Registered
 
H.G.P.'s Avatar
 
Join Date: Apr 2002
Posts: 1,492
I'd like a primer on Internet firewall terminology, settings, etc.,

I have a Security Center with one of our computers I'm trying to learn more regarding ideal settings:

1. What inbound events should I ban?

2. How high should I have security level of the firewall?

3. What exactly is happening with an "unsolicited attempt" at connection to a port?

4. What is a port?

5. What exactly is a "ping?"

6. I see I can trace event. There are "Map", "Registrant" and "Network" views. How can these views be used/useful? Any tips about tracing appreciated.


Thanks (for now)!

__________________
1969 911 E Coupe
"Little Bull" "Horse"
"H." Heart, "G." Gears, and "P" the Porsche

Last edited by H.G.P.; 02-24-2007 at 02:40 AM..
Old 02-24-2007, 02:38 AM
The Unsettler
 
stomachmonkey's Avatar
 
Join Date: Dec 2002
Location: Lantanna TX
Posts: 23,885
A real firewall should start by denying anything that is not explicitly allowed.

1. Block everything then open only what you need and no more.

2. High then adjust to your needs.

3. You make requests of data from the net. If data tried to enter a port w/out being asked for, it's unsolicited, could be benign bot traffic or could be something else.

4. Think of them as numbered doors, ftp traffic always enters through door 21, http requests through door/port 80. So if someone wants to try and break in the 1st thing they do is run a port scan, knock on the doors and listen for a hello.

You can change what ports traffic enters to make things more secure but it can also make life harder for you.

Say you are running an ftp server and you change the port from 21 to 211, since ftp applications expect to see 21 by default you need to let everyone that has access rights to it change their default client settings for your site to 211.

Ping is what it sounds like, a "ping", a data packet is sent from one computer to another. The receiving computer should respond to the ping. It's a first step in troubleshooting to determine if the computer on the other end is still there.

6. Why do you need to trace anything? Don't bother. Every computer on the net sees a ton of irrelevant traffic.
__________________
"I want my two dollars"
"Goodbye and thanks for the fish"
"Proud Member and Supporter of the YWL"
"Brandon Won"
Old 02-24-2007, 05:25 AM
Registered
 
VincentVega's Avatar
 
Join Date: Aug 2002
Location: MD
Posts: 5,733
Yep

Start with block all, allow nothing. Slowly open services/ports as needed per application. Whenever possible create as specific a rule as possible. For example, rather than allow inbound http/https to the webserver network, restrict to specific IPs of the webservers. Same goes for every service, in each direction.

Since you asked question 4, you really should brush up on tcp/ip first. You need a basic understanding of udp/tcp/IP in general before you can get into securing IP.

Something like http://www.dummies.com/WileyCDA/DummiesTitle/productCd-0764517600.html is a great start.

Last edited by VincentVega; 02-24-2007 at 08:25 AM..
Old 02-24-2007, 08:22 AM
Slackerous Maximus
 
HardDrive's Avatar
 
Join Date: Apr 2005
Location: Columbus, OH
Posts: 18,190
Great responses.

H.G.P, is this a firewall product that came preinstalled on one of your machines?
__________________
2022 Royal Enfield Interceptor.
2012 Harley Davidson Road King
2014 Triumph Bonneville T100.
2014 Cayman S, PDK.
Mercedes E350 family truckster.
Old 02-24-2007, 08:54 AM
Back in the saddle again
 
masraum's Avatar
 
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,184
Re: I'd like a primer on Internet firewall terminology, settings, etc.,

I'm not going to try to be cryptic with my answers, but it may sound that way.

Quote:
Originally posted by H.G.P.
I have a Security Center with one of our computers I'm trying to learn more regarding ideal settings:

1. What inbound events should I ban?

Any inbound connections that aren't necessary or not initiated by you/your computer.

2. How high should I have security level of the firewall?
As high as you can set it and still function. Start at the top, if you can't do some things move down a notch.

3. What exactly is happening with an "unsolicited attempt" at connection to a port?
Someone is looking for a server of some sort. It may be something innocuous like a search engine looking for webpages or it could be malicious. If you don't have any servers that you need to allow people on the internet to talk to, then don't allow any incoming connections (caveats exist).

4. What is a port?
Imagine that your IP address is like your house. If that's true then a port is like a door or window. Someplace that you can enter the house to get to something specific. If I want to get to your rec room then the quickest way is for me to go into that room through the window. Basically it's a more specific sub-address to your main address. If you had a server that was a web server, an email server, and an ftp file server, then you'd have an IP address for that server so people on the web would know where to find it, but you'd also have ports specific to the various tasks that the server performed, port 80 for http, port 110 for pop3 (email), port 25 for smtp (the other half of email), and port 21 for ftp. Based on which port someone on the web tries to connect to tells your server what they want to do.

5. What exactly is a "ping?"
It takes its name from a sonar "ping". You send out a ping and if you hear your ping reflected back then you know something is there. It's useful for troubleshooting.


6. I see I can trace event. There are "Map", "Registrant" and "Network" views. How can these views be used/useful? Any tips about tracing appreciated.
Those are just different ways to organize the results of the trace. For now I wouldn't worry too much about tracing. It sounds like you've got more to learn before that would be useful.

Thanks (for now)!
__________________
Steve
'08 Boxster RS60 Spyder #0099/1960
- never named a car before, but this is Charlotte.
'88 targa SOLD 2004 - gone but not forgotten
Old 02-24-2007, 08:58 AM
Back in the saddle again
 
masraum's Avatar
 
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,184
Is this firewall a device that will be in the network, like a small box that traffic has to go through, or is it a piece of software that's installed on a PC? If it's a firewall on a PC, then is this PC inside your network talking to other PCs but behind another firewall device? I.e., if you have a home router, many home routers also have firewall functionality built in that can block the rest of the world from getting into a home network, or if this is a business/corp environment, then most businesses have a firewall of some sort keeping the rest of the world out of the business network. A piece of software that installs on a PC can be used as an additional layer of security or the only layer in either a home or business setting. Depending upon what the layout is, it will probably be set up differently.

Each type is useful and can perform similar but slightly different functions.

This may be useful.
http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

The ports in TCP/UDP run from 0 - 65535. The first 1024 are supposed to be spoken for. So they should be standard. Anything above 1024 is pretty much fair game, but many of those have applications that have become de facto standards.

If you see traffic trying to come in or go out on 6346, then someone is trying to connect using a file sharing program.

Depending upon the layout of your network and what this PC is doing, it's probably a good idea to block ports 135, 137, 138, 139, and 445 both inbound and outbound. Those are commonly used to exploit Windows, but if this is on an internal LAN and will be talking to other PCs on that LAN, then you may need those ports for the PCs to talk to each other. If that's the case then you may need to allow those ports from a certain range of addresses but block them from others.
__________________
Steve
'08 Boxster RS60 Spyder #0099/1960
- never named a car before, but this is Charlotte.
'88 targa SOLD 2004 - gone but not forgotten
Old 02-24-2007, 09:12 AM
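Added example (not part of the thread, and not any poster's or firewall product's code): a small Python model of the advice in the replies above, i.e. deny by default, let replies to your own requests back in, and allow ports 135/137/138/139/445 only to and from the LAN. The LAN range 192.168.1.0/24, the rule format and the `Firewall` class are assumptions made up for illustration, and the sample traffic uses constructed documentation addresses.

```python
import ipaddress

# Assumptions for this sketch: the LAN range and the rule format are made up.
LAN = ipaddress.ip_network("192.168.1.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
WINDOWS_PORTS = {135, 137, 138, 139, 445}   # ports listed in the post above

# (action, direction, remote network, ports); first match wins, None = any port.
# "ports" means the local port for "in" and the remote port for "out".
RULES = [
    ("allow", "in",  LAN, WINDOWS_PORTS),   # file sharing between LAN PCs
    ("allow", "out", LAN, WINDOWS_PORTS),
    ("block", "out", ANY, WINDOWS_PORTS),   # never out to the internet
    ("allow", "out", ANY, None),            # ordinary outbound requests
]

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.flows = set()   # connections this PC started: (peer, peer_port, local_port)

    def _match(self, direction, peer, port):
        addr = ipaddress.ip_address(peer)
        for action, rule_dir, net, ports in self.rules:
            if rule_dir == direction and addr in net and (ports is None or port in ports):
                return action
        return "block"       # default deny: nothing matched, so it is not allowed

    def outbound(self, peer, peer_port, local_port):
        verdict = self._match("out", peer, peer_port)
        if verdict == "allow":
            self.flows.add((peer, peer_port, local_port))
        return verdict

    def inbound(self, peer, peer_port, local_port):
        if (peer, peer_port, local_port) in self.flows:
            return "allow"   # solicited: a reply to a request we made
        return self._match("in", peer, local_port)   # unsolicited attempt

def demo():
    """Run constructed sample traffic (documentation addresses) through the rules."""
    fw = Firewall(RULES)
    return [
        fw.outbound("203.0.113.10", 80, 50000),   # we request a web page
        fw.inbound("203.0.113.10", 80, 50000),    # the reply comes back
        fw.inbound("203.0.113.10", 80, 50001),    # same host, but nothing asked for this
        fw.inbound("198.51.100.7", 40000, 445),   # internet host knocking on port 445
        fw.inbound("192.168.1.20", 40000, 445),   # LAN PC using file sharing
        fw.outbound("198.51.100.7", 445, 50002),  # port 445 out to the internet
    ]

if __name__ == "__main__":
    print(demo())
```

Only the third and fourth inbound packets are "unsolicited" in the sense asked about in question 3; the second is let in because this PC asked for it first.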
Back in the saddle again
 
masraum's Avatar
 
Join Date: Oct 2001
Location: Central TX west of Houston
Posts: 56,184
more info

how stuff works -- firewalls
http://computer.howstuffworks.com/firewall.htm

firewall basics
http://www.securitydocs.com/library/2413

Internet Firewalls FAQ
http://www.interhack.net/pubs/fwfaq/

wikipedia -- firewalls
http://en.wikipedia.org/wiki/Firewall

These and the info above should give you more info and time to come up with more questions.
__________________
Steve
'08 Boxster RS60 Spyder #0099/1960
- never named a car before, but this is Charlotte.
'88 targa SOLD 2004 - gone but not forgotten
Old 02-24-2007, 09:20 AM
Registered
 
H.G.P.'s Avatar
 
Join Date: Apr 2002
Posts: 1,492
Quote:
Originally posted by HardDrive
Great responses.

H.G.P, is this a firewall product that came preinstalled on one of your machines?
Yes, pre-installed. It has features I'm still learning. One being green, tan, and red bars. (Virus, hacker, spam, ...)

I'm looking at the hacker bar index and it gives all green at the moment on the bar.

On the trace events, two of them showed trace to Shanghai, and Harbin.

__________________
1969 911 E Coupe
"Little Bull" "Horse"
"H." Heart, "G." Gears, and "P" the Porsche
Old 02-24-2007, 12:32 PM