Tangled in the Threads

Jon Udell, March 8, 2000

Personal firewalls and local proxies

Inbound filtering is becoming routine. But don't overlook the importance, and power, of outbound filtering.

As always-on DSL and cable-modem connections proliferate, awareness of the associated security risk is growing. Personal firewalls such as BlackICE Defender and ZoneAlarm, once geeky accessories, are now being reviewed and recommended in publications as mainstream as The New York Times.

I bought a copy of BlackICE Defender some months ago, shortly before my DSL line was installed, and have been very impressed with the product. It reveals that even dialup connections are subject to a certain amount of suspicious probing. These probes are not usually attacks, although new users of personal firewalls like to portray them that way: "I was attacked 20 times in the first week." Well, not really. My dialup connection was, for example, hit a few times with a PCAnywhere ping. What's nifty about BlackICE Defender is the comprehensive and level-headed explanations and advice that you can view when one of these probes occurs. In this case, the probes were coming from other machines on my local subnet, and represented nothing more than PCAnywhere's normal promiscuous broadcasting.

When there really is an attack, BlackICE Defender can log your network traffic to a file that you can decode and view with, for example, Windows NT Server's Network Monitor or an equivalent utility.

Once I switched to DSL, though, I stopped seeing alarms from BlackICE Defender. The reason is that my Cisco 675 DSL router's NAT (network address translation) feature blocks all inbound access.

Here's what Randy Switt had to say about BlackICE Defender in the networking newsgroup:

Not too bad, but it seems to put up too many spurious alerts and it doesn't do any sort of OUTBOUND filtering. ZoneAlarm is my current favorite, though I'm interesting at looking at Esafe's Aladdin Desktop Product. They just started offering it as a free product. It includes Java and ActiveX sandboxing as well as firewalling.

An excellent point about outbound filtering. Randy elaborates:

When you launch a program that attempts to make an outside connection, ZA will pop up a dialog informing you that the program is trying to connect to an outside source. It then gives you the chance to deny the connection or allow it, and remembers your choice.

ZA differentiates between a local zone (your personal network) and the Internet (anywhere else), and allows you to put different permissions on each for every network app. In addition, there is an "allow server" checkbox (not checked by default) which will allow a program to accept "incoming" connections (i.e. act as a server).

With outbound (or application-level) filtering, you are much better protected from trojans, since a typical firewall can't stop those if you get it through an e-mail or something. But ZA will alert you that a suspicious program is trying to contact the net, and you can shut it down.

This is why ZA is such a pain for the first day. I never realized how many programs I use actually connect to the Net! A symptom of having a 24/7 DSL connection, I guess.

Robert Carey was immediately sold on the idea:

Last night I stupidly ran the trojan horse, PrettyPark.exe, and installed it on my machine. I spent most of the morning trying to be sure that my system was clean. (Over twenty years with computers and this is the second time I have actually seen a virus-like program. I just installed McAfee two weeks ago. It didn't catch it.) This trojan is supposed to access the net every thirty seconds and propagate itself via email every thirty minutes.

Today, after visiting this newsgroup, I downloaded and ran ZoneAlarm. It is definitely interesting. For the first 10 minutes or so it was a pain, but I would rather have it bug me about all network accesses from my machine and then configure itself to eliminate the checks on programs I feel are safe than to have it remain silent and not really know what it was up to. I definitely feel more comfortable having this thing on my system today. So far it seems to be working pretty well.

Paul Dickins ran into a few problems:

I put ZoneAlarm on to my Win98 xDSL box because I was receiving an increasing number of attacks and Nukenabber did not seem to catch them all.

What I have found is that ZoneAlarm has some quirks: it tells you a site has been blocked just as you leave it to go to another URL. On trying to access http://www.byte.com it often fails because of the ad banner which, presumably, is running Java rotating images and scripts. So, I often receive a 404 error of page not found. I have emailed Zone.

Thanks for the heads-up, guys! I jumped on the ZoneAlarm bandwagon too. Like Robert Carey, I'm feeling more comfortable as a result. Unlike Paul Dickins, I haven't yet run into any problems worth reporting.

The magic of local proxies

Local proxies are complementary to personal firewalls, though less well-known. Why would you use one? Back in December, Ulf Dittmer described the kind of scenario in which a local proxy is handy:

Prompted by the recently reported privacy risk of receiving email that contains HTML image tags and reveals information by automatically downloading the image URL (which contains data in the query string), I examined the HTML of a web site I occasionally use. Turns out it contains IFRAMEs that automatically access (either through JavaScript or IMG tags) a third-party site, and passes information to it, e.g. the date and a token which I've seen in several places when using the web site, and which must be unique to me. Needless to say, I'm not too happy about this. Short of not using the web site anymore, is there a way that I can block connections to this particular third-party site on the machine or browser level (I'm using NT)? I looked through the Navigator and IE options, but haven't found anything. Blocking at the firewall seems overkill; would connecting through a personal proxy server on my machine solve the problem? How do other people deal with this issue?

