Building Internet Firewalls

In the five years since the first edition of this classic book was published, Internet use has exploded. The commercial world has rushed headlong into doing business on the Web, often without integrating sound security technologies and policies into their products and methods. The security risks--and the need to protect both business and personal data--have never been greater. We've updated Building Internet Firewalls to address these newer risks.

What kinds of security threats does the Internet pose? Some, like password attacks and the exploiting of known security holes, have been around since the early days of networking. And others, like the distributed denial of service attacks that crippled Yahoo, E-Bay, and other major e-commerce sites in early 2000, are in current headlines.

Firewalls, critical components of today's computer networks, effectively protect a system from most Internet security threats. They keep damage on one part of the network--such as eavesdropping, a worm program, or file damage--from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

Like the bestselling and highly respected first edition, Building Internet Firewalls, 2nd Edition, is a practical and detailed step-by-step guide to designing and installing firewalls and configuring Internet services to work with a firewall. Much expanded to include Linux and Windows coverage, the second edition describes:

  • Firewall technologies: packet filtering, proxying, network address translation, virtual private networks
  • Architectures such as screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls
  • Issues involved in a variety of new Internet services and protocols through a firewall
  • Email and News
  • Web services and scripting languages (e.g., HTTP, Java, JavaScript, ActiveX, RealAudio, RealVideo)
  • File transfer and sharing services such as NFS, Samba
  • Remote access services such as Telnet, the BSD "r" commands, SSH, BackOrifice 2000
  • Real-time conferencing services such as ICQ and talk
  • Naming and directory services (e.g., DNS, NetBT, the Windows Browser)
  • Authentication and auditing services (e.g., PAM, Kerberos, RADIUS);
  • Administrative services (e.g., syslog, SNMP, SMS, RIP and other routing protocols, and ping and other network diagnostics)
  • Intermediary protocols (e.g., RPC, SMB, CORBA, IIOP)
  • Database protocols (e.g., ODBC, JDBC, and protocols for Oracle, Sybase, and Microsoft SQL Server)
The book's complete list of resources includes the location of many publicly available firewall construction tools.

The first edition explains how to design and install firewalls, and how to configure Internet services to work with a firewall. This second edition covers Linux and Windows NT, as well as Unix platforms, and a variety of new Internet services and protocols.


Editorial Reviews

"Explains how to design and install firewalls, and how to configure Internet services to work with a firewall. The second edition covers Linux and Windows NT, as well as Unix platforms, and a variety of new Internet services and protocols."
--Annotation (c) Book News, Inc., Portland, OR

Product Details

  • ISBN-13: 9780596551889
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 6/26/2000
  • Format: eBook
  • Edition number: 2
  • Pages: 896
  • File size: 7 MB

Meet the Author

Zwicky is a director of Counterpane Internet Security, a managed security services company. She has been doing large-scale Unix system administration and related work for 15 years, and was a founding board member of both the System Administrators Guild (SAGE) and BayLISA (the San Francisco Bay Area system administrator group), as well as a nonvoting member of the first board of the Australian system administration group, SAGE-AU. She has been involuntarily involved in Internet security since before the 1988 Morris Internet worm. In her lighter moments, she is one of the few people who makes significant use of the rand function in PostScript, producing PostScript documents that are different every time they're printed.

Cooper is a computer professional currently working in Silicon Valley. He has worked in different computer-related fields ranging from hardware through operating systems and device drivers to application software and systems support in both commercial and educational environments. He has an interest in the activities of the Internet Engineering Task Force (IETF) and USENIX, is a member of the British Computer Conservation Society, and is a founding member of the Computer Museum History Center. He has released a small number of his own open source programs and has contributed time and code to the XFree86 project. In his spare time, he likes to play ice hockey, solve puzzles of a mathematical nature, and tinker with Linux.

Chapman is a networking professional in Silicon Valley. He has designed and built Internet firewall systems for a wide range of organizations, using a variety of techniques and technologies. He is the founder of the Firewalls Internet mailing list, and creator of the Majordomo mailing list management package. He is the founder, principal, and technical lead of Great Circle Associates, Inc., a highly regarded strategic consulting and training firm specializing in Internet networking and security. Over the last 15 years, he has worked in a variety of consulting, engineering, and management roles in information technology, operations, and technology marketing for a wide range of employers and clients, including the Xerox Palo Alto Research Center (PARC), Silicon Graphics, Inc. (SGI), and Covad Communications.


Read an Excerpt

Chapter 13: Internet Services and Firewalls

This chapter gives an overview of the issues involved in using Internet services through a firewall, including the risks involved in providing services and the attacks against them, ways of evaluating implementations, and ways of analyzing services that are not detailed in this book.

The remaining chapters in Part III describe the major Internet services: how they work, what their packet filtering and proxying characteristics are, what their security implications are with respect to firewalls, and how to make them work with a firewall. The purpose of these chapters is to give you the information that will help you decide which services to offer at your site and to help you configure these services so they are as safe and as functional as possible in your firewall environment. We occasionally mention things that are not, in fact, Internet services but are related protocols, languages, or APIs that are often used in the Internet context or confused with genuine Internet services.

These chapters are intended primarily as a reference; they're not necessarily intended to be read in depth from start to finish, though you might learn a lot of interesting stuff by skimming this whole part of the book.

At this point, we assume that you are familiar with what the various Internet services are used for, and we concentrate on explaining how to provide those services through a firewall. For introductory information about what particular services are used for, see Chapter 2, Internet Services.

Where we discuss the packet filtering characteristics of particular services, we use the same abstract tabular form we used to show filtering rules in Chapter 8, Packet Filtering. You'll need to translate various abstractions like "internal", "external", and so on to appropriate values for your own configuration. See Chapter 8 for an explanation of how you can translate abstract rules to rules for particular products and packages, as well as more information on packet filtering in general.

Where we discuss the proxy characteristics of particular services, we rely on concepts and terminology discussed in Chapter 9, Proxy Systems.

Throughout the chapters in Part III, we'll show how each service's packets flow through a firewall. The following figures show the basic packet flow: when a service runs directly (Figure 13-1) and when a proxy service is used (Figure 13-2). The other figures in these chapters show variations of these figures for individual services. If there are no specific figures for a particular service, you can assume that these generic figures are appropriate for that service.

TIP: We frequently characterize client port numbers as "a random port number above 1023". Some protocols specify this as a requirement, and on others, it is merely a convention (spread to other platforms from Unix, where ports below 1024 cannot be opened by regular users). Although it is theoretically allowable for clients to use ports below 1024 on non-Unix platforms, it is extraordinarily rare: rare enough that many firewalls, including ones on major public sites that handle clients of all types, rely on this distinction and report never having rejected a connection because of it.

Attacks Against Internet Services

As we discuss Internet services and their configuration, certain concepts are going to come up repeatedly. These reflect the process of evaluating exactly what risks a given service poses. These risks can be roughly divided into two categories. First, attacks that involve making allowed connections between a client and a server, including:

  • Command-channel attacks
  • Data-driven attacks
  • Third-party attacks
  • False authentication of clients

And second, those attacks that get around the need to make connections, including:

  • Hijacking
  • Packet sniffing
  • Data injection and modification
  • Replay
  • Denial of service

Command-Channel Attacks

A command-channel attack is one that directly attacks a particular service's server by sending it commands in the same way it regularly receives them (down its command channel). There are two basic types of command-channel attacks: attacks that exploit valid commands to do undesirable things, and attacks that send invalid commands and exploit server bugs in dealing with invalid input.

If it's possible to use valid commands to do undesirable things, that is the fault of the person who decided what commands there should be. If it's possible to use invalid commands to do undesirable things, that is the fault of the programmer(s) who implemented the protocol. These are two separate issues and need to be evaluated separately, but you are equally unsafe in either case.

The original headline-making Internet problem, the 1988 Morris worm, exploited two kinds of command-channel attacks. It attacked Sendmail by using a valid debugging command that many machines had left enabled and unsecured, and it attacked finger by giving it an overlength command, causing a buffer overflow.

Data-Driven Attacks

A data-driven attack is one that involves the data transferred by a protocol, instead of the server that implements it. Once again, there are two types of data-driven attacks: attacks that involve evil data, and attacks that compromise good data. Viruses transmitted in electronic mail messages are data-driven attacks that involve evil data. Attacks that steal credit card numbers in transit are data-driven attacks that compromise good data.

Third-Party Attacks

A third-party attack is one that doesn't involve the service you're intending to support at all but that uses the provisions you've made to support one service in order to attack a completely different one. For instance, if you allow inbound TCP connections to any port above 1024 in order to support some protocol, you are opening up a large number of opportunities for third-party attacks as people make inbound connections to completely different servers.
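To make the "any port above 1024" problem concrete, here is an added example (not code from the book): a small evaluator for abstract packet-filter rule tables in the spirit of the Chapter 8 tables, run against constructed packets. The rule fields, the two sample rule sets, the sample packets and the choice of port 2049 as the unrelated internal server are all assumptions made for illustration.

```python
"""Third-party attacks through a permissive "inbound to port >1023" rule.

Added example, not from the book. Rule fields, sample rules and packets are
constructed for illustration; the port numbers are only illustrative.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" = external -> internal, "out" = internal -> external
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    ack: bool = False   # TCP ACK bit set; False for the SYN that opens a connection


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    direction: str               # "in", "out" or "*"
    proto: str                   # "tcp", "udp" or "*"
    src_port: str                # "*", "80", ">1023", ...
    dst_port: str
    ack: Optional[bool] = None   # None = don't care, True = ACK must be set


def _port_match(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    if spec.startswith("<"):
        return port < int(spec[1:])
    return port == int(spec)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in ("*", pkt.direction)
            and rule.proto in ("*", pkt.proto)
            and _port_match(rule.src_port, pkt.src_port)
            and _port_match(rule.dst_port, pkt.dst_port)
            and (rule.ack is None or rule.ack == pkt.ack))


def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means deny (default-deny stance)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"


# Rule set A: let replies to outbound TCP connections back in by permitting
# anything inbound to a port above 1023 (the mistake the text describes).
NAIVE_RULES = [
    Rule("permit", "out", "tcp", "*", "*"),
    Rule("permit", "in", "tcp", "*", ">1023"),
]

# Rule set B: same intent, but inbound packets must carry ACK, so they can
# only belong to a connection the inside already opened.
ACK_RULES = [
    Rule("permit", "out", "tcp", "*", "*"),
    Rule("permit", "in", "tcp", "*", ">1023", ack=True),
]

# Constructed packets.
REPLY_FROM_WEB = Packet("in", "tcp", 80, 40000, ack=True)   # reply to an outbound HTTP request
NFS_SYN = Packet("in", "tcp", 31337, 2049)                  # outsider opening a connection to an internal NFS/TCP port


def exposed_ports(rules, proto: str = "tcp") -> int:
    """How many internal ports an outside host could open a connection to."""
    return sum(1 for port in range(1, 65536)
               if decide(rules, Packet("in", proto, 31337, port)) == "permit")
```

Both rule sets admit the legitimate reply, but only the naive one admits the outsider's SYN to port 2049: `exposed_ports(NAIVE_RULES)` is 64512 (every port from 1024 to 65535) against 0 for the ACK-based set. The ACK requirement stops connection establishment only; a crafted ACK-only packet still gets through, which is one reason the book pushes toward proxying or other connection-aware filtering for such services.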

False Authentication of Clients

A major risk for inbound connections is false authentication: the subversion of the authentication that you require of your users, so that an attacker can successfully masquerade as one of your users. This risk is increased by some special properties of passwords.

In most cases, if you have a secret you want to pass across the network, you can encrypt the secret and pass it that way. That doesn't help if the information doesn't have to be understood to be used. For instance, encrypting passwords will not work because an attacker who is using packet sniffing can simply intercept and resend the encrypted password without having to decrypt it. (This is called a playback attack because the attacker records an interaction and plays it back later.) Therefore, dealing with authentication across the Internet requires something more complex than encrypting passwords. You need an authentication method where the data that passes across the network is nonreusable, so an attacker can't capture it and play it back.

Simply protecting you against playback attacks is not sufficient, either. An attacker who can find out or guess what the password is doesn't need to use a playback attack, and systems that prevent playbacks don't necessarily prevent password guessing. For instance, Windows NT's challenge/response system is reasonably secure against playback attacks, but the password actually entered by the user is the same every time, so if a user chooses to use "password", an attacker can easily guess what the password is.

Furthermore, if an attacker can convince the user that the attacker is your server, the user will happily hand over his username and password data, which the attacker can then use immediately or at leisure. To prevent this, either the client needs to authenticate itself to the server using some piece of information that's not passed across the connection (for instance, by encrypting the connection) or the server needs to authenticate itself to the client.
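The two points above, that a challenge/response scheme makes the captured data nonreusable yet does nothing against a guessable password, can be shown in a few lines. This is an added example, not code from the book and not Windows NT's protocol: a generic HMAC-SHA256 challenge/response over a server nonce. The usernames, passwords and wordlist are constructed.

```python
"""Nonreusable authentication data defeats playback but not password guessing.

Added example, not from the book and not the Windows NT protocol: a generic
HMAC-SHA256 challenge/response. Names, wordlist and passwords are constructed.
"""
import hashlib
import hmac
import os
from typing import Optional


def respond(password: str, nonce: bytes) -> bytes:
    """Client side: prove knowledge of the password without sending it."""
    return hmac.new(password.encode(), nonce, hashlib.sha256).digest()


class Server:
    def __init__(self, users: dict):
        self._users = users    # username -> password (plaintext, for illustration only)
        self._pending = {}     # username -> nonce issued and not yet consumed

    def challenge(self, username: str) -> bytes:
        nonce = os.urandom(16)   # fresh per attempt, so a response is usable once
        self._pending[username] = nonce
        return nonce

    def verify(self, username: str, response: bytes) -> bool:
        nonce = self._pending.pop(username, None)   # consumed whether or not it verifies
        if nonce is None or username not in self._users:
            return False
        return hmac.compare_digest(respond(self._users[username], nonce), response)


def sniffed_login(server: Server, username: str, password: str):
    """A legitimate login, returning what a packet sniffer on the path would see."""
    nonce = server.challenge(username)
    response = respond(password, nonce)
    return nonce, response, server.verify(username, response)


def playback(server: Server, username: str, captured_response: bytes) -> bool:
    """Attacker replays the captured response; the server has issued a new nonce."""
    server.challenge(username)
    return server.verify(username, captured_response)


def offline_guess(nonce: bytes, response: bytes, wordlist) -> Optional[str]:
    """Attacker who captured one exchange tests candidate passwords locally."""
    for guess in wordlist:
        if hmac.compare_digest(respond(guess, nonce), response):
            return guess
    return None


WORDLIST = ["123456", "password", "letmein", "qwerty"]   # constructed
```

Replaying a sniffed response fails because the nonce it answered has been consumed, but the same sniffed pair lets the attacker test guesses as fast as HMAC runs, and "password" falls on the second try. Nothing in the exchange rate-limits that: the guessing happens entirely offline.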

Hijacking

Hijacking attacks allow an attacker to take over an open terminal or login session from a user who has been authenticated and authorized by the system. Hijacking attacks generally take place on a remote computer, although it is sometimes possible to hijack a connection from a computer on the route between the remote computer and your local computer.

How can you protect yourself from hijacking attacks on the remote computer? The only way is to allow connections only from remote computers whose security you trust; ideally, these computers should be at least as secure as your own. You can apply this kind of restriction by using either packet filters or modified servers. Packet filters are easier to apply to a collection of systems, but modified servers on individual systems allow you more flexibility. For example, a modified FTP server might allow anonymous FTP from any host, but authenticated FTP only from specified hosts. You can't get this kind of control from packet filtering. Under Unix, connection control at the host level is available from Wietse Venema's TCP Wrapper or from wrappers in TIS FWTK (the netacl program); these may be easier to configure than packet filters but provide the same level of discrimination -- by host only.

Hijacking by intermediate sites can be avoided using end-to-end integrity protection. If you use end-to-end integrity protection, intermediate sites will not be able to insert authentic packets into the data stream (because they don't know the appropriate key and the packets will be rejected) and therefore won't be able to hijack sessions traversing them. The IETF IPsec standard provides this type of protection at the IP layer under the name of "Authentication Headers", or AH protocol (RFC 2402). Application layer hijacking protection, along with privacy protection, can be obtained by adding a security protocol to the application; the most common choices for this are Transport Layer Security (TLS) or the Secure Socket Layer (SSL), but there are also applications that use the Generic Security Services Application Programming Interface (GSSAPI). For remote access to Unix systems the use of SSH can eliminate the risk of network-based session hijacking. IPsec, TLS, SSL, and GSSAPI are discussed further in Chapter 14, Intermediary Protocols. ssh is discussed in Chapter 18, Remote Access to Hosts.
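Why an intermediate site "can't insert authentic packets" when end-to-end integrity protection is in use: an added example (not the book's code, and not the AH wire format) in which each segment carries a sequence number and an HMAC-SHA256 tag under a key only the two endpoints hold. The key, payloads and the three attacker actions are constructed for illustration.

```python
"""End-to-end integrity protection against injection by an intermediate site.

Added example, not from the book and not the IPsec AH wire format: each
segment carries a sequence number and an HMAC-SHA256 tag under a key the
endpoints share. The key, payloads and attacker actions are constructed.
"""
import hashlib
import hmac
import struct
from typing import Optional

TAG_LEN = 32   # bytes of HMAC-SHA256 output


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: seq (4 bytes, big-endian) || payload || HMAC(key, seq || payload)."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class Receiver:
    def __init__(self, key: bytes):
        self._key = key
        self._next_seq = 0   # strictly in-order, window of one, for clarity

    def accept(self, segment: bytes) -> Optional[bytes]:
        """Return the payload if authentic and expected; None means 'drop'."""
        if len(segment) < 4 + TAG_LEN:
            return None
        header, body, tag = segment[:4], segment[4:-TAG_LEN], segment[-TAG_LEN:]
        expected = hmac.new(self._key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None   # forged by a party without the key, or modified in transit
        (seq,) = struct.unpack("!I", header)
        if seq != self._next_seq:
            return None   # replayed or out of order
        self._next_seq += 1
        return body


def intermediate_attempts(key: bytes) -> dict:
    """Three things a hop between the endpoints might try against a live session."""
    rx = Receiver(key)
    results = {"legit": None}
    rx.accept(protect(key, 0, b"ls -l"))
    captured = protect(key, 1, b"cat notes")        # segment seen on the wire
    results["legit"] = rx.accept(captured)
    results["replay"] = rx.accept(captured)           # same segment sent again
    results["forge"] = rx.accept(protect(b"guessed-key", 2, b"rm -rf /"))   # attacker's own key
    seg = protect(key, 2, b"echo hi")
    results["tamper"] = rx.accept(seg[:6] + b"XX" + seg[8:])   # two payload bytes changed
    results["next_legit"] = rx.accept(seg)            # the real stream still continues
    return results
```

The replay is dropped on the sequence check, the forged and modified segments on the tag check, and the receiver's expected sequence number is untouched by rejected segments, so the legitimate sender's next segment is still accepted. Real protocols (AH, TLS, SSH) use a replay window rather than a strict in-order counter and bind the tag to more header fields, but the property is the same: without the key, a hop on the path can drop or delay traffic but cannot take the session over.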

Hijacking at the remote computer is quite straightforward, and the risk is great if people leave connections unattended. Hijacking from intermediate sites is a fairly technical attack and is only likely if there is some reason for people to target your site in particular. You may decide that hijacking is an acceptable risk for your own organization, particularly if you are able to minimize the number of accounts that have full access and the time they spend logged in remotely. However, you probably do not want to allow hundreds of people to log in from anywhere on the Internet. Similarly, you do not want to allow users to log in consistently from particular remote sites without taking special precautions, nor do you want users to log in to particularly secure accounts or machines from the Internet.

The risk of hijacking can be reduced by having an idle session policy with strict enforcement of timeouts. In addition, it's useful to have auditing controls on remote access so that you have some hope of noticing if a connection is hijacked...


Table of Contents


I. Network Security

1. Why Internet Firewalls?
     What Are You Trying to Protect?
     What Are You Trying to Protect Against?
     Who Do You Trust?
     How Can You Protect Your Site?
     What Is an Internet Firewall?
     Religious Arguments

2. Internet Services
     Secure Services and Safe Services
     The World Wide Web
     Electronic Mail and News
     File Transfer, File Sharing, and Printing
     Remote Access
     Real-Time Conferencing Services
     Naming and Directory Services
     Authentication and Auditing Services
     Administrative Services

3. Security Strategies
     Least Privilege
     Defense in Depth
     Choke Point
     Weakest Link
     Fail-Safe Stance
     Universal Participation
     Diversity of Defense
     Security Through Obscurity

II. Building Firewalls

4. Packets and Protocols
     What Does a Packet Look Like?
     Protocols Above IP
     Protocols Below IP
     Application Layer Protocols
     IP Version 6
     Non-IP Protocols
     Attacks Based on Low-Level Protocol Details

5. Firewall Technologies
     Some Firewall Definitions
     Packet Filtering
     Proxy Services
     Network Address Translation
     Virtual Private Networks

6. Firewall Architectures
     Single-Box Architectures
     Screened Host Architectures
     Screened Subnet Architectures
     Architectures with Multiple Screened Subnets
     Variations on Firewall Architectures
     Terminal Servers and Modem Pools
     Internal Firewalls

7. Firewall Design
     Define Your Needs
     Evaluate the Available Products
     Put Everything Together

8. Packet Filtering
     What Can You Do with Packet Filtering?
     Configuring a Packet Filtering Router
     What Does the Router Do with Packets?
     Packet Filtering Tips and Tricks
     Conventions for Packet Filtering Rules
     Filtering by Address
     Filtering by Service
     Choosing a Packet Filtering Router
     Packet Filtering Implementations for General-Purpose Computers
     Where to Do Packet Filtering
     What Rules Should You Use?
     Putting It All Together

9. Proxy Systems
     Why Proxying?
     How Proxying Works
     Proxy Server Terminology
     Proxying Without a Proxy Server
     Using SOCKS for Proxying
     Using the TIS Internet Firewall Toolkit for Proxying
     Using Microsoft Proxy Server
     What If You Can't Proxy?

10. Bastion Hosts
     General Principles
     Special Kinds of Bastion Hosts
     Choosing a Machine
     Choosing a Physical Location
     Locating Bastion Hosts on the Network
     Selecting Services Provided by a Bastion Host
     Disabling User Accounts on Bastion Hosts
     Building a Bastion Host
     Securing the Machine
     Disabling Nonrequired Services
     Operating the Bastion Host
     Protecting the Machine and Backups

11. Unix and Linux Bastion Hosts
     Which Version of Unix?
     Securing Unix
     Disabling Nonrequired Services
     Installing and Modifying Services
     Reconfiguring for Production
     Running a Security Audit

12. Windows NT and Windows 2000 Bastion Hosts
     Approaches to Building Windows NT Bastion Hosts
     Which Version of Windows NT?
     Securing Windows NT
     Disabling Nonrequired Services
     Installing and Modifying Services

III. Internet Services

13. Internet Services and Firewalls
     Attacks Against Internet Services
     Evaluating the Risks of a Service
     Analyzing Other Protocols
     What Makes a Good Firewalled Service?
     Choosing Security-Critical Programs
     Controlling Unsafe Configurations

14. Intermediary Protocols
     Remote Procedure Call (RPC)
     Distributed Component Object Model (DCOM)
     NetBIOS over TCP/IP (NetBT)
     Common Internet File System (CIFS) and Server Message Block (SMB)
     Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
     Transport Layer Security (TLS) and Secure Socket Layer (SSL)
     The Generic Security Services API (GSSAPI)
     Remote Access Service (RAS)
     Point-to-Point Tunneling Protocol (PPTP)
     Layer 2 Transport Protocol (L2TP)

15. The World Wide Web
     HTTP Server Security
     HTTP Client Security
     Mobile Code and Web-Related Languages
     Cache Communication Protocols
     Push Technologies
     RealAudio and RealVideo
     Gopher and WAIS

16. Electronic Mail and News
     Electronic Mail
     Simple Mail Transfer Protocol (SMTP)
     Other Mail Transfer Protocols
     Microsoft Exchange
     Lotus Notes and Domino
     Post Office Protocol (POP)
     Internet Message Access Protocol (IMAP)
     Microsoft Messaging API (MAPI)
     Network News Transfer Protocol (NNTP)

17. File Transfer, File Sharing, and Printing
     File Transfer Protocol (FTP)
     Trivial File Transfer Protocol (TFTP)
     Network File System (NFS)
     File Sharing for Microsoft Networks
     Summary of Recommendations for File Sharing
     Printing Protocols
     Related Protocols

18. Remote Access to Hosts
     Terminal Access (Telnet)
     Remote Command Execution
     Remote Graphical Interfaces

19. Real-Time Conferencing Services
     Internet Relay Chat (IRC)
     Multimedia Protocols
     Multicast and the Multicast Backbone (MBONE)

20. Naming and Directory Services
     Domain Name System (DNS)
     Network Information Service (NIS)
     NetBIOS for TCP/IP Name Service and Windows Internet Name Service
     The Windows Browser
     Lightweight Directory Access Protocol (LDAP)
     Active Directory
     Information Lookup Services

21. Authentication and Auditing Services
     What Is Authentication?
     Authentication Mechanisms
     Modular Authentication for Unix
     NTLM Domains
     Remote Authentication Dial-in User Service (RADIUS)
     TACACS and Friends
     Auth and identd

22. Administrative Services
     System Management Protocols
     Routing Protocols
     Protocols for Booting and Boot-Time Configuration
     ICMP and Network Diagnostics
     Network Time Protocol (NTP)
     File Synchronization
     Mostly Harmless Protocols

23. Databases and Games

24. Two Sample Firewalls
     Screened Subnet Architecture
     Merged Routers and Bastion Host Using General-Purpose Hardware

IV. Keeping Your Site Secure

25. Security Policies
     Your Security Policy
     Putting Together a Security Policy
     Getting Strategic and Policy Decisions Made
     What If You Can't Get a Security Policy?

26. Maintaining Firewalls
     Monitoring Your System
     Keeping up to Date
     How Long Does It Take?
     When Should You Start Over?

27. Responding to Security Incidents
     Responding to an Incident
     What to Do After an Incident
     Pursuing and Capturing the Intruder
     Planning Your Response
     Being Prepared

V. Appendixes

A. Resources

B. Tools

C. Cryptography

Index

AAA servers, 591
access
      fail safe, 64-67
      least privilege, 59-61
      logging (see logs)
      monitoring at choke point, 62
      to networks, 19
      remote, to hosts, 488-519
      to unbuilt bastion host, 255
access router (see exterior routers)
accidents, 14
account management, 744-745
ACK (acknowledgment) bit
      with SMTP, 432
      TCP connections, 87
Active Channels, 416
Active Directory, 53, 585-586
Active Server Pages (ASP), 387
ActiveX, 410-412
      extension systems, 38
activity logs (see logs)
address-based authentication, 51
addresses
      accepted by router, 180-183
      email (see email)
      filtering by, 183-185
AES (Advanced Encryption Standard) algorithm, 844
AFS (Andrew File System), 47, 818
algorithms
      digital signature, 844
            DSA/DSS, 844
            Elliptic Curve, 845
      encryption, 826-829, 841-844
            selecting, 839
      evaluating, 847-848
      HMAC, 846
      key exchange, 846-847
      MD4/MD5, 845
      public key, 827
      SHA/SHA-1, 845
Andrew File System (see AFS)
anonymous FTP, 44, 286, 460-462
      via proxy server, 229
      removing files from, 466
      writable directories with, 462-464
      wuarchive server, 467
      (see also FTP)
APOP (version of POP), 446
AppleShare, 46
application-level
      gateways (see proxy services)
      proxy servers, 231
archives, self-decrypting, 426
ASP (Active Server Pages), 387
attackers (see intruders)
attacks (see incidents)
audit, security, 266-269, 295-296
      tools for, 815-816
Auth protocol, 627-629
authentication, 54, 148-149, 329, 591
      address-based, 51
      basic, 390
      client, network filesystems and, 46-47
      DNS and, 53
      false, 320-321, 326
      Microsoft RPC, 354
      mutual, 840
      network address translation, 118
      in NFS, 471-473
      protocol security and, 339
      of remote logins, 48
      SMB, 363-364, 618-619
      of SSH
            client, 502-503
            server, 501-502
      Sun RPC, 352-354
      TIS FWTK server, 605-607
      tools for, 813-815
      types of, 592-596
      for web pages, 390-391
      Windows NT, 619-620
automounting filesystems, 477-478

backup browsers, on Microsoft networks, 580
backups, 60, 162, 787
      of bastion hosts, 270-272
      of firewalls, 742
      logs and, 272
      using to restore system, 771
BackWeb program, 415
basic authentication, 390
bastion hosts, 103, 130, 241-272, 682
      backups of, 270-272
      building, 255
      DNS clients on, 557-558
      email addresses and, 433
      fake DNS server on, 552-554
      graphics on, 248
      internal, 243
      on internal firewalls, 156
      isolating, 128-133
      Linux, 273-296
      merging with routers, 140, 141
      multiple, 137-139
      network location of, 249
      nonrouting dual-homed, 243
      operating, 269-270
      operating systems for, 244-246
      physical location of, 248
      services on, 250, 252
      speed of, 246
      Unix, 245, 273-296
      usage profile, 269
      user accounts on, 253, 254
      Windows 2000, 297-314
      Windows NT, 245, 297-314
Berkeley Internet Name Domain (BIND), 540
bidirectionality of protocols, 172
biff service, 440
BIND (Berkeley Internet Name Domain), 540
biometric systems, 593
Blowfish algorithm, 843
BO2K program, 50, 518-519
books, on security, 810-812
booting protocols, 644-646
booting services, 284, 306
bootp protocol, 644
broadcasting, 535
browser client, on Microsoft networks, 580-581
Browser, the (see Windows Browser)
browsers, web, 36, 37-39
      as FTP clients, 457
      protocols and, 384
      security and, 390-397
BSD "r" commands (see "r" commands)
buffer overflow, as basis for attacks, 332, 408
      in packet filtering packages, 109
      in operating system, 257
BugTraq mailing list, 800
building bastion hosts, 255
byte compiling, 409

Cache Array Routing Protocol (CARP), 413
caching proxies, 402, 412-415
capturing intruders, 775-777
CARP (Cache Array Routing Protocol), 413
catastrophe logs, 258
      on Unix, 277
CD-ROM drive, 247
CERIAS, 797, 798
CERT advisories mailing list, 800
CERT-CC (Computer Emergency Response Team Coordination Center)
      FAQ, 802
      response teams, 785, 799
            contacting regarding incident, 768
certificate authority, 835
Certificate Revocation List (CRL), 836
CGI scripts, 387
challenge-response system, 595
chargen service, 661-663
      keeping secure, 789
      using Tripwire for, 295
choke points, 62, 701, 717
      using routers as, 166
choke router (see interior router)
chroot mechanism, 274, 461
chrootuid program, 820
CIFS (Common Internet File System), 46, 361, 480
      (see also SMB)
ciphertext, 825
circuit-level proxy servers, 231
Cisco routers, 181
clients
      authentication, network filesystems and, 46-47
      DNS, configuring, 555-558
      false authentication of, 320-321, 326
      HTTP, security of, 390-397
      NFS, 474
      port numbers, 318
      RPC-based, 351
            converting to use SOCKS, 236
            for proxying, 227
      SSH, authentication, 502-503
clocks
      configuring, 654-658
      setting, 57
COAST FTP archive, 798
code, publicly available, 340
command execution, 48
command-channel attacks, 320
      protecting against, 325
command-line arguments, 332
Common Internet File System (see CIFS)
Common Object Request Broker Architecture (see CORBA)
Computer Emergency Response Team Coordination Center (see CERT-CC)
computer games, 678-680
Computer Security Resource Clearinghouse (CSRC), 803
computer viruses, 25-26
conferences, security-related, 806-808
conferencing services, real-time, 51-52, 520-538
configuring
      audit packages, 266, 296
      clocks, 654-658
      DNS, 709
            clients, 555-558
            in screened subnet architecture, 690
      exterior routers, 695-699
      FTP, in screened subnet architecture, 688
      hardware, 247
      HTTP/HTTPS, 706
            in screened subnet architecture, 683-685
      interior routers, 691-695
      kernel, 291-293
      labeling system, 789
      machine, 264-266
            Unix, 291-295
      NIS (Network Information Service), 563
      NNTP, 709
            in screened subnet architecture, 690
      packet filtering router, 171-173
      SMTP, 707
            with firewalls, 433-434
            in screened subnet architecture, 685-686
      SSH, in screened subnet architecture, 687
      Telnet, in screened subnet architecture, 687
connections
      between Internet and unbuilt bastion host, 255
      checking network (see ping)
      disconnecting, 766, 780
      killed by TCP, 86
      multiple Internet, 145-156
      outbound, 116
      per session, 337-338
content filtering, 395-396
      of email, 428
cookies, 391-392
COPS (Computer Oracle and Password System), 815
      auditing package, 295
CORBA (Common Object Request Broker Architecture), 365-367
crashes, system, 271
CRC (cyclic redundancy counter), 296
CRL (Certificate Revocation List), 836
cron process, 282
crypt program, 261
cryptographic
      checksums, 267-269, 296, 829-831
      hashes, 829-831
            distribution of, 837-838
            size and strength of, 847
      systems, components of, 825-832
cryptography, 823-848
      certificates, 834-836
            trust models of, 836
      digital signatures, 832-833
      public key, 827, 840
      random numbers, 831-832
      Secure RPC and, 353
      in SSL, 370
      in TLS, 370
      (see also encryption)
CSRC (Computer Security Resource Clearinghouse), 803
custom
      client software for proxying, 227
      system, 772
      user procedures for proxying, 229
cyclic redundancy counter (CRC), 296

daemons, tools for, 817-819
data, 4
      DNS, 545
            mismatched, 548
      protecting, 831
            from sniffers, 323
      theft of, 14
            (see also information theft)
      transferring, 75, 165-223
            allowing/disallowing, 167
            evaluating protocols for, 330-331
            via TCP, 86-90
            (see also email; files, transferring)
database protocols, connecting to web servers with, 667
database servers, locating, 664-669
data-driven attacks, 320
      protecting against, 325
daytime service, 662
DCC (Direct Client Connections), 521
DCOM (Distributed Component Object Model), 358-359
dcomcnfg program, 358
debugging operating system, 257
dedicated proxy servers, 232
Deep Crack, 599
default deny stance, 65, 172
default permit stance, 65-67, 172
defense in depth, 61-62, 701, 717
Demilitarized Zone (DMZ), 103
denial of service attacks, 8-9, 40, 324-325
      HTTP and, 385
      ICMP and, 647
      JavaScript and, 407
      protecting against, 327
DependOnGroup registry key, 304
DependOnService registry key, 304
DES (Data Encryption Standard) algorithm, 842
designing firewalls, 28-30
destination unreachable codes (see ICMP)
Dfs (Distributed File System), 482
DHCP (Dynamic Host Configuration Protocol), 644-646
diagramming the system, 788
dictionary attacks, 602
Diffie-Hellman algorithm, 846
digital signature, 832-833
      in ActiveX, 411-412
      algorithms, 844
      in OpenPGP, 429-430
      in S/MIME, 429-430
Direct Client Connections (DCC), 521
Directory Replication (Windows NT), 660
disabling
      routing (see routers, disabling)
      services, 259-263
            on Unix, 280-282, 283-287
            on Windows NT, 307-308, 309-312
discard service, 661-663
disconnecting
      machine, 780
            after incident, 766
      from network, 766
            plan for, 781
disk space (see memory; resources)
disks, needs for, 247
DisplayName registry key, 304
Distributed Component Object Model (DCOM), 358-359
Distributed File System (Dfs), 482
diversity of defense systems, 68
DMZ (Demilitarized Zone), 103
DNS (Domain Name Service), 53-54, 252, 539-563
      clients, 555-558
      con?guring, 709
            to hide information, 559
            without hiding information, 559-561
            in screened subnet architecture, 690
      data, 545
      fake server, 552-554
      hiding information with, 551-558
      revealing information to attackers, 549
      server for internal hosts, 554
      Windows 2000 and, 561-562
      on Windows NT, 310
DNS Mail Exchange (MX), 433
documenting
      plan for, 786
      system after incident, 769, 785
domain controllers, 615-617
      communication among, 621
domain master browser, on Microsoft networks, 579
Domain Name Service (see DNS)
domains, on Microsoft networks, 577
Domino server, 443-445
dot (.) files, disabling creation of, 464
double-reverse lookups, 548, 553
DSA (Digital Signature Algorithm), 844
DSS (Digital Signature Standard) algorithm, 844
dual-homed hosts, 103
      architecture of, 123-126
      as firewall, 262
      nonrouting, 243
      proxy services (see proxy services)
dumpel utility, 300
dynamic packet filtering, FTP and, 458

echo service, 661-663
electronic mail (see email)
electronic sabotage (see denial of service attacks)
Elliptic Curve algorithm, 845, 846
email, 40-42, 251, 423-450
      attachments, 427-428
      encryption and, 425
      flooding, 8-9
      mailing lists, resources via, 799
      security of, 425-426
      Sendmail, 41
      SMTP, 41
      spam, 426-427
      to trace intruders, 777
      viruses, 427-428
encapsulation, 76
encrypted timestamp, 595
encrypting executables, 261, 308
encryption, 825-829
      algorithms, 826-829
            selecting, 839
            types of, 841-844
      email and, 425
      key distribution, 120
      network address translation, 118
      in OpenPGP, 429-430
      packet filtering perimeter, 119
      in RDP, 517
      in S/MIME, 429-430
      virtual private networks, 120
      (see also cryptography)
ErrorControl registry key, 304
errors, ICMP codes for, 175-177
ESMTP (Extended SMTP), 430-431
espionage, 14
/etc/hosts.allow file, 289
/etc/hosts.deny file, 289
/etc/inetd.conf file, 289
/etc/rc file, services started by, 278
Ethernet, packet layer, 77
Event Logger, 299, 300
Event Viewer, 299, 300
EventLog service, 308
executables, encrypting, 261, 308
Explorer (see Internet Explorer)
Extended SMTP (ESMTP), 430-431
extension systems, 37-39
exterior routers, 132-133, 682
      configuring, in screened subnet architecture, 695-699
            with bastion host, 140
            with interior router, 139
      multiple, 145-146
            on HTTP servers, 386-390
            on HTTP clients, 394-395
            on HTTP clients, 392-394

factoring attacks, 353
fail safety, 64-67
fail-safe stance, 702, 718
false authentication of clients, 320-321
      protecting against, 326
File Replication Service (FRS), 660-661
file synchronization protocols, 658-661
File Transfer Protocol (see FTP)
files
      locking, with NFS, 475-477
      removing from anonymous FTP area, 466
      sharing, 43, 45-47, 470-482
            on Microsoft networks, 479-482
      synchronizing, 658-661
      transferring, 43-45, 454-470
            by prearrangement, 465
            (see also printing)
      uploading by prearrangement, 465
filesystems
      automounting, 477-478
      backing up, 787
      mounting as read-only, 265, 294
      network, 45-47
filtering, packets (see packet filtering)
filtering routers (see screening routers)
finger service, 286, 586-588
fingerd server, 285-286
fingerprint authentication, 593
firewalls, 21-23
      architecture of, 122-156
      backing up, 742-743
      buying versus building, 28-30
      content-aware, 395-396
      designing, 157-164
      dual-homed host as, 262
      FAQ for, 810
      internal, 149-156
            bastion hosts on, 156
      IP multicasting and, 537
      IPv6, 95
      on joint networks, 154-156
      keeping current, 758-762
      layering, 61
      mailing lists about, 799
      maintaining, 742-763
      multiple bastion hosts, 137-139
      NTP and, 657
      one-box, 244
      recreating entirely, 762
      resources for, 797-812
      responding to
            probes of, 756-758
            security incidents, 764-793
      sample configurations, 681-719
      security policies for, 723-741
      SMTP and, 433-434
      technologies, 102-121
      testing, 203
      tools for, 813-822
      weakest link, 63
      what to protect, 4-7, 823-825
      X Window System and, 507
      (see also security)
FIRST response teams, 802
flooding, 8-9
flows, IPv6, 95
forgery
      man-in-the-middle, 184
      of packets, 174
      source address, 184
forwarders directive (DNS), 555
fragments, packet, 79, 81-85
FRS (File Replication Service), 660-661
FTP (File Transfer Protocol), 44-45, 286, 455-468
      anonymous, 460-464
            removing files from, 466
      configuring, in screened subnet architecture, 688
      passive (or PASV) mode, 456-458
      proxying with TIS FWTK, 237
      resources for, 798-801
      server, preventing attacks from, 466-467
      via proxy server, 229
      write-only incoming directory, 464
      wuarchive daemon, 817
      wuarchive server, 467
      (see also TFTP)
ftpd program, 286
ftp-gw proxy server, 689
functions, SOCKS versus standard network, 236
fuser program, 336
FWALL-Users mailing list, 800

games (see computer games)
GateD routing daemon, 285
gateways, application-level (see proxy services)
general-purpose routers, 192
generic proxy servers, 232
Generic Security Services API (GSSAPI), 373
GINA (Graphical Identification and Authorization), 620
Gopher service, 419-422
      proxying with TIS FWTK, 238
Graphical Identification and Authorization (GINA), 620
graphics, on bastion host, 248
Group registry key, 305
GSSAPI (Generic Security Services API), 373

hardening machines, 255-256
hardware
      configuration of, 247
      routers (see routers)
header packet, 76
      nested IP, 95
      packet filtering, 194
Hewlett-Packard printers, 486
hijacking, 321-322
      protecting against, 326
            with SSH, 503
HINFO records, 550
HMAC, 831
      algorithm, 846
host unreachable codes (see ICMP)
hosts
      bastion (see bastion hosts)
      dual-homed (see dual-homed hosts)
      multiple, 252
      screened (see screened hosts)
      security of, 18
      speed of, 246
      victim (see victim hosts)
hot fixes, and services, 314
housekeeping, 742-746
HTML (Hypertext Markup Language), 36
HTTP (Hypertext Transfer Protocol), 35, 384-422
      client security, 390-397
      configuring, 706
            in screened subnet architecture, 683-685
      network address translation in, 403
      packet filtering in, 400-401
      proxying in, 401-403
            with TIS FWTK, 238
      server, 399
            security of, 385-390
      tunneling, 398-399
      using with databases, 669
      (see also HTTPS; Secure HTTP)
http-gw proxy, 238
HTTPS, 404-405
      configuring, 706
            in screened subnet architecture, 683-685
hybrid proxying (see routers, proxy-aware)
Hypertext Markup Language (HTML), 36
Hypertext Transfer Protocol (HTTP), 35

ICA (Independent Computing Architecture), 50, 515-517
ICMP (Internet Control Message Protocol), 57, 91, 647-654
      echo, 648
            (see also ping)
      packets, 652-654
      returning error codes, 175-177
ICMP Router Discovery Protocol (IRDP), 642-643
ICP (Internet Cache Protocol), 412-413
ICQ, 523-525
IDEA (International Data Encryption Algorithm), 843
identd, 627-629
Igateway program, 227
IGMP (Internet Group Management Protocol), 641-642
IIOP (Internet Inter-Orb Protocol), 365-367
ImagePath registry key, 305
IMAP (Internet Message Access Protocol), 41, 448-450
immutable attribute (BSD 4.4-Lite), 295
inbound packets, 172
      filtering rules for, 198-203
      Telnet, 187
incident response teams, 768, 785, 802-805
      resources for, 799
incidents, 319-327
      accidental, 14
      buffer overflow, 332, 408
      command-channel attacks, 320, 325
      contacting service providers about, 785
      data-driven attacks, 320, 325
      denial of service, 324-325, 327
            ICMP and, 647
      detecting, plan for, 778
      documenting system after, 769
            planning for, 785
      email viruses, 427-428
      evaluating, plan for, 779
      factoring attacks, 353
      false authentication of clients, 320-321, 326
      hijacking, 321-322, 326
            SSH protection against, 503
      intrusions, 7
      IP spoofing, 98-99
      man-in-the-middle forgery, 185
      multiple failed logins, 755
      notifying people of, 767, 782
      packet sniffing attacks, 100-101, 322-323, 326
      password attacks, 602
      playback attacks, 321
      port scanning, 97
      practicing drills for, 793
      recovering from, 770-772
            planning for, 786
      replay attacks, 324, 326
      responding to, 758, 764-793
      reviewing, strategies for, 787
      social manipulation, 40
      third-party attacks, 320, 326
      tools and supplies for, 791
      Trojan horse, ICMP and, 647
      types of, 7-11
      using SSH, 500
      weak TCP/IP implementations, exploiting, 98
Independent Computing Architecture (see ICA)
independent screened subnet, 135-137
inetd process, 282
      modifying for anonymous FTP, 461
      services started by, 280
information lookup services, 586-590
information theft, 10-11
      espionage, 14
init process, 282
insecure networks, 151
installing
      filesystems as read-only, 265, 294
      kernel, 291-293
      operating system, 256
      services, 264
            on Unix/Linux, 288-290
            on Windows NT, 313-314
      software on machine, 264, 291-295
intelligent proxy servers, 232
interior gateway protocols (see routing protocols)
interior routers, 131, 682
      configuring, 691-695
            with bastion host, 141
            with exterior routers, 139
      multiple, 142-145
internal
      bastion hosts, 243
      firewalls, 149-156
Internet
      conferencing services, real-time, 51-52
      connections to unbuilt bastion host, 255
      Control Message Protocol (see ICMP)
      defense in depth, 61
      email over (see email)
      firewalls (see firewalls)
      logging activity on (see logs)
      multiple connections to, 145-156
      Protocol (see IP)
      Relay Chat (see IRC)
      security resource, 800
      services (see Internet services)
Internet Cache Protocol (ICP), 412-413
Internet Explorer, 36
      security zones and, 396-397
Internet games (see Quake; computer games)
Internet Group Management Protocol (IGMP), 641-642
Internet Inter-Orb Protocol (IIOP), 365-367
Internet Message Access Protocol (see IMAP)
Internet Printing Protocol (IPP), 486
Internet Relay Chat (see IRC)
Internet services, 33-58, 317-348
      default deny stance, 65
      default permit stance, 65-67
      disabling, 259-263
            on Unix, 280-282, 283-287
            on Windows NT, 301-307, 308-309
      evaluating risks of, 327-334
      filtering by, 185-190
      installing and/or modifying
            on Unix, 288-291
            on Windows NT, 313-314
      installing/modifying, 264
intruders
      pursuing and capturing, 775-777
      recovering from, 771
      revealing DNS information to, 549
      reviewing response strategies, 787
      slower machines and, 246
      types of, 11-15
intrusions (see incidents)
inzider program, 336, 820
IP addresses
      in packet filtering rules, 180
      network address translation, 118
IP forwarding, disabling, 313
IP (Internet Protocol), 79-85
      fragmentation, 81-85
      multicasting, 537-538
      nested over IP, 92
      packet layer, 78
      packet routes to (see traceroute program)
      source route option, 81
      status and control messages, 91
      Version 6 (IPv6), 94
IP security protocol (IPsec), 373-377
IP source route option, 81
IP spoofing, 98-99
ipchains filtering system, 203-206
      compared to ipfilter, 211
      masquerading and, 208-210
ipfilter filtering system, 210-211
      compared to ipchains, 211
IPP (Internet Printing Protocol), 486
IPsec (IP security protocol), 373-377
IPsec Policy Agent, 309
IRC (Internet Relay Chat), 51, 520-523
IRDP (ICMP Router Discovery Protocol), 642-643

Java, 408-410
Java Database Connectivity (JDBC), 670
JavaScript, 406-408
      extension systems, 38
JDBC (Java Database Connectivity), 670
joint networks, 154-156
joyriders, 12
junk email, 426-427

KDC (Key Distribution Center), 611
Kerberos authentication system, 47, 609-615, 814
      POP and, 446
      in SSH, 502
Kerberos-supporting Post Office Protocol (KPOP), 446
kernel, reconfiguring, 291-293
Key Distribution Center (KDC), 611
key distribution, encryption, 120
keystroke timing authentication, 594
KPOP (Kerberos-supporting Post Office Protocol), 446

L2TP (Layer 2 Transport Protocol), 381-383
labeling the system, 788
laboratory networks, 150
LanMan format, 598
LanManager, 480
LAN-oriented service, 252
Layer 2 Transport Protocol (L2TP), 381-383
layering firewalls, 61
LDAP (Lightweight Directory Access Protocol), 53, 583-585
least privilege principle, 59-61, 700, 717
legal issues
      documentation of incidents, 772
      pursuing intruders, 777
      security responsibilities, 732-734
Lightweight Directory Access Protocol (see LDAP)
Linux, xvii
      bastion host, 273-296
      Internet services on, 278-280, 282-283
            disabling, 280-282, 283-287
            installing and modifying, 288-290
      ipchains, 203-206
            compared to ipfilter, 211
            using, 208
      ipfilter, 210-211
            example, 182
            configuring, 291-295
            securing, 275-278
      masquerading, 206-210
      netfilter, 212
      syslog example, 277
      (see also Unix)
Linux Documentation Project, 798
Linux Router Project, 798
Livingston routers, 181
LMRepl service, 660
local newsgroups, 43
lockd, 476
locking files, with NFS, 475-477
logins
      remote, 48
      successful, from unexpected site, 756
logs, 162, 257-259, 790
      of accepted/dropped packets, 201
      backups and, 272
      creating with SOCKS, 234
      memory required for, 746, 749
      network address translation, 118
      proxy services, 113
      of router actions, 173
      setting up
            on Unix, 276-278
            on Windows NT, 299-301
      trimlog program for, 822
      unexpectedly deleted or modified, 756
      what to watch for, 749-754
      (see also syslog)
lookups, DNS, 541, 548
Lotus Notes, 443-445
lp/lpr printing systems, 484-485

machine
      auditing (see audit, security)
      backing up, 787
      choosing, 244-248
      configuring, 264-266
            on Unix/Linux, 291-295
      connecting, 269
      disconnecting or shutting down, 780
      hardening, 255-256
      hardware (see hardware)
      physical location of, 248
      securing, 256-259, 347-348
            on Unix/Linux, 275-278
            on Windows NT, 299-301
      software (see software)
      speed of, 246
mail (see email)
mail delivery agent (MDA), 423
mail servers, evaluating, 427
mail transfer agent (MTA), 423
mail user agent (MUA), 423
mailing lists, keeping current, 758, 799
maintaining firewalls, 742-763
management tools, 55
managing accounts, 744-745
man-in-the-middle forgery, 184
MAPI (Microsoft Messaging API), 450
masquerading, 206-210
master browser, on Microsoft networks, 579-580
MBONE (Multicast Backbone), 52, 535-538
MD4 algorithm, 601, 845
MDA (mail delivery agent), 423
memory, 247
      for logs, 746, 749
      managing, 745
merging interior and exterior routers, 139
message digests, 829-831
meta-packets, and filtering, 194
Microsoft DNS server, disabling, 310
Microsoft Exchange, 41, 442-443
Microsoft Internet Explorer (see Internet Explorer)
Microsoft Messaging API (MAPI), 450
Microsoft networks
      browser roles, 579-581
      common security problems in, 514
      domains, 577
      file sharing on, 479-482
      workgroups, 577
Microsoft Proxy Server, 238-239
Microsoft RPC, 350, 442
      authentication, 354
      (see also RPC)
Microsoft SQL Server (see SQL Server)
Microsoft TCP/IP printing services, disabling, 310
Microsoft Terminal Server/Terminal Services, 517-518
MIME (Multimedia Internet Mail Extensions), 428-429
      extensions (see S/MIME; OpenPGP)
mobile code systems, 406-412
modem pools, 148-149
modifying services, 264
      on Unix, 288-290
      on Windows NT, 313-314
monitoring system, 746-758
      automatically, 269
Morris worm, 330, 333
mountd, 283, 472, 478
mounting filesystems, 265, 294
mrouter, 92
MRTG program, 270
MTA (mail transfer agent), 423
MUA (mail user agent), 423
Multicast Backbone (see MBONE)
multicast IP, 92
multicasting, 535-538
Multimedia Internet Mail Extensions (see MIME)
MX records, 552

named programs (DNS), 555
naming services (see DNS)
NAT (see network address translation)
nested IP over IP, 92
Net Logon service, 309
Net8, 670-674
netacl program, 290
NetBEUI, 480
NetBIOS, 480
      disabling, 310
NetBIOS names, 565, 568-569
NetBIOS over TCP/IP (see NetBT)
NetBT, 359-361, 480, 565-576
      disabling, 311
      name service, 568-572
Netcaster, 416
netcat program, 335
netfilter filtering system, 212
NetMeeting, 533-535
NetSaint program, 270
Netscape Navigator, 36
netstat program, 308, 336
networks
      architecture (see firewalls, architecture of)
      checking connectivity of (see ping)
      diagnostics, 647-654
      disconnecting from
            after incident, 766
            plan to, 781
      File System (see NFS)
      filesystems, 45-47
      functions, SOCKS version of, 236
      independent screened, 135-137
      insecure, 151
      internal, locating web and database servers on, 666
      joint, 154-156
      lab/test, 150
      location of bastion host on, 249
      management services, 55, 630-663
      monitoring automatically, 269
      perimeter, 103, 129, 682
            locating web and database servers on, 665
      protecting internally, 149-156
      security (see security)
      split-screened, architecture of, 133-135
      taps, 11
      Time Protocol (see NTP)
      transferring information across (see packet filtering)
      virtual private (see VPN)
network address translation (NAT), 103, 114-116
      advantages/disadvantages, 116-118
Network Information Service (see NIS)
Network Monitor, 635
Network News Transfer Protocol (see NNTP)
network unreachable codes (see ICMP)
newsgroups, 42, 450-453
      keeping current via, 759
      private, 43
      security resources via, 801
NFS (Network File System), 46, 350, 470-479
      client, 474
      disabling, 283
      file locking with, 475-477
NIS+, 564
NIS (Network Information Service), 54, 350, 540, 563-565
      disabling, 283
NIST CSRC (Computer Security Resource Clearinghouse), 803
NNTP (Network News Transfer Protocol), 42, 450-453
      configuring, 709
            in screened subnet architecture, 690
      proxying, 232
NOCOL program, 270
nonrouting dual-homed hosts, 243, 262
notifying people of incidents, 767, 782
NT LM Security Support Provider, 308
NTBugTraq mailing list, 800
NTLM domains, 615-622
NTP (Network Time Protocol), 57, 654-658
      proxying, 232

ObjectName registry key, 305
ODBC (Open Database Connectivity), 669-670
on program, 49
one-time passwords, 600-605
Open Database Connectivity (ODBC), 669-670
Open Shortest Path First (OSPF), 639-641
OpenPGP, 429-430
operating systems
      choosing, 273-275, 298-299
            for bastion host, 244-246
      fixing bugs in, 257
      installation of, 256
      Linux (see Linux)
      multiple, proxying and, 225
      proxy-aware, 228
      testing reload of, 792
      Unix (see Unix)
      Windows NT (see Windows NT)
Oracle Net8, 670-674
Oracle SQL*Net, 670-674
OSPF (Open Shortest Path First), 639-641
OTP system, 600-603
outbound
      finger requests, 587
      packets, 172
            filtering rules for, 198-203
            Telnet, 186

packages, auditing, 266-269
      Unix, 295-296
packet filtering, 75-77, 103, 104-110, 165-223
      by address, 183-185
      administering systems, 178-180
      bastion hosts, protection for, 264
      bugs in packages, 109
      conventions for, 193
      dynamic, 169-170
      examples of, 216-223
      with exterior router, 132
      implementations, on general-purpose computers, 203-214
      inbound vs. outbound, 198-203
      with interior router, 131
      IP (see IP)
      perimeter, encryption and, 119
      routers
            choosing, 190-202
            configuring, 171-178
      rules for, 180-185, 216, 217-223, 710-716
            editing offline, 178
            IP addresses in, 180
            reloading, 178
            in screened subnet architecture, 691-699
            sequence of, 194-198
            updating, 179
      with screened host architecture, 126-128
      by service, 185-190
      by source port, 189
      stateful, 169-170
      testing, 203
      tools for, 816
      where to do, 214-216
      on Windows NT, 212-214
packet sniffing attacks, 322-323
      protecting against, 326
packets, 75, 103
      accepted/dropped, logging, 201
      forged, 174
      fragmenting, 79, 81-85
      handling (by router), 173-177
      headers of, 76
      ICMP, 652-654
      inbound vs. outbound, 172
      sniffing, 100-101, 326
            programs, 322-323
      source-routed, 263
      structure, 75-97
      TCP, 86-90
      UDP, 90
      (see also traceroute program)
page process, 282
PAM (Pluggable Authentication Modules), 607-609
papers, security-related, 808-810
passive (or PASV) mode, FTP, 456-458
password aging, 745
passwords, 594-600
      automatically generated, 599
      cracking, 599
      false authentication and, 321
      one-time, 596, 600-605
      for packet filters, 180
      on PostScript printers, 483
      in SSH, 503
      stealing with network taps, 11
      time-based, 609
      Unix, 597
      on web pages, 390
      Windows NT, 598
      (see also authentication)
patches, 761
pcbind service, 284
Performance Monitor, 635
performance, with multiple interior routers, 143
perimeter networks, 103, 129
      shared, 155
PGP program, 308
ping program, 57, 647-649
PKIX (Public-Key Infrastructure X.509), 835
plaintext, 825
platforms, xvii
playback attacks, 321
Plug and Play service, 309
Pluggable Authentication Modules (PAM), 607-609
plug-gw proxy, 238
plug-ins, 37, 393
PlugPlayServiceType registry key, 305
Pointcast program, 415
Point-to-Point Protocol (PPP), 378-381
policy, security (see security, policies for)
POP (Post Office Protocol), 41, 445-448
port forwarding, in SSH, 503-505
port numbers
      assigned, 338
            finding, 336
      client, 318
      setting, 356
portmap service, 284, 818
portmapper server, 351, 478
ports
      network address translation, 118
      scanning, 97
      source, filtering by, 189
Postfix program, 437
PostScript
      files, 393
      printers, attacks from, 483
PPP (Point-to-Point Protocol), 378-381
printing, 60, 483-487
      Hewlett-Packard printers, 486
      PostScript printers, 483
      systems, 47
      Windows-based, 486
private newsgroups, 43
privileges, root, 435
probes, responding to, 756-758
procedures for proxying, custom, 229
processing speed, 246
programming languages, web-related, 406-412
programs
      evaluating security of, 339-346
            on HTTP clients, 394-395
            on HTTP servers, 386-390
      removing nonessential, 293
      uploading on HTTP servers, 390
      removing nonessential on Windows NT, 308
promiscuous mode, 249
Protected Storage service, 309
protocol checking, 170-171
protocol modification, 339
protocols
      analyzing, 333-336
      assigned port numbers, 338
      bidirectionality of, 172
      custom, 669
      evaluating, 327-334
      file synchronization, 658-661
      implementation of, evaluating, 331-333
      above IP, 85-93
      below IP, 93
      non-IP, 96
      from OSI, 441
      routing, 637-644
      security of, 838-841
            proxying and, 339
      time-dependence of, 655
Proxy Server, 238-239
proxy services, 104, 110-113, 224-240
      advantages/disadvantages, 113-114
      application- versus circuit-level, 231
      generic vs. dedicated, 232
      intelligent servers, 232
      Microsoft Proxy Server, 238-239
      multiple operating systems, 225
      protocol security, 339
      without proxy server, 232
      SOCKS package for, 233-236
      software for, 226-230
      TIS Internet Firewalls Toolkit for, 237-238
      tools for, 816
      when unable to provide, 239
public key cryptography, 827, 840
      in SSH, 501, 502
      (see also cryptography)
Public-Key Infrastructure X.509 (PKIX), 835
pull technology, 415
pursuing intruders, 775-777
push technologies, 415-416

Qmail program, 438
Quake, 679

"r" command services, 285
"r" commands, 285, 492-495
      NAT characteristics of, 495
      packet filtering characteristics of, 493-494
      proxy services characteristics of, 494
RADIUS (Remote Authentication Dial-in User Service), 622-625
random numbers, 831-832
RAS (Remote Access Service), 377-378
      disabling, 310
RC2/RC4 algorithms, 843
RCMD service, 497-498
RCONSOLE service, 497-498
rcp transfer program, 45
rdist program, 658
RDP (Remote Desktop Protocol), 49, 517
read-only filesystems, 265, 294
RealAudio/RealVideo, 417-419
RealNetworks, 417-419
RealServer, 417
real-time conferencing services, 520-538
rebooting, 271
recording activity (see logs)
recovering after incident, 770-772
      plan for, 786
registry keys
      insecure, 306
      permissions on, 314
      for services, 304-306
remote
      command execution, 491-507
      computers, hijacking, 321-322
      terminal access, 48
Remote Access Service (see RAS)
Remote Authentication Dial-in User Service (RADIUS), 622-625
Remote Desktop Protocol (see RDP)
remote graphical interfaces
      Windows operating systems, 49, 514-519
      X Window System, 507-514
Remote Procedure Call (see RPC)
REMOTE service, 497-498
remote terminal access (see Telnet)
replay attacks, 324
      protecting against, 326
reputation, 6, 40
resources, 5
      (see also memory)
response teams (see incident response teams)
retina authentication, 593
reverse lookups, 548, 553
reviewing security policies, 728
rex service, 497
rexec server, 495-496
rhosts authentication mechanism, 502
RIP (Routing Information Protocol), 637-639
RISKS mailing list, 801
rlogin program, 49
      proxying with TIS FWTK, 238
root privileges, required by Sendmail, 435
routed server, 285
router discovery, 642-643
routers, 165
      as choke point, 166
      choosing, 190-202
      disabling, 262-263
            on Unix/Linux, 287-288
            on Windows NT, 312-313
      exterior (or access) (see exterior routers)
      handling packets, 173-177
      interior (see interior routers)
      logging actions of, 173
      merging interior and exterior, 139
      multicast, 92
      network address translation, 103
      proxy-aware, 230
      returning ICMP error codes, 175-177
      screening (see screening routers)
      single-purpose vs. general-purpose, 192
      testing, 151
      where to filter, 214-216
routing protocols, 56, 637-644
RPC Locator server, 351
RPC (Remote Procedure Call), 349-358
      disabling, 283
      network address translation in, 357
      packet filtering in, 354-356
      portmapper server, 351
      proxying in, 357
      RPC Locator server, 351
      service number, 350
      on Windows NT, 309
RSA algorithm, 841, 847
rsh program, 49
rsync program, 658-660

sabotage (see denial of service attacks)
SAGE (System Administrators Guild), 805
Samba, 481-482
sandbox security model, 408-410
SANS Institute, 806
SATAN (Security Administrator's Tool for Analyzing Networks), 295, 816
sc command, 304
scanning ports, 97
SCM (Service Control Manager), 302
scorekeepers, 13
screened hosts
      architecture of, 126-128
      screened subnets and, 147
screened subnets
      architecture of, 128-133, 681-704
      screened hosts and, 147
screening routers, 75, 104-110, 122-123
      acceptable addresses for, 180-183
      choosing, 190-202
      configuring, 171-173
      proxy systems, 225
      rules for, 180-223
      where to use, 214-216
      (see also packet filtering)
Secure HTTP, 404-405
Secure RPC, 353
secure shell (see SSH)
Secure Socket Layer (see SSL)
security
      ActiveX and, 410
      against system failure, 64-67
      audit, 266-269
            on Unix, 295-296
      of backups, 270-272
      bastion host speed and, 246
      books on, 810-812
      of BSD "r" commands, 492
            on Unix/Linux, 492
            on Windows, 493
      of checksums, 789
      choke points, 701, 717
      of computer games, 678
      of database protocols, 664
      default deny stance, 172
      default permit stance, 172
      defense in depth, 701, 717
      designing for network, 28-30
      diversity of defense, 68, 703, 718
      of DNS, 547-550
      drills for, practicing, 793
      of email, 425-426
      fail-safe stance, 702, 718
      of FTP, 460
      host, 18
      of HTTP, 385-397
      of ICMP, 647
      incident response teams (see incident response teams)
      incidents (see incidents)
      of IRC, 520
      of Java, 409
      of JavaScript, 407
      lack of, 17
      least privilege, 700, 717
      legal responsibilities, 732-734
      of lpr and lp printing systems, 484
      of machine, 256-259
            Unix/Linux, 276-277
            Windows NT, 299-301
      models, 17-21
      modem pools, 148-149
      of Net8, 670-671
      netacl, 290
      of NetBT name service, 574
      networks
            insecure, 151
            protecting, 149-156
      of NIS, 563
      of NNTP, 451
      operating system bugs, 257
      of passwords, 597
      policies for, 23, 723-741
            reviewing, 728
      of POP, 446
      of PostScript printers, 483
      of programs
            evaluating, 339-346
            indicators of, 344-346
      of protocols, 838-841
            proxying and, 339
      of push technologies, 416
      of rdist, 658
      of remote graphical interfaces
            on Windows operating systems, 514-515
      resources for, 797-812
      of routing protocols, 637
      sandbox model, 408-410
      of Sendmail, 434-436
      simplicity of, 70
      of SNMP, 632
      of SQL*Net, 670-671
      of SSH, 500-501
      strategies for, 59-70
      TCP Wrapper, 289
      terminal servers, 148-149
      time information and, 655
      universal participation, 67, 702, 718
      of VBScript, 408
      weakest link, 63, 701, 718
      when proxying is ineffective, 240
      when system crashes, 271
      of whois service, 589
      of Windows Browser, 582-583
      of WINS, 574
      of X Window System, 507
      zones, Internet Explorer and, 396-397
      (see also firewalls)
security manager (Java), 409
self-decrypting archives, 426
Sendmail, 41, 60, 434-436
      Morris worm, 330, 333
      (see also SMTP)
servers
      AAA, 591
      caching, 402, 412-415
      database, locating, 664-669
      DNS
            for internal hosts, 554
            setting up fake, 552-554
      FTP, preventing attacks from, 466-467
      HTTP, 399
            security of, 385-390
      KDC, 611
      mail, evaluating, 427
      proxy (see proxy services)
      routed, 285
      SMB authentication, 618-619
      SMTP
            commercial, 438
            freely available, 436-438
            for Windows NT, 440-441
      SSH, authentication, 501-502
      TIS FWTK authentication, 605-607
      web, 39-40
      Windows Browser, 576-583
      WINS, communication among, 573
      wuarchive, 467
Server Message Block (SMB) (see SMB)
Service Control Manager (see SCM)
service packs, services and, 314
services, 317-348
      biff, 440
      booting, on Unix, 284
      contacting providers about incidents, 768, 785
      disabling those not required, 259-263
            on Unix/Linux, 280-282, 283-287
            on Windows NT, 307-308, 309-312
            on Unix/Linux, 282-283
            on Windows NT, 308-309
      evaluating risks of, 327-334
      information lookup, 586-590
      installing and modifying, 264
            on Unix/Linux, 288-290
            on Windows NT, 313-314
      LAN-oriented, 252
      management of, on Unix/Linux, 278-280
      network management (see network, management services)
      protecting with TCP Wrapper, 289
      proxy (see proxy services)
      "r" commands, 285
      real-time conferencing, 520-538
      registry keys for, 304-306
      selecting for bastion host, 250
      started by /etc/rc, 278
      Windows NT, 301-307
setgid/setuid capabilities, 274
sharing files, 43, 45-47, 470-482
      on Microsoft networks, 479-482
SHA/SHA-1 algorithms, 845
shell scripts, 278
shutting down systems, 766, 780
Simple Mail Transfer Protocol (see SMTP)
Simple Network Management Protocol (see SNMP)
Simple Public Key Infrastructure (SPKI), 835
Simple TCP/IP printing services, disabling, 311
single-purpose routers, 192
S/Key password program, 600-603
Skipjack algorithm, 843
smail program, 436-437
smap/smapd programs, 437, 439
Smart Card service, 309
SMB (Server Message Block), 361-365, 480
      authentication, 363-364, 618-619
      (see also CIFS)
S/MIME, 429-430
SMS (System Management Server), 635
SMTP (Simple Mail Transfer Protocol), 41, 251, 430-441
      configuring, 707
            firewalls and, 433-434
            in screened subnet architecture, 685-686
      proxying, 232
      servers
            commercial, 438
            freely available, 436-438
            for Windows NT, 440-441
      for Unix (see Sendmail)
snapshots, system, 769
      planning for, 785
sniffers, 322-323
      protecting against, 326
      (see also packet sniffing attacks)
sniffing for passwords, 602
SNMP (Simple Network Management Protocol), 55-56, 632-634
      disabling, on Windows NT, 311-312
snuffle program, 261
social manipulation attacks, 40
SOCKS package, 233-236, 817
      functions, 236
      HTTP proxying on, in screened subnet architecture, 685
      modified finger service, 588
      proxy system for ping, 649
      versions, 234
      (see also proxy services)
software
      installing on machine, 264-266, 291-295
      proxying, 111, 114, 226-230
            (see also proxy services)
      routers (see routers)
      system monitoring, 269
      viruses, 26
source address
      filtering by, 183-185
      forgery, 184
source port, filtering by, 189
source routing, 263
      option, IP, 81
spam, 426-427
speed, processing, 246
spell command, Unix, 296
spies, 14
SPKI (Simple Public Key Infrastructure), 835
split-screened subnets, architecture of, 133-135
Spooler service, 309
SQL Server, 676-678
SQL*Net, 670-674
SSH (secure shell), 499-507
      configuring, in screened subnet architecture, 687
      security of, 500-501
      X Window System, support for, 506
SSL (Secure Socket Layer), 368-372
      email and, 431
SSMTP, 431
Start registry key, 305
startup scripts, 278
statd, 475
Subkeys registry key, 306
subnet architecture, screened, 128-133, 681-704
Sun RPC, 350
      authentication, 352-354
      (see also RPC)
swap process, 282
Sybase, 674-676
syslog protocol, 630-631
      daemons, 276-277
      example output from, 751-753
syslogd process, 282
systems
      crashes, watching carefully, 271
      cryptographic, components of, 825-832
      customized, 772
      defense, diversity of, 68
      documenting after incident, 769, 785
      failure of, 64-67
      keeping up-to-date, 760
      labeling and diagramming, 788
      logs (see logs)
      monitoring, 269, 746-758
      operating, testing reload of, 792
      rebuilding, 771
      restoring after incident, 770-772
            planning for, 786
      shutting down, 766
System Management Server (SMS), 635

Tabular Data Stream (TDS), 674
TACACS, 625-627
Tag registry key, 305
talk conferencing system, 338, 525-528
tapes, needs for, 247
taps, 11
      (see also packet sniffing attacks)
TCP (Transmission Control Protocol), 86-90
      packet filtering in, 337
      proxying in, 336
      RPC and, 351
      sequence numbers, 89-90
TCP Wrapper package, 289-291, 820
tcpd program, 289
TCP/IP
      NetBIOS over, 359-361
      packet, 77-79
      weak implementations, exploiting, 98
      on Windows NT, 310, 311
TDS (Tabular Data Stream), 674
Telebit NetBlazer, 181
Telnet, 48, 186-189, 488-491
      configuring, in screened subnet architecture, 687
      inbound, 187
            vs. outbound, 489
      outbound, 186
      packet filtering characteristics of, 491
      proxy services characteristics of, 491
      proxying with TIS FWTK, 238
Telstra, 797
terminal servers, 148-149
Terminal Server/Services, 49
test networks, 150
      firewalls, 203
      reload of operating system, 792
      routers, 151
TFTP (Trivial File Transport Protocol), 45, 468-470
theft of information (see information theft)
third-party attacks, 320
      protecting against, 326
Tiger auditing package, 295, 815
time service, 57
time-based passwords, 609
timestamp, encrypted, 595
TIS Internet Firewalls Toolkit (TIS FWTK), 814
      authentication server, 605-607
      FTP proxy server, 459
      ftp-gw-proxy server, 689
      HTTP proxying on, in screened subnet architecture, 685
      for proxying, 237-238
TLS (Transport Layer Security), 369-371
      email and, 431
tools
      for firewalls, 813-822
      for security incidents, 791
ToolTalk, 367-368
traceroute program, 56, 649-652
tracert (see traceroute program)
transferring files (see files, transferring)
transparency, 110
      of client changes for proxying, 228
transparent proxying (see routers, proxy-aware)
Transport Layer Security (see TLS)
trees, DNS, 545
trimlog program, 822
Triple A server, 591
Triple DES algorithm, 842
Tripwire package, 295, 815
Trivial File Transport Protocol (see TFTP)
Trojan horse attacks, ICMP and, 647
tunneling
      HTTP, 398-399
      multicast, 537-538
      SSH, of X Window System, 509
TXT records, 550
Type registry key, 305

UCE (Unsolicited Commercial Email), 426
UDP (User Datagram Protocol), 90
      Packet Relayer, 817
      RPC and, 351
unicasting, 535
universal participation, 67, 702, 718
Unix, xvii
      bastion host, 245, 273-296
      checksum programs, 296
      Internet services on, 278-280, 282-283
            disabling, 280-282, 283-288
            installing and modifying, 288-290
            protecting with TCP Wrapper, 289
      ipfilter, 210-211
            compared to ipchains, 211
            configuring, 291-295
            securing, 275-278
      operating system versions, 273-275
      passwords, 597
      software, for system monitoring, 270
      system logs, setting up, 276-278
      window system, 50
Unsolicited Commercial Email (UCE), 426
uploading programs on HTTP servers, 390
usage profile, 269
Usenet news, 42
Usenet newsgroups (see newsgroups)
USENIX Association, 804
      conferences, 806
user accounts, on bastion host, 253, 254
User Datagram Protocol (see UDP)
User Manager for Domains, 621
utilities for firewalls, 820-822

validating firewalls, 203
vandals, 12
VBScript, 408
      extension systems, 38
victim hosts, 243, 251
viewers, external, on HTTP clients, 392-394
Virtual Local Area Network (VLAN), 101
virtual private network (VPN), 104, 120
viruses, 25-26
      email, 427-428
      on Windows NT, 306
Visual Basic (see VBScript)
VLAN (Virtual Local Area Network), 101
voiceprint authentication, 593
VPN (virtual private network), 104, 120

WAIS (Wide Area Information Servers), 419-422
WCCP (Web Cache Coordination Protocol), 414-415
weakest link, 63, 701, 718
web browsers, 36, 37-39
      as FTP clients, 457
      protocols and, 384
      security and, 390-397
Web Cache Coordination Protocol (WCCP), 414-415
web of trust, 836
web pages on firewalls, 797-798
web servers, 39-40
web-related programming languages, 406-412
whois service, 588-590
Wide Area Information Servers (WAIS), 419-422
window systems, 50
Windows 2000
      Active Directory, 585-586
      bastion host, 297-314
      DNS and, 53, 561-562
      File Replication Service (FRS), 660-661
      Kerberos authentication system in, 610
      packet filtering on, 213
      printing, 486
      SMB on, 364
      Telnet on, 488
Windows 2000 Server, 298
Windows 95, printing, 486
Windows Browser, 576-583
      elections, 581-582
      security, 582-583
Windows Internet Name Service (see WINS)
Windows NT
      bastion host, 245, 297-314
      diagnosing problems, 635
      Directory Replication, 660
      file permissions, 314
      file-sharing protocols, 46
      machine, securing, 299-301
      operating system versions, 298-299
      packet filtering on, 212-214
      passwords, 598
      printing, 486
      proxying services (see Microsoft Proxy Server)
      "r" commands supported by, 493
      remote command services, 497-498
      RPC on, 350, 356
      services on, 301-307, 308-309
            disabling, 307-308, 309-312
            installing and modifying, 313-314
      SMTP servers for, 41, 440-441
      SNMP agents, 56
      system logs, setting up, 299-301
      system monitoring for, 270
      Telnet on, 488
      tracking usage, 635
      versions, xvii
Windows NT Resource Kit, 299
      "r" commands supported by, 493
      remote command services, 497
Windows NT Server, 298
Windows operating systems
      authentication, 619-620
      machines running, managing, 635
      name resolution in, 567-568
      NTLM domains, 615
      remote graphical interfaces for, 514-519
WINS manager, 574
WINS (Windows Internet Name Service), 53, 565-576
      servers, communication among, 573
WinSock proxy, 239
workgroups, on Microsoft networks, 577
World Wide Web (see WWW)
wuarchive
      daemon, 817
      server, 467
WWW (World Wide Web), 35-36, 384-422
      (see also Internet)

X Window System, 507-514
      supported by SSH, 506
X11 window system, 50
X.400 mail protocol, 441
x-gw proxy, 238
XTACACS, 625-627

YP (Yellow Pages) (see NIS)

zone transfers, DNS, 541


Customer Reviews

Average Rating 5 (1)
Anonymous

Posted August 23, 2000

Excellent Guide to Firewalls

In this day and age, attacks by so-called 'hackers' against companies' internal networks are always a threat, and virtually any business, government or educational institution needs to protect itself against this threat. Firewalls (while not 100% safe) offer excellent protection against such attacks. These attacks, as the book says, can come in many forms, such as 'denial of service' attacks. This updated second edition offers a lot of information about setting up and maintaining a firewall. It describes different types of firewalls, the tools (both software & hardware) you can use to set up your firewall, which Internet services (World Wide Web, electronic mail and netnews, FTP, telnet, teleconferencing, etc.) you can decide to put through a firewall, and how to maintain it once the firewall has been set up. There's a lot of good common-sense information in here too, when it talks about how you go about deciding what should and shouldn't be protected, who will have access to which services, what kind of security policies to set up, and what to do when you do have any type of 'break-in.' I learned quite a bit about firewalls from this book, and anyone who needs to learn about firewalls should get a copy of this book if they haven't already.
