 |
 |
|
INTRUSION AND FIREWALL PROTECTION
|
| Q: What is an intrusion? |
| Q: What is a firewall? |
| Q: How do I know if my firewall is working? |
| Q: How many firewalls do I need? Do I require both a hardware and a software firewall? |
| Q: Why is it important to keep my firewall rules up-to-date? |
| Q: I just installed a firewall and I am getting a lot of alerts. Is my computer being hacked? |
| Q: How do I report possible intrusion attempts showing up in my firewall logs? |
| Q: What do I do with all these firewall logs? |
| Q: I think my computer has been hacked, what do I do now? |
|
|
Q: What is an intrusion?
A: Intrusion is the term used when an unauthorized third party gains access to your PC. Generally via the Internet. For example, a hacker will scan your PC through the Internet connection to look for an open port which is a communication channel used by programs on your PC to communicate with programs on other PCs on a network or over the Internet. When hackers find an open port, they use it to enter your PC and to attack another PC (making it look like your PC is making the attack), to store files and data, or to gain access to your confidential information.
|
Back to top  |
|
Q: What is a firewall?
A: A firewall is required to defend your PC against intrusion attacks. It manages the ports on your PC to block non-authorized attempts to gain access to your PC. A firewall can either be a software application or a hardware device that sits between the Internet and the network to be protected. For most users, a software solution such as the firewall included in COGECO's Security Services suite will adequately protect your system.
The firewall is designed to prevent unauthorized access to/from a private network and needs to be configured so that it knows which applications can access the Internet. Many firewalls now come pre-configured to recognize common applications such as Internet Explorer and e-mail traffic.
The Wilder's Advisory Security Team gives an excellent definition of firewalls at: http://www.wilders.org/firewalls.htm
|
| Back to top |
|
Q: How do I know if my firewall is working?
A: Each firewall has a slightly different method of operation. Detailed information regarding your firewall's operation can be found on the vendor's homepage.
Depending on the type of firewall you are using, you may also notice a small icon next to the time in the lower right hand corner of your screen. Right click on this icon for a menu of more options.
To configure COGECO Security Services, please see our support pages.
|
| Back to top |
|
|
Q: How many firewalls do I need? Do I require both a hardware and a software firewall?
A:Generally speaking all you need is one properly configured
hardware or software firewall although running both will provide somewhat stronger protection. However, running two (or more) software firewalls on the same computer will normally cause conflicts that will reduce the protection offered and in many
cases, also cause system and speed degradations that could significantly slow down your computer.
|
| Back to top |
|
|
Q: Why is it important to keep my firewall rules up-to-date?
A: Unfortunately new viruses, compromises and exploits are released on a daily basis so it is necessary to ensure that your firewall has the most up-to-date signatures so that your
computer(s) have the best possible security. Most newer firewall products often include automated update processes although you may have to manually initiate these upgrades. Visit your firewall vendor's homepage for more information.
COGECO Security Services provides automated updating of firewall rules.
|
| Back to top |
|
Q: I just installed a firewall and I am getting a lot of alerts. Is my computer being hacked?
A: The key function of firewalls is to block unwanted access or traffic to/from your PC. To do so, a firewall needs to 'learn' your Internet activities by asking you whether or not specific applications (programs on your PC) should be allowed to have access to the Internet or not. It should only need to ask you once and it will remember your settings in the future (make sure you check the "remember my decision" or "do not ask for this application again" button).
When you first install a firewall, you will notice several alerts such as, "Do you want to let <application name> access the Internet?". While most new firewalls come with default setups to allow the most frequently-used applications, such as Internet Explorer and Instant Messengers, to access the Internet, you will still need to help the firewall "learn" which applications you use so that it adapts itself to your online behavior.
If you are unsure whether or not an application should have access to the Internet, there is no need to be alarmed. More than likely it is safe to allow the application to access the Internet. If in doubt, perform an Internet search for that application to help you to determine whether or not it should be allowed to access the Internet. Simply enter the program name from the alert (e.g.: explorer.exe) into a search engine
such as Google (http://www.google.com) and one of the first few entries will likely provide a good explanation of what is happening and will let you know whether or not you should be concerned.
Examples of common firewall false positives for those with a technical inclination can be found here.
|
| Back to top |
|
|
Q: How do I report possible intrusion attempts showing up in my firewall logs?
A: To report possible intrusion attempts, you should manually review your firewall logs. Once you have identified the intrusion attempt in the firewall log you will need to send it to the network administrator or abuse reporting e-mail address of the source of the intrusion attempt.
To find the appropriate network administrator input the IP address (of the format xxx.xxx.xxx.xxx) from your firewall log or e-mail header into the "Whois: IP or domain name:" box at http://www.broadbandreports.com/whois . If the IP
address is a COGECO address, then you should send the information to security@cogeco.net .
Although each provider's Security Department may have specific criteria for submitting abuse reports, they are generally looking for the following information, also required by COGECO: that shows
- the source and destination IP addresses (in the format xxx.xxx.xxx.xxx) ,
- the source and destination ports (in the format :80) and
- the timestamp (the time at which the event took place) with time zone.
Most Security Departments do not accept attachments so it
is best to submit this information in the body of a plain
text e-mail. Review any auto-response to ensure you have provided all details to assist in their investigation.
There are also several free services that offer small applications you can download and point at your firewall logs. These services can help by saving you time while reporting incidents. They also benefit ISPs by offering aggregated reporting which significantly reduces abuse handling time
and offers the security of industry valuable information about potential new threats in real-time. Some of these services include http://www.mynetwatchman.com and http://www.dshield.org
|
| Back to top |
|
|
Q: What do I do with all these firewall logs?
A: Firewall logs contain basic information about traffic coming to/from your system and the activities that were filtered. These logs are valuable when investigating a possible security incident on your system and are required to report such abuse to the proper provider so they may investigate and take action if necessary.
Most providers, including COGECO, require reports to include only one specific IP address. Sending the entire firewall log will only hinder the investigation. It is important to pay attention to any auto-response your receive back from an abuse reporting address as it may contain important details on how to submit your reports, as COGECO does not accept e-mail attachments, attaching your firewall invalidates your report and it will need to be resubmitted within the body of the
e-mail report.
|
| Back to top |
|
Q: I think my computer has been hacked, what do I do now?
A: Step 1 - Remain calm. Warnings about common applications accessing the Internet are often mistaken by people as an attempt to gain accessto their PC.
Step 2 - Disconnect your PC from the Internet either by unplugging the Ethernet cable from your PC (looks like an oversized phone cable), by turning off your modem or, if you have a wireless network, by powering down the wireless router.
Step 3 - Review the details, make notes if necessary and investigate further. Broadbandreports.com offers an excellent overview of the steps you should take if you believe you system has been compromised. Visit http://www.broadbandreports.com/faq/8428
|
| Back to top |
|
> Did you find the information you were looking for?
 If not, please contact the webmaster. |
|
