How To Configure Firewall to Maximum Security Settings

Hi,

Let’s say I need to use the Internet very often for sensitive transactions (like Internet banking, online purchases which require entering a credit card number etc.) on a PUBLIC NETWORK (unavoidable) which everyone can access.

Q1. HOW would performing transactions over an unsecured network make my computer less secure?

Q2. Can people on the same unsecured public network easily gain access to my computer and steal my info etc?

I would not allow any chances of my personal info being stolen so

Q3. What are the TIGHTEST settings I can make on my Comodo firewall when I am connecting to an unsecured public network with no encryption? (e.g. put it in stealth mode, deny all incoming traffic, define my IP to be the only trusted network etc.)

Q4. By default, is Comodo blocking all incoming traffic? How about outgoing traffic?

I am also using Orbit Downloader and understand it uses P2P connection to accelerate download.

Q5. Does P2P make my computer less secure and more vulnerable? Is Orbit Downloader totally clean? Can I use a P2P service and block all incoming traffic at the same time?

I am no expert in configuring a firewall and hope I can get help here to make my system more secure. Any help would be much appreciated.

Thanks!

Q1: An unsecured network means that anyone can log into it and read anything you’re looking at and see whatever you’re typing. Personal data etc. can also be stolen and your computer is vulnerable to attack.

Q2: The Simple answer is YES.

Q3: Just ensure that when CPF3 detects the network you DO NOT tick any of the other boxes for File Sharing etc. Other than that your IP address will be the ONLY trusted network. Change your security level to Custom Policy Mode.

Q4: By default Comodo is blocking incoming and outgoing traffic according to your security level and network policy in CPF. Change your security level to Custom Policy Mode.

Q5: From what I understand P2P is less secure and more vulnerable.

*** Your best bet is to connect to what’s known as a VPN (Virtual Private Network), thereby securing your wireless connection. Comodo has recently introduced Comodo TrustConnect for this very purpose. See here: Change your security level to Custom Policy Mode

Ensure you’ve set up your P2P connections properly - see here: https://forums.comodo.com/frequently_asked_questions_faq_for_comodo_firewall/cant_get_torrentsp2p_apps_to_work_look_here_opening_ports-t5136.0.html;msg37687#msg37687

I hope this answers all of your questions.

Eric

I use public wireless a lot, so can maybe expound a little bit on what Eric said:

  1. Don’t ever use a purely “unsecured” network. Use SSL for any private or financial transactions. Most finance-related websites use https; if they don’t, strongly suspect a phish. If your ISP doesn’t offer secure email, get a Gmail account. This is only secure between you and the ISP, but that is the really vulnerable link. Don’t use sites that require passwords in the clear.
  2, 3, 4. As Eric said, don’t share, don’t trust, don’t allow anything that doesn’t stop your system from doing its functions. Explicitly block ports 135-139 and 445. In Comodo firewall, use custom policy and very high alert settings. End every ruleset with a block and log all. Always block first and fix it later if things fail. Use paranoid mode for D+. Use a good AV/AS like avast!, antivir, …
  And an uneducated opinion, knowing nothing of Orbit Downloader, says don’t do it. Unless you use a VPN like TrustConnect (free).
  Unless you are really rich and really careless, making you a prime target of hackers, a little bit of cautious security should take care of you. :) If you are, get the VPN!

Thanks Eric and sded for replying.

Currently I set both Defense+ and Firewall Security Level to “Train with Safe Mode”. I will now put Defense+ to Paranoid Mode. Hope Defense+ will not be overly talkative ;p

I am also running AVG Anti-Virus 7.5, Ad-Aware free version (usually do a scan once or twice a week) and Comodo BO Clean together with Comodo Firewall Pro 3 on my Vista 32 Home Premium notebook. For Comodo firewall, I have set

  1. Defense+ Security Level to “Paranoid Mode”
  2. Firewall Security Level to “Custom Policy Mode”
    Q6. How does Custom Policy Mode make my PC more secure compared to Train with Safe Mode?
  3. Firewall to stealth ports

I did not add any networks in “My Network Zones” and “My Blocked Network Zones”.

Q7. What other settings can I configure, on top of those I have already done, to ensure maximum security when connecting to an UNSECURED PUBLIC WIRELESS NETWORK? (I am always on the go and will be connecting my notebook to any public wireless network I have access to, e.g. public libraries, airports, shopping malls etc. I might need to perform sensitive transactions quite often on the go, and I am quite concerned about the security of public wireless networks which everyone has access to.)

I’m thinking of explicitly defining my IP address to be the only trusted network and defining all other IP addresses and networks as not trusted (and possibly blocked?).
Q8. How do I do that?

And sded (or anyone)
Q9. Would you please tell me what these ports (135-139 and 445) do? And
Q10. What does “block and log all” in rules do?

And lastly
Q11. The TrustConnect VPN seems to be exactly what I need now; how do I get one and/or read more about it?

Many questions! and I am learning ;p

Q7. I use whoever will let me on, and am less concerned about the public access points sponsored by reputable organizations. I spent 6 months last Winter sailing in Mexico, had no problems with just a little caution. You will see some blocked traffic, but it doesn’t stop you; it just annoys the router sometimes.
Q8. You have already blocked all incoming with the Stealth Port Wizard, other than by exception. Your IP address will change regularly, and you could reset things for each network, but I haven’t seen any need to do it.
Q9. These are NetBIOS and related ports, and are used for things like sharing. They can also provide remote access to your computer. Normally blocked if you don’t check any of these features, but I throw in an extra explicit block just in case. To read a little more about them, go to Shields UP!! or just Google the ports.
Q10. A block and log just stops new access attempts. It is a little inconvenient sometimes, but it keeps you from having to make decisions on the fly about new alerts; you can look at them later if something doesn’t work right.
Q11. As far as Trust Connect, you can read about it and get an account at https://forums.comodo.com/comodo_trustconnect_securing_the_wireless_world-b103.0/ .
And this time Eric can expound. :)

Quick question: if I log on to public Wi-Fi at my local library, in order to be hacked or “looked at” would someone in the local wireless area of the library have to be doing the hacking?

Expounding…

Q7/Q8. Whenever you connect to a network, CPF3 automatically detects that your wireless card has connected to a new network. When you click OK on the window that pops up, it adds your IP address as the only trusted IP address automatically. This is the same even if you are on a home private network.

There are a few other options which you might want to think about. In Firefox there is an extension that you can download which scrambles your keystrokes; it can be found here: https://addons.mozilla.org/en-US/firefox/addon/3383 - This does tend to slow your system a little, and obviously typing things out isn’t quite as fast as usual either, but it’s an option for a bit of extra security, particularly when you have just connected to an unsecured network and are typing in your passwords etc.

Obviously encrypting your system is also an option, but since you’ll be connecting to a VPN, which varies by provider, the encryption of the VPN is usually WPA and requires a login and password. This brings me to answering Question 11. Comodo TrustConnect is a VPN (Virtual Private Network). At the moment this is offered free of charge and is probably the only VPN that I know of that is free. It’s a program that you will have to load and log into, and you will see another wireless network icon in your system tray. You can read more about it here: https://forums.comodo.com/comodo_trustconnect_securing_the_wireless_world/a_new_service_to_secure_the_wireless_world-t13379.0.html
You’ll need to PM Melih in order to be signed up and he’ll send you an email link to download the connection program.

Q9. Here’s the information from GRC.com; it can be found by putting the following address in your browser: GRC | Port Authority, for Internet Port 0 - replacing “(Portnumber)” with the port number you want to look up.

Port Authority Database

Port 135

Name: dcom-scm
Purpose: DCOM Service Control Manager
Description: Microsoft’s DCOM (Distributed, i.e. networked, COM) Service Control Manager (also known as the RPC Endpoint Mapper) uses this port in a manner similar to SUN’s UNIX use of port 111. The SCM server running on the user’s computer opens port 135 and listens for incoming requests from clients wishing to locate the ports where DCOM services can be found on that machine.
Related Ports: 111

Background and Additional Information:

Port 135 is certainly not a port that needs to be, or should be, exposed to the Internet. Hacker tools such as “epdump” (Endpoint Dump) are able to immediately identify every DCOM-related server/service running on the user’s hosting computer and match them up with known exploits against those services.

Any machines placed behind a NAT router (any typical residential or small business broadband IP-sharing router) will be inherently safe. And any good personal software firewall should also be able to easily block port 135 from external exposure. That’s what you want.

In addition, many security conscious ISPs are now blocking port 135 along with the notorious “NetBIOS Trio” of ports (137-139). So even without any of your own proactive security, you may find that port 135 has been blocked and stealthed on your behalf by your ISP.

Going Further: Closing port 135

The widespread exposure and insecurity of this port has generated a great deal of concern among PC gurus. This has resulted in several approaches to shutting down the Windows DCOM server and firmly closing port 135 once and for all. Although applications may be “DCOM enabled” or “DCOM aware”, very few, if any, are actually dependent upon the presence of its services. Consequently, it is usually possible (and generally desirable if you’re comfortable doing such things) to shut down DCOM and close port 135 without any ill effects. (The fewer things running in a Windows system, the fewer things to suck up RAM and slow everything else down.)

Port Authority Database

Port 136

Name: profile
Purpose: PROFILE Naming System
Description:
Related Ports:

Port Authority Database

Port 137

Name: netbios-ns
Purpose: NetBIOS Name Service
Description: UDP NetBIOS name query packets are sent to this port, usually of Windows machines but also of any other system running Samba (SMB), to ask the receiving machine to disclose and return its current set of NetBIOS names.
Related Ports: 138, 139, 445

Background and Additional Information:

When Microsoft first awoke to the wide area network (WAN) Internet, its local area network (LAN) NetBIOS file sharing technology was using a “transport protocol” known as NetBEUI. Unlike the Internet Protocol (IP), NetBEUI does not have the concept of “ports”. So Microsoft grabbed a trio of three successive Internet ports 137, 138, and 139, to use for the transport of their existing NetBIOS protocol over IP-based LAN and WAN networks. The horrors of insecurity resulting from Microsoft’s exposure of their NetBIOS protocol to the Internet are legendary. They were the original impetus for our creation of the ShieldsUP! services, and our ongoing research into personal computer security and privacy.

As a result of the continuing security concerns created by the default global exposure of Windows’ NetBIOS file sharing, many ISPs are now blocking this wildly abuse-prone trio of ports on behalf of their users. Many users will find that the various ShieldsUP! probes and scans will report a “stealth” status for these ports without any user-side protection of any kind. After a decade of trouble, ISPs have stepped up and decided that, much as they didn’t want to be involved in the need to block specific ports, they are doing their users a security service for which Microsoft has been unwilling to take the necessary responsibility.

If you are curious to learn more about the truth and consequences of Microsoft’s Windows NetBIOS file sharing, the topic is covered carefully and in detail in a series of pages beginning here: GRC | Shields UP! -- Internet Connection Security Analysis  .

445?

In the name of backward compatibility, Windows 2000 and subsequent Microsoft operating systems continue to support the original NetBIOS port trio. But with Windows 2000 and beyond, Microsoft has moved their NetBIOS services over to port 445 — and, perhaps not surprisingly, created an entire next-generation of even more serious security problems with that port. See the port 445 page for details.

Port Authority Database

Port 138

Name: netbios-dgm
Purpose: NETBIOS Datagram Service
Description: UDP NetBIOS datagram packets are exchanged over this port, usually with Windows machines but also with any other system running Samba (SMB). These UDP NetBIOS datagrams support non-connection oriented file sharing activities.
Related Ports: 137, 139, 445

Background and Additional Information:

This is the second port of the original “NetBIOS trio” used by the first Windows operating systems (up through Windows NT) in support of file sharing.

For additional information about this trio of Internet ports, please see the “Background and Additional Information” for the first port of the trio, port 137.

Port Authority Database

Port 139

Name: netbios-ssn
Purpose: NETBIOS Session Service
Description: TCP NetBIOS connections are made over this port, usually with Windows machines but also with any other system running Samba (SMB). These TCP connections form “NetBIOS sessions” to support connection oriented file sharing activities.
Related Ports: 137, 138, 445

Background and Additional Information:

This is the third port of the original “NetBIOS trio” used by the first Windows operating systems (up through Windows NT) in support of file sharing.

For additional information about this trio of Internet ports, please see the “Background and Additional Information” for the first port of the trio, port 137.

Port Authority Database

Port 445

Name: microsoft-ds
Purpose: Microsoft Directory Services
Description: This port replaces the notorious Windows NetBIOS trio (ports 137-139), for all versions of Windows after NT, as the preferred port for carrying Windows file sharing and numerous other services.
Related Ports: 137, 138, 139

Background and Additional Information:

While ports 137-139 were known technically as “NBT over IP”, port 445 is “SMB over IP”. (SMB is known as “Samba” and stands for “Server Message Blocks”.) After all of the trouble the personal computer industry has had with Microsoft’s original Windows NetBIOS ports 137 through 139, it is difficult to imagine or believe that Microsoft could have actually made things significantly worse with their replacement port 445 . . . but they did.

Whereas the great vulnerability originally created by Windows file sharing was that hackers could perhaps gain remote access to the contents of hard disk directories or drives, the default exposure of the Internet server Microsoft silently installed into every Windows 2000 system (where port 445 first appeared), allows malicious hackers to remotely log onto the computers of unsuspecting users — across the Internet — and more recently, through the use of some clever and readily available freeware tools (PsExec from SysInternals) to silently upload and run (in the remote user’s computer) any programs of their choosing without the computer’s owners ever being aware.

As you might imagine, malicious hackers have been having a field day scanning for port 445, then easily and remotely commandeering Windows machines. Even several hackers I have spoken with are unnerved by the glaring insecurities created by port 445. One chilling consequence of port 445 has been the relatively silent appearance of NetBIOS worms. These worms slowly but methodically scan the Internet for instances of port 445, use tools like PsExec to transfer themselves into the new victim computer, then redouble their scanning efforts. Through this mechanism, massive, remotely controlled Denial of Service “Bot Armies”, containing tens of thousands of NetBIOS worm compromised machines, have been assembled and now inhabit the Internet.

Dealing with Port 445

Needless to say, you do NOT want port 445 exposed to the Internet. Like Windows port 135 (which is a whole different problem) port 445 is deeply embedded in Windows and can be difficult or impossible to safely close. While its closure is possible, other dependent services such as DHCP (dynamic host configuration protocol) which is frequently used for automatically obtaining an IP address from the DHCP servers used by many corporations and ISPs, will stop functioning.

For the security reasons described above, port 445 has been causing so many problems that many ISPs are taking security matters into their own hands and blocking this port on behalf of their users. If our port checking shows your port 445 as “stealth” while you are not being otherwise protected by a NAT router or personal firewall, your ISP is probably preventing port 445 traffic from reaching you.

If you really want 445 closed

Any NAT router or personal firewall should be able to block port 445 from the outside world without trouble.


Q10. Block obviously stops new access attempts as Sded stated and Log will show the list of blocked attempts as they happen.

Hope this answers all your questions further.

Eric

I am not a hacker or cracker, so don’t have expertise in breaking into wireless computer networks. But a few points that might be useful:
1. Wi-Fi is nothing but Ethernet over radio. The power of the transmitters is typically from 0.03-0.5 watts EIRP, so even with a directional antenna trained on the access point, hackers won’t be too far away. So the answer to your question is generally “YES”.
2. Once you get to the wireless router, the vulnerabilities are the same as for any wired network accessing the internet. There may be bad guys out there too, but same problems.
3. So security really concentrates on the link between your network adapter and the router. Your vulnerabilities within the library LAN are again just like wired, except for link security. You need a good firewall, block stuff you don’t absolutely need, don’t trust or share, use SSL, do all the stuff discussed before. And the hacker (not necessarily listener) needs to connect to the network to send traffic, although with a wireless link you are more vulnerable to spoofing, man in the middle attacks, and other things that delight security wonks.
4. As far as listening, within range a hacker can easily listen to and decode the conversation between the router and any of the nodes. Thus the emphasis on link encryption (WPA, since WEP cracking tools are easily available) to the router and VPNs which encrypt the whole link to the VPN server. If you operate in the clear, it is not too difficult to intercept your traffic and decode it, especially for Linux users, with Packet Sniffers and other tools. So a good rule of thumb is to assume that your link can be easily intercepted, and proceed accordingly.
5. If you really think someone is after you, use the VPN. If it is the Government, they will just get the data from your ISP with a subpoena, so think about full message encryption with a tool like PGP.

The unknown access points present a few more problems, since even the router may be compromised, and the link encryption doesn’t help. So that tends to drive you to the VPN solution if you don’t encrypt the traffic itself with SSL or otherwise.

And the experts can delight you with a lot more information. (:KWL)

This is a very useful and informative topic. Special thanks to all writers.

The Firefox extension was mistyped in Eric’s link. It is corrected.

aXes

Thanks Eric, sded for expounding… That was very informative.

Q12. How do I add “Block and log all” in a rule? Do I have to end EVERY rule in Network Security Policy with this? I still don’t quite get this. If I add that “Block and log all”, doesn’t that mean my programs won’t work anymore since I already blocked them?

In fact I have already been using KeyScrambler for my IE for a few months. Generally I would think it’s a great add-on for protection against keyloggers. I have also explicitly blocked those NetBIOS ports. Probably that is all I can do now.

Already PM’d Melih and waiting for the VPN invitation. Think this is exactly what I need now; eager to try it out and hope Comodo will not charge for it in the future. Well, who doesn’t like increased security for free?

I read about http://opendns.com/ (free) and it claimed to make Internet safer, faster and more reliable. Here:

The easiest way to protect against spoofing and phishing attacks is to simply ensure that DNS resolution can be trusted. If the attacker does not control name resolution, it becomes much harder to trick a user into using a phishing site. With control of DNS resolution, an attacker can replace any well-known domain name with a phishing site. However, without access to the user’s DNS, the attacker can only phish by using a domain name that is similar, but not the same, as a well-known name.

There are two ways to protect against such attacks. First, users could use a trusted third-party DNS service instead of the supplied DNS to provide some protection. Second, the move to secure DNS using DNS Security Extensions (DNSSEC) would provide safe DNS resolution.

Almost all networks provide DNS server addresses as part of dynamic host configuration (DHCP) and thus most users just use these servers. However, this provides an easy opportunity for an attacker to specify his own compromised DNS servers. To protect against this threat, users can instead use a trusted third-party DNS resolution service when on an unsecured network. There are several choices for alternative DNS servers, including free DNS services such as OpenDNS.

OpenDNS is a free, publicly available DNS service that provides not only DNS resolution but additional security features [OpenDNS]. OpenDNS provides extra security by blocking requests to known phishing and other malicious sites. To use this service, a user needs only to manually set their DNS servers in their computer’s network settings. This is a one-time change because the OpenDNS service can be used for any Internet connection.

OpenDNS protects millions of people a day across hundreds of thousands of schools, businesses and homes. We block phishing sites, give you the power to filter out adult sites and proxies among more than 40 categories, and provide the precision to block individual domains.

OpenDNS has servers situated strategically at the most well-connected intersections of the Internet. Unlike your ISP, our network uses Anycast routing technology, which means no matter where you are in the world your DNS requests are answered by our closest datacenter. Anycast routing also means that you are automatically routed to our next closest datacenter in the event of maintenance or downtime. This makes your Internet faster and more reliable.

No harm trying it out.

I add a “block and log all” at the end of each application ruleset, just like in the predefined policies from Comodo. That way there is a log of anything an application tries that is unexpected, and I can decide to allow or block it based on a little analysis. Also add another as the final rule of the application rules to avoid getting unexpected popups that require an on-the-fly decision. Usually remove it when doing an installation known to access the internet, put it back afterward.
Should have mentioned DNS. I do as the article recommends, and set up the wireless adapter with known and trusted DNS servers (my ISP and a couple of majors) instead of using whatever is served. OpenDNS adds a few other features, but have not used it; the big benefit is really in not letting an unknown network select your DNS server. Seems like a worthwhile tool, though. :-TU

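To show what sded's "block and log all" does, and why the allow rules above it still let a program work (Q12), here is an added example that is not part of the thread or of Comodo's software: a small Python model of a first-match ruleset, run over constructed connection attempts. The application names, ports and addresses are assumptions chosen to match the advice in the thread.

```python
# Added example, not code from the thread: a first-match firewall ruleset that
# ends in "block and log all", run over constructed connection attempts.
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

NETBIOS_SMB_PORTS = frozenset({135, 136, 137, 138, 139, 445})  # ports named in the thread

@dataclass(frozen=True)
class Attempt:
    app: str        # program involved; "system" for unsolicited inbound traffic
    direction: str  # "in" or "out"
    proto: str      # "tcp" or "udp"
    peer: str       # remote address (constructed sample values below)
    port: int       # local port for "in", remote port for "out"

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                        # "allow" or "block"
    direction: Optional[str] = None    # None matches either direction
    proto: Optional[str] = None        # None matches either protocol
    ports: Optional[frozenset] = None  # None matches any port
    log: bool = False

    def matches(self, a: Attempt) -> bool:
        return (self.direction in (None, a.direction)
                and self.proto in (None, a.proto)
                and (self.ports is None or a.port in self.ports))

BLOCK_AND_LOG_ALL = Rule("block and log all", "block", log=True)

# Per-application rulesets, each ending in "block and log all" as sded describes.
RULESETS: Dict[str, List[Rule]] = {
    "firefox.exe": [
        Rule("web out", "allow", "out", "tcp", frozenset({80, 443})),
        Rule("dns out", "allow", "out", "udp", frozenset({53})),
        BLOCK_AND_LOG_ALL,
    ],
    "system": [
        Rule("explicit NetBIOS/SMB block", "block", "in", None, NETBIOS_SMB_PORTS, log=True),
        Rule("dhcp reply", "allow", "in", "udp", frozenset({68})),
        BLOCK_AND_LOG_ALL,
    ],
}

def evaluate(a: Attempt, log: List[Tuple[str, Attempt]]) -> Tuple[str, str]:
    """The first matching rule decides; returns (action, rule name).
    Traffic from an application with no ruleset hits block-and-log-all directly."""
    for rule in RULESETS.get(a.app, [BLOCK_AND_LOG_ALL]):
        if rule.matches(a):
            if rule.log:
                log.append((rule.name, a))
            return rule.action, rule.name
    return "block", "implicit deny"  # not reached while every ruleset ends in a block-all

def run(attempts: List[Attempt]):
    """Evaluate every attempt; returns (verdicts, log of blocked-and-logged attempts)."""
    log: List[Tuple[str, Attempt]] = []
    return [evaluate(a, log) for a in attempts], log

def blocked_by_port(log) -> Dict[int, int]:
    """Review helper for the log: how many logged blocks hit each port."""
    return dict(Counter(a.port for _, a in log))

SAMPLE_ATTEMPTS = [  # constructed, not captured traffic
    Attempt("firefox.exe", "out", "tcp", "203.0.113.10", 443),   # banking site over HTTPS
    Attempt("firefox.exe", "out", "tcp", "203.0.113.10", 8080),  # unexpected port
    Attempt("system", "in", "tcp", "192.0.2.7", 445),            # SMB probe from the LAN
    Attempt("system", "in", "udp", "192.0.2.7", 137),            # NetBIOS name query
    Attempt("system", "in", "udp", "192.0.2.1", 68),             # DHCP reply, still allowed
    Attempt("orbit.exe", "in", "udp", "198.51.100.5", 16384),    # P2P peer with no rule
]

if __name__ == "__main__":
    verdicts, log = run(SAMPLE_ATTEMPTS)
    print(verdicts, blocked_by_port(log))
```

The browser's normal traffic is allowed by the rules above the final one, while the NetBIOS/SMB probes and the unknown P2P peer are blocked and recorded for later review rather than raising an alert.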