Open Source

Untuk seluruh software yang bersifat Open Source tidak akan tenggelam oleh waktu dikarenakan banyak yang mendukung program tersebut dan software tersebut tidak kalah bersaing dengan software berbayar lainnya.

Certified

Mengambil sertifikasi semata-mata bukan untuk menjadi tenar atau sombong, tapi untuk mengetahui apakah anda mampu mengemban tanggung jawab secara moral terhadap apa yang anda telah pelajari dan bagaimana memberikan ilmu tersebut kepada orang lain tanpa pamrih.

Operating System Pentest

Sistem operasi Bactrack, Kali Linux, dll memang sangat memanjakan para Pentester dalam melaksanakan tugasnya sesuai dengan prosedur yang berlaku. Di OS tersebut disediakan beberapa tools menarik seperti untuk memperoleh information gathering, vulnerability assesment, exploit, dll.

Sherlock Holmes

Film detektif yang satu ini pasti disukai oleh beberapa rekan IT dikarenakan proses jalan ceritanya ketika memecahkan sebuah kasus tidak monoton dan memerlukan logika berpikir yang diluar kebiasaan. Daya hayal harus tinggi ketika ingin menonton film ini.

Forensic

Kegiatan forensic bidang IT sangat membutuhkan tingkat pemahaman yang tinggi akan suatu kasus yang ditangani. Tim yang menangani forensic harus bisa membaca jalan pikiran si Attacker seperti apa jika melakukan serangan. Biasanya Attacker lebih maju selangkah dibanding dengan tim pemburunya.

Selasa, 17 Desember 2013

Program Doktor (S3) Universitas Gunadarma

Berdasarkan surat Nomor 3716/D/T/2002 tertanggal 27 Desember 2002 dan bekerjasama dengan Universite De Bourgogne, Perancis, Universitas Gunadarma membuka program studi Teknologi Informasi untuk jenjang Program Doktor (S3). Program ini memberikan kesempatan bagi mahasiswa untuk bekerja bersama para ahli yang berpengalaman melakukan penelitian di bidang Teknologi Informasi terkini seperti Sistem Basis Data, Image Processing (Pengolah Citra), dan Pemodelan Simulasi.

Secara ringkas dapat dikatakan bahwa visi yang mendasari penyelenggaraan Program Doktor Teknologi Informasi Universitas Gunadarma ini adalah suatu tekad untuk mengembangkan ilmu pengetahuan bidang Teknologi Informasi/Ilmu Komputer dengan memberikan kemampuan penelitian yang tinggi kepada para mahasiswa serta memberikan wawasan yang mendalam mengenai suatu bidang disiplin ilmu.

Sebagai langkah awal, pendidikan Program Doktor yang diselenggarakan dirancang dengan cara menempatkan pengetahuan sebagai ujung tombak. 

Berdasarkan itu, diharapkan terbuka kesempatan bagi mahasiswa untuk mengembangkan kemampuan profesionalnya dalam berbagai kekhususan bidang Teknologi Informasi.

CALON MAHASISWA
 
Para calon mahasiswa yang akan mengikuti Program pendidikan Doktor ini, pada tahap awal adalah para lulusan Program Magister bidang Ilmu Teknologi Informasi/Ilmu Komputer atau yang berdekatan, diantaranya Magister Komputer, Magister Sistem Informasi atau yang berdekatan, Magister Teknik Elektro, Magister Matematika/Statistika.

Dengan perkembangan teknologi informasi pada berbagai bidang, maka calon mahasiswa dimungkinkan dari bidang lain dengan pertimbangan khusus. Untuk menampung aspirasi calon, penerimaan mahasiswa dengan beban penuh diatur dua angkatan untuk setiap tahun akademik, yaitu bulan Agustus dan Februari.

PENERIMAAN MAHASISWA BARU
 
Persyaratan penerimaan mahasiswa Program Doktor Teknologi Informasi Universitas Gunadarma adalah sebagai berikut :
A. Syarat Akademik :

1. Memiliki ijazah S2 perguruan tinggi dalam Negeri ataupun Luar negeri yang ijazahnya telah diakui oleh Direktur Jenderal Pendidikan Tinggi Depdiknas.

2. Memiliki Indeks Prestasi Kumulatif S2 minimum 3,00.

B. Syarat Penerimaan :

1. Mendaftarkan diri dengan mengisi formulir pendaftaran yang disediakan di Sekretariat Program Doktor Teknologi Informasi Universitas Gunadarma.

