232 Chapter 7 • Personal Firewalls An ACL in the file sense is a mechanism for enforcing a particular set of permissions for a file or directory. This could be either on a per-user or per-process basis. For example, if someone is logged into your computers as “guest” you might not want them to have access to your documents. You would have an ACL that said something like guest:no access. For a process example, consider your Web browser. You might want to have a rule as a backup protection mechanism that says your browser can’t write to most of your hard drive. That way, if some attacker takes advantage of a hole in your browser software, your backup mechanism might save you. There is an example of this type of ACL in the eSafe section later in this chapter. A network ACL is used to define which addresses and ports are allowed or blocked. An ACL entry typically includes some portion of the following: an address or range (192.168.0.1, or 192.168.0/24), a list or range of ports (80, 25, >1023), and a protocol type (Transmission Control Protocol, or TCP; User Datagram Protocol, or UDP; or Internet Control Message Protocol, or ICMP). Other things that may be included in an ACL include time information (enforced during certain hours) or temporary entries that may be added in response to other traffic that has gone by. Since the term ACL is pretty generic, it gets fairly vendor-specific beyond those simple terms. Some firewall vendors call it a rule set. Some firewalls can have much more complicated things besides just allowing or not allowing certain ports or files. While discussing specific products in this chapter, there will be a number of examples of ACLs. Execution Control List (ECL) An Execution Control List (ECL) is similar in spirit to an ACL, but it controls which programs may be executed. This may seem to be a bit redundant if an ACL is in place. For example, most file ACL software will allow you to mark files with an execute/no execute flag. But ECLs are not redundant. The reason is that not all programs come off your hard drive. Many programs are now accessed via the Internet. I don’t mean programs that you would normally download and install, but rather executable content; for example, JavaScript, VBScript, ActiveX, Java, or just about any kind of program that can arrive in your e-mail, or can be loaded by a Web browser. The simplest example of this is disabling scripting languages in your Web browser or e-mail client. For example, in Netscape you can disable Java and JavaScript. This is a very primitive ECL that says your browser doesn’t have permission to run Java or JavaScript programs. www.syngress.com 119_email_07 10/5/00 9:25 PM Page 232 Personal Firewalls • Chapter 7 233 Of course, you’ll want some with more detailed control. Some of the personal firewall products in this chapter will allow you to control which scripts and programs get executed, based on where they come from. In addition, some of the products contain signatures for known malicious programs, similar to how a virus scanner works. Intrusion Detection Intrusion detection, also called an Intrusion Detection System (IDS), is a dif- ferent animal than a firewall. While the idea behind much of what is cov- ered in this chapter is prevention, intrusion detection is concerned with detection. There’s a significant difference. Prevention may prevent an attack from succeeding if the preventative measure is working properly. Or, it may fail. Chances are if there’s an attack that is able to get around a preventative measure, it won’t be noticed. Detection focuses on being able to spot attempts and/or intrusions. It doesn’t necessarily block them. An attack might succeed, but it (hopefully) won’t go undetected. Detection is important so that you have some idea of the level of damage done, and so that you have some level of evidence. (This type of evidence may not be admissible in a legal situation, but something is better than nothing.) For many enterprise-level products, the IDS function is often separate from any firewall function, though some IDS products can communicate with firewalls to block apparent attackers. For personal firewall products, the two functions are often integrated. So, for many personal firewall prod- ucts, there is no real distinction between the firewall function and the IDS function. In many ways, you could think of the IDS function as a sophisti- cated reporting mechanism for what the firewall blocks. All of the products we look at in this chapter have some function that could be considered IDS if it’s enabled. At the minimum, you can enable alerting for things that the firewall blocks. Some products go a bit further, and attempt to identify and classify the particular attack being attempted. You may wonder what you do with any IDS information you collect. It depends mostly on your attitude and how much work you’re willing to do. In general, even if you detect something that you think is malicious, you can forget about involving law enforcement. First, many of the probes that constitute attacks are not illegal in most places. An actual intrusion would have to take place to interest law enforcement, and even then, it’s widely reported that they want to see some minimum dollar amount of damages before they will open a case. (It’s usually said to be $5000 in the United States to interest the FBI.) Naturally, the laws vary by region and over time, so if you really want to pursue this route, consult a lawyer. www.syngress.com 119_email_07 10/5/00 9:25 PM Page 233 234 Chapter 7 • Personal Firewalls The next thing you can do is contact the (apparent) ISP of the offender and report the offense. Success for this method varies greatly, and depends on your definition of success. Some ISPs will do nothing. Some will