PERSONAL FIREWALLS: FIREWALL PROTECTION FOR PCS AND HOME NETWORKS

Transcription

1 July WHITE 2001 PAPER PERSONAL FIREWALLS: FIREWALL PROTECTION FOR PCS AND HOME NETWORKS Today's always on cable modem and Digital Subscriber Line (DSL) Internet access connections offer unprecedented bandwidth to the home, but also leave the connected PC or home network vulnerable to hacker attacks. The nature of these attacks varies, but the goal is to gain access to individual computers attached to the Internet. With this access, a hacker can browse the hard drive and add or delete files, discover passwords and credit card numbers, and set the system up to launch attacks on other systems or websites. As a result, firewall protection from these attacks is becoming as important as antivirus protection. And, as the attacks evolve and become more sophisticated, firewall software will require frequent updates much like antivirus software. Personal firewalls have emerged to serve this need. Inexpensive and easier to set up than enterprise-class firewalls, personal firewalls are designed to protect PCs and home networks that are connected to the Internet from intrusion and damage from hackers. Always On Security Issues Cable modem and DSL connections are particularly vulnerable to attack because they are always on (or always connected to the Internet), thus increasing their exposure to hackers. In contrast, dial-up connections are typically temporary sessions that receive a new dynamically assigned Internet Protocol (IP) address each time they connect. Users dial up their Internet Service Provider (ISP) to check or browse the Web, then disconnect when finished. (Or, the ISP disconnects them automatically after detecting that the connection is idle for a specific period of time.) The limited attachment and new IP address for each session make dial-up connections much less vulnerable to attack. In addition, because cable modem and DSL connections are higher bandwidth than dial-up connections, hackers are able to mount certain types of attacks that may not be feasible on dial-up lines. Compounding the security problem for always-on services is the fact that cable and DSL connections often have IP addresses in predictable ranges, making them easier to locate for attack. Hackers can use widely available automated port scanner software to look for vulnerable computers. This software performs unattended probes of a range of IP addresses to locate specific computers for attack, then identifies ports that can be exploited to enter the computers. In this context, the term port refers to a critical portion of a logical connection point between two computers using TCP/IP services. These services include the Simple Mail Transfer TCP/IP Ports Protocol (SMTP), Hypertext Transfer Protocol (HTTP), or File Transfer Protocol (FTP). A client computer accesses a service such as running on a remote server by connecting to the port associated with the SMTP service, typically port 25. Well-known services have reserved port numbers assigned by the Internet Assigned Numbers Authority (IANA) ( Some of these are shown in Table 1. To the extent possible, these same port assignments are used with the User Datagram Protocol (UDP). Service IANA TCP/IP Port Number Reservations Well-known ports 0 through 1023 Registered ports 1024 through Dynamic* and/or private ports through *In practice, most systems start assigning dynamic ports at PING 7 FTP 20 and 21 Telnet 23 World Wide Web (HTTP) 80 SMTP 25 Microsoft Windows file and print sharing TCP Port Number Table 1. Examples of TCP/IP Services With Assigned TCP Port Numbers Visit the Vectors Technology Information 1

2 Personal Firewalls: Firewall Protection for PCs and Home Networks The header information of each TCP/IP packet includes the port number and IP address for the source and destination nodes, and the protocol used. This information is used to describe a unique connection between two peers in an IP network called an association. (See sidebar.) TCP/IP Association A TCP/IP association consists of: (source IP address, source port number, destination IP address, destination port number, protocol) For example, an HTTP connection between two machines with IP addresses (server) and (client) could be defined from the client perspective as: ( , 56788, , 80, TCP) Similarly, the same association looked at from the server perspective is: ( , 80, , 56788, 80, TCP) Both associations describe the same connection from different perspectives. In addition, port is typically called the ephemeral port because it is dynamically selected by the operating system initiating the association. In this example, the client initiates the HTTP connection to the server. When a port is open on a computer (also called a half-association ), the computer is listening through that port for appropriately addressed packets. A server listens through port 80 for HTTP packets and routes them to a Web server application. Similarly, it listens through port 25 for SMTP packets and routes them to an server application. These open ports can be a security issue, because