Firewall Attacks: Friend or Foe?

By Ronald Pacchiano | Posted September 08, 2003

I recently installed a NETGEAR Cable/DSL router on my home network. I also have BlackIce Defender running on my Windows XP Professional system, and the firewall has reported several "attacks" since I installed the router. The router says that user data protocol (UDP) port probes were coming from v2.vc.scd.yahoo.com and v7.vc.scd.yahoo.com. There was also an entry about address 164.109.92.167, saying "HTTP GET data contains script." How were these external addresses able to access my internal client through the router?

The reason your software firewall is logging the first two "attacks" is likely because you're running Yahoo! Messenger software on your computer. The IP addresses and domain names that were flagged are Yahoo! servers designed to provide Yahoo! Messenger's voice chat capabilities. The application uses UDP to transmit voice data, so use of the voice chat feature could cause these sorts of entries to appear. If you point your browser to that address, you'll see an informational message that discusses this in more detail.

Even if you weren't using the voice chat feature at the time the entry was recorded, it could be due to the application scanning to see what ports were available for this type of traffic.

As to the last "attack," an HTTP GET is typically the result of clicking a link on a Web page. You likely clicked on a link that referenced back to the address recorded by the log, and the data returned probably contained a script that BlackIce deemed harmful. Whether it actually was dangerous or not is impossible for me to say, but the fact that the address does not resolve back to a domain name could possibly indicate less-than-honorable intent.

I did determine that the address is owned by Digex, a Web Hosting firm, so if you see a lot of these entries in the future, you may want to contact Digex and ask which of their customers is using this address, allowing you to better determine whether or not this individual or organization is the source of an actual attack.

Finally, you asked how the external addresses were able to access your internal client through the router. The answer is that a router will automatically allow traffic from an external address if it is in response to a request that originated inside your network.

And whenever a program like Yahoo! Messenger (or any other instant messaging client or similar application, for that matter) is running on your computer, it has the ability to proactively initiate connections to communicate with its servers. You can be sure that the program has one or more open connections to its servers whenever it is running; if that weren't the case, you wouldn't be able to communicate with anyone unless you initiated the connection yourself.

The last log entry represents a similar situation. The data coming from that address was in response to a request from your browser (the HTTP GET), so the router considered it acceptable traffic and allowed it to pass through.

Most hardware firewalls can detect certain types of common IP-based attacks, but they generally pay more attention to where the traffic is coming from as opposed to what kind of traffic it is. This is why software firewalls are usually good complements to a hardware router.
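The router behavior described above, as an added example that is not part of the original column: a simplified model of the table a home router keeps of conversations started from inside the network, which is why the Yahoo! replies and the HTTP response were let through while an unsolicited probe is not. The addresses, timeout values and class names are assumptions, and port translation is omitted (inbound packets are shown already addressed to the LAN client).

```python
# Simplified model of a home router's connection tracking (added example).
# All addresses are constructed and come from documentation ranges.
from dataclasses import dataclass

IDLE_TIMEOUT = {"udp": 30, "tcp": 300}  # seconds; assumed, real routers differ

@dataclass(frozen=True)
class Packet:
    proto: str            # "udp" or "tcp"
    src: tuple            # (ip, port)
    dst: tuple            # (ip, port)
    payload: bytes = b""

class Router:
    def __init__(self, lan_prefix="192.168.0."):
        self.lan_prefix = lan_prefix
        self.flows = {}   # (proto, lan endpoint, remote endpoint) -> last seen

    def handle(self, pkt, now):
        """Return "forward" or "drop" for a packet seen at time `now`."""
        if pkt.src[0].startswith(self.lan_prefix):
            # Outbound: a LAN client opened the conversation, so record it.
            self.flows[(pkt.proto, pkt.src, pkt.dst)] = now
            return "forward"
        # Inbound: accepted only as a reply to a flow still in the table.
        key = (pkt.proto, pkt.dst, pkt.src)
        seen = self.flows.get(key)
        if seen is None or now - seen > IDLE_TIMEOUT[pkt.proto]:
            self.flows.pop(key, None)
            return "drop"
        self.flows[key] = now
        # pkt.payload is never examined: the decision is about who, not what.
        return "forward"

def demo():
    pc_voice, pc_web = ("192.168.0.2", 5000), ("192.168.0.2", 1025)
    voice, web = ("203.0.113.10", 5000), ("203.0.113.80", 80)
    stranger = ("198.51.100.7", 4444)
    r = Router()
    return [
        r.handle(Packet("udp", pc_voice, voice), now=0),      # client starts voice chat
        r.handle(Packet("udp", voice, pc_voice), now=1),      # server reply
        r.handle(Packet("udp", stranger, pc_voice), now=2),   # unsolicited probe
        r.handle(Packet("tcp", pc_web, web, b"GET / HTTP/1.0\r\n\r\n"), now=3),
        r.handle(Packet("tcp", web, pc_web, b"<script>...</script>"), now=4),
        r.handle(Packet("udp", voice, pc_voice), now=100),    # flow idle too long
    ]

if __name__ == "__main__":
    print(demo())
```

The fifth packet is forwarded even though its body contains a script, because the router only checks that it answers a request from the LAN; flagging that content is left to the software firewall on the PC.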

For the longest time I have had only one computer in my home office — a Windows XP Professional workstation — that is connected to the internet via a cable modem and router. Recently, a friend of mine passed down to me his old iMac, which is running Mac OS 9. What I would like to know is if there is any way for me to configure my iMac to share my current cable modem connection? The router I'm currently using only has one local area network (LAN) connection on it, which is already being used by my Windows XP system.

I'm not interested in sharing data between the two systems; I only want both systems to be able to connect to the internet simultaneously. I'm totally new to computer networking, so please try to explain this to me in the simplest terms possible.

I'm happy to report that a shared cable modem connection between Windows XP and iMac computers is actually quite easy to set up. The only configuration that really needs to take place happens within each computer's operating system. Basically, the only thing you need to be concerned with is that your TCP/IP settings are configured to automatically obtain the needed IP information. This information includes settings for the IP address, gateway address, and DNS servers. Most routers are configured by default to provide this information to any PC on the network.

Being new to networking, it might be helpful for you to think of the router as sort of a splitter, much like the one you would use to split the signal from your cable box to two TVs. The router in this case splits the internet connection so that multiple computers can use it.

Speaking of your router, you had mentioned that your particular router had only one LAN connection on it, which was already being used by your Windows XP system. In order to get the iMac online using your current router, you would need to install a hub or switch to the router. This normally requires the additional purchase of a crossover cable to link the hub and the router together. This isn't very hard to do, but it can be a bit tricky for new users.

So while it is possible to set up the network in this fashion, my advice would be to instead upgrade your router by buying a newer model that has a multi-port switch integrated into it. A decent one can usually be found for well under $100. D-Link, NETGEAR, and Linksys all have inexpensive products to fit the bill.

Also, remember all you're going to have at this point is two machines with a shared internet connection that are incapable of sharing data. If at some point you'd like to network the computers for data sharing, you would need to install the appropriate networking protocols on each system. Specifically, Windows XP is going to need the AppleTalk protocol installed on it, while the iMac will need to have the Client for Microsoft Networks configured on it.

Adapted from PracticallyNetworked.com.
