A firewall is any computer you set up to evaluate the traffic coming and going through your Internet connection.

Many self-proclaimed security experts fail to address the issue of outgoing packets when implementing a firewall. Not only is it important to manage the traffic coming in to your network but you must also filter the outgoing traffic as well.

General Firewall Filtering

Generally speaking, most Internet routers can be configured as a firewall. The firewall looks at each packet as it comes and goes though it and determines what rules apply and directs the packets according to those rules.

This means if you wan no traffic coming or going to certain hacker domains or YouTube or any other such domains, then tell that to the firewall and they’ll stop all packets to or from that address.

Inbound Filtering

Inbound firewall filtering monitors the packet types and the source and destinations and decides if the packets should allowed, blocked, or changed in some way.

This is how you would set up a DMZ so the machines aren’t visible to the outside world. The rule could say if it’s a packet coming from outside the local network and outside the DMZ then it should be blocked. At this point the originating address could also be blocked for all types of traffic just in case they’re trying to break in.

Outbound Filtering

Just as important as inbound firewall rules are the outbound rules. If a machine on your local network gets compromised these outbound rules will prevent it from reaching the machine that is trying to control it.

It’s possible that the compromised machine on your network is trying to connect to a controlling computer or is trying to download your company’s personal information, these outbound filters will prevent it from reaching its destination.

Firewall rules can be quite complex and are such a fundamental piece of a security program that you don’t want to risk getting it wrong. Contact us and we can design and implement a firewall that works for you company considering both incoming traffic and outbound traffic.

Contact us a Access Technologies, a Nevada based Computer Security company.

The purpose of this DMZ is it allows your company to protect the machines on this network so they can only accept connections securely and the traffic on this network is expected to be either non-critical information of any critical data is encrypted. This way if any of the servers in the DMZ become compromised, then only the DMZ is at risk.

Some companies may need multiple levels of DMZ. As an example, if the company has a web server that connects users to their personal data, having the web server and its necessary support servers on one DMZ and the secured database supplying the web server data on another DMZ will prevent everything from becoming compromised. Furthermore, it prevents open attacks against the database server from the Internet.

A hacker would have to successfully break into a machine on the DMZ and then use that machine to try to attack the other DMZ or local network. This is generally more work that it’s worth and most importantly slowing down the attack allows your company time to recognize the attack and either thwart it or call in the authorities and put another hacker in jail.

If you’re only serving up a website, you still need an DMZ.

Contact us for information and help setting up a secure DMZ.

Fortunately, many of today’s routers come configured in somewhat secure configurations. Still, though, you wan to ensure that you aren’t leaving anything to chance by failing to evaluate the security of your router and its settings.

Many Internet facing routers today double as wireless routers. For wireless routers, here are some important issues to consider:

1. Do you have encryption required?
2. Do you have a secure encryption key?
3. Do you have wireless enabled even though it’s not needed?
4. Do you restrict access to the router through Access Control Lists?
5. Do you prevent router configuration changes from the wireless interface?

For an audit of your existing network contact Access Technologies. For a plan on creating a secure network and secure Internet presence, contact us. We can help.

You can have the most secure Internet connection and the most secure network and firewalls and DMZ but they are all worthless if you don’t address the problems with Computer Security in your company.

The difficulty with Computer Security is the training aspect. You can train your people to be alert to the issues of computer security but a month or a year later, not only have many of your people forgotten the important issues, but many people may no longer be with your company and what’s more, the attack vectors are sure to have changed in that time.

Computer Security is an issue that needs to be addressed on a regular basis.

There are two primary approaches to Computer Security:

1. Security Audits. It’s critical to evaluate your current security issues including the state of the machines and the health of your security policy.
2. Security Training. Training must be repeated to be effective. The frequency at which you renew your training depends on your turnover rate, the level of computer skills of your people, and the quality of your security policy. The better your security policy and the better it is enforced, the more Computer Security will be on the minds of your employees.

If you’re looking for more information on Computer Security Training, Security Policies, or Computer Security Audits, contact the folks at Access Technologies, a Nevada based company specializing in Computer Security issues.

The Attack

A Man-in-the-middle attack is a type of attack where you think you’re connected to your bank’s web site but are in fact connected to an attacker’s site while he’s mirroring all your activity on the real bank site.

This is typically a real-time attack in which the information you send the fake bank site is used to connect to the actual bank site and withdraw money. The reason this is real-time is that your login at the real bank site might be using a temporary password that will expire at the end of the current session. This also means that by the time you find out about the break in, it’s too late to stop it.

These types of attacks are easiest done by spoofing the DNS resolution of the victim’s DNS queries.

If you use your laptop to connect to the wireless networks at your hotels or at the airports, you’re at risk of connecting to the wrong site and if you connect to an attacker’s WiFi, then you are using his DNS server.

I’ve even known people who connect to any open wireless network available. This is a sure way to get caught with a man-in-the-middle attack.

Solution

The best solution to this type of attack is education. You should have your employees trained on this and the numerous other vectors of attack. Contact us and set up some training.

