Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
Outline
What is a firewall? Basics of Kerio Firewall - Starting Out Why do I need personal firewall? What a personal firewall can do What personal firewall cant do Personal firewall comparisons Credits
What's a Firewall?
A security system that acts as a protective boundary between a network and the outside world Isolates computer from the internet using a "wall of code"
Inspects each individual "packet" of data as it arrives at either side of the firewall Inbound to or outbound from your computer Determine whether it should be allowed to pass or be blocked
INTERNE T
My PC
Firewall
A local area network (LAN) is a group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). A local area network may serve as few as two or three users (for example, in a home network) or many as thousands of users .
Software or hardware between your LAN and the Internet, inspecting both inbound and outbound traffic by rules that you set, which define the sort of security you want. Kerio Choices Permit Unknown Ask Me First Deny Unknown
Installation Note
Information about the remote end-node (IP address, port and communication protocol) Detailed information about the connection
Information about the local application taking part in the communication (as a client or server)
Let the communication pass through or Deny Stop (filter) the communication
Automatically create rule, which causes the next packet of the same type to be either permitted or denied access. This can be used in the initial configuration of Personal Firewall the user does not need to define any rules, but as they run their favorite applications, rules can be created for them in this way. MD5 signature created - subsequent executions of that same application name will be compared against the initial signature. This would prevent a Trojan from spoofing its name to a trusted application such as outlook.exe.
If the communication is permitted by the user, an MD5 signature is created for the application. Signature is checked during each subsequent attempt of the application to communicate over the network.
A checksum is a count of the number of bits in a transmission unit that is included with the unit so that the receiver can check to see whether the same number of bits arrived. If the counts match, it's assumed that the complete transmission was received. Both TCP and UDP communication layers provide a checksum count and verification as one of their services.
Checksum of the application's executable. Application is first run (or when the application first tries to communicate via the network) Dialog displays , in which a user can permit or deny such communication.
Shared network
Wireless Router
Three IP network addresses reserved for private networks Can be used by anyone setting up internal IP networks. It may be safer to use these because routers on the Internet will never forward packets coming from these addresses. SAFE PINGS ???? 10.0.0.0/8, 172.16.0.0/12 192.168.0.0/16.
Ping is a basic Internet program that lets you verify that a particular IP address exists and can accept requests. Ping is used diagnostically to ensure that a host computer you are trying to reach is actually operating
I also have IM. This is a connection Ill permit, since it was initiated by the application
Start in Ask Me First Permit everything you initiate for 2 - 5 days Default to Deny pings
If you choose to enable, remember, for the most part you don't mind sending (outbound) "requests", or receiving (inbound) "replies", but you don't want to be replying outbound, yourself, unless absolutely necessary
User set rules that act as filters (either defined or traffic based) Can disallow unauthorized or potentially dangerous material from entering the system Logs attempted intrusions
Key Features of Firewall ability to alert the user when it detects an attack, to maintain a system log of these events
Provides ability to identify threats and to fine tune the firewall configuration appropriately A key responsibility of the user is to monitor the logs and take appropriate action when necessary.
Not all events that appear in the log are hacker "attacks." Many different types of harmless events
Example - ISP server pings that can appear in the log
Internet communication is accomplished by exchange of individual "packets" of data. Each packet is transmitted by its source machine toward its destination machine.
Connection" is actually comprised of individual packets traveling between those two "connected" machines. They "agree" that they're connected and each machine sends back "acknowledgement packets" to let the sending machine know that the data was received.
An IP address always identifies a single machine on the Internet and the port is associated with a particular service or conversation happening on the machine.
A TCP/IP port is only "open" on your computer if the first arriving packet which requests the establishment of a connection is answered by your computer. If the arriving packet is simply ignored, that port of your computer will effectively disappear from the Internet. No one and nothing can connect to it!
But the real power of a firewall is derived from its ability to be selective about what it lets through and what it blocks.
It can "filter" the arriving packets based upon any combination of the originating machine's IP address and port and the destination machine's IP address and port.
In packet filtering, the firewall software inspects the header information (source and destination IP addresses and ports) in each incoming and, in some cases, outgoing, TCP/IP packet. Based on this information, the firewall blocks the packet or transmits it.
When you surf the web you need to connect to web servers that might have any IP address. Every packet that flows between the two machines is acknowledging the receipt of all previous data (through "ACK" bit). A firewall determines whether an arriving packet is: initiating a new connection, or continuing an existing conversation.
