o'reilly - building internet firewalls 2nd edition




Document information

Building Internet Firewalls
Elizabeth D. Zwicky, Simon Cooper & D. Brent Chapman
Second Edition, June 2000
ISBN: 1-56592-871-7, 890 pages

Completely revised and much expanded, the new edition of the highly respected and bestselling Building Internet Firewalls now covers Unix, Linux, and Windows NT. This practical and detailed guide explains in step-by-step fashion how to design and install firewalls and configure Internet services to work with a firewall. It covers a wide range of services and protocols and offers a complete list of resources, including the location of many publicly available firewall construction tools.

Release Team[oR] 2001

CONTENTS

Preface (page 1)
    Scope of This Book
    Audience
    Platforms
    Products
    Examples
    Conventions Used in This Book
    Comments and Questions
    Acknowledgments for the Second Edition
    Acknowledgments for the First Edition

I Network Security (page 8)

1 Why Internet Firewalls? (page 9)
    1.1 What Are You Trying to Protect?
    1.2 What Are You Trying to Protect Against?
    1.3 Who Do You Trust?
    1.4 How Can You Protect Your Site?
    1.5 What Is an Internet Firewall?
    1.6 Religious Arguments

2 Internet Services (page 27)
    2.1 Secure Services and Safe Services
    2.2 The World Wide Web
    2.3 Electronic Mail and News
    2.4 File Transfer, File Sharing, and Printing
    2.5 Remote Access
    2.6 Real-Time Conferencing Services
    2.7 Naming and Directory Services
    2.8 Authentication and Auditing Services
    2.9 Administrative Services
    2.10 Databases
    2.11 Games

3 Security Strategies (page 42)
    3.1 Least Privilege
    3.2 Defense in Depth
    3.3 Choke Point
    3.4 Weakest Link
    3.5 Fail-Safe Stance
    3.6 Universal Participation
    3.7 Diversity of Defense
    3.8 Simplicity
    3.9 Security Through Obscurity

II Building Firewalls (page 50)

4 Packets and Protocols (page 51)
    4.1 What Does a Packet Look Like?
    4.2 IP
    4.3 Protocols Above IP
    4.4 Protocols Below IP
    4.5 Application Layer Protocols
    4.6 IP Version 6
    4.7 Non-IP Protocols
    4.8 Attacks Based on Low-Level Protocol Details

5 Firewall Technologies (page 68)
    5.1 Some Firewall Definitions
    5.2 Packet Filtering
    5.3 Proxy Services
    5.4 Network Address Translation
    5.5 Virtual Private Networks

6 Firewall Architectures (page 81)
    6.1 Single-Box Architectures
    6.2 Screened Host Architectures
    6.3 Screened Subnet Architectures
    6.4 Architectures with Multiple Screened Subnets
    6.5 Variations on Firewall Architectures
    6.6 Terminal Servers and Modem Pools
    6.7 Internal Firewalls

7 Firewall Design (page 103)
    7.1 Define Your Needs
    7.2 Evaluate the Available Products
    7.3 Put Everything Together

8 Packet Filtering (page 108)
    8.1 What Can You Do with Packet Filtering?
    8.2 Configuring a Packet Filtering Router
    8.3 What Does the Router Do with Packets?
    8.4 Packet Filtering Tips and Tricks
    8.5 Conventions for Packet Filtering Rules
    8.6 Filtering by Address
    8.7 Filtering by Service
    8.8 Choosing a Packet Filtering Router
    8.9 Packet Filtering Implementations for General-Purpose Computers
    8.10 Where to Do Packet Filtering
    8.11 What Rules Should You Use?
    8.12 Putting It All Together

9 Proxy Systems (page 146)
    9.1 Why Proxying?
    9.2 How Proxying Works
    9.3 Proxy Server Terminology
    9.4 Proxying Without a Proxy Server
    9.5 Using SOCKS for Proxying
    9.6 Using the TIS Internet Firewall Toolkit for Proxying
    9.7 Using Microsoft Proxy Server
    9.8 What If You Can't Proxy?

