Author: Uzi Paz
E-Mail: for e-mail contact, the user is uzi4wg and the domain is uzipaz.com
First version date: 18 Aug 2002
Recent version date: 18 Oct 2002
Legal Notice: While as far as I know all the information here is exact and correct, as I'm giving this information as a free service, I'm taking no responsibility.
Parent Page: Uzi Paz home page on http://www.uzipaz.com
I. Introduction
I.1 Motivation for the Article
Personal firewalls are becoming more and more popular, and many more people are considering whether to use them. Yet, there are many misconceptions and misunderstandings about personal firewalls: what they do, what they cannot do, how to configure them correctly, and how to understand them correctly. Unfortunately, many of the articles about personal firewalls that I've read just add to the confusion. This article tries to provide a detailed, yet non-technical, explanation of personal firewalls. The article concentrates on personal firewalls used on typical home computers. If you are running public services on your computer, or wish to use a firewall to defend a computer network, the information in this article, while it can still be useful, does not suffice.
This article is derived from the first two sections of a much more exhaustive article which I still have to finish writing. This article deals only with the potential uses and limitations of personal firewalls. I tried here to avoid entering into the technical aspects. It does not go into any of the terminology used by firewalls, nor does it help you with the configuration of the firewall or with understanding the firewall's messages. The bigger article, which is still "under construction", also covers these subjects.
I.2. An Appetizer - False Statements You Might Have Seen
Here, we shall list some false conceptions and statements, and a short summary of the more accurate answer. We add it as an appetizer for the rest of the article. I hope that after reading this article, you will also understand better why those statements are false. If you don't understand some of those statements or they do not mean anything to you, then just skip this subsection, and proceed to section II.
Here are some false statements and misconceptions:
A computer can be very safe even without a firewall, and it can be unsafe while using a firewall. A firewall can add to the defense of the computer, but it must not be the main line of defense.
There is no generic way that always works for an intruder from the outside to bypass a firewall. There are some ways that work for a malicious program that is already running on your computer to bypass the firewall, but in order for it to do so, the intruder first has to find some way to plant it on your computer. For most of us, it is unlikely that an expert hacker works around the clock to find a way to penetrate our home computer. Almost all the intrusions into typical home computers use one of 2 or 3 methods, which can be blocked quite easily with a firewall and a bit of knowledge. The fact that a piece of software does not offer ultimate security does not render it useless.
II. An Extended Overview
II.1 Scope of the Section
In this section we shall learn what a firewall can and cannot do, and what the concerns should be regarding the use of a personal firewall. This should let us see the whole picture. Yet, because in this section we avoid any technical aspects, it will not suffice for us to understand the meaning of various firewall messages, or to understand how to configure a firewall correctly.
II.2 What is a Firewall
A firewall is a tool that monitors communication to and from your computer.
It sits between your computer and the rest of the network, and according
to some criteria, it decides which communication to allow, and which communication
to block. It may also use some other criteria to decide about which communication
or communication request to report to you (either by adding the information
to a log file that you may browse whenever you wish, or in an alert message
on the screen), and what not to report.
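The two decisions described above (allow or block, and what to report) can be pictured as a small rule table. The following is an added example and not code from the article or from any firewall product: it models one toy firewall in Python, with constructed program names, hosts, ports and rules, and shows that the decision is taken from direction, program, host and port only.

```python
# Added example (not from the article): a toy model of the two decisions a
# personal firewall makes for each communication: allow or block, and
# whether to report it silently, in the log, or as an on-screen alert.
# Program names, hosts, ports and rules below are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Connection:
    direction: str      # "in" (remote -> this computer) or "out" (this computer -> remote)
    program: str        # local program handling it; "" when nothing on this computer listens
    remote_host: str    # the other side of the communication
    port: int           # remote port for "out", local port for "in"


@dataclass(frozen=True)
class Rule:
    """A criterion; a field left as None matches anything."""
    direction: Optional[str] = None
    program: Optional[str] = None
    remote_host: Optional[str] = None
    port: Optional[int] = None
    action: str = "block"   # "allow" or "block"
    report: str = "log"     # "silent", "log" or "alert"

    def matches(self, c: Connection) -> bool:
        return ((self.direction is None or self.direction == c.direction)
                and (self.program is None or self.program == c.program)
                and (self.remote_host is None or self.remote_host == c.remote_host)
                and (self.port is None or self.port == c.port))


def decide(rules: List[Rule], c: Connection) -> Tuple[str, str]:
    """First matching rule wins. Note what is NOT an input: the content of the
    communication. The firewall judges direction, program, host and port only."""
    for r in rules:
        if r.matches(c):
            return r.action, r.report
    return "block", "log"   # safe default when no catch-all rule was configured


# A typical home configuration: a few programs allowed out, nothing allowed in.
RULES = [
    Rule(direction="out", program="outlook.exe", port=25, action="allow", report="silent"),   # SMTP
    Rule(direction="out", program="outlook.exe", port=110, action="allow", report="silent"),  # POP3
    Rule(direction="out", program="iexplore.exe", port=80, action="allow", report="silent"),  # HTTP
    Rule(direction="out", program="iexplore.exe", port=443, action="allow", report="silent"), # HTTPS
    Rule(direction="out", action="block", report="alert"),   # any other program going out: ask the user
    Rule(direction="in", port=139, action="block", report="log"),  # NetBIOS session probes: routine noise
    Rule(direction="in", action="block", report="log"),           # default: no inbound at all
]


if __name__ == "__main__":
    samples = [
        Connection("out", "outlook.exe", "mail.example.net", 110),
        Connection("out", "unknown.exe", "203.0.113.5", 6667),
        Connection("in", "", "198.51.100.7", 139),
        Connection("in", "", "198.51.100.7", 12345),
    ]
    for s in samples:
        print(s, "->", decide(RULES, s))
```

The order of the rules matters: the catch-all "block everything else" entries come last, and the report field is what separates a routine log line from an on-screen alert.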
II.3 What Is It Good For
I gathered here the main uses of a personal firewall.
II.3a Identifying and blocking remote access Trojans
Perhaps the most common way to break into a home computer and gain control of it is by using a remote access Trojan (RAT). (It is sometimes called a "backdoor Trojan" or "backdoor program". Many people simply call it a "Trojan horse", although the term "Trojan horse" is much more generic.)
A Trojan horse is a program that claims to do something really innocent, but in fact does something much less innocent. The name goes back to the days when the Greek soldiers succeeded in entering through the gates of Troy by building a big wooden horse and giving it as a present to the king of Troy. The Trojan soldiers allowed the sculpture to enter through their gates, and then at night, when the soldiers were busy guarding against an outside attack, many Greek soldiers who were hiding inside the horse came out and attacked Troy from the inside. This story, which may or may not be true, is an example of something which looks innocent and is used for some less innocent purpose. The same thing happens in computers. You may sometimes get some program, via ICQ, or via Usenet, or via IRC, and believe this program to be something good, while in fact running it will do something less nice to your computer. Such programs are called Trojan horses. It is customary to say that the difference between a Trojan horse and a virus is that a virus has the ability to self-replicate and to distribute itself, while a Trojan horse lacks this ability.
A special type of Trojan horse is the RAT (Remote Access Trojan; some say "remote admin Trojan"). These Trojans, once executed on the victim's computer, start to listen for incoming communication from a matching remote program that the attacker uses. When they get instructions from the remote program, they act accordingly, and thus let the user of the remote program execute commands on the victim's computer.
To name a few famous RATs, the most common are Netbus, Back Orifice, and SubSeven (which is also known as Backdoor-G).
In order for the attacker to use this method, your computer must first
be infected by a RAT.
Prevention of infections by RATs is no different than prevention of
infection by viruses. Antivirus programs can identify and remove most of
the more common RATs.
Personal firewalls can identify and block remote communication attempts to the more common RATs, thus blocking the attacker and identifying the RAT.
II.3b Blocking and identifying other types of Trojans and worms
There are many other types of Trojan horses which may try to communicate with the outside from your computer, whether they are e-mail worms trying to distribute themselves using their own SMTP engine, password stealers, or anything else. Many of them can be identified and blocked by a personal firewall.
II.3c Identifying and blocking spyware's adbots
The term "spyware" is a slang term which is not well defined. It is commonly used mainly for various adware (adware being a program that is supported by presenting advertisements to the user) that, during its installation process, installs an independent program which we shall call an "adbot". The adbot runs independently even if the hosting adware is not running, and it maintains the advertisements, downloads them from the remote server, and provides information to the remote server. The adbot is usually hidden.
There are many companies that offer adbots and advertisement services to adware.
The information that the adbots deliver to their servers from the computer where the adbot is installed is how much time each advertisement was shown, which was the hosting adware, and whether the user clicked on the advertisement. This is important so that the advertisement server will be able to know how much money to get from each of the advertised companies, and how much of it to deliver to each of the adware maintainers. Some of the adbots also collect other information in order to better choose the advertisements for the users. The term "spyware" is more generic, but most of the spyware falls into this category.
Many types of adbots can be identified and blocked by personal firewalls.
II.3d Blocking advertisements
Some of the better personal firewalls can be set to block communication with specific sites. This can be used in order to prevent downloading of advertisements in web pages, and thus to accelerate the download process of the web sites. This is not a very common use of a personal firewall, though.
II.3e Preventing communication to tracking sites
Some web pages contain references to tracking sites, e.g. they instruct the web browser to download a small picture (sometimes invisible) from a tracking site. Sometimes the pictures are visible and provide some statistics about the site. Those tracking sites will try to save a small text either as a small file in a special directory, or as a line in a special file (depending on which browser you use), and your browser will usually allow the site that saved the text to read it back from your computer. This is called "web cookies" or sometimes simply "cookies".
Cookies allow a web site to keep information that it saved some time when you entered it, to be read whenever you enter the site again. This allows the web site to customize itself for you, and to keep track of everything that you did on that site. It does not have to keep that information on your computer. All it has to save on your computer is a unique identifying number, and then it can keep, on the server's side, information regarding what has been done by the browser that used that cookie. Yet, by this method, a web site can get only information regarding your visits to it. Some sites such as "doubleclick" or "hitbox" can collect information from various affiliated sites, by putting a small reference in the affiliated pages to some picture on their servers. When you enter one of the affiliated web pages, your browser will communicate with the tracking site, and this will allow the tracking site to put or read a cookie that identifies your computer uniquely; it can also learn which web page referred to it, and any other information that the affiliated web site wanted to deliver to the tracking site. This way tracking sites can correlate information from many affiliated sites, to build information that, for example, will allow them to better customize the advertisements that are put on those sites when you browse them.
Some personal firewalls can be set to block communication to tracking
sites. It is not a common use of a personal firewall, though, and a personal
firewall is not the best tool for that, but if you already have one, this
is yet another possible use of it.
II.3f Blocking or limiting the NetBIOS communication, as well as other default services
The two common methods intruders use to break into home computers are through a RAT (which was discussed in II.3a) and through NetBIOS communication.
The NetBIOS is a standard for naming computers
in small networks, developed long ago by IBM and Microsoft. There are a
few communication standards which are used in relation to the NetBIOS.
The ones that are relevant for Microsoft Windows operating systems, are:
NBT (NetBIOS over TCP/IP), IPX/SPX, and NetBEUI.
The communication standard which is used over the Internet is NBT. If it is enabled, and there is no firewall or something else in the middle, it means that your computer is listening for communications over the Internet via this standard, and will react according to the different NBT commands that it gets from remote programs. In this sense NBT (which is sometimes loosely called "NetBIOS") is acting as a server.
So the next question should be "which remote NBT commands will the NBT server carry out on the local computer?"
The answer to this question depends on the specific settings of your computer.
You may set your computer to allow file and print sharing. If NBT is also enabled, it means that you allow remote users to share your files or printers. This is a big problem. It is true that in principle the remote user has to know your password for that computer, but many users do not set a password for their user on Windows, or set a trivial password. Older versions of Win95 had file and print sharing over NetBIOS enabled by default. On Win98 and WinMe it was disabled by default, but many technicians, when they set up a home network, enable file and print sharing without being aware that it also influences the authorizations of a remote Internet user. There are even worms and viruses that use the file sharing option to spread over the Internet. Anyway, no matter whether you need it for some reason or are just not aware of it, a personal firewall can identify and block any external effort to communicate with the NetBIOS server on your computer. The more flexible personal firewalls can be set to restrict the authorization to communicate with the NetBIOS.
Some Windows operating systems, especially those which are not meant for home use, offer other public services by default, such as RPC. A firewall can identify communication efforts to them, and block them. Since such services listen for remote communications, there is a potential risk when there are efforts to exploit security holes in the programs that offer the services, if there are such security holes. A firewall may block or limit the communication to those services.
II.3g Hiding your computer on the Internet
Without a firewall, on a typical computer, even a well maintained one, a remote person will still be able to know that the communication effort has reached some computer, and perhaps some information about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from your computer, but might still be able to identify who your ISP is, and might decide to invest further time in cracking into your computer.
With a firewall, you can set the firewall so that any communication effort from remote users (in the better firewalls you may define an exception list) will not be responded to at all. This way the remote user will not even be able to know that it reached a live computer. This might discourage the remote attacker from investing further time and effort in cracking into your computer.
II.4 The Non-Firewall Defenses
In section II.3 we discussed a few situations where a personal firewall can provide defense. Yet, in many cases a computer maintainer can deal with those situations even without a firewall. Those "alternative" defenses, in many cases are recommended regardless of whether you use a firewall or not.
II.4a Remote Access Trojans
The best way to defend against remote access Trojans (RATs) is to prevent them from being installed on your computer in the first place. A RAT must first infect your computer in order to start listening for remote communication efforts. The infection techniques are very similar to the infection techniques that viruses use, and hence the defense against Trojan horses is similar to the defense against viruses. Trojan horses do not distribute themselves (although they might be companions of another Internet worm or virus that distributes them). Yet, because in most cases they do not distribute themselves, it is likely that you will get them from anonymous sources, such as instant messengers, Kazaa, IRC, or a newsgroup. Adopting a suspicious policy regarding downloads from such places will save you not only from viruses but also from getting infected with Trojan horses, including RATs. Because Trojan horses are similar in some ways to viruses, almost all antivirus programs can identify, block from being installed, and remove most of the Trojan horses, including all the common ones. There are also some programs (sometimes called antiTrojan programs) which specialize in the identification and removal of Trojan horses. For a list of those programs, and for a comparison of how well different antivirus and antiTrojan programs identify different Trojan horses, see Hackfix (http://www.hackfix.org), under "Software test results". Hackfix also has information on the more common RATs (such as Netbus and SubSeven) and on how to remove them manually.
There are some tools and web sites, such as port scanners, and some ways of using more generic tools such as telnet, msconfig, and netstat, which may help you to identify a RAT.
II.4b Other types of Trojans and worms
Here too, your main interest should be to prevent them from infecting your computer in the first place, rather than blocking their communication. A good antivirus and a good policy regarding the prevention of virus infections should be the first and most important defense.
II.4c Spyware and adbots
The term spyware is sometimes misleading. In my view, it is the responsibility of the adware developer to present the fact that the adware installation will install or use an independent adbot, and to provide the information on how this adbot communicates and which information it delivers, in a fair place and manner, before the adware is installed. It is also their responsibility to provide this information on their web sites, so that people will be aware of it before they even download the software.
Yet, in general, those adbots do not pose any security threat, and in many cases their privacy threat is also negligible for many people (e.g. the computer with adbot number 1127533 has been exposed to advertisements a, b, c, such and such times, while using adware x, while the computer with adbot number 1127534 has been exposed to advertisements a, d, and e, for such an amount of time, with the use of adware y, and clicked on ad number d). It should be fully legitimate for software developers to offer advertisement-supported programs, and it is up to the user to decide whether the use of the program is worth the ads and the adbot, or not.
Preventing an adbot from communicating is generally not a moral thing to do. If you decide to use an adware, you should pay the price of letting the adbot work. If you don't want it, please remove the adware, and only if for some reason the adbot continues to work even though no hosting adware that uses it is installed, you may remove the adbot.
Anyway, there are some very useful tools to identify whether a program is "spyware", or whether a "spyware" is installed on your computer, and you are certainly entitled to this information. Two useful programs are "AdAware", which identifies "spyware" components on your computer and allows you to remove them, and Ad-Search, which allows you to provide the name of a program, and tells you whether this program is "spyware" and which adbot it uses. It is useful to assist you in choosing whether to install a program or not.
You may find those programs at http://www.lavasoft.nu (or, if it doesn't work, you may try http://www.lavasoftusa.com). Those programs are useful mainly because many adware developers are not fair enough to present this information in a fair manner. AdAware also allows you to remove those adbot components from your computer. This might, however, terminate your license to use the hosting adware programs, and might even cause them to stop functioning.
A website which offers to check whether a specific program that you wish to install is "spyware" or not is http://www.spychecker.com.
II.4d Blocking advertisements
Leaving aside the moral aspect of blocking advertisements, a personal firewall is not the best tool for that anyway. This is neither the main purpose of a firewall nor its main strength. Some of them can block some of the advertisements from being downloaded, if you know how to configure them for that. Yet, there are better tools for that, such as Proxomitron (http://www.proxomitron.org), CookieCop 2 (search for the word cookiecop on http://www.pcmag.com), or Naviscope (http://www.naviscope.com), and there are many other programs as well. You may check for other alternatives, e.g. in Tucows (http://www.tucows.com/adkiller95.html).
II.4e Blocking tracking sites
Here too, a personal firewall is not the best tool for that, and there are other tools and ways which are more effective. These are cookie utilities. Since a tracking site uses a cookie to identify and relate the information it gathers to the same person (or computer), by preventing the cookie from being installed, the tracking site will lose its ability to track things. There are plenty of cookie management utilities. Some of them are freeware, and some are not. CookieCop, which was mentioned in the former section, is one of them. WebWasher (http://www.webwasher.com) is another recommended one, and there are plenty of other alternatives such as cookie-crusher, cookie-pal, pop-up killer, etc. You may search for other alternatives in Tucows (http://www.tucows.com/cookie95.html).
II.4f NetBIOS and other services
NetBIOS over TCP/IP (NBT), which is sometimes loosely called "NetBIOS", is a service which has some security problems. It is enabled by default in Windows default installations, and it is very common to see a firewall doing the job of preventing efforts to get access to your computer via NBT. Yet, in almost all cases, this service is not needed, and thus can be disabled.
Disabling NBT in Win95/98/ME is not as simple as it is in Win2K/XP, but can still be done reliably. We explain how to do this in another article (#to be written soon). It is needless to say that if NBT is disabled, there is no need for a firewall to block communication to it.
Also, in the case of other services, such as RPC services and others, in many cases you simply don't need those services, and it is better to disable them from within Windows rather than use the firewall to block them. There are various ways to know which services are running on your computer, and which of them are listening for communications from the outside. If there are ones that you don't need, they should be disabled.
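One of the "various ways" of finding out what is listening, and one of the generic tools section II.4a mentions for spotting a RAT, is netstat. The following is an added example and not code from the article: it reads the text that `netstat -an` prints on Windows, keeps only the listening sockets, and attaches a short verdict to each port reachable from the network. The netstat output embedded in it is constructed for illustration (including a deliberately planted listener on a port historically used by SubSeven); the well-known port numbers are real, but a RAT can be set to use any port, so a non-match proves nothing.

```python
# Added example (not from the article): listing what is listening on a
# Windows computer from the output of `netstat -an`. SAMPLE below is a
# constructed netstat printout; in practice you would paste the real one.
import re
from typing import Dict, List, NamedTuple


class Listener(NamedTuple):
    proto: str        # "TCP" or "UDP"
    address: str      # local interface the socket is bound to
    port: int
    exposed: bool     # reachable from the network (i.e. not bound to loopback only)


# Well-known ports of the services the article discusses (fact, not constructed).
KNOWN = {
    135: "RPC endpoint mapper",
    137: "NetBIOS name service (NBT)",
    138: "NetBIOS datagram service (NBT)",
    139: "NetBIOS session service (NBT, file and print sharing)",
}
# Historical default ports of the RATs the article names. Illustrative only:
# a RAT can be configured to use any port, so a non-match proves nothing.
RAT_DEFAULTS = {12345: "NetBus", 27374: "SubSeven", 31337: "Back Orifice"}

# Windows netstat line: proto, local addr:port, foreign addr:port, optional state.
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Listener]:
    """Keep TCP sockets in LISTENING state and every bound UDP socket."""
    found = []
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue                      # headers, blank lines, etc.
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # established/closing connections are not listeners
        found.append(Listener(proto, addr, int(port), exposed=not addr.startswith("127.")))
    return found


def assess(listeners: List[Listener]) -> Dict[int, str]:
    """Map each network-reachable port to a short verdict for the computer's owner."""
    verdict = {}
    for l in listeners:
        if not l.exposed:
            continue                      # loopback-only: the Internet cannot reach it
        if l.port in KNOWN:
            verdict[l.port] = f"{KNOWN[l.port]}: disable it if unused, or block it at the firewall"
        elif l.port in RAT_DEFAULTS:
            verdict[l.port] = f"matches the default port of {RAT_DEFAULTS[l.port]}: scan with an antivirus/antiTrojan tool"
        else:
            verdict[l.port] = "unknown listener: identify the program that opened it"
    return verdict


# Constructed sample output (Windows formatting), not a real capture.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      203.0.113.8:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

if __name__ == "__main__":
    for port, why in sorted(assess(parse_netstat(SAMPLE)).items()):
        print(f"port {port}: {why}")
```

A listener bound to 127.0.0.1 is left out of the verdicts on purpose: it can only be reached from the computer itself, which is exactly the kind of distinction that turns a long netstat listing into a short list of things worth disabling.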
II.4g Hiding the computer
On the web sites of many personal firewall companies, a lot of weight is put on the ability of their firewall to hide the computer on the Internet. Yet, exposing your home computer on the Internet is by itself neither a security nor a privacy threat. If you provide some services to the Internet on your computer, for example you put a web server on your computer to allow other people to view web pages, then you might get rid of some of the crackers by setting your firewall to unhide only this type of communication. Some attackers will not make a full scan of your computer but only a partial scan, and if they did not scan for the specific service that you provide, they will not see your computer. Yet, if the service is a common one, there is a good chance that many of them will scan for it and thus find the existence of your computer. If they "see" the existence of your computer, they might decide to scan it further, find out the services you are providing, and scan it for security holes to use. Yet, there is not much meaning to this when we speak about simple home computers.
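The "hiding" of sections II.3g and II.4g comes down to what a single connection attempt gets back: an answer from a service, an answer saying "nothing here", or no answer at all. The following is an added example and not code from the article: a Python model of one computer in the three configurations discussed (no firewall, a firewall that discards everything, and a firewall that unhides one offered service), and of what a partial or full probe of it could conclude. The port numbers are constructed.

```python
# Added example (not from the article): what a remote probe learns about a
# computer with no firewall, with a "hiding" firewall, and with a hiding
# firewall that unhides one offered service. Port numbers are constructed.
from typing import Dict, Iterable, Set

# The three things a prober can observe for one connection attempt.
OPEN = "a service answered (port open)"
CLOSED = "the computer answered 'nothing here' (port closed)"
NOTHING = "no answer at all"


class Host:
    def __init__(self, listening: Set[int], hide: bool = False,
                 unhidden: Iterable[int] = ()):
        # hide=False: no firewall; the operating system answers every probe,
        #             with a "closed" reply where nothing listens.
        # hide=True:  the firewall silently discards inbound attempts, except
        #             on the ports in `unhidden` (the article's exception list).
        self.listening = set(listening)
        self.hide = hide
        self.unhidden = set(unhidden)

    def probe(self, port: int) -> str:
        if self.hide and port not in self.unhidden:
            return NOTHING
        return OPEN if port in self.listening else CLOSED


def scan(host: Host, ports: Iterable[int]) -> Dict[str, object]:
    """What a prober could conclude after trying the given ports."""
    results = {p: host.probe(p) for p in ports}
    return {
        # Any answer, even "closed", proves a live computer sits at this address.
        "alive": any(r != NOTHING for r in results.values()),
        "open_ports": sorted(p for p, r in results.items() if r == OPEN),
        "results": results,
    }


if __name__ == "__main__":
    bare = Host(listening=set())                          # well maintained, no firewall
    hidden = Host(listening=set(), hide=True)             # firewall discards everything
    web = Host(listening={80}, hide=True, unhidden={80})  # offers a web server only
    for name, h in [("bare", bare), ("hidden", hidden), ("web", web)]:
        print(name, "partial scan says alive:", scan(h, [139, 12345])["alive"],
              "| full scan says alive:", scan(h, [80, 139, 12345])["alive"])
```

The "bare" host has nothing to break into, yet every probe confirms that a computer is there; the "web" host stays invisible to a partial scan that skips port 80 and is found by any scan that includes it, which is the point made above about common services.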
II.5 What a Firewall Cannot Do
Another misconception about personal firewalls is that they are incorrectly thought to give overall protection against "hackers" (i.e. intrusions). They do not.
II.5a Defense against exploitation of security holes
A firewall can allow or deny access to your computer or from your computer according to the type of communication, its source and destination, and according to which program on your computer is handling the communication. Yet, its ability to understand the details of the communication is very limited.
For example, you may set the firewall to allow or deny your e-mail program from getting and/or sending messages. It may allow or deny your web browser from browsing the Internet. But if you allowed your e-mail program to communicate with the e-mail servers for sending and receiving messages (and you are likely to allow it if you want to use your e-mail program), or if you set the firewall to allow your web browser to communicate with web sites, the firewall will not be able to understand the content of the communication much further, and if your web browser has a security hole and some remote site tries to exploit it, your firewall will not be able to make a distinction between the communication that exploits the security hole and legitimate communication. The same principle goes for the e-mail program. A personal firewall may block you from receiving or sending e-mail messages, but if you allowed it to receive messages, the personal firewall will not make a distinction between a legitimate message and a non-legitimate one (such as one that carries a virus or a Trojan horse). Security holes in legitimate programs can be exploited, and a personal firewall can do practically nothing about it.
I should comment, however, that some personal firewalls come combined with some Trojan horse detection or intrusion detection. This is not part of the classical definition of a firewall, but it might be useful. Such tasks are usually handled by other tools, such as antivirus programs or antiTrojan programs.
II.5b Tricks to bypass or disable personal firewalls
There are also various ways to disable or bypass personal firewalls. Over time, a few tricks to bypass or disable them were demonstrated by various programs, especially tricks for an internal program to communicate with the outside by bypassing or tricking the firewall. Against some of them, such as the one demonstrated by Leaktest, in which a non-legitimate program disguises itself as Internet Explorer, practically all personal firewalls are immune today. Other tricks, such as the one demonstrated by Outbound, which uses a non-standard type of communication directly to the network adapters, bypassing the components of the operating system which are supposed to deal with Internet communication and thereby bypassing the firewall, are only now being patched against by the various firewalls. Yet other methods, such as the one demonstrated by Tooleaky, which uses Internet Explorer as a messenger to communicate with the outside and is thus identified as mere legitimate browsing, are still waiting for most of the personal firewalls to find a fix.
II.5c Firewalls cannot decide for you what is a legitimate communication and what is not
One of the main problems with personal firewalls is that you cannot simply install them and forget them, counting on them to do their job. They can deny or permit various types of communications according to some criteria, but what are these criteria, and who decides what the criteria are for whether they should permit or deny some communication?
The answer is that it is the computer user's job to define the exact criteria for when the firewall should allow a communication and when it should block it. The firewall may make it easier for you, but it should not take the decisions. There are too many programs and too many versions, and it is not possible for the firewall to decide accurately when a communication is legitimate and when it is not. One person might think that it is legitimate for some program to deliver some information to the outside in order to get some service, while another will think that it is not. One version of a program might communicate with its home server in order to check whether there is an upgrade, and another version might also install the upgrade even if you do not wish it. Some firewalls will try to identify communication efforts which are largely considered legitimate, and will give you the information so that it will be easier for you to decide whether such should be allowed. Others will make do with more basic information, making no suggestions (and thus no incorrect recommendations).
One way or another, once you have installed a firewall, you will have better means to understand what types of communications are running on your computer, but you will also have to understand them in order to be able to configure your firewall so that it will correctly know which communications to allow and which to block.
II.6 Common Problems and Deficiencies Regarding Personal Firewalls
A personal firewall might be a good contribution to security. Yet, if you do not understand much about the topic, then you are likely to be confused and misled by its alerts and queries, and thus find yourself spending hours chasing after imaginary crackers, fearing imaginary threats, and misconfiguring it due to misunderstanding. You may find yourself blocking legitimate and important communication believing it to be cracking efforts, and thus wondering why things work slowly or why you are disconnected from the Internet, or you might be misled into allowing a non-legitimate communication by some software that tricked you into believing that it is a legitimate one.
On the other hand, if you are quite knowledgeable about computers and security, then you are likely to defend your computer effectively even without a firewall (by the means discussed in section II.4), and thus the role of a personal firewall in securing your computer is extremely small and not very important.
We discuss here in brief some of the problems that personal firewalls may generate.
II.6a A false sense of security
As we've already learned here, a firewall is limited in its ability to secure your computer. Yet, many people believe that if they install a personal firewall they will be secured against the various security threats.
I was even surprised to find out that there are people who give much higher priority to installing a personal firewall than to installing an antivirus program. An always-updated antivirus program plays a much more important role in the security of a personal home computer than installing and maintaining a personal firewall. A personal firewall should not come at the expense of any other security measure that you use.
II.6b A false sense of insecurity
When you install a firewall and you look at all the communication efforts
through it, you might be surprised at the amount of communication efforts
from the Internet to your computer. Most of them are blocked by a typically
configured firewall.
There are all the times efforts to try to communicate with various
backdoor Trojans on your computers. If you are not infected, there will
be nothing to listen and to respond to those communication efforts, and
they are thus practically harmless. There are efforts to communicate with
your NBT driver, to see if your computer by mistake allows file sharing.
There are other types of probes to see if your computer exists, or various
efforts of servers to probe your computer in order to find the best path
for legitimate communication to it. There are sometimes remnants of communications
that were supposed to go to other computers, but made their way to yours
(for advanced readers: because the IP number that your computer uses, were
used by some other computer earlier). Those communication efforts are blocked
even without a firewall.
If your computer is not infected with a RAT, and if your computer don't
have NetBIOS over TCP/IP enabled or even it does not have file and print
sharing enabled (and on most computers this is disabled by default), then
none of these pose any security threat. If your computer is not infected
with a SubSeven Trojan, then no matter how often there will be efforts
to communicate with it, they are all doomed to be failed.
Yet, some personal firewalls (such as Norton Personal Firewall or ZoneAlarm)
by default proudly announce that they have just blocked an attempt to crack
into your computer. Norton may even label those blocked attempts as "high
security threats", although they were no threat at all, even if your computer
did not have a personal firewall. Such firewalls give you the false impression
that they save your computer again and again from extremely dangerous threats
on the Internet, so that you wonder how you survived so long without noticing
any intrusion before you installed the firewall.
I usually say that those personal firewalls have their "report level" set
to "promotional mode". Namely, the personal firewall is set to give you the
false impression that it is much more important than it really is.
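The triage the two paragraphs above describe, as an added example that is not part of the original article: blocked inbound attempts are grouped by destination port and compared with what is actually listening on the computer, so that probes aimed at nothing (SubSeven, NBT) are labelled as the harmless noise they are. The log format and sample lines are constructed, not the output of any real firewall product.

```python
"""Triage of blocked inbound attempts in a personal-firewall log.  Added example,
not code from the article; log format and sample lines are constructed."""
import re

# Constructed sample log: <time> BLOCK IN <proto> <src_ip>:<src_port> -> <dst_port>
SAMPLE_LOG = """\
12:00:01 BLOCK IN TCP 203.0.113.5:4321 -> 27374
12:00:02 BLOCK IN TCP 203.0.113.5:4322 -> 27374
12:00:05 BLOCK IN UDP 198.51.100.9:137 -> 137
12:00:07 BLOCK IN TCP 192.0.2.77:5001 -> 139
12:00:09 BLOCK IN TCP 192.0.2.78:6000 -> 80
12:00:11 BLOCK IN ICMP 203.0.113.5:0 -> 0
"""

# The noise the article names: NBT probes and SubSeven (default port 27374) probes.
KNOWN_NOISE = {137: "NBT name probe", 138: "NBT datagram probe",
               139: "NBT session probe", 27374: "SubSeven backdoor probe"}

LINE_RE = re.compile(r"^(?P<time>\S+) BLOCK IN (?P<proto>\w+) "
                     r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dport>\d+)$")

def parse(log_text):
    """Yield (proto, src_ip, dst_port) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["proto"], m["src"], int(m["dport"])

def triage(log_text, listening_ports):
    """Group blocked attempts by destination port.  An attempt at a port with
    nothing listening behind it would have gone nowhere even without the firewall."""
    groups = {}
    for proto, src, dport in parse(log_text):
        g = groups.setdefault(dport, {"proto": proto, "count": 0, "sources": set()})
        g["count"] += 1
        g["sources"].add(src)
    for dport, g in groups.items():
        if g["proto"] == "ICMP":
            g["label"], g["verdict"] = "host existence probe", "harmless"
        elif dport in listening_ports:   # something here would have answered
            g["label"] = KNOWN_NOISE.get(dport, "attempt on an open port")
            g["verdict"] = "review"
        else:
            g["label"] = KNOWN_NOISE.get(dport, "attempt on a closed port")
            g["verdict"] = "harmless"
    return groups

if __name__ == "__main__":
    for port, g in sorted(triage(SAMPLE_LOG, {80}).items()):
        print(port, g["count"], g["label"], "->", g["verdict"])
```

The set of listening ports (here {80}) is the part that matters: it is what turns an alarming-looking log into a list of attempts that mostly had nothing to hit.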
II.6c Chasing after ghosts
This is a side effect of the kinds of misunderstanding discussed in the
previous subsection.
When a person who is just starting to learn the jargon of personal
firewalls is told that some "dangerous" communication attempts persist
from the same source, that person becomes determined to locate and identify
the "hacker", and perhaps report it to the police or to their Internet
service provider. However, since many people do not really understand thoroughly
how things work, they may spend many hours trying to locate a cracker that
does not exist, or the knowledge needed to track the cracker may be far beyond
what they have, and they might even suspect the wrong person due to lack of
knowledge (e.g. the contact person at the Internet service provider that was
used by the cracker).
More knowledgeable people usually do not bother to track those "hackers"
(who are usually teenagers), but instead concentrate on the security
of their own computer.
II.6d Blocking legitimate communications
No personal firewall is smart enough to decide for the user what is a legitimate communication and what is not. A personal firewall cannot distinguish between a legitimate program contacting its server to check for a newer version and notify the user, and a non-legitimate program contacting its server in order to deliver sensitive information such as passwords, unless the user tells it. It is thus up to the user to decide what should be considered legitimate and what should not. Yet, can we count on the user to be knowledgeable enough to decide what is legitimate and what is not? In many cases the user is not knowledgeable enough, and may thus allow non-legitimate communication or disallow a legitimate and important communication. There are many types of communication handled just to manage other communications. Among these are various types of communication between your computer and the various servers of your Internet service provider. A less knowledgeable user may interpret those types of communication as cracking attempts, and will thus decide to block them. As a result, a connection might become slower, the connection to the Internet service provider might be dropped quite often, and other kinds of communication problems may appear.
II.6e Being tricked by Trojans
Just as less knowledgeable users may instruct the firewall to block legitimate communications, they can be tricked by various Trojans into allowing them to communicate. Some Trojans use names resembling or identical to the names of legitimate programs, so that the user would think that it is a legitimate program. Users should be aware of that.
II.6f Heavy software, buggy software
Until now we discussed only problems related to the user's lack of appropriate knowledge. Yet, there are other problems regarding personal firewalls. For example, some of them are known to be quite heavy on computer resources, or to slow down the communication speed. Personal firewalls vary quite a lot in this regard. If you have a new computer with a slow Internet connection (such as regular dial-up networking), then it might not slow down your computer noticeably. Yet, if you use an older computer and a fast connection, you might find that some personal firewalls will slow down your communication quite drastically.
Personal firewalls also vary in how stable they are.
II.7 A few words about Hardware/External Firewalls vs. Personal Firewalls
A personal firewall is software which runs on the computer it is supposed
to defend. Some people prefer to use an external firewall, which does not
run on the computer it should defend, but rather at some other location
between that computer and the Internet. Common hardware firewalls are either
part of an ADSL or cable external modem, part of an external router (which
also allows a local network to share a single connection to the Internet),
or a firewall installed on a separate computer which is dedicated to serving
as a gateway between the computer(s) it should defend and the rest of the
Internet.
It is very popular to take an old computer (IBM AT 486 compatible or
something similar), install Linux or one of the free Unix flavours on it,
use the standard firewall that comes with many Unix/Linux distributions
(namely, IPTables), and use this as a NAT router with a firewall. If you are
talking about connecting a home network or another local area network, this
might really be a good idea.
We wish to discuss here the common advantages and disadvantages of external
firewalls compared to personal (software) firewalls.
II.7a Advantages of external firewalls over personal firewalls
1. They do not take resources from the computer. This should be clear.
This is especially useful when the firewall blocks flooding attacks.
2. It is harder (although in principle still possible) for a Trojan
horse to disable it, because it does not reside on the same computer that
the Trojan has infected. Nor can the Trojan carry out its communication
while totally bypassing the firewall.
3. They can be used without any dependence on the operating system
of the computer(s) they defend.
4. No instability problems.
II.7b Disadvantages of external firewalls over personal firewalls
1. External firewalls cost money, while there are personal firewalls
which are not only free, but also excellent.
2. External firewalls have no way to know which program on the computer
generates the communication or listens for it. This means that the filters
(which types of communication to allow and which to forbid) cannot depend on
the applications that listen for or initiate the communications. This gives
a program that is already running on the computer a very easy way to bypass
the firewall. This means that for the uses mentioned in sections II.3b to
II.3e, the abilities of an external firewall are extremely limited compared
to personal firewalls.
3. The number and flexibility of the rules that can be set on a firewall
which comes with a router are sometimes much more limited than on any personal
firewall.
4. They are somewhat less easy to configure.
5. On average they are updated less frequently and less easily than
personal firewalls.
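As an added example (not the article's own code) for item 2 above and for the point in II.6e about Trojans borrowing the names of legitimate programs: three ways a firewall can identify the program behind an outgoing connection, from the port-only view of an external firewall to a personal-firewall rule keyed on full path and file hash. The rule model, the file paths and the program contents are constructed for illustration.

```python
"""Program identity in firewall rules: port-only, by name, by path and hash.
Added example, not code from the article; rule model, paths and program
contents are constructed for illustration."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Connection:
    exe_path: str     # full path of the program opening the connection
    exe_bytes: bytes  # contents of that program file (constructed stand-in)
    remote_port: int

    @property
    def exe_name(self) -> str:
        return self.exe_path.rsplit("\\", 1)[-1].lower()

    @property
    def exe_hash(self) -> str:
        return hashlib.sha256(self.exe_bytes).hexdigest()

# Constructed stand-ins: the real browser binary and a Trojan using its file name.
REAL_BROWSER = b"constructed stand-in for the real browser program"
LOOKALIKE = b"constructed stand-in for a Trojan named like the browser"
BROWSER_PATH = r"C:\Program Files\Internet Explorer\iexplore.exe"

# Rule table of a personal firewall that records full path and file hash.
TRUSTED = {BROWSER_PATH.lower(): hashlib.sha256(REAL_BROWSER).hexdigest()}

def port_only_allows(conn, allowed_ports):
    """External/router firewall: it sees the port, never the program."""
    return conn.remote_port in allowed_ports

def name_rule_allows(conn, allowed_names):
    """Personal firewall rule keyed only on the displayed program name."""
    return conn.exe_name in allowed_names

def path_hash_rule(conn, trusted=TRUSTED):
    """Rule keyed on full path and file hash; returns (allowed, reason).  A changed
    hash means the file was modified since the rule was made: ask the user again."""
    known = trusted.get(conn.exe_path.lower())
    if known is None:
        return False, "no rule for this program path"
    if known != conn.exe_hash:
        return False, "program file changed since the rule was made"
    return True, "path and hash match the rule"

def evaluate(conn):
    return {"port_only": port_only_allows(conn, {80, 443}),
            "by_name": name_rule_allows(conn, {"iexplore.exe"}),
            "by_path_and_hash": path_hash_rule(conn)[0]}
```

A lookalike placed in another directory passes the first two checks and fails only the third; an updated legitimate program also fails the third, which is the moment a personal firewall should ask the user again rather than keep the old decision.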
II.7c Discussion regarding personal vs. external firewalls
It is not rare to find people, even knowledgeable ones, who claim that hardware/external firewalls are "real firewalls" while personal firewalls are "just toys". Those people usually forget that the needs of a single computer are quite different from the needs of a local network which is connected to the Internet.
While external firewalls have their own advantages, this claim as a
generic one is not true. If you want to have a small home/office network
sharing an Internet connection, with different rules for local communications
between the computers on that network and different rules for communications
with the Internet, then an external firewall has a considerable advantage:
it runs all the time to serve all the computers, and it is able to impose
a certain policy on the local network. When speaking about a single computer,
unless it comes with your ADSL/ISDN/cable modem, its advantages usually do
not justify investing money in it, and a personal firewall might be much
more useful.
Some external firewalls combine firewalling with content filtering, and
it is somewhat harder to remove traces of an intrusion from them. Yet, when
speaking about inexpensive hardware firewalls, their content filtering is
very basic, and there are enough "software" alternatives that will do it.
There are even some personal firewalls that combine basic content filtering,
and even Internet Explorer has its own configuration options which offer
content filtering.