This appendix describes some of the tools and packages available on the Internet that you might find useful in building and maintaining your firewall. Many of these tools are mentioned in this book. Although this software is freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, it can't ordinarily be exported outside the United States). Carefully read the documentation files that are distributed with the packages.
Although we have used most of the software listed here, we can't take responsibility for ensuring that the copy you get will work properly and won't cause any damage to your system. As with any software, test it before you use it.
Many packages have verifiable digital signatures; the software supplier provides a cryptographic checksum for the package that has been encrypted with the supplier's private key. You can verify that you have the correct package by decrypting the checksum with the supplier's public key and calculating the checksum on the package yourself, and making sure that they match. We encourage you to take the trouble to use these signatures when you are dealing with security-sensitive software. Many people have distributed booby-trapped versions of popular software packages.
The tools in this category provide support for various types of authentication. See Chapter 21, for information about different authentication approaches.
| ftp://ftp.tis.com/pub/firewalls/toolkit/ |
The TIS Internet Firewall Toolkit (TIS FWTK), from Trusted Information Systems, is a very useful, well-designed, and well-written set of programs you might find useful for authentication and other purposes. It includes:
An authentication server that provides several mechanisms for supporting nonreusable passwords (described in Chapter 21)
An access control program, netacl (described in Chapter 11)
Proxy servers for a variety of protocols (FTP, HTTP, Gopher, rlogin, Telnet, and X11) (described in Chapter 9)
A generic proxy server for simple TCP-based protocols using one-to-one or many-to-one connections, such as NNTP (described in Chapter 9)
A wrapper (the smap package) for SMTP servers such as Sendmail to protect them from SMTP-based attacks (described in Chapter 16)
A wrapper for inetd-started servers such as telnetd and ftpd to control where they can be contacted from (much like the TCP Wrapper package described later in this appendix and in Chapter 11)
The toolkit is designed so that you can pick and choose only the pieces you need; you don't have to install the whole thing. The pieces you do install share a common configuration file, however, which makes managing configuration changes somewhat easier.
Some parts of the toolkit (the server for the nonreusable password system, for example) require a Data Encryption Standard (DES) library in some configurations. If your system doesn't already have one (look for a file named libdes.a in whatever directories code libraries are kept on your system), you can get one from:
| ftp://ftp.psy.uq.oz.au/pub/Crypto/DES/ |
TIS FWTK maintains a mailing list for discussions of improvements, bugs, fixes, and other issues among people using the toolkit; Send email to fwall-users-request@tis.com to subscribe to this list.
| ftp://athena-dist.mit.edu/pub/kerberos/ |
| ftp://coast.cs.purdue.edu/pub/tools/unix/kerberos/ |
Kerberos was developed by Project Athena at the Massachusetts Institute of Technology. From the Kerberos Frequently Asked Questions (FAQ) file:
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data-stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.