2. Lulus seleksi yang ditetapkan oleh panitia penerimaan mahasiswa Program Doktor Teknologi Informasi Universitas Gunadarma yang meliputi :
a. Tes Potensial Akademik
b. Tes Bahasa Inggris (setara TOEFL dengan nilai minimum 500)
c. Tes Wawancara

3. Memperoleh rekomendasi dari Guru Besar atau pakar bidang Teknologi Informasi/Ilmu Komputer.

4. Melengkapi/memenuhi semua persyaratan yang ditetapkan oleh panitia penerimaan mahasiswa program Doktor.

BIAYA PENDIDIKAN
 
Biaya pendidikan S3 Gunadarma, terdiri dari beberapa komponen, sebagai berikut :
a. Biaya Pendaftaraan dan seleksi masuk sebesar Rp. 300.000,-
b. Biaya Pendidikan/Uang Kuliah per semester :
- Untuk 6 semester pertama sebesar Rp. 30.000.000,- per semester
- Untuk semester-semester berikutnya sebesar Rp. 10.000.000,- per semester
c. Biaya Ijazah dan wisuda sebesar Rp. 500.000,-


Download file lengkapnya :

Rabu, 11 Desember 2013

Slowloris HTTP DoS


CCCCCCCCCCOOCCOOOOO888@8@8888OOOOCCOOO888888888@@@@@@@@@8@8@@@@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888@888888OOOCCCOOOO888888888888@88888@@@@@@@888@8OOCCoococc:::
CCCCCCCCCCCCCCOO88@@888888OOOOOOOOOO8888888O88888888O8O8OOO8888@88@@8OOCOOOCoc::
CCCCooooooCCCO88@@8@88@888OOOOOOO88888888888OOOOOOOOOOCCCCCOOOO888@8888OOOCc::::
CooCoCoooCCCO8@88@8888888OOO888888888888888888OOOOCCCooooooooCCOOO8888888Cocooc:
ooooooCoCCC88@88888@888OO8888888888888888O8O8888OOCCCooooccccccCOOOO88@888OCoccc
ooooCCOO8O888888888@88O8OO88888OO888O8888OOOO88888OCocoococ::ccooCOO8O888888Cooo
oCCCCCCO8OOOCCCOO88@88OOOOOO8888O888OOOOOCOO88888O8OOOCooCocc:::coCOOO888888OOCC
oCCCCCOOO88OCooCO88@8OOOOOO88O888888OOCCCCoCOOO8888OOOOOOOCoc::::coCOOOO888O88OC
oCCCCOO88OOCCCCOO8@@8OOCOOOOO8888888OoocccccoCO8O8OO88OOOOOCc.:ccooCCOOOO88888OO
CCCOOOO88OOCCOOO8@888OOCCoooCOO8888Ooc::...::coOO88888O888OOo:cocooCCCCOOOOOO88O
CCCOO88888OOCOO8@@888OCcc:::cCOO888Oc..... ....cCOOOOOOOOOOOc.:cooooCCCOOOOOOOOO
OOOOOO88888OOOO8@8@8Ooc:.:...cOO8O88c.      .  .coOOO888OOOOCoooooccoCOOOOOCOOOO
OOOOO888@8@88888888Oo:. .  ...cO888Oc..          :oOOOOOOOOOCCoocooCoCoCOOOOOOOO
COOO888@88888888888Oo:.       .O8888C:  .oCOo.  ...cCCCOOOoooooocccooooooooCCCOO
CCCCOO888888O888888Oo. .o8Oo. .cO88Oo:       :. .:..ccoCCCooCooccooccccoooooCCCC
coooCCO8@88OO8O888Oo:::... ..  :cO8Oc. . .....  :.  .:ccCoooooccoooocccccooooCCC
:ccooooCO888OOOO8OOc..:...::. .co8@8Coc::..  ....  ..:cooCooooccccc::::ccooCCooC
.:::coocccoO8OOOOOOC:..::....coCO8@8OOCCOc:...  ....:ccoooocccc:::::::::cooooooC
....::::ccccoCCOOOOOCc......:oCO8@8@88OCCCoccccc::c::.:oCcc:::cccc:..::::coooooo
.......::::::::cCCCCCCoocc:cO888@8888OOOOCOOOCoocc::.:cocc::cc:::...:::coocccccc
...........:::..:coCCCCCCCO88OOOO8OOOCCooCCCooccc::::ccc::::::.......:ccocccc:co
.............::....:oCCoooooCOOCCOCCCoccococc:::::coc::::....... ...:::cccc:cooo
 ..... ............. .coocoooCCoco:::ccccccc:::ccc::..........  ....:::cc::::coC
   .  . ...    .... ..  .:cccoCooc:..  ::cccc:::c:.. ......... ......::::c:cccco
  .  .. ... ..    .. ..   ..:...:cooc::cccccc:.....  .........  .....:::::ccoocc
       .   .         .. ..::cccc:.::ccoocc:. ........... ..  . ..:::.:::::::ccco

Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client!

