book

Building Internet Firewalls, 2nd Edition

by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman

June 2000

Intermediate to advanced

894 pages

30h 54m

English

O'Reilly Media, Inc.

Read now

Unlock full access

Preface
Scope of This BookAudiencePlatformsProductsExamplesConventions Used in This BookComments and QuestionsAcknowledgments for the Second EditionAcknowledgments for the First Edition
I. Network Security
1. Why Internet Firewalls?
1.1. What Are You Trying to Protect?1.1.1. Your Data1.1.2. Your Resources1.1.3. Your Reputation1.2. What Are You Trying to Protect Against?1.2.1. Types of Attacks1.2.1.1. Intrusion1.2.1.2. Denial of service1.2.1.3. Information theft1.2.2. Types of Attackers1.2.2.1. Joyriders1.2.2.2. Vandals1.2.2.3. Scorekeepers1.2.2.4. Spies (industrial and otherwise)1.2.3. Stupidity and Accidents1.2.4. Theoretical Attacks1.3. Who Do You Trust?1.4. How Can You Protect Your Site?1.4.1. No Security1.4.2. Security Through Obscurity1.4.3. Host Security1.4.4. Network Security1.4.5. No Security Model Can Do It All1.5. What Is an Internet Firewall?1.5.1. What Can a Firewall Do?1.5.1.1. A firewall is a focus for security decisions1.5.1.2. A firewall can enforce a security policy1.5.1.3. A firewall can log Internet activity efficiently1.5.1.4. A firewall limits your exposure1.5.2. What Can’t a Firewall Do?1.5.2.1. A firewall can’t protect you against malicious insiders1.5.2.2. A firewall can’t protect you against connections that don’t go through it1.5.2.3. A firewall can’t protect against completely new threats1.5.2.4. A firewall can’t fully protect against viruses1.5.2.5. A firewall can’t set itself up correctly1.5.3. What’s Wrong with Firewalls?1.5.3.1. Firewalls interfere with the Internet1.5.3.2. Firewalls don’t deal with the real problem1.6. Religious Arguments1.6.1. Buying Versus Building1.6.2. Unix Versus Windows NT1.6.3. That’s Not a Firewall!
2. Internet Services
2.1. Secure Services and Safe Services2.2. The World Wide Web2.2.1. Web Client Security Issues2.2.2. Web Server Security Issues2.3. Electronic Mail and News2.3.1. Electronic Mail2.3.2. Usenet News2.4. File Transfer, File Sharing, and Printing2.4.1. File Transfer2.4.2. File Sharing2.4.3. Printing Systems2.5. Remote Access2.5.1. Remote Terminal Access and Command Execution2.5.2. Remote Graphic Interfaces for Microsoft Operating Systems2.5.3. Network Window Systems2.6. Real-Time Conferencing Services2.7. Naming and Directory Services2.8. Authentication and Auditing Services2.9. Administrative Services2.9.1. System Management2.9.2. Routing2.9.3. Network Diagnostics2.9.4. Time Service2.10. Databases2.11. Games
3. Security Strategies
3.1. Least Privilege3.2. Defense in Depth3.3. Choke Point3.4. Weakest Link3.5. Fail-Safe Stance3.5.1. Default Deny Stance: That Which Is Not Expressly Permitted Is Prohibited3.5.2. Default Permit Stance: That Which Is Not Expressly Prohibited Is Permitted3.6. Universal Participation3.7. Diversity of Defense3.7.1. Inherent Weaknesses3.7.2. Common Configuration3.7.3. Common Heritage3.7.4. Skin-Deep Differences3.7.5. Conclusion3.8. Simplicity3.9. Security Through Obscurity
II. Building Firewalls
4. Packets and Protocols
4.1. What Does a Packet Look Like?4.1.1. TCP/IP/Ethernet Example4.1.1.1. Ethernet layer4.1.1.2. IP layer4.1.1.3. TCP layer4.2. IP4.2.1. IP Multicast and Broadcast4.2.2. IP Options4.2.3. IP Fragmentation4.3. Protocols Above IP4.3.1. TCP4.3.1.1. TCP options4.3.1.2. TCP sequence numbers4.3.2. UDP4.3.3. ICMP4.3.4. IP over IP and GRE4.4. Protocols Below IP4.5. Application Layer Protocols4.6. IP Version 64.7. Non-IP Protocols4.8. Attacks Based on Low-Level Protocol Details4.8.1. Port Scanning4.8.2. Implementation Weaknesses4.8.3. IP Spoofing4.8.3.1. The attacker can intercept the reply4.8.3.2. The attacker doesn’t need to see the reply4.8.3.3. The attacker doesn’t want the reply4.8.4. Packet Interception
5. Firewall Technologies
5.1. Some Firewall Definitions5.2. Packet Filtering5.2.1. Advantages of Packet Filtering5.2.1.1. One screening router can help protect an entire network5.2.1.2. Simple packet filtering is extremely efficient5.2.1.3. Packet filtering is widely available5.2.2. Disadvantages of Packet Filtering5.2.2.1. Current filtering tools are not perfect5.2.2.2. Packet filtering reduces router performance5.2.2.3. Some policies can’t readily be enforced by normal packet filtering routers5.3. Proxy Services5.3.1. Advantages of Proxying5.3.1.1. Proxy services can be good at logging5.3.1.2. Proxy services can provide caching5.3.1.3. Proxy services can do intelligent filtering5.3.1.4. Proxy systems can perform user-level authentication5.3.1.5. Proxy systems automatically provide protection for weak or faulty IP implementations5.3.2. Disadvantages of Proxying5.3.2.1. Proxy services lag behind nonproxied services5.3.2.2. Proxy services may require different servers for each service5.3.2.3. Proxy services usually require modifications to clients, applications, or procedures5.4. Network Address Translation5.4.1. Advantages of Network Address Translation5.4.1.1. Network address translation helps to enforce the firewall’s control over outbound connections5.4.1.2. Network address translation can help restrict incoming traffic5.4.1.3. Network address translation helps to conceal the internal network’s configuration5.4.2. Disadvantages of Network Address Translation5.4.2.1. Dynamic allocation requires state information that is not always available5.4.2.2. Embedded IP addresses are a problem for network address translation5.4.2.3. Network address translation interferes with some encryption and authentication systems5.4.2.4. Dynamic allocation of addresses interferes with logging5.4.2.5. Dynamic allocation of ports may interfere with packet filtering5.5. Virtual Private Networks5.5.1. Where Do You Encrypt?5.5.2. Key Distribution and Certificates5.5.3. Advantages of Virtual Private Networks5.5.3.1. Virtual private networks provide overall encryption5.5.3.2. Virtual private networks allow you to remotely use protocols that are difficult to secure any other way5.5.4. Disadvantages of Virtual Private Networks5.5.4.1. Virtual private networks involve dangerous network connections5.5.4.2. Virtual private networks extend the network you must protect
6. Firewall Architectures
6.1. Single-Box Architectures6.1.1. Screening Router6.1.1.1. Appropriate uses6.1.2. Dual-Homed Host6.1.2.1. Appropriate uses6.1.3. Multiple-Purpose Boxes6.1.3.1. Appropriate uses6.2. Screened Host Architectures6.2.1. Appropriate Uses6.3. Screened Subnet Architectures6.3.1. Perimeter Network6.3.2. Bastion Host6.3.3. Interior Router6.3.4. Exterior Router6.3.5. Appropriate Uses6.4. Architectures with Multiple Screened Subnets6.4.1. Split-Screened Subnet6.4.1.1. Appropriate uses6.4.2. Independent Screened Subnets6.4.2.1. Appropriate uses6.5. Variations on Firewall Architectures6.5.1. It’s OK to Use Multiple Bastion Hosts6.5.2. It’s OK to Merge the Interior Router and the Exterior Router6.5.3. It’s OK to Merge the Bastion Host and the Exterior Router6.5.4. It’s Dangerous to Merge the Bastion Host and the Interior Router6.5.5. It’s Dangerous to Use Multiple Interior Routers6.5.6. It’s OK to Use Multiple Exterior Routers6.5.7. It’s Dangerous to Use Both Screened Subnets and Screened Hosts6.6. Terminal Servers and Modem Pools6.7. Internal Firewalls6.7.1. Laboratory Networks6.7.2. Insecure Networks6.7.3. Extra-Secure Networks6.7.4. Joint Venture Firewalls6.7.5. A Shared Perimeter Network Allows an “Arms-Length"Relationship6.7.6. An Internal Firewall May or May Not Need Bastion Hosts
7. Firewall Design
7.1. Define Your Needs7.1.1. What Will the Firewall Actually Do?7.1.1.1. What services do you need to offer?7.1.1.2. How secure do you need to be?7.1.1.3. How much usage will there be?7.1.1.4. How much reliability do you need?7.1.2. What Are Your Constraints?7.1.2.1. What budget do you have available?7.1.2.2. What personnel do you have available?7.1.2.3. What is your environment like?7.2. Evaluate the Available Products7.2.1. Scalability7.2.2. Reliability and Redundancy7.2.3. Auditability7.2.4. Price7.2.5. Management and Configuration7.2.6. Adaptability7.2.7. Appropriateness7.3. Put Everything Together7.3.1. Where will logs go, and how?7.3.1.1. How will you back up the system?7.3.1.2. What support services does the system require?7.3.1.3. How will you access the machines?7.3.1.4. Where will routine reports go, and how?7.3.1.5. Where will alarms go, and how?

