Firewall protection how to?

What is a Firewall?
A firewall is a tool that monitors communication to and from your computer. It sits between your computer and the rest of the network and, according to some criteria, decides which communication to allow and which to block. It may also use other criteria to decide which communication, or communication request, to report to you (either by adding the information to a log file that you can browse whenever you wish, or in an alert message on the screen) and what not to report.

What Is It Good For?
Identifying and blocking remote access Trojans. Perhaps the most common way to break into a home computer and gain control of it is by using a remote access Trojan (RAT), sometimes called a "backdoor Trojan" or "backdoor program". Many people simply call it a "Trojan horse", although that term is much more generic. A Trojan horse is a program that claims to do something innocent but in fact does something much less innocent. The name goes back to the days when Greek soldiers managed to enter through the gates of Troy by building a big wooden horse and giving it as a present to the king of Troy. The Trojans allowed the sculpture through their gates, and at night, while their soldiers were busy guarding against an attack from outside, the Greek soldiers hiding inside the horse came out and attacked Troy from the inside. This story, which may or may not be true, is an example of something that looks innocent being used for a less innocent purpose. The same thing happens with computers. You may get a program via ICQ, Usenet, or IRC and believe it to be something good, while in fact running it will do something less nice to your computer. Such programs are called Trojan horses. It is commonly said that the difference between a Trojan horse and a virus is that a virus has the ability to self-replicate and distribute itself, while a Trojan horse lacks this ability. A special type of Trojan horse is the RAT (Remote Access Trojan; some say "remote admin Trojan"). Once executed on the victim's computer, these Trojans start listening for incoming communication from a matching remote program that the attacker uses. When they get instructions from the remote program they act accordingly, thus letting the user of the remote program execute commands on the victim's computer. To name a few famous RATs, the most common are Netbus, Back-Orifice, and SubSeven (also known as Backdoor-G). In order for the attacker to use this method, your computer must first be infected by a RAT.
Prevention of infection by RATs is no different from prevention of infection by viruses. Antivirus programs can identify and remove most of the more common RATs. Personal firewalls can identify and block remote communication attempts to the more common RATs, thus blocking the attacker and identifying the RAT.

Blocking/Identifying Other Types of Trojans and Worms?
There are many other types of Trojan horses that may try to communicate with the outside from your computer, whether they are e-mail worms trying to distribute themselves using their own SMTP engine, password stealers, or anything else. Many of them can be identified and blocked by a personal firewall.

Identifying/Blocking Spyware/Adbots?
The term "spyware" is slang and not well defined. It is commonly used mainly for various adware (adware being a program that is supported by presenting advertisements to the user) which, during its installation process, installs an independent program that we shall call an "adbot". The adbot runs independently even if the hosting adware is not running; it maintains the advertisements, downloads them from the remote server, and provides information to the remote server. The adbot is usually hidden. There are many companies that offer adbots and advertisement services to adware. The information that the adbots deliver to their servers from the computer where the adbot is installed is how much time each advertisement was shown, which adware hosted it, and whether the user clicked on the advertisement. This is important so that the advertisement server can know how much money to collect from each of the advertised companies, and how much of it to pass on to each of the adware maintainers. Some adbots also collect other information in order to better choose the advertisements for the user. The term "spyware" is more generic, but most spyware falls into this category. Many types of adbots can be identified and blocked by personal firewalls.

Blocking Advertisements?
Some of the better personal firewalls can be set to block communication with specific sites. This can be used to prevent the downloading of advertisements in web pages, and thus to speed up the loading of web sites. This is not a very common use of a personal firewall, though.

Preventing Communication to Tracking Sites?
Some web pages contain references to tracking sites, e.g. they instruct the web browser to download a small picture (sometimes invisible) from a tracking site. Sometimes the pictures are visible and provide some statistics about the site. Those tracking sites will try to save a small text either as a small file in a special directory or as a line in a special file (depending on your browser), and your browser will usually allow the saving site to read the text that it saved on your computer. These are called "web cookies" or simply "cookies". Cookies allow a web site to keep information that it saved during some earlier visit, to be read whenever you enter the site again. This allows the web site to customize itself for you and to keep track of everything that you did on that site. It does not have to keep that information on your computer: all it has to save on your computer is a unique identifying number, and it can then keep, on the server side, information about what was done by the browser that used that cookie. Yet by this method a web site can get only information about your visits to it. Some sites such as "doubleclick" or "hitbox" can collect information from various affiliated sites by putting a small reference in the affiliated pages to some picture on their servers. When you enter one of the affiliated web pages, your browser will communicate with the tracking site, which allows the tracking site to put or read a cookie that identifies your computer uniquely; it can also learn which web page referred to it, and any other information that the affiliated web site wanted to deliver to the tracking site. This way tracking sites can correlate information from many affiliated sites, for example to better customize the advertisements that are put on those sites when you browse them. Some personal firewalls can be set to block communication to tracking sites. It is not a common use of a personal firewall, though, and a personal firewall is not the best tool for that, but if you already have one, this is yet another possible use of it.

Blocking or Limiting the NetBIOS Communication? (as well as other default services)
The two common methods intruders use to break into home computers are through a RAT (which was discussed in II.3a) and through NetBIOS communication. NetBIOS is a standard for naming computers in small networks, developed long ago by IBM and Microsoft. There are a few communication standards used in relation to NetBIOS. The ones relevant to Microsoft Windows operating systems are NBT (NetBIOS over TCP/IP), IPX/SPX, and NetBEUI. The communication standard used over the Internet is NBT. If it is enabled, and there is no firewall or something else in the middle, it means that your computer is listening for communication over the Internet via this standard and will react according to the NBT commands it gets from remote programs. NBT (which is sometimes loosely called "NetBIOS") is thus acting as a server. So the next question should be "which remote NBT commands will the NBT server carry out on the local computer?". The answer depends on the specific settings of your computer. You may set your computer to allow file and print sharing. If NBT is also enabled, it means that you allow remote users to share your files or printers. This is a big problem. It is true that in principle the remote user has to know your password for that computer, but many users do not set a password for their user on Windows, or set a trivial password. Older versions of Win95 had file and print sharing over NetBIOS enabled by default. On Win98 and WinMe it was disabled by default, but many technicians, when they set up a home network, enable file and print sharing without being aware that it also affects what a remote Internet user is authorized to do. There are even worms and viruses that use the file sharing option to spread over the Internet. Anyway, no matter whether you need it for some reason or are simply not aware of it, a personal firewall can identify and block any external attempt to communicate with the NetBIOS server on your computer. The more flexible personal firewalls can be set to restrict who is authorized to communicate with NetBIOS. Some Windows operating systems, especially those not meant for home use, offer other public services by default, such as RPC. A firewall can identify communication attempts to them and block them. Since such services listen for remote communication, there is a potential risk from attempts to exploit security holes in the programs that offer the services, if there are such holes. A firewall may block or limit the communication to those services.

Hiding Your Computer on the Internet?
Without a firewall, on a typical computer, even one that is well maintained, a remote person will still be able to tell that the communication attempt has reached some computer, and perhaps learn something about the operating system on that computer. If that computer is handled well, the remote user will not be able to get much more information from it, but might still be able to identify who your ISP is, and might decide to invest further time in cracking into your computer. With a firewall, you can set the firewall so that any communication attempt from remote users (in the better firewalls you may define an exception list) will not be responded to at all. This way the remote user will not even be able to know that it reached a live computer. This might discourage the remote attacker from investing further time and effort in cracking into your computer.
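The allow/block and report/don't-report decisions of the last two sections, modelled as an added example (not code from the original article): a first-match rule list that lets the home LAN reach file and print sharing, silently drops and logs Internet attempts against the NBT and RPC ports, and drops everything else without a reply so the host looks dead. The 192.168.1.0/24 home network and the sample attempts are assumptions; TCP 445 (direct SMB) and TCP 135 (RPC endpoint mapper) are ports added here, the article only names NBT and RPC.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# NBT uses 137-139 (the article's NetBIOS over TCP/IP); TCP 445 is modern
# direct SMB and TCP 135 the RPC endpoint mapper (both added in this example).
NETBIOS_PORTS = frozenset({137, 138, 139, 445})
RPC_PORTS = frozenset({135})
HOME_LAN = ip_network("192.168.1.0/24")  # assumed home network prefix


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[IPv4Network]        # None means "any source"
    ports: Optional[FrozenSet[int]]   # destination ports, None means "any port"
    action: str                       # "allow", "drop" (no reply) or "reject" (reply)
    report: bool                      # whether a match is written to the log


# First matching rule wins; the last rule is the stealth default ("hide" mode).
RULES: List[Rule] = [
    Rule("LAN file/print sharing", HOME_LAN, NETBIOS_PORTS, "allow", False),
    Rule("Internet -> NetBIOS", None, NETBIOS_PORTS, "drop", True),
    Rule("Internet -> RPC", None, RPC_PORTS, "drop", True),
    Rule("stealth default", None, None, "drop", False),
]


def decide(src_ip: str, dst_port: int, rules: List[Rule] = RULES) -> Tuple[str, bool, Optional[str]]:
    """Return (action, replies_to_sender, log_line_or_None) for one inbound attempt."""
    src = ip_address(src_ip)
    for rule in rules:
        if rule.src is not None and src not in rule.src:
            continue
        if rule.ports is not None and dst_port not in rule.ports:
            continue
        # Only "allow" or "reject" sends anything back; a dropped probe gives the
        # sender no sign that a live computer was reached.
        replies = rule.action != "drop"
        log = f"{rule.action.upper()} {src_ip}->{dst_port} ({rule.name})" if rule.report else None
        return rule.action, replies, log
    raise ValueError("rule list must end with a catch-all rule")


# Constructed inbound attempts: a LAN neighbour, an Internet NBT probe, a port scan.
SAMPLE = [("192.168.1.20", 139), ("203.0.113.5", 139), ("203.0.113.5", 8080)]

if __name__ == "__main__":
    for src, port in SAMPLE:
        print(src, port, decide(src, port))
```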


The Non-Firewall Defenses

We've discussed a few situations where a personal firewall can provide defense. Yet in many cases a computer maintainer can deal with those situations even without a firewall. Those "alternative" defenses are in many cases recommended regardless of whether you use a firewall or not.

Remote Access Trojans?
The best way to defend against remote access Trojans (RATs) is to prevent them from being installed on your computer in the first place. A RAT must first infect your computer in order to start listening for remote communication attempts. The infection techniques are very similar to those that viruses use, and hence the defense against Trojan horses is similar to the defense against viruses. Trojan horses do not distribute themselves (although they might be companions of another Internet worm or virus that distributes them). Yet, because in most cases they do not distribute themselves, it is likely that you will get them from anonymous sources, such as instant messengers, Kazaa, IRC, or a newsgroup. Adopting a suspicious policy regarding downloads from such places will save you not only from viruses but also from getting infected with Trojan horses, including RATs. Because Trojan horses are similar in some ways to viruses, almost all antivirus programs can identify, block from being installed, and remove most Trojan horses, including all the common ones. There are also some programs (sometimes called anti-Trojan programs) that specialize in the identification and removal of Trojan horses. For a list of those programs, and for a comparison of how well different antivirus and anti-Trojan programs identify different Trojan horses, see Hackfix (), under "Software test results". Hackfix also has information on the more common RATs (such as Netbus and SubSeven) and on how to remove them manually. There are some tools and web sites, such as port scanners, and some ways of using more generic tools such as telnet, msconfig, and netstat, which may help you to identify a RAT.
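A defender's version of the netstat check just mentioned, as an added example that is not from the article: parse a `netstat -an` listing, keep the sockets that accept unsolicited traffic (TCP in LISTENING state, any bound UDP socket), and report those that are not on the owner's own list of expected listeners, which is how a RAT that has started listening would show up. The listing and the expected-listener list are constructed for the example.

```python
import re
from typing import Iterator, List, Set, Tuple

# Constructed `netstat -an` output in Windows layout (not captured from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""

# Listeners the owner knows about (assumed: RPC mapper, NBT session, NBT name service).
EXPECTED: Set[Tuple[str, int]] = {("TCP", 135), ("TCP", 139), ("UDP", 137)}

# proto, local address, local port, foreign address, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listeners(netstat_output: str) -> Iterator[Tuple[str, int]]:
    """Yield (proto, port) for every socket that will accept unsolicited traffic."""
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner, column header or blank line
        proto, _local, port, _foreign, state = m.groups()
        # A TCP socket receives new connections only in LISTENING state;
        # a bound UDP socket receives datagrams with no state at all.
        if proto == "TCP" and state != "LISTENING":
            continue
        yield proto, int(port)


def unexpected_listeners(netstat_output: str, expected=EXPECTED) -> List[Tuple[str, int]]:
    """Return the sorted listeners that are not on the owner's expected list."""
    return sorted(set(listeners(netstat_output)) - set(expected))


if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"unexpected listener: {proto} port {port}")
```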

Other Types of Trojans and Worms?
Here too your main interest should be to prevent them from infecting your computer in the first place, rather than blocking their communication. A good antivirus and a good policy regarding the prevention of virus infections should be the first and most important defense.

Spyware and Adbots?
The term spyware is sometimes misleading. In my view, it is the responsibility of the adware developer to present the fact that the adware installation will install or use an independent adbot, and to provide information on how this adbot communicates and which information it delivers, in a fair place and manner before the adware is installed. It is also their responsibility to provide this information on their web sites, so that people will be aware of it before they even download the software. Yet, in general, those adbots do not pose any security threat, and in many cases their privacy threat is also negligible for many people (e.g. the computer with adbot number 1127533 has been exposed to advertisements a, b, c such and such times while using adware x, while the computer with adbot number 1127534 has been exposed to advertisements a, d, and e for such an amount of time with the use of adware y, and clicked on ad number d). It should be fully legitimate for software developers to offer advertisement-supported programs, and it is up to the user to decide whether the use of the program is worth the ads and the adbot or not. Preventing an adbot from communicating is generally not a moral thing to do. If you decide to use adware, you should pay the price of letting the adbot work. If you don't want it, please remove the adware, and only if for some reason the adbot continues to work even though no hosting adware that uses it is installed, you may remove the adbot. Anyway, there are some very useful tools to identify whether a program is "spyware", or whether "spyware" is installed on your computer, and you are certainly entitled to this information. Two useful programs are "AdAware", which identifies "spyware" components on your computer and allows you to remove them, and Ad-Search, which allows you to provide the name of a program and tells you whether this program is "spyware" and which adbot it uses. It is useful to assist you in choosing whether to install a program or not. You may find those programs
