Authors: Steven M. Bellovin, Aviel D. Rubin, William R. Cheswick
DOI:
Keywords:
Abstract: From the Book:

But after a time, as Frodo did not show any sign of writing book on spot, the hobbits returned to their questions about doings in Shire.
Lord Rings — J.R.R. TOLKIEN

The first printing First Edition appeared at Las Vegas Interop May, 1994. At that same many commercial firewall products. In ways, field has matured since then: You can buy decent off shelf from vendors. The problem deploying secure and useful manner remains. We have studied Internet access arrangements which only component was itself—it easily bypassed by attackers going “protected” inside machines. Before trivestiture AT&T/Lucent/NCR, there were over 300,000 hosts behind least six firewalls, plus special with some 200 business partners. Our edition discuss massive sniffing attacks discovered spring Sniffers had been running important Service Provider (ISP) machines for months—machines major percentage ISP’s packet flow. By estimates, these sniffers captured million host name/user name/password sets passing telnet, ftp, rlogin sessions. There also reports increased hacker activity military sites. It’s obvious what must happened: If you are passwords your pocket, look most interesting targets, .mil certainly qualifies. Since Edition, we slowly losing arms race. The hackers developed deployed tools anticipating years. IP spoofing Shimomura, 1996 TCP hijacking now quite common, according Computer Emergency Response Team (CERT). ISPs report Internet’s infrastructure increasing. There one attack chose include Edition: SYN-flooding denial-of-service seemed be unstoppable. Of course, Bad Guys learned anyway, making us regret deleted paragraph place. still believe it is better disseminate this information, informing saints sinners time. need all help they get, own channels communication.

Crystal Ball or Bowling Ball?

The made number predictions, explicitly implicitly. Was our foresight accurate? Our biggest failure neglecting foresee how successful would become.
barely mentioned Web declined suggestion use weird syntax when listing software resources. syntax, URL... Concomitant growth Web, patterns connectivity vastly increased. assumed company few external connections—few enough they’d easy keep track of, firewall. Today’s spaghetti topology surprise. We didn’t realize PCs become clients soon did. did, however, warn personal became more capable, vulnerable. Experience proved very correct point. We anticipate high-speed home connections, though spoke ISDN, rather than cable modems DSL. (We even then, slow today’s standards.) warned issues posed LANs, problems caused roaming laptops. We overly optimistic deployment IPv6 (which called IPng back choice hadn’t finalized). It hasn’t deployed, its future somewhat uncertain. We correct, though, fundamental point made: Buggy security issue. fact, “fundamental theorem firewalls”: Most cannot meet requirements: run too programs large. Therefore, solution isolate them if wish all. If anything, conservative.

Our Approach

This nearly complete rewrite edition. approach different, so technical details. Most people don’t build firewalls anymore. far users, economic stakes higher. factor warfare. The study much larger—there cover single book. One reviewer suggested Chapters 2 3 could six-volume set. (They originally mammoth chapter.) Our goal, always, teach an security. took long write edition, but reasons why survived concentrated concepts, details specific particular product right frame mind goes way toward understanding reasonable decisions. We’ve tried anecdotes, stories, comments make points. Some complain academic, UNIX-centric, idealistic, describe common computing tools. trying attitudes here bits bytes. hideously poor habits network hygiene. try safer world ourselves, convey think should be. The chapter outline follows, want emphasize following: It OK skip hard parts. If dive into detail you, feel free move on.
The introduction covers overall philosophy security, variety time-tested maxims. As Chapter discusses protocols, view. moved material higher-layer protocols 3. merits own. The next part threats dealing with: kinds 5, techniques used networks 6. Part III networking safer. authentication 7, servicing 8. Part IV virtual private (VPNs). 9 introduces various types filtering techniques, 10 summarizes policies essential services discussed 2. find advice like, probably dangerous (refer 2). Chapter 11 lot deep including configuration, administration, design. discussion subject, give readers good start. VPN tunnels, holes through covered 12. 18. In V, apply lessons organizations. 13 examines practices modern intranets. See 15 information hacking-resistant host, intranet. Though especially like intrusion detection systems (IDSs) much, do play role 15. The last offers couple stories further Berferd largely unchanged, added “The Taking Clark,” real-life story minor break-in taught lessons. Chapter 18 communications insecure networks, detail. For detail, Appendix A short cryptography. The conclusion predictions authors, justifications. wrong, perhaps justifications will instructive. great record prophets.) B provides resources keeping up rapidly changing field.

Errata Updates

Everyone every thing seems site days; no exception. “official” . We’ll post errata list there; we’ll up-to-date other errors—we hope aren’t many—please let know via e-mail .

Acknowledgments

For kindnesses, we’d thank Joe Bigler, Steve “Hollywood” Branigan, Hal Burch, Brian Clapper, David Crocker, Tom Dow, Phil Edwards Public Library, Anja Feldmann, Karen Gettman, Kernighan, Korman, Limoncelli, Norma Loquendi, Cat Okita, Robert Oliver, Vern Paxson, Marcus Ranum, Eric Rescorla, Guido van Rooij, Luann Rouff (an excellent copy editor), Abba Rubin, Peter Salus, Glenn Sieb, Karl Siil (we’ll always Boston), Irina Strizhevskaya, Rob Thomas, Win Treese, Dan Wallach, Avishai Wool, Yannetta, Michal Zalewski, among others.
BILL CHESWICK
STEVE BELLOVIN
AVI RUBIN

020163466XP01302003