eEye Digital Security

I am not a security expert but I do want my system as secure as possible. I noticed that the System Wide Rules under Firewall Rules has several items entered but no check marks beside them. Am I suppose to check these items? I am not technially inclined on computer security so I have no idea which rules I should check. If these rules are important why aren't they already activated, if they are not important why are they there? Also, is there a section somewhere on the forum where the experts have posted new rules that should be added? I, so far, have found only one and I have included it in my rules. I love the option of adding new rules, I just wish I could find some recommendations. Thank you.

     Blink Personal, by default, has many rules premade for a lot of the popular applications out there.  Most of those rules you honestly do not need, but were put there in case you did.  eEye has tried to make Blink as friendly as possible for the home user because it started out as a product that was mainly created for businesses and large Enterprise use only (hence why you do not see a lot of features you are use to seeing in most other home consumer security products).

     My first question to you would be, do you have multiple computers or devices on your network that you want the system that Blink is running on to connect to for sharing etc?  I have only one system, myself, which is behind a dedicated firewall box I built which is used as my Gateway.  Since I am not sharing any resources on my network and I want it to be as secure as possible, I have only about 4 rules in mine that take care of everything (except the applications themselves which is covered under the Application Firewall section).

NOTE:  I would highly recommend saving your current firewall configuration before making too many changes in case something does not work right and you want to restore it.  Under the "File" menu at the top you should be able to export your current active rule set and be able to save a copy of it where you choose to. 

Depending on your configuration needs, I could give you a few recommendations. 

 Thank you for responding to my query. I am running a wireless network with two computers, however sometimes I take one off the wireless and hook it directly to the Internet (plug it directly into the modem rather than the hub). I am only running Blink and have removed my other spyware/malware applications. I do not share any resources.

I would like my system to be as secure as possible.  I don't  feel that comfortable with Blink yet because I don't know if I have rules in place to be secure. Most of the time I find myself checking to see if it's still enabled.

I work at home and spend a lot of time on the Internet.

I don't have a dedicated firewall that I am aware of unless it came with the router and installed itself. I do disable my Internet connection at night.

 If there is anything I have left out please let me know. I very much want to see your recommendations.

Oh, and I did save my current configuration as you suggested. 

Thank you again. 

 

 

I can tell you what I have done. I feel like a newbie too but I did some digging around in the rulesets and took a bit of time to do some searching on the internet and here is what I have come up with.

First, I've disabled most UDP packets, and forced (internally anyhow) my computer to use TCP as much as possible. I have also restricted a lot of traffic to within my local network, whenever possible. Some people crack on "cheap consumer products" but I'm doing just fine with a $40 router off the shelf from a major retail outlet when used in conjunction with Blink and the rules I have set and modified. Occassionally, I do encounter an error and have to go back in and poke around trying to get things working again.

By far, the biggest problem is that if you use Windows, it is inherently NOT secure. Blink does a pretty good job of solving the majority of these security issues, if not all of them (depends on what you use the computer for, to be honest).

While my suggestions aren't anything new to computer security, Blink makes getting those tasks done easier than isolating your computer to LAN traffic using IPSec, that is very certain. Hope this helps!

Thank you for helping me. UDP packets always disturb me. I don't know which to allow and which to deny. As mentioned, I am no security expert, not even close, but I do want to be able to use your rules. One problem, although you explained what you have set up, I don't know how to set up the rules. When you say you have disabled most UDP packets, how did you set up your rule? Also the rule that you use to force TCP as much as possible. I really have no idea how to set these up. I hope others who know about setting up rules will post their's here on the forum to help those of us who don't. I don't want to become a security expert or have to dig around the Internet trying to find out how to properly set up rules. I just want to make sure I have rules in place that will allow Blink to do it's job.

 It is actually fairly simple.