DNS Attacks

Domain Name Resolution, often referred to as Domain Name Service (DNS) attacks are the preferred approach for Man-in-the-middle attacks.

There are occasionally vulnerabilities reported in the major DNS service providers, such as BIND, which will allow a hijacker to force your DNS server to feed you the wrong IP address for a host name. That way, when you think you’re going to you bank’s website, you’re really going to the attacker’s site and he’s using your user name and password to log in to your bank account while you think you’re logging in.

You don’t even need a vulnerability in the DNS software to suffer this fate. Any time you are relying on a service you don’t control, you can be fed false domain name information. This is common for hackers that leave open WiFi and broadband access. If you accidentally let your laptop log into one of these, you are believing everything the attacker’s domain name service is giving you, and that’s usually not what you want.

The problem with DNS attacks and man-in-the-middle attacks is that you seldom know you’ve been attacked until you start seeing your bank accounts dwindling.

DNS Attack Solution

So, what’s the solution to this type of attack? The first thing is to ensure that your software is up to date, especially your DNS software.

The second solution is training. It’s important that every company that ever has employees traveling has their employees trained on the most current attack methods and the best ways to avoid them.

Training

We provide numerous training opportunities for both the small and large company to keep their employees informed. Give us a call.

Test Leftovers

In this last case study, the client left his web server configured to display directories. The attacker got a listing of the directory in the CGI directory structure and started looking for easy targets. The most attractive target was the “private” directory which contained many tools that were run from the web interface. At this point the attacker used a file to download the company’s commissions database.

Solution — Turning off directory listings is a big first step to preventing this, but sometimes even the robots.txt file is just as bad. Many websites have a file that tells the search engines which directories not to index. Sometimes these directories have names like, “Test”, or “private”. No better place to go looking if you’re attacking. The second solution was to put access-control restrictions on the internal tools directories. Upon further investigation we found that many of the programmers had left test files lying about in the CGI directory that would give away the farm. As for recovering the data that was stolen — well, the machine where the attacker came from was compromised as well so we never found out who it was.

• Return to More Internet Security Case Studies
• Return to the Internet Security Information Home Page

Microsoft Web Server

Like so many in the news, this client refused to update his Web Server software since “every time it would break more than it fixed.” As painful as it may be to update your MS products, it’s always more difficult and expensive to recover from relying on a broken system. There are so many secure systems on the market today, there’s no reason to stick with one that you know is broken.

This client was compromised and defaced by attackers that knew MS vulnerabilities and exploited them to gain Administrator access to the Windows machines. The attackers then defaced the website and changed the administrator’s password.

Solution — The only solution in this case was to reinstall Windows and restore from backups. If this client hadn’t made recent backups, this could possibly have been more expense than the company could bare.

• Testfile Security Case Study
• Return to More Internet Security Case Studies
• Return to the Internet Security Information Home Page

Microsoft Sharing Vulnerabilities

Sometimes even the best protected network can get infected. In this case, a client had a very strict firewall policy that did wonders at keeping out trouble, even at the expense of a less usable network. Internet access was only allowed between certain sites and even the e-mail server was outside the firewall.

In this case, the client felt so secure with a firewall that he enabled sharing across many machines within his network. Sharing in read-only would have reduced the impact of this break-in but unfortunately they had full permissions and without passwords except in two cases where the password was the machine name.

The infection came from the client’s laptop which he plugged in at home to a DSL line. Since the DSL did not have a firewall, the laptop was compromised. Then, when he connected the laptop to his office network it infected everything.

Solution — The only way to clean up this disaster was to reformat and reinstall all software on all the machines. Never think that since you have strong security in some areas means you can ignore security in others.

• IIS Security Case Study
• Return to More Internet Security Case Studies
• Return to the Internet Security Information Home Page

Session ID Hijacking

I got a concerned call from a client upset by what his webmaster had reported as “strange” web activities by some of the customers. Their web application was reporting error messages coming from multiple users. Their software used cookies to uniquely identify their customers’ sessions.

Further investigation of the error logs showed that although the errors were coming from multiple customers, the IP address on all the errors was the same.

The attacker had looked at his cookies to find the session ID. When the system assigned a unique ID, it assigned the IDs in numerical order, even though the number was hidden in text. For example, the IDs looked like abc1ABC1 and abc2ABC2.

The attacker had guessed that there must be someone else on the system with abc3ABC3 so he changed his cookie value and inherited someone else’s session. Once his identity was masked by the other user’s ID, he started testing the system for weaknesses, and was producing the error messages that alerted the webmaster.

Solution — Taking out the unsuccessful attempt to obfuscate the session ID and instead generating a random number proved to solve the problem. Further investigation into the system showed that the attacker was wasting his time dealing with the cookies. The web server was configured to allow reading directory data from the web directory and the customer database was available and visible in this directory listing. The worst part was that the customer database was a text file and the passwords weren’t even encrypted.

We also turned off directory listings of the web directories and expired all the customer passwords. What a mess!

• Sharing Security Case Study
• Return to More Internet Security Case Studies
• Return to the Internet Security Information Home Page