Firewalls Internet: Foire aux questions\nDate: 2004/07/26 15:34:42\nRévision: 10.4 \nCe document disponible en Postscript.et PDF.
"},{"id":"text-2","type":"text","heading":"","plain_text":"1.1 À propos de la FAQ","html":"1.1 À propos de la FAQ
"},{"id":"text-3","type":"text","heading":"","plain_text":"Cette collection de questions fréquemment posées (FAQ) et de réponses a\nété compilé sur une période de plusieurs années, en voyant quelles questions les gens\nposer des questions sur les pare-feu dans des forums tels que Usenet, des listes de diffusion et Web\ndes sites. Si vous avez une question, regardez ici pour voir si c'est\nrépondu avant de poster votre question est bonne forme. Ne pas envoyer votre\nquestions sur les pare-feu aux responsables de la FAQ.\nLes responsables maintiennent les commentaires et les contributions sur le contenu de cette\nFAQ. Les commentaires relatifs à la FAQ doivent être adressés à\nfirewalls-faq@interhack.net.\nAvant de nous envoyer du courrier, assurez-vous de bien consulter les sections\n1.2 et 1.3 pour s'assurer que c'est\nle bon document à lire.","html":"Cette collection de questions fréquemment posées (FAQ) et de réponses a\nété compilé sur une période de plusieurs années, en voyant quelles questions les gens\nposer des questions sur les pare-feu dans des forums tels que Usenet, des listes de diffusion et Web\ndes sites. Si vous avez une question, regardez ici pour voir si c'est\nrépondu avant de poster votre question est bonne forme. Ne pas envoyer votre\nquestions sur les pare-feu aux responsables de la FAQ.\nLes responsables maintiennent les commentaires et les contributions sur le contenu de cette\nFAQ. Les commentaires relatifs à la FAQ doivent être adressés à\nfirewalls-faq@interhack.net.\nAvant de nous envoyer du courrier, assurez-vous de bien consulter les sections\n1.2 et 1.3 pour s'assurer que c'est\nle bon document à lire.
"},{"id":"text-4","type":"text","heading":"","plain_text":"1.2 Pour qui la FAQ est-elle écrite?","html":"1.2 Pour qui la FAQ est-elle écrite?
"},{"id":"text-5","type":"text","heading":"","plain_text":"Les pare-feu ont parcouru un long chemin depuis le début de cette FAQ.\nIls sont passés de systèmes hautement personnalisés administrés par\nleurs implémenteurs à un produit grand public. Les pare-feu ne sont plus\nuniquement entre les mains de ceux qui conçoivent et mettent en œuvre la sécurité\nsystèmes; même les utilisateurs finaux soucieux de la sécurité les ont chez eux.\nNous avons écrit cette FAQ pour les développeurs et les administrateurs de systèmes informatiques.\nNous avons essayé d’être assez inclusifs, en laissant de la place aux nouveaux venus,\nmais nous supposons toujours des connaissances techniques de base. Si vous trouvez ça\nvous ne comprenez pas ce document, mais pensez que vous devez savoir\nPour en savoir plus sur les pare-feu, il se peut que vous ayez réellement besoin de\nplus de fond dans les réseaux informatiques d'abord. Nous fournissons des références\nqui nous ont aidés; peut-être qu'ils vont aussi vous aider.\nNous nous concentrons principalement sur les pare-feu "réseau", mais sur les pare-feu "hôtes" ou "personnels"\n seront abordés le cas échéant.","html":"Les pare-feu ont parcouru un long chemin depuis le début de cette FAQ.\nIls sont passés de systèmes hautement personnalisés administrés par\nleurs implémenteurs à un produit grand public. Les pare-feu ne sont plus\nuniquement entre les mains de ceux qui conçoivent et mettent en œuvre la sécurité\nsystèmes; même les utilisateurs finaux soucieux de la sécurité les ont chez eux.\nNous avons écrit cette FAQ pour les développeurs et les administrateurs de systèmes informatiques.\nNous avons essayé d’être assez inclusifs, en laissant de la place aux nouveaux venus,\nmais nous supposons toujours des connaissances techniques de base. Si vous trouvez ça\nvous ne comprenez pas ce document, mais pensez que vous devez savoir\nPour en savoir plus sur les pare-feu, il se peut que vous ayez réellement besoin de\nplus de fond dans les réseaux informatiques d'abord. Nous fournissons des références\nqui nous ont aidés; peut-être qu'ils vont aussi vous aider.\nNous nous concentrons principalement sur les pare-feu "réseau", mais sur les pare-feu "hôtes" ou "personnels"\n seront abordés le cas échéant.
"},{"id":"text-6","type":"text","heading":"","plain_text":"1.3 Avant d'envoyer un courrier","html":"1.3 Avant d'envoyer un courrier
"},{"id":"text-7","type":"text","heading":"","plain_text":"Notez que cette collection de questions fréquemment posées est le résultat de\ninteragir avec beaucoup de gens de différents horizons dans un large\nvariété de forums publics. L'adresse firewalls-faq n'est pas une aide\n bureau. Si vous essayez d'utiliser une application qui dit que c'est\nne fonctionne pas à cause d'un pare-feu et vous pensez que vous devez\nsupprimez votre pare-feu, veuillez ne pas nous envoyer de courrier demandant comment.\nSi vous voulez savoir comment vous "débarrasser de votre pare-feu" parce que vous\nne pouvez pas utiliser certaines applications, ne nous envoyez pas de courrier demandant de l'aide. nous\nje ne peux pas t'aider. Vraiment.\nQui peut vous aider? Bonne question. Cela dépendra de quoi exactement\nle problème est, mais voici plusieurs indications. Si aucun de ces\nfonctionne, veuillez ne plus nous en demander. Nous ne savons pas","html":"Notez que cette collection de questions fréquemment posées est le résultat de\ninteragir avec beaucoup de gens de différents horizons dans un large\nvariété de forums publics. L'adresse firewalls-faq n'est pas une aide\n bureau. Si vous essayez d'utiliser une application qui dit que c'est\nne fonctionne pas à cause d'un pare-feu et vous pensez que vous devez\nsupprimez votre pare-feu, veuillez ne pas nous envoyer de courrier demandant comment.\nSi vous voulez savoir comment vous "débarrasser de votre pare-feu" parce que vous\nne pouvez pas utiliser certaines applications, ne nous envoyez pas de courrier demandant de l'aide. nous\nje ne peux pas t'aider. Vraiment.\nQui peut vous aider? Bonne question. Cela dépendra de quoi exactement\nle problème est, mais voici plusieurs indications. Si aucun de ces\nfonctionne, veuillez ne plus nous en demander. Nous ne savons pas
"},{"id":"text-8","type":"text","heading":"","plain_text":"Le fournisseur du logiciel que vous utilisez.","html":"Le fournisseur du logiciel que vous utilisez.
"},{"id":"text-9","type":"text","heading":"","plain_text":"Le fournisseur de l'appliance matérielle que vous utilisez.","html":"Le fournisseur de l'appliance matérielle que vous utilisez.
"},{"id":"text-10","type":"text","heading":"","plain_text":"Le fournisseur du service réseau que vous utilisez. C'est, si\n vous êtes sur AOL, demandez-leur. Si vous essayez d'utiliser quelque chose sur un\n réseau d'entreprise, consultez votre administrateur système.","html":"Le fournisseur du service réseau que vous utilisez. C'est, si\n vous êtes sur AOL, demandez-leur. Si vous essayez d'utiliser quelque chose sur un\n réseau d'entreprise, consultez votre administrateur système.
"},{"id":"text-11","type":"text","heading":"","plain_text":"1.4 Où puis-je trouver la version actuelle de la FAQ?","html":"1.4 Où puis-je trouver la version actuelle de la FAQ?
"},{"id":"text-12","type":"text","heading":"","plain_text":"La FAQ peut être trouvée sur le Web à\nIl est également posté mensuellement à \nLes versions publiées sont archivées à tous les endroits habituels. Malheureusement,\nla version publiée sur Usenet et archivée à partir de cette version n’a pas la\njolies images et hyperliens utiles trouvés dans la version Web.","html":"La FAQ peut être trouvée sur le Web à\nIl est également posté mensuellement à \nLes versions publiées sont archivées à tous les endroits habituels. Malheureusement,\nla version publiée sur Usenet et archivée à partir de cette version n’a pas la\njolies images et hyperliens utiles trouvés dans la version Web.
"},{"id":"text-13","type":"text","heading":"","plain_text":"1.5 Où puis-je trouver des versions non anglaises de la FAQ?","html":"1.5 Où puis-je trouver des versions non anglaises de la FAQ?
"},{"id":"text-14","type":"text","heading":"","plain_text":"Plusieurs traductions sont disponibles. (Si vous avez fait une traduction et\nce n'est pas dans la liste, écrivez-nous pour que nous puissions mettre à jour le maître\ndocument.)","html":"Plusieurs traductions sont disponibles. (Si vous avez fait une traduction et\nce n'est pas dans la liste, écrivez-nous pour que nous puissions mettre à jour le maître\ndocument.)
"},{"id":"text-15","type":"text","heading":"","plain_text":"norvégien\nTraduction de Jon Haugsand\nhttp://helmersol.nr.no/haandbok/doc/brannmur/brannmur-faq.html","html":"norvégien\nTraduction de Jon Haugsand\nhttp://helmersol.nr.no/haandbok/doc/brannmur/brannmur-faq.html
"},{"id":"text-16","type":"text","heading":"","plain_text":"1.6 Contributeurs","html":"1.6 Contributeurs
"},{"id":"text-17","type":"text","heading":"","plain_text":"Beaucoup de gens ont écrit des suggestions utiles et des commentaires réfléchis.\nNous sommes reconnaissants à tous les contributeurs. Nous aimerions remercier quelques-uns par leur nom:\nKeinanen Vesa, Allen Leibowitz, Brent Chapman, Brian Boyle, D. Clyde Williamson, Richard Reiner, Humberto Ortiz Zuazaga et Theodore Hope.","html":"Beaucoup de gens ont écrit des suggestions utiles et des commentaires réfléchis.\nNous sommes reconnaissants à tous les contributeurs. Nous aimerions remercier quelques-uns par leur nom:\nKeinanen Vesa, Allen Leibowitz, Brent Chapman, Brian Boyle, D. Clyde Williamson, Richard Reiner, Humberto Ortiz Zuazaga et Theodore Hope.
"},{"id":"text-18","type":"text","heading":"","plain_text":"1.7 Droits d'auteur et utilisation","html":"1.7 Droits d'auteur et utilisation
"},{"id":"text-19","type":"text","heading":"","plain_text":"Copyright © 1995-1996, 1998 Marcus J. Ranum.\nCopyright © 1998-2002 Matt Curtin.\nCopyright 2004, Paul D. Robertson. Tous les droits\nréservé. Ce document peut être utilisé, réimprimé et redistribué\ncomme si fournissant cet avis de droit d'auteur et toutes les attributions\nreste intact. Traductions du texte complet de l'original\nL'anglais dans d'autres langues est également explicitement autorisé. Traducteurs\npeuvent ajouter leurs noms à la section "contributeurs".\nAvant de pouvoir comprendre une discussion complète sur les pare-feu,\nil est important de comprendre les principes de base qui font des pare-feu\ntravail.","html":"Copyright © 1995-1996, 1998 Marcus J. Ranum.\nCopyright © 1998-2002 Matt Curtin.\nCopyright 2004, Paul D. Robertson. Tous les droits\nréservé. Ce document peut être utilisé, réimprimé et redistribué\ncomme si fournissant cet avis de droit d'auteur et toutes les attributions\nreste intact. Traductions du texte complet de l'original\nL'anglais dans d'autres langues est également explicitement autorisé. Traducteurs\npeuvent ajouter leurs noms à la section "contributeurs".\nAvant de pouvoir comprendre une discussion complète sur les pare-feu,\nil est important de comprendre les principes de base qui font des pare-feu\ntravail.
"},{"id":"text-20","type":"text","heading":"","plain_text":"2.1 Qu'est-ce qu'un pare-feu de réseau?","html":"2.1 Qu'est-ce qu'un pare-feu de réseau?
"},{"id":"text-21","type":"text","heading":"","plain_text":"Un pare-feu est un système ou un groupe de systèmes qui impose un accès\npolitique de contrôle entre deux réseaux ou plus. Le moyen réel par lequel\nceci est accompli varie beaucoup, mais en principe, le pare-feu peut\nêtre considéré comme une paire de mécanismes: celui qui existe pour bloquer\ntrafic, et l'autre qui existe pour permettre le trafic. Quelques pare-feu\nmettre davantage l'accent sur le blocage du trafic, tandis que d'autres mettent l'accent sur\npermettant le trafic. Probablement la chose la plus importante à reconnaître\nà propos d'un pare-feu est qu'il implémente une politique de contrôle d'accès. Si\nvous n'avez pas une bonne idée du type d'accès que vous souhaitez autoriser ou\nnier, un pare-feu ne vous aidera vraiment pas. Il est également important de\nreconnaître que la configuration du pare-feu, car il s'agit d'un mécanisme\npour l'application de la politique, impose sa politique sur tout ce qui est derrière elle.\nLes administrateurs de pare-feu qui gèrent la connectivité d’un grand\nnombre d'hôtes ont donc une lourde responsabilité.","html":"Un pare-feu est un système ou un groupe de systèmes qui impose un accès\npolitique de contrôle entre deux réseaux ou plus. Le moyen réel par lequel\nceci est accompli varie beaucoup, mais en principe, le pare-feu peut\nêtre considéré comme une paire de mécanismes: celui qui existe pour bloquer\ntrafic, et l'autre qui existe pour permettre le trafic. Quelques pare-feu\nmettre davantage l'accent sur le blocage du trafic, tandis que d'autres mettent l'accent sur\npermettant le trafic. Probablement la chose la plus importante à reconnaître\nà propos d'un pare-feu est qu'il implémente une politique de contrôle d'accès. Si\nvous n'avez pas une bonne idée du type d'accès que vous souhaitez autoriser ou\nnier, un pare-feu ne vous aidera vraiment pas. Il est également important de\nreconnaître que la configuration du pare-feu, car il s'agit d'un mécanisme\npour l'application de la politique, impose sa politique sur tout ce qui est derrière elle.\nLes administrateurs de pare-feu qui gèrent la connectivité d’un grand\nnombre d'hôtes ont donc une lourde responsabilité.
"},{"id":"text-22","type":"text","heading":"","plain_text":"2.2 Pourquoi voudrais-je un pare-feu?","html":"2.2 Pourquoi voudrais-je un pare-feu?
"},{"id":"text-23","type":"text","heading":"","plain_text":"Internet, comme toute autre société, est en proie au genre de\nsaccades qui aiment l’équivalent électronique d’écrire sur d’autres personnes\nmurs avec du spraypaint, en déchirant leurs boîtes aux lettres, ou tout simplement assis dans\nla rue soufflant leurs cornes de voiture. Certaines personnes essaient d'obtenir un vrai travail\nfait sur Internet, et d'autres ont des données sensibles ou propriétaires\nils doivent protéger. En général, le pare-feu a pour but de garder les saccades\nde votre réseau tout en vous laissant faire votre travail.\nBeaucoup de sociétés et de centres de données de style traditionnel ont des ordinateurs\npolitiques et pratiques de sécurité à suivre. Dans un cas où\nLes politiques d'une entreprise dictent la manière dont les données doivent être protégées, un pare-feu est\ntrès important car c’est l’incarnation de la politique de l’entreprise.\nSouvent, la partie la plus difficile de la connexion à Internet, si vous êtes un\ngrande entreprise, ne justifie pas la dépense ou l'effort, mais convaincante\ngestion qu'il est prudent de le faire. Un pare-feu fournit non seulement de véritables\nsécurité – il joue souvent un rôle important en tant que couverture de sécurité pour\nla gestion.\nEnfin, un pare-feu peut agir en tant qu’ambassadeur de votre entreprise auprès du\nL'Internet. De nombreuses entreprises utilisent leurs systèmes de pare-feu comme un lieu de travail.\nstocker des informations publiques sur les produits et services de l'entreprise, des fichiers\ntélécharger, corrections de bugs, etc. Plusieurs de ces systèmes ont\ndeviennent des éléments importants de la structure de service Internet (par exemple,\nUUnet.uu.net, whitehouse.gov, gatekeeper.dec.com)\net ont bien réfléchi sur leurs sponsors organisationnels. Notez que, si cela est historiquement vrai, la plupart des entreprises placent désormais des informations publiques sur un serveur Web, souvent protégées par un pare-feu, mais pas normalement sur le pare-feu lui-même.","html":"Internet, comme toute autre société, est en proie au genre de\nsaccades qui aiment l’équivalent électronique d’écrire sur d’autres personnes\nmurs avec du spraypaint, en déchirant leurs boîtes aux lettres, ou tout simplement assis dans\nla rue soufflant leurs cornes de voiture. Certaines personnes essaient d'obtenir un vrai travail\nfait sur Internet, et d'autres ont des données sensibles ou propriétaires\nils doivent protéger. En général, le pare-feu a pour but de garder les saccades\nde votre réseau tout en vous laissant faire votre travail.\nBeaucoup de sociétés et de centres de données de style traditionnel ont des ordinateurs\npolitiques et pratiques de sécurité à suivre. Dans un cas où\nLes politiques d'une entreprise dictent la manière dont les données doivent être protégées, un pare-feu est\ntrès important car c’est l’incarnation de la politique de l’entreprise.\nSouvent, la partie la plus difficile de la connexion à Internet, si vous êtes un\ngrande entreprise, ne justifie pas la dépense ou l'effort, mais convaincante\ngestion qu'il est prudent de le faire. Un pare-feu fournit non seulement de véritables\nsécurité – il joue souvent un rôle important en tant que couverture de sécurité pour\nla gestion.\nEnfin, un pare-feu peut agir en tant qu’ambassadeur de votre entreprise auprès du\nL'Internet. De nombreuses entreprises utilisent leurs systèmes de pare-feu comme un lieu de travail.\nstocker des informations publiques sur les produits et services de l'entreprise, des fichiers\ntélécharger, corrections de bugs, etc. Plusieurs de ces systèmes ont\ndeviennent des éléments importants de la structure de service Internet (par exemple,\nUUnet.uu.net, whitehouse.gov, gatekeeper.dec.com)\net ont bien réfléchi sur leurs sponsors organisationnels. Notez que, si cela est historiquement vrai, la plupart des entreprises placent désormais des informations publiques sur un serveur Web, souvent protégées par un pare-feu, mais pas normalement sur le pare-feu lui-même.
"},{"id":"text-24","type":"text","heading":"","plain_text":"2.3 Contre quoi un pare-feu peut-il être protégé?","html":"2.3 Contre quoi un pare-feu peut-il être protégé?
"},{"id":"text-25","type":"text","heading":"","plain_text":"Certains pare-feu ne permettent que le trafic de courrier électronique à travers eux,\nprotéger le réseau contre toute attaque autre que les attaques contre\nle service de messagerie. Les autres pare-feu fournissent des protections moins strictes,\net bloquer les services qui sont connus pour être des problèmes.\nEn général, les pare-feu sont configurés pour protéger contre les utilisateurs non authentifiés.\nconnexions interactives du monde "extérieur". Ceci, plus que\nempêche les vandales de se connecter aux machines de votre ordinateur.\nréseau. Des pare-feu plus élaborés bloquent le trafic de l'extérieur vers\nà l'intérieur, mais permettent aux utilisateurs de l'intérieur de communiquer librement avec\nl'extérieur. Le pare-feu peut vous protéger contre tout type de\nattaque par le réseau si vous le débranchez.\nLes pare-feu sont également importants car ils peuvent fournir un seul « starter\npoint '' où la sécurité et l'audit peuvent être imposés. Contrairement à une situation\noù un ordinateur est attaqué par une personne composant un numéro avec un\nmodem, le pare-feu peut agir comme un "contact téléphonique" et un traçage efficaces\noutil. Les pare-feu fournissent une fonction importante de journalisation et d’audit;\nsouvent, ils fournissent à l'administrateur des résumés sur les types et\nquantité de trafic traversé, combien de tentatives ont été faites pour\ncasser dedans, etc.\nPour cette raison, les journaux de pare-feu sont des données extrêmement importantes. Ils peuvent être utilisés comme preuves devant les tribunaux de la plupart des pays. Vous devez sauvegarder, analyser et protéger les journaux de votre pare-feu en conséquence.\nC'est un point important: à condition que ce "point d'étranglement" puisse servir\nle même but sur votre réseau comme une porte gardée peut pour votre site\nlocaux physiques. Cela signifie que chaque fois que vous avez un changement dans les "zones"\nou des niveaux de sensibilité, un tel point de contrôle est approprié. Une entreprise\na rarement seulement une porte extérieure et pas de réceptionniste ou de personnel de sécurité\nvérifier les badges en entrant. S'il y a des couches de sécurité sur\nvotre site, il est raisonnable d’attendre des couches de sécurité sur votre\nréseau.","html":"Certains pare-feu ne permettent que le trafic de courrier électronique à travers eux,\nprotéger le réseau contre toute attaque autre que les attaques contre\nle service de messagerie. Les autres pare-feu fournissent des protections moins strictes,\net bloquer les services qui sont connus pour être des problèmes.\nEn général, les pare-feu sont configurés pour protéger contre les utilisateurs non authentifiés.\nconnexions interactives du monde "extérieur". Ceci, plus que\nempêche les vandales de se connecter aux machines de votre ordinateur.\nréseau. Des pare-feu plus élaborés bloquent le trafic de l'extérieur vers\nà l'intérieur, mais permettent aux utilisateurs de l'intérieur de communiquer librement avec\nl'extérieur. Le pare-feu peut vous protéger contre tout type de\nattaque par le réseau si vous le débranchez.\nLes pare-feu sont également importants car ils peuvent fournir un seul « starter\npoint '' où la sécurité et l'audit peuvent être imposés. Contrairement à une situation\noù un ordinateur est attaqué par une personne composant un numéro avec un\nmodem, le pare-feu peut agir comme un "contact téléphonique" et un traçage efficaces\noutil. Les pare-feu fournissent une fonction importante de journalisation et d’audit;\nsouvent, ils fournissent à l'administrateur des résumés sur les types et\nquantité de trafic traversé, combien de tentatives ont été faites pour\ncasser dedans, etc.\nPour cette raison, les journaux de pare-feu sont des données extrêmement importantes. Ils peuvent être utilisés comme preuves devant les tribunaux de la plupart des pays. Vous devez sauvegarder, analyser et protéger les journaux de votre pare-feu en conséquence.\nC'est un point important: à condition que ce "point d'étranglement" puisse servir\nle même but sur votre réseau comme une porte gardée peut pour votre site\nlocaux physiques. Cela signifie que chaque fois que vous avez un changement dans les "zones"\nou des niveaux de sensibilité, un tel point de contrôle est approprié. Une entreprise\na rarement seulement une porte extérieure et pas de réceptionniste ou de personnel de sécurité\nvérifier les badges en entrant. S'il y a des couches de sécurité sur\nvotre site, il est raisonnable d’attendre des couches de sécurité sur votre\nréseau.
"},{"id":"text-26","type":"text","heading":"","plain_text":"2.4 Contre quoi un pare-feu ne peut-il pas être protégé?","html":"2.4 Contre quoi un pare-feu ne peut-il pas être protégé?
"},{"id":"text-27","type":"text","heading":"","plain_text":"Les pare-feu ne peuvent pas protéger contre les attaques qui ne passent pas par la\npare-feu. De nombreuses entreprises qui se connectent à Internet sont très\npréoccupé par les données propriétaires fuyant de la société à travers\ncette route. Malheureusement pour les personnes concernées, une bande magnétique,\nles disques compacts, DVD ou clés USB peuvent être utilisés avec autant d'efficacité\nexporter des données. De nombreuses organisations qui sont terrifiées (à un management\nniveau) des connexions Internet n’a pas de politique cohérente concernant la\nl'accès via des modems doit être protégé. C'est idiot de construire un six pieds\nporte en acier épais quand vous vivez dans une maison en bois, mais il y a beaucoup de\norganisations achètent là-bas des pare-feu coûteux et négligent la\nnombreuses autres portes arrière de leur réseau. Pour qu'un pare-feu fonctionne,\nil doit faire partie d'une sécurité organisationnelle globale cohérente\narchitecture. Les stratégies de pare-feu doivent être réalistes et refléter les\nniveau de sécurité sur l'ensemble du réseau. Par exemple, un site avec top\nles données secrètes ou classifiées n’ont pas du tout besoin de pare-feu: elles\nne devrait pas être connecté à Internet en premier lieu, ou le\nles systèmes avec les données vraiment secrètes doivent être isolés du reste\ndu réseau d'entreprise.\nLes traîtres sont une autre chose contre laquelle un pare-feu ne peut pas vraiment vous protéger\nou des idiots à l'intérieur de votre réseau. Alors qu’un espion industriel pourrait exporter\ninformations via votre pare-feu, il est tout aussi susceptible de l'exporter\nvia un téléphone, un télécopieur ou un disque compact. Les CD sont un\ndes moyens beaucoup plus susceptibles de fuite d'informations de votre organisation\nqu'un pare-feu. Les pare-feu ne peuvent pas non plus vous protéger contre la stupidité.\nLes utilisateurs qui révèlent des informations sensibles par téléphone sont bons\ncibles d'ingénierie sociale; un attaquant peut être en mesure de pénétrer dans\nvotre réseau en contournant complètement votre pare-feu, s’il peut trouver un\nemployé «utile» à l'intérieur qui peut être dupe en donnant accès à un\npool de modem. Avant de décider que ce n'est pas un problème dans votre\norganisation, demandez-vous combien de problèmes un entrepreneur a à obtenir\nconnecté au réseau ou combien de difficulté un utilisateur qui a oublié son\nmot de passe a le réinitialiser. Si les membres du service d’assistance croient\nque chaque appel est interne, vous avez un problème qui ne peut pas être résolu par\nresserrement des contrôles sur les pare-feu.\nLes pare-feu ne peuvent pas protéger contre la plupart des tunnels\nprotocoles d’application à des clients victimes de chevaux de Troie ou mal écrits. Là\nn'y a pas de balles magiques et un pare-feu n'est pas une excuse pour ne pas mettre en œuvre\ncontrôles logiciels sur les réseaux internes ou ignorer la sécurité de l'hôte sur\nles serveurs. Mise en tunnel des "mauvaises" choses via HTTP, SMTP et autres\nprotocoles est assez simple et trivialement démontré. La sécurité n'est pas\n«tire et oublie».\nEnfin, les pare-feu ne peuvent pas protéger contre les mauvaises choses qui leur sont permises.\nPar exemple, de nombreux chevaux de Troie utilisent le protocole IRC (Internet Relay Chat)\npermettre à un attaquant de contrôler un hôte interne compromis à partir d'un ordinateur public\nServeur IRC. Si vous autorisez un système interne à se connecter à un serveur externe\nvotre pare-feu ne fournira aucune protection contre ce vecteur de\nattaque.","html":"Les pare-feu ne peuvent pas protéger contre les attaques qui ne passent pas par la\npare-feu. De nombreuses entreprises qui se connectent à Internet sont très\npréoccupé par les données propriétaires fuyant de la société à travers\ncette route. Malheureusement pour les personnes concernées, une bande magnétique,\nles disques compacts, DVD ou clés USB peuvent être utilisés avec autant d'efficacité\nexporter des données. De nombreuses organisations qui sont terrifiées (à un management\nniveau) des connexions Internet n’a pas de politique cohérente concernant la\nl'accès via des modems doit être protégé. C'est idiot de construire un six pieds\nporte en acier épais quand vous vivez dans une maison en bois, mais il y a beaucoup de\norganisations achètent là-bas des pare-feu coûteux et négligent la\nnombreuses autres portes arrière de leur réseau. Pour qu'un pare-feu fonctionne,\nil doit faire partie d'une sécurité organisationnelle globale cohérente\narchitecture. Les stratégies de pare-feu doivent être réalistes et refléter les\nniveau de sécurité sur l'ensemble du réseau. Par exemple, un site avec top\nles données secrètes ou classifiées n’ont pas du tout besoin de pare-feu: elles\nne devrait pas être connecté à Internet en premier lieu, ou le\nles systèmes avec les données vraiment secrètes doivent être isolés du reste\ndu réseau d'entreprise.\nLes traîtres sont une autre chose contre laquelle un pare-feu ne peut pas vraiment vous protéger\nou des idiots à l'intérieur de votre réseau. Alors qu’un espion industriel pourrait exporter\ninformations via votre pare-feu, il est tout aussi susceptible de l'exporter\nvia un téléphone, un télécopieur ou un disque compact. Les CD sont un\ndes moyens beaucoup plus susceptibles de fuite d'informations de votre organisation\nqu'un pare-feu. Les pare-feu ne peuvent pas non plus vous protéger contre la stupidité.\nLes utilisateurs qui révèlent des informations sensibles par téléphone sont bons\ncibles d'ingénierie sociale; un attaquant peut être en mesure de pénétrer dans\nvotre réseau en contournant complètement votre pare-feu, s’il peut trouver un\nemployé «utile» à l'intérieur qui peut être dupe en donnant accès à un\npool de modem. Avant de décider que ce n'est pas un problème dans votre\norganisation, demandez-vous combien de problèmes un entrepreneur a à obtenir\nconnecté au réseau ou combien de difficulté un utilisateur qui a oublié son\nmot de passe a le réinitialiser. Si les membres du service d’assistance croient\nque chaque appel est interne, vous avez un problème qui ne peut pas être résolu par\nresserrement des contrôles sur les pare-feu.\nLes pare-feu ne peuvent pas protéger contre la plupart des tunnels\nprotocoles d’application à des clients victimes de chevaux de Troie ou mal écrits. Là\nn'y a pas de balles magiques et un pare-feu n'est pas une excuse pour ne pas mettre en œuvre\ncontrôles logiciels sur les réseaux internes ou ignorer la sécurité de l'hôte sur\nles serveurs. Mise en tunnel des "mauvaises" choses via HTTP, SMTP et autres\nprotocoles est assez simple et trivialement démontré. La sécurité n'est pas\n«tire et oublie».\nEnfin, les pare-feu ne peuvent pas protéger contre les mauvaises choses qui leur sont permises.\nPar exemple, de nombreux chevaux de Troie utilisent le protocole IRC (Internet Relay Chat)\npermettre à un attaquant de contrôler un hôte interne compromis à partir d'un ordinateur public\nServeur IRC. Si vous autorisez un système interne à se connecter à un serveur externe\nvotre pare-feu ne fournira aucune protection contre ce vecteur de\nattaque.
"},{"id":"text-28","type":"text","heading":"","plain_text":"2.5 Qu'en est-il des virus et autres logiciels malveillants?","html":"2.5 Qu'en est-il des virus et autres logiciels malveillants?
"},{"id":"text-29","type":"text","heading":"","plain_text":"Les pare-feu ne protègent pas très bien contre des virus ou des\nlogiciels malveillants (malware). Il y a trop de façons d'encoder\nfichiers binaires pour le transfert sur les réseaux, et trop nombreux\narchitectures et les virus pour essayer de les rechercher tous. En d'autre\nEn d’autres termes, un pare-feu ne peut pas remplacer la conscience de la sécurité.\nvos utilisateurs. En général, un pare-feu ne peut pas protéger contre un\nattaque basée sur les données – attaques dans lesquelles quelque chose est envoyé ou copié\nun hôte interne où il est ensuite exécuté. Cette forme d'attaque a\ndans le passé contre diverses versions de envoyer un mail,\nGhostscript, scripting des agents utilisateurs de messagerie comme\nPerspective, et les navigateurs Web comme Internet Explorer.\nLes organisations profondément préoccupées par les virus doivent mettre en œuvre\nmesures de contrôle des virus à l'échelle de l'organisation. Plutôt que d'essayer de filtrer\npare-feu, assurez-vous que tous les postes de travail vulnérables\nUn logiciel antivirus est exécuté au redémarrage de la machine.\nLa couverture de votre réseau avec un logiciel antivirus protégera\ncontre les virus provenant de disquettes, de CD, de modems et d’Internet.\nEssayer de bloquer les virus au niveau du pare-feu ne protégera que contre\nvirus provenant d'Internet. Analyse antivirus au niveau du pare-feu ou du courrier électronique\npasserelle va arrêter un grand nombre d'infections.\nNéanmoins, un nombre croissant de fournisseurs de pare-feu proposent\n"pare-feu". Ils ne sont probablement utiles que pour les naïfs\nutilisateurs échangeant des programmes exécutables Windows sur Intel et\ndocuments d'application malveillants compatibles avec les macros. Il y a beaucoup de\napproches basées sur un pare-feu pour traiter des problèmes tels que le\nLe ver «ILOVEYOU» et les attaques connexes, mais ce sont vraiment\napproches trop simplistes qui tentent de limiter les dommages de quelque chose\nc'est si stupide que cela n'aurait jamais dû se produire.\nNe comptez sur aucune protection contre des attaquants dotés de cette fonctionnalité.\n(Depuis que «ILOVEYOU» a fait le tour, nous avons vu au moins une demi-douzaine\nattaques similaires, notamment Melissa, Happy99, Code Red et Badtrans.B,\nqui ont tous été heureusement traversés par de nombreux virus détectant\npare-feu et passerelles de messagerie.)\nUn pare-feu puissant ne remplace jamais un logiciel sensible qui\nreconnaît la nature de ce qu'il manipule – des données non fiables provenant d'un\npartie non authentifiée – et se comporte de manière appropriée. Ne pense pas ça\nparce que "tout le monde" utilise cette messagerie ou parce que le vendeur est un\nsociété multinationale gargantuesque, vous êtes en sécurité. En fait, ce n'est pas vrai\nque "tout le monde" utilise n’importe quel courrier, et les entreprises spécialisées\nen transformant la technologie inventée ailleurs en quelque chose qui est « facile\nd'utiliser '' sans aucune expertise sont plus susceptibles de produire des logiciels\ncela peut être dupe. Un examen plus approfondi de ce sujet serait\ndigne d'intérêt [3], mais dépasse le cadre de ce document.","html":"Les pare-feu ne protègent pas très bien contre des virus ou des\nlogiciels malveillants (malware). Il y a trop de façons d'encoder\nfichiers binaires pour le transfert sur les réseaux, et trop nombreux\narchitectures et les virus pour essayer de les rechercher tous. En d'autre\nEn d’autres termes, un pare-feu ne peut pas remplacer la conscience de la sécurité.\nvos utilisateurs. En général, un pare-feu ne peut pas protéger contre un\nattaque basée sur les données – attaques dans lesquelles quelque chose est envoyé ou copié\nun hôte interne où il est ensuite exécuté. Cette forme d'attaque a\ndans le passé contre diverses versions de envoyer un mail,\nGhostscript, scripting des agents utilisateurs de messagerie comme\nPerspective, et les navigateurs Web comme Internet Explorer.\nLes organisations profondément préoccupées par les virus doivent mettre en œuvre\nmesures de contrôle des virus à l'échelle de l'organisation. Plutôt que d'essayer de filtrer\npare-feu, assurez-vous que tous les postes de travail vulnérables\nUn logiciel antivirus est exécuté au redémarrage de la machine.\nLa couverture de votre réseau avec un logiciel antivirus protégera\ncontre les virus provenant de disquettes, de CD, de modems et d’Internet.\nEssayer de bloquer les virus au niveau du pare-feu ne protégera que contre\nvirus provenant d'Internet. Analyse antivirus au niveau du pare-feu ou du courrier électronique\npasserelle va arrêter un grand nombre d'infections.\nNéanmoins, un nombre croissant de fournisseurs de pare-feu proposent\n"pare-feu". Ils ne sont probablement utiles que pour les naïfs\nutilisateurs échangeant des programmes exécutables Windows sur Intel et\ndocuments d'application malveillants compatibles avec les macros. Il y a beaucoup de\napproches basées sur un pare-feu pour traiter des problèmes tels que le\nLe ver «ILOVEYOU» et les attaques connexes, mais ce sont vraiment\napproches trop simplistes qui tentent de limiter les dommages de quelque chose\nc'est si stupide que cela n'aurait jamais dû se produire.\nNe comptez sur aucune protection contre des attaquants dotés de cette fonctionnalité.\n(Depuis que «ILOVEYOU» a fait le tour, nous avons vu au moins une demi-douzaine\nattaques similaires, notamment Melissa, Happy99, Code Red et Badtrans.B,\nqui ont tous été heureusement traversés par de nombreux virus détectant\npare-feu et passerelles de messagerie.)\nUn pare-feu puissant ne remplace jamais un logiciel sensible qui\nreconnaît la nature de ce qu'il manipule – des données non fiables provenant d'un\npartie non authentifiée – et se comporte de manière appropriée. Ne pense pas ça\nparce que "tout le monde" utilise cette messagerie ou parce que le vendeur est un\nsociété multinationale gargantuesque, vous êtes en sécurité. En fait, ce n'est pas vrai\nque "tout le monde" utilise n’importe quel courrier, et les entreprises spécialisées\nen transformant la technologie inventée ailleurs en quelque chose qui est « facile\nd'utiliser '' sans aucune expertise sont plus susceptibles de produire des logiciels\ncela peut être dupe. Un examen plus approfondi de ce sujet serait\ndigne d'intérêt [3], mais dépasse le cadre de ce document.
