A firewall is a program or hardware device that filters the information coming in through the Internet connection into your local network or standalone computer system. If an incoming packet of information is flagged by the filters that are in place it is not allowed to pass. Without a firewall all your computers are directly accessible to anyone on the Internet, while you are connected. Usually a firewall will allow to set filters for all your servers, such as FTP, mail, Telnet, and so forth.
Firewalls typically use one or more of these methods to control traffic flowing in and out of the network:
- Packet filtering
Packets are analyzed. Only packets that make it through the filters are forwarded to the requesting system.
- Outbound filtering
Some firewalls only work in one direction. They examine packets your computer is receiving, not the ones it sends. Hostile applications such as trojan horses, worms and viruses can use your Internet connection to send sensitive information from your system. So your firewall should at least have a mechanism for filtering outbound traffic.
- Proxy service
Information from the Internet is retrieved by the firewall and then forwarded to the requesting system and vice versa.
- Stateful inspection
A method that compares certain key parts of a packet to a database of trusted information. If the comparison yields a reasonable match, the information is allowed through, otherwise it is blocked.
Implementing a firewall
There are a few ways of implementing a firewall, whereby in all methods the location of your servers and workstations play a major role in optimized security.
1. the safest method is to use a dedicated system with a built-in firewall for all your Internet server services and not to attach that system to your LAN. This method is very safe, but no system on the LAN has Internet access.
2. you can place the server/firewall on the same LAN as your systems but restrict the flow of traffic through the server. In this case local systems can go through the server/firewall to access Internet services, but no one can come in from the Internet to the local LAN. Unless someone reconfigures the firewall to support two-way traffic.
3. if you use multiple servers you should separate the servers/firewalls from your local systems. Set up your Internet server/firewall to handle the routing for the local systems and the local Internet servers separately. Local systems need one-way access to the Internet, while the local Internet servers need two-way access. You do run the risk of someone penetrating your firewall and changing router tables to get access to your LAN.
4. a second firewall can be added. This provides a backup to the first firewall in the event its router tables are compromised. In this way even if someone gets through the first firewall, the second one will stop or at least slow down the intruder.
Firewalls alone are no longer sufficient protection, because they're static devices. This means that intruders can use valid, legal packets to attack your network and compromise your security. You should use additional tools for complete protection, especially for Windows NT and the TCP/IP protocol. To spot potential problems before intruders exploit them from inside or outside your network, you can implement security tools such as port scanners, vulnerability testers, log analyzers or intrusion detectors.
Possible firewall protection
Some programs have features that allow for remote access.
- Denial of service
The hacker sends a request to the server to connect to it. When the server responds with an acknowledgement and tries to establish a session, it cannot find the system that made the request. By inundating a server with these unanswerable requests, a hacker causes a server to slow down or even crash.
- E-mail bombs
Someone sends you the same e-mail hundreds or thousands of times until your e-mail system cannot accept any more messages. That's an e-mail bomb.
To simplify procedures applications may allow you to create a script of commands. This is known as a macro. Hackers create their own macros that, depending on the application, can destroy your data or crash your computer.
- Operating system bugs
Like applications, some operating systems have backdoors. Others provide remote access with insufficient security controls or have bugs that a hacker can take advantage of.
- Redirect bombs
Hackers can change (redirect) the path information takes, by sending it to a different router.
- Remote login
When someone is able to login to your computer and control it somehow. This can be from accessing your files to running programs on your computer.
- SMTP session hijacking
SMTP is the most common method of sending e-mail over the Internet. By gaining access to a list of e-mail addresses, a person can send unsolicited e-mail (spam). This is done by redirecting the e-mail through the SMTP server of an unsuspecting host, making the sender of the e-mail difficult to trace.
Be careful of clicking on unknown links in e-mails, because you may accidentally accept a cookie that provides a backdoor to your computer.
- Source routing
In most cases, the path a packet travels over the Internet (or any other network) is determined by the routers along that path. But the source providing the packet can arbitrarily specify the route that the packet should travel. Hackers sometimes take advantage of this to make information appear to come from a trusted source or even from inside the network.
For more details see: Anti-virus information.
NCSA has a certification program that tests firewall products against a standardized suite of attacks while still letting authorized users accomplish business functions. NCSA certification provides an objective way for you to evaluate the level of security a firewall provides.
Setting filters for a firewall
You can set filters based on various conditions. Some of these are:
Each machine on the Internet is assigned a unique address called an IP address. IP addresses are 32-bit numbers, normally expressed as four octets in a dotted decimal number. (f.e.: 220.127.116.11). Any IP address can be blocked.
All servers on the Internet have readable names, called domain names, beside their IP address. These two are linked using a DNS (domain name server) server. A firewall can be setup to block access to certain domain names, or allow access to specific domain names only.
