FIREWALLS

In this unit  we will use material from the following texts
 

	Secrets & Lies: Digital Security in a Networked World by Bruce Schneier. Schneier is the "real thing" - a genuine computer security expert and heads up a company called Counterpane ISBN 0-471-25311-1 Chpt 12
dw
	E-commerce Security: Weak Links, Best Defenses by Dr. Anup Ghosh of Reliable Software Technologies www.rstcorp.com  ISBN 0-471-19223-6 Chpt 5
dac
	Electronic Commerce: Security, Risk Management and Control 2nd Edition by Greenstein and Vasarhelyi. ISBN 0-07-241081-7 2nd Edition, Chpt 11 Electronic Commerce: Security, Risk Management and Control by Greenstein and Feinman 1st Edition, Chpt 9

see details at  witiger.com/ecommerce/ecommercetextssecurity.htm

.

Learning  Objectives

After reading this unit students will be able to: explain the different things firewalls are used for understand what firewalls do in terms of procedure technically know how firewalls can be defeated, so that this knowledge can be applied to utilizing them more effectively appreciate that firewalls are a young technology and know several of the different approaches and strategies to using firewalls

.

Chapter 5 page 212

? - What do firewalls do? A - "... a firewall is usually a combination of packet filtering routers and a computer that executes a set of proxies. Proxies are simple programs that store and forward network requests based on an evaluation of a set of rules. The rules define which connections are allowed and which are not. One of the important functions that a firewall serves is to restrict the number of network services that are available to outside connections"   KEY POINTS "A Proxy is a program that takes the place of another program. Typically, firewalls act as proxies for certain networking services. When internal users use Telnet, for instance, to connect to a host on the other side of the firewall, the proxy service accepts the Telnet request and forwards it on to the real Telnet service." Greenstein & Feinman page 271

.
 

Student Alice C. in BCS 555 in November  2004 found this really great security site that has many good topics, including an explanation of firewalls reproduced in the table below.

This table with the 12 concepts explaining a firewall, comes originally from  http://www.wilders.org/firewalls.htm we have reproduced it here so as to save them bandwidth from too many people viewing the table wilders.org is a site out of Utrecht in the Netherlands

concept  1:	applications and services
hotels have guests and hire staff that serve guests.	firewall: computers have applications (e.g) email,  web browsers) and use operating services (e.g. DNS, RIP, Identification) to support these applications.
concept  2:	communication
a person in the hotel wants to phone out. He is calling frome a phone with anextension  number to another person in adifferent hotel,  also with a phone andextension number	firewall: an application or service in your pc wants to  communicate with anotherapplication or service on  another system. With TCP/IP and UDP/IP,  communication uses IP addresses of the computers  and port numbers.
concept  3:	without a firewall
without an operator, anyone may call in or out.  There may be nobody at that extension.  Alternately, the person may or may not answer their phone.	firewall: without a firewall, communications are  freely attempted, in or out.  Not all ports have services using them.  Alternately, an application/service may or may not  accept a connection attempt.
concept  4:	role of a firewall
when the operator is working s/he decides  which extensions may make calls and which other hotel and extension they may call.	firewall: when the firewall is running, it decides what  systems may communicate and what port numbers  may be used.
concept  5:	blocking incoming TCP/IP connections
an operator can block an incoming telephone  call to a person while allowingthat person to  make outgoing calls.	firewall: a firewall can block incoming connection  attempts on any particularTCP/IP ort while allowing the  same port to be used for outgoing connections.
concept  6:	this firewall is a "packet filter"
the operator can block a call, but does not  censor what is said. A security  chaperonne might help.	firewall: a (packet filter) firewall can block  communication but does not inspect the contents of the data packets.  Anti-virus software might help.
concept  7:	TCP/IP compared to UDP/IP
some people always make "person-to-person" calls and others leave a message.When you  leave a message you are never quite sure  that the other person got it.	firewall: applications either use TCP/IP to make a  connection or they use UDP/IP tosend a single  "datagram". With UDP/IP, you are never quite sure  the other application got it.
concept  8:	blocking UDP/IP data
if the operator is instructed to allow a guest  to leave messages for another person  in another hotel, then s/he  will also allow thatother person to leave  a message for the guest.	firewall: if the firewall has a rule to allow  applications/services to send UDP/IP toanother  system(s) on certain ports, that other system(s)  may send to you usingthe same ports.  The reason is that it's not clear when  the system is replying to you and  when it's taking the initiative.
concept  9:	how ports are used
the white courtesy phone in the lobby is  available for all guests to make outgoing calls.  Typically, hotel staff can be reachedat  extensions 1 to 1023. Courtesy  phoneshave extensions 1024 to 5000.  This way, guests don't tie up extensions  assigned to hotel services (room, service,  front desk).	firewall: a range of (local) ports is available for applications that communicate with services on other systems. Typically, services are available on ports 1 to 1023. Ports for temporary use range from 1024to 5000. This way, applications/services don't tie up a port assigned to your systems services (file shares, identification etc.).
concept 10:	how ports are used (2)
a convention in the hotel business is that the lounge is at ext. 80, the concierge is at ext. 53, a bellman is at ext. 23 etc. This way, guests know how to reach staff in other hotels. Guests are kindly requested not to use the staff's extensions for personal calls.	firewall: a convention in the TCP/IP and UDP/IP protocols in that particular services are available at particular ports, e.g. web servers are at port 80, DNS at 53, telnet at 23, etc. This way, your applications know how to reach services on other systems. Applications should not use these extensions inappropriately.
concept 11:	rule usage
this hotel has an operator that can be instructed to allow certain calls through under certain circumstances, such as 1) only when a certain guest is in the hotel 2) when cell phones are in use 3) when a call is going through the hotel's secure phone lines etc.	firewall: with a firewall you can make a rule that allows certain communications only under certain circumstances, such as 1) when a certain application is running 2) when dail-up connection is alive.
concept 12:	priority of rules
some instructions for the operator are more important than others. By assigning a priority to each one, one controls the order in which the operator reads and applies instructions.	firewall: some rules take precendence over others. By setting the priority you can control the order in which rules are used and applied.

