Free eBooks > Computers & Internet > Web Development > Security & Encryption > Encryption > Firewalls and Internet Security: Repelling the Wily Hacker

Firewalls and Internet Security: Repelling the Wily Hacker

by William R. Cheswick And Steven M. Bellovin

• thorough discussion of security-related aspects of TCP/IP;
• step-by-step plans for setting up firewalls;
• hacking and monitoring tools the authors have built to rigorously test and maintain firewalls;
• pointers to public domain security tools on the net;
• first-hand step-by-step accounts of battles with the "Berferd" hackers; and
• practical discussions of the legal aspects of security.

The best-selling first edition of Firewalls and Internet Security became the bible of Internet security by showing readers how to think about threats and solutions. The completely updated and expanded second edition defines the security problems students face in today's Internet, identifies the weaknesses of the most popular security technologies, and illustrates the ins and outs of deploying an effective firewall. Students learn how to plan and execute a security strategy that allows easy access to Internet services while defeating even the wiliest of hackers. Written by well-known senior researchers at AT&T Bell Labs, Lumeta, and Johns Hopkins University the students will benefit from the actual, real-world experiences of the authors maintaining, improving, and redesigning AT&T's Internet gateway.

It is easy to run a secure computer system. You merely have to disconnect all dial-up connections and permit only direct-wired terminals, put the machine and its terminals in a shielded room, and post a guard at the door.- F.T. Grampp and R.H. Morris

For better or for worse, most computer systems are not run that way today. Security is, in general, a trade-off with convenience, and most people are not willing to forgo the convenience of remote access via networks to their computers. Inevitably, they suffer from some loss of security. It is our purpose here to discuss how to minimize the extent of that loss.

The situation is even worse for computers hooked up to some sort of network. Networks are risky for at least three major reasons. First, and most obvious, more points now exist from which an attack can be launched. Someone who cannot get to your computer cannot attack it; by adding more connection mechanisms for legitimate users, you are also adding more vulnerabilities.

A second reason is that you have extended the physical perimeter of your computer system. In a simple computer, everything is within one box. The CPU can fetch authentication data from memory, secure in the knowledge that no enemy can tamper with it or spy on it. Traditional mechanisms - mode bits, memory protection, and the like - can safeguard critical areas. This is not the case in a network. Messages received may be of uncertain provenance; messages sent are often exposed to all other systems on the net. Clearly, more caution is needed.

The third reason is more subtle, and deals with an essential distinction between an ordinary dial-up modem and a network. Modems, in general, offer one service, typically the ability to log in. When you connect, you're greeted with a login or Username prompt; the ability to do other things, such as sending mail, is mediated through this single choke point. There may be vulnerabilities in the login service, but it is a single service, and a comparatively simple one. Networked computers, on the other hand, offer many services: login, file transfer, disk access, remote execution, phone book, system status, etc. Thus, more points are in need of protection - points that are more complex and more difficult to protect. A networked file system, for example, cannot rely on a typed password for every transaction. Furthermore, many of these services were developed under the assumption that the extent of the network was comparatively limited. In an era of globe-spanning connectivity, that assumption has broken down, sometimes with severe consequences.

Networked computers have another peculiarity worth noting: they are generally not singular entities. That is, it is comparatively uncommon, in today's environment, to attach a computer to a network solely to talk to "strange" computers. More commonly, organizations own a number of computers, and these are connected to each other and to the outside world. This is both a bane and a blessing: a bane, because networked computers often need to trust their peers, to some extent, and a blessing, because the network may be configurable so that only one computer needs to talk to the outside world. Such dedicated computers, often called "firewall gateways," are at the heart of our suggested security strategy.

Our purpose here is twofold. First, we wish to show that this strategy is useful. That is, a firewall, if properly deployed against the expected threats, will provide an organization with greatly increased security. Second, we wish to show that such gateways are necessary, and that there is a real threat to be dealt with.

