a personal
firewall.
Identifying/Blocking Spyware/Adbots?
The term "spyware" is slang and is not well defined. It is commonly used
mainly for various adware (adware being a program that is supported by
presenting advertisements to the user) which, during its installation process,
installs an independent program that we shall call an "adbot". The adbot runs
independently even if the hosting adware is not running; it maintains the
advertisements, downloads them from the remote server, and provides information
to the remote server. The adbot is usually hidden. There are many companies
that offer adbots and advertisement services to adware. The information that
the adbots deliver to their servers from the computer where the adbot is
installed is how much time each advertisement is shown, which was the hosting
adware, and whether the user clicked on the advertisement. This is important so
that the advertisement server can know how much money to collect from each of
the advertised companies, and how much of it to deliver to each of the adware
maintainers. Some adbots also collect other information in order to better
choose the advertisements shown to the user. The term "spyware" is more
generic, but most spyware falls into this category. Many types of adbots can be
identified and blocked by personal firewalls.
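What the RAT, worm and adbot sections above have in common is that the firewall judges a connection by which program opened it, not only by its port. The following is an added Python illustration of that per-program outbound control; it is not code from the article or from any particular firewall product, and all process paths, host names, ports granted and sample connection attempts are constructed for the example.

```python
"""Application-aware outbound control, in the style of a personal firewall.

Added illustration, not code from the original article. The events below are
constructed sample data: the process paths, hosts and granted ports are invented.
"""
from dataclasses import dataclass

# An e-mail worm with its own SMTP engine must reach port 25 directly.
SMTP_PORT = 25


@dataclass(frozen=True)
class OutboundEvent:
    process: str      # path of the program that opened the socket
    dest_host: str
    dest_port: int


# Permissions the user has granted so far, per program (constructed).
# A program that is not listed triggers a prompt rather than a silent decision.
ALLOW_RULES = {
    r"C:\Program Files\Browser\browser.exe": {80, 443},
    r"C:\Program Files\Mail\mailclient.exe": {25, 110, 143},
}


def decide_outbound(event, rules=ALLOW_RULES):
    """Return (verdict, reason) for one outbound connection attempt.

    verdict is "allow", "block" or "ask" (report to the user and wait).
    """
    allowed_ports = rules.get(event.process)
    if allowed_ports is None:
        # Unknown program: a RAT, worm or adbot phoning home shows up here,
        # because the user never granted it anything.
        reason = f"unknown program {event.process} -> {event.dest_host}:{event.dest_port}"
        if event.dest_port == SMTP_PORT:
            # A program the user never saw sending mail by itself is the
            # classic sign of a mass-mailing worm: block outright.
            return "block", "unknown program speaking SMTP: " + reason
        return "ask", reason
    if event.dest_port in allowed_ports:
        return "allow", f"{event.process} permitted on port {event.dest_port}"
    return "block", (f"{event.process} permitted only on {sorted(allowed_ports)}, "
                     f"tried {event.dest_port}")


def review(events, rules=ALLOW_RULES):
    """Run all events through the policy. Returns the verdict per event and
    the log lines the firewall would report (everything not silently allowed)."""
    verdicts, log = [], []
    for ev in events:
        verdict, reason = decide_outbound(ev, rules)
        verdicts.append(verdict)
        if verdict != "allow":
            log.append(f"{verdict.upper():5} {reason}")
    return verdicts, log


# Constructed sample traffic: a normal browser connection, a mail client
# fetching mail, an unknown program speaking SMTP directly (worm-like), an
# unknown program contacting an ad server (adbot-like), and the browser on a
# port it was never granted.
SAMPLE_EVENTS = [
    OutboundEvent(r"C:\Program Files\Browser\browser.exe", "www.example.net", 443),
    OutboundEvent(r"C:\Program Files\Mail\mailclient.exe", "pop.example.net", 110),
    OutboundEvent(r"C:\WINDOWS\SYSTEM\unknownprog.exe", "mx.example.org", 25),
    OutboundEvent(r"C:\WINDOWS\adbot.exe", "ads.example-tracker.invalid", 80),
    OutboundEvent(r"C:\Program Files\Browser\browser.exe", "irc.example.net", 6667),
]

if __name__ == "__main__":
    _, log = review(SAMPLE_EVENTS)
    for line in log:
        print(line)
```

The "ask" verdict is the prompt these products are known for: the first time a program tries to talk to the network the user is shown the program and the destination and decides. The value of that prompt is exactly that an adbot or RAT cannot answer it on the user's behalf.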
Blocking Advertisements?
Some of the better personal firewalls can be set to block communication with
specific sites. This can be used to prevent the downloading of advertisements
in web pages, and thus to speed up loading of the web sites. This is not a very
common use of a personal firewall, though.
Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites; that is, they instruct
the web browser to download a small picture (sometimes invisible) from a
tracking site. Sometimes the pictures are visible and provide some statistics
about the site. Those tracking sites will try to save a small text either as a
small file in a special directory or as a line in a special file (depending on
your browser), and your browser will usually allow the site that saved the
text to read it back from your computer. This text is called a "web cookie" or
sometimes simply a "cookie". Cookies allow a web site to keep information that
it saved at some time when you visited it, to be read whenever you enter the
site again. This allows the web site to customize itself for you, and to keep
track of everything you did on that site. It does not have to keep that
information on your computer. All it has to save on your computer is a unique
identifying number; it can then keep, on the server's side, information
regarding what has been done by the browser that used that cookie.
Yet, by this method, a web site can get only information regarding your visits
to it. Some sites such as "doubleclick" or "hitbox" can collect information
from various affiliated sites by putting a small reference in the affiliated
pages to some picture on their servers. When you enter one of the affiliated
web pages, your browser will communicate with the tracking site, and this will
allow the tracking site to set or read a cookie that identifies your computer
uniquely. It can also know which web page referred to it, and any other
information that the affiliated web site wanted to deliver to the tracking
site. This way tracking sites can correlate information from many affiliated
sites, building a profile that, for example, will allow them to better
customize the advertisements that are placed on those sites when you browse
them.
Some personal firewalls can be set to block communication to tracking sites. It
is not a common use of a personal firewall, though, and a personal firewall is
not the best tool for that, but if you already have one, this is yet another
possible use of it.
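To make the correlation mechanism concrete, here is an added Python illustration (not code from the article) of how a tracking site builds a cross-site profile from nothing more than a single id stored in a cookie, and how the host block list described above cuts it off. The browser request log, the host names (reserved .example names) and the id value are all constructed.

```python
"""How a third-party tracking site correlates visits across affiliated sites,
and how a host block list stops the requests.

Added illustration, not code from the article. The request log is constructed;
host names use the reserved .example domain.
"""
from urllib.parse import urlsplit

TRACKER_HOST = "track.example"

# Constructed requests a browser makes while visiting three unrelated sites,
# each of which embeds a 1x1 picture from the same tracker.
# Format: (request URL, Referer header, Cookie header sent to that host)
REQUESTS = [
    ("http://www.news.example/index.html", None, None),
    ("http://track.example/pixel.gif?site=news", "http://www.news.example/index.html", None),
    ("http://www.shop.example/cart.html", None, None),
    ("http://track.example/pixel.gif?site=shop", "http://www.shop.example/cart.html", "uid=7f3a"),
    ("http://www.forum.example/thread/42", None, None),
    ("http://track.example/pixel.gif?site=forum", "http://www.forum.example/thread/42", "uid=7f3a"),
]


class Tracker:
    """Server side of the tracking site. Assigns an id the first time a browser
    shows up without a cookie, then records every referring page under that
    id. Nothing but the id is ever stored in the browser."""

    def __init__(self):
        self.profiles = {}      # uid -> list of referring sites
        self._next_id = 0x7f3a  # constructed starting id

    def handle(self, url, referer, cookie):
        """Process one picture request; return the Set-Cookie value, if any."""
        if cookie and cookie.startswith("uid="):
            uid, set_cookie = cookie[4:], None
        else:
            uid = format(self._next_id, "x")
            self._next_id += 1
            set_cookie = f"uid={uid}"
        site = urlsplit(referer).netloc if referer else "(direct)"
        self.profiles.setdefault(uid, []).append(site)
        return set_cookie


def browse(requests, blocked_hosts=frozenset()):
    """Replay the browser's requests through an optional firewall host block
    list. Returns the tracker's profiles and the requests that were blocked."""
    tracker = Tracker()
    blocked = []
    for url, referer, cookie in requests:
        host = urlsplit(url).netloc
        if host in blocked_hosts:
            blocked.append(url)     # the firewall never lets the request out
            continue
        if host == TRACKER_HOST:
            tracker.handle(url, referer, cookie)
    return tracker.profiles, blocked


if __name__ == "__main__":
    print("without blocking:", browse(REQUESTS)[0])
    print("with track.example blocked:", browse(REQUESTS, {TRACKER_HOST}))
```

Note that none of the three sites had to share anything with each other: the Referer header on the picture request and the cookie returned to the tracker are enough, which is why blocking the tracker host (rather than each site) is the lever a firewall has.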
Blocking or Limiting the NetBIOS Communication? (as well as other default services)
The two common methods intruders use to break into home computers are through
a RAT (which was discussed in II.3a) and through NetBIOS communication. NetBIOS
is a standard for naming computers in small networks, developed long ago by IBM
and Microsoft. There are a few communication standards used in relation to
NetBIOS. The ones relevant for Microsoft Windows operating systems are NBT
(NetBIOS over TCP/IP), IPX/SPX, and NetBEUI. The communication standard used
over the Internet is NBT. If it is enabled, and there is no firewall or
something else in the middle, your computer is listening for communication over
the Internet via this standard and will react according to the different NBT
commands it gets from remote programs. NBT (which is sometimes loosely called
"NetBIOS") is thus acting as a server. So the next question should be "which
remote NBT commands will the NBT server carry out on the local computer?" The
answer depends on the specific settings on your computer. You may set your
computer to allow file and print sharing. If NBT is also enabled, that means
you allow remote users to share your files or printers. This is a big problem.
It is true that in principle the remote user has to know your password for
that computer, but many users do not set a password for their user on Windows,
or set a trivial password. Older versions of Win95 had file and print sharing
over NetBIOS enabled by default. On Win98 and WinMe it was disabled by default,
but many technicians, when they set up a home network, enable file and print
sharing without being aware that it also affects what a remote Internet user is
authorized to do. There are even worms and viruses that use the file sharing
option to spread over the Internet. Anyway, whether you need it for some reason
or are simply not aware of it, a personal firewall can identify and block any
external attempt to communicate with the NetBIOS server on your computer. The
more flexible personal firewalls can be set to restrict who is authorized to
communicate with NetBIOS. Some Windows operating systems, especially those not
meant for home use, offer other public services by default, such as RPC. A
firewall can identify communication attempts to them and block them. Since such
services listen for remote communication, there is a potential risk of attempts
to exploit security holes in the programs that offer the services, if there are
such holes. A firewall may block or limit the communication to those services.
Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even a well-maintained one, a
remote person will still be able to know that the communication attempt has
reached some computer, and perhaps learn some information about the operating
system on that computer. If that computer is handled well, the remote user will
not be able to get much more information from it, but might still be able to
identify who your ISP is, and might decide to invest further time in cracking
into your computer.
With a firewall, you can set things up so that any communication attempt from
remote users (in the better firewalls you may define an exception list) is not
responded to at all. This way the remote user will not even be able to tell
that it reached a live computer. This might discourage the remote attacker from
investing further time and effort in cracking into your computer.
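The NetBIOS section and this one describe the same inbound filter from two angles: which ports are restricted, and whether a refused packet is answered at all. The following is an added Python illustration (not code from the article or from any firewall product) of such a filter with an exception list for the home LAN and two distinct refusal actions, "reject" (the computer answers that the port is closed) and "drop" (it stays silent), together with what the remote party learns from each. The port numbers for NBT (UDP 137 and 138, TCP 139) and the RPC endpoint mapper (TCP 135) are the standard assignments; the rules, addresses and probe packets are constructed.

```python
"""Inbound filtering with distinct "reject" and "drop" actions.

Added illustration, not code from the original article. NBT uses UDP 137/138
and TCP 139; the RPC endpoint mapper listens on TCP 135. The rules, addresses
and probes below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source address of the remote party
    proto: str    # "tcp" or "udp"
    dport: int    # destination port on the protected computer


@dataclass(frozen=True)
class Rule:
    proto: str
    ports: frozenset
    action: str                 # "allow", "reject" (answer "closed") or "drop" (stay silent)
    lan_prefixes: tuple = ()    # sources exempt from the rule and allowed through


NBT_PORTS = frozenset({137, 138, 139})
RPC_PORTS = frozenset({135})
HOME_LAN = ("192.168.1.",)      # constructed home network prefix

# First matching rule wins. File and print sharing stays reachable from the
# home LAN only; the Internet side gets no answer at all.
RULES = [
    Rule("udp", NBT_PORTS, "drop", HOME_LAN),
    Rule("tcp", NBT_PORTS, "drop", HOME_LAN),
    Rule("tcp", RPC_PORTS, "drop"),
]


def evaluate(packet, rules=RULES, default="drop"):
    """Return the action taken for one inbound packet.

    `default` is the policy for ports no rule mentions: "reject" makes the
    computer answer "closed", "drop" makes it look as if nothing is there.
    """
    for rule in rules:
        if rule.proto == packet.proto and packet.dport in rule.ports:
            if any(packet.src.startswith(p) for p in rule.lan_prefixes):
                return "allow"
            return rule.action
    return default


def remote_view(action, proto):
    """What the remote party learns from the computer's reaction."""
    if action == "allow":
        return "service answers: host is alive and the port is open"
    if action == "reject":
        answer = "TCP RST" if proto == "tcp" else "ICMP port unreachable"
        return f"{answer}: host is alive, port is closed"
    return "no response: cannot tell whether a live host is there"


def audit(packets, rules=RULES, default="drop"):
    """Run packets through the policy. Returns (action, remote view) per packet
    and the log lines a firewall would report for anything not allowed."""
    results, log = [], []
    for pkt in packets:
        action = evaluate(pkt, rules, default)
        results.append((action, remote_view(action, pkt.proto)))
        if action != "allow":
            log.append(f"{action.upper():6} {pkt.proto}/{pkt.dport} from {pkt.src}")
    return results, log


# Constructed probes: an Internet host trying the NetBIOS name service, file
# sharing over NBT and RPC; a LAN machine using file sharing; a stray probe
# of a port no rule mentions.
SAMPLE_PACKETS = [
    Packet("203.0.113.9", "udp", 137),
    Packet("203.0.113.9", "tcp", 139),
    Packet("203.0.113.9", "tcp", 135),
    Packet("192.168.1.20", "tcp", 139),
    Packet("203.0.113.9", "tcp", 8080),
]

if __name__ == "__main__":
    for policy in ("reject", "drop"):
        print(f"default policy: {policy}")
        results, _ = audit(SAMPLE_PACKETS, default=policy)
        for pkt, (action, seen) in zip(SAMPLE_PACKETS, results):
            print(f"  {pkt.proto}/{pkt.dport:<5} from {pkt.src:<13} -> {action:6} ({seen})")
```

Running it with both default policies shows the difference the text describes: under "reject" the stray probe of port 8080 is answered with a TCP RST, which tells the remote party that a live computer is there; under "drop" the same probe gets nothing, and the NetBIOS and RPC ports are silent toward the Internet under either policy while the LAN machine is still served.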
The Non-Firewall Defenses
We've discussed a few situations where a personal firewall can provide defense.
Yet, in many cases a computer maintainer can deal with those situations even
without a firewall. Those "alternative" defenses, in many cases are
recommended regardless of whether you use a firewall or not.