Understanding Port Scans

Generally speaking, few people on the Internet are out to get you specifically. In truth, they’re out to get anyone whose systems they can possibly gain access to. Obviously the Internet is a huge, immense place, so how do they find people? Well, the most basic tool employed by automated bots and those out to hack user systems is known as a port scanner. This software allows a hacker to input a range of IP addresses (typically those on high-speed networks like DSL), and then scan for a particular open port, or all open ports. In most cases, a hacker will scan for a single port associated with a known exploit, such as a virus or Trojan horse program that allows them to gain access to your PC. Using a port scanner allows them to look for that open port on thousands of systems in very little time. In fact, they can set up the scan, head to bed, and then be presented with a very comprehensive list of “attackable” systems in the morning.

In case you’re curious, this is one of the ways that providers also check to see whether you have servers on your home network, which is often not allowed under their terms of service.
One of the best ways for you to defend yourself is to scan your own public IP address looking for open ports. One easy (and free) piece of software to accomplish this is SuperScan, shown above. It can be downloaded from http://www.foundstone.com/resources/scanning.htm. Additionally, a number of web-based port scanners are available online, often referred to as firewall testing tools.

Traffic Filtering Basics

Earlier in this article we mentioned that a firewall could also be used to control the services that internal hosts can access on the Internet. While most hardware routers are initially configured to allow all hosts access to any Internet services by default, you can also control who can access the Internet, or certain services, using filtering features.

On a hardware router like the Linksys model we used for this article, both IP address and port filtering can be accomplished via the Filtering tab in the router configuration program. This tab allows you to configure both IP addresses that cannot access the Internet, along with ports that cannot be connected to. For example, if you were to filter the IP address 192.168.1.50, the client system with that address would not be able to access the Internet at all. This can be useful in situations where you need to control children accessing the Internet, for example.

Similarly, you can also block internal users from accessing certain ranges of ports. For example, blocking port 80 would stop internal users from accessing external websites, while blocking all ports except for port 80 would stop users from accessing anything except Web sites. Ultimately, the ability to control Internet access by IP address and port numbers gives you a higher degree of control over how people use your Internet connection, and most importantly, your bandwidth.
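The two filters described above behave like an ordered rule list evaluated per outbound request. The following is an added example (not code from the article or from any router vendor) that models that evaluation in Python: an IP filter that denies one internal host all Internet access, and a port filter that blocks everything except Web traffic. The addresses and ports are the ones used in the text; the first-match semantics and the "allow by default" fallback are assumptions that mirror the out-of-box behaviour the text describes.

```python
# Added example (not from the article or any router vendor): a first-match
# rule evaluator modelling the Filtering tab's two lists: an IP filter
# (internal hosts denied any Internet access) and a port filter (destination
# ports internal hosts may not connect to). Addresses and ports are from the text.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                               # "allow" or "deny"
    src: Optional[str] = None                 # source host or network, e.g. "192.168.1.50"
    dports: Optional[Tuple[int, int]] = None  # inclusive destination-port range

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dports is not None and not (self.dports[0] <= dport <= self.dports[1]):
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, dport: int, default: str = "allow") -> str:
    """Return the action of the first rule matching an outbound request.

    The "allow" default mirrors the router's out-of-box behaviour: every
    internal host may reach every Internet service until a filter says otherwise.
    """
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action
    return default


# Filter 1 from the text: 192.168.1.50 may not reach the Internet at all.
IP_FILTER = [Rule("deny", src="192.168.1.50")]

# Filter 2 from the text: block everything except Web traffic. The allow rule
# must come first; reversed, the deny-all rule would swallow port 80 as well.
WEB_ONLY = [Rule("allow", dports=(80, 80)), Rule("deny", dports=(1, 65535))]


if __name__ == "__main__":
    for rules, name in ((IP_FILTER, "ip filter"), (WEB_ONLY, "web only")):
        for src, port in (("192.168.1.50", 80), ("192.168.1.51", 80), ("192.168.1.51", 21)):
            print(f"{name:10} {src}:{port:<5} -> {evaluate(rules, src, port)}")
```

The point worth taking from the `WEB_ONLY` list is ordering: a router that evaluates filters top-down needs the narrow allow before the broad deny, otherwise the "except port 80" part of the policy silently disappears.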

Getting Familiar with TCP/IP Port Numbers

Certainly you don’t need to know anything about port numbers if you never plan to allow external users to access your network, or if you don’t plan to control the types of Internet services that your internal users can use. However, if you do plan to make use of either feature, you’ll need to know something about port numbers.

Different types of applications use different port numbers to communicate. Port numbers come in two flavors, namely TCP and UDP. Transmission Control Protocol (TCP) is a reliable protocol used by some applications (such as Web, FTP, and Email servers), while User Datagram Protocol (UDP) is a faster (but unreliable) protocol used by services like DNS. You don’t get to choose which is used – the specification for each service defines which protocol its applications use.

A total of 65536 port numbers (0 through 65535) exist for each of TCP and UDP. Certainly no one could remember all of them, but some of them are much more common than others. For example, the list below outlines some of the port numbers used by common services:

HTTP (Web servers) – TCP 80
FTP (FTP servers) – TCP 21
SMTP (Email servers) – TCP 25
POP3 (Email servers) – TCP 110
DNS (Name resolution) – UDP 53

This is far from a comprehensive list, but gives you the idea. So, if you plan on having your own internal FTP server that should be accessible from the Internet, port forwarding would need to be enabled on your router for TCP ports 20 and 21. If you’re using ICF, a definition for FTP already exists which you can simply check off to accomplish the same task. For a complete and very comprehensive list of port numbers, see http://www.iana.org/assignments/port-numbers.

Port Forwarding Basics

Although a firewall will block all requests from the outside world by default, there may be times when you actually want to allow external users into your network. For example, maybe you’re running an FTP server internally that you want to gain access to while on the road, or maybe you have a Web server configured that you want to allow Internet users to access. Because the default configuration of most firewalls blocks all external requests, you’ll need to open things up using a feature known as port forwarding.
Remember that in almost all cases, your internal network will be configured to use private IP addresses. Because of this, you’ll need to configure your firewall to take requests destined for your public or “real” IP address and forward them to the appropriate internal server. For example, let’s say that you have a Web server configured on a system with the IP address 192.168.1.50, a private address. In order to allow external users to access this server, you’ll need to configure your firewall to “listen” for Web server requests on the external IP address, and then forward them to the internal server at 192.168.1.50. Unfortunately, to make all this work, you need to know one additional piece of information – namely the port to which Web requests are made.
When a user on the Internet needs to contact a Web server, the request is forwarded to the IP address of the server, and the port on which the Web server service is running. By default, all Web server software (such as IIS or Apache) listens for requests on TCP port 80. So, what you would need to do in this case is tell the firewall that every time your public IP address receives a request destined for TCP port 80, it should forward the request to TCP port 80 on the Web server running on 192.168.1.50. The manner in which this is configured depends upon the firewall you are using. The stepped instructions below provide details for configuring port forwarding on a hardware device, in this case a Linksys router – note that the exact steps will probably be different based on your hardware.

If you don’t see the service that you want to configure on the list, you can define your own forwarding rules by clicking the Add button and specifying a name for the service, as well as an IP address and port number(s).

Example: Allow access to your internal FTP server from the Internet using your Linksys router.

Step 1: Open a web browser and access address http://192.168.1.1. This is the default address to access the router configuration. Enter your password (check your documentation) and press Enter.

Step 2: Click on the Advanced tab at the top of the screen. This will bring you into advanced configuration options for the router, such as port forwarding and filtering. Click the forwarding tab.

Step 3: In the first line of Service Port Range numbers, enter 21 in both boxes, and then the IP address of your internal FTP server in the IP Address box. In this case, an FTP server is located at 192.168.1.150. Click Apply. Test everything by attempting to connect to your external IP with an FTP client program and see if you reach your internal server.

Network Address Translation (NAT) Basics

If you’re planning to connect your network to the Internet, chances are good that your ISP will provide you with only a single “real” IP address. The good news is that’s all you’ll need for multiple internal PCs to connect to the Internet. Network Address Translation (NAT) is a feature that allows systems on an internal network to use private IP addresses (such as those in the 192.168.0.0 range) to connect to the Internet using only one “real” IP address. When an internal system needs to access an Internet resource such as a Web server, the request is sent to the default gateway, which would be running NAT. The NAT server would take that request, translate the “source” IP address in the request to be the “real” IP address assigned by your ISP, and then forward the request along to the site you are trying to connect to. The reply will be sent back to this “real” address as well, where the NAT server will change the destination address to be that of the internal client that originally made the request. To keep everything organized, the NAT system maintains a table that maps internal requests to external requests, allowing multiple internal systems to share a single “real” IP address.
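The NAT table described above and the port-forwarding rules from the previous section are two lookups in the same device, so the following is an added example (not the article's or any vendor's code) that models both in one toy router: outbound requests get the public address and a fresh public port, replies are matched against the table (and only from the remote endpoint the internal host actually contacted), published servers are reached through explicit forwarding rules, and anything else is dropped. The Web server at 192.168.1.50 on port 80 comes from the text; the public address 203.0.113.10, the internal client 192.168.1.60 and the remote hosts are constructed placeholders.

```python
# Added example (not from the article or any router vendor): a toy model of a
# home router's NAT table plus port forwarding and default-deny for
# unsolicited inbound traffic. 192.168.1.50:80 is the article's Web server;
# 203.0.113.10 and the remote hosts are constructed placeholder addresses.
from dataclasses import dataclass, replace
from itertools import count
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]          # (ip, port)
FlowKey = Tuple[str, str, int, str, int]   # (proto, src ip, src port, dst ip, dst port)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class HomeRouter:
    def __init__(self, public_ip: str,
                 forwards: Optional[Dict[Tuple[str, int], Endpoint]] = None):
        self.public_ip = public_ip
        self.forwards = dict(forwards or {})   # (proto, public port) -> internal endpoint
        # (proto, public port) -> (internal endpoint, remote endpoint)
        self.nat_table: Dict[Tuple[str, int], Tuple[Endpoint, Endpoint]] = {}
        self._by_flow: Dict[FlowKey, int] = {}
        self._ports = count(49152)             # public ports handed out for NAT

    def outbound(self, pkt: Packet) -> Packet:
        """Internal -> Internet: rewrite the source to the public address and
        record who asked, so the reply can be delivered to the right client."""
        flow: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        pub_port = self._by_flow.get(flow)
        if pub_port is None:                   # first packet of this flow
            pub_port = next(self._ports)
            self._by_flow[flow] = pub_port
            self.nat_table[(pkt.proto, pub_port)] = (
                (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port))
        return replace(pkt, src_ip=self.public_ip, src_port=pub_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> public address. Returns the packet as delivered to the
        LAN, or None when the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        entry = self.nat_table.get(key)
        # Reply to a flow an internal host started. Only the remote endpoint
        # that host talked to may use the mapping, so a stranger cannot ride
        # an existing NAT entry into the network.
        if entry is not None and entry[1] == (pkt.src_ip, pkt.src_port):
            internal = entry[0]
            return replace(pkt, dst_ip=internal[0], dst_port=internal[1])
        if key in self.forwards:               # an explicit port-forwarding rule
            internal = self.forwards[key]
            return replace(pkt, dst_ip=internal[0], dst_port=internal[1])
        return None                            # unsolicited: the default deny


if __name__ == "__main__":
    router = HomeRouter("203.0.113.10", {("TCP", 80): ("192.168.1.50", 80)})
    out = router.outbound(Packet("TCP", "192.168.1.60", 3000, "198.51.100.7", 80))
    print("translated request:", out)
    print("reply delivered to:", router.inbound(Packet("TCP", "198.51.100.7", 80, "203.0.113.10", out.src_port)))
    print("forwarded web hit: ", router.inbound(Packet("TCP", "198.51.100.9", 5555, "203.0.113.10", 80)))
    print("unsolicited probe: ", router.inbound(Packet("TCP", "198.51.100.9", 5555, "203.0.113.10", 22)))
```

Two design choices are worth noting. The table key includes the remote endpoint, which is what stops an outside host from reaching an internal client simply by guessing a public port that happens to be in use; and a port-forwarding rule is exactly a permanent table entry that accepts any remote endpoint, which is why publishing a server is a deliberate opening in the default-deny posture.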

Thankfully, configuring NAT does not take a degree in rocket science. All home routers are configured as NAT servers by default – all you need to do is connect everything correctly, configure clients to obtain their IP addresses automatically (via DHCP), and the rest is history – NAT is up and running, and there’s nothing left for you to do. Same goes if you’re sharing an Internet connection using the ICS feature in Windows 98/ME/XP – ICS effectively is a type of NAT implementation, although Microsoft has given it a catchier name. Again, as long as ICS is enabled and clients are configured to obtain their IP addresses automatically, you’re good to go. Both ICS and almost all hardware routers include integrated DHCP server functionality to allocate IP addresses to clients on your internal network.

Although the basic DHCP server functionality included with most NAT devices and software (like ICS) makes it easier for users to configure their home network, there may be times when you want to allocate dedicated static IP addresses to internal clients. For example, you might be running an internal Web server, and not want its IP address to change, which may occur with DHCP. Although Microsoft explicitly states that clients must be using DHCP in order to function on an ICS network, this technically isn’t true. You can definitely assign static IP addresses to clients, but you’ll have to be careful about the addresses you use.

For example, when ICS is configured, the internal interface of the ICS system will be configured with an IP address of 192.168.1.1 – this cannot be changed, as other clients will use it as their default gateway. Then ICS will hand out addresses using DHCP starting with 192.168.1.2, moving upwards to 192.168.1.3, and so forth. You cannot configure the addresses that will be allocated with ICS, but you can give a client a sufficiently “high” address that ICS will likely never reach. In this example, you might give a client the static address 192.168.1.100 – an address that ICS is unlikely to hand out unless you have almost 100 computers on your network.

Choosing a high number allows you to avoid potential conflicts, which is the main reason for Microsoft’s “warning”. Besides specifying a “higher” IP address, be sure to use the correct subnet mask (255.255.255.0), as well as the correct default gateway (192.168.1.1) used by ICS, and everything will work fine. One other note – when your network is using ICS, you should not configure clients with the address of a DNS server, since the ICS system will handle DNS requests on behalf of clients.

If you’re using a hardware router that includes DHCP functionality, you can usually control the IP addresses that are handed out by the router. To avoid conflicts, assign static addresses that are outside of the configured DHCP pool.
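A static address goes wrong in exactly the ways the last few paragraphs list: it is on the wrong subnet for the gateway, it collides with the gateway itself, or it sits inside the range DHCP hands out. The following is an added example (not from the article) that checks a proposed static assignment for those conditions. The gateway 192.168.1.1 and mask 255.255.255.0 are the ICS values from the text; the DHCP pool bounds are an assumption modelling "ICS starts at .2 and counts upward" as the range .2 to .99, and should be replaced with whatever pool your router is configured to use.

```python
# Added example (not from the article): sanity-check a static address before
# giving it to a client on an ICS or router-based network. Gateway and mask
# are the ICS values from the text; the DHCP pool bounds are an assumption
# (ICS starts at .2 and counts upward, so the pool is modelled as .2-.99).
from ipaddress import ip_address, ip_interface
from typing import List, Tuple


def check_static_assignment(static_ip: str,
                            gateway: str = "192.168.1.1",
                            mask: str = "255.255.255.0",
                            pool: Tuple[str, str] = ("192.168.1.2", "192.168.1.99")) -> List[str]:
    """Return a list of problems with the proposed assignment (empty means OK)."""
    problems = []
    network = ip_interface(f"{gateway}/{mask}").network
    ip = ip_address(static_ip)
    gw = ip_address(gateway)

    if ip not in network:
        problems.append(f"{ip} is not on {network}, so it cannot use {gw} as its gateway")
    elif ip in (network.network_address, network.broadcast_address):
        problems.append(f"{ip} is the network or broadcast address of {network}")

    if ip == gw:
        problems.append(f"{ip} collides with the ICS/router internal address")

    lo, hi = (ip_address(p) for p in pool)
    if lo <= ip <= hi:
        problems.append(f"{ip} lies inside the DHCP pool {lo}-{hi}; DHCP may hand it out again")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.1.100", "192.168.1.5", "192.168.1.1", "192.168.0.100"):
        print(candidate, "->", check_static_assignment(candidate) or "OK")
```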

Firewall Basics

While once strictly the domain of UNIX geeks and enterprise network administrators, almost all PC users today have at least heard of a firewall. At the most basic level, a firewall is a hardware device or software application that allows you to control the types of network traffic that travel into and out of a network. For example, a company might configure their firewall to allow internal users to connect to Web and FTP servers on the Internet, but block them from connecting to other services like MSN or Yahoo Messenger. In large companies, a firewall is typically a dedicated hardware device capable of handling anywhere from hundreds to thousands of simultaneous connections. For home users, firewall-type functionality is typically built into home Internet-sharing routers, or implemented using software such as ZoneAlarm. Windows XP also includes a dedicated software firewall in the form of its Windows Firewall feature.

The most common reason for implementing a firewall is to block external users from accessing systems on your internal network. The default configuration of most home firewall hardware and software allows all traffic that originates internally to access the Internet, but blocks all requests from external users by default. This is simply the most logical default configuration, especially for new users – it keeps the bad guys out, while allowing internal users to access Internet resources without issue. In some cases you may want to allow Internet users to connect to an internal system, such as an FTP or game server – we’ll explore how to address that need in a future article.

When implementing a home network that has any Internet connection (such as DSL, or even dial-up), a firewall should be considered mandatory, not optional. All internal network systems should be located “behind” the firewall. If you share an Internet connection through a device like a Linksys router, the router would act as your firewall. If you’re sharing an Internet connection with a Windows feature like Internet Connection Sharing (ICS), then the system running ICS should be configured with firewall software.

It’s one thing to have a firewall, and quite another to ensure it is functioning correctly. Almost all hardware and software firewalls (including ICF) support a “logging” function. This is usually disabled by default, but enabling it is a good idea – it will provide you with information about all external users who have attempted to connect to your network in a file called C:\Windows\pfirewall.log by default. Programs like ZoneAlarm can also be configured to display an on-screen message any time an external user attempts to connect to the firewall system.
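A firewall log is only useful if you read it, and the pattern worth reading for is the one described at the start of this page: one source address probing several ports in quick succession. The following is an added example (not from the article or from Microsoft) that parses a small log and summarises dropped inbound events. The sample entries are constructed; their layout follows the W3C-style format that pfirewall.log uses, where a `#Fields:` header line names the columns, and the parser takes its column names from that header rather than assuming a fixed order.

```python
# Added example (not from the article): summarise inbound connection attempts
# that a Windows Firewall / ICF log recorded as dropped, and flag sources that
# probed several ports. The log entries below are constructed; the layout
# follows pfirewall.log's W3C-style format, whose "#Fields:" line names the columns.
from collections import Counter
from typing import Dict, Iterator, Set, Tuple

SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-04-01 22:15:01 DROP TCP 198.51.100.7 192.168.1.50 4421 135 48 S 1234567 0 16384 - - - RECEIVE
2005-04-01 22:15:02 DROP TCP 198.51.100.7 192.168.1.50 4422 139 48 S 1234568 0 16384 - - - RECEIVE
2005-04-01 22:15:02 DROP TCP 198.51.100.7 192.168.1.50 4423 445 48 S 1234569 0 16384 - - - RECEIVE
2005-04-01 22:16:40 DROP UDP 203.0.113.9 192.168.1.50 1026 1026 404 - - - - - - - RECEIVE
2005-04-01 22:17:05 OPEN TCP 192.168.1.50 198.51.100.20 3311 80 - - - - - - - - -
2005-04-01 22:18:11 DROP ICMP 203.0.113.9 192.168.1.50 - - 60 - - - - 8 0 - RECEIVE
"""


def parse_firewall_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per event, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue            # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def summarize_inbound_drops(text: str) -> Tuple[Counter, Counter]:
    """Count dropped inbound events per source address and per (protocol, port)."""
    by_source: Counter = Counter()
    by_port: Counter = Counter()
    for ev in parse_firewall_log(text):
        if ev["action"] != "DROP" or ev["path"] != "RECEIVE":
            continue            # ignore outbound OPEN/CLOSE bookkeeping
        by_source[ev["src-ip"]] += 1
        by_port[(ev["protocol"], ev["dst-port"])] += 1
    return by_source, by_port


def likely_scanners(text: str, min_ports: int = 3) -> Set[str]:
    """Sources whose dropped inbound probes touched at least `min_ports`
    distinct destination ports: the footprint of the port scans described earlier."""
    ports_by_source: Dict[str, Set[Tuple[str, str]]] = {}
    for ev in parse_firewall_log(text):
        if ev["action"] == "DROP" and ev["path"] == "RECEIVE":
            ports_by_source.setdefault(ev["src-ip"], set()).add((ev["protocol"], ev["dst-port"]))
    return {src for src, ports in ports_by_source.items() if len(ports) >= min_ports}


if __name__ == "__main__":
    sources, ports = summarize_inbound_drops(SAMPLE_LOG)
    print("drops per source:", dict(sources))
    print("drops per port:  ", dict(ports))
    print("likely scanners: ", likely_scanners(SAMPLE_LOG))
```

To run it against a real log, replace `SAMPLE_LOG` with the contents of the file the text names (`C:\Windows\pfirewall.log`); because the parser reads the `#Fields:` header, it tolerates a different column order as long as the header is present.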

Computer Forensics Incident First Response: First, Do No Harm

Forensics is becoming a popular following, thanks to the multitude of TV shows that show crime scene technicians collecting evidence, spending a few minutes in the lab determining the guilt of the culprit, and wrapping up the case at the end of the show. But in real life, forensics, like other complex issues distilled on TV, is much more time-consuming, process intensive, and sometimes inconclusive. The art and science of computer forensics is no different. Digital forensics is gaining in popularity as the next must-have skill set in the IT job market arsenal. However, computer forensics technicians and analysts require some intensive and usually expensive training.

Since computer-related incidents are sometimes few and far between (the ones that are discovered, anyway), most companies don’t see an immediate return on investment by hiring someone exclusively devoted to that task. Only a few more see some value in expensive training for the support technicians and system administrators that are already working for them, since they may never have a need for these skills. As a result, when incidents do happen and are actually discovered, the company may find itself in a situation where the “server guy” or other support technician may be called upon to do the initial response to the incident. Even if you lack training or experience, this article offers a few critical points that can make or break your investigation and ensure that key evidence is not contaminated or rendered unusable in administrative or legal actions. We’re not going to make you a forensics expert, but you will at least be able to handle the critical first response tasks.

Test Your Firewall’s Inbound Security

In this tutorial you’ll learn more about how easy it is to test your firewall’s incoming security preparedness, and what port scan results are actually telling you.

Installing personal firewall software like ZoneAlarm or Norton Personal Firewall is a great start towards protecting your PC from online dangers, but you should still test its inbound security situation at least periodically to be certain that it’s offering the protection you expect. All personal firewall programs will block incoming connection attempts by default, but if you’ve been opening ports (or allowing programs to “act as a server”) to allow others to connect to your PC, you’ll want to be sure that you haven’t left any ports open by accident. Additionally, it’s a good idea to check the status of ports occasionally in order to be sure that a malicious program (such as a Trojan horse) hasn’t wormed its way onto your system and silently opened a backdoor that would allow others to connect.

The easiest way to test the inbound security of your firewall is to use one of the many free port scanning tools available on the web. There are a number to choose from, but the one I usually recommend is ShieldsUP! at www.grc.com. This tool will perform a scan of your IP address to determine whether any ports are open and accessible to Internet users. If your firewall is configured correctly, all ports should be in stealth mode (with the exception of any ports that you have explicitly opened), meaning that these ports do not respond to requests from outside users – exactly what most users need and should want.

To test your firewall with ShieldsUP!, follow these steps:

  1. Open your preferred web browser and head to the ShieldsUP! home page.
  2. Read through the details provided on the page, and then click the Proceed button. If a Security Warning dialog box appears, click Continue.
  3. Click the buttons provided to run scans for open File Sharing, Common Ports, Service Ports, and so forth, one at a time. Complete all of the scans. Scans will take anywhere from a few seconds to over a minute to complete, depending on how busy the site is and the speed of your connection.

Once complete, review the scan’s results and proceed to the next scan. If open ports and/or vulnerabilities are found, use the details provided to make the necessary changes to your firewall. This may involve denying certain programs the ability to “act as a server” in your firewall’s program configuration settings. When ports are open, connections from outside users are allowed. When closed, connections are denied but your PC is visible to the outside world. When ports are determined to be in stealth mode, it means that the scanner couldn’t get any response from the port, making it virtually invisible.
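The three states above map directly onto what a TCP connection attempt gets back: a completed handshake (open), a reset (closed), or nothing at all (stealth). The following is an added example (not code from the article or from the ShieldsUP! site) that probes a handful of ports on a host you control and classifies each one that way; it is the same check the port-scanning section earlier on this page recommends running against your own address. So that it runs offline, the demonstration creates a listener on the loopback address and probes it alongside a port with nothing behind it; the "stealth" result cannot be produced on loopback, so it is shown through the classifier alone.

```python
# Added example (not from the article or the ShieldsUP! site): classify TCP
# ports on a host you control as open, closed or stealth, using the
# definitions from the text. Demonstrated against the loopback address so it
# runs offline; point it at your own public address from outside the firewall
# to see what an Internet scanner sees.
import errno
import socket
from typing import Dict, Iterable, Optional


def classify_probe(result: Optional[BaseException]) -> str:
    """Map the outcome of a connect() attempt to the article's three states."""
    if result is None:
        return "open"       # handshake completed: something is listening
    if isinstance(result, socket.timeout):
        return "stealth"    # no SYN-ACK and no RST: the firewall discarded the SYN
    if isinstance(result, OSError) and result.errno == errno.ECONNREFUSED:
        return "closed"     # a RST came back: the host is there, nothing listens
    return "unknown"        # e.g. host unreachable; not one of the three states


def probe_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt one TCP connection and classify the result."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return classify_probe(None)
        except OSError as exc:  # socket.timeout is an OSError subclass
            return classify_probe(exc)


def probe_ports(host: str, ports: Iterable[int], timeout: float = 1.0) -> Dict[int, str]:
    return {port: probe_port(host, port, timeout) for port in ports}


def start_listener() -> socket.socket:
    """Open a listening socket on an ephemeral loopback port (the 'open' case)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def find_unused_port() -> int:
    """Pick a loopback port with nothing listening on it (the 'closed' case)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as tmp:
        tmp.bind(("127.0.0.1", 0))
        return tmp.getsockname()[1]


if __name__ == "__main__":
    srv = start_listener()
    open_port = srv.getsockname()[1]
    closed_port = find_unused_port()
    for port, state in probe_ports("127.0.0.1", [open_port, closed_port]).items():
        print(f"127.0.0.1:{port} -> {state}")
    srv.close()
    print("timeout classified as:", classify_probe(socket.timeout()))
```

Note what "closed" tells a remote observer: the reset proves a host answers at that address, which is the same information leak the next paragraph describes for ping replies. A firewall that drops the SYN instead of resetting it is what turns "closed" into "stealth".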

One thing to note when your scan is complete – even if all ports are determined to be in stealth mode, your PC may still officially “fail” the test. Many firewalls (especially older versions) will automatically reply to “ping” diagnostic messages, even with all ports closed. If the firewall does reply to a ping, it tells the person who initiated it that a system does exist at your IP address. That doesn’t mean that they can get in, but it does mean that they could attempt a more involved attack knowing that there’s a system at your address. For this reason, almost all firewalls now automatically discard ping requests originating from the Internet. If yours didn’t, take a look through your firewall’s configuration settings and you’ll likely find an option to block ping replies – typically named “discard ping from WAN”, “block ICMP echo replies” or similar.

If your firewall shows all ports running in full stealth mode, that’s good news. It doesn’t necessarily mean that your PC is protected from all potential security threats, but it’s a good start. Don’t be afraid to experiment with other online port scanning tools, either. There’s no shortage of great options available ranging from basic probing tools through to more advanced and detailed scanners.

Free Anti-Spyware Programs

Call them what you will, but one thing is for certain: spyware, malware, and adware have become the bane of many a PC user’s experience. While IT departments in larger organizations have done a good job of cleaning up systems and locking them down to prevent future infections, the average home user’s PC continues to be the perfect breeding ground for these pesky pests.

Unfortunately, most users still mistakenly believe that having an anti-virus program installed is enough to keep their PC safe. Certainly some of the popular anti-virus packages do an admirable job of eradicating spyware, but most are still focused on removing traditional viruses and offer spyware fighting capabilities as little more than an afterthought. Thankfully, there are plenty of free tools (for personal use) available online that can be downloaded and installed to keep just about any PC spyware free.

When choosing the right free anti-spyware program for your home computer, keep the following points in mind:

  • Spyware removal tools typically do not offer real-time protection. In other words, these tools will work towards trying to remove any existing pests that may be present, but will do little (if anything) to prevent future infections.
  • Compared to paid alternatives, most of the free anti-spyware tools offer little in the way of advanced features. For example, commercial anti-spyware programs like Spyware Doctor offer integrated tools to foil keyloggers and detect phishing scams. Most of the free programs are pretty bare-bones, but can still be 100% effective at detecting and removing spyware.
  • As with anti-virus programs, you should never try to run more than one anti-spyware tool that offers real-time protection at once. While there’s certainly nothing wrong with having multiple anti-spyware tools installed on your computer, you should only use the real-time protection features of one of these programs at any one time.
  • Updating and scanning regularly are crucial – as with anti-virus programs, staying completely protected means having the latest spyware definitions installed, and then scanning for spyware regularly.

If you do choose to go the “free” route, then it’s also important to be on the lookout for rogue anti-spyware programs. Many spyware developers and shady organizations have taken to scamming users into installing their supposedly free tools, many of which actually infect computers or display false results in a bid to scare you into a purchase. Before you download and install any anti-spyware tool, you should take a closer look at the Rogue/Suspect Anti-Spyware list maintained by the good people at SpywareWarrior.com.

And now, without further ado, our list of great free anti-spyware resources:

  • Spybot Search & Destroy: This tool has been around for a long time, has always been free, and it’s still being updated regularly. If you’re sticking to free anti-spyware software only, then this makes a great secondary scanner.
  • Windows Defender: It’s technically still in beta, but this program from Microsoft offers great real-time protection, regular updates, scheduled scanning, and it’s very easy to use.
  • CWShredder: This free scanning tool is designed to identify and eradicate the nasty (and very popular) CWS pest in its many variants. Many other anti-spyware tools have problems dealing with this troublesome pest, but this quick little program gets the job done by focusing its energies.
  • Ad-Aware SE Personal: This free scanning and removal tool doesn’t offer real-time spyware protection, but it does an excellent job as a secondary scanner on a PC with other real-time protection software installed (a second opinion never hurts!)

If you’re already well-versed in the spyware game, then you’re no doubt already familiar with these programs. However, it’s PCs belonging to normal, everyday Windows users that suffer the scourge of spyware most prominently. So, rather than just kick back and enjoy the fact that your computer is safe, I’m asking that you please take the time to help other users clean up their PCs by getting the right tools installed. After all, it doesn’t have to cost them a penny!

Securing Windows XP Using Automatic Updates

Keeping Windows XP updated with the latest critical security patches released by Microsoft is one of the most effective ways to protect your PC against exploits designed to take advantage of known flaws. This article explains how you can ensure that XP is configured to download and install the necessary updates automatically.

In much the same way that cars periodically require preventative maintenance, so too does your computer. Like any piece of software, Windows XP is not perfect. From time to time, flaws are discovered that present a potential security risk, and it’s up to you to ensure that these holes are properly patched. If you neglect to update your PC, you run the risk that an attacker could gain access to your computer remotely, install dangerous programs or viruses, or even render it unable to function.

Thankfully, Windows XP is an easy operating system to keep updated. Using a feature known as Automatic Updates, you can configure your Windows XP computer to check for, download, and install critical updates automatically as they’re released. The process is so easy that there’s really no excuse why any Windows XP system should go unpatched and unprotected. Outside of critical security updates (which are released by Microsoft as flaws are discovered), the Automatic Updates feature will also download and install new Service Packs as they become available.

To check the status of Automatic Updates on your Windows XP system, follow these steps:

  1. Click Start > Control Panel.
  2. Open Security Center. If you don’t see a Security Center icon, it means that you don’t have Windows XP Service Pack 2 installed.
  3. In the Security Center window, ensure that Automatic Updates is set to On (with a green icon). If set to On, the feature will download and install updates automatically, as available when you connect to the Internet.
  4. If Automatic Updates is set to anything other than On, click the Automatic Updates link in the Manage security settings for section of the Security Center window. This will open the Automatic Updates window.
  5. Click the Automatic (recommended) option to enable Automatic Updates for your PC.

With Automatic Updates enabled, Windows XP will now automatically download and install all critical security updates and Service Packs as they’re released. In some cases you may be prompted to restart Windows XP in order to complete the update installation process, but an on-screen message will alert you when this is necessary and give you the option of delaying the restart until it’s more convenient for you.