SecurityFocus, a division of Symantec Corp., is a company that provides security information services. These services include maintaining an excellent Web site that provides you the latest information on security vulnerabilities in a variety of products. In addition, SecurityFocus also maintains a number of mailing lists on security-related issues.
The Web site for SecurityFocus at www.securityfocus.com is one of the best for getting timely information on vulnerabilities and for finding mailing lists that help you stay up-to-date on security issues. These are the most useful sections of the Web site:
Mailing lists: This is what SecurityFocus.com is best known for. This section enables you to get information about and subscribe to a number of mailing lists. Some of these mailing lists cover newly discovered security vulnerabilities and fixes for them. Others deal with more specialized topics, such as intrusion detection. The best known of these lists is Bugtraq, which carries the largest number of reports on security vulnerabilities. Another great list is Security-Basics, which is intended to help beginners in the field learn the basics of computer security. Use this section to learn more about each list, search messages, and subscribe to receive regular messages via e-mail.
Vulnerabilities: This is a searchable database of security vulnerabilities in all kinds of products. This database is one of the most comprehensive aids available to find out about security problems in almost any computer product.
Tools: This is a comprehensive list of tools that you can use to improve the security of your network. For example, this Web site features a long, annotated list of intrusion-detection systems that you can use to assess whether your firewall is performing correctly and whether it sufficiently protects your network.
Multimedia: Don’t forget to check out the audio and video presentations, which include interviews and presentations by a list of contributors that reads like a virtual Who’s Who of network security.
www.gocsi.com
Computer Security Institute (CSI) is a membership organization that provides a number of security-related resources. The memberships and the resources that are for sale on this site are useful, but you’ll also find a lot of free information that makes this site well worth visiting.
CSI’s Web site at www.gocsi.com has a section of interest to anyone working with firewalls. At the Firewall Product Resource Center link, you will find the Firewall Search Center, which allows you to quickly compare the features of several firewall products. You can also access the archives, which contain useful documents, such as one that explains how to test a firewall and one on how not to build a firewall.
www.isaserver.org
If you use ISA Server, you’ll love the ISAserver.org site at www.isaserver.org. Even if you don’t use ISA Server, you may want to look at it to see an example of what an independently operated, product-specific Web site should look like. ISAserver.org is devoted to all things related to ISA Server, and the amount of information available and the links to resources make Microsoft’s own ISA Server site look terribly incomplete. This is the best
Where to start? This Web site has all information related to ISA Server that you can imagine, but here are the most useful ones:
Message boards: The message boards enable you to ask questions about ISA Server and have them answered by other participants, who include a number of ISA Server experts. You can also learn quite a bit by reading what others have posted.
Learning Zone: The Learning Zone contains a number of well-written tutorials that help you to configure several of ISA Server’s features that are not as intuitive as they could be. The tutorials are illustrated with ample screen shots.
ISAserver.org is a great site, but if you are using FireWall-1, it won’t help you much. Don’t despair. You can find a good third-party support site at www.phoneboy.com. Check here for the latest information about FireWall-1.
www.interhack.net/pubs/fwfaq
Newsgroups have been part of the Internet for many years. These are forums where people post questions and receive helpful responses from others. As more and more people ask the same questions, volunteers compile lists of the most frequently asked questions (FAQs) with the corresponding answers. This helps the regulars avoid having to answer the same questions over and over, thus getting cranky in the process. At the same time, a FAQ is a great
Chapter 20: Ten Web Sites to Visit
Much of the information in this FAQ forum is very basic, but it also contains some nuggets of excellent information, such as specific instructions on how to make particular protocols work through your firewall and descriptions of common attacks.
Firewall Lists
The last of our Top Ten resources is actually two separate links. By combining them, we can sneak in a bonus resource, and Top Ten sounds better than Top Eleven. Don’t you agree?
A lot of information on the Internet is exchanged in mailing lists where people post questions and answers or announce new discoveries. The field of firewalls is no exception. If you sign up for one of these lists, you will receive periodic e-mail with firewall news and you can send your own questions to fellow list members.
The Firewall Wizards mailing list is a low-volume, moderated list that is hosted by the TruSecure Corporation, the same people who run ICSA Labs (see the Web site discussed previously). For more information about the list and how to sign up for it, go to honor.trusecure.com/mailman/listinfo/firewall-wizards.
The Internet Software Consortium’s Firewalls mailing list covers all aspects of firewalls, with a special emphasis on open-source software. It has a high volume of messages, sometimes as many as 100 a day. If you don’t want your e-mail inbox to overflow, you can subscribe to a digest version. You can find more information about this list, instructions for signing up, and list archives at www.isc.org/services/public/lists/firewalls.html.
Appendix: Protocol Listings and More
In This Appendix
IP protocol numbers
ICMP type numbers
TCP and UDP port listing
Creating packet filters on a firewall requires knowledge about the different protocol numbers and port numbers used by the IP protocol suite. This appendix summarizes the IP protocol numbers, ICMP type numbers, and TCP and UDP port numbers needed to configure the firewall.
IP Protocol Numbers
Different protocols can run in a layer above the IP protocol. They each have a different IP Protocol Number. The best-known IP Protocol Numbers are TCP (6) and UDP (17). A selection of common IP protocols is shown in Table A-1. For a complete list, see www.iana.org/assignments/protocol-numbers.
IP Protocol   Name   Description
2             IGMP   Internet Group Management Protocol (multicast)
51            AH     Authentication Header (IPSec)
ICMP Type Numbers
ICMP messages are the housekeeping notices of the IP protocol. When a problem occurs with an IP packet being sent to its destination, an ICMP packet is returned to notify the sender of the problem. A selection of common ICMP type numbers is shown in Table A-2. For a complete list, see www.iana.org/assignments/icmp-parameters.
ICMP Type Name Comment
TCP and UDP Port Listing
The TCP and UDP protocols use a 16-bit number to indicate the port number. This means that possible port numbers range from 0 to 65535. The Internet Assigned Numbers Authority (IANA) maintains a list describing which port number is used by which application. It divides the port numbers into three ranges:
Well Known Ports (0–1023): These ports are assigned by the IANA.
Registered Ports (1024–49151): These ports are registered by the IANA merely as a convenience to the Internet community.
Dynamic or Private Ports (49152–65535): The ports in this range are not registered. Any application can use these ports.
In case you only have ten fingers and wonder why the division is at the seemingly random number 49152, it’s because this is the hexadecimal number C000.
Table A-3 contains a selection of the most common TCP and UDP ports, sorted by protocol name.
You’ll often see references to RFC1700 as the source for the definitive list of port numbers. However, that document contains a list of ports from October 1994 and will never be updated. If you are interested in the latest version of the complete list of (currently) more than 7900 port registrations, sorted by port number, go to www.iana.org/assignments/port-numbers. That port numbers list is updated frequently.
Suspicious entries in the firewall log files may be caused by Trojan horse applications. Some of these applications are included in the list below. Note that most of these malicious applications can be configured to use different ports, so don’t assume that they use the same port listed here.
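The port-range split and the protocol-number matching described above, as an added Python example that is not part of the book: a first-match stateless packet filter keyed by IP protocol number, ICMP type and destination port, with a deny-all default. The rule set and packets are constructed for the example; the ICMP protocol number (1) and the ICMP type numbers used are taken from the IANA registries rather than from this appendix.

```python
from dataclasses import dataclass
from typing import Optional

# IP protocol numbers named in the appendix; ICMP's number (1) comes from the
# IANA protocol-numbers registry rather than from this page.
IP_PROTO = {"ICMP": 1, "IGMP": 2, "TCP": 6, "UDP": 17, "AH": 51}

def port_range(port: int) -> str:
    """Classify a 16-bit TCP/UDP port into the three IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "well-known"
    if port < 0xC000:  # 49152 == 0xC000 starts the dynamic range
        return "registered"
    return "dynamic/private"

@dataclass(frozen=True)
class Packet:
    """Only the header fields a stateless filter looks at (constructed)."""
    proto: int
    dst_port: Optional[int] = None   # TCP/UDP only
    icmp_type: Optional[int] = None  # ICMP only

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: int
    dst_port: Optional[int] = None   # None matches any port
    icmp_type: Optional[int] = None  # None matches any ICMP type

    def matches(self, pkt: Packet) -> bool:
        if pkt.proto != self.proto:
            return False
        if self.dst_port is not None and pkt.dst_port != self.dst_port:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True

def filter_packet(rules, pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; unmatched traffic hits the deny-all default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set: web and DNS in, ICMP destination unreachable (type 3)
# in, everything else denied. A port alone is a weak signal: a Trojan can be
# reconfigured to listen on 80 as easily as on the port a table lists for it.
RULES = [
    Rule("allow", IP_PROTO["TCP"], dst_port=80),
    Rule("allow", IP_PROTO["UDP"], dst_port=53),
    Rule("allow", IP_PROTO["ICMP"], icmp_type=3),
]
```

Because the default action is "deny", a packet carrying a protocol the rules never mention (IGMP, AH) is dropped without any rule naming it.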
Table A-3 Port Numbers (Sorted by Name)
Port   TCP   UDP   Name (Sorted)
       x           Conference (H.323) call setup
1701   x           L2TP
17     x     x     Quote
• Symbols •
! option, iptables command, 243
• A •
-A command, iptables command, 238
ACCEPT target, iptables command, 239
access control, Check Point FireWall-1,
332–334
active caching, 85
Active Directory For Dummies
(Loughry), 302
Active Directory, ISA Server and, 302
Active Server Pages See ASP
ActiveX controls, downloading, 127
ad blocking, Norton Personal Firewall,
Advanced Application Protection Settings
dialog box, BlackICE, 279
Advanced Firewall Settings dialog box,
BlackICE, 279
AH (Authentication Header) protocol,
91–92, 152, 384 See also IPSec
encryption
Alert Tracker, Norton Personal Firewall,
290–291
alerts See also intrusion detection
Check Point FireWall-1, 335
Norton Personal Firewall, 286–291
Web site listing, 378
ZoneAlarm, 261–262, 265
Alerts & Logs panel, ZoneAlarm, 265
all-in-one tools, 21–22
allow-all strategy, 51–52, 53, 123
Angell, David (DSL For Dummies), 15
anti-hacking laws, 252, 274
antivirus programs, 106, 117, 336 See also viruses
AOL (America Online), instant messaging with, 133–134
APIPA (Automatic Private IP Addressing), 36
AppleTalk protocol, 24
application filtering, 299, 361
application gateway See application proxy
Application layer, TCP/IP
definition of, 27, 28
filtering on, 299, 361
protocols for, list of, 42–45
Application Protection layer, BlackICE, 274–275
application proxy
compared to packet filtering, 66
content filtering performed by, 76–79
definition of, 48, 65–68
Windows not supporting, 215
Archie, port number for, 385
ARPA See DARPA
ASP (Active Server Pages), downloading, 127
attachments, e-mail, 50, 105–106, 109, 258 See also downloading files
attack signatures, Norton Personal Firewall, 285
attacks See also intrusion detection
address scans, 80
back doors, 104
cost of, 11–12
denial-of-service (DoS), 59, 99–100, 120, 335
distributed denial-of-service (DDoS), 100, 102, 252
DNS zone transfer, 80
eavesdropping, 107–108
false alarms used to cover up, 109
Index
from inside the network, 50, 108
reasons for, 97–98, 250–253
responding to, 81–83
social engineering, 50, 109
spoofing, 37, 55, 59–60
stealing CPU cycles, 252
susceptibility to, as criteria for firewall selection, 359
Trojan horse programs, 50, 106
types of, 10, 119–120
viruses, 19, 50, 77–78, 105
worms, 99, 106, 109
.au domain, 30
auditing See logging; monitoring
Auth, port number for, 385
authentication See also passwords
Check Point FireWall-1, 333–334
Automatic Private IP Addressing See APIPA
• B •
back doors, attacks using, 104
Back Orifice, port numbers for, 385
bandwidth, 12–13
Baseline Security Analyzer (Microsoft), 372
Basic Firewall, Windows Server 2003, 232
bastion host, 174
Biff, port number for, 385
binary math, 33–34
birds, as transport system, 25
bit, 13
black hat hackers, 103
BlackICE personal firewall
Application Protection layer, 274–275
configuration, 275–279, 281–283
features of, 269–275
Firewall layer, 271–272
IDS layer, 271–272
installation, 279–280
intrusion detection, 271–274, 281
protection levels, 270–271
user interface, 275–279
Bloomquist, Evan (Linux For Dummies), 243
BO (Back Orifice) See Back Orifice
books See publications
Border Gateway Protocol See BGP
bots (robots), hackers using, 251
bps (bits per second), 13
break-ins See attacks
buffer overflow bug, 103
bugs, causing security vulnerabilities, 102–104
business firewall See departmental firewall; enterprise firewall
byte, 13
• C •
.ca domain, 30
cable modem, 15–16
caching See data caching
CarbonCopy, port number for, 385
CARP (Cache Array Routing Protocol), 86
carrier pigeons, as transport system, 25
CCITSE (Common Criteria for Information Technology Security Evaluation) certification, 359
CERT/CC Web site, 376–377
certification
CCITSE, 359
ICSA Labs, 358, 363, 379
chains, Linux, 236
Chargen, port number for, 385
Check Point FireWall-1
firewall object, defining, 350–351
group account, creating, 353
user account, creating, 352–353
Web site for, 381
CIDR (Classless Inter-Domain Routing), 36
clients, thin See thin clients
ClusterXL module, Check Point FireWall-1,
339
.com domain, 30
Common Criteria for Information
Technology Security Evaluation
certification See CCITSE certification
Compaq Insight Manager, port number
for, 385
computer See also attacks
attacker’s computer, disabling, 81
characteristics of, increasing likelihood of
attacks, 250–251
dual-homed, as firewall, 172–173
theft of, 100
Computer Emergency Response Team
Coordination Center Web site See
CERT/CC Web site
Computer Security Institute Web site See CSI Web site
Conference, port numbers for, 385–386
conferencing, configuring rules for, 135–136
configuration, firewall See also rules
BlackICE personal firewall, 275–279, 281–283
Check Point FireWall-1, 347–355
ISA Server, 317–326
Linux iptables, 234–235, 237–246
Norton Personal Firewall, 288–291, 293–294
ZoneAlarm personal firewall, 263–266, 268
configuration, network
for Check Point FireWall-1, 339–341
dual-homed firewall, 172, 176–177
for ISA Server, 326–329
multiple firewall DMZ, 197–198, 200–210
screened host, 173–174
three-pronged firewall DMZ, 180–181, 186–195
connection See Internet connection
connectionless protocol, 39
connection-oriented protocol, 39
content filtering
application proxy performing, 76–79
Check Point FireWall-1 support for, 335–336
configuring rules for, 77–79
content rating as criteria for, 167–168
date and time as criteria for, 168
definition of, 49, 72
strategies for, 166
types of content filtered, 165–166
content inspection, 166, 335–336
CPU cycles, stealing, 252
cracking passwords, 101
CSI (Computer Security Institute) Web site, 380–381
The Cuckoo’s Egg (Stoll), 83
CuSeeMe, port numbers for, 386
CyberCop Monitor (Network Associates), 372
CyberCop Scanner (Network Associates), 372
-d option, iptables command, 241
Dark Reign 2, port number for, 386
DARPA (Defense Advanced Research Projects Agency), 25
data
date, restricting Web access based on, 168
Daytime, port number for, 386
DDoS (distributed denial-of-service) attack,
100, 102, 252 See also DoS attack
.de domain, 30
Defense Advanced Research Projects Agency See DARPA
Demilitarized Zone See DMZ
denial-of-service attack See DDoS attack; DoS attack
deny-all strategy, 51–54, 123
departmental firewall, 20
destination address, in IP header, 38
destination NAT See DNAT
destination-port option, iptables command, 242
DHCP (Dynamic Host Configuration Protocol), 219, 227, 386
DHTML (Dynamic HyperText Markup Language), downloading, 127
dial-up connection See modem dial-up
connection
Digital Subscriber Line See DSL
DirectPlay, port number for, 386
Discard, port number for, 386
distributed caching, 85
distributed denial-of-service attack See
DDoS attack
328–329
configurations of, 180–182
definition of, 179–180
multi-pronged firewalls and, 195–196
packet filters for, with ISA Server, 323–326
DNAT (destination NAT), Linux, 237, 245–246
DNAT target, iptables command, 239
DNS (Domain Name System) protocol
configuring rules for, 127–131, 177
definition of, 43, 126–127
port numbers for, 386
DNS name See also URL
definition of, 29–32
investigation software for, 368–369
DNS round robin, 87
DNS server
forwarding queries to ISP, 128, 130–131
internal, 175–176
root hints used by, 128, 129
DNS zone transfer, 80
Domain Name System protocol See DNS
protocol
domains, of DNS name, 29–31 See also DNS protocol
Doom, port number for, 386
doorman See firewall
DoS (denial-of-service) attack, 59, 99–100,
120, 335 See also DDoS attack
dotted decimal format, for IP address, 29
downloading cache content, 85
downloading files See also FTP; viruses
e-mail attachments, 50, 105–106, 109, 258
policies regarding, 113, 116, 117
precautions regarding, 258
preventing, 165
downloading Web page content, 127, 165,
335 See also content filtering
downtime, cost of, 11–12
DROP target, iptables command, 239
DSL (Digital Subscriber Line), 14–15
DSL For Dummies (Angell), 15
dual-homed computer as firewall, 172–173
Dynamic Host Configuration Protocol See DHCP
Dynamic HyperText Markup Language See DHTML
dynamic IP address, 17
dynamic packet filtering, 61, 298, 323 See
also stateful packet filtering
ZoneAlarm features for, 265
E-mail Protection panel, ZoneAlarm,
265–266
employees See users
EmuMail, 146
Encapsulating Security Payload protocol
See ESP protocol
ESP (Encapsulating Security Payload) protocol, 91–92, 152, 383 See also IPSec encryption
Ethereal software, 373–374
Events tab, BlackICE, 276
! (exclamation point) option, iptables
File Transfer Protocol See FTP
filter table, Linux, 236
filtering See application filtering; content
filtering; packet filtering
Finger, port number for
See EFS
firewall See also configuration, firewall; enterprise firewall; personal firewall; rules; specific firewalls
bug history of, 362
certification of, 358, 359, 363, 379
choosing, 357–362
cost of, 362
definition of, 1, 9–10, 19
extensibility of, 361
features of, 19–20, 48–49, 254–257, 358–362
ISP providing, 171–172
licensing options for, 362
limitations of, 50–51, 109–110
mailing lists about, 382
multiple, load balancing between, 49, 72, 86–87, 301
product support for, 360
types of, 20–22
Windows features for, 214–216