Wednesday, February 29, 2012

Security Incident Response


UNIX System

Purpose:

This document is to serve as a “guide” for SIRT personnel when encountering a possibly compromised Unix/Linux system and in no way serves as an absolute requirement to perform every task listed within. The SIRT personnel shall apply best effort to acquire as much information as possible within a minimal amount of time in order to identify, contain and eradicate any security threat and minimize its effects on the organization.

Identification Phase:

Note: Depending on the OS distribution, version and configuration, some items may be located in different areas or not present on the host.

Vital Data to Collect

Run “script {hostname}.txt”
Run “date >> systeminfo.txt”
Run “w >> systeminfo.txt”
Run “last >> systeminfo.txt”
Run “lastlog >> systeminfo.txt”
Run “uname -a >> systeminfo.txt”
Run “ls / -alRu > atime.txt”
Run “ls / -alRc > ctime.txt”
Run “ls / -alR > mtime.txt”
Run “ps -aux > process.txt” (Solaris “ps -eaf > process.txt”)
Run “netstat -an > netstat.txt”
Run “netstat -anp > netstatp.txt” (Solaris “lsof -i > netstatp.txt”)

Area to look for compromise

The section below is a list of areas that you may want to look at for indications of compromise. This list is not all inclusive, and depending on the host some of the items below may or may not be present on the host or in the location indicated.
Is a sniffer installed? Check to see if the network card is in promiscuous mode
    • ifconfig -a (root access)
System Logs (/var/adm or /var/log)
    • /var/log/httpd/access_log check web logs access to webserver
    • syslog look for anomalies in the file
    • xferlog ftp transfer log
    • messages look for anomalies in the file

System Configuration
    • /etc/passwd to look for unauthorized users accounts or privileges
    • /etc/shadow to ensure every account requires password authentication (root access)
    • /etc/group to look for escalation in privileges and scope of access
    • /etc/hosts to list the local DNS entries
    • /etc/hosts.allow and /etc/hosts.deny to check TCP Wrapper rules
    • /etc/crontab
    • /etc/inetd.conf and xinetd.conf to list the services initiated by the config files

Final Steps

Stop “script” command by using control-D
Run “md5sum * > md5sum.txt” on all files collected
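As an added illustration (not part of the original checklist), the Python script below runs the vital-data commands and the final hashing step above in order, writing each result into a case directory. It assumes a Linux userland with the tools named in the checklist (a tool that is missing on a host is recorded in the output rather than aborting), that the case directory is on external media or a remote mount rather than the suspect disk, and that the binaries it invokes are trusted copies, since ps, netstat and ls on a compromised host may have been replaced. The output file names follow the checklist; the run_step, checklist and collect_volatile function names are this example's own.

```python
"""Added example, not part of the original checklist: runs the "Vital Data to
Collect" commands and the md5sum final step in order into a case directory.
Assumptions: Linux userland; missing tools are noted, not fatal; the case
directory is on external media, not the suspect disk; the binaries are
trusted copies. Run it inside the checklist's "script" session."""
import datetime
import hashlib
import shutil
import subprocess
from pathlib import Path


def checklist(root="/"):
    """(label, output file, argv) in checklist order; "ps aux" is the BSD-style "ps -aux"."""
    return [
        ("date",     "systeminfo.txt", ["date"]),
        ("w",        "systeminfo.txt", ["w"]),
        ("last",     "systeminfo.txt", ["last"]),
        ("lastlog",  "systeminfo.txt", ["lastlog"]),
        ("uname",    "systeminfo.txt", ["uname", "-a"]),
        # Access times first: reading a directory can update that directory's
        # own atime, so the later listings would disturb what this one records.
        ("atime",    "atime.txt",      ["ls", "-alRu", root]),
        ("ctime",    "ctime.txt",      ["ls", "-alRc", root]),
        ("mtime",    "mtime.txt",      ["ls", "-alR", root]),
        ("ps",       "process.txt",    ["ps", "aux"]),
        ("netstat",  "netstat.txt",    ["netstat", "-an"]),
        ("netstat",  "netstatp.txt",   ["netstat", "-anp"]),
        ("ifconfig", "ifconfig.txt",   ["ifconfig", "-a"]),  # PROMISC flag = sniffer check
    ]


def run_step(label, outfile, argv):
    """Append argv's output to outfile under a timestamped header; never raise.

    Returns True when the command ran and exited 0, False otherwise."""
    stamp = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    with open(outfile, "ab") as fh:
        fh.write(f"### {label} ({stamp})\n".encode())
        if shutil.which(argv[0]) is None:
            fh.write(f"### {argv[0]}: command not found on this host\n".encode())
            return False
        fh.flush()  # keep the header ahead of the child's output in the file
        proc = subprocess.run(argv, stdout=fh, stderr=subprocess.STDOUT)
        if proc.returncode != 0:
            fh.write(f"### {label} exited {proc.returncode}\n".encode())
        return proc.returncode == 0


def collect_volatile(casedir, root="/"):
    """Run the checklist into casedir; return {filename: md5} of the collected files."""
    case = Path(casedir)
    case.mkdir(parents=True, exist_ok=True)
    for label, outfile, argv in checklist(root):
        run_step(label, case / outfile, argv)
    # Final step: md5sum * > md5sum.txt, so later tampering with the evidence shows.
    digests = {}
    for path in sorted(case.iterdir()):
        if path.name != "md5sum.txt" and path.is_file():
            digests[path.name] = hashlib.md5(path.read_bytes()).hexdigest()
    with open(case / "md5sum.txt", "w") as fh:
        for name, digest in digests.items():
            fh.write(f"{digest}  {name}\n")
    return digests


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "./case"
    for name, digest in collect_volatile(target).items():
        print(digest, name)
```

Pass the case directory (on your external media) as the first argument. The root argument of collect_volatile exists so the script can be tried on a small directory tree before it is pointed at “/” on a real host.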

Explanation of the collection of data.


When performing an analysis of a live Unix system for signs of compromise, all efforts should be made to collect as much vital data as is feasible. Vital data is the data that would be lost if the system were powered off, i.e. the processes currently running on the system, network connections, who is currently logged on to the system, etc.
Command: script {hostname}.txt
Records the active terminal session to a file named after the host. It can later be printed with the lpr command. To exit from the script command, press control-D, or exit or logout from the terminal shell.
Command: date >> systeminfo.txt
Documenting the date and time of the system is critical. It provides the incident responder with a time reference to gauge and compare activity discovered on the system.
Command w >> systeminfo.txt
Identifies who is currently logged on the system by displaying the user IDs of the logged on users, what system they logged on from and what they are currently executing on the system.
Command last >> systeminfo.txt
Searches back through the binary file /var/log/wtmp and saves a list of all users logged in (and out) of the host since the file was created to the systeminfo.txt file.
Command lastlog >> systeminfo.txt
Formats and prints content of the binary last login log /var/log/lastlog file to the systeminfo.txt file.
Command uname -a >> systeminfo.txt
Saves system information, i.e. kernel name, kernel version, operating system, version, etc., to the systeminfo.txt file.
Command ls / -alRu > atime.txt
Lists the “access times” of the files in the “/” (root) directory and below. Saves the results to the “atime.txt” file.

Command ls / -alRc > ctime.txt
Lists the “change times” of the files in the “/” (root) directory and below. Saves the results to the “ctime.txt” file.

Command ls / -alR > mtime.txt
Lists the “modification times” of the files in the “/” directory and below. Saves the results to the “mtime.txt” file.

Command netstat -an > netstat.txt
Enumerates the open ports on the system and writes the results to the netstat.txt file.
Command netstat -anp > netstatp.txt
Enumerates the open ports on the system along with the name of the application and its process ID (PID) mapped to each open port.


Monday, February 27, 2012

Password Management


One Password to Rule Them ALL!!!!

If a website that you use is compromised by an attacker and they get access to your login information for that website, will they be able to access other websites with that information?

One of the best security practices that anyone can follow, besides creating a secure password, is not using that same secure password on multiple websites. This will greatly reduce the damage that can be done to you by an attacker who has compromised a website that contains your information. If you are using secure passwords, it may become a challenge to manage multiple passwords for multiple resources. This is when a password management application can be very helpful.

Password management applications are applications designed to securely store your passwords for multiple resources. The password management application is usually protected by a master password that allows you to view all the other passwords stored within the application – One Password to Rule Them All!!!

Password management applications may be installable on your desktop or mobile device, or accessible via the web. Many password management applications use some form of encryption to store the passwords securely in a database, have the ability to generate passwords for you, integrate with your local web browser and can be synced between multiple installations. There are many of these password management applications you can choose from, but there is nothing like the ones below that are FREE. :)

The following applications are listed in no particular order of preference.

Lastpass

Probably the most widely supported application on the market, Lastpass is available for Windows, Mac OS, iPhone/iPad, Linux, WebOS, Android, Symbian, and BlackBerry OS systems. Lastpass also includes browser integration with all major web browsers (IE, Firefox, Safari, Chrome and Opera) and is accessible from the web, so you will never be without access to your passwords when you need them. Some of the major features of Lastpass consist of:
  • Synchronization between multiple browsers and computers on which you may have installed Lastpass, so if you make a change on one system all other installations will be updated with the latest information.
  • Ability to generate strong random passwords
  • Ability to share login information securely with others
  • Export your data
  • Import data from other application
  • Accessible from the Internet
  • Backup and Restore features
Cons – Some installations of Lastpass (non-Desktop installations) require you to subscribe to the premium version of Lastpass but for some that is a small price to pay to have your password synced across multiple devices.

KeePass

As an open source application that is supported by the Internet community, KeePass is totally 100% free; all features and installation versions are free. KeePass supports Windows, Mac OS, Linux, iPhone/iPad, Android, J2ME mobile phones and PalmOS. KeePass also supports some unique installation options such as PortableApps Suite, U3 Devices, Preinstalled Environments (PE), Parted Magic and Spoon.
Some of the major features of KeePass consist of:
  • Portable and No Installation Required - Accessibility
  • Multi-Language Support
  • Strong Random Password Generator
  • Export your data
  • Import your data from multiple formats
  • Open Source – source code available for you to compile yourself
Cons – Does not sync passwords across multiple installations, but you may be able to use a file sync service like Dropbox to sync the database file. You have to manually back up the database file.

Password Safe

As another open source application that is supported by the Internet community, Password Safe is also free for desktop use but also supports a Disk-on-Key and U3 version. Currently it only officially supports Windows but has a Linux beta. Some of the major features of Password Safe consist of:
  • Multi-Language Support
  • Export your data
Cons – The Disk-on-Key and U3 versions are not free, but all purchases include free upgrades for one year from the date of purchase. Does not support Mac OS.

Sunday, February 12, 2012

Password Strength

How secure is your password from being compromised?

The average user will create a password using one of the following:
  • Name of a family member
  • A pet’s name
  • Favorite sports team
  • Yours or a family member birthday

They may also try to make that password “more” secure by substituting vowels with numbers, adding numbers behind it, or a combination of the two. Attackers can use a process known as a dictionary attack to try to guess your password. There are publicly available dictionary files on the Internet that consist of thousands of entries such as commonly used passwords, names, and word combinations, which attackers can use to reveal your password if it happens to be one of the entries in the dictionary file. Depending on where your password is used, i.e. a password-protected file or a site/system that does not lock the account if you enter the password incorrectly too many times, attackers can use what is known as a brute force attack, which essentially tries every combination of characters for each position, at a cost of time that depends on the length of the password. So if your password was one character, the brute force attack could need to try up to 62 characters to guess your password.

[A->Z->a->z->0->9]
Upper Case Letters 26
Lower Case Letters 26
Numbers 10

Total Characters 62

For a system that is able to process 500,000 passwords per second, it would take that system up to a minute to guess your password using a brute-force attack. The time required for a brute-force attack grows exponentially with the length of the password. For that same system, the following is the time it will take to brute force passwords of the following lengths:

4-character password: a brute force attack will take up to a minute
5-character password: a brute force attack will take up to 31 minutes
6-character password: a brute force attack will take up to 32 hours
7-character password: a brute force attack will take up to 82 days
12-character password: a brute force attack will take up to 207450281 years

Brute Force times were calculated using a password calculator from LastBit http://lastbit.com/pswcalc.asp

Note: Adding a special character to your password such as !@#$%^&*()_+? will also increase the time of a brute-force attack example:

A 5-character password will now take up to 74 minutes instead of 31 minutes without special characters.

Picking a secure password

So the best way to make sure your password will not be compromised is by selecting a secure password using the following guidelines:

  • Select a strong 6- or 7-character password, then double it (type it twice). You now have a 12- or 14-character password but only really have to remember 6 or 7 characters.
  • If the system allows it, always include a special character, i.e. !@#$%&. It is normally best to start your password with the special character because it can throw off password crackers before they even start to guess your password.
  • Don't use any of the following for your password; you want your password to be as random as possible so that it can't be easily guessed just by knowing information about you:
      • Name of a family member
      • A pet’s name
      • Favorite sports team
      • Yours or a family member birthday
  • Try to avoid using the same password for multiple sites and systems.

By following the above guidelines, you will greatly increase the strength of your password.

Test your password strength using the Microsoft password strength page that can be found at the URL below, or determine how long it would take someone to attack your password using brute force via the GRC Interactive Brute-force Password Search Space Calculator. Double your password and see how it greatly increases the security of your password.

GRC's Interactive Brute Force Password “Search Space” Calculator

Monday, February 6, 2012

pfSense Log Analysis with Splunk


Customizing Splunk to parse pfSense logs

For those Basement PC Techs (BPCT) out there that want to send their pfSense traffic to Splunk, or have tried and realized that Splunk doesn't automatically parse the logs as it should: well, I have good news for you. I have created the necessary configuration that will allow Splunk not only to parse your data but to parse it the way you want to see your firewall traffic in Splunk, by the following fields:

Source IP
Source Port
Destination IP
Destination Port
Protocol
Action (Pass or Block) 


The pfSense log for each firewall event is split into two lines when it is sent to Splunk, which Splunk doesn't automatically recognize. By editing two configuration files you can configure Splunk to treat the two lines of a pfSense event as one so it can be parsed correctly. The two files that we will create/edit are props.conf and transforms.conf. Each file will need to be created (or edited if one already exists) in the following location:

$SPLUNK_HOME/etc/system/local/
props.conf

The props.conf file is where we will configure Splunk to recognize the multi-line events sent from pfSense as one. If you want more detail on the purpose of the props.conf file, please see the Splunk website: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Propsconf

  1. Create / Edit a props.conf file in $SPLUNK_HOME/etc/system/local/
  2. Cut and paste the following into the props.conf file:

[syslog]
SHOULD_LINEMERGE = true
TRUNCATE = 0
MUST_NOT_BREAK_AFTER = pf: .* rule ([-\d]+\/\d+)\(.*?\):
MUST_BREAK_AFTER = pf: .* (<|>) +(\d+\.\d+\.\d+\.\d+)\.?(\d*)\:
REPORT-pf2 = pf2

  3. Save the file

transforms.conf

The transforms.conf file is where we will configure Splunk to parse the pfSense events received into the fields we want to see. If you want more detail on what can be done with the transforms.conf file, please visit the Splunk website: http://docs.splunk.com/Documentation/Splunk/latest/Admin/Transformsconf


  1. Create / Edit a transforms.conf file in $SPLUNK_HOME/etc/system/local/
  2. Cut and paste the following into the transforms.conf file:

[pf2]
REGEX= .* (?<action>pass|block) .* (?<protocol>TCP|UDP|IGMP|ICMP) .* (?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] (?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)): (.*)

  3. Save the file
  4. Restart Splunk in order for the new changes to take effect.

Note: Although the above "REGEX" statement may show on multiple lines, it is actually all on one line. Ensure word wrap is off when you paste the text into your transforms.conf file or download the following transforms.conf from here.
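To see what the transforms.conf REGEX above actually extracts, here is an added Python example (not from the original post and not Splunk code) that runs the same pattern over three constructed pfSense pf events. Two assumptions are built in: Splunk's PCRE named groups (?<name>...) are rewritten to Python's (?P<name>...), and the merged event keeps the line break between the two syslog lines, so the pattern is compiled with DOTALL to let .* cross it. The sample events, their rule numbers and their addresses are made up for the example.

```python
"""Added example, not from the original post: apply the transforms.conf REGEX
to constructed two-line pfSense pf events and show the extracted fields.
Assumptions: (?<name>) is rewritten to Python's (?P<name>); merged events keep
the newline between their two lines, hence DOTALL."""
import re
from collections import Counter

# The REGEX line from transforms.conf, verbatim, split only for readability.
SPLUNK_REGEX = (
    r".* (?<action>pass|block) .* (?<protocol>TCP|UDP|IGMP|ICMP) .* "
    r"(?<src_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<src_port>(\d*)) [<|>] "
    r"(?<dest_ip>(\d+\.\d+\.\d+\.\d+))\.?(?<dest_port>(\d*)): (.*)"
)
# Python spells named groups (?P<name>...); the pattern is otherwise unchanged.
PF_EVENT = re.compile(SPLUNK_REGEX.replace("(?<", "(?P<"), re.DOTALL)

# Constructed sample events in the two-line pf syslog format, already merged
# into one event each the way props.conf tells Splunk to do (documentation
# addresses only).
SAMPLE_EVENTS = [
    "Feb  6 20:15:32 pfsense pf: 00:00:12.345678 rule 51/0(match): block in on em0: "
    "(tos 0x0, ttl 52, id 0, offset 0, flags [DF], proto TCP (6), length 60)\n"
    "Feb  6 20:15:32 pfsense pf:     203.0.113.10.54321 > 192.0.2.5.445: "
    "Flags [S], seq 123456789, win 65535, options [mss 1460], length 0",
    "Feb  6 20:15:40 pfsense pf: 00:00:00.000421 rule 3/0(match): pass out on em0: "
    "(tos 0x0, ttl 64, id 4321, offset 0, flags [DF], proto UDP (17), length 61)\n"
    "Feb  6 20:15:40 pfsense pf:     192.0.2.20.51234 > 198.51.100.1.53: "
    "[udp sum ok] 1234+ A? example.com. (33)",
    "Feb  6 20:15:41 pfsense pf: 00:00:00.000120 rule 51/0(match): block in on em0: "
    "(tos 0x0, ttl 48, id 7, offset 0, flags [none], proto ICMP (1), length 84)\n"
    "Feb  6 20:15:41 pfsense pf:     203.0.113.77 > 192.0.2.5: "
    "ICMP echo request, id 9, seq 1, length 64",
]

FIELDS = ("action", "protocol", "src_ip", "src_port", "dest_ip", "dest_port")


def parse_pf_event(event):
    """Return the six fields Splunk would extract, or None if the REGEX does not match.

    Ports come back as empty strings for ICMP/IGMP, exactly as the \\d* groups allow."""
    m = PF_EVENT.match(event)
    if m is None:
        return None
    return {field: m.group(field) for field in FIELDS}


def blocked_by_dest_port(events):
    """Count blocked events per destination port, the kind of tally a Splunk search would give."""
    tally = Counter()
    for event in events:
        record = parse_pf_event(event)
        if record and record["action"] == "block":
            tally[record["dest_port"]] += 1
    return tally


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(parse_pf_event(event))
    print("blocked by destination port:", dict(blocked_by_dest_port(SAMPLE_EVENTS)))
```

A log line that is not a pf event (sshd, dhcpd and so on) simply fails to match and is left without these fields, which is the behaviour you want from a REPORT extraction applied to the whole syslog sourcetype.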

Sunday, February 5, 2012

How to configure pfSense


The "webConfigurator" - pfSense basic setup part 2

Note: The following is a continuation of the How to Install pfSense posting.

1. Using your favorite browser, connect to your newly installed pfSense firewall via the LAN interface IP address. Type the IP address of the LAN interface in your browser and you should be presented with a “Security Issue/Warning” for the server's certificate. This is the warning that your browser gives you when it receives a security certificate that it cannot validate against a Certificate Authority; it is the browser's way of warning the end user that the site may be untrustworthy. During the installation of pfSense, a security certificate was created by the system, known as a self-signed certificate, so that a certificate is available to encrypt the connection between your web browser and the pfSense firewall.



2. If you take a closer look at the certificate that was issued to your browser, you will discover that the security certificate has the IP address of your pfSense firewall but all other identifying information is blank. Since this warning is to be expected because the security certificate was self-signed, and it does have the IP address of your pfSense firewall, you should have a good confidence level that this system is the pfSense firewall and not another system posing as your pfSense firewall. Accept the security certificate and continue to the site. (Note: It's never a good idea to accept any certificate issued to your browser that cannot be validated if you're surfing on the Internet.)




3. After accepting the security certificate, you should then be presented with the pfSense webConfigurator login screen. The first time you log into your pfSense firewall, the default username is “admin” with a password of “pfsense”. Log in to your pfSense firewall.



4. After successfully logging in to your pfSense firewall, you will be presented with the pfSense Status Dashboard, which provides a summary of your system information along with the status of your installed interfaces. The dashboard is configurable and can include additional information about other components of your pfSense firewall.



5. Let's continue configuring the pfSense firewall. From the System menu select Setup Wizard to start the pfSense setup wizard.


6. You should then be greeted with the pfSense setup wizard, click the Next button to continue.



7. Complete the “General Information” section and click the Next button when complete:
       

   
Hostname:
Enter the name of what you want to call your firewall

Domain
Unless you currently have a domain, create one that will be used on your local network.

Primary DNS Server & Secondary DNS Server:
Enter the IP Address of your local Internet Provider DNS Server or  third party DNS such as OpenDNS or leave it blank to have this information automatically provided via the Override DNS setting.

Override DNS:
If you prefer pfSense to use the Primary and Secondary DNS received from your Internet service provider, ensure that “Allow DNS server to be overridden by DHCP/PPP on WAN” check-box is checked.
       
8. Configure “Time Server Information”. 

Time server hostname:
Keep default

Timezone:
Change to your local time zone.




9. WAN Interface configuration. Unless you need to authenticate to your ISP when accessing the Internet, which is usually a requirement of some DSL providers, or there are other settings you need in order to access the Internet, this section can be bypassed. Just click the Next button.



10. Review the "Configure LAN Interface" screen. This screen can be left as default unless you want to change the IP Address scheme provided by pfSense to match a current IP Scheme being used on your or your client network. 


11. The "Set Admin WebGUI Password" screen. Enter a new pfSense “admin” user password. It is recommended that your password be longer than 7 characters and incorporate a combination of upper case/lower case letters, numbers and a special character such as !, #, %, etc. to make it strong.


12. Reload of pfSense web browser – After configuring a new password, pfSense will require you to log in again with the new password. Click the Reload button to refresh the screen and log in with your new password.


13. At the end of the “Setup Wizard” you will be presented with the pfSense “Wizard Completed” page, indicating that you have successfully completed the setup wizard and configured pfSense with the basic configuration to protect your and your client's network from the dangers of the Internet. Your pfSense firewall will automatically allow traffic destined for the Internet to leave your network but block any traffic that was not initiated from your network from entering it.


14. Now that we have successfully configured the basic settings in pfSense, we will make a couple more changes to personalize your pfSense installation. First, let's start with the self-signed security certificate. As you remember from step 2, the pfSense security certificate only contained the IP address of your pfSense firewall and no other identifying information. We will now configure the security certificate with that identifying info, which is useful if you decide to configure VPN access in the future and allow others to connect to your or your client's network through the pfSense firewall.

From the pfSense menu, select System | Cert Manager to access pfSense System Certificate Authority Manager application.


15. Configure pfSense as a trusted Certificate Authority – Ensure the “CA” tab is selected and click on the “+” to create the CA.

16. From the “Method” pull down, select “Create an internal Certificate Authority” and complete the following fields, pressing the “Save” button when finished.

Descriptive Name:
Enter a name for CA

Method:
Create an internal Certificate Authority

Key length:
Keep at default (2048) bits

Lifetime:
Keep at default (3650) days

Country Code:  
Change to your country

State or Province:
Enter your State or Province

City:
Enter your City

Organization:
Enter what you would want to display as the organization that the pfSense firewall belongs to. This could be a business name, household name or any other name you would like to display in the security certificate.

Email Address:
Enter the email address that others can write to if they have questions about the security certificate.

Common Name:
Enter a name for the CA security certificate.


17. Your pfSense firewall should now be configured as a trusted Certificate Authority.
18. Next we will configure the internal certificate. Click on the “Certificates” tab and then select “Create an internal Certificate” from the Method drop down box. Many of the fields will automatically be filled in from what was entered in the CA tab. Just complete the following fields:

Descriptive name:
Enter a name to describe the security certificate you are creating.

Certificate Type:
From the drop down menu, select “Server Certificate”

Common Name:
Enter the name of your firewall and domain i.e. firewall.mynetwork.com. If you or your client have a domain that will point to the firewall such as a static or dynamic DNS name, you can type that domain name here.

Press the "Save" button to save changes. 


19. Two security certificates should now be displayed under the “Certificates” tab: one that was created during the installation of pfSense and the one you just created. Currently only the security certificate created during the installation of pfSense is in use by the webConfigurator.

20. Next we will change pfSense to use the new security certificate we created for the webConfigurator. From the “System” menu, select “Advanced”.


21. The System: Advanced screen should now be displayed. On the “Admin Access” tab, find the following settings:

Protocol:
Ensure “HTTPS” is selected

SSL Certificate:
In the drop down menu, change the SSL certificate to the internal certificate made in the previous steps.

TCP port:
Change the port to 445. The port is changed from the standard 443 to 445 to free up port 443 for future use. Hint: VPN connections on port 443 are sure to be allowed out from anywhere you may be when on the road, if you later decide to configure remote VPN access.

Secure Shell Server:
Enable Secure Shell. This allows for remote console access to your firewall.

Press the "Save" button to save changes.

22. Once you save the changes in the System: Advanced - Admin Access tab, pfSense will reissue the security certificate, causing your browser to display the Security Certificate Warning again. This is to be expected since we configured pfSense to use the new security certificate we created, except that this time, if you look at the details of the security certificate, it should display the identifying information contained in the new security certificate.
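As an added example (not pfSense's own code), the Python script below drives the openssl command line to build the same two objects that steps 16 and 18 create: an internal CA with a 2048-bit key and 3650-day lifetime, then a server certificate signed by it. It then checks the chain and prints the subject, issuer and fingerprint that a browser's certificate details will show. It assumes the openssl binary is installed; the subject values, the hostname firewall.mynetwork.com and the function names are placeholders for this example. One addition the wizard screens above don't mention: current browsers match the hostname against a subjectAltName entry, so the script adds one matching the Common Name.

```python
"""Added example, not pfSense's own code: build the internal CA (step 16) and
the CA-signed server certificate (step 18) with the openssl command line, then
verify the chain and show what the browser's certificate details contain.
Assumptions: openssl is installed; subject values and hostname are placeholders."""
import shutil
import subprocess
from pathlib import Path

# Placeholder identifying fields, matching the Cert Manager form in step 16.
CA_SUBJECT = ("/C=US/ST=Example State/L=Example City/O=Basement PC Tech"
              "/emailAddress=admin@example.com/CN=Basement PC Tech CA")
KEY_BITS, LIFETIME_DAYS = 2048, 3650          # the wizard's defaults


def openssl_available():
    """True when the openssl binary is on PATH."""
    return shutil.which("openssl") is not None


def _openssl(*args, check=True):
    return subprocess.run(["openssl", *args], check=check, capture_output=True, text=True)


def make_firewall_certs(outdir, common_name):
    """Create ca.crt/ca.key (step 16) and server.crt/server.key (step 18) in outdir."""
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    # Step 16: self-signed internal CA with the identifying fields filled in.
    _openssl("req", "-x509", "-newkey", f"rsa:{KEY_BITS}", "-nodes", "-sha256",
             "-days", str(LIFETIME_DAYS), "-subj", CA_SUBJECT,
             "-keyout", str(out / "ca.key"), "-out", str(out / "ca.crt"))
    # Step 18: server certificate request carrying the firewall's name as CN.
    server_subject = f"/C=US/ST=Example State/L=Example City/O=Basement PC Tech/CN={common_name}"
    _openssl("req", "-new", "-newkey", f"rsa:{KEY_BITS}", "-nodes", "-sha256",
             "-subj", server_subject,
             "-keyout", str(out / "server.key"), "-out", str(out / "server.csr"))
    # Browsers match the hostname against subjectAltName, so add it beside the CN.
    (out / "server.ext").write_text(
        f"extendedKeyUsage=serverAuth\nsubjectAltName=DNS:{common_name}\n")
    _openssl("x509", "-req", "-in", str(out / "server.csr"), "-CA", str(out / "ca.crt"),
             "-CAkey", str(out / "ca.key"), "-CAcreateserial", "-sha256",
             "-days", str(LIFETIME_DAYS), "-extfile", str(out / "server.ext"),
             "-out", str(out / "server.crt"))
    return out / "ca.crt", out / "server.crt"


def verify_chain(ca_cert, server_cert):
    """True when server_cert chains to ca_cert, as a browser trusting that CA requires."""
    result = _openssl("verify", "-CAfile", str(ca_cert), str(server_cert), check=False)
    return result.returncode == 0


def certificate_summary(cert):
    """Subject, issuer and SHA-256 fingerprint: the fields the browser warning shows."""
    text = _openssl("x509", "-in", str(cert), "-noout", "-subject", "-issuer",
                    "-fingerprint", "-sha256").stdout
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


if __name__ == "__main__":
    import sys
    import tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp()
    ca, server = make_firewall_certs(target, "firewall.mynetwork.com")
    print("chain verifies:", verify_chain(ca, server))
    for key, value in certificate_summary(server).items():
        print(f"{key}: {value}")
```

Importing the CA certificate (the CA export from pfSense's Cert Manager, or ca.crt here) into the browser's trust store makes the warning in step 22 disappear for that hostname. Until then, the check to make is comparing the fingerprint the browser displays with the one openssl x509 -fingerprint prints for the certificate exported from pfSense.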


23. You may also notice that pfSense now has an alert displayed in the upper right hand corner of your screen. The alert is to notify you that pfSense has created the keys required for your SSH communication. This is the result of enabling the Secure Shell Server option on the System: Advanced - Admin Access tab. Click the alert to acknowledge the change and the alert should disappear.


24. One additional change that I recommend, but that is not required for pfSense to work, is to configure pfSense to show log entries in reverse order (newest entries on top). This is really convenient when you're looking at a log that may be very long; you save time by not having to scroll to the bottom to see the latest events.

From the menu select “Status” and then “System Logs”.


25. Once on the Status: System Logs screen, select the “Settings” tab, enable the “Show log entries in reverse order (newest entries on top)" option and click the “Save” button at the bottom of the page.

26. CONGRATULATIONS -- You have now completed the Basement PC Tech basic pfSense firewall setup. Your pfSense installation should be up and running, and by selecting the “Firewall” tab while you are still in the “Status” section you will be able to see all the Internet traffic that is being denied and logged by pfSense: traffic that is no longer allowed to enter your or your client's network without authorization.

Saturday, February 4, 2012

How to Install pfSense



 pfSense Basic Install and Setup

pfSense is a FreeBSD LINUX distribution that has been customized to be used as a firewall and router. It's a pretty powerful firewall that has many of the same features found in commercial firewalls but is supported by the open source community under the General Public License (GPL), which makes it free for all to use. As with many LINUX distributions, pfSense does not take much to run. The minimum hardware requirements to use pfSense are a computer with the following:

CPU – 100 MHz Pentium

RAM – 128 MB

CD-ROM for initial installation

1 GB hard drive

Two Network Interface Cards

This blog posting will serve as a basic tutorial for a Basement PC Tech to use as a guide to install pfSense as a basic firewall to be used on your or your client's network.

Get pfSense

  1. Download the latest version of pfSense (Version 2.0.1 was used for this tutorial)
  2. Using your favorite CD burning software, burn the pfSense ISO to CD.

Install pfSense



  1. Boot your chosen PC with the pfSense CD. You will be presented with the "Welcome to pfSense!" screen. For our basic install of pfSense, you can press [Enter] for the default option.
  2. Press the “I” key to invoke the installer.
  3. If you can see the "Configure Console" screen, chances are there aren't any changes you need to make to the console. Press the Down arrow on your keyboard to highlight the “<Accept these Settings>” option and press [Enter].
  4. On the “Select Task” window, select “<Quick/Easy Install>” and press [Enter].
  5. At the “Are you SURE?” screen, confirm your decision to install pfSense by highlighting the “< OK >” option and pressing [Enter]. Any data currently on the first hard drive of the system will be destroyed in order to install pfSense.
  6. Take a break :) - It can take up to 10 minutes for pfSense to finish this stage of the install depending on your hardware. pfSense is formatting your drive and copying the software to your system.
  7. At the “Install Kernel(s)” screen, ensure “< Symmetric multiprocessing kernel (more than one processor) >” is highlighted and press [Enter].
  8. At the “Reboot” screen, remove the pfSense CD and ensure that “< Reboot >” is highlighted and press [Enter].
  9. After the system reboots, you will be presented with the initial “Welcome to pfSense!” menu. Press [Enter] to select the default.
    Note: This is the default action of pfSense; if no key is pressed before the pause timer reaches 0, the default boot profile will be used.
  10. During the boot phase of pfSense, the detected network interface cards that can be used by pfSense will be displayed.
    Note: If you do not see all your network cards listed, press the [CTRL - C] keys to end the setup script and then select option “6” (Halt system). After the system shuts down, confirm that your network interface cards are properly seated and/or working. After you have remediated the issue with the network interface cards, boot pfSense and repeat step 9 and forward of this tutorial.
  11. Since this is a basic setup of pfSense, we will not be configuring a “VLAN”, so type “n” and press [Enter].
  12. From the list of valid interfaces found by pfSense, type the name of the network interface card that will be connected directly to the Internet (cable modem, DSL, etc.).
  13. From the list of valid interfaces found by pfSense, type the name of the network interface card that will be connected to your internal network. This will serve as your “LAN” interface. Repeat this step for each additional network interface card listed as a valid interface by pfSense that will be used by the firewall, i.e. wireless, DMZ, etc. Once you are finished, press [Enter] to select nothing and move to the next step of the setup.
  14. Confirm that you have selected the correct network interface cards for each interface on your firewall, then type “y” and press [Enter].
  15. Once you have completed this initial setup, you will be presented with the pfSense console menu. Your firewall is now up and running. We have finished all configuration steps required to be done from the pfSense console. You can actually disconnect the monitor and keyboard from the system (as an added security precaution), as all other configuration will be done via the web console. (See The "webConfigurator" - pfSense basic setup part 2)

Thursday, February 2, 2012

Free Firewalls


As a Basement PC Tech (BPCT), your friends and clients expect you to assist them not only with their mysterious computer issues but also to help them protect themselves from the evils of the world. In a previous blog (Free Anti-Virus Software for EVERYONE!!!!) I provided a list of free anti-virus applications that could be used by your clients and friends as a security defense against malicious code (malware) that may try to exploit their systems. In this blog I will review what I believe to be the first line of defense when it comes to protecting computers on your and your clients' networks – FIREWALLS.

What is a firewall?

According to Wikipedia:

Firewall may refer to:

  • Firewall (construction), a barrier inside a building or vehicle, designed to limit the spread of fire, heat and structural collapse
  • Firewall (automobile), the part of the vehicle that separates the engine from the driver and passengers
  • Firewall (computing), a technological barrier designed to prevent unauthorized or unwanted communications between computer networks or hosts

All three definitions can be summed up to one definition: A firewall is a barrier designed to protect you from a danger on the other side.

Many users may be familiar with the firewall that is part of the Windows operating system. This is what is considered a host-based firewall: a firewall installed on the host to prevent certain traffic from reaching or leaving your computer system. Most commonly, firewalls are placed at the border of a network to prevent unwanted communications from entering the network from what are considered less secure networks.

During the infancy of the Internet, large organizations such as corporations, educational institutions or the Government were the only entities that could afford a firewall, had the required skills to configure one correctly and had the need for one. Large organizations were the only entities that had direct connections to the Internet. Consumers at this time were just learning about the Internet and connecting to it via dial-up.

Now times have changed, and with the introduction of broadband Internet access, large organizations are not the only ones that have a constant connection to the Internet or the only ones that need to protect themselves from the dangers of the Internet.

I'm surprised at the number of people I discover that do not have a network firewall. Although Windows has a firewall embedded in the operating system which may deflect an attack on your computer system, why let an attacker or malicious traffic get that close to your system? What is protecting all the other items you may have connected to your network, such as game consoles, burglar alarm systems, smart TVs and DVD players?


A network firewall is your network's first line of defense for fending off attackers and preventing malicious traffic from entering your network.


In future blogs I will cover many of these free software-based network firewalls that you as a BPCT can utilize on your and your clients' networks. The following list contains some of the most popular firewall distributions out on the Internet.

List of Free Firewall Distributions

Endian Firewall – Community Edition http://www.endian.com/us/community/download/
m0n0wall http://m0n0.ch/wall/downloads.php
PfSense Firewall http://www.pfsense.org/index.php?option=com_content&task=view&id=58&Itemid=46
SmoothWall Express http://www.smoothwall.org/get/
IPCop Firewall http://www.ipcop.org/download.php
untangle http://www.untangle.com/
ClearOS http://www.clearfoundation.com/
Astaro Security Gateway – Free Home Use Firewall http://www.astaro.com/landingpages/en-worldwide-homeuse