Network Defenses "Firewalls" Chpt 12

"In the digital world, a firewall is a machine that protects a company's internal network from the malicious hackers, ravenous criminals, and desultory evildoers who lurk throughout the Internet. It keeps intruders out" "firewall has changed meaning since it was first used in computer networks. The original networks were buggy and would inveterately crash. Firewalls were installed to prevent bad networking software in one part of the network from taking the rest of the network down with it... Today's firewalls act as boundaries between private networks and the vast public network". Schneier's chapter goes further to describe the different types of firewalls early firewalls based on packet filters proxy, or application gateways In Chpt 12, Schneier also talks about VPN's - Virtual Private Networks IDSs - Intrusion Detection Systems Honey Pots and Burglar Alarms Vulnerability Scanners E-mail security Encryption and Network Defenses Secrets & Lies: Digital Security in a Networked  World      by Bruce Schneier Chpt 12 Network Defenses

.

Chapter 11 Firewalls

ICSA as quoted by Greenstein and Feinman (page 268 text) ICSA - the International Computer Security Association (since Greenstein and Feinman quoted it in their book) has been taken over by an IT security company, Trusecure Corporation. The ICSA material is still available at  www.icsalabs.com/index.shtml ICSA defines a firewall as a "System or groups of systems that enforces an access control policy between two networks".  A firewall should have the following characteristics all traffic from inside the corporate network to outside the network, and vice-versa,  must pass through it only authorized traffic, as defined by the local security policy, is allowed to pass through it the system itself is immune to penetration The critical point that Greenstein and Feinman note in this section, and a point that should be understood within the context of this whole course, is "Firewalls [and any other technical and software devices] should be used as a component of enterprise security, not as the only solution. While firewalls provide a robust set of controls, they are not foolproof, and an organization that relies solely on firewalls for network security is turning a blind eye to many exposures that firewalls do not address."

.
 

Chapter 5

"Erecting a firewall ... is essential to preventing security break-ins..." Firewall Insecurity, page 210 "Firewalls are the first line of defense against malicious users, placed between the computer network to be protected and the network that is considered to be a security threat" ? - What are firewalls used for exactly? A - "Though firewalls are typically used to isolate a company's local area networks (LANS) from the Internet, firewalls are also used to partition isolate control access between internal corporate networks" E-Commerce Security: Weak Links, Best Defenses Chapter 5, 1st edition "Cracks in the Foundation"

.

