Building Internet Firewalls 2e

Table of Contents

Preface

I. Network Security

1. Why Internet Firewalls?
   What Are You Trying to Protect?; What Are You Trying to Protect Against?; Who Do You Trust?; How Can You Protect Your Site?; What Is an Internet Firewall?; Religious Arguments
2. Internet Services
   Secure Services and Safe Services; The World Wide Web; Electronic Mail and News; File Transfer, File Sharing, and Printing; Remote Access; Real-Time Conferencing Services; Naming and Directory Services; Authentication and Auditing Services; Administrative Services; Databases; Games
3. Security Strategies
   Least Privilege; Defense in Depth; Choke Point; Weakest Link; Fail-Safe Stance; Universal Participation; Diversity of Defense; Simplicity; Security Through Obscurity

II. Building Firewalls

4. Packets and Protocols
   What Does a Packet Look Like?; IP; Protocols Above IP; Protocols Below IP; Application Layer Protocols; IP Version 6; Non-IP Protocols; Attacks Based on Low-Level Protocol Details
5. Firewall Technologies
   Some Firewall Definitions; Packet Filtering; Proxy Services; Network Address Translation; Virtual Private Networks
6. Firewall Architectures
   Single-Box Architectures; Screened Host Architectures; Screened Subnet Architectures; Architectures with Multiple Screened Subnets; Variations on Firewall Architectures; Terminal Servers and Modem Pools; Internal Firewalls
7. Firewall Design
   Define Your Needs; Evaluate the Available Products; Put Everything Together
8. Packet Filtering
   What Can You Do with Packet Filtering?; Configuring a Packet Filtering Router; What Does the Router Do with Packets?; Packet Filtering Tips and Tricks; Conventions for Packet Filtering Rules; Filtering by Address; Filtering by Service; Choosing a Packet Filtering Router; Packet Filtering Implementations for General-Purpose Computers; Where to Do Packet Filtering; What Rules Should You Use?; Putting It All Together
9. Proxy Systems
   Why Proxying?; How Proxying Works; Proxy Server Terminology; Proxying Without a Proxy Server; Using SOCKS for Proxying; Using the TIS Internet Firewall Toolkit for Proxying; Using Microsoft Proxy Server; What If You Can't Proxy?
10. Bastion Hosts
   General Principles; Special Kinds of Bastion Hosts; Choosing a Machine; Choosing a Physical Location; Locating Bastion Hosts on the Network; Selecting Services Provided by a Bastion Host; Disabling User Accounts on Bastion Hosts; Building a Bastion Host; Securing the Machine; Disabling Nonrequired Services; Operating the Bastion Host; Protecting the Machine and Backups
11. Unix and Linux Bastion Hosts
   Which Version of Unix?; Securing Unix; Disabling Nonrequired Services; Installing and Modifying Services; Reconfiguring for Production; Running a Security Audit
12. Windows NT and Windows 2000 Bastion Hosts
   Approaches to Building Windows NT Bastion Hosts; Which Version of Windows NT?; Securing Windows NT; Disabling Nonrequired Services; Installing and Modifying Services

