Building Internet Firewalls, 2nd Edition
Preface
Scope of This Book
Audience
Platforms
Products
Examples
Conventions Used in This Book
Comments and Questions
Acknowledgments for the Second Edition
Acknowledgments for the First Edition
I. Network Security
1. Why Internet Firewalls?
1.1. What Are You Trying to Protect?
1.1.1. Your Data
1.1.2. Your Resources
1.1.3. Your Reputation
1.2. What Are You Trying to Protect Against?
1.2.1. Types of Attacks
1.2.1.1. Intrusion
1.2.1.2. Denial of service
1.2.1.3. Information theft
1.2.2. Types of Attackers
1.2.2.1. Joyriders
1.2.2.2. Vandals
1.2.2.3. Scorekeepers
1.2.2.4. Spies (industrial and otherwise)
1.2.3. Stupidity and Accidents
1.2.4. Theoretical Attacks
1.3. Who Do You Trust?
1.4. How Can You Protect Your Site?
1.4.1. No Security
1.4.2. Security Through Obscurity
1.4.3. Host Security
1.4.4. Network Security
1.4.5. No Security Model Can Do It All
1.5. What Is an Internet Firewall?
1.5.1. What Can a Firewall Do?
1.5.1.1. A firewall is a focus for security decisions
1.5.1.2. A firewall can enforce a security policy
1.5.1.3. A firewall can log Internet activity efficiently
1.5.1.4. A firewall limits your exposure
1.5.2. What Can't a Firewall Do?
1.5.2.1. A firewall can't protect you against malicious insiders
1.5.2.2. A firewall can't protect you against connections that don't go through it
1.5.2.3. A firewall can't protect against completely new threats
1.5.2.4. A firewall can't fully protect against viruses
1.5.2.5. A firewall can't set itself up correctly
1.5.3. What's Wrong with Firewalls?
1.5.3.1. Firewalls interfere with the Internet
1.5.3.2. Firewalls don't deal with the real problem
1.6. Religious Arguments
1.6.1. Buying Versus Building
1.6.2. Unix Versus Windows NT
1.6.3. That's Not a Firewall!
2. Internet Services
2.1. Secure Services and Safe Services
2.2. The World Wide Web
2.2.1. Web Client Security Issues
2.2.2. Web Server Security Issues
2.3. Electronic Mail and News
2.3.1. Electronic Mail
2.3.2. Usenet News
2.4. File Transfer, File Sharing, and Printing
2.4.1. File Transfer
2.4.2. File Sharing
2.4.3. Printing Systems
2.5. Remote Access
2.5.1. Remote Terminal Access and Command Execution
2.5.2. Remote Graphic Interfaces for Microsoft Operating Systems
2.5.3. Network Window Systems
2.6. Real-Time Conferencing Services
2.7. Naming and Directory Services
2.8. Authentication and Auditing Services
2.9. Administrative Services
2.9.1. System Management
2.9.2. Routing
2.9.3. Network Diagnostics
2.9.4. Time Service
2.10. Databases
2.11. Games
3. Security Strategies
3.1. Least Privilege
3.2. Defense in Depth
3.3. Choke Point
3.4. Weakest Link
3.5. Fail-Safe Stance
3.5.1. Default Deny Stance: That Which Is Not Expressly Permitted Is Prohibited
3.5.2. Default Permit Stance: That Which Is Not Expressly Prohibited Is Permitted
3.6. Universal Participation
3.7. Diversity of Defense
3.7.1. Inherent Weaknesses
3.7.2. Common Configuration
3.7.3. Common Heritage
3.7.4. Skin-Deep Differences
3.7.5. Conclusion
3.8. Simplicity
3.9. Security Through Obscurity
II. Building Firewalls
4. Packets and Protocols
4.1. What Does a Packet Look Like?
4.1.1. TCP/IP/Ethernet Example
4.1.1.1. Ethernet layer
4.1.1.2. IP layer
4.1.1.3. TCP layer
4.2. IP
4.2.1. IP Multicast and Broadcast
4.2.2. IP Options
4.2.3. IP Fragmentation
4.3. Protocols Above IP
4.3.1. TCP
4.3.1.1. TCP options
4.3.1.2. TCP sequence numbers
4.3.2. UDP
4.3.3. ICMP
4.3.4. IP over IP and GRE
4.4. Protocols Below IP
4.5. Application Layer Protocols
4.6. IP Version 6
4.7. Non-IP Protocols
4.8. Attacks Based on Low-Level Protocol Details
4.8.1. Port Scanning
4.8.2. Implementation Weaknesses
4.8.3. IP Spoofing
4.8.3.1. The attacker can intercept the reply
4.8.3.2. The attacker doesn't need to see the reply
4.8.3.3. The attacker doesn't want the reply
4.8.4. Packet Interception
5. Firewall Technologies
5.1. Some Firewall Definitions
5.2. Packet Filtering
5.2.1. Advantages of Packet Filtering
5.2.1.1. One screening router can help protect an entire network
5.2.1.2. Simple packet filtering is extremely efficient
5.2.1.3. Packet filtering is widely available
5.2.2. Disadvantages of Packet Filtering
5.2.2.1. Current filtering tools are not perfect
5.2.2.2. Packet filtering reduces router performance
5.2.2.3. Some policies can't readily be enforced by normal packet filtering routers
5.3. Proxy Services
5.3.1. Advantages of Proxying
5.3.1.1. Proxy services can be good at logging
5.3.1.2. Proxy services can provide caching
5.3.1.3. Proxy services can do intelligent filtering
5.3.1.4. Proxy systems can perform user-level authentication
5.3.1.5. Proxy systems automatically provide protection for weak or faulty IP implementations
5.3.2. Disadvantages of Proxying
5.3.2.1. Proxy services lag behind nonproxied services
5.3.2.2. Proxy services may require different servers for each service
5.3.2.3. Proxy services usually require modifications to clients, applications, or procedures
5.4. Network Address Translation
5.4.1. Advantages of Network Address Translation
5.4.1.1. Network address translation helps to enforce the firewall's control over outbound connections
5.4.1.2. Network address translation can help restrict incoming traffic
5.4.1.3. Network address translation helps to conceal the internal network's configuration
5.4.2. Disadvantages of Network Address Translation
5.4.2.1. Dynamic allocation requires state information that is not always available
5.4.2.2. Embedded IP addresses are a problem for network address translation
5.4.2.3. Network address translation interferes with some encryption and authentication systems
5.4.2.4. Dynamic allocation of addresses interferes with logging
5.4.2.5. Dynamic allocation of ports may interfere with packet filtering
5.5. Virtual Private Networks
5.5.1. Where Do You Encrypt?
5.5.2. Key Distribution and Certificates
5.5.3. Advantages of Virtual Private Networks
5.5.3.1. Virtual private networks provide overall encryption
