TUNIX/Firewall FAQ

This FAQ contains questions and answers to common configuration problems on the TUNIX/Firewall. The FAQ maintainer can be reached at fwfaq@tunix.nl.

Last updated: Thu Aug 30 15:14:25 CEST 2007

This FAQ is divided into the following sections:

General - Technical


General


  1. How can I contact TUNIX support?

  • The easiest way to reach TUNIX support is by e-mailing fwsupport@tunix.nl with a clear description of your problem or question. You will receive a confirmation message with a ticket number, and your ticket will be dealt with within the period of time contractually agreed on.
    You can also phone 0900 FWSUPPORT (0900-397877678), from within the Netherlands, or +31-24-3455012 from anywhere in the world.
    In order to respond effectively, we kindly request that you:

    • send separate e-mails to discuss separate issues

    • use the same ticket number for the follow-up of the discussion

    • do not recycle ticket numbers for new issues

    • send email in plain text whenever possible, and do not attach files unless requested

    • clearly state contact person and contract number

    Please remember that for security reasons TUNIX Support will only discuss firewall configuration matters with registered contacts within your organization.

  2. Who is allowed to contact TUNIX support when there is a problem with our firewall?

  3. We need a consistent security architecture for our organization. How can TUNIX help us?

  • The TUNIX/Firewall is capable of monitoring all in- and outgoing traffic in real time, filtering out viruses, preventing any unauthorized transfers of sensitive data, and providing authorization and authentication for connections that you have specifically decided to allow.

    However, security is not a shrink-wrapped package you can buy off the shelf, but rather a continuous process of monitoring and adapting. For a firewall to do its work reliably, it must be a part of a consistent organizational security architecture. TUNIX can help you set up an Information Security Management System and supply the required technology to implement your security policy:

    • Firewalls and VPNs with high availability Service Level Agreements

    • Firewall and intranet Anti Virus and Anti Spam solutions

    • Managed Services for Firewall and Network Intrusion Detection

    • Identification and Authentication Control; single logon on the intranet

    • Information Security Management and Training.

    To use security products in an optimal fashion, they should be embedded in the corporate management procedures. This will ensure that everybody is involved and encouraged to participate in the process, because when it comes to security, the human factor is often the weakest link.

  4. What is the difference between a firewall and an intrusion detection system? Do I need both?

  • Intrusion detection is a complementary security technology that attempts to analyze and identify any malicious traffic directed against your network. The primary task of a firewall is to enforce your organization's security policy, and to log any attempt to circumvent this policy in as much detail as possible. However, not all traffic on your network will pass the firewall. Larger networks in particular will have several subnets, divided by routers, in which malicious traffic may originate.

    This is where (network) intrusion detection systems come into play. Whereas firewalls are usually very visible security devices, guarding the borders of your network, IDSes are designed to be (nearly) invisible to any other host in the network, quietly monitoring all traffic that passes by and logging suspicious events. Being dedicated network "sniffers", they can provide very detailed forensic information on a broad spectrum of attacks; they can even log any suspicious packets to disk for closer inspection by a network administrator. Like virus scanners, their fingerprint databases can be updated continually to account for new types of attacks. In addition, they help network administrators break down data collected over a longer period, by providing statistics on malicious hosts and the types of attacks they were trying to use.

    Network intrusion detection systems are no substitutes for firewalls, but they can provide a valuable addition in monitoring the security of your network. Please consult your account manager for expert advice on deployment of a TUNIX/IDS in your network.

  5. We need to exchange data with another organization in a secure way. What possibilities can TUNIX offer us?

  6. Can we rely on e-mail for critical business applications?

  • From a strictly technical point of view, the mail protocol (SMTP) was designed to be very reliable. Mail delivery is store-and-forward on every intermediate server, and each step of the delivery process must report any error back to the sender. So in this case, no news is good news.

    Over time, however, a few shortcomings of the SMTP protocol have surfaced, and finding a solution to fix them has grown increasingly important because e-mail has become a business-critical application. One of these shortcomings is that, SMTP being a text-based protocol without authentication, it is trivial to send e-mail claiming to be from someone else. Spammers are very grateful for this, because it allows them to send mass mailings to thousands of addresses without being traceable, and at little or no cost. Instead, the costs for dealing with these huge amounts of messages are shifted to the receiving end, and valuable resources that could have been used to deliver valid messages are wasted.

    Given that the volume of e-mail traffic has risen dramatically over the past few years, mostly due to spam and viruses with false sender addresses, it is remarkable that mail servers around the world can still reliably deliver most messages to the other end of the world in just a few minutes. Internet providers are trying to keep up with the huge increase in mail volume by adding resources and using virus scanners and spam analysis software. At the same time, however, it is inevitable that the time to process messages varies, precisely because of these measures. In conclusion, for time-critical applications, other systems may provide better continuity.

    Please consult your account manager for expert advice on deployment strategies.

  7. What can we do to limit the amount of spam reaching our network?

  • Unsolicited bulk e-mail, or spam, is fast becoming a serious problem, mainly because of the amount of resources it consumes. The problem is that, unlike postal mail, the volume of electronic mail is not throttled by the cost to the sender of each copy, which makes it commercially attractive to send vast amounts of mail to unwilling recipients. Experts on Internet technology are discussing techniques to defeat spam altogether, but so far they have not agreed on a solution that is both technically feasible and financially viable.

    Currently, the most effective way to block spammers is to check the address of the remote mail server against a so-called spam blacklist, a list of hosts known to be facilitating spam, directly or indirectly. If the host is listed, the firewall closes the connection before the actual message is transferred, so no valuable bandwidth is wasted. There are several of these blacklists; some require a paid subscription, others are free. It is still possible, however, that addresses of innocent hosts get listed while some spammers go unnoticed. Therefore, you may want to use additional local blacklists and whitelists, to block or allow specific addresses, respectively, regardless of any Internet blacklist. You may also choose not to discard all suspected spam, but to have it "tagged" with a particular subject header, so that mail filters can recognize it. The TUNIX/Firewall can be configured with multiple online blacklists, as well as local blacklists and whitelists.

    Please consult your account manager for expert advice on deployment of a spam filtering solution in your network.
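The decision sequence described in this answer (local whitelist and blacklist first, then one or more online blacklists, with the connection refused before the message is transferred or the message merely tagged), as an added illustration that is not TUNIX code. The list names, addresses and the in-memory stand-in for DNS are all constructed; a real check resolves the reversed-address name in each blacklist zone.

```python
import ipaddress

# Constructed local lists (example values): local decisions override every online blacklist.
LOCAL_WHITELIST = [ipaddress.ip_network("192.0.2.0/24")]     # a partner's relays, always accepted
LOCAL_BLACKLIST = [ipaddress.ip_network("198.51.100.7/32")]  # a known abuser, always refused

# Constructed blacklist zones (hypothetical names) and the action taken on a listing:
# a trusted list may refuse the connection outright, a weaker one only tags the message.
DNSBL_ZONES = [
    ("trusted.dnsbl.example", "reject"),
    ("weak.dnsbl.example", "tag"),
]


def dnsbl_query_name(ip, zone):
    """A DNS blacklist is queried by reversing the octets and appending the zone:
    203.0.113.25 in zone Z becomes 25.113.0.203.Z; an A record answer means 'listed'."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone


# Constructed stand-in for DNS so the example runs offline; a real check would resolve the name.
FAKE_DNS = {
    "9.100.51.198.trusted.dnsbl.example": "127.0.0.2",
    "7.100.51.198.trusted.dnsbl.example": "127.0.0.2",
    "25.113.0.203.weak.dnsbl.example": "127.0.0.2",
}


def classify_sender(ip, lookup=FAKE_DNS.get):
    """Decide at connection time, before any message bytes are accepted.
    Returns (action, reason) with action in {'accept', 'reject', 'tag'}."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in net for net in LOCAL_WHITELIST):
        return ("accept", "local whitelist")
    if any(addr in net for net in LOCAL_BLACKLIST):
        return ("reject", "local blacklist")
    for zone, action in DNSBL_ZONES:
        if lookup(dnsbl_query_name(ip, zone)) is not None:
            return (action, "listed in " + zone)
    return ("accept", "not listed")


def smtp_greeting(decision):
    """Rejected senders are refused at the greeting, so the message itself is never transferred.
    (mail.example.com is a placeholder host name.)"""
    action, reason = decision
    if action == "reject":
        return "554 Service unavailable; " + reason
    return "220 mail.example.com ESMTP"


def tag_subject(headers, decision, marker="[SPAM?]"):
    """For 'tag' decisions the mail is delivered but its Subject is marked,
    so a client-side mail filter can recognize and file it."""
    tagged = dict(headers)
    if decision[0] == "tag":
        tagged["Subject"] = marker + " " + headers.get("Subject", "")
    return tagged
```

The order matters: a local whitelist entry must win over an online listing, otherwise a partner whose relay lands on a public blacklist by mistake loses mail; a local blacklist entry wins over "not listed" so a known abuser is refused even when no public list has caught up yet.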

  8. What is phishing, and does the TUNIX firewall protect against it?

  9. We migrated from a leased line to a VPN with much more bandwidth. Still, some applications seem slow. How come?

  • There are two key concepts that determine the effective speed of a connection: bandwidth and latency. While the bandwidth of your Internet connection may be 10 Mbit/s or even higher, the latency for packets traveling over this connection may still be quite high, up to several hundred milliseconds to overseas destinations. Leased lines generally offer low bandwidth compared to other types of connections, but they also have very low latency. At the other end of the spectrum are satellite connections; they may have bandwidths of up to several Gbit/s, but their latency is measured in seconds rather than milliseconds.

    The main difference between a leased line and a VPN connection over the Internet is latency. The number of hops between your network and the remote end may be quite large, and each hop adds a few milliseconds. For interactive applications (any application where user input is expected to have an instant effect on what is displayed on the screen), any latency over 100 ms makes the connection feel slow. Note that the latency of the connection is effectively doubled, because user input has to travel to the remote server and the remote server then has to update the screen on the client side, so packets traverse the connection twice. Network traffic that is exchanged in large chunks does not really suffer from latency; file transfers, for instance, may start a few milliseconds later, but they can still fill up all the bandwidth of the connection.

    Please contact your account manager for expert advice on deployment of VPNs.
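A small model of the two effects described above, added here as an illustration rather than anything from TUNIX: interactive traffic pays the one-way latency twice per exchange, while a bulk transfer pays it only for setup and is then limited by bandwidth. The link figures are constructed for the comparison and are not measurements.

```python
from dataclasses import dataclass


@dataclass
class Link:
    name: str
    bandwidth_bps: float      # bits per second
    one_way_latency_s: float  # seconds for a packet to cross the link in one direction


# Constructed figures chosen to illustrate the trade-off, not measurements of any real link.
LEASED_LINE = Link("leased line", bandwidth_bps=2e6, one_way_latency_s=0.005)
INTERNET_VPN = Link("VPN over the Internet", bandwidth_bps=10e6, one_way_latency_s=0.080)

INTERACTIVE_LIMIT_S = 0.100  # the FAQ's threshold above which a session feels slow


def interactive_delay(link, exchanges=1):
    """Time until the user sees the effect of an input: the keystroke travels to the server
    and the screen update travels back, so every exchange pays the latency twice."""
    return 2 * link.one_way_latency_s * exchanges


def bulk_transfer_time(link, size_bytes, setup_roundtrips=1):
    """A large transfer pays latency only for its setup round trips; after that the
    stream fills the available bandwidth and the time is dominated by the data size."""
    serialization = size_bytes * 8 / link.bandwidth_bps
    return 2 * link.one_way_latency_s * setup_roundtrips + serialization


def feels_slow(link):
    return interactive_delay(link) > INTERACTIVE_LIMIT_S


def faster_link(links, workload, *args):
    """Name of the link with the lowest time for a workload function
    (interactive_delay or bulk_transfer_time) and its extra arguments."""
    return min(links, key=lambda link: workload(link, *args)).name
```

With these figures the VPN moves a 100 MB file in roughly 80 s against 400 s on the leased line, yet every keystroke on the VPN takes 160 ms to show its effect, which is why a terminal session over it feels slower than it did on the 2 Mbit/s leased line.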

  10. Security scanners report a huge number of listening ports on our TUNIX Firewall. Does this mean it is insecure?

  • No. Security tools scanning the TUNIX/Firewall are tricked into believing that ports are open because connections to arbitrary ports are seemingly accepted. What really happens is that the TUNIX/Firewall accepts the connection setup for logging purposes, then drops the connection if it is not allowed by the security policy, ignoring any further traffic. The idea behind this is that we want to learn as much as possible from any unauthorized connection attempt and adjust our defenses accordingly where necessary. A TUNIX Firewall complemented by an Intrusion Detection System (IDS) can provide even more information about malicious traffic directed at your firewall from the Internet.

    The TUNIX/Firewall is a proxy rather than a router with an access list. This means that incoming connections are effectively terminated at the firewall. To relay data to the internal network, a new connection has to be made from the firewall to the internal host. So the firewall acts on behalf of the outside host as well as the internal host; there is never a direct connection between the two endpoints. The security policy not only determines whether this connection is made at all, but also what type of traffic is allowed to the internal host. This is a significant difference from a port filtering firewall because, to give an example, simply opening TCP port 80 offers no guarantee that only HTTP traffic will be transferred through this channel. In fact this particular port is often used by peer-to-peer file transfer applications and instant messaging software such as MSN.

    Incidentally, it is important to note that the TUNIX/Firewall is perfectly capable of behaving like a port filtering firewall, if so required. However, our belief in our security model is backed by many positive audits from security experts working in business banks and insurance companies, as well as several external security companies.

  11. We have a virus outbreak on our local network. How is this possible?

  12. I want to schedule a configuration change or update outside office hours. Is this possible?

  • The standard Service Level Agreement with TUNIX contains scheduled maintenance windows. If you want to perform maintenance or schedule an update outside these windows please contact TUNIX support.


Technical


  1. The firewall is protecting our network a bit too well; we want to open TCP/UDP ports X through Y. Are there any security risks involved?

  • Any traffic that has to go through a TUNIX/Firewall is mediated by application-level proxies, because they allow for better access control and easier maintenance than traditional port filtering firewalls. Rather than opening a range of ports for traffic coming in or going out, you configure a specific class for the type of proxy you want, specifying the clients that are allowed to use it, whether or not they have to authenticate themselves, and which servers they are allowed to connect to.

    Proxies typically pick up connection attempts from clients on one side of the firewall, check the connection attempt against the firewall policy, and open new connections on behalf of the client on the other side, either the service network or the Internet. They can be divided into two classes: "dedicated", or content-aware, and "transparent", or content-unaware. The TUNIX/Firewall provides dedicated proxies for most common protocols, such as HTTP and FTP. New protocols, and proprietary protocols in particular, often require proxies that are content-unaware. Unfortunately, these proxies cannot do any content inspection on the data stream; they can neither block harmful content nor impose protocol-specific restrictions. A dedicated FTP proxy, for instance, would be capable of preventing clients from issuing PUT commands, and by the same token an HTTP proxy could disallow POST commands. Although transparent proxies cannot do this, they do protect clients against TCP/IP-based attacks, and they still allow administrators to control access to specific services on the basis of client and destination IP addresses and/or login credentials.

    The decision to allow new protocols through the firewall (or block them explicitly) mostly depends upon the balance between security and functionality. If you want to make an informed evaluation about the security implications of a new protocol you should consider a few important things:

    1. What type of connection is required? Many protocols only require a simple outgoing TCP or UDP connection. This type of protocol often poses the lowest risk and thus can be allowed through the firewall without compromising the level of security too much.

    2. Consider the character of the protocol. Some protocols are considered to be passive, that is: the server has no way of manipulating the client, whereas other protocols are definitely active, for instance IRC.

    3. What type of data is transported over this connection? Obviously, sensitive data should only be transferred over encrypted channels. There is also a risk, however, that a malicious person might try to impersonate you or your company; think, for example, of an online order system. Connectivity you might want to block explicitly is any data exchanged by so-called "peer-to-peer" (P2P) software, which has grown immensely popular recently. Not only can the client software be a security risk in itself, being targeted by viruses or exploits, but there could also be a legal risk for your company that you probably want to avoid.

    4. Is the protocol open or proprietary? The specification of an open protocol can be reviewed by anyone, so its security risk is easier to assess.

    5. And finally, the quality of the client is often important: buggy software is ubiquitous and bugs are often exploited because ready-made tools to exploit them are widely available. A good example of such notoriously dangerous software is ICQ, and also the P2P software mentioned earlier.

    You may also want to consider the amount of bandwidth that is used by the particular protocol you want to enable, although this is not a (severe) security issue.

    Only when you have looked at all the considerations above can you take a well-founded and reasonable decision. Of course TUNIX support is always willing to help you make this decision. Please consult the firewall manual for a list of options to block specific content using application-level proxies. In addition, be aware that any change constitutes a modification of the security policy and, depending on the structure of your organization, several people could, or perhaps should, have a say in this.
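The following is an added model, not TUNIX code or its configuration syntax, of two behaviours described in this FAQ: the firewall completing a connection setup so it can be logged and only then dropping what the policy does not allow (the "listening ports" question in the General section), and proxy classes that name a proxy type, allowed clients, authentication and allowed servers, where only a dedicated proxy can refuse individual protocol commands. All class names, networks and addresses are constructed.

```python
import ipaddress

# Constructed policy classes. 'denied_commands' is only meaningful for dedicated (content-aware)
# proxies; a transparent proxy relays a byte stream it cannot interpret.
POLICY = [
    {"name": "office-http", "proxy": "dedicated", "protocol": "http", "ports": {80},
     "clients": ["10.1.0.0/16"], "servers": ["0.0.0.0/0"], "auth": False,
     "denied_commands": set()},
    {"name": "admins-ftp", "proxy": "dedicated", "protocol": "ftp", "ports": {21},
     "clients": ["10.1.5.0/24"], "servers": ["0.0.0.0/0"], "auth": True,
     "denied_commands": {"STOR", "STOU", "APPE"}},  # no uploads ("PUT") to the Internet
    {"name": "erp-vendor", "proxy": "transparent", "protocol": "tcp", "ports": {8443},
     "clients": ["10.1.7.0/24"], "servers": ["203.0.113.10/32"], "auth": False,
     "denied_commands": None},  # content-unaware: nothing to inspect
]


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in networks)


def match_class(src_ip, dst_ip, dst_port, policy=POLICY):
    """First class whose port, client range and server range all match, else None."""
    for cls in policy:
        if (dst_port in cls["ports"] and _in_any(src_ip, cls["clients"])
                and _in_any(dst_ip, cls["servers"])):
            return cls
    return None


def handle_connection(src_ip, dst_ip, dst_port, log, policy=POLICY):
    """The firewall completes the TCP handshake itself so the attempt can be logged, then either
    drops it or opens its own connection to the server on the client's behalf (never a direct path)."""
    log.append(f"accepted {src_ip} -> {dst_ip}:{dst_port}")
    cls = match_class(src_ip, dst_ip, dst_port, policy)
    if cls is None:
        log.append(f"dropped {src_ip} -> {dst_ip}:{dst_port}: no matching class")
        return "drop"
    log.append(f"relay via {cls['name']} ({cls['proxy']} {cls['protocol']} proxy) "
               f"to {dst_ip}:{dst_port}, auth required: {cls['auth']}")
    return "relay:" + cls["name"]


def inspect_command(cls, command):
    """Dedicated proxies understand the protocol and can refuse individual commands;
    transparent proxies only see a byte stream and must pass everything through."""
    if cls["proxy"] == "transparent":
        return "pass"
    verb = command.split()[0].upper()
    return "block" if verb in cls["denied_commands"] else "pass"
```

A port scanner sees every `handle_connection` call answer the handshake, which is why it reports the port as open; the log, not the scanner, shows which attempts were then dropped. The FTP class illustrates the PUT restriction the answer mentions (STOR is the FTP command behind a client's "put"), while the transparent class for the vendor application can only be limited by source, destination and port.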

  2. My web application is protected by SSL, so why do we need HTTPScreen?

  3. Does the TUNIX/Firewall require any regular maintenance?

  • No. The TUNIX/Firewall is sold as a managed firewall service and as part of this service all maintenance is performed by TUNIX.

  4. Are all important configuration files backed up to a TUNIX server when I issue a reconfigure all?

  • No, this happens only once a day at a preset time, usually in the middle of the night. If you manage the firewall through the GUI, a snapshot of the previous configuration is saved every time a change is made, and this previous configuration can be loaded again.

  5. There is more than one name server running on the firewall. Why is that?

  • The firewall has a classic split-DNS setup, which is needed to publish different views of your network to different parties. In most cases, there is a separate named process for each interface of the firewall. Even though keeping zone information synchronized between these name servers requires a bit more manual effort, the advantage is increased security. Typically, there is only a small number of servers in your domain that you want to expose to the Internet. On your internal network, however, you want to be able to resolve every single host. Therefore, you publish a stripped-down version of your zone on the Internet. In addition, it is vital that your internal hosts are not dependent on a service that is also reachable from the Internet, for the following reasons:

    1. external hosts may attack your name server; if it crashes, your internal hosts will not be able to resolve anything.

    2. external hosts may try to snoop information from the cache of your name server, for instance to track the domains your organization is exchanging e-mail with.

    3. external hosts may try to poison the cache of your name server with fake information, directing traffic to servers under their control.

    Explaining these attacks in further detail is beyond the scope of this FAQ. You may want to point your browser to www.securityfocus.com for more information.
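An added illustration of the split-DNS idea in this answer, not TUNIX code: the external name server is fed a stripped-down copy of the internal zone, and because it only answers for the names it serves and never recurses for outside clients, it holds no cache for an outside host to snoop or poison. The zone data, names and address ranges are constructed; a real deployment would of course run the two servers as separate processes bound to separate interfaces.

```python
import ipaddress

# Constructed internal zone (example names and addresses).
INTERNAL_ZONE = """\
$ORIGIN example.com.
@        IN MX 10 mail.example.com.
www      IN A  203.0.113.10
mail     IN A  203.0.113.11
fileserv IN A  10.1.2.20
intranet IN A  10.1.2.30
vpn      IN A  10.1.2.50
"""

# Names the administrator chose to publish; 'vpn' is deliberately listed by mistake to
# show that the private-address check still keeps it out of the external view.
PUBLIC_NAMES = {"example.com.", "www.example.com.", "mail.example.com.", "vpn.example.com."}

# Address ranges that must never appear in the external view (RFC 1918 private space).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_zone(text):
    """Minimal parser for the simple one-record-per-line format used above.
    Returns (fully qualified name, type, rdata) tuples."""
    records, origin = [], ""
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        name, _cls, rtype, *rdata = line.split()
        if name == "@":
            name = origin
        elif not name.endswith("."):
            name = name + "." + origin
        records.append((name, rtype, " ".join(rdata)))
    return records


def external_view(records, public_names):
    """The stripped-down zone for the Internet: only listed names, and never an internal address."""
    out = []
    for name, rtype, rdata in records:
        if name not in public_names:
            continue
        if rtype == "A" and any(ipaddress.ip_address(rdata) in net for net in INTERNAL_NETS):
            continue  # a listed name with an internal address is not published either
        out.append((name, rtype, rdata))
    return out


class NameServer:
    """One server per interface. 'recursion_for' is the client range allowed to use it as a
    resolver; the external server gets an empty list and so never caches anything for anyone."""

    def __init__(self, records, recursion_for):
        self.records = records
        self.recursion_for = [ipaddress.ip_network(n) for n in recursion_for]

    def query(self, qname, qtype, client_ip):
        answers = [rdata for name, rtype, rdata in self.records if name == qname and rtype == qtype]
        if answers:
            return ("NOERROR", answers)
        if any(ipaddress.ip_address(client_ip) in net for net in self.recursion_for):
            return ("RECURSE", [])  # would now resolve on behalf of the internal client
        return ("REFUSED", [])      # outside client asking for something we do not serve


INTERNAL_RECORDS = parse_zone(INTERNAL_ZONE)
INTERNAL_SERVER = NameServer(INTERNAL_RECORDS, recursion_for=["10.0.0.0/8"])
EXTERNAL_SERVER = NameServer(external_view(INTERNAL_RECORDS, PUBLIC_NAMES), recursion_for=[])
```

Regenerating the external records from the internal zone in this way is one answer to the synchronization effort the FAQ mentions: the internal zone stays the single source, and the filter decides what leaves it.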

  6. How can I tune Kaspersky Anti-Spam to filter out spam messages it did not catch?

  7. How many times can a user with strong authentication enter an invalid password before the firewall blocks his access, and how long will the access be blocked?

  • The user can try 5 times before the account is blocked for 20 minutes.
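An added model of the lockout rule stated in this answer (five failed attempts, then a twenty-minute block); the numbers are the FAQ's, the bookkeeping is illustrative and not the firewall's implementation. Time is passed in explicitly so the behaviour at the edges (a correct password during the block, expiry of the block, a success resetting the count) is deterministic.

```python
from collections import defaultdict

MAX_FAILURES = 5          # attempts allowed before the block, per the FAQ
BLOCK_SECONDS = 20 * 60   # length of the block, per the FAQ


class LoginGuard:
    """Tracks consecutive failures per user and blocks the account once the limit is hit."""

    def __init__(self, max_failures=MAX_FAILURES, block_seconds=BLOCK_SECONDS):
        self.max_failures = max_failures
        self.block_seconds = block_seconds
        self.failures = defaultdict(int)  # consecutive failures per user
        self.blocked_until = {}           # user -> time the block ends

    def is_blocked(self, user, now):
        until = self.blocked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # block expired: clear it and start counting afresh
            del self.blocked_until[user]
            self.failures[user] = 0
            return False
        return True

    def attempt(self, user, password_ok, now):
        """Returns 'blocked', 'ok' or 'failed'. While blocked, even a correct
        password is not accepted and does not shorten the block."""
        if self.is_blocked(user, now):
            return "blocked"
        if password_ok:
            self.failures[user] = 0
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= self.max_failures:
            self.blocked_until[user] = now + self.block_seconds
        return "failed"

    def remaining_block(self, user, now):
        """Seconds of block left for the user, 0 when not blocked."""
        return max(0, self.blocked_until.get(user, now) - now)
```

Two details worth noting for anyone building a similar rule: the counter must be per account rather than global, or one noisy source locks everyone out, and a success must reset the counter, or four old typos plus one new one would lock a legitimate user.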

  8. After installing SP2 on my Windows XP computer, the TUNIX/VPN for Windows client stopped working. Is there a solution?

  • SP2 restricts applications from connecting to localhost on addresses other than 127.0.0.1. The TUNIX Winplug client distinguishes between different servers by using different (fake) localhost addresses, which in fact all refer to the same device. Because of the new filtering policy after installation of SP2, the connections to localhost never reach the Winplug process.

    There are two possible solutions. Microsoft has created a patch, but does not (yet) want to release it for general use; this is expected to happen after extensive testing. Microsoft is, however, willing to release this patch to individual (corporate) users. We therefore advise you to contact Microsoft, or the company that provides support for your Microsoft products, and ask for patch KB884020. TUNIX has tested this patch and encountered no further problems.

    If you are hesitant to install this preliminary patch, there is also another possibility. By changing all addresses to 127.0.0.1 and choosing unique random port numbers, preferably above 1023, the TUNIX Winplug VPN client can still distinguish between individual connections, and the connections will not be blocked by the operating system.

    Please do not hesitate to contact TUNIX support if you still have problems using the Winplug VPN client on Windows XP SP2.

  9. On some websites, images appear garbled, or do not appear at all. What is going wrong?

  • Most likely, this problem occurs when the image your browser requested was dynamically generated by a script. Carelessly written scripts sometimes prepend their output with a wrong MIME-type header, for example "text/html", when they actually mean "image/jpeg". Because the TUNIX/Firewall is a security device, it enforces strict data interpretation, whereas browsers are typically rather lax. Internet Explorer, for example, will helpfully interpret and execute a snippet of JavaScript deliberately renamed to .jpg to circumvent content screening proxies. The MIME-type header is therefore a very important clue for the HTTP proxy to determine what type of data it is actually receiving, and it will drop the data altogether if the data cannot be interpreted according to the declared MIME type. If possible, please inform the website administrator of this faulty behaviour. TUNIX has also developed a new version of its HTTP proxy that handles situations like these better, so end users should run into problems like these less often.
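An added illustration of the strict interpretation this answer describes, not the TUNIX HTTP proxy itself: the declared Content-Type is compared with what the first bytes of the body actually are, and a mismatch in either direction (a JPEG announced as text/html, or script text announced as image/jpeg) is dropped instead of guessed at. The signature table and sample responses are constructed.

```python
# Constructed subset of magic-byte signatures for the image types the check verifies.
SIGNATURES = {
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}


def sniff_image_type(body):
    """Image type according to the body's leading bytes, or None if it is not a known image."""
    for mime, magics in SIGNATURES.items():
        if any(body.startswith(magic) for magic in magics):
            return mime
    return None


def declared_type(headers):
    """The media type from Content-Type, without parameters such as charset."""
    return headers.get("Content-Type", "").split(";")[0].strip().lower()


def screen_response(headers, body):
    """Strict interpretation: the body must be what the Content-Type claims.
    Returns ('pass', reason) or ('drop', reason)."""
    claimed = declared_type(headers)
    actual = sniff_image_type(body)
    if claimed.startswith("image/"):
        if actual == claimed:
            return ("pass", "image matches declared type")
        # e.g. script text renamed to .jpg: a lax browser might execute it, the proxy refuses
        return ("drop", f"declared {claimed} but body is {actual or 'not a recognized image'}")
    if actual is not None:
        # e.g. a script that emitted text/html before JPEG data: a lax browser would still
        # render the picture, the proxy does not guess and drops it (the FAQ's garbled image)
        return ("drop", f"declared {claimed} but body is {actual}")
    return ("pass", "non-image handled by the text path")


# Constructed sample responses illustrating the cases in the FAQ.
SAMPLES = {
    "correct_jpeg": ({"Content-Type": "image/jpeg"}, b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    "script_mislabels_jpeg": ({"Content-Type": "text/html; charset=utf-8"}, b"\xff\xd8\xff\xe0\x00\x10JFIF"),
    "script_text_named_jpg": ({"Content-Type": "image/jpeg"}, b"<script>alert(1)</script>"),
    "plain_page": ({"Content-Type": "text/html"}, b"<html><body>hello</body></html>"),
}


def screen_samples(samples=SAMPLES):
    return {name: screen_response(h, b)[0] for name, (h, b) in samples.items()}
```

The first mismatch case is the one users notice (a broken image on an otherwise fine site, because the generating script labelled it text/html); the second is the one the strictness exists for, and the same comparison catches both.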

$Id: faq.n,v 1.22 2007/08/30 13:14:22 remmelt Exp $