KEY POINTS

Partitioning and Isolating users access to the entire network is critical in medium and large sized corporations since it serves several purposes. "Need to know" - if people don't need to know information in other departments, then they do not need access to it - measure to restrict access will reduce drain on system resources and circumvent internal snooping If somebody is successful hacking in to an individual's PC and that PC is in turn allowed unrestricted access to the entire corporate LAN, then they have not only hacked that individual computer, but also by extension, the whole company With many dot.coms going bankrupt and personnel at other IT companies growing increasingly nervous, internal threats and risks from company employees are growing. Partitioning and Isolating users access to the entire network is wise to protect against internal sabotage.

E-

Static  Firewalls Dynamic  Firewalls

Components of a firewall page 270 [1st ed.] Greenstein and Feinman text also some information from Prof. Dr. Horn GmbH  www.ibh.de/netglossary/net_16.htm (found by student Jenny Ng, MRK 410, March 2004) Firewalls can be placed into two categories static firewalls dynamic firewalls static firewalls   o default permit allow all traffic except that which is explicitly blocked by the firewall administrator   o default deny denies all traffic except that which is explicitly allowed by the firewall administrator "Static (constant and unchanging) packet filtering offers security against novice hackers. You can configure the filtering rules when you install a firewall to filter based on source/destination IP addresses. This sets up a static filter. But static packet filtering does not have the intelligence to selectively open and close ports; it can either open all the non-private ports or close them all. If all ports are kept open, an intruder can break in; if all ports are closed, the firewall becomes obtrusive to the users on the network." from Prof. Dr. Horn GmbH www.ibh.de/netglossary/net_16.htm

.v

KEY POINT

The difference between default permit and default deny might be as follows. The castle guard lets everybody across the drawbridge that has the password - and people that don't have the password cannot come in The castle guard lets nobody across the drawbridge, unless they are certain kinds of people, and they also have to have a password

sd

Static  Firewalls Dynamic  Firewalls

a dynamic firewalls "while static firewalls are pre configured as either default deny or default permit, dynamic firewalls manage the configuration in a more fluid fashion. Dynamic firewalls allow both denial and permission of any service to be established for a given period of time." "A dynamic firewall, in very basic terms, adapts to traffic by learning which ports are needed for a session, and closes all others. When a legitimate session is initiated, the firewall monitors the requests to open ports between the terminating points and opens only those. When the session ends, the firewall immediately closes the ports. No security holes are left on the firewall for hackers to enter." from Prof. Dr. Horn GmbH www.ibh.de/netglossary/net_16.htm

.v

Firewalls Different Approaches

Article by Deborah Radcliff of Computerworld (U.S.) - appearing in IT World March 2001 original at  http://www.ITworldcanada.com/search/DisplayArticle.cfm.......... This article is about how some security people are installing firewalls on all desktops and laptop computers, both inside and outside the corporate LAN "...firewall products are still evolving, and IT managers face a multitude of features in personal firewall software programs and hardware devices. For example, some new products allow for centralized monitoring and policy enforcement for remote desktop firewalls, while others may be less sophisticated but easier to use.  Still others offer different configuration options depending on an employee’s role or whether the remote computer is being used for personal or business use."

.

KEY POINTS

questions about "What Form Will Firewalls Take?" "While analysts predict that the market will ultimately consolidate into a single desktop  security product or suite that includes intrusion-detection tools, a firewall, a VPN and  antivirus protection, there’s no consensus on just how this will be accomplished.   Already, almost every personal firewall offers VPN capabilities. Vendors are merging  and partnering to bundle mixed products into one integrated product. And some companies, like InfoExpress and Symantec, are taking the suite approach. But then there’s the debate over where these host-based firewalls will wind up — as hardware, software or something more like a network adapter, according to analysts. That’s why many IT managers say they’ll just wait a while before deploying   host-based firewalls, in spite of the risks.

