How Do Firewalls Work? How Do Computers Communicate? What are ports?
Just like our homes have street addresses, our computers have IP addresses. These are the numbers computers use to identify themselves. To make it easier for people to remember computer addresses, the addresses are often converted to a more friendly format called a DNS name. For example, the JMU web server, whose address is 18.104.22.168, has a DNS name of <a href="http://www.jmu.edu"> www.jmu.edu</a>.
When computers communicate, they do so using packets of information similar to postal envelopes. Each packet envelope has a destination address, a return address, and contents that vary with the purpose of the communication. It is the job of the network to properly route these envelopes to the desired destination. When one computer talks to another computer, many envelopes are exchanged during the process.
Many different programs may use the network at the same time. An email program, a web program, and an instant messenger program may all be in use at once. To make sure messages don't get mixed up between different programs, each program listens and talks through a different door on the computer. Every computer has 65,535 TCP doors and 65,535 UDP doors. The meaning of TCP and UDP isn't important right now nor is the difference between the two. The important thing to remember is that there are thousands of doors through which computer programs may communicate. These doors are referred to as "ports".
When you go to a web server, your traffic goes out one of the doors on your computer to one of the doors on the web server. Which door you leave through doesn't matter. In most cases, it is a door with a number greater than 1023. However, what door you visit on the web server is important as the web server program will only be accepting visitors on one of the thousands of doors on its own computer.
To make talking to services like web servers easy, people have agreed over time to use a common set of doors for servers. Thus, doors 443 and 80 are the doors where almost all web servers listen for visitors. One door is for SSL protected sessions and one for unprotected sessions. Mail servers accept visitors at door number 25. Each type of server program has an <a href="http://www.iana.org/assignments/port-numbers">assigned door</a> where it should accept visitors. This makes it easy for clients like you, me, and our browsers to find the right door to talk to the service in which we are interested.
When we use a web browser to go to http://www.jmu.edu, the web browser knows to go to door number 80 on the computer known as <a href="http://www.jmu.edu">www.jmu.edu</a> which a name server tells our browser is at address 22.214.171.124.
Although people have agreed to use specific ports for specific purposes, there is nothing to prevent people from doing otherwise.
Firewalls work by refusing access to doors. Even if a server program on our computer opens a door and listens for visitors, the firewall keeps visitors out. Unless, of course, we open a hole in our firewall and tell it to allow visitors through to the open door. This blocking provides protection against visitors who may visit doors on our computer that we don't know are open, that are defective, or that are opened by malicious software like viruses.
Firewalls can be separate devices that sit on the network and do nothing but act as traffic cops or they can reside on our computers in the form of personal firewall programs.
Most personal firewall programs that run on a desktop not only block external visitors but also watch for programs on our computer that try to open our doors. When a program attempts to open a door, the firewall lets us choose whether or not to permit it. Choosing which programs to allow to open doors on our computer can be tricky and a wrong decision renders the firewall useless.
Checking to see what doors are open on our computer is a little complicated. The netstat utility will tell us what doors are open. However, deciphering its output is a little tricky. To make it as easy as possible, first reboot the computer and make sure not to start up any programs. Then, open an MSDOS, CMD, or terminal window and type "netstat -an".
Any doors labeled "LISTENING" are programs with open doors waiting for visitors to your computer. To close the doors, you must stop the programs that open them. Many of these programs start automatically when the computer is first started. How they can be stopped (and the door closed) depends upon the particular program.
Finding out what program is opening a door is the first step. This can be a tricky process and, among the Windows family, only Windows XP makes it halfway sane. With Windows XP, typing "netstat -ano" provides us with the information needed to know what programs are opening the doors. The output of that command provides the "process ID" (PID) of the programs. By using that PID, we can then go to the task manager, cross-reference the PID, and find the name of the program opening the door. The task manager can be started by right-clicking the task bar. Figuring out what the programs are and do is a major job in itself. For example, <a href="http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp"> here is a list of services that may be found on a Windows 2000 computer</a> and <a href="http://www.hsc.fr/ressources/breves/min_srv_res_win.en.html">here is a site</a> that describes what is involved in controlling them.
Other versions of Windows don't offer a way to find the program responsible for opening a door. Instead, a third party tool must be used. One such tool for Windows NT and 2000 is <a href="http://www.foundstone.com/knowledge/proddesc/fport.html">Fport from Foundstone</a>.
If you run Linux, the command to find out what programs are opening doors is "netstat -anp". The lsof command will do the same for other Unix computers.
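The cross-referencing step described above, worked through in code: an added example (not a JMU tool) that parses "netstat -ano" output into open doors, matches the PID column against process names, and separates doors reachable from the network from loopback-only ones. The netstat output, the PID-to-process table standing in for Task Manager, and the addresses are all constructed samples.

```python
"""List the open "doors" from "netstat -ano" output and cross-reference
the PID column with process names, as the page describes for Windows XP.

Example code added to illustrate the page; it is not a JMU tool.  The
netstat output and the PID table below are constructed samples.
"""
import re
from collections import namedtuple

OpenDoor = namedtuple("OpenDoor", "proto addr port pid process")

# One netstat -ano row: proto, local addr:port, foreign addr, optional
# state (UDP rows have none), PID.  Local address may be IPv4 or
# bracketed IPv6; the greedy \S+ backs off to the last ':' before the port.
ROW_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$"
)

# Well-known assignments the page talks about (IANA port numbers).
WELL_KNOWN = {
    25: "SMTP mail", 80: "HTTP web", 443: "HTTPS web",
    135: "RPC port mapper (Windows Messenger, DCOM)",
    137: "NetBIOS name service", 139: "Windows file sharing (NetBIOS)",
    445: "Windows file sharing (SMB)", 1900: "UPnP / Plug-n-Play",
}

# Constructed "netstat -ano" output (Windows XP column layout).
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       944
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING       1120
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    192.0.2.10:3421        198.51.100.7:80        ESTABLISHED     2268
  UDP    0.0.0.0:1900           *:*                                    1336
  UDP    0.0.0.0:137            *:*                                    4
"""

# Constructed PID -> image name table, standing in for Task Manager.
TASKLIST_SAMPLE = {4: "System", 944: "svchost.exe", 1120: "alg.exe",
                   1336: "svchost.exe", 2268: "iexplore.exe"}


def open_doors(netstat_text, pid_table):
    """Return LISTENING TCP sockets and all bound UDP sockets (UDP has no
    state column, so a bound UDP port is always an open door)."""
    doors = []
    for line in netstat_text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # headers and blank lines
        proto, addr, port, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue                      # a conversation, not an open door
        pid = int(pid)
        doors.append(OpenDoor(proto, addr, int(port), pid,
                              pid_table.get(pid, "unknown")))
    return doors


def reachable_from_network(door):
    """Loopback-only doors (127.x.x.x, ::1) cannot be visited from the
    network, so they matter less than doors bound to 0.0.0.0 or [::]."""
    return not (door.addr.startswith("127.") or door.addr in ("[::1]", "::1"))


def describe(door):
    name = WELL_KNOWN.get(door.port, "no well-known assignment")
    where = "network" if reachable_from_network(door) else "local only"
    return (f"{door.proto} {door.port:>5} {where:<10} pid {door.pid:<5} "
            f"{door.process:<14} {name}")


def report(netstat_text, pid_table):
    """Only the doors an outside visitor could actually knock on."""
    return [describe(d) for d in open_doors(netstat_text, pid_table)
            if reachable_from_network(d)]


if __name__ == "__main__":
    print("\n".join(report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)))
```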
Some network programs don't have assigned doors. Instead, they register with a doorman. The doorman opens a door and listens for visitors on a commonly known, assigned door just like other network programs do. When a visitor arrives, they ask the doorman where the services of one of the registered programs can be found, and the doorman directs the visitor to another door. The Windows and Unix Remote Procedure Call (RPC) services use this architecture and the doorman is called a port mapper. Some other programs also break the rule of one door - one program. The most common programs exhibiting this behavior are FTP and some game and peer-to-peer file/music sharing programs. Firewalling RPC, FTP, peer sharing, and similar applications can become complicated or impossible because the ports may be shared by multiple services or change from one instant to another.
Tools to determine port and program usage for RPC services include:
- <a href="http://support.microsoft.com/default.aspx?scid=KB;EN-US;q310298&"> Portqry</a>
- <a href="http://support.microsoft.com/default.aspx?scid=KB;EN-US;Q250320&"> tscan -s</a>
An open door doesn't necessarily mean that someone can break into your computer. But if the door is opened needlessly, risk can be reduced by closing it or denying access to it. When a program opens a door on a computer, it is the responsibility of the program that opened the door to control access and limit the ability of visitors to do harm. Unfortunately, this doesn't always happen.
How Do People Break Into My Computer?
First, let's define a computer break-in. A computer break-in is when someone unauthorized to do so:
- Breaks through door locks to access data on your computer
- Causes a program to be run on your computer. Since the program controls the computer, they have effectively taken control of the computer.
There are other types of incidents that are similar but different in ways that are important to understand:
- Someone may convince you to run their program on your computer. They may do this by sending you a malicious email attachment, offering you an instant message download, or simply by making a malicious program available on the Internet. They'll usually try to make the program attractive by naming it something desirable or by using an email message with a tricky subject line or false "From" line. If you run the malicious program, you break into your computer for them by giving control of your computer to their program. That program probably has the ability to disable your personal firewall. These types of problems can be avoided by <a href="http://www.jmu.edu/computing/runsafe/index.shtml#refuse">refusing to run unknown software</a>.
- Someone may search for open doors on your computer and, if found, try to take advantage of them in a variety of ways. This is sometimes called "port scanning". If no doors are open or the programs that open them handle the malicious visitor properly, a break-in can't occur. The moral questions associated with the door checking are contentious and some programs do this as a normal part of their operation.
- Let us say you configure a Windows computer to share a folder on the network without a password. Someone may fill the folder with viruses, modify files that you're trying to share with others, or delete files other people put in the folder to share with you. In this case, the program that opened the door is performing exactly the way you told it to: let anyone in without a password and do anything they want. It is difficult to call someone who takes advantage of this "unauthorized", but they are certainly abusing your computer and your intent. A personal firewall will not help with this problem. These types of incidents can be avoided by <a href="http://www.jmu.edu/computing/runsafe/index.shtml#nullify">nullifying unneeded risk</a>.
- Some folks abuse doors that we want left open or that the vendor left open for us. Sometimes this type of abuse can be prevented by simply closing doors, especially those left open unnecessarily by vendors, but more often extra cost and complexity is required in the software that opens the doors and/or the network leading up to the doors. Examples include:
- <a href="spam.shtml">People sending unwanted email messages to your mail server</a>.
- <a href="winmsg.shtml">People sending unwanted Windows POP-UP messages to the Windows Messenger Service</a>.
- People performing various types of denial of service attacks that generally work by depleting resources with unnecessary traffic.
<a href="howthe.shtml">Click here for a more thorough description of how people break into our computers.</a>
Most common break-ins can be prevented by setting up our computer in the more secure manner described by <a href="../startsafe">StartSafe</a>, and subsequently operating our computers in a safe manner as described by <a href="http://www.jmu.edu/computing/runsafe/index.shtml">RUNSAFE</a>.
How Does a Firewall Prevent Break-ins?
Personal firewalls protect against external attacks by limiting access to doors.
When a program opens a door on a computer, it is the responsibility of the program that opened the door to control access and limit the ability of visitors to do harm. There are several reasons this may not happen. Among them:
- The program may have a defect allowing visitors to do unintended things. Unfortunately, this is a common problem and is responsible for many computer break-ins. To help avoid this scenario we must <a href="http://www.jmu.edu/computing/runsafe/index.shtml#update">update our programs regularly</a>.
- The program may be fooled into thinking the visitor is someone we authorized to use the door. For example, the visitor may have discovered the authorized person's password or spoof a computer address we've allowed to use the door.
- The program may be misconfigured by the operator or be shipped in a vulnerable configuration.
- The program may simply be too trusting in its design. It may have been designed with a trusted network in mind while it, in fact, resides on the Internet along with 300 million other people.
In any of these cases, if a firewall does not permit access to the door, the problem is prevented. Doors that are typically open on a desktop Windows computer out of the box include:
- Windows File Sharing
- Windows Messenger (and other RPC services)
- Windows Plug-n-Play services
Of course, if we configure the firewall to allow access to a door, like to provide access to a shared folder, run a music sharing program, or run a web server, then we must be careful about the maintenance and configuration of the program that opens the door on our computer by following <a href="http://www.jmu.edu/computing/runsafe/index.shtml">RUNSAFE guidelines</a>.
Personal firewalls help reduce the effects of already compromised or infected computers by limiting access to outbound doors.
Personal firewalls can also help reduce the effects of a pre-existing computer break-in or untrusted programs. However, it is important to understand that once a break-in occurs or untrusted programs are run, the computer is already compromised and the person or malicious program controlling the computer can disable the personal firewall. Many viruses do this. It is better to prevent the initial break-in in the first place by following <a href="../startsafe">StartSafe</a> and <a href="http://www.jmu.edu/computing/runsafe">RUNSAFE</a> guidelines than to depend upon the integrity of a personal firewall running on a compromised computer.
Some malicious programs make use of the network to perform their dirty work. They may open network doors to let other people into our computers as do remote control trojans. They may send out private information. They may try to spread themselves to other computers through email, instant messages, file shares, and other means.
In these cases, personal firewalls help prevent the malicious behavior by not allowing unauthorized programs to open doors on our computer. Depending upon the particular firewall program and configuration, it will usually pop up a warning message telling us that such and such a program is attempting to open a door and ask us if we want to permit it. Making a decision is sometimes difficult and if we allow the wrong program to talk to the network out of a hasty or uninformed decision, the protection provided by the firewall is lost.
The idea behind a firewall is to prevent malicious communications. However, they are very limited in their ability to determine what is malicious and what is friendly. It is up to the operator of the firewall to understand the implications of any configuration decisions.
What Do I Do When My Firewall Tells Me A Program is Trying to Communicate on the Network?
On some firewalls, when a program needs to talk to another computer on the network, whether it's a web site, email server, or instant message buddy, it opens a door on your computer. The first time a program does this after a firewall is installed, the firewall will ask you if you want to allow it. It will generally give you three options:
- Denying the program access to the network
- Allowing it just this one time. You will be asked again the next time it wants to use the network.
- Allowing it forever more. You will not be asked again the next time it wants to use the network.
In general, these warnings should not come up unless you ran a program for the first time since installing the firewall, or after a new program is installed. If neither of these situations apply, it would be advisable to block the program and call support. If you did just install a new program, how much do you trust the author and its distribution mechanism with everything on your computer?
This is another one of those cases where we're between a rock and a hard place. The underlying technical decisions can be complex and confusing. If we try to make the software intelligent enough to make the decisions for us, we risk the same type of mistakes and issues we're trying to cure with the firewall that are caused by other overly presumptuous and permissive software.
What Does it Mean When My Firewall Reports an Attack? What Should I Do?
Generally it means the firewall detected some unexpected network traffic to your computer. Sometimes that traffic is malicious and sometimes it isn't.
Whether it is malicious or not, it is rarely harmful because your firewall blocks it. If it is malicious, it is rarely under direct human control. That is, the malicious behavior is usually due to an automated program, e.g. a virus or worm infecting the source computer.
So, what should be done with the reports?
While you are connected to the Internet, your computer is going to get a steady stream of unsolicited traffic. You're on a shared network with over 300,000,000 other people and a good many virus infected computers.
JMU's own organizational firewalls show hundreds, thousands, and sometimes tens of thousands of attacks per day. Our virus logs show dozens or hundreds of outside infected computers per hour. We don't even attempt to send notification reports on that much activity. We depend upon our firewalls to keep the unwanted traffic out and concentrate on doing our work. A firewall today is like a screen door keeping out flies. We may hear them buzzing outside but don't pay much attention to them unless they're in the house. (Of course, if we notice a ten pound fly on the screen door, or that our lawn is completely covered, we may have a more proactive response.)
That said, JMU certainly has an interest in knowing when a computer on our network, which consists of thousands of student computers in their homes as well as computers owned by JMU, is involved in harmful activity.
In order for us to determine if your firewall report is accurate, and not just a normal part of being on the Internet, we will need the logs from your firewall. The firewall report by itself doesn't provide enough information to track down what is happening. And we certainly aren't going to disconnect somebody's computer because somebody we never met said "my computer said your computer attacked my computer" without sufficient evidence. That would really make the Internet chaotic.
We will need the firewall logs generated by your firewall before we can determine the reason for the activity or take any action. We cannot analyze a report that does not contain a firewall log. Different firewall programs store these logs in different places. You will have to consult your firewall's documentation to find out how to get to the logs and attach them to the e-mail you send us.
Before sending the report to us, read through the following. You may find that the report of an "attack" is misleading you.
The most common attack report we receive is a "port scan" or ICMP ping. Your firewall may report one of these "attacks" if:
- Your computer has now, or has ever had, file/music sharing programs installed on it.
- You are on a dial-up line or a new Internet Service Provider and you receive an IP address previously used by a computer that had file/music sharing programs on it
These reports result from file/music sharing programs running on other computers looking for their long lost buddy (your computer's address) that they once communicated with. It's automatic. It's the way the programs work. There is nothing you or anyone else can do about it. The most common port connection attempts of this type target 6346 or nearby ports.
If the firewall reports a port scan (particularly to ports around 6346) or an ICMP ping, ignore it. They are blocked by your firewall anyway. They're basically harmless and you are going to be constantly subjected to them. If it's bothersome, carefully tell the firewall you don't want to be told about that particular kind of attack anymore. Consult your firewall documentation.
If the firewall reports connections to any of the following ports, it's probably because the sending computer is infected. If it is a computer on the JMU network (134.126.x.y), our own detection mechanisms are likely also detecting it and the offending computer either is, or will soon be, in quarantine. The firewall may also report that it detected the various underlying exploits or virus infections (LSASS, RPC, DCOM, MYDOOM, Blaster, AGOBot, SDBot, etc.) which makes things somewhat confusing.
If the firewall reports other activity from a computer on the JMU network (a computer with an address of 134.126.x.y), e-mail the information to <a href="mailto:firstname.lastname@example.org">email@example.com</a>. We will need the firewall logs generated by your firewall before we can determine the reason for the activity or take any action. We cannot analyze a report that does not contain a firewall log. Different firewall programs store these logs in different places. You will have to consult your firewall's documentation to find out how to get to the logs and attach them to the e-mail you send us. Do not use the web to report the activity because you won't be able to attach the log.
Do not expect an immediate response. If the activity is associated with harmful behavior on the JMU network, we will take steps to make it cease.
If your firewall is reporting activity from computers outside the JMU network and you are on the JMU campus network, send us a report and we will try to determine whether the report is something to worry about. Again, we'll need the firewall logs generated by your firewall before we can accurately assess the situation.
If your firewall is reporting activity from computers outside the JMU network and you are off-campus, you can send us a report but there isn't much we can do. If you'd like to lodge a complaint with the network operators of the network the "attacking" computer resides in, here are the instructions:
Type the "attacking" computer's IP address (from your firewall report) into one of the Internet Number registry web pages below. This will typically tell you the Internet Service Provider and often the originating organization and contact e-mail addresses. For example, if you typed in 126.96.36.199, you'd see that address is registered to JMU. Start with the ARIN registry. It will tell you if the IP address is registered somewhere else and where you need to go.
Many organizations maintain a mailbox for complaints named "abuse". So, for example, if you find the IP address belongs to America Online (AOL), you can send the information to <a href="mailto:firstname.lastname@example.org">email@example.com</a>. The "abuse contact" is often included with the registry information. An email message drafted to the ISP (typically to <a href="mailto:abuse@isp"> abuse@isp</a>) may prompt them to disable the account or to contact the owner of the sending computer. In most cases, if you get a response at all, it will be a computer generated response acknowledging receipt of your e-mail.
Make sure you include your firewall logs or they will not be able help you. By the way, you can use the same procedure to complain about SPAM or other unwanted e-mail. For e-mail, the sending computer's IP address is in the <a href="headers.shtml">e-mail headers</a> which you'll need to include in your complaint.
- <a href="http://www.arin.net/whois/index.html">ARIN ( North and South America, Caribbean, and sub-Saharan Africa )</a>
- <a href="http://lacnic.net/en/index.html">LACNIC (Latin America and Caribbean)</a>
- <a href="http://www.ripe.net/perl/whois">RIPE ( Europe )</a>
- <a href="http://www.apnic.net/apnic-bin/whois.pl">APNIC ( Asia Pacific)</a>
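The triage described in this section (ignore pings and file-sharing leftovers near port 6346, send JMU-network sources to JMU with the log, otherwise look the source up in a registry starting with ARIN), as an added example that is not part of the original page. The log line format is an assumption standing in for whatever your firewall writes, the "nearby" radius around 6346 is an assumption, and the log lines are constructed.

```python
"""Triage firewall "attack" reports the way the page describes.

Example code added to illustrate the page; it is not a JMU tool.  The log
format is an assumption (no vendor writes exactly this), the radius that
counts as "nearby" port 6346 is an assumption, and the log is constructed.
"""
import ipaddress
import re
from collections import defaultdict

JMU_NET = ipaddress.ip_network("134.126.0.0/16")   # "134.126.x.y" on the page
SHARING_PORT = 6346                                # from the page
SHARING_RADIUS = 10                                # assumption for "nearby"

# Assumed line format: "<date> <time> BLOCK <proto> src[:port] -> dst[:port] [info]"
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCK (?P<proto>TCP|UDP|ICMP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?(?: (?P<info>.+))?$"
)

# Constructed sample log (RFC 5737 documentation addresses for outsiders).
SAMPLE_LOG = """\
2004-09-12 10:02:11 BLOCK TCP 203.0.113.45:4152 -> 134.126.20.5:6346
2004-09-12 10:02:13 BLOCK TCP 203.0.113.45:4153 -> 134.126.20.5:6347
2004-09-12 10:02:20 BLOCK ICMP 198.51.100.9 -> 134.126.20.5 echo-request
2004-09-12 10:03:40 BLOCK TCP 134.126.77.12:3011 -> 134.126.20.5:445
2004-09-12 10:03:41 BLOCK TCP 134.126.77.12:3012 -> 134.126.20.5:135
2004-09-12 10:04:02 BLOCK TCP 192.0.2.88:2209 -> 134.126.20.5:135
"""


def parse(line):
    """Return a dict for one log line, or None if it is not a BLOCK line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["src"] = ipaddress.ip_address(ev["src"])
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None
    return ev


def triage(line, on_campus):
    """Classify one line: (action, reason), following the page's rules."""
    ev = parse(line)
    if ev is None:
        return ("unparsed", "not a recognised block line")
    if ev["proto"] == "ICMP":
        return ("ignore", "ICMP ping: blocked by the firewall and harmless")
    if ev["dport"] is not None and abs(ev["dport"] - SHARING_PORT) <= SHARING_RADIUS:
        return ("ignore", "file-sharing client looking for a previous user of your address")
    if ev["src"] in JMU_NET:
        return ("report_jmu", "source is on the JMU network: e-mail the firewall log")
    if on_campus:
        return ("report_jmu", "outside source against a campus host: e-mail the log")
    return ("whois_abuse", "off campus: look the source up (ARIN first), mail its abuse contact with the log")


def triage_log(text, on_campus):
    """One action per source plus the number of distinct destination ports
    it touched (many ports from one source is what a port scan looks like).
    A source that is only ever 'ignore' stays ignored; anything else wins."""
    ports = defaultdict(set)
    actions = {}
    for line in text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        src = str(ev["src"])
        if ev["dport"] is not None:
            ports[src].add(ev["dport"])
        action = triage(line, on_campus)[0]
        if src not in actions or actions[src] == "ignore":
            actions[src] = action
    return {src: (act, len(ports[src])) for src, act in actions.items()}


if __name__ == "__main__":
    for src, (action, nports) in triage_log(SAMPLE_LOG, on_campus=False).items():
        print(f"{src:<16} {action:<12} distinct ports: {nports}")
```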
There are organizations that attempt to correlate activity from multiple desktop firewalls and notify the owners of the network where the offending computer is located for you. Note that they are volunteer organizations and are not associated with law enforcement or any other official body. Two popular ones are <a href="http://www.dshield.org/index.php">DShield</a> and <a href="http://www.mynetwatchman.com/">MyNetWatchman</a>. Before participating in these types of services, make sure you understand their privacy policies. Also consider that you are asked to trust your computer to the programs they ask you to run for the automated reporting capability. Use of these services is not recommended for JMU owned computers at this time.
Should I Install a Third Party Firewall or just use the Windows XP firewall?
The primary advantage of third party firewalls is that they attempt to control outbound connections from your computer. There are scenarios where they can be fooled and even when they can't be fooled, they depend upon the operator's judgment whether or not to allow a program to make a connection. The choices can be confusing even for computer professionals. In addition, like other resident security software such as anti-virus and auto-update software, they are often disabled by malware if the operator makes a mistake. Finally, the products often cause confusion and undue alarm due to their reporting practices.
So while they offer some additional protection, their effectiveness can vary widely. A person interested in improving their desktop's security would much more effectively decrease risk by operating the computer using a regular user account (i.e. not administrator or power user) for day to day activities.
At this time, there are no plans to distribute 3rd party firewall software for JMU computers.
How Do I Enable Windows XP Internet Connection Firewall?
A personal firewall is included with both Windows XP Professional and Windows XP Home. It will block inbound attacks but will not control network access by programs running on your computer. It is a valuable security tool and should be enabled on most Windows XP computers. To enable it:
Other ways to enable it and more information is available at the following Microsoft site:
- <a href="http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp"> http://www.microsoft.com/windowsxp/pro/using/howto/networking/icf.asp</a>
- <a href="http://www.microsoft.com/WindowsXP/pro/using/howto/networking/ics.asp"> http://www.microsoft.com/WindowsXP/pro/using/howto/networking/ics.asp</a>
Some programs will require you to change the configuration of ICF to work properly. Some of these are described at the following Microsoft web site:
- <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307554"> http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307554</a>
- Other functionality that is affected includes sharing files on the ICF protected computer and receiving "new mail" notifications in an Exchange/Outlook environment and "print job completion" notifications.
A more complete overview of ICF is at:
- <a href="http://www.microsoft.com/windowsxp/pro/techinfo/planning/firewall/default.asp"> http://www.microsoft.com/windowsxp/pro/techinfo/planning/firewall/default.asp</a>
XP Service Pack 2 Windows Firewall information soon...
How Do I Configure My Firewall to Allow Programs with Special Needs to Work?
Most firewalls allow you to configure them based on a mixture of:
- what network doors are open on your computer
- what programs are allowed to open network doors
- what other computer addresses on the network can access the network doors and programs
The support web sites for firewall manufacturers often provide recommendations for popular programs.
It is always best to allow the least access necessary.
Enterprise Firewalls and Intrusion Detection Systems
Standalone firewall products developed for the enterprise often incorporate many functions other than simple door blocking. Among these functions are:
- Authenticating the identity of visitors through varying means before allowing them through the firewall
- Encrypting communications sessions in Virtual Private Networks (VPN) and limiting access to these virtual private networks through varying means of authentication of identity.
- Filtering out content such as email attachments, email viruses, and dynamic web content
- Performance enhancements such as web caching
- Hiding internal computer addresses with a feature called Network Address Translation (NAT)
Besides this extra functionality, enterprise firewalls often have more sophisticated network access control methods than do desktop or standalone home firewalls:
- They may open their doors only for return traffic from internally initiated communications. For some applications, this involves multiple ports and protocols, and the ability of firewalls to handle different applications varies. The overall effect is to prevent externally initiated connections and outsiders from scanning for and accessing open doors. Except, of course, for the doors expressly permitted by the firewall configuration rules.
- They may look inside the packets of certain types of communications to see if there are any obvious signs of maliciousness or policy prohibited behavior. Firewalls vary widely in this ability and generally do not have the level of capabilities that products labeled Intrusion Detection Systems do.
- They may re-create the entire client and server environment inside themselves and shuffle traffic piece by piece decoding and evaluating each operation as it happens. This lets them have complete control of the behavior of supported applications. The number of supported applications, implementation detail, and protective actions, if any, vary greatly from product to product.
Firewalls are not a panacea. They only enforce an organization's (or individual's) security policy. Computers or services behind a firewall that are allowed visitors are vulnerable and must be maintained accordingly. Many complexities arise due to the constant compromise between usability, functionality, and security.
The SANS organization, in cooperation with the FBI and many noted security experts, recently published a list of the <a href="http://www.sans.org/top20/"> Twenty Most Critical Internet Security Vulnerabilities</a>. When contemplating a firewall, it may be useful to determine how many of these vulnerabilities a proposed firewall can address within the framework of your organization's access and service provisioning policies.
Intrusion Detection Systems
Software and devices called "Intrusion Detection Systems" generally look at more details in the communications traffic than firewalls do in an effort to differentiate between good traffic and malicious traffic. However, the mechanisms they use to inspect the traffic often result in a lot of warnings about innocent traffic. Additionally, the definition of "good" and "malicious", and the appropriate reaction to an event often depends on the environment in which one works. Therefore, they have rarely been configured to block traffic for fear of disrupting innocent communications.
Some desktop IDS programs will block traffic they define as malicious. Most other IDS systems do not do this. They simply alert someone that something suspicious has occurred and a follow-up investigation is necessary to determine the actual outcome. New inline systems coming to market, sometimes labeled "Intrusion Prevention Systems", actually stop the malicious traffic by using carefully tuned, context intelligent rule sets.