Firewalls Complete - Beta Version
Foreword

Firewalls Complete: Table of Contents

Dedication

Acknowledgment

Preface

How is this book organized

Who should read this book?

About the author

Chapter 1

Internetworking Protocols and Standards: An Overview

Internet Protocol (IP)

How IP Addressing Works

IP Security Risks

IP Watcher: Hijacking the IP Protocol

User Datagram Protocol (UDP)

Attacking UDP services: SATAN at Ease

ISS for UNIX and Windows NT

Transmission Control Protocol (TCP)

IP Addresses

Rules

Classes and Masks

Extending IP Addresses Through CIDR

TCP/IP Security Risks and Countermeasure

IP Spoofing

Risk of Losing Confidentiality

Risk of Losing Integrity

tcpdump - A Text-based Countermeasure

Strobe: a Countermeasure for UNIX

IPSEC - an IETF IP Security Countermeasure

IPSO - a DoD IP Security Countermeasure

Routing Information Protocol (RIP)

MBONE - The Multicast Backbone

Internet Control Message Protocol (ICMP)

Internet Group Management Protocol (IGMP)

Open Shortest-Path First (OSPF)

Border Gateway Protocol Version 4 (BGP-4)

Address Resolution Protocol

Reverse Address Resolution Protocol (RARP)

Security Risks of Passing IP Datagram Through Routers

Simple Network Management Protocol (SNMP)

Watch Your ISP Connection.

The Internet Protocol Next Generation or IPv6

Address Expansion

Automatic Configuration of Network Devices

Security

Real-Time Performance

Multicasting

IPv6 Security

Network Time Protocol (NTP)

Dynamic Host Configuration Protocol (DHCP)

Windows Sockets (WINS)

Domain Name System (DNS)

Limiting DNS Information

Firewalls Concepts

The Flaws in Firewalls

Fun With DMZs

Authentication Issues

Trust at the Perimeter

Intranets

From Here…

Chapter 2

Basic Connectivity

What Happened to TTY

What is the Baudot Code?

UNIX to UNIX CoPy (UUCP)

SLIP and PPP

Rlogin

Virtual Terminal Protocol (TELNET)

Columbia University’s KERMIT: a Secure and Reliable TELNET Server

TELNET Services Security Considerations

A Systems Manager Approach to Network Security

From Who Are You Protecting Your Network?

Is All the Security Efforts Worth?

What does Your Gut Feelings Tell You?

Watch for Confidentiality

To Err is Human!

Where is your Achilles Tendon?

The KISS Principle!

TELNET Session Security Checklist

Trivial File Transfer Protocol (TFTP)

TFTP Security Considerations

File Transfer Protocol (FTP)

Some of the Challenges of Using Firewalls

Increasing Security on IP Networks

Chapter 3

Cryptography: Is it Enough?

Introduction

Symmetric Key Encryption (Private Keys)

Data Encryption Standard (DES)

International Data Encryption Algorithm (IDEA)

CAST

Skipjack

But is Skipjack Secure?

RC2/RC4

Asymmetric Key Encryption/Public Key Encryption:

RSA

Is RSA Algorithm Secure?

Digital Signature Standard (DSS)

Message Digest Algorithms

MD2, MD4 and MD5

Secure Hash Standard/Secure Hash Algorithm (SHS/SHA)

Certificates

Certificate Servers

DCS: What is Under the Hood?

The Certificate Server*

DCS Topology*

DCS Protocol*

Header Section Format*

Question Section Format*

The DCS Record*

Key Management

Kerberos

Getting to Know Kerberos Terms

What is in a Kerberos Session

A Typical Kerberos Session*

Getting a Ticket-Granting Ticket From the Kerberos Server*

Getting Application Service Tickets for Network Services from the Kerberos Server*

Summary Of Kerberos Authentication*

Cygnus’ KerbNet

Key-Exchange Algorithms (KEA)

