Search Our Site

Our Newsletter

Our Ramblings

Are Home Firewalls Really That Important?

In the latter stages of the 2nd decade of the 21st century, our homes have not really changed that much from those of our parents. Aside from a new predominance of cheap throwaway furniture, todays house is largely similar to that of the 70’s. Similar, that is, until we change our point of view, examining not the visible spectrum but rather the electromagnetic spectrum. working-from-home_colorThe past 20 years have seen an explosion in our use of the airwaves and that change has not stopped at our front doors. Todays homes are filled with an argosy of gadgets, many of which independently communicate without any intervention from their human hosts. Indeed, whilst the home of the 70’s was equipped with two main communications channels, namely the desktop telephone and the front door, the contemporary home has been unrecognisably changed by the communications revolution. It is the network which has been the real change across the years, allowing us to reach out in countless different ways but also, quietly, allowing the world to reach in.

And reach in it does.

The latest Government Security Breaches Survey found that nearly three-quarters (74%) of small organisations reported a security breach in the last year; an increase on the 2013 and 2014 survey. SMEs are now being pinpointed by digital attackers. If SMEs are being targeted, rest assured that home networks are too.

So how do we protect our homes? Well, the picture isn’t as bleak as it may seem. Most ISP’s provide equipment which has a built in firewall. Firewalls form your home network’s primary defence against online security risks, and can therefore considerably boost your peace of mind concerning your network security. Without any human intervention, the stock firewall set at its default settings is pretty effective. It basically blocks everything from the outside unless it was requested by something on the inside. So far so good you may think, and you’d be right, however its that sticky part about human intervention that hides the real danger. People feel the need to change their firewall settings. Not only that, they download dodgy code, click dodgy links and generally just circumvent all that good security the firewall was designed to provide. Before long the network security is full of holes and the world starts reaching in.

Home networks are becoming ever more complex and the paucity of good quality consumer grade network equipment speaks volumes about our inevitable prioritisation of cost above just about anything. ocean-digital-home-upnp-dlna-font-b-network-b-font-font-b-device-b-font-newsIn their race to the bottom, home network equipment manufacturers need to keep their costs to the bare minimum. They do this by using free vulnerable operating systems which have no simple mechanism to ever be upgraded or more importantly fixed. Theres no getting around the fact that our homes are full of and will continue for quite some time to be full of network equipment that is of a shockingly low security standard.

This brings us nicely back to the question of the home firewall. Yes, generic router firewalls are great out of the box but they only look outwards and never inwards. It is becoming increasingly apparent that home networks which are basically the same as small business networks require better. Low cost solutions do exist and they are effective. For example for those with a spare PC hanging around, the option exists to install a free software firewall (e.g. Sophos XG Home Edition) but its far from an elegant solution to keep a dedicated PC powered up 24×7 and it is one which few consumers would countenance. Other dedicated hardware solutions exist of course but they can be expensive and are in all likelihood, business solutions. Sadly, for the consumer, the choice to manage a firewall in the home is still the preserve of the nerdy computer enthusiast who, ironically is probably less vulnerable than most.

legislationFor now the discussion remains unresolved. It is unlikely that the consumer will find it in their gift to look beyond cost to something that keeps their online lives secure enough and it will likely therefore fall to some broader agency to act. Whether that agency turns out to be the government, the banks who perhaps have most to lose, or some other combination of private sector collaborators remains to be seen. One thing however is certain. The problem is going to get worse before it gets better and it will probably take some form of paradigm shift in public perception for the motivation to be found.

Lets hope the cause of the paradigm shift isn’t too painful.

IT Security

itsecToday’s IT security teams are faced with rapidly mutating threats at every possible point of entry – from the perimeter to the desktop; from mobile to the cloud. Fueled by the fast evolution of the threat landscape and changes in network and security architectures, network security management is far more challenging and complex than just a few years ago.

Security teams must support internal and external compliance mandates, enable new services, optimize performance, ensure availability, and support the ability to troubleshoot efficiently on demand—with no room for error. That’s a lot to balance when managing network security.

The Nessus Vulnerability Scanner

In computer security, Nessus is a proprietary comprehensive vulnerability scanning program. It is free of charge for personal use in a non-enterprise environment. Its goal is to detect potential vulnerabilities on the tested systems. For example:

  • Vulnerabilities that allow a remote cracker to control or access sensitive data on a system.
  • Misconfiguration (e.g. open mail relay, missing patches, etc).
  • Default passwords, a few common passwords, and blank/absent passwords on some system accounts. Nessus can also call Hydra (an external tool) to launch a dictionary attack.
  • Denials of service against the TCP/IP stack by using mangled packets
  • Preparation for PCI DSS audits

On UNIX (including Mac OS X), it consists of nessusd, the Nessus daemon, which does the scanning, and nessus, the client, which controls scans and presents the vulnerability results to the user.
According to surveys done by sectools.org, Nessus is the world’s most popular vulnerability scanner, taking first place in the 2000, 2003, and 2006 security tools survey. Tenable estimates that it is used by over 75,000 organizations worldwide.

