ch27.htm

Maximum Security (First Edition) 网络安全 英文版

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 27 -- Firewalls</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch26/ch26.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch28/ch28.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">27</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Firewalls</FONT></H1>
</CENTER>
<P>More than 50 percent of all users have heard of firewalls, but only a handful
know what a firewall really is. This is because firewalls are only used by those
actively engaged in protecting networks connected to the Internet.
<H2><FONT COLOR="#000077"><B>What Is a Firewall?</B></FONT></H2>
<P>A <I>firewall</I> is any device used to prevent outsiders from gaining access
to your network. This device is usually a combination of software and hardware. Firewalls
commonly implement exclusionary schemes or rules that sort out wanted and unwanted
addresses.</P>
<P>To understand how firewalls work, consider some of the subjects discussed earlier
in this book. First, most simple authentication procedures use the IP address as
an index. The IP address is the most universal identification index on the Internet.
This address can be either a static or dynamic address:

<UL>
	<LI>A static IP address is permanent; it is the address of a machine that is always
	connected to the Internet. There are many classes of static IP addresses. One class
	can be discovered by issuing a whois query; this class consists primarily of top-level
	machines in a network, such as domain name servers, Web servers, and root-level machines.
	These actually have registered hostnames within the whois database at InterNIC. Other
	classes of static IP addresses are addresses assigned to second- and third-level
	machines within networks dominated by domain name servers, root servers, Web servers,
	and so on. These also have permanent physical addresses. However, these machines
	might or might not possess a registered hostname. In any event, their addresses are
	registered as well.<BR>
	<BR>
	
	<LI>A dynamic IP address is one that is arbitrarily assigned to a different node
	each time it connects to a network. Dynamic IP is often used by ISPs for dial-up
	access--each time a node dials up, it is assigned a different IP address.
</UL>

<P>Whether your address is static or dynamic, it is used in all network traffic that
you conduct. For example, as discussed in Chapter 13, &quot;Techniques to Hide One's
Identity,&quot; a Web server records your IP address when you request a Web page.
This is not to intrude on your privacy; it is done so that the server knows how to
send you the requested data. In a similar fashion, all network services capture your
IP (either temporarily or permanently) so they can return data to your address. In
essence, it works much like the postal service: Imagine if every letter mailed had
a return address. On the Internet, things are just so. The IP is the return address.</P>
<P>When a connection is made between your machine and a remote machine, various dialogs
may ensue. I discussed some of those dialogs in Chapter 6, &quot;A Brief Primer on
TCP/IP.&quot; A common one--which you are apt to remember--is the TCP/IP three-way
handshake. At any rate, such dialogs occur, during which time your IP is known by
the target machine.</P>
<P>Under normal circumstances, where no firewall or other superseding utility (such
as TCP_Wrapper) has been installed, the dialog between your machine and the remote
machine occurs directly (see Figure 27.1).</P>
<P><A NAME="01"></A><A HREF="01.htm"><B>FIGURE 27.1.</B></A> <I><BR>
The route of information.</I></P>
<P>When I say that information travels directly, that is a very qualified term. As
you can see, the process (even without security measures) is complex:

<DL>
	<DD><B>1. </B>The data originates somewhere within <TT>Your Network</TT> (which,
	by the way, could refer to a machine in your home). In this case, you are connected
	to your provider's network. For our purposes, your provider's network <I>is</I> <TT>Your
	Network</TT>.<BR>
	<BR>
	<B>2. </B>Information travels from your machine to a machine on the provider's network.
	From there, the information travels through an Ethernet cable (or other means of
	transport) to the main server of <TT>Your Network</TT>.<BR>
	<BR>
	<B>3. </B>The server of <TT>Your Network</TT> passes this information to Router 1,
	which promptly pours the information through the telephone line (or other high-speed
	connection) to the Internet at large.<BR>
	<BR>
	<B>4. </B>The information travels across the Internet (passing through many routers
	and gateways along the way), ultimately reaching Router 2. Router 2 pipes the information
	into <TT>Their Server</TT>; the information is then served via Ethernet (or other
	transport) to <TT>Their Network</TT>.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>I have greatly simplified the network
	outlay design by providing only relevant details. In practice, there might be all
	sorts of devices located between <TT>Your Network</TT> and <TT>Their Network</TT>.
	
