Recently, Microsoft has publicised the idea that if you want to have a truly secure network, you must focus your efforts in five primary areas: perimeter defences, network defences, application defences, data defences, and host defences. In this article, I'll focus on network defences, and provide four steps you can use to secure them. What are network defences?
Network defences address the issues involved in connecting networks to each other and in operating a network as a whole. They don't address issues like external firewalls or dial-up connections, since the perimeter security layer covers these. Nor do network defences cover individual servers and workstations, since the host defences layer covers these. Instead, network defences cover things such as protocols and routers. Internal firewalls
Just because the network defences area doesn't cover external firewalls doesn't mean that it doesn't cover firewalls at all. One of the first steps that I recommend taking toward securing your network defences is to enable internal firewalls where possible. Internal firewalls are basically the same as external firewalls. The main difference is that their primary job is to protect the machine against traffic that is already on your network. There are a couple of reasons for implementing internal firewalls. First, imagine for a moment that a hacker or a virus was able to manipulate your external firewall in a way that allowed all varieties of traffic to flow through it. Normally, this would mean that it was open season against your network. However, if you had enabled internal firewalls, they would block the malicious packets that the external firewall had let slip through. The other main reason for enabling some internal firewalls is that many attacks tend to be internal in nature. At first, you might hear this statement and think that an internal attack couldn't possibly happen on your network, but I've seen internal attacks and other security breaches in every company I've ever worked for. At two of the places where I used to work, people in other departments who were hacker or administrator wannabes thought that it would be cool to probe the network to see how much information they could acquire. In both cases, they had no ill intent (or so they said); they were simply looking to impress their friends by hacking the system. Whatever their motivation, they did attempt to break through the network's security. You need to protect your network from people like this. In other places where I've worked, I've seen people bring in unauthorised software infected with Trojan horses. (Remember "Back Orifice"?) These Trojan horses broadcast on specific ports. The firewall was powerless to stop malicious packets from entering the network because they were already on the network. This kind of attack brings up an interesting point: most of the techs I know configure their external firewalls to block all but a few inbound ports and to allow all outbound traffic. I recommend being just as picky with the outbound ports as you are with the inbound ports, because you never know when a Trojan horse could be using some obscure port to broadcast information about your network to the world. Ideally, you should place internal firewalls on each PC and on each server. Several good personal firewall products are on the market, such as Norton's Personal Firewall 2003 from Symantec. However, you may not have to spend a dime on an internal firewall for your workstations, since Windows XP contains its own built-in personal firewall. To enable the Windows XP firewall, right-click on My Network Places and select the Properties command from the resulting shortcut menu to display the Network Connections window. Next, right-click on the network connection you want to protect and select Properties. Finally, select the Advanced tab and then the check box in the Internet Connection Firewall section. You can also use the Settings button to enable any ports that should remain open. Although the Windows XP firewall is intended as an Internet firewall, it works great as an internal firewall as well.