Tourbus: Firewall

The following is an excerpt from an email by Patrick Douglas Crispen at Tourbus.com. I liked the way he explains the topic, so I include it here with appropriate credit.
Testing Your Firewall
--------------
A quick review
--------------

Connect to the internet and two things will quickly target and attack
your computer: Worms and crackers.  To protect your computer from
opportunistic attacks--besides being vigilant with patch management--
you need to "hide" your computer from the internet.  If worms and
crackers can't see your computer, they [hopefully] won't attack you.

How do you hide your computer?  Use a firewall.  A firewall is either
hardware or software that stands between your computer [or home
network] and its internet connection and provides "access control"--it
determines what can and cannot pass.  If you have a broadband
connection [cable modem or DSL] you need BOTH a hardware firewall [in
the form of a ~US$70 router] and a [free] software firewall.  If you
have a dial-up connection or an internal cable or DSL modem, you only
need a [free] software firewall.

------------
Uh... WHAT?!
------------

If all of this is Greek to you, check out my "Home Computer Security
and Privacy, Part One: Firewalls and Exploit Management" presentation
at

     http://netsquirrel.com/classroom/

This presentation is available online, free of charge, in both
Microsoft PowerPoint and Macromedia Flash formats.

---------------------
Testing your firewall
---------------------

How do you know if your firewall is doing its job of keeping the bad
stuff out?  Well, the best way is to test your firewall by having a
trusted entity attack it.  There are people called "white hat hackers"
or "sneakers" who can do this for you...for a price.  That price is
usually the same as the price of a mortgage payment in Beverly Hills.
Or you can test your firewall yourself for free with both Sygate
Online Services and Steve Gibson's Shields Up.

----------------------
Sygate Online Services
----------------------

Sygate is one of the biggest players in the corporate security market,
and they also make one of my favorite software firewalls: Sygate
Personal Firewall.  Sygate Online Services is a free web site that,
with your permission, probes your firewall[s] looking for
vulnerabilities.  And since the scan is done online, it doesn't matter
what type of computer you have.  Sygate Online Services can scan PCs,
Macs, and *nix boxes.

Just point your web browser to

     http://scan.sygate.com/

and click on the black "Scan Now" button.  This starts something
called the "Prescan."

--------------
Sygate prescan
--------------

The first three bits of information you'll see--your IP address, your
operating system, and the name of your web browser--are [more or less]
"public" information.  And if you are using a hardware router with
network address translation, that isn't your computer's real IP
address anyway.  It's your router's.

Your operating system and browser name information came from the HTTP
GET packet your browser sent when it requested Sygate's web page.
Don't believe me?  Check out http://www.rexswain.com/httpview.html or
http://www.ipchicken.com/

In other words, "There's nothing to see here.  Move along."

*BUT*, if Sygate's prescan can see your computer name or the services
running on your computer, your computer could potentially have a
serious security problem, especially if you're running Windows.

--------------------------------
Windows file and printer sharing
--------------------------------

Windows comes with a built-in service called "File and Printer Sharing
for Microsoft Networks."  File sharing lets you make files and folders
in a shared folder accessible to others on your home network to view,
copy, or modify.  Printer sharing lets you share a printer with all
the other computers on your home network. [Check out
http://tinyurl.com/ywh8q for more information.]

Apple also offers a built-in file and printer sharing service, but it
is MUCH more secure than Microsoft's.

Unless you are really careful in setting up file and printer sharing,
your computer may, without your knowledge or permission, be sharing
personal files stored on your computer with everyone on the internet.

How can you tell if your computer's files are visible online?  Well,
Sygate Online Services' prescan probes something called "port 139" on
your computer to see if:

     1. File and printer sharing is turned on; and

     2. Those shares are accessible from the internet.

Before we talk about File and Printer Sharing and port 139, let's
first talk about ports.

----------------------------
Any port in the packet storm
----------------------------

Most people connect to the internet through a single wire [or antenna.]
For example, your single wire for a dial up connection is a RJ-11
telephone cable.  Cable modem users use a single RG-6 coaxial cable.
[Yeah, I know.  There are actually a bunch of wires back there.  Work
with me on this one.]

ALL the data that you send and receive online goes through that one
[bundled] wire.  But think of the different types of data that travel
through that wire: Web pages, instant messages, emails, etc.  How does
your computer sort through all of this incoming data and forward that
data to the appropriate software applications?  Well, your computer
uses something called "ports."

Ports don't exist in the physical world--you can't actually see or
touch them.  Instead, they're just "pretend" addresses inside of your
computer that your computer recognizes and uses to route incoming data
to the appropriate software application.  For example, any data that
comes into your computer from the internet addressed to port 80 is
automatically forwarded to your web browser.  Data addressed to port
110 is automatically forwarded to your email program, and data
addressed to port 5190 is automatically sent to your AOL Instant
Messenger program.

How many of these pretend addresses [or ports] are there?  Officially,
up to 69,536. [source: http://www.iana.org/assignments/port-numbers]

--------------------------------
The potential danger of port 139
--------------------------------

Crackers and script kiddies LOVE port 139.  Why?  Well, every semi-
competent cracker and script kiddie has software that scans thousands
of internet connections looking for Windows file and printer shares
accessible through port 139.  All the cracker or script kiddie has to
do is map to the share and he's in.  It's just as if he was sitting in
front of your computer [although, in reality, he can only access the
stuff that is being shared.]

----------------
Remember Sygate?
----------------

Your goal is to have Sygate Online Services tell you that it is both

     1. Unable to determine your computer name; and

     2. Unable to detect any running services.

If Sygate can't see your computer, neither can the crackers.  But if
Sygate CAN see you, it means that

     - You don't have a firewall.

     - If you do have a firewall, it either isn't working or isn't
       properly configured.

     - File and Printer Sharing for Microsoft Networks may be sharing
       your personal files with the entire planet.

--------------------
Fixing your firewall
--------------------

If Sygate can see your computer name or any of the services running on
your computer, you NEED to fix your firewall.  Check the instructions
that came with your firewall to make sure you set it up correctly or
visit the support section of your firewall manufacturer's web site.

To fix the File and Printer Sharing for Microsoft Networks problem,
call *BOTH* your Internet Service Provider's *AND* your school's or
employer's helpdesks and ask them:

     "Can you think of any reason why I SHOULDN'T disable NetBIOS over
     TCP/IP on my home computer?"

If the answer is yes--if either helpdesk says you *NEED* NetBIOS over
TCP/IP in order to do some important thing on their network--ask the
helpdesk tech to send you a handout showing you how to secure NetBIOS
from attack from people outside of the network.

If and only if the folks at *BOTH* helpdesks tell you that they have
no problem with you disabling NetBIOS over TCP/IP, nuke that bugger.
You don't need it.

-----------------------------
Disabling NetBIOS over TCP/IP
-----------------------------

You can find step-by-step instructions on how to disable NetBIOS over
TCP/IP at

     http://comp.bio.uci.edu/security/netbios.htm

The first step, regardless of what version of Windows you are running,
is to open Windows Explorer.  Right-click on My Computer or press the
Windows key and the E key at the same time.

The rest is pretty self-explanatory.

--------------------
Wait.  There's more.
--------------------

Once Sygate Online Services' prescan gives you a clean bill of health
by telling you it was unable to determine your computer name and
unable to detect any running services, there are four more scans you
need to run.

     1. Stealth Scan
     2. Trojan Scan
     3. TCP Scan
     4. UDP Scan

-------------------
Sygate Stealth Scan
-------------------

The Stealth Scan re-runs the prescan but uses some common cracker
stealthing techniques to try to sneak past your firewall.  You can
find a link to the Stealth Scan on the left side of the Sygate Online
Services page, or you can just go to

     http://scan.sygate.com/prestealthscan.html

Click on the black "Scan Now" button to start the 30 second scan.

Your goal is to have the Stealth Scan tell you that all of the ports
it scanned are "blocked."  This means that your firewall is working
perfectly.  No one on the internet can see any of those ports on your
computer, so [hopefully] no one on the internet can attack those ports.

However, if Sygate tells you that a particular port is "Closed"
instead of blocked, you could have a problem.  Sygate is telling you
that while it couldn't break into that particular port it could still
see it.  Remember: If a port can be seen it can be attacked.  You
need to IMMEDIATELY check your firewall's instructions or the
manufacturer's web site to find out how to "stealth" that particular
port.

------------------
Sygate Trojan Scan
------------------

Once you've verified that your firewall is blocking all of the common
ports, you need to make sure your computer doesn't have any Trojan
Horses on it.  A Trojan Horse is a type of virus that masquerades as a
legitimate program but actually contains a payload that can damage
your computer.  Many Trojan Horses also attach themselves to a
particular port so that they can listen for a command from the
internet telling them when to activate and unleash all living hell.
In fact, take a look at

     http://scan.sygate.com:443/cgi-bin/probe/trojans.cgi

for a list of some common Trojans and the ports to which they attach
themselves.

Sygate's Trojan Scan searches through over 65,000 ports looking for
Trojan Horses hiding on your computer.  You can find a link to the
Trojan Scan on the left side of the Sygate Online Services page, or
you can just go to

     http://scan.sygate.com/pretrojanscan.html

I need to warn you that if you don't have a firewall or if your
firewall is not properly configured, this scan can take up to TWENTY
MINUTES.  But, if your firewall is working properly, there won't be
anything for Sygate to scan [because Sygate can't see your computer]
so Sygate will angrily give up.

If Sygate finds a Trojan Horse on your computer,

     1. Write the name of the Trojan Horse on a piece of paper

     2. Go to http://www.symantec.com/avcenter/vinfodb.html and search
        for that Trojan's removal instructions.

---------------
Sygate TCP Scan
---------------

After the Trojan Scan comes the TCP Scan.  Sygate tells you if any of
the first 1,024 ports on your computer are both open for attack and
visible to crackers.  You can find a link to the TCP Scan on the left
side of the Sygate Online Services page, or you can just go to

     http://scan.sygate.com/pretcpscan.html

Even if your firewall is working properly, this scan will take up to
45 minutes to complete.  Thoroughness is a good thing, especially when
it comes to testing your firewall[s].

If Sygate tells you that a particular port is "Open," immediately
check your firewall's instructions or the manufacturer's web site to
find out how to both close and stealth that particular port.
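The "blocked" / "closed" / "open" vocabulary used by the Stealth Scan and the TCP Scan above maps directly onto what a TCP connect attempt sees: the handshake completes (open), the host answers with a reset (closed, i.e. visible but not listening), or nothing comes back before the timeout (blocked/stealthed). The following Python script is an added example, not part of Crispen's email or of Sygate's tools; it probes a single TCP port from the outside and reports the state in those terms, and `demo_local` exercises the open and closed cases against a listener on 127.0.0.1 so it runs offline.

```python
import socket


def classify(exc):
    """Translate the outcome of a connect() attempt into scan terms.

    None                    -> "open"    (handshake completed; a service answered)
    ConnectionRefusedError  -> "closed"  (host sent RST: visible, nothing listening)
    timeout                 -> "blocked" (no reply at all: firewall dropped the probe)
    anything else           -> "error"   (e.g. network unreachable; not a port state)
    """
    if exc is None:
        return "open"
    if isinstance(exc, ConnectionRefusedError):
        return "closed"
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "blocked"
    return "error"


def probe_tcp(host, port, timeout=2.0):
    """Attempt one TCP connection and return "open", "closed", "blocked" or "error"."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            pass  # connected; close immediately, we only wanted the handshake result
    except OSError as exc:  # ConnectionRefusedError and socket.timeout are both OSErrors
        return classify(exc)
    return classify(None)


def demo_local():
    """Show "open" vs "closed" on the loopback interface (constructed demo, no network).

    A listener is opened on an ephemeral port, probed, then shut down and probed
    again. "blocked" cannot be demonstrated on loopback because the kernel always
    answers; it is what a correctly configured firewall produces for probes from
    the internet.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))  # port 0 = let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = probe_tcp("127.0.0.1", port, timeout=1.0)
    return {"port": port, "listening": while_listening, "after_close": after_close}


if __name__ == "__main__":
    print(demo_local())  # e.g. {'port': 41234, 'listening': 'open', 'after_close': 'closed'}
```

Run against your own public address from a machine outside your network, a port reported "closed" is exactly the case the text warns about: no service answered, but the firewall let the probe through far enough for the host to reply.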

---------------
Sygate UDP Scan
---------------

We've already scanned the first 1,024 TCP ports on your computer.  Now
let's scan the common UDP ports.  You can find a link to the UDP Scan
on the left side of the Sygate Online Services page, or you can just
go to

     http://scan.sygate.com/preudpscan.html

The UDP scan could take up to 20 minutes, and your goal is to have
Sygate tell you your firewall is blocking UDP ports.  If your firewall
isn't blocking UDP ports, check your firewall's instructions or the
manufacturer's web site to find out how to block UDP ports.

------
Done?!
------

Once you've run all the firewall tests at Sygate Online Services
you're done, right?  Not exactly.  To be COMPLETELY sure your firewall
is protecting your computer, you really need to test your firewall one
more time using a different tool: Steve Gibson's Shields Up.

Fortunately, once you've run Sygate Online Services, you know
everything you need to know in order to run Shields Up.  Just point
your web browser to

    https://grc.com/x/ne.dll?bh0bkyd2

and click on the "Proceed" button.  Then click on the file sharing,
common ports, all service ports, and messenger spam buttons to test
those particular vulnerabilities.

Oh, and if you need help figuring out how to use Shields Up, check out

     http://www.allianceits.com/diy/shieldsup/index.php

This is an online movie I recently made that shows you, step-by-step,
how to access and use Shields Up.

-----
DONE!
-----

Once you've tested your firewall[s] with Sygate Online services and
Shields Up--and once you've received a clean bill of health from both
--you can pretty much forget about your firewall[s].  It's as squared
away as it's going to get.
