Personal Firewalls and Intrusion Detection Systems

With the advent of ubiquitous broadband connections such as DSL and cable
modem, many home users and small businesses have started running their own
Web servers instead of paying exorbitant fees to a commercial Web host.
However, an always-on DSL connection or a server of your own brings much more
responsibility: you now have to manage your own Internet security, or attackers
will have a field day with your data. Fortunately, personal firewalls now
provide a fun and easy way to learn Internet security quickly.

A personal firewall is a software program that sits on your computer like a guard
dog, monitoring traffic even while you sleep. Soon, personal firewalls will come
integrated with all home computers and Web application software packages,
because a personal firewall is as useful a system component as a virus scanner.

Internet Service Providers (ISPs) also feel pressure to offer personal firewalls
to their subscribers. ISPs realize that personal firewalls are a fad that can
attract subscribers by at least giving them the illusion of better security.

Do Personal Firewalls Really Work?

Personal firewalls have yet to be shown to be effective. There has never been a
statistically significant, randomized trial to define whether personal firewalls
actually provide any useful protection.

There are serious reasons why you should not rely solely on a personal firewall.
Skilled attackers can get past one using techniques such as masquerading
(malware posing as, or running inside, a program the firewall already trusts),
packet fragmentation (splitting traffic so that the rules never see a whole
request) or buffer overflows (exploiting a bug in the firewall itself or in a
service it lets through). Hackers talk about a "3-second rule", meaning the time
it takes them to get past a personal firewall; whether or not that is literal,
assume yours will eventually be bypassed. Attackers will always be one step
ahead, so you must use a layered approach to security, combined with common
sense. The best security tool is your own brain: the more you read and study
Internet security, the stronger you will be.

Trojan horses have stayed one step ahead of the firewall market. Bionet was the
first Trojan to circumvent protection programs simply by starting earlier in the
system boot sequence and disarming the firewall. In a test conducted by computer
scientists, even old versions of Bionet completely shut down the latest versions
of ZoneAlarm without ZoneAlarm ever detecting anything amiss. The underlying
problem is general: malware running with the same privileges as the firewall can
stop or reconfigure it. In addition, newer Trojans defeat anti-masquerading
firewalls, which identify a program by a checksum of its executable, for example
by running their network code inside a program the user has already approved, so
the checksum still matches.

Even if you have secured your machine against Trojans and exploits using a
Trojan scanner, port scanner and/or network exploit scanner, and you have
multiple layers of security, do not assume you have nothing to fear. Every open
port is a service that anyone on the Internet can talk to, so each one adds
attack surface: close the ports you do not need and keep the services behind the
ones you do need patched. Extra open ports do not by themselves make a flooding
denial of service attack more likely, since a flood needs no open port, but a
listening service can still be exhausted by too many connections.

Why Do I Need a Personal Firewall?

Although personal firewalls should not be your main level of protection, they are
nevertheless very useful for educational purposes. For this reason, we highly
recommend that you install and begin to use a personal firewall. Such a program
will quickly provide you with valuable information about what is going on behind
the scenes with your Internet connection.

McAfee Personal Firewall

This product is produced by McAfee, a company best known for its VirusScan
antivirus software. Like several other antivirus software corporations, McAfee
jumped on the personal firewall bandwagon. To stay competitive, it scrambled to
acquire a product, and it was lucky enough to buy Conseal PC Firewall, which had
long been a respected application.

McAfee Personal Firewall is a comprehensive solution, selectively blocking
incoming and outgoing traffic according to a rule set. Like most personal
firewalls, it requires the user to configure and keep adjusting that rule set.
For beginners, complicated rule sets can become a security flaw in themselves,
as the user tends to tune out the program's constant security warnings and
clicks "Allow" out of habit. Nevertheless, this is an excellent product for
novice users.
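The following is an added illustration, written for this page and not code from McAfee or any other vendor, of the two decisions a personal firewall makes that the text has discussed so far: first-match rule evaluation with a default deny for anything not explicitly allowed, and the anti-masquerading check that recognises a program by a hash of its executable rather than by its file name. The rules, addresses and stand-in executable bytes are constructed for the example.

```python
"""Added illustration of how a personal firewall decides, written for this page; it
is not code from McAfee, Norton, BlackICE or ZoneAlarm. It models the two checks the
text describes: a rule set that selectively allows inbound and outbound traffic and
denies everything else, and an anti-masquerading check that recognises the program
behind an outbound connection by a hash of its executable rather than by its name.
Rules, addresses and the stand-in executable bytes are constructed for the example.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" or "out"
    proto: str                # "tcp", "udp" or "icmp"
    remote_ip: str
    remote_port: int
    local_port: int
    app_name: str = ""        # program that opened the socket (outbound only)
    app_image: bytes = b""    # its executable image, hashed by the masquerade check


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    direction: str
    proto: str = "*"
    remote_port: Optional[int] = None   # None matches any port
    local_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.direction == p.direction
                and self.proto in ("*", p.proto)
                and self.remote_port in (None, p.remote_port)
                and self.local_port in (None, p.local_port))


class PersonalFirewall:
    def __init__(self, rules, trusted_apps):
        self.rules = list(rules)                 # first match wins
        self.trusted_apps = dict(trusted_apps)   # app name -> SHA-256 the user approved
        self.state = set()                       # connections this host opened

    def decide(self, p: Packet) -> str:
        key = (p.remote_ip, p.remote_port, p.local_port)
        if p.direction == "in" and key in self.state:
            return "allow"                       # reply to a connection we started
        if p.direction == "out":
            verdict = self._check_app(p)
            if verdict != "allow":
                return verdict
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow" and p.direction == "out":
                    self.state.add(key)          # remember it so replies get in
                return rule.action
        return "deny"                            # nothing matched: default deny

    def _check_app(self, p: Packet) -> str:
        approved = self.trusted_apps.get(p.app_name)
        if approved is None:
            return "prompt"                      # never seen before: ask the user
        if hashlib.sha256(p.app_image).hexdigest() != approved:
            return "deny"                        # same name, different binary
        return "allow"


# Constructed stand-ins for executable images (real ones would be the file bytes).
BROWSER_IMAGE = b"stand-in bytes for the approved browser executable"
TROJAN_IMAGE = b"stand-in bytes for a trojan renamed to browser.exe"


def build_firewall() -> PersonalFirewall:
    rules = [
        Rule("allow", "out", "tcp", remote_port=80),
        Rule("allow", "out", "tcp", remote_port=443),
        Rule("allow", "out", "udp", remote_port=53),
        Rule("allow", "in", "tcp", local_port=80),   # the home web server
        # anything else falls through to the default deny
    ]
    trusted = {"browser.exe": hashlib.sha256(BROWSER_IMAGE).hexdigest()}
    return PersonalFirewall(rules, trusted)


def demo():
    """Run constructed packets through the rule set; returns (label, verdict) pairs."""
    fw = build_firewall()
    samples = [
        ("browser out", Packet("out", "tcp", "203.0.113.5", 80, 40000, "browser.exe", BROWSER_IMAGE)),
        ("web reply in", Packet("in", "tcp", "203.0.113.5", 80, 40000)),
        ("probe to 139", Packet("in", "tcp", "198.51.100.7", 50000, 139)),
        ("visitor to 80", Packet("in", "tcp", "198.51.100.7", 50001, 80)),
        ("masquerader", Packet("out", "tcp", "198.51.100.9", 80, 40001, "browser.exe", TROJAN_IMAGE)),
        ("unknown app", Packet("out", "tcp", "198.51.100.9", 443, 40002, "update.exe", b"?")),
    ]
    return [(label, fw.decide(p)) for label, p in samples]


if __name__ == "__main__":
    for label, verdict in demo():
        print(f"{label:14s} -> {verdict}")
```

The NetBIOS probe to port 139 is dropped by the default deny, the visitor to the home Web server is let in by the one inbound rule, the renamed Trojan is refused because its hash does not match the approved browser, and the never-seen program produces the "prompt" that users learn to click through. Note what the hash check does not cover: code injected into the approved browser process keeps the approved hash, which is exactly the bypass the Trojan paragraph above describes.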

Norton Personal Firewall

A more advanced product is Norton Personal Firewall. Norton acquired the
technology for this product after purchasing the now-defunct AtGuard, one of
the most powerful and beloved personal firewalls ever created.

Norton Personal Firewall, like many personal firewalls, can block JavaScript
and ActiveX. JavaScript is a scripting language and ActiveX is a Windows
component technology; both run code delivered by a Web page inside your
browser, and a hacker can use flaws in them to penetrate your computer's
security through the browser. Without such blocking, your computer can be
infected by malicious code merely by viewing someone's Web page. Norton
Personal Firewall lets you toggle JavaScript and ActiveX on and off; expect to
re-enable JavaScript for sites you trust, since many pages stop working
without it.

In addition, Norton Personal Firewall adds privacy and advertisement filters to
protect you when you surf the Web. You are given flexible control over cookies,
small pieces of data that remote Web sites store in your browser and can use to
track your movement across the Internet. Norton Personal Firewall can also stop
your browser from displaying certain types of banner advertisements. Although
this feature can cause display problems at times, it is still useful; it is
analogous to hitting mute on your television remote control during a
commercial break.

BlackICE Defender

Another popular solution is BlackICE Defender, which was developed by Network
ICE Corporation and subsequently purchased by Internet Security Systems (ISS).
BlackICE is actually a hybrid between a personal firewall and an IDS (Intrusion
Detection System). BlackICE borrows its name from a term coined by William
Gibson, the renowned science-fiction author. In his novel Neuromancer, Gibson
foreshadows the use of personal firewalls, which he calls ICE (intrusion
countermeasures electronics); black ICE is the lethal kind. He imagined that
such tools would someday not only protect computers but also automatically
counterattack by frying the invading hacker's central nervous system.

Although not yet up to that ideal, BlackICE Defender does have some interesting
features. One advantage is its ability to trace an attack back to its source
address. Bear in mind that the trace only tells you which address the packets
came from; an attacker often works through a compromised intermediate host or
spoofs the source, so treat the result as a lead, not an identification.
Because of its holistic approach, many experts consider BlackICE Defender the
most secure of the personal firewalls. It is also popular among real hackers,
which lends it credibility; hackers are the most paranoid users when it comes
to Internet security.

Zone Alarm

The least expensive firewall is the freeware version of ZoneAlarm. Although not
recommended for beginners, ZoneAlarm is popular among intermediate-level users.
There is also a professional version available for a fee. ZoneAlarm has been
plagued by complaints from users that the program often causes their computers
to hang or crash. The company itself also reports that it has been working on
problems involving dynamic DSL connections. In addition, there are other
well-known bugs, such as ZoneAlarm's interference with Internet telephony
programs. Nevertheless, the company is very responsive to customer feedback,
and it has been consistent in fixing bugs rapidly.

In summary, these personal firewalls are among the most popular products. They
range in complexity from McAfee Personal Firewall, which is the easiest to use,
to ZoneAlarm, which has both more power and more connectivity issues. Expert
users who value tight security tend to choose BlackICE. Fortunately, most of
these programs offer a 15- or 30-day trial, so experiment to find which works
best for you.

It is important for your home or small business computer to have a personal
firewall. For the price, the practical education you receive is invaluable.
Nevertheless, be aware of the limitations of personal firewalls. To be
effective, they must be combined with other techniques, such as backups and
data restoration, virus scanning and encryption.

Intrusion Detection Systems

Although an intrusion detection system (IDS) is not necessary for the typical
home or small business user, IDSs are gaining popularity in the corporate world
as an alternative or additional safeguard against hackers. An IDS serves one
purpose: to detect a hack attempt while it is occurring (or, from its logs,
afterwards).

When hackers try to break into a network or computer, they use certain tools to
probe the possible entry points. These tools, such as a ping scanner or a port
scanner, help a hacker figure out which hosts are up, what ports are open and
what services are available. This probing stage is where an IDS earns its keep:
it gives you early warning before the actual break-in.

Every IDS is preprogrammed to recognize certain incoming requests. These rules
are then used to monitor all the activity on a computer. For example, one
common trigger would be someone pinging the monitored computer more than 10
times per minute. This rule is sensitive enough to catch a ping scanner, which
sends up to 1,000 pings per minute, but it will not fire on a network
administrator troubleshooting at 2 pings per minute. The threshold is the
tuning knob: set it too low and every legitimate probe becomes a false alarm;
set it too high and a slow scan walks under it.

To fully understand the place an IDS can have in network protection, take a
security guard as an example. A security guard is monitoring people as they
board an airplane. The guard follows a set of rules and standards as to whom he
will let through the gate. Obviously, if you try to enter with a bazooka, the
guard will be alerted and you will not even make it to the gate before you are
rejected. However, what if you have a gun or a knife smuggled in your clothing?
If the guard merely does a visual inspection of your credentials, like a typical
firewall, you would be allowed to pass. In reality, however, in an airport you
have to put everything through a metal detector.

A metal detector is not 100% sensitive. It allows you to pass with a small
amount of metal on your body, to accommodate the zippers, buttons, tooth
fillings and other tiny amounts of metal that you could not possibly get rid
of. However, once a certain threshold is reached, the alarm will sound.

An IDS works using the same principle. It monitors the traffic and incoming
requests and spots the obvious violations immediately. However, it also takes a
deeper look at the information being sent to the computer on which it is installed.
If the influx of suspect data reaches a certain level, the IDS sounds the alarm and
alerts the network administrator.

There are a few different techniques or properties of an IDS that make some
better or more efficient than others. Depending on whether the need is
network-based or host-based, IDS software can be installed on each PC on a
network (a host-based IDS) or at a point where it sees the traffic passing
through the network, typically just inside the firewall or on a switch port
that mirrors the traffic (a network-based IDS). The choice depends on where the
threat is located. If a company is only concerned with threats from the
Internet, one central network sensor may be enough. However, if it is concerned
with internal threats, IDS software can be installed on every computer.

Another difference among IDSs is how they respond to threats. Some IDSs only
log attempted hacks and then sound an alert, whereas others go as far as
disabling the user account being used to attack the network or reconfiguring a
firewall to drop all data from a particular IP address. Automatic blocking is
double-edged: an attacker who spoofs a source address, or who works from behind
a proxy your own users share, can trick the IDS into blocking legitimate
traffic.

The final difference among IDSs can be seen in how they work internally. An IDS
compares current traffic patterns with a preexisting database, which can hold
two different types of information. In an anomaly-based IDS, current traffic is
compared with a snapshot of normal traffic: bandwidth use, connection status,
protocol use and more are monitored for a period of time and a baseline of
normal activity is created. Then, as the IDS monitors traffic, it compares the
current pattern with the baseline and sends out an alert if something appears
to be wrong. The other type, a signature-based IDS, works just like a virus
scanner. It compares current incoming requests and traffic patterns to a
database of known hacker attack techniques. Again, when a match is made, an
alert is sent or the firewall is adjusted accordingly. Each approach has a
blind spot: a signature database cannot match an attack nobody has written a
signature for, and an anomaly baseline recorded while an attacker was already
active will treat that activity as normal.
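The following added example, written for this page and not taken from any IDS product, runs the three kinds of rule described above over a constructed log: the ping-rate threshold from the earlier paragraph (more than 10 echo requests from one source in a minute), an anomaly check of the protocol mix against a baseline snapshot, and signature matching against a small list of known attack strings. The log format, addresses, timestamps and signature list are all made up for the example.

```python
"""Added illustration of the three detection styles described above; it is example
code, not from any IDS product. The log format, the addresses and the signature
list are all constructed for the example.

Each log line is: <ISO timestamp> <source IP> <protocol> <detail>
"""
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed "normal" traffic used to build the anomaly baseline: mostly web
# requests, a little DNS, the occasional ping.
BASELINE_LOG = """\
2001-05-03T10:00:00 10.0.0.5 tcp GET /index.html
2001-05-03T10:00:05 10.0.0.6 tcp GET /products.html
2001-05-03T10:00:09 10.0.0.5 tcp GET /images/logo.gif
2001-05-03T10:00:20 10.0.0.7 udp dns-query www.example.com
2001-05-03T10:00:31 10.0.0.6 tcp GET /contact.html
2001-05-03T10:00:40 10.0.0.8 tcp GET /index.html
2001-05-03T10:00:44 10.0.0.8 tcp GET /about.html
2001-05-03T10:00:50 10.0.0.5 icmp echo-request
2001-05-03T10:00:55 10.0.0.7 tcp GET /index.html
2001-05-03T10:00:59 10.0.0.9 tcp GET /news.html
"""

# Constructed traffic for the monitored minute: an administrator pinging twice,
# a ping scanner sending 12 echo requests in 33 seconds, and a web client that
# sends one well-known CGI attack followed by a normal request.
ADMIN_LINES = [
    "2001-05-04T10:00:00 10.0.0.5 icmp echo-request",
    "2001-05-04T10:00:30 10.0.0.5 icmp echo-request",
]
SCANNER_LINES = [f"2001-05-04T10:00:{3 * i:02d} 198.51.100.7 icmp echo-request"
                 for i in range(12)]
WEB_LINES = [
    "2001-05-04T10:00:10 203.0.113.9 tcp GET /cgi-bin/phf?Qalias=x%0a/bin/cat%20/etc/passwd",
    "2001-05-04T10:00:11 203.0.113.9 tcp GET /index.html",
]
CURRENT_LOG = "\n".join(ADMIN_LINES + SCANNER_LINES + WEB_LINES)

# Signature database: substrings of known attack requests (constructed list).
SIGNATURES = {
    "phf-cgi": "/cgi-bin/phf",
    "directory-traversal": "../..",
    "etc-passwd": "/etc/passwd",
}


def parse(log: str):
    """Parse log text into (timestamp, source, protocol, detail) tuples, time-ordered."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, proto, detail = line.split(" ", 3)
        events.append((datetime.fromisoformat(ts), src, proto, detail))
    events.sort()
    return events


def ping_flood_sources(events, limit=10, window_s=60):
    """Threshold rule: sources that sent more than `limit` echo requests in any window."""
    recent = defaultdict(deque)      # source -> timestamps of its recent pings
    flagged = set()
    for ts, src, proto, detail in events:
        if proto != "icmp" or detail != "echo-request":
            continue
        q = recent[src]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) > limit:
            flagged.add(src)
    return flagged


def protocol_mix(events):
    """Share of events per protocol: the 'snapshot' an anomaly-based IDS keeps."""
    counts = Counter(proto for _, _, proto, _ in events)
    total = sum(counts.values()) or 1
    return {proto: n / total for proto, n in counts.items()}


def anomalies(baseline, current, tolerance=0.25):
    """Anomaly rule: protocols whose share moved more than `tolerance` from baseline."""
    out = {}
    for proto in set(baseline) | set(current):
        delta = current.get(proto, 0.0) - baseline.get(proto, 0.0)
        if abs(delta) > tolerance:
            out[proto] = round(delta, 2)
    return out


def signature_hits(events):
    """Signature rule: (source, signature name) for every event matching a known attack."""
    return [(src, name) for _, src, _, detail in events
            for name, pattern in SIGNATURES.items() if pattern in detail]


def run_ids():
    """Run all three rules over the constructed logs and return what would be alerted."""
    baseline = protocol_mix(parse(BASELINE_LOG))
    current = parse(CURRENT_LOG)
    return {
        "ping_flood": ping_flood_sources(current),
        "anomalies": anomalies(baseline, protocol_mix(current)),
        "signatures": signature_hits(current),
    }


if __name__ == "__main__":
    for rule, result in run_ids().items():
        print(f"{rule:11s} {result}")
```

The scanner trips the threshold on its eleventh ping while the administrator's two never do; the anomaly check flags the minute because ICMP has jumped from a tenth of the traffic to nearly all of it; and the signature check names the phf request, which the threshold and anomaly rules would both have missed as a single ordinary-looking TCP event. The blind spots noted above show up too: a scanner spacing its pings 7 seconds apart stays under the threshold, and the signature list knows nothing about an attack string it has not been given.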

An IDS is an important support consideration for large companies. A business
cannot restrict all information coming in to and going out of a network. If it
did, it would be shut off from the outside world. For this reason, many
companies must leave holes in their firewall configurations. An IDS takes a
different approach. Instead of restricting everything, it follows a set of rules
and thresholds and alerts those in charge of any suspect activity. Alone, it
cannot take care of all threats, but when combined with a firewall, the level of
protection is greatly increased.

There are many IDS programs on the market, ranging from enterprise size to home
user size. For the average user, an IDS comes built into the previously
mentioned firewall products. If you are looking for a more comprehensive
solution for a business, Dragon IDS and PGP's CyberCop Scanner offer
enterprise-level solutions that can meet your needs.

Honeypots

Firewalls and IDSs go a long way toward preventing a hacker from gaining
access to a network or computer. However, there is another way to reduce the
threat of hackers: distract them. This is the function of a honeypot.

Honeypots also serve another useful purpose. Because they can be set up to
appear to be a worthwhile goal, a honeypot can be used to study hackers. In this
way, a company can learn about a new, undocumented vulnerability before it
becomes public. The following scenario shows how honeypots are used and the
information they can provide.

Imagine you are a script kiddie scouring the Internet for an easy target to
hack. You have two or three hacker search tools running, looking for a computer
with a certain vulnerability that you are familiar with exploiting. Boing! An
alarm suddenly alerts you that you have a potential target. You start up some
programs and realize that you have stumbled across a computer wide open and
waiting for your attack. What an opportunity. Of course, you will not pass up
this easy kill. Who knows what secrets this computer has to offer?

In the above scenario, we caught a script kiddie as he happened to stumble onto
a wide-open computer. Although this honeypot was configured to be easy to hack,
we can learn several things from it about how script kiddies work and about what
programs are currently circulating in the hacker underground. Information like
this is extremely useful in creating a set of rules for an existing IDS and in
configuring a firewall. If we know what ports and programs script kiddies are
scanning for, we can watch those ports more closely on our real systems and
close or patch the services behind them.
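As an added example of the mechanism behind the scenario, not code from any honeypot product, here is a low-interaction honeypot: it listens on a TCP port, greets every connection with a fake service banner, records the source address and the first bytes the visitor sends, and boils those captures down into the rule hints the paragraph above talks about. The banner text, the use of an ephemeral port on the loopback interface and the two simulated probes are assumptions made for the example.

```python
"""Added illustration, not from any product: a low-interaction honeypot. It listens
on a TCP port, greets every connection with a fake service banner, records the
source address and the first bytes sent, and summarises the probes into hints for
firewall and IDS rules. The banner, the port choice and the two simulated probes
are assumptions made for the example.
"""
import socket
import threading
import time
from collections import Counter


class Honeypot:
    def __init__(self, host="127.0.0.1", port=0,
                 banner=b"220 ftp.example.internal FTP server ready\r\n"):
        self.banner = banner
        self.records = []                       # one dict per connection seen
        self._lock = threading.Lock()
        self._stop = threading.Event()
        self._srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._srv.bind((host, port))            # port 0: let the OS pick a free one
        self._srv.listen(16)
        self._srv.settimeout(0.2)               # lets the accept loop notice stop()
        self.host, self.port = self._srv.getsockname()[:2]
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def stop(self):
        self._stop.set()
        self._thread.join(timeout=3)
        self._srv.close()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, addr = self._srv.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            threading.Thread(target=self._handle, args=(conn, addr), daemon=True).start()

    def _handle(self, conn, addr):
        with conn:
            conn.settimeout(2.0)
            try:
                conn.sendall(self.banner)       # look like a real service
                data = conn.recv(1024)          # capture the visitor's first move
            except OSError:
                data = b""
            with self._lock:
                self.records.append({"time": time.time(), "src": addr[0],
                                     "port": self.port, "data": data})


def summarize(records):
    """Turn raw captures into rule hints: who probed us, and what they sent first."""
    by_source = Counter(r["src"] for r in records)
    first_lines = Counter(r["data"].split(b"\r\n", 1)[0] for r in records if r["data"])
    return by_source, first_lines


def probe(host, port, payload):
    """Simulated attacker: connect, read the banner, send one command; returns the banner."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
        return banner


def run_demo():
    """Start the honeypot, hit it with two constructed probes, return what it learned."""
    hp = Honeypot().start()
    try:
        banners = [probe(hp.host, hp.port, b"USER anonymous\r\n"),
                   probe(hp.host, hp.port, b"GET / HTTP/1.0\r\n\r\n")]
        deadline = time.time() + 3
        while len(hp.records) < 2 and time.time() < deadline:
            time.sleep(0.05)                    # give the handler threads a moment
    finally:
        hp.stop()
    by_source, first_lines = summarize(hp.records)
    return {"banners": banners, "records": list(hp.records),
            "by_source": by_source, "first_lines": first_lines}


if __name__ == "__main__":
    result = run_demo()
    for rec in result["records"]:
        print(f"{rec['src']} -> port {rec['port']}: {rec['data']!r}")
    print("rule hints:", dict(result["first_lines"]))
```

Everything the honeypot records is suspect by definition, since no legitimate user has any reason to connect to it, so the first lines it captures ("USER anonymous", "GET / HTTP/1.0") can go straight into the IDS signature list and the source counts into the firewall's block list. Keep such a machine isolated from your real network: a honeypot that is "easy to hack" must not be a stepping stone to anything that matters.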

In summary, for the average user, personal firewall software provides a good
starting point. However, a business may need more than just a firewall to
maintain the integrity of its network. Furthermore, in the case of a large
company that comes under attack several times a day by serious hackers, a
honeypot is useful for studying the more dangerous custom attacks.