
5 Star Support - Free Computer Help and Technical Support




Firewalls and what you need to know

posted by Dave
5 Star Support Security Specialist

If you have read any of the security articles available just about anywhere on the Internet, I'm sure you are aware that you really do need a good firewall installed on your computer. A software firewall is an absolute necessity these days for any computer connected to a network or the Internet. The problem I keep running into is that almost all users I have talked to regarding firewalls hold the same opinion: they have a firewall installed, so they are completely protected, and that's the end of it. Unfortunately, that opinion is not correct.

To begin with, software firewalls require periodic updating, a fact that many users with firewalls installed are either unaware of or neglect entirely. Get in the habit of checking for updates to your firewall regularly (at least monthly), just as you should with all your other software. Updates matter for two reasons: they fix flaws in the firewall itself, and they refresh its knowledge of which programs and components are legitimate.

So, what protection do you have now that a firewall is installed? Any good modern software firewall blocks a wide range of attacks that can reach your computer from the Internet. A computer connected directly to the Internet without one is typically probed within minutes. What every computer user needs to understand is that even with a firewall installed, you are not bulletproof; nothing is. There are still ways around firewalls, and as the skills of malware writers improve, successful bypasses are becoming more common. This may not have been true as little as two years ago, but it certainly is today.

The first concept you need to understand is that a software firewall is, in reality, a series of filters designed to keep the bad stuff out of your computer (and, in the better products, to keep unauthorized traffic from going out). A firewall must pay attention to two main areas, which correspond to the two main components of firewall design.

The first area is the packet level. The job entails looking for malformed or suspicious packets, detecting port scans, and deciding whether each packet should be allowed into the protocol stack. Packets are checked for validity, direction (inbound or outbound), source host and port, destination host and port, and specific packet flags (is this a new connection attempt, or does it belong to an already established connection?).

The second area works at a higher level and deals with processes. The firewall must check whether a given process should be allowed to connect to a given host on a given port, whether it should be allowed to listen for connections on a given range of ports, and so on.

Simply stated, a firewall uses two sets of filters, and two sets of drivers, to do its job.

First, let's look at the packet filters in more detail. The packet-level filters are designed to sit in the middle of the data path. On Windows they usually reside between the drivers for the modem or network (Ethernet) card and the TCP/IP protocol drivers; some designs instead hook the protocol stack itself, or sit between the stack and anything below it in the protocol chain. Either way, every packet, inbound or outbound, must pass through the filter.

It is the job of the packet filter driver to analyze every packet it sees and check it against the criteria and rules stored in the firewall's data structures. It looks at things like source and destination hosts and ports, protocol type, packet flags, degree of fragmentation, and whether the packet is part of an ongoing connection or a request to open a new one. Let's look at an example: the protocol is TCP and the packet has the SYN flag set (an attempt to open a connection). The filter consults its rules, based on the source and destination hosts and ports, and either allows or drops the connection request. If the connection is allowed, the filter adds it to an internal list of open connections (this list is what makes the filter "stateful") and passes the packet along to the next layer (protocol drivers for inbound packets, miniport or intermediate drivers for outbound packets). Later packets that belong to a connection on the list are passed through; a mid-stream packet for a connection that is not on the list is treated as unsolicited and dropped. If a packet is blocked by the rules, it is silently dropped and goes no further. In some firewall designs, dropping a packet also wakes a waiting thread that shows an on-screen alert, writes to a log file, or both.
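To make the packet-level process concrete, here is a toy stateful packet filter written for this article as an added illustration; it is not code from the original page or from any firewall product. The host address, rule set and packet sequence are all constructed, and the "connection list" is a plain Python set standing in for the driver's kernel data structure. It shows the three outcomes described above: a SYN matched against the rules, a reply admitted because its connection is on the list, and a stray mid-stream packet dropped because it is not.

```python
"""Toy stateful packet filter modelled on the packet-level driver described
above. Added illustration only: the rules, addresses and packets are all
constructed for this example; a real filter runs in the kernel on every frame."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

HOST = "192.168.1.10"  # constructed: address of the protected machine


@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    direction: str                  # "in" (from the network) or "out" (from the stack)
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "drop"
    direction: str
    proto: str
    src_net: str = "0.0.0.0/0"      # checked for inbound packets only
    dport: int = 0                  # 0 means any destination port


# Checked top to bottom, first match wins; anything matching nothing is dropped.
RULES = [
    Rule("allow", "out", "tcp"),                        # any outbound TCP connection
    Rule("allow", "out", "udp", dport=53),              # outbound DNS queries
    Rule("allow", "in", "tcp", "192.168.1.0/24", 445),  # file sharing from the LAN only
    Rule("drop", "in", "tcp"),                          # no other inbound connections
    Rule("drop", "in", "udp"),
]


class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.connections = set()  # the driver's "internal list of open connections"
        self.log = []             # what the waiting thread would display or write

    @staticmethod
    def _key(p):
        # Flows are stored from the host's point of view, so an inbound reply
        # maps onto the entry created by the outbound request that caused it.
        if p.direction == "out":
            return (p.proto, p.src, p.sport, p.dst, p.dport)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def _match_rule(self, p):
        for r in self.rules:
            if r.direction != p.direction or r.proto != p.proto:
                continue
            if p.direction == "in" and ip_address(p.src) not in ip_network(r.src_net):
                continue
            if r.dport and r.dport != p.dport:
                continue
            return r.action
        return "drop"  # default deny

    def process(self, p):
        key = self._key(p)
        where = f"{p.direction} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport} {sorted(p.flags)}"
        if key in self.connections:
            # Belongs to a flow already admitted. (A real filter tracks both FINs;
            # one FIN or a RST is enough to retire this toy's entry.)
            if p.proto == "tcp" and p.flags & {"FIN", "RST"}:
                self.connections.discard(key)
            return "allow"
        if p.proto == "tcp" and not ("SYN" in p.flags and "ACK" not in p.flags):
            # Neither a connection request nor part of a known connection:
            # a stray ACK, an ACK scan, or a spoofed mid-stream segment.
            self.log.append(f"drop {where}: not part of a known connection")
            return "drop"
        action = self._match_rule(p)
        if action == "allow":
            self.connections.add(key)
        else:
            self.log.append(f"drop {where}: blocked by rule")
        return action


def run_scenario():
    """Run a constructed packet sequence through the filter; return (decisions, log)."""
    fw = StatefulFilter(RULES)
    packets = [
        Packet("tcp", "out", HOST, 50000, "93.184.216.34", 80, frozenset({"SYN"})),        # browser opens a web connection
        Packet("tcp", "in", "93.184.216.34", 80, HOST, 50000, frozenset({"SYN", "ACK"})),  # server's reply
        Packet("tcp", "in", "203.0.113.5", 4444, HOST, 135, frozenset({"SYN"})),           # Internet host probes RPC
        Packet("tcp", "in", "203.0.113.5", 4444, HOST, 135, frozenset({"ACK"})),           # ACK scan of the same port
        Packet("tcp", "in", "192.168.1.20", 50001, HOST, 445, frozenset({"SYN"})),         # LAN neighbour opens a file share
        Packet("udp", "out", HOST, 53000, "192.168.1.1", 53),                              # DNS query to the router
        Packet("udp", "in", "192.168.1.1", 53, HOST, 53000),                               # DNS answer
        Packet("udp", "in", "203.0.113.5", 53, HOST, 1900),                                # unsolicited UDP from the Internet
    ]
    return [fw.process(p) for p in packets], fw.log


if __name__ == "__main__":
    decisions, log = run_scenario()
    print(decisions)
    print("\n".join(log))
```

Running `run_scenario()` admits the browser's connection and the server's reply, admits the LAN file-sharing request, admits the DNS answer because the query created an entry for it, and drops the three unsolicited packets. Note the ACK scan: it is dropped not by any rule but because there is no connection on the list for it, which is exactly the check a stateless rule set cannot make.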

That sums up packet-level filtering. Now we move up a level to the process filter. So far we have only discussed packets going in or out of a machine; the next level looks at which process those packets belong to and what it is trying to do.

To communicate with other computers, Windows applications use a programming interface called Winsock. Winsock is built so that third-party extensions can be inserted between the application and the underlying transport: a Layered Service Provider (LSP) is a DLL registered in the Winsock catalog and loaded into every process that uses Winsock, where it sees (and can modify) that process's network calls before they reach the protocol drivers. A software firewall may install an LSP of its own so that it can tie traffic to the application that generated it. (For readers on current systems: Microsoft deprecated LSPs starting with Windows 8 in favor of the Windows Filtering Platform, but the principle, a filter inserted into the application's own network path, is unchanged.)

Generally, process-level filtering looks at which executable is making a network request, what it is trying to do (connect, listen, send), and which helper modules (DLLs) are loaded into it, and compares these against the rules in the firewall to decide whether the request should be allowed. In other words, the filter has to determine whether the program behind this process is allowed to perform the action it is attempting, and whether the modules attached to it are supposed to be there. A careful filter identifies the program by a checksum or hash of its file rather than by its name alone, since a malicious program can simply give itself the name of your browser. If a decision cannot be reached, the usual result is an on-screen alert that a certain application is trying to "communicate", "send a packet", "access the network" or "access the Internet", after which the firewall waits for you to allow or deny the action. This is where you, the user, have to make the decision. No firewall can possibly know every current and future DLL, good and bad. That is one reason firewall software is updated, and it is also why you need to know what software you have and whether you want it to access the Internet.

Now that we have seen how a firewall basically works, let's talk about how the bad guys get around it. Remember at the beginning we said there is no such thing as bulletproof?

The most common ways around a firewall involve a Trojan, or a Trojan/worm combination. These threats usually find their way into a computer by way of a malicious Web site, malicious files planted on a legitimate Web site without its owner's knowledge, or e-mail and e-mail attachments. Still others arrive inside programs downloaded from the Internet, the usual MO for adware and spyware (which is why I always caution users about "freeware"). More recently we have seen direct attacks by malware writers whose code piggybacks in along with regular, benign-looking code. These programs are paired with Internet-wide scanners that look for computers meeting specific criteria, such as operating system type and open ports.

Let's look at a simple and common example, the most notorious of which is called a Backdoor Trojan. Say you opened the wrong piece of e-mail, or e-mail attachment, and it contained a Backdoor Trojan. You probably would not notice anything out of the ordinary. Once inside the computer, the Trojan registers a rogue LSP of its own in the Winsock chain we discussed above. Because an LSP is loaded into every process that uses Winsock, it now sees all legitimate traffic going in and out of the computer, runs inside programs the firewall already trusts, and can go to work.

The installed Trojan can now modify packets (traffic) before passing them along the chain to suit its own purposes, choose not to pass them on at all, generate fake traffic for the lower layers as if it came from a legitimate application, or generate fake traffic for the upper layers as if it came from the network.

Let's make our simple example a bit worse for our computer user. The Trojan is installed, complete with its rogue LSP, which now sits in the perfect place for a man-in-the-middle attack. All it needs to do is piggyback its own requests on normal traffic from the browser on, let's say, port 80 (HTTP, the Web) and it can communicate with the originator of the attack, wherever he may be. The attacker sends back whatever data, code or commands he desires, and they pass right through the firewall along with the normal traffic on the already open connection. As far as the process filter can tell, the packets come from the browser, a program the user has already told it to allow, so neither the user nor the firewall is any the wiser. On an always-on high-speed connection the rogue LSP can even open its own connections in the background at will, without your knowledge, and they too will be attributed to whatever trusted process it happens to be loaded into.

Although the above example is simplified, it should give you a basic idea of how a software firewall can be circumvented by someone with malicious intent. Although simple, this example method is still successfully used by many attackers to this day. There are also many, much more sophisticated ways of doing the same thing that are very difficult to find and eliminate once they have found their way into a computer.
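The following toy application filter ties together the process-level checks described earlier and the rogue-LSP scenario just above. It is an added illustration written for this article, not code from the original page or from any firewall product, and the executable images, file paths, hash values and module lists are all constructed stand-ins. The assumption it makes about firewall design is stated in the text: the filter identifies a program by the hash of its file, keeps a baseline of the DLLs it expects to see in that process, and prompts when something it does not recognize appears.

```python
"""Toy process-level (application) filter in the spirit of the one described
above. Added illustration, not code from the original article: the executables,
hashes, module lists and requests are all constructed."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class ConnectRequest:
    exe_path: str          # image the requesting process was started from
    exe_image: bytes       # bytes of that image on disk (constructed stand-in)
    modules: frozenset     # DLLs currently loaded into the process
    dst: str
    dport: int


@dataclass(frozen=True)
class AppRule:
    exe_sha256: str        # identity of the program: its hash, not just its path
    baseline_modules: frozenset
    allowed_ports: frozenset


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the real files on disk.
BROWSER_IMAGE = b"MZ constructed browser image"
TROJAN_IMAGE = b"MZ constructed trojan image"
BROWSER_PATH = r"C:\Program Files\Browser\browser.exe"
NORMAL_WINSOCK = frozenset({"ws2_32.dll", "mswsock.dll"})  # the usual Winsock DLLs

RULES = {
    BROWSER_PATH: AppRule(
        exe_sha256=sha256(BROWSER_IMAGE),
        baseline_modules=NORMAL_WINSOCK | {"browser.dll"},
        allowed_ports=frozenset({80, 443}),
    ),
}


def decide(req, rules=RULES):
    """Return (action, reason). ALLOW and DENY are automatic; PROMPT asks the user."""
    rule = rules.get(req.exe_path)
    if rule is None:
        return "PROMPT", "no rule for this program"
    if sha256(req.exe_image) != rule.exe_sha256:
        # Same file name, different contents: a replaced or renamed binary.
        return "DENY", "program on disk does not match the hash in its rule"
    unexpected = req.modules - rule.baseline_modules
    if unexpected:
        # A module the rule has never seen: this is where a newly installed
        # LSP, legitimate or rogue, first becomes visible to the firewall.
        return "PROMPT", "unexpected module(s) loaded: " + ", ".join(sorted(unexpected))
    if req.dport not in rule.allowed_ports:
        return "PROMPT", f"port {req.dport} is not covered by the rule"
    return "ALLOW", "matches rule"


def run_scenario():
    requests = [
        # 1. Clean browser going to a web site: allowed without a question.
        ConnectRequest(BROWSER_PATH, BROWSER_IMAGE, NORMAL_WINSOCK | {"browser.dll"}, "93.184.216.34", 80),
        # 2. Same browser after a Trojan registered a rogue LSP: the DLL is now inside the process.
        ConnectRequest(BROWSER_PATH, BROWSER_IMAGE, NORMAL_WINSOCK | {"browser.dll", "rogue_lsp.dll"}, "93.184.216.34", 80),
        # 3. Trojan copied over the browser's path: the path matches, the hash does not.
        ConnectRequest(BROWSER_PATH, TROJAN_IMAGE, NORMAL_WINSOCK, "203.0.113.5", 80),
        # 4. Program the firewall has never seen before.
        ConnectRequest(r"C:\Users\someone\Downloads\free_screensaver.exe", TROJAN_IMAGE, NORMAL_WINSOCK, "203.0.113.5", 6667),
    ]
    return [decide(r) for r in requests]


if __name__ == "__main__":
    for action, reason in run_scenario():
        print(f"{action:6} {reason}")
```

Request 2 is the heart of the bypass: the only thing that distinguishes the browser with a rogue LSP from the clean browser is the extra module, so a firewall that does not inspect loaded modules (or a user who clicks "allow" at the prompt) lets the Trojan's traffic through as the browser's own. Request 3 shows why a path-only rule is not enough: a Trojan that takes the browser's name is caught only because the rule also carries the file hash.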

I hope this paper gives you a good basic working knowledge of how firewalls work, and in some way deters you from simply installing a firewall and then surfing the Internet with reckless abandon, thinking you are safe from anything.

If you don't yet have a firewall, get a good one right away. Do some research and be sure to pick one that monitors both incoming and outgoing traffic. After installing it, I also highly recommend testing it regularly.

If you want to test your firewall, I suggest two free tests from Gibson Research: Shields Up, which probes your computer's ports from the outside, and Leak Test, which checks whether an unrecognized program on your computer can send data out. They are available for free at:

Both tests are found by scrolling down about half way on the page.

For even better protection, consider installing a router with a built-in firewall, even if you only have one computer. Your computer then sits behind the router's public IP address, which is all that is visible from the outside, and unsolicited inbound connections have nowhere to go unless you deliberately forward them. A decent router can be had for around $80 these days, and it adds an extra layer of protection. Two caveats: the router itself is now the device exposed to the Internet, so keep its firmware updated, and disable remote administration and UPnP unless you actually need them.

Until we meet again here on the Security Center, happy computing.







Copyright © 2000-2014  5 Star Support All rights reserved.