Firewalls and Internet Security, Second Edition
Addison-Wesley Professional Computing Series
Brian W. Kernighan and Craig Partridge, Consulting Editors

Matthew H. Austern, Generic Programming and the STL: Using and Extending the C++ Standard Template Library
David R. Butenhof, Programming with POSIX® Threads
Brent Callaghan, NFS Illustrated
Tom Cargill, C++ Programming Style
William R. Cheswick/Steven M. Bellovin/Aviel D. Rubin, Firewalls and Internet Security, Second Edition: Repelling the Wily Hacker
David A. Curry, UNIX® System Security: A Guide for Users and System Administrators
Stephen C. Dewhurst, C++ Gotchas: Avoiding Common Problems in Coding and Design
Erich Gamma/Richard Helm/Ralph Johnson/John Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software
Erich Gamma/Richard Helm/Ralph Johnson/John Vlissides, Design Patterns CD: Elements of Reusable Object-Oriented Software
Peter Haggar, Practical Java™ Programming Language Guide
David R. Hanson, C Interfaces and Implementations: Techniques for Creating Reusable Software
Mark Harrison/Michael McLennan, Effective Tcl/Tk Programming: Writing Better Programs with Tcl and Tk
Michi Henning/Steve Vinoski, Advanced CORBA® Programming with C++
Brian W. Kernighan/Rob Pike, The Practice of Programming
S. Keshav, An Engineering Approach to Computer Networking: ATM Networks, the Internet, and the Telephone Network
John Lakos, Large-Scale C++ Software Design
Scott Meyers, Effective C++ CD: 85 Specific Ways to Improve Your Programs and Designs
Scott Meyers, Effective C++, Second Edition: 50 Specific Ways to Improve Your Programs and Designs
Scott Meyers, More Effective C++: 35 New Ways to Improve Your Programs and Designs
Scott Meyers, Effective STL: 50 Specific Ways to Improve Your Use of the Standard Template Library
Robert B. Murray, C++ Strategies and Tactics
David R. Musser/Gillmer J. Derge/Atul Saini, STL Tutorial and Reference Guide, Second Edition: C++ Programming with the Standard Template Library
John K. Ousterhout, Tcl and the Tk Toolkit
Craig Partridge, Gigabit Networking
Radia Perlman, Interconnections, Second Edition: Bridges, Routers, Switches, and Internetworking Protocols
Stephen A. Rago, UNIX® System V Network Programming
Curt Schimmel, UNIX® Systems for Modern Architectures: Symmetric Multiprocessing and Caching for Kernel Programmers
W. Richard Stevens, Advanced Programming in the UNIX® Environment
W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols
W. Richard Stevens, TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX® Domain Protocols
W. Richard Stevens/Gary R. Wright, TCP/IP Illustrated Volumes 1-3 Boxed Set
John Viega/Gary McGraw, Building Secure Software: How to Avoid Security Problems the Right Way
Gary R. Wright/W. Richard Stevens, TCP/IP Illustrated, Volume 2: The Implementation
Ruixi Yuan/W. Timothy Strayer, Virtual Private Networks: Technologies and Solutions

Please see our web site (http://www.awprofessional.com/series/professionalcomputing) for more information about these titles.
Firewalls and Internet Security, Second Edition
Repelling the Wily Hacker
William R. Cheswick
Steven M. Bellovin
Aviel D. Rubin
Addison-Wesley
Boston • San Francisco • New York • Toronto • Montreal
London • Munich • Paris • Madrid • Capetown
Sydney • Tokyo • Singapore • Mexico City
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark
claim, the designations have been printed in initial capital letters or in all capitals.
The authors and publisher have taken care in the preparation of this book, but make no expressed or
implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed
for incidental or consequential damages in connection with or arising out of the use of the information or
programs contained herein.
The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales.
For more information, please contact:
U.S. Corporate and Government Sales
(800)382-3419
[email protected]
For sales outside of the U.S., please contact:
International Sales
(317)581-3793
[email protected]
Visit Addison-Wesley on the Web: www.awprofessional.com
Library of Congress Cataloging-in-Publication Data
Cheswick, William R.
Firewalls and Internet security : repelling the wily hacker / William R. Cheswick, Steven M. Bellovin and Aviel D. Rubin.—2nd ed.
p. cm. Includes bibliographical references and index.
ISBN 020163466X
1. Firewalls (Computer security) I. Bellovin, Steven M. II. Rubin, Aviel D. III. Title.
TK5105.875.I57C44 2003
005.8—dc21
2003000644
Copyright © 2003 by AT&T and Lumeta Corporation
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise,
without the prior consent of the publisher. Printed in the United States of America. Published
simultaneously in Canada.
For information on obtaining permission for use of material from this work, please submit a written
request to:
Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047
ISBN: 0-201-63466-X
Text printed on recycled paper
1 2 3 4 5 6 7 8 9 10—CRS—0706050403
First printing, February 2003
For my mother, Ruth Cheswick, whose maiden name shall not be revealed because this is a
security book, and for my father, Richard Reid Cheswick, who taught me about Monday
mornings, and many other things. And to Terry, Kestrel, and Lorette, who had to put up with
lengthy spates of grumpy editing sessions.
—W.R.C.
To my parents, Sam and Sylvia Bellovin, for everything, and to
Diane, Rebecca, and Daniel, for all the best reasons in the world.
—S.M.B.
To my wife, Ann, my favorite person in the world; and to my children, Elana,
Tamara, and Benny, the three best things that ever happened to me.
—A.D.R.
Contents

