Keep Your Data Safe Behind a Firewall

May 12, 2008 Linux Security | Comments (0) admin @ 8:26 pm

Firewalls

Computer viruses! Worms! E-mail viruses! Trojan Horses! The media is always full of stories about computer viruses infecting computers all over the world, or companies scrambling to fix security holes in their software by releasing security updates. What can businesses or individuals do to protect their computers? Installing a firewall may be one answer.

The Importance of Having a Firewall

While the first computer viruses were transported from computer to computer by floppy disks, computer viruses today can cover the globe in the blink of an eye over the Internet. And they’ve probably made it to your computer. You have likely had to deal with the consequences of spyware and other malicious programs that have crawled onto your computer while you were browsing the Internet. And as a consequence, you’ve probably spent hours and hours trying to get rid of all the spyware and other malicious programs that have taken up residence on your computer.

Even if you think your computer is virus free, you are probably wrong. That is why spyware and viruses are so dangerous; you could be using your computer with no idea that they’re there.

Firewalls Will Protect your Computer

A firewall puts a wall between your home network and the Internet. Just like a real firewall keeps fire from spreading from one area to another, a software firewall tries to keep computer viruses from spreading from the Internet onto your home computer or home network.

The firewall itself is a piece of software that usually runs on your router or cable modem. By attaching itself to this hardware, the firewall is the first thing any incoming traffic from the Internet meets.

The firewall’s job is to filter all of the traffic from the Internet that comes onto your home network. Whenever a network packet tries to come onto your home network, it has to get past the firewall first. The firewall will analyse the packet to make sure it isn’t a virus or some other undesirable communication. If the firewall gives it the all clear, it will let the packet continue on its journey to your home network.

How does a Firewall Know what Traffic is Good?

The firewall will use user-defined parameters and automatic parameters to decide whether the traffic should be let through or labelled dangerous and blocked. As the user, you could configure the firewall to block all traffic coming from a specific IP address. Obviously, you won’t be able to do this for all the malicious sites on the Internet – this list would be far, far too long!

For this reason, the firewall will automatically screen incoming traffic to make sure it corresponds to the kind of traffic you would want to receive by running it through a set of predetermined parameters. For instance, the firewall will usually let traffic sent from a website through to your computer, but it will not let someone remotely login to your computer.

No matter what software or hardware you use, you will always be putting your computer at risk when you connect it to the Internet. You can limit this risk as much as possible, however, by using a firewall. A firewall will let you access all the wonderful resources of the Internet without staying awake all night worrying about your home network.

Written by Steve Dolan.

Firewall (Networking)

May 11, 2008 Linux Security | Comments (0) admin @ 9:34 pm

In computing, a firewall is a piece of hardware and/or software which functions in a networked environment to prevent some communications forbidden by the security policy, analogous to the function of firewalls in building construction. A firewall is also called a Border Protection Device (BPD), especially in NATO contexts, or packet filter in BSD contexts.

A firewall has the basic task of controlling traffic between different zones of trust. Typical zones of trust include the Internet (a zone with no trust) and an internal network (a zone with high trust). The ultimate goal is to provide controlled connectivity between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle.

Proper configuration of firewalls demands skill from the administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.

Types of firewalls

There are three basic types of firewalls, depending on:
- whether the communication is being done between a single node and the network, or between two or more networks
- whether the communication is intercepted at the network layer, or at the application layer
- whether the communication state is being tracked at the firewall or not
With regard to the scope of filtered communication there exist:

- personal firewalls, a software application which normally filters traffic entering or leaving a single computer through the Internet
- network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones). Such a firewall filters all traffic entering or leaving the connected networks.
The latter definition corresponds to the conventional, traditional meaning of “firewall” in networking.

In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:

- network layer firewalls
- application layer firewalls
- application firewalls
These network-layer and application-layer types of firewall may overlap, even though the personal firewall does not serve a network; indeed, single systems have implemented both together.

There’s also the notion of application firewalls which are sometimes used during wide area network (WAN) networking on the world-wide web and govern the system software. An extended description would place them lower than application layer firewalls, indeed at the Operating System layer, and could alternately be called operating system firewalls.

Lastly, depending on whether the firewalls track packet states, two additional categories of firewalls exist:

- stateful firewalls
- stateless firewalls

Network layer firewalls
Network layer firewalls operate at a (relatively low) level of the TCP/IP protocol stack as IP-packet filters, not allowing packets to pass through the firewall unless they match the rules. The firewall administrator may define the rules; or default built-in rules may apply (as in some inflexible firewall systems).

A more permissive setup could allow any packet to pass the filter as long as it does not match one or more “negative rules”, or “deny rules”. Today network firewalls are built into most computer operating systems and network appliances.

Modern firewalls can filter traffic based on many packet attributes like source IP, source port, destination IP or port, destination service like WWW or FTP. They can filter based on protocols, TTL values, netblock of originator, domain name of the source, and many other attributes.
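To make the rule matching described above concrete, here is an added example (not code from the original article, and not a real firewall) of a toy first-match IP packet filter in sh and awk. The rule format (action, protocol, destination port, source-address prefix, with "any" as a wildcard), the rule set and the packets are constructed for the illustration; the function takes the default policy and a packet written as "proto src_ip dst_port", and the contrast between the two default policies is the point made in the paragraph on "deny rules".

```shell
#!/bin/sh
# Added example: a toy first-match packet filter. Rules are consulted top to
# bottom; the first match decides, and the DEFAULT POLICY decides when nothing
# matches. Rule format:  action proto dst_port src_prefix   ("any" = wildcard)

# Constructed rule set: block one known-bad network, allow web from anywhere,
# allow SSH only from the LAN prefix (trailing dot so 192.168.1 != 192.168.10).
RULES='deny  any any 203.0.113.
allow tcp 80  any
allow tcp 443 any
allow tcp 22  192.168.1.'

# filter DEFAULT "proto src_ip dst_port"  -> prints "allow" or "deny"
filter() {
    printf '%s\n' "$RULES" | awk -v def="$1" -v pkt="$2" '
        BEGIN { split(pkt, p, " "); proto = p[1]; src = p[2]; port = p[3] }
        NF < 4 { next }                       # skip malformed rule lines
        ($2 == "any" || $2 == proto) &&
        ($3 == "any" || $3 == port)  &&
        ($4 == "any" || index(src, $4) == 1) { print $1; matched = 1; exit }
        END { if (!matched) print def }'      # no rule matched: default policy
}

# Same packets under a default-deny and a default-allow ("deny rules only") policy.
for pkt in "tcp 203.0.113.7 80" "tcp 198.51.100.9 22" "tcp 192.168.1.20 22"; do
    printf '%-20s default-deny: %-5s default-allow: %s\n' "$pkt" \
        "$(filter deny "$pkt")" "$(filter allow "$pkt")"
done
```

Note that SSH from the Internet host is refused only under the default-deny policy; with a default-allow policy every service that nobody thought to write a deny rule for is reachable.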

Application-layer firewalls
Application-layer firewalls work on the application level of the TCP/IP stack (i.e., all browser traffic, or all telnet or ftp traffic), and may intercept all packets traveling to or from an application. They block other packets (usually dropping them without acknowledgement to the sender). In principle, application firewalls can prevent all unwanted outside traffic from reaching protected machines.

By inspecting all packets for improper content, firewalls can even prevent the spread of the likes of viruses. In practice, however, this becomes so complex and so difficult to attempt (given the variety of applications and the diversity of content each may allow in its packet traffic) that comprehensive firewall design does not generally attempt this approach.

The XML Firewall exemplifies a more recent kind of application-layer firewall.

Proxies
A proxy device (running either on dedicated hardware or as software on a general-purpose machine) may act as a firewall by responding to input packets (connection requests, for example) in the manner of an application, whilst blocking other packets.

Proxies make tampering with an internal system from the external network more difficult, and misuse of one internal system would not necessarily cause a security breach exploitable from outside the firewall (as long as the application proxy remains intact and properly configured). Conversely, intruders may hijack a publicly-reachable system and use it as a proxy for their own purposes; the proxy then masquerades as that system to other internal machines. While use of internal address spaces enhances security, crackers may still employ methods such as IP spoofing to attempt to pass packets to a target network.

Network address translation
Firewalls often have network address translation (NAT) functionality, and the hosts protected behind a firewall commonly use so-called “private address space”, as defined in RFC 1918. Administrators often set up such scenarios in an effort (of debatable effectiveness) to disguise the internal address or network.

Check List for Linux Security

May 9, 2008 Linux Security | Comments (0) admin @ 8:08 am


Linus Torvalds of Finland. It has grown into a full-fledged 32-bit operating system. It is solid and stable, and supports an incredible number of applications. It has very powerful capabilities, runs very fast and rarely crashes.

Unfortunately, Linux machines are broken into almost every day. This does not happen because Linux is an insecure operating system; it contains all the tools needed to make it very secure. The truth is that it hasn’t become significantly more secure with the increase in popularity. On the other hand, our understanding of hackers’ methods and the wide variety of tools and techniques available have helped system administrators secure their Linux computers. Our goal in this article is to list the most critical situations and how to prevent an invasion with simple measures.

1- Weak passwords - By far the first and most used method hackers try when penetrating a Linux system is cracking a password, preferably that of the root user. Usually they will target a common user first and then, using that user’s access to the operating system, try to gain privileged access by cracking the root password. A good password policy and good passwords are absolutely critical to the security of any computer. Some common mistakes when selecting a password:
A- using “password” as the password.
B- using the name of the computer.
C- a well-known name from science, sports or politics.
D- a reference to a movie.
E- anything that is part of the user’s web site.
F- references associated with the account.

The latest versions of Linux offer shadowed passwords. If a cracker can see an encrypted password, cracking it would be a simple task. So, instead of being stored in the passwd file, passwords are now stored in the shadow file, which is readable only by root. Before a hacker can crack a password he needs to figure out an account name, so simple account names must be avoided as well. Another security measure is to apply a “no login” shell to the account in the passwd file. This must be done for all the accounts that don’t need to log in to the system. Examples are: apache, mysql, ftp and others.
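The two checks above can be automated. The following is an added example (not from the original article) that audits a file in /etc/passwd format for password hashes that were never moved to the shadow file and for service accounts that still have an interactive shell. The sample file, its account names and the "ftp" password field are constructed placeholders; on a real host the function is pointed at /etc/passwd.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for
#   UNSHADOWED  - password field is not "x" (a hash, or nothing, is world-readable)
#   LOGIN_SHELL - system account (uid < 1000, not root) whose shell is not nologin/false

# Constructed sample in /etc/passwd format. The "ftp" password field is a
# made-up placeholder standing in for a hash left in the passwd file.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
apache:x:48:48:Apache:/var/www:/bin/bash
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
ftp:$1$PLACEHOLDER$NOTAREALHASHNOTAREALHASH:14:50:FTP User:/var/ftp:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
EOF

# audit_passwd FILE: print one "KIND account" finding per line.
audit_passwd() {
    awk -F: '
        # "x" means the hash lives in the shadow file; "*" and "!" mean locked
        $2 != "x" && $2 != "*" && $2 != "!" { print "UNSHADOWED " $1 }
        # service accounts should carry a non-interactive shell
        $3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print "LOGIN_SHELL " $1 }
    ' "$1"
}

audit_passwd "$SAMPLE_PASSWD"
```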

Limit which terminals root may log in from. If the root account is allowed to log in only from certain terminals that are considered secure, it will be almost impossible for a hacker to penetrate the system. This can be done by listing the allowed terminals in /etc/security. The login program will consider insecure any terminal that is not listed in this file, which is readable only by root.

2- Open Network Ports

Any default Linux installation will provide the operating system with tons of software and services. Several of them are not necessary or even wanted by the administrator. Removing this software and these services will close the path to several attacks and improve security. The /sbin/chkconfig program can be used to stop services from automatically starting at run levels 3, 4 and 5. Log in as root and type /sbin/chkconfig --list to view all the services set to start automatically. Select the ones you don’t need and type /sbin/chkconfig --level 345 name_of_service off. Repeat this for every service you don’t want to keep running. The xinetd server can also be used to disable other services.
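As an added example (not from the original article), the script below turns the chkconfig procedure above into a review step: it parses the output of chkconfig --list, keeps every service enabled at run level 3, 4 or 5 that is not on an allowlist, and prints the disabling command for each one without running anything. The listing is a constructed sample in the Red Hat-style chkconfig --list format, the allowlist is an assumption for this host, and the xinetd section at the end of the listing is skipped because xinetd services are managed separately.

```shell
#!/bin/sh
# Added example: find services that start at run level 3, 4 or 5 but are not
# on the allowlist, and print (not execute) the chkconfig command to turn them off.

# Constructed sample of "chkconfig --list" output.
SAMPLE_LIST='sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
httpd           0:off   1:off   2:off   3:on    4:on    5:on    6:off
cups            0:off   1:off   2:on    3:on    4:on    5:on    6:off
rpcbind         0:off   1:off   2:on    3:on    4:on    5:on    6:off
nfs             0:off   1:off   2:off   3:off   4:off   5:off   6:off
xinetd based services:
        telnet:         on
        tftp:           off'

# Services this host is meant to provide (assumed allowlist, space-separated).
ALLOWED='sshd httpd'

# unwanted_services LISTING: one service name per line. Fields 5-7 of a SysV
# line are "3:on", "4:on", "5:on" when the service starts at that run level.
unwanted_services() {
    printf '%s\n' "$1" | awk -v allowed=" $ALLOWED " '
        /^xinetd based services:/ { exit }   # xinetd entries use another format
        ($5 == "3:on" || $6 == "4:on" || $7 == "5:on") &&
            index(allowed, " " $1 " ") == 0 { print $1 }'
}

# Print the commands for review; run them as root only after checking the list.
for svc in $(unwanted_services "$SAMPLE_LIST"); do
    echo "/sbin/chkconfig --level 345 $svc off"
done
```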

3- Old Software Versions

Every day, vulnerabilities are found in programs, and most of them are fixed quickly. It is important, and sometimes critical, to keep up with the changes. There are mailing lists for every Linux distribution where one can get security-related information and the latest vulnerabilities found.
Some places to watch for security holes are:
- http://www.redhat.com/mailman/listinfo/redhat-announce-list
- http://www.debian.org/MailingLists/
- http://www.mandrakesecure.net/en/mlist.php
- http://www.suse.com/us/private/support/security/index.html
- http://www.freebsd.org/security/index.html
- http://www.linuxtoday.com/
- http://www.lwn.net/
It is crucial to ensure that the released security patches are applied to the programs as soon as they are available. The hacker community will be aware of the discovered holes and will try to exploit them before the fixes are applied.

4- Insecure and Badly Configured Programs

There are some programs that have a history of security problems. To name a few, IMAP, POP, FTP, portmap and NFS are the best known. The good news is that most of these programs can be replaced by a secure version such as spop, sftp or scp.

It is important that, before deploying any service, the administrator investigates its security history. Sometimes simple configuration measures can prevent serious headaches in the future.

Some advice regarding web server configuration is well worth mentioning:

- Never run the web server as a privileged user;
- Do not keep clients’ confidential data on the web server - credit card numbers, phone numbers and mailing addresses must be recorded on a different machine;
- Make sure the privileged data that a user supplies on a form does not show up as a default for the next person to use the form;
- Establish acceptable values for data that is supplied by web clients;
- Check CGI programs for vulnerabilities.

5- Stale and Unnecessary Accounts

When a user no longer uses his/her account, make sure it is removed from the system. A stale account won’t have its password changed periodically, leaving a hole. Publicly readable or writable files owned by that account must be removed. When you remove an unnecessary service, make sure you remove or disable the corresponding account.

Security Resources on the Web

Bugtraq - Includes detailed discussions of Unix security holes
http://www.securityfocus.com/

Firewalls - Discusses the design, construction, operation, and maintenance of firewall systems
http://www.isc.org/services/public/lists/firewalls.html

RISKS - Discusses risks to society from computers
http://www.risks.org/

Insecure.org
http://www.insecure.org/