Archive for the 'Firewalls' Category
Defeating China's "Great" Firewall

“I guess it is not so “great” anymore!” – Digg User

The blog “Light Blue Touchpaper” explains how to get around the “GREAT” firewall of China.

I've heard of other ways to search around it as well.  Here are some comments from Bruce Schneier's site, Schneier.com.


I believe that the Chinese government will ultimately not be capable of suppressing the Chinese people's thirst for unrestricted knowledge.  Although it is human nature to do what is easiest and follow the herd like sheep, it is also human nature to resist repression.

There is only so much human beings can take.  I'm reminded of Shawshank Redemption in which the title character mentions “time and pressure”.  Time and pressure is all it takes for a person to break.  Time and pressure.

I'm sure the Chinese government would not call what they are doing “repression”.  They'd probably call it “protection”.  Or maybe they don't call it anything!  Internet censorship is not restricted to China.  The U.S. government also has restrictions on certain pages and content on the Internet.  Do enough searches about “terrorism” and you might even get contacted by the FBI.  Fear is the driving factor for security in this country.  Blanket censorship is something I definitely DO NOT support.

I guess only individuals can be free and only truly free in their own hearts, souls and minds.  With all the breaches of privacy (or should I say complete lack of privacy) between the individual citizens in the US and the US gov't, how “free” and different is the U.S. government from the Chinese government at the fundamental level?

There is a difference (freedom of speech for example) no doubt, but it seems that as China moves toward freedom (with its entrance into the WTO and movement toward capitalism) the U.S. is moving toward more control over its citizens as it seeks to sift through its sheep to find the wolves in sheep's clothing.

See what the International Current Affairs Society had to say:

“A group of intrepid H4X0rz have discovered how to easily bypass the Chinese government's censorship of words like 'democracy'.”

From a Chinese perspective of the GFW

Firewall – Harrison Ford

Just saw the movie Firewall on DVD.  The old man has still got it.  Harrison Ford, as usual, delivers.  The man is amazing.  The consistency to his character, Jack, is impeccable.

Firewall is about a director of security who gets manipulated into taking money out of the bank where he works.  The criminals take Jack's family hostage and threaten to kill him if he doesn't cooperate.

One thing I thought they did really well was to leave out the usual Hollywood visual effects of hacking.  You'll see them in movies like “Hackers” where hacking on a Unix system looks like Tron.  In reality, hacking looks very boring, especially if you don't know what you are looking at.

It is a decent movie.  Perhaps I'll add it to my hacker/security/tech collection (once I start building it).

Malicious code could trick ZoneAlarm firewall

Malicious code masquerading as a trusted application could trick a
ZoneAlarm firewall into letting it connect to the Internet, security
experts have warned.

The notice was given on 28 Sept 05 by Debasis Mohanty.  Here is the official word from Zone Alarm.  This exploit affects the popular default install of Zone Alarm 5.5 and not 6.0.  

LIST OF PRODUCTS UNAFFECTED:

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
ZoneAlarm Security Suite version 6.0 or later automatically protect
against this attack in the default configuration.

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
ZoneAlarm Security Suite version 5.5 are protected against this attack
by enabling the “Advanced Program Control” feature.

Check Point Integrity client versions 6.0 and 5.1 are protected against
this attack by enabling the “Advanced Program Control” feature.

AFFECTED PRODUCTS:

ZoneAlarm free versions lack the “Advanced Program Control” feature and are therefore unable to prevent this bypass technique.

Recommended Actions:

Subscribers should upgrade to the latest version of their ZoneAlarm product or enable the “Advanced Program Control” feature.

In my opinion Zone Alarm is still a great product.  This is yet
another example of a highly exposed product getting tested to its
limits like every version of Windows and Internet Explorer.


Firewall Part 1: Firewall List (Internet Security At Work)

The term “firewall” comes from what was once
an innovation in the fire safety of buildings.  It was a wall
running all the way up from the structural floor to the structural
ceiling to prevent potential fires from spreading from one area to
another.

Today, if you were to type “firewall” into a search engine you would
only see the term refer to the protection of information systems. 
Sans.org defines a firewall as a system
or combination of systems that enforces a boundary between two or more
networks: a gateway that limits access between networks in accordance
with local security policy.

A firewall configuration might consist of an inexpensive Unix box kept
clean of critical data, with many modems and/or Network Interface cards
with public network ports on it, but just one carefully watched
connection back to a “trusted” private network.

The exponential growth of the Internet has an
equally growing rate of threats from thieves, cyber terrorists and
black hat hackers with malicious intent.  The newly formed
frontier of cyberspace is a world of anarchy where people are
redefining the words debauchery and greed.  Only the most
knowledgeable and prepared patrons of the Internet will log off
unscathed from all the malware, cons and Spam trash floating around the
Internet.

Network security is paramount to business and even
personal use of the Internet.  Firewalls are “walls running all
the way up from the structural floor to the structural ceiling” of your
network separating your interests from the chaotic lake of fire that is
the Internet.

For many high-end firewalls supporting large-scale
enterprises, Unix has become the centerpiece for security.
          
Source: Network Security Store – www.networksecuritystore.com
Monday, March 24, 2003
 
Here is a list of popular firewalls for Internet Security:

Blue Coat
Offers: With Blue Coat Director, you can rapidly deploy and configure
new devices. Using flexible configuration templates, administrators can
standardize devices easily and still customize them based on region or
device-specific settings.

FireGuard 520 is an intelligent
load balancer for scaling multiple firewalls that increases
availability and efficiency of Internet Traffic for Enterprises and
Service Providers.