Preface to the Second Edition  xiii
Preface to the First Edition  xvii

I  Getting Started  1

1  Introduction  3
1.1  Security Truisms  3
1.2  Picking a Security Policy  7
1.3  Host-Based Security  10
1.4  Perimeter Security  10
1.5  Strategies for a Secure Network  11
1.6  The Ethics of Computer Security  16
1.7  WARNING  18

2  A Security Review of Protocols: Lower Layers  19
2.1  Basic Protocols  19
2.2  Managing Addresses and Names  28
2.3  IP version 6  34
2.4  Network Address Translators  37
2.5  Wireless Security  38

3  Security Review: The Upper Layers  41
3.1  Messaging  41
3.2  Internet Telephony  46
3.3  RPC-Based Protocols  47
3.4  File Transfer Protocols  52
3.5  Remote Login  58
3.6  Simple Network Management Protocol—SNMP  62
3.7  The Network Time Protocol  63
3.8  Information Services  64
3.9  Proprietary Protocols  68
3.10  Peer-to-Peer Networking  69
3.11  The X11 Window System  70
3.12  The Small Services  71

4  The Web: Threat or Menace?  73
4.1  The Web Protocols  74
4.2  Risks to the Clients  79
4.3  Risks to the Server  85
4.4  Web Servers vs. Firewalls  89
4.5  The Web and Databases  91
4.6  Parting Thoughts  91

II  The Threats  93

5  Classes of Attacks  95
5.1  Stealing Passwords  95
5.2  Social Engineering  98
5.3  Bugs and Back Doors  100
5.4  Authentication Failures  103
5.5  Protocol Failures  104
5.6  Information Leakage  105
5.7  Exponential Attacks—Viruses and Worms  106
5.8  Denial-of-Service Attacks  107
5.9  Botnets  117
5.10  Active Attacks  117

6  The Hacker's Workbench, and Other Munitions  119
6.1  Introduction  119
6.2  Hacking Goals  121
6.3  Scanning a Network  121
6.4  Breaking into the Host  122
6.5  The Battle for the Host  123
6.6  Covering Tracks  126
6.7  Metastasis  127
6.8  Hacking Tools  128
6.9  Tiger Teams  132

III  Safer Tools and Services  135

7  Authentication  137
7.1  Remembering Passwords  138
7.2  Time-Based One-Time Passwords  144
7.3  Challenge/Response One-Time Passwords  145
7.4  Lamport's One-Time Password Algorithm  146
7.5  Smart Cards  147
7.6  Biometrics  147
7.7  RADIUS  148
7.8  SASL: An Authentication Framework  149
7.9  Host-to-Host Authentication  149
7.10  PKI  150

8  Using Some Tools and Services  153
8.1  inetd—Network Services  153
8.2  Ssh—Terminal and File Access  154
8.3  Syslog  158
8.4  Network Administration Tools  159
8.5  Chroot—Caging Suspect Software  162
8.6  Jailing the Apache Web Server  165
8.7  Aftpd—A Simple Anonymous FTP Daemon  167
8.8  Mail Transfer Agents  168
8.9  POP3 and IMAP  168
8.10  Samba: An SMB Implementation  169
8.11  Taming Named  170
8.12  Adding SSL Support with Sslwrap  170

