Building Internet Firewalls, 2nd Edition by Elizabeth D. Zwicky, Simon Cooper & D. Brent Chapman The unconfirmed error reports are from readers. They have not yet been approved or disproved by the author or editor and represent solely the opinion of the reader. If you have technical questions or error reports, you can send them to booktech@oreilly.com. Please specify the printing date of your copy. This page was last modified on August 20, 2002. Here's a key to the markup: [page-number]: serious technical mistake {page-number}: minor technical mistake : important language/formatting problem (page-number): language change or minor formatting problem ?page-number?: reader question or request for clarification UNCONFIRMED errors: (xvi) In the second sentence of the paragraph under "Information technology managers and users," "you should read Part III" should instead read "you should read Part IV." {46} 7th paragraph, continuing to page 47 first paragraph; AppleShare can authenticate with several methods. Apple's default authentication method uses challenge-response which is *not* vulnerable to password capture. Many Unix AppleShare servers use clear-text password authentication which *are* vulnerable to password capture. See "Inside AppleTalk" for details. {57} Time Service section; In many /etc/services files the following entries exist: time 37/tcp timserver time 37/udp timserver There's no mention of this port/service in either the Time Service section or under the NTP section. I've encountered a problem through a firewall where time 37/tcp is being blocked, because the source port range is (apparently) incorrect. Adding some discussion on the time service and how it should be used through the firewall would be helpful. (208) Figure 8-7; Arrow (1) is labelled "Port 5051" but should be "Port 5151" instead. (214) 6th Paragraph; There's a space needed between the last sentence in paragraph 6 and the previous sentence. [216] 4th bullet under "What Rules Should You Use?"; There are serious omissions in the discussion of denying all traffic with invalid source addresses. No mention is made of filtering source addresses using the IANA reserved networks, the loopback address, or link local addresses. This is all best practice that resulted from the February 2000 DDoS attacks. A link to the IANA network assignments can be included in Appendix A. There also doesn't seem to be any mention of making sure that ip directed broadcast conversion to link level broadcast is disabled on all filtering router interfaces. {326} 3rd full paragraph (under Hijacking heading); The phrase "unpredictable sequence numbers" would be technically more correct if written as "unpredictable initial sequence numbers". It appears twice in the paragraph. The corresponding section in Chapter 4 is correct. [454] somewhere in this section; Need coverage of AppleShare over TCP/IP, which has millions of clients and potential servers shipped. {495} last paragraph; Note that rexec often is used to start X-windows sessions - that's why it's widely deployed on Unix servers. Major PC and Macintosh based X-windows "servers" can use any of rsh, rexec, or xdmcp for authentication(!) and session startup. Each method has serious security concerns and different firewall implications. {522} 3rd paragraph; The text mentions that mIRC is available for most UNIX variants, but it's not. Actually it's a Windows client and not available for anything else but Windows (16 and 32-bits). You can check it yourself at www.mirc.com. Another thing I want to note regarding IRC-servers: the text says most IRC servers are independent. There are indeed many independent servers out there, but the ones that are most popular are the ones that are not independent, but are grouped into IRC networks. Soms popular IRC networks include DalNet, Undernet and EFNet. Each of those networks consist of a few dozen interconnected IRC servers all over the world. As an example see this page: http://www.undernet.org/servers.php In my opinion, as an long time IRC user, the risks of IRC are: - being tricked into receiving unsafe scripts and executables (trojans) through DCC and running those - making your IP address visible to hackers who love to port scan your machine and trying all kinds of attacks. {615} The first paragraph under "NTLM Domains" states that "It is not clear exactly what 'NTLM' stands for, although presumably it's something like 'NT Logon Manager'. "NTLM" stands for "NT LAN Manger", a hold over from the earilest days of NT. [Parts of NT evolved out of old (ancient?) Microsoft LAN Manger technology.] [639] "Open Shortest Path First (OSPF)": You say: "However, the cryptographic message digest algorithm is not specified by the standard, so in practice OSPF authentication is restricted to eight-character passwords or the same degree of authentication as RIP-2." That has been wrong for several years now, both in the first clause (theory) and in the second clause (practice). Taking them piece-wise, RFC 2178 was published as an IETF standards-track RFC in 1997 and specified the cryptographic message digest algorithm in Appendix D.3 (p 194+) which IS a full component of the OSPF standard. So it has been fully specified in the base OSPF standard. Cisco implemented and shipped OSPF with MD5 in IOS in 1996, prior to publication of RFC 2178 (though it implements that specification). All other major router vendors have supported it for at least a couple of years now. So in practice, OSPF MD5 authentication is WIDELY DEPLOYED operationally by ISPs and major corporations. For example @Home had deployed it nationwide by end of 1997 in its network. [711] Table, HTTP-3 and HTTP-4 rows; Please verify if Source-Address and Dest.Address are inverted. (815) COPS / TIGER; COPS and TIGER have been moved to http://ftp.cerias.purdue.edu/pub/tools/unix/scanners/