Windows Firewall - Controlling ICMP (Ping)


8/8/2019 Windows Firewall - Controlling ICMP (Ping)

Computer and Network Security Laboratory Session 0e

Wireshark (Ethereal) as Security Monitor

Wireshark is software that "understands" the structure of different networking protocols. Thus, it is able to display the encapsulation and the fields, along with their meanings, of packets specified by different networking protocols. Wireshark uses pcap to capture packets, so it can only capture packets on the types of networks that pcap supports.

Data can be captured "from the wire" from a live network connection or read from a file of already-captured packets.

Live data can be read from a number of types of network, including Ethernet, IEEE 802.11, PPP, and loopback.

Captured network data can be browsed via a GUI or via the terminal (command-line) version of the utility, tshark.

Capture files can be programmatically edited or converted via command-line switches to the "editcap" program.

Data display can be refined using a display filter.

Plug-ins can be created for dissecting new protocols.

VoIP calls in the captured traffic can be detected. If encoded in a compatible encoding, the media flow can even be played.

Raw USB traffic can be captured with Wireshark. This feature is currently available only under Linux.

Wireshark's native network trace file format is the libpcap format supported by libpcap and WinPcap, so it can read capture files from applications such as tcpdump and CA NetMaster that use that format, and its captures can be read by applications that use libpcap or WinPcap to read capture files. It can also read captures from other network analyzers, such as snoop, Network General's Sniffer, and Microsoft Network Monitor.

The network was set up as shown below:

Fig. 1 Network topology

Source: IP 192.168.0.5, Mask 255.255.255.0, Gateway 192.168.0.1
Switch
Middle (Firewall) IF1: IP 192.168.0.1, Mask 255.255.255.0
Middle (Firewall) IF2: IP 192.168.1.2, Mask 255.255.255.0
Switch
Target: IP 192.168.1.5, Mask 255.255.255.0, Gateway 192.168.1.2

Scott W Phillips Page 1 19/11/2010

Fig. 2 Actual home-lab setup

To demonstrate the effect of Windows Firewall we are going to control it by the handling of ICMP echo requests (ping requests). This can simply be done by going into the Control Panel, selecting Windows Firewall and checking/unchecking Allow Exceptions or turning the firewall off, as shown in Fig. 3.

Fig. 3 Windows Firewall

Summary of Configurations

Test #   Source   Middle (Firewall)   Target   Ping Arrived?
1                                              Yes
2        X                                     Yes
3                 X                            Yes
4                                     X        No
5        X        X                   X        No

X = Don't allow exceptions

Fig. 4 Configurations

Conclusions

It can be seen that only the final two attempts at pinging actually get blocked. Looking at the screenshots, they are blocked at the target machine only. The drawback of Windows XP's Firewall is that it cannot block outbound connections, as we can see from our study in Appendix 1 & 2. Windows XP's firewall is only capable of blocking inbound connections.
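Added example, not part of the lab report: a small Python script that reads the libpcap files Wireshark writes, counts ICMP echo requests and replies, and classifies a test run from its three capture points (source, firewall, target) the way Fig. 4 does. The capture bytes are constructed inline for illustration; the frame layout with zero checksums, the Ethernet link type and the naming of the three capture points are assumptions.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # microsecond-resolution libpcap header (assumed)
LINKTYPE_ETHERNET = 1

def build_pcap(frames):
    """Construct a little-endian libpcap file around raw Ethernet frames (sample data)."""
    hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

def icmp_frame(src, dst, icmp_type):
    """Ethernet + IPv4 + ICMP frame; type 8 = Echo Request, 0 = Echo Reply.
    Checksums are left at zero: this is constructed sample data, not live traffic."""
    eth = bytes(12) + b"\x08\x00"
    icmp = struct.pack("!BBHHH", icmp_type, 0, 0, 1, 1) + b"abcd"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 1, 0, 64, 1, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + icmp

def count_icmp(pcap):
    """Return (echo_requests, echo_replies) found in a libpcap capture."""
    magic, = struct.unpack_from("<I", pcap)
    end = "<" if magic == PCAP_MAGIC else ">"            # file written big-endian
    linktype, = struct.unpack_from(end + "I", pcap, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off, req, rep = 24, 0, 0
    while off + 16 <= len(pcap):
        incl = struct.unpack_from(end + "IIII", pcap, off)[2]
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # too short or not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if frame[23] != 1:                                    # IP protocol 1 = ICMP
            continue
        icmp_type = frame[14 + ihl]
        req += icmp_type == 8
        rep += icmp_type == 0
    return req, rep

def where_blocked(source, firewall, target):
    """Classify one test run from its three capture points, as Fig. 4 does."""
    if count_icmp(source)[1] > 0:
        return "arrived"                                      # a reply came back
    for name, pcap in (("source", source), ("firewall", firewall), ("target", target)):
        if count_icmp(pcap)[0] == 0:
            return "request not seen at " + name
    return "request reached target, no reply (blocked at target)"
```

The last branch is the Test 4/5 outcome from the report: the echo request is captured on the target (WinPcap sees it before the firewall drops it) but no reply ever leaves.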

Windows Firewall

Windows Firewall is a software component of Microsoft Windows that provides firewalling and packet filtering functions. It was first included in Windows XP and Windows Server 2003. Prior to the release of Windows XP Service Pack 2 in 2004, it was known as Internet Connection Firewall.

Overview

When Windows XP was originally shipped in October 2001, it included a limited firewall called "Internet Connection Firewall". It was disabled by default due to concerns with backward compatibility, and the configuration screens were buried away in network configuration screens that many users never looked at. As a result, it was rarely used. In mid-2003, the Blaster worm attacked a large number of Windows machines, taking advantage of flaws in the Windows RPC service. Several months later, the Sasser worm did something similar. The ongoing prevalence of these worms through 2004 resulted in unpatched machines being infected within a matter of minutes. Because of these incidents, as well as other criticisms that Microsoft was not being active in protecting customers from threats, Microsoft decided to significantly improve both the functionality and the interface of Windows XP's built-in firewall, and rebrand it as Windows Firewall.

Security log capabilities are included, which can record IP addresses and other data relating to connections originating from the home or office network or the Internet. It can record both dropped packets and successful connections. This can be used, for instance, to track every time a computer on the network connects to a website. This security log is not enabled by default; the administrator must enable it.

Windows Firewall settings in Windows XP Service Pack 2

Windows Firewall was first introduced as part of Windows XP Service Pack 2. Every type of network connection, whether it is wired, wireless, VPN, or even FireWire, has the firewall enabled by default, with some built-in exceptions to allow connections from machines on the local network.

It also fixed a problem whereby the firewall policies would not be enabled on a network connection until several seconds after the connection itself was created, thereby creating a window of vulnerability. A number of additions were made to Group Policy, so that Windows system administrators could configure the Windows Firewall product on a company-wide level. XP's Windows Firewall cannot block outbound connections; it is only capable of blocking inbound ones.

Windows Firewall turned out to be one of the two most significant reasons (the other being DCOM activation security) that many corporations did not upgrade to Service Pack 2 in a timely fashion. Around the time of SP2's release, a number of Internet sites were reporting significant application compatibility issues, though the majority of those ended up being nothing more than ports that needed to be opened on the firewall so that components of distributed systems (typically backup and antivirus solutions) could communicate.

Appendix 1 - Source Capture Files

Test #1

Test #2

Test #3

Test #4

Test #5

Appendix 2 - Firewall Capture Files

Test #1

Test #2

Test #3

Test #4

Test #5

Appendix 3 - Destination Capture Files

Test #1

Test #2

Test #3

Test #4

Test #5