Securing small business
Firewalls
Anti-virus
Anti
Introduction
Due to the phenomenal growth of the Internet in the last decade, companies and individuals find it hard to operate without a presence on the Internet. This means that companies are exposed to threats which can have a major business impact. The fact that one needs to protect company and individual computers from unauthorized or unwanted access is considered a
Understanding the concept
In order to pick the right firewall, understanding what a firewall does is crucial. I will quickly cover basic TCP/IP concepts and
TCP Attributes
TCP runs on top of IP: each TCP segment travels inside an IP packet whose header carries the source and destination addresses and a protocol number (6 for TCP).
A TCP segment carries a source port and a destination port; the destination port identifies the service being contacted (for example 80 for HTTP, 25 for SMTP).
A TCP segment carries a sequence number and a set of flags (SYN, ACK, FIN and RST among them). The SYN, SYN/ACK, ACK handshake that opens a connection is what a stateful firewall watches for.
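The following is an added example, not code from the original presentation: it reads exactly these attributes (addresses, protocol, ports, sequence number, flags) out of a raw IPv4 packet carrying TCP. The addresses and ports are made up, and the `build_ipv4_tcp` helper exists only to fabricate test input so the example runs offline.

```python
"""Added example, not from the original slides: read the fields a packet
filter decides on (addresses, protocol, ports, sequence number, flags)
out of a raw IPv4 packet carrying TCP.  The sample packet is constructed
below with a small builder so the example runs offline."""
import ipaddress
import struct

# The six classic TCP flag bits, lowest bits of the 16-bit offset/flags word.
TCP_FLAG_NAMES = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                  0x08: "PSH", 0x10: "ACK", 0x20: "URG"}
IPPROTO_TCP = 6


def parse_ipv4_tcp(packet: bytes) -> dict:
    """Return the header fields of an IPv4 packet carrying TCP.

    Raises ValueError for anything that is not IPv4 over TCP or is truncated.
    """
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (version_ihl, _tos, _total_len, _ident, _frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = version_ihl >> 4, (version_ihl & 0x0F) * 4
    if version != 4:
        raise ValueError("not an IPv4 packet")
    if proto != IPPROTO_TCP:
        raise ValueError("IP payload is not TCP (protocol %d)" % proto)
    tcp = packet[ihl:]
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, offset_flags = struct.unpack("!HHIIH", tcp[:14])
    data_offset = (offset_flags >> 12) * 4      # TCP header length in bytes
    flag_bits = offset_flags & 0x003F
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "sport": sport,
        "dport": dport,
        "seq": seq,
        "ack": ack,
        "flags": [name for bit, name in sorted(TCP_FLAG_NAMES.items())
                  if flag_bits & bit],
        "payload": tcp[data_offset:],
    }


def build_ipv4_tcp(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Build a minimal IPv4+TCP packet as test input.  Checksums are left
    zero, so this is only for feeding the parser, never for a real wire."""
    flag_bits = sum(bit for bit, name in TCP_FLAG_NAMES.items() if name in flags)
    tcp = struct.pack("!HHIIHHHH", sport, dport, seq, ack,
                      (5 << 12) | flag_bits, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64,
                     IPPROTO_TCP, 0,
                     ipaddress.IPv4Address(src).packed,
                     ipaddress.IPv4Address(dst).packed)
    return ip + tcp


# Constructed sample: an inside host opening a web connection (SYN to port 80).
SAMPLE_SYN = build_ipv4_tcp("192.168.1.10", "203.0.113.5", 49152, 80,
                            seq=1000, ack=0, flags=["SYN"])

if __name__ == "__main__":
    hdr = parse_ipv4_tcp(SAMPLE_SYN)
    print(f"{hdr['src']}:{hdr['sport']} -> {hdr['dst']}:{hdr['dport']} "
          f"seq={hdr['seq']} flags={hdr['flags']}")
```

The parser deliberately reads the IP header length field rather than assuming 20 bytes, and rejects anything that is not IPv4 carrying TCP; a filter that skips those checks can be fed a packet whose TCP fields sit at a different offset than it expects.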
Firewalls – The Basic Description
A firewall is a perimeter defense device: any firewall splits a network into a trusted (protected) side and an untrusted (unprotected) side.
A firewall filters traffic on a predefined set of rules.
Firewall limits
These two properties, perimeter placement and a fixed rule set, limit the effectiveness of a firewall dramatically. It is important to note that a firewall does not:
Protect you from your internal network. Traffic that never crosses the perimeter is never filtered.
Protect you from authorized, intended or unintended, malicious access. This entails using granted privileges or access for unintended operations; a rule that allows the traffic cannot tell legitimate use from abuse.
Protect you from all harmful attacks. Exploits found on the Internet can use different techniques to penetrate basic firewall protection, the simplest being to travel over a port or protocol the rules already allow.
What kind of Firewall?
Features of a good firewall:
Stateful packet inspection (SPI): it keeps a table of connections, monitors the state of each TCP connection (handshake, established, closing) and allows traffic accordingly, so an inbound packet is admitted only if it belongs to a connection an inside host opened.
Protocol validation: it does content checking, passing protocols through a validation exercise rather than trusting the port number alone.
Address translation (NAT): it rewrites internal addresses so that, in the usual setup, inside hosts cannot be reached from the untrusted side unless a port forward is configured.
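To make the SPI point concrete, here is an added example (not code from the original presentation) that runs a minimal stateful filter and a stateless rule set over the same constructed packet sequence. The addresses, ports and the `Packet` type are assumptions made for the demonstration.

```python
"""Added example, not from the original slides: a minimal stateful
packet inspection (SPI) engine next to a stateless rule set, both run
over the same constructed packet sequence.  Addresses, ports and the
Packet type are assumptions made for the demonstration."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset          # subset of {"SYN", "ACK", "FIN", "RST"}
    direction: str            # "out" = trusted -> untrusted, "in" = the reverse


INSIDE, WEB, ATTACKER = "192.168.1.10", "203.0.113.5", "198.51.100.7"


def stateless_filter(pkt: Packet) -> bool:
    """Rules with no memory.  Outbound is allowed; inbound is allowed only
    from remote port 80, the rule you are forced to write so that web
    replies can come back at all.  Anything claiming source port 80 fits."""
    return pkt.direction == "out" or pkt.sport == 80


@dataclass
class StatefulFilter:
    """Remembers each connection an inside host opened and admits inbound
    packets only when they belong to one of those connections."""
    table: dict = field(default_factory=dict)   # 4-tuple -> state

    @staticmethod
    def key(pkt: Packet):
        # Same entry for both directions: (inside, inside port, outside, outside port)
        if pkt.direction == "out":
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def accept(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        state = self.table.get(k)
        if pkt.direction == "out":
            if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                self.table[k] = "SYN_SENT"       # inside host opens a connection
            elif state is None:
                return False                     # inside may only start flows with SYN
            if pkt.flags & {"FIN", "RST"}:
                self.table.pop(k, None)          # simplification: one FIN ends tracking
            return True
        if state is None:
            return False                         # unsolicited inbound: drop
        if state == "SYN_SENT":
            if {"SYN", "ACK"} <= pkt.flags:
                self.table[k] = "ESTABLISHED"    # handshake answered
                return True
            if "RST" in pkt.flags:
                self.table.pop(k, None)          # connection refused
                return True
            return False                         # anything else is out of sequence
        if pkt.flags & {"FIN", "RST"}:
            self.table.pop(k, None)
        return True


# Constructed traffic: a normal web connection, then a forged packet that
# abuses source port 80 to reach a file-sharing port on the inside host.
SAMPLE_PACKETS = [
    Packet(INSIDE, 49152, WEB, 80, frozenset({"SYN"}), "out"),
    Packet(WEB, 80, INSIDE, 49152, frozenset({"SYN", "ACK"}), "in"),
    Packet(INSIDE, 49152, WEB, 80, frozenset({"ACK"}), "out"),
    Packet(WEB, 80, INSIDE, 49152, frozenset({"ACK"}), "in"),
    Packet(ATTACKER, 80, INSIDE, 445, frozenset({"SYN"}), "in"),
]


def compare(packets=SAMPLE_PACKETS) -> dict:
    """Run both filters over the packet list; True means the packet passed."""
    spi = StatefulFilter()
    return {"stateless": [stateless_filter(p) for p in packets],
            "stateful": [spi.accept(p) for p in packets]}


if __name__ == "__main__":
    for name, verdicts in compare().items():
        print(name, ["pass" if v else "DROP" for v in verdicts])
```

The stateless filter passes all five packets, including the forged one, because it has no way to know that nobody inside ever talked to the attacker. The stateful filter passes the first four and drops the fifth. Real SPI engines also track half-closed connections, timeouts and sequence-number windows; this model stops at the part that matters for choosing a product.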
Hardware – Software
Hardware:
Most basic routers do not include SPI
VPN routers do
Wired
Software:
Most OS before Win XP do not include any protection.
Win XP’s built-in firewall (ICF, renamed Windows Firewall in SP2) offers some basic protection: it filters inbound traffic only and gives no control over which programs on the machine may connect out.
“Zone Alarm” offers SPI together with per-program control of outbound connections.
Email Anti
EMAIL Origins
Email was created by researchers as a way for them to communicate. This was many years before the World Wide Web, what we now refer to as “The Internet
EMAIL Security
Why is it insecure?
It was not originally intended for widespread use outside of research.
It was designed to be simple and easy to operate with minimum restrictions: a sending server is not required to prove who it is, and the From address is whatever the sender chooses to put there.
Security controls were afterthoughts that had to be pasted on to the email system instead of being part of the original design. Because of this, email security is inefficient and incomplete.
Define SPAM
General definition – unrequested or unsolicited email, usually designed to initiate a financial transaction or gather data for advertising
Most legitimate companies do not engage in SPAM emailing
A SPAM email is typically sent to many millions of email addresses in the expectation that even if only a fraction of 1% generate a response, the SPAM email will still produce an economic return
The new face of SPAM – how it went from obnoxious to hazardous
SPAM originally was mostly just advertisements
As email and Internet use have become more common since the late 1990’s, email has become one of the primary ways to distribute viruses
Recently, there has been increasing involvement of the criminal underworld
Identity theft
Self installing viruses, or how to run an email server without even trying
Frequently used to deliver computer programs designed to infect your computer and send new copies of the virus to other email addresses and/or seize control of the computer.
Can automatically install without your knowledge
Uses your contact lists and emails for target addresses
Someone else’s very own email server on my computer
Capable of sending many thousands of emails per hour
Severe impact on your Internet browsing performance
Severe impact on your overall computer performance
Spreads virus to your friends and many others
May result in your email address being blocked by potential recipients.
May result in your ISP suspending your service until the
“Surprises” in email viruses
In addition to installing an email server on your computer and mass emailing copies of the virus to others, most of the recent email viruses also carry a separate “payload” which installs a program on your computer
Silent install – you are unaware that the program
Steal my data please!
This program often carries a component that allows the program to receive orders from an outside source.
This allows an unauthorized user to take control of your computer or steal your data
Often installs a “key logger”, a program that captures every keyboard entry you make and records it for future transmission to other parties
Stealing your identity
The program can report back to the original sender
Allows others to steal your data:
Passwords
Bank account information
Credit card information
Putting down “Roots”
A new type of email virus is just being seen that is an even more serious threat. This is a “Root Kit” installer.
Replaces key parts of your operating system
A Root Kit virus is almost impossible to detect from inside the running system, because the parts it replaced are the very ones that report which files, processes and network connections exist
Is able to take complete control of your computer
Very few anti virus programs can even detect
Tearing out the “Roots”
There are only a few anti-virus companies that have Root Kit detectors.
F-Secure has a product in Beta testing called “Blacklight” (www.f-secure.com/blacklight) that attempts to detect and remove Root Kits
Currently, the only fully effective remedy if infected is to wipe the computer hard drive clean and reinstall everything
Fortunately, Root Kits are still very rare, but that will
What can we do?
Don’t rely on a single defense – use a layered approach
Use your ISP’s email virus filtering service, if available
Use a hardware firewall
Install a software firewall
Install and maintain anti-virus software
The Multi-level Defense
ISP Email Filtering
Firewall
Anti-virus software
Anti-virus programs
Install and keep up to date at least one anti-virus program
What capabilities should it have?
Real time file checking – should be able to check every file you use on your computer, as you open it
Real time email checking – should be able to check all incoming and outgoing email
Are two better than one?
Some anti-virus programs require more resources on your computer than others
Norton and McAfee are resource intensive and will not “play well” with other anti-virus programs. Consider the “horsepower” of your computer before installing a second program, especially if you are using one of these packages.
Anti-virus programs that appear to work reasonably well together are (there may be other programs as well):
Authentium/Command Antivirus (www.authentium.com)
AVG (www.grisoft.com)
The Last Line of Defense: YOU
Learn how to identify common attributes of SPAM and virus emails. Listed below are some common SPAM/virus email traits but this is not a complete list.
Unusual characters in the Subject line
Email that asks you to provide confidential information, either in a reply email or by asking you to go to a website. Be very careful about providing information such as:
Credit Card number / Bank Account number
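The traits listed above can be turned into simple checks. The following is an added example, not code from the original presentation: a small heuristic scorer run over three constructed sample messages (a normal note, a phishing message, and an advance-fee scam). The patterns, weights and sample mail are assumptions for illustration; a real filter combines far more signals than these.

```python
"""Added example, not from the original slides: a heuristic checker for
the SPAM/phishing traits listed above, run over constructed sample
messages.  The patterns and the sample mail are assumptions made for
illustration; production filters combine many more signals."""
import re
from email import message_from_string
from email.header import decode_header, make_header

# Trait 1: unusual characters in the Subject line (non-printable or
# non-ASCII characters, runs of punctuation, odd spacing).
UNUSUAL_SUBJECT = re.compile(r"[^\x20-\x7e]|[!$*#]{2,}|\s{3,}")
# Trait 2: a request for confidential information, either with a call to
# act (reply) or with a link to a website where it should be entered.
CONFIDENTIAL = re.compile(
    r"\b(credit\s*card|bank\s*account|account\s*number|password|pin|"
    r"social\s*security)\b", re.I)
CALL_TO_ACT = re.compile(r"\b(verify|confirm|update|validate|reply\s+with)\b", re.I)
URL = re.compile(r"https?://\S+|\bwww\.\S+", re.I)
# Trait 3: "too good to be true" sums of money.
BIG_MONEY = re.compile(r"\$\s?\d{1,3}(,\d{3}){2,}|\b\d+\s*million\b", re.I)


def decoded_subject(msg) -> str:
    """Subject with RFC 2047 encoded words decoded, so characters hidden
    behind =?utf-8?...?= encoding are checked as what the reader sees."""
    return str(make_header(decode_header(msg.get("Subject", ""))))


def plain_text_body(msg) -> str:
    """Concatenate the text/plain parts (a plain message is its own part)."""
    parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
    chunks = [(p.get_payload(decode=True) or b"") for p in parts]
    return b"\n".join(chunks).decode("utf-8", "replace")


def score_message(raw_mail: str):
    """Return (score, reasons) for one RFC 822 message given as a string."""
    msg = message_from_string(raw_mail)
    subject, body = decoded_subject(msg), plain_text_body(msg)
    reasons = []
    if UNUSUAL_SUBJECT.search(subject):
        reasons.append("unusual characters in Subject line")
    if CONFIDENTIAL.search(body):
        if CALL_TO_ACT.search(body):
            reasons.append("asks you to supply confidential information")
        if URL.search(body):
            reasons.append("sends you to a website to enter confidential information")
    if BIG_MONEY.search(body):
        reasons.append("promises an implausible sum of money")
    return len(reasons), reasons


# Constructed sample messages (not real mail; addresses are reserved example domains).
LEGIT = """\
From: Pat <pat@example.com>
To: you@example.com
Subject: Lunch tomorrow?

Are we still on for lunch at noon tomorrow? I booked the usual place.
"""

PHISH = """\
From: "Account Services" <support@example.net>
To: you@example.com
Subject: Important account notice

Your account has been suspended. Please verify your bank account number
and password at http://example.net/verify within 24 hours.
"""

ADVANCE_FEE = """\
From: "Dr. X" <x@example.org>
To: you@example.com
Subject: =?utf-8?q?URGENT_=24=24=24_BUSINESS_PROPOSAL?=

I am a former government official and wish to share $20,000,000 with you.
Reply with your bank account details to proceed.
"""


def triage(messages: dict) -> dict:
    """Score each named message; returns {name: (score, reasons)}."""
    return {name: score_message(raw) for name, raw in messages.items()}


if __name__ == "__main__":
    samples = {"legit": LEGIT, "phish": PHISH, "advance_fee": ADVANCE_FEE}
    for name, (score, reasons) in triage(samples).items():
        print(f"{name}: score {score} {reasons}")
```

The subject is decoded before it is examined because encoded words let a sender put lookalike or non-printing characters in the header while the raw bytes stay innocent-looking ASCII; the phishing sample scores on the request for a bank account number and password combined with a link, and the advance-fee sample on all three traits. A zero score is not proof that a message is safe, which is the point of the slide: the reader is still the last line of defense.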
You’re still the last line of defense
If it sounds too good to be true, it probably is.
No, there really isn’t a former Nigerian government official that wants to share his $20,000,000 with you.
Do you really want to buy stock or bonds from someone who makes his living sending unsolicited email? If the stock was really that good (or even existed), he wouldn’t need to spend his time trying to get you to buy it.
How much do you want to entrust your health to a pill or lotion you saw in a SPAM email, from an undocumented source, with no safety inspection or valid certification?
What else can we do?
Don’t reward SPAM
My own personal policy is to never visit a website or purchase a product as a result of SPAM.
Take responsibility for your computer and use common sense
Self reliance and common sense are your most effective tools. Remember, what happens to your computer is your responsibility. No software or hardware can properly protect your computer without your help.
SpyWare … Who is Watching Me?
SpyWare, Adware & Malware
• SpyWare is any technology that aids in gathering information about a person or organization without their knowledge.
• AdWare is any software application in which advertising banners are displayed while the program is running.
• MalWare is short for malicious software, software designed specifically to damage or disrupt a system, such as a virus or a Trojan horse.
How did I get this?
• SpyWare applications are typically bundled as a hidden component of freeware or shareware programs that can be downloaded from the Internet.
• Trojans/Malware can be installed without the user's consent, as a “drive-by download”, or as the result of clicking some option in a deceptive pop
Typical SpyWare/Malware Developer Tricks
• Hide it inside another program's installer.
• Keep asking to install until the user says Yes.
• Create a false pretense for the user needing the software.
• Hide software out in group directories on peer-to-peer networks.
• Design it to look essential, or to be invisible.
• Design it not to uninstall, even when asked.
Common Applications that have or are SpyWare
• Comet Cursor
• Bonzi Buddy
• InterNet Games
• CoolWebSearch
• Weather Bug
• Incredimail
• Snood & Dynomite
• Web Search Toolbars
• Instant Messengers
• File Sharing Programs
• Kazaa
• Morpheus
Things SpyWare/Malware can do
• Leave a backdoor open for hackers
• Install other programs directly onto your PC
• Load adult orientated images on your PC
• Dial a service, most likely adult content sites, for which you will be billed!
• Monitor your keystrokes
• Collect information about you and your surfing habits
• Modify system settings
• Redirect your browser
• Send/Receive cookies to other SpyWare programs
Signs of SpyWare/Malware
• Does your computer seem slow?
• Do you see programs you don’t remember installing?
• When you start your Internet browser, does it open to a page you've never seen before?
• Do you see a sudden increase in popup advertisements on pages where you've never seen them before?
Ways to avoid SpyWare/Malware
• Keep Windows up to date.
• Keep your Antivirus up to date.
• Install software only from Web sites you trust.
• Read the fine print on free software. “There is no such thing as a free lunch”
• Use a tool to help detect and remove unwanted software
IE Defense
• Set your Internet Security settings to at least Medium.
• Open Internet Explorer and click the Tools menu and then the Internet Options... sub-menu.
• Click on the Security tab at the top. Next click on the Internet icon. The Security Level bar should be set to Medium.
• Next click on the Restricted Sites icon. The Security Level bar should be set to High.
• Next click on the Trusted Sites icon. The Security Level bar should be set to Low. Because anything in this zone runs with very few restrictions, add only sites you genuinely trust and keep the list short.
Pop up Blockers
The Google Toolbar – for IE: http://toolbar.google.com/
Maxthon – Tabbed Browser: http://www.maxthon.com
Ad
SpySweeper
Tools of Defense
• Set up IE in a secure fashion
• A good popup blocker
• A good Antivirus
• A good removal tool
SpySweeper (by Webroot) http://www.rockbridge.net
Spybot-Search & Destroy (by Spybot) http://www.download.com
Ad-aware (by Lavasoft) http://www.download.com
SpyWare … Don’t Be A Victim!
Questions?
What does RGV do to
Two Layered Protection
RGV outsources mail filtering
Spam
Viruses
RGV implements its own filtering
Spam
Viruses
August 18, 2005 Combined
Domain          Messages  Bytes        % of Bytes  Blocked Msgs  % of Msgs
rockbridge.net  30,136    369,495,216  62.0        21,697        78.7
Domain          Viruses Quarantined
rockbridge.net
What Next?
RGV will introduce a new free service
Web Filtering
Residential Customers Parental Control
Parents will be able to control and limit their children
Web Filtering
SMB Customers
Will be able to control and limit use of each
Protect yourself
Develop a policy
Implement the policy
Evaluate the solution