Diffie-Hellman Public-Key Algorithm

Cryptanalysis and Attacks

Ciphertext-only Attack

Known-plaintext Attack

Chosen-plaintext Attack

Adaptive-chosen-plaintext Attack

Man-in-the-middle Attack

Chosen-ciphertext Attack

Chosen-key Attack

Rubber-hose Cryptanalysis

Timing Attack

Cryptography Applications and Application Programming Interfaces (APIs)

Data Privacy and Secure communications channel

Some Data Privacy Prime and Tools

Have a Password Policy*

Authentication

Authenticode

NT Security Support Provider Interface (SSPI)

Microsoft Cryptographic API (CryptoAPI)

Cryptography and Firewalling: The Dynamic Dual

Chapter 4

Firewalling Challenges: The Basic Web

HTTP

The Basic Web

What to Watch for on the HTTP Protocol

Taking Advantage of S-HTTP

Using SSL to Enhance Security

Be Careful When Caching the Web!

Plugging the Holes: a Configuration Checklist

A Security Checklist

Novell’s HTTP: Better be Careful

Watch for UNIX-based Web Server Security Problems

URI/URL

File URLs

Gopher URLs

News URLs

Partial URLs

CGI

Chapter 5

Firewalling Challenges: The Advanced Web

Extending the Web Server: Increased Risks

ISAPI

CGI

Internet Server API (ISAPI)

A Security Hole on IIS exploits ISAPI

What can you do About it?

NSAPI

Servlets

Servlets Applicability

Denali

Web Database gateways

Cold Fusion

Microsoft Advanced Data Connector (ADC)

Security of E-mail Applications

Macromedia’s Shockwave

Shockwave’s Security Hole

The Security Hole Explained

Countermeasures to the Shockwave Exploit

Code in Web pages

Java applets

ActiveX controls and Security Threats

ActiveX: Silently Manipulating Security Policies

ActiveX Security Threat Countermeasures

Chapter 6

The APIs Security Holes and Its Firewall Interactions

Sockets

BSD sockets

Windows sockets

Java APIs

Perl modules

CGI Scripts

ActiveX

ActiveX DocObjects

Distributed Processing

XDR/RPC

RPC

COM/DCOM

Chapter 7

What is an Internet/Intranet Firewall After All?

What are Firewalls After All?

The Purpose of a Firewall

The Firewall Role of Protection

Firewalls Providing Access Control

The Security Role of a Firewall

Promoting Privacy with a Firewall

Advantages and Disadvantages of Firewalls

Access Restrictions

Back-Door Challenges: The Modem Threat

Risk of Insider Attacks

Firewall Components

Network Security Policy

Flexibility Policy

Service-Access Policy

Firewall Design Policy

Information Policy

Dial-in and Dial-out Policy

Advanced Authentication

Packet Filtering

Procuring a Firewall

Needs Assessment

Buying a Firewall

Building a Firewall

Setting It Up

Select the Hardware Required

Install the Necessary Software

Connecting and Configuring the Computer on the Network

Testing it

Adding Security Through Firewalling Software

General Considerations When Installing a Firewall

Defining a Security Policy with a Firewall Product

Administrating a Firewall

Management Expertise

System Administration

Circuit-Level Gateways and Packet Filters

Packet Filtering

Application Gateways

IP-Level Filtering

Chapter 8

How Vulnerable Are Internet Services?

Protecting and Configuring Vulnerable Services

Electronic Mail Security Threats

Simple Mail Transfer Protocol (SMTP)

Preventing against E-mail Attacks

Be Careful With E-Mail Attachments

Post Office Protocol (POP)

Multimedia Internet Mail Extensions (MIME)

File Transferring Issues

File Transfer Protocol (FTP)

Trivial File Transfer Protocol (TFTP)

File Service Protocol (FSP)

UNIX-to-UNIX Copy Protocol (UUCP)

The Network News Transfer Protocol (NNTP)

The Web and the HTTP Protocol

Proxying HTTP

HTTP Security Holes

Security of Conferencing

Watch This Services

Gopher

finger

whois

talk

IRC

DNS

Network Management Station (NMS)

