Académique Documents
Professionnel Documents
Culture Documents
Contents
Internet Firewalls
Information Gathering
Service-Dependent Filtering
Service-Independent Filtering
Bastion Host
10
11
11
11
12
13
Summary
14
References
15
A Technology Overview
By Chuck Semeria
Chuck Semeria has worked for
3Com for the past six years. In
his position as a marketing
engineer in the network
systems division, he develops
classroom and independent
study courses for the education services department
in the customer services
organization.
Internet Firewalls
An Internet firewall is a system or group of
systems that enforces a security policy
between an organizations network and the
Internet. The firewall determines which
inside services may be accessed from the
outside, which outsiders are permitted access
Secu
d line
et
Intern ewall
fir ystem
s
ice
te off
Remo
Lease
e
Fram
Relay
rate H
Corpo
ms
Mode
efens
eter d
erim
rity p
ernet
nt
The I
ice
te off
Remo
et
ntern
The I
et
Intern ewall
fir ystem
s
twork
te ne
Priva
ole
rity h
Secu
efens
ter d
erime
rity p
Secu
te
Priva k
or
netw
SLIP
et
Intern ewall
fir ystem
s
Glossary
Back door
A security hole in a compromised system that allows
continued access to the system
by an intruder even if the
original attack is discovered.
et
Internervice r
s
e
provid
et
ntern
The I
Bastion host
A designated Internet firewall
system specifically armored
and protected against attacks.
Circuit-level gateway
A specialized function that
relays TCP connections without
performing any additional
packet processing or filtering.
Internet firewall
A system or group of systems
that enforces an access control
policy between an organizations network and the
Internet.
Packet filtering
A feature that allows a router
to make a permit/deny decision
for each packet based on the
packet header information that
is made available to the IP forwarding process.
Proxy service
Special-purpose, applicationlevel code installed on an
Internet firewall gateway. The
proxy service allows the
network administrator to permit
or deny specific applications or
specific features of an application.
Trojan horse
A packet sniffer that hides its
sniffing activity. These packet
sniffers can collect account
names and passwords for
Internet services, allowing a
hacker to gain unauthorized
access to other machines.
After information about the targeted organizations network is gathered, the hacker
attempts to probe each host for security weaknesses. There are a number of tools that a
hacker can use to automatically scan the individual hosts residing on a network; for example:
Since the list of known service vulnerabilities is rather short, a knowledgeable
hacker can write a small program that
attempts to connect to specific service ports
on a targeted host. The output of the
program is a list of hosts that support
services that are exposed to attack.
There are several publicly available tools,
such as the Internet Security Scanner (ISS)
or the Security Analysis Tool for Auditing
Networks (SATAN), that scan an entire
domain or subnetwork and look for security
holes. These programs determine the weaknesses of each system with respect to several
common system vulnerabilities. Intruders
use the information collected from these
scans to gain unauthorized access to the
targeted organizations systems.
A clever network administrator can use
these tools within their private network to
discover potential security weaknesses and
determine which hosts need to be updated with
new software patches.
Accessing Protected Systems
Acronyms
CERT
Computer Emergency Response
Team
DNS
Domain Name Service
FAQ
Frequently Asked Questions
FTP
File Transfer Protocol
ICMP
Internet Control Message
Protocol
ISP
Internet service provider
ISS
Internet Security Scanner
NAT
Network Address Translator
PCMCIA
Personal Computer Memory
Card International Association
PPP
Point-to-Point Protocol
RFC
Request for Comment
SATAN
Security Analysis Tool for
Auditing Networks
SLIP
Serial Line Internet Protocol
SMTP
Simple Mail Transfer Protocol
TCP
Transmission Control Protocol
UDP
User Datagram Protocol
Everything not specifically denied is permitted. This stance assumes that a firewall
should forward all traffic, and that each
potentially harmful service should be shut
off on a case-by-case basis. This approach
creates a more flexible environment, with
more services available to the user community. The disadvantage is that it puts
ease of use ahead of security, putting the
network administrator in a reactive mode
and making it increasingly difficult to
provide security as the size of the protected
network grows.
twork
te ne
Priva
et
ntern
The I
etPack
g
filterin
r
route
Secu
efens
eter d
erim
rity p
There are certain types of attacks that are difficult to identify using basic packet header
information because the attacks are service
independent. Routers can be configured to
protect against these types of attacks, but
they are more difficult to specify since the
filtering rules require additional information
that can be learned only by examining the
routing table, inspecting for specific IP
options, checking for a special fragment
offset, and so on. Examples of these types of
attacks include:
Source IP Address Spoofing Attacks. For this
type of attack, the intruder transmits packets
from the outside that pretend to originate from
an internal host: the packets falsely contain the
source IP address of an inside system. The
Insid
vel ga
FTP Out
In proxy
t
Telne Out
In proxy
tion-le
ca
Appli
de
Outsi
xy
t-pro
Clien ction
e
n
con
y
tewa
er
-serv
Proxy ection
n
con
ver
e ser
Insid
nt
e clie
Outsid
10
nectio
e con
Outsid
tewa
vel ga
it-le
Circu
Out
Insid
In
Out
nectio
e con
In
e hos
Insid
In
Out
e hos
Outsid
11
etPack
g
filterin
r
route
e
utsid
Insid
twork
te ne
Priva
et
ntern
The I
Insid
n
Bastio
host
de
Outsi
et
ntern
The I
etPack
g
filterin
r
route
ation
Inform er
r
se v
12
te
Priva sts
o
ork h
netw
Insid
n
Bastio
host
te
Priva sts
o
ork h
w
t
e
n
de
Outsi
nt
The I
ation
Inform er
serv
etPack
g
r
e
t
fil in
r
route
ernet
n
Bastio
host
e
Insid
r
route
twork
te ne
Priva
Insid
ms
Mode
DMZ
tside
Ou
et
ntern
The I
e
Outsid
r
route
ation
Inform er
serv
13
14
References
Textbooks
http://lcweb.loc.gov/global/internet/
security.html
Library of Congress page containing
links to documents on computer security.
http://www.telstra.com.au/pub/docs/security/
Telstra page containing links to documents on computer security.
