Lessons - Firewall basics
Meet the suspects

In this lesson, you meet the typical perpetrators behind intrusions and attacks, learn about the uses of intrusion detection systems, common ways to prevent hacking, and common attacks that may be attempted or perpetrated against a network. You'll also get a wrap-up of widely acknowledged best security practices for protecting systems or networks that access the internet. The suspects in an attack generally fall into two categories: intruders and attackers. An intruder is any unauthorized person or program attempting to gain access to your system. An attacker is a program or person attempting to damage your system or prevent it from performing properly without actually breaching your security perimeter. The media often mislabels such suspects as hackers. The correct term is cracker. A hacker is someone who is knowledgeable about technology and can perform a wide range of complex activities without malicious intent. A cracker is a hacker with malicious intent. A hacker is someone you want on your side. Hopefully your IT staff includes hackers. A cracker is someone you want to keep away from your systems. Hopefully no member of your IT staff is a cracker. But who are these people? Well, describing just who exactly a cracker is can be difficult. A cracker can be someone outside or inside your organization. They can be ex-employees, disgruntled customers, or have no meaningful relation to you or your organization whatsoever. They may be teenagers looking for a thrill or adults looking for revenge. They may be first-time cybercriminals using downloaded tools to attempt an amateur attack, or they may be hardened professionals using custom utilities that are nearly undetectable and quite effective. They may be male or female. They may be fellow citizens or from another country. They may be someone you know or someone you don't. Specifying who crackers are may be difficult, but specifying what they are is easy.
A cracker is someone who wants to perpetrate some level of unauthorized or unwanted activity on your IT infrastructure. That activity may be little more than an annoyance, or as severe as a national security violation. You need to understand that there are plenty of malicious people in this world. Some of them may even direct their malevolent activities toward you and your network. Your goal is to thwart their attempts to the best of your ability.

Intrusion detection
As you learned in Lesson 7, an IDS (intrusion detection system) is an automated tool that monitors systems or networks for unauthorized, unwanted, or abnormal activity. An IDS scans log files and monitors real-time events to look for signs of intrusion or attack. The capabilities of an IDS are typically limited to detection and alarm. Once an IDS detects suspicious activity, it can inform administrators that an attack is occurring or has occurred. An advanced IDS can perform limited countermeasures, such as disabling access ports, services, or user accounts. Even so, don't view an IDS as a silver bullet security solution, but rather as a component in an organization's integrated security infrastructure.

There are two primary types of IDS: host IDS and network IDS. A host IDS is installed on a single computer, and its purpose is to monitor that one system for suspicious activities. A network IDS is deployed to monitor suspicious activities on a network.
A host IDS typically examines the activities of a system in much greater detail than a network IDS. This allows a host IDS to pinpoint the exact files, services, user accounts, and so forth, that are involved in an intrusion or attack. A host IDS can detect system-specific attacks that a network IDS cannot detect, but a host IDS cannot detect network-based attacks. A host IDS negatively affects performance on its host system because it must consume system resources to perform its monitoring, logging, and reporting duties.
A network IDS focuses on discovering anomalies or malicious activities in network traffic patterns and packet contents. A network IDS is installed onto dedicated hosts, similar to a bastion host where a firewall might reside. This allows all the resources in that computer to focus on monitoring network activity. You can configure many network IDSs to be invisible and inaccessible to the rest of the network. This effectively hides the IDS from intruders who may wish to disable or attack the IDS directly. A network IDS is a passive monitoring system and has little or no impact on overall network performance. However, on networks with large traffic volumes, a network IDS can fail to detect an attack, especially if that attack consumes only a small fraction of total network bandwidth. A network IDS can inspect the contents of packets to discover malicious activity. However, if those transmissions are encrypted, a network IDS is unable to access their contents. A network IDS is good at detecting attempted DoS (denial of service) attacks, repeated attacks, and intrusion attempts. However, network IDS solutions can't provide specific information about whether an attack was successful, which systems were targeted, and what elements of the network were affected (users, data, applications, and so forth).
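To make the network IDS side concrete, here is an added Python example (not code from the course or from any IDS product) of the two detections the paragraph above says a network IDS is good at: a source touching many distinct ports in a short time (an intrusion attempt by probing) and a burst of connection attempts against one destination (an attempted DoS). The log format, the thresholds, and the traffic in `sample_log()` are all constructed for this example; a real sensor would take these events from a packet capture.

```python
from collections import defaultdict, deque

SCAN_PORTS = 5       # distinct destination ports from one source ...
SCAN_WINDOW = 10.0   # ... within this many seconds => port-scan alert
FLOOD_SYNS = 20      # SYN packets to one destination host ...
FLOOD_WINDOW = 5.0   # ... within this many seconds => SYN-flood alert


def parse_line(line):
    """Parse one constructed log line: '<epoch> <src> <dst> <dport> <flags>'."""
    ts, src, dst, dport, flags = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "dport": int(dport), "flags": flags}


def detect(lines):
    """Return a list of alert strings, at most one per offending source or
    destination, using sliding time windows over the events."""
    scan_hist = defaultdict(deque)   # src -> deque of (ts, dport)
    flood_hist = defaultdict(deque)  # dst -> deque of ts for SYN packets
    alerts, reported = [], set()
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    for e in events:
        # Port-scan check: how many distinct ports has this source touched recently?
        hist = scan_hist[e["src"]]
        hist.append((e["ts"], e["dport"]))
        while hist and e["ts"] - hist[0][0] > SCAN_WINDOW:
            hist.popleft()
        distinct = len({p for _, p in hist})
        if distinct >= SCAN_PORTS and ("scan", e["src"]) not in reported:
            reported.add(("scan", e["src"]))
            alerts.append(f"PORTSCAN src={e['src']} ports={distinct} at t={e['ts']:.0f}")
        # SYN-flood check: rate of new connection attempts against one destination.
        if e["flags"] == "S":
            fh = flood_hist[e["dst"]]
            fh.append(e["ts"])
            while fh and e["ts"] - fh[0] > FLOOD_WINDOW:
                fh.popleft()
            if len(fh) >= FLOOD_SYNS and ("flood", e["dst"]) not in reported:
                reported.add(("flood", e["dst"]))
                alerts.append(f"SYNFLOOD dst={e['dst']} syns={len(fh)} at t={e['ts']:.0f}")
    return alerts


def sample_log():
    """Constructed traffic: legitimate web hits, one host probing many ports,
    and one burst of SYNs against the mail server."""
    lines = []
    for i in range(12):   # background: three clients hitting port 80 over a minute
        lines.append(f"{1000 + i * 5} 10.1.1.{i % 3 + 10} 192.0.2.20 80 S")
    for i, port in enumerate([21, 22, 23, 25, 53, 110, 143, 443]):   # probing
        lines.append(f"{1030 + i} 198.51.100.7 192.0.2.20 {port} S")
    for i in range(25):   # flood: 25 SYNs to the mail server inside two seconds
        lines.append(f"{1050 + i * 0.08:.2f} 203.0.113.{i % 9 + 1} 192.0.2.25 25 S")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_log()):
        print(alert)
```

The example illustrates the limits the paragraph mentions as well: only packet headers are used, so encrypted payloads change nothing here, and an attacker who spreads probes over a longer period than `SCAN_WINDOW` slips under the threshold, which is why thresholds are tuned per network rather than fixed.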
In a typical IDS deployment, you use a network IDS to monitor the network as a whole and a host IDS to safeguard mission-critical systems. This tactic takes advantage of the best features of both forms of IDS. An IDS is an excellent complementary security mechanism for a firewall. A firewall is deployed to keep out unwanted traffic, and an IDS can monitor for malicious traffic that makes it past the firewall.

Common paths to cracking

Protecting your system from potential attack is an important part of maintaining security. Thwarting crackers primarily consists of applying safeguards and countermeasures as new attack methodologies and vulnerabilities are discovered. These safeguards and countermeasures are usually deployed as a response to attacks or discoveries on systems that have already been hardened. Every system in a network should be hardened by completing each of the following tasks, roughly in the same order presented here:

1. Define an organizational security policy.
2. Set security standards, guidelines, and procedures for all systems within the organization.
3. Update the operating systems and software with patches from their respective vendors.
4. Configure each system to whatever level of security your security policy mandates, considering also the system's function/purpose, and the sensitivity and confidentiality of assets it holds.
5. Establish a common security baseline for all systems.
6. Deploy security mechanisms such as firewalls and IDS as needed.
7. Implement physical security controls.
8. Train users to maintain security and work within the boundaries defined by the security policy.

Once this preventative security hardening is complete, you must then respond to new attacks and patch newly revealed vulnerabilities. Should your network fall victim to an attack, investigate the incident thoroughly to discover all elements that made the attack or intrusion possible.
After that information is known, you can formulate a response by closing down access ports, reconfiguring services, or installing vendor-supplied updates to correct coding errors, correct software deficiencies, and so forth. As new attack methods are discovered or new vulnerabilities in a product become known, most vendors release patches, updates, or hotfixes to correct such problems. Test these fixes for effectiveness and safety on a test or lab network, and then install them on your production systems once they have proven effective at improving overall security. Always remember that no system is 100 percent secure. You must maintain security over time for it to remain effective. The process of maintaining security includes:
- Testing, evaluating, and auditing security
- Correcting, patching, or improving security as needed
- Responding to attacks
- Implementing safeguards and countermeasures
Types of attacks

Firewalls are a key element in any security solution. However, firewalls are not effective against every type of attack, so other security controls must be included in an effective solution. This section explores many of the common attacks that systems can face and indicates whether most firewalls are effective against them.
Application backdoors: An application backdoor is a programmatic door to your system created by the original programmer of a software product. Backdoors can give someone unauthorized access or control over that application or its host system. Some backdoors are installed intentionally, whereas others result from coding errors. Firewalls are typically ineffective against backdoors because accessing a backdoor usually occurs over authorized connections. The best way to protect yourself against backdoors is to use well-tested, reputable software.

Brute force and dictionary attacks: Brute force and dictionary attacks attempt to guess the password for some user account, device, or service. Brute force attacks systematically try every possible character combination, whereas dictionary attacks use a predefined password list. Firewalls are ineffective against brute force and dictionary attacks because they occur over authorized connections attempting to log into an account or service. A good way to avoid such attacks is to limit the number of failed login attempts a system allows before it blocks access to a particular account or from a particular IP address. You should also make creating secure passwords part of your security policy.

Bulk email attacks: Bulk email attacks, also known as spamming or email bombs, occur when a large number of email messages are sent to a single user or email server. This kind of attack seeks to disable productive access to the email server or prevent the user from reading legitimate email. Firewalls are ineffective against bulk email attacks because email is normally an authorized service that is allowed to traverse the firewall.

DoS: A DoS attack is any activity that prevents a system or a network from performing its normal activities, such as responding to legitimate requests for services or resources. Firewalls are only partially effective against DoS attacks. Once a DoS attack method is known, a firewall can be configured to prevent it.
However, firewalls cannot respond to new forms of DoS attacks dynamically, nor can they easily protect networks against DoS attacks over open and active services, such as the web or email. When zombies (other PCs that a cracker has subverted in the background to mount attacks) are used to mount an attack from multiple systems at the same time, these are known as DDoS (distributed DoS) attacks.
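The brute force and dictionary entry above recommends limiting failed login attempts per account and per source address, since the firewall cannot help with guesses that arrive over an authorized connection. The following Python class is an added example of that control, not code from the course or from any product; its thresholds, the `attempt` interface, and the `user:`/`ip:` key naming are assumptions, and the actual credential check is left to the caller, which passes in its result.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Counts failed logins per account and per source IP inside a sliding
    window and refuses further attempts once a threshold is crossed."""

    def __init__(self, max_failures=5, window=300.0, lockout=900.0):
        self.max_failures = max_failures   # failures tolerated inside `window`
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds a lock stays in force
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> epoch at which the lock expires

    def _prune(self, key, now):
        """Drop failures that fell out of the counting window."""
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        self._locked_until.pop(key, None)   # expired lock: forget it
        return False

    def attempt(self, user, ip, password_ok, now=None):
        """Record one login attempt and return 'allowed', 'denied' or 'locked'.
        `password_ok` is the outcome of the caller's real credential check.
        The lock is checked first, so a correct password does not unlock."""
        now = time.time() if now is None else now
        keys = (f"user:{user}", f"ip:{ip}")
        if any(self.is_locked(k, now) for k in keys):
            return "locked"
        if password_ok:
            for k in keys:
                self._failures[k].clear()   # success resets the failure count
            return "allowed"
        for k in keys:
            self._prune(k, now)
            self._failures[k].append(now)
            if len(self._failures[k]) >= self.max_failures:
                self._locked_until[k] = now + self.lockout
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window=60, lockout=120)
    for t in (0, 1, 2, 3):   # three wrong guesses, then the right one: still locked
        print(t, guard.attempt("alice", "203.0.113.5", password_ok=(t == 3), now=t))
```

Locking on the source IP as well as on the account catches attackers who spread guesses across many usernames, but it also means an attacker behind a shared NAT address can lock out every legitimate user from that address, which is itself a DoS; deployments usually pair the IP rule with an allow list or a softer rate limit, and log every lock so the IDS can correlate it with other activity.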
Macros: A macro is a program written in a programming language that is automatically executed by an application whenever the macro is loaded into memory by that application. Macros can be embedded in email messages, documents, spreadsheets, databases, and so on. Microsoft Office, Internet Explorer, and Outlook are vulnerable to malicious macro attacks. Firewalls are ineffective against macros because they're usually undetected or simply not inspected when the data file containing a macro traverses the firewall.

Port scanning: Port scanning is the process of testing every possible TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) port for open services that may not have been properly secured by the website's operators. Firewalls are partially effective against port scanning because they can block access to closed ports.

Remote login: A remote login occurs when a remote system connects to another system over a network or the internet. The connection can be any type of link between two systems that involves an authentication process. This would include VPN (virtual private network) links, user account-specific FTP (File Transfer Protocol) connections, and Telnet sessions. Remote logins can grant distant users anything from the ability to download files to complete control of the system. Firewalls are effective only against remote logins to unauthorized services or Trojan horse services. Many organizations employ remote connection tools, such as VPNs, to grant distant users access to their private networks. Firewalls are typically configured to allow these types of connections.

Software errors: Errors in the coding of an operating system, software, or device drivers can introduce security vulnerabilities. These could allow intruders unwanted access or permit DoS attacks. When exploitation of software errors occurs over authorized connections, firewalls are ineffective in preventing such attacks.
Source routing: Source routing is a complex attack that involves editing the headers of packets used in an attack. Typically, as packets are transmitted over a TCP/IP network, routers between the source and destination determine the actual path they take. Source routing occurs when the source (the sender) of packets predetermines the primary route over which packets must be delivered. Crackers can use source routing to make attacking packets appear as if they originated from a trusted location, such as inside a private network or a trusted partner network. Most firewalls are effective against source routing attacks, especially those that make inbound packets seem like they originated from the private network.

Spoofing attacks: Spoofing is the art and science of pretending to be something different from what you actually are. Spoofing is often used to fake the source and/or destination addresses in attack packets. Firewalls are effective against spoofing attacks.
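Three of the entries above (port scanning, source routing, and spoofing) are ones the lesson rates firewalls as effective or partially effective against, and the reason is the same filter logic in each case. The following Python function is an added example of that logic written for this lesson, not the rule language of any real firewall: it refuses source-routed packets outright, drops inbound packets whose source address claims to come from the inside or from a private range (the spoofing/source-routing case), and applies default deny so that probes of unpublished ports are silently dropped (the port-scanning case). The address plan, the published services, and the sample packets are constructed.

```python
import ipaddress

# Constructed address plan: the firewall's inside interface fronts 192.168.1.0/24.
INTERNAL_NET = ipaddress.ip_network("192.168.1.0/24")

# Ranges that must never appear as a *source* on packets arriving from the internet:
# the inside network itself, the RFC 1918 private ranges, and loopback.
BOGON_SOURCES = [
    INTERNAL_NET,
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# The only services published to the outside (constructed): a web server and a mail relay.
ALLOWED_INBOUND = {("192.168.1.10", 80), ("192.168.1.10", 443), ("192.168.1.25", 25)}


def evaluate(pkt):
    """Return (verdict, reason) for a packet described as a dict with the keys
    iface ('outside' or 'inside'), src, dst, dport, proto and, optionally,
    source_routed (True when the IP header carries a source-route option)."""
    src = ipaddress.ip_address(pkt["src"])
    # 1. Source-routed packets let the sender dictate the path; drop them in either direction.
    if pkt.get("source_routed"):
        return "DROP", "source-routed packet"
    if pkt["iface"] == "outside":
        # 2. Anti-spoofing: an inbound packet cannot legitimately carry an inside,
        #    private or loopback source address.
        for net in BOGON_SOURCES:
            if src in net:
                return "DROP", f"spoofed source {src} ({net}) on outside interface"
        # 3. Default deny: only explicitly published services accept inbound connections,
        #    so a scan of any other port gets no answer at all.
        if pkt["proto"] == "tcp" and (pkt["dst"], pkt["dport"]) in ALLOWED_INBOUND:
            return "ACCEPT", "published service"
        return "DROP", "no rule permits inbound port"
    # Traffic leaving the inside network must carry an inside source address
    # (egress filtering keeps this network from being used to spoof others).
    if src not in INTERNAL_NET:
        return "DROP", f"egress spoof: {src} is not an inside address"
    return "ACCEPT", "outbound from inside network"


def run_samples():
    """Constructed packets covering the cases from the text: a probe of a closed
    port, a spoofed inside source, a source-routed packet, a legitimate web hit,
    and outbound traffic with and without a valid inside source."""
    samples = {
        "closed_port_probe": {"iface": "outside", "src": "198.51.100.7", "dst": "192.168.1.10", "dport": 23, "proto": "tcp"},
        "spoofed_inside_src": {"iface": "outside", "src": "192.168.1.50", "dst": "192.168.1.10", "dport": 80, "proto": "tcp"},
        "source_routed": {"iface": "outside", "src": "203.0.113.9", "dst": "192.168.1.10", "dport": 80, "proto": "tcp", "source_routed": True},
        "legit_web": {"iface": "outside", "src": "203.0.113.9", "dst": "192.168.1.10", "dport": 443, "proto": "tcp"},
        "outbound_ok": {"iface": "inside", "src": "192.168.1.50", "dst": "192.0.2.80", "dport": 443, "proto": "tcp"},
        "outbound_spoof": {"iface": "inside", "src": "10.9.9.9", "dst": "192.0.2.80", "dport": 443, "proto": "tcp"},
    }
    return {name: evaluate(p)[0] for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

Note what this filter does not decide: the `legit_web` packet is accepted purely because port 443 on the web server is published, so a brute-force login, a backdoor, or a software-error exploit carried over that connection passes exactly as the earlier entries describe.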
Viruses: A virus is malicious code that's capable of duplicating and spreading itself. Some viruses can cause damage to a system through file corruption and deletion. Other viruses cause DoS conditions as they consume system resources when they spawn and reproduce themselves. Viruses can spread through programs, documents, or email. Firewalls are ineffective against viruses unless they employ a built-in or add-on antivirus scanner to search for viruses in all traffic that crosses the border device.

Spyware: The worst type of spyware is a program that monitors system activity and records data of potential interest to crackers (such as passwords, account names, credit card numbers, and other sensitive data of potential value if compromised). Other types simply monitor user activity and report on it so that advertisers or retailers can identify and target choice sales prospects. Spyware is usually installed surreptitiously, without the consent of the user of the machine on which it takes up residence. It can be a real pain to recognize and remove, and can also cause system slowdowns, instability, and even crashing. Firewalls can be effective against some spyware, but depending on how the program operates, they may not be. As with viruses, it's best to obtain a specialized application that keeps your system free of spyware.

Adware: Adware is software that facilitates delivery of unwanted advertisements, web pages, or other content to a desktop, usually through a web browser. All kinds of unwanted software elements can be involved with adware, but like spyware, it's usually installed surreptitiously without user consent. As with viruses and spyware, firewalls can be ineffective against certain types of adware because they're often installed after an unknowing user clicks a link or installs a program that has adware hidden in it. Because a user initiated the installation or clicked the link, a firewall can interpret this as a legitimate request. Do yourself a favor and install an anti-adware application.
As you can see, the number of attacks that a firewall cannot protect against is significant. That should reinforce the notion that a firewall is by no means a total security solution, but must instead be integrated into a complete security implementation. This doesn't mean that firewalls aren't useful and can't help protect your network -- they are a key element in network protection as previous lessons in this course have shown. However, the best way to create a complete network security policy is to understand all possible threats and select the best collection of solutions to prepare for and deter them.
Best security practices
The Microsoft "Protect Your PC" web page recommends installing a firewall and antivirus software and keeping Windows patched and up-to-date. Although these elements are indeed important to protecting PCs (and the networks to which they may be attached), they no longer cover all the bases that need covering to maintain adequate protection for PCs (or other types of systems, for that matter). Most security experts also recommend that the following other security elements be part of any PC's basic security capabilities to deal with threats that the internet can pose:
Anti-adware/spyware software: Given how pervasive and potentially destructive adware and spyware can be, it's imprudent to access the internet without such protection. Here again, numerous good freeware programs are available, including Microsoft's own AntiSpyware, Lavasoft's Ad-Aware SE Personal, or Patrick Kolla's Spybot Search & Destroy. Most security experts also recommend using multiple anti-adware/spyware packages for regular scanning, with one assigned to real-time monitoring, because no single anti-spyware/adware package has been demonstrated to be 100 percent effective against all known forms of adware and spyware. Recent studies indicate that the vast majority of systems not protected with such tools are infected with 50 or more spyware or adware items.
Anti-spam/spam-blocking software: Recent statistics demonstrate that four out of every five email messages traveling over the internet are unwanted spam. Nobody should open an inbox without multiple layers of anti-spam protection at work, including spam screening from your ISP, your email provider, and possibly from an anti-spam screening service. For spam that still reaches your inbox, use add-in anti-spam software and your email package's spam or junk mail filters.

Pop-up blockers: An increasing number of web browsers (including the version of IE that ships with Windows XP SP2) include built-in tools to block pop-up ads and unwanted browser windows. That said, there are lots of free pop-up blockers available, including those from well-known portals like Google and Yahoo!. It's also a good idea to monitor software that web pages seek to install, including active content and so-called BHOs (browser helper objects). The SP2 version of Internet Explorer also protects against those, as do other modern browsers; older browsers can take advantage of numerous freeware and shareware programs for protection, too.
When combined with antivirus software, a firewall, and regular, frequent operating system updates (especially security updates), all of the preceding elements provide sufficient coverage to maintain reasonable system security and integrity. It's an ongoing effort, however, and something that must be monitored regularly, because as new threats or exploits are discovered, new ways to protect against them will also become necessary.
In this course, you learned the basics about how firewalls work and what roles they play in more complete security solutions. You met TCP/IP -- the protocol stack that drives internet communications -- and discovered how firewalls work to make TCP/IP communications more secure. Although this one course can't turn you into a networking or firewall guru, you should have a better idea about what you can expect a firewall to do for you, be better able to work with IT professionals to install and maintain a SOHO or enterprise firewall, or perhaps to manage your own firewall at home. Before you leave the course, be sure to complete the assignment and quiz. Also, visit the Message Board to ask any questions you might have about firewalls and network security. Thanks for taking this course and good luck in your future networking adventures!
Planning for attacks assignment
Assignments are designed to help you apply the information learned in the lessons.

Reviewing best security practices

There are nearly as many opinions on best security practices as there are pundits prepared to pronounce them. That said, a lot of this information is well worth reading and reviewing, if only to get a sense of the range of practices, policies, and procedures that are worth considering when formulating your own approach. The following list of resources is just a small sampling of what's widely available, but all are real nonpareils of this genre. Be sure to bookmark or add to your favorites those that you find most useful and informative.
CERT (formerly known as the Computer Emergency Response Team at Carnegie Mellon University) is a source of all kinds of important information security news, information, analysis, and guidance. Among many other resources available on the website, the Home Computer Security section is a great source of information for SOHO users seeking secure systems and networks. For corporate users, the Guide to System and Network Security Practices is invaluable.

Markus Jansson's Securing yourself & your computer is a great Q&A that can guide home and small office users through the process of tightening up and securing their PCs. It takes some time to work your way through the questions and answers, but it is well worth the effort.

Microsoft maintains an entire collection of documents, tutorials, how-tos, and more, at its Security At Home web pages. Here again, there's a lot of material to explore and investigate, but the time and effort expended in doing so will reap security rewards.
Though it was pulled together in February, 2002, the PC Magazine article Keeping It Safe: A Checklist for Internet Security remains pretty relevant even in 2005 as these materials are updated. Read this material to get a sense of the range and kinds of activities involved in making internet-connected systems as safe as possible.

TomCat Internet Solutions has put together a set of instructions on how to Secure Your Home Computer that covers most of the conceivable bases as well or better than any other current resources around. They update these materials regularly, so this is a great place to start your review.

Quizzes are designed to give you a chance to test your knowledge.
1. What's the primary purpose of an IDS?
A. To actively repel attackers
B. To track down the origin of intruders
C. To monitor for unwanted activity
D. To dynamically reconfigure security controls

2. True or False: An intruder or an attacker can be just about anyone.
A. True
B. False

3. True or False: A host IDS is good at detecting DoS attacks.
A. True
B. False

4. What's the first step in deploying barriers to prevent attacks?
A. Create a security policy
B. Harden the host
C. Deploy an IDS
D. Implement physical access controls

5. Firewalls are effective against which of the following types of attack? (Check all that apply.)
A. Application backdoors
B. Bulk e-mail attacks
C. DoS
D. Port scanning
E. Source routing