What is a Firewall?
A firewall is a tool that monitors communication to and from your computer. It sits
between your computer and the rest of the network, and according to some criteria,
it decides which communication to allow, and which communication to block. It
may also use some other criteria to decide which communication or
communication request to report to you (either by adding the information to a log
file that you may browse whenever you wish, or in an alert message on the screen),
and which not to report.
What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common way to
break into a home computer and gain control is by using a remote access Trojan
(RAT), sometimes called a "backdoor Trojan" or "backdoor program". Many
people simply call it a "Trojan horse", although the term "Trojan horse" is much
more generic. A Trojan horse is a program that claims to do something really
innocent, but in fact does something much less innocent. The name goes back to the
days when the Greek soldiers succeeded in entering through the gates of Troy by
building a big wooden horse and giving it as a present to the king of Troy. The
soldiers of Troy allowed the sculpture to enter through their gates, and then at night,
when the soldiers were busy guarding against an outside attack, many Greek soldiers
who were hiding inside the horse came out and attacked Troy from the inside. This
story, which may or may not be true, is an example of something that looks innocent
and is used for some less innocent purpose. The same thing happens in computers.
You may sometimes get some program, via ICQ, Usenet, or IRC, and
believe this program to be something good, while in fact running it will do
something less nice to your computer. Such programs are called Trojan horses. It is
generally accepted that the difference between a Trojan horse and a virus is that a
virus has the ability to self-replicate and to distribute itself, while a Trojan horse
lacks this ability. A special type of Trojan horse is the RAT (Remote Access Trojan;
some say "remote admin Trojan"). These Trojans, once executed on the victim's
computer, start to listen for incoming communication from a matching remote
program that the attacker uses. When they get instructions from the remote
program, they act accordingly, and thus let the user of the remote program
execute commands on the victim's computer. To name a few famous RATs, the most
common are Netbus, Back-Orifice, and SubSeven (which is also known as
Backdoor-G). In order for the attacker to use this method, your computer must first
be infected by a RAT.
Prevention of infections by RATs is no different than prevention of infection by
viruses. Antivirus programs can identify and remove most of the more common
RATs. Personal firewalls can identify and block remote communication efforts to
the more common RATs and by thus blocking the attacker, and identifying the
Blocking/Identifying Other Types of Trojans and Worms?
There are many other types of Trojan horses which may try to communicate with
the outside from your computer: e-mail worms trying to distribute themselves
using their own SMTP engine, password stealers, or anything else. Many of them
can be identified and blocked by a personal
The term "spyware" is slang and is not well defined. It is commonly used
mainly for various adware (adware is a program that is supported by
presenting advertisements to the user) that, during its installation process,
installs an independent program which we shall call an "adbot". The adbot runs
independently even if the hosting adware is not running, and it maintains the
advertisements, downloads them from the remote server, and provides information
to the remote server. The adbot is usually hidden. There are many companies that
offer adbots and advertisement services to adware. The information that the
adbots deliver to their servers from the computer where the adbot is installed is
how much time each advertisement is shown, which was the hosting adware, and
whether the user clicked on the advertisement. This is important so that the
advertisement server will be able to know how much money to get from each of the
advertised companies, and how much of it to deliver to each of the adware
maintainers. Some of the adbots also collect other information in order to better
choose the advertisements for the users. The term "spyware" is more generic, but
most spyware falls into this category. Many types of adbots can be identified
and blocked by personal firewalls.
Some of the better personal firewalls can be set to block communication with
specific sites. This can be used in order to prevent downloading of advertisements in
web pages, and thus to accelerate the download process of the web sites. This is not a
very common use of a personal firewall, though.
Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites, e.g. they instruct the web
browser to download a small picture (sometimes invisible) from a tracking site.
Sometimes the pictures are visible and provide some statistics about the site. Those
tracking sites will try to save a small piece of text either as a small file in a special
directory, or as a line in a special file (depending on which browser you use), and
your browser will usually allow the site that saved the text to read it back from your
computer. This is called "web cookies" or sometimes simply "cookies". Cookies
allow a web site to keep information that it saved at some time when you entered it,
to be read whenever you enter the site again. This allows the web site to customize
itself for you, and to keep track of everything that you did on that site. It does not
have to keep that information on your computer. All it has to save on your computer
is a unique identifying number, and then it can keep on the server's side information
regarding what has been done by the browser that used that cookie. Yet, by this
method, a web site can get only information regarding your visits to it. Some sites
such as "doubleclick" or "hitbox" can collect information from various affiliated
sites, by putting a small reference in the affiliated pages to some picture on their
servers. When you enter one of the affiliated web pages, your browser will
communicate with the tracking site, and this will allow the tracking site to put or to
read a cookie that identifies your computer uniquely, and it can also know which
web page referred to it, and any other information that the affiliated web site wanted
to deliver to the tracking site. This way tracking sites can correlate information from
many affiliated sites, to build information that, for example, will allow them to better
customize the advertisements that are put on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking sites. It is not
a common use of a personal firewall, though, and a personal firewall is not the best
tool for that, but if you already have one, this is yet another possible use of it.
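
The mechanism described above, as an added example that is not part of the original article: a constructed simulation of what a tracking site's server ends up knowing when one browser visits pages on three affiliated sites, first with the cookie accepted and then with it refused. The page addresses and the cookie name "uid" are assumptions made up for the illustration.

```python
"""Constructed simulation of cross-site tracking with a cookie (illustrative only)."""
import itertools
from collections import defaultdict

# Constructed page addresses on three affiliated sites (hypothetical names).
PAGES = [
    "http://news.example/politics.html",
    "http://shop.example/cameras.html",
    "http://forum.example/health/thread17.html",
]


class TrackingServer:
    """Server side of a tracking site: hands out a unique identifying number
    in a cookie and files every picture request under that number."""

    def __init__(self):
        self._ids = itertools.count(1)
        self.profiles = defaultdict(list)   # uid -> pages that referred to us

    def picture_request(self, cookie, referer):
        """Handle one request for the small picture.

        cookie  -- dict the browser sent back (empty if it holds no cookie)
        referer -- address of the affiliated page that embedded the picture
        Returns the cookie to set, or None when the browser is already known.
        """
        uid = cookie.get("uid")
        to_set = None
        if uid is None:
            uid = str(next(self._ids))
            to_set = {"uid": uid}
        self.profiles[uid].append(referer)
        return to_set


class Browser:
    """The browser's cookie store for the tracking site."""

    def __init__(self, accept_cookies):
        self.accept_cookies = accept_cookies
        self.jar = {}

    def open_page(self, page, tracker):
        # Loading the page makes the browser fetch the embedded picture from
        # the tracker, sending any stored cookie and naming the page.
        to_set = tracker.picture_request(dict(self.jar), page)
        if to_set and self.accept_cookies:
            self.jar.update(to_set)


def browse(accept_cookies):
    """Visit every page once; return what the tracker ends up knowing."""
    tracker = TrackingServer()
    browser = Browser(accept_cookies)
    for page in PAGES:
        browser.open_page(page, tracker)
    return dict(tracker.profiles)


if __name__ == "__main__":
    for accept in (True, False):
        print("cookie accepted:" if accept else "cookie refused:")
        for uid, pages in browse(accept).items():
            print("  id", uid, "->", pages)
```

With the cookie accepted, all three visits are filed under one identifying number; with it refused, each visit gets a fresh number and the tracker holds three unrelated single-page records.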
Blocking or Limiting the NetBIOS Communication? (as well as other default
The two common methods intruders use to break into home computers are through a
RAT (which was discussed in II.3a) and through NetBIOS communication.
NetBIOS is a standard for naming computers in small networks, developed long ago
by IBM and Microsoft. There are a few communication standards which are used in
relation to NetBIOS. The ones that are relevant for Microsoft Windows
operating systems are NBT (NetBIOS over TCP/IP), IPX/SPX, and NetBEUI. The
communication standard which is used over the Internet is NBT. If it is enabled,
and there is no firewall or something else in the middle, it means that your computer
is listening for communications over the Internet via this standard, and will react
according to the different NBT commands that it gets from remote programs. It
is thus that NBT (which is sometimes loosely called "NetBIOS") is acting as a
server. So the next question should be "which remote NBT commands will the NBT
server carry out on the local computer?" The answer to this question depends on the
specific settings on your computer. You may set your computer to allow file and
print sharing. If NBT is also enabled, it means that you allow remote users to share
your files or printers. This is a big problem. It is true that in principle the remote
user has to know your password for that computer, but many users do not set a
password for their user on Windows, or set a trivial password. Older versions of
Win95 had file and print sharing over NetBIOS enabled by default. On Win98 and
WinMe it was disabled by default, but many technicians, when they set up a home
network, enable file and print sharing without being aware that it
also influences the authorizations of a remote Internet user. There are even worms
and viruses that use the file sharing option to spread on the Internet. Anyway, no
matter whether you need it for some reason or are just not aware of it, a personal
firewall can identify and block any external effort to communicate with the
NetBIOS server on your computer. The more flexible personal firewalls can be set
to restrict the authorization to communicate with NetBIOS. Some Windows
operating systems, especially those which are not meant for home use, offer other
public services by default, such as RPC. A firewall can identify communication
efforts to them, and block them. Since such services listen for remote
communications, there is a potential risk when there are efforts to exploit security
holes in the programs that offer the services, if there are such security holes. A
firewall may block or limit the communication to those services.
Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even if well maintained, a remote person
will still be able to know that the communication effort has reached some computer,
and perhaps some information about the operating system on that computer. If that
computer is handled well, the remote user will not be able to get much more
information from your computer, but might still be able to identify also who your
ISP is, and might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication effort from
remote users (in the better firewalls you may define an exception list) will not be
responded to at all. This way the remote user will not even be able to know that it
reached a live computer. This might discourage the remote attacker from investing
further time in an effort to crack into your computer.
The Non-Firewall Defenses
We've discussed a few situations where a personal firewall can provide defense. Yet,
in many cases a computer maintainer can deal with those situations even without a
firewall. Those "alternative" defenses, in many cases are recommended regardless
of whether you use a firewall or not.
Remote Access Trojans?
The best way to defend against remote access Trojans (RATs) is to prevent them
from being installed on your computer in the first place. A RAT must first infect
your computer in order to start to listen for remote communication efforts. The
infection techniques are very similar to the infection techniques that viruses use, and
hence the defense against Trojan horses is similar to the defense against viruses.
Trojan horses do not distribute themselves (although they might be companions of
another Internet worm or virus that distributes them). Yet, because in most cases
they do not distribute themselves, it is likely that you will get them from anonymous
sources, such as instant messengers, Kazaa, IRC, or a newsgroup. Adopting a
suspicious policy regarding downloads from such places will save you not only from
viruses but also from getting infected with Trojan horses, including RATs. Because
Trojan horses are similar in some ways to viruses, almost all antivirus programs can
identify, block from being installed, and remove most of the Trojan horses,
including all the common ones. There are also some programs (sometimes called
antiTrojan programs) which specialize in the identification and removal of Trojan
horses. For a list of those programs, and for a comparison of how well different
antivirus and antiTrojan programs identify different Trojan horses, see Hackfix
(http://www.hackfix.org), under "Software test results". Hackfix also has
information on the more common RATs (such as Netbus and SubSeven) and
on how to remove them manually. There are some tools and web sites, such as port
scanners, and some ways of using more generic tools such as telnet, msconfig,
and netstat, which may help you to identify a RAT.
Other types of Trojans and worms?
Also here your main interest should be to prevent them from infecting your
computer in the first place, rather than blocking their communication. A good
antivirus and a good policy regarding the prevention of virus infections, should be
the first and most important defense.
Spyware and Adbots?
The term spyware is sometimes misleading. In my view, it is the responsibility of the
adware developer to present the fact that the adware installation will install or use
an independent adbot, and to provide the information on how this adbot
communicates, and which information it delivers, in a fair place and manner before
the adware is installed. It is also a responsibility to provide this information on their
web sites, so that people will be aware of that before they even download the
software. Yet, in general, those adbots do not pose any security threat, and in many
cases also their privacy threat is negligible for many people (e.g. the computer with
adbot number 1127533 has been exposed to advertisements a, b, c, such and such
times, while using adware x, while the computer with adbot number 1127534 has
been exposed to advertisements a, d, and e, such amount of time, with the use of
adware y, and clicked on ad number d). It should be fully legitimate for software
developers to offer advertisement-supported programs, and it is up to the user to
decide whether the use of the program is worth the ads and the adbot, or not.
Preventing an adbot from communicating is generally not a moral thing. If you decide
to use an adware, you should pay the price of letting the adbot work. If you don't
want it, please remove the adware, and only if for some reason the adbot continues to
work even if no hosting adware that uses it is installed, you may remove the adbot.
Anyway, there are some very useful tools to identify whether a program is
"spyware", or whether "spyware" is installed on your computer, and you are
certainly entitled to this information. Two useful programs are "AdAware", which
identifies "spyware" components on your computer and allows you to remove them,
and Ad-Search, which allows you to provide the name of a program and tells you
whether this program is "spyware" and which adbot it uses. It is useful to assist
you in choosing whether to install a program or not. You may find those programs
at http://www.lavasoft.nu (or, if it doesn't work, you may try
http://www.lavasoftusa.com). Those programs are useful, mainly because many
adware developers are not fair enough to present this information in a fair manner.
AdAware also allows you to remove those adbot components from your computer.
This might, however, terminate your license to use the hosting adware programs,
and might even cause them to stop functioning. A website which offers to check
whether a specific program that you wish to install is "spyware" or not, is
Leaving aside the moral aspect of blocking advertisements, a personal firewall is not
the best tool for that anyway. This is not the main purpose of a firewall, nor
its main strength. Some of them can block some of the advertisements from being
downloaded, if you know how to configure them for that. Yet, there are better tools
for that, such as Proxomitron (http://www.proxomitron.org), CookieCop 2 (search
for the word cookiecop on http://www.pcmag.com), or Naviscope
(http://www.naviscope.com), and there are many other programs as well. You may
check for other alternatives, e.g. in Tucows
Blocking Tracking Sites?
Here too, a personal firewall is not the best tool for that, and there are other tools
and ways which are more effective. These are cookie utilities. Since a tracking site
uses a cookie to identify and relate the information gathered to the same person (or
computer), by preventing the cookie from being installed, the tracking site will lose
its ability to track things. There are plenty of cookie management utilities. Some of
them are freeware, and some are not. CookieCop which was mentioned in the
former section is one of them. WebWasher (http://www.webwasher.com) is another
recommended one, and there are plenty of other alternatives such as cookie-crusher,
cookie-pal, pop-up killer, etc. You may search for other alternatives, in Tucows
NetBIOS and Other Services?
NetBIOS over TCP/IP (NBT), which is sometimes loosely called "NetBIOS", is a
service which has some security problems. It is enabled by default in
Windows default installations, and it is very common to see a firewall doing the
job of preventing efforts to get access to your computer via NBT. Yet, in almost
all cases, this service is not needed, and thus can be disabled. Disabling NBT in
Win95/98/ME is not as simple as it is in Win2K/XP, but can still be done reliably.
We explain how to do this in another article (#to be written soon). Needless to
say, if NBT is disabled, there is no need for a firewall to block communication
to it. Also, in the case of other services, such as RPC services and others, in many
cases you simply don't need those services, and it is better to disable them from
within Windows rather than use the firewall to block them. There are various ways to
know which services are running on your computer, and which of them are listening
for communications from the outside. If there are ones that you don't need, they
should be disabled.
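
One way to do the check described above, and the netstat check mentioned earlier for RATs, as an added example that is not part of the original article: a script that reads `netstat -an` output and lists every socket that waits for traffic on a non-loopback address. The sample output is constructed, and the RAT port numbers are the commonly documented defaults, added here as an assumption.

```python
"""Audit `netstat -an` output for the listeners discussed in the article."""
import ipaddress

# NBT and RPC are named in the article. The RAT rows are the commonly
# documented default ports, added here as an assumption: a RAT can be set to
# listen on any port, so a clean result does not prove the machine is clean.
KNOWN_PORTS = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NBT name service",
    ("UDP", 138): "NBT datagram service",
    ("TCP", 139): "NBT session service (file and print sharing)",
    ("TCP", 12345): "NetBus default port",
    ("TCP", 27374): "SubSeven default port",
    ("UDP", 31337): "Back Orifice default port",
}
UNKNOWN = "unidentified listener, check which program owns it"

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1034      203.0.113.5:80         ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""


def parse_listeners(netstat_text):
    """Yield (proto, host, port) for every socket waiting for remote traffic."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue                      # banner, header or blank line
        proto, local = fields[0], fields[1]
        # TCP rows carry a state; UDP rows have none and are always "open".
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        host, _, port = local.rpartition(":")
        if port.isdigit():
            yield proto, host, int(port)


def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False   # unparsable address: treat as reachable and report it


def audit(netstat_text):
    """Return sorted (proto, port, description) for remotely reachable listeners."""
    findings = set()
    for proto, host, port in parse_listeners(netstat_text):
        if is_loopback(host):
            continue   # only local programs can reach a loopback listener
        findings.add((proto, port, KNOWN_PORTS.get((proto, port), UNKNOWN)))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, what in audit(SAMPLE):
        print(f"{proto} {port:>5}  {what}")
```

On a real machine the text would come from running `netstat -an` and saving its output; each line the script reports is a service to disable if it is not needed, or to trace to the program that owns it.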
Hiding the Computer?
On their web sites, many personal firewall companies put a lot of weight on
the ability of their firewall to hide the computer on the Internet. Yet, exposing your
home computer on the Internet is, by itself, neither a security nor a privacy threat. If
you provide some services to the Internet on your computer, for example, you put a
web server on your computer to allow other people to view web pages, then you
might get rid of some of the crackers by setting your firewall to unhide only this
type of communication. Some attackers will not make a full scan of your computer,
but only a partial scan, and if they did not scan for the specific service that you
provide, they will not see your computer. Yet, if the service is a common one, there
is a good chance that many of them will scan for it and thus find the existence of
your computer. If they "see" the existence of your computer, they might decide to
scan it further, find out the services you are providing, and scan it for security holes
to use. Yet, there is not much meaning to it when we speak about simple home
What a Firewall Cannot Do!
Another misconception about personal firewalls is that they are incorrectly thought
to claim to give overall protection against "hackers" (i.e. intrusions). They
Defense Against Exploitation of Security Holes
A firewall can allow or deny access to your computer or from your computer
according to the type of communication, its source and destination, and
which program on your computer is handling the communication. Yet,
its ability to understand the details of the communication is very limited. For
example, you may set the firewall to allow your e-mail program to get and/or send
messages, or to deny it. It may allow your web browser to browse the Internet, or
deny it. But if you allowed your e-mail program to communicate with
the e-mail servers for sending and receiving messages (and you are likely to allow it
if you want to use your e-mail program), or if you set the firewall to allow your web
browser to communicate with web sites, the firewall will not be able to understand
the content of the communication much further. If your web browser has a
security hole, and some remote site tries to exploit it, your firewall will not be
able to make a distinction between the communication that exploits the security
hole and legitimate communication. The same principle goes for e-mail programs.
A personal firewall may block you from receiving or sending e-mail messages, but if
you allowed it to receive messages, the personal firewall will not make a distinction
between a legitimate message and a non-legitimate one (such as one that carries a
virus or a Trojan horse). Security holes in legitimate programs can be exploited and
a personal firewall can do practically nothing about it.
I should comment, however, that some personal firewalls come combined with some
Trojan horse detection, or intrusion detection. This is not part of the classical
definition of a firewall, but it might be useful. Such tasks are usually taken by other
tools such as antivirus programs or antiTrojan programs.
Tricks to Bypass or Disable Personal Firewalls
There are also various ways to disable or bypass personal firewalls. Over time,
a few tricks to bypass or disable them were demonstrated by various programs,
especially tricks for an internal program to communicate with the outside,
bypassing or tricking the firewall. To some of them, such as the one demonstrated
by Leaktest, in which a non-legitimate program disguises itself as Internet
Explorer, practically all personal firewalls are immune today. Other tricks,
such as the one demonstrated by Outbound, which uses a non-standard type of
communication directly to the network adapters, bypassing the components of the
operating system which are supposed to deal with Internet communication and
thereby bypassing the firewall, are only now being patched against by the various
firewalls. Yet other methods, such as the one demonstrated by Tooleaky, which
uses Internet Explorer as a messenger to communicate with the outside and is thus
identified as mere legitimate browsing, are still waiting for most personal
firewalls to find a fix.
Firewalls CANNOT Decide for You What is a Legitimate Communication and
What is Not
One of the main problems with personal firewalls is that you cannot simply install
them and forget them, counting on them to do their job. They can deny or permit
various types of communications according to some criteria, but what are these
criteria, and who decides what the criteria are for whether they should permit or
deny some communication?
The answer is that it is the computer user's job to define the exact criteria for when
the firewall should allow a communication and when it should block it. The firewall
may make it easier for you, but it should not make the decisions. There are too many
programs, too many versions, and it is not possible for the firewall to decide
accurately when a communication is legitimate and when it is not. One person might
think that it is legitimate for some program to deliver some information to the
outside in order to get some service, while another will think that it is not. One
version of a program might communicate with its home server in order to check
whether there is an upgrade, and another version might also install the upgrade
even if you do not wish it. Some firewalls will try to identify communication efforts
which are largely considered legitimate, and will give you the information so that it
will be easier for you to decide whether such should be allowed. Others will suffice
with more basic information, making no suggestions (and thus - no incorrect
recommendations). One way or another, once you have installed a firewall, you will
have better means to understand what types of communications are running on your
computer, but you will also have to understand them in order to be able to configure
your firewall so that it will correctly know which communications to allow and
which to block.
Common Problems and Deficiencies Regarding Personal Firewalls
A personal firewall might be a good contribution to security. Yet, if you do not
understand much about the topic, then you are likely to be confused and misled by
its alerts and queries, and thus find yourself spending hours chasing after
imaginary crackers, fearing imaginary threats, and misconfiguring it due to
misunderstanding. You may find yourself blocking legitimate and important
communication, believing it to be cracking efforts, and then be surprised that
things work slowly or that you are disconnected from the Internet, or you might be
misled into allowing a non-legitimate communication by some software that tricked
you into believing that it is a legitimate one. On the other hand, if you are quite
knowledgeable about computers and security, then you are likely to effectively defend
your computer even without a firewall (by means discussed in section II.4), and
thus the role of a personal firewall in securing your computer is extremely small
and not very important. We discuss here in brief some of the problems that
personal firewalls may generate.
A False Sense of Security
As we've already learned here, a firewall is limited in its ability to secure your
computer. Yet, many people believe that if they install a personal firewall they
will be secured against the various security threats. I was even surprised to find out
that there are people who give much higher priority to installing a
personal firewall than to installing an antivirus program. An always updated
antivirus program plays a much more important role in the security of a personal
home computer than installing and maintaining a personal firewall. A personal
firewall should not come at the expense of any other security measure that you use.
A False Sense of Insecurity
When you install a firewall and you look at all the communication efforts through it,
you might be surprised at the amount of communication efforts from the Internet to
your computer. Most of them are blocked by a typically configured firewall. There
are efforts all the time to try to communicate with various backdoor Trojans on
your computer. If you are not infected, there will be nothing to listen and to
respond to those communication efforts, and they are thus practically harmless.
There are efforts to communicate with your NBT driver, to see if your computer by
mistake allows file sharing. There are other types of probes to see if your computer
exists, or various efforts of servers to probe your computer in order to find the best
path for legitimate communication to it. There are sometimes remnants of
communications that were supposed to go to other computers, but made their way
to yours (for advanced readers: because the IP number that your computer uses
was used by some other computer earlier). Those communication efforts are
blocked even without a firewall. If your computer is not infected with a RAT, and if
your computer doesn't have NetBIOS over TCP/IP enabled, or even if it just does not
have file and print sharing enabled (and on most computers this is disabled by
default), then none of these pose any security threat. If your computer is not infected
with a SubSeven Trojan, then no matter how often there will be efforts to communicate
with it, they are all doomed to fail.
Yet, some personal firewalls (such as Norton Personal Firewall or ZoneAlarm) by
default proudly announce that they have just blocked an effort to crack into your
computer. Norton may even define those efforts that were blocked as "high security
threats" while they were not a threat at all even if your computer didn't have a
personal firewall at all. Such firewalls give you the false impression that they save
your computer again and again from extremely dangerous threats on the Internet,
so that you wonder how you survived so much time without noticing any
intrusion before you installed the firewall. I usually say that those personal
firewalls have their "report level" set to "promotional mode". Namely, the personal
firewall is set to give you the false impression that it is much more important than it
Chasing After Ghosts
This is a side effect of the types of misunderstandings that were discussed in the
When a person who is starting to learn the jargon related to personal firewalls is
told that some "dangerous" communication efforts persist from the same
source, the person is determined to locate and identify the "hacker", and perhaps
report it to the police or to their Internet service provider. However, since many
people do not really understand thoroughly how things work, they may sometimes
spend many hours trying to locate a cracker that does not exist, or find that the
knowledge they need in order to track the cracker is much higher than
what they have, and they might even suspect the wrong person due to lack of
knowledge (e.g. the contact person at the Internet service provider that was used
by the cracker). More knowledgeable people usually do not bother to track those
"hackers" (who are usually teenagers), but instead concentrate on the
security of their computer.
Blocking Legitimate Communications
No personal firewall is smart enough to decide for the user what is a legitimate
communication and what is not. A personal firewall cannot make a distinction
between a legitimate program trying to contact its server to check and notify the
user when there is a newer version, and a non-legitimate program trying to
communicate with its server in order to deliver sensitive information such as
passwords, unless the user tells it. It is thus up to the user to decide what should be
considered legitimate and what should not. Yet, can we count on the user to be
knowledgeable enough to decide what is legitimate and what is not? In many cases
the user is not knowledgeable enough, and may thus allow non-legitimate
communication or disallow a legitimate and important communication. There are
many types of communications that are handled just to manage other communications.
Among these are various types of communications between your computer and the
various servers of your Internet service provider. A user who is not knowledgeable
may interpret those types of communications as cracking efforts, and will thus decide
to block them. As a result, a connection might become slower, a connection to the
Internet service provider might be disconnected quite often and other types of
Being Tricked by Trojans
Just as less knowledgeable users may instruct the firewall to block legitimate
communications, they can be tricked by various Trojans into allowing them to
communicate. Some Trojans use names resembling or identical to names of
legitimate programs, so that the user will think that it is a legitimate program.
Users should be aware of that.
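
The two limits discussed above (a rule cannot see the content of an allowed communication, and a look-alike program name can satisfy a rule), as an added example that is not part of the original article: a constructed model of a firewall's allow/block decision. The file paths, the file contents and the choice of identifying a program by path plus SHA-256 digest are assumptions made for the illustration; the article does not say how any particular firewall identifies programs.

```python
"""Constructed model of a personal firewall's allow/block decision."""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Program:
    path: str      # full path of the executable
    image: bytes   # file contents (constructed stand-ins, not real binaries)

    @property
    def name(self):
        return self.path.replace("\\", "/").rsplit("/", 1)[-1].lower()

    @property
    def digest(self):
        return hashlib.sha256(self.image).hexdigest()


@dataclass(frozen=True)
class Connection:
    direction: str        # "in" or "out"
    program: Program      # local program handling the communication
    protocol: str         # "TCP" or "UDP"
    port: int             # remote port when outbound, local port when inbound
    content: bytes = b""  # what is exchanged; no rule field can refer to it


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "block"
    direction: str
    protocol: str
    port: Optional[int] = None    # None matches any port
    name: Optional[str] = None    # weak identity: file name only
    path: Optional[str] = None    # strong identity: full path ...
    digest: Optional[str] = None  # ... together with the file's digest

    def matches(self, conn):
        prog = conn.program
        checks = (
            self.direction == conn.direction,
            self.protocol == conn.protocol,
            self.port in (None, conn.port),
            self.name in (None, prog.name),
            self.path is None or self.path.lower() == prog.path.lower(),
            self.digest in (None, prog.digest),
        )
        return all(checks)


def decide(rules, conn):
    """First matching rule wins; whatever no rule mentions is blocked."""
    for rule in rules:
        if rule.matches(conn):
            return rule.action
    return "block"


BROWSER = Program(r"C:\Program Files\Internet Explorer\iexplore.exe",
                  b"constructed browser image")
LOOKALIKE = Program(r"C:\Temp\iexplore.exe", b"constructed look-alike image")

BY_NAME = [Rule("allow", "out", "TCP", 80, name="iexplore.exe")]
BY_IDENTITY = [Rule("allow", "out", "TCP", 80,
                    path=BROWSER.path, digest=BROWSER.digest)]


def verdicts():
    ordinary = Connection("out", BROWSER, "TCP", 80, b"an ordinary web page")
    hostile = Connection("out", BROWSER, "TCP", 80,
                         b"a page written to exploit a browser security hole")
    disguised = Connection("out", LOOKALIKE, "TCP", 80, b"stolen passwords")
    return {
        "ordinary page": decide(BY_IDENTITY, ordinary),
        # Same program, protocol and port, so same verdict: content is unseen.
        "hostile page": decide(BY_IDENTITY, hostile),
        # A rule that knows only the file name is satisfied by the look-alike.
        "look-alike, name rule": decide(BY_NAME, disguised),
        # Path and digest differ, so the look-alike falls to the default.
        "look-alike, identity rule": decide(BY_IDENTITY, disguised),
    }


if __name__ == "__main__":
    for case, verdict in verdicts().items():
        print(f"{verdict:5}  {case}")
```

A rule keyed on path and digest still allows the case the article attributes to Tooleaky, because there the real browser carries the traffic.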
Heavy Software, Buggy Software
Until now we discussed only problems related to lack of appropriate knowledge by
the user. Yet, there are other problems regarding personal firewalls. For example,
some of them are known to be quite heavy on computer resources, or to slow down the
communication speed. Different personal firewalls vary quite a lot with regard to
that. If you have a new computer with a slow Internet connection (such as regular
dial-up networking) then it might not slow down your computer noticeably. Yet, if you
use an older computer and a fast connection, you might find that some
personal firewalls will slow down your communication quite drastically. Personal
firewalls also vary in how stable they are.
Advantages of External Firewalls over Personal Firewalls
1. They do not take resources from the computer. This should be clear. This is
especially useful when the firewall blocks flooding attacks.
2. It is harder (although in principle still possible) for a Trojan horse to disable it,
because it does not reside in the same computer that the Trojan has infected. It is
not possible to use the specific communication while totally bypassing the firewall.
3. They can be used without any dependence on the operating system on the
computer(s) they defend.
4. No instability problems.