"},{"id":"text-30","type":"text","heading":"","plain_text":"2.6 IPSEC rendra-t-il les pare-feu obsolètes?","html":"2.6 IPSEC rendra-t-il les pare-feu obsolètes?
"},{"id":"text-31","type":"text","heading":"","plain_text":"Certains ont soutenu que c'était le cas. Avant de prononcer un tel\nprédiction générale, cependant, il est utile d'examiner ce que IPSEC\nest et ce qu'il fait. Une fois que nous le savons, nous pouvons examiner si IPSEC\nrésoudra les problèmes que nous essayons de résoudre avec des pare-feu.\nIPSEC (IP SECurity) fait référence à un ensemble de normes développées par le\nGroupe de travail d'ingénierie Internet (IETF). Il y a beaucoup de documents qui\ndéfinir collectivement ce qu'on appelle «IPSEC» [6]. IPSEC\nrésout deux problèmes qui ont affecté la suite de protocoles IP pour\nans: authentification d'hôte à hôte (qui permettra aux hôtes de savoir que\nils parlent aux hôtes qu’ils pensent être) et le cryptage\n(ce qui empêchera les attaquants de surveiller le trafic\naller entre les machines).\nNotez qu’aucun de ces problèmes n’est ce à quoi les pare-feu ont été créés pour\nrésoudre. Bien que les pare-feu puissent aider à atténuer certains des risques\nprésent sur Internet sans authentification ni cryptage, il existe des\nvraiment deux classes de problèmes ici: l'intégrité et la vie privée de la\nl'information circulant entre les hôtes et les limites imposées à quels types\nde connectivité est autorisée entre différents réseaux. IPSEC\ns'adresse à la première classe et pare-feu à la seconde.\nCela signifie que l'un n'éliminera pas le besoin de l'autre,\nmais cela crée des possibilités intéressantes quand on regarde\ncombinaison de pare-feu avec des hôtes compatibles IPSEC. À savoir, des choses telles que\nRéseaux privés virtuels (VPN) indépendants du vendeur, meilleur paquet\nfiltrage (en filtrant sur si les paquets ont le IPSEC\nd’authentification), et les pare-feu de la couche application pourront\nd'avoir de meilleurs moyens de vérification d'hôte en utilisant réellement l'IPSEC\nen-tête d'authentification au lieu de "simplement faire confiance" à l'adresse IP\nprésenté.","html":"Certains ont soutenu que c'était le cas. Avant de prononcer un tel\nprédiction générale, cependant, il est utile d'examiner ce que IPSEC\nest et ce qu'il fait. Une fois que nous le savons, nous pouvons examiner si IPSEC\nrésoudra les problèmes que nous essayons de résoudre avec des pare-feu.\nIPSEC (IP SECurity) fait référence à un ensemble de normes développées par le\nGroupe de travail d'ingénierie Internet (IETF). Il y a beaucoup de documents qui\ndéfinir collectivement ce qu'on appelle «IPSEC» [6]. IPSEC\nrésout deux problèmes qui ont affecté la suite de protocoles IP pour\nans: authentification d'hôte à hôte (qui permettra aux hôtes de savoir que\nils parlent aux hôtes qu’ils pensent être) et le cryptage\n(ce qui empêchera les attaquants de surveiller le trafic\naller entre les machines).\nNotez qu’aucun de ces problèmes n’est ce à quoi les pare-feu ont été créés pour\nrésoudre. Bien que les pare-feu puissent aider à atténuer certains des risques\nprésent sur Internet sans authentification ni cryptage, il existe des\nvraiment deux classes de problèmes ici: l'intégrité et la vie privée de la\nl'information circulant entre les hôtes et les limites imposées à quels types\nde connectivité est autorisée entre différents réseaux. IPSEC\ns'adresse à la première classe et pare-feu à la seconde.\nCela signifie que l'un n'éliminera pas le besoin de l'autre,\nmais cela crée des possibilités intéressantes quand on regarde\ncombinaison de pare-feu avec des hôtes compatibles IPSEC. À savoir, des choses telles que\nRéseaux privés virtuels (VPN) indépendants du vendeur, meilleur paquet\nfiltrage (en filtrant sur si les paquets ont le IPSEC\nd’authentification), et les pare-feu de la couche application pourront\nd'avoir de meilleurs moyens de vérification d'hôte en utilisant réellement l'IPSEC\nen-tête d'authentification au lieu de "simplement faire confiance" à l'adresse IP\nprésenté.
"},{"id":"text-32","type":"text","heading":"","plain_text":"2.7 Quelles sont les bonnes sources d'informations imprimées sur les pare-feu?","html":"2.7 Quelles sont les bonnes sources d'informations imprimées sur les pare-feu?
"},{"id":"text-33","type":"text","heading":"","plain_text":"Il existe plusieurs livres sur les pare-feu. Les plus connus sont:\nLes références associées sont:","html":"Il existe plusieurs livres sur les pare-feu. Les plus connus sont:\nLes références associées sont:
"},{"id":"text-34","type":"text","heading":"","plain_text":"Interconnexion de réseaux avec TCP / IP Vols I, II et III","html":"Interconnexion de réseaux avec TCP / IP Vols I, II et III
"},{"id":"text-35","type":"text","heading":"","plain_text":"Auteurs\nDouglas Comer et David Stevens","html":"Auteurs\nDouglas Comer et David Stevens
"},{"id":"text-36","type":"text","heading":"","plain_text":"Éditeur\nPrentice Hall","html":"Éditeur\nPrentice Hall
"},{"id":"text-37","type":"text","heading":"","plain_text":"Édition\n1991","html":"Édition\n1991
"},{"id":"text-38","type":"text","heading":"","plain_text":"ISBN\n0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2\n (III)","html":"ISBN\n0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2\n (III)
"},{"id":"text-39","type":"text","heading":"","plain_text":"Commentaire\nUne discussion détaillée sur l'architecture et\n mise en œuvre de l'Internet et de ses protocoles. Volume I (sur\n principes, protocoles et architecture) est lisible par tous.\n Le volume 2 (sur la conception, la mise en œuvre et les internes) est plus\n technique. Le volume 3 couvre l’informatique client-serveur.","html":"Commentaire\nUne discussion détaillée sur l'architecture et\n mise en œuvre de l'Internet et de ses protocoles. Volume I (sur\n principes, protocoles et architecture) est lisible par tous.\n Le volume 2 (sur la conception, la mise en œuvre et les internes) est plus\n technique. Le volume 3 couvre l’informatique client-serveur.
"},{"id":"text-40","type":"text","heading":"","plain_text":"Unix System Security – Un guide pour les utilisateurs et\n Administrateurs système","html":"Unix System Security – Un guide pour les utilisateurs et\n Administrateurs système
"},{"id":"text-41","type":"text","heading":"","plain_text":"Auteur\nDavid Curry","html":"Auteur\nDavid Curry
"},{"id":"text-42","type":"text","heading":"","plain_text":"Éditeur\nAddison Wesley","html":"Éditeur\nAddison Wesley
"},{"id":"text-43","type":"text","heading":"","plain_text":"Édition\n1992","html":"Édition\n1992
"},{"id":"text-44","type":"text","heading":"","plain_text":"ISBN\n0-201-56327-4","html":"ISBN\n0-201-56327-4
"},{"id":"text-45","type":"text","heading":"","plain_text":"2.8 Où puis-je obtenir plus d'informations sur les pare-feu sur le\n L'Internet?","html":"2.8 Où puis-je obtenir plus d'informations sur les pare-feu sur le\n L'Internet?
"},{"id":"text-46","type":"text","heading":"","plain_text":"Manuel de sécurité du site\nhttp://www.rfc-editor.org/rfc/rfc2196.txt\nLe site Security Handbook est un document d’information de l’IETF qui\n décrit les questions fondamentales à prendre en compte pour bien construire\n sécurité du site. Les pare-feu font partie d'une plus grande sécurité\n stratégie, comme le montre le manuel sur la sécurité du site.","html":"Manuel de sécurité du site\nhttp://www.rfc-editor.org/rfc/rfc2196.txt\nLe site Security Handbook est un document d’information de l’IETF qui\n décrit les questions fondamentales à prendre en compte pour bien construire\n sécurité du site. Les pare-feu font partie d'une plus grande sécurité\n stratégie, comme le montre le manuel sur la sécurité du site.
"},{"id":"text-47","type":"text","heading":"","plain_text":"Liste de diffusion Firewalls\nhttp://www.isc.org/index.pl?/ops/lists/firewalls/\nLa liste de diffusion des pare-feu Internet est un forum pour pare-feu\n administrateurs et implémenteurs.","html":"Liste de diffusion Firewalls\nhttp://www.isc.org/index.pl?/ops/lists/firewalls/\nLa liste de diffusion des pare-feu Internet est un forum pour pare-feu\n administrateurs et implémenteurs.
"},{"id":"text-48","type":"text","heading":"","plain_text":"Liste de diffusion des assistants pare-feu\nhttp://honor.icsalabs.com/mailman/listinfo/firewall-wizards\nLa liste de diffusion des assistants de pare-feu est un pare-feu modéré et\n liste liée à la sécurité qui ressemble plus à un journal qu'un public\n caisse à savon.","html":"Liste de diffusion des assistants pare-feu\nhttp://honor.icsalabs.com/mailman/listinfo/firewall-wizards\nLa liste de diffusion des assistants de pare-feu est un pare-feu modéré et\n liste liée à la sécurité qui ressemble plus à un journal qu'un public\n caisse à savon.
"},{"id":"text-49","type":"text","heading":"","plain_text":"Pare-feu\nhttp://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html\nDécrit exactement ce qui est nécessaire pour construire un pare-feu, en particulier\n en utilisant Linux.","html":"Pare-feu\nhttp://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html\nDécrit exactement ce qui est nécessaire pour construire un pare-feu, en particulier\n en utilisant Linux.
"},{"id":"text-50","type":"text","heading":"","plain_text":"Firewall Toolkit (FWTK) et papiers de pare-feu\nftp://ftp.tis.com/pub/firewalls/","html":"Firewall Toolkit (FWTK) et papiers de pare-feu\nftp://ftp.tis.com/pub/firewalls/
"},{"id":"text-51","type":"text","heading":"","plain_text":"Les publications de Marcus Ranum sur le pare-feu\nhttp://www.ranum.com/pubs/","html":"Les publications de Marcus Ranum sur le pare-feu\nhttp://www.ranum.com/pubs/
"},{"id":"text-52","type":"text","heading":"","plain_text":"Outils de sécurité de l'Université Texas A & M\nhttp://www.net.tamu.edu/ftp/security/TAMU/","html":"Outils de sécurité de l'Université Texas A & M\nhttp://www.net.tamu.edu/ftp/security/TAMU/
"},{"id":"text-53","type":"text","heading":"","plain_text":"COAST Project Internet Firewalls page\nhttp://www.cerias.purdue.edu/coast/firewalls/","html":"COAST Project Internet Firewalls page\nhttp://www.cerias.purdue.edu/coast/firewalls/
"},{"id":"text-54","type":"text","heading":"","plain_text":"3.1 Quelles sont les décisions de conception de base dans un pare-feu?","html":"3.1 Quelles sont les décisions de conception de base dans un pare-feu?
"},{"id":"text-55","type":"text","heading":"","plain_text":"Un certain nombre de problèmes de conception de base doivent être résolus par\nla personne chanceuse qui a été chargé de la responsabilité de\nconcevoir, spécifier et mettre en œuvre ou superviser l'installation\nd'un pare-feu.\nLa première et la plus importante décision reflète la politique de votre\nentreprise ou organisation veut faire fonctionner le système: est le pare-feu\nen place explicitement pour refuser tous les services, sauf ceux essentiels à la\nmission de connexion au Net, ou le pare-feu est-il en place pour\nfournir une méthode mesurée et vérifiée d’accès «en file d’attente» dans un\nmanière non menaçante? Il y a des degrés de paranoïa entre ces\nles positions; la position finale de votre pare-feu pourrait être plus le résultat\nd'une décision politique qu'une décision d'ingénierie.\nLa seconde est: quel niveau de contrôle, de redondance et de contrôle font\ntu veux? Après avoir établi le niveau de risque acceptable (c.-à-d. Comment\nparanoïaque vous êtes) en résolvant le premier problème, vous pouvez former un\nliste de contrôle de ce qui devrait être surveillé, autorisé et refusé. Dans\nEn d’autres termes, vous commencez par définir vos objectifs généraux et\npuis combinez une analyse des besoins avec une évaluation des risques et triez les\npresque toujours des exigences contradictoires dans une liste de blanchisserie\nspécifie ce que vous prévoyez de mettre en œuvre.\nLe troisième problème est financier. Nous ne pouvons pas aborder celui-ci ici dans\ntout sauf des termes vagues, mais il est important d'essayer de quantifier toute\nsolutions proposées en termes de combien il en coûtera pour acheter ou\nimplémenter. Par exemple, un pare-feu complet peut coûter\nentre 100 000 $ dans le haut de gamme et gratuit dans le bas de gamme. La libre\noption, possibilité de configuration sur un routeur Cisco ou similaire\nne coûtera que du temps de personnel et quelques tasses de café.\nL'implémentation d'un pare-feu haut de gamme à partir de zéro peut coûter plusieurs\nmois-hommes, ce qui peut représenter 30 000 dollars de salaire du personnel et\navantages. Les frais généraux de gestion des systèmes sont également à prendre en compte.\nConstruire une bière maison, c'est bien, mais il est important de la construire pour que\nil ne nécessite pas d'attention constante (et coûteuse). C'est important,\nen d'autres termes, pour évaluer les pare-feu non seulement en termes de ce qu'ils\nCoût maintenant, mais coûts continus tels que le support.\nSur le plan technique, il y a quelques décisions à prendre, basées sur\nsur le fait que, à toutes fins utiles, ce dont nous parlons\nest un service de routage de trafic statique placé entre le service réseau\nle routeur du fournisseur et votre réseau interne. Le routage du trafic\nservice peut être mis en œuvre à un niveau IP via quelque chose comme filtrage\nrègles dans un routeur ou au niveau de l'application via des passerelles de proxy et\nprestations de service.\nLa décision à prendre est de savoir s'il faut placer un objet exposé dépouillé\nmachine sur le réseau extérieur pour exécuter des services proxy pour telnet, FTP,\nnouvelles, etc., ou s'il faut configurer un routeur de filtrage en tant que filtre,\npermettant la communication avec une ou plusieurs machines internes. Il y a\navantages et inconvénients des deux approches, avec la machine proxy\nfournissant un plus haut niveau d'audit et, potentiellement, de sécurité en retour\naugmentation des coûts de configuration et diminution du niveau de\nservice qui peut être fourni (puisqu’un proxy doit être développé pour\nchaque service souhaité). Le vieux compromis entre facilité d’utilisation et\nla sécurité revient nous hanter avec vengeance.","html":"Un certain nombre de problèmes de conception de base doivent être résolus par\nla personne chanceuse qui a été chargé de la responsabilité de\nconcevoir, spécifier et mettre en œuvre ou superviser l'installation\nd'un pare-feu.\nLa première et la plus importante décision reflète la politique de votre\nentreprise ou organisation veut faire fonctionner le système: est le pare-feu\nen place explicitement pour refuser tous les services, sauf ceux essentiels à la\nmission de connexion au Net, ou le pare-feu est-il en place pour\nfournir une méthode mesurée et vérifiée d’accès «en file d’attente» dans un\nmanière non menaçante? Il y a des degrés de paranoïa entre ces\nles positions; la position finale de votre pare-feu pourrait être plus le résultat\nd'une décision politique qu'une décision d'ingénierie.\nLa seconde est: quel niveau de contrôle, de redondance et de contrôle font\ntu veux? Après avoir établi le niveau de risque acceptable (c.-à-d. Comment\nparanoïaque vous êtes) en résolvant le premier problème, vous pouvez former un\nliste de contrôle de ce qui devrait être surveillé, autorisé et refusé. Dans\nEn d’autres termes, vous commencez par définir vos objectifs généraux et\npuis combinez une analyse des besoins avec une évaluation des risques et triez les\npresque toujours des exigences contradictoires dans une liste de blanchisserie\nspécifie ce que vous prévoyez de mettre en œuvre.\nLe troisième problème est financier. Nous ne pouvons pas aborder celui-ci ici dans\ntout sauf des termes vagues, mais il est important d'essayer de quantifier toute\nsolutions proposées en termes de combien il en coûtera pour acheter ou\nimplémenter. Par exemple, un pare-feu complet peut coûter\nentre 100 000 $ dans le haut de gamme et gratuit dans le bas de gamme. La libre\noption, possibilité de configuration sur un routeur Cisco ou similaire\nne coûtera que du temps de personnel et quelques tasses de café.\nL'implémentation d'un pare-feu haut de gamme à partir de zéro peut coûter plusieurs\nmois-hommes, ce qui peut représenter 30 000 dollars de salaire du personnel et\navantages. Les frais généraux de gestion des systèmes sont également à prendre en compte.\nConstruire une bière maison, c'est bien, mais il est important de la construire pour que\nil ne nécessite pas d'attention constante (et coûteuse). C'est important,\nen d'autres termes, pour évaluer les pare-feu non seulement en termes de ce qu'ils\nCoût maintenant, mais coûts continus tels que le support.\nSur le plan technique, il y a quelques décisions à prendre, basées sur\nsur le fait que, à toutes fins utiles, ce dont nous parlons\nest un service de routage de trafic statique placé entre le service réseau\nle routeur du fournisseur et votre réseau interne. Le routage du trafic\nservice peut être mis en œuvre à un niveau IP via quelque chose comme filtrage\nrègles dans un routeur ou au niveau de l'application via des passerelles de proxy et\nprestations de service.\nLa décision à prendre est de savoir s'il faut placer un objet exposé dépouillé\nmachine sur le réseau extérieur pour exécuter des services proxy pour telnet, FTP,\nnouvelles, etc., ou s'il faut configurer un routeur de filtrage en tant que filtre,\npermettant la communication avec une ou plusieurs machines internes. Il y a\navantages et inconvénients des deux approches, avec la machine proxy\nfournissant un plus haut niveau d'audit et, potentiellement, de sécurité en retour\naugmentation des coûts de configuration et diminution du niveau de\nservice qui peut être fourni (puisqu’un proxy doit être développé pour\nchaque service souhaité). Le vieux compromis entre facilité d’utilisation et\nla sécurité revient nous hanter avec vengeance.
"},{"id":"text-56","type":"text","heading":"","plain_text":"3.2 Quels sont les types de base de pare-feu?","html":"3.2 Quels sont les types de base de pare-feu?
"},{"id":"text-57","type":"text","heading":"","plain_text":"Conceptuellement, il existe trois types de pare-feu:","html":"Conceptuellement, il existe trois types de pare-feu:
"},{"id":"text-58","type":"text","heading":"","plain_text":"Couche réseau","html":"Couche réseau
"},{"id":"text-59","type":"text","heading":"","plain_text":"Couche d'application","html":"Couche d'application
"},{"id":"text-60","type":"text","heading":"","plain_text":"Hybrides","html":"Hybrides
"},{"id":"text-61","type":"text","heading":"","plain_text":"Ils ne sont pas aussi différents qu'on pourrait le penser, et les dernières technologies\nestompent la distinction au point où il n'est plus clair\nsi l'un ou l'autre est «meilleur» ou «pire». Comme toujours, vous devez être\nveillez à choisir le type qui répond à vos besoins.\nQui dépend des mécanismes que le pare-feu utilise pour passer\nle trafic d'une zone de sécurité à une autre. L'international\nModèle OSI (Open Systems Interconnect) d’organisation de normalisation (ISO) pour\nla mise en réseau définit sept couches, chaque couche fournissant des services\nque les couches "de niveau supérieur" dépendent. Dans l'ordre du bas,\nces couches sont physiques, liaison de données, réseau, transport, session,\nprésentation, application.\nLa chose importante à reconnaître est que le niveau inférieur de la\nmécanisme de transmission, moins le pare-feu peut être examiné.\nDe manière générale, les pare-feu de bas niveau sont plus rapides, mais plus faciles.\ntromper en faisant la mauvaise chose.\nDe nos jours, la plupart des pare-feu entrent dans la catégorie «hybride», ce qui\nle filtrage de réseau ainsi qu'une certaine quantité d'inspection d'application.\nLe montant change en fonction du fournisseur, du produit, du protocole et de la version,\ndonc un certain niveau de creuser et / ou de tester est souvent nécessaire.","html":"Ils ne sont pas aussi différents qu'on pourrait le penser, et les dernières technologies\nestompent la distinction au point où il n'est plus clair\nsi l'un ou l'autre est «meilleur» ou «pire». Comme toujours, vous devez être\nveillez à choisir le type qui répond à vos besoins.\nQui dépend des mécanismes que le pare-feu utilise pour passer\nle trafic d'une zone de sécurité à une autre. L'international\nModèle OSI (Open Systems Interconnect) d’organisation de normalisation (ISO) pour\nla mise en réseau définit sept couches, chaque couche fournissant des services\nque les couches "de niveau supérieur" dépendent. Dans l'ordre du bas,\nces couches sont physiques, liaison de données, réseau, transport, session,\nprésentation, application.\nLa chose importante à reconnaître est que le niveau inférieur de la\nmécanisme de transmission, moins le pare-feu peut être examiné.\nDe manière générale, les pare-feu de bas niveau sont plus rapides, mais plus faciles.\ntromper en faisant la mauvaise chose.\nDe nos jours, la plupart des pare-feu entrent dans la catégorie «hybride», ce qui\nle filtrage de réseau ainsi qu'une certaine quantité d'inspection d'application.\nLe montant change en fonction du fournisseur, du produit, du protocole et de la version,\ndonc un certain niveau de creuser et / ou de tester est souvent nécessaire.
"},{"id":"text-62","type":"text","heading":"","plain_text":"3.2.1 Pare-feu de couche réseau","html":"3.2.1 Pare-feu de couche réseau
"},{"id":"text-63","type":"text","heading":"","plain_text":"Ceux-ci prennent généralement leurs décisions en fonction de la source, de la destination\nadresses et ports (voir l’annexe 6 pour une description plus détaillée\ndiscussion sur les ports) dans des paquets IP individuels. Un simple routeur est le\nPare-feu de couche réseau « traditionnel '', car il n'est pas capable de faire\ndécisions particulièrement sophistiquées sur ce qu'un paquet est en réalité\nparler à ou d'où il vient réellement. Couche réseau moderne\nles pare-feu sont devenus de plus en plus sophistiqués, et maintenant maintenant\ninformations internes sur l'état des connexions passant par\neux, le contenu de certains flux de données, etc. Une chose\nc'est une distinction importante sur de nombreux pare-feu de couche réseau est\nqu'ils acheminent le trafic directement par eux, alors utilisez-en un\nbesoin d’avoir un bloc d’adresses IP valablement attribué ou d’utiliser un « privé\nbloc d'adresse internet [5]. Les pare-feu de la couche réseau ont tendance\nêtre très rapide et ont tendance à être très transparent pour les utilisateurs.","html":"Ceux-ci prennent généralement leurs décisions en fonction de la source, de la destination\nadresses et ports (voir l’annexe 6 pour une description plus détaillée\ndiscussion sur les ports) dans des paquets IP individuels. Un simple routeur est le\nPare-feu de couche réseau « traditionnel '', car il n'est pas capable de faire\ndécisions particulièrement sophistiquées sur ce qu'un paquet est en réalité\nparler à ou d'où il vient réellement. Couche réseau moderne\nles pare-feu sont devenus de plus en plus sophistiqués, et maintenant maintenant\ninformations internes sur l'état des connexions passant par\neux, le contenu de certains flux de données, etc. Une chose\nc'est une distinction importante sur de nombreux pare-feu de couche réseau est\nqu'ils acheminent le trafic directement par eux, alors utilisez-en un\nbesoin d’avoir un bloc d’adresses IP valablement attribué ou d’utiliser un « privé\nbloc d'adresse internet [5]. Les pare-feu de la couche réseau ont tendance\nêtre très rapide et ont tendance à être très transparent pour les utilisateurs.
"},{"id":"text-64","type":"text","heading":"","plain_text":"Figure 1:\nPare-feu hôte filtré","html":"Figure 1:\nPare-feu hôte filtré
"},{"id":"text-65","type":"text","heading":"","plain_text":"Dans la figure 1, un pare-feu de couche réseau appelé\nun "pare-feu hôte filtré" est représenté. Dans un hôte filtré\npare-feu, l’accès vers et depuis un hôte unique est contrôlé au moyen d’un\nrouteur fonctionnant sur une couche réseau. L'hôte unique est un bastion\nhôte; un point fort hautement défendu et sécurisé qui (espérons-le) peut\nrésister à l'attaque.","html":"Dans la figure 1, un pare-feu de couche réseau appelé\nun "pare-feu hôte filtré" est représenté. Dans un hôte filtré\npare-feu, l’accès vers et depuis un hôte unique est contrôlé au moyen d’un\nrouteur fonctionnant sur une couche réseau. L'hôte unique est un bastion\nhôte; un point fort hautement défendu et sécurisé qui (espérons-le) peut\nrésister à l'attaque.
"},{"id":"text-66","type":"text","heading":"","plain_text":"Figure 2:\nPare-feu de sous-réseau filtré","html":"Figure 2:\nPare-feu de sous-réseau filtré
"},{"id":"text-67","type":"text","heading":"","plain_text":"Exemple de pare-feu de couche réseau: Dans\nFigure 2, un pare-feu de couche réseau appelé\n«pare-feu de sous-réseau filtré» est représenté. Dans un sous-réseau filtré\npare-feu, l'accès à et depuis tout un réseau est contrôlé au moyen de\nun routeur fonctionnant sur une couche réseau. C'est semblable à un projeté\nhôte, sauf qu’il s’agit effectivement d’un réseau d’hôtes filtrés.","html":"Exemple de pare-feu de couche réseau: Dans\nFigure 2, un pare-feu de couche réseau appelé\n«pare-feu de sous-réseau filtré» est représenté. Dans un sous-réseau filtré\npare-feu, l'accès à et depuis tout un réseau est contrôlé au moyen de\nun routeur fonctionnant sur une couche réseau. C'est semblable à un projeté\nhôte, sauf qu’il s’agit effectivement d’un réseau d’hôtes filtrés.
"},{"id":"text-68","type":"text","heading":"","plain_text":"3.2.2 Pare-feu de la couche d'application","html":"3.2.2 Pare-feu de la couche d'application
"},{"id":"text-69","type":"text","heading":"","plain_text":"Ce sont généralement des hôtes exécutant des serveurs proxy, qui ne permettent aucune\nle trafic directement entre les réseaux et qui effectuent une journalisation élaborée\net audit du trafic qui les traverse. Depuis le proxy\nles applications sont des composants logiciels fonctionnant sur le pare-feu, c’est un\nbon endroit pour faire beaucoup de journalisation et de contrôle d'accès. Application\nLes pare-feu de couche peuvent être utilisés en tant que traducteurs d'adresses réseau, car\nle trafic va dans un côté et sort de l'autre, après avoir passé\nà travers une application qui masque efficacement l’origine du\nétablir la connexion. Avoir une application dans le chemin dans certains cas\npeut avoir un impact sur les performances et rendre le pare-feu moins transparent.\nLes premiers pare-feu de la couche d’application, tels que ceux construits avec TIS\npare-feu, ne sont pas particulièrement transparents pour les utilisateurs finaux et\npeut nécessiter une formation. Les pare-feu modernes de la couche d’application sont\nsouvent totalement transparent. Les pare-feu de couche d’application ont tendance à fournir\ndes rapports d’audit plus détaillés et ont tendance à imposer des mesures plus conservatrices.\nmodèles de sécurité que les pare-feu de couche réseau.","html":"Ce sont généralement des hôtes exécutant des serveurs proxy, qui ne permettent aucune\nle trafic directement entre les réseaux et qui effectuent une journalisation élaborée\net audit du trafic qui les traverse. Depuis le proxy\nles applications sont des composants logiciels fonctionnant sur le pare-feu, c’est un\nbon endroit pour faire beaucoup de journalisation et de contrôle d'accès. Application\nLes pare-feu de couche peuvent être utilisés en tant que traducteurs d'adresses réseau, car\nle trafic va dans un côté et sort de l'autre, après avoir passé\nà travers une application qui masque efficacement l’origine du\nétablir la connexion. Avoir une application dans le chemin dans certains cas\npeut avoir un impact sur les performances et rendre le pare-feu moins transparent.\nLes premiers pare-feu de la couche d’application, tels que ceux construits avec TIS\npare-feu, ne sont pas particulièrement transparents pour les utilisateurs finaux et\npeut nécessiter une formation. Les pare-feu modernes de la couche d’application sont\nsouvent totalement transparent. Les pare-feu de couche d’application ont tendance à fournir\ndes rapports d’audit plus détaillés et ont tendance à imposer des mesures plus conservatrices.\nmodèles de sécurité que les pare-feu de couche réseau.
"},{"id":"text-70","type":"text","heading":"","plain_text":"Figure 3:\nPasserelle à double hébergement","html":"Figure 3:\nPasserelle à double hébergement
"},{"id":"text-71","type":"text","heading":"","plain_text":"Exemple de pare-feu de couche d'application: Dans\nFigure 3, un pare-feu de couche d'application\nappelé une «passerelle à double hébergement» est représenté. Une double passerelle\nest un hôte hautement sécurisé qui exécute un logiciel proxy. Il a deux réseau\ninterfaces, une sur chaque réseau, et bloque tout le trafic passant\nà travers.\nLa plupart des pare-feu se situent maintenant quelque part entre les pare-feu de couche réseau et\npare-feu de couche d'application. Comme prévu, les pare-feu de la couche réseau\nsont de plus en plus "au courant" de l'information qui passe par\nles pare-feu de la couche d’application sont de plus en plus «faibles»\nniveau '' et transparent. Le résultat final est que maintenant il y a rapide\nsystèmes de filtrage de paquets enregistrant et vérifiant les données au fur et à mesure de leur passage\nle système. De plus en plus de pare-feu (couche réseau et application)\nincorporer un cryptage afin de protéger le trafic transitant\nentre eux sur Internet. Pare-feux avec cryptage de bout en bout\npeut être utilisé par des organisations disposant de plusieurs points Internet\nconnectivité pour utiliser Internet en tant que « backbone privé '' sans\nse soucier de leurs données ou mots de passe étant reniflés. (IPSEC,\ndécrit à la section 2.6, joue un rôle de plus en plus\nrôle important dans la construction de tels réseaux privés virtuels\nréseaux.)","html":"Exemple de pare-feu de couche d'application: Dans\nFigure 3, un pare-feu de couche d'application\nappelé une «passerelle à double hébergement» est représenté. Une double passerelle\nest un hôte hautement sécurisé qui exécute un logiciel proxy. Il a deux réseau\ninterfaces, une sur chaque réseau, et bloque tout le trafic passant\nà travers.\nLa plupart des pare-feu se situent maintenant quelque part entre les pare-feu de couche réseau et\npare-feu de couche d'application. Comme prévu, les pare-feu de la couche réseau\nsont de plus en plus "au courant" de l'information qui passe par\nles pare-feu de la couche d’application sont de plus en plus «faibles»\nniveau '' et transparent. Le résultat final est que maintenant il y a rapide\nsystèmes de filtrage de paquets enregistrant et vérifiant les données au fur et à mesure de leur passage\nle système. De plus en plus de pare-feu (couche réseau et application)\nincorporer un cryptage afin de protéger le trafic transitant\nentre eux sur Internet. Pare-feux avec cryptage de bout en bout\npeut être utilisé par des organisations disposant de plusieurs points Internet\nconnectivité pour utiliser Internet en tant que « backbone privé '' sans\nse soucier de leurs données ou mots de passe étant reniflés. (IPSEC,\ndécrit à la section 2.6, joue un rôle de plus en plus\nrôle important dans la construction de tels réseaux privés virtuels\nréseaux.)