Simple Network Management Protocol (SNMP)

traceroute

Network File System (NFS)

Confidentiality and Integrity

Chapter 9

Setting Up a Firewall Security Policy

Assessing Your Corporate Security Risks

Data Security

Understanding and Estimating the Threat

The Virus Threat

Outside Threats

Inside Threat

A Word About Security Holes

Setting up a Security Policy

A Security Policy Template

Chapter 10

Putting It Together: Firewall design and Implementation

Reviewing the Basics

Selecting a Firewall

Considerations About the Security Policy

Issues to Consider About Physical Security

Issues to Consider About Access Control

Issues to Consider About Authentication

Issues to Consider About Encryption

Issues to Consider About Security Auditing

Issues to Consider About Training

Responding to an Incident: Your Network Under Attack

Dealing With an Incident

Network Information Service as Cracking Tool

Remote Login/Shell Service as Cracking Tool

Network File System as Cracking Tool

File Transfer Protocol Service as Cracking Tool

To Do List in Case of an Incident

Assessing the Situation

Cutting Off the Link

Analyze the Problem

Take Action

Catching an Intruder

Reviewing Security

Persecuting the Hacker: What the Legal System has to Say

What The Legal System Has To Say

The Current Regulations

Protecting Your Corporate Site

Preventing Break-ins at Your Site

Final Considerations

Chapter 11

Proxy Servers

SOCKS

Tcpd, the TCP Wrapper

Setting Up and Configuring the Proxy Server

Chapter 12

Firewall Maintenance

Keeping Your Firewall in Tune

Monitoring Your System

Monitoring the Unmonitored Threats

Preventive and Curative Maintenance

Preventing Security Breaches on Your Firewall

Identifying Security Holes

Recycling Your Firewall

Chapter 13

Firewall Toolkits And Case Studies

The TIS Internet Firewall Toolkit

Case Studies: Implementing Firewalls

Firewalling a Big Organization: Application-Level Firewall and Package Filtering, a Hybrid System

Firewalling a Small Organization: Packet Filtering or Application-Level Firewall, a Proxy Implementation

Firewalling in a Subnet Architecture

Chapter 14

Types of Firewalls and Products on the Market

Check Point’s Firewall-1 Firewall - Stateful Inspection Technology

FireWall-1 Inspection Module

Full State Awareness

Securing "Stateless" Protocols

The INSPECT Language

Stateful Inspection: Under the hood

Extensible Stateful Inspection

The INSPECT Engine

Securing Connectionless Protocols such as UDP

Securing Dynamically Allocated Port Connections

Firewall-1 Performance

Systems Requirements

CYCON’s Labyrinth Firewall - The "Labyrinth-like" System

An Integrated Stateful Inspection

Intelligent Connection Tracking

Redirecting Traffic

Transparent Redirection to Fault-Tolerant Systems*

Diverting Scanning Programs*

Network Address Translation

Load Balancing of Connections

Multi-Host Load Balancing*

Proxying - Source Address Rewriting

Spoofing - Destination Address Rewriting

IPSec - Encryption

IPSec Filter*

IPSec Gateway*

Common Use*

Protection of Attached Networks and Hosts

Protection of Individual Hosts

Systems Requirements

NetGuard’s Guardian Firewall System - MAC Layer Stateful Inspection

A Unprecedented Internet Management Tools.

Visual Indicator of Enterprise-Wide Agent Activity:

Extended Gateway Information

Activity Monitoring Screen

Enhanced Activity Monitoring Screen:

Monitoring User’s Connectivity

Firewall Strategy Wizard

WAN Adapter Support

Logoff Command on Authentication Client

CyberGuard’s CyberGuard Firewall - Hardening the OS

The Trusted Operating System

Intuitive Remote Graphical User Interface (GUI)