Audience

This book is written primarily for the network administrator who must protect an organization from unhindered exposure to the Internet. The typical reader should have a background in system administration and networking. Some portions necessarily get intensely technical. A number of chapters are of more general interest. Readers with a casual interest can safely skip the tough stuff and still enjoy the rest of the book.

We also hope that system and network designers will read the book. Many of the problems we discuss are the direct result of a lack of security-conscious design. We hope that newer protocols and systems will be inherently more secure.

Our examples and discussion unabashedly relate to Unix systems and programs. The majority of multiuser machines on the Internet run some version of the Unix operating system. Most application-level gateways are implemented in Unix. This is not to say that other operating systems are more secure; however, there are fewer of them on the Internet, and they are less popular as targets for that reason. But the principles and philosophy apply to network gateways built in other operating systems, or even to a run-time system like MS-DOS.

Our focus is on the TCP/IP protocol suite, especially as used on the Internet. Again, this is not because TCP/IP has more security problems than other protocol stacks - we doubt that very much - rather, it is a commentary on the success of TCP/IP. By far, it is the heterogeneous networking protocol of choice, not only on workstations, for which it is the native tongue, but on virtually all machines, ranging from desktop personal computers to the largest supercomputers. The Internet links most major universities in the United States (and many others around the world), research labs, many government agencies, and even a fair number of businesses. Our organization, AT&T Bell Laboratories, is on the Internet, and much of the advice we offer in this book is the result of our experiences with that connection. We believe that the lessons we have learned are applicable to any network with similar characteristics. We have read of serious attacks on computers attached to public X.25 data networks. Firewalls are useful there, too, although naturally they would differ in detail.

This is not a book on how to administer a system in a secure fashion, although we do make some suggestions along those lines. Numerous books on that topic already exist, such as Farrow, 1991, Garfinkel and Spafford, 1991, and Curry, 1992. Nor is this a cookbook to tell you how to administer various packaged firewall gateways. The technology is too new, and any such work would be obsolete before it was even published. Rather, it is a set of guidelines that, we hope, both defines the problem space and roughly sketches the boundaries of possible solution spaces. We also describe how we constructed our latest gateway, and why we made the decisions we did. Our design decisions are directly attributable to our experience in detecting and defending against attackers.

On occasion, we speak of "reports" that something has happened. We make apologies for the obscurity. Though we have made every effort to document our sources, some of our information comes from confidential discussions with other security administrators who do not want to be identified. Network security breaches can be very embarrassing, especially when they happen to organizations that should have known better.

TerminologyBefore we proceed further, it is worthwhile making one comment on terminology. We have chosen to call the attackers "hackers." To some, this choice is insulting, a slur by the mass media on the good name of many thousands of creative programmers. That is quite true. Nevertheless, the language has changed. Bruce Sterling expressed it very well Sterling, 1992, pages 55-56:

The term "hacking" is used routinely today by almost all law enforcement officials with any professional interest in computer fraud and abuse. American police describe almost any crime committed with, by, through, or against a computer as hacking.

Most important, "hacker" is what computer intruders choose to call themselves. Nobody who hacks into systems willingly describes himself (rarely, herself) as a "computer intruder," "computer trespasser," "cracker," "wormer," "dark-side hacker," or "high- tech street gangster." Several other demeaning terms have been invented in the hope that the press and public will leave the original sense of the word alone. But few people actually use these terms.

OrganizationOur book begins by introducing the problem of security (Chapter 1) and surveying the important parts of the TCP/IP protocol suite (Chapter 2), with particular attention to security issues.

The second part of this book describes firewall construction in detail. We describe the several sorts of firewall gateways (Chapter 3) that have been built. Next, we present a comprehensive description of the construction of our third and newest gateway (Chapter 4), the variety of authentication strategies to choose from (Chapter 5), the other tools we used (Chapter 6), and the sorts of monitors we have installed (Chapter 7). We also describe the hacking tools we've built to test security (Chapter 8): you don't know if you're secure until someone has made a determined effort to breach your defenses. All of the information in this part is detailed enough to permit you to duplicate our work or to do it differently if your needs or priorities differ.

Security isn't just a matter of the present and future tenses. Chapter 9 is an attempt at a taxonomy of hacking, an analysis of different categories of attacks. Chapter 10 is quite concrete: we describe the single most determined (known?) attempt to hack our system, the so-called "Berferd" incident, and the fun we had during it. The next chapter summarizes the log data we and others have collected over the years.

In Chapter 12, we discuss the legal implications of computer security. The issues aren't always straightforward, it turns out. In Chapter 13, we show how encryption can be used in high-threat environments. Chapter 14 has some parting thoughts.

Errata to BeThough we've tried our best, we suspect that a few errors have crept into this book. You'll be able to find an errata list, and perhaps further information, on ftp.research.att, in /dist/internet_security/firewall.book. Naturally, we'd appreciate word of any bugs you find, preferably by electronic mail to firewall-book@research.att.

AcknowledgmentsThere are many people who deserve our thanks for helping with this book. We thank in particular our reviewers: Betty Archer, Robert Bonomi, Jay Borkenhagen, Brent Chapman, Lorette Ellane Petersen Archer Cheswick, Steve Crocker, Dan Doernberg, Mark Eckenwiler, Jim Ellis, Ray Kaplan, Jeff Kellem, Brian Kernighan, Barbara T. Ling, Norma Loquendi, Barry Margolin Jeff Mogul, Gene Nelson, Craig Partridge, Marcus Ranum, Peter Weinberger, Norman Wilson, and of course our editor, John Wait, whose name almost, but not quite, fits into our ordering. Acting on all of the comments we received was painful, but has made this a better book. Of course, we bear the blame for any errors, not these intrepid readers.

Bill Cheswick
ches@research.att

Steven M. Bellovin
smb@research.att

0201633574P04062001

From the Back Cover

The best-selling first edition ofFirewalls and Internet Security became the bible of Internet security by showing a generation of Internet security experts how to think about threats and solutions. This completely updated and expanded second edition defines the security problems companies face in today's Internet, identifies the weaknesses in the most popular security technologies, and illustrates the ins and outs of deploying an effective firewall. Readers will learn how to plan and execute a security strategy that allows easy access to Internet services while defeating even the wiliest of hackers.

Firewalls and Internet Security, Second Edition, draws upon the authors' experiences as researchers in the forefront of their field since the beginning of the Internet explosion.

The book begins with an introduction to their philosophy of Internet security. It progresses quickly to a dissection of possible attacks on hosts and networks and describes the tools and techniques used to perpetrate--and prevent--such attacks. The focus then shifts to firewalls and virtual private networks (VPNs), providing a step-by-step guide to firewall deployment. Readers are immersed in the real-world practices of Internet security through a critical examination of problems and practices on today's intranets, as well as discussions of the deployment of a hacking-resistant host and of intrusion detection systems (IDS). The authors scrutinize secure communications over insecure networks and conclude with their predictions about the future of firewalls and Internet security.

The book's appendixes provide an introduction to cryptography and a list of resources (also posted to the book's Web site) that readers can rely on for tracking further security developments.

Armed with the authors' hard-won knowledge of how to fight off hackers, readers of Firewalls and Internet Security, Second Edition, can make security decisions that will make the Internet--and their computers--safer.

William R. Cheswick (http://cheswick.com) is Chief Scientist at Lumeta Corporation, which explores and maps clients' network infrastructures and finds perimeter leaks. Formerly he was a senior researcher at Lucent Bell Labs, where he did pioneering work in the areas of firewall design and implementation, PC viruses, mailers, and Internet munitions.

Steven M. Bellovin (http://stevebellovin.com) is a Fellow at AT&T Labs Research, where he works on networks, security, and, especially, why the two don't get along. He is a member of the National Academy of Engineering and is one of the Security Area directors of the Internet Engineering Task Force. Long ago he was one of the creators of NetNews.

