
H.G.P. 02-24-2007 02:38 AM

I'd like a primer on Internet firewall terminology, settings, etc.,
 
I have a Security Center with one of our computers I'm trying to learn more regarding ideal settings:

1. What inbound events should I ban?

2. How high should I have security level of the firewall?

3. What exactly is happening with an "unsolicited attempt" at connection to a port?

4. What is a port?

5. What exactly is a "ping?"

6. I see I can trace event. There are "Map", "Registrant" and "Network" views. How can these views be used/useful. Any tips about tracing appreciated.


Thanks (for now)!

stomachmonkey 02-24-2007 05:25 AM

A real firewall should start by denying anything that is not explicitly allowed.

1. Block everything then open only what you need and no more.

2. High then adjust to your needs.

3. You make requests of data from the net. If data tried to enter a port w/out being asked for, it's unsolicited, could be benign bot traffic or could be something else.

4. Think of them as numbered doors, ftp traffic always enters through door 21, http requests through door/port 80. So if someone wants to try and break in the 1st thing they do is run a port scan, knock on the doors and listen for a hello.

You can change what ports traffic enters to make things more secure but it can also make life harder for you.

Say you are running an ftp server and you change the port from 21 to 211, since ftp applications expect to see 21 by default you need to let everyone that has access rights to it change their default client settings for your site to 211.

Ping is what it sounds like, a "ping", data packet is sent from one computer to another. The receiving computer should respond to the ping. It's a first step in troubleshooting to determine if the computer on the other end is still there.

6. Why do you need to trace anything? Don't bother. Every computer on the net sees a ton of irrelevant traffic.

VincentVega 02-24-2007 08:22 AM

Yep

Start with block all, allow nothing. Slowly open services/ports as needed per application. Whenever possible create as specific a rule as possible. For example, rather than allow inbound http/https to the webserver network, restrict to specific IPs of the webservers. Same goes for every service, in each direction.

Since you asked question 4, you really should brush up on tcp/ip first. You need a basic understanding of udp/tcp/IP in general before you can get into securing IP.

Something like http://www.dummies.com/WileyCDA/DummiesTitle/productCd-0764517600.html is a great start.

HardDrive 02-24-2007 08:54 AM

Great responses.

H.G.P, is this a firewall product that came preinstalled on one of your machines?

masraum 02-24-2007 08:58 AM

Re: I'd like a primer on Internet firewall terminology, settings, etc.,
 
I'm not going to try to be cryptic with my answers, but it may sound that way.

Quote:

Originally posted by H.G.P.
I have a Security Center with one of our computers I'm trying to learn more regarding ideal settings:

1. What inbound events should I ban?

any inbound connections that aren't necessary or not initiated by you/your computer.

2. How high should I have security level of the firewall?
As high as you can set it and still function. Start at the top, if you can't do some things move down a notch.

3. What exactly is happening with an "unsolicited attempt" at connection to a port?
Someone is looking for a server of some sort. It may be something innocuous like a search engine looking for webpages or it could be malicious. If you don't have any servers that you need to allow people on the internet to talk to, then don't allow any incoming connections (caveats exist)

4. What is a port?
Imagine that your IP address is like your house. If that's true then a port is like a door or window. Someplace that you can enter the house to get to something specific. If I want to get to your rec room then the quickest way is for me to go into that room through the window. Basically it's a more specific sub-address to your main address. If you had a server that was a web server, an email server, and an ftp file server, then you'd have an IP address for that server so people on the web would know where to find it, but you'd also have ports specific to the various tasks that the server performed, port 80 for http, port 110 for pop3 (email), port 25 for smtp (the other half of email), and port 21 for ftp. Based on which port someone on the web tries to connect to tells your server what they want to do.

5. What exactly is a "ping?"
It takes its name from a sonar "ping". You send out a ping and if you hear your ping reflected back then you know something is there. It's useful for troubleshooting.


6. I see I can trace event. There are "Map", "Registrant" and "Network" views. How can these views be used/useful. Any tips about tracing appreciated.
Those are just different ways to organize the results of the trace. For now I wouldn't worry too much about tracing. It sounds like you've got more to learn before that would be useful.

Thanks (for now)!

masraum 02-24-2007 09:12 AM

Is this firewall a device that will be in the network, like a small box that traffic has to go through, or is it a piece of software that's installed on a PC? If it's a firewall on a PC, then is this PC inside your network talking to other PCs but behind another firewall device? I.e., if you have a home router, many home routers also have firewall functionality built in that can block the rest of the world from getting into a home network, or if this is a business/corp environment, then most businesses have a firewall of some sort keeping the rest of the world out of the business network. A piece of software that installs on a PC can be used as an additional layer of security or the only layer in either a home or business setting. Depending upon what the layout is, it will probably be set up differently.

Each type is useful and can perform similar but slightly different functions.

This may be useful.
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

The ports in TCP/UDP run from 0 - 65535. The first 1024 are supposed to be spoken for. So they should be standard. Anything above 1024 is pretty much fair game, but many of those have applications that have become de facto standards.

If you see traffic trying to come in or go out on 6346, then someone is trying to connect using a file sharing program.

Depending upon the layout of your network and what this PC is doing, it's probably a good idea to block ports 135, 137, 138, 139, and 445 both inbound and outbound. Those are commonly used to exploit Windows, but if this is on an internal lan and will be talking to other PCs on that lan, then you may need those ports for the PCs to talk to each other. If that's the case then you may need to allow those ports from a certain range of addresses but block them from others.
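
An added example, not part of any post in this thread: a toy model of the default-deny, stateful filtering described above, showing how a reply to a connection you started differs from an unsolicited attempt and how ports 135, 137, 138, 139 and 445 can be allowed from one address range and blocked from all others. The LAN range 192.168.1.0/24, the sample addresses and the `Firewall` class are constructed for illustration, and TCP/UDP are not distinguished.

```python
import ipaddress

# Constructed rule set (assumption): the LAN is 192.168.1.0/24.
# The ports are the Windows ones named in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
SMB_PORTS = {135, 137, 138, 139, 445}
# (action, source network, destination ports); first match wins.
INBOUND_RULES = [
    ("allow", LAN, SMB_PORTS),  # Windows file sharing from LAN peers only
]


class Firewall:
    """Toy stateful host firewall: default deny, first-match allow rules."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (remote_ip, remote_port, local_port) we initiated

    def outbound(self, remote_ip, remote_port, local_port):
        """Record a connection this host started so replies count as solicited."""
        if remote_port in SMB_PORTS and ipaddress.ip_address(remote_ip) not in LAN:
            return "deny"  # block the Windows ports leaving the LAN as well
        self.flows.add((remote_ip, remote_port, local_port))
        return "allow"

    def inbound(self, remote_ip, remote_port, local_port):
        """Decide an inbound packet: solicited reply, explicit rule, or default deny."""
        if (remote_ip, remote_port, local_port) in self.flows:
            return "allow (solicited reply)"
        src = ipaddress.ip_address(remote_ip)
        for action, network, ports in self.rules:
            if src in network and local_port in ports:
                return f"{action} (rule)"
        return "deny (unsolicited, no rule)"


def demo():
    fw = Firewall(INBOUND_RULES)
    fw.outbound("203.0.113.10", 80, 50000)  # this PC browses to a web server
    return [
        fw.inbound("203.0.113.10", 80, 50000),   # the web server's reply
        fw.inbound("198.51.100.7", 40000, 445),  # Internet host knocking on 445
        fw.inbound("192.168.1.20", 40001, 445),  # LAN peer using file sharing
        fw.inbound("198.51.100.7", 40002, 21),   # knock on a port with no rule
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```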

masraum 02-24-2007 09:20 AM

more info

how stuff works -- firewalls
http://computer.howstuffworks.com/firewall.htm

firewall basics
http://www.securitydocs.com/library/2413

Internet Firewalls FAQ
http://www.interhack.net/pubs/fwfaq/

wikipedia -- firewalls
http://en.wikipedia.org/wiki/Firewall

These and the info above should give you more info and time to come up with more questions.

H.G.P. 02-24-2007 12:32 PM

Quote:

Originally posted by HardDrive
Great responses.

H.G.P, is this a firewall product that came preinstalled on one of your machines?

Yes, pre-installed. It has features I'm still learning. One being green, tan, and red bars. (Virus, hacker, spam, ...)

I'm looking at the hacker bar index and it gives all green at the moment on the bar.

On the trace events, two of them showed trace to Shanghai, and Harbin.

