1.It Security (transcript, 8/10/2019)

SECURITY & FIREWALL


    CHAPTER 4

    SECURITY & FIREWALL

CONTENTS

VARIOUS METHODS OF SOCIAL ENGINEERING
SITUATIONS TO WATCH OUT FOR
WAYS THAT INFORMATION CAN BE GLEANED FROM EMPLOYEES
VARIOUS WAYS TO SECURE THE USER'S COMPUTER AND NETWORK ACCESS
ENFORCED POLICIES
ENCRYPTION AND AUTHENTICATION
FIREWALLS
INCIDENT RESPONSE PLAN
DEAL WITH AN INCIDENT WHEN IT HAPPENS
TEST THE PLAN BEFORE AN ACTUAL INCIDENT OCCURS

    BRBRAITT, Jabalpur Ch.4/1


OBJECTIVES

After completing this module you will know:

the various methods of social engineering
the situations to watch out for
how to reduce the number of ways that information can be gleaned from employees
various ways to secure the user's computer and network access
enforced policies, encryption and authentication, and properly configured and installed firewalls
how to formulate an incident response plan
how to deal with an incident when it happens
how to test the plan before an actual incident occurs

In a world where security has become an enormous factor and network administration must cover everything from desktop support to business continuity planning, the scope of IT duties has widened while budgets have narrowed.

This lesson covers several different aspects of security to help you keep your network safe: spotting potential risks in the user environment before an incident happens, and handling a security problem should one occur. It also helps you evaluate your disaster recovery plan. It guides you through social engineering, safe telecommuting and the pitfalls of wireless LANs, and then takes you through incident response and disaster recovery.

SOCIAL ENGINEERING

You see news articles about network security and vulnerabilities in software and hardware every day. This visibility has made security a priority in most companies. Efforts to make sure the network is secure generally focus on how to implement hardware and software: intrusion detection, Web filtering, spam elimination and patch installation.

One of the biggest threats, and one that we as security professionals are often unaware of and cannot control, is social engineering. Very little attention is paid to the person-machine interaction. This lesson focuses on some of the methods of social engineering that are commonly used to obtain information that can enable an intruder to penetrate the best hardware and software network defenses.

Social engineering is a method of obtaining sensitive information about an office through exploitation of human nature. It is an attempt to influence a person into revealing information, or into acting in a manner that discloses information, that would normally not be provided. It relies on the trusting side of human nature and people's desire to be helpful. Social engineering is hard to detect because you have very little influence over a lack of common sense or ignorance on the part of employees. Business environments are fast paced and service oriented; human nature is trusting and often naive.

Before we get into the methods of social engineering, let's look at the planning of an attack. An intruder seldom decides to infiltrate an office at random. The attack is usually very methodical.

A social engineering attack is very similar to the way intelligence agencies penetrate their targets:

Gather intelligence.
Select a specific vulnerable area as the entry point.
Execute the attack.

In the intelligence-gathering phase, the attacker can find readily available information through the following:

Dumpster diving
Web pages
Ex-employees
Vendors
Contractors
Strategic partners

This information is the foundation for the next phase, in which the intruder looks for weaknesses in the organization's personnel. Some of the most common targets are people who work in the following roles:

Help desk
Tech support
Reception
Administrative support

These employees are the most likely to be affected by an intimidation type of attack (discussed later), simply because they handle a large volume of calls and are trained to deliver good customer service.

The last phase is the attack itself, also commonly known as the con. There are three broad categories of attacks:

Ego attacks
Sympathy attacks
Intimidation attacks

These attacks are discussed in further detail a little later in this lesson.


ATTACK ON THE PHYSICAL LEVEL

There are two levels at which social engineering occurs: the physical level and the psychological level. Let's first look at the physical level, which means looking for information in ways other than direct contact with the office or anyone in it. We'll start with dumpster diving.

Dumpster diving

As humans, we naturally seek the path of least resistance. Instead of shredding documents or walking them to the recycle bin, we often throw them in the nearest wastebasket. Equipment sometimes goes in the garbage too. Intruders know this, so they often don't even have to contact anyone in the office in order to extract sensitive information: they can find it all in the office's dumpsters. This is known as dumpster diving. Again, this is the path of least resistance: no phone calls, no visits, simply look through the garbage.

In one case that made the newspapers, anyone looking to extort money from the office or to steal identities could easily have made hundreds of thousands of rupees from the information available in its dumpsters: Social Security numbers, addresses, and a wealth of personal and financial information. This security breach not only jeopardized the clients; once the story was published, the office's stock plummeted and lawsuits ensued.

In any office, the potential for this type of information access is huge. What happens when an employee leaves the office? He cleans out his desk. Depending on how long the employee has been there, what ends up in the garbage could be a goldmine for an intruder. Other potential sources of information that are commonly thrown in the garbage include:

Old office directories
Old QA or testing analyses
Employee manuals
Training manuals
Hard drives
Floppy disks
CDs
Printed e-mails

TIP

All these items should be disposed of properly. You should formulate a policy on destruction of data. The safest policy is to physically destroy the media and the information stored on it: physical destruction is the only method that reliably removes all traces of information from removable media (a file that has merely been deleted, or a disk that has merely been formatted, can usually be recovered). All paper should be shredded and/or taken away by a bonded document-destruction service.


Web pages

The Web pages of an office are a great place to find out information about it and its organizational structure. Many companies also publish the biographies of top executives. This information can be used to impersonate that person, or someone who is an associate of the executive.

For example, you could call an office and ask the receptionist for Manohar. She tells you that Manohar is out of the office until Monday. You ask who is in charge until he returns, and are told Mary. You leave a message for Mary requesting information that she would have access to, saying you're working with Manohar and he said she could fax or e-mail the information you need while he's out of the office.

Additional methods of trickery

Another way of getting information is for an intruder to get employees to enter a contest. Say, for example, that you got an old office directory through dumpster diving. You could then send a contest letter to all employees asking them to register online at your Web site. Because many users reuse the same password across accounts, it's likely that you would get some network passwords from the employees who register for the contest.

E-mail social engineering is done by tricking someone into believing that an e-mail is a legitimate request. Social engineering involves knowing the target, and this includes knowing the e-mail addresses of your target. The ILOVEYOU worm of 2000, for instance, relied on social engineering: it created so much damage because it used an emotion-triggering subject line, "ILOVEYOU", and recipients opened the attachment.

WARNING

E-mail social engineering is a much more direct means of gaining access to a system, because attachments can launch worms, viruses, and back doors.

Ex-employees are a great source of information on the inner workings of an office, especially if they left under unhappy conditions. Vendors, contractors, and strategic partners are another fantastic source of information. It's easier to impersonate someone from another office than it is to impersonate an employee.

ATTACK ON THE PSYCHOLOGICAL LEVEL

The three categories of attacks (ego, sympathy, and intimidation) are all on the psychological level of social engineering. This means that the intruder appeals to the employee through emotion. Let's examine each of these attacks.

Ego attacks

An ego attack is perhaps one of the favorite types of social engineering attacks, simply because, as network administrators, we all have big egos. The attacker appeals to the vanity or ego of the victim. The victim wants to prove how smart or knowledgeable he is and unthinkingly provides sensitive information. We're all anxious to show how much more we know than the next person, or how much better our equipment is than theirs. The perfect scenario for this type of engineering is a user group meeting held after work. Several such groups meet once a month or so after work in local clubs. Mix egos and guess what happens?

It's amazing what employees will reveal without a whole lot of coaxing. How many employees unwittingly reveal information in social settings without realizing who they are talking to?

This can happen in any type of social setting. For example, suppose you attend a birthday party for a friend. Some of the other attendees are also in the field and the topic of conversation turns to servers. Everyone is comparing equipment. By the end of it you'll know what operating systems are running, what kind of equipment each one runs on, and what issues each one is having.

Talking about our jobs and comparing problems are simply part of human nature, and ego attack victims never realize what has happened, but the information extracted can be extremely dangerous in the wrong hands.

Ego attackers also target those they sense are frustrated with their current job position. Unhappy employees are very likely to reveal information with little prodding because they feel mistreated.

Attackers have also been known to pretend to be law enforcement officials; their victims feel obliged, and sometimes even honored, to help them by providing information.

Sympathy or intimidation attacks

The following are all examples of social engineering that either use intimidation or prey on sympathy:

You receive a call from someone saying he's a General Manager. He states that he's in real trouble. He's attempting to do a presentation for Microsoft and has forgotten his password; therefore he can't log into the Web site to do the presentation. He just changed it yesterday and can't remember what it is. He needs to have it right away because he has a room full of clients waiting and he's starting to look incompetent. This is an extremely important client that could mean millions of dollars in revenue for the office.

Someone you have never seen before approaches you as you're entering a secured building. She has her hands full carrying coffee and doughnuts. She smiles sweetly and says she has her ID badge in her pocket, but just doesn't seem to have a free hand to swipe the card and still carry everything. She asks that you please hold the door for her.

You receive a call from the corporate office saying that a new mail server is being put into place and there's an immediate need to verify current user accounts and passwords. You are told that it's not safe to send this information via e-mail, and are asked to please print it off and fax it directly to a number given to you. You're told that the number is a direct line for the person putting the new server into place.

These attacks are very successful because our business needs change daily and we live in a fast-paced world. This type of attack plays on the empathy and sympathy of the victim, and an attacker can shop around until he finds someone who will help.

Here are some social-engineering approaches an intruder can use to get information:

Pretends to be a fellow employee, a new hire, a contractor, or a vendor.
Insists there's some urgency to complete some task or obtain some information.
Needs assistance or he will be in trouble or lose his job.
Pretends to be someone influential, an authority figure, or, in some cases, a law enforcement official, and uses that authority to coerce the victim into cooperation.
If met with resistance, uses intimidation and threats such as job sanctions or criminal charges.
If pretending to be a law enforcement officer, claims the investigation is hush-hush and not to be discussed with anyone else.

WARNING

Employees can exploit social engineering just as well as outsiders. Keep in mind that more damage is done to a network by disgruntled employees than by outsiders.

You'll learn how to recognize a social engineering situation shortly. Here's a scenario that actually happened:

A user came to a network administrator with his laptop and requested that it be joined to the domain. The administrator logged the user off the laptop, logged in as himself, and joined the laptop to the domain. So, what's wrong with that? The user had keystroke-logging software installed on the laptop. He went back to his work area, read the log file, logged in as the administrator, browsed to the main server, and copied the SAM (Security Accounts Manager) to a file. (For those unfamiliar with the SAM, it holds local account information, including usernames and password hashes.) He took the file home and that evening ran L0phtCrack, a password-cracking tool, against it. The next day he had the logins and passwords for every user in the office. He periodically logged in as other users and accessed information he should not have. As time went by he got bolder, logging in as the administrator and shutting down services, causing problems on the network. Eventually his bragging got him into a bind and he was dismissed for his actions.

The lesson is never to type a privileged password into a machine you do not control. Never join a machine to the domain from the user's own machine; create the computer account at the server console instead, so that the administrator's credentials never touch the user's keyboard.
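The overnight cracking step in the scenario above, as an added example that is not part of the original lesson: an offline dictionary attack against a constructed dump of unsalted password hashes. The usernames, passwords, wordlist and mangling rules are all made up for the illustration, and SHA-1 stands in for the NTLM (MD4) hashes that a real SAM holds. What it shows is why the insider's run succeeded against ordinary passwords, and why the "strong passwords" policy later in this lesson matters.

```python
import hashlib
import itertools


def build_dump(plaintexts, algo="sha1"):
    """Build the constructed 'stolen' table: username -> unsalted hex digest.
    A real SAM holds NTLM (MD4) hashes; SHA-1 is used here only because every
    Python build has it. The weakness is identical: no salt, one hash per password."""
    return {user: hashlib.new(algo, pw.encode()).hexdigest()
            for user, pw in plaintexts.items()}


# Constructed wordlist; a real attack runs millions of entries plus leaked lists.
WORDLIST = ["password", "welcome", "letmein", "summer", "qwerty", "manohar", "jabalpur"]


def mangle(word):
    """Yield the rule-based variants crackers try for each base word:
    case changes, common suffixes, and simple leet substitutions."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2019", "@123"):
            yield base + suffix
    leet = (word.replace("a", "@").replace("o", "0")
                .replace("e", "3").replace("i", "1"))
    if leet != word:
        yield leet
        yield leet.capitalize()


def crack(dump, wordlist, algo="sha1"):
    """Offline dictionary attack. Because the hashes are unsalted, each candidate
    is hashed once and compared against every user with a single lookup."""
    by_digest = {}
    for user, digest in dump.items():
        by_digest.setdefault(digest, []).append(user)
    cracked = {}
    candidates = itertools.chain.from_iterable(mangle(w) for w in wordlist)
    for candidate in candidates:
        digest = hashlib.new(algo, candidate.encode()).hexdigest()
        for user in by_digest.get(digest, ()):
            cracked.setdefault(user, candidate)
        if len(cracked) == len(dump):
            break
    return cracked


if __name__ == "__main__":
    # Constructed accounts: two guessable passwords and one long passphrase.
    dump = build_dump({
        "ravi": "Password1",
        "mary": "w3lc0m3",
        "admin": "correct horse battery staple 7",
    })
    found = crack(dump, WORDLIST)
    for user in dump:
        print(f"{user:6} {found.get(user, '<not cracked>')}")
```

Two things to take from it: every candidate is hashed once and checked against every user at the same time, which is exactly what an unsalted store permits, and the long passphrase survives because no mangling rule turns a wordlist entry into it.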

Learn to recognize a social engineering situation

Now that you know about the methods of social engineering, it's time to look at how to spot a potential situation. To keep from becoming a victim, you should know how to recognize an intruder. You cannot be suspicious of everyone, nor trusting of everyone, so where do you draw the line?

Remember the Manohar scenario from earlier in this lesson? If the office had a policy requiring employees to obtain contact information when a call comes in for an out-of-the-office employee, one sign to look for would be refusal to leave contact information. In this example, the receptionist simply states that Mr. Manohar is out of the office, and then asks for your name, a number at which you can be reached, and what the call is in regard to, so that your call may be properly returned. If you're an intruder, would you leave this information? Not likely. If you're a persistent intruder, you may press the receptionist for information such as when Mr. Manohar will return and who is in charge in his absence, and act irate. This type of behavior is also a concern: the caller is deliberately avoiding giving out information about himself while trying to push the receptionist into giving out more information about the employee.

What about someone who is rushing or in a big hurry? We are all busy people; you're in as big a hurry as the next person. Look out for someone who tries to breeze past you as you're entering a secure building. She may strike up a conversation, and then say she's late for a big meeting and doesn't have time to be fishing for her ID badge, so she'll just come in with you. If you allow this, you may be admitting an intruder into the building. A genuine employee understands the security issue and finds her ID badge for admittance.

Name-dropping is often used to impress the people you are conversing with. Many folks like to drop names; it makes them feel more important. In social situations like the ones described earlier, many a conversation begins with, "The other day I was talking to so-and-so." If the speaker is talking about someone in your office, you get the feeling that he knows something about what is going on in your office and that you might trust him. Instead of proceeding to discuss the office, which is what the intruder wants, ask him questions such as how he knows so-and-so, to get a feel for whether he is being truthful. Of course, if he starts acting uneasy at the questions you're asking, you know that he's a potential intruder.

Intimidation is one of the best ways to get information out of people, especially those who tend to be timid by nature. Employees should be able to address intimidation situations without fear of being punished for poor customer service when they ask additional questions or for more information.

Odd questions, or requests for classified information, can also be a dead giveaway that someone is fishing for attack information. In the scenario where the General Manager needed a password, the approach should be that this is a potential intruder and not a General Manager.

Good practices can neutralize many of these social engineering situations. We'll discuss these practices next.

Promote practices that prevent attacks

The impact of social engineering and the ease of an attack are usually high. Technical, operational, and environmental controls will not individually prevent attacks. You need a combination of all three along with user awareness training. Here's a list of items that can be useful in preventing social engineering attacks:

All employees should have a security mind-set and be able to question situations that do not seem right.
Cleaning crews should search the wastebaskets for sensitive information and turn it over to management.
Policies need to be in place for data destruction, including paper, hard drives, CDs, disks, and so on.
Implement self-service password management to address weaknesses in help desk password administration.
Employees should have continued training in security awareness.
Require all guests to sign in, wear a guest badge, and be escorted within the office.
Have shredders located in convenient areas, or hire a reputable company to pick up and shred documents.
Extra security training in the areas of social engineering and office security policies should be provided for security guards, receptionists, and help desk employees.
Put policies in place for how to handle situations where an unknown person tries to slip in with a legitimate employee (called tailgating). Be sure that all employees know the policy and enforce it.
Instruct employees on what can and cannot be discussed in social settings outside of work.
Encrypt information on desktops, laptops, and PDAs.
Have policies regarding e-mail and voice mail notifications for employees on vacation or out of the building for a period of time.
Have incident response teams to lessen the damage if a breach occurs.
Apply technology where possible, such as biometrics or electronic security badges.
Test your defenses periodically.

This by no means covers everything or all situations. The important factors to remember are that there must be policies in place and that all employees must be aware of them. Training must start as soon as the job begins. Employees should know that they play a part in the security of the office and that their jobs depend on their vigilance.

You're faced with customer service and courtesy issues every day. Technology cannot control these situations. We all must rely on each other to use our best judgment when revealing information about our office and ourselves. Remember, the best defense is a good set of policies, proper education, and continued awareness training.

SECURE COMPUTER AND NETWORK

We have seen the ways in which an intruder can use social engineering to attack a network. Here, you'll see how an intruder can use a telecommuter's computer to attack your network and how you can make that computer more secure.

Many IT professionals work from home at least part of the time. This makes for a flexible work environment. That flexibility can also cause the IT professional a huge headache, because you have no control over what goes on in the confines of an employee's home. In one case, strange incidents kept happening on a network: a cracker had accessed it and was wreaking havoc. No matter what the administrator did to change and tighten security, the cracker always got back in. Eventually it was discovered that the cracker was getting into the network through the administrator's own home machine, which was always left on and connected to the Internet.

With information security, you cannot allow even the top leaders to sidestep or ignore policy. An employee cannot be allowed to work at home until the home machine is secured. This should be part of the security policy, and all employees should have signed a statement to that effect when they were hired. Should you find yourself in this situation, it must be passed to the next level of management or to someone who manages security.

UNDERSTAND THE HOME ENVIRONMENT

What happens when employees are allowed to work from home? They're given an office machine or allowed to use their own, IT sets them up to access the network, and then we forget about them.

Let's consider a few factors about telecommuting employees. After all, they're doing office work. Most of them have children or spouses who use the same computer that they use to access the work environment. Employees who have more than one computer usually set up a home network. Those who care about their home aesthetics, or don't want to pull wire, set up wireless networks at home.

Here are a few scenarios, each of which poses a threat to the work environment:

An office engineer has a daughter and a son who each have a laptop. The engineer purchases a wireless router and hooks up all the machines, including the work machine, so that all of them can use the high-speed Internet connection. One of the reasons wireless is so popular with home users is that you can just plug it in and have it start working. In this scenario, then, there's little probability that the engineer enabled WEP (Wired Equivalent Privacy) on the router and laptops, so the traffic is sent in clear text and anyone within radio range can read it. (WEP itself has since been broken; a home network today should use WPA2 or WPA3 with a strong passphrase.)

An employee's home workstation is running Windows 98. (Windows 9x stores cached passwords in weakly protected .pwl files.) The Internet connection is always on, because the children want Internet access on that computer, especially in the summer when school's out. The virus software is disabled because it interferes with the children's favorite game. In this situation, the always-on connection leaves the machine open to attack, the .pwl file can easily be harvested for a list of passwords, and disabling the virus software leaves the machine unguarded against viruses.

You've installed keystroke-logging software to track where your children have been on the Internet, because they often use your computer unsupervised. This software runs constantly. You've made it extremely easy for a cracker to get your password to the network, because all he has to do is read the log file. This is a giveaway: he has no work to do because you've done it for him. Keystroke-logging software should not be used on a machine supplied by the employer unless the employer installed it and is aware that it's on the machine.

You are constantly having issues with your computer because you let your children use it. What do you think the chances are that someone has already penetrated the network where you work and is slowly stealing information or planting malware?

Establish effective policies

Every office should have policies in place to protect the network from attacks via home users. These might include the following:

Requiring the employee to notify IT immediately if he changes his home connection from dial-up to high speed, so that policies and procedures can be addressed.
Not permitting an office-owned PC to be used for other purposes or by unauthorized individuals.
Not allowing virus protection software to be disabled, and requiring that it be updated regularly.
Requiring immediate disconnection from the network and immediate contact with support in the event that the machine contracts a virus.
Requiring the use of a firewall, and not permitting it to be disabled.
Requiring that the machine be either disconnected from the network and the Internet or turned off completely when the employee finishes working for the day.
Mandating that a boot disk be handy in the event a virus renders the machine unusable.
Requiring that data be backed up if the employee is storing office information on a home computer.
Requiring that the operating system and all applications on the machine be kept up to date.
Requiring strong passwords.
Requiring that non-work-related shares be turned off.
Mandating that auditing be turned on (if the operating system allows).

TIP

Post information about patches and updates, whether the IT department supplies them or the employee is expected to acquire them on his own. Once the information is posted, an employee has no excuse for failing to comply.


Although it may seem like a lot of work, it's worth your while to periodically send questionnaires to all employees working from home who are using office computers. The main information you want from the employees is:

The operating system and version
All applications installed and their versions
The type of Internet connection
The location of the emergency boot disk
How many other machines are using the Internet connection
Any hardware changes

Then compare the current responses with the condition in which the machine left the office. If this is done on a regular basis, you will soon be able to tell who is using the computer strictly for work purposes and who is not. Often, what you'll find is that children use the computer to play games and download music files. These require the installation of additional programs. They also take up disk space and may require better video cards as well as extra memory.

With policies in position, let's see how machines can be set up to securely connect to the work environment from home.

SECURE HOME MACHINES

As you learned in the previous section, you really have very little control over the home user. Even with good policies in place, there's no guarantee that telecommuters will follow them. What you can control is how the telecommuters connect to your network, and that's what we'll discuss now.

When you allow telecommuters to access your network, they usually do so by first connecting to the Internet and then connecting to the network. A VPN (Virtual Private Network) is a network connection that permits access via a secure tunnel created through an Internet connection. Using an Internet-based VPN connection is very popular for several reasons:

Users in an organization can dial a local Internet access number and connect to the corporate network for the cost of a local phone call.
Administrative overhead is reduced with a VPN because the ISP (Internet Service Provider) is responsible for maintaining the connectivity once the user is connected to the Internet.
There are various security advantages to using a VPN, including encryption, encapsulation, and authentication.

For users who travel, a local access number usually is available. If possible, you should provide this information to employees who travel; it saves phone calls to the help desk and enables them to test the numbers before they have to give presentations.

Figure 1 shows how a VPN works. Setting up the users' computers (clients) to connect to the server is a two-step process:

    BRBRAITT, Jabalpur Ch.4/12

  • 8/10/2019 1.It Security

    14/29

    Security & Firewall

    Figure 1: VPN remote access over the Internet.

    Establish an Internet connection. This can be dial-up or broadband.

    Connect to the VPN server. This involves dialing another connection.

    Once the client is setup, it can use the VPN. Here's how a client uses a VPN to access acorporate LAN through the Internet:

    The remote user dials into his local ISP and logs into the ISP's network.

    The user initiates a tunnel request to the server on the corporate network. Theserver authenticates the user and creates the other end of tunnel.

    The user then sends data through the tunnel, which is encrypted by the VPN

    software before being sent over the ISP connection.

    The server receives the encrypted data, decrypts it, and forwards it to the destination on the corporate network. Any information sent back to the remote user is encrypted before being sent over the Internet.

    VPNs provide great opportunities for employee productivity while reducing long-distance charges, and a good VPN guarantees privacy and encryption. But it is authentication that ensures the integrity of the data.

    We've discussed the situations that home users get themselves into and how easily passwords can be breached on unsecured machines. In order for a VPN to provide the level of security that's intended, a solid means of authentication must be established. This brings us to two-factor authentication.

    In two-factor authentication, a user must supply two forms of ID before she can access a resource: one is something she knows, such as a password, and the other is something she has or is. For example, you may be required to type a password and place your thumb on a thumbprint scanner to properly identify yourself. Figure 2 illustrates this type of authentication.

    Figure 2: Two-factor authentication.


    The most common form of this type of authentication is a smart card. The security in this authentication is that both the card and the PIN are needed for validation. If the card is stolen, or the PIN is discovered, neither one of these alone can enable someone else to log on as the user.

    Smart card readers are attached to a computer port and a digital certificate is downloaded to activate the card. Smart card logon requires the user to insert the card and enter a PIN in order to log on.
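    The following is an added worked example, not code from this lesson: it verifies a login with the two factors just described, a password the user knows (stored as a salted PBKDF2 hash) and a one-time code from a token the user has (RFC 6238 TOTP, the same mechanism a phone authenticator or hardware token uses in place of a smart card). The user record layout, the PBKDF2 parameters and the demo seed (the RFC 6238 reference seed, used only so the codes are checkable) are assumptions of the example. Either factor alone is rejected.

```python
import hashlib
import hmac
import secrets
import struct
import time


# Constructed demo: a user record holding a salted password hash (something she
# knows) and a TOTP seed provisioned onto her token or phone (something she has).
# The record layout and the PBKDF2 parameters are assumptions of this example.
def make_user(password: str, totp_secret: bytes) -> dict:
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}


def check_password(user: dict, password: str) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    # constant-time comparison so timing does not leak how many bytes matched
    return hmac.compare_digest(candidate, user["pw_hash"])


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 HOTP over the 30-second time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def check_totp(user: dict, code: str, unix_time: int, window: int = 1) -> bool:
    # Accept the current step and one step either side to tolerate clock drift.
    for drift in range(-window, window + 1):
        expected = totp(user["totp_secret"], unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def two_factor_login(user: dict, password: str, code: str, unix_time=None) -> bool:
    """Both factors must pass; each one alone is rejected."""
    if unix_time is None:
        unix_time = int(time.time())
    pw_ok = check_password(user, password)
    otp_ok = check_totp(user, code, unix_time)    # evaluated regardless of pw_ok
    return pw_ok and otp_ok


if __name__ == "__main__":
    seed = b"12345678901234567890"                # RFC 6238 reference seed (demo only)
    alice = make_user("correct horse battery staple", seed)
    print(two_factor_login(alice, "correct horse battery staple", totp(seed, 59), 59))  # True
    print(two_factor_login(alice, "correct horse battery staple", "000000", 59))        # False
    print(two_factor_login(alice, "guess", totp(seed, 59), 59))                          # False
```

    In a deployment the seed would be stored per user on the authentication server and the clock-drift window kept small; the point the code makes is the one the text makes about the card and PIN: knowing the password without holding the token, or holding the token without the password, gets the attacker nothing.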

    Understand tunneling

    The purpose of a VPN is to secure your network communications. There are two broad categories of tunneling:

    Voluntary

    Compulsory

    In voluntary tunneling, the situation is as described earlier and shown in Figure 2-1. The cable modem dials the ISP, and the user is then connected to the VPN server via the Internet.

    In compulsory tunneling, the tunnel is set up between two VPN servers that act as routers for network traffic. This type of tunnel is most useful for connecting a remote office with its own network to a central office. Sometimes, as an office is growing, it allows employees to run offices out of their homes, with those employees hiring several people to work for them, or it may be in the situation where a contractor works out of an office that is shared by other contractors. Figure 3 shows an example of this type of tunneling.

    Figure 3: Compulsory tunneling.

    This type of server would be placed in a larger office, but remote users and traveling employees could create a connection with a local or corporate VPN server instead of connecting to an ISP first, thus eliminating the need to supply traveling employees with a list of local numbers for the ISP.

    WARNING

    Tunneling should not be used as a substitute for encryption. The strongest level of encryption possible needs to be used within the VPN.

    Let's take a look at personal firewalls that can be installed to help detect intrusions in home computers.


    Examine personal firewalls

    The potential for crackers to access data through the telecommuter's machine has grown substantially, and threatens to infiltrate our networks. Cracker tools have become more sophisticated and difficult to spot. Always-connected computers, typically with static IP addresses, give attackers copious amounts of time to discover and exploit system vulnerabilities. How can a user know when his system is being threatened?

    You can help thwart attacks by making sure that all telecommuters have firewalls installed on their systems. Firewalls come in two varieties: software and hardware. Like most other solutions, each has strengths and weaknesses. By design, firewalls close off systems to scanning and entry by blocking ports or non-trusted services and applications.

    Software firewalls

    Software firewalls are more flexible in that they enable the user to move from network to network. Typically, the first time a program tries to access the Internet, a software firewall asks whether it should permit the communication. You can opt to have the firewall ask the user each time the program tries to get online. The prompts usually get so annoying that most users end up making hasty decisions with little more information than they originally had. Another danger is that firewall filtering can get too complicated for the average user to fix easily, which makes users reluctant to deny permission to anything. There should be help available to telecommuters to aid in configuring these types of firewalls. It's one thing to say that telecommuters have firewalls, but quite another to ensure that those firewalls are correctly configured.

    Here's a list of the most commonly used software firewalls:

    McAfee.com Personal Firewall

    Norton Internet Security

    Sygate Personal Firewall

    ZoneAlarm

    BlackIce

    Tiny Personal Firewall

    Hardware firewalls

    Hardware firewalls provide an additional outer layer of defense that can more effectively hide one or more connected PCs. There are inexpensive router appliances that move traffic between the Internet and one or more machines on home networks, which simply hide the IP addresses of PCs so that all outgoing traffic seems to come from the same address. Recently, router manufacturers have been including actual firewalls that block inappropriate inbound and outbound traffic, making these a much better choice.

    In general, the average user will like the nature of hardware solutions because they operate in the background without generating as many queries and alerts as software firewalls. In addition, the physical installation is easy, but the normal home user won't know how to configure the firewall should the default settings not be strong enough.


    Remember that even a good firewall cannot protect the user if he does not think before he downloads or does not exercise a proper level of caution. No system is foolproof, but the right combination of hardware, software, and good habits can make your telecommuters' computing environment safer.

    INTRUSION DETECTION

    We will see what actually happens when your network is invaded or damaged. We develop and deploy hardware and software in such an extremely quick fashion to meet the demand of business and home consumers that we don't always take the time to be sure that these technologies are properly tested and secured. This puts our networks at risk not only from the professional cracker but also from curious or disgruntled employees.

    Let's first look at intrusion detection and intrusion prevention systems that can help spot a potential intrusion.

    Examine intrusion detection systems

    One of the best ways to catch an intruder before too much damage is done is through IDSs (intrusion detection systems), which are designed to analyze data, identify attacks, and respond to the intrusion. They're different from firewalls in that firewalls control the information that gets in and out of the network, whereas IDSs can identify unauthorized activity.

    Intrusion-detection systems are also designed to catch attacks in progress within the network, not just on the boundary between private and public networks. The two basic types of IDSs are network based and host based. As the names suggest, network-based IDSs look at the information exchanged between machines, and host-based IDSs look at information that originates on the individual machines. Here are some specifics:

    Network-based IDSs monitor the packet flow and try to locate packets that may have gotten through the firewall and are not allowed for one reason or another.

    These systems have a complete picture of the network segment they are configured to protect. They see entire network packets, including the header information, so they're in a better position to distinguish network-borne attacks than host-based IDSs are. They are best at detecting DoS (Denial of Service) attacks and unauthorized user access. Figure 4 details a network-based IDS monitoring traffic to the network from the firewall.


    Figure 4: Network-based IDS.

    Host-based IDSs (sometimes called HIDSs) monitor communications on a host-by-host basis and monitor traffic coming into a specific host for signatures that might indicate malicious intention. They also monitor logs to find indications that intrusions or intrusion attempts are going on, and some of the HIDSs also monitor system calls and intercept them. These types of IDSs are good at detecting unauthorized file modifications and user activity.

    Network-based IDSs try to locate packets not allowed on the network that the firewall missed. Host-based IDSs collect and analyze data that originates on the local machine or a computer hosting a service. Network-based IDSs tend to be more distributed.
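    As an added illustration of the network-based IDS just described (this is example code, not part of the lesson or of any IDS product), the following detector reads packet-header records for a segment and raises the two kinds of alert the text names: a port scan (one source touching many ports on one host within a short window, typical of the reconnaissance that precedes unauthorized access) and a SYN flood (a DoS attack seen as a burst of bare SYNs at one destination). The record format, the addresses, the thresholds and the traffic itself are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float        # seconds since capture start
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    dport: int
    flags: str = ""  # TCP flags as letters, "S" = SYN only


def parse_record(line: str) -> Packet:
    # Constructed header-record format for this example: "ts src dst proto dport [flags]"
    parts = line.split()
    flags = parts[5] if len(parts) > 5 else ""
    return Packet(float(parts[0]), parts[1], parts[2], parts[3], int(parts[4]), flags)


def detect_port_scans(packets, window=5.0, min_ports=10):
    """Alert once per (src, dst) when >= min_ports distinct ports are hit within window seconds."""
    alerts, flagged = [], set()
    history = defaultdict(list)          # (src, dst) -> [(ts, dport), ...] inside the window
    for p in sorted(packets, key=lambda p: p.ts):
        key = (p.src, p.dst)
        hist = history[key]
        hist.append((p.ts, p.dport))
        while hist and p.ts - hist[0][0] > window:   # slide the window forward
            hist.pop(0)
        ports = {port for _, port in hist}
        if len(ports) >= min_ports and key not in flagged:
            flagged.add(key)
            alerts.append(f"PORT_SCAN src={p.src} dst={p.dst} ports={len(ports)} at t={p.ts:.2f}")
    return alerts


def detect_syn_floods(packets, window=1.0, min_syns=50):
    """Alert once per destination when >= min_syns bare SYNs arrive within window seconds."""
    alerts, flagged = [], set()
    syn_times = defaultdict(list)        # dst -> timestamps of bare SYNs inside the window
    for p in sorted(packets, key=lambda p: p.ts):
        if p.proto != "tcp" or p.flags != "S":
            continue
        hist = syn_times[p.dst]
        hist.append(p.ts)
        while hist and p.ts - hist[0] > window:
            hist.pop(0)
        if len(hist) >= min_syns and p.dst not in flagged:
            flagged.add(p.dst)
            alerts.append(f"SYN_FLOOD dst={p.dst} syns={len(hist)} within {window}s at t={p.ts:.2f}")
    return alerts


def analyze(records):
    packets = [parse_record(line) for line in records if line.strip()]
    return detect_port_scans(packets) + detect_syn_floods(packets)


def sample_traffic():
    """Constructed capture: a little normal HTTPS, a 12-port scan, then a 60-SYN burst."""
    lines = [f"{i * 0.5:.1f} 192.0.2.10 198.51.100.5 tcp 443 S" for i in range(5)]
    lines += [f"{10 + i * 0.15:.2f} 10.0.0.99 198.51.100.5 tcp {port} S"
              for i, port in enumerate(range(20, 32))]
    lines += [f"{20 + i * 0.01:.2f} 203.0.113.{i % 250 + 1} 198.51.100.7 tcp 80 S"
              for i in range(60)]
    return lines


if __name__ == "__main__":
    for alert in analyze(sample_traffic()):
        print(alert)
```

    Both detectors work purely from headers, which is why a network sensor can see them and a host sensor on the victim usually cannot; a real deployment would tune the window and thresholds to the segment's normal traffic and add payload signatures for the attacks that headers alone do not reveal.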

    Host-based and network-based approaches are complementary to each other because they have different strengths and weaknesses. Many successful intrusion detection systems are built using mixes of both, and ultimately, this is what network administrators should consider for their own environments.

    When an IDS alerts a network administrator of a successful or ongoing attack attempt, it's important to have documented plans for incident response already in place. There are several forms of response, including the following:


    Redirecting or misdirecting an attacker to secured, segmented areas, allowing him to assume that he has been successful. This serves two purposes: it prevents access to secured resources and gives you time to trace or track the intruder.

    ICE (Intrusion Countermeasure Equipment) can be used to provide automatic response in the event of intrusion detection. ICE agents have the capability to automatically lock down a network or to increase access security to critical resources in the event of an alert.

    After identification of an attack, forensic analysis of infected systems can detect information about the identity of the attacker. This information may then be used to direct the attention of the proper authorities.

    Later, analysis of successful intrusions should be used to harden systems against additional attempts of the same nature. Planning should include access restrictions in addition to making the network less desirable to potential attackers.

    Explore intrusion prevention systems

    IDSs alert IT system administrators to potential security breaches within the perimeter of a network environment, which is a good start. The problem with them is that they're passive and reactive. They scan for configuration weaknesses and detect attacks after they occur. When an attack occurs, it's reported, and combinations of antivirus and intrusion detection vendors develop a rapid solution to distribute, but by that time, the attack has delivered its payload and paralyzed the network or several networks. In fact, the damage is often already done by the time the IDS alerts you to the attack.

    Intrusion prevention software differs from traditional intrusion detection products in that it can actually prevent attacks rather than only detecting the occurrence of an attack. IPS architectures serve as the next generation of network security software that is proactive.

    Host-based IPS will become increasingly popular in the next few years, possibly pushing host-based IDS out of the picture.

    Intrusion prevention offers considerable advantages:

    It actually secures internal resources from attacks based inside the network by restricting behavior of potentially malicious code, providing a record of attack, and notifying enterprise security personnel when an attack is repelled.

    It defines appropriate behaviors and then enforces those behaviors on every end-user desktop and network server across an enterprise. By looking at system and application behavior and defining which actions are legitimate and which are suspect, an IPS can stop an errant system action when it attempts to do something that is not in the realm of expected behavior.

    Rules can be configured to control which types of actions applications can perform on files and system resources. As an intelligent agent, these run by intercepting system actions, checking rules, and then allowing or denying the action in question based on those rules.


    Statistical logging data can be used to generate reports that indicate overall network health. IT staff can monitor how current rule sets are working and adjust them, if necessary.

    For an intruder, the real value of your network lies in key machines such as database servers and the information they contain. An intruder won't celebrate breaking through your firewall if all it gets him is access to a couple of printers. The idea of intrusion prevention is to ensure exactly that: by allowing only certain behaviors on critical hosts, the technology leaves an intruder with little freedom to do anything malicious.
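    To make the host-based IPS mechanism described above concrete, here is an added example (not the lesson's code and not any product's implementation) of the intercept-check-allow/deny loop: a small rule engine that is called before each system action, answers it from an ordered rule list, falls back to "deny" for protected resources and "allow" for everything else, keeps the record of repelled actions, and counts verdicts for the health report the last bullet mentions. The process names, paths, policy and the replayed sequence of actions are all hypothetical, chosen to resemble a database server as the critical host.

```python
import fnmatch
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    process: str    # glob on the executable name, e.g. "postgres" or "*"
    action: str     # "read", "write", "exec" or "connect"
    resource: str   # glob on a file path or "host:port"
    verdict: str    # "allow" or "deny"


@dataclass
class HostIPS:
    rules: list
    protected: list = field(default_factory=list)    # resources that default to deny
    attack_log: list = field(default_factory=list)   # record of repelled actions
    stats: Counter = field(default_factory=Counter)  # verdict counts for reporting

    def decide(self, process: str, action: str, resource: str) -> str:
        # First matching rule wins, as in a firewall rule set.
        for r in self.rules:
            if (fnmatch.fnmatchcase(process, r.process) and action == r.action
                    and fnmatch.fnmatchcase(resource, r.resource)):
                return r.verdict
        # No explicit rule: protected resources default to deny, anything else to allow.
        if any(fnmatch.fnmatchcase(resource, pat) for pat in self.protected):
            return "deny"
        return "allow"

    def intercept(self, process: str, action: str, resource: str) -> str:
        """Hook invoked for every system action before it is carried out."""
        verdict = self.decide(process, action, resource)
        self.stats[verdict] += 1
        if verdict == "deny":
            self.attack_log.append((process, action, resource))
        return verdict


def build_db_server_ips() -> HostIPS:
    """Hypothetical policy for a database server: only the database engine may touch
    its data files or its port; nothing may write under /etc or execute from /tmp."""
    rules = [
        Rule("postgres", "read", "/var/lib/pgsql/*", "allow"),
        Rule("postgres", "write", "/var/lib/pgsql/*", "allow"),
        Rule("postgres", "connect", "*:5432", "allow"),
        Rule("*", "write", "/etc/*", "deny"),
        Rule("*", "exec", "/tmp/*", "deny"),
    ]
    return HostIPS(rules, protected=["/var/lib/pgsql/*", "/etc/shadow"])


# Constructed sequence of intercepted actions: (process, action, resource)
SAMPLE_ACTIONS = [
    ("postgres", "read", "/var/lib/pgsql/data/base/1"),   # normal database work
    ("postgres", "connect", "10.0.0.5:5432"),              # replication peer
    ("httpd", "read", "/var/www/html/index.html"),         # unrelated, allowed by default
    ("sh", "read", "/var/lib/pgsql/data/base/1"),          # a shell reading data files
    ("postgres", "write", "/etc/passwd"),                  # the engine writing system config
    ("backup", "read", "/etc/shadow"),                     # unexpected reader of shadow
    ("httpd", "exec", "/tmp/dropper"),                     # web server executing from /tmp
]


def replay(ips: HostIPS, actions=SAMPLE_ACTIONS) -> list:
    return [ips.intercept(*a) for a in actions]


if __name__ == "__main__":
    ips = build_db_server_ips()
    for act, verdict in zip(SAMPLE_ACTIONS, replay(ips)):
        print(verdict.upper(), act)
    print("report:", dict(ips.stats))   # {'allow': 3, 'deny': 4}
```

    The last four actions are each plausible on a compromised host and none of them is caught by a perimeter firewall; the engine stops them because they fall outside the defined behavior for the host, which is the text's point about leaving the intruder little freedom on the machines that matter.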

    If you have a personal firewall such as Norton Personal Firewall or ZoneAlarm, you may have already seen intrusion prevention in its simplest form. Recall from the above that this type of software relies on rules and scanning to spot inappropriate activity. It uses predefined attack signatures, and it also learns what behaviors you'll allow every time you click yes or no when an application wants to do something.

    WARNING

    Sometimes the data that is collected by these systems is overwhelming. When you start trying to do something with the intrusion detection data, you realize the magnitude of deciphering or reading the data is well beyond the resources and time you want to put in to make it effective.

    Often, incidents happen even though you have firewalls and intrusion detection. So, you've got ten thousand alarms going off; five of them are probably valid, and two of them you really need to do something about, but you don't have the time or the resources to find what those five are and what the two really are. You end up doing nothing because you don't know how to respond. Please do not let this happen. Make the time and resources to use these tools effectively.

    Preventing actual damage to your company's business functionality is critical to protecting today's open networks. Intrusion prevention technology serves as a strategy for those who desire proactive and preventive security measures in the face of attacks.

    No incident response solution is complete without a proper plan, so let's tackle that next.

    PLAN YOUR INCIDENT RESPONSE

    Incident response refers to the actions an organization should take when it detects an attack, whether ongoing or after the fact. It's similar in concept to a DRP (disaster recovery plan) for responding to disasters. Incident response plans are needed so that you can intelligently react to an intrusion. More importantly, there's the issue of legal liability. You're potentially liable for damages caused by a cracker using your machine. You must be able to prove to a court that you took reasonable measures to defend yourself from crackers. Having an incident response plan definitely helps in this area. Unplanned application and operating system outages have become commonplace. When an incident occurs, the last thing you should do is panic, which, of course, is exactly what happens if there is no plan in place or you have no idea where it is.

    Don't overlook the effect an incident has on employees. The interruption to the workplace not only causes confusion but also disrupts their schedules. Proper planning should be beneficial to customers as well as employees.


    The components of an Incidence Response Plan should include preparation, roles, rules, and procedures.

    Prepare

    Although the preparation requirements may be different for each office, some of the basics should include:

    A war room where the response team can assemble and strategize.

    A response team that will handle all facets of the incident.

    Contact information for the response team, vendors, and third-party providers.

    Change-control policies, which are especially useful when an application or operating system needs to be rolled back.

    A software listing of the operating systems and applications being used so the scope of the incident can be properly assessed.

    Monitoring tools to determine the health of the machines.

    Assign roles

    The incidence response team is responsible for containing the damage and getting the systems back up and running properly. These steps include determination of the incident, formal notification to the appropriate departments, and recovering essential network resources. With this in mind, the team should comprise the following personnel:

    Technical operations: Security and IT personnel

    Internal communications support: Someone to handle management, employees, and food for the response team (Yes, food is an important part of the response process!)

    External communications support: Vendor, business partner, and press handling

    Applications development: Developers of in-house applications and interfaces

    Create rules

    Some basic rules should apply to the response team, which could include the following:

    The entire team is responsible for the success of the incident handling.

    No one on the team is allowed to leave until the incident is handled.

    Everyone works from the war room. This is the central command post, and the investigation takes place here.

    Lastly, procedures need to be put into place. Let's discuss those procedures now.

    Plan the procedures

    Incidents happen from time to time in most organizations, no matter how strict security policies and procedures are. It's important to realize that proper incident handling is just as vital as the planning stage, and its presence may make the difference between being


    able to recover quickly and ruining business and customer relations. Customers need to see that the company has enough expertise to deal with the problem.

    Larger organizations should have an Incident Response Team. In the previous section, we discussed the department members that should be assigned this task. Realize that this team is not a full-time assignment; it's just a group of people who have obligations to act in a responsible manner in case of an incident.

    The basic premise of incident handling and response is that the company needs to have a clear action plan on what procedures should take place when an incident happens. These procedures should include:

    Conducting initial assessment: Identify the initially infected resources by getting some preliminary information as to what kind of attack you are dealing with and what potential damage exists.

    Initial communication: Notify key personnel, such as the security department and the response team.

    Assemble the response team: Converge in the war room for duty assignment. Decide who will be the lead for the incident.

    Initial containment of the incident: Diagnose the problem and identify potential solutions. Set priorities and follow them closely. The incident response team has to be clear about what to do, especially if the potential damage is high.

    Intrusion evaluation: Escalate the problem to additional teams if necessary. The key is to understand what actually happened and how severe the attack was.

    Collect forensic evidence: Gather all of the information learned about the incident up to this moment and store it in a secure location on secure media, in case it's needed for potential legal action.

    Communicate the incident in public: Public communications may be subdivided into several categories:

    Law enforcement: An incident of large proportion or repetitive pattern should be relayed to municipal, provincial, or federal authorities.

    Other companies: The incident may be reported to IT security companies for help, or as notification to other companies.

    Customers: Customers should be notified as soon as there is something to be said.

    News media: If the company is large enough, and the event is worthy of a news story, expect to be contacted by the media. There needs to be one person authorized to speak to the media. Incident handling personnel must be aware of this and direct all media queries to the appropriate team member.

    Restore service: Implement and test a solution. If it was an unknown attack, or an attack that is known to have ill effects on the system, it may be in the best interests of the company to completely reinstall the system.

    Monitor: Be sure that recovery was successful.


    Prepare an incident report: Determine and document the incident cause and solution. This report is an internal document that puts everything in perspective, from the minute the incident was noticed until the minute the service was restored.

    Calculate damage: The ultimate dollar figure should look beyond actual and obvious losses associated with service outages and business interruptions to include all costs resulting from the incident, such as legal fees, loss of proprietary information, system downtime costs, labor costs, hardware/software costs, consulting fees, bad reputation, and publicity.

    Summary and updates: Gather the entire security response team for a meeting and review the process and timelines in detail, making any modifications that are necessary to the plan.

    Periodic analysis: Check that the modifications made are appropriate.

    This is a brief model and by no means a complete plan. Every company must evaluate its needs and plan accordingly. Once a plan is formulated, it must be tested, which brings us to the last part of this lesson.

    Test the plan

    You formulate a plan, put it on a shelf, and when an incident happens, you realize there are huge flaws in the plan. You forgot something, or the person that you picked to do internal communications support did an extremely poor job of handling his responsibilities and left even though the rules for the team stated otherwise. The security response team lead needs to be sure that every person onboard did the best they could and performed the most appropriate action given the circumstances. This person also needs to look at the situation to see if the overall strategy of the department is useful or where it needs changing or fixing. The only way to do this before an actual incident is to test the plan ahead of time.

    The approach taken to test the plan depends on the strategies selected by the company. Many times tests are conducted by what are called Tiger Teams. This can be an outside group of consultants. The tests are often conducted without notification to the departments involved in order to see how well the plan functions.

    The following are key components of a testing plan:

    Define the test purpose and approach: Specify the incident that is to be tested. How a virus infection is handled will be different from how to handle a Denial of Service attack or a Web server defacement.

    Identify the test team: Specify whether employees or outside consultants will conduct the test. No response team members should be on the test team because they will be responsible for handling the incident.

    Structure the test: Plan exactly what you want to accomplish and set up the equipment in a testing environment.


    Conduct the test: To be most effective, this should be done without prior notification to the departments involved, because that is how incidents happen.

    Analyze test results: Evaluate how well or poorly everyone responded and how easily the incident was resolved.

    Modify the plan: After a dry run, there are usually some modifications. Be sure they're implemented.

    FIREWALL

    CONTENTS

    Various Generations of Firewalls

    FAQ.

    OBJECTIVES

    After completion of this module you will be able to know:

    The different Generations of Firewalls

    Why a firewall is needed

    Answers for FAQ

    In its most basic terms, a firewall is a system designed to control access between two networks.

    There are many different kinds of firewalls: packet filters, application gateways, or proxy servers. These firewalls can be delivered in the form of software that runs on an operating system, like Windows or Linux. Or, these firewalls could be dedicated hardware devices that were designed solely as firewalls.

    UNDERSTAND THE EVOLUTION OF FIREWALLS

    Learn how firewalls have progressed from simple packet filtering to more sophisticated application-level filtering.

    Webopedia.com defines a firewall as a system designed to prevent unauthorized access to or from a private network. Although technically accurate, this definition tells us only what a firewall does, and doesn't address the more important question of how it does it. For administrators who are continually focused on keeping their networks secure, it is helpful to take a closer look at the way firewalls function and how they have evolved in recent years to better protect our corporate networks.

    First-generation firewalls: Packet filtering

    Static packet filters

    One of the simplest and least expensive forms of firewall protection is known as static packet filtering. With static packet filtering, each packet entering or leaving the network is checked and either passed or rejected depending on a set of user-defined rules. Dealing with each individual packet, the firewall applies its rule set to determine which packet to allow or disallow. You can compare this type of security to the gatekeeper at a club who


    allows people over 21 to enter and turns back those who do not meet the age requirement. The static packet filtering firewall examines each packet based on the following criteria:

    Source IP address

    Destination IP address

    TCP/UDP source port

    TCP/UDP destination port

    For example, to allow e-mail to and from an SMTP server, a rule would be inserted into the firewall that allowed all network traffic with a TCP source and destination port of 25 (SMTP) and the IP address of the mail server as either the source or destination IP address. If this were the only filter applied, all non-SMTP network traffic originating outside of the firewall with a destination IP address of the mail server would be blocked by the firewall.

    Many people have asked the question, "Is a router with an access list a firewall?" The answer is yes; a packet filter firewall can essentially be a router with packet filtering capabilities. (Almost all routers can do this.) Packet filters are an attractive option where your budget is limited and where security requirements are deemed rather low.

    But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing, where an intruder tries to gain unauthorized access to computers by sending messages to a computer with an IP address indicating that the message is coming from a trusted host.

    Information security experts believe that packet filtering firewalls offer the least security because they allow a direct connection between endpoints through the firewall. This leaves the potential for a vulnerability to be exploited. Another shortcoming is that this form of firewall rarely provides sufficient logging or reporting capabilities.

    STATEFUL PACKET INSPECTION

    Within the same generation as static packet filtering firewalls are firewalls known as stateful packet inspection firewalls. This approach examines the contents of packets rather than just filtering them; that is, it considers their contents as well as their addresses. You can compare this to the security screener at an airport. A ticket validates that you must be traveling from your source to your destination; however, your carry-on contents must be checked to get to your final destination.

    These firewalls are called stateful because they can permit outgoing sessions while denying incoming sessions. They take into account the state of the connections they handle so that, for example, a legitimate incoming packet can be matched with the outbound request for that packet and allowed in. Conversely, an incoming packet masquerading as a response to a nonexistent outbound request can be blocked. By using something known as session or intelligent filtering, most stateful inspection firewalls can effectively track information about the beginning and end of network sessions to dynamically control filtering decisions. The filter uses smart rules, thus enhancing the filtering process and controlling the network session rather than controlling the individual packets.
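    The following added example (written for this page; it is not the lesson's code and not any vendor's implementation) puts the static packet filter from the SMTP example and the stateful inspection just described side by side on the same packets. The static rule set is the text's "only filter applied" case: port-25 TCP traffic to or from the mail server is allowed and everything else is denied. The stateful firewall instead remembers outbound sessions and lets an inbound packet through only if it answers one of them or opens a connection to a published service; the packet "masquerading as a response to a nonexistent outbound request" is dropped, as is a spoofed packet that the static filter passes because it looks at headers alone. The addresses, ports and packets are constructed for the example, and the header model is reduced to the fields the text lists plus direction and the SYN/ACK flags.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    direction: str      # "in" = arriving from the Internet, "out" = leaving the LAN
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


@dataclass(frozen=True)
class Rule:
    # None means "any"; a static filter looks at nothing but these header fields
    src_ip: Optional[str]
    dst_ip: Optional[str]
    proto: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    verdict: str

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src_ip, p.src_ip), (self.dst_ip, p.dst_ip), (self.proto, p.proto),
                 (self.src_port, p.src_port), (self.dst_port, p.dst_port))
        return all(want is None or want == have for want, have in pairs)


MAIL_SERVER = "203.0.113.25"   # constructed address of the SMTP server

# The text's rule: TCP port-25 traffic with the mail server as source or destination,
# nothing else. A static filter has no notion of direction, so the return-traffic
# rule (source port 25 from the mail server) must be written out explicitly.
STATIC_RULES = [
    Rule(None, MAIL_SERVER, "tcp", None, 25, "allow"),
    Rule(MAIL_SERVER, None, "tcp", 25, None, "allow"),
    Rule(None, None, None, None, None, "deny"),
]


def static_filter(p: Packet, rules=STATIC_RULES) -> str:
    """First matching rule wins; every packet is judged on its own."""
    for r in rules:
        if r.matches(p):
            return r.verdict
    return "deny"


class StatefulFirewall:
    """Remembers outbound sessions so that only genuine replies are let back in."""

    def __init__(self, inbound_service_rules):
        self.inbound_rules = inbound_service_rules   # services published to the Internet
        self.sessions = set()   # (lan_ip, lan_port, remote_ip, remote_port, proto)

    def filter(self, p: Packet) -> str:
        if p.direction == "out":
            # Record a new outbound session (TCP on its opening SYN, UDP on any datagram).
            if p.proto == "udp" or (p.syn and not p.ack):
                self.sessions.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.proto))
            return "allow"
        # Inbound: a packet that answers a recorded outbound session is allowed ...
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.proto) in self.sessions:
            return "allow"
        # ... a new TCP connection is allowed only to a published service ...
        if p.proto == "tcp" and p.syn and not p.ack:
            return static_filter(p, self.inbound_rules)
        # ... and anything else masquerading as a response is dropped.
        return "deny"


INBOUND_SERVICES = [Rule(None, MAIL_SERVER, "tcp", None, 25, "allow"),
                    Rule(None, None, None, None, None, "deny")]


def demo() -> dict:
    fw = StatefulFirewall(INBOUND_SERVICES)
    smtp_in = Packet("198.51.100.9", MAIL_SERVER, "tcp", 40001, 25, "in", syn=True)
    web_in = Packet("198.51.100.9", MAIL_SERVER, "tcp", 40002, 80, "in", syn=True)
    # Forged packet claiming the mail server's SMTP port as source, aimed at a workstation
    spoofed = Packet(MAIL_SERVER, "10.0.0.7", "tcp", 25, 4444, "in", ack=True)
    # A workstation browses out; the real reply and a forged one come back
    out_syn = Packet("10.0.0.7", "198.51.100.80", "tcp", 51000, 443, "out", syn=True)
    reply = Packet("198.51.100.80", "10.0.0.7", "tcp", 443, 51000, "in", syn=True, ack=True)
    forged = Packet("198.51.100.80", "10.0.0.7", "tcp", 443, 52000, "in", syn=True, ack=True)
    return {
        "static_smtp": static_filter(smtp_in),
        "static_web": static_filter(web_in),
        "static_spoofed": static_filter(spoofed),   # passes: only headers are checked
        "static_reply": static_filter(reply),       # blocked: no rule for port 443
        "stateful_spoofed": fw.filter(spoofed),
        "stateful_out": fw.filter(out_syn),
        "stateful_reply": fw.filter(reply),
        "stateful_forged_reply": fw.filter(forged),
        "stateful_smtp": fw.filter(smtp_in),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22s} {verdict}")
```

    Two things fall out of the comparison: the static filter needs a permanent hole for return traffic, which is exactly what the spoofed packet walks through, while the stateful firewall needs no such hole because state, not a rule, admits replies; and the static filter blocks the workstation's legitimate HTTPS reply, which is the "only filter applied" consequence the text describes. Neither variant looks past the headers, so both still allow the endpoints to talk directly once a packet is admitted, the weakness the next section addresses with proxies.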


    Basic routers typically do not perform stateful packet inspection unless they have a special module. A dedicated firewall device or server (with software) is usually required when the level of security demands stateful inspection of data in and out of a network.

    Although stateful packet inspection offers improved security and better logging of activities over static packet filters, it has its drawbacks as well. Setting up stateful packet examination rules is more complicated and, like static packet filtering, the approach allows a direct connection between endpoints through the firewall.

    SECOND-GENERATION FIREWALLS: PROXY SERVICES

    The next generation of firewalls attempted to increase the level of security between trusted and untrusted networks. Known as application proxy or gateway firewalls, this approach to protection is significantly different from packet filters and stateful packet inspection. An application gateway firewall uses software to intercept connections for each Internet protocol and to perform security inspection. It involves what is commonly known as proxy services. The proxy acts as an interface between the user on the internal trusted network and the Internet. Each computer communicates with the other by passing all network traffic through the proxy program. The proxy program evaluates data sent from the client and decides which to pass on and which to drop. Communications between the client and server occur as though the proxy weren't there, with the proxy acting like the client when talking with the server, and like the server when talking with the client. This is analogous to a language translator who is the one actually directing and sending the communication on behalf of the individuals.

    Many information security experts believe proxy firewalls offer the highest degree of

    security because the firewall does not let endpoints communicate directly with one

    another. Thus, vulnerability in a protocol that could slip by a packet filter or statefulpacket inspection firewall could be caught by the proxy program. In addition, the proxy

    firewall can offer the best logging and reporting of activities.

    Of course, this security solution is far from perfect. For one thing, to utilize the proxy

    firewall, a protocol must have a proxy associated with it. Failure to have a proxy mayprevent a protocol from being handled correctly by the firewall and potentially dropped.

    Also, there is usually a performance penalty for using such a firewall due to the

    additional processing for application-level protocols.
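    As an added example (not part of the original text), the following shows what "acting like the client when talking with the server" looks like for HTTP: the proxy parses the client's bytes, applies policy, and then writes its own request to the server, so nothing the client sent is relayed untouched; data that is not HTTP, the only protocol this proxy has, is dropped. The host allowlist and header limit are assumed values.

```python
# Added example (not from the original document): application-level proxy
# inspection for HTTP. The policy values below are constructed for illustration.
import re
from typing import Optional

ALLOWED_METHODS = {"GET", "HEAD"}
ALLOWED_HOSTS = {"intranet.example", "www.example.org"}   # assumed allowlist
MAX_HEADER_BYTES = 4096                                   # assumed limit
REQUEST_LINE = re.compile(rb"^([A-Z]+) (/[\x21-\x7e]*) HTTP/1\.[01]$")

def proxy_http_request(raw: bytes) -> Optional[bytes]:
    """Return the request the proxy will send on the client's behalf, or
    None if the data is not well-formed HTTP that policy permits."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep or len(head) > MAX_HEADER_BYTES:
        return None                  # not HTTP at all, or an absurd header block
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None                  # no proxy for this protocol: traffic is dropped
    method, path = m.group(1).decode(), m.group(2).decode()
    if method not in ALLOWED_METHODS:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not re.fullmatch(rb"[A-Za-z0-9-]+", name):
            return None              # malformed header: drop rather than guess
        headers[name.decode().lower()] = value.strip().decode("ascii", "replace")
    host = headers.get("host", "")
    if host not in ALLOWED_HOSTS:
        return None
    # Rebuild the request from scratch: only fields the proxy chooses reach
    # the server, so client-supplied headers never cross the firewall as-is.
    out = (f"{method} {path} HTTP/1.1\r\n"
           f"Host: {host}\r\n"
           "Connection: close\r\n"
           "Via: 1.1 app-proxy\r\n\r\n")
    return out.encode("ascii")
```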

    FIREWALLS EVOLVED: THE THIRD GENERATION

    The newest generation of firewalls may be defined as state-of-the-art perimeter security integrated within major network components. These systems alert administrators in real time about suspicious activity that may be occurring on their systems. Although it's a lot to swallow, this new generation of firewall has evolved to meet the major requirements demanded by corporate networks of increased security while minimizing the impact on network performance. The requirements of the third generation of firewalls will be even more demanding due to the growing support for VPNs, wireless communication, and enhanced virus protection. The most difficult element of this evolution is maintaining the firewall's simplicity (and hence its maintainability and security) without compromising flexibility.


    The most recent category of firewalls attempting to meet this demand performs what has been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to known bit patterns of friendly packets before deciding whether to pass the traffic. Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first glimpse of this new definition of a firewall. Among the products that use this new technology are Check Point's FireWall-1, Elron Software's Internet Manager, and SonicWall's line of access security products.

    FREQUENTLY ASKED QUESTIONS

    Why would you want a firewall?

    Firewalls will protect your network from unwanted traffic. Many times, the unwanted traffic is harmful traffic from hackers trying to exploit your network. You want a firewall to protect your network, just as you want locks on your doors and windows at your home.

    Is a proxy server a firewall?

    A proxy server is a form of a firewall. In legal terms, a proxy is someone who goes and performs some action on your behalf. A proxy server performs network transactions on your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take requests from users' Web browsers, get the Web pages from the Internet, and return them to the user's browser. Many times, a proxy server also performs authentication to see who is requesting the Web pages and also logs the pages that are requested and the user they are from.

    What is NAT?

    NAT is Network Address Translation. NAT is usually used to translate from real/global/public Internet addresses to inside/local/private addresses. These private addresses are usually IP addresses in the ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

    NAT provides some security for your network, as you do not have a real Internet IP address and your network, usually, cannot be accessed from the Internet without some outbound connection first being created from your private/inside network. However, you still need a firewall to protect your network, as NAT only hides your network but doesn't really stop any packets from entering your network.

    Do firewalls stop Viruses, Trojans, Adware, and Spyware?

    No, in general, firewalls do not stop Viruses, Trojans, Adware, or Spyware. Firewalls, usually, only protect your network from inbound traffic from an outside (Internet) network. You still need antivirus software, anti-adware and anti-spyware software applications to protect your system when it does go out on the Internet.

    How do I know that my firewall is really protecting my network?

    Just like any security system, a firewall should, periodically, be tested. To test a firewall, you could have a professional security-consulting company do a security vulnerability scan. However, this is usually something you can do yourself. To do this, you could use a port-scanner or a more advanced tool like a vulnerability assessment tool (such as Retina, Saint, or ISS).

    What are the different types of firewalls?

    The different types of firewalls are:

    Packet filter: A packet filter looks at each packet entering the network and, based on its policies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a basic firewall that works in this way.

    Stateful packet filter: A stateful packet filter also has rules; however, it keeps track of the TCP connection state so it is able to monitor the conversations as they happen on the network. It knows the normal flow of the conversations and knows when the conversations are over. Thus, it is able to permit and deny packets entering the network more intelligently. Because of this, a stateful packet filter (stateful firewall) is much more secure than a regular packet filter.

    Application gateway: An application gateway is a system that works for certain applications only. It knows the language that that application/protocol uses and it monitors all communications. An example would be an SMTP gateway.

    Proxy Server: A proxy server performs network transactions on your behalf. The most common use for this is a Web-proxy server. A Web-proxy will take requests from users' Web browsers, get the Web pages from the Internet, and return them to the user's browser.
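    The difference between the packet filter and the stateful packet filter listed above, and the point made earlier that a stateful firewall can match an incoming packet to the outbound request it answers and block a packet masquerading as a response to a request that was never made, is shown below in an added example that is not part of the original text. The internal host address and the packets are constructed; the static filter imitates an ACL rule that admits any inbound TCP packet with ACK or RST set.

```python
# Added example (not from the original document): a static packet filter
# beside a stateful packet filter, run over constructed TCP packets.
from dataclasses import dataclass

INSIDE = "192.168.1.10"   # assumed internal host (private address, as in the NAT FAQ)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False
    fin: bool = False
    rst: bool = False
    inbound: bool = False   # True when the packet arrives from the untrusted side

def static_filter(p: Packet) -> bool:
    """Static filter in the style of an ACL 'established' rule: admit inbound
    TCP whenever ACK or RST is set, because it *looks* like a reply.  A forged
    ACK aimed at a port with no session behind it passes this check."""
    if not p.inbound:
        return True
    return p.ack or p.rst

class StatefulFilter:
    """Keeps a table of sessions opened from inside; an inbound packet is
    admitted only if it matches an open session, whatever flags it carries."""
    def __init__(self) -> None:
        self.sessions: set = set()   # (inside_ip, inside_port, remote_ip, remote_port)

    def decide(self, p: Packet) -> bool:
        if not p.inbound:
            key = (p.src, p.sport, p.dst, p.dport)
            if p.syn and not p.ack:      # beginning of a session: create state
                self.sessions.add(key)
            elif p.rst:                  # our side aborted it: forget the state
                self.sessions.discard(key)
            return True
        key = (p.dst, p.dport, p.src, p.sport)   # reversed tuple for replies
        if key not in self.sessions:
            return False                 # unsolicited "response": no matching request
        if p.rst or p.fin:               # end of the session seen from outside
            self.sessions.discard(key)   # (simplified: real trackers also age entries out)
        return True
```

    The forged ACK to port 22 is admitted by the static filter and refused by the stateful one, and once the remote side resets the session the stateful filter refuses further "replies" for it too.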

    What do VPNs have to do with firewalls?

    Virtual Private Networks (VPN) are used to encrypt traffic from a private network and send it over a public network. Typically, this is used to protect sensitive traffic as it goes over the Internet. Many times, you will have a VPN encryption device combined with a firewall, as the private network traffic that is being encrypted also needs to be protected from hackers on the public network.

    If I have a firewall, do I have a DMZ?

    No, you do not necessarily have a DMZ (Demilitarized Zone) if you have a firewall. A DMZ is a network that is semi-protected (not on the public network but also not on the fully-protected private network). Many hardware firewalls create a DMZ for public mail servers and Web servers. Most small networks or homes do not have DMZ networks. Most medium-to-large corporate networks would have a DMZ.

    What are IDS and IPS? Also, what do they have to do with firewalls?

    An Intrusion Detection System (IDS) monitors for harmful traffic and alerts you when it enters your network. This is much like a burglar alarm.

    An Intrusion Prevention System (IPS) goes farther and prevents the harmful traffic from entering your network.

    IDS/IPS systems recognize more than just Layer 3 or Layer 4 traffic. They fully understand how hackers use traffic to exploit networks and detect or prevent that harmful traffic on your network. Today, many IDS/IPS systems are integrated with firewalls and routers.

    What is a DoS attack and will a firewall protect me from it?

    A Denial of Service (DoS) attack is something that renders servers, routers, or networks incapable of responding to network requests in a timely manner.

    Firewalls can protect your network and its servers from being barraged by DoS traffic and allow them to respond to legitimate requests, thus allowing your company to continue its business over the network.

    How do you configure, monitor, and control a firewall?

    As there are many different types of firewalls, there are also many different types of firewall interfaces. You could have a command line interface (CLI), a Web-based interface, or some other proprietary program that is used to configure the firewall. For example, with Cisco PIX firewalls, you can configure them with the CLI interface (called PixOS), or the PIX Device Manager (PDM), a Java-based interface that works with a Web browser.

    How do I know what firewall I should use?

    The size of the firewall you choose is usually based on the volume of traffic your network links receive or the bandwidth of your network links. You also must take into consideration other things for which you might be using the firewall, such as VPN, IDS, and logging.

    What are some new features to look for in firewalls?

    Firewalls, today, are offering more and more features built into the firewall. Some of them are: intrusion prevention, hardware-based acceleration, and greater recognition of applications (moving up the OSI model towards layer 7).

    How can I configure an inexpensive firewall?

    There are a wide variety of firewalls available today. Perhaps the most basic firewall is the personal PC firewall, such as that built into Windows XP. Next come more advanced PC software firewalls, like ZoneAlarm Pro or BlackICE. There are midrange firewall solutions like Microsoft ISA or hardware firewalls. Next on the scale are large Cisco PIX or Check Point firewalls used for large businesses or Internet Service Providers.