10 Bastion Hosts (page 157)
    10.1 General Principles
    10.2 Special Kinds of Bastion Hosts
    10.3 Choosing a Machine
    10.4 Choosing a Physical Location
    10.5 Locating Bastion Hosts on the Network
    10.6 Selecting Services Provided by a Bastion Host
    10.7 Disabling User Accounts on Bastion Hosts
    10.8 Building a Bastion Host
    10.9 Securing the Machine
    10.10 Disabling Nonrequired Services
    10.11 Operating the Bastion Host
    10.12 Protecting the Machine and Backups

11 Unix and Linux Bastion Hosts (page 176)
    11.1 Which Version of Unix?
    11.2 Securing Unix
    11.3 Disabling Nonrequired Services
    11.4 Installing and Modifying Services
    11.5 Reconfiguring for Production
    11.6 Running a Security Audit

12 Windows NT and Windows 2000 Bastion Hosts (page 191)
    12.1 Approaches to Building Windows NT Bastion Hosts
    12.2 Which Version of Windows NT?
    12.3 Securing Windows NT
    12.4 Disabling Nonrequired Services
    12.5 Installing and Modifying Services

III Internet Services (page 203)

13 Internet Services and Firewalls (page 204)
    13.1 Attacks Against Internet Services
    13.2 Evaluating the Risks of a Service
    13.3 Analyzing Other Protocols
    13.4 What Makes a Good Firewalled Service?
    13.5 Choosing Security-Critical Programs
    13.6 Controlling Unsafe Configurations

14 Intermediary Protocols (page 223)
    14.1 Remote Procedure Call (RPC)
    14.2 Distributed Component Object Model (DCOM)
    14.3 NetBIOS over TCP/IP (NetBT)
    14.4 Common Internet File System (CIFS) and Server Message Block (SMB)
    14.5 Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
    14.6 ToolTalk
    14.7 Transport Layer Security (TLS) and Secure Socket Layer (SSL)
    14.8 The Generic Security Services API (GSSAPI)
    14.9 IPsec
    14.10 Remote Access Service (RAS)
    14.11 Point-to-Point Tunneling Protocol (PPTP)
    14.12 Layer 2 Transport Protocol (L2TP)

15 The World Wide Web (page 245)
    15.1 HTTP Server Security
    15.2 HTTP Client Security
    15.3 HTTP
    15.4 Mobile Code and Web-Related Languages
    15.5 Cache Communication Protocols
    15.6 Push Technologies
    15.7 RealAudio and RealVideo
    15.8 Gopher and WAIS

16 Electronic Mail and News (page 268)
    16.1 Electronic Mail
    16.2 Simple Mail Transfer Protocol (SMTP)
    16.3 Other Mail Transfer Protocols
    16.4 Microsoft Exchange
    16.5 Lotus Notes and Domino
    16.6 Post Office Protocol (POP)
    16.7 Internet Message Access Protocol (IMAP)
    16.8 Microsoft Messaging API (MAPI)
    16.9 Network News Transfer Protocol (NNTP)

17 File Transfer, File Sharing, and Printing (page 287)
    17.1 File Transfer Protocol (FTP)
    17.2 Trivial File Transfer Protocol (TFTP)
    17.3 Network File System (NFS)
    17.4 File Sharing for Microsoft Networks
    17.5 Summary of Recommendations for File Sharing
    17.6 Printing Protocols
    17.7 Related Protocols

18 Remote Access to Hosts (page 307)
    18.1 Terminal Access (Telnet)
    18.2 Remote Command Execution
    18.3 Remote Graphical Interfaces

19 Real-Time Conferencing Services (page 328)
    19.1 Internet Relay Chat (IRC)
    19.2 ICQ
    19.3 talk
    19.4 Multimedia Protocols
    19.5 NetMeeting
    19.6 Multicast and the Multicast Backbone (MBONE)

20 Naming and Directory Services (page 341)
    20.1 Domain Name System (DNS)
    20.2 Network Information Service (NIS)
    20.3 NetBIOS for TCP/IP Name Service and Windows Internet Name Service
    20.4 The Windows Browser
    20.5 Lightweight Directory Access Protocol (LDAP)
    20.6 Active Directory
    20.7 Information Lookup Services

21 Authentication and Auditing Services (page 373)
    21.1 What Is Authentication?
    21.2 Passwords
    21.3 Authentication Mechanisms
    21.4 Modular Authentication for Unix
    21.5 Kerberos
    21.6 NTLM Domains
    21.7 Remote Authentication Dial-in User Service (RADIUS)
    21.8 TACACS and Friends
    21.9 Auth and identd

