Building Internet Firewalls. 2nd Edition

(ebook) (audiobook) (audiobook)

Autorzy:: Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman

Promocja Przejdź

Building Internet Firewalls. 2nd Edition Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman - okladka książki

Building Internet Firewalls. 2nd Edition Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman - audiobook MP3

Building Internet Firewalls. 2nd Edition Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman - audiobook CD

Wydawnictwo:: O'Reilly Media (Z chęcią przeczytam książkę w języku polskim)
Ocena:: Bądź pierwszym, który oceni tę książkę
Stron:: 896
Dostępne formaty:: ePub

Mobi

Ebook (177,65 zł najniższa cena z 30 dni)

~~209,00 zł~~ (-15%)
177,65 zł

Dodaj do koszyka lub Kup na prezent Kup 1-kliknięciem

(177,65 zł najniższa cena z 30 dni)

Przenieś na półkę

Do przechowalni

In the five years since the first edition of this classic book was published, Internet use has exploded. The commercial world has rushed headlong into doing business on the Web, often without integrating sound security technologies and policies into their products and methods. The security risks--and the need to protect both business and personal data--have never been greater. We've updated Building Internet Firewalls to address these newer risks.

What kinds of security threats does the Internet pose? Some, like password attacks and the exploiting of known security holes, have been around since the early days of networking. And others, like the distributed denial of service attacks that crippled Yahoo, E-Bay, and other major e-commerce sites in early 2000, are in current headlines.

Firewalls, critical components of today's computer networks, effectively protect a system from most Internet security threats. They keep damage on one part of the network--such as eavesdropping, a worm program, or file damage--from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

Like the bestselling and highly respected first edition, Building Internet Firewalls, 2nd Edition, is a practical and detailed step-by-step guide to designing and installing firewalls and configuring Internet services to work with a firewall. Much expanded to include Linux and Windows coverage, the second edition describes:

Firewall technologies: packet filtering, proxying, network address translation, virtual private networks
Architectures such as screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls
Issues involved in a variety of new Internet services and protocols through a firewall
Email and News
Web services and scripting languages (e.g., HTTP, Java, JavaScript, ActiveX, RealAudio, RealVideo)
File transfer and sharing services such as NFS, Samba
Remote access services such as Telnet, the BSD "r" commands, SSH, BackOrifice 2000
Real-time conferencing services such as ICQ and talk
Naming and directory services (e.g., DNS, NetBT, the Windows Browser)
Authentication and auditing services (e.g., PAM, Kerberos, RADIUS);
Administrative services (e.g., syslog, SNMP, SMS, RIP and other routing protocols, and ping and other network diagnostics)
Intermediary protocols (e.g., RPC, SMB, CORBA, IIOP)
Database protocols (e.g., ODBC, JDBC, and protocols for Oracle, Sybase, and Microsoft SQL Server)

The book's complete list of resources includes the location of many publicly available firewall construction tools.

Wybrane bestsellery

Ebooka "Building Internet Firewalls. 2nd Edition" przeczytasz na:

czytnikach Inkbook, Kindle, Pocketbook, Onyx Booxs i innych
systemach Windows, MacOS i innych

systemach Windows, Android, iOS, HarmonyOS
na dowolnych urządzeniach i aplikacjach obsługujących formaty: PDF, EPub, Mobi

Masz pytania? Zajrzyj do zakładki Pomoc »

Audiobooka "Building Internet Firewalls. 2nd Edition" posłuchasz:

w aplikacji Ebookpoint na Android, iOS, HarmonyOs
na systemach Windows, MacOS i innych

na dowolonych urządzeniach
i aplikacjach obsługujących format MP3
(pliki spakowane w ZIP)

Masz pytania? Zajrzyj do zakładki Pomoc »

Kurs Video "Building Internet Firewalls. 2nd Edition" zobaczysz:

Oceny i opinie klientów: Building Internet Firewalls. 2nd Edition Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman (0) Weryfikacja opinii następuję na podstawie historii zamówień na koncie Użytkownika umieszczającego opinię. Użytkownik mógł otrzymać punkty za opublikowanie opinii uprawniające do uzyskania rabatu w ramach Programu Punktowego.

Szczegóły książki

ISBN Ebooka:: 978-05-965-5188-9, 9780596551889
Data wydania ebooka :: 2000-06-26 Data wydania ebooka często jest dniem wprowadzenia tytułu do sprzedaży i może nie być równoznaczna z datą wydania książki papierowej. Dodatkowe informacje możesz znaleźć w darmowym fragmencie. Jeśli masz wątpliwości skontaktuj się z nami sklep@helion.pl.
Język publikacji:: 1
Rozmiar pliku ePub:: 2.6MB
Rozmiar pliku Mobi:: 8.1MB

Zgłoś erratę
Kategorie:
Hacking
Hacking » Bezpieczeństwo sieci
Hacking » Bezpieczeństwo systemów
Hacking » Bezpieczeństwo WWW

Spis treści książki

Building Internet Firewalls, 2nd Edition
- SPECIAL OFFER: Upgrade this ebook with OReilly
- Preface
  - Scope of This Book
  - Audience
  - Platforms
  - Products
  - Examples
  - Conventions Used in This Book
  - Comments and Questions
  - Acknowledgments for the Second Edition
  - Acknowledgments for the First Edition
- I. Network Security
  - 1. Why Internet Firewalls?
    - 1.1. What Are You Trying to Protect?
      - 1.1.1. Your Data
      - 1.1.2. Your Resources
      - 1.1.3. Your Reputation
    - 1.2. What Are You Trying to Protect Against?
      - 1.2.1. Types of Attacks
        
        1.2.1.1. Intrusion
        
        1.2.1.2. Denial of service
        
        1.2.1.3. Information theft
      - 1.2.2. Types of Attackers
        
        1.2.2.1. Joyriders
        
        1.2.2.2. Vandals
        
        1.2.2.3. Scorekeepers
        
        1.2.2.4. Spies (industrial and otherwise)
      - 1.2.3. Stupidity and Accidents
      - 1.2.4. Theoretical Attacks
    - 1.3. Who Do You Trust?
    - 1.4. How Can You Protect Your Site?
      - 1.4.1. No Security
      - 1.4.2. Security Through Obscurity
      - 1.4.3. Host Security
      - 1.4.4. Network Security
      - 1.4.5. No Security Model Can Do It All
    - 1.5. What Is an Internet Firewall?
      - 1.5.1. What Can a Firewall Do?
        
        1.5.1.1. A firewall is a focus for security decisions
        
        1.5.1.2. A firewall can enforce a security policy
        
        1.5.1.3. A firewall can log Internet activity efficiently
        
        1.5.1.4. A firewall limits your exposure
      - 1.5.2. What Cant a Firewall Do?
        
        1.5.2.1. A firewall can't protect you against malicious insiders
        
        1.5.2.2. A firewall can't protect you against connections that don't go through it
        
        1.5.2.3. A firewall can't protect against completely new threats
        
        1.5.2.4. A firewall can't fully protect against viruses
        
        1.5.2.5. A firewall can't set itself up correctly
      - 1.5.3. What's Wrong with Firewalls?
        
        1.5.3.1. Firewalls interfere with the Internet
        
        1.5.3.2. Firewalls don't deal with the real problem
    - 1.6. Religious Arguments
      - 1.6.1. Buying Versus Building
      - 1.6.2. Unix Versus Windows NT
      - 1.6.3. That's Not a Firewall!
  - 2. Internet Services
    - 2.1. Secure Services and Safe Services
    - 2.2. The World Wide Web
      - 2.2.1. Web Client Security Issues
      - 2.2.2. Web Server Security Issues
    - 2.3. Electronic Mail and News
      - 2.3.1. Electronic Mail
      - 2.3.2. Usenet News
    - 2.4. File Transfer, File Sharing, and Printing
      - 2.4.1. File Transfer
      - 2.4.2. File Sharing
      - 2.4.3. Printing Systems
    - 2.5. Remote Access
      - 2.5.1. Remote Terminal Access and Command Execution
      - 2.5.2. Remote Graphic Interfaces for Microsoft Operating Systems
      - 2.5.3. Network Window Systems
    - 2.6. Real-Time Conferencing Services
    - 2.7. Naming and Directory Services
    - 2.8. Authentication and Auditing Services
    - 2.9. Administrative Services
      - 2.9.1. System Management
      - 2.9.2. Routing
      - 2.9.3. Network Diagnostics
      - 2.9.4. Time Service
    - 2.10. Databases
    - 2.11. Games
  - 3. Security Strategies
    - 3.1. Least Privilege
    - 3.2. Defense in Depth
    - 3.3. Choke Point
    - 3.4. Weakest Link
    - 3.5. Fail-Safe Stance
      - 3.5.1. Default Deny Stance: That Which Is Not Expressly Permitted Is Prohibited
      - 3.5.2. Default Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
    - 3.6. Universal Participation
    - 3.7. Diversity of Defense
      - 3.7.1. Inherent Weaknesses
      - 3.7.2. Common Configuration
      - 3.7.3. Common Heritage
      - 3.7.4. Skin-Deep Differences
      - 3.7.5. Conclusion
    - 3.8. Simplicity
    - 3.9. Security Through Obscurity
- II. Building Firewalls
  - 4. Packets and Protocols
    - 4.1. What Does a Packet Look Like?
      - 4.1.1. TCP/IP/Ethernet Example
        
