Subj : Port Blocking
To   : Stewart Buckingham
From : Peter Knapper
Date : Sat Apr 06 2002 06:34 am

Hi Stewart,

SB> As an end-user connecting to the internet via my local
SB> isp, running W4, FP12, TCPIP 4.3, In-joy 2.3, Warpzilla
SB> & Polarbar, am I at all vulnerable to attack from
SB> hackers whilst I'm connected to the net?

ANYTHING connected to the internet is vulnerable to attack. The real question I guess is probably HOW vulnerable would you consider acceptable???

SB> If so, what ports should I be blocking?

In simplistic terms, the safest way to access the internet is to only permit INCOMING connections that are responses to REQUESTS YOU have sent out TO something, OR only permit INCOMING connections on a PORT that you have a KNOWN service operating.

SB> How to do it?

The issue probably comes down to how much you wish to spend (in time and $$$) to make yourself feel "comfortable" with your security. To me, it comes down to the different possible modes of operation, and here are the parameters I try and work with. I split things into 2 main categories, dial-up and Permanent connections, and then into different MODES of operation within those categories -

1. Dial-up connections such as Modem, ISDN, etc, are the most popular for Home users, however some of the lower cost permanent items are gaining popularity now.

1.a. With a dial-up connection that I connect and disconnect MANUALLY under MY control (IE: the modem is not in auto-answer mode and no calls are placed automatically by the S/W), then my main area of concern would be restricted to the OS I was using and the application S/W I was running that used the Internet. A Firewall may be desirable, but it is optional at this point. Here simple common sense can apply.

1.b. With a Dial-up connection that was automated (IE under machine control for call placement), then some sort of Firewall is HIGHLY desirable. In this case the Firewall would be configured to allow only sessions initiated BY MY END of the link, and I would even allow the Firewall component to be on the machine I was using.

NB: A Standalone Firewall is MUCH preferred over running a Firewall on the end-user machine. Because an End-User machine is always being tinkered with by the user, an End-User machine based Firewall is just waiting for the user to do something that breaks the Firewall without the user being aware of it. A standalone Firewall is far less vulnerable to user error.

2. With any type of permanent connection (DSL, Cable, Leased line, etc), then operating without a Firewall should be thought of as almost immediate "Death on the Internet". The hard part here is working out what type of Firewall to use, and how it should be configured. There are a couple of scenarios that I use here -

2.a. With a cable or DSL type connection that does NOT have a permanent IP assigned or does NOT have a DNS entry pointing at the connection (other than ISP assigned DNS entry for reverse lookups), then something similar to 2 above should be enough, except it SHOULD definitely be a standalone Firewall, especially if the PC is left connected 24hrs/day.

2.b. As for 2.a above but with a DNS reference and/or static address, REGARDLESS of a configured SERVER on the DNS/IP Address, then a standalone Firewall is a MUST. Depending on the level of external AND internal access required to the server, a DMZ may be desirable.

2.c. Permanent connection with full DNS references and full-time Servers, then a DMZ is definitely desirable to retain your sanity.

I have at various times run in modes 1.a, 1.b, 2.a at home as my needs changed. At work we usually use 2.c with a DMZ every time; they are commercial ventures that need appropriate configurations. There are numerous options available for each mode, and of course I have certain preferences.

You also need to be aware that not all Firewalls are equal. Some are like brick walls that expressly permit or deny traffic using HARD RULES as set by a human (a common term used by users here is "pinholing" a device to allow certain traffic through). Other Firewalls use what is known as "Stateful Inspection", in which the Firewall applies user based rulesets to decide which traffic is blocked, which is allowed, and which may be permitted under certain conditions. Stateful Firewalls also try to detect events such as "Denial of service" attacks, and apply decisions based on what it learns about such situations to limit the potential "damage", while still remaining operational for other "normal" traffic (if possible).

As an example for categories 2.a or even 2.b, there are a number of devices that fit this requirement quite nicely for most Home (or Small Business Office) use. EG, for an ADSL connection, something like a Cisco 827 ADSL Router with the Firewall S/W can provide the DSL capability, the Routing capability, NAT and the Firewalling capability, and offer other extras such as DHCP Server, VPN, Voice over IP, etc, all within one box. Yes, it is not cheap, but if you can use all the features, then it is a pretty darn good option considering you do not have to have other H/W performing these tasks.

From what you have asked about, this is probably a bit more than you want, but at least it gives you an idea and starts you thinking in the right direction.

I hope you find this useful..............pk.

--- Maximus/2 3.01
 * Origin: Another Good Point About OS/2 (3:772/1.10)