Tài liệu Firewalls and internet security, second edition phần 1

Firewalls and Internet Security, Second Edition Addison-Wesley Professional Computing Series ____________ Brian W, Kernighan and Craig Partridge, Consulting Editors Matthew H. Austern, Generic Programming and the STL: Using and Extending the C++ Standard Template Library David R. Butenhof, Programming with POSIX® Threads Brent Callaghan, NFS Illustrated Tom Cargill, C++ Programming Style William R. Cheswick/Steven M. Bellovin/Aviel D. Rubin, Firewalls and Internet Security, Second Edition: Repelling the Wily Hacker David A. Curry, UNIX® System Security: A Guide for Lifers and System Administrators Stephen C, Dewhurst, C++ Gotchas: Avoiding Common Problems in Coding and Design Erich Gamma/Richard Helm/Ralph Johnson/John Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software Erich Gaimn a /Richard Htlm/Raiph Johnson/John Vlissides, Design Patterns CD: Elements of Reusable Object-Oriented Software Pettr Haggar, Practical Java"'1 Programming Language Guide David R. Hanson, C Interfaces and Implementations: Techniques for Creating Reusable Software Mark Harrison/Michael McLennan, Effective Tcl/Tk Programming: Writing Better Programs with Tel and Tk Michi Henning /Steve Virioski, Advanced CORBA® Programming with C++ Brian W. Kemighan/Rob Pike, The Practice of Programming 5 Keshav, An Engineering Approach to Computer Networking: ATM Networks, the Internet, and the Telephone Network John Lakos, Large^Scale C++ Software Desig)> Scott Meyers, Effective C++ CD; 85 Specific Ways to Improiv Your Programs and Designs Scott Meyers, Effective C++, Second Edition: 50 Specific Ways to Improve Your Programs and Designs Scott Meyers, More Effective C++: 35 New Ways to Imprviv Your Programs and Designs Scott Meyers, Effective STL: 50 Specific Ways to Improve Your U.« of the Standard Template Library Robert B. Murray, C++ Strategies and Tactics David R. Musser/Gillmer ]. Derge/Atul Saini, STL Tutorial and Reference Guide, Second Edition: C++ Programming with the Standard Template Library John K. Ousterhout, Td and the Tk Toolkit Craig Partridge, Gigabit Networking Radia Periman, Interconnections, Second F.ditiott: Bridges, Routers, Switches, and Internetworking Protocols Stephen A. Rftgo, UNIX® System V Network Programming Curt Schimmel, UNIX® Systems for Modern Architectures: Symmetric Multifjrocessing and Caching for Kernel Programmers W. Richard Stevens, Advai\ced Programming iti the UNIX® Environment W Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols W. Richard Stevens, TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, WWTP, and the UNIX® Domain Protocols W. Richard Stevens/Gary R. Wright, TCP/IP Illustrated Volumes 1-3 Boxed Set John Viega/Gary McCraw, Building Secure Software: How to Avoid Security Problems the Right Way Gary R. Wright/W. Richard Stevens, TCP/IP Illustrated, Volume 2: The Implementation Ruixi Yuan/ W. Timothy Strayer, Virtual Private Networks: Technologies and Solutions Please see our web site (httpV/ www.awprofessional.com /series/professionalcomputing) for more information about these titles. Firewalls and Internet Security, Second Edition Repelling the Wily Hacker William R. Cheswick Steven M. Bellovin Aviel D. Rubin Addi son-Wesley Boston • San Francisco * New York • Toronto • Montreal London • Munich * Paris • Madrid Capetown • Sydney • Tokyo • Singapore • Mexico City Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals. The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein. The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact: U.S. Corporate and Government Sales (800)382-3419 co jpsa le s @ pearsontechgroup. com For sales outside of the U.S., please contact: International Sales (317)581-3793 [email protected] Visit Addison-Weslev on the Web: www.awprofessional.com Library uf Congress Catuhging-in-Publication Data Cheswick, William R. Firewalls and Internet security : repelling the wily hacker /William R. Cheswick, Steven M. Bellovin and Aviel D, Rubin.— 2nd ed, p. cm. Includes bibliographical references and index. ISBN 020163466X 1, Firewalls (Computer security) I. Bellovin, Steven M. II. Rubin, Aviel D. III. Title. TK5105.875.I57C44 2003 005.&—dc21 2003000644 Copyright © 2003 by AT&T and Lumeta Corproation All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada. For information on obtaining permission for use of material from this work, please submit a written request to: Pearson Education, Inc. Rights and Contracts Department 75 Arlington Street, Suite 300 Boston, MA 02116 Fax: (617) 848-7047 ISBN:0-201-63466-X Text printed on recycled paper 1 2 3 4 5 6 7 8 9 10—CRS—0706050403 First printing, February 2003 For my mother, Ruth Cheswick, whose maiden name shall not be revealed because this is a security book, and for my father, Richard Reid Cheswick, who taught me about Monday mornings, and many other things. And to Terry, Kestrel, and Lorette, who had TO put up with lengthy spates of grumpy editing sessions. —W.R.C. To my parents, Sam and Sylvia Bellovin. for everything, and to Diane, Rebecca, and Daniel, for all the best reasons in the world. —S.M.B To my wife, Ann, my favorite person in the world; and to my children, Elana, Tamara, and Benny, the three best things that ever happened to me. —A.D.R Contents Preface to the Second Edition Preface to the First Edition xiii xvii Getting Started 1 1 Introduction 1.1 Security Truisms . ....................................................................................... 1.2 Picking a Security Policy............................................................................. 1.3 Host-Based Security................................................................................... 