A firewall is an essential part of computer and network protection. This class for the basic computer user is designed to help you understand firewalls, how they work and the technologies behind them. You'll learn about basic internet security policies, explore common firewall configurations and uses, learn how to assess your firewall needs and find the right product to meet those needs.
Lessons
1. What is a firewall? This lesson introduces you to firewalls, and explains why you need one and how to get one. You'll also explore types of firewalls, such as software-only, standalone firewall hardware/software combinations and general-purpose internet firewalls.
2. TCP/IP tutorial. Basic knowledge about TCP/IP, the protocol suite that supports the internet, is essential to understanding how firewalls and related technologies work. In this lesson, you'll learn about the TCP/IP protocols and how firewalls use them to keep your network secure.
3. Inside a firewall. This lesson covers how a firewall works and which features and functions are found in most firewalls. You'll see how firewalls use rules and filters and keep track of network activity, and how additional encryption software can provide added protection.
4. Hardware firewalls, software firewalls and secure hosts. Not all firewalls are created equal. In this lesson, you'll learn about different kinds of firewalls, and the pros and cons of each. You'll also learn about what's involved in securing a network host, and keeping it as secure as possible thereafter.
5. Firewalls need security policies. A security policy is a special type of document that describes what resources must be secured and who may use secured resources under what conditions. In this lesson, you'll learn about security policy and how it helps control traffic on your network.
6. Making the most of your firewall. In this lesson, you'll learn about common firewall configurations, how to test and evaluate firewall effectiveness and how to select the right firewall. You'll also learn about common attacks your firewall must counter and best security practices.
What is a firewall?
This lesson introduces you to firewalls, and explains why you need one and how to get one. You'll also explore types of firewalls, such as software-only, standalone firewall hardware/software combinations and general-purpose internet firewalls.
This class is geared toward SMB (small- and medium-size businesses) owners and home office users who want to protect their computers and networks from unauthorized intruders.
Firewalls can be intimidating, and inevitably involve numerous technical topics. You'll need to understand a little bit about networks and internet communications to understand how firewalls work, so this class gives you a gentle introduction to those topics. The class message board is your classroom and is the place you should go when you have a question about what's covered in this class, or about other firewall-related issues. Remember, your instructor and classmates are in this learning endeavor with you, so don't be afraid to speak up (virtually, of course).
What is a firewall?
When you create a link to the internet, a firewall sits between the private, or internal, side of the connection and the public, or external, side of that same connection. The private side can contain a single system or one or more networks, as shown in Figure 1-1. Simply put, a firewall's primary job is to examine inbound traffic (traffic coming from the public side of the link destined for the private side) to make sure it's safe before permitting that traffic to pass through to the private side of the link.
Figure 1-1: A firewall. Like the physical barrier it's named after, no internet firewall is perfect, nor can it always defeat or deflect all malign traffic.
To appreciate a firewall, you must recognize that you have a system or systems which contain information that's worth protecting. This class is designed to help you cultivate that appreciation and understand exactly how a firewall works to protect crucial information. It isn't designed to teach you how to implement a particular firewall software or technology; it's a more concept-oriented class that helps you understand what firewalls are designed to do and how they work.
If you're interested in setting up a firewall, the principles and concepts covered in this class will help you select the right firewall and understand its documentation so you can get your firewall up and running.
Terms to know
A bastion is a term from medieval architecture and refers to a fortified place designed to provide a strong point of defense against outside attack. The metaphor carries over into networking: A bastion host is a computer that provides a protected single point of entry and exit between outside and inside networks. Because it is exposed to the outside, a bastion host is hardened (unneeded services removed, software kept patched) before it is put to work. Firewalls often run on bastion hosts along with routers, intrusion detection systems, and so forth. A screened host, shown in Figure 1-2, is a bastion host that sits behind a packet-filtering router; the term emphasizes the router's or firewall's role of examining incoming and outgoing traffic and filtering out unwanted or excluded traffic.

Figure 1-2: A screened host.

A screened subnet, shown in Figure 1-3, is a separate network segment with its own block of addresses (for example, the addresses around 192.168.1.0), placed between the untrusted world of external networks and the trusted internal network; it is often called a DMZ. By interposing barriers and proxies on both sides of that subnet, a screened subnet prevents traffic from flowing directly between the inside and the outside.

Figure 1-3: A screened subnet host.

You'll learn about proxies and addressing in Lesson 3. First, you'll learn about the two primary types of firewall forms: software and hardware.
Figure 1-4: Personal firewalls, or internet appliances, on individual computers. It's important to understand that firewall devices generally include both hardware and software; however, you manage them together as a single unit. It's also important to recognize that for the same level of functionality, a firewall device generally costs more than a software-only firewall, if only because of the hardware costs involved. However, companies such as Belkin, D-Link, and Linksys offer internet appliances (that include firewall capabilities) for under $100.
Because firewalls represent the most obvious point of attack for those with less than honest intentions, most security experts recommend that you dedicate a computer or some other device, such as an internet appliance, for use as a firewall and for other related security functions. This explains the popularity of internet or security appliances -- they're usually less expensive than buying a computer and software for exclusive firewall use.
In many cases, internet or security appliances come preconfigured and ready to install and use, and require little or no expertise to put them to work. By contrast, installing and configuring software-only firewalls can involve some work, and require at least some knowledge about security, in general, and the firewall in use, in particular.
Since the release of Windows XP SP2 (Service Pack 2), Windows desktop software includes a built-in firewall called Windows Firewall, which is enabled by default. It's an adequate firewall and might be just the thing for home or small office users with just one or two PCs to protect. Next, we'll discuss why you need a firewall.
If you have an internal private network, you want to protect these things on all the computers or other devices attached to that network.
Some attacks involve installing software on your system (or systems) to provide easy access for an attacker, or to engage in attacks against other systems. This latter attack turns systems into zombies, which means your computers could be used to attack other systems and networks; however, someone else is lurking in the background directing that activity. Other such attacks might be less overtly destructive and just install unwanted monitoring, reporting, remote control, or advertisement display software on your system (a common symptom of adware and spyware; more on these topics later).
You'll learn all about many security threats and attacks in Lesson 6.
When installing a firewall, make sure its capabilities are up to date. New attacks appear all the time, and old software often can't handle new threats. This applies equally to software-only and hardware firewalls. Visit vendor websites to find patches and fixes to keep any firewall current.
The how and why of these protections will follow later in the class.
more about setting the business rules that define what traffic your firewall keeps in and out in Lesson 3.
The Windows XP SP2 version of Windows Firewall doesn't limit or block outgoing traffic, although it does a pretty good job on inbound traffic. (Windows Vista's firewall can filter outbound connections, but it ships with no outbound rules enforced, so by default it behaves the same way.) Many experts believe this lack of outbound screening lets other firewalls that do support it offer better protection and security, because it is outbound filtering that can stop an already-infected machine from reporting to its controller.
The most important reason for using a firewall, and the best explanation for why you would need one, remains your need to protect your system or network against unwanted penetration, access, or compromise. There are no perfect firewalls, and therefore, no perfect protection against attacks. However, it's relatively easy to deploy reasonable protection that keeps all except the most knowledgeable and dedicated attackers from breaching your defenses. The principle at work here is similar to a burglar alarm: Although it can't keep all burglars away, if it keeps most of them away at a reasonable cost, it's probably good enough for your needs. Next up: how to obtain a firewall.
Obtaining a firewall
Many potential sources for internet firewalls exist, be they hardware firewalls or software firewalls, appliances, or otherwise. Because there's hardware involved, you won't find hardware firewalls or appliances given away at no cost to their users, although cable or DSL users might be loaned or leased such gear as part of their monthly service costs. Some software-only firewalls are available at no cost, making it possible to protect a single computer connected to the internet for free.

There's a category of firewall software called a personal firewall that generally applies to use in a SOHO (small office/home office) or strictly personal network. Firewalls in this category include the following:

Built-in: Comes as part of the operating system and involves no extra cost.
Freeware: You don't pay anything; it's free.
Shareware: You don't pay anything up front; however, you normally must provide modest compensation to the firewall's creator if you continue to use the software beyond a specified trial period (normally 30 days).
Commercial: You must purchase the software before you can use it.

Thus, you have numerous options for obtaining a firewall for personal use in a home office environment to protect key business systems when you or your staff works from home:

If any of your PCs run Windows XP SP2 or higher (including Windows Vista), Windows Firewall comes with the operating system. The XP SP2 version doesn't offer outbound traffic inspection and screening, as most other software-only firewalls do (Vista's firewall can filter outbound connections but enforces no outbound rules by default), but it's adequate for protecting single systems and small networks.
Visit a freeware or shareware download web page (such as the collection of Windows firewall shareware and freeware at tucows.com) and download a software-only firewall package. Read your PC's documentation carefully; sometimes installing freeware can void your warranty.
If you have a cable or DSL connection to the internet, it might come with firewall software, or possibly a modem or appliance with a hardware firewall built in. Some service providers offer software-only firewalls to their subscribers. Contact your service provider for more information.
Purchase a shrink-wrapped software or hardware firewall product at a store, or pay to download a commercial software-only firewall from the internet.

Any company or individual connected to the internet should use a firewall to protect that connection and any system(s) it serves from unauthorized access and potential harm. When you install a firewall to protect a network, you can still decide between software and hardware firewalls, and the same basic principles apply. However, because you have a network, and presumably multiple systems to protect, there are more technical issues to address before you get your firewall set up and running.
Moving on
In this lesson, you learned that a firewall is designed to sit between the public and private sides of an internet connection and block or deflect unwanted incoming traffic (and often, outgoing traffic as well). In Lesson 2, you'll learn more about the protocols and services that make the internet work (and firewalls necessary) in a primer on the internet protocol suite known as TCP/IP (Transmission Control Protocol/Internet Protocol). Before you move on, do the assignment and quiz. Also, visit the message board to find out what other students are up to and to touch base with your instructor.
Assignment #1
Visit one or more of the following websites, and search on the term firewall. Read through the resulting materials to get a sense of how you might use these resources for future learning and research.

The CMP TechWeb Encyclopedia
Internet.com's Webopedia
Marcus Ranum's and Matt Curtin's Internet Firewalls FAQ

Now, visit your favorite search engine and look for introductory information about firewalls. (Hint: Using search strings like firewall tutorial, firewall overview, or firewall introduction will work much better than just firewall.) Bookmark the websites you find most interesting and informative, or add them to your favorites list.
Quiz #1
Question 1: True or False: A firewall's primary job is to examine inbound traffic to make sure it's okay before permitting that traffic to pass through to the private side of the link.
A) True
B) False

Question 2: Which of the following forms do internet firewalls take? (Check all that apply.)
A) Internet appliances
B) Software-only implementations
C) Hardware implementations
D) Remote access services

Question 3: Which of the following aspects or capabilities of your network should you seek to protect from internet attack? (Check all that apply.)
A) System integrity
B) Hardware
C) System contents
D) System behavior
E) System access

Question 4: True or False: All firewalls work only on inbound traffic; they do not limit or block outgoing traffic.
A) True
B) False
TCP/IP tutorial
Basic knowledge about TCP/IP, the protocol suite that supports the internet, is essential to understanding how firewalls and related technologies work. In this lesson, you'll learn about the TCP/IP protocols and how firewalls use them to keep your network secure.
TCP/IP standards
TCP/IP protocols are specified in formal documents known as RFCs (Requests for Comment). Despite the tentative-sounding name, the RFCs on the standards track define existing (and proposed) TCP/IP protocols and services authoritatively; other RFCs are informational or experimental. You can review the complete collection of RFCs online at the IETF (Internet Engineering Task Force) website. When this class was written, RFC 3700 was the current "Internet Official Protocol Standards" list; that summary series has since been retired, and the RFC Editor now publishes the list of current standards online.

IPv6 was expected, when this class was written, to be widely deployed sometime between 2010 and 2015. It was designed with a more pessimistic security model than IPv4 (IPsec was specified as part of the suite rather than as an add-on), so it was expected to need fewer add-ons to keep communications safe. In practice, IPv6 traffic needs the same firewall treatment as IPv4 traffic, and a firewall that filters only IPv4 leaves any IPv6 path into the network unprotected.
and a remote file systems can be moved to list directories, manage files, make copies, and so on.
DARPA
DARPA is the arm of the U.S. Department of Defense that funded the initial research and development work that produced TCP/IP. At its inception, the agency was known just as ARPA (Advanced Research Projects Agency), and gave its name to an early precursor of the internet known as ARPANET.
In most cases, using TCP/IP means operating a number of interlinking and interdependent software components that correspond loosely to the actual protocols and services in use. They also incorporate software drivers that permit the computer to communicate with one or more network interfaces as needed.
It helps if you understand the layers into which the TCP/IP protocol suite is divided, and the roles that each of these layers plays. This division into layers corresponds to a formal model for TCP/IP known as the DARPA (Defense Advanced Research Projects Agency) model or, more directly, as the TCP/IP networking model, which is shown in Figure 2-1.
Figure 2-1: The TCP/IP Networking model.

The model defines a layered collection of protocols and services that together support all of TCP/IP's capabilities. Higher-level layers depend on lower layers to work. The four layers of the TCP/IP networking model are:

Application (or Process) layer: The protocol stack interfaces with applications or processes on a host machine. Recognizable TCP/IP services, such as email, web access, file transfer, and terminal emulation, operate at this layer. It defines the kinds of functions and behaviors that TCP/IP makes available to users.

Transport (or Host-to-Host) layer: Moves data by taking chunks of arbitrary size, breaking them into smaller segments, and managing their delivery. For TCP this includes tracking delivery, retrying failed transmissions, and putting received segments back in order before handing them to the application.

Internet layer: Handles addressing and routing between computers, permits multiple networks to interconnect, and provides naming and addressing schemes. The networking concepts of here (the origination point for communication) and there (the destination) are established at this layer, along with routing mechanisms.

Network Access (or Network Interface) layer: Networking hardware, interface cards, and communications technologies (such as Ethernet or Token Ring), together with specific connection-management and WAN (wide area network) protocols, come into play. Cables, interfaces, and low-level connections to computers operate here.

The following table lists common TCP/IP protocols associated with these layers.

Network Access layer
  PPTP (Point-to-Point Tunneling Protocol): Tunnels PPP sessions across an IP network; used for VPN connections in most modern operating systems and devices (its authentication has known weaknesses, so it is no longer recommended for VPNs).
  PPP (Point-to-Point Protocol): Modern, robust point-to-point communications protocol used to ferry IP across various types of point-to-point links (serial links, modems, broadband connections, and more).
  X.25: European ITU (International Telecommunication Union) WAN protocol widely used for low- and medium-bandwidth telephony-based networking outside the U.S.

Internet layer
  ARP (Address Resolution Protocol): Converts numeric IP addresses to hardware addresses on a specific network segment.
  BGP (Border Gateway Protocol): Newer, exterior routing protocol used to interconnect multiple routing domains or internet backbones.
  ICMP (Internet Control Message Protocol): Carries error and diagnostic messages for IP (for example, destination unreachable and echo request/reply).
  IP (Internet Protocol): Routes packets from sender to receiver.
  OSPF (Open Shortest Path First): Newer, interior routing protocol used inside large private networks or routing domains.
  RIP (Routing Information Protocol): Old-fashioned, basic IP routing protocol.

Transport layer
  TCP (Transmission Control Protocol): Connection-oriented, reliable delivery with sequencing, acknowledgment, and retransmission.
  UDP (User Datagram Protocol): Connectionless, best-effort delivery of individual datagrams with no acknowledgment.

Application layer
  FTP (File Transfer Protocol): Transfers files between hosts.
  HTTP (HyperText Transfer Protocol): Carries web pages and other content between browsers and web servers.
  NNTP (Network News Transport Protocol): Distributes Usenet news articles.
  SMTP (Simple Mail Transfer Protocol): Supports email delivery from sender to receiver.

Table 2-1: Protocols associated with TCP/IP Networking model layers.

Basic firewalls operate primarily at the Internet and Transport layers; more advanced firewalls cover those layers and also operate at the Application layer. The importance of these statements will be explained in detail throughout the rest of this class. In the next section you'll learn about IP addresses.
Understanding IP addresses
One of the most important functions of the Internet layer in the TCP/IP Networking Model relates to addressing. In general, IP addresses enable every system on the internet to be completely and uniquely identified. IP uses a three-part addressing scheme.

Symbolic names consist of internet domain names that take the form www.microsoft.com or ftp.hp.com. To be valid, any domain name must correspond to at least one numeric IP address. Domain names point to numeric IP addresses, mediated by the TCP/IP application service known as DNS (the Domain Name System), which translates from the symbolic to the numeric form.

A logical numeric (IP) address for IPv4 is often expressed in dotted decimal notation: a set of four numbers separated by dots, as in 10.6.120.78. Each of these four numbers must be less than 256 in decimal value, because each represents an eight-bit number. IP uses this kind of address to uniquely identify all hosts and interfaces on the internet. Most people call eight-bit numbers bytes; TCP/IP experts prefer to call them octets, which means the same thing.

For physical numeric addresses, network interfaces are encoded with a six-byte numeric address as part of the manufacturing process. This is known as a MAC (Media Access Control) layer address. The first three bytes identify the manufacturer (the OUI, or Organizationally Unique Identifier), and the last three bytes are a value the manufacturer assigns so that no two interfaces leave the factory with the same address. Note, however, that most operating systems let the address be overridden in software, so a MAC address is not proof of which machine sent a frame, and it never travels beyond the local network segment.

The rest of this class focuses on numeric IP addresses. Next, take a look inside an IP packet.
Identifying IP packets
Each protocol defines a set of rules for information exchange, as well as a set of formats for messages to take. Rules for IP packets define the overall shape of TCP/IP communications, because most messages ultimately occupy IP packets -- moving from sender to receiver. Learning the basic IP packet layout and initial fields (called header fields in TCP/IP lingo) will help you understand how TCP/IP behaves, and how firewalls operate.
IP packet layout
Figure 2-2 shows a map of an IP header, which contains the following named fields whose lengths are denoted by their sizes in that diagram.
Figure 2-2: A map of the IP header.

A brief description of each field:

IP Version: Identifies the version of IP in use. IPv4 is most common and shows up as a 4 in this field. IPv6 is the newest version and uses a different header layout.
Header Length: Specifies the length of the IP header in 32-bit words, that is, the length in bytes divided by four (all IPv4 headers are a multiple of four bytes long). A header with no options is 20 bytes, so this field is usually 5.
ToS (Type of Service): Consists of two subfields. The first three bits define precedence, which routers can use to prioritize traffic. The actual ToS value occupies the next four bits and specifies general routing characteristics. See RFC 1349 for details. (This byte has since been redefined as the DSCP and ECN fields; see RFC 2474 and RFC 3168.)
Total Length: Specifies the length of the whole datagram, header plus payload, in bytes. Any link-layer padding (extra unused bytes added to meet a minimum frame length) is not counted.
Identification: An identifier shared by all fragments of one datagram, used to reassemble the fragments if an IP packet must be broken into smaller pieces (fragmentation) en route from sender to receiver.
Flags: A three-bit field used to control or describe packet fragmentation. Bit 1 is reserved and always 0. Bit 2 is DF (Don't Fragment): if 0, the packet may be fragmented; if 1, it may not. Bit 3 is MF (More Fragments): if 0, this is the last (or only) fragment; if 1, more fragments follow.
Fragment Offset: If an IP packet must traverse a network segment that can't carry a packet as large as the original, it is chopped into smaller chunks called fragments. The offset (stored in units of eight bytes) tells the receiving IP software where each fragment's data belongs when it reassembles the datagram. Some clever network attacks use illegal or overlapping offset values to confuse IP software; many firewalls do the math and deny packets whose offset and length don't add up.
TTL (Time to Live): Denotes the remaining lifetime of an IP packet, counted in hops through routers; each router decrements it and discards the packet when it reaches zero. Typical starting values are 32, 64, and 128. This field makes sure that IP packets die after a certain number of hops, so they can't circulate forever in a routing loop.
Protocol: Identifies the protocol carried in the payload of the IP packet (for example, 1 for ICMP, 6 for TCP, 17 for UDP). Firewalls pay close attention to this value because they use it to decide whether to let packets of a particular protocol type through or block them.
Header Checksum: Provides an error detection mechanism on the header contents. Used as a quality control mechanism; a packet whose checksum doesn't verify is discarded.
Source IP Address: Contains the IP address of the packet's (putative) sender. Firewalls can use this information in several ways to block traffic, but because the sender fills in this field, it can be forged (spoofed).
Destination IP Address: Contains the IP address of the packet's intended recipient (or recipients).
Options: Any of a variety of settings that provide additional IP routing data or controls. Seldom used except for testing and debugging; many firewalls drop packets that carry source-routing options.

Essentially, a firewall can inspect key header fields quickly and block or permit transit of IP packets accordingly. A firewall is most likely to act on the Fragment Offset, Protocol, and Source IP Address fields when evaluating an IPv4 packet against the firewall ruleset. Similar controls are possible on Transport and Application layer headers, as you'll learn in the following section.
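As an added example (not part of the original class material), the Python program below decodes these header fields from raw bytes, verifies the header checksum, and does the fragmentation arithmetic a packet filter performs before admitting a packet. The sample packets are constructed inside the program for illustration; the addresses 10.6.120.78 and 192.168.1.10, the published-port choices, and the RFC 1858 tiny-fragment check are assumptions of the example, not something the lesson specifies.

```python
import struct
import ipaddress

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's complement of the one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, proto, payload_len, df=False, mf=False,
                      frag_off=0, ttl=64, ident=0x1C46):
    """Build a 20-byte IPv4 header (no options) with a correct checksum.
    Used only to construct sample packets for this example, not real captures."""
    ver_ihl = (4 << 4) | 5                   # version 4, header length 5 words = 20 bytes
    flags_frag = (int(df) << 14) | (int(mf) << 13) | (frag_off & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, 0, 20 + payload_len, ident, flags_frag,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4_header(packet: bytes) -> dict:
    """Decode the header fields a firewall looks at. Raises ValueError on a malformed header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_frag,
     ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4 (version %d)" % version)
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad header length %d" % ihl)
    if ipv4_checksum(packet[:ihl]) != 0:     # a header with a valid checksum sums to zero
        raise ValueError("header checksum mismatch")
    return {
        "ihl": ihl, "total_length": total_len, "identification": ident,
        "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,   # field is stored in 8-byte units
        "ttl": ttl, "protocol": PROTO_NAMES.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
    }


def fragment_problems(h: dict) -> list:
    """The arithmetic a firewall does on the fragmentation fields (RFC 791, RFC 1858)."""
    problems = []
    payload = h["total_length"] - h["ihl"]
    if h["fragment_offset"] + payload > 65535:
        problems.append("fragment would extend past the 65535-byte datagram limit")
    if h["mf"] and payload % 8:
        problems.append("non-final fragment payload is not a multiple of 8 bytes")
    if h["fragment_offset"] == 8 and h["protocol"] == "TCP":
        problems.append("offset 8 would overwrite the TCP header's flags (RFC 1858 tiny fragment)")
    if h["fragment_offset"] == 0 and h["mf"] and h["protocol"] == "TCP" and payload < 20:
        problems.append("first fragment too small to hold a full TCP header")
    return problems


def admit(packet: bytes) -> tuple:
    """Stateless packet-filter verdict on the IP header alone: ('PASS'|'DROP', reason)."""
    try:
        h = parse_ipv4_header(packet)
    except ValueError as err:
        return ("DROP", str(err))
    problems = fragment_problems(h)
    if problems:
        return ("DROP", "; ".join(problems))
    return ("PASS", "%s %s -> %s ttl=%d" % (h["protocol"], h["src"], h["dst"], h["ttl"]))


# Constructed sample headers (payload bytes omitted; only the headers matter here).
GOOD = build_ipv4_header("10.6.120.78", "192.168.1.10", 6, payload_len=40)
OVERSIZE = build_ipv4_header("10.6.120.78", "192.168.1.10", 6, payload_len=100, frag_off=8190)
TINY = build_ipv4_header("10.6.120.78", "192.168.1.10", 6, payload_len=8, mf=True, frag_off=1)
CORRUPT = GOOD[:8] + bytes([GOOD[8] ^ 0x01]) + GOOD[9:]   # one bit of the TTL flipped in transit

if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("oversize", OVERSIZE), ("tiny", TINY), ("corrupt", CORRUPT)]:
        verdict, reason = admit(pkt)
        print(f"{name:9s} {verdict}: {reason}")
```

The oversize fragment is the classic "offset plus length exceeds 65535" case that crashed some early IP stacks; the tiny fragment is the RFC 1858 trick of pushing the TCP flags into a second fragment so that a filter examining only the first fragment never sees them. Both are caught by arithmetic on the header alone, before any payload is read.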
Figure 2-3: TCP header fields that firewalls typically inspect. An example of a UDP packet is shown in Figure 2-4.
Figure 2-4: UDP header fields that firewalls typically inspect.

Without going into too much detail, firewalls can glean and act on all kinds of useful information at the Transport layer (within the TCP and UDP header fields) and Application layer (within the headers for whichever of the hundreds of TCP/IP application protocols happens to be in use). However, the more headers a firewall must read, and the more kinds of information it must act on, the longer each packet takes to process. Packets move across the internet at a furious rate; reading more deeply into packets takes more time and requires more complex software. There's a tradeoff between inspection depth and throughput.
This explains why firewalls are more important at the edges of the internet infrastructure, where traffic rates are slower and there's more time to inspect such traffic (and where there are also more individual systems and networks that organizations or individuals need to protect).
On the internet backbone, traffic rates might be tens of thousands to millions of times greater than at the edges. At extreme traffic levels, highly specialized IP routers act on IP header contents; however, they don't have time to dig deeper into packet structures as they race through them.

What kinds of information do firewalls look for at the Transport and Application layers? The following table summarizes the kinds of information that firewalls use to block or enable traffic to pass through a network link.

Transport layer
  Source port: Identifies the application or process that sent the packet, for both UDP and TCP transports.
  Destination port: Identifies the application or process to which the packet is sent, for both UDP and TCP transports. When attempts to access unwanted or unused ports occur, firewalls can block traffic based on destination port numbers.
  TCP sequence number: Numbers the bytes in a TCP stream so the receiver can put segments (the TCP name for packets) back in order and detect loss. Predictable or forged sequence numbers are used in session-hijacking attacks.
  TCP data offset: Gives the length of the TCP header. As with fragmented IP packets, firewalls can check that the numbers add up properly and that no deliberate attempt to confuse the TCP/IP software is underway.
  TCP flags: To establish a working connection, TCP goes through a deliberate initial sequence of packet exchanges between computers (the three-way handshake). Numerous clever attacks start the sequence and then leave it hanging, or just flood a recipient with initial (SYN) packets. Most internet boundary devices, including routers and firewalls, look for and deny incoming packets that meet related attack profiles.

Application layer
  Message type: Within most application protocols, packets are labeled as one type or another. Some firewalls look for patterns of incoming message types to identify and block potential attacks.
  Domain name: Many Application layer protocols carry domain name data. A firewall can compare it with the originating IP address using a reverse DNS lookup (instead of translating a domain name to an IP address, it translates the IP address into a domain name) to make sure both sides agree. Supplying a false source address or domain name is called spoofing. Firewalls often perform such checks on incoming traffic, but the reverse-DNS record is controlled by whoever owns the address block, so agreement is a weak signal rather than proof of identity.
  Command content: Many TCP/IP application protocols use a sequence of request/reply messages to do their jobs. Some firewalls read the syntax of specific incoming application commands, and can enable or deny them based on the potential impact of the requests being made.

Table 2-2: Key packet contents of interest to firewalls at the Transport and Application layers.

When this class was written, command inspection was as deep into TCP/IP packet structure as the most sophisticated firewalls went; current firewalls and intrusion prevention systems routinely inspect the full application payload.
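The TCP flag checks in the table, as an added example that is not from the original class: a stateless filter in Python that decodes a TCP header, refuses flag combinations that no legitimate TCP stack sends (port scanners use them to fingerprint hosts), and admits new connections (SYN without ACK) only to a set of published ports. The published-port set {22, 25, 80} and the sample segments are assumptions constructed for the example.

```python
import struct

TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}

# Ports this site publishes to the outside world (an assumption for the example).
PUBLISHED_PORTS = {22, 25, 80}


def flag_bits(*names):
    """Combine flag names into the value of the 8-bit flags field."""
    bits = 0
    for name in names:
        bits |= TCP_FLAGS[name]
    return bits


def build_tcp_header(sport, dport, flags, seq=0x1000, ack=0):
    """Constructed 20-byte TCP header (no options; checksum left zero) for sample segments."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0)


def parse_tcp_header(segment: bytes) -> dict:
    """Decode the TCP fields a firewall inspects; ValueError on a malformed header."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_res, flags, win, _csum, _urg = struct.unpack(
        "!HHIIBBHHH", segment[:20])
    data_offset = (off_res >> 4) * 4         # header length in bytes (field is in 32-bit words)
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("data offset %d does not add up" % data_offset)
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack, "window": win,
        "data_offset": data_offset,
        "flags": {name for name, bit in TCP_FLAGS.items() if flags & bit},
    }


def inbound_verdict(segment: bytes) -> tuple:
    """Stateless verdict for a segment arriving from the public side: ('PASS'|'DROP', reason)."""
    try:
        h = parse_tcp_header(segment)
    except ValueError as err:
        return ("DROP", str(err))
    f = h["flags"]
    # Flag combinations no legitimate stack sends; scanners use them to fingerprint hosts.
    if not f:
        return ("DROP", "no flags set (null scan)")
    if {"SYN", "FIN"} <= f:
        return ("DROP", "SYN and FIN both set")
    if {"FIN", "PSH", "URG"} <= f and "ACK" not in f:
        return ("DROP", "FIN/PSH/URG without ACK (xmas scan)")
    # SYN without ACK is the first step of the handshake, i.e. a new connection attempt.
    if "SYN" in f and "ACK" not in f:
        if h["dport"] in PUBLISHED_PORTS:
            return ("PASS", "new connection to published port %d" % h["dport"])
        return ("DROP", "connection attempt to unpublished port %d" % h["dport"])
    # Anything else claims to belong to an existing connection. Without connection
    # state the filter cannot verify that claim, which is the gap stateful firewalls close.
    return ("PASS", "segment claims an existing connection to port %d" % h["dport"])


# Constructed sample segments (not real captures).
SAMPLES = {
    "web_syn": build_tcp_header(51000, 80, flag_bits("SYN")),
    "rdp_syn": build_tcp_header(51001, 3389, flag_bits("SYN")),
    "syn_fin": build_tcp_header(51002, 80, flag_bits("SYN", "FIN")),
    "null": build_tcp_header(51003, 22, 0),
    "xmas": build_tcp_header(51004, 22, flag_bits("FIN", "PSH", "URG")),
    "ack_only": build_tcp_header(51005, 3389, flag_bits("ACK")),
}

if __name__ == "__main__":
    for name, seg in SAMPLES.items():
        verdict, reason = inbound_verdict(seg)
        print(f"{name:9s} {verdict}: {reason}")
```

Notice that the ACK-only probe to port 3389 passes: a stateless filter cannot distinguish a reply belonging to a legitimate outbound connection from an ACK scan, which is exactly how attackers map such filters. Closing that gap requires the firewall to keep track of connections, which is the subject of the next lesson.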
Moving on
That's it for TCP/IP basics. In this lesson, you learned that for a firewall to do its job, it needs to examine the contents of the traffic that tries to pass through it. In Lesson 3, you'll learn about the inner workings of a firewall and the kinds of services a firewall most commonly performs. Before you move on, do the assignment and quiz. Also, visit the message board to find out what other students are up to and touch base with your instructor.
Assignment #2
Visit at least one of the following websites, and follow the related instructions. Read through the materials referenced to get a sense of how you might use these resources for future learning and research, or to answer specific questions about TCP/IP.

IANA (Internet Assigned Numbers Authority) maintains the official list of assigned TCP and UDP port numbers. Visit and read the initial sections of the document entitled Port Numbers. You'll find this an invaluable reference any time you need information about TCP or UDP port numbers in the future.
The IETF operates an indexed website for Internet RFCs. Use it to look up RFCs 1918, 3000, and 959. Which RFC governs private IP addressing? Which governs FTP? Which describes current standard protocols and BCPs (best current practices)?
Use Google to locate the 3Com article titled Understanding IP Addressing (Hint: Type the title exactly as shown inside quotation marks in the search window). If you use the same search string, what does the TechWeb Encyclopedia say? What does this tell you?

Now, visit your favorite search engine and look for introductory information about TCP/IP. (Hint: Using search strings like TCP/IP tutorial, TCP/IP overview, or TCP/IP introduction will work much better than just TCP/IP.)
Quiz #2
Question 1: What does TCP/IP stand for?
A) Transport Communication Protocol/Interwork Protocol
B) Transmission Communication Protocol/Interaction Protocol
C) Transmission Control Protocol/Internet Protocol
D) Transport Control Protocol/Internal Protocol

Question 2: True or False: TCP/IP is a protocol suite, not a protocol stack.
A) True
B) False

Question 3: Which of the following layers are named in the TCP/IP Networking model? (Check all that apply.)
A) Network Access layer
B) Data Link layer
C) Internet layer
D) Transport layer
E) Application layer

Question 4: Which of the following protocols are associated with the Transport layer? (Check all that apply.)
A) TCP
B) ARP
C) UDP
D) RIP
E) SMTP

Question 5: Which of the following header fields is a firewall most likely to act upon when evaluating an IPv4 packet against the firewall ruleset? (Check all that apply.)
A) Fragment Offset
B) Header Checksum
C) Options
D) Protocol
E) Source IP Address

Question 6: Which of the following ranges of port numbers corresponds to well-known port numbers?
A) 0 to 1023
B) 1024 to 2048
C) 2049 to 65534
D) More than 65535
Inside a firewall
This lesson covers how a firewall works and which features and functions are found in most firewalls. You'll see how firewalls use rules and filters and keep track of network activity, and how additional encryption software can provide added protection.
1. The firewall inspects the traffic and looks into various packet headers -- IP, TCP, or UDP -- and perhaps even Application layer data, on a per-packet basis.
2. As it looks at specific header fields or other packet content, the firewall compares what it finds to existing filters or rules that you define as part of its setup, or that come predefined as built-in defaults.
3. If a related exclusionary rule or filter applies, the firewall blocks the traffic. Likewise, if a related inclusionary rule or filter applies, the firewall permits the traffic to pass through. When multiple rules conflict, users must understand the order in which such rules apply to know what action the firewall will take. Ordinarily, the last rule to be applied "wins."
Next, you'll have a more detailed look at firewall filters and rules.
Block port 80
The difference is an action specified for a specific value, versus a conditional statement of the form "if pattern matches x, then take action y." The first approach represents a filter, the second a rule. For many firewalls, filters or rules work together to define a general rule that establishes a basic filtering posture, and then exceptions to that rule are stated to handle special cases. A pessimistic filter configuration might read something like this:
Block port all
Allow port 21, 22, 25, 80, 49152-65535
The first filter explicitly blocks all ports by default, and then the second enables use of the well-known ports for FTP, SSH, SMTP, and web services (21, 22, 25, and 80), plus the range of ports reserved for temporary port use. By contrast, an optimistic filter configuration might read something like this:
This set of filters permits all traffic through by default, and blocks only telnet and NetBIOS-related services. In reality, it's not a very effective security barrier because many other kinds of well-known attacks can still get through. When configuring a firewall, it's important to understand which services to let through and which well-known or registered ports should be allowed to enter. These configuration settings are often already defined in a pessimistic mode for many low-level firewalls, so you can just state exceptions for settings you want or need. This is true for the built-in Windows Firewall that's installed and enabled by default in Windows XP Service Pack 2 and Windows Vista -- however, it's not true if you install and use a different firewall that knows how to tell the Windows Security Center controls to disable Windows Firewall.
Although it's not detrimental to a system to run two firewalls at the same time, it affords no additional protection and might slow network traffic down. Neither Microsoft nor third-party firewall vendors recommend leaving Windows Firewall enabled if you decide to install another firewall on your PC.
Figure 3-1: ZoneAlarm Pro default filter settings.
The Trusted entry permits or denies local traffic that traverses the private side of the internet link; the Internet entry governs whether traffic is permitted to enter the private side of the network or system from the internet side. The following marks describe related behavior:
Green checkmark: Indicates that the protocol permits traffic flow.
Red X: Indicates that traffic is blocked.
Blue question mark: Indicates no explicit preference, so the program follows the defaults. This usually means the firewall blocks the traffic or asks the user for permission to proceed before any activity takes place.
As shown in the first entry in Figure 3-1, this ZoneAlarm client is permitted to access web services locally and on the internet, indicated by checkmarks in the Access Trusted and Access Internet columns. Server requests can also be handled locally (a checkmark in Server Trusted), yet are questioned from the internet (a question mark in the Server Internet column). The program or user is also questioned before being permitted to send email, as indicated by the question mark in the Send Mail column. Not all firewalls use such elegant visual displays to manage their behavior; however, all employ some method of stating equivalent filter or rule specifications.
Filtering packets
When it comes to understanding exactly what your firewall does while it's running, you must understand which rules or filters have been defined, and in what order, so you'll know how they'll be applied. For the set of filters described in ZoneAlarm Pro in the preceding section, this translates into the following set of text filters:
Allow ZoneAlarm Client local client access
Allow ZoneAlarm Client Internet client access
Allow ZoneAlarm Client local server access
Question ZoneAlarm Client Internet server access
Question ZoneAlarm Client Send Mail access
In plain English, this set of filters means that end users can access local or internet web servers and that local server traffic will be accepted. However, a user who tries to interact with the ZoneAlarm Client from the internet, or who asks the ZoneAlarm Client to send mail, will have all requests for such access questioned and be permitted to proceed only if the user grants explicit permission. A message window opens stating that the ZoneAlarm Client is being accessed as a server or is trying to send email, and requires the user to click Allow or Deny.
In some cases, firewall rules or filters might be too restrictive. When this happens, certain services won't work. Even if you don't notice the situation yourself, other network users might report access problems soon after overly restrictive controls are put in place. Other rules or filters might apply at various levels, including outright enable or deny controls on protocols, services, and source addresses in IP headers; on port numbers in TCP or UDP headers (along with other TCP controls); and even on various Application layer header values or antispoofing checks.
When traffic isn't permitted through a firewall -- remember, this applies equally to outbound traffic and inbound traffic -- that traffic is discarded. Before senders know something isn't working and can take additional action, they must wait until timeouts are exceeded, acknowledgments fail to arrive, or other passive indications show that requests for service or access aren't working. This behavior is deliberate, because it:
Provides little or no information to rejected senders, which is the best strategy when dealing with attackers
Requires no additional action from the firewall; the fastest response to unwanted traffic is to ignore it completely, which consumes no added processing power
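To make the filter evaluation concrete, here is an added Python illustration (not code from the course or from any firewall product). It parses the pessimistic filter set shown earlier, tests every entry against each packet in order so that the last matching entry wins, as the lesson states, and discards blocked packets without any reply; the addresses, the packets, and the function names parse_filter, evaluate, and apply_filters are all constructed for this example.

```python
"""Filter evaluation in the style this lesson describes.

Added illustration, not the course's or any product's code. It takes the
pessimistic configuration shown in the text (block everything, then allow
FTP, SSH, SMTP, web, and the temporary port range), checks each packet
against every entry in order, and lets the last matching entry win, as the
lesson states. Packets that end up blocked are discarded silently: the
sender gets no reply, only a timeout. Addresses below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a simple port filter acts on."""
    src_ip: str
    dst_ip: str
    protocol: str     # "tcp" or "udp"
    dst_port: int


@dataclass(frozen=True)
class Filter:
    """One filter line: an action applied to a set of destination ports."""
    action: str                              # "allow" or "block"
    ports: Optional[List[Tuple[int, int]]]   # None means every port

    def matches(self, pkt: Packet) -> bool:
        if self.ports is None:
            return True
        return any(lo <= pkt.dst_port <= hi for lo, hi in self.ports)


def parse_filter(line: str) -> Filter:
    """Parse the textual form used in the lesson, for example
    'Block port all' or 'Allow port 21, 22, 25, 80, 49152-65535'.
    Port ranges are written without thousands separators."""
    action, keyword, spec = line.split(None, 2)
    if keyword.lower() != "port":
        raise ValueError(f"unsupported filter: {line!r}")
    if spec.strip().lower() == "all":
        return Filter(action.lower(), None)
    ranges = []
    for item in spec.replace(" ", "").split(","):
        lo, _, hi = item.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return Filter(action.lower(), ranges)


def evaluate(filters: List[Filter], pkt: Packet) -> str:
    """Return 'allow' or 'block' for one packet.

    Every entry is tested in order and the last match decides, so the
    order of the lines matters. A packet that matches no entry at all is
    blocked: failing closed is the pessimistic posture.
    """
    verdict = "block"
    for f in filters:
        if f.matches(pkt):
            verdict = f.action
    return verdict


def apply_filters(filters: List[Filter], packets: List[Packet]) -> Dict[str, int]:
    """Count verdicts over a batch of packets. Blocked packets are simply
    dropped here; nothing is sent back to their senders."""
    counts = {"allow": 0, "block": 0}
    for pkt in packets:
        counts[evaluate(filters, pkt)] += 1
    return counts


# The pessimistic configuration from the lesson.
PESSIMISTIC = [
    "Block port all",
    "Allow port 21, 22, 25, 80, 49152-65535",
]

if __name__ == "__main__":
    rules = [parse_filter(line) for line in PESSIMISTIC]
    sample = [
        Packet("203.0.113.5", "192.168.1.10", "tcp", 80),     # web: allowed
        Packet("203.0.113.5", "192.168.1.10", "tcp", 23),     # telnet: blocked
        Packet("203.0.113.5", "192.168.1.10", "udp", 50000),  # temporary port: allowed
    ]
    for pkt in sample:
        print(pkt.protocol, pkt.dst_port, "->", evaluate(rules, pkt))
    # Reversing the two lines shows why order matters: "Block port all"
    # would then be the last match for every packet.
    print(apply_filters(list(reversed(rules)), sample))
```

Swapping the two lines turns the set into one that blocks everything, which is the ordering trap the lesson warns about.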
Most of the more popular do-it-all internet security suites offer software-only firewalls that include content filters with regular updates to predefined filter or block lists. This includes such well-known products as Norton Internet Security 2007 and McAfee Total Protection.
The firewall or filtering software monitors and manages traffic between the client making access requests and the service that might otherwise be able to handle such requests. Although it's not necessarily exactly the same as an application proxy, this kind of functionality otherwise works the same way and provides definite, explicit control over who is permitted to access what. (More on application proxies later.) For access to a wealth of information on this subject, and pointers to hundreds of related products and services, search for content filtering in your favorite search engine. In the following sections, you'll learn more about other functions that firewalls usually provide, above and beyond handling inbound or outbound network traffic. These functions are designed to extend a firewall's ability to "get between" the private and public sides of an internet connection and to observe or obscure what's happening on the private side.
connection to an outside, public application service. Here again, the principle of "getting in between" is what governs the firewall's behavior as it works as an application proxy. Instead of permitting a client to connect directly to an outside public server of some kind on the internet, an application proxy service forces that client to connect to the proxy server. Then, the proxy service establishes a connection between itself and the outside server to complete the application service connection on the client's behalf. All traffic that travels through the application proxy and the firewall on which such software usually runs can be inspected, because the proxy interrupts the flow of data between the client and the application server. This kind of service is essential for clients with private IP addresses -- the application proxy prevents internal IP addresses from becoming public knowledge by replacing their actual addresses with its own address or another address under its control. Application proxies must be defined on a per-application basis. Given the ferocious pace at which new TCP/IP Application layer protocols are introduced, this helps explain why some clients might be frustrated when they seek to access application services for which no proxy is defined. In some cases, it might be necessary to "punch a hole" through the firewall, which means setting up an allow rule or filter that enables all traffic related to that application to pass unchecked through the firewall. However, the potential for attack or harm for such blanket exceptions varies from application to application.
If you permit certain TCP/IP applications to bypass proxy services, be sure you understand and can deal with the potential consequences of bypassing security controls.
Most firewalls -- software or hardware -- are updated regularly and automatically to add new proxy services as new applications become popular. By keeping your software up to date, you can avoid most requests or requirements to bypass proxy services. Now that you understand application proxy servers, read on to learn about stateful inspection.
DoS attacks, which attempt to crash TCP/IP by presenting invalid or nonsensical TCP segments
You'll learn more about security threats and attacks in Lesson 6.
The security benefit of tracking active conversations -- always knowing which TCP or UDP ports are in use -- is that the firewall can close all inactive ports until some valid connection to those ports is requested. This eliminates inactive ports from port scans, and effectively renders them invisible to attackers. Next, you'll learn about the concepts of logging and monitoring blocked traffic.
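The tracking just described, as an added Python model (not the course's code and not any vendor's implementation): the firewall records every conversation an inside host starts, accepts inbound packets only when they belong to a recorded conversation, and forgets idle entries so their ports go dark again. The private prefix, timeouts, addresses, and the StatefulFirewall and run_scenario names are all constructed for this example.

```python
"""Stateful inspection, as an added example (not the course's code and not
any vendor's implementation). The firewall remembers every conversation an
inside host starts and accepts an inbound packet only if it belongs to one
of them; everything else is dropped without a reply, so a port with no
active conversation looks closed to a scan. All values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

INSIDE_NET = "192.168.1."                    # constructed private prefix
IDLE_TIMEOUT = {"tcp": 300.0, "udp": 30.0}   # seconds before a flow is forgotten
Key = Tuple[str, str, int, str, int]   # proto, inside ip, inside port, outside ip, outside port


@dataclass(frozen=True)
class Packet:
    ts: float           # seconds on a constructed clock
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags: "S", "SA", "A", "F", "R"


@dataclass
class Flow:
    state: str          # TCP: NEW then ESTABLISHED; UDP: ACTIVE
    last_seen: float


class StatefulFirewall:
    def __init__(self) -> None:
        self.flows: Dict[Key, Flow] = {}

    def _key(self, pkt: Packet) -> Optional[Tuple[Key, bool]]:
        """Map both directions of a conversation to one entry; returns
        (key, outbound) or None when neither end is an inside host."""
        if pkt.src_ip.startswith(INSIDE_NET):
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port), True
        if pkt.dst_ip.startswith(INSIDE_NET):
            return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port), False
        return None

    def _expire(self, now: float) -> None:
        """Forget idle conversations so their ports go dark again."""
        for key, flow in list(self.flows.items()):
            if now - flow.last_seen > IDLE_TIMEOUT[key[0]]:
                del self.flows[key]

    def handle(self, pkt: Packet) -> str:
        """Return 'accept' or 'drop' for one packet and update the table."""
        self._expire(pkt.ts)
        located = self._key(pkt)
        if located is None:
            return "drop"
        key, outbound = located
        flow = self.flows.get(key)
        if pkt.proto == "udp":
            if outbound:                       # inside host opens or refreshes
                self.flows[key] = Flow("ACTIVE", pkt.ts)
                return "accept"
            if flow is None:                   # unsolicited datagram from outside
                return "drop"
            flow.last_seen = pkt.ts
            return "accept"
        if flow is None:                       # no conversation: only an inside SYN starts one
            if outbound and pkt.flags == "S":
                self.flows[key] = Flow("NEW", pkt.ts)
                return "accept"
            return "drop"                      # inbound SYN or stray segment, no reply
        if "R" in pkt.flags or "F" in pkt.flags:
            del self.flows[key]                # simplified teardown: tracking ends
            return "accept"
        if flow.state == "NEW":
            if not outbound and pkt.flags == "SA":
                flow.state = "ESTABLISHED"     # handshake answered by the server
            elif not (outbound and pkt.flags == "S"):
                return "drop"                  # only a SYN retransmit or SYN-ACK fits
        flow.last_seen = pkt.ts
        return "accept"


def run_scenario() -> List[str]:
    """Constructed traffic: web session, scan probe, DNS exchange, late datagram, reset."""
    fw = StatefulFirewall()
    inside, web, dns, scanner = "192.168.1.10", "203.0.113.7", "203.0.113.53", "198.51.100.9"
    traffic = [
        Packet(0.0, inside, 51000, web, 80, "tcp", "S"),        # accept: inside opens
        Packet(0.1, web, 80, inside, 51000, "tcp", "SA"),       # accept: expected reply
        Packet(0.2, inside, 51000, web, 80, "tcp", "A"),        # accept: established
        Packet(1.0, scanner, 40000, inside, 3389, "tcp", "S"),  # drop: no conversation
        Packet(2.0, inside, 53001, dns, 53, "udp"),             # accept: query out
        Packet(2.05, dns, 53, inside, 53001, "udp"),            # accept: reply in
        Packet(60.0, dns, 53, inside, 53001, "udp"),            # drop: entry expired
        Packet(61.0, web, 80, inside, 51000, "tcp", "R"),       # accept: session ends
        Packet(61.1, web, 80, inside, 51000, "tcp", "A"),       # drop: session gone
    ]
    return [fw.handle(p) for p in traffic]
```

The probe to port 3389 is dropped without any reply because no inside host opened a conversation on that port, which is exactly what makes an inactive port invisible to a scan.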
This entry can indicate that somebody has been sniffing your internet connection to see what he or she can learn about your system or network. A quick search for FWROUTE on the web provides useful information about individual log file entries, as well as instructions on what to do. (Nothing, in this case, because the traffic was blocked and no other blocked traffic from the sender at 24.94.34.32 occurred at or around the same time.) The concept of firewall monitoring applies to network administrators: examine your firewall logs regularly to see what kinds of items they contain. Keep up with new software updates, patches, and fixes -- and install them on a timely basis -- if your firewall doesn't handle updates automatically. Finally, stay current with security information so you'll know when your system or network might be attacked, and what to do if and when such an attack occurs. Lesson 6 covers system and network security in more detail.
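The reasoning applied to the FWROUTE entry above (one blocked packet with no other blocked traffic from that sender around the same time needs no action) can be applied to a whole log. The following added Python example, which is not part of the course and does not reproduce any product's log format, groups blocked entries by sender and flags senders that hit several ports or hit repeatedly inside a short window; the line layout, the timestamps, and every address except 24.94.34.32 from the lesson are constructed.

```python
"""Log review helper, as an added example (not part of the course).

The lesson's reasoning for the FWROUTE entry is that one blocked packet
from 24.94.34.32, with no other blocked traffic from that sender around
the same time, needs no action. This script applies that test to a whole
log: it groups blocked entries by sender and reports senders that hit
several ports, or hit repeatedly, inside a short window. The log layout
and all lines except the sender address from the lesson are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed line layout: date time ACTION PROTO src:port -> dst:port
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2007-03-12 10:15:02 BLOCK TCP 24.94.34.32:3122 -> 10.0.0.5:135
2007-03-12 10:20:11 ALLOW TCP 10.0.0.5:49201 -> 203.0.113.7:80
2007-03-12 11:02:40 BLOCK TCP 198.51.100.77:4411 -> 10.0.0.5:21
2007-03-12 11:02:41 BLOCK TCP 198.51.100.77:4412 -> 10.0.0.5:22
2007-03-12 11:02:41 BLOCK TCP 198.51.100.77:4413 -> 10.0.0.5:23
2007-03-12 11:02:42 BLOCK TCP 198.51.100.77:4414 -> 10.0.0.5:25
2007-03-12 11:02:43 BLOCK TCP 198.51.100.77:4415 -> 10.0.0.5:80
2007-03-12 11:02:45 BLOCK TCP 198.51.100.77:4416 -> 10.0.0.5:135
2007-03-12 12:30:00 BLOCK UDP 192.0.2.44:1900 -> 10.0.0.5:1900
2007-03-12 13:45:00 BLOCK UDP 192.0.2.44:1900 -> 10.0.0.5:1900
"""


def parse_log(text: str) -> List[dict]:
    """Turn log text into event dicts; lines in another layout are skipped."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S"),
            "action": d["action"], "proto": d["proto"],
            "src": d["src"], "dport": int(d["dport"]),
        })
    return events


def review_blocked(events: List[dict], window_seconds: int = 300,
                   threshold: int = 3) -> Dict[str, dict]:
    """Per sender: how many packets were blocked, the most that fell inside
    any window of window_seconds, the ports touched, and a verdict.
    'isolated' means the lesson's do-nothing case; 'repeated' means the
    sender probed several times in a short span and deserves a closer look."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "BLOCK":
            by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        best, start = 0, 0          # sliding window over sorted timestamps
        for end in range(len(evs)):
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        verdict = "repeated" if best >= threshold else "isolated"
        report[src] = {"blocked": len(evs), "peak_in_window": best,
                       "ports": sorted({e["dport"] for e in evs}),
                       "verdict": verdict}
    return report


if __name__ == "__main__":
    for src, info in review_blocked(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```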
The final section in this lesson covers encryption, an important part of security and protection for private networks.
Understanding encryption
Many higher-level firewalls provide a built-in encryption feature that converts clear text data into encrypted text, making it unreadable. The encryption process also generates a "key," which the receiver needs to decrypt the data and make it readable again. Figure 3-2 illustrates a simple example of clear and encrypted text.
Figure 3-2: Example of clear text and encrypted text.
When a user seeks to access an internal network remotely, he or she can use the internet to establish a remote connection that enables interaction with network resources as if the user were locally attached. To do so securely, administrators must set up secure connections that enable the outside user to access the internal network.
VPN
A technology known as a VPN (virtual private network) enables users to send and receive traffic across the internet without exposing the contents of that traffic in the public internet. VPNs achieve this goal by interposing a virtual network interface -- literally as part of the TCP/IP stack -- on both sides of such a connection. Part of what this virtual interface does is to encrypt, and thereby obscure, the contents of all traffic sent from one end of the VPN to the other. Because the network side of such connections generally occurs through a firewall, VPN software is often run on the firewall.
IPSec
A similar technology shows that TCP/IP technology isn't holding still, either. Despite its original optimistic security model, numerous TCP/IP protocols and services have been introduced to improve on that model. One such protocol is known as IPSec (IP Security). When connections between a user and a network need protection, a user can run IPSec in so-called tunnel mode, which works much like a VPN: it obscures only the public part of the transmission chain and encrypts that traffic as it travels over public internet links. IPSec can also offer secure links end-to-end, whereby it encrypts and obscures traffic all the way from the sender to the receiver.
Moving on
In this lesson, you learned that a firewall offers more than filters and rules to allow or deny packets in transit; it also supports application proxies, address translation services, logging and monitoring, content filtering, and even encryption services. In Lesson 4, you'll explore hardware- and software-based firewalls, and the need to establish a secure foundation for the deployment of software-based firewalls. Before you move on, do the assignment and quiz. Also, visit the message board to find out what other students are up to and touch base with your instructor.
Assignment #3
Visit one or more of the following websites and follow the related instructions. Read through the resulting materials to find out how you might use these resources for future learning and research, or to answer questions about specific functions or operational characteristics of firewalls:
1. Look up application proxy at Webopedia, and define stateful inspection.
2. Laura Chappell is a renowned TCP/IP protocol analysis expert and has written an article that describes basic packet filtering techniques as they apply to a special-purpose software program called a protocol analyzer. The same kinds of rules and structure also apply to filtering packets at a firewall, although a firewall's abilities aren't usually as powerful or general as a protocol analyzer's. In this article, pay special attention to address filters and protocol filters. They represent core functionality for firewalls, because that data is accessible in IP packet headers, as well as in higher-layer protocol headers.
3. (Optional) CERT (Computer Emergency Response Team) is a global security resource group that works out of Carnegie Mellon University in Pittsburgh, Pennsylvania. Browse its website for specific information about the inner workings of firewalls and the benefits they provide.
Quiz #3
Question 1: When firewalls filter domain names, at which layer of the TCP/IP Networking model is this most likely to occur?
A) Network Access layer
B) Internet layer
C) Transport layer
D) Application layer
Question 2: Filtering content normally applies to which kind of information access?
A) Requests to access resources on the private network
B) Delivery of private services to public consumers
C) Requests to access resources on the public internet
D) Delivery of private content to public consumers
Question 3: True or False: NAT removes the inside IP addresses from outgoing internet traffic and replaces them with the firewall's own public IP address, or addresses the firewall manages.
A) True
B) False
Question 4: Which term describes the process of recording a firewall's actions?
A) Translating
B) Auditing
C) Filtering
D) Logging
Question 5: Which of the following protocols or services use encryption to ensure privacy in communications? (Check all that apply.)
A) IPSec
B) TCP
C) FTP
D) VPNs
The same software you can purchase and install as a software firewall is often found pre-installed on hardware-based firewalls. For example, the well-known software firewall product Firewall-1 from Check Point Software comes installed on a variety of hardware firewall products. In some cases, a hardware device with firewall capabilities might include other functions as well, such as a cable modem or DSL interface, a multiport switch, DHCP services, DNS proxy, and more. In such cases, these devices might be called internet appliances or security appliances because they provide everything needed to attach one or more computers safely to the internet in a single box. An example of this type of firewall product is the Cisco PIX security appliance.
There are a few hardware firewalls whose software component is burned into an ASIC (Application-Specific Integrated Circuit) chip. Such true hardware firewalls offer the benefit of increased speed and are completely impervious to core system alterations because the software is burned into the CPU (central processing unit). The content filter rules for an ASIC-based firewall are usually stored on a removable media device that the firewall treats as a read-only source, such as a CD-ROM or flash memory card. To upgrade a true hardware firewall, you must replace the ASIC chip. This is the stumbling block for widespread deployment and adoption of true hardware firewalls.
Typical hardware firewalls, which employ a customized computer with a preinstalled, especially hardened operating system and firewall product, are popular solutions. Often called standalone firewalls or firewalls-in-a-box, they enable network administrators to quickly deploy a firewall using technology that's intentionally different from what's used throughout their networks.
For example, for networks comprised primarily of Windows systems, deploying a hardware firewall based on a Linux, Unix, or Macintosh operating system adds another dimension of protection to that network. Attackers need to compromise and bypass the firewall first, and then switch tactics when attempting to infiltrate the actual network. Using a different operating system to protect the most commonly used operating system within a network is enough of a deterrent to foil many would-be intruders. Very few crackers are skilled at infiltrating more than one operating system. Using that to your advantage is smart security.
Whether you're working with a hardware or a software firewall, it'll take some time to fully configure that product as well as to implement and test content and traffic filters.
Generally, fewer compatibility issues occur with hardware firewalls than with software firewalls. The pre-installed software found in firewall-in-a-box solutions is tested for compatibility with the hardware components within the host system. By comparison, software firewalls require system administrators to match their intended host's operating system and hardware components with the system requirements of the firewall software. This is often done through a process involving trial and error, along with online research to determine the cause of errors and appropriate solutions.
A hardware firewall often costs more than a software-only firewall, because of the cost of the extra hardware involved. Regardless, you can purchase a hardware firewall with dual WAN ports, a built-in four-port Gigabit Ethernet switch, and various IP service capabilities (DHCP, NAT, and various proxies, including DNS) for under $150. Next up, you'll get a better understanding of software firewalls.
Many operating systems can serve as a host platform for a software firewall. However, when you need to protect a network, select an operating system that offers reliable security -- Windows Server 2003 or 2008, Windows Vista Business, Windows XP Professional, and the latest Linux distributions or Unix packages. Otherwise, the host's security foundation won't be strong enough to support the protection that the firewall can offer.
Mac OS X is actually Unix-based, so it benefits from native security features present in Unix.
If you need a firewall just to protect a single system, you need a personal firewall. A personal firewall is a firewall product designed to protect the system on which it's installed. Personal firewall products are available for most client, desktop, workstation, or standalone operating systems. Many security experts recommend that all computers be outfitted with personal firewalls, in addition to erecting separate firewalls at network boundaries between the "inside" and the internet. Next, learn techniques and best practices for establishing a secure host system for software firewalls.
A complete inventory of all hardware components
The name and version of the operating system and any installed or applied upgrades, updates, patches, fixes, and so on
The details on all driver versions for all hardware components
A list of all removed, uninstalled, or disabled applications or services, with step-by-step procedures for performing each operation
As you make changes to any host, no matter how insignificant, add those details to its log. This log should contain all firewall configuration settings, content filter rules, troubleshooting steps, and so forth. It should also be detailed enough that another person can use it as a guide to deploy an exact duplicate firewall system. You'll also find this log extremely helpful when troubleshooting problems.
The steps you follow to lock down a host system differ from operating system to operating system, and are usually detailed in a security baseline checklist. Visit the operating system manufacturer's website to get a copy of the checklist for your version of the software, or query your favorite search engine for security baseline checklist operating system, where operating system is the name and version of the operating system your firewall uses. If you look up subjects related to hardening the system or hardening the operating system, you'll also find a lot of useful and relevant information.
Moving on
In this lesson, you learned to implement firewalls as hardware-based solutions or as software products deployed onto existing hardware. You also learned that maintaining the security of the host system is essential to the effectiveness of any firewall. In Lesson 5, you'll explore the need for a security policy to guide and focus development and implementation of a firewall. Before you move on, complete the assignment and take the quiz for this lesson. At any time, stop by the message board to post comments and questions, or just join the discussion on firewalls with your classmates.
Assignment #4
For this assignment, you'll research firewall products to learn which features they offer, which hardware and software they require, and how much they cost. In addition, read reputable and reliable product reviews to learn about common installation and administration problems with software and hardware firewalls. To start your research:
Visit CNET's Firewall Software website to browse their store and read reviews of hardware and software firewall products.
Go to NetworkWorld.com and browse the firewall offerings in the Buyer's Guide section of the website.
Quiz #4
Question 1: True or False: The same product that's available as a software firewall can sometimes be found as a preinstalled product on a hardware firewall.
A) True
B) False
Question 2: What's the primary drawback to some hardware firewalls?
A) They often include other functions, such as a cable modem.
B) They're nearly impervious to tampering.
C) Upgrading the device might require returning it to the vendor.
D) They offer faster performance than many software firewalls.
Question 3: What's the most important factor in maintaining overall security when deploying a software firewall?
A) Scanning for viruses
B) Documenting the installation process
C) Lots of additional RAM
D) Securing the host system
Question 4: What's the best method of testing a firewall to ensure it's working properly?
A) Ask a neighborhood cracker to attack your system.
B) Keep your system patched and updated.
C) Test your system with an external security scan.
D) Monitor system logs regularly to look for signs of trouble.
Welcome back. In previous lessons, you learned about hardware and software firewalls and how they work. This lesson discusses the ins and outs of a firewall-specific security policy. Such a policy clearly and deliberately defines the need for firewalls within an organization. It also provides direction and instruction on why and how to deploy firewalls and how to configure them to meet organizational security policy requirements.
Figure 5-1: The formalized security structure.
When you start with a solid security policy, you can easily add other elements to create a formalized security structure, such as standards, guidelines, and procedures. Each of these types of documents plays a role in the design and deployment of security within an organization. Security policies are strategic documents. They define the overall purpose and direction for security. The other documents mentioned -- standards, guidelines, and procedures -- are tactical because they define the steps necessary to achieve or realize an organization's security goals.
Security policies can also be sorted into one of three categories:
Regulatory: Ensure that an organization complies with all applicable regulations and laws regarding its specific industry or business activity. Regulatory policies are compulsory.
Advisory: Define acceptable behaviors and activities. Advisory policies offer strong advice that can be enforced by defining consequences for noncompliance. Though not compulsory, such policies are usually followed anyway because of the adverse consequences of failure to comply.
Informative: Discuss an organization's goals and objectives. Informative policies are suggestions and can't be legally enforced. Enforcement should be driven by an assessment of whether the costs and risks involved in noncompliance are much less than the costs of implementing and monitoring the policy.
Security policy categories usually apply to specific businesses; depending on your industry, no policies might apply or there might be many policies that you must follow. Look to industry organizations for insight into already defined regulatory, advisory, and informative policies that should be considered for or included within your organization's own security policy. An overall security policy is a collection or library of many types of specific policies. Update each component policy on an as-needed basis to keep the overall "living" security policy current.
issues. The SANS (SysAdmin, Audit, Network, Security) Institute operates a Security Policy Project that offers numerous templates and examples of security policies. It doesn't offer a firewall security policy per se; however, you can use the sample Internet DMZ Equipment Policy, Router Security Policy, and Server Security Policy documents to create a firewall security policy of your own. Each of these individual policies represents an excellent example of a security policy that can help you define the goals, purpose, and objectives of the firewalls within your organization. The SANS policy resources are offered at no cost to the IT security community. You can access these templates and any of the other policy resources directly from the SANS website. Even if you own or work in a very small business, review these sample documents so you know which issues to address. Although you might decide not to implement formal processes and procedures, you should still evaluate how you want to regulate traffic using your firewall. To build your own firewall security policy, start with a template or example policy and customize it to fit your organization's security needs. Although each organization's policy is unique, most security policies address common elements, such as:
Purpose: A clear statement of the reason(s) the security policy exists. For example: This document discusses the security configuration baseline with which all firewalls deployed at XYZ Corp should comply.
Scope: Identifies which sections, divisions, or departments of an organization are subject to the policy. The scope can also define or indicate those sections that are exempt from the policy. For example: This document applies to all departments of XYZ Corp. The extranet department and the R&D department are exempt from this document if their department-specific policy defines a contradictory requirement.
Policy: Clearly defines which requirements, conditions, configurations, standards, and so on must be followed or implemented. Items in this section of the policy might:
Specify what kind of authentication is required to make configuration changes
Require logging of all traffic
Specify the conditions under which you can enable VPN (virtual private network) connections
Specify which internet services are permitted to transit the firewall
Describe what inbound content will be filtered or blocked
Responsibilities: Identifies the individual or group responsible for implementing policy conditions. This section might also define implementation restrictions, checks and balances, and audit reviews.
Enforcement: Discusses the consequences of violating the policy. Often, security policy violations can result in termination of employment, official censure, loss of pay or privileges, and so on.
Definitions: Defines terms and acronyms to ensure that everyone reading the policy understands what's discussed.
Revision History: Documents and dates all changes to the firewall policy after its initial creation and deployment. This essential part of any policy ensures that only the latest and most up-to-date version is followed.
A security policy, even for a specific issue or area, such as firewalls, can become a complex and detailed document. It's important to expend sufficient time and effort to research and develop any security policy.
Statistics show that most security breaches aren't a result of deficiencies in hardware or lax software security controls. They often arise from blatant oversights or errors in related security policy documents. Poor policy decisions and inept operational procedures can render even the most reliable and capable security controls ineffective.
The next section explores policies dictating appropriate internet access, such as web, FTP, electronic chatting, messaging, news, and more.
As the value of data, resources, processes, and so on supported by a network increases, so does the need for stronger security. Stronger security usually directly translates into fewer unrestricted capabilities for all users.
Fortunately, stronger security doesn't necessarily mean you must terminate all internet access. However, it does mean placing serious restrictions on the types of traffic allowed to cross into and out of the network. Internet access is not an all-or-nothing proposition; instead, it relates to numerous individual information services. You're probably already familiar with many of them: web, FTP, chat, messaging, newsgroups, email, telnet, VPN, streaming audio, streaming video, and so on. You can configure firewalls to grant or restrict traffic related to each of these services on a per-user basis. As discussed in earlier lessons, you can use firewalls to filter by source and destination addresses, application services, and even traffic content. By defining exactly which types of traffic are permitted and which types are restricted in your security policy, you can translate that policy into a set of rules and filters configured in your firewall. It might also be smart to constrain certain types of "insecure" internet traffic -- most notably, FTP, telnet, and SMTP -- to use only encrypted channels, or to switch users to more secure alternatives, such as SFTP (Secure File Transfer Protocol), stelnet, and secure email transmission protocols or tools. Now that you have a better idea of the intricacies of the internet portion of a security policy, read on to learn about email policies and restrictions your company might need to enforce.
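The paragraph above says a written policy should translate into firewall rules and filters, with risky services such as FTP, telnet and SMTP confined to encrypted channels. The following Python example, added here and not part of the course, shows one way that translation can work: a per-group service policy is compiled into an ordered rule list (first match wins, default deny) and sample outbound and inbound traffic is evaluated against it. The port numbers are the well-known ports for the named services; the policy entries, user groups, the choice of OpenVPN on port 1194 as the only permitted VPN protocol, and the sample packets are constructed for the illustration.

```python
"""Turn a written internet-access policy into firewall rules and evaluate
sample traffic against them.

Added illustration, not code from the course. Port numbers are the
well-known ports for the services the lesson names; the policy entries,
user groups and sample packets are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Well-known TCP destination ports for services the lesson mentions.
SERVICE_PORTS: Dict[str, Tuple[int, ...]] = {
    "web": (80, 443),
    "ftp": (21,),
    "sftp": (22,),
    "telnet": (23,),
    "smtp": (25,),
    "vpn": (1194,),   # assumption: OpenVPN is the only permitted VPN protocol
}

# Services the lesson calls "insecure": permitted only over an encrypted channel.
CLEARTEXT_RISKY = {"ftp", "telnet", "smtp"}


@dataclass(frozen=True)
class Rule:
    action: str               # "allow" or "deny"
    group: str                # user group; "*" matches everyone
    direction: str            # "out" (LAN -> internet), "in", or "*"
    ports: Tuple[int, ...]    # destination ports; empty tuple matches any port
    service: str              # label recorded when the rule fires
    need_encryption: bool = False


@dataclass(frozen=True)
class Packet:
    group: str       # group of the user who originated the traffic
    direction: str
    dst_port: int
    encrypted: bool  # True when the channel is protected (e.g. FTP over TLS)


def compile_rules(policy: Dict[str, List[str]]) -> List[Rule]:
    """Policy (group -> permitted services) -> ordered rule list."""
    rules: List[Rule] = []
    for group, services in policy.items():
        for svc in services:
            rules.append(Rule("allow", group, "out", SERVICE_PORTS[svc], svc,
                              need_encryption=svc in CLEARTEXT_RISKY))
    # The policy permits no unsolicited inbound traffic, so one catch-all
    # rule at the end denies whatever no allow rule has claimed.
    rules.append(Rule("deny", "*", "*", (), "default-deny"))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, label of the matching rule); first match wins."""
    for r in rules:
        if r.group not in ("*", pkt.group):
            continue
        if r.direction not in ("*", pkt.direction):
            continue
        if r.ports and pkt.dst_port not in r.ports:
            continue
        if r.need_encryption and not pkt.encrypted:
            continue   # cleartext use of a risky service falls through to deny
        return r.action, r.service
    return "deny", "implicit"   # only reached if the catch-all rule is removed


# Constructed policy: who may use which internet services.
POLICY = {
    "staff": ["web", "sftp", "ftp"],      # ftp only over an encrypted channel
    "ops": ["web", "sftp", "vpn"],
    "contractor": ["web"],
}
RULES = compile_rules(POLICY)

if __name__ == "__main__":
    samples = [
        Packet("staff", "out", 443, True),     # allowed: web
        Packet("staff", "out", 21, False),     # denied: cleartext FTP
        Packet("staff", "out", 21, True),      # allowed: FTP over TLS
        Packet("contractor", "out", 22, True), # denied: not in policy
        Packet("ops", "in", 1194, True),       # denied: no inbound rule
    ]
    for p in samples:
        print(p, "->", evaluate(RULES, p))
```

The rule order matters: because the catch-all deny is appended last, a policy change is made by editing POLICY and recompiling, never by inserting ad hoc rules in front of the default deny, which is how the "punched holes" discussed later in the lesson usually appear.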
The details of establishing VPN access are specific to particular firewalls and clients. Review your firewall documentation to learn how to set up VPN access to your network.
VPNs must be addressed in your firewall security policy. If you enable VPNs, define which VPN protocols are permitted and exactly who can use VPN connections. VPNs offer identity authentication to verify connection partners and employ encryption to protect transmission of data over public networks. A remote system also can connect into a firewall-protected LAN by a process called tunneling in. Basically, tunneling in occurs when a communication connection is established through an unrestricted hole in a firewall's security barrier. Often called punching a hole in the firewall, this process involves defining a specific protocol and port that enables traffic to pass without restriction. Always restrict tunneling in because it opens an unprotected connection point in your firewall and communication services used when tunneling in often don't support authentication, encryption, or other security mechanisms. Next up, you'll find out about content filtering.
Moving on
In this lesson, you learned about the different elements of a security policy and the issues to consider as you define one for your organization or your home network. In Lesson 6, you'll find out how the different elements discussed so far in the class -- networks, protocols, hardware, software, and security policies -- come together in firewall configurations, and how to establish best security practices while fending off common attacks and exploits. Before you move on, complete the assignment and take the quiz. Also, visit the message board to find out what other students are up to and touch base with your instructor.
Assignment #5
Regardless of the size of your network or organization, it's wise to formulate a security policy that meets your particular needs. If you already have a security policy, review it and evaluate it for completeness: When was its last revision? How relevant is it to current security risks? Does it need to be revised? If you don't yet have a policy, now's a good time to start one. For more information on avoiding the pitfalls of poor policy design and for help developing solid security policies, visit at least two of the following web pages:
- SANS InfoSec Reading Room - Security Policy Issues
- RFC 2196 Site Security Handbook
- IT Security Policies & Network Security Policies and How To Deliver Them
- Ruskwig Security Policies
Quiz #5
Question 1: Which of the following is the base or foundation document for a formalized security structure?
A) Procedure
B) Standard
C) Policy
D) Guideline
Question 2: True or False: Regulatory policies are compulsory.
A) True
B) False
Question 3: Which one of the following isn't considered a tactical document?
A) Security procedure
B) Security standard
C) Security policy
D) Security guideline
Question 4: The level of internet access granted to each user should be based on which of the following criteria?
A) User desire
B) Work tasks
C) Available bandwidth
D) Operating system security
Question 5: Which internet information service is the most commonly used transport or delivery mechanism for malicious code?
A) Web
B) Email
C) FTP
D) Telnet
Adware
Adware is software that facilitates delivery of unwanted advertisements, web pages, or other content to a desktop, usually through a web browser. As with viruses and spyware, firewalls can be ineffective against certain types of adware because they're often installed entirely covertly. Because a user initiated the installation or clicked the link, a firewall can interpret this as a legitimate request.
Application backdoors
An application backdoor is a programmatic door to your system created by the original programmer of a software product. Backdoors can give someone unauthorized access or control over that application or its host system. Some backdoors are installed intentionally, whereas others result from coding errors. Firewalls are generally ineffective against backdoors because accessing a backdoor usually occurs over authorized connections. The best way to protect against backdoors is to use well-tested, reputable software.
DoS
A DoS (denial of service) attack is any activity that prevents a system or a network from performing its normal activities, such as responding to legitimate requests for services or resources. Firewalls are only partially effective against DoS attacks. After a DoS attack method is known, a firewall can be configured to prevent it. However, firewalls can't respond to new forms of DoS attacks dynamically, nor can they easily protect networks against DoS attacks over open and active services, such as the web or email. When zombies -- other PCs subverted to mount attacks by some cracker in the background -- are used to mount an attack from multiple systems at the same time, these are known as DDoS (distributed DoS) attacks.
Macros
A macro is written in a programming language and is automatically executed by an application whenever the macro is loaded into memory by that application. Macros can be embedded in email messages, documents, spreadsheets, databases, and so on. Microsoft Office, Microsoft Internet Explorer, and Microsoft Outlook are vulnerable to malicious macro attacks. Firewalls are ineffective against macros because they're usually undetected or just not inspected when the data file containing a macro traverses the firewall.
Port scanning
Port scanning is the process of testing every possible TCP and UDP port for open services that might not have been properly secured by the website's operators. Firewalls are partially effective against port scanning because they can block access to closed ports.
Remote login
A remote login occurs when a remote system connects to another system over a network or the internet. The connection can be any type of link between two systems that involves an authentication process. This includes VPN links, user account-specific FTP connections, and telnet sessions. Remote logins can grant distant users access to download files or gain complete control of the system. Firewalls are effective only against remote logins of unauthorized services or Trojan horse services. Many organizations employ remote connection tools, such as VPNs, to grant distant users access to their private networks. Generally, administrators configure firewalls to enable these types of connections.
Software errors
Errors in coding an operating system, software, or device drivers can introduce security vulnerabilities. These can give intruders unwanted access or permit DoS attacks. When exploitation of software errors occurs over authorized connections, firewalls are ineffective against such attacks.
Source routing
Source routing is an attack that involves editing the headers of the packets used in the attack. As packets are transmitted over a TCP/IP network, routers between the source and destination normally determine the actual path they take. Source routing occurs when the source (the sender) of packets predetermines the route over which the packets must be delivered. Crackers can use source routing to make attacking packets appear as if they originated from a trusted location, such as inside a private network or a trusted partner network. Most firewalls are effective against source routing attacks, especially those that make inbound packets seem like they originated from the private network.
Spoofing attacks
Spoofing is the art and science of pretending to be something different from what you actually are. Spoofing is often used to fake the source and/or destination addresses in attack packets. Firewalls are effective against spoofing attacks.
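The two preceding sections say firewalls are effective against source routing and address spoofing, but not how a firewall recognizes either. The following Python example, added here and not part of the course, parses a raw IPv4 header the way a border filter would and applies the two standard checks: an inbound packet on the external interface whose source address belongs to the internal network is treated as spoofed, and a packet carrying a loose (type 131) or strict (type 137) source-route option is dropped. The internal address ranges and the sample headers are constructed for the example; the IP option type codes and header layout are the ones defined for IPv4.

```python
"""Inbound IPv4 header checks: anti-spoofing and source-route rejection.

Added illustration, not code from the course. The internal network ranges
and the sample packets are constructed; the header layout and option
type codes follow the IPv4 specification.
"""
import ipaddress
import struct
from typing import List, Tuple

# Constructed: address ranges that belong inside the firewall. A packet
# arriving from the internet with one of these as its source is spoofed.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

LSRR, SSRR = 131, 137          # IP option types: loose / strict source route
IPOPT_EOL, IPOPT_NOP = 0, 1     # single-byte options with no length field


def parse_ipv4(raw: bytes) -> Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address, bytes]:
    """Return (source, destination, raw options bytes) from an IPv4 header."""
    if len(raw) < 20:
        raise ValueError("truncated header")
    version, ihl = raw[0] >> 4, (raw[0] & 0x0F) * 4
    if version != 4:
        raise ValueError("not IPv4")
    if ihl < 20 or len(raw) < ihl:
        raise ValueError("bad header length")
    src = ipaddress.IPv4Address(raw[12:16])
    dst = ipaddress.IPv4Address(raw[16:20])
    return src, dst, raw[20:ihl]


def option_types(options: bytes) -> List[int]:
    """Walk the options field and list the option type codes it contains."""
    types: List[int] = []
    i = 0
    while i < len(options):
        t = options[i]
        if t == IPOPT_EOL:
            break
        if t == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length")
        types.append(t)
        i += length
    return types


def inbound_verdict(raw: bytes) -> str:
    """Decide what the external interface should do with an inbound header."""
    src, _dst, options = parse_ipv4(raw)
    if any(src in net for net in INTERNAL_NETS):
        return "drop:spoofed-source"        # internal address from outside
    if any(t in (LSRR, SSRR) for t in option_types(options)):
        return "drop:source-routed"         # sender is dictating the path
    return "accept"


def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Constructed IPv4 header for the examples (checksum left as zero)."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad to 32-bit words
    ihl = 5 + len(opts) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts),
                        0, 0, 64, 6, 0,
                        ipaddress.IPv4Address(src).packed,
                        ipaddress.IPv4Address(dst).packed)
    return fixed + opts


# A loose source-route option: type, length, pointer, then one hop address.
LSRR_OPTION = bytes([LSRR, 7, 4]) + ipaddress.IPv4Address("192.168.1.1").packed

if __name__ == "__main__":
    for label, hdr in [
        ("plain packet from the internet", build_header("203.0.113.5", "192.168.1.10")),
        ("internal source seen outside", build_header("10.1.2.3", "192.168.1.10")),
        ("source-routed packet", build_header("203.0.113.5", "192.168.1.10", LSRR_OPTION)),
    ]:
        print(f"{label}: {inbound_verdict(hdr)}")
```

The spoofing check is the ingress-filtering rule most firewalls apply by default; the option walk is needed because source-route options can sit anywhere in the options field behind NOP padding, so a fixed-offset comparison would miss them.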
Viruses
A virus is a malicious code capable of duplicating and spreading itself. Some viruses can cause damage to a system through file corruption and deletion. Other viruses cause DoS conditions as they consume system resources when they spawn and reproduce themselves. Viruses can spread through programs, documents, or email. Firewalls are ineffective against viruses unless they employ a built-in or add-on antivirus scanner to search for viruses in all traffic crossing the border device.
Spyware
A spyware program that monitors system activity and records data of potential interest to crackers (such as passwords, account names, credit card numbers, and other sensitive data) is the worst type of spyware. Other types just monitor user activity and report on it so advertisers or retailers can identify and target choice sales prospects. Spyware is usually installed surreptitiously, without the consent of the PC's owner, and can cause system slowdowns, instability, and even crashes. Firewalls can be effective against some spyware; however, you should install and use an antispyware program to keep your system free of spyware. As you can see, a firewall can't protect against a significant number of attacks. That should reinforce the notion that a firewall is by no means a total security solution; it must instead be integrated into a complete security implementation. You'll learn about intrusion detection systems in the next section.
Detecting intrusions
An IDS (intrusion detection system) is an automated tool that monitors systems or networks for unauthorized, unwanted, or abnormal activity. An IDS scans log files and monitors real-time events to look for signs of intrusion or attack. IDS capabilities are generally limited to detection and alarm. After an IDS detects suspicious activity, it can inform administrators that an attack is occurring or has occurred. An advanced IDS can perform limited countermeasures, such as disabling access ports, services, or user accounts. Even so, don't view an IDS as a silver bullet security solution; see it as a component in an organization's integrated security infrastructure. There are two primary types of IDS: host IDS and network IDS. A host IDS is installed on a single computer and its purpose is to monitor that system for suspicious activities. A network IDS is deployed to monitor suspicious activities on a network.
Host IDS
A host IDS examines the activities of a system in much greater detail than a network IDS. This enables a host IDS to pinpoint the exact files, services, user accounts, and so forth, that are involved in an intrusion or attack. A host IDS can detect system-specific attacks that a network IDS cannot detect; however, a host IDS can't detect network-based attacks. A host IDS negatively affects performance on its host system because it must consume system resources to perform its monitoring, logging, and reporting duties.
Network IDS
A network IDS focuses on discovering anomalies or malicious activities in network traffic patterns and packet contents. You install a network IDS onto dedicated hosts, similar to a bastion host where a firewall might reside. This enables all the resources in that computer to focus on monitoring network activity. You can configure many network IDSs to be invisible and inaccessible to the rest of the network. This effectively hides the IDS from intruders who may wish to disable or attack the IDS directly. A network IDS is a passive monitoring system and has little or no impact on overall network performance. However, on networks with large traffic volumes, a network IDS can fail to detect an attack, especially if that attack consumes a small fraction of total network bandwidth. A network IDS can inspect the contents of packets to discover malicious activity. However, if those transmissions are encrypted, a network IDS is unable to access their contents.
A network IDS is good at detecting attempted DoS attacks, repeated attacks, and intrusion attempts. However, network IDS solutions can't provide specific information about whether an attack was successful, which systems were targeted, and which elements of the network were affected.
In an ordinary IDS deployment, you use a network IDS to monitor the network as a whole and host IDSs to safeguard mission-critical systems. This tactic exploits the best features of both forms of IDS. An IDS is an excellent complementary security mechanism for a firewall. A firewall is deployed to keep out unwanted traffic, and an IDS monitors for malicious traffic that makes it past the firewall. Next, pick up some best security practices to keep your PCs and network safe.
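The port scanning section earlier in the lesson says firewalls can block closed ports, and the network IDS section says an IDS looks for patterns in traffic and can miss an attack that is a small fraction of the traffic. The following Python example, added here and not part of the course, shows the kind of detection logic a network IDS applies to firewall deny logs: a source that touches many distinct destination ports within a short window is reported as a scanner, while a source retrying one port is not. The log format and all log lines are constructed for the example; the final test also shows how a slow scan slips under a short window and is caught only when the window is widened.

```python
"""Port-scan detection over firewall deny logs.

Added illustration, not code from the course. The log format is a
simplified, constructed syslog-like layout, and every line in SAMPLE_LOG
is constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample: one fast scanner, one client retrying HTTPS,
# one very slow scanner, and one malformed line.
SAMPLE_LOG = """\
2024-05-01T10:00:00 DENY TCP 203.0.113.9:40001 -> 192.168.1.20:21
2024-05-01T10:00:01 DENY TCP 203.0.113.9:40002 -> 192.168.1.20:22
2024-05-01T10:00:01 DENY TCP 203.0.113.9:40003 -> 192.168.1.20:23
2024-05-01T10:00:02 DENY TCP 203.0.113.9:40004 -> 192.168.1.20:25
2024-05-01T10:00:02 DENY TCP 203.0.113.9:40005 -> 192.168.1.20:53
2024-05-01T10:00:03 DENY TCP 203.0.113.9:40006 -> 192.168.1.20:80
2024-05-01T10:00:03 DENY TCP 203.0.113.9:40007 -> 192.168.1.20:110
2024-05-01T10:00:04 DENY TCP 203.0.113.9:40008 -> 192.168.1.20:135
2024-05-01T10:00:04 DENY TCP 203.0.113.9:40009 -> 192.168.1.20:139
2024-05-01T10:00:05 DENY TCP 203.0.113.9:40010 -> 192.168.1.20:445
2024-05-01T10:00:06 DENY TCP 198.51.100.4:51000 -> 192.168.1.20:443
2024-05-01T10:00:09 DENY TCP 198.51.100.4:51001 -> 192.168.1.20:443
2024-05-01T10:00:12 DENY TCP 198.51.100.4:51002 -> 192.168.1.20:443
2024-05-01T10:00:13 DENY UDP 192.0.2.77:6000 -> 192.168.1.20:161
2024-05-01T10:05:00 DENY UDP 192.0.2.77:6001 -> 192.168.1.20:162
this line is not in the expected format and is skipped
"""

Event = Tuple[datetime, str, str, int]   # (time, source, destination, dst port)


def parse_line(line: str) -> Optional[Event]:
    """Parse one deny-log line; return None for lines in another format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))


def detect_scans(lines: Iterable[str], window_seconds: int = 60,
                 port_threshold: int = 8) -> Dict[str, int]:
    """Return {source: max distinct ports seen inside any window} for
    sources that reached port_threshold distinct ports within the window."""
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)

    alerts: Dict[str, int] = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            distinct = {e[3] for e in events[start:end + 1]}
            if len(distinct) >= port_threshold:
                alerts[src] = max(len(distinct), alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("default window:", detect_scans(lines))
    print("wide window, low threshold:", detect_scans(lines, 600, 2))
```

Thresholds are the whole game here: a 60-second window and eight ports catch the fast scanner but not the host that probes one port every few minutes, which is the evasion the lesson warns about when it says a network IDS can miss an attack that uses a small fraction of the bandwidth.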
Hardening systems
Protecting your system from potential attack is an important part of maintaining security. Thwarting crackers primarily consists of applying safeguards and countermeasures as new attack methods and vulnerabilities are discovered. These safeguards and countermeasures are usually deployed in response to attacks or discoveries on systems that have already been hardened. Every system in a network should be hardened by completing each of the following tasks, roughly in the order presented here:
1. Define an organizational security policy.
2. Set security standards, guidelines, and procedures for all systems within the organization.
3. Update the operating systems and software with patches from their respective vendors.
4. Configure each system to the level your security policy mandates, considering also the system's function/purpose, and the sensitivity and confidentiality of assets it holds.
5. Establish a common security baseline for all systems.
6. Deploy security mechanisms such as firewalls and IDS as needed.
7. Implement physical security controls.
8. Train users to maintain security and work within the boundaries defined by the security policy.
After this hardening is complete, respond to new attacks and patch newly revealed vulnerabilities. Should your network fall victim to an attack, investigate the incident thoroughly to discover all elements that made the attack or intrusion possible. When you know that information, you can formulate a response by closing down access ports, reconfiguring services, or installing vendor-supplied updates to correct coding errors, software deficiencies, and so forth. As new attack methods are discovered or new vulnerabilities in a product become known, most vendors release patches, updates, or hotfixes to correct problems. Test these fixes for effectiveness and safety on a test or lab network, and then install them on your production systems after their effectiveness is shown to improve overall security.
Always remember that no system is 100 percent secure. You must maintain security over time to be effective.
Moving on
In this class, you learned the basics about how firewalls work and what roles they play in complete security solutions. You also met TCP/IP -- the protocol stack that drives internet communications -- and discovered how firewalls work to make TCP/IP communications more secure. Before you leave the class, complete the assignment and quiz for this lesson. Also, visit the message board to ask any questions you have about firewalls and network security. Thanks for taking this class, and good luck in your future networking adventures!
Assignment #6
Selecting the right firewall to install can be daunting. However, by performing a systematic review of what's available, you can pinpoint the features and capabilities your organization needs. After you build a list of required and desired or optional features, you can quickly narrow your search. As you review your firewall options, closely evaluate the following:
- Hardware or software solution
- Firewall operating system and hardware requirements
- Throughput, performance, and reliability
- Upgradability, end-user troubleshooting support, and configuration versatility
- Methods or types of content filtering: static, dynamic, content, application, and so on
- NAT
- Proxy capabilities
- Routing capabilities
- Auditing, logging, monitoring, and alerting capabilities
- Centralized management
- Encryption
- VPN support
- Remote control capabilities
After you've established a list of features you want in a firewall, review your security policy, and then compare and adjust that list accordingly. It's essential to match firewall capabilities with your security policy at every stage of design and implementation.
Quiz #6
Question 1: Firewalls are effective against which of the following types of attack? (Check all that apply.)
A) Application backdoors
B) Bulk email attacks
C) DoS
D) Port scanning
E) Source routing
Question 2: True or False: An intruder or an attacker can be just about anyone.
A) True
B) False
Question 3: True or False: A cracker is someone knowledgeable about technology and can perform a wide range of complex activities without malicious intent.
A) True
B) False
Question 4: What's the first step in deploying barriers to prevent attacks?
A) Create a security policy
B) Harden the host
C) Deploy an IDS
D) Implement physical access controls
2003 - 2008 Powered, Inc.