Firewalls and what you need to know
posted by Dave
5 Star Support Security Specialist
If you have read any of the security articles available from just about anywhere
on the Internet, I’m sure you are aware that you really do need a good firewall
installed on your computer. A software firewall is an absolute necessity these
days for any computer connected to a network or the Internet. The problem I keep
running into is that almost all users I have talked to regarding firewalls seem
to hold the same opinion: they have a firewall installed, so they are completely
protected, and that’s the end of it. Unfortunately, that opinion is not correct.
To begin with, software firewalls require periodic updating, a fact that many
computer users with firewalls installed seem either to be unaware of or to
neglect entirely. You should get in the habit of checking for updates to your
firewall regularly (at least monthly), just as you should with all your other
software.
So, what about protection now that you have a firewall installed? Any good
modern software firewall offers solid protection from many of the things that
can attack your computer while it is on the Internet. Without a firewall, a
computer can, and will, be attacked in a matter of minutes. What every computer
user needs to understand is that even with a firewall installed, you are not
bulletproof. In fact, there is no such thing. Believe it or not, there are still
ways around firewalls, and as the skills of hackers and malware writers improve,
successful ways of getting around them are becoming more common. This may not
have been true as little as two years ago, but it certainly is today.
The first concept you need to understand is that a software firewall is, in
reality, a series of filters designed to keep the bad stuff out of your
computer. A firewall must pay attention to two main areas, and these correspond
to the two main components of firewall design.
The first area is the actual packet-level information. The job entails looking
for malformed or suspicious packets, detecting port scans, and determining
whether or not each packet should be allowed into the protocol stack. Packets
are analyzed for validity, direction (inbound or outbound), source host and
port, destination host and port, and specific packet flags (is this a new
connection attempt, or does it belong to an already established connection?).
The second area works at a higher level dealing with actual processes. The
firewall must check to see if a process should be allowed to connect to a given
host on a given port, whether it should be allowed to listen for connections on
a given range of ports, and so on.
Simply stated, a firewall uses two sets of filters and two sets of drivers to
First, let’s look at the packet filters in more detail. The packet-level filters
are usually designed to work as a man-in-the-middle. They reside between the
drivers for the modem and/or NIC (Ethernet card) and the protocol drivers
(TCP/IP) in the computer. They can also be designed to reside between the
protocol drivers (protocol stack) and anything below them in the protocol chain.
Either design forces all packets to pass through the filters.
It is the job of the packet filter driver to analyze every packet it sees and
check it against a series of criteria and rules stored in the firewall’s
internal data structures. It looks for things like source and target hosts and
ports, protocol type, packet flags, level of fragmentation, and whether the
packet is part of an ongoing connection or a request to open a new connection.
Let’s look at an example. The protocol is TCP and the packet has the SYN flag
set (an attempt to open a connection). The filter looks up its rules on whether
or not to open a connection based on the source and target hosts and ports, and
either allows or drops the connection request. If the connection is allowed, the
filter adds it to an internal list of open connections (so it can keep track of
the connections in use) and passes the packet along to the next layer (protocol
drivers for inbound packets, miniport or intermediate drivers for outbound
packets). If the packet was blocked by the rules, it is silently dropped and
goes no further. In some firewall designs, dropping a packet for failing to
comply with the rules triggers a waiting thread to signal an on-screen alert to
the user, write to a log file, or both.
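The packet-level filter just described, written out as a small stateful filter. This is an added example and not code from the article or from any firewall product: the packets, the rule table, the addresses and the port-scan threshold are all constructed here. A real filter driver sits between the NIC driver and the TCP/IP stack; this version simply takes a list of packet descriptions and returns "pass" or "drop" for each, keeps the internal list of open connections, writes dropped packets to a log, and flags a remote host that has probed several refused ports (the port-scan detection the article mentions).

```python
from typing import Dict, List, Optional, Set, Tuple
from dataclasses import dataclass

INBOUND, OUTBOUND = "in", "out"


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    direction: str       # INBOUND or OUTBOUND, relative to this machine
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    syn: bool = False    # TCP SYN set: a request to open a new connection
    ack: bool = False    # TCP ACK set: claims to belong to an existing connection


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches anything."""
    action: str                      # "allow" or "drop"
    direction: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    src_host: Optional[str] = None

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.direction, pkt.direction), (self.proto, pkt.proto),
                  (self.dst_port, pkt.dst_port), (self.src_host, pkt.src_host))
        return all(want is None or want == got for want, got in checks)


class PacketFilter:
    """Stateful packet filter: rules decide new connections, a table tracks open ones."""

    def __init__(self, rules: List[Rule], default: str = "drop") -> None:
        self.rules = rules
        self.default = default
        self.connections: Set[Tuple] = set()           # internal list of open connections
        self.log: List[str] = []                       # what a driver would write to its log file
        self._dropped_ports: Dict[str, Set[int]] = {}  # per remote host: ports of refused SYNs

    @staticmethod
    def _key(pkt: Packet) -> Tuple:
        # Orient every packet as (local, remote) so a reply hits the same key
        # as the request that opened the connection.
        if pkt.direction == OUTBOUND:
            return (pkt.proto, pkt.src_host, pkt.src_port, pkt.dst_host, pkt.dst_port)
        return (pkt.proto, pkt.dst_host, pkt.dst_port, pkt.src_host, pkt.src_port)

    def _drop(self, pkt: Packet, why: str) -> str:
        self.log.append(f"DROP {pkt.direction} {pkt.proto} {pkt.src_host}:{pkt.src_port} "
                        f"-> {pkt.dst_host}:{pkt.dst_port} ({why})")
        return "drop"

    def filter(self, pkt: Packet) -> str:
        key = self._key(pkt)
        # 1. Part of an already established connection: pass without a rule lookup.
        if key in self.connections:
            return "pass"
        # 2. A TCP packet that is neither a SYN nor part of a known connection is
        #    stray or forged; it never gets as far as the rule table.
        if pkt.proto == "tcp" and not pkt.syn:
            return self._drop(pkt, "not part of an open connection")
        # 3. New connection attempt (TCP SYN, or a first UDP datagram): the first
        #    matching rule decides, otherwise the default policy applies.
        action = next((r.action for r in self.rules if r.matches(pkt)), self.default)
        if action == "allow":
            self.connections.add(key)           # remembered so replies pass in step 1
            return "pass"
        if pkt.direction == INBOUND:            # remember refused ports for scan detection
            self._dropped_ports.setdefault(pkt.src_host, set()).add(pkt.dst_port)
        return self._drop(pkt, "rule")

    def port_scan_sources(self, threshold: int = 3) -> List[str]:
        """Remote hosts whose refused connection attempts hit at least `threshold` distinct ports."""
        return sorted(h for h, ports in self._dropped_ports.items() if len(ports) >= threshold)


def run_demo() -> Tuple[List[str], PacketFilter]:
    """Constructed sample traffic for a home PC at 192.168.1.5 (all addresses are made up)."""
    fw = PacketFilter([
        Rule("allow", direction=OUTBOUND, proto="tcp", dst_port=80),   # web browsing
        Rule("allow", direction=OUTBOUND, proto="udp", dst_port=53),   # DNS lookups
        # no inbound allow rules: anything unsolicited from outside is dropped
    ])
    me, web, scanner = "192.168.1.5", "203.0.113.10", "198.51.100.7"
    traffic = [
        Packet("tcp", OUTBOUND, me, 50000, web, 80, syn=True),           # browser opens a connection
        Packet("tcp", INBOUND, web, 80, me, 50000, syn=True, ack=True),  # server's SYN/ACK reply
        Packet("tcp", INBOUND, web, 80, me, 50000, ack=True),            # data on the open connection
        Packet("tcp", INBOUND, scanner, 40000, me, 135, syn=True),       # unsolicited probes ...
        Packet("tcp", INBOUND, scanner, 40001, me, 139, syn=True),
        Packet("tcp", INBOUND, scanner, 40002, me, 445, syn=True),
        Packet("tcp", INBOUND, scanner, 40003, me, 3389, ack=True),      # stray ACK, no connection
        Packet("tcp", OUTBOUND, me, 50001, web, 6667, syn=True),         # outbound to a port no rule allows
    ]
    return [fw.filter(p) for p in traffic], fw


if __name__ == "__main__":
    results, fw = run_demo()
    print(results)
    print("\n".join(fw.log))
    print("possible port scan from:", fw.port_scan_sources())
```

Step 1 is what makes the filter stateful: the reply and the data packets from the web server are never checked against the rules, they are simply recognised as belonging to the connection the browser opened. That is also the property the Trojan example later in the article relies on, so it is worth seeing clearly here.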
This sums up the packet-level filtering process. Now we need to move up a level
to the process filter of the firewall. So far, we have only discussed packets of
data going in or out of a machine. The next level up looks at what these packets
do, or to which processes they are applied.
In order to run programs or applications, a computer follows a strict set of
rules or protocols. For communicating with other computers, Windows-based
machines use a set of rules, or protocols, known as WinSock. In order for an
application to access a network or the Internet, third-party extensions need to
be inserted between the application interface and the base network. This is
accomplished by adding a Layered Service Provider (LSP) and inserting it into
the LSP chain, or set of protocol rules (WinSock) used by the computer. There is
basically at least one LSP for each individual application connection type in
Generally, this process-level filtering looks at the functions of the packets
and the functions that the target applications and/or helper DLLs (WinSock) use
to communicate data to and from the transport protocol drivers (the drivers that
allow communication with other computers). These are compared against a complex
set of rules in the firewall’s programming to determine whether or not the
packets should be allowed to reach the application involved. In other words, the
filter has to determine whether the executable that generated this process is
allowed to perform the action it is attempting. It also has to determine whether
any modules (DLLs) are attached, and whether or not they are supposed to be
there. If a decision cannot be reached, the usual result is an on-screen alert
telling the user that a certain application is trying to ‘communicate’, ‘send a
packet’, ‘access the network’ or ‘access the Internet’, after which the firewall
waits for the user to either allow or deny the action. This is where you, the
user, have to make the decision. No firewall can possibly know all current and
future DLLs, good and bad. This is why there are firewall software updates, and
it is also why you, the user, need to know what software you have and whether
or not you want to allow it to access the Internet.
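The process-level decision described above, as an added example (not code from the article or from any firewall): a per-application rule table is checked against the executable, the modules loaded into it, and the action it wants to perform, and the result is allow, deny, or a prompt to the user when the filter cannot decide on its own. The executable paths and the extra module name nethlp.dll are made up; ws2_32.dll and mswsock.dll are the standard Windows Winsock DLLs. The user's answer to a prompt can be remembered so the same question is not asked twice, which is how real firewalls avoid nagging.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class NetRequest:
    """What the process-level filter sees for one attempted network action."""
    exe: str                    # executable that owns the process
    modules: FrozenSet[str]     # DLLs loaded into that process (Winsock helpers, LSPs, ...)
    action: str                 # "connect" or "listen"
    port: int                   # remote port for connect, local port for listen
    host: Optional[str] = None  # remote host for connect


@dataclass
class AppPolicy:
    """Per-application rules the filter compares a request against."""
    known_modules: Set[str]                               # DLLs expected inside this process
    connect_ports: Set[int] = field(default_factory=set)  # remote ports it may connect to
    listen_ports: range = range(0)                        # local ports it may listen on


class ProcessFilter:
    def __init__(self, policies: Dict[str, AppPolicy]) -> None:
        self.policies = policies
        self.remembered: Dict[Tuple, str] = {}  # answers the user asked the firewall to remember
        self.alerts: List[str] = []             # on-screen prompts that were raised

    @staticmethod
    def _key(req: NetRequest) -> Tuple:
        return (req.exe, req.modules, req.action, req.host, req.port)

    def decide(self, req: NetRequest) -> str:
        """Return "allow", "deny" or "prompt" (the filter could not decide on its own)."""
        if self._key(req) in self.remembered:
            return self.remembered[self._key(req)]
        policy = self.policies.get(req.exe)
        if policy is None:
            return self._prompt(req, "unknown executable")
        unexpected = req.modules - policy.known_modules
        if unexpected:
            # A module the rules know nothing about could be a rogue LSP: ask the user.
            return self._prompt(req, "unexpected module(s): " + ", ".join(sorted(unexpected)))
        if req.action == "connect":
            return "allow" if req.port in policy.connect_ports else "deny"
        if req.action == "listen":
            return "allow" if req.port in policy.listen_ports else "deny"
        return "deny"

    def _prompt(self, req: NetRequest, reason: str) -> str:
        self.alerts.append(f"{req.exe} is trying to {req.action} on port {req.port} ({reason})")
        return "prompt"

    def remember(self, req: NetRequest, verdict: str) -> None:
        """Store the user's answer so the identical request is not asked again."""
        self.remembered[self._key(req)] = verdict


def run_demo() -> Tuple[List[str], ProcessFilter]:
    """Constructed requests; the paths and the nethlp.dll module name are made up."""
    winsock = {"ws2_32.dll", "mswsock.dll"}  # standard Windows Winsock DLLs
    browser = r"C:\Program Files\Browser\browser.exe"
    game = r"C:\Users\dave\Downloads\freegame.exe"
    pf = ProcessFilter({browser: AppPolicy(known_modules=set(winsock), connect_ports={80, 443})})

    normal = NetRequest(browser, frozenset(winsock), "connect", 80, "203.0.113.10")
    odd_port = NetRequest(browser, frozenset(winsock), "connect", 6667, "203.0.113.10")
    extra_dll = NetRequest(browser, frozenset(winsock | {"nethlp.dll"}), "connect", 80, "203.0.113.10")
    unknown = NetRequest(game, frozenset(winsock), "listen", 31337)

    decisions = [pf.decide(normal), pf.decide(odd_port), pf.decide(extra_dll), pf.decide(unknown)]
    pf.remember(unknown, "deny")          # the user clicks Deny and ticks "remember this answer"
    decisions.append(pf.decide(unknown))  # the same request now gets the stored answer
    return decisions, pf


if __name__ == "__main__":
    decisions, pf = run_demo()
    print(decisions)
    print("\n".join(pf.alerts))
```

Note that the third request is the interesting one: the browser itself is trusted and port 80 is allowed, but an extra DLL has appeared inside the process, so the filter refuses to decide and hands the question to the user. That is exactly the moment the article is talking about when it says the user needs to know what software is on the machine.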
Now that we see how a firewall basically works, let’s talk about how the bad
guys can go around it. Remember at the beginning we said there is no such thing
The most common ways around a firewall involve the use of a Trojan or a
Trojan/worm combination. These threats usually find their way into a computer
when the user visits a website with malicious intent, through malicious files
attached to a website without the website owner’s knowledge, or via emails and
email attachments. Still others arrive inside programs downloaded from the
Internet, the usual MO for adware and spyware (which is why I always caution
users about ‘freeware’). More recently, we have seen successful straightforward
frontal attacks launched by malware writers who have devised code that allows
their program to piggyback in along with regular, benign code.
These advanced malware programs are attached to web crawlers looking for
computers that meet specific criteria as to Operating System type and open
Let’s look at a simple and common example, the most notorious of which is called
a Backdoor Trojan. Let’s say you opened the wrong piece of email, or email
attachment, and it contained a Backdoor Trojan. You probably would not even
notice anything out of the ordinary. Once this Trojan is inside the computer, it
would implement a rogue LSP and insert it into the WinSock protocol chain we
discussed above. Just like any other LSP in the chain, it can now see all
legitimate traffic going in and out of the computer, and go to work.
The installed Trojan can now modify packets (traffic) before passing them along
the chain to suit its own purposes, choose not to pass them on at all, and even
generate fake traffic to be fed to the lower layers as if it came from a
legitimate application, or fake traffic to the upper levels as if it came from
Let’s make our simple example a bit worse for our computer user. We now have our
Trojan installed, complete with its rogue LSP, and it resides in the perfect
place for a man-in-the-middle attack. All it needs to do now is piggyback a
simple browser request onto some normal Internet traffic on, let’s say, port 80
(the port used by the Web [HTTP]), and it can communicate with the originator of
the attack, wherever he may be. The attacker then merely sends back whatever
data, code or commands he desires, and it passes right through the firewall
along with normal traffic on the already existing open connection. This traffic
(packets) simply passes through our firewall in both directions, controlled by
the rogue LSP installed by the Trojan, and both our user and his firewall are
none the wiser. If you use an always-on high-speed
connection to the Internet, the (already recognized by the firewall) rogue LSP
can even open a port for communications at will, in the background, without your
Although the above example is simplified, it should give you a basic idea of how
a software firewall can be circumvented by someone with malicious intent.
Although simple, this example method is still successfully used by many
attackers to this day. There are also many, much more sophisticated ways of
doing the same thing that are very difficult to find and eliminate once they
have found their way into a computer.
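Because the rogue LSP in the example above has to register itself in the WinSock catalog to get into the chain, the catalog is also where a defender can go looking for it. Windows lists the catalog with the command `netsh winsock show catalog`. The added example below (not from the article, and not part of any firewall product) parses a listing in that format and flags entries worth a closer look: a provider DLL that lives outside the Windows system directory, or a layered provider that is not on a list of LSPs you know you installed. The sample listing is constructed here in the layout of that command as I know it; the GUIDs, the second entry's path and its nethlp.dll name are placeholders, not real indicators.

```python
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample laid out like the output of `netsh winsock show catalog`.
# Field names follow that command; the GUIDs and the second entry's path and
# DLL name are made-up placeholders for illustration.
SAMPLE_CATALOG = r"""
Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Base Service Provider
Description:                        MSAFD Tcpip [TCP/IP]
Provider ID:                        {00000000-0000-0000-0000-000000000001}
Provider Path:                      %SystemRoot%\system32\mswsock.dll
Catalog Entry ID:                   1001
Version:                            2
Protocol:                           6

Winsock Catalog Provider Entry
------------------------------------------------------
Entry Type:                         Layered Service Provider
Description:                        Network Helper over [MSAFD Tcpip [TCP/IP]]
Provider ID:                        {00000000-0000-0000-0000-000000000002}
Provider Path:                      C:\Users\dave\AppData\Roaming\nethlp\nethlp.dll
Catalog Entry ID:                   1010
Version:                            2
Protocol:                           6
"""

# Where Windows' own Winsock providers live (compared case-insensitively).
TRUSTED_DIRS = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")

# "Field name:   value" lines; the header and dashed separator lines do not match.
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]+?):\s+(.+?)\s*$")


def parse_catalog(text: str) -> List[Dict[str, str]]:
    """Split the catalog listing into one dict of fields per provider entry."""
    entries: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line.strip() and current:   # a blank line closes an entry
            entries.append(current)
            current = {}
    if current:
        entries.append(current)
    return entries


def audit_catalog(entries: List[Dict[str, str]],
                  trusted_dirs: Tuple[str, ...] = TRUSTED_DIRS,
                  expected_lsps: FrozenSet[str] = frozenset()) -> List[Tuple[str, str, List[str]]]:
    """Return (catalog entry id, description, reasons) for every entry worth a closer look.

    expected_lsps holds lower-cased provider paths of layered providers you know
    you installed (e.g. from your own security software), so they are not flagged.
    """
    flagged = []
    for e in entries:
        path = e.get("Provider Path", "").lower()
        reasons = []
        if not path.startswith(trusted_dirs):
            reasons.append("provider DLL is outside the Windows system directory")
        if "layered" in e.get("Entry Type", "").lower() and path not in expected_lsps:
            reasons.append("layered provider that is not on your expected list")
        if reasons:
            flagged.append((e.get("Catalog Entry ID", "?"), e.get("Description", "?"), reasons))
    return flagged


if __name__ == "__main__":
    for entry_id, description, reasons in audit_catalog(parse_catalog(SAMPLE_CATALOG)):
        print(f"entry {entry_id} ({description}):")
        for reason in reasons:
            print("   -", reason)
```

On a real machine you would run `netsh winsock show catalog > catalog.txt` from a command prompt and pass the file contents to parse_catalog. A flagged entry is not proof of a Trojan (legitimate security software also installs LSPs), which is why the check reports reasons for a human to review rather than deleting anything.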
I hope this paper gives you a good basic working knowledge of how firewalls
work, and in some way deters you from simply installing a firewall and then
surfing the Internet with reckless abandon, thinking you are safe
If you don’t yet have a firewall, get a good one right away. Do some research
and be sure to pick one that monitors traffic both incoming and outgoing. After
installing it, I also highly recommend testing it regularly.
If you want to test your firewall, I suggest two tests from Gibson Research. One
is called Shields Up, and the other is called Leak Test. They are available for
Both tests are found by scrolling down about half way on the page.
For even better protection, I suggest you think about installing a router with a
hardware firewall, even if you only have one computer. This way, your computer
hides behind the IP address of the router, which is all that is seen from the
outside. A good router with a hardware firewall has no ports open to attack,
and a decent one can be had for around $80 these days. It will add an extra
layer of protection from attacks.
Until we meet again here on the Security Center, happy computing.