INTRUSION AND FIREWALL PROTECTION
Q: What is an intrusion?
Q: What is a Firewall?
Q: How do I know if my Firewall is working?
Q: How many Firewalls do I need? Do I require both a hardware and a software Firewall?
Q: Why is it important to keep my Firewall rules up-to-date?
Q: I just installed a firewall and I am getting a lot of alerts. Is my computer being hacked?
Q: How do I report possible intrusion attempts showing up in my Firewall logs?
Q: What do I do with all these Firewall logs?
Q: I think my computer has been hacked, what do I do now?
Q: What is an intrusion?
A: Intrusion is the term used when an unauthorized third party gains access to your PC, generally via the Internet. For example, a hacker will scan your PC through the Internet connection to look for an open port, which is a communication channel used by programs on your PC to communicate with programs on other PCs on a network or over the Internet. When hackers find an open port, they use it to enter your PC and to attack another PC (making it look like your PC is making the attack), to store files and data, or to gain access to your confidential information.
Q: What is a Firewall?
A: A Firewall is required to defend your PC against intrusion attacks. It manages the ports on your PC to block non-authorized attempts to gain access to your PC. A Firewall can either be a software application or a hardware device that sits between the Internet and the network to be protected. For most home users, a software solution such as the Firewall included in F-Secure Security Suite will adequately protect your system.
The Firewall is designed to prevent unauthorized access to/from a private network and needs to be configured so that it knows which applications can access the Internet. Many Firewalls now come pre-configured to recognise common applications such as Internet Explorer and e-mail traffic.
The Wilder's Advisory Security Team gives an excellent definition of Firewalls at: http://www.wilders.org/firewalls.htm
Q: How do I know if my Firewall is working?
A: Each Firewall has a slightly different method of operation. Detailed information regarding your Firewall's operation can be found on the vendor's homepage.
Depending on the type of Firewall you are using, you may also notice a small icon next to the time in the lower right-hand corner of your screen. Right-click on this icon for a menu of more options.
To configure F-Secure Security Services, please see our FAQs or contact our 24/7 Tech Support line.
Q: How many Firewalls do I need? Do I require both a hardware and a software Firewall?
A: Generally speaking, all you need is one properly configured hardware or software Firewall, although running both will provide somewhat stronger protection. However, running two (or more) software Firewalls on the same computer will normally cause conflicts that will reduce the protection offered and, in many cases, also cause system and speed degradations that could significantly slow down your computer.
Q: Why is it important to keep my Firewall rules up-to-date?
A: Unfortunately, new viruses, compromises and exploits are released on a daily basis, so it is necessary to ensure that your Firewall has the most up-to-date signatures so that your computer(s) have the best possible security. Most newer Firewall products include automated update processes, although you may have to initiate these upgrades manually. Visit your Firewall vendor's homepage for more information.
We Security Services provides automated updating of Firewall rules.
Q: I just installed a firewall and I am getting a lot of alerts. Is my computer being hacked?
A: The key function of Firewalls is to block unwanted access or traffic to/from your PC. To do so, a Firewall needs to 'learn' your Internet activities by asking you whether or not specific applications (programs on your PC) should be allowed to have access to the Internet. It should only need to ask you once and it will remember your settings in the future (make sure you check the "remember my decision" or "do not ask for this application again" button).
When you first install a Firewall, you will notice several alerts such as, "Do you want to let <application name> access the Internet?". While most newer Firewalls come with default setups to allow the most frequently used applications, such as Internet Explorer and Instant Messengers, to access the Internet, you will still need to help the Firewall "learn" which applications you use so that it adapts itself to your online behaviour.
If you are unsure whether or not an application should have access to the Internet, there is no need to be alarmed. More than likely it is safe to allow the application to access the Internet. If in doubt, perform an Internet search for that application to help you to determine whether or not it should be allowed to access the Internet. Simply enter the program name from the alert (e.g.: explorer.exe) into a search engine such as Google (http://www.google.com) and one of the first few entries will likely provide a good explanation of what is happening and will let you know whether or not you should be concerned.
Q: How do I report possible intrusion attempts showing up in my firewall logs?
A: To report possible intrusion attempts, you should manually review your firewall logs. Once you have identified the intrusion attempt in the firewall log, you will need to send it to the network administrator or abuse reporting e-mail address of the source of the intrusion attempt.
To find the appropriate network administrator, input the IP address (of the format xxx.xxx.xxx.xxx) from your firewall log or e-mail header into the "Whois: IP or domain name:" box at http://www.broadbandreports.com/whois . If the IP address is a We address, then you should send the information to abuse@We.com.
Although each provider's Security Department may have specific criteria for submitting abuse reports, they are generally looking for the following information, which We also requires:
- the source and destination IP addresses (in the format xxx.xxx.xxx.xxx),
- the source and destination ports (in the format :80) and
- the timestamp (the time at which the event took place) with timezone.
Most Security Departments do not accept attachments, so it is best to submit this information in the body of a plain text e-mail. Review any auto-response to ensure you have provided all details to assist in their investigation.
There are also several free services that offer small applications you can download and point at your firewall logs. These services can help by saving you time while reporting incidents. They also benefit ISPs by offering aggregated reporting, which significantly reduces abuse handling time and offers the security industry valuable information about potential new threats in real time. Some of these services include http://www.mynetwatchman.com and http://www.dshield.org
Q: What do I do with all these firewall logs?
A: Firewall logs contain basic information about traffic coming to/from your system and the activities that were filtered. These logs are valuable when investigating a possible security incident on your system and are required to report such abuse to the proper provider so they may investigate and take action if necessary.
Most providers, including We, require reports to include only one specific IP address. Sending the entire firewall log will only hinder the investigation. It is important to pay attention to any auto-response you receive back from an abuse reporting address, as it may contain important details on how to submit your reports. As We does not accept e-mail attachments, attaching your Firewall log invalidates your report and it will need to be resubmitted within the body of the e-mail report.
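The reporting steps in the previous answer and the one-IP-per-report rule here, worked through as an added example that is not part of the original FAQ: it pulls the events for a single source address out of a firewall log and builds a plain-text e-mail body with IP addresses, ports and timezone-aware timestamps. The log line layout, the function names and the sample addresses are assumptions made for this illustration.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Constructed sample log. The line layout is an assumption for this example,
# not any particular firewall's format; the addresses are documentation ranges.
SAMPLE_LOG = """\
2024-03-05T14:22:10-05:00 BLOCK TCP 203.0.113.45:51514 -> 198.51.100.7:3389
2024-03-05T14:22:11-05:00 BLOCK TCP 203.0.113.45:51515 -> 198.51.100.7:445
2024-03-05T14:25:02-05:00 BLOCK UDP 192.0.2.99:40000 -> 198.51.100.7:53
2024-03-05T14:30:00 BLOCK TCP 203.0.113.45:51600 -> 198.51.100.7:22
this line is not a log entry
"""

LINE = re.compile(r"^(?P<ts>\S+) BLOCK (?P<proto>\w+) "
                  r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_entries(log_text):
    """Return (entries, rejected); rejected lines are malformed or lack a timezone."""
    entries, rejected = [], []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE.match(line)
        try:
            if m is None:
                raise ValueError("unrecognised line")
            ts = datetime.fromisoformat(m["ts"])
            if ts.tzinfo is None:  # without a timezone the event time is ambiguous
                raise ValueError("timestamp has no timezone")
            entries.append({"ts": ts, "proto": m["proto"],
                            "src": ipaddress.ip_address(m["src"]), "sport": int(m["sport"]),
                            "dst": ipaddress.ip_address(m["dst"]), "dport": int(m["dport"])})
        except ValueError:  # also raised by ip_address() for invalid addresses
            rejected.append(line)
    return entries, rejected

def build_report(entries, source_ip):
    """Build a plain-text e-mail body covering exactly one source IP address."""
    src = ipaddress.ip_address(source_ip)
    hits = sorted((e for e in entries if e["src"] == src), key=lambda e: e["ts"])
    if not hits:
        raise ValueError(f"no log entries for {source_ip}")
    body = [f"Blocked connection attempts from {src}, {len(hits)} event(s):", ""]
    for e in hits:
        # Show the local timestamp with its offset and the same instant in UTC.
        utc = e["ts"].astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
        body.append(f"{e['ts'].isoformat()} ({utc}) {e['proto']} "
                    f"{e['src']}:{e['sport']} -> {e['dst']}:{e['dport']}")
    return "\n".join(body)
```

Calling `build_report(parse_entries(SAMPLE_LOG)[0], "203.0.113.45")` returns the text to paste into the e-mail body; the rejected list shows which lines could not be used, including the one whose timestamp carries no timezone.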
Q: I think my computer has been hacked, what do I do now?
A: Step 1 - Remain calm. Warnings about common applications accessing the Internet are often mistaken by people as an attempt to gain access to their PC.
Step 2 - Disconnect your PC from the Internet either by unplugging the Ethernet cable from your PC (looks like an oversized phone cable), by turning off your modem or, if you have a wireless network, by powering down the wireless router.
Step 3 - Review the details, make notes if necessary and investigate further. Broadbandreports.com offers an excellent overview of the steps you should take if you believe your system has been compromised. Visit http://www.broadbandreports.com/faq/8428