Home > Articles > Security > Network Security

  • Print
  • + Share This
This chapter is from the book

Assessing Your Needs

How do you identify your needs? This will rely on identifying your skills, interests, and aptitudes. If you are someone who loves to play with computers, seeing them as an exciting toy and technology, you might want to use a fire-wall tool that requires a little more hands-on configuration and monitoring. If you just like to be able to turn on your computer and have it work—it's just a productivity tool or entertainment device—you'll probably want some firewall software that just looks after things for you like antivirus software does; something you just turn on and forget about. Or you could be someone in between.

So, when you are looking for software you want to consider features such as:

  • Ease of use
  • Configuration
  • Levels of protection
  • Ability to address emerging concerns
  • Intrusion detection
  • Logging
  • Licensing

Let's examine some of these items further.

Ease of Use

Simple to use and configure software comes in many forms. Most antivirus vendors are offering personal fire-wall products. You can even find suites of security software offered that include a personal firewall, antivirus software, intrusion detection software, content-filtering software, and more. Products are available for the Mac as well as Windows operating systems. There are not a lot of commercial products for Linux (or other free *nix flavors). It is the nature of the open source community to produce and make available products, but you'll not likely find the same "run it and forget it" type software for Linux. Most Linux users seem to prefer a more hands-on product anyhow.

On Linux, you always have ipchains. Iptables is available for Linux beginning with kernel 2.4. You will require knowledge of the Internet protocol (IP) as well as the operating system to configure it effectively. Furthermore, you will have to maintain current knowledge of the new threats on the Internet. Most commercial packages have update features that allow you to easily remain current.

Let's start out our attempt to provide the security defined in our policy by trying the Windows XP Internet Connection Firewall (ICF) (Figure 4–2). After all, it's free with the operating system.

Figure 4-2 FIGURE 4–2 Windows XP ICF. Enable the ICF by checking the box on the Advanced Tab of the Local Area Connection Properties dialogue. Screen shot reprinted by permission from Microsoft Corporation


There, we're done. We have now enabled the fire-wall. However, a quick look in the documentation shows us that all we have done is blocked unsolicited inbound traffic. Our security policy requires us to be able to block certain types of outbound traffic, though. So, while the product is simple to use, and may meet the needs of some users, it doesn't meet our needs.

What about another product, then? BlackICE has a preconfigured setting called paranoid that also blocks all unsolicited traffic, but again, it won't allow us to restrict outbound traffic. The signature detection used by Black-ICE can alert and block outgoing traffic that matches a known pattern that provides us with more peace of mind than XP's ICF, which just assumes everything the local computer wants to do is fine.

Almost every product available now has a selection of default configurations. These defaults do make for a very easy-to-use firewall. But, as we have seen, sometimes the preconfigured settings don't allow us to apply our security policy rules. So, ease of use is not enough of a reason to choose a personal firewall. You need to be able to modify the predefined rules as well.

Configuration

Each product works differently. Some, like ZoneAlarm (Figure 4–3), can be taught rules as you go. When an application attempts to connect to the network, you are prompted to make a choice. This style of configuration relies on the user understanding what applications need to connect to the network and allowing them, but blocking those that should not be accessing the network. Programs like your mail client and Web browser are obviously going to need to connect, but what else do you run that tries to connect?

Figure 4-3 FIGURE 4–3 ZoneAlarm. A fresh install of Zone Alarm with the defaults chosen. We have not yet begun to teach it any specific applications. Copyright © 1999–2002 Zone Labs, Inc. All rights reserved.


Having installed ZoneAlarm and chosen the pre-defined settings, we now end up teaching the product the specifics of our environment. "High Security" for the Internet zone still allows us to communicate outbound, assuming the application trying to access the zone has appropriate permissions. In that case, when ZoneAlarm prompts us to allow our browser to access the Internet, we'll say yes. Unfortunately, browsers can be used to access more than just ports 80 and 443; they can also be used for FTP, or other odd ports like 3128 or 5050. Now, we stated in our policy that we would allow HTTP, HTTPS, and FTP communication from our computer, but not some of the other ports that a browser can access. Either we'll have to find a way to block ports other than those specifically allowed, or revisit our security policy. Perhaps there are browser-based services we need to access that do not run on ports 80 or 443.

You can adjust the settings in ZoneAlarm to block specific ports. To do this, click on the Custom button for the Internet Zone, as displayed in Figure 4–3, then edit the "Block outgoing TCP ports" setting.

If you like a graphical user interface or plug-and-play type functionality, you'll like these products (see Figure 4–4). But, if you like to tinker, you're going to want to look at something else. In the Linux world, iptables comes with the 2.4 kernel. Iptables is a stateful replacement for ipchains. GUIs can be found to help you get started with ipchains, but you will find more flexibility by configuring it from scratch. There are many helpful Web sites to get you started with basic rule sets for both products. Products like these certainly allow you a very fine level of configurabil-ity. And, like most things Linux, these are free products.

Figure 4-4 FIGURE 4–4 ZoneAlarm. Prompt to allow Internet Explorer to access the Internet. We can check the "Remember..." box to tell ZoneAlarm not to prompt us in the future. Copyright © 1999–2002 Zone Labs, Inc. All rights reserved.


Let's consider an ipchains rule set that will allow for the functionality we are interested in.

Chain input (policy REJECT):
Num   target    prot       opt               source           destination      ports
1     ACCEPT    tcp        -y--l-           0.0.0.0/0         localhost         80->*
2     ACCEPT    tcp        -y—-l-           0.0.0.0/0         localhost         443->*
3     ACCEPT    tcp        -y—l             0.0.0.0/0         localhost         110->*
4     ACCEPT    tcp        -y--l-           0.0.0.0/0         localhost         25->*
5     ACCEPT    tcp        -y--l-           0.0.0.0/0         localhost         21->*
6     ACCEPT    tcp        -y--l-           0.0.0.0/0         localhost         5000->*
7     ACCEPT    udp        l-               0.0.0.0/0         localhost         53->*

Chain output (policy REJECT):
Num    target   prot       opt            source            destination       ports
1      ACCEPT   tcp        -y--l-         localhost         0.0.0.0/0          * ->80
2      ACCEPT   tcp        -y—-l-         localhost         0.0.0.0/0          * ->443
3      ACCEPT   tcp        -y--l-         localhost         0.0.0.0/0          * ->110
4      ACCEPT   tcp        -y--l-         localhost         0.0.0.0/0          * ->25
5      ACCEPT   tcp        -y--l-         localhost         0.0.0.0/0          * ->21
6      ACCEPT   tcp        -y--l-         localhost         employer/0         * ->5000
7      ACCEPT   udp        l-             localhost         dnsserver/0        * ->53

This should do the trick for us. But we've enabled logging so that when we try to use the various services, we can check the log if something doesn't work.

One very big consideration is our desire to use a virtual private network (VPN). If you use VPN software to connect to an employer's network, you must be sure that the firewall you select will allow the VPN software to function. Most can be configured to allow VPN traffic, but testing is always advisable. Check with your corporate IT department, as they may already know which products work and how to configure them. The catch with a VPN comes in the way that a tunnel is established. In short, your host will initiate the communication, but the VPN device at the remote location will send SYN packets back as part of setting up the tunnel. To many firewalls, these SYN packets appear to be unsolicited; however, they are part of the VPN application, just not part of an already established TCP session.

Protection Levels

Having decided how much work you want to do to remain protected, you need to look at your security policy again. The policy will help you decide what level of protection you are going to need. Will the product you have chosen automatically provide that level? Or are you going to have to teach it some settings? For example, Windows XP allows you to easily signify that you are running certain common services and allow related traffic through. You cannot con-figure it to allow you to set up a VPN, though. So, while it may meet all your ease-of-use requirements, it may not allow you the functionality you need.

Generally, products provide three basic protection levels: none, medium/low, and high (see Figure 4–5). "None," or no protection, is just that; the firewall features are turned off and all traffic is allowed to pass in or out of your system. Using this level could be one way you can test that your computer can communicate during troubleshooting steps. Generally, though, you do not want to set your protection to "none" unless you are using some other means of protecting your computer.

The medium level of security typically allows the average user to use every standard Internet service; you should be able to game, use streaming media, and even instant messaging services without additional configura-tion of the firewall rules. You may still have to respond to pop-ups and grant the applications permission to access the network, though.

Figure 4-5 FIGURE 4–5 GNOME-Lokkit configuration. The Lokkit tool can be used to configure basic settings for the ipchains firewall in Linux. Screen shot copyright 2002 Red Hat, Inc. All rights reserved. Reprinted with permission from Red Hat, Inc.


Finally, a high level of security typically restricts everything that isn't necessary for you to actually connect to the Internet. DHCP must be allowed so that your computer can get an IP address from your ISP and DNS replies are necessary for functionality as well.

Updates

How is the software updated? Is it costly in dollars or time? Is it realistic to think that you will perform the update regularly? You might love the challenge of getting iptables con-figured properly. Will it still be fun if you have to reconfigure it every week? You might be better off finding a product that has an automatic update feature (Figure 4–6).

Figure 4-6 FIGURE 4–6 ZoneAlarm updates. This screen will pop up when the program recognizes that there is an update available. You can configure the update features in the Overview window of the program. Copyright © 1999–2002 Zone Labs, Inc. All rights reserved.

Do such products even exist for your chosen operating system?

As new vulnerabilities are found and exploits written, the threats to your information systems change. Vulnerabilities are found in personal firewalls; firewalls are just software products, after all. Even hardware appliances use software, although it is called firmware. So, how will you react to these new threats? Will you be able to easily, even automatically, update your software or firmware or will you end up having to add rules or install a whole new version? Admittedly, one of the joys with much commercial software is that it can be updated easily, often as easily as updating antivirus software. The technically pure among you may be bothered by the lack of control over what is happening with an automatic update. However, I think we can agree that personal firewalls are as necessary today as antivirus software. And like antivirus software, personal firewalls must be kept current.

Intrusion Detection

As noted in an earlier chapter, personal firewalls are being combined with intrusion detection features to enhance your protection. If this feature is important to you, obviously it will affect your choices. Essentially, some personal firewalls will adjust their rule set to react to an attack. The drawbacks to this include the potential for a denial of service attack against you. If the attack is spoofed, you may be denying access to innocent parties, and this in turn may deny you the ability to go somewhere or do something you want. What if someone tried an Xmas scan against you, using the IP address of your mail server? When your IDS reacts and changes the fire-wall rule set, you may be denied the ability to retrieve email. Oops. Generally, for the small home user, this may not be a big concern. A similar function in a corporate firewall could be very problematic.

XMAS SCAN

An Xmas scan has the TCP flags FIN, URG, and PSH set in the header. These flags are never normally set in TCP packets, so they are indicative of a crafted packet. Since RFC 793 indicates that a RST packet should be returned in this case, an attacker can use these crafted packets to map your network.

A Full-Xmas scan has all TCP flags set: SYN, ACK, RST, FIN, URG, and PSH. Again, this pattern should never be seen.

The name comes from the appearance of the flags on the packet—they are all lit up, like a Christmas tree.

Now, if all you are interested in is seeing and understanding attacks, most products can be made to take care of this. Once you are alerted, you can take steps to stop an attack and block traffic intelligently. That is to say, a computer is dumb and only follows the instructions it is given. You can look into the incident a little more carefully and decide if you really want to block your mail server.

In Linux, iptables can be combined with a product like snort to provide alerting capabilities. Right now, Internet Security Systems' BlackICE PC Protection product is the Windows personal firewall that sells itself on its IDS-firewall integration. The current version of the software allows you to restrict which applications have access to the Internet, block inbound and outbound traffic based on simple rules, and will use intrusion signatures to block traffic that matches known malicious patterns. For example, Figure 4–1 showed how a tool like Trinoo could be used to cause a DDOS by allowing an attacker to control many master and slave computers. Well, BlackICE can detect Trinoo traffic leaving your host and block it. So, even if you managed to be infected with Trinoo, you would not be used as part of the DDOS attack against some victim. Furthermore, you would be notified of this activity and could take steps to clean up your system.

There are over 1,500 items in the BlackICE intrusions database. Table 4–1 just gives you a brief glimpse at the types of intrusions that are included.

TABLE 4–1 Select Intrusions Identified by BlackICE

Name

Information

Back Orifice Scan

Someone is scanning your system looking for the Back Orifice Trojan. This does not indicate an infection.

Code Red I

Worm attempting to propagate.

ISS Scan

Someone is using the commercially available ISS scanner to scan your system.

Subseven

IRC Notification Attempt by local machine to notify attacker that Subseven is installed. Indicates your system is probably compromised.

TCP Xmas Scan

Crafted packets used to try to map systems.

Trinoo Master Activity

A Trinoo Master is scanning your system to see if the Trinoo Daemon is installed.

Trinoo Daemon Activity

A Trinoo Master has tried to send a command to you.


Logs

The level, depth, breadth, and clarity of logging available to you are dependent on the product you chose to use (Figures 4–7 and 4–8). Logging varies from a line with the source and destination information and an attack "name" to full hexadecimal dumps of packet contents.

When the software assigns an attack name to a traffic pattern, this is based on a signature. You trust that the information is correct, but you are not getting the whole picture. I have seen products that link the attack name to a description of the attack. This is a nice feature for educating yourself. When you get the complete packet dumps in your logs you can identify exactly what is happening—if you take the time to understand them. Be realistic about the amount of time and effort you are willing to put into log review.

Figure 4-7 FIGURE 4–7 BlackICE alert. By default, this is all the log information you see. There are some more details available in the GUI, but to see the complete packet, you must enable packet capture or evidence capture in the BlackICE configuration settings. Copyright © 2002, Internet Security Systems, Inc. All rights reserved worldwide.


Figure 4-8 FIGURE 4–8 BlackICE packet. This data was captured for the highlighted ICMP entry above when the evidence capture feature was turned on. You must use a product like Microsoft's Network Monitor to view these packet captures. Screen shot reprinted by permission from Microsoft Corporation.


See Chapter 6 for a more in-depth discussion of logs and how to use them.

Licensing

When choosing your product, take into consideration the licensing rules and fees. Some commercial products are free for home use. When you want to use them in a business setting, even if it's just your home-based business, you will need to pay. Sometimes your corporate IT group will license software for employees. This can be good from a cost perspective, but they may also be centrally collecting and reviewing the logs. So, you may give up some privacy to use their software. Check before you decide if this is an important concern for you.

Of course, there is always open source, if you like the operating system choices you have. There is no point, at this time, in deciding to use iptables if you're only willing to run Windows 2000.

After the initial licensing fees, you may need and want to pay a yearly maintenance or subscription fee. As with antivirus subscriptions, this can be a wise investment—ensuring you are always current on the software (firewall engine) and attack signatures where applicable.

  • + Share This
  • 🔖 Save To Your Account

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020