15
References (Continued)
http://mls.saic.com/docs.html
Science Applications International
Corporations (SAIC) page containing
links to documents on computer security.
http://burgau.inesc.pt/docs/security/firewall/
index.html
General index page containing links to
documents on firewalls.
http://csrc.ncsl.nist.gov/first/resources/
from-cd95/pap.htm
Forum of Incident Response and
Security Teams (FIRST) page containing links to documents on network
security.
http://burgau.inesc.pt/docs/security/
IP-security/index.html
General index page containing links to
documents on IP security.
http://web1.cohesive.com/original/centri/
info.htm#applevel
Cohesive Systems page containing links
to documents on network security.
http://www.netsurf.com/nsf/v01/01/resource/
firewall.html
General index page containing links to
documents on firewalls.
16
ftp://ftp.uni-paderborn.de/doc/FAQ/comp.
security.misc/
General index page containing links to
security-related Frequently Asked
Questions (FAQs).
3Com Corporation
P.O. Box 58145
5400 Bayfront Plaza
Santa Clara, CA
95052-8145
Phone: 800-NET-3Com
or 408-764-5000
Fax: 408-764-5001
World Wide Web:
http://www.3com.com
3Com ANZA
ANZA East
Phone: 61 2 9937 5000
Fax: 61 2 9956 6247
ANZA West
Phone: 61 3 9653 9515
Fax: 61 3 9653 9505
3Com Asia Limited
Beijing, China
Phone: 8610 8492568
Fax: 8610 8492789
Shanghai, China
Phone: 86 21 3740220
Ext. 6115
Fax: 86 21 3552079
Hong Kong
Phone: 852 2501 1111
Fax: 852 2537 1149
Indonesia
Phone: 6221 523 9181
Fax: 6221 523 9156
Korea
Phone: 82 2 319 4711
Fax: 82 2 319 4710
Malaysia
Phone: 60 3 732 7910
Fax: 60 3 732 7912
Singapore
Phone: 86 21 6374 0220
Ext. 6155
Fax: 86 21 6355 2079
Taiwan
Phone: 886 2 377 5850
Fax: 886 2 377 5860
Thailand
Phone: 622 231 8151 2
Fax: 622 231 8121
Poland
Phone: 48 22 6451351
Fax: 48 22 6451352
Switzerland
Phone: 41 31 9984555
Fax: 41 31 9984550
3Com Ireland
Phone: 353 1 820 7077
Fax: 353 1 820 7107
3Com Canada
Calgary
Phone: 403 265 3266
Fax: 403 265 3268
Montreal
Phone: 514 874 8008
Fax: 514 393 1249
Toronto
Phone: 416 498 3266
Fax: 416 498 1262
Vancouver
Phone: 604 434 3266
Fax: 604 434 3264
3Com European HQ
Phone: 44 1628 897000
Fax: 44 1628 897041
3Com France
Phone: 33 1 69 86 68 00
Fax: 33 1 69 07 11 54
3Com GmbH
Germany
Phone: 49 89 627320
Fax: 49 89 62732233
Berlin
Phone: 49 30 3498790
Fax: 49 30 34987999
3Com Japan
Phone: 81 3 3345 7251
Fax: 81 3 3345 7261
3Com Latin America
U.S. Headquarters
Phone: 408-764-6075
Fax: 408-764-5730
Argentina
Phone: 541 815 7164
Fax: 541 815 7165
Brazil
Phone: 55 11 546 0869
Fax: 55 11 246 6813
Chile
Phone: 562 633 9242
Fax: 562 633 8935
Colombia
Phone: 571 618 4584
Fax: 571 618 4534
Mexico
Phone: 525 520 7841
Fax: 525 520 7837
3Com Mediterraneo
Milano, Italy
Phone: 39 2 253011
Fax: 39 2 27304244
Rome, Italy
Phone: 39 6 5917756
Fax: 39 6 5918969
Spain
Phone: 34 1 3831700
Fax: 34 1 3831703
3Com Middle East
Phone: 971 4 349049
Fax: 971 4 349803
3Com Nordic AB
Sweden
Phone: 46 8 632 91 00
Fax: 46 8 632 09 05
Norway
Phone: 47 22 18 40 03
Fax: 47 22 18 23 85
Denmark
Phone: 45 33 37 71 17
Fax: 45 33 32 43 70
Finland
Phone: 358 0 435 420 67
Fax: 358 0 435 422 00
3Com South Africa
Phone: 27 11 803 7404/5
Fax: 27 11 803 7411
3Com UK Ltd.
Buckinghamshire
Phone: 44 1628 897000
Fax: 44 1628 897003
Manchester
Phone: 44 161 873 7717
Fax: 44 161 873 8053
Scotland
Phone: 44 131 220 8228
Fax: 44 131 226 1410
1996 3Com Corporation. All rights reserved. 3Com is a publicly owned corporation (NASDAQ.COMS). 3Com is a registered trademark of 3Com Corporation. Other
brand and product names may be trademarks or registered trademarks of their respective owners.
Printed in U.S.A.
500619-001 7/96