Permit the establishment of outbound connections/ Blocking new connection attempts from the outside. Established connection packets are allowed to pass through the firewall, New connection packet attempts are discarded.
Filtering rules define which packets should be allowed or denied communication. Without these rules Kerio Personal Firewall would only work in two modes: all communication allowed all communication denied.
There exist two ways of creating the filtering rules: Automatically - either permit or deny unknown packet Manually in the Personal Firewall Administration program create rules edit rules remove rules prioritize rules (put in order) defined rules display in the Filter Rules tab Located in Firewall Administration main window(Advanced), Firewall tab).
The filtering rules are displayed in a table, in which each line represents one rule. Individual columns have the following meaning: Checkbox indicates whether the rule is active or not. By a single click the user can activate or deactivate the rule without the need of removing or adding it. Application icon displays the icon of the local application, to which the rule applies. If the rule is valid for all applications a special green icon saying ANY is displayed instead. Only in rare situations should such a rule exist. Rule Description the direction and description of a rule. The following symbols are used for direction: right arrow (outgoing packet), left arrow (incoming packet), double (both-direction) arrow (the rule applies for both outgoing and incoming packets). The rule's description can contain anything the user wishes. For an automatically created rule the name of the application is used for its description. Protocol used communication protocol (TCP, UDP, ICMP...). The direction of the communication (In, Out or Both) is also displayed in brackets following the name of the protocol. Local local port
Controls
Add adds a new rule at the end of the list Insert inserts a new rule above the selected rule. This function spares the user of moving the new rule within the list, as it allows for inserting a new rule to any desired place. Edit edits the selected rule Delete removes the selected rule Arrow buttons (to the right of the list of rules) these enable placement of a selected rule within the list. Note that filters work from top down so the placement of a rule is very important
However, once installed on your PC, many viruses and Trojans "call home" using the internet to the hacker that designed it This lets the hacker activate the Trojan and he/she can now use your PC for his/her own purposes A firewall can block the call home and can alert you if there is suspicious behavior taking place on your system
IF: Application's executable is changed (e.g. it is infected by a virus or it is replaced by another program) communication is denied displays a warning asks if such a change should be accepted (e.g. in case of the application upgrade) or not.
You'll have an easier time if you can get the following information, and write it down for reference:
DNS server address(es); DHCP server address(es); The subnet mask and range of any LAN you may have, along with the statically assigned address ranges of your active machines, if you use static IP addresses locally.
Simple packet and port port filtering firewalls Kerio filters ports and IP's, and supports very basic application layer authentication, by verifying that apps are what they say they are via an MD5 hash. Fully rules based firewall,
no automation functions minimal suggested or pre-coded rules ultimate measure of effectiveness depends on sound, ordered rules.
Users will be prompted to allow or disallow traffic to their machines through the firewall. Look carefully at what the traffic is and where is it coming from. It will be up the the individual user to decided what traffic to allow and what traffic to deny. If there is a question, deny the traffic but take a snap shot of the firewall warning and send to your Net Manager or _______________ for assistance.
Top down, process until a match is found. When a match is found, apply the matching rule and STOP. Nothing below the match will be looked at at all. Using creativity, this opens up the potential for some very nice if-then conditionals. No analog to "pass", where a rule is applied and processing continues. Only options are allow and deny.
Configuration Information
Depends on both ports and application names. Users can define rules according to actual ports or they can set rules to match a program The firewall will detect common programs such as web browsers and email programs and auto configure the necessary ports as they attempt to connect to the internet. The firewall can be set to learn new programs to begin with and later changed to only allow those that have been predefined.
The firewall tends to default to "any port for detected applications Recommended that users learn the required port for each allowable Internet program and edit the remote ports to match.
Comparison
Support
If you have a Net Manager, they should be your first contact for any issues you may be experiencing. However, if you would like to contact us, or you do not have a Net Manager, please feel free to contact
SEC-
-Y
Kelley Bogart
Information
Credits
Steve Gibson, Gibson Research Corporation http://grace.com/us-firewalls.htm Kerio User Guide - can be downloaded from http://www.kerio.com/us/supp_kpf_manual.html Kerio Firewall Online Resource
http://www.broadbandreports.com/faq/security/2.5.1.+Kerio+and+pre-v3.0+Tiny+PFW