        4.1.1.1. Ethernet layer
        
        4.1.1.2. IP layer
        
        4.1.1.3. TCP layer
    - 4.2. IP
      - 4.2.1. IP Multicast and Broadcast
      - 4.2.2. IP Options
      - 4.2.3. IP Fragmentation
    - 4.3. Protocols Above IP
      - 4.3.1. TCP
        
        4.3.1.1. TCP options
        
        4.3.1.2. TCP sequence numbers
      - 4.3.2. UDP
      - 4.3.3. ICMP
      - 4.3.4. IP over IP and GRE
    - 4.4. Protocols Below IP
    - 4.5. Application Layer Protocols
    - 4.6. IP Version 6
    - 4.7. Non-IP Protocols
    - 4.8. Attacks Based on Low-Level Protocol Details
      - 4.8.1. Port Scanning
      - 4.8.2. Implementation Weaknesses
      - 4.8.3. IP Spoofing
        
        4.8.3.1. The attacker can intercept the reply
        
        4.8.3.2. The attacker doesn't need to see the reply
        
        4.8.3.3. The attacker doesn't want the reply
      - 4.8.4. Packet Interception
  - 5. Firewall Technologies
    - 5.1. Some Firewall Definitions
    - 5.2. Packet Filtering
      - 5.2.1. Advantages of Packet Filtering
        
        5.2.1.1. One screening router can help protect an entire network
        
        5.2.1.2. Simple packet filtering is extremely efficient
        
        5.2.1.3. Packet filtering is widely available
      - 5.2.2. Disadvantages of Packet Filtering
        
        5.2.2.1. Current filtering tools are not perfect
        
        5.2.2.2. Packet filtering reduces router performance
        
        5.2.2.3. Some policies can't readily be enforced by normal packet filtering routers
    - 5.3. Proxy Services
      - 5.3.1. Advantages of Proxying
        
        5.3.1.1. Proxy services can be good at logging
        
        5.3.1.2. Proxy services can provide caching
        
        5.3.1.3. Proxy services can do intelligent filtering
        
        5.3.1.4. Proxy systems can perform user-level authentication
        
        5.3.1.5. Proxy systems automatically provide protection for weak or faulty IP implementations
      - 5.3.2. Disadvantages of Proxying
        
        5.3.2.1. Proxy services lag behind nonproxied services
        
        5.3.2.2. Proxy services may require different servers for each service
        
        5.3.2.3. Proxy services usually require modifications to clients, applications, or procedures
    - 5.4. Network Address Translation
      - 5.4.1. Advantages of Network Address Translation
        
        5.4.1.1. Network address translation helps to enforce the firewall's control over outbound connections
        
        5.4.1.2. Network address translation can help restrict incoming traffic
        
        5.4.1.3. Network address translation helps to conceal the internal network's configuration
      - 5.4.2. Disadvantages of Network Address Translation
        
        5.4.2.1. Dynamic allocation requires state information that is not always available
        
        5.4.2.2. Embedded IP addresses are a problem for network address translation
        
        5.4.2.3. Network address translation interferes with some encryption and authentication systems
        
        5.4.2.4. Dynamic allocation of addresses interferes with logging
        
        5.4.2.5. Dynamic allocation of ports may interfere with packet filtering
    - 5.5. Virtual Private Networks
      - 5.5.1. Where Do You Encrypt?
      - 5.5.2. Key Distribution and Certificates
      - 5.5.3. Advantages of Virtual Private Networks
        
        5.5.3.1. Virtual private networks provide overall encryption
        
        5.5.3.2. Virtual private networks allow you to remotely use protocols that are difficult to secure any other way
      - 5.5.4. Disadvantages of Virtual Private Networks
        
        5.5.4.1. Virtual private networks involve dangerous network connections
        
        5.5.4.2. Virtual private networks extend the network you must protect
  - 6. Firewall Architectures
    - 6.1. Single-Box Architectures
      - 6.1.1. Screening Router
        
        6.1.1.1. Appropriate uses
      - 6.1.2. Dual-Homed Host
        
        6.1.2.1. Appropriate uses
      - 6.1.3. Multiple-Purpose Boxes
        
        6.1.3.1. Appropriate uses
    - 6.2. Screened Host Architectures
      - 6.2.1. Appropriate Uses
    - 6.3. Screened Subnet Architectures
      - 6.3.1. Perimeter Network
      - 6.3.2. Bastion Host
      - 6.3.3. Interior Router
      - 6.3.4. Exterior Router
      - 6.3.5. Appropriate Uses
    - 6.4. Architectures with Multiple Screened Subnets
      - 6.4.1. Split-Screened Subnet
        
        6.4.1.1. Appropriate uses
      - 6.4.2. Independent Screened Subnets
        
        6.4.2.1. Appropriate uses
    - 6.5. Variations on Firewall Architectures
      - 6.5.1. It's OK to Use Multiple Bastion Hosts
      - 6.5.2. It's OK to Merge the Interior Router and the Exterior Router
      - 6.5.3. It's OK to Merge the Bastion Host and the Exterior Router
      - 6.5.4. It's Dangerous to Merge the Bastion Host and the Interior Router
      - 6.5.5. It's Dangerous to Use Multiple Interior Routers
      - 6.5.6. It's OK to Use Multiple Exterior Routers
      - 6.5.7. It's Dangerous to Use Both Screened Subnets and Screened Hosts
    - 6.6. Terminal Servers and Modem Pools
    - 6.7. Internal Firewalls
      - 6.7.1. Laboratory Networks
      - 6.7.2. Insecure Networks
      - 6.7.3. Extra-Secure Networks
      - 6.7.4. Joint Venture Firewalls
      - 6.7.5. A Shared Perimeter Network Allows an "Arms-Length"Relationship
      - 6.7.6. An Internal Firewall May or May Not Need Bastion Hosts
  - 7. Firewall Design
    - 7.1. Define Your Needs
      - 7.1.1. What Will the Firewall Actually Do?
        
        7.1.1.1. What services do you need to offer?
        
        7.1.1.2. How secure do you need to be?
        
        7.1.1.3. How much usage will there be?
        
        7.1.1.4. How much reliability do you need?
      - 7.1.2. What Are Your Constraints?
        
        7.1.2.1. What budget do you have available?
        
        7.1.2.2. What personnel do you have available?
        
        7.1.2.3. What is your environment like?
    - 7.2. Evaluate the Available Products
      - 7.2.1. Scalability
      - 7.2.2. Reliability and Redundancy
      - 7.2.3. Auditability
      - 7.2.4. Price
      - 7.2.5. Management and Configuration
      - 7.2.6. Adaptability
      - 7.2.7. Appropriateness
    - 7.3. Put Everything Together
      - 7.3.1. Where will logs go, and how?
        
        7.3.1.1. How will you back up the system?
        
        7.3.1.2. What support services does the system require?
        
        7.3.1.3. How will you access the machines?
        
        7.3.1.4. Where will routine reports go, and how?
        
        7.3.1.5. Where will alarms go, and how?
  - 8. Packet Filtering
    - 8.1. What Can You Do with Packet Filtering?
      - 8.1.1. Basic Packet Filtering
      - 8.1.2. Stateful or Dynamic Packet Filtering
      - 8.1.3. Protocol Checking
    - 8.2. Configuring a Packet Filtering Router
      - 8.2.1. Protocols Are Usually Bidirectional
      - 8.2.2. Be Careful of "Inbound" Versus "Outbound" Semantics
      - 8.2.3. Default Permit Versus Default Deny
    - 8.3. What Does the Router Do with Packets?
      - 8.3.1. Logging Actions
      - 8.3.2. Returning Error Codes
      - 8.3.3. Making Changes
    - 8.4. Packet Filtering Tips and Tricks
      - 8.4.1. Edit Your Filtering Rules Offline
      - 8.4.2. Reload Rule Sets from Scratch Each Time
      - 8.4.3. Replace Packet Filters Atomically
      - 8.4.4. Always Use IP Addresses, Never Hostnames
      - 8.4.5. Password Protect Your Packet Filters
      - 8.4.6. If Possible, Use Named Access Lists
    - 8.5. Conventions for Packet Filtering Rules
    - 8.6. Filtering by Address
      - 8.6.1. Risks of Filtering by Source Address
    - 8.7. Filtering by Service
      - 8.7.1. Outbound Telnet Service
      - 8.7.2. Inbound Telnet Service
      - 8.7.3. Telnet Summary
      - 8.7.4. Risks of Filtering by Source Port
    - 8.8. Choosing a Packet Filtering Router
      - 8.8.1. It Should Have Good Enough Packet Filtering Performance for Your Needs
      - 8.8.2. It Can Be a Single-Purpose Router or a General-Purpose Computer
      - 8.8.3. It Should Allow Simple Specification of Rules
      - 8.8.4. It Should Allow Rules Based on Any Header or Meta-Packet Criteria
      - 8.8.5. It Should Apply Rules in the Order Specified
        