<HR>


</BLOCKQUOTE>

<P>If neither side has installed security measures, the path is deemed (for all purposes)
<I>direct</I>. Router 2, for example, allows packets from any source (IP) address
to travel directly to <TT>Their Server</TT> and ultimately, to <TT>Their Network</TT>.
At no point during that travel do the packets meet an obstacle. This is a completely
insecure situation. However, for many years, this was the standard. Today, the type
of situation illustrated in Figure 27.1 is too dangerous. Over the years, network
engineers considered a wide range of solutions, including the firewall.
<H2><FONT COLOR="#000077"><B>What Are the Components of a Firewall?</B></FONT></H2>
<P>The most fundamental components of a firewall exist neither in software nor hardware,
but inside the mind of the person constructing it. A firewall, at its inception,
is a concept rather than a product; it is an idea in the architect's mind of who
and what will be allowed to access the network. <I>Who</I> and <I>what</I> dramatically
influence how network traffic (both incoming and outgoing) is routed. For this reason,
constructing a firewall is part art, part common sense, part ingenuity, and part
logic.</P>
<P>Suppose the architect knows a Web server must exist on the host network. This
Web server will obviously accept connections from almost any IP address. A restricted
area, therefore, must be created for that server. In other words, in providing Web
services from the host network, the architect must ensure that the Web server does
not endanger the remaining portions of the network. Likewise, incoming mail is also
an issue.
<H3><FONT COLOR="#000077"><B>Specific Components and Characteristics</B></FONT></H3>
<P>Firewalls can be composed of software, hardware, or, most commonly, both. The
software components can be either proprietary, shareware, or freeware. The hardware
can be any hardware that supports the software being used.</P>
<P>If hardware, a firewall can (and often does) consist of no more than a router.
As you will learn in Chapter 28, &quot;Spoofing Attacks,&quot; routers have advanced
security features, including the capability to screen IP addresses. This screening
process allows you to define which IP addresses are allowed to connect and which
are not.</P>
<P>Other implementations consist of both hardware and software. (These can get pretty
eclectic. I have seen people using 386 boxes with shareware firewall/bridge products
on them.)</P>
<P>In any event, all firewalls share a common attribute: the capability to discriminate
or the capability to deny access generally based on source address.
<H2><FONT COLOR="#000077"><B>Types of Firewalls</B></FONT></H2>
<P>There are different kinds of firewalls, and each type has its advantages and disadvantages.
The most common type is referred to as a <I>network-level firewall</I>. Network-level
firewalls are usually router based. That is, the rules of who and what can access
your network is applied at the router level. This scheme is applied through a technique
called <I>packet filtering</I>, which is the process of examining the packets that
come to the router from the outside world.</P>
<P>In a router-based firewall implementation, the source address of each incoming
connection (that is, the address from which the packets originated) is examined.
After each IP source address has been identified, whatever rules the architect has
instituted will be enforced. For example, perhaps the architect decides that no network
traffic will be accepted from any address within Microsoft Corporation. Thus, the
router rejects any packets forwarded from <TT>microsoft.com</TT>. These packets never
reach the internal server or the network beneath it.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Routers are about the size of a
	small printer. Generally, at the back of the router are connection points for Ethernet
	and digital telephone lines. Use these connection points to connect the telephone
	line (T1, T3, and so on) and Ethernet to your server. Routers are configured using
	special software. In most instances, the software is quite easy to use. Most newer
	implementations are controlled through a windowed interface (such as the X Window
	system, OpenWindows, and so on). Routers range in price (from used to new) from $600
	to $1800. 
<HR>


