
Neither hardware nor software firewalls stopped a breach in my network. What more should I be doing?

I had a security breach when hackers hacked into my network. I had a similar problem before but was able to manage it by putting in a hardware firewall and removing the software firewall. Unfortunately, the problem persists. What can I do?
From the information provided by you, it's hard to find the exact cause of the problem. Also, you have not mentioned the techniques you tried. It takes more than a firewall to secure a network infrastructure.

The very first step in preventing network security incidents is to identify the threats and put controls in place to prevent them from happening. Some of the important factors you should consider are:

  • At a very basic level, scan your network for potential entry points. Remove or disable any unneeded devices.
  • Check for any newly added network devices and verify configuration.
  • Check your router/firewall configurations, most importantly the routing information. Check to see if any modifications have been made since your last good configuration.
  • Make sure your firewall/router is blocking ICMP pings originating externally. It's a known fact that most of the attacks tunnel through the protocol's echo reply. Also, block outgoing ICMP pings, lest your network be an accessory in a distributed denial-of-service attack.
  • Logs are your best friends. Turn on logging on potential network points. They provide a good amount of information in detecting problems.
  • Use tools like port scanners and network monitors to monitor network traffic and ports. Make sure only required ports are open and listening to trusted addresses.
  • Search for activities that are hallmarks of attacks. For example: a malicious script can scan the network logs on a machine and then block any randomly chosen network addresses.
  • Intrusion detection system: Make sure it conforms to expected parameters and isn't hiding distributed denial-of-service attacks.
  • Watch for evidence of port scanning in your logs.
  • Web servers are one of the areas of concern. Studies have shown that many a time it's the web server that acts as the door for a hacker's entry inside the network. I would advise you to visit the W3C site for updated information on securing a web server.
  • The rising numbers of virtual private networks, extranets and intranets have created more access points for hackers. The concept of a single point of entry into your network is long gone. An exposed vulnerability in any of these can wreak havoc.
  • Make sure that the application code is reviewed before it's put on the website. Eliminate any vulnerability that a hacker can exploit.
  • I would also advise you to get network penetration and auditing done by some professional security group.

Hope the above helps you in finding some answers to your problem. If you can send me some more information on your current network setup, I might be able to help you better.
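As an added example that is not part of the original answer: a small Python script that applies two of the checks listed above (watch for evidence of port scanning in your logs, and confirm that externally originating ICMP pings are actually being blocked) to firewall log lines. The log format is an assumed netfilter/iptables-style syslog line; the sample lines, the "internal" network 192.0.2.0/24, and the window/threshold values are all constructed for illustration.

```python
"""Flag port-scan and inbound-ICMP-echo activity in firewall log lines.

Added example, not from the original answer. The log format is an assumed
netfilter/iptables LOG-target style syslog line; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Assumed format: "<Mon DD HH:MM:SS> <host> kernel: <ACTION> KEY=VALUE ..."
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: (?P<action>\w+) "
    r"(?P<fields>.*)$"
)
FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample data: one host probing ten ports in a few seconds, one
# benign client, and two ICMP echo requests (TYPE=8) from an external host,
# one of which the firewall accepted (the rule the answer recommends is not
# doing its job for that one).
SAMPLE_LOG = """\
Feb 12 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=21
Feb 12 10:00:01 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=22
Feb 12 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
Feb 12 10:00:02 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
Feb 12 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=80
Feb 12 10:00:03 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=110
Feb 12 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=143
Feb 12 10:00:04 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=443
Feb 12 10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=3389
Feb 12 10:00:05 fw kernel: DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=8080
Feb 12 10:00:07 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=443
Feb 12 10:05:00 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP DPT=80
Feb 12 10:00:09 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
Feb 12 10:00:10 fw kernel: DROP IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line):
    """Return a dict of one log line's fields, or None if the line doesn't match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    # Syslog timestamps carry no year; strptime defaults to 1900, which is fine
    # for ordering events within one file (assumption: no year rollover).
    fields["ts"] = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
    fields["action"] = m.group("action")
    return fields


def detect_port_scans(events, window_s=60, threshold=8):
    """Flag sources that hit >= threshold distinct destination ports within
    any window_s-second sliding window (illustrative values)."""
    by_src = defaultdict(list)
    for e in events:
        if "DPT" in e:
            by_src[e["SRC"]].append((e["ts"], int(e["DPT"])))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()  # lines may be out of order; sort by timestamp
        best, best_ts, start = 0, None, 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            distinct = len({port for _, port in hits[start:end + 1]})
            if distinct > best:
                best, best_ts = distinct, hits[start][0]
        if best >= threshold:
            alerts.append({"src": src, "distinct_ports": best, "window_start": best_ts})
    return alerts


def find_inbound_echo_requests(events, internal_nets):
    """Return ICMP echo requests (TYPE=8) from outside internal_nets, split by
    whether the firewall accepted or dropped them. Any ACCEPT here means the
    'block externally originating pings' rule is not in effect."""
    result = {"accepted": [], "dropped": []}
    for e in events:
        if e.get("PROTO") != "ICMP" or e.get("TYPE") != "8":
            continue
        if any(ip_address(e["SRC"]) in net for net in internal_nets):
            continue
        key = "accepted" if e["action"] == "ACCEPT" else "dropped"
        result[key].append(e["SRC"])
    return result


def analyse(log_text, internal_nets=(ip_network("192.0.2.0/24"),)):
    """Run both checks over a block of log text and return a report dict."""
    events = [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]
    return {
        "port_scans": detect_port_scans(events),
        "external_echo": find_inbound_echo_requests(events, internal_nets),
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    for a in report["port_scans"]:
        print(f"possible port scan from {a['src']}: {a['distinct_ports']} ports "
              f"starting {a['window_start']:%H:%M:%S}")
    for src in report["external_echo"]["accepted"]:
        print(f"external ICMP echo request from {src} was ACCEPTED: check the firewall rule")
```

On the sample data this reports one probable scan (203.0.113.7, ten distinct ports in under five seconds) and one accepted external echo request from 203.0.113.9; the benign client 198.51.100.4 is not flagged because its two connections are minutes apart. Tune the window and threshold to your own traffic before relying on it, and feed it the real log format your firewall emits rather than the assumed one here.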

This was last published in February 2004