        8.8.5.1. If the rules are applied in the order ABC
        
        8.8.5.2. If the rules are applied in the order BAC
        
        8.8.5.3. Rule B is actually not necessary
        
        8.8.5.4. Packet filtering rules are tricky
      - 8.8.6. It Should Apply Rules Separately to Incoming and Outgoing Packets, on a Per-Interface Basis
      - 8.8.7. It Should Be Able to Log Accepted and Dropped Packets
      - 8.8.8. It Should Have Good Testing and Validation Capabilities
    - 8.9. Packet Filtering Implementations for General-Purpose Computers
      - 8.9.1. Linux ipchains and Masquerading
        
        8.9.1.1. ipchains
        
        8.9.1.2. Testing ipchains rules
        
        8.9.1.3. Masquerading
        
        8.9.1.4. How masquerading works
        
        8.9.1.5. Available specialized masquerading modules
        
        8.9.1.6. Using ipchains (including masquerading)
      - 8.9.2. ipfilter
      - 8.9.3. Comparing ipfilter and ipchains
      - 8.9.4. Linux netfilter
      - 8.9.5. Windows NT Packet Filtering
    - 8.10. Where to Do Packet Filtering
    - 8.11. What Rules Should You Use?
    - 8.12. Putting It All Together
  - 9. Proxy Systems
    - 9.1. Why Proxying?
    - 9.2. How Proxying Works
      - 9.2.1. Using Proxy-Aware Application Software for Proxying
      - 9.2.2. Using Proxy-Aware Operating System Software
      - 9.2.3. Using Proxy-Aware User Procedures for Proxying
      - 9.2.4. Using a Proxy-Aware Router
    - 9.3. Proxy Server Terminology
      - 9.3.1. Application-Level Versus Circuit-Level Proxies
      - 9.3.2. Generic Versus Dedicated Proxies
      - 9.3.3. Intelligent Proxy Servers
    - 9.4. Proxying Without a Proxy Server
    - 9.5. Using SOCKS for Proxying
      - 9.5.1. Versions of SOCKS
      - 9.5.2. SOCKS Features
      - 9.5.3. SOCKS Components
      - 9.5.4. Converting Clients to Use SOCKS
    - 9.6. Using the TIS Internet Firewall Toolkit for Proxying
      - 9.6.1. FTP Proxying with TIS FWTK
      - 9.6.2. Telnet and rlogin Proxying with TIS FWTK
      - 9.6.3. Generic Proxying with TIS FWTK
      - 9.6.4. Other TIS FWTK Proxies
    - 9.7. Using Microsoft Proxy Server
      - 9.7.1. Proxy Server and SOCKS
      - 9.7.2. Proxy Server and WinSock
    - 9.8. What If You Can't Proxy?
      - 9.8.1. No Proxy Server Is Available
      - 9.8.2. Proxying Won't Secure the Service
      - 9.8.3. Can't Modify Client or Procedures
  - 10. Bastion Hosts
    - 10.1. General Principles
    - 10.2. Special Kinds of Bastion Hosts
      - 10.2.1. Nonrouting Dual-Homed Hosts
      - 10.2.2. Victim Machines
      - 10.2.3. Internal Bastion Hosts
      - 10.2.4. External Service Hosts
      - 10.2.5. One-Box Firewalls
    - 10.3. Choosing a Machine
      - 10.3.1. What Operating System?
      - 10.3.2. How Fast a Machine?
      - 10.3.3. What Hardware Configuration?
    - 10.4. Choosing a Physical Location
    - 10.5. Locating Bastion Hosts on the Network
    - 10.6. Selecting Services Provided by a Bastion Host
      - 10.6.1. Multiple Services or Multiple Hosts?
    - 10.7. Disabling User Accounts on Bastion Hosts
    - 10.8. Building a Bastion Host
    - 10.9. Securing the Machine
      - 10.9.1. Start with a Minimal Clean Operating System Installation
      - 10.9.2. Fix All Known System Bugs
      - 10.9.3. Use a Checklist
      - 10.9.4. Safeguard the System Logs
        
        10.9.4.1. System logs for convenience
        
        10.9.4.2. System logs for catastrophes
        
        10.9.4.3. Logging and time
        
        10.9.4.4. Choosing what to log
    - 10.10. Disabling Nonrequired Services
      - 10.10.1. How to Disable Services
        
        10.10.1.1. Next steps after disabling services
      - 10.10.2. Running Services on Specific Networks
      - 10.10.3. Turning Off Routing
      - 10.10.4. Controlling Inbound Traffic
      - 10.10.5. Installing and Modifying Services
      - 10.10.6. Reconfiguring for Production
        
        10.10.6.1. Finalize the operating system configuration
        
        10.10.6.2. Mount filesystems as read-only
      - 10.10.7. Running a Security Audit
        
        10.10.7.1. Auditing packages
        
        10.10.7.2. Use cryptographic checksums for auditing
      - 10.10.8. Connecting the Machine
    - 10.11. Operating the Bastion Host
      - 10.11.1. Learn What the Normal Usage Profile Is
      - 10.11.2. Consider Using Software to Automate Monitoring
    - 10.12. Protecting the Machine and Backups
      - 10.12.1. Watch Reboots Carefully
      - 10.12.2. Do Secure Backups
      - 10.12.3. Other Objects to Secure
  - 11. Unix and Linux Bastion Hosts
    - 11.1. Which Version of Unix?
    - 11.2. Securing Unix
      - 11.2.1. Setting Up System Logs on Unix
        
        11.2.1.1. syslog Linux example
        
        11.2.1.2. System logs for catastrophe
    - 11.3. Disabling Nonrequired Services
      - 11.3.1. How Are Services Managed Under Unix?
        
        11.3.1.1. Services started by /etc/rc files or directories
        
        11.3.1.2. Services started by inetd
      - 11.3.2. Disabling Services Under Unix
      - 11.3.3. Which Services Should You Leave Enabled?
      - 11.3.4. Specific Unix Services to Disable
        
        11.3.4.1. NFS and related services
        
        11.3.4.2. Other RPC services
        
        11.3.4.3. Booting services
        
        11.3.4.4. BSD "r" command services
        
        11.3.4.5. routed
        
        11.3.4.6. fingerd
        
        11.3.4.7. ftpd
        
        11.3.4.8. Other services
      - 11.3.5. Running Services on Specific Networks
      - 11.3.6. Turning Off Routing
    - 11.4. Installing and Modifying Services
      - 11.4.1. Using the TCP Wrapper Package to Protect Services
        
        11.4.1.1. TCP Wrapper example
        
        11.4.1.2. Using netacl to protect services
      - 11.4.2. Evaluating and Configuring Unix Services
    - 11.5. Reconfiguring for Production
      - 11.5.1. Reconfigure and Rebuild the Kernel
      - 11.5.2. Remove Nonessential Programs
      - 11.5.3. Mount Filesystems as Read-Only
    - 11.6. Running a Security Audit
  - 12. Windows NT and Windows 2000 Bastion Hosts
    - 12.1. Approaches to Building Windows NT Bastion Hosts
    - 12.2. Which Version of Windows NT?
    - 12.3. Securing Windows NT
      - 12.3.1. Setting Up System Logs Under Windows NT
    - 12.4. Disabling Nonrequired Services
      - 12.4.1. How Are Services Managed Under Windows NT?
        