hackers gain entry to a computer through open ports. For example, if a server connected to the Internet is set up as an FTP server, the computer is listening through port 21 for incoming FTP requests. Using port-scanning software, a hacker can locate this open port and gain entry to the system, particularly if the FTP service is not password-protected. If password-protected, the hacker might still gain entry by using password-cracking software to attempt to learn the password. It is important to use passwords that are difficult to crack. Servers are particularly vulnerable, because unsecured servers can have many open ports associated with services. But, a client system is also vulnerable in the following ways: If used to host a personal website, port 80 is open. Most operating systems have security vulnerabilities that can be exploited when connected to the Internet. For example, a Microsoft Windows PC connected to the Internet can be vulnerable if it is configured with File and Printer Sharing enabled, which opens port 137. This feature is designed to allow files and printers to be shared over a small local area network (LAN). However, when these systems are connected to the Internet via cable modem or DSL, they essentially become network resources available over the Internet via port 137. (In a home network, File and Printer Sharing should be disabled on the Internet connection of any PC directly connected to the Internet by dial-up modem or broadband cable modem/dsl. File and Printer Sharing should remain enabled on the PC's separate connection to the internal network, as well as on other client PCs on the network not connected directly to the Internet. This allows users to share printers and files over the network.) If files on the client system need to be accessed remotely across the Internet, a port is open. If running Internet-based remote access programs such as pcanywhere, Laplink, or Wingate, a port is open. If compromised with a Trojan horse (see sidebar) program such as BackOrifice or NetBus, a port may be opened. What is a Personal Firewall? Trojan Horse One of the more prevalent attacks today, a Trojan horse is a destructive program that masquerades as a benign program. A Trojan horse typically enters a computer as an attachment or as a download from the Internet. User intervention is required to actually infect the computer; the program must be executed. Trojan horses may also be used to locate passwords or tamper with data or programs stored on the hard drive. Or, a Trojan horse may open a port to listen for packets from hackers taking advantage of the security breach. Trojan horses have been used in recent denial-of-service attacks in which infected computers deluge public websites with requests, making the websites unavailable to legitimate users. Sophisticated commercial firewalls with the performance capacity to handle enterprise networks have been around for awhile, but it has only been in the last few years that personal firewalls have emerged that are designed to prevent unauthorized access to or from a home PC or network. Commonly, personal firewalls protect home/ home office systems and networks from being accessed by unauthorized users from the Internet. Firewalls consist of software running on a PC, dedicated gateway, or firewall hardware device. The software examines all messages entering or leaving the private network and accepts or rejects them based on user-defined rules. 2

3 The most secure firewalls are dedicated devices that include all of the necessary hardware and software, but they can be complicated to set up and configure. Because of this complexity, dedicated firewalls are uncommon in the typical home network in which one or two PCs are connected to the Internet. Instead, a number of personal firewall software packages have become popular. The software runs on a home PC connected to the Internet or on PCs that connect to the Internet over a home network. These packages are typically inexpensive (or free) and require less configuration than their enterprise counterparts. Some examples are Norton Internet Security 2000 (firewall and virus protection), BlackICE Defender, ZoneAlarm, and McAfee.com Personal Firewall. Firewall functions are also bundled into the residential gateway hardware devices that connect a home network to the Internet. Packet-filtering routers and proxy servers are the two distinct types of firewalls in common use today. Packet-filtering routers make decisions at the network level of the Open System Interconnection (OSI) model (or IP level of the TCP/IP model) based on the source Firewall Functions The OSI model standardizes the process of data communications into a modular, seven-layer protocol stack. Layer 7: Application Layer 6: Presentation Layer 5: Session Layer 4: Transport Layer 3: Network Layer 2: Data Link Layer 1: Physical Each layer performs a specific communications function and provides services to the layers immediately above and below it. The result is a systematic, step-by-step process for transmitting and receiving information over the network. The