Firewall Basics for the Beginning User

Outline

What is a firewall? Basics of Kerio Firewall - Starting Out Why do I need personal firewall? What a personal firewall can do What personal firewall cant do Personal firewall comparisons Credits

What's a Firewall?
A security system that acts as a protective boundary between a network and the outside world Isolates computer from the internet using a "wall of code"

Inspects each individual "packet" of data as it arrives at either side of the firewall Inbound to or outbound from your computer Determine whether it should be allowed to pass or be blocked

Rules Determine WHO ? WHEN ? WHAT ? HOW ?

INTERNE T

My PC

Firewall

Secure Private Network

A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). A local area network may serve as few as two or three users (for example, in a home network) or many as thousands of users .

Kerio Firewall Basics

Software or hardware between your LAN and the Internet, inspecting both inbound and outbound traffic by rules that you set, which define the sort of security you want. Kerio Choices Permit Unknown Ask Me First Deny Unknown

What Traffic Is Good/What's Bad?

Experience Reading Learning

Installation Note

Information about the remote end-node (IP address, port and communication protocol) Detailed information about the connection

Information about the local application taking part in the communication (as a client or server)

Let the communication pass through or Deny Stop (filter) the communication

Automatically create rule, which causes the next packet of the same type to be either permitted or denied access. This can be used in the initial configuration of Personal Firewall the user does not need to define any rules, but as they run their favorite applications, rules can be created for them in this way. MD5 signature created - subsequent executions of that same application name will be compared against the initial signature. This would prevent a Trojan from spoofing its name to a trusted application such as outlook.exe.

If the communication is permitted by the user, an MD5 signature is created for the application. Signature is checked during each subsequent attempt of the application to communicate over the network.

A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, it's assumed that the complete transmission was received. Both TCP and UDP communication layers provide a checksum count and verification as one of their services.

Application MD5 Signature

Checksum of the application's executable. Application is first run (or when the application first tries to communicate via the network) Dialog displays , in which a user can permit or deny such communication.

Shared network

Wireless Router

Three IP network addresses reserved for private networks Can be used by anyone setting up internal IP networks. It may be safer to use these because routers on the Internet will never forward packets coming from these addresses. SAFE PINGS ???? 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16.
Ping is a basic Internet program that lets you verify that a particular IP address exists and can accept requests. Ping is used diagnostically to ensure that a host computer you are trying to reach is actually operating

I accessed IE, my browser to get to Google.

Remember to Check the box so the appropriate rule will be created.

I also have IM. This is a connection Ill permit, since it was initiated by the application

Starting Out - Basic Guidelines

(Remember - set to learning mode by default)

Start in Ask Me First Permit everything you initiate for 2 - 5 days Default to Deny pings
If you choose to enable, remember, for the most part you don't mind sending (outbound) "requests", or receiving (inbound) "replies", but you don't want to be replying outbound, yourself, unless absolutely necessary

Deny anything you do not initiate If questionable -

Deny Take a print of screen Send to Net Manager or __________________

Kerio Firewall Basics

User set rules that act as filters (either defined or traffic based) Can disallow unauthorized or potentially dangerous material from entering the system Logs attempted intrusions

Alerting and Logging

Key Features of Firewall ability to alert the user when it detects an attack, to maintain a system log of these events

Provides ability to identify threats and to fine tune the firewall configuration appropriately A key responsibility of the user is to monitor the logs and take appropriate action when necessary.
Not all events that appear in the log are hacker "attacks." Many different types of harmless events
Example - ISP server pings that can appear in the log

Kerio Firewall Basics

How A Firewall Works

How does a Firewall Work?

Internet communication is accomplished by exchange of individual "packets" of data. Each packet is transmitted by its source machine toward its destination machine.
Connection" is actually comprised of individual packets traveling between those two "connected" machines. They "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.

Every Internet Packet Must Contain

A destination address and port number. The IP address and a port number of the originating machine. (its complete source and destination addresses)

An IP address always identifies a single machine on the Internet and the port is associated with a particular service or conversation happening on the machine.

What a Firewall Can Do

Since the firewall software inspects each and every packet of data as it arrives at your computer BEFORE it's seen by any other software running within your computer the firewall has total veto power over your computer's receipt of anything from the Internet.

A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!

What a Firewall Can Do

But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks.

It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.
In packet filtering, the firewall software inspects the header information (source and destination IP addresses and ports) in each incoming and, in some cases, outgoing, TCP/IP packet. Based on this information, the firewall blocks the packet or transmits it.

Originating Your Own Connections to Other Machines on the Internet?

When you surf the web you need to connect to web servers that might have any IP address. Every packet that flows between the two machines is acknowledging the receipt of all previous data (through "ACK" bit). A firewall determines whether an arriving packet is: initiating a new connection, or continuing an existing conversation.
Permit the establishment of outbound connections/ Blocking new connection attempts from the outside. Established connection packets are allowed to pass through the firewall, New connection packet attempts are discarded.

Packet Filtering Rules

Filtering rules define which packets should be allowed or denied communication. Without these rules Kerio Personal Firewall would only work in two modes: all communication allowed all communication denied.

There exist two ways of creating the filtering rules: Automatically - either permit or deny unknown packet Manually in the Personal Firewall Administration program create rules edit rules remove rules prioritize rules (put in order) defined rules display in the Filter Rules tab Located in Firewall Administration main window(Advanced), Firewall tab).