1.4 Perimeter Security ...................................................................................... 1.5 Strategies for a Secure Network ................................................................ 1.6 The Ethics of Computer Security .......................................................... 1.7 WARNING................................................................................................... 3 3 7 10 10 11 16 18 2 A Security Review of Protocols: Lower Layers 2.1 Basic Protocols ........................................................................................... 2.2 Managing Addresses and Names .............................................................. 2.3 IP version 6 ................................................................................................. 2.4 Network Address Translators................, .................................................... 2.5 Wireless Security........................................................................................ 19 19 28 34 37 38 3 Security Review: The Upper Layers 3.1 Messaging................................................................................................... 3.2 Internet Telephony ................................................................................. 3.3 RPC-Based Protocols ............................................................................ 3.4 File Transfer Protocols ................................................................................ 3.5 Remote Login.............................................................................................. 3.6 Simple Network Management Protocol—SNMP....................................... 3.7 The Network Time Protocol .................................................................. 3.8 Information Services ................................................................................... 41 41 46 47 52 58 62 63 64 vii viii Contents 3.9 3.10 3.11 3.12 II III Proprietary Protocols ................................................................................. Peer-to-Peer Networking............................................................................ TheX11 Window System .......................................................................... The Small Services.................................................................................... 68 69 70 71 4 The Web: Threat or Menace? 4.1 The Web Protocols .................................................................................... 4.2 Risks to the Clients .................................................................................... 4.3 Risks to the Server .................................................................................... 4.4 Web Servers vs. Firewalls ......................................................................... 4.5 The Web and Databases ............................................................................ 4.6 Parting Thoughts........................................................................................ 73 74 79 85 89 91 91 The Threats 93 5 Classes of Attacks 5.1 Stealing Passwords .................................................................................... 5.2 Social Engineering...................................................................................... 5.3 Bugs and Back Doors ................................................................................. 5.4 Authentication Failures ............................................................................... 5.5 Protocol Failures .................................................................................... 5.6 Information Leakage ................................................................................... 5.7 Exponential Attacks—Viruses and Worms ................................................ 5.8 Denial-of-Service Attacks ......................................... ,............................... 5.9 Botnets ........................................................................................................ 5.10 Active Attacks ............................................................................................. 95 95 98 100 103 104 105 106 107 117 117 6 The Hacker's Workbench, and Other Munitions 6.1 Introduction ................................................................................................. 6.2 Hacking Goals ............................................................................................ 6.3 Scanning a Network .............................................................................. 6.4 Breaking into the Host ........................................................................... 6.5 The Battle for the Host................................................................................ 6.6 Covering Tracks .......................................................................................... 6.7 Metastasis................................................................................................... 6.8 Hacking Tools.............................................................................................. 6.9 Tiger Teams ................................................................................................ 119 119 121 121 122 123 126 127 128 132 Safer Tools and Services 135 7 Authentication........................................................................................................... 137 7.1 Remembering Passwords .................................................................... 