Written by RSnake with help from John Kinsella, IPv6 version by Hugo Gonzalez and a dash of inspiration from Robert E Lee.

UPDATE 3: IPv6 version provided by Hugo Gonzalez.
UPDATE 2: Video presentation of Slowloris at DefCon (the middle section of the presentation) can be seen here: Hijacking Web 2.0 Sites with SSLstrip and SlowLoris -- Sam Bowne and RSnake at Defcon 17.

UPDATE: Amit Klein pointed me to a post written by Adrian Ilarion Ciobanu written in early 2007 that perfectly describes this denial of service attack. It was also described in 2005 in the "Programming Model Attacks" section of Apache Security. So although there was no tool released at that time these two still technically deserves all the credit for this. I apologize for having missed these.

In considering the ramifications of a slow denial of service attack against particular services, rather than flooding networks, a concept emerged that would allow a single machine to take down another machine's web server with minimal bandwidth and side effects on unrelated services and ports. The ideal situation for many denial of service attacks is where all other services remain intact but the webserver itself is completely inaccessible. Slowloris was born from this concept, and is therefore relatively very stealthy compared to most flooding tools.

Slowloris holds connections open by sending partial HTTP requests. It continues to send subsequent headers at regular intervals to keep the sockets from closing. In this way webservers can be quickly tied up. In particular, servers that have threading will tend to be vulnerable, by virtue of the fact that they attempt to limit the amount of threading they'll allow. Slowloris must wait for all the sockets to become available before it's successful at consuming them, so if it's a high traffic website, it may take a while for the site to free up it's sockets. So while you may be unable to see the website from your vantage point, others may still be able to see it until all sockets are freed by them and consumed by Slowloris. This is because other users of the system must finish their requests before the sockets become available for Slowloris to consume. If others re-initiate their connections in that brief time-period they'll still be able to see the site. So it's a bit of a race condition, but one that Slowloris will eventually always win - and sooner than later.

Slowloris also has a few stealth features built into it. Firstly, it can be changed to send different host headers, if your target is a virtual host and logs are stored seperately per virtual host. But most importantly, while the attack is underway, the log file won't be written until the request is completed. So you can keep a server down for minutes at a time without a single log file entry showing up to warn someone who might watching in that instant. Of course once your attack stops or once the session gets shut down there will be several hundred 400 errors in the web server logs. That's unavoidable as Slowloris sits today, although it may be possible to turn them into 200 OK messages instead by completing a valid request, but Slowloris doesn't yet do that.

HTTPReady quickly came up as a possible solution to a Slowloris attack, because it won't cause the HTTP server to launch until a full request is recieved. This is true only for GET and HEAD requests. As long as you give Slowloris the switch to modify it's method to POST, HTTPReady turns out to be a worthless defense against this type of attack.

This is NOT a TCP DoS, because it is actually making a full TCP connection, not a partial one, however it is making partial HTTP requests. It's the equivalent of a SYN flood but over HTTP. One example of the difference is that if there are two web-servers running on the same machine one server can be DoSed without affecting the other webserver instance. Slowloris would also theoretically work over other protocols like UDP, if the program was modified slightly and the webserver supported it. Slowloris is also NOT a GET request flooder. Slowloris requires only a few hundred requests at long term and regular intervals, as opposed to tens of thousands on an ongoing basis.

Interestingly enough, in testing this has been shown in at least one instance to lock up database connections and force other strange issues and errors to arise that can allow for fingerprinting and other odd things to become obvious once the DoS is complete and the server attempts to clean itself up. I would guess that this issue arises when the webserver is allowed to open more connections than the database is, causing the database to fail first and for longer than the webserver.

Slowloris lets the webserver return to normal almost instantly (usually within 5 seconds or so). That makes it ideal for certain attacks that may just require a brief down-time. As described in this blog post, DoS is actually very useful for certain types of attacks where timing is key, or as a diversionary tactic, etc....