Nokia BIG-IP FireGuard    
Typically when security is added to the network, the result can be poor
or sluggish performance. Nokia BIG-IP FireGuard ensures the network
firewalls are operating at maximum efficiency, can scale to meet these
increasing needs, and are intelligently balanced to handle traffic
across security appliances to ensure smooth, uninterrupted access to
information for users. The BIG-IP FireGuard 520 provides consistent
site availability by utilizing Extended Content Verification (ECV)
which tests firewall availability beyond a standard ping test and
routes traffic away from a downed firewall.

Check Point
 Enterprise-class security for branch offices and MSPs that
includes web-based management and seamlessly integrates with Check
Point's Enterprise Management Console, Provider-1 and SiteManager-1.

Cisco Systems
 The Cisco PIX 515E “Restricted” (PIX 515E-R) model provides an
excellent value for organizations looking for robust Cisco PIX Firewall
services with minimal interface density and VPN throughput
requirements. It includes 32 MB of RAM and support for up to three
10/100 Fast Ethernet interfaces (nomenclature has been upgraded).

McAfee
Protect yourself while online with the advanced security of
McAfee Firewall. Easy-to-use, yet highly configurable, McAfee Firewall
secures your PC's connection to the Internet whether you connect via
DSL, cable modem or dial-up. With intrusion detection, color coded
security alerts, customizable audible alerts, detailed logging, and an
application scan for Internet enabled applications, McAfee Firewall
gives you the power you need to control the communications into and out
of your PC, ensuring that your online experience is as safe as it is
enjoyable.
$27.00

NetScreen
NetScreen 5XP is an Internet security appliance integrating firewall,
virtual private networking (VPN) and traffic shaping functionality. It
features wire-speed Ethernet performance for remote offices and
telecommuters. The NetScreen-XP enables enterprises and service
providers to deliver secure, cost-effective Internet connections to
remote offices and telecommuters.

Nokia
Supports Check Point VPN-1/FireWall-1 SmallOffice software
* Low total cost of ownership – set up and configured from a remote central location through a unique restricted shell
* Flash based appliance – very reliable for large deployments, no chance of disk failure
* High performance VPN – will saturate T1 and DSL lines for seamless LAN-like connectivity for remote offices
* The IP71 runs a “Nokia Secured Operating System” (customized Linux)
* $800

Norton

NetScreen firewall
The NetScreen range of firewall appliances combines firewall, virtual
private networking (VPN), and traffic management functions. Every
NetScreen firewall appliance provides hardware accelerated IPSec
encryption, even for 3DES encryption, and very low latency, allowing
them to seamlessly fit into any network. Installing and managing a
NetScreen firewall appliance is easily accomplished using a built-in
WebUI, command line interface, or the NetScreen Global Pro central
firewall management system.

NetScreen firewall security
The NetScreen firewall appliance product line provides a scalable
security solution, ranging from protecting broadband telecommuters to
large corporate offices and e-business sites. NetScreen is a
full-featured firewall using technology based on stateful inspection,
securing against intruders and denial-of-service attacks.

 

RSA Security
Security Features
RSA ACE/Server software utilizes industry-leading RSA encryption
expertise and technology designed to provide a hacker-proof solution.
  

Sidewinder
SecureOS™ with patented Type Enforcement™ technology
* Hybrid firewall combines application proxies and stateful packet filtering
* Advanced filtering mechanisms; Network Address Translation NAT
250 users, $5000

SonicWall

WatchGuard

www.sans.org

Software Firewalls for N00bs: Zone Alarm Review

It's all fun and games until someone owns your box and exploits your
identity.  It is important to have more than one layer of Internet
Security.  Application firewalls such as Zone Alarm are a solid
choice for home users and even some small businesses.

Zone Alarm was designed
to protect your Internet connection from online criminals and from attempts by
adware programs on your computer to connect to their servers. It
basically contains a firewall, an application control, an Internet
lock, and different zones of security.

The firewall controls the door to your computer and allows only
traffic that you understand and initiate. It gives you full
documentation of all access attempts and watches all the ports
of your computer. When a connection is made, it first gives you a
warning and also gives the IP address of the connection. Therefore,
it is a great tool to keep your ports under control and see the
attempts of other users to hack into your computer.

The application control allows you to decide which applications can
and cannot use the Internet. When a program attempts to use your
Internet connection, Zone Alarm asks you what you want to do about this
connection: allow or deny. This way, you can eliminate adware
programs like Gator (the most common one, which gives pop-ups every five
minutes) or bargains…etc.

The Internet lock blocks Internet traffic while your computer is
unattended or while you're not using the Internet. It can be activated
automatically with your computer's screensaver or after a set period of
inactivity.

Overall, this program protects your computer in a very concrete
way. Zone Alarm makes configuring a firewall, which sounds like a
troubling task to the majority of computer users, incredibly easy with
a wizard. Maintaining and updating settings also is a snap when you're
using the stylish interface and its simple slider controls. It is an
excellent firewall solution for most average users. Most of you
will feel more secure with this program, especially when you see the
Internet logs of the software and zonal solutions that it offers.

Firewall Resources

Firewalls 101: How stuff works DOT com.  Great for establishing a foundation for understanding the firewall.

Firewall FAQ: great for newbies and rusty IT Security test takers, from the undisputed champions on Infosyssec who continue to hack the hackers.

Exhaustive Firewall Links from CERIAS.

Another great article by Cisco.  White Paper on Cisco's PIX firewall and Stateful Firewall Security.

ISAserver.org: The No.1 unofficial ISA Server 2000
& 2004 resource site – This feed offers news, articles, tutorials
and reviews for ISA administrators. —> ISA SERVER/FIREWALL FEED

Dr. Tom Shinder's ISA Server Firewall Blog.  Not updated very often, but good info on ISA firewalls.

Other Resources:
Home PC Firewall Guide.  Comprehensive site about configuring firewalls.