138 Contents ____________________________________________________________________ix 7.2 7.3 7.4 7.5 7.6 7.7 7.8 7.9 7.10 8 IV Time-Based One-Time Passwords ....................................................... Challenge/Response One-Time Passwords .......................... ………. Lamport's One-Time Password Algorithm .................................................. Smart Cards................................................................................................ Biometrics ................................................................................................... RADIUS....................................................................................................... SASL: An Authentication Framework ......................................................... Host-to-Host Authentication........................................................................ PKI............................................................................................................... 144 145 146 147 147 148 149 149 150 Using Some Tools and Services 8.1 inetd-— Network Services ............................................................................ 8.2 Ssh—Terminal and File Access.................................................................. 153 153 154 8.3 Syslog........................................................................................................... 158 8.4 8.5 8.6 8.7 8.8 8.9 8.10 8.11 8.12 Network Administration Tools...................................................................... Chroot—Caging Suspect Software............................................................ Jailing the Apache Web Server ............................................................. Aftpd—A Simple Anonymous FTP Daemon ......................................... Mail Transfer Agents.................................................................................... POP3 and lMAP ....................................................................................... Samba: An SMB Implementation ............................................................... Taming Named ....................................................................................... Adding SSL Support with Sslwrap ............................................................. 159 162 165 167 168 168 169 170 170 Firewalls and VPNs 9 173 Kinds of Firewalls 9.1 Packet Filters .............................................................................................. 9.2 Application-Level Filtering ........................... ......................................... 9.3 Circuit-Level Gateways ............................................................................... 9.4 Dynamic Packet Fitters ............................................................................... 9.5 Distributed Firewalls .............................................................................. 9.6 What Firewalls Cannot Do .......................................................................... 175 176 185 186 188 193 194 10 Filtering Services 10.1 Reasonable Services to Filter..................................................................... 10.2 Digging for Worms ................................................................................. 10.3 Services We Don't Like ............................................................................... 10.4 Other Services ....................................................................................... 10.5 Something New................................................. . . ................................... 197 198 206 207 209 210 x ____________________________________________ Contents 11 Firewall Engineering V 211 11.1 Rulesets...................................................................................................... 212 11.2 11.3 11.4 11.5 Proxies ........................................................................................................ Building a Firewall from Scratch................................................................. Firewall Problems ....................................................................................... Testing Firewalls ......................................................................................... 214 215 227 230 12 Tunneling and VPNs 12.1 Tunnels ....................................................................................................... 12.2 Virtual Private Networks (VPNs) ................................................................ 12.3 Software vs. Hardware ............................................................................... 233 234 236 242 Protecting an Organization 245 13 Network Layout 13.1 Intranet Explorations .................................................................................. 13.2 Intranet Routing Tricks................................................................................ 13.3 In Host We Trust .................................................................................... 13.4 Belt and Suspenders .................................................................................. 13.5 Placement Classes..................................................................................... 247 248 249 253 255 257 14 Safe Hosts in a Hostile Environment 14.1 What Do We Mean by "Secure"? ........................................................ 14.2 Properties of Secure Hosts ........................................................................ 14.3 Hardware Configuration ........................................................................ 14.4 Field-Stripping a Host ................................................................................. 14.5 Loading New Software................................................................................ 14.6 Administering a Secure Host ..................................................................... 