        12.4.1.1. Registry keys
        
        12.4.1.2. Other ways to start programs under Windows NT
      - 12.4.2. How to Disable Services Under Windows NT
      - 12.4.3. Next Steps After Disabling Services
      - 12.4.4. Which Services Should You Leave Enabled?
      - 12.4.5. Specific Windows NT Services to Disable
        
        12.4.5.1. The Services control panel
      - 12.4.6. Turning Off Routing
    - 12.5. Installing and Modifying Services
- III. Internet Services
  - 13. Internet Services and Firewalls
    - 13.1. Attacks Against Internet Services
      - 13.1.1. Command-Channel Attacks
      - 13.1.2. Data-Driven Attacks
      - 13.1.3. Third-Party Attacks
      - 13.1.4. False Authentication of Clients
      - 13.1.5. Hijacking
      - 13.1.6. Packet Sniffing
      - 13.1.7. Data Injection and Modification
      - 13.1.8. Replay
      - 13.1.9. Denial of Service
      - 13.1.10. Protecting Services
    - 13.2. Evaluating the Risks of a Service
      - 13.2.1. What Operations Does the Protocol Allow?
        
        13.2.1.1. What is it designed to do?
        
        13.2.1.2. Is the level of authentication and authorization it uses appropriate for doing that?
        
        13.2.1.3. Does it have any other commands in it?
      - 13.2.2. What Data Does the Protocol Transfer?
      - 13.2.3. How Well Is the Protocol Implemented?
        
        13.2.3.1. Does it have any other commands in it?
      - 13.2.4. What Else Can Come in If I Allow This Service?
    - 13.3. Analyzing Other Protocols
    - 13.4. What Makes a Good Firewalled Service?
      - 13.4.1. TCP Versus Other Protocols
      - 13.4.2. One Connection per Session
      - 13.4.3. One Session per Connection
      - 13.4.4. Assigned Ports
      - 13.4.5. Protocol Security
    - 13.5. Choosing Security-Critical Programs
      - 13.5.1. My Product Is Secure Because . . .
        
        13.5.1.1. It contains no publicly available code, so it's secret
        
        13.5.1.2. It contains publicly available code, so it's been well reviewed
        
        13.5.1.3. It is built entirely from scratch, so it didn't inherit any bugs from any other products
        
        13.5.1.4. It is built on an old, well-tested code base
        
        13.5.1.5. It doesn't run as root/Administrator/LocalSystem
        
        13.5.1.6. It doesn't run under Unix, or it doesn't run on a Microsoft operating system
        
        13.5.1.7. There are no known attacks against it
        
        13.5.1.8. It uses public key cryptography (or some other secure-sounding technology)
      - 13.5.2. Their Product Is Insecure Because . . .
        
        13.5.2.1. It's been mentioned in a CERT-CC advisory or on a web site listing vulnerabilities
        
        13.5.2.2. It's publicly available
        
        13.5.2.3. It's been successfully attacked
      - 13.5.3. Real Indicators of Security
        
        13.5.3.1. Security was one of the design criteria
        
        13.5.3.2. The supplier can discuss how major security problems were avoided
        
        13.5.3.3. It is possible for you to review the code
        
        13.5.3.4. Somebody you know and trust actually has reviewed the code
        
        13.5.3.5. There is a security notification and update procedure
        
        13.5.3.6. The server implements a recent (but accepted) version of the protocol
        
        13.5.3.7. The program uses standard error-logging mechanisms
        
        13.5.3.8. There is a secure software distribution mechanism
    - 13.6. Controlling Unsafe Configurations
  - 14. Intermediary Protocols
    - 14.1. Remote Procedure Call (RPC)
      - 14.1.1. Sun RPC Authentication
      - 14.1.2. Microsoft RPC Authentication
      - 14.1.3. Packet Filtering Characteristics of RPC
      - 14.1.4. Proxying Characteristics of RPC
      - 14.1.5. Network Address Translation Characteristics of RPC
      - 14.1.6. Summary of Recommendations for RPC
    - 14.2. Distributed Component Object Model (DCOM)
    - 14.3. NetBIOS over TCP/IP (NetBT)
      - 14.3.1. Packet Filtering Characteristics of NetBT
      - 14.3.2. Proxying Characteristics of NetBT
      - 14.3.3. Network Address Translation Characteristics of NetBT
      - 14.3.4. Summary of Recommendations for NetBT
    - 14.4. Common Internet File System (CIFS) and Server Message Block (SMB)
      - 14.4.1. Authentication and SMB
        
        14.4.1.1. Share-level authentication
        
        14.4.1.2. User-level authentication
      - 14.4.2. Packet Filtering Characteristics of SMB
      - 14.4.3. Proxying Characteristics of SMB
      - 14.4.4. Network Address Translation Characteristics of SMB
      - 14.4.5. Summary of Recommendations for SMB
    - 14.5. Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
      - 14.5.1. Packet Filtering Characteristics of CORBA and IIOP
      - 14.5.2. Proxying Characteristics of CORBA and IIOP
      - 14.5.3. Network Address Translation Characteristics of CORBA and IIOP
      - 14.5.4. Summary of Recommendations for CORBA and IIOP
    - 14.6. ToolTalk
      - 14.6.1. Summary of Recommendations for ToolTalk
    - 14.7. Transport Layer Security (TLS) and Secure Socket Layer (SSL)
      - 14.7.1. The TLS and SSL Protocols
      - 14.7.2. Cryptography in TLS and SSL
      - 14.7.3. Use of TLS and SSL by Other Protocols
      - 14.7.4. Packet Filtering Characteristics of TLS and SSL
      - 14.7.5. Proxying Characteristics of TLS and SSL
      - 14.7.6. Network Address Translation Characteristics of TLS and SSL
      - 14.7.7. Summary of Recommendations for TLS and SSL
    - 14.8. The Generic Security Services API (GSSAPI)
    - 14.9. IPsec
      - 14.9.1. Packet Filtering Characteristics of IPsec
      - 14.9.2. Proxying Characteristics of IPsec
      - 14.9.3. Network Address Translation Characteristics of IPsec
      - 14.9.4. Summary of Recommendations for IPsec
    - 14.10. Remote Access Service (RAS)
    - 14.11. Point-to-Point Tunneling Protocol (PPTP)
      - 14.11.1. Design Weaknesses in PPTP
      - 14.11.2. Implementation Weaknesses in PPTP
      - 14.11.3. Packet Filtering Characteristics of PPTP
      - 14.11.4. Proxying Characteristics of PPTP
      - 14.11.5. Network Address Translation Characteristics of PPTP
      - 14.11.6. Summary of Recommendations for PPTP
    - 14.12. Layer 2 Transport Protocol (L2TP)
      - 14.12.1. Packet Filtering Characteristics of L2TP
      - 14.12.2. Proxying Characteristics of L2TP
      - 14.12.3. Network Address Translation Characteristics of L2TP
      - 14.12.4. Summary of Recommendations for L2TP
  - 15. The World Wide Web
    - 15.1. HTTP Server Security
      - 15.1.1. HTTP Extensions
        
        15.1.1.1. Tricking extensions
        
        15.1.1.2. Running unexpected external programs
    - 15.2. HTTP Client Security
      - 15.2.1. Inadvertent Release of Information
        
        15.2.1.1. Cookies
      - 15.2.2. External Viewers
      - 15.2.3. Extension Systems
      - 15.2.4. What Can You Do?
      - 15.2.5. Internet Explorer and Security Zones
    - 15.3. HTTP
      - 15.3.1. HTTP Tunneling
      - 15.3.2. Special HTTP Servers
      - 15.3.3. Packet Filtering Characteristics of HTTP
      - 15.3.4. Proxying Characteristics of HTTP
      - 15.3.5. Network Address Translation Characteristics of HTTP
      - 15.3.6. Securing HTTP
        
        15.3.6.1. Packet filtering characteristics of HTTPS and Secure HTTP
        
        15.3.6.2. Proxying characteristics of HTTPS and Secure HTTP
        
        15.3.6.3. Network address translation characteristics of HTTPS and Secure HTTP
      - 15.3.7. Summary of Recommendations for HTTP
    - 15.4. Mobile Code and Web-Related Languages
      - 15.4.1. JavaScript
      - 15.4.2. VBScript
      - 15.4.3. Java
      - 15.4.4. ActiveX
    - 15.5. Cache Communication Protocols
      - 15.5.1. Internet Cache Protocol (ICP)
        
        15.5.1.1. Packet filtering characteristics of ICP
        
        15.5.1.2. Proxying characteristics of ICP
        
        15.5.1.3. Network address translation characteristics of ICP
      - 15.5.2. Cache Array Routing Protocol (CARP)
      - 15.5.3. Web Cache Coordination Protocol (WCCP)
        
        15.5.3.1. Packet filtering characteristics of WCCP
        
        15.5.3.2. Proxying characteristics of WCCP
        
        15.5.3.3. Network address translation characteristics of WCCP
      - 15.5.4. Summary of Recommendations for Cache Communication Protocols
    - 15.6. Push Technologies
      - 15.6.1. Summary of Recommendations for Push Technologies
    - 15.7. RealAudio and RealVideo
      - 15.7.1. Risks of RealServer
      - 15.7.2. Risks of RealAudio and RealVideo Clients
      - 15.7.3. Packet Filtering Characteristics of RealAudio and RealVideo
      - 15.7.4. Proxying Characteristics of RealAudio and RealVideo
      - 15.7.5. Network Address Translation Characteristics of RealAudio and RealVideo
      - 15.7.6. Summary Recommendations for RealAudio and RealVideo
    - 15.8. Gopher and WAIS
      - 15.8.1. Packet Filtering Characteristics of Gopher and WAIS
      - 15.8.2. Proxying Characteristics of Gopher and WAIS
      - 15.8.3. Network Address Translation Characteristics of Gopher and WAIS
      - 15.8.4. Summary of Recommendations for Gopher and WAIS
  - 16. Electronic Mail and News
    - 16.1. Electronic Mail
      - 16.1.1. Keeping Mail Secret
      - 16.1.2. Undesirable Mail
        
        16.1.2.1. Junk mail
        
        16.1.2.2. Viruses and other hostilities
      - 16.1.3. Multimedia Internet Mail Extensions (MIME)
      - 16.1.4. S/MIME and OpenPGP
    - 16.2. Simple Mail Transfer Protocol (SMTP)
      - 16.2.1. Extended SMTP (ESMTP)
      - 16.2.2. TLS/SSL, SSMTP, and STARTTLS
      - 16.2.3. Packet Filtering Characteristics of SMTP
      - 16.2.4. Proxying Characteristics of SMTP
      - 16.2.5. Network Address Translation Characteristics of SMTP
      - 16.2.6. Configuring SMTP to Work with a Firewall
      - 16.2.7. Sendmail
      - 16.2.8. Other Freely Available SMTP Servers for Unix
        
        16.2.8.1. smail
        
        16.2.8.2. Postfix
        
        16.2.8.3. Qmail
      - 16.2.9. Commercial SMTP Servers for Unix
      - 16.2.10. Improving SMTP Security with smap and smapd
      - 16.2.11. biff
      - 16.2.12. SMTP Support in Non-SMTP Mail Systems
      - 16.2.13. SMTP Servers for Windows NT
      - 16.2.14. Summary of Recommendations for SMTP
    - 16.3. Other Mail Transfer Protocols
    - 16.4. Microsoft Exchange
      - 16.4.1. Summary of Recommendations for Microsoft Exchange
    - 16.5. Lotus Notes and Domino
      - 16.5.1. Packet Filtering Characteristics of Lotus Notes
      - 16.5.2. Proxying Characteristics of Lotus Notes
      - 16.5.3. Network Address Translation Characteristics of Lotus Notes
      - 16.5.4. Summary of Recommendations for Lotus Notes
    - 16.6. Post Office Protocol (POP)
      - 16.6.1. Packet Filtering Characteristics of POP
      - 16.6.2. Proxying Characteristics of POP
      - 16.6.3. Network Address Translation Characteristics of POP
      - 16.6.4. Summary of Recommendations for POP
    - 16.7. Internet Message Access Protocol (IMAP)
      - 16.7.1. Packet Filtering Characteristics of IMAP
      - 16.7.2. Proxying Characteristics of IMAP
      - 16.7.3. Network Address Translation Characteristics of IMAP
      - 16.7.4. Summary of Recommendations for IMAP
    - 16.8. Microsoft Messaging API (MAPI)
    - 16.9. Network News Transfer Protocol (NNTP)
      - 16.9.1. Packet Filtering Characteristics of NNTP
      - 16.9.2. Proxying Characteristics of NNTP
      - 16.9.3. Network Address Translation Characteristics of NNTP
      - 16.9.4. Summary of Recommendations for NNTP
  - 17. File Transfer, File Sharing, and Printing
    - 17.1. File Transfer Protocol (FTP)
      - 17.1.1. Packet Filtering Characteristics of FTP
      - 17.1.2. Proxying Characteristics of FTP
      - 17.1.3. Network Address Translation Characteristics of FTP
      - 17.1.4. Providing Anonymous FTP Service
        
        17.1.4.1. Limiting access to information
        
        17.1.4.2. Preventing people from using your server to distribute their data
        
        17.1.4.2.1. Making your incoming directory write-only
        
        17.1.4.2.2. Making anonymous read and anonymous write exclusive
        
        17.1.4.2.3. Disabling the creation of directories and certain files
        
        17.1.4.2.4. Uploading by prearrangement
        
        17.1.4.2.5. Removing the files
        
        17.1.4.3. Preventing people from using your server to attack other machines
        
        17.1.4.4. Using the wuarchive FTP daemon
      - 17.1.5. Summary of Recommendations for FTP
    - 17.2. Trivial File Transfer Protocol (TFTP)
      - 17.2.1. Packet Filtering Characteristics of TFTP
      - 17.2.2. Proxying Characteristics of TFTP
      - 17.2.3. Network Address Translation Characteristics of TFTP
      - 17.2.4. Summary of Recommendations for TFTP
    - 17.3. Network File System (NFS)
      - 17.3.1. NFS Authentication
      - 17.3.2. NFS and root
      - 17.3.3. NFS Client Vulnerabilities
      - 17.3.4. File Locking with NFS
      - 17.3.5. Automounting
      - 17.3.6. Packet Filtering Characteristics of NFS
      - 17.3.7. Proxying Characteristics of NFS
      - 17.3.8. Network Address Translation Characteristics of NFS
    - 17.4. File Sharing for Microsoft Networks
      - 17.4.1. Samba
      - 17.4.2. Distributed File System (Dfs)
      - 17.4.3. Packet Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing
    - 17.5. Summary of Recommendations for File Sharing
    - 17.6. Printing Protocols
      - 17.6.1. lpr and lp
        
        17.6.1.1. LPRng
        
        17.6.1.2. Packet filtering characteristics of lpr
        
        17.6.1.3. Proxying characteristics of lpr
        
        17.6.1.4. Network address translation characteristics of lpr
        
        17.6.1.5. Packet filtering and proxying characteristics of lp
      - 17.6.2. Windows-based Printing
      - 17.6.3. Other Printing Systems
      - 17.6.4. Summary of Recommendations for Printing Protocols
    - 17.7. Related Protocols
  - 18. Remote Access to Hosts
    - 18.1. Terminal Access (Telnet)
      - 18.1.1. Windows 2000 Telnet
      - 18.1.2. Packet Filtering Characteristics of Telnet
      - 18.1.3. Proxying Characteristics of Telnet
      - 18.1.4. Network Address Translation Characteristics of Telnet
      - 18.1.5. Summary of Recommendations for Telnet
    - 18.2. Remote Command Execution
      - 18.2.1. BSD "r" Commands
        
        18.2.1.1. BSD "r" commands under Windows NT
        
        18.2.1.2. Packet filtering characteristics of the BSD "r" commands
        
        18.2.1.3. Proxying characteristics of the BSD "r" commands
        
        18.2.1.4. Network address translation characteristics of the BSD "r"commands
        
        18.2.1.5. Summary of recommendations for the BSD "r" command
      - 18.2.2. rexec
        
        18.2.2.1. Packet filtering characteristics of rexec
        
        18.2.2.2. Proxying characteristics of rexec
        
        18.2.2.3. Network address translation characteristics of rexec
        
        18.2.2.4. Summary of recommendations for rexec
      - 18.2.3. rex
        
        18.2.3.1. Summary of recommendations for rex
      - 18.2.4. Windows NT Remote Commands
        
        18.2.4.1. Summary of recommendations for remote commands
      - 18.2.5. Secure Shell (SSH)
        
        18.2.5.1. What makes SSH secure?
        
        18.2.5.2. SSH server authentication
        
        18.2.5.3. SSH client authentication
        
        18.2.5.4. Additional SSH options for client control
        
        18.2.5.5. SSH session hijacking protection
        
        18.2.5.6. Port forwarding
        
        18.2.5.7. Remote X11 Window System support
        
        18.2.5.8. Packet filtering characteristics of SSH
        
        18.2.5.9. Proxying characteristics of SSH
        
        18.2.5.10. Network address translation characteristics of SSH
        
        18.2.5.11. Summary of recommendations for SSH
    - 18.3. Remote Graphical Interfaces
      - 18.3.1. X11 Window System
        
        18.3.1.1. Additional servers
        
        18.3.1.2. Packet filtering characteristics of X11
        
        18.3.1.3. Proxying characteristics of X11
        
        18.3.1.4. Network address translation characteristics of X11
        
        18.3.1.5. Summary of recommendations for XII
      - 18.3.2. Remote Graphic Interfaces for Microsoft Operating Systems
      - 18.3.3. Independent Computing Architecture (ICA)
        
        18.3.3.1. Packet filtering characteristics of ICA
        
        18.3.3.2. Proxying characteristics of ICA
        
        18.3.3.3. Network address translation characteristics of ICA
      - 18.3.4. Microsoft Terminal Server and Terminal Services
        
        18.3.4.1. Packet filtering characteristics of RDP
        
        18.3.4.2. Proxying characteristics of RDP
        
        18.3.4.3. Network address translation characteristics of RDP
      - 18.3.5. BO2K
        
        18.3.5.1. Packet filtering characteristics of BO2K
        
        18.3.5.2. Proxying characteristics of BO2K
        
        18.3.5.3. Network address translation characteristics of BO2K
      - 18.3.6. Summary of Recommendations for Windows Remote Access
  - 19. Real-Time Conferencing Services
    - 19.1. Internet Relay Chat (IRC)
      - 19.1.1. Packet Filtering Characteristics of IRC
      - 19.1.2. Proxying Characteristics of IRC
      - 19.1.3. Network Address Translation Characteristics of IRC
      - 19.1.4. Summary of Recommendations for IRC
    - 19.2. ICQ
      - 19.2.1. Packet Filtering Characteristics of ICQ
      - 19.2.2. Proxying Characteristics of ICQ
      - 19.2.3. Network Address Translation Characteristics of ICQ
      - 19.2.4. Summary of Recommendations for ICQ
    - 19.3. talk
      - 19.3.1. Packet Filtering Characteristics of talk
      - 19.3.2. Proxying Characteristics of talk
      - 19.3.3. Network Address Translation Characteristics of talk
      - 19.3.4. Summary of Recommendations for talk
    - 19.4. Multimedia Protocols
      - 19.4.1. T.120 and H.323
        
        19.4.1.1. Packet filtering characteristics of T.120
        
        19.4.1.2. Proxying characteristics of T.120
        
        19.4.1.3. Network address translation characteristics of T.120
        
        19.4.1.4. Packet filtering characteristics of H.323
        
        19.4.1.5. Proxying characteristics of H.323
        
        19.4.1.6. Network address translation characteristics of H.323
        
        19.4.1.7. Summary of recommendations for T.120 and H.323
      - 19.4.2. The Real-Time Transport Protocol (RTP) and the RTP Control Protocol (RTCP)
        
        19.4.2.1. Packet filtering characteristics of RTP and RTCP
        
        19.4.2.2. Proxying characteristics of RTP and RTCP
        
        19.4.2.3. Network address translation of RTP and RTCP
        
        19.4.2.4. Summary of recommendations for RTP and RTCP
    - 19.5. NetMeeting
      - 19.5.1. Packet Filtering Characteristics of NetMeeting
      - 19.5.2. Proxying Characteristics of NetMeeting
      - 19.5.3. Network Address Translation Characteristics of NetMeeting
      - 19.5.4. Summary of Recommendations for NetMeeting
    - 19.6. Multicast and the Multicast Backbone (MBONE)
      - 19.6.1. Summary of Recommendations for Multicast
  - 20. Naming and Directory Services
    - 20.1. Domain Name System (DNS)
      - 20.1.1. Packet Filtering Characteristics of DNS
      - 20.1.2. Proxying Characteristics of DNS
      - 20.1.3. DNS Data
      - 20.1.4. DNS Security Problems
        
        20.1.4.1. Bogus answers to DNS queries
        
        20.1.4.2. Malicious DNS queries
        
        20.1.4.3. Mismatched data between the hostname and IP address DNS trees
        
        20.1.4.4. Dynamic update
        
        20.1.4.5. Revealing too much information to attackers
      - 20.1.5. Setting Up DNS to Hide Information, Without Subdomains
        
        20.1.5.1. Set up a "fake" DNS server on the bastion host for the outside world to use
        
        20.1.5.2. Set up a real DNS server on an internal system for internal hosts to use
        
        20.1.5.3. Internal DNS clients query the internal server
        
        20.1.5.4. Bastion DNS clients also query the internal server
        
        20.1.5.5. What your packet filtering system needs to allow
      - 20.1.6. Setting Up DNS to Hide Information, with Subdomains
      - 20.1.7. Setting Up DNS Without Hiding Information
      - 20.1.8. Windows 2000 and DNS
      - 20.1.9. Network Address Translation Characteristics of DNS
      - 20.1.10. Summary of Recommendations for DNS
    - 20.2. Network Information Service (NIS)
      - 20.2.1. Summary of Recommendations for NIS
    - 20.3. NetBIOS for TCP/IP Name Service and Windows Internet Name Service
      - 20.3.1. Name Resolution Under Windows
      - 20.3.2. NetBIOS Names
      - 20.3.3. NetBT Name Service Operations
        
        20.3.3.1. General principles of NetBT operations
        
        20.3.3.2. Name registration
        
        20.3.3.3. Name refresh
        
        20.3.3.4. Name resolution
        
        20.3.3.5. Name release
        
        20.3.3.6. Conflict management
      - 20.3.4. WINS Server-Server Communication
      - 20.3.5. The WINS Manager
      - 20.3.6. Security Implications of NetBT Name Service and WINS
      - 20.3.7. Packet Filtering Characteristics of NetBT Name Service
      - 20.3.8. Proxying Characteristics of NetBT Name Service and WINS
      - 20.3.9. Network Address Translation Characteristics of NetBT Name Service and WINS
      - 20.3.10. Summary of Recommendations for NetBT Name Service and WINS
    - 20.4. The Windows Browser
      - 20.4.1. Domains and Workgroups
      - 20.4.2. Windows Browser Roles
        
        20.4.2.1. Domain master browser
        
        20.4.2.2. Master browser
        
        20.4.2.3. Backup browsers
        
        20.4.2.4. Potential browsers
        
        20.4.2.5. Browseable server
        
        20.4.2.6. Browser client
      - 20.4.3. Browser Elections
      - 20.4.4. Security Implications of the Windows Browser
      - 20.4.5. Packet Filtering Characteristics of the Windows Browser
      - 20.4.6. Proxying Characteristics of the Windows Browser
      - 20.4.7. Network Address Translation Characteristics of the Windows Browser
      - 20.4.8. Summary of Recommendations for the Windows Browser
    - 20.5. Lightweight Directory Access Protocol (LDAP)
      - 20.5.1. LDAPS
      - 20.5.2. Packet Filtering Characteristics of LDAP
      - 20.5.3. Proxying Characteristics of LDAP
      - 20.5.4. Network Address Translation Characteristics of LDAP
      - 20.5.5. Summary of Recommendations for LDAP
    - 20.6. Active Directory
    - 20.7. Information Lookup Services
      - 20.7.1. finger
        
        20.7.1.1. Packet filtering characteristics of finger
        
        20.7.1.2. Proxying characteristics of finger
        
        20.7.1.3. Network address translation characteristics of finger
        
        20.7.1.4. Summary of recommendations for finger
      - 20.7.2. whois
        
        20.7.2.1. Packet filtering characteristics of whois
        
        20.7.2.2. Proxying characteristics of whois
        
        20.7.2.3. Network address translation characteristics of whois
        
        20.7.2.4. Summary of recommendations for whois
  - 21. Authentication and Auditing Services
    - 21.1. What Is Authentication?
      - 21.1.1. Something You Are
      - 21.1.2. Something You Know
      - 21.1.3. Something You Have
    - 21.2. Passwords
    - 21.3. Authentication Mechanisms
      - 21.3.1. One-Time Password Software
      - 21.3.2. One-Time Password Hardware
    - 21.4. Modular Authentication for Unix
      - 21.4.1. The TIS FWTK Authentication Server
        
        21.4.1.1. Problems with the authentication server
      - 21.4.2. Pluggable Authentication Modules (PAM)
    - 21.5. Kerberos
      - 21.5.1. How It Works
      - 21.5.2. Extending Trust
      - 21.5.3. Packet Filtering Characteristics of Kerberos
      - 21.5.4. Proxying and Network Address Translation Characteristics of Kerberos
      - 21.5.5. Summary of Recommendations for Kerberos
    - 21.6. NTLM Domains
      - 21.6.1. Finding a Domain Controller
      - 21.6.2. The Logon Process
      - 21.6.3. Secure Channel Setup
      - 21.6.4. SMB Authentication
      - 21.6.5. Accessing Other Computers
      - 21.6.6. Alternate Authentication Methods
      - 21.6.7. Controller-to-Controller Communication
      - 21.6.8. The User Manager
      - 21.6.9. Packet Filtering, Proxying, and Network Address Translation Characteristics of NTLM Domain Authentication
      - 21.6.10. Summary of Recommendations for NTLM Domain Authentication
    - 21.7. Remote Authentication Dial-in User Service (RADIUS)
      - 21.7.1. Packet Filtering Characteristics of RADIUS
      - 21.7.2. Proxying Characteristics of RADIUS
      - 21.7.3. Network Address Translation Characteristics of RADIUS
      - 21.7.4. Summary of Recommendations for RADIUS
    - 21.8. TACACS and Friends
      - 21.8.1. Packet Filtering Characteristics of TACACS and Friends
      - 21.8.2. Proxying Characteristics of TACACS and Friends
      - 21.8.3. Network Address Translation Characteristics of TACACS and Friends
      - 21.8.4. Summary of Recommendations for TACACS and Friends
    - 21.9. Auth and identd
      - 21.9.1. Packet Filtering Characteristics of Auth
      - 21.9.2. Proxying Characteristics of Auth
      - 21.9.3. Network Address Translation Characteristics of Auth
      - 21.9.4. Summary of Recommendations for Auth
  - 22. Administrative Services
    - 22.1. System Management Protocols
      - 22.1.1. syslog
        
        22.1.1.1. Packet filtering characteristics of syslog
        
        22.1.1.2. Proxying characteristics of syslog
        
        22.1.1.3. Network address translation and syslog
        
        22.1.1.4. Summary of recommendations for syslog
      - 22.1.2. Simple Network Management Protocol (SNMP)
        
        22.1.2.1. SNMP version 3
        
        22.1.2.2. Packet filtering characteristics of SNMP
        
        22.1.2.3. Proxying characteristics of SNMP
        
        22.1.2.4. Network address translation and SNMP
      - 22.1.3. System Management Server (SMS)
      - 22.1.4. Performance Monitor and Network Monitor
      - 22.1.5. Summary Recommendations for System Management
    - 22.2. Routing Protocols
      - 22.2.1. Routing Information Protocol (RIP)
        
        22.2.1.1. Packet filtering characteristics of RIP
      - 22.2.2. Open Shortest Path First (OSPF)
        
        22.2.2.1. Packet filtering characteristics of OSPF
      - 22.2.3. Internet Group Management Protocol (IGMP)
        
        22.2.3.1. Packet filtering characteristics of IGMP
      - 22.2.4. Router Discovery/ICMP Router Discovery Protocol (IRDP)
        
        22.2.4.1. Packet filtering characteristics of router discovery
      - 22.2.5. Proxying Characteristics of Routing Protocols
      - 22.2.6. Network Address Translation Characteristics of Routing Protocols
      - 22.2.7. Summary of Recommendations for Routing Protocols
    - 22.3. Protocols for Booting and Boot-Time Configuration
      - 22.3.1. bootp
      - 22.3.2. Dynamic Host Configuration Protocol (DHCP)
      - 22.3.3. Packet Filtering Characteristics of DHCP and bootp
      - 22.3.4. Proxying Characteristics of bootp and DHCP
      - 22.3.5. Network Address Translation Characteristics of Booting and Boot-Time Configuration
      - 22.3.6. Summary of Recommendations for Booting and Boot-Time Configuration
    - 22.4. ICMP and Network Diagnostics
      - 22.4.1. ping
        
        22.4.1.1. Packet filtering characteristics of ping
        
        22.4.1.2. Proxying characteristics of ping
        
        22.4.1.3. Network address translation and ping
      - 22.4.2. traceroute
        
        22.4.2.1. Packet filtering characteristics of traceroute
        
        22.4.2.2. Proxying characteristics of traceroute
        
        22.4.2.3. Network address translation and traceroute
      - 22.4.3. Other ICMP Packets
        
        22.4.3.1. Packet filtering characteristics of ICMP
      - 22.4.4. Summary of Recommendations for ICMP
    - 22.5. Network Time Protocol (NTP)
      - 22.5.1. Packet Filtering Characteristics of NTP
      - 22.5.2. Proxying Characteristics of NTP
      - 22.5.3. Network Address Translation Characteristics of NTP
      - 22.5.4. Configuring NTP to Work with a Firewall
      - 22.5.5. Summary of Recommendations for NTP
    - 22.6. File Synchronization
      - 22.6.1. rdist
      - 22.6.2. rsync
        
        22.6.2.1. Packet filtering characteristics of rsync
        
        22.6.2.2. Proxying characteristics of rsync
        
        22.6.2.3. Network address translation characteristics of rsync
      - 22.6.3. Windows NT Directory Replication
      - 22.6.4. Windows 2000 File Replication Service (FRS)
      - 22.6.5. Summary of Recommendations for File Synchronization
    - 22.7. Mostly Harmless Protocols
      - 22.7.1. Packet Filtering Characteristics of Mostly Harmless Protocols
      - 22.7.2. Proxying Characteristics of Mostly Harmless Protocols
      - 22.7.3. Network Address Translation Characteristics of Mostly Harmless Protocols
      - 22.7.4. Summary Recommendations for Mostly Harmless Protocols
  - 23. Databases and Games
    - 23.1. Databases
      - 23.1.1. Locating Database Servers
        
        23.1.1.1. Putting both the web server and the database on the perimeter network
        
        23.1.1.2. Putting both the web server and the database on the internal network
        
        23.1.1.3. Using the database's protocols to connect to a perimeter web server
        
        23.1.1.4. Using a custom protocol to connect to a perimeter web server
      - 23.1.2. Open Database Connectivity (ODBC) and Java Database Connectivity ( JDBC)
      - 23.1.3. Oracle SQL*Net and Net8
        
        23.1.3.1. Security implications of SQL*Net and Net8
        
        23.1.3.2. Packet filtering characteristics of SQL*Net and Net8
        
        23.1.3.3. Proxying characteristics of SQL*Net and Net8
        
        23.1.3.4. Network address translation characteristics of SQL*Net and Net8
        
        23.1.3.5. Summary of recommendations for SQL*Net and Net8
      - 23.1.4. Tabular Data Stream (TDS)
      - 23.1.5. Sybase
        
        23.1.5.1. Packet filtering characteristics of Sybase
        
        23.1.5.2. Proxying characteristics of Sybase
        
        23.1.5.3. Network address translation characteristics of Sybase
        
        23.1.5.4. Summary of recommendations for Sybase
      - 23.1.6. Microsoft SQL Server
        
        23.1.6.1. Packet filtering characteristics of Microsoft SQL Server
        
        23.1.6.2. Proxying characteristics of Microsoft SQL Server
        
        23.1.6.3. Network address translation and Microsoft SQL Server
        
        23.1.6.4. Summary of recommendations for Microsoft SQL Server
    - 23.2. Games
      - 23.2.1. Quake
      - 23.2.2. Summary of Recommendations for Games
  - 24. Two Sample Firewalls
    - 24.1. Screened Subnet Architecture
      - 24.1.1. Service Configuration
        
        24.1.1.1. HTTP and HTTPS
        
        24.1.1.2. SMTP
        
        24.1.1.3. Telnet
        
        24.1.1.4. SSH
        
        24.1.1.5. FTP
        
        24.1.1.6. NNTP
        
        24.1.1.7. DNS
      - 24.1.2. Packet Filtering Rules
        
        24.1.2.1. Interior router
        
        24.1.2.2. Exterior router
      - 24.1.3. Other Configuration Work
      - 24.1.4. Analysis
        
        24.1.4.1. Least privilege
        
        24.1.4.2. Defense in depth
        
        24.1.4.3. Choke point
        
        24.1.4.4. Weakest link
        
        24.1.4.5. Fail-safe stance
        
        24.1.4.6. Universal participation
        
        24.1.4.7. Diversity of defense
        
        24.1.4.8. Simplicity
      - 24.1.5. Conclusions
    - 24.2. Merged Routers and Bastion Host Using General-Purpose Hardware
      - 24.2.1. Service Configuration
        
        24.2.1.1. HTTP and HTTPS
        
        24.2.1.2. SMTP
        
        24.2.1.3. Telnet
        
        24.2.1.4. SSH
        
        24.2.1.5. FTP
        
        24.2.1.6. NNTP
        
        24.2.1.7. DNS
      - 24.2.2. Packet Filtering Rules
      - 24.2.3. Other Configuration Work
      - 24.2.4. Analysis
        
        24.2.4.1. Least privilege
        
        24.2.4.2. Defense in depth
        
        24.2.4.3. Choke point
        
        24.2.4.4. Weakest link
        
        24.2.4.5. Fail-safe stance
        
        24.2.4.6. Universal participation
        
        24.2.4.7. Diversity of defense
        
        24.2.4.8. Simplicity
      - 24.2.5. Conclusions
- IV. Keeping Your Site Secure
  - 25. Security Policies
    - 25.1. Your Security Policy
      - 25.1.1. What Should a Security Policy Contain?
        
