Firewall Protection how to.........
:: ..:: IT Cafe ::.. :: Articles
Page 1 of 1
Firewall Protection how to.........
by Admin Sun Jul 26, 2009 11:46 pm
What is a Firewall?
A firewall is a tool that monitors communication to and from your
computer. It sits between your computer and the rest of the network,
and according to some criteria, it decides which communication to
allow, and which communication to block. It may also use some other
criteria to decide about which communication or communication request
to report to you (either by adding the information to a log file that
you may browse whenever you wish, or in an alert message on the
screen), and what not to report.
What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common
way to break into a home computer and gain control, is by using a
remote access Trojan (RAT). (sometimes it is called "backdoor Trojan"
or "backdoor program". Many people simply call it a "Trojan horse"
although the term "Trojan horse" is much more generic). A Trojan horse,
is a program that claims to do something really innocent, but in fact
does something much less innocent. This goes to the days where the
Greek soldiers succeeded to enter through the gates of Troy by building
a big wooden horse, and giving it as a present to the king of Troy. The
soldiers allowed the sculpture to enter through their gates, and then
at night, when the soldiers were busy guarding against an outside
attack, many Greek soldiers who were hiding inside the horse went out
and attacked Troy from the inside. This story, which may or may not be
true, is an example of something which looks like something innocent
and is used for some less innocent purpose. The same thing happens in
computers. You may sometimes get some program, via ICQ, or via Usenet,
or via IRC, and believe this program to be something good, while in
fact running it will do something less nice to your computer. Such
programs are called Trojan horses. It is accepted to say that the
difference between a Trojan horse and a virus, is that a virus has the
ability to self-replicate and to distribute itself, while a Trojan
horse lacks this ability. A special type of Trojan horses, is RATs
(Remote Access Trojans, some say "remote admin Trojans"). These Trojans
once executed in the victim's computer, start to listen to incoming
communication from a remote matching program that the attacker uses.
When they get instructions from the remote program, they act
accordingly, and thus let the user of the remote program to execute
commands on the victim's computer. To name a few famous RATs, the most
common are Netbus, Back-Orifice, and SubSeven (which is also known as
Backdoor-G). In order for the attacker to use this method, your
computer must first be infected by a RAT.
Prevention of infections by RATs is no different than prevention of
infection by viruses. Antivirus programs can identify and remove most
of the more common RATs. Personal firewalls can identify and block
remote communication efforts to the more common RATs and by thus
blocking the attacker, and identifying the RAT.
Blocking/Identifying Other Types of Trojans and WQorms?
There are many other types of Trojan horses which may try to
communicate with the outside from your computer. Whether they are
e-mail worms trying to distribute themselves using their own SMTP
engine, or they might be password stealers, or anything else. Many of
them can be identified and blocked by a personal firewall.
Identifying/Blocking Spyware's/Adbots?
The term "spyware" is a slang which is not well defined. It is commonly
used mainly for various adware (and adware is a program that is
supported by presenting advertisements to the user), and that during
their installation process, they install an independent program which
we shall call "adbot". The adbot runs independently even if the hosting
adware is not running, and it maintains the advertisements, downloads
them from the remote server, and provides information to the remote
server. The adbot is usually hidden. There are many companies that
offer adbots, and advertisements services to adware. The information
that the adbots deliver to their servers from the computer where the
adbot is installed, is "how much time each advertisement is shown,
which was the hosting adware, and whether the user clicked on the
advertisement. This is important so that the advertisements server will
be able to know how much money to get from each of the advertised
companies, and how much from it to deliver to each of the adware
maintainers. Some of the adbots also collect other information in order
to better choose the advertisements to the users. The term "spyware" is
more generic, but most of the spyware fall into this category. Many
types of adbots can be identified and blocked by personal firewalls.
Blocking Advertisements?
Some of the better personal firewalls can be set to block communication
with specific sites. This can be used in order to prevent downloading
of advertisements in web pages, and thus to accelerate the download
process of the web sites. This is not a very common use of a personal
firewall, though.
Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites. e.g. instruct the
web browser to download a small picture (sometimes invisible) from
tracking sites. Sometimes, the pictures are visible and provide some
statistics about the site. Those tracking sites will try to save a
small text either as a small file in a special directory, or as a line
in a special file (depending on what is your browser), and your browser
will usually allow the saving site to read the text that it saved on
your computer. This is called "web cookies" or sometimes simply
"cookies". Cookies allow a web site to keep information that it saved
some time when you entered it, to be read whenever you enter the site
again. This allow the web site to customize itself for you, and to keep
track on everything that you did on that site. It does not have to keep
that information on your computer. All it has to save on your computer
is a unique identifying number, and then it can keep in the server's
side information regarding what has been done by the browser that used
that cookie. Yet, by this method, a web site can get only information
regarding your visits in it. Some sites such as "doubleclick" or
"hitbox" can collect information from various affiliated sites, by
putting a small reference in the affiliated pages to some picture on
their servers. When you enter one of the affiliated web pages, your
browser will communicate with the tracking site, and this will allow
the tracking site to put or to read a cookie that identifies your
computer uniquely, and it can also know what was the web page that
referred to it, and any other information that the affiliated web site
wanted to deliver to the tracking site. This way tracking sites can
correlate information from many affiliated sites, to build information
that for example will allow them to better customize the advertisements
that are put on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking
sites. It is not a common use of a personal firewall, though, and a
personal firewall is not the best tool for that, but if you already
have one, this is yet another possible use of it.
Blocking or Limiting the NetBIOS Communication? (as well as other default services)
The two common methods of intruders to break into home computers, are
through a RAT (which was discussed in II.3a) and through the NetBIOS
communication. The NetBIOS is a standard for naming computers in small
networks, developed long ago by IBM and Microsoft. There are a few
communication standards which are used in relation to the NetBIOS. The
ones that are relevant for Microsoft Windows operating systems, are:
NBT (NetBIOS over TCP/IP), IPX/SPX, and NetBEUI. The communication
standard which is used over the Internet, is NBT. If it is enabled, and
there is no firewall or something else in the middle, it means that
your computer is listening for communications over the Internet via
this standard, and will react according to the different NBT commands
that it gets from the remote programs. It is thus that the NBT (which
sometimes loosely called "NetBIOS") is acting as a server. So the next
question should be "what remote NBT commands the NBT server will do on
the local computer". The answer to this question depends on the
specific setting on your computer. You may set your computer to allow
file and print sharing. If also NBT is enabled, it means that you allow
remote users to share your files or printers. This is a big problem. It
is true that in principle the remote user has to know your password for
that computer, but many users do not set a password for their user on
Windows, or set a trivial password. Older versions of Win95 had file
and print sharing over NetBIOS enabled by default. On Win98, and WinMe
it was disabled by default, but many technicians, when they set a home
network, they enable the file and print sharing, without being aware
that it influences also the authorizations of a remote Internet user.