14.7 Skinny-Dipping: Life Without a Firewall...................................................... 259 259 260 265 266 270 271 277 15 Intrusion Detection 15.1 Where to Monitor ........................................................................................ 15.2 Types of IDSs ............................................................................................. 15.3 Administering an IDS.................................................................................. 279 280 281 282 15.4 IDS Tools .............................................................................................. VI Lessons Learned 16 An Evening with Berferd 16.1 Unfriendly Acts ...................................................................................... 16.2 An Evening with Berferd ............................................................................. 16.3 The Day After ............................................................................................. 282 285 287 287 290 294 Contents xi 16.4 The Jail ................................................................................................ 16.5 Tracing Berferd ...................................................................................... 16.6 Berferd Comes Home ................................................................................. 295 296 298 17 The Taking of Clark 17.1 Prelude........................................................................................................ 301 302 17.2 CLARK ........................................................................................................ 302 17.3 17.4 17.5 17.6 17.7 17.8 Crude Forensics ......................................................................................... Examining CLARK ....................................................................................... The Password File ............................................................................... How Did They Get In? ........................................................................... Better Forensics.......................................................................................... Lessons Learned ........................................................................................ 303 304 310 310 311 312 18 Secure Communications over Insecure Networks 18.1 The Kerberos Authentication System......................................................... 18.2 Link-Level Encryption ................................................................................. 18.3 Network-Level Encryption ..................................................................... 18.4 Application-Level Encryption ...................................................................... 313 314 318 318 322 19 Where Do We Go from Here? 19.1 IPv6 ........................................................................................................ 19.2 DNSsec ...................................................................................................... 19.3 Microsoft and Security................................................................................ 19.4 Internet Ubiquity ......................................................................................... 19.5 Internet Security ......................................................................................... 19.6 Conclusion .................................................................................................. 329 329 330 330 331 331 332 VII Appendixes A An Introduction to Cryptography A.1 Notation ....................................................................................................... A.2 Secret-Key Cryptography ............................................................................ A.3 Modes Of Operation ..................................................................................... A.4 Public Key Cryptography ............................................................................. A.5 Exponential Key Exchange.......................................................................... A.6 Digital Signatures ........................................................................................ A.7 Secure Hash Functions............................................................................... A.8 Timestamps................................................................................................. 333 335 335 337 339 342 343 344 346 347 xii _________________________________________________________________ Contents B Keeping Up B.1 Mailing Lists............................................................................................ B.2 Web Resources ...................................................................................... B.3 Peoples' Pages....................................................................................... B.4 Vendor Security Sites ............................................................................. B.5 Conferences............................................................................................ 