Firewalls and Internet Security: Repelling the Wily Hacker
Written by the people responsible for designing and maintaining AT&T's Internet gateway, this is the definitive description and practical guide to protecting networks from hacker attacks. The book shows how to set up a "firewall" gateway--a dedicated computer equipped with safeguards that acts as a single, more easily defended Internet connection.
Contents
Introduction
1.2 Picking a Security Policy
1.3 Host-Based Security
1.5 Strategies for a Secure Network
1.6 The Ethics of Computer Security
1.7 WARNING
A Security Review of Protocols: Lower Layers
2.2 Managing Addresses and Names
2.3 IP version 6
2.4 Network Address Translators
2.5 Wireless Security
Security Review: The Upper Layers
3.2 Internet Telephony
3.3 RPC-Based Protocols
3.4 File Transfer Protocols
3.5 Remote Login
3.6 Simple Network Management Protocol: SNMP
3.7 The Network Time Protocol
3.8 Information Services
3.9 Proprietary Protocols
3.10 Peer-to-Peer Networking
3.11 The X11 Window System
3.12 The Small Services
The Web: Threat or Menace?
4.1 The Web Protocols
4.2 Risks to the Clients
4.3 Risks to the Server
4.4 Web Servers vs. Firewalls
4.5 The Web and Databases
The Threats
Classes of Attacks
5.2 Social Engineering
5.3 Bugs and Back Doors
5.4 Authentication Failures
5.5 Protocol Failures
5.6 Information Leakage
5.7 Exponential Attacks: Viruses and Worms
5.8 Denial-of-Service Attacks
5.9 Botnets
The Hacker's Workbench, and Other Munitions
6.2 Hacking Goals
6.4 Breaking into the Host
6.5 The Battle for the Host
6.6 Covering Tracks
6.7 Metastasis
6.8 Hacking Tools
6.9 Tiger Teams
Safer Tools and Services
Authentication
7.1 Remembering Passwords
7.2 Time-Based One-Time Passwords
7.3 Challenge/Response One-Time Passwords
7.4 Lamport's One-Time Password Algorithm
7.5 Smart Cards
7.7 RADIUS
An Authentication Framework
7.10 PKI
Using Some Tools and Services
8.2 Ssh: Terminal and File Access
8.3 Syslog
8.4 Network Administration Tools
8.5 Chroot: Caging Suspect Software
8.6 Jailing the Apache Web Server
8.7 Aftpd: A Simple Anonymous FTP Daemon
8.8 Mail Transfer Agents
An SMB Implementation
8.11 Taming Named
Firewalls and VPNs
Kinds of Firewalls
9.1 Packet Filters
9.2 Application-Level Filtering
9.3 Circuit-Level Gateways
9.4 Dynamic Packet Filters
9.5 Distributed Firewalls
9.6 What Firewalls Cannot Do
Filtering Services
10.1 Reasonable Services to Filter
10.2 Digging for Worms
10.3 Services We Don't Like
10.4 Other Services
10.5 Something New
Firewall Engineering
11.1 Rulesets
11.2 Proxies
11.3 Building a Firewall from Scratch
11.4 Firewall Problems
11.5 Testing Firewalls
Tunneling and VPNs
12.1 Tunnels
12.2 Virtual Private Networks (VPNs)
12.3 Software vs. Hardware
Protecting an Organization
Network Layout
13.1 Intranet Explorations
13.2 Intranet Routing Tricks
13.3 In Host We Trust
13.4 Belt and Suspenders
13.5 Placement Classes
Safe Hosts in a Hostile Environment
14.2 Properties of Secure Hosts
14.3 Hardware Configuration
14.4 Field-Stripping a Host
14.5 Loading New Software
14.6 Administering a Secure Host
Life Without a Firewall
Intrusion Detection
15.1 Where to Monitor
15.2 Types of IDSs
15.3 Administering an IDS
Lessons Learned
An Evening with Berferd
16.2 An Evening with Berferd
16.3 The Day After
16.4 The Jail
16.5 Tracing Berferd
16.6 Berferd Comes Home
The Taking of Clark
17.1 Prelude
17.3 Crude Forensics
17.4 Examining CLARK
17.5 The Password File
17.7 Better Forensics
17.8 Lessons Learned
Secure Communications over Insecure Networks
18.1 The Kerberos Authentication System
18.2 Link-Level Encryption
18.4 Application-Level Encryption
Where Do We Go from Here?
19.2 DNSsec
19.4 Internet Ubiquity
19.6 Conclusion
Appendixes
An Introduction to Cryptography
A.2 Secret-Key Cryptography
A.3 Modes of Operation
A.4 Public Key Cryptography
A.5 Exponential Key Exchange
A.6 Digital Signatures
A.7 Secure Hash Functions
A.8 Timestamps
Keeping Up
B.1 Mailing Lists
B.2 Web Resources
B.3 People's Pages
B.5 Conferences
Bibliography
List of s
List of Acronyms
Other editions
Firewalls And Internet Security: Repelling The Wily Hacker, 2/E, William R. Cheswick, 2003
Common terms and phrases
algorithm allow application authentication Bellovin Berferd block browser bugs bytes CERT Advisory chroot Cited client command configuration connection cryptographic database denial-of-service attack destination dynamic packet filter e-mail encryption Engineering Task Force example file system firewall FreeBSD gateway machine hackers hacking hardware host ICMP implement inetd input inside installed interface internal Internet Engineering Task intranet IP address ipchains IPsec IPv6 JavaScript Kerberos layer login mechanism one-time password operating system options packet filter password file POP3 port number problem protect proto protocol proxy public key queries relay rlogin root router routing rules ruleset scripts Section security holes security policy sendmail sequence number server session SMTP someone system administrator TCP/IP telnet traffic trust tunnel UNIX Web server