Firewall Basics for the Beginning User - PowerPoint PPT Presentation

About This Presentation
Title:

Firewall Basics for the Beginning User

Slides: 48
Provided by: mguen

Transcript and Presenter's Notes


1
Firewall Basics for the Beginning User
2
Outline
  • What is a firewall?
  • Basics of Kerio Firewall - Starting Out
  • Why do I need a personal firewall?
  • What a personal firewall can do
  • What a personal firewall can't do
  • Personal firewall comparisons
  • Credits

3
(No Transcript)
4
What's a Firewall?
  • A security system that acts as a protective boundary between a network and the outside world
  • Isolates your computer from the internet using a "wall of code"
  • Inspects each individual "packet" of data as it arrives at either side of the firewall, inbound to or outbound from your computer
  • Determines whether it should be allowed to pass or be blocked

5
Rules determine WHO, WHEN, WHAT and HOW.
(Diagram: INTERNET | Firewall | My PC on a Secure Private Network)
6
Kerio Firewall Basics
A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). A local area network may serve as few as two or three users (for example, in a home network) or as many as thousands of users.
  • A firewall is software or hardware between your LAN and the Internet, inspecting both inbound and outbound traffic by rules that you set, which define the sort of security you want.
  • Kerio choices for unknown traffic:
  • Permit Unknown
  • Ask Me First
  • Deny Unknown

7
What Traffic Is Good/What's Bad?
  • Experience
  • Reading
  • Learning
  • Installation Note

8
(No Transcript)
9
(No Transcript)
10
  • Information about the remote end-node (IP address, port and communication protocol)
  • Detailed information about the connection
  • Information about the local application taking part in the communication (as a client or server)
  • Permit: let the communication pass through, or Deny: stop (filter) the communication
  • Automatically create rule: causes the next packet of the same type to be either permitted or denied access. This can be used in the initial configuration of Personal Firewall: the user does not need to define any rules, but as they run their favorite applications, rules can be created for them in this way.
  • MD5 signature created: subsequent executions of that same application name will be compared against the initial signature. This would prevent a Trojan from spoofing its name to a trusted application such as outlook.exe.
11
  • If the communication is permitted by the user, an MD5 signature is created for the application. The signature is checked during each subsequent attempt of the application to communicate over the network.

12
Application MD5 Signature
A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check whether the same number of bits arrived. If the counts match, it's assumed that the complete transmission was received. Both TCP and UDP communication layers provide a checksum count and verification as one of their services.
  • The application signature is a checksum of the application's executable.
  • It is created when the application is first run (or when the application first tries to communicate via the network).
  • A dialog displays, in which a user can permit or deny such communication.

13
(Diagram: shared network behind a wireless router)
14
(No Transcript)
15
Three IP network address blocks are reserved for private networks. They can be used by anyone setting up internal IP networks. It may be safer to use these because routers on the Internet will never forward packets coming from these addresses.
  • SAFE PINGS?
  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Ping is a basic Internet program that lets you verify that a particular IP address exists and can accept requests. Ping is used diagnostically to ensure that a host computer you are trying to reach is actually operating.
16
I accessed IE, my browser, to get to Google. Remember to check the box so the appropriate rule will be created.
17
  • I also have IM. This is a connection I'll permit, since it was initiated by the application.

18
(No Transcript)
19
Starting Out - Basic Guidelines (Remember: set to learning mode by default)
  • Start in Ask Me First
  • Permit everything you initiate for 2 - 5 days
  • Default to Deny pings
  • If you choose to enable pings, remember that for the most part you don't mind sending (outbound) "requests" or receiving (inbound) "replies", but you don't want to be replying outbound yourself unless absolutely necessary
  • Deny anything you do not initiate
  • If questionable:
  • Deny
  • Take a print of screen
  • Send to Net Manager or __________________

20
Kerio Firewall Basics
  • User-set rules that act as filters (either defined or traffic based)
  • Can disallow unauthorized or potentially dangerous material from entering the system
  • Logs attempted intrusions

21
Alerting and Logging
  • Key features of a firewall: the ability to alert the user when it detects an attack, and to maintain a system log of these events
  • Provides the ability to identify threats and to fine-tune the firewall configuration appropriately
  • A key responsibility of the user is to monitor the logs and take appropriate action when necessary.
  • Not all events that appear in the log are hacker "attacks."
  • Many different types of harmless events can appear in the log, for example ISP server pings

22
Kerio Firewall Basics
  • How A Firewall Works

23
How does a Firewall Work?
  • Internet communication is accomplished by the exchange of individual "packets" of data.
  • Each packet is transmitted by its source machine toward its destination machine.

A "connection" is actually comprised of individual packets traveling between those two "connected" machines. They "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.
24
Every Internet Packet Must Contain
  • A destination address and port number.
  • The IP address and a port number of the originating machine (its complete source and destination addresses).
  • An IP address always identifies a single machine on the Internet, and the port is associated with a particular service or conversation happening on the machine.

25
What a Firewall Can Do
  • Since the firewall software inspects each and every packet of data as it arrives at your computer BEFORE it's seen by any other software running within your computer, the firewall has total veto power over your computer's receipt of anything from the Internet.
  • A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!

26
What a Firewall Can Do
  • But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks.
  • It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.
  • In packet filtering, the firewall software inspects the header information (source and destination IP addresses and ports) in each incoming and, in some cases, outgoing, TCP/IP packet.
  • Based on this information, the firewall blocks the packet or transmits it.

27
Originating Your Own Connections to Other
Machines on the Internet?
  • When you surf the web you need to connect to web servers that might have any IP address.
  • Every packet that flows between the two machines is acknowledging the receipt of all previous data (through the "ACK" bit).
  • A firewall determines whether an arriving packet is initiating a new connection, or continuing an existing conversation.
  • It permits the establishment of outbound connections while blocking new connection attempts from the outside:
  • Established connection packets are allowed to pass through the firewall,
  • New connection packet attempts are discarded.

28
Packet Filtering Rules
  • Filtering rules define which packets should be allowed or denied communication.
  • Without these rules Kerio Personal Firewall would only work in two modes:
  • all communication allowed
  • all communication denied.
  • There exist two ways of creating the filtering rules:
  • Automatically - either permit or deny an unknown packet
  • Manually in the Personal Firewall Administration program:
  • create rules
  • edit rules
  • remove rules
  • prioritize rules (put in order)
  • Defined rules display in the Filter Rules tab, located in the Firewall Administration main window (Advanced), Firewall tab.

29
List of filtering rules
30
  • The filtering rules are displayed in a table, in which each line represents one rule. Individual columns have the following meaning:
  • Checkbox: indicates whether the rule is active or not. By a single click the user can activate or deactivate the rule without the need of removing or adding it.
  • Application icon: displays the icon of the local application to which the rule applies. If the rule is valid for all applications a special green icon saying ANY is displayed instead. Only in rare situations should such a rule exist.
  • Rule Description: the direction and description of a rule. The following symbols are used for direction: right arrow (outgoing packet), left arrow (incoming packet), double (both-direction) arrow (the rule applies for both outgoing and incoming packets). The rule's description can contain anything the user wishes. For an automatically created rule the name of the application is used for its description.
  • Protocol: the communication protocol used (TCP, UDP, ICMP...). The direction of the communication (In, Out or Both) is also displayed in brackets following the name of the protocol.
  • Local: local port
  • Remote: remote IP address and port (separated by a colon)
  • Application: the local application's executable including the full path. If the application is an operating system service, the name displayed will be SYSTEM.

31
Controls
  • Add: adds a new rule at the end of the list
  • Insert: inserts a new rule above the selected rule. This function spares the user from moving the new rule within the list, as it allows for inserting a new rule at any desired place.
  • Edit: edits the selected rule
  • Delete: removes the selected rule
  • Arrow buttons (to the right of the list of rules): these enable placement of a selected rule within the list.
  • Note that filters work from the top down, so the placement of a rule is very important

32
What a Firewall Cannot Do
  • Do firewalls prevent viruses and Trojans? NO!! A firewall can only prevent a virus or Trojan from accessing the internet while it is on your machine
  • 95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program
  • Firewalls can't prevent this -- only a good anti-virus software program can

33
  • However, once installed on your PC, many viruses and Trojans "call home" over the internet to the hacker that designed them
  • This lets the hacker activate the Trojan, and he/she can now use your PC for his/her own purposes
  • A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system

34
  • IF the application's executable is changed (e.g. it is infected by a virus or it is replaced by another program):
  • communication is denied
  • the firewall displays a warning
  • it asks if such a change should be accepted (e.g. in the case of an application upgrade) or not.
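An added example (not Kerio's code) of the application-signature check described on slides 10 to 12 and here on slide 34: the first time an application asks to communicate the user is prompted, a Permit records an MD5 of the executable, later attempts are compared against it, and a changed executable with the same name is refused and reported. The application path and executable bytes are constructed.

```python
import hashlib

# Constructed stand-in for the firewall's per-application signature table:
# application path -> MD5 hex digest recorded when the user first permitted it.
# Added illustration of the mechanism on the slides, not Kerio's own code.

def md5_of_executable(exe_bytes: bytes) -> str:
    """MD5 checksum of an executable's contents: the 'application signature'."""
    return hashlib.md5(exe_bytes).hexdigest()

def decide(store: dict, app_path: str, exe_bytes: bytes) -> str:
    """Decision for an application that is trying to use the network:
    'ask'     - no signature yet: show the permit/deny dialog (first run)
    'permit'  - signature matches the one recorded when the user permitted it
    'changed' - same name, different executable: deny, warn, ask whether to accept
    """
    known = store.get(app_path)
    if known is None:
        return "ask"
    if known == md5_of_executable(exe_bytes):
        return "permit"
    return "changed"

def record_permit(store: dict, app_path: str, exe_bytes: bytes) -> None:
    """User clicked Permit (or accepted an upgrade): remember this executable's signature."""
    store[app_path] = md5_of_executable(exe_bytes)

def scenario() -> list:
    """Lifecycle from the slides, run over constructed executables and a constructed path."""
    store = {}
    app = r"C:\Program Files\Microsoft Office\outlook.exe"       # constructed path
    genuine = b"MZ genuine outlook.exe (constructed bytes)"       # constructed
    replaced = b"MZ something else renamed to outlook.exe"        # constructed
    decisions = [decide(store, app, genuine)]       # first run -> 'ask'
    record_permit(store, app, genuine)              # user permits; MD5 recorded
    decisions.append(decide(store, app, genuine))   # same binary -> 'permit'
    decisions.append(decide(store, app, replaced))  # same name, different binary -> 'changed'
    record_permit(store, app, replaced)             # user accepts the change (e.g. a real upgrade)
    decisions.append(decide(store, app, replaced))  # now -> 'permit'
    return decisions

if __name__ == "__main__":
    print(scenario())
```

MD5 is kept here because it is what the slides describe; a modern check would use SHA-256, since MD5 collisions are practical.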

35
Filter Rules - Before You Start
  • You'll have an easier time if you can get the following information and write it down for reference:
  • DNS server address(es)
  • DHCP server address(es)
  • The subnet mask and range of any LAN you may
    have, along with the statically assigned address
    ranges of your active machines, if you use static
    IP addresses locally.

36
Before You Start
  • Simple packet and port filtering firewall
  • Kerio filters ports and IPs, and supports very basic application layer authentication, by verifying that apps are what they say they are via an MD5 hash.
  • Fully rules-based firewall:
  • no automation functions
  • minimal suggested or pre-coded rules
  • ultimate measure of effectiveness depends on sound, ordered rules.

37
  • Users will be prompted to allow or disallow traffic to their machines through the firewall.
  • Look carefully at what the traffic is and where it is coming from.
  • It will be up to the individual user to decide what traffic to allow and what traffic to deny.
  • If there is a question, deny the traffic but take a snapshot of the firewall warning and send it to your Net Manager or _______________ for assistance.

38
Creating a Basic Rule set
  • Emphasis is on "basic."
  • Prompts will help you set up your internet apps.
  • A deny-by-default firewall
  • The first rules you need will be a deceptively simple trilogy: a very basic set of rules to allow DNS, DHCP and ICMP.
  • The apps will follow, in due time.
  • If you use static IP addressing (behind a router, for example), the DHCP rule is unnecessary. You may also want to provide for open access for your LAN machines, near the top, if you have a network and consider it fully trusted.

39
Rule Priority and Ordering
  • Very simple, and critically important.
  • Top down, process until a match is found.
  • When a match is found, apply the matching rule
    and STOP.
  • Nothing below the match will be looked at at all.
  • Using creativity, this opens up the potential for
    some very nice if-then conditionals.
  • No analog to "pass", where a rule is applied and
    processing continues.
  • Only options are allow and deny.
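The first-match rule engine described on slides 30, 31 and 39, as an added example that is not Kerio's code: each Rule holds the columns of the Filter Rules table, packets are tested top down, the first match decides and there is no "pass". The rule set follows the order slide 38 recommends (trusted LAN near the top, then DNS, DHCP and ICMP, then applications, then deny everything else); application paths, addresses and ports are constructed.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Rule:                      # one line of the Filter Rules table (slide 30 columns)
    app: str                     # local executable path, or "ANY"
    direction: str               # "in", "out" or "both"
    protocol: str                # "TCP", "UDP", "ICMP" or "ANY"
    local_port: Optional[int]    # None = any local port
    remote: str                  # remote IP address or CIDR block, or "ANY"
    remote_port: Optional[int]   # None = any remote port
    action: str                  # "permit" or "deny"; there is no "pass"
    description: str

# What the firewall sees for one packet (constructed fields; direction is "in" or "out").
Packet = namedtuple("Packet", "app direction protocol local_port remote_ip remote_port")
def matches(r: Rule, p: Packet) -> bool:
    return ((r.app == "ANY" or r.app == p.app)
            and (r.direction == "both" or r.direction == p.direction)
            and (r.protocol == "ANY" or r.protocol == p.protocol)
            and (r.local_port is None or r.local_port == p.local_port)
            and (r.remote == "ANY" or ip_address(p.remote_ip) in ip_network(r.remote, strict=False))
            and (r.remote_port is None or r.remote_port == p.remote_port))

def evaluate(rules, p: Packet):
    """Top down: the first matching rule decides and processing STOPS; no match means Deny Unknown."""
    for r in rules:
        if matches(r, p):
            return r.action, r.description
    return "deny", "no rule matched (Deny Unknown)"

IE = r"C:\Program Files\Internet Explorer\iexplore.exe"   # constructed path
RULES = [  # constructed rule set, in the order the slides recommend
    Rule("ANY", "both", "ANY", None, "192.168.1.0/24", None, "permit", "trusted LAN"),
    Rule("ANY", "out", "UDP", None, "198.51.100.53", 53, "permit", "DNS to ISP resolver"),
    Rule("ANY", "both", "UDP", 68, "ANY", 67, "permit", "DHCP"),
    Rule("ANY", "in", "ICMP", None, "ANY", None, "deny", "deny inbound pings"),
    Rule(IE, "out", "TCP", None, "ANY", 80, "permit", "IE web browsing"),
    Rule("ANY", "both", "ANY", None, "ANY", None, "deny", "deny everything else"),
]

def demo():  # constructed packets; returns the description of the rule that decided each
    pkts = [Packet(IE, "out", "TCP", 49152, "93.184.216.34", 80),     # browsing on port 80
            Packet(IE, "out", "TCP", 49153, "93.184.216.34", 8080),   # same app, unexpected port
            Packet("SYSTEM", "in", "ICMP", 0, "203.0.113.9", 0),      # inbound ping
            Packet("SYSTEM", "in", "TCP", 445, "192.168.1.20", 50000)]  # LAN neighbour
    return [evaluate(RULES, p)[1] for p in pkts]
```

Moving the final "deny everything else" rule to the top of the list makes every packet hit it first, which is the ordering mistake slide 31 warns about.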

40
Configuration Information
  • Depends on both ports and application names.
  • Users can define rules according to actual ports, or they can set rules to match a program.
  • The firewall will detect common programs such as web browsers and email programs and auto-configure the necessary ports as they attempt to connect to the internet.
  • The firewall can be set to learn new programs to begin with and later changed to only allow those that have been predefined.

41
  • The firewall tends to default to "any port" for detected applications
  • It is recommended that users learn the required port for each allowable Internet program and edit the remote ports to match.

42
Comparison
43
Support
  • If you have a Net Manager, they should be your
    first contact for any issues you may be
    experiencing. However, if you would like to
    contact us, or you do not have a Net Manager,
    please feel free to contact

44
The key to security awareness is embedded in the word security:
SEC-U-R-IT-Y (U R IT)
If not you, who? If not now, when?
45
Resources at the University of Arizona
  • Kerio Firewall
  • https://sitelicense.arizona.edu/kerio/kerio.shtml
  • Sophos Anti Virus
  • https://sitelicense.arizona.edu/sophos/sophos.html
  • VPN client software
  • https://sitelicense.arizona.edu/vpn/vpn.shtml
  • Policies, Procedures and Guidelines
  • http://w3.arizona.edu/policy/
  • Security Awareness
  • http://security.arizona.edu/security/awareness.htm

46
  • University Information Security Office
  • Bob Lancaster, University Information Security Officer, Co-Director CCIT, Telecommunications
  • Lancaster@arizona.edu, 621-4482
  • Security Incident Response Team (SIRT)
  • sirt@arizona.edu, 626-0100
  • Kelley Bogart, Information Security Office Analyst
  • Bogartk@u.arizona.edu, 626-8232

47
Credits
  • Steve Gibson, Gibson Research Corporation
  • http://grace.com/us-firewalls.htm
  • Kerio User Guide - can be downloaded from
  • http://www.kerio.com/us/supp_kpf_manual.html
  • Kerio Firewall Online Resource
  • http://www.broadbandreports.com/faq/security/2.5.1.Kerioandpre-v3.0TinyPFW