There are even worms and viruses who use the File sharing option to
spread in the Internet. Anyway, no matter whether you need it for some
reason or just are not aware of it, a personal firewall can identify
and block any external effort to communicate with the NetBIOS server on
your computer. The more flexible personal firewalls can be set to
restrict the authorization to communicate with the NetBIOS. Some
Windows operating systems, especially those which are not meant for
home uses, offer other public services by default, such as RPC. A
firewall can identify communication efforts to them, and block them.
Since such services listen to remote communications, there is a
potential risk when there are efforts to exploit security holes in the
programs that offer the services, if there are such security holes. A
firewall may block or limit the communication to those services.
Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even if well maintained, a
remote person will still be able to know that the communication effort
has reached some computer, and perhaps some information about the
operating system on that computer. If that computer is handled well,
the remote user will not be able to get much more information from your
computer, but might still be able to identify also who your ISP is, and
might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication
effort from remote users (in the better firewalls you may define an
exception list) will not be responded at all. This way the remote user
will not be able to even know that it reached a live computer. This
might discourage the remote attacker from investing further time in
effort to crack into your computer.
The Non-Firewall Defenses
We've discussed a few situations where a personal firewall can provide
defense. Yet, in many cases a computer maintainer can deal with those
situations even without a firewall. Those "alternative" defenses, in
many cases are recommended regardless of whether you use a firewall or
not.
Remote Access Trojans?
The best way to defend against remote access Trojans (RATs) is to
prevent them from being installed in the first place on your computer.
A RAT should first infect your computer in order to start to listen to
remote communication efforts. The infection techniques are very similar
to the infection techniques that viruses use, and hence the defense
against Trojan horses is similar to the defense against viruses. Trojan
horses do not distribute themselves (although they might be companions
of another Internet worm or virus that distributes them. Yet, because
in most cases they do not distribute themselves, it is likely that you
will get them from anonymous sources, such as instant messengers,
Kazaa, IRC, or a newsgroup. adopting a suspicious policy regarding
downloads from such places, will save you not only from viruses but
also from getting infected with Trojan horses, including RATs. Because
Trojan horses are similar in some ways to viruses, almost all antivirus
programs can identify, block from being installed, and remove most of
the Trojan horses, including all the common ones. There are also some
programs (sometimes called antiTrojan programs) which specialize in the
identification and removal of Trojan horses. For a list of those
programs, and for comparison on how well different antivirus, and
antiTrojan programs identify different Trojan horses, see Hackfix
(http://www.hackfix.org), under "Software test results". Hackfix also
has information on the more common RATS (such as the Netbus and the
Subseven) and on how to remove them manually. There are some tools and
web sites, such port scanners, and some ways with a use of more generic
tools such as telnet, msconfig, and netstat, which may help you to
identify a RAT.
A firewall is a tool that monitors communication to and from your
computer. It sits between your computer and the rest of the network,
and according to some criteria, it decides which communication to
allow, and which communication to block. It may also use some other
criteria to decide about which communication or communication request
to report to you (either by adding the information to a log file that
you may browse whenever you wish, or in an alert message on the
screen), and what not to report.
What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common
way to break into a home computer and gain control, is by using a
remote access Trojan (RAT). (sometimes it is called "backdoor Trojan"
or "backdoor program". Many people simply call it a "Trojan horse"
although the term "Trojan horse" is much more generic). A Trojan horse,
is a program that claims to do something really innocent, but in fact
does something much less innocent. This goes to the days where the
Greek soldiers succeeded to enter through the gates of Troy by building
a big wooden horse, and giving it as a present to the king of Troy. The
soldiers allowed the sculpture to enter through their gates, and then
at night, when the soldiers were busy guarding against an outside
attack, many Greek soldiers who were hiding inside the horse went out
and attacked Troy from the inside. This story, which may or may not be
true, is an example of something which looks like something innocent
and is used for some less innocent purpose. The same thing happens in
computers. You may sometimes get some program, via ICQ, or via Usenet,
or via IRC, and believe this program to be something good, while in
fact running it will do something less nice to your computer. Such
programs are called Trojan horses. It is accepted to say that the
difference between a Trojan horse and a virus, is that a virus has the
ability to self-replicate and to distribute itself, while a Trojan
horse lacks this ability. A special type of Trojan horses, is RATs
(Remote Access Trojans, some say "remote admin Trojans"). These Trojans
once executed in the victim's computer, start to listen to incoming
communication from a remote matching program that the attacker uses.
When they get instructions from the remote program, they act
accordingly, and thus let the user of the remote program to execute
commands on the victim's computer. To name a few famous RATs, the most
common are Netbus, Back-Orifice, and SubSeven (which is also known as
Backdoor-G). In order for the attacker to use this method, your
computer must first be infected by a RAT.
Prevention of infections by RATs is no different than prevention of
infection by viruses. Antivirus programs can identify and remove most
of the more common RATs. Personal firewalls can identify and block
remote communication efforts to the more common RATs and by thus
blocking the attacker, and identifying the RAT.
Blocking/Identifying Other Types of Trojans and WQorms?
There are many other types of Trojan horses which may try to
communicate with the outside from your computer. Whether they are
e-mail worms trying to distribute themselves using their own SMTP
engine, or they might be password stealers, or anything else. Many of
them can be identified and blocked by a personal firewall.
Identifying/Blocking Spyware's/Adbots?