IV  Firewalls and VPNs  173

9  Kinds of Firewalls  175
9.1  Packet Filters  176
9.2  Application-Level Filtering  185
9.3  Circuit-Level Gateways  186
9.4  Dynamic Packet Filters  188
9.5  Distributed Firewalls  193
9.6  What Firewalls Cannot Do  194

10  Filtering Services  197
10.1  Reasonable Services to Filter  198
10.2  Digging for Worms  206
10.3  Services We Don't Like  207
10.4  Other Services  209
10.5  Something New  210

11  Firewall Engineering  211
11.1  Rulesets  212
11.2  Proxies  214
11.3  Building a Firewall from Scratch  215
11.4  Firewall Problems  227
11.5  Testing Firewalls  230

12  Tunneling and VPNs  233
12.1  Tunnels  234
12.2  Virtual Private Networks (VPNs)  236
12.3  Software vs. Hardware  242

V  Protecting an Organization  245

13  Network Layout  247
13.1  Intranet Explorations  248
13.2  Intranet Routing Tricks  249
13.3  In Host We Trust  253
13.4  Belt and Suspenders  255
13.5  Placement Classes  257

14  Safe Hosts in a Hostile Environment  259
14.1  What Do We Mean by "Secure"?  259
14.2  Properties of Secure Hosts  260
14.3  Hardware Configuration  265
14.4  Field-Stripping a Host  266
14.5  Loading New Software  270
14.6  Administering a Secure Host  271
14.7  Skinny-Dipping: Life Without a Firewall  277

15  Intrusion Detection  279
15.1  Where to Monitor  280
15.2  Types of IDSs  281
15.3  Administering an IDS  282
15.4  IDS Tools  282

VI  Lessons Learned  285

16  An Evening with Berferd  287
16.1  Unfriendly Acts  287
16.2  An Evening with Berferd  290
16.3  The Day After  294
16.4  The Jail  295
16.5  Tracing Berferd  296
16.6  Berferd Comes Home  298

17  The Taking of Clark  301
17.1  Prelude  302
17.2  CLARK  302
17.3  Crude Forensics  303
17.4  Examining CLARK  304
17.5  The Password File  310
17.6  How Did They Get In?  310
17.7  Better Forensics  311
17.8  Lessons Learned  312

18  Secure Communications over Insecure Networks  313
18.1  The Kerberos Authentication System  314
18.2  Link-Level Encryption  318
18.3  Network-Level Encryption  318
18.4  Application-Level Encryption  322

19  Where Do We Go from Here?  329
19.1  IPv6  329
19.2  DNSsec  330
19.3  Microsoft and Security  330
19.4  Internet Ubiquity  331
19.5  Internet Security  331
19.6  Conclusion  332

VII  Appendixes  333

A  An Introduction to Cryptography  335
A.1  Notation  335
A.2  Secret-Key Cryptography  337
A.3  Modes of Operation  339
A.4  Public Key Cryptography  342
A.5  Exponential Key Exchange  343
A.6  Digital Signatures  344
A.7  Secure Hash Functions  346
A.8  Timestamps  347

B  Keeping Up  349
B.1  Mailing Lists  350
B.2  Web Resources  351
B.3  Peoples' Pages  352
B.4  Vendor Security Sites  352
B.5  Conferences  353

