E-Commerce and E- Governance

Lecture 8
JIT
E-Security
Just-In-Time Manufacturing:
A Definition
 Just-In-Time Manufacturing:
A Definition
• Uses a systems approach to develop and operate a
manufacturing system
• Organizes the production process so that parts are
available when they are needed
• A method for optimizing processes that involves
continual reduction of waste
E-Security
Information System Security

1. Any business, whether it is a traditional brick-and-mortar business, a brick-

and-click a pure-play e-business, needs to be concerned about network security.

2. The Internet is a public network consisting of thousands of private computer

networks connected together. This means that a private computer network
system is exposed to potential threats from anywhere on the public network.

3. Protection against these threats requires businesses to security measures in

place. In the physical world, crimes often leave evidence finger prints,
footprints, witnesses, video on security cameras and so on.
As seen in Figure 5.1 the goals of security are:

1.Integrity of the data sent and received.

2.Confidentiality of the data so that it is not accessible to others.

3.The data ought to be available to the people for whom it is meant.

 As shown in Figure 5.2, the data sent from the source ought to reach in
destination without any tampering as shown in Figure 5.2(a). But the above
criteria shown in Figure 5.2(a) may be violated by the following:

•Interrupt the data and cut it off as shown in Figure 5.2(b).

•Intercept the data with the intent of spying on it as shown in Figure 5.2(c).

•Interrupt the data and modify it and send a different data to the receiver as
shows in Figure 5.2(d).

•Obstruct the data and fabricate new data and send it to the receiver as shown
in Figure 5.2(e).
Encryption

Software Controls (access limitations in a data base, in operating system

protect each user from other users)

Hardware Controls (smartcard)

Policies (frequent changes of passwords)

Physical Controls

 Additionally, e-businesses must protect against the unknown. New

methods of attacking networks and websites and new network security
holes are being discovered with disturbing frequency.

By carefully planning its network and website security system, an e-

business can protect itself against many known and as yet unknown
threats. An e-business must always inaction be prepared for network and
website attacks, or risk the loss of assets.
 Another very important reason to protect an e-business network and website is to
protect the e-business's relationships with its customers.

 Many Internet users perceive that there is a large risk to their privacy and
security when they buy products and services or submit personal information online.

Although the perception of risk may be greater than the actual risk, it is still a
cause for concern. An e-business must address customers' perceived shown risks just as
much as any actual risks.

An e-business cannot expect to achieve perfect security for its network
and website. own in The important issue for an e-business is to have adequate
security to protect its assets, revenue stream, customer privacy, and its own
reputation.

 Determining adequate security depends on an individual e-business's

situation. For example, a website providing information protect on flavors of dog
food may not require the same level of security as an online banking website.
An e-business must determine its security needs according to the risks involved,
the value of the assets at risk, and the cost of implementing a security system.
 Security on the Internet.

Network administrators have increasing concerns about the security of their networks
when they expose their organization's private data and networking infrastructure to Internet
crackers.

To provide the required level of protection, an organization needs a security

policy to prevent unauthorized users from accessing resources on the private network
and to protect against the unauthorized export of private information.

Even if an organization is not connected to the Internet, it may still want to

establish an internal security policy to manage user access to certain portions of the
network and protect sensitive or secret information.

The fundamental problem may be that the Internet was not designed to be very
secure, i.e. open access 1for the purposes of research was the prime consideration at
the time the Internet was implemented.

However, the phenomenal success of the Internet, combined with the

introduction of different types of users, including unethical users, has aggravated
existing security deficiencies to the extent that wide-open Internet sites risk inevitable
break-ins and resultant damages. Other factors include the following:
•Vulnerable TCP/IP services. A number of the TCP/IP services are not secure and
can be compromised by knowledgeable intruders; services used in the local area
networking environment for improving network management are especially vulnerable.

•Ease of spying and spoofing. A majority of Internet traffic is unencrypted; e-mail,

passwords, and file transfers can be monitored and captured using readily-available
software. Intruders can then reuse passwords to break into systems.

•Lack of policy. Many sites are configured unintentionally for wide-open Internet
access, without regard for the potential for abuse from the Internet; many sites permit
more TCP/IP services than they require for their operations, and do not attempt to limit
access to information about their computers that could prove valuable to intruders.

