AirScanner Releases Public Beta of Personal Firewall


Janak Parekh
08-29-2004, 02:00 PM
http://www.airscanner.com/downloads/firewall/fwmanual.htm

AirScanner has just announced a public beta of their personal firewall product for WM2003 devices. It looks like a pretty slick, thorough firewalling package, and is freely available.

As to whether it's necessary, that's a tougher question. To this date, there haven't been any substantial remote exploits on Pocket PCs, although there might be vulnerable code in the OS that we just don't know about. It's a little scary that we might eventually have to firewall what was once simply a PIM. :| Personally, I'm going to wait a bit longer and see how things develop and evolve.

alabij
08-29-2004, 02:51 PM
You hit the nail on the head. The Pocket PC is no longer a PIM. It's way too sophisticated. If someone stole my PDA, they'd know every single thing about me. They'd also have access to my home PC, my network. Hmmm.... I think it's time I started using the password feature of my H6315.

surur
08-29-2004, 03:03 PM
As a phone edition user, I'm more interested in a reverse firewall, that will protect me from trojan programs stealing my information and running up unnecessary GPRS costs. I install a lot of freeware, and there is just no way of knowing what the software is doing behind your back. As there are not any known network exploits in Win CE, I think that this is much more important functionality.

Surur

gorkon280
08-29-2004, 04:05 PM
No we don't need a firewall to protect us just yet. Although I could see if you had the ability to have 2 ethernet cards how something like this could be used for a nice hardware based firewall.....

gordho
08-29-2004, 05:15 PM
it's only a matter of time until this becomes a necessity. with the amount of exploits in w2k and xp i am positive my i-mate will be susceptible to the same. a firewall looks like a better idea every day considering i have an always on connection to the internet on my pda. maybe kerio will come up with a nice solution.

fmcpherson
08-29-2004, 06:32 PM
Some corporate security network policies require that any device attached to their network have an active firewall installed to try and prevent anything from coming from the device to the corporate network. Consequently, this type of firewall software is going to be important for corporate use of handhelds.

nuka_t
08-29-2004, 06:50 PM
As a phone edition user, I'm more interested in a reverse firewall, that will protect me from trojan programs stealing my information and running up unnecessary GPRS costs. I install a lot of freeware, and there is just no way of knowing what the software is doing behind your back. As there are not any known network exploits in Win CE, I think that this is much more important functionality.

Surur

agreed. when on wifi, you already have a decent hardware firewall on the router. the purpose of a software one is for upstream control.

Janak Parekh
08-29-2004, 07:08 PM
agreed. when on wifi, you already have a decent hardware firewall on the router.
Except when you use resources like public hotspots. ;) I haven't played at all with this software; I wonder if it does any outbound filtering.

--janak

Sven Johannsen
08-29-2004, 07:10 PM
Well, now we have Anti-virus software and Firewall software for the PPC. What I'm waiting for is the Auto-update feature so MS can push WM2003SE to me like they are pushing XPSP2 ;)

Janak Parekh
08-29-2004, 07:12 PM
What I'm waiting for is the Auto-update feature so MS can push WM2003SE to me like they are pushing XPSP2 ;)
Despite the little off-humor, this unmasks a serious point: the current ROM upgrade mechanism (i.e., wait for OEMs to post updates) doesn't scale well for critical updates... hopefully, Microsoft is thinking about ways of tackling this, as it may become a concern sometime in the near future.

--janak

nuka_t
08-29-2004, 08:24 PM
agreed. when on wifi, you already have a decent hardware firewall on the router.
Except when you use resources like public hotspots. ;) I haven't played at all with this software; I wonder if it does any outbound filtering.

--janak

why wouldn't a hotspot have a hardware firewall?

they probably also use it to block porn and stuff.

freitasm
08-29-2004, 08:25 PM
As a phone edition user, I'm more interested in a reverse firewall, that will protect me from trojan programs stealing my information and running up unnecessary GPRS costs. I install a lot of freeware, and there is just no way of knowing what the software is doing behind your back. As there are not any known network exploits in Win CE, I think that this is much more important functionality.

Surur

The Airscanner allows you to define rules based on address and port, both incoming and outgoing. Unless the trojan uses port 80 or one of the ports needed for other common services, then the software will help you block pretty much everything else. Even for POP and SMTP, you can define a rule for specific servers. Of course if the Trojan acts by creating messages in your Outbox then this will not work.

This is a problem with desktop computers too. A firewall solution is not enough, it must be used with an anti-virus and best practices to be effective.
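
Added example (not part of the thread, and not AirScanner's actual rule format): a first-match address-and-port filter of the kind described in the post above, run over constructed connection attempts to show which outbound traffic such rules stop and which they cannot. The `Rule` fields, the policy and all addresses (documentation ranges) are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str        # "in" or "out"
    network: str          # CIDR the remote address must fall in
    port: Optional[int]   # service port; None matches any port
    action: str           # "allow" or "block"

# Constructed policy: mail only to one named server, web anywhere, rest blocked.
RULES = [
    Rule("out", "192.0.2.25/32", 110, "allow"),   # POP3 to own mail server
    Rule("out", "192.0.2.25/32", 25, "allow"),    # SMTP to own mail server
    Rule("out", "0.0.0.0/0", 80, "allow"),        # HTTP to anywhere
    Rule("out", "0.0.0.0/0", None, "block"),      # everything else outbound
    Rule("in", "0.0.0.0/0", None, "block"),       # nothing unsolicited inbound
]

def decide(direction, remote_ip, port, rules=RULES):
    """Return the action of the first matching rule; default to block."""
    addr = ip_address(remote_ip)
    for rule in rules:
        if rule.direction != direction:
            continue
        if addr not in ip_network(rule.network):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action
    return "block"

# Constructed connection attempts: (label, direction, remote address, port).
ATTEMPTS = [
    ("mail client fetching from own POP3 server", "out", "192.0.2.25", 110),
    ("unknown program to a foreign SMTP server", "out", "203.0.113.9", 25),
    ("unknown program to an arbitrary port", "out", "198.51.100.7", 6667),
    ("unknown program uploading over port 80", "out", "198.51.100.7", 80),
    ("mail client sending a message queued in the Outbox", "out", "192.0.2.25", 25),
    ("inbound probe from another hotspot client", "in", "198.51.100.44", 139),
]

def evaluate(attempts=ATTEMPTS):
    """Map each attempt label to the firewall's decision."""
    return {label: decide(d, ip, port) for label, d, ip, port in attempts}

if __name__ == "__main__":
    for label, verdict in evaluate().items():
        print(f"{verdict:5}  {label}")
```

The two allowed entries that a rule set like this cannot tell apart from legitimate use are the port 80 upload and the Outbox message, which are the two limits the post names.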

Janak Parekh
08-29-2004, 08:31 PM
why wouldn't a hotspot have a hardware firewall?
A hardware firewall works when you can establish a policy of allowed protocols, etc. At a hotspot, they can't -- there are diverse people using it. Try making a firewall that blocks malicious traffic but allows SMB, VPNs, etc. -- you'll find it's not much of a firewall.

they probably also use it to block porn and stuff.
That would be a proxy server, not a firewall, and I think that would be even more problematic to establish at a hotspot. You see such proxy servers at libraries.

--janak

gordho
08-29-2004, 08:50 PM
i'm sure they are "thinking" about it but the user base is not big enough yet for them to actually implement anything. it really is no different though when i have an always on gprs connection.

gorkon280
08-30-2004, 02:00 AM
Some corporate security network policies require that any device attached to their network have an active firewall installed to try and prevent anything from coming from the device to the corporate network. Consequently, this type of firewall software is going to be important for corporate use of handhelds.


NONE that I know of. Why slow your corporate folks down when you can establish VLANS as well as having firewalls around important sections of the network. I don't know of very many companies where it would be necessary to run a firewall on all the clients. It's easier to just do it on both the perimeter and the real important parts of the network.

gorkon280
08-30-2004, 02:12 AM
why wouldn't a hotspot have a hardware firewall?
A hardware firewall works when you can establish a policy of allowed protocols, etc. At a hotspot, they can't -- there are diverse people using it. Try making a firewall that blocks malicious traffic but allows SMB, VPNs, etc. -- you'll find it's not much of a firewall.

they probably also use it to block porn and stuff.
That would be a proxy server, not a firewall, and I think that would be even more problematic to establish at a hotspot. You see such proxy servers at libraries.

--janak

Ok, when running a public hotspot, it may be permissible to pass SMB traffic on that branch of the network but to let SMB go in and out the DSL, Cable Modem or T1/T3 Line would be stupid. The hardware firewall would only block traffic in and out of the hotspot's network. That's not to say that there may be vlan's or firewalls between different segments of the WiFi network or they may just provide a port 80 proxy to each port and nothing else. Most public spots would probably pass VPN traffic, port 80, and POP3 but other than that, why would they need to or want to pass anything else? Trust me, they probably use a firewall otherwise they'd have all of their customers infected by people trying to ping the network with viruses and other exploits. SMB traffic should not be allowed to pass to the internet...period. Allowing that will open up all of your clients to hackers. If you need a SMB share to mount your work's hard disk, you would establish the VPN first. The VPN would pass all traffic (at the very basic level it's a pipe that all of your activity would be run through, encrypted of course).

iPaqDude
08-30-2004, 02:36 AM
More than likely those running the hotspot probably do have a firewall of some sort that blocks any malicious inbound traffic from getting to those that are enjoying their latte while surfing the web.

I am more concerned about what might go on behind the firewall. Let's say you are sitting at your favorite Starbucks and log on with your PDA or laptop. Once you have established a connection, can't you see what the IP address is and start running some pings to see who else is on the same segment? And once you have their IP, what is the possibility of my using some utility to map to their device and start poking around their data?

Obviously I am not a network engineer but for those in this forum that are - is this a possibility? If so, would this not be a good reason to want to run a personal firewall on the laptop or PDA?

Just thinking out loud here ...

gorkon280
08-30-2004, 02:48 AM
More than likely those running the hotspot probably do have a firewall of some sort that blocks any malicious inbound traffic from getting to those that are enjoying their latte while surfing the web.

I am more concerned about what might go on behind the firewall. Let's say you are sitting at your favorite Starbucks and log on with your PDA or laptop. Once you have established a connection, can't you see what the IP address is and start running some pings to see who else is on the same segment? And once you have their IP, what is the possibility of my using some utility to map to their device and start poking around their data?

Obviously I am not a network engineer but for those in this forum that are - is this a possibility? If so, would this not be a good reason to want to run a personal firewall on the laptop or PDA?

Just thinking out loud here ...

Well, the pda would probably be safe from prying eyes because as far as I know, there's no way to access the pda's storage from another pda or laptop unless you create a BT OBEX session (meaning, your BT is probably more vulnerable than your WiFi would be) unless you are running an ftp daemon or some other network type service on your pda and as far as I know, there are not many of those and none of these are shipped with the pocket pc. Your laptop COULD be affected if you forget to change things to turn off your sharing and anything, pda or laptop (be it a PC or Mac) could be used to browse your hard drive if you're so stupid to activate sharing and NOT have a password. Again the age old UNIX policy stands...if you don't NEED SMB sharing, then don't activate or configure it. If you don't need Sendmail, then make sure it's not active. Unnecessary services running open yourself up for attack. Also, make sure you are up to date on your patches as well and for laptops, it would not be a bad idea to run a firewall. On a PDA, being there are not that many network services enabled, it would not do much good to have a firewall. Now having something that works like Zone Alarm may be useful, but even then, only CAB's and PPC specific exe's will do any damage. As over the air software becomes more prevalent, then the need for both a firewall and outbound traffic monitoring may be necessary.

welovejesus
08-30-2004, 03:16 AM
Janak,
Thank you so much for the link! I have been looking for a firewall for the PPC. Blue Mobile Firewall (http://www.bluefiresecurity.com/mobile_firewall.php) is the only other true PPC firewall that I know of but only offers its software solution to OEM's, enterprise, and other high volume customers.
Does anyone know how well AirScanner Mobile Firewall protects against "blue-snarfing" and "blue-jacking" (http://www.yenra.com/bluesnarfing/)? Thanks in advance for the help!

Janak Parekh
08-30-2004, 03:41 AM
Ok, when running a public hotspot, it may be permissible to pass SMB traffic on that branch of the network but to let SMB go in and out the DSL, Cable Modem or T1/T3 Line would be stupid.
I'm not saying it's smart. I was using that as an example of why arbitrary portblocking won't work from the hotspot operator's perspective -- there are all sorts of protocols people want to use. A better example, perhaps, is SIP, which is something that hotspots may provide a key role for in the near future.

Most public spots would probably pass VPN traffic, port 80, and POP3 but other than that, why would they need to or want to pass anything else? Trust me, they probably use a firewall otherwise they'd have all of their customers infected by people trying to ping the network with viruses and other exploits.
What about IMAP? IMAPS? POP3S? RealAudio? SSH? Webs on port 8080? VPN over IPsec vs. PAT over UDP/TCP vs. PPTP/GRE vs. whatever? If you're providing commodity Internet services, as a hotspot does, you cannot easily establish a policy that keeps all your customers happy. My experience with hotspots is that there's no firewalling, and the TOS clearly suggest consumers are responsible for keeping their machines clean. Yes, I know NAT can handle most of these transparently and provide minimal firewalling, but it's not anywhere near secure -- other laptops on the hotspot may be infected, and NAT interferes with a lot of IPsec and related implementations, especially when multiple VPN connections are established.

The VPN would pass all traffic (at the very basic level it's a pipe that all of your activity would be run through, encrypted of course).
Believe me, I'm very aware -- my organization blocks SMB at the perimeter, and we use Cisco's client to gain access to it.

--janak

Janak Parekh
08-30-2004, 03:44 AM
Thank you so much for the link! I have been looking for a firewall for the PPC. Blue Mobile Firewall (http://www.bluefiresecurity.com/mobile_firewall.php) is the only other true PPC firewall that I know of but only offers its software solution to OEM's, enterprise, and other high volume customers.
Does anyone know how well AirScanner Mobile Firewall protects against "blue-snarfing" and "blue-jacking" (http://www.yenra.com/bluesnarfing/)? Thanks in advance for the help!
The problem is that I think this is an IP firewall, and as such probably doesn't filter Bluetooth. That said, I think it's fairly easy to lock down a BT setup on most Pocket PCs so that it's reasonably secure. Most bluejacking vulnerabilities have come in cell phones if I understand the situation correctly.

--janak

bnycastro
08-30-2004, 06:22 AM
Question: As of today do we need to install both av and firewall software on a PPC? I know there is already a proof of concept virus for PPC OS and Symbian OS (actually the CARIBE Symbian Virus is quite prolific here in the Philippines; it was even featured in the dailies and on TV). Wouldn't this be an unnecessary drain on what little resources the PPC has? I used to have Airscanner's AV software but it messed up my PPC, and I wasn't really using it, so I had to do a hard reset and didn't bother with installing it again.

Janak Parekh
08-30-2004, 03:42 PM
Question: As of today do we need to install both av and firewall software on a PPC?
As of this moment? Probably not, because there are no known exploits of the Pocket PC OS. That said, there might be exploits, so if you're doing ultra-critical military work or something, and need a connected Pocket PC, it might not hurt...

--janak

MadTxn
09-02-2004, 03:27 AM
I have an iPAQ 5555 and I installed airscanner a couple of days ago. Looked keen. Today, I turned on wireless for the first time. A WM window popped up asking me which network I wanted to connect to. Puzzled, I chose mine. It asked me for a WEP key. Odd, since I've been connecting at home for about a year, and after first entering settings, never had to choose. So I canceled and clicked on my "Connections" or "Network" settings icon to open my fabulous wireless chooser doo-dad. Magically, it didn't appear. It went straight to the hardware selection screen. Odd again. Long story short(er), after a half hour of my life that I can't get back spent taking out the battery and reinserting and soft-resetting, I thought about what had changed since I last successfully connected. I uninstalled airscanner and presto, everything works again.

Nice feature.