This affects a number of webservers that use threaded processes and ironically attempt to limit that to prevent memory exhaustion - fixing one problem created another. This includes but is not necessarily limited to the following:

  • Apache 1.x
  • Apache 2.x
  • dhttpd
  • GoAhead WebServer
  • WebSense "block pages" (unconfirmed)
  • Trapeze Wireless Web Portal (unconfirmed)
  • Verizon's MI424-WR FIOS Cable modem (unconfirmed)
  • Verizon's Motorola Set-Top Box (port 8082 and requires auth - unconfirmed)
  • BeeWare WAF (unconfirmed)
  • Deny All WAF (unconfirmed)
There are a number of webservers that this doesn't affect as well, in my testing:

This is obviously not a complete list, and there may be a number of variations on these web-servers that are or are not vulnerable. I didn't test every configuration or variant, so your mileage may vary. This also may not work if there is an upstream device that somehow limits/buffers/proxies HTTP requests. Please note though that Slowloris only represents one variant of this attack and other variants may have different impacts on other webservers and upstream devices. This command should work on most systems, but please be sure to check the options as well:

perl slowloris.pl -dns example.com

Requirements: This is a Perl program requiring the Perl interpreter with the modules IO::Socket::INET, IO::Socket::SSL, and GetOpt::Long. Slowloris works MUCH better and faster if you have threading, so I highly encourage you to also install threads and threads::shared if you don't have those modules already. You can install modules using CPAN:
perl -MCPAN -e 'install IO::Socket::INET'
perl -MCPAN -e 'install IO::Socket::SSL'
The IPv6 version needs:
perl -MCPAN -e 'install IO::Socket::INET6'
perl -MCPAN -e 'install IO::Socket::SSL'
Windows users: You probably will not be able to successfuly execute a Slowloris denial of service from Windows even if you use Cygwin. I have not had any luck getting Slowloris to successfuly deny service from within Windows, because Slowloris requires more than a few hundred sockets to work (sometimes a thousand or more), and Windows limits sockets to around 130, from what I've seen. I highly suggest you use a *NIX operating system to execute Slowloris from for the best results, and not from within a virtual machine, as that could have unexpected results based on the parent operating system.

Version: Slowloris is currently at version 0.7 - 06/17/2009 and 0.7.1 (IPv6 version) - 04/02/2013
Getting started: perldoc slowloris.pl or perldoc slowloris6.pl

Issues: For a complete list of issues look at the Perl documentation, which explains all of the things to think about when running this denial of service attack.

Thanks: Thank you to John Kinsella for the help with threading and id and greyhat for help with testing. Big thanks to Hugo Gonzalez for IPv6 too!



SOURCE:
http://ha.ckers.org/slowloris/

Protect Apache Against Slowloris Attack

Slowloris allows a single machine to take down another machine’s web server with minimal bandwidth and side effects on unrelated services and ports. The tools used to launch Slowloris attack can be downloaded at http://ha.ckers.org/slowloris/ 

Slowloris tries to keep many connections to the target web server open and hold them open as long as possible. It accomplishes this by opening connections to the target web server and sending a partial request. Periodically, it will send subsequent HTTP headers, adding to—but never completing—the request. Affected servers will keep these connections open, filling their maximum concurrent connection pool, eventually denying additional connection attempts from clients.
Following web server has been tested and NOT affected by this kind of attack:
  • IIS6.0
  • IIS7.0
  • lighttpd
  • Squid
  • nginx
  • Cherokee
  • Netscaler
  • Cisco CSS
Since Apache is vulnerable to this attack, we should do some prevention. We need to install one Apache module called mod_antiloris. The module limits the number of threads in READ state on a per IP basis and protecting Apache against the Slowloris attack. Installation instruction as below:

1. Download the installer and install from Sourceforge.net:
$ cd /usr/local/src
$ wget http://sourceforge.net/projects/mod-antiloris/files/mod_antiloris-0.4.tar.bz2/download
$ tar -xvjf mod_antiloris-0.4.tar.bz2
$ cd mod_antiloris-*
$ apxs -a -i -c mod_antiloris.c
2. Restart Apache:
$ service httpd restart
3. Check whether mod_antiloris is loaded:
$ httpd -M | grep antiloris
   antiloris_module (shared)
or you can check using httpd fullstatus command:
$ service httpd fullstatus | grep antiloris
   mod_antiloris/0.4

For cPanel servers, don’t forget to run following command to make sure the new modifications be checked into the configuration system by running:

$ /usr/local/cpanel/bin/apache_conf_distiller --update

We have protect our web server from Slowloris attack. Try by launch the Slowloris attack to your web server and check the Apache status page to see whether it affected or not. Cheers!

SOURCE:
http://blog.secaserver.com/2011/08/protect-apache-slowloris-attack/

Kamis, 05 Desember 2013

Gathering Indonesia CISO Forum Desember 2013



Dear rekan-rekan profesional,

Indonesia CISO Forum mengadakan acara pertemuannya yang pertama. Acara ini dilakukan untuk meningkatkan pertemanan dalam komunitas antar profesional keamanan informasi di Indonesia, sekaligus menjadikan ajang tukar pikiran dan update informasi mengenai tren dan best practice keamanan informasi di Indonesia. Acara ini juga sebagai pendukung aktivitas kita di forum. Mengangkat tema “Defending Critical Infrastructure”, beberapa pembicara akan mengemukakan pendapatnya sebagai profesional keamanan informasi di industrinya masing-masing.