"},{"id":"text-72","type":"text","heading":"","plain_text":"3.3 Que sont les serveurs proxy et comment fonctionnent-ils?","html":"3.3 Que sont les serveurs proxy et comment fonctionnent-ils?
"},{"id":"text-73","type":"text","heading":"","plain_text":"Un serveur proxy (parfois appelé passerelle d’application ou\nexpéditeur) est une application qui assure la médiation du trafic entre un\nréseau et Internet. Les procurations sont souvent utilisées au lieu de\ncontrôles du trafic basés sur les routeurs, pour empêcher le trafic de passer\ndirectement entre les réseaux. Beaucoup de proxies contiennent une journalisation supplémentaire ou\nsoutien à l'authentification de l'utilisateur. Puisque les mandataires doivent "comprendre"\nle protocole d'application utilisé, ils peuvent également implémenter le protocole\nsécurité spécifique (par exemple, un proxy FTP peut être configurable pour permettre\nFTP entrant et bloquer le FTP sortant).\nLes serveurs proxy sont spécifiques à l'application. Afin de soutenir une nouvelle\nprotocole via un proxy, un proxy doit être développé pour cela. Un populaire\nensemble de serveurs proxy est la boîte à outils TIS Internet Firewall («FWTK»)\nqui inclut les mandataires pour Telnet, rlogin, FTP, le système X Window,\nActualités HTTP / Web et NNTP / Usenet. SOCKS est un système de proxy générique qui\npeut être compilé dans une application côté client pour le faire fonctionner par\nun pare-feu. Son avantage est qu’il est facile à utiliser, mais ce n’est pas le cas.\nsupporte l'ajout de hooks d'authentification ou de protocole spécifique\nenregistrement. Pour plus d'informations sur SOCKS, voir\nhttp://www.socks.nec.com/.","html":"Un serveur proxy (parfois appelé passerelle d’application ou\nexpéditeur) est une application qui assure la médiation du trafic entre un\nréseau et Internet. Les procurations sont souvent utilisées au lieu de\ncontrôles du trafic basés sur les routeurs, pour empêcher le trafic de passer\ndirectement entre les réseaux. Beaucoup de proxies contiennent une journalisation supplémentaire ou\nsoutien à l'authentification de l'utilisateur. Puisque les mandataires doivent "comprendre"\nle protocole d'application utilisé, ils peuvent également implémenter le protocole\nsécurité spécifique (par exemple, un proxy FTP peut être configurable pour permettre\nFTP entrant et bloquer le FTP sortant).\nLes serveurs proxy sont spécifiques à l'application. Afin de soutenir une nouvelle\nprotocole via un proxy, un proxy doit être développé pour cela. Un populaire\nensemble de serveurs proxy est la boîte à outils TIS Internet Firewall («FWTK»)\nqui inclut les mandataires pour Telnet, rlogin, FTP, le système X Window,\nActualités HTTP / Web et NNTP / Usenet. SOCKS est un système de proxy générique qui\npeut être compilé dans une application côté client pour le faire fonctionner par\nun pare-feu. Son avantage est qu’il est facile à utiliser, mais ce n’est pas le cas.\nsupporte l'ajout de hooks d'authentification ou de protocole spécifique\nenregistrement. Pour plus d'informations sur SOCKS, voir\nhttp://www.socks.nec.com/.
"},{"id":"text-74","type":"text","heading":"","plain_text":"3.4 Quels sont certains outils bon marché de filtrage de paquets?","html":"3.4 Quels sont certains outils bon marché de filtrage de paquets?
"},{"id":"text-75","type":"text","heading":"","plain_text":"Les outils de sécurité de la Texas A & M University comprennent un logiciel pour\nmise en place de routeurs de filtrage. Karlbridge est un système de dépistage basé sur PC\nkit de routeur disponible à partir de\nftp://ftp.net.ohio-state.edu/pub/kbridge/.\nIl existe de nombreux écrans de paquets au niveau du noyau, notamment:\nipf, ipfw, ipchains, pf, et ipfwadm. Typiquement,\nceux-ci sont inclus dans diverses implémentations Unix libres, telles que\nFreeBSD,\nOpenBSD,\nNetBSD, et\nLinux. Vous pourriez aussi trouver\nces outils disponibles dans votre implémentation commerciale Unix.\nSi vous êtes prêt à vous salir les mains, c'est complètement\npossible de construire un pare-feu sécurisé et entièrement fonctionnel pour le prix\ndu matériel et une partie de votre temps.","html":"Les outils de sécurité de la Texas A & M University comprennent un logiciel pour\nmise en place de routeurs de filtrage. Karlbridge est un système de dépistage basé sur PC\nkit de routeur disponible à partir de\nftp://ftp.net.ohio-state.edu/pub/kbridge/.\nIl existe de nombreux écrans de paquets au niveau du noyau, notamment:\nipf, ipfw, ipchains, pf, et ipfwadm. Typiquement,\nceux-ci sont inclus dans diverses implémentations Unix libres, telles que\nFreeBSD,\nOpenBSD,\nNetBSD, et\nLinux. Vous pourriez aussi trouver\nces outils disponibles dans votre implémentation commerciale Unix.\nSi vous êtes prêt à vous salir les mains, c'est complètement\npossible de construire un pare-feu sécurisé et entièrement fonctionnel pour le prix\ndu matériel et une partie de votre temps.
"},{"id":"text-76","type":"text","heading":"","plain_text":"3.5 Quelles sont les règles de filtrage raisonnables pour un\n écran de paquets basé sur le noyau?","html":"3.5 Quelles sont les règles de filtrage raisonnables pour un\n écran de paquets basé sur le noyau?
"},{"id":"text-77","type":"text","heading":"","plain_text":"Cet exemple est écrit spécifiquement pour ipfwadm sur Linux,\nmais les principes (et même une grande partie de la syntaxe) s’appliquent à d’autres\ninterfaces du noyau pour le filtrage de paquets sur les systèmes Unix "open source".\nIl existe quatre catégories de base couvertes par le ipfwadm\nrègles:","html":"Cet exemple est écrit spécifiquement pour ipfwadm sur Linux,\nmais les principes (et même une grande partie de la syntaxe) s’appliquent à d’autres\ninterfaces du noyau pour le filtrage de paquets sur les systèmes Unix "open source".\nIl existe quatre catégories de base couvertes par le ipfwadm\nrègles:
"},{"id":"text-78","type":"text","heading":"","plain_text":"-UNE\nComptabilité par paquets","html":"-UNE\nComptabilité par paquets
"},{"id":"text-79","type":"text","heading":"","plain_text":"-JE\nPare-feu d'entrée","html":"-JE\nPare-feu d'entrée
"},{"id":"text-80","type":"text","heading":"","plain_text":"-O\nPare-feu de sortie","html":"-O\nPare-feu de sortie
"},{"id":"text-81","type":"text","heading":"","plain_text":"-F\nPare-feu de transmission","html":"-F\nPare-feu de transmission
"},{"id":"text-82","type":"text","heading":"","plain_text":"ipfwadm a également fait du masquerading (-M) capacités.\nPour plus d'informations sur les commutateurs et les options, reportez-vous à la\nipfwadm homme page.","html":"ipfwadm a également fait du masquerading (-M) capacités.\nPour plus d'informations sur les commutateurs et les options, reportez-vous à la\nipfwadm homme page.
"},{"id":"text-83","type":"text","heading":"","plain_text":"3.5.1 Mise en œuvre","html":"3.5.1 Mise en œuvre
"},{"id":"text-84","type":"text","heading":"","plain_text":"Ici, notre organisation utilise un réseau privé de classe C (RFC 1918)\n192.168.1.0. Notre FAI nous a attribué l'adresse 201.123.102.32 pour\nl'interface externe de notre passerelle et 201.123.102.33 pour notre externe\nserveur de courrier. La politique organisationnelle dit:","html":"Ici, notre organisation utilise un réseau privé de classe C (RFC 1918)\n192.168.1.0. Notre FAI nous a attribué l'adresse 201.123.102.32 pour\nl'interface externe de notre passerelle et 201.123.102.33 pour notre externe\nserveur de courrier. La politique organisationnelle dit:
"},{"id":"text-85","type":"text","heading":"","plain_text":"Autoriser toutes les connexions TCP sortantes","html":"Autoriser toutes les connexions TCP sortantes
"},{"id":"text-86","type":"text","heading":"","plain_text":"Autoriser les serveurs SMTP et DNS entrants vers un serveur de messagerie externe","html":"Autoriser les serveurs SMTP et DNS entrants vers un serveur de messagerie externe
"},{"id":"text-87","type":"text","heading":"","plain_text":"Bloquer tout autre trafic","html":"Bloquer tout autre trafic
"},{"id":"text-88","type":"text","heading":"","plain_text":"Le bloc de commandes suivant peut être placé dans un fichier de démarrage du système.\n(peut-être rc.local sur les systèmes Unix).","html":"Le bloc de commandes suivant peut être placé dans un fichier de démarrage du système.\n(peut-être rc.local sur les systèmes Unix).
"},{"id":"text-89","type":"text","heading":"","plain_text":"ipfwadm -F -f\n ipfwadm -F -p nier\n ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 25\n ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 53\n ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 53\n ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0","html":"ipfwadm -F -f\n ipfwadm -F -p nier\n ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 25\n ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 53\n ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 53\n ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
"},{"id":"text-90","type":"text","heading":"","plain_text":" / sbin / route add -host 201.123.102.33 gw 192.168.1.2","html":"/ sbin / route add -host 201.123.102.33 gw 192.168.1.2
"},{"id":"text-91","type":"text","heading":"","plain_text":"3.5.2 Explication","html":"3.5.2 Explication
"},{"id":"text-92","type":"text","heading":"","plain_text":"3.6 Quelles sont les règles de filtrage raisonnables pour un Cisco?","html":"3.6 Quelles sont les règles de filtrage raisonnables pour un Cisco?
"},{"id":"text-93","type":"text","heading":"","plain_text":"L’exemple de la figure 4 montre une possibilité\nconfiguration pour utiliser Cisco en tant que routeur de filtrage. C'est un échantillon\ncela montre la mise en œuvre de la politique spécifique. Votre politique sera\nsans aucun doute varier.","html":"L’exemple de la figure 4 montre une possibilité\nconfiguration pour utiliser Cisco en tant que routeur de filtrage. C'est un échantillon\ncela montre la mise en œuvre de la politique spécifique. Votre politique sera\nsans aucun doute varier.
"},{"id":"text-94","type":"text","heading":"","plain_text":"Figure 4:\nRouteur de filtrage de paquets","html":"Figure 4:\nRouteur de filtrage de paquets
"},{"id":"text-95","type":"text","heading":"","plain_text":"Dans cet exemple, une entreprise a l'adresse réseau 195.55.55.0 de classe C.\nLe réseau de l'entreprise est connecté à Internet via le fournisseur de services IP.\nLa politique de la société est de permettre à tout le monde d’accéder aux services Internet.\ntoutes les connexions sortantes sont acceptées. Toutes les connexions entrantes vont\nvia « mailhost ''. Mail et DNS ne sont que des services entrants.","html":"Dans cet exemple, une entreprise a l'adresse réseau 195.55.55.0 de classe C.\nLe réseau de l'entreprise est connecté à Internet via le fournisseur de services IP.\nLa politique de la société est de permettre à tout le monde d’accéder aux services Internet.\ntoutes les connexions sortantes sont acceptées. Toutes les connexions entrantes vont\nvia « mailhost ''. Mail et DNS ne sont que des services entrants.
"},{"id":"text-96","type":"text","heading":"","plain_text":"3.6.1 Mise en œuvre","html":"3.6.1 Mise en œuvre
"},{"id":"text-97","type":"text","heading":"","plain_text":"Autoriser toutes les connexions TCP sortantes","html":"Autoriser toutes les connexions TCP sortantes
"},{"id":"text-98","type":"text","heading":"","plain_text":"Autoriser les adresses SMTP et DNS entrantes sur mailhost","html":"Autoriser les adresses SMTP et DNS entrantes sur mailhost
"},{"id":"text-99","type":"text","heading":"","plain_text":"Autoriser les connexions de données FTP entrantes au port TCP élevé (1024)","html":"Autoriser les connexions de données FTP entrantes au port TCP élevé (1024)
"},{"id":"text-100","type":"text","heading":"","plain_text":"Essayez de protéger les services qui vivent sur des numéros de port élevés","html":"Essayez de protéger les services qui vivent sur des numéros de port élevés
"},{"id":"text-101","type":"text","heading":"","plain_text":"Seuls les paquets entrants provenant d'Internet sont vérifiés dans cette configuration.\nRules are tested in order and stop when the first match is found.\nThere is an implicit deny rule at the end of an access list that\ndenies everything. This IP access list assumes that you are running\nCisco IOS v. 10.3 or later.","html":"Seuls les paquets entrants provenant d'Internet sont vérifiés dans cette configuration.\nRules are tested in order and stop when the first match is found.\nThere is an implicit deny rule at the end of an access list that\ndenies everything. This IP access list assumes that you are running\nCisco IOS v. 10.3 or later.
"},{"id":"text-102","type":"text","heading":"","plain_text":"no ip source-route\n!\ninterface ethernet 0 \nip address 195.55.55.1 \nno ip directed-broadcast\n!\ninterface serial 0 \nno ip directed-broadcast\nip access-group 101 in \n!\naccess-list 101 deny ip 127.0.0.0 0.255.255.255 any\naccess-list 101 deny ip 10.0.0.0 0.255.255.255 any\naccess-list 101 deny ip 172.16.0.0 0.15.255.255 any\naccess-list 101 deny ip 192.168.0.0 0.0.255.255 any\naccess-list 101 deny ip any 0.0.0.255 255.255.255.0\naccess-list 101 deny ip any 0.0.0.0 255.255.255.0\n!\naccess-list 101 deny ip 195.55.55.0 0.0.0.255 \naccess-list 101 permit tcp any any established \n!\naccess-list 101 permit tcp any host 195.55.55.10 eq smtp \naccess-list 101 permit tcp any host 195.55.55.10 eq dns \naccess-list 101 permit udp any host 192.55.55.10 eq dns \n!\naccess-list 101 deny tcp any any range 6000 6003 \naccess-list 101 deny tcp any any range 2000 2003 \naccess-list 101 deny tcp any any eq 2049 \naccess-list 101 deny udp any any eq 2049 \n!\naccess-list 101 permit tcp any 20 any gt 1024 \n!\naccess-list 101 permit icmp any any \n!\nsnmp-server community FOOBAR RO 2 \nline vty 0 4 \naccess-class 2 in \naccess-list 2 permit 195.55.55.0 0.0.0.255","html":"no ip source-route\n!\ninterface ethernet 0 \nip address 195.55.55.1 \nno ip directed-broadcast\n!\ninterface serial 0 \nno ip directed-broadcast\nip access-group 101 in \n!\naccess-list 101 deny ip 127.0.0.0 0.255.255.255 any\naccess-list 101 deny ip 10.0.0.0 0.255.255.255 any\naccess-list 101 deny ip 172.16.0.0 0.15.255.255 any\naccess-list 101 deny ip 192.168.0.0 0.0.255.255 any\naccess-list 101 deny ip any 0.0.0.255 255.255.255.0\naccess-list 101 deny ip any 0.0.0.0 255.255.255.0\n!\naccess-list 101 deny ip 195.55.55.0 0.0.0.255 \naccess-list 101 permit tcp any any established \n!\naccess-list 101 permit tcp any host 195.55.55.10 eq smtp \naccess-list 101 permit tcp any host 195.55.55.10 eq dns \naccess-list 101 permit udp any host 192.55.55.10 eq dns \n!\naccess-list 101 deny tcp any any range 6000 6003 \naccess-list 101 deny tcp any any range 2000 2003 \naccess-list 101 deny tcp any any eq 2049 \naccess-list 101 deny udp any any eq 2049 \n!\naccess-list 101 permit tcp any 20 any gt 1024 \n!\naccess-list 101 permit icmp any any \n!\nsnmp-server community FOOBAR RO 2 \nline vty 0 4 \naccess-class 2 in \naccess-list 2 permit 195.55.55.0 0.0.0.255
"},{"id":"text-103","type":"text","heading":"","plain_text":"3.6.2 Explanations","html":"3.6.2 Explanations
"},{"id":"text-104","type":"text","heading":"","plain_text":"Drop all source-routed packets. Source routing can be used for\n address spoofing.","html":"Drop all source-routed packets. Source routing can be used for\n address spoofing.
"},{"id":"text-105","type":"text","heading":"","plain_text":"Drop directed broadcasts, which are used in smurf attacks.","html":"Drop directed broadcasts, which are used in smurf attacks.
"},{"id":"text-106","type":"text","heading":"","plain_text":"If an incoming packet claims to be from a local net, loopback\n network, or private network, drop it.","html":"If an incoming packet claims to be from a local net, loopback\n network, or private network, drop it.
"},{"id":"text-107","type":"text","heading":"","plain_text":"All packets which are part of already established\n TCP-connections can pass through without further checking.","html":"All packets which are part of already established\n TCP-connections can pass through without further checking.
"},{"id":"text-108","type":"text","heading":"","plain_text":"All connections to low port numbers are blocked except SMTP and\n DNS.","html":"All connections to low port numbers are blocked except SMTP and\n DNS.
"},{"id":"text-109","type":"text","heading":"","plain_text":"Block all services that listen for TCP connections on high port\n Nombres. X11 (port 6000+), OpenWindows (port 2000+) are a few\n candidates. NFS (port 2049) runs usually over UDP, but it can be run\n over TCP, so you should block it.","html":"Block all services that listen for TCP connections on high port\n Nombres. X11 (port 6000+), OpenWindows (port 2000+) are a few\n candidates. NFS (port 2049) runs usually over UDP, but it can be run\n over TCP, so you should block it.
"},{"id":"text-110","type":"text","heading":"","plain_text":"Incoming connections from port 20 into high port numbers are\n supposed to be FTP data connections.","html":"Incoming connections from port 20 into high port numbers are\n supposed to be FTP data connections.
"},{"id":"text-111","type":"text","heading":"","plain_text":"Access-list 2 limits access to router itself (telnet & SNMP)","html":"Access-list 2 limits access to router itself (telnet & SNMP)
"},{"id":"text-112","type":"text","heading":"","plain_text":"All UDP traffic is blocked to protect RPC services","html":"All UDP traffic is blocked to protect RPC services
"},{"id":"text-113","type":"text","heading":"","plain_text":"3.6.3 Shortcomings","html":"3.6.3 Shortcomings
"},{"id":"text-114","type":"text","heading":"","plain_text":"You cannot enforce strong access policies with router access\n lists. Users can easily install backdoors to their systems to get\n over « no incoming telnet'' or « no X11'' rules. Also crackers\n install telnet backdoors on systems where they break in.","html":"You cannot enforce strong access policies with router access\n lists. Users can easily install backdoors to their systems to get\n over « no incoming telnet'' or « no X11'' rules. Also crackers\n install telnet backdoors on systems where they break in.
"},{"id":"text-115","type":"text","heading":"","plain_text":"You can never be sure what services you have listening for\n connections on high port numbers. (You can't be sure of what\n services you have listening for connections on low port numbers,\n either, especially in highly decentralized environments where people\n can put their own machines on the network or where they can get\n administrative access to their own machines.)","html":"You can never be sure what services you have listening for\n connections on high port numbers. (You can't be sure of what\n services you have listening for connections on low port numbers,\n either, especially in highly decentralized environments where people\n can put their own machines on the network or where they can get\n administrative access to their own machines.)
"},{"id":"text-116","type":"text","heading":"","plain_text":"Checking the source port on incoming FTP data connections is a\n weak security method. It also breaks access to some FTP sites. Il\n makes use of the service more difficult for users without preventing\n bad guys from scanning your systems.","html":"Checking the source port on incoming FTP data connections is a\n weak security method. It also breaks access to some FTP sites. Il\n makes use of the service more difficult for users without preventing\n bad guys from scanning your systems.
"},{"id":"text-117","type":"text","heading":"","plain_text":"Use at least Cisco version 9.21 so you can filter incoming packets and\ncheck for address spoofing. It's still better to use 10.3, where you\nget some extra features (like filtering on source port) and some\nimprovements on filter syntax.\nYou have still a few ways to make your setup stronger. Block all\nincoming TCP-connections and tell users to use passive-FTP clients.\nYou can also block outgoing ICMP echo-reply and\ndestination-unreachable messages to hide your network and to prevent\nuse of network scanners. Cisco.com use to have an archive of examples\nfor building firewalls using Cisco routers, but it doesn't seem to be\nonline anymore. There are some notes on Cisco access control lists,\nat least, at ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists.","html":"Use at least Cisco version 9.21 so you can filter incoming packets and\ncheck for address spoofing. It's still better to use 10.3, where you\nget some extra features (like filtering on source port) and some\nimprovements on filter syntax.\nYou have still a few ways to make your setup stronger. Block all\nincoming TCP-connections and tell users to use passive-FTP clients.\nYou can also block outgoing ICMP echo-reply and\ndestination-unreachable messages to hide your network and to prevent\nuse of network scanners. Cisco.com use to have an archive of examples\nfor building firewalls using Cisco routers, but it doesn't seem to be\nonline anymore. There are some notes on Cisco access control lists,\nat least, at ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists.
"},{"id":"text-118","type":"text","heading":"","plain_text":"3.7 What are the critical resources in a firewall?","html":"3.7 What are the critical resources in a firewall?
"},{"id":"text-119","type":"text","heading":"","plain_text":"It's important to understand the critical resources of your firewall\narchitecture, so when you do capacity planning, performance\noptimizations, etc., you know exactly what you need to do, and how\nmuch you need to do it in order to get the desired result.\nWhat exactly the firewall's critical resources are tends to vary from\nsite to site, depending on the sort of traffic that loads the system.\nSome people think they'll automatically be able to increase the data\nthroughput of their firewall by putting in a box with a faster CPU, or\nanother CPU, when this isn't necessarily the case. Potentially, this\ncould be a large waste of money that doesn't do anything to solve the\nproblem at hand or provide the expected scalability.\nOn busy systems, Mémoire is extremely important. Vous devez\nhave enough RAM to support every instance of every program necessary\nto service the load placed on that machine. Otherwise, the swapping\nwill start and the productivity will stop. Light swapping isn't\nusually much of a problem, but if a system's swap space begins to get\nbusy, then it's usually time for more RAM. A system that's heavily\nswapping is often relatively easy to push over the edge in a\ndenial-of-service attack, or simply fall behind in processing the load\nplaced on it. This is where long email delays start.\nBeyond the system's requirement for memory, it's useful to understand\nthat different services use different system resources. Alors le\nconfiguration that you have for your system should be indicative of\nthe kind of load you plan to service. A 1400 MHz processor isn't\ngoing to do you much good if all you're doing is netnews and mail, and\nare trying to do it on an IDE disk with an ISA controller.","html":"It's important to understand the critical resources of your firewall\narchitecture, so when you do capacity planning, performance\noptimizations, etc., you know exactly what you need to do, and how\nmuch you need to do it in order to get the desired result.\nWhat exactly the firewall's critical resources are tends to vary from\nsite to site, depending on the sort of traffic that loads the system.\nSome people think they'll automatically be able to increase the data\nthroughput of their firewall by putting in a box with a faster CPU, or\nanother CPU, when this isn't necessarily the case. Potentially, this\ncould be a large waste of money that doesn't do anything to solve the\nproblem at hand or provide the expected scalability.\nOn busy systems, Mémoire is extremely important. Vous devez\nhave enough RAM to support every instance of every program necessary\nto service the load placed on that machine. Otherwise, the swapping\nwill start and the productivity will stop. Light swapping isn't\nusually much of a problem, but if a system's swap space begins to get\nbusy, then it's usually time for more RAM. A system that's heavily\nswapping is often relatively easy to push over the edge in a\ndenial-of-service attack, or simply fall behind in processing the load\nplaced on it. This is where long email delays start.\nBeyond the system's requirement for memory, it's useful to understand\nthat different services use different system resources. Alors le\nconfiguration that you have for your system should be indicative of\nthe kind of load you plan to service. A 1400 MHz processor isn't\ngoing to do you much good if all you're doing is netnews and mail, and\nare trying to do it on an IDE disk with an ISA controller.
"},{"id":"text-120","type":"text","heading":"","plain_text":"Tableau 1:\nCritical Resources for Firewall Services","html":"Tableau 1:\nCritical Resources for Firewall Services
"},{"id":"text-121","type":"text","heading":"","plain_text":"Un service\nCritical Resource","html":"Un service\nCritical Resource
"},{"id":"text-122","type":"text","heading":"","plain_text":"Email\nDisk I/O","html":"Email\nDisk I/O
"},{"id":"text-123","type":"text","heading":"","plain_text":"Netnews\nDisk I/O","html":"Netnews\nDisk I/O
"},{"id":"text-124","type":"text","heading":"","plain_text":"Web\nHost OS Socket Performance","html":"Web\nHost OS Socket Performance
"},{"id":"text-125","type":"text","heading":"","plain_text":"IP Routing\nHost OS Socket Performance","html":"IP Routing\nHost OS Socket Performance
"},{"id":"text-126","type":"text","heading":"","plain_text":"Web Cache\nHost OS Socket Performance, Disk I/O","html":"Web Cache\nHost OS Socket Performance, Disk I/O
"},{"id":"text-127","type":"text","heading":"","plain_text":"3.8 What is a DMZ, and why do I want one?","html":"3.8 What is a DMZ, and why do I want one?
"},{"id":"text-128","type":"text","heading":"","plain_text":"« DMZ'' is an abbreviation for « demilitarized zone''. In the context\nof firewalls, this refers to a part of the network that is neither\npart of the internal network nor directly part of the Internet.\nTypically, this is the area between your Internet access router and\nyour bastion host, though it can be between any two policy-enforcing\ncomponents of your architecture.\nA DMZ can be created by putting access control lists on your access\nrouter. This minimizes the exposure of hosts on your external LAN by\nallowing only recognized and managed services on those hosts to be\naccessible by hosts on the Internet. Many commercial firewalls simply\nmake a third interface off of the bastion host and label it the DMZ,\nthe point is that the network is neither « inside'' nor « outside''.\nFor example, a web server running on NT might be vulnerable to a\nnumber of denial-of-service attacks against such services as RPC,\nNetBIOS and SMB. These services are not required for the operation of\na web server, so blocking TCP connections to ports 135, 137, 138, and\n139 on that host will reduce the exposure to a denial-of-service\nattack. In fact, if you block everything but HTTP traffic to that\nhost, an attacker will only have one service to attack.\nThis illustrates an important principle: never offer attackers more to\nwork with than is absolutely necessary to support the services you\nwant to offer the public.","html":"« DMZ'' is an abbreviation for « demilitarized zone''. In the context\nof firewalls, this refers to a part of the network that is neither\npart of the internal network nor directly part of the Internet.\nTypically, this is the area between your Internet access router and\nyour bastion host, though it can be between any two policy-enforcing\ncomponents of your architecture.\nA DMZ can be created by putting access control lists on your access\nrouter. This minimizes the exposure of hosts on your external LAN by\nallowing only recognized and managed services on those hosts to be\naccessible by hosts on the Internet. Many commercial firewalls simply\nmake a third interface off of the bastion host and label it the DMZ,\nthe point is that the network is neither « inside'' nor « outside''.\nFor example, a web server running on NT might be vulnerable to a\nnumber of denial-of-service attacks against such services as RPC,\nNetBIOS and SMB. These services are not required for the operation of\na web server, so blocking TCP connections to ports 135, 137, 138, and\n139 on that host will reduce the exposure to a denial-of-service\nattack. In fact, if you block everything but HTTP traffic to that\nhost, an attacker will only have one service to attack.\nThis illustrates an important principle: never offer attackers more to\nwork with than is absolutely necessary to support the services you\nwant to offer the public.
"},{"id":"text-129","type":"text","heading":"","plain_text":"3.9 How might I increase the security and scalability of my\n DMZ?","html":"3.9 How might I increase the security and scalability of my\n DMZ?
"},{"id":"text-130","type":"text","heading":"","plain_text":"A common approach for an attacker is to break into a host that's\nvulnerable to attack, and exploit trust relationships between the\nvulnerable host and more interesting targets.\nIf you are running a number of services that have different levels of\nsecurity, you might want to consider breaking your DMZ into several\n« security zones''. This can be done by having a number of different\nnetworks within the DMZ. For example, the access router could feed\ntwo Ethernets, both protected by ACLs, and therefore in the DMZ.\nOn one of the Ethernets, you might have hosts whose purpose is to\nservice your organization's need for Internet connectivity. Celles-ci\nwill likely relay mail, news, and host DNS. On the other Ethernet\ncould be your web server(s) and other hosts that provide services for\nthe benefit of Internet users.\nIn many organizations, services for Internet users tend to be less\ncarefully guarded and are more likely to be doing insecure things.\n(For example, in the case of a web server, unauthenticated and\nuntrusted users might be running CGI, PHP, or other executable\nprogrammes. This might be reasonable for your web server, but brings\nwith it a certain set of risks that need to be managed. It is likely\nthese services are too risky for an organization to run them on a\nbastion host, where a slip-up can result in the complete failure of\nthe security mechanisms.)\nBy putting hosts with similar levels of risk on networks together in\nthe DMZ, you can help minimize the effect of a breakin at your site.\nIf someone breaks into your web server by exploiting some bug in your\nweb server, they'll not be able to use it as a launching point to\nbreak into your private network if the web servers are on a separate\nLAN from the bastion hosts, and you don't have any trust relationships\nbetween the web server and bastion host.\nNow, keep in mind that this is Ethernet. If someone breaks into your\nweb server, and your bastion host is on the same Ethernet, an attacker\ncan install a sniffer on your web server, and watch the traffic to and\nfrom your bastion host. This might reveal things that can be used to\nbreak into the bastion host and gain access to the internal network.\n(Switched Ethernet can reduce your exposure to this kind of problem,\nbut will not eliminate it.)\nSplitting services up not only by host, but by network, and limiting\nthe level of trust between hosts on those networks, you can greatly\nreduce the likelihood of a breakin on one host being used to break\ninto the other. Succinctly stated: breaking into the web server in\nthis case won't make it any easier to break into the bastion host.\nYou can also increase the scalability of your architecture by placing\nhosts on different networks. The fewer machines that there are to\nshare the available bandwidth, the more bandwidth that each will get.","html":"A common approach for an attacker is to break into a host that's\nvulnerable to attack, and exploit trust relationships between the\nvulnerable host and more interesting targets.\nIf you are running a number of services that have different levels of\nsecurity, you might want to consider breaking your DMZ into several\n« security zones''. This can be done by having a number of different\nnetworks within the DMZ. For example, the access router could feed\ntwo Ethernets, both protected by ACLs, and therefore in the DMZ.\nOn one of the Ethernets, you might have hosts whose purpose is to\nservice your organization's need for Internet connectivity. Celles-ci\nwill likely relay mail, news, and host DNS. On the other Ethernet\ncould be your web server(s) and other hosts that provide services for\nthe benefit of Internet users.\nIn many organizations, services for Internet users tend to be less\ncarefully guarded and are more likely to be doing insecure things.\n(For example, in the case of a web server, unauthenticated and\nuntrusted users might be running CGI, PHP, or other executable\nprogrammes. This might be reasonable for your web server, but brings\nwith it a certain set of risks that need to be managed. It is likely\nthese services are too risky for an organization to run them on a\nbastion host, where a slip-up can result in the complete failure of\nthe security mechanisms.)\nBy putting hosts with similar levels of risk on networks together in\nthe DMZ, you can help minimize the effect of a breakin at your site.\nIf someone breaks into your web server by exploiting some bug in your\nweb server, they'll not be able to use it as a launching point to\nbreak into your private network if the web servers are on a separate\nLAN from the bastion hosts, and you don't have any trust relationships\nbetween the web server and bastion host.\nNow, keep in mind that this is Ethernet. If someone breaks into your\nweb server, and your bastion host is on the same Ethernet, an attacker\ncan install a sniffer on your web server, and watch the traffic to and\nfrom your bastion host. This might reveal things that can be used to\nbreak into the bastion host and gain access to the internal network.\n(Switched Ethernet can reduce your exposure to this kind of problem,\nbut will not eliminate it.)\nSplitting services up not only by host, but by network, and limiting\nthe level of trust between hosts on those networks, you can greatly\nreduce the likelihood of a breakin on one host being used to break\ninto the other. Succinctly stated: breaking into the web server in\nthis case won't make it any easier to break into the bastion host.\nYou can also increase the scalability of your architecture by placing\nhosts on different networks. The fewer machines that there are to\nshare the available bandwidth, the more bandwidth that each will get.
"},{"id":"text-131","type":"text","heading":"","plain_text":"3.10 What is a `single point of failure', and how do I avoid\n having one?","html":"3.10 What is a `single point of failure', and how do I avoid\n having one?
