ch27.htm

Maximum Security (First Edition) 网络安全 英文版

<H4><FONT COLOR="#000077"><B>Internet Packet Filter</B></FONT></H4>
<P>This interesting package is freely available. Written by Darren Reed, the Internet
Packet Filter has all the amenities of a finely coded, commercial application. (Reed
took particular pride in developing a package that could defeat the type of IP spoofing
attack that Kevin Mitnik purportedly launched against machines at the San Diego Supercomputer
Center.) Some interesting tidbits: Reed provided functionality not only to discard
TCP packets that were incomplete or malformed, but to do so silently (your host returns
no ICMP error). Internet Packet Filter also offers a comprehensive testing utility,
so you can ensure your rules are sound before you implement them. (The program actually
can take previous logs as input, and you can watch as the rules are applied. Very
cool.) It is available for SunOS.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The Internet Packet Filter
	can be found at <A HREF="ftp://coombs.anu.edu.au:/pub/net/kernel/ip_fil3.0.4.tar.gz"><TT>ftp://coombs.anu.edu.au:/pub/net/kernel/ip_fil3.0.4.tar.gz</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Audit and Logging Tools</B></FONT></H3>
<P>Packet filters, when used in conjunction with powerful auditing tools, can greatly
assist in protecting your network and identifying intruders. The right combination
of these types of tools can be every bit as effective as a commercial firewall (and
generally, a whole lot less expensive). Following are some good auditing tools.
<H4><FONT COLOR="#000077"><B>Argus</B></FONT></H4>
<P>Argus was developed at Carnegie Mellon University's Software Engineering Institute.
Argus is known to compile without errors, at least on the following platforms:

<UL>
	<LI>SunOS 4.<I>x</I>
	<LI>Solaris 2.3
	<LI>SGI IRIX5.2
</UL>

<P>In the document announcing Argus's availability, authors report that Argus is
suitable for network monitoring, identifying potential network problems, and perhaps
most importantly, verifying access control policies.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The document announcing
	Argus's availability can be found online at <A HREF="ftp://ftp.sei.cmu.edu/pub/argus-1.5/argus-1.5.announce"><TT>ftp://ftp.sei.cmu.edu/pub/argus-1.5/argus-1.5.announce</TT></A>.
	The tool can be obtained online at <A HREF="ftp://ftp.sei.cmu.edu/pub/argus-1.5/"><TT>ftp://ftp.sei.cmu.edu/pub/argus-1.5/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>Netlog</B></FONT></H4>
<P>Netlog, developed at Texas A&amp;M University, can log all TCP and UDP traffic.
To use this product, you must have a C compiler that will take ANSI C conventions.
This tool also supports logging of ICMP messages (though the developers report that
performing this logging activity soaks up a great deal of storage).


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Netlog is available online
	at <A HREF="ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/"><TT>ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>Netman</B></FONT></H4>
<P>This tool is covered extensively in Chapter 12, &quot;Sniffers.&quot; However,
I will reiterate that this is a suite of applications that is well crafted; it is
arguably the most complete package of its kind ever made.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Netman is available online
	at <A HREF="ftp://ftp.cs.curtin.edu.au/pub/netman/"><TT>ftp://ftp.cs.curtin.edu.au/pub/netman/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>NOCOL/NetConsole v4.0</B></FONT></H4>
<P>NOCOL/NetConsole v4.0 is a suite of standalone applications that perform a wide
variety of monitoring tasks. This suite offers a Curses interface, which is great
for running on a wide range of terminals (it does not require the X Window system
in order to work). It is extensible, has support for a Perl interface, and is quite
complex. It also operates on networks running AppleTalk and Novell NetWare.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>NOCOL/NetConsole v.4.0
	is available online at <A HREF="ftp://ftp.navya.com/pub/vikas/nocol.tar.gz"><TT>ftp://ftp.navya.com/pub/vikas/nocol.tar.gz</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>There are other platform-specific packet filters. One well-known one is packetfilter,
which runs on Ultrix 4.3. It is kernel resident.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The man page for packetfilter
	is available online at <A HREF="http://198.233.42.11/ cgi-bin/man2html/packetfilter(4)"><TT>http://198.233.42.11/
	cgi-bin/man2html/packetfilter(4)</TT></A>. 
<HR>


