© 1997 The McGraw-Hill Companies, Inc. All rights reserved. Any use of this Beta Book is subject to the rules stated in the Terms of Use.
Firewalls Complete: Table of Contents
Dedication
Acknowledgment
How is this book organized
Who should read this book?
About the author
Internetworking Protocols and Standards: An Overview
Internet Protocol (IP)
How IP Addressing Works
IP Security Risks
IP Watcher: Hijacking the IP Protocol
User Datagram Protocol (UDP)
Attacking UDP services: SATAN at easy
ISS for UNIX and Windows NT
Transmission Control Protocol (TCP)
IP Addresses
Rules
Classes and Masks
Extending IP Addresses Through CIDR
TCP/IP Security Risks and Countermeasure
IP Spoofing
Risk of Losing Confidentiality
Risk of Losing Integrity
tcpdump - A Text-based Countermeasure
Strobe: a Countermeasure for UNIX
IPSEC - an IETF IP Security Countermeasure
IPSO - a DoD IP Security Countermeasure
Routing Information Protocol (RIP)
MBONE - The Multicast Backbone
Internet Control Message Protocol (ICMP)
Internet Group Management Protocol (IGMP)
Open Shortest-Path First (OSPF)
Border Gateway Protocol Version 4 (BGP-4)
Address Resolution Protocol
Reverse Address Resolution Protocol (RARP)
Security Risks of Passing IP Datagram Through Routers
Simple Network Management Protocol (SNMP)
Watch Your ISP Connection.
The Internet Protocol Next Generation or IPv6
Address Expansion
Automatic Configuration of Network Devices
Security
Real-Time Performance
Multicasting
IPv6 Security
Network Time Protocol (NTP)
Dynamic Host Configuration Protocol (DHCP)
Windows Sockets (WINS)
Domain Name System (DNS)
Limiting DNS Information
Firewalls Concepts
The Flaws in Firewalls
Fun With DMZs
Authentication Issues
Trust at the Perimeter
Intranets
From Here…
Basic Connectivity
What Happened to TTY
What is the Baudot Code?
UNIX to UNIX CoPy (UUCP)
SLIP and PPP
Rlogin
Virtual Terminal Protocol (TELNET)
Columbia University’s KERMIT: a Secure and Reliable TELNET Server
TELNET Services Security Considerations
A Systems Manager Approach to Network Security
From Who Are You Protecting Your Network?
Is All the Security Efforts Worth?
What does Your Gut Feelings Tell You?
Watch for Confidentiality
To Err is Human!
Where is your Achilles Tendon?
The KISS Principle!
TELNET Session Security Checklist
Trivial File Transfer Protocol (TFTP)
TFTP Security Considerations
File Transfer Protocol (FTP)
Some of the Challenges of Using Firewalls
Increasing Security on IP Networks
Cryptography: Is it Enough?
Introduction
Symmetric Key Encryption (Private Keys)
Data Encryption Standard (DES)
International Data Encryption Algorithm (IDEA)
CAST
Skipjack
But is Skipjack Secure?
RC2/RC4
Asymmetric Key Encryption/Public Key Encryption:
RSA
Is RSA Algorithm Secure?
Digital Signature Standard (DSS)
Message Digest Algorithms
MD2, MD4 and MD5
Secure Hash Standard/Secure Hash Algorithm (SHS/SHA)
Certificates
Certificate Servers
DCS: What is Under the Hood?
