Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition

Book Description

The best-selling first edition of Firewalls and Internet Security became the bible of Internet security by showing a generation of Internet security experts how to think about threats and solutions. This completely updated and expanded second edition defines the security problems companies face in today's Internet, identifies the weaknesses in the most popular security technologies, and illustrates the ins and outs of deploying an effective firewall. Readers will learn how to plan and execute a security strategy that allows easy access to Internet services while defeating even the wiliest of hackers.

Firewalls and Internet Security, Second Edition, draws upon the authors' experiences as researchers in the forefront of their field since the beginning of the Internet explosion.

The book begins with an introduction to their philosophy of Internet security. It progresses quickly to a dissection of possible attacks on hosts and networks and describes the tools and techniques used to perpetrate--and prevent--such attacks. The focus then shifts to firewalls and virtual private networks (VPNs), providing a step-by-step guide to firewall deployment. Readers are immersed in the real-world practices of Internet security through a critical examination of problems and practices on today's intranets, as well as discussions of the deployment of a hacking-resistant host and of intrusion detection systems (IDS). The authors scrutinize secure communications over insecure networks and conclude with their predictions about the future of firewalls and Internet security.

The book's appendixes provide an introduction to cryptography and a list of resources (also posted to the book's Web site) that readers can rely on for tracking further security developments.

Armed with the authors' hard-won knowledge of how to fight off hackers, readers of Firewalls and Internet Security, Second Edition, can make security decisions that will make the Internet--and their computers--safer.



