CSCE 201 Windows XP Firewalls Fall 2010
Reading Windows XP help and Support: search on “Firewall” Tony Bradley, CISSP-ISSAP, Windows XP SP2 Firewall, Is It Sufficient To Replace 3rd-party Personal Firewalls?, About.com CSCE Farkas2
3 Traffic Control – Firewall Brick wall placed between apartments to prevent the spread of fire from one apartment to the next Single, narrow checkpoint placed between two or more networks where security and audit can be imposed on traffic which passes through it
CSCE Farkas4 Firewall Hardware device or a software application and generally is placed at the perimeter of the network Private Network External Network Firewall
CSCE Farkas5 Firewall Objectives Act as the gatekeeper for all incoming and outgoing traffic Private Network External Network Proprietary data External attacks
Firewall Rules Restrict access to certain IP addresses or domain names Block certain types of traffic by blocking the TCP/IP ports they use Four basic approaches: – packet-filtering – circuit-level gateway – proxy server – application gateway CSCE Farkas6
Packet Filter Intercepts all traffic to and from the network Evaluates it against the firewall rules Rules use: source IP address, source port, destination IP address and destination port CSCE Farkas7
Circuit-level Gateway Blocks all incoming traffic to any host but itself Internally: the client machines establish a connection with the circuit-level gateway Outside world: all communication from your internal network seems to originate from the circuit-level gateway CSCE Farkas8
Proxy Server Boosts the performance of the network Hide the internal network topology (all communications appear to originate from the proxy server itself) Caches pages that have been requested to improve speed Filters traffic based on traffic info, ports and content Application Gateways: application specific proxy server CSCE Farkas9
Comparing Firewalls Filtering capability: – Packet filters: packet header information only – Application gateways: packet header and data content, application specific info Speed of detection – Packet filters: generally fast and uses limited resources – Application gateways: slower and uses more resources Use of traffic history – Packet filters: generally stateless (New systems: stateful packet filters) – Application gateways: generally stateful CSCE Farkas10
Home Users Home routers: – Come with built-in firewall – Generally simple packet filters Can block all incoming connections on all ports if desired Open connections as needed Examples: – Publish a web page from your computer: allow incoming traffic on Port 80 – Download files from outside using FTP: allow incoming connections on Port 21 CSCE Farkas11
Windows Firewalls Microsoft Windows XP Service Pack 2 (SP2), Windows Firewall is turned on by default You can install and run any firewall that you choose If you choose to install and run another firewall, turn off Windows Firewall CSCE Farkas12
Functionality Help block computer viruses and worms from reaching your computer Ask for your permission to block or unblock certain connection requests Allow to create a record (a security log), if you want one, that records successful and unsuccessful attempts to connect to your computer CSCE Farkas13
Not Supported Detect or disable computer viruses and worms if they are already on your computer Stop you from opening with dangerous attachments Block spam or unsolicited from appearing in your inbox CSCE Farkas14
To turn Windows Firewall on or off Must be logged on as an administrator To open Windows Firewall: click Start, click Control Panel, click Network and Internet Connections, and then click Windows Firewall On the General tab, click one of the following: – On (recommended) – Exceptions tab – Off (not recommended) CSCE Farkas15
Firewall Settings Exception Tab: when the firewall is turned on, some features of some types of programs are blocked – Unblock features: list the program on the Exceptions tab in Windows Firewall Advanced Options: – Set Windows Firewall settings for individual connections – Advanced tab, and then, under Network Connection Settings, click Settings CSCE Farkas16
Risk of Exceptions Exceptions make your computer is made more vulnerable Intruders often use software that scans the Internet looking for computers with unprotected connections Best Practices: – Only allow an exception when you really need it – Never allow an exception for a program that you don't recognize – Remove an exception when you no longer need it CSCE Farkas17
Add an Exception Open Windows Firewall. On the Exceptions tab, under Programs and Services, select the check box for the program or service that you want to allow, and then click OK. If the program (or service) that you want to allow is not listed: – Click Add Program. – In the Add a Program dialog box, click the program that you want to add, and then click OK. The program will appear, selected, on the Exceptions tab, under Programs and Services. Click OK. CSCE Farkas18
Open a Port Each port has a number. Many programs and services have predefined port numbers they use Open Windows Firewall. On the Exceptions tab, choose one of the following options: – To open a port for a program or service, select the check box for the program or service – To close a port for a program or service, clear the check box for the program or service CSCE Farkas19
Exception vs. Opening Port Adding an exception is preferable to opening a port – It is easier to do – You do not need to know which port number to use – Adding an exception helps provide security, because the firewall is only open while the program is waiting to receive the connection CSCE Farkas20
When to Block a Program? Firewall is turned on: a program on your computer attempts to accept connections from the Internet or a network the firewall blocks the program from doing this and displays a message giving you the option to unblock the program Options: – Keep Blocking – Unblock – Ask Me Later CSCE Farkas21
Firewall Settings Apply to every user who logs on to the computer The message might be hidden behind the program minimize or close the program Messages can be disabled by using Windows Firewall: Exceptions tab, clear the Display a notification when Windows Firewall blocks a program check box (not recommended) If Don't allow exceptions is selected on the General tab, you will not receive this message CSCE Farkas22
3 rd party firewalls From: Tony Bradley, CISSP-ISSAP, Windows XP SP2 Firewall, Is It Sufficient To Replace 3rd-party Personal Firewalls? Windows Firewall is much better than its Internet Connection Firewall (ICF) predecessor Still no match for a 3rd-party personal firewall solution CSCE Farkas23
Shortcomings of Windows Firewall Windows: does not monitor or block outbound traffic 3 rd party: monitors which programs attempt to initiate outbound communications and either alert the user or block the traffic when suspicious activity occurs Windows: relies on API's which can be disabled 3 rd party: Cannot be disabled without uninstalling CSCE Farkas24
Windows or 3 rd party? Use Windows and 3 rd party firewalls together? – No – Complicates setting and may create additional vulnerabilities Is SP2 of Windows sufficient? – For most home users: yes – For advanced home users: may not be enough CSCE Farkas25
Top 3 rd Party Firewalls Ranging in price between FREE and $50 on average – ZoneAlarm Pro 5 – PC-Cillin 2004 Internet Security – Norton Personal Firewall 2005 – McAfee Personal Firewall CSCE Farkas26
CSCE Farkas27 Without firewalls, nodes: – Are exposed to insecure services – Are exposed to probes and attacks from outside – Can be defenseless against new attacks – Network security totally relies on host security and all hosts must communicate to achieve high level of security – almost impossible
CSCE Farkas28 Firewall Advantages Protection for vulnerable services Controlled access to site systems Concentrated security Enhanced Privacy Logging and statistics on network use, misuse Policy enforcement
CSCE Farkas29 Firewall Disadvantages Restricted access to desirable services Large potential for back doors No protection from insider attacks No protection against data-driven attacks Cannot protect against newly discovered attacks – policy/situation dependent Large learning curve
CSCE Farkas30 Firewall Evaluation Level of protection on the private network ? – Prevented attacks – Missed attacks – Amount of damage to the network How well the firewall is protected? – Possibility of compromise – Detection of the compromise – Effect of compromise on the protected network Ease of use Efficiency, scalability, redundancy Expense