1.It Security

8/10/2019 1.It Security

1/29

SECURITY & FIREWALL


2/29

Security & Firewall

CHAPTER 4

SECURITY & FIREWALL

CONTENTS

VARIOUS METHODS OF SOCIAL ENGINEERING

SITUATIONS TO WATCH OUT FOR

WAYS THAT INFORMATION CAN BE GLEANED FROM

EMPLOYEES.

VARIOUS WAYS TO SECURE THE USERS COMPUTER AND

NETWORK ACCESS

ENFORCED POLICIES

ENCRYPTION AND AUTHENTICATION

FIREWALLS.

INCIDENCE RESPONSE PLAN

DEAL WITH AN INCIDENT WHEN IT HAPPENS

TEST THE PLAN BEFORE AN ACTUAL INCIDENT OCCURS.

BRBRAITT, Jabalpur Ch.4/1


3/29

Security & Firewall

CHAPTER 4

SECURITY & FIREWALL

OBJECTIVES

After completion of this module you will be able to know:

various methods of social engineering

situations to watch out for

to reduce the number of ways that information can be gleaned from employees.

various ways to secure the users computer and network access

enforced policies, encryption and authentication, and properly configured and

installed firewalls.

how to formulate an incidence response plan how to deal with an incident when it happens

how to test the plan before an actual incident occurs.

In a world where security has become an enormous factor and network administrationmust cover everything from desktop support to business continuity planning, the scope of

IT duties has widened and budgets have narrowed.

This lesson covers several different aspects of security to help you find ways to keep your

network safe by spotting potential risks in the user environment before an incidenthappens and showing you how to handle a security problem, should it occur. The lesson

also helps you evaluate your disaster recovery plan. It guides you through social

engineering, safe telecommuting, and the pitfalls of wireless LAN, and then takes youthrough incident response, disaster recovery.

SOCIAL ENGINEERING

You see new articles about network security and vulnerabilities in software and hardware

every day. This visibility has caused security to become a priority in most companies.

Efforts to make sure the network is secure generally focus on how to implement hardwareand software such as intrusion detection, Web filtering, spam elimination, and patch

installation.

One of the biggest threats of which we, as security professionals, are often unaware and

cannot control is social engineering. There's very attention paid to the person-machineinteraction. This lesson focuses on some of the methods of social engineering that are

commonly used to obtain information that can enable an intruder to penetrate the best

hardware and software network defenses.

Social engineering is a method of obtaining sensitive information about a office throughexploitation of human nature. It's an attempt to influence a person into revealing

information or acting in a manner that would disclose information that normally would

not be provided. It's based on the trusting side of human nature and people's desire to be



4/29

Security & Firewall

helpful. Social engineering is hard to detect because you have very little influence over

lack of common sense or ignorance on the part of employees. Business environments arefast paced and service oriented. Human nature is trusting and often naive.

Before we get into the methods of social engineering, let's look at the planning of an

attack. An intruder seldom decides to infiltrate an office randomly. The attack is usually

very methodical.

A social engineering attack is very similar to the way intelligence agencies penetrate theirtargets:

Gather intelligence.

Select a specific vulnerable area as the entry point.

Execute the attack.

In the intelligence-gathering phase, the attacker can find readily available information

through the following:

Dumpster diving

Web pages

Ex-employees

Vendors

Contractors

Strategic partners

This information is the foundation for the next phase, in which the intruder looks for

weaknesses in the organization's personnel. Some of the most common targets are people

who work the following: Help desk

Tech support

Reception

Administrative support

These employees are most likely to be affected by an intimidation type of attack

(discussed later), simply because they handle a large volume of calls and they're trained

to deliver good customer service.

The last phase is the attack, also commonly known as the con. There are three broadcategories of attacks:

Ego attacks

Sympathy attacks

Intimidation attacks

These attacks are discussed in further detail a little later in this lesson.



5/29

Security & Firewall

ATTACK ON THE PHYSICAL LEVEL

There are two levels at which social engineering occurs: the physical level and the

psychological level. Let's first look at the physical level, which is looking for informationin ways other than direct contact with the office or anyone in the office. We'll start with

dumpster diving.

Dumpster diving

As humans, we naturally seek the path of least resistance. Instead of shredding

documents or walking them to the recycle bin, we often throw them in the nearest wastebasket. Equipment sometimes is put in the garbage. Intruders know this, so they often

don't even have to contact anyone in the office in order to extract sensitive information --

they can find it all in the office's dumpsters. This is known as dumpster diving. Again,this is the path of least resistance -- no phone calls, no visits, simply look through the

garbage.

Anyone looking to extort money from the office or to steal identities could have easily

made hundreds of thousands of rupees from the information they could have gleaned inthose dumpsters. They would have had access to Social Security numbers, addresses, and

a wealth of personal and financial information. This incredible security breach not only

jeopardized the clients, but upon release of the story in news papers, the office stockplummeted and lawsuits ensued.

In any office, the potential for this type of information access is huge. What happens

when an employee is leaving the office? He cleans out his desk. Depending on how long

the employee has been there, what ends up in the garbage could be a goldmine for anintruder. Other potential sources of information that are commonly thrown in the garbage

include

Old office directories

Old QA or testing analysis

Employee manuals

Training manuals

Hard drives

Floppy disks

CDs

Printed e-mails

TIP

All these items should be disposed of properly. You should formulate a policy ondestruction of data. The safest policy is to physically destroy the media and the

information stored on it. Destruction is the only safe method of completely removing all

traces of information stored on a removable media device. All paper-generatedinformation should be shredded and/or taken away by a bonded destruction office.



6/29

Security & Firewall

Web pages

The Web pages of an office are a great place to find out information and organizational

structure. Many companies also include the biographies of top executives. Thisinformation can be used to impersonate that person or someone who is an associate of the

executive.

For example, you could call an office and ask the receptionist for Manohar. She tells you

that Manohar is out of the office until Monday. You ask who is in charge until he returns.You are told Mary. You leave a message for Mary, requesting information that she would

have access to, saying you're working with Manohar and he said she could fax or e-mail

the information you need while he's out of the office.

Additional methods of trickery

Another form of getting information is for an intruder to get employees to enter a contest.Say, for example, that you got an old office directory through dumpster diving. You

could then send a contest letter to all employees asking them to register online at your

Web site. Because many users use the same password for various accounts, it's likely thatyou would get some network passwords from the employees who register for the contest.