020163466XB01302003

Table of Contents

  1. Copyright
    1. Dedication
  2. Addison-Wesley Professional Computing Series
  3. Preface to the Second Edition
    1. Crystal Ball or Bowling Ball?
    2. Our Approach
    3. Errata and Updates
    4. Acknowledgments
  4. Preface to the First Edition
    1. Audience
    2. Terminology
    3. Acknowledgments
  5. I. Getting Started
    1. 1. Introduction
      1. 1.1. Security Truisms
      2. 1.2. Picking a Security Policy
        1. 1.2.1. Policy Questions
        2. 1.2.2. Stance
      3. 1.3. Host-Based Security
      4. 1.4. Perimeter Security
      5. 1.5. Strategies for a Secure Network
        1. 1.5.1. Host Security
        2. 1.5.2. Gateways and Firewalls
        3. 1.5.3. DMZs
        4. 1.5.4. Encryption—Communications Security
      6. 1.6. The Ethics of Computer Security
      7. 1.7. WARNING
    2. 2. A Security Review of Protocols: Lower Layers
      1. 2.1. Basic Protocols
        1. 2.1.1. IP
          1. IP Addresses
        2. 2.1.2. ARP
        3. 2.1.3. TCP
          1. TCP Open
          2. TCP Sessions
        4. 2.1.4. SCTP
        5. 2.1.5. UDP
        6. 2.1.6. ICMP
      2. 2.2. Managing Addresses and Names
        1. 2.2.1. Routers and Routing Protocols
          1. BGP
        2. 2.2.2. The Domain Name System
          1. DNSsec
        3. 2.2.3. BOOTP and DHCP
      3. 2.3. IP version 6
        1. 2.3.1. IPv6 Address Formats
        2. 2.3.2. Neighbor Discovery
        3. 2.3.3. DHCPv6
        4. 2.3.4. Filtering IPv6
      4. 2.4. Network Address Translators
      5. 2.5. Wireless Security
        1. 2.5.1. Fixing WEP
    3. 3. Security Review: The Upper Layers
      1. 3.1. Messaging
        1. 3.1.1. SMTP
        2. 3.1.2. MIME
        3. 3.1.3. POP version 3
        4. 3.1.4. IMAP Version 4
        5. 3.1.5. Instant Messaging
      2. 3.2. Internet Telephony
        1. 3.2.1. H.323
        2. 3.2.2. SIP
      3. 3.3. RPC-Based Protocols
        1. 3.3.1. RPC and Rpcbind
        2. 3.3.2. NIS
        3. 3.3.3. NFS
        4. 3.3.4. Andrew
      4. 3.4. File Transfer Protocols
        1. 3.4.1. TFTP
        2. 3.4.2. FTP
        3. 3.4.3. SMB Protocol
      5. 3.5. Remote Login
        1. 3.5.1. Telnet
        2. 3.5.2. The “r” Commands
        3. 3.5.3. Ssh
      6. 3.6. Simple Network Management Protocol—SNMP
      7. 3.7. The Network Time Protocol
      8. 3.8. Information Services
        1. 3.8.1. Finger: Looking Up People
        2. 3.8.2. Whois—Database Lookup Service
        3. 3.8.3. LDAP
        4. 3.8.4. World Wide Web
        5. 3.8.5. NNTP—Network News Transfer Protocol
        6. 3.8.6. Multicasting and the MBone
      9. 3.9. Proprietary Protocols
        1. 3.9.1. RealAudio
        2. 3.9.2. Oracle’s SQL*Net
        3. 3.9.3. Other Proprietary Services
      10. 3.10. Peer-to-Peer Networking
      11. 3.11. The X11 Window System
        1. 3.11.1. xdm
      12. 3.12. The Small Services
    4. 4. The Web: Threat or Menace?
      1. 4.1. The Web Protocols
        1. 4.1.1. HTTP
          1. Maintaining Connection State
        2. 4.1.2. SSL
        3. 4.1.3. FTP
        4. 4.1.4. URLs
      2. 4.2. Risks to the Clients
        1. 4.2.1. ActiveX
        2. 4.2.2. Java and Applets
        3. 4.2.3. JavaScript
        4. 4.2.4. Browsers
      3. 4.3. Risks to the Server
        1. 4.3.1. Access Controls
        2. 4.3.2. Server-Side Scripts
        3. 4.3.3. Securing the Server Host
        4. 4.3.4. Choice of Server
      4. 4.4. Web Servers vs. Firewalls
      5. 4.5. The Web and Databases
      6. 4.6. Parting Thoughts
  6. II. The Threats
    1. 5. Classes of Attacks
      1. 5.1. Stealing Passwords
      2. 5.2. Social Engineering
      3. 5.3. Bugs and Back Doors
      4. 5.4. Authentication Failures
        1. 5.4.1. Authentication Races
      5. 5.5. Protocol Failures
      6. 5.6. Information Leakage
      7. 5.7. Exponential Attacks—Viruses and Worms
      8. 5.8. Denial-of-Service Attacks
        1. 5.8.1. Attacks on a Network Link
        2. 5.8.2. Attacking the Network Layer
          1. Killer and ICMP Packets
          2. SYN Packet Attacks
          3. Application-Level Attacks—Spam
        3. 5.8.3. DDoS
        4. 5.8.4. What to Do About a Denial-of-Service Attack
          1. Filter Out the Bad Packets
          2. Improve the Processing Software