List of filtering rules

The filtering rules are displayed in a table, in which each line represents one rule. Individual columns have the following meaning: Checkbox indicates whether the rule is active or not. By a single click the user can activate or deactivate the rule without the need of removing or adding it. Application icon displays the icon of the local application, to which the rule applies. If the rule is valid for all applications a special green icon saying ANY is displayed instead. Only in rare situations should such a rule exist. Rule Description the direction and description of a rule. The following symbols are used for direction: right arrow (outgoing packet), left arrow (incoming packet), double (both-direction) arrow (the rule applies for both outgoing and incoming packets). The rule's description can contain anything the user wishes. For an automatically created rule the name of the application is used for its description. Protocol used communication protocol (TCP, UDP, ICMP...). The direction of the communication (In, Out or Both) is also displayed in brackets following the name of the protocol. Local local port

Remote remote IP address and port (separated by a colon)

Application the local application's executable including the full path. If the application is an operating system service, the name displayed will be SYSTEM.

Controls
Add adds a new rule at the end of the list Insert inserts a new rule above the selected rule. This function spares the user of moving the new rule within the list, as it allows for inserting a new rule to any desired place. Edit edits the selected rule Delete removes the selected rule Arrow buttons (to the right of the list of rules) these enable placement of a selected rule within the list. Note that filters work from top down so the placement of a rule is very important

What a Firewall Cannot Do

Do Firewalls Prevent Viruses and Trojans? NO!! A firewall can only prevent a virus or Trojan from accessing the internet while on your machine 95% of all viruses and Trojans are received via e-mail, through file sharing (like Kazaa or Gnucleus) or through direct download of a malicious program Firewalls can't prevent this -- only a good anti-virus software program can

However, once installed on your PC, many viruses and Trojans "call home" using the internet to the hacker that designed it This lets the hacker activate the Trojan and he/she can now use your PC for his/her own purposes A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system

IF: Application's executable is changed (e.g. it is infected by a virus or it is replaced by another program) communication is denied displays a warning asks if such a change should be accepted (e.g. in case of the application upgrade) or not.

Filter Rules Before You Start

You'll have an easier time if you can get the following information, and write it down for reference:
DNS server address(es); DHCP server address(es); The subnet mask and range of any LAN you may have, along with the statically assigned address ranges of your active machines, if you use static IP addresses locally.

Before You Start

Simple packet and port port filtering firewalls Kerio filters ports and IP's, and supports very basic application layer authentication, by verifying that apps are what they say they are via an MD5 hash. Fully rules based firewall,
no automation functions minimal suggested or pre-coded rules ultimate measure of effectiveness depends on sound, ordered rules.

Users will be prompted to allow or disallow traffic to their machines through the firewall. Look carefully at what the traffic is and where is it coming from. It will be up the the individual user to decided what traffic to allow and what traffic to deny. If there is a question, deny the traffic but take a snap shot of the firewall warning and send to your Net Manager or _______________ for assistance.

Creating a Basic Rule set

Emphasis is on "basic." Prompts will help you set up your internet apps. A deny by default firewall The first rules you need will be a deceptively simple trilogy,

very basic set of rules to allow DNS, DHCP and ICMP. The apps will follow, in due time. If you use static IP addressing (behind a router, for example), the DHCP rule is unnecessary. You may also want to provide for open access for your LAN machines, if you have a network and consider it fully trusted, near the top.

Rule Priority and Ordering

Very simple, and critically important.

Top down, process until a match is found. When a match is found, apply the matching rule and STOP. Nothing below the match will be looked at at all. Using creativity, this opens up the potential for some very nice if-then conditionals. No analog to "pass", where a rule is applied and processing continues. Only options are allow and deny.

Configuration Information

Depends on both ports and application names. Users can define rules according to actual ports or they can set rules to match a program The firewall will detect common programs such as web browsers and email programs and auto configure the necessary ports as they attempt to connect to the internet. The firewall can be set to learn new programs to begin with and later changed to only allow those that have been predefined.

The firewall tends to default to "any port for detected applications Recommended that users learn the required port for each allowable Internet program and edit the remote ports to match.

Comparison

Support

If you have a Net Manager, they should be your first contact for any issues you may be experiencing. However, if you would like to contact us, or you do not have a Net Manager, please feel free to contact

The key to security awareness is embedded in the word security

SEC-

-Y

If not you, who? If not now, when?

Resources at the University of Arizona

Kerio Firewall https://sitelicense.arizona.edu/kerio/kerio.shtml

Sophos Anti Virus https://sitelicense.arizona.edu/sophos/sophos.html

VPN client software https://sitelicense.arizona.edu/vpn/vpn.shtml Policies, Procedures and Guidelines http://w3.arizona.edu/~policy/ Security Awareness http://security.arizona.edu/~security/awareness.htm

University Information Security Office

Bob Lancaster
University

Security Incident Response Team (SIRT)

sirt@arizona.edu
626-0100

Information Security Officer Co-Director CCIT, Telecommunications Lancaster@arizona.edu 621-4482

Kelley Bogart
Information

Security Office Analyst Bogartk@u.arizona.edu 626-8232

Credits
Steve Gibson, Gibson Research Corporation http://grace.com/us-firewalls.htm Kerio User Guide - can be downloaded from http://www.kerio.com/us/supp_kpf_manual.html Kerio Firewall Online Resource

http://www.broadbandreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW