Personal Firewalls and Trusted Programs

david.o.hamilton — Fri, 19 Sep 2008 23:00:00 GMT

In the last posting, I talked about changing security level to fix problems created by personal firewalls. In this posting I talk about the next thing to try, if the first two options either are not available, don't resolve the problem or there is a reason to not select a lower security level.

The next thing to try is to trust a particular program. This helps when custom software has been installed, as is generally the case with a network printer.

The easiest way to trust a program is to ensure that the firewall is configured to prompt whenever a program first attempts to make a network connection. This setting needs to be made before installing the printer software. Fortunately, firewalls often have this as their default setting, but not always.

For these prompts to occur, the firewall needs to be running. Don't disable the firewall before installing the printer software, or the prompts will not occur; while it may be tempting to turn off the firewall before installation to avoid problems, this only postpones problems to a later time. The best thing to do is to leave the firewall enabled and then look for, carefully read, and select to Always-Allow connections when prompted by the firewall software.

When the firewall is set to prompt, then as soon as a program first tries to make a network connection, the firewall should pop up a dialog asking whether to allow or block this program from what it is trying to do. There are several common problems with these popup dialogs:

1) They can happen frequently, leading to a temptation to click quickly on something to make the dialog go away.

2) They can be told to “go away and not come back”. To reduce how often these popup dialogs happen, they often have an option not to show them again. Although one might think this means to take the current selection (e.g., Allow Communication) and always apply this choice without prompting again, this is not always what this option means. Sometimes the firewall simply blocks without prompting. It often surprises people when they find this out.

3) Popup dialogs are not always worded using the most clear language, so be sure to read them carefully to make the right selection.

4) They sometimes incorrectly report that a program is attempting to make a connection to the “Internet” when the program is actually just connecting to the private local network, not the public Internet. This surprises people and sometimes causes them to select to block the connection because they don’t know why a program needs to access the “Internet” and don’t want it to send information on the Internet. This inadvertently causes local network connections to be blocked.

Any of the above problems can lead to a necessary program not being trusted. So if problems happen after installation, it may be a good idea to check to be sure that all necessary pieces of software are trusted. So how does one find out what software should be in the firewall’s list of trusted programs? You need to check the available documentation on the specific printer. Take the HP Photosmart C4380 wireless All-in-One as an example. The following document lists the programs that need to be trusted to ensure that scanning will work.

http://h10025.www1.hp.com/ewfrf/wc/document?docname=c01460919&cc=us&lc=en&dlc=en&product=3221646

You can find documents like this using the method described in the first posting, repeated here:

Go to the main hp web site: http://www.hp.com/

Move the mouse over the “Support & Drivers” tab near the top of the page.

Enter the product name, such as Photosmart C8180.

Here is the key part: near the top of the page is a field called “Questions or keywords”. In this field, enter the word “networking” (or other keywords if you have problems outside of networking)

The search results will list several documents on the right side of the page, including a variety of documents with tips and solutions. There may be multiple pages of results; you can get to additional pages by clicking on the “Next” button or clicking on one of the page numbers.

Once you find the list of programs that need to be trusted, you will need to navigate the user interface of your particular firewall in order to find out how to add them to the trusted programs list.

If you uninstall the software that you have trusted, you should go back into the firewall settings to remove the trust as well.

It is probably clear that this method of trusting a program is a bit more complex and error-prone than the previously discussed methods. One thing that Hewlett-Packard does to avoid customers from having to deal with the hassle of trusting programs is to work with various firewall manufacturers to pre-configure the firewall to trust programs associated with HP printers. This only works when you have an active subscription for your firewall and you accept updates for it. Not all firewall makers have a method of pre-configuring trusted programs.

MAC Address Filtering

david.o.hamilton — Fri, 11 Jul 2008 22:57:00 GMT

Imagine the following scenario: a small startup business (“Acme Networking”) wants to increase their security by posting a guard at their front door who only admits authorized employees. Because they don’t have a lot of money, and because they want to keep things simple, they tell the guard to block people who do not tell the guard that they work for “Acme Networking”. The guard stands beside a door that has “Acme Networking” posted on it, and asks each person “Who do you work for?”

Pretty dumb security, isn’t it? It would prevent someone from accidentally going through the Acme Networking door, but it wouldn’t stop someone who is trying to sneak in; they would just look at the door and say “Oh yes, well um, I work for Acme Networking of course.”

MAC address filtering is like the Acme Networking security guard because with it the router only allows communication with devices having a MAC address that the router has been told about, and because those MAC addresses are easy to see for anyone trying to sneak into the network. The MAC address is included in communication with the router and the MAC address portion of the communication is unencrypted so anyone can see it even if they have not joined the wireless network. An "intruder" simply needs to change the MAC address on their computer to match one that they see being used on the network.

So although MAC address filtering prevents people from accidentally joining a network, it does little to prevent anyone from sneaking onto the network.

MAC address filtering causes problems because it obviously needs to be kept current. As each new device is added to the network, the new device’s MAC address needs to be added to the MAC address filter list. Any mistake in entering it prevents the new device from working correctly. And because MAC address filtering is not a standard WiFi feature, there is no mechanism to tell a device that it really hasn't joined the network because it was "filtered out". So the new device will think it is on the network but the router will be ignoring anything the new device sends to it, and the router won’t route any data to the new device.

Most people don’t manage their router settings on a daily basis, so it is easy to forget that MAC address filtering is being used, and others using the network may not be aware it is being used. If someone forgets or is unaware that MAC address filtering is being used and they try to add a new printer to the network, they will generally be confused and frustrated. They did everything right but the darn thing just won’t work.

This is why MAC address filtering is often deemed much more trouble than it is worth. In fact, it has been listed as one of “the six dumbest ways to secure a wireless LAN” by George Ou. (http://blogs.zdnet.com/Ou/index.php?p=43)

By the way, many recent HP inkjet printers include a Wireless Network Test that can be run from the printer front panel, with the results printed as a report. It includes many different checks of error conditions. If there are no indications of an error but the printer does not sense any network communication, it warns that MAC address filtering may be blocking communication.

Everyone needs to make their own choice when the balance security and convenience, but pros and cons of MAC address filtering should be carefully considered when setting up a wireless network for a friend or relative. Are you really going to be doing them a favor by setting this up so that they have to deal with it later?

Network Inkjets from the Inside : networking printing

Personal Firewalls and Trusted Programs

MAC Address Filtering