The Internet vs. You


Who is vulnerable?

Any machine on the Internet can be reached by another machine on the Internet, unless it's protected by software or hardware designed to control that access. Whether your connection is by dialup, ISDN, cable modem, T1, or ADSL, you can be attacked over the Internet.

Broadband connections tend to keep the same IP address for long periods, while a dialup account usually holds a specific IP address only for a single session. This means that the villains scanning for Back Orifice, NetBus, Hack-a-Tack and others concentrate on broadband connections. It does not mean that dialup accounts are immune to attack.

Why are you vulnerable?
Because you're there and because of what you run. Sometimes it's the software on your machine that makes you vulnerable. Sometimes it's the Internet functions you like to use. Some functions are very high risk: ICQ, IRC, and "instant messaging" programs. Sure, they are cool. But they're dangerous because your IP address can be visible or available, and the other folks know you're on the net. This last aspect completely negates the security advantage that dialup accounts with dynamically assigned IP addresses have over the permanent or semi-permanent addresses of cable modems. Add that to the security problems of some of these products, and you have created an easy attack route.

What's a firewall?
It is a program that examines data packets arriving over a network and decides, according to a set of rules, whether or not to allow each packet to reach its stated destination. This program may run on the machine it is protecting, or it may be built into a dedicated computer or a specialized piece of hardware, which can also provide additional isolation via connection sharing.

In other words, it may be software that you run on your computer. It may also be your cable/DSL router. You may even use both, and I suggest you do, because each option has unique advantages.

Why should you be concerned?
You've spent a lot of time and effort setting up your computer and the files on it. Some of these may be personal; others may relate to work or investments. All this took your time and effort to create, and you don't want to have to do it again. Just reinstalling Windows will take you upwards of an hour, once you find all the drivers for your add-on hardware. This assumes the bad guys were just destructive. But they aren't all that way.

What are the bad guys trying to do?
Some are just bored, some curious, some destructive, and some are really bad guys. These last may try to compromise your security so that they can use your computer (and your IP address or your mail ID) as the apparent source of spam or of attacks on other computers. How would you like the FBI to visit you because your IP address showed up in an attack on the SEC’s website, a corporation’s, or on a military computer?

One nice thing -- if you’ve set your system up to be able to identify attacks, you’ve probably prevented most of these attacks from happening. Unless you’ve really annoyed someone in a chat room or a newsgroup, or are otherwise a target for some reason, the bad guy will usually move on when he can’t get in easily. There really is no such thing as totally secure; you just want to make the other guy decide the effort isn’t worth it.

How does he get in?
Of course, the method depends on whether the target system normally provides services (like a web server) or normally uses them. The heart of the problem: you have to be running something that allows him to get in. Unfortunately, you don’t need to have decided to do this.

For example, Frontpage98 installs the Personal Web Server by default. You can only password-protect the PWS if you’re on WinNT/2000/XP. Plus, PWS has known security holes, many of which can allow the intruder to get full access.

Or, you may be running IE and allowing ActiveX controls to install automatically, or scripts to run automatically. Some trojans have been rewritten to install from ActiveX controls that you download just by visiting a web page. Others install via scripts on web pages. Scripts embedded in emails and in email attachments are further problems. Or, you may have downloaded something that had a trojan program hidden in it. All in all, you have to block incoming attempts and make sure you're not listening for them. Firewall programs can do this.

Running web servers and ftp servers is particularly dangerous from a security point of view (and forbidden by most cable ISP’s Acceptable Use Policies for their non-commercial services).

Most of these have been shown to suffer flaw after flaw that lets an attacker jump to a command prompt on your computer. Not only are these weaknesses known, there are script tools available on the Internet that do all the work for the attacker (nicknamed a "script kiddie").

There are also a number of known security weaknesses in Internet Explorer and Netscape Navigator which can be exploited by the HTML code on a web page. As mentioned above, Internet Explorer uses ActiveX controls that may be automatically downloaded and executed without your knowing it.

Besides their legitimate uses, these can be written to make your integrated email program send an email automatically, to install a trojan program or a virus on your system, or to crash your system. Unlike Java, which operates in a "virtual sandbox," ActiveX controls are native code with full system capabilities, including writing to your drives. JavaScript is not the same thing as Java; it runs inside the browser rather than as native code, but bugs in the browsers' script handling have repeatedly let web pages get past those limits, so it should be treated with the same suspicion as ActiveX rather than as harmless. Trojan programs can also get in via email attachments.

So, what should you do?
Run a firewall. Run a "two-way" firewall, one that controls outbound traffic as well as inbound. That excludes the Windows XP firewall, which only filters inbound traffic.

Always run a firewall. Whether you are using dialup or broadband, you need a firewall. Trend Micro offers a good firewall for purchase as part of Trend Micro PC-cillin Internet Security 2006. Read more in my Security Software Recommendations article.

Alternatively, you can run a good firewall on an old PC running Linux, and let it do connection-sharing duty at the same time. Coyote Linux is a free floppy-based firewall and router that can run on really old PCs.

These days, most individuals with any kind of firewall hardware use an Internet-sharing device such as the Linksys and D-Link cable/DSL routers, which are designed to share the Internet service with your home network. These also protect the computers on your home network by hiding their IP addresses behind network address translation (the router gets the official IP address that the cable ISP assigns you, and only the router is reachable from outside).

Recent versions of these routers have fairly sophisticated firewalls to control inbound data packets, but they allow any communication originating from your computer to reach the Internet. In other words, if you do get infected by a virus, trojan or worm and start spouting spam and/or virus emails, these external routers won't stop it.

Large businesses tend to use high-speed, high-priced firewall hardware and software by Cisco, Microsoft, Checkpoint and others.

So, what should you do? (continued)

Run a current anti-virus program and keep it up to date (most AV programs check automatically for updated virus definitions). Get the Windows Updates and install them! Don't run email attachments from people you don't know. Don't run the others without virus-scanning them. Turn off ActiveX in your browsers, except when needed. Turn off JavaScript and HTML in your email program.

So, what does a firewall do?
It applies a set of comparison rules to packets of data from the Internet. Some firewalls come with a default ruleset. All should allow you to modify the rules, although some are more sophisticated than others. Rule construction is probably best explained via an example.

Even better, if you're using Windows, use one of the good two-way firewall programs that are available and easy to configure, such as Sunbelt Personal Firewall, or a combination program such as Trend Micro PC-cillin Internet Security 2006.

Packet Filter:
The following is an example of a "packet filter," which examines the addressing, protocol, port, and interface of a packet to determine its disposition. Although the ways of specifying rules differ among firewall programs, and not all of them let you do the same things, they all share this basic concept.

A sample ipchains (Linux) rule to guard against the trojan program Back Orifice on udp/31337:

ipchains -A input -i eth0 -s 0.0.0.0/0 -p udp -d 24.4.x.y/32 31337 -j DENY -l

Translated: append (-A) to the input chain a rule saying: if the interface is eth0 (1st Ethernet card), if the source is anywhere, if the protocol is udp, if the destination is 24.4.x.y/255.255.255.255 (all netmask bits set, so this exact address), and if the destination port is 31337, then DENY the packet (drop it without a Destination Unreachable message; the REJECT target would send one) and log it (-l). Rules in a chain are tried in order and the first one that matches decides; a packet that matches none gets the chain's default policy.
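To show how a rule of that shape is actually evaluated, here is an added example in Python (not code from the original page or from ipchains) of a first-match packet filter: each rule carries an interface, a source network, a protocol, a destination network, a destination port and a target of ACCEPT, DENY (silent drop) or REJECT (drop plus an ICMP Destination Unreachable). The address 24.4.5.6 stands in for the page's 24.4.x.y, the extra tcp/31337 and tcp/139 rules and all packets are constructed for the example.

```python
"""A first-match packet filter in the style of an ipchains chain (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

MY_ADDR = "24.4.5.6"  # assumed stand-in for the page's 24.4.x.y


@dataclass(frozen=True)
class Packet:
    iface: str            # interface the packet arrived on, e.g. "eth0"
    proto: str            # "tcp", "udp" or "icmp"
    src: str              # source address
    dst: str              # destination address
    dport: Optional[int]  # destination port (None for icmp)


@dataclass(frozen=True)
class Rule:
    """One filter rule; None in a field means 'match anything' for that field."""
    iface: Optional[str]
    src: str              # CIDR; "0.0.0.0/0" is anywhere
    proto: Optional[str]
    dst: str              # CIDR; a /32 has every netmask bit set, so exactly one host
    dport: Optional[int]
    target: str           # "ACCEPT", "DENY" (drop silently) or "REJECT" (drop + ICMP unreachable)
    log: bool = False


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule accepts the packet."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src, strict=False):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst, strict=False):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def filter_packet(rules: List[Rule], pkt: Packet,
                  policy: str = "ACCEPT") -> Tuple[str, bool, int, Optional[str]]:
    """Walk the chain in order; the first matching rule decides.

    Returns (target, logged, rule_number, reply). rule_number is 0 when the
    chain's default policy applied; reply is the ICMP message sent back, if any.
    """
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            reply = "icmp-destination-unreachable" if rule.target == "REJECT" else None
            return rule.target, rule.log, number, reply
    return policy, False, 0, None


# The page's Back Orifice rule, a TCP twin for the same port, and a REJECT rule
# for NetBIOS session requests (tcp/139) to show the difference from DENY.
CHAIN = [
    Rule("eth0", "0.0.0.0/0", "udp", f"{MY_ADDR}/32", 31337, "DENY", log=True),
    Rule("eth0", "0.0.0.0/0", "tcp", f"{MY_ADDR}/32", 31337, "DENY", log=True),
    Rule("eth0", "0.0.0.0/0", "tcp", f"{MY_ADDR}/32", 139, "REJECT", log=True),
]

if __name__ == "__main__":
    probe = Packet("eth0", "udp", "203.0.113.9", MY_ADDR, 31337)
    print(filter_packet(CHAIN, probe))
```

Two points the example makes explicit: a rule bound to eth0 says nothing about packets arriving on another interface, and a /32 destination leaves a neighbour's address untouched, so a chain whose default policy is ACCEPT still lets everything else through. Setting the policy to DENY and adding ACCEPT rules for what you want is the safer shape.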

Sample IPCHAINS Log Report
Sep 20 13:42:30 mymachine kernel: Packet log: hostile DENY eth0 PROTO=6 24.a.b.c:2006 24.x.y.z:31337 L=40 S=0x00 I=39426 F=0x0000 T=31 (#6) [where a,b,c,x,y,z are 0-254]

Reading it: the packet was handled by the chain named "hostile", the target was DENY, and it arrived on eth0. PROTO=6 is TCP (17 would be UDP, 1 ICMP). Then come source address:port and destination address:port. L is the IP packet length in bytes, S the type-of-service byte, I the IP identification field, F the fragment flags and offset, T the TTL, and (#6) is the number of the rule in that chain that matched. Note that PROTO=6 means this entry came from a rule for tcp/31337, not from the udp/31337 rule above; Back Orifice listens on UDP by default, so you want rules, and logging, for both protocols.
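A log like this is only useful if you read it, so here is an added example (not from the original page) in Python that parses "Packet log:" lines of the format above, counts hits per source, flags a source that probes many ports, and names probes against the default ports of the trojans the page mentions. The sample lines are constructed, with addresses from the documentation ranges; the trojan port list is the commonly published defaults and is an assumption, since an attacker can reconfigure them. The optional "SYN" marker that ipchains appends to TCP connection requests is handled when present.

```python
"""Parse ipchains 'Packet log:' lines and pull out what is worth acting on (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}

# Default ports of the trojans the page names, as commonly published at the
# time (an assumption here); an attacker can reconfigure them, so treat as a hint.
TROJAN_PORTS = {31337: "Back Orifice", 12345: "NetBus", 31785: "Hack-a-Tack"}

# Field order: chain, target, interface, PROTO, src:sport, dst:dport,
# L=length S=tos I=id F=fragment T=ttl, an optional "SYN" marker for TCP
# connection requests, and (#n), the number of the rule that matched.
# For ICMP the two "port" positions carry the ICMP type and code instead.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\S+) (?P<target>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9A-Fa-f]+) I=(?P<id>\d+) F=0x(?P<frag>[0-9A-Fa-f]+) "
    r"T=(?P<ttl>\d+)(?P<syn> SYN)?(?: \(#(?P<rule>\d+)\))?\s*$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it is not a Packet log entry."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    d = m.groupdict()
    proto = int(d["proto"])
    return {
        "ts": d["ts"], "host": d["host"], "chain": d["chain"], "target": d["target"],
        "iface": d["iface"], "proto": PROTO_NAMES.get(proto, str(proto)),
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
        "length": int(d["len"]), "ttl": int(d["ttl"]), "syn": d["syn"] is not None,
        "rule": int(d["rule"]) if d["rule"] else None,
    }


def summarize(lines: List[str], scan_threshold: int = 5) -> dict:
    """Count hits per source, flag sources probing many ports, and name trojan probes."""
    hits: Counter = Counter()
    ports_by_src: Dict[str, set] = defaultdict(set)
    trojan_probes = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # ordinary kernel messages share the log; skip them
            continue
        hits[rec["src"]] += 1
        if rec["proto"] in ("tcp", "udp"):
            ports_by_src[rec["src"]].add(rec["dport"])
            name = TROJAN_PORTS.get(rec["dport"])
            if name:
                trojan_probes.append((rec["src"], rec["proto"], rec["dport"], name))
    scanners = sorted(s for s, ports in ports_by_src.items() if len(ports) >= scan_threshold)
    return {"hits": dict(hits), "scanners": scanners,
            "trojan_probes": trojan_probes, "unparsed": unparsed}


# Constructed sample log modelled on the page's entry; 203.0.113.7 is the protected host.
SAMPLE_LOG = """\
Sep 20 13:42:30 mymachine kernel: Packet log: hostile DENY eth0 PROTO=6 192.0.2.3:2006 203.0.113.7:31337 L=40 S=0x00 I=39426 F=0x0000 T=31 (#6)
Sep 20 13:42:31 mymachine kernel: Packet log: hostile DENY eth0 PROTO=17 192.0.2.3:1055 203.0.113.7:31337 L=47 S=0x00 I=39427 F=0x0000 T=31 (#5)
Sep 20 13:43:02 mymachine kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:3021 203.0.113.7:21 L=48 S=0x00 I=501 F=0x4000 T=112 SYN (#9)
Sep 20 13:43:02 mymachine kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:3022 203.0.113.7:23 L=48 S=0x00 I=502 F=0x4000 T=112 SYN (#9)
Sep 20 13:43:03 mymachine kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:3023 203.0.113.7:80 L=48 S=0x00 I=503 F=0x4000 T=112 SYN (#9)
Sep 20 13:43:03 mymachine kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:3024 203.0.113.7:139 L=48 S=0x00 I=504 F=0x4000 T=112 SYN (#9)
Sep 20 13:43:04 mymachine kernel: Packet log: input DENY eth0 PROTO=6 198.51.100.5:3025 203.0.113.7:12345 L=48 S=0x00 I=505 F=0x4000 T=112 SYN (#9)
Sep 20 13:44:10 mymachine kernel: Packet log: input DENY eth0 PROTO=1 198.51.100.9:8 203.0.113.7:0 L=84 S=0x00 I=77 F=0x0000 T=53 (#2)
Sep 20 13:44:11 mymachine kernel: eth0: link up
"""

if __name__ == "__main__":
    report = summarize(SAMPLE_LOG.splitlines())
    for src, n in sorted(report["hits"].items()):
        print(f"{src:16} {n} packets")
    print("scanners:", report["scanners"])
    print("trojan probes:", report["trojan_probes"])
```

Run it against /var/log/messages (or wherever klogd writes) with a scan threshold that suits your traffic; a single source touching five or more ports within a short time is the classic port-scan signature, and a hit on 31337 from the same source both over TCP and over UDP is exactly the pattern the two rules above are meant to catch.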

In contrast, if you're using one of the Windows firewalls, configuration is mostly a matter of "do I want this program to access the Internet?" By default, inbound ports are blocked, other than for packets that are responses to outbound packets from your computer.

Stateful Inspection:
The current state of the art is "stateful inspection." Beyond plain packet filtering, this type of firewall keeps a record of the connections your computer has opened and judges each incoming packet against that record, rather than in isolation. The goal is to make sure that incoming packets are supposed to be incoming: that they are either responses your computer asked for or continuations of those connection-oriented or connectionless exchanges. An unsolicited inbound packet that belongs to no transaction your computer initiated is dropped.

Connection vs. Connectionless Protocols:
The tcp protocol establishes a connection between two machines, such that each expects packets and sends acknowledgements when it gets them. This enables certainty of delivery, confirmation that the message was received, and resending or rerouting if necessary. Connections are established via a request (a tcp packet to the applicable port with the SYN flag set), an acceptance (SYN and ACK set) and a final ACK from the requester. The request is what lets a firewall recognize an attempt to connect, and either discard the attempt without response or respond if the rules permit it to do so.

On the other hand, udp and icmp are connectionless. The receiving machine listens for a packet; when a sending machine sends one, the listening machine responds if it chooses to. There is no certainty of delivery and no warning (other than a timeout) that a packet was not delivered. UDP itself does not number or sequence packets, so an application whose response spans several packets has to supply its own way of ordering them and noticing a missing one. For a firewall this means there is no SYN to mark a "request": it can only remember that your machine recently sent a udp packet to a given host and port, and allow a reply from that host and port for a short while afterwards.

Logging:
Let usefulness guide what you log and what you don't. There is almost no need to log outbound packets from your site on normal ports, such as tcp/80 (http), unless you are testing; otherwise you will fill your logs quickly. Similarly, inbound responses on tcp/80 are not very useful. However, you would want to log inbound tcp/80 packets with the SYN flag set, since they are connection requests from the outside. There is little use in logging a packet if you're not the destination it specifies. As @Home is configured, you will receive a lot of packets that don't apply to you.
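The following is an added example in Python (not the page's code, and not any particular firewall's) that ties the stateful inspection, connection vs. connectionless, and logging sections together: it tracks tcp connections by their SYN and udp exchanges by a short-lived table entry, admits only inbound packets that match an entry, and applies the logging policy above (log unsolicited inbound SYNs and udp probes; do not log your own outbound traffic, the replies it asked for, or packets not addressed to you). The host address, the timeouts and the traffic are assumptions constructed for the example, and icmp is left out for brevity.

```python
"""Stateful inspection with the page's logging policy (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

MY_ADDR = "203.0.113.7"  # assumed address of the protected host (documentation range)


@dataclass(frozen=True)
class Packet:
    t: float           # time seen, in seconds
    direction: str     # "out" = sent by this host, "in" = arriving from the Internet
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # tcp flags; unused for udp
    ack: bool = False


class StatefulFirewall:
    """Remembers what this host has asked for and admits only the matching replies."""

    # How long an idle entry survives. UDP has no close handshake, so its
    # pseudo-connections must time out quickly. Both values are assumptions.
    TIMEOUT = {"tcp": 3600.0, "udp": 30.0}

    def __init__(self, my_addr: str = MY_ADDR):
        self.my_addr = my_addr
        # (proto, local addr, local port, remote addr, remote port) -> expiry time
        self.table: Dict[Tuple[str, str, int, str, int], float] = {}

    def _expire(self, now: float) -> None:
        for key in [k for k, exp in self.table.items() if exp <= now]:
            del self.table[key]

    def _refresh(self, key: Tuple[str, str, int, str, int], now: float) -> None:
        self.table[key] = now + self.TIMEOUT[key[0]]

    def inspect(self, p: Packet) -> Tuple[str, bool]:
        """Return (verdict, log): verdict is ACCEPT or DENY, log says whether to record it."""
        self._expire(p.t)
        if p.direction == "out":
            key = (p.proto, p.src, p.sport, p.dst, p.dport)
            new_request = p.proto == "udp" or (p.syn and not p.ack)
            if key in self.table or new_request:
                self._refresh(key, p.t)
                return "ACCEPT", False   # our own traffic: allowed, not worth logging
            return "DENY", True          # tcp segment for a connection never opened
        if p.dst != self.my_addr:
            return "DENY", False         # not addressed to us: drop, nothing to learn
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        is_syn = p.proto == "tcp" and p.syn and not p.ack
        if key in self.table and not is_syn:
            self._refresh(key, p.t)
            return "ACCEPT", False       # reply or continuation we asked for
        # Unsolicited: log connection requests (tcp SYN, any udp), skip stray segments.
        return "DENY", (is_syn or p.proto == "udp")


def run(packets: List[Packet]) -> List[Tuple[str, bool]]:
    """Feed a packet sequence through one firewall instance and collect the decisions."""
    fw = StatefulFirewall()
    return [fw.inspect(p) for p in packets]


# Constructed traffic: a web fetch, a DNS lookup, a late DNS reply, and two probes.
WEB, DNS, SCANNER = "198.51.100.10", "198.51.100.53", "192.0.2.3"
SAMPLE = [
    Packet(0.0, "out", "tcp", MY_ADDR, 1030, WEB, 80, syn=True),           # our SYN to a web server
    Packet(0.1, "in", "tcp", WEB, 80, MY_ADDR, 1030, syn=True, ack=True),  # its SYN/ACK: expected
    Packet(0.2, "out", "tcp", MY_ADDR, 1030, WEB, 80, ack=True),           # our ACK completes it
    Packet(1.0, "in", "tcp", SCANNER, 3021, MY_ADDR, 80, syn=True),        # outsider's SYN: deny, log
    Packet(2.0, "out", "udp", MY_ADDR, 1025, DNS, 53),                     # DNS query opens a window
    Packet(2.05, "in", "udp", DNS, 53, MY_ADDR, 1025),                     # answer inside the window
    Packet(60.0, "in", "udp", DNS, 53, MY_ADDR, 1025),                     # same tuple, window closed
    Packet(61.0, "in", "udp", SCANNER, 1055, MY_ADDR, 31337),              # Back Orifice probe: log
    Packet(62.0, "in", "udp", SCANNER, 1055, "203.0.113.9", 31337),        # not for us: drop quietly
]

if __name__ == "__main__":
    for p, (verdict, log) in zip(SAMPLE, run(SAMPLE)):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}"
              f"  {verdict}{'  (log)' if log else ''}")
```

The stateless filter earlier needs a separate rule for every port an attacker might probe; this one needs none, because anything you did not ask for is denied by default, and the rules you add are only the exceptions (a server you deliberately run). The udp case shows why the timeout matters: the same reply that was welcome at 2.05 seconds is treated as a probe at 60 seconds, which is the only way a firewall can tell a real DNS answer from a spoofed packet sent from source port 53.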

©2009 computer technology World