Bibliography  355
List of [title illegible]  389
List of Acronyms  391
Index  397
Preface to the Second Edition
But after a time, as Frodo did not show any sign of writing a book on the spot, the
hobbits returned to their questions about doings in the Shire.
—J.R.R. TOLKIEN, Lord of the Rings
The first printing of the First Edition appeared at the Las Vegas Interop in May, 1994. At that
same show appeared the first of many commercial firewall products. In many ways, the field has
matured since then: You can buy a decent firewall off the shelf from many vendors.
The problem of deploying that firewall in a secure and useful manner remains. We have
studied many Internet access arrangements in which the only secure component was the firewall
itself—it was easily bypassed by attackers going after the "protected" inside machines. Before
the divestiture of AT&T/Lucent/NCR, there were over 300,000 hosts behind at least six firewalls,
plus special access arrangements with some 200 business partners.
Our first edition did not discuss the massive sniffing attacks discovered in the spring of 1994.
Sniffers had been running on important Internet Service Provider (ISP) machines for
months—machines that had access to a major percentage of the ISP's packet flow. By some estimates,
these sniffers captured over a million host name/user name/password sets from passing telnet, ftp,
and rlogin sessions. There were also reports of increased hacker activity on military sites. It's
obvious what must have happened: If you are a hacker with a million passwords in your pocket,
you are going to look for the most interesting targets, and .mil certainly qualifies.
Since the First Edition, we have been slowly losing the Internet arms race. The hackers have
developed and deployed tools for attacks we had been anticipating for years. IP spoofing
[Shimomura, 1996] and TCP hijacking are now quite common, according to the Computer
Emergency Response Team (CERT). ISPs report that attacks on the Internet's infrastructure are
increasing.
There was one attack we chose not to include in the First Edition: the SYN-flooding
denial-of-service attack that seemed to be unstoppable. Of course, the Bad Guys learned about the
attack anyway, making us regret that we had deleted that paragraph in the first place. We still
believe that it is better to disseminate this information, informing saints and sinners at the same
time. The saints need all the help they can get, and the sinners have their own channels of
communication.
Crystal Ball or Bowling Ball?
The first edition made a number of predictions, explicitly or implicitly. Was our foresight accurate?
Our biggest failure was neglecting to foresee how successful the Internet would become. We
barely mentioned the Web and declined a suggestion to use some weird syntax when listing software resources. The syntax, of course, was the URL...
Concomitant with the growth of the Web, the patterns of Internet connectivity vastly increased.
We assumed that a company would have only a few external connections—few enough that they'd
be easy to keep track of, and to firewall. Today's spaghetti topology was a surprise.
We didn't realize that PCs would become Internet clients as soon as they did. We did, however,
warn that as personal machines became more capable, they'd become more vulnerable. Experience has proved us very correct on that point.
We did anticipate high-speed home connections, though we spoke of ISDN, rather than cable
modems or DSL. (We had high-speed connectivity even then, though it was slow by today's
standards.) We also warned of issues posed by home LANs, and we warned about the problems
caused by roaming laptops.
We were overly optimistic about the deployment of IPv6 (which was called IPng back then,
as the choice hadn't been finalized). It still hasn't been deployed, and its future is still somewhat
uncertain.
We were correct, though, about the most fundamental point we made: Buggy host software is
a major security issue. In fact, we called it the "fundamental theorem of firewalls":
Most hosts cannot meet our requirements: they run too many programs that are too
large. Therefore, the only solution is to isolate them behind a firewall if you wish to
run any programs at all.
If anything, we were too conservative.
Our Approach
This book is nearly a complete rewrite of the first edition. The approach is different, and so are
many of the technical details. Most people don't build their own firewalls anymore. There are far
more Internet users, and the economic stakes are higher. The Internet is a factor in warfare.
The field of study is also much larger—there is too much to cover in a single book. One
reviewer suggested that Chapters 2 and 3 could be a six-volume set. (They were originally one
mammoth chapter.) Our goal, as always, is to teach an approach to security. We took far too long
to write this edition, but one of the reasons why the first edition survived as long as it did was that
we concentrated on the concepts, rather than details specific to a particular product at a particular
time. The right frame of mind goes a long way toward understanding security issues and making
reasonable security decisions. We've tried to include anecdotes, stories, and comments to make
our points.
Some complain that our approach is too academic, or too UNIX-centric, that we are too idealistic, and don't describe many of the most common computing tools. We are trying to
teach attitudes here more than specific bits and bytes. Most people have hideously poor computing
habits and network hygiene. We try to use a safer world ourselves, and are trying to convey how
we think it should be.
The chapter outline follows, but we want to emphasize the following:
It is OK to skip the hard parts.
If we dive into detail that is not useful to you, feel free to move on.
