By Sheryl Canter
Nearly everyone understands the need for antivirus software, but it may not be clear why a firewall is also needed. The two reinforce each other and back each other up. Firewalls use safe computing rules to protect your computer from intrusion, while antivirus software scans your file system for known malware that has slipped through the firewall, then removes it when found.
Antivirus software is easy to set up and use. The default settings won't hinder your computer's operation; you just need to update the virus definitions regularly. With firewalls, though, the settings must be customized. Improperly configured firewalls either provide inadequate protection or hamper legitimate activities.
Firewalls can be either hardware- or software-based. Many PC security packagessuch as Norman Internet Control, Norton Internet Security, McAfee Internet Security Suite, and ZoneAlarm Security Suiteinclude both antivirus software and a firewall. A firewall's wizards are helpful but can't make every decision. A wrong choice can create a false sense of security.
This article explains how attackers try to gain access to your computer and how antivirus software and firewalls block these attacks. It also lists general principles in configuring a software firewall. (For more on firewalls, see our August 3 issue).
Your computer is vulnerable to attack in two areas: the file system and the network stack (the set of protocols that defines network communication). Antivirus software guards the file system, scanning e-mail attachments and file downloads as well as inspecting files before loading, saving, or executing them. Scanned files are compared with a database of known virus definitions, or signatures. False positives are rare with signature monitoring.
Some antivirus programs offer heuristic scanning, which tries to identify viruses not in the database by looking for suspicious patterns. Such behavior monitoring gives more false positives and is usually turned off by default. In firewalls, it's the reverse.
Your computer can become infected whenever you're connected to the Interneteven if your e-mail program and browser are closedthrough attacks against the network stack. Every computer connected to the Internet has a unique address (the IP, or Internet Protocol, address) so communication can be directed to it. With dial-up, your IP address changes each time you log in. From a security standpoint this is good, as it makes your computer a moving target for human hackers (though some automated worms can check the whole range of IP addresses in less than 15 minutes). With broadband, your IP address is always the same, so hackers can probe your computer at leisure.
Firewalls protect your computer's network ports, or endpoints of communication (as opposed to the USB and other ports used to connect devices to the computer). Common Internet services use specific ports; HTTP is usually on port 80; FTP, on port 21. An open port can give hackers a way in, so firewalls close and hide ("stealth") all unused ports. Use of other ports is governed by sets of rules. A firewall, for example, may allow outgoing FTP requests but not incoming (so you can download files from the Internet, but others can't pull files from your hard disk).
The MS-Blaster worm provides a good example of how firewalls can protect you where antivirus software can't. The worm entered computers through port 135. A Windows remote execution service (for starting programs at the request of other computers) automatically launched the worm. Usually programs launched remotely have limited access to the host system, but MS-Blaster got around this with a buffer overflowsending more data to an input buffer (an area in memory allocated by a program for user input) than it can hold. This overwrites adjacent areas of memory, letting attackers alter settings or add instructions.
Once MS-Blaster appeared, antivirus programs updated their signature files to recognize it, but only after numerous computers had been infected. A firewall could have prevented infection by blocking access to the port.
If you had to leave port 135 open for a valid service, an Intrusion Detection System (IDS), which provides signature-based monitoring, would help. If a buffer overflow attack was seen to send 4,875 bytes to port 135, this would go into the IDS signature database, and similar attacks would be caught, even if port 135 were open. Sygate Personal Firewall Pro and Norton Personal Firewall are examples of software firewalls with an IDS. (ZoneAlarm doesn't use one.)
Firewalls are of two basic types, proxy servers and packet filters. Proxy firewalls, used by large business networks, use dedicated servers to break the connection between client and server. This applies to both incoming and outgoing traffic, so the client could be an employee or an external hacker. The server could be an external Web server or the company's internal server. Packet filters evaluate packetsthe units in which data travels the Internetto decide whether or not to forward them.
Personal firewalls, as well as many business firewalls, use packet filtering. The simplest packet filters use rules based only on the source and destination IP addresses, source and destination ports, and protocol. Firewalls that view this data for each packet in isolation are called static packet filters. They can control what Internet services a computer can use or provide, but as software they are vulnerable to IP spoofing. More often these filters are built into routers, where a process called Network Address Translation (NAT) hides the IP addresses of computers on a local network, exposing just the router to the Internet.
Most worms attack Windows or Windows-based applications. Since routers don't use Windows, they're fairly immune to these attacks. Even if you have just one computer, it helps to use a NAT router along with a software firewall to bolster security (see "NAT Enough?", Security Watch, September 21, page 92.)
Dynamic packet filtering (or stateful packet inspection) looks at IP packets in context. This method can tell whether a given IP packet continues an existing connection or starts a new one. To prevent IP spoofing, communication not initiated by the firewall owner is blocked. The method's weakness is that outgoing traffic is always permitted, letting Trojan horses spread themselves or pilfer private data.
ZoneAlarm was the first program to monitor outgoing traffic as well as to filter communication on an application level; this is now the standard in personal firewalls. With outbound monitoring, you can allow requests from your browser while denying requests from a Trojan, even for the same port. Most personal firewalls use application information along with port, protocol, and flow data to provide multilevel stateful inspection. Norman's firewall does this especially well ( www.norman.com ). When an unknown program tries to access the Internet, a wizard lets you control how much access to grant it.
With the Windows XP firewall (SP1 and SP2), you can give applications permission to listen for incoming requests but not to talk, so this firewall doesn't help against Trojans. Microsoft says the XP SP2 firewall is not designed to replace third-party firewalls but to give all users a minimal level of protection from worms like MS-Blaster.
The most common decision a personal firewall asks you to make is whether to let a particular program access the Internet. You'll get such prompts most often when you first install the firewall. The question can be confusing because you may not recognize the name of your e-mail client's executable, or the Windows system compo- nents that access the Internet. It's good to start with as clean a system as possible. Update your virus definitions and perform a full system scan before you install the firewall; this should catch any Trojans on your system. Then you can safely answer Yes to the access requests you get the first time you go online.
For access requests after that, look at the program's information. If you don't recognize it, think about what you were doing before getting the prompt. If you just installed software or selected a command that might trigger communication, the request is probably valid. If you're unsure, tell the firewall to block it but to prompt you if the program again requests access. If saying No blocks something you want to do, say Yes the next time you're prompted.
When your firewall won't let you do something, resist the temptation to punch a hole in the wall rather than trying to define a pinhole that will keep your computer safe. If you want to access your work computer from home, it's easier to give full access to the file-sharing ports or turn off your firewall than to figure out how to give file-sharing access only to your home computer's IP address. But it's worth taking the time to do the job right, or else your computer will be left open to attack.
Several Web-based vulnerability tests can tell you how well protected you are:
Shields Up ( www.grc.com/x/ ne.dll?bh0bkyd2 )
PC Flank ( http://www.pcflank.com/about.htm )
Sygate Tests ( http://scan.sygate.com )
Run one of these and you'll see why you need to insert a firewall between yourself and the Internet.