</BLOCKQUOTE>

<P>Nonetheless, many of these tools, although capable of examining and monitoring
packet traffic, cannot institute access-control policies. And that is the whole purpose
of a firewall. It gives the administrator the ability to finely control who can (and
cannot) access the network.
<H3><FONT COLOR="#000077"><B>Application-Proxy Firewalls/Application Gateways</B></FONT></H3>
<P>Other types of firewalls exist. A common type is <I>application-proxy firewalls</I>
(sometimes referred to as <I>application gateways</I>). These work a bit differently
from packet-filtering, router-based firewalls. Application gateways are software-based.
When a remote user from the void contacts a network running an application gateway,
the gateway blocks the remote connection. Instead of passing the connection along,
the gateway examines various fields in the request. If these meet a set of predefined
rules, the gateway creates a bridge between the remote host and the internal host.
<I>Bridge</I> refers to a patch between two protocols. For example, in a typical
application gateway scheme, IP packets are not forwarded to the internal network.
Instead, a type of translation occurs, with the gateway as the conduit and interpreter.
This is sometimes referred to as the <I>man-in-the-middle configuration</I>.</P>
<P>The advantage of the application-gateway proxy model is the lack of IP forwarding.
More importantly, more controls can be placed on the patched connection. Finally,
such tools often offer very sophisticated logging facilities. Again, there is no
such thing as a free lunch. As you might expect, this gateway scheme has a cost in
terms of speed. Because each connection and all packet traffic are accepted, negotiated,
translated, and reforwarded, this implementation can be slower than router-based
packet filtering.</P>
<P><I>IP forwarding</I> occurs when a server that receives an external request from
the outside world forwards that information in IP format to the internal network.
Leaving IP forwarding enabled is a fatal error. If you allow IP forwarding to occur,
a cracker can get in from the outside and reach workstations on your internal network.</P>
<P>Another disadvantage of this scheme is that a proxy application must be created
for each networked service. Thus, one is used for FTP, another for Telnet, another
for HTTP, and so forth. As John Wack explains in his article titled &quot;Application
Gateways&quot;:

<DL>
	<DD>A disadvantage of application gateways is that, in the case of client-server
	protocols such as Telnet, two steps are required to connect inbound or outbound.
	Some application gateways require modified clients, which can be viewed as a disadvantage
	or an advantage, depending on whether the modified clients make it easier to use
	the firewall. A Telnet application gateway would not necessarily require a modified
	Telnet client, however it would require a modification in user behavior: the user
	has to connect (but not log in) to the firewall as opposed to connecting directly
	to the host. But a modified Telnet client could make the firewall transparent by
	permitting a user to specify the destination system (as opposed to the firewall)
	in the Telnet command. The firewall would serve as the route to the destination system
	and thereby intercept the connection, and then perform additional steps as necessary
	such as querying for a one-time password. User behavior stays the same, however at
	the price of requiring a modified client on each system.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;Application Gateways&quot;
	by John Wack can be found online at <A HREF="http://www.telstra.com.au/pub/docs/security/800-10/node52.html"><TT>http://www.telstra.com.au/pub/docs/security/800-10/node52.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>TIS FWTK</B></FONT></H4>
<P>A typical example of an application-gateway firewall package is the Trusted Information
Systems (TIS) Firewall Tool Kit (hereinafter referred to as the <I>FWTK</I>). This
software package, early versions of which are free for noncommercial use, contains
many separate components. The majority of these components are proxy applications.
It includes proxies for the following services:

<UL>
	<LI>Telnet
	<LI>FTP
	<LI>rlogin
	<LI>sendmail
	<LI>HTTP
	<LI>The X Window system
</UL>

