Web Servers and Firewall Zones

Web and FTP Servers

Every network that has an internet connection is at risk of being compromised. Whilst there are several steps that you can take to secure your LAN, the only real solution is to close your LAN to incoming traffic, and restrict outgoing traffic.

However, some services such as web or FTP servers require incoming connections. If you require these services you will need to consider whether it is essential that these servers are part of the LAN, or whether they can be placed in a physically separate network known as a DMZ (or demilitarised zone, if you prefer its proper name). Ideally all servers in the DMZ will be stand-alone servers, with unique logons and passwords for each server. If you require a backup server for machines within the DMZ then you should acquire a dedicated machine and keep the backup solution separate from the LAN backup solution.

The DMZ will come directly off the firewall, which means that there are two routes in and out of the DMZ: traffic to and from the internet, and traffic to and from the LAN. Traffic between the DMZ and your LAN would be treated totally separately from traffic between your DMZ and the internet. Incoming traffic from the internet would be routed directly to your DMZ.
Therefore, if any hacker were to compromise a machine within the DMZ, the only network they would have access to would be the DMZ. The hacker would have little or no access to the LAN. It would also be the case that any virus infection or other security compromise within the LAN would not be able to migrate to the DMZ.

In order for the DMZ to be effective, you will have to keep the traffic between the LAN and the DMZ to a minimum. In the majority of cases, the only traffic required between the LAN and the DMZ is FTP. If you do not have physical access to the servers, you will also need some sort of remote management protocol such as terminal services or VNC.

Database servers

If your web servers require access to a database server, then you will need to consider where to place your database. The most secure place to locate a database server is to create yet another physically separate network, called the secure zone, and to place the database server there.
The secure zone is also a physically separate network connected directly to the firewall. The secure zone is by definition the most secure place on the network. The only access to or from the secure zone would be the database connection from the DMZ (and from the LAN if required).

Exceptions to the rule

The dilemma faced by network engineers is where to put the email server. It requires an SMTP connection to the internet, yet it also requires domain access from the LAN. If you were to place this server in the DMZ, the domain traffic would compromise the integrity of the DMZ, making it simply an extension of the LAN. Therefore, in our opinion, the only place you can put an email server is on the LAN, and allow SMTP traffic into this server. However, we would recommend against allowing any form of HTTP access into this server. If your users require access to their mail from outside the network, it would be far more secure to look at some form of VPN solution, with the firewall handling the VPN connections. LAN-based VPN servers allow the VPN traffic onto the network before it is authenticated, which is never a good thing.
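The three-zone design above (LAN, DMZ, secure zone, plus the SMTP exception) written out as an explicit allow list with a default deny. This is an added example, not code from the original article; the port numbers for terminal services (3389), VNC (5900) and the database listener (1433) are illustrative assumptions, since the article names no products.

```python
"""Zone policy model for the LAN / DMZ / secure-zone design described above.

Added example, not code from the original article. Port numbers for
terminal services (3389), VNC (5900) and the database listener (1433) are
illustrative assumptions; the article names no products."""
from dataclasses import dataclass

INTERNET, LAN, DMZ, SECURE = "internet", "lan", "dmz", "secure"
DB_PORT = 1433  # assumption: set to your database's listener port


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    comment: str


# Explicit allow list. Anything not listed is dropped (default deny), which is
# what keeps a compromised DMZ host from reaching the LAN.
POLICY = [
    Rule(INTERNET, DMZ, "tcp", 80, "public web server"),
    Rule(INTERNET, DMZ, "tcp", 443, "public web server (TLS)"),
    Rule(INTERNET, DMZ, "tcp", 21, "public FTP server"),
    Rule(LAN, DMZ, "tcp", 21, "content push from the LAN (FTP)"),
    Rule(LAN, DMZ, "tcp", 3389, "remote management: terminal services"),
    Rule(LAN, DMZ, "tcp", 5900, "remote management: VNC"),
    Rule(DMZ, SECURE, "tcp", DB_PORT, "web tier to the database"),
    Rule(LAN, SECURE, "tcp", DB_PORT, "LAN to the database (only if required)"),
    Rule(INTERNET, LAN, "tcp", 25, "SMTP to the mail server kept on the LAN"),
]


def is_allowed(src, dst, proto, port, policy=POLICY):
    """True if a new connection from zone src to zone dst is permitted."""
    if src == dst:
        return True  # intra-zone traffic never crosses the firewall
    return any(r.src == src and r.dst == dst and r.proto == proto and r.port == port
               for r in policy)


def reachable_zones(src, policy=POLICY):
    """Zones that hosts in src can open connections to through the firewall."""
    return sorted({r.dst for r in policy if r.src == src})


def audit(policy=POLICY):
    """Check the invariants the article's design implies; return the violations."""
    problems = []
    for r in policy:
        if r.src == INTERNET and r.dst == LAN and r.port != 25:
            problems.append(f"internet->LAN port {r.port}: only SMTP belongs here")
        if r.src == DMZ and r.dst == LAN:
            problems.append(f"DMZ->LAN port {r.port}: a compromised DMZ host reaches the LAN")
        if r.src == SECURE:
            problems.append(f"secure->{r.dst}: the secure zone should never initiate")
        if r.dst == SECURE and r.port != DB_PORT:
            problems.append(f"{r.src}->secure port {r.port}: only the database connection")
    return problems
```

Running audit() over a proposed change (for example an extra DMZ-to-LAN rule) reports exactly the rule that would turn the DMZ back into an extension of the LAN.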

Peltier Associates Breaking and Fixing Wireless Security

To the information security professional, wireless networking may be thought of as a four-letter word to be avoided at all costs. Regardless of the security implications, wireless networking can provide cost efficiency, and because of that wireless technologies are here to stay. While many in the profession believe that wireless networks can be easily compromised, this class will show how the appropriate wireless architecture with the proper security controls can make your wireless network as secure as any other remote access point into your network.

In this three-day wireless security workshop, we will examine the cutting edge of wireless technologies. The purpose of the course is to give you a full understanding of what wireless (802.11) networks are, how they work, how people find them and exploit them, and how they can be secured. This hands-on course is based on real-world examples, solutions, and deployments. In this course we will actually set up and use wireless networks, determine the tools to uncover wireless networks, and also look at how to defeat the attempts to secure wireless networks.

Course Completion

Upon the completion of our CISM course, students will have:

Constructed a wireless network architecture
Installed and configured 802.1x authentication using Microsoft Windows IAS and Server 2000
Installed a wireless access point
Distinguished between 802.11x standards
Defeated Wired Equivalent Privacy

Key Takeaways:

An understanding of wireless networks
A CD of common tools and documentation
An ability to search the internet for updates and more information on wireless networks
Detail of Course Content

The following topics will be covered:

Wireless History
Radio Frequency (RF) Fundamentals
WLAN Infrastructure
802.11 Network Architecture
802.1X Authentication
Extensible Authentication Protocol (EAP)/(LEAP)/(PEAP)
Detection Platforms
WLAN Discovery Tools
Wireless Sniffers
Conventional Detection
Exploiting WLANs
Securing WLANs
Other Wireless Options
Legal Issues including GLBA and ISO-17799


How To Secure Your Wireless Network

People have more flexible time thanks to wireless networking. People can now work from home while taking care of their kids or doing housework. No more stress from traffic jams. Isn't this great?

Well, there is something you should realise. Working from home while using a wireless local area network (WLAN) may lead to theft of sensitive information and hacker or virus infiltration unless proper measures are taken. As WLANs send information over radio waves, someone with a receiver in your area could be picking up the transmission, thus gaining access to your computer. They could load viruses onto your laptop which could be transferred to the company's network when you go back to work.

Believe it or not, up to 75 per cent of WLAN users do not have standard security features installed, while 20 per cent are left completely open, as default configurations are not secured but are made for users to have their network up and running ASAP. It is recommended that wireless router/access point setup always be done through a wired client.

You can set up your security by following these steps:

  1. Change the default administrative password on the wireless router/access point to a secure password.
  2. Enable at least 128-bit WEP encryption on both card and access point. Change your WEP keys periodically. If equipment does not support at least 128-bit WEP encryption, consider replacing it. Although there are security issues with WEP, it represents the minimum level of security, and it should be enabled.
  3. Change the default SSID on your router/access point to a hard-to-guess name. Set up your computer to connect to this SSID by default.
  4. Set up the router/access point not to broadcast the SSID. The same SSID then needs to be set up on the client side manually. This feature may not be available on all equipment.
  5. Block anonymous Internet requests or pings. On each computer with a wireless network card, the network connection properties should be configured to allow connection to Access Point Networks Only. Computer to Computer (peer to peer) connections should not be allowed.
  6. Enable MAC filtering. Deny association to the wireless network for unspecified MAC addresses. MAC (physical) addresses are available through your computer's network connection setup, and they are physically printed on network cards. When adding new wireless cards or computers to the network, their MAC addresses should be registered with the router/access point. The network router should have firewall features enabled and the demilitarized zone (DMZ) feature disabled.
  7. All computers should have a properly configured personal firewall in addition to a hardware firewall. You should also update router/access point firmware when new versions become available. Locating the router/access point away from strangers is also helpful, so they cannot reset it to default settings. You can even try to locate the router/access point in the middle of the building rather than near windows, to limit signal coverage outside the building.

There is no guarantee of full protection for your wireless network, but following these suggested tips can definitely lessen your risk of exposure to attackers aiming at insecure networks.

Why use URL shorteners?

You must have seen them. Web addresses like http://tinyurl.com/2gj2z3 which, when you click on them, take you to another web page. Why use them? Are there any risks in using them?

URL stands for Uniform Resource Locator. It's the posh technical term for a web address. Web addresses normally take the form http://www.somesite.com/somepage.html, which is not too much of a problem. But some site names can get very long, and so can page names. The increased use of database-driven sites means that URLs can get very long indeed, and most of it is computer gobbledygook. They are impossible to type in if you are reading them in a print article, and often get corrupted by word-wrapping when they appear in an email or blog posting.

A URL shortener is a web service that takes a long address that's hard to type, and turns it into a short one. You should use them in articles for print publication, classified ads, emails, blog and forum postings, anywhere there is a danger that the full address may be corrupted, or that someone may need to type the address into a browser manually.

But there is a danger in using short URLs that may make people afraid to use them. The short address disguises the real destination. This makes it easy for somebody to post an innocent looking message encouraging people to click on a link that takes them to a site which infects their computer with spyware, or something equally undesirable.

Some URL shortening services have tried to address this problem. The most well-known service, TinyURL.com, has an optional preview page that shows you the target address before you go there. But you have to know to type "preview" in front of the address, or visit the site and set it as a permanent option. Those who don't know about this are still vulnerable to deception.

A safe URL shortener would not allow the creation of links to undesirable sites. It would also always display a preview page, so the user always sees where the link is taking them before they go there. xaddr.com uses Internet blacklists to prevent its use to disguise sites that are advertised by spam. Its preview page offers a link to McAfee’s Site Advisor, which can be used to check the safety of the destination.

Next time you need to write a long web address, use a URL shortener. But to encourage confidence that no harm will come from clicking the link, pick a safe one.
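The two safeguards described above, a preview page that reveals the destination before anyone visits it and a blocklist check on that destination, as an added example that is not the code of any shortener. The resolver takes any fetch callable: http_fetch uses urllib without following redirects, and fake_fetch serves constructed responses so the example runs offline; the short.example, news.example and bad.example hosts are constructed.

```python
"""Preview-before-visit for short URLs, with a destination blocklist check.

Added example, not the code of any shortener. The resolver takes any fetch
callable; http_fetch uses urllib without following redirects, and
fake_fetch serves constructed responses so the example runs offline."""
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 303, 307, 308)


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib hand the 3xx back instead of following it.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url):
    """Return (status, Location header or None) without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, method="HEAD"), timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # 3xx lands here once redirects are off
        return err.code, err.headers.get("Location")


# Constructed responses standing in for a shortener and its targets.
FAKE_RESPONSES = {
    "http://short.example/abc": (301, "https://news.example/story?id=1"),
    "http://short.example/evil": (302, "http://login.bad.example/"),
    "http://short.example/rel": (302, "/landing"),  # relative Location header
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (200, None))


def expand(short_url, fetch=http_fetch, max_hops=5):
    """Walk the redirect chain one hop at a time; return every URL visited."""
    chain = [short_url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECTS or not location:
            return chain
        chain.append(urljoin(chain[-1], location))
    raise ValueError("redirect chain too long: " + " -> ".join(chain))


def is_blocked(url, blocklist):
    """True if the host equals, or is a subdomain of, a blocklisted domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in blocklist)


def preview(short_url, blocklist, fetch=http_fetch):
    """Return (final destination, verdict) so the user decides before visiting."""
    chain = expand(short_url, fetch)
    dest = chain[-1]
    if is_blocked(dest, blocklist):
        return dest, "blocked"
    return dest, "ok" if len(chain) > 1 else "not a redirect"
```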

5 Tips For Buying Accounting Software

Whether you are shopping for accounting software to help budget your personal or business expenses, you may find that managing all of your files with a single program helps you to save time and know exactly where your money goes. If you are familiar with the accounting process, you already know how complicated ledgers, account statements, debits and credits can be. In an effort to simplify the accounting process, a number of manufacturers have created software specifically designed to help make your life a little easier.

Before deciding on any one particular accounting software program, keep the following tips in mind:

- Because many popular online software specialty stores allow for product feedback from customers, you will have the opportunity to read reviews that may help to make your decision easier, based on the experiences of others who have already used the accounting software in question. Pay close attention to customer reviews when shopping for software.

- When you consider the purchase of any type of software, including accounting software, you will want to make sure that it is compatible with your computer and that all PC requirements are met before purchasing the product. Many software programs require a specific type of processor, available memory, etc. In order for the software to function properly your computer will need to be able to handle all of the applications contained therein. By being familiar with your computer's configuration, you will be able to make a better selection when it comes time to purchase your new accounting software.

- When shopping for accounting software, read about the program's description and capabilities. You will need to make sure that you are either already familiar with the application or that you will be comfortable in learning how to use it. The reason is that many retailers will not accept software that is being returned if it has already been opened. So, before you buy, consider downloading a trial version or purchasing an accounting software program that you are already familiar with.

- Purchase your accounting software from a company that has been in business for a while and has a good reputation. This will ensure prompt customer service, reliability, product assurance and timely shipment. By purchasing software from a reliable and established business, you will also gain the peace of mind of knowing that the title is authentic and not an illegal copy. The most effective way of checking out a business's reputation is through the Better Business Bureau.

- Learn about the company's return, refund and/or exchange policy. Although most retailers will not refund the purchase if software has been opened, they may be willing to exchange it for the exact title if the program is defective or damaged.

Router – Denial Of Service Attacks

Routers are not perfect. For that matter, nothing is. So if somebody wants to give a router more than it can handle, there is a way to do this. We're going to take a look at what are called denial of service attacks.

A router can only handle so much information coming into it at one time. Every machine has its limits, and routers are no exception. When the nasty trend of denial of service attacks started early this century, routers were unprepared for them. As people began to understand what was happening, they began to compensate for the problem. But there was still a way around it. To understand this we first have to understand what a denial of service attack is.

A denial of service attack is just as it sounds. It is when someone prevents the router or routers from servicing the network. The question is, how do they do this? As previously stated, a router can only handle so much information coming into it to be routed at a time. If too much information starts coming in, the router gets overloaded and can't forward the information fast enough. Ultimately, this slows the network down to the point where nobody can access it. In a denial of service attack, which is a deliberate attempt to cause this problem, a person will send an enormous amount of information from one computer to the router at one time. Eventually this will effectively shut down the network, because of the trickle-down effect. Once the main routers start to get overloaded, they start to send messages to the rest of the network that the connection is full. These messages cascade through the entire network until all the pathways in the network are full and nobody can communicate with any server on the network.

When companies and web sites began to understand what was happening, they started to put safeguards in place. They would put checks in the router software to see if a large amount of information was coming from one IP address. If so, the router simply discarded the information and didn't attempt to pass it on. It seemed that the problem was solved. Not so.

Hackers began to figure out that if they sent this enormous amount of information from multiple computers or IP addresses, the routers would have no way of knowing that a denial of service attack was in progress, because they would see all this information coming in from multiple locations. Ultimately, again, the network would effectively be shut down.

In response to this, router manufacturers have placed additional safeguards into their routers to check for unusual traffic. The problem with this is that in some cases a large amount of traffic is normal, as in the case of a news site being hit with an overload because a major breaking story hits the airwaves.

It remains to be seen if the hackers or the router manufacturers are going to win this war.
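The two generations of router-side checks the article describes, run over constructed traffic windows: a per-source threshold that catches a single-host flood, and an aggregate check against a learned baseline that also catches the distributed version but, as the article notes, cannot tell it apart from a flash crowd. This is an added example, not code from any router vendor; the thresholds, the baseline and the documentation-range IP addresses are constructed.

```python
"""The two router-side checks the article describes, run over constructed
traffic windows. Added example, not code from any router vendor; the
thresholds and baseline are illustrative assumptions."""
from collections import Counter

PER_SOURCE_LIMIT = 500  # packets per window from one source before it is dropped
BASELINE_PPS = 1000     # normal aggregate packets/second learned for this link
ANOMALY_FACTOR = 5      # "unusual traffic": more than 5x the baseline


def per_source_offenders(packets, limit=PER_SOURCE_LIMIT):
    """First-generation check: sources that sent more than `limit` packets."""
    counts = Counter(src for src, _ in packets)
    return sorted(ip for ip, n in counts.items() if n > limit)


def aggregate_anomaly(packets, window_seconds, baseline=BASELINE_PPS, factor=ANOMALY_FACTOR):
    """Second-generation check: total rate far above baseline, whoever sent it."""
    return len(packets) / window_seconds > baseline * factor


def assess(packets, window_seconds):
    """Verdict a router could act on. The aggregate check cannot distinguish a
    distributed flood from a flash crowd: both are just 'too much traffic'."""
    offenders = per_source_offenders(packets)
    if offenders:
        return "single-source flood: drop " + ", ".join(offenders)
    if aggregate_anomaly(packets, window_seconds):
        return "aggregate anomaly (distributed flood or flash crowd)"
    return "normal"


def synth(sources, per_source, port=80):
    """Constructed traffic window: a list of (source_ip, dest_port) tuples."""
    return [(ip, port) for ip in sources for _ in range(per_source)]


WINDOW = 10  # seconds per window; every sample window below is constructed
# 20 hosts x 400 packets = 800 pps: ordinary browsing.
NORMAL = synth([f"198.51.100.{i}" for i in range(1, 21)], 400)
# One host sends 60,000 packets: caught by the per-source limit.
SINGLE = synth(["203.0.113.7"], 60000)
# 200 hosts x 300 packets: each stays under the per-source limit, yet the
# link sees 6,000 pps, six times the baseline.
DISTRIBUTED = synth([f"192.0.2.{i}" for i in range(1, 201)], 300)
# 250 readers x 240 packets after a breaking story: same volume, legitimate.
FLASH_CROWD = synth([f"198.51.100.{i}" for i in range(1, 251)], 240)
```

assess(DISTRIBUTED, WINDOW) and assess(FLASH_CROWD, WINDOW) return the same verdict, which is the false-positive problem the article ends on: volume alone cannot separate the two.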

Password Unification

“Just because you’re big doesn’t mean you have to be dumb.”

First let me point out I'm one of those life-long students. Not because I love college, but because I can never make up my mind on what I want to do. After making some big life changes I decided to take a full year away from school. Yesterday I attempted to register for this coming spring semester to get back on track. Interestingly enough my account has been disabled… sort of… This is where the fun starts.

I expected my account to be disabled; that isn't the issue here. The problem is how it was disabled, and the messages which I received back from the University. First, my account still worked to access class registration and the University portal, but my e-mail had been completely locked out. This is the main point of my concern. If the university had a unified technology structure, the login / password information would be centralized. An account disabled in one place should be disabled across campus. Instead some departments disabled my account, and others left it running while I was gone. Worse, some parts of the university left it partially running, but unusable.

Strange, isn't it? Why not completely disable my account rather than just PRETEND it works, only to give me a nasty permissions error when I attempt to USE the portal which I am already logged into?

Rule #1

“Never let the user see the nasty error.”

Building an application or networked system on any level requires more than just getting the job done. A developer should take the additional time to build functionality for the unexpected. In my case there should have been two things.

A friendly message explaining why my account was disabled and directions on how to re-enable my account.

Rule #2

“Avoid the circle of death; take personal responsibility for the problem.”

First I talked to my counselor, who said I should talk to computer services. Computer services told me to talk to the registration office. The registration office told me to talk to my counselor. FAIL. Never-ending loops are bad, not just in programming but in the real world.

This could have been avoided at each step, but instead the problem was passed on to someone else. All someone had to do was research the problem, and they would have known the problem has come up in the past. The eventual solution was to force someone to register my classes over the phone rather than using my account on the Internet.

Rule #3

“Record problems and make proactive steps to resolve known issues.”

I work in IT and I know how incredibly complicated things can get. But it's important to always take steps to prevent the situation from coming up again. I am sure that I am not the first person to have their account disabled, and because no one is following rule three, I will likely not be the last. A few simple changes to the application would easily fix the problem, but no one cares enough to do anything about it. This leaves me, THE CUSTOMER, THE STUDENT, THE IDIOT, to run around trying to convince people to do their job.

Thanks for the warm welcome back, Akron.