In Application Rules, add to svchost.exe a new rule. The wizard lets you go through step by step. You are also going to set up a very similar rule in System Wide Rules - do not forget you need TWO rules for this to be effective. The key thing is that you are setting a rule for svchost.exe, so make sure you authenticate that by the path or md5. You are allowing TCP / UDP only for your LAN. Select "These IPs" for your local machine, and then put in 192.168.2.60 (or whatever your LAN/NAT IP is) and then for remote computers, the range of your LAN like 192.168.2.1 - 192.168.2.253. Note that I omit not just the 192.168.2.255 but also 192.168.2.254 address also. You can allow ALL ports.

Next rule (or copy/duplicate this one then modify it slightly, up to you how) you do slightly different. Oh and make sure you combine things IF POSSIBLE. That means if you can control TCP and UDP, then do so with one rule. On with this second one, you are blocking UDP to any external IP. This would be from ANY IP address your computer may be assigned whether by DHCP or as one you've established you prefer (this gets tricky, do this if you want the possible headaches). Then set the external IPs for 0.0.0.1 - 192.168.0.1 / and a second range of 192.168.4.0 - 224.0.0.0 (the start of broadcast IPs, I think).

The idea is to have the least amount of rules doing all of the work. If you follow what I'm saying here, you can probably figure out the next rule on your own. If not, I'll post it under any reply you have. And yes, UDP packets have bothered me also, for a long time. I almost wish there was an "Exceptions" tab on the rules so  if I encounter a problem, I don't have to figure out where the heirarchy is in rulesets / program permissions.

Please also see http://forums.eeye.com/forums/t/570.aspx for some additional suggestions.

I've mucked this up a bit, so it might seem confusing, but I'm sure you get the point of how to do it, its a matter of the details. Quite simply, the wizards make this so easy, once you have an idea of what you need to do. 

[ edited @ 9:28 AM GMT-8 on Apr 5, 2008 ] 

You haven't mucked anything up. You have been a great help! Thank you so much for not only suggesting a few rules but giving step-by-step procedures for applying them. If you want to see mucked up, you should have been around when I tried to do this on my own!

 Ok, now make sure you have TCPView from sysinternals.com and keep a look out for odd things your ISP might do to kick you off the net because you look offline for the most part. You may have to allow ICMP (the ping) to their DNS servers or something. Did you look at that other page and allow UDP to the DNS servers for your ISP? You should do that for port 53 incoming and pretty much any port outgoing. I forget, that might be another svchost.exe rule. Regardless, check out that other list of suggestions if you haven't done so yet. I'm sure all of this has gotten you thinking and you probably have an idea or two of your own about things you'd like to do to ratchet up security.

I'd also encourage you to look at your installed programs and check with  http://secunia.com/  and see if anything you have installed needs some "help".

Then export your ruleset once everything is working even close to properly. Keep exporting until you are satisfied you've got it setup the way it truly should be.

NOTE TO OTHERS: Your ISP may do different things, your router may have different addressing, there are many variables here. You are encouraged to follow these suggestions, but they are not any kind of warranty against an attacker gaining access to your personal files or other data. 

IF YOU FOLLOW THESE SUGGESTIONS, I AM NOT LIABLE FOR YOU MUCKING THINGS UP. THIS IS A VERY GENERAL OUTLINE OF WHAT CAN BE DONE. USE THESE SUGGESTIONS AT YOUR OWN RISK!

In addition, you should be running a processor that is 64 bit extensible if you run a 32 bit OS. Your processor should fully support DEP, and you should have DEP enabled. Your internet will slow down, it can't be helped. Your applications will open a little slower. This is the price you pay for security! 

Thank you for adding more suggestions! I hope others will add their's as well.

Dakota:

I don't have a dedicated firewall that I am aware of unless it came with the router and installed itself

     Yes, by deafult most of the Wireless and wired routers, in themselves, are considered a Hardware Firewall device.  They both do NAT (Network Address Translation - assign private internal IPs to your computers internally, normally starting with 192.168.X.X, and connect them to the public IP your ISP assigns you).  This provides all the inbound protection you really need at home.  Blink is doing the same, but also providing you outbound protection along with its IPS.