The Speakers:
- Wahyudi, CISSP (Manager of Architecture, Strategy & Security, IT Solution, CSS – PT Pertamina (Persero)
- AKBP M. Nuh Al-Azhar, MSc, CHFI, CEI (Chief of Computer Forensic Sub-Department Indonesian Police Forensic Lab Center)
- Neil Cresswell (Chief Technology Officer Indonesian Cloud) >> Digantikan Reza Kertadjaja (Executive Vice President, Indonesian Cloud)
- Petrus Christiatmodjo (Partner System Engineer VMware Indonesia)

Event details:
- Tanggal : Senin, 16 Desember 2013
- Jam  : 18.30 – Finish
- Tempat : The 3 House Bistro & Lounge, Kuningan Village, Jakarta (Belakang Setiabudi One Rasuna Said, dekat Rumah Sakit Mata Aini) -> Click for Maps
- HTM : GRATIS/FREE

*Note: Area parkir sangat terbatas. Anda bisa menggunakan layanan valet dengan biaya Rp. 15.000,- atau parkir di gedung Setiabudi One.

Rundown:
18.00 – 18.30   Registration
19.00 – 19.05   Opening
19.05 – 19.25   1st Speaker – Wahyudi, CISSP
19.25 – 19.45   2nd Speaker – M. Nuh Al-Azhar, MSc, CHFI, CEI
19.45 – 20.05   3rd Speaker – Reza Kertadjaja
20.05 – 20.25   4th Speaker – Petrus Christiatmodjo
20.25 – 20.30   Closing & Door prize
20.30 – End      Dinner

Tempat terbatas hanya bagi yang registrasi, oleh karena itu mohon registrasi untuk booking tempat anda di form registrasi event.

Register for free :

Subscribe For Free


Sumber:
http://www.ciso.co.id/acara-indonesia-ciso-forum-desember-2013/

Selasa, 03 Desember 2013

Firewall

The Internet has made large amounts of information available to the average computer user at home, in business and in education. For many people, having access to this information is no longer just an advantage, it is essential. Yet connecting a private network to the Internet can expose critical or confidential data to malicious attack from anywhere in the world. Users who connect their computers to the Internet must be aware of these dangers, their implications and how to protect their data and their critical systems. Firewalls can protect both individual computers and corporate networks from hostile intrusion from the Internet, but must be understood to be used correctly.

We are presenting this information in a Q&A (Questions and Answers) format that we hope will be useful. Our knowledge of this subject relates to firewalls in general use, and stems from our own NAT and proxy firewall technology. We welcome feedback and comments from any readers on the usefulness or content.

We are providing the best information available to us as at date of writing and intend to update it at frequent intervals as things change and/or more information becomes available. However we intend this Q&A as a guide only and recommend that users obtain specific information to determine applicability to their specific requirements. (This is another way of saying that we can't be held liable or responsible for the content.)

Introduction

Vicomsoft develops and provides Network Address Translation technology, the basis of many firewall products. Our software allows users to connect whole LANs to the Internet, while protecting them from hostile intrusion. Click here to download free trial software.

Vicomsoft have gained significant experience in the area of firewall protection and would like to make this information available to those interested in this subject. For those who would like to study this subject in more detail useful links are listed at the end of this document.

Questions

  1. What is a firewall?
  2. What does a firewall do?
  3. What can't a firewall do?
  4. Who needs a firewall?
  5. How does a firewall work?
  6. What are the OSI and TCP/IP Network models?
  7. What different types of firewalls are there?
  8. How do I implement a firewall?
  9. Is a firewall sufficient to secure my network or do I need anything else?
  10. What is IP spoofing?
  11. Firewall related problems
  12. Benefits of a firewall

1. What is a firewall?

A firewall protects networked computers from intentional hostile intrusion that could compromise confidentiality or result in data corruption or denial of service. It may be a hardware device (see Figure 1) or a software program (see Figure 2) running on a secure host computer. In either case, it must have at least two network interfaces, one for the network it is intended to protect, and one for the network it is exposed to.

A firewall sits at the junction point or gateway between the two networks, usually a private network and a public network such as the Internet. The earliest firewalls were simply routers. The term firewall comes from the fact that by segmenting a network into different physical subnetworks, they limited the damage that could spread from one subnet to another just like firedoors or firewalls.
Figure 1: Hardware Firewall.