goal is interoperability protocols that conform to standards can be interchanged without a reduction in functionality. and destination addresses, and ports in individual IP packets. Packet-filtering routers have a low impact on network performance. Proxy servers monitor and control Internet traffic at the application level of the OSI or TCP/IP model. The proxy server's application-level filtering offers a high level of security, but has a significant impact on network performance. Personal firewalls primarily use packet filtering to detect and block intruders. Some also include rudimentary application filtering. In addition, these applications typically generate alerts and log intrusion attempts. Packet Filtering In packet filtering, the firewall software inspects the header information (source and destination IP addresses and ports) in each incoming and, in some cases, outgoing, TCP/IP packet. Based on this information, the firewall blocks the packet or transmits it. The firewall uses the port information to block idle or nonstandard ports such as a listening port opened by a Trojan horse. In this way, the firewall blocks packets sent from a hacker to the Trojan horse listening port. Increasingly, personal firewalls also block outgoing traffic on these ports. This precludes a Trojan horse from sending outgoing packets. The firewall also uses the port information to block certain types of incoming packets associated with common hacker attacks. For example, hackers Firewalls work in concert with antivirus software. A firewall can detect attacks against the system, but cannot detect viruses such as a Trojan horse that enter the system via or Web download. The combination of good up-to-date antivirus and firewall software is essential. use port scanner software to identify target computers for attack. Port scanners ping ranges of IP addresses via port 7. If a computer responds to the ping, it becomes a target for further probing for open ports. By default, personal firewall software packages block these incoming pings on port 7 so that the computer does not respond. Personal firewalls also use the source and destination IP addresses to filter packets. Firewalls can be configured to allow or block packets from specific IP addresses. However, packet filtering is susceptible to IP spoofing, which refers to the practice of forging the source IP address in a packet. In this way, a malicious hacker can try to gain entry by spoofing the source IP address. For example, some firewalls will not block a packet if its source and destination IP addresses correspond to IP addresses behind the firewall on the private network. Hackers exploit this vulnerability by forging the source IP address. In another IP spoofing scenario, the source and destination IP addresses are the same; this type of packet will lock up some computers. 3

4 Personal Firewalls: Firewall Protection for PCs and Home Networks Application Filtering Application-level filtering uses higher-layer protocol information to filter traffic and implements additional security and access control services. More typical in enterprise networks, application-level firewalls are implemented as hosts running proxy servers. These proxy servers are used to prevent direct traffic between network peers. Additionally, proxy servers can log and audit network traffic. Many personal firewalls have a basic form of application-level filtering that allows users to specify which applications on the computer may access the Internet. Some Trojan horse programs may circumvent this filtering by modifying a program that is commonly granted full access to the Internet through a firewall. In this way, the Trojan horse masquerades as a harmless program on the PC, but provides a hacker with access to the PC, in spite of application-level filtering firewalls. Only a personal firewall software package (such as ZoneAlarm), which also checks programs for unauthorized modifications, can successfully defend a user from this type of attack. Alerting and Logging A key feature of any firewall is its ability to alert the user when it detects an attack, and to maintain a system log of these events. This allows the user to identify threats and to fine tune the firewall configuration appropriately. A key responsibility of the user is to monitor the logs and take appropriate action when necessary. 1 Network Address Translation (NAT) Firewall protection is also included in residential gateway hardware devices that are designed for home/ home office network use. These special-purpose devices serve as the gateway between the incoming broadband Internet service (such as DSL or cable modem) and the home network. These residential gateways provide basic firewall protection via NAT. NAT is an Internet Engineering Task Force (IETF) standard that makes it possible for a LAN to appear as one IP address on the Internet. A NAT server acts as a gateway between the Internet and the LAN, and assigns private IP addresses to each client PC on the LAN. These private addresses are not known outside the LAN on the Internet. All incoming packets arriving at the NAT gateway have the same destination address. The NAT gateway refers to its associationmapping table to determine the actual client address and port number for a destination packet and forwards the packet to the correct client. Many of these NAT devices also include additional firewall protection in the form of basic packet filtering. Some NAT implementations also include stateful port inspection, in which the firewall monitors the state of the transaction to verify that the destination of an inbound packet matches the source of a previous outbound request. Stateful port inspection helps to prevent denial-of-service attacks (which typically use the UDP transport) that can be mounted using IP address spoofing techniques. If there is no dedicated residential gateway device, NAT can also be implemented on a PC, enabling the PC to function as the gateway. Internet connection sharing software such as WinGate and WinProxy provide this functionality. The PC must also have a robust personal firewall to protect itself and all PCs on the home network. Recent Windows operating systems include built-in NAT functionality called Internet Connection Sharing (ICS). ICS allows a PC running Windows 98 SE, Windows 2000, Windows Millennium Edition (Me), and the upcoming Windows XP to be configured as an Internet connection-sharing gateway. PC-Based Personal Firewall Software The personal firewall software industry has been consolidating with other security programs. Antivirus software industry leaders Symantec and McAfee have acquired personal firewall software packages, and offer them in addition to their antivirus products. Symantec also bundles its personal firewall with its leading antivirus software into a personal security suite called Norton Internet Security Virus definition files and firewall software can be updated regularly over the Internet. In addition, the upcoming Microsoft XP operating system includes built-in personal firewall software. 1. Not all events that appear in the log are hacker attacks. There are many different types of harmless events such as ISP server pings that can appear in the log. 4

5 Windows XP: Built-In Internet Connection Firewall Windows XP will include a built-in personal firewall called Internet Connection Firewall that provides basic firewall protection. Automatically enabled when the Windows XP Home Networking wizard is run, the firewall can be applied to each Internet connection on the computer. There are additional configuration options for more advanced users. These advanced options include the ability to open or close specific TCP or UDP ports, or to enable port redirection. Port redirection allows access requests to a specific port on the firewall (such as port 80, the Web server port) to be automatically redirected to another computer on the local network. This capability allows a Web server on a home network to be protected by an edge firewall. The firewall also provides basic logging capabilities. Good security is multilayered, and includes ISP security measures to detect and block attacks. Within the home or home network, implementing ICS or NAT on the home network gateway device hides the IP addresses of networked PCs. The addition of firewall software on the gateway device or on each networked PC provides another layer of protection, as does regularly monitoring the logs generated by the firewall software. For further protection, users can enable password protection on each networked PC. Finally, the ultimate protection is to power off networked PCs that are not in use for extended periods of time. A typical home network configuration shares home PCs and printers behind a residential gateway, with each PC protected by antivirus software. The residential gateway is a router with a NAT firewall (such as current broadband cable/dsl routers Conclusion How to Protect Home PCs and Home Networks Install firewall and antivirus software. Update them regularly. On Windows PCs, turn off file and printer sharing, if possible. If needed for home network, configure firewall software appropriately. Turn off your computer when not in use for an extended period of time. Password-protect all server-type services such as Telnet, FTP, and Web servers. Use hard-to-crack passwords. equipped with multiple 10/100 Ethernet networking ports) or a PC configured for NAT or ICS. In the latter case, the PC must be equipped with robust personal firewall software to protect itself and all PCs on the home network. If these residential gateway options are not possible, each PC connected to the Internet must be protected by personal firewall software. Information in this document is subject to change without notice Dell Computer Corporation. All rights reserved. Trademarks used in this text: The DELL logo is a trademark of Dell Computer Corporation; Microsoft and Windows are registered trademarks of Microsoft Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and names or their products. Dell Computer Corporation disclaims any proprietary interest in trademarks and trade names other than its own. 5