E-mail social engineering is done by tricking someone into believing that the e-mail is a

legitimate request. Social engineering involves knowing the target and this includes

knowing the e-mail addresses of your target. For instance the I LOVE YOU virus usesthe social engineering technique. This virus created so much damage because it used an

emotion-triggering subject, I LOVE YOU.

WARNING

E-mail social engineering is a much more direct means of gaining access to a system

because attachments can launch worms, viruses, and back doors.

Ex-employees are a great source of information on the inner workings of a office,especially if they left the office under unhappy conditions. Vendors, contractors, andstrategic partners are another fantastic source of information. It's easier to impersonate

someone from another office than it is to impersonate an employee.

ATTACK ON THE PSYCHOLOGICAL LEVEL

These categories of attacks -- ego, sympathy, and intimidation -- are all on the

psychological level of social engineering. This means that the intruder appeals to the

employee through the use of emotion.

Let's examine each of these attacks.

Ego attacks

An ego attack is perhaps one of the favorite types of social engineering attacks simply

because you know that as network administrators, we all have big egos. The attacker

appeals to the vanity, or ego of the victim. The victim wants to prove how smart or

knowledgeable he is and unthinkingly provides sensitive information. We're all anxiousto show how much more we know than the next person or how much better our

equipment is than theirs. The perfect scenario for this type of engineering is a user group



7/29

Security & Firewall

meeting held after work. You know of several groups that meet once a month or so after

work in some of the local clubs. Mix egos and guess what happens?

It's amazing what employees will reveal without a whole lot of coaxing. How many ofthe employees are unwitting revealing information in social settings without realizing

who they are talking to?

This can happen in any type of social setting. For example, suppose you attend a birthday

party for a friend. Some of the other attendees are also in the field and the topic ofconversation turns to servers. Everyone is comparing equipment. You'll know what

operating systems are running, what kind of equipment is running on each, and what

issues each one is having.

Talking about our jobs and comparing problems are simply part of human nature, and egoattack victims never realize what has happened, but the information extracted can be

extremely dangerous in the wrong hands.

Ego attackers also target those they sense are frustrated with their current job position.

Unhappy employees are very likely to reveal information with little prodding becausethey feel mistreated.

Attackers also have been known to pretend to be law enforcement officials, and their

victims feel obliged and sometimes even honored to help them by providing information.

Sympathy or intimidation attacks

The following are all examples social engineering that either use intimidation or prey onsympathy:

You receive a call from someone saying he's a General Manager. He states thathe's in real trouble. He's attempting to do a presentation for Microsoft and has

forgotten his password; therefore he can't log into the Web site to do the

presentation. He just changed it yesterday and can't remember what it is. He needsto have it right away because he has a room full of clients waiting and he's

starting to look incompetent. This is an extremely important client that could

mean millions of dollars in revenue for the office.

Someone you have never seen before approaches you as you're entering a secured

building. She has her hands full carrying coffee and doughnuts. She smilessweetly and says she has her ID badge in her pocket, but just doesn't seem to have

an extra hand to swipe the card and still carry all she has. She asks that you please

hold the door for her.

You receive a call from the corporate office saying that a new mail server is being

put into place and there's an immediate need to verify current user accounts andpasswords. You are told that it's not safe to send this information via e-mail, and

are asked to please print it off and fax it directly to a number given to you. You're

told that the number is a direct line for the person putting the new server intoplace.



8/29

Security & Firewall

These attacks are very successful because our business needs change daily and we live ina fast-paced world. This type of attack plays on the empathy and sympathy of the victim,

and an attacker can shop around until he finds someone who will help.

Here are some social-engineering approaches an intruder can use to get information:

Pretends to be a fellow employee or a new hire, contractor, or a vendor.

Insists there's some urgency to complete some task or obtain some information.

Needs assistance or he will be in trouble or lose his job.

Pretends to be someone influential, an authority figure, or, in some cases, a law

enforcement official, and uses that authority to coerce the victim into cooperation.

If met with resistance, uses intimidation and threats such as job sanctions or

criminal charges.

If pretending to be law enforcement officer, claims the investigation is hush-hush

and not to be discussed with anyone else.WARNING

Employees can exploit social engineering just as well as outsiders. Keep in mind thatmore damage is done to a network by disgruntled employees than by outsiders.

You'll learn how to recognize a social engineering situation shortly. Here's a scenario that

actually happened:

A user came to a network administrator with his laptop and requested that it be joined to

the domain. The administrator logged the user off the laptop, logged in as himself, andjoined the laptop to the domain. So, what's wrong with that? The user had keystroke

logging software installed on the laptop. He proceeded to go back to his work area, read

the log file, log in as the administrator, browse to the main server, and copy the SAM(Security Accounts Manager) to a file. (For those of you unfamiliar with the SAM, it

holds user account information that includes usernames and passwords.) He took the file

home and that evening ran L0phtCrack, which is password-cracking software, on the file.The next day, he had the logins and passwords for every user in the office. He

periodically logged in as other users and accessed information he should not have. As

time went by, he got bolder, logging in as the administrator and shutting down services,causing problems on the network. Eventually, his bragging got him into a bind and he

was dismissed for his actions. The best way to avoid this type of situation is to never join

a machine to the domain from a user's machine. The account should be created at the

server console instead.

Learn to recognize a social engineering situation

Well, now that you know about the methods of social engineering, it's time to look at

how to spot a potential situation. To keep from becoming a victim, you should know how

to recognize an intruder. You can be neither suspicious nor trusting of everyone, so wheredo you draw the fine line?



9/29

Security & Firewall

Remember the Manohar scenario from earlier in this lesson? If the office had a policy

requiring employees to obtain contact information when a call comes in for an out-of-the-office employee, one sign to look for would be refusal to leave contact information. In

this example, the receptionist simply states that Mr. Manohar is out of the office, and then

asks for your name and a number at which you can be reached, and what the call is in

regard to, so that your call may be properly returned. If you're an intruder, would youleave this information? Not likely. If you're a persistent intruder, you may press the

receptionist for information such as when Mr. Brown will return and who is in charge in

his absence, and act irate. This type of behavior is also a concern. The caller isdeliberately avoiding giving out information about him while trying to push the

receptionist into giving out more information about the employee.

What about someone who is rushing or is in a big hurry? We are all busy people; you're

in as big hurry as the next person. Look out for someone who tries to breeze by you asyou're entering a secure building. She may strike up a conversation, and then say she's

late for a big meeting and doesn't have time to be fishing for her ID badge, so she'll just

come in with you. If you allow this, you may be admitting an intruder into the building. A

genuine employee understands the security issue and finds her ID badge for admittance.

Name-dropping is often used to impress the people you are conversing with. Many folks

like to drop names -- it makes them feel more important. In social situations like the ones

described earlier, many a conversation begins with, "The other day I was talking to so-and-so." If the speaker is talking about someone in your office, you get the feeling that he

knows something about what is going on in your office and that you might trust him.

Instead of proceeding to discuss the office, which is what the intruder wants, you may

want to ask him questions such as how do you know so-and-so to get a feel for whetherthe person is being truthful or not. Of lesson, if he starts acting uneasy at the questions

you're asking, you know that he's a potential intruder.

Intimidation is one of the best ways to get information out of people, especially frompeople who tend to be timid by nature. Employees should be able to address intimidation

situations without fear of punishment for not giving excellent customer service if they askadditional questions or for more information.

Odd questions or asking for classified information can also be a dead giveaway that

someone is fishing for attack information. In the situation where the vice president

needed a password, the approach should be that this is a potential intruder and not a vicepresident.

Good practices can neutralize many of these social engineering situations. We'll discuss

these practices next.

Promote practices that prevent attacks

The impact of social engineering and the ease of an attack are usually high. Technical,operational, and environmental controls individually will not prevent attacks. You need a

combination of all three along with user awareness training. Here's a list of items that can

be useful in preventing social engineering attacks:

All employees should have a security mind-set and be able to question situations

that do not seem right.



10/29

Security & Firewall

Cleaning crews should search the wastebaskets for sensitive information and turn

it over to management.

Policies need to be in place for data destruction, including paper, hard drives,CDs, disks, and so on.

Implement self-service password management to address weaknesses with helpdesk and password administration.

Employees should have continued training in security awareness.

Require all guests to sign in, wear a guest badge, and be escorted within the

office.

Have shredders located in convenient areas or hire a reputable office to pick upand shred documents.

Extra security training in the area of social engineering and office security

policies should be provided for security guards, receptionists, and help desk

employees. Put policies in place for how to handle situations where an unknown person tries

to slip in with a legitimate employee (called tailgating). Be sure that all employees

know the policy and enforce it.

Instruct employees on what can and cannot be discussed in social settings outsideof work.

Encrypt information on desktops, laptops, and PDAs.

Have polices regarding e-mail and voice mail notifications for employees on

vacation or out of the building for a period of time.

Have incident response teams to lessen the damage if a breach occurs.

Apply technology where possible such as biometrics or electronic security

badges.

Test your defenses periodically.

This by no means covers everything or all situations. The important factors to rememberare that there must be policies in place and that all employees must be aware of these

policies. Training must start as soon as the job begins. Employees should know they play

a part in the security of the office and that their jobs depend on their vigilance.

You're faced with customer service and courtesy issues everyday. Technology cannot

control these situations. We all must rely on each other to use our best judgment whenrevealing information about our office and ourselves. Remember, the best defense is a

good set of policies, proper education, and continued awareness training.

SECURE COMPUTER AND NETWORK

We have seen the ways in which an intruder can use social engineering to attack anetwork. Here, you'll see how an intruder can use a telecommuter's computer to attack

your network and how you can make that computer more secure.



11/29

Security & Firewall

Many IT professionals work from home at least part of the time. All of this makes for a

flexible work environment. That flexibility can also cause the IT professional a hugeheadache, because you have no control over what goes on in the confines of an

employee's home. There were strange incidents happening on the network. A cracker had

accessed the network and was wreaking havoc. No matter what this administrator did to

change and tighten security, the cracker always got back in. Eventually it was discoveredthat the cracker was getting into the network through the administrator's home machine,

which was always left on and connected to the Internet.

With information security, you cannot allow even the top leaders to sidestep or ignore

policy. An employee cannot be allowed to work at home until the home machine issecured. This should part of the security policy and all employees should have signed a

statement to that fact when they were hired. Should you find yourself in this situation, it

must be passed to the next level of management or someone who manages security.

UNDERSTAND THE HOME ENVIRONMENT

What happens employees are allowed to work from home? They're given a office

machine or allowed to use their own, IT sets them up to access the network, and then weforget about them.

Let's consider a few factors about telecommuting employees. After all, they're doingoffice work. Most of them have children or spouses who use the same computer that they

use to access the work environment. Employees who have more that one computer

usually set up a home network. Those who care about their home aesthetics or don't wantto pull wire set up wireless networks at home.

Here are a few scenarios, each of which poses a threat to the work environment:

A office engineer has a daughter and a son who each have a laptop. The engineer

purchases a wireless router and hooks up all the machines -- including the work machine

-- so that all the machines can use the high-speed Internet connection.

One of the reasons that wireless is so popular with home users is that you can just plug it

in and have it start working. In this scenario, then, there's little probability that the

engineer enabled WEP (Wired Equivalent Privacy) on the laptops, so the computers are

left vulnerable because the information is sent in clear text.

An employee's home workstation is running Windows 98. (In all operating systems prior

to Windows NT, all passwords are stored in the .pwl file.) The Internet connection is

always on, because the children want Internet access on that computer, especially in the

summer when school's out. The virus software is disabled because it interferes with thechildren's favorite game.

In this situation, the always-on connection leaves the machine open to. The .pwl file can

easily be accessed for a list of passwords, and disabling the virus software leaves the

unguarded against viruses.

You've installed keystroke-logging software to track where your children have been on

the Internet, because many times they use your computer unsupervised. This software

runs constantly.



12/29

Security & Firewall

You've made it extremely easy for a cracker to get your password to the network, because

all he has to do is read the log file. This is a giveaway -- he has no work to do becauseyou've done it for him. Keystroke logging software should not be used on a machine that

has been supplied by the employer unless the employer had installed it and is aware that

it's on the machine.

You are constantly having issues with your computer because you let your children use it.What do you think the chances are that someone has already penetrated the network

where he works and is slowly stealing information or planting maladies?

Establish effective policies

Every office should have policies in place to protect the network from attacks via home

users. These might include the following:

Requiring the employee to notify IT immediately if he changes his homeconnection from dial-up to high speed, so that policies and procedures can be

addressed.

Not permitting an office-owned PC to be used for other purposes or byunauthorized individuals.

Not allowing virus protection software to be disabled, and requiring that it beupdated regularly.

Requiring immediate disconnection from the network and immediate support

contact in the event that the machine contracts a virus.

Requiring the use of a firewall, and not permitting it to be disabled.

Requiring that the machine be either disconnected from the network and the

Internet or turned off completely when the employee finishes working for the day.