investigate. Some will note the complaint, and maintain a tally of how many complaints they get about a particular user. Some will terminate the apparent offender’s account immediately. Taking the time to look up whom to contact each time you get a probe from somewhere in the world can be very time consuming. I don’t have an answer for you about what to do with your IDS logs. If you’re interested in joining an e-mail list that covers this subject, you can check out the Incidents list at SecurityFocus.com: http://securityfocus.com/ forums/incidents/intro.html. Personal Firewalls and E-mail Clients How do personal firewalls relate to e-mail security? Well they don’t, not directly. Strictly speaking, e-mail security is all the things covered by the rest of this book. If you were extremely careful about how you handled attachments, and you kept the latest patches for your e-mail client installed, you would be relatively safe. One problem is that you might be one of the first victims of an exploit for a bug that wasn’t previously www.syngress.com IDS Monitoring A significant issue for many larger companies is what to do with the information collected by your IDS. If you have purchased and installed an expensive IDS, what are you going to do about monitoring? Some organizations are set up with 24-hour teams to monitor such activities, ready to make some sort of live response. Others will review the logs once a day, once a week, or when time permits. Some will use it after an incident has occurred, to try and see how the intruder got in. If you’re thinking about acquiring an IDS system, decide ahead of time how it will be monitored. This should be detailed in a written secu- rity policy for your company—not only how it will be monitored, but also what your response(s) will be. If you’re not able to put down on paper how you’re going to utilize an IDS, then you probably don’t have a good reason to purchase one. For IT Professionals 119_email_07 10/5/00 9:25 PM Page 234 Personal Firewalls • Chapter 7 235 known. Bugs have been published for both Outlook and Eudora that would be triggered as soon as the e-mail was downloaded, before you had any chance to react at all. Personal firewalls can help you keep your e-mail secure in two ways. The first is to save you from yourself. The second is to act as a secondary defense mechanism. There’s always a chance that you might click on an attachment you know you shouldn’t have, or put off reconfiguring your e-mail program to be more secure. Some of the personal firewall products noted in this chapter can help with that, to some degree. In addition, a personal firewall might just save you from a problem that you could never have hoped to prevent. The idea is security in layers. Levels of Protection You’ve probably heard the term “belt and suspenders.” This refers to the idea of a person who wears both a belt and suspenders to hold up their pants, in case one of the mechanisms fails. This way, should there be a catastrophic failure in one of the two pants-retention systems, coverage is maintained. The same concept applies here. Consider your e-mail client program or server (with a conservative configuration) your primary security mecha- nism. Your personal firewall is your backup. Hopefully, even if something slips past your e-mail, your personal firewall will keep your trousers from rocketing to the ground. Basically, if you take all the concepts covered so far (including ACLs, ECLs, port blocking, intrusion detection, and content filtering), and add those as security layers to your system, you’ve got a much harder target for the attacker. ACLs may prevent the malware from erasing or modifying files. ECLs may keep it from fetching and running the rest of the exploit from the Internet. If you manage to install a Trojan, port filtering may keep the attacker from connecting to your machine. False Positives One of the difficulties with IDS systems (and personal firewalls that pro- duce IDS-like reports) is false positives. A false positive is a report that something threatening is taking place, when in fact something less serious is occurring. There are several reasons this might happen. One is that some attack or probes could be malicious, but unfortunately happen fre- quently for non-malicious reasons. Another reason is a technical weakness in the program. Finally, it’s possible to have false positives due to miscon- figuration. www.syngress.com 119_email_07 10/5/00 9:25 PM Page 235 236 Chapter 7 • Personal Firewalls One example of a probe that appears serious, but might be accidental, is NetBIOS name probes. An attacker looking for vulnerable Windows machines might broadcast NBNAME probes looking for responses. The problem is, Windows machines broadcast the same types of request to their local subnet on a regular basis. This is part of how the Network Neighborhood browsing works. This happens often enough that you will probably be stuck ignoring such probes because you won’t be able to tell the malicious from the innocent. A common technical weakness that appears in some less sophisticated IDS and firewall products is the reverse port problem. For example, one com- monly identified Trojan port is 12345 for Netbus. If a packet comes into your machine destined for port 12345, it will likely cause an alert saying that a Netbus probe is happening. However, if your machine happened to pick 12345 as its source port for originating a connection out to some server, then the reply is going to contain that port as the destination, and some IDSs will flag that. The smarter IDSs will note either that it’s a reply, or have noted that it was preceded by a request from that port, and ignore it. Finally, it’s possible to get false positives from an IDS due to misconfig- uration. Some probes