Personal Firewall Information
Purpose
This document is intended as a guide for University of Florida students and faculty to help them understand some of the issues associated with running a personal firewall or network defense program, as well as how to report incidents based on the information such a firewall provides. Others are welcome to use this document as a reference, but some comments may be specific to the University of Florida.
Contents
- General Firewall Links
- What are some personal firewalls and how do they work?
- What abuse do I report?
- How do I report abuse?
General Firewall Links
- Firewallguide.com's review of different personal firewalls
What are some personal firewalls and how do they work?
A firewall is a program that sits between your computer and your internet connection. It watches the traffic that goes back and forth and usually blocks traffic that you don't want reaching you. For example, many hackers will scan computers to see what those computers are running before they attack. On the other hand, personal firewalls are often overly sensitive. Sometimes even visiting certain web pages can make the firewall think your computer is scanning someone. One of the main points of this document is to help the average user tell the difference.
First off, you'll need a firewall. If you already have a firewall, obviously you can skip this section. If not, check out some of the information below, as well as the reviews under the links section of this document.
List of common personal firewalls:
Free:
- Sunbelt Kerio Personal Firewall - Recommended, free for personal use.
- Zone Alarm - free for personal and non-profit use
- Tiny Firewall - Free for personal use
- Core Force - Highly recommended; network and application firewall
Fee:
- Norton Personal Firewall
- BlackIce Defender from NetworkICE
- Mcafee Personal Firewall
What abuse do I report?
Every personal firewall will have different levels of severity and different ways of indicating them to you. Some, however, can be overly zealous in their estimation of damage and/or weak in their explanation, so the average user could believe the worst when in fact nothing malicious has occurred.
What you decide to report on is ultimately up to you, but here is a summary and analysis of a few different categories of 'attack':
- Exceptions
- First, keep in mind that, when on campus, your connection is automatically scanned by UF security computers. If you are on campus, you may view the ongoing scans at http://infosec.ufl.edu/admins/scans.shtml and make exceptions accordingly in your firewall.
- Sweeps
- Also known as port probing and port scanning, these types of events have two different forms. In the first, a large group of computers on the internet are all swept for a particular port that would indicate a certain type of program running (like a web server). The second targets just one machine, and will usually sweep up and down all the ports on that machine to try to identify every service it runs. There are also combinations of these two that sweep more than one port on more than one computer.
One of the major disadvantages of a personal firewall, as opposed to a corporate or large-scale network firewall, is that it cannot distinguish between these two forms, because it only sees the traffic that reaches your own machine. Because of this, a program may report an attack that turns out to be merely a small part of a large subnet sweep conducted by a hacker, or possibly even by a benign service.
In general, these are very low severity events.
- Service level Probing
- Service level probes are probes specifically aimed at a program, to try to learn more about that program. There are many different forms of these events, which can be as simple and innocuous as a web page request or as dangerous as a BIND inverse query attempt.
These events represent no direct threat in and of themselves, but they are often direct precursors to an attack, especially when the version query relates to a service that has had a relatively recent remote exploit, such as BIND or SSH.
Service probes often warrant reporting for critical services and machines.
- Web Exploit
- Web exploits are attempts to abuse web servers through HTTP requests. These events will only occur if you are running a web server, and a personal machine should theoretically only be running a web server if you yourself have installed one. If you have done so, please seek advice from your local network administrator on securing it.
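The two sweep forms under "Sweeps" above, and the vantage-point problem they cause for a personal firewall, as an added example (not code from the original page or from any firewall product named here): it labels constructed, generic blocked-packet lines by how many hosts and ports one source touched, and shows that the same activity filtered to a single host's view collapses to an indistinguishable single probe. The log format, the thresholds and the scanner allowlist address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic "src:port -> dst:port" shape; they are
# not output from any firewall product named above.
SAMPLE_LOG = """\
10:00:01 BLOCK TCP 203.0.113.7:41234 -> 192.0.2.10:80
10:00:01 BLOCK TCP 203.0.113.7:41235 -> 192.0.2.11:80
10:00:02 BLOCK TCP 203.0.113.7:41236 -> 192.0.2.12:80
10:01:10 BLOCK TCP 198.51.100.9:5100 -> 192.0.2.10:21
10:01:10 BLOCK TCP 198.51.100.9:5101 -> 192.0.2.10:22
10:01:11 BLOCK TCP 198.51.100.9:5102 -> 192.0.2.10:25
10:05:00 BLOCK TCP 192.0.2.250:3000 -> 192.0.2.10:22
"""
LINE_RE = re.compile(r"\S+ BLOCK \w+ (\S+):\d+ -> (\S+):(\d+)")

# Placeholder allowlist for the campus scanners under "Exceptions" (made-up address).
KNOWN_SCANNERS = {"192.0.2.250"}


def parse(log):
    """Map each source address to the set of (dst_host, dst_port) it hit."""
    seen = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group(1)].add((m.group(2), int(m.group(3))))
    return seen


def classify(src, targets, min_hosts=3, min_ports=3):
    """Label one source using the two sweep forms described above."""
    if src in KNOWN_SCANNERS:
        return "exception (authorized scanner)"
    hosts = {h for h, _ in targets}
    ports = {p for _, p in targets}
    if len(hosts) >= min_hosts and len(ports) >= min_ports:
        return "combined sweep"
    if len(hosts) >= min_hosts:
        return "horizontal sweep (low severity)"
    if len(ports) >= min_ports:
        return "vertical scan of one host"
    return "single probe (not enough data to tell)"


def summarize(log, my_host=None):
    """Classify every source; my_host limits the data to one host's own view."""
    seen = parse(log)
    if my_host is not None:
        seen = {s: {t for t in ts if t[0] == my_host} for s, ts in seen.items()}
    return {s: classify(s, ts) for s, ts in seen.items() if ts}
```

Run `summarize(SAMPLE_LOG)` for the network-wide view and `summarize(SAMPLE_LOG, my_host="192.0.2.10")` for what a personal firewall on that one host would conclude.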
How do I report abuse?
Information about reporting network abuse is available at the "Report an Incident" page.