In typical operation, Nessus begins by doing a port scan with one of its four internal portscanners (or it can optionally use Amap or Nmap) to determine which ports are open on the target and then tries various exploits on the open ports. The vulnerability tests, available as subscriptions, are written in NASL (Nessus Attack Scripting Language), a scripting language optimized for custom network interaction.

Tenable Network Security produces several dozen new vulnerability checks (called plugins) each week, usually on a daily basis. These checks are available for free to the general public; commercial customers are not allowed to use this Home Feed any more. The Professional Feed (which is not free) also give access to support and additional scripts (audit and compliance tests…).
Optionally, the results of the scan can be reported in various formats, such as plain text, XML, HTML and LaTeX. The results can also be saved in a knowledge base for debugging. On UNIX, scanning can be automated through the use of a command-line client. There exist many different commercial, free and open source tools for both UNIX and Windows to manage individual or distributed Nessus scanners.
If the user chooses to do so (by disabling the option ‘safe checks’), some of Nessus’s vulnerability tests may try to cause vulnerable services or operating systems to crash. This lets a user test the resistance of a device before putting it in production.
Nessus provides additional functionality beyond testing for known network vulnerabilities. For instance, it can use Windows credentials to examine patch levels on computers running the Windows operating system, and can perform password auditing using dictionary and brute force methods. Nessus 3 and later can also audit systems to make sure they have been configured per a specific policy, such as the NSA’s guide for hardening Windows servers.

 

Q. What is included in the Nessus download?
A. When you download Nessus, you receive the Nessus 4.4 scanning engine (server) that includes a flash web-based client. To receive updates under either a ProfessionalFeed or HomeFeed, you will need to register your scanner.

Q. What OS platforms does Nessus have builds for?
A. Nessus 4.4 is available and supported for a variety of operating systems and platforms:
Debian 5 (i386 and x86-64)
Fedora Core 12, 13 and 14 (i386 and x86-64)
FreeBSD 8 (i386 and x86-64)
Mac OS X 10.4, 10.5 and 10.6 (i386, x86-64, ppc)
Red Hat ES 4 / CentOS 4 (i386)
Red Hat ES 5 / CentOS 5 / Oracle Linux 5 (i386 and x86-64)
Red Hat ES 6 / CentOS 6 (i386 and x86-64) [Server, Desktop, Workstation]
Solaris 10 (sparc)
SuSE 9.3 (i386)
SuSE 10.0 and 11 (i386 and x86-64)
Ubuntu 8.04, 9.10, 10.04 and 10.10 (i386 and x86-64)
Windows XP, Server 2003, Server 2008, Server 2008 R2, Vista and 7 (i386 and x86-64)

Q. What does Nessus 4.4 cost?
A. The Nessus 4.4 scanner is available as a free download.

Q. Where can I go for more information?
A. If you still have questions about Nessus 4.4, feel free to contact us, visit http://www.rustyice.co.uk/ or post to us via our contact link.

The Problem of Tailgating in Secured Buildings

One of the biggest weaknesses of automated access control systems is the fact that most systems cannot actually control how many people enter the building when an access card is presented. Most systems allow you to control which card works at which door, but once an employee opens the door, any number of people can follow behind the employee and enter into the building. Similarly, when an employee exits the building, it is very easy for a person to grab the door and enter the building as the employee is leaving.

This practice is known as “tailgating” or “piggybacking”. Tailgating can be done overtly, where the intruder makes his presence known to the employee. In many cases, the overt “tailgater” may even call out to the employee to hold the door open for him or her. In these cases, good etiquette usually wins out over good security practices, and the intruder is willingly let into the building by the employee.

Tailgating can also be done covertly, where the intruder waits near the outside of the door and quickly enters once the employee leaves the area. This technique is used most commonly during weekends and at nights, where the actions of the more overt tailgater would be suspicious.

Solutions To The “Tailgating” Problem

First, recognize that the tailgating problem is probably the biggest weakness in your security system. This is particularly true at doors that handle a high volume of employee and visitor traffic. Many security managers spent a lot of time worrying about unauthorized duplication of access cards and computer “hackers” getting into their security system over the network. It is far more likely that someone who wants access to your facility will simply “tailgate” into the building rather than using one of these more exotic methods to breach your security.

The practice of overt tailgating can be reduced somewhat through employee security awareness training. If employees are frequently reminded of the tailgating problem, they are less likely to let a person that they do not know into the building deliberately.

It is difficult to overcome the problem of covert tailgating through employee security awareness alone. While it would be possible to ask employees to wait at the door until it locks after they pass, it is probably not likely that this procedure would be followed except under the most extreme circumstances.

The problem of covert tailgating can usually only be reliably solved through the use of special “anti-tailgating” devices.

“Anti-Tailgating” Devices

To minimize the problem of tailgating, the security industry has created a number of “anti-tailgating” devices. These devices include mechanical and optical turnstiles, security revolving doors, security portals, and doorway anti-tailgating devices.

The essential function of each of these devices is that they permit only one person to enter or leave the building at a time. They either do this by providing a physical barrier that only allows one person to pass, or electronically by providing sensors that detect when a person attempts to tailgate in, or when more than one person tries to enter using the same card.

The following is a brief summary of each of the common types of anti-tailgating devices:

HALF-HEIGHT MECHANICAL TURNSTILE

  • Approximate cost: |£2,000 to £3,500 per opening.
  • PROS: Lowest cost anti-tailgating device, readily accepted by most users, relatively unobtrusive, well-proven and reliable.
  • CONS: Can easily be climbed over or under, requires separate door or gate for emergency exit and for handicapped users, easily defeated by knowledgeable intruder.
  • Comments: Good choice for visitor lobbies or employee entrances that are constantly attended by a security officer and where cost is a consideration.

FULL-HEIGHT MECHANICAL TURNSTILE

  • Approximate cost: £3,500 to £5,000 per opening.
  • PROS: Provides good security at a moderate cost. Well-proven and reliable.
  • CONS: Obtrusive in appearance, requires separate door or gate for emergency exit and for handicapped users, lacks sophisticated anti-piggybacking detection features.
  • Comments: Good choice for commercial and industrial facilities where security and cost considerations are more important than appearance.

OPTICAL TURNSTILE

  • Approximate cost: £11,000 to £15,000 per opening.
  • PROS: Aesthetically-pleasing appearance, accommodates handicapped users, does not require separate emergency exit, has sophisticated anti-piggybacking detection systems, provides good visual and audible cues to users.
  • CONS: Expensive, provides little or no physical barrier, must be used at an entrance manned by security guard, relatively high “false alarm” rate.
  • Comments: Good choice for use in manned building lobbies where aesthetics prevent the use of a half-height manual turnstile.

SECURITY REVOLVING DOOR

  • Approximate cost: £22,000 to £38,000 per opening.
  • PROS: Provides best protection against tailgating and piggybacking, fast, handles high volumes of traffic, unobtrusive in appearance, provides energy savings when used at exterior entrances.
  • CONS: Very expensive, requires separate door or gate for emergency exit and for handicapped users, door cannot be used for loading/unloading of large objects, relatively high maintenance costs.
  • Comments: Good choice for use at unattended building entrances where appearance is important.

SECURITY PORTAL

  • Approximate cost: £22,000 to £38,000 per opening.
  • PROS: Provides good protection against tailgating and piggybacking, unobtrusive in appearance, accommodates handicapped users, does not require separate emergency exit, allows load/unloading of large objects.
  • CONS: Very expensive, relatively slow, cannot support large volumes of traffic, high maintenance costs.
  • Comments: Good choice for use at unattended building entrances with relatively low traffic volumes and for entrances into high security internal areas, such as computer rooms.

DOORWAY ANTI-TAILGATING DEVICE

  • Approximate cost: £3,000 to £5,000 per opening.
  • PROS: Easy add-on to existing doors; provides good protection against tailgating and piggybacking, unobtrusive in appearance, accommodates handicapped users, does not require separate emergency exit, allows loading/unloading of large objects, relatively inexpensive.
  • CONS: Must be used at an entrance manned by security guard, does not provide good visual and audible cues to users.
  • Comments: Good choice for use at doorways with relatively low traffic volumes and where conditions do not permit the use of another type of device.

Other Anti-Tailgating Systems

There are several new anti-tailgating detection systems on the market. These include closed-circuit television camera systems equipped with video analytics software, and machine vision sensors that use infrared imaging technology. Both of these systems “look” at the entrance point and use computer software to detect tailgaters. Once a tailgater is detected, an audible alarm is activated to alert the security guard.

While this new technology looks promising in the long run, it is our opinion that these systems are still too new and unproven for use in most applications.

Have additional questions about the prevention of tailgating?  Please contact us.