The term "spyware" is a slang which is not well defined. It is commonly
used mainly for various adware (and adware is a program that is
supported by presenting advertisements to the user), and that during
their installation process, they install an independent program which
we shall call "adbot". The adbot runs independently even if the hosting
adware is not running, and it maintains the advertisements, downloads
them from the remote server, and provides information to the remote
server. The adbot is usually hidden. There are many companies that
offer adbots, and advertisements services to adware. The information
that the adbots deliver to their servers from the computer where the
adbot is installed, is "how much time each advertisement is shown,
which was the hosting adware, and whether the user clicked on the
advertisement. This is important so that the advertisements server will
be able to know how much money to get from each of the advertised
companies, and how much from it to deliver to each of the adware
maintainers. Some of the adbots also collect other information in order
to better choose the advertisements to the users. The term "spyware" is
more generic, but most of the spyware fall into this category. Many
types of adbots can be identified and blocked by personal firewalls.
Blocking Advertisements?
Some of the better personal firewalls can be set to block communication
with specific sites. This can be used in order to prevent downloading
of advertisements in web pages, and thus to accelerate the download
process of the web sites. This is not a very common use of a personal
firewall, though.
Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites. e.g. instruct the
web browser to download a small picture (sometimes invisible) from
tracking sites. Sometimes, the pictures are visible and provide some
statistics about the site. Those tracking sites will try to save a
small text either as a small file in a special directory, or as a line
in a special file (depending on what is your browser), and your browser
will usually allow the saving site to read the text that it saved on
your computer. This is called "web cookies" or sometimes simply
"cookies". Cookies allow a web site to keep information that it saved
some time when you entered it, to be read whenever you enter the site
again. This allow the web site to customize itself for you, and to keep
track on everything that you did on that site. It does not have to keep
that information on your computer. All it has to save on your computer
is a unique identifying number, and then it can keep in the server's
side information regarding what has been done by the browser that used
that cookie. Yet, by this method, a web site can get only information
regarding your visits in it. Some sites such as "doubleclick" or
"hitbox" can collect information from various affiliated sites, by
putting a small reference in the affiliated pages to some picture on
their servers. When you enter one of the affiliated web pages, your
browser will communicate with the tracking site, and this will allow
the tracking site to put or to read a cookie that identifies your
computer uniquely, and it can also know what was the web page that
referred to it, and any other information that the affiliated web site
wanted to deliver to the tracking site. This way tracking sites can
correlate information from many affiliated sites, to build information
that for example will allow them to better customize the advertisements
that are put on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking
sites. It is not a common use of a personal firewall, though, and a
personal firewall is not the best tool for that, but if you already
have one, this is yet another possible use of it.
Blocking or Limiting the NetBIOS Communication? (as well as other default services)
The two common methods of intruders to break into home computers, are
through a RAT (which was discussed in II.3a) and through the NetBIOS
communication. The NetBIOS is a standard for naming computers in small
networks, developed long ago by IBM and Microsoft. There are a few
communication standards which are used in relation to the NetBIOS. The
ones that are relevant for Microsoft Windows operating systems, are:
NBT (NetBIOS over TCP/IP), IPX/SPX, and NetBEUI. The communication
standard which is used over the Internet, is NBT. If it is enabled, and
there is no firewall or something else in the middle, it means that
your computer is listening for communications over the Internet via
this standard, and will react according to the different NBT commands
that it gets from the remote programs. It is thus that the NBT (which
sometimes loosely called "NetBIOS") is acting as a server. So the next
question should be "what remote NBT commands the NBT server will do on
the local computer". The answer to this question depends on the
specific setting on your computer. You may set your computer to allow
file and print sharing. If also NBT is enabled, it means that you allow
remote users to share your files or printers. This is a big problem. It
is true that in principle the remote user has to know your password for
that computer, but many users do not set a password for their user on
Windows, or set a trivial password. Older versions of Win95 had file
and print sharing over NetBIOS enabled by default. On Win98, and WinMe
it was disabled by default, but many technicians, when they set a home
network, they enable the file and print sharing, without being aware
that it influences also the authorizations of a remote Internet user.
There are even worms and viruses who use the File sharing option to
spread in the Internet. Anyway, no matter whether you need it for some
reason or just are not aware of it, a personal firewall can identify
and block any external effort to communicate with the NetBIOS server on
your computer. The more flexible personal firewalls can be set to
restrict the authorization to communicate with the NetBIOS. Some
Windows operating systems, especially those which are not meant for
home uses, offer other public services by default, such as RPC. A
firewall can identify communication efforts to them, and block them.
Since such services listen to remote communications, there is a
potential risk when there are efforts to exploit security holes in the
programs that offer the services, if there are such security holes. A
firewall may block or limit the communication to those services.
Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even if well maintained, a
remote person will still be able to know that the communication effort
has reached some computer, and perhaps some information about the
operating system on that computer. If that computer is handled well,
the remote user will not be able to get much more information from your
computer, but might still be able to identify also who your ISP is, and
might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication
effort from remote users (in the better firewalls you may define an
exception list) will not be responded at all. This way the remote user
will not be able to even know that it reached a live computer. This
might discourage the remote attacker from investing further time in
effort to crack into your computer.
The Non-Firewall Defenses
We've discussed a few situations where a personal firewall can provide
defense. Yet, in many cases a computer maintainer can deal with those
situations even without a firewall. Those "alternative" defenses, in
many cases are recommended regardless of whether you use a firewall or
not.
Remote Access Trojans?
The best way to defend against remote access Trojans (RATs) is to
prevent them from being installed in the first place on your computer.
A RAT should first infect your computer in order to start to listen to
remote communication efforts. The infection techniques are very similar
to the infection techniques that viruses use, and hence the defense
against Trojan horses is similar to the defense against viruses. Trojan
horses do not distribute themselves (although they might be companions
of another Internet worm or virus that distributes them. Yet, because
in most cases they do not distribute themselves, it is likely that you
will get them from anonymous sources, such as instant messengers,
Kazaa, IRC, or a newsgroup. adopting a suspicious policy regarding
downloads from such places, will save you not only from viruses but
also from getting infected with Trojan horses, including RATs. Because
Trojan horses are similar in some ways to viruses, almost all antivirus
programs can identify, block from being installed, and remove most of
the Trojan horses, including all the common ones. There are also some
programs (sometimes called antiTrojan programs) which specialize in the
identification and removal of Trojan horses. For a list of those
programs, and for comparison on how well different antivirus, and
antiTrojan programs identify different Trojan horses, see Hackfix
(http://www.hackfix.org), under "Software test results". Hackfix also
has information on the more common RATS (such as the Netbus and the
Subseven) and on how to remove them manually. There are some tools and
web sites, such port scanners, and some ways with a use of more generic
tools such as telnet, msconfig, and netstat, which may help you to
identify a RAT.
