One of the most common and best-selling solutions to the problems of Internet security is the firewall: a machine positioned between a local network and the Internet that filters out traffic with harmful potential. The idea caught on with many organizations, and has now become so widely accepted that a firewall is seen as an essential part of corporate due diligence. Firewalls fall into three broad categories, depending on whether they filter at the IP packet level, at the TCP session level, or at the application level.
The simplest kind of firewall merely filters packet addresses and port numbers. This functionality is also available in routers and in Linux. It can block the kind of IP spoofing attack discussed earlier by ensuring that no packet that appears to come from a host on the local network is allowed to enter from outside. It can also stop denial-of-service attacks in which malformed packets are sent to a host, or the host is persuaded to connect to itself (both of which can be a problem for people still running Windows 95).
Basic packet filtering is available as standard in Linux, but, as far as incoming attacks are concerned, it can be defeated by a number of tricks. For example, a packet can be fragmented in such a way that the initial fragment (which passes the firewall’s inspection) is overwritten by a subsequent fragment, thereby replacing an address with one that violates the firewall’s security policy.
More complex firewalls, called circuit gateways, reassemble and examine all the packets in each TCP circuit. This is more expensive than simple packet filtering, but it can also provide added functionality, such as a virtual private network over the Internet (by encrypting traffic from firewall to firewall) and screening out black-listed Web sites or newsgroups (there have been reports of Asian governments building national firewalls for this purpose).
However, circuit-level protection can’t prevent attacks at the application level, such as malicious code.
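To make the contrast concrete, the following added example (not from the original text) models the two filters above on a simplified IPv4 fragment: a stateless packet filter that can only inspect the initial fragment, and a circuit-gateway style filter that reassembles the datagram before applying the same policy. The local network 10.0.0.0/8, the blocked port 23 and the sample fragments are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List

LOCAL_NET = ip_network("10.0.0.0/8")   # assumed: the protected local network
BLOCKED_DST_PORTS = {23}               # assumed policy: no inbound telnet

@dataclass
class Fragment:
    """Simplified IPv4 fragment: only the fields the filter looks at."""
    src: str
    offset: int      # byte offset of this fragment's payload within the datagram
    payload: bytes   # datagram bytes 0-1 model the TCP source port, bytes 2-3 the destination port

def port_allowed_by_policy(src: str, dport: int) -> bool:
    """Policy applied to an inbound datagram arriving on the outer interface."""
    if ip_address(src) in LOCAL_NET:   # anti-spoofing: outside packets may not claim a local source
        return False
    return dport not in BLOCKED_DST_PORTS

def dst_port(datagram: bytes) -> int:
    return int.from_bytes(datagram[2:4], "big")

def naive_filter(fragments: List[Fragment]) -> bool:
    """Stateless per-fragment filter: only the offset-0 fragment carries a header to check."""
    for f in fragments:
        if f.offset == 0 and not port_allowed_by_policy(f.src, dst_port(f.payload)):
            return False
    return True   # non-initial fragments pass unchecked: the weakness described above

def reassemble(fragments: List[Fragment]) -> bytes:
    """Reassembly in which a later fragment overwrites overlapping bytes, as some hosts do."""
    total = max(f.offset + len(f.payload) for f in fragments)
    buf = bytearray(total)
    for f in sorted(fragments, key=lambda f: f.offset):
        buf[f.offset:f.offset + len(f.payload)] = f.payload
    return bytes(buf)

def reassembling_filter(fragments: List[Fragment]) -> bool:
    """Circuit-gateway style: reassemble first, then judge what the host will actually see."""
    initial = next(f for f in fragments if f.offset == 0)
    return port_allowed_by_policy(initial.src, dst_port(reassemble(fragments)))

# Constructed samples: CLEAN is an ordinary request to port 80; OVERLAPPING adds a second
# fragment at offset 2 that rewrites the destination port to 23 on reassembly; SPOOFED
# arrives from outside but claims a local source address.
CLEAN = [Fragment("203.0.113.7", 0, (1025).to_bytes(2, "big") + (80).to_bytes(2, "big") + b"GET /")]
OVERLAPPING = CLEAN + [Fragment("203.0.113.7", 2, (23).to_bytes(2, "big"))]
SPOOFED = [Fragment("10.1.2.3", 0, (1025).to_bytes(2, "big") + (80).to_bytes(2, "big"))]
```

Both filters stop the spoofed datagram, but only the reassembling filter rejects the overlapping one, since the naive filter has already waved the initial fragment through.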
The third type of firewall is the application relay, which acts as a proxy for one or more services, such as mail, telnet, and Web. It’s at this level that you can enforce rules such as stripping macros out of incoming Word documents and removing active content from Web pages. Application relays can provide very comprehensive protection against a wide range of threats.
Whether your organization has firewalls and a security policy or not, it’s prudent to regularly evaluate your security approach. Review and answer the following questions before implementing any further firewall technology and/or security policy additions or changes.
Identify which resources must absolutely be secure and in which order of priority:
- Mission critical
- Redundant back-up system(s)
- Base systems
Identify minimum security needs for the following WAN connections:
- Employee remote dial-up
- Office-to-office VPN
- Employee and vendor broadband (DSL, cable modem, etc.)
- Vendor access
- Business-to-business access
Does your security team have quick access to this network documentation?
- Network diagrams
- Trending data
- Protocol utilization
- Data points
- Access points
- Major vendors’ point of contact information (ISP, telco, firewall vendor)
Does your security team know the order in which systems must be restored?
- The security response team must have a full understanding of which systems need to be restored to full operation and in what order.
- Does this order meet your business objectives and priorities?
Does your information disclosure policy address the following in relationship to a security issue?
- What information is shared with others?
- Is information shared internally, departmentally, externally, etc.?
- Under which circumstances?
- Mission critical information?
- Secondary intrusion information?
- Who has the authority to initiate information disclosure (Chief Security Officer, legal, HR)?
Have you provided a way of documenting, distributing, and following up on security violation reports? For example:
- Denied access messages
- Failed passwords/login attempts
- Attempts to access back doors
Have you provided for alternative communication methods for intruder attacks/penetrations? Consider using:
- Cell phones
- Numeric pager codes
- Fax machines
Have you established your cycle of updates and mock drills?
- Are policies and procedures updated regularly (quarterly, bi-annually, annually)?
- Do you involve multiple departments (IT, HR, legal, upper management)?
- Do you run periodic drills to test your systems and your procedures?
Have you reviewed the legality of your security policy and procedures?
Working with your HR department and legal counsel, consider the following:
- Are your policies enforceable?
- Do your policies and practices conform to local, state, and federal laws?
- Are you providing due diligence to protect confidential information?
- Is there a clear-cut procedure for a chain of custody for documentation from an intrusion?
- Are the team and the company legitimately protected in case of a severe intrusion?
- What would be your company’s risks if an attacker were to penetrate the systems of another company that uses your systems?
- Do your policies and procedures provide for proper care of customer information?
- What are your liabilities if confidential data (corporate, vendor, customer) is taken and used by an intruder?
Have you reviewed lessons learned?
- Does your firewall intruder-alert detection system work?
- Do your response procedures work?
- Do your processes provide for the correct steps to neutralize any additional threats?
- What did not work?
- What can be changed to bolster your procedures?