22 Administrative Services (page 397)
    22.1 System Management Protocols
    22.2 Routing Protocols
    22.3 Protocols for Booting and Boot-Time Configuration
    22.4 ICMP and Network Diagnostics
    22.5 Network Time Protocol (NTP)
    22.6 File Synchronization
    22.7 Mostly Harmless Protocols

23 Databases and Games (page 418)
    23.1 Databases
    23.2 Games

24 Two Sample Firewalls (page 428)
    24.1 Screened Subnet Architecture
    24.2 Merged Routers and Bastion Host Using General-Purpose Hardware

IV Keeping Your Site Secure (page 456)

25 Security Policies (page 457)
    25.1 Your Security Policy
    25.2 Putting Together a Security Policy
    25.3 Getting Strategic and Policy Decisions Made
    25.4 What If You Can't Get a Security Policy?

26 Maintaining Firewalls (page 468)
    26.1 Housekeeping
    26.2 Monitoring Your System
    26.3 Keeping up to Date
    26.4 How Long Does It Take?
    26.5 When Should You Start Over?

27 Responding to Security Incidents (page 481)
    27.1 Responding to an Incident
    27.2 What to Do After an Incident
    27.3 Pursuing and Capturing the Intruder
    27.4 Planning Your Response
    27.5 Being Prepared

V Appendixes (page 500)

A Resources (page 501)
    A.1 Web Pages
    A.2 FTP Sites
    A.3 Mailing Lists
    A.4 Newsgroups
    A.5 Response Teams
    A.6 Other Organizations
    A.7 Conferences
    A.8 Papers
    A.9 Books

B Tools (page 513)
    B.1 Authentication Tools
    B.2 Analysis Tools
    B.3 Packet Filtering Tools
    B.4 Proxy Systems Tools
    B.5 Daemons
    B.6 Utilities

C Cryptography (page 520)
    C.1 What Are You Protecting and Why?
    C.2 Key Components of Cryptographic Systems
    C.3 Combined Cryptography
    C.4 What Makes a Protocol Secure?
    C.5 Information About Algorithms

Colophon (page 535)

Introduction

In the five years since the first edition of this classic book was published, Internet use has exploded. The commercial world has rushed headlong into doing business on the Web, often without integrating sound security technologies and policies into their products and methods. The security risks - and the need to protect both business and personal data - have never been greater. We've updated Building Internet Firewalls to address these newer risks.

What kinds of security threats does the Internet pose? Some, like password attacks and the exploiting of known security holes, have been around since the early days of networking. And others, like the distributed denial of service attacks that crippled Yahoo, E-Bay, and other major e-commerce sites in early 2000, are in current headlines.

Firewalls, critical components of today's computer networks, effectively protect a system from most Internet security threats. They keep damage on one part of the network - such as eavesdropping, a worm program, or file damage - from spreading to the rest of the network. Without firewalls, network security problems can rage out of control, dragging more and more systems down.

Like the bestselling and highly respected first edition, Building Internet Firewalls, 2nd Edition, is a practical and detailed step-by-step guide to designing and installing firewalls and configuring Internet services to work with a firewall. Much expanded to include Linux and Windows coverage, the second edition describes:

• Firewall technologies: packet filtering, proxying, network address translation, virtual private networks
• Architectures such as screening routers, dual-homed hosts, screened hosts, screened subnets, perimeter networks, internal firewalls
• Issues involved in a variety of new Internet services and protocols through a firewall
• Email and News
• Web services and scripting languages (e.g., HTTP, Java, JavaScript, ActiveX, RealAudio, RealVideo)
• File transfer and sharing services such as NFS, Samba
• Remote access services such as Telnet, the BSD "r" commands, SSH, BackOrifice 2000
• Real-time conferencing services such as ICQ and talk
• Naming and directory services (e.g., DNS, NetBT, the Windows Browser)
• Authentication and auditing services (e.g., PAM, Kerberos, RADIUS)
• Administrative services (e.g., syslog, SNMP, SMS, RIP and other routing protocols, and ping and other network diagnostics)
• Intermediary protocols (e.g., RPC, SMB, CORBA, IIOP)
• Database protocols (e.g., ODBC, JDBC, and protocols for Oracle, Sybase, and Microsoft SQL Server)

The book's complete list of resources includes the location of many publicly available firewall construction tools.