PART I - 

      As far as the security of your Wireless router I would recommend you check for the following things in it.

1.  Your not using the deafult password! Create your own, atleast 8 characters minimum.

2.  Change the name of the router in its settings.  Some come default Linksys or Netgear with some name after it.  Leaving a router with a default name such as those, makes it easy for an attacker to see what brand of router your using without having to do a whole lot of poking at it right from the start!  To make it easier to understand why, lets say I am a hacker.  I find out your router make and model.  IF you have not changed any of the default settings in the router I can easily look it up in one of these lists for all the basi info I need to get into it and change things on you.

 http://www.phenoelit-us.org/dpl/dpl.html

 http://www.routerpasswords.com/ 

These are so popular they are the first two results that come up when you google such a thing!  But I wanted to give you an example of the first mistake people make when they buy and install a router.

3.  Look in your router and make sure you disable the UPNP (Universal Plug and Play) function unless you know you need it.  9 out of 10 times if you don't know what it is, you don't need it!

4 . Make sure some of the routing protocols in your router are disabled.  IOne of the main one you see in home routers is "RIP".  Unless you have more than one router on your network, you do not need these enabled.  Most of the timeby default they are disabled, but better safe then never.

5.  Make sure the firmware in your router is updated.  For a lot of folks this is a difficult thing for them to check on if they don't know where to check, but you can tell the firmware version by going to the manufacture's website and compare it with what your router currently states that it has in it.  Most routers that I have seen, have had atleast 1 firmware update fixing either minor bugs of some sort, or a security vulnerability.

-  If I am an attacker and I know what your router is this is another thing I would want to do.  I would check the manufacture's website and see if there was any known fixes that were issued.  If there was, I would attempt to exploit those known bugs or vulnerabilities in the router (hoping that the user did not update their router) attempting to compromise it this way. 

6.  Don't use WEP for your routers Wireless Encryption!  Some routers, if they are older, give you no other choice but to use WEP for your encryption.  If you have a choice of encryption to use, use WPA.  Most WEP keys now can be broken in under a minute with free hacking tools on the internet. 

     To sum this up, if you don't properly protect your boundary of your home network first, securing your local machines is not going to help you much more (unless you have no boundary device).  It kinda goes along the same lines as if your local computer is compromised you can nolonger trust it.  If your gateway router is compromised anything that goes through that router is now compromised too...so tighten your security from the outward most point inward if your serious about the whole overall picture.

A good website article I came across on this is here:  http://isc.sans.org/diary.html?storyid=4282 

Anyways, enough of my senseless babbling ....

     I will get back to you on a secure setup for your system if your NOT sharing anything on your system, or trying to access anything shared on a LAN computer at home.  There are a few things in the registry that deal with NETBIOS and such that I will give you guidance on disabling etc along with my configuration.  I would recommend looking at this post for a first step until I get back to you.  Keep in mind this is up to you whether or not you want to do it.  See my post here for tightening up DNS security in Blink:  http://forums.eeye.com/forums/t/486.aspx

     Second of all I would recommend going to this site:  http://blackviper.com and taking a look at his setup for the services that run in Windows and try to eliminate a lot of what you don't need.  He gives a good description of each service and explains what you may need it for or what you don't need each one for.  After locking down un-needed services on my system, I now only have 18 processes running under task manager (includes Blink's services) when I log into my Windows XP Professional system.  As with disabling services I would highly recommend that you write down what the service is, what is is currenly set at and then what your changing it to until you get the hang of this.  Each user's computer is different and you have to tweak and test things before finalizing your setup.  I will post what I have for my services settings in here when I give you my firewall rules, however to get my system the way it is now, I have had to tweak my service's settings about 13 times to get the right setup.  In Part II of my response to you I will list what rules I have in my firewall sections and the settings for my Window's services that work for me.

Part II -

     Okay this is entirely up to you if you wish to use this and if you do I highly recommend you save your current known good configuration.  This may not work for you.  I would recommend only using this if you plan to not use your system for sharing anything or accessing anything on a home LAN or other LAN.  I have set my configuration this way because I want to be as secure as possible at home and if I trave and use a public connection etc.  If you do this it is at your own risk and choice!  This is only my recommendation of how to secure a system and is what works well for me.