</BLOCKQUOTE>

<P>Router-based firewalls are fast. Because they only perform cursory checks on the
source address, there is no real demand on the router. It takes no time at all to
identify a bad or restricted address. Nevertheless, the speed comes with a price:
Router-based firewalls use the source address as an index. That means (barring controls
against such access) packets sent from forged source addresses can gain at least
some level of access to your server.</P>
<P>In fairness, many packet-filtering techniques can be employed with router-based
firewalls that shore up this weakness. The IP address header is not the only field
of a packet that can be trapped by a router. As packet-filtering technology becomes
more sophisticated, so do the schemes or rules employed by an administrator. One
can now even apply rules related to state information within packets, using indexes
such as time, protocol, ports, and so forth.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For an excellent discussion
	of the fields that can be filtered, as well as a comprehensive look at packet filtering,
	&quot;Network (In)Security Through IP Packet Filtering&quot; by D. Brent Chapman
	is a must. Find it online at <A HREF="http://www.unix.geek.org.uk/~arny/pktfilt.ps"><TT>http://www.unix.geek.org.uk/~arny/pktfilt.ps</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>However, these are not the only deficiencies of packet-filtering, router-based
firewalls. For example:

<DL>
	<DD>Another problem is that a number of RPC (Remote Procedure Call) services are
	very difficult to filter effectively because the associated servers listen at ports
	that are assigned randomly at system startup. A service known as portmapper maps
	initial calls to RPC services to the assigned service numbers, but there is no such
	equivalent for a packet filtering router. Since the router cannot be told which ports
	the services reside at, it isn't possible to block completely these services unless
	one blocks all UDP packets (RPC services mostly use UDP). Blocking all UDP would
	block potentially necessary services such as DNS. Thus, blocking RPC results in a
	dilemma.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The preceding paragraph
	is excerpted from &quot;Problems with Packet Filtering Routers&quot; by John Wack.
	It can be found online at <A HREF="http://www.telstra.com.au/pub/docs/security/800-10/node51.html"><TT>http://www.telstra.com.au/pub/docs/security/800-10/node51.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>Wack discusses RPC as a potential problem because the ports can be assigned dynamically
at startup. However, in most cases, this type of filtering (appropriately called
<I>protocol filtering</I>) is not a problem. Very sophisticated schemes can be implemented
in protocol filtering, and these rely primarily on the port called by the remote
host.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>For an excellent discussion
	of protocol filtering and packet filtering in general, check out &quot;Packet Filtering
	in an IP Router&quot; by Bruce Corbridge, Robert Hening, and Charles Slater. This
	paper offers an inside look at exactly how packet filtering is accomplished in Telebit
	routers. More importantly, the document takes you through the design and implementation
	of the router. You can find it online at <A HREF="http://www.alw.nih.gov/Security/FIRST/papers/firewall/cslater.ps"><TT>http://www.alw.nih.gov/Security/FIRST/papers/firewall/cslater.ps</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Packet Filtering Tools</B></FONT></H3>
<P>Packet filtering can be implemented without instituting a complete firewall. There
are many free and commercial packet-filtering tools on the Internet. Following is
a list of several such utilities.
<H4><FONT COLOR="#000077"><B>TCP_Wrappers</B></FONT></H4>
<P>TCP_Wrappers is a program written by Wietse Venema (also the co-author of the
famous scanning utility, SATAN). Arguably, no other tool more easily or efficiently
facilitates monitoring connections to your machine. The program works by replacing
system daemons and recording all connection requests, their time, and most importantly,
their origin. For these reasons, TCP_Wrappers is one of the most critical evidence-gathering
tools available. TCP_Wrappers also has the capability to screen out unwanted networks
and IP addresses, preventing users from such addresses from connecting.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>TCP_Wrappers is available
	online at <A HREF="ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.4.tar.gz"><TT>ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.4.tar.gz</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>NetGate</B></FONT></H4>
<P>NetGate (developed by SmallWorks) is a rule-based packet filtering system. It
was designed for use on SPARC systems running SunOS 4.1.<I>x</I>. Like most packet
filters, NetGate can examine each and every packet it encounters and can apply various
rules, based upon the source address revealed in that examination. (NetGate also
sports some pretty strong logging capabilities.) Reportedly, the distribution can
be obtained either as a binary installation ($1500) or source ($2500). If your company
needs a product with support (as opposed to freeware), I would recommend NetGate
as a reasonable and economical alternative to other, more high-profile products.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can find information
	about NetGate at <A HREF="http://hosaka.smallworks.com/netgate/packetfiltering.html"><TT>http://hosaka.smallworks.com/netgate/packetfiltering.html</TT></A>.
	
<HR>


</BLOCKQUOTE>