are perfectly normal, depending on your configura- tion. For example, at my job I frequently get complaints from people who say that I am “probing their smtp port,” according to their IDS system. So far in every case, it has turned out that the problem was that they had set their IDS to flag probes to port 25 as suspicious. Port 25 is the Simple Mail Transfer Protocol (SMTP) port, used for receiving e-mail. Then they set the IDS system to monitor their e-mail server. An e-mail server is supposed to get connections to port 25. A packet destined for port 25 is suspicious only if the system being probed is not an e-mail system. Network Ice BlackICE Defender 2.1 BlackICE Defender from Network Ice is a firewall and IDS. The Defender version is designed as a stand-alone package for the home user. There are also centrally-manageable versions for corporate use. BlackICE Defender is strictly a commercial product, and they do not make an evaluation version available at the time this was written. It’s relatively inexpensive (as are all of the products mentioned in this chapter) at $39.95 US, and can be pur- chased directly from the Network Ice Web site at www.networkice.com. Installation BlackICE Defender installs like most Windows applications. First, you select a directory to install it into (see Figure 7.1). www.syngress.com 119_email_07 10/5/00 9:25 PM Page 236 Personal Firewalls • Chapter 7 237 Next, you select which program folder you want it to go into (see Figure 7.2). BlackICE requires a license, since they do not offer a trial version. The screen where the license is entered is shown in Figure 7.3. www.syngress.com Figure 7.1 Selecting an installation directory for BlackICE Defender. Figure 7.2 Selecting a program folder. 119_email_07 10/5/00 9:25 PM Page 237 238 Chapter 7 • Personal Firewalls Figure 7.4 shows the next screen, which is the summary of the options you’ve selected so far, before proceeding. My license key is blacked-out, in order to avoid giving all the readers of this book free usage of BlackICE. Following this step, the installation program copies the appropriate files to the directory you indicated, and activates BlackICE Defender. On my test system (Windows 98), a reboot was not required. www.syngress.com Figure 7.3 Entering the BlackICE Defender license string. Figure 7.4 Installation confirmation screen. 119_email_07 10/5/00 9:25 PM Page 238 Personal Firewalls • Chapter 7 239 Configuration BlackICE Defender will run in the background watching for attacks and probes. When an attack of some sort is detected, BlackICE will flash in the Taskbar, or produce a sound, or pop up, depending on configuration. Attacks are listed in the Attacks screen, as shown in Figure 7.5. There are a number of potential attacks that have been flagged in our example. The top two on the list (identified as a NetBIOS port probe) occurred by coincidence while I was simply running BlackICE with my DSL connection up. They are neighboring machines who sent NetBIOS broad- casts as part of their normal network browsing process. If you’re on a cable modem or DSL connection, you’ll probably get these from time to time. The third NetBIOS port probe was generated intentionally by my using Telnet to attempt to connect to port 139 of my Windows 98 machine, from a machine named mail (which I was connected to remotely via SSH). Telnet reported that my connection was unsuccessful, but BlackICE noted it, as we expect it would. BlackICE is doing its job of both firewalling the connection attempt, and alarming on it. The rest of the alarms shown in Figure 7.5 were the result of using either Telnet, or NMAP from the machines indicated as the Intruder. When you see alerts like these, you’ll want to know how serious the attempts are. Are they normal (like the NetBIOS port probes we saw), are www.syngress.com Figure 7.5 BlackICE Defender Attacks screen. 119_email_07 10/5/00 9:25 PM Page 239 240 Chapter 7 • Personal Firewalls they potentially malicious but not something to worry too much about, or is someone trying really hard and showing some sophistication? BlackICE can provide some help in this area. Notice the advICE button in the lower-right corner of Figure 7.5. If you highlight a particular attack, and then click the advICE button, you’ll be taken to a Web page similar to the one shown in Figure 7.6. On this particular Web page (there is a different one for each type of attack) Network Ice is providing information about an NMAP ping. Basically, it says that NMAP is a mapping and scanning tool, and that a false positive is unlikely. Based on this, you could probably be fairly confi- dent that NMAP is being used against you. This doesn’t necessarily tell you what to do about it, if anything. Network Ice also provides some Frequently Asked Questions (FAQ) links in the upper-right corner of their Web page. Let’s return to the main BlackICE screen, and look at the Intruders tab, as shown in Figure 7.7. Here we see the list of intruders from the intruder column on the Attacks tab. On this screen, we get more information (if it’s available) about each of the intruders. For example, for the machine named GATEWAY, BlackICE Defender has been able to determine the node www.syngress.com Figure 7.6 Network Ice NMAP ping advICE. 