•Complexity of configuration. Host security access controls are often complex to

configure and monitor; controls that are accidentally misconfigured often result in
unauthorized access.
 Security risks associated with a network and a website can be addressed in some
ways as follows:

Network and Website Security Risks

As part of planning a startup e-business' security, management should become

familiar with network and web server security risk terminology. Originally, hacker was
a term used to describe gifted software programmers.

Today, hacker is a slang term used to refer to someone who deliberately gains
unauthorized access to individual computers or computer networks.

Ethical hackers use their skills to find weaknesses in computer systems and make them
known, without regard for personal gain.

An e-business must protect itself against unauthorized access to its computer network,
denial-of-service traffic overloads, and the intrusion of destructive viruses.
 Denial-of-Service Attacks

A Denial-of-Service or DoS attack is an attack on a network that is designed to disable

the network by flooding it with useless traffic or activity.

While a DoS attack does not do any technical damage, it can do substantial financial
damage to an e-business, because every second an e-business's network or a website is down,
it may result in lost revenues.
The attacker first breaks into hundreds or thousands of random, insecure computers on
the Internet and installs an attack program.

Then he coordinates them all to attack the target simultaneously. Thereafter, the target is
attacked from many places at once; the traditional defences just do not work, and the system
crashes.
Viruses

Viruses are the most common security risk faced by e-businesses today. A virus is a small
program that inserts itself into other program files that then become "infected", just as a
virus in nature embeds itself in normal human cells.

 The virus is spread when an infected program is executed, and this further infects other
programs. Examples of virus effects include inability to boot, deletion of files or entire hard
drives, inability to create or save files, and thousands of other possibilities.

 A logic bomb is a virus whose attack is triggered by some event such as the date on
a computer's system clock. A logic bomb may simply release a virus or it may be a
virus itself. Viruses are generally introduced into a computer system via e-mail or by
unauthorized network access.
 Trojan horse

1. It appears to do something useful or entertaining but actually does

something else as well, such as destroying files or creating a "back door"
entry point to give an intruder access to the system.

2. A Trojan horse may be an e-mail in the form of attachment or a

downloaded program.

Worm.

 This is a special type of virus that does not directly alter program files.
Instead, a worm replaces a document or an application with its own code
and then uses that code to position itself.

 Worms are often not noticed until their uncontrolled replication consumes
system resources and slows down or stops the system
 How Vulnerable Are The Internet Sites?

The Internet, while being a useful and a vital network, is at the same time
vulnerable to attacks. Sites that are connected to the Internet face significant risk in
some form by intruders. The following factors would influence the level of risk:

•Number of systems connected to the site

•Services utilized by the site
•Interconnectivity of the site to the Internet
•Site's profile, or how well-known the site is
•Site's readiness to handle computer security incidents.

The more the number of systems that are connected, obviously the harder it is
to control their security.

Equally, if a site is connected to the Internet at several points, it is likely to be

more vulnerable to attacks than a site with a single gateway.

At the same time, though, how well prepared a site is, and the degree to which
the site relies on the Internet, can increase, or decrease the risk.
 Website Defacement

Website vandalism or defacement can be the result of a hacker

breaking into a network, accessing the website files, and modifying the
HTML to physically change Web pages.

Not only do website defacements embarrass an e-business, but some

website defacements can have serious financial repercussions.

Electronic Industrial Espionage

It is a major risk and a big dollar issue that most companies are reluctant
to discuss openly­electronic industrial espionage.

Often, e-businesses that have been hacked and had business secrets
stolen are too embarrassed to admit the break-in.
Credit Card Fraud and Theft of Customer Data

Almost all B2C purchase transactions involve credit cards. An e-business

that accepts credit cards in payment for goods and services, must secure
the credit card information in transit to its website, and it must secure stored
credit card information.

Also, systems must be in place for credit card transaction authentication

(verifying that the person placing the order really is the holder of the credit
card used in the transaction), and credit card authorization (verifying that
the charge can be made to the card number).

A hacker can break into a database server and steal thousands of credit
card numbers and other information in a matter of moments, and an e-
business might not even recognize that the hacker was there.
 Security and E-mail

E-mail users who desire confidentiality and sender authentication use

encryption. Encryption is simply intended to keep personall thoughts personal.
There are two good programs to encrypt e-mails and they are: Pretty Good Privacy
(PGP), and Privacy Enhanced Mail (PEM).

E-mail is typically encrypted for the reason that all network correspondence is
open for eavesdropping.
Privacy Enhanced Mail Standard

PEM is the Internet Privacy Enhanced Mail standard, designed, proposed, but
not yet officially adopted by the Internet Activities Board, to provide secure
electronic mail over the Internet.

Designed to work with current Internet e-mail formats, PEM includes

encryption, authentication, and key management, and allows use of both public-
key and secret-key crypto-systems.

The system supports multiple cryptographic tools: for each mail message, the
specific encryption algorithm, digital signature algorithm, hash function and so
on, are specified in the header.

PEM explicitly supports only a few cryptographic algorithms; others may be

added later. It uses the DES algorithm for encryption and the RSA algorithm for
sender authentication and key management.

 PEM also provides support for non-repudiation, which allows the third-party
recipient of a forwarded message to verify the identity of the message originator
(not just the message forwarder) and to verify whether any of the original text has
been altered.
Pretty Good Privacy (PGP)

Pretty Good Privacy (PGP) is the implementation of public-key cryptography

based on RSA. It is a free software package developed by Phillip Zimmerman,
that encrypts e-mail.

Since being published in US as freeware in June 1991, PGP has spread

rapidly and has since become the de facto worldwide standard for encryption of
e-mail.

The process is so simple that anyone with a PC can do it with almost no effort.
For authentication, PGP employs the RSA public-key encryption scheme and the
MD5 (Message Digest version 5) developed by Rivest, a one-way hash function
to form a digital signature that assures the receiver that an incoming message is
authentic (that it comes from the alleged sender and that it has not been altered).
 Network and Website Security

The best way to recognize when a hacker is attempting unauthorized network

access is to monitor network performance. Setting up, logging, and monitoring
established network reference points, called benchmarks, can alert an e-business to
security problems.

A skilled system administrator and other well-trained technicians, who use

these benchmarks to monitor and manage the network and servers, are critical.
Other tools such as passwords, firewalls, intrusion detection systems, and virus
scanning software should be used to protect an e-business' network and website.
A password is a code, or more often a common word, used to gain access to a
computer network.

Passwords are only effective when used properly. Often a computer user
chooses a bad password, such as a short, common word-a name, or birthday-so that
the user can remember the password easily.

One way hackers penetrate network security is by using software that

"guesses" a password by trying millions of common words until one of the words is
accepted.
 Passwords that require a minimum length of six characters in a mix of
letters and numbers increase the number of potential passwords into billions and
make it more difficult for a hacker to guess them.

A computer user should also change passwords regularly. If a user has

access to multiple systems, it is a good idea to have different passwords on
each system.

A firewall is a software or a hardware used to isolate and protect a private

system or a network from the public network.

A firewall provides an easy-to-manage entry point to multiple systems

behind it. Firewalls can control the type of information that is allowed to pass
from the public network to the private network, as well as what services inside
the firewall are accessible from the outside.
 Businesses can install intrusion detection systems that monitor the
network for real-time intrusions and respond to intrusions in a variety of user-
detected ways.

An intrusion detection system can defend a website against DoS attacks
by adding more servers to increase the traffic the website can handle, by
using filters and routers to manage traffic, and by having a backup plan to
reroute legitimate traffic during an attack.

Cisco's Secure Intrusion Detection System, and Network ICE's ICEpac

Security Suite are two examples of intrusion detection systems.

Virus scanning software, including e-mail virus scanning, should be

installed on all network computers. Antivirus software should be kept updated.
Communication ports should be used to allow data to enter and exit the
network.

The system administrator should close all unused communication ports.

Up-to-date security patches for operating systems should be installed as soon
as the patches are available, to prevent hackers from exploiting built-in
system weaknesses.
 Transaction Security and Data Protection
Transaction security, especially for credit card transactions, and the protection
of customer data are as important as website and network security. Tools to protect
transaction data and customer data include:

•Using a predefined key to encrypt and decrypt the data during transmission;

•Using the Secure Sockets Layer (SSL) protocol to protect data transmitted over
the Internet. SSL provides encryption of data between the browser on the
customer's computer and the software on the Web server, allowing data such as
credit card­information to be transmitted securely. SSL uses digital certificates so
that a Web browser can authenticate the server it is connected to, making sure that
credit card data is going to the appropriate server;

•Moving sensitive customer information such as credit card numbers offline, or

encrypting the information if it is to be stored online;

•Removing all files and data from storage devices, including disk drives and
tapes, before getting rid of the devices; and

•Shredding all hard-copy documents containing sensitive information before

trashing them.
should also consider having its security systems tested or audited.
 E-business Risk Management Issues

An e-business should manage its e-business risks as a business issue, not just as a
technology issue. An e-business must consider the direct financial impact of immediate
loss of revenue, compensatory payments, and future revenue loss from e-business risks
such as:

•Business interruptions caused by website defacement or denial-of-service attacks;

•Litigation and settlement costs over employees' inappropriate use of e-mail and the
Internet;
•Product or service claims against items advertised and sold via a website;
•Web-related copyright, trademark, and patent infringement lawsuits; and
•Natural or weather-related disasters.

