BestInternetSecurity.net

Information Security Resources

Security Policy: Summary of Experts’ Opinion

Let’s begin by looking at the meaning of the word “policy”. Walt, C. (2001a) defines a policy in practical security terms as “a published document (or set of documents) in which the organization’s philosophy, strategy, policies, and practices with regard to confidentiality, integrity and availability of information.”

In other words, it’s actually management’s intention for how various stakeholders, especially employees, should uphold and follow the required security standards in operating the company’s activities.

Policies should:

  • state reasons why the policy is needed
  • describe what is covered by the policy – whom, what, and where
  • define contacts and responsibilities to outside agencies
  • discuss how violations will be handled

A recent journal article by James and Coldwell (2007) states that corporate policies should consider security and ethics issues. Management should include explicit statements about the following:

  • An organization’s method of handling the security of its system and information;
  • Privacy and security issues of information;
  • Informational assets complying with the impact of ethical behavior and conflict.

Users should be educated to recognize the value of assets, risks, and costs of compromise, as the human being is always the weakest link in security management. Therefore, when designing a security policy, human factors should be closely examined and reviewed. This view is supported by a white paper from British Telecommunication plc (BT White Paper 2004).

If you take a look at most security life cycle models, you will notice that a security policy is at the center of security processes, as shown in some typical models below:

http://www.sans.org/reading_room/whitepapers/testing/260.php (SANS Institute)

http://www.bradreese.com/andrew-r-reese.htm (BradReese.com)

http://www.audisec.com/html/philosophy.html

You should not overlook this important security tool in your organization, should you?

Reference:

BT White Paper (2004), ‘Why Security Policies Fail’, http://www.mis.uwec.edu/keys/Teaching/is365/208770-BT%20Why%20Security%20Policies%20Fail%20-20000718.pdf Accessed 08/08/08

James, H. and Coldwell, R.A. (1993), ‘Corporate Security: An Australian Ostrich’, Information Management & Computer Security, Vol 1, (Issue 4), 10-12

Walt, C. (2001a), ‘Introduction to Security Policies, Part One: An Overview of Policies’, SecurityFocus, August 27, 2001, http://www.securityfocus.com/print/infocus/1193 Accessed 08/08/08

Walt, C. (2001b), ‘Introduction to Security Policies, Part Three: Structuring Security Policies’, SecurityFocus, October 9, 2001, http://www.securityfocus.com/infocus/1487 Accessed 08/08/08

Weil, S. (2004), ‘How ITIL Can Improve Information Security’, December 22, http://www.securityfocus.com/infocus/1815 Accessed 08/08/08

Tags: Security Life Cycle Model

How to Use TrueCrypt (USB Data Encryption) on a Computer without Administrative Rights

Referring to my post about TrueCrypt, I mentioned a disadvantage of using this software — you cannot use it on a computer without administrative rights.

Actually, there is a third-party GUI interface program that can be run on a computer without administrator rights, and you are still able to access the container file of TrueCrypt upon supplying the correct password.

This software is called TCExplorer, and you can access it for free here:

http://www.codeproject.com/KB/files/TCExplorer.aspx

I have been testing this for a while and I think it’s a great piece of software, especially if you want to use a TrueCrypt file on a public computer.

Here are some notes about using this software:

  1. TCExplorer cannot manage TrueCrypt container files created by the latest version. I tried this software on a container file made with Version 6.0a without success. Based on the author’s release information, I tried earlier versions of TrueCrypt from 2007, such as Version 4.3a, and it works fine.

  2. Fortunately, a Version 4.3a container file can still be managed by the latest TrueCrypt program, v6.0a. So what you need to do is create a v4.3a container file by running the old version of TrueCrypt once (you can download old versions of TrueCrypt here: http://www.truecrypt.org/pastversions.php), and then use the latest version to manage the file, for example by mapping this old-version container file as a drive on a computer where you have administrative rights.

You might wonder why the official TrueCrypt project does not offer this feature in the program. Actually, this is a common drawback of all so-called “on-the-fly” real-time data encryption programs. One of the main intentions of this kind of program is to use system drivers to embed all encryption processing in the operating system, so that users do not need to take care of encryption or decryption themselves when they add files to or extract files from the container. The whole process is transparent to the user.

And to be able to install and use these specially created system drivers, you must have administrative rights.

If the on-the-fly feature is not needed, then there is no need to install system drivers and hence no need for administrative rights. But then you have to take care of another security concern. Without a real-time driver to encrypt and decrypt files directly into the file system, the program needs a temporary place to store and process the files it decrypts from (or encrypts into) the container file. This place is prone to data leakage, because the user must remember to clean it up after using the program.

Take TCExplorer as an example. It automatically creates a temporary directory either on the USB thumb drive you are using or on your computer, such as: C:\Documents and Settings\YourUserName\Local Settings\Temp.

After using the program, you need to clean up the temporary data there, or risk leaving the decrypted files behind without encryption. The program does provide a feature to delete the temporary directory, as shown:

But the user still has to remember to use this feature.

So perhaps this explains why the official TrueCrypt project does not provide this feature: it introduces a security weakness into the program if users are allowed to run it on a computer without administrative rights.

So use this program carefully if you think it can help. As the author of TCExplorer commented, there are advantages and disadvantages of using this program. The author’s intention is to provide a truly portable solution for people with documents that are not highly confidential but don’t want others to view their documents (for instance, if a thumb drive is lost). If this is what you’re looking for, then perhaps TCExplorer is right for you.

Tags: on-the-fly data encryption, USB Data Encryption, Encrypting data without administrative rights, USB Data Encryption and Decryption without administrative rights

Public Key Infrastructure: Certificate Authority and Its Role in PKI: An Example

Public Key Infrastructure is commonly abbreviated PKI. What is the role of a Certificate Authority in PKI? Before we discuss this, let’s look at the term “trust”.

The operation of a Public Key Infrastructure depends heavily on “trust”, and this is closely tied to how asymmetric cryptography is applied.

To illustrate this, let’s suppose Bob wants to send a message to Mary securely over the Internet. He needs Mary’s public key to encrypt the message. In theory, only Mary, who holds the one and only private key corresponding to that public key, can decrypt the message. So Mary is the only recipient who can open it, and Bob achieves his objective of keeping the message secret and revealing it to Mary alone.

But the problem is: how can Bob get Mary’s correct public key? Suppose hacker Tom wants to intercept their communication. He can create a fake public key for Mary and send it to Bob. Bob, without knowing that this key is fake, uses it to encrypt the message he intended to send to Mary. The message can then be read by Tom, because he owns the private key corresponding to the fake public key he created for Mary.

Tom can then go further and re-encrypt the secret message with Mary’s real public key and send it on to Mary, who does not realize that someone else has already read it. Worst of all, Tom can modify the message before he re-encrypts and sends it, compromising both the confidentiality and the integrity of the message.

How can Bob solve this problem? He can ask a trusted third party to help verify Mary’s public key. Let’s say this third party is Peter. Peter can help Bob by signing Mary’s public key with his own private key. However, two conditions must be satisfied for this verification to work:

  • First, Bob must have full faith in Peter’s role as a verifier.
  • Second, Bob must have an authentic copy of Peter’s public key in his key database. He needs Peter’s public key to verify the signature on Mary’s public key and hence confirm that the key Peter vouches for is really Mary’s. (Without Peter’s authentic public key, Bob has no way to be sure he has Mary’s correct public key.)

If the above two conditions are satisfied, there is no way that hacker Tom can pass off a fake public key for Mary to Bob, because Bob can identify it as fake with Peter’s help.

But then this leads to another problem: Bob must have a trusted and verified public key for Peter! This is exactly the same problem as verifying Mary’s public key. Bob would need to repeat the same verification procedure, looking for someone who can verify Peter’s public key. This chain can go on and on until Bob reaches an ultimate trusted “root” public key.

In a modern public key infrastructure (PKI), the role of Peter is played by a so-called Certificate Authority (CA). CAs are trustworthy organizations that hold the verified public keys of the users you want to communicate with. A CA maintains a database of the signed public keys (certificates) it has issued to users who applied for and obtained a public/private key pair through it. The private key is kept by the user, and the public key is published and maintained by the CA.
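To make the Bob/Mary/Peter/Tom story concrete, here is an added example (not code from the original post) that models it with textbook RSA over fixed small primes. The prime values, the actor names, the certificate layout and the `bob_accepts` check are all constructed for illustration; a real PKI uses large keys, padding and X.509, but the trust logic is the same: Bob accepts a key for Mary only if a CA whose public key he already trusts has signed the binding between Mary’s name and that key.

```python
import hashlib

# Textbook RSA with fixed, well-known small primes (constructed toy, not a real key size).
E = 65537

def make_keypair(p, q):
    """Return (public, private) as (n, e) and (n, d) for two distinct primes."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)            # modular inverse, Python 3.8+
    return (n, E), (n, d)

def digest(data, n):
    """SHA-256 of the data, reduced into Z_n so the toy scheme can sign it."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private, data):
    n, d = private
    return pow(digest(data, n), d, n)

def verify(public, data, signature):
    n, e = public
    return pow(signature, e, n) == digest(data, n)

def key_bytes(subject, public):
    """Canonical encoding of 'this public key belongs to subject'; this is what the CA signs."""
    return f"{subject}|{public[0]}|{public[1]}".encode()

def issue_certificate(issuer_name, issuer_private, subject, subject_public):
    """The CA (Peter) signs the binding between a subject's name and public key."""
    return {
        "subject": subject,
        "public": subject_public,
        "issuer": issuer_name,
        "signature": sign(issuer_private, key_bytes(subject, subject_public)),
    }

def bob_accepts(cert, expected_subject, trust_store):
    """Bob's check: the issuer must be in his trust store (the post's two conditions),
    the name must be the one he expects, and the signature must verify under the
    trusted key. Any failure means 'do not use this public key'."""
    issuer_public = trust_store.get(cert["issuer"])
    if issuer_public is None:
        return False                # no authentic key for the verifier
    if cert["subject"] != expected_subject:
        return False
    return verify(issuer_public, key_bytes(cert["subject"], cert["public"]), cert["signature"])

# Constructed actors (hypothetical keys).
PETER_PUBLIC, PETER_PRIVATE = make_keypair(1299709, 15485863)
MARY_PUBLIC, MARY_PRIVATE = make_keypair(104729, 32452843)
TOM_PUBLIC, TOM_PRIVATE = make_keypair(7919, 49979687)

# Bob's trust store: Peter is the "root" whose key Bob obtained out of band.
BOB_TRUST_STORE = {"Peter": PETER_PUBLIC}

# The genuine certificate: Peter vouches for Mary's key.
MARY_CERT = issue_certificate("Peter", PETER_PRIVATE, "Mary", MARY_PUBLIC)

# Tom's fake key for Mary. He cannot produce Peter's signature, so he either
# signs it himself (issuer "Tom", whom Bob does not trust) ...
TOM_SELF_SIGNED = issue_certificate("Tom", TOM_PRIVATE, "Mary", TOM_PUBLIC)
# ... or claims Peter issued it while the signature was actually made with Tom's key.
TOM_FORGED = dict(issue_certificate("Tom", TOM_PRIVATE, "Mary", TOM_PUBLIC), issuer="Peter")

def demo():
    """Outcomes of Bob's check in each scenario from the post."""
    return {
        "genuine": bob_accepts(MARY_CERT, "Mary", BOB_TRUST_STORE),
        "self_signed_by_tom": bob_accepts(TOM_SELF_SIGNED, "Mary", BOB_TRUST_STORE),
        "forged_issuer_name": bob_accepts(TOM_FORGED, "Mary", BOB_TRUST_STORE),
        "no_root_key": bob_accepts(MARY_CERT, "Mary", {}),
    }

if __name__ == "__main__":
    print(demo())
```

The last case, `no_root_key`, is the second condition from the post: with an empty trust store Bob cannot even check Peter’s signature, so Mary’s genuine certificate is rejected along with the fakes. That is why a browser ships with a pre-installed list of root CAs.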

You must have trusted CAs in your database, or otherwise the above story can never reach its end. Take the popular Internet browser IE as an example. If you look at Tools ==> Internet Options ==> Content ==> Certificates ==> Trusted Root Certificate Authorities, you will see a long list of trusted root CAs.

Public Key Infrastructure: Trusted Root Certificate

The popular ones in the USA are VeriSign, Thawte, etc., which are commercial organizations. In most other regions, CAs come from government initiatives. Take my home country of Hong Kong as an example. The official CA here is the Hong Kong Post Office, a governmental department whose original function is the postal service in Hong Kong. Government-backed organizations possess the “trust” factor, which is an important criterion for a root Certificate Authority that needs to sign and verify the keys it publicly issues.

Each CA must run a very robust, publicly reachable certificate directory, so that the parties who want to communicate with its certificate holders can look up and verify those keys.

Without CAs, you would have to verify the public key yourself. In the above case, Bob would need to verify Mary’s public key before he sends her any message encrypted by the public key he has on hand. This can be done with offline communication such as phoning Mary to verify the key, or simply getting the key from Mary by meeting her face-to-face. Of course, this is very inconvenient and impractical in most electronic communication cases.

Hide Information in a Picture File? Yes, Using Steganography

The term steganography refers to the technique of hiding information within certain “writings”, or anything else transmitted over your communication system, in such a way that no one other than the intended recipient knows there is a hidden message. This differs from cryptography, which encrypts a message to prevent others from reading it but does not conceal the fact that a secret message exists in the first place. Steganography conceals the very existence of the secret message, which is what keeps it from unauthorized access.

To see this interesting application in action, try the following program available on the Internet:

http://linux01.gwdg.de/~alatham/stego.html

JPHS is a program written by Allan Latham (alatham@flexsys-group.com) many years ago to conceal a hidden ASCII-based text message within a JPEG picture file.

After successfully downloading and decompressing the file, you can follow these steps to test out this program:

To hide the message:

  1. Select a picture or image you like. Download it (if necessary) and save it as a JPEG file. Note the JPEG file size.
  2. Use Notepad to create a simple text file containing some “secret message”. Save the file.
  3. Extract the downloaded file. You should find a file named Jphswin.exe. This is the Windows version of the program, with a GUI for performing steganography on JPEG files. Upon running the file, you will see the JPHS for Windows screen.
  4. First, click Open jpeg to select the JPEG file you saved in Step 1 as the input JPEG file. Look at the bottom of the window. What’s the message?
  5. Is there any limitation on the data file you want to hide inside the JPEG file? (Hint: look at the description in the first row of the JPHS for Windows screen.)
  6. To begin hiding information, click the Hide button on the JPHS toolbar. It prompts you for a passphrase. Enter something of your choice here. (What are the criteria of a good passphrase?)
  7. Next, select the file you want to hide. (You can use the text file you made in Step 2.)
  8. Look at the middle row of the JPHS for Windows screen. You will see that your hidden file has been defined.
  9. The next step is to generate the output JPEG file by clicking Save jpeg (or Save As if you want to save the output JPEG file under a different name). Look at the bottom of the window and make sure you get a confirmation message from JPHS before you close the program.
  10. Check the file size of the newly generated JPEG file again. Has it changed?
  11. Open the two JPEG files (the original and the new one). Can you detect any difference between the images?

To extract the hidden message:

  1. Run JPHS for Windows again. Click Open jpeg and select the previously generated JPEG file with hidden information.
  2. Click the Seek button and JPHS will prompt you for the passphrase of the hidden information. Enter the passphrase and click OK.
  3. JPHS prompts you for a location to save the hidden data. Browse to the location and click Save.
  4. To open the data, open Windows Explorer and locate the new file. Right-click the file, select Open with, and choose the appropriate application to view the information. In this exercise, Notepad can be used. You can now retrieve the hidden information.

Note: If your secret text file is too large compared with the original JPEG file, the program will warn you that the resulting JPEG file will show a statistically significant bias relative to an original JPEG file, which could allow the embedded secret message to be detected. The bias can be so great that even unsophisticated users could notice it.

So use this program carefully, following the program’s advised size limitation for the secret message file.
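The hide/seek workflow and the size warning above can be reproduced with a few lines of code. The following is an added example, not JPHS’s own algorithm: JPHS works on JPEG DCT coefficients, whereas this toy embeds the secret in the least-significant bits of a raw sample buffer (constructed here in place of real image data). It shows the same three things a user of JPHS sees: each sample changes by at most one unit, the cover has a hard capacity, and filling it shifts a simple statistic that steganalysis looks at.

```python
# Least-significant-bit (LSB) steganography on a raw byte buffer. Added example;
# the buffer, the 32-bit length header and the secret text are all constructed.

HEADER_BYTES = 4   # big-endian length prefix so the extractor knows where the payload ends

def capacity_bytes(cover: bytes) -> int:
    """Largest secret that fits: one bit per cover byte, minus the length header."""
    return max(0, len(cover) // 8 - HEADER_BYTES)

def _bits(data: bytes):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1

def hide(cover: bytes, secret: bytes) -> bytes:
    """Embed secret into the LSBs of cover; refuse when the secret is too large."""
    if len(secret) > capacity_bytes(cover):
        raise ValueError(
            f"secret is {len(secret)} bytes but the cover can hold {capacity_bytes(cover)}")
    payload = len(secret).to_bytes(HEADER_BYTES, "big") + secret
    stego = bytearray(cover)
    for i, bit in enumerate(_bits(payload)):
        stego[i] = (stego[i] & 0xFE) | bit      # replace only the lowest bit
    return bytes(stego)

def seek(stego: bytes) -> bytes:
    """Recover the secret by reading LSBs: the header first, then that many bytes."""
    def read(nbytes, offset):
        out = bytearray()
        for b in range(nbytes):
            value = 0
            for k in range(8):
                value = (value << 1) | (stego[offset + b * 8 + k] & 1)
            out.append(value)
        return bytes(out)
    length = int.from_bytes(read(HEADER_BYTES, 0), "big")
    if length > capacity_bytes(stego):
        raise ValueError("no valid payload header found")
    return read(length, HEADER_BYTES * 8)

def max_sample_change(cover: bytes, stego: bytes) -> int:
    """Largest per-sample difference; LSB embedding alters each sample by at most 1."""
    return max(abs(a - b) for a, b in zip(cover, stego))

def lsb_ones_ratio(data: bytes) -> float:
    """Fraction of samples whose LSB is 1. Embedding pushes this toward 0.5 across
    the region it touches, which is the kind of bias the JPHS warning refers to."""
    return sum(b & 1 for b in data) / len(data)

# Constructed cover: 4096 samples whose LSBs are all 0, standing in for pixel data.
COVER = bytes(((i * 37 + 11) % 256) & 0xFE for i in range(4096))
SECRET = b"The vault combination is 41-16-32"

if __name__ == "__main__":
    stego = hide(COVER, SECRET)
    print(seek(stego), max_sample_change(COVER, stego),
          lsb_ones_ratio(COVER), lsb_ones_ratio(stego))
```

A 33-byte secret touches only 296 of the 4096 samples, so the LSB ratio barely moves; a secret near the 508-byte capacity would touch nearly every sample and the ratio would sit close to 0.5 over the whole buffer, which is the detectable bias the note above warns about.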

Tags: Hide Information in a Picture File, tool to perform steganography

USB Data Encryption and Decryption on a Computer without Administrator Rights?

As I promised in the post about a data encryption utility called TrueCrypt, I am going to show you another utility that can be used to encrypt portable data on a USB drive. Unlike TrueCrypt, which requires administrative rights to run the program and access the encrypted data, this program can be operated on a public computer on which you do not have administrative rights.

To get this free program, go to this link:

http://www.rohos.com/free-encryption/

Similar to TrueCrypt, you must create a container file to store your encrypted files. Therefore, first use a computer on which you do have administrative rights, get the installation file, and install the program on that computer.

Follow the program’s instructions to create a container file. After the file is created, you will find a system folder (_rohos) on your USB thumb drive with the container file named “rdisk.rdi”, as shown below:

Please note that this free version allows you to create a virtual container file with a maximum volume of 1 GB.

Now map this Rohos mini drive as drive “R” in your system (“R” is the default drive letter, which you can change) and load it with the data files you want to store securely. (Just copy and paste those files to the drive using the ordinary file copy process.)

Next, try the Rohos drive on a computer for which you do not have administrative rights. (You can also simply log into the same computer with a limited-privilege account.) Double-click the “Rohos mini.exe” file (shown as a yellow icon above) on your USB thumb drive, and the program will ask you for the password to access your container file in the “_rohos” folder.

Supply the password you previously set for the container file. Rohos will open a browser window containing all your encrypted files.

You can double-click any file to open it in its associated program. Rohos will temporarily decrypt the file and place it in the temp directory it creates on your USB memory device so that the application can access it.

You can save any file from the Rohos Disk Browser to the local computer by using the File ==> Save function. The software will prompt you for the folder in which to store the decrypted file.

To copy any file from your local computer into this container file (encrypting it at the same time), just drag and drop the file from any directory into the Disk Browser window.

To shut down the program, simply close the browser window. The software will prompt for confirmation to clean up any decrypted files in the temporary directory.
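Both TCExplorer (in the earlier post) and Rohos Mini rely on a scratch directory of temporarily decrypted files, and both depend on the user remembering to clean it up. The following is an added example, not code from either product, of how a tool can remove that dependency: a scratch area that is scrubbed automatically when the session ends, whether it ends normally or with an error, plus a check a defender can run afterwards to confirm nothing was left behind. The `decrypted_scratch` and `scrub_directory` names and the sample file contents are constructed for this example.

```python
import os
import shutil
import tempfile
from contextlib import contextmanager

def scrub_directory(path):
    """Overwrite every file with zeros, unlink it, then remove the tree.
    Overwriting is best-effort: journaled file systems and flash wear-levelling
    can retain old blocks, so this reduces but does not eliminate leakage."""
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            size = os.path.getsize(full)
            with open(full, "r+b") as fh:
                fh.write(b"\x00" * size)
                fh.flush()
                os.fsync(fh.fileno())
            os.remove(full)
    shutil.rmtree(path, ignore_errors=True)

@contextmanager
def decrypted_scratch(base_dir=None):
    """Private scratch directory for temporarily decrypted files; scrubbed on exit
    even if the block raises. base_dir=None uses the system temp location; pass
    the USB drive's path to keep plaintext off the host machine's disk."""
    path = tempfile.mkdtemp(prefix="scratch-", dir=base_dir)
    try:
        yield path
    finally:
        scrub_directory(path)

def leftover_plaintext(path):
    """Defender's check after a session: list any files still present in a scratch area."""
    if not os.path.isdir(path):
        return []
    return sorted(os.path.join(r, f) for r, _d, fs in os.walk(path) for f in fs)

def demo(base_dir=None):
    """Normal session: 'decrypt' a file into scratch, work on it, leave the block."""
    with decrypted_scratch(base_dir) as scratch:
        doc = os.path.join(scratch, "report.txt")
        with open(doc, "wb") as fh:
            fh.write(b"constructed plaintext standing in for a decrypted document")
        seen_during = leftover_plaintext(scratch)
    return seen_during, leftover_plaintext(scratch), os.path.exists(scratch)

def demo_with_error(base_dir=None):
    """Failure mid-session: the scratch area is still scrubbed. Returns whether it survived."""
    path = None
    try:
        with decrypted_scratch(base_dir) as scratch:
            path = scratch
            with open(os.path.join(scratch, "half-done.bin"), "wb") as fh:
                fh.write(b"partial plaintext")
            raise RuntimeError("simulated failure while editing the file")
    except RuntimeError:
        pass
    return os.path.exists(path)

if __name__ == "__main__":
    print(demo(), demo_with_error())
```

The point of the context manager is that cleanup is no longer a step the user has to remember; the `leftover_plaintext` check is what you would run against a shared machine’s temp folder to find out whether a previous session forgot.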

The beauty of this program is that you can use it anywhere, on any computer, even if you do not have administrative rights. It also offers both AES 256-bit and Blowfish encryption to protect the data. Both are world-class encryption technologies that we can depend on.

However, please note the following limitations of the program:

  • You can only create a container file with a maximum capacity of 1 GB in the free version. Also, you can only create one container file per USB thumb drive partition.
  • Nothing is known about the random number generator the program uses to create the encryption key. Is there any weakness in the random number generator it is using? Unlike TrueCrypt, it does not ask for the user’s input to help generate the random number from which the encryption key is derived.
  • The program is not developed as an open-source project. Therefore, the code is proprietary and closed. Nothing is known about any possible inherent weakness in the program design, because it has not been reviewed publicly by security and programming experts.

The software provider also offers a paid version with enhanced features, such as storage sizes exceeding 1 GB, more than one encrypted virtual drive on a single USB drive, and more.

If you have any comments and ideas about using the Rohos Mini Drive, leave me a message here.

Tags: Blowfish, USB Data Encryption

What are Risk, Vulnerabilities, Threats, and Countermeasures? Risk Management Lesson 101 for Information Security

In this article, I will use layman’s terms and descriptions to help you understand the various fundamental concepts of Risk Management in Information Security.

To illustrate those concepts, I like to use a popular diagram [1] from Common Criteria, shown below:

In the center of this diagram you’ll find the term vulnerabilities. Vulnerabilities are any weaknesses of a system. A system always contains vulnerabilities. You cannot build a 100% perfect system with no vulnerabilities, even if you have unlimited power, money, and time to build such a system. All systems contain imperfect components, and the integration of imperfect components produces an imperfect system that always possesses certain vulnerabilities.

Threats are elements from various sources that can exploit vulnerabilities and that increase risk. Risk is the probability that the system’s assets will be damaged or abused by the threats that exploit the vulnerabilities. Assets can be tangible (such as hardware/software) or intangible (such as goodwill and customers’ confidence).

Threats can be initiated by threat agents. A common threat agent for IT systems is people. They can accidentally or intentionally exploit vulnerabilities of a system to impact an IT system.

In order to manage risk, we deploy countermeasures (controls) to a system to reduce the vulnerabilities. The decision to deploy certain countermeasures to reduce the vulnerabilities, and hence reduce risk, lies solely with the information owner, who bears all consequences arising from the risk.

In a formal risk management exercise, an organization should undergo an intense brainstorming session to discover all possible threats that can exploit the vulnerabilities of a system. The difficult part of this step is not determining whether a certain threat will cause risk to a system, but the effort required to locate all possible threats to it. Anything overlooked could lead to serious exposure to risks that have not been identified.

It is of the utmost importance for the owner (the “Owners” in the diagram) of an organization to identify all possible threats to its information system to the very best of his/her effort and knowledge, in order to fulfill fiduciary duties to customers and other stakeholders. Without knowing what the risks are, it’s impossible to implement suitable countermeasures to contain and mitigate those risks.

Reference:

[1] Picture from Common Criteria, http://www.commoncriteria.org/docs/PDF/CCPART1V21.PDF p.14

Tags: Vulnerability, Countermeasure, Security Controls, Risk mitigation, Information Security Management, Information Risk Management

How to Keep Your Portable Data from Being Stolen

Do you worry about your data being stolen if you lose your USB thumb drive or other portable data storage? Here is a free solution.

Try TrueCrypt.

TrueCrypt is an open-source project providing a simple solution to encrypt your USB data (or, in fact, data on any other removable or internal storage of your computer). The encrypted data container (let’s call it a container file) can be treated as an ordinary drive on your computer: the program mounts the container file as a drive. The container can be a single standalone file or cover an entire hard disk partition on your local or remote drive.

To illustrate this, here is a screen capture of how I mapped my 68.4GB container file on one of my hard disks as the P drive. After mapping, I can open my P drive as if it were an ordinary drive to store and retrieve files. All the files stored in this container file are encrypted.

TrueCrypt Drive Mapping Screen Demo

The container file can be given any name and any extension. So you can disguise a container file by naming it something like “song.mp3” or “picture.jpg” to make it look, at a glance, as if it were just an mp3 or jpg file. This serves as concealment to hide the true identity of the container file. When ordinary people browse your hard disk, they may not notice that it is an encrypted TrueCrypt container file.

You can also copy or move this container file to any storage place you want. This enhances the mobility of your data.

Container File Mapped as P Drive

The encryption used to protect your data is AES, which is one of the strongest encryption methods in contemporary encryption technology.

The only price you need to pay is to manage carefully the password used to access this drive. For instance, do not disclose your password to others, and choose a password that is difficult to guess. Also, use a longer password with a combination of characters, digits, and symbols.

There is an extra feature of this software that you should not miss. TrueCrypt offers the option to create a hidden volume inside your container file. This is an invisible volume in your encrypted drive that you cannot normally see. If you create this hidden volume with a different password, then when you mount your container file using that password, the mounted drive will reveal the hidden volume instead of the normal volume, giving you access to the hidden volume.

One reason you may need this extra hidden volume is that if someone were to force you to open the encrypted drive, you can reveal the contents of the normal volume without revealing the truly important contents inside the hidden volume.

Is TrueCrypt portable? Yes and no. On one hand, it can be run without being installed on a computer, allowing you to map your file on any computer that does not have this software installed. However, you must have administrator rights on that computer in order to mount and decrypt the container file. Therefore, you cannot bring your encrypted file to a public computer and decrypt the container file there.

There are similar open-source solutions, such as FreeOTFE. This software offers an extra feature of mapping your container file to a preferred drive letter that you assign beforehand. However, the user interface is less appealing.

We’ll talk more about portable data encryption solutions that do not require administrator rights. Stay tuned to this blog.

If you know any similar software that can do this job, leave me a message here.

Tags: USB Data Encryption

How Do Brute Force Password Crackers Work? And how to avoid your password being cracked by a password cracker

A brute force password cracker is one kind of password cracker. A password cracker is a piece of software that attempts to break into a system by trying many different user names and passwords.

To break a password, a password cracker uses one of two methods of attack.

The first method is the brute force attack, which is where the name brute force password cracker comes from. In this type of attack, the software generates every possible combination of letters, digits, and even symbols to try to break into your account. The longer the password, the longer it takes to break in. However, since computers get faster every year (according to Moore’s law, computer speed doubles every 18 months), the time needed to break a password of any given length halves every 1.5 years.

The second method is the dictionary attack. This is a more clever method in which the attacker uses a pool of words, such as names and common vocabulary, and tries various combinations of them to crack the system. The pool of candidates to try is much smaller than in a brute force attack because the choices of letters and numbers to combine are far more confined. It is very easy to obtain a word list: a Google search for the phrase “word list” turns up many databases available on the web.
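To put numbers on the two attacks above, here is an added example (not code from the original post) that estimates, for a given password, the size of the keyspace a brute force cracker would have to exhaust, how long that takes at an assumed guess rate, how the post’s 18-month doubling rule shrinks that time, and whether the password would fall to a dictionary attack. The guess rate, the six-word list and the suffix-stripping heuristic are constructed assumptions, chosen so the arithmetic is visible; they are not measurements of any real cracker.

```python
import string

# Character classes an attacker includes once they know a password uses them.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),   # 26
    ("upper", set(string.ascii_uppercase)),   # 26
    ("digit", set(string.digits)),            # 10
    ("symbol", set(string.punctuation)),      # 32
]

def keyspace(password):
    """Candidates a brute force cracker must try for passwords of this length drawn
    from the character classes the password actually uses: alphabet ** length."""
    alphabet = sum(len(chars) for _name, chars in CLASSES if any(c in chars for c in password))
    if alphabet == 0:
        raise ValueError("password uses no recognised characters")
    return alphabet ** len(password)

def brute_force_seconds(password, guesses_per_second):
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace(password) / guesses_per_second

def after_moores_law(seconds, years, doubling_months=18):
    """Project a crack time forward using the post's rule of thumb: speed doubles
    every 18 months, so the time halves once per 1.5 years."""
    return seconds / 2 ** (years * 12 / doubling_months)

# Constructed word list standing in for the downloadable lists the post mentions.
WORD_LIST = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty"}

def in_dictionary(password, words=WORD_LIST):
    """Dictionary-attack check: the word itself, or the word with a trailing run of
    digits/symbols, the most common way people 'strengthen' a dictionary word."""
    base = password.lower().rstrip(string.digits + string.punctuation)
    return base in words

SECONDS_PER_YEAR = 365 * 24 * 3600

def assess(password, guesses_per_second=1e9):
    """Combined report for one password at an assumed 10^9 guesses per second."""
    secs = brute_force_seconds(password, guesses_per_second)
    return {
        "dictionary_hit": in_dictionary(password),
        "keyspace": keyspace(password),
        "brute_force_years": secs / SECONDS_PER_YEAR,
        "brute_force_years_in_3_years": after_moores_law(secs, 3) / SECONDS_PER_YEAR,
    }

if __name__ == "__main__":
    for pw in ("dragon", "Dragon123!", "abc", "Tr!5k-9qL#2"):
        print(pw, assess(pw))
```

Two things the numbers make obvious: a dictionary word with a digit suffix has a large keyspace on paper but falls instantly to the second attack, and the Moore’s-law projection only ever divides by a constant, so adding one character to a password (multiplying the keyspace by the alphabet size) buys far more than waiting out a hardware generation costs you.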

Originally, I’d planned to write a summary on tactics you can use to choose passwords that you can easily memorize but at the same time are difficult to crack. But then I accidentally stumbled upon a page that has this done nicely. And in the interest of not reinventing the wheel, here is the link to that page:

http://www.wikihow.com/Remember-Your-Password

Enjoy, and if you have other innovative ways to remember difficult passwords, let me know.

    Authentication, Authorization, and Identification – The three pillars of Access Control

    I wrote this article because I need to talk about this topic to a group of local bank executives. What I have in mind is how to get them to understand the vague differences between these three terms using illustrations from our daily lives.

    For these reasons, I picked up a number of books to read. Indeed, I have to give credit to the book Beyond Fear by Bruce Schneier, as he gave a number of analogies about these terms in chapter 13 of his book.

    I hope writing this article can help clarify my explanation of the key concepts of these three terms.

    To start, let’s use some simple ideas to describe these three terms:

    Identification: Who are you?

    Authentication: Prove it!

    Authorization: Okay, you are allowed to do these things because we have successfully authenticated you (proved you are who you say you are)

    Let’s look at an example to illustrate this. Suppose you take your passport (containing your photo and signature) and go through an immigration counter to get into a country. The immigration officer asks who you are, and you reply politely with your name. This is the step of Identification. The office then verifies your identity by looking at your photo, and may check your signature on your immigration form against that of your passport. After this process, hopefully you are authenticated by him to be the genuine holder of the passport you have shown. This is the step of Authentication. Then the officer will check against your country of origin and whether you need and have any visa to show that you have the authorization to get into the country. This is the step of Authorization.

    In an Access Control system, these three steps are crucial since they control whether a person is authorized to gain access to the particular area of a system. This is essentially a Prevention Control System.

    In Schneier’s book, he used another interesting example using the London Underground ticket system. A passenger can purchase a monthly ticket with unlimited travel for a month. This ticket (authorization) contains no authentication capability. The passenger has to bear another photo card (which is permanent) with a unique number for authentication. The unique number has to be written down on the monthly ticket the passenger purchases to get it validated. So, these two items form an authentication-and-authorization system. Note there is no serious identification element in this system (though you can write your name on the ticket beside the photo card number) since no one will check your ID to verify if you really own the name shown on the photo card. The London Underground only cares to prevent two persons from sharing the same monthly ticket, and your photo card is already an effective tool to prevent this from happening (unless you have a look-alike or a twin, in which case you can ride at half-price!). The ticket itself is sufficient to serve the purpose of authorization.

    However, in an IT system, we need a full identification system. This is because we need the information to complete an entire authorization process (just like the previous example of using a passport to get into a country).

    We also need to track against the users’ activities in the system for the purpose of having an Audit Trail (a kind of security detection control). Without a good identification element, we can still analyze the system log to uncover abnormal user activities, such as when a breach of a user’s limit of accessing certain network resources, etc. But we will have a hard time following up without knowing the identity of the user.

    In this way, the three-step identification, authentication, and authorization process serves as both a prevention and a detection access control for an IT system.
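The three steps described above, plus the audit trail, as a small worked example in Python. This is an added illustration, not code from the original post or from Schneier’s book; the user store, resource names and role names are constructed for the example. Each access request is identified (does the claimed name exist?), authenticated (does the presented secret prove the claim?) and authorized (is that identity allowed on that resource?), and every decision, allowed or denied, is written to an audit log so that failures can later be traced back to a named user.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the store never holds plaintext secrets."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes
    roles: set


class AccessControl:
    """Prevention control (identify/authenticate/authorize) with a detection control (audit log)."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}          # identification store
        self.permissions: dict[str, set] = {}     # resource -> roles allowed
        self.audit_log: list[dict] = []           # every decision, for follow-up

    def add_user(self, username: str, password: str, roles) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, _hash_password(password, salt), set(roles))

    def grant(self, resource: str, role: str) -> None:
        self.permissions.setdefault(resource, set()).add(role)

    def identify(self, username: str):
        # Identification: the claimed identity must be known (stating your name at the counter)
        return self.users.get(username)

    def authenticate(self, user: User, password: str) -> bool:
        # Authentication: prove the claim (the officer comparing your photo and signature)
        return hmac.compare_digest(user.pw_hash, _hash_password(password, user.salt))

    def authorize(self, user: User, resource: str) -> bool:
        # Authorization: is this authenticated identity allowed here (the visa check)
        return bool(user.roles & self.permissions.get(resource, set()))

    def request_access(self, username: str, password: str, resource: str) -> bool:
        user = self.identify(username)
        if user is None:
            self._log(username, resource, "DENY", "unknown identity")
            return False
        if not self.authenticate(user, password):
            self._log(username, resource, "DENY", "authentication failed")
            return False
        if not self.authorize(user, resource):
            self._log(username, resource, "DENY", "not authorized")
            return False
        self._log(username, resource, "ALLOW", "ok")
        return True

    def _log(self, username: str, resource: str, decision: str, reason: str) -> None:
        self.audit_log.append(
            {"user": username, "resource": resource, "decision": decision, "reason": reason}
        )

    def failed_attempts_by_user(self) -> dict:
        """Detection: count denials per claimed identity from the audit trail."""
        counts: dict[str, int] = {}
        for entry in self.audit_log:
            if entry["decision"] == "DENY":
                counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return counts


def demo() -> AccessControl:
    # Constructed sample data: one finance user, one resource restricted to the finance role
    ac = AccessControl()
    ac.add_user("alice", "correct horse battery", ["finance"])
    ac.grant("/payroll", "finance")
    ac.request_access("alice", "correct horse battery", "/payroll")  # allowed
    ac.request_access("alice", "wrong password", "/payroll")         # denied: authentication
    ac.request_access("alice", "correct horse battery", "/hr")       # denied: authorization
    ac.request_access("mallory", "anything", "/hr")                  # denied: identification
    return ac


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

Because the log records the claimed username even when identification or authentication fails, the follow-up the post describes (finding out who was behind the abnormal activity) has something to start from; without the identification step the log could only say "someone".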

    Tags: Access Control System

    Firewall: The Realization of a Company’s Internet and Network Access Policy

    The original definition of a firewall is: “a partition made of fireproof material to prevent the spread of a fire from one part of a building or ship to another or to isolate an engine compartment, as on a plane, automobile, etc.” 1 Today, in the computer world, the term refers to any piece of hardware/software used to protect a private network from network attacks coming from external networks. It acts as a gatekeeper to keep hackers from reaching the internal network, protecting your crucial network resources from being compromised.

    Many people know what a firewall does, but few understand that a firewall needs careful configuration before it can start protecting your network.

    I still remember more than 10 years ago, as I visited clients to talk about the security configuration of their network, many were proud to tell me that they had gotten firewalls installed to protect their network. (At that time, a firewall was considered advanced networking equipment!) But when I logged into their administration menu to check their firewall policies, there were none there! They didn’t know that they needed to “configure” their firewall before it would function properly.

    A firewall is actually the deployment tool used to carry out your network access policy. The network access policy refers to the organizational management’s intention regarding the various network access rules for both internal employees and external visitors. Without properly configured firewall rules, a firewall’s existence is meaningless.

    Take a packet-filtering firewall as an example. It works at the Network and Transport Layers of TCP/IP. It applies its filtering rules by examining the source and destination ports (Transport Layer) and the source and destination IP addresses (Network Layer) to decide whether to let a particular packet in or out of your network.

    For example, if your company does not allow internal employees to access FTP servers during work time, then you need to set up a firewall rule to block any access to ports 20 and 21 of remote servers during office hours. The following table illustrates a typical set of firewall access rules to achieve this:

    The different columns’ meanings in above table are explained here:

    • Direction: The direction of the packet going through the firewall, either IN or OUT, or EITHER
    • Source Addr: The source address, either internal (INT) or external (EXT)
    • Dest. Addr: The destination address, either internal (INT) or external (EXT)
    • Protocol: Transport Layer packet type, either TCP or UDP
    • Source Port: The source port at the Transport Layer of the sender
    • Dest. Port: The destination port at the Transport Layer of the receiver
    • ACK set: The acknowledge flag at the Transport Layer of the packet, either SET (Y) or DOES-NOT-MATTER (Any)
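To show how a rule table with exactly these columns is evaluated, here is an added Python example (not the post’s own table or any vendor’s firewall code). The rules, the office-hours window of 09:00 to 18:00 and the sample packets are all constructed for the illustration. Rules are matched first-match-wins, a field set to ANY is a wildcard, and anything no rule covers is denied. The ACK column does the work of letting replies to connections opened from inside come back in while leaving inbound connection attempts (no ACK flag) to fall through to the default deny.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = None  # wildcard for a rule field ("EITHER" / "Any" in the table)


@dataclass(frozen=True)
class Packet:
    direction: str   # "IN" or "OUT"
    src_addr: str    # "INT" or "EXT"
    dst_addr: str    # "INT" or "EXT"
    protocol: str    # "TCP" or "UDP"
    src_port: int
    dst_port: int
    ack_set: bool


@dataclass(frozen=True)
class Rule:
    direction: Optional[str]
    src_addr: Optional[str]
    dst_addr: Optional[str]
    protocol: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]
    ack_set: Optional[bool]      # True = flag must be SET, ANY = does not matter
    action: str                  # "ALLOW" or "DENY"
    office_hours_only: bool = False

    def matches(self, pkt: Packet, during_office_hours: bool) -> bool:
        if self.office_hours_only and not during_office_hours:
            return False
        fields = (
            (self.direction, pkt.direction),
            (self.src_addr, pkt.src_addr),
            (self.dst_addr, pkt.dst_addr),
            (self.protocol, pkt.protocol),
            (self.src_port, pkt.src_port),
            (self.dst_port, pkt.dst_port),
            (self.ack_set, pkt.ack_set),
        )
        return all(want is ANY or want == have for want, have in fields)


# Constructed policy: no FTP to remote servers during office hours, other outbound TCP allowed,
# inbound TCP only as replies (ACK set) to connections opened from inside.
RULES = [
    Rule("OUT", "INT", "EXT", "TCP", ANY, 21, ANY, "DENY", office_hours_only=True),  # FTP control
    Rule("OUT", "INT", "EXT", "TCP", ANY, 20, ANY, "DENY", office_hours_only=True),  # FTP data
    Rule("OUT", "INT", "EXT", "TCP", ANY, ANY, ANY, "ALLOW"),
    Rule("IN", "EXT", "INT", "TCP", ANY, ANY, True, "ALLOW"),
]

OFFICE_HOURS = range(9, 18)  # assumed 09:00-17:59


def is_office_hours(hour: int) -> bool:
    return hour in OFFICE_HOURS


def evaluate(rules, pkt: Packet, hour: int) -> Tuple[str, Optional[int]]:
    """Return (action, index of matching rule); (DENY, None) when nothing matches."""
    office = is_office_hours(hour)
    for idx, rule in enumerate(rules):
        if rule.matches(pkt, office):
            return rule.action, idx
    return "DENY", None


if __name__ == "__main__":
    ftp_out = Packet("OUT", "INT", "EXT", "TCP", 40000, 21, False)
    print("FTP at 10:00 ->", evaluate(RULES, ftp_out, 10))
    print("FTP at 20:00 ->", evaluate(RULES, ftp_out, 20))
```

Note that the rule table is useless until somebody writes these rows: an empty RULES list makes every packet fall through to the default, which is exactly the "installed but never configured" situation the post describes.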

    There are many cases where packet filtering rules do not work. For example, if you want to block users’ access to a particular remote web-based email service, chances are that you will not be able to control this by blocking certain designated IP numbers (filling them in as the Destination Address in the packet-filtering table above), since some web-based services are served from more than one server with varying IP addresses, and thus cannot be shut out by a fixed set of IP addresses. In this case, you need the firewall to work at a higher layer.

    A firewall working at a higher layer provides more refined control over network access. For the previous example, if you use an application-level firewall, it can screen the URLs of web-based email access, such as www.hotmail.com for Microsoft’s email service, and refuse to let them pass through.

    An application-level firewall can even zoom into the details of the applications’ data passing through – such as the authentication information, application types, and other types of information – to decide to allow or disallow a particular network connection to continue or not. It can even carry out a detailed inspection of the users’ data going through.

    A proxy server is one kind of application-level firewall. I’m sure you have heard of this type of server being used in your or some other company’s network. It’s a popular device because it provides more control over the network traffic passing through. However, it also requires more computation power on the firewall, so it is slower in performance. It also requires the network clients to be configured to go through the proxy before they can access external network resources.
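The contrast drawn in the last three paragraphs, an IP blocklist that misses a multi-address service versus an application-level check on the requested host name, as an added Python example. It is not code from the post or from any proxy product; the three addresses for the web-mail service come from the TEST-NET-3 documentation range and are constructed, and the blocked domain list reuses the post’s hotmail.com example. The application-level side parses a raw HTTP request the way a proxy sees it: an absolute URL in the request line, a CONNECT target for HTTPS, or a Host header, and then matches the host against the blocklist with a proper domain-boundary check so that a look-alike name such as nothotmail.com is not caught by accident.

```python
from urllib.parse import urlsplit

# ---- packet-filter side (Network Layer): match on destination IP only ----

# Constructed: one web-mail service answered from several addresses (TEST-NET-3 range)
WEBMAIL_ADDRESSES = ["203.0.113.10", "203.0.113.11", "203.0.113.12"]


def ip_filter(dst_ip: str, blocked_ips) -> str:
    return "DENY" if dst_ip in blocked_ips else "ALLOW"


def ip_filter_coverage(service_addresses, blocked_ips) -> dict:
    """Which of the service's addresses a packet-filter blocklist actually stops."""
    return {ip: ip_filter(ip, blocked_ips) for ip in service_addresses}


# ---- application-level side: match on the host the client is asking for ----

def host_is_blocked(host: str, blocked_domains) -> bool:
    """True when host equals a blocked domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    if ":" in host:                      # drop an explicit port such as host:8080
        host = host.split(":", 1)[0]
    for domain in blocked_domains:
        domain = domain.lower()
        if host == domain or host.endswith("." + domain):
            return True
    return False


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def request_host(raw: bytes):
    """Host the request is for, as a proxy would determine it; None if absent."""
    method, target, headers = parse_http_request(raw)
    lowered = target.lower()
    if lowered.startswith("http://") or lowered.startswith("https://"):
        return urlsplit(target).hostname          # proxy-style absolute URL
    if method.upper() == "CONNECT":
        return target.rsplit(":", 1)[0]           # HTTPS tunnel: "host:443"
    return headers.get("host")                    # plain request: Host header


def application_filter(raw: bytes, blocked_domains) -> str:
    host = request_host(raw)
    if host is None:
        return "DENY"     # cannot tell where it is going, so do not let it through
    return "DENY" if host_is_blocked(host, blocked_domains) else "ALLOW"


if __name__ == "__main__":
    print(ip_filter_coverage(WEBMAIL_ADDRESSES, {"203.0.113.10"}))
    req = b"GET http://www.hotmail.com/inbox HTTP/1.1\r\nHost: www.hotmail.com\r\n\r\n"
    print(application_filter(req, {"hotmail.com"}))
```

The IP side only ever catches the addresses an administrator happened to list, and the service can add or rotate addresses at any time; the host-name side catches every request for the service regardless of which address it resolves to, which is the extra control the post attributes to the application-level firewall, bought at the cost of parsing every request.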

    No matter which type of firewall you are deploying, you need to work out the network access policy with senior management. Otherwise, you will not know what rules you need to set up in your firewall rule table. Simply put, you’ll be installing a tool that has no idea how to protect your network.

    1 firewall. (n.d.). Dictionary.com Unabridged (v 1.1). Retrieved June 18, 2008, from Dictionary.com website: http://dictionary.reference.com/browse/firewall

    Tags: Packet Filtering Firewall Application-Level Firewall