building_internet_firewalls_second_edition.pdf

Building Internet Firewalls

Elizabeth D. Zwicky, Simon Cooper & D. Brent Chapman

Second Edition, June 2000

ISBN: 1-56592-871-7, 890 pages

Completely revised and much expanded, the new edition of the highly respected and

bestselling Building Internet Firewalls now covers Unix, Linux, and Windows NT.

This practical and detailed guide explains in step-by-step fashion how to design and

install firewalls and configure Internet services to work with a firewall.

It covers a wide range of services and protocols and offers a complete list of

resources, including the location of many publicly available firewalls construction tools.

Release Team[oR] 2001

CONTENTS

Preface

Scope of This Book

Audience

Platforms

Products

Examples

Conventions Used in This Book

Comments and Questions

Acknowledgments for the Second Edition

Acknowledgments for the First Edition

I Network Security

1.1 What Are You Trying to Protect?

1.2 What Are You Trying to Protect Against?

1.3 Who Do You Trust?

1.4 How Can You Protect Your Site?

1.5 What Is an Internet Firewall?

1.6 Religious Arguments

2 InternetServices

2.1 Secure Services and Safe Services

2.2 The World Wide Web

2.3 Electronic Mail and News

2.4 File Transfer, File Sharing, and Printing

2.5 Remote Access

2.6 Real-Time Conferencing Services

2.7 Naming and Directory Services

2.8 Authentication and Auditing Services

2.9 Administrative Services

2.10 Databases

2.11 Games

3 SecurityStrategies

3.1 Least Privilege

3.2 Defense in Depth

3.3 Choke Point

3.4 Weakest Link

3.5 Fail-Safe Stance

3.6 Universal Participation

3.7 Diversity of Defense

3.8 Simplicity

3.9 Security Through Obscurity

II BuildingFirewalls

4.1 What Does a Packet Look Like?

4.2 IP

4.3 Protocols Above IP

4.4 Protocols Below IP

4.5 Application Layer Protocols

4.6 IP Version 6

4.7 Non-IP Protocols

4.8 Attacks Based on Low-Level Protocol Details

5 FirewallTechnologies

5.1 Some Firewall Definitions

5.2 Packet Filtering

5.3 Proxy Services

5.4 Network Address Translation

5.5 Virtual Private Networks

6 FirewallArchitectures

6.1 Single-Box Architectures

6.2 Screened Host Architectures

6.3 Screened Subnet Architectures

6.4 Architectures with Multiple Screened Subnets

6.5 Variations on Firewall Architectures

6.6 Terminal Servers and Modem Pools

6.7 Internal Firewalls

7 FirewallDesign

103

7.1 Define Your Needs

7.2 Evaluate the Available Products

7.3 Put Everything Together

1 WhyInternetFirewalls?

4 Packets and Protocols

8.1 What Can You Do with Packet Filtering?

8.2 Configuring a Packet Filtering Router

8.3 What Does the Router Do with Packets?

8.4 Packet Filtering Tips and Tricks

8.5 Conventions for Packet Filtering Rules

8.6 Filtering by Address

8.7 Filtering by Service

8.8 Choosing a Packet Filtering Router

8.9 Packet Filtering Implementations for General-Purpose Computers

8.10 Where to Do Packet Filtering

8.11 What Rules Should You Use?

8.12 Putting It All Together

108

9 ProxySystems

146

9.1 Why Proxying?

9.2 How Proxying Works

9.3 Proxy Server Terminology

9.4 Proxying Without a Proxy Server

9.5 Using SOCKS for Proxying

9.6 Using the TIS Internet Firewall Toolkit for Proxying

9.7 Using Microsoft Proxy Server

9.8 What If You Can't Proxy?

10 Bastion Hosts

157

10.1 General Principles

10.2 Special Kinds of Bastion Hosts

10.3 Choosing a Machine

10.4 Choosing a Physical Location

10.5 Locating Bastion Hosts on the Network

10.6 Selecting Services Provided by a Bastion Host

10.7 Disabling User Accounts on Bastion Hosts

10.8 Building a Bastion Host

10.9 Securing the Machine

10.10 Disabling Nonrequired Services

