Firewall Install

ALL ABOUT ....FIREWALLS....
Absolutely the best test place:
Personal firewall software MUST be used on the PC if there is no NAT/router installed on your ADSL or cable modem connection, and a personal firewall must be installed on each PC if you are behind a wireless NAT/router! See this page for some interesting info and the discussion of a really big catch-22 in this situation. Even if there is a [non-wireless] NAT/router installed, having a personal firewall on the PC is an interesting exercise, and quite useful: it will show you all the attempts at outgoing communication [as well as intercepting the unsolicited incoming attempts at communication], which can be quite revealing. It is also quite educational. Naturally, behind a NAT/router you should see NO incoming connections, unsolicited or not, unless you start opening ports.
With the advent of XP SP2, I am ....almost... ready to accept the Windows version of "firewall." It is much more capable than the pre-SP2 ICF version, so it is well worth the effort. The Security Center in XP SP2 pesters you to death about firewalls, antivirus, and Windows updates, so that is good... The Windows Firewall in SP2 can qualify as the PC-installed firewall mentioned above.
Update May 2005: The firewall in XP SP2 is actually a pretty complete inbound firewall, allowing reasonable control. It is still rather confusing about setting defaults.
Most simple NAT/routers can be called a "simple" firewall, or a "zero order" firewall, but I would in no case give them the designation of a true "firewall." "Firewall" is one of those generic terms that is abused terribly. The many vendor implementations of NAT/routers and firewalls run the gamut from simple to complex, and it is very difficult to tell exactly what is being offered, and whether you should call them NAT/routers or firewalls. Many people think that the simple incoming TCP connection blocking done by a NAT/router qualifies it as a "firewall." This can be a confusing issue. I am not sure I can unconfuse this whole issue!
Basically, on a residential ADSL or cable modem account, the use of a simple NAT/router is probably sufficient, especially if you practice the other safe computing tips discussed here. This assumes that your NAT/router is completely stealthed, or invisible, that you don't open up any ports to be visible to the Internet, and that your IP address assignment is dynamic and may change once in a while, especially when you power cycle the modem. If you have a business account with a static IP, and you run services on your IP address, a simple NAT/router is probably NOT sufficient for your purposes. You will need some heavier firewall artillery, particularly a firewall that does stateful packet inspection, as discussed here. Some of the simple NAT/routers are upgradeable to include a firewall, such as the Cayman 3220/Netopia, the 2Wire, and some others. Still, if your business is crucial to your life, and it is growing, you need some serious heavy artillery, something like Check Point or Cisco firewall equipment. Those are not discussed here.
One of the best software "zero order" firewalls that can be installed on your PC continues to be ZoneAlarm, which can be downloaded free from www.zonelabs.com. Beware that they are making it more and more difficult to find the free version - you have to search, and click through about 6 or 7 screens! Can't really blame them. Their deluxe models are probably worth paying for if your PC is directly on the Internet, but if you are behind a NAT/router you may not need the deluxe model. Beware that ZoneAlarm does sap some of your system resources, and it inserts itself into the very middle of your TCP/IP stack. It also can make home networking behind a NAT/router tricky - you may wind up just disabling it to get your networking to work!
Installing ZoneAlarm is a fascinating way to learn about networking. After the install, just start paying attention to all the alerts to see exactly what your PC is doing over the network - you can gradually OK them permanently. Or, to start over, just go into ZoneAlarm and delete all the program entries, and then it will ask you every time a program wants to enter or exit your PC. You can see everything going in or out on your PC. When you combine this with running a sniffer such as Ethereal, you can really see what is going on out there.
Now there are other software firewalls. www.sygate.com has a free one. McAfee has an excellent personal firewall, which I think does a much better job of explaining all that is going on, but it is not free. Norton sells one of course. XP comes with a simple incoming port blocker, which they call an "Internet Connection Firewall" (ICF) in pre-SP2 installs, and simply "Windows Firewall" in SP2 installs. You probably want to turn these off if you are running it behind a NAT/router, since none of your networking will work (unless of course this PC is running on a wireless connection! See here). And notice how Microsoft abuses the term "firewall." See what I mean! Win2K does not come with a built-in firewall, nor do any of the Win9X/ME products. Understanding how to enable ICF and use it is becoming even more important in these wireless times. Of course XP SP2 has updated the ICF firewall, and it is much more complete, and comes with a GUI front end to complement their security improvements. It is called simply "Windows Firewall."
Linux comes with "ipchains." Red Hat Linux 8 comes with a default built-in, simply configured firewall, and a GUI to manage it, kinda like XP's. Kinda simple as pre-configured, but of course it can be much more complicated. Entire books have been written on this subject. The Linux software is the basis for a LOT of embedded OEM firewalls.
The "firestarter" distribution (available as an rpm) provides more fine-grained control of the underlying ipchains using a nice GUI front end. Look for it at www.rpmfind.net.
To understand what a NAT/router or a "simple" firewall does, you must understand that there are basically two kinds of PCs. The simplest one is the one you use at home to surf the web. You run "clients" which make "outgoing" connection requests to web servers, mail servers, etc. on the Internet. You are the one who controls what happens on your PC. The other kind of PC is the type that "services" these requests - they run "services." These tend to be the PCs at the web, mail, and ftp sites that service incoming connection requests from PCs like your simple PC at home. See this section which explains the three-way handshake.
Now if your simple PC was ONLY a client the Internet world would be a much better place, but that is not the way it has been. Your PC, even though it is mostly a "client," does offer some "services," and thus there is the potential that your PC will ACCEPT incoming connection requests. This can be a real problem if not done correctly. The default install of Win95 and Win98 (and ME) was to enable the services that do file and print sharing [these were on ports 137, 138, and 139]. Thus anybody in the world could "connect" to these services, i.e. anybody on the Internet could see the files on your PC. Gradually over the last 5 years people have learned, for the most part, to turn OFF these simplest file sharing services if their PC was connected directly to the Internet. A user may also easily install a web or an ftp server on his home PC that also will accept incoming connection requests. The problem has been that all these services have very BIG HOLES, or ways to exploit them, which allow crackers to get into the PC via problems with those service implementations. The updates that you get from Windows Update every week are meant to close holes in a lot of these services which allow crackers to get in. In addition, some of the newer Windows OSes have services that allow connections to be made to the PC, such as "Remote Assistance" or "UPnP."
The basic task of a NAT/router is to block incoming connection attempts from sources on the Internet. By putting a NAT/router as the interface to the Internet for your home network, you are protected from simple incoming connection attempts and also from unsolicited UDP. You are thus a lot safer on your home network, and you can open up all those services like file sharing so you can use them in your home environment.
A novice user can get into pretty big trouble by installing all these services and NOT keeping Windows up to date. He/she desperately needs to install, as a minimum, a NAT/router on his or her ADSL or cable modem connection!
NAT/routers in their simplest incarnation are vulnerable to very clever crackers, however. There are many techniques to tunnel through these simple NAT/router boxes if a cracker is determined. This is where a "firewall" earns its keep and distinguishes itself from the simple NAT/router. A firewall goes beyond the simple inspection of individual packets, and actually monitors, records, and tracks each individual TCP connection, or TCP connection attempt, to verify its validity, and is not susceptible to some of the sophisticated SYN floods, FIN probes, fragment attacks, and all the other tricks that can be thrown at the simple NAT/router. A "stateful firewall" will remember that a connection has been set up, will allow subsequent communication over that connection, and will block all kinds of tricks that crackers can play with the TCP protocol and the individual IP packets. It will remember outgoing UDP packets, and allow the returning UDP packets.
www.pcflank.com and www.firewallleaktester.com are great sites to test your NAT/router. www.grc.com and www.dslreports.com will also run tests on your NAT/router. These sites do not do exhaustive tests, but they test all the well-known service ports. Here is a nice interview with the founder of grc.com, Steve Gibson.
The slickest new tester I have seen as of June 2003 is Steve Gibson's (www.grc.com) "nanoprobe" server. Notice the httpS, not plain http. There is a reason for this. Update: As of September, Steve has moved the beta to the production server, and it can be found at the normal "Shields Up" link at www.grc.com. Once you click on "Shields Up," it will switch to https. I also have the link at the top of this page!
Your NAT/router should test as "stealthed," or "not visible," in the best case on all probed ports. This means that it doesn't even send back REJECTs if it is probed for a port that is not open. And it doesn't respond to pings in this state either. If ports are "CLOSED" this is not too bad - it just means that your NAT/router sent a REJECT telling the prober that that port is not available here. The problem with CLOSED as opposed to STEALTHED is that there may be exploits which can be run against these machines, especially if the prober detects that a machine exists at this IP address and port. Now there are 64K possible ports, and these sites don't check all the ports, but they check all the main ones. You can request full port scans if you want from several sites.
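To make the two points above concrete (a stateful filter that remembers outbound TCP and UDP flows and only lets the replies back in, and the difference between silently dropping an unsolicited probe, "stealthed," versus answering it with a REJECT, "closed"), here is a small simulation added for this page. It is not code from the original article or from any firewall product; the packet trace, addresses and port numbers are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str               # "out" = LAN -> Internet, "in" = Internet -> LAN
    proto: str                   # "tcp" or "udp"
    src: tuple                   # (ip, port)
    dst: tuple                   # (ip, port)
    flags: frozenset = frozenset()   # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}


class StatefulFilter:
    """Toy model of a stateful NAT/router (hypothetical, for illustration).

    Verdicts: "ALLOW", "DROP" (silent, the port tests as stealthed) or
    "REJECT" (a RST/ICMP error is sent back, the port tests as closed).
    """

    def __init__(self, stealth=True):
        self.stealth = stealth
        self.flows = set()       # (proto, lan_endpoint, internet_endpoint)

    def handle(self, pkt):
        if pkt.direction == "out":
            # Anything the LAN sends creates state so that its reply can return.
            self.flows.add((pkt.proto, pkt.src, pkt.dst))
            return "ALLOW"
        key = (pkt.proto, pkt.dst, pkt.src)          # inbound: dst is the LAN side
        new_attempt = pkt.proto == "tcp" and "SYN" in pkt.flags and "ACK" not in pkt.flags
        if key in self.flows and not new_attempt:
            if "RST" in pkt.flags:
                self.flows.discard(key)              # peer tore the connection down
            return "ALLOW"
        # Unsolicited inbound traffic: a SYN to port 139, a stray UDP datagram, ...
        return "DROP" if self.stealth else "REJECT"


def demo():
    """Run a constructed trace through a stealthed filter; returns the verdicts."""
    lan, web = ("192.168.1.10", 50000), ("203.0.113.5", 80)
    lan_dns, dns = ("192.168.1.10", 40000), ("203.0.113.53", 53)
    trace = [
        Packet("out", "tcp", lan, web, frozenset({"SYN"})),          # we open a web connection
        Packet("in", "tcp", web, lan, frozenset({"SYN", "ACK"})),    # handshake reply comes back
        Packet("in", "tcp", ("198.51.100.7", 4444), ("192.168.1.10", 139), frozenset({"SYN"})),
        Packet("out", "udp", lan_dns, dns),                          # outgoing DNS query
        Packet("in", "udp", dns, lan_dns),                           # matching DNS answer
        Packet("in", "udp", ("198.51.100.7", 53), lan_dns),          # UDP from someone else
        Packet("in", "tcp", web, lan, frozenset({"SYN"})),           # bare SYN, not a reply
    ]
    f = StatefulFilter(stealth=True)
    return [f.handle(p) for p in trace]
```

Running `demo()` shows the file-sharing probe to port 139 and the unrelated UDP datagram dropped silently, while the handshake reply and the DNS answer that match remembered flows are allowed; the same probe against `StatefulFilter(stealth=False)` gets a REJECT instead, which is what a "closed" result on the test sites means.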
See this page for some discussion of understanding IP and TCP connections.
See this page to convince you that you really need an EXTERNAL NAT/router to perform a low-level firewall function instead of a PC-resident firewall.

(source: http://www.pccitizen.com/firewallinstall.htm)