The Certificate Server*
DCS Topology*
DCS Protocol*
Header Section Format*
Question Section Format*
The DCS Record*
Key Management
Kerberos
Getting to Know Kerberos Terms
What is in a Kerberos Session
A Typical Kerberos Session*
Getting a Ticket-Granting Ticket From the Kerberos Server*
Getting Application Service Tickets for Network Services from the Kerberos Server*
Summary Of Kerberos Authentication*
Cygnus’ KerbNet
Key-Exchange Algorithms (KEA)
Diffie-Hellman Public-Key Algorithm
Cryptanalysis and Attacks
Ciphertext-only Attack
Known-plaintext Attack
Chosen-plaintext Attack
Adaptive-chosen-plaintext Attack
Man-in-the-middle Attack
Chosen-ciphertext Attack
Chosen-key Attack
Rubber-hose Cryptanalysis
Timing Attack
Cryptography Applications and Application Programming Interfaces (APIs)
Data Privacy and Secure communications channel
Some Data Privacy Prime and Tools
Have a Password Policy*
Authentication
Authenticode
NT Security Support Provider Interface (SSPI)
Microsoft Cryptographic API (CryptoAPI)
Cryptography and Firewalling: The Dynamic Dual
Firewalling Challenges: The Basic Web
HTTP
The Basic Web
What to Watch for on the HTTP Protocol
Taking Advantage of S-HTTP
Using SSL to Enhance Security
Be Careful When Caching the Web!
Plugging the Holes: a Configuration Checklist
A Security Checklist
Novell’s HTTP: Better be Careful
Watch for UNIX-based Web Server Security Problems
URI/URL
File URLs
Gopher URLs
News URLs
Partial URLs
CGI
Firewalling Challenges: The Advanced Web
Extending the Web Server: Increased Risks
ISAPI
CGI
Internet Server API (ISAPI)
A Security Hole on IIS exploits ISAPI
What can you do About it?
NSAPI
Servlets
Servlets Applicability
Denali
Web Database gateways
Cold Fusion
Microsoft Advanced Data Connector (ADC)
Security of E-mail Applications
Macromedia’s Shockwave
Shockwave’s Security Hole
The Security Hole Explained
Countermeasures to the Shockwave Exploit
Code in Web pages
Java applets
ActiveX controls and Security Threats
ActiveX: Silently Manipulating Security Policies
ActiveX Security Threat Countermeasures
The APIs Security Holes and Its Firewall Interactions
Sockets
BSD sockets
Windows sockets
Java APIs
Perl modules
CGI Scripts
ActiveX
ActiveX DocObjects
Distributed Processing
XDR/RPC
RPC
COM/DCOM
What is an Internet/Intranet Firewall After All?
What are Firewalls After All?
The Purpose of a Firewall
The Firewall Role of Protection
Firewalls Providing Access Control
The Security Role of a Firewall
Promoting Privacy with a Firewall
Advantages and Disadvantages of Firewalls
Access Restrictions
Back-Door Challenges: The Modem Threat
Risk of Insider Attacks
Firewall Components
Network Security Policy
Flexibility Policy
Service-Access Policy
Firewall Design Policy
Information Policy
Dial-in and Dial-out Policy
Advanced Authentication
Packet Filtering
Procuring a Firewall
Needs Assessment
Buying a Firewall
Building a Firewall
Setting It Up
Select the Hardware Required
Install the Necessary Software
Connecting and Configuring the Computer on the Network
Testing it
Adding Security Through Firewalling Software
General Considerations When Installing a Firewall
Defining a Security Policy with a Firewall Product
Administrating a Firewall
Management Expertise
System Administration
Circuit-Level Gateways and Packet Filters
Packet Filtering
Application Gateways
IP-Level Filtering
How Vulnerable Are Internet Services?