1. Windows' Services: 

If you consider a fresh install of Windows XP Professional with Blink installed only, these are the settings I have for my Windows Services:

 

Items Set to Automatic -

  

Automatic Updates

Crytographic Services

DCOM Server Process Launcher

DHCP Client

Event Log

IPSEC Services

Plug and Play

Remote Procedure Call (RPC)

Secondary Logon

Security Accounts Manager

Themes

Windows Audio

Windows Firewall/Internet Connection Sharing

Windows Management Instrumentation

Windows Time

  

Items Set to Manual - 

 

.NET Runtime Optimization Service v2.0.50727_X86

ASP.NET State Service

Background Intelligent Transfer Service

Logical Disk Manager

Logical Disk Manager Administrative Service

Network Connections

Protected Storage

Remote Procedure Call (RPC) Locator

Removable Storage

Shell Hardware Detection

Uniterruptable Power Supply

Windows Driver Foundation - user mode

Windows Installer

 

Everything else has been disabled.  This includes the "Security Center" because I got tired of it barking at me about firewalls, A/V, and Windows update being turned off.  I have my Windows update turned off because I want to manually check for updates myself and I do not want it going out whenever it wants to on its own to check for updates.  I have also disabled Windows' Wifi service because I use something else in its place.

 

 2. NETBIOS -

     If your not sharing anything or trying to access shared resources on a LAN or remotely you should disable all the junk dealing with NETBIOS and Microsoft's Sharing services.  To do this do the folllowing:

1 . Go to My Network Places

2. View Network Connections

3. On each Local Area Connection icon you have (anything for Wifi too or a VPN adapter if you have one) complete the following:

     A. Right click on the icon

     B. Select "Properties"

     C. In the This Connection uses the following items field in the middle un-install the "File and Printer Sharing for Microsoft Networks" and the "Client for Microsoft Networks". You may be prompted to restart your system after doing this, wait until you are done with all of these steps and then do it.

     D. Next,  Click on the Internet Protocol (TCP/IP) in the middle area field, select "Properties" on it.

     E. Select the "Advanced" button in the lower right and then on the new screen that appears select the "WINS" tab at the top.

     F. Under the WINS tab at the bottom, select Disable NETBIOS over TCP/IP.  The "Enable LMHOSTS lookup" box above it can also be unchecked if it is checked.

     NOTE 1:  You should do this or atleast check to make sure this is done for each connection icon (except for step C above.  This only needs to be done on your main Local Area Connection and should duplicate to your other ones by default if you remove something).

     NOTE 2:  Since you have disable this stuff you may not see a little icon in the lower right of your screen that says it is trying to Obtain an IP Address when in fact your system has already been assigned one.  Disabling the stuff you have makes your system kind of "late to the game" of making this icon disappear.  Moreless it becomes something I just ignore, but it may be annoying to some.  It is just something you have to deal with if you choose to do this.

3. Port 445 -

      After you disable all this junk you may notice with your Retina Scans that port 445 is still open or being used shall I say.  You can get rid of this too.  To do so see this article online at the following website to describe how to properly disable it in your registry:  http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm

 

4. Bink's Firewall Settings -  

     Now on to the part you have been waiting for.  The following is a description of what I recommend for both your Application Rules and System Wide Rules sections in Blink.

 

Application Rules -  There are two main points of focus here; "Svchost.exe" and the "System Process"

 

If you have disabled the DNS Service in Windows' Services as I pointed out in this post:  http://forums.eeye.com/forums/t/486.aspx  , then you will only need three rules under this category in the Application Firewall.  They are as follows (top down):

 

1. This is for Svchost.exe to assist with DHCP functions

    Application  - C:\WINDOWS\system32\svchost.exe

    Initial Trust - N/A

    Trust Application by - MD5

    Action - Allow

    Protocol - UDP

    Direction - Any Direction

    Local Address - At the top "Applies to all IP addresses of this computer

                                At the bottom "Rule Applies to all Local Ports of this computer".

