SIG Meeting December 1 1997
FIREWALLS

Unfortuantely our scheduled speaker became quite ill prior to the meeting, so our SIG meeting was mainly a discussion. We discovered we had many resources familiar with the topic of Firewalls. Here is some resource information that was brought out at the meeting.

1. Firewall protection is a network issue not a system issue. It not only depends on protection provided by each of the operating systems on the network, but also on the attitude of those operating the systems on the network.

2. Firewalls on machines with as little other functional responsibilities (other than being a firewall) are much more effective than adding firewall software to loaded servers. In other words, the best firewalls have been stripped of all other tasks which limits what an intruder can use them for.

3. Successful Firewalls start with a well thought out Security Policy which in turn begins with a well reasoned factual assessment of the network environment: What do you have that needs protection, Who has to have what kind of access, Who is on the local network, what can you trust them for, what can't you trust them for, what don't you know about others on the network.

Here are some resources (some of them fun reading) for investigating this subject further:

• As/400 Security in a Client/Server Environment
  Joseph S. Park (1995)
  ISBN: 0471116831

• Building Internet Firewalls
  D. Brent Chapman, Elizabeth D. Zwicky (1995)
  ISBN: 1565921240

• Commonsense Computer Security: Your Practical Guide to Information Protection
  Martin R. Smith (1994)
  ISBN: 0077078055

• Computer Crime: A Crimefighter's Handbook
  David J. Icove, David, Seger, Karl Icove, Karl A. Seger, Vonstorch (1995)
  ISBN: 1565920864

• Computer Security
  John M. Carroll (1996)
  ISBN: 0750696001

• Computer Security Basics
  Deborah Russell, G.T. Gangemi (1991)
  ISBN: 0937175714

• Computer Security Handbook
  Arthur E. Hutt, Seymour Bosworth, Douglas B. Hoyt (1995)
  ISBN: 0471118540

• Cyber Crime: How to Protect Yourself from Computer Criminals
  Laura E. Quarantiello (1996)
  ISBN: 0936653744

• E-Mail Security : How to Keep Your Electronic Messages Private
  Bruce Schneier (1995)
  ISBN: 047105318X

• Firewalls and Internet Security: Repelling the Wily Hacker
  William R. Cheswick, Steven M. Bellovin (1994)
  ISBN: 0201633574

• Fundamentals of Computer Security Technology
  Edward G. Amoroso (1994)
  ISBN: 0131089293

• Hacker Proof: The Ultimate Guide to Network Security
  Lars Klander, Edward J. Renehan (1997)
  ISBN: 188413355X

• Halting the Hacker: A Practical Guide to Computer Security
  Donald L. Pipkin (1997)
  ISBN: 013243718X

• Information Warfare : Chaos on the Electronic Superhighway
  Winn Schwartau (1996)
  ISBN: 1560251328

• Internet Firewalls and Network Security
  Chris Hare, Karanjit S. Siyan (1996)
  ISBN: 1562056328

• Internet Firewalls and Network Security
  Karanjit, Ph.D. Siyan, Chris Hare (1996)
  ISBN: 1562054376

• Internet Security: Professional Reference
  Derek Atkins, Tom Sheldon, Tim Petru, Joel Snyder (1997)
  ISBN: 156205760X

• Internet Security for Business
  Terry Bernstein, Anish B. Bhimani, Eugene Schultz, Carol Siegel (1996)
  ISBN: 0471137529

• Lan Times Guide to Security and Data Integrity
  Marc Farley, Tom Stearns, Jeffrey Hsu (1996)
  ISBN: 0078821665

• Legislating Privacy : Technology, Social Values, and Public Policy
  Priscilla M. Regan (1995)
  ISBN: 0807822264

• Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network
  Anonymous (1997)
  ISBN: 1575212684

• The Ncsa Guide to PC and Lan Security
  Stephen Cobb (1996)
  ISBN: 0079121683

• Personal Computer Security
  Edward Tiley (1996)
  ISBN: 1568848145

• Practical Unix and Internet Security
  Simson Garfinkel, Gene Spafford (1996)
  ISBN: 1565921488

• Protect Your MacIntosh
  Bruce Schneier (1994)
  ISBN: 1566091012

• Protecting Your Web Site With Firewalls
  Marcus Goncalves, Vinicius A. Goncalves (1997)
  ISBN: 0136282075

• Protection and Security on the Information Superhighway
  Frederick B. Cohen (1995)
  ISBN: 0471113891

• Secrets of a Super Hacker
  Knightmare, the Knightmare (1994)
  ISBN: 1559501065

• Security in Computing
  Charles P. Pfleeger (1996)
  ISBN: 0133374866

• Web Commerce Cookbook
  Gordon McComb (1997)
  ISBN: 0471196630

• Web Security Sourcebook
  Avi Rubin, Daniel Geer, Marcus J. Ranum, Aviel D. Rubin, dan Geer (1997)
  ISBN: 047118148X

• Web Security & Commerce (Nutshell Handbook)
  Simson Garfinkel, Gene Spafford (1997)
  ISBN: 1565922697
  http://www.amazon.com/exec/obidos/ISBN=1565922697/t/0560-5831826-082656

• Access Control and Personal Identification Systems
  Dan M. Bowers (1988)
  ISBN: 0409900834

• Inside The Windows NT File System.
  Helen Custer. (1994)
  ISBN: 1-55615-660-X

• Inside Windows NT Server 4.
  Drew Heywood. (1996)
  ISBN: 1-56205-649-2.