Protecting and Configuring Vulnerable Services
Electronic Mail Security Threats
Simple Mail Transfer Protocol (SMTP)
Preventing against E-mail Attacks
Be Careful With E-Mail Attachments
Post Office Protocol (POP)
Multimedia Internet Mail Extensions (MIME)
File Transferring Issues
File Transfer Protocol (FTP)
Trivial File Transfer Protocol (TFTP)
File Service Protocol (FSP)
UNIX-to-UNIX Copy Protocol (UUCP)
The Network News Transfer Protocol (NNTP)
The Web and the HTTP Protocol
Proxying HTTP
HTTP Security Holes
Security of Conferencing
Watch This Services
Gopher
finger
whois
talk
IRC
DNS
Network Management Station (NMS)
Simple Network Management Protocol (SNMP)
traceroute
Network File System (NFS)
Confidentiality and Integrity
Setting Up a Firewall Security Policy
Assessing Your Corporate Security Risks
Data Security
Understanding and Estimating the Threat
The Virus Threat
Outside Threats
Inside Threat
A Word About Security Holes
Setting up a Security Policy
A Security Policy Template
Putting It Together: Firewall design and Implementation
Reviewing the Basics
Selecting a Firewall
Considerations About the Security Policy
Issues to Consider About Physical Security
Issues to Consider About Access Control
Issues to Consider About Authentication
Issues to Consider About Encryption
Issues to Consider About Security Auditing
Issues to Consider About Training
Responding to an Incident: Your Network Under Attack
Dealing With an Incident
Network Information Service as Cracking Tool
Remote Login/Shell Service as Cracking Tool
Network File System as Cracking Tool
File Transfer Protocol Service as Cracking Tool
To Do List in Case of an Incident
Assessing the Situation
Cutting Off the Link
Analyze the Problem
Take Action
Catching an Intruder
Reviewing Security
Persecuting the Hacker: What the Legal System has to Say
What The Legal System Has To Say
The Current Regulations
Protecting Your Corporate Site
Preventing Break-ins at Your Site
Final Considerations
Proxy Servers
SOCKS
Tcpd, the TCP Wrapper
Setting Up and Configuring the Proxy Server
Firewall Maintenance
Keeping Your Firewall in Tune
Monitoring Your System
Monitoring the Unmonitored Threats
Preventive and Curative Maintenance
Preventing Security Breaches on Your Firewall
Identifying Security Holes
Recycling Your Firewall
Firewall Toolkits And Case Studies
The TIS Internet Firewall Toolkit
Case Studies: Implementing Firewalls
Firewalling a Big Organization: Application-Level Firewall and Package Filtering, a Hybrid System
Firewalling a Small Organization: Packet Filtering or Application-Level Firewall, a Proxy Implementation
Firewalling in a Subnet Architecture
Types of Firewalls and Products on the Market
Check Point’s Firewall-1 Firewall - Stateful Inspection Technology
FireWall-1 Inspection Module
Full State Awareness
Securing "Stateless" Protocols
The INSPECT Language
Stateful Inspection: Under the hood
Extensible Stateful Inspection
The INSPECT Engine
Securing Connectionless Protocols such as UDP
Securing Dynamically Allocated Port Connections
Firewall-1 Performance
Systems Requirements
CYCON’s Labyrinth Firewall - The "Labyrinth-like" System
An Integrated Stateful Inspection
Intelligent Connection Tracking
Redirecting Traffic
Transparent Redirection to Fault-Tolerant Systems*
Diverting Scanning Programs*
Network Address Translation
Load Balancing of Connections
Multi-Host Load Balancing*
Proxying - Source Address Rewriting
Spoofing - Destination Address Rewriting
IPSec - Encryption
IPSec Filter*
IPSec Gateway*
Common Use*
Protection of Attached Networks and Hosts
Protection of Individual Hosts
Systems Requirements
NetGuard’s Guardian Firewall System - MAC Layer Stateful Inspection
A Unprecedented Internet Management Tools.
