Friday, November 18, 2011

10 Steps To Securing Firewalls

"The Clapco D29 is the most impenetrable lock on the market today. It has only one design flaw… the door… must be closed!" –Seinfeld (1990)
After installing an expensive alarm system in his apartment and then getting robbed, Jerry Seinfeld learned a valuable lesson: no matter how good the security system, if it isn't used correctly, it is completely ineffective. That lesson holds just as true when it comes to everyday computer users and their firewalls.

Most computers now come with a firewall built in, but despite this, the number of computers that are infected with viruses, worms and other types of malware grows by the day. One of the biggest reasons why firewalls are not doing their job is that many of us have never taken the time to tweak our firewall to make it effective. This 10 step list will help introduce individuals and small business owners alike to some very simple ways that they can tweak, supplement, and support their firewall in order to keep their computer and private information as secure as possible.


Before you can start supporting or tweaking your firewall, it is important to make sure you actually have one installed. Surprisingly, a large number of individuals who believe they are already protected, have not even taken the most basic step of installing a free firewall.
If you are using Microsoft's Windows XP and just assumed that you were protected by a built-in firewall, you may be wrong. In fact, the standard version of Microsoft's Windows XP is notoriously vulnerable to worms and viruses precisely because it has no substantial built-in firewall. In response to the criticisms, Microsoft created an all-in-one patch (or downloadable add-on) to Windows XP called SP2. By downloading and installing SP2 onto your computer, you will automatically be equipped with Windows Security Center, Windows Firewall, a Pop-up blocker for Internet Explorer, an Email virus scanner for Outlook Express, and a Wireless Network Security system.
Given the standard version of Windows XP's notorious weaknesses against worms and viruses, it is a necessary first step for all individual and small business users who use Windows XP to download the all-in-one patch. Make sure, however, to download the patch directly from Microsoft, as clever spammers often offer a version on their own sites which are full of hidden viruses.
For those individuals that haven't been using any sort of firewall whatsoever, having SP2 in place is a big step up. Unfortunately, however, the Windows Firewall will only block attacks that come from the outside; it just presumes that anything you send out is safe. But, if you have been connecting your computer to the internet without a firewall in the past, that assumption is probably wrong. Your computers may already be infected and you simply have no idea. To deal with this problem you will need to install a 'bidirectional' third-party firewall. For individuals, there are some good free ones available, including Zone Labs' ZoneAlarm. If ZoneAlarm does not fit your needs, there are dozens of other options. Check out PCWorld's firewall review for a few more ideas.
Now that we have made sure that you actually have a firewall in place, it is time to start optimizing it.


New viruses, worms and other forms of malware are created daily, so it is important that once a firewall is installed in your personal computer or across your company's computers, you develop a plan to regularly check for and install new patches for your firewall. While normally it is a terrible idea to let your computer download anything without your approval, when it comes to fighting viruses, there is a whole new set of rules. Because every small business is strapped for time, the only reliable means of ensuring that your business's firewalls remain up to date is to set up auto-updates. Once automatic updates are set up, your firewall will download the newest patches each time you have them scheduled or each time you turn off your computer. These updates will enable the firewall to protect your computer against any new viruses, worms, Trojan horses or bugs that have been created since the program was last updated.
If you are using the default Windows XP firewall that you downloaded with the SP2 patch, then you should simply enable Windows Automatic Updates. This is a program for Windows that will actually check to see what patches you need, and then suggest that you download them. Once you are current, the program will frequently check for new updates and when they are created, it will wait for a time when your computer is idle, so as not to interrupt your work, and automatically download the new patch. The setup for Automatic Updates is a simple step-by-step process that will not take more than 15 minutes to complete, even for the most technically disinclined.
If you decided to opt for greater protection and downloaded or purchased a 'bidirectional' firewall you can still set up automatic updates, and typically the process is very straightforward. If you selected the free version of ZoneAlarm, the setup instructions are here, otherwise you will simply need to check the manufacturer’s website for instructions on how to set up auto updates for your firewall.


Firewall settings are designed with the median user in mind. The problem is, none of us is that mythical 'median' user, so almost everyone will benefit from tweaking the settings on their firewall.
One of the most common tweaks is the timing of automatic updates. You enabled automatic updates to take place because they will keep your firewall updated all the time. But that can only happen if the 'automatic update' actually happens. For most firewalls the automatic update is timed to start each night at 3 a.m. If you typically have your computer off and disconnected from the internet at that time, however, your firewall will never update. So, make sure to schedule your updates for a time when the computer is going to be on and connected, but not in heavy use. If you cannot come up with a time that works for your home or business, just select the option to have the computer notify you when an update is ready, and then you can pick a convenient time that day.
At work, most of us are focused on getting the job done in the quickest way possible. So if your employees are having trouble with a pop-up blocker (e.g. it is blocking pop-ups they need to sign in or fill out a form) often they will just disable the pop-up blocker rather than spending the time to whitelist that site. Very soon, you will find that all the computers in your company now have disabled pop-up blockers, and as a result your firewall has to filter a lot more bad content, and ultimately your computer is less secure. Rather than have that happen, make sure to tweak your firewall to allow exceptions, by listing all the trusted sites that your employees will need to frequently visit throughout their workday. So for instance, if your employees constantly need to sign in to the company email provider, which uses a pop-up, make sure that that site is listed in your 'trusted sites' list so that pop-ups can appear. Just adding the five or ten sites that your employees visit most frequently to the exceptions list, will stop them from disabling that pop-up blocker, and keep your whole network safer.
If you read a lot of newsletters, you may quickly find that after having installed SP2, those newsletters look a lot less pretty. That is because SP2 and other firewalls often block tiny images called 'web bugs' that are placed in newsletters in order to send to the creator information about how much a person is reading of the newsletter, etc. So if you want to view your newsletters in their original form and do not mind the privacy trade-off, you may want to allow the display of these image links in e-mail messages (usually entitled the 'HTML e-mail' option).
For a hacker to be effective, he or she needs a way to get information on and off your computer without you knowing. One of the most common ways they do this is by hiding their malware inside of a legitimate program, and then directing that legitimate program to establish a connection between your computer and the internet. Untweaked firewalls that are left to their default settings can often do little to prevent this, as the firewall does not know which programs need to send and receive messages from the internet and which do not. But, by tweaking the settings of your firewall, you can restrict those of your programs that do not need to send and receive information from the internet from doing so. One of the most common steps is to restrict your printer from having access to anything beyond the local network level. That way, a virus will not be able to embed itself into your printer software and send and receive information through that connection. For those programs that do require internet access, you should consider whether they need to both send and receive information, or whether they might simply send information. If that is the case, you can toggle your settings so that that program is restricted to sending outgoing information, but cannot receive incoming information. While this offers less protection than a total block, it is certainly better than the default firewall setting.


In most companies and homes, individual users access the internet and use their computers in wildly different ways. Because of these different uses, many individuals and small companies decide to setup the individual firewalls within a network differently according to the usage habits of that individual. For example, if a person accesses a certain site more than the other users, he might authorize that site to show pop-ups by adding it to his ‘trusted site’ list. And even more commonly, an individual employee might decide to toggle their firewall settings to permit Instant Messenger to function without hindrance.
While these sorts of individualized tweaks can seem harmless, in fact they create different attack surfaces for each computer throughout the network, so that when a worm or other malicious program eventually succeeds in breaching the firewall, it is far more difficult to tell where the firewall vulnerability is located, and thus what change needs to be made to close up the weakness. This same reasoning also requires that the firewall administrator not permit different firewall settings for each connection, or profile, on the computer. Just as individualized firewall settings on different computers make it difficult to identify where the firewall weakness is, having different settings for different users within the same computer make the task of identification nearly impossible.


An easy way to think about a firewall, is that it is a program that creates a sort of shell around your computer that lets certain types of authorized information pass through it, while identifying and blocking out other types of code or information that it recognizes as bad. But for all their advancements, firewalls are and will always be defensive in nature. That means, that a firewall can only block malware that humans have coded it to recognize as bad, and that code can only be created for viruses that already exist and have already infected some computers.

Because of the inherent defensive nature of firewalls, they are always fighting an uphill battle against hackers who are creating new sorts of malware. Thus, to help put a firewall on equal footing, it must always be supplemented with an aggressive anti-virus program. Unlike a firewall which tries to form a shell around your computer, an anti-virus program scans information that has gotten through the firewall and quarantines then eliminates the malware that it finds. That way, even if a new virus is quick enough to sneak past your firewall, it will eventually be rooted out by your anti-virus software, once your software is updated to recognize the new virus.
In addition to an anti-virus program, you should also add a pop-up blocker and spam-blocking software to your company's computers. While these two firewall supplements will not directly fight against attacks by viruses, worms, and trojan horses, they will limit the number of these types of malware that your computer faces, and thus help make your firewall more effective overall.
If you use Internet Explorer as your Web browser, the SP2 patch you already downloaded includes a pop-up blocker and spam blocker standard. But because many viruses are designed specifically for Internet Explorer, it is safer for you or your company to begin using an alternative internet browser such as Firefox. Firefox comes with a built-in pop-up blocker and spam blocker that are usually regarded as better than most off the shelf third party alternatives. So if you decide to go this route, you won't need add-on spyware or spam blocker protection.
But if you decide to use an internet browser besides Internet Explorer or Firefox, it may not come with a strong pop-up and spam blocker. This means that you will need to download spam and spyware blocking software because the standard version included with the SP2 patch is only compatible with Internet Explorer. Microsoft offers a free program entitled Windows Defender, which will alert you if viruses, Trojan horses, or worms try to enter your computer and stop them. If you want protection beyond the off the shelf freebie version, you should consider a customized security solution.
By supplementing your firewall with the essential add-ons like a spam blocker, spyware blocker, and of course, an anti-virus program, you add valuable layers to your malware protection and better ensure that your computer remains malware free.


An effective firewall will shield out almost every attack by a hacker to gain access to your computer. No matter how effective a firewall, however, it can be rendered useless if a hacker is able to gain access to your sensitive data through direct means. For example, anyone can access your wireless network if they have the correct WEP encryption key. Similarly, a hacker need not breach your firewall to gain your banking information, if he or she can instead just guess your password. For these reasons, an essential part of supporting the effectiveness of your firewall is to use strong passwords.
Using a strong password requires four things:
1. Length: One of the simplest methods that hackers use to obtain sensitive information is to simply start guessing. The longer a password the more letter and number combinations a hacker will have to try before he or she can guess a password. Even with a computer program designed specifically for trying every letter and number combination, most hackers are quickly frustrated by longer passwords.
2. Structure: Hackers often use a password stealing method in which a computer program repeatedly tries various combinations of words out of a dictionary to guess a password. Consequently, your password should never be a single word found in a dictionary, nor should it be a combination of two or three words. Instead, your password should always involve either fake words or word and number combinations.
3. Distinctness: Around the house, no one uses just one key to open the garage, backdoor, front door, the car, and their safe. Just as in the physical world, you should never use the same password for all of your access codes. If a single password holds the key to all your bank accounts, social security number, personal emails, and work intranet, then a single correct guess by a hacker will leave you and your company irreparably harmed.
4. Frequency: Nobody is perfect, and you should build that assumption in when you consider how often you need to change your password. Eventually your password information will leak out to someone. But as long as you change your password frequently enough, you can minimize the chance that when the information leaks out, it will still be relevant. The frequency with which you change your password will depend upon how important the information it protects is, but under no circumstances should you go more than six months without changing a password.
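The four requirements above can be turned into a simple check. This is an added example, not part of the original article; the 12-character minimum, the tiny word list and the sample passwords are assumptions constructed for illustration, while the six-month limit and the "two or three words" rule come from the list above.

```python
from datetime import date

# Assumptions for this example: the article names no minimum length and
# supplies no dictionary, so both values below are constructed.
MIN_LENGTH = 12
MAX_AGE_DAYS = 183  # the article's six-month limit, approximated in days
SAMPLE_WORDS = {"blue", "horse", "sun", "shine", "pass", "word", "dragon"}


def is_word_combination(password, words, max_words=3):
    """True if the password is one to max_words dictionary words run together."""
    text = password.lower()
    # fewest[i] = smallest number of dictionary words that spell text[:i]
    fewest = {0: 0}
    for end in range(1, len(text) + 1):
        counts = [n + 1 for start, n in fewest.items() if text[start:end] in words]
        if counts and min(counts) <= max_words:
            fewest[end] = min(counts)
    return fewest.get(len(text), 0) > 0


def check_password(password, other_passwords, last_changed, today,
                   words=SAMPLE_WORDS):
    """Return which of the four rules (in the article's order) the password fails."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("length")
    if is_word_combination(password, words):
        failures.append("structure")
    if password in other_passwords:  # same password reused for another account
        failures.append("distinctness")
    if (today - last_changed).days > MAX_AGE_DAYS:
        failures.append("frequency")
    return failures


if __name__ == "__main__":
    today = date(2011, 11, 18)
    # Constructed sample: short, two dictionary words, reused, and stale.
    print(check_password("sunshine", {"sunshine"}, date(2011, 1, 1), today))
    # Constructed sample: long enough, but still three dictionary words.
    print(check_password("bluehorsedragon", set(), date(2011, 11, 1), today))
    # Constructed sample: passes all four checks.
    print(check_password("v7Qu!zap-Lorn42", {"other"}, date(2011, 11, 1), today))
```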


No one would consider leaving a box of keys to the office lying right outside the office doors. Yet many individuals and small companies do just that when they fail to encrypt or password protect their office's wireless network. With an unencrypted network, anybody can access your network and thus access your company's computers. Even beginner hackers can then use this access to steal company information like credit card numbers and passwords, or barrage your computer with viruses and worms since they have essentially circumvented your network firewall.
While big companies need to undertake major steps to protect their wireless networks, for homes and smaller companies, WEP encryption is an easy and good solution. The most common WEP encryption is a 128-bit encryption, however, encryptions can range anywhere from 40-bit to 152-bit. Practically speaking, the higher the number encryption, the longer the password required to access your wireless network, and thus the harder to hack into. But if you are worried about performance and speed, there is very little difference in security between a 64-bit and a 128-bit encryption, and a 64-bit encryption will require slightly less time to log in to.
Setting up wifi encryption is very easy to do, and the technology to encrypt comes standard on almost every commercially available wireless router. If you have not purchased a wireless router, you should consider D-Link and Linksys, two cheap but reliable systems. If you already have a wifi system that is not yet encrypted, just check the website of the manufacturer for your particular model's instructions. Once the WEP is in place, the network is sealed and only users with the correct WEP can use the network.


A hacker can only get to your computer remotely if it is accessible to him or her. That is to say, a hacker cannot remotely place a Trojan horse onto a computer that is not connected to the Internet. Consequently, one of the easiest ways to reduce your vulnerability to hackers, and thus supplement your firewall's efforts to keep your computer malware free, is to shut down or change over to standby mode whenever you are not actively using your computer.
Remember that no matter how strong you make a firewall or how frequently you update it, a firewall can never provide perfect protection against malware. But by shutting the computer down each night and setting the computer to standby mode when not in use, you can cut your potential exposure to malware like viruses and Trojan horses by more than half.


Having tweaked and strengthened your firewall by installing certain software and taking certain preventative steps, you should now feel reasonably secure that your computer's firewall and overall safety are reasonably strong. But the only way you will actually know if your firewall is working well is if you do not get infected with malware. Since that trial by fire method of testing can be so dangerous, however, a safe alternative is to undergo firewall leak testing. These firewall leak tests will actually try to bypass your personal firewall and in so doing actually test the firewall's software filtering, and outbound filtering capabilities. Because each firewall leak test uses slightly different techniques to try to circumvent your firewall (just like different malware will use different techniques), it is helpful to run a variety of different leak tests in order to ensure that your firewall makes the grade. There are a number of free online versions of firewall leak tests, including GKweb's Firewall Leak Tester and Gibson Research Corporation's LeakTest.


A port is not just a word for the socket that you plug your mouse or keyboard into. Rather, a port also refers to a special number in a data packet that helps route data to and from a particular program running on your computer. Ports can either be open, closed, or filtered. When a port is open, a hacker will be able to use that opening to gain easy access to your computer. Consequently, it should always be a goal to keep as few ports open for as short a time as possible.
Therefore, when you install a new program and find that your firewall is conflicting with it, make sure to tweak your firewall correctly by selecting a 'program exception' rather than a 'port exception' to get the program working. A 'program exception' will open the port only as that particular program needs it opened to function; that way a port will not remain open unnecessarily. A 'port exception' by contrast, will leave the entire port in open status.
Because of the stated security benefits of having ports open only as your programs need them opened, it is important to know exactly which programs use which ports, so that you can make sure that no ports are accidentally left permanently open. Thankfully, there are a number of free port scanners available online that will tell you the status of your computer's ports. A few of the more well-reputed are:
1. Microsoft's Port Reporter Tool.
2. Sygate's Online Scan. An extended security check that also includes a stealth scan and a trojan scan.
3. Planet Security's Firewall-Check. A fast test that checks currently highly endangered ports.
4. AuditMyPC's complete port scanning. An in-depth test which will scan all 65,535 of your computer’s ports.
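To see what "open", "closed" and "filtered" mean in practice, the following added example (not from the original article or any of the tools listed) checks TCP ports on your own machine over the loopback address and reports any that are open but missing from your list of expected programs. The port numbers and program names in the expected map are assumptions you would replace with your own.

```python
import socket

LOOPBACK = "127.0.0.1"  # this example only ever checks the local machine


def port_status(port, timeout=1.0):
    """Classify one local TCP port as 'open', 'closed' or 'filtered'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((LOOPBACK, port))
            return "open"       # a program accepted the connection
        except ConnectionRefusedError:
            return "closed"     # nothing is listening; the system said so
        except socket.timeout:
            return "filtered"   # no answer at all, e.g. a firewall dropped it


def unexpected_open_ports(ports, expected):
    """Ports that are open but not in the map of port -> program you expect."""
    return sorted(p for p in ports
                  if p not in expected and port_status(p) == "open")


if __name__ == "__main__":
    # Hypothetical inventory: the ports you know a program needs.
    expected = {80: "local web server", 631: "printer service"}
    to_check = [21, 23, 25, 80, 135, 139, 445, 631, 3389]
    for p in to_check:
        print(p, port_status(p), expected.get(p, ""))
    print("Open but not expected:", unexpected_open_ports(to_check, expected))
```

Any port in the final list is a candidate for the review described above: find the program that opened it and decide whether it still needs an exception.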


While no single resource can adequately cover everything you need to know about maintaining your firewall effectively, the ten points introduced in this article should serve as a basic primer on the deficiencies of many firewalls as well as cover a few of the ways to upgrade, tweak and supplement your personal or small business's firewall in order to improve your computer's overall security.

By Kaila Piyush