Alan Shutko:

Try http://www.junkbusters.com/ht/en/index.html.

It's a personal proxy server which strips as much info as you want, from requests going to website you want.

Fred Pacquier:

Indeed. I've been using The Proxomitron myself for many months, despite the funny name and the author's unserious attitude (or maybe indeed because of those :-). It's easy to use and customize, yet powerful and lightweight:

http://proxomitron.cjb.net/

I first tried local proxying a few years ago, inspired by something that Bret Musser said in these newsgroups. I did some experimentation in Perl, and was fascinated with the power that flows from the ability to run search-and-replace operations on incoming web pages, and incoming and outgoing HTTP headers.

Proxomitron makes these capabilities readily available to anyone -- well, to anyone geeky enough to want to do this kind of thing in the first place, but not quite geeky enough to build it from scratch in Perl. I think it's the coolest (and funniest) software invention I've seen lately.

Using Proxomitron

Proxomitron by default listens on port 8080. Point your browser there, and Proxomitron happily begins rewriting your web pages and HTTP headers on the fly. The default web-page filters attack a variety of annoyances. For example, there's the "Link De-Obfuscator" which neuters JavaScript onMouseOver handlers like this:

Search for: onMouseOver=("*.status=)\1

Replace with: noMouseOver=\1

What's annoying about JavaScript onMouseOver handlers is that they prevent the browser from displaying, in the status window, the address of the link your cursor is hovering over. I think that address is useful information, much more useful than a repetition of the link's label, or anything else an over-eager web-page designer decides to put there. The "Link De-Obfuscator" transforms the handler for onMouseOver into a handler for noMouseOver -- an event that, conveniently, does not exist.

Is Scott Lemmon, Proxomitron's author, having too much fun? My browser, for example, would normally send out the User-Agent header:

Mozilla/4.5 [en] (WinNT; I)

When Proxomitron is active, it instead reports:

SpaceBison/0.01 [fu] (Win67; X; ShonenKnife)

You can (and should) visit Scott's site to learn about the derivation of ShonenKnife. Whimsical as all this is, however, there is also tremendous utility here. Suppose for example you want to automatically authorize yourself to a password-protected web site as user Aladdin, with password open sesame. If you type in these credentials when the protected site prompts you to log in, your browser will retry the request and add this HTTP header:

Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

With Proxomitron, you can skip that login by pre-emptively transmitting the Authorization: header, using an outbound HTTP header that you declare thusly:

Of course, your real username/password combo is not likely to be Aladdin:open sesame. How do you discover the MIME-encoded representation of your real credentials? For geeks that's no problem, but Proxomitron makes it easy for civilians. Just turn on its logging window, authenticate to your protected site, copy the MIME-encoded header that your browser sends when you log in, and paste it into the filter.

I'm not recommending that you use this particular trick. There are good reasons not to write passwords down anywhere. But in general, this technique of rewriting headers is incredibly powerful and useful.

Last week, I wrote about cross-browser DHTML. While researching that column, I was curious to know how the new Mozilla browser would handle DHTML -- without the assistance of the JavaScript wrappers that are often used to smooth over the differences between Netscape's and IE's DHTML. By the time this discussion came up, I'd forgotten about Proxomitron, which Fred had mentioned months before. Here's how Mark Wilcox suggested making Mozilla masquerade as MSIE:

I don't have any code, nor have I tried this but here's how I would give a better test of Mozilla's DHTML.

Write a VB (or Perl or Python using COM) app that did HTTP (reporting the Useragent as MSIE 5) and feed all of the HTML to Gecko (using the Gecko ActiveX control).

Fred Pacquier:

Much easier (under Windows): use Proxomitron as a local filtering proxy, and tell it to report exactly what UA you want.

Mark Wilcox:

Oh yeah! Take the easy way out :-)

Fred Pacquier:

Sometimes it pays to keep the occasional low-tech guy around, just to keep the trigger-happy coders from overengineering things :-)

Amen. Thanks Fred! I'm having way too much fun with Proxomitron! If only I could get its plug-in filter called "Deja-Spam Toilet Brush" to deal with the latest abomination foisted on us by the designers of Deja.com, life would be perfect.


Jon Udell (http://udell.roninhouse.com/) was BYTE Magazine's executive editor for new media, the architect of the original www.byte.com, and author of BYTE's Web Project column. He's now an independent Web/Internet consultant, and is the author of Practical Internet Groupware, from O'Reilly and Associates. His recent BYTE.com columns are archived at http://www.byte.com/index/threads

Creative Commons License
This work is licensed under a Creative Commons License.