Visual Indicator of Enterprise-Wide Agent Activity:
Extended Gateway Information
Activity Monitoring Screen
Enhanced Activity Monitoring Screen:
Monitoring User’s Connectivity
Firewall Strategy Wizard
WAN Adapter Support
Logoff Command on Authentication Client
CyberGuard’s CyberGuard Firewall - Hardening the OS
The Trusted Operating System
Intuitive Remote Graphical User Interface (GUI)
Dynamic Stateful Rule Technology
Certifiable Technology
Systems Requirements
Raptor’s Eagle Firewall - An application-level Architecture
Enforcing Security at All Levels of the Network
Reliance on Dedicated Security Proxies
Using Raptor’s Firewalls Eagle Family
Graphical Policy Configuration
Consistent Management- Locally or Remote
The Flexibility to Allow "Transparent" Access
Address Redirection
Fine-grained control of VPN Tunnels
Integrated Web Blocking Capability
HTTP Service limitations*
Systems Requirements
Milkyway’s SecurIT Firewall - a Factory Hardened BSDI Kernel
A Bullet Proof Firewall
Building a Secure Kernel
SecurIT Firewall Kernel Modifications*
Kernel Security Features are Certified By CSE*
Key Management
Key Management and Certification Service*
In-house Key Management*
Manual Public Key Management*
Private Keys*
Something Else You Should Know: Ubiquitous Monitoring of All Ports
Watch for Port Numbers: The Milkyway Way*
Defending Against Common Attack Methods
Buffer Overflow*
Trojan Horses Running on the Firewall*
Spoofing*
Sniffing*
Hijacking*
Systems Requirements
Seattle Software’s Watchguard Security Management System - Combining All Major Approaches to Firewall Design
WatchGuard at Glance
WatchGuard Security Management System
WatchGuard’s Firebox
WatchGuard’s Global Console
WatchGuard Graphical Monitor
WatchGuard Reporting System
WatchGuard WebBlocker
Systems Requirements:
AltaVista Software’s Firewall 97 - The Active Firewall
AltaVista Firewall: Always in Motion
Services: a Matter of Security
Security: Supporting SSL
Management Features: Remote Management Through Tunneling
URL and Java Blocking
Enhanced Proxy
Powerful and Flexible Authentication
Dual-DNS Server
DMZ Support
Configuration
Hardware Requirements
ANS Communications’s InterLock Firewall - a Dual-Homed Application Level Gateway
ANS InterLock
ANS InterLock Service
Enhanced features in Version 4.0
InterLock’s Access Controls
InterLock’s Access Management
Audit Levels
URL-Level Controls
Log Files
InterLock’s Reports Feature
ANS InterLock Service For Intrusion Detection
Summary of InterLock’s Security Feature
Global Technology’s Gnat Box Firewall - a firewall in a floppy disk
Getting to Know GNAT Box Firewall
Outbound Packets from the Protected Network
Inbound Packets from the External Network
Outbound Packets from the PSN
How Tunnels Work in GNAT Box
Standard Features
What is GNAT Box Firewall?
Network-1 Software and Technology’s Firewall/Plus - a High Performance Multi-Protocol Firewall
About Firewall/Plus
Installation, Set-up and Use of FireWall/Plus
Selecting a Default Rule Base for FireWall/Plus
Performance Statistics
Additional and Advanced Filtering
Summary of Features of FireWall/Plus
Technical Specifications
Special Features and General Characteristics
Systems Requirements
Trusted Information Systems’s Gauntlet Internet - an application proxy-based Firewall
TIS Gauntlet Internet Firewalls
A Firewall Transparent to the User
Extending Firewall Protection to Remote Offices
Gauntlet Net Extender
Gauntlet PC Extender
Technologic’s Interceptor Firewall - an Intuitive Firewall
An Overview of Technologic’s Interceptor
Interceptor’s Components
Virtual Private Networking
Secure Encryption for All Applications
Transparent Encryption for Users
Internet Scanner
The FTP Proxy
Telnet and Rlogin Proxy
HTTP Proxy
E-Mail Proxy
X11 Proxy and Generic TCP Proxy
The Authentication Server
The Domain Name Service
Real Audio/Real Video Proxy
RADAR and Utility Command Server
Web Caching and Java and ActiveX Blocking
Multiple Firewall Management
Systems Requirements
Sun’s Sunscreen EFS Firewall - a Stateful Inspection Firewall
The SunScreen Model
Secure access control.
Ease of administration.