8. Packet Filtering
8.1. What Can You Do with Packet Filtering?8.1.1. Basic Packet Filtering8.1.2. Stateful or Dynamic Packet Filtering8.1.3. Protocol Checking8.2. Configuring a Packet Filtering Router8.2.1. Protocols Are Usually Bidirectional8.2.2. Be Careful of “Inbound” Versus “Outbound” Semantics8.2.3. Default Permit Versus Default Deny8.3. What Does the Router Do with Packets?8.3.1. Logging Actions8.3.2. Returning Error Codes8.3.3. Making Changes8.4. Packet Filtering Tips and Tricks8.4.1. Edit Your Filtering Rules Offline8.4.2. Reload Rule Sets from Scratch Each Time8.4.3. Replace Packet Filters Atomically8.4.4. Always Use IP Addresses, Never Hostnames8.4.5. Password Protect Your Packet Filters8.4.6. If Possible, Use Named Access Lists8.5. Conventions for Packet Filtering Rules8.6. Filtering by Address8.6.1. Risks of Filtering by Source Address8.7. Filtering by Service8.7.1. Outbound Telnet Service8.7.2. Inbound Telnet Service8.7.3. Telnet Summary8.7.4. Risks of Filtering by Source Port8.8. Choosing a Packet Filtering Router8.8.1. It Should Have Good Enough Packet Filtering Performance for Your Needs8.8.2. It Can Be a Single-Purpose Router or a General-Purpose Computer8.8.3. It Should Allow Simple Specification of Rules8.8.4. It Should Allow Rules Based on Any Header or Meta-Packet Criteria8.8.5. It Should Apply Rules in the Order Specified8.8.5.1. If the rules are applied in the order ABC8.8.5.2. If the rules are applied in the order BAC8.8.5.3. Rule B is actually not necessary8.8.5.4. Packet filtering rules are tricky8.8.6. It Should Apply Rules Separately to Incoming and Outgoing Packets, on a Per-Interface Basis8.8.7. It Should Be Able to Log Accepted and Dropped Packets8.8.8. It Should Have Good Testing and Validation Capabilities8.9. Packet Filtering Implementations for General-Purpose Computers8.9.1. Linux ipchains and Masquerading8.9.1.1. ipchains8.9.1.2. Testing ipchains rules8.9.1.3. Masquerading8.9.1.4. How masquerading works8.9.1.5. Available specialized masquerading modules8.9.1.6. Using ipchains (including masquerading)8.9.2. ipfilter8.9.3. Comparing ipfilter and ipchains8.9.4. Linux netfilter8.9.5. Windows NT Packet Filtering8.10. Where to Do Packet Filtering8.11. What Rules Should You Use?8.12. Putting It All Together
9. Proxy Systems
9.1. Why Proxying?9.2. How Proxying Works9.2.1. Using Proxy-Aware Application Software for Proxying9.2.2. Using Proxy-Aware Operating System Software9.2.3. Using Proxy-Aware User Procedures for Proxying9.2.4. Using a Proxy-Aware Router9.3. Proxy Server Terminology9.3.1. Application-Level Versus Circuit-Level Proxies9.3.2. Generic Versus Dedicated Proxies9.3.3. Intelligent Proxy Servers9.4. Proxying Without a Proxy Server9.5. Using SOCKS for Proxying9.5.1. Versions of SOCKS9.5.2. SOCKS Features9.5.3. SOCKS Components9.5.4. Converting Clients to Use SOCKS9.6. Using the TIS Internet Firewall Toolkit for Proxying9.6.1. FTP Proxying with TIS FWTK9.6.2. Telnet and rlogin Proxying with TIS FWTK9.6.3. Generic Proxying with TIS FWTK9.6.4. Other TIS FWTK Proxies9.7. Using Microsoft Proxy Server9.7.1. Proxy Server and SOCKS9.7.2. Proxy Server and WinSock9.8. What If You Can’t Proxy?9.8.1. No Proxy Server Is Available9.8.2. Proxying Won’t Secure the Service9.8.3. Can’t Modify Client or Procedures
10. Bastion Hosts
10.1. General Principles10.2. Special Kinds of Bastion Hosts10.2.1. Nonrouting Dual-Homed Hosts10.2.2. Victim Machines10.2.3. Internal Bastion Hosts10.2.4. External Service Hosts10.2.5. One-Box Firewalls10.3. Choosing a Machine10.3.1. What Operating System?10.3.2. How Fast a Machine?10.3.3. What Hardware Configuration?10.4. Choosing a Physical Location10.5. Locating Bastion Hosts on the Network10.6. Selecting Services Provided by a Bastion Host10.6.1. Multiple Services or Multiple Hosts?10.7. Disabling User Accounts on Bastion Hosts10.8. Building a Bastion Host10.9. Securing the Machine10.9.1. Start with a Minimal Clean Operating System Installation10.9.2. Fix All Known System Bugs10.9.3. Use a Checklist10.9.4. Safeguard the System Logs10.9.4.1. System logs for convenience10.9.4.2. System logs for catastrophes10.9.4.3. Logging and time10.9.4.4. Choosing what to log10.10. Disabling Nonrequired Services10.10.1. How to Disable Services10.10.1.1. Next steps after disabling services10.10.2. Running Services on Specific Networks10.10.3. Turning Off Routing10.10.4. Controlling Inbound Traffic10.10.5. Installing and Modifying Services10.10.6. Reconfiguring for Production10.10.6.1. Finalize the operating system configuration10.10.6.2. Mount filesystems as read-only10.10.7. Running a Security Audit10.10.7.1. Auditing packages10.10.7.2. Use cryptographic checksums for auditing10.10.8. Connecting the Machine10.11. Operating the Bastion Host10.11.1. Learn What the Normal Usage Profile Is10.11.2. Consider Using Software to Automate Monitoring10.12. Protecting the Machine and Backups10.12.1. Watch Reboots Carefully10.12.2. Do Secure Backups10.12.3. Other Objects to Secure
11. Unix and Linux Bastion Hosts
11.1. Which Version of Unix?11.2. Securing Unix11.2.1. Setting Up System Logs on Unix11.2.1.1. syslog Linux example11.2.1.2. System logs for catastrophe11.3. Disabling Nonrequired Services11.3.1. How Are Services Managed Under Unix?11.3.1.1. Services started by /etc/rc files or directories11.3.1.2. Services started by inetd11.3.2. Disabling Services Under Unix11.3.3. Which Services Should You Leave Enabled?11.3.4. Specific Unix Services to Disable11.3.4.1. NFS and related services11.3.4.2. Other RPC services11.3.4.3. Booting services11.3.4.4. BSD “r” command services11.3.4.5. routed11.3.4.6. fingerd11.3.4.7. ftpd11.3.4.8. Other services11.3.5. Running Services on Specific Networks11.3.6. Turning Off Routing11.4. Installing and Modifying Services11.4.1. Using the TCP Wrapper Package to Protect Services11.4.1.1. TCP Wrapper example11.4.1.2. Using netacl to protect services11.4.2. Evaluating and Configuring Unix Services11.5. Reconfiguring for Production11.5.1. Reconfigure and Rebuild the Kernel11.5.2. Remove Nonessential Programs11.5.3. Mount Filesystems as Read-Only11.6. Running a Security Audit
12. Windows NT and Windows 2000 Bastion Hosts
