
Firewalling

Introduction

Firewalling has become more than just packet filtering. In the early days a firewall was a simple TCP/IP filtering solution: it looked at each packet, checked its source and destination IP address and its source and destination port, and either allowed or blocked that packet. Although the principle is very simple, it is very reliable and adds a lot of security. This type of firewall is called a network firewall.

For the packets a network firewall allows, there is another type of firewall, the application firewall. This type of firewall does a deeper analysis of the packets sent to a service listening on a specific TCP/UDP port. The application firewall sits at a higher level in the TCP/IP stack, closer to the application that receives or sends the packets. It has a more complete view of what really happens inside all of these packets and is designed to scan for certain types of attack and to protect the application if such an attack is detected.

Network Firewall

Use a network firewall to secure ALL your internet connections. Not all firewalls are at their highest security setting by default. The following rules make your firewall more secure.

  • Most firewalls allow certain packets, like ICMP Echo Request (ping), to pass by default. If you don't need this functionality, deny echo requests from passing the firewall: the ping utility can be used against your system in a DoS attack, an OS fingerprinting scan, or a ping of death attack (appending a large amount of data to the ICMP Echo Request packet, causing a kernel buffer overflow when the computer attempts to respond). Block these packets if you don't need them.
  • Do not allow passive FTP. Doing so allows outbound connections on certain ports to the attacker (think: "trojan").
  • You should deny outbound TCP connections. Especially check DNS lookups: do not allow TCP 53 (zone transfers), only allow UDP 53 connections.
  • Be careful with which ports you open for protocols that need so-called secondary connections. An attacker can use the primary connection to open the firewall and then attack the ports of the secondary connections.
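As an added illustration of the rules above (not code from this page or from WebKnight), here is a small stateless, first-match packet filter in Python that encodes them; the published port 80 service and the RFC 5737 sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical network-firewall model (constructed for this example, not
# WebKnight code): a stateless, first-match packet filter that looks only at
# direction, protocol, addresses, ports and ICMP type, as the text describes.

@dataclass(frozen=True)
class Packet:
    direction: str                    # "in" (from the Internet) or "out" (to it)
    proto: str                        # "tcp", "udp" or "icmp"
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None   # 8 = ICMP Echo Request (ping)

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: Optional[str] = None   # None means "any"
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        wanted = [(self.direction, p.direction), (self.proto, p.proto),
                  (self.dst_port, p.dst_port), (self.icmp_type, p.icmp_type)]
        return all(w is None or w == have for w, have in wanted)

# Rules are checked in order; the last one is the default policy (deny).
RULESET = [
    Rule("deny",  "in",  "icmp", icmp_type=8),   # no inbound ping: DoS, fingerprinting, ping of death
    Rule("allow", "in",  "tcp",  dst_port=80),   # the one service we publish (assumed: a web server)
    Rule("deny",  "out", "tcp",  dst_port=53),   # no outbound TCP 53 (zone transfers)
    Rule("allow", "out", "udp",  dst_port=53),   # ordinary UDP DNS lookups are fine
    Rule("deny",  "out", "tcp"),                 # no other outbound TCP (passive FTP data, trojans)
    Rule("deny"),                                # default: drop everything else
]

def filter_packet(p: Packet, rules=RULESET) -> str:
    """Return "allow" or "deny" for packet p using first-match semantics."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"  # unreachable with RULESET, kept as a safe default
```

Because the filter is stateless, replies to the allowed UDP 53 query are not modelled here; a real firewall needs a stateful rule for them.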

  • ISA Server
  • MS Proxy 2.0
Application Firewalls

Besides using a network firewall, which only works on the network layer (which packets for which port?), you should also protect the services on the ports you allow. This can be done by using special application layer filters or firewalls like:

Desktop firewalls

Protecting your servers is one thing, but you should also protect the desktop computers in your network. A network firewall for the desktop is also called a personal firewall.

Final note

Nowadays most network and desktop firewalls also have application layer filters (or even intrusion detection capability) built in. These are used for content filtering: anti-virus, spam filtering, advertising filtering, privacy filtering, active scripting filtering, and so on.

Firewall forensics


Published: 7/02/2002
Last modified: 3/09/2004
Document Type: General
Target: General
Visibility: Public
Language: English
