SANS Internet Storm Center (ISC) InfoSec Forums


What's in a Firewall?

We continue to hear reports of companies, government agencies, and systems being hacked into by the "Bad Boys" of the Internet. Most recently it was confirmed that US Pentagon systems were hacked into and thousands of files were copied from the compromised systems. When I heard this report I thought, "How in the world does an organization like the Pentagon, with all of the resources it has, get penetrated?" If the defenses of an organization like the Pentagon can be breached, how do we, the average system owners with a whole lot fewer resources, protect ourselves?

As I thought about it, I realized that there are simply too many possible "holes" that can let the "Bad Boys" in. Once an attacker penetrates the perimeter, the internal systems are unprotected. Worms have penetrated many corporate networks through email systems, careless users, and USB devices. Once they are in, they spread quickly.

Today's worms and viruses initiate a large percentage of the attacks that take place. Today's hackers have become more and more sophisticated and continue to develop new methods to break in and avoid detection. You think you have the door closed and, voila, you turn around and there they are. Once in, they start looking for other victims inside the network that they can infect. They can also use the infected computer to attack other computers both inside and outside your network. Besides wasting your resources (bandwidth and others), they can get you or your company into a world of legal trouble. If your network is being used to perform a Denial of Service (DoS) attack or a network reconnaissance scan against another company's network, you have a responsibility to get the attack stopped immediately. Failure to do so can have devastating consequences.

Another concern is the potential "back doors" opened up by the compromise. What information does the "back door" provide access to? Does it allow the "bad boys" of the Internet to use your systems for whatever purpose they choose?

So how do you protect yourself?  How do you minimize the potential for your systems to be infiltrated?  

If you are protecting your home computer, you may need nothing more than a good firewall program installed on it. These programs can help you identify potential intrusions and, if configured correctly, can prevent the initial access from taking place. If you have a home network (wireless or hardwired) with multiple computers, a software firewall alone may not be enough. You may want to give your home network an extra bit of security by installing a hardware firewall. Most small businesses and home networks can benefit from a simple, inexpensive hardware firewall. For $100 or less you can get a device from Linksys, Netgear or D-Link that will allow you to set up firewall "rules" to protect your network. These devices help protect you against attacks by screening out malicious traffic as well as preventing your computers from participating in attacks without your knowledge.

A while back, I worked for a small ISP. We would get calls from our customers complaining about the speed of their connection. While investigating the speed issues, I often found that the customer's computer or a computer on their "network" was infected with some malicious program that was either sending massive amounts of spam or was a partner in a botnet and was doing a lot of "talking", or they had an unsecured wireless access point (WAP) that was being used by their neighbors to steal bandwidth and Internet connection. With the use of secured access points and firewalls, there were often substantial improvements in the perception of the customers.

Large businesses and organizations need to look at enterprise and/or host-based firewall solutions. There are many different ones out there, and research needs to be done on what is the best fit for the organization. Requirements such as VPN access, real-time monitoring, integrated web security, IPS/IDS, anti-spam/anti-virus or other features will dictate which one is right for the organization.

All of these methods work and, if set up correctly, will protect your environment. You will want to monitor and review logs to ensure that the network remains secure. It is an unfortunate fact of life that the firewall devices themselves may have holes that need to be "plugged". This means that you have to stay up to date on your firmware/patches and keep up with security-related information for whichever device you choose.
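The log review step is where an internally infected machine of the kind the ISP story describes (one spamming, or "talking" a lot to a botnet) usually shows up first, because a default-deny gateway logs every outbound connection it refuses. As an added example that is not part of the diary, the Python below parses iptables-style LOG lines and flags internal hosts whose dropped outbound traffic fans out to many mail servers on port 25 or walks many ports on one host. The log lines are constructed samples, and the FW-DROP-OUT / FW-DROP-IN prefixes are assumed --log-prefix values, not anything from the page; ICMP lines, which carry no ports, are counted but not port-scored.

```python
import re

# Constructed sample of iptables LOG output (not from the diary). The
# FW-DROP-OUT / FW-DROP-IN prefixes are assumed --log-prefix values on the
# gateway's default-deny rules for outbound and inbound traffic respectively.
SAMPLE_LOG = """\
Jul 15 10:02:11 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=25
Jul 15 10:02:12 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP SPT=51235 DPT=25
Jul 15 10:02:12 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.7 PROTO=TCP SPT=51236 DPT=25
Jul 15 10:02:13 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.8 PROTO=TCP SPT=51237 DPT=25
Jul 15 10:02:14 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=51238 DPT=25
Jul 15 10:05:01 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=40001 DPT=21
Jul 15 10:05:01 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=40002 DPT=22
Jul 15 10:05:01 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=40003 DPT=23
Jul 15 10:05:02 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=40004 DPT=445
Jul 15 10:05:02 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=40005 DPT=3389
Jul 15 10:05:02 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.40 DST=198.51.100.2 PROTO=TCP SPT=40006 DPT=8080
Jul 15 10:07:30 gw kernel: FW-DROP-OUT IN=eth1 OUT=eth0 SRC=192.168.1.9 DST=203.0.113.53 PROTO=UDP SPT=53222 DPT=53
Jul 15 10:09:00 gw kernel: FW-DROP-IN IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.1 PROTO=TCP SPT=6000 DPT=22
Jul 15 10:09:05 gw kernel: FW-DROP-IN IN=eth0 OUT= SRC=192.0.2.77 DST=203.0.113.1 PROTO=ICMP TYPE=8 CODE=0
"""

# One LOG line: the prefix, then SRC/DST/PROTO; SPT/DPT are present only for TCP/UDP.
LINE_RE = re.compile(
    r"FW-DROP-(?P<direction>IN|OUT) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log_line(line):
    """Return the fields of one iptables LOG line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    dpt = m.group("dpt")
    return {
        "direction": m.group("direction"),
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dport": int(dpt) if dpt is not None else None,  # ICMP lines carry no ports
    }


def summarize(log_text):
    """Group dropped packets by direction and source address: drop count,
    distinct destinations, and the destinations seen per destination port."""
    stats = {"IN": {}, "OUT": {}}
    for line in log_text.splitlines():
        rec = parse_log_line(line)
        if rec is None:
            continue
        entry = stats[rec["direction"]].setdefault(
            rec["src"], {"drops": 0, "dsts": set(), "by_port": {}})
        entry["drops"] += 1
        entry["dsts"].add(rec["dst"])
        if rec["dport"] is not None:
            entry["by_port"].setdefault(rec["dport"], set()).add(rec["dst"])
    return stats


def find_suspects(stats, fanout_threshold=5, scan_threshold=5):
    """Flag internal hosts whose dropped OUTBOUND traffic looks like a spam bot
    or a scanner. Inbound drops are not scored: they are the Internet background
    noise a firewall exists to absorb."""
    suspects = {}
    for src, entry in stats["OUT"].items():
        reasons = []
        smtp_targets = entry["by_port"].get(25, set())
        if len(smtp_targets) >= fanout_threshold:
            reasons.append(f"SMTP to {len(smtp_targets)} distinct mail hosts (possible spam bot)")
        if len(entry["by_port"]) >= scan_threshold and len(entry["dsts"]) <= 2:
            reasons.append(f"{len(entry['by_port'])} distinct ports tried on "
                           f"{len(entry['dsts'])} host(s) (possible port scan)")
        if reasons:
            suspects[src] = reasons
    return suspects


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for src, reasons in find_suspects(stats).items():
        print(src, "->", "; ".join(reasons))
    print("inbound drops by source:", {s: e["drops"] for s, e in stats["IN"].items()})
```

The thresholds are deliberately conservative defaults; a single host that resolves names against an outside server once (192.168.1.9 in the sample) is a misconfiguration to fix, not a compromise, and is reported only in the raw summary. Run it against the gateway's real log with `summarize(open("/var/log/kern.log").read())` once the --log-prefix values match your rules.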

I would be interested in what firewalls you are using and why.

Deb Hale, ISC Handler
Walla? The word you are looking for is "voila".
Anonymous
At home I use Astaro and have my network fully locked down. At my current job (health care) we use Juniper and it is mostly locked down. We are switching to Palo Alto, though. My last job used a fairly locked-down Check Point firewall, but it was VERY old. (Banking!)
Tri0x

Stonesoft's StoneGate firewall/VPN all the way. Intelligent design, least security advisories, awesome management and log data tools, and best HA.
Tri0x
Brand does not seem to matter too much these days. They all seem to last around the same number of years. I split the traffic up to multiple IPs. Checkpoint for larger commercial enterprise traffic; SonicWall or Cisco added for remote access users; Netgear (metal case ones) for SOHO use; low-end Cisco or Netgear for "cheap" segment isolators (e.g. sandbox or CAN).
Tri0x
All internet access via a Debian box, and all workstations forced into separate VLANs by switch; any communication between them (rarely actually necessary) must be explicitly permitted/facilitated by the Debian box acting as gateway. MAC-Forced Forwarding would work here too.
WLAN AP considered untrusted and only even switched on if absolutely needed for something; that, or any untrusted 'guest' machines, get their own special VLAN and its Internet connectivity can be enabled/disabled/filtered at will. Arpwatch alerting of each new device being connected to LAN (or to the WLAN AP). Total bandwidth in/out of each VLAN accounted in RRD log and graphed. All HTTP connections forced through a transparent proxy with logging in case it's necessary to carry out forensics after suspected intrusion. No outbound SMTP/DNS allowed; must use the locally-provided services. Snort IDS monitoring everything going to/from Internet, with real-time email alerts for anything at Priority 1 and periodic reviews of anything else. Considering one or more OpenBSD boxes in place of the Debian box, with CARP providing HA.
This is actually all just for my home, and I think any SO/HO ought to do these things as a minimum. For a larger network, maybe also a honeypot to alert to possible internal infections, unauthorised scanning, or emerging threats from outside. Actively scan workstations for unpatched vulnerabilities, and sniff software user-agent versions from HTTP/SMTP headers. If WLAN access is needed, maybe require a VPN connection (I don't trust WPA2/802.1X), thus allowing secure off-site login via exactly the same method, even from open or untrusted networks (e.g. an employee's home, public WLAN, or a rogue access point on-site pretending to be your company's).
Steven C.

SOHO application. Static Internet-routable IP addresses obtained over VPN, so the local connection is DHCP (saves a ton of $$$ over static IPs from the Internet provider!). Colo box at another, nicer, ISP has Linux, iptables, OpenVPN. SOHO site has matching OpenVPN and iptables setup. DSL bridge goes to Cisco WAP running WPA2 and NAT for local mobile devices (iPads, laptops, BlackBerrys, etc.). This WAP is on the DHCPed Internet connection. Linux OpenVPN box goes to DMZ with static NAT for servers, etc. and masquerading NAT for the choke firewall in front of the LAN. Snort IDS does complete packet logging to multi-TB RAID -- good for several days' worth of traffic. IDS has taps on WILD, DMZ, and LAN. Plan to install a tap on the Cisco WAP as well soon. LAN has a second Cisco WAP, but machines must have a recognizable MAC address to obtain a dedicated DHCP address, and only those addresses will pass the firewall to the LAN. All servers also have a host firewall, as do MAC-authenticated laptops. How does one secure iPads and BlackBerrys?
Moriah

We don't play around. It's got to have deep packet inspection with strict rules. Once you start the argument of USABILITY over security, you have opened the door to the "bad boys", and in almost every case it's been something stupid that was overlooked or due to staffing (again, people don't take security seriously until their ass is on fire).

My philosophy is that every transaction should have its own rule. You don't want traffic passing wholesale with loose rules.

Loose Rules Sink Networks.
Moriah
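The gateway Steven C. describes (only the local DNS and SMTP services reachable, no traffic between VLANs, HTTP forced through a transparent proxy, everything else dropped) and Moriah's rule that nothing should pass wholesale both come down to rule ordering and the absence of broad allows. As an added example, and not either commenter's actual configuration, the Python below models such a first-match policy with constructed addressing (workstation VLAN 192.168.10.0/24, guest/WLAN VLAN 192.168.20.0/24, and the gateway 192.168.10.1 as the only permitted DNS and SMTP server), so the intended decisions can be checked before the real iptables rules are written. The "redirect" action stands in for the proxy redirect; `loose_rules` reports any accept rule wide enough to let traffic through wholesale.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed addressing (an assumption, not the commenter's real network).
LAN = "192.168.10.0/24"       # workstation VLAN
GUEST = "192.168.20.0/24"     # guest / WLAN VLAN, treated as untrusted
GATEWAY = "192.168.10.1/32"   # Debian gateway: the only allowed DNS and SMTP server
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "accept", "drop", or "redirect" (to the transparent proxy)
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None   # None matches any protocol
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, flow):
        return (ipaddress.ip_address(flow["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(flow["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in (None, flow["proto"])
                and self.dport in (None, flow["dport"]))


# First-match policy: local services first, then the explicit refusals, then the
# narrow allows, and a catch-all drop so nothing passes by omission.
POLICY = [
    Rule("lan-dns-local", "accept", LAN, GATEWAY, "udp", 53),
    Rule("lan-smtp-local", "accept", LAN, GATEWAY, "tcp", 25),
    Rule("guest-dns-local", "accept", GUEST, GATEWAY, "udp", 53),
    Rule("no-external-dns", "drop", ANY, ANY, "udp", 53),    # must use the local resolver
    Rule("no-direct-smtp", "drop", ANY, ANY, "tcp", 25),     # must use the local relay
    Rule("lan-to-guest", "drop", LAN, GUEST),                # VLANs do not talk to each other
    Rule("guest-to-lan", "drop", GUEST, LAN),
    Rule("lan-http-proxy", "redirect", LAN, ANY, "tcp", 80),  # logged transparent proxy
    Rule("guest-http-proxy", "redirect", GUEST, ANY, "tcp", 80),
    Rule("lan-https", "accept", LAN, ANY, "tcp", 443),
    Rule("default-deny", "drop"),
]


def flow(src, dst, proto, dport):
    """A connection attempt as the policy sees it."""
    return {"src": src, "dst": dst, "proto": proto, "dport": dport}


def decide(rules, f):
    """Return (action, rule name) from the first rule that matches the flow."""
    for rule in rules:
        if rule.matches(f):
            return rule.action, rule.name
    raise ValueError("ruleset has no catch-all rule")


def loose_rules(rules):
    """Names of accept rules that pass traffic wholesale: any source, any
    destination, and no protocol or no port restriction."""
    return [r.name for r in rules
            if r.action == "accept" and r.src == ANY and r.dst == ANY
            and (r.proto is None or r.dport is None)]


if __name__ == "__main__":
    for f in (flow("192.168.10.5", "192.168.10.1", "udp", 53),
              flow("192.168.10.5", "203.0.113.53", "udp", 53),
              flow("192.168.20.7", "192.168.10.5", "tcp", 445),
              flow("192.168.10.5", "203.0.113.10", "tcp", 80)):
        print(f, "->", decide(POLICY, f))
    print("loose rules:", loose_rules(POLICY + [Rule("temp-allow-all", "accept")]))
```

Keeping the model and the live ruleset in step means every "temporary" allow someone adds has to survive `loose_rules` and the expected-decision checks, which is the practical form of "Loose Rules Sink Networks".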
I use Injoy Firewall on a non-mainstream OS. I also agree with PacketScan; I have everything in and out disallowed by default with strict rules. If the FW falls over, then the default is that nothing is allowed in or out. It has only happened once in several years, but I always set things up as if the worst possible intrusion WILL happen.
IBManners

Use a firewall for (1) preventing unauthorized machines from hosting Internet-facing services, (2) preventing unauthorized services on Internet-facing machines, and (3) blocking Windows LAN protocols from reaching the Internet. Notice that (1) and (2) are really for controlling employees rather than anything else.
IBManners
I use the application FW built into GFI's Vipre; in addition to that I run an Untangle FW with DPI attached to the gateway. I block inbound connections as a default and only allow outbound connections that I have approved. Every three months I reset all settings to default on the application FW and start from scratch... it is a PITA but necessary.
Big "E"

How valuable is a firewall? It seems like all malware these days communicates via port 80 or another critical port that can't be denied at the FW. If home users can't afford an IPS or lack the technical knowledge what are they to do?
Jouser

On my personal laptop I use ZoneAlarm Extreme Security by Check Point. I worked on the CP FWs for many years, from ver. 4.0 up to 7.1, and have great regard for CP products.
It works as FW, AV, parental controls and some other functions, if you like and purchase them (HD crypto ...).
On my laptop platform, Win7 Pro 64-bit, MS Security Essentials was also the built-in AV.
On corporate infrastructure we used Check Point, at different levels.
Jouser
