Why have port blocking at all?
A common question people ask is:
If the product detects hostile traffic and sets dynamic filters, why
does it need port blocking at all?
To answer that question we need to look more closely at the problem
as it arises in real-world scenarios, and compare the product to a burglar alarm.
In your home you have both locks on your doors and a detection
system. In the cyberspace equivalent, the firewall is the lock
and the intrusion detection system is the burglar alarm. (Note:
the packetlog feature is the security camera,
and the Backtrace feature is the fingerprinting system.)
You would not leave your door unlocked and rely on the burglar
alarm alone; in much the same way, you need port blocking
as well as intrusion detection.
The protection levels
The problem with the Internet is that all communication is two-way.
When you go to a website, your machine and the website
exchange traffic. A "lock" that blocks all incoming traffic
would be useless, because it would also block the webpages
you asked the website to send to your computer.
Therefore, the technology behind the firewall is designed
to generally block "requests" coming into your computer
(such as a hacker trying to read a file from your hard disk),
but to allow "responses" to things you've asked for.
The problem is that it is not always that simple. Sometimes we
cannot tell whether an incoming packet is a response to a request.
One example is where you contact a server in order to listen
to Internet radio. That server hands your request off to a second
server, which starts sending you the radio stream. Because the stream
comes from a server you never contacted, we cannot tell that this
is what happened, and might block the incoming stream.
Therefore, we've chosen 4 different security levels. At the most
Paranoid level, the above Internet radio will not work. However,
at the default Cautious level, such things work fine.
Many people raise the level to "Paranoid", then edit the
"firewall.ini" file in order to allow specific
ports for the applications they use. They essentially get the
best of both worlds.
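The request/response rule, the Internet-radio hand-off and the per-port exceptions described above can be modelled in a few lines. The following is an added example written for this page, not the product's own filtering code: it is a small connection-tracking filter in which outbound packets register a "request", inbound packets are admitted only if they match one, and an explicit port list stands in for the entries people add to "firewall.ini". The level names "cautious" and "paranoid" come from the text; how the two levels differ internally (Cautious accepting a reply on the right local port from a server we never contacted, Paranoid refusing it) is an assumption made for the illustration, as are all addresses and ports.

```python
from dataclasses import dataclass, field

# Added example, not the product's own code: a small connection-tracking
# ("stateful") filter that models the request/response rule described above.
# The level names "cautious" and "paranoid" come from the text; how the
# levels differ internally is an assumption made for this illustration.


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    inbound: bool   # True when the packet arrives from the Internet


@dataclass
class StatefulFilter:
    level: str                                        # "cautious" or "paranoid"
    allowed_ports: set = field(default_factory=set)   # firewall.ini-style exceptions
    # Outstanding requests we sent: (proto, our local port) -> (remote ip, remote port)
    pending: dict = field(default_factory=dict)

    def process(self, pkt: Packet) -> bool:
        """Return True if the packet may pass, False if it is dropped."""
        if not pkt.inbound:
            # Outbound traffic is a "request": remember who we talked to so
            # that the reply can find its way back in.
            self.pending[(pkt.proto, pkt.src_port)] = (pkt.dst_ip, pkt.dst_port)
            return True

        # Inbound traffic: is it a "response" to something we asked for?
        peer = self.pending.get((pkt.proto, pkt.dst_port))
        if peer is not None:
            if peer == (pkt.src_ip, pkt.src_port):
                return True     # exact reply from the server we contacted
            if self.level == "cautious":
                # Same local port, but a different server is answering: the
                # Internet-radio hand-off. Cautious lets it through.
                return True
            # Paranoid does not trust a reply from a server we never contacted.

        # Unsolicited (or untrusted) inbound traffic only passes on ports the
        # user opened explicitly.
        return pkt.dst_port in self.allowed_ports


def radio_scenario(level: str, allowed_ports=()) -> dict:
    """Replay a constructed packet sequence and report what got through."""
    fw = StatefulFilter(level=level, allowed_ports=set(allowed_ports))
    me = "10.0.0.5"   # constructed address of the protected machine
    results = {}

    # 1. A web page we asked for: request goes out, reply comes back from the same server.
    fw.process(Packet(me, 50000, "198.51.100.7", 80, "tcp", inbound=False))
    results["web_reply"] = fw.process(
        Packet("198.51.100.7", 80, me, 50000, "tcp", inbound=True))

    # 2. Internet radio: request goes to one server, the stream arrives from another.
    fw.process(Packet(me, 40000, "203.0.113.10", 8000, "udp", inbound=False))
    results["radio_stream"] = fw.process(
        Packet("203.0.113.20", 8001, me, 40000, "udp", inbound=True))

    # 3. An unsolicited probe of the file-sharing port: nobody asked for this.
    results["smb_probe"] = fw.process(
        Packet("192.0.2.99", 4444, me, 139, "tcp", inbound=True))
    return results


if __name__ == "__main__":
    for level in ("cautious", "paranoid"):
        print(level, radio_scenario(level))
    print("paranoid + port 40000 opened", radio_scenario("paranoid", allowed_ports=[40000]))
```

At Cautious the radio stream passes and the probe of port 139 is dropped; at Paranoid the stream is dropped too, until the user opens local port 40000 explicitly, which is the "best of both worlds" configuration the text describes. Note that the explicit port is open to anyone, which is why it should be limited to the ports the application really needs.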
The intrusion detection system
Part of the reason you need "locks" (port filters) is that
the intrusion detection system cannot be 100% perfect.
Motion sensors are used as part of burglar alarms, but then your pet
cat can trigger them. Likewise, you might go on vacation and
give a key to your neighbors to feed the cat, but forget to
give them the alarm code for the alarm.
The thing is, you know who should be allowed inside
your house, but it will always be impossible to build an automated
system that knows the same information (unless we figure out how
to tap directly into your brain).
Building anti-hacker countermeasures presents
much the same difficulties. The intrusion detection
system detects obviously hostile activities. In the real world,
many anti-burglar systems detect broken windows as an obvious
sign of somebody trying to break in.
But there are a lot more subtle activities that go on.
Consider a burglar alarm that can detect if someone
is trying to pick the lock. What happens if it is dark
out, and you fumble through your key chain trying all the
keys until you find your house key? After how many attempts
should the alarm trigger?
The cyberspace equivalent to a key is the password. If you want
to share files with your friends, but not the entire world,
you put a password on the share that only your friends know.
The intrusion detection component of our product detects
the bad passwords; after a few bad attempts it triggers
and locks that person out of the machine completely. However,
a friend may simply have written the password down wrong,
and will be unjustly locked out of the system.
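The "how many attempts?" trade-off is easiest to see by running a threshold detector over a log. The following is an added example written for this page, not the product's own detection logic: a per-source counter of failed share logins within a sliding time window, which locks the source out once the threshold is reached. The log format, addresses, share and user names are all constructed for the example; the real product's log format is not described on this page.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example, not the product's own code: a failed-password detector
# with a threshold and lockout. The log format, addresses and share names
# below are constructed for the example. 192.0.2.50 is an attacker guessing
# passwords; 198.51.100.8 is a friend who wrote the password down wrong
# three times before getting it right.
SAMPLE_LOG = """\
2000-03-01 22:10:01 192.0.2.50 share=music user=guest result=FAIL
2000-03-01 22:10:02 192.0.2.50 share=music user=guest result=FAIL
2000-03-01 22:10:03 192.0.2.50 share=music user=guest result=FAIL
2000-03-01 22:10:04 192.0.2.50 share=music user=guest result=FAIL
2000-03-01 22:10:05 192.0.2.50 share=music user=guest result=FAIL
2000-03-01 22:10:06 192.0.2.50 share=music user=guest result=FAIL
2000-03-01 22:15:30 198.51.100.8 share=music user=friend result=FAIL
2000-03-01 22:15:45 198.51.100.8 share=music user=friend result=FAIL
2000-03-01 22:16:02 198.51.100.8 share=music user=friend result=FAIL
2000-03-01 22:16:20 198.51.100.8 share=music user=friend result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<src>\S+) "
    r"share=(?P<share>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class LoginGuard:
    threshold: int = 3                          # bad attempts before we "trigger"
    window: timedelta = timedelta(minutes=5)    # attempts older than this are forgotten
    lockout: timedelta = timedelta(hours=1)     # how long a triggered source stays locked out
    failures: dict = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict = field(default_factory=dict)

    def observe(self, ts: datetime, src: str, ok: bool) -> str:
        """Return "allow", "lock" (this attempt triggered the lockout) or "blocked"."""
        until = self.locked_until.get(src)
        if until is not None and ts < until:
            return "blocked"             # still locked out, even if this password was right
        if ok:
            self.failures[src].clear()   # a good password wipes the slate clean
            return "allow"
        recent = self.failures[src]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:
            recent.popleft()             # slide the window forward
        if len(recent) >= self.threshold:
            self.locked_until[src] = ts + self.lockout
            recent.clear()
            return "lock"
        return "allow"


def replay(log: str = SAMPLE_LOG, threshold: int = 3) -> dict:
    """Run the detector over the log; return per-source lists of decisions, in order."""
    guard = LoginGuard(threshold=threshold)
    decisions = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                     # ignore lines we do not understand
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        decisions[m["src"]].append(guard.observe(ts, m["src"], m["result"] == "OK"))
    return dict(decisions)


if __name__ == "__main__":
    for threshold in (3, 5):
        print("threshold", threshold, replay(threshold=threshold))
```

With the threshold at three, the attacker is locked out on the third guess, but so is the friend, and the friend's fourth attempt with the correct password is refused because the lockout is already in force. Raising the threshold to five lets the friend in and still catches the attacker on the fifth guess, at the cost of two more free guesses for everyone. No choice of threshold, window or lockout removes the trade-off; it only moves it, which is why the port filter has to stand on its own in front of the detector.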