12.1. Firewall
In general, an information system sits behind a firewall. The firewall blocks unauthorized traffic by controlling which IP addresses and ports may communicate. The default setting blocks access from every IP address and port; only ports 80 and 443 are opened for web services. Port 80 carries the HTTP protocol and port 443 the HTTPS protocol. HTTP supports a plain web service, and HTTPS provides communication encrypted through SSL. To support remote file transfer, port 21 is also opened for the FTP protocol. Let's briefly look at the firewall.
Figure 12-1 Firewall Concept Diagram
A firewall sits between the internal network that hosts corporate services and the Internet. Various other security devices can be present in the network, but to keep the description simple I mainly describe the firewall. A basic firewall operates as follows.
(1) Setting Rule: IP and port information is registered as exceptions in the firewall. The IP address “210.20.20.23” opens ports 80 and 443, and the IP address “210.20.20.24” opens ports 21 and 22.
(2) Abnormal Traffic: Traffic to port 8080 of the IP address “210.20.20.23” is treated as abnormal and blocked, because that port has not been registered as an exception in the firewall.
(3) Normal Traffic: Traffic to port 21 of the IP address “210.20.20.24” passes to the internal network, because that port has been registered as an exception in the firewall.
Registered firewall exception rules should be chosen carefully, because an open port is easy to find with a port-scanning tool. FTP and Telnet services in particular are vulnerable to hacking and must, as far as possible, be configured so that they cannot be reached from outside the network.
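A defender's version of the “which exceptions are open” check, added here as an example that is not part of the chapter: it lists the enabled inbound allow rules on a Windows PC (the registered exceptions of step (1) above) and flags any that expose FTP or Telnet to every remote address. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and an elevated PowerShell session; the port list and the port-matching helper are my own choices.

```powershell
# Added example, not code from the chapter. Requires the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.

# Services the chapter singles out as risky when reachable from outside.
$RiskyPorts = @{ 21 = 'FTP'; 23 = 'Telnet' }

function Test-PortInFilter {
    # A rule's LocalPort can be 'Any', a single number, a range like '21-22',
    # or an array of these; return $true if $Port falls inside it.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ($entry -match '^\d+$' -and [int]$entry -eq $Port) {
            return $true
        }
    }
    return $false
}

function Get-ExposedRiskyRule {
    # Only enabled inbound allow rules are exceptions to the default block.
    $rules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow
    foreach ($rule in $rules) {
        $portFilter = $rule | Get-NetFirewallPortFilter
        $addrFilter = $rule | Get-NetFirewallAddressFilter
        if ($portFilter.Protocol -notin 'TCP', 'Any') { continue }
        # RemoteAddress 'Any' means the exception is reachable from every source.
        $fromAnywhere = @($addrFilter.RemoteAddress) -contains 'Any'
        foreach ($riskyPort in $RiskyPorts.Keys) {
            if (Test-PortInFilter -LocalPort @($portFilter.LocalPort) -Port $riskyPort) {
                [pscustomobject]@{
                    Rule          = $rule.DisplayName
                    Profile       = $rule.Profile
                    Service       = $RiskyPorts[$riskyPort]
                    Port          = $riskyPort
                    RemoteAddress = (@($addrFilter.RemoteAddress) -join ',')
                    ExposedToAny  = $fromAnywhere
                }
            }
        }
    }
}

# Rules reachable from any remote address are listed first; those are the
# ones to narrow to a known subnet or to disable.
Get-ExposedRiskyRule | Sort-Object ExposedToAny -Descending | Format-Table -AutoSize
```

An entry such as an FTP rule enabled on the Public profile with RemoteAddress “Any” is exactly the situation the paragraph above warns about. The usual fix is to scope the rule to the hosts that need it (Set-NetFirewallAddressFilter with -RemoteAddress) or to disable it on the Public profile.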
12.2. Firewall Settings for the HTTP Service
The firewall function is also available on a PC. Enabling the firewall on the PC cuts off all services requested from the outside. You can enable the firewall in the “Control Panel\System and Security\Windows Firewall\Customize Settings” menu. Windows Firewall can be enabled separately for the “Home or Work (private) network” and the “Public network”.
Figure 12-2 Enabling Windows Firewall
You can register a firewall exception rule in the “Advanced Settings” menu of “Control Panel\System and Security\Windows Firewall”. Click “Inbound Rules” and select “New Rule”; a wizard opens in which you register the service step by step.
Figure 12-3 Windows Firewall Rule Properties
In “Rule Type”, select “Port”. A port rule opens a specific TCP or UDP port, which is how the HTTP and FTP services are allowed through.
Figure 12-4 Select the Rule Type
The hacker PC and the client PC reach the WordPress service on port 80, so this port must be open in the firewall. Select “TCP” in the figure below, because the HTTP protocol operates over TCP, and enter “80” for the port.
Figure 12-5 Protocol and Ports
IPSec is a collection of protocols that support encrypted communication between two computers over an insecure network. To use IPSec, every device in the same network segment must support the IPSec protocol, so IPSec is not widely used in general. Click “Connection Permit”.
Figure 12-6 Select the Type of Action
Under “Profile”, check “Domain”, “Private” and “Public”. Under “Name”, enter a name from which the purpose of the exception is immediately clear: enter “Apache web service”.
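The inbound HTTP exception that the wizard steps above build (TCP port 80, the Domain, Private and Public profiles, named “Apache web service”), created from PowerShell and then read back. This is an added example, not code from the chapter; it requires the NetSecurity module and an elevated session, and the optional RemoteAddress scope is my addition (the wizard leaves it at “Any”).

```powershell
# Added example, not code from the chapter. Requires the NetSecurity module
# and an elevated PowerShell session.

$RuleName = 'Apache web service'

function New-HttpInboundRule {
    param(
        [string]$Name = $RuleName,
        [int]$Port = 80,
        # Which remote hosts may reach the port. 'Any' matches the wizard's
        # default; a subnet such as '192.168.0.0/24' limits exposure.
        [string]$RemoteAddress = 'Any'
    )
    # Creating the same rule twice leaves two entries to manage; reuse if present.
    $existing = Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue
    if ($existing) { return $existing }
    New-NetFirewallRule -DisplayName $Name `
        -Description 'Allow inbound HTTP to the Apache/WordPress test server' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -RemoteAddress $RemoteAddress `
        -Profile Domain,Private,Public -Action Allow -Enabled True
}

function Get-RuleSummary {
    # Read the rule back the way the "Advanced Settings" view shows it.
    param([string]$Name = $RuleName)
    $rule = Get-NetFirewallRule -DisplayName $Name
    $port = $rule | Get-NetFirewallPortFilter
    $addr = $rule | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        Protocol      = $port.Protocol
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}

New-HttpInboundRule | Out-Null
Get-RuleSummary | Format-List
```

Reading the rule back is the useful half: it confirms that only TCP port 80 was opened and shows the remote-address scope, which the wizard never asks about. For the test network in this chapter, passing the client and hacker PCs' subnet as -RemoteAddress keeps the rule from applying to every network the PC is ever connected to.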
12.3. FTP Settings using the IIS Management Console
Click “Turn Windows features on or off” in the “Control Panel\Programs\Programs and Features” menu; this lets you activate features that are disabled by default. Under the “Internet Information Services” entry, select “FTP Service” and “FTP Extensibility”. Under the “Web Administration Tool” entry, select “IIS Management Console”.
Figure 12-7 Enabling FTP and IIS Management Console
Install Apache and MySQL to provide the web server and the database. Both are freely available as open source software. To run a service that can be subjected to hacking, install WordPress, an open source PHP-based blog platform.
Select “Internet Information Services (IIS) Manager” in “Control Panel\System and Security\Administrative Tools”. To enter the FTP service path and the user information, click the “Site” tab and then select “Add FTP Site”.
Figure 12-8 Add FTP Site
Enter “serverftp” in the “FTP site name” field and “C:\” in the “Content Directory” field. The FTP service supplied with Windows confines users to the configured “Content Directory”; they cannot navigate above it. For testing, therefore, specify the top-level directory.
Figure 12-9 Entering the FTP Site Info
Specify the IP address and port that the FTP service is bound to. If no IP address is specified, the FTP service listens on all IP addresses. The port is normally 21, the port commonly used by FTP services. SSL (Secure Sockets Layer) is the encryption scheme used to protect HTTP traffic. Select “No” for this test.
Figure 12-10 Binding and SSL Settings
Next, enter the authentication and authorization information. For Authentication, select “Basic” rather than “Anonymous”; with “Anonymous”, anyone can log in without a separate username and password. For Authorization, select “Specified users” and enter “server”. Grant this user “Read” and “Write” permissions; without write permission a client cannot save files to the FTP server.
Figure 12-11 Authentication and Authorization Information
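The feature installation and FTP site configuration of this section, scripted from PowerShell as an added example that is not the chapter's own code: it enables the FTP service and the IIS Management Console, creates the “serverftp” site on “C:\” bound to all addresses on port 21 with SSL set to “No”, selects Basic instead of Anonymous authentication, and authorizes the user “server” with Read and Write. It assumes an elevated session, that a local Windows user named “server” already exists, and that the optional-feature names and IIS configuration paths are the ones current Windows versions use (my assumption; the chapter only shows the dialogs).

```powershell
# Added example, not code from the chapter. Run elevated on the server PC.
# Feature names and IIS provider paths are assumed, not taken from the text.

# 1. The boxes ticked in "Turn Windows features on or off".
$features = 'IIS-WebServerRole', 'IIS-WebServer', 'IIS-FTPServer', 'IIS-FTPSvc',
            'IIS-FTPExtensibility', 'IIS-WebServerManagementTools', 'IIS-ManagementConsole'
foreach ($f in $features) {
    Enable-WindowsOptionalFeature -Online -FeatureName $f -All -NoRestart | Out-Null
}

Import-Module WebAdministration

$SiteName = 'serverftp'
$RootPath = 'C:\'      # the chapter's test setting; a dedicated folder exposes less
$FtpUser  = 'server'   # the Windows account the chapter grants access to

# The account must exist before it can be authorized.
if (-not (Get-LocalUser -Name $FtpUser -ErrorAction SilentlyContinue)) {
    throw "Local user '$FtpUser' does not exist; create it before running this script."
}

# 2. "Add FTP Site": name, content directory, all IP addresses, port 21.
if (-not (Test-Path "IIS:\Sites\$SiteName")) {
    New-WebFtpSite -Name $SiteName -PhysicalPath $RootPath -IPAddress '*' -Port 21 -Force | Out-Null
}

$site = "IIS:\Sites\$SiteName"

# 3. SSL "No" (allow but do not require) and Basic rather than Anonymous authentication.
Set-ItemProperty $site -Name ftpServer.security.ssl.controlChannelPolicy -Value 'SslAllow'
Set-ItemProperty $site -Name ftpServer.security.ssl.dataChannelPolicy    -Value 'SslAllow'
Set-ItemProperty $site -Name ftpServer.security.authentication.basicAuthentication.enabled     -Value $true
Set-ItemProperty $site -Name ftpServer.security.authentication.anonymousAuthentication.enabled -Value $false

# 4. Authorization: "Specified users" = server, permissions Read and Write.
Add-WebConfiguration -Filter '/system.ftpServer/security/authorization' -PSPath 'IIS:\' `
    -Location $SiteName -Value @{ accessType = 'Allow'; users = $FtpUser; permissions = 'Read,Write' }

# Show what was configured.
Get-WebConfiguration -Filter '/system.ftpServer/security/authorization/add' -PSPath 'IIS:\' -Location $SiteName |
    Select-Object accessType, users, permissions
```

Two settings here deserve a second look outside the test lab: the site root “C:\” gives the authorized user a view of the whole system drive, and the SSL policy “SslAllow” means a client that does not ask for TLS sends the Basic credentials in cleartext.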
12.4. Firewall Settings for the FTP Service
Select the “Advanced Settings” menu in “Control Panel\System and Security\Windows Firewall” to register the firewall exceptions. Click “Inbound Rules” and select “New Rule” to open the wizard in which you register the service step by step. Since the FTP service rules are predefined, choose “Predefined” and select “FTP Server”.
Figure 12-12 Select Rule Type
When you choose “Predefined”, a “Predefined Rules” page appears on the left side of the screen. Check all three rules listed there.
Figure 12-13 Select a Predefined Rule
Select the “Work” type, that is, the action to take when a service request matches the predefined rules. In this case select “Connection Permit”. Allow both “secure connections” and “regular connections” to improve testability.
Figure 12-14 Select Action
Now, let's test whether the hacker PC can connect to the server PC, in the following steps. First, open the command prompt on Windows and attempt an FTP connection. Enter the username and password that were set up for the server. If the connection is established, the “dir” command shows the following results.
Figure 12-15 FTP Connection
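The rule enabling and the connection test of this section, scripted as an added example that is not the chapter's own code. The server-side function enables the three predefined rules in the “FTP Server” group; the client-side functions, meant to run on the hacker PC, check that TCP port 21 is reachable and then perform the equivalent of logging in with ftp.exe and running “dir”. It assumes the NetSecurity module and an elevated session on the server PC, and $ServerIp is a placeholder for the server PC's address.

```powershell
# Added example, not code from the chapter. Server-side part needs the
# NetSecurity module and an elevated session; client-side parts run on the
# hacker PC. $ServerIp is a placeholder, not an address from the text.

$ServerIp = '192.168.0.10'   # placeholder: replace with the server PC's address

# --- Server PC: enable the three predefined rules in the "FTP Server" group. ---
function Enable-FtpServerRules {
    Enable-NetFirewallRule -DisplayGroup 'FTP Server'
    # Passive-mode data connections arrive on dynamic ports. Stateful FTP
    # inspection opens only the port negotiated for each session instead of
    # leaving a port range permanently open.
    netsh advfirewall set global StatefulFtp enable | Out-Null
    Get-NetFirewallRule -DisplayGroup 'FTP Server' |
        Select-Object DisplayName, Enabled, Profile, Action
}

# --- Hacker PC: is TCP port 21 on the server reachable through the firewall? ---
function Test-FtpReachable {
    param([string]$Server = $ServerIp, [int]$Port = 21)
    $result = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
    [pscustomobject]@{ Server = $Server; Port = $Port; Reachable = $result.TcpTestSucceeded }
}

# --- Hacker PC: scripted equivalent of logging in with ftp.exe and running "dir". ---
function Get-FtpListing {
    param(
        [string]$Server = $ServerIp,
        # Prompt for the password rather than embedding it in the script.
        [pscredential]$Credential = (Get-Credential -UserName 'server' -Message 'FTP password')
    )
    $request = [System.Net.FtpWebRequest]::Create("ftp://$Server/")
    $request.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectoryDetails
    $request.Credentials = $Credential.GetNetworkCredential()
    $request.UsePassive = $true
    $request.EnableSsl = $false   # the site was created with SSL set to "No"
    $response = $request.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader($response.GetResponseStream())
        $reader.ReadToEnd()       # the directory listing "dir" would print
    } finally {
        $response.Close()
    }
}

Enable-FtpServerRules   # run this on the server PC
Test-FtpReachable       # run this and the next line on the hacker PC
Get-FtpListing
```

Because the site was created with SSL set to “No” and Basic authentication, the username, password and listing all cross the network in cleartext; anyone on the path between the two PCs can read them. That is part of why the guides mentioned above recommend not exposing FTP, and why the Public-profile copies of these rules should be disabled once the test is over.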
Now you are ready to use the FTP service on the server PC. Most security guides recommend blocking FTP connections from the outside. However, many sites still allow FTP access for convenience and faster file uploads. Let us now learn how the FTP service is vulnerable to security exploits.