SunScreen SPF-200 and SunScreen EFS Security Solutions
SunScreen SPF’s Features
SunScreen SPF-200
Features and Benefits
SunScreen EFS
Features and Benefits
System Requirements
Solstice FireWall-1 3.0
Solstice FireWall-1 Features
Comprehensive Services Support
Encryption Support for Data Privacy - Virtual Private Networks
Client Authentication
Anti-Spoofing and SNMP Management
Secure Computing’s Borderware Firewall: Combining Packet Filters and Circuit-Level Gateways
The BorderWare Firewall Server
Transparency
Network Address Translation
Packet Filtering
Circuit-Level Gateway
Applications Servers
Audit Trails and Alarms
Transparent Proxies
BorderWare Application Services
Mail Servers (SMTP and POP)
Mail Domain Name Hiding*
POP Mail Server*
Anonymous FTP Server
News Server
Web Server
Finger (Information) Server
Encryption Features
Automatic Backups
Security Features
Ukiah Software’s NetRoad Firewall: a Multi-Level Architecture Firewall
NetRoad FireWall for Windows NT and NetWare
Security for Mixed Protocol (IP and IPX) Networks
Simple Management and NDS Integration
Multi-level Firewall Security and User Authentication
NetWare and NT Firewall Support
High Performance
Future Evolution of the NetRoad FireWALL Platform
System Requirements
Secure Computing’s Sidewinder Firewall: a Type Enforcement Security
The Sidewinder Security Server
The Patented Type Enforcement Security
Remote Management
Access Controls
Extensive Event Monitoring
Advanced Filtering
Email filtering
Web page filtering
Java applet filtering
IBM’s Internet Connection Secure Server Firewall: a Type Enforcement Security
The IBM Firewall V3.1 for AIX
Great Level of Protection
Greater Accessibility
IBM Firewall Filtering
IBM Firewall as an Application-Level Proxy
IBM Firewall as a Circuit-Level Proxy
Use of Encryption
Managing the IBM Firewall
Main IBM Firewall Features
Network Address Translation
SafeMail
Strong Authentication
Hardening
Communicating through Virtual Private Networks
Using the Network Security Auditor
Administering the Firewall
Enterprise Firewall Manager
System requirements
List of Firewall Resellers and Related Tools
AlterNet:
Atlantic Computing Technology Corporation
ARTICON Information Systems GmbH
Cisco Routers
Cohesive Systems
Collage Communications, Inc.
Conjungi Corporation
Cypress Systems Corporation, (Raptor reseller)
Data General Corp. (Gauntlet Reseller)
Decision-Science Applications, Inc.
E92 PLUS LTD
Enterprise System Solutions, Inc.(BorderWare reseller)
E.S.N - Serviço e Comércio de Informática Ltda.
FSA Corporation
IConNet
Igateway by Sun Consulting.
Ingress Consulting Group, LTD
INTERNET GmbH
Jeff Flynn & Associates
Media Communications eur ab, (Gauntlet Reseller)
Mergent International, Inc. (Gauntlet Reseller)
Momentum Pty Ltd
NetPartners (Phil Trubey), (JANUS Reseller)
Network Translation Services
OpenSystems, Inc.
PDC
PENTA
PRC
Racal-Airtech Ltd, (Eagle reseller)
RealTech Systems
Sea Change Corporation, (JANUS reseller)
Security Dynamics Technologies
Softway Pty Ltd, (Gauntlet Reseller)
Spanning Tree Technologies Network Security Analysis Tool
Stalker by Haystack Labs, Inc.
Stonesoft Corporation
TeleCommerce
Trident Data Systems, (SunScreen provider)
Tripcom Systems Inc.
Trusted Network Solutions (Pty) Ltd.
UNIXPAC AUSTRALIA
X + Open Systems Pty Ltd., (Internet Consultants)
Zeuros Limited
Firewall Tools: Public Domain and Shareware, Etc.
Drawbridge
Freestone by SOS Corporation
fwtk - TIS Firewall Toolkit
ISS
SOCKS
Chapter 15
Glossary
Bibliography & Webliography
Partial Webliography List
Computing McGraw-Hill is an imprint of the McGraw-Hill Professional Book Group.