"},{"id":"text-132","type":"text","heading":"","plain_text":"An architecture whose security hinges upon one mechanism has a single\npoint of failure. Software that runs bastion hosts has bugs.\nApplications have bugs. Software that controls routers has bugs. Il\nmakes sense to use all of these components to build a securely\ndesigned network, and to use them in redundant ways.\nIf your firewall architecture is a screened subnet, you have two\npacket filtering routers and a bastion host. (See question\n3.2 from this section.) Your Internet access\nrouter will not permit traffic from the Internet to get all the way\ninto your private network. However, if you don't enforce that rule\nwith any other mechanisms on the bastion host and/or choke router,\nonly one component of your architecture needs to fail or be\ncompromised in order to get inside. On the other hand, if you have a\nredundant rule on the bastion host, and again on the choke router, an\nattacker will need to defeat Trois mechanisms.\nFurther, if the bastion host or the choke router needs to invoke its\nrule to block outside access to the internal network, you might want\nto have it trigger an alarm of some sort, since you know that someone\nhas gotten through your access router.","html":"An architecture whose security hinges upon one mechanism has a single\npoint of failure. Software that runs bastion hosts has bugs.\nApplications have bugs. Software that controls routers has bugs. Il\nmakes sense to use all of these components to build a securely\ndesigned network, and to use them in redundant ways.\nIf your firewall architecture is a screened subnet, you have two\npacket filtering routers and a bastion host. (See question\n3.2 from this section.) Your Internet access\nrouter will not permit traffic from the Internet to get all the way\ninto your private network. However, if you don't enforce that rule\nwith any other mechanisms on the bastion host and/or choke router,\nonly one component of your architecture needs to fail or be\ncompromised in order to get inside. On the other hand, if you have a\nredundant rule on the bastion host, and again on the choke router, an\nattacker will need to defeat Trois mechanisms.\nFurther, if the bastion host or the choke router needs to invoke its\nrule to block outside access to the internal network, you might want\nto have it trigger an alarm of some sort, since you know that someone\nhas gotten through your access router.
"},{"id":"text-133","type":"text","heading":"","plain_text":"3.11 How can I block all of the bad stuff?","html":"3.11 How can I block all of the bad stuff?
"},{"id":"text-134","type":"text","heading":"","plain_text":"For firewalls where the emphasis is on security instead of\nconnectivity, you should consider blocking tout par\ndefault, and only specifically allowing what services you need on a\ncase-by-case basis.\nIf you block everything, except a specific set of services, then\nyou've already made your job much easier. Instead of having to worry\nabout every security problem with everything product and service\naround, you only need to worry about every security problem with a\nspecific set of services and products.\nBefore turning on a service, you should consider a couple of\nquestions:","html":"For firewalls where the emphasis is on security instead of\nconnectivity, you should consider blocking tout par\ndefault, and only specifically allowing what services you need on a\ncase-by-case basis.\nIf you block everything, except a specific set of services, then\nyou've already made your job much easier. Instead of having to worry\nabout every security problem with everything product and service\naround, you only need to worry about every security problem with a\nspecific set of services and products.\nBefore turning on a service, you should consider a couple of\nquestions:
"},{"id":"text-135","type":"text","heading":"","plain_text":"Is the protocol for this product a well-known, published\n protocol?","html":"Is the protocol for this product a well-known, published\n protocol?
"},{"id":"text-136","type":"text","heading":"","plain_text":"Is the application to service this protocol available for public\n inspection of its implementation?","html":"Is the application to service this protocol available for public\n inspection of its implementation?
"},{"id":"text-137","type":"text","heading":"","plain_text":"How well known is the service and product?","html":"How well known is the service and product?
"},{"id":"text-138","type":"text","heading":"","plain_text":"How does allowing this service change the firewall architecture?\n Will an attacker see things differently? Could it be exploited to\n get at my internal network, or to change things on hosts in my DMZ?","html":"How does allowing this service change the firewall architecture?\n Will an attacker see things differently? Could it be exploited to\n get at my internal network, or to change things on hosts in my DMZ?
"},{"id":"text-139","type":"text","heading":"","plain_text":"When considering the above questions, keep the following in mind:","html":"When considering the above questions, keep the following in mind:
"},{"id":"text-140","type":"text","heading":"","plain_text":"« Security through obscurity'' is no security at all.\n Unpublished protocols have been examined by bad guys and defeated.","html":"« Security through obscurity'' is no security at all.\n Unpublished protocols have been examined by bad guys and defeated.
"},{"id":"text-141","type":"text","heading":"","plain_text":"Despite what the marketing representatives say, not every\n protocol or service is designed with security in mind. In fact, the\n number that are is very few.","html":"Despite what the marketing representatives say, not every\n protocol or service is designed with security in mind. In fact, the\n number that are is very few.
"},{"id":"text-142","type":"text","heading":"","plain_text":"Even in cases where security is a consideration, not all\n organizations have competent security staff. Among those who don't,\n not all are willing to bring a competent consultant into the\n projet. The end result is that otherwise-competent, well-intended\n developers can design insecure systems.","html":"Even in cases where security is a consideration, not all\n organizations have competent security staff. Among those who don't,\n not all are willing to bring a competent consultant into the\n projet. The end result is that otherwise-competent, well-intended\n developers can design insecure systems.
"},{"id":"text-143","type":"text","heading":"","plain_text":"The less that a vendor is willing to tell you about how their\n système vraiment works, the more likely it is that security\n (or other) problems exist. Only vendors with something to hide have\n a reason to hide their designs and\n implémentations [2].","html":"The less that a vendor is willing to tell you about how their\n système vraiment works, the more likely it is that security\n (or other) problems exist. Only vendors with something to hide have\n a reason to hide their designs and\n implémentations [2].
"},{"id":"text-144","type":"text","heading":"","plain_text":"3.12 How can I restrict web access so users can't view sites\n unrelated to work?","html":"3.12 How can I restrict web access so users can't view sites\n unrelated to work?
"},{"id":"text-145","type":"text","heading":"","plain_text":"A few years ago, someone got the idea that it's a good idea to block\n« bad'' web sites, i.e., those that contain material that The Company\nviews « inappropriate''. The idea has been increasing in popularity,\nbut there are several things to consider when thinking about\nimplementing such controls in your firewall.","html":"A few years ago, someone got the idea that it's a good idea to block\n« bad'' web sites, i.e., those that contain material that The Company\nviews « inappropriate''. The idea has been increasing in popularity,\nbut there are several things to consider when thinking about\nimplementing such controls in your firewall.
"},{"id":"text-146","type":"text","heading":"","plain_text":"It is not possible to practically block everything that an\n employer deems « inappropriate''. The Internet is full of every sort\n of material. Blocking one source will only redirect traffic to\n another source of such material, or cause someone to figure a way\n around the block.","html":"It is not possible to practically block everything that an\n employer deems « inappropriate''. The Internet is full of every sort\n of material. Blocking one source will only redirect traffic to\n another source of such material, or cause someone to figure a way\n around the block.
"},{"id":"text-147","type":"text","heading":"","plain_text":"Most organizations do not have a standard for judging the\n appropriateness of material that their employees bring to work,\n e.g., books and magazines. Do you inspect everyone's briefcase for\n « inappropriate material'' every day? If you do not, then why would\n you inspect every packet for « inappropriate material''? Tout\n decisions along those lines in such an organization will be\n arbitrary. Attempting to take disciplinary action against an\n employee where the only standard is arbitrary typically isn't wise,\n for reasons well beyond the scope of this document.","html":"Most organizations do not have a standard for judging the\n appropriateness of material that their employees bring to work,\n e.g., books and magazines. Do you inspect everyone's briefcase for\n « inappropriate material'' every day? If you do not, then why would\n you inspect every packet for « inappropriate material''? Tout\n decisions along those lines in such an organization will be\n arbitrary. Attempting to take disciplinary action against an\n employee where the only standard is arbitrary typically isn't wise,\n for reasons well beyond the scope of this document.
"},{"id":"text-148","type":"text","heading":"","plain_text":"Products that perform site-blocking, commercial and otherwise,\n are typically easy to circumvent. Hostnames can be rewritten as IP\n adresses. IP addresses can be written as a 32-bit integer value,\n or as four 8-bit integers (the most common form). Autre\n possibilities exist, as well. Connections can be proxied. Web\n pages can be fetched via email. You can't block them all. le\n effort that you'll spend trying to implement and manage such\n controls will almost certainly far exceed any level of damage\n control that you're hoping to have.","html":"Products that perform site-blocking, commercial and otherwise,\n are typically easy to circumvent. Hostnames can be rewritten as IP\n adresses. IP addresses can be written as a 32-bit integer value,\n or as four 8-bit integers (the most common form). Autre\n possibilities exist, as well. Connections can be proxied. Web\n pages can be fetched via email. You can't block them all. le\n effort that you'll spend trying to implement and manage such\n controls will almost certainly far exceed any level of damage\n control that you're hoping to have.
"},{"id":"text-149","type":"text","heading":"","plain_text":"The rule-of-thumb to remember here is that you cannot solve social\nproblems with technology. If there is a problem with someone going to\nan « inappropriate'' web site, that is because someone else saw it and\nwas offended by what he saw, or because that person's productivity is\nbelow expectations. In either case, those are matters for the\npersonnel department, not the firewall administrator.","html":"The rule-of-thumb to remember here is that you cannot solve social\nproblems with technology. If there is a problem with someone going to\nan « inappropriate'' web site, that is because someone else saw it and\nwas offended by what he saw, or because that person's productivity is\nbelow expectations. In either case, those are matters for the\npersonnel department, not the firewall administrator.
"},{"id":"text-150","type":"text","heading":"","plain_text":"4.1 What is source routed traffic and why is it a threat?","html":"4.1 What is source routed traffic and why is it a threat?
"},{"id":"text-151","type":"text","heading":"","plain_text":"Normally, the route a packet takes from its source to its destination\nis determined by the routers between the source and destination. le\npacket itself only says where it wants to go (the destination\naddress), and nothing about how it expects to get there.\nThere is an optional way for the sender of a packet (the source) to\ninclude information in the packet that tells the route the packet\nshould take to get to its destination; thus the name « source routing''.\nFor a firewall, source routing is noteworthy, since an attacker can\ngenerate traffic claiming to be from a system « inside'' the firewall.\nIn general, such traffic wouldn't route to the firewall properly, but\nwith the source routing option, all the routers between the attacker's\nmachine and the target will return traffic along the reverse path of\nthe source route. Implementing such an attack is quite easy; alors\nfirewall builders should not discount it as unlikely to happen.\nIn practice, source routing is very little used. In fact, generally\nthe main legitimate use is in debugging network problems or routing\ntraffic over specific links for congestion control for specialized\nsituations. When building a firewall, source routing should be\nblocked at some point. Most commercial routers incorporate the\nability to block source routing specifically, and many versions of\nUnix that might be used to build firewall bastion hosts have the\nability to disable or to ignore source routed traffic.","html":"Normally, the route a packet takes from its source to its destination\nis determined by the routers between the source and destination. le\npacket itself only says where it wants to go (the destination\naddress), and nothing about how it expects to get there.\nThere is an optional way for the sender of a packet (the source) to\ninclude information in the packet that tells the route the packet\nshould take to get to its destination; thus the name « source routing''.\nFor a firewall, source routing is noteworthy, since an attacker can\ngenerate traffic claiming to be from a system « inside'' the firewall.\nIn general, such traffic wouldn't route to the firewall properly, but\nwith the source routing option, all the routers between the attacker's\nmachine and the target will return traffic along the reverse path of\nthe source route. Implementing such an attack is quite easy; alors\nfirewall builders should not discount it as unlikely to happen.\nIn practice, source routing is very little used. In fact, generally\nthe main legitimate use is in debugging network problems or routing\ntraffic over specific links for congestion control for specialized\nsituations. When building a firewall, source routing should be\nblocked at some point. Most commercial routers incorporate the\nability to block source routing specifically, and many versions of\nUnix that might be used to build firewall bastion hosts have the\nability to disable or to ignore source routed traffic.
"},{"id":"text-152","type":"text","heading":"","plain_text":"4.2 What are ICMP redirects and redirect bombs?","html":"4.2 What are ICMP redirects and redirect bombs?
"},{"id":"text-153","type":"text","heading":"","plain_text":"An ICMP Redirect tells the recipient system to override something in\nits routing table. It is legitimately used by routers to tell hosts\nthat the host is using a non-optimal or defunct route to a particular\ndestination, i.e., the host is sending it to the wrong router. le\nwrong router sends the host back an ICMP Redirect packet that tells\nthe host what the correct route should be. If you can forge ICMP\nRedirect packets, and if your target host pays attention to them, you\ncan alter the routing tables on the host and possibly subvert the\nsecurity of the host by causing traffic to flow via a path the network\nmanager didn't intend. ICMP Redirects also may be employed for denial\nof service attacks, where a host is sent a route that loses it\nconnectivity, or is sent an ICMP Network Unreachable packet telling it\nthat it can no longer access a particular network.\nMany firewall builders screen ICMP traffic from their network, since\nit limits the ability of outsiders to ping hosts, or modify their\nrouting tables.\nBefore you decide to block all ICMP packets, you should be aware of\nhow the TCP protocol does « Path MTU Discovery'', to make certain that\nyou don't break connectivity to other sites. If you can't safely\nblock it everywhere, you can consider allowing selected types of ICMP\nto selected routing devices. If you don't block it, you should at\nleast ensure that your routers and hosts don't respond to broadcast\nping packets.","html":"An ICMP Redirect tells the recipient system to override something in\nits routing table. It is legitimately used by routers to tell hosts\nthat the host is using a non-optimal or defunct route to a particular\ndestination, i.e., the host is sending it to the wrong router. le\nwrong router sends the host back an ICMP Redirect packet that tells\nthe host what the correct route should be. If you can forge ICMP\nRedirect packets, and if your target host pays attention to them, you\ncan alter the routing tables on the host and possibly subvert the\nsecurity of the host by causing traffic to flow via a path the network\nmanager didn't intend. ICMP Redirects also may be employed for denial\nof service attacks, where a host is sent a route that loses it\nconnectivity, or is sent an ICMP Network Unreachable packet telling it\nthat it can no longer access a particular network.\nMany firewall builders screen ICMP traffic from their network, since\nit limits the ability of outsiders to ping hosts, or modify their\nrouting tables.\nBefore you decide to block all ICMP packets, you should be aware of\nhow the TCP protocol does « Path MTU Discovery'', to make certain that\nyou don't break connectivity to other sites. If you can't safely\nblock it everywhere, you can consider allowing selected types of ICMP\nto selected routing devices. If you don't block it, you should at\nleast ensure that your routers and hosts don't respond to broadcast\nping packets.
"},{"id":"text-154","type":"text","heading":"","plain_text":"4.3 What about denial of service?","html":"4.3 What about denial of service?
"},{"id":"text-155","type":"text","heading":"","plain_text":"Denial of service is when someone decides to make your network or\nfirewall useless by disrupting it, crashing it, jamming it, or\nflooding it. The problem with denial of service on the Internet is\nthat it is impossible to prevent. The reason has to do with the\ndistributed nature of the network: every network node is connected via\nother networks which in turn connect to other networks, etc. A\nfirewall administrator or ISP only has control of a few of the local\nelements within reach. An attacker can always disrupt a connection\n« upstream'' from where the victim controls it. In other words, if\nsomeone wanted to take a network off the air, he could do it either by\ntaking the network off the air, or by taking the networks it connects\nto off the air, ad infinitum. There are many, many, ways someone can\ndeny service, ranging from the complex to the trivial brute-force. Si\nyou are considering using Internet for a service which is absolutely\ntime or mission critical, you should consider your fallback position\nin the event that the network is down or damaged.\nTCP/IP's UDP echo service is trivially abused to get two servers to\nflood a network segment with echo packets. You should consider\ncommenting out unused entries in /etc/inetd.conf of Unix hosts,\najouter no ip small-servers to Cisco routers, or the equivalent\nfor your components.","html":"Denial of service is when someone decides to make your network or\nfirewall useless by disrupting it, crashing it, jamming it, or\nflooding it. The problem with denial of service on the Internet is\nthat it is impossible to prevent. The reason has to do with the\ndistributed nature of the network: every network node is connected via\nother networks which in turn connect to other networks, etc. A\nfirewall administrator or ISP only has control of a few of the local\nelements within reach. An attacker can always disrupt a connection\n« upstream'' from where the victim controls it. In other words, if\nsomeone wanted to take a network off the air, he could do it either by\ntaking the network off the air, or by taking the networks it connects\nto off the air, ad infinitum. There are many, many, ways someone can\ndeny service, ranging from the complex to the trivial brute-force. Si\nyou are considering using Internet for a service which is absolutely\ntime or mission critical, you should consider your fallback position\nin the event that the network is down or damaged.\nTCP/IP's UDP echo service is trivially abused to get two servers to\nflood a network segment with echo packets. You should consider\ncommenting out unused entries in /etc/inetd.conf of Unix hosts,\najouter no ip small-servers to Cisco routers, or the equivalent\nfor your components.
"},{"id":"text-156","type":"text","heading":"","plain_text":"4.4 What are some common attacks, and how can I protect my\n system against them?","html":"4.4 What are some common attacks, and how can I protect my\n system against them?
"},{"id":"text-157","type":"text","heading":"","plain_text":"Each site is a little different from every other in terms of what\nattacks are likely to be used against it. Some recurring themes do\narise, though.","html":"Each site is a little different from every other in terms of what\nattacks are likely to be used against it. Some recurring themes do\narise, though.
"},{"id":"text-158","type":"text","heading":"","plain_text":"4.4.1 SMTP Server Hijacking (Unauthorized Relaying)","html":"4.4.1 SMTP Server Hijacking (Unauthorized Relaying)
"},{"id":"text-159","type":"text","heading":"","plain_text":"This is where a spammer will take many thousands of copies of a\nmessage and send it to a huge list of email addresses. Because these\nlists are often so bad, and in order to increase the speed of\noperation for the spammer, many have resorted to simply sending all of\ntheir mail to an SMTP server that will take care of actually\ndelivering the mail.\nOf course, all of the bounces, spam complaints, hate mail, and bad PR\ncome for the site that was used as a relay. There is a very real cost\nassociated with this, mostly in paying people to clean up the mess\nafterward.\nThe Mail Abuse Prevention\nSystème1Transport Security Initiative2maintains a complete description of the problem, and how to configure\nabout every mailer on the planet to protect against this attack.","html":"This is where a spammer will take many thousands of copies of a\nmessage and send it to a huge list of email addresses. Because these\nlists are often so bad, and in order to increase the speed of\noperation for the spammer, many have resorted to simply sending all of\ntheir mail to an SMTP server that will take care of actually\ndelivering the mail.\nOf course, all of the bounces, spam complaints, hate mail, and bad PR\ncome for the site that was used as a relay. There is a very real cost\nassociated with this, mostly in paying people to clean up the mess\nafterward.\nThe Mail Abuse Prevention\nSystème1Transport Security Initiative2maintains a complete description of the problem, and how to configure\nabout every mailer on the planet to protect against this attack.
"},{"id":"text-160","type":"text","heading":"","plain_text":"4.4.2 Exploiting Bugs in Applications","html":"4.4.2 Exploiting Bugs in Applications
"},{"id":"text-161","type":"text","heading":"","plain_text":"Various versions of web servers, mail servers, and other Internet\nservice software contain bugs that allow remote (Internet) users to do\nthings ranging from gain control of the machine to making that\napplication crash and just about everything in between.\nThe exposure to this risk can be reduced by running only necessary\nservices, keeping up to date on patches, and using products that have\nbeen around a while.","html":"Various versions of web servers, mail servers, and other Internet\nservice software contain bugs that allow remote (Internet) users to do\nthings ranging from gain control of the machine to making that\napplication crash and just about everything in between.\nThe exposure to this risk can be reduced by running only necessary\nservices, keeping up to date on patches, and using products that have\nbeen around a while.
"},{"id":"text-162","type":"text","heading":"","plain_text":"4.4.3 Bugs in Operating Systems","html":"4.4.3 Bugs in Operating Systems
"},{"id":"text-163","type":"text","heading":"","plain_text":"Again, these are typically initiated by users remotely. en fonctionnement\nsystems that are relatively new to IP networking tend to be more\nproblematic, as more mature operating systems have had time to find\nand eliminate their bugs. An attacker can often make the target\nequipment continuously reboot, crash, lose the ability to talk to the\nnetwork, or replace files on the machine.\nHere, running as few operating system services as possible can help.\nAlso, having a packet filter in front of the operating system can\nreduce the exposure to a large number of these types of attacks.\nAnd, of course, chosing a stable operating system will help here as\nwell. When selecting an OS, don't be fooled into believing that « the\npricier, the better''. Free operating systems are often much more\nrobust than their commercial counterparts","html":"Again, these are typically initiated by users remotely. en fonctionnement\nsystems that are relatively new to IP networking tend to be more\nproblematic, as more mature operating systems have had time to find\nand eliminate their bugs. An attacker can often make the target\nequipment continuously reboot, crash, lose the ability to talk to the\nnetwork, or replace files on the machine.\nHere, running as few operating system services as possible can help.\nAlso, having a packet filter in front of the operating system can\nreduce the exposure to a large number of these types of attacks.\nAnd, of course, chosing a stable operating system will help here as\nwell. When selecting an OS, don't be fooled into believing that « the\npricier, the better''. Free operating systems are often much more\nrobust than their commercial counterparts
"},{"id":"text-164","type":"text","heading":"","plain_text":"5.1 Do I really want to allow everything that my users ask\n for?","html":"5.1 Do I really want to allow everything that my users ask\n for?
"},{"id":"text-165","type":"text","heading":"","plain_text":"It's entirely possible that the answer is « no''. Each site has its own\npolicies about what is and isn't needed, but it's important to\nremember that a large part of the job of being an organization's\ngatekeeper is éducation. Users want streaming video,\nreal-time chat, and to be able to offer services to external customers\nthat require interaction with live databases on the internal network.\nThat doesn't mean that any of these things can be done without\npresenting more risk to the organization than the supposed « value''\nof heading down that road is worth. Most users don't want to put\ntheir organization at risk. They just read the trade rags, see\nadvertisements, and they want to do those things, too. It's important\nto look into what it is that they really want to do, and to help them\nunderstand how they might be able to accomplish their real objective\nin a more secure manner.\nYou won't always be popular, and you might even find yourself being\ngiven direction to do something incredibly stupid, like « just open up\nports foo through bar''. If that happens, don't worry about it. Il\nwould be wise to keep all of your exchanges on such an event so that\nwhen a 12-year-old script kiddie breaks in, you'll at least be able to\nseparate yourself from the whole mess.","html":"It's entirely possible that the answer is « no''. Each site has its own\npolicies about what is and isn't needed, but it's important to\nremember that a large part of the job of being an organization's\ngatekeeper is éducation. Users want streaming video,\nreal-time chat, and to be able to offer services to external customers\nthat require interaction with live databases on the internal network.\nThat doesn't mean that any of these things can be done without\npresenting more risk to the organization than the supposed « value''\nof heading down that road is worth. Most users don't want to put\ntheir organization at risk. They just read the trade rags, see\nadvertisements, and they want to do those things, too. It's important\nto look into what it is that they really want to do, and to help them\nunderstand how they might be able to accomplish their real objective\nin a more secure manner.\nYou won't always be popular, and you might even find yourself being\ngiven direction to do something incredibly stupid, like « just open up\nports foo through bar''. If that happens, don't worry about it. Il\nwould be wise to keep all of your exchanges on such an event so that\nwhen a 12-year-old script kiddie breaks in, you'll at least be able to\nseparate yourself from the whole mess.
"},{"id":"text-166","type":"text","heading":"","plain_text":"5.2 How do I make Web/HTTP work through my firewall?","html":"5.2 How do I make Web/HTTP work through my firewall?
"},{"id":"text-167","type":"text","heading":"","plain_text":"There are three ways to do it.","html":"There are three ways to do it.
"},{"id":"text-168","type":"text","heading":"","plain_text":"Allow « established'' connections out via a router, if you are\n using screening routers.","html":"Allow « established'' connections out via a router, if you are\n using screening routers.
"},{"id":"text-169","type":"text","heading":"","plain_text":"Use a web client that supports SOCKS, and run SOCKS on your\n bastion host.","html":"Use a web client that supports SOCKS, and run SOCKS on your\n bastion host.
"},{"id":"text-170","type":"text","heading":"","plain_text":"Run some kind of proxy-capable web server on the bastion host.\n Some options include\n Squid3,\n Apache4,\n Netscape Proxy5,\n et http-gw from the TIS firewall toolkit. Most of\n these can also proxy other protocols (such as gopher and ftp), and\n can cache objects fetched, which will also typically result in a\n performance boost for the users, and more efficient use of your\n connection to the Internet. Essentially all web clients (Mozilla,\n Internet Explorer, Lynx, etc.) have proxy server support built\n directly into them.","html":"Run some kind of proxy-capable web server on the bastion host.\n Some options include\n Squid3,\n Apache4,\n Netscape Proxy5,\n et http-gw from the TIS firewall toolkit. Most of\n these can also proxy other protocols (such as gopher and ftp), and\n can cache objects fetched, which will also typically result in a\n performance boost for the users, and more efficient use of your\n connection to the Internet. Essentially all web clients (Mozilla,\n Internet Explorer, Lynx, etc.) have proxy server support built\n directly into them.
"},{"id":"text-171","type":"text","heading":"","plain_text":"5.3 How do I make SSL work through the firewall?","html":"5.3 How do I make SSL work through the firewall?
"},{"id":"text-172","type":"text","heading":"","plain_text":"SSL is a protocol that allows secure connections across the Internet.\nTypically, SSL is used to protect HTTP traffic. However, other\nprotocols (such as telnet) can run atop SSL.\nEnabling SSL through your firewall can be done the same way that you\nwould allow HTTP traffic, if it's HTTP that you're using SSL to\nsecure, which is usually true. The only difference is that instead of\nusing something that will simply relay HTTP, you'll need something\nthat can tunnel SSL. This is a feature present on most web object\ncaches.\nYou can find out more about SSL from Netscape6.","html":"SSL is a protocol that allows secure connections across the Internet.\nTypically, SSL is used to protect HTTP traffic. However, other\nprotocols (such as telnet) can run atop SSL.\nEnabling SSL through your firewall can be done the same way that you\nwould allow HTTP traffic, if it's HTTP that you're using SSL to\nsecure, which is usually true. The only difference is that instead of\nusing something that will simply relay HTTP, you'll need something\nthat can tunnel SSL. This is a feature present on most web object\ncaches.\nYou can find out more about SSL from Netscape6.
"},{"id":"text-173","type":"text","heading":"","plain_text":"5.4 How do I make DNS work with a firewall?","html":"5.4 How do I make DNS work with a firewall?
"},{"id":"text-174","type":"text","heading":"","plain_text":"Some organizations want to hide DNS names from the outside. Beaucoup\nexperts don't think hiding DNS names is worthwhile, but if\nsite/corporate policy mandates hiding domain names, this is one\napproach that is known to work. Another reason you may have to hide\ndomain names is if you have a non-standard addressing scheme on your\ninternal network. In that case, you have no choice but to hide those\nadresses. Don't fool yourself into thinking that if your DNS names\nare hidden that it will slow an attacker down much if they break into\nyour firewall. Information about what is on your network is too easily\ngleaned from the networking layer itself. If you want an interesting\ndemonstration of this, ping the subnet broadcast address on your LAN\nand then do an « arp -a.'' Note also that hiding names in the DNS\ndoesn't address the problem of host names « leaking'' out in mail\nheaders, news articles, etc.\nThis approach is one of many, and is useful for organizations that\nwish to hide their host names from the Internet. The success of this\napproach lies on the fact that DNS clients on a machine don't have to\ntalk to a DNS server on that same machine. In other words, just\nbecause there's a DNS server on a machine, there's nothing wrong with\n(and there are often advantages to) redirecting that machine's DNS\nclient activity to a DNS server on another machine.\nFirst, you set up a DNS server on the bastion host that the outside\nworld can talk to. You set this server up so that it claims to be\nauthoritative for your domains. In fact, all this server knows is what\nyou want the outside world to know; the names and addresses of your\ngateways, your wildcard MX records, and so forth. This is the « public''\nserveur.\nThen, you set up a DNS server on an internal machine. This server also\nclaims to be authoritative for your domains; unlike the public server,\nthis one is telling the truth. This is your « normal'' nameserver, into\nwhich you put all your « normal'' DNS stuff. You also set this server up\nto forward queries that it can't resolve to the public server (using a\n« forwarders'' line in /etc/named.boot on a Unix machine, for example).\nFinally, you set up all your DNS clients (the /etc/resolv.conf\nfile on a Unix box, for instance), including the ones on the machine\nwith the public server, to use the internal server. This is the key.\nAn internal client asking about an internal host asks the internal\nserver, and gets an answer; an internal client asking about an\nexternal host asks the internal server, which asks the public server,\nwhich asks the Internet, and the answer is relayed back. A client on\nthe public server works just the same way. An external client,\nhowever, asking about an internal host gets back the « restricted''\nanswer from the public server.\nThis approach assumes that there's a packet filtering firewall between\nthese two servers that will allow them to talk DNS to each other, but\notherwise restricts DNS between other hosts.\nAnother trick that's useful in this scheme is to employ wildcard PTR\nrecords in your IN-ADDR.ARPA domains. These cause an an\naddress-to-name lookup for any of your non-public hosts to return\nsomething like « unknown.YOUR.DOMAIN'' rather than an error. Ce\nsatisfies anonymous FTP sites like ftp.uu.net that insist on having a\nname for the machines they talk to. This may fail when talking to\nsites that do a DNS cross-check in which the host name is matched\nagainst its address and vice versa.","html":"Some organizations want to hide DNS names from the outside. Beaucoup\nexperts don't think hiding DNS names is worthwhile, but if\nsite/corporate policy mandates hiding domain names, this is one\napproach that is known to work. Another reason you may have to hide\ndomain names is if you have a non-standard addressing scheme on your\ninternal network. In that case, you have no choice but to hide those\nadresses. Don't fool yourself into thinking that if your DNS names\nare hidden that it will slow an attacker down much if they break into\nyour firewall. Information about what is on your network is too easily\ngleaned from the networking layer itself. If you want an interesting\ndemonstration of this, ping the subnet broadcast address on your LAN\nand then do an « arp -a.'' Note also that hiding names in the DNS\ndoesn't address the problem of host names « leaking'' out in mail\nheaders, news articles, etc.\nThis approach is one of many, and is useful for organizations that\nwish to hide their host names from the Internet. The success of this\napproach lies on the fact that DNS clients on a machine don't have to\ntalk to a DNS server on that same machine. In other words, just\nbecause there's a DNS server on a machine, there's nothing wrong with\n(and there are often advantages to) redirecting that machine's DNS\nclient activity to a DNS server on another machine.\nFirst, you set up a DNS server on the bastion host that the outside\nworld can talk to. You set this server up so that it claims to be\nauthoritative for your domains. In fact, all this server knows is what\nyou want the outside world to know; the names and addresses of your\ngateways, your wildcard MX records, and so forth. This is the « public''\nserveur.\nThen, you set up a DNS server on an internal machine. This server also\nclaims to be authoritative for your domains; unlike the public server,\nthis one is telling the truth. This is your « normal'' nameserver, into\nwhich you put all your « normal'' DNS stuff. You also set this server up\nto forward queries that it can't resolve to the public server (using a\n« forwarders'' line in /etc/named.boot on a Unix machine, for example).\nFinally, you set up all your DNS clients (the /etc/resolv.conf\nfile on a Unix box, for instance), including the ones on the machine\nwith the public server, to use the internal server. This is the key.\nAn internal client asking about an internal host asks the internal\nserver, and gets an answer; an internal client asking about an\nexternal host asks the internal server, which asks the public server,\nwhich asks the Internet, and the answer is relayed back. A client on\nthe public server works just the same way. An external client,\nhowever, asking about an internal host gets back the « restricted''\nanswer from the public server.\nThis approach assumes that there's a packet filtering firewall between\nthese two servers that will allow them to talk DNS to each other, but\notherwise restricts DNS between other hosts.\nAnother trick that's useful in this scheme is to employ wildcard PTR\nrecords in your IN-ADDR.ARPA domains. These cause an an\naddress-to-name lookup for any of your non-public hosts to return\nsomething like « unknown.YOUR.DOMAIN'' rather than an error. Ce\nsatisfies anonymous FTP sites like ftp.uu.net that insist on having a\nname for the machines they talk to. This may fail when talking to\nsites that do a DNS cross-check in which the host name is matched\nagainst its address and vice versa.
"},{"id":"text-175","type":"text","heading":"","plain_text":"5.5 How do I make FTP work through my firewall?","html":"5.5 How do I make FTP work through my firewall?
"},{"id":"text-176","type":"text","heading":"","plain_text":"Generally, making FTP work through the firewall is done either using a\nproxy server such as the firewall toolkit's ftp-gw or by permitting\nincoming connections to the network at a restricted port range, and\notherwise restricting incoming connections using something like\n« established'' screening rules. The FTP client is then modified to bind\nthe data port to a port within that range. This entails being able to\nmodify the FTP client application on internal hosts.\nIn some cases, if FTP downloads are all you wish to support, you might\nwant to consider declaring FTP a « dead protocol'' and letting you users\ndownload files via the Web instead. The user interface certainly is\nnicer, and it gets around the ugly callback port problem. Si vous\nchoose the FTP-via-Web approach, your users will be unable to FTP\nfiles out, which, depending on what you are trying to accomplish, may\nbe a problem.\nA different approach is to use the FTP « PASV'' option to indicate\nthat the remote FTP server should permit the client to initiate\nconnections. The PASV approach assumes that the FTP server on the\nremote system supports that operation. (See « Firewall-Friendly\nFTP'' [1].)\nOther sites prefer to build client versions of the FTP program that\nare linked against a SOCKS library.","html":"Generally, making FTP work through the firewall is done either using a\nproxy server such as the firewall toolkit's ftp-gw or by permitting\nincoming connections to the network at a restricted port range, and\notherwise restricting incoming connections using something like\n« established'' screening rules. The FTP client is then modified to bind\nthe data port to a port within that range. This entails being able to\nmodify the FTP client application on internal hosts.\nIn some cases, if FTP downloads are all you wish to support, you might\nwant to consider declaring FTP a « dead protocol'' and letting you users\ndownload files via the Web instead. The user interface certainly is\nnicer, and it gets around the ugly callback port problem. Si vous\nchoose the FTP-via-Web approach, your users will be unable to FTP\nfiles out, which, depending on what you are trying to accomplish, may\nbe a problem.\nA different approach is to use the FTP « PASV'' option to indicate\nthat the remote FTP server should permit the client to initiate\nconnections. The PASV approach assumes that the FTP server on the\nremote system supports that operation. (See « Firewall-Friendly\nFTP'' [1].)\nOther sites prefer to build client versions of the FTP program that\nare linked against a SOCKS library.
