
A Rookie's Guide to Defensive Blocks: Page 3 of 7

Sometimes firewall administration falls to an engineer who is good at setting up routers and switches but lacks the devious mind-set needed to ferret out the holes in a network. He or she may feel confident after installing a firewall and blocking incoming SYN packets. But is the network secure? Not by a long shot. You should also limit outbound connections to approved protocols and ports, because some DDoS (distributed denial of service) zombies and other Trojans phone home by connecting to IRC (Internet Relay Chat) servers. If your firewall allows only outgoing HTTP, SMTP and DNS, those Trojans cannot reach their IRC control channels and are far less able to cause damage (see "Fireproofing Against DoS Attacks").

Be aware, however, that a lot of traffic, legitimate and illegitimate, runs over port 80, and a port-based rule cannot tell it apart. For example, WebDAV (Web-based Distributed Authoring and Versioning) is an extension of HTTP that, among other things, lets you mount a remote server's storage as if it were a local disk. When Apple says WebDAV support is built into the new version of Mac OS X, one of the features touted is that it works through firewalls; it does so precisely because it rides on the same port 80 that most firewalls already allow out.
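The two points above, a default-deny egress allowlist and the caveat that port 80 alone proves nothing, can be put side by side in a small policy checker. The following is an added example written for this page, not code from the original article or from any firewall product. It assumes a list of constructed outbound connection records (source, protocol, destination, port and, where captured, the first line of an HTTP request) and applies the article's rule of allowing only outgoing HTTP, SMTP and DNS; it then looks inside port-80 traffic for WebDAV request methods that a port filter would wave through. Ports 6667 and 6697 are the customary plaintext and TLS IRC ports; the WebDAV method names come from RFC 4918; all addresses and paths are made up.

```python
"""Egress allowlist check with a layer-7 look at port 80 (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Approved outbound (protocol, port) pairs per the article: HTTP, SMTP, DNS.
# Everything else outbound is denied by default.
EGRESS_ALLOW = {("tcp", 80), ("tcp", 25), ("tcp", 53), ("udp", 53)}

# Request methods that mark WebDAV rather than ordinary web browsing (RFC 4918).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


@dataclass(frozen=True)
class Conn:
    src: str
    proto: str            # "tcp" or "udp"
    dst: str
    dport: int
    request_line: Optional[str] = None  # first HTTP request line, if captured


def egress_verdict(c: Conn) -> str:
    """Return 'allow', 'deny', or 'flag:webdav-<method>' for one outbound connection.

    The port filter runs first, as a network firewall would. Only traffic
    that survives it is inspected at the application layer.
    """
    if (c.proto.lower(), c.dport) not in EGRESS_ALLOW:
        return "deny"
    if c.dport == 80 and c.request_line:
        method = c.request_line.split(" ", 1)[0].upper()
        if method in WEBDAV_METHODS:
            # Passed the port rule, but this is a remote file-system mount, not browsing.
            return f"flag:webdav-{method.lower()}"
    return "allow"


def audit(conns: List[Conn]) -> List[Tuple[Conn, str]]:
    """Return every connection whose verdict is not a plain allow."""
    findings = []
    for c in conns:
        verdict = egress_verdict(c)
        if verdict != "allow":
            findings.append((c, verdict))
    return findings


# Constructed sample records for the example (not captured from a real network).
SAMPLE = [
    Conn("10.0.0.15", "tcp", "203.0.113.10", 80, "GET /index.html HTTP/1.1"),
    Conn("10.0.0.15", "udp", "10.0.0.2", 53),
    Conn("10.0.0.22", "tcp", "198.51.100.7", 6667),   # zombie phoning home to IRC
    Conn("10.0.0.22", "tcp", "198.51.100.7", 6697),   # same, IRC over TLS
    Conn("10.0.0.31", "tcp", "192.0.2.44", 80, "PROPFIND /share/ HTTP/1.1"),  # WebDAV via port 80
    Conn("10.0.0.31", "tcp", "192.0.2.44", 25),
    Conn("10.0.0.40", "tcp", "192.0.2.9", 445),       # SMB leaving the network
]


def main() -> None:
    for conn, verdict in audit(SAMPLE):
        print(f"{conn.src} -> {conn.dst}:{conn.dport}/{conn.proto}  {verdict}")


if __name__ == "__main__":
    main()
```

Running the block lists the two IRC attempts and the SMB connection as denied and the PROPFIND as flagged, while the GET, the DNS lookup and the SMTP session pass. The flagged entry is the article's warning in miniature: whether WebDAV over port 80 is acceptable is a policy decision, but a firewall that only matches on ports never gets to make it.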

Another flaw is a hole in the network that lets users bypass the firewall altogether. Big offenders here are devices with modems that allow dial-in administration. Some organizations consider attaching a modem to a computer on the LAN such a security risk that it is grounds for immediate termination. While it may be convenient to dial into a network-monitoring box to see why the corporate Internet connection is down, an attacker who guesses the password gains direct access to the LAN, with the firewall never in the path. This is why you should deploy internal firewalls as well: the biggest threat to your network likely will come from the inside, be it an outsider with a modem or an untrustworthy employee.

Network-based firewalls are also of limited use against hostile code. A network firewall by itself cannot determine whether the traffic passing through it is legitimate or dangerous; it sees addresses and ports, not which program opened the connection. Personal firewalls, which shim themselves into the operating system's IP stack, can monitor traffic more closely and, because they run on the host, can relate it to the application sending or receiving it. Unlike hardware firewalls, personal firewalls have no physical separation between public and private interfaces: the software intercepts outgoing packets before they reach the network interface and incoming packets before they are passed up the stack to the application (see "No Desktop Is an Island").

Glossary
• SYN packets: The first segment of the TCP three-way handshake. The client sends SYN, the server answers SYN-ACK and the client replies ACK; only then can data be exchanged, so blocking unsolicited inbound SYNs blocks inbound connection attempts.