Mandating that a boot disk be handy in the event a virus renders the machineunusable.

Requiring that data be backed up if the employee is storing office information on

a home computer.

Requiring that the operating system and all applications on the machine be kept

up to date.

TIP

Post information about patches and updates, whether the IT department supplies them or

the employee is expected to acquire them on his own. Posting provides no excuse for an

employee failing to comply.

Requiring strong passwords.

Requiring that non work-related shares be turned off.

Mandating that auditing be turned on (if the operating system allows).



13/29

Security & Firewall

Although it may seem like a lot of work, it's worth your while to periodically send

questionnaires to all employees working from home who are using office computers. Themain information you want from the employees is:

The operating system and version

All applications installed and their versions The type of Internet connection

The location of the emergency boot disk

How many other machines are using the Internet connection

Any hardware changes

Then compare the current responses with the condition in which the machine left the

office. If this is done on a regular basis, you will soon be able to tell who is using thecomputer strictly for work purposes and who is not. Often, what you'll find is that

children use the computer to play games and download music files. These require the

installation of additional programs. They also take up disk space and may require bettervideo cards as well as extra memory.

With policies in position, let's see how machines can be set up to securely connect to the

work environment from home.

SECURE HOME MACHINES

As you learned in the previous section, you really have very little control over the homeuser. Even with good policies in place, there's no guarantee that telecommuters will

follow them. What you can control is how the telecommuters connect to your network,

and that's what we'll discuss now.

When you allow telecommuters to access your network, they usually do so by firstconnecting to the Internet and then connecting to the network A VPN (Virtual Private

Network) is a network connection that permits access via a secure tunnel created through

an Internet connection. Using an Internet-based VPN connection is very popular for

several reasons:

Users in an organization can dial a local Internet access number and connect tothe corporate network for the cost of a local phone call.

Administrative overhead is reduced with a VPN because the ISP (Internet Service

Provider) is responsible for maintaining the connectivity once the user isconnected to the Internet.

There are various security advantages to using a VPN, including encryption,encapsulation, and authentication.

For users who travel, a local access number usually is available. If possible, you should

provide this information to employees who travel -- it saves phone calls to the help deskand enables them to test the numbers before they have to give presentations.

Figure 1 shows how a VPN works. Setting up the users' computers (clients) to connect to

the server is a two-step process:



14/29

Security & Firewall

Figure 1: VPN remote access over the Internet.

Establish an Internet connection. This can be dial-up or broadband.

Connect to the VPN server. This involves dialing another connection.

Once the client is setup, it can use the VPN. Here's how a client uses a VPN to access acorporate LAN through the Internet:

The remote user dials into his local ISP and logs into the ISP's network.

The user initiates a tunnel request to the server on the corporate network. Theserver authenticates the user and creates the other end of tunnel.

The user then sends data through the tunnel, which is encrypted by the VPN

software before being sent over the ISP connection.

The server receives the encrypted data, decrypts it, and forwards it to thedestination on the corporate network. Any information sent back to the remote

user is encrypted before being sent over the Internet.

VPNs provide great opportunities for employee productivity while reducing long-

distance charges, and a good VPN guarantees privacy and encryption. But it isauthentication that ensures the integrity of the data.

We've discussed the situations that home users get themselves into and how easily

passwords can be breached on unsecured machines. In order for a VPN to provide the

level of security that's intended, a solid means of authentication must be established. Thisbrings us to two-factor authentication.

In two-factor authentication, a user must supply two forms of ID before she can access a

resource: one is something she knows, such as a password, and the other is something she

has or is. For example, you may be required to type password and place your thumb on athumbprint scanner to properly identify yourself. Figure 2 illustrates this type of

authentication.

Figure 2: Two-factor authentication.



15/29

Security & Firewall

The most common form of this type of authentication is a smart card. The security in this

authentication is that both are need for validation. If the card is stolen, or the PIN isdiscovered, neither one of these alone can enable someone else to log on as the user.

Smart card readers are attached to a computer port and a digital certificate is downloaded

to activate the card. Smart card logon requires the user to insert the card and enter a PIN

in order to log on.

Understand tunneling

The purpose of a VPN is to secure your network communications. There are two broadcategories of tunneling:

Voluntary

Compulsory

In voluntary tunneling, the situation is as described earlier and shown in Figure 2-1. The

cable modem dials the ISP, and the user is then connected to the VPN server via the

Internet.

In compulsory tunneling, the tunnel is set up between two VPN servers that act as routersfor network traffic. This type of tunnel is most useful for connecting a remote office with

its own network to a central office. Sometimes as an office is growing, it allows

employees to run offices out of their homes with those employees hiring several people towork for them, or it may be in the situation where a contractor works out of an office that

is shared by other contractors. Figure 3 shows an example of this type of tunneling.

Figure 3: Compulsory tunneling.

This type of server would be placed in a larger office but remote users and travelingemployees could create a connection with a local or corporate VPN server instead of

connecting to an ISP first, thus eliminating the need to supply traveling employees with a

list of local numbers for the ISP.

WARNING

Tunneling should not be used as a substitute for encryption. The strongest level of

encryption possible needs to be used within the VPN.

Let's take a look at personal firewalls that can be installed to help detect intrusions in

home computers.



16/29

Security & Firewall

Examine personal firewalls

The potential for crackers to access data through the telecommuter's machine has grown

substantially, and threatens to infiltrate our networks. Cracker tools have become moresophisticated and difficult to spot. Always-connected computers, typically with static IP

addresses, give attackers copious amounts of time to discover and exploit system

vulnerabilities. How can a user know when his system is being threatened?

You can help thwart attacks by making sure that all telecommuters have firewallsinstalled on their systems. Firewalls come in two varieties: software and hardware. Like

most other solutions, each has strengths and weaknesses. By design, firewalls close off

systems to scanning and entry by blocking ports or non-trusted services and applications.

Software firewalls

Software firewalls are more flexible in that they enable the user to move from network to

network. Typically, the first time a program tries to access the Internet; a software

firewall asks whether it should permit the communication. You can opt to have the

firewall ask the user each time the program tries to get online. The prompts usually get soannoying that most users end up making hasty decisions with little more information than

they originally had. Another danger is that firewall filtering can get too complicated for

the average user to fix easily, which makes users reluctant to deny permission toanything. There should be help available to telecommuters to aid in configuring these

types of firewalls. Its one thing to say that telecommuters have firewalls, but quite

another to ensure that those firewalls are correctly configured.