119_email_07 10/5/00 9:25 PM Page 240 Personal Firewalls • Chapter 7 241 (NetBIOS) name, the workgroup, Media Access Control (MAC) address, Domain Name System (DNS) name, and NetBIOS functions advertised. This is the much the same as the information you’ll get from doing a nbtstat (a command on the IP address of the attacker). Some of this information you could get yourself sometime later, but many times the attacker will be on a temporary IP address, either dialup, or some flavor of Dynamic Host Configuration Protocol (DHCP). If you have BlackICE grab the information immediately following the attempt, you’re much more likely to get accurate information. This feature can be disabled, which may be important. Don’t forget that the attacker may be running a similar personal firewall, and see your machine connect to try to get the information. This may indicate to the attacker that you’re running a per- sonal firewall of some sort. It may be a good or bad thing for the attacker to think that, depending on their mindset. It also depends on your pur- poses, whether you want to deter or just detect. BlackICE Defender will give you a time-based history graph of both traffic and attacks. See Figure 7.8 for an example. The Information tab simply provides some basic program information, such as the license string, date your support expires, and some what’s new information, similar to what is in the readme file. (See Figure 7.9.) The only thing that the menu in Figure 7.9 is obscuring is my license string. www.syngress.com Figure 7.7 BlackICE Defender Intruders screen. 119_email_07 10/5/00 9:25 PM Page 241 [...]... ICEcap Settings screen ICEcap is the piece that communicates with the central server in an Enterprise setup for BlackICE This feature is not enabled in BlackICE Defender, so everything is greyed out Going back to the Tools menu (as shown in Figure 7.9), we want to look at the Preference menu item That screen is shown in Figure 7.17 Figure 7.17 BlackICE Defender Preferences Settings screen www.syngress.com... Chapter 7 243 Figure 7.10 BlackICE Defender Protection Settings screen This window uses a tabbed interface, like the previous one The first tab, which can be seen in Figure 7.10, is the Protection tab In the center is the Security Level setting The default is Cautious I’ve set mine here to Paranoid If you’re curious what the different levels are, and you end up purchasing a copy of BlackICE Defender,... Settings screen Much like the packet logging feature, BlackICE Defender supports an Evidence Log (see Figure 7.12) This is on by default The key difference is that the Evidence Log contains only packets related to identified attacks Any new attacks that the BlackICE developers haven’t seen before will be missed, unless they appear to be similar enough to a known attack to trigger an attack signature... also set the levels of alert you want to be notified of E- mail and BlackICE BlackICE Defender concentrates on IDS and firewalling Therefore, its strength isn’t necessarily direct e- mail protection However, BlackICE will detect some malware as you are in the process of downloading it from your mail server For example, on my system it was able to detect a copy of the Love Letter virus arriving in my mailbox,... to let it be known that you’ve detected the attempt The numbers in each case are BlackICE’s internal severity levels The 30 falls under suspicious, and 60 is in the range of serious The next tab we will look at is Trusted Addresses, shown in Figure 7.14 Figure 7.14 BlackICE Defender Trusted Addresses Settings screen Trusted addresses are IP addresses that you trust BlackICE will not firewall or alert... rather than an arrow It may not be visible in the black and white figure, but this circle is all red with a white band across the middle, not the mixed red/white/green that we already saw The red means that at least one of the rights has been unchecked For the DATA directory, we can see that Execute and Delete have been disabled This file protection, which eSafe calls their Sandbox, is an extra layer... Windows Explorer The attempt also produced this Explorer error message, shown in Figure 7. 36: www.syngress.com 119_email_07 258 10/5/00 9:25 PM Page 258 Chapter 7 • Personal Firewalls Figure 7.35 eSafe access violation error Figure 7. 36 Explorer error message The error message isn’t exactly clear as to the reason why, but the attempt does fail The point of the file protections isn’t to keep you from removing... you can see where it has Internet Explorer listed as the program being sandboxed Just above that, you can see where this sandbox is Application dependent rather than General purpose Close to the center of the screen is a slider that lets you choose between Activate sandbox, Learn mode, and Do not use The first www.syngress.com 119_email_07 10/5/00 9:25 PM Page 259 Personal Firewalls • Chapter 7 259... intended to be a sort of control panel/cockpit view of things The protection meter is simply a graphical indicator of where the protection setting slider is set In this picture, the slider is set three-quarters of the way up, at normal, so the corresponding graph is three-quarters blue If you set your protection to extreme, the graph goes all blue The Change View button switches www.syngress.com 119_email_07... www.syngress.com 119_email_07 10/5/00 9:25 PM Page 251 Personal Firewalls • Chapter 7 251 Following the virus scan, the installer prompts you about whether you’d like to create a rescue disk The rescue disk is for help recovering from certain types of malware, which may render the system unbootable Finally, following the virus check and rescue disk procedure, you’re presented with the success screen, shown . BlackICE Defender 2.1 BlackICE Defender from Network Ice is a firewall and IDS. The Defender version is designed as a stand-alone package for the home user. There are also centrally-manageable versions. we want to look at the Preference menu item. That screen is shown in Figure 7.17. www.syngress.com Figure 7. 16 BlackICE Defender ICEcap Settings screen. Figure 7.17 BlackICE Defender Preferences. into (see Figure 7.2). BlackICE requires a license, since they do not offer a trial version. The screen where the license is entered is shown in Figure 7.3. www.syngress.com Figure 7.1 Selecting