<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>TrainSignal Training &#187; Security</title>
	<atom:link href="http://www.trainsignal.com/blog/tag/security/feed" rel="self" type="application/rss+xml" />
	<link>http://www.trainsignal.com/blog</link>
	<description>Guide to Certifications and Technology News for IT Professionals</description>
	<lastBuildDate>Wed, 08 Feb 2012 14:00:03 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0.3</generator>
		<item>
		<title>Rogue Access Points: Still Here and Still a Threat</title>
		<link>http://www.trainsignal.com/blog/rogue-access-points-still-here-and-still-a-threat</link>
		<comments>http://www.trainsignal.com/blog/rogue-access-points-still-here-and-still-a-threat#comments</comments>
		<pubDate>Wed, 01 Feb 2012 15:00:10 +0000</pubDate>
		<dc:creator>Nick Krasny</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Wireless Networking]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=29243</guid>
		<description><![CDATA[Rogue access points remain a legitimate threat to business infrastructures, often times due to poor security or users unaware of wireless network security dos and don'ts. This article points out the ways in which a rogue AP can compromise a network.]]></description>
			<content:encoded><![CDATA[<p>Recently Gartner released their WLAN Magic Quadrant for 2011. Not surprisingly, <a href="/blog/tag/Cisco" title="Cisco on TrainSignal Training">Cisco</a>, Aruba, and Motorola were all rated as the leaders in this space. Not only do these companies have financial stability and support for R&#038;D, they also have a strong commitment to <a href="/blog/wireless-lan-security-threats" title="Common Security Threats to Wireless Networks">WLAN security</a>, some more so than others. Still, all three organizations take WLAN security seriously. If you read through any of their security materials, one of the first things they’ll mention is Rogue Access Point (AP) detection.</p>
<p>That’s right, folks: rogue access points are still a legitimate concern for businesses. But it’s not just the organizations that need to be concerned; end-users need to understand that these are a legitimate threat to their personal data as well.</p>
<h3>What are Rogue Access Points?</h3>
<p>Businesses typically classify rogue access points in two categories. The first, and most serious, are the rogue APs that are plugged into the business network. Most organizations that are on the ball have a security policy that states no one should be plugging in unauthorized access points. Hopefully this prevents users from bringing in an access point from home and setting it up in the conference room because of a shortage of data jacks. But there are those incidents, though rare, where someone gains access to the business floor and is able to plug in a rogue device. It could be someplace inconspicuous like the waiting area or even a conference or break room. You need to keep in mind that if you remove an AP from its shell, it’s not very big. They can even be concealed inside the data jack and powered over Ethernet.</p>
<p>Additionally, whoever planted it is not going to broadcast the SSID on the rogue device and will limit connectivity during working hours so as not to draw attention. If not detected and removed quickly enough, this can provide the hacker unfettered access to the corporate infrastructure. Diligent companies will have their servers locked down and segmented behind a firewall along with other security measures. What about the user workstations on that segment? How secure are they? They can be compromised for the data they hold, both personal and corporate. It’s extremely rare for us not to have some sort of personal data on our work computers. Additionally, the computer can be used as a pivot point to gain access to those critical servers. Keep in mind that if someone has taken the risk to get an access point on the corporate network, they’ve probably done a significant amount of reconnaissance already. Part of this could have been to sit in a car or lobby and sniff wireless traffic in an effort to gain credentials or other information about your network.</p>
<p><a href="http://wigle.net/"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/12/Wigle-NYC-Wifi.png" alt="NYC Wi-Fi - Wigle" title="NYC Wi-Fi - Wigle" width="270" height="256" class="alignright size-full wp-image-29244" /></a>The other more interesting issue involves rogue access points that are not plugged into the network, but are close enough to cause problems. These are the ones that organizations have a vast amount of trouble dealing with because there is really nothing they can do about them. And if the company is in a major city, like New York, it’s a big headache as the entire city is blanketed by 802.11 networks.</p>
<p>As demonstrated by our friends at Wigle.net, just this two-block area of NYC has hundreds of WLANs. If your company is blocking Facebook or any other favorite sites, what’s stopping users from connecting to &#8220;FreePublicWiFi&#8221;, &#8220;Starbucks&#8221; or some other SSID that’s open and inviting? Or it might be an incidental connection. Many of these residential access points that you can purchase from Best Buy are set up to work right out of the box or with minimal configuration. Often people don’t think to change the SSID of the device. How many “Linksys” SSIDs do you still see today? Most people have their Wi-Fi settings configured to automatically connect to their home’s SSID whenever in range. So what do you think happens when that wireless card sees the home’s SSID when the user is at work? Now, if the user is plugged into the corporate network and connected to a rogue device at the same time, the computer is dual-homed. It’s essentially acting like an open bridge right into the network. Unknowingly, the user can be passing domain credentials and other nuggets of information that would help the hackers get deeper into the network.</p>
<p>Another bad guy trick that is still somewhat effective in heavily congested areas is to set up an access point (physically) close to the company and use their SSID on this device, but not have any security on it. This is typically the easiest to detect as the signal on this device is usually not as strong as the ones inside the company’s walls, as well as other detection criteria that I’ll discuss down the road.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/rogue-access-points-still-here-and-still-a-threat/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IE9 Tracking Protection Lists and ActiveX Filtering</title>
		<link>http://www.trainsignal.com/blog/videos/ie9-tracking-protection-lists-activex-filtering</link>
		<comments>http://www.trainsignal.com/blog/videos/ie9-tracking-protection-lists-activex-filtering#comments</comments>
		<pubDate>Thu, 05 Jan 2012 15:05:48 +0000</pubDate>
		<dc:creator>Chris Magiet</dc:creator>
				<category><![CDATA[Free Computer Training Videos]]></category>
		<category><![CDATA[Internet Explorer]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?post_type=free_video&#038;p=29942</guid>
		<description><![CDATA[CompTIA Security Plus course instructor Lisa Szpunar shows you how to use tracking protection lists and ActiveX filtering in IE9 to help keep you protected from unwanted content in this free video lesson.]]></description>
			<content:encoded><![CDATA[<p>From our <a href="/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security Plus Training">CompTIA Security Plus Training</a>, Lisa Szpunar shows us how to enable tracking protection lists and ActiveX filtering while browsing with Internet Explorer 9.</p>
<p>Once you turn on tracking protection, not <em>all</em> third-party content is necessarily blocked. You may want to use lists to keep track of content you want to block. Lisa simulates what Active X filtering does to sites while browsing, and how to use filtering to allow only certain content to be displayed.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/videos/ie9-tracking-protection-lists-activex-filtering/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Public Key Infrastructure: An Overview of PKI</title>
		<link>http://www.trainsignal.com/blog/videos/pki-overview</link>
		<comments>http://www.trainsignal.com/blog/videos/pki-overview#comments</comments>
		<pubDate>Thu, 29 Dec 2011 15:00:55 +0000</pubDate>
		<dc:creator>Chris Magiet</dc:creator>
				<category><![CDATA[Free Computer Training Videos]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?post_type=free_video&#038;p=29755</guid>
		<description><![CDATA[In this video from CompTIA Security+ Training, Lisa gives an overview of PKI, or Public Key Infrastructure, and how it is used as a guideline for encrypting data.]]></description>
			<content:encoded><![CDATA[<p>From <a href="/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security Plus Training">CompTIA Security Plus Training</a>, this video shows course instructor Lisa Szpunar explaining the function of PKI (Public Key Infrastructure) as a framework for encryption and authentication. Lisa goes step by step to demonstrate how public &#038; private keys secure data that is being transferred.</p>
<p>PKI is an asymmetric, or 2-key, encryption system containing a public key and a private key verified by a digital certificate. Lisa explains the role that certificate authorities play in authentication, as well as how to identify digital certificates.</p>
<h2>Break into IT Security with CompTIA Security+</h2>
<p><a href="http://www.trainsignal.com/comptia-security-plus-training.aspx"><img alt="CompTIA Security Plus Training" src="http://www.trainsignal.com/Assets/ProductImages/CompTIA_Security_Plus_SY0301_able.jpg" title="CompTIA Security Plus Training" class="alignright" width="250" height="250" /></a><br />
CompTIA Security+ Training has been totally re-designed by Lisa Szpunar to keep up-to-date with the SY0-301 certification exam from CompTIA. The course is much more than a piecemeal update with new videos, but rather an entirely new course that covers all the key fundamentals of network security, including:</p>
<ul>
<li>Cryptography Concepts and Tools</li>
<li>Malware Prevention and Cleanup</li>
<li>Application, Data and Host Security</li>
<li>Everything to Pass the Security+ Exam!</li>
</ul>
<p>Take your networking knowledge to the next level with <a href="/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security Plus Training">CompTIA Security Plus Training</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/videos/pki-overview/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT Security: Creating a Computer Security Incident Response Plan (CSIRP)</title>
		<link>http://www.trainsignal.com/blog/it-security-incident-response-plan</link>
		<comments>http://www.trainsignal.com/blog/it-security-incident-response-plan#comments</comments>
		<pubDate>Wed, 28 Dec 2011 16:52:17 +0000</pubDate>
		<dc:creator>Tracey Wilson</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=25142</guid>
		<description><![CDATA[A good understanding of how to create a Computer Security Incident Response Plan (CSIRP) is a must for any IT security professional. Learn about the benefits of having a good plan and how to create one.]]></description>
			<content:encoded><![CDATA[<p>In my last article, we talked about the need for an incident response plan, the risk of not having one in place, and the first step in the process for its creation &#8212; <a href="http://www.trainsignal.com/blog/it-security-csirt">forming a Computer Security Incident Response Team (CSIRT)</a>.  In this article, we will explore the core elements in a Computer Security Incident Response Plan (CSIRP) and how incident containment and risk management can provide peace of mind for IT security personnel, as well as management.</p>
<p>A good understanding of how to create both the CSIRT and CSIRP is important to any IT security professional, whether you&#8217;re preparing for a certification exam, like the <a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx">CompTIA Security+ certification</a> or not. Understanding the benefits of incident response planning and the risks of not having a plan or a team to handle incidents is very important. </p>
<h3>Who is Involved in an Incident Response Plan?</h3>
<p>In the development of an incident response plan, it must first be understood by the IT staff and management that execution of the developed plan is to be performed by the Computer Security Incident Response Team (CSIRT). The team, as described in my previous article, typically consists of the following:</p>
<ul>
<li>CSIRT Team Leader</li>
<li>Incident Lead</li>
<li>Support Members</li>
<li>IT Contact</li>
<li>Management Representative</li>
<li>Legal Representative</li>
<li>Public Relations Representative</li>
<li>Additional IT Incident Responders</li>
</ul>
<p>However, the IT staff is not without responsibility.  All staff members, and to some degree all members of an organization, should be instructed on how to report an incident that has occurred. Education and drills are crucial to ensure proper incident response for security or disaster related issues.</p>
<h3>What Does the Computer Security Incident Response Plan (CSIRP) Contain?</h3>
<p>The first part of the CSIRP should contain a charter that defines the roles and responsibilities of all members. Defining the authority for major decisions like &#8220;WAN disconnection&#8221;, &#8220;reload data from most recent backups&#8221;, or &#8220;monitor and pursue the hacker vs disconnect&#8221; should not be taken lightly. Proper understanding from all levels of the organization is essential and the level of authority must be clearly spelled out in this document. If the members do not have final authority, clear ways to get approval must be identified.</p>
<p>One of the main sections of the CSIRP should contain the qualification for incident severity levels. Small incidents like single system viruses do not require a response by the full CSIRT, but in developing the CSIRP, different criteria can be used to define different incident severity levels.  Examples of different incident severity levels are listed below:</p>
<p><strong>Severity 1</strong> – Small numbers of system probes detected on internal systems or an isolated virus that can be handled by anti-virus software.</p>
<p><strong>Severity 2</strong> – Small numbers of system probes detected on an external system or new information on potential vulnerabilities to systems.</p>
<p><strong>Severity 3</strong> – Significant numbers of system probes detected, penetration or denial of service attack attempts with no impact on operations, or larger instances of known computer viruses that can be handled by anti-virus software.  This severity may also include isolated instances of a new computer virus not handled by anti-virus software.</p>
<p><strong>Severity 4</strong> – Penetration or denial of service attacks attempted with limited impact on operations or larger widespread instances of a new computer virus not handled by anti-virus software. This severity should be used if some risk of negative financial or public relations impact may result.</p>
<p><strong>Severity 5</strong> – Successful penetration or denial of service attacks detected with significant impact on operations.  This severity should be used if significant risk of negative financial or public relations impact may result.</p>
<p>In these examples, incidents in Severity 1 and 2 could be handled without the use of the CSIRT.  The last three levels should result in CSIRT mobilization.</p>
<h3>Incident Declaration</h3>
<p>As I mentioned earlier in this article, it is everyone&#8217;s responsibility in an organization to know how to report an incident. When an incident requiring CSIRT mobilization occurs, a formal incident is declared.  The CSIRP should clearly state how to initiate a declaration and who is responsible for activating the CSIRT.  Normally, the CSIRT team leader notifies members of upper level management or the CSIRT management representative that an incident is occurring or has occurred and then mobilizes the CSIRT team as directed in the CSIRP.</p>
<h3>Response Phases and Procedures</h3>
<p>All CSIRPs should include a step by step response procedure for different incident types, such as hacker penetration, virus incidents, broad scale phishing, etc.  Each of these procedures should follow five phases that are inherent in incident response.  CSIRPs can have these phases listed as general guidelines or integrate them into the more detailed procedures.</p>
<p>The five response phases are as follows:</p>
<ul>
<li><strong>Alert or Warning Phase:</strong> This phase is associated with the process of discovering a security incident or at least, the potential for one.  Once discovered, the incident is reported to the CSIRT.  Discovery methods can include alarms from SNMP traps, firewall or IDS system alerts, anti-spam or anti-virus software alerts, or potential threats via email.  The CSIRT should be alerted by an email or special call number for providing information to the CSIRT.</li>
<li><strong>Triage or Examination Phase:</strong> This phase concerns the examination process of the information provided about the incident.  The CSIRT must determine if the incident is real and then assign a severity level. If the severity is of sufficient level to alert the full CSIRT team, the CSIRT team leader will take action to do so here.  Additional actions must also be considered. The team must allocate resources to deal with a response, but even more critical is the decision to protect or to pursue.  In some cases, protection of all critical assets or containment of the incident is the correct choice, but some opportunities may allow the CSIRT to identify and catch the attackers. Choosing the latter may bring criminal charges against the individuals involved, but may expose the organization&#8217;s assets to potential damage in the process. Caution is highly encouraged here, and clear identification of all risks involved should be discussed and agreed upon before continuing.</li>
<li><strong>Response or Reaction Phase:</strong> The CSIRT gathers evidence in this phase.  If the idea is to pursue, evidence must be collected that would be usable in court and may require a third party to be involved to do this effectively and legally. Once all evidence is collected, it must be analyzed to determine the root cause of the incident, any vulnerability exploits, the method to remove the vulnerabilities and how to resolve the incident. Additional evidence gathered should include systems or data affected, the depth of penetration of the incident into the organization&#8217;s infrastructure, and the level of compromise.</li>
<li><strong>Recovery or Repair Phase:</strong> This phase is concerned with the restoration or repair of data and systems affected by the incident and return to normal operation. Duties involved in this phase may include restoration of data from backups or a complete wipe of a system and re-installation from the original installation media. Systems should be thoroughly tested once restored before they are put back into production and tests should verify that all systems and data are no longer vulnerable to the same attack.</li>
<li><strong>Maintenance or Lessons Learned Phase:</strong> In this phase the CSIRT examines all aspects of the incident from detection to recovery. It is important to document what worked well and any part that requires improvement.  If a new incident was discovered or an old response process needs improvement, the CSIRP should be updated to reflect the CSIRT findings.</li>
</ul>
<h3>Summary</h3>
<p>As we look back on the two articles regarding incident response, it is important to recognize that detailed planning and organization is extremely important to the defense of your organization&#8217;s IT assets.  Documenting procedures for different incident types should be detailed, but at a level to allow flexibility for variations to different scenarios of similar types of incidents. </p>
<p>Any CSIRP should be a living document and all incident processes should take advantage of the Lessons Learned phase to review and update documentation. Even the best plans require buy-in from the organization and need to be followed to be effective. If implemented properly, a CSIRP can significantly reduce the damage an incident can cause and decrease the amount of time the IT environment needs to return to normal operation.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/it-security-incident-response-plan/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>IT Security: Creating a Computer Security Incident Response Team (CSIRT)</title>
		<link>http://www.trainsignal.com/blog/it-security-csirt</link>
		<comments>http://www.trainsignal.com/blog/it-security-csirt#comments</comments>
		<pubDate>Wed, 28 Dec 2011 16:14:44 +0000</pubDate>
		<dc:creator>Tracey Wilson</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=25132</guid>
		<description><![CDATA[There are a number of important benefits to having a Computer Security Incident Response Team (CSIRT) in your organization. In this article we'll explore the importance of developing an IT security response plan and the formation of a CSIRT.]]></description>
			<content:encoded><![CDATA[<p>One of the lessons learned in any profession that looks to protect or prevent an incident of some kind is that no level of protection or prevention is 100% effective. So the next question that you must ask yourself is &#8220;What can be done when a security incident does occur?&#8221;</p>
<p>Several IT security certifications, including the <a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx">CompTIA Security+ certification</a>, do touch on this topic.  However, most IT security professionals must realize the benefits of having an Incident Response Plan and the risks of not having one.  </p>
<p>In this article, we will explore the importance of developing a plan for responding to IT security incidents, beginning with the formation of a Computer Security Incident Response Team (CSIRT).  The next article on this topic will go more in depth into incident response planning as we discuss how to <a href="http://www.trainsignal.com/blog/it-security-incident-response-plan">create a Computer Security Incident Response Plan (CSIRP)</a>.</p>
<h3>Why Do You Need an Incident Response Plan?</h3>
<p>There are several benefits for having an incident response plan in place. First of all, IT security plans contain information for dealing with protection and prevention, but also are a part of disaster recovery and business continuity.  Other aspects must be considered and those are containment, failure analysis and correction, and risk management.</p>
<p>Creating a structured incident response plan can be a great asset to any organization.  Customers that rely on your organization can be assured that information is not only protected, but methods are in place to handle different situations, should they arise.  Financial benefits may also be realized as some insurance companies may offer discounts for coverage in case of loss if protection and mitigation plans are in effect.</p>
<p>The downsides to not having an incident response plan are obvious. The inability to contain an incident can lead to repeated incidents. Information of those incidents will eventually leak out of your organization and public opinion of your organization or more importantly, the opinion of your customers will be jeopardized.  This continual cycle can only lead to disaster.</p>
<p>So where do we start?  You have created your IT security plan and it coincides with the organization&#8217;s plans for business continuity.  The next step is to create a CSIRT &#8212; a Computer Security Incident Response Team &#8212; and identify their mission.</p>
<h3>What is a Computer Security Incident Response Team?</h3>
<p>The CSIRT is the core team responsible for dealing with IT security incidents and managing the impact in your organization. Assembling the proper team and identifying roles and responsibilities is crucial and should not be taken lightly.  IT security professionals may fill several roles on this team, but not always. Let&#8217;s take a look at what the formation of a CSIRT would look like.</p>
<p><strong>1. CSIRT Team Leader</strong>: This is the person responsible for organizing and directing the CSIRT.  Typical duties center on managing incident response processes, but also policies and procedure updates to deal with future incidents.  This person should have a firm grasp of IT security and risk management.</p>
<p><strong>2. Incident Lead</strong>: This is the person designated to coordinate responses to IT security incidents.  It is possible that there could be more than one Incident Lead depending on incident types and levels of expertise. This person should be well versed in IT security and the particular type of IT equipment that incidents may occur on (i.e. servers, networks, firewalls, data archives, etc.).  All information about incidents must be passed through this person before it leaves the team and is passed on to the organization or the public.</p>
<p><strong>3. CSIRT Support Members</strong>: There are several support members that make up the CSIRT team that should be included.  Not all organizations require them, but a solid list should include:</p>
<ul>
<li><strong>IT Contact</strong>: This is a member of your IT staff and should be familiar with your IT infrastructure.  Multi-members that focus on different disciplines may be asked to participate if a multi-disciplined member is not sufficient.</li>
<li><strong>Management Representative</strong>: Your team should always have a representative from the organization&#8217;s management team involved.  This member is the interface to the management staff and should express concerns and ideas to and from the team. Management involvement is essential when dealing with incidents that can gravely affect the financial or operational status of the organization.</li>
<li><strong>Legal Representation</strong>: It is advisable to have some legal representation on your CSIRT. Legal ramifications and procedures against individuals that may have caused an IT security incident may need to be dealt with.</li>
<li><strong>Public Relations/Communications</strong>: This is your outlet to the public and your customer base. Maintaining good PR is always a good idea in a crisis and communicating the details of security incidents and how they are handled can save business relationships.</li>
</ul>
<h3>What Functions Should a CSIRT Perform?</h3>
<p>Beyond the roles stated above there are some key functions that a CSIRT can provide to augment IT security staff.  Functions can include:</p>
<ul>
<li>Additional in depth review of all IT security plans and procedures (additional pairs of eyes never hurts here).</li>
<li>Central communication point when incidents occur.</li>
<li>Can promote IT security awareness and can manage audits and drills.</li>
<li>Assist in evaluation of new technologies and techniques for prevention and containment.</li>
<li>Provide risk management analysis of IT implementations and how it affects the organization.</li>
<li>Investigating new security vulnerabilities and threats and the most adequate response.</li>
<li>Perform the action of the emergency contact group for the organization.</li>
<li>Perform the role of IT emergency system management for all remotely stored system critical information such as: passwords, IP lists, network configurations, firewall rule sets, escalation procedures, etc.</li>
</ul>
<h3>Summary</h3>
<p>So far we have discussed at a high level a key tool that an organization can utilize to effectively deal with IT security incidents.  Finding the right members for your CSIRT is very important and can provide a strong resource for IT security teams to manage incidents and prevent future issues.  </p>
<p>Maintaining IT infrastructure integrity is always important for your business, but if it is your business, managing or mismanaging incident responses could affect the financial stability of your organization.  In our world of IT security threats from various sources, it is imperative to be armed with the best means to combat them.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/it-security-csirt/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Training Release: CompTIA Security Plus Training</title>
		<link>http://www.trainsignal.com/blog/comptia-security-plus-training-sy0301</link>
		<comments>http://www.trainsignal.com/blog/comptia-security-plus-training-sy0301#comments</comments>
		<pubDate>Tue, 27 Dec 2011 15:27:59 +0000</pubDate>
		<dc:creator>Chris Magiet</dc:creator>
				<category><![CDATA[New Training Releases]]></category>
		<category><![CDATA[Networking]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=29713</guid>
		<description><![CDATA[Our new CompTIA course has been updated to meet the requirements of the new SY0-301 exam, and goes above and beyond with brand new lessons for each topic relating to Security Plus. Break into one of the fastest growing fields in IT with CompTIA Security Plus Training taught by TrainSignal's own Lisa Szpunar!]]></description>
			<content:encoded><![CDATA[<p>Break into the IT security field by learning the fundamentals with <a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security Plus Training">CompTIA Security Plus Training</a>.</p>
<p>CompTIA has updated their security exam (SY0-301), and as of the end of 2011 the SY0-201 Security Plus exam will not be available to take. While certain security concepts and applied knowledge will still be relevant to new security standards, the career benefits of current CompTIA Security Plus certification are significant.</p>
<h2>CompTIA Security Plus Training: Now Available</h2>
<p><a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/12/CompTIA_Security_Plus_SY0301_able.jpg" alt="CompTIA Security Plus Training" title="CompTIA Security Plus Training" width="200" height="200" class="alignleft size-full wp-image-29715" /></a><br />
The new <a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security Plus Training">CompTIA Security Plus Training</a> course is much more than a series of updates that correspond to requirements of the new exam. This course has been fully re-created to make sure you have all the information you need to pass the exam. </p>
<p>The SY0-301 exam can also open doors to jobs with attractive organizations that hire for positions such as security architect, security engineer, and network administrator, which require up-to-date certification for consideration, <a href="http://certification.comptia.org/getCertified/certifications/security.aspx" title="CompTIA Security Plus">according to CompTIA</a>.</p>
<p>Some of the key lessons in this re-created course are:</p>
<ul>
<li>Network Security Compliance</li>
<li>Operational Security</li>
<li>Threats and Vulnerabilities</li>
<li>Application, Data and Host Security</li>
<li>Access Control and Identity Management</li>
<li>Cryptography Concepts and Tools</li>
</ul>
<p>You will also learn about essential types of attacks, as well as malware prevention and cleanup. There is also a strong focus on secure network administration best practices including disaster recovery planning and securing of applications. Ultimately, all the lessons make up comprehensive preparation for updated CompTIA Security Plus certification. </p>
<p>The course instructor is Lisa Szpunar, a former elementary school teacher, librarian, and network administrator. Lisa specializes in systems design and security with a Master of Science in Computer Science, CompTIA Security+ SY0-201 and SY0-301, A+, MCTS. Her unique background in education and techie expertise help make a fun and engaging learning environment for her students.</p>
<p>Take your networking skills to the next level with a certification and <a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security Plus Training">CompTIA Security Plus Training</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/comptia-security-plus-training-sy0301/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>WLAN Authentication and Encryption</title>
		<link>http://www.trainsignal.com/blog/wireless-encryption-authentication</link>
		<comments>http://www.trainsignal.com/blog/wireless-encryption-authentication#comments</comments>
		<pubDate>Wed, 09 Nov 2011 13:18:35 +0000</pubDate>
		<dc:creator>Sean Wilkins</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Wireless Networking]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=28114</guid>
		<description><![CDATA[Wireless networks are particularly prone to threats and attacks, that's why WLAN authentication and encryption are vital to ensure a secure networking environment. Learn about the most commonly used wireless LAN authentication and encryption methods.]]></description>
			<content:encoded><![CDATA[<p>When deploying a wireless LAN, it is very important to deploy secure methods for authentication and encryption so that the network can only be used by those individuals and devices that are authorized. This article takes a look at the commonly used methods of wireless LAN authentication as well as the available encryption methods.</p>
<h3>WLAN Authentication Methods</h3>
<p>It is important to understand that being authenticated onto a wireless network is distinct from having the traffic passed over it encrypted. It is possible to be authenticated onto a network and pass open unencrypted traffic; this section looks at the commonly used methods of authentication.</p>
<p>There are three main methods of authentication that are used on today’s wireless LANs:</p>
<ul>
<li>open authentication</li>
<li>shared authentication</li>
<li>EAP (Extensible Authentication Protocol) authentication</li>
</ul>
<p>The <strong>open authentication</strong> method is the simplest of the methods used and only requires that the end device be aware of the Service-Set Identifier (SSID) used on the network; as long as the SSID is known, the device will be allowed onto the network. The problem with this method is that the SSID is typically broadcast, and if it is not, it can be easy to figure out with passive capturing techniques. </p>
<p>The <strong>shared authentication</strong> method is commonly used on individual and small business wireless LAN implementations; this method uses a shared key (Pre-Shared Key – PSK) that is given to both sides of the connection; if they match then the device is allowed onto the network. </p>
<p>The third method uses the <strong>Extensible Authentication Protocol (EAP)</strong> and is the most common method used by enterprises. The EAP method utilizes an authentication server that is queried for authentication using a variety of credential options.</p>
<h3>WLAN Encryption Methods</h3>
<p>Along with the method used for authentication, the choice of encryption method is a very important part of deploying a wireless LAN. Many of the encryption methods that were implemented in earlier wireless LAN standards have been proven insecure and have been deprecated in favor of more modern methods. As time goes on, this is sure to happen with all encryption techniques as they are used more commonly (thus becoming a target for exploitation) and as processing power continues to increase.</p>
<p>Here are the WLAN encryption methods we&#8217;ll review today:</p>
<ul>
<li>Wired Equivalent Privacy (WEP)</li>
<li>Wi-Fi Protected Access (WPA)</li>
<li>Wi-Fi Protected Access 2 (WPA2)</li>
</ul>
<p>The first widely used standard for wireless LANs was 802.11 (prime); this included the <strong>Wired Equivalent Privacy (WEP)</strong> algorithm which was used for security. WEP utilizes RC4 for encryption and has been deprecated because of vulnerabilities that can be used to find the security keys.</p>
<p>In response to the vulnerabilities found in WEP, <strong>Wi-Fi Protected Access (WPA)</strong> was defined. WPA utilizes the Temporal Key Integrity Protocol (TKIP), which uses dynamic keys (something WEP did not support) together with RC4 for encryption. TKIP was used with WPA until vulnerabilities were found in TKIP itself. These vulnerabilities center on the fact that TKIP uses some of the same mechanisms that WEP does, which allows similar attacks.</p>
<p>In response to the vulnerabilities in WPA/TKIP, the IEEE 802.11i standard was defined and implemented; the IEEE 802.11i standard is also referred to as WPA2. <strong>WPA2</strong> replaced TKIP with Counter Mode with Cipher Block Chaining Message Authentication Code Protocol (CCMP) which is based on Advanced Encryption Standard (AES); it is common for the WPA2 encryption method to be referred to as AES. As of this writing, there are no easy methods that have been found to break AES.</p>
<h3>Summary</h3>
<p>How secure a wireless LAN is greatly depends on a number of different configuration parameters that must be entered correctly. The problem with many existing wireless LANs is that the people who are implementing them simply do not have the security knowledge required to maintain a secure wireless network. </p>
<p>All existing and future wireless LAN implementers should make the effort to learn about the most secure methods provided by the chosen equipment (and quite possibly be part of the equipment selection process). The advantage that most modern equipment has is that the WPA2 standard is supported and not that hard to implement.</p>
<p>Hopefully this article can act as a primer to this education and will provide current and future WLAN administrators some information they need to secure their networks. </p>
<h3>Wireless Security Training Resources:</h3>
<p>If you&#8217;re interested in learning more about Wireless LAN security, then take a look at these course offerings to see which one is right for you:</p>
<ul>
<li><a href="http://www.trainsignal.com/Cisco-CCNA-Wireless-Training.aspx" title="Cisco CCNA Wireless Training">Cisco CCNA Wireless Training</a></li>
<li><a href="http://www.trainsignal.com/CWNA-Training.aspx" title="CWNA Training">Certified Wireless Network Administrator Training</a></li>
<li><a href="http://www.trainsignal.com/Cisco-CCNA-Security-Training.aspx" title="Cisco CCNA Security Training">Cisco CCNA Security Training</a></li>
<li><a href="http://www.trainsignal.com/CompTIA-Security-Plus-Training.aspx" title="CompTIA Security+ Training">CompTIA Security+ Training</a></li>
</ul>
<h3>Recommended Reading:</h3>
<ul>
<li><a href="http://www.trainsignal.com/blog/wireless-lan-security-threats" title="Wireless Security Considerations: Common Security Threats to Wireless Networks">Wireless Security Considerations: Common Security Threats to Wireless Networks</a></li>
<li><a href="http://www.trainsignal.com/blog/cisco-ccna-security-network-threat" title="How to Prevent Threats and Attacks on Your Cisco Network">How to Prevent Threats and Attacks on Your Cisco Network</a></li>
<li><a href="http://www.trainsignal.com/blog/wireless-lan-security" title="Warning: Your Wireless Communication Might Not Be Secure!">Warning: Your Wireless Communication Might Not Be Secure!</a></li>
<li><a href="http://www.trainsignal.com/blog/top-10-security-threats" title="Top 10 Security Threats Every IT Pro Should Know">Top 10 Security Threats Every IT Pro Should Know</a></li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/wireless-encryption-authentication/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Wireless Security Considerations: Common Security Threats to Wireless Networks</title>
		<link>http://www.trainsignal.com/blog/wireless-lan-security-threats</link>
		<comments>http://www.trainsignal.com/blog/wireless-lan-security-threats#comments</comments>
		<pubDate>Wed, 02 Nov 2011 14:36:04 +0000</pubDate>
		<dc:creator>Sean Wilkins</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Wireless Networking]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=28110</guid>
		<description><![CDATA[Unlike a wired network which requires physical access to a device, a wireless network can be targeted and exploited from a distance. Learn about the basic wireless LAN security threats and how to prevent them.]]></description>
			<content:encoded><![CDATA[<p>With the deployment of wireless LANs in almost any type of environment, the risk of attacks occurring on wireless networks goes up. A number of different reasons are behind this, but it mainly stems from a lack of wireless network knowledge. </p>
<p>Unlike a wired network which requires physical access to a device, a wireless network can be targeted and exploited from a distance. This article reviews some basic wireless security fundamentals and reviews some of the most common threats that exist when deploying wireless networks.</p>
<h3>Wireless Security Basics</h3>
<p>There are a number of basic fundamentals that a person or company needs to be aware of when deploying a wireless network. The first is a basic understanding of what frequencies will be used by the equipment being deployed; this is very important when deploying a wireless network as it affects the amount of interference that the network will be subject to depending on the specific environment. </p>
<p>At this point in time, there are two main frequency bands that are used for wireless LANs (802.11); these include the 2.4 GHz and 5 GHz bands. From a security perspective, the choice of frequency does not greatly affect the security risk of the network. What it does affect is the number of available non-overlapping channels that are available on the network; for the most part this will not affect security except when an attacker is attempting to jam or block a specific frequency to force wireless endpoints to switch Access Points (AP).</p>
<p>Endpoint devices identify wireless networks using a service set identifier (SSID) along with a set of security parameters. On most wireless deployments, the SSID is broadcast from the APs allowing the clients the ability to easily associate. It is possible to not broadcast the SSID which provides a little protection from those wireless network attackers with little operating knowledge; however for an experienced wireless attacker this is not a very effective security measure. </p>
<p>The real security for a wireless network comes from the selection of a proven security technique; a number of different security techniques have been deployed and subsequently broken. As of this writing the most secure technique is <strong>IEEE 802.11i</strong>, which is also known as <strong>WPA2</strong>. This standard provides two different modes of operation, typically referred to as Personal (or Pre-Shared Key, PSK) and Enterprise:</p>
<ul>
<li><strong>WPA2-Personal</strong>  &#8211; utilizes a shared key that is communicated to both sides (AP and client) before establishing a wireless connection; this key is then used to secure the traffic.</li>
<li><strong>WPA2-Enterprise</strong> &#8211; utilizes the IEEE 802.1X protocol to authenticate a wireless client using an authentication server before traffic is allowed.</li>
</ul>
<h3>Common Wireless Threats</h3>
<p>There are a number of main threats that exist to wireless LANs; these include:</p>
<ul>
<li>Rogue Access Points/Ad-Hoc Networks</li>
<li>Denial of Service</li>
<li>Configuration Problems (Mis-Configurations/Incomplete Configurations)</li>
<li>Passive Capturing</li>
</ul>
<p>Let&#8217;s go through each of these in more detail.</p>
<h3> &bull; Rogue Access Points/Ad-Hoc Networks</h3>
<p>One method that is often used by attackers targeting wireless LANs is to set up a rogue access point that is within the range of the existing wireless LAN. The idea is to &#8216;fool&#8217; some of the legitimate devices into associating to this access point over the legitimate access points. </p>
<p>To really be effective, this type of attack requires some amount of physical access; this is required because if a user associates with a rogue access point and is then unable to perform any of their normal duties, the vulnerability will be short lived and not that effective. If an attacker is able to gain access to a physical port on a company network and then hook the access point into this port, it is possible to get devices to associate with the rogue access point and capture data through it for an extended period of time. The exception to this is when the wireless LAN being targeted only provides Internet access; it is much easier for a rogue access point to offer simple Internet access and leave the user unaware of their vulnerability for an extended amount of time.</p>
<p>Related to rogue access points are unauthorized access points (not malicious) and unauthorized ad-hoc networks. In these situations, a legitimate user sets up an access point or ad-hoc network for their use but does not implement proper security techniques, which provides an opening for watching attackers.</p>
<h3> &bull; Denial of Service</h3>
<p>Anybody familiar with network security is aware of the concept of denial of service (DoS). It is one of the simplest network attacks to perpetrate because it only requires limiting access to services. This can be done by simply sending a large amount of traffic at a specific target. Of course, the amount of traffic required to affect a target device can be much higher than the capabilities of a single machine.</p>
<p>However, the flooding of traffic is not the only way to limit access to services; for wireless networks it can be much easier as the signal can be interfered with through a number of different techniques. When a wireless LAN is using the 2.4 GHz band, interference can be caused by something as simple as a microwave oven or a competing access point on the same channel. Because the 2.4 GHz band is limited to only 3 non-overlapping channels (U.S.), an attacker just needs to cause enough interference into these three channels to cause service interruption. </p>
<p>A denial of service attack can also be used in conjunction with a rogue access point. For example, a rogue access point could be set up in a channel not used by the legitimate access point, and then a denial of service attack could be launched at the channel currently being used, causing endpoint devices to try to re-associate onto a different channel which is used by the rogue access point.</p>
<h3> &bull; Configuration Problems</h3>
<p>Simple configuration problems are often the cause of many vulnerabilities; this is because many consumer/SOHO grade access points ship with no security configuration. A novice user can set up one of these devices quickly and gain access. However, without further configuration they also open up their network to external use. </p>
<p>Other potential issues with configuration include weak passphrases, weak security deployments (i.e. WEP vs WPA vs WPA2), and default SSID usage among others.</p>
<h3> &bull; Passive Capturing</h3>
<p>Passive capturing is performed by simply getting within range of a target wireless LAN and then listening and capturing data. This information can be used for a number of things including attempting to break existing security settings and analyzing non-secured traffic. It is almost impossible to really prevent this type of attack because of the nature of a wireless network; what can be done is to implement high security standards using complex parameters.</p>
<h3>Summary</h3>
<p>The nature of a wireless network is to provide easy access to end users, but this ease of access creates a more open attack surface. Unlike a wired network that requires an attacker to physically access part of the network, a wireless network only requires that the attacker be in close proximity (and even this is relative). </p>
<p>The best attitude to take towards wireless security is to be constantly vigilant; ensure that the security used on a wireless network is adapted as the standards change to ensure a high level of security. </p>
<p>Hopefully the information within this article will be your starting point in securing your wireless networks. If you&#8217;re interested in learning more about wireless networking and wireless security, then take a look at TrainSignal&#8217;s <a href="http://www.trainsignal.com/Cisco-CCNA-Wireless-Training.aspx" title="Cisco CCNA Wireless Training">Cisco CCNA Wireless Training</a> and <a href="http://www.trainsignal.com/CWNA-Training.aspx" title="Wireless Networking and Administration Training">CWNA Training</a> which focus on wireless networking and administration.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/wireless-lan-security-threats/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Forefront TMG 2010 Tutorial: Publishing Servers</title>
		<link>http://www.trainsignal.com/blog/videos/forefront-tmg-tutorial</link>
		<comments>http://www.trainsignal.com/blog/videos/forefront-tmg-tutorial#comments</comments>
		<pubDate>Thu, 11 Aug 2011 15:00:38 +0000</pubDate>
		<dc:creator>Chris Magiet</dc:creator>
				<category><![CDATA[Free Computer Training Videos]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Forefront TMG]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?post_type=free_video&#038;p=25773</guid>
		<description><![CDATA[Are you using Forefront Threat Management Gateway 2010? Then make sure to check out this video where instructor Scott Lowe gives you a hands-on look at publishing servers using Forefront TMG 2010.]]></description>
			<content:encoded><![CDATA[<p>Our <a href="http://www.trainsignal.com/Forefront-Threat-Management-Gateway-2010-Training.aspx">Forefront Threat Management Gateway 2010 training</a> has just been released. This course, taught by instructor Scott Lowe (MCSE, CNA), guides you on the full implementation process for establishing this security tool from Microsoft. </p>
<p><a href="http://www.trainsignal.com/Forefront-Threat-Management-Gateway-2010-Training.aspx"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/08/Forefront-Threat-Management-Gateway-300x300.jpg" alt="Forefront TMG 2010 Training" title="Forefront TMG 2010 Training" width="245" height="245" class="alignleft size-medium wp-image-25752" /></a>This video goes over publishing servers, a very important service in Forefront TMG. Scott will show you how being comfortable with application publishing allows for remote access to various services.</p>
<p>Our training is suited to every level, from a beginner&#8217;s familiarity through advanced knowledge of network security, to help you take advantage of all the features this security tool has to offer. </p>
<p>Learn more about our <a href="http://www.trainsignal.com/Forefront-Threat-Management-Gateway-2010-Training.aspx">Forefront TMG 2010 training</a> to see how this course can benefit your security needs.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/videos/forefront-tmg-tutorial/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Training Release: Forefront Threat Management Gateway 2010 Training</title>
		<link>http://www.trainsignal.com/blog/forefront-tmg-2010-training</link>
		<comments>http://www.trainsignal.com/blog/forefront-tmg-2010-training#comments</comments>
		<pubDate>Wed, 10 Aug 2011 18:00:58 +0000</pubDate>
		<dc:creator>Chris Magiet</dc:creator>
				<category><![CDATA[New Training Releases]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Forefront TMG]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=25750</guid>
		<description><![CDATA[Learn how Forefront Threat Management Gateway 2010 enables security tools that protect your network infrastructure from security threats in our new training course by instructor Scott Lowe.]]></description>
			<content:encoded><![CDATA[<p>Protection from internet security threats has grown to be a concern for almost every business. Company networks are susceptible to intrusion without a proper firewall. Microsoft Forefront Threat Management Gateway 2010 provides firewall protection for small, medium, and large size enterprises. Businesses that are looking to enhance their internet threat protection while maintaining costs and productivity can find benefits from using Forefront TMG 2010.</p>
<p>Implementing Forefront TMG enables security tools that protect your network infrastructure from security threats by using antimalware inspection, intrusion prevention, HTTP/HTTPS inspection, and more. The concise, easy-to-use interface can have a positive impact on a company’s planning and productivity.</p>
<h3>Microsoft Forefront TMG 2010 Training: Available Now</h3>
<p><a href="http://www.trainsignal.com/Forefront-Threat-Management-Gateway-2010-Training.aspx"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/08/Forefront-Threat-Management-Gateway-300x300.jpg" alt="Forefront TMG 2010 Training" title="Forefront TMG 2010 Training" width="245" height="245" class="alignleft size-medium wp-image-25752" /></a>Our <a href="http://www.trainsignal.com/Forefront-Threat-Management-Gateway-2010-Training.aspx" title="Forefront TMG 2010 Training">Forefront Threat Management Gateway 2010</a> training course guides you through the basic setup of Forefront TMG, leading into advanced tutorials that cover under-utilized features that can benefit the unique needs of a network.</p>
<p>Since Forefront TMG supports simple, timely threat management, learning its features through this course will enable you to adapt your firewall to address ever-changing demands of your network.  For beginners, this course will help you develop skills for implementing your security, and for more advanced administrators this course will provide detailed tutorials for utilizing more configurations. No matter your level of experience, our TMG training will enhance your practical knowledge of internet security using Forefront TMG.</p>
<p><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/08/Scott-Lowe_96x96.jpeg" alt="Instructor Scott Lowe" title="Scott Lowe" width="96" height="96" class="alignright size-full wp-image-25768" />Instructor Scott Lowe emphasizes the entire process, from basic setup to advanced, real-world threat management scenarios. He shows you how to apply an in-depth understanding of TMG’s features that will help you reduce time spent resolving security issues. Scott writes many articles for CNet’s TechRepublic, TechTarget, and TechGenix, and brings to the table 16 years of IT experience.</p>
<p>Don’t leave your network out to dry. Learn how <a href="http://www.trainsignal.com/Forefront-Threat-Management-Gateway-2010-Training.aspx" title="Forefront TMG 2010 Training">Forefront TMG 2010 Training</a> can help you optimize your security management.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/forefront-tmg-2010-training/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>vSphere Security: A Tour of the vSphere vShield Suite</title>
		<link>http://www.trainsignal.com/blog/vsphere-vshield</link>
		<comments>http://www.trainsignal.com/blog/vsphere-vshield#comments</comments>
		<pubDate>Wed, 20 Jul 2011 15:00:11 +0000</pubDate>
		<dc:creator>Jason Nash</dc:creator>
				<category><![CDATA[VMware Virtualization]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=25269</guid>
		<description><![CDATA[Learn what the vShield suite offers and how you can take advantage of each component including: vShield Zones, vShield Endpoint, vShield Edge, and vShield App in your vSphere environment. ]]></description>
			<content:encoded><![CDATA[<p>One area of confusion for many VMware administrators is the <a href="http://www.vmware.com/products/vshield/overview.html">VMware vShield</a> suite of technologies. In fact, many do not even realize they have part of this suite included with their Advanced, Enterprise, or Enterprise Plus license.  To be honest, and fair to the aforementioned administrators, VMware isn&#8217;t always clear in their messaging about vShield.  </p>
<p>So let&#8217;s go through what the vShield suite offers and how you can take advantage of it in your environment.</p>
<p>The vShield suite is a complementary set of technologies. At first glance they may appear to overlap, but they do not. The suite is made up of the following products:</p>
<ul>
<li>vShield Manager</li>
<li>vShield Zones</li>
<li>vShield App</li>
<li>vShield Edge</li>
<li>vShield Endpoint</li>
</ul>
<p>Let&#8217;s take a look at each one of these.</p>
<h3>vShield Manager</h3>
<p>The first thing we need to talk about is how you manage all these pieces and parts.  Thankfully, VMware provides a single management and control appliance for vShield, and that is vShield Manager.  You just deploy a Linux-based appliance and you’re ready.  From vShield Manager you deploy, configure, and monitor all other vShield pieces via a simple web interface.</p>
<h3>vShield Zones</h3>
<p>The first one is vShield Zones, and many of you probably already have licenses for this as it&#8217;s included in vSphere Advanced, Enterprise, and Enterprise Plus.  It&#8217;s a very powerful, and easy to use, virtual firewall.  Ever wanted to be able to firewall virtual machines from each other or from other physical systems?  This is for you!  It&#8217;s simple and effective.</p>
<p>vShield Zones allows you to define access rules using standard 5-tuple rule sets.  The five elements of the tuple are:</p>
<ul>
<li>Source Address</li>
<li>Destination Address</li>
<li>Source Port</li>
<li>Destination Port</li>
<li>Protocol</li>
</ul>
<p>When you deploy vShield Zones to a vSphere host a &#8220;service VM&#8221; is installed.  That VM is the gatekeeper for traffic flowing in and out of the system and it is what applies the security policies. It&#8217;s lightweight and not something you have to manage, but it does use some resources.</p>
<p>The only downside to vShield Zones is that the rule sets are all IP based. You may be saying &#8220;Well, yeah&#8230; it&#8217;s a firewall, right?&#8221; but wouldn&#8217;t it be nice if you could define rule sets against logical collections of VMs?</p>
<h3>vShield App</h3>
<p>If you answered &#8220;Yes!&#8221; to that question then you should look at vShield App. vShield App isn&#8217;t really another product; it&#8217;s an enhancement to vShield Zones. You purchase licenses on a per-VM basis and apply them in vCenter, which turns vShield Zones into vShield App. With that you get some really cool features.</p>
<p>First, you can now define rule sets against logical groups of VMs. These can be groups that you create, maybe a set of VMs with similar applications and security requirements, or use other existing groupings such as vApp.  This way you can create one ruleset and apply it to many VMs based on business or application requirements, not just IP addresses or subnet ranges.</p>
<p>Second, you get a lot more insight into what your VMs are doing on the network. vShield App shows you which protocols are flowing across your virtual switches, traffic levels, and other really useful information if you want to see what your VMs are doing.  It takes vShield Zones to the next level.</p>
<h3>vShield Edge</h3>
<p>While vShield Zones and App provide VM or application level network security, Edge moves out to the perimeter.  Maybe you need to separate environments or have a multi-tenant configuration, and that&#8217;s where Edge comes in. Edge provides this segmentation while also providing &#8220;common services&#8221; to the VMs inside the perimeter.   These services are:</p>
<ul>
<li>DHCP</li>
<li>Network Address Translation (NAT)</li>
<li>Site-to-Site VPN</li>
<li>Web Load-balancing</li>
<li>Stateful Firewalling</li>
</ul>
<p><a href="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/vsphere-vshield-edge.png"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/vsphere-vshield-edge.png" alt="vSphere vShield Edge" title="vSphere vShield Edge" width="640" class="aligncenter size-full wp-image-25270" /></a></p>
<p>While it&#8217;s easy to see how this applies to a multi-tenant solution, such as a managed service provider with many customers, it can also be used by a single organization with internal groups that have different security requirements and need separation.</p>
<h3>vShield Endpoint</h3>
<p>Endpoint has been the forgotten vShield component, mainly because it&#8217;s not really a product or something you can just implement and use. Think of it like vStorage APIs.  By themselves they don&#8217;t really do much but pair them with a good 3rd party application and you get some really cool functionality.  </p>
<p>vShield Endpoint provides hypervisor level guest security.  What I mean by that is that you can provide anti-malware, deep packet inspection, intrusion detection/prevention, etc to a guest operating system without installing complex agents inside those VMs.  Instead, as data moves through the hypervisor it is inspected and permitted or denied.  It does this by using a &#8220;service VM&#8221; installed on each vSphere host, very much like vShield Zones/App.</p>
<p><a href="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/vsphere-vsheild-endpoint.png"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/vsphere-vsheild-endpoint.png" alt="vSphere vShield Endpoint" title="vSphere vShield Endpoint" width="640" class="aligncenter size-full wp-image-25271" /></a></p>
<p>What 3rd party tools take advantage of this? Right now the most popular is <a href="http://us.trendmicro.com/us/products/enterprise/datacenter-security/deep-security/">Trend Micro&#8217;s Deep Security</a> that provides anti-malware, DPI, and anti-virus protection to VMs. While making the administrator&#8217;s life simpler by not having to deploy complex agents to each VM it also helps to GREATLY reduce resources. By using these tools you can cut the resources required for this protection by 50% over doing it the old way with agents.  Wow! Think about what that means for a really dense VDI environment!</p>
<h3>Get Started with the vSphere vShield Suite</h3>
<p>Hopefully this helps demystify the vShield suite for you. The key thing to remember is that they are a complementary set of products and technologies. You can deploy these in a layered approach to apply very configurable security policies.  While not everyone needs all of the components, you can pick and choose exactly what you want.</p>
<p>In my new <a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx">vSphere Security Training</a> we look at these components and dive deep into vShield Manager, vShield Zones, vShield Endpoint, and Trend Micro&#8217;s Deep Security.  </p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/vsphere-vshield/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Training Release: VMware vSphere Security Design Training</title>
		<link>http://www.trainsignal.com/blog/videos/vsphere-security-training</link>
		<comments>http://www.trainsignal.com/blog/videos/vsphere-security-training#comments</comments>
		<pubDate>Tue, 19 Jul 2011 16:03:52 +0000</pubDate>
		<dc:creator>Kasia Lorenc</dc:creator>
				<category><![CDATA[New Training Releases]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[TrainSignal]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?post_type=free_video&#038;p=25324</guid>
		<description><![CDATA[Our new VMware vSphere Security Design Training has just been released! In this exclusive video, instructor Jason Nash talks about the benefits of the course and more.]]></description>
			<content:encoded><![CDATA[<p>Our <a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx">VMware vSphere Security Design Training</a> has just been released. The course is taught by VCDX#49 Jason Nash and VCDX#53 Lane Leverett and will teach you everything you need to know to properly secure your vSphere environment. This course also covers Section 7 of the VCAP-DCA exam on securing vSphere. </p>
<p><a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/vmware_vsphere_security_design-300x300.jpg" alt="VMware vSphere Security Design Training" title="VMware vSphere Security Design Training" width="250" height="250" class="alignleft size-medium wp-image-25334" /></a>In this video, instructor Jason Nash talks about how you&#8217;ll benefit from this training and who this course was designed for. </p>
<p>The training offers a good virtualization security primer, but it goes well beyond the basics. It will help you take advantage of all the security features that are available, including some free and paid 3rd party tools.</p>
<p>Learn more about our <a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx">VMware vSphere Security Design Training</a> and see if the course is right for you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/videos/vsphere-security-training/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>VMware vSphere Security for Unfrozen Caveman Security Architects</title>
		<link>http://www.trainsignal.com/blog/vmware-vsphere-security</link>
		<comments>http://www.trainsignal.com/blog/vmware-vsphere-security#comments</comments>
		<pubDate>Mon, 18 Jul 2011 15:00:10 +0000</pubDate>
		<dc:creator>Sean Clark</dc:creator>
				<category><![CDATA[VMware Virtualization]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[Virtualization]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=25285</guid>
		<description><![CDATA[Virtualization security has remarkably changed in the last decade. For an unfrozen caveman security architect from 2002, securing today's virtualized cloud environments requires new training, approaches and tools. ]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/unfrozenCavemanSecurity.jpg" alt="Unfrozen Caveman " title="Unfrozen Caveman " width="210" height="264" class="alignright size-full wp-image-25291" />The implementation of security controls within a highly virtualized (dare I say cloud?) world has been turned on its head since the peak of the physical server days circa 2002. Servers that were once easy to inventory and easy to follow cables to are now deployed on demand by provisioning systems like VMware vCloud Director, and networking is controlled by virtual constructs: virtual switches, virtual switch VLAN tagging, VLANs, and even virtualized firewalls living within the virtual environment. </p>
<p>For an unfrozen caveman security architect from 2002 (caveman lawyer anyone?), securing today&#8217;s virtualized cloud environments is going to require some new training, approaches and tools. As an example, let&#8217;s look at application security in a hybrid cloud environment (apps on-site and apps externally hosted in &#8220;the cloud&#8221;).</p>
<p>SaaS (Software as a Service) is here to stay in the personal computing space and its toehold within enterprise IT is growing steadily. SaaS apps allow businesses to pay per use for solutions that are ready out of the box without the hassle associated with internally developed and hosted applications. As hard as your unfrozen caveman security guy tries, stopping the SaaS explosion because of security concerns will be an uphill battle. The best course of action will be to work with solutions to the management and security nightmare that SaaS can create. </p>
<p>Problems like silo-ed identity stores beyond IT control and no &#8220;kill switch&#8221; for quickly shutting down access of terminated employees are just a few of the issues. The unfrozen caveman security architect also has a user side of this equation to worry about. Users of SaaS are also affected in that they have multiple logins and passwords to remember. There is also no single pane of glass to enter into all their applications. Cloud application gateways help Enterprises have their cake and eat it too. VMware Horizon App Manager is one good example of this kind of product.</p>
<p>These cloud application gateways are called by different names, but essentially they virtualize the entry and authentication into cloud apps. They do so by linking enterprise directories to SaaS app authentication systems through mechanisms like OAUTH and SAML. This is key in allowing the single sign on features and access management for SaaS apps. Since the users use their enterprise login credentials to access all these SaaS applications, unfrozen caveman security architects have the ability to hit the &#8220;kill switch&#8221; on a user that no longer works for the company or is found to be doing nefarious activities on company time. </p>
<p>VMware Horizon App Manager can also simplify life for the users by offering up an &#8220;App Store&#8221;-like interface to their authorized applications. Horizon App Manager can be the gateway to SaaS apps, but can also front-end internally hosted web apps or VMware View desktops. The user’s life is also simplified through having only one password for all their applications. Unfrozen caveman security architect can have his cake and eat it, too.</p>
<p>But an unfrozen caveman security architect is probably jumping the gun a bit. Securing access to the VMware virtual infrastructure is probably called for first before tackling cloud computing&#8217;s myriad of security opportunities. But where to start? Well, unfrozen caveman security architect is a busy guy and doesn&#8217;t have time to miss work and travel to learn about VMware security. He would prefer to learn quickly in some sort of video-based instruction designed to jumpstart his VMware security skillset.</p>
<p><a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx"><img src="http://www.trainsignal.com/blog/wp-content/uploads/2011/07/vsphere_security_training-300x300.jpg" alt="VMware vSphere Security Design Training" title="VMware vSphere Security Design Training" width="300" height="300" class="alignleft size-medium wp-image-25288" /></a>Well, TrainSignal is launching a <a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx">VMware vSphere Security Design Training</a> course specifically catering to his needs. This new training is introduced by TrainSignal rock star <a href="http://www.trainsignal.com/blog/author/david-davis">David Davis</a>, but the meat of the presentation is instructed by VCDXers Jason Nash (<a href="http://twitter.com/#!/nash_J">@nash_j</a>) and Lane Leverett (<a href="http://twitter.com/#!/wolfbrthr">@wolfbrthr</a>). These guys have great security backgrounds and IT experience, and both are respected VMware Certified Design Experts, VMware’s highest certification. In this course they introduce the fundamentals of datacenter security and then dive deep into securing VMware vSphere.  They finish up covering some of the leading VMware security tools on the market today. To learn more about this course you can visit TrainSignal&#8217;s <a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx">VMware training</a> page and order today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/vmware-vsphere-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Get Rid of That Annoying SSL Certificate Warning in VMware vSphere</title>
		<link>http://www.trainsignal.com/blog/videos/vsphere-ssl-certificate</link>
		<comments>http://www.trainsignal.com/blog/videos/vsphere-ssl-certificate#comments</comments>
		<pubDate>Thu, 14 Jul 2011 22:30:04 +0000</pubDate>
		<dc:creator>Kasia Lorenc</dc:creator>
				<category><![CDATA[Free VMware Training Videos]]></category>
		<category><![CDATA[Security]]></category>
		<category><![CDATA[VMware]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?post_type=free_video&#038;p=25219</guid>
		<description><![CDATA[Learn how to eliminate that annoying SSL certificate warning when connecting to ESXi or vCenter server from vSphere client in this demo from our new vSphere Security training.]]></description>
			<content:encoded><![CDATA[<p>The vSphere SSL certificate warning can be very annoying when you&#8217;re connecting to an ESXi server, or a vCenter server from your vSphere client. </p>
<p>In this video from our <a href="http://www.trainsignal.com/VMware-vSphere-Security-Design-Training.aspx" title="vSphere Security Training">vSphere Security Design Training</a>, VCDX Jason Nash (<a href="http://twitter.com/#!/nash_j">@nash_j</a>) demonstrates how to create a new SSL certificate using the command prompt and how to submit it to the local certificate authority, thereby eliminating the annoying SSL certificate warning. </p>
<p>Jason&#8217;s new vSphere Security Training has an entire lesson dedicated to working with SSL certificates in vSphere along with vSphere security topics that will help you prepare for section 7 of the VMware Certified Advanced Professional &#8211;  Datacenter Administration (VCAP &#8211; DCA) exam. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/videos/vsphere-ssl-certificate/feed</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>KeePassX: Free Password Manager for Linux and Mac OS X</title>
		<link>http://www.trainsignal.com/blog/keepassx-free-password-manager</link>
		<comments>http://www.trainsignal.com/blog/keepassx-free-password-manager#comments</comments>
		<pubDate>Wed, 06 Apr 2011 15:00:33 +0000</pubDate>
		<dc:creator>Veronica Henry</dc:creator>
				<category><![CDATA[Tips and Tutorials]]></category>
		<category><![CDATA[Linux]]></category>
		<category><![CDATA[Mac OSX]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=20236</guid>
		<description><![CDATA[KeePassX is a free password manager that works on Linux and Mac OS X and allows you to store all your passwords in a single database that can be accessed through one primary password. Instead of having to remember a myriad of passwords, with KeePassX you only have to remember one.]]></description>
			<content:encoded><![CDATA[<p>Passwords have become an unpleasant, unwieldy side-effect of surfing the Internet. You&#8217;ve got countless login names and passwords for work and home. Banking, credit card management, social networking and email all conspire to create a social identity that soon becomes difficult to manage.</p>
<p>Some resort to using the same login credentials across multiple websites – a definite security faux-pas. But the motivation is clear. Forget your password and you have to go through the process of establishing and having to remember a new one.</p>
<p>So what are we to do?</p>
<p><img class="alignleft size-full wp-image-12656" title="KeePassX" src="/wp-content/uploads/2010/06/kplogo.png" alt="KeePassX" width="94" height="94" />Fear not, there is a technical solution to this technical problem. After I made the transition to Linux, I discovered an open source free utility called <a href="http://www.keepassx.org/">KeePassX</a>. KeePassX allows you to store all your passwords in one database. Access is restricted by one primary password and the contents of the database are encrypted.</p>
<p>Instead of having to remember a myriad of passwords, with KeePassX you only have to remember one.</p>
<h2>KeePassX Installation</h2>
<p>If, like me, you&#8217;re running Ubuntu Linux, you can install the software with this command:</p>
<p style="padding-left: 30px;">sudo apt-get install keepassx</p>
<p>Instructions for Mac, and other Linux distros are available <a href="http://www.keepassx.org/howto">here</a>. You can find the KeePassX launcher under Applications, then Accessories.</p>
<p><a href="/blog/wp-content/uploads/2010/06/main_window.png"><img class="aligncenter size-medium wp-image-12653" title="KeePassX" src="/wp-content/uploads/2010/06/main_window.png" alt="KeePassX" width="600"/></a></p>
<p>The first thing you&#8217;re going to need to do is to create a new database: File, New Database or click on the new database icon on the navigation menu. While this utility is fairly intuitive, you can access the KeePassX handbook from the Help menu for a quick introduction. Appearance and other settings can be modified from the Extras, Settings, menu item.</p>
<h2>KeePassX Features</h2>
<h3>Entries and Grouping</h3>
<p>KeePassX doesn&#8217;t just store passwords. In each database entry, you can store usernames, passwords, URLs, attachments and notes. Entries can also be grouped by function. For example, if you visit a lot of technical websites, you might have a group called &#8220;Tech&#8221;. For banking and other financial entries, you might create another group called “Finance”.  And the integrated search function will allow you to quickly locate an entry.</p>
<p><img class="aligncenter size-full wp-image-12654" title="KeePassX" src="/wp-content/uploads/2010/06/entry.png" alt="KeePassX" width="250" height="277" /></p>
<h3>Password Generator</h3>
<p>One of the features I use most is the password generator. Having trouble coming up with a password that is both memorable and secure? This feature will generate a password, based on your requirements for length, special characters, etc. You can access this feature either from the menu: Extras, Password Generator, or when you create a new database entry.</p>
<p><img class="aligncenter size-medium wp-image-12655" title="KeePassX" src="/wp-content/uploads/2010/06/pwdgen.png" alt="KeePassX" width="495" height="472" /></p>
<h3>Portability</h3>
<p>Because the database is always encrypted (AES or Twofish), you won&#8217;t have to worry about prying eyes accessing your information. Your data is protected with either a master password or key file. This is particularly useful for those of you that need to use this utility on a USB thumb drive. KeePassX is OSI (Open Source Initiative) certified, so it can be installed and executed from any location.</p>
<h3>Other Tidbits</h3>
<p>There is another feature of KeePassX that you might find useful. As long as the application is running, you can use the Ctrl+V autotype function to automatically insert your username and password into a website. Simply click on the username field on the web page and either hit Ctrl + V, or right click on the entry and select “Perform Autotype”.  A word of caution, though this works on my system, some have had trouble with this feature.</p>
<p>Additionally, the database will always hide your username and password, but if you need to quickly glance at them, you can toggle visibility by clicking on the &#8216;eye&#8217; icon next to the entry.</p>
<p>Finally, if for some reason, you need to export a copy of your passwords database, you can export to a text file.</p>
<h2>Summary</h2>
<p>The reality is that the number of passwords we&#8217;re required to remember will only increase. The best way to ensure that you not only have a secure password, but also don&#8217;t have to worry about remembering them is to use a password management utility like KeePassX.</p>
<p>There are other tools in this space. Most notably, <a href="http://lastpass.com/">LastPass</a>, which can be easily integrated into Firefox and Chrome.  If there is another utility that you use, feel free to include your suggestion in the comments.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/keepassx-free-password-manager/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Set Up Safe FTP in Linux</title>
		<link>http://www.trainsignal.com/blog/how-to-set-up-safe-ftp-in-linux</link>
		<comments>http://www.trainsignal.com/blog/how-to-set-up-safe-ftp-in-linux#comments</comments>
		<pubDate>Wed, 26 Jan 2011 15:10:43 +0000</pubDate>
		<dc:creator>Veronica Henry</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=20103</guid>
		<description><![CDATA[File Transfer Protocol (FTP) is one of the oldest and most popular ways to share files between computers and servers, but it's not very secure. The better option is Very Secure FTP daemon (VSFTPD) and today I'll show you how to set it up.]]></description>
			<content:encoded><![CDATA[<p>File Transfer Protocol (FTP) is one of the oldest and most popular ways to share files between computers and servers. In terms of the Internet, this happens transparently on websites where you download software or files. FTP is available both under Windows and Linux.</p>
<p>FTP by itself isn&#8217;t very secure. Information is transmitted in clear text, making it subject to interception and theft. Thus, we have more secure options, like the Very Secure FTP daemon (vsftpd). In this article, we&#8217;ll explore how to set up <a href="http://freshmeat.net/projects/vsftpd/">vsftpd</a> under Linux.</p>
<p><img class="size-full wp-image-11637 alignright" title="How to Set Up Safe FTP in Linux" src="/wp-content/uploads/2010/05/penguin.png" style="padding: 10px;" alt="How to Set Up Safe FTP in Linux" align="right" width="150" height="180" /></p>
<h2>What is VSFTPD?</h2>
<p>The vsftp daemon runs in the background and allows you, or users you designate, to copy files to and from your Linux boxes, using username and password as login credentials. This ability is open to individuals or groups you may want to establish.</p>
<p>VSFTPD features include:</p>
<ul>
<li>Virtual IP configurations</li>
<li>Virtual users</li>
<li>Standalone or inetd operation</li>
<li>Powerful per-user configurability</li>
<li>Bandwidth throttling</li>
<li>Per-source-IP configurability</li>
<li>Per-source-IP limits</li>
<li>IPv6</li>
<li>Encryption support through SSL integration</li>
</ul>
<h2>How To Install VSFTP</h2>
<p>The daemon is included in most versions of Linux. If you are using a Debian based distribution like Mint or Ubuntu, open a terminal window and type: <strong>sudo apt-get install vsftpd</strong></p>
<p>If you are using a Red Hat based distro, open a terminal window and type: <strong>sudo yum install vsftpd</strong></p>
<h2>How To Configure VSFTP</h2>
<p>To configure vsftp, open the vsftpd.conf file in the /etc directory. For instance, if you were using gedit as your text editor, you would type: <strong>sudo gedit /etc/vsftpd.conf</strong></p>
<p>First, for a secure setup, you&#8217;ll want to disable anonymous access to your ftp server. Change this line: <strong>anonymous_enable=YES</strong> to <strong>anonymous_enable=NO</strong></p>
<p>With anonymous access disabled, you&#8217;ll want to allow local users to log in, by uncommenting the following line: <strong>#local_enable=YES</strong> to <strong>local_enable=YES</strong> (simply remove the # sign).</p>
<p>Allow write access by uncommenting this line: <strong>#write_enable=YES</strong> to <strong>write_enable=YES</strong></p>
<p>Save and close the file.</p>
<p>Set up an FTP user account:</p>
<p style="padding-left: 30px;">sudo mkdir -p /home/ftp/ftpuser<br />
sudo useradd ftpuser -d /home/ftp/ftpuser -s /bin/false<br />
sudo passwd ftpuser</p>
<p>Restart your ftp server:</p>
<p style="padding-left: 30px;">Debian: sudo /etc/init.d/vsftpd restart</p>
<p style="padding-left: 30px;">Red Hat: sudo service vsftpd restart</p>
<p>Test:</p>
<p style="padding-left: 30px;">netstat -a | grep ftp</p>
<p>Run at the command line:</p>
<p style="padding-left: 30px;">ftp ip address or hostname: ftp 100.00.00.00</p>
<h2>Other VSFTP Configuration Options</h2>
<p>There are many other options you can add to this file:</p>
<ul>
<li>Limiting the maximum number of client connections (max_clients)</li>
<li>Limiting the number of connections by source IP address (max_per_ip)</li>
<li>Setting the maximum rate of data transfer per anonymous login (anon_max_rate)</li>
<li>Setting the maximum rate of data transfer per non-anonymous login (local_max_rate)</li>
</ul>
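<p>As an added example (not part of the original article or the vsftpd project), the following shell script checks a vsftpd.conf for the settings changed above and for the limits just listed. It also flags a missing ssl_enable=YES, because without it vsftpd still sends logins in clear text; the function names and sample file are constructed, and the fallback values are the built-in defaults from the vsftpd.conf man page.</p>

```shell
#!/bin/sh
# Added example: audit a vsftpd.conf for the settings this article changes.
# Function names and the sample file are constructed for illustration.

# Print the effective value of option $2 in file $1, or the fallback $3 when
# the option is absent or commented out. vsftpd wants "option=value" with no
# spaces around "=", and a later assignment overrides an earlier one.
vsftpd_get() {
    val=$(sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '\r' | tr 'a-z' 'A-Z')
    if [ -n "$val" ]; then
        printf '%s\n' "$val"
    else
        printf '%s\n' "$3"
    fi
}

# Normalise a boolean option to YES or NO (vsftpd also accepts TRUE/1, FALSE/0).
vsftpd_bool() {
    case $(vsftpd_get "$1" "$2" "$3") in
        YES|TRUE|1) echo YES ;;
        *)          echo NO ;;
    esac
}

# Print one finding per line; return 1 if any FAIL finding was printed.
# Fallbacks are the built-in defaults listed in the vsftpd.conf man page.
vsftpd_audit() {
    conf=$1
    rc=0
    if [ "$(vsftpd_bool "$conf" anonymous_enable YES)" = "YES" ]; then
        echo "FAIL anonymous_enable: anonymous logins are allowed"
        rc=1
    fi
    if [ "$(vsftpd_bool "$conf" local_enable NO)" = "NO" ]; then
        echo "FAIL local_enable: local accounts cannot log in"
        rc=1
    fi
    if [ "$(vsftpd_bool "$conf" ssl_enable NO)" = "NO" ]; then
        echo "WARN ssl_enable: logins and transfers are sent in clear text"
    fi
    for opt in max_clients max_per_ip local_max_rate; do
        # 0 means "unlimited" for each of these options
        if [ "$(vsftpd_get "$conf" "$opt" 0)" = "0" ]; then
            echo "WARN $opt: no limit set"
        fi
    done
    return "$rc"
}

# Constructed sample: the three edits made in this article and nothing else.
write_sample_conf() {
    cat > "$1" <<'EOF'
# vsftpd.conf (constructed sample)
anonymous_enable=NO
local_enable=YES
write_enable=YES
#ssl_enable=YES
EOF
}

# Demo on the constructed sample; to audit a real file, call
# vsftpd_audit /etc/vsftpd.conf instead.
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
vsftpd_audit "$demo_conf"
rm -f "$demo_conf"
```

<p>On the sample file the script reports no FAIL findings but warns about ssl_enable and the three unset limits, which is the state the steps in this article leave the server in.</p>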
<h2>VSFTP Considerations and Resources</h2>
<p>Potential issues are often as simple as username and password entry errors. But because firewalls are designed to limit access to certain ports, this is a good area to investigate if you experience issues with your installation. Be sure to check out the vsftpd <a href="http://vsftpd.beasts.org/vsftpd_conf.html">html man page</a> for more information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/how-to-set-up-safe-ftp-in-linux/feed</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>How to Install and Use SSH (Secure Shell) in Ubuntu</title>
		<link>http://www.trainsignal.com/blog/how-to-install-and-use-ssh-secure-shell-in-ubuntu</link>
		<comments>http://www.trainsignal.com/blog/how-to-install-and-use-ssh-secure-shell-in-ubuntu#comments</comments>
		<pubDate>Wed, 05 Jan 2011 15:00:47 +0000</pubDate>
		<dc:creator>Veronica Henry</dc:creator>
				<category><![CDATA[Linux]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=20080</guid>
		<description><![CDATA[SSH or secure shell, is a protocol that allows you to securely access one computer from another creating a secure VPN. In this article I'll walk you through installing and using OpenSSH in Ubuntu Linux. ]]></description>
			<content:encoded><![CDATA[<p>Many of us now regularly use more than one computer – at home, the office, or even customer sites. Consider this scenario: you&#8217;re happily typing along on your work computer only to realize you need to access a file on your home computer. How can you, sitting at your desk across town, obtain the file without having to race home? Answer: remote access.</p>
<p>SSH or secure shell, is a protocol that allows you to securely access one computer from another. Not only can you transfer files, but if you are concerned about public wi-fi security, SSH can help. Using the command line or a graphical interface, you can bypass potentially prying eyes and create a secure virtual private network (VPN) that tunnels your Internet traffic through your home computer&#8217;s connection.</p>
<p>To use SSH, you&#8217;ll need to install the SSH client on the computer you connect from, and an SSH server on the computer you connect to. Under Linux, the most popular software provider is the OpenSSH project.</p>
<p><img src="/wp-content/uploads/2010/10/ssh.jpg" alt="How to Install and Use SSH (Secure Shell) in Ubuntu" title="How to Install and Use SSH (Secure Shell) in Ubuntu" width="335" height="113" align="right" class="alignright size-full wp-image-16199" /></p>
<h2>How to Install OpenSSH</h2>
<p><a href="http://www.openssh.com/">OpenSSH</a> is, of course, an open source product and contains both the client and server components.</p>
<p>The client software is part of the default Ubuntu installation. If you want to be able to accept SSH connections as well as request them, you’ll need the server software as well. Install it with this command: </p>
<p style="padding-left: 30px">sudo apt-get install openssh-server</p>
<h2>How to Use SSH to Login to a Remote Computer</h2>
<p>In order to access a remote computer, you&#8217;ll need to have an account on that machine. You may want to set up a guest account. Navigate to System &gt; Administration &gt; Users and Groups. Create a user (or group of users) and assign the permissions as needed.</p>
<p>When OpenSSH is installed and your user created, login to the remote computer with this command:</p>
<p style="padding-left: 30px">ssh <a href="mailto:username@hostname">username@hostname</a></p>
<p>Username is the name of the user you created and hostname is the name of the computer (or host) or its IP address. So if you had a computer at home with an account called janedoe, from the command line you would type:</p>
<p style="padding-left: 30px">ssh <a href="mailto:janedoe@222.222.2.22">janedoe@222.222.2.22</a> or ssh janedoe@myhompc</p>
<h2>Copying Files using SSH</h2>
<p>Now that you&#8217;ve made the connection to your remote computer, you&#8217;ll probably want to transfer or copy some files. The secure copy command (scp) allows you to securely copy files to and from the remote box. The syntax is as follows:</p>
<p style="padding-left: 30px">scp filename.extension remoteuser@remotebox:/directory</p>
<h2>Copying Directories using SSH</h2>
<p>To copy an entire directory (and all of its contents) from the local machine to the remote server, use the recursive <code>-r</code> switch:</p>
<p style="padding-left: 30px">scp -r /local/directory <a href="mailto:remoteuser@remotebox">remoteuser@remotebox</a>:/remote/directory</p>
<p>/local/directory is the path to the local directory you want copied, and /remote/directory is the remote directory where you want the directory to be copied.</p>
<p>To reverse this and copy from the remote box to local, just switch things up accordingly:</p>
<p style="padding-left: 30px">scp -r remoteuser@remotebox:/remote/directory /local/directory</p>
<h2>What about Windows?</h2>
<p>If you need to remotely connect to your Ubuntu box from a Windows machine, you&#8217;ll need both <a href="http://www.chiark.greenend.org.uk/%7Esgtatham/putty/">PuTTY</a> and <a href="http://www.tightvnc.com/">TightVNC</a> viewer. Follow the instructions <a href="https://help.ubuntu.com/community/SSH/OpenSSH/ConnectingTo">here</a>.</p>
<h2>Final Thoughts</h2>
<p>For more detailed information behind these communications protocols, visit the <a href="http://ubuntuguide.org/wiki/Ubuntu:Lucid">Ubuntu Wiki</a> for your version. Also remember to keep permissions in mind if you choose to provide remote access to other users. Restrict access to only those files or directories that are absolutely required. I hope you&#8217;ve enjoyed our look into remote access under Ubuntu.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/how-to-install-and-use-ssh-secure-shell-in-ubuntu/feed</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>FireSheep: How to Protect Yourself when using Public WiFi</title>
		<link>http://www.trainsignal.com/blog/firesheep-protect-yourself</link>
		<comments>http://www.trainsignal.com/blog/firesheep-protect-yourself#comments</comments>
		<pubDate>Wed, 15 Dec 2010 23:07:45 +0000</pubDate>
		<dc:creator>Mike Rodriguez</dc:creator>
				<category><![CDATA[Security]]></category>
		<category><![CDATA[Wireless Networking]]></category>

		<guid isPermaLink="false">http://www.trainsignal.com/blog/?p=19882</guid>
		<description><![CDATA[What is FireSheep and why shouldn’t you browse your email while enjoying a coffee at a local shop anymore? I'll show you how FireSheep works and how you can stay safe when using public Wi-Fi.]]></description>
			<content:encoded><![CDATA[<p>If you’ve been keeping up to date with tech news sites, or even your local TV news, you’ve probably heard of <a href="http://codebutler.github.com/firesheep/">FireSheep</a>. There are a lot of news outlets reporting about how public WiFi is no longer safe to use, and how you should avoid using it at all costs. </p>
<p>So what is FireSheep? Why should you be worried? And why shouldn’t you browse your email while enjoying a coffee at a local shop anymore? </p>
<p>Today we&#8217;ll take a look at what FireSheep is, why it’s both good and bad, and how you can protect yourself, while still enjoying Internet on the go. </p>
<p><img src="http://www.trainsignal.com/blog/wp-content/uploads/2010/12/33.jpg" alt="FireSheep: How to Protect Yourself on Public WiFi" title="FireSheep: How to Protect Yourself on Public WiFi" width="283" height="238" align="right" style="padding-top: 35px;" class="alignright size-full wp-image-17523" /></p>
<h2>What is FireSheep?</h2>
<p>Essentially, FireSheep is an add-on to the web browser Firefox that demonstrates a serious security flaw in many (if not most) websites online. </p>
<p>It works by stealing what is called a &#8220;cookie&#8221; through the open wireless network, and using it to log in to an account. </p>
<p>While many websites offer encryption when you first type in your password to log in, most websites do not encrypt the rest of your session, leaving the cookie out in the open. </p>
<p>In fact, even if you are careful to not visit sites like Facebook, any website displaying a Facebook &#8220;Like&#8221; button will connect to Facebook, revealing your account to the malicious user. Once FireSheep captures your session, or cookie, it is able to trick the website into thinking it is legitimately logged in, giving the malicious user full access to your account.</p>
<p><span id="more-19882"></span><br />
<img class="aligncenter size-full wp-image-17423" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/11/Screen-shot-2010-11-23-at-10.28.22-PM.png" alt="FireSheep successfully captured my Twitter, Gmail, and Facebook Accounts" width="425" height="278" /></p>
<p>According to Eric Butler, one of the creators of FireSheep, the add-on was not created as a &#8220;hacker tool&#8221; to help malicious people steal others&#8217; account information. He claims that he created the add-on simply to demonstrate that there is something seriously wrong with the way websites handle security, and hopes that the add-on will bring more attention to the matter.</p>
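<p>As an added example (not part of the original article or of FireSheep), the following shell script shows how a site owner can check for the weakness described above: a login response that sets a session cookie without the Secure attribute and sends the browser back to plain HTTP. The function names and the response headers are constructed for illustration.</p>

```shell
#!/bin/sh
# Added example: find cookies that a server sets without the Secure attribute.
# The function names and the response headers below are constructed.

# Read HTTP response headers on stdin; print the name of every cookie whose
# Set-Cookie header lacks "Secure". A browser attaches such a cookie to plain
# http:// requests too, where anyone on an open network can read it.
cookies_without_secure() {
    awk '
    tolower($0) ~ /^set-cookie:/ {
        line = $0
        sub(/[ \t\r]+$/, "", line)              # trailing whitespace and CR
        sub(/^[^:]*:[ \t]*/, "", line)          # drop the "Set-Cookie:" prefix
        n = split(line, part, /[ \t]*;[ \t]*/)  # part[1] is name=value
        secure = 0
        for (i = 2; i <= n; i++)
            if (tolower(part[i]) == "secure") secure = 1
        name = part[1]
        sub(/=.*$/, "", name)
        if (!secure) print name
    }'
}

# Succeed if the response redirects the browser to a plain http:// URL, the
# "encrypted login, unencrypted session" pattern described above.
redirects_to_http() {
    grep -qi '^location:[[:space:]]*http://'
}

# Constructed response to a login form that was submitted over HTTPS.
sample_response() {
    cat <<'EOF'
HTTP/1.1 302 Found
Location: http://www.example.com/home
Set-Cookie: session_id=3f9a1c; Path=/; HttpOnly
Set-Cookie: csrf=77ab02; Path=/; Secure; HttpOnly
set-cookie: prefs=lang-en; Expires=Thu, 15 Dec 2011 23:07:45 GMT
EOF
}

# Demo: report what the constructed response exposes.
echo "Cookies sent over plain HTTP:"
sample_response | cookies_without_secure
if sample_response | redirects_to_http; then
    echo "Login redirects to an unencrypted page"
fi
```

<p>Against a real site, the same functions can be fed the headers saved from a login response; every cookie name they print is one that would cross an open network unencrypted.</p>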
<h2>Why Should You Care?</h2>
<p>FireSheep is so simple to install and use, that it can allow anyone with a bit of motivation to hijack your online accounts. </p>
<p>I have heard a lot of people make the point that &#8220;It’s just a social network, it’s not like they will have my bank account or anything.&#8221; This isn’t entirely true. Currently, FireSheep is able to capture sessions from over 25 websites, including Google (Gmail) and Yahoo Mail. That means if someone tries to reset your bank account password, or any other account linked to your email address, they might be able to complete the reset and gain access to your accounts with ease.</p>
<p><img class="aligncenter size-full wp-image-17424" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/11/Screen-shot-2010-11-23-at-10.30.16-PM.png" alt="Looking at FireSheep's List of Compatible Sites (Not full list.)" width="500" height="418" /></p>
<h2>How To Protect Yourself on Open Networks</h2>
<p>There are many ways to protect yourself from this sort of session hijack. First of all, the add-on only works on &#8220;open&#8221; networks. This means that as long as you had to put in a password to connect to the network (using WEP, WPA, etc.) you should be safe.</p>
<h5>Use a VPN or SOCKS Proxy</h5>
<p>If you are not on a secure network and you absolutely must use an open network, there is still hope. While business users especially should look into using a VPN (Virtual Private Network) when logging in to an unencrypted network, there are free and paid VPNs available that anyone can sign up to use. </p>
<p>Without going into too much detail, a VPN pulls data through an encrypted tunnel, bypassing the local security issues.</p>
<p><img class="aligncenter size-full wp-image-17425" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/11/FireSheep-Avoidance.png" alt="FireSheep Avoidance - Graph showing a secure connection on an open network. (Icons used in diagram from VistaIcons.)" width="500" height="400" /></p>
<p>Much like a VPN, you can use OpenSSH to create an SSH tunnel and SOCKS proxy to log in securely. By setting up a proxy through your home computer system, you are actually logging in from your secure home computer, and pulling the information through an encrypted tunnel. </p>
<p>This is quite easy to set up, and as long as you are sure your home computer is safe and secure, it is an easy way to encrypt your connection from anywhere.</p>
<h5>Force Sites to use Secure SSL</h5>
<p>You can also force websites to use secure connections throughout the site (as they should), making FireSheep useless. Some sites support this feature with a quick settings update (such as Gmail), while other websites may support using a secure connection but not offer it as an option. </p>
<p>Firefox users can use certain add-ons to force the use of a secure connection. The <a href="https://www.eff.org/">Electronic Frontier Foundation</a> offers up an add-on called <a href="https://www.eff.org/https-everywhere">HTTPS Everywhere</a> which will force HTTPS on all sites that support it, and Sid Stamm has created one called <a href="https://addons.mozilla.org/en-US/firefox/addon/12714/">Force TLS</a> that will allow you to manually specify sites to encrypt.</p>
<h5>Use a Private WiFi HotSpot</h5>
<p>Finally, why not try ditching the public hotspot altogether and making your own? Many cell phone service providers offer some sort of personal WiFi service that you can use to connect to the Internet securely.</p>
<p>AT&amp;T offers <em>LaptopConnect</em>, Verizon offers <em>Mobile Hotspots</em>, and T-Mobile offers <em>Laptop Sticks.</em> On some phones, such as many Android-based phones (and jailbroken iPhones), you can even use an app to create a personal WiFi connection; just be sure to check with your provider that it’s allowed. If you do decide to go this route, remember to create an encrypted WiFi connection; if you create an open connection, you’ll run the same risk as before.</p>
<p>If you absolutely can’t use something more secure, like a VPN, proxy, or secure hotspot, your best bet would have to be using Private Browsing along with the <em>HTTPS Everywhere</em> add-on. Any time you are using an open network, you want to be sure that your sessions are completely encrypted. </p>
<p>Remember: even if you are on an encrypted website, just one unencrypted page visit is all FireSheep needs to hijack your session.</p>
<h2>Can FireSheep Be Detected?</h2>
<p>Yes! <img src="http://www.trainsignal.com/blog/wp-content/uploads/2010/11/firesheep-300x200.png" alt="FireSheep Paranoia (Photo Credits: Computer Lab by arlingtonva on Flickr.)" title="FireSheep Paranoia (Photo Credits: Computer Lab by arlingtonva on Flickr.)" width="300" height="200" align="right" style="padding-top: 20px;" class="alignright size-medium wp-image-17426" />By using an add-on called <a href="http://www.zscaler.com/blacksheep.html">BlackSheep</a>, you can effectively test to see if anyone is currently using FireSheep on an open network. The add-on works by injecting fake session information at an interval, and monitoring the traffic to see if it has been hijacked, displaying a message to you if it has. </p>
<p>While this will work to detect FireSheep, it is important to note that BlackSheep is not a protection method, as it does nothing to stop the person from accessing your data.</p>
<p>If you plan to install BlackSheep, note that it uses a heavy portion of FireSheep’s code-base, so they cannot be installed on the same Firefox profile. If you need to have both installed, you will need to create a separate profile for each add-on.</p>
<h2>The Future of Public Wifi</h2>
<p>I believe FireSheep may bring in a new age of security awareness. With Facebook in the spotlight after various security breaches and concerns, and identity theft on the rise, it is up to businesses and website owners to step up and offer completely secure connections throughout their websites. </p>
<p>While the use of secure protocols can tax server hardware, it is a necessity that has been long overlooked (or ignored). If it comes down to it, perhaps a new method of security will need to be created to meet the demands of consumers and server administrators.</p>
<p>What do you think about the future of security, or the borderline black-hat tool FireSheep? Let me know in the comments section below.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/firesheep-protect-yourself/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Using Windows 7 Firewall with Advanced Security</title>
		<link>http://www.trainsignal.com/blog/windows-7-firewall-advanced-security</link>
		<comments>http://www.trainsignal.com/blog/windows-7-firewall-advanced-security#comments</comments>
		<pubDate>Wed, 29 Sep 2010 14:00:37 +0000</pubDate>
		<dc:creator>Mike Rodriguez</dc:creator>
				<category><![CDATA[Windows 7]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">/?p=15324</guid>
		<description><![CDATA[Windows 7 comes bundled with its own software firewall that can help protect against everything that shouldn’t be going in, or out, of your machine. Simply turning on the Windows 7 Firewall can be a big help, but what if things aren’t quite working the way you want them to? For those of us who [...]]]></description>
			<content:encoded><![CDATA[<p>Windows 7 comes bundled with its own software firewall that can help protect against everything that shouldn’t be going in, or out, of your machine. Simply turning on the Windows 7 Firewall can be a big help, but what if things aren’t quite working the way you want them to?</p>
<p>For those of us who need a bit of extra control, I’ll go over each section of the Windows 7 Firewall configuration so you can fine-tune your protection. I won’t go over everything you can customize, but try to cover the most common things, in my experience, that may need to be configured.</p>
<h3>Accessing Windows 7 Firewall</h3>
<p>To open the Windows 7 Firewall, simply open your start menu and type “Firewall” into the search box. You should see “Windows Firewall with Advanced Security.” Go ahead and open that up and you’ll see something similar to the photo below.</p>
<p><img class="aligncenter size-full wp-image-15332" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.45.06-AM.png" alt="Using Windows 7 Firewall with Advanced Security" width="650" height="403" /></p>
<h3>Windows 7 Firewall Advanced Security Interface</h3>
<p>Let’s take a look at the Windows 7 Firewall Interface. The first thing you’ll notice is that there is a lot going on. Don’t worry though, the interface is actually quite simple to use and makes things fairly simple to read, even if the interface is a bit different than what we’re used to.</p>
<p>On the left, you’ll see a menu system including Inbound and Outbound Rules, Connection Security rules, and a menu item for monitoring the firewall. In the center box, you’ll see what you will be working with. This is where you’ll see all of the current rules and settings, and where you can edit them.</p>
<p>On the right side, you’ll see an Actions menu. This menu will let you import and export policies, restore, diagnose, or repair (just in case), along with a few special actions depending on the menu we’re currently working in. You generally won’t need to use the Actions menu too much, unless you have policies already saved on your computer that you would like to import.</p>
<h3>Getting Started with Advanced Security</h3>
<p>The first thing we’ll want to do is make sure the firewall is turned on. On the main firewall page, you should see a section labeled “Overview.” In this section, you should see a Domain Profile, a Private Profile, and a Public Profile. For each of these profiles, choose if you would like to have the firewall on, or off.</p>
<p><img class="aligncenter size-full wp-image-15333" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.46.10-AM.png" alt="Using Windows 7 Firewall with Advanced Security" width="628" height="129" /></p>
<p>To turn the firewall on, look under each profile. The first shield image you should see will be either red, or green, along with text to explain whether the firewall is turned on or off. If it’s off, click on the arrow below labeled “Windows Firewall Properties” and turn it on.</p>
<h3>Exempting a Computer from Firewall</h3>
<p>Let’s say you have a media server, or even just a computer that sometimes streams content to others in your network. You obviously trust your server, so you want to let it access the computer you’re on so you can send and receive media as needed without having to authenticate server side. We’ll need to set it up as a trusted computer. In Windows 7 Firewall, this is called an Authentication Exemption.</p>
<p>To set up an authentication exemption, go to “Connection Security Rules” in the left hand menu. Next, click on “New Rule” in the Action menu. Here you will see the different types of security rules and exemptions you can create. There is also a short description of each to help you figure out if a machine on your network or outside of your network needs any special rules set. In this case, choose “Authentication Exemption” and then click next. Here you can add machines that are exempt from authenticating. Click “Add” and you’ll be able to set the IP Address or IP Address range to exempt. Click OK and then next again to get to the next step in the Wizard. The final step allows you to name the security rule. It’s a good idea to name the rule after the machine(s) you are setting the rule for so you can easily go back to it if needed.</p>
<h3>Setting Inbound and Outbound Rules</h3>
<p>So let’s say you just installed a new application that needs access to the Internet. You trust the application and want to give it full access to the Internet. The first thing you will need to figure out is if it needs access to incoming traffic, outgoing traffic, or both. In this example, let’s assume that the application needs to both send data to and receive data from the Internet. First, let’s set up an inbound rule to make sure that the application can pull data from the Internet. To set an inbound rule, click on the Inbound Rules menu item in the left side menu, and then click “New Rule&#8230;” in the Action menu.</p>
<p><img class="aligncenter size-full wp-image-15334" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.47.11-AM.png" alt="Using Windows 7 Firewall with Advanced Security" width="470" height="254" /></p>
<p>Here, you can create a rule for programs, ports, predefined rules (the HomeGroup, for example), and custom rules. In this example, we’ll create a program rule. You’ll see a choice for “All Programs” or a specific program path. Choosing All Programs is rarely recommended, so we’ll browse for the program instead. After you choose your program, you’ll be able to set the rule itself.</p>
<p>In most cases, “Allow the connection” will be the best choice; however, you can choose to only allow the connection if it is secure. You also get the choice to block the connection. Although that is the opposite of what we’re trying to do in this example, it is good to remember that we can also block specific applications from sending and receiving data. Choose “Allow the connection” and click next. Again, you will be prompted to choose which profiles the rules apply to, and be given the ability to name the rule. For outgoing traffic, the exact same process applies, except in the Outbound Rules section.</p>
<h3>So Far, So Good!</h3>
<p>Now that you’re able to set up exemptions for computers you trust, and allow or deny applications from sending or receiving data, you are well on your way to having complete control over your computer system.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/windows-7-firewall-advanced-security/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Configure the Windows 7 Firewall</title>
		<link>http://www.trainsignal.com/blog/configure-windows-7-firewall</link>
		<comments>http://www.trainsignal.com/blog/configure-windows-7-firewall#comments</comments>
		<pubDate>Wed, 22 Sep 2010 14:00:36 +0000</pubDate>
		<dc:creator>Mike Rodriguez</dc:creator>
				<category><![CDATA[Windows 7]]></category>
		<category><![CDATA[Firewall]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">/?p=15319</guid>
		<description><![CDATA[A firewall is an important component in computer networking. Firewalls can be software, or hardware, or a combination of both. Their main purpose is to help regulate the flow of information to and from your computer system. This can mean doing things like blocking hackers or dangerous software from accessing your computer, or stopping malicious [...]]]></description>
			<content:encoded><![CDATA[<p>A firewall is an important component in computer networking. Firewalls can be software, or hardware, or a combination of both. Their main purpose is to help regulate the flow of information to and from your computer system. This can mean doing things like blocking hackers or dangerous software from accessing your computer, or stopping malicious software already on your computer from sending off information that you don’t want to be sent.</p>
<p>In this article, I’ll go over the basics of setting up your Windows 7 Firewall to best suit your needs. I’ll go over everything from turning it on, to setting up profiles and allowing or blocking applications from accessing the network.</p>
<h3>Enabling and Disabling the Windows 7 Firewall</h3>
<p><img class="aligncenter size-full wp-image-15327" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.36.57-AM.png" alt="How to Configure the Windows 7 Firewall " width="562" height="79" /></p>
<p>If you have just recently installed Windows 7, you have probably already come across prompts to enable or disable the Windows 7 Firewall. If you need to enable or disable the firewall, you can simply revisit the setting in your Control Panel. Here&#8217;s how:</p>
<ol>
<li>Open the Control Panel</li>
<li>Click “System and Security”</li>
<li>Click “Windows Firewall”</li>
</ol>
<p>On this page, you’ll see two sections, one on the left with a list of options starting with “Control Panel Home” and a larger section on the right containing information about the firewall&#8217;s status and state.</p>
<p>To enable or disable the firewall, look for and click on “Turn Windows Firewall On or Off” on the left side menu. You’ll be taken to a page where you can choose to turn your Windows firewall on or off, and where you have some control over profiles and notifications.</p>
<p>The first section is for your Home or Work profile. Here you can choose to turn your firewall on or off, as well as whether you would like to block incoming connections or be notified when Windows Firewall blocks a new program. Generally, it is a good idea to keep the firewall on with notifications, but without blocking all incoming connections.</p>
<p><img class="aligncenter size-full wp-image-15328" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.39.36-AM.png" alt="How to Configure the Windows 7 Firewall " width="551" height="246" /></p>
<p>The section below is for a much less predictable profile, Public. The public profile is meant for when you’re on a network that you may or may not trust, at a coffee shop for example. The settings remain the same, but you may wish to block incoming connections whenever on a public network, just in case. Whatever you choose to do, it usually is a bad idea to go without a firewall using the public profile.</p>
<h3>Allowing and Disallowing a Program to Communicate through Windows 7 Firewall</h3>
<p>Back on the Windows Firewall section of your Control Panel, click on “Allow a Program or Feature through the Windows Firewall” to start setting up rules for specific programs and features. This is much like the Inbound and Outbound Rules section of the Advanced Firewall Settings page, but with a more simplified approach.</p>
<p><img class="aligncenter size-full wp-image-15329" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.40.29-AM.png" alt="How to Configure the Windows 7 Firewall " width="591" height="217" /></p>
<p>On this page, you will be given a list of all programs and features that have rules set within the firewall. If the program is not listed, it can be added using the “Allow another program&#8230;” button on the bottom right side of the page. If you are unsure about what a certain feature does, you can double click on it to bring up a short description of the feature.</p>
<p>On the right side of the program or feature are two check boxes. Simply check the box for each profile you would like to allow the program to run with. The left box is for Private profiles like Work or Home, and the right box is for the Public profile.</p>
<h3>Keeping Your Windows 7 PC Safe</h3>
<p>Remember, allowing a program to communicate through a firewall is like opening a door to the network and Internet. Anything can come in, and anything can go out. Be sure you trust the application and its source before unblocking any application. Never allow a program that you don’t recognize to communicate through the firewall.</p>
<p>As an added security measure, revisit the Windows 7 firewall often and block applications (or ports) that no longer need to be opened.</p>
<p><img class="aligncenter size-full wp-image-15330" src="http://www.trainsignal.com/blog/wp-content/uploads/2010/09/Screen-shot-2010-09-17-at-7.41.46-AM.png" alt="How to Configure the Windows 7 Firewall " width="409" height="89" /></p>
<p>Using a firewall is always a good idea. The Windows 7 firewall is a great security measure on any Windows 7 PC, but it isn’t the only option. Some anti-virus suites, for example, offer their own firewall as well. Being safe doesn’t require you to use a certain firewall, and no solution is perfect for everyone. Whichever you choose, be sure to always have at least one firewall running at all times.</p>
<h3>Advanced Security with Windows 7 Firewall</h3>
<p>That’s about it for this article, but be sure to check out my next article on the <a href="/blog/windows-7-firewall-advanced-security">Advanced Settings available in Windows 7 Firewall</a>. You will learn how to create specific inbound and outbound rules for applications, as well as how to give a separate computer or server that you trust, full access to your machine without having to authenticate so you can allow applications and information to stream freely between them. Stay safe!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.trainsignal.com/blog/configure-windows-7-firewall/feed</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