12.1. Approaches to Building Windows NT Bastion Hosts12.2. Which Version of Windows NT?12.3. Securing Windows NT12.3.1. Setting Up System Logs Under Windows NT12.4. Disabling Nonrequired Services12.4.1. How Are Services Managed Under Windows NT?12.4.1.1. Registry keys12.4.1.2. Other ways to start programs under Windows NT12.4.2. How to Disable Services Under Windows NT12.4.3. Next Steps After Disabling Services12.4.4. Which Services Should You Leave Enabled?12.4.5. Specific Windows NT Services to Disable12.4.5.1. The Services control panel12.4.6. Turning Off Routing12.5. Installing and Modifying Services
III. Internet Services
13. Internet Services and Firewalls
13.1. Attacks Against Internet Services13.1.1. Command-Channel Attacks13.1.2. Data-Driven Attacks13.1.3. Third-Party Attacks13.1.4. False Authentication of Clients13.1.5. Hijacking13.1.6. Packet Sniffing13.1.7. Data Injection and Modification13.1.8. Replay13.1.9. Denial of Service13.1.10. Protecting Services13.2. Evaluating the Risks of a Service13.2.1. What Operations Does the Protocol Allow?13.2.1.1. What is it designed to do?13.2.1.2. Is the level of authentication and authorization it uses appropriate for doing that?13.2.1.3. Does it have any other commands in it?13.2.2. What Data Does the Protocol Transfer?13.2.3. How Well Is the Protocol Implemented?13.2.3.1. Does it have any other commands in it?13.2.4. What Else Can Come in If I Allow This Service?13.3. Analyzing Other Protocols13.4. What Makes a Good Firewalled Service?13.4.1. TCP Versus Other Protocols13.4.2. One Connection per Session13.4.3. One Session per Connection13.4.4. Assigned Ports13.4.5. Protocol Security13.5. Choosing Security-Critical Programs13.5.1. My Product Is Secure Because . . .13.5.1.1. It contains no publicly available code, so it’s secret13.5.1.2. It contains publicly available code, so it’s been well reviewed13.5.1.3. It is built entirely from scratch, so it didn’t inherit any bugs from any other products13.5.1.4. It is built on an old, well-tested code base13.5.1.5. It doesn’t run as root/Administrator/LocalSystem13.5.1.6. It doesn’t run under Unix, or it doesn’t run on a Microsoft operating system13.5.1.7. There are no known attacks against it13.5.1.8. It uses public key cryptography (or some other secure-sounding technology)13.5.2. Their Product Is Insecure Because . . .13.5.2.1. It’s been mentioned in a CERT-CC advisory or on a web site listing vulnerabilities13.5.2.2. It’s publicly available13.5.2.3. It’s been successfully attacked13.5.3. Real Indicators of Security13.5.3.1. Security was one of the design criteria13.5.3.2. The supplier can discuss how major security problems were avoided13.5.3.3. It is possible for you to review the code13.5.3.4. Somebody you know and trust actually has reviewed the code13.5.3.5. There is a security notification and update procedure13.5.3.6. The server implements a recent (but accepted) version of the protocol13.5.3.7. The program uses standard error-logging mechanisms13.5.3.8. There is a secure software distribution mechanism13.6. Controlling Unsafe Configurations
14. Intermediary Protocols
14.1. Remote Procedure Call (RPC)14.1.1. Sun RPC Authentication14.1.2. Microsoft RPC Authentication14.1.3. Packet Filtering Characteristics of RPC14.1.4. Proxying Characteristics of RPC14.1.5. Network Address Translation Characteristics of RPC14.1.6. Summary of Recommendations for RPC14.2. Distributed Component Object Model (DCOM)14.3. NetBIOS over TCP/IP (NetBT)14.3.1. Packet Filtering Characteristics of NetBT14.3.2. Proxying Characteristics of NetBT14.3.3. Network Address Translation Characteristics of NetBT14.3.4. Summary of Recommendations for NetBT14.4. Common Internet File System (CIFS) and Server Message Block (SMB)14.4.1. Authentication and SMB14.4.1.1. Share-level authentication14.4.1.2. User-level authentication14.4.2. Packet Filtering Characteristics of SMB14.4.3. Proxying Characteristics of SMB14.4.4. Network Address Translation Characteristics of SMB14.4.5. Summary of Recommendations for SMB14.5. Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)14.5.1. Packet Filtering Characteristics of CORBA and IIOP14.5.2. Proxying Characteristics of CORBA and IIOP14.5.3. Network Address Translation Characteristics of CORBA and IIOP14.5.4. Summary of Recommendations for CORBA and IIOP14.6. ToolTalk14.6.1. Summary of Recommendations for ToolTalk14.7. Transport Layer Security (TLS) and Secure Socket Layer (SSL)14.7.1. The TLS and SSL Protocols14.7.2. Cryptography in TLS and SSL14.7.3. Use of TLS and SSL by Other Protocols14.7.4. Packet Filtering Characteristics of TLS and SSL14.7.5. Proxying Characteristics of TLS and SSL14.7.6. Network Address Translation Characteristics of TLS and SSL14.7.7. Summary of Recommendations for TLS and SSL14.8. The Generic Security Services API (GSSAPI)14.9. IPsec14.9.1. Packet Filtering Characteristics of IPsec14.9.2. Proxying Characteristics of IPsec14.9.3. Network Address Translation Characteristics of IPsec14.9.4. Summary of Recommendations for IPsec14.10. Remote Access Service (RAS)14.11. Point-to-Point Tunneling Protocol (PPTP)14.11.1. Design Weaknesses in PPTP14.11.2. Implementation Weaknesses in PPTP14.11.3. Packet Filtering Characteristics of PPTP14.11.4. Proxying Characteristics of PPTP14.11.5. Network Address Translation Characteristics of PPTP14.11.6. Summary of Recommendations for PPTP14.12. Layer 2 Transport Protocol (L2TP)14.12.1. Packet Filtering Characteristics of L2TP14.12.2. Proxying Characteristics of L2TP14.12.3. Network Address Translation Characteristics of L2TP14.12.4. Summary of Recommendations for L2TP
15. The World Wide Web
15.1. HTTP Server Security15.1.1. HTTP Extensions15.1.1.1. Tricking extensions15.1.1.2. Running unexpected external programs15.2. HTTP Client Security15.2.1. Inadvertent Release of Information15.2.1.1. Cookies15.2.2. External Viewers15.2.3. Extension Systems15.2.4. What Can You Do?15.2.5. Internet Explorer and Security Zones15.3. HTTP15.3.1. HTTP Tunneling15.3.2. Special HTTP Servers15.3.3. Packet Filtering Characteristics of HTTP15.3.4. Proxying Characteristics of HTTP15.3.5. Network Address Translation Characteristics of HTTP15.3.6. Securing HTTP15.3.6.1. Packet filtering characteristics of HTTPS and Secure HTTP15.3.6.2. Proxying characteristics of HTTPS and Secure HTTP15.3.6.3. Network address translation characteristics of HTTPS and Secure HTTP15.3.7. Summary of Recommendations for HTTP15.4. Mobile Code and Web-Related Languages15.4.1. JavaScript15.4.2. VBScript15.4.3. Java15.4.4. ActiveX15.5. Cache Communication Protocols15.5.1. Internet Cache Protocol (ICP)15.5.1.1. Packet filtering characteristics of ICP15.5.1.2. Proxying characteristics of ICP15.5.1.3. Network address translation characteristics of ICP15.5.2. Cache Array Routing Protocol (CARP)15.5.3. Web Cache Coordination Protocol (WCCP)15.5.3.1. Packet filtering characteristics of WCCP15.5.3.2. Proxying characteristics of WCCP15.5.3.3. Network address translation characteristics of WCCP15.5.4. Summary of Recommendations for Cache Communication Protocols15.6. Push Technologies15.6.1. Summary of Recommendations for Push Technologies15.7. RealAudio and RealVideo15.7.1. Risks of RealServer15.7.2. Risks of RealAudio and RealVideo Clients15.7.3. Packet Filtering Characteristics of RealAudio and RealVideo15.7.4. Proxying Characteristics of RealAudio and RealVideo15.7.5. Network Address Translation Characteristics of RealAudio and RealVideo15.7.6. Summary Recommendations for RealAudio and RealVideo15.8. Gopher and WAIS15.8.1. Packet Filtering Characteristics of Gopher and WAIS15.8.2. Proxying Characteristics of Gopher and WAIS15.8.3. Network Address Translation Characteristics of Gopher and WAIS15.8.4. Summary of Recommendations for Gopher and WAIS
16. Electronic Mail and News
16.1. Electronic Mail16.1.1. Keeping Mail Secret16.1.2. Undesirable Mail16.1.2.1. Junk mail16.1.2.2. Viruses and other hostilities16.1.3. Multimedia Internet Mail Extensions (MIME)16.1.4. S/MIME and OpenPGP16.2. Simple Mail Transfer Protocol (SMTP)16.2.1. Extended SMTP (ESMTP)16.2.2. TLS/SSL, SSMTP, and STARTTLS16.2.3. Packet Filtering Characteristics of SMTP16.2.4. Proxying Characteristics of SMTP16.2.5. Network Address Translation Characteristics of SMTP16.2.6. Configuring SMTP to Work with a Firewall16.2.7. Sendmail16.2.8. Other Freely Available SMTP Servers for Unix16.2.8.1. smail16.2.8.2. Postfix16.2.8.3. Qmail16.2.9. Commercial SMTP Servers for Unix16.2.10. Improving SMTP Security with smap and smapd16.2.11. biff16.2.12. SMTP Support in Non-SMTP Mail Systems16.2.13. SMTP Servers for Windows NT16.2.14. Summary of Recommendations for SMTP16.3. Other Mail Transfer Protocols16.4. Microsoft Exchange16.4.1. Summary of Recommendations for Microsoft Exchange16.5. Lotus Notes and Domino16.5.1. Packet Filtering Characteristics of Lotus Notes16.5.2. Proxying Characteristics of Lotus Notes16.5.3. Network Address Translation Characteristics of Lotus Notes16.5.4. Summary of Recommendations for Lotus Notes16.6. Post Office Protocol (POP)16.6.1. Packet Filtering Characteristics of POP16.6.2. Proxying Characteristics of POP16.6.3. Network Address Translation Characteristics of POP16.6.4. Summary of Recommendations for POP16.7. Internet Message Access Protocol (IMAP)16.7.1. Packet Filtering Characteristics of IMAP16.7.2. Proxying Characteristics of IMAP16.7.3. Network Address Translation Characteristics of IMAP16.7.4. Summary of Recommendations for IMAP16.8. Microsoft Messaging API (MAPI)16.9. Network News Transfer Protocol (NNTP)16.9.1. Packet Filtering Characteristics of NNTP16.9.2. Proxying Characteristics of NNTP16.9.3. Network Address Translation Characteristics of NNTP16.9.4. Summary of Recommendations for NNTP
17. File Transfer, File Sharing, and Printing
17.1. File Transfer Protocol (FTP)17.1.1. Packet Filtering Characteristics of FTP17.1.2. Proxying Characteristics of FTP17.1.3. Network Address Translation Characteristics of FTP17.1.4. Providing Anonymous FTP Service17.1.4.1. Limiting access to information17.1.4.2. Preventing people from using your server to distribute their data17.1.4.2.1. Making your incoming directory write-only17.1.4.2.2. Making anonymous read and anonymous write exclusive17.1.4.2.3. Disabling the creation of directories and certain files17.1.4.2.4. Uploading by prearrangement17.1.4.2.5. Removing the files17.1.4.3. Preventing people from using your server to attack other machines17.1.4.4. Using the wuarchive FTP daemon17.1.5. Summary of Recommendations for FTP17.2. Trivial File Transfer Protocol (TFTP)17.2.1. Packet Filtering Characteristics of TFTP17.2.2. Proxying Characteristics of TFTP17.2.3. Network Address Translation Characteristics of TFTP17.2.4. Summary of Recommendations for TFTP17.3. Network File System (NFS)17.3.1. NFS Authentication17.3.2. NFS and root17.3.3. NFS Client Vulnerabilities17.3.4. File Locking with NFS17.3.5. Automounting17.3.6. Packet Filtering Characteristics of NFS17.3.7. Proxying Characteristics of NFS17.3.8. Network Address Translation Characteristics of NFS17.4. File Sharing for Microsoft Networks17.4.1. Samba17.4.2. Distributed File System (Dfs)17.4.3. Packet Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing17.5. Summary of Recommendations for File Sharing17.6. Printing Protocols17.6.1. lpr and lp17.6.1.1. LPRng17.6.1.2. Packet filtering characteristics of lpr17.6.1.3. Proxying characteristics of lpr17.6.1.4. Network address translation characteristics of lpr17.6.1.5. Packet filtering and proxying characteristics of lp17.6.2. Windows-based Printing17.6.3. Other Printing Systems17.6.4. Summary of Recommendations for Printing Protocols17.7. Related Protocols
18. Remote Access to Hosts
18.1. Terminal Access (Telnet)18.1.1. Windows 2000 Telnet18.1.2. Packet Filtering Characteristics of Telnet18.1.3. Proxying Characteristics of Telnet18.1.4. Network Address Translation Characteristics of Telnet18.1.5. Summary of Recommendations for Telnet18.2. Remote Command Execution18.2.1. BSD “r” Commands18.2.1.1. BSD “r” commands under Windows NT18.2.1.2. Packet filtering characteristics of the BSD “r” commands18.2.1.3. Proxying characteristics of the BSD “r” commands18.2.1.4. Network address translation characteristics of the BSD “r"commands18.2.1.5. Summary of recommendations for the BSD “r” command18.2.2. rexec18.2.2.1. Packet filtering characteristics of rexec18.2.2.2. Proxying characteristics of rexec18.2.2.3. Network address translation characteristics of rexec18.2.2.4. Summary of recommendations for rexec18.2.3. rex18.2.3.1. Summary of recommendations for rex18.2.4. Windows NT Remote Commands18.2.4.1. Summary of recommendations for remote commands18.2.5. Secure Shell (SSH)18.2.5.1. What makes SSH secure?18.2.5.2. SSH server authentication18.2.5.3. SSH client authentication18.2.5.4. Additional SSH options for client control18.2.5.5. SSH session hijacking protection18.2.5.6. Port forwarding18.2.5.7. Remote X11 Window System support18.2.5.8. Packet filtering characteristics of SSH18.2.5.9. Proxying