"},{"id":"text-177","type":"text","heading":"","plain_text":"5.6 How do I make Telnet work through my firewall?","html":"5.6 How do I make Telnet work through my firewall?
"},{"id":"text-178","type":"text","heading":"","plain_text":"Telnet is generally supported either by using an application proxy\nsuch as the firewall toolkit's tn-gw, or by simply configuring a\nrouter to permit outgoing connections using something like the\n« established'' screening rules. Application proxies could be in the\nform of a standalone proxy running on the bastion host, or in the form\nof a SOCKS server and a modified client.","html":"Telnet is generally supported either by using an application proxy\nsuch as the firewall toolkit's tn-gw, or by simply configuring a\nrouter to permit outgoing connections using something like the\n« established'' screening rules. Application proxies could be in the\nform of a standalone proxy running on the bastion host, or in the form\nof a SOCKS server and a modified client.
"},{"id":"text-179","type":"text","heading":"","plain_text":"5.7 How do I make Finger and whois work through my firewall?","html":"5.7 How do I make Finger and whois work through my firewall?
"},{"id":"text-180","type":"text","heading":"","plain_text":"Many firewall admins permit connections to the finger port from only\ntrusted machines, which can issue finger requests in the form of:\nfinger user@host.domain@firewall. This approach only works with the\nstandard Unix version of finger. Controlling access to services and\nrestricting them to specific machines is managed using either\ntcp_wrappers or netacl from the firewall toolkit. This approach will\nnot work on all systems, since some finger servers do not permit\nuser@host@host fingering.\nMany sites block inbound finger requests for a variety of reasons,\nforemost being past security bugs in the finger server (the Morris\ninternet worm made these bugs famous) and the risk of proprietary or\nsensitive information being revealed in user's finger information. Dans\ngeneral, however, if your users are accustomed to putting proprietary\nor sensitive information in their .plan files, you have a more\nserious security problem than just a firewall can solve.","html":"Many firewall admins permit connections to the finger port from only\ntrusted machines, which can issue finger requests in the form of:\nfinger user@host.domain@firewall. This approach only works with the\nstandard Unix version of finger. Controlling access to services and\nrestricting them to specific machines is managed using either\ntcp_wrappers or netacl from the firewall toolkit. This approach will\nnot work on all systems, since some finger servers do not permit\nuser@host@host fingering.\nMany sites block inbound finger requests for a variety of reasons,\nforemost being past security bugs in the finger server (the Morris\ninternet worm made these bugs famous) and the risk of proprietary or\nsensitive information being revealed in user's finger information. Dans\ngeneral, however, if your users are accustomed to putting proprietary\nor sensitive information in their .plan files, you have a more\nserious security problem than just a firewall can solve.
"},{"id":"text-181","type":"text","heading":"","plain_text":"5.8 How do I make gopher, archie, and other services work\n through my firewall?","html":"5.8 How do I make gopher, archie, and other services work\n through my firewall?
"},{"id":"text-182","type":"text","heading":"","plain_text":"The majority of firewall administrators choose to support gopher and\narchie through web proxies, instead of directly. Proxies such as the\nfirewall toolkit's http-gw convert gopher/gopher+ queries\ninto HTML and vice versa. For supporting archie and other queries,\nmany sites rely on Internet-based Web-to-archie servers, such as\nArchiePlex. The Web's tendency to make everything on the Internet look\nlike a web service is both a blessing and a curse.\nThere are many new services constantly cropping up. Often they are\nmisdesigned or are not designed with security in mind, and their\ndesigners will cheerfully tell you if you want to use them you need to\nlet port xxx through your router. Unfortunately, not everyone can do\nthat, and so a number of interesting new toys are difficult to use for\npeople behind firewalls. Things like RealAudio, which require direct\nUDP access, are particularly egregious examples. The thing to bear in\nmind if you find yourself faced with one of these problems is to find\nout as much as you can about the security risks that the service may\npresent, before you just allow it through. It's quite possible the\nservice has no security implications. It's equally possible that it\nhas undiscovered holes you could drive a truck through.","html":"The majority of firewall administrators choose to support gopher and\narchie through web proxies, instead of directly. Proxies such as the\nfirewall toolkit's http-gw convert gopher/gopher+ queries\ninto HTML and vice versa. For supporting archie and other queries,\nmany sites rely on Internet-based Web-to-archie servers, such as\nArchiePlex. The Web's tendency to make everything on the Internet look\nlike a web service is both a blessing and a curse.\nThere are many new services constantly cropping up. Often they are\nmisdesigned or are not designed with security in mind, and their\ndesigners will cheerfully tell you if you want to use them you need to\nlet port xxx through your router. Unfortunately, not everyone can do\nthat, and so a number of interesting new toys are difficult to use for\npeople behind firewalls. Things like RealAudio, which require direct\nUDP access, are particularly egregious examples. The thing to bear in\nmind if you find yourself faced with one of these problems is to find\nout as much as you can about the security risks that the service may\npresent, before you just allow it through. It's quite possible the\nservice has no security implications. It's equally possible that it\nhas undiscovered holes you could drive a truck through.
"},{"id":"text-183","type":"text","heading":"","plain_text":"5.9 What are the issues about X11 through a firewall?","html":"5.9 What are the issues about X11 through a firewall?
"},{"id":"text-184","type":"text","heading":"","plain_text":"The X Windows System is a very useful system, but unfortunately has\nsome major security flaws. Remote systems that can gain or spoof\naccess to a workstation's X11 display can monitor keystrokes that a\nuser enters, download copies of the contents of their windows, etc.\nWhile attempts have been made to overcome them (E.g., MIT « Magic\nCookie'') it is still entirely too easy for an attacker to interfere\nwith a user's X11 display. Most firewalls block all X11 traffic. Certains\npermit X11 traffic through application proxies such as the DEC CRL X11\nproxy (FTP crl.dec.com). The firewall toolkit includes a proxy for\nX11, called x-gw, which a user can invoke via the Telnet proxy, to\ncreate a virtual X11 server on the firewall. When requests are made\nfor an X11 connection on the virtual X11 server, the user is presented\nwith a pop-up asking them if it is OK to allow the connection. Tandis que\nthis is a little unaesthetic, it's entirely in keeping with the rest\nof X11.","html":"The X Windows System is a very useful system, but unfortunately has\nsome major security flaws. Remote systems that can gain or spoof\naccess to a workstation's X11 display can monitor keystrokes that a\nuser enters, download copies of the contents of their windows, etc.\nWhile attempts have been made to overcome them (E.g., MIT « Magic\nCookie'') it is still entirely too easy for an attacker to interfere\nwith a user's X11 display. Most firewalls block all X11 traffic. Certains\npermit X11 traffic through application proxies such as the DEC CRL X11\nproxy (FTP crl.dec.com). The firewall toolkit includes a proxy for\nX11, called x-gw, which a user can invoke via the Telnet proxy, to\ncreate a virtual X11 server on the firewall. When requests are made\nfor an X11 connection on the virtual X11 server, the user is presented\nwith a pop-up asking them if it is OK to allow the connection. Tandis que\nthis is a little unaesthetic, it's entirely in keeping with the rest\nof X11.
"},{"id":"text-185","type":"text","heading":"","plain_text":"5.10 How do I make RealAudio work through my firewall?","html":"5.10 How do I make RealAudio work through my firewall?
"},{"id":"text-186","type":"text","heading":"","plain_text":"RealNetworks maintains some information about how to get RealAudio\nworking through your firewall7. It would be unwise to\nfaire tout changes to your firewall without understanding what\nthe changes will do, exactly, and knowing what risks the new changes\nwill bring with them.","html":"RealNetworks maintains some information about how to get RealAudio\nworking through your firewall7. It would be unwise to\nfaire tout changes to your firewall without understanding what\nthe changes will do, exactly, and knowing what risks the new changes\nwill bring with them.
"},{"id":"text-187","type":"text","heading":"","plain_text":"5.11 How do I make my web server act as a front-end for a\n database that lives on my private network?","html":"5.11 How do I make my web server act as a front-end for a\n database that lives on my private network?
"},{"id":"text-188","type":"text","heading":"","plain_text":"The best way to do this is to allow very limited connectivity between\nyour web server and your database server via a specific protocol that\nonly supports the level of functionality you're going to use.\nAllowing raw SQL, or anything else where custom extractions could be\nperformed by an attacker isn't generally a good idea.\nAssume that an attacker is going to be able to break into your web\nserver, and make queries in the same way that the web server can. Est\nthere a mechanism for extracting sensitive information that the web\nserver doesn't need, like credit card information? Can an attacker\nissue an SQL sélectionner and extract your entire proprietary\ndatabase?\n« E-commerce'' applications, like everything else, are best designed\nwith security in mind from the ground up, instead of having security\n« added'' as an afterthought. Review your architecture critically, from\nthe perspective of an attacker. Assume that the attacker knows\neverything about your architecture. Now ask yourself what needs to be\ndone to steal your data, to make unauthorized changes, or to do\nanything else that you don't want done. You might find that you can\nsignificantly increase security without decreasing functionality by\nmaking a few design and implementation decisions.\nSome ideas for how to handle this:","html":"The best way to do this is to allow very limited connectivity between\nyour web server and your database server via a specific protocol that\nonly supports the level of functionality you're going to use.\nAllowing raw SQL, or anything else where custom extractions could be\nperformed by an attacker isn't generally a good idea.\nAssume that an attacker is going to be able to break into your web\nserver, and make queries in the same way that the web server can. Est\nthere a mechanism for extracting sensitive information that the web\nserver doesn't need, like credit card information? Can an attacker\nissue an SQL sélectionner and extract your entire proprietary\ndatabase?\n« E-commerce'' applications, like everything else, are best designed\nwith security in mind from the ground up, instead of having security\n« added'' as an afterthought. Review your architecture critically, from\nthe perspective of an attacker. Assume that the attacker knows\neverything about your architecture. Now ask yourself what needs to be\ndone to steal your data, to make unauthorized changes, or to do\nanything else that you don't want done. You might find that you can\nsignificantly increase security without decreasing functionality by\nmaking a few design and implementation decisions.\nSome ideas for how to handle this:
"},{"id":"text-189","type":"text","heading":"","plain_text":"Extract the data you need from the database on a regular basis\n so you're not making queries against the full database, complete\n with information that attackers will find interesting.","html":"Extract the data you need from the database on a regular basis\n so you're not making queries against the full database, complete\n with information that attackers will find interesting.
"},{"id":"text-190","type":"text","heading":"","plain_text":"Greatly restrict and audit what you do allow between the web\n server and database.","html":"Greatly restrict and audit what you do allow between the web\n server and database.
"},{"id":"text-191","type":"text","heading":"","plain_text":"5.12 But my database has an integrated web server, and I want\n to use that. Can't I just poke a hole in the firewall and tunnel\n that port?","html":"5.12 But my database has an integrated web server, and I want\n to use that. Can't I just poke a hole in the firewall and tunnel\n that port?
"},{"id":"text-192","type":"text","heading":"","plain_text":"If your site firewall policy is sufficiently lax that you're willing\nto manage the risk that someone will exploit a vulnerability in your\nweb server that will result in partial or complete exposure of your\ndatabase, then there isn't much preventing you from doing this.\nHowever, in many organizations, the people who are responsible for\ntying the web front end to the database back end simply do not have\nthe authority to take that responsibility. Further, if the\ninformation in the database is about people, you might find yourself\nguilty of breaking a number of laws if you haven't taken reasonable\nprecautions to prevent the system from being abused.\nIn general, this isn't a good idea. See question 5.11 for\nsome ideas on other ways to accomplish this objective.","html":"If your site firewall policy is sufficiently lax that you're willing\nto manage the risk that someone will exploit a vulnerability in your\nweb server that will result in partial or complete exposure of your\ndatabase, then there isn't much preventing you from doing this.\nHowever, in many organizations, the people who are responsible for\ntying the web front end to the database back end simply do not have\nthe authority to take that responsibility. Further, if the\ninformation in the database is about people, you might find yourself\nguilty of breaking a number of laws if you haven't taken reasonable\nprecautions to prevent the system from being abused.\nIn general, this isn't a good idea. See question 5.11 for\nsome ideas on other ways to accomplish this objective.
"},{"id":"text-193","type":"text","heading":"","plain_text":"5.13 How Do I Make IP Multicast Work With My Firewall?","html":"5.13 How Do I Make IP Multicast Work With My Firewall?
"},{"id":"text-194","type":"text","heading":"","plain_text":"IP multicast is a means of getting IP traffic from one host to a set\nof hosts without using broadcasting; that is, instead of every host\ngetting the traffic, only those that want it will get it, without each\nhaving to maintain a separate connection to the server. IP unicast is\nwhere one host talks to another, multicast is where one host talks to\na set of hosts, and broadcast is where one host talks to all hosts.\nThe public Internet has a multicast backbone (« MBone'') where users\ncan engage in multicast traffic exchange. Common uses for the MBone\nare streams of IETF meetings and similar such interaction. Getting\none's own network connected to the MBone will require that the\nupstream provider route multicast traffic to and from your network.\nAdditionally, your internal network will have to support multicast\nrouting.\nThe role of the firewall in multicast routing, conceptually, is no\ndifferent from its role in other traffic routing. That is, a policy\nthat identifies which multicast groups are and aren't allowed must be\ndefined and then a system of allowing that traffic according to policy\nmust be devised. Great detail on how exactly to do this is beyond the\nscope of this document. Fortunately, RFC 2588 [4]\ndiscusses the subject in more detail. Unless your firewall product\nsupports some means of selective multicast forwarding or you have the\nability to put it in yourself, you might find forwarding multicast\ntraffic in a way consistent with your security policy to be a bigger\nheadache than it's worth.","html":"IP multicast is a means of getting IP traffic from one host to a set\nof hosts without using broadcasting; that is, instead of every host\ngetting the traffic, only those that want it will get it, without each\nhaving to maintain a separate connection to the server. IP unicast is\nwhere one host talks to another, multicast is where one host talks to\na set of hosts, and broadcast is where one host talks to all hosts.\nThe public Internet has a multicast backbone (« MBone'') where users\ncan engage in multicast traffic exchange. Common uses for the MBone\nare streams of IETF meetings and similar such interaction. Getting\none's own network connected to the MBone will require that the\nupstream provider route multicast traffic to and from your network.\nAdditionally, your internal network will have to support multicast\nrouting.\nThe role of the firewall in multicast routing, conceptually, is no\ndifferent from its role in other traffic routing. That is, a policy\nthat identifies which multicast groups are and aren't allowed must be\ndefined and then a system of allowing that traffic according to policy\nmust be devised. Great detail on how exactly to do this is beyond the\nscope of this document. Fortunately, RFC 2588 [4]\ndiscusses the subject in more detail. Unless your firewall product\nsupports some means of selective multicast forwarding or you have the\nability to put it in yourself, you might find forwarding multicast\ntraffic in a way consistent with your security policy to be a bigger\nheadache than it's worth.
"},{"id":"text-195","type":"text","heading":"","plain_text":"by Mikael Olsson\nThis appendix will begin at a fairly « basic'' level, so even if the\nfirst points seem childishly self-evident to you, you might still\nlearn something from skipping ahead to something later in the text.","html":"by Mikael Olsson\nThis appendix will begin at a fairly « basic'' level, so even if the\nfirst points seem childishly self-evident to you, you might still\nlearn something from skipping ahead to something later in the text.
"},{"id":"text-196","type":"text","heading":"","plain_text":"6.1 What is a port?","html":"6.1 What is a port?
"},{"id":"text-197","type":"text","heading":"","plain_text":"A « port'' is « virtual slot'' in your TCP and UDP stack that is used\nto map a connection between two hosts, and also between the TCP/UDP\nlayer and the actual applications running on the hosts.\nThey are numbered 0-65535, with the range 0-1023 being marked as\n« reserved'' or « privlileged'', and the rest (1024-65535) as\n« dynamic'' or « unprivileged''.\nThere are basically two uses for ports:","html":"A « port'' is « virtual slot'' in your TCP and UDP stack that is used\nto map a connection between two hosts, and also between the TCP/UDP\nlayer and the actual applications running on the hosts.\nThey are numbered 0-65535, with the range 0-1023 being marked as\n« reserved'' or « privlileged'', and the rest (1024-65535) as\n« dynamic'' or « unprivileged''.\nThere are basically two uses for ports:
"},{"id":"text-198","type":"text","heading":"","plain_text":"« Listening'' on a port.\nThis is used by server applications waiting for users to connect, to\n get to some « well known service'', for instance HTTP (TCP port 80),\n Telnet (TCP port 23), DNS (UDP and sometimes TCP port 53).","html":"« Listening'' on a port.\nThis is used by server applications waiting for users to connect, to\n get to some « well known service'', for instance HTTP (TCP port 80),\n Telnet (TCP port 23), DNS (UDP and sometimes TCP port 53).
"},{"id":"text-199","type":"text","heading":"","plain_text":"Opening a « dynamic'' port.\nBoth sides of a TCP connection need to be identified by IP addresses\n and port numbers. Hence, when you want to « connect'' to a server\n process, your end of the communications channel also needs a « port''.\n This is done by choosing a port above 1024 on your machine that is\n not currently in use by another communications channel, and using it\n as the « sender'' in the new connection.","html":"Opening a « dynamic'' port.\nBoth sides of a TCP connection need to be identified by IP addresses\n and port numbers. Hence, when you want to « connect'' to a server\n process, your end of the communications channel also needs a « port''.\n This is done by choosing a port above 1024 on your machine that is\n not currently in use by another communications channel, and using it\n as the « sender'' in the new connection.
"},{"id":"text-200","type":"text","heading":"","plain_text":"Dynamic ports may also be used as « listening'' ports in some\napplications, most notably FTP.\nPorts in the range 0-1023 are almost always server ports. Ports in\nthe range 1024-65535 are usually dynamic ports (i.e., opened\ndynamically when you connect to a server port). cependant, tout\nport may be used as a server port, and tout port may be used as\nan « outgoing'' port.\nSo, to sum it up, here's what happens in a basic connection:","html":"Dynamic ports may also be used as « listening'' ports in some\napplications, most notably FTP.\nPorts in the range 0-1023 are almost always server ports. Ports in\nthe range 1024-65535 are usually dynamic ports (i.e., opened\ndynamically when you connect to a server port). cependant, tout\nport may be used as a server port, and tout port may be used as\nan « outgoing'' port.\nSo, to sum it up, here's what happens in a basic connection:
"},{"id":"text-201","type":"text","heading":"","plain_text":"At some point in time, a server application on host 1.2.3.4\n decides to « listen'' at port 80 (HTTP) for new connections.","html":"At some point in time, a server application on host 1.2.3.4\n decides to « listen'' at port 80 (HTTP) for new connections.
"},{"id":"text-202","type":"text","heading":"","plain_text":"You (5.6.7.8) want to surf to 1.2.3.4, port 80, and your browser\n issues a connect call to it.","html":"You (5.6.7.8) want to surf to 1.2.3.4, port 80, and your browser\n issues a connect call to it.
"},{"id":"text-203","type":"text","heading":"","plain_text":"The connect call, realising that it doesn't yet have local port\n number, goes hunting for one. The local port number is necessary\n since when the replies come back some time in the future, your\n TCP/IP stack will have to know to what application to pass the\n reply. It does this by remembering what application uses which local\n port number. (This is grossly simplified, no flames from\n programmers, please.)","html":"The connect call, realising that it doesn't yet have local port\n number, goes hunting for one. The local port number is necessary\n since when the replies come back some time in the future, your\n TCP/IP stack will have to know to what application to pass the\n reply. It does this by remembering what application uses which local\n port number. (This is grossly simplified, no flames from\n programmers, please.)
"},{"id":"text-204","type":"text","heading":"","plain_text":"Your TCP stack finds an unused dynamic port, usually somewhere\n above 1024. Let's assume that it finds 1029.","html":"Your TCP stack finds an unused dynamic port, usually somewhere\n above 1024. Let's assume that it finds 1029.
"},{"id":"text-205","type":"text","heading":"","plain_text":"Your first packet is then sent, from your local IP, 5.6.7.8,\n port 1029, to 1.2.3.4, port 80.","html":"Your first packet is then sent, from your local IP, 5.6.7.8,\n port 1029, to 1.2.3.4, port 80.
"},{"id":"text-206","type":"text","heading":"","plain_text":"The server responds with a packet from 1.2.3.4, port 80, to you,\n 5.6.7.8, port 1029.","html":"The server responds with a packet from 1.2.3.4, port 80, to you,\n 5.6.7.8, port 1029.
"},{"id":"text-207","type":"text","heading":"","plain_text":"This procedure is actually longer than this, read on for a more\n in-depth explanation of TCP connect sequences.","html":"This procedure is actually longer than this, read on for a more\n in-depth explanation of TCP connect sequences.
"},{"id":"text-208","type":"text","heading":"","plain_text":"6.2 How do I know which application uses what port?","html":"6.2 How do I know which application uses what port?
"},{"id":"text-209","type":"text","heading":"","plain_text":"There are several lists outlining the « reserved'' and « well known''\nports, as well as « commonly used'' ports, and the best one is:\nftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers.\nFor those of you still reading RFC 1700 to find out what port number\ndoes what, STOP DOING IT. It is horribly out of date, and it won't be\nless so tomorrow.\nNow, as for trusting this information: These lists do not, in any way,\nconstitute any kind of holy bible on which ports do what.\nWait, let me rephrase that: THERE IS NO WAY OF RELIABLY DETERMINING\nWHAT PORT DOES WHAT SIMPLY BY LOOKING IN A LIST.","html":"There are several lists outlining the « reserved'' and « well known''\nports, as well as « commonly used'' ports, and the best one is:\nftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers.\nFor those of you still reading RFC 1700 to find out what port number\ndoes what, STOP DOING IT. It is horribly out of date, and it won't be\nless so tomorrow.\nNow, as for trusting this information: These lists do not, in any way,\nconstitute any kind of holy bible on which ports do what.\nWait, let me rephrase that: THERE IS NO WAY OF RELIABLY DETERMINING\nWHAT PORT DOES WHAT SIMPLY BY LOOKING IN A LIST.
"},{"id":"text-210","type":"text","heading":"","plain_text":"6.3 What are LISTENING ports?","html":"6.3 What are LISTENING ports?
"},{"id":"text-211","type":"text","heading":"","plain_text":"Suppose you did « netstat -a'' on your machine and ports 1025 and 1030\nshowed up as LISTENing. What do they do?\nRight, let's take a look in the assigned port numbers list.","html":"Suppose you did « netstat -a'' on your machine and ports 1025 and 1030\nshowed up as LISTENing. What do they do?\nRight, let's take a look in the assigned port numbers list.
"},{"id":"text-212","type":"text","heading":"","plain_text":"blackjack 1025/tcp network blackjack\n iad1 1030/tcp BBN IAD","html":"blackjack 1025/tcp network blackjack\n iad1 1030/tcp BBN IAD
"},{"id":"text-213","type":"text","heading":"","plain_text":"Wait, what's happening? Has my workstation stolen my VISA number and\ndecided to go play blackjack with some rogue server on the internet?\nAnd what's that software that BBN has installed?\nThis is NOT where you start panicking and send mail to the firewalls\nlist. In fact, this question has been asked maybe a dozen times during\nthe past six months, and every time it's been answered. Not that THAT\nkeeps people from asking the same question again.\nIf you are asking this question, you are most likely using a windows\nboîte. The ports you are seeing are (most likely) two listening ports\nthat the RPC subsystem opens when it starts up.\nThis is an example of where dynamicly assigned ports may be used by\nserver processes. Applications using RPC will later on connect to port\n135 (the netbios « portmapper'') to query where to find some RPC\nservice, and get an answer back saying that that particular service\nmay be contacted on port 1025.\nNow, how do we know this, since there's no « list'' describing these\nports? Simple: There's no substitute for experience. And using the\nmailing list search engines also helps a hell of a lot.","html":"Wait, what's happening? Has my workstation stolen my VISA number and\ndecided to go play blackjack with some rogue server on the internet?\nAnd what's that software that BBN has installed?\nThis is NOT where you start panicking and send mail to the firewalls\nlist. In fact, this question has been asked maybe a dozen times during\nthe past six months, and every time it's been answered. Not that THAT\nkeeps people from asking the same question again.\nIf you are asking this question, you are most likely using a windows\nboîte. The ports you are seeing are (most likely) two listening ports\nthat the RPC subsystem opens when it starts up.\nThis is an example of where dynamicly assigned ports may be used by\nserver processes. Applications using RPC will later on connect to port\n135 (the netbios « portmapper'') to query where to find some RPC\nservice, and get an answer back saying that that particular service\nmay be contacted on port 1025.\nNow, how do we know this, since there's no « list'' describing these\nports? Simple: There's no substitute for experience. And using the\nmailing list search engines also helps a hell of a lot.
"},{"id":"text-214","type":"text","heading":"","plain_text":"6.4 How do I determine what service the port is for?","html":"6.4 How do I determine what service the port is for?
"},{"id":"text-215","type":"text","heading":"","plain_text":"Since it is impossible to learn what port does what by looking in a\nlist, how do i do it?\nThe old hands-on way of doing it is by shutting down nearly every\nservice/daemon running on your machine, doing netstat -a et\ntaking note of what ports are open. There shouldn't be very many\nlistening ones. Then you start turning all the services on, one by\none, and take note of what new ports show up in your netstat output.\nAnother way, that needs more guess work, is simply telnetting to the\nports and see what comes out. If nothing comes out, try typing some\ngibberish and slamming Enter a few times, and see if something turns\nup. If you get binary garble, or nothing at all, this obviously won't\nT'aider. :-)\nHowever, this will only tell you what listening ports are used. Il\nwon't tell you about dynamically opened ports that may be opened later\non by these applications.\nThere are a few applications that might help you track down the ports\nutilisé.\nOn Unix systems, there's a nice utility called lsof ça arrive\npreinstalled on many systems. It will show you all open port numbers\nand the names of the applications that are using them. Ça signifie\nthat it might show you a lot of locally opened files aswell as TCP/IP\nsockets. Read the help text. :-)\nOn windows systems, nothing comes preinstalled to assist you in this\ntask. (What's new?) There's a utility called « Inzider'' which\ninstalls itself inside the windows sockets layer and dynamically\nremembers which process opens which port. The drawback of this\napproach is that it can't tell you what ports were opened before\ninzider started, but it's the best that you'll get on windows (to my\nknowledge).\nhttp://ntsecurity.nu/toolbox/inzider/.","html":"Since it is impossible to learn what port does what by looking in a\nlist, how do i do it?\nThe old hands-on way of doing it is by shutting down nearly every\nservice/daemon running on your machine, doing netstat -a et\ntaking note of what ports are open. There shouldn't be very many\nlistening ones. Then you start turning all the services on, one by\none, and take note of what new ports show up in your netstat output.\nAnother way, that needs more guess work, is simply telnetting to the\nports and see what comes out. If nothing comes out, try typing some\ngibberish and slamming Enter a few times, and see if something turns\nup. If you get binary garble, or nothing at all, this obviously won't\nT'aider. :-)\nHowever, this will only tell you what listening ports are used. Il\nwon't tell you about dynamically opened ports that may be opened later\non by these applications.\nThere are a few applications that might help you track down the ports\nutilisé.\nOn Unix systems, there's a nice utility called lsof ça arrive\npreinstalled on many systems. It will show you all open port numbers\nand the names of the applications that are using them. Ça signifie\nthat it might show you a lot of locally opened files aswell as TCP/IP\nsockets. Read the help text. :-)\nOn windows systems, nothing comes preinstalled to assist you in this\ntask. (What's new?) There's a utility called « Inzider'' which\ninstalls itself inside the windows sockets layer and dynamically\nremembers which process opens which port. The drawback of this\napproach is that it can't tell you what ports were opened before\ninzider started, but it's the best that you'll get on windows (to my\nknowledge).\nhttp://ntsecurity.nu/toolbox/inzider/.
"},{"id":"text-216","type":"text","heading":"","plain_text":"6.5 What ports are safe to pass through a firewall?","html":"6.5 What ports are safe to pass through a firewall?
"},{"id":"text-217","type":"text","heading":"","plain_text":"ALL.\nNo, wait, NONE.\nNo, wait, uuhhh… I've heard that all ports above 1024 are safe since\nthey're only dynamic??\nPas vraiment. You CANNOT tell what ports are safe simply by looking at\nits number, simply because that is really all it is. A number. Vous\ncan't mount an attack through a 16-bit number.\nThe security of a « port'' depends on what application you'll reach\nthrough that port.\nA common misconception is that ports 25 (SMTP) and 80 (HTTP) are safe\nto pass through a firewall. *meep* WRONG. Just because everyone is\ndoing it doesn't mean that it is safe.\nAgain, the security of a port depends on what application you'll reach\nthrough that port.\nIf you're running a well-written web server, that is designed from the\nground up to be secure, you can probably feel reasonably assured that\nit's safe to let outside people access it through port 80. Otherwise,\nyou CAN'T.\nThe problem here is not in the network layer. It's in how the\napplication processes the data that it receives. This data may be\nreceived through port 80, port 666, a serial line, floppy or through\nsinging telegram. If the application is not safe, it does not matter\nhow the data gets to it. The application data is where the real danger\nlies.\nIf you are interested in the security of your application, go\ns'abonner à\nbugtraq8or or try searching their archives.\nThis is more of an application security issue rather than a firewall\nsecurity issue. One could argue that a firewall should stop all\npossible attacks, but with the number of new network protocols, NOT\ndesigned with security in mind, and networked applications, neither\ndesigned with security in mind, it becomes impossible for a firewall\nto protect against all data-driven attacks.","html":"ALL.\nNo, wait, NONE.\nNo, wait, uuhhh… I've heard that all ports above 1024 are safe since\nthey're only dynamic??\nPas vraiment. You CANNOT tell what ports are safe simply by looking at\nits number, simply because that is really all it is. A number. Vous\ncan't mount an attack through a 16-bit number.\nThe security of a « port'' depends on what application you'll reach\nthrough that port.\nA common misconception is that ports 25 (SMTP) and 80 (HTTP) are safe\nto pass through a firewall. *meep* WRONG. Just because everyone is\ndoing it doesn't mean that it is safe.\nAgain, the security of a port depends on what application you'll reach\nthrough that port.\nIf you're running a well-written web server, that is designed from the\nground up to be secure, you can probably feel reasonably assured that\nit's safe to let outside people access it through port 80. Otherwise,\nyou CAN'T.\nThe problem here is not in the network layer. It's in how the\napplication processes the data that it receives. This data may be\nreceived through port 80, port 666, a serial line, floppy or through\nsinging telegram. If the application is not safe, it does not matter\nhow the data gets to it. The application data is where the real danger\nlies.\nIf you are interested in the security of your application, go\ns'abonner à\nbugtraq8or or try searching their archives.\nThis is more of an application security issue rather than a firewall\nsecurity issue. One could argue that a firewall should stop all\npossible attacks, but with the number of new network protocols, NOT\ndesigned with security in mind, and networked applications, neither\ndesigned with security in mind, it becomes impossible for a firewall\nto protect against all data-driven attacks.
"},{"id":"text-218","type":"text","heading":"","plain_text":"6.6 The behavior of FTP","html":"6.6 The behavior of FTP
"},{"id":"text-219","type":"text","heading":"","plain_text":"Or, « Why do I have to open all ports above 1024 to my FTP server?''\nFTP doesn't really look a whole lot like other applications from a\nnetworking perspective.\nIt keeps one listening port, port 21, which users connect to. All it\ndoes is let people log on, and establish ANOTHER connection to do\nactual data transfers. This second connection is usually on some port\nabove 1024.\nThere are two modes, « active'' (normal) and « passive'' mode. Ce\nword describes the server's behaviour.\nIn active mode, the client (5.6.7.8) connects to port 21 on the server\n(1.2.3.4) and logs on. When file transfers are due, the client\nallocates a dynamic port above 1024, informs the server about which\nport it opened, and then the server opens a new connection to that\nport. This is the « active'' role of the server: it actively\nestablishes new connections to the client.\nIn passive mode, the connection to port 21 is the same. When file\ntransfers are due, the SERVER allocates a dynamic port above 1024,\ninforms the client about which port it opened, and then the CLIENT\nopens a new connection to that port. This is the « passive'' role of\nthe server: it waits for the client to establish the second (data)\nlien.\nIf your firewall doesn't inspect the application data of the FTP\ncommand connection, it won't know that it needs to dynamically open\nnew ports above 1024.\nOn a side note: The traditional behaviour of FTP servers in active\nmode is to establish the data session FROM port 20, and to the dynamic\nport on the client. FTP servers are steering away from this behaviour\nsomewhat due to the need to run as « root'' on unix systems in order\nto be able to allocate ports below 1024. Running as « root'' is not\ngood for security, since if there's a bug in the software, the\nattacker would be able to compromise the entire machine. The same goes\nfor running as « Administrator'' or « SYSTEM'' (« LocalSystem'') on NT\nmachines, although the low port problem does not apply on NT.\nTo sum it up, if your firewall understands FTP, it'll be able to\nhandle the data connections by itself, and you won't have to worry\nabout ports above 1024.\nIf it does NOT, there are four issues that you need to address:","html":"Or, « Why do I have to open all ports above 1024 to my FTP server?''\nFTP doesn't really look a whole lot like other applications from a\nnetworking perspective.\nIt keeps one listening port, port 21, which users connect to. All it\ndoes is let people log on, and establish ANOTHER connection to do\nactual data transfers. This second connection is usually on some port\nabove 1024.\nThere are two modes, « active'' (normal) and « passive'' mode. Ce\nword describes the server's behaviour.\nIn active mode, the client (5.6.7.8) connects to port 21 on the server\n(1.2.3.4) and logs on. When file transfers are due, the client\nallocates a dynamic port above 1024, informs the server about which\nport it opened, and then the server opens a new connection to that\nport. This is the « active'' role of the server: it actively\nestablishes new connections to the client.\nIn passive mode, the connection to port 21 is the same. When file\ntransfers are due, the SERVER allocates a dynamic port above 1024,\ninforms the client about which port it opened, and then the CLIENT\nopens a new connection to that port. This is the « passive'' role of\nthe server: it waits for the client to establish the second (data)\nlien.\nIf your firewall doesn't inspect the application data of the FTP\ncommand connection, it won't know that it needs to dynamically open\nnew ports above 1024.\nOn a side note: The traditional behaviour of FTP servers in active\nmode is to establish the data session FROM port 20, and to the dynamic\nport on the client. FTP servers are steering away from this behaviour\nsomewhat due to the need to run as « root'' on unix systems in order\nto be able to allocate ports below 1024. Running as « root'' is not\ngood for security, since if there's a bug in the software, the\nattacker would be able to compromise the entire machine. The same goes\nfor running as « Administrator'' or « SYSTEM'' (« LocalSystem'') on NT\nmachines, although the low port problem does not apply on NT.\nTo sum it up, if your firewall understands FTP, it'll be able to\nhandle the data connections by itself, and you won't have to worry\nabout ports above 1024.\nIf it does NOT, there are four issues that you need to address:
"},{"id":"text-220","type":"text","heading":"","plain_text":"Firewalling an FTP server in active mode\nYou need to let your server open new connections to the outside\n world on ports 1024 and above","html":"Firewalling an FTP server in active mode\nYou need to let your server open new connections to the outside\n world on ports 1024 and above
"},{"id":"text-221","type":"text","heading":"","plain_text":"Firewalling an FTP server in passive mode\nYou need to let the outside world connect to ports 1024 and above on\n your server. CAUTION!!!! There may be applications running on some\n of these ports that you do NOT want outside people using. Disallow\n access to these ports before allowing access to the 1024-65535 port\n range.","html":"Firewalling an FTP server in passive mode\nYou need to let the outside world connect to ports 1024 and above on\n your server. CAUTION!!!! There may be applications running on some\n of these ports that you do NOT want outside people using. Disallow\n access to these ports before allowing access to the 1024-65535 port\n range.
