Table 2: NETWORK DISEASES
VIRUS A program or piece of code that is loaded onto your computer without your knowledge and runs against your wishes. Viruses can also replicate themselves. A simple virus that can make a copy of itself over and over again is relatively easy to produce. Even such a simple virus is dangerous because it will quickly use all available memory and bring the system to a halt. An even more dangerous type of virus is one capable of transmitting itself across networks and bypassing security systems.
TROJAN A destructive program that masquerades as a benign application. Unlike viruses, Trojan horses do not replicate themselves but they can be just as destructive. One of the most insidious types of Trojan horse is a program that claims to rid your computer of viruses but instead introduces viruses onto your computer (partial lists).
WORM A program or algorithm that replicates itself over a computer network and usually performs malicious actions, such as using up the computer's resources and possibly shutting the system down.
BACKDOOR An undocumented way of gaining access to a program, online service or an entire computer system. The backdoor is written by the programmer who creates the code for the program. It is often only known by the programmer.
DoS Attack Short for denial-of-service attack, a type of attack on a network that is designed to bring down a network by flooding it with useless traffic. Many DoS attacks, such as the Ping of Death and Teardrop attacks, exploit limitations in the TCP/IP protocols.
definitions courtesy of Webopedia.
rationale for port knocking
You may be wondering: "What is the purpose of firewalls?" After all, if we don't want people connecting to our server, why not simply turn off the network services? An open port without an associated listening application is like a walled-in door and not a security risk, right? Well, not exactly.
The primary purpose of firewalls is to precisely define and limit the variety of communication possible within a network. System administrators tend to be justifiably paranoid and need to enforce limits to help monitoring and troubleshooting. However, the purpose of firewalls does not primarily rest in deriving a sense of control. Unless you are very familiar with your operating system, you may not be aware of all the services running on your computer.
Some operating systems install with a large number of listening services (e.g. ftp, mail, finger, telnet, time, echo, etc.) and leave their ports open. Instead of you hunting these services down and turning them off, it would be the firewall's role to deny communication to these services' ports. You might make a mistake and accidentally start the telnet service - a bad thing if your firewall doesn't block the telnet port, and a bad thing precisely because you are unaware that you now have a listening application on an open port. This is somewhat equivalent to not only leaving a window open in your house while on vacation, but not even knowing that the window is there.
Aside from unwanted but legitimate services, illegitimate services such as backdoors or trojans may be silently running on your computer. Their spread is made possible, and increasingly so, by the common practice of downloading software from unverified or untrusted sources. If you are not running an updated virus scanner and have downloaded software from the internet (peer-to-peer, personal web sites of friends, of friends of friends, and of strangers, etc.), it's likely that you are infected. If you have a firewall which blocks the illegitimate service's port, then the infection is merely a nuisance.
Figure 5 | A server with IP-filtering enabled in its firewall rule set. Specific remote hosts are allowed to check mail via the POP service running on port 110. Logging of connections to port POP/110 tracks usage. Logging of the closed mysql/3306 port keeps tabs on potentially malicious remote IPs.
Firewalls control which remote computers can connect to given ports. While some ports are typically meant for general public use (e.g. http/80), communications to others might need to be tightly controlled (e.g. telnet/22, pop/110, proprietary applications, etc.). The scenario corresponding to the following rule set is shown in Figure 5.
- allow connections from everywhere to ports ftp/21, snmp/25, http/80
- allow connections from IP1,IP2,IP3 to ports POP/110 (+log all connection attempts)
- disallow connections to port mysql/3306 (+log all connection attempts)
- disallow connections to all other ports
In this example, specific remote hosts are allowed to connect to the POP service. Presumably only users at these IP addresses have legitimate reasons to connect to this service. All remote hosts are still allowed to connect to the ftp/21, snmp/25 and http/80 services. Firewalls can log traffic, and in this particular case logging is turned on for ports pop/110 and mysql/3306. While it's clear why logging might be turned on for a port to which connections are allowed, you may be wondering why logging is turned on for a closed port.
First, logging of closed ports can detect port scans. A port scan is a process in which a user at a remote computer attempts to connect to all or a subset of ports in order to detect which services are running. If there is no reason for someone to be connecting to your mysql/3306 port, then any attempted connection may be a sign of malevolent intentions. Of course, it may not be a sign of anything - the user at the remote end may simply be connecting to the wrong IP address. "Hello? ... Oh, sorry, I have the wrong IP address." Well, you get the idea.
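The rule set above and the closed-port logging it describes, as an added example that is not from the original article: a small first-match evaluator in Python encoding the four rules, with a per-source count of logged drops so that a single stray connection to mysql/3306 can be told apart from repeated probing. The IP addresses, traffic and threshold are constructed.

```python
from collections import Counter
from ipaddress import ip_address

# IP1, IP2, IP3 from the article's rule set (constructed addresses)
POP_HOSTS = {"192.0.2.10", "192.0.2.11", "192.0.2.12"}

# Each rule: (ports, allowed sources or None = everywhere, log attempts?)
# Order matters: the first rule whose port matches decides the verdict.
RULES = [
    ({21, 25, 80}, None,      False),  # ftp/21, snmp/25, http/80: open to all
    ({110},        POP_HOSTS, True),   # POP/110: IP1-3 only, log every attempt
    ({3306},       set(),     True),   # mysql/3306: closed, log every attempt
]

def evaluate(src, dport, log):
    """Return True if the connection is allowed; append a log record when
    the matching rule logs attempts. Unmatched ports are silently denied."""
    ip_address(src)  # reject malformed input early
    for ports, sources, do_log in RULES:
        if dport in ports:
            allowed = sources is None or src in sources
            if do_log:
                log.append((src, dport, "ACCEPT" if allowed else "DROP"))
            return allowed
    return False  # final rule: disallow connections to all other ports

def suspicious_sources(log, threshold=3):
    """Sources with `threshold` or more logged DROPs: one stray hit may be a
    wrong IP address, repeated hits on a closed port look like probing."""
    drops = Counter(src for src, _, verdict in log if verdict == "DROP")
    return {src: n for src, n in drops.items() if n >= threshold}

# Constructed traffic: a legitimate POP user, a stray connection, and a prober
TRAFFIC = [
    ("192.0.2.10", 110), ("203.0.113.5", 80), ("203.0.113.5", 3306),
    ("198.51.100.7", 3306), ("198.51.100.7", 3306), ("198.51.100.7", 3306),
    ("198.51.100.7", 110), ("198.51.100.7", 22),
]

def run(traffic=TRAFFIC):
    log = []
    verdicts = [evaluate(src, port, log) for src, port in traffic]
    return verdicts, log, suspicious_sources(log)

if __name__ == "__main__":
    verdicts, log, flagged = run()
    for (src, port), ok in zip(TRAFFIC, verdicts):
        print(f"{src:>14} -> {port:<5} {'allow' if ok else 'deny'}")
    print("logged:", len(log), "flagged:", flagged)
```

Note that attempts to port 22 never reach the log: only the ports the rule set marks for logging leave a trace, which is exactly why the closed mysql/3306 port is logged.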