
Firewall basics (with podcast)

A firewall is an essential part of computer and network protection. This class for the basic computer user is designed to help you understand firewalls, how they work and the technologies behind them. You'll learn about basic internet security policies, explore common firewall configurations and uses, learn how to assess your firewall needs and find the right product to meet those needs.

Lessons
1. What is a firewall? This lesson introduces you to firewalls, and explains why you need one and how to get one. You'll also explore types of firewalls, such as software-only, standalone firewall hardware/software combinations and general-purpose internet firewalls.

2. TCP/IP tutorial. Basic knowledge about TCP/IP, the protocol suite that supports the internet, is essential to understanding how firewalls and related technologies work. In this lesson, you'll learn about the TCP/IP protocol suite and how firewalls use it to keep your network secure.

3. Inside a firewall. This lesson covers how a firewall works and which features and functions are found in most firewalls. You'll see how firewalls use rules and filters and keep track of network activity, and how additional encryption software can provide added protection.

4. Hardware firewalls, software firewalls and secure hosts. Not all firewalls are created equal. In this lesson, you'll learn about different kinds of firewalls, and the pros and cons of each. You'll also learn about what's involved in securing a network host, and keeping it as secure as possible thereafter.

5. Firewalls need security policies. A security policy is a special type of document that describes what resources must be secured and who may use secured resources under what conditions. In this lesson, you'll learn about security policy and how it helps control traffic on your network.

6. Making the most of your firewall. In this lesson, you'll learn about common firewall configurations, how to test and evaluate firewall effectiveness and how to select the right firewall. You'll also learn about common attacks your firewall must counter and best security practices.

What is a firewall?
This lesson introduces you to firewalls, and explains why you need one and how to get one. You'll also explore types of firewalls, such as software-only, standalone firewall hardware/software combinations and general-purpose internet firewalls.

Get ready to learn firewall basics


This class provides an introduction to firewalls. You'll begin by learning what a firewall is and how it helps protect networks and PCs. Then you'll move on to explore the internet protocols (or guidelines) firewalls monitor and manage, consider firewall features and functions, and learn about firewall technologies, security policies, and best security practices. As the class progresses, you learn what's involved in installing, configuring, and using a personal firewall, an internet appliance, and full-blown software- or hardware-based internet firewall solutions. You'll also find out how to integrate your firewall into a general framework of best security principles and practices.


This class is geared toward SMB (small- and medium-size businesses) owners and home office users who want to protect their computers and networks from unauthorized intruders.


What to expect in the class


This class discusses important technologies related to firewalls, along with related security policies, practices, and techniques to improve security in your working environment. Along the way, you'll have the opportunity to dig more deeply into the covered topics by working through the accompanying assignments and quizzes. Here's a summary of the lessons:

Lesson 1, "What is a firewall?," covers the benefits offered by firewalls, with particular emphasis on the protections they confer and the features they deliver.

Lesson 2, "TCP/IP tutorial," explores the protocols that support the internet, namely TCP/IP, as well as related naming and addressing techniques, all of which figure heavily into how a firewall works.

Lesson 3, "Inside a firewall," discusses the inner workings of a firewall, including how packets are inspected and filtered, how network address translation and application proxies figure into the process, and more.

Lesson 4, "Hardware firewalls, software firewalls, and secure hosts," digs into specific firewall technologies, examines their pros and cons, and compares the benefits and security capabilities of hardware- and software-based firewalls.

Lesson 5, "Firewalls need security policies," establishes a rationale for a security policy -- a document that describes which network resources must be secured -- and helps you form your own network access and accepted use policies.

Lesson 6, "Making the most of your firewall," describes common types of attacks, how to detect firewall intrusions, and best practices to make your firewall work as part of a complete security solution.

Beyond the lessons, complete the assignments and quizzes. When you're done with them, visit the message board. It's the perfect place to discuss class topics and swap questions and comments with other students and your instructor.

Firewalls can be intimidating, and inevitably involve numerous technical topics. You'll need to understand a little bit about networks and internet communications to understand how firewalls work, so this class gives you a gentle introduction to those topics. The class message board is your classroom and is the place you should go when you have a question about what's covered in this class, or about other firewall-related issues. Remember, your instructor and classmates are in this learning endeavor with you, so don't be afraid to speak up (virtually, of course).

Now it's time to get started with the topics in Lesson 1.

What is a firewall?
When creating a link to the internet, a firewall sits between the private, or internal, side of the connection and the public, or external, side of that same connection. The connection can contain a single system or one or more networks, as shown in Figure 1-1. Simply put, a firewall's primary job is to examine inbound traffic -- that is, traffic coming from the public side of the link destined for the private side of that link -- to make sure it's safe before permitting that traffic to pass through to the private side of the link.

Figure 1-1: A firewall. Like the physical barrier it's named after, no internet firewall is perfect, nor can it always defeat or deflect all malign traffic.

To appreciate a firewall, you must recognize that you have a system or systems which contain information that's worth protecting. This class is designed to help you cultivate that appreciation and understand exactly how a firewall works to protect crucial information. It isn't designed to teach you how to implement a particular firewall software or technology; it's a more concept-oriented class that helps you understand what firewalls are designed to do and how they work.

If you're interested in setting up a firewall, the principles and concepts covered in this class will help you select the right firewall and understand its documentation so you can get your firewall up and running.

Terms to know
A bastion is a term from medieval architecture and refers to a fortified place designed to provide a strong point of defense against outside attack. The metaphor carries over into networking: A bastion host is a computer that provides protected single points of entry and exit between outside and inside networks. Firewalls often run on bastion hosts along with routers, intrusion detection systems, and so forth. A screened host, shown in Figure 1-2, is a synonym for a bastion host; however, this terminology emphasizes a router's or firewall's role examining incoming and outgoing traffic, and filtering out unwanted or excluded traffic.

Figure 1-2: A screened host.

A screened subnet, shown in Figure 1-3, is a special kind of network neighborhood, where all addresses are related to each other and described by enumeration around a specific network address, such as 192.168.1.0. It's a network that interconnects the untrusted world of external networks and trusted internal networks. By interposing various barriers and proxies between the inside and the outside, a screened subnet doesn't permit traffic to flow directly in or out of the system.

Figure 1-3: A screened subnet host.

You'll learn about proxies and addressing in Lesson 3. First, you'll learn about the two primary types of firewall forms: software and hardware.

Exploring common firewall forms


Firewalls come in two primary forms:

Software-only firewalls: This kind of firewall is a program that runs on a computer attached to the internet (and might also be attached to an internal, private network). The firewall software inspects all incoming traffic before it can enter the computer or internal network. Firewalls can also inspect outgoing traffic.

Hardware firewalls: In this form, a firewall is a kind of device that's attached to the internet on one side and to an internal, private network on the other side. In some cases, this device can include other functions besides that of a firewall, such as a cable modem or DSL (digital subscriber line) interface, and more. Hardware firewall devices are often called internet appliances, because they provide everything that's needed to attach one or more computers safely to the internet in a single box. Some vendors offer a dedicated box that runs firewall software and other security-related software; in that case, it can be called a security appliance. An example of a small network with internet appliances attached is illustrated in Figure 1-4.


Figure 1-4: Personal firewalls, or internet appliances, on individual computers.

It's important to understand that firewall devices generally include both hardware and software; however, you manage them together as a single unit. It's also important to recognize that for the same level of functionality, a firewall device generally costs more than a software-only firewall, if only because of the hardware costs involved. However, companies such as Belkin, D-Link, and Linksys offer internet appliances (that include firewall capabilities) for under $100.

Because firewalls represent the most obvious point of attack for those with less than honest intentions, most security experts recommend that you dedicate a computer or some other device, such as an internet appliance, for use as a firewall and for other related security functions. This explains the popularity of internet or security appliances -- they're usually less expensive than buying a computer and software for exclusive firewall use.

In many cases, internet or security appliances come preconfigured and ready to install and use, and require little or no expertise to put them to work. By contrast, installing and configuring software-only firewalls can involve some work, and require at least some knowledge about security, in general, and the firewall in use, in particular.

Since the release of Windows XP SP2 (Service Pack 2), Windows desktop software includes a built-in firewall called Windows Firewall, which is enabled by default. It's an adequate firewall and might be just the thing for home or small office users with just one or two PCs to protect. Next, we'll discuss why you need a firewall.

Why do you need a firewall?


The short answer to the question, "Why do you need a firewall?" is pretty simple: Because it helps protect your system or network from attack (usually from the internet). The longer answer takes a little explaining, starting with what exactly you need to protect, and the type and nature of the threats from which a firewall can protect your system.


Protecting your network


Internet and other attacks come in many forms, and can threaten your computer or network in different ways. In general, you probably want to protect the following aspects or capabilities of your computer.

If you have an internal private network, you want to protect these things on all the computers or other devices attached to that network.


Preserving system integrity


Some attacks can be purely destructive, and might seek to obliterate the entire contents of any systems they encounter, rendering them inoperable. This means a total loss of system integrity. Other attacks on system integrity can be more subtle, and might try to take control of your systems. This also compromises their integrity, however, in perhaps less obvious ways.

Protecting system contents


Some attacks aim to delete critical files, steal sensitive information, or change configuration files to enable outsiders to control your systems (or strip you of such control). All such attacks involve unauthorized access to system contents.

Controlling system behavior

Some attacks involve installing software on your system (or systems) to provide easy access for an attacker, or to engage in attacks against other systems. This latter attack turns systems into zombies, which means your computers could be used to attack other systems and networks; however, someone else is lurking in the background directing that activity. Other such attacks might be less overtly destructive and just install unwanted monitoring, reporting, remote control, or advertisement display software on your system (a common symptom of adware and spyware; more on these topics later).

Controlling system access


Some attacks just seek to make your system (or network) unavailable to authorized users. These are called DoS (denial of service) attacks because they block legitimate users from access to services or resources on your system(s) or network.

You'll learn all about many security threats and attacks in Lesson 6.

When installing a firewall, make sure its capabilities are up to date. New attacks appear all the time, and old software often can't handle new threats. This applies equally to software-only and hardware firewalls. Visit vendor websites to find patches and fixes to keep any firewall current.

How firewalls protect you


After a firewall is in place, it can provide numerous types of protection; some are described in the following sections.

The how and why of these protections will follow later in the class.

Blocking unused or unwanted access requests


On the internet, requests for access come in specific forms that relate to particular services, such as web, email, file transfer, and so on. You can configure your firewall to block access requests you don't want to support or any that pose a security risk. In general, it's considered wise to block all requests for services you don't plan to offer anyway, because such requests can provide avenues for attack.

Blocking incoming traffic from known points of attack


Certain names or addresses from which traffic originates might be strongly associated with prior attacks or bad behavior. You can instruct your firewall to ignore traffic that originates from such sources.

Limit or block outgoing traffic


You can prohibit some services that inside users might want to access, such as instant messaging or streaming media, or judge other services too vulnerable to attack to be used at all, such as file transfer. Many firewalls can keep such traffic from leaving your network. This prevents connections that might be subjected to attack from being opened in the first place. Likewise, you might block addresses for inappropriate websites so users can't access explicit or questionable materials through the firewall. You'll learn more about setting the business rules that define what traffic your firewall keeps in and out in Lesson 3.

Windows Firewall doesn't limit or block outgoing traffic, although it does a pretty good job on inbound traffic. Many experts believe this lack of capability permits other firewalls that do support such screening to offer better protection and security.
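The three protections just described (refusing requests for services you don't offer, dropping traffic from known bad sources, and keeping prohibited outbound connections from being opened) are all decisions a firewall makes per packet from a small rule set. The following Python program is an added example, not code from this class or from any firewall product: it models a minimal rule-based filter for one hypothetical small network and runs it over constructed sample traffic. The service-to-port mapping, the policy sets, and every address (taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24) are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed mapping from the services named in the lesson to the well-known
# port a request for them normally arrives on (assumption: one port per service).
SERVICE_PORTS = {
    "web": 80,
    "email": 25,
    "file transfer": 21,
    "instant messaging": 5190,
    "streaming media": 554,
}

# Policy for one hypothetical small network (all values constructed).
OFFERED_INBOUND_SERVICES = {"web", "email"}                    # everything else is refused
BLOCKED_OUTBOUND_SERVICES = {"instant messaging", "file transfer"}
KNOWN_BAD_SOURCES = {"203.0.113.45"}                           # prior attacker, constructed
BLOCKED_DESTINATIONS = {"203.0.113.200"}                       # inappropriate website, constructed


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" (public -> private) or "outbound" (private -> public)
    src: str         # source IPv4 address, dotted decimal
    dst: str         # destination IPv4 address
    dst_port: int    # destination port, which identifies the requested service


def service_for_port(port):
    """Map a destination port back to the lesson's service name, or None."""
    for name, known_port in SERVICE_PORTS.items():
        if known_port == port:
            return name
    return None


def decide(pkt):
    """Return (verdict, reason) for one packet.

    Inbound traffic is denied if it comes from a known point of attack or asks
    for a service the site does not offer (default deny). Outbound traffic is
    permitted unless it targets a prohibited service or a blocked website.
    """
    svc = service_for_port(pkt.dst_port)
    if pkt.direction == "inbound":
        if pkt.src in KNOWN_BAD_SOURCES:
            return "deny", "known point of attack"
        if svc in OFFERED_INBOUND_SERVICES:
            return "permit", f"offered service: {svc}"
        return "deny", "service not offered"
    if pkt.direction == "outbound":
        if pkt.dst in BLOCKED_DESTINATIONS:
            return "deny", "blocked website"
        if svc in BLOCKED_OUTBOUND_SERVICES:
            return "deny", f"prohibited outbound service: {svc}"
        return "permit", "outbound traffic allowed"
    return "deny", "unknown direction"


def filter_packets(packets):
    """Apply decide() to each packet; returns a list of (packet, verdict, reason)."""
    return [(pkt, *decide(pkt)) for pkt in packets]


# Constructed sample traffic, one packet per rule path.
SAMPLE_PACKETS = [
    Packet("inbound", "198.51.100.7", "192.168.1.10", 80),     # web request: permit
    Packet("inbound", "198.51.100.7", "192.168.1.10", 23),     # telnet, not offered: deny
    Packet("inbound", "203.0.113.45", "192.168.1.10", 80),     # known bad source: deny
    Packet("outbound", "192.168.1.20", "198.51.100.9", 5190),  # instant messaging: deny
    Packet("outbound", "192.168.1.20", "203.0.113.200", 80),   # blocked website: deny
    Packet("outbound", "192.168.1.20", "198.51.100.9", 443),   # ordinary HTTPS: permit
]

if __name__ == "__main__":
    for pkt, verdict, reason in filter_packets(SAMPLE_PACKETS):
        print(f"{pkt.direction:8} {pkt.src:>15} -> {pkt.dst:>15}:{pkt.dst_port:<5} "
              f"{verdict:6} ({reason})")
```

The order of the checks matters: a known bad source is refused even when it asks for an offered service, and inbound traffic falls through to "deny" unless a rule explicitly permits it, which is the default-deny posture the lesson recommends for services you don't plan to offer. The outbound branch is what a firewall without egress screening, such as the Windows Firewall described above, lacks.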

The most important reason for using a firewall, and the best explanation for why you would need one, remains your need to protect your system or network against unwanted penetration, access, or compromise. There are no perfect firewalls, and therefore, no perfect protection against attacks. However, it's relatively easy to deploy reasonable protection that keeps all except the most knowledgeable and dedicated attackers from breaching your defenses. The principle at work here is similar to a burglar alarm: Although it can't keep all burglars away, if it keeps most of them away at a reasonable cost, it's probably good enough for your needs. Next up: how to obtain a firewall.

Obtaining a firewall
Many potential sources for internet firewalls exist, be they hardware firewalls or software firewalls, appliances, or otherwise. Because there's hardware involved, you won't find hardware firewalls or appliances actually given away at no cost to their users -- although cable or DSL users might be loaned or leased such gear that becomes part of your monthly service costs. Some software-only firewalls are available at no cost, making it possible to protect a single computer connected to the internet for free. There's a category of firewall software called a personal firewall that generally applies to use in SOHO (small office/home office), or strictly to personal networks. Firewalls in this category include the following:

Built-in: This comes as part of the operating system and involves no extra costs.

Freeware: You don't pay anything; it's free.

Shareware: You don't pay anything up front; however, you normally must provide modest compensation to the firewall's creator if you continue to use shareware software beyond a specified trial period (normally, 30 days).

Commercial: You must purchase the software before you can use it.

Thus, you have numerous options for obtaining a firewall for personal use in a home office environment to protect key business systems when you or your staff works from home:

If any of your PCs run Windows XP SP2 or higher (including Windows Vista), Windows Firewall comes with the operating system. Although it doesn't offer outbound traffic inspection and screening -- as most other software-only firewalls do -- it's adequate for protecting single systems and small networks.

Visit a freeware or shareware download web page (such as the collection of Windows firewall shareware and freeware at tucows.com) and download a software-only firewall package. Read your PC's documentation carefully. Sometimes installing freeware can void your warranty.

If you have a cable or DSL connection to the internet, it might come with firewall software or possibly a modem or appliance with a hardware firewall built in. Some service providers offer software-only firewalls to their subscribers. Contact your service provider for more information.

Purchase a shrink-wrapped software or hardware firewall product at a store, or pay to download a commercial software-only firewall from the internet.

Online firewall guide

For an excellent compendium of personal firewall products, visit the Home PC Firewall Guide. This is an excellent source of information about personal firewalls, as well as about related products, tools, and technologies.

Any company or individual connected to the internet should use a firewall to protect that connection and any system(s) it serves from unauthorized access and potential harm. When you install a firewall to protect a network, you can still decide between software and hardware firewalls, and the same basic principles apply. However, because you have a network -- and presumably, multiple systems -- to protect, there are more technical issues to address before you get your firewall set up and running.

Moving on
In this lesson, you learned that a firewall is designed to sit between the public and private sides of an internet connection and block or deflect unwanted incoming traffic (and often, outgoing traffic as well). In Lesson 2, you'll learn more about the protocols and services that make the internet work (and firewalls necessary) in a primer on the internet protocol suite known as TCP/IP (Transmission Control Protocol/Internet Protocol). Before you move on, do the assignment and quiz. Also, visit the message board to find out what other students are up to and to touch base with your instructor.

Assignment #1
Visit one or more of the following websites, and search on the term firewall. Read through the resulting materials to get a sense of how you might use these resources for future learning and research.

The CMP TechWeb Encyclopedia
Internet.com's Webopedia
Marcus Ranum's and Matt Curtin's Internet Firewalls FAQ

Now, visit your favorite search engine and look for introductory information about firewalls. (Hint: Using search strings like firewall tutorial, firewall overview, or firewall introduction will work much better than just firewall.) Bookmark or add those websites that you find most interesting and informative to your favorites list.

Quiz #1
Question 1: True or False: A firewall's primary job is to examine inbound traffic to make sure it's okay before permitting that traffic to pass through to the private side of the link.
A) True
B) False

Question 2: Which of the following forms do internet firewalls take? (Check all that apply.)
A) Internet appliances
B) Software-only implementations
C) Hardware implementations
D) Remote access services

Question 3: Which of the following aspects or capabilities of your network should you seek to protect from internet attack? (Check all that apply.)
A) System integrity
B) Hardware
C) System contents
D) System behavior
E) System access

Question 4: True or False: All firewalls work only on inbound traffic; they do not limit or block outgoing traffic.
A) True
B) False

TCP/IP tutorial
Basic knowledge about TCP/IP, the protocol suite that supports the internet, is essential to understanding how firewalls and related technologies work. In this lesson, you'll learn about the TCP/IP protocol suite and how firewalls use it to keep your network secure.

What's TCP/IP and how does it relate to firewalls?


Welcome back. In Lesson 1, you learned what a firewall is and how it can protect your network. This lesson focuses on TCP/IP (Transmission Control Protocol/Internet Protocol). TCP/IP can be described somewhat loosely as a collection of networking protocols (or guidelines) and services that make the internet run. The current version of TCP/IP is called IPv4 and reflects an optimistic security model. That means it trusts the good will of users and believes they won't actively seek ways to bypass or defeat such security measures. A new version, called IPv6, is still being refined and is used only occasionally.

TCP/IP standards
TCP/IP protocols are specified in formal documents known as RFCs (Requests for Comment). Despite the tentative sounding name, RFCs govern existing (and proposed) TCP/IP protocols and services absolutely. You can review the complete collection of RFCs online at the IETF (Internet Engineering Task Force) website, including RFC 3700, the most current "Internet Official Protocol Standards."

IPv6 should be widely deployed sometime between 2010 and 2015. It embodies a pessimistic security model and will require significantly fewer add-ons to keep communications safe and secure.

Understanding protocols and services


A protocol is a collection of rules governing the sequence and formats of messages that can pass from a sender to a receiver (or multiple receivers). The senders and receivers are computers on the internet and the messages are data. Thus, a protocol defines what kinds of communications can occur between computers, in what order those messages occur, and the formats for such messages. A group of related protocols is often called a protocol suite, to signify their interdependencies. This suite can also be called a protocol stack, to identify the layered set of software components that actually implement such protocols. In most cases, protocol stacks are built into the operating system -- as is the case for all modern versions of Windows, for example. The concept of a service, on the other hand, defines what a protocol can do. Thus, a file transfer protocol (such as FTP) supports a file transfer service, which means it enables a sender to transmit a file to a receiver, to navigate local and remote file systems, to delete local and remote files, and so forth. The file transfer service works much like a two-sided file system, where local files can be copied to another location on a network (or vice versa), and you can move between local and remote file systems to list directories, manage files, make copies, and so on.

Recognizing TCP/IP elements


TCP/IP is a large, complex protocol suite that's been widely used since the early 1980s. It embraces hundreds of protocols and services, for everything from address management to zone information transfers, and many points in between. It's not important to understand these details at the moment, just recognize that TCP/IP supports nearly any kind of network activity you can think of -- from email, to web access, to file transfer, network addressing, and so on. TCP/IP takes its name from two protocols that represent two of its most important components:

TCP (Transmission Control Protocol) breaks big chunks of data into small chunks for transmission over a network, keeps track of individual chunks as they arrive on the receiving end, and makes sure all chunks get delivered and reassembled in the proper sequence -- or lets the recipient know that the data transfer could not be correctly completed. TCP is what supports lots of higher-level internet services, including email, file transfer, and web page access.

IP (Internet Protocol) provides a way to address and route data packages from a sender to a receiver. IP is a fundamental component of TCP/IP, because virtually all internet communications use IP to move and direct data.
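The TCP behaviour described above (split data into numbered chunks, accept them in whatever order they arrive, put them back in sequence, and tell the recipient when something never arrived) can be modelled in a few lines. The Python program below is an added example written for this lesson, not code from the class or from any TCP implementation: it uses the byte offset of each chunk as its sequence number, a deliberately tiny segment size, and a constructed message, and it simulates a network that drops or reorders segments. Real TCP adds much more (acknowledgements, retransmission timers, flow and congestion control), which this model omits.

```python
# Tiny segment size (assumption) so the constructed example yields several segments.
MAX_SEGMENT_BYTES = 4


def segment(data, mss=MAX_SEGMENT_BYTES):
    """Break data into (sequence_number, chunk) pairs.

    The sequence number is the byte offset of the chunk within the original
    data; it is how the receiver knows where each chunk belongs regardless of
    the order in which chunks arrive.
    """
    return [(offset, data[offset:offset + mss]) for offset in range(0, len(data), mss)]


def reassemble(segments, total_length):
    """Rebuild the data from segments received in any order.

    Returns (data, missing_offsets). missing_offsets lists every byte position
    that no received segment covered, so the receiver can report that the
    transfer is incomplete instead of silently passing on a corrupt message.
    """
    buffer = bytearray(total_length)
    covered = set()
    for seq, chunk in segments:
        buffer[seq:seq + len(chunk)] = chunk
        covered.update(range(seq, seq + len(chunk)))
    missing = sorted(set(range(total_length)) - covered)
    return bytes(buffer), missing


def transfer(data, lose_segments=(), reverse_order=False):
    """Simulate one transfer over an unreliable network.

    lose_segments: sequence numbers of segments the network drops.
    reverse_order: deliver the surviving segments back to front.
    Returns (delivered_data_or_None, missing_offsets); None signals that the
    transfer could not be correctly completed.
    """
    dropped = set(lose_segments)
    sent = [s for s in segment(data) if s[0] not in dropped]
    if reverse_order:
        sent.reverse()
    rebuilt, missing = reassemble(sent, len(data))
    return (rebuilt if not missing else None), missing


# Constructed sample message, 16 bytes, so it splits into four segments.
MESSAGE = b"hello, firewall!"

if __name__ == "__main__":
    print("segments:", segment(MESSAGE))
    print("reversed delivery:", transfer(MESSAGE, reverse_order=True))
    print("segment 4 lost:   ", transfer(MESSAGE, lose_segments=[4]))
```

Reversed delivery still yields the original message because reassembly is driven by sequence numbers, not arrival order; losing one segment produces `None` together with the exact byte range that is missing, which is the information a real receiver uses to ask for retransmission.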

Combining TCP/IP and firewalls


TCP/IP was created in a laboratory setting, where none of its original designers had any idea of the global scope, reach, and importance these protocols and services would one day assume. There's not much built-in security available from TCP/IP's basic building blocks with an optimistic security model. Because of this, protective elements, such as firewalls, must be inserted between safe private systems and networks, and unsafe public systems and networks. Understanding the TCP/IP stack is next.

Inside the TCP/IP stack


TCP/IP stack refers to the collection of software components and elements that fall into various layers on a particular computer. Lower layers provide support for upper layers, and are essential to the functioning of protocols and services at higher layers. This explains how TCP/IP got its name: the TCP and IP protocols (and related services) support many, if not most, of the important higher-layer protocols and services that users really care about.

DARPA
DARPA is the arm of the U.S. Department of Defense that funded the initial research and development work that produced TCP/IP. At its inception, the agency was known just as ARPA (Advanced Research Projects Agency), and gave its name to an early precursor of the internet known as ARPANET.

In most cases, using TCP/IP means operating a number of interlinking and interdependent software components that correspond loosely to the actual protocols and services in use. They also incorporate software drivers that permit the computer to communicate with one or more network interfaces as needed.

It helps if you understand the layers into which the TCP/IP protocol suite is divided, and the roles that each of these layers plays. This division into layers corresponds to a formal model for TCP/IP known as the DARPA (Defense Advanced Research Projects Agency) model or, more directly, as the TCP/IP networking model, which is shown in Figure 2-1.

Figure 2-1: The TCP/IP Networking model.

The model defines a layered collection of protocols and services that together support all of TCP/IP's capabilities. Higher-level layers depend on lower layers to work. The four layers of the TCP/IP networking model are:

Application (or Process) layer: The protocol stack interfaces with applications or processes on a host machine. Recognizable TCP/IP services, such as email, web access, file transfer, and terminal emulation, operate at this layer. It defines the kinds of functions and behaviors that TCP/IP makes available to users.

Transport (or Host-to-Host) layer: Moves data by taking large chunks of data of arbitrary size, breaking them into smaller chunks, and managing delivery. Reliability and robustness are vital when tracking delivery, retrying failed transmissions, and reassembling received messages before sending them on.

Internet layer: Handles addressing and routing between computers, permits multiple networks to interconnect, and provides naming and addressing schemes. Networking concepts of here (the origination point for communication) and there (the destination) are established, along with routing mechanisms.

Network Access (or Network Interface) layer: Networking hardware, interface cards, and communications technologies (such as Ethernet or Token Ring), along with specific connection-management and WAN (wide area network) technologies, come into play. Cables, interfaces, and low-level connections to computers operate here.

The following table lists common TCP/IP protocols associated with these layers.

Name                                Acronym   Explanation

Network Access layer
Point-to-Point Tunneling Protocol   PPTP      Newer serial line connection protocol (used in most modern operating systems and devices).
Point-to-Point Protocol             PPP       Modern robust point-to-point communications protocol used to ferry IP across various types of point-to-point links (serial links, modems, broadband connections, and more).
X.25                                X.25      European ITU (International Telecommunication Union) WAN protocol widely used for low- and medium-bandwidth telephony-based networking outside the U.S.

Internet layer
Address Resolution Protocol         ARP       Converts from numeric IP addresses to hardware addresses on some specific network segment.
Border Gateway Protocol             BGP       Newer, exterior routing protocol used to interconnect multiple routing domains or internet backbones.
Internet Control Message Protocol   ICMP      Manages IP-based routing or network activity.
Internet Protocol                   IP        Routes packets from sender to receiver.
Open Shortest Path First            OSPF      Newer, interior routing protocol used inside large private networks or routing domains.
Routing Information Protocol        RIP       Old-fashioned, basic IP routing protocol.

Transport layer
Transmission Control Protocol       TCP       Reliable, connection-oriented transport protocol.
User Datagram Protocol              UDP       Unreliable, connectionless transport protocol.

Application layer
File Transfer Protocol              FTP       Remote file access and transfer services.
HyperText Transfer Protocol         HTTP      Supports web access.
Network News Transport Protocol     NNTP      Supports internet newsgroup access.
Simple Mail Transfer Protocol       SMTP      Supports email delivery from sender to receiver.

Table 2-1: Protocols associated with TCP/IP Networking model layers.

Basic firewalls operate primarily at the Internet and Transport layers; more advanced firewalls cover these layers but also operate at the Application layer. The importance of these statements will be explained in detail throughout the rest of this class. In the next section you'll learn about IP addresses.

Understanding IP addresses
One of the most important functions of the Internet layer in the TCP/IP Networking Model relates to addressing. In general, IP addresses enable every system on the internet to be completely and uniquely identified. IP uses a three-part addressing scheme.

Symbolic names consist of internet domain names that take the form www.microsoft.com or ftp.hp.com. To be valid, any domain name must correspond to at least one numeric IP address. Domain names point to numeric IP addresses, mediated by the TCP/IP application service known as the DNS (Domain Name System), which translates from the symbolic to the numeric form.

A logical numeric (IP) address for IPv4 is usually expressed in dotted decimal notation -- a set of four numbers separated by dots, as in 10.6.120.78. Each of these four numbers must be less than 256, because each represents an eight-bit number. IP uses this kind of address to uniquely identify hosts and interfaces on the internet. Most people call eight-bit numbers bytes; TCP/IP experts prefer to call them octets, which means the same thing.

For physical numeric addresses, network interfaces are encoded with a six-byte numeric address as part of the manufacturing process. This is known as a MAC (Media Access Control) layer address. The first three bytes identify the manufacturer (the OUI, or Organizationally Unique Identifier), and the manufacturer assigns the remaining three bytes so that no two interfaces it ships carry the same value. In practice a MAC address can be overridden in software, so it should never be treated as proof of a device's identity. The rest of this class focuses on numeric IP addresses. Next, take a look inside an IP packet.

Identifying IP packets
Each protocol defines a set of rules for information exchange, as well as a set of formats for messages to take. Rules for IP packets define the overall shape of TCP/IP communications, because most messages ultimately occupy IP packets -- moving from sender to receiver. Learning the basic IP packet layout and initial fields (called header fields in TCP/IP lingo) will help you understand how TCP/IP behaves, and how firewalls operate.


IP packet layout
Figure 2-2 shows a map of an IP header, which contains the following named fields whose lengths are denoted by their sizes in that diagram.


Figure 2-2: A map of the IP header.

A brief description of each field:

IP Version: Identifies the version of IP in use. IPv4 is most common and shows up as a 4 in this field. IPv6 is the newest version and follows a different header layout.

Header Length: Specifies the length of the IP header in 32-bit words, that is, the length in bytes divided by four (every IPv4 header must be a multiple of four bytes long). The minimum value, 5, means a 20-byte header with no options; the maximum, 15, means 60 bytes.

ToS (Type of Service): Consists of two subfields. The first three bits define precedence, which routers can use to prioritize traffic. The actual ToS value occupies the next four bits and specifies general routing characteristics. See RFC 1349 for details; note that later standards (RFC 2474 and RFC 3168) redefined this byte as the DSCP and ECN fields.

Total Length: Specifies the length in bytes of the entire datagram, the header plus the data portion (called the payload), not including any link-layer padding (extra unused bytes added to meet a minimum frame size). The maximum is 65535 bytes.

Identification: An identifier shared by all fragments of one datagram, used to reassemble them if the packet must be broken into smaller pieces (fragmentation) en route from sender to receiver.

Flags: A three-bit field that controls or describes fragmentation. Bit 1 is reserved and always 0. Bit 2 is Don't Fragment: 0 means the packet may be fragmented, 1 means it must not be. Bit 3 is More Fragments: 0 identifies the last (or only) fragment, 1 means additional fragments follow.

Fragment Offset: If an IP packet must traverse a network segment that can't carry a packet as large as the original, it has to be chopped into smaller chunks, called fragments. The offset, measured in eight-byte units, tells the receiving IP software where this fragment's data belongs when it reassembles the original. Some clever network attacks use illegal or invalid offset values (fragments that overlap, or whose offset plus length exceeds the 65535-byte maximum) to confuse IP software; many firewalls do the math and deny packets with invalid values.

TTL (Time to Live): Denotes the remaining lifetime of an IP packet, counted in hops through routers; each router decrements it and discards the packet when it reaches zero. Typical starting values are 32, 64, and 128. This field makes sure IP packets can't circulate forever on the internet.

Protocol: Identifies what kind of protocol occupies the payload of the IP packet (for example, 1 for ICMP, 6 for TCP, 17 for UDP). Firewalls pay close attention to this value, using it to decide which packets to let through or to block all packets of a particular protocol type.

Header Checksum: Provides error detection over the header contents only; the payload is not covered.

Source IP Address: Contains the IP address of the packet's (putative) sender. Nothing in IPv4 authenticates this field, so it can be forged; even so, firewalls can use it in several ways to block traffic.

Destination IP Address: Contains the IP address of the packet's intended recipient (or recipients, for broadcast and multicast).

Options: Any of a variety of settings that provide additional routing data or controls, such as source routing. Seldom used except for testing and debugging, which is why many firewalls simply drop packets that carry options.

Essentially, a firewall can inspect key header fields quickly and block or permit transit of IP packets accordingly. A firewall is most likely to act on the Fragment Offset, Protocol, and Source IP Address fields when evaluating an IPv4 packet against its ruleset. The same kinds of controls are possible on Transport and Application layer headers, as you'll learn in the following section.
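The field-by-field description above is easiest to absorb with a parser in hand. The following Python is an added example, not code from the original course: it decodes an IPv4 header with the standard library, verifies the header checksum, and applies the fragment arithmetic a packet filter performs before admitting a fragment (the checks follow RFC 1858's recommendations for tiny and overlapping fragments). The two sample datagrams are constructed in the code, not captured traffic, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Parse an IPv4 header and apply the fragmentation sanity checks a packet filter makes."""
import struct
from dataclasses import dataclass


@dataclass
class IPv4Header:
    version: int
    ihl: int                # header length in 32-bit words (5..15)
    tos: int
    total_length: int       # header + payload, in bytes
    identification: int
    dont_fragment: bool
    more_fragments: bool
    fragment_offset: int    # position of this fragment's data, in bytes (field value * 8)
    ttl: int
    protocol: int           # 1 = ICMP, 6 = TCP, 17 = UDP
    checksum: int
    src: str
    dst: str
    options: bytes


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet: bytes) -> IPv4Header:
    """Decode the fixed 20-byte header plus any options; raise on malformed input."""
    if len(packet) < 20:
        raise ValueError("truncated header")
    (vihl, tos, total_length, ident, flags_frag, ttl, proto,
     csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = vihl >> 4, vihl & 0x0F
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 5 or len(packet) < ihl * 4:
        raise ValueError("bad header length")
    header = packet[:ihl * 4]
    if ones_complement_checksum(header) != 0:   # a valid header sums to zero
        raise ValueError("header checksum mismatch")
    flags = flags_frag >> 13
    if flags & 0b100:
        raise ValueError("reserved flag bit set")
    return IPv4Header(version, ihl, tos, total_length, ident,
                      bool(flags & 0b010), bool(flags & 0b001),
                      (flags_frag & 0x1FFF) * 8, ttl, proto, csum,
                      ".".join(map(str, src)), ".".join(map(str, dst)),
                      header[20:])


def fragment_verdict(h: IPv4Header) -> str:
    """Apply the offset arithmetic a firewall does before admitting a fragment."""
    payload_len = h.total_length - h.ihl * 4
    if payload_len < 0:
        return "deny: total length shorter than header"
    if h.dont_fragment and h.more_fragments:
        return "deny: DF and MF both set"
    if h.fragment_offset + payload_len > 65535:
        return "deny: reassembled datagram would exceed 65535 bytes"
    if h.more_fragments and payload_len % 8:
        return "deny: non-final fragment not a multiple of 8 bytes"
    if h.protocol == 6 and h.fragment_offset == 0 and h.more_fragments and payload_len < 20:
        return "deny: tiny first fragment hides the TCP header (RFC 1858)"
    if h.protocol == 6 and h.fragment_offset == 8:
        return "deny: offset 8 can overwrite TCP flags of the first fragment (RFC 1858)"
    return "accept"


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, *, ident: int = 0x1234,
               df: bool = False, mf: bool = False, offset: int = 0, ttl: int = 64) -> bytes:
    """Construct a datagram with a correct checksum (used here only to make sample input)."""
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (offset // 8)
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag, ttl, proto, 0, s, d)
    csum = ones_complement_checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


# Constructed samples: a normal TCP datagram with DF set, and a final fragment whose
# offset plus length overflows the 64 KiB datagram limit (the classic "ping of death" shape).
NORMAL = build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 20 + b"hello", df=True)
OVERFLOW = build_ipv4("192.0.2.10", "198.51.100.5", 6, b"\x00" * 40, offset=65512)

if __name__ == "__main__":
    for pkt in (NORMAL, OVERFLOW):
        h = parse_ipv4(pkt)
        print(h.src, "->", h.dst, "proto", h.protocol, "offset", h.fragment_offset, fragment_verdict(h))
```

A real filter would also hold fragments with the same Identification long enough to detect overlaps between them; the per-packet checks shown here are the ones that need no state.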

Defining Application layer protocols


If you examined the contents of traffic moving across the internet, you'd find a collection of TCP and UDP packets used to transport all kinds of data from senders to receivers. In a continuing chain of packets within packets, known as encapsulation, you'd find higher-layer application protocols related to services, such as email, file transfer, remote file system access, network news, and web access within those TCP and UDP packets. An example of a TCP packet is shown in Figure 2-3.

Figure 2-3: TCP header fields that firewalls typically inspect. An example of a UDP packet is shown in Figure 2-4.

Figure 2-4: UDP header fields that firewalls typically inspect.

Without going into too much detail, firewalls can glean and act on all kinds of useful information at the Transport layer (within the TCP and UDP header fields) and at the Application layer (within the headers of whichever of the hundreds of TCP/IP application protocols happens to be in use). However, the more headers a firewall must read, and the more kinds of information it must act on, the more slowly it works. Packets move across the internet at a furious rate; reading more deeply into them takes more time and requires more complex software. There's a tradeoff between speed and depth of inspection.

This explains why firewalls are more important at the edges of the internet infrastructure, where traffic rates are slower and there's more time to inspect such traffic (and where there are also more individual systems and networks that organizations or individuals need to protect).

On the internet backbone, traffic rates are orders of magnitude greater than at the edges. At those rates, highly specialized IP routers act on IP header contents, but they have no time to dig deeper into packet structures as packets race through. What kinds of information do firewalls look for at the Transport and Application layers? The following table summarizes the kinds of information that firewalls use to block or permit traffic across a network link.

Transport layer
  Source port: Identifies the application or process that sent the packet, for both UDP and TCP.
  Destination port: Identifies the application or process to which the packet is sent, for both UDP and TCP. When attempts to reach unwanted or unused ports occur, firewalls can block traffic based on the destination port number.
  TCP sequence number: Identifies the position of a segment's data within the byte stream of a connection. Used to reassemble incoming segments in order at the receiving end; it can also be manipulated in an attack (predictable initial sequence numbers, for instance, let an attacker inject segments into a connection or spoof one outright).
  TCP data offset: The length of the TCP header in 32-bit words. As with fragmented IP packets, firewalls can examine the values supplied in TCP segments to make sure the numbers add up properly and no deliberate attempt to confuse the receiving stack is underway.
  TCP flags: To establish a working connection, TCP goes through a deliberate three-step exchange (SYN, SYN-ACK, ACK) between the two computers. Numerous attacks start the sequence and then leave it hanging, or simply flood a recipient with initial SYN packets (a SYN flood). Most internet boundary devices, including routers and firewalls, look for and deny incoming packets that match such attack profiles.

Application layer
  Message type: Within most application protocols, messages are labeled as one type or another. Some firewalls look for patterns of incoming message types to identify and block potential attacks.
  Source domain name: Many Application layer protocols carry domain name data. This can be compared with the packet's source IP address by means of a reverse DNS lookup (translating an IP address into a domain name, rather than the other way round) to make sure both agree. Supplying a false source address or domain name is known as spoofing, and firewalls often perform such checks on incoming traffic. Keep in mind that reverse DNS records are controlled by whoever holds the address block, so a mismatch is a useful warning sign but a match proves little.
  Command content: Many TCP/IP application protocols use a sequence of request/reply messages to do their jobs. Some firewalls read the syntax of specific incoming application commands and can permit or deny them based on the potential impact of the requests being made. When this course was written, this was about as deep as sophisticated firewalls went; today's application-layer firewalls and intrusion prevention systems routinely inspect full payloads as well.

Table 2-2: Key packet contents of interest to firewalls at the Transport and Application layers.

Recognizing TCP and UDP port numbers


Port numbers are provided for senders and receivers of UDP and TCP packets, and identify the sending process where the traffic originated and the receiving process where it's destined to arrive. Port numbers are 16-bit integers that span values from 0 to 65535. They fall into three ranges:

Well-known port numbers (0 to 1023): Assigned to core TCP/IP services. These numbers generally identify specific well-known services, such as FTP (ports 20 and 21), telnet (port 23), SMTP (port 25), and so on.

Registered port numbers (1024 to 49151): Associated with specific industry applications or processes. For instance, port 1433, for both TCP and UDP, is registered to Microsoft's SQL (Structured Query Language) Server database service.

Dynamic port numbers (49152 to 65535): Used as temporary (ephemeral) source ports when a client opens a connection, then released for reuse when that connection ends.

A port number is a convention, not a guarantee: nothing stops a service from listening on any port, and attackers routinely run tools over port 80 or 443 precisely because those ports are usually left open. Port-based rules therefore express which services you intend to allow; confirming which protocol is really in use requires looking at the payload. To review a complete list of assigned port numbers and an expanded discussion of the three ranges just covered, visit the IANA (Internet Assigned Numbers Authority) Port Numbers website.

Summing up the firewall's job


The two-word phrase packet inspection describes a firewall's job as succinctly as possible. This activity covers many types of inspection that range from the IP packet level, to the UDP and TCP transport level, all the way into the headers of Application layer packets. Basically, firewalls examine this data to look for illegal, unwanted, or potentially dangerous patterns, and attempt to block all traffic that might indicate an attack is underway, or might be about to start.

Moving on
That's it for TCP/IP basics. In this lesson, you learned that for a firewall to do its job, it needs to examine the contents of the traffic that tries to pass through it. In Lesson 3, you'll learn about the inner workings of a firewall and the kinds of services a firewall most commonly performs. Before you move on, do the assignment and quiz. Also, visit the message board to find out what other students are up to and touch base with your instructor.

Assignment #2

Visit at least one of the following websites, and follow the related instructions. Read through the materials referenced to get a sense of how you might use these resources for future learning and research, or to answer specific questions about TCP/IP. IANA (Internet Assigned Numbers Authority) maintains the official list of assigned TCP and UDP port numbers. Visit and read the initial sections of the document entitled Port Numbers. You'll find this an invaluable reference any time you need information about TCP or UDP port numbers in the future. The IETF operates an indexed website for Internet RFCs. Use it to look up RFCs 1918, 3000, and 959. Which RFC governs private IP addressing? Which governs FTP? Which describes current standard protocols and BCPs (best current practices)? Use Google to locate the 3Com article titled Understanding IP Addressing (Hint: Type the title exactly as shown inside quotation marks in the search window). If you use the same search string, what does the TechWeb Encyclopedia say? What does this tell you? Now, visit your favorite search engine and look for introductory information about TCP/IP. (Hint: Search strings like TCP/IP tutorial, TCP/IP overview, or TCP/IP introduction work much better than just TCP/IP.)

Quiz #2
Question 1: What does TCP/IP stand for?
A) Transport Communication Protocol/Interwork Protocol
B) Transmission Communication Protocol/Interaction Protocol
C) Transmission Control Protocol/Internet Protocol
D) Transport Control Protocol/Internal Protocol

Question 2: True or False: TCP/IP is a protocol suite, not a protocol stack.
A) True
B) False

Question 3: Which of the following layers are named in the TCP/IP Networking model? (Check all that apply.)
A) Network Access layer
B) Data Link layer
C) Internet layer
D) Transport layer
E) Application layer

Question 4: Which of the following protocols are associated with the Transport layer? (Check all that apply.)
A) TCP
B) ARP
C) UDP
D) RIP
E) SMTP

Question 5: Which of the following header fields is a firewall most likely to act upon when evaluating an IPv4 packet against the firewall ruleset? (Check all that apply.)
A) Fragment Offset
B) Header Checksum
C) Options
D) Protocol
E) Source IP Address

Question 6: Which of the following ranges of port numbers corresponds to well-known port numbers?
A) 0 to 1023
B) 1024 to 2048
C) 2049 to 65534
D) More than 65535

Inside a firewall
This lesson covers how a firewall works and which features and functions are found in most firewalls. You'll see how firewalls use rules and filters and keep track of network activity, and how additional encryption software can provide added protection.

How a firewall works


Now that you understand the benefits of a firewall and the relationship between firewalls and TCP/IP, you're ready to learn how firewalls work. This lesson explains how firewalls block unwanted traffic while permitting other traffic through, based on the filters or rules you define for inbound or outbound packets. It also covers typical services and functions found in most firewalls above and beyond traffic inspection and filtering, including network address translation, application proxies, logging and monitoring services, plus content filtering and encryption services. The basics of firewall operation are simple: examine traffic and apply the relevant rules or filters to permit or deny its transit. However, firewalls operate differently at the various layers of the TCP/IP Networking model and include other functions as well. Here you'll have a chance to discover more about the relevant details involved.


Inspection leads to action


Let's jump back to the original description of a firewall: it sits between the internet or some other public network and a system or network that's under private control. Here's what happens when traffic passes through a firewall:


1. The firewall inspects the traffic and looks into the various packet headers (IP, TCP, or UDP) and perhaps even Application layer data, on a per-packet basis.
2. As it looks at specific header fields or other packet content, the firewall compares what it finds to the filters or rules you defined as part of its setup, or that come predefined as built-in defaults.
3. If an exclusionary rule or filter matches, the firewall blocks the traffic; if an inclusionary rule or filter matches, it permits the traffic to pass through.

When more than one rule could match the same packet, you must understand the order in which the firewall applies them to predict what it will do. Products differ: many (Linux iptables and Cisco access lists, for example) stop at the first matching rule, whereas others (OpenBSD pf, unless a rule is marked quick) let the last matching rule win. Check which convention your firewall follows before you order its rules. Next, you'll have a more detailed look at firewall filters and rules.

Exploring filters and rules


When configuring a firewall to do its job, a filter defines some specific pattern for which a firewall seeks a match. An exclusionary filter blocks traffic when a match occurs; an inclusionary filter permits traffic when a match occurs. Most security experts believe that the safest approach to handling traffic at a firewall starts with a single rule, "exclude everything," followed by specific inclusions only for traffic that actually should get through the firewall. To a large extent, filters and rules are two different ways of stating the same kind of information. However, a filter might be stated as follows when configuring a firewall:

Block port 80

An equivalent rule to block port 80 might be stated as:

If port=80 then deny

The difference is an action specified for a specific value, versus a conditional statement of the form "if pattern matches x, then take action y." The first approach represents a filter, the second a rule. For many firewalls, filters or rules work together to define a general rule that establishes a basic filtering posture, and then exceptions to that rule are stated to handle special cases. A pessimistic filter configuration might read something like this:

Block port all
Allow port 21, 22, 25, 80, 49152-65535

The first filter explicitly blocks all ports by default; the second then enables the well-known ports for FTP (21), SSH (22), SMTP (25), and web (80) services, plus the range reserved for temporary (dynamic) ports. Opening that dynamic range is a concession to stateless filtering, where replies to outbound connections must be admitted by a standing rule; a stateful firewall admits those replies from its connection table instead, and leaving 49152-65535 open exposes any service that happens to listen there. By contrast, an optimistic filter configuration might read something like this:

Allow port all
Deny port 23, 135-139

This set of filters permits all traffic through by default, and blocks only telnet and NetBIOS-related services. In reality, it's not a very effective security barrier because many other kinds of well-known attacks can still get through. When configuring a firewall, it's important to understand which services to let through and which well-known, registered port addresses should enter. These configuration settings are often already defined in a pessimistic mode for many low-level firewalls, so you can just state exceptions for settings you want or need. This is true for the built-in Windows Firewall that's installed and enabled by default in Windows XP Service Pack 2 and Windows Vista -- however, it's not true if you install and use a different firewall that knows how to tell the Windows Security Center controls to disable Windows Firewall.

Although it's not detrimental to a system to run two firewalls at the same time, it affords no additional protection and might slow network traffic down. Neither Microsoft nor third-party firewall vendors recommend leaving Windows Firewall enabled if you decide to install another firewall on your PC.
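The pessimistic and optimistic listings above only behave as described on a firewall where the last matching rule wins; on a first-match firewall the catch-all line would shadow every exception that follows it. The following Python is an added example, not code from the original course: it parses the two listings into rules and evaluates sample destination ports under both semantics, alongside the same pessimistic policy reordered for a first-match product. The Rule class, parse_filter and the sample port set are my own constructions.

```python
"""Toy destination-port filter showing how match semantics and rule order decide the outcome."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                         # "allow" or "deny"
    ports: Optional[Tuple[int, int]]    # inclusive destination-port range; None means any port

    def matches(self, dport: int) -> bool:
        return self.ports is None or self.ports[0] <= dport <= self.ports[1]


def parse_filter(text: str) -> List[Rule]:
    """Turn lines like 'Block port all' or 'Allow port 21, 22, 80, 49152-65535' into rules."""
    rules: List[Rule] = []
    for line in text.strip().splitlines():
        verb, _, spec = line.split(None, 2)
        action = "deny" if verb.lower() in ("block", "deny") else "allow"
        if spec.strip().lower() == "all":
            rules.append(Rule(action, None))
            continue
        for item in spec.split(","):
            lo, _, hi = item.strip().partition("-")
            rules.append(Rule(action, (int(lo), int(hi or lo))))
    return rules


def first_match(rules: List[Rule], dport: int, default: str = "deny") -> str:
    """iptables / Cisco ACL style: the first rule that matches decides."""
    for r in rules:
        if r.matches(dport):
            return r.action
    return default


def last_match(rules: List[Rule], dport: int, default: str = "deny") -> str:
    """pf style (rules without 'quick'): every rule is evaluated and the last match decides."""
    verdict = default
    for r in rules:
        if r.matches(dport):
            verdict = r.action
    return verdict


# The two listings from the text, verbatim apart from the thousands separators.
PESSIMISTIC = """
Block port all
Allow port 21, 22, 25, 80, 49152-65535
"""

OPTIMISTIC = """
Allow port all
Deny port 23, 135-139
"""

# The same pessimistic policy written for a first-match firewall: exceptions before the catch-all.
PESSIMISTIC_FIRST_MATCH = """
Allow port 21, 22, 25, 80, 49152-65535
Block port all
"""


def verdict_table(text: str, ports=(22, 23, 80, 139, 3389, 50000)) -> Dict[int, Tuple[str, str]]:
    """For each sample port, the (first-match, last-match) verdicts of a listing."""
    rules = parse_filter(text)
    return {p: (first_match(rules, p), last_match(rules, p)) for p in ports}


if __name__ == "__main__":
    for name, text in (("pessimistic", PESSIMISTIC), ("optimistic", OPTIMISTIC),
                       ("pessimistic, first-match order", PESSIMISTIC_FIRST_MATCH)):
        print(name, verdict_table(text))
```

Run it and the trap is visible in both directions: under first-match the pessimistic listing denies port 80 and the optimistic one still admits telnet, while the reordered listing, correct on a first-match firewall, denies everything on a last-match one.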

Understanding firewall interfaces


In most cases, firewalls arrive with a default configuration designed to offer outbound access to common services, such as file transfer, email, web access, and so on, and to block most other forms of outbound traffic. Likewise, the default configuration generally blocks inbound traffic, requiring you to make exceptions where this blocks access to services your users must see or use. Figure 3-1 shows a typical display of firewall filters, or rules, in the popular Zone Labs ZoneAlarm Pro firewall software. Programs and services appear in the Programs column, and the Access and Server columns display control settings for the client and server roles, respectively. ZoneAlarm Pro also offers controls over whether programs may send email.

Figure 3-1: ZoneAlarm Pro default filter settings.

The Trusted entry permits or denies local traffic that traverses the private side of the internet link; the Internet entry governs whether traffic is permitted to enter the private side of the network or system from the internet side. The following marks describe the related behavior:

Green checkmark: The program is permitted to send or receive the traffic.
Red X: The traffic is blocked.
Blue question mark: No explicit preference, so the firewall follows its defaults. This usually means it blocks the traffic or asks the user for permission before any activity takes place.

As shown in the first entry in Figure 3-1, this ZoneAlarm client is permitted to access web services locally and on the internet, indicated by checkmarks in the Access Trusted and Access Internet columns. Server requests are also accepted locally (a checkmark in Server Trusted), yet are questioned when they come from the internet (a question mark in the Server Internet column). The program is likewise questioned before being permitted to send email, as indicated by the question mark in the Send Mail column. Not all firewalls use such elegant visual displays to manage their behavior; however, all employ some method of stating equivalent filter or rule specifications.

Filtering packets
When it comes to understanding exactly what your firewall does while it's running, you must understand which rules or filters have been defined, and in what order, so you'll know how they'll be applied. For the set of filters described

in ZoneAlarm Pro in the preceding section, this translates into the following set of text filters:

Allow ZoneAlarm Client local client access
Allow ZoneAlarm Client Internet client access
Allow ZoneAlarm Client local server access
Question ZoneAlarm Client Internet server access
Question ZoneAlarm Client Send Mail access

In plain English, this set of filters means that the client can reach local or internet web servers and that local server traffic will be accepted. However, an attempt to connect to the ZoneAlarm Client from the internet, or a request that it send mail, is questioned and proceeds only if the user grants explicit permission: a message window opens stating that the ZoneAlarm Client is being accessed as a server or is trying to send email, and asks the user to click Allow or Deny.

In some cases, firewall rules or filters might be too restrictive. When this happens, certain services won't work. Even if you don't notice the situation yourself, other network users might report access problems soon after overly restrictive controls are put in place. Other rules or filters might apply at various levels, including outright permit or deny controls on protocols, services, and source addresses in IP headers; on port numbers in TCP or UDP headers (along with other TCP controls); and even on Application layer header values or anti-spoofing checks.

When traffic isn't permitted through a firewall -- and this applies equally to outbound and inbound traffic -- it is normally discarded silently (a drop) rather than answered with an ICMP unreachable or a TCP reset (a reject). Before senders learn that something isn't working and can take further action, they must wait for timeouts to expire, for acknowledgments that never arrive, or for other passive indications that their requests aren't getting through. This behavior is deliberate, because it:

Provides little or no information to rejected senders, which is the best strategy when dealing with attackers
Requires no additional action from the firewall; the fastest response to unwanted traffic is to ignore it completely, which costs no extra processing

On a trusted internal network a reject is sometimes preferred instead, so that misconfigured clients fail quickly rather than hanging until they time out.

Filtering content by domain name


If your company or organization has explicit policies about accessing inappropriate material, you can use a firewall to block outgoing requests for certain kinds of content. Often, this is handled at the domain name level so that requests for websites with questionable material can be scanned and routinely denied. Most often, this happens on the basis of pattern-matching specific domain names, or on substrings within such names, such as sex, porn, and so on. Likewise, it's common to see newsgroups in the alt.sex hierarchy blocked in many workplaces. At a deeper level, firewalls can examine the content inside Application layer data to look for and block questionable materials on the same basis. Content filtering programs, such as Resource Monitor, include large libraries of predefined filters that administrators can apply to computers or networks to prevent access to unwanted or questionable websites, newsgroups, and other online material. Some filtering software can also monitor user activity and report attempts to access materials, whether blocked or successful.

Most of the more popular do-it-all internet security suites offer software-only firewalls that include content filters with regular updates to predefined filter or block lists. This includes such well-known products as Norton Internet Security 2007 and McAfee Total Protection.

The firewall or filtering software monitors and manages traffic between the client making access requests and the service that might otherwise be able to handle such requests. Although it's not necessarily exactly the same as an application proxy, this kind of functionality otherwise works the same way and provides definite, explicit control over who's enabled to access what. (More on application proxies later.) For access to a wealth of information on this subject, and pointers to hundreds of related products and services, search for content filtering in your favorite search engine. In the following sections, you'll learn more about other functions that firewalls usually provide, above and beyond handling inbound or outbound network traffic. These functions are designed to extend a firewall's abilities to "get between" the private and public sides of an internet connection and to observe or obscure what's happening on the private side.

Understanding network address translation


IP addresses were originally divided into five classes: A, B, C, D, and E. (Classful addressing has since been superseded by CIDR, which allows networks of any size, but the class letters are still used informally.) Certain ranges within the former A, B, and C spaces are reserved for private use by RFC 1918 (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) and, not coincidentally, are called private IP addresses. You can use these addresses inside your network but not on the public internet, which eliminates the problem of duplicate addresses on the public side. By comparison, public IP addresses make up the rest of the unicast address space. They're unique addresses that can't be duplicated on the public internet. Private IP addresses can't legitimately appear as either source or destination addresses in IP packets on the public internet, because they can't be resolved to a single, unique public host or interface. Class D addresses are reserved for multicast communications and Class E for experimental use.

NAT (Network Address Translation) is a service that most firewalls provide. Basically, it removes the inside IP addresses from outgoing internet traffic and replaces them with the firewall's own public IP address, or with addresses that the firewall manages, and reverses the translation for the replies. This hides the addressing details of the private side of the network. Because private IP addresses are free and public IP addresses cost money, many SOHO users prefer to use private IP addresses on their internal networks.

A packet arriving on the public interface that carries a private source address is, by definition, spoofed or misrouted, because public routers should never deliver such addresses; a firewall should drop it outright (an anti-spoofing or bogon filter), and NAT makes the check easy because the firewall already knows which addresses belong inside. Note that the hiding NAT provides is a side effect, not a security boundary in itself: it is the accompanying rule that drops unsolicited inbound packets, for which no translation entry exists, that keeps internal hosts unreachable. Now that you've gotten an overview of NAT, the next section covers application proxies, which are another method of protecting an internal network from the threats of the public internet.
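The following Python is an added example, not code from the original course, showing the translation table at the heart of NAT together with the two checks that belong next to it: an inbound packet is only mapped back inside if a mapping exists and it comes from the peer that mapping was created for, and a private source address on the public side is refused as a bogon. The Nat class, its port allocation scheme and the sample packets are my own constructions; the addresses come from the RFC 5737 documentation ranges, except for the RFC 1918 private ones.

```python
"""Port address translation behind one public address, with the anti-spoofing checks beside it."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# RFC 1918 private ranges; nothing from these may legitimately arrive from the public side.
PRIVATE_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_private(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


# One translation entry: (inside ip, inside port, remote ip, remote port)
Conn = Tuple[str, int, str, int]


class Nat:
    def __init__(self, public_ip: str, first_port: int = 49152):
        self.public_ip = public_ip
        self.next_port = first_port            # public ports are handed out from the dynamic range
        self.out_map: Dict[Conn, int] = {}     # inside conversation -> public port
        self.in_map: Dict[int, Conn] = {}      # public port -> inside conversation
        self.dropped: List[str] = []           # reasons for packets the translator refused

    def outbound(self, p: Packet) -> Optional[Packet]:
        """Rewrite an inside host's source to the public address, allocating a port on first use."""
        if not is_private(p.src):
            self.dropped.append(f"outbound from non-private source {p.src}")
            return None
        conn = (p.src, p.sport, p.dst, p.dport)
        port = self.out_map.get(conn)
        if port is None:
            port = self.next_port
            self.next_port += 1
            self.out_map[conn] = port
            self.in_map[port] = conn
        return replace(p, src=self.public_ip, sport=port)

    def inbound(self, p: Packet) -> Optional[Packet]:
        """Map a reply back to the inside host; refuse anything spoofed or unsolicited."""
        if is_private(p.src):
            self.dropped.append(f"bogon: private source {p.src} on the public interface")
            return None
        conn = self.in_map.get(p.dport) if p.dst == self.public_ip else None
        if conn is None:
            self.dropped.append(f"no mapping for {p.dst}:{p.dport}")
            return None
        inside_ip, inside_port, remote_ip, remote_port = conn
        if (p.src, p.sport) != (remote_ip, remote_port):
            # Endpoint-restricted: only the peer we talked to may use this mapping.
            self.dropped.append(f"{p.src}:{p.sport} is not the peer of mapping {p.dport}")
            return None
        return replace(p, dst=inside_ip, dport=inside_port)


if __name__ == "__main__":
    # Constructed traffic: one web request from an inside host, then three inbound packets.
    nat = Nat("198.51.100.1")
    out = nat.outbound(Packet("192.168.1.20", 40000, "203.0.113.7", 80))
    print("outbound rewritten as", out)
    print("reply mapped to", nat.inbound(Packet("203.0.113.7", 80, "198.51.100.1", out.sport)))
    nat.inbound(Packet("198.51.100.9", 4444, "198.51.100.1", out.sport))   # someone else, same port
    nat.inbound(Packet("10.1.1.1", 80, "198.51.100.1", out.sport))         # spoofed private source
    nat.inbound(Packet("203.0.113.7", 80, "198.51.100.1", out.sport + 1))  # port nobody mapped
    print(*nat.dropped, sep="\n")
```

Real translators also expire idle entries and key them by protocol; what this keeps is the essential property that an inbound packet is admitted only because an inside host asked for it.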

Defining application proxies


An application proxy is also sometimes called a proxy server, because the application proxy acts on behalf of an inside, private client in making a connection to an outside, public application service. Here again, the principle of "getting in between" governs the firewall's behavior as it works as an application proxy. Instead of permitting a client to connect directly to an outside public server of some kind on the internet, an application proxy service forces that client to connect to the proxy server. Then, the proxy service establishes a connection between itself and the outside server to complete the application service connection on the client's behalf. All traffic that travels through the application proxy, and the firewall on which such software usually runs, can be inspected, because the proxy interrupts the flow of data between the client and the application server. This kind of service is essential for clients with private IP addresses: the application proxy prevents internal IP addresses from becoming public knowledge by replacing their actual addresses with its own address or another address under its control. Application proxies must be defined on a per-application basis. Given the ferocious pace at which new TCP/IP Application layer protocols are introduced, this helps explain why some clients might be frustrated when they seek to access application services for which no proxy is defined. In some cases, it might be necessary to "punch a hole" through the firewall, which means setting up an allow rule or filter that enables all traffic related to that application to pass unchecked through the firewall. However, the potential for attack or harm from such blanket exceptions varies from application to application.

If you permit certain TCP/IP applications to bypass proxy services, be sure you understand and can deal with the potential consequences of bypassing security controls.

Most firewalls -- software or hardware -- are updated regularly and automatically to add new proxy services as new applications become popular. By keeping your software up to date, you can avoid most requests or requirements to bypass proxy services. Now that you understand application proxy servers, read on to learn about stateful inspection.

Exploring stateful inspection


Some firewalls do more than apply rules or filters across the board to incoming or outgoing traffic. They use a technique called stateful inspection, also known as dynamic packet inspection, which operates at the Network layer. Recall that static packet filtering looks only at the information in a packet header, such as the source and destination address, protocol type, and so on. Stateful inspection, however, sets up a table to track each connection made through the firewall and applies checks to make sure all such connections are valid. This often involves examining packet contents up into the Transport layer (TCP or UDP) to see which kinds of services are in use, and even into the Application layer (FTP, SMTP, HTTP, and so on) to make sure that communications are valid, correct, and permitted. The statefulness that this technique supports comes from tracking ongoing communications between senders and receivers, and examining elements of those conversations to make sure they're expected and fit into the overall context for communication. This prevents a variety of possible attacks, such as:

Session hijacking, in which an outside party takes over an existing conversation between two authorized parties

DoS attacks, which attempt to crash TCP/IP by presenting invalid or nonsensical TCP segments

You'll learn more about security threats and attacks in Lesson 6.

The security benefit of tracking active conversations -- always knowing which TCP or UDP ports are in use -- is that the firewall can close all inactive ports until some valid connection to those ports is requested. This eliminates inactive ports from port scans, and effectively renders them invisible to attackers. Next, you'll learn about the concepts of logging and monitoring blocked traffic.
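To make the idea of a connection table concrete, here is a small stateful filter written for this lesson as an added example; it is not code from the course or from any firewall product. It keeps one entry per TCP conversation, lets only the inside network open a conversation (and only with a clean SYN), and admits inbound packets only when they fit the expected next step of a tracked handshake. The private and public addresses in the trace are constructed sample values, and the filter ignores timeouts, which a real firewall would use to age out idle entries.

```python
"""Toy stateful inspection filter (added example, not from the course).
Tracks TCP conversations opened from the inside and admits inbound packets
only when they belong to a known conversation in the expected state.
Addresses are constructed; entries are never aged out by time."""
from dataclasses import dataclass

INSIDE_PREFIX = "192.168.1."   # constructed private address range

# TCP flag bits, laid out as in the TCP header flag byte
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class StatefulFilter:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    @staticmethod
    def outbound(p):
        return p.src.startswith(INSIDE_PREFIX)

    def key(self, p):
        # Normalise both directions of a conversation to one table key
        if self.outbound(p):
            return (p.src, p.sport, p.dst, p.dport)
        return (p.dst, p.dport, p.src, p.sport)

    def decide(self, p):
        k = self.key(p)
        state = self.table.get(k)
        syn_only = bool(p.flags & SYN) and not p.flags & ACK

        if state is None:
            # Only the inside may open a conversation, and only with a clean SYN.
            # An unsolicited inbound packet matches no entry and is dropped
            # silently, which is what hides closed ports from a port scan.
            if self.outbound(p) and syn_only:
                self.table[k] = "SYN_SENT"
                return "ALLOW"
            return "DROP"

        if state == "SYN_SENT":
            # Waiting for the peer's SYN/ACK. A RST is the peer refusing, so it
            # passes and the entry is forgotten; anything else is out of sequence.
            if self.outbound(p):
                return "ALLOW" if p.flags & SYN else "DROP"   # retransmitted SYN
            if p.flags & RST:
                del self.table[k]
                return "ALLOW"
            if p.flags & SYN and p.flags & ACK:
                self.table[k] = "SYN_RECV"
                return "ALLOW"
            return "DROP"

        # SYN_RECV, ESTABLISHED or CLOSING: traffic in either direction belongs
        # to a known conversation, but a fresh SYN on the same tuple does not.
        if syn_only:
            return "DROP"
        if p.flags & RST:
            del self.table[k]
        elif p.flags & FIN:
            self.table[k] = "CLOSING"
        elif state == "SYN_RECV" and self.outbound(p) and p.flags & ACK:
            self.table[k] = "ESTABLISHED"
        return "ALLOW"

    def tracked_inside_ports(self):
        """Inside ports currently open in the table; everything else is closed."""
        return {k[1] for k in self.table}


def run_trace():
    """Constructed packet sequence: one web session plus two stray probes."""
    fw = StatefulFilter()
    inside, web, stray = "192.168.1.10", "203.0.113.5", "198.51.100.9"
    trace = [
        Packet(inside, 40000, web, 80, SYN),          # inside opens a connection
        Packet(web, 80, inside, 40000, SYN | ACK),    # server answers
        Packet(inside, 40000, web, 80, ACK),          # handshake complete
        Packet(web, 80, inside, 40000, ACK),          # server sends data
        Packet(stray, 1034, inside, 40000, SYN),      # unsolicited inbound probe
        Packet(stray, 80, inside, 40000, ACK),        # stray ACK, no handshake behind it
        Packet(inside, 40000, web, 80, FIN | ACK),    # inside starts closing
        Packet(web, 80, inside, 40000, FIN | ACK),    # server closes too
        Packet(web, 80, inside, 40000, RST),          # server tears the entry down
        Packet(web, 80, inside, 40000, ACK),          # late packet after teardown
    ]
    decisions = [fw.decide(p) for p in trace]
    return decisions, fw.tracked_inside_ports()


if __name__ == "__main__":
    print(run_trace())
```

The two stray packets in the trace are the interesting ones: a static filter that allows "any packet to port 40000" would pass both, but the stateful table drops them because neither belongs to a conversation the inside started, and after the RST even the genuine server's late ACK is dropped because the port is closed again.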

Logging and monitoring


As they do their jobs, firewalls routinely block all kinds of traffic. When such traffic is blocked, it produces no discernible effect and requires no additional activity on the firewall's part. However, knowing which traffic has been blocked is particularly important because it can indicate that an attack is underway. Nearly all firewalls routinely write information about blocked traffic, or about potentially dangerous traffic patterns they have observed, to a special file under their control. This activity is called logging, and the resulting data is called a log. It's a record of the actions that a firewall takes -- mostly, blocking incoming public traffic -- as it applies its collection of rules and filters to the network traffic it handles. This log file is a silent witness of what's going on, and it grows in size while the firewall keeps chugging away in the background.

Some activities or events might be judged unusual enough to warrant immediate human inspection or intervention. When certain traffic patterns are detected or suspected, a firewall can send an urgent message -- usually known as an alarm or alert -- to a specific email address or mobile phone number, or open a message window on the screen of the computer on which the firewall software is running. Many firewalls include links to public web pages where this information is described in plain terms, with simple, clear-cut instructions on what to do next. For example, a well-known open source protocol analyzer called dsniff is often used to scan networks prior to an attack. Such a scan results in an entry in a firewall log file, such as:

FWROUTE,2002/03/07,20:31:44 -6:00 GMT,172.16.1.1:1034,24.93.35.32:53,UDP

This entry can indicate that somebody has been sniffing your internet connection to see what he or she can learn about your system or network. A quick web search for FWROUTE provides useful information about individual log file entries, as well as instructions on what to do. (Nothing, in this case, because the traffic was blocked and no other blocked traffic from the sender at 24.93.35.32 occurred at or around the same time.)

The concept of firewall monitoring applies to network administrators: examine your firewall logs regularly to see what kinds of items they contain. Keep up with new software updates, patches, and fixes -- and install them on a timely basis -- if your firewall doesn't handle updates automatically. Finally, stay current with security information so you'll know when your system or network might be attacked, and what to do if and when such an attack occurs. Lesson 6 covers system and network security in more detail.
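The judgement above ("nothing to do, because no other blocked traffic from that sender arrived around the same time") is exactly the check that regular log monitoring should automate. The script below is an added example for this lesson, not the course's or any vendor's code: it parses entries in the comma-separated shape of the line shown above and reports remote addresses that were blocked several times within a short window, along with how many different local ports they touched. Only the first sample line is the entry quoted in the lesson; the others are constructed. The script assumes that the fourth field is the local endpoint and the fifth the remote peer, as the commentary treats 24.93.35.32 as the sender; that mapping is an assumption, not something the page states.

```python
"""Parse firewall log entries of the form shown in the lesson and flag remote
addresses that were blocked repeatedly within a short window.
Added example, not from the course. Field meaning (local, then remote) is an
assumption; all sample lines after the first are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# First line is the entry quoted in the lesson; the rest are constructed.
SAMPLE_LOG = """\
FWROUTE,2002/03/07,20:31:44 -6:00 GMT,172.16.1.1:1034,24.93.35.32:53,UDP
FWROUTE,2002/03/07,20:40:02 -6:00 GMT,172.16.1.1:21,198.51.100.7:4411,TCP
FWROUTE,2002/03/07,20:40:03 -6:00 GMT,172.16.1.1:22,198.51.100.7:4412,TCP
FWROUTE,2002/03/07,20:40:03 -6:00 GMT,172.16.1.1:23,198.51.100.7:4413,TCP
FWROUTE,2002/03/07,20:40:05 -6:00 GMT,172.16.1.1:80,198.51.100.7:4414,TCP
FWROUTE,2002/03/07,21:15:30 -6:00 GMT,172.16.1.1:1035,24.93.35.32:53,UDP
not a log line
"""


@dataclass(frozen=True)
class Entry:
    rule: str
    when: datetime
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    proto: str


def _parse_offset(text):
    # "-6:00" -> a fixed-offset timezone six hours behind UTC
    sign = -1 if text.startswith("-") else 1
    hours, minutes = text.lstrip("+-").split(":")
    return timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))


def parse_entry(line):
    """Return an Entry, or None when the line is not in the expected shape."""
    fields = line.strip().split(",")
    if len(fields) != 6:
        return None
    rule, date, time_tz, local, remote, proto = fields
    try:
        clock, offset, _zone = time_tz.split(" ")
        when = datetime.strptime(f"{date} {clock}", "%Y/%m/%d %H:%M:%S")
        when = when.replace(tzinfo=_parse_offset(offset))
        lip, lport = local.rsplit(":", 1)
        rip, rport = remote.rsplit(":", 1)
        return Entry(rule, when, lip, int(lport), rip, int(rport), proto.upper())
    except ValueError:
        return None   # malformed line: skip rather than crash the monitor


def parse_log(text):
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def repeat_blocks(entries, window=timedelta(minutes=5), threshold=3):
    """Remote addresses blocked at least `threshold` times within `window`.
    Returns {remote_ip: (blocked_count, distinct_local_ports)} for the largest
    burst seen; many ports in a few seconds is the signature of a port scan."""
    by_remote = defaultdict(list)
    for e in entries:
        by_remote[e.remote_ip].append(e)
    flagged = {}
    for ip, items in by_remote.items():
        items.sort(key=lambda e: e.when)
        start = 0
        for end in range(len(items)):
            # sliding window over the time-sorted entries for this address
            while items[end].when - items[start].when > window:
                start += 1
            burst = items[start:end + 1]
            if len(burst) >= threshold:
                flagged[ip] = (len(burst), len({e.local_port for e in burst}))
    return flagged


if __name__ == "__main__":
    for ip, (count, ports) in repeat_blocks(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {count} blocked packets against {ports} local ports")
```

With the sample data, the lesson's own entry is not flagged (one further block from the same address arrives 44 minutes later, well outside the window), while the constructed burst against ports 21, 22, 23 and 80 within three seconds is, which is the kind of pattern worth an alert rather than a routine log line.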

The final section in this lesson covers encryption, an important part of security and protection for private networks.

Understanding encryption
Many higher-level firewalls provide a built-in encryption feature that converts clear text data into encrypted text, making it unreadable. The encryption process also generates a "key," which the receiver needs to decrypt the data and make it readable again. Figure 3-2 illustrates a simple example of clear and encrypted text.


Figure 3-2: Example of clear text and encrypted text.

When users seek to access an internal network remotely, they can use the internet to establish a remote connection that lets them interact with network resources as if they were locally attached. To do so securely, administrators must set up secure connections that enable the outside user to access the internal network.


VPN
A technology known as a VPN (virtual private network) enables users to send and receive traffic across the internet without exposing the contents of that traffic in the public internet. VPNs achieve this goal by interposing a virtual network interface -- literally as part of the TCP/IP stack -- on both sides of such a connection. Part of what this virtual interface does is to encrypt, and thereby obscure, the contents of all traffic sent from one end of the VPN to the other. Because the network side of such connections generally occurs through a firewall, VPN software is often run on the firewall.

IPSec
A related technology shows that TCP/IP itself isn't standing still, either. Despite its original, optimistic security model, numerous TCP/IP protocols and services have since been introduced to improve on that model. One such protocol is known as IPsec (IP Security). When connections between a user and a network need protection, a user can run IPsec in so-called tunnel mode, which works much like a VPN: it obscures only the public part of the transmission chain, encrypting traffic as it travels over public internet links. IPsec isn't limited to that use, however; it can also secure a link end to end, encrypting and obscuring traffic all the way from the sender to the receiver.

Moving on
In this lesson, you learned that a firewall offers more than filters and rules to allow or deny packets in transit; it also supports application proxies, address translation services, logging and monitoring, content filtering, and even encryption services. In Lesson 4, you'll explore hardware- and software-based firewalls, and the need to establish a secure foundation for the deployment of software-based firewalls. Before you move on, do the assignment and quiz. Also, visit the message board to find out what other students are up to and touch base with your instructor.

Assignment #3
Visit one or more of the following websites and follow the related instructions. Read through the resulting materials to find out how you might use these resources for future learning and research, or to answer questions about specific functions or operational characteristics of firewalls:

1. Look up application proxy at Webopedia, and then look up and define stateful inspection.

2. Laura Chappell is a renowned TCP/IP protocol analysis expert and has written an article that describes basic packet filtering techniques as they apply to a special-purpose software program called a protocol analyzer. The same kinds of rules and structure also apply to filtering packets at a firewall, although a firewall's filtering abilities aren't usually as powerful or general as a protocol analyzer's. In this article, pay special attention to address filters and protocol filters. They represent core functionality for firewalls, because that data is accessible in IP packet headers, as well as in higher-layer protocol headers.

3. (Optional) CERT (Computer Emergency Response Team) is a global security resource group that works out of Carnegie Mellon University in Pittsburgh, Pennsylvania. Browse its website for specific information about the inner workings of firewalls and the benefits they provide.

Quiz #3
Question 1: When firewalls filter domain names, at which layer of the TCP/IP Networking model is this most likely to occur?
A) Network Access layer
B) Internet layer
C) Transport layer
D) Application layer

Question 2: Filtering content normally applies to which kind of information access?
A) Requests to access resources on the private network
B) Delivery of private services to public consumers
C) Requests to access resources on the public internet
D) Delivery of private content to public consumers

Question 3: True or False: NAT removes the inside IP addresses from outgoing internet traffic and replaces them with the firewall's own public IP address, or addresses the firewall manages.
A) True
B) False

Question 4: Which term describes the process of recording a firewall's actions?
A) Translating
B) Auditing
C) Filtering
D) Logging

Question 5: Which of the following protocols or services use encryption to ensure privacy in communications? (Check all that apply.)
A) IPsec
B) TCP
C) FTP
D) VPNs

Hardware firewalls, software firewalls and secure hosts


Not all firewalls are created equal. In this lesson, you'll learn about different kinds of firewalls, and the pros and cons of each. You'll also learn about what's involved in securing a network host, and keeping it as secure as possible thereafter.

Learning more about hardware firewalls


In Lesson 1, you learned that you can implement firewalls using hardware or software solutions. To recap, a hardware firewall is most often a software firewall that comes prepackaged inside some particular hardware implementation, such as a computer system, an intelligent router, or some kind of network/internet access device. This lesson explores both hardware and software firewalls, and how to establish a secure foundation upon which to deploy the software variety. This first section focuses on hardware firewall solutions.


Looking inside hardware firewalls


A hardware firewall is a device you attach to the internet on one side and to an internal, private network on the other side. To deploy a hardware firewall, you need to install it on your boundary network connection (such as an incoming T1 line or cable or DSL connection), and then customize its filters or rules to meet your needs and situation.

The same software you can purchase and install as a software firewall is often found pre-installed on hardware-based firewalls. For example, the well-known software firewall product Firewall-1 from Check Point Software comes installed on a variety of hardware firewall products. In some cases, a hardware device with firewall capabilities might include other functions as well, such as a cable modem or DSL interface, a multiport switch, DHCP services, DNS proxy, and more. In such cases, these devices might be called internet appliances or security appliances because they provide everything needed to attach one or more computers safely to the internet in a single box. An example of this type of firewall product is the Cisco PIX security appliance.

There are a few hardware firewalls whose software component is burned into an ASIC (Application-Specific Integrated Circuit) chip. Such true hardware firewalls offer the benefit of increased speed and are completely impervious to core system alterations because the software is burned into the CPU (central processing unit). The content filter rules for an ASIC-based firewall are usually stored on removable media that the firewall treats as a read-only source, such as a CD-ROM or flash memory card. To upgrade a true hardware firewall, you must replace the ASIC chip. This is the stumbling block for widespread deployment and adoption of true hardware firewalls.

Typical hardware firewalls, which employ a customized computer with a preinstalled, specially hardened operating system and firewall product, are popular solutions. Often called standalone firewalls or firewalls-in-a-box, they enable network administrators to quickly deploy a firewall using technology that's intentionally different from what's used throughout their networks. For example, for networks composed primarily of Windows systems, deploying a hardware firewall based on a Linux, Unix, or Macintosh operating system adds another dimension of protection to that network. Attackers need to compromise and bypass the firewall first, and then switch tactics when attempting to infiltrate the actual network. Using a different operating system to protect the most commonly used operating system within a network is enough of a deterrent to foil many would-be intruders. Very few crackers are skilled at infiltrating more than one operating system. Using that to your advantage is smart security.

Identifying the advantages of hardware firewalls


Hardware firewalls are generally faster than software firewalls. Whereas network administrators might install software firewalls on whatever computer(s) they have available, hardware firewalls are tuned to operate efficiently and are dedicated to a single function -- namely filtering of traffic and content. Hardware firewalls are also faster to set up than software firewalls, primarily because the software portion of the firewall is already pre-installed on such products. However, that aspect is insignificant. The security that a firewall offers should be the driving reason you select any particular firewall, not the length of time required to install it. In the grand scheme of protecting your network, a few extra hours spent installing a security solution is well worth the effort if it succeeds at thwarting an attack.

Whether you're working with a hardware or a software firewall, it'll take some time to fully configure that product as well as to implement and test content and traffic filters.

Generally, fewer compatibility issues occur with hardware firewalls than with software firewalls. The pre-installed software found in firewall-in-a-box solutions is tested for compatibility with the hardware components within the host system. By comparison, software firewalls require system administrators to match their intended host's operating system and hardware components with the system requirements of the firewall software. This is often done through a process involving trial and error, along with online research to determine the cause of errors and appropriate solutions.

Identifying the disadvantages of hardware firewalls


Hardware firewalls do have some drawbacks. If a hardware firewall fails, you might have to replace the whole device. Hardware firewalls generally offer few troubleshooting controls and corrective measures. Most of the components in a hardware firewall are proprietary; often, just opening the case can void your warranty. In addition, when you experience a problem with a hardware firewall that you can't quickly resolve via technical support emails or phone calls, a reboot, or some quick alteration to its startup parameters, you usually must ship the device to the vendor for repair or replacement. This might leave your network unprotected in the interim. Many internet appliances cost under $150, which is a reasonable enough price to merit maintaining spares to avoid downtime. Ask your vendor if it can cross-ship a loaner to provide a temporary replacement for your inbound unit.

Another limitation of some hardware firewalls is a design that prevents you from installing component upgrades. Here again, if you own one of these devices, you'll have to ship the device to the manufacturer for upgrades or obtain a new model as a replacement. Many such appliances, however, include built-in firmware upgrade utilities, enabling you to easily download and update the software and parameters that enable a hardware firewall to do its job.

Finally, it's important to recognize that for the same level of functionality, a hardware firewall often costs more than a software-only firewall, because of the costs of the extra hardware involved. Regardless, you can purchase a hardware firewall with dual WAN ports, a built-in four-port Gigabit Ethernet switch, and various IP service capabilities (DHCP, NAT, and various proxies, including DNS) for under $150. Next up, you'll get a better understanding of software firewalls.

Understanding software firewalls


A software firewall is, in concept, no different from any other network service that you install on a computer system. In this form, a firewall is a program that runs on a computer connected to the internet, which might also be attached to an intranet (an internal, private network). The firewall software grabs all incoming traffic and inspects it to decide whether to allow that traffic to enter the computer on which it's running, or to pass it on to the internal network. The vast majority of software firewalls inspect outbound traffic as well, in part to impose access controls on content, and in part to look for evidence that one or more systems on the internal network have been compromised and need immediate attention and possible repair.


Software firewall pros and cons


The benefits of a software firewall include a broad range of options. There are significantly more software firewall products than there are hardware firewall products. This enables you to compare and contrast many choices to meet your specific needs. Another benefit of software firewalls is that you supply the hardware and the operating system. This means you can upgrade and improve the capabilities of the host computer without involving the firewall vendor. However, this aspect of software firewalls also has a downside: You must make sure that the host meets minimum system requirements for the firewall product. Software firewalls generally require more computing horsepower to manage high traffic volumes properly at a reasonable level of performance as compared to equivalent hardware firewalls. Finally, just like hardware firewalls, software firewalls can offer additional services or capabilities, including proxying, NAT, and application gateway services.

Software firewall best practices


On networks of any size, it's important to dedicate any software firewall host as a single-purpose system, because installing other services or applications on a firewall host reduces whatever security the firewall can offer. Always remember that a software firewall is only as secure as the host system that supports it. If the host has hardware or software vulnerabilities, limitations, or flaws, the firewall itself might also be vulnerable to failure, downtime, or attack. If an attacker can make your host operating system freeze or obtain unrestricted system access, that attacker can render your firewall useless. It's of utmost importance that the host for a firewall be maintained vigilantly. Perform these tasks:

Immediately replace defective hardware or hardware near its MTBF (mean time between failures)

Patch all known security holes or vulnerabilities

Use any means to make the host as secure and hardened as possible, such as locking it in a secure server room

Many operating systems can serve as a host platform for a software firewall. However, when you need to protect a network, select an operating system that offers reliable security -- Windows Server 2003 or 2008, Windows Vista Business, Windows XP Professional, and the latest Linux distributions or Unix packages. Otherwise, the host's security foundation won't be strong enough to support the protection that the firewall can offer.

Mac OS X is actually Unix-based, so it benefits from native security features present in Unix.

If you need a firewall just to protect a single system, you need a personal firewall. A personal firewall is a firewall product designed to protect the system on which it's installed. Personal firewall products are available for most client, desktop, workstation, or standalone operating systems. Many security experts recommend that all computers be outfitted with personal firewalls, in addition to erecting separate firewalls at network boundaries between the "inside" and the internet. Next, learn techniques and best practices for establishing a secure host system for software firewalls.

Establishing a secure host system for software firewalls


When deploying a software firewall, you must use a secure and reliable host system to support it. There are a variety of steps you need to complete before you actually install firewall software to ensure your system is as secure as possible. These are explained in the following sections.

Procuring the right hardware


The first step in establishing a secure host system is to meet minimum system requirements for the firewall product you plan to deploy. This includes hardware components, such as CPU, RAM (random access memory), hard disk space, and network interface throughput, as well as the operating system software. Whenever possible, install as much high-speed, high-capacity hardware on the host as your budget permits. Software firewalls require significant computing power, so it's better to build in more than you need so you won't constrict yourself with underperforming systems that can hinder productivity.

Installing and patching the software


After you have the right hardware, install the operating system and any applicable upgrades, updates, patches, fixes, and so on to establish the most secure and up-to-date system possible. Then, remove anything from the operating system or the firewall product that's not essential for proper functioning. In other words, if it's not a core component or an essential service, remove it, uninstall it, or disable it. The less unnecessary code running on a host, the fewer vulnerabilities it exposes, and the more processing power that remains available for firewall processing.

Creating an installation log


It's common to deploy multiple instances of the same firewall, especially in large organizations. For this reason, it's important to document your installation procedure so you or others can repeat it successfully and consistently. The best way to document your installation is to create a log for each host. Here are some worthwhile items to include:

A complete inventory of all hardware components

The name and version of the operating system and any installed or applied upgrades, updates, patches, fixes, and so on

The details on all driver versions for all hardware components

A list of all removed, uninstalled, or disabled applications or services, with step-by-step procedures for performing each operation

As you make changes to any host, no matter how insignificant, add those details to its log. This log should contain all firewall configuration settings, content filter rules, troubleshooting steps, and so forth. It should also be detailed enough that another person can use it as a guide to deploy an exact duplicate firewall system. You'll also find this log extremely helpful when troubleshooting problems.

Securing the host system


After you create the installation log, lock down the host system. This means securing your computer from a software perspective so it's as impervious to hacking as is humanly or digitally possible.

The steps you follow to lock down a host system differ from operating system to operating system, and are usually detailed in a security baseline checklist. Visit the operating system manufacturer's website to get a copy of the checklist for your version of the software, or query your favorite search engine for "security baseline checklist <operating system>", where <operating system> is the name and version of the operating system your firewall uses. If you look up subjects related to hardening the system or hardening the operating system, you'll also find a lot of useful and relevant information.

Installing and testing your firewall software


Install and perform initial configuration of the firewall product. This, too, means visiting the vendor's website and downloading and installing patches and fixes for the firewall software just as you did for the underlying operating system. After it's installed and functioning, and has been completely updated, perform a complete system backup. Periodically back up this system, especially after making any significant system changes, such as applying updates or major configuration alterations. Remember, every time you change the firewall software, record it in the host or firewall log. Finally, perform a security scan from outside your firewall to verify it's working properly. A good security scanning product is ShieldsUP! from Gibson Research. Also check the free security audits available at SecuritySpace.com.

Moving on
In this lesson, you learned to implement firewalls as hardware-based solutions or as software products deployed onto existing hardware. You also learned that maintaining the security of the host system is essential to the effectiveness of any firewall. In Lesson 5, you'll explore the need for a security policy to guide and focus development and implementation of a firewall. Before you move on, complete the assignment and take the quiz for this lesson. At any time, stop by the message board to post comments and questions, or just join the discussion on firewalls with your classmates.

Assignment #4
For this assignment, you'll research firewall products to learn which features they offer, which hardware and software they require, and how much they cost. In addition, read reputable and reliable product reviews to learn about common installation and administration problems with software and hardware firewalls. To start your research:

1. Visit CNET's Firewall Software website to browse their store and read reviews of hardware and software firewall products.

2. Go to NetworkWorld.com and browse the firewall offers in the Buyer's Guide section of the website.

Quiz #4
Question 1: True or False: The same product that's available as a software firewall can sometimes be found as a preinstalled product on a hardware firewall.
A) True
B) False

Question 2: What's the primary drawback to some hardware firewalls?
A) They often include other functions, such as a cable modem.
B) They're nearly impervious to tampering.
C) Upgrading the device might require returning it to the vendor.
D) They offer faster performance than many software firewalls.

Question 3: What's the most important factor in maintaining overall security when deploying a software firewall?
A) Scanning for viruses
B) Documenting the installation process
C) Lots of additional RAM
D) Securing the host system

Question 4: What's the best method of testing a firewall to ensure it's working properly?
A) Ask a neighborhood cracker to attack your system.
B) Keep your system patched and updated.
C) Test your system with an external security scan.
D) Monitor system logs regularly to look for signs of trouble.

Firewalls need security policies


A security policy is a special type of document that describes what resources must be secured and who may use secured resources under what conditions. In this lesson, you'll learn about security policy and how it helps control traffic on your network.

Defining your security policy

Welcome back. In previous lessons, you learned about hardware and software firewalls and how they work. This lesson discusses the ins and outs of a firewall-specific security policy. Such a policy clearly and deliberately defines the need for firewalls within an organization. It also provides direction and instruction on why and how to deploy firewalls and how to configure them to meet organizational security policy requirements.

Looking inside a security policy


A security policy is a general statement of the business rules that define or dictate the goals and purposes of security within an organization. Security policies provide the foundation for a formalized security structure, as shown in Figure 5-1.

Figure 5-1: The formalized security structure.

When you start with a solid security policy, you can easily add other elements to create a formalized security structure, such as standards, guidelines, and procedures. Each of these types of documents plays a role in the design and deployment of security within an organization. Security policies are strategic documents. They define the overall purpose and direction for security. The other documents mentioned -- standards, guidelines, and procedures -- are tactical because they define the steps necessary to achieve or realize an organization's security goals.

Recognizing security policy types and categories


There are three types of security policies:

Organizational: Generally apply to an entire organization or a significant department or division. Consider these "blanket" or "general" security policy descriptions.

Issue specific: Focus on some particular issue, service, or problem, to address specific topics in specific ways.

System specific: Focus on hardware and software security on a per-system basis, to describe and prescribe appropriate security regimes.

Security policies can also be sorted into one of three categories:

Regulatory: Ensure that an organization complies with all applicable regulations and laws regarding its specific industry or business activity. Regulatory policies are compulsory.

Advisory: Define acceptable behaviors and activities. Advisory policies offer strong advice that can be enforced by defining consequences for noncompliance. Though not compulsory, such policies are usually followed anyway because of the adverse consequences of failure to comply.

Informative: Discuss an organization's goals and objectives. Informative policies are suggestions and can't be legally enforced. Enforcement should be driven by an assessment of whether the costs and risks involved in noncompliance are much less than the costs of implementing and monitoring the policy.

Security policy categories usually apply to specific businesses; depending on your industry, no policies might apply or there might be many policies that you must follow. Look to industry organizations for insight into already defined regulatory, advisory, and informative policies that should be considered for or included within your organization's own security policy. An overall security policy is a collection or library of many types of specific policies. Update each component policy on an as-needed basis to keep the overall "living" security policy current.

Figure 5-2: A security policy library.

Defining firewall security policies


A firewall security policy can be an organizational or an issue-specific policy. At best, it's an advisory policy, because no industry regulates exact configurations for firewalls. In addition, a firewall security policy can't exist in a vacuum. It must be accompanied by an overall organization-wide security policy that establishes goals related to maintaining physical security, staff training and awareness, and system-specific security controls. Finally, a firewall security policy is an important element in the overall security solution for any organization. The next section gives you tips for creating an overall security policy.

Creating your overall security policy


The best way to develop any policy is to work from a template or an example policy. Many organizations specialize in policy development or overall security issues. The SANS (SysAdmin, Audit, Network, Security) Institute operates a Security Policy Project that offers numerous templates and examples of security policies. It doesn't offer a firewall security policy per se; however, you can use the sample Internet DMZ Equipment Policy, Router Security Policy, and Server Security Policy documents to create a firewall security policy of your own. Each of these individual policies represents an excellent example of a security policy that can help you define the goals, purpose, and objectives of the firewalls within your organization. The SANS policy resources are offered at no cost to the IT security community. You can access these templates and any of the other policy resources directly from the SANS website.

Even if you own or work in a very small business, review these sample documents so you know which issues to address. Although you might decide not to implement formal processes and procedures, you should still evaluate how you want to regulate traffic using your firewall.

To build your own firewall security policy, start with a template or example policy and customize it to fit your organization's security needs. Although each organization's policy is unique, most security policies address common elements, such as:

Purpose: A clear statement of the reason(s) the security policy exists. For example: This document discusses the security configuration baseline with which all firewalls deployed at XYZ Corp should comply.

Scope: Identifies which sections, divisions, or departments of an organization are subject to the policy. The scope can also define or indicate those sections that are exempt from the policy. For example: This document applies to all departments of XYZ Corp. The extranet department and the R&D department are exempt from this document if their department-specific policy defines a contradictory requirement.

Policy: Clearly defines which requirements, conditions, configurations, standards, and so on must be followed or implemented. Items in this section of the policy might:
- Specify what kind of authentication is required to make configuration changes
- Require logging of all traffic
- Specify the conditions under which you can enable VPN (virtual private network) connections
- Specify which internet services are permitted to transit the firewall
- Describe what inbound content will be filtered or blocked

Responsibilities: Identifies the individual or group responsible for implementing policy conditions. This section might also define implementation restrictions, checks and balances, and audit reviews.

Enforcement: Discusses the consequences of violating the policy. Often, security policy violations can result in termination of employment, official censure, loss of pay or privileges, and so on.

Definitions: Defines terms and acronyms to ensure that everyone reading the policy understands what's discussed.

Revision History: Documents and dates all changes to the firewall policy after its initial creation and deployment. This essential part of any policy ensures that only the latest and most up-to-date version is followed.

A security policy, even for a specific issue or area, such as firewalls, can become a complex and detailed document. It's important to expend sufficient time and effort to research and develop any security policy.

Statistics show that most security breaches aren't a result of deficiencies in hardware or lax software security controls. They often arise from blatant oversights or errors in related security policy documents. Poor policy decisions and inept operational procedures can render even the most reliable and capable security controls ineffective.

The next section explores policies dictating appropriate internet access, such as web, FTP, electronic chatting, messaging, news, and more.

Creating an internet access policy


Within a firewall security policy or the overall security policy for an organization, you must address several issues. These deal primarily with an internal user's ability to access internet-based resources and services. Many users automatically assume that if they have a computer connected to a network, they also have total, unfettered internet access. Unfortunately, the state of the world as well as the insecurities and threats in cyberspace make completely unrestricted access to the internet unsafe and unwise in most IT environments. Internet access should be granted based on a documented need for online access to resources related to completion of specific work-related tasks, and subject to security constraints on the IT environment.

As the value of data, resources, processes, and so on supported by a network increases, so does the need for stronger security. Stronger security usually directly translates into fewer unrestricted capabilities for all users.

Fortunately, stronger security doesn't necessarily mean you must terminate all internet access. However, it does mean placing serious restrictions on the types of traffic enabled to cross into and out of the network. Internet access is not an all-or-nothing proposition; instead, it relates to numerous individual information services. You're probably already familiar with many of them: web, FTP, chat, messaging, newsgroups, email, telnet, VPN, streaming audio, streaming video, and so on. You can configure firewalls to grant or restrict traffic related to each of these services on a per-user basis. As discussed in earlier lessons, you can use firewalls to filter by source and destination addresses, application services, and even traffic content. By defining exactly which types of traffic are permitted and which types are restricted in your security policy, you can translate that policy into a set of rules and filters configured in your firewall. It might also be smart to constrain certain types of "insecure" internet traffic -- most notably, FTP, telnet, and SMTP -- to use only encrypted channels, or to switch users to more secure alternatives, such as SFTP (Secure File Transfer Protocol), stelnet, and secure email transmission protocols or tools. Now that you have a better idea of the intricacies of the internet portion of a security policy, read on to learn about email policies and restrictions your company might need to enforce.

Creating an email access policy


Email is the most widely used internet information service. Unfortunately, it has also become the most popular delivery mechanism for viruses, Trojan horses, and other malicious code and attacks. Many organizations rely on email for communication with customers, partners, and others. Issues or services this important should have a separate, focused security policy document that integrates with the firewall security policy. Email uses three primary protocols: SMTP (Simple Mail Transfer Protocol), POP3 (Post Office Protocol version 3), and IMAP (Internet Message Access Protocol). SMTP is the protocol clients use to submit outbound messages to email servers and to move email from server to server on the way to recipients' email inbox(es). Email clients use POP3 or IMAP to retrieve email from their inboxes on an email server. POP3 is more widely used; however, IMAP supports built-in encryption. Based on this information, consider writing your firewall security policy to require IMAP instead of POP3 for email downloads. Also specify that IMAP and SMTP should be enabled to pass through the firewall, although you might also want to add content or source/destination filters to restrict potential abuse.

Another important aspect of email to consider is attachments. An attachment is some kind of file attached to an email message, delivering one or more text documents or non-textual objects from sender to receiver. An attachment can be a picture, a document, a program, or another type of file. Attachments can also contain malicious code, such as a worm or a virus. As part of your firewall implementation, require virus scanning on all IMAP, POP3, and SMTP traffic employed in your organization. You might also decide not to enable attachments at all. If your network and your data are highly sensitive and valuable, stopping attachments at the border firewall provides a meaningful safeguard against damage, theft, or infection. The most secure networks, such as those used in the defense industry or at the NSA (National Security Agency), don't enable access to outside networks, nor do they generally enable ordinary users to download files onto or upload files from such networks. You've learned about email policies and restrictions. Now find out how to create a VPN access policy.
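The attachment rule in an email policy ("no executable attachments", or "no attachments at all") has to be enforced by something that actually opens the message at the gateway. The following is an added example, not code from this class or from any product it mentions; it uses Python's standard email library to parse a message, walk its attachments, and return an accept/reject verdict with the reasons a gateway log would need. The blocked-extension list, the XYZ-style addresses, and the sample messages are all constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# Constructed organisational rule (an assumption for this example): attachments
# with these extensions or content types are refused at the mail gateway.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".cmd", ".js", ".vbs", ".com"}
BLOCKED_CONTENT_TYPES = {"application/x-msdownload", "application/x-executable"}


def inspect_message(raw: bytes, allow_attachments: bool = True):
    """Return (verdict, reasons) for a raw RFC 5322 message.

    verdict is "accept" or "reject"; reasons names every attachment that
    violated the policy so the gateway log explains the decision. With
    allow_attachments=False the stricter "no attachments at all" policy
    from the lesson is applied.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        ctype = part.get_content_type()
        if not allow_attachments:
            reasons.append(f"{name}: attachments disabled by policy")
        elif ext in BLOCKED_EXTENSIONS or ctype in BLOCKED_CONTENT_TYPES:
            reasons.append(f"{name} ({ctype}): executable content blocked")
    return ("reject" if reasons else "accept"), reasons


def build_sample(filename: str, payload: bytes, maintype: str, subtype: str) -> bytes:
    """Construct a one-attachment test message (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg["Subject"] = "quarterly report"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return bytes(msg)


if __name__ == "__main__":
    for sample in (build_sample("report.pdf", b"%PDF-1.4 sample", "application", "pdf"),
                   build_sample("invoice.exe", b"MZ sample", "application", "octet-stream")):
        print(inspect_message(sample))
        print(inspect_message(sample, allow_attachments=False))
```

Filtering on both the file extension and the declared content type matters because either one alone is easy to mislabel; a scanner that also inspects the payload (the virus scanning the lesson asks for on IMAP, POP3 and SMTP traffic) would sit behind this check, not replace it.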

Creating a VPN access policy


As you learned in Lesson 3, VPNs make it possible to establish a normal, secure network connection between distant systems. A VPN connection functions exactly the same as a normal direct network connection, although VPN links are often slower than normal network connections. VPNs can be established between two individual systems; however, a remote client often establishes a VPN connection with a centralized LAN (local area network). A VPN's primary benefit is enabling remote clients to connect to the office LAN with minimal expense. The remote system connects to the internet via a local connection -- modem dialup, cable, DSL, and so on -- and then establishes a VPN link with the LAN through its dedicated internet connection.

The details of establishing VPN access are specific to particular firewalls and clients. Review your firewall documentation to learn how to set up VPN access to your network.

VPNs must be addressed in your firewall security policy. If you enable VPNs, define which VPN protocols are permitted and exactly who can use VPN connections. VPNs offer identity authentication to verify connection partners and employ encryption to protect transmission of data over public networks. A remote system also can connect into a firewall-protected LAN by a process called tunneling in. Basically, tunneling in occurs when a communication connection is established through an unrestricted hole in a firewall's security barrier. Often called punching a hole in the firewall, this process involves defining a specific protocol and port that enables traffic to pass without restriction. Always restrict tunneling in because it opens an unprotected connection point in your firewall and communication services used when tunneling in often don't support authentication, encryption, or other security mechanisms. Next up, you'll find out about content filtering.

Creating a content filtering policy


Content filtering must be addressed in a firewall security policy. Decide whether to enable all traffic through the firewall without restriction, or to filter traffic based on a clearly defined set of acceptable use rules for traffic and content. As security in your organization increases, so does the need to restrict content flow through firewalls. Acceptable use describes the activities and functions an IT infrastructure can be used for without violating company policy. More specifically, it tells users what they can and can't do on the local network and on the internet using company equipment. To establish an acceptable use policy, create an exhaustive list of acceptable and unacceptable activities or traffic content restrictions. Some examples of entries typical in an acceptable use list include:
  No trafficking or trading in copy-protected files, such as audio and video, or any types of copyrighted materials
  No pornography
  No email distribution lists originating from the local network
  No executable program/code attachments to email
  No access to nonwork-related websites, such as sports, adult content, games, entertainment, and so on
  No traffic originating from outside the network, except for VPN links
  No NNTP newsgroups

From this list, you can easily create firewall-specific rules to control and manage inbound and outbound traffic. However, before you set up your content and traffic rules and configure your firewall appropriately, run the list of acceptable content by the people whom it will most affect -- the organization's employees. You might find that prohibiting certain kinds of content (such as ZIP files or executables) has a negative impact on the way some employees do their jobs. This doesn't mean you have to change your security rules -- you might be able to find other, more secure ways for employees to send and receive such files. However, gathering input from employees before you make a change to your firewall will save you time and energy later.
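The internet access, VPN and content filtering sections all make the same point: the written policy is translated into an ordered set of firewall rules, with an implicit deny for anything not listed, and any "punched hole" that admits unrestricted inbound traffic deserves special scrutiny. The block below is an added example, not code from this class or any firewall product; it compiles a small acceptable-use policy (constructed here for a fictional XYZ Corp, with an IMAP-not-POP3 email rule, an NNTP ban and a partner-only VPN allowance) into rules, evaluates sample packets against them, and audits the rule set for unrestricted inbound allows. The service-to-port table uses standard assigned ports; the rule, packet and policy shapes are this example's own assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Well-known ports for the services named in the lesson (IANA-assigned values).
SERVICES = {
    "web": ("tcp", 80), "https": ("tcp", 443), "ftp": ("tcp", 21),
    "telnet": ("tcp", 23), "smtp": ("tcp", 25), "pop3": ("tcp", 110),
    "imap": ("tcp", 143), "nntp": ("tcp", 119), "sftp": ("tcp", 22),
    "vpn-ipsec": ("udp", 500),
}


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    direction: str                 # "out" = LAN to internet, "in" = internet to LAN
    proto: str
    port: int
    source: Optional[str] = None   # CIDR the packet must come from; None = any


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src: str
    dst_port: int


# Constructed acceptable-use policy for a fictional XYZ Corp (an assumption,
# not a policy from the page): prohibited services, permitted services, and
# the only inbound traffic allowed, a VPN from one partner site.
ACCEPTABLE_USE = {
    "deny": ["nntp", "pop3", "telnet", "ftp"],
    "allow": ["web", "https", "imap", "smtp", "sftp"],
    "inbound": [("vpn-ipsec", "198.51.100.0/24")],
}


def compile_policy(policy):
    """Translate the readable policy into an ordered rule list.

    Denies are emitted before allows, so an explicit prohibition wins even if
    the same service also appears in the allow list; anything not listed falls
    through to the implicit default deny in evaluate().
    """
    rules = []
    for name in policy.get("deny", []):
        proto, port = SERVICES[name]
        rules.append(Rule("deny", "out", proto, port))
    for name in policy.get("allow", []):
        proto, port = SERVICES[name]
        rules.append(Rule("allow", "out", proto, port))
    for name, partner in policy.get("inbound", []):
        proto, port = SERVICES[name]
        rules.append(Rule("allow", "in", proto, port, partner))
    return rules


def evaluate(rules, pkt):
    """First matching rule decides; no match means the default deny applies."""
    for r in rules:
        if (r.direction, r.proto, r.port) != (pkt.direction, pkt.proto, pkt.dst_port):
            continue
        if r.source is not None and ip_address(pkt.src) not in ip_network(r.source):
            continue
        return r.action
    return "deny"


def audit(rules):
    """Flag inbound allows with no source restriction: the 'punched hole' the
    VPN section warns about, since any host on the internet can reach that port."""
    return [r for r in rules
            if r.direction == "in" and r.action == "allow" and r.source is None]


if __name__ == "__main__":
    rules = compile_policy(ACCEPTABLE_USE)
    for pkt in (Packet("out", "tcp", "10.0.0.5", 143),     # IMAP: allowed
                Packet("out", "tcp", "10.0.0.5", 110),     # POP3: denied by policy
                Packet("in", "udp", "203.0.113.9", 500)):  # VPN from a non-partner
        print(pkt, "->", evaluate(rules, pkt))
    print("unrestricted inbound rules:", audit(rules + [Rule("allow", "in", "tcp", 23)]))
```

Keeping the compile step separate from evaluation is the useful habit here: the policy document stays readable for the people it affects, and the generated rule list is what gets reviewed and loaded into the firewall, so a change to either one can be diffed on its own.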

Moving on
In this lesson, you learned about the different elements of a security policy and the issues to consider as you define one for your organization or your home network. In Lesson 6, you'll find out how the different elements discussed so far in the class -- networks, protocols, hardware, software, and security policies -- come together in firewall configurations, and how to establish best security practices while fending off common attacks and exploits. Before you move on, complete the assignment and take the quiz. Also, visit the message board to find out what other students are up to and touch base with your instructor.

Assignment #5
Regardless of the size of your network or organization, it's wise to formulate a security policy that meets your particular needs. If you already have a security policy, review it and evaluate it for completeness: When was its last revision? How relevant is it to current security risks? Does it need to be revised? If you don't yet have a policy, now's a good time to start one. For more information on avoiding the pitfalls of poor policy design and for help developing solid security policies, visit at least two of the following web pages:
  SANS InfoSec Reading Room - Security Policy Issues
  RFC 2196 Site Security Handbook
  IT Security Policies & Network Security Policies and How To Deliver Them
  Ruskwig Security Policies

Quiz #5
Question 1: Which of the following is the base or foundation document for a formalized security structure?
A) Security procedure
B) Security standard
C) Security policy
D) Security guideline

Question 2: True or False: Regulatory policies are compulsory.
A) True
B) False

Question 3: Which one of the following isn't considered a tactical document?
A) Procedure
B) Standard
C) Policy
D) Guideline

Question 4: The level of internet access granted to each user should be based on which of the following criteria?
A) User desire
B) Work tasks
C) Available bandwidth
D) Operating system security

Question 5: Which internet information service is the most commonly used transport or delivery mechanism for malicious code?
A) Web
B) Email
C) FTP
D) Telnet

Making the most of your firewall


In this lesson, you'll learn about common firewall configurations, how to test and evaluate firewall effectiveness and how to select the right firewall. You'll also learn about common attacks your firewall must counter and best security practices.

Identifying types of attacks


As you know by this point in the class, firewalls are a key element in any security solution. However, firewalls aren't effective against every type of attack, so other security controls must be included in an effective solution. This section explores many of the common attacks that systems can face and indicates whether most firewalls are effective against them.

Meet the suspects


The suspects in an attack generally fall into two categories: intruders and attackers. An intruder is any unauthorized person or program attempting to gain access to your system. An attacker is a program or person attempting to damage your system or prevent it from performing properly without actually breaching your security perimeter. The media often mislabels such suspects as hackers. The correct term is cracker. A hacker is someone who is knowledgeable about technology and can perform a wide range of complex activities without malicious intent. A cracker is a hacker with malicious intent.

Adware
Adware is software that facilitates delivery of unwanted advertisements, web pages, or other content to a desktop, usually through a web browser. As with viruses and spyware, firewalls can be ineffective against certain types of adware because they're often installed entirely covertly. Because a user initiated the installation or clicked the link, a firewall can interpret this as a legitimate request.

Application backdoors
An application backdoor is a programmatic door to your system created by the original programmer of a software product. Backdoors can give someone unauthorized access or control over that application or its host system. Some backdoors are installed intentionally, whereas others result from coding errors. Firewalls are generally ineffective against backdoors because accessing a backdoor usually occurs over authorized connections. The best way to protect against backdoors is to use well-tested, reputable software.

Brute force and dictionary attacks


Brute force and dictionary attacks attempt to guess the password for a user account, device, or service. Brute force attacks systematically try every possible character combination, whereas dictionary attacks use a predefined password list. Firewalls are ineffective against brute force and dictionary attacks because they occur over authorized connections attempting to log into an account or service. A good way to avoid such attacks is to limit the number of failed login attempts a system permits before it blocks access to a particular account or from a particular IP address. Make creating secure passwords part of your security policy.
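The countermeasure the lesson recommends, limiting failed attempts per account and per source address before blocking, is a small piece of state the authenticating service has to keep itself, since the firewall sees only an authorized connection. The following is an added example, not code from this class or any product it names: a sliding-window lockout tracker fed with authentication results, with constructed timestamps and addresses. The thresholds are example values; pick your own from policy.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Count failed logins per account and per source address inside a sliding
    window and lock the subject out once the threshold is reached.

    Tracking the source address separately from the account is what catches a
    dictionary attack spread over many accounts from one host, which a
    per-account counter alone would never see.
    """

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> timestamps of recent failures
        self._locked_until = {}               # key -> time the lock expires

    def _prune(self, key, now):
        """Drop failures older than the window so old mistakes don't accumulate."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, account, source_ip, now):
        return any(self._locked_until.get(k, 0) > now
                   for k in (("acct", account), ("ip", source_ip)))

    def record(self, account, source_ip, success, now):
        """Feed one authentication result; return True if the subject is now locked."""
        if self.is_blocked(account, source_ip, now):
            return True
        if success:
            # A real login clears the account's counter but not the address's:
            # one valid guess from a host that is spraying passwords is still
            # a signal worth keeping.
            self._failures.pop(("acct", account), None)
            return False
        locked = False
        for key in (("acct", account), ("ip", source_ip)):
            self._prune(key, now)
            self._failures[key].append(now)
            if len(self._failures[key]) >= self.max_failures:
                self._locked_until[key] = now + self.lockout
                self._failures[key].clear()
                locked = True
        return locked


# Constructed authentication log for the demonstration (not real events):
# (timestamp, account, source address, success)
SAMPLE_EVENTS = [
    (0, "alice", "203.0.113.5", False),
    (10, "alice", "203.0.113.5", False),
    (20, "alice", "203.0.113.5", False),   # third failure inside the window
    (30, "alice", "198.51.100.1", True),   # correct password, but account is locked
]


def replay(events, guard=None):
    """Run a list of events through a guard and return the lock decision per event."""
    guard = guard or LoginGuard(max_failures=3, window_seconds=60, lockout_seconds=600)
    return [guard.record(acct, ip, ok, ts) for ts, acct, ip, ok in events]


if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))   # the fourth result shows the lock is enforced
```

Note what the last sample event demonstrates: once an account is locked, even a correct password from a different address is refused until the lockout expires, which is the behaviour you want against an attacker who finally guesses right, and the reason the lockout window should be short enough not to become a denial-of-service lever against your own users.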

Bulk email attacks


Bulk email attacks, also known as spamming or email bombs, occur when a large number of email messages are sent to a single user or email server. This kind of attack seeks to disable productive access to the email server or prevent the user from reading legitimate email. Firewalls are ineffective against bulk email attacks because email is normally an authorized service permitted to traverse the firewall.

DoS
A DoS (denial of service) attack is any activity that prevents a system or a network from performing its normal activities, such as responding to legitimate requests for services or resources. Firewalls are only partially effective against DoS attacks. After a DoS attack method is known, a firewall can be configured to prevent it. However, firewalls can't respond to new forms of DoS attacks dynamically, nor can they easily protect networks against DoS attacks over open and active services, such as the web or email. When zombies -- other PCs subverted to mount attacks by some cracker in the background -- are used to mount an attack from multiple systems at the same time, these are known as DDoS (distributed DoS) attacks.

Macros
A macro is written in a programming language and is automatically executed by an application whenever the macro is loaded into memory by that application. Macros can be embedded in email messages, documents, spreadsheets, databases, and so on. Microsoft Office, Microsoft Internet Explorer, and Microsoft Outlook are vulnerable to malicious macro attacks. Firewalls are ineffective against macros because they're usually undetected or just not inspected when the data file containing a macro traverses the firewall.

Port scanning
Port scanning is the process of testing every possible TCP and UDP port for open services that might not have been properly secured by the website's operators. Firewalls are partially effective against port scanning because they can block access to closed ports.

Remote login
A remote login occurs when a remote system connects to another system over a network or the internet. The connection can be any type of link between two systems that involves an authentication process. This includes VPN links, user account-specific FTP connections, and telnet sessions. Remote logins can grant distant users access to download files or gain complete control of the system. Firewalls are effective only against remote logins of unauthorized services or Trojan horse services. Many organizations employ remote connection tools, such as VPNs, to grant distant users access to their private networks. Generally, administrators configure firewalls to enable these types of connections.

Software errors
Errors in coding an operating system, software, or device drivers can introduce security vulnerabilities. These can give intruders unwanted access or permit DoS attacks. When exploitation of software errors occurs over authorized connections, firewalls are ineffective against such attacks.

Source routing
Source routing is a complex attack that involves editing the headers of packets used in an attack. As packets are transmitted over a TCP/IP network, routers between the source and destination determine the actual path they take. Source routing occurs when the source (the sender) of packets predetermines the primary route over which packets must be delivered. Crackers can use source routing to make attacking packets appear as if they originated from a trusted location, such as inside a private network or a trusted partner network. Most firewalls are effective against source routing attacks, especially those that make inbound packets seem like they originated from the private network.

Spoofing attacks
Spoofing is the art and science of pretending to be something different from what you actually are. Spoofing is often used to fake the source and/or destination addresses in attack packets. Firewalls are effective against spoofing attacks.
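The two attacks a firewall is said to handle well, source routing and spoofing, are both visible in the IPv4 header itself: a source-route option (Loose Source and Record Route, type 131, or Strict Source and Record Route, type 137, as defined in RFC 791) and a source address that belongs to the private network yet arrives on the outside interface. The block below is an added example, not code from this class or from any firewall: a minimal IPv4 header parser plus the two ingress checks, exercised on headers constructed inline. The internal address ranges are the RFC 1918 private blocks; the sample addresses are documentation addresses.

```python
import struct
from ipaddress import ip_address, ip_network

# Address blocks that must never appear as a source on the external interface
# (RFC 1918 private space; a real deployment adds its own public prefixes).
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
# IPv4 option type values for Loose (131) and Strict (137) Source Route (RFC 791).
SOURCE_ROUTE_OPTIONS = {131, 137}


def parse_ipv4_header(pkt: bytes):
    """Return (src, dst, option_types) from a raw IPv4 header.

    Raises ValueError on anything malformed rather than guessing, because a
    header the parser cannot account for is itself a reason to drop.
    """
    if len(pkt) < 20:
        raise ValueError("truncated header")
    ver_ihl = pkt[0]
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("bad IHL")
    src = ip_address(pkt[12:16])
    dst = ip_address(pkt[16:20])
    options = []
    i = 20
    while i < ihl:
        opt_type = pkt[i]
        if opt_type == 0:          # End of Option List
            break
        if opt_type == 1:          # No Operation (single byte)
            i += 1
            continue
        if i + 1 >= ihl:
            raise ValueError("option missing length byte")
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            raise ValueError("bad option length")
        options.append(opt_type)
        i += length
    return src, dst, options


def check_inbound(pkt: bytes, inside=INTERNAL_NETS):
    """Ingress decision for a packet arriving on the external interface."""
    src, dst, options = parse_ipv4_header(pkt)
    reasons = []
    if SOURCE_ROUTE_OPTIONS & set(options):
        reasons.append("source-routed packet")
    if any(src in net for net in inside):
        reasons.append(f"spoofed source {src}: internal address on external interface")
    return ("drop" if reasons else "accept"), reasons


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a minimal IPv4 header for testing (sample data, not a capture)."""
    options += b"\x00" * ((-len(options)) % 4)     # pad option area to 32-bit words
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                        0, 0, 64, 6, 0, ip_address(src).packed, ip_address(dst).packed)
    return fixed + options


# LSRR option: type 131, length 7, pointer 4, one hop address (constructed).
LSRR_ONE_HOP = b"\x83\x07\x04" + ip_address("203.0.113.9").packed

if __name__ == "__main__":
    print(check_inbound(build_header("203.0.113.5", "192.0.2.10")))
    print(check_inbound(build_header("10.1.2.3", "192.0.2.10")))
    print(check_inbound(build_header("203.0.113.5", "192.0.2.10", LSRR_ONE_HOP)))
```

The spoofing check is the classic ingress filter: a packet claiming to come from inside cannot legitimately arrive from outside, so the address alone is grounds to drop it. The same parser runs equally well on the inside interface with the roles reversed (egress filtering), which stops your own network from being the source of spoofed traffic.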

Viruses
A virus is malicious code capable of duplicating and spreading itself. Some viruses can cause damage to a system through file corruption and deletion. Other viruses cause DoS conditions as they consume system resources when they spawn and reproduce themselves. Viruses can spread through programs, documents, or email. Firewalls are ineffective against viruses unless they employ a built-in or add-on antivirus scanner to search for viruses in all traffic crossing the border device.

Spyware
A spyware program that monitors system activity and records data of potential interest to crackers (such as passwords, account names, credit card numbers, and other sensitive data) is the worst type of spyware. Other types just monitor user activity and report on it so advertisers or retailers can identify and target choice sales prospects. Spyware is usually installed surreptitiously, without the consent of the PC's owner, and can cause system slowdowns, instability, and even crashes. Firewalls can be effective against some spyware; however, you should install and use an antispyware program to keep your system free of spyware. As you can see, a firewall can't protect against a significant number of attacks. That should reinforce the notion that a firewall is by no means a total security solution; it must instead be integrated into a complete security implementation. You'll learn about intrusion detection systems in the next section.

Detecting intrusions
An IDS (intrusion detection system) is an automated tool that monitors systems or networks for unauthorized, unwanted, or abnormal activity. An IDS scans log files and monitors real-time events to look for signs of intrusion or attack. IDS capabilities are generally limited to detection and alarm. After an IDS detects suspicious activity, it can inform administrators that an attack is occurring or has occurred. An advanced IDS can perform limited countermeasures, such as disabling access ports, services, or user accounts. Even so, don't view an IDS as a silver bullet security solution; see it as a component in an organization's integrated security infrastructure. There are two primary types of IDS: host IDS and network IDS. A host IDS is installed on a single computer and its purpose is to monitor that system for suspicious activities. A network IDS is deployed to monitor suspicious activities on a network.

Host IDS
A host IDS examines the activities of a system in much greater detail than a network IDS. This enables a host IDS to pinpoint the exact files, services, user accounts, and so forth, that are involved in an intrusion or attack. A host IDS can detect system-specific attacks that a network IDS cannot detect; however, a host IDS can't detect network-based attacks. A host IDS negatively affects performance on its host system because it must consume system resources to perform its monitoring, logging, and reporting duties.

Network IDS
A network IDS focuses on discovering anomalies or malicious activities in network traffic patterns and packet contents. You install a network IDS onto dedicated hosts, similar to a bastion host where a firewall might reside. This enables all the resources in that computer to focus on monitoring network activity. You can configure many network IDSs to be invisible and inaccessible to the rest of the network. This effectively hides the IDS from intruders who may wish to disable or attack the IDS directly. A network IDS is a passive monitoring system and has little or no impact on overall network performance. However, on networks with large traffic volumes, a network IDS can fail to detect an attack, especially if that attack consumes a small fraction of total network bandwidth. A network IDS can inspect the contents of packets to discover malicious activity. However, if those transmissions are encrypted, a network IDS is unable to access their contents.

A network IDS is good at detecting attempted DoS attacks, repeated attacks, and intrusion attempts. However, network IDS solutions can't provide specific information about whether an attack was successful, which systems were targeted, and which elements of the network were affected.

In an ordinary IDS deployment, you use a network IDS to monitor the network as a whole and host IDSs to safeguard mission-critical systems. This tactic exploits the best features of both forms of IDS. An IDS is an excellent complementary security mechanism for a firewall. A firewall is deployed to keep out unwanted traffic, and an IDS monitors for malicious traffic that makes it past the firewall. Next, pick up some best security practices to keep your PCs and network safe.
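A network IDS watching the traffic a firewall has already dropped or passed is mostly pattern-finding over connection records, and the port scanning described earlier is the simplest pattern to start with: one source touching many distinct ports on one host in a short time. The following is an added example, not code from this class or from any IDS product; it builds a small constructed firewall log (syslog-like lines, not from a real device, with documentation addresses) and runs a sliding-window detector over it. The log format, threshold and window are this example's assumptions.

```python
from collections import defaultdict


def make_sample_log():
    """Constructed firewall log (not a real capture), three sources:
    203.0.113.9 probes twelve ports on 192.0.2.10 in twelve seconds,
    198.51.100.4 makes ordinary repeated HTTPS connections,
    198.51.100.77 probes twelve ports but only one every five minutes."""
    lines = []
    for i, port in enumerate(range(20, 32)):
        lines.append(f"{1700000000 + i} DROP 203.0.113.9 -> 192.0.2.10:{port} tcp")
    for i in range(5):
        lines.append(f"{1700000000 + i * 3} ACCEPT 198.51.100.4 -> 192.0.2.10:443 tcp")
    for i, port in enumerate(range(8000, 8012)):
        lines.append(f"{1700000000 + i * 300} DROP 198.51.100.77 -> 192.0.2.10:{port} tcp")
    return "\n".join(lines)


def parse_line(line):
    """'<ts> <ACTION> <src> -> <dst>:<port> <proto>' -> tuple of typed fields."""
    ts, action, src, _arrow, dst, proto = line.split()
    dst_ip, port = dst.rsplit(":", 1)
    return int(ts), action, src, dst_ip, int(port), proto


def detect_port_scans(log_text, threshold=10, window=60):
    """Alert on any source that touches at least `threshold` distinct destination
    ports on one host inside a sliding `window` of seconds.

    Returns one alert per (source, destination) pair, raised at the moment the
    threshold is first crossed, so a live deployment could act immediately.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    hits = defaultdict(list)                      # (src, dst) -> [(ts, port), ...]
    for ts, _action, src, dst, port, _proto in events:
        hits[(src, dst)].append((ts, port))
    alerts = []
    for (src, dst), seq in hits.items():
        start = 0
        for end, (ts, _port) in enumerate(seq):
            while ts - seq[start][0] > window:    # slide the window forward
                start += 1
            distinct = {p for _, p in seq[start:end + 1]}
            if len(distinct) >= threshold:
                alerts.append({"src": src, "dst": dst, "ports": len(distinct), "at": ts})
                break
    return alerts


if __name__ == "__main__":
    log = make_sample_log()
    print("60 s window:  ", detect_port_scans(log))
    print("1 h window:   ", detect_port_scans(log, window=3600))
```

The third source in the sample log is the caveat the text raises about low-volume attacks: with the default one-minute window it is never flagged, and only a much longer window (at the cost of more state per source) catches it. Tuning that window against the traffic you actually see, rather than accepting a default, is most of the work of running a network IDS.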

Using best security practices


As you know by now, putting a complete security protection solution in place includes much more than just installing and running a firewall. The following are best practices for securing your environment:
  Install a firewall, and antivirus, antispyware, and antispam protection software.
  Enable pop-up blockers in your web browsers.
  Keep your operating systems and all applications patched and up-to-date.
  Install one or more IDS solutions if your environment requires the additional protection.

When combined, all of these solutions provide sufficient coverage to maintain reasonable system security and integrity. It's an ongoing effort, however, and must be monitored and watched regularly, because as new threats or exploits are discovered, new ways to protect against them will become necessary. Visit the Microsoft "Protect Your Computer" web page for additional information on protecting your systems.

Hardening systems
Protecting your system from potential attack is an important part of maintaining security. Thwarting crackers primarily consists of applying safeguards and countermeasures as new attack methods and vulnerabilities are discovered. These safeguards and countermeasures are usually deployed in response to attacks or discoveries on systems that have already been hardened. Every system in a network should be hardened by completing each of the following tasks, roughly in the same order presented here:
1. Define an organizational security policy.
2. Set security standards, guidelines, and procedures for all systems within the organization.
3. Update the operating systems and software with patches from their respective vendors.
4. Configure each system to the level your security policy mandates, considering also the system's function/purpose, and the sensitivity and confidentiality of assets it holds.
5. Establish a common security baseline for all systems.
6. Deploy security mechanisms such as firewalls and IDS as needed.
7. Implement physical security controls.
8. Train users to maintain security and work within the boundaries defined by the security policy.

After this hardening is complete, respond to new attacks and patch newly revealed vulnerabilities. Should your network fall victim to an attack, investigate the incident thoroughly to discover all elements that made the attack or intrusion possible. When you know that information, you can formulate a response by closing down access ports, reconfiguring services, or installing vendor-supplied updates to correct coding errors, software deficiencies, and so forth. As new attack methods are discovered or new vulnerabilities in a product become known, most vendors release patches, updates, or hotfixes to correct problems. Test these fixes for effectiveness and safety on a test or lab network, and then install them on your production systems after their effectiveness is shown to improve overall security.
Always remember that no system is 100 percent secure. You must maintain security over time to be effective.

Moving on
In this class, you learned the basics about how firewalls work and what roles they play in complete security solutions. You also met TCP/IP -- the protocol stack that drives internet communications -- and discovered how firewalls work to make TCP/IP communications more secure. Before you leave the class, complete the assignment and quiz for this lesson. Also, visit the message board to ask any questions you have about firewalls and network security. Thanks for taking this class, and good luck in your future networking adventures!

Assignment #6
Selecting the right firewall to install can be daunting. However, by performing a systematic review of what's available, you can pinpoint the features and capabilities your organization needs. After you build a list of required and desired or optional features, you can quickly narrow your search. As you review your firewall options, closely evaluate the following:
  Hardware or software solution
  Firewall operating system and hardware requirements
  Throughput, performance, and reliability
  Upgradability, end-user troubleshooting support, and configuration versatility
  Methods or types of content filtering: static, dynamic, content, application, and so on
  NAT
  Proxy capabilities
  Routing capabilities
  Auditing, logging, monitoring, and alerting capabilities
  Centralized management
  Encryption
  VPN support
  Remote control capabilities

After you've established a list of features you want in a firewall, review your security policy, and then compare and adjust that list accordingly. It's essential to match firewall capabilities with your security policy at every stage of design and implementation.

Quiz #6
Question 1: Firewalls are effective against which of the following types of attack? (Check all that apply.)
A) Application backdoors
B) Bulk email attacks
C) DoS
D) Port scanning
E) Source routing

Question 2: True or False: An intruder or an attacker can be just about anyone.
A) True
B) False

Question 3: True or False: A cracker is someone knowledgeable about technology and can perform a wide range of complex activities without malicious intent.
A) True
B) False

Question 4: What's the first step in deploying barriers to prevent attacks?
A) Create a security policy
B) Harden the host
C) Deploy an IDS
D) Implement physical access controls

2003 - 2008 Powered, Inc.