'kn

Firewalls Different Approaches

"Last December [2000], a bank in Southern California received a call from an on-line customer asking why one of the bank’s computers was trying to hack into his  system. It turned out that the machine doing the hacking belonged to the bank’s  president and had been remotely commandeered by an employee. The president  called Conqwest Inc., a Holliston, Mass.-based IT security services firm, which is now  rolling out firewall software across the bank’s 125 internal desktop, laptop and  remote computers. Until recently, companies thought antivirus and virtual private network (VPN)  technologies would keep remote worker connections safe. But as more workers have been accessing the Internet through broadband services such as cable modems, exposure to hacking attacks through those machines has increased. In October, for  example, a hacker broke into a Microsoft Corp. employee’s home computer and exploited the VPN connection to penetrate the company’s internal network. At the time of the Microsoft hack, only 15 per cent of 300 security professionals surveyed used any type of firewall to protect remote workers’ machines, even though 38 per cent of the reported attacks originated from those machines,  according to a report released by Cupertino, Calif.-based security software vendor  Symantec Corp. Some managers are tackling this threat by requiring firewalls on all desktops and laptop computers, both inside and outside the corporate LAN."

.

Network Defenses "Firewalls"

Defeating Firewalls "There are three basic ways to defeat a firewall 1. go around it ... large network has lots of connections... companies often hook their networks to suppliers networks, maybe you can get in through an unsecured supplier 2. sneak something through the firewall... to do this you have to fool the firewall authorizing tools that you have permission and authority to be accessing what you are doing. What some hackers do, says Schneier, is create a piece of code that will exploit some kind of bug (that hasn't been fixed with a patch) that will open a connection between the hacker outside the firewall and the computer inside the firewall 3. take over the firewall... as Schneier says, this is similar to bribing the gatekeeper Secrets & Lies: Digital Security in a Networked  World      by Bruce Schneier Chpt 12 page 190-191

.
 

Why  would  you disable  a firewall

a Student Robert S. in BCS 555 in December 2006 sent an interesting email in which he suggested that sometimes it is useful to understand disabling firewalls Robert explained that it is necessary to disable the firewall if you want to "remote access" your PC over the web - he explains below Robert said "I was doing some research about the firewall and how important it is to have it on our PCs .... but sometimes disabling the firewall might be useful for the owner .. Unfortunately, not all students are familiar with the " No-IP" software. This software allows the owner of the computer to access his computer from any computer connected to the internet. As we all know, the remote ip address changes all the time and it's hard to keep up with the current address to access the computer. Therefore, the No-IP allows you to create one domain name that the user can use it all the time. but to use the Remote Desktop Connection, the firewall has to be disabled which will allow everyone to access your pc! I asked a network specialist about it and he said that the safest way to prevent that is to have a complicated password on the User account and change it every two or three weeks."

.v
 

Privacy Issues and Firewalls Globally

rb Saman H. in BCS 555 in December 2006 sent a long email that covered several issues related to email filtering, government sponsored firewalls and privacy issues. . Hello Sir I have come from Iran, where the fundamental government controls the internet.  They provided huge facility to ban and censor the internet and I think there is a very important issue in e-business. Unfortunately the number of Internet users is increasing very fast and recently the government banned high speed internet too.  “Iran's Islamic government has opened a new front in its drive to stifle domestic political dissent and combat the influence of western culture - by banning high-speed internet links.”  Guardian - Robert Tait - Wednesday October 18, 2006 http://technology.guardian.co.uk/news/story/0,,1924637,00.html But fortunately I have read amazing news today from Canadian researchers in University of Toronto. They have created great software which its name is “Psiphon”. The Psiphon allows internet users in countries with internet censorship to escape from governmental firewalls and filtering. I think, it is going to be a revolution against Chinese and American censor software producers. http://today.reuters.com/news/articlenews.... I think this article related to our discussion in the class when you mentioned about “Firewalls” two weeks ago, I think there is a very important issue in e-business, because for example If I was in clothing business, and If I want to write some of those “META” codes for increasing my web site ranking, I do not have to write “Woman”, “Underwear”, “Girls” and etc in the “Meta” part because my web page will be filtering by those mess censorship computer programs. Thank you for your time

.

Firewall Resources                                   Firewall Resources

. Rana K., Joesph V., Luong C. of MRK 410 March 2004 have complied useful information on how to protect your computer system from hackers by using firewalls.  Most materials from Howstuffworks If you have a fast Internet connection into your home (either a DSL connection or a cable modem), you may have found yourself hearing about firewalls for your home network as well. It turns out that a small home network has many of the same security issues that a large corporate network does. You can use a firewall to protect your home network and family from offensive Web sites and potential hackers. What it does: A firewall is simply a program or hardware device that filters the information coming through the Internet connection into your private network or computer system. If an incoming packet of information is flagged by the filters, it is not allowed through

.
.  .