Hardware firewall providing protection to a Local Network.
Hardware Firewall
Figure 2: Computer with Firewall Software.
Computer running firewall software to provide protection
Computer with Firewall Software

2. What does a firewall do?

A firewall examines all traffic routed between the two networks to see if it meets certain criteria. If it does, it is routed between the networks, otherwise it is stopped. A firewall filters both inbound and outbound traffic. It can also manage public access to private networked resources such as host applications. It can be used to log all attempts to enter the private network and trigger alarms when hostile or unauthorized entry is attempted. Firewalls can filter packets based on their source and destination addresses and port numbers. This is known as address filtering. Firewalls can also filter specific types of network traffic. This is also known as protocol filtering because the decision to forward or reject traffic is dependant upon the protocol used, for example HTTP, ftp or telnet. Firewalls can also filter traffic by packet attribute or state.

3. What can't a firewall do?

A firewall cannot prevent individual users with modems from dialling into or out of the network, bypassing the firewall altogether. Employee misconduct or carelessness cannot be controlled by firewalls. Policies involving the use and misuse of passwords and user accounts must be strictly enforced. These are management issues that should be raised during the planning of any security policy but that cannot be solved with firewalls alone.

The arrest of the Phonemasters cracker ring brought these security issues to light. Although they were accused of breaking into information systems run by AT&T Corp., British Telecommunications Inc., GTE Corp., MCI WorldCom, Southwestern Bell, and Sprint Corp, the group did not use any high tech methods such as IP spoofing (see question 10). They used a combination of social engineering and dumpster diving. Social engineering involves skills not unlike those of a confidence trickster. People are tricked into revealing sensitive information. Dumpster diving or garbology, as the name suggests, is just plain old looking through company trash. Firewalls cannot be effective against either of these techniques.

4. Who needs a firewall?

Anyone who is responsible for a private network that is connected to a public network needs firewall protection. Furthermore, anyone who connects so much as a single computer to the Internet via modem should have personal firewall software. Many dial-up Internet users believe that anonymity will protect them. They feel that no malicious intruder would be motivated to break into their computer. Dial up users who have been victims of malicious attacks and who have lost entire days of work, perhaps having to reinstall their operating system, know that this is not true. Irresponsible pranksters can use automated robots to scan random IP addresses and attack whenever the opportunity presents itself.

5. How does a firewall work?

There are two access denial methodologies used by firewalls. A firewall may allow all traffic through unless it meets certain criteria, or it may deny all traffic unless it meets certain criteria (see figure 3). The type of criteria used to determine whether traffic should be allowed through varies from one type of firewall to another. Firewalls may be concerned with the type of traffic, or with source or destination addresses and ports. They may also use complex rule bases that analyse the application data to determine if the traffic should be allowed through. How a firewall determines what traffic to let through depends on which network layer it operates at. A discussion on network layers and architecture follows.

Figure 3: Basic Firewall Operation.
Basic Firewall Operation

6. What are the OSI and TCP/IP Network models?

To understand how firewalls work it helps to understand how the different layers of a network interact. Network architecture is designed around a seven layer model. Each layer has its own set of responsibilities, and handles them in a well-defined manner. This enables networks to mix and match network protocols and physical supports. In a given network, a single protocol can travel over more than one physical support (layer one) because the physical layer has been dissociated from the protocol layers (layers three to seven). Similarly, a single physical cable can carry more than one protocol. The TCP/IP model is older than the OSI industry standard model which is why it does not comply in every respect. The first four layers are so closely analogous to OSI layers however that interoperability is a day to day reality.

Firewalls operate at different layers to use different criteria to restrict traffic. The lowest layer at which a firewall can work is layer three. In the OSI model this is the network layer. In TCP/IP it is the Internet Protocol layer. This layer is concerned with routing packets to their destination. At this layer a firewall can determine whether a packet is from a trusted source, but cannot be concerned with what it contains or what other packets it is associated with. Firewalls that operate at the transport layer know a little more about a packet, and are able to grant or deny access depending on more sophisticated criteria. At the application level, firewalls know a great deal about what is going on and can be very selective in granting access.

Figure 4: The OSI and TCP/IP models
The OSI and TCP/IP models
It would appear then, that firewalls functioning at a higher level in the stack must be superior in every respect. This is not necessarily the case. The lower in the stack the packet is intercepted, the more secure the firewall. If the intruder cannot get past level three, it is impossible to gain control of the operating system.

Figure 5: Professional Firewalls Have Their Own IP Layer
Professional Firewalls Have Their Own IP Layer
Professional firewall products catch each network packet before the operating system does, thus, there is no direct path from the Internet to the operating system's TCP/IP stack. It is therefore very difficult for an intruder to gain control of the firewall host computer then "open the doors" from the inside.