Aviel D. Rubin (http://avirubin.com) is an Associate Professor in the Computer Science Department at Johns Hopkins University and serves as the Technical Director of their Information Security Institute. He was previously Principal Researcher in the Secure Systems Research Department at AT&T Laboratories and is the author of several books.

020163466XAB01302003

But after a time, as Frodo did not show any sign of writing a book on the spot, the
hobbits returned to their questions about doings in the Shire.

Lord of the Rings
—J.R.R. TOLKIEN

The first printing of the First Edition appeared at the Las Vegas Interop in May, 1994. At that same show appeared the first of many commercial firewall products. In many ways, the field has matured since then: You can buy a decent firewall off the shelf from many vendors.

The problem of deploying that firewall in a secure and useful manner remains. We have studied many Internet access arrangements in which the only secure component was the firewall itself—it was easily bypassed by attackers going after the “protected” inside machines. Before the trivestiture of AT&T/Lucent/NCR, there were over 300,000 hosts behind at least six firewalls, plus special access arrangements with some 200 business partners.

Our first edition did not discuss the massive sniffing attacks discovered in the spring of 1994. Sniffers had been running on important Internet Service Provider (ISP) machines for months—machines that had access to a major percentage of the ISP’s packet flow. By some estimates, these sniffers captured over a million host name/user name/password sets from passing telnet, ftp, and rlogin sessions. There were also reports of increased hacker activity on military sites. It’s obvious what must have happened: If you are a hacker with a million passwords in your pocket, you are going to look for the most interesting targets, and .mil certainly qualifies.

Since the First Edition, we have been slowly losing the Internet arms race. The hackers have developed and deployed tools for attacks we had been anticipating for years. IP spoofing Shimomura, 1996 and TCP hijacking are now quite common, according to the Computer Emergency Response Team (CERT). ISPs report that attacks on the Internet’s infrastructure are increasing.

There was one attack we chose not to include in the First Edition: the SYN-flooding denial-of- service attack that seemed to be unstoppable. Of course, the Bad Guys learned about the attack anyway, making us regret that we had deleted that paragraph in the first place. We still believe that it is better to disseminate this information, informing saints and sinners at the same time. The saints need all the help they can get, and the sinners have their own channels of communication.

Crystal Ball or Bowling Ball?

Our biggest failure was neglecting to foresee how successful the Internet would become. We barely mentioned the Web and declined a suggestion to use some weird syntax when listing software resources. The syntax, of course, was the URL...

Concomitant with the growth of the Web, the patterns of Internet connectivity vastly increased. We assumed that a company would have only a few external connections—few enough that they’d be easy to keep track of, and to firewall. Today’s spaghetti topology was a surprise.

We didn’t realize that PCs would become Internet clients as soon as they did. We did, however, warn that as personal machines became more capable, they’d become more vulnerable. Experience has proved us very correct on that point.

We did anticipate high-speed home connections, though we spoke of ISDN, rather than cable modems or DSL. (We had high-speed connectivity even then, though it was slow by today’s standards.) We also warned of issues posed by home LANs, and we warned about the problems caused by roaming laptops.

We were overly optimistic about the deployment of IPv6 (which was called IPng back then, as the choice hadn’t been finalized). It still hasn’t been deployed, and its future is still somewhat uncertain.

We were correct, though, about the most fundamental point we made: Buggy host software is a major security issue. In fact, we called it the “fundamental theorem of firewalls”:

Most hosts cannot meet our requirements: they run too many programs that are too large. Therefore, the only solution is to isolate them behind a firewall if you wish to run any programs at all.

If anything, we were too conservative.

Our Approach

The field of study is also much larger—there is too much to cover in a single book. One reviewer suggested that Chapters 2 and 3 could be a six-volume set. (They were originally one mammoth chapter.) Our goal, as always, is to teach an approach to security. We took far too long to write this edition, but one of the reasons why the first edition survived as long as it did was that we concentrated on the concepts, rather than details specific to a particular product at a particular time. The right frame of mind goes a long way toward understanding security issues and making reasonable security decisions. We’ve tried to include anecdotes, stories, and comments to make our points.