characteristics of SSH18.2.5.10. Network address translation characteristics of SSH18.2.5.11. Summary of recommendations for SSH18.3. Remote Graphical Interfaces18.3.1. X11 Window System18.3.1.1. Additional servers18.3.1.2. Packet filtering characteristics of X1118.3.1.3. Proxying characteristics of X1118.3.1.4. Network address translation characteristics of X1118.3.1.5. Summary of recommendations for XII18.3.2. Remote Graphic Interfaces for Microsoft Operating Systems18.3.3. Independent Computing Architecture (ICA)18.3.3.1. Packet filtering characteristics of ICA18.3.3.2. Proxying characteristics of ICA18.3.3.3. Network address translation characteristics of ICA18.3.4. Microsoft Terminal Server and Terminal Services18.3.4.1. Packet filtering characteristics of RDP18.3.4.2. Proxying characteristics of RDP18.3.4.3. Network address translation characteristics of RDP18.3.5. BO2K18.3.5.1. Packet filtering characteristics of BO2K18.3.5.2. Proxying characteristics of BO2K18.3.5.3. Network address translation characteristics of BO2K18.3.6. Summary of Recommendations for Windows Remote Access
19. Real-Time Conferencing Services
19.1. Internet Relay Chat (IRC)19.1.1. Packet Filtering Characteristics of IRC19.1.2. Proxying Characteristics of IRC19.1.3. Network Address Translation Characteristics of IRC19.1.4. Summary of Recommendations for IRC19.2. ICQ19.2.1. Packet Filtering Characteristics of ICQ19.2.2. Proxying Characteristics of ICQ19.2.3. Network Address Translation Characteristics of ICQ19.2.4. Summary of Recommendations for ICQ19.3. talk19.3.1. Packet Filtering Characteristics of talk19.3.2. Proxying Characteristics of talk19.3.3. Network Address Translation Characteristics of talk19.3.4. Summary of Recommendations for talk19.4. Multimedia Protocols19.4.1. T.120 and H.32319.4.1.1. Packet filtering characteristics of T.12019.4.1.2. Proxying characteristics of T.12019.4.1.3. Network address translation characteristics of T.12019.4.1.4. Packet filtering characteristics of H.32319.4.1.5. Proxying characteristics of H.32319.4.1.6. Network address translation characteristics of H.32319.4.1.7. Summary of recommendations for T.120 and H.32319.4.2. The Real-Time Transport Protocol (RTP) and the RTP Control Protocol (RTCP)19.4.2.1. Packet filtering characteristics of RTP and RTCP19.4.2.2. Proxying characteristics of RTP and RTCP19.4.2.3. Network address translation of RTP and RTCP19.4.2.4. Summary of recommendations for RTP and RTCP19.5. NetMeeting19.5.1. Packet Filtering Characteristics of NetMeeting19.5.2. Proxying Characteristics of NetMeeting19.5.3. Network Address Translation Characteristics of NetMeeting19.5.4. Summary of Recommendations for NetMeeting19.6. Multicast and the Multicast Backbone (MBONE)19.6.1. Summary of Recommendations for Multicast
20. Naming and Directory Services
20.1. Domain Name System (DNS)20.1.1. Packet Filtering Characteristics of DNS20.1.2. Proxying Characteristics of DNS20.1.3. DNS Data20.1.4. DNS Security Problems20.1.4.1. Bogus answers to DNS queries20.1.4.2. Malicious DNS queries20.1.4.3. Mismatched data between the hostname and IP address DNS trees20.1.4.4. Dynamic update20.1.4.5. Revealing too much information to attackers20.1.5. Setting Up DNS to Hide Information, Without Subdomains20.1.5.1. Set up a “fake” DNS server on the bastion host for the outside world to use20.1.5.2. Set up a real DNS server on an internal system for internal hosts to use20.1.5.3. Internal DNS clients query the internal server20.1.5.4. Bastion DNS clients also query the internal server20.1.5.5. What your packet filtering system needs to allow20.1.6. Setting Up DNS to Hide Information, with Subdomains20.1.7. Setting Up DNS Without Hiding Information20.1.8. Windows 2000 and DNS20.1.9. Network Address Translation Characteristics of DNS20.1.10. Summary of Recommendations for DNS20.2. Network Information Service (NIS)20.2.1. Summary of Recommendations for NIS20.3. NetBIOS for TCP/IP Name Service and Windows Internet Name Service20.3.1. Name Resolution Under Windows20.3.2. NetBIOS Names20.3.3. NetBT Name Service Operations20.3.3.1. General principles of NetBT operations20.3.3.2. Name registration20.3.3.3. Name refresh20.3.3.4. Name resolution20.3.3.5. Name release20.3.3.6. Conflict management20.3.4. WINS Server-Server Communication20.3.5. The WINS Manager20.3.6. Security Implications of NetBT Name Service and WINS20.3.7. Packet Filtering Characteristics of NetBT Name Service20.3.8. Proxying Characteristics of NetBT Name Service and WINS20.3.9. Network Address Translation Characteristics of NetBT Name Service and WINS20.3.10. Summary of Recommendations for NetBT Name Service and WINS20.4. The Windows Browser20.4.1. Domains and Workgroups20.4.2. Windows Browser Roles20.4.2.1. Domain master browser20.4.2.2. Master browser20.4.2.3. Backup browsers20.4.2.4. Potential browsers20.4.2.5. Browseable server20.4.2.6. Browser client20.4.3. Browser Elections20.4.4. Security Implications of the Windows Browser20.4.5. Packet Filtering Characteristics of the Windows Browser20.4.6. Proxying Characteristics of the Windows Browser20.4.7. Network Address Translation Characteristics of the Windows Browser20.4.8. Summary of Recommendations for the Windows Browser20.5. Lightweight Directory Access Protocol (LDAP)20.5.1. LDAPS20.5.2. Packet Filtering Characteristics of LDAP20.5.3. Proxying Characteristics of LDAP20.5.4. Network Address Translation Characteristics of LDAP20.5.5. Summary of Recommendations for LDAP20.6. Active Directory20.7. Information Lookup Services20.7.1. finger20.7.1.1. Packet filtering characteristics of finger20.7.1.2. Proxying characteristics of finger20.7.1.3. Network address translation characteristics of finger20.7.1.4. Summary of recommendations for finger20.7.2. whois20.7.2.1. Packet filtering characteristics of whois20.7.2.2. Proxying characteristics of whois20.7.2.3. Network address translation characteristics of whois20.7.2.4. Summary of recommendations for whois
21. Authentication and Auditing Services