Admin- Admin
- Posts : 131
Join date : 2009-07-04
Age : 33
Location : Karachi -
continue..........
by Admin Sun Jul 26, 2009 11:48 pm
Other types of Trojans and worms?
Also here your main interest should be to prevent them from infecting
your computer in the first place, rather than blocking their
communication. A good antivirus and a good policy regarding the
prevention of virus infections, should be the first and most important
defense.
Spyware and Adbots?
The term spyware is sometimes misleading. In my view, it is the
responsibility of the adware developer to present the fact that the
adware installation will install or use an independent adbots, and to
provide the information on how this adbot communicates, and which
information it delivers, in a fair place and manner before the adware
is installed. It is also a responsibility to provide this information
in their web sites, so that people will be aware of that before they
even download the software. Yet, in general, those adbots do not pose
any security threat, and in many cases also their privacy threat is
negligible for many people (e.g. the computer with adbot number 1127533
has been exposed to advertisements a, b, c, such and such times, while
using adware x, while on computer with adbot number 1127534 has been
exposed to advertisements a,d, and e, such amount of time, with the use
of adware y, and clicked on ads number d). It should be fully
legitimate for software developers to offer an advertisement supported
programs, and it is up to the user to decide whether the use of the
program worth the ads and the adbot, or not. Preventing adbot from
communicating is generally not a moral thing. If you decide to use an
adware, you should pay the price of letting the adbot work. If you
don't want it, please remove the adware, and only if for some reason
the adbot continue to work even if no hosting adware that uses it is
installed, you may remove the adbot. Anyway, there are some very useful
tools to identify whether a program is a "spyware", or whether a
"spyware" is installed on your computer, and you are certainly entitled
to this information. Two useful programs are "AdAware" which identifies
"spyware" components on your computer and allows you to remove them,
and Ad-Search which allows you to provide a name of a program, and it
tells you whether this program is a "spyware" and which adbot it uses.
It is useful to assist you in choosing whether to install a program or
not. You may find those programs in http://www.lavasoft.nu (or, if it
doesn't work, you may try http://www.lavasoftusa.com). Those programs
are useful, mainly because many adware developers are not fair enough
to present this information in a fair manner. AdAware allows you to
also remove those adbot components from your computer. This might,
however, terminate your license to use the hosting adware programs, and
might even cause them to stop functioning. A website which offers to
check whether a specific program that you wish to install is "spyware"
or not, is http://www.spychecker.com .
Blocking Advertisements?
Leaving aside the moral aspect of blocking advertisements, a personal
firewall is not the best tool for that anyway. This is not the main
purpose of a firewall, and neither its main strength. Some of them can
block some of the advertisements from being downloaded, if you know how
to configure them for that. Yet, there are better tools for that, such
as Proxomitron (http://www.proxomitron.org), CookieCop 2 (search for
the word cookiecop on http://www.pcmag.com), or Naviscope
(http://www.naviscope.com), and there are many other programs as well.
You may check for other alternatives, e.g. in Tucows
(http://www.tucows.com/adkiller95.html).
Blocking Tracking Sites?
Also here, a personal firewall is not the best tool for that, and there
are other tools and ways which are more effective. These are cookie
utilities. Since a tracking site uses a cookie to identify and relate
the information gathered to the same person (or computer), by
preventing the cookie from being installed. The tracking site will lose
its ability to track things. There are plenty of cookie management
utilities. Some of them are freeware, and some are not. CookieCop which
was mentioned in the former section is one of them. WebWasher
(http://www.webwasher.com) is another recommended one, and there are
plenty of other alternatives such as cookie-crusher, cookie-pal, pop-up
killer, etc. You may search for other alternatives, in Tucows
(http://www.tucows.com/cookie95.html).
NetBIOS and Other Services?
The NetBIOS over TCP/IP (NBT) which is sometimes loosely called
"NetBIOS", is a service which has some security problems with it. It is
enabled by default in Windows default installations, and it is very
common to see that a firewall does the job of preventing the efforts to
get access to your computer via NBT. Yet, in almost all cases, this
service is not needed, and thus can be disabled. To disable NBT in
Win95/98/ME is not as simple as it is in Win2K/XP, but can still be
done reliably. We explain how to do this in another article (#to be
written soon). It is needless to say, that if NBT is disabled, there is
no need for a firewall to block communication to it. Also, in the case
of other services, such as RPC services, and others, in many cases you
simply don't need those services and better disable them from within
Windows rather than use the firewall to block them. There are various
ways to know which services are running on your computer, and which of
them are listening for communications from the outside. If there are
ones that you don't need, they should be disabled.
Also here your main interest should be to prevent them from infecting
your computer in the first place, rather than blocking their
communication. A good antivirus and a good policy regarding the
prevention of virus infections, should be the first and most important
defense.
Spyware and Adbots?
The term spyware is sometimes misleading. In my view, it is the
responsibility of the adware developer to present the fact that the
adware installation will install or use an independent adbots, and to
provide the information on how this adbot communicates, and which
information it delivers, in a fair place and manner before the adware
is installed. It is also a responsibility to provide this information
in their web sites, so that people will be aware of that before they
even download the software. Yet, in general, those adbots do not pose
any security threat, and in many cases also their privacy threat is
negligible for many people (e.g. the computer with adbot number 1127533
has been exposed to advertisements a, b, c, such and such times, while
using adware x, while on computer with adbot number 1127534 has been
exposed to advertisements a,d, and e, such amount of time, with the use
of adware y, and clicked on ads number d). It should be fully
legitimate for software developers to offer an advertisement supported
programs, and it is up to the user to decide whether the use of the
program worth the ads and the adbot, or not. Preventing adbot from
communicating is generally not a moral thing. If you decide to use an
adware, you should pay the price of letting the adbot work. If you
don't want it, please remove the adware, and only if for some reason
the adbot continue to work even if no hosting adware that uses it is
installed, you may remove the adbot. Anyway, there are some very useful
tools to identify whether a program is a "spyware", or whether a
"spyware" is installed on your computer, and you are certainly entitled
to this information. Two useful programs are "AdAware" which identifies
"spyware" components on your computer and allows you to remove them,
and Ad-Search which allows you to provide a name of a program, and it
tells you whether this program is a "spyware" and which adbot it uses.
