ESET Press Center
Why Your First Line of Defense From Internet Threats Must be a Good Firewall
Complete Transcript of Interview - Randy Abrams - ESET
on Let’s Talk Computers, Host Alan Ashendorf
April 19th 2008
Alan: Any time you are on the Internet, you really need protection against all kinds of threats and your first line of defenses must be a good firewall. However, all firewalls are not the same. To help us filter out fact from fiction is our guest today - Randy Abrams, Director of Technical Education with ESET. Welcome back to Let’s Talk Computers, Randy.
Randy: Thanks, Alan. It’s great to be here.
Alan: Randy, we’re constantly being told that if we get on the Internet we really need to have anti-virus, anti-threat software and we need to have a good firewall. What exactly is a firewall?
Randy: When your computer is on the Internet, it’s like there’s a whole bunch of doors, we call them “ports” in technical speak. Imagine your house has 2,000 doors and they are all open. There’s no way you can monitor all that; people can come and go as they please. Your computer has all these ports that are all open; they are listening to stuff and people are trying to come in, (break in). Hackers want to come in; malicious software wants to come in.
What a firewall does is it forces most of all the doors to be closed and then it monitors which ones are open. Depending on the firewall, it can even say, “You’ve got to show me your identification, because if you’re not who is on the approved list, you’re not coming in.” And then for a bi-directional firewall, (a two-way firewall), it even monitors what goes back out, too.
Alan: This is a way the computer actually talks to the real world. Each of these ports – some of them are standardized and some of them aren’t. For instance, you have an FTP port and there’s port 21, so anyone who’s using the FTP protocol will go in and out port 21. And then you have other ones like HTTP, which is actually your web browser, which is on port 80. But, how do they actually work in the real world?
Randy: In the real world, what happens is if I don’t want FTP to be able to be used, then I’ll tell the firewall to “Block port 21. Just don’t listen for anything and don’t let anything go out,” assuming I’ve got a two-way firewall. And that breaks FTP, effectively; it makes it so you can’t use FTP. A good firewall will have closed all of the ports except for what you have to use.
Alan: And then you have HTTPS when you’re browsing you see this little lock on your screen down in the corner; that basically means that you have a secure connection to the other site and that’s a port.
Randy: That uses a different port; port 80 is your standard HTTP port. HTTPS uses another port. The important thing about HTTPS is that what it does is encrypt the data between your computer and the computer that your computer is talking to. It’s more for privacy than security. Depending on the data that you’re transmitting, security can be an issue, as well.
Alan: And then if you have any kind of email that you’re pulling, say from the Internet, you’re going to be using what they call, “pop3” or use “port 110,” and that’s a standardized port for email.
Randy: It used to be that this was what was always used. Nowadays, a lot of ISPs, (your service providers) are changing which ports are used because there are a lot of malicious programs that know that that port will be open and will send on that port when using people’s account. So, for example on my Comcast account my pop3 port is now somewhere in the 900’s and my outgoing server for SMTP for sending email is in the 400’s. The ports - there are standard ones, but they can be changed.
Alan: We have port #1-65,535 available ports, but really, the first 1,023 ports are really special. Those are the ones we really have to protect to make sure that hackers don’t get into our system, aren’t they?
Randy: Well, both yes and no; those are some commonly used ports that you definitely want to monitor; you definitely want to lock down if you don’t need to use them. Because you know they’re used for standard things that often times most people never use you can block those. But the higher number ports above 1023, you definitely want those locked, “closed” by default, because malicious software can use those ports to communicate to the Internet, as well.
Alan: If you’re going to be on the Internet, you’re probably going to be using either a cable modem or a DSL modem. Why is it a bad idea to connect your computer directly to either a cable modem or a DSL modem, without a router?
Randy: What a router does is, effectively, adds a firewall. But, it adds what we call, “NAT”, or name address translation, as well. That makes it more difficult for the bad guys to actually find your computer. When your router connects to your service provider, your ISP, your router has an IP address.
The firewall - what that’s going to do is say that the computer doesn’t belong to that IP address, it’s got a different IP address. It makes a much less direct attack vector. It’s a lot harder for malicious software and hackers to actually locate your computer. They can locate your cable modem or your DSL modem; actually locating your computer becomes a lot more difficult.