21.1. What Is Authentication?21.1.1. Something You Are21.1.2. Something You Know21.1.3. Something You Have21.2. Passwords21.3. Authentication Mechanisms21.3.1. One-Time Password Software21.3.2. One-Time Password Hardware21.4. Modular Authentication for Unix21.4.1. The TIS FWTK Authentication Server21.4.1.1. Problems with the authentication server21.4.2. Pluggable Authentication Modules (PAM)21.5. Kerberos21.5.1. How It Works21.5.2. Extending Trust21.5.3. Packet Filtering Characteristics of Kerberos21.5.4. Proxying and Network Address Translation Characteristics of Kerberos21.5.5. Summary of Recommendations for Kerberos21.6. NTLM Domains21.6.1. Finding a Domain Controller21.6.2. The Logon Process21.6.3. Secure Channel Setup21.6.4. SMB Authentication21.6.5. Accessing Other Computers21.6.6. Alternate Authentication Methods21.6.7. Controller-to-Controller Communication21.6.8. The User Manager21.6.9. Packet Filtering, Proxying, and Network Address Translation Characteristics of NTLM Domain Authentication21.6.10. Summary of Recommendations for NTLM Domain Authentication21.7. Remote Authentication Dial-in User Service (RADIUS)21.7.1. Packet Filtering Characteristics of RADIUS21.7.2. Proxying Characteristics of RADIUS21.7.3. Network Address Translation Characteristics of RADIUS21.7.4. Summary of Recommendations for RADIUS21.8. TACACS and Friends21.8.1. Packet Filtering Characteristics of TACACS and Friends21.8.2. Proxying Characteristics of TACACS and Friends21.8.3. Network Address Translation Characteristics of TACACS and Friends21.8.4. Summary of Recommendations for TACACS and Friends21.9. Auth and identd21.9.1. Packet Filtering Characteristics of Auth21.9.2. Proxying Characteristics of Auth21.9.3. Network Address Translation Characteristics of Auth21.9.4. Summary of Recommendations for Auth
22. Administrative Services
22.1. System Management Protocols22.1.1. syslog22.1.1.1. Packet filtering characteristics of syslog22.1.1.2. Proxying characteristics of syslog22.1.1.3. Network address translation and syslog22.1.1.4. Summary of recommendations for syslog22.1.2. Simple Network Management Protocol (SNMP)22.1.2.1. SNMP version 322.1.2.2. Packet filtering characteristics of SNMP22.1.2.3. Proxying characteristics of SNMP22.1.2.4. Network address translation and SNMP22.1.3. System Management Server (SMS)22.1.4. Performance Monitor and Network Monitor22.1.5. Summary Recommendations for System Management22.2. Routing Protocols22.2.1. Routing Information Protocol (RIP)22.2.1.1. Packet filtering characteristics of RIP22.2.2. Open Shortest Path First (OSPF)22.2.2.1. Packet filtering characteristics of OSPF22.2.3. Internet Group Management Protocol (IGMP)22.2.3.1. Packet filtering characteristics of IGMP22.2.4. Router Discovery/ICMP Router Discovery Protocol (IRDP)22.2.4.1. Packet filtering characteristics of router discovery22.2.5. Proxying Characteristics of Routing Protocols22.2.6. Network Address Translation Characteristics of Routing Protocols22.2.7. Summary of Recommendations for Routing Protocols22.3. Protocols for Booting and Boot-Time Configuration22.3.1. bootp22.3.2. Dynamic Host Configuration Protocol (DHCP)22.3.3. Packet Filtering Characteristics of DHCP and bootp22.3.4. Proxying Characteristics of bootp and DHCP22.3.5. Network Address Translation Characteristics of Booting and Boot-Time Configuration22.3.6. Summary of Recommendations for Booting and Boot-Time Configuration22.4. ICMP and Network Diagnostics22.4.1. ping22.4.1.1. Packet filtering characteristics of ping22.4.1.2. Proxying characteristics of ping22.4.1.3. Network address translation and ping22.4.2. traceroute22.4.2.1. Packet filtering characteristics of traceroute22.4.2.2. Proxying characteristics of traceroute22.4.2.3. Network address translation and traceroute22.4.3. Other ICMP Packets22.4.3.1. Packet filtering characteristics of ICMP22.4.4. Summary of Recommendations for ICMP22.5. Network Time Protocol (NTP)22.5.1. Packet Filtering Characteristics of NTP22.5.2. Proxying Characteristics of NTP22.5.3. Network Address Translation Characteristics of NTP22.5.4. Configuring NTP to Work with a Firewall22.5.5. Summary of Recommendations for NTP22.6. File Synchronization22.6.1. rdist22.6.2. rsync22.6.2.1. Packet filtering characteristics of rsync22.6.2.2. Proxying characteristics of rsync22.6.2.3. Network address translation characteristics of rsync22.6.3. Windows NT Directory Replication22.6.4. Windows 2000 File Replication Service (FRS)22.6.5. Summary of Recommendations for File Synchronization22.7. Mostly Harmless Protocols22.7.1. Packet Filtering Characteristics of Mostly Harmless Protocols22.7.2. Proxying Characteristics of Mostly Harmless Protocols22.7.3. Network Address Translation Characteristics of Mostly Harmless Protocols22.7.4. Summary Recommendations for Mostly Harmless Protocols
23. Databases and Games
23.1. Databases23.1.1. Locating Database Servers23.1.1.1. Putting both the web server and the database on the perimeter network23.1.1.2. Putting both the web server and the database on the internal network23.1.1.3. Using the database’s protocols to connect to a perimeter web server23.1.1.4. Using a custom protocol to connect to a perimeter web server23.1.2. Open Database Connectivity (ODBC) and Java Database Connectivity ( JDBC)23.1.3. Oracle SQL*Net and Net823.1.3.1. Security implications of SQL*Net and Net823.1.3.2. Packet filtering characteristics of SQL*Net and Net823.1.3.3. Proxying characteristics of SQL*Net and Net823.1.3.4. Network address translation characteristics of SQL*Net and Net823.1.3.5. Summary of recommendations for SQL*Net and Net823.1.4. Tabular Data Stream (TDS)23.1.5. Sybase23.1.5.1. Packet filtering characteristics of Sybase23.1.5.2. Proxying characteristics of Sybase23.1.5.3. Network address translation characteristics of Sybase23.1.5.4. Summary of recommendations for Sybase23.1.6. Microsoft SQL Server23.1.6.1. Packet filtering characteristics of Microsoft SQL Server23.1.6.2. Proxying characteristics of Microsoft SQL Server23.1.6.3. Network address translation and Microsoft SQL Server23.1.6.4. Summary of recommendations for Microsoft SQL Server23.2. Games23.2.1. Quake23.2.2. Summary of Recommendations for Games
24. Two Sample Firewalls
24.1. Screened Subnet Architecture24.1.1. Service Configuration24.1.1.1. HTTP and HTTPS24.1.1.2. SMTP24.1.1.3. Telnet24.1.1.4. SSH24.1.1.5. FTP24.1.1.6. NNTP24.1.1.7. DNS24.1.2. Packet Filtering Rules24.1.2.1. Interior router24.1.2.2. Exterior router24.1.3. Other Configuration Work24.1.4. Analysis24.1.4.1. Least privilege24.1.4.2. Defense in depth24.1.4.3. Choke point24.1.4.4. Weakest link24.1.4.5. Fail-safe stance24.1.4.6. Universal participation24.1.4.7. Diversity of defense24.1.4.8. Simplicity24.1.5. Conclusions24.2. Merged Routers and Bastion Host Using General-Purpose Hardware24.2.1. Service Configuration24.2.1.1. HTTP and HTTPS24.2.1.2. SMTP24.2.1.3. Telnet24.2.1.4. SSH24.2.1.5. FTP24.2.1.6. NNTP24.2.1.7. DNS24.2.2. Packet Filtering Rules24.2.3. Other Configuration Work24.2.4. Analysis24.2.4.1. Least privilege24.2.4.2. Defense in depth24.2.4.3. Choke point24.2.4.4. Weakest link24.2.4.5. Fail-safe stance24.2.4.6. Universal participation24.2.4.7. Diversity of defense24.2.4.8. Simplicity24.2.5. Conclusions