Professional firewall products catch each network packet before the operating system does, thus, there is no direct path from the Internet to the operating system's TCP/IP stack. It is therefore very difficult for an intruder to gain control of the firewall host computer then "open the doors" from the inside.

According To Byte Magazine*, traditional firewall technology is susceptible to misconfiguration on non-hardened OSes. More recently, however, "...firewalls have moved down the protocol stack so far that the OS doesn't have to do much more than act as a bootstrap loader, file system and GUI". The author goes on to state that newer firewall code bypasses the operating system's IP layer altogether, never permitting "potentially hostile traffic to make its way up the protocol stack to applications running on the system".
*June 1998

7. What different types of firewalls are there?

Firewalls fall into four broad categories: packet filters, circuit level gateways, application level gateways and stateful multilayer inspection firewalls.

Packet filtering firewalls work at the network level of the OSI model, or the IP layer of TCP/IP. They are usually part of a router. A router is a device that receives packets from one network and forwards them to another network. In a packet filtering firewall each packet is compared to a set of criteria before it is forwarded. Depending on the packet and the criteria, the firewall can drop the packet, forward it or send a message to the originator. Rules can include source and destination IP address, source and destination port number and protocol used. The advantage of packet filtering firewalls is their low cost and low impact on network performance. Most routers support packet filtering. Even if other firewalls are used, implementing packet filtering at the router level affords an initial degree of security at a low network layer. This type of firewall only works at the network layer however and does not support sophisticated rule based models (see Figure 5). Network Address Translation (NAT) routers offer the advantages of packet filtering firewalls but can also hide the IP addresses of computers behind the firewall, and offer a level of circuit-based filtering.

Figure 6: Packet Filtering Firewall
Packet Filtering Firewall
Circuit level gateways work at the session layer of the OSI model, or the TCP layer of TCP/IP. They monitor TCP handshaking between packets to determine whether a requested session is legitimate. Information passed to remote computer through a circuit level gateway appears to have originated from the gateway. This is useful for hiding information about protected networks. Circuit level gateways are relatively inexpensive and have the advantage of hiding information about the private network they protect. On the other hand, they do not filter individual packets.

Figure 7: Circuit level Gateway
Circuit level Gateway
Application level gateways, also called proxies, are similar to circuit-level gateways except that they are application specific. They can filter packets at the application layer of the OSI model. Incoming or outgoing packets cannot access services for which there is no proxy. In plain terms, an application level gateway that is configured to be a web proxy will not allow any ftp, gopher, telnet or other traffic through. Because they examine packets at application layer, they can filter application specific commands such as http:post and get, etc. This cannot be accomplished with either packet filtering firewalls or circuit level neither of which know anything about the application level information. Application level gateways can also be used to log user activity and logins. They offer a high level of security, but have a significant impact on network performance. This is because of context switches that slow down network access dramatically. They are not transparent to end users and require manual configuration of each client computer. (See Figure 7)

Figure 8: Application level Gateway
Application level Gateway
Stateful multilayer inspection firewalls combine the aspects of the other three types of firewalls. They filter packets at the network layer, determine whether session packets are legitimate and evaluate contents of packets at the application layer. They allow direct connection between client and host, alleviating the problem caused by the lack of transparency of application level gateways. They rely on algorithms to recognize and process application layer data instead of running application specific proxies. Stateful multilayer inspection firewalls offer a high level of security, good performance and transparency to end users. They are expensive however, and due to their complexity are potentially less secure than simpler types of firewalls if not administered by highly competent personnel. (See Figure 8).

Figure 9: Stateful Multilayer Inspection Firewall
Stateful Multilayer Inspection Firewall

8. How do I implement a firewall?

We suggest you approach the task of implementing a firewall by going through the following steps:
  1. Determine the access denial methodology to use.
    It is recommended you begin with the methodology that denies all access by default. In other words, start with a gateway that routes no traffic and is effectively a brick wall with no doors in it.
  2. Determine inbound access policy.
    If all of your Internet traffic originates on the LAN this may be quite simple. A straightforward NAT router will block all inbound traffic that is not in response to requests originating from within the LAN. As previously mentioned, the true IP addresses of hosts behind the firewall are never revealed to the outside world, making intrusion extremely difficult. Indeed, local host IP addresses in this type of configuration are usually non-public addresses, making it impossible to route traffic to them from the Internet. Packets coming in from the Internet in response to requests from local hosts are addressed to dynamically allocated port numbers on the public side of the NAT router. These change rapidly making it difficult or impossible for an intruder to make assumptions about which port numbers to use.

