RadianT tutorials, tips and tricks

Firewall security

Posted on 2007-Sep-7 at 05:43 in Security

A firewall is a program or hardware device that filters the information coming in through the Internet connection into your local network or standalone computer system. If an incoming packet of information is flagged by the filters that are in place, it is not allowed to pass. Without a firewall, all your computers are directly accessible to anyone on the Internet while you are connected. Usually a firewall lets you set filters for all your servers, such as FTP, mail, Telnet, and so forth.

Firewalls typically use one or more of these methods to control traffic flowing in and out of the network:

  • Packet filtering
    Packets are analyzed against a set of filters. Only packets that make it through the filters are forwarded to the requesting system.
     
  • Outbound filtering
    Some firewalls only work in one direction: they examine packets your computer is receiving, not the ones it sends. Hostile applications such as trojan horses, worms and viruses can use your Internet connection to send sensitive information from your system, so your firewall should at least have a mechanism for filtering outbound traffic.
     
  • Proxy service
    Information from the Internet is retrieved by the firewall and then forwarded to the requesting system and vice versa.
     
  • Stateful inspection
    A method that compares certain key parts of a packet to a database of trusted information. If the comparison yields a reasonable match, the information is allowed through, otherwise it is blocked.

Implementing a firewall

There are a few ways of implementing a firewall; in all of them the location of your servers and workstations plays a major role in optimizing security.

1. The safest method is to use a dedicated system with a built-in firewall for all your Internet server services and not to attach that system to your LAN. This method is very safe, but no system on the LAN has Internet access.

2. You can place the server/firewall on the same LAN as your systems but restrict the flow of traffic through the server. In this case local systems can go through the server/firewall to access Internet services, but no one can come in from the Internet to the local LAN, unless someone reconfigures the firewall to support two-way traffic.

3. If you use multiple servers, you should separate the servers/firewalls from your local systems. Set up your Internet server/firewall to handle the routing for the local systems and the local Internet servers separately. Local systems need one-way access to the Internet, while the local Internet servers need two-way access. You do run the risk of someone penetrating your firewall and changing router tables to get access to your LAN.

4. A second firewall can be added. This provides a backup to the first firewall in the event its router tables are compromised. In this way, even if someone gets through the first firewall, the second one will stop or at least slow down the intruder.

Firewalls alone are no longer sufficient protection, because they're static devices. This means that intruders can use valid, legal packets to attack your network and compromise your security. You should use additional tools for complete protection, especially for Windows NT and the TCP/IP protocol. To spot potential problems before intruders exploit them from inside or outside your network, you can implement security tools such as port scanners, vulnerability testers, log analyzers or intrusion detectors.

Possible firewall protection

  • Backdoors
    Some programs have features that allow for remote access.
     
  • Denial of service
    The hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable requests, a hacker causes a server to slow down or even crash.
     
  • E-mail bombs
    Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages. That's an e-mail bomb.
     
  • Macros
    To simplify repetitive procedures, applications may allow you to create a script of commands, known as a macro. Hackers create their own macros that, depending on the application, can destroy your data or crash your computer.
     
  • Operating system bugs
    Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that a hacker can take advantage of.
     
  • Redirect bombs
    Hackers can change (redirect) the path information takes, by sending it to a different router.
     
  • Remote login
    When someone is able to log in to your computer and control it in some way, from accessing your files to running programs on it.
     
  • SMTP session hijacking
    SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited e-mail (spam). This is done by redirecting the e-mail through the SMTP server of an unsuspecting host, making the sender of the e-mail difficult to trace.
     
  • Spam
    Be careful of clicking on unknown links in e-mails, because you may accidentally accept a cookie that provides a backdoor to your computer.
     
  • Source routing
    In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network.
     
  • Viruses
    For more details see: Anti-virus information.

NCSA Certification

NCSA has a certification program that tests firewall products against a standardized suite of attacks while still letting authorized users accomplish business functions. NCSA certification provides an objective way for you to evaluate the level of security a firewall provides.

Setting filters for a firewall

You can set filters based on various conditions. Some of these are:

IP addresses
Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four octets in dotted decimal notation (e.g. 202.62.24.124). Any IP address can be blocked.

Domain names
All servers on the Internet have readable names, called domain names, besides their IP address. The two are linked using a DNS (domain name server). A firewall can be set up to block access to certain domain names, or to allow access to specific domain names only.

Protocols
Protocols describe how client and server are to establish and carry on communication; many of them are text-based. Some protocols that you can set firewall filters for:

  • IP (Internet Protocol) - the main delivery system for information over the Internet
  • TCP (Transmission Control Protocol) - used to break apart and rebuild information that travels over the Internet
  • HTTP (Hypertext Transfer Protocol) - used for Web pages
  • FTP (File Transfer Protocol) - used to download and upload files
  • UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
  • ICMP (Internet Control Message Protocol) - used by a router to exchange information with other routers
  • SMTP (Simple Mail Transfer Protocol) - used to send text-based information (e-mail)
  • SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
  • Telnet - used to perform commands on a remote computer

Ports
Any server machine makes its services available to the Internet using ports, one for each service that is available on the server. A Web server is typically available on port 80, or port 8080, while the FTP server is usually available on port 21. Any port can be filtered.

Specific words and phrases
The firewall will search through each packet of information for an exact match of the text listed in the filter. You can include as many words, phrases and variations as you need to setup a correct filter.
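To make the filter types above concrete, here is a small simulation (an added example, not code from the original post) of a firewall that applies an address/protocol/port rule table with default deny, remembers accepted flows so that replies get back in without an inbound rule (stateful inspection), and blocks packets whose payload contains a listed phrase. The rule syntax, addresses and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    direction: str      # "in" = arriving from the Internet, "out" = leaving the LAN
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "in", "out" or "any"
    proto: str            # "tcp", "udp" or "any"
    src: str              # source network in CIDR form; "0.0.0.0/0" matches any
    dst: str              # destination network in CIDR form
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        """Static packet filtering: compare the header fields against this rule."""
        if self.direction not in ("any", p.direction):
            return False
        if self.proto not in ("any", p.proto):
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))


class StatefulFirewall:
    """Rule table evaluated top-down with default deny, plus a connection table
    so that replies to accepted flows pass without an explicit inbound rule."""

    def __init__(self, rules, blocked_phrases=()):
        self.rules = list(rules)
        self.blocked_phrases = [b.lower() for b in blocked_phrases]
        self.flows = set()   # 5-tuples (proto, src, sport, dst, dport) already accepted

    def decide(self, p: Packet) -> str:
        # "Specific words and phrases" filter: an exact (case-insensitive) text match
        # anywhere in the payload blocks the packet regardless of the address rules.
        if any(phrase in p.payload.lower() for phrase in self.blocked_phrases):
            return "deny"
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Stateful inspection: a packet that belongs to an accepted flow, or is the
        # reply to one, is trusted on the strength of that earlier decision.
        if flow in self.flows or reverse in self.flows:
            return "allow"
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.flows.add(flow)
                return rule.action
        return "deny"   # nothing matched: default deny


# Policy for a LAN 192.168.1.0/24 with one public web server at 192.168.1.10
# (constructed addresses).
RULES = [
    Rule("allow", "out", "any", "192.168.1.0/24", "0.0.0.0/0", None),   # LAN may go out
    Rule("allow", "in", "tcp", "0.0.0.0/0", "192.168.1.10/32", 80),     # public web server
    Rule("deny", "in", "tcp", "0.0.0.0/0", "192.168.1.10/32", 21),      # FTP stays private
]


def run_demo():
    """Feed a constructed packet sequence through the policy; returns the decisions."""
    fw = StatefulFirewall(RULES, blocked_phrases=[b"confidential"])
    packets = [
        Packet("192.168.1.20", "203.0.113.5", "tcp", 54321, 80, "out"),   # LAN client starts a session
        Packet("203.0.113.5", "192.168.1.20", "tcp", 80, 54321, "in"),    # reply: passes on state, not rules
        Packet("198.51.100.7", "192.168.1.20", "tcp", 40000, 445, "in"),  # unsolicited probe at a workstation
        Packet("198.51.100.7", "192.168.1.10", "tcp", 40001, 80, "in"),   # anyone may reach the web server
        Packet("198.51.100.7", "192.168.1.10", "tcp", 40002, 21, "in"),   # FTP explicitly denied
        Packet("192.168.1.20", "203.0.113.5", "tcp", 54322, 25, "out",
               b"Subject: CONFIDENTIAL draft"),                           # phrase filter fires
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(run_demo())
```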

Ping

A method for determining whether a system is connected to the Internet at a particular address. You ping a system by sending an Echo Request packet. If the target is connected, you'll receive an Echo Reply (a 'pong') in response. Most operating systems have this program. Try entering the command:

 ping domain.com (any domain name or IP address)

Operating System Fingerprinting

By sending or receiving a special packet, one can determine whether a system is connected to an IP address and which operating system it is running.

Port scanners

TCP and UDP use port numbers to identify higher layer services. Systems administrators use port scanners to determine what TCP/UDP services are available on a server. A basic rule of server security is to disable any service that the system isn't using because any open TCP/UDP service offers intruders a possible entry into your system. You can use a port scanner to ensure that only the desired TCP/UDP services are running.

Port numbers 0 through 1023 are well-known ports that systems administrators usually use for system processes or for programs that privileged users are running. If attackers exploit a well-known port, they can potentially gain control of a server. Attackers use several generic schemes to scan ports.

TCP connect() scanning
is the most basic form of TCP scanning. An attacker's host issues a connect() system call to every interesting port on the target machine. If the port is listening, connect() will succeed; otherwise, the port is unreachable and the service is unavailable. This scheme is fast and doesn't require any special privileges.

TCP SYN scanning
attempts to set up a TCP virtual connection. Establishing a TCP virtual connection requires a three-way handshake, in which one host sends a TCP segment with the synchronize (SYN) flag set, the other host responds with a segment that has the acknowledgement (ACK) and SYN flags set, and the first host responds with a segment that has only the ACK flag set. In SYN scanning, a querying host sends a SYN segment to every port. If the server responds with a SYN-ACK segment, the service is available. If the server responds with a reset (RST) segment, the service is unavailable.

TCP FIN scanning
the attacker's querying host skips the three-way handshake and sends a finish (FIN) segment to all ports of interest. Sending a FIN segment closes an open TCP connection. If the port is open, the system is supposed to ignore the FIN because there is no existing connection; if the port is closed, the system generates an RST segment. Lack of a response identifies an active port to an attacker. This method doesn't work well on most Windows systems because Microsoft's TCP implementation always sends an RST in response to a FIN.

FTP bouncing
uses the FTP PORT command and the upload capability at an FTP server behind the firewall. This attack lets a client connect with other systems that otherwise wouldn't be accessible.

UDP Internet Control Message Protocol (ICMP) port unreachable scanning
is one of the few UDP scans. UDP is a connectionless protocol, so it's harder to scan than TCP because UDP ports aren't required to respond to probes. Most implementations generate an ICMP port unreachable error when a user (or intruder) sends a packet to a closed UDP port.
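Seen from the defender's side, each scan type above leaves a recognisable trace in a firewall log. The detector below is an added example (not from the original post) run over a constructed log: it flags any source that touches several distinct ports within a short window and labels the sweep as connect(), SYN, FIN or UDP/ICMP-unreachable from the flag sequences and replies it sees. The thresholds, addresses and log format are assumptions.

```python
from collections import defaultdict

WINDOW = 10.0   # seconds within which probes from one source are correlated
MIN_PORTS = 5   # distinct destination ports that make a source a "sweep"

# Constructed firewall log, not a real capture: (time, src, dst, proto, dport, flags).
# For TCP, flags holds the flag letters on the segment; for ICMP it holds "type/code"
# and dport is unused (0).
LOG = [
    # 198.51.100.7: half-open (SYN) scan; only port 80 answered, and its SYN-ACK got an RST
    (0.0, "198.51.100.7", "192.168.1.10", "tcp", 21, "S"),
    (0.1, "198.51.100.7", "192.168.1.10", "tcp", 22, "S"),
    (0.2, "198.51.100.7", "192.168.1.10", "tcp", 23, "S"),
    (0.3, "198.51.100.7", "192.168.1.10", "tcp", 25, "S"),
    (0.4, "198.51.100.7", "192.168.1.10", "tcp", 80, "S"),
    (0.4, "198.51.100.7", "192.168.1.10", "tcp", 80, "R"),
    # 203.0.113.9: FIN scan, FIN segments with no handshake before them
    (5.0, "203.0.113.9", "192.168.1.10", "tcp", 21, "F"),
    (5.1, "203.0.113.9", "192.168.1.10", "tcp", 22, "F"),
    (5.2, "203.0.113.9", "192.168.1.10", "tcp", 23, "F"),
    (5.3, "203.0.113.9", "192.168.1.10", "tcp", 25, "F"),
    (5.4, "203.0.113.9", "192.168.1.10", "tcp", 80, "F"),
    # 192.0.2.4: UDP sweep; the target answers each closed port with ICMP type 3 code 3
    (9.0, "192.0.2.4", "192.168.1.10", "udp", 53, ""),
    (9.0, "192.168.1.10", "192.0.2.4", "icmp", 0, "3/3"),
    (9.1, "192.0.2.4", "192.168.1.10", "udp", 69, ""),
    (9.1, "192.168.1.10", "192.0.2.4", "icmp", 0, "3/3"),
    (9.2, "192.0.2.4", "192.168.1.10", "udp", 123, ""),
    (9.2, "192.168.1.10", "192.0.2.4", "icmp", 0, "3/3"),
    (9.3, "192.0.2.4", "192.168.1.10", "udp", 161, ""),
    (9.3, "192.168.1.10", "192.0.2.4", "icmp", 0, "3/3"),
    (9.4, "192.0.2.4", "192.168.1.10", "udp", 514, ""),
    (9.4, "192.168.1.10", "192.0.2.4", "icmp", 0, "3/3"),
    # 203.0.113.44: connect() scan; on the open port 80 the handshake completes with an ACK
    (15.0, "203.0.113.44", "192.168.1.10", "tcp", 21, "S"),
    (15.1, "203.0.113.44", "192.168.1.10", "tcp", 22, "S"),
    (15.2, "203.0.113.44", "192.168.1.10", "tcp", 23, "S"),
    (15.3, "203.0.113.44", "192.168.1.10", "tcp", 25, "S"),
    (15.4, "203.0.113.44", "192.168.1.10", "tcp", 80, "S"),
    (15.4, "203.0.113.44", "192.168.1.10", "tcp", 80, "A"),
    # 203.0.113.77: an ordinary visitor to the web server, one port only
    (20.0, "203.0.113.77", "192.168.1.10", "tcp", 80, "S"),
    (20.1, "203.0.113.77", "192.168.1.10", "tcp", 80, "A"),
]


def detect_scans(log, window=WINDOW, min_ports=MIN_PORTS):
    """Return {source_ip: scan_kind} for every source that touched at least
    min_ports distinct ports within some window-second span of the log."""
    probes = defaultdict(list)       # src -> [(time, proto, dport, flags)]
    unreachable = defaultdict(int)   # ip -> ICMP port-unreachable replies sent to it
    for t, src, dst, proto, dport, flags in sorted(log, key=lambda r: r[0]):
        if proto == "icmp":
            if flags == "3/3":       # type 3, code 3: destination port unreachable
                unreachable[dst] += 1
        else:
            probes[src].append((t, proto, dport, flags))

    findings = {}
    for src, pkts in probes.items():
        # Sliding window: does any window-second span hold min_ports distinct ports?
        swept = any(
            len({(pr, dp) for t2, pr, dp, _ in pkts if t1 - window <= t2 <= t1}) >= min_ports
            for t1, _, _, _ in pkts)
        if not swept:
            continue                 # few ports touched: normal client behaviour
        # Reconstruct the flag sequence sent to each TCP port, in time order.
        per_port = defaultdict(list)
        for _, proto, dport, flags in pkts:
            if proto == "tcp":
                per_port[dport].append(flags)
        seqs = list(per_port.values())
        if any(s[0] == "F" for s in seqs):
            kind = "tcp-fin"         # FIN before any SYN: the handshake was skipped
        elif any("A" in s for s in seqs):
            kind = "tcp-connect"     # a handshake completed on at least one port
        elif seqs:
            kind = "tcp-syn"         # SYNs only, or SYN then RST: half-open scan
        elif unreachable[src] >= min_ports:
            kind = "udp-unreachable" # UDP sweep revealed by ICMP port-unreachable replies
        else:
            kind = "udp"
        findings[src] = kind
    return findings


if __name__ == "__main__":
    for ip, kind in detect_scans(LOG).items():
        print(f"{ip}: {kind}")
```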

You can perform port scans with several tools that employ a combination of methods to detect exposures. The FTP and HTTP services are exposures simply because they're always running. The medium-risk FTP service is susceptible because it has anonymous access enabled, and the HTTP service is high risk because attackers can exploit the $DATA hole in Microsoft's Internet Information Server (IIS). This vulnerability affects many IIS installations because an attacker can download the Active Server Pages (ASP) source by appending a ::$DATA string to the URL. This can expose usernames and passwords that systems administrators have hard-coded within scripts.

Many port scanners suggest possible fixes, such as shutting down the service or installing a hotfix. Although shutting off the service might not be an option, knowing that a vulnerability exists helps you balance the risk exposure with the benefit.

Vulnerability testing

Vulnerability testing is similar to port scanning, but you use vulnerability testing for specific operating systems rather than for the TCP/IP communications protocols. Many security vulnerabilities are OS specific, so a good rule of secure management is to avoid advertising your servers' OS. However, clues such as .asp file extensions, use of .htm rather than .html, and home pages named default.htm usually identify an IIS server to an attacker. In addition, many tools help attackers determine a system's OS, and to use these tools attackers need only the server's IP address. Systems administrators are well advised to use software to examine their systems for OS vulnerabilities. Most vulnerability testers will also tell you where you can get more information, such as pointers to Microsoft articles and links to hotfixes and service packs, and suggest corrective measures, such as instructions for updating the Registry to secure your systems. New OS vulnerabilities appear all the time, so you need to scan frequently with an up-to-date database of OS vulnerabilities.

Hardware firewalls

Hardware firewalls are secure and no longer expensive. The router is connected to a cable or DSL modem and functions as gateway, DHCP server, virtual server and applications server. You configure the router through a browser interface, by entering the router's local IP address in your browser. You can set many filters for each of the functions of the router.

Software firewalls

A software firewall can be installed on a standalone computer with an Internet connection. This computer is considered a gateway because it provides the main or only point of access between your computer and the Internet. Firewall programs can be found in SimplytheBest Software.

 

Spyware, adware, malware, tracking cookies

Posted on 2007-Sep-7 at 05:10 in Security

What is spyware and adware?

To explain what spyware is, we'll first explain what adware is. Adware is 'freeware' with ads embedded in the program. These ads show up when you open the program. Most adware authors provide the free version with ads and a registered version in which the ads are disabled. As such, you the user have the choice: either use the freeware with ads served, or purchase the registered version.

Spyware, however, is published as 'freeware' or as 'adware', but the fact that an analysis and tracking program (the 'spyware' agent, which reports your activities to the advertising provider's web site for storage and analysis) is also installed on your system when you install this so-called 'freeware' is usually not mentioned. Even though the name may suggest otherwise, spyware is not an illegal type of software in any way. But what the adware and spyware providers do with the collected information, and what they're going to 'feed' you with, is beyond your control. And in some cases it all happens without your consent!

Hardware spyware

Spyware can even be found accompanying hardware you buy and install in your system. Yes, the software you install with hardware purchased from certain manufacturers (some even well-known) may include spyware agents.

Spyware categories

  • Adware networks
    The backbone of big-time spyware is the ad serving networks that pay publishers of games, utilities and music/video players per download to include their ad serving programs.
     
  • Stalking horses
    A number of programs that enable the adware networks to function on desktops are bundled in many popular programs and often (not always!) presented in installation disclosure screens as desirable add-ons to their Trojan horse hosts. All collect information.
     
  • Trojan horses
    These popular Internet downloads usually come with the ad serving network basic software and at least one stalking horse.
     
  • Backdoor Santas
    Stand-alone programs that incorporate similar approaches have no links to ad serving networks and collect information from users.
     
  • Cookies
    Netscape Navigator, Internet Explorer, Opera, Firefox and Mozilla all still send out existing cookies even after you disable cookies in the browser settings. You must manually delete any and all cookie files on your system to stop being tracked by third-party ad networks or spyware or adware providers.

Spyware threats

Spyware threats come in different flavors. The spyware agent can be malware (modifies system settings, and can perform undesirable tasks on your system), hijacker (redirects your browser to web sites), dialer (dials a service, most likely porn sites, for which you are billed!), trojan horse (is attached to a program, and performs undesirable tasks on your system), collectware (collects information about you and your surfing habits).

In addition to doing a detailed check of your browser history, spyware can install DLLs and other executable files, send continuous data to the parent, leave a backdoor open for hackers to intercept your personal data or enter your computer, install other programs directly onto your computer without your knowledge, send or receive cookies to other spyware programs and invite them into your computer (even if you have cookies disabled), and add Trojan horses to your system. Most spyware and adware programs are independent executable files that take on the authorization abilities of the victim. They include auto-install and auto-update capabilities and can report on any attempts to remove or modify them.

Spyware programs can reset your auto signature, disable or bypass your uninstall features, monitor your keystrokes, scan files on your drive, access your applications, change homepages in addition to displaying advertising content online or offline. They can read, write and delete files and even reformat your hard drive and they do this while sending a steady stream of information back to the advertising and marketing companies. The majority of these programs once installed can not easily be deleted from your system by normal methods and often leave components behind to continue to monitor your behavior and reinstall themselves.

In addition to being included with software products some spyware programs can get installed on your computer while you surf the Internet!

Lists of known or suspected spyware are available from the following sources:

  • Spy Chaser lists known spyware programs and lets you enter a program name to see if it's on the list before you install it.
  • PC PitStop offers a filename database on its web site.

Cleaning

If you are cleaning your system manually, using some of the tips mentioned above, you do this at your own risk. Editing the Registry without some basic knowledge may result in your computer not starting up anymore. And reinstalling Windows may be the only way back. So here is the list with some helpful programs (try them first): Spyware cleaners.

Spyware resources

Security & Privacy related links

Spyware forums & newsgroups
for discussions about the removal of spyware from your system.

Possible actions

You may want to take action! The Federal Trade Commission (FTC) handles complaints about deceptive or unfair business practices. To file a complaint, go to the FTC web site, call 1-877-FTC-HELP, or write to: Federal Trade Commission, CRC-240, Washington, D.C. 20580. Several senators have been trying to get several new privacy laws passed. These laws will not get passed unless the American public strongly supports these legislations. Complain to your congressman! Find and contact your Congressman: http://www.house.gov/writerep/.

Currently the FTC has stricter regulations for deceptive advertising than for privacy issues. Where an advertisement must be fully qualified as to claims of what a product can and cannot do, the FTC only "encourages" a business to have a privacy policy, and there are no regulations as to what information can be gathered or what its purpose or use will be. Only recently have they begun to address the issue of privacy statements. Businesses are not regulated as to what information they can or cannot gather, nor what they do with it. Information about consumers is considered an asset that can be sold, transferred or acquired at will. If your complaint is against a company outside the US, file your complaint at http://www.econsumer.gov/.


 

Viruses, worms, trojans and anti-virus

Posted on 2007-Sep-7 at 04:55 in Security

A virus is a file that can infect other files in a computer or a network and can produce undesired side-effects. These effects range from harmless messages to data corruption or destruction. Some viruses can format your hard disk or destroy the FAT (File Allocation Table) and the disk directories; others cause minor effects such as occasionally displaying on-screen messages, erasing or modifying data, playing music, or interfering with printer output.

Possible sources of virus transmission are diskettes, CDs, network cables, telephone cables (with a modem) and the Internet. Closely related to computer viruses are Trojan horses and Worms.

A Trojan horse is a program that performs some undesired action while pretending to do something else. One common class of Trojans is fake login programs, which collect account names and passwords by prompting for them just as a normal login program does. Another is a disk defragmenter that erases files rather than reorganizing them. A Trojan horse differs from a virus in that it does not attempt to reproduce itself.

A worm is a self-propagating virus. The worm disguises itself as an e-mail attachment; the attached file is the actual worm code, and it propagates by locating valid e-mail addresses. The worm modifies wsock32.dll and patches itself into this file so that the two APIs Connect() and Send() hook into the worm's code. Win32/SKA.A can see all network activity on the current machine. When someone posts an e-mail message to another user or to a news server, the worm sends a copy of its own e-mail message with an attachment of its code. These chain-letter worms are very successful because people usually trust messages they receive from friends and associates. 32-bit worms are much more successful than viruses, which spread relatively slowly. A worm can infect hundreds of thousands of machines around the globe in a single day.

There are four main classes of computer viruses: file infectors, cluster infectors, macro viruses and system infectors. About 85 percent of all known viruses are file infectors, which infect files containing applications, such as COM or EXE files under DOS, spreadsheet programs or games. Cluster infectors modify the file system so that they are run prior to other programs, but they do not actually attach themselves to programs. The third category, macro viruses, are independent of operating systems and infect files that are usually regarded as data rather than as programs. System infectors store themselves in the boot sector of floppies or the master boot record (MBR) of hard disks and hence are invoked whenever the disk is used to boot the system.

A virus must be executed by someone, perhaps unwittingly, in order to spread, for example by booting from an infected floppy disk. System infectors are loaded each time an infected disk is used to boot the system. This can happen even if a disk is not equipped with the files needed to truly boot the computer, as is the case with most floppies. With PCs, the initial infection typically occurs when someone boots, or reboots, a computer with an infected floppy accidentally left in drive A. It is always a good habit to check for and remove any floppies that might be in the drives before booting your machine. We recommend that you take all necessary precautions with e-mail messages that include attached files: unless you know the source, delete the message without opening the attachment.

Viruses

We can differentiate the following types of viruses: boot viruses, DOS viruses, hoaxes, Java viruses, MS Excel viruses, MS Word viruses, PalmOS viruses, script viruses, trojan horses, Windows viruses and worms.

Types of infections

Damaging the hardware under Windows 95/98
Virus attacks took a big step in 1998 when the Win95/CIH became the first virus to damage system hardware, specifically the flash BIOS. CIH, like Win95/Anxiety, implements a PE infection mechanism based on VxD calls. Because the virus executes its damage routine in Ring0 (system level), you can't prevent the damage caused by the port commands (e.g. IN, OUT).

Infecting Kernel32.dll
Virus writers have written several Win32 viruses that attack kernel32.dll, which most PE applications load and use to access the most important Win32 API set, such as the file functions. These viruses work by patching the export address of one exported API (e.g., GetFileAttributesA) to point into the virus code that the virus has appended to the end of the DLL image. Because 32-bit DLLs use the PE file format, virus writers can easily infect this type of file. These viruses can be per-process resident (i.e., the virus runs actively as part of one or several processes). As a result, each process that uses kernel32.dll, which is any process that uses the basic Win32 file and directory functions, links to the virus code. The infected DLL attaches to every program that has kernel32.dll imports. Whenever the application calls the API with the attached virus code, the virus code gets control in the address space of the infected application.

Every system DLL contains a pre-calculated checksum that the linker places in the DLL's PE header. Unlike Win95, NT recalculates this checksum before it loads DLLs and drivers. If the calculated checksum doesn't match the checksum in the DLL's header, the system loader stops with an error message at the blue screen during system boot. However, this doesn't mean that a virus writer can't implement such a virus for NT. The Win32/Heretic virus was the first of its kind to implement proper kernel32.dll infection. As a result, the virus ran on NT. The Win32/Kriz virus also used this method and uses the CIH damage routine, but the damage routine doesn't work under NT because the virus runs in Ring3 (user mode).

Kernel-mode driver viruses
This type of virus appends a number of bytes to the end of applications that run in user mode. The virus modifies the entry point so that it points to the start of the virus code. The virus tries to install its driver in the system and uses hard-coded IDs to call native APIs. It can monitor all file access and infect applications on the fly; it can infect anything it wants. Fortunately this kind of virus is hard to program and is scarce.

Complex Win32 viruses
These viruses use polymorphic engines to make detection of the virus code extremely difficult. Some implement polymorphic engines that can change the virus code from byte to byte in different generations, so you can't use a constant search string to detect the virus code unless you use antivirus modules such as code emulation. Another approach to polymorphic viruses is writing metamorphic viruses. These viruses consist of small modules that the virus can place in a virtually endless order, using various sets of instruction sequences that differ in code but have the same result when executed. Several of these viruses consist of pieces of assembly code that are encrypted multiple times.

Counter measures

Infected DLLs can be hard to clean from the system because applications map these files from the disk to memory, and you can't modify these files once they load. Whereas you can boot an infected Win9x machine from a clean system diskette, it's much more complicated when you're using Win2000 and NT with NTFS. In these situations, you need to use utilities such as NTFSDOS that can boot the system for write access. Windows System File Checker (SFC) will fix the modified system components automatically. To use SFC, type sfc.exe from the command prompt. SFC is not a virus security feature, but it helps reduce the risk of spreading viruses under Win2000.

  • Backups of all software (including operating systems) should be made regularly.
  • Prevention includes creating user awareness, implementing hygiene rules, using disk authorization software or providing isolated 'quarantine' PCs.
  • Detection involves the use of anti-virus software to detect, report and disinfect viruses.
  • Containment involves identifying and isolating the infected items.
  • Recovery involves disinfecting or removing infected items and recovering or replacing corrupted data.

Techniques to detect viruses

String search
The first step in detecting a virus in a file is to search for a unique piece of its code or of its data within files. This method is used for simple viruses. Although the string search technique is not considered foolproof, it is still the basis of most anti-virus programs.

Algorithmic search
This technique consists of determining whether a file has been infected by observing certain parameters that commonly appear in infected files.

Vaccination
This consists of recording file characteristics in the file itself or in separate files. This information is later used to determine whether the file was modified, which almost always implies a virus attack.

Investigation method
This method is very effective for unknown viruses and tries to discover viruses that are active in memory, but have not been discovered by a conventional memory scan. It basically consists of testing the virus so as to discover its infection capacity.

Anti-stealth method
It consists of controlling the system resources first, before any other application, and therefore does not allow itself to be manipulated by other applications. This isolation system only makes sense when the virus is in memory, i.e. when it is active, as this is when we try to avoid the effects of the virus on the system.
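The string search and vaccination techniques above, as an added example that is not from the original post: a byte-signature scanner with single-byte wildcards, and an integrity table that records a file's size and hash so that a later modification is detected. The signature, the sample 'clean' and 'infected' images and the file name are constructed for the example.

```python
import hashlib
import re

# Constructed signature database (these are not real virus signatures). A "??"
# wildcard matches any single byte, so the search tolerates small variations in
# the bytes around a fixed sequence.
SIGNATURES = {
    "Demo.Infector.A": "B8 ?? ?? 00 00 CD 21 EB",
}


def compile_signature(pattern: str):
    """Turn a hex pattern with ?? wildcards into a compiled byte regex."""
    parts = []
    for tok in pattern.split():
        parts.append(b"." if tok == "??" else re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def string_search(data: bytes, sigs=SIGNATURES):
    """The page's 'string search': names of every signature found in the file."""
    return [name for name, pat in sigs.items() if compile_signature(pat).search(data)]


class Vaccination:
    """The page's 'vaccination': record each file's characteristics (here its size
    and a SHA-256 digest, kept in a separate table) and later detect any change."""

    def __init__(self):
        self.records = {}

    def record(self, name: str, data: bytes) -> None:
        self.records[name] = (len(data), hashlib.sha256(data).hexdigest())

    def check(self, name: str, data: bytes) -> bool:
        """True if the file still matches what was recorded; False on modification
        (or when it was never recorded, so an unknown file is never trusted)."""
        return self.records.get(name) == (len(data), hashlib.sha256(data).hexdigest())


# Constructed sample images, not real executables: a clean program and the same
# program with a fake infector appended, as a file infector would do.
CLEAN = b"MZ" + b"\x90" * 64 + b"\xc3"
FAKE_INFECTOR = b"\xb8\x00\x4c\x00\x00\xcd\x21\xeb\xfe"   # contains the signature bytes
INFECTED = CLEAN + FAKE_INFECTOR


def run_demo():
    """Scan both images and compare the infected one against the clean baseline."""
    v = Vaccination()
    v.record("app.exe", CLEAN)           # baseline taken while the file is known clean
    return {
        "clean_signatures": string_search(CLEAN),
        "infected_signatures": string_search(INFECTED),
        "clean_unchanged": v.check("app.exe", CLEAN),
        "infected_unchanged": v.check("app.exe", INFECTED),
    }


if __name__ == "__main__":
    print(run_demo())
```

The two techniques are complementary: the signature catches a known infector anywhere it lands, while the integrity check catches any change to a recorded file, including one no signature exists for yet.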

Precautions

1. Be careful when downloading software or other items.
2. Don't run programs directly from the Internet unless you trust their source.
3. Avoid opening files attached to e-mail messages, unless you trust their source.
4. Scan new programs before running or installing them onto your system.
5. After you have an anti-virus program installed, keep it on auto-detect and keep the virus signature files up to date. Most programs offer an easy online updating option.

Disinfecting a virus

You should never work with a virus in memory. A virus, like any other program, can only get into memory when it is run. When you run an infected program the virus is activated, and that is what we want to prevent by booting from a clean, virus-free boot diskette. When a virus is active in memory it interferes with the operations performed and, at best, could re-infect cleaned files if you go on working with the computer (without rebooting) after the disinfection is finished.

Some necessary program features:

A good anti-virus program will check RAM, boot sectors and system files. It should have an auto-detect function that scans your system in the background, scan e-mail attachments, documents and spreadsheets when they are opened, and let you scan any area of your system on demand or on a schedule. It should also scan for all sorts of (unknown) malicious programs, such as Trojan horses.