It is useful to assist you in choosing whether to install a program or
not. You may find those programs in http://www.lavasoft.nu (or, if it
doesn't work, you may try http://www.lavasoftusa.com). Those programs
are useful, mainly because many adware developers are not fair enough
to present this information in a fair manner. AdAware allows you to
also remove those adbot components from your computer. This might,
however, terminate your license to use the hosting adware programs, and
might even cause them to stop functioning. A website which offers to
check whether a specific program that you wish to install is "spyware"
or not, is http://www.spychecker.com .
Blocking Advertisements?
Leaving aside the moral aspect of blocking advertisements, a personal
firewall is not the best tool for that anyway. This is not the main
purpose of a firewall, and neither its main strength. Some of them can
block some of the advertisements from being downloaded, if you know how
to configure them for that. Yet, there are better tools for that, such
as Proxomitron (http://www.proxomitron.org), CookieCop 2 (search for
the word cookiecop on http://www.pcmag.com), or Naviscope
(http://www.naviscope.com), and there are many other programs as well.
You may check for other alternatives, e.g. in Tucows
(http://www.tucows.com/adkiller95.html).
Blocking Tracking Sites?
Also here, a personal firewall is not the best tool for that, and there
are other tools and ways which are more effective. These are cookie
utilities. Since a tracking site uses a cookie to identify and relate
the information gathered to the same person (or computer), by
preventing the cookie from being installed. The tracking site will lose
its ability to track things. There are plenty of cookie management
utilities. Some of them are freeware, and some are not. CookieCop which
was mentioned in the former section is one of them. WebWasher
(http://www.webwasher.com) is another recommended one, and there are
plenty of other alternatives such as cookie-crusher, cookie-pal, pop-up
killer, etc. You may search for other alternatives, in Tucows
(http://www.tucows.com/cookie95.html).
NetBIOS and Other Services?
The NetBIOS over TCP/IP (NBT) which is sometimes loosely called
"NetBIOS", is a service which has some security problems with it. It is
enabled by default in Windows default installations, and it is very
common to see that a firewall does the job of preventing the efforts to
get access to your computer via NBT. Yet, in almost all cases, this
service is not needed, and thus can be disabled. To disable NBT in
Win95/98/ME is not as simple as it is in Win2K/XP, but can still be
done reliably. We explain how to do this in another article (#to be
written soon). It is needless to say, that if NBT is disabled, there is
no need for a firewall to block communication to it. Also, in the case
of other services, such as RPC services, and others, in many cases you
simply don't need those services and better disable them from within
Windows rather than use the firewall to block them. There are various
ways to know which services are running on your computer, and which of
them are listening for communications from the outside. If there are
ones that you don't need, they should be disabled.
Admin- Admin
- Posts : 131
Join date : 2009-07-04
Age : 33
Location : Karachi -
continue.........
by Admin Sun Jul 26, 2009 11:49 pm
Hiding the Computer?
In web sites of many personal firewall companies, they are putting a
lot of weight on the ability of their firewall to hide the computer on
the Internet. Yet, exposing your home computer on the Internet is by
itself, neither a security nor a privacy threat. If you provide some
services to the Internet on your computer, for example, you put a web
server on your computer to allow other people to view web pages, then
you might get rid of some of the crackers, by setting your firewall to
unhide only this type of communications. Some attackers will not make a
full scan of your computer, but only a partial scan, and if they did
not scan for the specific service that you provided, they will not see
your computer. Yet, if the service is a common one, there is a good
chance for many of them to scan it and thus find the existence of your
computer. If they "see" the existence of your computer, they might
decide to scan it further, and find out the services you are providing,
and scan it for security holes to use. Yet, there is no much meaning to
it when we speak about simple home computers.
What a Firewall Cannot Do!
Another misconception about personal firewalls is that they are
incorrectly thought as if they claim to give an overall protection
against "hackers" (i.e. intrusions). They are not.
Defense Against Exploitation of Security Holes
A firewall can allow or deny access to your computer or from your
computer according to the type of communication, its source and
destination, and according to the question which program on your
computer is handling the communication. Yet, its ability to understand
the details of the communication is very limited. For example, you may
set the firewall to allow or to deny your e-mail program from getting
and/or sending messages. It may allow or deny your web browser from
browsing the Internet. But if you allowed your e-mail program to
communicate with the e-mail servers for sending and receiving messages,
(and you are likely to allow it if you want to use your e-mail
program), or if you set the firewall to allow your web browser to
communicate with web sites, the firewall will not be able to understand
the content of the communication much further, and if your web browser
has a security hole, and some remote site will try to exploit it, your
firewall will not be able to make a distinction between the
communication that exploits the security hole, and legitimate
communication. The same principle goes with e-mail program. A personal
firewall may block you from receiving or sending e-mail messages, but
if you allowed it to receive messages, the personal firewall will not
make a distinction between a legitimate message and a non-legitimate
one (such as a one that carries a virus or a Trojan horse). Security
holes in legitimate programs can be exploited and a personal firewall
can do practically nothing about it.
I should comment, however, that some personal firewalls come combined
with some Trojan horse detection, or intrusion detection. This is not
part of the classical definition of a firewall, but it might be useful.
Such tasks are usually taken by other tools such as antivirus programs
or antiTrojan programs.
Tricks to Bypass or Disable Personal Firewalls
There are also various ways to disable, or bypass personal firewalls.
During the time a few tricks to bypass or disable were demonstrated by
various programs. Especially, tricks for an internal program to
communicate with the outside bypassing or tricking the firewall. For
some of them such as the one demonstrated by the Leaktest, and in which
a non-legitimate program disguises itself as Internet Explorer,
practically today, all personal firewalls are immuned. For other
tricks, such as a one demonstrated by Outbound, which uses some
non-standard type of communication directly to the network adapters
bypassing the components of the operating system which are suppose to
deal with Internet communication, and by that bypassing the firewall,
are only now being patched against by the various firewalls, and yet
other methods, such as the one demonstrated by Tooleaky, which uses
Internet Explorer as a messenger to communicate with the outside, and
is thus identified as a mere legitimate browsing, are still waiting for
most of the personal firewall to find a fix.