    Remote Address: - At the top "Specify remote IP address for this rule" should be selected.  To the right of this click on the Add button and then selected the "Determine IP(s) at run-time" selection then from the drop down menu it has select "Default Gateway".  Click OK to close this window.                                  At the bottom "Specify Remote Ports" - 67, 68

 

2. This is for Svchost.exe to assist with Windows Time operations.

    Application  - C:\WINDOWS\system32\svchost.exe

    Initial Trust - N/A

    Trust Application by - MD5

    Action - Allow

    Protocol - UDP

    Direction - Any Direction

    Local Address - At the top "Applies to all IP addresses of this computer

                             At the bottom "Specify Local Ports" - 123 

    Remote Address: - At the top "Applies to all IP addresses of this computer

                                  At the bottom "Specify Remote Ports" - 123 

 

3 . This is for Svchost.exe to carry out other miscellaneous functions that it handles via HTTP and HTTPS.

    Application  - C:\WINDOWS\system32\svchost.exe

     Initial Trust - N/A

     Trust Application by - MD5

    Action - Allow

    Protocol - TCP

    Direction - Traffic from this Computer

    Local Address - At the top "Applies to all IP addresses of this computer"

                             At the bottom "Rule Applies to all ports of this computer"  

    Remote Address - At the top "Applies to all IP addresses of this computer"

                                 At the bottom "Specify Remote Ports" - 80, 443

 

Now for the "System Process" It needs only the following:

1. Application -  System Process is selected

    Action - Deny

    Protocol - TCP or UDP

    Direction - Any Direction

    Local Address - At the top "Applies to all IP addresses of this computer"

                              At the bottom "Specify Local Ports" -   445, 135-139

    Remote Address - At the top "Applies to all IP addresses of this computer"

                                 At the bottom "Specify Remote Ports" -   445, 135-139

  

This ties up anything for NETBIOS.

 

System Wide Rules - This section really only needs 5 Rules total.  Anything else is dropped by default or you are queried for permission on a Application by Application basis.

 

1. This is for ALL ICMP

    Action - Deny

    Protocol - ICMP - Select the box that says "This rule will filter all ICMP packets"

    Direction - Any Direction from this Computer

    Local Address - At the top "Applies to all IP addresses of this computer"

                             Bottom is greyed out

    Remote Address - At the top "Applies to all IP addresses of this computer"

                                 Bottom is greyed out

 

 2.  This is for NETBIOS again

      Action - Deny

      Protocol - TCP or UDP

      Direction - Any Direction from this Computer

      Local Address - At the top "Applies to all IP addresses of this computer"

                               At the bottom "Specify Remote Ports" -   445, 135-139

      Remote Address - At the top "Applies to all IP addresses of this computer"

                                   At the bottom "Specify Remote Ports" -   445, 135-139

 

3.  This is for eEye Recommended rule for the ICS Vulnerability that was given to me in Retina.

      Action - Deny

      Protocol - UDP

      Direction - Traffic from other computers

      Local Address - At the top "Applies to all IP addresses of this computer"

                               At the bottom "Specify Local Ports" - 53

      Remote Address - At the top "Applies to all IP addresses of this computer"

                                  At the bottom "Rule Applies to all remote ports"

 

4.  This is to allow for DNS to function  - NOTE: For this to really function properly and actually be used you must uncheck the  "Allow DNS Traffic" in the "Advanced Options" section of the Firewall tab in Blink's Options.  If you don't there is a chance Blink will just allow DNS queries regardless of the circumstance to possibly anywhere.

      Action - Allow

      Protocol - UDP

      Direction - Any Direction

      Local Address -  At the top "Applies to all IP addresses of this computer"

                                At the bottom "Rule Applies to all ports of this computer"

     Remote Address: - At the top "Specify remote IP address for this rule" should be selected.  To the right of this click on the Add button and then selected the "Determine IP(s) at run-time" selection then from the drop down menu it has select "DNS Server".  Click OK to close this window.