          3. Hunt Them Down Like Dogs
          4. Increase the Capacity of the Target
        5. 5.8.5. Backscatter
      9. 5.9. Botnets
      10. 5.10. Active Attacks
    2. 6. The Hacker’s Workbench, and Other Munitions
      1. 6.1. Introduction
      2. 6.2. Hacking Goals
      3. 6.3. Scanning a Network
      4. 6.4. Breaking into the Host
      5. 6.5. The Battle for the Host
        1. 6.5.1. Setuid root Programs
        2. 6.5.2. Rootkit
      6. 6.6. Covering Tracks
        1. 6.6.1. Back Doors
      7. 6.7. Metastasis
      8. 6.8. Hacking Tools
        1. 6.8.1. Crack—Dictionary Attacks on Unix Passwords
        2. 6.8.2. Dsniff—Password Sniffing Tool
        3. 6.8.3. Nmap—Find and Identify Hosts
        4. 6.8.4. Nbaudit—Check NetBIOS Share Information
        5. 6.8.5. Juggernaut—TCP Hijack Tool
        6. 6.8.6. Nessus—Port Scanning
        7. 6.8.7. DDoS Attack Tools
        8. 6.8.8. Ping of Death—Issuing Pathological Packets
        9. 6.8.9. Virus Construction Kits
        10. 6.8.10. Other Tools
      9. 6.9. Tiger Teams
  7. III. Safer Tools and Services
    1. 7. Authentication
      1. 7.1. Remembering Passwords
        1. 7.1.1. Rolling the Dice
        2. 7.1.2. The Real Cost of Passwords
      2. 7.2. Time-Based One-Time Passwords
      3. 7.3. Challenge/Response One-Time Passwords
      4. 7.4. Lamport’s One-Time Password Algorithm
      5. 7.5. Smart Cards
      6. 7.6. Biometrics
      7. 7.7. RADIUS
      8. 7.8. SASL: An Authentication Framework
      9. 7.9. Host-to-Host Authentication
        1. 7.9.1. Network-Based Authentication
        2. 7.9.2. Cryptographic Techniques
      10. 7.10. PKI
    2. 8. Using Some Tools and Services
      1. 8.1. Inetd—Network Services
      2. 8.2. Ssh—Terminal and File Access
        1. 8.2.1. Single-Factor Authentication for ssh
        2. 8.2.2. Two-Factor Authentication
        3. 8.2.3. Authentication Shortcomings
        4. 8.2.4. Server Authentication
      3. 8.3. Syslog
      4. 8.4. Network Administration Tools
        1. 8.4.1. Network Monitoring
        2. 8.4.2. Using Tcpdump
        3. 8.4.3. Ping, Traceroute, and Dig
      5. 8.5. Chroot—Caging Suspect Software
      6. 8.6. Jailing the Apache Web Server
        1. 8.6.1. CGI Wrappers
        2. 8.6.2. Security of This Web Server
      7. 8.7. Aftpd—A Simple Anonymous FTP Daemon
      8. 8.8. Mail Transfer Agents
        1. 8.8.1. Postfix
      9. 8.9. POP3 and IMAP
      10. 8.10. Samba: An SMB Implementation
      11. 8.11. Taming Named
      12. 8.12. Adding SSL Support with Sslwrap
  8. IV. Firewalls and VPNs
    1. 9. Kinds of Firewalls
      1. 9.1. Packet Filters
        1. 9.1.1. Network Topology and Address-Spoofing
        2. 9.1.2. Routing Filters
        3. 9.1.3. Sample Configurations
        4. 9.1.4. Packet-Filtering Performance
      2. 9.2. Application-Level Filtering
      3. 9.3. Circuit-Level Gateways
      4. 9.4. Dynamic Packet Filters
        1. 9.4.1. Implementation Options
        2. 9.4.2. Replication and Topology
        3. 9.4.3. The Safety of Dynamic Packet Filters
      5. 9.5. Distributed Firewalls
      6. 9.6. What Firewalls Cannot Do
    2. 10. Filtering Services
      1. 10.1. Reasonable Services to Filter
        1. 10.1.1. DNS
        2. 10.1.2. Web
        3. 10.1.3. FTP
        4. 10.1.4. TCP
        5. 10.1.5. NTP
        6. 10.1.6. SMTP/Mail
        7. 10.1.7. POP3/IMAP
        8. 10.1.8. ssh
      2. 10.2. Digging for Worms
      3. 10.3. Services We Don’t Like
        1. 10.3.1. UDP
        2. 10.3.2. H.323 and SIP
        3. 10.3.3. RealAudio
        4. 10.3.4. SMB
        5. 10.3.5. X Windows
      4. 10.4. Other Services
        1. 10.4.1. IPsec, GRE, and IP over IP
        2. 10.4.2. ICMP
      5. 10.5. Something New
    3. 11. Firewall Engineering
      1. 11.1. Rulesets
      2. 11.2. Proxies
      3. 11.3. Building a Firewall from Scratch
        1. 11.3.1. Building a Simple, Personal Firewall
        2. 11.3.2. Building a Firewall for an Organization
          1. Ipftest
        3. 11.3.3. Application-Based Filtering
      4. 11.4. Firewall Problems
        1. 11.4.1. Inadvertent Problems
        2. 11.4.2. Intentional Subversions
        3. 11.4.3. Handling IP Fragments
        4. 11.4.4. The FTP Problem
        5. 11.4.5. Firewalking