Firewalls CANNOT Decide for You What is a Legitimate Communication and What is Not
One of the main problems with personal firewalls, is that you cannot
simply install them and forget them, counting on them to do their job.
They can deny or permit various types of communications according to
some criteria, but what is this criteria, and who decides what is the
criteria for whether they should permit or deny some communication?
The answer, is that it is the computer user's job to define the exact
criteria when the firewall should allow a communication and when it
should block it. The firewall may make it easier for you, but it should
not take the decisions. There are too many programs, too many versions,
and it is not possible for the firewall to decide accurately when a
communication is legitimate and when it is not. One person might think
that it is legitimate for some program to deliver some information to
the outside in order to get some service, while another will think that
it is not. One version of a program might communicate with its home
server in order to check whether there is an upgrade, and another
version might also install the upgrade even if you do not wish. Some
firewalls will try to identify communication efforts which are largely
considered as legitimate, and will let you the information so that it
will be easier for you to decide whether such should be allowed. Others
will suffice with more basic information, making no suggestions (and
thus - no incorrect recommendations). One way or another, once you
installed a firewall, you will have better means to understand what
types of communications are running on your computer, but you will also
have to understand them in order to be able to configure your firewall
so that it will correctly know which communications to allow and which
to block.
In web sites of many personal firewall companies, they are putting a
lot of weight on the ability of their firewall to hide the computer on
the Internet. Yet, exposing your home computer on the Internet is by
itself, neither a security nor a privacy threat. If you provide some
services to the Internet on your computer, for example, you put a web
server on your computer to allow other people to view web pages, then
you might get rid of some of the crackers, by setting your firewall to
unhide only this type of communications. Some attackers will not make a
full scan of your computer, but only a partial scan, and if they did
not scan for the specific service that you provided, they will not see
your computer. Yet, if the service is a common one, there is a good
chance for many of them to scan it and thus find the existence of your
computer. If they "see" the existence of your computer, they might
decide to scan it further, and find out the services you are providing,
and scan it for security holes to use. Yet, there is no much meaning to
it when we speak about simple home computers.
What a Firewall Cannot Do!
Another misconception about personal firewalls is that they are
incorrectly thought as if they claim to give an overall protection
against "hackers" (i.e. intrusions). They are not.
Defense Against Exploitation of Security Holes
A firewall can allow or deny access to your computer or from your
computer according to the type of communication, its source and
destination, and according to the question which program on your
computer is handling the communication. Yet, its ability to understand
the details of the communication is very limited. For example, you may
set the firewall to allow or to deny your e-mail program from getting
and/or sending messages. It may allow or deny your web browser from
browsing the Internet. But if you allowed your e-mail program to
communicate with the e-mail servers for sending and receiving messages,
(and you are likely to allow it if you want to use your e-mail
program), or if you set the firewall to allow your web browser to
communicate with web sites, the firewall will not be able to understand
the content of the communication much further, and if your web browser
has a security hole, and some remote site will try to exploit it, your
firewall will not be able to make a distinction between the
communication that exploits the security hole, and legitimate
communication. The same principle goes with e-mail program. A personal
firewall may block you from receiving or sending e-mail messages, but
if you allowed it to receive messages, the personal firewall will not
make a distinction between a legitimate message and a non-legitimate
one (such as a one that carries a virus or a Trojan horse). Security
holes in legitimate programs can be exploited and a personal firewall
can do practically nothing about it.
I should comment, however, that some personal firewalls come combined
with some Trojan horse detection, or intrusion detection. This is not
part of the classical definition of a firewall, but it might be useful.
Such tasks are usually taken by other tools such as antivirus programs
or antiTrojan programs.
Tricks to Bypass or Disable Personal Firewalls
There are also various ways to disable, or bypass personal firewalls.
During the time a few tricks to bypass or disable were demonstrated by
various programs. Especially, tricks for an internal program to
communicate with the outside bypassing or tricking the firewall. For
some of them such as the one demonstrated by the Leaktest, and in which
a non-legitimate program disguises itself as Internet Explorer,
practically today, all personal firewalls are immuned. For other
tricks, such as a one demonstrated by Outbound, which uses some
non-standard type of communication directly to the network adapters
bypassing the components of the operating system which are suppose to
deal with Internet communication, and by that bypassing the firewall,
are only now being patched against by the various firewalls, and yet
other methods, such as the one demonstrated by Tooleaky, which uses
Internet Explorer as a messenger to communicate with the outside, and
is thus identified as a mere legitimate browsing, are still waiting for
most of the personal firewall to find a fix.
Firewalls CANNOT Decide for You What is a Legitimate Communication and What is Not
One of the main problems with personal firewalls, is that you cannot
simply install them and forget them, counting on them to do their job.
They can deny or permit various types of communications according to
some criteria, but what is this criteria, and who decides what is the
criteria for whether they should permit or deny some communication?
The answer, is that it is the computer user's job to define the exact
criteria when the firewall should allow a communication and when it
should block it. The firewall may make it easier for you, but it should
not take the decisions. There are too many programs, too many versions,
and it is not possible for the firewall to decide accurately when a
communication is legitimate and when it is not. One person might think
that it is legitimate for some program to deliver some information to
the outside in order to get some service, while another will think that
it is not. One version of a program might communicate with its home
server in order to check whether there is an upgrade, and another
version might also install the upgrade even if you do not wish. Some
firewalls will try to identify communication efforts which are largely
considered as legitimate, and will let you the information so that it
will be easier for you to decide whether such should be allowed. Others
will suffice with more basic information, making no suggestions (and
thus - no incorrect recommendations). One way or another, once you
installed a firewall, you will have better means to understand what
types of communications are running on your computer, but you will also
have to understand them in order to be able to configure your firewall
so that it will correctly know which communications to allow and which
to block.
