Securing Your Internet Connection: Scott McCulley, Doug Nomura, Vik Varma

By: Mike Kimball - Revised: 2006-06-20 devin

Facts about Security

$45 Billion Loss of Proprietary Information in 1999
(Source: American Society for Industrial Security and PricewaterhouseCoopers survey)

41.8% of sites do NOT have a firewall.
38.8% have not had a security analysis of their network.
48% have no network auditing tools.
48% have no tools to detect intrusion.

643 organizations surveyed by CSI.
90% detected breaches.
At least 74% suffered financial losses.
42% quantified losses.
  • $266M loss
  • Proprietary info and financial fraud
85% detected viruses.
60% detected DOS attack.
79% detected violation of AUP.
64% detected website vandalism.

Security is not the Firewall

What is a firewall?
A system that enforces a policy controlling access between multiple networks. Operates at the network layer, inspecting packets and applying rulesets to them. Comes in host-based and network-based forms.

Why do I need a firewall?
To give security and privacy. To comply with organizational policies. To log internet usage. Because of the increase in broadband connections.

Traditional Firewall Paradigm
That which is not expressly permitted is denied.

What are some of the Threats?
Threats from the outside by vandals and curious crackers. Industrial spies. Threats from inside. Threats on shared media. Viruses/Worms/Trojan Horses.

Types of firewalls
Router-based. Application Proxy. Hybrid Firewalls.

Screening Router

May be a commercial router (e.g. Cisco). May be a host-based router with packet filtering capability. Has some logging capability.

Screening Router Pros
Low overhead, high throughput. Fast. Less processing required. Transparent to the user.

Screening Router Cons
Packets are not inspected. Vulnerable to "tunneling" attacks. Generally poor logging.

Example access list (wrong)
access-list 113 deny ip any log
access-list 113 permit tcp any any established
access-list 113 deny icmp any any echo
access-list 113 deny permit tcp any host eq domain
access-list 113 permit ip any any

The wrong code is in the last line: permit ip any any lets through everything the earlier lines did not already deny, so the list offers no real protection. Comments would also be helpful...

Example access list (correct)
! http/https
access-list 101 permit tcp any eq www host x.x.x.x gt 1023 established
access-list 101 permit tcp any gt 1023 host x.x.x.x eq www
access-list 101 permit tcp any eq 443 host x.x.x.x gt 1023 established
access-list 101 permit tcp any gt 1023 host x.x.x.x eq 443
! default deny
access-list 101 deny ip any any log

Always include access lists on the router as well; they act as a second set of rules behind the firewall to protect you.
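To see why the ordering and the final line matter, here is an added example (not code from the original presentation) that evaluates the "correct" access list above with first-match semantics, and compares it with a constructed variant that repeats the mistake of the "wrong" list by ending in permit ip any any instead of a default deny. The service-name table, the Packet model and the sample addresses are assumptions for illustration.

```python
# Added example (not from the original presentation): first-match evaluator for
# the subset of Cisco extended-ACL syntax used on this page. Sample packets and
# the MISTAKE list are constructed for illustration.
from collections import namedtuple

PORT_NAMES = {"www": 80, "domain": 53, "telnet": 23}   # service names, as assumed
# established=True models a TCP packet with ACK/RST set (a reply in an open session)
Packet = namedtuple("Packet", "proto src sport dst dport established", defaults=(False,))

def _addr(toks):
    # 'any' or 'host a.b.c.d' -> (matcher, remaining tokens)
    if toks[0] == "any":
        return (lambda ip: True), toks[1:]
    if toks[0] == "host":
        return (lambda ip, want=toks[1]: ip == want), toks[2:]
    raise ValueError("unsupported address form: " + toks[0])

def _port(toks):
    # optional 'eq X' / 'gt N' qualifier -> (matcher, remaining tokens)
    if toks and toks[0] in ("eq", "gt"):
        n = PORT_NAMES.get(toks[1]) or int(toks[1])
        op = (lambda p, n=n: p == n) if toks[0] == "eq" else (lambda p, n=n: p > n)
        return op, toks[2:]
    return (lambda p: True), toks

def parse_rule(line):
    t = line.split()   # access-list N action proto src [port] dst [port] [established] [log]
    action, proto = t[2], t[3]
    src, t = _addr(t[4:])
    sport, t = _port(t)
    dst, t = _addr(t)
    dport, t = _port(t)
    need_est = "established" in t          # other trailing keywords (log) are ignored here
    return action, lambda p: ((proto == "ip" or p.proto == proto) and src(p.src)
                              and sport(p.sport) and dst(p.dst) and dport(p.dport)
                              and (not need_est or p.established))

def evaluate(acl, pkt):
    # first matching rule wins; falling off the end is the implicit deny
    for line in acl:
        if line.strip() and not line.startswith("!"):
            action, match = parse_rule(line)
            if match(pkt):
                return action
    return "deny"

CORRECT = [  # the "correct" list from above; x.x.x.x stands for the protected host
    "access-list 101 permit tcp any eq www host x.x.x.x gt 1023 established",
    "access-list 101 permit tcp any gt 1023 host x.x.x.x eq www",
    "access-list 101 permit tcp any eq 443 host x.x.x.x gt 1023 established",
    "access-list 101 permit tcp any gt 1023 host x.x.x.x eq 443",
    "access-list 101 deny ip any any log",
]
# The flaw of the "wrong" list: a trailing permit ip any any instead of a default deny
MISTAKE = CORRECT[:-1] + ["access-list 113 permit ip any any"]
```

With CORRECT, an inbound telnet SYN is denied and a spoofed packet from source port 443 without the ACK bit is denied by the established keyword; with MISTAKE the same telnet SYN is permitted.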

Application Firewall

Does not allow direct traffic between separated networks. Handles, stores, and forwards both inbound and outbound traffic. Has built-in logging and extensive security. Allows for the implementation of protocol-specific security (e.g. allows outbound telnet but prevents inbound telnet). Excellent user authentication. Excellent logging.

Much slower. Does not support every possible type of connection.

Gauntlet (example of Application firewall)
Multi-homed host. Available on NT, Solaris, HP/UX (works OK in VPC, but is slow). Can be very secure but requires a certain level of expertise. Has a fairly easy, intuitive UI.

Gauntlet Config File
http-gw: backend /usr/local/etc/http-gw
http-gw: proxy-exec ./http-gw
http-gw: proxy-type http-gw
http-gw: bind-port 80
http-gw: timeout 7200
http-gw: userid uucp
http-gw: groupid 6
http-gw: accept-count 10
http-gw: state on

Gauntlet Management Config
500MHz G3 PowerBook, 256MB RAM, VirtualPC, NT 4.0 SP5, Gauntlet Firewall Management tool.

Other Application firewall software
Netbarrier - Mac-based and fairly secure
Webshield - via VPC, works fairly well...
Also visit

Packet Filter Firewall

Easy setup. Easy configuration and maintenance via GUI. Fast throughput. Commercial support available.

False sense of security (i.e. it doesn't check the packet info, and isn't protocol-specific, so it is vulnerable to tunneling attacks). Poor licensing and license counting. Too easy to configure.

Firewall-1 (example of packet filter firewall)
Multi-homed host. Very similar to a screening router. Easy to configure.

Mac-based Firewalls

Host based
Network based
Tested on a 300MHz G3, System 8.6, 160MB RAM, probed with Nmap and Cybercop Scanner. Do they do the job?
Easy setup, inexpensive, run on Mac OS, and they do the job.

Logging is poor, Flexibility is poor.

Other Firewall Options

Cisco PIX, Sonicwall, Linux w/ ipfwadm or ipchains, FreeBSD/OpenBSD with ipNAT, FWTK on Linux PPC. A freeware firewall is inexpensive, open source, and highly customizable. However, there is no commercial support, it is open source, and it has a steep learning curve. One final option is a firewall managed by a third party such as Genuity (of course, then the necessary resources or expertise do not reside in-house).

About Logging

Log as much as possible. Create graphs, summaries, alerts. Daily and Weekly reports. Save the logs. LOOK AT the logs.

What are my logs telling me?

Notes about Virus Protection

Don't abandon Virex. Other packages are expensive and difficult.
Mac Virus Archives:

Intrusion Detection

Syslog monitoring. Host-based.
Network monitoring: Etherpeek, or NFR (