High Security Zone
Buggy or malicious software can carry viruses and Trojan horses onto your computer and spy out your passwords. Take better care of your PC: confine your software to a sandbox and secure your Internet connection. We provide a tool for this purpose - exclusively for PC WELT readers - on CD.
A basic rule under Windows says: never work as an administrator. This alone reduces the possible risks considerably. Programs will only be able to access the directories to which you hold rights as a user. The Windows directory and large portions of the registry thereby become off limits, and the Windows installation is sufficiently secure.
For the time being, only a few malicious programs are aimed at interfering with the system functioning. Quite the contrary: anyone who uses your PC for spamming, or spies on your data, is interested in a system which runs smoothly. Only in this way can such programs do their work unnoticed in the background.
For comprehensive protection - in addition to the virus scanner - additional modules and measures are required. All programs which require an Internet access and which are not trustworthy or come from unknown sources, should preferably be allowed to operate only within a partitioned area - a sort of virtual environment. In this way, they will have no possibility of modifying the system or accessing sensitive data. In addition, however, outward transmission from your system should be limited to the most necessary information only. We recommend anonymizing your Internet connections and filtering out undesirable content.
We provide you with software for greater security, enclosed on CD or DVD. The English-language full version of Bufferzone Security Pro is supplied exclusively to PC WELT readers on CD and DVD. On the next pages, you will read how to install and use the security programs.
1. Virtualizing - for greater security
Virus scanners and desktop firewalls offer only illusory protection. An example: you download a program which interests you from the Web, and after installation the program quietly transfers your access data for online banking or modifies system settings. In such a case, your virus scanner will only alert you if it recognizes the application as dangerous. If the program in question requires an Internet connection in order to function, your firewall will not help you, either: if it were to block the program, you would not be able to use it at all.
The only method of protection consists of starting the problematic application in a secure environment. To do so, you must either have a virtualized operating system, in which the programs run shielded, or software which virtualizes access to the file system. In this article, we combine the advantages of both solutions. With the help of Bufferzone Security Pro (English-language full version on CD), accesses to the file system and the registry can be virtualized; through the use of a virtual firewall, you can secure the Internet connection as required (Section 4).
More specific information on the topic of virtualization and instructions on how to set up VMware Server may be found under http://pcwelt-wiki.de/wiki/Virtualisierung.
2. How to install and configure Bufferzone
Bufferzone Security Pro requires Windows XP with Service Pack 2 and about 20 MB of free space on your hard disk. The program does not run under Windows Vista. Install Bufferzone by calling up the setup program from our CD. After doing so, you will have to restart Windows. Bufferzone will start with a short introduction in English and will place an icon in the systray (notification area), next to the clock. When necessary, you can temporarily deactivate the tool, which is ordinarily started along with Windows, by means of its context menu; double-clicking on the icon will open the program window. Explained below are the most important settings, which you can reach via the icons on the left side of the window.
The first thing for you to do is to check the list of programs which should run under Bufferzone's protection. Left-click on "Edit Bufferzone programs". Several important applications are contained in the list by default, such as Internet Explorer ("Iexplore.exe"), Firefox ("Firefox.exe") and eMule ("Emule.exe"). Add additional programs by using the plus symbol. The X symbol is used to remove tools from the list if you wish to start them without Bufferzone, as before.
If all newly installed programs should run under the control of Bufferzone by default, activate the check box in front of "Activate Application Control" and select "Run in BufferZone". You can also set "Prompt user"; Bufferzone will then leave the decision up to you each time a program is started. In the list under "Device Control", you can configure how removable media and network drives should be handled. You can set up a BufferZone for each device. Programs started or installed from it will then run within the protected zone by default. To save the modifications in the dialog box, click "Save".
In this dialog box, you can set up filter rules for programs inside and outside Bufferzone. By default, only port 25 (SMTP) is blocked for Bufferzone programs. This port is frequently used by Trojan horses to send e-mail messages. If you are already using a different firewall, you should not make any settings here.
On the "Settings" register card, by means of "Confidential files and folders", you determine which files or directories should be especially protected by Bufferzone - for example, folders with confidential data. Programs which run under the control of Bufferzone will not have read or write access to these files and directories. For example, enter "%profilesbase%\*\Own Data" in order to shield the "Own Data" folder from all users of the PC.
You can define an even higher security setting by means of "Forbidden files". Folders or files contained in this list cannot be read either from within or from outside of Bufferzone (not even with Windows Explorer). This restrictive setting, however, only makes sense if you activate the check box in front of "Administrator's password" under "Password" and enter a password. To modify any configuration, you will then first have to enter this password. If the check box in front of "Memorize password for (seconds)" is active, the program will ask for the password again after the time set (default: 60 seconds).
An additional password may be entered under "Basic maintenance password". This password will be requested before you transfer files into or out of the protected zone. To save the modifications in the dialog box, click "Save".
Tip: For rapid access, the "Confidential: hide from Bufferzone" and "Forbidden: deny all access" can be reached via the Bufferzone context menu from files and folders. This means that you will not have to go through the configuration dialog box.
3. Bufferzone: how the program works
As soon as you start one of the programs configured for Bufferzone - for example, Firefox - its window is surrounded by a red frame. You will be able to download files from the Internet as before. The files will be located in the download directory, with the ending ".virtual" appended to their names. If the file in question is an executable, start it by double-clicking in Windows Explorer, and it will also run under the control of Bufferzone. The same applies to setup programs which you download and execute, as well as to the software they install.
Applications which are under the supervision of Bufferzone have no direct write access to the file system or the registry. Bufferzone virtualizes each access and writes the modifications to the C:\Virtual directory, which it has already installed on a standard basis. This means that poorly programmed or malicious applications will not be able to modify the system.
4. Administering files and application data
You can remove files and directories from Bufferzone or place them under Bufferzone's control at any time, by means of their context menu. For example: you can select a downloaded file with the ending ".virtual" and click "Move out of Bufferzone" in the context menu. On the other hand, you can select an .exe file and click "Move to Bufferzone".
Handling the operational data of an application is slightly more complicated. For example, when you start Firefox under the supervision of Bufferzone, not only cookies and temporary files land in the virtual file system; newly installed extensions, updates and bookmarks go there, too. If you operate the browser outside of Bufferzone, none of these will be visible to Firefox. In order to enable Firefox to access them, you will have to transfer the files or directories in question from the virtual storage area to the standard storage area by means of the "Move out of Bufferzone" context menu item. To do so, however, you must know exactly which files serve which purpose. In addition, there is a risk of transferring malicious files into the unprotected area. It is therefore safer and less confusing to operate the program under Bufferzone on a permanent basis.
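To make the mechanism of sections 3 and 4 concrete, the following is an added model of a write-redirecting sandbox. It is not Bufferzone's code and mirrors only the behaviour the article describes: writes from a confined program land in a shadow tree (Bufferzone's C:\Virtual), reads inside the sandbox see the shadow copy first, reads from outside see only the real tree, and an explicit "move out" step is needed before the unsandboxed program can see the data. The directory names, the RedirectingSandbox class and the sample files are all constructed for this illustration.

```python
"""Model of a write-redirecting sandbox (added illustration, not Bufferzone code)."""
from pathlib import Path
import shutil
import tempfile


class RedirectingSandbox:
    """Writes from the sandbox go to virtual_root; the real tree is never modified."""

    def __init__(self, real_root: Path, virtual_root: Path) -> None:
        self.real_root = Path(real_root)
        self.virtual_root = Path(virtual_root)
        self.virtual_root.mkdir(parents=True, exist_ok=True)

    def _shadow(self, rel: str) -> Path:
        # Shadow copy of a real path, e.g. C:\Virtual\<rel> in Bufferzone's case (assumption)
        return self.virtual_root / rel

    def write_inside(self, rel: str, data: bytes) -> Path:
        """A sandboxed program writes a file: only the shadow copy is created/changed."""
        target = self._shadow(rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        return target

    def read_inside(self, rel: str) -> bytes:
        """A sandboxed program reads: the shadow copy wins, otherwise the real file is used."""
        shadow = self._shadow(rel)
        if shadow.exists():
            return shadow.read_bytes()
        return (self.real_root / rel).read_bytes()

    def read_outside(self, rel: str) -> bytes:
        """A program outside the sandbox reads: for it, only the real tree exists."""
        return (self.real_root / rel).read_bytes()

    def move_out(self, rel: str) -> Path:
        """The explicit 'Move out of Bufferzone' step: promote the shadow copy to the real tree."""
        shadow = self._shadow(rel)
        real = self.real_root / rel
        real.parent.mkdir(parents=True, exist_ok=True)
        real.write_bytes(shadow.read_bytes())
        shadow.unlink()
        return real


def demo() -> dict:
    """Replay the article's scenario on a throwaway directory tree (constructed sample data)."""
    base = Path(tempfile.mkdtemp(prefix="sandbox-demo-"))
    real, virtual = base / "real", base / "virtual"
    (real / "profile").mkdir(parents=True)
    (real / "profile" / "bookmarks.html").write_bytes(b"<original bookmarks>")
    (real / "system.ini").write_bytes(b"[boot]\n")

    sb = RedirectingSandbox(real, virtual)
    # The sandboxed browser saves a new bookmark ...
    sb.write_inside("profile/bookmarks.html", b"<original bookmarks><new bookmark>")
    # ... and a malicious component tries to alter a system file.
    sb.write_inside("system.ini", b"[boot]\nshell=evil.exe\n")

    result = {
        "inside_sees_new_bookmark": sb.read_inside("profile/bookmarks.html"),
        "outside_sees_old_bookmark": sb.read_outside("profile/bookmarks.html"),
        "real_system_ini_untouched": sb.read_outside("system.ini"),
        "shadow_files": sorted(p.relative_to(virtual).as_posix()
                               for p in virtual.rglob("*") if p.is_file()),
    }
    # Only after the deliberate move-out does the unsandboxed browser see the bookmark.
    sb.move_out("profile/bookmarks.html")
    result["outside_after_move_out"] = sb.read_outside("profile/bookmarks.html")
    shutil.rmtree(base)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The model also shows the risk named in section 4: the "move out" step copies whatever is in the shadow tree, so the attempted system.ini modification would become real if someone moved that file out without knowing what it contains.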
5. Double protection: the firewall in the sandbox
If you confine your Internet applications to the safe Bufferzone and filter your Internet connection through the Windows firewall or a desktop firewall, you will have taken an important step toward online security. This concept, however, has a loophole: although you will be shielding your applications, the firewall itself will be left unprotected.
The term "firewall", however, is extremely imprecise for this type of application. Such products merely consist of software which attempts to recognize suspicious network traffic and filter suspicious data packets. Just like any other software - your browser, for example - such a packet filter can have security holes and can therefore be susceptible to attacks. This is why it makes sense to place the network traffic filter in a shielded sandbox.
In the professional area, this practice has been customary for some time. For professionals, a firewall is not just software; there is always a hardware solution, in which the connection to the Internet - or to another network for which protection is desired - is first physically interrupted. The gap is then closed again by means of one or more computers, each of which is connected to each part of the network via its own network adapter - this is the firewall. The firewall software determines which data exchanges between the network adapters are permitted. Only the network administrator can influence the firewall software. Normal users cannot reconfigure it - and neither can any other software running in the user context (i.e. with normal user rights), such as a virus or other malicious software.
Even without extra hardware, you can install a real firewall for your PC - virtualization makes it possible. If you want to install firewall and/or router software into a virtual machine with VMware Player or VMware Server 1.0.3 (both on DVD), this involves practically no work. For such purposes, prefabricated "appliances" are provided; these are images with a configuration file, which you can start with the VMware products without further configuration. One example is X-Monowall on CD. Others may be found, ready for downloading, at http://vmware.com/vmtn/appliances. X-Monowall contains the well-known, stable Monowall firewall, which can be configured easily by means of the Web browser.
Operating a firewall in a virtual machine is admittedly not quite as safe as the hardware variant. After all, it is located on the very computer which it is supposed to be protecting. The "network adapter" consists of software only; there is no real physical separation of the networks. Nonetheless, the protection is greater than that of a pure desktop firewall: malicious software on the host cannot simply switch it off or reconfigure it. Even though the virtual firewall is connected to the host only through a virtual network, the malware does not get inside the VMware sandbox, because the only access methods available to it are those of a real network. Only malware specialized in finding and attacking virtual machines could possibly get through - and no such malware is known to date.
6. How to configure Monowall
Monowall is software for a router with integrated firewall, which you can install, for example, on an old PC or barebone - or, alternatively, start as a virtual machine. To do so, unpack the Monowall appliance into a directory of your choice; open the FreeBSD.vmx file contained in it with VMware Player or VMware Server, and click the button with the green arrow to start it.
Monowall is initially set up in such a way as to function as a DHCP (Dynamic Host Configuration Protocol) server and gateway. In other words, it issues a valid IP address to all other computers in the network and is responsible for their Internet access. This works only if no router already present in the network performs this role. Use your router's documentation and configuration to check whether it does. If not, the Internet access in the network will be handled by Monowall. In this mode, it assigns itself the IP address 192.168.1.1. In a prompt on the host system, in your capacity as administrator, enter the following command:
ipconfig /renew /all
Once you have done so, your computer will be added to the Monowall LAN. Subsequently, enter http://192.168.1.1 in the address line of your browser; this will enable you to continue configuring Monowall via the Web interface.
Monowall without DHCP:
If you already have a DHCP server in the LAN (such as a DSL router), you will have to reconfigure Monowall so that it is added to the existing network. Determine the IP address of the router by means of its interface. Alternatively, open a prompt in your host system and enter the "ipconfig" command. In this way, you will find out the IP address of your PC - for example, 192.168.0.1. Now, in the virtual machine, under "m0n0wall console setup", select item 2. Under "Enter the new LAN IP address", enter an IP address whose last number differs from the IP address determined for the host system - for example, 192.168.0.5. This address must also not be used by any other computer - including the router - in the LAN. Under "Enter the new LAN subnet bit count", enter "24". The question "Do you want to enable the DHCP server on LAN?" should be answered "No". Now enter the chosen IP address in your browser, as above, and continue with the graphical setup of Monowall.
The preset administrator account is called "admin" and its password is "mono". You determine how Monowall accesses the Internet under "Interfaces, WAN" in the menu. If you already have a router in the network and DHCP for Monowall is switched off, keep the "DHCP" setting. Monowall will then find its way to the Internet automatically, via the router. In any event, you have to tell Windows about Monowall, so that it will use it as the gateway for Internet traffic. For this purpose, note down the IP address of Monowall; in a prompt on the Windows host, in your capacity as administrator, enter the following command, replacing the placeholder with that address:
route change 0.0.0.0 mask 0.0.0.0 <IP address of Monowall>
If Monowall operates as a DHCP server, this is not necessary. In any event, however, you will have to specify manually, under "Interfaces, WAN", how it gets into the Internet. The available choices for DSL include PPPoE, which is customary in Germany, or PPTP, which is used in Switzerland and Austria. You will need the "Static IP" option if you have a router which does not provide DHCP. Similarly to the process described above, you will then enter an unused IP address in the "IP address" field; under "Gateway", enter the address of the router. The "Bigpond Cable" option has no significance in Europe.
Monowall is effective as long as it is responsible for connecting your computer to the Internet. In order to make sure that data traffic actually runs through Monowall, enter the following command in a prompt:
tracert pcwelt.de
The output must show the IP address of Monowall as the first station. In addition, under "Diagnostics" in the Web interface, you will find a concealed menu item, "Backup/Restore". Through this item, you can back up the entire Monowall configuration in an XML file and restore it as necessary.
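The three manual steps of section 6 - choosing a LAN address for Monowall that collides with nothing in the existing subnet, pointing the Windows default route at it, and confirming with tracert that Monowall really is the first hop - can be checked with a few lines of code. The following is an added example, not part of Monowall or of the article; the function names, the Windows "route change ... mask ..." syntax used to build the command, and the sample tracert output (with documentation addresses) are assumptions or constructed data.

```python
"""Checks for adding a virtual Monowall to an existing LAN (added example, not Monowall code)."""
import ipaddress
import re
from typing import Iterable, List, Optional

# Constructed sample tracert output: first hop is the Monowall address (192.168.0.5).
TRACERT_VIA_MONOWALL = """\
Tracing route to pcwelt.de [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.5
  2     1 ms     1 ms     1 ms  192.168.0.254
  3    14 ms    13 ms    14 ms  203.0.113.10

Trace complete.
"""

# Constructed sample: traffic bypasses Monowall and goes straight to the DSL router.
TRACERT_BYPASSING = """\
Tracing route to pcwelt.de [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.254
  2    14 ms    13 ms    14 ms  203.0.113.10

Trace complete.
"""

HOP_LINE = re.compile(r"^\s*(\d+)\s+(.*)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def check_lan_address(candidate: str, host_ip: str, prefix_len: int,
                      in_use: Iterable[str]) -> List[str]:
    """Reasons why 'candidate' is unusable as Monowall's LAN address; empty list means OK.

    Encodes the rules from 'Monowall without DHCP': same subnet as the host,
    not the host's own address, not the router's or any other device's address.
    """
    problems = []
    net = ipaddress.ip_network(f"{host_ip}/{prefix_len}", strict=False)
    cand = ipaddress.ip_address(candidate)
    if cand not in net:
        problems.append(f"{candidate} is not in the host's subnet {net}")
    if cand == ipaddress.ip_address(host_ip):
        problems.append("same address as the host system")
    if cand in (net.network_address, net.broadcast_address):
        problems.append("network or broadcast address of the subnet")
    for used in in_use:
        if cand == ipaddress.ip_address(used):
            problems.append(f"already used by another device ({used})")
    return problems


def default_route_command(monowall_ip: str) -> str:
    """Windows command that sends all traffic via Monowall (syntax is an assumption)."""
    ipaddress.ip_address(monowall_ip)  # reject anything that is not an IP address
    return f"route change 0.0.0.0 mask 0.0.0.0 {monowall_ip}"


def first_hop(tracert_output: str) -> Optional[str]:
    """IP address shown for hop 1, or None if hop 1 is missing or timed out."""
    for line in tracert_output.splitlines():
        m = HOP_LINE.match(line)
        if not m or m.group(1) != "1":
            continue
        ips = IPV4.findall(m.group(2))
        return ips[-1] if ips else None
    return None


def traffic_goes_through(tracert_output: str, monowall_ip: str) -> bool:
    """The article's check: Monowall must be the first station on the route."""
    return first_hop(tracert_output) == monowall_ip


if __name__ == "__main__":
    print(check_lan_address("192.168.0.5", "192.168.0.1", 24, ["192.168.0.254"]))
    print(default_route_command("192.168.0.5"))
    print(traffic_goes_through(TRACERT_VIA_MONOWALL, "192.168.0.5"))
    print(traffic_goes_through(TRACERT_BYPASSING, "192.168.0.5"))
```

To use the hop check on a real system, paste the actual output of "tracert pcwelt.de" into first_hop or traffic_goes_through with the address you noted down for Monowall; a hop 1 that shows the router, or only asterisks, means traffic is not yet passing through the virtual firewall and the route has to be corrected.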
More information: A description of Monowall is to be found at http://pcwelt.de/mow. A complete English-language handbook, with all configuration options, is available at http://doc.m0n0.ch/handbook.