<P>The FWTK is a comprehensive system. Nonetheless, it does not protect your network
immediately upon installation. This is not a product that you simply install and
abandon. The TIS FWTK is a <I>tool kit</I>. After you unpack the software, you must
make certain decisions. You must also understand what you are doing. This is not
a simple configuration problem. If you make erroneous rules or decisions along the
way, your network might be unreachable from the void, even from friendly networks.
Reading the documentation is paramount.</P>
<P>The beautiful thing about the FWTK is that it has excellent access control built
into its design. For example, you can allow or deny access (connection) from a network,
a part of a network, or even a single address. In this respect, it has granular access
control.</P>


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Before you get the TIS
	FWTK, you should probably examine a posting of a message from Marcus Ranum, one of
	the developers of TIS FWTK. This is a short, entertaining document that gives some
	insight into how the FWTK started. That document is located online at <A HREF="http://www.micrognosis.com/~nreadwin/fwtk/history.txt">http://www.micrognosis.com/~nreadwin/fwtk/history.txt</A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Obtain a copy of the
	TIS Firewall Tool Kit at <A HREF="ftp://ftp.tis.com/pub/firewalls/toolkit/dist/"><TT>ftp://ftp.tis.com/pub/firewalls/toolkit/dist/</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The FWTK requires a UNIX
	system and a C compiler. Moreover, although the FWTK is known to compile on SunOS
	and BSD without problems, configuration issues exist for Linux. To sort out these
	problems quickly, there is no better document than &quot;Creating a Linux Firewall
	using the TIS Toolkit&quot; by Benjamin Ewy. That document is located online at <A
	HREF="http://www.ssc.com/lj/issue25/1204.html"><TT>http://www.ssc.com/lj/issue25/1204.html</TT></A>.
	Patches for use with the FWTK on Linux are located online at <A HREF="ftp://ftp.tisl.ukans.edu/pub/security/firewalls/fwtkpatches.tgz"><TT>ftp://ftp.tisl.ukans.edu/pub/security/firewalls/fwtkpatches.tgz</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>The reason I mention the TIS FWTK is because it was the first, full-fledged firewall
of this class. It was a ground breaker in the firewall field.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;Thinking About
	Firewalls,&quot; also by Marcus Ranum, is a very good document about firewalls in
	general. This document details the types of firewalls that can be implemented and
	their advantages and disadvantages. It can be found online at <A HREF="http://hp735c.csc.cuhk.hk/ThinkingFirewalls.html"><TT>http://hp735c.csc.cuhk.hk/ThinkingFirewalls.html</TT></A>.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Another extremely popular firewall
	in this class is SOCKS, which is based on the application-proxy model. The connect
	request is intercepted by SOCKS and translated. Thus, a direct connection never occurs
	between your network and the outside world. SOCKS is of great significance because
	it is so well established that support for it is already included in many browser
	packages, most notably Netscape Navigator.<BR>
	
<HR>
</P>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>There is a very comprehensive
	coverage of SOCKS technology on the Internet. The document is so well designed and
	written that anyone can get a solid grasp of how SOCKS works in just a few moments.
	That document is at <A HREF="http://www.socks.nec.com/introduction.html"><TT>http://www.socks.nec.com/introduction.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>It is my opinion that application-gateway systems (proxy-based firewalls) are
more secure. This is because there is no IP forwarding scheme. That means IP packets
from the void cannot reach any machine on your internal network.
<H2><FONT COLOR="#000077"><B>Firewalls Generally</B></FONT></H2>
<P>One of the main ideas behind a firewall is that your network will remain theoretically
invisible (or at least unreachable) to anyone not authorized to connect. This process
works through the exclusionary schemes that one can apply using a firewall.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>CAUTION:</B></FONT><B> </B>Your firewalled network will
	not be entirely invisible. At least one scanner, called <I>Jakal</I>, can scan for
	services running behind a firewall. Jakal, a stealth scanner, will scan a domain
	(behind a firewall) without leaving any trace of the scan. According to the authors,
	all alpha test sites were unable to log any activity (though it is reported that
	&quot;some firewalls did allow SYN | FIN to pass through&quot;). Refer to Chapter
	9, &quot;Scanners,&quot; for the scoop on that utility. 
<HR>


</BLOCKQUOTE>

<P>Theoretically, a firewall is the most stringent security measure you can implement
(barring, of course, disconnecting your system from the Internet). Nevertheless,