July 2000 - NT Internet Goodies

In this issue, we examine some of the free personal firewalls available for Windows NT. These firewalls protect your computer by blocking unsolicited inbound connections, so that any server software you may be running (such as Personal Web Server, or an FTP or Telnet daemon) is invisible to hosts on the Internet. Internet security is, of course, a hot topic right now. Given the spate of attacks on corporate sites (such as the widely publicized denial-of-service attack that took Yahoo off-line, and the pernicious ILOVEYOU e-mail worm), it’s a good idea to protect yourself pre-emptively.


My Personal Firewall Challenge

As I searched through more and more of the Internet for personal firewalls, I found that almost every article touched on ConSeal PC Firewall ($49.95, http://www.consealfirewall.com/), BlackICE Defender Lite ($39.95, http://www.networkice.com/), Sybergen Secure Desktop (“SyShield”, covered below), and ZoneAlarm (covered below). I chose not to touch on either ConSeal or BlackICE, since they’re too expensive for my taste. But it does make me wonder about the real value added by most columns (the companies listed above should probably get royalties for providing word-work for so many would-be analysts!). My hope is that this column will offer you a little more information than you’d find in similar columns elsewhere, rather than simply churning paragraphs for the sake of a deadline.

Unfortunately, the “big four” listed above pretty much define the free or inexpensive personal firewalls available for NT. I simply found that to be unacceptable, so I expanded my search to finding source code for firewalls that I could build. While I did find some firewall projects, they were all UNIX-centric. Hence my challenge: If you know of or have written the beginnings of a firewall for NT, I want to help you build it. My goal is a completely free personal firewall that performs at least as well as the currently fashionable firewall (ZoneAlarm, as of today). Let’s give those columnists something new to talk about! Do I have any takers?


A Real Example of Good Things Gone Bad

My good friend Joe Berry was himself the unwitting victim of an attack last year. He runs his own 24x7 Web site (on a Solaris box), and had an improperly configured firewall. He noticed network traffic over his IP connection at times and at levels not justified by his own usage; upon investigation with a TCP/IP port scanner, he discovered a listening port that he couldn’t account for. Yes, someone had broken into his machine, installed a daemon that listened on an otherwise unused TCP port, and was using his machine as a “way-station” for unspecified activity. Plus, all his personal mail (as well as lots of other private information) was available for the intruder to read. Joe tried to track down the source, and (as is usual in sophisticated cases) ran up against a whole chain of compromised servers; he finally gave up the chase at a machine somewhere in Scandinavia.


But the situation actually got worse after he located and deactivated the daemon on his box. Apparently, the perturbed hacker wanted to punish him for daring to remove himself from the circle of servers: his Web server became the subject of a packet attack! In this type of attack (the same kind that shut down the Yahoo servers), a server is flooded with bogus pings and connection requests until it can’t handle legitimate traffic at all. It got so bad that Joe had to work with his IP provider to clean up the situation. Plus, the intruder’s daemon apparently brought some friends along, since file systems began to be corrupted after Joe deactivated it. Ouch! Not a pretty picture.


NT Can Let You Down

My next step was to research security solutions specifically for NT. Whenever I’m in doubt about specific NT security questions I turn to a good security man, Rick Cormier of EMC Corporation. As I researched this article, I got some good information from Rick that I’d like to share with you.

NT offers some specific vulnerabilities to network hackers, but not because it’s inherently insecure (it’s just shipped that way). Basically, an NT print server can be a prime point of attack: it generally has connectivity to many other hosts, and nobody thinks of it as a sensitive machine. Thus, a print server can offer a relatively easy way into an enterprise’s NT intranet.

The secret to this type of infiltration lies in a specific security assumption made by NT. If an account with the same username and password exists in two different domains (or locally on a workstation and in a domain), NT’s pass-through authentication lets you access resources in the second one from the first as if you were logged into both, even though you are only logged into one. As a not-so-nifty consequence, the NT Resource Kit (freeware from Microsoft, http://www.microsoft.com/ntserver/nts/downloads/recommended/ntkit/default.asp) even allows you to execute remote commands in the domain you are not logged into (I verified this).

A great book, Hacking Exposed (http://www.hackingexposed.com/), describes how you might get into a non-admin account on some simple machine that no one suspects to be a vulnerability (like a print server). For instance, the Guest local account, with a null password, may have been left enabled. Often, an administrator will have a local account on the machine with the same username and password that he uses for his domain account. There are standard hacking tools that dump the password hashes from the local SAM and crack them off-line, which succeeds whenever a password is not sufficiently strong (as is the case more often than not). If the hacker can get the admin’s local password and that password is the same as for the admin’s domain account, he can use it to log into the domain as an administrator. This is a specific case of the general notion of privilege escalation, in which a hacker compromises a seemingly innocuous account on a seemingly innocuous machine and leverages it to gain deeper privilege. Even if this doesn’t work, NT’s default permission on a new share is Everyone: Full Control (only the NTFS permissions on the underlying files, if any were set, still restrict access), and Everyone includes the aforementioned Guest account. So compromising one machine with a seemingly trivial account can yield lots of power.
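The password-reuse problem above can be audited without cracking anything, because the NT password hash is unsalted: two accounts with the same NT hash have the same password. The following is an added example (my own, not from Hacking Exposed or any tool it describes) that compares two pwdump-format dumps, one from a print server’s local SAM and one from the domain, and also flags null passwords and accounts that still store an LM hash. The dump lines, account names and most hash values are constructed for the demo; only the empty-password hashes and the hash of the word “password” are real.

```python
# Added example (not from the column): detect the local/domain password reuse
# described above by comparing NT hashes from two pwdump-style dumps. The NT
# hash is unsalted MD4 of the password, so equal hashes mean equal passwords.
# Dump lines below are constructed; hashes other than the empty-password
# constants and the hash of "password" are placeholders.

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of an empty password
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"   # NT hash of an empty password

# pwdump format: user:RID:LMhash:NThash:::   (constructed sample, print server)
PRINT_SERVER_SAM = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:0cc175b9c0f1b6a831c399e269772661:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jsmith:1002:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

# Constructed sample from the domain controller; jsmith is a domain admin.
DOMAIN_SAM = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:5f4dcc3b5aa765d61d8327deb882cf99:::
jsmith:1105:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
svc_backup:1110:aad3b435b51404eeaad3b435b51404ee:92eb5ffee6ae2fec3ad71c777531578f:::
"""


def parse_pwdump(text):
    """Return {username: (rid, lm_hash, nt_hash)} from pwdump-format lines."""
    accounts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, rid, lm, nt = line.split(":")[:4]
        accounts[user] = (int(rid), lm.lower(), nt.lower())
    return accounts


def empty_password_accounts(accounts):
    """Accounts whose NT hash is the hash of the empty string (null password)."""
    return sorted(u for u, (_, _, nt) in accounts.items() if nt == EMPTY_NT)


def lm_hash_accounts(accounts):
    """Accounts that still store an LM hash; LM cracks far faster than NT."""
    return sorted(u for u, (_, lm, nt) in accounts.items()
                  if lm != EMPTY_LM and nt != EMPTY_NT)


def shared_passwords(local, domain):
    """(local_user, domain_user) pairs whose NT hashes match, i.e. the same
    password is used on the box and in the domain. Null passwords are
    reported separately, so they are skipped here."""
    by_hash = {}
    for user, (_, _, nt) in domain.items():
        if nt != EMPTY_NT:
            by_hash.setdefault(nt, []).append(user)
    pairs = []
    for user, (_, _, nt) in local.items():
        for dom_user in by_hash.get(nt, []):
            pairs.append((user, dom_user))
    return sorted(pairs)


def audit(local_text, domain_text):
    """Run all three checks over a local SAM dump and a domain dump."""
    local = parse_pwdump(local_text)
    domain = parse_pwdump(domain_text)
    return {
        "null_password_local": empty_password_accounts(local),
        "lm_hash_local": lm_hash_accounts(local),
        "reused_in_domain": shared_passwords(local, domain),
    }


if __name__ == "__main__":
    for check, hits in audit(PRINT_SERVER_SAM, DOMAIN_SAM).items():
        print(f"{check}: {hits}")
```

Run against the samples it reports Guest as having a null password, jsmith as still storing an LM hash, and jsmith’s local account as sharing its password with jsmith’s domain account, which is exactly the escalation path described above. The same comparison works between any two SAM dumps (two workstations, or a workstation and a domain).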

The easiest way to keep an outsider from getting a foothold like this is to set up a firewall that blocks unwanted connections from the outside world. (Internal subversion is a completely separate problem, and a firewall at the perimeter does nothing about a password that is already shared inside it!) And that’s what we’re going to look at now.


Steve Gibson’s Security Site

As I’ve pointed out before, a good starting point for any exploration of personal firewalls is Steve Gibson’s Web page on the subject (http://grc.com/su-firewalls.htm). Steve looks at five personal firewalls. However, I’m only going to look at a couple of them; my rule is “if it costs more than $29.95, I don’t look at it” (at least for the purposes of this column!).


The first thing that I did was to submit my machine (actually, my wife’s crummy Windoze/98 box connected through CompuServe) to Steve’s ShieldsUP! test (https://grc.com/x/ne.dll?bh0bkyd2). Surprise, surprise–it reported a Big Hole in Windows Networking at port 139. As is the case with all of Steve’s work, the page then went on to say that it was a Big Problem. And then (in the next paragraph) it went on to say that, perhaps, it wasn’t such a Big Problem after all. Either way, his page suggested I Do Something About It. Hmm, thinks I, mayhaps I shall experiment with some firewalls on this box itself.



ZoneAlarm (free for personal use, ZoneLabs, http://www.zonelabs.com/) got rave reviews from many folks, and at the price I knew we had to try it out. I must say that I’m surprised Steve Gibson thought so much of it, seeing that its “huge” download size (a whole 1.5MB) means that the developers didn’t write the entire application in Assembler language. (I suppose he must make some concessions for lesser mortals.)

Anyway, I installed the application and nothing seemed to happen. I opened up Internet Explorer again–presto, an alert came up “Do you want to allow Internet access by this program?” Apparently ZoneAlarm was awake. Then I went back to ShieldsUP! and immediately received yet another alarm (Figure 1).




Holy moly! I didn’t do anything in order to make this alert happen. At the very least, I was expecting to have to configure the ports I wanted to block!

I then went to the task bar, and clicked on the ZoneAlarm entry, and got a detailed screen with the same alert information on it. Apparently Steve is right–install this baby and forget it! What a nice treat. And at the price, I can’t beat it.

However, I really don’t like the lack of configuration. Basically, you install the product and that’s all you can do. So it’s on to the next firewall.


Sybergen Secure Desktop (formerly SyShield)

Steve thinks this firewall ($29.95, Sybergen Networks, www.sygate.com) is alright (at least he used to think so!), so I thought that I’d give it a try. Since I’d already tried one firewall on my personal box at home, I thought I’d try this one at work, but going through a free Internet connection service.

I have both AltaVista and Juno for free access. I started with AltaVista and went to ShieldsUP! and promptly got told that:

· Steve could connect to my machine
· Steve could get my computer name and user name
· Steve could see all my shared resources: all drives, printers, ZIP drives, and so on!

Yikes!

Also, doing a port scan showed that both my FTP server (port 21) and the NetBIOS session service (port 139, which carries Windows file sharing) were open. SyShield to the rescue!
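Both Joe’s discovery of a port he couldn’t account for and the ShieldsUP! result above come down to the same check: scan your own box from outside and compare what answers against what you meant to run. Here is an added example (my own code, not ShieldsUP! or any scanner the column mentions) of a plain TCP connect scan with that comparison. It runs entirely against the loopback interface, starting its own throw-away listener so it can be executed offline; the port-name table and the allow-list are demo values.

```python
# Added example (not from the column): TCP connect scan plus an allow-list
# check. Anything open that is not on the allow-list is either a service you
# forgot about or a daemon you did not install. Runs against 127.0.0.1 only;
# the port table and expected set are demo values.
import socket

# A few ports an NT box of this era commonly exposed (demo label table).
PORT_NAMES = {21: "ftp", 23: "telnet", 25: "smtp", 80: "http",
              135: "rpc-epmap", 139: "netbios-ssn", 1521: "oracle-tns"}


def scan_ports(host, ports, timeout=0.5):
    """Return the ports in `ports` that accept a TCP connection on `host`.
    A full connect scan (not SYN-only), so no raw sockets or privileges."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
            sock.settimeout(timeout)
            try:
                sock.connect((host, port))
            except OSError:          # refused, timed out, or unreachable
                continue
            open_ports.append(port)
    return open_ports


def unexpected_listeners(open_ports, expected):
    """Open ports that are not on the allow-list of services you meant to run."""
    return sorted(p for p in open_ports if p not in expected)


def describe(port):
    return f"{port}/tcp ({PORT_NAMES.get(port, 'unknown')})"


def demo_against_local_listener(expected=frozenset()):
    """Stand-alone demo: open one listener on 127.0.0.1, scan it together with
    a port known to be closed, and report what the allow-list check flags."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # port 0 = pick a free one
    listener.listen(5)
    live_port = listener.getsockname()[1]
    # Bind and release a second ephemeral port so we have one that is closed.
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    dead_port = probe.getsockname()[1]
    probe.close()
    try:
        found = scan_ports("127.0.0.1", [live_port, dead_port])
    finally:
        listener.close()
    return {"live": live_port, "dead": dead_port, "open": found,
            "unexpected": unexpected_listeners(found, expected)}


if __name__ == "__main__":
    result = demo_against_local_listener()
    for port in result["unexpected"]:
        print("unexpected listener:", describe(port))
```

To use it for real, point `scan_ports` at your own public address from a second machine (a scan from the box itself sees loopback-only services that nobody outside can reach) and put the ports you deliberately serve into the `expected` set; with a personal firewall in place the scan should come back empty even for ports that are really listening.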

During the installation process, SyShield did offer one nice feature: it prompted me for the network binding I wanted to protect. It listed all of them (my network card, and the different dial-up connections I have), and I selected the AltaVista entry. (One thing to keep in mind about AltaVista: its dial-up connection is called “DO_NOT_REMOVE”. Confusing, eh?)

After rebooting the system, SyShield identified the various network applications that my machine automatically loads (my Sybase database, Internet Explorer, and some others) and verified that I wanted these applications to have network access.

Once installed, I went back to ShieldsUP! and all the offending problems were corrected. Yes, without any configuration SyShield saved the day.

Steve brought up one good point, that SyShield offers no way to define a “trusted” set of machines that allow TCP/IP connections, while blocking all other machines. However, my installation definitely does allow this type of filtering, via the “Config” option after starting SyShield.

Based on what I’m seeing, plus the powerful configuration utilities available, I think I actually prefer this firewall to the free one! It’s possible to change almost any aspect of connection that you can think of—specific ports, specific machines, specific applications, and much more. Plus the logging facilities (all automatic) appear nicely designed and implemented.

Now for the bad news: the application burns up CPU. Specifically, I tracked the problem down to the installed SYSAM service (my guess is the SyShield security module). Stopping the SYSAM service immediately freed up my CPU, and seemed to have no effect on the application’s functionality. After sending a query to the help desk, I received a response about their latest version (2.1), which they said should address the problem. One check worth making before blaming a firewall for a service you don’t recognize: look up which executable the service actually runs (in the Services control panel, or under HKLM\SYSTEM\CurrentControlSet\Services in the registry), since other products on the same box, Sybase’s SySAM license manager among them, install services with similar names.



This fine site offers a wealth of information on NT security flaws and features, as well as numerous links to software tools. I especially enjoyed the FAQ, written in a non-confusing and quite accessible fashion (not always the case for engineering information!). By using this FAQ, I got a great lead to a whole page devoted to listing firewalls (free and commercial) at http://www.greatcircle.com/firewalls/vendors.html. A quick trip through that page led me to some freeware and shareware products, only one of which (SOCKS) supports Windows (and requires purchase of a commercial product, such as AutoSOCKS or NEC’s own SOCKS server). However, the set of commercial products is quite complete and can provide you with information on purchasing a large-scale corporate firewall.

While I was hoping to find a firewall server I could build using my C compiler, I haven’t given up hope. I’ll keep scanning the Internet until I do find one—or someone responds to my challenge.


Good Ol’ AtGuard

Some issues ago I talked about a nice Internet ad blocker called AtGuard. I installed the application and noticed an immediate improvement in throughput, as well as many fewer ads to read! However, I completely forgot that AtGuard comes with its own firewall. Those of you who downloaded AtGuard before it was acquired by Symantec Corporation may want to try out the firewall side of the software.

I must admit that I wasn’t too impressed with AtGuard’s capabilities. I enabled the firewall, and immediately started getting notifications about TNSLSNR80 (the Oracle database listener) receiving data on port 1521. Not surprising, since my Oracle database was running and the data came inbound from my local machine! Mainly, I was disappointed at the technical level required to do the configuration (I got confused by the constant alarms and the wizard interface for each application and port that had any network activity). While it’s possible to get all your network traffic protected by using the rule-based model presented by AtGuard, I certainly wouldn’t recommend the software for people who don’t know the details of which ports different applications should be allowed to use!
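What AtGuard’s wizard is asking you to build, and what SyShield’s “Config” screen exposes, is an ordered rule list keyed on application, direction, remote address and port, evaluated first match wins with a default of block. The following added example (my own, not AtGuard’s or Sybergen’s code) reduces that model to a few dozen lines so you can see what a sane rule set looks like: the Oracle listener is allowed to take loopback connections (which silences the alert above without opening 1521 to the world), a trusted LAN is allowed to reach port 139 while everyone else is refused, and the browser is allowed out to web servers. The process names, addresses and events are constructed for the demo; 203.0.113.0/24 is a documentation address range.

```python
# Added example (not AtGuard's or SyShield's code): a first-match-wins
# personal-firewall rule evaluator with a default of block. Rules, process
# names, addresses and the events run through it are constructed demo data.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    app: Optional[str] = None         # process image name; None matches any
    direction: Optional[str] = None   # "in" or "out"; None matches either
    remote: Optional[str] = None      # remote address or CIDR; None matches any
    port: Optional[int] = None        # service port (local for "in", remote for "out")


@dataclass(frozen=True)
class Event:
    app: str
    direction: str
    remote_ip: str
    port: int


def matches(rule: Rule, ev: Event) -> bool:
    """Every field a rule specifies must match; unspecified fields are wildcards."""
    if rule.app is not None and rule.app.lower() != ev.app.lower():
        return False
    if rule.direction is not None and rule.direction != ev.direction:
        return False
    if rule.port is not None and rule.port != ev.port:
        return False
    if rule.remote is not None:
        net = ipaddress.ip_network(rule.remote, strict=False)
        if ipaddress.ip_address(ev.remote_ip) not in net:
            return False
    return True


def decide(rules: List[Rule], ev: Event, default: str = "block") -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index) or (default, None)."""
    for i, rule in enumerate(rules):
        if matches(rule, ev):
            return rule.action, i
    return default, None


RULES = [
    # rule 0: the Oracle listener may take loopback connections only
    Rule("allow", app="TNSLSNR80.EXE", direction="in", remote="127.0.0.1/32", port=1521),
    # rule 1: the trusted LAN may reach NetBIOS file sharing; rule 2: nobody else
    Rule("allow", direction="in", remote="192.168.1.0/24", port=139),
    Rule("block", direction="in", port=139),
    # rule 3: the browser may go out to web servers
    Rule("allow", app="IEXPLORE.EXE", direction="out", port=80),
]

DEMO_EVENTS = [
    Event("TNSLSNR80.EXE", "in", "127.0.0.1", 1521),    # allow, rule 0
    Event("TNSLSNR80.EXE", "in", "203.0.113.5", 1521),  # block, default
    Event("SYSTEM", "in", "192.168.1.20", 139),         # allow, rule 1
    Event("SYSTEM", "in", "203.0.113.5", 139),          # block, rule 2
    Event("IEXPLORE.EXE", "out", "203.0.113.80", 80),   # allow, rule 3
    Event("UNKNOWN.EXE", "out", "203.0.113.9", 6667),   # block, default
]


def run_demo(rules=RULES, events=DEMO_EVENTS):
    """Evaluate every demo event; returns the list of (action, rule index)."""
    return [decide(rules, ev) for ev in events]


if __name__ == "__main__":
    for ev, (action, idx) in zip(DEMO_EVENTS, run_demo()):
        why = f"rule {idx}" if idx is not None else "default"
        print(f"{action:5} {ev.app:14} {ev.direction:3} {ev.remote_ip:15} port {ev.port}  ({why})")
```

Two points the demo makes that the alarms obscure: loopback traffic needs an explicit allow (rule 0) or every local client of the Oracle listener will trip an alert, and order matters, since swapping rules 1 and 2 would cut the trusted LAN off from file sharing.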


From the Goodie Bag...

For your edification and perusal, this month I’m providing a neat little solution to a non-security problem that I had. I needed to generate SNMP traps (alerts) from Java, but had no library for it. All the solutions I found required money (imagine that!), so I wrote a package myself. While Java isn’t strictly for NT (neither is SNMP, for that matter), it can run on NT, and SNMP is kinda Internet-ish (at least it has Network in the name).

You Java folks are free to use this package any way you want. I think my packet assembly logic is elegant and simple, and completely transparent to the developer. Also included (again, free of charge) are a few useful utilities I use throughout all my Java applications, including logging capabilities, C-like string functions, and so on. Unfortunately, since all I needed was an alert generator, I don’t handle the other SNMP functions (SET, GET, GETNEXT, etc.). However, a good Java developer should be able to add these functions to the base set of classes. (And perhaps send the update back to me?) Anyway, I hope it’s useful to you. You can get it from the <EDITOR: INSERT FTP ADDRESS FOR javasnmp.zip HERE>. Also, if I get any interest in the package, you might persuade me to add the other SNMP functions.
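For readers who want to see what the packet assembly in a trap generator actually involves, here is an added example (my own Python, not the Java package above and not derived from it) that builds an SNMPv1 Trap-PDU with hand-rolled BER encoding, which is all a trap sender needs. The enterprise OID, agent address, community string and variable bindings are demo values. One caveat a security engineer should keep in mind: SNMPv1 carries the community string in clear text and has no authentication, so a received trap proves nothing about who sent it.

```python
# Added example (not the column's Java package): SNMPv1 Trap-PDU assembled by
# hand with BER (X.690), no SNMP library required. Demo values throughout.
# SNMPv1 has no authentication; the community string travels in clear text.
import socket

TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID = 0x02, 0x04, 0x05, 0x06
TAG_SEQUENCE, TAG_IPADDRESS, TAG_TIMETICKS, TAG_TRAP_PDU = 0x30, 0x40, 0x43, 0xA4


def encode_length(n: int) -> bytes:
    """BER length: one byte if < 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content


def encode_unsigned(tag: int, value: int) -> bytes:
    """Non-negative INTEGER/TimeTicks in minimal two's complement; a leading
    0x00 is emitted when the top bit would otherwise read as a sign bit."""
    if value < 0:
        raise ValueError("only non-negative integers are needed for traps")
    return tlv(tag, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def encode_integer(value: int) -> bytes:
    return encode_unsigned(TAG_INTEGER, value)


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128
    big-endian with the continuation bit set on all but the last byte."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_value(value) -> bytes:
    """Varbind value: None -> NULL, int -> INTEGER, str/bytes -> OCTET STRING."""
    if value is None:
        return tlv(TAG_NULL, b"")
    if isinstance(value, bool):
        raise TypeError("bool is not an SNMP type")
    if isinstance(value, int):
        return encode_integer(value)
    if isinstance(value, str):
        value = value.encode("utf-8")
    return tlv(TAG_OCTET_STRING, value)


def build_trap_v1(community, enterprise, agent_addr, generic, specific, uptime_ticks, varbinds):
    """Message { version INTEGER 0, community OCTET STRING, Trap-PDU [4] {...} }."""
    bindings = b"".join(tlv(TAG_SEQUENCE, encode_oid(oid) + encode_value(val))
                        for oid, val in varbinds)
    pdu = (encode_oid(enterprise)
           + tlv(TAG_IPADDRESS, socket.inet_aton(agent_addr))
           + encode_integer(generic)            # 6 = enterpriseSpecific
           + encode_integer(specific)
           + encode_unsigned(TAG_TIMETICKS, uptime_ticks)
           + tlv(TAG_SEQUENCE, bindings))
    return tlv(TAG_SEQUENCE, encode_integer(0) + encode_value(community) + tlv(TAG_TRAP_PDU, pdu))


def send_trap(packet: bytes, manager: str, port: int = 162) -> int:
    """Fire-and-forget UDP send to the manager; returns the byte count sent."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(packet, (manager, port))


if __name__ == "__main__":
    pkt = build_trap_v1("public", "1.3.6.1.4.1.9999", "10.0.0.5", 6, 1, 12345,
                        [("1.3.6.1.4.1.9999.1.0", "disk full")])
    print(pkt.hex())
```

Feed the printed bytes to any packet decoder and you will see the nested SEQUENCE / Trap-PDU structure; `send_trap(pkt, "manager.example")` delivers it to a manager listening on UDP 162. GET, GETNEXT and SET differ only in the PDU tag (0xA0 to 0xA3) and in carrying request-id, error-status and error-index integers ahead of the varbinds, so the same encoders cover them.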


Coming up next time…

Now that we’ve touched on firewalls, I think the next step is to expand into how we can improve our usage of various Internet tools. I’ll cover the Secure Sockets Layer, as well as secure FTP and Telnet servers. Until then, surf safely!