Here's a list of the most commonly used software firewalls:

McAfee.com Personal Firewall

Norton Internet Security

Sygate Personal Firewall

ZoneAlarm

BlackIce

Tiny Personal Firewall

Hardware firewalls

Hardware firewalls provide an additional outer layer of defense that can more effectively

hide one or more connected PCs. There are inexpensive router appliances that movetraffic between the Internet and one or more machines on home networks, which simply

hide the IP addresses of PCs so that all outgoing traffic seems to come from the sameaddress. Recently, router manufacturers have been including actual firewalls that blockinappropriate inbound and outbound traffic making these a much better choice.

In general, the average user will like the nature of hardware solutions because they

operate in the background without generating as many queries and alerts as software

firewalls. In addition, the physical installation is easy, but the normal home user won'tknow how to configure the firewall should the default settings not be strong enough.



17/29

Security & Firewall

Remember that even a good firewall cannot protect the user if he does not think before he

downloads or does not exercise a proper level of caution. No system is foolproof, but theright combination of hardware, software, and good habits can make your telecommuters'

computing environment safer.

INTRUSION DETECTION

We will see what actually happens when your network is invaded or damaged. Wedevelop and deploy hardware and software in such an extremely quick fashion to meet

the demand of business and home consumers that we don't always take the time to be

sure that these technologies are properly tested and secured. This puts our networks at

risk not only from the professional cracker but also from curious or disgruntledemployees.

Let's first look at intrusion detection and intrusion prevention systems that can help spot a

potential intrusion.

Examine intrusion detection systems

One of the best ways to catch an intruder before too much damage is done is throughIDSs (intrusion detection systems), which are designed to analyze data, identify attacks,

and respond to the intrusion. They're different from firewalls in that firewalls control the

information that gets in and out of the network, whereas IDSs can identify unauthorizedactivity.

Intrusion-detection systems are also designed to catch attacks in progress within the

network, not just on the boundary between private and public networks. The two basic

types of IDSs are network based and host based. As the names suggest, network-basedIDSs look at the information exchanged between machines, and host-based IDSs look at

information that originates on the individual machines. Here are some specifics:

Network-based IDSs monitor the packet flow and try to locate packets that mayhave gotten through the firewall and are not allowed for one reason or another.

These systems have a complete picture of the network segment they areconfigured to protect. They see entire network packets, including the header

information, so they're in a better position to distinguish network-borne attacks

than host-based IDS systems are. They are best at detecting DoS (Denial ofService) attacks and unauthorized user access. Figure 4 details a network-based

IDS monitoring traffic to the network from the firewall.



18/29

Security & Firewall

Figure 4: Network-based IDS.

Host-based IDSs (sometimes called HIDSs) monitor communications on a host-

by-host basis and monitor traffic coming into a specific host for signatures thatmight indicate malicious intention. They also monitor logs to find indications that

intrusions or intrusions attempts are going on, and some of the HIDSs also

monitor system calls and intercept them. These types of IDSs are good atdetecting unauthorized file modifications and user activity.

Network-based IDSs try to locate packets not allowed on the network that the firewall

missed. Host-based IDSs collect and analyze data that originates on the local machine or

a computer hosting a service. Network-based IDSs tend to be more distributed.

Host-based and network-based approaches are complementary to each other because they

have different strengths and weaknesses. Many successful intrusion detection systems are

built using mixes of both, and ultimately, this is what network administrators shouldconsider for their own environments.

When an IDS alerts a network administrator of a successful or ongoing attack attempt, it's

important to have documented plans for incident response already in place. There are

several forms of response, including the following:



19/29

Security & Firewall

Redirecting or misdirecting an attacker to secured segmented areas, allowing him

to assume that he has been successful. This serves two purposes: it prevents

access to secured resources and gives you time to trace or track the intruder.

ICE (Intrusion Countermeasure Equipment) can be used to provide automatic

response in the event of intrusion detection. ICE agents have the capability to

automatically lock down a network or to increase access security to criticalresources in the event of an alert.

After identification of an attack, forensic analysis of infected systems can detectinformation about the identity of the attacker. This information may then be used

to direct the attention of the proper authorities.

Later, analysis of successful intrusions should be used to harden systems againstadditional attempts of the same nature. Planning should include access restrictions in

addition to making the network less desirable to potential attackers.

Explore intrusion prevention systems

IDSs alert IT system administrators to potential security breaches within the perimeter ofa network environment, which is a good start. The problem with them is that they're

passive and reactive. They scan for configuration weaknesses and detect attacks after

they occur. When an attack occurs, it's reported, and combinations of antivirus and

intrusion detection vendors develop a rapid solution to distribute, but by that time, theattack has delivered its payload and paralyzed the network or several networks. In fact,

the damage is often already done by the time the IDS alerts you to the attack.

Intrusion prevention software differs from traditional intrusion detection products in that

it can actually prevent attacks rather than only detecting the occurrence of an attack. IPSarchitectures serve as the next generation of network security software that is proactive.

Host-based IPS will become increasingly popular in the next few years, possibly pushinghost-based IDS out of the picture.

Intrusion prevention offers considerable advantages:

It actually secures internal resources from attacks based inside the network byrestricting behavior of potentially malicious code, providing a record of attack,

and notifying enterprise security personnel when an attack is repelled.

It defines appropriate behaviors and then enforces those behaviors on every end-

user desktop and network server across an enterprise. By looking at system and

application behavior and defining which actions are legitimate and which aresuspect, an IPS can stop an errant system action when it attempts to do something

that is not in the realm of expected behavior.

Rules can be configured to control which type of actions applications can perform

on files and system resources. As an intelligent agent, these run by intercepting

system actions, checking rules, and then allowing or denying the action in

question based on those rules.



20/29

Security & Firewall

Statistical logging data can be used to generate reports that indicate overall

network health. IT staff can monitor how current rule sets are working and adjust

them, if necessary.

For an intruder, the real value of your network lies in key machines such as databaseservers and the information they contain. An intruder won't celebrate breaking through

your firewall if all it gets him is access to a couple of printers. The idea of intrusionprevention is to ensure exactly that. By allowing only certain behaviors on critical hosts,the technology leaves an intruder with little freedom to do anything malicious.

If you have a personal firewall such as Norton Personal Firewall or ZoneAlarm, you

may've already seen intrusion prevention in its simplest form. Recall from the above that

this type of software relies on rules and scanning to spot inappropriate activity. It usespredefined attack signatures, and it also learns what behaviors you'll allow every time

you click yes or no when an application wants to do something.