Admin- Admin
- Posts : 131
Join date : 2009-07-04
Age : 33
Location : Karachi -
continue.........
by Admin Sun Jul 26, 2009 11:50 pm
Common Problems and Deficiencies Regarding Personal Firewalls
A personal firewall might be a good contribution to security. Yet, if
you do not understand much about the topic, then you are likely to be
confused and misled by its alerts and queries, and thus find yourself
spending hours in chasing after imaginary crackers, fear from imaginary
threats, and misconfigure it due to misunderstanding. You may find
yourself blocking legitimate and important communication believing it
to be cracking efforts, and thus surprised to see why things work
slowly or why you are disconnected from the Internet, or you might be
misled to allow a non-legitimate communication by some software that
tricked you to believe that it is a legitimate one. On the other side,
if you are quite knowledgeable on computers and security, then you are
likely to effectively defend your computer even without a firewall (by
means discussed in section II.4) and it is thus that the role of
personal firewall in securing your computer, is extremely small and not
much important. We discuss here in brief some of the problems that
personal firewalls may generate.
A False Sense of Security
As we've already learned here, a firewall is limited in its ability to
secure your computer. Yet, many people believe that if they will
install a personal firewall they will be secured against the various
security threats. I was even surprised to find out that there are
people who believe that give much higher priority in installing a
personal firewall than in installing an antivirus program. An always
updated antivirus program plays a much more important role in the
security of a personal home computer than installing and maintaining a
personal firewall. A personal firewall should not come on account of
any other security measure that you use.
A False Sense of Insecurity
When you install a firewall and you look at all the communication
efforts through it, you might be surprised at the amount of
communication efforts from the Internet to your computer. Most of them
are blocked by a typically configured firewall. There are all the times
efforts to try to communicate with various backdoor Trojans on your
computers. If you are not infected, there will be nothing to listen and
to respond to those communication efforts, and they are thus
practically harmless. There are efforts to communicate with your NBT
driver, to see if your computer by mistake allows file sharing. There
are other types of probes to see if your computer exists, or various
efforts of servers to probe your computer in order to find the best
path for legitimate communication to it. There are sometimes remnants
of communications that were supposed to go to other computers, but made
their way to yours (for advanced readers: because the IP number that
your computer uses, were used by some other computer earlier). Those
communication efforts are blocked even without a firewall. If your
computer is not infected with a RAT, and if your computer don't have
NetBIOS over TCP/IP enabled or even it does not have file and print
sharing enabled (and on most computers this is disabled by default),
then none of these pose any security threat. If your computer is not
infected with a SubSeven Trojan, then no matter how often there will be
efforts to communicate with it, they are all doomed to be failed.
Yet, some personal firewall (such as Norton Personal Firewall or
ZoneAlarm) by default proudly announce that they have just blocked an
effort to crack into your computer. Norton may even define those
efforts that were blocked as "high security threats" while they were
not a threat at all even if your computer didn't have a personal
firewall at all. Such firewalls give you the false impression that they
save your computer again and again from extremely dangerous threats on
the Internet, so that you wonder how did you survive so much time
without noticing any intrusion before you installed the firewall. I
usually say, that those personal firewalls are set their "report level"
to "promotional mode". Namely, the personal firewall is set to give you
the false impression that it is much more important than it really is.
Chasing After Ghosts
This is a side effect of the types of misunderstandings that were discussed in the previous subsection.
When a person who starts to learn about the jargon related to personal
firewalls, is reported that some "dangerous" communication efforts
persist from the same source, the person is decisive to locate and
identify the "hacker", and perhaps report about it to the police or to
its Internet service provider. However, since many people do not really
understand thoroughly how things work, they may sometimes spend many
hours in trying to locate a cracker that does not exist, or when the
knowledge they need to have, in order to track the cracker, is much
higher than what they have, and they might even suspect the wrong
person due to lack of knowledge (e.g. the connection person on the
Internet service provider that was used by the cracker). More
knowledgeable people, usually do not bother to track those "hackers"
(which are usually teenagers), but instead are concentrating on the
security of their computer.
Blocking Legitimate Communications
No personal firewall is smart enough to decide for the user what is a
legitimate communication and what is not. A personal firewall cannot
make a distinction between a legitimate program trying to contact its
server to check and notify the user when there is a newer version, and
a non-legitimate program trying to communicate with its server in order
deliver sensitive information such as passwords, unless the user tells
it. It is thus up to the user to decide what should be considered as
legitimate and what should not. Yet, can we count on the user to be
knowledgeable enough to decide what is legitimate and what is not? In
many cases the user is not knowledgeable enough, and may thus allow
non-legitimate communication or disallow a legitimate and important
communication. There are many types of communications handled just to
manage other communications. Among this are various types of
communications between your computer and the various servers of your
Internet service provider. A not knowledgeable user may interpret those
types of communications as cracking efforts, and will thus decide to
block them. As a result, a connection might become slower, a connection
to the Internet service provider might be disconnected quiet often and
other types of communication problems.
Being Tricked by Trojans bbb
Just as less knowledgeable users may instruct the firewall to block
legitimate communications, they can be tricked by various Trojans to
allow them to communicate. Some Trojans are using names resembling or
identical to names of legitimate programs, so that the user would think
that it is a legitimate programs. Users should be aware of that.
Heavy Software, Buggy Software
Until now we discussed only problems related to lack of appropriate
knowledge by the user. Yet, there are other problems regarding personal
firewalls. For example, some of them are known to be quite heavy on
computer resources, or slow down the communication speed. Different
personal firewalls quite vary with regard to that. If you have a new
computer with a slow Internet communication (such as regular dial-up
networking) then it might not slow down your computer noticeably. Yet,
if you use an older computer, and a fast communication, you might find
that some personal firewalls will slow down your communication quite
drastically. Personal firewalls also vary on how much they are stable.
Advantages of External Firewalls over Personal Firewalls
1. They do not take resources from the
computer. This should be clear. This is especially useful when the
firewall blocks flooding attacks.
2. It is harder (although in principle
still possible) for a Trojan horse to disable it, because it does not
reside in the same computer that the Trojan has infected. It is not
possible to use the specific communication while totally bypassing the
firewall.