5.5.3.2. Virtual private networks allow you to remotely use protocols that are difficult to secure any other way
5.5.4. Disadvantages of Virtual Private Networks
5.5.4.1. Virtual private networks involve dangerous network connections
5.5.4.2. Virtual private networks extend the network you must protect
6. Firewall Architectures
6.1. Single-Box Architectures
6.1.1. Screening Router
6.1.1.1. Appropriate uses
6.1.2. Dual-Homed Host
6.1.2.1. Appropriate uses
6.1.3. Multiple-Purpose Boxes
6.1.3.1. Appropriate uses
6.2. Screened Host Architectures
6.2.1. Appropriate Uses
6.3. Screened Subnet Architectures
6.3.1. Perimeter Network
6.3.2. Bastion Host
6.3.3. Interior Router
6.3.4. Exterior Router
6.3.5. Appropriate Uses
6.4. Architectures with Multiple Screened Subnets
6.4.1. Split-Screened Subnet
6.4.1.1. Appropriate uses
6.4.2. Independent Screened Subnets
6.4.2.1. Appropriate uses
6.5. Variations on Firewall Architectures
6.5.1. It's OK to Use Multiple Bastion Hosts
6.5.2. It's OK to Merge the Interior Router and the Exterior Router
6.5.3. It's OK to Merge the Bastion Host and the Exterior Router
6.5.4. It's Dangerous to Merge the Bastion Host and the Interior Router
6.5.5. It's Dangerous to Use Multiple Interior Routers
6.5.6. It's OK to Use Multiple Exterior Routers
6.5.7. It's Dangerous to Use Both Screened Subnets and Screened Hosts
6.6. Terminal Servers and Modem Pools
6.7. Internal Firewalls
6.7.1. Laboratory Networks
6.7.2. Insecure Networks
6.7.3. Extra-Secure Networks
6.7.4. Joint Venture Firewalls
6.7.5. A Shared Perimeter Network Allows an "Arms-Length" Relationship
6.7.6. An Internal Firewall May or May Not Need Bastion Hosts
7. Firewall Design
7.1. Define Your Needs
7.1.1. What Will the Firewall Actually Do?
7.1.1.1. What services do you need to offer?
7.1.1.2. How secure do you need to be?
7.1.1.3. How much usage will there be?
7.1.1.4. How much reliability do you need?
7.1.2. What Are Your Constraints?
7.1.2.1. What budget do you have available?
7.1.2.2. What personnel do you have available?
7.1.2.3. What is your environment like?
7.2. Evaluate the Available Products
7.2.1. Scalability
7.2.2. Reliability and Redundancy
7.2.3. Auditability
7.2.4. Price
7.2.5. Management and Configuration
7.2.6. Adaptability
7.2.7. Appropriateness
7.3. Put Everything Together
7.3.1. Where will logs go, and how?
7.3.1.1. How will you back up the system?
7.3.1.2. What support services does the system require?
7.3.1.3. How will you access the machines?
7.3.1.4. Where will routine reports go, and how?
7.3.1.5. Where will alarms go, and how?
8. Packet Filtering
8.1. What Can You Do with Packet Filtering?
8.1.1. Basic Packet Filtering
8.1.2. Stateful or Dynamic Packet Filtering
8.1.3. Protocol Checking
8.2. Configuring a Packet Filtering Router
8.2.1. Protocols Are Usually Bidirectional
8.2.2. Be Careful of "Inbound" Versus "Outbound" Semantics
8.2.3. Default Permit Versus Default Deny
8.3. What Does the Router Do with Packets?
8.3.1. Logging Actions
8.3.2. Returning Error Codes
8.3.3. Making Changes
8.4. Packet Filtering Tips and Tricks
8.4.1. Edit Your Filtering Rules Offline
8.4.2. Reload Rule Sets from Scratch Each Time
8.4.3. Replace Packet Filters Atomically
8.4.4. Always Use IP Addresses, Never Hostnames
8.4.5. Password Protect Your Packet Filters
8.4.6. If Possible, Use Named Access Lists
8.5. Conventions for Packet Filtering Rules
8.6. Filtering by Address
8.6.1. Risks of Filtering by Source Address
8.7. Filtering by Service
8.7.1. Outbound Telnet Service
8.7.2. Inbound Telnet Service
8.7.3. Telnet Summary
8.7.4. Risks of Filtering by Source Port
8.8. Choosing a Packet Filtering Router
8.8.1. It Should Have Good Enough Packet Filtering Performance for Your Needs
8.8.2. It Can Be a Single-Purpose Router or a General-Purpose Computer
8.8.3. It Should Allow Simple Specification of Rules
8.8.4. It Should Allow Rules Based on Any Header or Meta-Packet Criteria
8.8.5. It Should Apply Rules in the Order Specified
8.8.5.1. If the rules are applied in the order ABC
8.8.5.2. If the rules are applied in the order BAC
8.8.5.3. Rule B is actually not necessary
8.8.5.4. Packet filtering rules are tricky
8.8.6. It Should Apply Rules Separately to Incoming and Outgoing Packets, on a Per-Interface Basis
8.8.7. It Should Be Able to Log Accepted and Dropped Packets
8.8.8. It Should Have Good Testing and Validation Capabilities
8.9. Packet Filtering Implementations for General-Purpose Computers
8.9.1. Linux ipchains and Masquerading
8.9.1.1. ipchains
8.9.1.2. Testing ipchains rules
8.9.1.3. Masquerading
8.9.1.4. How masquerading works
8.9.1.5. Available specialized masquerading modules
8.9.1.6. Using ipchains (including masquerading)
8.9.2. ipfilter
8.9.3. Comparing ipfilter and ipchains
8.9.4. Linux netfilter
8.9.5. Windows NT Packet Filtering
8.10. Where to Do Packet Filtering
8.11. What Rules Should You Use?
8.12. Putting It All Together
9. Proxy Systems
9.1. Why Proxying?
9.2. How Proxying Works
9.2.1. Using Proxy-Aware Application Software for Proxying
9.2.2. Using Proxy-Aware Operating System Software
9.2.3. Using Proxy-Aware User Procedures for Proxying
9.2.4. Using a Proxy-Aware Router
9.3. Proxy Server Terminology
9.3.1. Application-Level Versus Circuit-Level Proxies
9.3.2. Generic Versus Dedicated Proxies
9.3.3. Intelligent Proxy Servers
9.4. Proxying Without a Proxy Server
9.5. Using SOCKS for Proxying
9.5.1. Versions of SOCKS
9.5.2. SOCKS Features
9.5.3. SOCKS Components
9.5.4. Converting Clients to Use SOCKS
9.6. Using the TIS Internet Firewall Toolkit for Proxying
9.6.1. FTP Proxying with TIS FWTK
9.6.2. Telnet and rlogin Proxying with TIS FWTK
9.6.3. Generic Proxying with TIS FWTK
9.6.4. Other TIS FWTK Proxies
9.7. Using Microsoft Proxy Server
9.7.1. Proxy Server and SOCKS
9.7.2. Proxy Server and WinSock
9.8. What If You Can't Proxy?
9.8.1. No Proxy Server Is Available
9.8.2. Proxying Won't Secure the Service
9.8.3. Can't Modify Client or Procedures
10. Bastion Hosts
10.1. General Principles
10.2. Special Kinds of Bastion Hosts