WARNING

Sometimes the data that is collected by these systems is overwhelming. When you start

trying to do something with the intrusion detection data, you realize the magnitude ofdeciphering or reading the data is well beyond the resources and time you want to put in

to make it effective.

Often, incidents happen even though you have firewalls and intrusion detection. So,

you've got ten thousand alarms going off, five of them are probably valid, two of themyou really need to do something about, but you don't have the time or the resources to

find what those five are and what the two really are. You end up doing nothing because

you don't know how to respond. Please do not let this happen. Make the time andresource to use these tools effectively.

Preventing actual damage to your company's business functionality is critical to

protecting today's open networks. Intrusion prevention technology serves as a strategy forthose who desire proactive and preventive security measures in the face of attacks.

No incident response solution is complete without a proper plan, so let's tackle that next.

PLAN YOUR INCIDENT RESPONSE

Incident response refers to the actions an organization should take when it detects an

attack, whether ongoing or after the fact. It's similar in concept to a DRP (disaster

recovery plan) for responding to disasters. Incident response plans are needed so that youcan intelligently react to an intrusion. More importantly, there's the issue of legal liability.

You're potentially liable for damages caused by a cracker using your machine. You must

be able to prove to a court that you took reasonable measures to defend yourself fromcrackers. Having an incident response plan definitely helps in this area. Unplannedapplication and operating system outages have become commonplace. When an incident

occurs, the last thing you should do is panic, which, of course, is exactly what happens if

there is no plan in place or you have no idea where it is.

Don't overlook the effect an incident has on employees. The interruption to the workplacenot only causes confusion but also disrupts their schedules. Proper planning should be

beneficial to customers as well as employees.



21/29

Security & Firewall

The components of an Incidence Response Plan should include preparation, roles, rules,

and procedures.

Prepare

Although the preparation requirements may be different for each office, some of thebasics should include:

A war room where the response team can assemble and strategize.

A response team that will handle all facets of the incident.

Contact information for the response team, vendors, and third-party providers.

Change-control policies, which are useful especially when an application or

operating system needs to be rolled back.

Software listing of the operating systems and applications being used so the scope

of the incident can be properly assessed.

Monitoring tools to determine the health of the machines.

Assign roles

The incidence response team is responsible for containing the damage and getting the

systems back up and running properly. These steps include determination of the incident,formal notification to the appropriate departments, and recovering essential network

resources. With this in mind, the team should comprise the following personnel:

Technical operations: Security and IT personnel

Internal communications support: Someone to handle management, employees,

and food for the response team (Yes, food is an important part of the response

process!)

External communications support: Vendor, business partner, and press handling

Applications development: Developers of in-house applications and interfaces

Create rules

Some basic rules should apply to the response team, which could include the following:

The entire team is responsible for the success of the incident handling.

No one on the team is allowed to leave until the incident is handled.

Everyone works from the war room. This is the central command post and

investigation takes place here.

Lastly, procedures need to be put into place. Let's discuss those procedures now.

Plan the procedures

Incidents happen from time to time in most of organizations no matter how strict security

policies and procedures are. It's important to realize that proper incident handling is just

as vital as the planning stage, and its presence may make the difference between being



22/29

Security & Firewall

able to recover quickly, and ruining business and customer relations. Customers need to

see that the company has enough expertise to deal with the problem.

Larger organizations should have an Incident Response Team. In the previous section, wediscussed the department members that should be assigned this task. Realize that this

team is not a full-time assignment; it's just a group of people who have obligations to act

in a responsible manner in case of an incident.

The basic premise of incident handling and response is that the company needs to have aclear action plan on what procedures should take place when an incident happens. These

procedures should include:

Conducting initial assessment: Identify the initial infected resources by getting

some preliminary information as to what kind of attack you are dealing with and

what potential damage exists.

Initial communication: Notify key personnel, such as the security department andthe response team.

Assemble the response team: Converge in the war room for duty assignment.Decide who will be the lead for the incident.

Initial containment of the incident: Diagnose the problem and identify potentialsolutions. Set priorities and follow them closely. The incident response team has

to be clear about what to do, especially if the potential damage is high.

Intrusion evaluation: Shoot the problem to additional teams if necessary. The key

is to understand what actually happened and how severe the attack was.

Collect forensic evidence: Gather all of the information learned about the incident

up to this moment and store it in a secure location on secure media, in case it's

needed for potential legal action.

Communicate the incident in public: Public communications may be subdivided

into several categories:

Law enforcement: An incident of large proportion or repetitive pattern should berelayed to municipal, provincial, or federal authorities.

Other companies: The incident may be reported to IT security companies for help

or notification to other companies.

Customers: Customers should be notified as soon as there is something to be said.

News media: If the company is large enough, and the event is worthy of a news

story, expect to be contacted by the media. There needs to be one personauthorized to speak to the media. Incident handling personnel must be aware of

this and direct all media queries to appropriate team member.

Restore service: Implement and test a solution. If it was an unknown attack orattack that is known to have ill effects on the system, it may be in the best

interests of the company to completely reinstall the system.

Monitor: Be sure that recovery was successful.



23/29

Security & Firewall

Prepare an incident report: Determine and document the incident cause and

solution. This report is an internal document that puts everything in perspective,

from the minute the incident was noticed until the minute the service wasrestored.

Calculate damage: The ultimate dollar figure should look beyond actual and

obvious losses associated with service outages and business interruptions toinclude all costs resulting from the incident, such as legal fees, loss of proprietary

information, system downtime costs, labor costs, hardware/software costs,

consulting fees, bad reputation, and publicity.

Summary and updates: Gather the entire security response team for a meeting andreview the process and timelines in detail making any modifications that are

necessary to the plan.

Periodic analysis: Check that the modifications made are appropriate.

This is a brief model and by no means is a complete plan. Every company must evaluate

its needs and plan accordingly. Once a plan is formulated, it must be tested, which bringsus to the last part of this lesson.

Test the plan

You formulate a plan, put it on a shelf, and when an incident happens, you realize there

are huge flaws in the plan. You forgot something or the person that you picked to dointernal communications support did an extremely poor job of handling his

responsibilities and left even though the rules for the team stated otherwise. The security

response team lead needs to be sure that every person onboard did the best they could andperformed the most appropriate action given the circumstances. This person also needs to

look at the situation to see if the overall strategy of the department is useful or where it

needs changing or fixing. The only way to do this before an actual incident is to test theplan ahead of time.

The approach taken to test the plan depends on the strategies selected by the company.

