Personal Firewall
-
A personal firewall (also known as a decentralised firewall or desktop firewall) is a software solution installed on end devices. It is intended to provide protection against online attacks. It is also intended to prevent certain programs already present on the internal system, such as spyware, from making outbound contact over the network. Certain personal firewalls also restrict the ways in which a program may access system resources (known as sandboxing). This is intended to allow a possibly unsafe program to be used without any greater risk. Functionality of this kind may be useful for browsers that execute active content, for example.
-
Personal firewalls can be installed on end devices in a network in addition to a central firewall. It may be appropriate, for example, to confine browsers to a sandbox (see above) if you want to permit active content in the network. If an attempt is then made to exploit a vulnerability (e.g. to read data from the hard disk), it will fail because the browser will not have the requisite rights. Personal firewalls may also be appropriate in situations where computers with widely different rights and protection needs are operated within the same network and cannot be compartmentalised from each other using packet filters or firewalls in the network. In such cases, however, the personal firewalls should be administered centrally to ensure they have a standard configuration that complies with the security policy of the institution in question.
Personal firewalls are mainly used on PCs belonging to private individuals, however. In these cases, the firewall's job is to protect the computer from online attacks.
-
Significant differences are often found here between the individual products. A categorisation can nonetheless be attempted.
- Packet filter: in this scenario, the software inspects all data packets to identify the computers in the network, and the services on those computers, that are being communicated with. Typically, the filter is configured so that e-mail, for example, can only be exchanged with a single computer (e.g. the e-mail server hosted by the provider). In this setup, no other communication is possible with this server, nor can any other server use the e-mail protocols to communicate with the protected computer. With some products, the permitted communication relationships can also be tied to individual applications. As one example, a browser may be allowed to initiate HTTP (Hypertext Transfer Protocol) connections while no other program is permitted to do so.
- Sandbox: in this scenario, individual programs are 'caged' within a restricted environment. The application itself may well have vulnerabilities. However, these vulnerabilities do not have any impact on the system, since the vulnerable program has no rights to make corresponding changes to the system.
-
You should not assume that 'simply' installing a personal firewall is enough to protect your computer from all online threats. The most important thing is to make sure your operating system, web browser, e-mail client and other applications are configured to be as secure as possible. Unneeded ports must be blocked to discourage attacks through them. It goes without saying that an up-to-date anti-virus scanner is a crucial part of making your system secure, along with regular data back-ups and the installation of the latest software patches whenever relevant vulnerabilities are identified.
These are just a few examples to show that security cannot be achieved by using one single item of software; rather, it relies on various factors interacting together.
However, it is also true that the more secure a computer's configuration, the less security is added by installing a personal firewall.
-
A personal firewall can have the following functions:
- Packet filter
- Sandboxing
The packet filter checks whether the data in the headers of incoming and outgoing packets comply with the rules defined by the user. The rules should be defined as restrictively as possible and limited to the communication that is really necessary. It makes sense to define the communication relationships per application if this is possible. To simplify the configuration, it is desirable for the personal firewall to 'learn' the configuration, with the help of the user, of course.
The sandboxing procedure refers to a protected area in which, for example, the browser, and thus also all Java applets, ActiveX controls, etc., can be executed in a controlled manner. In this area, the programs are checked for malware without affecting the rest of the system. However, very few products use this procedure.
We would also like to point out that even a sandbox procedure like this cannot provide complete protection. This is because implementing a perfect sandbox requires knowledge of all the communication relationships between the applications, and between the applications and the operating system.
Besides these two functions, some personal firewalls offer additional functions, e.g. virus protection, simple intrusion detection systems (IDS), content filters. These functions may be useful but need not be decisive in purchasing a personal firewall, as they can also be purchased as individual software.
Recommendation: personal firewalls must be able to perform packet filtering, and it must be possible to define the communication relationships for the individual applications.
-
If you have installed a personal firewall, define its filter rules so that only the accesses that are absolutely necessary are permitted. You should check these filter rules again at regular intervals to determine whether all permitted accesses are really necessary. If possible, the rules should be assigned to the respective applications. In addition, note the following:
- Ports that are not needed must be blocked.
- The latest virus scanner should always be installed and used.
- Patches should be applied immediately after the disclosure of vulnerabilities.
- Security-relevant events should be logged and evaluated.
Some personal firewalls offer the option of a self-learning configuration. Any application that requires a specific connection for the first time is initially blocked, and the personal firewall asks the user whether the connection should be allowed. This gradually builds up a set of rules. This configuration has the advantage of being reasonably understandable, even for those who are not technical experts. The disadvantage, however, is that security-critical misconfigurations can happen quickly this way.
In addition, you should pay attention to the correct configuration of the web browser, the mail client, the operating system and the applications. To understand the warnings given by your firewall, you need to know the meaning of Internet Protocol (IP) addresses and host/computer names, as well as the reports or warnings about Transmission Control Protocol (TCP)/User Datagram Protocol (UDP) ports.
-
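The following is an added example, not code from the original article or from any firewall product: a minimal model of an application-aware packet filter as described above (first matching rule wins, default deny, rules tied to individual programs), together with the self-learning mode in which an unknown connection is blocked once, the user is asked, and the answer is stored as a narrow rule. The rule fields, program names, addresses and the simulated user decision are all assumptions constructed for the illustration.

```python
"""Added example: application-aware packet filter with a learning mode.

Everything here is constructed for illustration; no real product's rule
format is modelled.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    app: str          # program the rule is bound to, "*" = any program
    direction: str    # "out" (initiated locally) or "in" (initiated remotely)
    proto: str        # "tcp" or "udp"
    remote_host: str  # remote IP address, "*" = any host
    port: int         # remote port for "out", local port for "in", 0 = any port
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Connection:
    app: str
    direction: str
    proto: str
    remote_host: str
    port: int


def matches(rule: Rule, conn: Connection) -> bool:
    """A rule matches when every field is equal or a wildcard."""
    return (rule.app in ("*", conn.app)
            and rule.direction == conn.direction
            and rule.proto == conn.proto
            and rule.remote_host in ("*", conn.remote_host)
            and rule.port in (0, conn.port))


class PersonalFirewall:
    def __init__(self, rules: List[Rule],
                 ask_user: Optional[Callable[[Connection], bool]] = None):
        self.rules = list(rules)    # ordered: the first matching rule wins
        self.ask_user = ask_user    # None = strict mode, nothing is ever prompted
        self.prompts = 0            # how often the user was asked (learning mode)

    def decide(self, conn: Connection) -> str:
        for rule in self.rules:
            if matches(rule, conn):
                return rule.action
        if self.ask_user is None:
            return "deny"           # strict mode: no rule means no connection
        # Learning mode: the first attempt is blocked, the user is asked, and
        # the answer is stored as a rule that is as narrow as possible
        # (exact program, host and port) so that no prompt repeats.
        self.prompts += 1
        action = "allow" if self.ask_user(conn) else "deny"
        self.rules.append(Rule(conn.app, conn.direction, conn.proto,
                               conn.remote_host, conn.port, action))
        return "deny"


# Constructed sample configuration (addresses from documentation ranges).
BROWSER = "browser.exe"
MAILER = "mailclient.exe"
MAIL_SERVER = "192.0.2.25"    # assumed address of the provider's mail server

BASE_RULES = [
    Rule(BROWSER, "out", "tcp", "*", 80, "allow"),
    Rule(BROWSER, "out", "tcp", "*", 443, "allow"),
    Rule(MAILER, "out", "tcp", MAIL_SERVER, 587, "allow"),   # mail submission
    Rule(MAILER, "out", "tcp", MAIL_SERVER, 993, "allow"),   # IMAP over TLS
    Rule("*", "in", "tcp", "*", 0, "deny"),                   # nothing may connect in
]

SAMPLE_ATTEMPTS = [
    Connection(BROWSER, "out", "tcp", "203.0.113.5", 443),         # normal browsing
    Connection(MAILER, "out", "tcp", MAIL_SERVER, 993),            # fetching mail
    Connection(MAILER, "out", "tcp", "203.0.113.9", 25),           # mail to a foreign server
    Connection("updater.exe", "out", "tcp", "198.51.100.7", 80),   # program without a rule
    Connection("system", "in", "tcp", "198.51.100.3", 31337),      # inbound probe
]


def run_strict() -> List[str]:
    """Strict mode: only the configured relationships are allowed."""
    fw = PersonalFirewall(BASE_RULES)
    return [fw.decide(c) for c in SAMPLE_ATTEMPTS]


def run_learning() -> Tuple[List[str], List[str], int, int]:
    """Learning mode: first pass blocks and asks, second pass uses the learned rules."""
    # Simulated user: approves the updater's web access, refuses everything else.
    fw = PersonalFirewall(BASE_RULES, ask_user=lambda c: c.app == "updater.exe")
    first = [fw.decide(c) for c in SAMPLE_ATTEMPTS]
    second = [fw.decide(c) for c in SAMPLE_ATTEMPTS]
    learned = len(fw.rules) - len(BASE_RULES)
    return first, second, learned, fw.prompts


if __name__ == "__main__":
    print("strict:  ", run_strict())
    print("learning:", run_learning())
```

The learned rules are deliberately bound to the exact program, host and port, which is the narrow form the text recommends; a learning mode that stored "allow updater.exe anywhere" after one click is exactly how the quick misconfigurations mentioned above come about.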
If the personal firewall reports a scan (or a connection), this can have various causes:
1) Providers usually assign dynamically allocated IP addresses to their customers. When a customer logs off, the address they were using is assigned to a new customer, who then dials in (possibly only seconds later). If an Internet computer now sends data to the old customer (e.g. due to a slow line), this is considered an unauthorised connection by the personal firewall of the new customer.
2) Another Internet user has configured their computer or a program incorrectly, so that this computer tries to establish connections. These problems occur relatively often with file-sharing programs. Repeated connection attempts from the same IP address to the same port are one indication.
3) Entire address ranges are searched for certain programs that would open a backdoor on the computer (e.g. Back Orifice, Netbus), or for file-sharing services, etc. In this case, a single connection to a single port is usually observed. Often, a personal firewall also reports that an attempt has been made to contact a specific backdoor program. This message can be ignored in 95% of cases, because if this program is not present (more precisely, if no service is listening on the corresponding port), the "attacked" computer reports back to the attacker that no service is available, and the attacker turns to the next IP address. A computer without a personal firewall would also behave in this way.
4) If an attacker wants to examine a computer more closely, they first try to contact all the ports of their target. The personal firewall would therefore report numerous connection attempts to different ports. Such attacks against private users are rare. Due to the dynamic IP allocation of the provider, a targeted attack can almost be ruled out. With some Internet services (e.g. Internet Relay Chat (IRC)), however, it is quite possible for any communication partner to find out the current IP address, so that such attacks could then also be targeted.
Scenarios 1) and 2) are not to be evaluated as attacks. Scenario 3) is also uncritical if no corresponding malware has been installed (which in turn could be detected by a virus scanner).
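As an added example that is not part of the original article, the triage below applies the four scenarios to a constructed personal-firewall log. Blocked inbound connections are grouped by source address; one source hitting many ports is treated as scenario 4), one source hitting the same port repeatedly as scenario 2), a single hit on a well-known backdoor port as scenario 3), and any other single hit as scenario 1) (or a broad sweep, which the log alone cannot distinguish). The log format, the thresholds and the set of locally listening ports are assumptions; the backdoor default ports (Back Orifice UDP 31337, NetBus TCP 12345/12346) are the programs' documented defaults. Whether a probed backdoor port is actually listening locally decides whether scenario 3) is uncritical, which is the check the text describes.

```python
"""Added example: triage of blocked connections reported by a personal firewall.

The log format is invented for this illustration; adapt LINE_RE to the
format your product writes.
"""
import re
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# Documented default ports of the backdoors named in the text.
BACKDOOR_PORTS = {("udp", 31337), ("tcp", 12345), ("tcp", 12346)}
PORT_SCAN_MIN_PORTS = 10   # distinct ports from one source before calling it a scan
REPEAT_MIN_HITS = 5        # hits on one port from one source: misconfigured peer

# Assumed log format: "<timestamp> BLOCK <PROTO> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(r"^(\S+) BLOCK (TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")

Event = Tuple[str, str, str, int]   # (timestamp, proto, source ip, local port)


def parse(log_text: str) -> List[Event]:
    """Keep only BLOCK records; anything else in the log is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, src, _sport, _dst, dport = m.groups()
        events.append((ts, proto.lower(), src, int(dport)))
    return events


def classify(events: List[Event],
             listening_ports: FrozenSet[Tuple[str, int]]) -> Dict[str, Tuple[str, str]]:
    """Map each source address to (scenario, assessment) per the article's list."""
    by_src = defaultdict(list)
    for _ts, proto, src, dport in events:
        by_src[src].append((proto, dport))
    result = {}
    for src, hits in by_src.items():
        ports = {p for _proto, p in hits}
        if len(ports) >= PORT_SCAN_MIN_PORTS:
            result[src] = ("4: many different ports from one source (port scan)",
                           "investigate: this is the only scenario with a targeted flavour")
        elif len(ports) == 1 and len(hits) >= REPEAT_MIN_HITS:
            result[src] = ("2: repeated attempts to one port",
                           "uncritical: misconfigured peer or file-sharing client")
        elif len(hits) == 1 and hits[0] in BACKDOOR_PORTS:
            if hits[0] in listening_ports:
                result[src] = ("3: sweep for a backdoor program",
                               "critical: a service is listening on that port, run a virus scan")
            else:
                result[src] = ("3: sweep for a backdoor program",
                               "uncritical: nothing listens there, the probe gets 'no service'")
        else:
            result[src] = ("1: single stray connection (or an untargeted sweep)",
                           "uncritical: e.g. traffic meant for the previous holder of the address")
    return result


# Constructed sample log (documentation address ranges, invented timestamps).
SAMPLE_LOG = "\n".join(
    ["2024-03-01T20:00:59 ALLOW TCP 192.0.2.10:49152 -> 203.0.113.5:443",      # outbound, not a block
     "2024-03-01T20:01:05 BLOCK TCP 198.51.100.7:51012 -> 192.0.2.10:54821",   # one stray packet
     "2024-03-01T20:01:06 BLOCK UDP 203.0.113.4:31337 -> 192.0.2.10:31337"]    # Back Orifice probe
    + [f"2024-03-01T20:02:{i:02d} BLOCK TCP 198.51.100.9:6881 -> 192.0.2.10:6881"
       for i in range(6)]                                                      # same port, six times
    + [f"2024-03-01T20:03:{i:02d} BLOCK TCP 203.0.113.77:40001 -> 192.0.2.10:{p}"
       for i, p in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080])]
)


def triage(log_text: str = SAMPLE_LOG,
           listening_ports: FrozenSet[Tuple[str, int]] = frozenset()) -> Dict[str, Tuple[str, str]]:
    return classify(parse(log_text), listening_ports)


if __name__ == "__main__":
    for src, (scenario, assessment) in sorted(triage().items()):
        print(f"{src:15} {scenario}\n{'':15} {assessment}")
```

The `listening_ports` argument stands for what the local machine actually exposes; on a real system it would be filled from the list of listening sockets, which is also the quickest way to verify the "ports that are not needed must be blocked" rule given earlier.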