Sunday, December 14, 2008

Password Advice

Use of a good password is your first security defence. You should always use a password on any computer that others can access, so that no one can access your private information, use your account to impersonate you on the Internet, delete your files by mistake, and so on.

You should change your password regularly, where regularly is determined by your environment -- perhaps every 60 days in an office environment and every six months on a secure home computer. From least to most secure, there are three types of passwords:

  • What you have. Examples include keys and pass cards. The risk is that they can be lost or stolen.
  • What you know. Examples include computer account passwords and building entry passwords, information that passes from your brain through your hand to the security system. The risks are that they can be copied if you are observed entering them, and unless they are sufficiently unique they can sometimes be guessed or cracked.
  • What you are. Examples include fingerprints, retina patterns, and other biometric passwords. These are much more difficult to copy (so far) and are therefore the most secure passwords.

The most common type of password on the Internet is the password you know, mainly an alphanumeric keyword. For a reasonably secure home computer, password selection might be a less critical issue, but on networks open to the Internet there are many very real threats to administrator, network, and application passwords. Many ingenious programs have been written to crack passwords at high volume, some by hackers and some as legitimate security testing tools, and they are of course loose on the Internet. Many of these programs use a variety of dictionary-based attacks, combining common words and word variations to try thousands of passwords as fast as the targeted system will permit. Some start by guessing a whole batch of common passwords.

Other password cracking techniques include low-tech but surprisingly effective methods such as sending an email supposedly from an authorized administrator requesting the password, making a telephone call supposedly from the authorized company and then requesting the password for authentication, and using electronic spyware to capture the legitimate entry of a password and send it to the eavesdropper. As always, the human element is more unpredictable than the technical part.

To provide maximum protection, there are four basic rules for password management security:

  • Pronounceable. The best password is at least eight letters, and pronounceable so that it is memorable. Your password should not be a recognizable word, and should include at least one number, to minimize the chances it can be found by "dictionary" based attacks. There is a simple trick to making them up instantly -- pretend you are two years old, combine random syllables into words, then add a number, such as "banilum4", "somi3can", and "telupson6".
  • Non-clichés. Lots of people use their birthday or spouse's birthday, the name of someone from their family or friends, the name of a favorite pet, or some other high profile subject for their password. Avoid all the obvious choices, since professional hackers try these first.
  • Unique. Never use the same password for more than one purpose, and change important passwords regularly without reusing old ones. Use separate passwords for your computer login, internet account, email account, and other functions. If you use the same password for more than one purpose, you run the risk that if someone knows one of your passwords then they can break into all of your accounts. (This rule may be relaxed for low threat environments such as a home office).
  • Write it down. Unfortunately, the trade-off for using good password practices is that you might forget them, so you need to record them somewhere. If you don't do this, it is a statistical certainty that sooner or later you will find yourself locked out of a computer or application at a very inopportune time. The trick is finding a secure location for storage of this sensitive document. If you have a very secure storage location (locked filing cabinet, encrypted file on your main computer) then you might store it there, but make sure it is secure; if that security protection is bypassed, all of your passwords are lost.

    First principles are: don't leave it on your desk, store it in your wallet, or tape it to the bottom of anything. For non-electronic storage, a common but effective technique is to record your passwords in pencil on a document that is stored with a lot of other documents, or in the margin of a page of a book on a shelf with a lot of other books. That way, even if someone had the time to search for it, it would be difficult to find, and even if found it wouldn't be obvious what it was.
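As an added illustration (not part of the original post), the following Python script generates passwords with the syllable-plus-digit trick described above, rejects candidates that are plain dictionary words (a small constructed word list stands in for a real dictionary), and compares the size of the resulting search space with that of a dictionary word plus a digit. The consonant set, the word list and the 50,000-word dictionary size are assumptions made for the example.

```python
import math
import secrets
import string
from random import Random

# Letters used to build syllables; a few ambiguous consonants are dropped
# so the result stays easy to pronounce and remember.
CONSONANTS = "bcdfghjklmnprstvz"   # 17
VOWELS = "aeiou"                   # 5
# Distinct syllables of the form CV or CVC: 17*5 + 17*5*17 = 1530
SYLLABLE_COUNT = len(CONSONANTS) * len(VOWELS) * (1 + len(CONSONANTS))

# Constructed stand-in for the word list a real checker would load; a
# dictionary attack tries entries like these first, so they are rejected.
COMMON_WORDS = {"banana", "password", "letmein", "welcome", "monkey", "dragon"}


def syllable(rng) -> str:
    """One pronounceable chunk such as 'ba' or 'lum' (CV or CVC)."""
    s = rng.choice(CONSONANTS) + rng.choice(VOWELS)
    if rng.choice((True, False)):
        s += rng.choice(CONSONANTS)
    return s


def make_password(rng=secrets, syllables: int = 3, min_length: int = 8) -> str:
    """Join random syllables and splice one digit into a random position,
    following the page's own examples ('banilum4', 'somi3can', 'telupson6')."""
    while True:
        letters = "".join(syllable(rng) for _ in range(syllables))
        if letters in COMMON_WORDS:
            continue                      # a real word would fall to a dictionary attack
        pos = rng.choice(range(len(letters) + 1))
        candidate = letters[:pos] + rng.choice(string.digits) + letters[pos:]
        if len(candidate) >= min_length:  # three short CV syllables plus a digit can be too short
            return candidate


def make_password_seeded(seed: int) -> str:
    """Deterministic variant for testing only; real passwords must use secrets."""
    return make_password(Random(seed))


def is_acceptable(password: str) -> bool:
    """The page's rules: at least eight characters, at least one digit,
    and not simply a dictionary word with a digit attached."""
    letters_only = "".join(ch for ch in password if ch.isalpha()).lower()
    return (len(password) >= 8
            and any(ch.isdigit() for ch in password)
            and letters_only not in COMMON_WORDS)


def syllable_scheme_bits(syllables: int = 3) -> float:
    """Approximate search space of the scheme in bits. It counts every syllable,
    the digit, and the fewest possible digit positions (2*syllables+1), so it
    slightly understates the true space."""
    positions = 2 * syllables + 1
    return math.log2(SYLLABLE_COUNT ** syllables * len(string.digits) * positions)


def random_lowercase_bits(length: int = 8) -> float:
    """Search space of a fully random lowercase password of the same length."""
    return math.log2(26 ** length)


def dictionary_word_plus_digit_bits(dictionary_size: int = 50_000) -> float:
    """What a dictionary attack has to search for 'common word plus one digit'."""
    return math.log2(dictionary_size * len(string.digits))


if __name__ == "__main__":
    for _ in range(3):
        print(make_password())
    print(f"syllable scheme ~{syllable_scheme_bits():.1f} bits, "
          f"random 8 lowercase letters {random_lowercase_bits():.1f} bits, "
          f"dictionary word + digit {dictionary_word_plus_digit_bits():.1f} bits")
```

The comparison shows why the trick works: a pronounceable syllable password is roughly as hard to search as eight random lowercase letters (about 38 bits) while a dictionary word with a digit is under 20 bits, yet the syllable version is far easier to remember.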

Saturday, December 13, 2008

Virus Protection

The most important computing advice is "back up your files", which helps to safeguard your data if you ever get a virus. The second most important principle is "run an anti-virus protection program". If your anti-virus program does not include a good firewall, you must obtain one of those as well.

Modern computer viruses are more virulent than ever. It is essential for the protection of all the valuable programs and information on your computer that you run a good anti-virus protection program. Most of these applications regularly update their database over the Internet as the threats evolve, automatically keeping your anti-virus protection up to date and your computer safe.

Commercial. The following companies are leading anti-virus protection providers:

Maintenance. Once you have installed anti-virus protection, take the following additional protective measures:

  • Never use a floppy disk, CD, DVD, tape, or other external media that has been on someone else's computer without first scanning it with your anti-virus protection program, which should be set to scan all media by default. If you lend media to someone else to copy a file, write-protect it first so that it won't get inadvertently infected.
  • Protect your perimeter. Make sure your anti-virus protection settings are turned on by default to scan files incoming over email and downloaded off the Internet.

Infection. Computers that run good anti-virus protection usually don't get infected. However, if you are sure that your system has somehow got a virus anyway, you can take the following steps:

  • Immediately shut down your computer, and do not reboot it from the infected disk, in order to prevent the virus from doing more damage.
  • Boot the computer from some clean external media such as a bootable floppy, CD, DVD, or external disk that has previously been scanned by your anti-virus protection.
  • Run your anti-virus protection software from the clean boot disk, on the infected disk, and if required fix or delete infected files and replace them on the infected disk.
  • If you need help or your anti-virus protection can't clean the disk, then you are best advised to take your computer to a good professional repair shop where they have tools to try and clean and recover your disk as best as possible.

Keep in mind that anti-virus protection sometimes generates false alarms -- a common cause is a program file that has changed size for a valid reason. Another common indicator that you may have a false alarm is an anti-virus program claiming that a file may contain a virus but not knowing the virus's name. Don't delete files unless the anti-virus protection software specifically recommends it, recognizes the virus's name, and it otherwise looks like a reasonable suggestion.



Friday, December 12, 2008

Internet Worms

Worms -- Types and Habitats

Penetration of a remote system can be accomplished in any of three ways... In each case the worm arranges to get a remote command interpreter which it can use to copy over, compile and execute the 99-line bootstrap. The bootstrap sets up its own network connection with the local worm and copies over the other files it needs, and using these pieces a remote worm is built and the infection procedure starts over again.

Internet worms are truly autonomous virtual viruses, spreading across the net, breaking into computers, and replicating without human assistance and usually without human knowledge.

Worms are particularly interesting technological constructs, with an intriguing mathematical structure and complexity. They fascinate because they take the digital imitation of life to another step -- they autonomously search for computers, penetrate them, and replicate their intelligence to continue the process.

An Internet worm can be contained in any kind of virus, program or script. Sometimes its inventor will release it into the wild as a single copy, leaving it to replicate by itself through a variety of stratagems and protocols.

History. Worms use a variety of methods to propagate across the Internet. Early worms simply scanned the local network drives and folders and inserted themselves into programs wherever they could, trusting human beings to move disks and directories around in the normal course of things so they could continue to spread.

Since the late 1990s, many Internet worms have been Visual Basic script viruses which replicate on Windows computers by interacting with the user's email program to send themselves to many (often all) of the addresses in the address book. Once on a new machine, they repeat the process with the new user's address book, quickly expanding the number of people reached. Some of the worst outbreaks of email worms have spread around the world within just a few hours, and email remains the Internet worm's fastest known transmission method.

Beginning in 2001, the most dangerous worms started to employ weaknesses in the Windows operating system to attack machines directly across the Internet. When a significant Windows weakness was found, Microsoft would patch it, hackers would release worms to attack it a few weeks later, and any unpatched machine connected to the Internet would soon be compromised. With several hundred million machines running Windows, statistically speaking a lot don't get patched immediately, so there are always thousands of vulnerable systems. Even computers inside a firewall-protected intranet are at risk as long as there is one weak link somewhere -- an unprotected machine on the Internet able to reach the rest of the intranet. Microsoft introduced automatic operating system updates to help solve this problem.

The most successful Internet worm of all time, in terms of sheer saturation, was the Code Red worm, which scanned the Internet for vulnerable Windows computers running the IIS web server to install itself and continue the infection. For example, a list of the Code Red infected computers trying to break into the LivingInternet site on August 7, 2001, can be found here. (Fortunately, the site was running on the Apache web server.)

A wide range of other inventive strains of Internet worms have employed security weaknesses in IRC, finger, and other programs and protocols. A few worms began to be discovered for Linux in the late 1990s as it became more popular across the Internet and some vulnerabilities were found, but the strong security architecture of Linux has kept the number of problems relatively low.

The first worm. The first worm disabled most of the Internet then existing. Robert Morris, a Computer Science graduate student at Cornell University and (embarrassingly) son of the Chief Scientist at the National Computer Security Center, wrote a 99 line program in the C language designed to self-replicate and propagate itself from machine to machine across the Internet. The worm performed the trick by combining a bug in the debugging mode of the sendmail program used to control email on almost all Internet computers, a bug in the finger program, and the Unix rexec and rsh commands.

On November 2, 1988, Morris released his worm, but did so from an MIT computer to disguise his origin. In his view, only one thing went wrong -- the worm started replicating at a much faster rate than he had predicted, and began crashing and disabling computers across the Internet.

Morris sent out an anonymous message telling people how to disable the worm, but because it had brought down the Internet, the message about how to disable it couldn't get through. The worm eventually infected more than 6,000 computers across the Internet. Within a day teams of programmers at the University of California at Berkeley and Purdue University reverse engineered the worm and developed methods of stopping it. The Internet then came back to normal in a couple of days.

Morris claimed that he had intended his worm as an innocent experiment and hadn't planned it to have any negative effects. Nonetheless, he was eventually convicted of violating the Computer Fraud and Abuse Act (Title 18), and sentenced to three years of probation, 400 hours of community service, and a $10,050 fine. His appeal was rejected in March 1991.

At least one good thing resulted from this incident -- the Computer Emergency Response Team, or CERT, was formed by ARPA in response to the Morris worm incident to track and provide information on Internet security threats.

Thursday, December 11, 2008

Script & Macro Viruses

Script Viruses - Types and Habitats

Script viruses (sometimes called macro viruses) generally travel embedded in email and office automation documents, although they can be found in web pages as well.

Old fashioned program viruses are usually implemented in executable system code, whereas script viruses are usually written in a powerful high-level language that is compiled and run on the fly. They often have sophisticated functionality and direct interfaces to high level applications such as word processing, spreadsheet, email, and web programs, and can wreak considerable havoc. Since they first surfaced in office automation programs, they are sometimes also called "macro" viruses. Script viruses can also propagate through IRC protocols.

On Microsoft computers, turning on your script checking virus protection is essential. However, keep in mind that there may be an associated performance hit for some applications. Many applications on Windows are written in Visual Basic, and real-time script virus checking can double the time it takes for their usual functions to run. If you find that ordinary functions take an inordinate length of time to complete, you can try temporarily turning this feature off in your anti-virus checker -- but don't forget to turn it back on afterwards!

Active threats. The following types of script viruses are currently the most active and dangerous, on the Windows platform:

  • Visual Basic is a flexible and powerful programming environment for Microsoft Windows, Office, and internet applications. Script viruses written in Visual Basic can run throughout the Microsoft architecture, giving them considerable reach and power, and making them the primary virus threat today.

    The first widespread Visual Basic script virus was Melissa, which brought down several of the large international corporations for several days in March 1999. Melissa traveled in a Microsoft Word document and ran when the document was opened, then opened the associated Microsoft Outlook email program, read the user's email address book, and then sent email copies of itself to the first fifty names it found. It spread very quickly.

    The Melissa virus architecture was quickly followed by many similar variants programmed by hackers around the world, including the ground breaking KAK, the first Visual Basic script virus that triggered as soon as an email was opened. KAK was then followed by BubbleBoy, which triggered if an email was even viewed in the preview pane. A steady stream of Visual Basic script viruses continue to circulate to this day. There are even automated, point and click programs like VBS Love Generator to help hackers produce additional variants. Script viruses which use email to send themselves to others are also a form of worm.

    The term "macro virus" is used less often, and generally refers to a virus in an office automation application macro, most commonly a Visual Basic macro in a Microsoft Word or Excel document. Macro viruses can cross system boundaries from Windows to Macintosh computers with MS Office documents. Current versions of Microsoft Office contain strong anti-macro protections to guard against known attacks.
  • ActiveX is one of Microsoft's distributed application technologies that enable web pages to download programs on the fly with the full power of any executable running on your machine. This makes ActiveX modules especially efficient and powerful, but also a security risk since they can create, change, and delete files, add system programming code, or take any other action your user account is allowed on your computer.

    To help mitigate the risk, Microsoft provides a network architecture of encrypted security certificates for ActiveX modules. This network gives you the option of refusing the download of unsigned ActiveX modules from unknown authors, and at least disclosing the signed identity of those modules that you do accept in case they later cause problems. However, this approach is not universally accepted by the general user and professional security communities, and is sometimes called "trust me now, try to catch me later". Users running Internet Explorer on Windows machines should make sure that their browser security settings are set to "disable" for unsigned ActiveX applets, and to "prompt" for signed applets.

Hypothetical threats. The following script viruses are largely theoretical, but illustrate that they can turn up wherever there is scripting code:

  • Java is a standard cross platform development environment, and is often used to download scripts to add functionality like a clock or chat room interface to a web page. Java was written with a strong security model which protects your computer's data and resources, and it has so far proved remarkably resistant to script virus infection. You can turn Java off in your browser if you want to be extra careful, but it will disable some useful functionality on some web pages.

  • JavaScript is the standard web programming language. JavaScript also has a well-defined security model that protects data and resources, and the few JavaScript viruses that have been discovered have been mainly theoretical in nature. You can turn JavaScript off in your browser settings if you want to be extra careful, but it will disable functionality on many web pages.
  • MIME. The first script virus that triggered as soon as an email was opened was a MIME virus that applied to older versions of Netscape Mail, Microsoft Outlook, and Eudora Mail. In a variation on an old hacker technique, the attached MIME file was given a very long name that triggered a bug which allowed the end of the name to be run as a series of instructions, which could then be written to run the virus. However, a fix for the bug was quickly developed for each vulnerable email program, and MIME viruses have so far remained hypothetical.

Boot & Program Viruses

Boot & Program Viruses - Types and Habitats

Boot and program viruses were the first viruses. They are generally made of executable code that hides inside device boot programs and application programs, and are usually targeted for a specific computer operating system. These were the earliest types of computer viruses developed, and remained relatively common in the wild until overtaken in 1998 by script and macro viruses.

Boot viruses. Boot viruses hide in the boot code for a media device, such as a disk or CD, and run automatically when the media is loaded, since boot programs are always the first code loaded from any device. Boot viruses proliferated on floppy disks and even CDs into the late 1990s, but aren't seen as often these days with the decline in importance of transferable, bootable media.

The first computer boot virus was built by a 15 year old kid named Rich Skrenta in 1982 for Apple II computers. Called "Elk Cloner", it would activate whenever a floppy disk was booted on a computer, install itself on the computer, and then infect other disks used later. Once every 50 times an infected floppy was inserted in a computer it would display the following message.

Elk Cloner: The program with a personality

It will get on all your disks
It will infiltrate your chips
Yes it's Cloner!

It will stick to you like glue
It will modify ram too
Send in the Cloner!

Skrenta launched the virus into the wild in early 1982 by infecting his school's computer and giving out disks at a computer club. Since viruses were not yet known and there were no safeguards, it spread around the country and continued to pop up on Apple II computers for years afterwards.

The first boot virus to infect Microsoft computers was called Brain, developed in 1986 by two Pakistani brothers, and displayed the phone number of their computer repair business.

Program viruses. Program viruses can travel on media such as a CD or across the Internet as an email attachment. They hide in an apparently useful program and then run when the program is opened. They are often called trojan horse viruses, after the hollow wooden horse containing soldiers that Ulysses and the Greeks gave to Minerva during the Trojan war, and from which the soldiers emerged that night to open the gates of the city of Troy to the Greek armies, thereby causing the city's downfall.

Program viruses may be deliberately hidden in a program by the developer, or surreptitiously attached after the fact at some point along its travels from computer to computer. Program viruses are also sometimes the vector of infection for boot viruses and worms.

Virus infection. A greeting card program emailed to you from a friend might display a holiday animation and song, while at the same time installing a remote access virus program that gives a distant hacker control over your computer whenever you're connected to the Internet. Similarly, a shareware program downloaded and emailed to you by another friend might have been infected with a virus on his computer or the server where it was stored.

The first thing a boot or program virus often does is insert commands and settings in the operating system so that it can operate freely, undetected, and unaudited, without warning messages or access log records. Some of them even change the Basic Input Output System (BIOS) that interfaces between the computer's hardware and software to help mask their activities.

The most sophisticated program viruses include "stealth viruses", which encrypt their contents to try and avoid detection by virus protection software, and "polymorphic viruses", which alter their content every time they replicate to try and avoid detection, behaviour much like that of biological viruses. Most anti-virus programs can still catch most of these types of viruses.

Viruses

Viruses - Families and Habitats

Computer viruses of one kind or another have infected the Internet since its very first years of existence. Virus protection is now required technology for everyone that uses the Internet.

Signs that your computer might have a virus could include spontaneous startup of programs like email programs, unexplained attempts by programs on your computer to access the Internet, changes in file date stamps, unusually slow program load or run times, lots of unexplained disk activity, or failure of a program or your computer to start. However, if you have an anti-virus protection running, then problems like a slow computer or lots of disk activity are most likely caused by an inefficient system configuration, not enough memory, a fragmented disk, or other benign causes, since most viruses won't give any visible signs.

Some viruses are only annoying, displaying a message, using extra memory or disk, or changing file names. However, some are destructive and will change files and erase data, and some will erase your entire hard drive. Some run silently in the background and give outside agents complete control of your computer without your knowledge whenever you are connected to the Internet.

The Internet gives viruses a particularly efficient new path for global infection. Some email viruses have spread around the world and brought down tens of thousands of computers in just a few hours. It is absolutely essential that you run an anti-virus protection program to safeguard your computer from these serious threats.

Email Security

Corporate email: A mission-critical application

Email is well-established as a prime means of communication for business purposes that is quicker and cheaper than more traditional methods. Yet it brings with it the necessity to make one's corporate messaging system as secure as possible.

Email-related threats to network security

A variety of different elements weaken your corporate email system, and while some are widely known - such as email viruses - others tend to be ignored. Emails carrying offensive messages or confidential corporate information can create immense inconvenience and expense for a company that has not equipped its mail server with the appropriate tools. The same goes for spammers who use the email system at work to send thousands of unsolicited email messages. And what about the vast damage and time-loss caused by email viruses, which seem to be making ever more frequent appearances these days?

Some companies lull themselves into a false sense of security upon installing a firewall. This is a wise step to protect their intranet, but it is not enough: Firewalls prevent network access by unauthorized users. But they do not check the content of mail being sent and received by those authorized to use the system, for instance. More targeted measures are needed to counteract this and other security loopholes in a corporate network.

The threat of information leaks
Organizations often fail to acknowledge that there is a greater risk of crucial data being stolen from within the company rather than from outside.

Various studies have shown how employees use email to send out confidential corporate information. Be it because they are disgruntled and vengeful, or because they fail to realize the potentially harmful impact of such a practice, employees use email to share sensitive data that was officially intended to remain in-house.

FBI statistics, for example, reveal that among Fortune 500 companies, most data thefts in 1998 were by internal users. Again, research results carried in PC Week in March 1999 report that, out of 800 workers surveyed, 21-31% admitted to sending confidential information - like financial or product data - to recipients outside the company by email. Ten per cent of those surveyed disclosed that they had received email containing company-confidential information.

The threat of emails containing malicious or offensive content
Emails carrying sensitive information, or unsolicited mail messages sent out by corporate users are not the only problem a company has to tackle with regard to employees' email use. Emails sent by staff containing racist, sexist or other offensive material could prove equally troublesome, not to mention embarrassing - and expensive!

This factor hit the headlines during the much-publicized antitrust case against Microsoft Corp., when the US government presented as evidence the contents of emails written by top Microsoft executives describing plans to topple competitors. On a similar note, Chevron recently had to pay $2.2 million to settle a lawsuit resulting from an email message bearing sexist contents.

Under British law, employers are held responsible for emails written by employees in the course of their employment, whether or not the employer consented to the mail. The insurance company Norwich Union was asked to pay $450,000 in an out-of-court settlement as a result of emailed comments relating to competition.

Besides, offensive emails can cause considerable damage to the work environment simply by generating an unpleasant, hostile or unprofessional atmosphere.

The threat of viruses
Viruses are a major email security hazard that companies simply cannot afford to ignore. Over 11,000 different computer viruses exist to date and some 300 new ones are created each month. Their effects range from negligible to bothersome to destructive.

The extent of the problem is so great that today many companies have even begun to prohibit the use of email attachments, as this is where viruses are often embedded. Unless forewarned, users are generally unaware that they have received a virus until they open the infected attachment. By this time, it is too late: the virus is activated and starts to take over, completely infecting the hard drive and the messaging network.

The danger of viruses transmitted through macros, another common form of virus transmission, is that they allow the user to continue working and sharing documents. This way, the virus spreads faster, infecting more and more users. One such macro virus, known as Melissa, reared its ugly head on March 26, 1999. Melissa forced organizations the world over - among them Microsoft and Intel - to suspend all email transactions. This may well have been an effective response to the new viral onslaught, when timely action was taken - but it also signified incalculable productivity loss, despite stemming data loss. As a result, Melissa left a huge dent in corporate coffers: "It is responsible for millions of dollars worth of damage", an April 1999 issue of InfoWorld reported.

Other fiercely destructive viruses followed fast on Melissa's trail, such as the Chernobyl (CIH) virus and the Explore Worm, both of which wipe out files, resulting in data loss. Again, companies like Microsoft, Intel, Boeing and Forrester Research were reported in the press as having shut down their mail servers when hit by the Explore Worm outbreak in June 1999. And, as if all this were not enough, anti-virus researchers predict that more damaging email viruses are yet to come.

The threat of spam
About 90 per cent of email users receive spam - or unsolicited commercial mail - at least once a week, a survey conducted by the Gartner Group shows. The research results, issued in June 1999, revealed that almost half those surveyed were spammed six or more times a week. The study surveyed 13,000 email users.

Although the U.S. Congress and state legislatures are seeking to ban spam, and the Federal Trade Commission sues spammers whose junk mail deceives consumers, unwanted mail is on the increase.

As well as consuming bandwidth and slowing down email systems, spam is a frustrating time-waster, forcing employees to sift through and delete mounds of junk mail. It also proves irritating and offensive to recipients who feel their privacy has been invaded. However, there is a third aspect to spam: it constitutes a security hazard.

Spammers can use a corporate mail server to send out their unsolicited messages, often bringing trouble upon the unwitting organization. Virgin Net recently underwent such an experience when one of its subscribers apparently used its network to send out 250,000 junk messages. As a result of this individual's actions, Virgin Net was put onto the Real-time Blackhole List (RBL), an undesirable listing which leads other ISPs to reject mail coming from that company.



SPAM Filtering

Protecting against security breaches

Corporate security policy
The security menaces are many, but effective solutions do exist. The first step to enhance security recommended by cyber-security consultants is the formulation of a corporate email policy document. This is used to inform all members of the organization which messaging practices are deemed unacceptable.

Without being overly restrictive, such documents should provide guidelines and procedures to be followed by employees in their use of email at the workplace. Examples of the kinds of email messages that could prove detrimental to the organization should be supplied. The overriding point to be emphasized is that by adopting this policy, the company and its staff stand to gain by benefiting from messaging security that is as watertight as possible.

Next, the organization must acquire new security tools to help enforce these regulations, informing all users that this measure is being taken.


Security software
Corporations may choose from a selection of email security packages. Some solutions are created to tackle a particular menace alone while others contain a convenient bundle of tools to deal with the various hazards. It is up to each organization to select the software that best suits their needs.

As always, price is bound to be one of the determining factors in making the right choice. Another essential characteristic to seek is a product that is as transparent to the user as possible. A package that installs on the existing corporate email system and is easy to use means that a company can enjoy the security benefits offered immediately upon installation. This section examines the different email security features available on the market, either separately or as part of a solution.

Preventing information leaks
A content checking tool is a must to prevent users from sending out confidential or sensitive corporate information via email. This tool automatically scans the contents of each message being mailed.

To be effectual, this tool should link to a quarantining feature that isolates emails with suspect content and prevents them from being sent unless an authorized person within the organization has approved the message.

Content checking
Likewise, a content screening tool is necessary to prevent corporate users from sending or receiving malicious, offensive, or inappropriate emails. This should be coupled with a tried and tested quarantining feature that bars emails with suspect content from being sent or received unless an authorized person within the organization has approved the message first.

Combating viruses
A reliable virus scanner screens all incoming and outbound messages and attachments for email viruses and worms.

Of course, it is not enough for a package to detect a virus. A good security tool must be able to block the infected documents or clean them before the email reaches the addressee. Additionally, the anti-virus solution should notify the recipient and/or network administrator of the email-borne virus. This way, viruses are stopped in their tracks before they do any harm and senders can be alerted that their systems are infected.

Eliminating spam
An efficient anti-spam tool will pick up words and phrases that usually appear in unsolicited commercial emails and block the unwanted message from entering the system. While preventing inconvenience to recipients, this saves the corporation time that employees would otherwise have wasted reading and deleting junk mail - paid work time that could be better applied.

Advanced anti-spam features include the detection of incorrect 'From' headers and addresses in the email body, typical spam practices, as well as the facility to be programmed to block emails containing any phrases the company chooses. Another essential ingredient is the ability to prevent spammers from using the corporate system to send out vast quantities of mail, a practice known as mail relaying.

Also effective against spam is a quarantining feature that deters email messages with dubious content from going through. This feature acts as a kind of clearinghouse, allowing an authorized person to approve the filtered messages before they are sent or received.

A powerful solution that arms your Exchange Server 2000

GFI MailSecurity for Exchange/SMTP
Your only true defence is to install a comprehensive email security solution to safeguard your mail server and network. GFI MailSecurity for Exchange/SMTP provides email content checking, exploit detection and anti-virus for Exchange/SMTP. It can be deployed at the gateway level, or at information store level (based on the Exchange 2000 VS API).

Key features include: Multiple virus engines - Don't depend on 1 only; Email content & attachment checking - Quarantine dangerous emails; Exploit shield - Email intrusion detection & defence; Email threats engine - Analyses & defuses HTML scripts, .exe files & more. Other features include:

  • Automatic removal of HTML scripts
  • Automatic quarantining of Microsoft Word documents with macros
  • Detects attachment extension hiding
  • Rules-based configuration
  • Apply rules to AD users or groups
  • Approve/reject quarantined mail using the moderator client/email client/public folders
  • Lexical analysis
  • Seamless integration with Exchange Server 2000 through VS API
  • Anti-spam (gateway version)
  • Great value
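As an added example (not GFI's code and not part of the original post), the controls described above can be prototyped with the Python standard library: a company phrase list, a comparison of the visible From header against the envelope sender, detection of attachment extension hiding, and quarantine of Word documents that carry a macro project. The phrase list, addresses and attachment bytes are constructed for the example.

```python
"""Added example, not GFI's or the original author's code: a small mail
screen implementing the controls described above. Sample data is constructed."""
import io
import re
import zipfile
import email
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Hypothetical company phrase list and extension sets (constructed values).
BLOCKED_PHRASES = ("internal use only", "make money fast")
EXECUTABLE_EXT = {"exe", "scr", "vbs", "com", "bat", "pif", "js"}
DOCUMENT_EXT = {"doc", "docx", "docm", "dot", "xls", "xlsx", "pdf", "txt", "jpg"}


def hidden_extension(filename: str) -> bool:
    """True when a document-looking name ends in an executable extension,
    e.g. 'report.doc.exe' or 'photo.jpg        .scr' (whitespace padding
    that pushes the real extension out of view in a mail client)."""
    parts = re.split(r"\s*\.\s*", filename.strip().lower())
    return len(parts) >= 3 and parts[-1] in EXECUTABLE_EXT and parts[-2] in DOCUMENT_EXT


def has_macro_project(data: bytes) -> bool:
    """Office Open XML documents are zip archives; a VBA macro project is
    stored as word/vbaProject.bin. Legacy binary .doc files are not parsed here."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def screen_message(raw: bytes, envelope_from: str) -> dict:
    """Return {'action': 'deliver'|'quarantine', 'reasons': [...]} for one message.
    Quarantined mail would be held for a moderator rather than silently dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    header_addr = parseaddr(str(msg["From"] or ""))[1].lower()
    if header_addr != envelope_from.lower():
        reasons.append(f"From header {header_addr!r} differs from envelope sender {envelope_from!r}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    reasons += [f"blocked phrase: {p!r}" for p in BLOCKED_PHRASES if p in text]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if hidden_extension(name):
            reasons.append(f"attachment extension hiding: {name!r}")
        elif name.lower().endswith((".docx", ".docm")) and has_macro_project(part.get_payload(decode=True)):
            reasons.append(f"Word document with macro project: {name!r}")
    return {"action": "quarantine" if reasons else "deliver", "reasons": reasons}


def build_sample(header_from: str, body: str, filename: str, payload: bytes) -> bytes:
    """Construct a test message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = header_from
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Quarterly figures"
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream", filename=filename)
    return msg.as_bytes()


def make_docx(with_macro: bool) -> bytes:
    """Construct a minimal Word-style zip, optionally carrying a stub vbaProject.bin."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed stub, not a real macro")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("finance@example.com", build_sample("Finance <finance@example.com>", "Please review.", "budget.docm", make_docx(True))),
        ("bulk@spammer.invalid", build_sample("CEO <ceo@example.com>", "MAKE MONEY FAST", "notes.txt", b"hello")),
        ("alice@example.com", build_sample("Alice <alice@example.com>", "see attached", "report.doc.exe", b"MZ")),
    ]
    for envelope, raw in samples:
        print(envelope, screen_message(raw, envelope))
```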


Tuesday, December 2, 2008

All About Malicious Codes

Abstract

Malicious code refers to a broad category of software threats to your network and systems. Perhaps the most sophisticated threats to computer systems are presented by malicious code that exploits vulnerabilities in those systems. Any code which modifies or destroys data, steals data, allows unauthorized access, exploits or damages a system, or does something the user did not intend, is called malicious code. This paper will briefly introduce you to the various types of malicious code you will encounter, including viruses, Trojan horses, logic bombs and worms.

Taxonomy of malicious Code

A computer program is a sequence of instructions arranged to achieve a desired functionality; the program is termed malicious when its sequence of instructions is used to intentionally cause adverse effects to the system. In other words, we cannot call just any "bug" malicious code. Malicious code is also called a programmed threat. The following figure provides an overall taxonomy of malicious code.

Figure 1 Malicious Code Taxonomy

Taxonomy is a system of classification allowing one to uniquely identify something. As presented in the above figure, threats can be divided into two categories:
  • Independent: self-contained programs that can be scheduled and run by the operating system.
  • Needs host program: essentially fragments of programs that cannot exist independently of some actual application program, utility or system program.
You must also differentiate between software threats that do not replicate and those that do. (Replication is the process by which a piece of code reproduces or duplicates itself.) The former are fragments of programs that are activated when the host program is invoked to perform a specific function; the latter consist of either a program fragment or an independent program (worm, zombie) that, when executed, may produce one or more copies of itself to be activated later on the same system or some other system. In the following, I briefly survey each of these parts of malicious software.

Trap doors

defined - 1. syn. back door; a bad thing. 2. A trap-door function is one which is easy to compute but very difficult to compute the inverse of. [Jargon Dictionary]
A trap door is a secret entry point into a program that allows someone who is aware of the trap door to gain access without going through the usual security access procedure. In many cases, attacks using trap doors can give a great degree of access to the application, important data, or even the hosting system. Trap doors have been used legitimately by programmers to debug and test programs; some of the legitimate reasons for trap doors are:
  1. Intentionally leaving them in for testing, to make testing easier.
  2. Intentionally leaving them in as a covert means of access, in other words to allow access in the event of errors.
  3. Intentionally leaving them in for fixing bugs.
But they may be used illegitimately, to provide future, illegal access. Trap doors become threats when they are used by unscrupulous programmers to gain unauthorized access.

Back door is another name for a trap door. Back doors provide immediate access to a system by bypassing the employed authentication and security protocols; attackers can use back doors to bypass security controls and gain control of a system without time-consuming hacking.

Logic Bombs

defined - The logic bomb is code embedded in some legitimate program that executes when a certain predefined event occurs; this code is surreptitiously inserted into an application or operating system and causes it to perform some destructive or security-compromising activity whenever specified conditions are met. [Jargon Dictionary]

A bomb may send a note to an attacker when a user is logged on to the Internet and is using a specific program such as a word processor; this message informs the attacker that the user is ready for an attack. Figure 2 shows a logic bomb in operation. Notice that this bomb does not actually begin the attack but tells the attacker that the victim has reached the state needed for an attack to begin.

Figure 2 Logic Bombs

  1. Attacker implants logic bomb
  2. Victim reports installation
  3. Attacker sends attack message
  4. Victim does as the logic bomb instructs
Examples of conditions that can be used as triggers for a logic bomb are the presence or absence of certain files, a particular day of the week or date, or a particular user running the application. Once triggered, a bomb may alter or delete data or entire files, cause a machine halt, or do some other damage.

Trojan Horses

defined - "A malicious, security-breaking program that is disguised as something benign, such as a directory lister, archiver, game, or (in one notorious 1990 case on the Mac) a program to find and destroy viruses!" [Jargon Dictionary]

A Trojan horse is a useful, or apparently useful, program or command procedure containing hidden code that, when invoked, performs some unwanted or harmful function. Trojan horses can be used to accomplish indirectly functions that an unauthorized user could not accomplish directly. For example, to gain access to the files of another user on a shared system, a user could create a Trojan horse program that, when executed, changes the invoking user's file permissions so that the files are readable by any user. Another example of a Trojan horse program is a compiler that has been modified to insert additional code into certain programs as they are compiled, such as a system login program; the code creates a trap door in the login program that permits the author to log on to the system using a special password. Another common motivation for the Trojan horse is data destruction. The program appears to be performing a useful function but it may also be quietly deleting the victim's files.

Zombie

A zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie's creator. Zombies are used in denial of service attacks, typically against targeted web sites. The zombie is planted on hundreds of computers belonging to unsuspecting third parties and then used to overwhelm the target website by launching an overwhelming onslaught of Internet traffic.

Viruses

defined - [From the obvious analogy with biological viruses.] A cracker program that searches out other programs and 'infects' them by embedding a copy of itself in them, so that they become Trojan horses. When these programs are executed, the embedded virus is executed too, thus propagating the 'infection'. This normally happens invisibly to the user. Unlike a worm, a virus cannot infect other computers without assistance. It is propagated by vectors such as humans trading programs with their friends. The virus may do nothing but propagate itself and then allow the program to run normally. Usually, however, after propagating silently for a while, it starts doing things like writing cute messages on the terminal or playing strange tricks with the display. Many nasty viruses, written by particularly perversely minded crackers, do irreversible damage, like nuking all the user's files... [Jargon Dictionary]

A virus is a program that can 'infect' other programs by modifying them; the modification includes a copy of the virus program, which can then go on to infect other programs. Therefore the key characteristic of a virus is the ability to self-replicate by modifying a normal program file with a copy of itself. In November 1983, Fred Cohen (the "father of the computer virus") conceived the idea of computer viruses as a graduate student at USC. Cohen wrote the first documented virus and demonstrated it on the USC campus network. The "virus" is named after the biological virus; the following table shows the parallels:

Biological virus versus computer virus:
  • Biological: consists of a DNA or RNA strand surrounded by a protein shell that bonds to the host cell. Computer: consists of a set of instructions stored in a host program.
  • Biological: has no life outside the host cell. Computer: is active only when the host program is executed.
  • Biological: replicates by taking over the host's metabolic machinery with its own DNA/RNA. Computer: replicates when the host program is executed or the host file is opened.
  • Biological: copies infect other cells. Computer: copies infect (attach to) other host programs.


A virus can do anything that other programs do. The only difference is that it attaches itself to another program and executes secretly when the host program is run. Once a virus is executing, it can perform any function, such as erasing files and programs. During its lifetime a typical virus goes through the following four phases:
  • Dormant phase: The virus is idle. It will eventually be activated by some event, such as a date, the presence of another program or file, or the capacity of the disk exceeding some limit. Not all viruses have this stage.
  • Propagation phase: The virus places an identical copy of itself into other programs or into certain system areas on the disk. Each infected program will now contain a clone of the virus, which will itself enter a propagation phase.
  • Triggering phase: The virus is activated to perform the function for which it was intended. As with the dormant phase, the triggering phase can be caused by a variety of system events, including a count of the number of times that this copy of the virus has made copies of itself.
  • Execution phase: The function is performed. The function may be harmless, such as a message on the screen, or damaging, such as the destruction of programs and data files.
Virus Anatomy

A virus structure has four parts:
  • Mark: can prevent re-infection attempts
  • Infection mechanism: causes spread to other files
  • Trigger: the conditions for delivering the payload
  • Payload: the possible damage to the infected computer

Figure 3 Anatomy of a Virus: Mark (optional), Infection Mechanism, Trigger (optional), Payload (optional)

Types of Viruses

Memory-resident virus: lodges in main memory as part of a resident system program. From that point on, the virus infects every program that executes.

Program file virus: infects programs such as EXE/COM/SYS files. The following figure shows the details:

Figure 5 Program File Viruses

Polymorphic virus: creates copies during replication that are functionally equivalent but have distinctly different bit patterns. In this case the "signature" of the virus will vary with each copy. To achieve this variation, the virus may randomly insert superfluous instructions or interchange the order of independent instructions. A more effective approach is to use encryption: a portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus; when the virus replicates, a different random key is selected.

Boot sector virus: boot sector viruses infect the system area of the disk that is read when the disk is initially accessed or booted. This area can include the master boot record, the operating system's boot sector, or both. A virus infecting these areas typically takes the system instructions it finds and moves them to some other area on the disk. The virus is then free to place its own code in the boot record. When the system initializes, the virus loads into memory and simply points to the new location of the system instructions. The system then boots in a normal fashion, except that the virus is now resident in memory. A boot sector virus can replicate without your executing any programs from an infected disk; simply accessing the disk is sufficient. For example, most PCs do a system check on boot-up that verifies the operation of the floppy drive; even this verification process is sufficient to activate a boot sector virus if one exists on a floppy left in the machine, and the hard drive can then become infected as well.

Stealth virus: a form of virus explicitly designed to hide itself from detection by antivirus software. When the virus is loaded into memory, it monitors system calls to files and disk sectors; when a call is trapped, the virus modifies the information returned to the process making the call so that it sees the original uninfected information. This aids the virus in avoiding detection. For example, many boot sector viruses contain stealth ability. If the infected disk is booted, programs such as FDISK report a normal boot record: the virus is intercepting sector calls from FDISK and returning the original boot sector information. If you boot the system from a clean floppy disk, however, the drive is inaccessible, and if you run FDISK again, the program reports a corrupted boot sector on the drive. To use stealth, however, the virus must be actively running in memory, which means that the stealth portion of the virus is vulnerable to detection by antivirus software.

Macro virus: a set of macro commands, specific to an application, which automatically executes in an unsolicited manner and spreads to that application's documents. According to the National Computer Security Agency (www.ncsa.com), macro viruses now make up two-thirds of all computer viruses. Macro viruses are particularly threatening for a number of reasons:
  1. A macro virus is platform independent. Virtually all of the macro viruses infect Microsoft Word documents. Any hardware platform and operating system that supports Word can be infected.
  2. Macro viruses infect documents, not executable portions of code. Most of the information introduced onto a computer system is in the form of a document rather than a program.
  3. Macro viruses are easily spread. A very common method is by electronic mail.
Macro viruses take advantage of a feature found in Word and other office applications such as Microsoft Excel, namely the macro. In essence, a macro is an executable program embedded in a word processing document or other type of file. What makes it possible to create a macro virus is the auto-executing macro: a macro that is automatically invoked, without explicit user input. Common auto-execute events are opening a file, closing a file and starting an application. Once a macro is running, it can copy itself to other documents, delete files and cause other sorts of damage to the user. In Microsoft Word, there are three types of auto-executing macros:
  1. Auto-execute: if a macro named AutoExec is in the Normal.dot template or in a global template stored in Word's start-up directory, it is executed whenever Word is started.
  2. Auto macro: an auto macro executes when a defined event occurs, such as opening or closing a document.
  3. Command macro: if a macro in a global macro file or a macro attached to a document has the name of an existing Word command, it is executed whenever the user invokes that command.
A common technique for spreading a macro virus is as follows: an auto macro or command macro is attached to a Word document that is introduced into a system by e-mail or disk transfer. After the document is opened, the macro executes. The macro copies itself to the global macro file. When the next session of Word opens, the infected global macro is active. When this macro executes, it can replicate itself and cause damage.

Email virus: a more recent development in malicious software is the e-mail virus. The first rapidly spreading e-mail viruses, such as Melissa, made use of a Microsoft Word macro embedded in an attachment. If the recipient opens the e-mail attachment, the Word macro is activated and then:
  1. The e-mail virus sends itself to everyone on the mailing list in the user's e-mail package
  2. The virus does local damage
Worms

Can one IP packet cripple the Internet within 10 minutes? On January 25th, 2003, the "SQL Sapphire/Slammer" worm caused more than 1.2 billion US dollars of damage: 70% of South Korea's network was paralyzed, 300,000 ISP subscribers in Portugal were knocked offline, 13,000 Bank of America machines were shut down, and Continental Airlines' ticketing system was crippled.

Figure 6 SQL Sapphire / Slammer Worm

Worm (n)
[From ‘tape worm’ in John Brunner’s novel “The Shockwave Rider “… ], A program that propagates itself over a network, reproducing itself as it goes … [Jargon Dictionary]

A worm is also self-replicating, but it is a stand-alone program that exploits security holes to compromise other computers and spread copies of itself through the network. Unlike viruses, worms do not need to parasitically attach to other programs. Because of the recursive structure of this propagation, the spread rate of worms is very fast and poses a big threat to the Internet infrastructure as a whole.

Worm Anatomy

  • Mark: structurally similar to viruses, except that the worm is a stand-alone program instead of a program fragment
  • Infection mechanism: searches for weakly protected computers through a network (i.e., worms are network based)
  • Triggers: the conditions for delivering the payload
  • Payload: might drop a Trojan horse or parasitically infect files, so worms can have Trojan horse or virus characteristics

Figure 7 Worm Anatomy: Mark (optional), Infection Mechanism, Trigger (optional), Payload (optional)

Friday, November 28, 2008

More On Data Security

SafeConduct

Application Access Security for New and Legacy Systems

SSL Standard
SafeConduct brings the benefits of the Secure Sockets Layer (SSL) v3.0 standard, including digital certificate authentication and 256-bit data encryption, to any point-to-point Internet or VPN application data traffic. The SafeConduct product family works transparently with new and legacy applications. Using the SSL data security standard, the most widely used protocol for securing data transmission on the Internet, SafeConduct eliminates significant information security and privacy risks.

Secure channel
SafeConduct (for ODBC SSL, OLE DB SSL, JDBC SSL, or .NET provider SSL) builds an invisible and secure channel between two TCP/IP nodes. Before any application data traffic is sent, SafeConduct authenticates the machines, securely negotiates encryption keys, transmits secured user ID/password data, and finally transmits secured application data between the two nodes. SafeConduct prevents unauthorized machines from accessing applications. Application security is ensured by preventing unauthorized access to any application data transmitted over TCP/IP networks.

SafeConduct (using SSL security) monitors and intercepts TCP/IP data at pre-configured port addresses. Once secure communication is established between the two TCP/IP nodes, SafeConduct routes application data traffic to the true destination application port address. SafeConduct Server may be installed on a machine other than that of the server application in order to redirect the SSL encryption processing to that machine; in this arrangement SafeConduct Server acts as an SSL proxy.


SafeConduct data encryption security software

Server and Client for all platforms
The SafeConduct product family includes the SafeConduct Server, the SafeConduct Windows Client, and the SafeConduct Java Client. The SafeConduct Windows client runs on Windows client and server platforms as an application or service. The SafeConduct Java Client can be used on multiple client and server platforms including, but not limited to Linux, Solaris, Windows, IBM OS390 and zOS, IBM iSeries/AS400, IBM AIX, Mac OSX, and OS/2. The SafeConduct Server can similarly be used on multiple client and server platforms.

The SafeConduct Server includes support to allow an administrator to remotely terminate its function. This allows systems administrators to easily prevent application access during maintenance or batch processing periods.

Key Features and Benefits
  • SSL and TLS support with 256-bit encryption: data protected from unauthorized access
  • NIST FIPS 140-2 validated crypto and SSL functions: approved US Government standards
  • Node-to-node authentication: assurance that only authorized point-to-point pairs may exchange data
  • No change required to application source code: protects investments
  • Broad platform support: single tool for enterprise deployment
  • Data encryption using the Digital Signature Standard (DSS), with the Digital Signature Algorithm (DSA) and RSA algorithm: standards-based, secure architecture
  • Extensive internal and Windows log reporting and accessibility: audit tool for data analysis
  • Graphical tools for certificate generation and management: faster administration processing
  • Optional integration with certificates obtained from an external certificate authority: flexible support for third-party security

System Requirements:

Server
Any platform with Java Run-time Environment 1.3 and later

Client
Any platform with Java Run-time Environment 1.3 and later
or
Windows 2003/XP/2000/NT/ME/98

Thursday, November 27, 2008

All About Firewalls

A firewall is an integrated collection of security measures designed to prevent unauthorized electronic access to a networked computer system. It is also a device or set of devices configured to permit, deny, encrypt, decrypt, or proxy all computer traffic between different security domains based upon a set of rules and other criteria.

Function

A firewall is a dedicated appliance, or software running on another computer, which inspects network traffic passing through it, and denies or permits passage based on a set of rules.

A firewall's basic task is to regulate some of the flow of traffic between computer networks of different trust levels. Typical examples are the Internet which is a zone with no trust and an internal network which is a zone of higher trust. A zone with an intermediate trust level, situated between the Internet and a trusted internal network, is often referred to as a "perimeter network" or Demilitarized zone (DMZ).



A firewall's function within a network is similar to physical firewalls with fire doors in building construction. In the former case, it is used to prevent network intrusion to the private network. In the latter case, it is intended to contain and delay structural fire from spreading to adjacent structures.

Without proper configuration, a firewall can often become worthless. Standard security practices dictate a "default-deny" firewall ruleset, in which the only network connections which are allowed are the ones that have been explicitly allowed. Unfortunately, such a configuration requires detailed understanding of the network applications and endpoints required for the organization's day-to-day operation. Many businesses lack such understanding, and therefore implement a "default-allow" ruleset, in which all traffic is allowed unless it has been specifically blocked. This configuration makes inadvertent network connections and system compromise much more likely.
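As an added example (not part of the firewalls FAQ this post quotes), the default-deny versus default-allow argument above can be made concrete with a toy zone-based rule evaluator: the same explicit rules are evaluated under both defaults, and the flows that only a default-allow policy lets through are the "inadvertent network connections" the paragraph warns about. Zones, addresses, rules and sample flows are constructed for the example.

```python
"""Added example (not from the firewalls FAQ quoted above): a toy zone-based
rule evaluator contrasting a default-deny and a default-allow ruleset."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed trust zones: the Internet is the untrusted catch-all, the DMZ an
# intermediate zone, the internal network the most trusted (documentation ranges).
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("203.0.113.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    """Most specific matching zone wins, so 10.x falls in 'internal', not 'internet'."""
    a = ip_address(addr)
    return max((n for n, net in ZONES.items() if a in net), key=lambda n: ZONES[n].prefixlen)


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port


# The explicit rules an administrator wrote down. Note there is no rule at all
# for most Internet->internal traffic: its fate depends entirely on the default.
RULES = [
    Rule("allow", "internet", "dmz", 25),        # mail relay in the DMZ
    Rule("allow", "internet", "dmz", 80),        # public web server
    Rule("allow", "internal", "internet", 80),
    Rule("allow", "internal", "internet", 443),
    Rule("allow", "internal", "dmz", None),
    Rule("deny", "internet", "internal", 23),    # telnet was blocked explicitly once
]


def decide(src: str, dst: str, port: int, default: str) -> str:
    """First matching rule wins; with no match the default policy applies."""
    s, d = zone_of(src), zone_of(dst)
    for r in RULES:
        if r.src_zone == s and r.dst_zone == d and r.dst_port in (None, port):
            return r.action
    return default


def exposed_under_default_allow(flows):
    """Flows a default-deny firewall blocks but a default-allow firewall passes:
    exactly the inadvertent connections the text warns about."""
    return [f for f in flows if decide(*f, "deny") == "deny" and decide(*f, "allow") == "allow"]


# Constructed sample flows: (source, destination, destination port)
SAMPLE_FLOWS = [
    ("10.1.2.3", "198.51.100.7", 443),       # user browsing the web
    ("198.51.100.7", "203.0.113.10", 25),    # inbound mail to the DMZ relay
    ("198.51.100.7", "10.1.2.3", 22),        # SSH from the Internet to a desktop
    ("198.51.100.7", "10.1.2.3", 23),        # telnet: explicitly denied either way
    ("198.51.100.7", "10.0.0.5", 3306),      # a database nobody wrote a rule for
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "default-deny:", decide(*flow, "deny"), "default-allow:", decide(*flow, "allow"))
    print("exposed only by default-allow:", exposed_under_default_allow(SAMPLE_FLOWS))
```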

Network firewall

A firewall is a system or group of systems that enforces an access control policy between two or more networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators for firewalls managing the connectivity for a large number of hosts therefore have a heavy responsibility.

Why would I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.

Many traditional-style corporations and data centers have computing security policies and practices that must be followed. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security--it often plays an important role as a security blanket for management.

Lastly, a firewall can act as your corporate ``ambassador'' to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g., UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their organizational sponsors. Note that while this is historically true, most organizations now place public information on a Web server, often protected by a firewall, but not normally on the firewall itself.

What can a firewall protect against?

Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from the ``outside'' world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.

Firewalls are also important since they can provide a single ``choke point'' where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

Because of this, firewall logs are critically important data. They can be used as evidence in a court of law in most countries. You should safeguard, analyze and protect your firewall logs accordingly.

This is an important point: providing this ``choke point'' can serve the same purpose on your network as a guarded gate can for your site's physical premises. That means anytime you have a change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only an outside gate and no receptionist or security staff to check badges on the way in. If there are layers of security on your site, it's reasonable to expect layers of security on your network.
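The logging and auditing role described above is easier to appreciate on real-looking data. The following is an added example (not code from the FAQ or from any firewall product): it parses a handful of constructed log lines written in the shape of Linux netfilter ``LOG'' output with a DROP/ACCEPT log prefix, produces the kind of summary the text mentions (verdict counts, the noisiest outside sources, hosts that probed several ports, and inside hosts whose outbound connections were refused), and links the lines into a SHA-256 hash chain so that a deleted or edited line is detectable later. The interface names (eth0 outside, eth1 inside), addresses and the log prefix are assumptions for the example.

```python
"""Summaries and tamper-evidence over firewall log lines (added example,
not from the Firewalls FAQ).  Input is constructed, in the shape of Linux
netfilter LOG output with a DROP/ACCEPT --log-prefix; eth0 is assumed to
be the outside interface and eth1 the inside one."""
import hashlib
import re
from collections import Counter, defaultdict

# Constructed sample lines; none of this is captured traffic.
SAMPLE_LOG = """\
Dec 14 03:12:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=51234 DPT=22 SYN
Dec 14 03:12:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=51235 DPT=23 SYN
Dec 14 03:12:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=51236 DPT=139 SYN
Dec 14 03:12:02 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.5 DST=10.0.0.10 PROTO=TCP SPT=51237 DPT=445 SYN
Dec 14 03:12:05 fw kernel: ACCEPT IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=40001 DPT=25 SYN
Dec 14 03:12:09 fw kernel: DROP IN=eth1 OUT=eth0 SRC=10.0.0.20 DST=198.51.100.9 PROTO=TCP SPT=40002 DPT=6667 SYN
Dec 14 03:12:10 fw kernel: DROP IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.10 PROTO=UDP SPT=53 DPT=137
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) kernel: (?P<verdict>\w+) "
    r"IN=(?P<in>\S*) OUT=(?P<out>\S*) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse(log: str) -> list:
    """Turn each recognised line into a dict of its fields; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: list, scan_threshold: int = 3) -> dict:
    """The administrator's digest: what passed, who was refused, who is scanning."""
    verdicts = Counter(e["verdict"] for e in events)
    inbound_drops = Counter(e["src"] for e in events
                            if e["verdict"] == "DROP" and e["in"] == "eth0")
    ports_by_src = defaultdict(set)
    for e in events:
        if e["verdict"] == "DROP" and e["in"] == "eth0" and e["dpt"]:
            ports_by_src[e["src"]].add(int(e["dpt"]))
    # One outside source refused on several distinct ports is a port scan.
    scanners = sorted(src for src, ports in ports_by_src.items()
                      if len(ports) >= scan_threshold)
    # Inside hosts refused on the way out are worth a look: a bot beaconing, or a policy gap.
    egress_blocked = [(e["src"], e["dst"], int(e["dpt"])) for e in events
                      if e["verdict"] == "DROP" and e["out"] == "eth0" and e["dpt"]]
    return {"verdicts": dict(verdicts),
            "top_inbound_drops": inbound_drops.most_common(3),
            "port_scanners": scanners,
            "egress_blocked": egress_blocked}


def hash_chain(log: str, seed: bytes = b"firewall-log-v1") -> str:
    """Each line's digest covers the previous digest, so editing or deleting
    any line changes the final value.  Record (or sign) that value off-box
    at intervals if the log may later be needed as evidence."""
    prev = hashlib.sha256(seed).digest()
    for line in log.splitlines():
        prev = hashlib.sha256(prev + line.encode()).digest()
    return prev.hex()


if __name__ == "__main__":
    digest = summarize(parse(SAMPLE_LOG))
    for key, value in digest.items():
        print(f"{key}: {value}")
    print("chain:", hash_chain(SAMPLE_LOG))
```

The hash chain only proves that the lines you hold are the lines that were hashed; it is only useful as evidence if the running chain value leaves the firewall regularly (to a write-once store, a separate log host, or a signed record), since an attacker who owns the firewall can rewrite both the log and the chain.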

What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape, compact disc, DVD, or USB flash drive can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a six-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or Compact Disc. CDs are a far more likely means for information to leak from your organization than a firewall. Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a ``helpful'' employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem that can't be fixed by tightening controls on the firewalls.

Firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. There are no magic bullets and a firewall is not an excuse to not implement software controls on internal networks or ignore host security on servers. Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't ``fire and forget''.

Lastly, firewalls can't protect against bad things being allowed through them. For instance, many Trojan Horses use the Internet Relay Chat (IRC) protocol to allow an attacker to control a compromised internal host from a public IRC server. If you allow any internal system to connect to any external system, then your firewall will provide no protection from this vector of attack.

Design and Implementation Issues

What are some of the basic design decisions in a firewall?

There are a number of basic design issues that should be addressed by the lucky person who has been tasked with the responsibility of designing, specifying, and implementing or overseeing the installation of a firewall.

The first and most important decision reflects the policy of how your company or organization wants to operate the system: is the firewall in place explicitly to deny all services except those critical to the mission of connecting to the Net, or is the firewall in place to provide a metered and audited method of ``queuing'' access in a non-threatening manner? There are degrees of paranoia between these positions; the final stance of your firewall might be more the result of a political than an engineering decision.

The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level (i.e., how paranoid you are) by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.

The third issue is financial. We can't address this one here in anything but vague terms, but it's important to try to quantify any proposed solutions in terms of how much it will cost either to buy or to implement. For example, a complete firewall product may cost between $100,000 at the high end, and free at the low end. The free option, of doing some fancy configuring on a Cisco or similar router will cost nothing but staff time and a few cups of coffee. Implementing a high end firewall from scratch might cost several man-months, which may equate to $30,000 worth of staff salary and benefits. The systems management overhead is also a consideration. Building a home-brew is fine, but it's important to build it so that it doesn't require constant (and expensive) attention. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but continuing costs such as support.

On the technical side, there are a couple of decisions to make, based on the fact that for all practical purposes what we are talking about is a static traffic routing service placed between the network service provider's router and your internal network. The traffic routing service may be implemented at an IP level via something like screening rules in a router, or at an application level via proxy gateways and services.

The decision to make is whether to place an exposed stripped-down machine on the outside network to run proxy services for telnet, FTP, news, etc., or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are benefits and drawbacks to both approaches, with the proxy machine providing a greater level of audit and, potentially, security in return for increased cost in configuration and a decrease in the level of service that may be provided (since a proxy needs to be developed for each desired service). The old trade-off between ease-of-use and security comes back to haunt us with a vengeance.

What are the basic types of firewalls?

Conceptually, there are three types of firewalls:

  1. Network layer
  2. Application layer
  3. Hybrids

They are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear whether either one is ``better'' or ``worse.'' As always, you need to be careful to pick the type that meets your needs.

Which is which depends on what mechanisms the firewall uses to pass traffic from one security zone to another. The International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model for networking defines seven layers, where each layer provides services that ``higher-level'' layers depend on. In order from the bottom, these layers are physical, data link, network, transport, session, presentation, application.

The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform. Generally speaking, lower-level firewalls are faster, but are easier to fool into doing the wrong thing.

These days, most firewalls fall into the ``hybrid'' category, which do network filtering as well as some amount of application inspection. The amount changes depending on the vendor, product, protocol and version, so some level of digging and/or testing is often necessary.

Network layer firewalls

These generally make their decisions based on the source and destination addresses and ports in individual IP packets. A simple router is the ``traditional'' network layer firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One important distinction about many network layer firewalls is that they route traffic directly through them, so to use one you either need to have a validly assigned IP address block or to use a ``private internet'' address block. Network layer firewalls tend to be very fast and tend to be very transparent to users.
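The difference between a packet-by-packet screening router and a filter that keeps connection state, the ``deny everything except'' versus ``let inside hosts talk to anything'' stance discussed under design decisions, and the IRC control-channel case from the previous section can all be shown on a few constructed packets. The code is an added example, not code from the FAQ or from any firewall product. It assumes a screened-host layout with 10.0.0.0/8 inside and a bastion host 10.0.0.10 that is the only machine allowed to exchange SMTP with the outside; the attacker, IRC server and mail peer addresses are documentation addresses chosen for the example.

```python
"""Stateless screening router beside a stateful filter, on constructed
packets (added example, not code from the Firewalls FAQ).
Assumed topology: 10.0.0.0/8 inside, bastion 10.0.0.10 relaying SMTP."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the protected network
BASTION = ip_address("10.0.0.10")     # assumption: the screened host, mail only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    syn: bool = False
    ack: bool = False


def inbound(p: Packet) -> bool:
    return ip_address(p.dst) in INTERNAL and ip_address(p.src) not in INTERNAL


def outbound(p: Packet) -> bool:
    return ip_address(p.src) in INTERNAL and ip_address(p.dst) not in INTERNAL


def new_connection_allowed(p: Packet, egress_any: bool) -> bool:
    """Site policy for connection openers, shared by both filters.
    egress_any=True is the 'any inside host may talk to anything' stance."""
    if outbound(p):
        return egress_any or (ip_address(p.src) == BASTION and p.dport == 25)
    if inbound(p):
        return ip_address(p.dst) == BASTION and p.dport == 25
    return False


def stateless_verdict(p: Packet, egress_any: bool) -> str:
    """Screening router: decides on this packet's header fields alone.
    'Part of an existing connection' can only be approximated as
    'ACK set, SYN clear', and that is exactly what an ACK scan sends."""
    if p.syn and not p.ack:
        return "ACCEPT" if new_connection_allowed(p, egress_any) else "DROP"
    if p.ack and not p.syn:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Remembers the connections it admitted; a packet with no matching
    state that is not a SYN is dropped instead of being trusted on flags."""

    def __init__(self, egress_any: bool) -> None:
        self.egress_any = egress_any
        self.table = set()

    def verdict(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "ACCEPT"                 # continuation or reply of a tracked connection
        if not (p.syn and not p.ack):
            return "DROP"                   # no state and not an opener
        if new_connection_allowed(p, self.egress_any):
            self.table.add(fwd)
            return "ACCEPT"
        return "DROP"


# Constructed traffic: 203.0.113.5 probes an inside file server with an
# ACK-only packet; 10.0.0.20 is a compromised desktop beaconing to IRC;
# 198.51.100.9 delivers mail to the bastion and gets a reply.
ACK_PROBE = Packet("203.0.113.5", "10.0.0.20", dport=139, ack=True)
IRC_BEACON = Packet("10.0.0.20", "198.51.100.7", dport=6667, syn=True)
MAIL_SYN = Packet("198.51.100.9", "10.0.0.10", dport=25, sport=50001, syn=True)
MAIL_REPLY = Packet("10.0.0.10", "198.51.100.9", dport=50001, sport=25, ack=True)


def compare() -> dict:
    results = {
        "ack_probe_stateless": stateless_verdict(ACK_PROBE, egress_any=False),
        "ack_probe_stateful": StatefulFilter(egress_any=False).verdict(ACK_PROBE),
        "irc_default_permit": stateless_verdict(IRC_BEACON, egress_any=True),
        "irc_default_deny": stateless_verdict(IRC_BEACON, egress_any=False),
    }
    sf = StatefulFilter(egress_any=False)
    results["mail_syn"] = sf.verdict(MAIL_SYN)
    results["mail_reply"] = sf.verdict(MAIL_REPLY)
    return results


if __name__ == "__main__":
    for name, verdict in compare().items():
        print(f"{name:22s} {verdict}")
```

The stateless router passes the ACK-only probe to an inside host because it has no way to know that no connection exists; the stateful filter drops it and still passes the legitimate mail reply, because it remembers the SYN it admitted. The IRC beacon is accepted or refused purely by the egress stance, which is the point made earlier: if any inside host may connect anywhere, the firewall contributes nothing against that control channel.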

Figure 1: Screened Host Firewall

In Figure 1, a network layer firewall called a ``screened host firewall'' is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at a network layer. The single host is a bastion host; a highly-defended and secured strong-point that (hopefully) can resist attack.

Figure 2: Screened Subnet Firewall

Example Network layer firewall: In Figure 2, a network layer firewall called a ``screened subnet firewall'' is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at a network layer. It is similar to a screened host, except that it is, effectively, a network of screened hosts.

Application layer firewalls

These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one ``side'' and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application layer firewalls, such as those built using the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Modern application layer firewalls are often fully transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.

Figure 3: Dual Homed Gateway

Example Application layer firewall: In Figure 3, an application layer firewall called a ``dual homed gateway'' is represented. A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.

Most firewalls now lie someplace between network layer firewalls and application layer firewalls. As expected, network layer firewalls have become increasingly ``aware'' of the information going through them, and application layer firewalls have become increasingly ``low level'' and transparent. The end result is that now there are fast packet-screening systems that log and audit data as they pass through the system. Increasingly, firewalls (network and application layer) incorporate encryption so that they may protect traffic passing between them over the Internet. Firewalls with end-to-end encryption can be used by organizations with multiple points of Internet connectivity to use the Internet as a ``private backbone'' without worrying about their data or passwords being sniffed.

What are proxy servers and how do they work?

A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Many proxies contain extra logging or support for user authentication. Since proxies must ``understand'' the application protocol being used, they can also implement protocol specific security (e.g., an FTP proxy might be configurable to permit incoming FTP and block outgoing FTP).

Proxy servers are application specific. In order to support a new protocol via a proxy, a proxy must be developed for it. One popular set of proxy servers is the TIS Internet Firewall Toolkit (``FWTK'') which includes proxies for Telnet, rlogin, FTP, the X Window System, HTTP/Web, and NNTP/Usenet news. SOCKS is a generic proxy system that can be compiled into a client-side application to make it work through a firewall. Its advantage is that it's easy to use, but it doesn't support the addition of authentication hooks or protocol specific logging.
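What ``protocol specific security'' buys you over a port filter is easiest to see at the command level of one protocol. The following is an added example, not code from FWTK, SOCKS or any real proxy: the decision logic of an FTP control-channel proxy, run over a constructed client session. The assumed site policy is the data-export concern from earlier in this FAQ turned into a rule: inside users may log in, browse and retrieve, but every command that writes to the remote side (STOR, APPE and friends) is refused; commands the proxy has no handler for are refused rather than passed blindly; and a line that is not an FTP command at all, such as an SSH banner from someone tunnelling through the hole left open for FTP, is refused and logged. A screening router that merely permits TCP port 21 can express none of this. The client address and the session contents are invented for the example.

```python
"""Command-level policy of an application proxy, shown for FTP's control
channel over a constructed session (added example, not FWTK or any other
real proxy).  Assumed site policy: inside users may fetch files from
outside but may not send, create or delete anything; unknown commands and
non-FTP traffic on the FTP port are refused and logged."""
import re
from dataclasses import dataclass, field
from typing import Optional

CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")   # RFC 959 command shape
READ_ONLY = {"USER", "PASS", "SYST", "FEAT", "TYPE", "PWD", "CWD", "CDUP",
             "LIST", "NLST", "RETR", "PASV", "PORT", "SIZE", "MDTM", "NOOP", "QUIT"}
WRITE = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}


@dataclass
class Session:
    client: str
    user: Optional[str] = None
    log: list = field(default_factory=list)


def mediate(session: Session, line: str, allow_upload: bool = False) -> str:
    """Return ALLOW or DENY for one client line and append an audit record.
    Command arguments are never logged, so passwords stay out of the log."""
    m = CMD_RE.match(line.rstrip("\r\n"))
    if m is None:
        verdict, why = "DENY", "not an FTP command"      # e.g. a tunnelled protocol
    else:
        cmd, arg = m.group(1).upper(), m.group(2)
        if cmd == "USER":
            session.user = arg                           # identity for the audit trail
        if cmd in READ_ONLY:
            verdict, why = "ALLOW", cmd
        elif cmd in WRITE:
            if allow_upload:
                verdict, why = "ALLOW", cmd
            else:
                verdict, why = "DENY", f"{cmd} blocked by export policy"
        else:
            verdict, why = "DENY", f"unknown command {cmd}"
    session.log.append(f"{session.client} user={session.user or '-'} {verdict} {why}")
    return verdict


# Constructed client side of a session: a normal download, an attempted
# upload, a SITE command the proxy has no handler for, and an SSH banner
# arriving on the FTP port.
CLIENT_LINES = [
    "USER alice\r\n",
    "PASS hunter2\r\n",
    "CWD /reports\r\n",
    "RETR q3.pdf\r\n",
    "STOR customers.csv\r\n",
    "SITE EXEC /bin/sh\r\n",
    "SSH-2.0-OpenSSH_8.9\r\n",
    "QUIT\r\n",
]


def run_session(lines=CLIENT_LINES, allow_upload: bool = False) -> tuple:
    """Mediate every client line in order; return (verdicts, audit log)."""
    session = Session(client="10.0.0.20")
    verdicts = [mediate(session, line, allow_upload) for line in lines]
    return verdicts, session.log


if __name__ == "__main__":
    for record in run_session()[1]:
        print(record)
```

Note what the proxy cannot do: it only sees what the protocol exposes on the control channel, so a download of an encrypted archive looks exactly like any other RETR, and a well-formed tunnel inside a permitted command is invisible to it. That is the limitation stated earlier in this FAQ about tunnelling over permitted protocols; the proxy raises the bar and records who did what, it does not remove the need for controls on the hosts behind it.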