        6. 11.4.6. Administration
      5. 11.5. Testing Firewalls
        1. 11.5.1. Tiger Teams
        2. 11.5.2. Rule Inspection
          1. The Rules
          2. Manual Inspection
          3. Computer-Assisted Inspection
    4. 12. Tunneling and VPNs
      1. 12.1. Tunnels
        1. 12.1.1. Tunnels Good and Bad
      2. 12.2. Virtual Private Networks (VPNs)
        1. 12.2.1. Remote Branch Offices
        2. 12.2.2. Joint Ventures
        3. 12.2.3. Telecommuting
          1. Direct Connection to a Company
          2. Connecting Through an ISP
          3. Networking on the Road
      3. 12.3. Software vs. Hardware
        1. 12.3.1. VPN in Software
        2. 12.3.2. VPN in Hardware
  9. V. Protecting an Organization
    1. 13. Network Layout
      1. 13.1. Intranet Explorations
      2. 13.2. Intranet Routing Tricks
      3. 13.3. In Host We Trust
      4. 13.4. Belt and Suspenders
      5. 13.5. Placement Classes
    2. 14. Safe Hosts in a Hostile Environment
      1. 14.1. What Do We Mean by “Secure”?
      2. 14.2. Properties of Secure Hosts
        1. 14.2.1. Secure Clients
          1. Windows and Macintoshes
          2. Single-User, Unix-Like Systems
          3. Multi-User Hosts
        2. 14.2.2. Secure Servers
        3. 14.2.3. Secure Routers and Other Network Elements
      3. 14.3. Hardware Configuration
      4. 14.4. Field-Stripping a Host
      5. 14.5. Loading New Software
      6. 14.6. Administering a Secure Host
        1. 14.6.1. Access
        2. 14.6.2. Console Access
        3. 14.6.3. Logging
        4. 14.6.4. Backup
        5. 14.6.5. Software Updates
        6. 14.6.6. Watching the Roost
      7. 14.7. Skinny-Dipping: Life Without a Firewall
    3. 15. Intrusion Detection
      1. 15.1. Where to Monitor
      2. 15.2. Types of IDSs
      3. 15.3. Administering an IDS
      4. 15.4. IDS Tools
        1. 15.4.1. Snort
  10. VI. Lessons Learned
    1. 16. An Evening with Berferd
      1. 16.1. Unfriendly Acts
      2. 16.2. An Evening with Berferd
      3. 16.3. The Day After
      4. 16.4. The Jail
      5. 16.5. Tracing Berferd
      6. 16.6. Berferd Comes Home
    2. 17. The Taking of Clark
      1. 17.1. Prelude
      2. 17.2. Clark
      3. 17.3. Crude Forensics
      4. 17.4. Examining Clark
        1. 17.4.1. /usr/lib
        2. 17.4.2. /usr/var/tmp
      5. 17.5. The Password File
      6. 17.6. How Did They Get In?
        1. 17.6.1. How Did They Become Root?
        2. 17.6.2. What Did They Get of Value?
      7. 17.7. Better Forensics
      8. 17.8. Lessons Learned
    3. 18. Secure Communications over Insecure Networks
      1. 18.1. The Kerberos Authentication System
        1. 18.1.1. Limitations
      2. 18.2. Link-Level Encryption
      3. 18.3. Network-Level Encryption
        1. 18.3.1. ESP and AH
        2. 18.3.2. Key Management for IPsec
      4. 18.4. Application-Level Encryption
        1. 18.4.1. Remote Login: Ssh
        2. 18.4.2. SSL—The Secure Socket Layer
          1. Protocol Overview
          2. Security
        3. 18.4.3. Authenticating SNMP
        4. 18.4.4. Secure Electronic Mail
          1. S/MIME
          2. PGP
        5. 18.4.5. Transmission Security vs. Object Security
        6. 18.4.6. Generic Security Service Application Program Interface
    4. 19. Where Do We Go from Here?
      1. 19.1. IPv6
      2. 19.2. DNSsec
      3. 19.3. Microsoft and Security
      4. 19.4. Internet Ubiquity
      5. 19.5. Internet Security
      6. 19.6. Conclusion
  11. VII. Appendixes
    1. A. An Introduction to Cryptography
      1. A.1. Notation
      2. A.2. Secret-Key Cryptography
      3. A.3. Modes of Operation
        1. A.3.1. Electronic Code Book Mode
        2. A.3.2. Cipher Block Chaining Mode
        3. A.3.3. Output Feedback Mode
        4. A.3.4. Cipher Feedback Mode
        5. A.3.5. Counter Mode
        6. A.3.6. One-Time Passwords
        7. A.3.7. Master Keys
      4. A.4. Public Key Cryptography
      5. A.5. Exponential Key Exchange
      6. A.6. Digital Signatures
      7. A.7. Secure Hash Functions
      8. A.8. Timestamps
    2. B. Keeping Up
      1. B.1. Mailing Lists
      2. B.2. Web Resources
      3. B.3. Peoples’ Pages
      4. B.4. Vendor Security Sites
      5. B.5. Conferences
  12. Bibliography
  13. List of s
  14. List of Acronyms