- Firewalls -
A firewall is a piece of hardware or software that acts as a barrier between the Internet and your computer or network. Firewalls constantly scan the Internet connection for possible threats or intrusions and have the ability to block the source of the threat. So if someone is trying to hack into your computer from a location across the Internet, the firewall can detect the threat, and block all Internet traffic coming from or going to that location.

There are two types of firewall: hardware and software. Hardware firewalls come in the form of a router. If you have broadband, the router is the physical box that connects your computer to the outside world, either by telephone line or cable connection. Most routers that come with the broadband connection will have a built-in firewall. The alternative type of firewall is a software firewall, which is usually installed on your PC. Both have advantages and disadvantages.

Firewalls do not allow unsolicited information to go through the connection. For example, if you click on a link, the action is deemed to be authorised by the user and so the information will be communicated to the computer via the Internet. However, if a stealth spyware program on your computer is trying to send stolen information from your computer to a destination on the Internet, this will be seen as unauthorised and will be blocked. In this situation the software firewall will see that you did not authorise the transfer, and in most cases the software firewall can be set up to allow only some applications to have access to the connection, for example Internet Explorer and Outlook Express. The hardware firewall may let the information out through the connection, as it will see the information as authorised by the computer, and cannot be set up to recognise which program to allow or block. The software firewall, however, can be affected by viruses and programs that may cause it to malfunction, whereas the hardware firewall is not prone to these attacks without your whole Internet connection failing. If the computers you are using are on a network and share a common Internet connection, the hardware firewall will be watching over all the computers, whereas a software firewall would need to be installed on each computer, depending on the network setup.

The moral of this story is basically to advise you to have both forms of firewall. The more security you have, the better your chances against Internet threats. It is worth noting that you should not have multiple software firewalls installed on one machine. This will cause conflicts as both programs try to fight over the connection. It is possible to have a hardware and software firewall installed at the same time with no problems.

Firewalls scan information coming into and going out of the connection. The information sent via the connection is known as 'packets', as the data is broken down into small chunks and sent individually; when all the packets have been received, they are pieced back together and compiled back into the original format. One type of scanning a firewall may utilise is 'packet filtering', whereby the firewall scans the packets, the source of the packets and the destination, whether it is coming onto your PC or travelling to someone else's. The firewall would be designed to scan this information against a set of criteria and definitions and determine if the transfer is legitimate. If the process is found to be threatening, or was not authorised by the user or by a specific program with allowed access to the Internet, the transfer will be halted, and in most cases the IP address or port of the sender or recipient (on the Internet) will be blocked for a certain time. In some cases, after this set time the firewall will enable the port again, and if the same type of threatening behaviour happens again within a certain time frame the IP address or port may be blocked permanently.

Other types of scanning include 'stateful inspection', which is a more recent method. The 'stateful inspection' method will not scan the whole packet but only key points in the packet, and will compare the information supplied against a database of trusted and suspicious activity. If, for example, the information being sent out via the connection has certain characteristics and matches the set criteria, but the returning information (being sent at the same time) does not look as expected, the transaction will be halted.
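As an added illustration (example code written for this page, not from PC Disinfection or from any firewall product), the following Python script models the two mechanisms just described: a packet filter that checks each packet against an ordered list of rules on direction, protocol, remote address and port, and a stateful check that lets inbound traffic through only when it is the reply to a connection the PC itself opened. The packets, the rules, the verdict strings and the addresses (192.168.1.10 for the PC, and hosts in the 198.51.100.x and 203.0.113.x documentation ranges) are all constructed for the example and are not how any particular firewall reports its decisions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    """The header fields a packet filter looks at (constructed, not a real capture)."""
    direction: str   # "in" = arriving from the Internet, "out" = leaving the PC
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    """One filter entry; a field left as None means 'any'. First match wins."""
    action: str                      # "allow" or "deny"
    direction: Optional[str] = None
    proto: Optional[str] = None
    remote: Optional[str] = None     # CIDR of the far end (src if inbound, dst if outbound)
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.direction is not None and self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.remote is not None:
            far_end = p.src if p.direction == "in" else p.dst
            if ip_address(far_end) not in ip_network(self.remote):
                return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return True

# (proto, local ip, local port, remote ip, remote port) of a connection the PC opened
Flow = Tuple[str, str, int, str, int]

class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Flow] = set()

    def decide(self, p: Packet) -> str:
        # Stateful inspection: inbound traffic passes without consulting the
        # rules only if it is the return half of a flow this PC opened.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.flows:
            return "allow (established)"
        # Packet filtering: static rules on direction, protocol, remote address and port.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))
                return rule.action
        return "deny (default)"   # nothing matched: unsolicited traffic is dropped

LOCAL = "192.168.1.10"   # assumed address of the PC behind the firewall

RULES = [
    Rule("deny", remote="203.0.113.0/24"),                    # a network the user chose to block
    Rule("allow", direction="out", proto="tcp", dport=80),    # web browsing
    Rule("allow", direction="out", proto="tcp", dport=25),    # outgoing e-mail
    Rule("allow", direction="out", proto="udp", dport=53),    # name lookups
]

# Constructed trace of packets, in arrival order.
TRACE = [
    Packet("out", "tcp", LOCAL, 50000, "198.51.100.7", 80),   # PC requests a web page
    Packet("in",  "tcp", "198.51.100.7", 80, LOCAL, 50000),   # the reply to that request
    Packet("in",  "tcp", "198.51.100.7", 80, LOCAL, 50001),   # claims to be a reply, wrong port
    Packet("in",  "tcp", "198.51.100.9", 4444, LOCAL, 23),    # unsolicited inbound Telnet
    Packet("out", "tcp", LOCAL, 50002, "203.0.113.5", 80),    # outbound to the blocked network
]

def run_trace(packets: List[Packet] = TRACE, rules: List[Rule] = RULES) -> List[str]:
    fw = StatefulFilter(list(rules))
    return [fw.decide(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace()):
        print(f"{p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}  {verdict}")
```

Running the script prints one verdict per packet. The third packet is the case the stateful paragraph describes: it comes from the right web server and port, but it is addressed to a local port the PC never used, so it does not match any recorded flow and falls through to the default deny.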

- The type of attack a firewall can prevent -
A firewall protects your computer against the following main attacks and threats. As you will see, a combination of firewall and antivirus software can be a very strong defence against Internet attacks.

Remote login - This is where someone can access your computer from across the Internet and have full control of your PC in the same way you do. The potential for this type of attack is very severe. Your files can be erased, moved onto public display on the Internet, or even modified slightly without your knowledge. Cases of remote login can be seen on the computer: someone can take control of your mouse and keyboard and start doing strange things in front of your eyes, or make it very difficult for you to work by turning the display of your monitor upside down and back to front, for example.

Application and Operating System backdoors - Some programs have flaws in their design code, whereby they open ports on your computer or act as a magnet to certain viruses as soon as someone notices the hole in the program and takes advantage of it. A classic example is the security vulnerability of Windows XP and the MS Blast threat. The Blaster virus (not technically a virus) would activate the auto shutdown whenever Windows XP accessed the Internet. Therefore users were seeing a 60 second shutdown timer whenever they accessed the Internet. The resolution for this was simply to download a patch from the Microsoft Update website, but many users did not know this and many did not have time to download the patch before the machine shut down.

Denial of Service - This very popular type of threat is usually the result of a virus or worm trying to connect to a server across the Internet. The attempt to connect to the server is made, and then the server responds to the request but cannot find the source, which can cause the server to hang for a very short time. But if all the computers across the world infected with the virus are set to ping the server at the same time, the target server will grind to a halt and crash. An attempt of this magnitude was recently made against the American government controlled White House server by the 'Code Red' worm. Fortunately, shortly before the payload of the virus was triggered, the White House server changed its IP address and the virus's ping failed.

E-mail bombs - An e-mail bomb will repeatedly send a very large amount (hundreds or more) of e-mails over and over to a mail address until the mailbox locks up and will not receive any more e-mails.

Macros - When a complicated procedure for an application is simplified into a string of commands, this is known as a macro. So it is possible to set up a macro to perform several actions in one go. Macros are often set up by virus makers to perform various actions, including formatting a computer, which would damage the disk and all the information on the computer, or changing the voltage settings on the computer to cause a burnout and melt the processor.

Viruses - Programs created to infect, self replicate and change files and data on computers. See the virus section for virus definitions.

SMTP Hijacking - A user can access the SMTP protocol of another user and send junk mail, also known as spam, to millions of users worldwide. Sending spam this way makes the real remote user very hard to trace, and the victim of the hijacking is often the user who gets blacklisted by Internet Service Providers (ISPs).

Source routing - Hackers can change the location of the files appearing on your computer so that they appear to come from a trusted source such as a bank. You may click on the bank website, enter your details and submit them. The data is actually coming from a fake source using a fake website. The data that is input into the online forms is transmitted somewhere for the viewing of those with access.

- Port Blocking -
The filters of the firewall are customisable and are based on several conditions and criteria. Some of the ways in which the filters work are as follows.

IP Addresses - Every individual computer on the Internet, whether it is on a network or stand-alone, will have a unique IP (Internet Protocol) address. IP addresses are numbers arranged into four blocks known as 'octets', separated by a dot. An example of an IP address is 255.255.255.244 - This number is also the highest an IP address can go to, starting from 1.0.0.0 - If too much activity were coming from an example IP address of 193.113.209.8 (which is the IP address of www.pcdisinfection.co.uk), the firewall would detect this and block the IP address, potentially blocking the computer the user is accessing from.

Domain names - A domain name is a translation of an IP address. As stated in the example above the IP address 193.113.209.8 also translates into www.pcdisinfection.co.uk. A domain name is much easier to remember than a string of numbers. As they are identical in function, the idea of the firewall blocking the IP address is the same as the firewall blocking domain names.

Protocols - A protocol is a pre-defined way of communication between two sources. This may be something like your computer communicating with the Internet, translating the language protocol of HTTP. It's a bit like saying you can communicate with another person using a spoken language such as English, or that you can communicate with your television using the language of infrared (via the remote control). These protocols are monitored by the firewall and the filters can scan these protocols for certain criteria.

Some example protocols are as follows:
  • IP - (Internet Protocol) - communication method for data across the Internet
  • TCP - (Transport Control Protocol) - Works side by side with IP (often known as TCP/IP) to break down and reassemble the information across the Internet.
  • HTTP - (Hyper Text Transfer Protocol) - The translation of web pages onto your PC
  • FTP - (File Transfer Protocol) - Handles the uploading and downloading of files onto and off of the Internet
  • UDP - (User Datagram Protocol) - Information that is one way only and requires no 'handshake' or response. An example of this activity could be the streaming of music or video
  • ICMP - (Internet Control Message Protocol) - Routers use this language to handle errors and controls communication to other routers (on LAN or WAN)
  • SMTP - (Simple Mail Transfer Protocol) - Used to send data via e-mail
  • SNMP - (Simple Network Management Protocol) - Collects system information about the network traffic and statistics
  • Telnet - Used for accessing and transferring data from a remote source

Ports - Ports are used to handle a specific transfer of data. For example, port 25 and port 110 handle outgoing e-mail and incoming e-mail respectively, whilst port 80 handles HTTP communication. The number of ports available is in theory unlimited, and so many ports are not used but remain active. Hackers or malware can use any of these unused ports to transfer information. The firewall will monitor these ports, and anything that appears to be a threat can be blocked and the port closed.
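The 'too much activity from one IP address' case above, and the temporary-then-permanent blocking described in the packet-filtering section, can both be modelled as a counter kept per remote address. The Python below is an added example written for this page (not PC Disinfection's code, and not taken from any firewall product): it reads constructed firewall log lines in an assumed format, counts denied packets per source inside a sliding time window, blocks a source temporarily when the count reaches a threshold, and blocks it permanently if the threshold is reached again within a set time of the earlier block. The threshold, window and block durations are assumptions chosen for the example, and the addresses come from documentation ranges.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple

class SourceBlocker:
    """Counts denied packets per remote IP address inside a sliding window.

    Reaching the threshold blocks the address for block_seconds. If the
    threshold is reached again within repeat_window of the earlier block,
    the address is blocked permanently. All four values are assumptions
    chosen for this example, not a real product's defaults.
    """

    def __init__(self, threshold: int = 5, window: float = 10.0,
                 block_seconds: float = 60.0, repeat_window: float = 600.0):
        self.threshold = threshold
        self.window = window
        self.block_seconds = block_seconds
        self.repeat_window = repeat_window
        self.events: Dict[str, Deque[float]] = defaultdict(deque)
        self.blocked_until: Dict[str, float] = {}
        self.last_block_at: Dict[str, float] = {}
        self.permanent: Set[str] = set()

    def is_blocked(self, ip: str, now: float) -> bool:
        return ip in self.permanent or self.blocked_until.get(ip, 0.0) > now

    def record(self, ip: str, now: float) -> str:
        """Register one denied packet from ip at time now; return the resulting state."""
        if ip in self.permanent:
            return "permanent"
        if self.blocked_until.get(ip, 0.0) > now:
            return "blocked"            # dropped during a temporary block; not counted
        recent = self.events[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()            # forget events outside the sliding window
        if len(recent) < self.threshold:
            return "ok"
        recent.clear()
        earlier = self.last_block_at.get(ip)
        if earlier is not None and now - earlier <= self.repeat_window:
            self.permanent.add(ip)      # repeat offender: block for good
            return "permanent"
        self.last_block_at[ip] = now
        self.blocked_until[ip] = now + self.block_seconds
        return "temporary"

# Constructed log lines in an assumed format; t is seconds since the log began.
# 203.0.113.9 bursts twice, 198.51.100.2 trips the filter only occasionally.
LOG = [
    "t=0 src=203.0.113.9 dport=23 action=deny",
    "t=1 src=203.0.113.9 dport=23 action=deny",
    "t=2 src=198.51.100.2 dport=80 action=allow",
    "t=2 src=203.0.113.9 dport=135 action=deny",
    "t=3 src=203.0.113.9 dport=139 action=deny",
    "t=4 src=203.0.113.9 dport=445 action=deny",
    "t=5 src=198.51.100.2 dport=23 action=deny",
    "t=30 src=203.0.113.9 dport=23 action=deny",
    "t=70 src=203.0.113.9 dport=23 action=deny",
    "t=71 src=203.0.113.9 dport=23 action=deny",
    "t=72 src=203.0.113.9 dport=23 action=deny",
    "t=73 src=203.0.113.9 dport=23 action=deny",
    "t=74 src=203.0.113.9 dport=23 action=deny",
    "t=100 src=198.51.100.2 dport=23 action=deny",
    "t=200 src=198.51.100.2 dport=23 action=deny",
    "t=900 src=203.0.113.9 dport=23 action=deny",
]

LOG_RE = re.compile(r"t=(\d+) src=([\d.]+) dport=(\d+) action=(\w+)")

def replay(lines: List[str]) -> Tuple[List[Tuple[str, str]], SourceBlocker]:
    """Feed the denied entries of a log to a SourceBlocker; return (src, state) per entry."""
    blocker = SourceBlocker()
    states: List[Tuple[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None or m.group(4) != "deny":
            continue                    # only denied packets count as suspicious
        src = m.group(2)
        states.append((src, blocker.record(src, float(m.group(1)))))
    return states, blocker

if __name__ == "__main__":
    decisions, blocker = replay(LOG)
    for src, state in decisions:
        print(f"{src:14} {state}")
    print("permanently blocked:", sorted(blocker.permanent))
```

The first burst from 203.0.113.9 earns a temporary block at t=4, the packet at t=30 is dropped without being counted, and the second burst at t=70 to t=74 falls inside the repeat window of the first block, so the address becomes permanent. The occasional denials from 198.51.100.2 never accumulate inside the ten-second window and that address stays unblocked, which is the behaviour you want so that a single stray packet does not cut off a legitimate site.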
For more information on firewalls please see the firewall links in the links section.

- PC Disinfection Team -
The PC Disinfection team are based in Bristol in the United Kingdom. If you have a problem with a security threat, are concerned about your security level, or have any general questions that are not answered on this website, you can contact the PC Disinfection team and we will respond to you as soon as possible. Please see the contact details page for information on how you can contact us.

We can give you individual support on your problems by e-mail and if necessary, by phone or in person.