You’re a lot less subject to things like the Blaster Worm, which although it’s several years old, is still out there. If you go directly onto the Internet, without having name, address translation, NAT or a firewall of some sort, you’re going to be infected before you can patch your computer.
Alan: Every device that we have on our network has an IP address and if you’re using a router, you have a “public address,” which is on the outside part of your router and a “local address,” which is your internal network. That protects you, because as you say, it has got NAT translation between the two.
But just having a hardware firewall really kind of gives you a false sense of security, because your computer can always dial out past it, can’t it?
Randy: A router is designed to let you talk to the Internet. Most of the routers, especially low-end ones, have a very unsophisticated firewall. It’s not really there to add a lot of protection; it just adds the most basic protection, without blocking the fundamental services that anyone might potentially want to use.
It’s a great first step; I would never want to connect through cable modem, without having a router, as well. But, it doesn’t replace another type of firewall – whether it’s a dedicated hardware firewall that is designed to be a “true firewall,” or a software firewall.
Alan: Your operating system, if you have Windows XP or you have the new Windows Vista, has its own built-in firewall. But, why is that really not giving you the protection that you think you should have?
Randy: Microsoft did a really smart thing by adding the Firewall to Vista and to Windows XP, especially in Service Pack 2, where they turned it “on” by default. Before that, it wasn’t even turned on by default. It is a good thing for people to have; however if you want to take your security up to the next level, then you need a more sophisticated firewall.
In XP and I believe Vista, also, there is very, very little out-going filtering – which means if malicious software gets onto your computer, it’s allowed to talk to the outside world and you’re not going to know about it. Because the XP and Vista firewall is designed with novice users in mind, it’s designed to be so simple that it’s not going to ask people any questions at all – it has to assume a lot of programs should be allowed to communicate with your computer. That isn’t always smart.
The ESET Firewall that’s built into ESET Smart Security also has a standard or novice type mode, but in addition to doing what normal firewalls do, we’re monitoring that traffic. There are a couple of kinds of firewalls. One is called, a “Stateful Firewall,” the other one is “Stateless.”
The main difference is a Stateless Firewall, like what Vista and XP have, just blindly accepts or blocks traffic. A Stateful Firewall looks at what the traffic is in addition to what port it’s using. So, with the ESET Smart Security Firewall, we’re able to determine what types of data are trying to be communicated through the Internet and also scan that data with our advanced heuristics.
Alan: One of the tricks that Internet threat writers use is they will have a virus masquerade as a common program. For instance, it will say Internet Explorer, but it’s not really Internet Explorer; but if your firewall is not sophisticated it says, “Oh, Internet Explorer, okay – I can pass it, it’s a good program.”
Randy: Right, it’s the difference between asking someone what their name is and asking for their identification.
Alan: And you have to be very careful, because once a program gets installed on your computer that allows Internet traffic to either come into your system or go out of your system, you could be opening the doors for all kinds of hacks, can’t you?
Randy: Absolutely. And that’s one of the things that I try to teach people is that – although it’s very, very important to have a firewall, especially if you have a software-based firewall; don’t give yourself a false sense of security. That doesn’t mean that now you’re safe and you don’t have to pay any attention - because with software, anything that you can do with software, you can undo with software. Malicious software is going to try to disable your firewalls. So, you still want to be careful about the programs that you run.
Alan: You’ve added a firewall to your award-winning Anti-threat Software, but you added it in such a way that it is integrated with your Anti-virus Engine instead of being an add-on piece of software, like most companies do. Why?
Randy: The reason is because we’re able to provide much better protection. With your standard security set-up, you’ve got your anti-virus doing its thing; you’ve got your firewall doing its thing; you’ve got your anti-spam doing its thing. These programs, even though the goal is to secure your computer, the programs don’t talk to each other. The programs actually are gathering a lot of data that could be useful to the various applications.
With ESET Smart Security, the way that the Product is integrated, the Firewall shares data with the scanning Engine. That allows us to make better decisions because we now know not only what this data is, but also how it’s trying to get into the system. The more information you have, the better a decision you can make about whether something that you have never seen before is potentially harmful.
