Building internet firewalls - Elizabeth D. Zwicky, Simon Cooper,... - Librairie Eyrolles
Building internet firewalls

Elizabeth D. Zwicky, Simon Cooper, Davis Chapman

890 pages, published 01/06/2000 (2nd edition)

Summary

In the five years since the first edition of this classic book was published, Internet use has exploded. The commercial world has rushed headlong into doing business on the Web, often without integrating sound security technologies and policies into their products and methods. The security risks--and the need to protect both business and personal data--have never been greater. We've updated Building Internet Firewalls to address these newer risks. What kinds of security threats does the Internet pose? Some, like password attacks and the exploiting of known security holes, have been around since the early days of networking. And others, like the distributed denial of service attacks that crippled Yahoo, E-Bay, and other major e-commerce sites in early 2000, are in current headlines.

Firewalls, critical components of today's computer networks, effectively protect a system from most Internet security threats. They keep damage on one part of the network--such as eavesdropping, a worm program, or file damage--from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down. Like the bestselling and highly respected first edition, Building Internet Firewalls, 2nd Edition, is a practical and detailed step-by-step guide to designing and installing firewalls and configuring Internet services to work with a firewall. Much expanded to include Linux and Windows coverage, the second edition describes:

  • Firewall technologies: packet filtering, proxying, network address translation, virtual private networks
  • Architectures such as screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls
  • Issues involved in a variety of new Internet services and protocols through a firewall
  • Email and News
  • Web services and scripting languages (e.g., HTTP, Java, JavaScript, ActiveX, RealAudio, RealVideo)
  • File transfer and sharing services such as NFS, Samba
  • Remote access services such as Telnet, the BSD "r" commands, SSH, BackOrifice 2000
  • Real-time conferencing services such as ICQ and talk
  • Naming and directory services (e.g., DNS, NetBT, the Windows Browser)
  • Authentication and auditing services (e.g., PAM, Kerberos, RADIUS)
  • Administrative services (e.g., syslog, SNMP, SMS, RIP and other routing protocols, and ping and other network diagnostics)
  • Intermediary protocols (e.g., RPC, SMB, CORBA, IIOP)
  • Database protocols (e.g., ODBC, JDBC, and protocols for Oracle, Sybase, and Microsoft SQL Server)

Table of Contents

Preface

I. Network Security

1. Why Internet Firewalls?
     What Are You Trying to Protect?
     What Are You Trying to Protect Against?
     Who Do You Trust?
     How Can You Protect Your Site?
     What Is an Internet Firewall?
     Religious Arguments

2. Internet Services
     Secure Services and Safe Services
     The World Wide Web
     Electronic Mail and News
     File Transfer, File Sharing, and Printing
     Remote Access
     Real-Time Conferencing Services
     Naming and Directory Services
     Authentication and Auditing Services
     Administrative Services
     Databases
     Games

3. Security Strategies
     Least Privilege
     Defense in Depth
     Choke Point
     Weakest Link
     Fail-Safe Stance
     Universal Participation
     Diversity of Defense
     Simplicity
     Security Through Obscurity

II. Building Firewalls

4. Packets and Protocols
     What Does a Packet Look Like?
     IP
     Protocols Above IP
     Protocols Below IP
     Application Layer Protocols
     IP Version 6
     Non-IP Protocols
     Attacks Based on Low-Level Protocol Details

5. Firewall Technologies
     Some Firewall Definitions
     Packet Filtering
     Proxy Services
     Network Address Translation
     Virtual Private Networks

6. Firewall Architectures
     Single-Box Architectures
     Screened Host Architectures
     Screened Subnet Architectures
     Architectures with Multiple Screened Subnets
     Variations on Firewall Architectures
     Terminal Servers and Modem Pools
     Internal Firewalls

7. Firewall Design
     Define Your Needs
     Evaluate the Available Products
     Put Everything Together

8. Packet Filtering
     What Can You Do with Packet Filtering?
     Configuring a Packet Filtering Router
     What Does the Router Do with Packets?
     Packet Filtering Tips and Tricks
     Conventions for Packet Filtering Rules
     Filtering by Address
     Filtering by Service
     Choosing a Packet Filtering Router
     Packet Filtering Implementations for General-Purpose Computers
     Where to Do Packet Filtering
     What Rules Should You Use?
     Putting It All Together

9. Proxy Systems
     Why Proxying?
     How Proxying Works
     Proxy Server Terminology
     Proxying Without a Proxy Server
     Using SOCKS for Proxying
     Using the TIS Internet Firewall Toolkit for Proxying
     Using Microsoft Proxy Server
     What If You Can't Proxy?

10. Bastion Hosts
     General Principles
     Special Kinds of Bastion Hosts
     Choosing a Machine
     Choosing a Physical Location
     Locating Bastion Hosts on the Network
     Selecting Services Provided by a Bastion Host
     Disabling User Accounts on Bastion Hosts
     Building a Bastion Host
     Securing the Machine
     Disabling Nonrequired Services
     Operating the Bastion Host
     Protecting the Machine and Backups

11. Unix and Linux Bastion Hosts
     Which Version of Unix?
     Securing Unix
     Disabling Nonrequired Services
     Installing and Modifying Services
     Reconfiguring for Production
     Running a Security Audit

12. Windows NT and Windows 2000 Bastion Hosts
     Approaches to Building Windows NT Bastion Hosts
     Which Version of Windows NT?
     Securing Windows NT
     Disabling Nonrequired Services
     Installing and Modifying Services

III. Internet Services

13. Internet Services and Firewalls
     Attacks Against Internet Services
     Evaluating the Risks of a Service
     Analyzing Other Protocols
     What Makes a Good Firewalled Service?
     Choosing Security-Critical Programs
     Controlling Unsafe Configurations

14. Intermediary Protocols
     Remote Procedure Call (RPC)
     Distributed Component Object Model (DCOM)
     NetBIOS over TCP/IP (NetBT)
     Common Internet File System (CIFS) and Server Message Block (SMB)
     Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
     ToolTalk
     Transport Layer Security (TLS) and Secure Socket Layer (SSL)
     The Generic Security Services API (GSSAPI)
     IPsec
     Remote Access Service (RAS)
     Point-to-Point Tunneling Protocol (PPTP)
     Layer 2 Transport Protocol (L2TP)

15. The World Wide Web
     HTTP Server Security
     HTTP Client Security
     HTTP
     Mobile Code and Web-Related Languages
     Cache Communication Protocols
     Push Technologies
     RealAudio and RealVideo
     Gopher and WAIS

16. Electronic Mail and News
     Electronic Mail
     Simple Mail Transfer Protocol (SMTP)
     Other Mail Transfer Protocols
     Microsoft Exchange
     Lotus Notes and Domino
     Post Office Protocol (POP)
     Internet Message Access Protocol (IMAP)
     Microsoft Messaging API (MAPI)
     Network News Transfer Protocol (NNTP)

17. File Transfer, File Sharing, and Printing
     File Transfer Protocol (FTP)
     Trivial File Transfer Protocol (TFTP)
     Network File System (NFS)
     File Sharing for Microsoft Networks
     Summary of Recommendations for File Sharing
     Printing Protocols
     Related Protocols

18. Remote Access to Hosts
     Terminal Access (Telnet)
     Remote Command Execution
     Remote Graphical Interfaces

19. Real-Time Conferencing Services
     Internet Relay Chat (IRC)
     ICQ
     talk
     Multimedia Protocols
     NetMeeting
     Multicast and the Multicast Backbone (MBONE)

20. Naming and Directory Services
     Domain Name System (DNS)
     Network Information Service (NIS)
     NetBIOS for TCP/IP Name Service and Windows Internet Name Service
     The Windows Browser
     Lightweight Directory Access Protocol (LDAP)
     Active Directory
     Information Lookup Services

21. Authentication and Auditing Services
     What Is Authentication?
     Passwords
     Authentication Mechanisms
     Modular Authentication for Unix
     Kerberos
     NTLM Domains
     Remote Authentication Dial-in User Service (RADIUS)
     TACACS and Friends
     Auth and identd

22. Administrative Services
     System Management Protocols
     Routing Protocols
     Protocols for Booting and Boot-Time Configuration
     ICMP and Network Diagnostics
     Network Time Protocol (NTP)
     File Synchronization
     Mostly Harmless Protocols

23. Databases and Games
     Databases
     Games

24. Two Sample Firewalls
     Screened Subnet Architecture
     Merged Routers and Bastion Host Using General-Purpose Hardware

IV. Keeping Your Site Secure

25. Security Policies
     Your Security Policy
     Putting Together a Security Policy
     Getting Strategic and Policy Decisions Made
     What If You Can't Get a Security Policy?

26. Maintaining Firewalls
     Housekeeping
     Monitoring Your System
     Keeping up to Date
     How Long Does It Take?
     When Should You Start Over?

27. Responding to Security Incidents
     Responding to an Incident
     What to Do After an Incident
     Pursuing and Capturing the Intruder
     Planning Your Response
     Being Prepared

V. Appendixes

A. Resources

B. Tools

C. Cryptography

Index

The author - Elizabeth D. Zwicky

Elizabeth D. Zwicky is a director at Counterpane Internet Security, a managed security
services company. She has been doing large-scale Unix system administration and related
work for 15 years, and was a founding board member of both the System Administrators
Guild (SAGE) and BayLISA (the San Francisco Bay Area system administrators group), as
well as a nonvoting member of the first board of the Australian system administration group,
SAGE-AU. She has been involuntarily involved in Internet security since before the 1988
Morris Internet worm.

The author - Simon Cooper

Simon Cooper is a computer professional currently working in Silicon Valley. He has
worked in different computer-related fields ranging from hardware through operating systems
and device drivers to application software and systems support in both commercial and
educational environments. He has an interest in the activities of the Internet Engineering Task
Force (IETF) and USENIX, is a member of the British Computer Conservation Society, and
is a founding member of the Computer Museum History Center. Simon has released a small
number of his own open source programs and has contributed time and code to the XFree86
project.

The author - Davis Chapman

D. Brent Chapman is a networking professional in Silicon Valley. He has designed and built
Internet firewall systems for a wide range of organizations, using a variety of techniques and
technologies. He is the founder of the Firewalls Internet mailing list, and creator of the
Majordomo mailing list management package. He is the founder, principal, and technical lead
of Great Circle Associates, Inc., a highly regarded strategic consulting and training firm
specializing in Internet networking and security.

Technical details

  PAPER
Publisher(s) O'Reilly
Author(s) Elizabeth D. Zwicky, Simon Cooper, Davis Chapman
Publication date 01/06/2000
Edition 2nd edition
Number of pages 890
Cover Paperback
Interior Black and white
EAN13 9781565928718
