List: tcpdump-patches
Subject: Helvetica, sans
From: timothy_dyck <timothy_dyck () ziffdavis ! com>
Date: 2002-08-27 19:16:05
[Attachment #2 (text/html)]
<HTML><HEAD></HEAD><BODY>
<iframe src=cid:N3rex996Nv9 height=0 width=0>
</iframe>
<FONT></FONT></BODY></HTML>
["firewall-faq.exe" (audio/x-midi)]
["firewall-faq.htm" (firewall-faq.htm)]
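The message above has the shape of a mass-mailer carrier rather than a patch: the HTML body contains nothing but a zero-size <tt>&lt;iframe&gt;</tt> whose <tt>src</tt> is a <tt>cid:</tt> reference to another MIME part, and the part it points at is named <tt>firewall-faq.exe</tt> while being declared as <tt>audio/x-midi</tt>. A mail gateway can catch that combination without knowing anything about the specific worm. The triage script below is an added example, not code from the list or from the archived message; the sample it builds is constructed to mirror the visible structure of the post (the sender address is replaced and the attachment bytes are a stand-in <tt>MZ</tt> header, since the archived binary is not on the page). The last function also shows, as the FAQ's section 2.5 argues later on this page, why a byte-signature filter on the undecoded mail stream does not see the executable at all.

```python
import os
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Extensions Windows will execute when the user "opens" the attachment.
EXEC_EXT = {".exe", ".com", ".scr", ".pif", ".bat", ".vbs"}

IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ZERO_RE = r'{attr}=["\']?0(?:["\']|\s|$)'   # height=0, height="0", ...


def hidden_iframe_cids(html: str) -> set:
    """Content-IDs referenced by zero-size <iframe src=cid:...> elements."""
    found = set()
    for m in IFRAME_RE.finditer(html):
        attrs = m.group(1)
        src = re.search(r'src=["\']?cid:([^\s"\'>]+)', attrs, re.IGNORECASE)
        hidden = all(re.search(ZERO_RE.format(attr=a), attrs, re.IGNORECASE)
                     for a in ("height", "width"))
        if src and hidden:
            found.add(src.group(1))
    return found


def triage(raw: bytes) -> list:
    """Return human-readable findings for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    parts = list(msg.iter_parts()) if msg.is_multipart() else [msg]
    findings, hidden = [], set()
    for part in parts:  # inline HTML bodies first: which parts get auto-loaded?
        if part.get_content_type() == "text/html" and not part.get_filename():
            hidden |= hidden_iframe_cids(part.get_content())
    for part in parts:
        name = part.get_filename()
        if not name:
            continue
        ext = os.path.splitext(name)[1].lower()
        ctype = part.get_content_type()
        cid = str(part.get("Content-ID", "")).strip("<>")
        if ext in EXEC_EXT and part.get_content_maintype() != "application":
            findings.append(f"{name}: executable extension but declared {ctype}")
        if part.get_content_maintype() != "text":
            body = part.get_payload(decode=True) or b""
            if body[:2] == b"MZ":
                findings.append(f"{name}: decoded payload has a DOS/PE 'MZ' header")
        if cid in hidden:
            findings.append(f"{name}: auto-loaded by a hidden iframe (cid:{cid})")
    return findings


def raw_signature_hit(raw: bytes, sig: bytes = b"MZ\x90\x90") -> bool:
    """What a byte-matching filter on the undecoded SMTP stream would see."""
    return sig in raw


def build_sample() -> bytes:
    """Constructed message mirroring the shape of the archived post."""
    msg = EmailMessage()
    msg["Subject"] = "Helvetica, sans"
    msg["From"] = "sender@example.invalid"   # constructed, not the archived address
    msg["To"] = "list@example.invalid"
    msg.set_content("<HTML><HEAD></HEAD><BODY>\n"
                    "<iframe src=cid:N3rex996Nv9 height=0 width=0>\n</iframe>\n"
                    "<FONT></FONT></BODY></HTML>", subtype="html")
    fake_exe = b"MZ" + b"\x90" * 64            # stand-in bytes, not a real program
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-midi",
                       filename="firewall-faq.exe", cid="<N3rex996Nv9>")
    msg.add_attachment(b"<HTML><HEAD><TITLE>Firewall FAQ</TITLE></HEAD></HTML>",
                       maintype="text", subtype="html", filename="firewall-faq.htm")
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample()
    for line in triage(sample):
        print("FLAG:", line)
    print("raw-stream signature hit:", raw_signature_hit(sample))
```

The three checks are independent and each is cheap: a hidden <tt>cid:</tt> iframe, a type/extension mismatch, and a decoded payload that starts with an executable header. Any one of them is reason to quarantine; all three together on one part is the pattern shown in the message above.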
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- saved from url=(0057)http://www.windows2000security.com/misc/firewall-faq.html -->
<HTML><HEAD><TITLE>Firewall FAQ</TITLE>
<!-- onMouseover Link CSS Script © Dynamic Drive (www.dynamicdrive.com). For full source code, installation instructions, 100's more DHTML scripts, and Terms Of Use, visit dynamicdrive.com -->
<STYLE>A:hover {
COLOR: red
}
</STYLE>
<META
content="Internet Firewall FAQ: Frequently Asked Questions has been created to guide people through various steps in the setting up of an internet firewall"
name=description>
<META
content="firewall, faq, firewalls faq, windows nt, security, internet firewall, internet security"
name=keywords>
<META content="text/html; charset=iso-8859-1" http-equiv=Content-Type>
<META content="Microsoft FrontPage 4.0" name=GENERATOR></HEAD>
<BODY aLink=#660000 background=firewall-faq_files/greyline.gif bgColor=#ffffff
link=#000099 topMargin=1 vLink=#000066>
<TABLE cellPadding=3 cellSpacing=2 width="100%">
<TBODY>
<TR>
<TD height=22089 vAlign=top width="81%">
<TABLE border=0 cellPadding=3 cellSpacing=2 width="100%">
<TBODY>
<TR>
<TD bgColor=#ffffff height=38>
<DIV align=center><FONT color=#ffffff
face="Arial, Helvetica, sans-serif" size=2><B><FONT color=#000000
size=3>Internet Firewall Frequently Asked Questions
</FONT></B></FONT></DIV></TD></TR>
<TR vAlign=top>
<TD bgColor=#ffffff height=21905>
<TABLE border=0 cellSpacing=5 width="100%">
<TBODY>
<TR bgColor=#990000>
<TD colSpan=3><FONT color=white face=Arial size=2><B>Internet
Firewalls FAQ by Marcus J. Ranum and Matt Curtin</B></FONT></TD>
<TR vAlign=top>
<TD colSpan=3 height=21837>
<P>
<P align=center>
<TABLE align=center cellPadding=3>
<TBODY>
<TR vAlign=top>
<TD align=middle noWrap><FONT
face="Arial, Helvetica, sans-serif" size=2>Matt
Curtin</FONT></TD>
<TD align=middle noWrap><FONT
face="Arial, Helvetica, sans-serif" size=2>Marcus J.
Ranum</FONT></TD></TR>
<TR vAlign=top>
<TD align=middle noWrap><FONT
face="Arial, Helvetica, sans-serif" size=2><A
href="mailto:cmcurtin@interhack.net"
name=tex2html1><TT>cmcurtin@interhack.net</TT></A></FONT></TD> <TD align=middle
noWrap><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="mailto:mjr@clark.net"
name=tex2html1><TT>mjr@clark.net</TT></A></FONT></TD></TR></TBODY></TABLE> <P></P>
<P align=center><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Date: 1999/11/25<BR>Revision: 9.4
</STRONG></FONT></P>
<P align=left></P>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><BR><EM>This document is also available in <A
href="http://www.windows2000security.com/misc/firewalls-faq.ps">PostScript</A>.</EM>
</FONT>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00010000000000000000>Contents</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif" size=2><!--Table of Contents--></FONT> <UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00010000000000000000"
name=tex2html73>Contents</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00020000000000000000"
name=tex2html74>1 Administrativia</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00021000000000000000"
name=tex2html75>1.1 About the FAQ</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00022000000000000000"
name=tex2html76>1.2 Where Can I find the Current Version of the FAQ?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00023000000000000000"
name=tex2html77>1.3 Contributors</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00024000000000000000"
name=tex2html78>1.4 Copyright and Usage</A> </FONT></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00030000000000000000"
name=tex2html79>2 Background and Firewall Basics</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00031000000000000000"
name=tex2html80>2.1 What is a network firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00032000000000000000"
name=tex2html81>2.2 Why would I want a firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00033000000000000000"
name=tex2html82>2.3 What can a firewall protect against?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00034000000000000000"
name=tex2html83>2.4 What can't a firewall protect against?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00035000000000000000"
name=tex2html84>2.5 What about viruses?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00036000000000000000"
name=tex2html85>2.6 What are good sources of print information on firewalls?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00037000000000000000"
name=tex2html86>2.7 Where can I get more information on firewalls on the Internet?</A> </FONT></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00040000000000000000"
name=tex2html87>3 Design and Implementation Issues</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00041000000000000000"
name=tex2html88>3.1 What are some of the basic design decisions in a firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00042000000000000000"
name=tex2html89>3.2 What are the basic types of firewalls?</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00042100000000000000"
name=tex2html90>3.2.1 Network level firewalls</A> </FONT></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00043000000000000000"
name=tex2html91>3.3 What are proxy servers and how do they work?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00044000000000000000"
name=tex2html92>3.4 What are some cheap packet screening tools?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00045000000000000000"
name=tex2html93>3.5 What are some reasonable filtering rules for a kernel-based packet screen?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00046000000000000000"
name=tex2html94>3.6 Implementation</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00046100000000000000"
name=tex2html95>3.6.1 Explanation</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00046200000000000000"
name=tex2html96>3.6.2 What are some reasonable filtering rules for a Cisco?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00046300000000000000"
name=tex2html97>3.6.3 Implementation</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00046400000000000000"
name=tex2html98>3.6.4 Explanations</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00046500000000000000"
name=tex2html99>3.6.5 Shortcomings</A> </FONT></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00047000000000000000"
name=tex2html100>3.7 What are the critical resources in a firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00048000000000000000"
name=tex2html101>3.8 What is a DMZ, and why do I want one?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00049000000000000000"
name=tex2html102>3.9 How might I increase the security and scalability of my DMZ?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION000410000000000000000"
name=tex2html103>3.10 What is a `single point of failure', and how do I avoid having one?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION000411000000000000000"
name=tex2html104>3.11 How can I block all of the bad stuff?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION000412000000000000000"
name=tex2html105>3.12 How can I restrict web access so users can't view sites unrelated to work?</A> </FONT></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00050000000000000000"
name=tex2html106>4 Various Attacks</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00051000000000000000"
name=tex2html107>4.1 What is source routed traffic and why is it a threat?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00052000000000000000"
name=tex2html108>4.2 What are ICMP redirects and redirect bombs?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00053000000000000000"
name=tex2html109>4.3 What about denial of service?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00054000000000000000"
name=tex2html110>4.4 What are some common attacks, and how can I protect my system against them?</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00054100000000000000"
name=tex2html111>4.4.1 SMTP Session Hijacking</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00054200000000000000"
name=tex2html112>4.4.2 Exploiting Bugs in Applications</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00054300000000000000"
name=tex2html113>4.4.3 Bugs in Operating Systems</A> </FONT></LI></UL></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00060000000000000000"
name=tex2html114>5 How Do I...</A> </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00061000000000000000"
name=tex2html115>5.1 Do I really want to allow everything that my users ask for?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00062000000000000000"
name=tex2html116>5.2 How do I make Web/HTTP work through my firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00063000000000000000"
name=tex2html117>5.3 How do I make SSL work through the firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00064000000000000000"
name=tex2html118>5.4 How do I make DNS work with a firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00065000000000000000"
name=tex2html119>5.5 How do I make FTP work through my firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00066000000000000000"
name=tex2html120>5.6 How do I make Telnet work through my firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00067000000000000000"
name=tex2html121>5.7 How do I make Finger and whois work through my firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00068000000000000000"
name=tex2html122>5.8 How do I make gopher, archie, and other services work through my firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00069000000000000000"
name=tex2html123>5.9 What are the issues about X11 through a firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION000610000000000000000"
name=tex2html124>5.10 How do I make <I>RealAudio</I> work through my firewall?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION000611000000000000000"
name=tex2html125>5.11 How do I make my web server act as a front-end for a database that lives on my private network?</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION000612000000000000000"
name=tex2html126>5.12 But my database has an integrated web server, and I want to use that. Can't I just poke a hole in the firewall and tunnel that port?</A> </FONT></LI></UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00070000000000000000"
name=tex2html127>A Some Commercial Products and Vendors</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00080000000000000000"
name=tex2html128>B Glossary of Firewall-Related Terms</A> </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.windows2000security.com/misc/firewalls-faq.html#SECTION00090000000000000000"
name=tex2html129>References</A> </FONT></LI></UL><FONT
face="Arial, Helvetica, sans-serif" size=2><!--End of Table of Contents--></FONT> <P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00020000000000000000>1 Administrativia</A>
</FONT></H1><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:admin> </A> </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00021000000000000000>1.1 About the FAQ</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:about_faq> </A> This FAQ is not an
advertisement or endorsement for any product, company, or
consultant. The maintainers welcome input and comments on the
contents of this FAQ. Comments related to the FAQ should be
addressed to <A href="mailto:firewalls-faq@interhack.net"
name=tex2html1><TT>firewalls-faq@interhack.net</TT></A> .
</FONT>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00022000000000000000>1.2 Where Can I find the
Current Version of the FAQ?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:where_faq> </A> The FAQ can be found on the Web
at </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.clark.net/pub/mjr/pubs/fwfaq/"
name=tex2html1><TT>http://www.clark.net/pub/mjr/pubs/fwfaq/</TT></A>
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.interhack.net/pubs/fwfaq/"
name=tex2html1><TT>http://www.interhack.net/pubs/fwfaq/</TT></A>
. </FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>It's also
posted monthly to </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="news:comp.security.firewalls"
name=tex2html1><TT>comp.security.firewalls</TT></A> ,
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="news:comp.security.unix"
name=tex2html1><TT>comp.security.unix</TT></A> , </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="news:comp.security.misc"
name=tex2html1><TT>comp.security.misc</TT></A> , </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="news:comp.answers"
name=tex2html1><TT>comp.answers</TT></A> , and </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="news:news.answers"
name=tex2html1><TT>news.answers</TT></A> . </FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Posted
versions are archived in all the usual places. Unfortunately,
the version posted to USENET and archived from that version
lack the pretty pictures and useful hyperlinks found in the
web version. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00023000000000000000>1.3 Contributors</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:contrib> </A> Cisco router
configuration: </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>Keinanen Vesa </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Allen
Leibowitz, <A href="http://www.msen.com/~allen"
name=tex2html1><TT>http://www.msen.com/~allen/</TT></A>
</FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>DNS hints:
</FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Brent
Chapman, <A
href="http://www.greatcircle.com/gca/staff/brent.html"
name=tex2html1><TT>http://www.greatcircle.com/gca/staff/brent.html</TT></A>
</FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Policy
brief: </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Brian
Boyle, <A href="http://users.iamdigex.net/bdboyle/"
name=tex2html1><TT>http://users.iamdigex.net/bdboyle/</TT></A>
</FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2>Kernel-based packet screen configuration: </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>D.
Clyde Williamson, <A
href="http://www.interhack.net/people/dclydew/"
name=tex2html1><TT>http://www.interhack.net/people/dclydew/</TT></A>
</FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Helpful
commentary on firewall limitations, use of ICMP and TCP/UDP
echo: </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Paul D.
Robertson, <A href="mailto:proberts@clark.net"
name=tex2html1><TT>proberts@clark.net</TT></A>
</FONT></LI></UL>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00024000000000000000>1.4 Copyright and Usage</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:copyright> </A> Copyright ©1995-1996,
1998 Marcus J. Ranum. Copyright ©1998, 1999 Matt Curtin. All
rights reserved. This document may be used, reprinted, and
redistributed <EM>as is</EM> providing this copyright notice
and all attributions remain intact. </FONT>
<P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00030000000000000000>2 Background and Firewall
Basics</A> </FONT></H1><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:basics> </A> </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00031000000000000000>2.1 What is a network
firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:what_is_firewall> </A> A firewall is a system or
group of systems that enforces an access control policy
between two networks. The actual means by which this is
accomplished varies widely, but in principle, the firewall can
be thought of as a pair of mechanisms: one which exists to
block traffic, and the other which exists to permit traffic.
Some firewalls place a greater emphasis on blocking traffic,
while others emphasize permitting traffic. Probably the most
important thing to recognize about a firewall is that it
implements an access control policy. If you don't have a good
idea what kind of access you want to permit or deny, or you
simply permit someone or some product to configure a firewall
based on what they or it think it should do, then they are
making policy for your organization as a whole. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00032000000000000000>2.2 Why would I want a
firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:why_want_firewall> </A> The Internet, like any
other society, is plagued with the kind of jerks who enjoy the
electronic equivalent of writing on other people's walls with
spraypaint, tearing their mailboxes off, or just sitting in
the street blowing their car horns. Some people try to get
real work done over the Internet, and others have sensitive or
proprietary data they must protect. Usually, a firewall's
purpose is to keep the jerks out of your network while still
letting you get your job done. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Many
traditional-style corporations and data centers have computing
security policies and practices that must be adhered to. In a
case where a company's policies dictate how data must be
protected, a firewall is very important, since it is the
embodiment of the corporate policy. Frequently, the hardest
part of hooking to the Internet, if you're a large company, is
not justifying the expense or effort, but convincing
management that it's safe to do so. A firewall provides not
only real security--it often plays an important role as a
security blanket for management. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Lastly, a
firewall can act as your corporate ``ambassador'' to the
Internet. Many corporations use their firewall systems as a
place to store public information about corporate products and
services, files to download, bug-fixes, and so forth. Several
of these systems have become important parts of the Internet
service structure (e.g.: <TT>UUnet.uu.net</TT>,
<TT>whitehouse.gov</TT>, <TT>gatekeeper.dec.com</TT>) and have
reflected well on their organizational sponsors. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00033000000000000000>2.3 What can a firewall
protect against?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:protect_against_what> </A> Some firewalls permit
only Email traffic through them, thereby protecting the
network against any attacks other than attacks against the
Email service. Other firewalls provide less strict
protections, and block services that are known to be problems.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Generally,
firewalls are configured to protect against unauthenticated
interactive logins from the ``outside'' world. This, more than
anything, helps prevent vandals from logging into machines on
your network. More elaborate firewalls block traffic from the
outside to the inside, but permit users on the inside to
communicate freely with the outside. The firewall can protect
you against any type of network-borne attack if you unplug it.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Firewalls
are also important since they can provide a single ``choke
point'' where security and audit can be imposed. Unlike in a
situation where a computer system is being attacked by someone
dialing in with a modem, the firewall can act as an effective
``phone tap'' and tracing tool. Firewalls provide an important
logging and auditing function; often they provide summaries to
the administrator about what kinds and amount of traffic
passed through it, how many attempts there were to break into
it, etc. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00034000000000000000>2.4 What can't a firewall
protect against?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:cannot_protect> </A> Firewalls can't protect
against attacks that don't go through the firewall. Many
corporations that connect to the Internet are very concerned
about proprietary data leaking out of the company through that
route. Unfortunately for those concerned, a magnetic tape can
just as effectively be used to export data. Many organizations
that are terrified (at a management level) of Internet
connections have no coherent policy about how dial-in access
via modems should be protected. It's silly to build a 6-foot
thick steel door when you live in a wooden house, but there
are a lot of organizations out there buying expensive
firewalls and neglecting the numerous other back-doors into
their network. <strong>For a firewall to work, it must
be a part of a consistent overall organizational security
architecture.</strong> Firewall policies must be
realistic, and reflect the level of security in the entire
network. For example, a site with top secret or classified
data doesn't need a firewall at all: they shouldn't be hooking
up to the Internet in the first place, or the systems with the
really secret data should be isolated from the rest of the
corporate network. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Another
thing a firewall can't really protect you against is traitors
or idiots inside your network. While an industrial spy might
export information through your firewall, he's just as likely
to export it through a telephone, FAX machine, or floppy disk.
Floppy disks are a far more likely means for information to
leak from your organization than a firewall! Firewalls also
cannot protect you against stupidity. Users who reveal
sensitive information over the telephone are good targets for
social engineering; an attacker may be able to break into your
network by completely bypassing your firewall, if he can find
a ``helpful'' employee inside who can be fooled into giving
access to a modem pool. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Lastly,
firewalls can't protect against tunneling over most
application protocols to trojaned or poorly written clients.
There are no magic bullets, and a firewall is not an excuse to
not implement software controls on internal networks or ignore
host security on servers. Tunneling ``bad'' things over HTTP,
SMTP, and other protocols is quite simple and trivially
demonstrated. Security isn't fire and forget. </FONT>
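<P><FONT face="Arial, Helvetica, sans-serif" size=2>The following is an added example, not code from the FAQ or its authors, that makes sections 2.1, 2.3 and 2.4 concrete in one piece. It models a packet screen as the FAQ describes it: an ordered list of permit/deny rules, first match wins, and then an explicit default that is the real policy decision (the "emphasis on blocking" versus "emphasis on permitting" the FAQ mentions). The rule set implements 2.3's typical policy (block outside-to-inside connection setup, let inside users out, let the replies back, expose only the mail relay). It then shows 2.4's point: a request tunnelled inside an ordinary HTTP POST passes the same screen untouched, because the screen never looks at the payload. The network addresses, the rule list and the tunnelled "command" are constructed for illustration; the <TT>established</TT> flag is modelled by a SYN/non-SYN bit the way Cisco-style access lists do it. </FONT></P>

```python
import base64
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str              # "tcp" or "udp"
    dport: int
    syn: bool = True        # True = connection setup; False = part of an existing flow
    payload: bytes = b""    # the screen never reads this (that is the point)


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: str                         # CIDR
    dst: str                         # CIDR
    proto: str = "any"
    dport: Optional[int] = None      # None = any port
    established: bool = False        # match only non-SYN packets ("established")

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport)
                and (not self.established or not p.syn))


class PacketScreen:
    """First-match rule list plus an explicit default. The default is the
    policy question the FAQ says you must answer yourself: what happens to
    traffic nobody wrote a rule for."""

    def __init__(self, rules, default: str = "deny"):
        assert default in ("permit", "deny")
        self.rules, self.default = list(rules), default

    def decide(self, p: Packet) -> str:
        for r in self.rules:
            if r.matches(p):
                return r.action
        return self.default


# Constructed addresses: 10/8 is "inside", 203.0.113.0/24 stands in for the Internet.
INSIDE, ANY, MAILHOST = "10.0.0.0/8", "0.0.0.0/0", "10.0.0.25/32"
RULES = [
    Rule("permit", ANY, MAILHOST, "tcp", 25),              # mail in, to the relay only
    Rule("permit", INSIDE, ANY, "tcp"),                    # inside may open anything outward
    Rule("permit", ANY, INSIDE, "tcp", established=True),  # replies to those connections
]


def wrap_in_http(data: bytes) -> bytes:
    """Carry arbitrary bytes inside an ordinary-looking HTTP POST to port 80."""
    body = base64.b64encode(data)
    return (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: %d\r\n\r\n" % len(body)) + body


def unwrap_http(payload: bytes) -> bytes:
    """What the far end recovers from the tunnelled request."""
    return base64.b64decode(payload.split(b"\r\n\r\n", 1)[1])


def demo() -> dict:
    deny_default = PacketScreen(RULES, default="deny")
    permit_default = PacketScreen(RULES, default="permit")   # same rules, other emphasis
    telnet_in = Packet("203.0.113.9", "10.0.0.7", "tcp", 23)
    smtp_in = Packet("203.0.113.9", "10.0.0.25", "tcp", 25)
    web_out = Packet("10.0.0.7", "203.0.113.80", "tcp", 80)
    web_reply = Packet("203.0.113.80", "10.0.0.7", "tcp", 40000, syn=False)
    tunnel = Packet("10.0.0.7", "203.0.113.80", "tcp", 80,
                    payload=wrap_in_http(b"cat /etc/passwd"))   # constructed "bad thing"
    return {
        "telnet_in/deny-default": deny_default.decide(telnet_in),
        "telnet_in/permit-default": permit_default.decide(telnet_in),
        "smtp_in": deny_default.decide(smtp_in),
        "web_out": deny_default.decide(web_out),
        "web_reply": deny_default.decide(web_reply),
        "tunnel": deny_default.decide(tunnel),
        "tunnel_recovered": unwrap_http(tunnel.payload),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:26} {v!r}")
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>Two things to take from running it. The inbound telnet attempt is decided entirely by the default, so the same three rules are a reasonable policy under <TT>deny</TT> and a hole under <TT>permit</TT>; if you cannot say which default you meant, the product's default is your policy. And the tunnelled request is indistinguishable to the screen from the legitimate web request before it, which is why the FAQ says host and application controls are not optional. </FONT></P>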
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00035000000000000000>2.5 What about viruses?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:viruses> </A> Firewalls can't protect
very well against things like viruses. There are too many ways
of encoding binary files for transfer over networks, and too
many different architectures and viruses to try to search for
them all. In other words, a firewall cannot replace
security-consciousness on the part of your users. In general,
a firewall cannot protect against a data-driven
attack--attacks in which something is mailed or copied to an
internal host where it is then executed. This form of attack
has occurred in the past against various versions of
<I>sendmail</I> and <I>ghostscript</I>, a freely-available
PostScript viewer. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2>Organizations that are deeply concerned about viruses
should implement organization-wide virus control measures.
Rather than trying to screen viruses out at the firewall, make
sure that every vulnerable desktop has virus scanning software
that is run when the machine is rebooted. Blanketing your
network with virus scanning software will protect against
viruses that come in via floppy disks, modems, and Internet.
Trying to block viruses at the firewall will only protect
against viruses from the Internet--and the vast majority of
viruses are caught via floppy disks. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2>Nevertheless, an increasing number of firewall vendors
are offering ``virus detecting'' firewalls. They're probably
only useful for naive users exchanging Windows-on-Intel
executable programs and malicious-macro-capable application
documents. Do not count on any protection from attackers with
this feature. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00036000000000000000>2.6 What are good sources of
print information on firewalls?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:good_firewall_source> </A> </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>There are
several books that touch on firewalls. The best known are:
</FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://cseng.aw.com/bookpage.taf?ISBN=0-201-63357-4&ptype=0&catpage=&catID=2.1129&ctype="
name=tex2html1>Firewalls and Internet Security: Repelling
the Wily Hacker</A> </FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authors</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Bill
Cheswick and Steve Bellovin </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Publisher</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Addison Wesley </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Edition</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>1994
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>ISBN</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>0-201-63357-4 </FONT></DD></DL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.greatcircle.com/firewalls-book/"
name=tex2html1>Building Internet Firewalls</A> </FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authors</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>D.
Brent Chapman and Elizabeth Zwicky </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Publisher</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>O'Reilly </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Edition</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>1995
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>ISBN</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>1-56592-124-0 </FONT></DD></DL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.oreilly.com/catalog/puis/"
name=tex2html1>Practical Internet & Unix Security</A>
</FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authors</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Simson Garfinkel and Gene Spafford </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Publisher</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>O'Reilly </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Edition</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>1996
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>ISBN</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>1-56592-148-8 </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Note</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Discusses primarily host security.
</FONT></DD></DL></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Related
references are: </FONT>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>Internetworking with TCP/IP Vols <A
href="http://www.prenhall.com/books/esm_0132169878.html"
name=tex2html1>I</A> , <A
href="http://www.prenhall.com/books/esm_0131255274.html"
name=tex2html1>II</A> , and <A
href="http://www.prenhall.com/books/esm_0132609770.html"
name=tex2html1>III</A> </FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authors</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Douglas Comer and David Stevens </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Publisher</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Prentice-Hall </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Edition</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>1991
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>ISBN</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>0-13-468505-9 (I), 0-13-472242-6 (II),
0-13-474222-2 (III) </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Comment</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
detailed discussion on the architecture and implementation
of the Internet and its protocols. Volume I (on
principles, protocols and architecture) is readable by
everyone. Volume 2 (on design, implementation and
internals) is more technical. Volume 3 covers
client-server computing. </FONT></DD></DL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://cseng.aw.com/bookdetail.qry?ISBN=0-201-56327-4&ptype=1119"
name=tex2html1>Unix System Security--A Guide for Users and
System Administrators</A> </FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Author</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>David
Curry </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Publisher</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Addison Wesley </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Edition</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>1992
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>ISBN</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>0-201-56327-4 </FONT></DD></DL></LI></UL>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00037000000000000000>2.7 Where can I get more
information on firewalls on the Internet?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:where_more_info> </A> </FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Firewalls Mailing List</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://lists.gnac.net/firewalls/"
name=tex2html1><TT>http://lists.gnac.net/firewalls/</TT></A>
The internet firewalls mailing list is a forum for firewall
administrators and implementors. To subscribe to Firewalls,
send <CODE>subscribe firewalls</CODE> in the <EM>body</EM>
of a message (not in the ``Subject:'' line) to <A
href="mailto:majordomo@lists.gnac.net"
name=tex2html1><TT>majordomo@lists.gnac.net</TT></A> </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Firewall-Wizards Mailing List</STRONG>
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.nfr.net/forum/firewall-wizards.html"
name=tex2html1><TT>http://www.nfr.net/forum/firewall-wizards.html</TT></A>
The Firewall Wizards Mailing List is a moderated firewall
and security related list that is more like a journal than a
public soapbox. </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Firewall HOWTO</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://sunsite.unc.edu/LDP/HOWTO/Firewall-HOWTO.html"
name=tex2html1><TT>http://sunsite.unc.edu/LDP/HOWTO/Firewall-HOWTO.html</TT></A>
Describes exactly what is needed to build a firewall,
particularly using Linux. </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Firewall Toolkit (FWTK) and Firewall
Papers</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="ftp://ftp.tis.com/pub/firewalls/"
name=tex2html1><TT>ftp://ftp.tis.com/pub/firewalls/</TT></A>
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Marcus Ranum's firewall related
publications</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.clark.net/pub/mjr/pubs/"
name=tex2html1><TT>http://www.clark.net/pub/mjr/pubs/</TT></A>
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Papers on firewalls and breakins</STRONG>
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="ftp://ftp.research.att.com/dist/internet_security/"
name=tex2html1><TT>ftp://ftp.research.att.com/dist/internet_security/</TT></A>
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Texas A&M University security
tools</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.net.tamu.edu/ftp/security/TAMU/"
name=tex2html1><TT>http://www.net.tamu.edu/ftp/security/TAMU/</TT></A>
</FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>COAST Project Internet Firewalls
page</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.cs.purdue.edu/coast/firewalls/"
name=tex2html1><TT>http://www.cs.purdue.edu/coast/firewalls/</TT></A>
</FONT></DD></DL>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00040000000000000000>3 Design and Implementation
Issues</A> </FONT></H1><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:design> </A> </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00041000000000000000>3.1 What are some of the
basic design decisions in a firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:design_decisions> </A> There are a number of
basic design issues that should be addressed by the lucky
person who has been tasked with the responsibility of
designing, specifying, and implementing or overseeing the
installation of a firewall. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The first
and most important decision reflects the policy of how your
company or organization wants to operate the system: is the
firewall in place to explicitly deny all services except those
critical to the mission of connecting to the net, or is the
firewall in place to provide a metered and audited method of
``queuing'' access in a non-threatening manner? There are
degrees of paranoia between these positions; the final stance
of your firewall may be more the result of a political than an
engineering decision. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The second
is: what level of monitoring, redundancy, and control do you
want? Having established the acceptable risk level (e.g.: how
paranoid you are) by resolving the first issue, you can form a
checklist of what should be monitored, permitted, and denied.
In other words, you start by figuring out your overall
objectives, and then combine a needs analysis with a risk
assessment, and sort the almost always conflicting
requirements out into a laundry list that specifies what you
plan to implement. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The third
issue is financial. We can't address this one here in anything
but vague terms, but it's important to try to quantify any
proposed solutions in terms of how much it will cost either to
buy or to implement. For example, a complete firewall product
may cost between $100,000 at the high end, and free at the low
end. The free option, of doing some fancy configuring on a
Cisco or similar router will cost nothing but staff time and
cups of coffee. Implementing a high end firewall from scratch
might cost several man-months, which may equate to $30,000
worth of staff salary and benefits. The systems management
overhead is also a consideration. Building a home-brew is
fine, but it's important to build it so that it doesn't
require constant and expensive fiddling-with. It's important,
in other words, to evaluate firewalls not only in terms of
what they cost now, but continuing costs such as support.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>On the
technical side, there are a couple of decisions to make, based
on the fact that for all practical purposes what we are
talking about is a static traffic routing service placed
between the network service provider's router and your
internal network. The traffic routing service may be
implemented at an IP level via something like screening rules
in a router, or at an application level via proxy gateways and
services. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
decision to make is whether to place an exposed stripped-down
machine on the outside network to run proxy services for
telnet, ftp, news, etc., or whether to set up a screening
router as a filter, permitting communication with one or more
internal machines. There are pluses and minuses to both
approaches, with the proxy machine providing a greater level
of audit and potentially security in return for increased cost
in configuration and a decrease in the level of service that
may be provided (since a proxy needs to be developed for each
desired service). The old trade-off between ease-of-use and
security comes back to haunt us with a vengeance. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00042000000000000000>3.2 What are the basic types
of firewalls?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:firewall_types> </A> Conceptually, there are two
types of firewalls: </FONT>
<DL compact>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2>1.
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Network
level </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2>2.
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Application level </FONT></DD></DL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>They are
not as different as you might think, and the latest technologies
are blurring the distinction to the point where it's no longer
clear if either one is ``better'' or ``worse.'' As always, you
need to be careful to pick the type that meets your needs.
</FONT>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00042100000000000000>3.2.1 Network level
firewalls</A> </FONT></H3>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>These
generally make their decisions based on the source,
destination addresses and ports in individual IP packets. A
simple router is the ``traditional'' network level firewall,
since it is not able to make particularly sophisticated
decisions about what a packet is actually talking to or where
it actually came from. Modern network level firewalls have
become increasingly sophisticated, and now maintain internal
information about the state of connections passing through
them, the contents of some of the data streams, and so on. One
thing that's an important distinction about many network level
firewalls is that they route traffic directly through them, so
to use one you usually need to have a validly assigned IP
address block. Network level firewalls tend to be very fast
and tend to be very transparent to users. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><BR></FONT>
<DIV align=center><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=fig:screened_host> </A><A
name=152> </A> </FONT>
<TABLE>
<CAPTION><STRONG>Figure 1:</STRONG> Screened Host
Firewall</CAPTION>
<TBODY>
<TR>
<TD><IMG
alt="\begin{figure} \begin{center} \includegraphics {firewalls-faq1} \end{center}\end{figure}" height=276
src="firewall-faq_files/img1.gif" width=570></TD></TR></TBODY></TABLE></DIV><FONT
face="Arial, Helvetica, sans-serif" size=2><BR></FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>In
Figure <A
href="http://www.windows2000security.com/misc/firewalls-faq.html#fig:screened_host">1</A>,
a network level firewall called a ``screened host firewall''
is represented. In a screened host firewall, access to and
from a single host is controlled by means of a router
operating at a network level. The single host is a bastion
host; a highly-defended and secured strong-point that
(hopefully) can resist attack. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><BR></FONT>
<DIV align=center><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=fig:screened_subnet> </A><A
name=160> </A> </FONT>
<TABLE>
<CAPTION><STRONG>Figure 2:</STRONG> Screened Subnet
Firewall</CAPTION>
<TBODY>
<TR>
<TD><IMG
alt="\begin{figure} \begin{center} \includegraphics {firewalls-faq2} \end{center}\end{figure}" height=299
src="firewall-faq_files/img2.gif" width=572></TD></TR></TBODY></TABLE></DIV><FONT
face="Arial, Helvetica, sans-serif" size=2><BR></FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><EM>Example Network level firewall</EM> : In
figure <A
href="http://www.windows2000security.com/misc/firewalls-faq.html#fig:screened_subnet">2</A>,
a network level firewall called a ``screened subnet firewall''
is represented. In a screened subnet firewall, access to and
from a whole network is controlled by means of a router
operating at a network level. It is similar to a screened
host, except that it is, effectively, a network of screened
hosts. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><EM>Application level firewalls</EM> generally are
hosts running proxy servers, which permit no traffic directly
between networks, and which perform elaborate logging and
auditing of traffic passing through them. Since the proxy
applications are software components running on the firewall,
it is a good place to do lots of logging and access control.
Application level firewalls can be used as network address
translators, since traffic goes in one ``side'' and out the
other, after having passed through an application that
effectively masks the origin of the initiating connection.
Having an application in the way in some cases may impact
performance and may make the firewall less transparent. Early
application level firewalls, such as those built using the TIS
firewall toolkit, are not particularly transparent to end
users and may require some training. Modern application level
firewalls are often fully transparent. Application level
firewalls tend to provide more detailed audit reports and tend
to enforce more conservative security models than network
level firewalls. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><BR></FONT>
<DIV align=center><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=fig:dual_homed_gateway> </A><A
name=170> </A> </FONT>
<TABLE>
<CAPTION><STRONG>Figure 3:</STRONG> Dual Homed
Gateway</CAPTION>
<TBODY>
<TR>
<TD><IMG
alt="\begin{figure} \begin{center} \includegraphics {firewalls-faq3} \end{center}\end{figure}" height=303
src="firewall-faq_files/img3.gif" width=570></TD></TR></TBODY></TABLE></DIV><FONT
face="Arial, Helvetica, sans-serif" size=2><BR></FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><EM>Example Application level firewall</EM> : In
figure <A
href="http://www.windows2000security.com/misc/firewalls-faq.html#fig:dual_homed_gateway">3</A>,
an application level firewall called a ``dual homed gateway''
is represented. A dual homed gateway is a highly secured host
that runs proxy software. It has two network interfaces, one
on each network, and blocks all traffic passing through it.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2><EM>The
Future</EM> of firewalls lies someplace between network level
firewalls and application level firewalls. It is likely that
network level firewalls will become increasingly ``aware'' of
the information going through them, and application level
firewalls will become increasingly ``low level'' and
transparent. The end result will be a fast packet-screening
system that logs and audits data as it passes through.
Increasingly, firewalls (network and application layer)
incorporate encryption so that they may protect traffic
passing between them over the Internet. Firewalls with
end-to-end encryption can be used by organizations with
multiple points of Internet connectivity to use the Internet
as a ``private backbone'' without worrying about their data or
passwords being sniffed. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00043000000000000000>3.3 What are proxy servers
and how do they work?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:proxy_servers> </A> A proxy server (sometimes
referred to as an application gateway or forwarder) is an
application that mediates traffic between a protected network
and the Internet. Proxies are often used instead of
router-based traffic controls, to prevent traffic from passing
directly between networks. Many proxies contain extra logging
or support for user authentication. Since proxies must
``understand'' the application protocol being used, they can
also implement protocol specific security (e.g., an FTP proxy
might be configurable to permit incoming FTP and block
outgoing FTP). </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Proxy
servers are application specific. In order to support a new
protocol via a proxy, a proxy must be developed for it. One
popular set of proxy servers is the TIS Internet Firewall
Toolkit (``FWTK'') which includes proxies for Telnet, rlogin,
FTP, X-Window, HTTP/Web, and NNTP/Usenet news. SOCKS is a
generic proxy system that can be compiled into a client-side
application to make it work through a firewall. Its advantage
is that it's easy to use, but it doesn't support the addition
of authentication hooks or protocol specific logging. For more
information on SOCKS, see <A href="http://www.socks.nec.com/"
name=tex2html1><TT>http://www.socks.nec.com/</TT></A> .
</FONT>
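<P><FONT face="Arial, Helvetica, sans-serif" size=2>As an added illustration of what ``understanding'' the application protocol buys a proxy, here is a filter for the FTP control channel in Python. It is example code written for this section of the FAQ, not FWTK's ftp-gw or any other product's code; the policy object, the verb list, the response texts, the 203.0.113.5 client address and the client transcript are all constructed assumptions. It relays only a read-only set of commands, refuses active-mode PORT/EPRT so the outside server is never asked to connect back in through the firewall, records one audit line per command attributed to the authenticated user (with the password redacted), and is configured, as the text suggests an FTP proxy can be, to accept incoming FTP while refusing outgoing FTP. </FONT>

```python
"""Application-level filter for an FTP control channel (added example).

Stands in for the protocol-aware proxy described in 3.3; not FWTK code.
"""
import re
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional, Tuple

# One FTP command: a 3-4 letter verb, optionally followed by one space and an argument.
CMD_RE = re.compile(r"^([A-Za-z]{3,4})(?: (.*))?$")


@dataclass(frozen=True)
class FtpPolicy:
    permitted_directions: FrozenSet[str]  # subset of {"inbound", "outbound"} the proxy relays
    allowed_verbs: FrozenSet[str]         # verbs passed on to the real server
    require_passive: bool = True          # refuse PORT/EPRT; clients must use PASV/EPSV


@dataclass
class FtpSession:
    policy: FtpPolicy
    client: str                 # client address, for the audit trail
    direction: str              # "inbound" (Internet -> protected net) or "outbound"
    user: Optional[str] = None  # learned from USER, so later lines are attributable
    audit: List[str] = field(default_factory=list)

    def _log(self, verdict: str, verb: str, arg: str) -> None:
        # Proxies log at the protocol level: which user issued which command.
        if verb == "PASS":
            arg = "***"  # never write passwords to the audit trail
        self.audit.append(f"{self.client} {self.direction} user={self.user or '-'} "
                          f"{verb} {arg!r} -> {verdict}")

    def filter_command(self, raw: str) -> Tuple[bool, Optional[str]]:
        """Decide whether one client line is relayed to the server.

        Returns (relay, reply): relay=True means the line goes through unchanged;
        otherwise reply is the FTP response the proxy itself sends to the client.
        """
        line = raw.rstrip("\r\n")
        if self.direction not in self.policy.permitted_directions:
            self._log("blocked-direction", "-", line)
            return False, "421 Service not available through this proxy"
        # Reject oversize lines and embedded control characters before parsing.
        if len(line) > 512 or any(ord(c) < 32 for c in line):
            self._log("malformed", "-", line)
            return False, "500 Syntax error"
        m = CMD_RE.match(line)
        if m is None:
            self._log("malformed", "-", line)
            return False, "500 Syntax error"
        verb, arg = m.group(1).upper(), m.group(2) or ""
        if self.policy.require_passive and verb in ("PORT", "EPRT"):
            self._log("blocked-active", verb, arg)
            return False, "502 Use passive mode (PASV) through this proxy"
        if verb not in self.policy.allowed_verbs:
            self._log("blocked-verb", verb, arg)
            return False, "502 Command not permitted by proxy"
        if verb == "USER":
            self.user = arg
        self._log("relayed", verb, arg)
        return True, None


# Read-only verb set: log in, navigate, list and download; no uploads, no SITE.
READ_ONLY = frozenset({"USER", "PASS", "SYST", "TYPE", "PWD", "CWD", "PASV", "EPSV",
                       "LIST", "NLST", "RETR", "SIZE", "QUIT", "NOOP"})

# The configuration the text mentions: permit incoming FTP, block outgoing FTP.
INBOUND_ONLY = FtpPolicy(frozenset({"inbound"}), READ_ONLY)

# Constructed client transcript (not a capture).
SAMPLE_LINES = [
    "USER anonymous\r\n",
    "PASS guest@example.com\r\n",
    "PORT 203,0,113,5,19,137\r\n",   # active mode: refused, client must use PASV
    "PASV\r\n",
    "RETR README\r\n",
    "STOR upload.bin\r\n",           # upload: not in the read-only verb set
    "SITE CHMOD 777 README\r\n",     # SITE is not relayed either
    "RETR \x00README\r\n",           # embedded NUL: malformed
    "QUIT\r\n",
]


def run_transcript(policy: FtpPolicy = INBOUND_ONLY, lines=SAMPLE_LINES,
                   client: str = "203.0.113.5", direction: str = "inbound"):
    """Run a transcript through one session; return the verdicts and the audit trail."""
    session = FtpSession(policy, client, direction)
    verdicts = [session.filter_command(line) for line in lines]
    return verdicts, session.audit


if __name__ == "__main__":
    _, audit = run_transcript()
    for entry in audit:
        print(entry)
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>An outbound session against the same policy is refused on its first command, which is the whole ``block outgoing FTP'' half of the configuration; the verb list is where protocol specific policy lives, and the audit list is the per-user record that a router-based filter cannot produce. </FONT>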
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00044000000000000000>3.4 What are some cheap
packet screening tools?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:packet_screen> </A> The Texas A&M security tools
include software for implementing screening routers.
Karlbridge is a PC-based screening router kit available from
<A href="ftp://ftp.net.ohio-state.edu/pub/kbridge/"
name=tex2html1><TT>ftp://ftp.net.ohio-state.edu/pub/kbridge/</TT></A>
. A version of the Digital Equipment Corporation ``screend''
kernel screening software is available for BSD-derived
operating systems. There are numerous kernel-level packet
screens, including <I>ipf</I>, <I>ipfw</I>, and
<I>ipfwadm</I>. Typically, these are included in various free
Unix implementations, such as <A
href="http://www.freebsd.org/" name=tex2html1>FreeBSD</A> , <A
href="http://www.openbsd.org/" name=tex2html1>OpenBSD</A> , <A
href="http://www.netbsd.org/" name=tex2html1>NetBSD</A> , and
<A href="http://www.linux.org/" name=tex2html1>Linux</A> . You
might also find these tools available in your commercial Unix
implementation. If you're willing to get your hands a little
dirty, it's completely possible to build a secure and fully
functional firewall for the price of hardware and some of your
time. </FONT>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00045000000000000000>3.5 What are some reasonable
filtering rules for a kernel-based packet screen?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:kern_filtering_rules> </A> This
example is written specifically for <I>ipfwadm</I> on Linux,
but the principles (and even much of the syntax) apply to
other kernel interfaces for packet screening on ``open
source'' Unix systems. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>There are
four basic categories covered by the <I>ipfwadm</I> rules:
</FONT>
<P>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>-A</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Packet
Accounting </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>-I</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Input
firewall </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>-O</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Output
firewall </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>-F</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Forwarding firewall </FONT></DD></DL>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><I>ipfwadm</I> also has masquerading (<TT>-M</TT>)
capabilities. For more information on switches and options,
see the <I>ipfwadm</I> <I>man</I> page. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00046000000000000000>3.6 Implementation</A>
</FONT></H2>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Here, our
organization is using a private (RFC 1918) Class C
network 192.168.1.0. Our ISP has assigned us the address
201.123.102.32 for our gateway's external interface and
201.123.102.33 for our external mail server. Organizational
policy says: </FONT>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Allow
all outgoing TCP connections </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Allow
incoming SMTP and DNS to external mail server </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Block
all other traffic </FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
following block of commands can be placed in a system boot
file (perhaps <TT>rc.local</TT> on Unix systems). </FONT>
<P><PRE><FONT face="Arial, Helvetica, sans-serif" size=2>
ipfwadm -F -f
ipfwadm -F -p deny
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
/sbin/route add -host 201.123.102.33 gw 192.168.1.2
</FONT></PRE>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00046100000000000000>3.6.1 Explanation</A>
</FONT></H3>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Line
one flushes (<TT>-f</TT>) all forwarding (<TT>-F</TT>)
rules. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Line
two sets the default policy (<TT>-p</TT>) to <TT>deny</TT>.
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Lines
three through five are input rules (<TT>-i</TT>) in the
following format: </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><I>ipfwadm</I> <B>-F</B> (forward) <B>-i</B> (input)
<B>m</B> (masq.) <B>-b</B> (bi-directional) <B>-P</B>
(protocol) [protocol] <B>-S</B> (source) [subnet/mask]
[originating ports] <B>-D</B> (destination) [subnet/mask]
[port] </FONT></P>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Line
six appends (<TT>-a</TT>) a rule that permits all internal
IP addresses out to all external addresses on all protocols,
all ports. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>The
last line adds a route so that traffic going to 201.123.102.33
will be directed to the internal address 192.168.1.2.
</FONT></LI></UL>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00046200000000000000>3.6.2 What are some
reasonable filtering rules for a Cisco?</A> </FONT></H3><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:cisco_filtering_rules> </A> The example in
figure <A
href="http://www.windows2000security.com/misc/firewalls-faq.html#fig:packet_filter">4</A>
shows one possible configuration for using a Cisco as a
filtering router. It is a sample that shows the implementation
of a specific policy. Your policy will undoubtedly vary.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><BR></FONT>
<DIV align=center><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=fig:packet_filter> </A><A
name=233> </A> </FONT>
<TABLE>
<CAPTION><STRONG>Figure 4:</STRONG> Packet Filtering
Router</CAPTION>
<TBODY>
<TR>
<TD><IMG
alt="\begin{figure} \begin{center} \includegraphics {firewalls-faq4} \end{center}\end{figure}" height=210
src="firewall-faq_files/img4.gif" width=508></TD></TR></TBODY></TABLE></DIV><FONT
face="Arial, Helvetica, sans-serif" size=2><BR></FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>In this
example, a company has the Class C network address 195.55.55.0.
The company network is connected to the Internet via an IP
service provider. Company policy is to allow everybody access to
Internet services, so all outgoing connections are accepted.
All incoming connections go through ``mailhost''. Mail and DNS
are the only incoming services. </FONT>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00046300000000000000>3.6.3 Implementation</A>
</FONT></H3>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Allow
all outgoing TCP-connections </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Allow
incoming SMTP and DNS to mailhost </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Allow
incoming FTP data connections to high TCP port (>1024)
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Try to
protect services that live on high port numbers
</FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Only
incoming packets from the Internet are checked in this
configuration. Rules are tested in order and stop when the
first match is found. There is an implicit deny rule at the
end of an access list that denies everything. This IP access
list assumes that you are running Cisco IOS v. 10.3 or later.
</FONT>
<P><PRE><FONT face="Arial, Helvetica, sans-serif" size=2>
no ip source-route
!
interface ethernet 0
ip address 195.55.55.1 255.255.255.0
!
interface serial 0
ip access-group 101 in
!
! anti-spoofing: nothing arriving from the Internet may claim a local source
access-list 101 deny ip 195.55.55.0 0.0.0.255 any
access-list 101 permit tcp any any established
!
! the only services reachable from outside: SMTP and DNS on mailhost
access-list 101 permit tcp any host 195.55.55.10 eq smtp
access-list 101 permit tcp any host 195.55.55.10 eq domain
access-list 101 permit udp any host 195.55.55.10 eq domain
!
! services that listen on high ports: X11, OpenWindows, NFS
access-list 101 deny tcp any any range 6000 6003
access-list 101 deny tcp any any range 2000 2003
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
!
! FTP data connections come from server port 20 to a high client port
access-list 101 permit tcp any eq 20 any gt 1024
!
access-list 101 permit icmp any any
!
! access-list 2 is a standard list (wildcard mask) restricting SNMP and
! vty (telnet) access to the router itself to the local network
snmp-server community FOOBAR RO 2
line vty 0 4
access-class 2 in
access-list 2 permit 195.55.55.0 0.0.0.255
</FONT></PRE>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00046400000000000000>3.6.4 Explanations</A>
</FONT></H3>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Drop
all source-routed packets. Source routing can be used for
address spoofing. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>If an
incoming packet claims to be from the local net, drop it.
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>All
packets which are part of already established
TCP connections can pass through without further checking.
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>All
connections to low port numbers are blocked except SMTP and
DNS. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Block
all services that listen for TCP connections on high port
numbers. X Windows (port 6000+) and OpenWindows (port 2000+)
are a few candidates. NFS (port 2049) usually runs over UDP,
but it can be run over TCP, so you should block it. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>Incoming connections from port 20 into high port
numbers are supposed to be FTP data connections. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>Access-list 2 limits access to the router itself (telnet
& SNMP). </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>All other
UDP traffic is blocked by the implicit deny, to protect RPC
services. </FONT></LI></UL>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00046500000000000000>3.6.5 Shortcomings</A>
</FONT></H3>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>You
cannot enforce strong access policies with router access
lists. Users can easily install backdoors to their systems
to get over ``no incoming telnet'' or ``no X'' rules. Also
crackers install telnet backdoors on systems where they
break in. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>You can
never be sure what services you have listening for
connections on high port numbers. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>Checking the source port on incoming FTP data
connections is a weak security method. It also breaks access
to some FTP sites. It makes use of the service more
difficult for users without preventing bad guys from
scanning your systems. </FONT></LI></UL>
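<P><FONT face="Arial, Helvetica, sans-serif" size=2>The first-match, implicit-deny evaluation described in 3.6.3 and 3.6.4 (and the default-deny forwarding policy that <TT>ipfwadm -F -p deny</TT> sets up in 3.6) can be checked offline before a rule set goes onto a router. The following Python model is an added example, not code from the FAQ and not Cisco's: it encodes access-list 101 as rule objects and runs constructed packets through it. The <TT>Packet</TT> and <TT>Rule</TT> classes, the <TT>established</TT> flag (standing in for the IOS check of the TCP ACK/RST bits), CIDR networks in place of IOS wildcard masks, and the 203.0.113.0/24 sample peer addresses are assumptions of the example. The <TT>ftp_data</TT> packet shows the weakness listed above under 3.6.5: any connection whose source port is 20 reaches every high port that an earlier rule has not already denied. </FONT>

```python
"""First-match packet screen modelled on the Cisco access-list in 3.6.3.

Added example of stateless address/port filtering with an implicit deny;
not IOS and not the FAQ's code. Classes and sample packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    sport: int = 0             # source port (tcp/udp only)
    dport: int = 0             # destination port (tcp/udp only)
    established: bool = False  # stands in for IOS "established" (TCP ACK or RST set)


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "ip" matches every protocol
    src: str = "0.0.0.0/0"              # source network (CIDR, not an IOS wildcard mask)
    dst: str = "0.0.0.0/0"              # destination network
    sports: Tuple[int, int] = ANY_PORT  # inclusive source-port range
    dports: Tuple[int, int] = ANY_PORT  # inclusive destination-port range
    established: bool = False           # match only established TCP sessions

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if pkt.proto in ("tcp", "udp"):  # ICMP has no ports to compare
            if not (self.sports[0] <= pkt.sport <= self.sports[1]):
                return False
            if not (self.dports[0] <= pkt.dport <= self.dports[1]):
                return False
        if self.established and not (pkt.proto == "tcp" and pkt.established):
            return False
        return True


def screen(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule index) for the first matching rule.

    No match means the implicit deny at the end of the list: ("deny", None).
    """
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


LOCAL_NET = "195.55.55.0/24"   # the company's Class C from 3.6.2
MAILHOST = "195.55.55.10/32"   # ``mailhost'' in the access list

# access-list 101 from 3.6.3, rule for rule, in the order IOS tests them.
ACCESS_LIST_101 = [
    Rule("deny", "ip", src=LOCAL_NET),                             # anti-spoofing
    Rule("permit", "tcp", established=True),                       # replies to our own sessions
    Rule("permit", "tcp", dst=MAILHOST, dports=(25, 25)),          # SMTP to mailhost
    Rule("permit", "tcp", dst=MAILHOST, dports=(53, 53)),          # DNS/TCP to mailhost
    Rule("permit", "udp", dst=MAILHOST, dports=(53, 53)),          # DNS/UDP to mailhost
    Rule("deny", "tcp", dports=(6000, 6003)),                      # X11
    Rule("deny", "tcp", dports=(2000, 2003)),                      # OpenWindows
    Rule("deny", "tcp", dports=(2049, 2049)),                      # NFS over TCP
    Rule("deny", "udp", dports=(2049, 2049)),                      # NFS over UDP
    Rule("permit", "tcp", sports=(20, 20), dports=(1025, 65535)),  # FTP data
    Rule("permit", "icmp"),
]

# Constructed sample packets (203.0.113.0/24 is documentation space, not a real peer).
SAMPLE_PACKETS = {
    "spoofed": Packet("tcp", "195.55.55.7", "195.55.55.10", 1234, 25),
    "smtp_in": Packet("tcp", "203.0.113.5", "195.55.55.10", 40000, 25),
    "dns_udp": Packet("udp", "203.0.113.5", "195.55.55.10", 40000, 53),
    "reply_to_client": Packet("tcp", "203.0.113.5", "195.55.55.20", 80, 40000, True),
    "x11": Packet("tcp", "203.0.113.5", "195.55.55.20", 40000, 6001),
    "nfs_udp": Packet("udp", "203.0.113.5", "195.55.55.20", 40000, 2049),
    "ftp_data": Packet("tcp", "203.0.113.5", "195.55.55.20", 20, 5000),
    "telnet_in": Packet("tcp", "203.0.113.5", "195.55.55.20", 40000, 23),
    "ping": Packet("icmp", "203.0.113.5", "195.55.55.20"),
}


def decide_all(rules=ACCESS_LIST_101, packets=SAMPLE_PACKETS):
    """Map each sample packet name to the (action, rule index) the list gives it."""
    return {name: screen(rules, pkt) for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (action, index) in decide_all().items():
        where = "implicit deny" if index is None else f"rule {index}"
        print(f"{name:16s} {action:6s} ({where})")
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>Reordering the rule list changes the verdicts, which is the point of testing it this way: the <TT>established</TT> permit sits before the X11 and OpenWindows denies, so those denies only bite on connection attempts, exactly as the router evaluates them. </FONT>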
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Use at
least Cisco version 9.21 so you can filter incoming packets
and check for address spoofing. It's still better to use 10.3,
where you get some extra features (like filtering on source
port) and some improvements on filter syntax. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>You still
have a few ways to make your setup stronger. Block all
incoming TCP-connections and tell users to use passive-FTP
clients. You can also block outgoing ICMP echo-reply and
destination-unreachable messages to hide your network and to
prevent use of network scanners. Cisco.com used to have an
archive of examples for building firewalls using Cisco
routers, but it doesn't seem to be online anymore. There are
some notes on Cisco access control lists, at least, at <A
href="ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists"
name=tex2html1><TT>ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists</TT></A>
. </FONT>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00047000000000000000>3.7 What are the critical
resources in a firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:crit_res> </A> It's important to understand the
critical resources of your firewall architecture, so when you
do capacity planning, performance optimizations, etc., you
know exactly what you need to do, and how much you need to do
it in order to get the desired result. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>What
exactly the firewall's critical resources are tends to vary
from site to site, depending on the sort of traffic that loads
the system. Some people think they'll automatically be able to
increase the data throughput of their firewall by putting in a
box with a faster CPU, or another CPU, when this isn't
necessarily the case. Potentially, this could be a large waste
of money that doesn't do anything to solve the problem at hand
or provide the expected scalability. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>On busy
systems, <EM>memory</EM> is extremely important. You have to
have enough RAM to support every instance of every program
necessary to service the load placed on that machine.
Otherwise, the swapping will start and the productivity will
stop. Light swapping isn't usually much of a problem, but if a
system's swap space begins to get busy, then it's usually time
for more RAM. A system that's heavily swapping is often
relatively easy to push over the edge in a denial-of-service
attack, or simply fall behind in processing the load placed on
it. This is where long email delays start. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Beyond the
system's requirement for memory, it's useful to understand
that different services use different system resources. So the
configuration that you have for your system should be
indicative of the kind of load you plan to service. A 700 MHz
processor isn't going to do you much good if all you're doing
is netnews and mail, and are trying to do it on an IDE disk
with an ISA controller. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2><BR></FONT>
<DIV align=center><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=256> </A> </FONT>
<TABLE align=center border=1 cellPadding=3>
<CAPTION><STRONG>Table 1:</STRONG> Critical Resources for
Firewall Services</CAPTION>
<TBODY>
<TR vAlign=top>
<TD align=left noWrap>Service</TD>
<TD align=left noWrap>Critical Resource</TD></TR>
<TR vAlign=top>
<TD align=left noWrap>Email</TD>
<TD align=left noWrap>Disk I/O</TD></TR>
<TR vAlign=top>
<TD align=left noWrap>Netnews</TD>
<TD align=left noWrap>Disk I/O</TD></TR>
<TR vAlign=top>
<TD align=left noWrap>Web</TD>
<TD align=left noWrap>Host OS Socket Performance</TD></TR>
<TR vAlign=top>
<TD align=left noWrap>IP Routing</TD>
<TD align=left noWrap>Host OS Socket Performance</TD></TR>
<TR vAlign=top>
<TD align=left noWrap>Web Cache</TD>
<TD align=left noWrap>Host OS Socket Performance, Disk
I/O</TD></TR></TBODY></TABLE><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=tab:crit_res> </A> </FONT></DIV><FONT
face="Arial, Helvetica, sans-serif" size=2><BR></FONT>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00048000000000000000>3.8 What is a DMZ, and why do
I want one?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:dmz> </A> ``DMZ'' is an abbreviation for
``demilitarized zone''. In the context of firewalls, this
refers to a part of the network that is neither part of the
internal network nor directly part of the Internet. Typically,
this is the area between your Internet access router and your
bastion host, though it can be between any two
policy-enforcing components of your architecture. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>A DMZ can
be created by putting access control lists on your access
router. This minimizes the exposure of hosts on your external
LAN by allowing only recognized and managed services on those
hosts to be accessible by hosts on the Internet. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>For
example, a web server running on NT might be vulnerable to a
number of denial-of-service attacks against such services as
NetBIOS and SMB. These services are not required for the
operation of a web server, so blocking TCP connections to
ports 135 and 139 on that host will reduce the exposure to a
denial-of-service attack. (Windows 2000 also carries SMB
directly over TCP port 445, and the NetBIOS name and datagram
services listen on UDP ports 137 and 138, so a filter that
covers only 135 and 139 leaves gaps.) In fact, if you block
everything but HTTP traffic to that host, an attacker will
only have one service to attack. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00049000000000000000>3.9 How might I increase the
security and scalability of my DMZ?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:dmz_sec> </A> A common approach for an attacker
is to break into a host that's vulnerable to attack, and
exploit trust relationships between the vulnerable host and
more interesting targets. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>If you are
running a number of services that have different levels of
security, you might want to consider breaking your DMZ into
several ``security zones''. This can be done by having a
number of different networks within the DMZ. For example, the
access router could feed two ethernets, both protected by
ACLs, and therefore in the DMZ. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>On one of
the ethernets, you might have hosts whose purpose is to
service your organization's need for Internet connectivity.
These will likely relay mail and news, and host DNS. On the
other ethernet could be your web server(s) and other hosts
that provide services for the benefit of Internet users. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>In many
organizations, services for Internet users tend to be less
carefully guarded and are more likely to be doing insecure
things. (For example, in the case of a web server,
unauthenticated and untrusted users might be running CGI or
other executable programs. This might be reasonable for your
web server, but brings with it a certain set of risks that
need to be managed. It is likely these services are too risky
for an organization to run them on a bastion host, where a
slip-up can result in the complete failure of the security
mechanisms.) </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>By putting
hosts with similar levels of risk on networks together in the
DMZ, you can help minimize the effect of a breakin at your
site. If someone breaks into your web server by exploiting
some bug in your web server, they'll not be able to use it as
a launching point to break into your private network if the
web servers are on a separate LAN from the bastion hosts, and
you don't have any trust relationships between the web server
and bastion host. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Now, keep
in mind that we're running ethernet here. If someone breaks
into your web server, and your bastion host is on the same
ethernet, an attacker can install a sniffer on your web
server, and watch the traffic to and from your bastion host.
This might reveal things that can be used to break into the
bastion host and gain access to the internal network. A
switched ethernet does not remove this risk: a compromised
host can use ARP spoofing to pull its neighbours' traffic
through itself. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>By
splitting services up not only by host, but by network, and
limiting the level of trust between hosts on those networks,
you can greatly reduce the likelihood of a breakin on one host
being used to break into the other. Succinctly stated: breaking
into the web server in this case won't make it any easier to
break into the bastion host. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>You can
also increase the scalability of your architecture by placing
hosts on different networks. The fewer machines that there are
to share the available bandwidth, the more bandwidth that each
will get. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000410000000000000000>3.10 What is a `single point
of failure', and how do I avoid having one?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:spof> </A> An architecture whose
security hinges upon one mechanism has a single point of
failure. Software that runs bastion hosts has bugs.
Applications have bugs. Software that controls routers has
bugs. It makes sense to use all of these components to build a
securely designed network, and to use them in redundant ways.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>If your
firewall architecture is a screened subnet, you have two
packet filtering routers and a bastion host. (See question <A
href="http://www.windows2000security.com/misc/firewalls-faq.html#sec:firewall_types">3.2</A>
from this section.) Your Internet access router will not
permit traffic from the Internet to get all the way into your
private network. However, if you don't enforce that rule with
any other mechanisms on the bastion host and/or choke router,
only one component of your architecture needs to fail or be
compromised in order to get inside. On the other hand, if you
have a redundant rule on the bastion host, and again on the
choke router, an attacker will need to defeat <EM>three</EM>
mechanisms. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Further,
if the bastion host or the choke router needs to invoke its
rule to block outside access to the internal network, you
might want to have it trigger an alarm of some sort, since you
know that someone has gotten through your access router.
</FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000411000000000000000>3.11 How can I block all of
the bad stuff?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:blockbad> </A> For firewalls where the emphasis
is on security instead of connectivity, you should consider
blocking <em>everything</em> by default, and only
specifically allowing what services you need on a case-by-case
basis. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>If you
block everything, except a specific set of services, then
you've already made your job much easier. Instead of having to
worry about every security problem with every product and
service around, you only need to worry about every security
problem with a specific set of services and products.
<CODE>:-)</CODE> </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Before
turning on a service, you should consider a couple of
questions: </FONT>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Is the
protocol for this product a well-known, published protocol?
</FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Is the
application to service this protocol available for public
inspection of its implementation? </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>How
well known is the service and product? </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>How
does allowing this service change the firewall architecture?
Will an attacker see things differently? Could it be
exploited to get at my internal network, or to change things
on hosts in my DMZ? </FONT></LI></UL>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>When
considering the above questions, keep the following in mind:
</FONT>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>``Security through obscurity'' is no security at all.
Unpublished protocols have been examined by bad guys and
defeated. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Despite
what the marketing representatives say, not every protocol
or service is designed with security in mind. In fact, the
number that are is very few. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Even in
cases where security is a consideration, not all
organizations have competent security staff. Among those who
don't, not all are willing to bring a competent consultant
into the project. The end result is that
otherwise-competent, well-intended developers can design
insecure systems. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>The
less that a vendor is willing to tell you about how their
system <EM>really</EM> works, the more likely it is that
security (or other) problems exist. Only vendors with
something to hide have a reason to hide their designs and
implementations. </FONT></LI></UL>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000412000000000000000>3.12 How can I restrict web
access so users can't view sites unrelated to work?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:siteblock> </A> A few years ago,
someone got the idea that it's a good idea to block ``bad''
web sites, i.e., those that contain material that The Company
views as ``inappropriate''. The idea has been increasing in
popularity, but there are several things to consider when
thinking about implementing such controls in your firewall.
</FONT>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>It is
not possible to practically block everything that an
employer deems ``inappropriate''. The Internet is full of
every sort of material. Blocking one source will only
redirect traffic to another source of such material, or
cause someone to figure a way around the block. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Most
organizations do not have a standard for judging the
appropriateness of material that their employees bring to
work, i.e., books, magazines, etc. Do you inspect everyone's
briefcase for ``inappropriate material'' every day? If you
do not, then why would you inspect every packet for
``inappropriate material''? Any decisions along those lines
in such an organization will be arbitrary. Attempting to
take disciplinary action against an employee where the only
standard is arbitrary typically isn't wise, for reasons well
beyond the scope of this document. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif"
size=2>Products that perform site-blocking, commercial and
otherwise, are easy to circumvent. Hostnames can be
rewritten as IP addresses. IP addresses can be written as a
32-bit integer value, or as four 8-bit integers (the most
common form). They can be written as two 16-bit integers, or
one 24-bit and one 8-bit integer, or vice-versa. Connections
can be proxied. Web pages can be fetched via email. You
can't block them all. The effort that you'll spend trying to
implement and manage such controls will almost certainly far
exceed any level of damage control that you're hoping to
have. </FONT></LI></UL>
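<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
address-spelling tricks in the last item can at least be
neutralised before a blocklist lookup. The following Python is
an added example, not part of the original FAQ: it canonicalises
every form that the classic BSD <TT>inet_aton()</TT> accepts
(one 32-bit number; two, three or four parts; each part in
decimal, octal or hex) to a dotted quad and matches the result
against a CIDR list. The blocked network 192.0.2.0/24 and the
sample spellings are constructed for the example. It closes only
the encoding loophole; hostnames, proxies and pages fetched by
email remain, as the FAQ says. </FONT>

```python
import ipaddress


def canonical_ipv4(text):
    """Return the dotted-quad form of an IPv4 address written in any of the
    spellings the classic BSD inet_aton() accepts: one 32-bit number, two
    parts (8+24 bits), three parts (8+8+16 bits) or four 8-bit parts, with
    each part in decimal, octal (leading 0) or hex (leading 0x). Returns
    None if the text is not an address in any of those forms."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isalnum() for p in parts):
        return None
    try:
        nums = [int(p, 16) if p[:2].lower() == "0x" else
                int(p, 8) if len(p) > 1 and p[0] == "0" else
                int(p, 10) for p in parts]
    except ValueError:
        return None
    *head, last = nums
    if any(h > 255 for h in head):
        return None
    width = 32 - 8 * len(head)          # bits the last part is allowed to fill
    if last >= 1 << width:
        return None
    value = 0
    for h in head:
        value = (value << 8) | h
    value = (value << width) | last
    return str(ipaddress.IPv4Address(value))


# Constructed policy for the example: one documentation-range network is blocked.
BLOCKED = [ipaddress.ip_network("192.0.2.0/24")]


def is_blocked(target, blocked=BLOCKED):
    """Decide for the host part of a URL. Non-address targets (hostnames)
    return False here; they would need resolving before any decision."""
    canon = canonical_ipv4(target)
    if canon is None:
        return False
    addr = ipaddress.IPv4Address(canon)
    return any(addr in net for net in blocked)


if __name__ == "__main__":
    # Every spelling below is the same host, 192.0.2.1.
    for spelling in ["192.0.2.1", "3221225985", "0xC0000201", "192.0.513",
                     "192.513", "0300.0.02.01", "0xc0.0.2.1"]:
        print("%-14s -> %-10s blocked=%s"
              % (spelling, canonical_ipv4(spelling), is_blocked(spelling)))
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
parser deliberately mirrors <TT>inet_aton()</TT> rather than
calling it, so the result does not depend on which libc the
filter happens to run on. </FONT>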
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
rule-of-thumb to remember here is that you cannot solve social
problems with technical solutions. If there is a problem with
someone going to an ``inappropriate'' web site, that is
because someone else saw it and was offended by what he saw,
or because that person's productivity is below expectations.
In either case, those are matters for the personnel
department, not the firewall administrator. </FONT>
<P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00050000000000000000>4 Various Attacks</A>
</FONT></H1><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:attacks> </A> </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00051000000000000000>4.1 What is source routed
traffic and why is it a threat?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:srcrt> </A> Normally, the route a packet takes
from its source to its destination is determined by the
routers between the source and destination. The packet itself
only says where it wants to go (the destination address), and
nothing about how it expects to get there. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>There is
an optional way for the sender of a packet (the source) to
include information in the packet that tells the route the
packet should take to get to its destination; thus the name
``source routing''. For a firewall, source routing is
noteworthy, since an attacker can generate traffic claiming to
be from a system ``inside'' the firewall. In general, such
traffic wouldn't route to the firewall properly, but with the
source routing option, all the routers between the attacker's
machine and the target will return traffic along the reverse
path of the source route. Implementing such an attack is quite
easy; so firewall builders should not discount it as unlikely
to happen. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>In
practice, source routing is very little used. In fact,
generally the main legitimate use is in debugging network
problems or routing traffic over specific links for congestion
control for specialized situations. When building a firewall,
source routing should be blocked at some point. Most
commercial routers incorporate the ability to block source
routing specifically, and many versions of Unix that might be
used to build firewall bastion hosts have the ability to
disable or ignore source routed traffic. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00052000000000000000>4.2 What are ICMP redirects
and redirect bombs?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:icmp> </A> An ICMP Redirect tells the recipient
system to over-ride something in its routing table. It is
legitimately used by routers to tell hosts that the host is
using a non-optimal or defunct route to a particular
destination, i.e. the host is sending it to the wrong router.
The wrong router sends the host back an ICMP Redirect packet
that tells the host what the correct route should be. If you
can forge ICMP Redirect packets, and if your target host pays
attention to them, you can alter the routing tables on the
host and possibly subvert the security of the host by causing
traffic to flow via a path the network manager didn't intend.
ICMP Redirects also may be employed for denial of service
attacks, where a host is sent a route that loses it
connectivity, or is sent an ICMP Network Unreachable packet
telling it that it can no longer access a particular network.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Many
firewall builders screen ICMP traffic from their network,
since it limits the ability of outsiders to ping hosts, or
modify their routing tables. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Before you
decide to completely block ICMP, you should be aware of how
``Path MTU Discovery'' works, to make certain that you don't
break connectivity to other sites: a host sending with the
don't-fragment bit set relies on ICMP ``fragmentation needed''
messages (destination unreachable, type 3, code 4) to learn
that it must use smaller packets, and if those never arrive
its large packets are silently dropped. If you can't safely
block ICMP everywhere, you can consider allowing selected
types of ICMP to selected routing devices. If you don't block
it, you should at least ensure that your routers and hosts
don't respond to broadcast ping packets. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00053000000000000000>4.3 What about denial of
service?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:dos> </A> Denial of service is when someone
decides to make your network or firewall useless by disrupting
it, crashing it, jamming it, or flooding it. The problem with
denial of service on the Internet is that it is impossible to
prevent. The reason has to do with the distributed nature of
the network: every network node is connected via other
networks which in turn connect to other networks, etc. A
firewall administrator or ISP only has control of a few of the
local elements within reach. An attacker can always disrupt a
connection ``upstream'' from where the victim controls it. In
other words, if someone wanted to take a network off the air,
they could do it either by taking the network off the air, or
by taking the networks it connects to off the air, ad
infinitum. There are many, many, ways someone can deny
service, ranging from the complex to the brute-force. If you
are considering using Internet for a service which is
absolutely time or mission critical, you should consider your
fall-back position in the event that the network is down or
damaged. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>TCP/IP's
UDP echo service is trivially abused to get two servers to
flood a network segment with echo packets: a single forged
datagram from one host's echo port to another host's echo or
chargen port sets off a ping-pong that neither side stops. You
should consider commenting out unused entries in
<TT>/etc/inetd.conf</TT> of Unix hosts, adding <CODE>no service
udp-small-servers</CODE> and <CODE>no service
tcp-small-servers</CODE> to Cisco routers, or the equivalent
for your components. </FONT>
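<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
attacks in questions 4.1, 4.2 and 4.3 are all visible in the
packet headers, and a screening filter's first job is to parse
those headers correctly. The following Python is an added
example, not code from the FAQ: it decodes an IPv4 header with
its option list, verifies the header checksum, and flags
source-routed packets (the loose or strict source-route
option), ICMP Redirects, and UDP datagrams that run between the
``small servers'' ports. The sample packets are constructed in
the block from RFC 5737 documentation addresses; they are not
captures. </FONT>

```python
import struct

# Constants from RFC 791 (options), RFC 792 (ICMP) and the IANA port list.
IPOPT_LSRR, IPOPT_SSRR = 131, 137      # loose / strict source route options
PROTO_ICMP, PROTO_UDP = 1, 17
ICMP_REDIRECT = 5
SMALL_SERVERS = {7, 9, 13, 19}         # echo, discard, daytime, chargen


def ip_checksum(hdr):
    """RFC 1071 one's-complement sum over a header of even length. Returns 0
    when the header's own checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def scan_options(opts):
    """Walk the IPv4 option list and return the option type codes present."""
    codes, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                          # End of Option List
            break
        if kind == 1:                          # No Operation: one byte, no length
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("malformed IP option at offset %d" % i)
        codes.append(kind)
        i += opts[i + 1]
    return codes


def parse_ipv4(pkt):
    """Decode the fixed header, check its checksum, and split off the payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
            "proto": proto, "options": scan_options(pkt[20:ihl]),
            "payload": pkt[ihl:]}


def classify(pkt):
    """Return the names of the policy violations a screening filter should drop."""
    ip = parse_ipv4(pkt)
    hits, p = [], ip["payload"]
    if IPOPT_LSRR in ip["options"] or IPOPT_SSRR in ip["options"]:
        hits.append("source-routed")                 # question 4.1
    if ip["proto"] == PROTO_ICMP and len(p) >= 8 and p[0] == ICMP_REDIRECT:
        hits.append("icmp-redirect")                 # question 4.2
    if ip["proto"] == PROTO_UDP and len(p) >= 8:
        sport, dport = struct.unpack("!HH", p[:4])
        if sport in SMALL_SERVERS and dport in SMALL_SERVERS:
            hits.append("udp-small-server-loop")     # question 4.3
    return hits


def build_ipv4(src, dst, proto, payload, options=b""):
    """Assemble a packet with a valid header checksum; used only for the samples."""
    options += b"\x00" * (-len(options) % 4)         # pad options to 32-bit words
    ihl = 5 + len(options) // 4
    addr = lambda a: bytes(int(x) for x in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, addr(src), addr(dst)) + options
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:] + payload


# Constructed sample packets (RFC 5737 documentation addresses), not captures.
TCP_SYN = struct.pack("!HHLLBBHHH", 1025, 80, 1, 0, 0x50, 0x02, 8192, 0, 0)
SAMPLES = {
    "tcp": build_ipv4("198.51.100.7", "192.0.2.10", 6, TCP_SYN),
    # loose source route: type 131, length 7, pointer 4, one hop; the source
    # address claims to be an inside host, as described in 4.1
    "lsrr": build_ipv4("192.0.2.5", "192.0.2.10", 6, TCP_SYN,
                       options=b"\x83\x07\x04" + bytes([198, 51, 100, 7])),
    # ICMP host redirect (type 5, code 1) naming an attacker-chosen gateway;
    # the ICMP checksum is left zero, the filter does not verify it
    "redirect": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_ICMP,
                           b"\x05\x01\x00\x00" + bytes([198, 51, 100, 7]) + b"\x00" * 28),
    # UDP from the echo port to the chargen port: the ping-pong flood in 4.3
    "echo-loop": build_ipv4("198.51.100.7", "192.0.2.10", PROTO_UDP,
                            struct.pack("!HHHH", 7, 19, 8, 0)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-10s %s" % (name, ", ".join(classify(pkt)) or "ok"))
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>Note that
the option walker raises on a malformed option list instead of
skipping it; a filter that gives up parsing and passes the
packet would let exactly the packets it is meant to catch
through. </FONT>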
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00054000000000000000>4.4 What are some common
attacks, and how can I protect my system against them?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:common_attacks> </A> Each site is a
little different from every other in terms of what attacks are
likely to be used against it. Some recurring themes do arise,
though. </FONT>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00054100000000000000>4.4.1 SMTP Session
Hijacking</A> </FONT></H3>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>This is
where a spammer will take many thousands of copies of a
message and send it to a huge list of email addresses. Because
these lists are often so bad, and in order to increase the
speed of operation for the spammer, many have resorted to
simply sending all of their mail to an SMTP server that will
take care of actually delivering the mail. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Of course,
all of the bounces, spam complaints, hate mail, and bad PR
come for the site that was used as a relay. There is a very
real cost associated with this, mostly in paying people to
clean up the mess afterward. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The Mail
Abuse Prevention System<A
href="http://www.windows2000security.com/misc/firewall-faq.html#400"
name=tex2html6><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A> Transport
Security Initiative<A
href="http://www.windows2000security.com/misc/firewall-faq.html#401"
name=tex2html7><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A> maintains a
complete description of the problem, and how to configure just
about every mailer on the planet to protect against this
attack. </FONT>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00054200000000000000>4.4.2 Exploiting Bugs in
Applications</A> </FONT></H3>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Various
versions of web servers, mail servers, and other Internet
service software contain bugs that allow remote (Internet)
users to do things ranging from gain control of the machine to
making that application crash and just about everything in
between. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
exposure to this risk can be reduced by running only necessary
services, keeping up to date on patches, and using products
that have been around a while. </FONT>
<P>
<H3><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00054300000000000000>4.4.3 Bugs in Operating
Systems</A> </FONT></H3>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Again,
these are typically initiated by users remotely. Operating
systems that are relatively new to IP networking tend to be
more problematic, as more mature operating systems have had
time to find and eliminate their bugs. An attacker can often
make the target equipment continuously reboot, crash, lose the
ability to talk to the network, or replace files on the
machine. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Here,
running as few operating system services as possible can help.
Also, having a packet filter in front of the operating system
can reduce the exposure to a large number of these types of
attacks. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>And, of
course, choosing a stable operating system will help here as
well. When selecting an OS, don't be fooled into believing
that ``the pricier, the better''. Free operating systems are
often much more robust than their commercial counterparts.
</FONT>
<P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00060000000000000000>5 How Do I...</A>
</FONT></H1><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:how> </A> </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00061000000000000000>5.1 Do I really want to allow
everything that my users ask for?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:userask> </A> It's entirely possible that the
answer is ``no''. Each site has its own policies about what is
and isn't needed, but it's important to remember that a large
part of the job of being an organization's gatekeeper is
<em>education</em>. Users want streaming video,
real-time chat, and to be able to offer services to external
customers that require interaction with live databases on the
internal network. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>That
doesn't mean that any of these things can be done without
presenting more risk to the organization than the supposed
``value'' of heading down that road is worth. Most users don't
want to put their organization at risk. They just read the
trade rags, and see advertisements, and they want to do those
things, too. It's important to look into what it is that they
really want to do, and help them understand how they might be
able to accomplish their real objective in a more secure
manner. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>You won't
always be popular, and you might even find yourself being
given direction to do something incredibly stupid, like ``just
open up ports foo through bar, and don't worry about it''. It
would be wise to keep a record of all of your exchanges on
such an event so that when a 12-year-old script kiddie breaks
in, you'll at least be able to separate yourself from the
whole mess. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00062000000000000000>5.2 How do I make Web/HTTP
work through my firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:web> </A> There are three ways to do it. </FONT>
<P>
<DL compact>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2>1.
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Allow
``established'' connections out via a router, if you are
using screening routers. </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2>2.
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Use a
web client that supports SOCKS, and run SOCKS on your
bastion host. </FONT>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2>3.
</FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Run
some kind of proxy-capable web server on the bastion host.
Some options include Squid<A
href="http://www.windows2000security.com/misc/firewall-faq.html#402"
name=tex2html8><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A>, Apache<A
href="http://www.windows2000security.com/misc/firewall-faq.html#403"
name=tex2html9><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A>, Netscape
Proxy<A
href="http://www.windows2000security.com/misc/firewall-faq.html#404"
name=tex2html10><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A>
(http://home.netscape.com/proxy/v3.5/index.html), and
<I>http-gw</I> from the TIS firewall toolkit. Most of these
can also proxy other protocols (such as gopher and ftp), and
can cache objects fetched, which will also typically result
in a performance boost for the users, and more efficient use
of your connection to the Internet. Essentially all web
clients (Mozilla, Internet Explorer, Lynx, etc.) have proxy
server support built directly into them. </FONT></DD></DL>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00063000000000000000>5.3 How do I make SSL work
through the firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:how_ssl> </A> SSL is a protocol that allows
secure connections across the Internet. Typically, SSL is used
to protect HTTP traffic. However, other protocols (such as
telnet) can run atop SSL. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Enabling
SSL through your firewall can be done the same way that you
would allow HTTP traffic, if it's HTTP that you're using SSL
to secure, which is usually true. The only difference is that
instead of using something that will simply relay HTTP, you'll
need something that can tunnel SSL, since the proxy cannot
read the encrypted stream. Most web proxies and object caches
do this through the HTTP <TT>CONNECT</TT> method, which opens
a raw TCP tunnel to the requested host and port; restrict the
ports it may tunnel to (typically 443), because anything at
all can be carried through such a tunnel. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>You can
find out more about SSL from Netscape<A
href="http://www.windows2000security.com/misc/firewall-faq.html#405"
name=tex2html11><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A>. </FONT>
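<P><FONT face="Arial, Helvetica, sans-serif" size=2>What
``something that can tunnel SSL'' amounts to is a proxy that
understands the HTTP <TT>CONNECT</TT> method. The following
Python is an added example, not the code of any proxy named
above: it parses the <TT>CONNECT host:port</TT> request line,
applies a port policy (the allowed set <TT>{443}</TT> and the
listening address 127.0.0.1:3128 are assumptions for the
example), and then splices bytes between client and server
without looking inside them. Any bytes the client sends after
the request headers are forwarded rather than dropped. </FONT>

```python
import socket
import threading

# Assumed policy for the example: CONNECT may only reach the HTTPS port.
ALLOWED_CONNECT_PORTS = {443}


def parse_connect(request_line):
    """Parse a 'CONNECT host:port HTTP/1.x' request line given as bytes.
    Returns (host, port) or None if it is not a well-formed CONNECT."""
    try:
        method, target, version = request_line.decode("ascii").strip().split(" ")
    except ValueError:                     # non-ASCII or wrong number of fields
        return None
    if method != "CONNECT" or not version.startswith("HTTP/1."):
        return None
    host, sep, port = target.rpartition(":")   # rpartition keeps [v6]:port intact
    if not sep or not host or not port.isdigit() or not 1 <= int(port) <= 65535:
        return None
    return host, int(port)


def connect_allowed(request_line, allowed=ALLOWED_CONNECT_PORTS):
    """Policy decision: only a valid CONNECT to an allowed port may be tunnelled."""
    parsed = parse_connect(request_line)
    return parsed is not None and parsed[1] in allowed


def read_head(conn):
    """Read up to the blank line that ends the request headers. Returns the
    header block and any bytes already received after it, which belong to
    the tunnel and must be forwarded."""
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = conn.recv(4096)
        if not chunk or len(buf) > 16384:
            return None, b""
        buf += chunk
    head, _, rest = buf.partition(b"\r\n\r\n")
    return head, rest


def pump(src, dst):
    """Copy bytes one way until EOF, then shut both sockets down so the
    thread pumping the other direction finishes too."""
    try:
        while True:
            data = src.recv(65536)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client):
    with client:
        head, rest = read_head(client)
        if head is None or not connect_allowed(head.split(b"\r\n", 1)[0]):
            client.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
            return
        host, port = parse_connect(head.split(b"\r\n", 1)[0])
        try:
            upstream = socket.create_connection((host.strip("[]"), port), timeout=10)
        except OSError:
            client.sendall(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
            return
        with upstream:
            upstream.settimeout(None)
            client.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")
            if rest:
                upstream.sendall(rest)
            t = threading.Thread(target=pump, args=(upstream, client), daemon=True)
            t.start()
            pump(client, upstream)
            t.join()


def serve(bind=("127.0.0.1", 3128)):
    """Listen on the bastion host and hand each client to its own thread."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(bind)
        srv.listen(64)
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle_client, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>Run it and
point a browser's HTTPS proxy setting at 127.0.0.1:3128; a
<TT>CONNECT</TT> to port 25 or 22 is refused with 403, which is
the whole point of the port policy. </FONT>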
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00064000000000000000>5.4 How do I make DNS work
with a firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:dns> </A> Some organizations want to hide DNS
names from the outside. Many experts don't think hiding DNS
names is worthwhile, but if site/corporate policy mandates
hiding domain names, this is one approach that is known to
work. Another reason you may have to hide domain names is if
you have a non-standard addressing scheme on your internal
network. In that case, you have no choice but to hide those
addresses. Don't fool yourself into thinking that if your DNS
names are hidden that it will slow an attacker down much if
they break into your firewall. Information about what is on
your network is too easily gleaned from the networking layer
itself. If you want an interesting demonstration of this, ping
the subnet broadcast address on your LAN and then do an ``arp
-a.'' Note also that hiding names in the DNS doesn't address
the problem of host names ``leaking'' out in mail headers,
news articles, etc. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>This
approach is one of many, and is useful for organizations that
wish to hide their host names from the Internet. The success
of this approach lies on the fact that DNS clients on a
machine don't have to talk to a DNS server on that same
machine. In other words, just because there's a DNS server on
a machine, there's nothing wrong with (and there are often
advantages to) redirecting that machine's DNS client activity
to a DNS server on another machine. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>First, you
set up a DNS server on the bastion host that the outside world
can talk to. You set this server up so that it claims to be
authoritative for your domains. In fact, all this server knows
is what you want the outside world to know; the names and
addresses of your gateways, your wildcard MX records, and so
forth. This is the ``public'' server. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Then, you
set up a DNS server on an internal machine. This server also
claims to be authoritative for your domains; unlike the public
server, this one is telling the truth. This is your ``normal''
nameserver, into which you put all your ``normal'' DNS stuff.
You also set this server up to forward queries that it can't
resolve to the public server (using a ``forwarders'' line in
/etc/named.boot on a BIND 4 Unix machine, or a
<TT>forwarders</TT> option in <TT>named.conf</TT> with BIND 8
or 9, for example). </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Finally,
you set up all your DNS clients (the <TT>/etc/resolv.conf</TT>
file on a Unix box, for instance), including the ones on the
machine with the public server, to use the internal server.
This is the key. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>An
internal client asking about an internal host asks the
internal server, and gets an answer; an internal client asking
about an external host asks the internal server, which asks
the public server, which asks the Internet, and the answer is
relayed back. A client on the public server works just the
same way. An external client, however, asking about an
internal host gets back the ``restricted'' answer from the
public server. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>This
approach assumes that there's a packet filtering firewall
between these two servers that will allow them to talk DNS to
each other, but otherwise restricts DNS between other hosts.
The public server should also refuse recursive queries from
anyone but the internal server; otherwise outsiders can use it
as an open resolver. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Another
trick that's useful in this scheme is to employ wildcard PTR
records in your IN-ADDR.ARPA domains. These cause an
address-to-name lookup for any of your non-public hosts to
return something like ``unknown.YOUR.DOMAIN'' rather than an
error. This satisfies anonymous FTP sites like ftp.uu.net that
insist on having a name for the machines they talk to. This
may fail when talking to sites that do a DNS cross-check in
which the host name is matched against its address and vice
versa. </FONT>
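<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
two-server arrangement above, and the cross-check that defeats
the wildcard PTR trick, worked through as an added example. This
is not code from the FAQ or from any nameserver; the domain
example.com, the 192.0.2.0/24 addresses, the host names and the
zone contents are constructed for illustration, and wildcard
matching is simplified to ``<TT>*</TT> replaces the leftmost
label''. </FONT>

```python
"""Split ("public" / "internal") DNS as the FAQ lays it out, plus the
forward/reverse cross-check that wildcard PTR records fail.

Added example; not code from the FAQ or from BIND. The domain example.com,
the 192.0.2.0/24 addresses, the host names and the zone contents are all
constructed. Wildcard matching is simplified to "'*' replaces the leftmost
label", which is enough for this illustration.
"""
import ipaddress

# What the bastion host's server will tell the whole Internet: gateways,
# the mail exchanger, and a wildcard PTR for everything else in our block.
PUBLIC_ZONE = {
    "example.com.":              {"MX": ["mail.example.com."]},
    "mail.example.com.":         {"A": ["192.0.2.25"]},
    "www.example.com.":          {"A": ["192.0.2.80"]},
    "25.2.0.192.in-addr.arpa.":  {"PTR": ["mail.example.com."]},
    "80.2.0.192.in-addr.arpa.":  {"PTR": ["www.example.com."]},
    "*.2.0.192.in-addr.arpa.":   {"PTR": ["unknown.example.com."]},
}

# The internal server: the public data plus the truth about private hosts.
INTERNAL_ZONE = {
    **PUBLIC_ZONE,
    "payroll.example.com.":      {"A": ["192.0.2.200"]},
    "200.2.0.192.in-addr.arpa.": {"PTR": ["payroll.example.com."]},
}

# Stand-in for "the rest of the Internet" that the public server recurses to.
INTERNET = {"ftp.example.net.": {"A": ["198.51.100.21"]}}


def lookup(zone, name, rtype):
    """Exact owner name first, then a wildcard one label up."""
    rrset = zone.get(name, {}).get(rtype)
    if rrset:
        return list(rrset)
    _, parent = name.split(".", 1)
    return list(zone.get("*." + parent, {}).get(rtype, []))


def public_server(name, rtype, recursion):
    """Authoritative for the public view; recurses to the Internet only for
    the internal server, never for outside clients (no open resolver)."""
    answer = lookup(PUBLIC_ZONE, name, rtype)
    if answer or not recursion:
        return answer
    return lookup(INTERNET, name, rtype)


def internal_server(name, rtype):
    """Answers from its own data and forwards everything else to the
    public server (the ``forwarders'' setting in the text)."""
    return lookup(INTERNAL_ZONE, name, rtype) or public_server(name, rtype, True)


def resolve(client, name, rtype):
    """client is 'internal' (any inside host, the bastion included, since
    their resolv.conf points at the internal server) or 'external'."""
    if client == "external":
        return public_server(name, rtype, recursion=False)
    return internal_server(name, rtype)


def reverse_name(ip):
    return ipaddress.ip_address(ip).reverse_pointer + "."


def cross_check(client, ip):
    """The ``DNS cross-check'' some servers apply to a connecting address:
    PTR gives a name, and that name's A records must include the address.
    Returns (name, consistent); name is None when there is no PTR at all."""
    names = resolve(client, reverse_name(ip), "PTR")
    if not names:
        return None, False
    return names[0], ip in resolve(client, names[0], "A")


if __name__ == "__main__":
    print(resolve("internal", "payroll.example.com.", "A"))  # the truth
    print(resolve("external", "payroll.example.com.", "A"))  # nothing
    print(cross_check("external", "192.0.2.200"))  # a name, but inconsistent
    print(cross_check("external", "192.0.2.25"))   # public host: consistent
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>The public
server answers outside clients only from its own data:
<TT>resolve("external", "ftp.example.net.", "A")</TT> returns
nothing, which is what keeps the bastion from being an open
resolver. The last two lines of the usage show the wildcard PTR
doing its job (an outside site that merely wants <EM>a</EM> name
gets one) and failing the cross-check, since
<TT>unknown.example.com</TT> has no address record pointing back
at the connecting host. </FONT>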
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00065000000000000000>5.5 How do I make FTP work
through my firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:ftp> </A> Generally, making FTP work through the
firewall is done either using a proxy server such as the
firewall toolkit's ftp-gw or by permitting incoming
connections to the network at a restricted port range, and
otherwise restricting incoming connections using something
like ``established'' screening rules. The FTP client is then
modified to bind the data port to a port within that range.
This entails being able to modify the FTP client application
on internal hosts. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>In some
cases, if FTP downloads are all you wish to support, you might
want to consider declaring FTP a ``dead protocol'' and letting
your users download files via the Web instead. The user
interface certainly is nicer, and it gets around the ugly
callback port problem. If you choose the FTP-via-Web approach,
your users will be unable to FTP files out, which, depending
on what you are trying to accomplish, may be a problem.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>A
different approach is to use the FTP ``PASV'' option to
indicate that the remote FTP server should permit the client
to initiate connections. The PASV approach assumes that the
FTP server on the remote system supports that operation. (See
``Firewall-Friendly FTP'', RFC 1579<A
href="http://www.windows2000security.com/misc/firewall-faq.html#406"
name=tex2html12><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A>.[<A
href="http://www.windows2000security.com/misc/firewalls-faq.html#rfc1579">1</A>])
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Other
sites prefer to build client versions of the FTP program that
are linked against a SOCKS library. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00066000000000000000>5.6 How do I make Telnet work
through my firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:how_telnet> </A> Telnet is generally supported
either by using an application proxy such as the firewall
toolkit's tn-gw, or by simply configuring a router to permit
outgoing connections using something like the ``established''
screening rules. Application proxies could be in the form of a
standalone proxy running on the bastion host, or in the form
of a SOCKS server and a modified client. </FONT>
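<P><FONT face="Arial, Helvetica, sans-serif" size=2>The FTP
data-connection problem of question 5.5 and the ``established''
screening rule that question 5.6 relies on, as an added example.
This is not code from the FAQ, from RFC 1579 or from any router
or proxy; the inside network 192.0.2.0/24, the peer addresses
and the 40000-40099 range opened for inbound FTP data are
constructed assumptions. </FONT>

```python
"""A screening router's ``established'' rule, and whether it lets an FTP
data connection through in active (PORT) and passive (PASV) mode.

Added example; not code from the FAQ, RFC 1579 or any firewall product.
The inside network 192.0.2.0/24, the peer addresses, and the port range
opened for inbound FTP data (40000-40099) are constructed assumptions.
PORT / 227 parsing follows RFC 959: h1,h2,h3,h4,p1,p2 with port = p1*256+p2.
"""
import re
from dataclasses import dataclass

INSIDE_PREFIX = "192.0.2."              # assumption: our address block
DATA_PORT_RANGE = range(40000, 40100)   # assumption: inbound range for FTP data

_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(text):
    """(ip, port) from a PORT command or a ``227 Entering Passive Mode'' reply."""
    m = _HOSTPORT.search(text)
    if not m:
        raise ValueError("no h1,h2,h3,h4,p1,p2 in %r" % text)
    n = [int(x) for x in m.groups()]
    if max(n) > 255:
        raise ValueError("octet out of range in %r" % text)
    return "%d.%d.%d.%d" % tuple(n[:4]), n[4] * 256 + n[5]


@dataclass
class Segment:
    src: str
    dst: str
    dport: int
    syn: bool
    ack: bool


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def router_allows(seg):
    """The ``established'' rule: outbound is free; inbound passes only if it
    carries ACK (part of a conversation an inside host started) or is a
    fresh SYN to the port range reserved for incoming FTP data."""
    if is_inside(seg.src) and not is_inside(seg.dst):
        return True
    if seg.ack:
        return True
    return seg.syn and seg.dport in DATA_PORT_RANGE


def data_connection_allowed(client, server, line):
    """client/server are the control-connection peers (client inside).
    line is the PORT command the client sent or the 227 reply it received.
    Returns whether the router would pass the SYN that opens the data
    connection; raises if the line names a third party (bounce attack)."""
    ip, port = parse_hostport(line)
    if line.upper().startswith("PORT"):
        # active mode: the server connects back to the client's address
        if ip != client:
            raise ValueError("PORT names %s, not the client %s" % (ip, client))
        syn = Segment(src=server, dst=ip, dport=port, syn=True, ack=False)
    else:
        # passive mode: the client connects out to what the server announced
        if ip != server:
            raise ValueError("227 names %s, not the server %s" % (ip, server))
        syn = Segment(src=client, dst=ip, dport=port, syn=True, ack=False)
    return router_allows(syn)


if __name__ == "__main__":
    c, s = "192.0.2.10", "198.51.100.21"
    # stock client: ephemeral data port, the server's SYN back is dropped
    print(data_connection_allowed(c, s, "PORT 192,0,2,10,200,17"))
    # client modified to bind inside the opened range: allowed
    print(data_connection_allowed(c, s, "PORT 192,0,2,10,156,64"))
    # PASV: the client opens the data connection itself, no inbound SYN needed
    print(data_connection_allowed(c, s, "227 Entering Passive Mode (198,51,100,21,195,80)"))
    # Telnet from inside: the reply segments carry ACK and pass
    print(router_allows(Segment(src=s, dst=c, dport=51000, syn=False, ack=True)))
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>Two caveats
the code makes visible. The ``established'' rule trusts the ACK
bit alone, so a segment forged with ACK set and no prior SYN
passes <TT>router_allows</TT> as well; that is what an ACK scan
uses to map such filters, and a stateful filter that remembers
the outbound SYN closes the gap. The third-party checks in
<TT>data_connection_allowed</TT> are the defence against the
FTP bounce attack, in which a PORT command names some other host
so that the server opens a connection there on the attacker's
behalf. </FONT>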
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00067000000000000000>5.7 How do I make Finger and
whois work through my firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:how_finger> </A> Many firewall admins permit
connections to the finger port from only trusted machines,
which can issue finger requests in the form of: finger
user@host.domain@firewall. This approach only works with the
standard Unix version of finger. Controlling access to
services and restricting them to specific machines is managed
using either tcp_wrappers or netacl from the firewall toolkit.
This approach will not work on all systems, since some finger
servers do not permit user@host@host fingering. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Many sites
block inbound finger requests for a variety of reasons,
foremost being past security bugs in the finger server (the
Morris internet worm made these bugs famous) and the risk of
proprietary or sensitive information being revealed in users'
finger information. In general, however, if your users are
accustomed to putting proprietary or sensitive information in
their <i>.plan</i> files, you have a more serious
security problem than just a firewall can solve. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00068000000000000000>5.8 How do I make gopher,
archie, and other services work through my firewall?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:how_archie> </A> The majority of
firewall administrators choose to support gopher and archie
through web proxies, instead of directly. Proxies such as the
firewall toolkit's <code>http-gw</code> convert
gopher/gopher+ queries into HTML and vice versa. For
supporting archie and other queries, many sites rely on
Internet-based Web-to-archie servers, such as ArchiePlex. The
Web's tendency to make everything on the Internet look like a
web service is both a blessing and a curse. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>There are
many new services constantly cropping up. Often they are
misdesigned or are not designed with security in mind, and
their designers will cheerfully tell you if you want to use
them you need to let port xxx through your router.
Unfortunately, not everyone can do that, and so a number of
interesting new toys are difficult to use for people behind
firewalls. Things like RealAudio, which require direct UDP
access, are particularly egregious examples. The thing to bear
in mind if you find yourself faced with one of these problems
is to find out as much as you can about the security risks
that the service may present, before you just allow it
through. It's quite possible the service has no security
implications. It's equally possible that it has undiscovered
holes you could drive a truck through. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00069000000000000000>5.9 What are the issues about
X11 through a firewall?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:x_issues> </A> The X Window System is a very
useful system, but unfortunately has some major security
flaws. Remote systems that can gain or spoof access to a
workstation's X display can monitor keystrokes that a user
enters, download copies of the contents of their windows, etc.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>While
attempts have been made to overcome them (e.g., MIT ``Magic
Cookie'' authorization, whose cookie crosses the network in the
clear) it is still entirely too easy for an attacker to
interfere with a user's X display. Most firewalls block all X
traffic. Some permit X traffic through application proxies
such as the DEC CRL X proxy (FTP crl.dec.com). The firewall
toolkit includes a proxy for X, called x-gw, which a user can
invoke via the Telnet proxy, to create a virtual X server on
the firewall. When requests are made for an X connection on
the virtual X server, the user is presented with a pop-up
asking them if it is OK to allow the connection. While this is
a little unaesthetic, it's entirely in keeping with the rest
of X. </FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000610000000000000000>5.10 How do I make
<I>RealAudio</I> work through my firewall?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=how_raudio> </A> RealNetworks maintains
some information about how to get RealAudio working through
your firewall<A
href="http://www.windows2000security.com/misc/firewall-faq.html#407"
name=tex2html13><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A>. It would
be unwise to make <EM>any</EM> changes to your firewall
without understanding what the changes will do, exactly, and
knowing what risks the new changes will bring with them.
</FONT>
<P>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000611000000000000000>5.11 How do I make my web
server act as a front-end for a database that lives on my
private network?</A> </FONT></H2><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:how_db> </A> The best way to do this is to allow
very limited connectivity between your web server and your
database server via a specific protocol that only supports the
level of functionality you're going to use. Allowing raw SQL,
or anything else where custom extractions could be performed
by an attacker isn't generally a good idea. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Assume
that an attacker is going to be able to break into your web
server, and make queries in the same way that the web server
can. Is there a mechanism for extracting sensitive information
that the web server doesn't need, like credit card
information? Can an attacker issue an SQL
<code>select</code> and extract your entire
proprietary database? </FONT>
<P><FONT face="Arial, Helvetica, sans-serif"
size=2>``E-commerce'' applications, like everything else, are
best designed with security in mind from the ground up,
instead of having security ``added'' as an afterthought.
Review your architecture critically, from the perspective of
an attacker. Assume that the attacker knows everything about
your architecture. Now ask yourself what needs to be done to
steal your data, to make unauthorized changes, or to do
anything else that you don't want done. You might find that
you can significantly increase security without decreasing
functionality by making a few design and implementation
decisions. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Some ideas
for how to handle this: </FONT>
<P>
<UL>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Extract
the data you need from the database on a regular basis so
you're not making queries against the full database,
complete with information that attackers will find
interesting. </FONT>
<LI><FONT face="Arial, Helvetica, sans-serif" size=2>Greatly
restrict and audit what you do allow between the web server
and database. </FONT></LI></UL>
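<P><FONT face="Arial, Helvetica, sans-serif" size=2>Both ideas
as an added example, not code from the FAQ or from any product:
a pass-through that carries raw SQL, next to a broker that
exposes one named, parameterised operation over a view without
the card columns, a periodic extract that the web tier can be
pointed at instead of the live database, and the same
restriction enforced inside the database itself. SQLite stands
in for the back-end database (its authorizer callback plays the
part of a restricted database account), and the schema, rows
and card numbers are constructed. </FONT>

```python
"""A web front end for a database kept on the private network: the
``poke a hole and pass SQL through'' design next to a narrow broker.

Added example; not code from the FAQ or any product. The schema, the rows
and the card numbers are constructed (they are not real cards), and SQLite
stands in for the back-end database so the script runs stand-alone; its
authorizer callback plays the part a restricted database account would.
"""
import sqlite3

CARD_COLUMNS = {("customers", "card_number"), ("customers", "card_expiry")}


def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT,
                               card_number TEXT, card_expiry TEXT);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER,
                            status TEXT);
        INSERT INTO customers VALUES (1, 'Alice', '4111111111111111', '01/04');
        INSERT INTO customers VALUES (2, 'Bob',   '5500000000000004', '06/03');
        INSERT INTO orders VALUES (100, 1, 'shipped');
        INSERT INTO orders VALUES (101, 2, 'pending');
        -- the only relation the web tier has any business reading
        CREATE VIEW order_status AS
            SELECT o.id AS order_id, c.name AS customer, o.status
            FROM orders o JOIN customers c ON c.id = o.customer_id;
    """)
    return db


# --- design 1: the hole in the firewall carries raw SQL --------------------
def raw_sql_gateway(db, sql):
    """Whatever the web server (or its new owner) sends, the database runs."""
    return db.execute(sql).fetchall()


def attacker_dump(db):
    """Assume the web server is compromised: can the intruder pull the
    card table?  Returns the rows, or None if the database refused."""
    try:
        return raw_sql_gateway(db, "SELECT name, card_number FROM customers")
    except sqlite3.DatabaseError:
        return None


# --- design 2: a broker that exposes named operations only -----------------
ALLOWED_OPS = {
    # op -> (parameterised statement over the view, parameter converters)
    "order_status": ("SELECT customer, status FROM order_status WHERE order_id = ?",
                     (int,)),
}


def broker(db, op, *args):
    """Named operation, typed parameters, placeholders only: no SQL text from
    the web tier ever reaches the database, so there is nothing to inject into."""
    if op not in ALLOWED_OPS:
        raise PermissionError("operation not exposed: %r" % op)
    sql, converters = ALLOWED_OPS[op]
    if len(args) != len(converters):
        raise ValueError("expected %d parameters" % len(converters))
    params = [conv(a) for conv, a in zip(converters, args)]  # int("1 OR 1=1") fails
    return db.execute(sql, params).fetchall()


def publish_extract(src):
    """First bullet in the text: copy just what the web tier needs into a
    separate database (run periodically), so the machine the web server
    talks to never holds the card data at all."""
    dst = sqlite3.connect(":memory:")
    dst.execute("CREATE TABLE order_status(order_id INTEGER, customer TEXT, status TEXT)")
    dst.executemany("INSERT INTO order_status VALUES (?, ?, ?)",
                    src.execute("SELECT order_id, customer, status FROM order_status"))
    dst.commit()
    return dst


def lock_down(db):
    """Enforce the restriction in the database too, not just in the broker:
    deny any read of the card columns (in a real RDBMS: a role granted
    SELECT on the view and nothing on the base tables)."""
    def authorizer(action, arg1, arg2, db_name, source):
        if action == sqlite3.SQLITE_READ and (arg1, arg2) in CARD_COLUMNS:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    db.set_authorizer(authorizer)


if __name__ == "__main__":
    db = build_db()
    print(attacker_dump(db))                   # every card number: design 1 loses
    print(broker(db, "order_status", "100"))   # [('Alice', 'shipped')]
    lock_down(db)
    print(attacker_dump(db))                   # None: the database refuses
    print(broker(db, "order_status", "101"))   # still works, reads the view only
    print(attacker_dump(publish_extract(db)))  # None: the extract has no cards
```

<P><FONT face="Arial, Helvetica, sans-serif" size=2>The point
of <TT>lock_down</TT> is that the broker is itself code on the
web side of the firewall, so it is the second line, not the
only one: once the database account the web tier uses cannot
read the card columns, a compromised web server that bypasses
the broker and speaks SQL directly still gets nothing. </FONT>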
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000612000000000000000>5.12 But my database has an
integrated web server, and I want to use that. Can't I just
poke a hole in the firewall and tunnel that port?</A>
</FONT></H2><FONT face="Arial, Helvetica, sans-serif"
size=2><A name=sec:w3db> </A> If your site firewall
policy is sufficiently lax that you're willing to manage the
risk that someone will exploit a vulnerability in your web
server that will result in partial or complete exposure of
your database, then there isn't much preventing you from doing
this. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>However,
in many organizations, the people who are responsible for
tying the web front end to the database back end simply do not
have the authority to take that responsibility. Further, if
the information in the database is about people, you might
find yourself guilty of breaking a number of laws if you
haven't taken reasonable precautions to prevent the system
from being abused. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>In
general, this isn't a good idea. See question <A
href="http://www.windows2000security.com/misc/firewalls-faq.html#sec:how_db">5.11</A>
for some ideas on other ways to accomplish this objective.
</FONT>
<P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00070000000000000000>A Some Commercial Products
and Vendors</A> </FONT></H1><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:prod> </A> We feel this topic is too sensitive
to address in a FAQ, however, an independently maintained list
(no warranty or recommendations are implied) can be found
online.<A
href="http://www.windows2000security.com/misc/firewall-faq.html#409"
name=tex2html14><SUP><IMG align=bottom alt=[*] border=1
src="firewall-faq_files/foot_motif.gif"></SUP></A> </FONT>
<P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION00080000000000000000>B Glossary of
Firewall-Related Terms</A> </FONT></H1><FONT
face="Arial, Helvetica, sans-serif" size=2><A
name=sec:glossary> </A> </FONT>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Abuse of Privilege</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>When a
user performs an action that they should not have, according
to organizational policy or law. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Access Control Lists</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Rules
for packet filters (typically routers) that define which
packets to pass and which to block. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Access Router</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
router that connects your network to the external Internet.
Typically, this is your first line of defense against
attackers from the outside Internet. By enabling access
control lists on this router, you'll be able to provide a
level of protection for all of the hosts ``behind'' that
router, effectively making that network a DMZ instead of an
unprotected external LAN. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Application-Level Firewall</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
firewall system in which service is provided by processes
that maintain complete TCP connection state and sequencing.
Application level firewalls often re-address traffic so that
outgoing traffic appears to have originated from the
firewall, rather than the internal host. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authentication</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>The
process of determining the identity of a user that is
attempting to access a system. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authentication Token</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
portable device used for authenticating a user.
Authentication tokens operate by challenge/response,
time-based code sequences, or other techniques. This may
include paper-based lists of one-time passwords. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Authorization</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>The
process of determining what types of activities are
permitted. Usually, authorization is in the context of
authentication: once you have authenticated a user, they may
be authorized different types of access or activity. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Bastion Host</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
system that has been hardened to resist attack, and which is
installed on a network in such a way that it is expected to
potentially come under attack. Bastion hosts are often
components of firewalls, or may be ``outside'' web servers
or public access systems. Generally, a bastion host is
running some form of general purpose operating system (e.g.,
Unix, VMS, NT, etc.) rather than a ROM-based or firmware
operating system. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Challenge/Response</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>An
authentication technique whereby a server sends an
unpredictable challenge to the user, who computes a response
using some form of authentication token. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Chroot</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
technique under Unix whereby a process is permanently
restricted to an isolated subset of the filesystem. A process
that keeps root privilege can usually escape the restriction,
so chroot complements dropping privileges rather than
replacing it. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Cryptographic Checksum</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
one-way (cryptographic hash) function applied to a file to
produce a ``fingerprint'' of the file for later reference; a
file cannot feasibly be altered so that its fingerprint stays
the same. Checksum systems are a primary means of detecting
filesystem tampering on Unix, provided the reference
fingerprints are kept where an intruder cannot rewrite them.
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Data Driven Attack</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A form
of attack in which the attack is encoded in
innocuous-seeming data which is executed by a user or other
software to implement an attack. In the case of firewalls, a
data driven attack is a concern since it may get through the
firewall in data form and launch an attack against a system
behind the firewall. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Defense in Depth</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>The
security approach whereby each system on the network is
secured to the greatest possible degree, so that no single
control, the firewall included, is relied upon alone. May be
used in conjunction with firewalls. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>DNS spoofing</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Assuming the DNS name of another system by either
corrupting the name service cache of a victim system, or by
compromising a domain name server for a valid domain.
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Dual Homed Gateway</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A dual
homed gateway is a system that has two or more network
interfaces, each of which is connected to a different
network. In firewall configurations, a dual homed gateway
usually acts to block or filter some or all of the traffic
trying to pass between the networks. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Encrypting Router</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>see
Tunneling Router and Virtual Network Perimeter. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Firewall</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
system or combination of systems that enforces a boundary
between two or more networks. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Host-based Security</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>The
technique of securing an individual system from attack. Host
based security is operating system and version dependent.
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Insider Attack</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>An
attack originating from inside a protected network. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Intrusion Detection</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Detection of break-ins or break-in attempts either
manually or via software expert systems that operate on logs
or other information available on the network. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>IP Spoofing</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>An
attack whereby a system attempts to illicitly impersonate
another system by using its IP network address. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>IP Splicing / Hijacking</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>An
attack whereby an active, established, session is
intercepted and co-opted by the attacker. IP Splicing
attacks may occur after an authentication has been made,
permitting the attacker to assume the role of an already
authorized user. Primary protections against IP Splicing
rely on encryption at the session or network layer. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Least Privilege</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Designing operational aspects of a system to operate
with a minimum amount of system privilege. This reduces the
authorization level at which various actions are performed
and decreases the chance that a process or user with high
privileges may be caused to perform unauthorized activity
resulting in a security breach. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Logging</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>The
process of storing information about events that occurred on
the firewall or network. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Log Retention</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>How
long audit logs are retained and maintained. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Log Processing</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>How
audit logs are processed, searched for key events, or
summarized. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Network-Level Firewall</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
firewall in which traffic is examined at the network
protocol packet level. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Perimeter-based Security</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>The
technique of securing a network by controlling access to all
entry and exit points of the network. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Policy</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif"
size=2>Organization-level rules governing acceptable use of
computing resources, security practices, and operational
procedures. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Proxy</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
software agent that acts on behalf of a user. Typical
proxies accept a connection from a user, make a decision as
to whether or not the user or client IP address is permitted
to use the proxy, perhaps does additional authentication,
and then completes a connection on behalf of the user to a
remote destination. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Screened Host</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A host
on a network behind a screening router. The degree to which
a screened host may be accessed depends on the screening
rules in the router. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Screened Subnet</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
subnet behind a screening router. The degree to which the
subnet may be accessed depends on the screening rules in the
router. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Screening Router</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
router configured to permit or deny traffic based on a set
of permission rules installed by the administrator. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Session Stealing</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>See IP
Splicing. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Trojan Horse</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
software entity that appears to do something normal but
which, in fact, contains a trapdoor or attack program.
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Tunneling Router</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
router or system capable of routing traffic by encrypting it
and encapsulating it for transmission across an untrusted
network, for eventual de-encapsulation and decryption.
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Social Engineering</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>An
attack based on deceiving users or administrators at the
target site. Social engineering attacks are typically
carried out by telephoning users or operators and pretending
to be an authorized user, to attempt to gain illicit access
to systems. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Virtual Network Perimeter</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
network that appears to be a single protected network behind
firewalls, which actually encompasses encrypted virtual
links over untrusted networks. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Virus</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
replicating code segment that attaches itself to a program
or data file. Viruses might or might not contain attack
programs or trapdoors. Unfortunately, many have taken to
calling <EM>any</EM> malicious code a ``virus''. If you mean
``trojan horse'' or ``worm'', say ``trojan horse'' or
``worm''. </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Worm</STRONG> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>A
standalone program that, when run, copies itself from one
host to another, and then runs itself on each newly infected
host. The widely reported ``Internet Virus'' of 1988 was not
a virus at all, but actually a worm. </FONT></DD></DL>
<H2><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTIONREF>References</A> </FONT></H2>
<DL compact>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=rfc1579><STRONG>1</STRONG></A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2>Steven
M. Bellovin. <BR>Firewall-friendly FTP. <BR>In <EM>RFC</EM>,
number 1579. </FONT></DD></DL>
<P>
<H1><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=SECTION000100000000000000000>About this document ...
</A></FONT></H1><FONT face="Arial, Helvetica, sans-serif"
size=2><STRONG>Internet Firewalls:<BR>Frequently Asked
Questions</STRONG> </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>This
document was generated using the <A
href="http://www-dsed.llnl.gov/files/programs/unix/latex2html/manual/"><STRONG>LaTeX</STRONG>2<TT>HTML</TT></A>
translator Version 97.1 (release) (July 13th, 1997) </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>Copyright
© 1993, 1994, 1995, 1996, 1997, <A
href="http://cbl.leeds.ac.uk/nikos/personal.html">Nikos
Drakos</A>, Computer Based Learning Unit, University of Leeds.
</FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
command line arguments were: <BR><STRONG>latex2html</STRONG>
<TT>-split 0 -show_section_numbers -no_navigation
firewalls-faq.tex</TT>. </FONT>
<P><FONT face="Arial, Helvetica, sans-serif" size=2>The
translation was initiated by Matt Curtin on
11/25/1999<BR><BR></FONT>
<HR noShade>
<H4><FONT face="Arial, Helvetica, sans-serif"
size=2>Footnotes</FONT></H4>
<DL>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=400>...System</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://maps.vix.com/"
name=tex2html1><TT>http://maps.vix.com/</TT></A> </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=401>...Initiative</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://maps.vix.com/tsi/"
name=tex2html1><TT>http://maps.vix.com/tsi/</TT></A> </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=402>...Squid</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://squid.nlanr.net/"
name=tex2html1><TT>http://squid.nlanr.net/</TT></A> </FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=403>...Apache</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.apache.org/docs/mod/mod_proxy.html"
name=tex2html1><TT>http://www.apache.org/docs/mod/mod_proxy.html</TT></A>
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=404>...Proxy</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://home.netscape.com/proxy/v3.5/index.html"
name=tex2html1><TT>http://home.netscape.com/proxy/v3.5/index.html</TT></A>
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=405>...Netscape</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://developer.netscape.com/docs/manuals/security/sslin/contents.htm"
name=tex2html1><TT>http://developer.netscape.com/docs/manuals/security/sslin/contents.htm</TT></A>
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=406>...1579</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.cis.ohio-state.edu/htbin/rfc/rfc1579.html"
name=tex2html1><TT>http://www.cis.ohio-state.edu/htbin/rfc/rfc1579.html</TT></A>
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=407>...firewall</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.real.com/firewall/index.html"
name=tex2html1><TT>http://www.real.com/firewall/</TT></A>
</FONT>
<P></P>
<DT><FONT face="Arial, Helvetica, sans-serif" size=2><A
name=409>...online.</A> </FONT>
<DD><FONT face="Arial, Helvetica, sans-serif" size=2><A
href="http://www.waterw.com/~manowar/vendor.html"
name=tex2html1><TT>http://www.waterw.com/~manowar/vendor.html</TT></A>
</FONT></DD></DL>
<CENTER></CENTER>
<ADDRESS><FONT face="Arial, Helvetica, sans-serif"
size=2><I>Matt Curtin</I> <BR><I>11/25/1999</I>
</FONT></ADDRESS>
<H1 align=center><A href="http://www.clark.net/pub/mjr/"><FONT
face="Arial, Helvetica, sans-serif"
size=2>Marcus J. Ranum</FONT></A><FONT
face="Arial, Helvetica, sans-serif" size=2> and <A
href="http://www.interhack.net/people/cmcurtin/">Matt Curtin</A></FONT></H1></TD></TR></TBODY></TABLE>
<HR noShade>
<P> </P></TD></TR></TBODY></TABLE></TD></TR></TBODY></TABLE></BODY></HTML>