    If your requirements involve secure access to LAN based services from Internet based hosts, then you will need to determine the criteria to be used in deciding when a packet originating from the Internet may be allowed into the LAN. The stricter the criteria, the more secure your network will be. Ideally you will know which public IP addresses on the Internet may originate inbound traffic. By limiting inbound traffic to packets originating from these hosts, you decrease the likelihood of hostile intrusion. You may also want to limit inbound traffic to certain protocol sets such as ftp or http. All of these techniques can be achieved with packet filtering on a NAT router. If you cannot know the IP addresses that may originate inbound traffic, and you cannot use protocol filtering then you will need more a more complex rule based model and this will involve a stateful multilayer inspection firewall.
  3. Determine outbound access policy
    If your users only need access to the web, a proxy server may give a high level of security with access granted selectively to appropriate users. As mentioned, however, this type of firewall requires manual configuration of each web browser on each machine. Outbound protocol filtering can also be transparently achieved with packet filtering and no sacrifice in security. If you are using a NAT router with no inbound mapping of traffic originating from the Internet, then you may allow LAN users to freely access all services on the Internet with no security compromise. Naturally, the risk of employees behaving irresponsibly with email or with external hosts is a management issue and must be dealt with as such.
  4. Determine if dial-in or dial-out access is required.
    Dial-in requires a secure remote access PPP server that should be placed outside the firewall. If dial-out access is required by certain users, individual dial-out computers must be made secure in such a way that hostile access to the LAN through the dial-out connection becomes impossible. The surest way to do this is to physically isolate the computer from the LAN. Alternatively, personal firewall software may be used to isolate the LAN network interface from the remote access interface.
  5. Decide whether to buy a complete firewall product, have one implemented by a systems integrator or implement one yourself.
    Once the above questions have been answered, it may be decided whether to buy a complete firewall product or to configure one from multipurpose routing or proxy software. This decision will depend as much on the availability of in-house expertise as on the complexity of the need. A satisfactory firewall may be built with little expertise if the requirements are straightforward. However, complex requirements will not necessarily entail recourse to external resources if the system administrator has sufficient grasp of the elements. Indeed, as the complexity of the security model increases, so does the need for in-house expertise and autonomy.

9. Is a firewall sufficient to secure my network or do I need anything else?

The firewall is an integral part of any security program, but it is not a security program in and of itself. Security involves data integrity (has it been modified?), service or application integrity (is the service available, and is it performing to spec?), data confidentiality (has anyone seen it?) and authentication (are they really who they say they are?). Firewalls only address the issues of data integrity, confidentiality and authentication of data that is behind the firewall. Any data that transits outside the firewall is subject to factors out of the control of the firewall. It is therefore necessary for an organization to have a well planned and strictly implemented security program that includes but is not limited to firewall protection.

10. What is IP spoofing?

Many firewalls examine the source IP addresses of packets to determine if they are legitimate. A firewall may be instructed to allow traffic through if it comes from a specific trusted host. A malicious cracker would then try to gain entry by "spoofing" the source IP address of packets sent to the firewall. If the firewall thought that the packets originated from a trusted host, it may let them through unless other criteria failed to be met. Of course the cracker would need to know a good deal about the firewall's rule base to exploit this kind of weakness. This reinforces the principle that technology alone will not solve all security problems. Responsible management of information is essential. One of Courtney's laws sums it up: "There are management solutions to technical problems, but no technical solutions to management problems".

An effective measure against IP spoofing is the use of a Virtual Private Network (VPN) protocol such as IPSec. This methodology involves encryption of the data in the packet as well as the source address. The VPN software or firmware decrypts the packet and the source address and performs a checksum. If either the data or the source address have been tampered with, the packet will be dropped. Without access to the encryption keys, a potential intruder would be unable to penetrate the firewall.

11. Firewall related problems

Firewalls introduce problems of their own. Information security involves constraints, and users don't like this. It reminds them that Bad Things can and do happen. Firewalls restrict access to certain services. The vendors of information technology are constantly telling us "anything, anywhere, any time", and we believe them naively. Of course they forget to tell us we need to log in and out, to memorize our 27 different passwords, not to write them down on a sticky note on our computer screen and so on.

Firewalls can also constitute a traffic bottleneck. They concentrate security in one spot, aggravating the single point of failure phenomenon. The alternatives however are either no Internet access, or no security, neither of which are acceptable in most organizations.

12. Benefits of a firewall

Firewalls protect private local area networks from hostile intrusion from the Internet. Consequently, many LANs are now connected to the Internet where Internet connectivity would otherwise have been too great a risk.

Firewalls allow network administrators to offer access to specific types of Internet services to selected LAN users. This selectivity is an essential part of any information management program, and involves not only protecting private information assets, but also knowing who has access to what. Privileges can be granted according to job description and need rather than on an all-or-nothing basis.

Source :