Top 8 Firewalls  [2004]    free trial and demo versions

. Rana K., Joesph V., Luong C. of MRK 410 March 2004 have complied useful information on how to protect your computer system from hackers by using firewalls.  The following is a list of free trial and demo versions of the most popular firewall software that anyone can use to protect from unscrupulous people or those who abuse unprotected computers: ZoneAlarm v4.5.538  Get protection for DSL and cable connections with this free utility. Sygate Personal Firewall v5.5  Secure your sensitive files from threats both inside and outside your network. Tiny Personal Firewall v5.5.1298  Allow your PC to selectively receive data from the Internet. Norton Internet Security 2004  Protect your PC from Internet-borne threats, viruses, and pop-up windows. BlackIce PC Protection  Thwart Internet intruders and collect information on the attacks. Kerio Personal Firewall v2.1 Build a barrier between your personal computer and the Internet. McAfee Personal Firewall Plus  Safeguard your PC from Internet bad guys with this firewall software. VisNetic Firewall v2.1.3  Set rules for what type of data can access your PC.  Most materials from Howstuffworks

. .

Firewall Resources

. Jeanette O. and Ashley S. of MRK 410 in march 2004 found an article on Ecommerce Times that  gives an insite in to what CEO 's and IT personnal  need to now about new firewall technology, new trends, evolving firewalls, Detection, IT Checklist and Pricing Factor. James Maquire and Stephanie Losi  ecommercetimes.com Jan 6th, 2003 .  New Trends "One growing trend is that more employees are working remotely, rather than at corporate headquarters. Therefore, today's firewalls, though built to guard against remote access, must also be sophisticated enough to allow the right kinds of remote access, Yankee Group network security" Evolving Firewalls "Firewalls have evolved to respond to these new needs. "A lot of new developments are going on at once," Richard Stiennon, Internet security research director at Gartner, told the E-Commerce Times. "There's a trend towards higher speed, higher throughput, and central firewalls that can handle many connections, so [administrators] can segment a network into many zones and apply security policy [variably across] the zones. The most important trend is the need to do better defense of application servers  behind the firewall."

. .

Firewall Resources

Detection "When a firewall intercepts the individual packets that comprise a message sent over a network, it reassembles them to check for protocol validity. If that firewall includes a network security switch, it not only reassembles the packets, but also scans each message for viruses, providing a total intrusion detection package" IT Checklist  According to NetScreen's Philip, CIOs mulling over a firewall purchase should ask themselves several questions:  Is the solution able to deal with network attacks, or denial-of-service attacks?  Can the platform interpret traffic flows and open up connections only as a result of an outgoing communication? etc... Pricing Factor. "Standard pricing is about $20,000 for an enterprise-level firewall, including hardware and software," Stiennon said. However, he noted, a firewall that enables high throughput and can serve a large network could cost $50,000 or more." "Philip said NetScreen's offerings range from approximately $500 for a small office platform to more than $200,000 for the highest-end solution. In between are several price points. The NetScreen-204, a 400-meg firewall with four ports, starts about  $10,000."

. .
 

Chapter 5 Chapter 5

? How do people hack in, and what would firewalls do? A - "Successful attacks are made possible by bugs in the network services, errors in configuration, or the lack of access-control mechanisms. Firewalls combat these types of attacks by preventing connections to all services except those permitted by the firewall. What is less well understood is that many attacks are launched through the services that are permitted by the firewall." "The firewall serves as a choke point between the Internet and internal machines...The firewall proxies can control access to both the Internet and to the internal network by evaluating a set of rules for each connection attempt to a network service. The rules specify which type of network traffic is permitted on either side of the firewall, where connections are allowed from, and to which machines connections are permitted."

. .
 
 
 

witiger.com	CONTACT I MAIN PAGE I NEWS GALLERY I E-BIZ SHORTCUTS I INT'L BIZ SHORTCUTS I MKTG&BUSINESS SHORTCUTS I TEACHING SCHEDULE
	.
	MISTAKES I TEXTS USED I IMAGES I RANK I DISCLAIMER I STUDENT CONTRIBUTORS I FORMER STUDENTS I
	.

.