Networking Privacy & Security
Networking Privacy & Security: Intro/Overview
Your topic is not only the most fundamental Internet Privacy and Security topic that we'll cover in this class, but it is also arguably the most technically complex -- at least for non-specialist, non-techie home users of PC's. When we think about computer security, networking security will surely be at the top of our list of considerations, as so many threats to our privacy and security are network-borne. But it is a topic that your audience is likely to find frustrating, confusing, and even intimidating. So we must take care in laying out our advice for these readers, making sure that every bit of advice that we give is something that they can actually use in one way or another.
File & Printer Sharing / NetBIOS
One of the simpler and more important bits of advice we can offer our readers consists of instructions for how to shut off File & Printer Sharing in Windows. This service is one of the more dangerous services in Windows, and it may very well be enabled on your readers' boxes, though more recent versions of Windows turn it off by default. Nevertheless, if your readers do nothing else, they ought to go into the Networking properties configuration box and shut off File & Printer Sharing, and we need to provide instructions for doing so.
Of course, there are legitimate uses and needs for File & Printer Sharing, so we ought to offer advice for setting up shared folders and drives safely should our readers need to do so.
Next, we need to discuss the larger problem of NetBIOS, a transport protocol that can reveal way too much about our computers and our PC configurations over a network. While, again, there are legitimate uses for NetBIOS, most of your readers should have very little need to have this protocol installed and enabled.
While disabling NetBIOS is one of the more important steps that we can take in securing our readers' computers, it can be one of the hairier ones. The most secure way to remove the threat of NetBIOS from a PC is to re-configure our network bindings so that NetBIOS is not bound to TCP/IP or any network adapter that connects to the Internet, and possibly replacing NetBIOS with NetBEUI as a transport. The instructions for performing this rebinding process can get involved, and they will vary across different versions of Windows. I'd suggest that you take a look at Steve Gibson's detailed, highly readable instructions on his Gibson Research Corp. page, ShieldsUp!:
For instructions on performing this process in Windows 2000 and Windows XP, you might also look through the following page on the class web site -- there are several sites with instructions specific to those versions of Windows:
Windows NT/2000/XP Security Info
And don't neglect these pages, which should have links to still other sites with info about NetBIOS as well as File & Printer Sharing:
Networking Security Intro Guides/Overviews
Networking Security Docs & FAQ's
General Networking Security Resources
While the most straightforward way to handle the threat of NetBIOS is to reconfigure networking bindings, we should also touch on two other methods for dealing with NetBIOS:
- renaming files -- renaming certain files in Windows 9x (it doesn't work in Windows Me, Windows NT 4.0, Windows 2000, or Windows XP), effectively ripping NetBIOS right out of the networking mix.
- constructing firewall rules for ports 137-39 -- your group will cover firewalls proper in another section, but it is important to discuss the fact that we can and should construct firewall rules for ports 137-39 (though a simple personal firewall like ZoneAlarm will close these ports off automatically).
You might take a look through the bottom section of this page, which contains several utilities for managing File & Printer Sharing:
Misc. Networking Tools
Finally, don't neglect the usefulness of actually showing your readers just what the threats of File & Printer Sharing and NetBIOS involve. An easy way to do this is to point them to (and show them) an online networking test like GRC's ShieldsUp!...
...though you can find other such online networking tests on this page:
This sub-topic lies at the heart of your group's Networking topic. Almost everything else in your group's topic revolves around this one (with a few exceptions). With so many people acquiring broadband connections (DSL, cable modem, Ethernet), it's important for us to cover personal firewalls responsibly and in some depth. Keep in mind, though, that many of your readers will resist taking this step, as a personal firewall can look to them unnecessarily complex and simply not relevant to their own privacy and security needs. (In fact, many of your readers may be familiar with the term "firewall" from their workplaces and may think that only big businesses would ever need such a thing.) To address such concerns we need to explain such basic issues as:
- what a personal firewall is
- what threats a personal firewall addresses
Of course, you'll also have to address other basic issues like the difference between a hardware firewall (like a NAT router, which we won't cover in any great detail in this report) and a software-based personal firewall (such as the ones we'll recommend in this report).
Once we introduce the concept of personal firewalls, we also ought to set out and define a few basic categories of software-based personal firewalls to help your readers understand the functional differences between them:
- simple, application-based consumer firewalls (e.g., ZoneAlarm, Deerfield, Sygate)
- rules-based firewalls (e.g., Conseal PC Firewall, AtGuard, Tiny Personal Firewall)
- IDS's (BlackICE, Snort)
Still further, you ought to consider setting up some basic criteria for selecting and evaluating personal firewalls. Such categories might consist of:
- inbound & outbound protection?
- granularity of user control of traffic (how much control does user have over traffic vs. how many decisions does firewall make for user)?
- stealth ports straight out-of-the-box (esp. NetBIOS 137-39) or is significant user configuration/tweaking required before ports are stealthed (good place to bring in the ShieldsUp tests)?
- application control for Internet access?
- Ease of Use:
  - helpful/complete/useful logging?
  - helpful/useful/complete alerts (what we talked about last night)?
  - rules-based vs. sliders/stoplights?
  - pre-defined rules or a rules wizard to guide user in setting up rules/policies?
  - main functions easily accessible or buried someplace several layers down in menus?
  - main window full of useful info and hints? (ZoneAlarm, for example, is very good in this respect.)
The above criteria are only suggestions, but they should give you some idea of what's possible. In these first few sections of our discussion of personal firewalls, it is important, though, to bring our readers up to speed on basic terms and concepts so that we can have a useful discussion of specific firewalls, which is what comes next. Everything we lay out to this point should be carefully crafted to be of use when we're discussing specific personal firewalls.
The heart of your write-up of personal firewalls should be a set of reviews of a select group of personal firewalls, preferably at least one from each of the three categories laid out above. In a way, what you'll be offering is a kind of software review of each personal firewall that you choose, but we need offer our readers solid, specific guidance in selecting a personal firewall. We can't write a complete user guide of each firewall -- that's not the point. We do need to offer our readers more than just three paragraphs of useless impressionistic description of these firewalls, though.
To that end you might consider laying out each review as follows:
Lead off each firewall section w/ a general overview that defines the type of firewall it is and points out its most important features and significant shortcomings.
Then give the reader a good sense of what it's like to use the firewall on a day-to-day basis. What kinds of decisions will the user be expected to make? What sorts of issues are typically encountered? How much is the firewall going to be "in your face," pestering you to make decisions?
The key here is explaining the general "philosophy" behind a particular program's usage. For example: the whole point behind Zone Alarm is that it alerts us to applications trying to gain outbound access and makes us decide which to allow/deny, and keeps track of our decisions in the applications list. ZA lets us control inbound access with that slider thingy (sorry, I don't have ZA installed so I'm doing it all from memory) and makes a number of decisions for us based on the slider setting. That's all pretty simple. A rules-based firewall like Tiny Personal Firewall or AtGuard forces the user to make a different set of decisions, and the underlying "philosophy of use" is a bit different.
After explaining the general philosophy of use, we can get into some of the nitty-gritty interface issues and specific features and functionality.
When discussing an IDS like BlackICE Defender (BID), for example, it's important to provide a solid description of the difference between an IDS like BID or
and a straight firewall like AtGuard or ZoneAlarm. The simple contrast that you could work here is hard-and-fast criteria for allowing and blocking traffic on the one hand (what a firewall does via its rules) vs. recognizing and blocking certain types of known networking attacks based on PATTERNS of traffic. The obvious advantage to the latter (recognizing patterns of known attacks) is that BID can give the user a much more descriptive and helpful account of what is actually happening with inbound traffic (though a personal firewall proper has its own advantages over a pure IDS like BID).
When discussing a rules-based firewall like AtGuard or Tiny Personal Firewall it might be helpful to give your readers a very clear sense of what's involved in setting up rules for a firewall like TPF or AtGuard. You might even list and explain the typical types of information that make up a firewall rule:
- policy (allow/deny)
- traffic direction (inbound/outbound)
- local port(s) / remote port(s)
- packet type (TCP, UDP, ICMP, IGMP, et al)
- destination IP (or IP range)
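To make the anatomy of a rule concrete, here is an added example (not code from the original page or from any of the products it names): a minimal first-match packet filter whose rules carry exactly the fields listed above. The LAN range, the rule set and the sample packets are constructed for illustration; the NetBIOS rules show the ports 137-139 case discussed earlier.

```python
"""Added example: a first-match, rules-based packet filter built from the
rule fields listed on the page (policy, direction, ports, packet type,
remote IP range). All addresses and rules below are constructed samples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Rule:
    policy: str                                  # "allow" or "deny"
    direction: str                               # "inbound" or "outbound"
    proto: str                                   # "TCP", "UDP", "ICMP"...; "ANY" matches all
    local_ports: Optional[range] = None          # None = any local port
    remote_ports: Optional[range] = None         # None = any remote port
    remote_net: Optional[ipaddress.IPv4Network] = None  # None = any address

@dataclass
class Packet:
    direction: str
    proto: str
    local_port: int      # 0 for port-less protocols such as ICMP
    remote_port: int
    remote_ip: str       # source for inbound traffic, destination for outbound

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule that is set agrees with the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "ANY" and rule.proto != pkt.proto:
        return False
    if rule.local_ports is not None and pkt.local_port not in rule.local_ports:
        return False
    if rule.remote_ports is not None and pkt.remote_port not in rule.remote_ports:
        return False
    if rule.remote_net is not None and \
            ipaddress.ip_address(pkt.remote_ip) not in rule.remote_net:
        return False
    return True

def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.policy
    return default

# Constructed rule set for a home PC on the LAN 192.168.1.0/24:
# NetBIOS (137-139) is allowed only from the LAN and denied from everywhere
# else; a few well-known outbound services are allowed; everything else is
# dropped by the default policy, which is what gives outbound protection.
LAN = ipaddress.ip_network("192.168.1.0/24")
NETBIOS = range(137, 140)   # 137, 138, 139

RULES = [
    Rule("allow", "inbound", "ANY", local_ports=NETBIOS, remote_net=LAN),
    Rule("deny", "inbound", "ANY", local_ports=NETBIOS),
    Rule("allow", "outbound", "TCP", remote_ports=range(80, 81)),
    Rule("allow", "outbound", "TCP", remote_ports=range(443, 444)),
    Rule("allow", "outbound", "UDP", remote_ports=range(53, 54)),
]

if __name__ == "__main__":
    samples = [
        Packet("inbound", "TCP", 139, 1025, "192.168.1.20"),   # LAN file share
        Packet("inbound", "TCP", 139, 1025, "203.0.113.5"),    # Internet host
        Packet("outbound", "TCP", 1030, 80, "192.0.2.10"),     # web browsing
        Packet("outbound", "TCP", 1031, 25, "192.0.2.10"),     # not in the rules
    ]
    for p in samples:
        print(f"{p.direction:8} {p.proto:4} {p.remote_ip:14} -> {decide(RULES, p)}")
```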
Rules-based firewalls are time-consuming to set up and involve a steep learning curve, but the rewards are significant. Rules-based firewalls have clear strengths over simpler consumer firewalls like ZoneAlarm, but they might confront some of your readers with insurmountable difficulties, so it's important that our readers clearly understand what they could be getting themselves into should they go with a rules-based firewall.
Finally, a nice conclusion where you discuss your own experiences and judgments, make some insightful comparisons with the other firewalls, and then apply the criteria you earlier set up brings the whole discussion to a close.
We can't write a complete user manual for every single firewall we discuss, but we can give our readers a concrete sense of what it might be like to use these firewalls and let them gauge their own level of patience and tolerance for the ease-of-use vs. security tradeoff inherent to each personal firewall themselves.
And while we're discussing everyday use of personal firewalls, we also ought to briefly touch on the kinds of routine traffic that personal firewall users can expect to see. All too often beginning users get an application like ZoneAlarm and then flip the first time ZA reports stopping inbound traffic that, in actuality, is merely routine "background noise" on the Net. A minor port scan that one's personal firewall repels quite handily should not be any great cause for alarm, but many new users will perceive it as an all-out assault on their computers, driving network admins positively batty with a flood of abuse reports. (See THESE links for some harsh criticism of personal firewalls and their users.) We need to explain to our readers what they can expect to find in their logs and how to begin to make sense of that info.
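One way to show readers how to begin making sense of their logs is to group blocked entries by remote host and label each group. The following is an added example, not code from the original page: the log line format and every entry in it are constructed for this illustration (real firewalls each use their own format), and the thresholds are assumptions chosen to separate a stray probe and a NetBIOS name query from a multi-port scan.

```python
"""Added example: a small triage pass over constructed firewall log lines,
grouping blocked inbound entries by remote host so a beginner can tell
routine background noise from something worth a second look."""
import re
from collections import defaultdict

# Constructed log: "<date> <time> <action> <direction> <proto> remote -> local"
SAMPLE_LOG = """\
2002-03-26 21:14:05 BLOCKED inbound UDP 198.51.100.7:137 -> 192.168.1.10:137
2002-03-26 21:14:06 BLOCKED inbound UDP 198.51.100.7:137 -> 192.168.1.10:137
2002-03-26 21:20:11 BLOCKED inbound TCP 203.0.113.5:3321 -> 192.168.1.10:21
2002-03-26 21:20:11 BLOCKED inbound TCP 203.0.113.5:3322 -> 192.168.1.10:23
2002-03-26 21:20:12 BLOCKED inbound TCP 203.0.113.5:3323 -> 192.168.1.10:80
2002-03-26 21:20:12 BLOCKED inbound TCP 203.0.113.5:3324 -> 192.168.1.10:139
2002-03-26 21:20:13 BLOCKED inbound TCP 203.0.113.5:3325 -> 192.168.1.10:1080
2002-03-26 21:31:40 BLOCKED inbound TCP 192.0.2.99:1034 -> 192.168.1.10:5000
2002-03-26 21:32:02 ALLOWED outbound TCP 192.0.2.10:80 -> 192.168.1.10:1030
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<dir>\w+) (?P<proto>\w+) "
    r"(?P<rip>[\d.]+):(?P<rport>\d+) -> (?P<lip>[\d.]+):(?P<lport>\d+)$")

NETBIOS_PORTS = {137, 138, 139}
SCAN_THRESHOLD = 4   # assumed: distinct local ports from one host before we call it a scan

def parse_line(line):
    """Return a dict of fields, or None for a line that does not fit the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["rport"] = int(d["rport"])
    d["lport"] = int(d["lport"])
    return d

def classify(ports):
    """Label one remote host by the set of local ports it touched."""
    if len(ports) >= SCAN_THRESHOLD:
        return "port scan, repelled; worth noting, not an emergency"
    if ports <= NETBIOS_PORTS:
        return "NetBIOS name query; routine background noise"
    if len(ports) == 1:
        return "single blocked connection attempt; routine"
    return "a few blocked connections; keep an eye on it"

def summarize(log_text):
    """Group blocked inbound entries by remote host and attach a verdict."""
    ports_by_host = defaultdict(set)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None or e["action"] != "BLOCKED" or e["dir"] != "inbound":
            continue
        ports_by_host[e["rip"]].add(e["lport"])
        hits[e["rip"]] += 1
    return {ip: {"hits": hits[ip], "ports": sorted(p), "verdict": classify(p)}
            for ip, p in ports_by_host.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(f"{ip:15} {info['hits']:2} hits  ports={info['ports']}  {info['verdict']}")
```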
I've provided very specific and detailed advice about writing up the firewalls section, but you shouldn't feel unduly constrained by this advice. If I've offered such detailed advice, it is only because the topic of personal firewalls is a large one, and it might initially be difficult to decide where to begin, especially with so many personal firewalls out there in the market.
You'll find a lot of information on the Internet about firewalls and IDS's, not all relevant or useful for your discussion of personal firewalls for home users of PC's. You can find many links to firewall and IDS info on these pages:
Networking Security Intro Guides/Overviews
Networking Security Docs & FAQ's
General Networking Security Resources
And for links to personal firewalls that you can download and install, see this page:
And don't neglect this page, which contains many add-ons and other utilities for personal firewalls:
Personal Firewalls -Addons & Utilities
For some interesting networking tests that you can run to test the security of your firewall, see this page:
You might also try out some of the "leak test" applications on this page to judge the effectiveness of a particular firewall's outbound protection:
Misc Addons & Utilities
This sub-topic is fairly circumscribed and specific: we're talking about the threat of "war dialers" that crackers use to identify phone lines with modems connected to them and then hack into those PC's through the modems. Modems can be configured to answer calls, and crackers have figured out ways to exploit PC's with modems that answer calls. There are at least three ways that your readers might be at risk:
- if they have installed and configured a Windows Remote Networking protocol on their computers -- Windows NT 4.0, Windows 2000, and Windows XP come with Remote Networking (Remote Desktop/Access capabilities) by default, though in Windows 98 and Windows Me the user must specifically install that Remote Networking service;
- if they have installed a third-party remote networking program like PC Anywhere;
- if they have installed a fax modem program and configured it to answer calls -- this type of program is much less of a threat, though I have heard that there are exploits for security holes in fax modem programs, some of which will reportedly give you a login prompt using the basic terminal functionality embedded in some fax programs.
If your readers don't need remote networking capabilities or a fax modem answering service, then the obvious suggestion here is to uninstall the Remote Networking service and/or configure the modem to dial out only (not answer calls).
If your readers do need remote networking functionality on their boxes, then they should configure that remote networking service to dial them back at the location they're currently at.
Unfortunately, you'll have to scour the web yourself for info on this small topic. Try doing searches at Google or DogPile on "war dialing" and "war dialers."
Even in a technically advanced topic such as your group is addressing, this particular sub-topic stands out as complex and even abstruse. Nonetheless, some of your readers may be interested in setting up secure, encrypted networking connections, either to connect with other individual users or non-commercial networks on the Net, or to connect with their office networks and work from home. Our goal here is not to give them detailed step-by-step instructions on how to set up and use various secure networking protocols and utilities (VPN's, SSH, SSL tunnels, et al), but rather to give them both an overview of what's available as well as some idea of how to go about investigating this topic further on their own.
The majority of your readers who would be interested in this particular topic will come to it because they need to learn how to connect to an office network at their place of work using VPN technology. They might be able to connect to their offices using the native VPN capabilities of Windows 98, Windows Me, Windows 2000, or Windows XP. Then again, they might need to install a third-party VPN client compatible with the VPN's their offices use. Either way we need to give them a basic introduction to VPN's:
- what they are, how they work, and why they are used
- the basics of setting up Windows as a VPN client
- installing a third-party VPN client
- what information they will need from their office SysAdmins in order to configure Windows as a VPN client or to install a third-party VPN client
No matter what method and means they use to establish a VPN connection with the office, there's simply no way that we can provide them with all the information they would need in order to get the job done. At best, we can introduce them to the basics of VPN technology and point them in the right direction to get the information they do need.
For information on VPN's and IPSec, see this page:
VPN's & IPSec
Be sure to look through the many Microsoft documents about VPN technology built straight into various versions of Windows. You can find links to a few example third-party VPN clients here:
One interesting program with VPN capabilities is Pretty Good Privacy (PGP). While PGP is best known for its email encryption and signing functionality, PGP versions 6.5 and above ship with a component called PGPnet, which allows individual PGP users to set up small VPN's. (The most current version of PGP is 7.11.) There's a wealth of info on PGP out there on the Net, though most of it is not related to PGPnet. What info there is on PGPnet you can find by scouring the links on this page:
PGP (Pretty Good Privacy)
And for links to various versions of PGP available on the Net, check out this page:
PGP Versions, Sources, & Alternatives
Another secure networking option that we need to cover is the Secure Shell, otherwise known simply as SSH. Originally conceived as a replacement for such basic net apps as telnet, rlogin, and ftp, SSH uses strong encryption to establish a secure connection with a server running an ssh daemon. Using SSH, we can even use Port Forwarding to establish a secure tunnel through which we can route other services (such as pop3, smtp, et al). SSH also allows for secure file transfers (sftp). Currently, there are two versions of SSH in use: ssh1 (the original), and ssh2 (a newer, revamped, much more secure implementation).
As with VPN's, we can't provide complete coverage of SSH, but we can give our readers a good, useful overview. By the way, you can use SSH here at the University of Illinois with your CCSO account -- see THIS page for detailed configuration info.
For information on the Secure Shell (SSH), see this page:
SSH (Secure Shell)
And for SSH clients, many of them free, see this page:
The Secure Shell (SSH)
Yet another secure networking technology to which we can introduce our readers is secure tunneling. There are several types of tunneling programs out there (http tunnels, SSL tunnels) that your readers can use for a variety of purposes, either to establish secure private networking connections with other users or networks, or to set up proxies in order to tunnel securely past firewalls and other obstructing barriers on a network.
For links to all kinds of tunnels see this page:
And for information specifically on SSL (used in some tunnels), see this page:
PKI: SSL, S/MIME, Certificates, & Signatures
...though most of the information on that page will pertain to the use of digital certificates in browsers, email clients, and other PKI contexts. You'll find, I think, that the documentation for these tunnels can be a bit dense. The best documentation will come with the individual programs themselves, although the quality can vary from author to author.
Supplementary Net Utilities
In this sub-topic we'll introduce our readers to a variety of basic networking utilities that can be used in conjunction with a firewall. As with so many of our other sub-topics, our aim here is not to provide complete step-by-step instructions for using each and every utility, but rather to give our readers a solid introduction to the most important types of utilities that do exist and explain how they can be used to monitor and control their networking connections.
The net apps that we should cover are:
- basic, standard net utilities (ping, finger, whois, traceroute, DNS lookup, et al)
- net monitors (netstat replacements)
- packet sniffers
- port scanners (local and remote)
You can find links to all of these types of utilities on this page:
General TCP/IP & Networking Intro
I'm covering this topic last here, though in your report it will likely come first. As we've noted several times now, your readers will likely find your group's topic technical, complex, and intimidating. Nonetheless, it's an important topic, given that so many home users are getting permanent, "always on" broadband networking connections. And, unfortunately, the nature of this topic is unavoidably technical. At some point there's simply no way to have a useful discussion about firewalls, File & Printer Sharing, NetBIOS, VPN's, or other networking utilities without introducing your readers to some basic networking terms and concepts. By no means do we need to offer a complete short course on TCP/IP networking, but we need to move our readers beyond their minimal understanding of the network as some sort of "magic box" in which things "just happen."
At the very least your introduction to TCP/IP networking ought to consist of the following:
- introduction to basic concepts
- definition of basic terms
- narrative account of standard networking connections (perhaps a browser connecting to a web site and an email client fetching and sending email)
Our goal is to provide our readers with a more fine-grained sense of what happens when they connect to and use the Internet and what kinds of negotiations and exchanges their standard Internet applications engage in when being used.
After giving our readers an intro to basic TCP/IP terms and concepts, we need to explain basic networking threats...
- DoS attacks, SYN floods, and other attacks
- open ports
- Remote Administration Trojans (RATs)
...and how these threats put their privacy and security at risk. This is crucial, because without a strong sense that their privacy and security is at risk, most of your readers will balk at dealing with the arcane terminology and conceptual framework that you'll be putting in front of them.
I would suggest that you as group approach this particular sub-topic last. As you're researching and writing about your other topics, start compiling a list of terms and concepts that you know you'll need to cover. Remember that we need to keep this list as short as possible; we'll introduce our readers to just enough TCP/IP to get them through our discussions of firewalls, VPN's, and other networking utilities. No more, no less. Everything in the introduction to TCP/IP networking must specifically set up some discussion in one of your main topics later on. There's no point in covering TCP/IP material for which your readers won't see a specific application in their everyday use of the utilities you discuss elsewhere in the report.
For introductory information about TCP/IP and networking issues and threats pertinent to home users of PC's, see these pages:
Networking Security Intro Guides/Overviews
Networking Security Docs & FAQ's
General Networking Security Resources
Windows NT/2000/XP Security Info
And don't overlook the effectiveness of the many online networking threat demonstrations that are available:
Some of those networking test pages are straightforward port scans; others, however, will launch standard networking attacks against you (with your permission) so that you can see just what can happen should someone turn the evil eye on you. Be careful, some of those attacks can crash your system hard.
This Page Last Updated: Mar. 26, 2002
© 2000, 2001, 2002 Eric L. Howes