Many times tests are conducted by what are called Tiger Teams. This can be an outside

group of consultants. The tests are often conducted without notification to thedepartments involved in order to see how well the plan functions.

The following are key components of a testing plan:

Define the test purpose and approach: Specify the incident that is to be tested.

How a virus infection is handled will be different from how to handle a Denial ofService attack or a Web server defacement.

Identify the test team: Specify whether employees or outside consultants willconduct the test. No response team members should be on the test team because

they will be responsible for handling the incident.

Structure the test: Plan exactly what you want to accomplish and set up the

equipment in a testing environment.



24/29

Security & Firewall

Conduct the test: To be most effective, this should be done without prior

notification to the departments involved, because that is how incidents happen.

Analyze test results: Evaluate how well or poorly everyone responded and howeasily the incident was resolved.

Modify the plan: After a dry run, there are usually some modifications. Be surethey're implemented.

FIREWALL

CONTENTS

Various Generations of Firewalls

FAQ.

OBJECTIVES

After completion of this module you will be able to know:

The different Generations of Firewalls

Why firewall is needed?

Answers for FAQ

In its most basic terms, a firewall is a system designed to control access between twonetworks.

There are many different kinds of firewallspacket filters, application gateways, or

proxy servers. These firewalls can be delivered in the form of software that runs on an

operating system, like Windows or Linux. Or, these firewalls could be dedicatedhardware devices that were designed solely as firewalls.

UNDERSTAND THE EVOLUTION OF FIREWALLS

Learn how firewalls have progressed from simple packet filtering to more sophisticated

application-level filtering.

Webopedia.com defines a firewall as a system designed to prevent unauthorized accessto or from a private network. Although technically accurate, this definition tells us only

what a firewall doesand doesnt address the more important question of how it does it.

For administrators who are continually focused on keeping their networks secure, it ishelpful to take a closer look at the way firewalls function and how they have evolved in

recent years to better protect our corporate networks.

First-generation firewalls: Packet filteringStatic packet filters

One of the simplest and least expensive forms of firewall protection is known as static

packet filtering. With static packet filtering, each packet entering or leaving the network

is checked and either passed or rejected depending on a set of user-defined rules. Dealingwith each individual packet, the firewall applies its rule set to determine which packet to

allow or disallow. You can compare this type of security to the Gate-keeper at a club who



25/29

Security & Firewall

allows people over 21 to enter and turns back those who do not meet the age rule

requirements. The static packet filtering firewall examines each packet based on thefollowing criteria:

Source IP address

Destination IP address TCP/UDP source port

TCP/UDP destination port

For example, to allow e-mail to and from an SMTP server, a rule would be inserted into

the firewall that allowed all network traffic with a TCP source and destination port of 25

(SMTP) and the IP address of the mail server as either the source or destination IPaddress. If this were the only filter applied, all non-SMTP network traffic originating

outside of the firewall with a destination IP address of the mail server would be blocked

by the firewall.

Many people have asked the question, Is a router with an access list a firewall? Theanswer is yes, a packet filter firewall can essentially be a router with packet filtering

capabilities. (Almost all routers can do this.) Packet filters are an attractive option where

your budget is limited and where security requirements are deemed rather low.

But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing,where an intruder tries to gain unauthorized access to computers by sending messages to

a computer with an IP address indicating that the message is coming from a trusted host.

Information security experts believe that packet filtering firewalls offer the least securitybecause they allow a direct connection between endpoints through the firewall. This

leaves the potential for a vulnerability to be exploited. Another shortcoming is that this

form of firewall rarely provides sufficient logging or reporting capabilities.

STATEFUL PACKET INSPECTION

Within the same generation of static packet filtering firewalls are firewalls known asstateful packet inspection firewalls. This approach examines the contents of packets

rather than just filtering them; that is, it considers their contents as well as their addresses.

You can compare this to the security screener at an airport. A ticket validates that youmust be traveling from your source to your destination; however, your carry-on contents

must be checked to get to your final destination.

These firewalls are called stateful because they can permit outgoing sessions while

denying incoming sessions. They take into account the state of the connections theyhandle so that, for example, a legitimate incoming packet can be matched with the

outbound request for that packet and allowed in. Conversely, an incoming packetmasquerading as a response to a nonexistent outbound request can be blocked. By usingsomething known as session or intelligent filtering, most stateful inspection firewalls can

effectively track information about the beginning and end of network sessions to

dynamically control filtering decisions. The filter uses smart rules, thus enhancing the

filtering process and controlling the network session rather than controlling the individualpackets.



26/29

Security & Firewall

Basic routers typically do not perform stateful packet inspections unless they have a

special module. A dedicated firewall device or server (with software) is usually requiredwhen the level of security demands stateful inspection of data in and out of a network.

Although stateful packet inspection offers improved security and better logging of

activities over static packet filters, it has its drawbacks as well. Setting up stateful packet

examination rules is more complicated and, like static packet filtering, the approachallows a direct connection between endpoints through the firewall.

SECOND-GENERATION FIREWALLS: PROXY SERVICES

The next generation of firewalls attempted to increase the level of security between

trusted and untrusted networks. Known as application proxy or gateway firewalls, thisapproach to protection is significantly different from packet filters and stateful packet

inspection. An application gateway firewall uses software to intercept connections for

each Internet protocol and to perform security inspection. It involves what is commonlyknown as proxy services. The proxy acts as an interface between the user on the internal

trusted network and the Internet. Each computer communicates with the other by passing

all network traffic through the proxy program. The proxy program evaluates data sentfrom the client and decides which to pass on and which to drop. Communications

between the client and server occur as though the proxy weren't there, with the proxy

acting like the client when talking with the server, and like the server when talking with

the client. This is analogous to a language translator who is the one actually directing andsending the communication on behalf of the individuals.

Many information security experts believe proxy firewalls offer the highest degree of

security because the firewall does not let endpoints communicate directly with one

another. Thus, vulnerability in a protocol that could slip by a packet filter or statefulpacket inspection firewall could be caught by the proxy program. In addition, the proxy

firewall can offer the best logging and reporting of activities.

Of course, this security solution is far from perfect. For one thing, to utilize the proxy

firewall, a protocol must have a proxy associated with it. Failure to have a proxy mayprevent a protocol from being handled correctly by the firewall and potentially dropped.

Also, there is usually a performance penalty for using such a firewall due to the

additional processing for application-level protocols.

