[Chapter 12] 12.7 Firewalls

The exterior router is the only connection between the enterprise network and the outside world. This
router is configured to do a minimal level of access control. It checks to make sure that no packet
coming from the external world has a source address that matches the internal network. If our network
number is 172.16, the exterior router discards any packets it receives on its exterior interface that
contain the source address 172.16. That source address should only be received by the router on its
interior interface. Security people call this type of access control packet filtering. In some ways it is
similar to the packet filtering we did in Chapter 11, Troubleshooting TCP/IP because packets are
"filtered out" based on IP header information.
The interior router does the bulk of the access control work. It filters packets not only on address but
also on protocol and port numbers to control the services that are accessible to and from the interior
network. Which services this router blocks is up to you. If you plan to use a firewall, the
services that will be allowed and those that will be denied should be defined in your security policy
document. Almost every service can be a threat. These threats must be evaluated in light of your
security needs. Services that are intended only for internal users (NIS, NFS, X-Windows, etc.) are
almost always blocked. Services that allow writing to internal systems (the r commands, telnet, FTP,
SMTP, etc.) are usually blocked. Services that provide information about internal systems (DNS,
fingerd, etc.) are usually blocked. This doesn't leave much running! That is where the bastion host and
perimeter network come in.
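As an added illustration (not code from the book), here is a small Python model of the two filtering stages just described: the exterior router's source-address check and the interior router's protocol/port filtering. The 172.16 network number is the text's; the bastion address, the port list and the rule logic are constructed assumptions, not a recommended policy.

```python
# Added example (not from the book): a toy model of the exterior/interior
# router filtering described in the text. Network 172.16.0.0/16 is the
# network number from the text; the bastion address, port list and rules
# are constructed illustrations, not a recommended policy.
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("172.16.0.0/16")
BASTION = ipaddress.ip_address("192.0.2.10")   # constructed perimeter address

# Internal-only, write-capable and information-leaking services the text
# lists as usually blocked, keyed by (protocol, destination port).
BLOCKED_SERVICES = {
    ("tcp", 21): "ftp", ("tcp", 23): "telnet", ("tcp", 25): "smtp",
    ("tcp", 53): "dns", ("udp", 53): "dns", ("tcp", 79): "fingerd",
    ("tcp", 111): "portmapper (NIS/NFS)", ("udp", 111): "portmapper (NIS/NFS)",
    ("tcp", 513): "rlogin", ("tcp", 514): "rsh", ("tcp", 6000): "X11",
}

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "exterior" or "interior"
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

def exterior_router(pkt: Packet) -> tuple[bool, str]:
    """Minimal access control: an internal source address must never arrive
    on the exterior interface, so such a packet is discarded as spoofed."""
    if pkt.iface == "exterior" and ipaddress.ip_address(pkt.src) in INTERNAL_NET:
        return False, f"spoofed internal source {pkt.src} on exterior interface"
    return True, "forward"

def interior_router(pkt: Packet) -> tuple[bool, str]:
    """Same address check, plus protocol/port filtering for traffic entering
    the interior network. Here "exterior" is the perimeter-facing interface;
    only the bastion host may deliver a restricted service inward."""
    ok, why = exterior_router(pkt)
    if not ok:
        return ok, why
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    inbound = pkt.iface == "exterior" and dst in INTERNAL_NET
    name = BLOCKED_SERVICES.get((pkt.proto, pkt.dport))
    if inbound and name and src != BASTION:
        return False, f"{name} to internal host {pkt.dst} blocked"
    return True, "forward"
```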
The bastion host is a secure server. It provides an interconnection point between the enterprise
network and the outside world for the restricted services. Some of the services that are restricted by
the interior gateway may be essential for a useful network. Those essential services are provided
through the bastion host in a secure manner. The bastion host provides some services directly, such as
DNS, SMTP mail services, and anonymous FTP. Other services are provided as proxy services. When
the bastion host acts as a proxy server, internal clients connect to the outside through the bastion hosts
and external systems respond back to the internal clients through the host. The bastion host can
therefore control the traffic flowing into and out of the site to any extent desired.
There can be more than one secure server, and there often is. The perimeter network connects the
servers together and connects the exterior router to the interior router. The systems on the perimeter
network are much more exposed to security threats than are the systems on the interior network. This
is as it must be. After all, the secure servers are needed to provide service to the outside world as well
as to the internal network. Isolating the systems that must be exposed on a separate network lessens
the chance that a compromise of one of those systems will lead directly to the compromise of an
internal system.
The multi-homed host architecture attempts to duplicate all of these firewall functions in a single box.
It works by replacing an IP router with a multi-homed host that does not forward packets at the IP
layer. [8] The multi-homed host effectively severs the connection between the interior and exterior
networks. To provide the interior network with some level of network connectivity, it performs
similar functions to the bastion hosts.
[8] The role that IP routers, also called gateways, play in gluing the Internet together is
covered extensively in earlier chapters.
Figure 12.5 shows a comparison between an IP router and a multi-homed host firewall. A router
handles packets up through the IP layer. The router forwards each packet based on the packet's
destination address, and the route to that destination indicated in the routing table. A host, on the other
hand, does not forward packets. The multi-homed host processes packets through the Application
Layer, which provides it with complete control over how packets are handled. [9]
[9] See the GATEWAY option in Chapter 5, for information on how to prevent a multi-homed host from forwarding packets.
Figure 12.5: Firewalls versus routers
This definition of a firewall - as a device completely distinct from an IP router - is not universally
accepted. Some people refer to routers with special security features as firewalls, but this is really just
a matter of semantics. In this book, routers with special security features are called "secure routers" or
"secure gateways." Firewalls, while they may include routers, do more than just filter packets.

12.7.1 Functions of the firewall
An intruder cannot mount a direct attack on any of the systems behind a firewall. Packets destined for
hosts behind the firewall are simply delivered to the firewall. The intruder must instead mount an
attack directly against the firewall machine. Because the firewall machine can be the target of break-in
attacks, it employs very strict security guidelines. But because there is only one firewall versus many
machines on the local network, it is easier to enforce strict security on the firewall.
The disadvantage of a firewall system is obvious. In the same manner that it restricts access from the
outside into the local network, it restricts access from the local network to the outside world. To
minimize the inconvenience caused by the firewall, the system must do many more things than a
router does. Some firewalls provide:

DNS name service for the outside world
Email forwarding
Proxy services

Only the minimal services truly needed to communicate with external systems should be provided on
a firewall system. Other common network services (NIS, NFS, rsh, rcp, finger, etc.) should generally
not be provided. Services are limited to decrease the number of holes through which an intruder can
gain access. On firewall systems, security is more important than service.

The biggest problems for the firewall machine are ftp service and remote terminal service. To
maintain a high level of security, user accounts are discouraged on the firewall machine; however,
user data must pass through the firewall system for ftp and remote terminal services. This problem
can be handled by creating special user accounts for ftp and telnet that are shared by all internal
users. But group accounts are generally viewed as security problems. A better solution is to provide
proxy services on the firewall. To do this you need to run a proxy server on the firewall and proxy
clients on your internal system. Most commercial client software includes support for proxy services.
Many packages are compatible with SOCKS, a freely available proxy service package that can be
downloaded from the Internet.
Because to be effective a firewall must be constructed with great care, and because there are many
configuration variables for setting up a firewall machine, vendors offer special firewall software.
Some vendors sell special-purpose machines designed specifically for use as firewall systems. Before
setting up your own firewall, investigate the options available from your hardware vendor.
The details of setting up a firewall system are beyond the scope of this book. Before you proceed, I
recommend you read Building Internet Firewalls and Firewalls and Internet Security, listed in the
bibliography at the end of this chapter. Unless you have skilled UNIX systems administrators with
adequate free time, a do-it-yourself firewall installation is a mistake. Hire a company that specializes
in firewall design and installation. If your information is valuable enough to protect with a firewall, it
must be valuable enough to protect with a professionally installed firewall.
Firewall systems are useful to many sites, but for some others they are not appropriate. The
restrictions they place on individual users are not acceptable to some organizations, and these
restrictions can drive independent-minded users to find other ways to handle their communications
needs. Think seriously about your real security needs before selecting a solution.

12.7.2 Routing control
A firewall system works by controlling routing between the protected system and the rest of the
world. A carefully modified static routing table can be used to provide a similar type of protection
between internal systems on an enterprise network.
As we discussed in the chapters on routing and troubleshooting, it is necessary for your system to
have a routing table entry for every network with which it will communicate. This can be either an
explicit route for an individual network, or a default route for all networks. Without the proper routes,
your system cannot communicate with remote networks, and the remote networks cannot
communicate with your system. Regardless of how the remote site sets up its routing, it cannot
communicate with your host if your host does not have a route back to the remote site. Because of
this, you can control which remote sites are able to communicate with your system by controlling the
contents of the routing table.
For example, assume that the nuts.com personnel department is on subnet, and that the
router for their subnet is They want to talk only to other hosts on their subnet and to a
management system named hickory.nuts.com ( To implement this policy with the routing
table, each host administrator on the personnel subnet:
1. Makes sure that no routing protocol is running, and that none is started automatically at boot.
2. Disables source routing.
3. Makes sure that there is no default route in the routing table, and that a default route is not added automatically at boot time.
4. Adds a host-specific route to (hickory.nuts.com), and makes sure that this static route is added each time the system boots.
Using netstat to display this limited routing table on host shows the following:
# netstat -nr
Routing tables




89456 le0

The display shows the loopback route, a route to the local subnet (, and a host route to
hickory.nuts.com ( There are no other routes, so there are no other locations with which
this host can communicate. Therefore, if an intruder launched an attack against this system, he would
receive no response.
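To make the "no route back, no response" argument concrete, here is an added Python example (not code from the book) that performs a longest-prefix lookup over a restricted static table like the one described for the personnel subnet and checks for the default route that step 3 forbids. The 172.16 network number is the book's; the specific subnet, router and management-host addresses are constructed stand-ins for the values omitted in this copy of the text.

```python
# Added example (not from the book): a longest-prefix route lookup over the
# kind of deliberately minimal static routing table described above. The
# 172.16 network number is the book's; the specific subnet, router and host
# addresses are constructed stand-ins for the values omitted in this copy.
import ipaddress
from typing import Optional

def build_table(routes):
    """routes: list of (destination, gateway) strings. Nothing here adds a
    default route or runs a routing protocol, which is the point of the
    technique: the table contains only what the policy allows."""
    return [(ipaddress.ip_network(dst, strict=False), ipaddress.ip_address(gw))
            for dst, gw in routes]

def lookup(table, dst: str) -> Optional[ipaddress.IPv4Address]:
    """Return the gateway of the most specific route matching dst, or None."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if addr in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def can_respond(table, remote: str) -> bool:
    """The host can only answer a peer it holds a route back to; with no
    route, packets from that peer simply get no reply."""
    return lookup(table, remote) is not None

def has_default_route(table) -> bool:
    """Step 3 of the procedure: a default route would reopen a path to every
    network and defeat the restricted table."""
    return any(net.prefixlen == 0 for net, _ in table)

# Constructed table for one personnel-subnet host: loopback, its own subnet
# (reached directly, so the gateway is its own address), and a host route to
# the management station via the subnet router.
PERSONNEL_TABLE = build_table([
    ("127.0.0.1/32", "127.0.0.1"),
    ("172.16.6.0/24", "172.16.6.3"),   # this host's own address as gateway
    ("172.16.1.1/32", "172.16.6.1"),   # management host via subnet router
])
```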
This security technique is less restrictive than an internal firewall, because it affects only the systems
that contain the data or processes that are being protected. This technique is easy to implement and
does not require special equipment or software. However, it is also much less secure than a firewall. If
any of these systems is successfully attacked, all of the systems could be compromised. Each system
being protected this way must be properly configured, while one firewall can protect a group of
systems. This works only when there are a small number of systems and they are all under the control
of a single network administrator. In a few situations, this is a possible alternative to an internal

[Chapter 12] 12.8 Words to the Wise

12.8 Words to the Wise
I am not a security expert; I am a network administrator. In my view, good security is good system
administration and vice versa. Most of this chapter is just common-sense advice. It is probably
sufficient for most circumstances, but certainly not for all.
Make sure you know whether there is an existing security policy that applies to your network or
system. If there are policies, regulations, or laws governing your situation, make sure to obey them.
Never do anything to undermine the security system established for your site.
No system is completely secure. No matter what you do, you will have problems. Realize this and
prepare for it. Prepare a disaster recovery plan and do everything necessary, so that when the worst
does happen, you can recover from it with the minimum possible disruption.
A good listing of available security publications can be found at http://csrc.nist.gov/secpub. If you
want to read more about security, I recommend the following:

RFC 1244, Site Security Handbook, P. Holbrook, J. Reynolds, et al., July 1991.
RFC 1281, Guidelines for the Secure Operation of the Internet, R. Pethia, S. Crocker, and B. Fraser, November 1991.
Practical UNIX and Internet Security, Simson Garfinkel and Gene Spafford, O'Reilly &
Associates, 1996.
Building Internet Firewalls, Brent Chapman and Elizabeth Zwicky, O'Reilly & Associates,
Computer Security Basics, Deborah Russell and G. T. Gangemi, Sr., O'Reilly & Associates,
Firewalls and Internet Security, William Cheswick and Steven Bellovin, Addison-Wesley,
