Firewall Setup

Firewalls and security are among the most debated topics in the data security industry.

Language: en-us
Feed URL: http://www.bloglines.com/blog/firewallsetup/rss

RSS FEED ITEMS: Firewall Setup

  • The Windows Firewall: You Can Turn It on Now

    Some consider it one of Microsoft's greatest blunders. With the release of Windows XP Service Pack 2 (SP2), Microsoft made the conscious decision to turn on the built-in host firewall (the Internet Connection Firewall, ICF, renamed Windows Firewall in SP2) for all connections by default. Administrators not used to the idea of network security at the desktop scrambled to figure out what to do. Whether due to lack of time, planning or understanding of how that firewall actually worked, many elected to simply turn it off. In one fell swoop, Microsoft's decision put a black eye on the idea of host-based firewalls for a generation of systems administrators.

    The problem with Microsoft's decision was not that forcing it on was a bad idea. In many ways, it wasn't. A fully developed, host-based firewall with centralized control is an excellent tool to help secure the otherwise unsecured insides of a corporate network. The problem was in getting it fully developed. Enabling it for computers attached to a domain required a Herculean effort of application testing and configuration tuning: every inbound service that a line-of-business application relied on had to be identified and given a rule. Because of this level of up-front work, the firewall in many environments was disabled along with the SP2 rollout. For many it remains that way today.

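    The tuning work described above starts with finding out what the firewall is actually dropping. The following script is added here as an example and is not code from the original post. It parses the W3C-style log that Windows Firewall writes (pfirewall.log, whose "#Fields:" header line names the columns), counts DROP records per protocol and destination port, and separates sources inside an assumed internal range (10.0.0.0/8 here) from outside ones. The log lines are constructed for the example; the internal range and the rule suggestions are assumptions, not Microsoft's recommendations.

```python
"""Summarise what the Windows Firewall dropped, to decide which rules a
domain rollout actually needs (added example; the log lines are constructed)."""
import ipaddress
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed sample in the W3C-style layout Windows Firewall uses for
# pfirewall.log: '#' header lines, then one space-separated record per line.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-03-05 12:40:01 DROP TCP 10.1.2.30 10.1.2.10 3412 445 48 S 2851 0 65535 - - - RECEIVE
2008-03-05 12:40:02 DROP TCP 10.1.2.31 10.1.2.10 3980 445 48 S 9912 0 65535 - - - RECEIVE
2008-03-05 12:40:05 DROP TCP 10.1.2.30 10.1.2.10 3413 135 48 S 2852 0 65535 - - - RECEIVE
2008-03-05 12:40:07 DROP UDP 10.1.2.1 10.1.2.10 137 137 78 - - - - - - - RECEIVE
2008-03-05 12:40:09 OPEN TCP 10.1.2.10 10.1.2.50 1045 80 0 - 0 0 0 - - - -
2008-03-05 12:40:11 DROP TCP 198.51.100.7 10.1.2.10 4444 5900 48 S 1 0 8192 - - - RECEIVE
2008-03-05 12:40:12 DROP TCP 198.51.100.7 10.1.2.10 4445 5900 48 S 2 0 8192 - - - RECEIVE
2008-03-05 12:40:13 DROP TCP 198.51.100.7 10.1.2.10 4446 5900 48 S 3 0 8192 - - - RECEIVE
"""


def parse_log(text: str) -> List[Dict[str, str]]:
    """Turn the log into dicts keyed by the names in the '#Fields:' header."""
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or foreign line: skip it rather than guess
        records.append(dict(zip(fields, values)))
    return records


# (protocol, destination port, drop count, internal sources, external sources)
Summary = Tuple[str, int, int, int, int]


def summarize_drops(records: List[Dict[str, str]],
                    internal_net: str = "10.0.0.0/8") -> List[Summary]:
    """Count DROP records per (protocol, destination port) and split the
    distinct source addresses into inside and outside the assumed internal range."""
    net = ipaddress.ip_network(internal_net)
    drops: Counter = Counter()
    sources: Dict[Tuple[str, int], set] = defaultdict(set)
    for r in records:
        if r["action"] != "DROP":
            continue
        key = (r["protocol"], int(r["dst-port"]))
        drops[key] += 1
        sources[key].add(r["src-ip"])
    out: List[Summary] = []
    for (proto, port), n in drops.items():
        inside = sum(1 for s in sources[(proto, port)] if ipaddress.ip_address(s) in net)
        outside = len(sources[(proto, port)]) - inside
        out.append((proto, port, n, inside, outside))
    # Busiest ports first; ties broken by protocol and port for stable output.
    return sorted(out, key=lambda s: (-s[2], s[0], s[1]))


def suggest_rules(summary: List[Summary], internal_net: str = "10.0.0.0/8") -> List[str]:
    """Internal-only drops are candidates for a narrowly scoped allow rule
    (only if an application really needs the port); anything hit from outside
    stays blocked and the log line is kept as evidence."""
    advice = []
    for proto, port, n, inside, outside in summary:
        if outside:
            advice.append(f"{proto}/{port}: {n} drops from {outside} external source(s); keep blocked")
        else:
            advice.append(f"{proto}/{port}: {n} drops, internal sources only; "
                          f"allow from {internal_net} only if an application needs it")
    return advice


if __name__ == "__main__":
    for line in suggest_rules(summarize_drops(parse_log(SAMPLE_LOG))):
        print(line)
```

    In the constructed sample, ports 445 and 135 are hit only from inside the company (the pattern file sharing and RPC produce) and are the ones worth an explicit, source-scoped allow rule if an application needs them; port 5900 is being probed from outside and stays blocked. Running the same summary across a pilot group of domain machines is the cheap way to build the rule set before the firewall is switched on everywhere.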
    Some more info to grab on the topic:-



    Wed, 5 Mar 2008 12:42:46 GMT

  • Firewall Functions in Windows

    Do you still need to buy a separate firewall product if you already have Windows running on the machines that connect to the Internet? The answer, as always when you want a straight answer, is "It depends."

    An application that's dedicated to performing a specific task almost always does a better job than an operating system that's responsible for performing many tasks. For example, Windows comes with a built-in word processor named WordPad, yet anyone who wants to do serious word processing installs another word processor, such as Microsoft Word, because a specialized program offers added functionality. The same principle also applies to the built-in firewall functionality.

    The newer versions of Windows have several features that are used in firewall products, such as:

    _ Packet filtering: Each subsequent Windows version provides more configurable packet-filtering capabilities. Windows 98 had none. Windows 98 Second Edition (SE) and Windows Me, however, both block NetBIOS ports on the external interface. Windows NT 4.0 allows incoming traffic destined for the computer to be permitted per individual port. Windows 2000 allows or blocks routed incoming and outgoing traffic based on port, source address, and destination address. You can configure Windows XP to block all incoming traffic on an Internet connection. Finally, Windows Server 2003 extends this capability to blocking all incoming traffic while the computer is still initializing its network software at startup.

    _ Network Address Translation (NAT/ICS): The Windows 2000 server versions contain a flexible implementation of NAT, which is part of the Routing and Remote Access Service (RRAS). Windows 2000 also contains a simplified and much less configurable service, Internet Connection Sharing (ICS), which was already present in Windows 98 SE and Windows Me.

    _ Encrypted tunnel: All Windows computers can create a Virtual Private Network (VPN) connection using PPTP; Windows 2000 and later also include an L2TP/IPsec client. The Windows server versions can be endpoints for these VPN tunnels.

    Using these techniques, you can connect your Windows computers to the Internet and be reasonably secure. Note, however, that many of the basic required functions of a true firewall as discussed in Chapter 3 are not present. Here are some shortcomings of using Windows as a complete firewall solution:

    _ (Almost) No stateful packet filters: Most of the packet-filter options in the Windows versions are stateless. A stateless filter judges each packet on its header alone, so it cannot tell a reply to a connection that an internal host opened from a fresh connection attempt; to let the replies in, the ports above 1023 that clients use have to remain open constantly. Stateful packet filters, which track connections and admit only the return traffic for flows they have already seen, are much more secure. The Internet Connection Firewall function is the exception: it uses stateful packet filtering.

    _ No application proxies: Although packet filters inspect traffic arriving at the external interface, they can inspect only the packet header. Application proxies can inspect the entire data portion of the packet. Without them, filtering based on more than the packet header is not possible.

    _ No (or less-than-ideal) monitoring or logging: Because Windows doesn't have a dedicated firewall function, the monitoring and logging of packets arriving at the interfaces is rudimentary at best. Windows 98 computers can't log anything that may help detect problems, except for creating dump logs when an application crashes. Windows NT and Windows 2000 computers can report events in the Event Logs, but this capability doesn't compare to a true firewall log. Windows XP and Windows Server 2003 do feature a log file for the Internet Connection Firewall.

    _ No data caching: This is not strictly a security aspect, but data caching can be a function that a firewall product performs. Internet access for users on the internal network can be sped up considerably when the Web proxy software can cache frequently requested Web pages. Using Windows for Internet access provides no option to cache returned Web page data.

    _ No firewall mindset: Windows isn't designed to function as a firewall. This means that the IP implementation of the older Windows versions may contain flaws that render it unsuitable to be directly connected to a hostile environment, such as the Internet. Many of those weaknesses have since been addressed in hotfixes or Service Packs, but not until Windows NT 4.0 (with the latest Service Packs) and beyond does Windows have a strong enough IP stack to withstand common attacks from the Internet. Even so, it's possible that a crash in the packet-filtering software or the NAT process can leave the computer in a vulnerable state, in which it routes every packet from the external network to the internal network unfiltered: the box fails open rather than closed.

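    To make the first shortcoming concrete, here is an added example (not code from the original post, and a model written in Python rather than a description of any Windows component) that replays a short constructed packet trace through a stateless filter and through a minimal connection-tracking filter. The stateless filter must leave every port above 1023 open for inbound traffic so that replies can reach clients, which also lets an unsolicited connection to port 5000 and a forged "reply" from the wrong peer through; the stateful filter admits only the reverse of a flow it saw an internal host open, and drops the reply once the flow has been idle longer than its assumed 300-second timeout. Addresses, ports and the timeout are constructed for the example.

```python
"""Stateless vs. stateful packet filtering, replayed over a constructed
packet trace (added example, not code from the original page)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Packet:
    t: float        # seconds since the start of the trace
    direction: str  # "out": internal host -> Internet, "in": Internet -> internal host
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


FlowKey = Tuple[str, str, int, str, int]  # proto, src, sport, dst, dport


def stateless_filter(pkt: Packet) -> bool:
    """Judges each packet by its header alone. Outbound is allowed. Inbound is
    allowed only to ports above 1023, because replies to outbound client
    connections arrive there and the filter cannot tell a reply from a fresh
    connection attempt, so the whole high-port range has to stay open."""
    if pkt.direction == "out":
        return True
    return pkt.dport > 1023


class StatefulFilter:
    """Connection tracking: an inbound packet is allowed only if it reverses a
    flow that an internal host opened and that has not gone idle."""

    def __init__(self, idle_timeout: float = 300.0) -> None:
        self.idle_timeout = idle_timeout          # assumed value for the example
        self.flows: Dict[FlowKey, float] = {}     # forward key -> last time seen

    def allow(self, pkt: Packet) -> bool:
        self._expire(pkt.t)
        if pkt.direction == "out":
            self.flows[(pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t
            return True
        # An inbound packet must match the reverse of a tracked flow exactly,
        # so a "reply" from a different peer address or port is rejected.
        forward = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.flows:
            self.flows[forward] = pkt.t
            return True
        return False

    def _expire(self, now: float) -> None:
        stale = [k for k, last in self.flows.items() if now - last > self.idle_timeout]
        for key in stale:
            del self.flows[key]


INSIDE, WEB, ATTACKER = "192.168.1.10", "203.0.113.5", "198.51.100.7"

# Constructed trace: one legitimate web connection, then inbound packets that
# a stateless filter and a stateful filter judge differently.
TRACE: List[Packet] = [
    Packet(0, "out", "tcp", INSIDE, 1045, WEB, 80),        # client opens the connection
    Packet(1, "in", "tcp", WEB, 80, INSIDE, 1045),         # genuine reply
    Packet(2, "in", "tcp", ATTACKER, 4444, INSIDE, 5000),  # unsolicited, high port
    Packet(3, "in", "tcp", ATTACKER, 4444, INSIDE, 80),    # unsolicited, low port
    Packet(4, "in", "tcp", ATTACKER, 80, INSIDE, 1045),    # forged reply from the wrong peer
    Packet(400, "in", "tcp", WEB, 80, INSIDE, 1045),       # reply after the flow went idle
]


def replay(trace: List[Packet]) -> List[Tuple[bool, bool]]:
    """Returns (stateless_allowed, stateful_allowed) for each packet, in order."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.allow(p)) for p in trace]


if __name__ == "__main__":
    for pkt, (sl, sf) in zip(TRACE, replay(TRACE)):
        print(f"t={pkt.t:>3} {pkt.direction:<3} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={('allow' if sl else 'deny'):<5} stateful={'allow' if sf else 'deny'}")
```

    The third, fifth and sixth packets are the point: the stateless filter passes all of them because it can only see a destination port above 1023, while the stateful filter rejects each for a different reason (no matching flow, wrong peer, expired flow). Real connection trackers also check TCP flags and sequence numbers; the five-tuple table here is the minimum that already closes the "everything above 1023" hole.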

    With so many shortcomings in using Windows as a firewall, is it still safe to dial in or otherwise directly connect to the Internet with a Windows computer? Here's the short answer: In our opinion, if you don't have a true firewall or if you don't have Internet Connection Firewall enabled, you're asking for trouble.


    Mon, 4 Feb 2008 11:09:00 GMT

  • The Value of Your Network

    Before you look in more detail at what threats you face and how you can protect yourself against these threats by using a firewall, take a minute to look at your network and establish how much it is worth to you. The best way to establish the value of something is to evaluate the cost of a loss. Take a look at some different types of damage and consider the cost of each:

    [1] Lost data: How important is the data on your corporate network? To answer this question, try to estimate what would happen if the data disappeared. Imagine that someone managed to break into your network and deleted all your accounting data, your customer list, and so on. Hopefully you have methods in place to restore lost data from a backup — no matter how you lose it. But, for just a second, imagine that all your corporate data is gone and you have to reconstruct it. Would your company still be in business if this happened to you tomorrow?

    [2] Confidential data: If anyone were to break into your network and get access to confidential data — for example, the secret plans for the perpetual motion machine that you are developing — imagine what could happen. What would an intruder do with the data? Because you don’t know, you have to assume the worst. If the secret plans end up in the hands of a competitor, he or she may beat you to the market with a miracle machine, and the profits and the Nobel Prize in Physics go to that person instead of you. The damage may even be worse if the data that is stolen is your entire customer list, including complete contact and billing information.

    [3] Downtime: Have you ever called a company to order an item or to complain about something, and you were told, "I can't help you, the network is down." If so, you probably remember your reaction. The excuse sounded cheap, and you felt like taking your business somewhere else. However, network outages do happen, and often the best thing that employees can do is twiddle their thumbs and tell customers to call again later. Preventing intrusions from the Internet may cost a little bit of money, but the amount of money lost due to downtime caused by such an intrusion could cost a lot more.

    [4] Staff time: Each time an attack on your network is successful, you must take time to fix the hole and to repair any damage. For example, if a virus infects the computers in your company, you may have to go to each computer to remove the virus and repair any damage. The time that you spend doing this adds up quickly, and — as the saying goes — time is money. Don’t expect to fix a large-scale problem quickly; that is, unless you are in the information technology department of an organization that we know. After a recent virus outbreak, they solved the problem by erasing the hard drives of every single computer and reinstalling everything from scratch. When the employees came to work the next morning, they realized that all of their data was lost, and they had to start the arduous task of reconstructing it from scratch. The IT people were nowhere to be found; for them the problem had been solved — the virus was gone. For everyone else the problem had just started.

    [5] Hijacked computer: Imagine that someone broke into your computer and used it for his own purposes. If your computer is not used much anyway, this may not seem like a big deal. However, now imagine that the intruder uses your computer for illegitimate purposes. For example, a hacker uses your computer to store stolen software. When law enforcement personnel, who have partially traced the hacker's tracks, come knocking on your door, you have some explaining to do.

    [6] Reputation: Do you want to be the company that is mentioned in the local or national news as the latest victim of a computer attack? Imagine what this would do to your company’s reputation. The potential damage from such publicity has even caused some companies to sweep network intrusions under the table.


    Thu, 24 Jan 2008 17:20:49 GMT

  • When Two Firewalls Are Better than One

    Some organizations' security policies dictate that a single firewall protecting the private network from the Internet is unacceptable. A single firewall can be used to deploy a DMZ that directs Internet-based traffic to a protected area of the network. However, some security personnel are uncomfortable with this design because the firewall becomes a single point of protection. If an attacker were to compromise the firewall, he or she would not only gain access to the DMZ but would also have access to the private network; therefore, security administrators generally prefer DMZ solutions with two firewalls.

    Typically, the business factors that result in an organization's deploying two or more firewalls in its DMZ design include:

    _ Clear definition of the DMZ: When two firewalls are used, the DMZ physically resides between the private network and the Internet.

    _ Increased security: By deploying two separate firewalls, an attacker must circumvent or break through two separate firewalls to compromise resources that are located on the private network. You can further increase security by implementing two different manufacturers' firewalls. When two different manufacturers' firewalls are used, an attacker must compromise each firewall by using different methods and strategies, and a single vendor flaw or misconfiguration no longer opens both. The price is a second set of management tools and rule syntax to learn and keep consistent.

    _ Reduced network loads on the two firewalls: In a single-firewall DMZ solution, the firewall may have to inspect the same data twice: once going from the Internet to the DMZ and again going from the DMZ to the private network. When a double-firewall DMZ is used, this inspection load is divided between two firewalls.


    Mon, 21 Jan 2008 09:38:43 GMT

  • Finding the Most Up-To-Date Security for Your Computer
    Ensuring your computer is up to date with all the latest security software is vital, given the many viruses and worms that find their way into our systems. Having consistent and persistent security software protecting your computer should be your main online priority. If you let your computer's guard down even once, you can be infected with viruses that crash your computer or worse.

    If you have anti-spyware, anti-virus, and firewall programs installed, you are already well on your way to solid computer security. However, you also need to make sure each of these programs can update itself automatically, every day or as updates become available. That is the only way to keep both the signatures and the software itself current and save yourself the hassle of cyber attacks down the road.

    There are a number of companies which pride themselves on providing efficient security protection software for computers. Chances are good you already use one of their programs, which is a great thing. However, if you don't, take a look at the following companies to assess their computer security offerings.

    One of the most popular and widely used anti-virus products is Norton AntiVirus from Symantec Corporation. Symantec makes it its business to stay on top of new virus threats and how each type of computer operating system is affected by them. Norton software can be purchased almost anywhere computer security programs are sold; otherwise you can simply go to Symantec's web site and buy the latest version of Norton.

    McAfee Corporation is another leader in this industry. Considered to be Symantec's most avid competitor, it offers an extensive line of security software that can fill almost every computer security need. A nice benefit of McAfee software is that instead of having to buy a new version whenever one is released to the general public, you have the option of upgrading your current version through the McAfee web site to save money.

    AVG, made by the company GRISOFT, is a security program that you can download without spending any money at all. Made for the budget conscious, GRISOFT offers a free version for people using home computers. It is an excellent program that allows you to check for and delete spyware, as well as thwart threatening viruses. For zero cost, this is an excellent solution to keep your computer's security current.

    Do some research before deciding on one particular company. However, choosing any of the above will certainly help your computer security and greatly improve your odds against security threats that may harm your computer.


    Thu, 17 Jan 2008 23:49:08 GMT

  • Deploying Firewalls for Small Offices, Home Offices or for Personal Use

    A trade-off exists between how secure you want your firewall architecture to be and how much cost and effort is associated with realizing this goal. This trade-off is different for different companies. A small office or home office has different security needs from larger offices or enterprise-style businesses.

    You can secure your connection to the Internet in many ways. These solutions range from not secure, when you use no firewall at all, to very secure, when you use several firewalls in sequence. Invariably, the most secure solutions take the longest to design and deploy, the most effort to administer, and generally are the most expensive. On the other hand, the simplest solution may be cheap and the easiest to set up and administer, but may not provide enough security for your network.

    In this blog, we look at deploying firewalls for small offices, home offices, or even for personal use.

     

    No-Box Solution: ISP Firewall Service

    Offices that don't want to spend the money to set up their own network firewall can rely on the ISP that they use to connect to the Internet to provide the firewall function. Although not all ISPs want to provide this service, it has the obvious benefit of being a low-cost solution.

    However, for the following reasons, using an ISP to provide the firewall function isn't necessarily an effective technique:

    --) ISPs may not want to assume the responsibility of guaranteeing your security on the Internet. Protecting against every possible attack is a complex undertaking and requires cooperation from your users, for example, when opening e-mail attachments.

    --) The ISP solution is not customized to your needs but provides protection to many other customers as well. This means that firewall rules will generally be more lax than you may want them to be.

    --) The ISP firewall rules may be too restrictive. If you want to use a protocol that isn't allowed through the ISP firewall, you may not be able to change that configuration.

    --) Generally, firewall solutions that don't fully meet the Internet access needs of your users may tempt them into secretly installing dial-up lines or port redirection software to circumvent the restrictive firewall rules, and thereby lower the security of your internal network. This is especially true for an ISP firewall service that can't be tailored to your specific needs.

     

    Single-Box Solution: Dual-Homed Firewall

    The simplest firewall architecture that you can deploy yourself is to use a single dual-homed computer as a firewall. A dual-homed computer is simultaneously connected to two networks, for example, the internal network and the Internet. For home users, this computer may be the only computer that they have. Personal firewalls, such as BlackICE or ZoneAlarm, are well suited for this scenario. For small offices or home offices, the single firewall machine can be a desktop computer used to dial in to the ISP or a dedicated machine. All other computers in the office are connected in a peer-to-peer style and use that single machine to access the Internet.

    The following are the advantages of using a single firewall to secure your connection to the Internet:

    --) Cost: Obviously, deploying a single firewall is less expensive than solutions that require two or more dedicated firewall machines. This includes the cost of the firewall software and the hardware.

    --) Simplicity: The single firewall is the one place that needs to be configured to protect the connection to the Internet. You can concentrate on this single machine. More complex designs are harder to understand and have more room for configuration errors.

    The single dual-homed firewall solution has some distinct disadvantages as well:

    --) Single point of protection: All network traffic going to and from the Internet passes through this single firewall. This makes it a simple solution, but also introduces a big risk. If the firewall is compromised, an attacker can access your entire network. If the firewall machine doubles as someone's everyday desktop, every program run on it is running on the perimeter.

    --) Long single rule list: Although it may seem an advantage that all firewall rules are in one list, this single list may be quite long and complex. This complexity makes it harder to understand the current rule base of the firewall.

    --) No dedicated network segment: A dual-homed firewall only connects to two networks. One connection is to the Internet, and the other connection is to the internal network. This may be enough to provide security to a small business, but many businesses want a third dedicated network segment (a DMZ) for protecting servers that are accessible from the Internet.


    Mon, 14 Jan 2008 22:17:36 GMT

  • Firewall - Tips and Tricks for the Savvy User

    Without a firewall, your computer is opened up to a host of attacks from hackers. These online criminals try to access your computer to change or steal your private information. With this information, the hacker can steal your identity, or access and use money from your bank account or credit cards.

    The past few years have seen a boom in ID theft, and a corresponding boom in industries, such as firewalls, working to combat identity theft. It is predicted that firewall sales will come to 3.7 billion USD in 2007 (from itnews.com). With all the choices out there, how do you determine the best one?

    Choosing Wisely

    There are four main things a good firewall needs to supply. It needs to have good features, be easy to use, be reliable, and have technical support and updates available.

    Features to look for, beyond the core job of blocking unsolicited inbound connections and controlling which programs may talk to the network, are the content controls that consumer firewall suites bundle: the ability to block cookies, websites, browser history logs, and other undesirable things. Blocking hostile websites reduces your exposure to the malware they serve; the cookie and history controls are mostly about privacy. Individual settings are a plus, because you could visit some sites that your children cannot, or limit their time differently than yours.

    Ease of use means the firewall is simple. Not only is it intuitive, but it should adapt itself to your computer through sensible preset defaults. Installation should be quick and straightforward.

    Reliable software responds correctly to traffic and programs it does not recognize, which means denying them by default. By responding correctly, it will keep harmful software, such as Trojans, out. Such software getting in could cause your computer to restart or shut off on its own, losing any of your unsaved data.

    Technical support is preferably free, and should be available over either the phone or the Internet. Upgrades should be simple to find and use, and ideally automatic.

    Learn as much about the firewall software as possible before you buy. Check for online reviews and forum posts. Ask around to see if your friends or family have used the software you are considering, and see what their opinion of it is. Act quickly, as you never know how much of your information is already in jeopardy.


    Thu, 10 Jan 2008 11:38:51 GMT

  • Firewall management tools

    A properly configured firewall is an invaluable layer in a comprehensive security design. The catch, of course, is the phrase "properly configured." Most firewall configurations begin simple and secure, but grow more complex and ineffectual over time. In this blog we will discuss reasons for these problems, and how to choose a firewall management solution to keep clients' firewalls effective and manageable.

    There are three primary culprits that contribute to firewall configuration complexity:

    The 'fix-it-now' mentality

    As help desk calls concerning unknown applications and protocols begin piling up, it is easier for overtaxed firewall administrators to resolve problems with "shotgun" approaches such as adding rules allowing "Any" sources or protocols. Such a rule is rarely revisited once the ticket is closed, so the quick exception quietly becomes permanent policy.

    Multi-vendor systems

    Managing firewalls from different vendors can seriously amplify an administrator's workload. Often concepts do not translate from vendor to vendor, and those concepts that do are implemented in ways so differing, you begin to wonder if it was done on purpose.

    Tactical vs. strategic effects

    Short-term fixes lead to lengthy rule base configurations and duplicate or orphaned rules, and over permissive policies. Without effective management tools firewalls lose their strategic place within the security infrastructure.

    How can you help your clients tackle these problems? Typically, firewall management approaches fall into one of three categories:

    Homegrown / open source

    The do-it-yourself approach to firewall management can be both inexpensive and effective if you have the expertise and are not afraid of a little work. However, lack of a comprehensive open source project to manage both configuration and reporting, and limited vendor integrations are significant drawbacks.

    Firewall vendor

    Most of the larger firewall vendors (Check Point, Cisco, Juniper, etc.) have centralized firewall management systems offering configuration, logging and historical reporting. The strengths and features of the systems vary widely with each vendor, but the common weakness is that each system only supports that vendor's firewall.

    Third party

    A few companies have introduced products aimed at cross platform firewall management and monitoring. Third-party products can offer more management features and broader support than management tools from firewall vendors.

    The best choice for your client will be dictated by the number and type of firewalls deployed, as well as the feature set you need in order to effectively manage the firewalls. Here are some things to consider when choosing an effective solution – be it open source or a third-party product:

    Multi-vendor support

    Obviously, the solution needs to support your client's current firewall vendors, but you should look for or build a solution that supports many firewall vendors in the same range as the client's current deployment. You never know when your client's environment will change. A management tool that supports changing infrastructures is invaluable.

    Best practices analysis

    Firewall vendors implement technology in different ways, but best practices, such as denying all traffic not explicitly allowed and logging suspicious activity, are universally accepted, and should be implemented and monitored across all firewalls in any firewall management solution.

    Flexible reporting

    Pre-built or "canned" reporting quickly produces reports with general information, but also look for the ability to define reports on all information collected. This level of granularity is imperative for reporting on unusual patterns or specific incident scenarios.

    Firewalls require careful configuration and monitoring to remain effective. The tools and approaches mentioned here can greatly enhance the management and security of your client's first line of network defense.
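    As an added example of the "best practices analysis" and the rule-base rot described above (not code from the original post or from any vendor's product), the following script reviews a small constructed, vendor-neutral rule base in first-match order for the problems listed earlier: a "fix-it-now" any-to-any allow, a duplicate rule, a deny rule that is shadowed by the earlier shotgun rule and so never fires, a deny rule without logging, and a rule base that does not end in an explicit default deny. A corrected version of the same rule base is included to show the checks coming back clean. Rule names, addresses and the wording of the findings are assumptions.

```python
"""Static review of a vendor-neutral firewall rule base, first-match order
(added example; both rule sets are constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    proto: str      # "tcp", "udp", "icmp" or "any"
    port: str       # destination port or "any"
    action: str     # "allow" or "deny"
    log: bool = False


def net_covers(a: str, b: str) -> bool:
    """True if address field a matches everything that address field b matches."""
    if a == "any":
        return True
    if b == "any":
        return False
    return ipaddress.ip_network(a, strict=False).supernet_of(
        ipaddress.ip_network(b, strict=False))


def field_covers(a: str, b: str) -> bool:
    return a == "any" or a == b


def rule_covers(a: Rule, b: Rule) -> bool:
    """Every packet that b would match is already matched by a."""
    return (net_covers(a.src, b.src) and net_covers(a.dst, b.dst)
            and field_covers(a.proto, b.proto) and field_covers(a.port, b.port))


def is_default_deny(r: Rule) -> bool:
    return (r.action == "deny" and r.src == "any" and r.dst == "any"
            and r.proto == "any" and r.port == "any")


def analyze(rules: List[Rule]) -> List[str]:
    """Return one finding per problem; an empty list means the checks pass."""
    findings: List[str] = []
    for i, r in enumerate(rules):
        if r.action == "allow" and r.src == "any" and r.dst == "any":
            findings.append(f"{r.name}: over-permissive allow (any source to any destination)")
        if r.action == "deny" and not r.log:
            findings.append(f"{r.name}: deny rule without logging")
        # First-match semantics: an earlier rule that covers this one means
        # this rule can never be the first match, whatever its action.
        for earlier in rules[:i]:
            if rule_covers(earlier, r):
                if earlier.action == r.action:
                    findings.append(f"{r.name}: redundant, already covered by {earlier.name}")
                else:
                    findings.append(f"{r.name}: shadowed by {earlier.name}, never matches")
                break
    if not rules or not is_default_deny(rules[-1]):
        findings.append("rule base: no final default-deny rule")
    return findings


# Constructed rule base after a few months of "fix-it-now" changes.
MESSY_RULES = [
    Rule("web-in", "any", "203.0.113.0/24", "tcp", "443", "allow"),
    Rule("dns-out", "10.0.0.0/8", "any", "udp", "53", "allow"),
    Rule("fix-it-now", "any", "any", "any", "any", "allow"),           # the shotgun rule
    Rule("web-in-dup", "any", "203.0.113.0/24", "tcp", "443", "allow"),  # re-added by someone else
    Rule("block-telnet", "any", "any", "tcp", "23", "deny"),            # too late, and unlogged
    Rule("mgmt-in", "10.0.0.0/8", "203.0.113.0/24", "tcp", "22", "allow", log=True),
]

# The same intent, cleaned up: specific allows, logged denies, explicit default deny.
CLEAN_RULES = [
    Rule("web-in", "any", "203.0.113.0/24", "tcp", "443", "allow"),
    Rule("dns-out", "10.0.0.0/8", "any", "udp", "53", "allow"),
    Rule("block-telnet", "any", "any", "tcp", "23", "deny", log=True),
    Rule("mgmt-in", "10.0.0.0/8", "203.0.113.0/24", "tcp", "22", "allow", log=True),
    Rule("default-deny", "any", "any", "any", "any", "deny", log=True),
]


if __name__ == "__main__":
    for name, rules in (("messy", MESSY_RULES), ("clean", CLEAN_RULES)):
        print(f"{name}: {analyze(rules) or ['no findings']}")
```

    The coverage test is the part worth keeping when this is adapted to a real export: any rule a broader earlier rule already covers is dead weight at best (a duplicate) and a false sense of security at worst (a deny that an earlier allow makes unreachable), and those are exactly the orphaned and over-permissive rules the article says accumulate when fixes are tactical.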


    Mon, 7 Jan 2008 16:02:24 GMT

Copyright © 2006-2007 Listopica, Inc. RSS Feed Directory