Personal Firewall

by Johannes Helmig [Published on 1 Nov. 2000 / Last Updated on 1 Nov. 2000]

When setting up your network connection with File-and-Printer Sharing, you should already have deactivated the binding between the TCP/IP protocol used for your Internet connection and "File and Printer sharing for Microsoft Networks":

In the "TCP/IP Properties", tab "Bindings": no checkmark on "File and Printer sharing for Microsoft Networks".

But this is only a first step, offering a low level of security.

The TCP/IP protocol with its multiple services using different ports will still allow an attacker
coming in from the Internet to find out information about your system.


I suggest that you test the security of your system: visit www.grc.com on the Internet and click on "Shields UP":

You can then run a check on your network security and your TCP/IP ports:

Let's look at the network security of my system with "Test My Shields !"

Port Probe :
1
Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Please Note: On highly secure systems this may take up to one minute. . .
+
Preliminary Internet connection established!
Your computer has accepted an anonymous connection from another machine it knows nothing about! (That's not good.) This ShieldsUP! web server has been permitted to connect to your computer's highly insecure NetBIOS File and Printer Sharing port (139). Subsequent tests conducted on this page, and elsewhere on this website, will probe more deeply to determine the extent of this system's vulnerability. But regardless of what more is determined, the presence and availability of some form of Internet Server HAS BEEN CONFIRMED within this machine . . . and it is accepting anonymous connections!

The rest of this website explains the implications and dangers of your present configuration and provides complete and thorough instruction for increasing the security of this system. At the moment, any passing high speed Internet scanner will quickly spot this computer as a target for attack. (When this page has completely finished displaying, you might wish to sneak a quick peek at these two pages to see what lies ahead at this website: )

The phrase you must remember is:
"My port 139 is wide OPEN!"
-
Unable to connect with NetBIOS to your computer.
The attempt to connect to your computer with NetBIOS protocol over the Internet (NetBIOS over TCP/IP) FAILED. But, as you can see below, significant personal information is still leaking out of your system and is readily available to curious intruders. Since you do not appear to be sharing files or printers over the TCP/IP protocol, this system is relatively secure. It is exposing its NetBIOS names (see below) over the Internet, but it is refusing to allow connections, so it is unlikely that anyone could gain casual entry into your system due to its connection to the Internet.
Several of your private names are being served up to the Internet by the Windows networking system. (see below) While it's unlikely that this information can be exploited, you should know what anyone can learn about you and your system.
C500  — Your User Name
C500  — Your Computer's Name
NT4_T300  — Your Workgroup

Looks like a big security hole with the "File and Printer Sharing" port (139): it found out my computer name and the workgroup name.

Let's look at the network security of my system with "Probe my Ports !"

Quickly Check for Connectable Listening Internet Ports

Port Probe attempts to establish standard TCP/IP (Internet) connections on a handful of standard, well-known, and often vulnerable Internet service ports on YOUR computer. Since this is being done from our server, successful connections demonstrate which of your ports are "open" and actively soliciting connections from passing Internet port scanners.
Your computer at IP: 212.190.4.249
Is now being probed. Please stand by. . .


Port | Service | Status | Security Implications
21 | FTP | Closed | Your computer has responded that this port exists but is currently closed to connections.
23 | Telnet | Closed | Your computer has responded that this port exists but is currently closed to connections.
25 | SMTP | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79 | Finger | Closed | Your computer has responded that this port exists but is currently closed to connections.
80 | HTTP | Closed | Your computer has responded that this port exists but is currently closed to connections.
110 | POP3 | Closed | Your computer has responded that this port exists but is currently closed to connections.
113 | IDENT | Closed | Your computer has responded that this port exists but is currently closed to connections.
139 | NetBIOS | OPEN! | As you probably know by now, the NetBIOS File Sharing port is the single largest security hole for networked Windows machines. The payoff from finding open Windows shares is so big that many scanners have been written just to find open ports like this one. Closing it should be a priority for you!
143 | IMAP | Closed | Your computer has responded that this port exists but is currently closed to connections.
443 | HTTPS | Closed | Your computer has responded that this port exists but is currently closed to connections.

The current configuration has a direct and uncontrolled connection to the Internet.

We need to add an additional module between the Internet and your system, which monitors all TCP/IP traffic and stops any unsecured communication. This module is called a Firewall:


A Firewall can be a dedicated system (running just the Firewall program), which is usually the case when protecting the connection between a large Local Area Network and the Internet. Such professional Firewalls are often combined with a proxy server, allowing user control and monitoring (which websites have been visited? exclusion of certain websites).

For small networks, or for connecting a single system to the Internet (SOHO: Small Office - Home Office), a Firewall can be just a software program running on the PC, then called a "Personal Firewall". It works as a "packet filter", looking only at the IP packets received and transmitted and deciding based on their port number.

Windows XP has a built-in Firewall.


There are several packages available on the market (free / shareware / to be purchased):

ZoneAlarm from www.zonelabs.com (compatible with Win95/98/ME/NT/2000/XP)
ZoneAlarm is free for personal and non-profit use.
ZoneAlarm Pro is a professional Firewall solution (to be purchased).
If you would like your product to be listed here, please contact me.


As an example of an installed Personal Firewall, I used ZoneAlarm (special note on using ZoneAlarm on Windows XP):

If you now test the security of your system via www.grc.com, all incoming illegal calls will be blocked and not even answered anymore.

Port | Service | Status | Security Implications
21 | FTP | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23 | Telnet | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25 | SMTP | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79 | Finger | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
80 | HTTP | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
110 | POP3 | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113 | IDENT | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
139 | NetBIOS | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143 | IMAP | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443 | HTTPS | Stealth! | There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!

Port Status Descriptions:


Stealth!

If all of the tested ports were shown to have stealth status, then for all intents and purposes your computer doesn't exist to scanners on the Internet!

It means that either your computer is turned off or disconnected from the Net (which seems unlikely since you must be using it right now!) or an effective stealth firewall is blocking all unauthorized external contact with your computer. This means that it is completely opaque to random scans and direct assault. Even if this machine had previously been scanned and logged by a would-be intruder, a methodical return to this IP address will lead any attacker to believe that your machine is turned off, disconnected, or no longer exists. You couldn't ask for anything better.

There's one additional benefit: scanners are actually hurt by probing this machine! You may have noticed how slowly the probing proceeded. This was caused by your firewall! It was required, since your firewall is discarding the connection-attempt messages sent to your ports. A non-firewalled PC responds immediately that a connection is either refused or accepted, telling a scanner that it's found a live one ... and allowing it to get on with its scanning. But your firewall is acting like a black hole for TCP/IP packets! This means that it's necessary for a scanner to sit around and wait for the maximum round-trip time possible — across the entire Net, into your machine, and back again — before it can safely conclude that there's no computer at the other end. That's very cool.

FALSE STEALTH REPORTS
A "Stealth" port is one from which no reply is received (neither acceptance nor refusal) in response to a connection initiation request. This ShieldsUP web site sends a series of four connection requests, waiting for any reply after each one. If no reply is received to any of them, the port is declared to be "Stealth" . . . and for all intents and purposes that's exactly what it is. But Internet "packets" are continually being lost in route to their destination. When Internet "routers" are overloaded with traffic they have no recourse other than to simply drop packets completely, hoping that they will be resent when the destination fails to acknowledge their receipt. This, of course, is why we try four times to get through.

Therefore, if prime-time Internet congestion coupled with a slow or noisy connection were to cause those four packets to become lost or garbled, our port test would show "Stealth" when your port would have replied if it had ever received the request.

If you suspect that this may have happened during the assembly of the report above, simply refresh your browser's page to re-run the tests. If the results differ you can presume that congestion or a weak connection were the temporary cause.
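
The three statuses in the report above, and the reason four unanswered attempts can produce a false "Stealth", as an added Python example (not code from this article or from grc.com). The function names and the lossy() stand-in for a congested link are assumptions made here for illustration.

```python
import socket

# Ports and status words are the ones in the ShieldsUP! report quoted above.
PORTS = {21: "FTP", 23: "Telnet", 25: "SMTP", 79: "Finger", 80: "HTTP",
         110: "POP3", 113: "IDENT", 139: "NetBIOS", 143: "IMAP", 443: "HTTPS"}
ATTEMPTS = 4  # the report says four connection requests are sent per port


def attempt(host, port, timeout):
    """One TCP connection attempt: 'accepted', 'refused' or 'silent'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "accepted"   # handshake completed, a service is listening
    except ConnectionRefusedError:
        return "refused"        # host replied with a reset: reachable, nothing listening
    except socket.timeout:
        return "silent"         # no reply: dropped by a filter or lost in transit


def classify(outcomes):
    """Any single reply decides the status; only total silence is Stealth."""
    if "accepted" in outcomes:
        return "OPEN!"
    if "refused" in outcomes:
        return "Closed"
    return "Stealth!"


def probe(host, port, timeout=1.0, attempts=ATTEMPTS, attempt_fn=attempt):
    """Retry while the port stays silent; return (status, per-attempt outcomes)."""
    outcomes = []
    for _ in range(attempts):
        outcomes.append(attempt_fn(host, port, timeout))
        if outcomes[-1] != "silent":
            break
    return classify(outcomes), outcomes


def lossy(replies):
    """Constructed stand-in for a congested link: replays a fixed list of outcomes."""
    it = iter(replies)
    return lambda host, port, timeout: next(it)


if __name__ == "__main__":
    # Loopback self-check: shows which services listen locally. What a firewall
    # filters is only visible when probing from another host.
    for port, name in PORTS.items():
        status, outcomes = probe("127.0.0.1", port, timeout=0.5)
        print(f"{port:>4}  {name:<8} {status:<9} {outcomes}")
```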


The protection of a firewall should be for both directions: incoming and outgoing.

Incoming:

I did not expect this: within minutes of installing the Firewall, I got 3 alerts: my system received a PING signal from 3 different sources, all within 1 minute! Somebody probing for a target?

Outgoing:

When you start a program that uses the Internet connection (in this example: Outlook Express), the Firewall will ask you whether this is a valid access. (There are viruses which try to connect back to their home server to transmit confidential data of your system, like passwords!) The firewall builds a list of programs allowed to connect out to the Internet.

You need to check the security settings, in this case under "Advanced", and declare by placing a checkmark that network traffic on a LAN adapter is NOT to be checked; otherwise PING will not work to this system on the LAN and the systems will not see each other in the Network Neighborhood, if only TCP/IP protocol is insta
