
● A dynamic IP address is one that is arbitrarily assigned to a different node each time it connects to a network. Dynamic IP is often used by ISPs for dial-up access--each time a node dials up, it is assigned a different IP address.

Whether your address is static or dynamic, it is used in all network traffic that you conduct. For example, as discussed in Chapter 13, "Techniques to Hide One's Identity," a Web server records your IP address when you request a Web page. This is not to intrude on your privacy; it is done so that the server knows how to send you the requested data. In a similar fashion, all network services capture your IP (either temporarily or permanently) so they can return data to your address. In essence, it works much like the postal service: Imagine if every letter mailed had a return address. On the Internet, things are just so. The IP is the return address.

When a connection is made between your machine and a remote machine, various dialogs may ensue. I discussed some of those dialogs in Chapter 6, "A Brief Primer on TCP/IP." A common one--which you are apt to remember--is the TCP/IP three-way handshake. At any rate, such dialogs occur, during which time your IP is known by the target machine. Under normal circumstances, where no firewall or other superseding utility (such as TCP_Wrapper) has been installed, the dialog between your machine and the remote machine occurs directly (see Figure 27.1).

FIGURE 27.1. The route of information.

When I say that information travels directly, that is a very qualified term. As you can see, the process (even without security measures) is complex:

1. The data originates somewhere within Your Network (which, by the way, could refer to a machine in your home). In this case, you are connected to your provider's network. For our purposes, your provider's network is Your Network.

2. Information travels from your machine to a machine on the provider's network. From there, the information travels through an Ethernet cable (or other means of transport) to the main server of Your Network.

3. The server of Your Network passes this information to Router 1, which promptly pours the information through the telephone line (or other high-speed connection) to the Internet at large.

file:F|A20Hackers20Guide20to20Protect...0Internet20Site20and20Networkch27ch27.htm 2 of 23 [5142003 8:21:10 AM]

Their Server; the information is then served via Ethernet (or other transport) to Their Network.

NOTE: I have greatly simplified the network outlay (design) by providing only relevant details. In practice, there might be all sorts of devices located between Your Network and Their Network.

If neither side has installed security measures, the path is deemed (for all purposes) direct. Router 2, for example, allows packets from any source IP address to travel directly to Their Server and ultimately, to Their Network. At no point during that travel do the packets meet an obstacle. This is a completely insecure situation. However, for many years, this was the standard. Today, the type of situation illustrated in Figure 27.1 is too dangerous. Over the years, network engineers considered a wide range of solutions, including the firewall.

What Are the Components of a Firewall?

The most fundamental components of a firewall exist neither in software nor hardware, but inside the mind of the person constructing it. A firewall, at its inception, is a concept rather than a product; it is an idea in the architect's mind of who and what will be allowed to access the network. Who and what dramatically influence how network traffic (both incoming and outgoing) is routed. For this reason, constructing a firewall is part art, part common sense, part ingenuity, and part logic. Suppose the architect knows a Web server must exist on the host network. This Web server will obviously accept connections from almost any IP address. A restricted area, therefore, must be created for that server.
In other words, in providing Web services from the host network, the architect must ensure that the Web server does not endanger the remaining portions of the network. Likewise, incoming mail is also an issue.

Specific Components and Characteristics

Firewalls can be composed of software, hardware, or, most commonly, both. The software components can be either proprietary, shareware, or freeware. The hardware can be any hardware that supports the software being used. If hardware, a firewall can (and often does) consist of no more than a router. As you will learn in Chapter 28, "Spoofing Attacks," routers have advanced security features, including the capability to screen IP addresses. This screening process allows you to define which IP addresses are allowed to connect and which are not.

In any event, all firewalls share a common attribute: the capability to discriminate (or the capability to deny access), generally based on source address.

Types of Firewalls

There are different kinds of firewalls, and each type has its advantages and disadvantages. The most common type is referred to as a network-level firewall. Network-level firewalls are usually router based. That is, the rules of who and what can access your network are applied at the router level. This scheme is applied through a technique called packet filtering, which is the process of examining the packets that come to the router from the outside world. In a router-based firewall implementation, the source address of each incoming connection (that is, the address from which the packets originated) is examined. After each IP source address has been identified, whatever rules the architect has instituted will be enforced. For example, perhaps the architect decides that no network traffic will be accepted from any address within Microsoft Corporation.
Thus, the router rejects any packets forwarded from microsoft.com. These packets never reach the internal server or the network beneath it.

NOTE: Routers are about the size of a small printer. Generally, at the back of the router are connection points for Ethernet and digital telephone lines. Use these connection points to connect the telephone line (T1, T3, and so on) and Ethernet to your server. Routers are configured using special software. In most instances, the software is quite easy to use. Most newer implementations are controlled through a windowed interface (such as the X Window system, OpenWindows, and so on). Routers range in price (used to new) from $600 to $1,800.

Router-based firewalls are fast. Because they only perform cursory checks on the source address, there is no real demand on the router. It takes no time at all to identify a bad or restricted address. Nevertheless, the speed comes with a price: Router-based firewalls use the source address as an index. That means (barring controls against such access) packets sent from forged source addresses can gain at least some level of access to your server.

In fairness, many packet-filtering techniques can be employed with router-based firewalls that shore up this weakness. The IP address header is not the only field of a packet that can be trapped by a router. As packet-filtering technology becomes more sophisticated, so do the schemes (or rules) employed by an administrator. One can now even apply rules related to state information within packets, using indexes

Cross Reference: For an excellent discussion of the fields that can be filtered, as well as a comprehensive look at packet filtering, "Network (In)Security Through IP Packet Filtering" by D. Brent Chapman is a must. Find it online at http://www.unix.geek.org.uk/~arny/pktfilt.ps.
However, these are not the only deficiencies of packet-filtering, router-based firewalls. For example:

Another problem is that a number of RPC (Remote Procedure Call) services are very difficult to filter effectively because the associated servers listen at ports that are assigned randomly at system startup. A service known as portmapper maps initial calls to RPC services to the assigned service numbers, but there is no such equivalent for a packet filtering router. Since the router cannot be told which ports the services reside at, it isn't possible to block completely these services unless one blocks all UDP packets (RPC services mostly use UDP). Blocking all UDP would block potentially necessary services such as DNS. Thus, blocking RPC results in a dilemma.

Cross Reference: The preceding paragraph is excerpted from "Problems with Packet Filtering Routers" by John Wack. It can be found online at http://www.telstra.com.au/pub/docs/security/800-10/node51.html.

Wack discusses RPC as a potential problem because the ports can be assigned dynamically at startup. However, in most cases, this type of filtering (appropriately called protocol filtering) is not a problem. Very sophisticated schemes can be implemented in protocol filtering, and these rely primarily on the port called by the remote host.

Cross Reference: For an excellent discussion of protocol filtering (and packet filtering in general), check out "Packet Filtering in an IP Router" by Bruce Corbridge, Robert Henig, and Charles Slater. This paper offers an inside look at exactly how packet filtering is accomplished in Telebit routers. More importantly, the document takes you through the design and implementation of the router. You can find it online at http://www.alw.nih.gov/Security/FIRST/papers/firewall/cslater.ps.
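The two caveats above (a filter that indexes on source address alone, and the RPC/UDP dilemma) are easier to see with rules in hand. The following rule evaluator is an added example written for this chapter; it is not code from the book, from any router vendor, or from the Wack paper. The address prefixes, rule sets and packets are constructed, and the `iface` field on the packet together with the `antispoof` switch are assumptions made for the demonstration (they stand in for the ingress check a real router would apply per interface).

```python
"""Toy packet filter modelled on the router-based filtering described above.

Added example, not code from the book or any real router.  It evaluates an
ordered rule list against constructed packets and shows three things: source-
address screening, why a filter that indexes on source address alone accepts a
forged source (and the ingress check that shores this up), and the UDP/RPC
dilemma, where a blanket UDP block also stops DNS while a port-based rule
cannot name an RPC port that was assigned at system startup.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed prefixes (RFC 5737 documentation ranges), not real addresses.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")    # "Your Network"
BLOCKED_NET = ipaddress.ip_network("198.51.100.0/24")  # stands in for microsoft.com in the text


@dataclass
class Packet:
    src: str                    # source address as written in the IP header
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None
    iface: str = "ext"          # assumed field: interface the packet arrived on


@dataclass
class Rule:
    action: str                                       # "accept" or "reject"
    src_net: Optional[ipaddress.IPv4Network] = None   # None matches any source
    proto: Optional[str] = None                       # None matches any protocol
    dport: Optional[int] = None                       # None matches any port

    def matches(self, pkt: Packet) -> bool:
        if self.src_net is not None and ipaddress.ip_address(pkt.src) not in self.src_net:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def filter_packet(rules: List[Rule], pkt: Packet, default: str = "accept",
                  antispoof: bool = False) -> str:
    """First matching rule wins.  With no matching rule the router falls back to
    `default`, which in the insecure Figure 27.1 setup is 'accept'.  The optional
    ingress check is one of the techniques that shores up the source-index
    weakness: an internal source address cannot arrive on the outside interface."""
    if antispoof and pkt.iface == "ext" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return "reject"
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


# The example from the text: reject the one network, accept everything else.
REJECT_BLOCKED_NET = [Rule("reject", src_net=BLOCKED_NET)]
# A trust-by-source policy: only internal addresses may reach the server.
TRUST_INTERNAL = [Rule("accept", src_net=INTERNAL_NET), Rule("reject")]
# A blanket UDP block, the only way a port-unaware rule is sure to stop RPC.
BLOCK_ALL_UDP = [Rule("reject", proto="udp")]
# Protocol (port) filtering: keep DNS, stop the portmapper on its fixed port.
PROTOCOL_FILTER = [Rule("accept", proto="udp", dport=53),
                   Rule("reject", proto="udp", dport=111)]


def demo() -> dict:
    """Verdicts for a handful of constructed packets, keyed by scenario."""
    from_blocked = Packet("198.51.100.7", "192.0.2.10", "tcp", 80)
    # A forged packet: an outside host writes an internal address as its source.
    forged = Packet("192.0.2.250", "192.0.2.10", "tcp", 80, iface="ext")
    dns = Packet("203.0.113.9", "192.0.2.10", "udp", 53)
    portmap = Packet("203.0.113.9", "192.0.2.10", "udp", 111)
    # An RPC service whose port was handed out at boot; nothing in the packet
    # tells the router that 32771 is RPC, so only a blanket UDP block catches it.
    rpc_dynamic = Packet("203.0.113.9", "192.0.2.10", "udp", 32771)
    return {
        "blocked_net": filter_packet(REJECT_BLOCKED_NET, from_blocked),
        "forged_source_index": filter_packet(TRUST_INTERNAL, forged),
        "forged_with_antispoof": filter_packet(TRUST_INTERNAL, forged, antispoof=True),
        "dns_block_all_udp": filter_packet(BLOCK_ALL_UDP, dns),
        "dns_protocol_filter": filter_packet(PROTOCOL_FILTER, dns),
        "portmap_protocol_filter": filter_packet(PROTOCOL_FILTER, portmap),
        "rpc_dynamic_protocol_filter": filter_packet(PROTOCOL_FILTER, rpc_dynamic),
        "rpc_dynamic_block_all_udp": filter_packet(BLOCK_ALL_UDP, rpc_dynamic),
    }


if __name__ == "__main__":
    for scenario, verdict in demo().items():
        print(f"{scenario:30s} {verdict}")
```

The two verdicts worth comparing are `forged_source_index` against `forged_with_antispoof` (the same packet is accepted by the source-only index and rejected once the interface is consulted) and `rpc_dynamic_protocol_filter` against `dns_block_all_udp` (port rules let the dynamically numbered RPC service through, while the only rule that stops it also stops DNS).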
Packet Filtering Tools

TCP_Wrappers

TCP_Wrappers is a program written by Wietse Venema (also the co-author of the famous scanning utility, SATAN). Arguably, no other tool more easily or efficiently facilitates monitoring connections to your machine. The program works by replacing system daemons and recording all connection requests, their time, and most importantly, their origin. For these reasons, TCP_Wrappers is one of the most critical evidence-gathering tools available. TCP_Wrappers also has the capability to screen out unwanted networks and IP addresses, preventing users at such addresses from connecting.

Cross Reference: TCP_Wrappers is available online at ftp://ftp.win.tue.nl/pub/security/tcp_wrappers_7.4.tar.gz.

NetGate

NetGate (developed by SmallWorks) is a rule-based packet filtering system. It was designed for use on SPARC systems running SunOS 4.1.x. Like most packet filters, NetGate can examine each and every packet it encounters and can apply various rules, based upon the source address revealed in that examination. NetGate also sports some pretty strong logging capabilities. Reportedly, the distribution can be obtained either as a binary installation ($1,500) or source ($2,500). If your company needs a product with support (as opposed to freeware), I would recommend NetGate as a reasonable and economical alternative to other, more high-profile products.

Cross Reference: You can find information about NetGate at http://hosaka.smallworks.com/netgate/packetfiltering.html.

Internet Packet Filter

This interesting package is freely available. Written by Darren Reed, the Internet Packet Filter has all the amenities of a finely coded, commercial application. Reed took particular pride in developing a package that could defeat the type of IP spoofing attack that Kevin Mitnick purportedly launched against machines at the San Diego Supercomputer Center.
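The TCP_Wrappers behaviour described earlier in this section (screen connections by origin, and log every request with its time and source) can be shown in a few dozen lines. The following is an added example, not TCP_Wrappers' own code: it follows the real `hosts.allow` / `hosts.deny` rule shape and precedence but implements only the simple client patterns, and the policy files, daemons and addresses in it are constructed for the demonstration.

```python
"""hosts.allow / hosts.deny-style access control with connection logging.

Added example, not code from TCP_Wrappers itself.  It reproduces the two
behaviours the text credits TCP_Wrappers with: screening connections by the
network or address they come from, and recording every request with its time
and origin.  The rule shape follows the real files ("daemon_list : client_list",
hosts.allow consulted before hosts.deny), but only the simple client patterns
are implemented: ALL, an exact address or host name, a trailing-dot address
prefix such as 192.0.2., a net/mask pair, and a leading-dot domain suffix.
The policy files and addresses below are constructed for the demonstration.
"""
import ipaddress
from datetime import datetime
from typing import List, Optional, Tuple

Rule = Tuple[List[str], List[str]]   # (daemons, client patterns)

# Constructed policy: the management LAN may use any wrapped service, anyone
# may reach the mailer, one abusive network is shut out, and everything else
# is refused by the final catch-all in hosts.deny.
HOSTS_ALLOW = """
ALL : 192.0.2.
sendmail : ALL
"""
HOSTS_DENY = """
ALL : 198.51.100.0/255.255.255.0
ALL : ALL
"""


def parse_rules(text: str) -> List[Rule]:
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append(([d.strip() for d in daemons.split(",")],
                      [c.strip() for c in clients.split(",")]))
    return rules


def client_matches(pattern: str, addr: str, host: str) -> bool:
    if pattern == "ALL":
        return True
    if pattern.startswith("."):                    # domain suffix, e.g. .example.net
        return host.endswith(pattern)
    if pattern.endswith("."):                      # address prefix, e.g. 192.0.2.
        return addr.startswith(pattern)
    if "/" in pattern:                             # net/mask, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(addr) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return addr == pattern or host == pattern       # exact address or host name


def rule_matches(rule: Rule, daemon: str, addr: str, host: str) -> bool:
    daemons, clients = rule
    return ("ALL" in daemons or daemon in daemons) and \
        any(client_matches(c, addr, host) for c in clients)


def hosts_access(daemon: str, addr: str, host: str,
                 allow: List[Rule], deny: List[Rule]) -> bool:
    """Same precedence as the real library: an allow match grants immediately,
    otherwise a deny match refuses, otherwise the connection is granted."""
    if any(rule_matches(r, daemon, addr, host) for r in allow):
        return True
    if any(rule_matches(r, daemon, addr, host) for r in deny):
        return False
    return True


def wrap_connection(daemon: str, addr: str, host: str,
                    allow_text: str = HOSTS_ALLOW, deny_text: str = HOSTS_DENY,
                    now: Optional[datetime] = None) -> Tuple[bool, str]:
    """Decide the request and produce the syslog-style line that makes the
    wrapper an evidence-gathering tool: time, daemon, verdict and origin."""
    now = now or datetime.now()
    granted = hosts_access(daemon, addr, host, parse_rules(allow_text), parse_rules(deny_text))
    verdict = "connect from" if granted else "refused connect from"
    return granted, f"{now:%b %d %H:%M:%S} {daemon}: {verdict} {host} [{addr}]"


if __name__ == "__main__":
    for daemon, addr, host in [("in.telnetd", "192.0.2.15", "admin.example.net"),
                               ("sendmail", "198.51.100.4", "relay.example.org"),
                               ("in.ftpd", "198.51.100.4", "relay.example.org"),
                               ("in.telnetd", "203.0.113.8", "unknown")]:
        print(wrap_connection(daemon, addr, host)[1])
```

Note the second case: the abusive network is listed in `hosts.deny`, yet its mail connection is granted, because `sendmail : ALL` in `hosts.allow` is consulted first. That allow-before-deny ordering is the one most often misread when writing wrapper policy, and the logged line is what lets you notice it afterwards.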
Some interesting tidbits: Reed provided functionality not only to discard TCP packets that were incomplete or malformed, but to do so silently (your host returns no ICMP error). Internet Packet Filter also offers a comprehensive testing utility, so you can ensure your rules are sound before you implement them. The program actually can take previous logs as input, and you can watch as the rules are applied. Very cool. It is available for SunOS.

Cross Reference: The Internet Packet Filter can be found at ftp://coombs.anu.edu.au/pub/net/kernel/ip_fil3.0.4.tar.gz.

Audit and Logging Tools

Packet filters, when used in conjunction with powerful auditing tools, can greatly assist in protecting your network and identifying intruders. The right combination of these types of tools can be every bit as effective as a commercial firewall (and generally, a whole lot less expensive). Following are some good auditing tools.

Argus

Argus was developed at Carnegie Mellon University's Software Engineering Institute. Argus is known to compile without errors, at least on the following platforms:

● SunOS 4.x
● Solaris 2.3
● SGI IRIX 5.2

In the document announcing Argus's availability, the authors report that Argus is suitable for network monitoring, identifying potential network problems, and perhaps most importantly, verifying access control policies.

Cross Reference: The document announcing Argus's availability can be found online at ftp://ftp.sei.cmu.edu/pub/argus-1.5/argus-1.5.announce. The tool can be obtained online at ftp://ftp.sei.cmu.edu/pub/argus-1.5.

Netlog

Netlog, developed at Texas A&M University, can log all TCP and UDP traffic. To use this product, you must have a C compiler that will take ANSI C conventions. This tool also supports logging of ICMP messages (though the developers report that performing this logging activity soaks up a great deal of storage).
Cross Reference: Netlog is available online at ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU.

Netman

This tool is covered extensively in Chapter 12, "Sniffers." However, I will reiterate that this is a suite of applications that is well crafted; it is arguably the most complete package of its kind ever made.

Cross Reference: Netman is available online at ftp://ftp.cs.curtin.edu.au/pub/netman.

NOCOL/NetConsole v4.0

NOCOL/NetConsole v4.0 is a suite of standalone applications that perform a wide variety of monitoring tasks. This suite offers a Curses interface, which is great for running on a wide range of terminals (it does not require the X Window system in order to work). It is extensible, has support for a Perl interface, and is quite complex. It also operates on networks running AppleTalk and Novell NetWare.

Cross Reference: NOCOL/NetConsole v4.0 is available online at ftp://ftp.navya.com/pub/vikas/nocol.tar.gz.

There are other platform-specific packet filters. One well-known one is packetfilter, which runs on Ultrix 4.3. It is kernel resident.

Cross Reference: The man page for packetfilter is available online at http://198.233.42.11/cgi-bin/man2html/packetfilter/4.

Nonetheless, many of these tools, although capable of examining and monitoring packet traffic, cannot institute access-control policies. And that is the whole purpose of a firewall. It gives the administrator the ability to finely control who can and cannot access the network.

Application-Proxy Firewalls/Application Gateways

Other types of firewalls exist. A common type is application-proxy firewalls (sometimes referred to as application gateways). These work a bit differently from packet-filtering, router-based firewalls. Application gateways are software-based. When a remote user from the void contacts a network running an application gateway, the gateway blocks the remote connection.
Instead of passing the connection

The advantage of the application-gateway proxy model is the lack of IP forwarding. More importantly, more controls can be placed on the patched connection. Finally, such tools often offer very sophisticated logging facilities.

Again, there is no such thing as a free lunch. As you might expect, this gateway scheme has a cost in terms of speed. Because each connection (and all packet traffic) is accepted, negotiated, translated, and reforwarded, this implementation can be slower than router-based packet filtering.

IP forwarding occurs when a server that receives an external request from the outside world forwards that information in IP format to the internal network. Leaving IP forwarding enabled is a fatal error. If you allow IP forwarding to occur, a cracker can get in from the outside and reach workstations on your internal network.

Another disadvantage of this scheme is that a proxy application must be created for each networked service. Thus, one is used for FTP, another for Telnet, another for HTTP, and so forth. As John Wack explains in his article titled "Application Gateways":

A disadvantage of application gateways is that, in the case of client-server protocols such as Telnet, two steps are required to connect inbound or outbound. Some application gateways require modified clients, which can be viewed as a disadvantage or an advantage, depending on whether the modified clients make it easier to use the firewall. A Telnet application gateway would not necessarily require a modified Telnet client, however it would require a modification in user behavior: the user has to connect (but not log in) to the firewall as opposed to connecting directly to the host.
But a modified Telnet client could make the firewall transparent by permitting a user to specify the destination system (as opposed to the firewall) in the Telnet command. The firewall would serve as the route to the destination system and thereby intercept the connection, and then perform additional steps as necessary such as querying for a one-time password. User behavior stays the same, however at the price of requiring a modified client on each system.

Cross Reference: "Application Gateways" by John Wack can be found online at http://www.telstra.com.au/pub/docs/security/800-10/node52.html.

TIS FWTK

A typical example of an application-gateway firewall package is the Trusted Information Systems (TIS)

● Telnet
● FTP
● rlogin
● sendmail
● HTTP
● The X Window system

The FWTK is a comprehensive system. Nonetheless, it does not protect your network immediately upon installation. This is not a product that you simply install and abandon. The TIS FWTK is a tool kit. After you unpack the software, you must make certain decisions. You must also understand what you are doing. This is not a simple configuration problem. If you make erroneous rules or decisions along the way, your network might be unreachable from the void, even from friendly networks. Reading the documentation is paramount.

The beautiful thing about the FWTK is that it has excellent access control built into its design. For example, you can allow or deny access (connection) from a network, a part of a network, or even a single address. In this respect, it has granular access control.

Cross Reference: Before you get the TIS FWTK, you should probably examine a posting of a message from Marcus Ranum, one of the developers of TIS FWTK. This is a short, entertaining document that gives some insight into how the FWTK started. That document is located online at http://www.micrognosis.com/~nreadwin/fwtkhistory.txt.
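The application-gateway model described in this section (the gateway accepts the outside connection itself, applies access control, and only then opens a second connection inward, so nothing is IP-forwarded) is small enough to run end to end. The following is an added example and is not FWTK, SOCKS or any product's code. It uses the three kinds of access-list entry the text names for FWTK (a whole network, part of a network, a single address); every socket lives on the loopback interface so it runs offline, the addresses are constructed RFC 5737 documentation values, and the `addr_of` hook that tells the gateway which outside address a test client "came from" is an assumption made for the demonstration (a real gateway reads `getpeername()`).

```python
"""Minimal application gateway (proxy) of the kind the text describes.

Added example; it is not FWTK, SOCKS or any product's code.  The gateway
accepts the outside connection itself, checks the caller against a granular
access list (a whole network, part of a network or a single address, the
three cases the text gives for FWTK), and only then opens its own, separate
connection to the internal host and relays bytes.  Nothing is IP-forwarded:
a refused caller never causes a single packet to reach the internal host,
and the internal host only ever sees a connection from the gateway.  All
sockets live on the loopback interface so the demo runs offline; the
`addr_of` hook is an assumption for the demonstration (a real gateway reads
getpeername()).  Addresses are constructed RFC 5737 documentation values.
"""
import ipaddress
import socket
import threading
from typing import Callable, List, Optional, Tuple


class AccessList:
    """Ordered permit/deny entries over networks; a /32 names a single host."""

    def __init__(self, entries: List[Tuple[str, str]]):
        self.entries = [(action, ipaddress.ip_network(cidr)) for action, cidr in entries]

    def permits(self, addr: str) -> bool:
        ip = ipaddress.ip_address(addr)
        for action, net in self.entries:
            if ip in net:
                return action == "permit"
        return False                      # default deny


def _listen() -> socket.socket:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))              # ephemeral port, no clash with anything running
    s.listen(5)
    return s


class InternalEcho:
    """Stand-in for a protected internal service: echoes and counts connections."""

    def __init__(self):
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        self.connections = 0
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            self.connections += 1
            with conn:
                conn.sendall(b"echo:" + conn.recv(4096))


class Gateway:
    def __init__(self, acl: AccessList, internal_port: int,
                 addr_of: Optional[Callable[[socket.socket], str]] = None):
        self.acl, self.internal_port = acl, internal_port
        self.addr_of = addr_of or (lambda conn: conn.getpeername()[0])
        self.sock = _listen()
        self.port = self.sock.getsockname()[1]
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            conn, _ = self.sock.accept()
            threading.Thread(target=self._handle, args=(conn,), daemon=True).start()

    def _handle(self, conn: socket.socket):
        with conn:
            if not self.acl.permits(self.addr_of(conn)):
                conn.sendall(b"refused\n")            # decided here, before any inward traffic
                conn.shutdown(socket.SHUT_WR)
                while conn.recv(4096):                # drain until the caller hangs up
                    pass
                return
            request = conn.recv(4096)
            # Separate inner connection: the caller's packets stop at the gateway.
            with socket.create_connection(("127.0.0.1", self.internal_port)) as inner:
                inner.sendall(request)
                conn.sendall(inner.recv(4096))


def run_demo() -> Tuple[List[bytes], int]:
    """Three callers from constructed outside addresses; returns their replies and
    how many connections the internal host actually saw."""
    internal = InternalEcho()
    acl = AccessList([("deny", "203.0.113.99/32"),     # one bad host in a permitted range
                      ("permit", "203.0.113.0/25"),    # part of a network
                      ("permit", "198.51.100.0/24")])  # a whole network
    claimed = iter(["198.51.100.7", "203.0.113.99", "203.0.113.200"])
    gw = Gateway(acl, internal.port, addr_of=lambda conn: next(claimed))
    replies = []
    for _ in range(3):
        with socket.create_connection(("127.0.0.1", gw.port)) as client:
            client.sendall(b"hello")
            replies.append(client.recv(4096))
    return replies, internal.connections


if __name__ == "__main__":
    print(run_demo())
```

Of the three callers, only the first is relayed; the single-host deny and the address outside the permitted /25 are both turned away at the gateway, and the internal service's connection count stays at one, which is the property the text means by "no IP forwarding". Each service would need its own such proxy in practice, which is the per-service cost the section goes on to discuss.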
Cross Reference: Obtain a copy of the TIS Firewall Tool Kit at ftp://ftp.tis.com/pub/firewalls/toolkit/dist.

Cross Reference: The FWTK requires a UNIX system and a C compiler. Moreover, although the FWTK is known to compile on SunOS and BSD without problems, configuration issues exist for Linux. To sort out these problems quickly, there is no better document than "Creating a Linux Firewall using the TIS Toolkit" by Benjamin Ewy. That document is located online at http://www.ssc.com/lj/issue25/1204.html. Patches for use with the FWTK on Linux are located online at ftp://ftp.tisl.ukans.edu/pub/security/firewalls/fwtkpatches.tgz.

The reason I mention the TIS FWTK is because it was the first, full-fledged firewall of this class. It was a ground breaker in the firewall field.

Cross Reference: "Thinking About Firewalls," also by Marcus Ranum, is a very good document about firewalls in general. This document details the types of firewalls that can be implemented and their advantages and disadvantages. It can be found online at http://hp735c.csc.cuhk.hk/ThinkingFirewalls.html.

NOTE: Another extremely popular firewall in this class is SOCKS, which is based on the application-proxy model. The connect request is intercepted by SOCKS and translated. Thus, a direct connection never occurs between your network and the outside world. SOCKS is of great significance because it is so well established that support for it is already included in many browser packages, most notably Netscape Navigator.

Cross Reference: There is a very comprehensive coverage of SOCKS technology on the Internet. The document is so well designed and written that anyone can get a solid grasp of how SOCKS works in just a few moments. That document is at http://www.socks.nec.com/introduction.html.

It is my opinion that application-gateway systems (proxy-based firewalls) are more secure.
This is because there is no IP forwarding scheme. That means IP packets from the void cannot reach any machine on your internal network.

Firewalls Generally

One of the main ideas behind a firewall is that your network will remain theoretically invisible (or at least unreachable) to anyone not authorized to connect. This process works through the exclusionary schemes that one can apply using a firewall.

CAUTION: Your firewalled network will not be entirely invisible. At least one scanner, called Jakal, can scan for services running behind a firewall. Jakal, a stealth scanner, will scan a domain behind a firewall without leaving any trace of the scan. According to the authors, all alpha test sites were unable to log any activity, though it is reported that some

Theoretically, a firewall is the most stringent security measure you can implement (barring, of course, disconnecting your system from the Internet). Nevertheless, issues regarding this stringent security environment remain. One is that security with a firewall can be configured so stringently that it can actually impair the process of networking. For example, some studies suggest that the use of a firewall is impractical in environments where users critically depend on distributed applications. Because firewalls implement such a strict security policy, these environments become bogged down. What they gain in security, they lose in functionality.

Universities are a perfect example of this type of environment. Research in universities is often conducted where two or more departments (often on network segments located far from each other) are involved in the compilation of data and corroboration of research efforts. In these environments, it is very difficult to work under such tight security restraints.

A second issue regarding firewalls is that they lead to placing most of your eggs in one basket.
Because a firewall is your face to the void, a breach can cause your internal network to be easily destroyed. That is, firewalls can foster a climate in which they are the only real access control and security you have. Firewalls are almost always described as the bottleneck of a network, where all authentication is to be done. This seems suitable as long as firewalls are infallible. But what if they aren't? What if a technique is discovered to crack any firewall? Networks that rely on firewalls would be completely exposed, and odds of survival would be slim.

Before you construct a firewall, you should undertake some serious research. When you construct a firewall, you must know your network intimately. This requires true organization. Various network segments (either on the same network or different ones) will need to communicate with each other. These networks can communicate through automated processes or human interaction. Automated processes might prove easy to accommodate. Human-initiated processes, however, can differ dramatically.

For some organizations, a firewall is just plain impractical. ISPs are within this class. One could quickly lose customers by instituting harsh security policies. Indeed, some contend that firewalls are not needed. These people argue that solid system administration practices will render the same benefit as a firewall, without slowing the network or making connections difficult.

There are other problems with establishing a firewall as well. If FTP, Telnet, Gopher, HTTP, RPC, rlogin, and NFS were the only protocols that the Internet would ever use, a firewall would pose only limited problems with access. After all, proxies have been written for all of these applications. The problem is, these are not the only services; new services crop up each month. Thus, to provide your internal users with effective Internet access, you must keep up with the applications now emerging.
Proxies for such services will generally be obtainable, but after the new service or protocol has already been on the market for some time. Of course, "some time" is generally only a few months, but during those months, your internal users will fuss.

The construction of a firewall is not for the faint of heart. It is for a system administrator (or other individual) who intimately knows the network to be firewalled. The process is not simple; the steps include

1. Identifying topology and protocol needs
2. Developing policies