III. Internet Services

13. Internet Services and Firewalls
   Attacks Against Internet Services; Evaluating the Risks of a Service; Analyzing Other Protocols; What Makes a Good Firewalled Service?; Choosing Security-Critical Programs; Controlling Unsafe Configurations
14. Intermediary Protocols
   Remote Procedure Call (RPC); Distributed Component Object Model (DCOM); NetBIOS over TCP/IP (NetBT); Common Internet File System (CIFS) and Server Message Block (SMB); Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP); ToolTalk; Transport Layer Security (TLS) and Secure Socket Layer (SSL); The Generic Security Services API (GSSAPI); IPsec; Remote Access Service (RAS); Point-to-Point Tunneling Protocol (PPTP); Layer 2 Transport Protocol (L2TP)
15. The World Wide Web
   HTTP Server Security; HTTP Client Security; HTTP; Mobile Code and Web-Related Languages; Cache Communication Protocols; Push Technologies; RealAudio and RealVideo; Gopher and WAIS
16. Electronic Mail and News
   Electronic Mail; Simple Mail Transfer Protocol (SMTP); Other Mail Transfer Protocols; Microsoft Exchange; Lotus Notes and Domino; Post Office Protocol (POP); Internet Message Access Protocol (IMAP); Microsoft Messaging API (MAPI); Network News Transfer Protocol (NNTP)
17. File Transfer, File Sharing, and Printing
   File Transfer Protocol (FTP); Trivial File Transfer Protocol (TFTP); Network File System (NFS); File Sharing for Microsoft Networks; Summary of Recommendations for File Sharing; Printing Protocols; Related Protocols
18. Remote Access to Hosts
   Terminal Access (Telnet); Remote Command Execution; Remote Graphical Interfaces
19. Real-Time Conferencing Services
   Internet Relay Chat (IRC); ICQ; talk; Multimedia Protocols; NetMeeting; Multicast and the Multicast Backbone (MBONE)
20. Naming and Directory Services
   Domain Name System (DNS); Network Information Service (NIS); NetBIOS for TCP/IP Name Service and Windows Internet Name Service; The Windows Browser; Lightweight Directory Access Protocol (LDAP); Active Directory; Information Lookup Services
21. Authentication and Auditing Services
   What Is Authentication?; Passwords; Authentication Mechanisms; Modular Authentication for Unix; Kerberos; NTLM Domains; Remote Authentication Dial-in User Service (RADIUS); TACACS and Friends; Auth and identd
22. Administrative Services
   System Management Protocols; Routing Protocols; Protocols for Booting and Boot-Time Configuration; ICMP and Network Diagnostics; Network Time Protocol (NTP); File Synchronization; Mostly Harmless Protocols
23. Databases and Games
   Databases; Games
24. Two Sample Firewalls
   Screened Subnet Architecture; Merged Routers and Bastion Host Using General-Purpose Hardware

IV. Keeping Your Site Secure

25. Security Policies
   Your Security Policy; Putting Together a Security Policy; Getting Strategic and Policy Decisions Made; What If You Can't Get a Security Policy?
26. Maintaining Firewalls
   Housekeeping; Monitoring Your System; Keeping up to Date; How Long Does It Take?; When Should You Start Over?
27. Responding to Security Incidents
   Responding to an Incident; What to Do After an Incident; Pursuing and Capturing the Intruder; Planning Your Response; Being Prepared

V. Appendixes

A. Resources
B. Tools
C. Cryptography

Index

About the Author

Elizabeth D. Zwicky is a director at Counterpane Internet Security, a managed security services company. She has been doing large-scale Unix system administration and related work for 15 years, and was a founding board member of both the System Administrators Guild (SAGE) and BayLISA (the San Francisco Bay Area system administrators group), as well as a nonvoting member of the first board of the Australian system administration group, SAGE-AU. She has been involuntarily involved in Internet security since before the 1988 Morris Internet worm. In her lighter moments, she is one of the few people who makes significant use of the rand function in PostScript, producing PostScript documents that are different every time they're printed.

Simon Cooper is a computer professional currently working in Silicon Valley. He has worked in different computer-related fields ranging from hardware through operating systems and device drivers to application software and systems support in both commercial and educational environments. He has an interest in the activities of the Internet Engineering Task Force (IETF) and USENIX, is a member of the British Computer Conservation Society, and is a founding member of the Computer Museum History Center. Simon has released a small number of his own open source programs and has contributed time and code to the XFree86 project. In his spare time, Simon likes to play ice hockey, solve puzzles of a mathematical nature, and tinker with Linux.

D. Brent Chapman is a networking professional in Silicon Valley. He has designed and built Internet firewall systems for a wide range of organizations, using a variety of techniques and technologies. He is the founder of the Firewalls Internet mailing list, and creator of the Majordomo mailing list management package. He is the founder, principal, and technical lead of Great Circle Associates, Inc., a highly regarded strategic consulting and training firm specializing in Internet networking and security. Over the last 15 years, Brent has worked in a variety of consulting, engineering, and management roles in information technology, operations, and technology marketing for a wide range of employers and clients, including the Xerox Palo Alto Research Center (PARC), Silicon Graphics, Inc. (SGI), and Covad Communications Company.
