Need Firewall/Hacker Advice

By mmbarreca
We are running 2 networks (not connected to each other) and the back network is connected to a T1 line with no firewall. There is one PC that, from time to time, drains the resources of the rest of the PCs connected to the T1. Today, someone took control of this PC and opened the Command prompt. The transcriptionist on this PC quickly cut power to her PC since she no longer had control of her mouse or keyboard.

Our "boss" states that the firewall should be provided by the T1 service but I don't think this is true. I don't know what kind of hacker was on the transcriptionist's PC or why her PC seems to be the point of entry but this is not the first time that she's lost control of her PC to what appears to be a hacker.

I have no experience with installing and configuring a firewall and have come across conflicting instructions as to how to go about this (since I know the boss won't pay to have someone come in and configure the firewall).

Questions:
1. Does anyone know of a good reference for configuring firewalls?

2. Why would one PC drain the others on the T1 line?

3. Any way around cutting power to stop a would-be hacker?

Thanks!

9 total posts (Page 1 of 1)  
Firewall

by timwalsh In reply to Need Firewall/Hacker Advi ...

Hopefully this isn't just a matter of someone playing a trick on the transcriptionist.

ISPs do not generally provide any sort of firewall service unless you specifically contract for it.

1. The configuration of a firewall is going to depend greatly on the firewall device chosen, or whether you are going to try to create one.

2. The particular PC being hacked was probably the first one that the hacker could easily attack and take over. Bandwidth is not necessarily divided evenly across the network unless you have some sort of bandwidth-throttling capability. If a hacker has access to your network, he may have reconfigured your router to give priority of service (and thus the majority of the bandwidth) to whatever computer he has control of.

3. In short, no. It sounds like this hacker has installed some sort of trojan horse software on this computer that allows him to seize control any time he wishes. Once he seizes control, your only recourse would be to shut the computer down. You need to discover what trojan horse software is being used and eradicate it. Depending on your experience and the resources you have available, your only recourse may be to wipe the drive on this computer and reload from scratch.

If you want/need to discover what data may have been compromised, or who is doing this, you will need the services of someone experienced with computer forensics. These types of services are not cheap. Depending on how badly your network has been compromised, you may need the services of a computer security firm to help regain control. Since it sounds like the hacker has been at it for some time, there is no telling how many other computers he has compromised.

You need to tell the "boss" that he may need to come up with the bucks to do this job correctly (and completely), or risk losing total control of his network and whatever proprietary data is on it.


Just pounding on what tim said

by LordInfidel In reply to Firewall

He is 100% correct. It is *YOUR* responsibility to set up and maintain your own firewall. Not the ISP's.

If I were you, I would take down that connection altogether and keep it off-line until a firewall is put in place.

Also. Any systems that were on that segment should be removed from the network. They ARE compromised.

If you have never set up a firewall I strongly recommend getting someone in who has.

There are plenty of hardware based firewalls out there to choose from. But it takes a knowledge of protocols to set one up correctly and securely.


Answers pt1

by mrafrohead In reply to Need Firewall/Hacker Advi ...

What the gentlemen above state is 100% accurate, but I wanted to also throw in a few cents to the pot.

To answer your questions:

1. http://www.practicallynetworked.com/serving/firewall_config.htm

This is a good place just to start. It will help you to determine what type of hardware you may be interested in pursuing and also how to basically set it up. If you need more advanced type settings, you will more than likely need to hire a Security Expert to come in and do it for you.

2. I don't quite understand what you mean by drain the others on a T1 line. I will assume two scenarios. (1) You are talking about bandwidth. If your computer is being used as a fileserver, per se, you probably have multiple people logged into that machine and your bandwidth is being hogged, which would directly affect all other machines on the network. (2) Actual PC resources, which may be caused by a poorly written trojan/virus that has a leak in it while searching throughout your network.

3. Get yourself a firewall immediately.


pt 2

by mrafrohead In reply to Answers pt1

Personal notes. You need to disconnect all of your machines from the Internet IMMEDIATELY! It is your responsibility to contain this problem. If you do not, you will more than likely aid in affecting others that you don't even know. I recommend purchasing Anti-virus software and installing it on all machines if it is not already done. Then update all machines with the most current definitions. Run a FULL scan on all machines. Verify that you are not compromised further before reconnecting to the net. After your machines have been cleaned, you will NEED to install a firewall. This is YOUR responsibility. NOT your ISP's. Even if your ISP is providing you with a firewall, you STILL WANT TO HAVE YOUR OWN. Don't trust the work of your ISP to secure you. Rely on yourselves to make sure it's done right. As for a firewall, if you are short on money, a very basic Linksys Router will help. For a business, I would recommend something a little more robust, but a router would be a start.

Good luck getting this taken care of.

I am not an expert in this field, but I am willing to help you if you need some. You can e-mail me at Mrafrohead@yahoo.com.

If you do message me, make sure to include this in the subject line or I may ignore it as spam:

******NOT SPAM****** Enter subject line here ******NOT SPAM******

Mrafrohead


Additional----

by LordInfidel In reply to pt 2

While mrafrohead is not an expert in this field..... I am.

Take the machines off-line. And turn off that circuit until you get a firewall.

****, you would be better off taking 1 address out of your subnet and NAT'ing the machines behind it.

A 2K srvr can do this quite easily if you are not familiar with linux.

Unlike maf, I will only reply thru TR.


Interesting, but

by Oldefar In reply to Need Firewall/Hacker Advi ...

You have already received some good advice if that T1 provides the local network with Internet access. I am not going to make that assumption.

A couple of things point to local failure, most likely hardware related. First, the unclarified resource drain - a misbehaving NIC can result in one machine "hogging" the network. This is no longer as common as it once was, but it is still a possibility. Next, the command prompt, no keyboard, no mouse. The mouse won't work in command prompt. The keyboard lock up and command prompt screen sounds like an aborted application. You indicate that it seemed someone had taken control, but knowing if or what was on the screen to indicate this, it sounds more like a lockup. A flaky power supply can be behind both issues.

If the T1 is connected to another of your locations, a little more research is needed. Does that site connect to the Internet? If so, is its connection to the Internet protected with a firewall?

If the T1 is connected to an ASP, how are they protected from cross customer traffic and Internet access? Unlike an ISP who is providing only access to the Internet, an ASP should be isolating their customers as part of the service.


Business Connection means a firewall

by Deadly Ernest In reply to Need Firewall/Hacker Advi ...

If you have a business connection that is linked to the Internet you are placing your entire business and all its data at risk without a firewall that you control, and Network Address Translation (NAT).

The ISP provides a service, just like a phone company. The phone company does not screen your calls or answer your calls; neither does an ISP screen your access.

What quality of firewall will depend upon the importance of the data on the network, and what you can afford. Put it to the boss in this way "How much will it cost us if this system and its data is destroyed or made public?"

Firewalls can cost anywhere from $1,000 up to $40,000 depending upon the quality. Some good routers come with basic firewall facilities and NAT; this may be sufficient for a network that does NOT have critical data. Someone needs to make a business decision.

If your PCs have Win XP they have an inbuilt firewall that would be better than nothing, but it is best as an addition to one at the T1 connection.


Thanks and Clarification

by mmbarreca In reply to Business Connection means ...

Thank you to everyone for your input. The machine in question was removed from the back network, so now it's a matter of making sure that everyone's PC has up to date definitions and a scan, since I know the boss won't remove them from the T1 (and I completely agree with the cost comments - I have made several of those myself but they fall on deaf ears). I will obviously read more about this since part of the confusion was whether a firewall was hardware related or software. The back server is an old Pentium with Novell 4.1 (I believe). I have stressed the importance of a new server to bridge the two networks but that hasn't happened either.

Thanks for all of your help!


Get some security

by Deadly Ernest In reply to Thanks and Clarification

You need to put in some sort of security, here are some low cost options.

Get an inexpensive router with basic firewall and network address translation capability; it will provide you with a major improvement in your security.

Another option would be to rebuild the removed device as a firewall and internet relay using a freeware firewall (maybe use Linux).

Or get a freeware individual firewall and install it on all the machines.
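LordInfidel's suggestion of taking one address and NAT'ing the office behind it, and Deadly Ernest's option of rebuilding the removed machine as a Linux firewall, come down to the same ruleset. The script below is an added example, not code from any poster in the thread: it generates an iptables-restore file with default-deny inbound, stateful replies only, and the LAN masqueraded behind the T1-facing address. The interface names and the subnet are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Generate an iptables-restore ruleset for a Linux box sitting between the
# office LAN and the T1 router: default-deny inbound, stateful replies,
# every LAN host hidden behind the single WAN address (NAT).
# Interface names and subnet are example assumptions, not from the thread.

gen_firewall_rules() {
    wan_if="$1"    # interface facing the T1 router, e.g. eth0
    lan_if="$2"    # interface facing the office LAN, e.g. eth1
    lan_net="$3"   # office subnet, e.g. 192.168.1.0/24
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback, and replies to connections the firewall itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# administer the firewall over SSH from the LAN side only
-A INPUT -i $lan_if -s $lan_net -p tcp --dport 22 -j ACCEPT
# LAN may open connections to the Internet; the Internet may only answer
-A FORWARD -i $lan_if -o $wan_if -s $lan_net -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# log (rate-limited) what the default-deny discards so probes stay visible
-A INPUT -i $wan_if -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-IN: "
-A FORWARD -i $wan_if -m limit --limit 5/min -j LOG --log-prefix "FW-DROP-FWD: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# rewrite outbound LAN traffic to the WAN address (the "one address" NAT)
-A POSTROUTING -o $wan_if -s $lan_net -j MASQUERADE
COMMIT
EOF
}

# Usage (as root on the firewall box, after checking the generated file):
#   gen_firewall_rules eth0 eth1 192.168.1.0/24 > /etc/firewall.rules
#   sysctl -w net.ipv4.ip_forward=1 && iptables-restore < /etc/firewall.rules
```

Unsolicited inbound traffic from the T1 side never reaches a LAN host, and the LOG lines give the first record of anyone probing the connection.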
