Chapter 2. Using Guarddog

Tutorial: Basic Configuration

In this tutorial I will explain some basic networking concepts and how to quickly set up Guarddog to protect a single workstation.

Starting Guarddog

First start up Guarddog. For recent Mandrake and Redhat systems there should be a Guarddog menu entry on the K menu under Configuration/Networking. You will then immediately be asked for the password for the 'root' user. This is required because Guarddog needs administrator access in order to modify the computer's networking sub-system.

Once Guarddog has opened its window you will see that the user interface is divided across four tabs. For this tutorial we will ignore the Zone, Logging and Advanced tabs and concentrate on the Protocol tab.

Basic Networking Concepts

(Skip this section if you understand network protocols and the "Client Server Model".)

Now I must explain what a protocol is. Computer networks are all about computers talking to other computers. And just like when talking to another person in the real world, it helps if you both agree to speak the same language, be it English, Dutch or Sign Language. The same thing applies to computers on networks. They need to agree on what language they are going to speak when talking to another computer. These 'languages' are known as network protocols. An important difference between human languages and network protocols is that protocols are usually only intended for one particular task, like moving files (for example, FTP, the File Transfer Protocol), fetching web pages (for example, HTTP, the HyperText Transfer Protocol) or chatting with other computer users (for example, IRC, Internet Relay Chat).

Attacks against computer systems across a network are performed by using and abusing protocols and the software that implements them. All too often the software implementing a protocol contains flaws that can be exploited by malicious people to gain access to a system, or to disrupt it.

One more important concept to understand about network protocols is the "Client Server Model". All network protocols involve at least two different parties communicating. Although each party is using the same protocol, quite often they will have different roles to play in that protocol. The most common model is where one party acts as a "client" while the other acts as a "server" who responds to requests from the "client". A very close analogy in the real world would be buying fries down at the local fast food restaurant. You and the person behind the counter would both be using English as the communication protocol, but in this situation you both have different roles. You would have the role of "client" while the person serving you would be acting as the "server", basically doing what the "client" requests. HTTP, the protocol used on the World Wide Web, uses the "Client Server Model". Your web browser acts as the client while the big web server at Slashdot or CNN acts as the server, delivering pages back to your browser when it asks for them.

Permitting DNS

(Skip the next paragraph if you know what DNS is.)

The Protocol tab is where you specify which protocols may be used between your computer and the internet. The "Domain Name System" protocol, commonly known as DNS, is a very important protocol. All machines on the internet have what is known as an IP address, which is just a number. You may have seen some before. They are often written as a "dotted quad" like "195.231.34.5" for example. An IP address is sort of like a telephone number, except that it's for identifying computers on the internet and not telephones. One problem with using IP addresses to identify machines is that they're not very human friendly. This is why "Domain Names" were invented. A "Domain Name" is just a human friendly name for a machine. Some examples of domain names are www.simonzone.com, www.cnn.com and dot.kde.org. But to use the internet your computer needs IP addresses, and not "domain names". This is where DNS comes in. It bridges the gap between "Domain Names" and IP addresses. It is a system for turning human friendly names like www.simonzone.com into computer friendly IP addresses. Machines on the internet known as DNS Servers do nothing except answer queries from other machines wanting to know what IP address matches which domain name, much like how a telephone directory matches people's names and addresses to telephone numbers. By using a DNS server your computer knows what you are talking about when you ask for www.slashdot.org. Without DNS your web browser won't know where to find www.cnn.com, and an ICQ chat client won't be able to find the chat network at icq.com either. Without DNS most other protocols don't work.
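As an added example, not part of the Guarddog handbook, here is a small Python program showing what the DNS exchange described above actually looks like on the wire: the client builds the query a resolver sends to a DNS server on UDP port 53 (which is exactly the traffic the DNS check box permits), and parses the server's answer to get an IP address back. The server's reply is constructed inline for this example, using the domain name and dotted-quad address from the paragraph above, so it runs with no network access. All function and variable names are this example's own.

```python
import secrets
import socket
import struct

# Constructed for this example: the name and address used in the paragraph above.
EXAMPLE_NAME = "www.simonzone.com"
EXAMPLE_IP = "195.231.34.5"


def build_query(name, txid=0x1234):
    """Build a DNS query message: header plus one question of type A (IPv4 address), class IN."""
    # Header: id, flags (RD=1, "please recurse"), qdcount=1, ancount=0, nscount=0, arcount=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    # QNAME is a sequence of length-prefixed labels terminated by a zero byte.
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg, off):
    """Decode a domain name at msg[off], following compression pointers (RFC 1035 section 4.1.4)."""
    labels = []
    end = None  # offset just past the name at its original position
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = pointer
            continue
        off += 1
        if length == 0:
            if end is None:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_response(msg, expected_txid):
    """Return [(name, ipv4, ttl), ...] for the A records in a DNS response."""
    txid, flags, qdcount, ancount, _nscount, _arcount = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        # A resolver must discard replies whose id does not match its outstanding query.
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("message is a query, not a response")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError(f"server returned error code {rcode}")
    off = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:  # A record, IN class
            answers.append((name, ".".join(str(b) for b in rdata), ttl))
    return answers


def constructed_response(query, ipv4, ttl=3600):
    """Fabricate the reply a DNS server would send for `query` (constructed, not captured traffic)."""
    txid = struct.unpack("!H", query[:2])[0]
    # flags 0x8180: response, recursion desired, recursion available, no error
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = query[12:]  # servers echo the question back
    # Answer: name is a pointer (0xC00C) to the question name at offset 12.
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + bytes(int(x) for x in ipv4.split("."))
    return header + question + answer


def resolve_offline(name):
    """The whole client/server exchange with the server side simulated, so it runs with no network."""
    query = build_query(name)
    reply = constructed_response(query, EXAMPLE_IP)
    return parse_response(reply, expected_txid=0x1234)


def resolve_live(name, server, timeout=2.0):
    """The same query sent for real over UDP port 53 to a DNS server of your choosing."""
    txid = secrets.randbelow(65536)  # a real resolver randomises the id so replies can't be guessed
    query = build_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        reply, _ = sock.recvfrom(512)
    return parse_response(reply, expected_txid=txid)


if __name__ == "__main__":
    print(resolve_offline(EXAMPLE_NAME))  # [('www.simonzone.com', '195.231.34.5', 3600)]
```

The browser-side role from the "Client Server Model" section is the whole of this program: it asks, the server answers, and the firewall only has to let that one question out and its reply back in.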

Let's go through the steps involved in permitting our computer to use the DNS protocol to communicate with DNS servers on the internet.

  • Go to the Protocol tab.

  • First make sure that Internet is selected in the Defined Network Zones: list. (It's at the top left corner in the window.) The list should have two entries, Internet and Local.

  • Open the Network part of the list view control in the center of the window. It should expand to show more options and check boxes with entries like ICMP Redirect and DNS - Domain Name Server for example.

  • To the right of the protocol list is a black box in the Local column. The box is a check box. Click on it until it shows a check mark (tick). The box has three states: unchecked, checked and crossed. Click on it repeatedly to cycle through the states.

Done. That is all you need to do to grant your machine permission to access DNS servers on the Internet. Your screen should look like the picture below.


Reading the protocol tab

This illustration also summarises how to read all of the information presented on the Protocol tab. There is a lot of information packed into this one tab, but it is vital that you understand what it means so that you can avoid misconfiguration.

Protocol Organisation

Once we have DNS permitted we can move on to permitting other common protocols that we might want to use.

Guarddog supports many different network protocols. They are organised into categories to make it easier to find what you want. The different categories are:

  • Chat - Protocols used by chat programs like IRC and ICQ.

  • Data Serve - Protocols used by databases and other data sources like time servers for example.

  • File Transfer - Protocols used to transfer files. HTTP for the Web and FTP are very good examples.

  • Game - Protocols used by games for online multiplayer gaming.

  • Interactive Session - Protocols used for working on or performing actions on a remote system. SSH (Secure Shell), telnet and also the RPC protocols are here.

  • Mail - Protocols associated with delivering and moving email. SMTP and POP3 are under here.

  • Media - Protocols used for delivering multimedia across the internet.

  • Miscellaneous - Other protocols that really didn't fit under the other categories.

  • Network - Protocols related to the operation of the network itself.

  • User Defined - Protocols defined by the user on the Advanced tab appear here.

Naturally there is some overlap, and some protocols could easily be placed under a different category than the one they are currently in.

Tip

Click on the name of a protocol to quickly get information about it. A description of the protocol will appear in the area in the lower left corner of the window.

Permitting Common Protocols

Here is a quick list of the most common protocols that you will probably want to permit.

  • HTTP - Used on the World Wide Web to move web pages around. If you want to browse the web you will need this. It's in the File Transfer category.

  • FTP - File Transfer Protocol. Used for uploading and downloading files. Also commonly used on the web. If you have seen something like "ftp://" in the location bar on your web browser, then you have used FTP. FTP is in the File Transfer category.

  • SMTP - Simple Mail Transfer Protocol. Used for sending email around the internet. It's in the Mail category.

  • POP3 - Post Office Protocol version 3. Commonly used for picking up and downloading email from a mailbox located at an ISP. It's in the Mail category.

Warning

Resist any temptation to permit all protocols. The more protocols you permit the weaker your firewall will be. The idea is to only permit the protocols you really need, and no more. Don't permit something just in case you might need it in the future. If you need to permit another protocol in the future then you can just come back to Guarddog and turn it on.
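Guarddog turns the check boxes on the Protocol tab into Linux iptables rules. As an added illustration, not Guarddog's own rule generator and not the script it writes, the Python example below models that translation for the protocols named in this tutorial: a default-deny policy, replies to connections you started allowed back in, and one outbound ACCEPT rule per permitted protocol. The port table is constructed for this example from the well-known port numbers of DNS, HTTP, FTP, SMTP and POP3; the function names are this example's own. Comparing the DNS-only configuration from the steps above with an "everything in the table" configuration makes the warning concrete: each extra check mark is another port your host may open.

```python
# Constructed port table for the protocols this tutorial mentions (IANA well-known ports).
# Guarddog's real protocol database is much larger; this table is an illustration only.
PROTOCOLS = {
    "DNS":  [("udp", 53), ("tcp", 53)],
    "HTTP": [("tcp", 80)],
    "FTP":  [("tcp", 21)],   # FTP data connections are matched as RELATED via the ip_conntrack_ftp helper
    "SMTP": [("tcp", 25)],
    "POP3": [("tcp", 110)],
}


def firewall_rules(permitted):
    """Return iptables commands that let this host *initiate* only the permitted protocols.

    Everything not listed is dropped by the default policies, which is the
    'permit what you need and no more' stance the warning above describes.
    """
    unknown = set(permitted) - PROTOCOLS.keys()
    if unknown:
        raise ValueError(f"unknown protocol(s): {sorted(unknown)}")
    rules = [
        # Default deny in every direction; the ACCEPT rules below punch specific holes.
        "iptables -P INPUT DROP",
        "iptables -P OUTPUT DROP",
        "iptables -P FORWARD DROP",
        # Loopback traffic never leaves the machine and is always allowed.
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A OUTPUT -o lo -j ACCEPT",
        # Replies to connections we started come back in; unsolicited packets do not.
        "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
        "iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT",
    ]
    for name in permitted:
        for proto, port in PROTOCOLS[name]:
            rules.append(
                f"iptables -A OUTPUT -p {proto} --dport {port} "
                f"-m state --state NEW -j ACCEPT  # {name}"
            )
    # Log what the default policy is about to drop so misconfigurations show up in syslog.
    rules.append("iptables -A INPUT -j LOG --log-prefix 'firewall-dropped: '")
    return rules


def exposed_ports(permitted):
    """The (proto, port) pairs a configuration lets this host open: its outbound surface."""
    return sorted({pair for name in permitted for pair in PROTOCOLS[name]})


def render_script(permitted):
    """Join the rules into a shell script (not executed here; it would need root to apply)."""
    return "#!/bin/sh\n" + "\n".join(firewall_rules(permitted)) + "\n"


if __name__ == "__main__":
    # The tutorial's minimal configuration versus 'permit everything in the table'.
    print(len(exposed_ports(["DNS"])), "port(s) reachable with DNS only")
    print(len(exposed_ports(list(PROTOCOLS))), "port(s) reachable with every protocol permitted")
    print(render_script(["DNS", "HTTP"]))
```

The generated script only governs connections this host starts; nothing is opened for inbound connections from the Internet zone, which is the right default for a single workstation.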

Applying your new Firewall

Changes made in Guarddog don't take effect immediately. To activate your changes you need to press the Apply button or the OK button. The OK button will also quit Guarddog once the firewall is in place. Guarddog will then set up the networking subsystem on your machine with your new firewall rules. Once you click on the OK or Apply button a warning message appears to warn you that changing the system's firewall may disrupt existing network connections. Generally it is not a good idea to be doing anything important on your network, like an FTP download for example, when you apply the firewall. After you click on the warning's OK button another popup window will appear, showing the firewall setup progress. If any errors occurred while setting up the firewall, they will be shown in the popup. Click on the OK button to exit the popup window.

Done! Your new firewall should now be in place and working. From now on whenever your system starts it will automatically be set up to use your firewall. Guarddog does not have to be constantly running to protect your computer. As your firewalling needs evolve you can just run Guarddog again and modify the configuration.

Tip

To see if your firewall is doing its job you can put it to a bit of a test. Go over to Gibson Research Corporation and head towards the "Shields Up!" area and ask it to "Test My Shields!" or "Probe My Ports!". It will then scan your machine and give you a report on what it found. Hopefully it will give you a very positive report.
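A "Probe My Ports!" test works by trying to connect to your machine's ports from outside and reporting which ones answer. The Python example below, added here and not part of the handbook, does the same thing in miniature so you can see what "open", "closed" and "filtered" mean and check your own host from a second machine on your network. Its demonstration starts a throwaway listener on 127.0.0.1, which only shows the mechanism; loopback traffic is not subject to the Internet zone rules, so only a probe from outside tells you what the firewall is actually doing. The port list and function names are this example's own.

```python
import socket
from contextlib import closing


def probe_port(host, port, timeout=1.0):
    """TCP connect check of one port, the way an external 'probe my ports' test sees it.

    'open'     - something accepted the connection (a service is listening and reachable)
    'closed'   - the host answered with a reset: no service, but the port was not filtered
    'filtered' - no answer at all: a DROP firewall rule (or a dead host) swallowed the probe
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except (socket.timeout, OSError):
            return "filtered"


def probe_ports(host, ports, timeout=1.0):
    """Probe several ports and return {port: state}."""
    return {port: probe_port(host, port, timeout) for port in ports}


def unexpected_open(results, allowed):
    """Ports that answered 'open' but are not in the list you meant to expose."""
    return sorted(p for p, state in results.items() if state == "open" and p not in allowed)


def self_check():
    """Demonstration on loopback: one listening port and one free port, picked at run time."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: let the kernel choose a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]
    # Grab and release another free port so we have one that is known to be closed.
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as tmp:
        tmp.bind(("127.0.0.1", 0))
        closed_port = tmp.getsockname()[1]
    try:
        results = probe_ports("127.0.0.1", [open_port, closed_port])
    finally:
        listener.close()
    return results[open_port], results[closed_port]


if __name__ == "__main__":
    # Ports of the protocols this tutorial talks about: FTP, SMTP, DNS, HTTP, POP3.
    # Run this from another machine with its address in place of 127.0.0.1 to test the firewall.
    tutorial_ports = [21, 25, 53, 80, 110]
    report = probe_ports("127.0.0.1", tutorial_ports)
    for port, state in report.items():
        print(f"{port:5d} {state}")
    print("unexpected open ports:", unexpected_open(report, allowed=[]))
    print("self check:", self_check())  # ('open', 'closed')
```

On a workstation protected as in this tutorial, a probe from the Internet side should report "filtered" for every port: the DROP policy gives no answer at all, which is the "stealth" result the Shields Up! report praises.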