Protocols are usually in text format, and describe how client and server are to establish communication. Some protocols that you can set firewall filters for:
- IP (Internet Protocol) - the main delivery system for information over the Internet
- TCP (Transport Control Protocol) - used to break apart and rebuild information that travels over the Internet
- HTTP (Hyper Text Transfer Protocol) - used for Web pages
- FTP (File Transfer Protocol) - used to download and upload files
- UDP (User Datagram Protocol) - used for information that requires no response, such as streaming audio and video
- ICMP (Internet Control Message Protocol) - used by a router to exchange information with other routers
- SMTP (Simple Mail Transport Protocol) - used to send text-based information (e-mail)
- SNMP (Simple Network Management Protocol) - used to collect system information from a remote computer
- Telnet - used to perform commands on a remote computer
Any server machine makes its services available to the Internet using ports, one for each service that is available on the server. A Web server is typically available on port 80, or port 8080, while the FTP server is usually available on port 21. Any port can be filtered.
Specific words and phrases
The firewall will search through each packet of information for an exact match of the text listed in the filter. You can include as many words, phrases and variations as you need to setup a correct filter.
A method for determining whether a system is connected to the Internet at a particular address. You ping a system by sending an Echo Request packet. If the target is connected, you'll receive a 'pong' in response. Most operating systems have this program. Try entering the command:
ping domain.com (any domain name or IP address)
Operating System Fingerprinting
By sending or receiving a special packet, one can determine whether a system is connected to an IP address and which operating system it is running.
TCP and UDP use port numbers to identify higher layer services. Systems administrators use port scanners to determine what TCP/UDP services are available on a server. A basic rule of server security is to disable any service that the system isn't using because any open TCP/UDP service offers intruders a possible entry into your system. You can use a port scanner to ensure that only the desired TCP/UDP services are running.
Port numbers 0 through 1023 are well-known ports that systems administrators usually use for system processes or for programs that privileged users are running. If attackers exploit a well-known port, they can potentially gain control of a server. Attackers use several generic schemes to scan ports.
TCP connect() scanning
is the most basic form of TCP scanning. An attacker's host issues a connect() system call to every interesting port on the target machine. If the port is listening, connect() will succeed; otherwise, the port is unreachable and the service is unavailable. This scheme is fast and doesn't require any special privileges.
TCP SYN scanning
attempts to set up a TCP virtual connection. Establishing a TCP virtual connection requires a three-way handshake, in which one host sends a TCP segment with the synchronize (SYN) flag set, the other host responds with a segment that has the acknowledge valid (ACK) and SYN flags set, and the first host responds with a segment that has only the ACK flag set. In SYN scanning, a querying host sends a SYN segment to every port. If the server responds with a SYN-ACK segment the service is available. If the server responds with a reset (RST) segment the service is unavailable.
TCP FIN scanning
the attacker's querying host skips the three-way handshake and sends a finish (FIN) segment to all interested TCP ports. Sending a FIN segment closes an open TCP connection. If the port is open, the system is supposed to ignore the FIN because there is no existing connection; if the port is closed, the system generates an RST segment. Lack of a response identifies an active port to an attacker. This method doesn't work well on most Windows systems because Microsoft's TCP implementation always sends a RST in response to a FIN.
uses the FTP PORT command and the upload capability at an FTP server behind the firewall. This attack lets a client connect with other systems that otherwise wouldn't be accessible.
UDP Internet Control Message Protocol (ICMP) port unreachable scanning
is one of the few UDP scans. UDP is a connectionless protocol, so it's harder to scan than TCP because UDP ports aren't required to respond to probes. Most implementations generate an ICMP port_unreachable error when a user (or intruder) sends a packet to a closed UDP port.
You can perform port scans by using several tools that employ a combination of methods to detect attacks. The FTP and HTTP services are vulnerabilities simply because they're always running. The medium risk vulnerability FTP service is susceptible because it has anonymous access enabled, and the HTTP service is high risk because attackers can exploit the $DATA hole in Microsoft's Internet Information Server (IIS). This vulnerability affects many IIS installations because an attacker can download the Active Server Pages (ASP) source by appending a ::$DATA string to the URL. This action can expose usernames and passwords that systems administrators have hard-coded within scripts.
Many port scanners suggest possible fixes, such as shutting down the service or installing a hotfix. Although shutting off the service might not be an option, knowing that a vulnerability exists helps you balance the risk exposure with the benefit.
Vulnerability testing is similar to port scanning, but you use vulnerability testing for specific Operating Systems rather than TCP/IP communications protocols. Many security vulnerabilities are OS specific, so a good rule of secure management is to avoid advertising your servers' OS. However, clues such as .asp file extensions, use of .htm rather than .html, and home pages named default.htm usually identify an IIS server to an attacker. In addition, many tools help attackers determine a system's OS, and to use these tools attackers need only the server's IP address. Systems administrators are well advised to use software to examine their systems for OS vulnerabilities. Most vulnerability testers will also tell you where you can get more information, such as pointers to Microsoft articles and links to hot fixes and service packs, and suggest corrective measures, such as instructions for updating the Registry to secure your systems. New OS vulnerabilities appear all the time. You need to do scan security frequently with an up-to-date database of OS vulnerabilities.
Hardware firewalls are secure and not expensive anymore. The router is connected to a cable or a DSL modem and functions as gateway, DHCP server, virtual server and applications server. You configure the router via a browser interface that resides on your computer by entering its local IP address. You can set many filters for each of the functions of the router.
A software firewall can be installed on a standalone computer with an Internet connection. This computer is considered a gateway because it provides the main or only point of access between your computer and the Internet. Firewall programs can be found in SimplytheBest Software.