
SECURITY & FIREWALL

Security & Firewall

CHAPTER 4
SECURITY & FIREWALL
CONTENTS
VARIOUS METHODS OF SOCIAL ENGINEERING

SITUATIONS TO WATCH OUT FOR

WAYS THAT INFORMATION CAN BE GLEANED FROM EMPLOYEES.

VARIOUS WAYS TO SECURE THE USER'S COMPUTER AND NETWORK ACCESS

ENFORCED POLICIES

ENCRYPTION AND AUTHENTICATION

FIREWALLS.

INCIDENT RESPONSE PLAN

DEAL WITH AN INCIDENT WHEN IT HAPPENS

TEST THE PLAN BEFORE AN ACTUAL INCIDENT OCCURS.

BRBRAITT, Jabalpur

Ch.4/1


CHAPTER 4
SECURITY & FIREWALL
OBJECTIVES
After completing this module you will know:

various methods of social engineering

situations to watch out for

how to reduce the number of ways that information can be gleaned from employees

various ways to secure the user's computer and network access

enforced policies, encryption and authentication, and properly configured and installed firewalls

how to formulate an incident response plan

how to deal with an incident when it happens

how to test the plan before an actual incident occurs.

In a world where security has become an enormous factor and network administration
must cover everything from desktop support to business continuity planning, the scope of
IT duties has widened while budgets have narrowed.
This lesson covers several different aspects of security to help you keep your network
safe by spotting potential risks in the user environment before an incident happens, and
it shows you how to handle a security problem should one occur. The lesson also helps
you evaluate your disaster recovery plan. It guides you through social engineering, safe
telecommuting, and the pitfalls of wireless LANs, and then takes you through incident
response and disaster recovery.

SOCIAL ENGINEERING
You see new articles about network security and vulnerabilities in software and hardware
every day. This visibility has caused security to become a priority in most companies.
Efforts to make sure the network is secure generally focus on how to implement hardware
and software such as intrusion detection, Web filtering, spam elimination, and patch
installation.
One of the biggest threats, of which we as security professionals are often unaware and
which we cannot control, is social engineering. Very little attention is paid to the
person-machine interaction. This lesson focuses on some of the methods of social
engineering that are commonly used to obtain information that can enable an intruder to
penetrate the best hardware and software network defenses.
Social engineering is a method of obtaining sensitive information about an office through
exploitation of human nature. It's an attempt to influence a person into revealing
information, or acting in a manner that would disclose information, that normally would
not be provided. It's based on the trusting side of human nature and people's desire to be
helpful. Social engineering is hard to detect because you have very little influence over
the lack of common sense or ignorance on the part of employees. Business environments
are fast paced and service oriented. Human nature is trusting and often naive.
Before we get into the methods of social engineering, let's look at the planning of an
attack. An intruder seldom decides to infiltrate an office randomly. The attack is usually
very methodical.
A social engineering attack is very similar to the way intelligence agencies penetrate their
targets:

Gather intelligence.

Select a specific vulnerable area as the entry point.

Execute the attack.

In the intelligence-gathering phase, the attacker can find readily available information
through the following:

Dumpster diving

Web pages

Ex-employees

Vendors

Contractors

Strategic partners

This information is the foundation for the next phase, in which the intruder looks for
weaknesses in the organization's personnel. Some of the most common targets are people
who work in the following areas:

Help desk

Tech support

Reception

Administrative support

These employees are most likely to be affected by an intimidation type of attack
(discussed later), simply because they handle a large volume of calls and they're trained
to deliver good customer service.
The last phase is the attack, also commonly known as the con. There are three broad
categories of attacks:

Ego attacks

Sympathy attacks

Intimidation attacks

These attacks are discussed in further detail a little later in this lesson.


ATTACK ON THE PHYSICAL LEVEL


There are two levels at which social engineering occurs: the physical level and the
psychological level. Let's first look at the physical level, which is looking for information
in ways other than direct contact with the office or anyone in the office. We'll start with
dumpster diving.
Dumpster diving
As humans, we naturally seek the path of least resistance. Instead of shredding
documents or walking them to the recycle bin, we often throw them in the nearest waste
basket. Equipment sometimes is put in the garbage. Intruders know this, so they often
don't even have to contact anyone in the office in order to extract sensitive information --
they can find it all in the office's dumpsters. This is known as dumpster diving. Again,
this is the path of least resistance -- no phone calls, no visits, simply look through the
garbage.
Anyone looking to extort money from the office or to steal identities could have easily
made hundreds of thousands of rupees from the information they could have gleaned in
those dumpsters. They would have had access to Social Security numbers, addresses, and
a wealth of personal and financial information. This incredible security breach not only
jeopardized the clients, but upon release of the story in the newspapers, the office's stock
plummeted and lawsuits ensued.
In any office, the potential for this type of information access is huge. What happens
when an employee is leaving the office? He cleans out his desk. Depending on how long
the employee has been there, what ends up in the garbage could be a goldmine for an
intruder. Other potential sources of information that are commonly thrown in the garbage
include

Old office directories

Old QA or testing analysis

Employee manuals

Training manuals

Hard drives

Floppy disks

CDs

Printed e-mails

TIP
All these items should be disposed of properly. You should formulate a policy on
destruction of data. The safest policy is to physically destroy the media and the
information stored on it. Destruction is the only safe method of completely removing all
traces of information stored on a removable media device. All paper-generated
information should be shredded and/or taken away by a bonded destruction office.



Web pages
The Web pages of an office are a great place to find out information about the office and
its organizational structure. Many companies also include the biographies of top
executives. This information can be used to impersonate that person or someone who is an
associate of the executive.
For example, you could call an office and ask the receptionist for Manohar. She tells you
that Manohar is out of the office until Monday. You ask who is in charge until he returns.
You are told Mary. You leave a message for Mary, requesting information that she would
have access to, saying you're working with Manohar and he said she could fax or e-mail
the information you need while he's out of the office.
Additional methods of trickery
Another form of getting information is for an intruder to get employees to enter a contest.
Say, for example, that you got an old office directory through dumpster diving. You
could then send a contest letter to all employees asking them to register online at your
Web site. Because many users use the same password for various accounts, it's likely that
you would get some network passwords from the employees who register for the contest.
E-mail social engineering is done by tricking someone into believing that the e-mail is a
legitimate request. Social engineering involves knowing the target, and this includes
knowing the e-mail addresses of your target. For instance, the I LOVE YOU virus used a
social engineering technique. This virus created so much damage because it used an
emotion-triggering subject, I LOVE YOU.
WARNING
E-mail social engineering is a much more direct means of gaining access to a system
because attachments can launch worms, viruses, and back doors.
Ex-employees are a great source of information on the inner workings of an office,
especially if they left the office under unhappy conditions. Vendors, contractors, and
strategic partners are another fantastic source of information. It's easier to impersonate
someone from another office than it is to impersonate an employee.

ATTACK ON THE PSYCHOLOGICAL LEVEL


These categories of attacks -- ego, sympathy, and intimidation -- are all on the
psychological level of social engineering. This means that the intruder appeals to the
employee through the use of emotion.
Let's examine each of these attacks.
Ego attacks
An ego attack is perhaps one of the favorite types of social engineering attacks, simply
because, as network administrators, we all know we have big egos. The attacker
appeals to the vanity, or ego, of the victim. The victim wants to prove how smart or
knowledgeable he is and unthinkingly provides sensitive information. We're all anxious
to show how much more we know than the next person or how much better our
equipment is than theirs. The perfect scenario for this type of engineering is a user group



meeting held after work. You know of several groups that meet once a month or so after
work in some of the local clubs. Mix egos and guess what happens?
It's amazing what employees will reveal without a whole lot of coaxing. How many of
the employees are unwittingly revealing information in social settings without realizing
who they are talking to?
This can happen in any type of social setting. For example, suppose you attend a birthday
party for a friend. Some of the other attendees are also in the field and the topic of
conversation turns to servers. Everyone is comparing equipment. You'll know what
operating systems are running, what kind of equipment is running on each, and what
issues each one is having.
Talking about our jobs and comparing problems are simply part of human nature, and ego
attack victims never realize what has happened, but the information extracted can be
extremely dangerous in the wrong hands.
Ego attackers also target those they sense are frustrated with their current job position.
Unhappy employees are very likely to reveal information with little prodding because
they feel mistreated.
Attackers also have been known to pretend to be law enforcement officials, and their
victims feel obliged and sometimes even honored to help them by providing information.
Sympathy or intimidation attacks
The following are all examples of social engineering that either use intimidation or prey
on sympathy:

You receive a call from someone saying he's a General Manager. He states that
he's in real trouble. He's attempting to do a presentation for Microsoft and has
forgotten his password; therefore he can't log into the Web site to do the
presentation. He just changed it yesterday and can't remember what it is. He needs
to have it right away because he has a room full of clients waiting and he's
starting to look incompetent. This is an extremely important client that could
mean millions of dollars in revenue for the office.

Someone you have never seen before approaches you as you're entering a secured
building. She has her hands full carrying coffee and doughnuts. She smiles
sweetly and says she has her ID badge in her pocket, but just doesn't seem to have
an extra hand to swipe the card and still carry all she has. She asks that you please
hold the door for her.

You receive a call from the corporate office saying that a new mail server is being
put into place and there's an immediate need to verify current user accounts and
passwords. You are told that it's not safe to send this information via e-mail, and
are asked to please print it off and fax it directly to a number given to you. You're
told that the number is a direct line for the person putting the new server into
place.



These attacks are very successful because our business needs change daily and we live in
a fast-paced world. This type of attack plays on the empathy and sympathy of the victim,
and an attacker can shop around until he finds someone who will help.
Here are some social-engineering approaches an intruder can use to get information:

Pretends to be a fellow employee or a new hire, contractor, or a vendor.

Insists there's some urgency to complete some task or obtain some information.

Needs assistance or he will be in trouble or lose his job.

Pretends to be someone influential, an authority figure, or, in some cases, a law enforcement official, and uses that authority to coerce the victim into cooperation.

If met with resistance, uses intimidation and threats such as job sanctions or criminal charges.

If pretending to be a law enforcement officer, claims the investigation is hush-hush and not to be discussed with anyone else.

WARNING
Employees can exploit social engineering just as well as outsiders. Keep in mind that
more damage is done to a network by disgruntled employees than by outsiders.
You'll learn how to recognize a social engineering situation shortly. Here's a scenario that
actually happened:
A user came to a network administrator with his laptop and requested that it be joined to
the domain. The administrator logged the user off the laptop, logged in as himself, and
joined the laptop to the domain. So, what's wrong with that? The user had keystroke
logging software installed on the laptop. He proceeded to go back to his work area, read
the log file, log in as the administrator, browse to the main server, and copy the SAM
(Security Accounts Manager) to a file. (For those of you unfamiliar with the SAM, it
holds user account information that includes usernames and passwords.) He took the file
home and that evening ran L0phtCrack, which is password-cracking software, on the file.
The next day, he had the logins and passwords for every user in the office. He
periodically logged in as other users and accessed information he should not have. As
time went by, he got bolder, logging in as the administrator and shutting down services,
causing problems on the network. Eventually, his bragging got him into a bind and he
was dismissed for his actions. The best way to avoid this type of situation is to never join
a machine to the domain from a user's machine. The account should be created at the
server console instead.
Learn to recognize a social engineering situation
Well, now that you know about the methods of social engineering, it's time to look at
how to spot a potential situation. To keep from becoming a victim, you should know how
to recognize an intruder. You can be neither suspicious nor trusting of everyone, so where
do you draw the fine line?



Remember the Manohar scenario from earlier in this lesson? If the office had a policy
requiring employees to obtain contact information when a call comes in for an
out-of-the-office employee, one sign to look for would be refusal to leave contact
information. In this example, the receptionist simply states that Mr. Manohar is out of the
office, and then asks for your name, a number at which you can be reached, and what the
call is in regard to, so that your call may be properly returned. If you're an intruder, would
you leave this information? Not likely. If you're a persistent intruder, you may press the
receptionist for information such as when Mr. Manohar will return and who is in charge
in his absence, and act irate. This type of behavior is also a concern. The caller is
deliberately avoiding giving out information about himself while trying to push the
receptionist into giving out more information about the employee.
What about someone who is rushing or is in a big hurry? We are all busy people; you're
in as big hurry as the next person. Look out for someone who tries to breeze by you as
you're entering a secure building. She may strike up a conversation, and then say she's
late for a big meeting and doesn't have time to be fishing for her ID badge, so she'll just
come in with you. If you allow this, you may be admitting an intruder into the building. A
genuine employee understands the security issue and finds her ID badge for admittance.
Name-dropping is often used to impress the people you are conversing with. Many folks
like to drop names -- it makes them feel more important. In social situations like the ones
described earlier, many a conversation begins with, "The other day I was talking to
so-and-so." If the speaker is talking about someone in your office, you get the feeling that
he knows something about what is going on in your office and that you might trust him.
Instead of proceeding to discuss the office, which is what the intruder wants, you may
want to ask him questions such as how he knows so-and-so, to get a feel for whether
the person is being truthful or not. Of course, if he starts acting uneasy at the questions
you're asking, you know that he's a potential intruder.
Intimidation is one of the best ways to get information out of people, especially from
people who tend to be timid by nature. Employees should be able to address intimidation
situations without fear of punishment for not giving excellent customer service if they ask
additional questions or for more information.
Odd questions or asking for classified information can also be a dead giveaway that
someone is fishing for attack information. In the situation where the General Manager
needed a password, the approach should be to treat the caller as a potential intruder and
not as a General Manager.
Good practices can neutralize many of these social engineering situations. We'll discuss
these practices next.
Promote practices that prevent attacks
The impact of social engineering and the ease of an attack are usually high. Technical,
operational, and environmental controls individually will not prevent attacks. You need a
combination of all three along with user awareness training. Here's a list of items that can
be useful in preventing social engineering attacks:

All employees should have a security mind-set and be able to question situations
that do not seem right.


Cleaning crews should search the wastebaskets for sensitive information and turn it over to management.

Policies need to be in place for data destruction, including paper, hard drives, CDs, disks, and so on.

Implement self-service password management to address weaknesses with help desk and password administration.

Employees should have continued training in security awareness.

Require all guests to sign in, wear a guest badge, and be escorted within the office.

Have shredders located in convenient areas or hire a reputable office to pick up and shred documents.

Extra security training in the area of social engineering and office security policies should be provided for security guards, receptionists, and help desk employees.

Put policies in place for how to handle situations where an unknown person tries to slip in with a legitimate employee (called tailgating). Be sure that all employees know the policy and enforce it.

Instruct employees on what can and cannot be discussed in social settings outside of work.

Encrypt information on desktops, laptops, and PDAs.

Have policies regarding e-mail and voice mail notifications for employees on vacation or out of the building for a period of time.

Have incident response teams to lessen the damage if a breach occurs.

Apply technology where possible, such as biometrics or electronic security badges.

Test your defenses periodically.

This by no means covers everything or all situations. The important factors to remember
are that there must be policies in place and that all employees must be aware of these
policies. Training must start as soon as the job begins. Employees should know they play
a part in the security of the office and that their jobs depend on their vigilance.
You're faced with customer service and courtesy issues every day. Technology cannot
control these situations. We all must rely on each other to use our best judgment when
revealing information about our office and ourselves. Remember, the best defense is a
good set of policies, proper education, and continued awareness training.

SECURE COMPUTER AND NETWORK


We have seen the ways in which an intruder can use social engineering to attack a
network. Here, you'll see how an intruder can use a telecommuter's computer to attack
your network and how you can make that computer more secure.



Many IT professionals work from home at least part of the time. All of this makes for a
flexible work environment. That flexibility can also cause the IT professional a huge
headache, because you have no control over what goes on in the confines of an
employee's home. Consider what happened to one network administrator. There were
strange incidents happening on the network. A cracker had accessed the network and was
wreaking havoc. No matter what this administrator did to change and tighten security,
the cracker always got back in. Eventually it was discovered that the cracker was getting
into the network through the administrator's home machine, which was always left on and
connected to the Internet.
With information security, you cannot allow even the top leaders to sidestep or ignore
policy. An employee cannot be allowed to work at home until the home machine is
secured. This should be part of the security policy, and all employees should have signed a
statement to that effect when they were hired. Should you find yourself in this situation, it
must be passed to the next level of management or to someone who manages security.

UNDERSTAND THE HOME ENVIRONMENT


What happens when employees are allowed to work from home? They're given an office
machine or allowed to use their own, IT sets them up to access the network, and then we
forget about them.
Let's consider a few factors about telecommuting employees. After all, they're doing
office work. Most of them have children or spouses who use the same computer that they
use to access the work environment. Employees who have more than one computer
usually set up a home network. Those who care about their home aesthetics or don't want
to pull wire set up wireless networks at home.
Here are a few scenarios, each of which poses a threat to the work environment:
An office engineer has a daughter and a son who each have a laptop. The engineer
purchases a wireless router and hooks up all the machines -- including the work machine
-- so that all the machines can use the high-speed Internet connection.
One of the reasons that wireless is so popular with home users is that you can just plug it
in and have it start working. In this scenario, then, there's little probability that the
engineer enabled WEP (Wired Equivalent Privacy) on the laptops, so the computers are
left vulnerable because the information is sent in clear text.
An employee's home workstation is running Windows 98. (In all operating systems prior
to Windows NT, all passwords are stored in the .pwl file.) The Internet connection is
always on, because the children want Internet access on that computer, especially in the
summer when school's out. The virus software is disabled because it interferes with the
children's favorite game.
In this situation, the always-on connection leaves the machine open to attack. The .pwl
file can easily be accessed for a list of passwords, and disabling the virus software leaves
the machine unguarded against viruses.
You've installed keystroke-logging software to track where your children have been on
the Internet, because many times they use your computer unsupervised. This software
runs constantly.



You've made it extremely easy for a cracker to get your password to the network, because
all he has to do is read the log file. This is a giveaway -- he has no work to do because
you've done it for him. Keystroke logging software should not be used on a machine that
has been supplied by the employer unless the employer installed it and is aware that
it's on the machine.
You are constantly having issues with your computer because you let your children use it.
What do you think the chances are that someone has already penetrated the network
where you work and is slowly stealing information or planting malicious software?
Establish effective policies
Every office should have policies in place to protect the network from attacks via home
users. These might include the following:

Requiring the employee to notify IT immediately if he changes his home connection from dial-up to high speed, so that policies and procedures can be addressed.

Not permitting an office-owned PC to be used for other purposes or by unauthorized individuals.

Not allowing virus protection software to be disabled, and requiring that it be updated regularly.

Requiring immediate disconnection from the network and immediate support contact in the event that the machine contracts a virus.

Requiring the use of a firewall, and not permitting it to be disabled.

Requiring that the machine be either disconnected from the network and the Internet or turned off completely when the employee finishes working for the day.

Mandating that a boot disk be handy in the event a virus renders the machine unusable.

Requiring that data be backed up if the employee is storing office information on a home computer.

Requiring that the operating system and all applications on the machine be kept up to date.

TIP
Post information about patches and updates, whether the IT department supplies them or
the employee is expected to acquire them on his own. Posting leaves no excuse for an
employee failing to comply.

Requiring strong passwords.

Requiring that non work-related shares be turned off.

Mandating that auditing be turned on (if the operating system allows).



Although it may seem like a lot of work, it's worth your while to periodically send
questionnaires to all employees working from home who are using office computers. The
main information you want from the employees is:

The operating system and version

All applications installed and their versions

The type of Internet connection

The location of the emergency boot disk

How many other machines are using the Internet connection

Any hardware changes

Then compare the current responses with the condition in which the machine left the
office. If this is done on a regular basis, you will soon be able to tell who is using the
computer strictly for work purposes and who is not. Often, what you'll find is that
children use the computer to play games and download music files. These require the
installation of additional programs. They also take up disk space and may require better
video cards as well as extra memory.
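The comparison of questionnaire responses against the condition in which the machine left the office, as an added example that is not part of this lesson: it takes constructed baseline and current records for one telecommuter's office laptop and flags the changes the lesson lists (new applications, connection type, boot disk, other machines on the connection, hardware), marking the ones that map directly to the home-user policies above. The record fields, sample values and the policy/info split are assumptions.

```python
# Added example (not part of the original lesson): compare a telecommuter's
# questionnaire answers against the baseline recorded when the office PC was
# issued, and flag the differences the lesson says to look for.
# All records below are constructed sample data.

from dataclasses import dataclass, field


@dataclass
class MachineRecord:
    """One questionnaire response (or the baseline taken when the PC was issued)."""
    os_name: str
    os_version: str
    applications: dict          # application name -> version
    connection: str             # e.g. "dial-up", "cable", "DSL"
    boot_disk_location: str     # "" when the employee could not say where it is
    shared_machines: int        # other machines using the same Internet connection
    hardware: set = field(default_factory=set)


# Baseline recorded by IT when the laptop left the office (constructed).
BASELINE = MachineRecord(
    os_name="Windows", os_version="2000 SP4",
    applications={"Office": "2000", "Antivirus": "7.1", "VPN client": "1.2"},
    connection="dial-up", boot_disk_location="laptop bag",
    shared_machines=0, hardware={"56k modem"},
)

# Response the employee returned six months later (constructed).
CURRENT = MachineRecord(
    os_name="Windows", os_version="2000 SP4",
    applications={"Office": "2000", "Antivirus": "7.1", "VPN client": "1.2",
                  "MusicShare": "3.0", "RaceGame": "2.5"},
    connection="cable", boot_disk_location="",
    shared_machines=2, hardware={"56k modem", "wireless card", "256MB RAM"},
)


def compare_records(baseline: MachineRecord, current: MachineRecord) -> list:
    """Return a list of (severity, finding) tuples.

    severity is "policy" when the finding maps directly to one of the lesson's
    home-user policies (connection change, missing boot disk, unauthorized use
    or software) and "info" for changes that merely need a second look.
    """
    findings = []
    if (baseline.os_name, baseline.os_version) != (current.os_name, current.os_version):
        findings.append(("info", f"OS changed: {baseline.os_name} {baseline.os_version}"
                                 f" -> {current.os_name} {current.os_version}"))
    for app, ver in sorted(current.applications.items()):
        if app not in baseline.applications:
            findings.append(("policy", f"unauthorized application installed: {app} {ver}"))
        elif baseline.applications[app] != ver:
            findings.append(("info", f"{app} version changed: "
                                     f"{baseline.applications[app]} -> {ver}"))
    for app in sorted(set(baseline.applications) - set(current.applications)):
        findings.append(("policy", f"required application missing: {app}"))
    if baseline.connection != current.connection:
        findings.append(("policy", f"Internet connection changed: "
                                   f"{baseline.connection} -> {current.connection}"))
    if not current.boot_disk_location:
        findings.append(("policy", "emergency boot disk location unknown"))
    if current.shared_machines > baseline.shared_machines:
        findings.append(("policy", f"{current.shared_machines} other machine(s) "
                                   "now share the connection"))
    for item in sorted(current.hardware - baseline.hardware):
        findings.append(("info", f"hardware added: {item}"))
    return findings


def needs_follow_up(findings: list) -> bool:
    """True when at least one finding is a direct policy breach."""
    return any(severity == "policy" for severity, _ in findings)


if __name__ == "__main__":
    for severity, text in compare_records(BASELINE, CURRENT):
        print(f"[{severity}] {text}")
```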
With policies in place, let's see how machines can be set up to securely connect to the
work environment from home.

SECURE HOME MACHINES


As you learned in the previous section, you really have very little control over the home
user. Even with good policies in place, there's no guarantee that telecommuters will
follow them. What you can control is how the telecommuters connect to your network,
and that's what we'll discuss now.
When you allow telecommuters to access your network, they usually do so by first
connecting to the Internet and then connecting to the network. A VPN (Virtual Private
Network) is a network connection that permits access via a secure tunnel created through
an Internet connection. Using an Internet-based VPN connection is very popular for
several reasons:

Users in an organization can dial a local Internet access number and connect to the corporate network for the cost of a local phone call.

Administrative overhead is reduced with a VPN because the ISP (Internet Service Provider) is responsible for maintaining the connectivity once the user is connected to the Internet.

There are various security advantages to using a VPN, including encryption, encapsulation, and authentication.

For users who travel, a local access number usually is available. If possible, you should
provide this information to employees who travel -- it saves phone calls to the help desk
and enables them to test the numbers before they have to give presentations.
Figure 1 shows how a VPN works.

Figure 1: VPN remote access over the Internet.

Setting up the users' computers (clients) to connect to the server is a two-step process:

Establish an Internet connection. This can be dial-up or broadband.

Connect to the VPN server. This involves dialing another connection.

Once the client is set up, it can use the VPN. Here's how a client uses a VPN to access a
corporate LAN through the Internet:

The remote user dials into his local ISP and logs into the ISP's network.

The user initiates a tunnel request to the server on the corporate network. The
server authenticates the user and creates the other end of the tunnel.

The user then sends data through the tunnel, which is encrypted by the VPN
software before being sent over the ISP connection.

The server receives the encrypted data, decrypts it, and forwards it to the
destination on the corporate network. Any information sent back to the remote
user is encrypted before being sent over the Internet.

VPNs provide great opportunities for employee productivity while reducing long-distance
charges, and a good VPN guarantees privacy and encryption. But it is authentication that
ensures the integrity of the data.
We've discussed the situations that home users get themselves into and how easily
passwords can be breached on unsecured machines. In order for a VPN to provide the
level of security that's intended, a solid means of authentication must be established. This
brings us to two-factor authentication.
In two-factor authentication, a user must supply two forms of ID before she can access a
resource: one is something she knows, such as a password, and the other is something she
has or is. For example, you may be required to type a password and place your thumb on
a thumbprint scanner to properly identify yourself. Figure 2 illustrates this type of
authentication.

Figure 2: Two-factor authentication.




The most common form of this type of authentication is a smart card. The security in this
authentication is that both are needed for validation. If the card is stolen, or the PIN is
discovered, neither one of these alone can enable someone else to log on as the user.
Smart card readers are attached to a computer port and a digital certificate is downloaded
to activate the card. Smart card logon requires the user to insert the card and enter a PIN
in order to log on.
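An added example (not from this lesson) that simulates smart card logon as described above: the card checks the PIN on-card and only then answers the server's challenge, so a stolen card without the PIN, or a PIN without the card, cannot log on. It assumes a per-card secret with an HMAC challenge-response standing in for the certificate exchange a real card performs, and a three-try PIN retry counter of the kind real cards enforce; all keys, PINs and names are constructed.

```python
# Added example (not part of the original lesson): a simulation of smart card
# logon showing why the card (something you HAVE) and the PIN (something you
# KNOW) are both required. The card verifies the PIN on-card and only then
# answers a server challenge; the card key never leaves the card. The HMAC
# challenge-response stands in for a real card's certificate-based exchange.
# All keys, PINs and usernames below are constructed sample values.

import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100_000   # assumed work factor for the on-card PIN check
MAX_PIN_TRIES = 3         # assumed retry counter before the card blocks itself


class SmartCard:
    """Holds a per-card key and a PIN verifier; the key is never exported."""

    def __init__(self, card_id: str, card_key: bytes, pin: str):
        self.card_id = card_id
        self._card_key = card_key
        self._pin_salt = os.urandom(16)
        self._pin_hash = self._derive(pin, self._pin_salt)
        self._tries_left = MAX_PIN_TRIES
        self._unlocked = False

    @staticmethod
    def _derive(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)

    def verify_pin(self, pin: str) -> bool:
        """PIN check happens on-card; three failures block the card for good."""
        if self._tries_left == 0:
            return False                       # blocked: even the right PIN fails
        if hmac.compare_digest(self._derive(pin, self._pin_salt), self._pin_hash):
            self._tries_left = MAX_PIN_TRIES
            self._unlocked = True
            return True
        self._tries_left -= 1
        self._unlocked = False
        return False

    def sign_challenge(self, challenge: bytes) -> bytes:
        """Only a PIN-unlocked card will answer the server's challenge."""
        if not self._unlocked:
            raise PermissionError("card locked: verify PIN first")
        return hmac.new(self._card_key, challenge, hashlib.sha256).digest()


class LogonServer:
    """Knows each enrolled card's key, as the certificate side does in the lesson."""

    def __init__(self):
        self._registered = {}

    def enroll(self, card_id: str, card_key: bytes, username: str) -> None:
        self._registered[card_id] = (card_key, username)

    def new_challenge(self) -> bytes:
        return os.urandom(32)                  # fresh nonce defeats replay

    def verify(self, card_id: str, challenge: bytes, response: bytes):
        """Return the username on a valid response, None otherwise."""
        if card_id not in self._registered:
            return None
        card_key, username = self._registered[card_id]
        expected = hmac.new(card_key, challenge, hashlib.sha256).digest()
        return username if hmac.compare_digest(expected, response) else None


def smart_card_logon(server: LogonServer, card: SmartCard, pin: str):
    """The two-factor flow: insert card, enter PIN, answer the challenge."""
    if not card.verify_pin(pin):
        return None
    challenge = server.new_challenge()
    return server.verify(card.card_id, challenge, card.sign_challenge(challenge))


def demo() -> dict:
    """Runs the three cases from the lesson; only card plus correct PIN succeeds."""
    server = LogonServer()
    key = os.urandom(32)                       # provisioned at enrollment
    card = SmartCard("card-0001", key, "4821")
    server.enroll("card-0001", key, "asha")
    results = {"card_and_pin": smart_card_logon(server, card, "4821")}
    # Stolen card, PIN unknown: three guesses block the card, so even the
    # correct PIN fails afterwards.
    results["stolen_card_wrong_pins"] = [
        smart_card_logon(server, card, guess) for guess in ("0000", "1234", "1111", "4821")
    ]
    # PIN known but no card: nothing can produce a valid response.
    results["pin_without_card"] = server.verify("card-0001", server.new_challenge(),
                                                b"\x00" * 32)
    return results


if __name__ == "__main__":
    print(demo())
```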
Understand tunneling
The purpose of a VPN is to secure your network communications. There are two broad
categories of tunneling:

Voluntary

Compulsory

In voluntary tunneling, the situation is as described earlier and shown in Figure 1. The
cable modem dials the ISP, and the user is then connected to the VPN server via the
Internet.
In compulsory tunneling, the tunnel is set up between two VPN servers that act as routers
for network traffic. This type of tunnel is most useful for connecting a remote office with
its own network to a central office. As an organization grows, for example, it may let
employees run small offices out of their homes and hire several people to work for them,
or a contractor may work out of an office that is shared by other contractors. Figure 3
shows an example of this type of tunneling.

Figure 3: Compulsory tunneling.


This type of server would be placed in a larger office but remote users and traveling
employees could create a connection with a local or corporate VPN server instead of
connecting to an ISP first, thus eliminating the need to supply traveling employees with a
list of local numbers for the ISP.
WARNING
Tunneling should not be used as a substitute for encryption. The strongest level of
encryption possible needs to be used within the VPN.
Let's take a look at personal firewalls that can be installed to help detect intrusions in
home computers.



Examine personal firewalls
The potential for crackers to access data through the telecommuter's machine has grown
substantially, and threatens to infiltrate our networks. Cracker tools have become more
sophisticated and difficult to spot. Always-connected computers, typically with static IP
addresses, give attackers copious amounts of time to discover and exploit system
vulnerabilities. How can a user know when his system is being threatened?
You can help thwart attacks by making sure that all telecommuters have firewalls
installed on their systems. Firewalls come in two varieties: software and hardware. Like
most other solutions, each has strengths and weaknesses. By design, firewalls close off
systems to scanning and entry by blocking ports or non-trusted services and applications.
Software firewalls
Software firewalls are more flexible in that they enable the user to move from network to
network. Typically, the first time a program tries to access the Internet, a software
firewall asks whether it should permit the communication. You can opt to have the
firewall ask the user each time the program tries to get online. The prompts usually get so
annoying that most users end up making hasty decisions with little more information than
they originally had. Another danger is that firewall filtering can get too complicated for
the average user to fix easily, which makes users reluctant to deny permission to
anything. There should be help available to telecommuters to aid in configuring these
types of firewalls. It's one thing to say that telecommuters have firewalls, but quite
another to ensure that those firewalls are correctly configured.
Here's a list of the most commonly used software firewalls:

• McAfee.com Personal Firewall
• Norton Internet Security
• Sygate Personal Firewall
• ZoneAlarm
• BlackIce
• Tiny Personal Firewall

Hardware firewalls
Hardware firewalls provide an additional outer layer of defense that can more effectively
hide one or more connected PCs. There are inexpensive router appliances that move
traffic between the Internet and one or more machines on home networks; these simply
hide the IP addresses of PCs so that all outgoing traffic seems to come from the same
address. Recently, router manufacturers have been including actual firewalls that block
inappropriate inbound and outbound traffic, which makes these a much better choice.
In general, the average user will like the nature of hardware solutions because they
operate in the background without generating as many queries and alerts as software
firewalls. In addition, the physical installation is easy, but the normal home user won't
know how to configure the firewall should the default settings not be strong enough.



Remember that even a good firewall cannot protect the user if he does not think before he
downloads or does not exercise a proper level of caution. No system is foolproof, but the
right combination of hardware, software, and good habits can make your telecommuters'
computing environment safer.

INTRUSION DETECTION
We will see what actually happens when your network is invaded or damaged. We
develop and deploy hardware and software in such an extremely quick fashion to meet
the demand of business and home consumers that we don't always take the time to be
sure that these technologies are properly tested and secured. This puts our networks at
risk not only from the professional cracker but also from curious or disgruntled
employees.
Let's first look at intrusion detection and intrusion prevention systems that can help spot a
potential intrusion.
Examine intrusion detection systems
One of the best ways to catch an intruder before too much damage is done is through
IDSs (intrusion detection systems), which are designed to analyze data, identify attacks,
and respond to the intrusion. They're different from firewalls in that firewalls control the
information that gets in and out of the network, whereas IDSs can identify unauthorized
activity.
Intrusion-detection systems are also designed to catch attacks in progress within the
network, not just on the boundary between private and public networks. The two basic
types of IDSs are network based and host based. As the names suggest, network-based
IDSs look at the information exchanged between machines, and host-based IDSs look at
information that originates on the individual machines. Here are some specifics:

• Network-based IDSs monitor the packet flow and try to locate packets that may
have gotten through the firewall and are not allowed for one reason or another.
These systems have a complete picture of the network segment they are
configured to protect. They see entire network packets, including the header
information, so they're in a better position to distinguish network-borne attacks
than host-based IDS systems are. They are best at detecting DoS (Denial of
Service) attacks and unauthorized user access. Figure 4 details a network-based
IDS monitoring traffic to the network from the firewall.

Figure 4: Network-based IDS.

• Host-based IDSs (sometimes called HIDSs) monitor communications on a
host-by-host basis and monitor traffic coming into a specific host for signatures that
might indicate malicious intention. They also monitor logs to find indications that
intrusions or intrusion attempts are going on, and some of the HIDSs also
monitor system calls and intercept them. These types of IDSs are good at
detecting unauthorized file modifications and user activity.

Network-based IDSs try to locate packets not allowed on the network that the firewall
missed. Host-based IDSs collect and analyze data that originates on the local machine or
a computer hosting a service. Network-based IDSs tend to be more distributed.
Host-based and network-based approaches are complementary to each other because they
have different strengths and weaknesses. Many successful intrusion detection systems are
built using mixes of both, and ultimately, this is what network administrators should
consider for their own environments.
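The two host-based checks the text singles out, unauthorized file modification and log evidence of intrusion attempts, as an added example (not the chapter's own code): a SHA-256 baseline of monitored files is compared against the current contents, and an auth log is scanned for a source that fails to log in repeatedly within a short window. The file contents and log lines are constructed; the log format is assumed to be OpenSSH's syslog format, and the year is supplied because syslog timestamps omit it.

```python
"""Two minimal host-based IDS checks: file integrity and failed-login
scanning.  Added example, not from the chapter."""
import hashlib
import re
from collections import defaultdict
from datetime import datetime

# Constructed stand-in for files on disk: path -> contents.
BASELINE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication yes\n",
    "/usr/local/bin/backup.sh": b"#!/bin/sh\ntar czf /backup/home.tgz /home\n",
}

# Constructed "later" snapshot: one file changed, one file appeared.
CURRENT_FILES = dict(BASELINE_FILES)
CURRENT_FILES["/etc/ssh/sshd_config"] = b"PermitRootLogin yes\nPasswordAuthentication yes\n"
CURRENT_FILES["/etc/cron.d/new-job"] = b"* * * * * root /tmp/job.sh\n"


def build_baseline(files):
    """Record a SHA-256 digest for every monitored file."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def check_integrity(baseline, files):
    """Compare current contents against the baseline; return sorted alerts."""
    alerts = []
    for path, digest in baseline.items():
        if path not in files:
            alerts.append(("file-missing", path))
        elif hashlib.sha256(files[path]).hexdigest() != digest:
            alerts.append(("file-modified", path))
    for path in files:
        if path not in baseline:
            alerts.append(("file-added", path))
    return sorted(alerts)


# Assumed OpenSSH syslog line shape; only the fields we use are captured.
LOG_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Constructed auth-log lines.
SAMPLE_LOG = [
    "Mar 10 10:00:01 host1 sshd[2001]: Failed password for root from 203.0.113.5 port 51000 ssh2",
    "Mar 10 10:00:07 host1 sshd[2002]: Failed password for invalid user admin from 203.0.113.5 port 51002 ssh2",
    "Mar 10 10:00:15 host1 sshd[2003]: Failed password for root from 203.0.113.5 port 51004 ssh2",
    "Mar 10 10:01:30 host1 sshd[2004]: Accepted password for alice from 198.51.100.7 port 40000 ssh2",
    "Mar 10 10:20:00 host1 sshd[2005]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
]


def failed_login_sources(log_lines, threshold=3, window_seconds=60, year=2024):
    """Return sources with >= threshold failed logins inside any window."""
    times = defaultdict(list)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        times[m.group("src")].append(ts)
    flagged = set()
    for src, stamps in times.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_seconds:
                flagged.add(src)
                break
    return flagged


if __name__ == "__main__":
    print(check_integrity(build_baseline(BASELINE_FILES), CURRENT_FILES))
    print(failed_login_sources(SAMPLE_LOG))
```

The baseline must be taken on a known-good system and stored where the host cannot rewrite it; a baseline kept on the monitored machine is only as trustworthy as the machine itself.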
When an IDS alerts a network administrator of a successful or ongoing attack attempt, it's
important to have documented plans for incident response already in place. There are
several forms of response, including the following:


• Redirecting or misdirecting an attacker to secured segmented areas, allowing him
to assume that he has been successful. This serves two purposes: it prevents
access to secured resources and gives you time to trace or track the intruder.

• ICE (Intrusion Countermeasure Equipment) can be used to provide automatic
response in the event of intrusion detection. ICE agents have the capability to
automatically lock down a network or to increase access security to critical
resources in the event of an alert.

• After identification of an attack, forensic analysis of infected systems can detect
information about the identity of the attacker. This information may then be used
to direct the attention of the proper authorities.

• Later, analysis of successful intrusions should be used to harden systems against
additional attempts of the same nature. Planning should include access restrictions in
addition to making the network less desirable to potential attackers.
Explore intrusion prevention systems
IDSs alert IT system administrators to potential security breaches within the perimeter of
a network environment, which is a good start. The problem with them is that they're
passive and reactive. They scan for configuration weaknesses and detect attacks after
they occur. When an attack occurs, it's reported, and combinations of antivirus and
intrusion detection vendors develop a rapid solution to distribute, but by that time, the
attack has delivered its payload and paralyzed the network or several networks. In fact,
the damage is often already done by the time the IDS alerts you to the attack.
Intrusion prevention software differs from traditional intrusion detection products in that
it can actually prevent attacks rather than only detecting the occurrence of an attack. IPS
architectures serve as the next generation of network security software that is proactive.
Host-based IPS will become increasingly popular in the next few years, possibly pushing
host-based IDS out of the picture.
Intrusion prevention offers considerable advantages:

• It actually secures internal resources from attacks based inside the network by
restricting behavior of potentially malicious code, providing a record of attack,
and notifying enterprise security personnel when an attack is repelled.

• It defines appropriate behaviors and then enforces those behaviors on every
end-user desktop and network server across an enterprise. By looking at system and
application behavior and defining which actions are legitimate and which are
suspect, an IPS can stop an errant system action when it attempts to do something
that is not in the realm of expected behavior.

• Rules can be configured to control which type of actions applications can perform
on files and system resources. As an intelligent agent, these run by intercepting
system actions, checking rules, and then allowing or denying the action in
question based on those rules.

• Statistical logging data can be used to generate reports that indicate overall
network health. IT staff can monitor how current rule sets are working and adjust
them, if necessary.

For an intruder, the real value of your network lies in key machines such as database
servers and the information they contain. An intruder won't celebrate breaking through
your firewall if all it gets him is access to a couple of printers. The idea of intrusion
prevention is to ensure exactly that. By allowing only certain behaviors on critical hosts,
the technology leaves an intruder with little freedom to do anything malicious.
If you have a personal firewall such as Norton Personal Firewall or ZoneAlarm, you
may've already seen intrusion prevention in its simplest form. Recall from the above that
this type of software relies on rules and scanning to spot inappropriate activity. It uses
predefined attack signatures, and it also learns what behaviors you'll allow every time
you click yes or no when an application wants to do something.
WARNING
Sometimes the data that is collected by these systems is overwhelming. When you start
trying to do something with the intrusion detection data, you realize the magnitude of
deciphering or reading the data is well beyond the resources and time you want to put in
to make it effective.
Often, incidents happen even though you have firewalls and intrusion detection. So,
you've got ten thousand alarms going off, five of them are probably valid, two of them
you really need to do something about, but you don't have the time or the resources to
find what those five are and what the two really are. You end up doing nothing because
you don't know how to respond. Please do not let this happen. Make the time and
resources to use these tools effectively.
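One way to make the "ten thousand alarms" tractable, as an added example that is not from the chapter: collapse duplicate alerts, drop signatures the team has already reviewed as noise, and rank the remainder by severity weighted by how critical the targeted asset is. The alert feed, asset inventory and signature names are constructed; the severity and criticality scales are assumptions.

```python
"""Alert triage: reduce a flood of IDS alerts to the few worth acting on.
Added example, not from the chapter."""
from collections import Counter

# Constructed asset inventory: criticality 1 (least) .. 5 (most).
ASSET_CRITICALITY = {
    "10.0.0.10": 5,   # database server
    "10.0.0.20": 4,   # web server
    "10.0.0.99": 1,   # print server
}
DEFAULT_CRITICALITY = 2

# Signatures already reviewed and accepted as noise (assumed list).
KNOWN_BENIGN = {"ICMP echo request", "SNMP community mismatch"}
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def triage(alerts, top_n=5):
    """alerts: iterable of (signature, severity, src_ip, dst_ip).
    Returns [(score, count, signature, src_ip, dst_ip), ...] best first."""
    counts = Counter()
    for sig, sev, src, dst in alerts:
        if sig in KNOWN_BENIGN:
            continue
        counts[(sig, sev, src, dst)] += 1
    ranked = []
    for (sig, sev, src, dst), n in counts.items():
        score = SEVERITY[sev] * ASSET_CRITICALITY.get(dst, DEFAULT_CRITICALITY)
        ranked.append((score, n, sig, src, dst))
    ranked.sort(key=lambda r: (-r[0], -r[1], r[2]))
    return ranked[:top_n]


def constructed_alert_feed():
    """Constructed feed: mostly noise, with a few alerts that matter."""
    feed = [("ICMP echo request", "low", f"192.0.2.{i % 250 + 1}", "10.0.0.20")
            for i in range(9000)]
    feed += [("SNMP community mismatch", "low", "10.0.0.5", "10.0.0.99")] * 800
    feed += [("SQL injection attempt", "high", "198.51.100.23", "10.0.0.10")] * 120
    feed += [("Directory traversal attempt", "medium", "198.51.100.23", "10.0.0.20")] * 40
    feed += [("SSH brute force", "medium", "203.0.113.8", "10.0.0.99")] * 3
    return feed


if __name__ == "__main__":
    feed = constructed_alert_feed()
    print(len(feed), "raw alerts")
    for row in triage(feed):
        print(row)
```

Nearly ten thousand raw alerts collapse to three lines, and the one aimed at the database server sorts to the top; the benign list and the asset inventory are what turn "data" into a work queue, which is exactly the effort the warning above asks you to budget for.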
Preventing actual damage to your company's business functionality is critical to
protecting today's open networks. Intrusion prevention technology serves as a strategy for
those who desire proactive and preventive security measures in the face of attacks.
No incident response solution is complete without a proper plan, so let's tackle that next.

PLAN YOUR INCIDENT RESPONSE


Incident response refers to the actions an organization should take when it detects an
attack, whether ongoing or after the fact. It's similar in concept to a DRP (disaster
recovery plan) for responding to disasters. Incident response plans are needed so that you
can intelligently react to an intrusion. More importantly, there's the issue of legal liability.
You're potentially liable for damages caused by a cracker using your machine. You must
be able to prove to a court that you took reasonable measures to defend yourself from
crackers. Having an incident response plan definitely helps in this area. Unplanned
application and operating system outages have become commonplace. When an incident
occurs, the last thing you should do is panic, which, of course, is exactly what happens if
there is no plan in place or you have no idea where it is.
Don't overlook the effect an incident has on employees. The interruption to the workplace
not only causes confusion but also disrupts their schedules. Proper planning should be
beneficial to customers as well as employees.


The components of an Incidence Response Plan should include preparation, roles, rules,
and procedures.
Prepare
Although the preparation requirements may be different for each office, some of the
basics should include:

• A war room where the response team can assemble and strategize.
• A response team that will handle all facets of the incident.
• Contact information for the response team, vendors, and third-party providers.
• Change-control policies, which are useful especially when an application or
operating system needs to be rolled back.
• Software listing of the operating systems and applications being used so the scope
of the incident can be properly assessed.
• Monitoring tools to determine the health of the machines.

Assign roles
The incidence response team is responsible for containing the damage and getting the
systems back up and running properly. These steps include determination of the incident,
formal notification to the appropriate departments, and recovering essential network
resources. With this in mind, the team should comprise the following personnel:

• Technical operations: Security and IT personnel
• Internal communications support: Someone to handle management, employees,
and food for the response team (Yes, food is an important part of the response
process!)
• External communications support: Vendor, business partner, and press handling
• Applications development: Developers of in-house applications and interfaces

Create rules
Some basic rules should apply to the response team, which could include the following:

• The entire team is responsible for the success of the incident handling.
• No one on the team is allowed to leave until the incident is handled.
• Everyone works from the war room. This is the central command post and
investigation takes place here.

Lastly, procedures need to be put into place. Let's discuss those procedures now.
Plan the procedures
Incidents happen from time to time in most organizations, no matter how strict security
policies and procedures are. It's important to realize that proper incident handling is just
as vital as the planning stage, and its presence may make the difference between being
able to recover quickly and ruining business and customer relations. Customers need to
see that the company has enough expertise to deal with the problem.
Larger organizations should have an Incident Response Team. In the previous section, we
discussed the department members that should be assigned this task. Realize that this
team is not a full-time assignment; it's just a group of people who have obligations to act
in a responsible manner in case of an incident.
The basic premise of incident handling and response is that the company needs to have a
clear action plan on what procedures should take place when an incident happens. These
procedures should include:

• Conducting initial assessment: Identify the initially infected resources by getting
some preliminary information as to what kind of attack you are dealing with and
what potential damage exists.

• Initial communication: Notify key personnel, such as the security department and
the response team.

• Assemble the response team: Converge in the war room for duty assignment.
Decide who will be the lead for the incident.

• Initial containment of the incident: Diagnose the problem and identify potential
solutions. Set priorities and follow them closely. The incident response team has
to be clear about what to do, especially if the potential damage is high.

• Intrusion evaluation: Escalate the problem to additional teams if necessary. The key
is to understand what actually happened and how severe the attack was.

• Collect forensic evidence: Gather all of the information learned about the incident
up to this moment and store it in a secure location on secure media, in case it's
needed for potential legal action.

• Communicate the incident in public: Public communications may be subdivided
into several categories:

  - Law enforcement: An incident of large proportion or repetitive pattern should be
  relayed to municipal, provincial, or federal authorities.
  - Other companies: The incident may be reported to IT security companies for help
  or notification to other companies.
  - Customers: Customers should be notified as soon as there is something to be said.
  - News media: If the company is large enough, and the event is worthy of a news
  story, expect to be contacted by the media. There needs to be one person
  authorized to speak to the media. Incident handling personnel must be aware of
  this and direct all media queries to the appropriate team member.

• Restore service: Implement and test a solution. If it was an unknown attack or an
attack that is known to have ill effects on the system, it may be in the best
interests of the company to completely reinstall the system.

• Monitor: Be sure that recovery was successful.

• Prepare an incident report: Determine and document the incident cause and
solution. This report is an internal document that puts everything in perspective,
from the minute the incident was noticed until the minute the service was
restored.

• Calculate damage: The ultimate dollar figure should look beyond actual and
obvious losses associated with service outages and business interruptions to
include all costs resulting from the incident, such as legal fees, loss of proprietary
information, system downtime costs, labor costs, hardware/software costs,
consulting fees, bad reputation, and publicity.

• Summary and updates: Gather the entire security response team for a meeting and
review the process and timelines in detail, making any modifications that are
necessary to the plan.

• Periodic analysis: Check that the modifications made are appropriate.

This is a brief model and by no means is a complete plan. Every company must evaluate
its needs and plan accordingly. Once a plan is formulated, it must be tested, which brings
us to the last part of this lesson.
Test the plan
You formulate a plan, put it on a shelf, and when an incident happens, you realize there
are huge flaws in the plan. You forgot something or the person that you picked to do
internal communications support did an extremely poor job of handling his
responsibilities and left even though the rules for the team stated otherwise. The security
response team lead needs to be sure that every person onboard did the best they could and
performed the most appropriate action given the circumstances. This person also needs to
look at the situation to see if the overall strategy of the department is useful or where it
needs changing or fixing. The only way to do this before an actual incident is to test the
plan ahead of time.
The approach taken to test the plan depends on the strategies selected by the company.
Many times tests are conducted by what are called Tiger Teams. This can be an outside
group of consultants. The tests are often conducted without notification to the
departments involved in order to see how well the plan functions.
The following are key components of a testing plan:

• Define the test purpose and approach: Specify the incident that is to be tested.
How a virus infection is handled will be different from how to handle a Denial of
Service attack or a Web server defacement.

• Identify the test team: Specify whether employees or outside consultants will
conduct the test. No response team members should be on the test team because
they will be responsible for handling the incident.

• Structure the test: Plan exactly what you want to accomplish and set up the
equipment in a testing environment.

• Conduct the test: To be most effective, this should be done without prior
notification to the departments involved, because that is how incidents happen.

• Analyze test results: Evaluate how well or poorly everyone responded and how
easily the incident was resolved.

• Modify the plan: After a dry run, there are usually some modifications. Be sure
they're implemented.

FIREWALL
CONTENTS

• Various Generations of Firewalls
• FAQ

OBJECTIVES
After completion of this module you will be able to know:

• The different generations of firewalls
• Why a firewall is needed
• Answers to the FAQ

In its most basic terms, a firewall is a system designed to control access between two
networks.
There are many different kinds of firewalls: packet filters, application gateways, or
proxy servers. These firewalls can be delivered in the form of software that runs on an
operating system, like Windows or Linux, or as dedicated hardware devices that were
designed solely as firewalls.

UNDERSTAND THE EVOLUTION OF FIREWALLS


Learn how firewalls have progressed from simple packet filtering to more sophisticated
application-level filtering.
Webopedia.com defines a firewall as "a system designed to prevent unauthorized access
to or from a private network." Although technically accurate, this definition tells us only
what a firewall does and doesn't address the more important question of how it does it.
For administrators who are continually focused on keeping their networks secure, it is
helpful to take a closer look at the way firewalls function and how they have evolved in
recent years to better protect our corporate networks.

First-generation firewalls: Packet filtering


Static packet filters
One of the simplest and least expensive forms of firewall protection is known as static
packet filtering. With static packet filtering, each packet entering or leaving the network
is checked and either passed or rejected depending on a set of user-defined rules. Dealing
with each individual packet, the firewall applies its rule set to determine which packet to
allow or disallow. You can compare this type of security to the gatekeeper at a club who
allows people over 21 to enter and turns back those who do not meet the age
requirement. The static packet filtering firewall examines each packet based on the
following criteria:

• Source IP address
• Destination IP address
• TCP/UDP source port
• TCP/UDP destination port

For example, to allow e-mail to and from an SMTP server, a rule would be inserted into
the firewall that allowed all network traffic with a TCP source and destination port of 25
(SMTP) and the IP address of the mail server as either the source or destination IP
address. If this were the only filter applied, all non-SMTP network traffic originating
outside of the firewall with a destination IP address of the mail server would be blocked
by the firewall.
Many people have asked the question, "Is a router with an access list a firewall?" The
answer is yes, a packet filter firewall can essentially be a router with packet filtering
capabilities. (Almost all routers can do this.) Packet filters are an attractive option where
your budget is limited and where security requirements are deemed rather low.
But there are drawbacks. Basic packet filtering firewalls are susceptible to IP spoofing,
where an intruder tries to gain unauthorized access to computers by sending messages to
a computer with an IP address indicating that the message is coming from a trusted host.
Information security experts believe that packet filtering firewalls offer the least security
because they allow a direct connection between endpoints through the firewall. This
leaves the potential for a vulnerability to be exploited. Another shortcoming is that this
form of firewall rarely provides sufficient logging or reporting capabilities.
STATEFUL PACKET INSPECTION
Within the same generation of static packet filtering firewalls are firewalls known as
stateful packet inspection firewalls. This approach examines the contents of packets
rather than just filtering them; that is, it considers their contents as well as their addresses.
You can compare this to the security screener at an airport. A ticket validates that you
must be traveling from your source to your destination; however, your carry-on contents
must be checked to get to your final destination.
These firewalls are called stateful because they can permit outgoing sessions while
denying incoming sessions. They take into account the state of the connections they
handle so that, for example, a legitimate incoming packet can be matched with the
outbound request for that packet and allowed in. Conversely, an incoming packet
masquerading as a response to a nonexistent outbound request can be blocked. By using
something known as session or intelligent filtering, most stateful inspection firewalls can
effectively track information about the beginning and end of network sessions to
dynamically control filtering decisions. The filter uses smart rules, thus enhancing the
filtering process and controlling the network session rather than controlling the individual
packets.



Basic routers typically do not perform stateful packet inspections unless they have a
special module. A dedicated firewall device or server (with software) is usually required
when the level of security demands stateful inspection of data in and out of a network.
Although stateful packet inspection offers improved security and better logging of
activities over static packet filters, it has its drawbacks as well. Setting up stateful packet
examination rules is more complicated and, like static packet filtering, the approach
allows a direct connection between endpoints through the firewall.
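The static packet filter described in the previous section and the stateful filter described here, side by side, as an added example (not the chapter's code). The static rules implement the text's SMTP example using the four fields it lists; the stateful filter keeps a table of connections opened from the inside and admits inbound packets only when they answer a tracked flow or open a connection the rules explicitly permit. All addresses are constructed documentation ranges, and the "inside"/"outside" interface labels, the `syn` flag and the class and function names are assumptions of this example.

```python
"""Static packet filter beside a stateful filter.  Added example, not from
the chapter.  Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False         # True for the first packet of a new TCP connection
    iface: str = "outside"    # "outside" = arriving from the Internet, "inside" = leaving


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # address or CIDR, None = any
    dst: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.src is None or ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src))
            and (self.dst is None or ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst))
            and (self.sport is None or self.sport == p.sport)
            and (self.dport is None or self.dport == p.dport)
        )


MAIL_SERVER = "203.0.113.25"   # constructed address of the SMTP server behind the firewall

# The chapter's SMTP example: traffic to the mail server on TCP 25, and traffic
# from it with source port 25, is allowed; the final rule drops everything else.
STATIC_RULES = [
    Rule("allow", dst=MAIL_SERVER, dport=25),
    Rule("allow", src=MAIL_SERVER, sport=25),
    Rule("deny"),
]


def static_filter(p: Packet, rules=STATIC_RULES) -> str:
    """First matching rule wins; default deny when nothing matches."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Remembers connections opened from the inside and admits only their
    replies, plus new inbound connections the static rules explicitly allow."""

    def __init__(self, rules=STATIC_RULES):
        self.rules = rules
        self.table = set()   # (inside_ip, inside_port, outside_ip, outside_port)

    def decide(self, p: Packet) -> str:
        if p.iface == "inside":
            # Outbound: record the flow so its replies can come back.
            # (This example trusts everything that leaves the inside.)
            self.table.add((p.src, p.sport, p.dst, p.dport))
            return "allow"
        if (p.dst, p.dport, p.src, p.sport) in self.table:
            return "allow"          # reply to a flow we saw go out
        if p.syn and static_filter(p, self.rules) == "allow":
            return "allow"          # new inbound connection permitted by policy
        return "deny"               # unsolicited, including a forged "reply"


if __name__ == "__main__":
    sf = StatefulFilter()
    # A packet arriving from outside but forged with the mail server's address
    # and source port 25 passes the static filter (the IP-spoofing weakness
    # the text describes) and is dropped by the stateful one.
    forged = Packet(MAIL_SERVER, "10.0.0.5", 25, 40000)
    print("static:", static_filter(forged), " stateful:", sf.decide(forged))
```

The contrast is the one the text draws: the static filter judges each packet on its four header fields alone, so a forged source address satisfies the rule, while the stateful filter also asks whether anyone on the inside ever started that conversation.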

SECOND-GENERATION FIREWALLS: PROXY SERVICES


The next generation of firewalls attempted to increase the level of security between
trusted and untrusted networks. Known as application proxy or gateway firewalls, this
approach to protection is significantly different from packet filters and stateful packet
inspection. An application gateway firewall uses software to intercept connections for
each Internet protocol and to perform security inspection. It involves what is commonly
known as proxy services. The proxy acts as an interface between the user on the internal
trusted network and the Internet. Each computer communicates with the other by passing
all network traffic through the proxy program. The proxy program evaluates data sent
from the client and decides which to pass on and which to drop. Communications
between the client and server occur as though the proxy weren't there, with the proxy
acting like the client when talking with the server, and like the server when talking with
the client. This is analogous to a language translator who is the one actually directing and
sending the communication on behalf of the individuals.
Many information security experts believe proxy firewalls offer the highest degree of
security because the firewall does not let endpoints communicate directly with one
another. Thus, a vulnerability in a protocol that could slip by a packet filter or stateful
packet inspection firewall could be caught by the proxy program. In addition, the proxy
firewall can offer the best logging and reporting of activities.
Of course, this security solution is far from perfect. For one thing, to utilize the proxy
firewall, a protocol must have a proxy associated with it. Failure to have a proxy may
prevent a protocol from being handled correctly by the firewall and potentially dropped.
Also, there is usually a performance penalty for using such a firewall due to the
additional processing for application-level protocols.

FIREWALLS EVOLVED: THE THIRD GENERATION


The newest generation of firewalls may be defined as state-of-the-art perimeter security
integrated within major network components. These systems alert administrators in real
time about suspicious activity that may be occurring on their systems. Although it's a lot
to swallow, this new generation of firewall has evolved to meet the major requirements
demanded by corporate networks of increased security while minimizing the impact on
network performance. The requirements of the third generation of firewalls will be even
more demanding due to the growing support for VPNs, wireless communication, and
enhanced virus protection. The most difficult element of this evolution is maintaining the
firewall's simplicity (and hence its maintainability and security) without compromising
flexibility.



The most recent category of firewalls attempting to meet this demand performs what has
been termed stateful multilevel inspection, or SMLI. SMLI firewalls eliminate the
redundancy and CPU-intensive nature of proxy firewalls. SMLI's unique approach
screens the entire packet, OSI layers 2 through 7, and rapidly compares each packet to
known bit patterns of friendly packets before deciding whether to pass the traffic.
Coupled with or integrated into an intrusion-detection system (IDS), SMLI offers the first
glimpse of this new definition of a firewall. Among the products that use this new
technology are Check Point's FireWall-1, Elron Software's Internet Manager, and
SonicWall's line of access security products.

FREQUENTLY ASKED QUESTIONS


Why would you want a firewall?
Firewalls will protect your network from unwanted traffic. Many times, the unwanted
traffic is harmful traffic from hackers trying to exploit your network. You want a firewall
to protect your network, just as you want locks on your door and windows at your home.
Is a proxy server a firewall?
A proxy server is a form of a firewall. In legal terms, a proxy is someone who goes and
performs some action on your behalf. A proxy server performs network transactions on
your behalf. The most common use for this is a Web-proxy server. A Web-proxy will
take requests from users' Web browsers, get the Web pages from the Internet, and return
them to the user's browser. Many times, a proxy server also performs authentication to
see who is requesting the Web pages and also logs the pages that are requested and the
user they are from.
What is NAT?
NAT is Network Address Translation. NAT is usually used to translate from
real/global/public Internet addresses to inside/local/private addresses. These private
addresses are usually IP addresses: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.
NAT provides some security for your network as you do not have a real Internet IP
address and your network, usually, cannot be accessed from the Internet without some
outbound connection first being created from your private/inside network.
However, you still need a firewall to protect your network, as NAT only hides your
network but doesn't really stop any packets from entering your network.
Do firewalls stop Viruses, Trojans, Adware, and Spyware?
No, in general, firewalls do not stop Viruses, Trojans, Adware, or Spyware. Firewalls
usually only protect your network from inbound traffic from an outside (Internet)
network. You still need antivirus, anti-adware and anti-spyware software
applications to protect your system when it does go out on the Internet.
How do I know that my firewall is really protecting my network?
Just like any security system, a firewall should be tested periodically. To test a firewall,
you could have a professional security-consulting company do a security vulnerability
scan. However, this is usually something you can do yourself. To do this, you could use a
port-scanner or a more advanced tool like a vulnerability assessment tool (such as Retina,
Saint, or ISS).
What are the different types of firewalls?
The different types of firewalls are:
Packet filter: A packet filter looks at each packet entering the network and, based on its
policies, permits or denies these packets. A Cisco IOS Access Control List (ACL) is a
basic firewall that works in this way.
Stateful packet filter: A stateful packet filter also has rules; however, it keeps track of
the TCP connection state so it is able to monitor the conversations as they happen on
the network. It knows the normal flow of the conversations and knows when the
conversations are over. Thus, it is able to permit and deny packets entering the network
more intelligently. Because of this, a stateful packet filter (stateful firewall) is much
more secure than a regular packet filter.
Application gateway: An application gateway is a system that works for certain
applications only. It knows the language that the application/protocol uses and it
monitors all communications. An example would be an SMTP gateway.
Proxy server: A proxy server performs network transactions on your behalf. The most
common use for this is a Web-proxy server. A Web-proxy will take requests from users'
Web browsers, get the Web pages from the Internet, and return them to the user's
browser.
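An added example, not part of the BRBRAITT text, contrasting the first two types above: a stateless packet filter that must leave a standing rule for replies, and a stateful packet filter that admits inbound packets only for conversations opened from inside and forgets them when the conversation ends. The packets, addresses and the simplified TCP state machine are constructed for illustration.

```python
from collections import namedtuple

# Constructed TCP packet: flags are letters ("S", "SA", "A", "FA", "R"); inbound=True
# means the packet arrives from the Internet side of the firewall.
Packet = namedtuple("Packet", "src sport dst dport flags inbound")

class PacketFilter:
    """Stateless: judges each packet alone. To let web replies back in it needs
    a rule admitting every inbound packet whose TCP source port is 80."""
    def permit(self, p):
        return (not p.inbound) or p.sport == 80

class StatefulPacketFilter:
    """Tracks conversations opened from inside; admits inbound packets only while
    a matching conversation exists, and forgets it once the conversation ends."""
    def __init__(self):
        self.conns = {}   # (inside ip, port, outside ip, port) -> state
    def permit(self, p):
        if not p.inbound:                           # packet leaving the network
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == "S":                      # new outbound connection
                self.conns[key] = "SYN_SENT"
            elif "F" in p.flags or "R" in p.flags:  # inside ends it (a real firewall
                self.conns.pop(key, None)           # tracks the full close handshake)
            return True                             # outbound traffic is always allowed here
        key = (p.dst, p.dport, p.src, p.sport)
        state = self.conns.get(key)
        if state is None:
            return False                            # unsolicited: nobody inside asked for it
        if state == "SYN_SENT" and p.flags == "SA":
            self.conns[key] = "ESTABLISHED"         # the handshake reply expected next
            return True
        if state == "ESTABLISHED":
            if "F" in p.flags or "R" in p.flags:
                del self.conns[key]                 # outside ends it
            return True
        return False                                # out of sequence for this conversation

def evaluate(fw, packets):
    """Permit/deny verdict for each packet, in order."""
    return [fw.permit(p) for p in packets]

CLIENT, SERVER, ATTACKER = "10.1.1.5", "203.0.113.10", "198.51.100.7"  # constructed
BROWSING = [Packet(CLIENT, 40000, SERVER, 80, "S", False),   # normal web fetch from inside
            Packet(SERVER, 80, CLIENT, 40000, "SA", True),
            Packet(CLIENT, 40000, SERVER, 80, "A", False),
            Packet(SERVER, 80, CLIENT, 40000, "A", True),    # page data
            Packet(CLIENT, 40000, SERVER, 80, "FA", False),  # inside hangs up
            Packet(SERVER, 80, CLIENT, 40000, "A", True)]    # straggler after the close
UNSOLICITED = [Packet(ATTACKER, 80, CLIENT, 445, "A", True)]  # source port 80, never requested
```

The stateless filter passes every packet in both lists, including the unsolicited one; the stateful filter passes the browsing exchange up to the close and drops both the straggler and the unsolicited packet.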
What do VPNs have to do with firewalls?
Virtual Private Networks (VPNs) are used to encrypt traffic from a private network and
send it over a public network. Typically, this is used to protect sensitive traffic as it goes
over the Internet. Many times, you will have a VPN encryption device combined with a
firewall as the private network traffic that is being encrypted also needs to be protected
from hackers on the public network.
If I have a firewall, do I have a DMZ?
No, you do not necessarily have a DMZ (demilitarized zone) if you have a firewall. A
DMZ is a network that is semi-protected (not on the public network but also not on the
fully-protected private network). Many hardware firewalls create a DMZ for public mail
servers and Web servers. Most small networks or homes do not have DMZ networks.
Most medium-to-large corporate networks would have a DMZ.
What are IDS and IPS? Also, what do they have to do with firewalls?
An Intrusion Detection System (IDS) monitors for harmful traffic and alerts you when it
enters your network. This is much like a burglar alarm.
An Intrusion Prevention System (IPS) goes farther and prevents the harmful traffic from
entering your network.
IDS/IPS systems recognize more than just Layer 3 or Layer 4 traffic. They fully
understand how hackers use traffic to exploit networks and detect or prevent that harmful
traffic on your network. Today, many IDS/IPS systems are integrated with firewalls and
routers.
What is a DoS attack and will a firewall protect me from it?
A Denial of Service (DoS) attack is something that renders servers, routers, or networks
incapable of responding to network requests in a timely manner.
Firewalls can protect your network and its servers from being barraged by DoS traffic
and allow them to respond to legitimate requests, thus, allowing your company to
continue its business over the network.
How do you configure, monitor, and control a firewall?
As there are many different types of firewalls, there are also many different types of
firewall interfaces. You could have a command line interface (CLI), a Web-based
interface, or some other proprietary program that is used to configure the firewall.
For example, with Cisco PIX firewalls, you can configure them with the command line
interface (PIX OS), or the PIX Device Manager (PDM), a Java-based interface that works
with a Web browser.
How do I know what firewall I should use?
The size of the firewall you choose is usually based on the volume of traffic your network
links receive or the bandwidth of your network links. You also must take into
consideration other things for which you might be using the firewall, such as VPN, IDS,
and logging.
What are some new features to look for in firewalls?
Firewalls, today, are offering more and more features built into the firewall. Some of
them are: intrusion prevention, hardware-based acceleration, and greater recognition of
applications (moving up the OSI model towards layer 7).
How can I configure an inexpensive firewall?
There are a wide variety of firewalls available today. Perhaps the most basic firewall is
the personal PC firewall, such as that built into Windows XP. Next come more advanced
PC software firewalls, like ZoneAlarm Pro or BlackICE. There are midrange firewall
solutions like Microsoft ISA or hardware firewalls. Next on the scale are large Cisco PIX
or Check Point firewalls used for large businesses or Internet Service Providers.