349 350 351 352 352 353 Bibliography 355 List of 389 s List oi Acronyms 391 Index 397 Preface to the Second Edition But after a time, as Frodo did not show any sign of writing a book on the spot, the hobbits returned to their questions about doings in the Shire. Lord of the Rings —J.R.R. TOLKIEN The first printing of the First Edition appeared at the Las Vegas Interop in May, 1994. At that same show appeared the first of many commercial firewall products. In many ways, the field has matured since then: You can buy a decent firewall off the shelf from many vendors. The problem of deploying that firewall in a secure and useful manner remains. We have studied many Internet access arrangements in which the only secure component was the firewall itself—it was easily bypassed by attackers going after the "protected" inside machines. Before the investiture of AT&T/Lucent/NCR, there were over 300,000 hosts behind at least six firewalls, plus special access arrangements with some 200 business partners. Our first edition did not discuss the massive sniffing attacks discovered in the spring of 1994. Sniffers had been running on important Internet Service Provider (ISP) machines for months-machines lhat had access to a major percentage of the ISP's packet flow. By some estimates, these sniffers captured over a million host name/user name/password sets from passing telnet, ftp, and riogin sessions. There were also reports of increased hacker activity on military sites, it's obvious what must have happened: If you are a hacker with a million passwords in your pocket, you are going to look for the most interesting targets, and . mil certainly qualifies. Since the First Edition, we have been slowly losing the Internet arms race. The hackers have developed and deployed tools for attacks we had been anticipating for years, IP spoofing [Shimo-rnura, 1996] and TCP hijacking are now quite common, according to the Computer Emergency Response Team (CERT). ISPs report that attacks on the Internet's infrastructure are increasing. There was one attack we chose not to include in the First Edition: the SYN-flooding denial-of-service attack that seemed to be unstoppable. Of course, the Bad Guys learned about the attack anyway, making us regret that we had deleted that paragraph in the first place. We still believe that it is better to disseminate this information, informing saints and sinners at the same lime. The saints need all the help they can get, and the sinners have their own channels of communication. xiii xiv__________________________________________________________________________ Preface Crystal Ball or Bowling Ball? The first edition made a number of predictions, explicitly or implicitly. Was our foresight accurate? Our biggest failure was neglecting to foresee how successful the Internet would become. We barely mentioned the Web and declined a suggestion to use some weird syntax when listing software resources. The syntax, of course, was the URL... Concomitant with the growth of the Web, the patterns of Internet connectivity vastly increased. We assumed that a company would have only a few external connections—few enough that they'd be easy to keep track of, and to firewall. Today's spaghetti topology was a surprise. We didn't realize that PCs would become Internet clients as soon as they did. We did. however, warn that as personal machines became more capable, they'd become more vulnerable. Experience has proved us very correct on that point. We did anticipate high-speed home connections, though we spoke of ISDN, rather than cable modems or DSL. (We had high-speed connectivity even then, though it was slow by today's standards.) We also warned of issues posed by home LANs, and we warned about the problems caused by roaming laptops, We were overly optimistic about the deployment of IPv6 (which was called IPng back then, as the choice hadn't been finalized). It still hasn't been deployed, and its future is still somewhat uncertain. We were correct, though, about the most fundamental point we made: Buggy host software is a major security issue. In fact, we called it the "fundamental theorem of firewalls": Most hosts cannot meet our requirements: they run too many programs that are too large. Therefore, the only solution is to isolate them behind a firewall if you wish to run any programs at ail. If anything, we were too conservative. Our Approach This book is nearly a complete rewrite of the first edition. The approach is different, and so are many of the technical details. Most people don't build their own firewalls anymore. There are far more Internet users, and the economic stakes are higher. The Internet is a factor in warfare. The field of study is also much larger—there is too much to cover in a single book. One reviewer suggested that Chapters 2 and 3 could be a six-volume set. (They were originally one mammoth chapter.) Our goal, as always, is to teach an approach to security. We took far too long to write this edition, but one of the reasons why the first edition survived as long as it did was that we concentrated on the concepts, rather than details specific to a particular product at a particular time. The right frame of mind goes a long way toward understanding security issues and making reasonable security decisions. We've tried to include anecdotes, stories, and comments to make our points. Some complain that our approach is too academic, or too UNIX-centric. that we are too idealistic, and don't describe many of the most common computing tools. We are trying to teach Preface xv attitudes here more than specific bits and bytes. Most people have hideously poor computing habits and network hygiene. We try to use a safer world ourselves, and are trying to convey how we think it should be. The chapter outline follows, but we want to emphasize the following: It is OK to skip the hard parts. If we dive into detail that is not useful to you. feel free to move on. The introduction covers the overall philosophy of security, with a variety of time-tested maxims. As in the first edition. Chapter 2 discusses most of the important protocols, from a secunty point of view. We moved material about higher-layer protocols to Chapter 3. The Web merits a chapter of its own. The next part discusses the threats we are dealing with: the kinds of attacks in Chapter 5, and some of the tools and techniques used to attack hosts and