Softpanorama


Firewalls and Firewall Rules Auditing


Firewalls can also be standalone or local (host-based).

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network (intranet), which is (or should be) a zone of high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the principle of least privilege and separation of duties.

A firewall is a very sharp tool, like a razor; and like razors, firewalls attract a lot of control freaks and maniacs who can damage the company in a very significant way, using security as a fig leaf to cover their misdeeds.

To understand the scale of the danger, imagine a maniac running with a blade down a crowded street. I know of several cases where know-nothings from the security group, in a maniacal zeal to make a contribution to corporate security, blocked ICMP and/or other types of important traffic.

Actually, there is something like natural selection at work in assigning people to the security department, which is why the networking group is a much safer place for the people responsible for firewall policy. What I mean is that the security department is often a dumping ground, the natural habitat of people who cannot make a productive contribution in other areas. This is not always true, but it is still a pretty common situation in large organizations...

Naturally, know-nothings live in a paradise where there are simple, brute-force, instant-gratification answers to every problem. And please remember that many problems of a large corporation are similar to nation-wide problems, and the politics of stupidity appeals not just to poorly informed IQ underdogs (aka rednecks). Actually, the IT redneck is an extremely influential phenomenon in enterprise IT, one which encompasses both genders.

Control freaks represent quite another problem for the firewall infrastructure. In this case the set of firewalls and rules soon becomes so complex as to be unmanageable, and those guys bravely fight firewall misconfigurations almost on a daily basis. At that point the firewall really becomes counterproductive and hurts real business. Breaking with the situation and announcing that "the king is naked" requires some courage on the part of IT management, a condition that is not easily satisfied in many corporations ;-)

A firewall controls IP traffic: it permits or denies data connections based on IP addresses, protocols and some additional properties of the packets (for example, TTL). Firewalls are also usually capable of implementing NAT. The set of restrictions implemented constitutes one of the most important parts of the organization's security policy and as such should be properly documented. Rules should not be added on an "ad hoc" basis.

Auditing firewall rules should be performed regularly: a complex set of outdated rules, instead of being a protection, represents a serious security danger (in addition to being counterproductive or even harmful for the organization).

Proper configuration of firewalls demands significant networking skills as well as a good understanding of the organization's infrastructure.
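As an added example (not code from the original page), a small Python audit script that parses a simplified iptables-save style rule list and flags the defects the text warns about: rules shadowed by an earlier rule (unreachable, often stale), duplicated rules, blanket allow-all rules, and blanket ICMP blocks. The option subset it understands (-A, -p, -s, -d, --dport, -j) and the sample rule set are constructed for the demonstration.

```python
"""Audit a simplified iptables-save style rule list for dead rules (shadowed or
redundant), blanket allow-all rules and blanket ICMP blocks.  Added example; the
option subset handled and the sample rule set are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")
TERMINAL = {"ACCEPT", "DROP", "REJECT"}     # targets that end rule traversal
KNOWN = {"-A", "-p", "-s", "-d", "--dport", "-j"}


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str                  # "tcp", "udp", "icmp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]        # None means any destination port
    target: str
    text: str                   # original rule text, for reporting


def parse_rule(line: str) -> Rule:
    """Parse '-A CHAIN [-p PROTO] [-s CIDR] [-d CIDR] [--dport N] -j TARGET'."""
    tokens = line.split()
    opts = dict(zip(tokens[::2], tokens[1::2]))
    if len(tokens) % 2 or set(opts) - KNOWN or not {"-A", "-j"} <= set(opts):
        raise ValueError("unsupported or incomplete rule: " + line)
    port = opts.get("--dport")
    return Rule(opts["-A"], opts.get("-p", "any"),
                ipaddress.ip_network(opts.get("-s", "0.0.0.0/0"), strict=False),
                ipaddress.ip_network(opts.get("-d", "0.0.0.0/0"), strict=False),
                None if port is None else int(port), opts["-j"], line)


def parse_rules(text: str) -> List[Rule]:
    """One rule per line; blank lines and '#' comments are ignored."""
    lines = (raw.split("#", 1)[0].strip() for raw in text.splitlines())
    return [parse_rule(line) for line in lines if line]


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`, so
    `inner` never sees a packet once a terminating `outer` precedes it."""
    return (outer.chain == inner.chain
            and outer.proto in ("any", inner.proto)
            and outer.dport in (None, inner.dport)
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst))


Finding = Tuple[str, int, Optional[int]]   # (kind, rule index, covering rule index)


def audit(rules: List[Rule]) -> List[Finding]:
    """Return the defects found, in rule order."""
    findings: List[Finding] = []
    for i, rule in enumerate(rules):
        # Dead rule: an earlier terminating rule in the same chain already matches
        # everything this one matches.  Same target: clutter.  Different target:
        # this rule's intent is silently lost (the usual stale-rule surprise).
        for j in range(i):
            if rules[j].target in TERMINAL and covers(rules[j], rule):
                kind = "redundant" if rules[j].target == rule.target else "shadowed"
                findings.append((kind, i, j))
                break
        blanket = rule.src == ANY_NET and rule.dst == ANY_NET
        if blanket and rule.proto == "any" and rule.dport is None and rule.target == "ACCEPT":
            findings.append(("allow-all", i, None))       # no policy at all
        if blanket and rule.proto == "icmp" and rule.target in ("DROP", "REJECT"):
            findings.append(("icmp-blackhole", i, None))  # breaks PMTU discovery and ping
    return findings


SAMPLE_RULES = """
# constructed rule set with the usual audit findings planted in it
-A FORWARD -s 10.0.0.0/8 -p tcp --dport 80 -j ACCEPT
-A FORWARD -s 10.1.2.0/24 -p tcp --dport 80 -j ACCEPT   # already covered by rule 0
-A FORWARD -s 10.0.0.0/8 -p tcp --dport 22 -j DROP
-A FORWARD -s 10.1.2.0/24 -p tcp --dport 22 -j ACCEPT   # never reached: rule 2 drops first
-A FORWARD -p icmp -j DROP                              # blanket ICMP block
-A FORWARD -j ACCEPT                                    # allow-all
-A INPUT -s 192.168.0.0/16 -p tcp --dport 22 -j ACCEPT
-A INPUT -j DROP                                        # default deny at the end is fine
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for kind, i, j in audit(rules):
        ref = "" if j is None else "  <- covered by rule %d: %s" % (j, rules[j].text)
        print("%-14s rule %d: %s%s" % (kind, i, rules[i].text, ref))
```

Running it against a real ruleset means feeding `iptables-save` output through the parser, which rejects any option outside the supported subset rather than silently mis-auditing it.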


Old News ;-)

[Aug 26, 2008] Linking Chains A methodology for developing rules for IP Chains - CiteSeerX

This paper describes a methodology for configuring a packet filter, which is one of the components of a firewall system. It takes into consideration non-obvious security nuances of the TCP/IP protocol stack that may be overlooked by system administrators. The methodology uses the TCP/IP protocol suite's layered architecture as the guide for the composition of the packet filter rule set. It uses the IP Chains packet filter to demonstrate a practical example.

[Aug 22, 2008] fwsnort 1.0.5 by Michael Rash

About: fwsnort translates snort rules into an equivalent iptables ruleset. By making use of the iptables string match module, fwsnort can detect application layer signatures which exist in many snort rules. fwsnort adds a --hex-string option to iptables, which allows snort rules that contain hex characters to be input directly into iptables rulesets without modification. In addition, fwsnort makes use of the IPTables::Parse Perl module in order to (optionally) restrict the snort rule translation to only those rules that specify traffic that could potentially be allowed through an existing iptables policy.

Changes: This release replaces the bleeding-all.rules file with the emerging-all.rules file because Matt Jonkman now releases his rule sets at emergingthreats.net. Restructured Perl module paths make it easy to introduce a "nodeps" distribution of fwsnort that does not contain any Perl modules, allowing better integration with systems that already have all necessary modules installed (including the IPTables::ChainMgr and IPTables::Parse modules). This release adds support for multiple Snort rule directories as a comma-separated list for the argument to --snort-rdir.

[Jul 21, 2008] ferm by Max Kellermann

Perl-based tool

About: ferm is a tool to maintain and set up complicated firewall rules. It allows one to reduce the tedious task of carefully inserting rules and chains, thus enabling the firewall administrator to spend more time on developing good rules, and less time on the proper implementation of those rules. These rules will be executed by the preferred kernel interface, such as ipchains and iptables, and in one pass. Firewall rules can also be split into different files and loaded at will.

Changes: Support for more netfilter modules. A "remote" mode has been added. All tables are reset correctly in "flush" mode.

psdomain.org Firewall Rule Base Best Practices

This is the companion page for my Firewall Rule Base Best Practices document. I have listed all the resources I would otherwise have put at the bottom of the document. In this way, I hope to keep them current, and to add new material when I find it without having to revise the original document. If I have written it correctly, it should need little revision as time passes and technology changes. We'll see.

Update 2003-01-27

When I started this document over three years ago, I was an InfoSec consultant working with firewalls on a day-to-day basis. As will be obvious from a look at the revision history at the bottom of this document, I have not found a great deal of time to devote to it. In addition I have since moved on, and I do not work with firewalls much in my current role.

I have been surprised at the number of requests that I get for this draft, and I apologize to all those whom I've kept waiting through my lack of time. Thus, I am making this draft directly available on the Internet in the hope that it will be useful. I disclaim any and all liability; use it at your own risk.

If you would like to take over the maintenance of this document, let me know.


Recommended Links

NIST/SP 800-41 Guidelines on Firewalls and Firewall Policy, January 2002 [PDF,1,208,320 bytes]

Google Directory - Computers Security Firewalls Products Personal Firewalls

Firewall Rule Base Best Practices.doc (last updated 2003-12-31)

12 Tips on Building Firewalls by D. Brent Chapman, Elizabeth D. Zwicky, Simon Cooper 07/01/2000

CERT Security Improvement Modules (Best Practices and Implementation)

Microsoft Security Best Practices

CERT: Deploying Firewalls

Microsoft Security Tools and Checklists

Firewall Piercing mini-HOWTO

ACK Tunnel through a Firewall

OpenHack: Lessons Learned

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls

Internet Firewalls FAQ

Commercial Firewalls

Books and other references for Internet Firewalls

Internet Firewall Essentials

CSI Firewall Archives

Security Related Port List

What Firewalls will look like in the year 2003

Slashdot Using Firewalls to Block Spyware

A firewall should be configured to deny everything and only allow through what is needed. Only open ports that you need to open. Stuff like pop-ups that run on port 80 (which you need to open for at least your squid proxy) are a different matter. As for blocking pop-ups and stuff like that, those are best done on the proxy server. On my proxy, I block all ad related sites (doubleclick, etc) and it is real easy to do with squid. The downside is that on some sites (like cnn) you get java errors on some of their java code. Just tell the users to say "no" to the "do you want to execute more java code from this page" and it is fine. That is the configuration I use and it works fine.

Re:Firewall policy (Score:4, Insightful)
by Anonymous Coward on Wednesday May 14, @12:55AM (#5952098)
Huh? Either this is a troll, or you just don't get it.

Any half-wit administrator should be filtering all outbound traffic, to just the ports NEEDED for the business to function (in many cases, that means the internal equipment must use the proxy for everything, or they can forget about connecting to the net). Everything else should run through a proxy/caching server, or an internal SMTP relay server. I've yet to come across any application that I've permitted my users to install, which was unable to work with a proxy server.

Not only does a proxy/caching/relay server greatly speed up overall internet access, but it allows for the company to fully log where an employee goes online, and better control their use of the net. In the event of any legal issues, the company can use those logs for either defense or prosecution.

Effective egress filtering also prevents employees (or even a virus or trojan) from using your internet connection to send spam, attack others, and anything else that the business does not need the employee to do.

If there's something wrong with your proxy server - that's likely the admin's fault, or a POS proxy server. I don't know what you use, but the squid proxy/caching server is one that I've used extensively in many environments, and it has performed without issue for quite some time.

Are you aware that most IM sessions are not encrypted, all chat messages are passed through servers that you do not and cannot control, and therefore are not secure by any stretch of the imagination. You open that barn door, and I guarantee you your users will quickly forget whatever you told them about the insecurity, and start sending confidential and/or proprietary information via the chat tools.

A specific list of websites - well, we actually do. Mozilla/Netscape can go anywhere on the net, but IE is restricted to just a few business related sites. This works very well to curtail users' access to potentially hazardous sites, without impacting their ability to function.

Firewalls + a good policy (Score:3, Interesting)
by rogueMonkey (669464) on Tuesday May 13, @08:32PM (#5950575)
Our site denies software installations of any type through Windows policies for anyone but power users (ie.: programmers and not even all of them). Sure there were complaints and groaning... But they weren't for crashing computers anymore. You'd be surprised of the kind of sh*t some cute screen savers (TM) install. DLL messups, preferences mangling! So while firewalling might prevent some of the symptoms of spyware (ie.: call homes) good policies both technically enforced and "socially" enforced go a long way.
Shutting the barn door (Score:3, Informative)
by Demona (7994) * on Tuesday May 13, @09:53PM (#5951088)
(http://frogfarm.org/dj/)
after the horse has left, but for what it's worth, there's Peer Guardian [methlabs.org], which uses a constantly updated list of IP addresses [methlab.tech.nu] which have been declared "bad".
Blocking the Permissioned Media "trojan" (Score:2, Informative)
by questionlp (58365) on Tuesday May 13, @10:51PM (#5951459)
(http://closedsrc.org/)
After having a couple of calls regarding the Permissioned Media "trojan" from users at work (which will still install even if you decline the Software Install prompt at the warning), I decided to look around the Net for ways to block it. I stumbled across Symantec's listing [symantec.com] of the "trojan", which provided a list of IP addresses.

So I set up outbound deny rules on the firewall for those IP addresses and DNS servers related to Permissioned Media. That stopped the problem until they started to host the download off of other IP addresses and servers... so I went back to the SARC document and added the new IP addresses to the block list. For two weeks, I checked the page twice a day to see if the list changed. Since then, the problem has stopped.

As far as HotBar is concerned, I set up the internal DNS caching server to be authoritative for the hotbar.com zone and pointed it to a non-active IP in the local subnet. That fixed much of the problem of people installing it... :)

I use a hosts file (Score:1)
by BladeMelbourne (518866) on Wednesday May 14, @02:49AM (#5952467)
(http://www.froggy.com.au/mike.skinner/16bitwin.htm)
My hosts file is here:
http://www.froggy.com.au/mike.skinner/16bitwin.htm

It blocks lots of ads, cookies, trackers and XXX sites. It might even block Slashdot images and ads ;-) to load much faster...

Weird FedEx (Score:2)
by Animats (122034) on Thursday May 15, @02:31AM (#5961714)
(http://www.animats.com)
One of the very few mainstream websites to use totally weird ports is FedEx. Their Java applet for shipping packages not only uses unusual ports, it requires that a connection be opened from the host side. If you're behind a NAT box, this is painful. Amazingly, Linksys has special support for this.
Using DNS to block spyware, IM, etc (Score:2)
by Nonesuch (90847) <nonesuch@msg.CURIEnet minus physicist> on Thursday May 15, @08:11PM (#5969097)
(http://www.msg.net/~nonesuch/ | Last Journal: Friday September 14, @01:46PM)
Better yet, block internal hosts from communicating to the Internet on port 53, and require all internal hosts to use the local nameservers instead.

On these nameservers, override the zones for the biggest spyware domains and also for AIM, Yahoo Chat and the like, adding wildcard A records directing the request to the IP address of an internal machine running a HTTPd, or to 127.0.0.1.

The effect is twofold -- this will break 90% of the spyware programs, and you will have a log of all of the internal clients with spyware installed.

I use DJBDNS [cr.yp.to] for the nameserver and publicfile [cr.yp.to] for the HTTPd, but the same effect can be obtained with BIND and Apache.

There are a few programs out there that use or will fall back to hardcoded IP addresses, but these can be dealt with by adding NULL routes at the appropriate gateway routers.
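The comment above promises a log of every internal client with spyware installed; as an added example (not from the comment or its author), this Python script turns the sinkhole HTTPd's access log into that inventory. It assumes a log format whose first field is the requested Host header (for Apache, a LogFormat beginning with `%{Host}i` rather than the usual `%h`); the log lines, domain names and category table are constructed.

```python
"""Turn a DNS-sinkhole web server's access log into an inventory of the
internal clients that tried to reach sinkholed domains.  Added example; the
log format (requested Host header as first field), the domain names and the
log lines are constructed for the demonstration."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List

# Host header, client IP, ident, user, timestamp, request line, status code.
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})')

# Why each zone was sinkholed (constructed names; unknown zones are "unclassified").
CATEGORY = {
    "spyware-update.example": "spyware",
    "tracker.example": "spyware",
    "chat-login.example": "instant-messaging",
}

SAMPLE_LOG = """\
spyware-update.example 10.1.2.15 - - [15/May/2003:08:11:02 -0700] "GET /update.cgi HTTP/1.1" 404 209
tracker.example 10.1.2.15 - - [15/May/2003:08:11:05 -0700] "GET /ping HTTP/1.0" 404 209
spyware-update.example 10.1.7.40 - - [15/May/2003:09:03:51 -0700] "POST /report HTTP/1.1" 404 209
chat-login.example 10.1.2.15 - - [15/May/2003:09:10:00 -0700] "GET / HTTP/1.1" 404 209
CHAT-LOGIN.example 10.1.9.3 - - [15/May/2003:09:12:40 -0700] "GET / HTTP/1.1" 404 209
this line is not an access-log record and must be skipped
"""


def inventory(log_text: str) -> Dict[str, Dict[str, int]]:
    """Map client IP -> sinkholed domain (lower-cased) -> request count."""
    hits: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:                                   # unparsable lines are ignored
            hits[m.group("client")][m.group("host").lower()] += 1
    return {client: dict(domains) for client, domains in hits.items()}


def clients_in_category(inv: Dict[str, Dict[str, int]], category: str) -> List[str]:
    """Client IPs (numerically sorted) that contacted a domain of `category`."""
    return sorted((client for client, domains in inv.items()
                   if any(CATEGORY.get(d, "unclassified") == category for d in domains)),
                  key=ipaddress.ip_address)


def report(inv: Dict[str, Dict[str, int]]) -> List[str]:
    """One line per client listing the domains and categories it tried to reach."""
    lines = []
    for client in sorted(inv, key=ipaddress.ip_address):
        parts = ["%s (%s, %d hits)" % (d, CATEGORY.get(d, "unclassified"), n)
                 for d, n in sorted(inv[client].items())]
        lines.append("%s: %s" % (client, "; ".join(parts)))
    return lines


if __name__ == "__main__":
    print("\n".join(report(inventory(SAMPLE_LOG))))
```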

3Com upgrades Firewall Cards

By John Leyden, The Register Oct 8 2002 11:37AM

3Com has launched a rack of new embedded Firewall Cards. The range includes a new 3Com Firewall PC Card, as well as a revamp of existing Firewall Desktop PCI Cards, 3Com Firewall Server PCI Cards and 3Com Embedded Firewall Policy Server.

Designed to secure vulnerable notebooks and remote PCs, the products provide hardware firewall protection with built-in 10/100 LAN connectivity. It's a way of defending in depth against attacks using a hardware approach that is faster, more secure and, in theory, easier to manage than software firewalls (which are possibly more flexible).

Such an approach is good news for sysadmins, but much less palatable for workers downloading MP3s from work. Those potentially risky UDP ports are almost sure to be blocked with 3Com's products.

Building on 3Com's first Embedded Firewall products, launched last February, the new Firewall Cards enable network managers to extend Embedded Firewall protection to remote users connecting to the corporate network via a VPN broadband connection. The newly announced enhanced security products also automatically detect if a user is connecting from inside or outside the LAN's physical perimeter and apply the appropriate security policies for that location.

The products (which use firewall technology from Secure Computing) aim to frustrate unauthorised actions by both external, and internal, ne'er-do-wells.

3Com is targeting the most security-sensitive market segments with the products: government, finance, healthcare, and education (an odd one this as budgets are tight in schools and Unis and security policies tend to be less strictly enforced).

Prices for the 3Com Embedded Firewall Policy Server start at $199 (for 10 clients). Firewall PC Cards cost from $219 each or $3,999 for 20. The Firewall Desktop PCI Card with 10/100 LAN costs from $179, with discounts for bulk purchases.


Firewall Server PCI Card with 10/100 LAN will set you back $329 each, again with bulk discount.

3Com Embedded Firewall Solution has been approved for export worldwide, subject to standard export restrictions.

Securing Systems with Host-Based Firewalls - Implemented With SunScreen[tm] Lite 3.1 Software - by Martin Englund

This article discusses why host-based firewalls can be an effective alternative to choke-point based firewalls, or an additional layer of security in an environment. Details are then provided on how to implement a host-based firewall using Sun's free host-based firewall software, SunScreen[tm] SecureNet Lite.

***+ Root Prompt -- Auditing Your Firewall Setup by Lance Spitzner [Apr. 10, 2000]

You've just finished implementing your new, shiny firewall. Or perhaps you've just inherited several new firewalls with the company merger. Either way, you are probably curious as to whether or not they are implemented properly. Will your firewalls keep the barbarians out there at bay? Do they meet your expectations? This paper will help you find out. Here you will find a guide on how to audit your firewall and your firewall rulebase. Examples provided here are based on Check Point FireWall-1, but should apply to most firewalls.

Where to Start

This paper can help you in one of two situations. First, you have certain expectations of what your firewall can or cannot do and you want to validate those expectations. Second, you do not know what to expect, so you need to audit your firewall to learn more. Either way, this paper can hopefully help you out. We are not going to cover how to audit or "hack" a network, that is a different subject. Also, we are not going to discuss which firewall is better than others, each firewall has its own advantages and disadvantages. What is going to make or break you is not choosing the "best" firewall, but implementing it correctly. That is the purpose of this paper, making sure our firewall is correctly implemented and behaves as we expect it to.

BlackICE PC Protection 3.5
BlackIce PC Protection 3.5 is too confusing for the average user, despite its cool Trojan horse catcher. Stick with ZoneAlarm Pro 3.0 or Norton Internet Security 2002 for now.
ZoneAlarm Pro 3.0
ZoneAlarm Pro 3.0 is as good as personal firewalls get. Although you'll still need an antivirus product to completely protect your PC, we think that the extras in ZoneAlarm Pro are worth the cash--free alternative or not.

SecurityFocus unix infocus archive fwrules index

USENIX ;login July '00 - firewalls at home

Firewalls have traditionally been pretty scary things - devices that sat in protected areas in the computer room, maintained through High Wizardry, protecting the Company Network from All Evils. However, as we have seen with the DDoS attacks earlier this year, computer security is not something that should be limited to large companies with big, fat pipes coming off the Net. Neither is computer security something that is being done solely to protect the company network from what's happening outside. Not a great many people are aware that nowadays the Internet as a whole can be in trouble when a single system, yours, is compromised. With tools like Tribal Floodnet, TFN2K, and Stacheldraht, your system is not the one that is hurt the most when it is compromised. Your system could be used to participate in the next round of DDoS attacks that hits the news, or it could be used to send out spam.

A big change is happening right now: it's no longer just companies or universities that have fast enough permanent connections to be of interest to the average script kiddie out there. With cable modems and ADSL lines being installed in huge numbers, there's lots of bandwidth connected to unprotected systems. People at home never had to think about this kind of thing before. They are not aware that they are the next big target for script kiddies. The number of systems that can be compromised easily is exploding. And can the home user really be blamed? I don't think so. What's special about an average family with kids in high school owning more than one computer in the home, and connecting them together in a small network to share a hard disk or a printer? Nothing really, but unless they take specific action to prevent it, those drive shares will be accessed from across the planet. Any sysadmin who has installed snort1 on his firewall can testify that Windows shares are the most often scanned for "vulnerability."

ZDNet Story Sneak Peek ZoneAlarm 3--an even better personal firewall

This week Zone Labs announced the 3.0 versions of its wildly popular personal firewall and security products, ZoneAlarm and ZoneAlarm Pro. Key improvements include a beefed-up firewall, support for Windows XP, a much-improved user interface, and more help for users who want to understand the alerts the software presents to them.

The beta software I tested was still a work in progress and won't be released for a month or so. But the company announced the new version ahead of time, because it wanted customers to understand that XP support and other requested improvements are on the way. It also seemed to feel some competition from the Nortons of the world, recently out with their 2002 releases. I'd rather have seen the software announced when it was ready for download, but I didn't get a vote.

STILL, IT'S HARD to get upset with a company as aggressively user-friendly as Zone Labs. After building what most reviews and user comments I've seen say is a top-notch security product, the company chose a radical marketing plan: They give the software away.

Personal users (that's you and me) and non-profits (but not government or schools) can use ZoneAlarm absolutely free. Business customers pay $19.95 and those wanting some additional networking features can upgrade to the Pro version for $39.95.

The company previously sold annual subscriptions. When the subscription expired, so did the software. Now, once you install it, the application runs in perpetuity. Pricing for the new version will be announced at release, but the free version is a permanent fixture.

All the most important features are included in the free version. These are a "stealth" firewall, which makes your computer invisible to outsiders, and application control, which protects against e-mail worms and other malicious code that gets onto your machine.

THE 3.0 VERSION includes an easier-to-understand "home page"-based user interface, and does a better job of explaining the individual alerts presented to the user, including a "more info" button that links to the company's Web site for detailed explanations and technical information.

The new release also hardens the firewall. One feature "fingerprints" programs that access the Internet, as well as individual program files, to ensure a trusted application cannot be corrupted by a rogue DLL installed onto the machine.

But for all the program does--which is a lot--ZoneAlarm is not antivirus software, and Zone recommends that users install their favorite program to protect against infections. Though ZoneAlarm does protect against many of the effects of computer viruses and can stop a computer from becoming infected in the first place, it is specifically not a virus cure.

The 3.0 Pro version includes privacy protection, cookie control, and enhanced network support. There is also a new, threshold-based ad-blocker that deserves some discussion.

WHILE I DON'T LIKE ad blockers--being that they threaten my livelihood--this one makes some sense, because it blocks ads only when they take too long to download. This is especially handy if you're dialing into the Internet on a relatively slow connection. It also supports blocking pop-ups and pop-unders, which I fully endorse.

While a personal user doesn't absolutely require the Pro features, many individual users like the free version so much they upgrade anyway, as a means of supporting a software company they like. Paying corporations are also well-represented among Zone Labs' estimated 15 million users, including EDS, which recently site-licensed 125,000 copies for its employees.

Last time I checked, ZDNet users had downloaded nearly 14 million copies of ZoneAlarm, and I'm sure the new version will only add to its popularity. And while the new version won't be out until sometime around Comdex Fall time frame in mid-November, there's no reason not to download the current release and upgrade when the new one appears.

After all, the price is certainly right.

Aladdin Security content filtering, Virus and Vandal protection

PGP Security - Protecting Your Privacy - A Network Associates Company

Personal Firewall Protection and Intrusion Detection

Now remote and distributed users can benefit from the security of an "Enterprise Ready" distributed firewall. The PGP Distributed Firewall is the first product to bundle a fully configurable "Packet-Filtering" firewall with Personal Intrusion Detection in a single, installable package that is managed remotely using "Enterprise Ready" software from PGP Security. This not only gives you the ability to create silent installs, but also allows you to remotely change firewall/IDS policies, and lock them down from the end-user.

PGPfire checks data entering and leaving your computer based on filtering rules, protecting you from attacks that originate from within and outside the corporate network. PGPfire offers pre-set levels of protection and lets you define your own protection rules. If an intrusion is detected, it records the event, the source address and the time it occurred, and alerts you.

Features and Benefits:

  • Stop hackers and Trojan horses
  • Personal Intrusion Detection keeps hackers and Trojan horses out
  • Ability to securely retrieve new policies from an LDAP server: unmatched scalable corporate management
  • Ability to build deployment packages with policy configuration predefined: unmatched scalable corporate management
  • Alerts in case of attack or if the system is compromised: remote system integrity monitoring

Norton Internet Security 2000 2.0 Win98-2K-NT4 - Software Reviews - CNET.com

Thanks to its built-in firewall, Internet Security 2000 is the most secure all-in-one Net security app we've seen and the perfect choice for anyone with an always-on connection. Costs more than McAfee Internet Guard Dog 3.0.

    CNET Review
    By Gregg Keizer
    (05/03/00)
    URL: http://software.cnet.com/software/0-352110-1204-1782503.html

    Norton Internet Security 2000 has a leg up on the competition. At a list price of $59, it's more expensive than McAfee Internet Guard Dog. But although it comes with many of the same security tools (such as Web site filters) as its competitor, only Internet Security builds a personal firewall, a barrier that protects your PC from hackers. Internet Security handles all security chores and guards your back door, so this package is ideal protection, especially for cable and DSL users.

    Easy Setup
    Even beginners can set up Internet Security 2000 in no time. Its control display is well organized, with easy-to-understand sliders for setting security and privacy options. Internet Security asks for the personal information you want to keep secure after you've installed the program so that it's clear why you need to hand over such personal data.

    Bar the Back Door
    But Internet Security's finest feature is its automatic firewall. This makes your PC invisible and unreachable to hackers who may try to connect to your machine without your knowledge. You can even set the strength of the firewall to strike a balance between intrusiveness and thoroughness; at higher settings, legitimate Internet activities might be blocked. Without a firewall, heavy Net users, especially those with an always-on DSL or cable connection, take a risk that rampaging hackers will gain access to or hijack the PC for their own underhanded purposes.

    And Internet Security also gives you complete control over the rest of its Net filters, including the data that leaves your system and what is allowed through the firewall. You can, for instance, set the security level to allow or disallow Java applets and ActiveX Controls. If you selectively keep them out, Web sites can't send code that could damage your PC. Plus, you get to specify which private info, such as credit card numbers and email addresses, Internet Security shouldn't transmit out. Internet Security lets you finesse protection site-by-site by using its Advanced Options dialog box so that you can choose different security settings for different Web sites--nice flexibility.

    Does More Than the Dog
    Like Guard Dog, Internet Security blocks banner ads (with limited success), keeps kids away from specified Net activities (access to chat programs, for instance), and lets you create multiple accounts to protect different members of your household at different levels. But Internet Security offers unique features, including an option to disable secure server access so that kids can't shop online and an online updater that keeps Internet Security informed about malevolent Java applets, viruses, and ActiveX Controls, as well as new hacker tactics.

    Safe and Secure
    Internet Security 2000's comprehensive protection costs $20 more than Guard Dog, but the additional security is well worth the money, especially if you connect to the Net via DSL or a cable modem. But even if you dial in, this package is useful if you spend a lot of time online.



    Zone Labs ZoneAlarm 2.1 Win9X-NT4-2K - Software Reviews - CNET.com

    ZoneAlarm is easy to install, and its default settings protect your system at two levels: medium, for local traffic, and high, for Internet traffic (which blocks all Internet traffic until you say otherwise). This means that whenever an application on your PC tries to access the Internet, ZoneAlarm asks you whether to allow it. However, when you customize ZoneAlarm, it becomes even more powerful. ZoneAlarm lets you grant apps such as Internet Explorer and Outlook permanent access to the Web.

    What's more, ZoneAlarm displays a little toolbar at the top of the screen that monitors network activity. The toolbar has intelligent status indicators that tell you whether the program is locked (blocked from the Internet) or open and icons that indicate which applications are currently accessing the Net.

    Lots of Extras
    Other cool features include an emergency Stop button, which immediately halts all Net traffic if, for example, an unauthorized application is sending data out. There's also an automatic Lock, which stops Internet access whenever your screensaver activates or after a prespecified period of inactivity (this ensures that no one can hack your PC while you're away). Even better, ZoneAlarm offers an idle-port-blocking feature, which automatically closes ports when applications no longer need to communicate, blocking unauthorized access. Also, in our Labs tests, ZoneAlarm was the only firewall that completely hid all the ports on our computer.

    Curing the Love Bug

    Another big bonus: although ZoneAlarm is not an antivirus app, it does sport the MailSafe feature, which isolates all incoming Visual Basic scripts, such as the Love Bug virus, until you decide what to do with them. ZoneAlarm also automatically updates itself over the Web, making sure it protects your computer against the latest threats.

    With its straight-out-of-the-box protection, unsurpassed features, and free distribution to home users, ZoneAlarm is our hands-down firewall champion.

    Surprisingly, the most secure of the three firewalls we tested was also the cheapest. A 1.6MB download from FileWorld, Zone Labs' ZoneAlarm firewall and updates are free for individual users and cost $19.95 annually for business users.

    This firewall was the easiest of the three to install on our test PC, requiring the fewest steps to get up and running. Two sliders let you independently select a range of security settings for local and Internet connections. With ZoneAlarm's sliders set to the default of high security for Internet applications and medium security for local network applications, we went back to Shields Up, where we earned a "very secure" rating. The site could read no information about the PC; some of the PC's ports were visible but closed. When we returned to the site and tested ZoneAlarm's highest security setting, our PC was in full stealth mode--no ports were detected.

    You might expect a free, powerful firewall to be difficult to use. ZoneAlarm is quite the opposite: You can easily adjust the security level with sliders for both local network and Internet access. If you click the Advanced button, you can access network settings. Though you won't get a manual or CD-ROM instructions with ZoneAlarm, we found it easy to set up without help. A nice touch in this latest version of ZoneAlarm is that it contains a MailSafe feature that claims to protect your system from viruses written in Visual Basic Script, such as "ILove You." (We didn't test this feature.)

    Bottom line: ZoneAlarm is the most secure of the three firewalls we tested--and you can't beat the price.

    All three programs made our test machine safer. Both McAfee Firewall and Norton Personal Firewall 2000 provided solid protection and myriad advanced features--but we preferred the excellent (and free) Zone Alarm.

    www.firetower.com -- useful site

    O'Reilly Network Linux for Security Applications

    A Linux firewall is a regular Linux machine, to which all available security patches and updates have been applied and from which all unnecessary services have been removed. Unnecessary services include:

    This point cannot be emphasized enough -- firewalls must be systems whose software is known to be working properly where all known security risks and exposures have been eliminated. This is the hardest part of any security administrator's job -- making sure you're up to date with the latest security advisories from CERT, the Computer Emergency Response Team, and the other information security monitoring groups. Most people get into trouble because they fail to monitor or, more often, fail to act on a known security vulnerability.

    The crux of the biscuit: packet filtering

    Packet filtering is the process by which packets coming from a network to which the firewall is attached are examined to determine how they should be handled.

    There are several packet filtering systems available for Linux, but the most commonly used is a package called IP Chains, which is based on a novel, if not arcane, system for specifying how packets can be allowed through the firewall.

    The goal of packet filtering is to examine each and every packet that could transit the firewall to ensure that it meets the rules set down by the administrators. The IP Chains system sets up a series of filters that examine a packet to determine what should be done with it; if one filter decides that the packet isn't a type that it handles, it passes it on to the next filter in the chain until the packet is either passed to the inside (protected) network, or it falls off the end of the filter chain and is rejected or dropped.

    In the simplest scenario, the firewall has to make sure that the packet is coming from an authorized host on an authorized network and going to an authorized host on an authorized network.

    Other checks might include making sure that only selected protocols (such as XWindow, FTP, or Telnet) are allowed to pass through the firewall, or, at a deeper level still, the content of the packets might be examined to ensure that they contain the kind of data they say they do and that someone isn't playing games with tunneling, say, X Window sessions over a Telnet session.

    The bottom line with regard to creating a firewall system, whether using Linux as a base or any other operating system, is to make sure that the policies that define what can pass through the box are clearly thought out and consistently applied and that the system is not just set up and never looked at again.
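The first-match chain walk the O'Reilly excerpt describes, as an added Python model (not IP Chains code and not from the article): rules are consulted in order, the first rule whose fields cover the packet decides, and a packet that falls off the end of the chain gets the chain's default policy. It also includes the check an auditor wants when reading such a chain: a rule that an earlier rule completely covers can never fire, which usually means the rule set does not say what its author thinks it says. The rule list, the RFC 5737 documentation addresses and the sample packets are constructed for the example.

```python
"""First-match packet-filter chain with a shadowed-rule audit (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    proto: str = "any"         # "any" matches every protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """Does this rule apply to the packet?"""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True

    def covers(self, other: "Rule") -> bool:
        """True if every packet that matches `other` also matches this rule."""
        if self.proto != "any" and self.proto != other.proto:
            return False
        if not ip_network(other.src).subnet_of(ip_network(self.src)):
            return False
        if not ip_network(other.dst).subnet_of(ip_network(self.dst)):
            return False
        if self.dport is not None and self.dport != other.dport:
            return False
        return True


def evaluate(chain: List[Rule], pkt: Packet, default: str = "drop") -> str:
    """Walk the chain; the first matching rule wins, else the default policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.action
    return default


def shadowed_rules(chain: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule covers them."""
    return [i for i, rule in enumerate(chain)
            if any(earlier.covers(rule) for earlier in chain[:i])]


# Constructed sample chain for an outside interface (addresses from RFC 5737).
SAMPLE_CHAIN = [
    Rule("drop", src="10.0.0.0/8"),                              # internal source seen outside: spoofed
    Rule("accept", proto="tcp", dst="192.0.2.10/32", dport=25),  # mail to the relay
    Rule("accept", proto="tcp", dst="192.0.2.0/24", dport=80),   # web to the whole DMZ
    Rule("accept", proto="tcp", dst="192.0.2.10/32", dport=80),  # never reached: covered by the rule above
    Rule("drop", proto="tcp", dport=23),                         # telnet is never allowed in
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "198.51.100.7", "192.0.2.10", 25),
                Packet("tcp", "10.1.2.3", "192.0.2.10", 25),
                Packet("udp", "198.51.100.7", "192.0.2.10", 53)):
        print(pkt, "->", evaluate(SAMPLE_CHAIN, pkt))
    print("shadowed rule indexes:", shadowed_rules(SAMPLE_CHAIN))
```

The `covers` test is deliberately conservative: it only reports a rule as shadowed when an earlier rule matches a strict superset of its traffic, so a partially overlapping pair is left for the human reviewer rather than flagged automatically.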

    ZDNet Sm@rt Partner - Hackers Breach Firewall-1

    While Checkpoint issues service pack to address vulnerabilities, hackers warn against placing too much faith in firewalls.

    By David Raikow, Sm@rt Partner

    An audience of several hundred network security professionals watched with rapt attention last week as a trio of hackers repeatedly penetrated one of the industry's most trusted and popular firewall products--Checkpoint Software's Firewall-1. The demonstration, presented at the "Black Hat" security conference in Las Vegas, challenged the widely accepted notion that firewalls are largely immune to direct attack.

    The panel--John McDonald and Thomas Lopatic of German security firm Data Protect GmbH and Dug Song of the University of Michigan--identified three general categories of firewall attacks. They began by demonstrating a number of relatively simple techniques by which an attacker could impersonate an authorized administrator, and thus gain access to the firewall application itself. A second type of attack tricked the firewall into believing an unauthorized Internet connection was actually an authorized virtual private network connection. Finally, the panel exploited a number of errors in the process used to examine traffic passing through the firewall to sneak in dangerous commands.

    While their presentation focussed on a single commercial firewall product, panel members repeatedly emphasized that most firewalls are vulnerable to the types of attacks demonstrated. "The problem is not just with [Firewall-1]," said Song. "The real problem is the blind trust most people place in their firewalls."

    Greg Smith, Checkpoint's director of product marketing for Firewall-1, pointed out that many of the attacks demonstrated relied on improper firewall configuration, and he asserted that they presented little practical threat. "Not a single customer has reported a problem with any of these issues."

    Nevertheless, Checkpoint worked with McDonald, Lopatic and Song in developing defenses against the attacks, which they released as part of Firewall-1 Service Pack 2 immediately following the demonstration. Checkpoint emphasized that the service pack should prevent all of the attacks discussed, even those dependent on misconfiguration.

    The panel also recommended a number of additional steps for "hardening" firewalls, including use of strong authentication protocols, "anti-spoofing" mechanisms and highly restrictive access rules. At the same time, they called on the IT community to abandon the "single firewall" model of network security and implement multiple lines of defense.

    However, one observer of the session, employed by a network switch manufacturer, thinks Checkpoint lost some credibility over its products. "Some of the exploited areas were because of dumb programming mistakes in the code for the firewall itself. If the [firewall] programmers can't get it right, what other problems may still be lurking?" he pondered.

    BSD Today Running a BSD-based Firewall

    Commercial Firewalls vs. Open Source Firewalls

    The first bridge that we had to cross was getting people to accept an open source firewall package. Everyone knows and trusts products like Checkpoint and Cisco's Pix firewall. A firewall is a key part of the security infrastructure. It is a stretch to ask management to trust a product they may have never heard of for such an important part of the network.

    When you buy a commercial firewall product, you are not buying a better quality product, but only paying for a name. That name gives your management and you confidence that there is a strong, solid company behind your firewall. With an open source firewall, you do not get that name. However, you do get the equivalent credibility through the very nature of open source. Anyone that uses it will be more than happy to tell you the good and the bad that they have gone through with the product.

    The other bonus is that open source firewalls are usually written by people that are using the product themselves. This gives them every incentive in the world to make it work right. Plus, with the open source model you can influence the direction of the program. Darren Reed of IP Filter has impressed me many times over with his openness to add features that users have asked for. You do not find that with a bigger commercial company.

    Our Firewall product

    I am a BSD guy. That is the platform I know best. With that in mind, there are two popular free firewalls we could pick from: IP Filter and IP Firewall. IP Firewall is a fine product that I have used in the past with success, but at the time it could not keep state. A stateful firewall was a requirement for this particular project, so we decided to go with IP Filter (http://coombs.anu.edu.au/~avalon/).

    There is a bit of a religious war about stateful vs. non-stateful (packet filter) firewalls. Don't take my word for which is better. Look through the book referenced above to see which would work best for you. I prefer to stay with a stateful firewall, because it allows me to only allow the initial SYN packet through. Then the firewall will allow the rest of that TCP session through. This prevents things like stealth scans from getting through your network.
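The "only the initial SYN gets through, then the rest of the session" behaviour described above, as an added Python model (not IP Filter's code and not from the BSD Today article): an inbound TCP packet passes only if it is a bare SYN to a port the rules allow, which creates a state entry, or if it belongs to a session such a SYN already created, in either direction. Any other flag combination with no matching state, which is what a stealth probe looks like, is dropped before the rules are consulted at all. The addresses and ports are constructed sample data; real state tables also expire entries on timers, which this model leaves out.

```python
"""Stateful TCP filtering: only the initial SYN can open a session (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# TCP flag bits (low six bits of the flags byte; ECN bits are masked off below).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = 0x3F


@dataclass(frozen=True)
class TcpPacket:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


Key = Tuple[str, int, str, int]   # (src, sport, dst, dport) of the opening SYN


class StatefulFilter:
    def __init__(self, allowed_dports: Set[int]):
        self.allowed_dports = allowed_dports
        # Open sessions keyed by the 4-tuple of the SYN that opened them.
        # Only RST tears an entry down here; a real table also ages entries out.
        self.state: Dict[Key, str] = {}

    def _lookup(self, p: TcpPacket) -> Optional[Key]:
        """Find the session this packet belongs to, in either direction."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.state:
            return fwd
        if rev in self.state:
            return rev
        return None

    def filter(self, p: TcpPacket) -> str:
        sess = self._lookup(p)
        if sess is not None:
            # Part of a tracked session: pass it; a reset ends the session at once.
            if p.flags & RST:
                del self.state[sess]
            return "pass"
        # No state yet: only a bare SYN to a permitted port may create one.
        if (p.flags & FLAG_MASK) == SYN and p.dport in self.allowed_dports:
            self.state[(p.src, p.sport, p.dst, p.dport)] = "open"
            return "pass"
        # ACK-only, FIN, NULL (no flags), Xmas (FIN|PSH|URG), or SYN to a
        # closed port: nothing opened this session, so it is dropped.
        return "drop"

    def sessions(self) -> int:
        return len(self.state)


if __name__ == "__main__":
    fw = StatefulFilter({80})
    for pkt in (TcpPacket("198.51.100.7", 40000, "192.0.2.10", 80, SYN),        # opens a session
                TcpPacket("192.0.2.10", 80, "198.51.100.7", 40000, SYN | ACK),  # reply, same session
                TcpPacket("203.0.113.9", 5555, "192.0.2.10", 80, ACK),          # no session: dropped
                TcpPacket("203.0.113.9", 5555, "192.0.2.10", 80, 0)):           # no flags: dropped
        print(pkt, "->", fw.filter(pkt))
```

The point the paragraph makes falls out of the state table: the non-SYN probes never reach the rule set, so even a permissive rule for port 80 does not answer them.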

    IP Filter is a nice, small, and efficient firewall that comes with the base OS of FreeBSD, OpenBSD, and NetBSD. It also runs on Solaris, SunOS, BSD/OS, Irix, and HP/UX. The cross platform nature of the product was a big feather in its cap. It would allow us to go with one Unix today, switch to a different Unix in the future, and still keep the same firewall product. The next question was: What platform are we going to run this product on?

    Testing

    After the firewall is installed and the rules are written, the most important thing is testing. You cannot set up a firewall, throw it on the network and assume it works.

    Testing the NAT (Network Address Translation) is very easy. Simply plug a machine into the internal interface and see if it works. SSH into a box on a remote network, do a "who" and see what IP it says you are coming from. Really, NAT is kind of nice in the regard that it either works or does not.

    The firewall, however, is a different story. There is really no right way of testing it. What we did was go through the rule set and double check all the rules. After that, from a remote network we ran Nessus (http://www.nessus.org/), Nmap (http://www.insecure.org/nmap/index.html) and Saint (http://www.wwdsi.com/saint/) against our public IP range. You may have some different preferred tools to use for this purpose. The key is to be creative. Try what you would do if you were trying to break into that network. Use the tools that crackers trying to break in would use.

    [Apr. 10, 2000] Root Prompt -- Auditing Your Firewall Setup by Lance Spitzner

    You've just finished implementing your new, shiny firewall. Or perhaps you've just inherited several new firewalls with the company merger. Either way, you are probably curious as to whether or not they are implemented properly. Will your firewalls keep the barbarians out there at bay? Does it meet your expectations? This paper will help you find out. Here you will find a guide on how to audit your firewall and your firewall rulebase. Examples provided here are based on Check Point FireWall-1, but should apply to most firewalls.

    Where to Start

    This paper can help you in one of two situations. First, you have certain expectations of what your firewall can or cannot do and you want to validate those expectations. Second, you do not know what to expect, so you need to audit your firewall to learn more. Either way, this paper can hopefully help you out. We are not going to cover how to audit or "hack" a network, that is a different subject. Also, we are not going to discuss which firewall is better than others, each firewall has its own advantages and disadvantages. What is going to make or break you is not choosing the "best" firewall, but implementing it correctly. That is the purpose of this paper, making sure our firewall is correctly implemented and behaves as we expect it to.


    Application: hunt
    Stable Version: 1.0

    Brief Description:
    Tool for exploiting well-known weaknesses in the TCP/IP protocol suite

    Application: ipfwadm Dotfile module
    Stable Version: 0.25b

    Brief Description:
    GUI ipfwadm wrapper, simplifies firewall and masquerade setup

    Application: IsinGlass
    Stable Version: 1.13

    Brief Description:
    Firewall setup script designed to protect dial-up users.

    Distinguish firewall hype

    forum - Guest Feature Auditing Your Firewall Setup -- Auditing Your Firewall Setup by Lance Spitzner Tue Sep 21 1999

    TIS FireWall ToolKit (FWTK)
    Free firewall proxies for HTTP, X, SMTP, FTP, and a generic plug proxy.



    gfcc GTK+ Firewall Control Center

    gfcc (GTK+ Firewall Control Center) is a GTK+ application which can control Linux
    firewall policies and rules, based on ipchains package.

    Changes: This is a bugfix release.

    Urgency: medium

    Thanks very much to all who responded regarding low-cost firewalls for Solaris. Below please find a summary of the responses, for your reference.

    SonicWall by Sonic Systems http://www.sonicsys.com/products.html

    SonicWall is a hardware solution which provides all of the basic functionality, plus some added features. SonicWall is inexpensive at $495 for 10 IP addresses and basic functionality, and $1,495 for unlimited addresses with additional features.


    Recommended Links

    Sites

    http://www.clark.net/pub/mjr/pubs/fwfaq/ Firewall FAQ


    http://cheops.anu.edu.au/~avalon/ip-filter.html IP filter offers filtering via IP, port, protocol/service, NAT, logging, etc and it can be installed on a non-dedicated server.


    http://www.waterw.com/~manowar/vendor.html List of Firewall Products and Vendors.

    http://www.icsa.net/services/consortia/firewalls/certification.shtml Information on ICSA certification for Firewall products.

    www.tis.com Trusted Information Systems (TIS) has developed two products: the Firewall Toolkit (FWTK), and the Gauntlet Firewall. The Firewall Toolkit is freeware, more information can be found at http://www.fwtk.org. Gauntlet is a commercial product, with a price range of $5,000-$17,500. More information can be found at www.tis.com.

    www.ascend.com Ascend offers a product called Secure Access Firewall. I was not able to find a price on their web-site.


    Firewall Auditing and Testing

    [Apr. 10, 2000] Root Prompt -- Auditing Your Firewall Setup by Lance Spitzner

    Intrusion Detection for Check Point FireWall-1

    Understanding the FireWall-1 State Table

    Building Your Firewall Rulebase

    Auditing Your Firewall Setup

    FW-1 Troubleshooting Tips

    Logger for Checkpoint Firewall 1

    SECURITY: Laurent Constantin: Testing a router or firewall

    (May 4, 2001, 18:56 UTC) (Posted by mhall)
    Laurent Constantin has written in with a complete guide to testing firewalls and routers using lcrzoex. There's plenty of detail here for the aspiring security maven.

    Network scanning

    If you are going to build a firewall, or if you already have one, a periodic inspection of what traffic is allowed through is a really good idea. It is said that information security is not a destination, but a journey. Just because you have bought (or built) a firewall doesn't mean that the job is done. Firewalls are like relationships; they need constant attention if they are going to work well.

    Related Resources

    • NetMax Firewall ProSuite
    • Phoenix Adaptive Firewall
    • Building Internet Firewalls (O'Reilly Book)
    • Setting up a Firewall on OpenBSD (O'Reilly Network)
    • CERT - a major reporting center for Internet security problems.
    • CIAC - Computer Incident Advisory Capability
    • BUGTRAQ - a mailing list from SecurityFocus.com
    • SAINT home page
    • NMAP home page

    One of the best ways to test a firewall is to throw a lot of packets at it and see what the firewall accepts and rejects. There are several toolkits available that can perform this function. The best known of these is called SATAN for System Administrator's Tool for Analyzing Networks. It was written by Dan Farmer, a security consultant who now works for EarthLink Networks. SATAN allows an administrator to perform a series of port scanning operations against a firewall looking for vulnerabilities; it also has a built-in database of some well-known vulnerabilities that it can try to exploit.

    A derivative work that takes most of its code-base from SATAN is SAINT (Security Administrator's Integrated Network Tool). SAINT updates some of SATAN's network scanning capabilities and is designed to work on Linux out of the box.

    Another useful tool called NMAP can help you create a map of services on a given host or find all the hosts on a given network that support a given service. This can be very helpful in tracking down services that are not supposed to be running on machines on your network.

    As I have stated before, tools such as network scanners are very powerful tools considered by most network managers to be very hostile if used on their networks without permission. Be careful how, if, when, and where you decide to experiment with them!

    David HM Spector


    Personal firewalls

    freeware downloads Personal Firewalls - free software brought to you by WebAttack.com, the largest download site for Windows Internet tools.

    ZDNet Personal Firewalls by Matthew P. Graven, PC Magazine January 3, 2001

    While you browse the latest headlines or purchase a cashmere sweater on the Web, some hacker could be lurking in the background, stealing your credit card numbers or rifling through the data stored on your system. Simply put, your Internet connection is a wide-open path to your PC that anyone connected to the Web with malicious intent and technology skills can skulk down. Broadband connections, because they're always on, are most vulnerable, but dial-up access also carries risks.

    The best solution may be a personal firewall, which is a security wall between your system and the Internet. These software-based solutions safeguard against hackers and, in some cases, keep Trojans and other unauthorized programs from secretly transferring personal information from your system over the Internet. They all run on Windows 95 and above and Windows NT 4.0 and above, and most support current versions of Microsoft Internet Explorer and Netscape Communicator.

    Network Ice's Blackice Defender 2.1 (www.networkice.com; $39.95 direct) is a personal firewall that specializes in precise and detailed intrusion detection. It's so protective that even Internet Connection Sharing (ICS) -- Windows' protocol for allowing two or more systems to share an Internet connection -- is treated as an attack until you apply the clear-cut configuration changes specified on Network Ice's Web site. You choose a level of protection -- Trusting, Cautious, Nervous, or Paranoid -- and the program takes care of the rest. If it detects an attack, Blackice Defender can immediately lock out any further access by that particular IP address, trace and log the intrusion, and alert you to the incident.

    Because some malicious code attempts to access your PC's ports, which are used for networking connections, Zone Labs' extremely easy-to-configure ZoneAlarm 2.1 (www.zonelabs.com; free for personal use, $19.95 per year for businesses) blocks all your ports. It also blocks NetBIOS security holes. For example, though NetBIOS intentionally allows networked systems to share files, this capability can inadvertently allow others to browse through your PC's contents.

    ZoneAlarm also warns you when a program attempts to access the Internet; you can allow access always, block it always, or have ZoneAlarm ask each time.

    ZoneAlarm Pro 1.0 ($39.95 per year) adds a number of features, including support for ICS and enhanced e-mail protection. A nice feature, ZoneAlarm's MailSafe renames executable e-mail attachments, so you can't accidentally launch them.

    Also free for personal use, Aladdin Knowledge Systems' eSafe Desktop 2.2 (www.ealaddin.com) concentrates on defending against malicious code in active content such as scripts, Java, and ActiveX controls. Known vandals such as the Back Orifice Trojan are blocked before they're even saved to disk. Other active content is quarantined in a "sandbox" that permits execution while protecting system resources against any potential invasive acts. The product's advanced configuration dialog is daunting in its complexity, but you may never need to use it except to enable the content filters, which are disabled by default.

    Network Associates' McAfee Firewall 2.1 (www.mcafee-at-home.com; $29 direct) analyzes network and Internet communication to and from your computer, so it can both prevent hackers from accessing your system and block unauthorized programs from calling out over the Net. When it detects an attempt to use the Internet, McAfee Firewall asks whether it should trust the program. Based on your answer, it will always allow or always deny that program access. McAfee Firewall fails in key areas. It requires Microsoft Internet Explorer 4.0 or later, doesn't support Internet Connection Sharing, and lacks full support for Windows 2000.

    Network Associates' McAfee Internet Guard Dog 3.0 (www.mcafee-at-home.com; $39 direct) is fanatical about protecting your private information. When any application attempts to send your specified personal information over the Net, whether through Web forms, e-mail, chat, or instant messaging, Guard Dog intercepts it. You can permit or block the application's use of your information, either always or on a case-by-case basis. On first launch, the program sets off a flurry of activity, confirming such things as whether your e-mail program is allowed to send out your e-mail address. This initial configuration, however, is accomplished fairly quickly.

    Privacy settings are user specific: You can permit your own credit card numbers to be sent on the Web but not allow your children to send these numbers. Any attempted violations are logged. Among other actions, the unique Security Check feature scans your hard drive for files containing personal or financial information and adds them to the list of guarded files. Access to these files is blocked from all applications that aren't specifically approved. Guard Dog also deters programs from formatting your disks or reading your password files and stops attempts by ActiveX controls to delete or scan files.

    Among its many other features are site blocking, secure password storage, cookie blocking, and a full copy of McAfee VirusScan. The Pro version ($49 direct) adds an integrated copy of McAfee Firewall. Guard Dog runs on Windows 9x and Windows Me.

    Symantec Corp.'s Norton Personal Firewall 2001 (www.symantec.com; $49.95 direct) is loaded with dozens of preset rules. Some are program specific, such as one that denies all access to the NetBus Trojan. Others apply systemwide, like a function that stops attempts to connect to drives through NetBIOS. If an unknown application attempts an Internet connection, a wizard leads you through the process of defining a new rule.

    The Norton Privacy Control module lets you specify confidential information that should not be transmitted through Web forms. For instance, you can protect your credit card number against Internet Explorer's AutoComplete feature. This module does not filter information from being sent via chat, e-mail, or instant messenger.

    InternetNews - Intranet News -- Personal Firewalls Fail the Leak Test

    In an attempt to show that personal firewalls may afford their users little protection against serious threats, a respected PC security expert has released a new software tool that pokes holes in many of the leading desktop security packages.

    Security-conscious Internet users, especially those on broadband connections, have made desktop firewall software into a booming business for companies like Symantec and Network Associates. But according to Steve Gibson, president of Gibson Research, almost all of these utilities only provide "pseudo protection" against attacks. That's because they put most of their effort into blocking incoming hacker attacks, while paying only scant attention to what he calls internal extrusion.

    "I really believe the problem of software in your computer misbehaving is much bigger than the problem of hacker attacks. Most people don't have any vulnerabilities; there's nothing a hacker can do to you. So I argue against the necessity of any kind of inbound blocking tool," said Gibson.

    To prove his point, Gibson has developed a free utility called LeakTest. The 27-Kbyte program is a trojan-horse/spyware simulator that attempts to slip past a personal firewall's defenses and connect to a server on the Internet.

    Not surprisingly, popular intrusion detection programs like BlackIce Defender from Network Ice fail to catch the outgoing connection and report it to the user. But more disturbingly, several firewalls that claim to offer outbound detection are also fooled by LeakTest. Among them, the best selling Norton Personal Firewall and McAfee Firewall.

    Both are among a small number of desktop firewall programs that attempt to address the problem of unauthorized outbound leakage, but Gibson says they fall short and can be easily fooled or bypassed because they come pre-programmed to allow some applications to pass through the firewall.

    "This idea of allowing all these apps pre-approval is ludicrous. It's trivial to get permission out of the firewall without notifying the user," said Gibson, who observed that only one firewall, ZoneLab's ZoneAlarm, prevents malware from masquerading as a trusted program.

    "They do a cryptographic signature of the programs you're allowing. That's not hard to do, but they're the only ones who do it," he said.

    Tom Powledge, Symantec's product manager for Norton Internet Security, said the risks outlined by Gibson are low if users are running both a firewall and anti-virus software. And he said Symantec knows of no instances of programs that specifically target Norton Personal Firewall, which is shipped with NIS.

    But in response to Gibson's critique, Symantec plans to revise the application integrity checking feature in NIS, with an update available to users over Live Update by early next week. In the meantime, Powledge said concerned users can turn off automatic firewall rule creation.

    Judging by comments on the LeakTest message board at Gibson's site, plenty of users are concerned about the newly exposed porosity of their favorite firewall software. But Symantec's Powledge said their fears could have been avoided if Gibson had given vendors the customary advance notice before releasing LeakTest.

    "We were seeing no concern about this, and no exploits have been written. And while this makes customers aware of a potential issue, it also makes hackers aware," said Powledge.

    But Gibson, who had an earlier run-in with RealNetworks over the privacy behavior of its RealDownload product, said he's learned that unless pressure is brought to bear, companies are resistant to change.

    "These firewalls are not going to get better unless there's someone saying and able to prove -- and to enable the user to prove -- that these things are junk."


    Firewall-1

    ***+ Root Prompt -- Auditing Your Firewall Setup by Lance Spitzner [Apr. 10, 2000]


    SunScreen

    Securing Systems with Host-Based Firewalls - Implemented With SunScreen[tm] Lite 3.1 Software
    -by Martin Englund
    This article provides a discussion of why host-based firewalls can be an effective alternative to choke-point based firewalls or an additional layer of security in an environment. Details are then provided on how to implement a host-based firewall using Sun's free host-based firewall software - SunScreen[tm] SecureNet Lite.


    BlackIce

    BlackICE Defender, a software review from WebAttack.com (www.webattack.com/reviews/blackice_rv.shtml): "BlackICE Defender by Network ICE is a unique Network/Internet security tool that combines a packet filtering personal firewall and an ..."


    Zonealarm

    Zonelabs is an awesome company with a great product. They also know how to do business. They don't lie to or try to shaft their customers, they support their product and they price it reasonably. It's too bad there are not more companies like them. Zone Alarm's splash screen can be disabled. In Windows Explorer, go to C:\Windows\All Users\Start Menu\Programs\StartUp and right-click on the ZoneAlarm shortcut. Select Properties. The Target command line will say something like, "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe". Just add the switch " -nosplash" (without quotes) and it will no longer show a splash screen at startup. So that it looks like this: "C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" -nosplash (i.e. put a space between the " and the hyphen)

    If you've disabled the pop-up alert window from within the program, you'll see a -nopopup switch already present in the command line.

    Win XP's firewall is weak at best (and then there's the TRUST issue), so don't pass up this terrific firewall program.

    Download ZoneAlarm v2.6 (free)
    Download ZoneAlarm Pro v2.6
    Understanding ZoneAlarm's Security Alerts
    Installing ZoneAlarm

    I'm currently a user of Zone Alarm 2, and really enjoy its features. The noted feature of blocking popup-ads sounds like a winner in my book.

    However, I was hoping to hear more on added protection against Firewall Evasion. You mentioned "finger-printing" to prevent infected applications from accessing the net, but that's just a bugfix from 2.0's existing feature which did that already, but it only checked the .exe.

    What Zone Alarm really needs is the ability to authorize which programs are allowed to access which sites. Programmers are already aware that a great number of average users are installing Zone Alarm, so they just find ways around the Firewall. Notably, if a program is meant to access the internet, say an FTP client, the user will give that program permission to act as a Server and Access The Internet. So the programmer simply anticipates this, waits for the user to use the program a few times, by then they trust it enough to add it to Zone Alarm, before finally phoning home with all sorts of evil-goodness. Zone Alarm needs to track which sites (not just by IP, but by DNS) the user allows the program to access, and deny all others.

    Anyway, it's still a great tool. Perhaps not as secure as ConSeal or other firewalls out there, but definitely not as needy and troublesome either.
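    The comment above asks for egress control that is keyed both to a fingerprint of the executable and to the destinations the user approved for it, rather than a blanket "may access the Internet" grant. The following is an added illustration of that policy model, not ZoneAlarm's code or any product's: the `ProgramRule` structure, the `decide()` function, the program path, the executable bytes and the addresses are all constructed for the example. The strict policy is shown beside the weak per-program grant so the difference in what each lets through is visible.

```python
"""Per-program egress policy keyed by executable fingerprint AND destination.

Added illustration of the feature the comment asks for; this is not ZoneAlarm's
code, and the policy structure, rule fields and sample values are all invented.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ProgramRule:
    sha256: str                                        # fingerprint taken when the user authorised it
    allowed_hosts: set = field(default_factory=set)    # DNS names; "*.example.com" style wildcards
    allowed_nets: list = field(default_factory=list)   # ipaddress networks for literal-IP targets
    allow_any: bool = False                            # the weak "may access the Internet" setting


def fingerprint(exe_bytes: bytes) -> str:
    """Fingerprint of the executable image, so a replaced or patched binary loses its trust."""
    return hashlib.sha256(exe_bytes).hexdigest()


def host_allowed(host: str, patterns: set) -> bool:
    """Exact match, or wildcard match on subdomains only (never the bare apex name)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        pat = pat.lower()
        if pat.startswith("*."):
            if host.endswith(pat[1:]) and host != pat[2:]:
                return True
        elif host == pat:
            return True
    return False


def decide(policy: dict, program: str, exe_bytes: bytes, dest_host, dest_ip: str):
    """Return (verdict, reason) for one outbound connection attempt."""
    rule = policy.get(program)
    if rule is None:
        return "deny", "program never authorised"
    if fingerprint(exe_bytes) != rule.sha256:
        return "deny", "executable changed since it was authorised"
    if rule.allow_any:
        return "allow", "program trusted for any destination"
    if dest_host and host_allowed(dest_host, rule.allowed_hosts):
        return "allow", f"{dest_host} is on the program's allow-list"
    ip = ipaddress.ip_address(dest_ip)
    if any(ip in net for net in rule.allowed_nets):
        return "allow", f"{dest_ip} is inside an allowed network"
    return "deny", "destination not authorised for this program"


# Constructed scenario: an FTP client the user trusted for one site.
FTP_EXE = b"\x4d\x5a constructed stand-in for the ftp client image"   # not a real binary
FTP_PATH = r"C:\Program Files\ExampleFTP\ftp.exe"                    # hypothetical path

POLICY_STRICT = {FTP_PATH: ProgramRule(
    sha256=fingerprint(FTP_EXE),
    allowed_hosts={"ftp.example.com", "*.example.com"},
    allowed_nets=[ipaddress.ip_network("192.0.2.0/24")])}

# The weak form: the per-program "Access the Internet" permission with no destinations.
POLICY_WEAK = {FTP_PATH: ProgramRule(sha256=fingerprint(FTP_EXE), allow_any=True)}


if __name__ == "__main__":
    attempts = [
        ("ftp.example.com", "192.0.2.20"),        # the intended use
        ("updates.example.com", "198.51.100.2"),  # sibling host, wildcard matches
        ("example.com", "198.51.100.3"),          # apex name: wildcard must not match
        ("telemetry.example.net", "203.0.113.5"), # a later "phone home"
        (None, "198.51.100.77"),                  # bare IP outside the allowed nets
    ]
    for host, ip in attempts:
        strict = decide(POLICY_STRICT, FTP_PATH, FTP_EXE, host, ip)
        weak = decide(POLICY_WEAK, FTP_PATH, FTP_EXE, host, ip)
        print(f"{host or ip:24} strict={strict[0]:5} weak={weak[0]:5}  ({strict[1]})")
    # a tampered binary is refused under both policies
    print(decide(POLICY_STRICT, FTP_PATH, FTP_EXE + b"!", "ftp.example.com", "192.0.2.20"))
```

    Under the weak policy every attempt from the trusted binary is allowed, which is exactly the gap the comment describes; under the strict one the "phone home" to a host outside the allow-list is refused even though the program itself is trusted, and a modified executable is refused regardless of destination.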

    Roadrunner


    ummmm David....most of the "new" features you laid out for us already exist in the current version.

    That said, this is the best personal firewall bar none. Check out the review and independent study at the Shields Up! security site. It was the only personal firewall to pass the site owner's "Leak Test" (i.e. it didn't let stuff out that shouldn't get out). ZoneAlarm was the only reason I knew I had the Nimda virus (and it stopped it from infecting other machines by not letting it connect to other servers).

    Anyone using ZoneAlarm should also install mynetwatchman (download at mynetwatchman.com), especially those on DSL or cable connections. It analyzes firewall logs and sends information on hack attempts back to the author's site, where statistics are aggregated and reports of the abuse are sent to the offender's ISP. Take an active role in shutting down the script kiddies!!!

    That person has other problems. I've been using various versions of ZA with a cable connection (first Cox@Home, and now Roadrunner), with absolutely NO problems.
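    The log analysis the comment above describes, turning a stream of blocked inbound events into per-source statistics that are worth reporting, is shown here as an added example. It is not mynetwatchman's or ZoneAlarm's code; the log format, the `FWIN`/`FWOUT` direction markers and the sample lines are constructed for the example (documentation-range addresses, not real offenders), and the thresholds in `build_report()` are arbitrary choices.

```python
"""Aggregate inbound probe events from a firewall log into per-source reports.

Added example of the kind of log analysis the comment above describes; this is
not mynetwatchman's or ZoneAlarm's code, and the log format below is a
constructed, simplified one, not any product's real format.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed format: "<date> <time> <FWIN|FWOUT> <proto> <src>[:<sport>] -> <dst>[:<dport>]"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dir>FWIN|FWOUT) "
    r"(?P<proto>TCP|UDP|ICMP) (?P<src>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<sport>\d+))? -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<dport>\d+))?$"
)

# Constructed sample log: one port sweep, one repeated NetBIOS/ICMP prober,
# one harmless single hit, one outbound entry and one corrupt line.
SAMPLE_LOG = """\
2001-11-20 10:15:02 FWIN TCP 198.51.100.7:4321 -> 192.0.2.10:80
2001-11-20 10:15:02 FWIN TCP 198.51.100.7:4322 -> 192.0.2.10:21
2001-11-20 10:15:03 FWIN TCP 198.51.100.7:4323 -> 192.0.2.10:22
2001-11-20 10:15:03 FWIN TCP 198.51.100.7:4324 -> 192.0.2.10:23
2001-11-20 10:15:04 FWIN TCP 198.51.100.7:4325 -> 192.0.2.10:25
2001-11-20 10:15:04 FWIN TCP 198.51.100.7:4326 -> 192.0.2.10:135
2001-11-20 10:20:11 FWIN UDP 203.0.113.9:137 -> 192.0.2.10:137
2001-11-20 10:21:40 FWIN UDP 203.0.113.9:137 -> 192.0.2.10:137
2001-11-20 10:22:05 FWIN ICMP 203.0.113.9 -> 192.0.2.10
2001-11-20 10:23:59 FWIN UDP 203.0.113.9:137 -> 192.0.2.10:137
2001-11-20 10:30:00 FWIN TCP 192.0.2.55:50000 -> 192.0.2.10:443
2001-11-20 10:31:00 FWOUT TCP 192.0.2.10:1033 -> 198.51.100.200:80
this line is corrupt and must be skipped
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["dport"] = int(ev["dport"]) if ev["dport"] else None   # ICMP has no port
    return ev


def aggregate(log_text):
    """Return ({src: stats}, malformed_line_count) for inbound (FWIN) events only."""
    stats = defaultdict(lambda: {"events": 0, "ports": set(), "protos": set(),
                                 "first": None, "last": None})
    malformed = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if ev is None:
            malformed += 1          # never let a corrupt line abort the whole run
            continue
        if ev["dir"] != "FWIN":
            continue                # outbound entries are not probes against us
        s = stats[ev["src"]]
        s["events"] += 1
        s["protos"].add(ev["proto"])
        if ev["dport"] is not None:
            s["ports"].add(ev["dport"])
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return dict(stats), malformed


def build_report(stats, min_events=3, sweep_ports=5):
    """Keep only sources that cross the event threshold; tag each with the pattern seen."""
    report = []
    for src, s in stats.items():
        if s["events"] < min_events:
            continue
        tags = []
        if len(s["ports"]) >= sweep_ports:
            tags.append("port-sweep")
        if len(s["protos"]) > 1:
            tags.append("multi-protocol")
        if not tags:
            tags.append("repeated")
        report.append({"src": src, "events": s["events"],
                       "ports": sorted(s["ports"]), "protos": sorted(s["protos"]),
                       "window_s": int((s["last"] - s["first"]).total_seconds()),
                       "tags": tags})
    report.sort(key=lambda r: r["events"], reverse=True)
    return report


if __name__ == "__main__":
    stats, bad = aggregate(SAMPLE_LOG)
    for r in build_report(stats):
        print(f"{r['src']:16} {r['events']:3} events over {r['window_s']:4}s "
              f"ports={r['ports']} protos={r['protos']} {','.join(r['tags'])}")
    print(f"{bad} malformed line(s) skipped")
```

    The single hit on port 443 never reaches the report, which is the point of the threshold: a report sent to an ISP on the strength of one stray packet is noise, while six ports from one source in two seconds is a pattern worth recording.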

    E-Safe

    Aladdin Security Portal software security, software protection, Internet security, content filtering, Virus and Vandal protection, license management, electronic software distribution



    Etc

    FAIR USE NOTICE This site contains copyrighted material the use of which has not always been specifically authorized by the copyright owner. We are making such material available in our efforts to advance understanding of environmental, political, human rights, economic, democracy, scientific, and social justice issues, etc. We believe this constitutes a 'fair use' of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit exclusively for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond 'fair use', you must obtain permission from the copyright owner.

    Copyright © 1996-2016 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. This document is an industrial compilation designed and created exclusively for educational use and is distributed under the Softpanorama Content License.

    Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

    Disclaimer:

    The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

    Last modified: September 12, 2017