10.11 Operating the Bastion Host

10.12 Protecting the Machine and Backups

11 Unix and Linux Bastion Hosts

176

11.1 Which Version of Unix?

11.2 Securing Unix

11.3 Disabling Nonrequired Services

11.4 Installing and Modifying Services

11.5 Reconfiguring for Production

11.6 Running a Security Audit

12 Windows NT and Windows 2000 Bastion Hosts

191

12.1 Approaches to Building Windows NT Bastion Hosts

12.2 Which Version of Windows NT?

12.3 Securing Windows NT

12.4 Disabling Nonrequired Services

12.5 Installing and Modifying Services

III Internet Services

203

13 Internet Services and Firewalls

204

13.1 Attacks Against Internet Services

13.2 Evaluating the Risks of a Service

13.3 Analyzing Other Protocols

13.4 What Makes a Good Firewalled Service?

13.5 Choosing Security-Critical Programs

13.6 Controlling Unsafe Configurations

14.1 Remote Procedure Call (RPC)

14.2 Distributed Component Object Model (DCOM)

14.3 NetBIOS over TCP/IP (NetBT)

14.4 Common Internet File System (CIFS) and Server Message Block (SMB)

14.5 Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)

14.6 ToolTalk

14.7 Transport Layer Security (TLS) and Secure Socket Layer (SSL)

14.8 The Generic Security Services API (GSSAPI)

14.9 IPsec

14.10 Remote Access Service (RAS)

14.11 Point-to-Point Tunneling Protocol (PPTP)

14.12 Layer 2 Transport Protocol (L2TP)

223

8 PacketFiltering

14 Intermediary Protocols

15.1 HTTP Server Security

15.2 HTTP Client Security

15.3 HTTP

15.4 Mobile Code and Web-Related Languages

15.5 Cache Communication Protocols

15.6 Push Technologies

15.7 RealAudio and RealVideo

15.8 Gopher and WAIS

245

16 Electronic Mail and News

268

16.1 Electronic Mail

16.2 Simple Mail Transfer Protocol (SMTP)

16.3 Other Mail Transfer Protocols

16.4 Microsoft Exchange

16.5 Lotus Notes and Domino

16.6 Post Office Protocol (POP)

16.7 Internet Message Access Protocol (IMAP)

16.8 Microsoft Messaging API (MAPI)

16.9 Network News Transfer Protocol (NNTP)

17. File Transfer, File Sharing, and Printing

287

17.1 File Transfer Protocol (FTP)

17.2 Trivial File Transfer Protocol (TFTP)

17.3 Network File System (NFS)

17.4 File Sharing for Microsoft Networks

17.5 Summary of Recommendations for File Sharing

17.6 Printing Protocols

17.7 Related Protocols

18 Remote Access to Hosts

307

18.1 Terminal Access (Telnet)

18.2 Remote Command Execution

18.3 Remote Graphical Interfaces

19 Real-Time Conferencing Services

328

19.1 Internet Relay Chat (IRC)

19.2 ICQ

19.3 talk

19.4 Multimedia Protocols

19.5 NetMeeting

19.6 Multicast and the Multicast Backbone (MBONE)

20.1 Domain Name System (DNS)

20.2 Network Information Service (NIS)

20.3 NetBIOS for TCP/IP Name Service and Windows Internet Name Service

20.4 The Windows Browser

20.5 Lightweight Directory Access Protocol (LDAP)

20.6 Active Directory

20.7 Information Lookup Services

341

21.1 What Is Authentication?

21.2 Passwords

21.3 Authentication Mechanisms

21.4 Modular Authentication for Unix

21.5 Kerberos

21.6 NTLM Domains

21.7 Remote Authentication Dial-in User Service (RADIUS)

21.8 TACACS and Friends

21.9 Auth and identd

373

22.1 System Management Protocols

22.2 Routing Protocols

22.3 Protocols for Booting and Boot-Time Configuration

22.4 ICMP and Network Diagnostics

22.5 Network Time Protocol (NTP)

22.6 File Synchronization

22.7 Mostly Harmless Protocols

397

23.1 Databases

23.2 Games

418

15 The World Wide Web

20. Naming and Directory Services

21 Authentication and Auditing Services

22 Administrative Services

23 Databases and Games

Plik z chomika:

Inne pliki z tego folderu:

Inne foldery tego chomika: