Preface

Part I: Network Security

  Chapter 1: Why Internet Firewalls?
    What Are You Trying to Protect?
    What Are You Trying to Protect Against?
    Who Do You Trust?
    How Can You Protect Your Site?
    What Is an Internet Firewall?
    Religious Arguments

  Chapter 2: Internet Services
    Secure Services and Safe Services
    The World Wide Web
    Electronic Mail and News
    File Transfer, File Sharing, and Printing
    Remote Access
    Real-Time Conferencing Services
    Naming and Directory Services
    Authentication and Auditing Services
    Administrative Services
    Databases
    Games

  Chapter 3: Security Strategies
    Least Privilege
    Defense in Depth
    Choke Point
    Weakest Link
    Fail-Safe Stance
    Universal Participation
    Diversity of Defense
    Simplicity
    Security Through Obscurity

Part II: Building Firewalls

  Chapter 4: Packets and Protocols
    What Does a Packet Look Like?
    IP
    Protocols Above IP
    Protocols Below IP
    Application Layer Protocols
    IP Version 6
    Non-IP Protocols
    Attacks Based on Low-Level Protocol Details

  Chapter 5: Firewall Technologies
    Some Firewall Definitions
    Packet Filtering
    Proxy Services
    Network Address Translation
    Virtual Private Networks

  Chapter 6: Firewall Architectures
    Single-Box Architectures
    Screened Host Architectures
    Screened Subnet Architectures
    Architectures with Multiple Screened Subnets
    Variations on Firewall Architectures
    Terminal Servers and Modem Pools
    Internal Firewalls

  Chapter 7: Firewall Design
    Define Your Needs
    Evaluate the Available Products
    Put Everything Together

  Chapter 8: Packet Filtering
    What Can You Do with Packet Filtering?
    Configuring a Packet Filtering Router
    What Does the Router Do with Packets?
    Packet Filtering Tips and Tricks
    Conventions for Packet Filtering Rules
    Filtering by Address
    Filtering by Service
    Choosing a Packet Filtering Router
    Packet Filtering Implementations for General-Purpose Computers
    Where to Do Packet Filtering
    What Rules Should You Use?
    Putting It All Together

  Chapter 9: Proxy Systems
    Why Proxying?
    How Proxying Works
    Proxy Server Terminology
    Proxying Without a Proxy Server
    Using SOCKS for Proxying
    Using the TIS Internet Firewall Toolkit for Proxying
    Using Microsoft Proxy Server
    What If You Can't Proxy?

  Chapter 10: Bastion Hosts
    General Principles
    Special Kinds of Bastion Hosts
    Choosing a Machine
    Choosing a Physical Location
    Locating Bastion Hosts on the Network
    Selecting Services Provided by a Bastion Host
    Disabling User Accounts on Bastion Hosts
    Building a Bastion Host
    Securing the Machine
    Disabling Nonrequired Services
    Operating the Bastion Host
    Protecting the Machine and Backups

  Chapter 11: Unix and Linux Bastion Hosts
    Which Version of Unix?
    Securing Unix
    Disabling Nonrequired Services
    Installing and Modifying Services
    Reconfiguring for Production
    Running a Security Audit

  Chapter 12: Windows NT and Windows 2000 Bastion Hosts
    Approaches to Building Windows NT Bastion Hosts
    Which Version of Windows NT?
    Securing Windows NT
    Disabling Nonrequired Services
    Installing and Modifying Services

Part III: Internet Services

  Chapter 13: Internet Services and Firewalls
    Attacks Against Internet Services
    Evaluating the Risks of a Service
    Analyzing Other Protocols
    What Makes a Good Firewalled Service?
    Choosing Security-Critical Programs
    Controlling Unsafe Configurations

  Chapter 14: Intermediary Protocols
    Remote Procedure Call (RPC)
    Distributed Component Object Model (DCOM)
    NetBIOS over TCP/IP (NetBT)
    Common Internet File System (CIFS) and Server Message Block (SMB)
    Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
    ToolTalk
    Transport Layer Security (TLS) and Secure Socket Layer (SSL)
    The Generic Security Services API (GSSAPI)
    IPsec
    Remote Access Service (RAS)
    Point-to-Point Tunneling Protocol (PPTP)
    Layer 2 Transport Protocol (L2TP)

  Chapter 15: The World Wide Web
    HTTP Server Security
    HTTP Client Security
    HTTP
    Mobile Code and Web-Related Languages
    Cache Communication Protocols
    Push Technologies
    RealAudio and RealVideo
    Gopher and WAIS

  Chapter 16: Electronic Mail and News
    Electronic Mail
    Simple Mail Transfer Protocol (SMTP)
    Other Mail Transfer Protocols
    Microsoft Exchange
    Lotus Notes and Domino
    Post Office Protocol (POP)
    Internet Message Access Protocol (IMAP)
    Microsoft Messaging API (MAPI)
    Network News Transfer Protocol (NNTP)

  Chapter 17: File Transfer, File Sharing, and Printing
    File Transfer Protocol (FTP)
    Trivial File Transfer Protocol (TFTP)
    Network File System (NFS)
    File Sharing for Microsoft Networks
    Summary of Recommendations for File Sharing
    Printing Protocols
    Related Protocols

  Chapter 18: Remote Access to Hosts
    Terminal Access (Telnet)
    Remote Command Execution
    Remote Graphical Interfaces

  Chapter 19: Real-Time Conferencing Services
    Internet Relay Chat (IRC)
    ICQ
    Talk
    Multimedia Protocols
    NetMeeting
    Multicast and the Multicast Backbone (MBONE)

  Chapter 20: Naming and Directory Services
    Domain Name System (DNS)
    Network Information Service (NIS)
    NetBIOS for TCP/IP Name Service and Windows Internet Name Service
    The Windows Browser
    Lightweight Directory Access Protocol (LDAP)
    Active Directory
    Information Lookup Services

  Chapter 21: Authentication and Auditing Services
    What Is Authentication?
    Passwords
    Authentication Mechanisms
    Modular Authentication for Unix
    Kerberos
    NTLM Domains
    Remote Authentication Dial-in User Service (RADIUS)
    TACACS and Friends
    Auth and identd

  Chapter 22: Administrative Services
    System Management Protocols
    Routing Protocols
    Protocols for Booting and Boot-Time Configuration
    ICMP and Network Diagnostics
    Network Time Protocol (NTP)
    File Synchronization
    Mostly Harmless Protocols

  Chapter 23: Databases and Games
    Databases
    Games

  Chapter 24: Two Sample Firewalls
    Screened Subnet Architecture
    Merged Routers and Bastion Host Using General-Purpose Hardware

Part IV: Keeping Your Site Secure

  Chapter 25: Security Policies
    Your Security Policy
    Putting Together a Security Policy
    Getting Strategic and Policy Decisions Made
    What If You Can't Get a Security Policy?

  Chapter 26: Maintaining Firewalls
    Housekeeping
    Monitoring Your System
    Keeping up to Date
    How Long Does It Take?
    When Should You Start Over?

  Chapter 27: Responding to Security Incidents
    Responding to an Incident
    What to Do After an Incident
    Pursuing and Capturing the Intruder
    Planning Your Response
    Being Prepared

Part V: Appendixes

  Appendix A: Resources

  Appendix B: Tools

  Appendix C: Cryptography

Index