You never have to worry about security until it strikes. You will never find a web security expert bragging about defenses or uptime. That's because experienced people know better. It's the novices that brag about uptime.
If you have a machine sitting on a fixed IP address you need to be on guard. Don't assume the bad guys aren't out there, because they are. It's often said that the average PC on the Internet gets attacked 50 times a day, and that is probably conservative. Let's just say computers on the Internet are under attack constantly.
If you have a computer on the Internet I highly recommend an independent firewall. By that I mean a separate hardware device that sits between your box and the Internet. I am not a big believer in firewalls inside computers. If the bad guys can get to the computer, they have their job almost done. I don't believe in letting them get all the way to your box. Simpler is better and having a second hardware device between you and the Internet is simple and effective.
Defense One: Don't Ping
One thing an independent firewall will do is make sure you don't answer ping. Most bad guys use harvesting software that sweeps the Internet looking for live hosts and vulnerabilities. In other words, they kick off their harvesting software in the morning and come back to check it at night, and like fish there will be a group of IP addresses caught in their net. If your box answers ping, it's like singing from the rooftops. You're announcing to the world that you're out there. Once they know you're there, they can go to work.
You want your computers to be in stealth mode. That means you don't answer ping: when someone pings your box, they get no response (the firewall drops the ICMP echo request). This alone can cut the noise tremendously, because the lazier sweeps only dig into hosts that answered a ping. Be clear about what it does not do, though: a scanner that probes TCP ports directly (nmap with the -Pn option, or masscan, for example) will still find your web server on ports 80 and 443, so stealth complements closing ports; it does not replace it. You can test whether your box answers ping by opening a command prompt and typing ping, a space, and your public IP address, from a machine outside your own network (from inside the LAN you may reach the box without ever crossing the firewall). If you get replies, you're singing to the world.
Defense Two: Close Open Ports
Computers come from the factory like a block of Swiss cheese. They are full of holes. I don't know why, but they are. A bad guy doesn't have to attack on port 80. They can attack on any port that has something listening. When you have all your ports open, you are vulnerable, and that is how computers come out of the box. Bad guys can do things on open ports and you won't have any awareness of it. Firewalls close ports. As a general strategy you want to close down every port you're not using. If you run a web server, for example, you'll want to open ports 80 and 443 for the web, and 21 for FTP. The more ports you close down the better.
This is where your independent hardware firewall comes into play. They have the ability to only allow traffic on certain ports and close everything else. They also can be configured to allow traffic only from specific IP addresses. For example you can configure a server to only allow remote desktop (port 3389) from your business. Any other computer attempting to access remote desktop won't be able to. It's hardware configuration like this that cuts down on nefarious activity.
Defense Three: Open Essential Ports Only
The rule of thumb is to shut down any port that has no service behind it. Put another way: don't open a port unless a program on your box is listening on it (no idle open ports). An open port with nothing behind it buys you nothing today and becomes a hole the moment something starts listening there, and an open port with a service behind it is only as safe as that service. If you are running a web server, for example, these are the only ports I would open:
1. Ports 20 and 21 for FTP. Note: port 21 carries the FTP control channel, and in active mode the server opens the data connection from port 20 back to the client, so those two are all you need. Passive mode works the other way round: the server listens on a second, high-numbered port picked from a range and the client connects to it. That is meant to help clients stuck behind their own NAT or firewall, not to make your server harder to find. For it to work you have to open that whole range on your side, and at the defaults that can be hundreds of unused ports. I don't follow this logic; personally I think it's a security hole. If you must support passive clients, configure the FTP daemon to a narrow fixed range and open only that.
2. Port 80 for http (web sites)
3. Port 443 for https (secure web sites)
4. Port 53 for DNS, but inbound only if this box is actually a name server. A web server only needs to make outbound DNS lookups (and outbound 80/443 to fetch updates), and a stateful firewall lets those replies back in without you opening any inbound port.
Everything else you shut down.
Defense Four: Ports To Close
Don't be bullied into opening ports. Ports like 25 (for sending out mail) or 3306 (MySQL database connection) are prime candidates for exploitation. It's easy to let someone talk you into opening these ports because they HAVE to have outgoing mail or they HAVE to be able to connect to their database. It's better to keep these services behind your firewall and DENY access to them through it. Outgoing mail does not need an inbound port 25 at all: the server connects out, and a stateful firewall lets the replies back in. Think about the ramifications of opening a database port. The next thing you know someone on the outside has connected to your database and downloaded your schema, and then your data.
Defense Five: Don't Compromise For Special One-Time Cases
It's easy to lower your guard, especially when clients are involved. But you have to stand firm on your configuration. It's the exception cases that come back to burn you. When you need to open ports, do so on an as-needed basis and do so sparingly. Think it through carefully and don't be afraid to say no. They are not the ones who have to deal with a breached network. You are. The goal in web security is to not let anyone see your system or breach your network. They will get in through the slightest crack. Many a system has been ruined because someone opened a port to make something work without thinking through the ramifications. Act as though your box is submerged in water: close off every avenue where a leak can occur. That is an accurate picture of the situation. They are out there and as ubiquitous as water.
If someone INSISTS on access to a port, give them access from one IP only. Remote desktop is the classic example. If you open port 3389 to the whole Internet, you have just given the entire world the ability to reach your login prompt, and now only a username and password stand between intruders and your desktop. That is NOT the position to be in. A better approach is to allow remote desktop from ONLY one specific source IP address. That way you don't have the entire world trying to infiltrate your box.
The logic of allowing only certain source IPs works for all services. You could restrict FTP to a given location only. The same holds true of telnet (port 23, and since telnet sends passwords in the clear it should really be replaced by SSH on port 22) and Webmin (port 10000). The less you expose to the world the better. Don't let people go to work on your network and don't rely on usernames and passwords alone to keep the bad guys out.
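Here is the whole policy from the defenses above written out as one firewall ruleset: drop ICMP echo (don't ping), default-deny inbound, open only 80 and 443 to the world, allow remote desktop on 3389 from a single office address, and leave 25, 3306, 21, 23 and 10000 closed simply by not listing them. This is an added example, not configuration from the original article, and it assumes Linux nftables, a web server that needs no inbound FTP or DNS, and made-up addresses from the RFC 5737 documentation range (198.51.100.7 stands in for your business's fixed IP). It is written for the input chain of the box being protected; on a separate Linux box acting as the standalone firewall the same accept/drop lines belong in the forward chain instead.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset for the "close everything,
# open only what you need, pin admin ports to one address" policy.
# Addresses are constructed for illustration (RFC 5737 ranges).

OFFICE_IP="198.51.100.7"   # assumed: the one address allowed to reach remote desktop
WEB_PORTS="80, 443"        # the only services the whole world may reach
ADMIN_PORT="3389"          # remote desktop, reachable from OFFICE_IP only

# Print the ruleset. Policy is drop, so 25, 3306, 21, 23, 10000 and
# everything else stay closed without being mentioned at all.
# IPv4-only table on purpose: an IPv6 table would also have to accept
# neighbor-discovery ICMPv6 types, not just drop echo requests.
gen_ruleset() {
  cat <<EOF
flush ruleset
table ip filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    icmp type echo-request drop
    tcp dport { $WEB_PORTS } accept
    ip saddr $OFFICE_IP tcp dport $ADMIN_PORT accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# List the ports the ruleset opens to ANY source: accept lines that
# name a destination port but carry no source-address restriction.
world_open_ports() {
  gen_ruleset | grep 'dport' | grep -v 'saddr' \
    | sed 's/.*dport//; s/accept//' | tr -d '{},'
}

# Exit 0 when PORT is reachable from the whole Internet under this ruleset.
is_world_open() {
  for p in $(world_open_ports); do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Exit 0 when PORT is accepted only from source address ADDR.
is_pinned_to() {
  gen_ruleset | grep -qF "ip saddr $2 tcp dport $1 accept"
}

# Stand-alone use: print the ruleset and a one-line summary. To install it:
#   sh firewall.sh > /etc/nftables.conf
#   nft -c -f /etc/nftables.conf   # syntax check only
#   nft -f /etc/nftables.conf      # apply
gen_ruleset
echo "# ports open to the world: $(world_open_ports | tr -s ' \n' ' ')"
```

The two check functions are there so you can audit the ruleset the way an attacker would read it: anything `is_world_open` reports is what a port sweep will find regardless of whether you answer ping, and anything `is_pinned_to` confirms is only a username and password away from the one address you chose, not from the whole Internet.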
I don't have any specific recommendations for firewalls except that I do like Barracuda. Barracuda is a private company (not publicly traded). I believe they have been instrumental in limiting spam almost single-handedly. They detect spam sources and put out worldwide blocks within minutes. No ISP will tolerate a Barracuda block brought on by a knucklehead on their network. Barracuda's blocklist is built into their hardware, so it reaches the firewalls of a great many important companies within seconds. If you are the recipient of a Barracuda block, the whole world knows it. The ONLY way you can clear it is to stop the nonsense.
Don't get complacent. The bad guys are everywhere.