3. They can be used without any dependence on the operating system on the computer(s) they defend.
4. No instability problems.
A personal firewall might be a good contribution to security. Yet, if
you do not understand much about the topic, then you are likely to be
confused and misled by its alerts and queries, and thus find yourself
spending hours in chasing after imaginary crackers, fear from imaginary
threats, and misconfigure it due to misunderstanding. You may find
yourself blocking legitimate and important communication believing it
to be cracking efforts, and thus surprised to see why things work
slowly or why you are disconnected from the Internet, or you might be
misled to allow a non-legitimate communication by some software that
tricked you to believe that it is a legitimate one. On the other side,
if you are quite knowledgeable on computers and security, then you are
likely to effectively defend your computer even without a firewall (by
means discussed in section II.4) and it is thus that the role of
personal firewall in securing your computer, is extremely small and not
much important. We discuss here in brief some of the problems that
personal firewalls may generate.
A False Sense of Security
As we've already learned here, a firewall is limited in its ability to
secure your computer. Yet, many people believe that if they will
install a personal firewall they will be secured against the various
security threats. I was even surprised to find out that there are
people who believe that give much higher priority in installing a
personal firewall than in installing an antivirus program. An always
updated antivirus program plays a much more important role in the
security of a personal home computer than installing and maintaining a
personal firewall. A personal firewall should not come on account of
any other security measure that you use.
A False Sense of Insecurity
When you install a firewall and you look at all the communication
efforts through it, you might be surprised at the amount of
communication efforts from the Internet to your computer. Most of them
are blocked by a typically configured firewall. There are all the times
efforts to try to communicate with various backdoor Trojans on your
computers. If you are not infected, there will be nothing to listen and
to respond to those communication efforts, and they are thus
practically harmless. There are efforts to communicate with your NBT
driver, to see if your computer by mistake allows file sharing. There
are other types of probes to see if your computer exists, or various
efforts of servers to probe your computer in order to find the best
path for legitimate communication to it. There are sometimes remnants
of communications that were supposed to go to other computers, but made
their way to yours (for advanced readers: because the IP number that
your computer uses, were used by some other computer earlier). Those
communication efforts are blocked even without a firewall. If your
computer is not infected with a RAT, and if your computer don't have
NetBIOS over TCP/IP enabled or even it does not have file and print
sharing enabled (and on most computers this is disabled by default),
then none of these pose any security threat. If your computer is not
infected with a SubSeven Trojan, then no matter how often there will be
efforts to communicate with it, they are all doomed to be failed.
Yet, some personal firewall (such as Norton Personal Firewall or
ZoneAlarm) by default proudly announce that they have just blocked an
effort to crack into your computer. Norton may even define those
efforts that were blocked as "high security threats" while they were
not a threat at all even if your computer didn't have a personal
firewall at all. Such firewalls give you the false impression that they
save your computer again and again from extremely dangerous threats on
the Internet, so that you wonder how did you survive so much time
without noticing any intrusion before you installed the firewall. I
usually say, that those personal firewalls are set their "report level"
to "promotional mode". Namely, the personal firewall is set to give you
the false impression that it is much more important than it really is.
Chasing After Ghosts
This is a side effect of the types of misunderstandings that were discussed in the previous subsection.
When a person who starts to learn about the jargon related to personal
firewalls, is reported that some "dangerous" communication efforts
persist from the same source, the person is decisive to locate and
identify the "hacker", and perhaps report about it to the police or to
its Internet service provider. However, since many people do not really
understand thoroughly how things work, they may sometimes spend many
hours in trying to locate a cracker that does not exist, or when the
knowledge they need to have, in order to track the cracker, is much
higher than what they have, and they might even suspect the wrong
person due to lack of knowledge (e.g. the connection person on the
Internet service provider that was used by the cracker). More
knowledgeable people, usually do not bother to track those "hackers"
(which are usually teenagers), but instead are concentrating on the
security of their computer.
Blocking Legitimate Communications
No personal firewall is smart enough to decide for the user what is a
legitimate communication and what is not. A personal firewall cannot
make a distinction between a legitimate program trying to contact its
server to check and notify the user when there is a newer version, and
a non-legitimate program trying to communicate with its server in order
deliver sensitive information such as passwords, unless the user tells
it. It is thus up to the user to decide what should be considered as
legitimate and what should not. Yet, can we count on the user to be
knowledgeable enough to decide what is legitimate and what is not? In
many cases the user is not knowledgeable enough, and may thus allow
non-legitimate communication or disallow a legitimate and important
communication. There are many types of communications handled just to
manage other communications. Among this are various types of
communications between your computer and the various servers of your
Internet service provider. A not knowledgeable user may interpret those
types of communications as cracking efforts, and will thus decide to
block them. As a result, a connection might become slower, a connection
to the Internet service provider might be disconnected quiet often and
other types of communication problems.
Being Tricked by Trojans bbb
Just as less knowledgeable users may instruct the firewall to block
legitimate communications, they can be tricked by various Trojans to
allow them to communicate. Some Trojans are using names resembling or
identical to names of legitimate programs, so that the user would think
that it is a legitimate programs. Users should be aware of that.
Heavy Software, Buggy Software
Until now we discussed only problems related to lack of appropriate
knowledge by the user. Yet, there are other problems regarding personal
firewalls. For example, some of them are known to be quite heavy on
computer resources, or slow down the communication speed. Different
personal firewalls quite vary with regard to that. If you have a new
computer with a slow Internet communication (such as regular dial-up
networking) then it might not slow down your computer noticeably. Yet,
if you use an older computer, and a fast communication, you might find
that some personal firewalls will slow down your communication quite
drastically. Personal firewalls also vary on how much they are stable.
Advantages of External Firewalls over Personal Firewalls
1. They do not take resources from the
computer. This should be clear. This is especially useful when the
firewall blocks flooding attacks.
2. It is harder (although in principle
still possible) for a Trojan horse to disable it, because it does not
reside in the same computer that the Trojan has infected. It is not
possible to use the specific communication while totally bypassing the
firewall.
3. They can be used without any dependence on the operating system on the computer(s) they defend.
4. No instability problems.
Admin- Admin
- Posts : 131
Join date : 2009-07-04
Age : 33
Location : Karachi -
:: ..:: IT Cafe ::.. :: Articles
Page 1 of 1
Permissions in this forum:
You cannot reply to topics in this forum|
|
|