IV. Keeping Your Site Secure
25. Security Policies
25.1. Your Security Policy25.1.1. What Should a Security Policy Contain?25.1.1.1. Explanations25.1.1.2. Everybody’s responsibilities25.1.1.3. Regular language25.1.1.4. Enforcement authority25.1.1.5. Provision for exceptions25.1.1.6. Provision for reviews25.1.1.7. Discussion of specific security issues25.1.2. What Should a Security Policy Not Contain?25.1.2.1. Technical details25.1.2.2. Somebody else’s problems25.1.2.3. Problems that aren’t computer security problems25.2. Putting Together a Security Policy25.2.1. What Is Your Security Policy?25.2.2. What Is Your Site’s Security Policy?25.2.3. External Factors That Influence Security Policies25.3. Getting Strategic and Policy Decisions Made25.3.1. Enlist Allies25.3.2. Involve Everybody Who’s Affected25.3.3. Accept “Wrong” Decisions25.3.4. Present Risks and Benefits in Different Ways for Different People25.3.5. Avoid Surprises25.3.6. Condense to Important Decisions, with Implications25.3.7. Justify Everything Else in Terms of Those Decisions25.3.8. Emphasize that Many Issues Are Management and Personnel Issues, not Technical Issues25.3.9. Don’t Assume That Anything Is Obvious25.4. What If You Can’t Get a Security Policy?
26. Maintaining Firewalls
26.1. Housekeeping26.1.1. Backing Up Your Firewall26.1.2. Managing Your Accounts26.1.3. Managing Your Disk Space26.2. Monitoring Your System26.2.1. Special-Purpose Monitoring Devices26.2.2. Intrusion Detection Systems26.2.3. What Should You Watch For?26.2.4. The Good, the Bad, and the Ugly26.2.5. Responding to Probes26.2.6. Responding to Attacks26.3. Keeping up to Date26.3.1. Keeping Yourself up to Date26.3.1.1. Mailing lists26.3.1.2. Newsgroups26.3.1.3. Web sites26.3.1.4. Professional forums26.3.2. Keeping Your Systems up to Date26.4. How Long Does It Take?26.5. When Should You Start Over?
27. Responding to Security Incidents
27.1. Responding to an Incident27.1.1. Evaluate the Situation27.1.2. Start Documenting27.1.3. Disconnect or Shut Down, as Appropriate27.1.4. Analyze and Respond27.1.5. Make “Incident in Progress” Notifications27.1.5.1. Your own organization27.1.5.2. CERT-CC or other incident response teams27.1.5.3. Vendors and service providers27.1.5.4. Other sites27.1.6. Snapshot the System27.1.7. Restore and Recover27.1.8. Document the Incident27.2. What to Do After an Incident27.3. Pursuing and Capturing the Intruder27.4. Planning Your Response27.4.1. Planning for Detection27.4.2. Planning for Evaluation of the Incident27.4.3. Planning for Disconnecting or Shutting Down Machines27.4.4. Planning for Notification of People Who Need to Know27.4.4.1. Your own organization27.4.4.2. CERT-CC and other incident response teams27.4.4.3. Vendors and service providers27.4.4.4. Other sites27.4.5. Planning for Snapshots27.4.6. Planning for Restoration and Recovery27.4.7. Planning for Documentation27.4.8. Periodic Review of Plans27.5. Being Prepared27.5.1. Backing Up Your Filesystems27.5.2. Labeling and Diagramming Your System27.5.3. Keeping Secured Checksums27.5.4. Keeping Activity Logs27.5.5. Keeping a Cache of Tools and Supplies27.5.6. Testing the Reload of the Operating System27.5.7. Doing Drills
V. Appendixes
A. Resources
A.1. Web PagesA.1.1. TelstraA.1.2. CERIASA.1.3. The Linux Documentation ProjectA.1.4. The Linux Router ProjectA.2. FTP SitesA.2.1. cerias.purdue.eduA.2.2. info.cert.orgA.3. Mailing ListsA.3.1. FirewallsA.3.2. Firewall WizardsA.3.3. FWTK-USERSA.3.4. BugTraqA.3.5. NTBugTraqA.3.6. CERT-AdvisoryA.3.7. RISKSA.4. NewsgroupsA.5. Response TeamsA.5.1. CERT-CCA.5.2. FIRSTA.5.3. NIST CSRCA.6. Other OrganizationsA.6.1. Internet Engineering Task Force (IETF)A.6.2. World Wide Web Consortium (W3C)A.6.3. USENIX AssociationA.6.4. System Administrators Guild (SAGE)A.6.5. System Administration, Networking, and Security (SANS) InstituteA.7. ConferencesA.7.1. USENIX Association ConferencesA.7.1.1. USENIX Unix Security SymposiumA.7.1.2. USENIX System Administration (LISA) ConferenceA.7.1.3. USENIX Large Installation System Administration of Windows NT (LISA-NT) ConferenceA.7.1.4. USENIX Technical ConferencesA.7.2. Unix System Administration, Networking, and Security (SANS) ConferenceA.7.3. Internet Society Symposium on Network and Distributed System Security (SNDSS)A.8. PapersA.9. Books
B. Tools
B.1. Authentication ToolsB.1.1. TIS Internet Firewall Toolkit (FWTK)B.1.2. KerberosB.2. Analysis ToolsB.2.1. COPSB.2.2. TigerB.2.3. TripwireB.2.4. SATANB.2.5. SAINTB.3. Packet Filtering ToolsB.3.1. ipfilterB.4. Proxy Systems ToolsB.4.1. TIS Internet Firewall Toolkit (FWTK)B.4.2. SOCKSB.4.3. UDP Packet RelayerB.4.4. tircproxyB.5. DaemonsB.5.1. wuarchive ftpdB.5.2. GateDB.5.3. ZebraB.5.4. PostfixB.5.5. qmailB.5.6. smailB.5.7. portmapB.5.8. Andrew File System (AFS)B.5.9. rsyncB.5.10. SambaB.5.11. sshB.5.12. BO2KB.5.13. mIRCB.6. UtilitiesB.6.1. TIS Internet Firewall Toolkit (FWTK)B.6.2. TCP WrapperB.6.3. chrootuidB.6.4. inziderB.6.5. MRTGB.6.6. NOCOLB.6.7. NetCatB.6.8. NetSaintB.6.9. PGPB.6.10. trimlogB.6.11. AntiSniffB.6.12. tcpdump
C. Cryptography
C.1. What Are You Protecting and Why?C.2. Key Components of Cryptographic SystemsC.2.1. EncryptionC.2.1.1. Kinds of encryption algorithmsC.2.1.2. Encryption algorithms and key lengthC.2.2. Cryptographic Hashes, Checksums, and Message DigestsC.2.3. Integrity ProtectionC.2.4. Random NumbersC.3. Combined CryptographyC.3.1. Digital SignaturesC.3.2. CertificatesC.3.3. Certificate Trust ModelsC.3.4. Key Distribution and ExchangeC.4. What Makes a Protocol Secure?C.4.1. Selecting an AlgorithmC.4.2. Mutual AuthenticationC.4.3. Sharing a SecretC.4.4. Identifying Altered MessagesC.4.5. Destroying the Shared SecretC.5. Information About AlgorithmsC.5.1. Encryption AlgorithmsC.5.2. Digital Signature AlgorithmsC.5.3. Cryptographic Hashes and Message DigestsC.5.4. Key ExchangeC.5.5. Key Sizes and StrengthC.5.6. Evaluating Other Algorithms
Index
About the Authors
Colophon
Copyright