Dynamic Stateful Rule Technology

Certifiable Technology

Systems Requirements

Raptor’s Eagle Firewall - An application-level Architecture

Enforcing Security at All Levels of the Network

Reliance on Dedicated Security Proxies

Using Raptor’s Firewalls Eagle Family

Graphical Policy Configuration

Consistent Management- Locally or Remote

The Flexibility to Allow "Transparent" Access

Address Redirection

Fine-grained control of VPN Tunnels

Integrated Web Blocking Capability

HTTP Service limitations*

Systems Requirements

Milkyway’s SecurIT Firewall - a Factory Hardened BSDI Kernel

A Bullet Proof Firewall

Building a Secure Kernel

SecurIT Firewall Kernel Modifications*

Kernel Security Features are Certified By CSE*

Key Management

Key Management and Certification Service*

In-house Key Management*

Manual Public Key Management*

Private Keys*

Something Else You Should Know: Ubiquitous Monitoring of All Ports

Watch for Port Numbers: The Milkyway Way*

Defending Against Common Attack Methods

Buffer Overflow*

Trojan Horses Running on the Firewall*

Spoofing*

Sniffing*

Hijacking*

Systems Requirements

Seattle Software’s Watchguard Security Management System - Combining All Major Approaches to Firewall Design

WatchGuard at Glance

WatchGuard Security Management System

WatchGuard’s Firebox

WatchGuard’s Global Console

WatchGuard Graphical Monitor

WatchGuard Reporting System

WatchGuard WebBlocker

Systems Requirements:

AltaVista Software’s Firewall 97 - The Active Firewall

AltaVista Firewall: Always in Motion

Services: a Matter of Security

Security: Supporting SSL

Management Features: Remote Management Through Tunneling

URL and Java Blocking

Enhanced Proxy

Powerful and Flexible Authentication

Dual-DNS Server

DMZ Support

Configuration

Hardware Requirements

ANS Communications’s InterLock Firewall - a Dual-Homed Application Level Gateway

ANS InterLock

ANS InterLock Service

Enhanced features in Version 4.0

InterLock’s Access Controls

InterLock’s Access Management

Audit Levels

URL-Level Controls

Log Files

InterLock’s Reports Feature

ANS InterLock Service For Intrusion Detection

Summary of InterLock’s Security Feature

Global Technology’s Gnat Box Firewall - a firewall in a floppy disk

Getting to Know GNAT Box Firewall

Outbound Packets from the Protected Network

Inbound Packets from the External Network

Outbound Packets from the PSN

How Tunnels Work in GNAT Box

Standard Features

What is GNAT Box Firewall?

Network-1 Software and Technology’s Firewall/Plus - a High Performance Multi-Protocol Firewall

About Firewall/Plus

Installation, Set-up and Use of FireWall/Plus

Selecting a Default Rule Base for FireWall/Plus

Performance Statistics

Additional and Advanced Filtering

Summary of Features of FireWall/Plus

Technical Specifications

Special Features and General Characteristics

Systems Requirements

Trusted Information Systems’s Gauntlet Internet - an application proxy-based Firewall

TIS Gauntlet Internet Firewalls

A Firewall Transparent to the User

Extending Firewall Protection to Remote Offices

Gauntlet Net Extender

Gauntlet PC Extender

Technologic’s Interceptor Firewall - an Intuitive Firewall

An Overview of Technologic’s Interceptor

Interceptor’s Components

Virtual Private Networking

Secure Encryption for All Applications

Transparent Encryption for Users

Internet Scanner

The FTP Proxy

Telnet and Rlogin Proxy

HTTP Proxy

E-Mail Proxy

X11 Proxy and Generic TCP Proxy

The Authentication Server

The Domain Name Service

Real Audio/Real Video Proxy

RADAR and Utility Command Server

Web Caching and Java and ActiveX Blocking

Multiple Firewall Management

Systems Requirements

Sun’s Sunscreen EFS Firewall - a Stateful Inspection Firewall

The SunScreen Model

Secure access control.

Ease of administration.