An e-business should put in place an effective risk management program that
includes the following:

•Network and website security and intruder detection programs

•Antivirus protection
•Firewalls
•Sound security policies and procedures
•Employee education.
 The Firewall Concept

An Internet firewall is a system or group of systems that enforces a security

policy between an organization's network and the Internet.

The firewall determines which inside services may be accessed from the outside,
which outsiders are permitted access to the permitted inside services, and which
outside services may be accessed by insiders.

 For a firewall to be effective, all traffic to and from the Internet must pass
through the firewall, where it can be inspected.

The firewall must permit only authorized traffic to pass, and the firewall itself must
be immune to penetration. Unfortunately, a firewall system cannot offer any protection
once an attacker has got through or around the firewall.

It is important to note that an Internet firewall is not just a router, a bastion host,
or a combination of devices that provides security for a network.

 The firewall is part of an overall security policy that creates a perimeter defense
designed to protect the information resources of the organization.
 This security policy must include published security guidelines to inform
users of their responsibilities; corporate policies defining network access,
service access, local and remote user authentication, dial-in and dial-out,
disk and data encryption, and virus protection measures and employee
training.

 All potential points of network attack must be protected with the same
level of network security. Setting up an Internet firewall without a
comprehensive security policy is like placing a steel door on a tent.

A firewall is an approach to security. It helps implement a larger

security policy that defines the services and access to be permitted, and it is
an implementation of that policy in terms of a network configuration, one or
more host systems and routers, and other security measures such as
advanced authentication in place of static passwords.

 The main purpose of a firewall system is to control access to or from a

protected network, i.e. a site. It implements a network access policy by
forcing connections to pass through the firewall, where they can be
examined and evaluated.
 A firewall system can be a router, a personal computer, a host, or a
collection of hosts, set up specifically to shield a site or a subnet from
protocols and services that can be abused from hosts outside the subnet.

 A firewall system is usually located at a higher-level gateway, such as a

site's connection to the Internet. However, firewall systems can be located at
lower­level gateways to provide protection for some smaller collection of hosts
or subnets.
Protection of Vulnerable Services

A firewall can greatly improve network security and reduce risks to hosts on
the subnet by filtering inherently insecure services.

As a result, the subnet network environment is exposed to fewer risks, since
only selected protocols will be able to pass through the firewall.

For example, a firewall could prohibit certain vulnerable services such as

Network File System (NFS) from entering or leaving a protected subnet.

 This provides the benefit of preventing the services from being exploited by
outside attackers, but at the same time permits the use of these services with
greatly reduced risk of exploitation.

Firewalls can also provide protection from routing-based attacks, such as

source routing, and attempts to redirect routing paths to compromised sites
via Internet Control Message Protocol or ICMP redirects.
A firewall could reject all source-routed packets and ICMP redirects and
then inform administrators of the incidents.

Controlled Access to Site Systems

A firewall also provides the ability to control access to site systems. For
example, some hosts can be made reachable from outside networks,
whereas others can be effectively sealed off from unwanted access.

A site could prevent outside access to its hosts except for special cases
such as mail servers or information servers.

This brings to the fore an access policy that firewalls are particularly
adept at enforcing: do not provide access to hosts or services that do not
require access. If, for example, a user requires little or no network' access
to her desktop workstation, then a firewall can enforce this policy.
 Concentrated Security
A firewall can actually be less expensive for an organization in that all or most
modified software and additional security software could be located on the firewall
systems as opposed to being distributed on many hosts.

 In particular, one-time password systems and other add­ on authentication

software could be located at the firewall as opposed to each system that needed to
be accessed from the Internet.

Enhanced Privacy

Privacy is of great concern to certain sites, since what would normally be

considered innocuous information, might actually contain clues that would be useful
to an attacker.

Using a firewall, some sites wish to block services such as finger and Domain
Name Service. Finger displays information about users, such as their last login time,
whether they have read mail, and other items.

But, finger could leak information to attackers about how often a system is
used, whether the system has active users connected, and whether the system
could be attacked without drawing attention.
 Firewalls can also be used to block DNS information about site systems;
thus, the names and IP addresses of site systems would not be available to
Internet hosts.

Some sites feel that by blocking this information, they are hiding
information that would otherwise be useful to attackers.

Need for Usage Statistics on Network

If all access to and from the Internet passes through a firewall, the firewall
can log accesses and provide valuable statistics about network usage.

 A firewall, with appropriate alarms that sound when suspicious activity

occurs, can also provide details on whether the firewall and network are being
probed or attacked.
It is important to collect statistics about network usage and evidence of
probing for a number of reasons.

Of primary importance is, knowing whether the firewall is withstanding

probes and attacks, and determining whether the controls on the firewall are
adequate. Network usage -statistics are also important as input into network
requirements studies and risk analysis activities.
 Policy Enforcement

Lastly, but perhaps most importantly, a firewall provides the means for
implementing and enforcing a network access policy. In effect, a firewall
provides access control to users and services.

 Thus, a network access policy can be enforced by a-firewall, whereas

without a firewall, such a policy depends entirely on the cooperation of the
users.

A site may be able to depend on its own users for their cooperation.
However, it cannot or it should not depend on the Internet users in general.

Firewall Components

The primary components (or aspects) of a firewall are:

Network policy
Advanced authentication mechanisms
Packet filtering
Application gateways.
The following sections describe each of these components in detail.
Firewall design policy.

The firewall design policy is specific to the firewall. It defines the rules used to
implement the service access policy.

One cannot design this policy in a vacuum isolated from understanding issues
such as firewall capabilities and limitations, and threats and vulnerabilities
associated with TCP/IP. Firewalls generally implement one of the following two
basic design policies:

Permit any service unless it is expressly denied

Deny any service unless it is expressly permitted.

A firewall that implements the first policy allows all services to pass into the site
by default, with the exception of those services that the service access policy has
identified as disallowed.
A firewall that implements the second policy denies all services by default,
but passes those services 'that have been identified as allowed.

This second policy follows the classic access model used in all areas of
information security.
 TABLE 5.3
E-RISK INSURANCE

E-risk insurance Coverage

Computer Virus Protects against losses that occur when employees open infected
e-mail attachments or download virus-laden software.
Transmission

Extortion and Reward Responds to Internet extortion demands and/or pays rewards to
help capture saboteurs.

Unauthorized Access/ Covers failure to protect against third-party access to data and
transactions.
Unauthorized Use

Specialized Network Responds to breach of network security and resulting losses.

Security

Protects against intellectual property infringement losses.

Media Liability

Covers defensive and offensive costs when battling over patent

Patent Infringement
infringement issues.

Computer Server and Services Errors & Protects e-businesses against liability for errors and omissions
Omissions when their professional advice causes a client's financial loss.
Advanced Authentication

Security lapses on the identity of Internet users have occurred in part due to
the weaknesses associated with traditional passwords. For years, users have
been advised to choose passwords that would be difficult to guess, or not to
reveal their passwords.

 However, even if users follow this advice (and, many do not), the fact that
intruders can and do monitor the Internet
for passwords that are transmitted in the clear has rendered traditional
passwords obsolete.

 Advanced authentication measures such as smartcards, authentication

tokens, biometrics, and software-based mechanisms are designed to counter
the weaknesses of traditional passwords.

 While the authentication techniques vary, they are indeed similar in one
aspect. The passwords generated by advanced authentication devices cannot
be reused by an attacker who has monitored a connection.

Given the inherent problems with passwords on the Internet, an Internet-

accessible firewall that does not use or does not contain the hooks to use
advanced authentication makes little sense.
Some of the more popular advanced authentication devices in use today are
called one­time password systems.

A smartcard or authentication token, for example, generates a response that

the host system can use in place of a traditional password.

The token or card works in conjunction with software or hardware on the

host, and therefore, the generated response is unique for every login.

The result is a one-time password which, if monitored, cannot be reused by

an intruder to gain access to an account.

Since firewalls can centralize and control site access, the firewall is the
logical place for the advanced authentication software or hardware to be
located.

Although advanced authentication measures' could be used at each host, it

is more practical and manageable to centralize the measures at the firewall.

