Real Life Experience - Server Hacked!


Firewalls are your first line of security defence against viruses, hackers and trojans. It is extremely important to ensure the firewall is configured properly for this security tool to be effective. I would like to share with you my hands-on, real-life firewall experience:
As an IT Security Engineer, I received a high-priority call from a large corporate company, and the last message was "Server was hacked!" When I got there, I found out that one of the main servers had a user and a directory created that no one in the company could identify.

There was a high-end firewall installed but, guess what, there was only one rule set: Allow All (meaning as good as no firewall). Period. Naturally, we (the security company) came in and did a technical security assessment (audit). Further, we recommended and implemented the appropriate server hardening, firewall reconfiguration, IPS (Intrusion Prevention System), anti-virus and user security training, and this company became one of our long-lasting major customers.
So the lesson learned is to install a firewall and get the rules working for you. It will do you good.
The firewall acts as the first line of defence against Internet attacks. A typical firewall interfaces with three types of network: the Internet (external), the internal network and the DMZ (demilitarized zone).
Some of the features of a firewall which should be configured include the following:
Able to be configured to be invisible to external parties: do not answer "pings" (ICMP echo requests) from the Internet.
Administrator password must be at least 8 alphanumeric characters (longer is better) and held tightly by a person you trust.
Tight packet filter rules (a must). They act by inspecting the network packets travelling through the firewall; it is something like a post office between the Internet and your office servers/PCs. If a packet matches a rule that says it is fine to pass through, the packet filter passes it on to your internal PCs/servers. If no rule allows it, the packet filter drops the packet (discards it silently) or rejects it (discards it and sends an error response to the source). Bottom line: ensure the rules are configured properly, with "deny" as the default for anything not explicitly allowed.
SYN protection: ensure this protection is enabled to protect against a SYN flood attack.
Typically a connection between a PC and a server is established by the TCP "three-way handshake". The sender PC sends a packet with the SYN flag set, the receiving server replies with a SYN-ACK, and the sender PC answers with an ACK. Once these three steps are done the connection is established, and the PC and server can go about the business of the application, e.g. FTP.
Now an intruder keeps sending the server SYN packets (usually from spoofed source addresses) and never completes the handshake. The server holds each of these half-open connections in its backlog while waiting for the final ACK. The denial of service occurs when the backlog is full: the server cannot handle the load and denies legitimate connections. SYN protection (typically SYN cookies or a SYN proxy on the firewall) avoids storing state for every half-open connection, so the flood no longer exhausts the backlog.
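The handshake and flood described above, as an added simulation written for this page (not code from the original post). It models the server's backlog of half-open connections and a SYN-cookie variant of the "SYN protection" recommended above; the backlog size, addresses and cookie secret are assumed values, and timers, retransmissions and TCP options are left out.

```python
"""Toy model of the TCP three-way handshake and a SYN flood.

Constructed simulation for illustration (not code from the original post).
It models the server's table of half-open connections (the SYN backlog),
shows why a flood of SYNs that are never completed denies service, and
shows how SYN cookies (one common form of "SYN protection") avoid keeping
per-SYN state. Timers, retransmissions and TCP options are left out.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

BACKLOG_SIZE = 8                # assumed, deliberately tiny so the flood is visible
SECRET = b"constructed-secret"  # assumed server secret used to derive SYN cookies


@dataclass
class Server:
    syn_cookies: bool = False
    next_isn: int = 1000
    half_open: dict = field(default_factory=dict)   # (src_ip, src_port) -> (client_isn, server_isn)
    established: set = field(default_factory=set)
    dropped_syns: int = 0

    def _cookie(self, src, client_isn):
        """Derive the server ISN from the connection tuple instead of storing state."""
        msg = f"{src[0]}:{src[1]}:{client_isn}".encode()
        digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
        return int.from_bytes(digest[:4], "big")

    def recv_syn(self, src, client_isn):
        """Step 1 (SYN) arrives; return the server ISN sent in step 2 (SYN-ACK),
        or None if the SYN had to be dropped because the backlog is full."""
        if self.syn_cookies:
            return self._cookie(src, client_isn)       # nothing stored per SYN
        if len(self.half_open) >= BACKLOG_SIZE:
            self.dropped_syns += 1
            return None
        server_isn = self.next_isn
        self.next_isn += 64000
        self.half_open[src] = (client_isn, server_isn)  # half-open until the ACK arrives
        return server_isn

    def recv_ack(self, src, client_isn, ack_num):
        """Step 3 (ACK) arrives; it must acknowledge server ISN + 1."""
        if self.syn_cookies:
            ok = ack_num == self._cookie(src, client_isn) + 1   # recompute, no table lookup
        else:
            entry = self.half_open.pop(src, None)
            ok = entry is not None and ack_num == entry[1] + 1
        if ok:
            self.established.add(src)
        return ok


def handshake(server, src, client_isn=1):
    """A legitimate client performing all three steps. Returns True if connected."""
    server_isn = server.recv_syn(src, client_isn)
    if server_isn is None:
        return False                                    # SYN dropped: backlog full
    return server.recv_ack(src, client_isn, server_isn + 1)


def syn_flood(server, count):
    """Attacker sends SYNs from spoofed sources and never answers the SYN-ACKs."""
    for i in range(count):
        spoofed_src = (f"198.51.100.{i % 250 + 1}", 40000 + i)   # constructed addresses
        server.recv_syn(spoofed_src, 7)


def demo(syn_cookies):
    """Flood the server, then let one legitimate client try to connect."""
    server = Server(syn_cookies=syn_cookies)
    syn_flood(server, 100)
    legit = handshake(server, ("203.0.113.10", 51000))
    return {
        "half_open": len(server.half_open),
        "dropped_syns": server.dropped_syns,
        "legit_connected": legit,
    }


if __name__ == "__main__":
    print("without SYN cookies:", demo(False))
    print("with SYN cookies:   ", demo(True))
```

Without cookies the first eight spoofed SYNs fill the backlog and every later SYN, including the legitimate client's, is dropped; with cookies the server stores nothing until a valid ACK arrives, so the same flood costs it only some CPU and the legitimate client connects. Real stacks also time out and retransmit half-open entries, which the toy leaves out.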
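To make the "Allow All" rule set from the incident and the tight packet filter rules listed above concrete, here is an added example written for this page (not code from the original post or any firewall vendor's syntax): a toy first-match packet filter for the Internet/DMZ/internal layout, with the single allow-all rule beside a default-deny rule set. The zone names, ports and sample packets are assumed.

```python
"""Toy stateless packet filter for the three-zone layout (Internet, DMZ, internal).

Constructed example (not code from the original post or any vendor's rule
syntax). Rules are evaluated top to bottom, the first match wins, and a
packet that matches nothing is dropped: the default is deny. Zone names,
ports and the sample packets are all assumed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_zone: str               # "internet", "dmz" or "internal"
    dst_zone: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept", "drop" (silent) or "reject" (error sent to source)
    src_zone: str = "any"
    dst_zone: str = "any"
    proto: str = "any"
    dst_port: Optional[int] = None   # None matches every port

    def matches(self, p: Packet) -> bool:
        return (
            self.src_zone in ("any", p.src_zone)
            and self.dst_zone in ("any", p.dst_zone)
            and self.proto in ("any", p.proto)
            and (self.dst_port is None or self.dst_port == p.dst_port)
        )


def filter_packet(rules, packet):
    """First matching rule decides; no match means drop (implicit default deny)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "drop"


# The single rule found on the compromised site: everything passes.
ALLOW_ALL = [Rule("accept")]

# A tighter set for the same layout. A real firewall tracks connection state,
# so "accept" here stands for "allow this flow and its replies".
HARDENED = [
    Rule("drop", src_zone="internet", proto="icmp"),                                 # no pings from outside
    Rule("accept", src_zone="internet", dst_zone="dmz", proto="tcp", dst_port=443),  # public web server
    Rule("accept", src_zone="internet", dst_zone="dmz", proto="tcp", dst_port=25),   # inbound mail relay
    Rule("accept", src_zone="dmz", dst_zone="internal", proto="tcp", dst_port=3306), # web tier to database only
    Rule("accept", src_zone="internal", dst_zone="dmz"),                             # staff manage DMZ hosts
    Rule("accept", src_zone="internal", dst_zone="internet", proto="tcp", dst_port=443),
    Rule("reject", src_zone="internal"),   # inside users get an error instead of a silent timeout
    # anything else, e.g. Internet -> internal, falls through to the implicit drop
]

# Constructed traffic samples.
SAMPLE = {
    "ping from internet":        Packet("internet", "dmz", "icmp"),
    "https to dmz web":          Packet("internet", "dmz", "tcp", 443),
    "ssh from internet to dmz":  Packet("internet", "dmz", "tcp", 22),
    "rdp from internet inside":  Packet("internet", "internal", "tcp", 3389),
    "dmz to internal database":  Packet("dmz", "internal", "tcp", 3306),
    "dmz to internal smb":       Packet("dmz", "internal", "tcp", 445),
    "internal https out":        Packet("internal", "internet", "tcp", 443),
    "internal telnet out":       Packet("internal", "internet", "tcp", 23),
}


def evaluate(rules):
    """Run every sample packet through a rule set; returns name -> action."""
    return {name: filter_packet(rules, pkt) for name, pkt in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("allow-all", ALLOW_ALL), ("hardened", HARDENED)):
        print(label)
        for name, action in evaluate(rules).items():
            print(f"  {action:6}  {name}")
```

Under ALLOW_ALL every sample passes, including RDP from the Internet straight to the internal network, which is exactly how an unknown user can end up on a main server. Under HARDENED the same packet falls through to the default drop, inside users who try a forbidden protocol get a reject so they know why it failed, and because the first match wins, the order of the rules is part of the policy.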
IPS
Nowadays a firewall alone is not adequate to protect the network. It should be complemented with an IPS, which uses regularly updated signatures to make access control decisions based on application content, rather than only on IP addresses and ports as traditional firewalls do.
Gabriel Ng is a professional IT Security Consultant, IT Auditor (CISSP) and author of [http://www.comsectutorial.com]. The site is set up to provide information and recommendations on hacking prevention and on controls to minimise security threats from viruses, trojans, spyware and hacking, based on real-life experience gained while conducting security assessments and penetration tests.