"},{"id":"text-222","type":"text","heading":"","plain_text":"Firewalling FTP clients in active mode\nYou need to let the outside world connect to ports 1024 and above on\n your clients. CAUTION!!!! There may be applications running on some\n of these ports that you do NOT want outside people using. Disallow\n access to these ports before allowing access to the 1024-65535 port\n range.","html":"Firewalling FTP clients in active mode\nYou need to let the outside world connect to ports 1024 and above on\n your clients. CAUTION!!!! There may be applications running on some\n of these ports that you do NOT want outside people using. Disallow\n access to these ports before allowing access to the 1024-65535 port\n range.
"},{"id":"text-223","type":"text","heading":"","plain_text":"Firewalling FTP clients in passive mode\nYou need to let your clients open new connections to the outside\n world on ports 1024 and above.","html":"Firewalling FTP clients in passive mode\nYou need to let your clients open new connections to the outside\n world on ports 1024 and above.
"},{"id":"text-224","type":"text","heading":"","plain_text":"Again, if your firewall understands FTP, none of the four points above\napply to you. Let the firewall do the job for you.","html":"Again, if your firewall understands FTP, none of the four points above\napply to you. Let the firewall do the job for you.
"},{"id":"text-225","type":"text","heading":"","plain_text":"6.7 What software uses what FTP mode?","html":"6.7 What software uses what FTP mode?
"},{"id":"text-226","type":"text","heading":"","plain_text":"It is up to the client to decide what mode to use; the default mode\nwhen a new connection is opened is « active mode''.\nMost FTP clients come preconfigured to use active mode, but provide an\noption to use « passive'' (« PASV'') mode. An exception is the\nwindows command line FTP client which only operates in active mode.\nWeb Browsers generally use passive mode when connecting via FTP, with\na weird exception: MSIE 5 will use active FTP when FTP:ing in « File\nExplorer'' mode and passive FTP when FTP:ing in « Web Page'' mode.\nThere is no reason whatsoever for this behaviour; je suppose que\nsomeone in Redmond with no knowledge of FTP decided that « Of course\nwe'll use active mode when we're in file explorer mode, since that\nlooks more active than a web page''. Go figure.","html":"It is up to the client to decide what mode to use; the default mode\nwhen a new connection is opened is « active mode''.\nMost FTP clients come preconfigured to use active mode, but provide an\noption to use « passive'' (« PASV'') mode. An exception is the\nwindows command line FTP client which only operates in active mode.\nWeb Browsers generally use passive mode when connecting via FTP, with\na weird exception: MSIE 5 will use active FTP when FTP:ing in « File\nExplorer'' mode and passive FTP when FTP:ing in « Web Page'' mode.\nThere is no reason whatsoever for this behaviour; je suppose que\nsomeone in Redmond with no knowledge of FTP decided that « Of course\nwe'll use active mode when we're in file explorer mode, since that\nlooks more active than a web page''. Go figure.
"},{"id":"text-227","type":"text","heading":"","plain_text":"6.8 Is my firewall trying to connect outside?","html":"6.8 Is my firewall trying to connect outside?
"},{"id":"text-228","type":"text","heading":"","plain_text":"My firewall logs are telling me that my web server is trying to\nconnect from port 80 to ports above 1024 on the outside. Quel est\nthis?!\nIf you are seeing dropped packets from port 80 on your web server (or\nfrom port 25 on your mail server) to high ports on the outside, they\nusually DO NOT mean that your web server is trying to connect\nsomewhere.\nThey are the result of the firewall timing out a connection, and\nseeing the server retransmitting old responses (or trying to close the\nconnection) to the client.\nTCP connections always involve packets traveling in BOTH directions in\nthe connection.\nIf you are able to see the TCP flags in the dropped packets, you'll\nsee that the ACK flag is set but not the SYN flag, meaning that this\nis actually not a new connection forming, but rather a response of a\npreviously formed connection.\nRead point 8 below for an in-depth explanation of what happens when\nTCP connections are formed (and closed)","html":"My firewall logs are telling me that my web server is trying to\nconnect from port 80 to ports above 1024 on the outside. Quel est\nthis?!\nIf you are seeing dropped packets from port 80 on your web server (or\nfrom port 25 on your mail server) to high ports on the outside, they\nusually DO NOT mean that your web server is trying to connect\nsomewhere.\nThey are the result of the firewall timing out a connection, and\nseeing the server retransmitting old responses (or trying to close the\nconnection) to the client.\nTCP connections always involve packets traveling in BOTH directions in\nthe connection.\nIf you are able to see the TCP flags in the dropped packets, you'll\nsee that the ACK flag is set but not the SYN flag, meaning that this\nis actually not a new connection forming, but rather a response of a\npreviously formed connection.\nRead point 8 below for an in-depth explanation of what happens when\nTCP connections are formed (and closed)
"},{"id":"text-229","type":"text","heading":"","plain_text":"6.9 The anatomy of a TCP connection","html":"6.9 The anatomy of a TCP connection
"},{"id":"text-230","type":"text","heading":"","plain_text":"TCP is equipped with 6 « flags'', which may be ON or OFF. These flags\nsont:","html":"TCP is equipped with 6 « flags'', which may be ON or OFF. These flags\nsont:
"},{"id":"text-231","type":"text","heading":"","plain_text":"FIN\n« Controlled'' connection close","html":"FIN\n« Controlled'' connection close
"},{"id":"text-232","type":"text","heading":"","plain_text":"SYN\nOpen new connection","html":"SYN\nOpen new connection
"},{"id":"text-233","type":"text","heading":"","plain_text":"RST\n« Immediate'' connection close","html":"RST\n« Immediate'' connection close
"},{"id":"text-234","type":"text","heading":"","plain_text":"PSH\nInstruct receiver host to push the data up to the\n application rather than just queue it","html":"PSH\nInstruct receiver host to push the data up to the\n application rather than just queue it
"},{"id":"text-235","type":"text","heading":"","plain_text":"ACK\n« Acknowledge'' a previous packet","html":"ACK\n« Acknowledge'' a previous packet
"},{"id":"text-236","type":"text","heading":"","plain_text":"URG\n« Urgent'' data which needs to be processed immediately","html":"URG\n« Urgent'' data which needs to be processed immediately
"},{"id":"text-237","type":"text","heading":"","plain_text":"In this example, your client is 5.6.7.8, and the port assigned to you\ndynamically is 1049. The server is 1.2.3.4, port 80.\nYou begin the connection attempt:","html":"In this example, your client is 5.6.7.8, and the port assigned to you\ndynamically is 1049. The server is 1.2.3.4, port 80.\nYou begin the connection attempt:
"},{"id":"text-238","type":"text","heading":"","plain_text":"5.6.7.8:1049 -> 1.2.3.4:80 SYN=ON\nThe server receives this packet and understands that someone wants to\nform a new connection. A response is sent:","html":"5.6.7.8:1049 -> 1.2.3.4:80 SYN=ON\nThe server receives this packet and understands that someone wants to\nform a new connection. A response is sent:
"},{"id":"text-239","type":"text","heading":"","plain_text":"1.2.3.4:80 -> 5.6.7.8:1049 SYN=ON ACK=ON\nThe client receives the response, and informs that the response\nis received","html":"1.2.3.4:80 -> 5.6.7.8:1049 SYN=ON ACK=ON\nThe client receives the response, and informs that the response\nis received
"},{"id":"text-240","type":"text","heading":"","plain_text":"5.6.7.8:1049 -> 1.2.3.4:80 ACK=ON\nHere, the connection is opened. This is called a three-way handshake.\nIts purpose is to verify to BOTH hosts that they have a working\nconnection between them.\nThe internet being what it is, unreliable and flooded, there are\nprovisions to compensate for packet loss.\nIf the client sends out the initial SYN without receiving a SYN+ACK\nwithin a few seconds, it'll resend the SYN.\nIf the server sends out the SYN+ACK without receiving an ACK in a few\nseconds, it'll resend the SYN+ACK packet.\nThe latter is actually the reason that SYN flooding works so well. Si\nyou send out SYN packets from lots of different ports, this will tie\nup a lot of resources on the server. If you also refuse to respond to\nthe returned SYN+ACK packets, the server will KEEP these connections\nfor a long time, resending the SYN+ACK packets. Some servers will not\naccept new connections while there are enough connections currently\nforming; this is why SYN flooding works.\nAll packets transmitted in either direction after the three-way\nhandshake will have the ACK bit set. Stateless packet filters make\nuse of this in the so called « established'' filters: They will only\nlet packets through that have the ACK bit set. This way, no packet may\npass through in a certain direction that could form a new connection.\nTypically, you don't allow outside hosts to open new connections to\ninside hosts by requiring the ACK bit set on these packets.\nWhen the time has come to close the connection, there are two ways of\ndoing it: Using the FIN flag, or using the RST flag. Using FIN flags,\nboth implementations are required to send out FIN flags to indicate\nthat they want to close the connection, and then send out\nacknowledgements to these FINs, indicating that they understood that\nthe other end wants to close the connection. When sending out RST's,\nthe connection is closed forcefully, and you don't really get an\nindication of whether the other end understood your reset order, or\nthat it has in fact received all data that you sent to it.\nThe FIN way of closing the connection also exposes you to a\ndenial-of-service situation, since the TCP stack needs to remember the\nclosed connection for a fairly long time, in case the other end hasn't\nreceived one of the FIN packets.\nIf sufficiently many connections are opened and closed, you may end up\nhaving « closed'' connections in all your connection slots. This way,\nyou wouldn't be able to dynamically allocate more connections, seeing\nthat they're all used. Different OSes handle this situation\ndifféremment.\nWe feel this topic is too sensitive to address in a FAQ, however, an\nindependently maintained list (no warranty or recommendations are\nimplied) can be found\nen ligne.9","html":"5.6.7.8:1049 -> 1.2.3.4:80 ACK=ON\nHere, the connection is opened. This is called a three-way handshake.\nIts purpose is to verify to BOTH hosts that they have a working\nconnection between them.\nThe internet being what it is, unreliable and flooded, there are\nprovisions to compensate for packet loss.\nIf the client sends out the initial SYN without receiving a SYN+ACK\nwithin a few seconds, it'll resend the SYN.\nIf the server sends out the SYN+ACK without receiving an ACK in a few\nseconds, it'll resend the SYN+ACK packet.\nThe latter is actually the reason that SYN flooding works so well. Si\nyou send out SYN packets from lots of different ports, this will tie\nup a lot of resources on the server. If you also refuse to respond to\nthe returned SYN+ACK packets, the server will KEEP these connections\nfor a long time, resending the SYN+ACK packets. Some servers will not\naccept new connections while there are enough connections currently\nforming; this is why SYN flooding works.\nAll packets transmitted in either direction after the three-way\nhandshake will have the ACK bit set. Stateless packet filters make\nuse of this in the so called « established'' filters: They will only\nlet packets through that have the ACK bit set. This way, no packet may\npass through in a certain direction that could form a new connection.\nTypically, you don't allow outside hosts to open new connections to\ninside hosts by requiring the ACK bit set on these packets.\nWhen the time has come to close the connection, there are two ways of\ndoing it: Using the FIN flag, or using the RST flag. Using FIN flags,\nboth implementations are required to send out FIN flags to indicate\nthat they want to close the connection, and then send out\nacknowledgements to these FINs, indicating that they understood that\nthe other end wants to close the connection. When sending out RST's,\nthe connection is closed forcefully, and you don't really get an\nindication of whether the other end understood your reset order, or\nthat it has in fact received all data that you sent to it.\nThe FIN way of closing the connection also exposes you to a\ndenial-of-service situation, since the TCP stack needs to remember the\nclosed connection for a fairly long time, in case the other end hasn't\nreceived one of the FIN packets.\nIf sufficiently many connections are opened and closed, you may end up\nhaving « closed'' connections in all your connection slots. This way,\nyou wouldn't be able to dynamically allocate more connections, seeing\nthat they're all used. Different OSes handle this situation\ndifféremment.\nWe feel this topic is too sensitive to address in a FAQ, however, an\nindependently maintained list (no warranty or recommendations are\nimplied) can be found\nen ligne.9
"},{"id":"text-241","type":"text","heading":"","plain_text":"Abuse of Privilege\nWhen a user performs an action that they\n should not have, according to organizational policy or law.","html":"Abuse of Privilege\nWhen a user performs an action that they\n should not have, according to organizational policy or law.
"},{"id":"text-242","type":"text","heading":"","plain_text":"Access Control Lists\nRules for packet filters (typically\n routers) that define which packets to pass and which to block.","html":"Access Control Lists\nRules for packet filters (typically\n routers) that define which packets to pass and which to block.
"},{"id":"text-243","type":"text","heading":"","plain_text":"Access Router\nA router that connects your network to the\n external Internet. Typically, this is your first line of defense\n against attackers from the outside Internet. By enabling access\n control lists on this router, you'll be able to provide a level of\n protection for all of the hosts « behind'' that router, effectively\n making that network a DMZ instead of an unprotected external LAN.","html":"Access Router\nA router that connects your network to the\n external Internet. Typically, this is your first line of defense\n against attackers from the outside Internet. By enabling access\n control lists on this router, you'll be able to provide a level of\n protection for all of the hosts « behind'' that router, effectively\n making that network a DMZ instead of an unprotected external LAN.
"},{"id":"text-244","type":"text","heading":"","plain_text":"Application-Layer Firewall\nA firewall system in which service\n is provided by processes that maintain complete TCP connection state\n and sequencing. Application layer firewalls often re-address traffic\n so that outgoing traffic appears to have originated from the\n firewall, rather than the internal host.","html":"Application-Layer Firewall\nA firewall system in which service\n is provided by processes that maintain complete TCP connection state\n and sequencing. Application layer firewalls often re-address traffic\n so that outgoing traffic appears to have originated from the\n firewall, rather than the internal host.
"},{"id":"text-245","type":"text","heading":"","plain_text":"Authentification\nThe process of determining the identity of a\n user that is attempting to access a system.","html":"Authentification\nThe process of determining the identity of a\n user that is attempting to access a system.
"},{"id":"text-246","type":"text","heading":"","plain_text":"Authentication Token\nA portable device used for authenticating\n a user. Authentication tokens operate by challenge/response,\n time-based code sequences, or other techniques. This may include\n paper-based lists of one-time passwords.","html":"Authentication Token\nA portable device used for authenticating\n a user. Authentication tokens operate by challenge/response,\n time-based code sequences, or other techniques. This may include\n paper-based lists of one-time passwords.
"},{"id":"text-247","type":"text","heading":"","plain_text":"Autorisation\nThe process of determining what types of\n activities are permitted. Usually, authorization is in the context\n of authentication: once you have authenticated a user, they may be\n authorized different types of access or activity.","html":"Autorisation\nThe process of determining what types of\n activities are permitted. Usually, authorization is in the context\n of authentication: once you have authenticated a user, they may be\n authorized different types of access or activity.
"},{"id":"text-248","type":"text","heading":"","plain_text":"Bastion Host\nA system that has been hardened to resist attack,\n and which is installed on a network in such a way that it is\n expected to potentially come under attack. Bastion hosts are often\n components of firewalls, or may be « outside'' web servers or public\n access systems. Generally, a bastion host is running some form of\n general purpose operating system (e.g., Unix, VMS, NT, etc.) rather\n than a ROM-based or firmware operating system.","html":"Bastion Host\nA system that has been hardened to resist attack,\n and which is installed on a network in such a way that it is\n expected to potentially come under attack. Bastion hosts are often\n components of firewalls, or may be « outside'' web servers or public\n access systems. Generally, a bastion host is running some form of\n general purpose operating system (e.g., Unix, VMS, NT, etc.) rather\n than a ROM-based or firmware operating system.
"},{"id":"text-249","type":"text","heading":"","plain_text":"Challenge/Response\nAn authentication technique whereby a\n server sends an unpredictable challenge to the user, who computes a\n response using some form of authentication token.","html":"Challenge/Response\nAn authentication technique whereby a\n server sends an unpredictable challenge to the user, who computes a\n response using some form of authentication token.
"},{"id":"text-250","type":"text","heading":"","plain_text":"Chroot\nA technique under Unix whereby a process is permanently\n restricted to an isolated subset of the filesystem.","html":"Chroot\nA technique under Unix whereby a process is permanently\n restricted to an isolated subset of the filesystem.
"},{"id":"text-251","type":"text","heading":"","plain_text":"Cryptographic Checksum\nA one-way function applied to a file to\n produce a unique « fingerprint'' of the file for later reference.\n Checksum systems are a primary means of detecting filesystem\n tampering on Unix.","html":"Cryptographic Checksum\nA one-way function applied to a file to\n produce a unique « fingerprint'' of the file for later reference.\n Checksum systems are a primary means of detecting filesystem\n tampering on Unix.
"},{"id":"text-252","type":"text","heading":"","plain_text":"Data Driven Attack\nA form of attack in which the attack is\n encoded in innocuous-seeming data which is executed by a user or\n other software to implement an attack. In the case of firewalls, a\n data driven attack is a concern since it may get through the\n firewall in data form and launch an attack against a system behind\n the firewall.","html":"Data Driven Attack\nA form of attack in which the attack is\n encoded in innocuous-seeming data which is executed by a user or\n other software to implement an attack. In the case of firewalls, a\n data driven attack is a concern since it may get through the\n firewall in data form and launch an attack against a system behind\n the firewall.
"},{"id":"text-253","type":"text","heading":"","plain_text":"Defense in Depth\nThe security approach whereby each system on\n the network is secured to the greatest possible degree. May be used\n in conjunction with firewalls.","html":"Defense in Depth\nThe security approach whereby each system on\n the network is secured to the greatest possible degree. May be used\n in conjunction with firewalls.
"},{"id":"text-254","type":"text","heading":"","plain_text":"DNS spoofing\nAssuming the DNS name of another system by either\n corrupting the name service cache of a victim system, or by\n compromising a domain name server for a valid domain.","html":"DNS spoofing\nAssuming the DNS name of another system by either\n corrupting the name service cache of a victim system, or by\n compromising a domain name server for a valid domain.
"},{"id":"text-255","type":"text","heading":"","plain_text":"Dual Homed Gateway\nA dual homed gateway is a system that has\n two or more network interfaces, each of which is connected to a\n different network. In firewall configurations, a dual homed gateway\n usually acts to block or filter some or all of the traffic trying to\n pass between the networks.","html":"Dual Homed Gateway\nA dual homed gateway is a system that has\n two or more network interfaces, each of which is connected to a\n different network. In firewall configurations, a dual homed gateway\n usually acts to block or filter some or all of the traffic trying to\n pass between the networks.
"},{"id":"text-256","type":"text","heading":"","plain_text":"Encrypting Router\nsee Tunneling Router and Virtual Network\n Perimeter.","html":"Encrypting Router\nsee Tunneling Router and Virtual Network\n Perimeter.
"},{"id":"text-257","type":"text","heading":"","plain_text":"Pare-feu\nA system or combination of systems that enforces a\n boundary between two or more networks.","html":"Pare-feu\nA system or combination of systems that enforces a\n boundary between two or more networks.
"},{"id":"text-258","type":"text","heading":"","plain_text":"Host-based Security\nThe technique of securing an individual\n system from attack. Host based security is operating system and\n version dependent.","html":"Host-based Security\nThe technique of securing an individual\n system from attack. Host based security is operating system and\n version dependent.
"},{"id":"text-259","type":"text","heading":"","plain_text":"Insider Attack\nAn attack originating from inside a protected\n network.","html":"Insider Attack\nAn attack originating from inside a protected\n network.
"},{"id":"text-260","type":"text","heading":"","plain_text":"Intrusion Detection\nDetection of break-ins or break-in\n attempts either manually or via software expert systems that operate\n on logs or other information available on the network.","html":"Intrusion Detection\nDetection of break-ins or break-in\n attempts either manually or via software expert systems that operate\n on logs or other information available on the network.
"},{"id":"text-261","type":"text","heading":"","plain_text":"IP Spoofing\nAn attack whereby a system attempts to illicitly\n impersonate another system by using its IP network address.","html":"IP Spoofing\nAn attack whereby a system attempts to illicitly\n impersonate another system by using its IP network address.
"},{"id":"text-262","type":"text","heading":"","plain_text":"IP Splicing / Hijacking\nAn attack whereby an active,\n established, session is intercepted and co-opted by the attacker. IP\n Splicing attacks may occur after an authentication has been made,\n permitting the attacker to assume the role of an already authorized\n utilisateur. Primary protections against IP Splicing rely on encryption at\n the session or network layer.","html":"IP Splicing / Hijacking\nAn attack whereby an active,\n established, session is intercepted and co-opted by the attacker. IP\n Splicing attacks may occur after an authentication has been made,\n permitting the attacker to assume the role of an already authorized\n utilisateur. Primary protections against IP Splicing rely on encryption at\n the session or network layer.
"},{"id":"text-263","type":"text","heading":"","plain_text":"Least Privilege\nDesigning operational aspects of a system to\n operate with a minimum amount of system privilege. This reduces the\n authorization level at which various actions are performed and\n decreases the chance that a process or user with high privileges may\n be caused to perform unauthorized activity resulting in a security\n breach.","html":"Least Privilege\nDesigning operational aspects of a system to\n operate with a minimum amount of system privilege. This reduces the\n authorization level at which various actions are performed and\n decreases the chance that a process or user with high privileges may\n be caused to perform unauthorized activity resulting in a security\n breach.
"},{"id":"text-264","type":"text","heading":"","plain_text":"Enregistrement\nThe process of storing information about events that\n occurred on the firewall or network.","html":"Enregistrement\nThe process of storing information about events that\n occurred on the firewall or network.
"},{"id":"text-265","type":"text","heading":"","plain_text":"Log Retention\nHow long audit logs are retained and maintained.","html":"Log Retention\nHow long audit logs are retained and maintained.
"},{"id":"text-266","type":"text","heading":"","plain_text":"Log Processing\nHow audit logs are processed, searched for key\n events, or summarized.","html":"Log Processing\nHow audit logs are processed, searched for key\n events, or summarized.
"},{"id":"text-267","type":"text","heading":"","plain_text":"Network-Layer Firewall\nA firewall in which traffic is examined\n at the network protocol packet layer.","html":"Network-Layer Firewall\nA firewall in which traffic is examined\n at the network protocol packet layer.
"},{"id":"text-268","type":"text","heading":"","plain_text":"Perimeter-based Security\nThe technique of securing a network\n by controlling access to all entry and exit points of the network.","html":"Perimeter-based Security\nThe technique of securing a network\n by controlling access to all entry and exit points of the network.
"},{"id":"text-269","type":"text","heading":"","plain_text":"Politique\nOrganization-level rules governing acceptable use of\n computing resources, security practices, and operational procedures.","html":"Politique\nOrganization-level rules governing acceptable use of\n computing resources, security practices, and operational procedures.
"},{"id":"text-270","type":"text","heading":"","plain_text":"Proxy\nA software agent that acts on behalf of a user. Typical\n proxies accept a connection from a user, make a decision as to\n whether or not the user or client IP address is permitted to use the\n proxy, perhaps does additional authentication, and then completes a\n connection on behalf of the user to a remote destination.","html":"Proxy\nA software agent that acts on behalf of a user. Typical\n proxies accept a connection from a user, make a decision as to\n whether or not the user or client IP address is permitted to use the\n proxy, perhaps does additional authentication, and then completes a\n connection on behalf of the user to a remote destination.
"},{"id":"text-271","type":"text","heading":"","plain_text":"Screened Host\nA host on a network behind a screening router.\n The degree to which a screened host may be accessed depends on the\n screening rules in the router.","html":"Screened Host\nA host on a network behind a screening router.\n The degree to which a screened host may be accessed depends on the\n screening rules in the router.
"},{"id":"text-272","type":"text","heading":"","plain_text":"Screened Subnet\nA subnet behind a screening router. The degree\n to which the subnet may be accessed depends on the screening rules\n in the router.","html":"Screened Subnet\nA subnet behind a screening router. The degree\n to which the subnet may be accessed depends on the screening rules\n in the router.
"},{"id":"text-273","type":"text","heading":"","plain_text":"Screening Router\nA router configured to permit or deny traffic\n based on a set of permission rules installed by the administrator.","html":"Screening Router\nA router configured to permit or deny traffic\n based on a set of permission rules installed by the administrator.
"},{"id":"text-274","type":"text","heading":"","plain_text":"Session Stealing\nSee IP Splicing.","html":"Session Stealing\nSee IP Splicing.
"},{"id":"text-275","type":"text","heading":"","plain_text":"Trojan Horse\nA software entity that appears to do something\n normal but which, in fact, contains a trapdoor or attack program.","html":"Trojan Horse\nA software entity that appears to do something\n normal but which, in fact, contains a trapdoor or attack program.
"},{"id":"text-276","type":"text","heading":"","plain_text":"Tunneling Router\nA router or system capable of routing traffic\n by encrypting it and encapsulating it for transmission across an\n untrusted network, for eventual de-encapsulation and decryption.","html":"Tunneling Router\nA router or system capable of routing traffic\n by encrypting it and encapsulating it for transmission across an\n untrusted network, for eventual de-encapsulation and decryption.
"},{"id":"text-277","type":"text","heading":"","plain_text":"Social Engineering\nAn attack based on deceiving users or\n administrators at the target site. Social engineering attacks are\n typically carried out by telephoning users or operators and\n pretending to be an authorized user, to attempt to gain illicit\n access to systems.","html":"Social Engineering\nAn attack based on deceiving users or\n administrators at the target site. Social engineering attacks are\n typically carried out by telephoning users or operators and\n pretending to be an authorized user, to attempt to gain illicit\n access to systems.
"},{"id":"text-278","type":"text","heading":"","plain_text":"Virtual Network Perimeter\nA network that appears to be a\n single protected network behind firewalls, which actually\n encompasses encrypted virtual links over untrusted networks.","html":"Virtual Network Perimeter\nA network that appears to be a\n single protected network behind firewalls, which actually\n encompasses encrypted virtual links over untrusted networks.
"},{"id":"text-279","type":"text","heading":"","plain_text":"Virus\nA replicating code segment that attaches itself to a\n program or data file. Viruses might or might not not contain attack\n programs or trapdoors. Unfortunately, many have taken to calling\n tout malicious code a « virus''. If you mean « trojan horse'' or\n « worm'', say « trojan horse'' or « worm''.","html":"Virus\nA replicating code segment that attaches itself to a\n program or data file. Viruses might or might not not contain attack\n programs or trapdoors. Unfortunately, many have taken to calling\n tout malicious code a « virus''. If you mean « trojan horse'' or\n « worm'', say « trojan horse'' or « worm''.
"},{"id":"text-280","type":"text","heading":"","plain_text":"Worm\nA standalone program that, when run, copies itself from\n one host to another, and then runs itself on each newly infected\n host. The widely reported « Internet Virus'' of 1988 was not a virus\n at all, but actually a worm.","html":"Worm\nA standalone program that, when run, copies itself from\n one host to another, and then runs itself on each newly infected\n host. The widely reported « Internet Virus'' of 1988 was not a virus\n at all, but actually a worm.
"},{"id":"text-281","type":"text","heading":"","plain_text":"Notes de bas de page","html":"Notes de bas de page
"},{"id":"text-282","type":"text","heading":"","plain_text":"…\nSystème1\nhttp://mail-abuse.org/","html":"…\nSystème1\nhttp://mail-abuse.org/
"},{"id":"text-283","type":"text","heading":"","plain_text":"… Initiative2\nhttp://mail-abuse.org/tsi/","html":"… Initiative2\nhttp://mail-abuse.org/tsi/
"},{"id":"text-284","type":"text","heading":"","plain_text":"… Squid3\nhttp://squid.nlanr.net/","html":"… Squid3\nhttp://squid.nlanr.net/
"},{"id":"text-285","type":"text","heading":"","plain_text":"… Apache4\nhttp://www.apache.org/docs/mod/mod_proxy.html","html":"… Apache4\nhttp://www.apache.org/docs/mod/mod_proxy.html
"},{"id":"text-286","type":"text","heading":"","plain_text":"… Proxy5\nhttp://home.netscape.com/proxy/v3.5/index.html","html":"… Proxy5\nhttp://home.netscape.com/proxy/v3.5/index.html
"},{"id":"text-287","type":"text","heading":"","plain_text":"… Netscape6","html":"… Netscape6
"},{"id":"text-288","type":"text","heading":"","plain_text":"http://developer.netscape.com/docs/manuals/security/sslin/contents.htm","html":"http://developer.netscape.com/docs/manuals/security/sslin/contents.htm
"},{"id":"text-289","type":"text","heading":"","plain_text":"… firewall7\n \n http://www.real.com/firewall/","html":"… firewall7\n \n http://www.real.com/firewall/
"},{"id":"text-290","type":"text","heading":"","plain_text":"…\nbugtraq8\nhttp://www.securityfocus.com","html":"…\nbugtraq8\nhttp://www.securityfocus.com
"},{"id":"text-291","type":"text","heading":"","plain_text":"…\nen ligne.9\nhttp://www.thegild.com/firewall/.","html":"…\nen ligne.9\nhttp://www.thegild.com/firewall/.