networks in Chapter 6. Part III covers some of the tools and techniques we can use to make our networking world safer. We cover authentication tools in Chapter 7, and safer network servicing software in Chapter 8. Part IV covers firewalls and virtual private networks (VPNs). Chapter 9 introduces various types of firewalls and filtering techniques, and Chapter 10 summarizes some reasonable policies for filtering some of the more essential services discussed in Chapter 2. If you don't find advice about filtering a service you like, we probably think it is too dangerous (refer to Chapter 2). Chapter 11 covers a lot of the deep details of firewalls, including their configuration, administration, and design. It is certainly not a complete discussion of the subject, but should give readers a good start. VPN tunnels, including holes through firewalls, are covered in some detail in Chapter 12. There is more detail in Chapter )8. In Part V, we upply the.se tools and lessons to organizations. Chapter 13 examines ihe problems and practices on modem intranets. See Chapter 15 for information about deploying a hacking-resistant host, which is useful in any part of an intranet. Though we don't especially like intrusion detection systems (IDSs) very much, they do play a role in security, and are discussed in Chapter 15. The last pan offers a couple of stories and some further details. The Berferd chapter is largely unchanged, and we have added "The Taking of Clark," a real-life story about a minor break-in that taught useful lessons. Chapter 18 discusses secure communications over insecure networks, in quite some detail. For even further delail, Appendix A has a short introduction to cryptography. The conclusion offers some predictions by the authors, with justifications. If the predictions are wrong, perhaps the justifications will be instructive, (We don't have a great track record as prophets.) Appendix B provides a number of resources for keeping up in this rapidly changing field. Errata and Updates Everyone and every thing seems to have a Web site these days; this book is no exception. Our "official" Web site is http: //www.wilyhacker. com. Well post an errata list there; we'll xvi__ _____ _________________________________________________ _Preface also keep an up-to-date list of other useful Web resources. If you find any errors—we hope there aren't many—please let us know via e-mail at f irewall-book@wilyhacker .com. Acknowledgments For many kindnesses, we'd like to thank Joe Bigler, Steve "Hollywood" Branigan, Hal Burch, Brian Clapper, David Crocker Tom Dow, Phil Edwards and the Internet Public Library, Anja Feldmann, Karen Gcttman, Brian Kernighan, David Korman, Tom Limoncelli, Norma Loquendi, Cat Okita, Robert Oliver, Vern Paxson, Marcus Ranum, Eric Rescorla, Guido van Rooij, Luann Rouff (a most excellent copy editor), Abba Rubin. Peler Salus, Glenn Sieb, Karl Siil (we'll always have Boston), Irina Stnzhevskaya, Rob Thomas, Win Treese, Dan Wallach, Frank Wojcik, Avishai Wool, Karen Yannetta, and Miehal Zalewski, among many others. BILL CHESWICK [email protected] STEVE BELLOVIN [email protected] AVI RUBIN avi @rubi n.net Preface to the First Edition It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post a guard at the door. — F.T. GRAMPP AND R.H. MORRIS Of course, very few people want to use such a host... —THE WORLD For better or for worse, most computer systems are not run that way today. Security is, in general, a trade-off with convenience, and most people are not willing to forgo (the convenience of remote access via networks to their computers. Inevitably, they suffer from some loss of security. It is our purpose here to discuss how to minimize the extent of that loss. The situation is even worse for computers hooked up to some sort of network. Networks are risky for at least three major reasons. First, and most obvious, more points now exist from which an attack can be launched. Someone who cannot get to your computer cannot attack it; by adding more connection mechanisms for legitimate users, you arc also adding more vulnerabilities, A second reason is that you have extended the physical perimeter of your computer system. In a simple computer, everything is within one box. The CPU can fetch authentication data from memory, secure in the knowledge that no enemy can tamper with it or spy on it. Traditional mechanisms—mode bits, memory protection, and the like—can safeguard critical areas. This is not the case in a network. Messages received may be of uncertain provenance; messages sent are often exposed to all other systems on the net. Clearly, more caution is needed. The third reason is more subtle, and deals with an essential distinction between an ordinary dial-up modem and a network. Modems, in general, offer one service, typically the ability to log in, When you connect, you're greeted with a login or Username prompt: the ability to do other things, such as sending mail, is mediated through this single choke point. There may be vulnerabilities in the login service, but it is a single service, and a comparatively simple one. xvii Preface to the First Edition Networked computers, on the other hand, offer many services: login, file transfer, disk access, remote execution, phone book, system status, etc. Thus, more points are in need of protection— points that are more complex and more difficult to protect, A networked file system, for example, cannot rely on a typed password for every transaction. Furthermore, many of these services were developed under the assumption that the extent of the network was comparatively limited. In an era of globe-spanning connectivity, that assumption has broken down, sometimes with severe consequences. Networked