rfc2196.txt
not be exported to any hosts outside the local network, since this will require that the NFS service be accessible externally. Ideally, external access to the NFS service should be stopped by a firewall.

3.2.4 Protecting the Protection

It is amazing how often a site will overlook the most obvious weakness in its security by leaving the security server itself open to attack. Based on considerations previously discussed, it should be clear that: the security server should not be accessible from off-site; should offer minimum access, except for the authentication function, to users on-site; and should not be co-located with any other servers. Further, all access to the node, including access to the service itself, should be logged to provide a "paper trail" in the event of a security breach.

3.3 Firewalls

One of the most widely deployed and publicized security measures in use on the Internet is a "firewall." Firewalls have been given the reputation of a general panacea for many, if not all, of the Internet security issues. They are not. Firewalls are just another tool in the quest for system security. They provide a certain level of protection and are, in general, a way of implementing security policy at the network level. The level of security that a firewall provides can vary as much as the level of security on a particular machine. There are the traditional trade-offs between security, ease of use, cost, complexity, etc.

Fraser, Ed. Informational [Page 20]
RFC 2196 Site Security Handbook September 1997

A firewall is any one of several mechanisms used to control and watch access to and from a network for the purpose of protecting it. A firewall acts as a gateway through which all traffic to and from the protected network and/or systems passes. Firewalls help to place limitations on the amount and type of communication that takes place between the protected network and another network (e.g., the Internet, or another piece of the site's network).
A firewall is generally a way to build a wall between one part of a network, a company's internal network, for example, and another part, the global Internet, for example. The unique feature about this wall is that there needs to be ways for some traffic with particular characteristics to pass through carefully monitored doors ("gateways"). The difficult part is establishing the criteria by which the packets are allowed or denied access through the doors.

Books written on firewalls use different terminology to describe the various forms of firewalls. This can be confusing to system administrators who are not familiar with firewalls. The thing to note here is that there is no fixed terminology for the description of firewalls.

Firewalls are not always, or even typically, a single machine. Rather, firewalls are often a combination of routers, network segments, and host computers. Therefore, for the purposes of this discussion, the term "firewall" can consist of more than one physical device. Firewalls are typically built using two different components, filtering routers and proxy servers.

Filtering routers are the easiest component to conceptualize in a firewall. A router moves data back and forth between two (or more) different networks. A "normal" router takes a packet from network A and "routes" it to its destination on network B. A filtering router does the same thing but decides not only how to route the packet, but whether it should route the packet. This is done by installing a series of filters by which the router decides what to do with any given packet of data.

A discussion concerning capabilities of a particular brand of router, running a particular software version is outside the scope of this document.
However, when evaluating a router to be used for filtering packets, the following criteria can be important when implementing a filtering policy: source and destination IP address, source and destination TCP port numbers, state of the TCP "ack" bit, UDP source and destination port numbers, and direction of packet flow (i.e., A->B or B->A). Other information necessary to construct a secure filtering scheme is whether the router reorders filter instructions (designed to optimize filters, this can sometimes change the meaning and cause unintended access), and whether it is possible to apply filters for inbound and outbound packets on each interface (if the router filters only outbound packets then the router is "outside" of its filters and may be more vulnerable to attack). In addition to the router being vulnerable, this distinction between applying filters on inbound or outbound packets is especially relevant for routers with more than 2 interfaces. Other important issues are the ability to create filters based on IP header options and the fragment state of a packet. Building a good filter can be very difficult and requires a good understanding of the type of services (protocols) that will be filtered.

For better security, the filters usually restrict access between the two connected nets to just one host, the bastion host. It is only possible to access the other network via this bastion host. As only this host, rather than a few hundred hosts, can get attacked, it is easier to maintain a certain level of security because only this host has to be protected very carefully. To make resources available to legitimate users across this firewall, services have to be forwarded by the bastion host.
Some servers have forwarding built in (like DNS servers or SMTP servers); for other services (e.g., Telnet, FTP, etc.), proxy servers can be used to allow access to the resources across the firewall in a secure way.

A proxy server is a way to concentrate application services through a single machine. There is typically a single machine (the bastion host) that acts as a proxy server for a variety of protocols (Telnet, SMTP, FTP, HTTP, etc.), but there can be individual host computers for each service. Instead of connecting directly to an external server, the client connects to the proxy server, which in turn initiates a connection to the requested external server. Depending on the type of proxy server used, it is possible to configure internal clients to perform this redirection automatically, without the user's knowledge; others might require that the user connect directly to the proxy server and then initiate the connection through a specified format.

There are significant security benefits which can be derived from using proxy servers. It is possible to add access control lists to protocols, requiring users or systems to provide some level of authentication before access is granted. Smarter proxy servers, sometimes called Application Layer Gateways (ALGs), can be written which understand specific protocols and can be configured to block only subsections of the protocol. For example, an ALG for FTP can tell the difference between the "put" command and the "get" command; an organization may wish to allow users to "get" files from the Internet, but not be able to "put" internal files on a remote server. By contrast, a filtering router could either block all FTP access, or none, but not a subset.

Proxy servers can also be configured to encrypt data streams based on a variety of parameters.
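The "put" versus "get" distinction above is the kind of decision only an application-layer gateway can make, because a packet filter sees port 21 and nothing else. The following is an added illustration, not code from RFC 2196 or from any particular proxy product: a minimal FTP control-channel policy that parses each client command line and forwards only commands on an allow-list, denying the upload commands (STOR, STOU, APPE) by default while letting RETR through. The command sets, the sample session and the policy are constructed assumptions for the example.

```python
# Added example (not from RFC 2196): a minimal application-layer gateway
# policy for the FTP control channel. The decision is made per command,
# which a filtering router cannot do. Command groupings are assumptions
# chosen for illustration.
from typing import List, Tuple

# "get" in the RFC's terms: download from the remote server
DOWNLOAD_CMDS = {"RETR"}
# "put" in the RFC's terms: upload to the remote server
UPLOAD_CMDS = {"STOR", "STOU", "APPE"}
# Housekeeping commands a session needs to function at all
SESSION_CMDS = {"USER", "PASS", "CWD", "PWD", "LIST", "NLST", "TYPE",
                "PASV", "PORT", "QUIT", "SYST", "SIZE", "MDTM"}


def parse_ftp_command(line: str) -> Tuple[str, str]:
    """Split one control-channel line into (COMMAND, argument)."""
    line = line.rstrip("\r\n")
    if not line:
        raise ValueError("empty command line")
    cmd, _, arg = line.partition(" ")
    return cmd.upper(), arg.strip()


def alg_decision(line: str, allow_upload: bool = False) -> Tuple[bool, str]:
    """Return (forward?, reason). Anything not explicitly listed is denied."""
    try:
        cmd, _ = parse_ftp_command(line)
    except ValueError as exc:
        return False, str(exc)
    if cmd in DOWNLOAD_CMDS or cmd in SESSION_CMDS:
        return True, f"{cmd} permitted"
    if cmd in UPLOAD_CMDS:
        if allow_upload:
            return True, f"{cmd} permitted by policy"
        return False, f"{cmd} blocked: uploads to external servers not allowed"
    return False, f"{cmd} blocked: not on the allow-list"


def filter_session(lines: List[str], allow_upload: bool = False):
    """Apply the policy to a whole session; return forwarded lines and a log."""
    forwarded, log = [], []
    for line in lines:
        ok, reason = alg_decision(line, allow_upload)
        log.append(("ALLOW" if ok else "DENY", reason))
        if ok:
            forwarded.append(line)
    return forwarded, log


# Constructed sample session (not a real capture)
SAMPLE_SESSION = [
    "USER anonymous",
    "PASS guest@example.net",
    "CWD pub",
    "RETR README",
    "STOR internal-report.doc",   # the "put" the organisation wants stopped
    "DELE oldfile",               # not on the allow-list, so denied too
    "QUIT",
]

if __name__ == "__main__":
    _, session_log = filter_session(SAMPLE_SESSION)
    for verdict, reason in session_log:
        print(verdict, reason)
```

The default-deny for unlisted commands is deliberate: an ALG that only blacklists known upload commands would silently pass anything it had not thought of, which is the same failure mode as a router filter written as "deny a few things, allow the rest".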
An organization might use this feature to allow encrypted connections between two locations whose sole access points are on the Internet.

Firewalls are typically thought of as a way to keep intruders out, but they are also often used as a way to let legitimate users into a site. There are many examples where a valid user might need to regularly access the "home" site while on travel to trade shows and conferences, etc. Access to the Internet is often available but may be through an untrusted machine or network. A correctly configured proxy server can allow the correct users into the site while still denying access to other users.

The current best effort in firewall techniques is found using a combination of a pair of screening routers with one or more proxy servers on a network between the two routers. This setup allows the external router to block off any attempts to use the underlying IP layer to break security (IP spoofing, source routing, packet fragments), while allowing the proxy server to handle potential security holes in the higher layer protocols. The internal router's purpose is to block all traffic except to the proxy server. If this setup is rigidly implemented, a high level of security can be achieved.

Most firewalls provide logging which can be tuned to make security administration of the network more convenient. Logging may be centralized and the system may be configured to send out alerts for abnormal conditions. It is important to regularly monitor these logs for any signs of intrusions or break-in attempts. Since some intruders will attempt to cover their tracks by editing logs, it is desirable to protect these logs. A variety of methods are available, including: write once, read many (WORM) drives; paper logs; and centralized logging via the "syslog" utility. Another technique is to use a "fake" serial printer, but have the serial port connected to an isolated machine or PC which keeps the logs.
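The filtering criteria listed earlier (addresses, ports, the TCP "ack" bit, interface and direction, fragments, source routing) and the two-router screened-subnet design just described can be expressed together in a small first-match rule evaluator. The example below is added here and is not code from RFC 2196 or from any router vendor; the address blocks, interface names "ext" and "dmz", and the rule sets are constructed assumptions. It also demonstrates the warning that reordering filters can change their meaning: moving the anti-spoofing rule after the SMTP allow turns a denied spoofed packet into an allowed one.

```python
# Added example (not from RFC 2196): a first-match packet filter evaluator
# modelling the external and internal screening routers of a screened
# subnet. Addresses, interfaces and rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class Packet:
    src: str
    dst: str
    proto: str               # "tcp" or "udp"
    sport: int
    dport: int
    iface: str               # interface the packet arrives on
    ack: bool = False        # TCP ACK bit; clear on a connection's first packet
    fragment: bool = False
    source_routed: bool = False


@dataclass
class Rule:
    action: str                       # "allow" or "deny"
    iface: Optional[str] = None
    src: Optional[str] = None         # CIDR, matched against packet source
    dst: Optional[str] = None         # CIDR, matched against packet destination
    proto: Optional[str] = None
    dport: Optional[int] = None
    ack: Optional[bool] = None        # required ACK state, if any
    fragment: Optional[bool] = None
    source_routed: Optional[bool] = None
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        # Every field that is set must match; unset fields are wildcards.
        return all([
            self.iface is None or p.iface == self.iface,
            self.src is None or ip_address(p.src) in ip_network(self.src),
            self.dst is None or ip_address(p.dst) in ip_network(self.dst),
            self.proto is None or p.proto == self.proto,
            self.dport is None or p.dport == self.dport,
            self.ack is None or p.ack == self.ack,
            self.fragment is None or p.fragment == self.fragment,
            self.source_routed is None or p.source_routed == self.source_routed,
        ])


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; a packet matching nothing is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


INTERNAL = "10.0.0.0/8"        # constructed: the site's internal address block
BASTION = "192.0.2.10/32"      # constructed: bastion host on the screened subnet

# External router, inbound filters on the Internet-facing interface.
# IP-layer tricks are stopped here, before anything reaches the bastion.
EXTERNAL_ROUTER = [
    Rule("deny", iface="ext", src=INTERNAL, comment="anti-spoofing: inside address from outside"),
    Rule("deny", iface="ext", source_routed=True, comment="drop source-routed packets"),
    Rule("deny", iface="ext", fragment=True, comment="drop fragments"),
    Rule("allow", iface="ext", dst=BASTION, proto="tcp", dport=25, comment="SMTP to bastion"),
    Rule("allow", iface="ext", dst=BASTION, proto="tcp", ack=True, comment="replies to bastion-initiated TCP"),
]

# Internal router, inbound filters on the screened-subnet interface.
# Only the bastion may talk to the inside; everything else is dropped.
INTERNAL_ROUTER = [
    Rule("allow", iface="dmz", src=BASTION, dst=INTERNAL, proto="tcp", dport=25, comment="bastion relays mail inward"),
    Rule("allow", iface="dmz", src=BASTION, dst=INTERNAL, proto="tcp", ack=True, comment="replies to inside-initiated TCP"),
    Rule("deny", iface="dmz", comment="everything else from the screened subnet"),
]


def reorder_demo() -> Tuple[str, str]:
    """Verdicts for a spoofed packet before and after the anti-spoofing rule is moved last."""
    spoofed = Packet(src="10.1.2.3", dst="192.0.2.10", proto="tcp",
                     sport=40000, dport=25, iface="ext")
    as_written = evaluate(EXTERNAL_ROUTER, spoofed)
    reordered = EXTERNAL_ROUTER[3:] + EXTERNAL_ROUTER[:3]   # allows first, denies last
    return as_written, evaluate(reordered, spoofed)


if __name__ == "__main__":
    print("spoofed packet, rules as written / reordered:", reorder_demo())
```

The evaluator is deliberately stateless, like the routers of the period: the ACK-bit rule is the only way it can distinguish a reply from a new connection attempt, which is exactly why the text lists that bit among the criteria to look for in a router.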
Firewalls are available in a wide range of quality and strengths. Commercial packages start at approximately $10,000US and go up to over $250,000US. "Home grown" firewalls can be built for smaller amounts of capital. It should be remembered that the correct setup of a firewall (commercial or homegrown) requires a significant amount of skill and knowledge of TCP/IP. Both types require regular maintenance, installation of software patches and updates, and regular monitoring. When budgeting for a firewall, these additional costs should be considered in addition to the cost of the physical elements of the firewall.

As an aside, building a "home grown" firewall requires a significant amount of skill and knowledge of TCP/IP. It should not be trivially attempted because a perceived sense of security is worse in the long run than knowing that there is no security. As with all security measures, it is important to decide on the threat, the value of the assets to be protected, and the costs to implement security.

A final note about firewalls. They can be a great aid when implementing security for a site and they protect against a large variety of attacks. But it is important to keep in mind that they are only one part of the solution. They cannot protect your site against all types of attack.

4. Security Services and Procedures

This chapter guides the reader through a number of topics that should be addressed when securing a site. Each section touches on a security service or capability that may be required to protect the information and systems at a site. The topics are presented at a fairly high-level to introduce the reader to the concepts. Throughout the chapter, you will find significant mention of cryptography.
It is outside the scope of this document to delve into details concerning cryptography, but the interested reader can obtain more information from books and articles listed in the reference section of this document.

4.1 Authentication

For many years, the prescribed method for authenticating users has been through the use of standard, reusable passwords. Originally, these passwords were used by users at terminals to authenticate themselves to a central computer. At the time, there were no networks (internally or externally), so the risk of disclosure of the clear text password was minimal. Today, systems are connected together through local networks, and these local networks are further connected together and to the Internet. Users are logging in from all over the globe; their reusable passwords are often transmitted across those same networks in clear text, ripe for anyone in-between to capture. And indeed, the CERT* Coordination Center and other response teams are seeing a tremendous number of incidents involving packet sniffers which are capturing the clear text passwords.

With the advent of newer technologies like one-time passwords (e.g., S/Key), PGP, and token-based authentication devices, people are using password-like strings as secret tokens and pins. If these secret tokens and pins are not properly selected and protected, the authentication will be easily subverted.

4.1.1 One-Time passwords

As mentioned above, given today's networked environments, it is recommended that sites concerned about the security and integrity of their systems and networks consider moving away from standard, reusable passwords. There have been many incidents involving Trojan networ
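The reason one-time passwords such as S/Key defeat the packet sniffers mentioned above is that each password is the preimage of the previous one in a hash chain: the server keeps only the last value it accepted, and a captured value is useless for the next login. The following is an added illustration of that hash-chain idea, not code from RFC 2196 and not an implementation of S/Key itself (S/Key folds MD4/MD5 output to 64 bits and encodes it as six short words; this example uses SHA-256 and is not interoperable with it). The secret, seed and chain length are constructed values.

```python
# Added example (not from RFC 2196): a simplified Lamport-style hash-chain
# one-time password scheme in the spirit of S/Key. Uses SHA-256 rather than
# S/Key's folded MD4/MD5 and is for illustration only.
import hashlib
import hmac
from typing import List, Tuple


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(secret: str, seed: str, n: int) -> List[bytes]:
    """Return [h^0(s), h^1(s), ..., h^n(s)] where s = seed || secret."""
    x = (seed + secret).encode()
    chain = [x]
    for _ in range(n):
        x = h(x)
        chain.append(x)
    return chain


class OtpServer:
    """Stores only the last accepted chain value and its sequence number.

    Nothing on the server lets an attacker compute earlier chain values,
    and a value seen on the wire cannot be reused because the server now
    expects its preimage."""

    def __init__(self, seed: str, n: int, last: bytes):
        self.seed = seed
        self.seq = n        # next valid response is h^(seq-1)(s)
        self.last = last    # h^seq(s), sent once at registration
        self.log: List[str] = []

    def challenge(self) -> Tuple[int, str]:
        # Sent in the clear; it tells the client which chain element to compute.
        return self.seq - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.seq <= 0:
            self.log.append("chain exhausted; user must re-register")
            return False
        if hmac.compare_digest(h(response), self.last):
            self.seq -= 1
            self.last = response          # advance one step down the chain
            self.log.append(f"accepted, remaining={self.seq}")
            return True
        self.log.append("rejected")
        return False


def client_response(secret: str, seed: str, seq: int) -> bytes:
    """The client recomputes h^seq(s) from its secret; nothing is stored client-side."""
    return make_chain(secret, seed, seq)[seq]


def replay_demo(secret: str = "correct horse", seed: str = "ex01", n: int = 5) -> Tuple[bool, bool, bool]:
    """(first login, replay of the sniffed value, next login)."""
    chain = make_chain(secret, seed, n)
    server = OtpServer(seed, n, chain[n])          # registration: client hands over h^n(s)
    seq, sd = server.challenge()
    sniffed = client_response(secret, sd, seq)     # what a sniffer on the path would see
    first = server.verify(sniffed)
    replay = server.verify(sniffed)                # attacker replays the captured value
    next_seq, _ = server.challenge()
    second = server.verify(client_response(secret, sd, next_seq))
    return first, replay, second


if __name__ == "__main__":
    print(replay_demo())
```

The chain length `n` bounds how many logins are possible before the user must re-register with a fresh chain; the `seq <= 0` branch shows the server refusing rather than wrapping around, since accepting the base value would expose the secret-derived input itself.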