Showing posts with label router. Show all posts

Saturday, August 26, 2006

Using a Host Based Firewall

Even if you have a hardware router, you could still benefit from a host based firewall on each of your computers. Host based firewalls also go by the familiar name of “personal firewall.” You already have a pretty good one built in if you have installed Service Pack 2 on your Windows XP computer. However, the built-in Windows Firewall lacks some features that other third-party firewalls, such as ZoneAlarm or McAfee, have.

So why do you need a host-based firewall anyway? Three words: Defense-in-Depth! A basic tenet of computer security is that no one measure will be able to prevent every type of attack. But having a variety of measures (layers) in place will be able to stop most of them. You have a router at the perimeter, you keep your patches up to date, you use antivirus and anti-malware solutions, and you have a host based firewall in place to intercept all other traffic. Here is an example: I have a Linksys router performing firewall duties at my perimeter. However, looking at my McAfee firewall logs I see that certain events got through, but were intercepted and stopped by my host based firewall.




Some of the added features of the third-party products are the ability to configure program exceptions for allowed behavior more granularly, to block outbound as well as inbound traffic, and to collect event log information. For inbound events, the Windows Firewall lets you configure which applications and ports to allow. Outbound events, however, won’t be configurable in the Windows Firewall until Windows Vista hits the streets.

Installing a host based firewall doesn’t come without some complexity. You are going to have to be a little patient while the firewall is learning. It will alert and prompt you many times when something is trying to go outbound, and you will have to tell it to remember whether or not each item is acceptable. Likewise, on the inbound events, most firewalls will just outright block them, but will alert you. You will then have to see what it is and make appropriate configuration adjustments. Once you have done all this for several days, however, you will find that the alerts are less and less frequent, and the firewall will be pretty low maintenance after that. You will also need to keep your firewall up to date, just like your antivirus software and patches.

Defense-in-depth is a vital necessity for keeping your computer and your data safe. Host based firewalls will add to your other protective measures and help keep the threats minimized.

SANS Handler Diary Article

Tuesday, July 25, 2006

“Help – The Internet is Broken!!”

Well – actually – the Internet isn’t broken. If it was, I would be the first one running down the street and proclaiming the end of civilization as we know it. What is broken though is your connection to the Internet. In fact, even as I am writing this, I am unable to receive email and I can’t get a page to display on my web browser. I guess this would be a good time to discuss what to do in a crisis situation such as this.

Troubleshooting an Internet connection is as simple as following the layers, starting at layer 1 and moving on to layer 7. What the heck are these layers?! Network engineers, a long time ago, described a networking model called the OSI model. Without an advanced networking lesson, I will summarize by saying that layer 1 is the physical layer – cables, wires, and voltage. Layer 7 is the application itself – email, web browsers, and anything else you use on your computer. The layers in between represent things like network addresses, networking protocols, encryption, and communication session setup.

Let’s start at layer 1: Is your network cable plugged in? Is your phone cord plugged in if you use dial up? If you use a cable or DSL modem, is the cable or network light on, off, or blinking? Is the cable modem connected to the cable itself? Is the power even on?

Take my problem today, for example. I have a cable modem. The power light is on, but the “Cable” light is not on. That means that the cable modem is not getting correct data to sync up and get good network connectivity from Comcast. I also have other indicators – my router is telling me that it is able to talk to the computer, and it says it sees voltage from the cable modem. What I have done is segment the problem and narrow it down to which piece of equipment was having the problem – in this case the cable modem. There are some things you can do in a case like this: power cycle the modem, power cycle the router (if you use one), and see what information the status lights give you.

Also, check the router's admin console to see if it is pulling good information from the cable modem. If the router is successfully talking to the cable modem AND the cable modem is getting good network information from the provider, then the router status page will usually tell you that your router has good connectivity. If you do a release and renew and you get what looks like a good address, then that part of the network is fine. If it comes back all zeros, then either the modem is bad or your provider is having a network outage.

If the modem and router (if you use them) are OK, then it is time to start checking your computer. For the most part, your computer represents layers 2 through 7 in our troubleshooting, but usually, the problem is at layers 3 or 4. Do you have a good network address, also known as an IP address? If you are using what is known as a dynamic (DHCP) address, then it is a good idea to know what it looks like when it is correct. Go to a command line (Start, Run, cmd) and type in “ipconfig /all” (no quotes). Your address will be four numbers separated by dots, such as 24.120.83.124.

As I mentioned – you need to know what it looks like when it’s working to know if it’s wrong when it’s not. If you have all zeros or a number that starts with a 169, then you usually aren’t “pulling” a good address from the provider or your router. If you use a router, the address will usually come from your router, and be something such as 192.168.1.2. If you do not have a router and connect straight to your cable modem, your service provider will give you an address and it will be any number of addresses – find out what it is now so that you know what to look for later.
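The address check described above can be scripted. The following is an added example, not part of the original post: it reads `ipconfig /all` output and sorts each address into the cases the post names (all zeros, a 169 address, a router-issued address, a provider-issued address). The sample output is constructed, the function and label names are illustrative, and the "169" case is taken to be the self-assigned 169.254.0.0/16 range that Windows uses when no DHCP server answers.

```python
import ipaddress
import re

# Constructed sample of Windows XP-style `ipconfig /all` output (not from the post).
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

        Description . . . . . . . . . . . : Example Ethernet Adapter
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.17.42
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
        Default Gateway . . . . . . . . . :
"""

# Matches "IP Address", "IPv4 Address" and the "Autoconfiguration ..." variants.
ADDRESS_LINE = re.compile(r"IP(?:v4)? Address[ .]*:\s*(\d{1,3}(?:\.\d{1,3}){3})")

ADVICE = {
    "no-address": "no lease: check the modem/router or ask the provider about an outage",
    "self-assigned": "169.254.x.x: the PC gave itself an address because DHCP did not answer",
    "private": "private range: the address came from your router",
    "public": "public address: handed out directly by your service provider",
}

def classify(address):
    """Sort one IPv4 address into the cases the post describes."""
    ip = ipaddress.ip_address(address)
    if ip.is_unspecified:        # 0.0.0.0, the "all zeros" case
        return "no-address"
    if ip.is_link_local:         # 169.254.0.0/16; checked first so it is not
        return "self-assigned"   # mistaken for a router-issued address
    if ip.is_private:            # includes 10/8, 172.16/12, 192.168/16
        return "private"
    return "public"

def diagnose(ipconfig_text):
    """Return (address, verdict) for every adapter address found in the text."""
    results = []
    for candidate in ADDRESS_LINE.findall(ipconfig_text):
        try:
            results.append((candidate, classify(candidate)))
        except ValueError:       # e.g. 999.1.1.1 is not a valid address
            continue
    return results

if __name__ == "__main__":
    for address, verdict in diagnose(SAMPLE_IPCONFIG):
        print(f"{address}: {ADVICE[verdict]}")
```

To check a real machine, save the output of `ipconfig /all` to a text file and pass its contents to `diagnose()`.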

If all that is correct, then you may have another deeper problem. Usually rebooting the computer will clear this up. If it doesn’t, call your service provider. They will usually tell you if the problem is related to a service outage (which can also cause the problem with not getting a good address) or possibly your computer.

The bottom line – start at layer 1 – power cords, cables, modem and router lights, and then move up the layers looking at network addresses. If this still doesn’t solve it, reboot. And that includes the cable modem, router (if you use one), and your computer, in that order. If it still isn’t working, call your ISP for help – it’s their job.

Whoops – gotta run – my cable modem light is back on – time to go surfing.