        25.1.1.1. Explanations
        
        25.1.1.2. Everybody's responsibilities
        
        25.1.1.3. Regular language
        
        25.1.1.4. Enforcement authority
        
        25.1.1.5. Provision for exceptions
        
        25.1.1.6. Provision for reviews
        
        25.1.1.7. Discussion of specific security issues
      - 25.1.2. What Should a Security Policy Not Contain?
        
        25.1.2.1. Technical details
        
        25.1.2.2. Somebody else's problems
        
        25.1.2.3. Problems that aren't computer security problems
    - 25.2. Putting Together a Security Policy
      - 25.2.1. What Is Your Security Policy?
      - 25.2.2. What Is Your Site's Security Policy?
      - 25.2.3. External Factors That Influence Security Policies
    - 25.3. Getting Strategic and Policy Decisions Made
      - 25.3.1. Enlist Allies
      - 25.3.2. Involve Everybody Who's Affected
      - 25.3.3. Accept "Wrong" Decisions
      - 25.3.4. Present Risks and Benefits in Different Ways for Different People
      - 25.3.5. Avoid Surprises
      - 25.3.6. Condense to Important Decisions, with Implications
      - 25.3.7. Justify Everything Else in Terms of Those Decisions
      - 25.3.8. Emphasize that Many Issues Are Management and Personnel Issues, not Technical Issues
      - 25.3.9. Don't Assume That Anything Is Obvious
    - 25.4. What If You Can't Get a Security Policy?
  - 26. Maintaining Firewalls
    - 26.1. Housekeeping
      - 26.1.1. Backing Up Your Firewall
      - 26.1.2. Managing Your Accounts
      - 26.1.3. Managing Your Disk Space
    - 26.2. Monitoring Your System
      - 26.2.1. Special-Purpose Monitoring Devices
      - 26.2.2. Intrusion Detection Systems
      - 26.2.3. What Should You Watch For?
      - 26.2.4. The Good, the Bad, and the Ugly
      - 26.2.5. Responding to Probes
      - 26.2.6. Responding to Attacks
    - 26.3. Keeping up to Date
      - 26.3.1. Keeping Yourself up to Date
        
        26.3.1.1. Mailing lists
        
        26.3.1.2. Newsgroups
        
        26.3.1.3. Web sites
        
        26.3.1.4. Professional forums
      - 26.3.2. Keeping Your Systems up to Date
    - 26.4. How Long Does It Take?
    - 26.5. When Should You Start Over?
  - 27. Responding to Security Incidents
    - 27.1. Responding to an Incident
      - 27.1.1. Evaluate the Situation
      - 27.1.2. Start Documenting
      - 27.1.3. Disconnect or Shut Down, as Appropriate
      - 27.1.4. Analyze and Respond
      - 27.1.5. Make "Incident in Progress" Notifications
        
        27.1.5.1. Your own organization
        
        27.1.5.2. CERT-CC or other incident response teams
        
        27.1.5.3. Vendors and service providers
        
        27.1.5.4. Other sites
      - 27.1.6. Snapshot the System
      - 27.1.7. Restore and Recover
      - 27.1.8. Document the Incident
    - 27.2. What to Do After an Incident
    - 27.3. Pursuing and Capturing the Intruder
    - 27.4. Planning Your Response
      - 27.4.1. Planning for Detection
      - 27.4.2. Planning for Evaluation of the Incident
      - 27.4.3. Planning for Disconnecting or Shutting Down Machines
      - 27.4.4. Planning for Notification of People Who Need to Know
        
        27.4.4.1. Your own organization
        
        27.4.4.2. CERT-CC and other incident response teams
        
        27.4.4.3. Vendors and service providers
        
        27.4.4.4. Other sites
      - 27.4.5. Planning for Snapshots
      - 27.4.6. Planning for Restoration and Recovery
      - 27.4.7. Planning for Documentation
      - 27.4.8. Periodic Review of Plans
    - 27.5. Being Prepared
      - 27.5.1. Backing Up Your Filesystems
      - 27.5.2. Labeling and Diagramming Your System
      - 27.5.3. Keeping Secured Checksums
      - 27.5.4. Keeping Activity Logs
      - 27.5.5. Keeping a Cache of Tools and Supplies
      - 27.5.6. Testing the Reload of the Operating System
      - 27.5.7. Doing Drills
- V. Appendixes
  - A. Resources
    - A.1. Web Pages
      - A.1.1. Telstra
      - A.1.2. CERIAS
      - A.1.3. The Linux Documentation Project
      - A.1.4. The Linux Router Project
    - A.2. FTP Sites
      - A.2.1. cerias.purdue.edu
      - A.2.2. info.cert.org
    - A.3. Mailing Lists
      - A.3.1. Firewalls
      - A.3.2. Firewall Wizards
      - A.3.3. FWTK-USERS
      - A.3.4. BugTraq
      - A.3.5. NTBugTraq
      - A.3.6. CERT-Advisory
      - A.3.7. RISKS
    - A.4. Newsgroups
    - A.5. Response Teams
      - A.5.1. CERT-CC
      - A.5.2. FIRST
      - A.5.3. NIST CSRC
    - A.6. Other Organizations
      - A.6.1. Internet Engineering Task Force (IETF)
      - A.6.2. World Wide Web Consortium (W3C)
      - A.6.3. USENIX Association
      - A.6.4. System Administrators Guild (SAGE)
      - A.6.5. System Administration, Networking, and Security (SANS) Institute
    - A.7. Conferences
      - A.7.1. USENIX Association Conferences
        
        A.7.1.1. USENIX Unix Security Symposium
        
        A.7.1.2. USENIX System Administration (LISA) Conference
        
        A.7.1.3. USENIX Large Installation System Administration of Windows NT (LISA-NT) Conference
        
        A.7.1.4. USENIX Technical Conferences
      - A.7.2. Unix System Administration, Networking, and Security (SANS) Conference
      - A.7.3. Internet Society Symposium on Network and Distributed System Security (SNDSS)
    - A.8. Papers
    - A.9. Books
  - B. Tools
    - B.1. Authentication Tools
      - B.1.1. TIS Internet Firewall Toolkit (FWTK)
      - B.1.2. Kerberos
    - B.2. Analysis Tools
      - B.2.1. COPS
      - B.2.2. Tiger
      - B.2.3. Tripwire
      - B.2.4. SATAN
      - B.2.5. SAINT
    - B.3. Packet Filtering Tools
      - B.3.1. ipfilter
    - B.4. Proxy Systems Tools
      - B.4.1. TIS Internet Firewall Toolkit (FWTK)
      - B.4.2. SOCKS
      - B.4.3. UDP Packet Relayer
      - B.4.4. tircproxy
    - B.5. Daemons
      - B.5.1. wuarchive ftpd
      - B.5.2. GateD
      - B.5.3. Zebra
      - B.5.4. Postfix
      - B.5.5. qmail
      - B.5.6. smail
      - B.5.7. portmap
      - B.5.8. Andrew File System (AFS)
      - B.5.9. rsync
      - B.5.10. Samba
      - B.5.11. ssh
      - B.5.12. BO2K
      - B.5.13. mIRC
    - B.6. Utilities
      - B.6.1. TIS Internet Firewall Toolkit (FWTK)
      - B.6.2. TCP Wrapper
      - B.6.3. chrootuid
      - B.6.4. inzider
      - B.6.5. MRTG
      - B.6.6. NOCOL
      - B.6.7. NetCat
      - B.6.8. NetSaint
      - B.6.9. PGP
      - B.6.10. trimlog
      - B.6.11. AntiSniff
      - B.6.12. tcpdump
  - C. Cryptography
    - C.1. What Are You Protecting and Why?
    - C.2. Key Components of Cryptographic Systems
      - C.2.1. Encryption
        
        C.2.1.1. Kinds of encryption algorithms
        
        C.2.1.2. Encryption algorithms and key length
      - C.2.2. Cryptographic Hashes, Checksums, and Message Digests
      - C.2.3. Integrity Protection
      - C.2.4. Random Numbers
    - C.3. Combined Cryptography
      - C.3.1. Digital Signatures
      - C.3.2. Certificates
      - C.3.3. Certificate Trust Models
      - C.3.4. Key Distribution and Exchange
    - C.4. What Makes a Protocol Secure?
      - C.4.1. Selecting an Algorithm
      - C.4.2. Mutual Authentication
      - C.4.3. Sharing a Secret
      - C.4.4. Identifying Altered Messages
      - C.4.5. Destroying the Shared Secret
    - C.5. Information About Algorithms
      - C.5.1. Encryption Algorithms
      - C.5.2. Digital Signature Algorithms
      - C.5.3. Cryptographic Hashes and Message Digests
      - C.5.4. Key Exchange
      - C.5.5. Key Sizes and Strength
      - C.5.6. Evaluating Other Algorithms
- Index
- About the Authors
- Colophon
- SPECIAL OFFER: Upgrade this ebook with OReilly