Content preview from Building Internet Firewalls, 2nd Edition

Chapter 27. Responding to Security Incidents

The CERT Coordination Center (CERT-CC) reports that, despite increased awareness, the first time many organizations start thinking about how to handle a computer security incident is after an intrusion has occurred. Obviously, this isn’t a great approach. You need a plan for how you’re going to respond to a computer security incident at your site, and you need to develop that plan well before an incident occurs.

There isn’t room here to detail everything you need to know to deal with a security incident: attacks are many and varied and change constantly; responding to them can involve a byzantine assortment of legal and technical issues. This chapter is intended to give you an outline of the issues involved and the practical steps you can take ahead of time to smooth the process. Appendix A, provides a list of resources that may provide additional help.

Responding to an Incident

This section discusses a number of steps you’ll need to take when you respond to a security incident. You won’t necessarily need to follow these steps in the order they’re given, and not all of these steps are appropriate for all incidents. But, we recommend that you at least contemplate each of them when you find yourself dealing with an incident.

In Section 27.4, later in this chapter, we’ll look again at each of these steps and help you figure out how to work them into the overall response plan that you should develop before an incident actually occurs.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Publisher Resources

ISBN: 1565928717Errata Page

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills

Building Internet Firewalls, 2nd Edition

by Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman

Chapter 27. Responding to Security Incidents

Responding to an Incident

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.