A firewall controls access among devices such as computers, networks and servers. Firewalls are deployed between the trusted zone and untrusted zones such as the internet, and they act as filters for network traffic: network connections traverse the firewall and unauthorized packets are stopped. The filtering mechanism is based on IP addresses and ports.
Originally, firewalls were designed as gateways that deny or permit access to network resources. Firewalls can also inspect the contents of data packets in order to filter on more than the headers, block packets that contain offensive content and block intrusion attempts.
A firewall can be configured to monitor different traffic at particular times of the day and night. For example, traffic for inbound mail, inbound spam and inbound viruses can be monitored day and night, while the rules for video conferencing are active only during the day.
Performance statistics such as availability and response time are derived from monitoring tools. Based on the configured thresholds, notifications and alarms are generated if, for example, FTP or SFTP activity attributed to the system is noticed during the day. The same applies to file transfer, uptime, streaming and login-time statistics.
The fact that there is only a slight improvement in network traffic performance despite the use of two bastion hosts and a firewall product is discouraging. Moreover, firewalls are configured to allow access to the web server, which automatically grants access to legitimate users and hackers alike: the firewall cannot differentiate between a hacker and a safe user. Traffic management still matters, because there may be known errors in the web server and its applications that intruders take advantage of. A hacker can exploit an overflow in a web server's input handling by sending it more data than it expects.
Firewalls are categorized into three classes: packet filters, stateful firewalls and application layer firewalls. Packet filters operate at the network and transport layers. The packet filter receives a packet, determines the appropriate action from the policy definition and performs that action. It works only on the IP addresses (network layer), the port numbers and the transport protocol (transport layer). All of this information resides in the packet header, so there is no need to inspect the payload. Stateful firewalls tighten security because they track open connections and allow only traffic that either matches an existing connection or opens a new one.
Stateful firewalls maintain the state of the data that has arrived, in addition to performing the same operations as a packet filter. This allows the creation of rules that track sessions, given the client/server architecture of most communications. Finally, application layer firewalls filter traffic at the network, transport and application layers. Filtering at the application layer introduces proxies that inspect the contents of packets, thereby acting like intrusion detection systems.
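The two preceding paragraphs describe the difference between a header-only packet filter and a stateful firewall. The following is an added illustration, not code from the original text or from any firewall product, that models both on the same rule set. The `Packet`, `Rule`, `PacketFilter` and `StatefulFirewall` names, the sample addresses and the scenario (a web server at 10.0.0.5 behind the firewall) are all constructed for the example. It shows why a stateless filter needs a broad "allow source port 80" rule to let the server's replies out, and how that rule also admits an unsolicited packet that merely claims source port 80, whereas the stateful firewall admits only packets belonging to a tracked session.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# A packet as a header-only filter sees it (constructed model; no payload is inspected).
@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp" or "udp"
    src_port: int
    dst_port: int
    syn: bool = False     # TCP SYN flag: set only on the first packet of a new connection


@dataclass(frozen=True)
class Rule:
    """A policy entry; a None field matches any value."""
    action: str           # "allow" or "deny"
    proto: Optional[str] = None
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.src_ip is None or self.src_ip == p.src_ip)
                and (self.src_port is None or self.src_port == p.src_port)
                and (self.dst_ip is None or self.dst_ip == p.dst_ip)
                and (self.dst_port is None or self.dst_port == p.dst_port))


class PacketFilter:
    """Stateless filter: first matching rule wins, implicit default deny."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                return rule.action
        return "deny"


ConnKey = Tuple[str, str, int, str, int]


class StatefulFirewall(PacketFilter):
    """Same rules as PacketFilter, plus a table of open connections."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.connections: Set[ConnKey] = set()

    @staticmethod
    def _key(p: Packet) -> ConnKey:
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p: Packet) -> ConnKey:
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def decide(self, p: Packet) -> str:
        # Either direction of a tracked connection passes without consulting the
        # rules again; this is what lets the server's replies through safely.
        if self._key(p) in self.connections or self._reverse_key(p) in self.connections:
            return "allow"
        # A TCP packet that is not a SYN and belongs to no tracked connection is
        # unsolicited: drop it regardless of what its header fields claim.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        if super().decide(p) == "allow":
            self.connections.add(self._key(p))
            return "allow"
        return "deny"


def demo() -> dict:
    """Constructed scenario: a web server 10.0.0.5 behind the firewall."""
    # The stateless filter needs a second, broad rule just to let the server's
    # replies out; that same rule matches any outside packet with source port 80.
    stateless = PacketFilter([
        Rule("allow", proto="tcp", dst_ip="10.0.0.5", dst_port=80),
        Rule("allow", proto="tcp", src_port=80),
    ])
    # The stateful firewall needs only the rule for new inbound web connections.
    stateful = StatefulFirewall([
        Rule("allow", proto="tcp", dst_ip="10.0.0.5", dst_port=80),
    ])
    client_syn = Packet("203.0.113.7", "10.0.0.5", "tcp", 40000, 80, syn=True)
    server_reply = Packet("10.0.0.5", "203.0.113.7", "tcp", 80, 40000)
    unsolicited = Packet("198.51.100.9", "10.0.0.9", "tcp", 80, 22)  # belongs to no session
    packets = (client_syn, server_reply, unsolicited)
    return {
        "stateless": [stateless.decide(p) for p in packets],
        "stateful": [stateful.decide(p) for p in packets],
    }


if __name__ == "__main__":
    print(demo())
```

The stateless filter returns "allow" for all three packets, including the unsolicited one aimed at port 22 of another internal host; the stateful firewall allows the client's SYN and the server's reply but denies the third packet because no tracked connection matches it and it is not a SYN.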
Firewalls can be merged with other security devices to simplify management; an Intrusion Prevention System is a combination of a firewall and an IDS. Despite the installation of enterprise-class firewalls, company employees continue to report harmful executable code attached to emails. This is because firewalls cannot protect against the transfer of virus-infected software or files. Viruses come in numerous types across different operating systems and use different methods of encoding and binary compression. Therefore, firewalls cannot be expected to accurately scan each and every file for potential viruses.
To protect workstations and computers against these types of threats, organizations can deploy anti-virus software to guard against their arrival from floppy disks or any other source. Anti-virus protection is one of the best ways of protecting networks, given the proliferation of viruses borne by e-mail messages. To protect company resources, antivirus is installed at the SMTP gateway in addition to desktop antivirus protection for each
Even after configuring the firewalls, I realized there had been a number of unsuccessful logins to the FTP server. This is possible because firewalls cannot protect against data-driven attacks. A data-driven attack occurs when seemingly harmless data is mailed or copied to an internal host and is then executed to launch an attack. A data-driven attack causes a host to modify security-related files, making it easier for an intruder to gain access to the system.
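The threshold-based alarms described earlier and the unsuccessful FTP logins noted above are the kind of thing a firewall does not see but a log monitor can. The following is an added example, not part of the original text or of any particular FTP server's tooling: it parses constructed log lines written in the style of a vsftpd log, counts failed logins per source address inside a sliding time window, and raises an alert when a threshold is crossed. The `SAMPLE_LOG` lines, the addresses, the `detect_bruteforce` name, the three-failure threshold, the five-minute window and the 08:00 to 18:00 business-hours range are all assumptions made for the example; the business-hours flag follows the text's point that the same activity is treated differently by time of day.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample lines in the style of a vsftpd log (not real log data).
SAMPLE_LOG = """\
Mon Mar  4 10:15:02 2024 [pid 2101] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:03 2024 [pid 2102] [admin] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:04 2024 [pid 2103] [root] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:06 2024 [pid 2104] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:15:07 2024 [pid 2105] [ftpuser] FAIL LOGIN: Client "203.0.113.7"
Mon Mar  4 10:20:11 2024 [pid 2110] [alice] OK LOGIN: Client "198.51.100.23"
Mon Mar  4 10:21:40 2024 [pid 2111] [bob] FAIL LOGIN: Client "198.51.100.23"
Mon Mar  4 10:21:45 2024 [pid 2112] [bob] OK LOGIN: Client "198.51.100.23"
Mon Mar  4 23:40:00 2024 [pid 2120] [admin] FAIL LOGIN: Client "192.0.2.44"
Mon Mar  4 23:40:01 2024 [pid 2121] [admin] FAIL LOGIN: Client "192.0.2.44"
Mon Mar  4 23:40:02 2024 [pid 2122] [admin] FAIL LOGIN: Client "192.0.2.44"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] \[(?P<user>[^\]]*)\] '
    r'(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"$'
)

BUSINESS_HOURS = (8, 18)   # assumed: 08:00 to 18:00 counts as the working day


def parse_line(line: str) -> Optional[dict]:
    """Return the login event in a line, or None if the line is not a login record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "user": m.group("user"),
            "ok": m.group("result") == "OK", "ip": m.group("ip")}


def detect_bruteforce(lines: List[str], threshold: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Alert on any source that accumulates `threshold` failed logins inside `window`."""
    failures: Dict[str, List[dict]] = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and not event["ok"]:
            failures[event["ip"]].append(event)

    alerts = []
    for ip, events in failures.items():
        events.sort(key=lambda e: e["ts"])
        # Sliding window: find the densest burst of failures for this source.
        best, best_start, start = 0, 0, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            if end - start + 1 > best:
                best, best_start = end - start + 1, start
        if best >= threshold:
            burst = events[best_start:best_start + best]
            first_hour = burst[0]["ts"].hour
            alerts.append({
                "ip": ip,
                "failures": best,
                "users": sorted({e["user"] for e in burst}),
                "first": burst[0]["ts"],
                "last": burst[-1]["ts"],
                # Same activity, stricter treatment outside the working day.
                "after_hours": not (BUSINESS_HOURS[0] <= first_hour < BUSINESS_HOURS[1]),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the constructed sample this raises two alerts: 203.0.113.7 with five failures across three usernames within five seconds during the day, and 192.0.2.44 with three failures after hours. The single failure from 198.51.100.23 followed by a successful login stays below the threshold, which is the case a defender wants left alone.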
The first response to suspected unauthorized access is to note the date and time the changes occurred, along with the pages and files suspected of being compromised. Next, disable FTP access in the control panel and change the passwords of all FTP accounts. If possible, enable or upload a holding page, which will aid the investigation. Avoid deleting any files, as they may prove necessary during the investigation. To preserve the affected files, rename them and move them out of the web root so they cannot be used or viewed again.
Once FTP access is secured, institute an enquiry procedure to determine the initial motive of the attack. This may include investigating an outside attack as well as inside staff.
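The preservation steps in the response procedure above (record the time and the suspect files, delete nothing, rename and move the files out of the web root, put up a holding page) are the part that is easy to get wrong under pressure. The following is an added example, not code from the original text or from any hosting control panel, that carries those steps out against a temporary directory. The `quarantine` and `publish_holding_page` names, the manifest layout, the file names and the suspect-file contents are all constructed for the example; disabling FTP and changing account passwords happen in the control panel and are outside what a script like this touches.

```python
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

HOLDING_PAGE = "<html><body><h1>This site is temporarily unavailable.</h1></body></html>\n"


def sha256_of(path: Path) -> str:
    """Hash a file so the moved copy can later be shown to be unchanged."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(webroot: os.PathLike, quarantine_dir: os.PathLike,
               suspect_files: List[str], now: Optional[datetime] = None) -> dict:
    """Move suspect files out of the web root under new names, recording what was moved.

    Nothing is deleted: each file is hashed, its original path, size and
    modification time are written to a manifest, and it is renamed so that it
    can no longer be served or executed by its old name.
    """
    webroot, quarantine_dir = Path(webroot), Path(quarantine_dir)
    quarantine_dir.mkdir(parents=True, exist_ok=True)
    now = now or datetime.now(timezone.utc)
    manifest = {"recorded_at": now.isoformat(), "files": [], "not_found": []}
    for rel in suspect_files:
        src = webroot / rel
        if not src.is_file():
            manifest["not_found"].append(rel)
            continue
        st = src.stat()                       # capture metadata before the move
        digest = sha256_of(src)
        dest = quarantine_dir / f"{rel.replace('/', '__')}.{digest[:12]}.quarantined"
        shutil.move(str(src), str(dest))
        manifest["files"].append({
            "original": rel,
            "quarantined_as": dest.name,
            "sha256": digest,
            "size": st.st_size,
            "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
        })
    (quarantine_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def publish_holding_page(webroot: os.PathLike) -> None:
    """Replace the site's front page with a static holding page."""
    (Path(webroot) / "index.html").write_text(HOLDING_PAGE)


def demo() -> dict:
    """Run the procedure against a constructed web root in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, qdir = Path(tmp) / "htdocs", Path(tmp) / "quarantine"
        (webroot / "uploads").mkdir(parents=True)
        (webroot / "index.html").write_text("<html>defaced front page (constructed)</html>")
        (webroot / "uploads" / "unknown.php").write_text("<?php /* constructed placeholder */ ?>")

        manifest = quarantine(webroot, qdir, ["index.html", "uploads/unknown.php", "missing.php"])
        publish_holding_page(webroot)

        return {
            "quarantined": [f["original"] for f in manifest["files"]],
            "not_found": manifest["not_found"],
            "left_in_webroot": (webroot / "uploads" / "unknown.php").exists(),
            "all_in_quarantine": all((qdir / f["quarantined_as"]).exists()
                                     for f in manifest["files"]),
            "digests_verified": all(sha256_of(qdir / f["quarantined_as"]) == f["sha256"]
                                    for f in manifest["files"]),
            "holding_page_up": (webroot / "index.html").read_text() == HOLDING_PAGE,
            "manifest_written": (qdir / "manifest.json").is_file(),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The hashes in the manifest are what make the moved files usable as evidence later: anyone examining the quarantine directory can confirm that a file is byte-for-byte the one that was taken out of the web root at the recorded time.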