"},{"id":"text-292","type":"text","heading":"","plain_text":"paul@compuwar.net","html":"paul@compuwar.net
"},{"id":"text-293","type":"text","heading":"","plain_text":"Click to rate this post!\n \n [Total: 0 Average: 0]","html":"Click to rate this post!\n \n [Total: 0 Average: 0]
"}],"sections":[{"id":"text-1","heading":"Text","content":"Firewalls Internet: Foire aux questions\nDate: 2004/07/26 15:34:42\nRévision: 10.4 \nCe document disponible en Postscript.et PDF."},{"id":"text-2","heading":"Text","content":"1.1 À propos de la FAQ"},{"id":"text-3","heading":"Text","content":"Cette collection de questions fréquemment posées (FAQ) et de réponses a\nété compilé sur une période de plusieurs années, en voyant quelles questions les gens\nposer des questions sur les pare-feu dans des forums tels que Usenet, des listes de diffusion et Web\ndes sites. Si vous avez une question, regardez ici pour voir si c'est\nrépondu avant de poster votre question est bonne forme. Ne pas envoyer votre\nquestions sur les pare-feu aux responsables de la FAQ.\nLes responsables maintiennent les commentaires et les contributions sur le contenu de cette\nFAQ. Les commentaires relatifs à la FAQ doivent être adressés à\nfirewalls-faq@interhack.net.\nAvant de nous envoyer du courrier, assurez-vous de bien consulter les sections\n1.2 et 1.3 pour s'assurer que c'est\nle bon document à lire."},{"id":"text-4","heading":"Text","content":"1.2 Pour qui la FAQ est-elle écrite?"},{"id":"text-5","heading":"Text","content":"Les pare-feu ont parcouru un long chemin depuis le début de cette FAQ.\nIls sont passés de systèmes hautement personnalisés administrés par\nleurs implémenteurs à un produit grand public. Les pare-feu ne sont plus\nuniquement entre les mains de ceux qui conçoivent et mettent en œuvre la sécurité\nsystèmes; même les utilisateurs finaux soucieux de la sécurité les ont chez eux.\nNous avons écrit cette FAQ pour les développeurs et les administrateurs de systèmes informatiques.\nNous avons essayé d’être assez inclusifs, en laissant de la place aux nouveaux venus,\nmais nous supposons toujours des connaissances techniques de base. Si vous trouvez ça\nvous ne comprenez pas ce document, mais pensez que vous devez savoir\nPour en savoir plus sur les pare-feu, il se peut que vous ayez réellement besoin de\nplus de fond dans les réseaux informatiques d'abord. Nous fournissons des références\nqui nous ont aidés; peut-être qu'ils vont aussi vous aider.\nNous nous concentrons principalement sur les pare-feu "réseau", mais sur les pare-feu "hôtes" ou "personnels"\n seront abordés le cas échéant."},{"id":"text-6","heading":"Text","content":"1.3 Avant d'envoyer un courrier"},{"id":"text-7","heading":"Text","content":"Notez que cette collection de questions fréquemment posées est le résultat de\ninteragir avec beaucoup de gens de différents horizons dans un large\nvariété de forums publics. L'adresse firewalls-faq n'est pas une aide\n bureau. Si vous essayez d'utiliser une application qui dit que c'est\nne fonctionne pas à cause d'un pare-feu et vous pensez que vous devez\nsupprimez votre pare-feu, veuillez ne pas nous envoyer de courrier demandant comment.\nSi vous voulez savoir comment vous "débarrasser de votre pare-feu" parce que vous\nne pouvez pas utiliser certaines applications, ne nous envoyez pas de courrier demandant de l'aide. nous\nje ne peux pas t'aider. Vraiment.\nQui peut vous aider? Bonne question. Cela dépendra de quoi exactement\nle problème est, mais voici plusieurs indications. Si aucun de ces\nfonctionne, veuillez ne plus nous en demander. Nous ne savons pas"},{"id":"text-8","heading":"Text","content":"Le fournisseur du logiciel que vous utilisez."},{"id":"text-9","heading":"Text","content":"Le fournisseur de l'appliance matérielle que vous utilisez."},{"id":"text-10","heading":"Text","content":"Le fournisseur du service réseau que vous utilisez. C'est, si\n vous êtes sur AOL, demandez-leur. Si vous essayez d'utiliser quelque chose sur un\n réseau d'entreprise, consultez votre administrateur système."},{"id":"text-11","heading":"Text","content":"1.4 Où puis-je trouver la version actuelle de la FAQ?"},{"id":"text-12","heading":"Text","content":"La FAQ peut être trouvée sur le Web à\nIl est également posté mensuellement à \nLes versions publiées sont archivées à tous les endroits habituels. Malheureusement,\nla version publiée sur Usenet et archivée à partir de cette version n’a pas la\njolies images et hyperliens utiles trouvés dans la version Web."},{"id":"text-13","heading":"Text","content":"1.5 Où puis-je trouver des versions non anglaises de la FAQ?"},{"id":"text-14","heading":"Text","content":"Plusieurs traductions sont disponibles. (Si vous avez fait une traduction et\nce n'est pas dans la liste, écrivez-nous pour que nous puissions mettre à jour le maître\ndocument.)"},{"id":"text-15","heading":"Text","content":"norvégien\nTraduction de Jon Haugsand\nhttp://helmersol.nr.no/haandbok/doc/brannmur/brannmur-faq.html"},{"id":"text-16","heading":"Text","content":"1.6 Contributeurs"},{"id":"text-17","heading":"Text","content":"Beaucoup de gens ont écrit des suggestions utiles et des commentaires réfléchis.\nNous sommes reconnaissants à tous les contributeurs. Nous aimerions remercier quelques-uns par leur nom:\nKeinanen Vesa, Allen Leibowitz, Brent Chapman, Brian Boyle, D. Clyde Williamson, Richard Reiner, Humberto Ortiz Zuazaga et Theodore Hope."},{"id":"text-18","heading":"Text","content":"1.7 Droits d'auteur et utilisation"},{"id":"text-19","heading":"Text","content":"Copyright © 1995-1996, 1998 Marcus J. Ranum.\nCopyright © 1998-2002 Matt Curtin.\nCopyright 2004, Paul D. Robertson. Tous les droits\nréservé. Ce document peut être utilisé, réimprimé et redistribué\ncomme si fournissant cet avis de droit d'auteur et toutes les attributions\nreste intact. Traductions du texte complet de l'original\nL'anglais dans d'autres langues est également explicitement autorisé. Traducteurs\npeuvent ajouter leurs noms à la section "contributeurs".\nAvant de pouvoir comprendre une discussion complète sur les pare-feu,\nil est important de comprendre les principes de base qui font des pare-feu\ntravail."},{"id":"text-20","heading":"Text","content":"2.1 Qu'est-ce qu'un pare-feu de réseau?"},{"id":"text-21","heading":"Text","content":"Un pare-feu est un système ou un groupe de systèmes qui impose un accès\npolitique de contrôle entre deux réseaux ou plus. Le moyen réel par lequel\nceci est accompli varie beaucoup, mais en principe, le pare-feu peut\nêtre considéré comme une paire de mécanismes: celui qui existe pour bloquer\ntrafic, et l'autre qui existe pour permettre le trafic. Quelques pare-feu\nmettre davantage l'accent sur le blocage du trafic, tandis que d'autres mettent l'accent sur\npermettant le trafic. Probablement la chose la plus importante à reconnaître\nà propos d'un pare-feu est qu'il implémente une politique de contrôle d'accès. Si\nvous n'avez pas une bonne idée du type d'accès que vous souhaitez autoriser ou\nnier, un pare-feu ne vous aidera vraiment pas. Il est également important de\nreconnaître que la configuration du pare-feu, car il s'agit d'un mécanisme\npour l'application de la politique, impose sa politique sur tout ce qui est derrière elle.\nLes administrateurs de pare-feu qui gèrent la connectivité d’un grand\nnombre d'hôtes ont donc une lourde responsabilité."},{"id":"text-22","heading":"Text","content":"2.2 Pourquoi voudrais-je un pare-feu?"},{"id":"text-23","heading":"Text","content":"Internet, comme toute autre société, est en proie au genre de\nsaccades qui aiment l’équivalent électronique d’écrire sur d’autres personnes\nmurs avec du spraypaint, en déchirant leurs boîtes aux lettres, ou tout simplement assis dans\nla rue soufflant leurs cornes de voiture. Certaines personnes essaient d'obtenir un vrai travail\nfait sur Internet, et d'autres ont des données sensibles ou propriétaires\nils doivent protéger. En général, le pare-feu a pour but de garder les saccades\nde votre réseau tout en vous laissant faire votre travail.\nBeaucoup de sociétés et de centres de données de style traditionnel ont des ordinateurs\npolitiques et pratiques de sécurité à suivre. Dans un cas où\nLes politiques d'une entreprise dictent la manière dont les données doivent être protégées, un pare-feu est\ntrès important car c’est l’incarnation de la politique de l’entreprise.\nSouvent, la partie la plus difficile de la connexion à Internet, si vous êtes un\ngrande entreprise, ne justifie pas la dépense ou l'effort, mais convaincante\ngestion qu'il est prudent de le faire. Un pare-feu fournit non seulement de véritables\nsécurité – il joue souvent un rôle important en tant que couverture de sécurité pour\nla gestion.\nEnfin, un pare-feu peut agir en tant qu’ambassadeur de votre entreprise auprès du\nL'Internet. De nombreuses entreprises utilisent leurs systèmes de pare-feu comme un lieu de travail.\nstocker des informations publiques sur les produits et services de l'entreprise, des fichiers\ntélécharger, corrections de bugs, etc. Plusieurs de ces systèmes ont\ndeviennent des éléments importants de la structure de service Internet (par exemple,\nUUnet.uu.net, whitehouse.gov, gatekeeper.dec.com)\net ont bien réfléchi sur leurs sponsors organisationnels. Notez que, si cela est historiquement vrai, la plupart des entreprises placent désormais des informations publiques sur un serveur Web, souvent protégées par un pare-feu, mais pas normalement sur le pare-feu lui-même."},{"id":"text-24","heading":"Text","content":"2.3 Contre quoi un pare-feu peut-il être protégé?"},{"id":"text-25","heading":"Text","content":"Certains pare-feu ne permettent que le trafic de courrier électronique à travers eux,\nprotéger le réseau contre toute attaque autre que les attaques contre\nle service de messagerie. Les autres pare-feu fournissent des protections moins strictes,\net bloquer les services qui sont connus pour être des problèmes.\nEn général, les pare-feu sont configurés pour protéger contre les utilisateurs non authentifiés.\nconnexions interactives du monde "extérieur". Ceci, plus que\nempêche les vandales de se connecter aux machines de votre ordinateur.\nréseau. Des pare-feu plus élaborés bloquent le trafic de l'extérieur vers\nà l'intérieur, mais permettent aux utilisateurs de l'intérieur de communiquer librement avec\nl'extérieur. Le pare-feu peut vous protéger contre tout type de\nattaque par le réseau si vous le débranchez.\nLes pare-feu sont également importants car ils peuvent fournir un seul « starter\npoint '' où la sécurité et l'audit peuvent être imposés. Contrairement à une situation\noù un ordinateur est attaqué par une personne composant un numéro avec un\nmodem, le pare-feu peut agir comme un "contact téléphonique" et un traçage efficaces\noutil. Les pare-feu fournissent une fonction importante de journalisation et d’audit;\nsouvent, ils fournissent à l'administrateur des résumés sur les types et\nquantité de trafic traversé, combien de tentatives ont été faites pour\ncasser dedans, etc.\nPour cette raison, les journaux de pare-feu sont des données extrêmement importantes. Ils peuvent être utilisés comme preuves devant les tribunaux de la plupart des pays. Vous devez sauvegarder, analyser et protéger les journaux de votre pare-feu en conséquence.\nC'est un point important: à condition que ce "point d'étranglement" puisse servir\nle même but sur votre réseau comme une porte gardée peut pour votre site\nlocaux physiques. Cela signifie que chaque fois que vous avez un changement dans les "zones"\nou des niveaux de sensibilité, un tel point de contrôle est approprié. Une entreprise\na rarement seulement une porte extérieure et pas de réceptionniste ou de personnel de sécurité\nvérifier les badges en entrant. S'il y a des couches de sécurité sur\nvotre site, il est raisonnable d’attendre des couches de sécurité sur votre\nréseau."},{"id":"text-26","heading":"Text","content":"2.4 Contre quoi un pare-feu ne peut-il pas être protégé?"},{"id":"text-27","heading":"Text","content":"Les pare-feu ne peuvent pas protéger contre les attaques qui ne passent pas par la\npare-feu. De nombreuses entreprises qui se connectent à Internet sont très\npréoccupé par les données propriétaires fuyant de la société à travers\ncette route. Malheureusement pour les personnes concernées, une bande magnétique,\nles disques compacts, DVD ou clés USB peuvent être utilisés avec autant d'efficacité\nexporter des données. De nombreuses organisations qui sont terrifiées (à un management\nniveau) des connexions Internet n’a pas de politique cohérente concernant la\nl'accès via des modems doit être protégé. C'est idiot de construire un six pieds\nporte en acier épais quand vous vivez dans une maison en bois, mais il y a beaucoup de\norganisations achètent là-bas des pare-feu coûteux et négligent la\nnombreuses autres portes arrière de leur réseau. Pour qu'un pare-feu fonctionne,\nil doit faire partie d'une sécurité organisationnelle globale cohérente\narchitecture. Les stratégies de pare-feu doivent être réalistes et refléter les\nniveau de sécurité sur l'ensemble du réseau. Par exemple, un site avec top\nles données secrètes ou classifiées n’ont pas du tout besoin de pare-feu: elles\nne devrait pas être connecté à Internet en premier lieu, ou le\nles systèmes avec les données vraiment secrètes doivent être isolés du reste\ndu réseau d'entreprise.\nLes traîtres sont une autre chose contre laquelle un pare-feu ne peut pas vraiment vous protéger\nou des idiots à l'intérieur de votre réseau. Alors qu’un espion industriel pourrait exporter\ninformations via votre pare-feu, il est tout aussi susceptible de l'exporter\nvia un téléphone, un télécopieur ou un disque compact. Les CD sont un\ndes moyens beaucoup plus susceptibles de fuite d'informations de votre organisation\nqu'un pare-feu. Les pare-feu ne peuvent pas non plus vous protéger contre la stupidité.\nLes utilisateurs qui révèlent des informations sensibles par téléphone sont bons\ncibles d'ingénierie sociale; un attaquant peut être en mesure de pénétrer dans\nvotre réseau en contournant complètement votre pare-feu, s’il peut trouver un\nemployé «utile» à l'intérieur qui peut être dupe en donnant accès à un\npool de modem. Avant de décider que ce n'est pas un problème dans votre\norganisation, demandez-vous combien de problèmes un entrepreneur a à obtenir\nconnecté au réseau ou combien de difficulté un utilisateur qui a oublié son\nmot de passe a le réinitialiser. Si les membres du service d’assistance croient\nque chaque appel est interne, vous avez un problème qui ne peut pas être résolu par\nresserrement des contrôles sur les pare-feu.\nLes pare-feu ne peuvent pas protéger contre la plupart des tunnels\nprotocoles d’application à des clients victimes de chevaux de Troie ou mal écrits. Là\nn'y a pas de balles magiques et un pare-feu n'est pas une excuse pour ne pas mettre en œuvre\ncontrôles logiciels sur les réseaux internes ou ignorer la sécurité de l'hôte sur\nles serveurs. Mise en tunnel des "mauvaises" choses via HTTP, SMTP et autres\nprotocoles est assez simple et trivialement démontré. La sécurité n'est pas\n«tire et oublie».\nEnfin, les pare-feu ne peuvent pas protéger contre les mauvaises choses qui leur sont permises.\nPar exemple, de nombreux chevaux de Troie utilisent le protocole IRC (Internet Relay Chat)\npermettre à un attaquant de contrôler un hôte interne compromis à partir d'un ordinateur public\nServeur IRC. Si vous autorisez un système interne à se connecter à un serveur externe\nvotre pare-feu ne fournira aucune protection contre ce vecteur de\nattaque."},{"id":"text-28","heading":"Text","content":"2.5 Qu'en est-il des virus et autres logiciels malveillants?"},{"id":"text-29","heading":"Text","content":"Les pare-feu ne protègent pas très bien contre des virus ou des\nlogiciels malveillants (malware). Il y a trop de façons d'encoder\nfichiers binaires pour le transfert sur les réseaux, et trop nombreux\narchitectures et les virus pour essayer de les rechercher tous. En d'autre\nEn d’autres termes, un pare-feu ne peut pas remplacer la conscience de la sécurité.\nvos utilisateurs. En général, un pare-feu ne peut pas protéger contre un\nattaque basée sur les données – attaques dans lesquelles quelque chose est envoyé ou copié\nun hôte interne où il est ensuite exécuté. Cette forme d'attaque a\ndans le passé contre diverses versions de envoyer un mail,\nGhostscript, scripting des agents utilisateurs de messagerie comme\nPerspective, et les navigateurs Web comme Internet Explorer.\nLes organisations profondément préoccupées par les virus doivent mettre en œuvre\nmesures de contrôle des virus à l'échelle de l'organisation. Plutôt que d'essayer de filtrer\npare-feu, assurez-vous que tous les postes de travail vulnérables\nUn logiciel antivirus est exécuté au redémarrage de la machine.\nLa couverture de votre réseau avec un logiciel antivirus protégera\ncontre les virus provenant de disquettes, de CD, de modems et d’Internet.\nEssayer de bloquer les virus au niveau du pare-feu ne protégera que contre\nvirus provenant d'Internet. Analyse antivirus au niveau du pare-feu ou du courrier électronique\npasserelle va arrêter un grand nombre d'infections.\nNéanmoins, un nombre croissant de fournisseurs de pare-feu proposent\n"pare-feu". Ils ne sont probablement utiles que pour les naïfs\nutilisateurs échangeant des programmes exécutables Windows sur Intel et\ndocuments d'application malveillants compatibles avec les macros. Il y a beaucoup de\napproches basées sur un pare-feu pour traiter des problèmes tels que le\nLe ver «ILOVEYOU» et les attaques connexes, mais ce sont vraiment\napproches trop simplistes qui tentent de limiter les dommages de quelque chose\nc'est si stupide que cela n'aurait jamais dû se produire.\nNe comptez sur aucune protection contre des attaquants dotés de cette fonctionnalité.\n(Depuis que «ILOVEYOU» a fait le tour, nous avons vu au moins une demi-douzaine\nattaques similaires, notamment Melissa, Happy99, Code Red et Badtrans.B,\nqui ont tous été heureusement traversés par de nombreux virus détectant\npare-feu et passerelles de messagerie.)\nUn pare-feu puissant ne remplace jamais un logiciel sensible qui\nreconnaît la nature de ce qu'il manipule – des données non fiables provenant d'un\npartie non authentifiée – et se comporte de manière appropriée. Ne pense pas ça\nparce que "tout le monde" utilise cette messagerie ou parce que le vendeur est un\nsociété multinationale gargantuesque, vous êtes en sécurité. En fait, ce n'est pas vrai\nque "tout le monde" utilise n’importe quel courrier, et les entreprises spécialisées\nen transformant la technologie inventée ailleurs en quelque chose qui est « facile\nd'utiliser '' sans aucune expertise sont plus susceptibles de produire des logiciels\ncela peut être dupe. Un examen plus approfondi de ce sujet serait\ndigne d'intérêt [3], mais dépasse le cadre de ce document."},{"id":"text-30","heading":"Text","content":"2.6 IPSEC rendra-t-il les pare-feu obsolètes?"},{"id":"text-31","heading":"Text","content":"Certains ont soutenu que c'était le cas. Avant de prononcer un tel\nprédiction générale, cependant, il est utile d'examiner ce que IPSEC\nest et ce qu'il fait. Une fois que nous le savons, nous pouvons examiner si IPSEC\nrésoudra les problèmes que nous essayons de résoudre avec des pare-feu.\nIPSEC (IP SECurity) fait référence à un ensemble de normes développées par le\nGroupe de travail d'ingénierie Internet (IETF). Il y a beaucoup de documents qui\ndéfinir collectivement ce qu'on appelle «IPSEC» [6]. IPSEC\nrésout deux problèmes qui ont affecté la suite de protocoles IP pour\nans: authentification d'hôte à hôte (qui permettra aux hôtes de savoir que\nils parlent aux hôtes qu’ils pensent être) et le cryptage\n(ce qui empêchera les attaquants de surveiller le trafic\naller entre les machines).\nNotez qu’aucun de ces problèmes n’est ce à quoi les pare-feu ont été créés pour\nrésoudre. Bien que les pare-feu puissent aider à atténuer certains des risques\nprésent sur Internet sans authentification ni cryptage, il existe des\nvraiment deux classes de problèmes ici: l'intégrité et la vie privée de la\nl'information circulant entre les hôtes et les limites imposées à quels types\nde connectivité est autorisée entre différents réseaux. IPSEC\ns'adresse à la première classe et pare-feu à la seconde.\nCela signifie que l'un n'éliminera pas le besoin de l'autre,\nmais cela crée des possibilités intéressantes quand on regarde\ncombinaison de pare-feu avec des hôtes compatibles IPSEC. À savoir, des choses telles que\nRéseaux privés virtuels (VPN) indépendants du vendeur, meilleur paquet\nfiltrage (en filtrant sur si les paquets ont le IPSEC\nd’authentification), et les pare-feu de la couche application pourront\nd'avoir de meilleurs moyens de vérification d'hôte en utilisant réellement l'IPSEC\nen-tête d'authentification au lieu de "simplement faire confiance" à l'adresse IP\nprésenté."},{"id":"text-32","heading":"Text","content":"2.7 Quelles sont les bonnes sources d'informations imprimées sur les pare-feu?"},{"id":"text-33","heading":"Text","content":"Il existe plusieurs livres sur les pare-feu. Les plus connus sont:\nLes références associées sont:"},{"id":"text-34","heading":"Text","content":"Interconnexion de réseaux avec TCP / IP Vols I, II et III"},{"id":"text-35","heading":"Text","content":"Auteurs\nDouglas Comer et David Stevens"},{"id":"text-36","heading":"Text","content":"Éditeur\nPrentice Hall"},{"id":"text-37","heading":"Text","content":"Édition\n1991"},{"id":"text-38","heading":"Text","content":"ISBN\n0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2\n (III)"},{"id":"text-39","heading":"Text","content":"Commentaire\nUne discussion détaillée sur l'architecture et\n mise en œuvre de l'Internet et de ses protocoles. Volume I (sur\n principes, protocoles et architecture) est lisible par tous.\n Le volume 2 (sur la conception, la mise en œuvre et les internes) est plus\n technique. Le volume 3 couvre l’informatique client-serveur."},{"id":"text-40","heading":"Text","content":"Unix System Security – Un guide pour les utilisateurs et\n Administrateurs système"},{"id":"text-41","heading":"Text","content":"Auteur\nDavid Curry"},{"id":"text-42","heading":"Text","content":"Éditeur\nAddison Wesley"},{"id":"text-43","heading":"Text","content":"Édition\n1992"},{"id":"text-44","heading":"Text","content":"ISBN\n0-201-56327-4"},{"id":"text-45","heading":"Text","content":"2.8 Où puis-je obtenir plus d'informations sur les pare-feu sur le\n L'Internet?"},{"id":"text-46","heading":"Text","content":"Manuel de sécurité du site\nhttp://www.rfc-editor.org/rfc/rfc2196.txt\nLe site Security Handbook est un document d’information de l’IETF qui\n décrit les questions fondamentales à prendre en compte pour bien construire\n sécurité du site. Les pare-feu font partie d'une plus grande sécurité\n stratégie, comme le montre le manuel sur la sécurité du site."},{"id":"text-47","heading":"Text","content":"Liste de diffusion Firewalls\nhttp://www.isc.org/index.pl?/ops/lists/firewalls/\nLa liste de diffusion des pare-feu Internet est un forum pour pare-feu\n administrateurs et implémenteurs."},{"id":"text-48","heading":"Text","content":"Liste de diffusion des assistants pare-feu\nhttp://honor.icsalabs.com/mailman/listinfo/firewall-wizards\nLa liste de diffusion des assistants de pare-feu est un pare-feu modéré et\n liste liée à la sécurité qui ressemble plus à un journal qu'un public\n caisse à savon."},{"id":"text-49","heading":"Text","content":"Pare-feu\nhttp://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html\nDécrit exactement ce qui est nécessaire pour construire un pare-feu, en particulier\n en utilisant Linux."},{"id":"text-50","heading":"Text","content":"Firewall Toolkit (FWTK) et papiers de pare-feu\nftp://ftp.tis.com/pub/firewalls/"},{"id":"text-51","heading":"Text","content":"Les publications de Marcus Ranum sur le pare-feu\nhttp://www.ranum.com/pubs/"},{"id":"text-52","heading":"Text","content":"Outils de sécurité de l'Université Texas A & M\nhttp://www.net.tamu.edu/ftp/security/TAMU/"},{"id":"text-53","heading":"Text","content":"COAST Project Internet Firewalls page\nhttp://www.cerias.purdue.edu/coast/firewalls/"},{"id":"text-54","heading":"Text","content":"3.1 Quelles sont les décisions de conception de base dans un pare-feu?"},{"id":"text-55","heading":"Text","content":"Un certain nombre de problèmes de conception de base doivent être résolus par\nla personne chanceuse qui a été chargé de la responsabilité de\nconcevoir, spécifier et mettre en œuvre ou superviser l'installation\nd'un pare-feu.\nLa première et la plus importante décision reflète la politique de votre\nentreprise ou organisation veut faire fonctionner le système: est le pare-feu\nen place explicitement pour refuser tous les services, sauf ceux essentiels à la\nmission de connexion au Net, ou le pare-feu est-il en place pour\nfournir une méthode mesurée et vérifiée d’accès «en file d’attente» dans un\nmanière non menaçante? Il y a des degrés de paranoïa entre ces\nles positions; la position finale de votre pare-feu pourrait être plus le résultat\nd'une décision politique qu'une décision d'ingénierie.\nLa seconde est: quel niveau de contrôle, de redondance et de contrôle font\ntu veux? Après avoir établi le niveau de risque acceptable (c.-à-d. Comment\nparanoïaque vous êtes) en résolvant le premier problème, vous pouvez former un\nliste de contrôle de ce qui devrait être surveillé, autorisé et refusé. Dans\nEn d’autres termes, vous commencez par définir vos objectifs généraux et\npuis combinez une analyse des besoins avec une évaluation des risques et triez les\npresque toujours des exigences contradictoires dans une liste de blanchisserie\nspécifie ce que vous prévoyez de mettre en œuvre.\nLe troisième problème est financier. Nous ne pouvons pas aborder celui-ci ici dans\ntout sauf des termes vagues, mais il est important d'essayer de quantifier toute\nsolutions proposées en termes de combien il en coûtera pour acheter ou\nimplémenter. Par exemple, un pare-feu complet peut coûter\nentre 100 000 $ dans le haut de gamme et gratuit dans le bas de gamme. La libre\noption, possibilité de configuration sur un routeur Cisco ou similaire\nne coûtera que du temps de personnel et quelques tasses de café.\nL'implémentation d'un pare-feu haut de gamme à partir de zéro peut coûter plusieurs\nmois-hommes, ce qui peut représenter 30 000 dollars de salaire du personnel et\navantages. Les frais généraux de gestion des systèmes sont également à prendre en compte.\nConstruire une bière maison, c'est bien, mais il est important de la construire pour que\nil ne nécessite pas d'attention constante (et coûteuse). C'est important,\nen d'autres termes, pour évaluer les pare-feu non seulement en termes de ce qu'ils\nCoût maintenant, mais coûts continus tels que le support.\nSur le plan technique, il y a quelques décisions à prendre, basées sur\nsur le fait que, à toutes fins utiles, ce dont nous parlons\nest un service de routage de trafic statique placé entre le service réseau\nle routeur du fournisseur et votre réseau interne. Le routage du trafic\nservice peut être mis en œuvre à un niveau IP via quelque chose comme filtrage\nrègles dans un routeur ou au niveau de l'application via des passerelles de proxy et\nprestations de service.\nLa décision à prendre est de savoir s'il faut placer un objet exposé dépouillé\nmachine sur le réseau extérieur pour exécuter des services proxy pour telnet, FTP,\nnouvelles, etc., ou s'il faut configurer un routeur de filtrage en tant que filtre,\npermettant la communication avec une ou plusieurs machines internes. Il y a\navantages et inconvénients des deux approches, avec la machine proxy\nfournissant un plus haut niveau d'audit et, potentiellement, de sécurité en retour\naugmentation des coûts de configuration et diminution du niveau de\nservice qui peut être fourni (puisqu’un proxy doit être développé pour\nchaque service souhaité). Le vieux compromis entre facilité d’utilisation et\nla sécurité revient nous hanter avec vengeance."},{"id":"text-56","heading":"Text","content":"3.2 Quels sont les types de base de pare-feu?"},{"id":"text-57","heading":"Text","content":"Conceptuellement, il existe trois types de pare-feu:"},{"id":"text-58","heading":"Text","content":"Couche réseau"},{"id":"text-59","heading":"Text","content":"Couche d'application"},{"id":"text-60","heading":"Text","content":"Hybrides"},{"id":"text-61","heading":"Text","content":"Ils ne sont pas aussi différents qu'on pourrait le penser, et les dernières technologies\nestompent la distinction au point où il n'est plus clair\nsi l'un ou l'autre est «meilleur» ou «pire». Comme toujours, vous devez être\nveillez à choisir le type qui répond à vos besoins.\nQui dépend des mécanismes que le pare-feu utilise pour passer\nle trafic d'une zone de sécurité à une autre. L'international\nModèle OSI (Open Systems Interconnect) d’organisation de normalisation (ISO) pour\nla mise en réseau définit sept couches, chaque couche fournissant des services\nque les couches "de niveau supérieur" dépendent. Dans l'ordre du bas,\nces couches sont physiques, liaison de données, réseau, transport, session,\nprésentation, application.\nLa chose importante à reconnaître est que le niveau inférieur de la\nmécanisme de transmission, moins le pare-feu peut être examiné.\nDe manière générale, les pare-feu de bas niveau sont plus rapides, mais plus faciles.\ntromper en faisant la mauvaise chose.\nDe nos jours, la plupart des pare-feu entrent dans la catégorie «hybride», ce qui\nle filtrage de réseau ainsi qu'une certaine quantité d'inspection d'application.\nLe montant change en fonction du fournisseur, du produit, du protocole et de la version,\ndonc un certain niveau de creuser et / ou de tester est souvent nécessaire."},{"id":"text-62","heading":"Text","content":"3.2.1 Pare-feu de couche réseau"},{"id":"text-63","heading":"Text","content":"Ceux-ci prennent généralement leurs décisions en fonction de la source, de la destination\nadresses et ports (voir l’annexe 6 pour une description plus détaillée\ndiscussion sur les ports) dans des paquets IP individuels. Un simple routeur est le\nPare-feu de couche réseau « traditionnel '', car il n'est pas capable de faire\ndécisions particulièrement sophistiquées sur ce qu'un paquet est en réalité\nparler à ou d'où il vient réellement. Couche réseau moderne\nles pare-feu sont devenus de plus en plus sophistiqués, et maintenant maintenant\ninformations internes sur l'état des connexions passant par\neux, le contenu de certains flux de données, etc. Une chose\nc'est une distinction importante sur de nombreux pare-feu de couche réseau est\nqu'ils acheminent le trafic directement par eux, alors utilisez-en un\nbesoin d’avoir un bloc d’adresses IP valablement attribué ou d’utiliser un « privé\nbloc d'adresse internet [5]. Les pare-feu de la couche réseau ont tendance\nêtre très rapide et ont tendance à être très transparent pour les utilisateurs."},{"id":"text-64","heading":"Text","content":"Figure 1:\nPare-feu hôte filtré"},{"id":"text-65","heading":"Text","content":"Dans la figure 1, un pare-feu de couche réseau appelé\nun "pare-feu hôte filtré" est représenté. Dans un hôte filtré\npare-feu, l’accès vers et depuis un hôte unique est contrôlé au moyen d’un\nrouteur fonctionnant sur une couche réseau. L'hôte unique est un bastion\nhôte; un point fort hautement défendu et sécurisé qui (espérons-le) peut\nrésister à l'attaque."},{"id":"text-66","heading":"Text","content":"Figure 2:\nPare-feu de sous-réseau filtré"},{"id":"text-67","heading":"Text","content":"Exemple de pare-feu de couche réseau: Dans\nFigure 2, un pare-feu de couche réseau appelé\n«pare-feu de sous-réseau filtré» est représenté. Dans un sous-réseau filtré\npare-feu, l'accès à et depuis tout un réseau est contrôlé au moyen de\nun routeur fonctionnant sur une couche réseau. C'est semblable à un projeté\nhôte, sauf qu’il s’agit effectivement d’un réseau d’hôtes filtrés."},{"id":"text-68","heading":"Text","content":"3.2.2 Pare-feu de la couche d'application"},{"id":"text-69","heading":"Text","content":"Ce sont généralement des hôtes exécutant des serveurs proxy, qui ne permettent aucune\nle trafic directement entre les réseaux et qui effectuent une journalisation élaborée\net audit du trafic qui les traverse. Depuis le proxy\nles applications sont des composants logiciels fonctionnant sur le pare-feu, c’est un\nbon endroit pour faire beaucoup de journalisation et de contrôle d'accès. Application\nLes pare-feu de couche peuvent être utilisés en tant que traducteurs d'adresses réseau, car\nle trafic va dans un côté et sort de l'autre, après avoir passé\nà travers une application qui masque efficacement l’origine du\nétablir la connexion. Avoir une application dans le chemin dans certains cas\npeut avoir un impact sur les performances et rendre le pare-feu moins transparent.\nLes premiers pare-feu de la couche d’application, tels que ceux construits avec TIS\npare-feu, ne sont pas particulièrement transparents pour les utilisateurs finaux et\npeut nécessiter une formation. Les pare-feu modernes de la couche d’application sont\nsouvent totalement transparent. Les pare-feu de couche d’application ont tendance à fournir\ndes rapports d’audit plus détaillés et ont tendance à imposer des mesures plus conservatrices.\nmodèles de sécurité que les pare-feu de couche réseau."},{"id":"text-70","heading":"Text","content":"Figure 3:\nPasserelle à double hébergement"},{"id":"text-71","heading":"Text","content":"Exemple de pare-feu de couche d'application: Dans\nFigure 3, un pare-feu de couche d'application\nappelé une «passerelle à double hébergement» est représenté. Une double passerelle\nest un hôte hautement sécurisé qui exécute un logiciel proxy. Il a deux réseau\ninterfaces, une sur chaque réseau, et bloque tout le trafic passant\nà travers.\nLa plupart des pare-feu se situent maintenant quelque part entre les pare-feu de couche réseau et\npare-feu de couche d'application. Comme prévu, les pare-feu de la couche réseau\nsont de plus en plus "au courant" de l'information qui passe par\nles pare-feu de la couche d’application sont de plus en plus «faibles»\nniveau '' et transparent. Le résultat final est que maintenant il y a rapide\nsystèmes de filtrage de paquets enregistrant et vérifiant les données au fur et à mesure de leur passage\nle système. De plus en plus de pare-feu (couche réseau et application)\nincorporer un cryptage afin de protéger le trafic transitant\nentre eux sur Internet. Pare-feux avec cryptage de bout en bout\npeut être utilisé par des organisations disposant de plusieurs points Internet\nconnectivité pour utiliser Internet en tant que « backbone privé '' sans\nse soucier de leurs données ou mots de passe étant reniflés. (IPSEC,\ndécrit à la section 2.6, joue un rôle de plus en plus\nrôle important dans la construction de tels réseaux privés virtuels\nréseaux.)"},{"id":"text-72","heading":"Text","content":"3.3 Que sont les serveurs proxy et comment fonctionnent-ils?"},{"id":"text-73","heading":"Text","content":"Un serveur proxy (parfois appelé passerelle d’application ou\nexpéditeur) est une application qui assure la médiation du trafic entre un\nréseau et Internet. Les procurations sont souvent utilisées au lieu de\ncontrôles du trafic basés sur les routeurs, pour empêcher le trafic de passer\ndirectement entre les réseaux. Beaucoup de proxies contiennent une journalisation supplémentaire ou\nsoutien à l'authentification de l'utilisateur. Puisque les mandataires doivent "comprendre"\nle protocole d'application utilisé, ils peuvent également implémenter le protocole\nsécurité spécifique (par exemple, un proxy FTP peut être configurable pour permettre\nFTP entrant et bloquer le FTP sortant).\nLes serveurs proxy sont spécifiques à l'application. Afin de soutenir une nouvelle\nprotocole via un proxy, un proxy doit être développé pour cela. Un populaire\nensemble de serveurs proxy est la boîte à outils TIS Internet Firewall («FWTK»)\nqui inclut les mandataires pour Telnet, rlogin, FTP, le système X Window,\nActualités HTTP / Web et NNTP / Usenet. SOCKS est un système de proxy générique qui\npeut être compilé dans une application côté client pour le faire fonctionner par\nun pare-feu. Son avantage est qu’il est facile à utiliser, mais ce n’est pas le cas.\nsupporte l'ajout de hooks d'authentification ou de protocole spécifique\nenregistrement. Pour plus d'informations sur SOCKS, voir\nhttp://www.socks.nec.com/."},{"id":"text-74","heading":"Text","content":"3.4 Quels sont certains outils bon marché de filtrage de paquets?"},{"id":"text-75","heading":"Text","content":"Les outils de sécurité de la Texas A & M University comprennent un logiciel pour\nmise en place de routeurs de filtrage. Karlbridge est un système de dépistage basé sur PC\nkit de routeur disponible à partir de\nftp://ftp.net.ohio-state.edu/pub/kbridge/.\nIl existe de nombreux écrans de paquets au niveau du noyau, notamment:\nipf, ipfw, ipchains, pf, et ipfwadm. Typiquement,\nceux-ci sont inclus dans diverses implémentations Unix libres, telles que\nFreeBSD,\nOpenBSD,\nNetBSD, et\nLinux. Vous pourriez aussi trouver\nces outils disponibles dans votre implémentation commerciale Unix.\nSi vous êtes prêt à vous salir les mains, c'est complètement\npossible de construire un pare-feu sécurisé et entièrement fonctionnel pour le prix\ndu matériel et une partie de votre temps."