Threat Level: green Handler on Duty: Brad Duncan

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

What's in a Firewall?

Published: 2011-07-15
Last Updated: 2011-07-15 21:35:45 UTC
by Deborah Hale (Version: 1)
12 comment(s)

We continue to hear reports of companies, government agencies, and systems being hacked into by the "Bad Boys" of the Internet. Most recently it was confirmed that the US Pentagon systems were hacked into and thousands of files were copied from the systems that were hacked.  When I heard this report I thought "How in the world does an organization like the Pentagon with all of the resources they have get penetrated???"  If organizations like the Pentagon have lowered defenses, how do we, the average system owner with a whole lot less resources protect ourselves?  

As I thought about it I realized that there are just too many possible "holes" that can allow the "Bad Boys" in. Once an attacker penetrates the perimeter the internal systems are unprotected.  Worms have penetrated many corporate networks through email systems, careless users, and the use of USB devices.  Once they are in they spread quickly.  

Today's worms and viruses initiate a large percentage of the attacks that take place. Today's hackers have become more and more sophisticated and continue to develop new methods to hack and avoid detection.  You think you have the door closed and voila, you turn around and there they are.  Once in, they start looking for other victims inside the network that they can infect. They can also use the infected computer to attack other computers both inside and outside your network.  Besides wasting your resources (Bandwidth and other resources) they can get you or your company in a world of legal trouble. If your "network" is being used to perform a Denial of Service (DOS)attack or network reconnaissance scan against another companies network you have a responsibility to get the attack stopped immediately.  Failure to do so can have devastating consequences.

Another concern for you would be the potential "back doors" that were opened up by the compromise.  What information does the "back door" provide access too?  Does the "back door" allow the "bad boys" of the Internet to use your systems for whatever purpose they choose?

So how do you protect yourself?  How do you minimize the potential for your systems to be infiltrated?  

If you are protecting you home computer you may need nothing more than a good firewall program installed on your computer.  These programs can help you identify potential intrusions and if configured correctly can prevent the initial access from taking place. If you have a home network (wireless or hardwired) and have multiple computers the software firewall may not be enough.  You may ant to give your home network just an extra bit of security by installing a hardware firewall.  Most small businesses and home networks can benefit from a simple inexpensive hardware firewall. For $100 or less you can get a device from Linksys, Netgear or D-Link that will allow you to setup firewall "rules" to protect your network.  These devices help protect you against attacks by screening out malicious traffic as well as prevent your computer from participating in the attacks without your knowledge.  

A while back, I worked for a small ISP.  We would get calls from our customers complaining about the speed of their connection. While investigating the speed issues I often found that the customer's computer or a computer on their "network" was infected with some malicious program that was either sending massive amounts of spam, was a partner in a botnet and was doing a lot of "talking" or they had an unsecured wireless access point (WAP) that was being used by their neighbors to steal bandwidth and Internet connection. With the use of secured access points and firewall's there were often substantial improvements in the perception of the customers.  

Large businesses/organizations need to look at Enterprise and/or Host Based firewall solutions.  There are many different ones out there and research needs to be done on what is the best fit for the organization. Things like VPN access, real time monitoring, integrated web security, IPS/IDS, Anti-spam/Anti-virus or other features will dictate which one is right for the organization.  

All of these methods work and if setup correctly will protect your environment. You will want to monitor and review logs to insure that the network remains secure.  It is an unfortunate fact of life that the firewall devices themselves may have holes that need to be "plugged".  This means that you have to stay up-to-date on your firmware/patches and make sure that you keep up on security related information for whichever device you choose.

I would be interested in what Firewall's are you using and why?  

Deb Hale

Keywords: firewalls
12 comment(s)
Diary Archives