Silicon ChipLock Out The Bad Guys With A Firewall - June 2002 SILICON CHIP
Articles in this series:
  • Computer Tips (November 2001)
  • Lock Out The Bad Guys With A Firewall (June 2002)
  • Creating Your Own Rules For Tiny Personal Firewall (July 2002)
COMPUTER SECURITY

Lock out the bad guys with a firewall
by Greg Swain

If you connect to the Internet, you need a firewall. Here's a quick rundown on three very effective firewalls: ZoneAlarm, Sygate Personal Firewall & Tiny Personal Firewall. They're all free for personal use so there's no excuse for not taking action to protect yourself.

CONNECTING A COMPUTER to the Internet without a firewall is like leaving a car unlocked with the keys in the ignition. Without a firewall, your PC can easily be hacked and sensitive data stolen. In addition, a cracker (or Internet vandal) could damage the operating system or use your machine to launch further attacks against other PCs connected to the Internet.

Users with broadband connections, such as cable modems and ADSL, make particularly juicy targets. There are a couple of reasons for this. First, every computer connected to the Internet must have a unique IP (Internet Protocol) address and broadband users usually either have a fixed address or one that is assigned for very long periods of time (ie, a "leased" IP address). That makes it easy for a cracker to repeatedly return to the same computer and wreak further mischief.

Second, users of broadband connections are more likely to be connected to the Internet for very long periods, if not permanently. That, plus the high-speed nature of the connection, means that crackers are more likely to zero in on users with cable modems or ADSL.

By contrast, if you access the Internet via a dial-up connection, your PC receives a different IP address each time it makes a connection. This makes it more of a moving target and, of course, the connection is much slower so it's less attractive for launching denial of service attacks. But that still doesn't make you safe – not by a long shot. Once you're connected, an unprotected computer can quickly be "spotted" by a cracker using a software tool called a "port scanner".

This allows the cracker to automatically portscan vast blocks of IP addresses to find out which services are "listening" for a connection. A PC has some 65,535 ports (basically data pathways) and if they are left open, an intruder can gain access. Of course, some ports are reserved for specific functions. For example, a web server communicates via port 80, FTP via port 21, incoming email via port 110 and outgoing email via port 25.

So be warned – an unprotected computer is wide open and that applies even if you use a dial-up connection, since you can be spotted in just a few minutes. And if you're on a network with file and printer sharing enabled and bound to the Internet adapter, you're really asking for trouble.

Protecting yourself

So how do you protect your PC from unwelcome visitors? The answer is to install a firewall. This can either be a hardware device that sits between your PC and the Internet or a dedicated piece of software.

The most basic software firewalls simply function as port blockers; ie, they close unused ports to prevent unauthorised access. This is the type of firewall that's now incorporated into Windows XP.

More sophisticated firewalls such as ZoneAlarm, Sygate Personal Firewall and Tiny Personal Firewall not only close unused ports but also filter and inspect the TCP/IP network packets as they pass across the firewall interface (this technique is called "Stateful Inspection"). Unwanted or unauthorised packets are then blocked and logged, according to a set of rules built into the firewall. This not only allows them to block attempted intrusions but also prevents certain applications such as Trojan horses and spyware from communicating with the Internet from your computer. A "Trojan horse", by the way, is a program that's smuggled into your computer (either via email or when you download from the web) to perform various nefarious activities.

Most firewalls (including these three) can also selectively block other PCs on a local network from having access to your machine. That's a worthwhile feature if you want to keep certain people in an office network from prying on sensitive data.

Keeping Trojans at bay

A feature of all three firewalls is that they create what are known as "MD5 signatures". Initially, these firewalls have to "learn" which applications have Internet access. These applications typically include web browsers, FTP and email clients, plus other utilities (eg, Windows Update).

Each time a new application is granted Internet access, the firewall creates an MD5 signature (basically a 128-bit hash of the program file) for that application. This signature is then stored and compared with the signature generated each time the application attempts to bind to a particular port. If the signatures match, then access is permitted.

This technique effectively blocks Trojan horse applications on your computer from accessing the Internet, since it prevents application "spoofing" – ie, where a Trojan attempts to disguise itself as a valid application. If the Trojan does attempt access, its MD5 signature will be invalid and it will be blocked.

Don't Let The Firewall Nag You!

Once you've set up all the rules for your firewall, you don't want it continually nagging you each time it encounters an unknown data packet. The way around this is to turn off the alert notifications. Here's how:

(1) In ZoneAlarm, go to the Alerts panel and clear the box next to "Show the alert popup window".

(2) In Sygate Personal Firewall, click Tools, Options and check the box next to "Hide notification messages".

(3) In Tiny Personal Firewall, click the Advanced tab and clear the box next to "Ask for action when no rule is found".

If you later find that the firewall blocks something that it shouldn't, you can quickly re-enable the alert messages, create the new rules, then disable the messages again. The log files can also help you sort out any problems.

Finally, a tip – if your computer automatically dials out each time it is booted after a firewall has been installed, find and uncheck the "Check For New Version" or "Check For Update" (or similar) option buried in the firewall setup menus.

Don't Take Security For Granted

For the home user, the firewalls described here should make for a fairly secure system – provided they are properly set up. Just keep them up-to-date and keep an eye on the log files for any suspicious activity and you should be OK. However, we don't offer any guarantees – the net is not a safe place. If security is vital, be sure to seek expert help in setting up a firewall. Don't just rely on the advice in this article.

A look at ZoneAlarm 2.6.362

ZoneAlarm is easy to install and operate. It comes in two versions: (1) ZoneAlarm 2.6.362 (the latest version at the time of writing) which is freeware; and (2) ZoneAlarm Pro 3.0 which is a retail version costing about $US40. The Pro version adds a few extra features over the freeware version, including Internet ad blocking, cookie control, full compatibility with ICS (Internet Connection Sharing) and the ability to block some 36 different email worms (Mailsafe).

For personal use, the freeware version should be sufficient. You can download it from www.zonelabs.com or from any one of a number of other sites but make sure you get the latest version.

When you launch ZoneAlarm (it's configured by default to automatically load at startup), the program places a small icon in your system tray and this also indicates incoming and outgoing traffic. To configure the program, you simply decide what level of security you want for your local network and Internet zones. The choices are Low, Medium and High and are independently set by dragging the two sliders. The window text explains what the settings mean.
For a standalone computer, you will want to set the Internet zone to High but this will have to be reduced to Medium (which presumably weakens security) if you use Internet Connection Sharing. The "High" setting is generally preferable because it places the machine into stealth mode. This makes all ports not in use by an application appear invisible to the Internet. By contrast, the "Medium" setting blocks port access but still leaves the ports visible, so it's not as good from a security viewpoint. Either setting blocks all Internet access to Windows services and to file and printer shares, a very necessary security feature.

Fig.1: ZoneAlarm offers independent security settings for the local network and the Internet.

The Local zone can be set to "High" for a standalone computer but the "Medium" setting will be necessary if you want other local machines to have access to file and printer shares.

Clicking the "Advanced" tab then takes you to the "Local Zone Properties" dialog. This is where you add "trusted" computers (eg, PCs on a local area network) to your Local Zone. The "Adapter Subnets" are created and automatically maintained by ZoneAlarm. You only have to decide whether to check or uncheck the entries. For example, checking the Ethernet Adapter entry (under Adapter Subnets) enables access for all machines on the local network. Alternatively, you can leave this unchecked and simply specify the IP addresses for individual computers (or an IP address range) to add an additional entry to the "Other computers" section. Those machines not covered by an IP address (or address range) will then be blocked by the firewall.

Fig.2: ZoneAlarm initially pops up frequent alerts until it "learns" which programs have access to the Internet.

Fig.3: clicking the Advanced tab lets you add machines to your local zone but don't choose the PPP adapter.

Initially, ZoneAlarm displays frequent alert panels and you have to teach ZoneAlarm which applications are allowed access to the Internet. These applications typically include your web browser, email client (eg, Outlook Express) and any other Internet applications (eg, ICQ). Basically, an alert panel pops up whenever an application requests access. You can choose to always block access for that program, allow access on a once-only basis or always allow access. By this means, ZoneAlarm quickly "learns" which programs can have access and which ones to block and the alerts all cease.

As well as blocking Trojans, this feature is also very effective when it comes to preventing "spyware" programs from contacting Internet-based servers without your permission.

Other features of ZoneAlarm include an Internet lock and "Mailsafe". Clicking on the lock immediately blocks all Internet activity, or you can set it to block all Internet traffic after a period of inactivity or when the screen saver activates. You can also give certain programs the right to bypass the lock (eg, if you want to check for email at regular intervals).

The MailSafe feature scans all incoming email attachments and quarantines any .vbs (ie, Visual Basic script) files by changing the extension to .zlx ("x" can be either a letter or a number). If you then try to open such attachments, ZoneAlarm pops up a dialog warning of the dangers of VB scripts and giving you an opportunity to back out.

Fig.4: the Programs tab shows which applications have been granted access to the Internet and to the Local Zone. You can also change the settings here, to grant or deny access.

Fig.5: placing the ZoneAlarm Desk Band on the taskbar gives you fast access to the various functions.

Sygate Personal Firewall

LIKE ZoneAlarm, Sygate Personal Firewall 5.0 makes your computer invisible to the Internet by closing all unused ports. It also filters and inspects incoming and outgoing traffic using rule-based policies and can be configured to allow Internet access for trusted applications, plus selective access for computers on a local network.

Once again, there are two flavours – a freeware version for personal use and a fully-featured "Pro" version. Both versions now offer full support for Internet Connection Sharing, unlike the previous 4.2 version. During installation, Sygate Personal Firewall automatically discovers the local area network and the ICS Manager and creates the rules necessary to allow Internet Connection Sharing.

As with ZoneAlarm, it can be automatically configured to load at startup and (optionally) place an icon in the System Tray. This icon flashes red if an intrusion attempt is detected and you can double-click it to open the main console, before clicking the Logs button to review the security log. Alternatively, right-clicking the tray icon gives you quick access to all the features of the firewall.

Security levels

There are three security levels – Block All, Normal and Allow All – and you can also click the "Block All" button on the toolbar to immediately block all Internet access. This is similar to the lock feature in ZoneAlarm.

The "Options" dialog box (found under the Tools menu) provides various configuration and local networking options, while the "Advanced Rules" dialog lets you create your own firewall rules based on IP numbers, port numbers and scheduling. Fortunately, if you're a complete novice, you don't have to worry about any of this. Sygate Personal Firewall is all set to go immediately following installation. All you have to do is answer the alerts it pops up when you first start using it, to tell it which applications should be granted Internet access. As with ZoneAlarm, Sygate Personal Firewall then uses your answers to create the access rules, so that the alerts cease after a short period of initial use.

Clicking the "Applications" button on the toolbar brings up the Applications list. You can change each application's access status by right-clicking it and choosing either Allow, Ask or Block from the drop-down menu.

Sygate Personal Firewall also features password protection. This is designed to prevent your security settings from being changed by other users of the machine. And like ZoneAlarm, it can be set to block all Internet traffic while the screen saver is active.

Fig.6: Sygate Personal Firewall 5.0 has an easy-to-use interface that displays network traffic and lists running applications. Right-clicking an application lets you change its access status.

Fig.7: you can quickly gain access to Sygate Personal Firewall's main functions by right-clicking its icon in the System Tray.

Fig.8: like ZoneAlarm, Sygate Personal Firewall "learns" which applications have Internet access.

Fig.9: setting up local network and file and printer sharing rights is a "no-brainer" in Sygate Personal Firewall.

Tracing attacks

A neat feature of Sygate Personal Firewall is its ability to trace the path of an attempted intrusion. However, you can normally only trace the source of an attack back to the router used by the hacker to launch the attack, not the hacker's computer itself.

Finally, the Test button on the main console logs you onto Sygate's test site, so that the effectiveness of the firewall can be checked. This not only provides port scans and other security scans but can also scan for the presence of Trojans. Note, however, that Internet test sites do not always give accurate results if you are using a proxy server or are connected to the Internet via a gateway (eg, using ICS) – see the "Testing Your Firewall" panel for further details.

Fig.10: the Advanced Rule Settings let you specify access rights for certain IP addresses, ports and protocols.

Fig.11: in this case, the firewall is blocking a computer on the local network with an IP of 192.168.0.20.

Fig.12: this dialog box lets you quickly change Internet access rights for various applications.

Testing Your Firewall

Once you have a firewall installed, you'll want to test its effectiveness. There are several web sites on the Internet that allow you to do just that. These commonly do port scans and test for other vulnerabilities, and some can even scan for the presence of known Trojans.

Of these, perhaps the best known sites are PC Flank at http://www.pcflank.com and Steve Gibson's ShieldsUp site at http://www.grc.com. In addition, Sygate has a test site at http://scan.sygatetech.com and you are automatically connected to this when you click the Test button in Sygate Personal Firewall.

However, there are some situations in which the tests from these sites are rendered inaccurate. For example, if you use a proxy server, it's the proxy server (eg, at your ISP) that could end up being scanned – not your local machine with the firewall. That's because it's necessary for the test site to accurately determine your machine's IP address before running the tests and it's often the proxy's IP address that it recognises instead.

For example, the ShieldsUp site at www.grc.com has a tendency to recognise the proxy's IP but this is easily overcome by downloading a small utility called "IP Agent". Running this utility then sends the machine's correct IP address to the ShieldsUp test site, after which you can run the security checks.

The Sygate test site also has a habit of recognising the IP of the proxy server. In some cases, you may be able to get around the problem by disabling the proxy server settings in your web browser but that depends on your Internet Service Provider – disabling the proxy settings can sometimes prevent web access!

By contrast, in the tests we ran, the PC Flank site accurately determined the IP address of the local machine, despite the use of a proxy server. This site has several tests that you can run, including: Quick Test, Stealth Test, Browser Test (checks browser security), Trojans Test, Advanced Port Scanner and Exploits Test.

Testing a firewall that's on a client machine that accesses the Internet through a gateway (eg, via a PC with Internet Connection Sharing) also poses problems, since private IP addresses aren't recognised by the Internet. As before, the results of any web-based port scans and security checks will be misleading since it's either the gateway machine or the proxy server that will be scanned by the test site.

Tiny Personal Firewall

LAST BUT NOT LEAST, there's Tiny Personal Firewall. Let's call it TPF for short. As with the previous two firewalls, it's best to fire up all your Internet applications when you first install TPF so that it can learn the ropes. TPF then creates filter rules based on your responses to the alerts it throws up (you can customise these rules if necessary).

TPF's administration utility is launched by double-clicking the icon in the System Tray and is, initially at least, disarmingly simple in appearance. The level of protection is set using the 3-position slider control. You can choose to cut off all network activity (top position), permit network activity according to the rules that have been set (centre position) or allow all network activity (bottom).

The medium security (centre) position is the default level and is necessary if you want Internet access but want to keep the firewall rules in place (the top maximum security setting blocks everything, including Internet access). TPF provides a few pre-defined filter rules and the user is prompted to set up a new filter rule (permit or deny) each time an unknown data packet is encountered.

Clicking the Advanced tab launches the Firewall Configuration menu and opens up a whole new world. This initially displays the Filter Rules dialog, which lists all the rules that have been created. You can then edit, add or delete rules, change the rule order and even set time frames for individual filter rules if necessary. However, you will need to have a reasonable understanding of TCP/IP and port addressing to do this if you intend to create the rules from scratch.

Alternatively, if you don't know how to create the rules, you can let the wizard do it for you each time you attempt to access a resource or browse to a network share from another machine. All you have to do is make sure that the box next to "Ask for action when no rule is found" is checked and follow the bouncing ball to create the rules from the alerts that pop up.

The other tabs on the Firewall Configuration control panel (Microsoft Networking, Miscellaneous & Application's MD5) let you set up local area networking options, trusted address groups and logging options. There's also an "Is running on Internet gateway" option that you can check (under Miscellaneous). This feature is apparently designed to make TPF work with Internet Connection Sharing but I couldn't make it work on the two ICS gateway machines I tested it on. With TPF installed on a gateway machine, I was unable to browse the Internet from any of the client machines – even with the firewall disabled (or completely shut down for that matter). Full browsing rights were immediately restored when TPF was uninstalled, however.

But don't let this put you off TPF. If you don't plan to run this firewall with Internet Connection Sharing, it really doesn't matter.

Fig.13: Tiny Personal Firewall's interface is disarmingly simple at first glance.

Fig.14: Tiny Personal Firewall initially displays frequent outgoing and incoming connection alerts until it learns the ropes. The incoming alert here is from a machine on the local network.

Fig.15: clicking the Advanced button in Fig.13 brings up this dialog which shows all the current filter rules. You can add, edit or delete rules as necessary.

Which One Should You Choose?

Any of the three will do the job quite nicely but if you're a rank beginner, go for ZoneAlarm or Sygate Personal Firewall. They are easy to set up and you don't have to learn about ports and network protocols.

Those of a more technical bent might prefer Tiny Personal Firewall. It's more flexible than the other two and allows you to create and tightly edit your own packet-filtering rules – provided you have the know-how, of course. Alternatively, you can let the wizard create the rules for you and then edit them afterwards.

Our advice is to choose the firewall that best suits your needs and stick with it. But whatever you do, don't install multiple firewalls on your PC or you'll get all sorts of foul-ups. And that applies even if you have only one firewall running. For example, having both Sygate Personal Firewall and Tiny Personal Firewall installed (but not running) prevented both Internet and email access with ZoneAlarm set for high Internet security. Uninstalling both SPF and TPF restored normal operation.

Which one was causing the conflict? We didn't bother to investigate but it does indicate the sorts of problems that can occur if you install multiple firewalls. Don't do it. If you do want to try a different firewall, uninstall the previous firewall first.

Filtering the local network

One very nice feature about TPF is that it detects if there is a local area network as soon as the machine is rebooted after installation. The user is then prompted to permit or deny the network traffic. If it's permitted, then the LAN's all set to go without any further action from you.

By default, TPF sets up a "Trusted Address Group" for your LAN and displays this under the Microsoft Networking tab. This means that if the machines on the LAN have 192.168.0.x IP addresses (where x is a number between 1 and 254 and is different for each machine), then TPF sets up a trusted address group of 192.168.0.0/255.255.255.0. This rule simply allows all machines on the 192.168.0.x network to access shared resources on the machine with the firewall.

Alternatively, by modifying the Trusted Address Group, you can restrict access to certain machines only. For example, changing the trusted address group to 192.168.0.0 - 192.168.0.10 restricts access to machines with IP addresses in this range. Machines with an IP of 192.168.0.11 or higher are blocked.

If you're not on a local network, just check "For Microsoft Networking Use These Rules Instead Of Filter Rules" and clear all other check boxes under the Microsoft Networking tab. This simple step prevents your computer from being identified by machines on an external network and denies access to any shared resources (not that you should have any for a standalone machine).

Earlier versions of TPF did not include the "Microsoft Networking" tab, which meant that you had to set up the filter rules yourself if you wanted to share resources. We'll show you how to do that next month.

Fig.16: the Microsoft Networking section makes it easy to grant or deny access for machines on the local network. Note that any settings here take precedence over the filter rules.

Fig.17: the Filter Rules dialog is very flexible and lets you create rules based on protocol, packet direction, ports and application. You can even set up scheduling and logging from here.

Living by the rules

One thing that's important to remember here is that the rules set up under Microsoft Networking override any Filter Rules that you may create. This means that it's futile creating separate Filter Rules to block certain IP addresses (as in Fig.17) if they have already been granted access under Microsoft Networking. In short, the rules listed under Microsoft Networking will win out every time.

If you wish to create your own Filter Rules for the local network, make sure that they will not be overridden by the Microsoft Networking rules. In some cases, it may be easier to disable the Microsoft Networking rules altogether (just clear the top check box).

Top-down rule order

Another thing that's important to remember is that the Filter Rules operate in a "top-down" order. In other words, filter entries at the top of the table take precedence over entries lower down.

This works as follows: let's say that you create a rule that allows access for machines with IP addresses from 192.168.0.1 to 192.168.0.20 but then have a rule further down that blocks access for 192.168.0.10 only. Guess what? – 192.168.0.10 will still have access through the firewall since the top rule "clobbers" the rule further down. Once permission for something has been granted (or denied), you cannot change it with a rule further down the list.

The answer in this case is to move the "blocking" rule up the list, so that it is above the other rule. The blocking rule then blocks 192.168.0.10, with the following rule then allowing access for the remaining machines.

That said, you wouldn't normally block access for individual machines on a local network by creating separate Filter Rules. Instead, it's far easier to block access by leaving the relevant IP addresses out of the Trusted Address Group under the Microsoft Networking tab.

Firewall Downloads

Firewall                        Operating System                       File Size   Download Site
ZoneAlarm 2.6.362               Windows 95/98/Me, Windows NT/2000/XP   2.92MB      www.zonelabs.com
Sygate Personal Firewall 5.0    Windows 95/98/Me, Windows NT/2000/XP   4.74MB      www.sygate.com
Tiny Personal Firewall 2.0.15   Windows 95/98/Me, Windows NT/2000/XP   1.42MB      www.tinysoftware.com

Spyware Checking Software
Lavasoft Ad-aware 5.71          Windows 95/98/Me, Windows NT/2000/XP   0.87MB      www.lavasoftusa.com
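To make the three mechanisms above concrete (the MD5 application signatures from "Keeping Trojans at bay", the Microsoft Networking override and the top-down filter rules), here is a small model written for this article as an added illustration; it is not code from Tiny Personal Firewall or the other products. The class names, the decide() flow and the stand-in program bytes are assumptions; the 192.168.0.x cases are the ones from the text.

```python
"""Toy model of the decision logic the article attributes to Tiny Personal
Firewall: an application signature check, a Microsoft Networking trusted
address group used instead of the filter rules, and filter rules evaluated
top-down with the first match winning.  Added illustration, not code from
any of the three products; names and the decide() flow are assumptions."""
import hashlib
import ipaddress
from dataclasses import dataclass, field


def signature(program_bytes: bytes, algo: str = "md5") -> str:
    """Digest of the program file. MD5 is what the article's firewalls used;
    the algorithm is a parameter so a stronger hash can be substituted."""
    return hashlib.new(algo, program_bytes).hexdigest()


class AppSignatures:
    """Stores a digest per learned application and re-checks it on each
    bind attempt, so a different binary using a learned name is refused."""

    def __init__(self) -> None:
        self._known: dict[str, str] = {}

    def learn(self, name: str, program_bytes: bytes) -> None:
        # Called when the user answers "always allow" for a new program.
        self._known[name] = signature(program_bytes)

    def check(self, name: str, program_bytes: bytes) -> bool:
        stored = self._known.get(name)
        return stored is not None and stored == signature(program_bytes)


@dataclass
class IpRange:
    """Inclusive address range, as the TPF dialogs take it (first - last)."""
    first: str
    last: str

    def __contains__(self, ip: str) -> bool:
        a = ipaddress.ip_address(ip)
        return ipaddress.ip_address(self.first) <= a <= ipaddress.ip_address(self.last)


@dataclass
class Rule:
    action: str          # "allow" or "block"
    addresses: IpRange


@dataclass
class Policy:
    # Microsoft Networking tab: when its top box is checked, the trusted
    # address group is used INSTEAD of the filter rules (it wins every time).
    ms_networking_enabled: bool = False
    trusted_group: list = field(default_factory=list)   # list[IpRange]
    filter_rules: list = field(default_factory=list)    # list[Rule], top-down

    def decide(self, src_ip: str) -> str:
        if self.ms_networking_enabled:
            # A filter rule lower down cannot take back access granted here.
            return "allow" if any(src_ip in r for r in self.trusted_group) else "block"
        for rule in self.filter_rules:          # top-down, first match decides
            if src_ip in rule.addresses:
                return rule.action
        return "block"                          # nothing matched: deny


def article_examples() -> dict:
    """Replays the cases from the text; returns case name -> decision."""
    results = {}
    # 1. Allow .1-.20 placed ABOVE a block for .10: the block is clobbered.
    wrong = Policy(filter_rules=[
        Rule("allow", IpRange("192.168.0.1", "192.168.0.20")),
        Rule("block", IpRange("192.168.0.10", "192.168.0.10")),
    ])
    results["block rule below allow"] = wrong.decide("192.168.0.10")
    # 2. Same rules with the block moved up: .10 blocked, others still allowed.
    fixed = Policy(filter_rules=list(reversed(wrong.filter_rules)))
    results["block rule moved up"] = fixed.decide("192.168.0.10")
    results["other machine still allowed"] = fixed.decide("192.168.0.11")
    # 3. Trusted group .0-.10 used instead of the filter rules: .11 is blocked
    #    even though a filter rule would have allowed it.
    trusted = Policy(ms_networking_enabled=True,
                     trusted_group=[IpRange("192.168.0.0", "192.168.0.10")],
                     filter_rules=fixed.filter_rules)
    results["trusted group .11"] = trusted.decide("192.168.0.11")
    results["trusted group .5"] = trusted.decide("192.168.0.5")
    return results


def trojan_example() -> tuple:
    """Learned browser passes; a different binary claiming its name fails."""
    sigs = AppSignatures()
    browser = b"constructed stand-in for the browser executable"
    sigs.learn("browser.exe", browser)
    impostor = b"constructed stand-in for a trojan using the same name"
    return sigs.check("browser.exe", browser), sigs.check("browser.exe", impostor)


if __name__ == "__main__":
    for case, verdict in article_examples().items():
        print(f"{case}: {verdict}")
    print("genuine, impostor:", trojan_example())
```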
We'll take a closer look at creating your own rules for Tiny Personal Firewall in next month's issue.

A Few Basic Security Measures

Here are a few other security measures that you can take to protect your PC, whether you run a firewall or not.

(1) Make sure that "File And Printer Sharing For Microsoft Networks" and "Client For Microsoft Networks" are NOT bound to your Internet adapter (note: this advice applies whether you are on a local network or not). For example, if you use a modem to connect to the Internet, you should unbind these services from your Dial-Up Adapter. To do this, right-click My Network Places (or Network Neighborhood), select the TCP/IP entry for the Dial-Up Adapter, click Properties, click the Binding tab and clear the check boxes.

(2) If you don't require Internet access for any other machines on the network, consider using NetBEUI as your networking protocol for file and printer sharing. TCP/IP can then be removed from these other machines altogether, thus effectively closing NetBIOS ports 137-139. Both TCP/IP and NetBEUI will be required on the Internet machine but make sure that TCP/IP is bound only to your Internet adapter. If you're not running a network, remove "Client for Microsoft Networks" from your PC entirely.

(3) Visit Steve Gibson's ShieldsUp site at www.grc.com for lots of good advice on security measures.

(4) Check the Microsoft Update site regularly and install any critical updates that involve security.

(5) Install a "spychecker" program such as Ad-aware from Lavasoft. This can detect and remove any "spyware" and "adware" programs that have snuck in. Ad-aware is a free utility from www.lavasoftusa.com but be sure to regularly update its signature file (called "reflist.sig"). A related utility – refupdate.exe – can do this for you automatically.

(6) Use the PCFlank site at http://pcflank.com to scan your machine for Trojans. You should also use this site (or one of the other test sites) to scan for open ports and to test the effectiveness of your firewall.

(7) Use a good anti-virus program and regularly update its virus definitions file.

(8) Don't run email attachments unless they are from a trusted source, they have been virus checked and you know what they are.

Fig.18: make sure that Client for Microsoft Networks and File and Printer Sharing are not bound to your Internet adapter.

Fig.19: it's a good idea to install a "spyware" checking utility such as Lavasoft's Ad-aware but be sure to keep its signature file up-to-date.

SC