Securing Your Internet Connection: Scott McCulley, Doug Nomura, Vik Varma
By: Mike Kimball - Revised: 2006-06-20 devin
Facts about Security
$45 Billion Loss of Proprietary Information in 1999
(Source: American society for Industrial Security and Pricewaterhouse Coopers Survey,
http://www.pwc.com.)
41.8% of sites do NOT have a firewall.
38.8% have not had a security analysis of their network.
48% have no network auditing tools.
48% have no tools to detect intrusion.
643 organizations surveyed by CSI.
90% detected breaches.
At least 74% suffered financial losses.
42% quantified losses.
- $266M loss
- Proprietary info and financial fraud
85% detected viruses.
60% detected DoS attacks.
79% detected violation of AUP.
64% detected website vandalism.
Security is not the Firewall
What is a firewall? A system that enforces a policy controlling access between multiple networks. It operates at the network layer, inspecting packets and applying rulesets to them. Firewalls may be host-based or network-based.
Why do I need a firewall? For security and privacy. To comply with organizational policies. To log Internet usage. Because of the increase in broadband connections.
Traditional Firewall Paradigm: That which is not expressly permitted is denied.
What are some of the threats? Threats from the outside by vandals and curious crackers. Industrial spies. Threats from inside. Threats on shared media. Viruses, worms, and Trojan horses.
Types of firewalls: Router-based. Application proxy. Hybrid firewalls.
Screening Router
May be a commercial router (e.g. Cisco). May be a host-based router with packet filtering capability. Has some logging capability.
Screening Router Pros: Low overhead, high throughput. Fast. Less processing required. Transparent to the user.
Screening Router Cons: Packet contents are not inspected (only headers are matched against the rules). Vulnerable to "tunneling" attacks. Generally poor logging.
Example access list (wrong)
access-list 113 deny ip 204.73.73.0 0.0.0.255 any log
access-list 113 permit tcp any any established
access-list 113 deny icmp any any echo
access-list 113 permit tcp any host 204.73.73.4 eq domain
.
.
.
access-list 113 permit ip any any
The wrong code is in this last line: a closing "permit ip any any" lets through everything the lines above did not explicitly deny, so the list is default-permit instead of default-deny, the opposite of the paradigm above. Also, comments would be helpful...
Example access list (correct)
!
! http/https
!
access-list 101 permit tcp any eq www host x.x.x.x gt 1023 established
access-list 101 permit tcp any gt 1023 host x.x.x.x eq www
access-list 101 permit tcp any eq 443 host x.x.x.x gt 1023 established
access-list 101 permit tcp any gt 1023 host x.x.x.x eq 443
.
.
.
! default deny
access-list 101 deny ip any any log
Always include access lists on the router as well; they act as a second set of rules behind the firewall to protect you.
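To make the difference between the two lists concrete, here is an added example (not code from the talk) that evaluates a small subset of Cisco IOS extended access-list syntax the way a screening router does: top to bottom, first match wins, with the implicit deny at the end. The two lists inside it are constructed from the talk's examples; 192.0.2.10 stands in for the talk's x.x.x.x and the port names, the ACK-based meaning of "established", and the wildcard-mask matching are the only IOS semantics assumed.

```python
"""Toy evaluator for a subset of Cisco IOS extended access-list syntax.

Added example, not code from the talk. It models what a screening router
does: match packet headers against the list top to bottom, first match
wins, and anything matching nothing hits the implicit 'deny ip any any'
that IOS appends to every list. Simplified grammar handled:
  access-list N permit|deny ip|tcp|udp|icmp <addr> [op P] <addr> [op P]
                [established] [icmp-type] [log]
  <addr> = any | host A.B.C.D | A.B.C.D WILDCARD     op = eq | gt | lt
"""
from dataclasses import dataclass
from ipaddress import IPv4Address

NAMED_PORTS = {"www": 80, "domain": 53, "telnet": 23, "smtp": 25, "ftp": 21}

@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False      # TCP ACK (or RST) set: what 'established' tests
    icmp_type: str = ""    # e.g. "echo"

def _take_addr(toks):
    """Pop one address spec off toks; return (network, wildcard) as ints."""
    t = toks.pop(0)
    if t == "any":
        return (0, 0xFFFFFFFF)
    if t == "host":
        return (int(IPv4Address(toks.pop(0))), 0)
    return (int(IPv4Address(t)), int(IPv4Address(toks.pop(0))))

def _take_port(toks):
    """Pop an optional 'eq|gt|lt PORT' qualifier; None means any port."""
    if toks and toks[0] in ("eq", "gt", "lt"):
        op, p = toks.pop(0), toks.pop(0)
        return (op, NAMED_PORTS.get(p) or int(p))
    return None

def parse_rule(line):
    """Return a dict describing one access-list line."""
    toks = line.split()
    if toks[0] != "access-list":
        raise ValueError("not an access-list line: " + line)
    rest = toks[4:]
    rule = {"action": toks[2], "proto": toks[3], "text": line,
            "established": False, "log": False, "icmp_type": ""}
    rule["src"], rule["sport"] = _take_addr(rest), _take_port(rest)
    rule["dst"], rule["dport"] = _take_addr(rest), _take_port(rest)
    for tok in rest:                        # trailing keywords
        if tok in ("established", "log"):
            rule[tok] = True
        else:
            rule["icmp_type"] = tok         # e.g. "echo" on an icmp rule
    return rule

def _addr_match(spec, ip):
    net, wild = spec                        # wildcard bits are "don't care"
    return (int(IPv4Address(ip)) | wild) == (net | wild)

def _port_match(spec, port):
    if spec is None:
        return True
    op, p = spec
    return {"eq": port == p, "gt": port > p, "lt": port < p}[op]

def rule_matches(r, pkt):
    return (r["proto"] in ("ip", pkt.proto)
            and _addr_match(r["src"], pkt.src) and _addr_match(r["dst"], pkt.dst)
            and _port_match(r["sport"], pkt.sport) and _port_match(r["dport"], pkt.dport)
            and (pkt.ack or not r["established"])
            and (not r["icmp_type"] or r["icmp_type"] == pkt.icmp_type))

def evaluate(acl_lines, pkt):
    """First matching line decides; otherwise the implicit deny applies."""
    for rule in map(parse_rule, acl_lines):
        if rule_matches(rule, pkt):
            return rule["action"], rule["text"]
    return "deny", "implicit deny ip any any"

# Constructed lists modeled on the talk's two examples. 204.73.73.0/24 is
# the inside network from the talk; 192.0.2.10 stands in for its x.x.x.x.
WRONG_ACL = [
    "access-list 113 deny ip 204.73.73.0 0.0.0.255 any log",
    "access-list 113 permit tcp any any established",
    "access-list 113 deny icmp any any echo",
    "access-list 113 permit tcp any host 204.73.73.4 eq domain",
    "access-list 113 permit ip any any",    # the mistake: default permit
]
CORRECT_ACL = [
    "access-list 101 permit tcp any eq www host 192.0.2.10 gt 1023 established",
    "access-list 101 permit tcp any gt 1023 host 192.0.2.10 eq www",
    "access-list 101 permit tcp any eq 443 host 192.0.2.10 gt 1023 established",
    "access-list 101 permit tcp any gt 1023 host 192.0.2.10 eq 443",
    "access-list 101 deny ip any any log",  # explicit default deny, logged
]

if __name__ == "__main__":
    telnet_syn = Packet("tcp", "198.51.100.7", "192.0.2.10", 40000, 23)
    for name, acl in (("wrong", WRONG_ACL), ("correct", CORRECT_ACL)):
        print(name, "list:", evaluate(acl, telnet_syn))
```

Running it shows an inbound telnet SYN reaching the last line of the wrong list and being permitted, while the correct list drops it on its explicit, logged deny. The same packet with the ACK bit set is permitted by the wrong list's unscoped "permit tcp any any established" line, which is why the correct list pairs each "established" line with a specific service port instead.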
Application Firewall
Pros: Does not allow direct traffic between the separated networks. Receives, stores, and forwards both inbound and outbound traffic. Has built-in logging and extensive security. Allows protocol-specific security to be implemented (e.g. allow outbound telnet but prevent inbound telnet). Excellent user authentication. Excellent logging.
Cons: Much slower. Does not support every possible type of connection.
Gauntlet (example of an application firewall): Multi-homed host. Available on NT, Solaris, HP/UX (works OK in VPC, but is slow). Can be very secure but requires a certain level of expertise. Has a fairly easy, intuitive UI.
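What "protocol-specific security" buys you is easiest to see in code. The following is an added example, not Gauntlet's code or anything from the talk: the request check an HTTP proxy runs before it relays anything. A packet filter that permits tcp/80 passes whatever bytes arrive on that port; a proxy reads the request and only forwards what parses as HTTP and what policy allows. The allowed-method set is an assumed policy for the example, and the request bytes are constructed.

```python
"""Request-line and header check of the kind an application proxy applies.

Added example, not Gauntlet's code. A packet filter that permits tcp/80
will pass any bytes sent to that port; an application proxy such as the
http-gw in the talk instead reads the request and only relays what parses
as the protocol it understands and what policy allows. ALLOWED_METHODS is
an assumed policy for this example.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}   # assumed policy: no CONNECT, no TRACE
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")

def check_request(raw: bytes):
    """Return (accept, reason) for the first request seen on a connection."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return False, "no complete header block"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return False, "not an HTTP request line"    # e.g. another protocol on port 80
    method, target = m.group(1).decode(), m.group(2).decode()
    if method not in ALLOWED_METHODS:
        return False, "method %s not permitted by policy" % method
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return False, "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if b"host" not in headers:
        return False, "missing Host header"
    if not (target.startswith("/") or target.startswith("http://")):
        return False, "request target is neither a path nor an absolute URL"
    return True, "%s %s via %s" % (method, target, headers[b"host"].decode())

if __name__ == "__main__":
    # Constructed sample connections: a normal page fetch and a non-HTTP banner.
    for sample in (b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
                   b"SSH-2.0-example\r\n\r\n"):
        print(check_request(sample))
```

Only requests that come back with accept=True would be relayed to the inside host; everything else is dropped and, in a real proxy, logged with the reason, which is the "excellent logging" the slide refers to.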
http://www.nai.com.
Gauntlet Config File
http-gw: backend /usr/local/etc/http-gw
http-gw: proxy-exec ./http-gw
http-gw: proxy-type http-gw
http-gw: bind-port 80
http-gw: timeout 7200
http-gw: userid uucp
http-gw: groupid 6
http-gw: accept-count 10
http-gw: state on
Gauntlet Management Config
500MHz G3 PowerBook, 256MB RAM, VirtualPC, NT 4.0 SP5, Gauntlet Firewall Management tool.
Other application firewall software: Netbarrier - Mac-based and fairly secure.
Webshield - via VPC, works fairly well...
Also visit
http://www.securemac.com/
Packet Filter Firewall
Pros: Easy setup. Easy configuration and maintenance via GUI. Fast throughput. Commercial support available.
Cons: False sense of security (it doesn't check the packet contents and isn't protocol-specific, so it is vulnerable to tunneling attacks). Poor licensing and license counting. Too easy to configure.
Firewall-1 (example of a packet filter firewall): Multi-homed host, very similar to a screening router, easy to configure.
http://www.checkpoint.com.
Mac-based Firewalls
Host based
Network based
300MHz G3, System 8.6, 160MB RAM, probed with Nmap and Cybercop Scanner. Do they do the job?
Pros
Easy setup, inexpensive, Mac OS, they do the job.
Cons
Logging is poor, Flexibility is poor.
Other Firewall Options
Cisco PIX, Sonicwall, Linux w/ ipfwadm or ipchains, FreeBSD/OpenBSD with ipNAT, FWTK on Linux PPC. A freeware firewall is inexpensive, open source, and highly customizable; however, it has no commercial support, it is open source, and it has a steep learning curve. One final option is a firewall managed by a third party such as Genuity (of course the necessary resources or expertise then do not reside in-house).
About Logging
Log as much as possible. Create graphs, summaries, and alerts. Produce daily and weekly reports. Save the logs. LOOK AT the logs.
What are my logs telling me? http://www.robertgraham.com/pubs/firewall-seen.html (link dead)
http://www.sans.org/y2k/FAQ.html (link dead)
Notes about Virus Protection
Don't abandon Virex. Other packages are expensive and difficult.
Mac Virus Archives:
http://www.icsa.net/
Intrusion Detection
Host-based: syslog monitoring.
Network monitoring: Etherpeek, or NFR (http://www.nfr.net/).
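The "About Logging" advice (summaries, alerts, daily reports, and actually reading them) and the host-based syslog monitoring mentioned under Intrusion Detection both come down to the same thing: turning deny-log lines into something a person looks at. The following added example, not from the talk, does that for a handful of constructed syslog lines modeled on the Cisco IOS %SEC-6-IPACCESSLOGP message that a "deny ... log" access-list line produces. All addresses, timestamps and counts are constructed sample data, and the five-port threshold for raising an alert is an assumption.

```python
"""Summaries and alerts from firewall deny logs.

Added example, not from the talk. The talk's advice is to log as much as
possible, build summaries and alerts, and actually read them; this script
does that for constructed syslog lines modeled on the Cisco IOS
%SEC-6-IPACCESSLOGP message that a 'deny ... log' access-list line emits.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log: one source walking several ports, two others
# each denied once. Addresses are documentation ranges.
SAMPLE_LOG = """\
Jun 20 10:01:02 gw 101: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40211) -> 192.0.2.10(23), 1 packet
Jun 20 10:01:03 gw 102: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40212) -> 192.0.2.10(21), 1 packet
Jun 20 10:01:03 gw 103: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40213) -> 192.0.2.10(25), 1 packet
Jun 20 10:01:04 gw 104: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40214) -> 192.0.2.10(110), 1 packet
Jun 20 10:01:04 gw 105: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40215) -> 192.0.2.10(139), 1 packet
Jun 20 10:01:04 gw 106: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40216) -> 192.0.2.10(3389), 1 packet
Jun 20 10:05:11 gw 107: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.77(1025) -> 192.0.2.10(137), 3 packets
Jun 20 10:07:30 gw 108: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.23(1030) -> 192.0.2.10(23), 1 packet
Jun 20 10:09:45 gw 109: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.5(40217) -> 192.0.2.10(80), 1 packet
"""

LINE_RE = re.compile(
    r"list (?P<acl>\S+) (?P<action>denied|permitted) (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?"
)

def parse_log(text):
    """Turn matching syslog lines into dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            e = m.groupdict()
            e["time"] = line[:15]                       # "Jun 20 10:01:02"
            e["dport"], e["count"] = int(e["dport"]), int(e["count"])
            events.append(e)
    return events

def summarize(events):
    """Denied packet counts per source and per port, and which ports each source hit."""
    by_src, by_port, ports = Counter(), Counter(), defaultdict(set)
    for e in events:
        if e["action"] != "denied":
            continue
        by_src[e["src"]] += e["count"]
        by_port[e["dport"]] += e["count"]
        ports[e["src"]].add(e["dport"])
    return {"top_sources": by_src.most_common(5),
            "top_ports": by_port.most_common(5),
            "ports_per_src": {s: sorted(p) for s, p in ports.items()}}

def probe_alerts(events, min_ports=5):
    """A source denied on many distinct ports in one log is worth a look (threshold assumed)."""
    s = summarize(events)
    return [src for src, ports in s["ports_per_src"].items() if len(ports) >= min_ports]

def report(events):
    """Plain-text daily summary of the kind the talk says to produce and read."""
    s = summarize(events)
    lines = ["denied packets by source:"]
    lines += ["  %-16s %d" % (src, n) for src, n in s["top_sources"]]
    lines.append("denied packets by destination port:")
    lines += ["  %-16s %d" % (port, n) for port, n in s["top_ports"]]
    for src in probe_alerts(events):
        hit = s["ports_per_src"][src]
        lines.append("ALERT: %s denied on %d distinct ports: %s" % (src, len(hit), hit))
    return lines

if __name__ == "__main__":
    print("\n".join(report(parse_log(SAMPLE_LOG))))
```

On a real router the input would be the syslog file the firewall or router writes to, and the script would run from cron for the daily and weekly reports; the summaries answer "what are my logs telling me?" and the alert line is what should go to a person rather than a file.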