Sometime around the end of 2001 I volunteered myself to write a script for team NHB's website, which was the Half-Life TFC clan that I competed with at the time. The web server the script would be running on was Linux based, thus the script had to be written in PHP and capable of using text files or a MySQL database to store the information. It was to be used to show the team's schedule for practices, competitions, etc. I suppose Perl was an option at the time, but even in 2001 PHP was a phenomenal programming language.
That script eventually became the Proverbs Web Calendar 1.0 and was released publicly Dec 31, 2001 on the Proverbs, LLC website; back then located at www.proverbs.biz. After a few updates, one major security flaw, and a few bug fixes over the course of several months, something I was definitely not expecting happened: the calendar became a popular download. Immensely popular.
At the time, around May of 2002, the websites touting the "most popular web event calendar" were bragging about 10,000+ downloads per year. Five months after the initial release and I was seeing 5000+ downloads a month, not to mention being inundated with questions, comments and suggestions from users of the calendar. I was particularly amazed at the number of overseas users that were writing to me for help or with suggestions.
Continue reading "Proverbs Web Calendar 2.1" »
Monday, July 27. 2009
Computer Security 101 - Part 8 - Malware
I might as well just come right out and say it upfront, during Part 2 of this series on Computer Security I lied when I spoke about the most common methods a malicious person uses to get a user's password. In this day and age of rapid information and application sharing, the number one method of gathering user passwords is through viruses and spyware. I would hazard a guess that it is also the number one method of gathering information for identity theft as well.
I am sure that some organization or another has put together specific definitions of what constitutes a virus versus a bot versus something else. For simplicity's sake I'll provide my own definitions:
Virus - any malicious program capable of automatic self replication between computer systems, either through network links or removable media. Viruses can range from harmless pranks to programs that destroy computer files.
Spyware - any computer application or portion of an application that is designed to gather personally identifiable information from a computer. This can range from gathering the information on what websites you visit to recording usernames and passwords entered into various programs or websites.
Adware - any computer application designed to automatically display advertisements on your computer or redirect your web browser to alternate (competitor's) websites from the page you intended.
Bot - any computer application designed to perform nondestructive tasks on a computer system without the user's intervention. Bots can range from small programs that download and install other programs automatically (without the user's knowledge) to programs that perform coordinated attacks on Internet websites.
Continue reading "Computer Security 101 - Part 8 - Malware" »
Friday, July 10. 2009
Computer Security 101 - Part 7 - Personal Firewall
I already covered firewalls during part 3 of my computer security series, but now that we are focusing on desktop security we once again have to review the subject. For part 3 the firewall topic was in regards to the perimeter, or network; which is usually a hardware based device. In part 7 the topic is desktop or personal firewalls.
I won't bore everyone by going into detail on firewalls again, but if you have not done so already, please read the original topic Computer Security 101 - Part 3 - Firewalls. Instead, I will be covering the importance of having a separate personal firewall on each and every desktop computer.
To most people, including many industry professionals, a personal firewall is considered overly redundant. There is a hardware based firewall keeping your network secure already, why would someone want a firewall running on their local computer? It is also an extra application running on the computer, taking up resources and slowing everything down. So why have one?
Continue reading "Computer Security 101 - Part 7 - Personal Firewall" »
Thursday, June 25. 2009
Computer Security 101 - Part 6 - User Permissions
I skipped ahead in Part 2 of my Computer Security 101 entries to cover passwords, or rather passphrases, despite it falling out of line with an outside-in approach to security. Entering into the actual desktop arena, I am going to skip ahead of a few items to cover the important field of User Permissions.
Assuming you have followed the best practices I have outlined previously in parts 1 thru 5, in order to gain access to a desktop a malicious person would need to either bypass your firewall, hack your wireless, plug a hard-line into your network or be sitting directly at a workstation. From there they would then need to begin cracking the various passphrases on your computer or network to do any major damage. While these are all possibilities, they fall in the realm of highly improbable; again, assuming you have followed the prior posted best practices. Instead the real threat comes from you: the user.
I'm not referring to malicious users, but rather the unintentional threats presented by your own daily activities, curiosity and, to a lesser extent, lack of knowledge. It is here that the greatest potential for attack on a computer system lies. It is here that most breaches in a system occur. Here be users.
Continue reading "Computer Security 101 - Part 6 - User Permissions" »
Thursday, June 11. 2009
Computer Security 101 - Parts 1 thru 5 - FAQ
Using the outside-in approach to computer security, we are now at a point to begin covering the actual computer systems. Before we get to that, I thought it prudent to put up a simple FAQ covering the common questions and/or concerns from parts 1 thru 5. Well, really 2 thru 5, seeing as part 1 was the introduction.
This FAQ mostly covers home network security and does not replace reading the actual articles in this series, or getting help from a professional if you are completely inept in the field of computers.
1. Why are passwords important?
Passwords provide a means of proving your identity to a computer system. Without having this method of identification, everyone could pretend to be anyone they wished and the world would quickly fall into chaos, until someone finally pretended to be the guy with permissions to launch nuclear missiles; at which point the world would just end. This is all very bad.
2. How do passwords help protect me?
As mentioned in item 1, passwords provide a means of identifying you as you, rather than someone pretending to be you. Secondly, passwords are used in some systems to encrypt data so that if someone were to look at a file without the password it would appear as gibberish.
3. What is a complex password?
While the exact measurement of a complex password is system specific, the general rule requires that a password contain at least eight (8) total characters. Of those eight characters at least one must be an uppercase letter, at least one must be a lowercase letter, and one must be a number or other non-alphabetical character. These are the base guidelines, and to be honest they are quite antiquated. Realistically, a password should contain at least 13 characters, with the other rules staying the same.
4. How often should I change my password?
Passwords should be changed at least once every three months, depending on what the password is for. Passwords used for more sensitive information should be changed more often than passwords used for nonsense; as an example the password to your online bank account should be changed at least once every two months, while the password for your Netflix account would not be as critical and could be changed every three months (unless you save credit card information in your Netflix account at which time it becomes more critical). Your passwords should also be changed anytime you suspect any of your accounts to have been hacked or your computer becomes infected with a virus/spyware (once the virus has been completely removed).
5. Can I write down my passwords?
Do you leave the keys to your car dangling from the door handle in the bad section of town? That was a rhetorical question. The answer is NO.
6. How do you expect me to remember all these complex passwords that change so often?
I don't. I expect you to use passphrases instead.
7. What is a passphrase?
Passphrases are sentences, phrases, exclamations or questions that are used in place of complex passwords. Passphrases are easier to make complex and are generally much easier to remember. "My6catsareallSiamese!" Often passphrases can include spaces, making them even easier to type. "My 6 cats are all Siamese!"
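The rules from items 3 and 7, turned into a checker. This is an added example and not code from the original blog: the thresholds (8 characters as the old base guideline, 13 as the realistic minimum, one uppercase, one lowercase, one digit or other non-alphabetical character) are the article's, while the function names and the keyspace estimate that shows why the longer passphrase wins are my own.

```python
"""Policy check for the password rules in FAQ items 3 and 7.

Added example, not code from the original blog. The thresholds are the
article's; the function names and the keyspace estimate are my own.
"""
from __future__ import annotations

import math
import string

BASE_MIN_LENGTH = 8          # the "antiquated" base guideline in item 3
RECOMMENDED_MIN_LENGTH = 13  # the article's realistic minimum


def check_password(candidate: str, min_length: int = RECOMMENDED_MIN_LENGTH) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it passes.

    Spaces are ordinary characters here: a passphrase such as
    "My 6 cats are all Siamese!" keeps its spaces in the length count, and
    a space also satisfies the "number or other non-alphabetical character"
    rule, as does the digit or the exclamation mark.
    """
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.isupper() for c in candidate):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in candidate):
        problems.append("no lowercase letter")
    if not any(not c.isalpha() for c in candidate):
        problems.append("no digit or other non-alphabetical character")
    return problems


def keyspace_bits(candidate: str) -> float:
    """Naive brute-force keyspace, in bits, for a password of this shape.

    An attacker who knows only which character classes are in use must try
    every string of the same length over those classes. This is why the
    article pushes length: each extra character over a 95-symbol alphabet
    adds about 6.6 bits, far more than swapping a letter for a digit does.
    """
    size = 0
    if any(c.islower() for c in candidate):
        size += len(string.ascii_lowercase)          # 26
    if any(c.isupper() for c in candidate):
        size += len(string.ascii_uppercase)          # 26
    if any(c.isdigit() for c in candidate):
        size += len(string.digits)                   # 10
    if any(not c.isalnum() for c in candidate):
        size += len(string.punctuation) + 1          # 32 symbols plus space
    return len(candidate) * math.log2(size) if size else 0.0


if __name__ == "__main__":
    # Constructed samples: the article's two passphrases and a classic
    # eight-character "complex" password that meets only the old base rule.
    for sample in ("Passw0rd", "My6catsareallSiamese!", "My 6 cats are all Siamese!"):
        verdict = check_password(sample) or "OK"
        print(f"{sample!r}: {verdict}, ~{keyspace_bits(sample):.0f} bits")
```

An eight-character password that satisfies every class rule still sits below 50 bits of naive keyspace, while the article's 21-character passphrase is near 138 bits with the same character classes; the spaced version is longer again and easier to type, which is the article's point.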
8. What is a firewall?
A firewall is a device (hardware or software based) that restricts certain types of traffic from entering or leaving a network.
9. Why do I need a firewall?
There are bad people in the world who think it is fun to screw up other people's lives. There are also people who want to steal from you. And then there are people who are just nosey and want to snoop. If these people can get to your computer they can do all sorts of bad things such as deleting all your files, stealing your bank account and credit card information, stealing incriminating files from your computer (nude photos, etc), or just using your computer to send out spam email messages. Firewalls can help keep these people from getting to your computer from the Internet.
10. Why should I restrict outbound traffic on my firewall?
There are many ways for bad people to get to your computer and firewalls do not stop all of them (i.e. malware and viruses). Once your computer is infected with a simple piece of malware it can be used to download more dangerous software from the Internet. The malware can also turn your computer into a tool for the bad guys, such as by using your computer to send out spam email messages or attack other computers. If you have ever wondered why it is so hard to catch the bad guys on the Internet, it is because they use "innocent" people's computers to do their dirty work. Restricting outgoing traffic across a firewall can help stop these things from happening.
11. What ports do I need to allow for email?
Some ISPs use alternate, or nonstandard, port numbers for their email, but for most you will need to allow outbound traffic on port 25 for SMTP and port 110 for POP3 (both are used, the first to send, the second to receive emails). You should also restrict which external Internet addresses (IP Addresses) these ports are allowed to connect with, so that you don't inadvertently allow the bad people to use your computer to send out spam emails (see question 9 above).
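Items 10 and 11 describe a default-deny outbound policy with mail allowed only to the ISP's servers. The following is an added example, not code from the original blog, that models such a rule set and walks constructed connection attempts through it; the addresses are placeholders from the RFC 5737 documentation ranges, and the rule and evaluation functions are my own rather than any firewall product's API.

```python
"""Outbound firewall policy walk-through for FAQ items 10 and 11.

Added example, not code from the original blog. The addresses are
placeholders (RFC 5737 documentation ranges) and the functions are my own.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional

# Placeholder addresses standing in for the ISP's mail and DNS servers.
ISP_MAIL_SERVER = "192.0.2.25/32"
ISP_RESOLVER = "192.0.2.53/32"


@dataclass(frozen=True)
class Rule:
    proto: str               # "tcp" or "udp"
    dst_net: str             # CIDR the destination must fall in; 0.0.0.0/0 = any
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"
    comment: str = ""


# First match wins; anything that matches nothing is denied (see evaluate()).
OUTBOUND_RULES = [
    Rule("tcp", ISP_MAIL_SERVER, 25, "allow", "SMTP, but only to the ISP relay (item 11)"),
    Rule("tcp", ISP_MAIL_SERVER, 110, "allow", "POP3, but only to the ISP server (item 11)"),
    Rule("udp", ISP_RESOLVER, 53, "allow", "DNS to the ISP resolver"),
    Rule("tcp", "0.0.0.0/0", 80, "allow", "web browsing"),
    Rule("tcp", "0.0.0.0/0", 443, "allow", "web browsing over TLS"),
]


def evaluate(proto: str, dst_ip: str, dst_port: int,
             rules: list[Rule] = OUTBOUND_RULES) -> tuple[str, str]:
    """Return (action, reason) for one outbound connection attempt."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if rule.proto != proto:
            continue
        if ip not in ipaddress.ip_network(rule.dst_net):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action, rule.comment
    return "deny", "default deny: outbound traffic not explicitly allowed (item 10)"


# Constructed connection attempts, as a host-based log might record them.
CONSTRUCTED_ATTEMPTS = [
    ("mail client sending via ISP relay", "tcp", "192.0.2.25", 25),
    ("mail client fetching POP3", "tcp", "192.0.2.25", 110),
    ("browser to some web site", "tcp", "198.51.100.7", 443),
    ("malware sending spam direct to a victim's mail server", "tcp", "203.0.113.9", 25),
    ("malware fetching a second-stage download on an odd port", "tcp", "203.0.113.9", 8081),
    ("DNS lookup via a non-ISP resolver", "udp", "203.0.113.53", 53),
]


def audit(attempts=CONSTRUCTED_ATTEMPTS) -> dict[str, str]:
    """Map each attempt's description to the decision the policy makes."""
    return {desc: evaluate(proto, ip, port)[0] for desc, proto, ip, port in attempts}


if __name__ == "__main__":
    for desc, proto, ip, port in CONSTRUCTED_ATTEMPTS:
        action, reason = evaluate(proto, ip, port)
        print(f"{action.upper():5} {proto} {ip}:{port:<5} {desc} ({reason})")
```

The legitimate mail traffic passes because it goes to the ISP's servers; the same port 25 to any other address is dropped, so an infected machine cannot relay spam straight to the world and its attempts show up as denied connections worth looking at.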
12. My wireless router came with WEP enabled, isn't this secure?
No. WEP is not secure. WEP is akin to locking the screen door on your house and thinking no one can break in.
13. What security option should I use on my wireless router?
WPA2 (Wi-Fi Protected Access 2) with AES (Advanced Encryption Standard) is currently the most secure wireless option. If you have a very old wireless device that does not support WPA2, your next best option is WPA, although you should check with the manufacturer for firmware updates to bring it up to WPA2; failing that, you should replace your wireless device.
14. What is the SSID?
Service Set Identifier. The SSID is a nice friendly name used to identify a wireless network. This allows you to connect to "MrMoms Network" instead of some long convoluted string of hexadecimal characters.
15. Why should I turn off SSID broadcasting?
In order to connect to a wireless network, you have to know the SSID. When the SSID is broadcast, everyone in range is told what it is. By disabling SSID broadcasting you have added an additional level of protection to your wireless network and helped to prevent nosey people from "just browsing" through your network.
16. My son/daughter/niece/nephew/neighbor's kid said I don't need to do X.
Not really a question, but if X is something I said to do above or in one of the related articles: your son, daughter, niece, nephew or neighbor's kid is an idiot. If they happen to be a CISSP and have a better alternative solution to put into place, then by all means listen to them. Otherwise, I stand by my calling that precious little bundle of joy an idiot and adamantly state that you should not listen to them.
Wednesday, May 6. 2009
Computer Security 101 - Part 5 - Wireless
Odds are in favor of there being a wireless network in your home or at your work. Actually, odds are in favor of there being a wireless network located at both your home and work. Even if you are one of the oddball people who do not have a wireless network setup, there is probably one broadcasting into your home or office from nearby. Wireless networks are almost everywhere and the numbers are continuing to multiply fast. Exponentially even.
In the dark ages of wireless (about a year and a half ago) there was about an 80% chance that any given wireless network was completely unsecured. Now I would gauge it at around 70% of wireless networks having inadequate security and 40% remain completely unsecured. Yes, I pulled those numbers out of my proverbial ass; but if I count the number of wireless networks that I come into contact with daily (that are outside of my control), those numbers are just about dead on.
While 40% down from 80% shows that there has been a drastic improvement in wireless security awareness over the past couple years, it is still enough to keep a person up at night. As with all things security related, I blame a lack of knowledge and lack of caring as the reasons those numbers are not down to under 10%. So let's start with the reasons for not only securing your wireless network, but ensuring it is secured properly.
First things first. Shut down all wireless access points and routers that are absolutely not needed. Move onto the next step if you are doing all this for your home or a small office (two paragraphs down); otherwise grab yourself a laptop with a wireless card and start walking your perimeter. You will want a wireless card that supports at least 802.11 b and 802.11 g network standards; 802.11 n is currently an added bonus, but is increasingly becoming a requirement. As you walk around refresh the available wireless network screen and see what you see. Write down each and every wireless network you find and the locations you find it in. Write down the SSID if it is available. Write down the security level (WPA2-AES, WPA-TKIP, etc) that each wireless network lists as being used. Connect to unsecured wireless networks and see if it is part of your network or perhaps something from the Starbucks next door. There are free tools available on the Internet to help in all this (mostly for Linux, but still plenty for Windows), just don't spend any money.
Now that you have identified all the Rogue airwaves (not necessarily Rogue Networks) in your company space, see what you can identify. Use a little common sense in this practice. If a wireless network is strongest in the eastern region of your building, talk to the departments in that area. If there are other companies in the Eastern region, see if they are running wireless. Pretty simple stuff. Once you identify all that you can identify, the rest is considered a Rogue Network and needs to be found. Again, there are freely available software applications and instructions elsewhere on the Internet (like making a focused antenna with a Pringles can). Find these Rogue Networks (assuming they are actually on your company’s network) and eliminate them.
Assuming you need a wireless network to not be shutoff, the next thing to do is setup an actual secured wireless network. The best possible combination of security layers available is to segment the wireless network (at work, probably not home), use WPA2-AES protocols, disable SSID broadcast, and use strong passphrases (complex and 16 characters or longer). A company that has a RADIUS server should make use of Enterprise mode WPA2. Discuss with whoever handles your RADIUS server as to which EAP types are available. Everyone else has to use EAP-PSK, or Personal mode; again with a strong passphrase. MAC Address filtering provides very little added benefit at this point, so ignore it. It would be like putting an umbrella over a submarine to protect against the rain.
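The combination above (WPA2 with AES, SSID broadcast off, a passphrase of 16 characters or more, Enterprise mode where a RADIUS server exists) can be checked mechanically against an access point's configuration. The code below is an added example, not part of the original post: the key names follow hostapd's configuration file conventions (wpa, wpa_key_mgmt, rsn_pairwise, ignore_broadcast_ssid, wpa_passphrase, wep_key0, auth_server_addr), the two configs are constructed samples, and the audit function is my own.

```python
"""Checklist audit of a wireless access point config against Part 5's advice.

Added example, not code from the original blog. Key names follow hostapd's
conventions; the two configs are constructed and the audit is my own.
"""
from __future__ import annotations

RECOMMENDED_PASSPHRASE_LENGTH = 16  # "complex and 16 characters or longer"

# Constructed: a router left on an out-of-the-box WEP setting.
WEAK_CONFIG = """\
interface=wlan0
ssid=MrMoms Network
hw_mode=g
channel=6
wep_default_key=0
wep_key0=0102030405
"""

# Constructed: the Part 5 recommendation for a home (Personal mode) network.
HARDENED_CONFIG = """\
interface=wlan0
ssid=MrMoms Network
hw_mode=g
channel=6
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=My 6 cats are all Siamese!
"""


def parse_kv(text: str) -> dict[str, str]:
    """Parse key=value lines, skipping blanks and # comments; last key wins."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def audit_wireless(cfg: dict[str, str]) -> list[str]:
    """Return the checklist items the config fails (empty list = passes)."""
    findings = []
    if "wep_default_key" in cfg or any(k.startswith("wep_key") for k in cfg):
        findings.append("WEP keys configured; WEP is not secure")
    if cfg.get("wpa") != "2":
        findings.append("WPA2 not enforced (wpa must be 2)")
    pairwise = set(cfg.get("rsn_pairwise", "").split()) | set(cfg.get("wpa_pairwise", "").split())
    if "CCMP" not in pairwise:
        findings.append("AES (CCMP) not selected as the pairwise cipher")
    if "TKIP" in pairwise:
        findings.append("TKIP still permitted alongside AES; remove it")
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("SSID broadcast is enabled")
    key_mgmt = cfg.get("wpa_key_mgmt", "WPA-PSK").split()
    if "WPA-EAP" in key_mgmt:
        # Enterprise mode: credentials live on the RADIUS server, not here.
        if "auth_server_addr" not in cfg:
            findings.append("WPA-EAP selected but no RADIUS server (auth_server_addr) set")
    else:
        passphrase = cfg.get("wpa_passphrase", "")
        if len(passphrase) < RECOMMENDED_PASSPHRASE_LENGTH:
            findings.append(
                f"passphrase is {len(passphrase)} characters; use {RECOMMENDED_PASSPHRASE_LENGTH} or more"
            )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wireless(parse_kv(text)) or "passes all checks")
```

The WEP sample fails every item; the hardened sample passes. Disabling the SSID broadcast keeps the name out of beacon frames, but joining clients still send it when they associate, so it counts as the small extra layer the article describes rather than a substitute for WPA2 and a long passphrase.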
There. Done. That is currently the best configuration available for an active wireless network setup. The problem is each device (laptop, PDA, tablet, etc) that is going to connect to the wireless network must be setup now. This is generally not a big deal as it requires each device to only be setup once (set-and-forget). The real problem comes from C-level executives who believe they are tech-savvy and, worse still, salespeople (regardless of their tech level).
Both of these groups of people generally have no idea why they need an IT department to begin with. All those damn geeks do is make things more complicated than it needs to be. They do not want to call IT when their 4 year old is using mommy's laptop in the office and needs wireless access, or when a salesperson has a client in who needs to check their email. This is where wireless becomes unsecure once again. Ideally there is a strong CIO (CSO would be even better) who will insist that policy is policy and the wireless has to remain secure. Even without that CIO you still have a few things you can do to keep your network secure.
The first thing to do in the above scenario is to pick a good location for the "open" wireless. Conference rooms near the center of a building between floors two and five are excellent choices (first floor gets the most non-work traffic. Too high up in a building and, because of signal bounce, you can become a radio station broadcasting to the world). Picking locations like this for open wireless access points will reduce the likelihood of outside persons gaining access to your wireless network. Some wireless routers and access points offer further assistance here by allowing the signal broadcast strength to be reduced, thus decreasing the distance available to connect to the wireless network. Almost every sales person or C-level exec will be satisfied with someone telling them "There is wireless available in the third floor conference room," as opposed to not at all.
The next step is to segment the open wireless network from the rest of the network. As much as is possible that is. A little guided research is required to discover what the use of the wireless network will be. Leading questions are great here such as, "I can setup the third floor conference room for wireless Internet access. Will that work for your sales team?" The answer will be "yes" and you can segment that wireless network from everything but Internet access.
The last step is to turn off the wireless. A good majority of commercially available wireless routers have some sort of scheduling built-in. This can range from allowing wireless access during certain times on certain days, to perhaps blocking certain Internet protocols (block any any) during certain times of the day. These functions can be used to restrict the wireless access to business hours only, which increases the wireless security level slightly (only the truly bold are going to connect illegally to a wireless network when the IT staff is there and alert).
Under normal circumstances the obvious choice is to put into place the most secure wireless settings possible. Failing that, virtually every business scenario for not having restricted wireless access can be mitigated by combining the various methods of securing a wireless network listed above. A little thought process combined with a few leading questions and you can once again sleep soundly at night.
1) Illegal Activities - In today's world where everything can be tracked and traced in some manner or another, it just makes sense to not use your own Internet connection if you are going to perform some sort of illegal activity. Hackers know this. Pedophiles know this. My former IT Director who tried to bring down the company network after he was fired knew this. Instead of using their own Internet connections to perform these illegal activities, they connect to one of the many unsecured wireless networks and let their activities get traced back to some unsuspecting dupe (that would be you). Of course they would have to be smart enough to change their computer name and MAC address to not get caught, but that is another story.
2) All Your Base Are - Continuing the thoughts from reason #1 above into why adequate security is necessary; if someone is going to attempt to break into a network illegally using the Internet and they are smart enough to use someone else's Internet connection to do so, I am willing to bet the farm that they are smart enough to hack a WEP secured wireless network. Although saying "WEP" and "secured" really is an oxymoron.
3) Easy Network Access - The easiest method to gain unauthorized access to a company network is through social engineering. The second easiest method, and easiest method for a home network, is through unsecured wireless. Why not just start asking people driving past if they would like to come inside and use your computer?
4) Internet Bandwidth - The speed you access the Internet is not unlimited, despite how much faster your cable modem is versus your previous AOL dialup. The more traffic running across that connection, the slower your web surfing is going to be. There are also plenty of Internet service providers who are looking at changing their billing model to include over-bandwidth pricing; meaning if you use more than what they consider your fair share of the Internet, you pay more. Now why would I want to jack up my Internet bill downloading all those adult movies when I can just attach to your wireless and make you pay the bill?
The list goes on, but these are some of the bigger reasons for properly securing your wireless network. The really nice thing is that securing a wireless network is about the easiest thing you can do. The bad thing is all the oddball circumstances that crop up in the course of normal business that have kept many companies from securing their wireless access. Being a heck of a nice guy I will cover both sides: the straight forward secured wireless network and securing a wireless network under oddball requirements. But first up, let's take a look at the various methods available to secure a wireless network.
Wireless security is constantly changing and improving, as well as having previous methods become weakened or obsolete. A few years ago you would probably have been told an eight (8) character password was sufficient to protect against a brute force attack, two years ago it would have been 13 characters, now I personally recommend 16 character complex passphrases (thanks in part to GPU offloading). There are also newer features put forward by the Wi-Fi Alliance that will automatically configure wireless security between devices using various methods. All that being said, let's actually cover the concrete security methods that should be put in place.
Turn Wireless Off - I would like to say I am surprised at the number of people and companies who have a wireless network and do not even know it. Rogue Wireless Networks. I am not really surprised because I know the sheer number of devices that arrive from the manufacturer with wireless turned on. Purchase a new router for your home network? Probably has wireless built in and turned on. Have a DSL Internet connection? The new DSL modems have built in firewalls, switches AND wireless; and wireless is turned on by default. Basically, turn off wireless on each device you have if it is not needed. If you are not positive beyond any reasonable doubt that it is needed, turn it off. Something will either stop working or someone will complain if it really was needed.
Segment Wireless Networks - Hopefully you have read my previous entry entitled Computer Security 101 - Part 4 - LAN. If you haven't, go read it now. Very few businesses use wireless networks for daily operations. Very few homes do for that matter. Wireless is either accidentally left on or is put into place to meet some need or another. Usually that need is Internet access for someone with a laptop who has enough pull to make your life miserable. The beauty here is that they do not need access to your entire network, just a small section of it. Through network segmentation (you did read the article I just listed, right?) you can limit the access that particular wireless network has to your overall network and effectively mitigate many security threats in doing so.
Disable SSID Broadcast - According to some silly 802.11 standard or another, wireless devices send out a broadcast beacon. Part of this broadcast beacon is the SSID (also the channel number, but if you see the broadcast you already know the channel number because, well, you see the broadcast. See how silly 802.11 standards can be?). In order to connect to that wireless device, you need to know the SSID. If you turn off the broadcasting of that SSID you require anyone who wants to connect to your wireless network to already know the SSID. Ingenious, right? Of course you also need to set the SSID to something not easily guessed, but we'll get to that in a minute.
MAC Address Filtering - A MAC (Media Access Control) address is a hardcoded 12 character hexadecimal code set into all Ethernet devices by the manufacturer that is required to be unique for each device (another one of those IEEE standards). Most wireless devices have the ability to limit which MAC addresses are allowed to talk to it. If a device connects with a MAC address not on the list, it ignores the device. Pretty simple. Except MAC addresses are easy to spoof (pretend to be). MAC Address Filtering is a pain to set up because it needs to be maintained and is lacking on its own. In combination with other methods of wireless security it will help to protect your network, but it is still an administrative nightmare to maintain for a business and rarely worth the extra protection provided.
WEP Security - Wired Equivalent Privacy. Useless security option. Really. Most of the new DSL modems I have seen recently have WEP turned on by default (along with wireless) so the company can pretend to have cared about your network security and not get sued. Of course any computer security person would shred that argument in court, so they are depending on people's ignorance to save them from a lawsuit when someone hacks the wireless network they left on by default. WEP is useless.
WPA and WPA2 - Wi-Fi Protected Access. Another set of those 802.11 standards. WPA is the old standard that made use of TKIP (Temporal Key Integrity Protocol); and was designed to replace WEP without much fuss. Unfortunately, people were able to crack the WPA-TKIP standard in 2008. Luckily, the Wi-Fi Alliance people adopted a new 802.11 standard in 2006 that became known as WPA2-AES (Advanced Encryption Standard). The difference between the two standards really is in the encryption algorithms used. Basically, use WPA2.
Pre-Shared Key (PSK) or Personal Mode - Pre-Shared Keys were introduced with WEP and carried forward into WPA and WPA2. It is a passphrase set on any wireless access point that is used to partially encrypt the data sent wirelessly. I say partially, because the encryption actually changes once the connection is established. You can read up on the entire 802.11 IEEE standards if you really care about useless information, or just want to hit that home run during your next technical interview. Anyway, all wireless devices are supposed to support PSK and it is more than adequate for personal home networks (hence the Personal Mode pseudonym) and even most businesses; assuming the passphrase is sufficiently complex (getting to that in just another moment).
RADIUS Server or Enterprise Mode - Sometimes mistakenly called EAP or Extensible Authentication Protocol (PSK above is a flavor of EAP, hence the mistakenly part). Enterprise mode uses a RADIUS server like Microsoft IAS or Cisco ACS to provide the authentication methods for wireless connections. A pre-shared key still exists between the RADIUS server and the wireless device, but it expires after a preset period of time and is changed out automatically. This is the mode to use for any business with a RADIUS server.
Strong Passphrases - Every wireless device has at least three passphrases that can be set. The first is the one used to access the wireless device in order to make configuration changes. The second is the SSID. The third is the Pre-Shared Key (may not be used though). Treat each of these as a secure passphrase. Each of these passphrases should be unique from one another. Each of these passphrases should be exactly that, a passphrase instead of a password. Each of these passphrases should be complex in nature, meaning include at least one upper case letter, one lower case letter and one number or symbol. Each of these passphrases should be at least 16 characters long. Do not use your name or your company's name for any of these passphrases. Read my entry entitled Computer Security 101 - Part 2 - Passwords if you have not done so already.
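The passphrase policy above (three distinct passphrases per device, 16+ characters, mixed case plus a number or symbol, no personal or company names) as a small checker. This is an added example, not code from the original post; the sample passphrases and the forbidden word list are constructed placeholders.

```python
import re

# Policy from the post: the admin login, the SSID and the pre-shared key of a
# wireless device are three separate passphrases, each at least 16 characters,
# with upper and lower case plus a number or symbol, all different from one
# another, and none containing the owner's or company's name.
MIN_LENGTH = 16


def passphrase_problems(label, passphrase, forbidden_words):
    """Return a list of policy violations for one passphrase (empty = OK)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"{label}: only {len(passphrase)} characters, need {MIN_LENGTH}")
    if not re.search(r"[A-Z]", passphrase):
        problems.append(f"{label}: no upper case letter")
    if not re.search(r"[a-z]", passphrase):
        problems.append(f"{label}: no lower case letter")
    if not re.search(r"[0-9]|[^A-Za-z0-9]", passphrase):
        problems.append(f"{label}: no number or symbol")
    lowered = passphrase.lower()
    for word in forbidden_words:
        # Case-insensitive substring check: "AcmeCorpWireless1" still contains "acme".
        if word.lower() in lowered:
            problems.append(f"{label}: contains forbidden word {word!r}")
    return problems


def check_device_passphrases(admin_password, ssid, psk, forbidden_words=()):
    """Check all three passphrases of one wireless device against the policy.

    Returns a list of human-readable problems; an empty list means the device
    passes. `forbidden_words` is the list of names that must not appear
    (your name, the company name, and so on).
    """
    entries = {"admin": admin_password, "ssid": ssid, "psk": psk}
    problems = []
    for label, value in entries.items():
        problems.extend(passphrase_problems(label, value, forbidden_words))
    # The three passphrases must be unique from one another.
    if len(set(entries.values())) < len(entries):
        problems.append("passphrases are not unique from one another")
    return problems


if __name__ == "__main__":
    # Constructed sample: a factory-default style device versus a compliant one.
    for problem in check_device_passphrases("linksys", "linksys", "AcmeCorpWireless1", ["Acme"]):
        print("FAIL", problem)
    if not check_device_passphrases("Correct-Horse-Battery-7", "Blue.Heron.Nesting.42",
                                    "Copper-Kettle-Whistles-9", ["Acme"]):
        print("OK   compliant device passes")
```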
First things first. Shut down all wireless access points and routers that are absolutely not needed. Move on to the next step if you are doing all this for your home or a small office (two paragraphs down); otherwise grab yourself a laptop with a wireless card and start walking your perimeter. You will want a wireless card that supports at least the 802.11b and 802.11g network standards; 802.11n is currently an added bonus, but is increasingly becoming a requirement. As you walk around, refresh the available wireless network screen and see what you see. Write down each and every wireless network you find and the locations you find it in. Write down the SSID if it is available. Write down the security level (WPA2-AES, WPA-TKIP, etc.) that each wireless network lists as being used. Connect to unsecured wireless networks and see if each is part of your network or perhaps something from the Starbucks next door. There are free tools available on the Internet to help in all this (mostly for Linux, but still plenty for Windows), just don't spend any money.
Now that you have identified all the Rogue airwaves (not necessarily Rogue Networks) in your company space, see what you can identify. Use a little common sense in this practice. If a wireless network is strongest in the eastern region of your building, talk to the departments in that area. If there are other companies in the Eastern region, see if they are running wireless. Pretty simple stuff. Once you identify all that you can identify, the rest is considered a Rogue Network and needs to be found. Again, there are freely available software applications and instructions elsewhere on the Internet (like making a focused antenna with a Pringles can). Find these Rogue Networks (assuming they are actually on your company’s network) and eliminate them.
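The walk-around survey from the last two paragraphs, reduced to the bookkeeping: for every network seen, keep the location where it was strongest, its security level, and whether it is one of ours. This is an added example rather than code from the post; the observations and the approved BSSID list are constructed sample data, and the security labels match the ones the post uses (WPA2-AES, WPA-TKIP, WEP, open).

```python
# Only WPA2-AES is acceptable per the post; WPA-TKIP, WEP and open are not.
ACCEPTABLE = {"WPA2-AES"}


def classify(record, approved_bssids):
    """One observed network: 'approved', 'approved-but-weak', or 'unknown'.

    An unknown BSSID is a rogue candidate until someone identifies it; an
    approved one running anything other than WPA2-AES needs reconfiguring.
    """
    if record["bssid"].lower() in approved_bssids:
        return "approved" if record["security"] in ACCEPTABLE else "approved-but-weak"
    return "unknown"


def survey_report(observations, approved_bssids):
    """Collapse repeated sightings of each BSSID into one entry that records the
    strongest signal seen (and where), the security level, and the status."""
    approved = {b.lower() for b in approved_bssids}
    best = {}
    for obs in observations:
        key = obs["bssid"].lower()
        current = best.get(key)
        if current is None or obs["signal_dbm"] > current["signal_dbm"]:
            best[key] = dict(obs)
    report = {}
    for key, obs in best.items():
        report[key] = {
            "ssid": obs["ssid"] or "<hidden>",   # empty SSID = broadcast disabled
            "security": obs["security"],
            "strongest_at": obs["location"],
            "status": classify(obs, approved),
        }
    return report


def action_items(report):
    """Follow-up list: unknown networks to go find (starting where the signal
    was strongest) and approved networks to move to WPA2-AES."""
    items = []
    for bssid, entry in sorted(report.items()):
        if entry["status"] == "unknown":
            items.append(f"{bssid} ({entry['ssid']}, {entry['security']}): identify; "
                         f"strongest near {entry['strongest_at']}")
        elif entry["status"] == "approved-but-weak":
            items.append(f"{bssid} ({entry['ssid']}): move from {entry['security']} to WPA2-AES")
    return items


# Constructed sample observations from a notional walk-around (not real scan data).
SAMPLE_OBSERVATIONS = [
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:01", "security": "WPA2-AES",
     "signal_dbm": -45, "location": "3rd floor conf room"},
    {"ssid": "corp-wifi", "bssid": "00:11:22:33:44:01", "security": "WPA2-AES",
     "signal_dbm": -70, "location": "east lobby"},
    {"ssid": "dsl-modem", "bssid": "00:11:22:33:44:02", "security": "WEP",
     "signal_dbm": -60, "location": "accounting, east wing"},
    {"ssid": "", "bssid": "00:11:22:33:44:03", "security": "OPEN",
     "signal_dbm": -80, "location": "east lobby"},
    {"ssid": "coffee-shop", "bssid": "00:11:22:33:44:04", "security": "OPEN",
     "signal_dbm": -85, "location": "south entrance"},
]
# BSSIDs the IT department knows it owns (constructed placeholders).
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}


if __name__ == "__main__":
    for item in action_items(survey_report(SAMPLE_OBSERVATIONS, APPROVED_BSSIDS)):
        print(item)
```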
Assuming you need a wireless network that cannot be shut off, the next thing to do is set up an actual secured wireless network. The best possible combination of security layers available is to segment the wireless network (at work, probably not home), use WPA2-AES protocols, disable SSID broadcast, and use strong passphrases (complex and 16 characters or longer). A company that has a RADIUS server should make use of Enterprise mode WPA2. Discuss with whoever handles your RADIUS server as to which EAP types are available. Everyone else has to use EAP-PSK, or Personal mode; again with a strong passphrase. MAC Address filtering provides very little added benefit at this point, so ignore it. It would be like putting an umbrella over a submarine to protect against the rain.
There. Done. That is currently the best configuration available for an active wireless network setup. The problem is each device (laptop, PDA, tablet, etc.) that is going to connect to the wireless network must be set up now. This is generally not a big deal as it requires each device to only be set up once (set-and-forget). The real problem comes from C-level executives who believe they are tech-savvy and, worse still, salespeople (regardless of their tech level).
Both of these groups of people generally have no idea why they need an IT department to begin with. All those damn geeks do is make things more complicated than they need to be. They do not want to call IT when their 4 year old is using mommy's laptop in the office and needs wireless access, or when a salesperson has a client in who needs to check their email. This is where wireless becomes insecure once again. Ideally there is a strong CIO (CSO would be even better) who will insist that policy is policy and the wireless has to remain secure. Even without that CIO you still have a few things you can do to keep your network secure.
The first thing to do in the above scenario is to pick a good location for the "open" wireless. Conference rooms near the center of a building between floors two and five are excellent choices (first floor gets the most non-work traffic. Too high up in a building and, because of signal bounce, you can become a radio station broadcasting to the world). Picking locations like this for open wireless access points will reduce the likelihood of outside persons gaining access to your wireless network. Some wireless routers and access points offer further assistance here by allowing the signal broadcast strength to be reduced, thus decreasing the distance available to connect to the wireless network. Almost every sales person or C-level exec will be satisfied with someone telling them "There is wireless available in the third floor conference room," as opposed to not at all.
The next step is to segment the open wireless network from the rest of the network. As much as is possible, that is. A little guided research is required to discover what the use of the wireless network will be. Leading questions are great here, such as, "I can set up the third floor conference room for wireless Internet access. Will that work for your sales team?" The answer will be "yes" and you can segment that wireless network from everything but Internet access.
The last step is to turn off the wireless. A good majority of commercially available wireless routers have some sort of scheduling built-in. This can range from allowing wireless access during certain times on certain days, to perhaps blocking certain Internet protocols (block any any) during certain times of the day. These functions can be used to restrict the wireless access to business hours only, which increases the wireless security level slightly (only the truly bold are going to connect illegally to a wireless network when the IT staff is there and alert).
Under normal circumstances the obvious choice is to put into place the most secure wireless settings possible. Failing that, virtually every business scenario for not having restricted wireless access can be mitigated by combining the various methods of securing a wireless network listed above. A little thought process combined with a few leading questions and you can once again sleep soundly at night.
Wednesday, April 15. 2009
Computer Security 101 - Part 4 - LAN
Continuing the outside-in approach to security, once you make it past all the routers, firewalls and Demilitarized Zones (DMZ) you eventually come upon the local area network, or LAN for short. Stop! Hold it! Router? DMZ? Why didn't this stuff get covered? How can we possibly move on when I just mentioned two things that were not covered on the way in from the Internet?
The short answer is that they were covered, just not spoken about directly. As I mentioned during Part 3, a firewall is a specialized router. If you are using a router as part of your security approach, you are using it as a firewall. As to the whole DMZ thing, well that is just the area of a network that lies between the Internet and your local network. This is usually the "optional" network port off of a firewall or, ideally, the space between an external firewall and an internal firewall. There. Happy now?
For the majority of computer networks out there, your entire network is your LAN. A good chunk of companies have wide area networks (WAN) of one flavor or another, but with technology the way it is these days, the wide part has gotten really thin. Without a geographic map for a guide, it has become increasingly more difficult to tell the difference between a local resource and a remote resource. In effect, a WAN should be treated as just another segment of your LAN.
You might have noticed that the word segment was a link up there. That's because segment is an important word when it comes to LAN security and I wanted to make sure everyone knew what it meant. The first definition listed will do. A segment is just a section or part of the whole. Nothing overly technical about that. It is important because segments are what help secure a LAN.
In order to understand this, we need to delve into a little technical mumbo-jumbo. All networks have some sort of addressing scheme, Internet Protocol (IP) addressing is the most common (FYI, there is NO SUCH THING as TCP/IP addressing, there is only IP addressing), so we will use IP addressing for this example. Every device on a network has some sort of address attached to it, again, usually an IP address. In order to talk to a device from your computer you need to have that device's IP address. With me so far?
There are three main ways to get a device's IP address. The most common method is through domain name service resolution (DNS). DNS is the IP address resolution method of the Internet and most networks. It basically works like calling telephone directory information to get a phone number. Your computer knows to dial 411 when it needs an address; the DNS server is the operator that answers 411 and tells your computer what the IP address is for a given device.
A second, older method of getting an IP address for a device is through WINS resolution. WINS has been made obsolete by DNS, but there are some networks out there that continue to use it for one reason or another. WINS works in the same way as the DNS-operator analogy above.
The last method of your computer finding an IP address (that it does not know already) is to send out a broadcast. Most network communications are unicast, meaning one device to one device. Basically like a normal phone call. Broadcast is a scream out to an entire network segment, meaning one device to every device. It is comparable to a mom in the grocery store whose 4 year old has wandered off to the cereal aisle. Everyone knows little Timmy is missing.
Broadcasts might be good to find little Timmy in a grocery store, but on a network they tend to be bad. When mom screams out "Timmy" in that oh-so-shrill voice of hers, EVERYONE stops what they are doing and looks up. Broadcasts on a network are the same way, every device has to take the moment to recognize the broadcast and either ignore it, or respond. The primary security problem is in that response, notice I did say primary though.
We'll use another example to see exactly what the problem with that response is. In this example Timmy is a little mentally slow (all the screams from his mom melted his brain), but he is carrying a knapsack with $1,000,000.00 in it (Timmy is very strong). Timmy is someplace in a clothing store; in order to get that cool million bucks you just need to find Timmy. Clothing stores are generally wide open areas, with little to block sound, so when you yell out, "Timmy," he is going to respond back with a nice loud, "Here!" As I said, he is a little mentally slow, so he'll respond to anyone saying his name. One million dollars in the bank later and you are a happy camper.
Now what if Timmy was someplace in a multi-floor, multi-company office building? Walk through the front door, yell out for the kid, and you are not getting anywhere. Oh, you might get really lucky and find him standing there in the lobby, one finger in his nose, the other scratching who-knows-what; but given the number of floors, companies and rooms, the odds are against you. Makes it a lot more difficult to find that million dollar prize. Also, the more you wander the building yelling out for Timmy, the more likely someone is going to take notice and have you escorted away by security.
Relating Timmy's story back to your network, if your LAN is one big happy segment (the clothing store) with all the devices on that same segment and a hacker gets onto your LAN, it makes his life really easy to find the million dollars by using broadcast shout outs. If you divide your network up into multiple segments (the office building), you just made the hacker's job a lot more difficult. Just like with the office building, the more the hacker has to wander your network to find something, the better a chance of getting caught or, at the very least, leaving a nice trail of breadcrumbs back to them.
The second security problem with broadcasts is that everyone looks up to see mom screaming before ignoring her again. It is only an instant of time, but imagine if the grocery store was full of 1000 screeching mothers looking for Timmy. Not much shopping is going to get done in that grocery store. That is the equivalent of a broadcast attack on a LAN. Not very common, but it has happened and will bring a network to a screeching (pun intended) halt. Segmentation helps with this as well.
The better you can isolate sections of your network from one another, the more secure your LAN becomes. This is done by using subnets, which is the IP address way of breaking up a network into segments. You can think of a subnet as a telephone area code, limiting which numbers are available before you have to change to another area code. In order to do this, and make it count, you will have to use switches instead of hubs (if you are not already). You will also need to ensure your switches are not set to forward broadcast packets (usually the default setting), but are set to relay DHCP requests to a DHCP server (as needed).
Subnets can be either physically broken up networks or more practical Virtual LANs (VLAN). In the physical world, you would decide that everything attached to Switch-A belongs to Subnet-A, Switch-B to Subnet-B, etc; and then place some type of routing device between each. That can mean a lot of pieces of physical hardware. Explaining VLANs fully is a bit beyond the scope here, but using VLANs (which most modern switches support) you divide up each switch into multiple subnets based on different criteria; usually the jack number on the switch (for untagged) or with tagging. As a result of not needing tons of extra hardware, VLANs are a much more practical approach to segmentation.
Through proper network segmenting you can not only provide for a more secure LAN, but also speed up network traffic across your network. If you know accounting uses only one server and little else, you can move that server directly to the accounting subnet. You can also control what information is passed by a DHCP server to each subnet; allowing you to set everything from which DNS server a given subnet uses, to stopping Internet traffic for one particular subnet. Combine that with the above broadcast scenarios and segmentation becomes a very good thing for increasing your LAN security.
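The clothing store versus office building argument above, worked through on addresses: a broadcast is flooded only within the sender's subnet, so the number of hosts a compromised machine can reach with broadcast "shout outs" is exactly the size of its subnet. This is an added example, not code from the post; the host list and the two subnet layouts (one flat /16 versus one /24 per department plus a wireless segment) are constructed.

```python
import ipaddress

# Constructed sample network (placeholder addresses): the same eight hosts,
# once on a single flat segment and once split into per-department subnets.
HOSTS = {
    "acct-pc1":     "10.0.1.10",
    "acct-pc2":     "10.0.1.11",
    "acct-server":  "10.0.1.50",
    "sales-pc1":    "10.0.2.10",
    "sales-pc2":    "10.0.2.11",
    "file-server":  "10.0.3.10",
    "dns-server":   "10.0.3.53",
    "guest-laptop": "10.0.4.20",
}
FLAT_NETWORK = ["10.0.0.0/16"]                       # the clothing store
SEGMENTED_NETWORK = ["10.0.1.0/24", "10.0.2.0/24",   # the office building
                     "10.0.3.0/24", "10.0.4.0/24"]


def subnet_of(address, subnets):
    """Longest-prefix match: the most specific configured subnet holding `address`."""
    addr = ipaddress.ip_address(address)
    matches = [net for net in map(ipaddress.ip_network, subnets) if addr in net]
    if not matches:
        raise ValueError(f"{address} is not in any configured subnet")
    return max(matches, key=lambda net: net.prefixlen)


def broadcast_domain(hosts, subnets, source):
    """Names of the hosts that hear a broadcast sent by `source`.

    Switches flood a broadcast to every port in the sender's subnet and the
    router between subnets does not forward it, so the audience is exactly
    the hosts whose address falls inside that subnet.
    """
    net = subnet_of(hosts[source], subnets)
    return sorted(name for name, ip in hosts.items()
                  if ipaddress.ip_address(ip) in net)


def reachable_by_broadcast(hosts, subnets, source, target):
    """True if `source` could find `target` by shouting (an ARP-style 'who has'
    query) without any router involvement, i.e. the 'find Timmy' case."""
    return target in broadcast_domain(hosts, subnets, source)


def segmentation_summary(hosts, subnets):
    """Per host, how many hosts its broadcasts reach. Smaller numbers mean a
    foothold on that host exposes less of the LAN to broadcast discovery."""
    return {name: len(broadcast_domain(hosts, subnets, name)) for name in hosts}


if __name__ == "__main__":
    for label, layout in (("flat", FLAT_NETWORK), ("segmented", SEGMENTED_NETWORK)):
        reach = broadcast_domain(HOSTS, layout, "guest-laptop")
        print(f"{label:9s}: guest-laptop broadcast reaches {len(reach)} host(s): {reach}")
```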
Wednesday, April 1. 2009
Computer Security 101 - Part 3 - Firewalls
When it comes to computer and network security, I believe in an outside-in approach. Start as far away from your computer as possible and work your way back, putting up as many roadblocks in the way as you can. This approach has served me well in the past, and will likely continue to do so in the future. And so we will continue delving into computer security at the network perimeter with the firewall.
Before we begin I should point out that passwords were covered first and foremost due to their very nature. That is to say, everything has passwords of one sort or another. Firewalls included. So it would have been negligent of me to not cover passwords first. Now we can move on. Thank you for your patience.
There are a lot of people out there who do not know what a firewall really is, let alone understand what it does. This group of people includes many IT professionals, even very seasoned professionals. I often get a look of disbelief during technical interviews when I am asked about experience with a particular firewall or another, because I always respond with something along the lines of "a firewall is a firewall."
Before we begin I should point out that passwords were covered first and foremost due to their very nature. That is to say, everything has passwords of one sort or another. Firewalls included. So it would have been negligent of me to not cover passwords first. Now we can move on. Thank you for your patience.
There are a lot of people out there who do not know what a firewall really is, let alone understand what it does. This group of people includes many IT professionals, even very seasoned professionals. I often get a look of disbelief during technical interviews when I am asked about experience with a particular firewall or another, because I always respond with something along the lines of "a firewall is a firewall."
Usually my resume is directly in front of them and lists my Check Point Certified Security Administrator NG, Cisco Certified Network Associate, and Certified Information Security Manager certificates; as well as a plethora of various hardware that I have worked on (such as PIX or Watchguard firewalls). So when the person across the desk asks me if I have experience with a Sonic firewall, well, "a firewall is a firewall" is about as polite an answer as I can give. Sometimes I just blow the interview right there and go into sassy mode. But I digress.
A firewall is a firewall is a firewall. Period. Some are better than others, but they all do the same basic thing and are configured the same way. The interface might be different, but just because one car has a digital speedometer does not make it any more difficult to drive than one with a standard needle (analog) speedometer. Let’s dive into what that same basic thing is.
In the beginning we had routers. Routers route network traffic. Then someone said, hey, let’s make a specialized router that does the same thing, only less of it, call it a firewall and charge additional money for it. Thus the firewall was born.
If you were to think of your network as a company, with the computers as departments and the software running on the computers as people; firewalls would be the mailroom. Any type of parcel has three things that are readily available to be seen: 1) The address the parcel was sent to, 2) The address the parcel came from, and 3) How the parcel was delivered (FedEx, UPS, USPS, etc). A good mailroom looks at these three things and determines what to do with the parcel. Simple and easy.
A mailroom example of what is taking place with that parcel: A letter arrives addressed to the CEO of the company, there is no return address, and the letter arrived with a bulk mail (USPS) stamp on it. What do you think the mailroom is going to do with that letter? Were I a CEO, I would fire a few people for delivering junk mail to me; thus the mailroom might trash the letter outright or they might decide to deliver it someplace else, say the CEO's secretary (sorry, administrative assistant). It really would depend on the instructions given to the mailroom, right?
Next a big brown box arrives that is addressed only to the company itself. The box arrived via UPS ground. A good mailroom is going to look at the packing slip to find a little more information. They immediately notice the parcel arrived from Dell Computer Corp, and move the box on down to the IT department without a second thought.
Mailroom gets a letter for Jane Smith, well there is no Jane Smith here: RETURN TO SENDER. And the mailroom never accepts C.O.D. parcels.
This is exactly what a firewall does. It behaves like a good mailroom staff with instructions on what to do with each parcel that arrives; only it deals with data as its parcel. There are three things that are readily available to a firewall: 1) The address the data is sent to, 2) The address the data came from, and 3) What port the data is being delivered on. Simple and easy.
Configuring a firewall is about the same as giving instructions to the mailroom. "Only allow marketing to send out bulk mailers." "Anything that comes in from Dell goes to IT." "Only John can send out packages using the freight company." Etc, etc. The only differences are in what the address looks like (hint, it’s an IP address instead of a postal address) and instead of saying "UPS Next Day Delivery," we use port numbers.
The bulk of setting up a firewall comes before you even touch it. Before you can set it up, you need to know what the instructions are going to be. The best instruction is always to return everything to sender that comes in and not let anyone use the stamp machine to send out. In firewall terms, this is "deny any any". It should always be your starting point; everything else gets built on top of that and creates a pecking order for what happens with the data parcels. This works for a firewall just like a mailroom: John can use the stamp machine. You are not John; therefore you get denied the use of the stamp machine.
Coming up with the instructions to give the firewall is relatively easy, but usually takes a few minutes to do. It involves a little research to see what software applications are used to do what on your network. This includes sending and receiving email, browsing the web, running a SageTV placeshifter server or playing online games. If something needs to talk to the Internet, it needs a rule for the firewall. You just need to figure out (look up) what those rules need to be.
A few simple guidelines for setting up rules:
1) Permitting all outgoing traffic is a very bad thing. So don't do it. Spend the 15 minutes to find out what traffic needs to go out and to where. You can't surf porn without allowing web traffic, so odds are you will want to allow outgoing HTTP (port 80) and HTTPS (port 443). Not much you can do there, but it does provide a big loophole. Other programs use these ports to bypass firewalls, and that is a bad thing. The fix is an Application Layer Firewall. If you are setting up your firewall for home use, don't worry about it. If you are doing it for a company and you have not yet purchased your firewall, or have the budget to "upgrade" your firewall, get an Application Layer Firewall.
2) If you have a dedicated email server, it should be the only thing on your network that can send or receive email. That is to say that POP3 (port 110) and SMTP (port 25) should only be permitted to and from that server.
3) If you do not have a dedicated email server (meaning you get your email from your ISP) you should block incoming SMTP & POP3, and allow outgoing SMTP & POP3 **ONLY** to your email provider (these are the addresses that look like smtpout.yourprovider.com that you put into Outlook when you set up your email account).
4) If you have a dedicated DNS server, it should be the only thing on your network that can send out DNS lookup packets (port 53).
5) If you do not have a dedicated DNS server you should only allow outgoing DNS traffic to go to your ISP's DNS server (your ISP gave you this address someplace).
6) Unless you handle your own DNS services for an Internet server, you should block incoming DNS requests.
7) Explicitly stating where any outgoing traffic is going to is a very good thing. If your game requires port 9110 to be open, then only allow port 9110 to be open with an outbound address of the game server.
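The guidelines above, built on top of the "deny any any" starting point, worked through as a small first-match rule evaluator. This is an added example, not the author's code and not any real firewall's syntax; the LAN range, the dedicated mail server, the ISP resolver and the game server addresses are constructed assumptions for the sake of the example.

```python
import ipaddress
from typing import NamedTuple, Optional
ANY = None  # wildcard: a rule field set to ANY matches anything

class Rule(NamedTuple):
    action: str                           # "allow" or "deny"
    direction: Optional[str]              # "in" or "out" relative to the LAN, or ANY
    src: Optional[ipaddress.IPv4Network]  # source address range, or ANY
    dst: Optional[ipaddress.IPv4Network]  # destination address range, or ANY
    port: Optional[int]                   # destination port, or ANY

def pkt(direction: str, src: str, dst: str, port: int) -> tuple:
    # The three things the post says a firewall sees, plus which way it is heading.
    return (direction, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst), port)

# Constructed sample addresses (private LAN plus RFC 5737 documentation ranges).
LAN = ipaddress.IPv4Network("192.168.1.0/24")
MAIL_SERVER = ipaddress.IPv4Network("192.168.1.10/32")
ISP_DNS = ipaddress.IPv4Network("203.0.113.53/32")
GAME_SERVER = ipaddress.IPv4Network("198.51.100.20/32")

# First match wins, so the order is the "pecking order" the post describes.
RULES = [
    # 1) web browsing out to anywhere: the HTTP/HTTPS loophole the post warns about
    Rule("allow", "out", LAN, ANY, 80),
    Rule("allow", "out", LAN, ANY, 443),
    # 2) SMTP and POP3 only to and from the dedicated mail server
    *[Rule("allow", "out", MAIL_SERVER, ANY, p) for p in (25, 110)],
    *[Rule("allow", "in", ANY, MAIL_SERVER, p) for p in (25, 110)],
    # 5) no DNS server of our own: outbound DNS only to the ISP's resolver
    Rule("allow", "out", LAN, ISP_DNS, 53),
    # 7) the game's port 9110 only toward the game server itself
    Rule("allow", "out", LAN, GAME_SERVER, 9110),
    # "deny any any": the starting point everything above is built on top of
    Rule("deny", ANY, ANY, ANY, ANY),
]

def matches(rule: Rule, p: tuple) -> bool:
    direction, src, dst, port = p
    return ((rule.direction is ANY or rule.direction == direction)
            and (rule.src is ANY or src in rule.src)
            and (rule.dst is ANY or dst in rule.dst)
            and (rule.port is ANY or rule.port == port))

def decide(p: tuple, rules=RULES) -> str:  # first match wins; no match still means deny
    for rule in rules:
        if matches(rule, p):
            return rule.action
    return "deny"
```

Note that incoming DNS (guideline 6) and a workstation talking SMTP to a random host need no rule of their own: they fall through to the final deny, which is exactly why the post says to start there.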
Continuing the mailroom analogy... A fruit basket arrives addressed to Gertrude in Accounting delivered by the flower delivery guy. Every company accepts deliveries from the flower delivery guy. The flower delivery guy is HTTP on Port 80. So the mailroom rushes that fruit basket over to Gertrude, only instead of pineapples, the fruit basket contained pineapple grenades. Boom. Poor Gertrude. And poor everyone in Accounting.
An Application Layer Firewall is like if the mailroom X-rayed every piece of mail that came through there. More so, they were allowed and required to open every parcel that comes and goes to take a quick peek to make sure the package is what it says it is. That is exactly what an Application Layer Firewall does, because the Internet is chock full of people trying to send pineapple grenades to Gertrude; and Gertrude (bless her little heart) is trying to send socks to her nephew in Utah using the company's UPS account.
A last note on firewalls, primarily for corporate IT people: Two firewalls are better than one. The best setup for a firewall is to have an external firewall that handles incoming traffic, such as allowing traffic to your web server, and a second internal firewall that handles outgoing traffic. The external firewall can be in drop-in mode (meaning it knows all the external IP addresses that your company uses, but is not performing NAT translations, just filtering). The internal firewall connects to the external firewall, gets one of those external IP addresses, provides NAT translations (using that external IP) and should be an Application Layer Firewall. More internal firewalls are even better, but two should suffice. Between the two firewalls are your outside only services (web servers, email forwarders, porn, etc). You can even get creative and place honey pots between them, but that is a bit beyond the scope here.
Firewalls are as complicated as you want to make them, but really you should be making them very simple. Keep in mind that a firewall performs the same tasks as a good mailroom. If you do your homework to determine what traffic you need to allow (port numbers), where the traffic should be coming from, and where it should be going to; then you have 99% of what it takes to set up a secure firewall. The other 1% is just punching in that information.