The introduction covers the overall philosophy of security, with a variety of time-tested maxims. As in the first edition, Chapter 2 discusses most of the important protocols, from a security
point of view. We moved material about higher-layer protocols to Chapter 3. The Web merits a
chapter of its own.
The next part discusses the threats we are dealing with: the kinds of attacks in Chapter 5, and
some of the tools and techniques used to attack hosts and networks in Chapter 6.
Part III covers some of the tools and techniques we can use to make our networking world
safer. We cover authentication tools in Chapter 7, and safer network servicing software in Chapter 8.
Part IV covers firewalls and virtual private networks (VPNs). Chapter 9 introduces various
types of firewalls and filtering techniques, and Chapter 10 summarizes some reasonable policies
for filtering some of the more essential services discussed in Chapter 2. If you don't find advice
about filtering a service you like, we probably think it is too dangerous (refer to Chapter 2).
Chapter 11 covers a lot of the deep details of firewalls, including their configuration, administration, and design. It is certainly not a complete discussion of the subject, but should give
readers a good start. VPN tunnels, including holes through firewalls, are covered in some detail
in Chapter 12. There is more detail in Chapter 18.
In Part V, we apply these tools and lessons to organizations. Chapter 13 examines the problems and practices on modern intranets. See Chapter 15 for information about deploying a
hacking-resistant host, which is useful in any part of an intranet. Though we don't especially like
intrusion detection systems (IDSs) very much, they do play a role in security, and are discussed in
Chapter 15.
The last part offers a couple of stories and some further details. The Berferd chapter is largely
unchanged, and we have added "The Taking of Clark," a real-life story about a minor break-in
that taught useful lessons.
Chapter 18 discusses secure communications over insecure networks, in quite some detail.
For even further detail, Appendix A has a short introduction to cryptography.
The conclusion offers some predictions by the authors, with justifications. If the predictions
are wrong, perhaps the justifications will be instructive. (We don't have a great track record as
prophets.) Appendix B provides a number of resources for keeping up in this rapidly changing
field.
Errata and Updates
Everyone and everything seems to have a Web site these days; this book is no exception. Our
"official" Web site is http://www.wilyhacker.com. We'll post an errata list there; we'll
also keep an up-to-date list of other useful Web resources. If you find any errors—we hope there
aren't many—please let us know via e-mail at [email protected].
Acknowledgments
For many kindnesses, we'd like to thank Joe Bigler, Steve "Hollywood" Branigan, Hal Burch,
Brian Clapper, David Crocker, Tom Dow, Phil Edwards and the Internet Public Library, Anja
Feldmann, Karen Gettman, Brian Kernighan, David Korman, Tom Limoncelli, Norma Loquendi,
Cat Okita, Robert Oliver, Vern Paxson, Marcus Ranum, Eric Rescorla, Guido van Rooij, Luann
Rouff (a most excellent copy editor), Abba Rubin, Peter Salus, Glenn Sieb, Karl Siil (we'll always
have Boston), Irina Strizhevskaya, Rob Thomas, Win Treese, Dan Wallach, Frank Wojcik, Avishai
Wool, Karen Yannetta, and Michal Zalewski, among many others.
BILL CHESWICK
STEVE BELLOVIN
AVI RUBIN
avi@rubin.net
Preface to the First Edition
It is easy to run a secure computer system. You merely have to disconnect all dial-up
connections and permit only direct-wired terminals, put the machine and its terminals
in a shielded room, and post a guard at the door.
— F.T. GRAMPP AND R.H. MORRIS
Of course, very few people want to use such a host...
—THE WORLD
For better or for worse, most computer systems are not run that way today. Security is, in general,
a trade-off with convenience, and most people are not willing to forgo the convenience of remote
access via networks to their computers. Inevitably, they suffer from some loss of security. It is
our purpose here to discuss how to minimize the extent of that loss.
The situation is even worse for computers hooked up to some sort of network. Networks are
risky for at least three major reasons. First, and most obvious, more points now exist from which
an attack can be launched. Someone who cannot get to your computer cannot attack it; by adding
more connection mechanisms for legitimate users, you are also adding more vulnerabilities.
A second reason is that you have extended the physical perimeter of your computer system.
In a simple computer, everything is within one box. The CPU can fetch authentication data from
memory, secure in the knowledge that no enemy can tamper with it or spy on it. Traditional
mechanisms—mode bits, memory protection, and the like—can safeguard critical areas. This is
not the case in a network. Messages received may be of uncertain provenance; messages sent are
often exposed to all other systems on the net. Clearly, more caution is needed.
The third reason is more subtle, and deals with an essential distinction between an ordinary
dial-up modem and a network. Modems, in general, offer one service, typically the ability to
log in. When you connect, you're greeted with a login or Username prompt; the ability to
do other things, such as sending mail, is mediated through this single choke point. There may
be vulnerabilities in the login service, but it is a single service, and a comparatively simple one.
Networked computers, on the other hand, offer many services: login, file transfer, disk access,
remote execution, phone book, system status, etc. Thus, more points are in need of protection—
points that are more complex and more difficult to protect. A networked file system, for example,
cannot rely on a typed password for every transaction. Furthermore, many of these services were
developed under the assumption that the extent of the network was comparatively limited. In
an era of globe-spanning connectivity, that assumption has broken down, sometimes with severe
consequences.
Networked computers have another peculiarity worth noting: they are generally not singular
entities. That is, it is comparatively uncommon, in today's environment, to attach a computer to
a network solely to talk to "strange" computers. Organizations own a number of computers, and
these are connected to each other and to the outside world. This is both a bane and a blessing:
a bane, because networked computers often need to trust their peers, and a blessing, because the
network may be configurable so that only one computer needs to talk to the outside world. Such
dedicated computers, often called "firewall gateways," are at the heart of our suggested security
strategy.
Our purpose here is twofold. First, we wish to show that this strategy is useful. That is,
a firewall, if properly deployed against the expected threats, will provide an organization with
greatly increased security. Second, we wish to show that such gateways are necessary, and that
there is a real threat to be dealt with.
Audience
This book is written primarily for the network administrator who must protect an organization
from unhindered exposure to the Internet. The typical reader should have a background in system
administration and networking. Some portions necessarily get intensely technical. A number of
chapters are of more general interest.
Readers with a casual interest can safely skip the tough stuff and still enjoy the rest
of the book.
We also hope that system and network designers will read the book. Many of the problems we
discuss are the direct result of a lack of security-conscious design. We hope that newer protocols
and systems will be inherently more secure.
Our examples and discussion unabashedly relate to UNIX systems and programs. UNIX-style
systems have historically been the leaders in exploiting and utilizing the Internet. They still tend
to provide better performance and lower cost than various alternatives. Linux is a fine operating
system, and its source code is freely available. You can see for yourself how things work, which
can be quite useful in this business.
But we are not preaching UNIX here—pick the operating system you know best: you are
less likely to make a rookie mistake with it. But the principles and philosophy apply to network
gateways built on other operating systems, or even to a run-time system like MS-DOS.
Our focus is on the TCP/IP protocol suite, especially as used on the Internet. This is not because TCP/IP has more security problems than other protocol stacks—we doubt that very
much—rather, it is a commentary on the success of TCP/IP. Fans of XNS, DECnet, SNA,
NetWare, and
others have to concede that TCP/IP has won the hearts and minds of the world by nearly any measure you can name. Most of these won't vanish—indeed, many are now carried over IP links, just
as ATM almost always carries IP. By far, it is the heterogeneous networking protocol of choice,
not only on workstations, for which it is the native tongue, but on virtually all machines, ranging
from desktop personal computers to the largest supercomputers.
Much of the advice we offer in this book is the result of our experiences with our companies'
intranets and firewalls. Most of the lessons we have learned are applicable to any network with
similar characteristics. We have read of serious attacks on computers attached to public X.25 data
networks. Firewalls are useful there, too, although naturally they would differ in detail.
This is not a book on how to administer a system in a secure fashion, although we do make
some suggestions along those lines. Numerous books on that topic already exist, such as [Farrow,
1991], [Garfinkel and Spafford, 1996], and [Curry, 1992]. Nor is this a cookbook to tell you how
to administer various packaged firewall gateways. The technology is too new, and any such work
would be obsolete before it was even published. Rather, it is a set of guidelines that, we hope,
both defines the problem space and roughly sketches the boundaries of possible solution spaces.
We also describe how we constructed our latest gateway, and why we made the decisions we did.
Our design decisions are directly attributable to our experience in detecting and defending against
attackers.
On occasion, we speak of "reports" that something has happened. We make apologies for the
obscurity. Though we have made every effort to document our sources, some of our information
comes from confidential discussions with other security administrators who do not want to be
identified. Network security breaches can be very embarrassing, especially when they happen to
organizations that should have known better.
Terminology
You keep using that word. I don't think it means what you think it means.
Inigo Montoya in The Princess Bride
—WILLIAM GOLDMAN [GOLDMAN, 1998]
Before we proceed further, it is worthwhile making one comment on terminology. We have
chosen to call the attackers "hackers." To some, this choice is insulting, a slur by the mass media
on the good name of many thousands of creative programmers. That is quite true. Nevertheless,
the language has changed. Bruce Sterling expressed it very well [Sterling, 1992, pages 55-56]:
The term "hacking" is used routinely today by almost all law enforcement officials with any
professional interest in computer fraud and abuse. American police describe almost any crime
committed with, by, through, or against a computer as hacking.
Most important, "hacker" is what computer intruders choose to call themselves. Nobody who
hacks into systems willingly describes himself (rarely, herself) as a "computer intruder," "computer trespasser," "cracker," "wormer," "dark-side hacker," or "high-tech street gangster." Sev-