
Building internet firewalls: Part 2

Pages: 333      File type: pdf      Size: 4.88 MB      Views: 20      Downloads: 0
Hoai.2512


Document information:

Continuing from Part 1 of the Pc Underground document series, in Part 2 you will go on to learn about related topics such as the following. This part of the book describes the details of how to configure Internet services in a firewall environment. It presents general principles and then describes the details for nearly a hundred specific services. It concludes with two extended examples of configurations for sample firewalls.
Content extracted from the document:
Building Internet Firewalls

Part III: Internet Services

This part of the book describes the details of how to configure Internet services in a firewall environment. It presents general principles and then describes the details for nearly a hundred specific services. It concludes with two extended examples of configurations for sample firewalls.

Chapter 13. Internet Services and Firewalls

This chapter gives an overview of the issues involved in using Internet services through a firewall, including the risks involved in providing services and the attacks against them, ways of evaluating implementations, and ways of analyzing services that are not detailed in this book.

The remaining chapters in Part III describe the major Internet services: how they work, what their packet filtering and proxying characteristics are, what their security implications are with respect to firewalls, and how to make them work with a firewall. The purpose of these chapters is to give you the information that will help you decide which services to offer at your site and to help you configure these services so they are as safe and as functional as possible in your firewall environment. We occasionally mention things that are not, in fact, Internet services but are related protocols, languages, or APIs that are often used in the Internet context or confused with genuine Internet services.

These chapters are intended primarily as a reference; they're not necessarily intended to be read in depth from start to finish, though you might learn a lot of interesting stuff by skimming this whole part of the book.

At this point, we assume that you are familiar with what the various Internet services are used for, and we concentrate on explaining how to provide those services through a firewall. For introductory information about what particular services are used for, see Chapter 2.

Where we discuss the packet filtering characteristics of particular services, we use the same abstract tabular form we used to show filtering rules in Chapter 8. You'll need to translate various abstractions like "internal", "external", and so on to appropriate values for your own configuration. See Chapter 8 for an explanation of how you can translate abstract rules to rules for particular products and packages, as well as more information on packet filtering in general.

Where we discuss the proxy characteristics of particular services, we rely on concepts and terminology discussed in Chapter 9.

Throughout the chapters in Part III, we'll show how each service's packets flow through a firewall. The following figures show the basic packet flow: when a service runs directly (Figure 13.1) and when a proxy service is used (Figure 13.2). The other figures in these chapters show variations of these figures for individual services. If there are no specific figures for a particular service, you can assume that these generic figures are appropriate for that service.

Figure 13.1. A generic direct service

Figure 13.2. A generic proxy service

We frequently characterize client port numbers as "a random port number above 1023". Some protocols specify this as a requirement, and on others, it is merely a convention (spread to other platforms from Unix, where ports below 1024 cannot be opened by regular users). Although it is theoretically allowable for clients to use ports below 1024 on non-Unix platforms, it is extraordinarily rare: rare enough that many firewalls, including ones on major public sites that handle clients of all types, rely on this distinction and report never having rejected a connection because of it.

13.1 Attacks Against Internet Services

As we discuss Internet services and their configuration, certain concepts are going to come up repeatedly. These reflect the process of evaluating exactly what risks a given service poses. These risks can be roughly divided into two categories - first, attacks that involve making allowed connections between a client and a server, including: • C ...
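The excerpt above says that filtering rules are written in an abstract tabular form ("internal", "external", "a random port number above 1023") and that firewalls lean on the above-1023 convention. The following is an added example, not code from the book or its authors, that evaluates a small rule table of that shape against constructed packets. The Rule and Packet fields, the first-match evaluate helper, the sample HTTP rule set and the use of the TCP ACK flag to tell replies from new connections are all assumptions made for this example; the page itself does not describe them.

```python
# Added example (not from the book): evaluating packet-filtering rules written in
# the abstract tabular style the text refers to ("internal", "external",
# "a random port above 1023"). The rule set and packets are constructed here for
# illustration; the ACK-bit check is a standard TCP filtering technique assumed
# for the example, not something this excerpt describes.
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    direction: str         # "in" (toward the internal net) or "out"
    src: str               # "internal", "external" or "any" (abstract addresses)
    dst: str
    protocol: str          # "tcp", "udp" or "any"
    src_port: str          # ">1023", an exact port such as "80", or "any"
    dst_port: str
    ack: Optional[bool]    # True = ACK must be set, False = must be clear, None = don't care
    action: str            # "permit" or "deny"


@dataclass
class Packet:
    direction: str
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int
    ack: bool = False      # TCP ACK flag; ignored for non-TCP packets


def port_matches(spec: str, port: int) -> bool:
    """Match a port against an abstract port column from a rule table."""
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """A rule matches only if every column of the table agrees with the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.src not in ("any", pkt.src) or rule.dst not in ("any", pkt.dst):
        return False
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if not port_matches(rule.src_port, pkt.src_port):
        return False
    if not port_matches(rule.dst_port, pkt.dst_port):
        return False
    if rule.ack is not None and pkt.protocol == "tcp" and rule.ack != pkt.ack:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation with a deny-by-default policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule table: let internal clients reach external HTTP servers, and
# let only the replies (ACK set) come back to the client's high port.
HTTP_RULES = [
    Rule("out", "internal", "external", "tcp", ">1023", "80", None, "permit"),
    Rule("in", "external", "internal", "tcp", "80", ">1023", True, "permit"),
]


def demo() -> List[str]:
    """Decisions for four constructed packets, in order."""
    packets = [
        # 1. client on a random high port opens a connection to a web server
        Packet("out", "internal", "external", "tcp", 40000, 80),
        # 2. the server's reply, ACK set, back to that high port
        Packet("in", "external", "internal", "tcp", 80, 40000, ack=True),
        # 3. inbound segment from source port 80 without ACK: a new connection, not a reply
        Packet("in", "external", "internal", "tcp", 80, 40000, ack=False),
        # 4. inbound from port 80 to a low port (23): fails the ">1023" column
        Packet("in", "external", "internal", "tcp", 80, 23, ack=True),
    ]
    return [evaluate(HTTP_RULES, p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth packet shows why the above-1023 convention matters to a filter: because the reply rule only admits traffic to high ports, a packet aimed at a service on a low port does not slip through as though it were a reply to a client, and the third packet shows that the source-port column alone is not enough to identify a reply, which is why the ACK column is part of the table.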