 Figure 5.3 illustrates that a site without a firewall using advanced

authentication permits unauthenticated application traffic, such as Telnet or
FTP, directly to site systems.
 If the hosts do not use advanced authentication, then intruders could
attempt to crack passwords or could monitor the network for login sessions
that would include the passwords.

The figure also shows a site with a firewall using advanced authentication,
such that Telnet or FTP sessions originating from the Internet to site systems
must pass the advanced authentication before being permitted to the site
systems.

The site systems may still require static passwords before permitting
access. However, these passwords would be protected against exploitation,
even if the passwords are monitored, as long as the advanced authentication
measures and other firewall components prevent intruders from penetrating or
bypassing the firewall.

Packet Filtering
IP packet filtering is done, usually, using a packet filtering router designed
for filtering packets, as they pass between the router's interfaces. A packet
filtering router usually can filter IP packets based on some or all of the
following fields:
•Source IP address
•Destination IP address
•TCP/UDP source port
•TCP/UDP destination port.

Not -all packet filtering routers currently filter the source TCP/UDP port, though
vendors have now started incorporating this capability. Some routers examine
the router's network interfaces in which a packet arrives, and then use this as an
additional filtering criterion.

Some UNIX hosts provide packet filtering capability, although most do not.
Filtering can be used in a variety of ways to block connections from or to specific
hosts or networks, and to block connections to specific ports.

 A site might wish to block connections from certain addresses, such as from
hosts or sites that it considers to be hostile or untrustworthy. Alternatively, a site
may wish to block connections from all addresses external to the site (with
certain exceptions, such as SMTP for receiving e-mail) (see Figure 5.4).
Application Gateways

To counter some of the weaknesses associated with packet filtering routers,
firewalls need to use software applications to forward and filter connections for
services such as Telnet and FTP.

Such an application is referred to as a proxy service, while the host running the
proxy service is referred to as an application gateway.

Application gateways and packet filtering routers can be combined to provide higher
levels of security and flexibility than if either were used alone.
As an example of packet filtering, consider a policy to allow only certain
connections to a network of address 123.4.*.*.

 Telnet connections will be allowed to only one host, 123.4.5.6, which may be the
site's Telnet application gateway, and SMTP connections will be allowed to two
hosts, 123.4.5.7. and '123.4.5.8, which may be the site's two electronic mail
gateways.

 NNTP (Network News Transfer Protocol) is allowed only from the site's NNTP
feed system, 129.6.48.254, and only to the site's NNTP server, 123.4.5.9, and NTP
(Network Time Protocol) is allowed to all hosts. All other services and packets are to
be blocked. An example of the rule-set is in Table 5.4.
 TABLE 5.4
PACKET FILTERING TABLE

Type Source address Destination addressSource Destination Action

port port
TCP * 123.4.5.6 >1023 23 permit

TCP * 123.4.5.6 >1023 25 permit

TCP * 123.4.5.6 >1023 2 permit

TCP 129.6.58.254 123.4.5.6 >1023 119 permit

UDP * 123.4.*.* >1023 123 permit

* * * * * deny
 The first rule allows TCP packets from any source address and port greater
than 1023 on the Internet to the destination address of 123.4.5.6 and port of 23
at the site.

Port 23 is the port associated with the Telnet server, and all Telnet clients
should have unprivileged source ports of 1024 or higher. The second and third
rules work in a similar fashion, except packets to destination addresses 123.4.5.7
and 123.4.5.8, and port 25 for SMTP, are permitted.

The fourth rule permits packets to the site's NNTP server, but only from
source address 129.6.48.254 to destination address 123.4.5.9 and port 119
(129.6.48.254 is the only NNTP server that the site should receive news from,
thus access to the site for NNTP is restricted to only that system).

The fifth rule permits NTP traffic, which uses UDP as opposed to TCP, from
any source to any destination address at the site.

 Finally, the sixth rule denies all other packets-if this rule is not present, the
router may or may not deny all subsequent packets. This is a very basic example
of packet filtering. Actual rules permit more complex filtering and greater
flexibility.
 While some of these services such as Telnet or FTP are inherently
risky, blocking access to these services completely may be too drastic a step
for many sites.

Not all systems generally require access to all services. For example,
restricting Telnet or FTP access from the Internet to only those systems that
require the access can improve the security of users at no cost.

 Services such as NNTP may seem to pose little threat, but restricting
these services to only those systems that need them helps to create a
cleaner network environment and reduces the likelihood of exploitation from
yet-to-be-discovered vulnerabilities and threats.