Building Internet Firewalls, page 1

Preface

This book is a practical guide to building your own firewall. It provides step-by-step explanations of how to design and install a firewall at your site and how to configure Internet services such as electronic mail, FTP, the World Wide Web, and others to work with a firewall. Firewalls are complex, though, and we can't boil everything down to simple rules. Too much depends on exactly what hardware, operating system, and networking you are using at your site, and what you want your users to be able to do and not do. We've tried to give you enough rules, examples, and resources here so you'll be able to do the rest on your own.

What is a firewall, and what does it do for you? A firewall is a way to restrict access between the Internet and your internal network. You typically install a firewall at the point of maximum leverage, the point where your network connects to the Internet. The existence of a firewall at your site can greatly reduce the odds that outside attackers will penetrate your internal systems and networks. The firewall can also keep your own users from compromising your systems by sending dangerous information - unencrypted passwords and sensitive data - to the outside world.

The attacks on Internet-connected systems we are seeing today are more serious and more technically complex than those in the past. To keep these attacks from compromising our systems, we need all the help we can get. Firewalls are a highly effective way of protecting sites from these attacks. For that reason, we strongly recommend you include a firewall in your site's overall Internet security plan. However, a firewall should be only one component in that plan. It's also vital that you establish a security policy, that you implement strong host security, and that you consider the use of authentication and encryption devices that work with the firewalls you install. This book will touch on each of these topics while maintaining its focus on firewalls.

Scope of This Book

This book is divided into five parts.

Part I explores the problem of Internet security and focuses on firewalls as part of an effective strategy to address that problem.

Chapter 1 introduces the major risks associated with using the Internet today; discusses what to protect, and what to protect against; discusses various security models; and introduces firewalls in the context of what they can and can't do for your site's security.
Chapter 2 outlines the services users want and need from the Internet, and summarizes the security problems posed by those services.
Chapter 3 outlines the basic security principles an organization needs to understand before it adopts a security policy and invests in specific security mechanisms.

Part II describes how to build firewalls.

Chapter 4 describes the basic network concepts firewalls work with.
Chapter 5 explains the terms and technologies used in building firewalls.
Chapter 6 describes the major architectures used in constructing firewalls, and the situations they are best suited to.
Chapter 7 presents the process of designing a firewall.
Chapter 8 describes how packet filtering systems work, and discusses what you can and can't accomplish with them in building a firewall.
Chapter 9 describes how proxy clients and servers work, and how to use these systems in building a firewall.
Chapter 10 presents a general overview of the process of designing and building the bastion hosts used in many firewall configurations.
Chapter 11 presents the details of designing and building a Unix or Linux bastion host.
Chapter 12 presents the details of designing and building a Windows NT bastion host.

Part III describes how to configure services in the firewall environment.

Chapter 13 describes the general issues involved in selecting and configuring services in the firewall environment.
Chapter 14 discusses basic protocols that are used by multiple services.
Chapter 15 discusses the Web and related services.
Chapter 16 discusses services used for transferring electronic mail and Usenet news.
Chapter 17 discusses the services used for moving files from one place to another.
Chapter 18 discusses services that allow you to use one computer from another computer.
Chapter 19 discusses services that allow people to interact with each other online.
Chapter 20 discusses the services used to distribute information about hosts and users.
Chapter 21 discusses services used to identify users before they get access to resources, to keep track of what sort of access they should have, and to keep records of who accessed what and when.
Chapter 22 discusses other services used to administer machines and networks.
Chapter 23 discusses the remaining two major classes of popular Internet services, databases and games.
Chapter 24 presents two sample configurations for basic firewalls.

Part IV describes how to establish a security policy for your site, maintain your firewall, and handle the security problems that may occur with even the most effective firewalls.

Chapter 25 discusses the importance of having a clear and well-understood security policy for your site, and what that policy should and should not contain. It also discusses ways of getting management and users to accept the policy.
Chapter 26 describes how to maintain security at your firewall over time and how to keep yourself aware of new Internet security threats and technologies.
Chapter 27 describes what to do when a break-in occurs, or when you suspect that your security is being breached.

Part V consists of the following summary appendixes:

Appendix A contains a list of places you can go for further information and help with Internet security: World Wide Web pages, FTP sites, mailing lists, newsgroups, response teams, books, papers, and conferences.
Appendix B summarizes the best freely available firewall tools and how to get them.
Appendix C contains background information on cryptography that is useful to anyone trying to decrypt the marketing materials for security products.

[...]

Posted: 25/03/2014, 10:40
