- Identifying Risks
- Assessing Your Needs
- Managing Your Firewall
- Summary
Managing Your Firewall
Once you have decided on the personal firewall that meets your needs, you will need to maintain it. Like everything else in the world of computers, things change. New vulnerabilities are discovered, new exploits released, new attacks launched against your computer every day. How will you keep up? Here are a few pointers on living with and maintaining your firewall.
Logs
Logs give you a picture of what is happening on your host and what sort of traffic the firewall is seeing. You can submit logs to online communities (such as dshield) to be combined with the logs from other reporters. Doing this helps analysts identify trends and often they can find new attacks early on and notify the security community. Early identification helps us all defend ourselves more effectively.
Logs can also allow you to identify what sort of traffic your machine is initiating. If you are not expecting your computer to go out and connect to Windows shares on other computers, yet you see the traffic in your log, it's time to investigate your computer. If your 17-year-old is spending a lot of time at hacking sites, maybe it's time to have a talk.
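As an added example (not code from the book), the script below applies the two log uses described above to a handful of constructed firewall log lines: it flags allowed outbound connections to Windows file-sharing ports (the "why is my machine connecting to other computers' shares?" case) and summarizes blocked inbound probes per port, which is the kind of view a community collector such as DShield aggregates. The log line layout is a hypothetical, generic one; real products each have their own format, so `parse_line()` is the piece to adapt.

```python
"""Flag unexpected outbound traffic and summarize blocked inbound probes.

Added example, not from the book. The log layout below
("timestamp action proto direction src:port -> dst:port") is a constructed,
generic format, not any vendor's real format.
"""
import re
from collections import Counter

# Ports used by Windows file and print sharing (NetBIOS name/datagram/session
# services and SMB over TCP).
WINDOWS_SHARE_PORTS = {137, 138, 139, 445}

# Constructed sample log lines in the hypothetical format described above.
SAMPLE_LOG = """\
2002-03-01 08:12:01 ALLOW TCP OUT 192.168.1.10:1045 -> 64.12.8.4:80
2002-03-01 08:12:05 BLOCK TCP IN 10.0.0.77:3211 -> 192.168.1.10:445
2002-03-01 08:13:40 ALLOW TCP OUT 192.168.1.10:1052 -> 172.16.5.9:445
2002-03-01 08:13:41 ALLOW UDP OUT 192.168.1.10:137 -> 172.16.5.9:137
2002-03-01 08:15:00 BLOCK UDP IN 203.0.113.5:161 -> 192.168.1.10:161
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<dir>IN|OUT) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def parse_log(text):
    """Parse every recognizable line of a log, silently skipping the rest."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def unexpected_outbound_shares(records):
    """Allowed outbound connections to Windows share ports.

    If you do not expect this host to reach out to other computers' shares,
    each of these lines is a reason to investigate the host itself.
    """
    return [r for r in records
            if r["dir"] == "OUT" and r["action"] == "ALLOW"
            and r["dport"] in WINDOWS_SHARE_PORTS]


def blocked_inbound_summary(records):
    """Count blocked inbound probes per destination port: the view that is
    useful to share with a community log collector."""
    return Counter(r["dport"] for r in records
                   if r["dir"] == "IN" and r["action"] == "BLOCK")


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in unexpected_outbound_shares(recs):
        print("INVESTIGATE:", r["ts"], r["proto"], "->", f'{r["dst"]}:{r["dport"]}')
    for port, n in sorted(blocked_inbound_summary(recs).items()):
        print(f"blocked inbound to port {port}: {n}")
```

Running it on the sample prints two INVESTIGATE lines (the TCP 445 and UDP 137 connections to 172.16.5.9) and one blocked-probe count each for ports 445 and 161; on a real log, the outbound report is the one to read first.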
Upgrades
So, you installed the software, or plugged in the hardware. You're done, right? Wrong. Signature updates, changes in threats (making for changes in rules), firmware upgrades, and major software upgrades will keep you busy. Even hardware appliances require the occasional upgrade; remember the SNMP vulnerability alert issued in early 2002. Generally, hardware will require a firmware upgrade, which can be a more complicated, or at least less familiar, task than a software upgrade on the computer.
SNMP
Simple Network Management Protocol is an internetwork management standard used to monitor and manage network devices like routers, switches, and even servers. The protocol defines SNMP messages used to perform functions such as information requests, configuration changes, responses to requests, issuing alerts, and so on.
In February 2002, CERT issued an advisory regarding multiple vulnerabilities in how most vendors handled these functions. As a result, hundreds of hardware devices had to be patched to protect against a newly released tool that could exploit the vulnerabilities.
Internet Service Provider Issues
While Internet service providers (ISPs) should be embracing personal firewall technology, many are not. The many types of personal firewalls available make it very hard for an ISP helpdesk to troubleshoot client problems. They simply cannot know all the software, nor can they know how the client has configured the software. This difficulty has led some ISPs to state outright that they will not help a client until they have removed the firewall. The security freak in me goes "Yikes!" ISPs argue they are responsible for the network connection to your computer only, not for any software you may choose to install. So, if you end up with connectivity problems, you will need to understand your personal firewall well enough to eliminate it as a cause of connectivity failure.
With Windows products, you can generally right-click the system tray icon that corresponds to your firewall and choose to shut off the firewall features. The system tray icon will then change to indicate that the firewall is not currently functioning. You can then proceed to test your Internet connection, and follow the ISP help desk's instructions without fear that a rule you created has caused the problem.
Some security experts are calling on ISPs to provide protection to their clients in some form. The reality is that unprotected, always-on computers are being used in attacks against major targets. The security world would like ISPs to take a role in protecting the Internet as a whole. Pick your personal firewall and install it while we wait to see what develops on this front.
Defense in Depth
The theory behind defense in depth is that if one layer misses the attack, another one will stop it. Corporate IT departments use this method with virus scanning. Generally, software is used to scan email as it comes in from the Internet; software is loaded on your desktop to stop viruses from spreading via removable media and to catch anything the email scanner missed. Finally, nightly antivirus scans of all servers are performed to catch anything that may have made it past the other two layers.
Likewise, you want to layer the defenses of your home network. Begin by disabling any services you do not use: turn off file and print sharing in Windows if you don't need it, and disable services like FTP in Linux. Next, make use of any firewall features that come with your operating system, if possible. Use a router that does NAT; hiding your hosts does have its benefits. Add on third-party personal firewall software. Finally, throw in an IDS and antivirus software while you're at it. By using all these products, you have added depth to your security posture. Table 42 shows the layers you may want to use, working from the perimeter of your network in to the local host.
TABLE 42 Defense in Depth

| Layer | Strategy | Notes |
| --- | --- | --- |
| 1 | NAT | Router at perimeter performs NAT for LAN |
| 2 | Static packet filter | Router at perimeter also has broad filters defined |
| 3 | Personal firewall | Firewall installed on local host(s) to restrict communications |
| 4 | IDS | IDS on local host(s) to alert on unwanted communication |
| 5 | Disable unused services | An attacker cannot exploit a service that isn't running |
| 6 | AV software | Catch malware that enters computer through means other than direct communication (email, floppy disk, FTP, etc.) |
| 7 | Enable OS firewall features | If applicable |
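The "disable unused services" layer is the one a home user can check most directly: list what is listening on the host and compare it with what you have decided you actually need. The script below is an added example, not from the book. It parses constructed, netstat-style output (the column layout is assumed; real `netstat -an` output differs by platform, so adjust `LISTEN_RE` for yours) and reports every listener that is not on a small allowlist, naming the well-known services the chapter suggests turning off and noting whether each one is bound to all interfaces or to loopback only.

```python
"""Audit listening services on a host against an allowlist.

Added example, not from the book. Parses constructed netstat-style lines
(layout assumed; real output varies by platform) and reports listeners
that are not on the expected list, i.e. candidates to disable.
"""
import re

# Services you have decided you actually use on this host. Assumption for
# the example: only SSH on TCP 22. Everything else listening is suspect.
EXPECTED_LISTENERS = {("tcp", 22)}

# Well-known ports for services commonly left running on a home host.
KNOWN_SERVICES = {
    21: "FTP", 23: "Telnet", 25: "SMTP", 80: "HTTP", 137: "NetBIOS-NS",
    138: "NetBIOS-DGM", 139: "NetBIOS-SSN", 161: "SNMP", 445: "SMB",
}

# Constructed sample output in a Linux-like "netstat -an" layout.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:139             0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.10:1045       64.12.8.4:80            ESTABLISHED
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""

# Matches a socket line; the State column is optional because UDP has none.
# A TCP line in any state other than LISTEN fails to match on purpose.
LISTEN_RE = re.compile(
    r"^(?P<proto>tcp6?|udp6?)\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)"
    r"\s+\S+\s*(?P<state>LISTEN)?\s*$"
)


def parse_listeners(text):
    """Return (proto, bind_addr, port) for sockets that accept input.

    TCP sockets count only in LISTEN state; a bound UDP socket always counts,
    since it receives datagrams without any connection state.
    """
    found = []
    for line in text.splitlines():
        m = LISTEN_RE.match(line)
        if not m:
            continue
        proto = m.group("proto").rstrip("6")
        if proto == "tcp" and m.group("state") != "LISTEN":
            continue
        found.append((proto, m.group("addr"), int(m.group("port"))))
    return found


def unexpected_listeners(listeners, expected=EXPECTED_LISTENERS):
    """Listeners not on the allowlist, as (proto, port, service, exposure)."""
    report = []
    for proto, addr, port in listeners:
        if (proto, port) in expected:
            continue
        name = KNOWN_SERVICES.get(port, "unknown")
        exposure = "loopback only" if addr.startswith("127.") else "all interfaces"
        report.append((proto, port, name, exposure))
    return report


if __name__ == "__main__":
    for proto, port, name, exposure in unexpected_listeners(
            parse_listeners(SAMPLE_NETSTAT)):
        print(f"{proto}/{port} ({name}) listening on {exposure}: disable if unused")
```

On the sample this reports FTP, SMTP (loopback only), NetBIOS session service and SNMP; the established HTTP connection is correctly ignored because it is client traffic, not a listener. Anything reported that you cannot explain belongs in the "turn it off" column before you spend time on firewall rules for it.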