                                   At the bottom "Specify Remote Ports" - 53

 

5 . This rule allows DHCP to function properly

      Action - Allow

      Protocol - UDP

      Direction - Any Direction

      Local Address - At the top "Applies to all IP addresses of this computer"

                               At the bottom "Applies to all ports of this computer."

      Remote Address: - At the top "Specify remote IP address for this rule" should be selected.  To the right of this click on the Add button and then selected the "Determine IP(s) at run-time" selection then from the drop down menu it has select "Default Gateway".  Click OK to close this window.

                                   At the bottom "Specify Remote Ports" - 67, 68

 

------------------------------------------------------------------------------------------------------------------------

     This is the setup I have on my system that seems to lock it down pretty well.  Like I said you can try this at your own risk, but for a computer you want to secure from everything else, this is a good way to do it.  Some side-effects of this are:

1.  Web pages may load a little slower now.  This is because now, if a DNS query does not match the DNS rule exactly requesting the remote port of 53 of the DNS server and instead it just simply requests any port (like a DNS trojan would) it will be dropped.  Once this happens, it will have to attempt its lookup again.

     Second of all if you disabled the DNS service in Windows, which takes the duty away from Svchost.exe doing DNS querys, then your computer will also nolonger cache DNS requests that were made from prior lookups.  This is one of the fuctions the DNS service does - store a small cache of known querys.

2.  Your browser may take a few extra seconds to open initially

3.  You will sometimes have that annoying connection icon in the lower right, as I pointed out before, that says it is attempting to retrieve or renew your IP address (which has already been done obviously).

4.  From time to time as Applications start (for the first time) you may see them pop up a Blink alert wanting to make an outbound connection attempt to the DNS servers for the remote IP of 53.  I have had this when I connect to my home via OpenVPN, because once it connects, it is now using my home ISP's DNS servers and not the DNS servers of the local connection router where I happen to be anymore (for example in a WiFi spot or something). 

       The next best thing that I would do, IF you have Windows XP Professional, is to create a Limited User Account for everyday use.  This in itself eliminates a lot of the problems out there from installing themselves to begin with.  By default when you use Windows XP you are running with Administrative privlages, this you do not want.  

     If anyone is using Windows XP Professional and is using a Limited User Account and wants to really lock down their Hard Drive permissions let me know.  I can give some pointers on that too.

      Hopefully some other folks will post their configurations in here too.  :)

Another good post to take a look at that will assist with creating rulesets for diffferent environments (i.e. a Trusted or Not Trusted LAN) can be found here:    http://forums.eeye.com/forums/p/1040/4503.aspx#4503

 

UPDATED LAST ON:  09JUL09

 

 

 

 

 

 

   

 

 I just checked back to see if anyone else had posted to this topic and was i surprised! Thank you Blue for taking the time and effort to post this informative addition to the thread.

I know this topic is helping and will continue to help not only myself but many others who read the forums but may not ask any questions.

I really found the links you gave as well as your advice on setting up the router invaluable!

UPDATE - I took all of your recommendations and currently I have had no problems. Everything seems to run smoothly. I haven't really noticed any slow downs worth mentioning. Thank you again.

 

 

Not a problem, glad I could help some. 

Man you win for most in depth post of the week....

 

Jeffrey, I hate to even ask this because you put so much effort into providing the info. for Dakota's setup, but I have just recently started using Blink and know next to nothing about how to set up the proper rules for my situation. I do share files through my home network. I have three PC's and one laptop running WinXP that are networked through my router. All are hardwired except the laptop which is wireless. I was suprised that I was even able to do this with my level of understanding. Can you suggest settings / rules or maybe point me to a resource I can use to secure my setup? I am using Blink Personal v3.5.7. I do plan to change / check my router settings based on Part 1 of your prior posting and will also review running processes based on the link you provided. Thanks, Bill