10.2.1. Nonrouting Dual-Homed Hosts
10.2.2. Victim Machines
10.2.3. Internal Bastion Hosts
10.2.4. External Service Hosts
10.2.5. One-Box Firewalls
10.3. Choosing a Machine
10.3.1. What Operating System?
10.3.2. How Fast a Machine?
10.3.3. What Hardware Configuration?
10.4. Choosing a Physical Location
10.5. Locating Bastion Hosts on the Network
10.6. Selecting Services Provided by a Bastion Host
10.6.1. Multiple Services or Multiple Hosts?
10.7. Disabling User Accounts on Bastion Hosts
10.8. Building a Bastion Host
10.9. Securing the Machine
10.9.1. Start with a Minimal Clean Operating System Installation
10.9.2. Fix All Known System Bugs
10.9.3. Use a Checklist
10.9.4. Safeguard the System Logs
10.9.4.1. System logs for convenience
10.9.4.2. System logs for catastrophes
10.9.4.3. Logging and time
10.9.4.4. Choosing what to log
10.10. Disabling Nonrequired Services
10.10.1. How to Disable Services
10.10.1.1. Next steps after disabling services
10.10.2. Running Services on Specific Networks
10.10.3. Turning Off Routing
10.10.4. Controlling Inbound Traffic
10.10.5. Installing and Modifying Services
10.10.6. Reconfiguring for Production
10.10.6.1. Finalize the operating system configuration
10.10.6.2. Mount filesystems as read-only
10.10.7. Running a Security Audit
10.10.7.1. Auditing packages
10.10.7.2. Use cryptographic checksums for auditing
10.10.8. Connecting the Machine
10.11. Operating the Bastion Host
10.11.1. Learn What the Normal Usage Profile Is
10.11.2. Consider Using Software to Automate Monitoring
10.12. Protecting the Machine and Backups
10.12.1. Watch Reboots Carefully
10.12.2. Do Secure Backups
10.12.3. Other Objects to Secure
11. Unix and Linux Bastion Hosts
11.1. Which Version of Unix?
11.2. Securing Unix
11.2.1. Setting Up System Logs on Unix
11.2.1.1. syslog Linux example
11.2.1.2. System logs for catastrophe
11.3. Disabling Nonrequired Services
11.3.1. How Are Services Managed Under Unix?
11.3.1.1. Services started by /etc/rc files or directories
11.3.1.2. Services started by inetd
11.3.2. Disabling Services Under Unix
11.3.3. Which Services Should You Leave Enabled?
11.3.4. Specific Unix Services to Disable
11.3.4.1. NFS and related services
11.3.4.2. Other RPC services
11.3.4.3. Booting services
11.3.4.4. BSD "r" command services
11.3.4.5. routed
11.3.4.6. fingerd
11.3.4.7. ftpd
11.3.4.8. Other services
11.3.5. Running Services on Specific Networks
11.3.6. Turning Off Routing
11.4. Installing and Modifying Services
11.4.1. Using the TCP Wrapper Package to Protect Services
11.4.1.1. TCP Wrapper example
11.4.1.2. Using netacl to protect services
11.4.2. Evaluating and Configuring Unix Services
11.5. Reconfiguring for Production
11.5.1. Reconfigure and Rebuild the Kernel
11.5.2. Remove Nonessential Programs
11.5.3. Mount Filesystems as Read-Only
11.6. Running a Security Audit
12. Windows NT and Windows 2000 Bastion Hosts
12.1. Approaches to Building Windows NT Bastion Hosts
12.2. Which Version of Windows NT?
12.3. Securing Windows NT
12.3.1. Setting Up System Logs Under Windows NT
12.4. Disabling Nonrequired Services
12.4.1. How Are Services Managed Under Windows NT?
12.4.1.1. Registry keys
12.4.1.2. Other ways to start programs under Windows NT
12.4.2. How to Disable Services Under Windows NT
12.4.3. Next Steps After Disabling Services
12.4.4. Which Services Should You Leave Enabled?
12.4.5. Specific Windows NT Services to Disable
12.4.5.1. The Services control panel
12.4.6. Turning Off Routing
12.5. Installing and Modifying Services
III. Internet Services
13. Internet Services and Firewalls
13.1. Attacks Against Internet Services
13.1.1. Command-Channel Attacks
13.1.2. Data-Driven Attacks
13.1.3. Third-Party Attacks
13.1.4. False Authentication of Clients
13.1.5. Hijacking
13.1.6. Packet Sniffing
13.1.7. Data Injection and Modification
13.1.8. Replay
13.1.9. Denial of Service
13.1.10. Protecting Services
13.2. Evaluating the Risks of a Service
13.2.1. What Operations Does the Protocol Allow?
13.2.1.1. What is it designed to do?
13.2.1.2. Is the level of authentication and authorization it uses appropriate for doing that?
13.2.1.3. Does it have any other commands in it?
13.2.2. What Data Does the Protocol Transfer?
13.2.3. How Well Is the Protocol Implemented?
13.2.3.1. Does it have any other commands in it?
13.2.4. What Else Can Come in If I Allow This Service?
13.3. Analyzing Other Protocols
13.4. What Makes a Good Firewalled Service?
13.4.1. TCP Versus Other Protocols
13.4.2. One Connection per Session
13.4.3. One Session per Connection
13.4.4. Assigned Ports
13.4.5. Protocol Security
13.5. Choosing Security-Critical Programs
13.5.1. My Product Is Secure Because . . .
13.5.1.1. It contains no publicly available code, so it's secret
13.5.1.2. It contains publicly available code, so it's been well reviewed
13.5.1.3. It is built entirely from scratch, so it didn't inherit any bugs from any other products
13.5.1.4. It is built on an old, well-tested code base
13.5.1.5. It doesn't run as root/Administrator/LocalSystem
13.5.1.6. It doesn't run under Unix, or it doesn't run on a Microsoft operating system
13.5.1.7. There are no known attacks against it
13.5.1.8. It uses public key cryptography (or some other secure-sounding technology)
13.5.2. Their Product Is Insecure Because . . .
13.5.2.1. It's been mentioned in a CERT-CC advisory or on a web site listing vulnerabilities
13.5.2.2. It's publicly available
13.5.2.3. It's been successfully attacked
13.5.3. Real Indicators of Security
13.5.3.1. Security was one of the design criteria
13.5.3.2. The supplier can discuss how major security problems were avoided
13.5.3.3. It is possible for you to review the code
13.5.3.4. Somebody you know and trust actually has reviewed the code
13.5.3.5. There is a security notification and update procedure
13.5.3.6. The server implements a recent (but accepted) version of the protocol
13.5.3.7. The program uses standard error-logging mechanisms
13.5.3.8. There is a secure software distribution mechanism