Some complain that our approach is too academic, or too UNIX-centric, that we are too idealistic, and don’t describe many of the most common computing tools. We are trying to teach attitudes here more than specific bits and bytes. Most people have hideously poor computing habits and network hygiene. We try to use a safer world ourselves, and are trying to convey how we think it should be.

The chapter outline follows, but we want to emphasize the following:

     It is OK to skip the hard parts.

If we dive into detail that is not useful to you, feel free to move on.

The introduction covers the overall philosophy of security, with a variety of time-tested maxims. As in the first edition, Chapter 2 discusses most of the important protocols, from a security point of view. We moved material about higher-layer protocols to Chapter 3. The Web merits a chapter of its own.

The next part discusses the threats we are dealing with: the kinds of attacks in Chapter 5, and some of the tools and techniques used to attack hosts and networks in Chapter 6. Part III covers some of the tools and techniques we can use to make our networking world safer. We cover authentication tools in Chapter 7, and safer network servicing software in Chapter 8.

Part IV covers firewalls and virtual private networks (VPNs). Chapter 9 introduces various types of firewalls and filtering techniques, and Chapter 10 summarizes some reasonable policies for filtering some of the more essential services discussed in Chapter 2. If you don’t find advice about filtering a service you like, we probably think it is too dangerous (refer to Chapter 2).

Chapter 11 covers a lot of the deep details of firewalls, including their configuration, administration, and design. It is certainly not a complete discussion of the subject, but should give readers a good start. VPN tunnels, including holes through firewalls, are covered in some detail in Chapter 12. There is more detail in Chapter 18.

In Part V, we apply these tools and lessons to organizations. Chapter 13 examines the problems and practices on modern intranets. See Chapter 15 for information about deploying a hacking-resistant host, which is useful in any part of an intranet. Though we don’t especially like intrusion detection systems (IDSs) very much, they do play a role in security, and are discussed in Chapter 15.

The last part offers a couple of stories and some further details. The Berferd chapter is largely unchanged, and we have added “The Taking of Clark,” a real-life story about a minor break-in that taught useful lessons.

Chapter 18 discusses secure communications over insecure networks, in quite some detail. For even further detail, Appendix A has a short introduction to cryptography.

The conclusion offers some predictions by the authors, with justifications. If the predictions are wrong, perhaps the justifications will be instructive. (We don’t have a great track record as prophets.) Appendix B provides a number of resources for keeping up in this rapidly changing field.

Errata and Updates

Acknowledgments

BILL CHESWICK
ches@cheswick.com

STEVE BELLOVIN
smb@stevebellovin.com

AVI RUBIN
avi@rubin.net

020163466XP01302003

Related Free eBooks

• Firewalls and Internet Security
• Maximum Security:A Hacker's Guide to Protecting Your Internet Site and Network
• Internet Security Professional Reference, 2nd Edition
• Java & Internet Security
• Practical Unix & Internet Security, 3rd Edition
• Using Term to Pierce an Internet Firewall mini-HOWTO
• Building Internet Firewalls O Reilly
• "Computer, Network & Internet Security"
• Internet Security
• Mission Critical Internet Security
• Practical UNIX and Internet Security
• Introduction To Computer, Internet And Network Systems Security
• Cisco Secure Internet Security Solutions
• Building Internet Firewalls, 2nd edition
• Maximum Security: A Hackers' Guide
• Building Internet Firewalls
• Practical Unix & Internet Security
• AS/400 Internet Security Scenarios: A Practical Approach
• AS/400 Internet Security: Developing a Digital Certificate Infrastructure
• AS/400 Internet Security: Implementing AS/400 Virtual Private Networks
• Internet Security in the Network Computing Framework
• AS/400 Internet Security: IBM Firewall for AS/400
• The Domino Defense: Security in Lotus Notes 4.5 and the Internet
• AS/400 Internet Security: Protecting Your AS/400 from HARM in the Internet
• Practical Unix And Internet Security 3rd Edition

Related Tags