computers have another peculiarity worth noting: they are generally not singular entities. That is, it is comparatively uncommon, in today's environment, to attach a computer to a network solely to talk to "strange" computers. Organizations own a number of computers, and these are connected to each other and to the outside world. This is both a bane and a blessing: a bane, because networked computers often need to trust their peers, and a blessing, because the network may be configurable so that only one computer needs to talk to the outside world. Such dedicated computers, often called "firewall gateways," are at the heart of our suggested security strategy. Our purpose here is twofold. First, we wish to show that this strategy is useful. That is, a firewall, if properly deployed against the expected threats, will provide an organization with greatly increased security. Second, we wish to show that such gateways arc necessary, and that there is a real threat to be dealt with. Audience This book is written primarily for the network administrator who must protect an organization from unhindered exposure to the Internet. The typical reader should have a background in system administration and networking. Some portions necessarily get intensely technical. A number of chapters are of more general interest. Readers with a casual interest can safely skip the tough stuff and still enjoy the rest of the book, We also hope that system and network designers will read the book. Many of the problems we discuss are the direct result of a lack of security-conscious design. We hope that newer protocols and systems will be inherently more secure. Our examples and discussion unabashedly relate to UNIX systems and programs. UNIX-style systems have historically been the leaders in exploiting and utilizing the Internet. They still tend to provide better performance and lower cost than various alternatives. Linux is a fine operating system, and its source code is freely available. You can see for yourself how things work, which can be quite useful in this business. But we are not preaching UNIX here—pick the operating system you know best: you are less likely to make a rookie mistake with it. But the principles and philosophy apply to network gateways built on other operating systems, or even to a run-time system like MS-DOS. Our focus is on the TCP/IP protocol suite, especially as used on the Internet. This is not because TCP/IP has more security problems than other protocol stacks—we doubt that very much— rather, it is a commentary on the success of TCP/IP. Fans of XNS, DEC net, SNA, netware, and Preface to the First Edition xix others; have to concede that TCP/IP has won the hearts and minds of the world by nearly any measure you can name. Most of these won't vanish—indeed, many arc now carried over IP links, just as ATM almost always carries IP. By far, it is the heterogeneous networking protocol of choice, not only on workstations, for which it is the native tongue, but on virtually all machines, ranging from desktop personal computers to the largest supercomputers. Much of the advice we offer in this book is the result of our experiences with our companies' intrants and firewalls. Most of the lessons we have learned are applicable to any network with similar characteristics. We have read of serious attacks on computers attached to public X.25 data networks. Firewalls are useful there, too, although naturally they would differ in detail. This is not a book on how to administer a system in a secure fashion, although we do make some suggestions along those lines. Numerous books on that topic already exist, such us [Farrow. 19 9 1 ] . [Garfinkel and Spatfford, 1996]. and [Curry. 1992]. Nor is this a cookbook to tell you how to administer various packaged firewall gateways. The technology is too new. and any such work would be obsolete before it was even published. Rather, it is a set of guidelines that, we hope, both defines the problem space and roughly sketches the boundaries of possible solution spaces. We also describe how we constructed our latest gateway, and why we made the decisions we did. Our design decisions are directly attributable to our experience in detecting and defending against attackers. On occasion, we speak of "reports" that something has happened. We make apologies for the obscurity. Though we have made every effort to document our sources, some of our information comes from confidential discussions with other security administrators who do not want to be identified. Network security breaches can be very embarrassing, especially when they happen to organizations that should have known better. Terminology You keep using that word. I don't think it means what you think it means. Inigo Montoya in The Princess Bride —W ILLIAM GOLDMAN [GOLDMAN, 1998] Before we proceed further, it is worthwhile making one comment on terminology. We have chosen to cull the attackers "hackers'' To some, this choice is insulting, a slur by the mass media on the good name of many thousands of creative programmers. That is quite true. Nevertheless, the language has changed. Bruce Sterling expressed it very well [Sterling. 1992, pages 55-561: The term "hacking" is used routinely today by almost all law enforcement officials with any professional interest in computer fraud and abuse. American police describe almost any crime committed with, by, through, or against a computer as hacking. Most important, "hacker" is what computer intruders choose to call themselves. Nobody who hacks into systems willingly describes himself (rarely, herself) as a "computer intruder." "computer trespasser," "cracker," "wormer." "dark-side hacker." or "high-tech street gangster" Sev-