• Internet Security Secrets
  John R. Vacca. (1996)
  ISBN: 1-56884-457-3.

• Managing Windows NT Server 4.
  Howard Hilliker 1996
  ISBN: 1-56205-576-3

• Microsoft Windows NT Workstation 4.0 Resource Kit.
  Microsoft Press. (1996)
  ISBN: 1-57231-343-9

• NetWare to Internet Gateways.
  James E. Gaskin. (1996)
  ISBN: 0-13-521774-1

• Network and Internetwork Security: Principles and Practice.
  William Stallings. (1995)
  ISBN: 0-02-415483-0

• Network Security: How to Plan for It and Achieve It.
  Richard H. Baker. (1994)
  ISBN: 0-07-005141-0

• Novell's Guide to Integrating NetWare and TCP/IP.
  Drew Heywood. (1996)
  ISBN: 1-56884-818-8

• Novell's Guide to NetWare LAN Analysis.
  Dan E. Hakes and Laura Chappell. (1994)
  ISBN: 0-7821-1143-2

• NT Server: Management and Control.
  Kenneth L. Spencer. (1995)
  ISBN: 0-13-107046-0

• Peter Norton's Complete Guide to Windows NT 4.0 Workstation.
  Peter Norton and John Paul Mueller. (1996)
  ISBN: 0-672-30-901-7

• Protect Your Privacy: The PGP User's Guide.
  William Stallings. (1994)
  ISBN: 0-13-185596-4.

• The Complete Guide to NetWare 4.1.
  James E. Gaskin. (1995)
  ISBN: 0-7821-1500A.

• The NetWare to Internet Connection.
  Morgan Stern. (1996)
  ISBN: 0.7821-17066

• UNIX Security for the Organization.
  R. Bringle Bryant. (1994)
  ISBN: 0-672-30571-2.

• UNIX Security: A Practical Tutorial.
  N. Derek Arnold.
  ISBN: 0-07-002560-6 (1993)

• UNIX System Security: How to Protect Your Data and Prevent Intruders.
  Rick Farrow. (1991)
  ISBN: 0-201-57030-0

• UNIX System Security Essentials.
  Christoph Braun and Siemens Nixdorf. (1995)
  ISBN: 0-201-42775-3

• UNIX System Security.
  David A. Curry. (1992)
  ISBN: 0-201-56327-4

• UNIX Unleashed. 1994
  Susan Peppard, Pete Holsberg, James Armstrong Jr., Salim Douba, S.Lee Henry, Ron Rose, Richard Rummel, Scott Parker, Ann Marshall, Ron Dippold, Chris Negus, John Valley, Jeff Smith, Dave Taylor, Sydney Weinstein and David Till
  ISBN: 0-672-30402-3.

• Windows NT Administration: Single Systems to Heterogeneous Networks.
  Marshall Brain and Shay Woodard. (1994)
  ISBN: 0-13-176694-5

***Note Credit to "[email protected]" who compiled this list for the [email protected] mail reflector.

Incidentally to join that list, which discusses firewall technology in considerable technical detail, send e-mail to [email protected], with the message: subscribe firewalls as the text. Here are some mail additional mail lists and web sites of interest to those concerned about securing systems on the Internet.

1. Brent Chapman's Firewalls mail list.
2. The official moderated exploit list is the Computer Emergency Response Team or CERT. They report most major significant security exploits although often not until the manufacturer has developed a fix that can be referenced. It is a relatively low traffic list.

3. A very effective "unoffical" unmoderated list Bugtraq keeps its members aware of exploits sometimes within hours of their first appearance. It has a fairly high traffic volume.

4. The Rootshell.com web page links to many of the exploits.

Step 1 --- Work with the corporate folks ... understand what they are planning to do firewall-wise. If you "go off on your own," then you will get hunted down and gathered back in the future. Also, for best company safety, you should really try to work with them to understand their policy, stance, firewall implementation type (app level, network level) ... and how it would be configured (authenticated proxies? porno filtering proxies? firewall protected on the "inside" also? what secure access mechanism? can connect from outside ? (to admin it?), etc, etc. --- all those details) Corporate Security is your friend ... or should be. Who are the company auditors? As long as you are on this corporate friend-building, talk to them -- do they have an understanding on the Internet and firewalls ? If not, you can work with them to form policy/standards/etc. (big win here!)

Step 2 -- Understand a bit more about the types of firewalls out there (not just product types, but firewall types: packet filtering, application level and hybrid ... and all the types in between). Read the Cheswick and Bellovin book, the Building Internet Firewalls, Brent Chapman and Liz Zwickey ... heck read most any firewall type book you can find :-) Take a class. etc.

Step 3 -- share some progress on the decision making to the firewalls mailing list. We'll listen, email back, etc. Don't share anything you wouldn't want the public to know.

Step 4 -- Hire someone with experience to help out if need be. There are some good consulting firms around ... there are some cheap, mediocre ones, also, so be careful.