SunScreen SPF-200 and SunScreen EFS Security Solutions

SunScreen SPF’s Features

SunScreen SPF-200

Features and Benefits

SunScreen EFS

Features and Benefits

System Requirements

Solstice FireWall-1 3.0

Solstice FireWall-1 Features

Comprehensive Services Support

Encryption Support for Data Privacy - Virtual Private Networks

Client Authentication

Anti-Spoofing and SNMP Management

Secure Computing’s Borderware Firewall: Combining Packet Filters and Circuit-Level Gateways

The BorderWare Firewall Server

Transparency

Network Address Translation

Packet Filtering

Circuit-Level Gateway

Applications Servers

Audit Trails and Alarms

Transparent Proxies

BorderWare Application Services

Mail Servers (SMTP and POP)

Mail Domain Name Hiding*

POP Mail Server*

Anonymous FTP Server

News Server

Web Server

Finger (Information) Server

Encryption Features

Automatic Backups

Security Features

Ukiah Software’s NetRoad Firewall: a Multi-Level Architecture Firewall

NetRoad FireWall for Windows NT and NetWare

Security for Mixed Protocol (IP and IPX) Networks

Simple Management and NDS Integration

Multi-level Firewall Security and User Authentication

NetWare and NT Firewall Support

High Performance

Future Evolution of the NetRoad FireWALL Platform

System Requirements

Secure Computing’s Sidewinder Firewall: a Type Enforcement Security

The Sidewinder Security Server

The Patented Type Enforcement Security

Remote Management

Access Controls

Extensive Event Monitoring

Advanced Filtering

Email filtering

Web page filtering

Java applet filtering

IBM’s Internet Connection Secure Server Firewall: a Type Enforcement Security

The IBM Firewall V3.1 for AIX

Great Level of Protection

Greater Accessibility

IBM Firewall Filtering

IBM Firewall as an Application-Level Proxy

IBM Firewall as a Circuit-Level Proxy

Use of Encryption

Managing the IBM Firewall

Main IBM Firewall Features

Network Address Translation

SafeMail

Strong Authentication

Hardening

Communicating through Virtual Private Networks

Using the Network Security Auditor

Administering the Firewall

Enterprise Firewall Manager

System requirements

Appendix A:

List of Firewall Resellers and Related Tools

AlterNet:

Atlantic Computing Technology Corporation

ARTICON Information Systems GmbH

Cisco Routers

Cohesive Systems

Collage Communications, Inc.

Conjungi Corporation

Cypress Systems Corporation, (Raptor reseller)

Data General Corp. (Gauntlet Reseller)

Decision-Science Applications, Inc.

E92 PLUS LTD

Enterprise System Solutions, Inc.(BorderWare reseller)

E.S.N - Serviço e Comércio de Informática Ltda.

FSA Corporation

IConNet

Igateway by Sun Consulting.

Ingress Consulting Group, LTD

INTERNET GmbH

Jeff Flynn & Associates

Media Communications eur ab, (Gauntlet Reseller)

Mergent International, Inc. (Gauntlet Reseller)

Momentum Pty Ltd

NetPartners (Phil Trubey), (JANUS Reseller)

Network Translation Services

OpenSystems, Inc.

PDC

PENTA

PRC

Racal-Airtech Ltd, (Eagle reseller)

RealTech Systems

Sea Change Corporation, (JANUS reseller)

Security Dynamics Technologies

Softway Pty Ltd, (Gauntlet Reseller)

Spanning Tree Technologies Network Security Analysis Tool

Stalker by Haystack Labs, Inc.

Stonesoft Corporation

TeleCommerce

Trident Data Systems, (SunScreen provider)

Tripcom Systems Inc.

Trusted Network Solutions (Pty) Ltd.

UNIXPAC AUSTRALIA

X + Open Systems Pty Ltd., (Internet Consultants)

Zeuros Limited

Firewall Tools: Public Domain and Shareware, Etc.

Drawbridge

Freestone by SOS Corporation

fwtk - TIS Firewall Toolkit

ISS

SOCKS

Chapter 15

Glossary

Bibliography & Webliography

Partial Webliography List

A Division of the McGraw-Hill Companies