This chapter is from the book

Managing Your Firewall

Once you have decided on the personal firewall that meets your needs, you will need to maintain it. Like everything else in the world of computers, things change. New vulnerabilities are discovered, new exploits released, new attacks launched against your computer every day. How will you keep up? Here are a few pointers on living with and maintaining your firewall.

Logs

Logs give you a picture of what is happening on your host and what sort of traffic the firewall is seeing. You can submit logs to online communities (such as dshield) to be combined with the logs from other reporters. Doing this helps analysts identify trends and often they can find new attacks early on and notify the security community. Early identification helps us all defend ourselves more effectively.

Logs can also allow you to identify what sort of traffic your machine is initiating. If you are not expecting your computer to go out and connect to Windows shares on other computers, yet you see the traffic in your log, it's time to investigate your computer. If your 17-year-old is spending a lot of time at hacking sites, maybe it's time to have a talk.
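As an added illustration of the check this section describes (not code from the book), here is a small Python script that parses a handful of constructed sample log lines in a generic direction/protocol/source/destination/action format, flags allowed outbound connections to Windows file-sharing ports, and counts blocked inbound probes per port, the kind of summary worth submitting to a community collector such as DShield. The log format and the sample lines are assumptions, not any vendor's real output.

```python
import re
from collections import Counter

# Constructed sample log, in an assumed generic personal-firewall format:
# date time direction proto src:port dst:port action
SAMPLE_LOG = """\
2002-03-01 09:12:01 OUT TCP 192.168.1.10:1034 203.0.113.5:80 ALLOW
2002-03-01 09:12:07 IN  TCP 198.51.100.7:4021 192.168.1.10:139 BLOCK
2002-03-01 09:13:15 OUT TCP 192.168.1.10:1041 198.51.100.22:445 ALLOW
2002-03-01 09:13:20 IN  UDP 198.51.100.7:1029 192.168.1.10:137 BLOCK
2002-03-01 09:14:02 OUT TCP 192.168.1.10:1042 198.51.100.22:139 ALLOW
2002-03-01 09:15:30 IN  TCP 203.0.113.9:3351 192.168.1.10:21 BLOCK
"""

# Ports used by Windows file and print sharing (NetBIOS over TCP/IP and SMB).
WINDOWS_SHARE_PORTS = {135, 137, 138, 139, 445}

LINE_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

def parse_log(text):
    """Turn raw log text into a list of dicts; lines that don't parse are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sport"], d["dport"] = int(d["sport"]), int(d["dport"])
            entries.append(d)
    return entries

def unexpected_outbound(entries, watched_ports=WINDOWS_SHARE_PORTS):
    """Allowed outbound connections to ports this host is not expected to use,
    e.g. connections to Windows shares on other machines."""
    return [e for e in entries
            if e["dir"] == "OUT" and e["action"] == "ALLOW" and e["dport"] in watched_ports]

def blocked_inbound_by_port(entries):
    """Count blocked inbound probes per destination port (a trend summary)."""
    return Counter(e["dport"] for e in entries
                   if e["dir"] == "IN" and e["action"] == "BLOCK")

if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in unexpected_outbound(entries):
        print(f"investigate: {e['time']} {e['proto']} to {e['dst']}:{e['dport']}")
    print("blocked inbound by port:", dict(blocked_inbound_by_port(entries)))
```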

Upgrades

So, you installed the software, or plugged in the hardware. You're done, right? Wrong. Signature updates, changes in threats (making for changes in rules), firmware upgrades, and major software upgrades will keep you busy. Even hardware appliances require the occasional upgrade; remember the SNMP vulnerability alert issued in early 2002. Generally, hardware will require a firmware upgrade, which can be a more complicated, or at least less familiar, task than a software upgrade on the computer.

SNMP

Simple Network Management Protocol is an internetwork management standard used to monitor and manage network devices like routers, switches, and even servers. The protocol defines SNMP messages used to perform functions such as information requests, configuration changes, responses to requests, issuing alerts, and so on.

In February 2002, CERT issued an advisory regarding multiple vulnerabilities in how most vendors handled these functions. As a result, hundreds of hardware devices had to be patched to protect against a newly released tool that could exploit the vulnerabilities.

Internet Service Provider Issues

While Internet service providers (ISPs) should be embracing personal firewall technology, many are not. The many types of personal firewalls available make it very hard for an ISP helpdesk to troubleshoot client problems. They simply cannot know all the software, nor can they know how the client has configured the software. This difficulty has led some ISPs to state outright that they will not help a client until they have removed the firewall. The security freak in me goes "Yikes!" ISPs argue they are responsible for the network connection to your computer only, not for any software you may choose to install. So, if you end up with connectivity problems, you will need to understand your personal firewall well enough to eliminate it as a cause of connectivity failure.

With Windows products, you can generally right-click the system tray icon that corresponds to your firewall and choose to shut off the firewall features. The system tray icon will then change to indicate that the firewall is not currently functioning. You can then proceed to test your Internet connection, and follow the ISP help desk's instructions without fear that a rule you created has caused the problem.

Some security experts are calling on ISPs to provide protection to their clients in some form. The reality is that unprotected, always-on computers are being used in attacks against major targets. The security world would like ISPs to take a role in protecting the Internet as a whole. Pick your personal firewall and install it while we wait to see what develops on this front.

Defense in Depth

The theory behind defense in depth is that if one layer misses the attack, another one will stop it. Corporate IT departments use this method with virus scanning. Generally, software is used to scan email as it comes in from the Internet; software is loaded on your desktop to stop viruses from spreading via removable media and to catch anything the email scanner missed. Finally, nightly antivirus scans of all servers are performed to catch anything that may have made it past the other two layers.

Likewise, you want to layer the defenses of your home network. Begin by disabling any services you do not use—turn off file and print sharing in Windows if you don't need it and disable services like FTP in Linux. Next, make use of any firewall features that come with your operating system, if possible. Use a router that does NAT; hiding your hosts does have its benefits. Add on third-party personal firewall software. Finally, throw in an IDS and antivirus software while you're at it. By using all these products, you have added depth to your security posture. Table 4–2 shows the layers you may want to use, working from the perimeter of your network in to the local host.

TABLE 4–2 Defense in Depth

| Layer | Strategy | Notes |
|---|---|---|
| 1 | NAT | Router at perimeter performs NAT for LAN |
| 2 | Static packet filter | Router at perimeter also has broad filters defined |
| 3 | Personal firewall | Firewall installed on local host(s) to restrict communications |
| 4 | IDS | IDS on local host(s) to alert on unwanted communication |
| 5 | Disable unused services | An attacker cannot exploit a service that isn't running |
| 6 | AV software | Catch malware that enters the computer through means other than direct communication (email, floppy disk, FTP, etc.) |
| 7 | Enable OS firewall features | If applicable |
