Chapter 2

Managing Firewalls and Virus Protection

IN THIS CHAPTER

check Understanding what firewalls do

check Examining the different types of firewalls

check Looking at virus protection

check Discovering Windows security

If your network is connected to the Internet, a whole host of security issues bubble to the surface. You probably connected your network to the Internet so that your network’s users could access the Internet. Unfortunately, however, your Internet connection is a two-way street. Not only does it enable your network’s users to step outside the bounds of your network to access the Internet, but it also enables others to step in and access your network.

And step in they will. The world is filled with hackers looking for networks like yours to break into. They may do it just for fun, or they may do it to steal your customers’ credit card numbers or to coerce your mail server into sending thousands of spam messages on their behalf. Whatever their motive, rest assured that your network will be broken into if you leave it unprotected.

This chapter presents an overview of two basic techniques for securing your network’s Internet connection: firewalls and virus protection.

Firewalls

A firewall is a security-conscious router that sits between the Internet and your network with a single-minded task: preventing them from getting to us. The firewall acts as a security guard between the Internet and your local area network (LAN). All network traffic into and out of the LAN must pass through the firewall, which prevents unauthorized access to the network.

warning Some type of firewall is a must-have if your network has a connection to the Internet, whether that connection is broadband (cable modem or digital subscriber line; DSL), T1, or some other high-speed connection. Without it, sooner or later a hacker will discover your unprotected network and tell his friends about it. Within a few hours, your network will be toast.

You can set up a firewall two basic ways. The easiest way is to purchase a firewall appliance, which is basically a self-contained router with built-in firewall features. Most firewall appliances include a web-based interface that enables you to connect to the firewall from any computer on your network using a browser. You can then customize the firewall settings to suit your needs.

Alternatively, you can set up a server computer to function as a firewall computer. The server can run just about any network operating system (NOS), but most dedicated firewall systems run Linux.

Whether you use a firewall appliance or a firewall computer, the firewall must be located between your network and the Internet, as shown in Figure 2-1. Here, one end of the firewall is connected to a network switch (a hub, in older installations), which is in turn connected to the other computers on the network. The other end of the firewall is connected to the Internet. As a result, all traffic from the LAN to the Internet and vice versa must travel through the firewall.

image

FIGURE 2-1: Using a firewall appliance.

technicalstuff The term perimeter is sometimes used to describe the location of a firewall on your network. In short, a firewall is like a perimeter fence that completely surrounds your property and forces all visitors to enter through the front gate.

The Many Types of Firewalls

Firewalls employ four basic techniques to keep unwelcome visitors out of your network. The following sections describe these basic firewall techniques.

Packet filtering

A packet-filtering firewall examines each packet that crosses the firewall and tests the packet according to a set of rules that you set up. If the packet passes the test, it’s allowed to pass. If the packet doesn’t pass, it’s rejected.

Packet filters are the least expensive type of firewall. As a result, packet-filtering firewalls are very common. However, packet filtering has a number of flaws that knowledgeable hackers can exploit. As a result, packet filtering by itself doesn’t make for a fully effective firewall.

Packet filters work by inspecting the headers of each packet: the source and destination IP addresses from the IP header, and the source and destination port numbers from the TCP or UDP header that follows it. TCP/IP ports are numbers assigned to specific services that identify which service each packet is intended for. For example, the port number for HTTP is 80, so any incoming packet headed for a web server will specify port 80 as the destination port (its source port is whatever number the client picked when it opened the connection).

Port numbers are often specified with a colon following an IP address. For example, the HTTP service on a server whose IP address is 192.168.10.133 would be 192.168.10.133:80.

Port numbers run from 0 to 65535. The Internet Assigned Numbers Authority (IANA) reserves 0 through 1023 as the well-known ports for standard services and 1024 through 49151 as registered ports; the remainder are dynamic ports that clients pick for their end of a connection. Table 2-1 lists a few of the most common well-known ports.

TABLE 2-1 Some Well-Known TCP/IP Ports

Port   Description
20     File Transfer Protocol (FTP) data channel
21     File Transfer Protocol (FTP) control channel
22     Secure Shell (SSH)
23     Telnet
25     Simple Mail Transfer Protocol (SMTP)
53     Domain Name System (DNS)
80     Hypertext Transfer Protocol (HTTP)
110    Post Office Protocol version 3 (POP3)
119    Network News Transfer Protocol (NNTP)
137    NetBIOS Name Service
138    NetBIOS Datagram Service
139    NetBIOS Session Service
143    Internet Message Access Protocol (IMAP)
161    Simple Network Management Protocol (SNMP)
194    Internet Relay Chat (IRC)
389    Lightweight Directory Access Protocol (LDAP)
396    NetWare over IP
443    HTTP over TLS/SSL (HTTPS)

Note that several of the older services in this table (FTP, Telnet, POP3, IMAP on port 143, and SNMP version 1 and 2) send passwords and data in plaintext; if you must expose them at all, prefer their encrypted counterparts.

The rules that you set up for the packet filter either permit or deny packets that specify certain IP addresses or ports. For example, you may permit packets that are intended for your mail server or your web server and deny all other packets. Or, you may set up a rule that specifically denies packets heading for the ports used by NetBIOS (137 through 139) and for port 445, which Windows file sharing uses directly over TCP. This rule keeps Internet hackers from reaching NetBIOS and SMB server resources, such as files or printers.

One of the biggest weaknesses of packet filtering is that it pretty much trusts the packets to tell the truth about where they come from and where they are going. Hackers exploit this weakness with a technique called IP spoofing: they forge the source address in the packets they send to your network, for example claiming an address on your own LAN so that a rule that trusts internal addresses lets them through. The standard defense is an anti-spoofing rule: drop any packet that arrives on the Internet-facing interface whose source address belongs to your own network (or to a private, loopback, or otherwise unroutable range), because a genuine packet from the Internet can never carry one. Spoofing is most useful to an attacker when the attack needs no reply, since any answers go to the forged address rather than to the attacker.

Another weakness of packet filtering is that it examines each packet in isolation without considering what packets have gone through the firewall before and what packets may follow. In other words, packet filtering is stateless. That matters for replies: to let the answers to connections your users open reach them, a stateless filter has to admit inbound packets that merely look like replies (for TCP, packets with the ACK flag set), so an attacker can craft packets with ACK set and get them past the filter even though they belong to no connection. Hackers use exactly this trick to probe which ports a stateless filter leaves reachable.

In spite of these weaknesses, packet filter firewalls have several advantages that explain why they are commonly used:

  • Efficient: They hold up each inbound and outbound packet only momentarily while they read the source and destination addresses and ports from its headers. After these addresses and ports are determined, the packet filter quickly applies its rules and either sends the packet along or rejects it. In contrast, other firewall techniques have a more noticeable performance overhead.
  • Almost completely transparent to users: The only time a user will be aware that a packet-filter firewall is being used is when the firewall rejects packets. Other firewall techniques require that clients and/or servers be specially configured to work with the firewall.
  • Inexpensive: Even consumer-grade routers include built-in packet filtering.

Stateful packet inspection (SPI)

Stateful packet inspection (SPI) is a step up in intelligence from simple packet filtering. A stateful firewall keeps a connection table: when a computer on your LAN opens a connection to the Internet, the firewall records it, and inbound packets are then admitted only if they belong to a connection in that table. A forged packet that merely looks like a reply is dropped because no matching connection exists. Because the firewall sees packets in context rather than individually, it can also detect patterns across packets that indicate unauthorized access, such as one host trying port after port. In some cases, the firewall may hold on to packets as they arrive until it has gathered enough information to decide whether they should be authorized or rejected.

Stateful packet inspection was once found only on expensive, enterprise-level routers. Now, however, SPI firewalls are affordable enough for small- or medium-sized networks to use.
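The difference between the stateless rules described under "Packet filtering" and the connection tracking described here, as an added example that is not part of the original chapter: a small Python model of both filters, run over constructed packets. The LAN range, the web server address (192.168.10.133, the address used in the text), the outside addresses (documentation ranges) and the exact rule set are assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed layout for this example: the LAN is 192.168.10.0/24 and the public
# web server is 192.168.10.133 (the address used in the text). The Internet
# addresses in demo() are documentation ranges, not real hosts.
LAN = ip_network("192.168.10.0/24")
WEB_SERVER = ip_address("192.168.10.133")
NETBIOS_PORTS = {137, 138, 139, 445}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False      # TCP SYN: first packet of a new connection
    ack: bool = False      # TCP ACK: set on every packet after the first
    inbound: bool = True   # arrived on the Internet-facing interface


def stateless_filter(pkt: Packet) -> str:
    """Plain packet filter: judges each packet entirely on its own headers."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if pkt.inbound and src in LAN:
        return "DROP spoofed source"     # anti-spoofing rule
    if not pkt.inbound:
        return "ACCEPT outbound"
    if pkt.dport in NETBIOS_PORTS:
        return "DROP netbios"
    if dst == WEB_SERVER and pkt.dport == 80:
        return "ACCEPT web"
    # To let replies to connections opened from inside come back, a stateless
    # filter can only look at the flags: anything with ACK set passes, whether
    # or not a connection really exists. (Cisco's "established" keyword on an
    # access list works exactly this way.)
    if pkt.ack:
        return "ACCEPT reply"
    return "DROP default"


class StatefulFilter:
    """Same policy, but inbound 'replies' are accepted only when the
    connection table has seen the matching outbound SYN."""

    def __init__(self) -> None:
        # (lan_ip, lan_port, remote_ip, remote_port) for every connection
        # opened from inside. A real firewall also times entries out and
        # removes them on FIN/RST; that bookkeeping is omitted here.
        self.connections: set = set()

    def check(self, pkt: Packet) -> str:
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if pkt.inbound and src in LAN:
            return "DROP spoofed source"
        if not pkt.inbound:
            if pkt.syn and not pkt.ack:
                self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT outbound"
        if pkt.dport in NETBIOS_PORTS:
            return "DROP netbios"
        if dst == WEB_SERVER and pkt.dport == 80:
            return "ACCEPT web"
        # Reverse the 4-tuple and look it up: only a genuine reply matches.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "ACCEPT reply"
        return "DROP default"


def demo() -> dict:
    """Run constructed packets through both filters; returns
    {name: (stateless verdict, stateful verdict)}."""
    packets = [
        # A LAN host opens an HTTPS connection to an outside server...
        ("out", Packet("192.168.10.50", "203.0.113.7", 51000, 443, syn=True, inbound=False)),
        # ...and the server's SYN/ACK comes back.
        ("reply", Packet("203.0.113.7", "192.168.10.50", 443, 51000, syn=True, ack=True)),
        # A forged 'reply' (ACK set) to a connection nobody opened: an ACK-scan probe.
        ("forged", Packet("198.51.100.9", "192.168.10.50", 443, 40000, ack=True)),
        # A packet from the Internet claiming a LAN source address.
        ("spoofed", Packet("192.168.10.1", "192.168.10.133", 1234, 139, syn=True)),
        # A legitimate request to the public web server.
        ("web", Packet("198.51.100.9", "192.168.10.133", 40001, 80, syn=True)),
        # A NetBIOS session probe from outside.
        ("netbios", Packet("198.51.100.9", "192.168.10.133", 40002, 139, syn=True)),
    ]
    stateful = StatefulFilter()
    return {name: (stateless_filter(p), stateful.check(p)) for name, p in packets}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(f"{name:8} stateless={verdicts[0]:22} stateful={verdicts[1]}")
```

The forged packet is the one to watch: the stateless filter accepts it as a reply because its ACK flag is set, while the stateful filter drops it because no LAN host ever opened that connection. Both filters agree on everything else, which is why a stateless filter looks adequate until someone probes it.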

Circuit-level gateway

A circuit-level gateway manages connections between clients and servers based on TCP/IP addresses and port numbers. After the connection is established, the gateway doesn’t interfere with packets flowing between the systems.

For example, you can use a Telnet circuit-level gateway to allow Telnet connections (port 23) to a particular server and prohibit other types of connections to that server. After the connection is established, the circuit-level gateway allows packets to flow freely over the connection. As a result, the circuit-level gateway can’t prevent a Telnet user from running specific programs or using specific commands.

Application gateway

An application gateway is a firewall system that is more intelligent than a packet-filtering firewall, stateful packet inspection, or circuit-level gateway firewall. Packet filters treat all TCP/IP packets the same. In contrast, application gateways know the details about the applications that generate the packets that pass through the firewall. For example, a web application gateway is aware of the details of HTTP packets. As a result, it can examine more than just the source and destination addresses and ports to determine whether the packets should be allowed to pass through the firewall.

In addition, application gateways work as proxy servers. Simply put, a proxy server is a server that sits between a client computer and a real server. The proxy server intercepts packets that are intended for the real server and processes them. The proxy server can examine the packet and decide to pass it on to the real server, or it can reject the packet. Or, the proxy server may be able to respond to the packet itself without involving the real server at all.

For example, web proxies often store copies of commonly used web pages in a local cache. When a user requests a web page from a remote web server, the proxy server intercepts the request and checks whether it already has a copy of the page in its cache. If so, the web proxy returns the page directly to the user. If not, the proxy passes the request on to the real server.

Application gateways are aware of the details of how various types of TCP/IP servers handle sequences of TCP/IP packets to make more intelligent decisions about whether an incoming packet is legitimate or is part of an attack. As a result, application gateways are more secure than simple packet-filtering firewalls, which can deal with only one packet at a time.

The improved security of application gateways, however, comes at a price. Application gateways are more expensive than packet filters, both in terms of their purchase price and in the cost of configuring and maintaining them. In addition, application gateways slow network performance because they do more detailed checking of packets before allowing them to pass.
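To make the contrast between the two gateway types concrete, here is an added example in Python (not code from the original chapter): a circuit-level decision that looks only at the destination port, beside an HTTP application-gateway check that parses the request before relaying it. The allowed host name, the allowed methods and the sample requests are all constructed for the example.

```python
import re

# Policy assumed for this example: outside clients may open port 80, and only
# plain GET/HEAD/POST requests for our own host name are forwarded to the real
# server. The host name is a placeholder.
ALLOWED_PORTS = {80}
ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example.com"}
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]$")


def circuit_level_decision(dst_port: int) -> bool:
    """A circuit-level gateway decides once, when the connection is set up,
    and never looks at the bytes that follow."""
    return dst_port in ALLOWED_PORTS


def application_gateway_decision(dst_port: int, payload: bytes) -> str:
    """An HTTP application gateway parses the request before relaying it."""
    if not circuit_level_decision(dst_port):
        return "reject: port not allowed"
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "reject: not a complete HTTP request"
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        return "reject: malformed request line"
    method, target = m.group(1).decode(), m.group(2).decode()
    if method not in ALLOWED_METHODS:
        return f"reject: method {method} not allowed"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            return "reject: malformed header"
        headers[name.strip().lower()] = value.strip()
    host = headers.get(b"host", b"").decode(errors="replace")
    if host not in ALLOWED_HOSTS:
        return f"reject: host {host!r} not allowed"
    # A request carrying both framing mechanisms is ambiguous: the gateway and
    # the real server might disagree about where it ends, which is the basis
    # of HTTP request smuggling. Refuse it rather than guess.
    if b"content-length" in headers and b"transfer-encoding" in headers:
        return "reject: ambiguous message framing"
    return f"forward: {method} {target} to {host}"


def demo() -> dict:
    """Constructed connections: (destination port, first bytes the client sent).
    Returns {name: (circuit-level verdict, application-gateway verdict)}."""
    samples = {
        "normal": (80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
        # An attempt to use the gateway as a tunnel to somewhere else.
        "tunnel": (80, b"CONNECT attacker.example:443 HTTP/1.1\r\nHost: attacker.example\r\n\r\n"),
        # An SSH server banner: something other than HTTP running on port 80.
        "ssh_on_80": (80, b"SSH-2.0-OpenSSH_9.6\r\n"),
        "smuggle": (80, b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
                        b"Content-Length: 4\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
        "telnet": (23, b"\xff\xfd\x18"),
    }
    return {name: (circuit_level_decision(port), application_gateway_decision(port, data))
            for name, (port, data) in samples.items()}


if __name__ == "__main__":
    for name, (circuit, app) in demo().items():
        print(f"{name:10} circuit-level={'allow' if circuit else 'deny':5}  application gateway: {app}")
```

The circuit-level check lets every port-80 connection through, including the tunnel request and the SSH server that someone parked on port 80; only the application gateway, because it understands HTTP, can tell them apart from a real web request.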

The Built-In Windows Firewall

Windows comes with a built-in host firewall (a stateful filter in current versions, managed through Windows Firewall with Advanced Security). It protects only the computer it runs on, so it is not a substitute for a firewall between your network and the Internet. It is, however, a valuable second layer: a perimeter firewall does nothing about an infected machine that is already on your LAN, and the host firewall on each computer is what limits that spread. Use both.

Here are the steps to activate the firewall in Windows:

  1. Choose Start⇒  Control Panel.

    In the Control Panel, click System and Security.

  2. On the System and Security page, click Windows Firewall.
  3. On the Windows Firewall page, click Turn Windows Firewall On or Off.

    The page shown in Figure 2-2 appears.

  4. Select the Turn On Windows Firewall radio button.

    Note that there are two such buttons: one for home and work (private) networks and one for public networks. Turn the firewall on for both. The private profile can carry a more relaxed rule set (file and printer sharing, for example), but the public profile, which applies when the computer is on a hotel or coffee-shop network, should block all unsolicited inbound connections.

  5. Click OK.

    The firewall is enabled.

image

FIGURE 2-2: Activating the firewall.

warning Keep Windows Firewall on even when a separate firewall router protects your network. The router stops traffic from the Internet, but the other computers on your LAN talk to your computer directly, without passing through it, so if one of them is infected the host firewall is the only thing standing in the way. If turning it on breaks file and printer sharing, open just those ports for the private network profile (Windows offers this as the File and Printer Sharing exception) rather than turning the whole firewall off.

tip Windows Firewall is turned on by default, and on a domain-joined computer the network’s group policy settings usually enforce that. Leave it on. If an application needs to accept incoming connections, add a rule for it on the Allow an App or Feature Through Windows Firewall page instead of disabling the firewall. (For more information about group policy, see Book 8, Chapter 6.)

Virus Protection

Viruses are one of the most misunderstood computer phenomena around these days. What is a virus? How does it work? How does it spread from computer to computer? I’m glad you asked.

What is a virus?

Make no mistake — viruses are real. Now that most people are connected to the Internet, viruses have really taken off. Every computer user is susceptible to attacks by computer viruses, and using a network increases your vulnerability because it exposes all network users to the risk of being infected by a virus that lands on any one network user’s computer.

Viruses don’t just spontaneously appear out of nowhere. Viruses are computer programs that are created by malicious programmers who’ve lost a few screws and should be locked up.

What makes a virus a virus is its capability to make copies of itself that can be spread to other computers. These copies, in turn, make still more copies that spread to still more computers, and so on, ad nauseam.

Then, the virus patiently waits until something triggers it — perhaps when you type a particular command or press a certain key, when a certain date arrives, or when the virus creator sends the virus a message. What the virus does when it strikes also depends on what the virus creator wants the virus to do. Some viruses harmlessly display a “gotcha” message. Some email themselves to everyone in your address book. Some wipe out all the data on your hard drive or, increasingly, encrypt it and demand payment for the key (ransomware). Ouch.

technicalstuff Many years ago, in the prehistoric days of computers, viruses were passed from one computer to another by latching themselves onto floppy disks. Whenever you borrowed a floppy disk from a buddy, you ran the risk of infecting your own computer with a virus that may have stowed away on the disk.

Virus programmers have discovered that email is a very efficient method to spread their viruses. Typically, a virus masquerades as a useful or interesting email attachment, such as instructions on how to make $1,000,000 in your spare time, pictures of naked celebrities, or a Valentine’s Day greeting from your long-lost sweetheart. When a curious but unsuspecting user opens the attachment, the virus springs to life, copying itself onto the user’s computer — sometimes sending copies of itself to all the names in the user’s address book.

After the virus works its way onto a networked computer, the virus can then figure out how to spread itself to other computers on the network. It can also spread itself by burrowing into a flash drive so that when the flash drive is inserted into another computer, that computer may become infected as well.

Here are some more tidbits about protecting your network from virus attacks:

  • The term virus is often used loosely to refer not only to true viruses (which replicate by attaching themselves to other programs or files) but also to any other type of program that’s designed to harm your computer; malware is the more accurate umbrella term. Among these are Trojan horse programs, which pose as something useful or fun, such as a game or a utility, but carry a hidden payload: a backdoor that gives the attacker control of the computer, spyware, or ransomware that encrypts your files and demands payment.
  • A worm is similar to a virus, but it doesn’t infect other files. Instead, it spreads on its own from computer to computer across the network, typically by exploiting an unpatched vulnerability or a weak password on the next machine, which is why a single infected laptop can take down a whole LAN. After a worm has copied itself onto your computer, there’s no telling what it may do there. For example, a worm may scan your hard drive for interesting information, such as passwords or credit card numbers, and then send them to the worm’s author, or install further malware.
  • Antivirus vendors now catalog millions of distinct malware samples, grouped into families. Many of the older ones have colorful names, such as the ILOVEYOU virus, the Stoned virus, and the Michelangelo virus.
  • Antivirus programs can recognize known viruses and remove them from your system, and they can spot the telltale signs of unknown viruses. Unfortunately, the idiots who write viruses aren’t idiots (in the intellectual sense), so they’re constantly developing new techniques to evade detection by antivirus programs. New viruses are frequently discovered, and antivirus programs are periodically updated to detect and remove them.

Antivirus programs

The best way to protect your network from virus infection is to use an antivirus program. These programs carry a catalog of known malware (the signature database, which today runs to millions of entries) that they can detect and remove. In addition, they watch for the kinds of changes and behavior that viruses typically produce, such as a program rewriting other executables or a file silently growing, which lowers the chance that a previously unknown virus goes undetected, though it can’t eliminate it.
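The two detection methods just described, as an added example in Python that is not code from the original chapter or from any antivirus product: an exact-match catalog (file hashes), a pattern-based signature scan, and a baseline that reports which files changed. The EICAR test string is the real, industry-standard harmless test file that every scanner must detect; the "Example.Dropper" pattern, its sample file and the "clean" files are constructed for the example.

```python
from __future__ import annotations

import hashlib
import re

# The one real signature here: the EICAR test file (harmless by design).
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# A constructed "dropper" sample for the example: a stub that launches
# PowerShell through cmd.exe. It is not real malware.
DROPPER = b"MZ" + b"\x00" * 30 + b"cmd.exe /c start powershell -enc AAAA"

# Pattern catalog: (name, byte pattern). A real product ships millions of
# these and keeps them current through the update feed.
SIGNATURES = [
    ("EICAR-Test-File", re.compile(re.escape(EICAR))),
    ("Example.Dropper", re.compile(rb"cmd\.exe /c .{0,40}?powershell", re.DOTALL)),
]


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Exact-match catalog: hashes of files already analysed. Cheap and precise,
# but a single changed byte in the file produces a different hash.
KNOWN_BAD_HASHES = {sha256(EICAR): "EICAR-Test-File", sha256(DROPPER): "Example.Dropper"}


def scan(data: bytes) -> dict:
    """Return what each detection method found in one file."""
    return {
        "hash": KNOWN_BAD_HASHES.get(sha256(data)),
        "signature": [name for name, pat in SIGNATURES if pat.search(data)],
    }


class IntegrityMonitor:
    """Heuristic side: record a baseline of known-good files and report what
    changed, the way a scanner notices the modifications a file infector makes."""

    def __init__(self, files: dict[str, bytes]) -> None:
        self.baseline = {name: (len(data), sha256(data)) for name, data in files.items()}

    def changed(self, files: dict[str, bytes]) -> dict[str, str]:
        report = {}
        for name, data in files.items():
            old = self.baseline.get(name)
            if old is None:
                report[name] = "new file"
            elif old[1] != sha256(data):
                report[name] = f"modified, size change {len(data) - old[0]:+d} bytes"
        for name in self.baseline:
            if name not in files:
                report[name] = "deleted"
        return report


def demo() -> dict:
    """Constructed file set: a clean baseline, then the same disk after an infection."""
    clean = {
        "calc.exe": b"MZ\x90\x00" + b"\x00" * 60 + b"legit program body",
        "notes.txt": b"meeting at 10",
    }
    monitor = IntegrityMonitor(clean)
    current = dict(clean)
    current["eicar.com"] = EICAR
    current["dropper.exe"] = DROPPER
    # A file infector has appended the dropper's code to calc.exe. The result
    # is a file the hash catalog has never seen, so only the pattern catches it.
    current["calc.exe"] = clean["calc.exe"] + DROPPER[2:]
    return {
        "scan": {name: scan(data) for name, data in current.items()},
        "changes": monitor.changed(current),
    }


if __name__ == "__main__":
    result = demo()
    for name, found in result["scan"].items():
        print(f"{name:12} hash={found['hash']!s:16} pattern={found['signature']}")
    print(result["changes"])
```

The infected calc.exe is the instructive case: its hash matches nothing in the catalog, so exact-match detection misses it, while the pattern scan and the integrity baseline both flag it. That gap is exactly why vendors push signature updates constantly and why modern products lean on behavioral checks as well.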

Windows comes with a built-in antivirus program, Windows Defender (called Microsoft Defender Antivirus in current versions). It is serviceable, and for many small networks it is sufficient. Third-party alternatives include Avast (www.avast.com), which offers a free edition, and commercial endpoint products such as Symantec Endpoint Protection from Symantec and VirusScan Enterprise from McAfee.

remember The people who make antivirus programs have their fingers on the pulse of the virus world and frequently release updates to their software to combat the latest viruses. Because virus writers are constantly developing new viruses, your antivirus software is next to worthless unless you keep it up to date by downloading the latest updates.

Here are several approaches to deploying antivirus protection on your network:

  • Install antivirus software on each network user’s computer. This technique would be the most effective if you could count on all your users to keep their antivirus software up to date. Because that’s an unlikely proposition, you may want to adopt a more reliable approach to virus protection.
  • Managed antivirus services place antivirus client software on each client computer in your network. Then, an antivirus server automatically updates the clients on a regular basis to make sure that they’re kept up to date.
  • Server-based antivirus software protects your network servers from viruses. For example, you can install antivirus software on your mail server to scan all incoming mail for viruses and remove them before your network users ever see them.
  • Some firewall appliances include antivirus enforcement checks that don’t allow your users to access the Internet unless their antivirus software is running and up to date. This is a useful backstop for the “users don’t update” problem, but it is a compliance check, not a scanner: it still has to be combined with antivirus software on the clients and servers themselves.

Safe computing

Besides using an antivirus program, you can take a few additional precautions to ensure virus-free computing. If you haven’t talked to your kids about these safe-computing practices, you had better do so soon.

  • Regularly back up your data. If a virus hits you, and your antivirus software can’t repair the damage, you may need the backup to recover your data. Make sure that you restore from a backup that was created before you were infected by the virus!
  • If you buy software from a store and discover that the seal has been broken on the disc package, take the software back. Don’t try to install it on your computer. The same caution applies to downloads: get software from the vendor’s own site rather than a third-party mirror, and check the publisher’s digital signature (on Windows, the Digital Signatures tab of the file’s Properties dialog) before you run the installer.
  • Use your antivirus software to scan your disk for virus infection after your computer has been to a repair shop or worked on by a consultant. These guys don’t intend harm, but they occasionally spread viruses accidentally, simply because they work on so many strange computers.
  • Don’t open email attachments from people you don’t know or attachments you weren’t expecting.
  • Use your antivirus software to scan any flash drive, external disk, or optical disc that doesn’t belong to you before you access any of its files, and turn off AutoPlay so that merely inserting the media doesn’t run anything by itself.

Using Windows Action Center

Windows Action Center, which comes with Windows 7 and 8 (Windows 10 and later split the same duties between Security and Maintenance in the Control Panel and the Windows Security app), monitors the status of security-related issues on your computer. You can summon the Windows Action Center by opening the Control Panel, clicking System and Security, and then clicking Action Center; see Figure 2-3.

image

FIGURE 2-3: The Windows Action Center.

The Windows Action Center alerts you to issues with your computer’s security status as well as reminds you of maintenance that should be done, such as installing operating system updates.

Here are additional points to ponder concerning the Windows Action Center: