
Appendix 9 – Firewalls, NAT & Static IP Addresses

A firewall is an application that lets you control and filter the packets flowing in and out of your computer or network. Almost all PCs accept certain types of connection, and hackers take advantage of this when probing for systems to attack. Such techniques include:

  • Ping - A method for determining whether a system is connected to the Internet at a particular address. You ping a system by sending what is known as an ICMP Echo Request packet; if the target is connected, you receive a 'pong' in response. Most operating systems, including Windows, include this program: just try running the command "ping foo.com", where foo.com is any domain name or IP address.
  • Operating System Fingerprinting - By sending a single specially crafted packet and examining the response, an attacker can determine both whether a system is connected at an IP address and which operating system it is running (Windows XP, Windows 95, Red Hat Linux, etc.).
  • Port scans - An attacker can find out which server programs are active and listening for data on a system by sending a connection request to every possible port number. If both you and the attacker have fast Internet connections, thousands of ports can be scanned within seconds.

    Firewalls are effective at blocking all of these probes, as well as other intrusion and denial-of-service attacks, by silently dropping any incoming packet that was not solicited by a program running on your computer. The attacker never receives a response, creating the illusion that there is no computer at your IP address, which in turn prevents any further attempt to exploit security vulnerabilities and break into the system.

    Outbound Filtering

    Some firewalls (such as the one included with Windows XP) only work in a single direction: they examine the packets your computer receives, not those it sends. This is because in most cases data originating from your computer, such as requests for web pages, is legitimate. But hostile applications such as Trojan horses, worms and viruses can use your Internet connection to send an attacker sensitive information such as your files, screen captures or even keystrokes. It is therefore crucial that your firewall has some mechanism for filtering outbound traffic from your computer. This is usually done by building up a list of programs that are allowed to use your Internet connection: if an unauthorized program attempts a connection, the firewall alerts you and lets you decide whether or not to give it permission to proceed.
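    The two ideas above (drop every inbound packet that no local program asked for, and let only listed programs send) can be shown in a few lines. The following is an added illustration, not code from the original guide or from any real firewall product: a toy stateful filter whose packet fields, "program" attribute and sample traffic are all constructed for the example (203.0.113.5 and 192.0.2.10 are reserved documentation addresses; 192.168.1.71 is the local address used later in this appendix).

```python
# Added illustration, not code from the original guide: a toy stateful packet
# filter with a per-program outbound allow-list.  Packet fields, the "program"
# attribute and all addresses/ports are constructed for the example.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    sport: int              # 0 for ICMP
    dst: str
    dport: int              # 0 for ICMP
    direction: str          # "in" (from the Internet) or "out" (from this PC)
    program: str = ""       # assumed: program that generated an outbound packet
    icmp_type: int = -1     # 8 = echo request ("ping"), 0 = echo reply ("pong")


@dataclass
class Firewall:
    allowed_programs: set
    answer_ping: bool = False                  # "ping turned off" by default
    flows: set = field(default_factory=set)    # flows this PC initiated
    log: list = field(default_factory=list)

    def _flow(self, pkt):
        """Normalise a packet to (proto, local, lport, remote, rport)."""
        if pkt.direction == "out":
            return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        if pkt.direction == "out":
            # outbound filtering: only listed programs may use the connection
            if pkt.program not in self.allowed_programs:
                self.log.append(f"BLOCK out: {pkt.program} -> {pkt.dst}:{pkt.dport}")
                return "BLOCK"
            self.flows.add(self._flow(pkt))    # remember it so replies are accepted
            return "ALLOW"
        # inbound: accept only replies to flows this PC started ...
        if self._flow(pkt) in self.flows:
            return "ALLOW"
        # ... or a ping, if the owner has chosen to answer them
        if pkt.proto == "icmp" and pkt.icmp_type == 8 and self.answer_ping:
            return "ALLOW"
        # everything else (pings, fingerprint probes, port scans) is dropped
        # silently: the sender gets no response at all
        self.log.append(f"DROP in: {pkt.src}:{pkt.sport} -> {pkt.dport}/{pkt.proto}")
        return "DROP"


def run_sample():
    """Constructed traffic for the PC 192.168.1.71; returns (label, verdict) pairs."""
    fw = Firewall(allowed_programs={"browser.exe", "ping.exe"})
    me, web, outsider = "192.168.1.71", "192.0.2.10", "203.0.113.5"
    traffic = [
        ("browser request", Packet("tcp", me, 51000, web, 80, "out", "browser.exe")),
        ("web reply", Packet("tcp", web, 80, me, 51000, "in")),
        ("ping probe", Packet("icmp", outsider, 0, me, 0, "in", icmp_type=8)),
        ("port scan (135/tcp)", Packet("tcp", outsider, 4444, me, 135, "in")),
        ("unlisted program", Packet("tcp", me, 51001, outsider, 6667, "out", "mystery.exe")),
        ("our own ping", Packet("icmp", me, 0, web, 0, "out", "ping.exe", 8)),
        ("pong", Packet("icmp", web, 0, me, 0, "in", icmp_type=0)),
    ]
    return [(label, fw.filter(pkt)) for label, pkt in traffic]


if __name__ == "__main__":
    for label, verdict in run_sample():
        print(f"{label:22} {verdict}")
```

    Note the two different verdicts: unsolicited inbound packets are dropped with no reply, so the outsider learns nothing, whereas an outbound attempt by an unlisted program is blocked and logged so that the owner can be alerted, which is the behaviour the text asks for from a personal firewall.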

    NAT

    Most multi-user connections to the Internet (i.e. where all your staff connect via a single phone line or, more typically now, a single broadband line) will utilise a gadget called a router, and most routers now incorporate NAT or “Network Address Translation”. This technique allows the millions of office networks in the world all to re-use the same private network addresses in the ranges:

  • 192.168.nn.nn
  • 172.16.nn.nn
  • 10.0.nn.nn

    The router, on the other hand, has a unique Internet address, such as 212.69.225.200, from which it sends and receives information (a bit like a post code). So when one of your staff, let’s call him Charlie, sends a request to the Internet, it goes from his local address of 192.168.1.71, through the router’s address of 212.69.225.200, and then out to the world wide web, which is only aware of the router, not of Charlie himself. The returned packets are therefore addressed to the router, which re-addresses them (i.e. translates their network addresses) to Charlie. In this manner computers on the local network are kept separate, invisible and safe from those on the Internet side of the router.

    While NAT gives excellent protection to the computers on its local area network, remember that the router itself still has ports that can be attacked by hackers, and it must therefore be set up with as much protection as possible (e.g. “ping” turned off, internal firewall enabled, etc.).
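    Charlie’s round trip can be traced with a small model of the router’s translation table. This is an added illustration, not code from the original guide or from any real router: the table layout and the exchange are constructed for the example, using the router address 212.69.225.200 and Charlie’s 192.168.1.71 from the text, a colleague at 192.168.1.72, and the reserved documentation addresses 192.0.2.10 (a web server) and 203.0.113.5 (an outsider).

```python
# Added illustration, not code from the original guide: a toy NAT router that
# rewrites the source address of outbound packets to its own public address
# and translates the replies back to the internal PC.  Addresses and the
# translation-table layout are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> (private ip, private port, remote ip, remote port)
        self.table = {}
        # (private ip, private port, remote ip, remote port) -> public port
        self.reverse = {}

    def outbound(self, pkt):
        """Translate a packet leaving the office network."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.reverse:
            # each internal connection gets its own public port, so two
            # staff using the same local port number do not collide
            port = self.next_port
            self.next_port += 1
            self.reverse[key] = port
            self.table[port] = key
        return Pkt(self.public_ip, self.reverse[key], pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is None:
            return None  # nobody inside asked for this: silently dropped
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
            return None  # right port, but not the host Charlie was talking to
        return Pkt(pkt.src_ip, pkt.src_port, priv_ip, priv_port)


def run_sample():
    """Constructed exchange: Charlie and a colleague browse; an outsider probes."""
    router = NatRouter("212.69.225.200")
    charlie_req = router.outbound(Pkt("192.168.1.71", 51000, "192.0.2.10", 80))
    colleague_req = router.outbound(Pkt("192.168.1.72", 51000, "192.0.2.10", 80))
    reply = router.inbound(Pkt("192.0.2.10", 80, "212.69.225.200", charlie_req.src_port))
    spoof = router.inbound(Pkt("203.0.113.5", 4444, "212.69.225.200", charlie_req.src_port))
    probe = router.inbound(Pkt("203.0.113.5", 4444, "212.69.225.200", 22))
    return {
        "charlie_as_seen_by_web": charlie_req,
        "colleague_as_seen_by_web": colleague_req,
        "reply_delivered_to": reply,
        "spoofed_reply": spoof,
        "probe_of_router_port_22": probe,
    }


if __name__ == "__main__":
    for name, result in run_sample().items():
        print(f"{name:26} {result}")
```

    The web server only ever sees 212.69.225.200, and the two staff members appear as two different public ports on it. Packets that match no table entry, or that come from a host nobody inside contacted, are discarded, which is the protection the text describes. The model returns None for the probe of port 22 only because this toy router runs no services of its own; a real router does (its admin interface, a ping responder), and those are the ports the paragraph above says must be locked down.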

    Static IP Addresses

    Every Internet connection is allocated a unique IP address when it joins the web, such as 212.69.225.200, which works a bit like a post code. Usually you will get a different address (i.e. a dynamic one) each time you connect. However, if you need, for example, to repeatedly connect two offices via the Internet (i.e. to join all their computers in a WAN), then you must have the same IP address every time you connect, in which case you simply request a fixed or static IP address from your ISP (which will cost a few pounds extra each month).

    Implications

  • Routers must be set up properly (i.e. with “ping” turned off)
  • Windows XP will not stop email-forwarding (i.e. outbound) viruses unless you add personal firewall software
  • Norton Personal Firewall is good, but in some instances its fierce protection may actually prevent some applications from working