Alan: Nowadays, we have so many programs on our computer that can and do access the Internet. They go out to the Internet to see if there are any updates for this program. They go out to the Internet just to kind of handshake and say, “I’m running your program.” There are so many different programs that we have to watch for; it’s not just Internet Explorer, anymore, is it?
Randy: Not by a long shot; when you install QuickTime or iTunes on your computer it’s constantly checking to see if there are updates and who knows what else it keeps trying to access the Internet. A variety of software uses Macromedia and they have a software manager that is constantly trying to connect to the Internet; because I watch this stuff – I have my Firewall set up to be interactive, so it tells me about everything.
Microsoft is constantly checking for all kinds of things. Every time you launch Windows Media Player or Apple iTunes the program is going to try to contact “The Mothership.”
Alan: On your ESET Smart Security, you have two modes; you have the Automatic mode and you have the Interactive mode. The Automatic mode basically says, “I’m going to watch for most of the threats out there.” But, the Interactive mode is very detailed and watches every time that something either goes out to the Internet or comes in from the Internet and it gives you a choice on whether you want to allow it permanently by making a rule for it or allow it temporarily for just this one session or to deny it completely.
Randy: And for power users that’s awesome! It’s a lot of fun, actually. It’s pretty interesting. But, most users don’t want to be bothered with that stuff. And so in the Automatic mode, ESET has already made the decisions about what’s going to protect you without causing you to have to answer all kinds of questions, which most people don’t actually understand the answer to.
In the Interactive mode, then the power users get the kind of control over their systems that they like.
Alan: Well, one of the benefits of having an integrated firewall is that it makes it a very tight and very small footprint and it makes performance a lot faster, too, doesn’t it?
Randy: It really does. Having the integration of the firewall, the anti-Spam and the anti-virus virtually imperceptible, the difference in performance between just having ESET NOD32 Anti-virus, which already is a very, very quick, lightweight program that most people don’t notice is even running on their computer. That tight integration means that you get a lot better performance out of your computer, while maintaining the highest levels of security.
Alan: If you don’t think you need a firewall, don’t kid yourself. By the time that you hook your computer up to the Internet, turn it on and you’ll start seeing what they call “Scanning Attacks,” to your different ports, just right off the bat. And when they do find a site that is open then they initialize an attack on it, don’t they?
Randy: They do. What happens often times is people will rebuild their computer and they might install Windows XP, the first version or even Service Pack 1. There are a lot of vulnerabilities and before you can even download the Service Pack 2 or patch the vulnerabilities, these port-scanning attacks are going to find your computer and infect it and you’ll have to rebuild it again, all over.
Alan: With ESET Smart Security, I can set up a rule that will protect me for in-coming or out-going and it will attach that particular port to a program that says, “X-Y-Z program only has permission to go out this port and if anything else tries to go out this port block it or log it so we can see exactly what’s going on.”
Randy: A very, very useful tool for an advanced user to be able to secure their computer and know what’s happening. You can also set up ports where you are alerted if something tries to go out on that port and you might very well know that nothing should be trying to go out. That could be an indication that there’s something that shouldn’t be there, too.
Alan: You have ESET Smart Security as a Trial Software Version, where we can actually download it and put on our computer and it’s not stripped down in any way, whatsoever, is it?
Randy: It’s not at all disabled. Everything on the 30-day Free Trial Version works just like the purchased Product does, so you can give it a test drive for 30 days and see how the updates work; you’ll see how the Firewall works and how everything works. If you encounter malicious software, we don’t say, “Oh, you have to buy it to clean it,” because this disinfection is fully functional in the Trial Version, as well.
Alan: Where can we go to get the Trialware Version and to find out more about all the threats that are out there on the Internet?
Randy: Go to http://www.eset.com and if you take a look there’s a link to the Threat Center on ESET.com and you can get a whole bunch more information about what’s out there.
Alan: Randy, as always, it’s been a pleasure to have you here as our guest on Let’s Talk Computers, talking about what a firewall is and why we absolutely must have one on our computer system to keep us safe. We look forward to talking to you, next time.
Randy: I’ll look forward to coming back again, Alan. Thanks so much.