13.6. Controlling Unsafe Configurations
14. Intermediary Protocols
14.1. Remote Procedure Call (RPC)
14.1.1. Sun RPC Authentication
14.1.2. Microsoft RPC Authentication
14.1.3. Packet Filtering Characteristics of RPC
14.1.4. Proxying Characteristics of RPC
14.1.5. Network Address Translation Characteristics of RPC
14.1.6. Summary of Recommendations for RPC
14.2. Distributed Component Object Model (DCOM)
14.3. NetBIOS over TCP/IP (NetBT)
14.3.1. Packet Filtering Characteristics of NetBT
14.3.2. Proxying Characteristics of NetBT
14.3.3. Network Address Translation Characteristics of NetBT
14.3.4. Summary of Recommendations for NetBT
14.4. Common Internet File System (CIFS) and Server Message Block (SMB)
14.4.1. Authentication and SMB
14.4.1.1. Share-level authentication
14.4.1.2. User-level authentication
14.4.2. Packet Filtering Characteristics of SMB
14.4.3. Proxying Characteristics of SMB
14.4.4. Network Address Translation Characteristics of SMB
14.4.5. Summary of Recommendations for SMB
14.5. Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
14.5.1. Packet Filtering Characteristics of CORBA and IIOP
14.5.2. Proxying Characteristics of CORBA and IIOP
14.5.3. Network Address Translation Characteristics of CORBA and IIOP
14.5.4. Summary of Recommendations for CORBA and IIOP
14.6. ToolTalk
14.6.1. Summary of Recommendations for ToolTalk
14.7. Transport Layer Security (TLS) and Secure Socket Layer (SSL)
14.7.1. The TLS and SSL Protocols
14.7.2. Cryptography in TLS and SSL
14.7.3. Use of TLS and SSL by Other Protocols
14.7.4. Packet Filtering Characteristics of TLS and SSL
14.7.5. Proxying Characteristics of TLS and SSL
14.7.6. Network Address Translation Characteristics of TLS and SSL
14.7.7. Summary of Recommendations for TLS and SSL
14.8. The Generic Security Services API (GSSAPI)
14.9. IPsec
14.9.1. Packet Filtering Characteristics of IPsec
14.9.2. Proxying Characteristics of IPsec
14.9.3. Network Address Translation Characteristics of IPsec
14.9.4. Summary of Recommendations for IPsec
14.10. Remote Access Service (RAS)
14.11. Point-to-Point Tunneling Protocol (PPTP)
14.11.1. Design Weaknesses in PPTP
14.11.2. Implementation Weaknesses in PPTP
14.11.3. Packet Filtering Characteristics of PPTP
14.11.4. Proxying Characteristics of PPTP
14.11.5. Network Address Translation Characteristics of PPTP
14.11.6. Summary of Recommendations for PPTP
14.12. Layer 2 Transport Protocol (L2TP)
14.12.1. Packet Filtering Characteristics of L2TP
14.12.2. Proxying Characteristics of L2TP
14.12.3. Network Address Translation Characteristics of L2TP
14.12.4. Summary of Recommendations for L2TP
15. The World Wide Web
15.1. HTTP Server Security
15.1.1. HTTP Extensions
15.1.1.1. Tricking extensions
15.1.1.2. Running unexpected external programs
15.2. HTTP Client Security
15.2.1. Inadvertent Release of Information
15.2.1.1. Cookies
15.2.2. External Viewers
15.2.3. Extension Systems
15.2.4. What Can You Do?
15.2.5. Internet Explorer and Security Zones
15.3. HTTP
15.3.1. HTTP Tunneling
15.3.2. Special HTTP Servers
15.3.3. Packet Filtering Characteristics of HTTP
15.3.4. Proxying Characteristics of HTTP
15.3.5. Network Address Translation Characteristics of HTTP
15.3.6. Securing HTTP
15.3.6.1. Packet filtering characteristics of HTTPS and Secure HTTP
15.3.6.2. Proxying characteristics of HTTPS and Secure HTTP
15.3.6.3. Network address translation characteristics of HTTPS and Secure HTTP
15.3.7. Summary of Recommendations for HTTP
15.4. Mobile Code and Web-Related Languages
15.4.1. JavaScript
15.4.2. VBScript
15.4.3. Java
15.4.4. ActiveX
15.5. Cache Communication Protocols
15.5.1. Internet Cache Protocol (ICP)
15.5.1.1. Packet filtering characteristics of ICP
15.5.1.2. Proxying characteristics of ICP
15.5.1.3. Network address translation characteristics of ICP
15.5.2. Cache Array Routing Protocol (CARP)
15.5.3. Web Cache Coordination Protocol (WCCP)
15.5.3.1. Packet filtering characteristics of WCCP
15.5.3.2. Proxying characteristics of WCCP
15.5.3.3. Network address translation characteristics of WCCP
15.5.4. Summary of Recommendations for Cache Communication Protocols
15.6. Push Technologies
15.6.1. Summary of Recommendations for Push Technologies
15.7. RealAudio and RealVideo
15.7.1. Risks of RealServer
15.7.2. Risks of RealAudio and RealVideo Clients
15.7.3. Packet Filtering Characteristics of RealAudio and RealVideo
15.7.4. Proxying Characteristics of RealAudio and RealVideo
15.7.5. Network Address Translation Characteristics of RealAudio and RealVideo
15.7.6. Summary Recommendations for RealAudio and RealVideo
15.8. Gopher and WAIS
15.8.1. Packet Filtering Characteristics of Gopher and WAIS
15.8.2. Proxying Characteristics of Gopher and WAIS
15.8.3. Network Address Translation Characteristics of Gopher and WAIS
15.8.4. Summary of Recommendations for Gopher and WAIS
16. Electronic Mail and News
16.1. Electronic Mail
16.1.1. Keeping Mail Secret
16.1.2. Undesirable Mail
16.1.2.1. Junk mail
16.1.2.2. Viruses and other hostilities
16.1.3. Multimedia Internet Mail Extensions (MIME)
16.1.4. S/MIME and OpenPGP
16.2. Simple Mail Transfer Protocol (SMTP)
16.2.1. Extended SMTP (ESMTP)
16.2.2. TLS/SSL, SSMTP, and STARTTLS
16.2.3. Packet Filtering Characteristics of SMTP
16.2.4. Proxying Characteristics of SMTP
16.2.5. Network Address Translation Characteristics of SMTP
16.2.6. Configuring SMTP to Work with a Firewall
16.2.7. Sendmail
16.2.8. Other Freely Available SMTP Servers for Unix
16.2.8.1. smail
16.2.8.2. Postfix
16.2.8.3. Qmail
16.2.9. Commercial SMTP Servers for Unix
16.2.10. Improving SMTP Security with smap and smapd
16.2.11. biff
16.2.12. SMTP Support in Non-SMTP Mail Systems
16.2.13. SMTP Servers for Windows NT
16.2.14. Summary of Recommendations for SMTP
16.3. Other Mail Transfer Protocols
16.4. Microsoft Exchange
16.4.1. Summary of Recommendations for Microsoft Exchange
16.5. Lotus Notes and Domino
16.5.1. Packet Filtering Characteristics of Lotus Notes
16.5.2. Proxying Characteristics of Lotus Notes
16.5.3. Network Address Translation Characteristics of Lotus Notes
16.5.4. Summary of Recommendations for Lotus Notes
16.6. Post Office Protocol (POP)
16.6.1. Packet Filtering Characteristics of POP
16.6.2. Proxying Characteristics of POP
16.6.3. Network Address Translation Characteristics of POP
16.6.4. Summary of Recommendations for POP
16.7. Internet Message Access Protocol (IMAP)
16.7.1. Packet Filtering Characteristics of IMAP
16.7.2. Proxying Characteristics of IMAP
16.7.3. Network Address Translation Characteristics of IMAP
16.7.4. Summary of Recommendations for IMAP
16.8. Microsoft Messaging API (MAPI)
16.9. Network News Transfer Protocol (NNTP)
16.9.1. Packet Filtering Characteristics of NNTP
16.9.2. Proxying Characteristics of NNTP
16.9.3. Network Address Translation Characteristics of NNTP
16.9.4. Summary of Recommendations for NNTP
17. File Transfer, File Sharing, and Printing
17.1. File Transfer Protocol (FTP)
17.1.1. Packet Filtering Characteristics of FTP
17.1.2. Proxying Characteristics of FTP
17.1.3. Network Address Translation Characteristics of FTP
17.1.4. Providing Anonymous FTP Service
17.1.4.1. Limiting access to information
17.1.4.2. Preventing people from using your server to distribute their data
17.1.4.2.1. Making your incoming directory write-only
17.1.4.2.2. Making anonymous read and anonymous write exclusive
17.1.4.2.3. Disabling the creation of directories and certain files
17.1.4.2.4. Uploading by prearrangement
17.1.4.2.5. Removing the files
17.1.4.3. Preventing people from using your server to attack other machines
17.1.4.4. Using the wuarchive FTP daemon
17.1.5. Summary of Recommendations for FTP
17.2. Trivial File Transfer Protocol (TFTP)
17.2.1. Packet Filtering Characteristics of TFTP
17.2.2. Proxying Characteristics of TFTP
17.2.3. Network Address Translation Characteristics of TFTP
17.2.4. Summary of Recommendations for TFTP
17.3. Network File System (NFS)
17.3.1. NFS Authentication
17.3.2. NFS and root
17.3.3. NFS Client Vulnerabilities
17.3.4. File Locking with NFS
17.3.5. Automounting
17.3.6. Packet Filtering Characteristics of NFS
17.3.7. Proxying Characteristics of NFS
17.3.8. Network Address Translation Characteristics of NFS
17.4. File Sharing for Microsoft Networks
17.4.1. Samba
17.4.2. Distributed File System (Dfs)
17.4.3. Packet Filtering, Proxying, and Network Address Translation Characteristics of Microsoft File Sharing
17.5. Summary of Recommendations for File Sharing
17.6. Printing Protocols
17.6.1. lpr and lp
17.6.1.1. LPRng
17.6.1.2. Packet filtering characteristics of lpr
17.6.1.3. Proxying characteristics of lpr
17.6.1.4. Network address translation characteristics of lpr
17.6.1.5. Packet filtering and proxying characteristics of lp
17.6.2. Windows-based Printing
17.6.3. Other Printing Systems
17.6.4. Summary of Recommendations for Printing Protocols
17.7. Related Protocols
18. Remote Access to Hosts
18.1. Terminal Access (Telnet)
18.1.1. Windows 2000 Telnet
18.1.2. Packet Filtering Characteristics of Telnet
18.1.3. Proxying Characteristics of Telnet
18.1.4. Network Address Translation Characteristics of Telnet
18.1.5. Summary of Recommendations for Telnet
18.2. Remote Command Execution
18.2.1. BSD "r" Commands
18.2.1.1. BSD "r" commands under Windows NT
18.2.1.2. Packet filtering characteristics of the BSD "r" commands
18.2.1.3. Proxying characteristics of the BSD "r" commands
18.2.1.4. Network address translation characteristics of the BSD "r" commands
18.2.1.5. Summary of recommendations for the BSD "r" commands
18.2.2. rexec
18.2.2.1. Packet filtering characteristics of rexec
18.2.2.2. Proxying characteristics of rexec
18.2.2.3. Network address translation characteristics of rexec
18.2.2.4. Summary of recommendations for rexec
18.2.3. rex
18.2.3.1. Summary of recommendations for rex
18.2.4. Windows NT Remote Commands
18.2.4.1. Summary of recommendations for remote commands
18.2.5. Secure Shell (SSH)
18.2.5.1. What makes SSH secure?
18.2.5.2. SSH server authentication
18.2.5.3. SSH client authentication
18.2.5.4. Additional SSH options for client control
18.2.5.5. SSH session hijacking protection
18.2.5.6. Port forwarding
18.2.5.7. Remote X11 Window System support
18.2.5.8. Packet filtering characteristics of SSH
18.2.5.9. Proxying characteristics of SSH
18.2.5.10. Network address translation characteristics of SSH
18.2.5.11. Summary of recommendations for SSH
18.3. Remote Graphical Interfaces
18.3.1. X11 Window System
18.3.1.1. Additional servers
18.3.1.2. Packet filtering characteristics of X11
18.3.1.3. Proxying characteristics of X11
18.3.1.4. Network address translation characteristics of X11
18.3.1.5. Summary of recommendations for X11
18.3.2. Remote Graphic Interfaces for Microsoft Operating Systems
18.3.3. Independent Computing Architecture (ICA)
18.3.3.1. Packet filtering characteristics of ICA
18.3.3.2. Proxying characteristics of ICA
18.3.3.3. Network address translation characteristics of ICA
18.3.4. Microsoft Terminal Server and Terminal Services
18.3.4.1. Packet filtering characteristics of RDP
18.3.4.2. Proxying characteristics of RDP
18.3.4.3. Network address translation characteristics of RDP
18.3.5. BO2K
18.3.5.1. Packet filtering characteristics of BO2K
18.3.5.2. Proxying characteristics of BO2K
18.3.5.3. Network address translation characteristics of BO2K
18.3.6. Summary of Recommendations for Windows Remote Access
19. Real-Time Conferencing Services
19.1. Internet Relay Chat (IRC)
19.1.1. Packet Filtering Characteristics of IRC
19.1.2. Proxying Characteristics of IRC
19.1.3. Network Address Translation Characteristics of IRC
19.1.4. Summary of Recommendations for IRC
19.2. ICQ
19.2.1. Packet Filtering Characteristics of ICQ
19.2.2. Proxying Characteristics of ICQ
19.2.3. Network Address Translation Characteristics of ICQ
19.2.4. Summary of Recommendations for ICQ
19.3. talk
19.3.1. Packet Filtering Characteristics of talk
19.3.2. Proxying Characteristics of talk
19.3.3. Network Address Translation Characteristics of talk
19.3.4. Summary of Recommendations for talk
19.4. Multimedia Protocols
19.4.1. T.120 and H.323
19.4.1.1. Packet filtering characteristics of T.120
19.4.1.2. Proxying characteristics of T.120
19.4.1.3. Network address translation characteristics of T.120
19.4.1.4. Packet filtering characteristics of H.323
19.4.1.5. Proxying characteristics of H.323
19.4.1.6. Network address translation characteristics of H.323
19.4.1.7. Summary of recommendations for T.120 and H.323
19.4.2. The Real-Time Transport Protocol (RTP) and the RTP Control Protocol (RTCP)
19.4.2.1. Packet filtering characteristics of RTP and RTCP
19.4.2.2. Proxying characteristics of RTP and RTCP
19.4.2.3. Network address translation of RTP and RTCP
19.4.2.4. Summary of recommendations for RTP and RTCP
19.5. NetMeeting
19.5.1. Packet Filtering Characteristics of NetMeeting
19.5.2. Proxying Characteristics of NetMeeting
19.5.3. Network Address Translation Characteristics of NetMeeting
19.5.4. Summary of Recommendations for NetMeeting
19.6. Multicast and the Multicast Backbone (MBONE)
19.6.1. Summary of Recommendations for Multicast
20. Naming and Directory Services
20.1. Domain Name System (DNS)
20.1.1. Packet Filtering Characteristics of DNS
20.1.2. Proxying Characteristics of DNS
20.1.3. DNS Data
20.1.4. DNS Security Problems
20.1.4.1. Bogus answers to DNS queries
20.1.4.2. Malicious DNS queries
20.1.4.3. Mismatched data between the hostname and IP address DNS trees
20.1.4.4. Dynamic update
20.1.4.5. Revealing too much information to attackers
20.1.5. Setting Up DNS to Hide Information, Without Subdomains
20.1.5.1. Set up a "fake" DNS server on the bastion host for the outside world to use
20.1.5.2. Set up a real DNS server on an internal system for internal hosts to use
20.1.5.3. Internal DNS clients query the internal server
20.1.5.4. Bastion DNS clients also query the internal server
20.1.5.5. What your packet filtering system needs to allow
20.1.6. Setting Up DNS to Hide Information, with Subdomains
20.1.7. Setting Up DNS Without Hiding Information
20.1.8. Windows 2000 and DNS
20.1.9. Network Address Translation Characteristics of DNS
20.1.10. Summary of Recommendations for DNS
20.2. Network Information Service (NIS)
20.2.1. Summary of Recommendations for NIS
20.3. NetBIOS for TCP/IP Name Service and Windows Internet Name Service
20.3.1. Name Resolution Under Windows
20.3.2. NetBIOS Names
20.3.3. NetBT Name Service Operations
20.3.3.1. General principles of NetBT operations
20.3.3.2. Name registration
20.3.3.3. Name refresh
20.3.3.4. Name resolution
20.3.3.5. Name release
20.3.3.6. Conflict management
20.3.4. WINS Server-Server Communication
20.3.5. The WINS Manager
20.3.6. Security Implications of NetBT Name Service and WINS
20.3.7. Packet Filtering Characteristics of NetBT Name Service
20.3.8. Proxying Characteristics of NetBT Name Service and WINS
20.3.9. Network Address Translation Characteristics of NetBT Name Service and WINS
20.3.10. Summary of Recommendations for NetBT Name Service and WINS
20.4. The Windows Browser
20.4.1. Domains and Workgroups
20.4.2. Windows Browser Roles
20.4.2.1. Domain master browser
20.4.2.2. Master browser
20.4.2.3. Backup browsers
20.4.2.4. Potential browsers
20.4.2.5. Browseable server
20.4.2.6. Browser client
20.4.3. Browser Elections
20.4.4. Security Implications of the Windows Browser
20.4.5. Packet Filtering Characteristics of the Windows Browser
20.4.6. Proxying Characteristics of the Windows Browser
20.4.7. Network Address Translation Characteristics of the Windows Browser
20.4.8. Summary of Recommendations for the Windows Browser
20.5. Lightweight Directory Access Protocol (LDAP)
20.5.1. LDAPS
20.5.2. Packet Filtering Characteristics of LDAP
20.5.3. Proxying Characteristics of LDAP
20.5.4. Network Address Translation Characteristics of LDAP
20.5.5. Summary of Recommendations for LDAP
20.6. Active Directory
20.7. Information Lookup Services
20.7.1. finger
20.7.1.1. Packet filtering characteristics of finger
20.7.1.2. Proxying characteristics of finger
20.7.1.3. Network address translation characteristics of finger
20.7.1.4. Summary of recommendations for finger
20.7.2. whois
20.7.2.1. Packet filtering characteristics of whois
20.7.2.2. Proxying characteristics of whois
20.7.2.3. Network address translation characteristics of whois
20.7.2.4. Summary of recommendations for whois
21. Authentication and Auditing Services
21.1. What Is Authentication?
21.1.1. Something You Are
21.1.2. Something You Know
21.1.3. Something You Have
21.2. Passwords
21.3. Authentication Mechanisms
21.3.1. One-Time Password Software
21.3.2. One-Time Password Hardware
21.4. Modular Authentication for Unix
21.4.1. The TIS FWTK Authentication Server
21.4.1.1. Problems with the authentication server
21.4.2. Pluggable Authentication Modules (PAM)
21.5. Kerberos
21.5.1. How It Works
21.5.2. Extending Trust
21.5.3. Packet Filtering Characteristics of Kerberos
21.5.4. Proxying and Network Address Translation Characteristics of Kerberos
21.5.5. Summary of Recommendations for Kerberos
21.6. NTLM Domains
21.6.1. Finding a Domain Controller
21.6.2. The Logon Process
21.6.3. Secure Channel Setup
21.6.4. SMB Authentication
21.6.5. Accessing Other Computers
21.6.6. Alternate Authentication Methods
21.6.7. Controller-to-Controller Communication
21.6.8. The User Manager
21.6.9. Packet Filtering, Proxying, and Network Address Translation Characteristics of NTLM Domain Authentication
21.6.10. Summary of Recommendations for NTLM Domain Authentication
21.7. Remote Authentication Dial-in User Service (RADIUS)
21.7.1. Packet Filtering Characteristics of RADIUS
21.7.2. Proxying Characteristics of RADIUS
21.7.3. Network Address Translation Characteristics of RADIUS
21.7.4. Summary of Recommendations for RADIUS
21.8. TACACS and Friends
21.8.1. Packet Filtering Characteristics of TACACS and Friends
21.8.2. Proxying Characteristics of TACACS and Friends
21.8.3. Network Address Translation Characteristics of TACACS and Friends
21.8.4. Summary of Recommendations for TACACS and Friends
21.9. Auth and identd
21.9.1. Packet Filtering Characteristics of Auth
21.9.2. Proxying Characteristics of Auth
21.9.3. Network Address Translation Characteristics of Auth
21.9.4. Summary of Recommendations for Auth
22. Administrative Services
22.1. System Management Protocols
22.1.1. syslog
22.1.1.1. Packet filtering characteristics of syslog
22.1.1.2. Proxying characteristics of syslog
22.1.1.3. Network address translation and syslog
22.1.1.4. Summary of recommendations for syslog
22.1.2. Simple Network Management Protocol (SNMP)
22.1.2.1. SNMP version 3
22.1.2.2. Packet filtering characteristics of SNMP
22.1.2.3. Proxying characteristics of SNMP
22.1.2.4. Network address translation and SNMP
22.1.3. System Management Server (SMS)
22.1.4. Performance Monitor and Network Monitor
22.1.5. Summary Recommendations for System Management
22.2. Routing Protocols
22.2.1. Routing Information Protocol (RIP)
22.2.1.1. Packet filtering characteristics of RIP
22.2.2. Open Shortest Path First (OSPF)
22.2.2.1. Packet filtering characteristics of OSPF
22.2.3. Internet Group Management Protocol (IGMP)
22.2.3.1. Packet filtering characteristics of IGMP
22.2.4. Router Discovery/ICMP Router Discovery Protocol (IRDP)
22.2.4.1. Packet filtering characteristics of router discovery
22.2.5. Proxying Characteristics of Routing Protocols
22.2.6. Network Address Translation Characteristics of Routing Protocols
22.2.7. Summary of Recommendations for Routing Protocols
22.3. Protocols for Booting and Boot-Time Configuration
22.3.1. bootp
22.3.2. Dynamic Host Configuration Protocol (DHCP)
22.3.3. Packet Filtering Characteristics of DHCP and bootp
22.3.4. Proxying Characteristics of bootp and DHCP
22.3.5. Network Address Translation Characteristics of Booting and Boot-Time Configuration
22.3.6. Summary of Recommendations for Booting and Boot-Time Configuration
22.4. ICMP and Network Diagnostics
22.4.1. ping
22.4.1.1. Packet filtering characteristics of ping
22.4.1.2. Proxying characteristics of ping
22.4.1.3. Network address translation and ping
22.4.2. traceroute
22.4.2.1. Packet filtering characteristics of traceroute
22.4.2.2. Proxying characteristics of traceroute
22.4.2.3. Network address translation and traceroute
22.4.3. Other ICMP Packets
22.4.3.1. Packet filtering characteristics of ICMP
22.4.4. Summary of Recommendations for ICMP
22.5. Network Time Protocol (NTP)
22.5.1. Packet Filtering Characteristics of NTP
22.5.2. Proxying Characteristics of NTP
22.5.3. Network Address Translation Characteristics of NTP
22.5.4. Configuring NTP to Work with a Firewall
22.5.5. Summary of Recommendations for NTP
22.6. File Synchronization
22.6.1. rdist
22.6.2. rsync
22.6.2.1. Packet filtering characteristics of rsync
22.6.2.2. Proxying characteristics of rsync
22.6.2.3. Network address translation characteristics of rsync
22.6.3. Windows NT Directory Replication
22.6.4. Windows 2000 File Replication Service (FRS)
22.6.5. Summary of Recommendations for File Synchronization
22.7. Mostly Harmless Protocols
22.7.1. Packet Filtering Characteristics of Mostly Harmless Protocols
22.7.2. Proxying Characteristics of Mostly Harmless Protocols
22.7.3. Network Address Translation Characteristics of Mostly Harmless Protocols
22.7.4. Summary Recommendations for Mostly Harmless Protocols
23. Databases and Games
23.1. Databases
23.1.1. Locating Database Servers
23.1.1.1. Putting both the web server and the database on the perimeter network
23.1.1.2. Putting both the web server and the database on the internal network
23.1.1.3. Using the database's protocols to connect to a perimeter web server
23.1.1.4. Using a custom protocol to connect to a perimeter web server
23.1.2. Open Database Connectivity (ODBC) and Java Database Connectivity (JDBC)
23.1.3. Oracle SQL*Net and Net8
23.1.3.1. Security implications of SQL*Net and Net8
23.1.3.2. Packet filtering characteristics of SQL*Net and Net8
23.1.3.3. Proxying characteristics of SQL*Net and Net8
23.1.3.4. Network address translation characteristics of SQL*Net and Net8
23.1.3.5. Summary of recommendations for SQL*Net and Net8
23.1.4. Tabular Data Stream (TDS)
23.1.5. Sybase
23.1.5.1. Packet filtering characteristics of Sybase
23.1.5.2. Proxying characteristics of Sybase
23.1.5.3. Network address translation characteristics of Sybase
23.1.5.4. Summary of recommendations for Sybase
23.1.6. Microsoft SQL Server
23.1.6.1. Packet filtering characteristics of Microsoft SQL Server
23.1.6.2. Proxying characteristics of Microsoft SQL Server
23.1.6.3. Network address translation and Microsoft SQL Server
23.1.6.4. Summary of recommendations for Microsoft SQL Server
23.2. Games
23.2.1. Quake
23.2.2. Summary of Recommendations for Games
24. Two Sample Firewalls
24.1. Screened Subnet Architecture
24.1.1. Service Configuration
24.1.1.1. HTTP and HTTPS
24.1.1.2. SMTP
24.1.1.3. Telnet
24.1.1.4. SSH
24.1.1.5. FTP
24.1.1.6. NNTP
24.1.1.7. DNS
24.1.2. Packet Filtering Rules
24.1.2.1. Interior router
24.1.2.2. Exterior router
24.1.3. Other Configuration Work
24.1.4. Analysis
24.1.4.1. Least privilege
24.1.4.2. Defense in depth
24.1.4.3. Choke point
24.1.4.4. Weakest link
24.1.4.5. Fail-safe stance
24.1.4.6. Universal participation
24.1.4.7. Diversity of defense
24.1.4.8. Simplicity
24.1.5. Conclusions
24.2. Merged Routers and Bastion Host Using General-Purpose Hardware
24.2.1. Service Configuration
24.2.1.1. HTTP and HTTPS
24.2.1.2. SMTP
24.2.1.3. Telnet
24.2.1.4. SSH
24.2.1.5. FTP
24.2.1.6. NNTP
24.2.1.7. DNS
24.2.2. Packet Filtering Rules
24.2.3. Other Configuration Work
24.2.4. Analysis
24.2.4.1. Least privilege
24.2.4.2. Defense in depth
24.2.4.3. Choke point
24.2.4.4. Weakest link
24.2.4.5. Fail-safe stance
24.2.4.6. Universal participation
24.2.4.7. Diversity of defense
24.2.4.8. Simplicity
24.2.5. Conclusions
IV. Keeping Your Site Secure
25. Security Policies
25.1. Your Security Policy
25.1.1. What Should a Security Policy Contain?
25.1.1.1. Explanations
25.1.1.2. Everybody's responsibilities
25.1.1.3. Regular language
25.1.1.4. Enforcement authority
25.1.1.5. Provision for exceptions
25.1.1.6. Provision for reviews
25.1.1.7. Discussion of specific security issues
25.1.2. What Should a Security Policy Not Contain?
25.1.2.1. Technical details
25.1.2.2. Somebody else's problems
25.1.2.3. Problems that aren't computer security problems
25.2. Putting Together a Security Policy
25.2.1. What Is Your Security Policy?
25.2.2. What Is Your Site's Security Policy?
25.2.3. External Factors That Influence Security Policies
25.3. Getting Strategic and Policy Decisions Made
25.3.1. Enlist Allies
25.3.2. Involve Everybody Who's Affected
25.3.3. Accept "Wrong" Decisions
25.3.4. Present Risks and Benefits in Different Ways for Different People
25.3.5. Avoid Surprises
25.3.6. Condense to Important Decisions, with Implications
25.3.7. Justify Everything Else in Terms of Those Decisions
25.3.8. Emphasize that Many Issues Are Management and Personnel Issues, not Technical Issues
25.3.9. Don't Assume That Anything Is Obvious
25.4. What If You Can't Get a Security Policy?
26. Maintaining Firewalls
26.1. Housekeeping
26.1.1. Backing Up Your Firewall
26.1.2. Managing Your Accounts
26.1.3. Managing Your Disk Space
26.2. Monitoring Your System
26.2.1. Special-Purpose Monitoring Devices
26.2.2. Intrusion Detection Systems
26.2.3. What Should You Watch For?
26.2.4. The Good, the Bad, and the Ugly
26.2.5. Responding to Probes
26.2.6. Responding to Attacks
26.3. Keeping up to Date
26.3.1. Keeping Yourself up to Date
26.3.1.1. Mailing lists
26.3.1.2. Newsgroups
26.3.1.3. Web sites
26.3.1.4. Professional forums
26.3.2. Keeping Your Systems up to Date
26.4. How Long Does It Take?
26.5. When Should You Start Over?
27. Responding to Security Incidents
27.1. Responding to an Incident
27.1.1. Evaluate the Situation
27.1.2. Start Documenting
27.1.3. Disconnect or Shut Down, as Appropriate
27.1.4. Analyze and Respond
27.1.5. Make "Incident in Progress" Notifications
27.1.5.1. Your own organization
27.1.5.2. CERT-CC or other incident response teams
27.1.5.3. Vendors and service providers
27.1.5.4. Other sites
27.1.6. Snapshot the System
27.1.7. Restore and Recover
27.1.8. Document the Incident
27.2. What to Do After an Incident
27.3. Pursuing and Capturing the Intruder
27.4. Planning Your Response
27.4.1. Planning for Detection
27.4.2. Planning for Evaluation of the Incident
27.4.3. Planning for Disconnecting or Shutting Down Machines
27.4.4. Planning for Notification of People Who Need to Know
27.4.4.1. Your own organization
27.4.4.2. CERT-CC and other incident response teams
27.4.4.3. Vendors and service providers
27.4.4.4. Other sites
27.4.5. Planning for Snapshots
27.4.6. Planning for Restoration and Recovery
27.4.7. Planning for Documentation
27.4.8. Periodic Review of Plans
27.5. Being Prepared
27.5.1. Backing Up Your Filesystems
27.5.2. Labeling and Diagramming Your System
27.5.3. Keeping Secured Checksums
27.5.4. Keeping Activity Logs
27.5.5. Keeping a Cache of Tools and Supplies
27.5.6. Testing the Reload of the Operating System
27.5.7. Doing Drills
V. Appendixes
A. Resources
A.1. Web Pages
A.1.1. Telstra
A.1.2. CERIAS
A.1.3. The Linux Documentation Project
A.1.4. The Linux Router Project
A.2. FTP Sites
A.2.1. cerias.purdue.edu
A.2.2. info.cert.org
A.3. Mailing Lists
A.3.1. Firewalls
A.3.2. Firewall Wizards
A.3.3. FWTK-USERS
A.3.4. BugTraq
A.3.5. NTBugTraq
A.3.6. CERT-Advisory
A.3.7. RISKS
A.4. Newsgroups
A.5. Response Teams
A.5.1. CERT-CC
A.5.2. FIRST
A.5.3. NIST CSRC
A.6. Other Organizations
A.6.1. Internet Engineering Task Force (IETF)
A.6.2. World Wide Web Consortium (W3C)
A.6.3. USENIX Association
A.6.4. System Administrators Guild (SAGE)
A.6.5. System Administration, Networking, and Security (SANS) Institute
A.7. Conferences
A.7.1. USENIX Association Conferences
A.7.1.1. USENIX Unix Security Symposium
A.7.1.2. USENIX System Administration (LISA) Conference
A.7.1.3. USENIX Large Installation System Administration of Windows NT (LISA-NT) Conference
A.7.1.4. USENIX Technical Conferences
A.7.2. Unix System Administration, Networking, and Security (SANS) Conference
A.7.3. Internet Society Symposium on Network and Distributed System Security (SNDSS)
A.8. Papers
A.9. Books
B. Tools
B.1. Authentication Tools
B.1.1. TIS Internet Firewall Toolkit (FWTK)
B.1.2. Kerberos
B.2. Analysis Tools
B.2.1. COPS
B.2.2. Tiger
B.2.3. Tripwire
B.2.4. SATAN
B.2.5. SAINT
B.3. Packet Filtering Tools
B.3.1. ipfilter
B.4. Proxy Systems Tools
B.4.1. TIS Internet Firewall Toolkit (FWTK)
B.4.2. SOCKS
B.4.3. UDP Packet Relayer
B.4.4. tircproxy
B.5. Daemons
B.5.1. wuarchive ftpd
B.5.2. GateD
B.5.3. Zebra
B.5.4. Postfix
B.5.5. qmail
B.5.6. smail
B.5.7. portmap
B.5.8. Andrew File System (AFS)
B.5.9. rsync
B.5.10. Samba
B.5.11. ssh
B.5.12. BO2K
B.5.13. mIRC
B.6. Utilities
B.6.1. TIS Internet Firewall Toolkit (FWTK)
B.6.2. TCP Wrapper
B.6.3. chrootuid
B.6.4. inzider
B.6.5. MRTG
B.6.6. NOCOL
B.6.7. NetCat
B.6.8. NetSaint
B.6.9. PGP
B.6.10. trimlog
B.6.11. AntiSniff
B.6.12. tcpdump
C. Cryptography
C.1. What Are You Protecting and Why?
C.2. Key Components of Cryptographic Systems
C.2.1. Encryption
C.2.1.1. Kinds of encryption algorithms
C.2.1.2. Encryption algorithms and key length
C.2.2. Cryptographic Hashes, Checksums, and Message Digests
C.2.3. Integrity Protection
C.2.4. Random Numbers
C.3. Combined Cryptography
C.3.1. Digital Signatures
C.3.2. Certificates
C.3.3. Certificate Trust Models
C.3.4. Key Distribution and Exchange
C.4. What Makes a Protocol Secure?
C.4.1. Selecting an Algorithm
C.4.2. Mutual Authentication
C.4.3. Sharing a Secret
C.4.4. Identifying Altered Messages
C.4.5. Destroying the Shared Secret
C.5. Information About Algorithms
C.5.1. Encryption Algorithms
C.5.2. Digital Signature Algorithms
C.5.3. Cryptographic Hashes and Message Digests
C.5.4. Key Exchange
C.5.5. Key Sizes and Strength
C.5.6. Evaluating Other Algorithms
Index
About the Authors
Colophon