Firewall Weirdness

Okay, so we’ve got about four computers. Five, actually–the kids’ computer has two removable hard drives so that paidhi-boy doesn’t abuse paidhi-girl’s Catz. And Mr. Cameron set up a network so we can move files around easily, and I can do my work in the basement, or upstairs while the kids are playing right next to me. Very convenient. I’d asked him in the past, “Don’t we need a firewall?”

No, he said, we didn’t, for some reason I don’t recall. In the past I’d downloaded ZoneAlarm out of a sort of vague anxiety about security, but it doesn’t work with Win95. ( Mr. Cameron has been itching to upgrade my computer, but I’m an “if it ain’t broke don’t fix it” kind of girl. The whole network thing is Mr. Cameron’s toy, and I know very little about it.)

Anyway, after hearing about all this msblaster stuff (yes, I know 95 is safe, but it got me thinking about security issues), and pondering what people said about firewalls and security, I figured I’d try Agnitum’s Outpost. Downloaded it, fired it up. Huh, I think, this is nifty. But then I get four attacks–from IPs inside our LAN. Or at least that’s what it looked like. Then Mr. Cameron’s computer started trying to connect to mine. Which would have been fine if he’d been home and working on his machine, but he was at work, the kids’ machine was turned off…so what the heck? So when he got home, he ran a trojan scan and found nothing, and then disconnected his computer from the network.

All day today, I’m getting NetBIOS traffic that says it’s coming from his computer. I’ve disabled NetBIOS traffic, and it’s blocked, but what the heck? Where is this coming from? I’m also occasionally getting (blocked) NetBIOS traffic from utterly foreign IPs, and what the heck is up with that? And I’m wondering what the point is of allowing NetBIOS traffic from computers in my LAN if someone can just walk right up and say they’re one of our machines…

This is, obviously, my first exposure to this kind of thing, and I’m not sure exactly what’s normal and what’s not. I’ve googled terms I’m not familiar with, but that’s only partially helpful–half of what I’m reading assumes I know stuff I don’t. Help?

Without being able to look at your logs, I’ll offer some observations about common issues encountered by folks who turn on a firewall for the first time.

Out-of-the-box levels of protection are commonly set too sensitively, at least if you want your firewall to only trigger alerts for potentially dangerous incidents, or incidents that you would want to report to the Abuse desk of the network of origin.

In this day and age, if you’re bored with TV and would rather watch the output of a firewall on “paranoid” setting (to quote an actual setting from a common bit of software) you will see metric assloads of activity. Especially if you’re on a broadband connection. The internet is constantly abuzz with “normal” activity that will trigger a sensitive firewall.

My gut reaction to your OP is that your firewall may be a wee bit touchy and is logging “normal” LAN activity. Assuming my gut is wrong, I’d want to know more about the “trojan scan” that Mr. Cameron ran. Trojans aren’t the only malware that make connection attempts. Many common virus/worms that are not defined as “trojans” do so. Is there full-service, currently updated Anti-Virus software on all of your systems? How often is it configured to update and scan your systems? I’d recommend doing so daily. Also, there is malware out there that can bypass or disable software such as Norton and McAfee. Using an assortment of freely available virus scans and specific removal tools can help you deal with such tricky bugs.

As far as activity that constitutes Abuse, such as malicious hack attempts or virus/worm/trojan probes, they can pretty much come from anywhere in the big bad world at any time. Unprotected, insecure, or already compromised hosts are a resource to be exploited. All sorts of automated processes and script kiddies are constantly looking for them, using other unprotected, insecure, or already compromised systems all over the world as their periscopes.

One last parting tip…

If you’re interested in running a firewall and also taking the extra proactive step to report Abuse to those who can take action on it, but you don’t want to play cybercop trying to figure out who to complain to about the Brazilian IP that keeps Trojan probing you…check out mynetwatchman.net. This is a free service that, (once configured) will accept your firewall log output, determine the appropriate contacts, send a standardized complaint on your behalf (including all required evidence for an investigation), and keep track of any responses to your complaints for you on the mynetwatchman website.
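As an added illustration of the reply above (that a touchy firewall logs normal LAN NetBIOS chatter right next to the genuine outside probes you might want to report), here is a small log triage script. It is example code, not from this thread or from Outpost; the log line layout and the 192.168.1.0/24 LAN are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# NetBIOS name/datagram/session service ports seen constantly on a Windows LAN.
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample log in an assumed "proto src_ip src_port dst_ip dst_port"
# layout (not Outpost's real format). 203.0.113.x / 198.51.100.x are documentation
# ranges standing in for "utterly foreign IPs".
SAMPLE_LOG = """\
udp 192.168.1.20 137 192.168.1.10 137
udp 192.168.1.20 138 192.168.1.255 138
tcp 192.168.1.20 1029 192.168.1.10 139
udp 203.0.113.5 137 192.168.1.10 137
tcp 198.51.100.7 3201 192.168.1.10 139
tcp 203.0.113.9 4455 192.168.1.10 135
"""

def classify(line, lan="192.168.1.0/24"):
    """Label one log line by where it claims to come from and what it hits."""
    proto, src, sport, dst, dport = line.split()
    src_ip = ipaddress.ip_address(src)
    lan_net = ipaddress.ip_network(lan)
    netbios = int(dport) in NETBIOS_PORTS
    # A source address on the LAN is a claim, not proof of which box sent it;
    # this just separates expected local chatter from outside probes.
    if netbios and src_ip in lan_net:
        return "lan-netbios"       # normal name-service noise, not worth an alert
    if netbios:
        return "external-netbios"  # outside NetBIOS probe: block, maybe report
    if src_ip in lan_net:
        return "lan-other"
    return "external-other"        # any other outside hit on a local port

def summarize(log_text, lan="192.168.1.0/24"):
    """Count each category and tally outside source addresses for an abuse report."""
    counts, offenders = Counter(), Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        kind = classify(line, lan)
        counts[kind] += 1
        if kind.startswith("external"):
            offenders[line.split()[1]] += 1
    return counts, offenders

if __name__ == "__main__":
    counts, offenders = summarize(SAMPLE_LOG)
    print(dict(counts))
    print("outside sources:", dict(offenders))
```

Only the `external-*` buckets are candidates for an abuse complaint; the `lan-netbios` bucket is the kind of traffic a "paranoid" default profile turns into a stream of alerts.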

I’m inclined to say that if your machines have been exposed to the internet without some sort of filtering for any amount of time then it is possible that your machines have all been compromised even if you’ve got all the patches for your OS/software. However, it’s entirely common for computers to be networked together using routers (especially for 4-5 machine networks, such as yours) which often integrate a hardware firewall into them (read: almost always). If such is the case, unless a rather large amount of time has been spent reversing this caution, it’s unlikely that your machines have been infected unless you’ve downloaded programs and executed them, which would be infection via local means. :dubious: Software firewalls are usually set to a very very very high level of filtering by default and it’s simply catching local network traffic that is legitimate (as the previous poster said).