FIREWALLS EVOLVED: THE THIRD GENERATION

The newest generation of firewalls may be defined as state-of-the-art perimeter security

integrated within major network components. These systems alert administrators in real

time about suspicious activity that may be occurring on their systems. Although it's a lotto swallow, this new generation of firewall has evolved to meet the major requirements

demanded by corporate networks of increased security while minimizing the impact on

network performance. The requirements of the third generation of firewalls will be evenmore demanding due to the growing support for VPNs, wireless communication, and

enhanced virus protection. The most difficult element of this evolution is maintaining the

firewall's simplicity (and hence its maintainability and security) without compromising

flexibility.



27/29

Security & Firewall

The most recent category of firewalls attempting to meet this demand performs what has

been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate theredundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach

screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to

known bit patterns of friendly packets before deciding whether to pass the traffic.

Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the firstglimpse of this new definition of a firewall. Among the products that use this new

technology are Check Points FireWall-1, Elron Softwares Internet Manager, and

SonicWalls line of access security products.

FREQUENTLY ASKED QUESTIONS

Why would you want a firewall?

Firewalls will protect your network from unwanted traffic. Many times, the unwanted

traffic is harmful traffic from hackers trying to exploit your network. You want a firewall

to protect your network, just as you want locks on your door and windows at your home.

Is a proxy server a firewall?

A proxy server is a form of a firewall. In legal terms, a proxy is someone who goes and

performs some action on your behalf. A proxy server performs network transactions on

your behalf. The most common use for this is a Web-proxy server. A Web-proxy willtake requests from users Web browsers, get the Web pages from the Internet, and return

them to the users browser. Many times, a proxy server also performs authentication to

see who is requesting the Web pages and also logs the pages that are requested and the

user they are from.

What is NAT?

NAT is Network Address Translation. NAT is usually used to translate from

real/global/public Internet addresses to inside/local/private addresses. These privateaddresses are usually IP addresses: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

NAT provides some security for your network as you do not have a real Internet IPaddress and your network, usually, cannot be accessed from the Internet without some

outbound connection first being created from your private/inside network.

However, you still need a firewall to protect your network as NAT only hides your

network but doesnt really stop any packets from entering your network.

Do firewalls stop Viruses, Trojans, Adware, and Spyware?

No, in general, firewalls do not stop Viruses, Trojans, Adware, or Spyware. Firewalls,usually, only protect your network from inbound traffic from an outside (Internet)

network. You still need antivirus software, anti-adware and anti-spyware software

applications to protect your system when it does go out on the Internet.

How do I know that my firewall is really protecting my network?

Just like any security system, a firewall should, periodically, be tested. To test a firewall,

you could have a professional security-consulting company do a security vulnerability

scan. However, this is usually something you can do yourself. To do this, you could use a



28/29

Security & Firewall

port-scanner or a more advanced tool like a vulnerability assessment tool (such as Retina,

Saint, or ISS).

What are the different types of firewalls?

The different types of firewalls are:

Packet filter A packet filter looks at each packet entering the network and, based on itspolicies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a

basic firewall that works in this way.

Stateful packet filter A stateful packet filter also has rules; however, it keeps track of

the TCP connection state so it is able to monitor the conversations as they happen onthe network. It knows the normal flow of the conversations and knows when the

conversations are over. Thus, it more intelligently is able to permit and deny packets

entering the network. Because of this, a stateful packet filter (stateful firewall) is muchmore secure than a regular packet filter.

Application gateway An application gateway is a system that works for certain

applications only. It knows the language that that application/protocol uses and itmonitors all communications. An example would be a SMTP gateway.

Proxy Server A proxy server performs network transactions on your behalf. The most

common use for this is a Web-proxy server. A Web-proxy will take requests from users

Web browsers, get the Web pages from the Internet, and return them to the users

browser.

What do VPNs have to do with firewalls?

Virtual Private Networks (VPN) are used to encrypt traffic from a private network and

send it over a public network. Typically, this is used to protect sensitive traffic as it goes

over the Internet. Many times, you will have a VPN encryption device combined with a

firewall as the private network traffic that is being encrypted also needs to be protectedfrom hackers on the public network.

If I have a firewall, do I have a DMZ?

No, you do not necessarily have a DMZ (De-Military Zone) if you have a firewall. ADMZ is a network that is semi-protected (not on the public network but also not on the

fully-protected private network). Many hardware firewalls create a DMZ for public mail

servers and Web servers. Most small networks or homes do not have DMZ networks.Most medium-to-large corporate networks would have a DMZ.

What are IDS and IPS? Also, what do they have to do with firewalls?

An Intrusion Detection System (IDS) monitors for harmful traffic and alerts you when itenters your network. This is much like a burglar alarm.

An Intrusion Prevention System (IPS) goes farther and prevents the harmful traffic fromentering your network.

IDS/IPS systems recognize more that just Layer 3 or Layer 4 traffic. They fully

understand how hackers use traffic to exploit networks and detect or prevent that harmful



29/29

Security & Firewall

traffic on your network. Today, many IDS/IPS systems are integrated with firewalls and

routers.

What is a DoS attack and will a firewall protect me from it?

A Denial of Service (DoS) attack is something that renders servers, routers, or networksincapable of responding to network requests in a timely manner.

Firewalls can protect your network and its servers from being barraged by DoS traffic

and allow them to respond to legitimate requests, thus, allowing your company to

continue its business over the network.

How do you configure, monitor, and control a firewall?

As there are many different types of firewalls, there are also many different types of

firewall interfaces. You could have a command line interface (CLI), a Web-based

interface, or some other proprietary program that is used to configure the firewall.

For example, with Cisco PIX firewalls, you can configure them with the CLI interface(called PixOs), or the PIX Device Manager (PDM), a Java-based interface that works

with a Web browser.

How do I know what firewall I should use?

The size of the firewall you choose is usually based on the volume of traffic your network

links receive or the bandwidth of your network links. You also must take intoconsideration other things for which you might be using the firewall, such as VPN, IDS,

and logging.

What are some new features to look for in firewalls?

Firewalls, today, are offering more and more features built into the firewall. Some of

them are: intrusion prevention, hardware-based acceleration, and greater recognition of

applications (moving up the OSI model towards layer 7).How can I configure an inexpensive firewall?

There are a wide variety of firewalls available today. Perhaps the most basic firewall isthe personal PC firewall, such as that built into Windows XP. Next come more advanced

PC software firewalls, like ZoneAlarm Pro or BlackICE. There are midrange firewall

solutions like Microsoft ISA or hardware firewalls. Next on the scale are large Cisco PIXor Checkpoint firewalls used for large businesses or Internet Service Providers.

1.It Security

Documents

Transcript of 1.It Security