Firewall Basics for the Beginning User

Outline
What is a firewall?
Basics of Kerio Firewall - Starting Out
Why do I need a personal firewall?
What a personal firewall can do
What a personal firewall can't do
Personal firewall comparisons
Credits

What's a Firewall?
A security system that acts as a protective boundary between a network and the outside world.
Isolates the computer from the Internet using a "wall of code".
Inspects each individual "packet" of data as it arrives at either side of the firewall, inbound to or outbound from your computer.
Determines whether it should be allowed to pass or be blocked.

[Diagram: INTERNET | Firewall | Secure Private Network (My PC). Rules determine WHO? WHEN? WHAT? HOW?]

Kerio Firewall Basics
Software or hardware between your LAN and the Internet, inspecting both inbound and outbound traffic by rules that you set, which define the sort of security you want.
Kerio choices: Permit Unknown, Ask Me First, Deny Unknown.
A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). A local area network may serve as few as two or three users (for example, in a home network) or as many as thousands of users.

What Traffic Is Good/What's Bad?
Experience
Reading
Learning
Installation Note

When the firewall asks about an unknown communication, it shows:
Information about the remote end-node (IP address, port and communication protocol)
Detailed information about the connection
Information about the local application taking part in the communication (as a client or server)
You can then let the communication pass through, or deny (stop, filter) the communication.
Automatically create a rule, which causes the next packet of the same type to be either permitted or denied access.
This can be used in the initial configuration of Personal Firewall: the user does not need to define any rules, but as they run their favorite applications, rules are created for them in this way.
MD5 signature created: subsequent executions of that same application name will be compared against the initial signature. This would prevent a Trojan from spoofing its name to a trusted application such as outlook.exe.

If the communication is permitted by the user, an MD5 signature is created for the application.
The signature is checked during each subsequent attempt of the application to communicate over the network.

Application MD5 Signature
Checksum of the application's executable.
When the application is first run (or when it first tries to communicate via the network), a dialog displays in which the user can permit or deny such communication.
A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, it's assumed that the complete transmission was received. Both TCP and UDP communication layers provide a checksum count and verification as one of their services.

[Diagram: shared network behind a wireless router]

Three IP network addresses reserved for private networks
Can be used by anyone setting up internal IP networks. It may be safer to use these because routers on the Internet will never forward packets coming from these addresses.
10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

SAFE PINGS ????
Ping is a basic Internet program that lets you verify that a particular IP address exists and can accept requests.
Ping is used diagnostically to ensure that a host computer you are trying to reach is actually operating.

I accessed IE, my browser, to get to Google. Remember to check the box so the appropriate rule will be created.

I also have IM. This is a connection I'll permit, since it was initiated by the application.

Starting Out - Basic Guidelines (Remember - set to learning mode by default)
Start in "Ask Me First".
Permit everything you initiate for 2 - 5 days.
Default to Deny "pings". If you choose to enable them, remember that for the most part you don't mind sending (outbound) "requests" or receiving (inbound) "replies", but you don't want to be replying outbound yourself unless absolutely necessary.
Deny anything you do not initiate.
If questionable - Deny.
Take a print of screen and send it to your Net Manager or __________________.

Kerio Firewall Basics
User-set rules that act as filters (either defined or traffic based).
Can disallow unauthorized or potentially dangerous material from entering the system.
Logs attempted intrusions.

Alerting and Logging
Key features of a firewall: the ability to alert the user when it detects an "attack", and to maintain a system log of these events.
Provides the ability to identify threats and to fine-tune the firewall configuration appropriately.
A key responsibility of the user is to monitor the logs and take appropriate action when necessary.
Not all events that appear in the log are hacker "attacks". Many different types of harmless events, for example ISP server pings, can appear in the log.

Kerio Firewall Basics
How a Firewall Works

How does a Firewall Work?
Internet communication is accomplished by the exchange of individual "packets" of data.
Each packet is transmitted by its source machine toward its destination machine.
A "connection" is actually comprised of individual packets traveling between those two "connected" machines. They "agree" that they're connected, and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.

Every Internet Packet Must Contain
A destination address and port number.
The IP address and port number of the originating machine.
(Its complete source and destination addresses.)
An IP address always identifies a single machine on the Internet, and the port is associated with a particular service or conversation happening on the machine.

What a Firewall Can Do
Since the firewall software inspects each and every packet of data as it arrives at your computer, BEFORE it's seen by any other software running within your computer, the firewall has total veto power over your computer's receipt of anything from the Internet.
A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer.
If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!

What a Firewall Can Do
But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks.
It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.
In packet filtering, the firewall software inspects the header information (source and destination IP addresses and ports) in each incoming and, in some cases, outgoing TCP/IP packet. Based on this information, the firewall blocks the packet or transmits it.

Originating Your Own Connections to Other Machines on the Internet?
When you surf the web you need to connect to web servers that might have any IP address.
Every packet that flows between the two machines is acknowledging the receipt of all previous data (through the "ACK" bit).
A firewall determines whether an arriving packet is initiating a new connection, or continuing an existing conversation.
Permit the establishment of outbound connections; block new connection attempts from the outside.
Established connection packets are allowed to pass through the firewall; new connection packet attempts are discarded.

Packet Filtering Rules
Filtering rules define which packets should be allowed or denied communication. Without these rules Kerio Personal Firewall would only work in two modes: all communication allowed, or all communication denied.
There are two ways of creating the filtering rules:
Automatically - either permit or deny the unknown packet.
Manually in the Personal Firewall Administration program - create rules, edit rules, remove rules, prioritize rules (put in order). Defined rules display in the Filter Rules tab, located in the Firewall Administration main window (Advanced, Firewall tab).

List of filtering rules
The filtering rules are displayed in a table, in which each line represents one rule. Individual columns have the following meaning:
Checkbox - indicates whether the rule is active or not. With a single click the user can activate or deactivate the rule without the need to remove or add it.
Application icon - displays the icon of the local application to which the rule applies. If the rule is valid for all applications a special green icon saying ANY is displayed instead. Only in rare situations should such a rule exist.
Rule Description - the direction and description of a rule.
The following symbols are used for direction: right arrow (outgoing packet), left arrow (incoming packet), double (both-direction) arrow (the rule applies to both outgoing and incoming packets). The rule's description can contain anything the user wishes. For an automatically created rule the name of the application is used for its description.
Protocol - the communication protocol used (TCP, UDP, ICMP...). The direction of the communication (In, Out or Both) is also displayed in brackets following the name of the protocol.
Local - local port.
Remote - remote IP address and port (separated by a colon).
Application - the local application's executable including the full path. If the application is an operating system service, the name displayed will be SYSTEM.

Controls
Add - adds a new rule at the end of the list.
Insert - inserts a new rule above the selected rule. This spares the user from moving the new rule within the list, as it allows inserting a new rule at any desired place.
Edit - edits the selected rule.
Delete - removes the selected rule.
Arrow buttons (to the right of the list of rules) - these enable placement of a selected rule within the list. Note that filters work from the top down, so the placement of a rule is very important.

What a Firewall Cannot Do
Do firewalls prevent viruses and Trojans? NO!!
A firewall can only prevent a virus or Trojan from accessing the Internet while it is on your machine.
95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program.
Firewalls can't prevent this; only a good anti-virus software program can.

However, once installed on your PC, many viruses and Trojans "call home" over the Internet to the hacker that designed them.
This lets the hacker activate the Trojan, and he/she can now use your PC for his/her own purposes.
A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system.

If the application's executable is changed (e.g. it is infected by a virus or it is replaced by another program), the firewall:
denies the communication,
displays a warning, and
asks whether such a change should be accepted (e.g. in case of an application upgrade) or not.

Filter Rules - Before You Start
You'll have an easier time if you can get the following information and write it down for reference:
DNS server address(es);
DHCP server address(es);
the subnet mask and range of any LAN you may have, along with the statically assigned address ranges of your active machines, if you use static IP addresses locally.

Before You Start
Simple packet and port filtering firewall: Kerio filters ports and IPs, and supports very basic application layer authentication by verifying that apps are what they say they are via an MD5 hash.
Fully rules-based firewall, no automation functions, minimal suggested or pre-coded rules; the ultimate measure of effectiveness depends on sound, ordered rules.

Users will be prompted to allow or disallow traffic to their machines through the firewall. Look carefully at what the traffic is and where it is coming from.
It will be up to the individual user to decide what traffic to allow and what traffic to deny. If there is a question, deny the traffic but take a snapshot of the firewall warning and send it to your Net Manager or _______________ for assistance.

Creating a Basic Rule Set
Emphasis is on "basic." Prompts will help you set up your Internet apps.
A deny-by-default firewall.
The first rules you need will be a deceptively simple trilogy: a very basic set of rules to allow DNS, DHCP and ICMP. The apps will follow, in due time.
If you use static IP addressing (behind a router, for example), the DHCP rule is unnecessary.
You may also want to provide open access for your LAN machines, near the top, if you have a network and consider it fully trusted.

Rule Priority and Ordering
Very simple, and critically important.
Top down: process until a match is found. When a match is found, apply the matching rule and STOP. Nothing below the match will be looked at at all.
Using creativity, this opens up the potential for some very nice if-then conditionals.
There is no analog to "pass", where a rule is applied and processing continues. The only options are allow and deny.

Configuration Information
Depends on both ports and application names.
Users can define rules according to actual ports, or they can set rules to match a program.
The firewall will detect common programs such as
and email programs, and auto-configure the necessary ports as they attempt to connect to the Internet.
The firewall can be set to learn new programs to begin with and later changed to only allow those that have been predefined.
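The rule mechanics described in the slides above, modelled together as an added Python example: an application is identified by the MD5 signature of its executable; an ordered rule list is processed top down, the first match wins and nothing below it is looked at; a packet that matches nothing is denied; the DNS/DHCP/ICMP starter trilogy sits first, a trusted-LAN rule near the top, and an application rule has its remote port narrowed from "any port" to the one the program needs. This is not Kerio's code and Kerio exposes no API of this shape; the executable contents, rule set, application names and addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 standing in for the Internet side, 192.168.1.0/24 for the LAN) are all constructed for the demonstration.

```python
"""Added example (not Kerio's code): the two checks a Kerio-style personal
firewall makes, modelled in Python.

Stage 1 ties rules to an application through the MD5 of its executable.
Stage 2 walks an ordered rule list top down, applies the first matching rule
and stops; when nothing matches the packet is denied.
"""
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Stage 1: application identity. These byte strings are constructed stand-ins
# for executable files; a real firewall hashes the program file on disk.
OUTLOOK_ORIGINAL = b"MZ\x90\x00 outlook.exe build 1 (constructed)"
OUTLOOK_REPLACED = b"MZ\x90\x00 outlook.exe swapped by a trojan (constructed)"

signatures = {}  # application name -> MD5 recorded when the user first permitted it


def check_application(name: str, exe_bytes: bytes) -> str:
    """'new' on first sight (prompt the user), 'ok' if the executable is
    unchanged, 'changed' if a known name now has a different executable."""
    sig = hashlib.md5(exe_bytes).hexdigest()
    if name not in signatures:
        signatures[name] = sig
        return "new"
    return "ok" if signatures[name] == sig else "changed"


# Stage 2: ordered packet filtering rules, with the columns of the Filter Rules tab.
@dataclass
class Packet:
    direction: str              # "in" or "out"
    proto: str                  # "TCP", "UDP" or "ICMP"
    remote_ip: str
    remote_port: Optional[int]  # None for ICMP
    local_port: Optional[int]
    app: str                    # local application; "SYSTEM" for a service
    new_conn: bool = False      # True: TCP SYN or an unsolicited ICMP request


@dataclass
class Rule:
    desc: str
    action: str                        # "permit" or "deny"
    direction: str = "both"
    proto: str = "ANY"
    remote_net: str = "0.0.0.0/0"
    remote_port: Optional[int] = None  # None = any port
    local_port: Optional[int] = None
    app: str = "ANY"
    new_conn: Optional[bool] = None    # None = do not care

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("both", p.direction)
                and self.proto in ("ANY", p.proto)
                and ipaddress.ip_address(p.remote_ip) in ipaddress.ip_network(self.remote_net)
                and self.remote_port in (None, p.remote_port)
                and self.local_port in (None, p.local_port)
                and self.app in ("ANY", p.app)
                and self.new_conn in (None, p.new_conn))


def decide(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Top down, first match wins; nothing below the match is looked at."""
    for r in rules:
        if r.matches(p):
            return r.action, r.desc
    return "deny", "no rule matched (deny by default)"


# Constructed rule set: the DNS/DHCP/ICMP trilogy, a trusted LAN near the top,
# then an application rule with the remote port narrowed from "any port" to 80.
DNS_SERVER = "192.0.2.53"  # documentation address standing in for the ISP resolver
BASIC_RULES = [
    Rule("DNS", "permit", "both", "UDP", DNS_SERVER + "/32", remote_port=53),
    Rule("DHCP", "permit", "both", "UDP", remote_port=67, local_port=68),
    Rule("Trusted LAN", "permit", "both", remote_net="192.168.1.0/24"),
    Rule("Block inbound pings", "deny", "in", "ICMP", new_conn=True),
    Rule("Pings we initiated and their replies", "permit", "both", "ICMP"),
    Rule("iexplore.exe", "permit", "both", "TCP", remote_port=80, app="iexplore.exe"),
]


def shadowed_rules() -> List[Rule]:
    """Same rules, but the LAN rule moved below the ping block; the block now
    matches a ping from the LAN first and the LAN rule is never reached."""
    rules = list(BASIC_RULES)
    rules.insert(4, rules.pop(2))
    return rules


if __name__ == "__main__":
    for exe in (OUTLOOK_ORIGINAL, OUTLOOK_ORIGINAL, OUTLOOK_REPLACED):
        print("outlook.exe:", check_application("outlook.exe", exe))
    lan_ping = Packet("in", "ICMP", "192.168.1.5", None, None, "SYSTEM", new_conn=True)
    print("LAN ping, LAN rule near the top:", decide(BASIC_RULES, lan_ping))
    print("LAN ping, LAN rule shadowed:", decide(shadowed_rules(), lan_ping))
    web = Packet("out", "TCP", "198.51.100.7", 80, 1030, "iexplore.exe", new_conn=True)
    irc = Packet("out", "TCP", "198.51.100.7", 6667, 1031, "iexplore.exe", new_conn=True)
    print("IE to port 80:", decide(BASIC_RULES, web))
    print("IE to port 6667:", decide(BASIC_RULES, irc))
```

Running the file prints the three outcomes of the signature check (new, ok, changed) and the rule decisions. The `shadowed_rules()` variant is the ordering point of the "Rule Priority and Ordering" slide: with the trusted-LAN rule moved below the inbound-ping block, a ping from a LAN machine is denied by the block and the LAN rule is never consulted. The last two decisions show why the "any port" default matters: once the iexplore.exe rule is narrowed to remote port 80, the same program talking to port 6667 falls through to the default deny. Unlike the bit-count checksum described on the Application MD5 Signature slide, the MD5 digest covers the whole file, so any modification to the executable produces a different signature.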
The firewall tends to default to "any port" for detected applications.
It is recommended that users learn the required port for each allowable Internet program and edit the remote ports to match.

Comparison

Support
If you have a Net Manager, they should be your first contact for any issues you may be experiencing. However, if you would like to contact us, or you do not have a Net Manager, please feel free to contact

The key to security awareness is embedded in the word security: SEC - U - R - IT - Y. If not you, who? If not now, when?

Resources at the University of Arizona
Kerio Firewall: https://sitelicense.arizona.edu/kerio/kerio.shtml
Sophos Anti Virus: https://sitelicense.arizona.edu/sophos/sophos.html
VPN client software: https://sitelicense.arizona.edu/vpn/vpn.shtml
Policies, Procedures and Guidelines: http://w3.arizona.edu/~policy/
Security Awareness: http://security.arizona.edu/~security/awareness.htm

University Information Security Office
Bob Lancaster, University Information Security Officer, Co-Director - CCIT, Telecommunications, Lancaster@arizona.edu, 621-4482
Security Incident Response Team (SIRT), firstname.lastname@example.org, 626-0100
Kelley Bogart, Information Security Office Analyst, Bogartk@u.arizona.edu, 626-8232

Credits
Steve Gibson, Gibson Research Corporation: http://grace.com/us-firewalls.htm
Kerio User Guide - can be downloaded from http://www.kerio.com/us/supp_kpf_manual.html
Kerio Firewall Online Resource: http://www.broadbandreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW