When a user performs an action that they should not have, according to organizational policy or law.
Access Control Lists:
Rules for packet filters (typically routers) that define which packets to pass and which to block.
Access Router:
A router that connects your network to the external Internet. Typically, this is your first line of defense against attackers from the outside Internet. By enabling access control lists on this router, you’ll be able to provide a level of protection for all of the hosts "behind" that router, effectively making that network a DMZ instead of an unprotected external LAN.
Application-Level Firewall:
A firewall system in which service is provided by processes that maintain complete TCP connection state and sequencing. Application-level firewalls often re-address traffic so that outgoing traffic appears to have originated from the firewall, rather than the internal host.
Authentication:
The process of determining the identity of a user that is attempting to access a system.
Authentication Token:
A portable device used for authenticating a user. Authentication tokens operate by challenge/response, time-based code sequences, or other techniques. This may include paper-based lists of one-time passwords.
Authorization:
The process of determining what types of activities are permitted. Usually, authorization is in the context of authentication: once you have authenticated a user, they may be authorized different types of access or activity.
Bastion Host:
A system that has been hardened to resist attack, and which is installed on a network in such a way that it is expected to potentially come under attack. Bastion hosts are often components of firewalls, or may be "outside" Web servers or public access systems. Generally, a bastion host is running some form of general purpose operating system (for example, Unix, VMS, NT, etc.) rather than a ROM-based or firmware operating system.
Challenge/Response:
An authentication technique whereby a server sends an unpredictable challenge to the user, who computes a response using some form of authentication token.
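The challenge/response exchange just defined, written out as an added example (not code from the FAQ): the server issues a random single-use challenge, the token answers with a keyed one-way function of it, and the server checks the answer. The secret value and the HMAC-SHA256 construction are assumptions for illustration; a real token keeps its secret in hardware.

```python
import hashlib
import hmac
import secrets

# Constructed example secret, provisioned into both the token and the server
# out of band. It never crosses the wire: only challenges and responses do.
TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def token_compute_response(secret: bytes, challenge: str) -> str:
    """What the user's token does: derive a response from the challenge with a
    keyed one-way function, so observing the response reveals nothing usable."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


class ChallengeResponseServer:
    """Server side: issues unpredictable, single-use challenges and checks responses."""

    def __init__(self, secret: bytes) -> None:
        self._secret = secret
        self._outstanding: set[str] = set()

    def issue_challenge(self) -> str:
        # 128 bits from the OS CSPRNG: the challenge cannot be guessed or precomputed.
        challenge = secrets.token_hex(16)
        self._outstanding.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        # A challenge that was never issued, or was already consumed, is rejected,
        # so a captured (challenge, response) pair is useless if replayed later.
        if challenge not in self._outstanding:
            return False
        self._outstanding.discard(challenge)
        expected = token_compute_response(self._secret, challenge)
        # Constant-time comparison: no timing leak about how many bytes matched.
        return hmac.compare_digest(expected, response)


def run_exchange(server: ChallengeResponseServer, token_secret: bytes) -> dict:
    """One login: server -> challenge, token -> response, server -> verdict.
    Also reports what happens when the same response is sent a second time."""
    challenge = server.issue_challenge()
    response = token_compute_response(token_secret, challenge)
    first = server.verify(challenge, response)
    replay = server.verify(challenge, response)  # eavesdropper re-sending the pair
    return {"accepted": first, "replay_accepted": replay}


if __name__ == "__main__":
    srv = ChallengeResponseServer(TOKEN_SECRET)
    print(run_exchange(srv, TOKEN_SECRET))             # genuine token
    print(run_exchange(srv, b"not-the-real-secret"))  # device without the secret
```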
Chroot:
A technique under Unix whereby a process is permanently restricted to an isolated subset of the filesystem.
Cryptographic Checksum:
A one-way function applied to a file to produce a unique "fingerprint" of the file for later reference. Checksum systems are a primary means of detecting filesystem tampering on Unix.
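How a checksum system detects filesystem tampering, as an added example that is not part of the FAQ: fingerprint every file into a baseline, then compare the live filesystem against it and report what changed. The directory layout and file contents are constructed; SHA-256 stands in for whatever one-way function the system uses.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path: Path, algorithm: str = "sha256") -> str:
    """One-way hash of a file's contents: any change to the bytes changes the digest."""
    digest = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(64 * 1024), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root: Path) -> dict[str, str]:
    """Fingerprint every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): fingerprint(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict[str, str]) -> dict[str, list[str]]:
    """Compare the live filesystem against a stored baseline and report tampering."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "missing": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a tiny 'system', then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "etc").mkdir()
        (root / "bin" / "login").write_bytes(b"original login program")
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        # The baseline must live where an intruder cannot rewrite it
        # (read-only media, another host); here it simply stays in memory.
        baseline = build_baseline(root)
        # Simulated tampering after the baseline was taken:
        (root / "bin" / "login").write_bytes(b"replaced login program")  # modified
        (root / "etc" / "extra.conf").write_text("new file\n")           # added
        (root / "etc" / "passwd").unlink()                               # removed
        return verify(root, baseline)


if __name__ == "__main__":
    print(demo())
```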
Data-Driven Attack:
A form of attack in which the attack is encoded in innocuous-seeming data which is executed by a user or other software to implement an attack. In the case of firewalls, a data-driven attack is a concern since it may get through the firewall in data form and launch an attack against a system behind the firewall.
Defense in Depth:
The security approach whereby each system on the network is secured to the greatest possible degree. May be used in conjunction with firewalls.
DNS spoofing:
Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.
Dual-Homed Gateway:
A dual-homed gateway is a system that has two or more network interfaces, each of which is connected to a different network. In firewall configurations, a dual-homed gateway usually acts to block or filter some or all of the traffic trying to pass between the networks.
Firewall:
A system or combination of systems that enforces a boundary between two or more networks.
Host-based Security:
The technique of securing an individual system from attack. Host-based security is operating system and version dependent.
Insider Attack:
An attack originating from inside a protected network.
Intrusion Detection:
Detection of break-ins or break-in attempts either manually or via software expert systems that operate on logs or other information available on the network.
IP Spoofing:
An attack whereby a system attempts to illicitly impersonate another system by using its IP network address.
IP Splicing or Hijacking:
An attack whereby an active, established session is intercepted and co-opted by the attacker. IP Splicing attacks may occur after an authentication has been made, permitting the attacker to assume the role of an already authorized user. Primary protections against IP Splicing rely on encryption at the session or network layer.
Least Privilege:
Designing operational aspects of a system to operate with a minimum amount of system privilege. This reduces the authorization level at which various actions are performed and decreases the chance that a process or user with high privileges may be caused to perform unauthorized activity resulting in a security breach.
Logging:
The process of storing information about events that occurred on the firewall or network.
Log Retention:
How long audit logs are retained and maintained.
Log Processing:
How audit logs are processed, searched for key events, or summarized.
Network-Level Firewall:
A firewall in which traffic is examined at the network protocol packet level.
Perimeter-based Security:
The technique of securing a network by controlling access to all entry and exit points of the network.
Policy:
Organization-level rules governing acceptable use of computing resources, security practices, and operational procedures.
Proxy:
A software agent that acts on behalf of a user. Typical proxies accept a connection from a user, make a decision as to whether or not the user or client IP address is permitted to use the proxy, perhaps do additional authentication, and then complete a connection on behalf of the user to a remote destination.
Screened Host:
A host on a network behind a screening router. The degree to which a screened host may be accessed depends on the screening rules in the router.
Screened Subnet:
A subnet behind a screening router. The degree to which the subnet may be accessed depends on the screening rules in the router.
Screening Router:
A router configured to permit or deny traffic based on a set of permission rules installed by the administrator.
Session Stealing:
See IP Splicing.
Trojan Horse:
A software entity that appears to do something normal but which, in fact, contains a trapdoor or attack program.
Tunneling Router:
A router or system capable of routing traffic by encrypting it and encapsulating it for transmission across an untrusted network, for eventual de-encapsulation and decryption.
Social Engineering:
An attack based on deceiving users or administrators at the target site. Social engineering attacks are typically carried out by telephoning users or operators and pretending to be an authorized user, to attempt to gain illicit access to systems.
Virtual Network Perimeter:
A network that appears to be a single protected network behind firewalls, which actually encompasses encrypted virtual links over untrusted networks.
Virus:
A replicating code segment that attaches itself to a program or data file. Viruses might or might not contain attack programs or trapdoors. Unfortunately, many have taken to calling any malicious code a "virus". If you mean "trojan horse" or "worm", say "trojan horse" or "worm".
Worm:
A standalone program that, when run, copies itself from one host to another, and then runs itself on each newly infected host. The widely reported "Internet Virus" of 1988 was not a virus at all, but actually a worm.
Q. What’s a firewall?
A firewall is a system or group of systems that enforce an access control policy
between two networks.
A firewall may permit only e-mail traffic, blocking all other services; another may
block specific services that are known to be problems. Many firewalls are configured to
protect against unauthenticated interactive logins from the "outside" world.
More elaborate firewalls block traffic from the outside to the inside, but permit users on
the inside to communicate freely with the outside.
Firewalls also provide a single "choke point" where security and audit can be
imposed. A firewall can act as an effective "phone tap" and tracing tool, and it
provides an important logging and auditing function; often it gives the administrator
summaries of the kinds and amount of traffic that passed through it, how many attempts
there were to break into it, and so on.
Q. Do they stop viruses?
Firewalls can’t protect very well against things like viruses. There are too many
ways of encoding binary files for transfer over networks, and too many different
architectures and viruses to try to search for them all. In other words, a firewall cannot
replace security-consciousness on the part of your users. In general, a firewall cannot
protect against a data-driven attack—attacks in which something is mailed or copied
to an internal host where it is then executed.
Organizations that are deeply concerned about viruses should implement
organization-wide virus control measures. Rather than trying to screen viruses out at the
firewall, make sure that every vulnerable desktop has virus scanning software that is run
when the machine is rebooted. Blanketing your network with virus scanning software will
protect against viruses that come in via floppy disks, modems, and the Internet. Trying to
block viruses at the firewall will only protect against viruses from the Internet while a
vast majority of viruses are caught via floppy disks.
Nevertheless, an increasing number of firewall vendors are offering "virus
detecting" firewalls. They’re probably only useful for naive users exchanging
Windows-on-Intel executable programs and malicious-macro-capable application documents.
Don’t count on serious protection here.
Q. Are there different types of firewalls?
Conceptually, there are two: network level and application level.
Network level firewalls generally make their decisions based on the source, destination
addresses and ports in individual IP packets. A simple router is the
"traditional" network level firewall, since it is not able to make particularly
sophisticated decisions about what a packet is actually talking to or where it actually
came from. Modern network level firewalls have become increasingly sophisticated, and now
maintain internal information about the state of connections passing through them, the
contents of some of the data streams, and so on. One thing that’s an important
distinction about many network level firewalls is that they route traffic directly through
them, so to use one you usually need to have a validly assigned IP address block. Network
level firewalls tend to be very fast and transparent to users.
Application level firewalls generally are hosts running proxy servers, which permit no
traffic directly between networks, and which perform elaborate logging and auditing of
traffic passing through them. Since the proxy applications are software components running
on the firewall, it is a good place to do lots of logging and access control. Application
level firewalls can be used as network address translators, since traffic goes in one
"side" and out the other, after having passed through an application that
effectively masks the origin of the initiating connection. Having an application in the
way in some cases may impact performance and may make the firewall less transparent.
Modern application level firewalls are quite transparent.
Q. What’s a proxy server?
A proxy server is an application that mediates traffic between a protected network and
the Internet. Proxies are often used instead of router-based traffic controls, to prevent
traffic from passing directly between networks. Many proxies contain extra logging or
support for user authentication. Since proxies must "understand" the application
protocol being used, they can also implement protocol specific security (for example, an
FTP proxy might be configurable to permit incoming FTP and block outgoing FTP).
Proxy servers are application-specific. In order to support a protocol via a proxy, the
proxy must support it (for example, Telnet, POP3, etc). SOCKS is a generic proxy system
that can be compiled into a client-side application to make it work through a firewall.
Its advantage is that it’s easy to use, but it doesn’t support the addition of
authentication hooks or protocol specific logging. For more information on SOCKS, see
www.socks.nec.com/.
Q. How can I block the bad stuff?
For firewalls where the emphasis is on security instead of connectivity, you should
consider blocking everything by default, and only specifically allowing what services you
need on a case-by-case basis.
If you block everything, except a specific set of services, then you’ve already
made your job much easier. Instead of having to worry about every security problem with
every product and service around, you only need to worry about every security problem with
a specific set of services and products.
Q. What is denial of service?
Denial of service is when someone decides to make your network or firewall useless by
disrupting it, crashing it, jamming it, or flooding it. The problem with denial of service
on the Internet is that it is impossible to prevent. The reason has to do with the
distributed nature of the network; every network node is connected via other networks
which in turn connect to other networks, etc. A firewall administrator or ISP only has
control of a few local elements within reach. An attacker can always disrupt a connection
"upstream" from where the victim controls it. In other words, if someone wanted
to take a network off the air, they could do it either by taking the network off the air,
or by taking the networks it connects to off the air, ad infinitum. There are many, many,
ways someone can deny service, ranging from the complex to the brute-force. If you are
considering using Internet for a service which is absolutely time or mission critical, you
should consider your fall-back position in the event that the network is down or damaged.
Q. How do I make Web/HTTP work through my firewall?
There are three ways to do it.
routers.
Squid, Apache, Netscape Proxy and http-gw from the TIS firewall toolkit. Most of these can
also proxy other protocols (such as gopher and ftp), and can cache objects fetched, which
will also typically result in a performance boost for the users, and more efficient use of
your connection to the Internet. Essentially all Web clients (Mozilla, Internet Explorer,
Lynx, etc) have proxy server support built directly into them.
Q. What is SMTP session hijacking?
This is where a spammer will take many thousands of copies of a message and send it to
a huge list of e-mail addresses. Because these lists are often so bad, and in order to
increase the speed of operation for the spammer, many have resorted to simply sending all
of their mail to an SMTP server that will take care of actually delivering the mail.
Of course, all of the bounces, spam complaints, hate mail, and bad PR come to the site
that was used as a relay. There is a very real cost associated with this, mostly in paying
people to clean up the mess afterward.
Q. How do I make FTP work through my firewall?
Generally, making FTP work through the firewall is done either using a proxy server
such as the firewall toolkit’s ftp-gw or by permitting incoming connections to the
network at a restricted port range, and otherwise restricting incoming connections using
something like "established" screening rules. The FTP client is then modified to
bind the data port to a port within that range. This entails being able to modify the FTP
client application on internal hosts.
In some cases, if FTP downloads are all you wish to support, you might want to consider
declaring FTP a "dead protocol" and letting users download files via the Web
instead. The user interface certainly is nicer, and it gets around the ugly callback port
problem. If you choose the FTP-via-Web approach, your users will be unable to FTP files
out, which, depending on what you are trying to accomplish, may be a problem.
Q. How do I make Telnet work through my firewall?
Telnet is generally supported either
by using an application proxy such as the firewall toolkit’s tn-gw, or by simply
configuring a router to permit outgoing connections using something like the
"established" screening rules. Application proxies could be in the form of a
standalone proxy running on the bastion host, or in the form of a SOCKS server and a
modified client.
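The screening-router rules the FAQ keeps referring to, as an added example that is not from the FAQ or any router vendor: a default-deny access list ("block everything, then allow only what you need"), an "established" rule that lets replies to outgoing Telnet and other connections back in, and a permit for the restricted port range an FTP client binds its data port to. The addresses, the 40000-40100 range and the rule syntax are constructed for the simulation.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed (RFC 5737 documentation addresses): 192.0.2.0/24 is the network
# "behind" the screening router; anything else is the outside Internet.
INTERNAL_PREFIX = "192.0.2."
# Constructed: the restricted range the modified FTP client binds its data port to.
FTP_DATA_PORTS = range(40000, 40101)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    ack: bool = False   # TCP ACK flag: clear on the initial SYN, set on every later segment


def is_inbound(p: Packet) -> bool:
    return p.dst.startswith(INTERNAL_PREFIX) and not p.src.startswith(INTERNAL_PREFIX)


@dataclass(frozen=True)
class Rule:
    action: str                         # "permit" or "deny"
    why: str                            # reason recorded for the log
    proto: Optional[str] = None
    inbound: Optional[bool] = None
    dport: Optional[range] = None
    established: Optional[bool] = None  # True: match only segments with ACK set

    def matches(self, p: Packet) -> bool:
        return all([
            self.proto is None or p.proto == self.proto,
            self.inbound is None or is_inbound(p) == self.inbound,
            self.dport is None or p.dport in self.dport,
            self.established is None or p.ack == self.established,
        ])


# Constructed access list: first match wins; anything no rule permits falls
# through to the default deny at the bottom of filter_packet().
ACL = [
    Rule("permit", "internal hosts may initiate outbound connections", inbound=False),
    Rule("permit", "reply traffic for those connections ('established')",
         proto="tcp", inbound=True, established=True),
    Rule("permit", "active-mode FTP data callback into the restricted range",
         proto="tcp", inbound=True, dport=FTP_DATA_PORTS),
]


def filter_packet(p: Packet, acl=ACL) -> tuple:
    """Return (action, reason) for one packet; the reason is what a router would log."""
    for rule in acl:
        if rule.matches(p):
            return rule.action, rule.why
    return "deny", "default deny: not explicitly permitted"
```

Note that an "established" rule only tests the ACK bit; it does not know whether a connection really exists, which is why the FAQ's "modern network level firewalls" track connection state instead of trusting the flag.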