},{"id":"text-76","heading":"Text","content":"3.5 Quelles sont les règles de filtrage raisonnables pour un\n écran de paquets basé sur le noyau?"},{"id":"text-77","heading":"Text","content":"Cet exemple est écrit spécifiquement pour ipfwadm sur Linux,\nmais les principes (et même une grande partie de la syntaxe) s’appliquent à d’autres\ninterfaces du noyau pour le filtrage de paquets sur les systèmes Unix "open source".\nIl existe quatre catégories de base couvertes par le ipfwadm\nrègles:"},{"id":"text-78","heading":"Text","content":"-UNE\nComptabilité par paquets"},{"id":"text-79","heading":"Text","content":"-JE\nPare-feu d'entrée"},{"id":"text-80","heading":"Text","content":"-O\nPare-feu de sortie"},{"id":"text-81","heading":"Text","content":"-F\nPare-feu de transmission"},{"id":"text-82","heading":"Text","content":"ipfwadm a également fait du masquerading (-M) capacités.\nPour plus d'informations sur les commutateurs et les options, reportez-vous à la\nipfwadm homme page."},{"id":"text-83","heading":"Text","content":"3.5.1 Mise en œuvre"},{"id":"text-84","heading":"Text","content":"Ici, notre organisation utilise un réseau privé de classe C (RFC 1918)\n192.168.1.0. Notre FAI nous a attribué l'adresse 201.123.102.32 pour\nl'interface externe de notre passerelle et 201.123.102.33 pour notre externe\nserveur de courrier. La politique organisationnelle dit:"},{"id":"text-85","heading":"Text","content":"Autoriser toutes les connexions TCP sortantes"},{"id":"text-86","heading":"Text","content":"Autoriser les serveurs SMTP et DNS entrants vers un serveur de messagerie externe"},{"id":"text-87","heading":"Text","content":"Bloquer tout autre trafic"},{"id":"text-88","heading":"Text","content":"Le bloc de commandes suivant peut être placé dans un fichier de démarrage du système.\n(peut-être rc.local sur les systèmes Unix)."},{"id":"text-89","heading":"Text","content":"ipfwadm -F -f\n ipfwadm -F -p nier\n ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 25\n ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 53\n ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024: 65535 -D 201.123.102.33 53\n ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0"},{"id":"text-90","heading":"Text","content":" / sbin / route add -host 201.123.102.33 gw 192.168.1.2"},{"id":"text-91","heading":"Text","content":"3.5.2 Explication"},{"id":"text-92","heading":"Text","content":"3.6 Quelles sont les règles de filtrage raisonnables pour un Cisco?"},{"id":"text-93","heading":"Text","content":"L’exemple de la figure 4 montre une possibilité\nconfiguration pour utiliser Cisco en tant que routeur de filtrage. C'est un échantillon\ncela montre la mise en œuvre de la politique spécifique. Votre politique sera\nsans aucun doute varier."},{"id":"text-94","heading":"Text","content":"Figure 4:\nRouteur de filtrage de paquets"},{"id":"text-95","heading":"Text","content":"Dans cet exemple, une entreprise a l'adresse réseau 195.55.55.0 de classe C.\nLe réseau de l'entreprise est connecté à Internet via le fournisseur de services IP.\nLa politique de la société est de permettre à tout le monde d’accéder aux services Internet.\ntoutes les connexions sortantes sont acceptées. Toutes les connexions entrantes vont\nvia « mailhost ''. Mail et DNS ne sont que des services entrants."},{"id":"text-96","heading":"Text","content":"3.6.1 Mise en œuvre"},{"id":"text-97","heading":"Text","content":"Autoriser toutes les connexions TCP sortantes"},{"id":"text-98","heading":"Text","content":"Autoriser les adresses SMTP et DNS entrantes sur mailhost"},{"id":"text-99","heading":"Text","content":"Autoriser les connexions de données FTP entrantes au port TCP élevé (1024)"},{"id":"text-100","heading":"Text","content":"Essayez de protéger les services qui vivent sur des numéros de port élevés"},{"id":"text-101","heading":"Text","content":"Seuls les paquets entrants provenant d'Internet sont vérifiés dans cette configuration.\nRules are tested in order and stop when the first match is found.\nThere is an implicit deny rule at the end of an access list that\ndenies everything. This IP access list assumes that you are running\nCisco IOS v. 10.3 or later."},{"id":"text-102","heading":"Text","content":"no ip source-route\n!\ninterface ethernet 0 \nip address 195.55.55.1 \nno ip directed-broadcast\n!\ninterface serial 0 \nno ip directed-broadcast\nip access-group 101 in \n!\naccess-list 101 deny ip 127.0.0.0 0.255.255.255 any\naccess-list 101 deny ip 10.0.0.0 0.255.255.255 any\naccess-list 101 deny ip 172.16.0.0 0.15.255.255 any\naccess-list 101 deny ip 192.168.0.0 0.0.255.255 any\naccess-list 101 deny ip any 0.0.0.255 255.255.255.0\naccess-list 101 deny ip any 0.0.0.0 255.255.255.0\n!\naccess-list 101 deny ip 195.55.55.0 0.0.0.255 \naccess-list 101 permit tcp any any established \n!\naccess-list 101 permit tcp any host 195.55.55.10 eq smtp \naccess-list 101 permit tcp any host 195.55.55.10 eq dns \naccess-list 101 permit udp any host 192.55.55.10 eq dns \n!\naccess-list 101 deny tcp any any range 6000 6003 \naccess-list 101 deny tcp any any range 2000 2003 \naccess-list 101 deny tcp any any eq 2049 \naccess-list 101 deny udp any any eq 2049 \n!\naccess-list 101 permit tcp any 20 any gt 1024 \n!\naccess-list 101 permit icmp any any \n!\nsnmp-server community FOOBAR RO 2 \nline vty 0 4 \naccess-class 2 in \naccess-list 2 permit 195.55.55.0 0.0.0.255"},{"id":"text-103","heading":"Text","content":"3.6.2 Explanations"},{"id":"text-104","heading":"Text","content":"Drop all source-routed packets. Source routing can be used for\n address spoofing."},{"id":"text-105","heading":"Text","content":"Drop directed broadcasts, which are used in smurf attacks."},{"id":"text-106","heading":"Text","content":"If an incoming packet claims to be from a local net, loopback\n network, or private network, drop it."},{"id":"text-107","heading":"Text","content":"All packets which are part of already established\n TCP-connections can pass through without further checking."},{"id":"text-108","heading":"Text","content":"All connections to low port numbers are blocked except SMTP and\n DNS."},{"id":"text-109","heading":"Text","content":"Block all services that listen for TCP connections on high port\n Nombres. X11 (port 6000+), OpenWindows (port 2000+) are a few\n candidates. NFS (port 2049) runs usually over UDP, but it can be run\n over TCP, so you should block it."},{"id":"text-110","heading":"Text","content":"Incoming connections from port 20 into high port numbers are\n supposed to be FTP data connections."},{"id":"text-111","heading":"Text","content":"Access-list 2 limits access to router itself (telnet & SNMP)"},{"id":"text-112","heading":"Text","content":"All UDP traffic is blocked to protect RPC services"},{"id":"text-113","heading":"Text","content":"3.6.3 Shortcomings"},{"id":"text-114","heading":"Text","content":"You cannot enforce strong access policies with router access\n lists. Users can easily install backdoors to their systems to get\n over « no incoming telnet'' or « no X11'' rules. Also crackers\n install telnet backdoors on systems where they break in."},{"id":"text-115","heading":"Text","content":"You can never be sure what services you have listening for\n connections on high port numbers. (You can't be sure of what\n services you have listening for connections on low port numbers,\n either, especially in highly decentralized environments where people\n can put their own machines on the network or where they can get\n administrative access to their own machines.)"},{"id":"text-116","heading":"Text","content":"Checking the source port on incoming FTP data connections is a\n weak security method. It also breaks access to some FTP sites. Il\n makes use of the service more difficult for users without preventing\n bad guys from scanning your systems."},{"id":"text-117","heading":"Text","content":"Use at least Cisco version 9.21 so you can filter incoming packets and\ncheck for address spoofing. It's still better to use 10.3, where you\nget some extra features (like filtering on source port) and some\nimprovements on filter syntax.\nYou have still a few ways to make your setup stronger. Block all\nincoming TCP-connections and tell users to use passive-FTP clients.\nYou can also block outgoing ICMP echo-reply and\ndestination-unreachable messages to hide your network and to prevent\nuse of network scanners. Cisco.com use to have an archive of examples\nfor building firewalls using Cisco routers, but it doesn't seem to be\nonline anymore. There are some notes on Cisco access control lists,\nat least, at ftp://ftp.cisco.com/pub/mibs/app_notes/access-lists."},{"id":"text-118","heading":"Text","content":"3.7 What are the critical resources in a firewall?"},{"id":"text-119","heading":"Text","content":"It's important to understand the critical resources of your firewall\narchitecture, so when you do capacity planning, performance\noptimizations, etc., you know exactly what you need to do, and how\nmuch you need to do it in order to get the desired result.\nWhat exactly the firewall's critical resources are tends to vary from\nsite to site, depending on the sort of traffic that loads the system.\nSome people think they'll automatically be able to increase the data\nthroughput of their firewall by putting in a box with a faster CPU, or\nanother CPU, when this isn't necessarily the case. Potentially, this\ncould be a large waste of money that doesn't do anything to solve the\nproblem at hand or provide the expected scalability.\nOn busy systems, Mémoire is extremely important. Vous devez\nhave enough RAM to support every instance of every program necessary\nto service the load placed on that machine. Otherwise, the swapping\nwill start and the productivity will stop. Light swapping isn't\nusually much of a problem, but if a system's swap space begins to get\nbusy, then it's usually time for more RAM. A system that's heavily\nswapping is often relatively easy to push over the edge in a\ndenial-of-service attack, or simply fall behind in processing the load\nplaced on it. This is where long email delays start.\nBeyond the system's requirement for memory, it's useful to understand\nthat different services use different system resources. Alors le\nconfiguration that you have for your system should be indicative of\nthe kind of load you plan to service. A 1400 MHz processor isn't\ngoing to do you much good if all you're doing is netnews and mail, and\nare trying to do it on an IDE disk with an ISA controller."},{"id":"text-120","heading":"Text","content":"Tableau 1:\nCritical Resources for Firewall Services"},{"id":"text-121","heading":"Text","content":"Un service\nCritical Resource"},{"id":"text-122","heading":"Text","content":"Email\nDisk I/O"},{"id":"text-123","heading":"Text","content":"Netnews\nDisk I/O"},{"id":"text-124","heading":"Text","content":"Web\nHost OS Socket Performance"},{"id":"text-125","heading":"Text","content":"IP Routing\nHost OS Socket Performance"},{"id":"text-126","heading":"Text","content":"Web Cache\nHost OS Socket Performance, Disk I/O"},{"id":"text-127","heading":"Text","content":"3.8 What is a DMZ, and why do I want one?"},{"id":"text-128","heading":"Text","content":"« DMZ'' is an abbreviation for « demilitarized zone''. In the context\nof firewalls, this refers to a part of the network that is neither\npart of the internal network nor directly part of the Internet.\nTypically, this is the area between your Internet access router and\nyour bastion host, though it can be between any two policy-enforcing\ncomponents of your architecture.\nA DMZ can be created by putting access control lists on your access\nrouter. This minimizes the exposure of hosts on your external LAN by\nallowing only recognized and managed services on those hosts to be\naccessible by hosts on the Internet. Many commercial firewalls simply\nmake a third interface off of the bastion host and label it the DMZ,\nthe point is that the network is neither « inside'' nor « outside''.\nFor example, a web server running on NT might be vulnerable to a\nnumber of denial-of-service attacks against such services as RPC,\nNetBIOS and SMB. These services are not required for the operation of\na web server, so blocking TCP connections to ports 135, 137, 138, and\n139 on that host will reduce the exposure to a denial-of-service\nattack. In fact, if you block everything but HTTP traffic to that\nhost, an attacker will only have one service to attack.\nThis illustrates an important principle: never offer attackers more to\nwork with than is absolutely necessary to support the services you\nwant to offer the public."},{"id":"text-129","heading":"Text","content":"3.9 How might I increase the security and scalability of my\n DMZ?"},{"id":"text-130","heading":"Text","content":"A common approach for an attacker is to break into a host that's\nvulnerable to attack, and exploit trust relationships between the\nvulnerable host and more interesting targets.\nIf you are running a number of services that have different levels of\nsecurity, you might want to consider breaking your DMZ into several\n« security zones''. This can be done by having a number of different\nnetworks within the DMZ. For example, the access router could feed\ntwo Ethernets, both protected by ACLs, and therefore in the DMZ.\nOn one of the Ethernets, you might have hosts whose purpose is to\nservice your organization's need for Internet connectivity. Celles-ci\nwill likely relay mail, news, and host DNS. On the other Ethernet\ncould be your web server(s) and other hosts that provide services for\nthe benefit of Internet users.\nIn many organizations, services for Internet users tend to be less\ncarefully guarded and are more likely to be doing insecure things.\n(For example, in the case of a web server, unauthenticated and\nuntrusted users might be running CGI, PHP, or other executable\nprogrammes. This might be reasonable for your web server, but brings\nwith it a certain set of risks that need to be managed. It is likely\nthese services are too risky for an organization to run them on a\nbastion host, where a slip-up can result in the complete failure of\nthe security mechanisms.)\nBy putting hosts with similar levels of risk on networks together in\nthe DMZ, you can help minimize the effect of a breakin at your site.\nIf someone breaks into your web server by exploiting some bug in your\nweb server, they'll not be able to use it as a launching point to\nbreak into your private network if the web servers are on a separate\nLAN from the bastion hosts, and you don't have any trust relationships\nbetween the web server and bastion host.\nNow, keep in mind that this is Ethernet. If someone breaks into your\nweb server, and your bastion host is on the same Ethernet, an attacker\ncan install a sniffer on your web server, and watch the traffic to and\nfrom your bastion host. This might reveal things that can be used to\nbreak into the bastion host and gain access to the internal network.\n(Switched Ethernet can reduce your exposure to this kind of problem,\nbut will not eliminate it.)\nSplitting services up not only by host, but by network, and limiting\nthe level of trust between hosts on those networks, you can greatly\nreduce the likelihood of a breakin on one host being used to break\ninto the other. Succinctly stated: breaking into the web server in\nthis case won't make it any easier to break into the bastion host.\nYou can also increase the scalability of your architecture by placing\nhosts on different networks. The fewer machines that there are to\nshare the available bandwidth, the more bandwidth that each will get."},{"id":"text-131","heading":"Text","content":"3.10 What is a `single point of failure', and how do I avoid\n having one?"},{"id":"text-132","heading":"Text","content":"An architecture whose security hinges upon one mechanism has a single\npoint of failure. Software that runs bastion hosts has bugs.\nApplications have bugs. Software that controls routers has bugs. Il\nmakes sense to use all of these components to build a securely\ndesigned network, and to use them in redundant ways.\nIf your firewall architecture is a screened subnet, you have two\npacket filtering routers and a bastion host. (See question\n3.2 from this section.) Your Internet access\nrouter will not permit traffic from the Internet to get all the way\ninto your private network. However, if you don't enforce that rule\nwith any other mechanisms on the bastion host and/or choke router,\nonly one component of your architecture needs to fail or be\ncompromised in order to get inside. On the other hand, if you have a\nredundant rule on the bastion host, and again on the choke router, an\nattacker will need to defeat Trois mechanisms.\nFurther, if the bastion host or the choke router needs to invoke its\nrule to block outside access to the internal network, you might want\nto have it trigger an alarm of some sort, since you know that someone\nhas gotten through your access router."},{"id":"text-133","heading":"Text","content":"3.11 How can I block all of the bad stuff?"},{"id":"text-134","heading":"Text","content":"For firewalls where the emphasis is on security instead of\nconnectivity, you should consider blocking tout par\ndefault, and only specifically allowing what services you need on a\ncase-by-case basis.\nIf you block everything, except a specific set of services, then\nyou've already made your job much easier. Instead of having to worry\nabout every security problem with everything product and service\naround, you only need to worry about every security problem with a\nspecific set of services and products.\nBefore turning on a service, you should consider a couple of\nquestions:"},{"id":"text-135","heading":"Text","content":"Is the protocol for this product a well-known, published\n protocol?"},{"id":"text-136","heading":"Text","content":"Is the application to service this protocol available for public\n inspection of its implementation?"},{"id":"text-137","heading":"Text","content":"How well known is the service and product?"},{"id":"text-138","heading":"Text","content":"How does allowing this service change the firewall architecture?\n Will an attacker see things differently? Could it be exploited to\n get at my internal network, or to change things on hosts in my DMZ?"},{"id":"text-139","heading":"Text","content":"When considering the above questions, keep the following in mind:"},{"id":"text-140","heading":"Text","content":"« Security through obscurity'' is no security at all.\n Unpublished protocols have been examined by bad guys and defeated."},{"id":"text-141","heading":"Text","content":"Despite what the marketing representatives say, not every\n protocol or service is designed with security in mind. In fact, the\n number that are is very few."},{"id":"text-142","heading":"Text","content":"Even in cases where security is a consideration, not all\n organizations have competent security staff. Among those who don't,\n not all are willing to bring a competent consultant into the\n projet. The end result is that otherwise-competent, well-intended\n developers can design insecure systems."},{"id":"text-143","heading":"Text","content":"The less that a vendor is willing to tell you about how their\n système vraiment works, the more likely it is that security\n (or other) problems exist. Only vendors with something to hide have\n a reason to hide their designs and\n implémentations [2]."},{"id":"text-144","heading":"Text","content":"3.12 How can I restrict web access so users can't view sites\n unrelated to work?"},{"id":"text-145","heading":"Text","content":"A few years ago, someone got the idea that it's a good idea to block\n« bad'' web sites, i.e., those that contain material that The Company\nviews « inappropriate''. The idea has been increasing in popularity,\nbut there are several things to consider when thinking about\nimplementing such controls in your firewall."},{"id":"text-146","heading":"Text","content":"It is not possible to practically block everything that an\n employer deems « inappropriate''. The Internet is full of every sort\n of material. Blocking one source will only redirect traffic to\n another source of such material, or cause someone to figure a way\n around the block."},{"id":"text-147","heading":"Text","content":"Most organizations do not have a standard for judging the\n appropriateness of material that their employees bring to work,\n e.g., books and magazines. Do you inspect everyone's briefcase for\n « inappropriate material'' every day? If you do not, then why would\n you inspect every packet for « inappropriate material''? Tout\n decisions along those lines in such an organization will be\n arbitrary. Attempting to take disciplinary action against an\n employee where the only standard is arbitrary typically isn't wise,\n for reasons well beyond the scope of this document."},{"id":"text-148","heading":"Text","content":"Products that perform site-blocking, commercial and otherwise,\n are typically easy to circumvent. Hostnames can be rewritten as IP\n adresses. IP addresses can be written as a 32-bit integer value,\n or as four 8-bit integers (the most common form). Autre\n possibilities exist, as well. Connections can be proxied. Web\n pages can be fetched via email. You can't block them all. le\n effort that you'll spend trying to implement and manage such\n controls will almost certainly far exceed any level of damage\n control that you're hoping to have."},{"id":"text-149","heading":"Text","content":"The rule-of-thumb to remember here is that you cannot solve social\nproblems with technology. If there is a problem with someone going to\nan « inappropriate'' web site, that is because someone else saw it and\nwas offended by what he saw, or because that person's productivity is\nbelow expectations. In either case, those are matters for the\npersonnel department, not the firewall administrator."},{"id":"text-150","heading":"Text","content":"4.1 What is source routed traffic and why is it a threat?"},{"id":"text-151","heading":"Text","content":"Normally, the route a packet takes from its source to its destination\nis determined by the routers between the source and destination. le\npacket itself only says where it wants to go (the destination\naddress), and nothing about how it expects to get there.\nThere is an optional way for the sender of a packet (the source) to\ninclude information in the packet that tells the route the packet\nshould take to get to its destination; thus the name « source routing''.\nFor a firewall, source routing is noteworthy, since an attacker can\ngenerate traffic claiming to be from a system « inside'' the firewall.\nIn general, such traffic wouldn't route to the firewall properly, but\nwith the source routing option, all the routers between the attacker's\nmachine and the target will return traffic along the reverse path of\nthe source route. Implementing such an attack is quite easy; alors\nfirewall builders should not discount it as unlikely to happen.\nIn practice, source routing is very little used. In fact, generally\nthe main legitimate use is in debugging network problems or routing\ntraffic over specific links for congestion control for specialized\nsituations. When building a firewall, source routing should be\nblocked at some point. Most commercial routers incorporate the\nability to block source routing specifically, and many versions of\nUnix that might be used to build firewall bastion hosts have the\nability to disable or to ignore source routed traffic."},{"id":"text-152","heading":"Text","content":"4.2 What are ICMP redirects and redirect bombs?"},{"id":"text-153","heading":"Text","content":"An ICMP Redirect tells the recipient system to override something in\nits routing table. It is legitimately used by routers to tell hosts\nthat the host is using a non-optimal or defunct route to a particular\ndestination, i.e., the host is sending it to the wrong router. le\nwrong router sends the host back an ICMP Redirect packet that tells\nthe host what the correct route should be. If you can forge ICMP\nRedirect packets, and if your target host pays attention to them, you\ncan alter the routing tables on the host and possibly subvert the\nsecurity of the host by causing traffic to flow via a path the network\nmanager didn't intend. ICMP Redirects also may be employed for denial\nof service attacks, where a host is sent a route that loses it\nconnectivity, or is sent an ICMP Network Unreachable packet telling it\nthat it can no longer access a particular network.\nMany firewall builders screen ICMP traffic from their network, since\nit limits the ability of outsiders to ping hosts, or modify their\nrouting tables.\nBefore you decide to block all ICMP packets, you should be aware of\nhow the TCP protocol does « Path MTU Discovery'', to make certain that\nyou don't break connectivity to other sites. If you can't safely\nblock it everywhere, you can consider allowing selected types of ICMP\nto selected routing devices. If you don't block it, you should at\nleast ensure that your routers and hosts don't respond to broadcast\nping packets."},{"id":"text-154","heading":"Text","content":"4.3 What about denial of service?"},{"id":"text-155","heading":"Text","content":"Denial of service is when someone decides to make your network or\nfirewall useless by disrupting it, crashing it, jamming it, or\nflooding it. The problem with denial of service on the Internet is\nthat it is impossible to prevent. The reason has to do with the\ndistributed nature of the network: every network node is connected via\nother networks which in turn connect to other networks, etc. A\nfirewall administrator or ISP only has control of a few of the local\nelements within reach. An attacker can always disrupt a connection\n« upstream'' from where the victim controls it. In other words, if\nsomeone wanted to take a network off the air, he could do it either by\ntaking the network off the air, or by taking the networks it connects\nto off the air, ad infinitum. There are many, many, ways someone can\ndeny service, ranging from the complex to the trivial brute-force. Si\nyou are considering using Internet for a service which is absolutely\ntime or mission critical, you should consider your fallback position\nin the event that the network is down or damaged.\nTCP/IP's UDP echo service is trivially abused to get two servers to\nflood a network segment with echo packets. You should consider\ncommenting out unused entries in /etc/inetd.conf of Unix hosts,\najouter no ip small-servers to Cisco routers, or the equivalent\nfor your components."},{"id":"text-156","heading":"Text","content":"4.4 What are some common attacks, and how can I protect my\n system against them?"},{"id":"text-157","heading":"Text","content":"Each site is a little different from every other in terms of what\nattacks are likely to be used against it. Some recurring themes do\narise, though."},{"id":"text-158","heading":"Text","content":"4.4.1 SMTP Server Hijacking (Unauthorized Relaying)"},{"id":"text-159","heading":"Text","content":"This is where a spammer will take many thousands of copies of a\nmessage and send it to a huge list of email addresses. Because these\nlists are often so bad, and in order to increase the speed of\noperation for the spammer, many have resorted to simply sending all of\ntheir mail to an SMTP server that will take care of actually\ndelivering the mail.\nOf course, all of the bounces, spam complaints, hate mail, and bad PR\ncome for the site that was used as a relay. There is a very real cost\nassociated with this, mostly in paying people to clean up the mess\nafterward.\nThe Mail Abuse Prevention\nSystème1Transport Security Initiative2maintains a complete description of the problem, and how to configure\nabout every mailer on the planet to protect against this attack."},{"id":"text-160","heading":"Text","content":"4.4.2 Exploiting Bugs in Applications"},{"id":"text-161","heading":"Text","content":"Various versions of web servers, mail servers, and other Internet\nservice software contain bugs that allow remote (Internet) users to do\nthings ranging from gain control of the machine to making that\napplication crash and just about everything in between.\nThe exposure to this risk can be reduced by running only necessary\nservices, keeping up to date on patches, and using products that have\nbeen around a while."},{"id":"text-162","heading":"Text","content":"4.4.3 Bugs in Operating Systems"},{"id":"text-163","heading":"Text","content":"Again, these are typically initiated by users remotely. en fonctionnement\nsystems that are relatively new to IP networking tend to be more\nproblematic, as more mature operating systems have had time to find\nand eliminate their bugs. An attacker can often make the target\nequipment continuously reboot, crash, lose the ability to talk to the\nnetwork, or replace files on the machine.\nHere, running as few operating system services as possible can help.\nAlso, having a packet filter in front of the operating system can\nreduce the exposure to a large number of these types of attacks.\nAnd, of course, chosing a stable operating system will help here as\nwell. When selecting an OS, don't be fooled into believing that « the\npricier, the better''. Free operating systems are often much more\nrobust than their commercial counterparts"},{"id":"text-164","heading":"Text","content":"5.1 Do I really want to allow everything that my users ask\n for?"},{"id":"text-165","heading":"Text","content":"It's entirely possible that the answer is « no''. Each site has its own\npolicies about what is and isn't needed, but it's important to\nremember that a large part of the job of being an organization's\ngatekeeper is éducation. Users want streaming video,\nreal-time chat, and to be able to offer services to external customers\nthat require interaction with live databases on the internal network.\nThat doesn't mean that any of these things can be done without\npresenting more risk to the organization than the supposed « value''\nof heading down that road is worth. Most users don't want to put\ntheir organization at risk. They just read the trade rags, see\nadvertisements, and they want to do those things, too. It's important\nto look into what it is that they really want to do, and to help them\nunderstand how they might be able to accomplish their real objective\nin a more secure manner.\nYou won't always be popular, and you might even find yourself being\ngiven direction to do something incredibly stupid, like « just open up\nports foo through bar''. If that happens, don't worry about it. Il\nwould be wise to keep all of your exchanges on such an event so that\nwhen a 12-year-old script kiddie breaks in, you'll at least be able to\nseparate yourself from the whole mess."},{"id":"text-166","heading":"Text","content":"5.2 How do I make Web/HTTP work through my firewall?"},{"id":"text-167","heading":"Text","content":"There are three ways to do it."},{"id":"text-168","heading":"Text","content":"Allow « established'' connections out via a router, if you are\n using screening routers."},{"id":"text-169","heading":"Text","content":"Use a web client that supports SOCKS, and run SOCKS on your\n bastion host."},{"id":"text-170","heading":"Text","content":"Run some kind of proxy-capable web server on the bastion host.\n Some options include\n Squid3,\n Apache4,\n Netscape Proxy5,\n et http-gw from the TIS firewall toolkit. Most of\n these can also proxy other protocols (such as gopher and ftp), and\n can cache objects fetched, which will also typically result in a\n performance boost for the users, and more efficient use of your\n connection to the Internet. Essentially all web clients (Mozilla,\n Internet Explorer, Lynx, etc.) have proxy server support built\n directly into them."},{"id":"text-171","heading":"Text","content":"5.3 How do I make SSL work through the firewall?"},{"id":"text-172","heading":"Text","content":"SSL is a protocol that allows secure connections across the Internet.\nTypically, SSL is used to protect HTTP traffic. However, other\nprotocols (such as telnet) can run atop SSL.\nEnabling SSL through your firewall can be done the same way that you\nwould allow HTTP traffic, if it's HTTP that you're using SSL to\nsecure, which is usually true. The only difference is that instead of\nusing something that will simply relay HTTP, you'll need something\nthat can tunnel SSL. This is a feature present on most web object\ncaches.\nYou can find out more about SSL from Netscape6."},{"id":"text-173","heading":"Text","content":"5.4 How do I make DNS work with a firewall?"},{"id":"text-174","heading":"Text","content":"Some organizations want to hide DNS names from the outside. Beaucoup\nexperts don't think hiding DNS names is worthwhile, but if\nsite/corporate policy mandates hiding domain names, this is one\napproach that is known to work. Another reason you may have to hide\ndomain names is if you have a non-standard addressing scheme on your\ninternal network. In that case, you have no choice but to hide those\nadresses. Don't fool yourself into thinking that if your DNS names\nare hidden that it will slow an attacker down much if they break into\nyour firewall. Information about what is on your network is too easily\ngleaned from the networking layer itself. If you want an interesting\ndemonstration of this, ping the subnet broadcast address on your LAN\nand then do an « arp -a.'' Note also that hiding names in the DNS\ndoesn't address the problem of host names « leaking'' out in mail\nheaders, news articles, etc.\nThis approach is one of many, and is useful for organizations that\nwish to hide their host names from the Internet. The success of this\napproach lies on the fact that DNS clients on a machine don't have to\ntalk to a DNS server on that same machine. In other words, just\nbecause there's a DNS server on a machine, there's nothing wrong with\n(and there are often advantages to) redirecting that machine's DNS\nclient activity to a DNS server on another machine.\nFirst, you set up a DNS server on the bastion host that the outside\nworld can talk to. You set this server up so that it claims to be\nauthoritative for your domains. In fact, all this server knows is what\nyou want the outside world to know; the names and addresses of your\ngateways, your wildcard MX records, and so forth. This is the « public''\nserveur.\nThen, you set up a DNS server on an internal machine. This server also\nclaims to be authoritative for your domains; unlike the public server,\nthis one is telling the truth. This is your « normal'' nameserver, into\nwhich you put all your « normal'' DNS stuff. You also set this server up\nto forward queries that it can't resolve to the public server (using a\n« forwarders'' line in /etc/named.boot on a Unix machine, for example).\nFinally, you set up all your DNS clients (the /etc/resolv.conf\nfile on a Unix box, for instance), including the ones on the machine\nwith the public server, to use the internal server. This is the key.\nAn internal client asking about an internal host asks the internal\nserver, and gets an answer; an internal client asking about an\nexternal host asks the internal server, which asks the public server,\nwhich asks the Internet, and the answer is relayed back. A client on\nthe public server works just the same way. An external client,\nhowever, asking about an internal host gets back the « restricted''\nanswer from the public server.\nThis approach assumes that there's a packet filtering firewall between\nthese two servers that will allow them to talk DNS to each other, but\notherwise restricts DNS between other hosts.\nAnother trick that's useful in this scheme is to employ wildcard PTR\nrecords in your IN-ADDR.ARPA domains. These cause an an\naddress-to-name lookup for any of your non-public hosts to return\nsomething like « unknown.YOUR.DOMAIN'' rather than an error. Ce\nsatisfies anonymous FTP sites like ftp.uu.net that insist on having a\nname for the machines they talk to. This may fail when talking to\nsites that do a DNS cross-check in which the host name is matched\nagainst its address and vice versa."},{"id":"text-175","heading":"Text","content":"5.5 How do I make FTP work through my firewall?"},{"id":"text-176","heading":"Text","content":"Generally, making FTP work through the firewall is done either using a\nproxy server such as the firewall toolkit's ftp-gw or by permitting\nincoming connections to the network at a restricted port range, and\notherwise restricting incoming connections using something like\n« established'' screening rules. The FTP client is then modified to bind\nthe data port to a port within that range. This entails being able to\nmodify the FTP client application on internal hosts.\nIn some cases, if FTP downloads are all you wish to support, you might\nwant to consider declaring FTP a « dead protocol'' and letting you users\ndownload files via the Web instead. The user interface certainly is\nnicer, and it gets around the ugly callback port problem. Si vous\nchoose the FTP-via-Web approach, your users will be unable to FTP\nfiles out, which, depending on what you are trying to accomplish, may\nbe a problem.\nA different approach is to use the FTP « PASV'' option to indicate\nthat the remote FTP server should permit the client to initiate\nconnections. The PASV approach assumes that the FTP server on the\nremote system supports that operation. (See « Firewall-Friendly\nFTP'' [1].)\nOther sites prefer to build client versions of the FTP program that\nare linked against a SOCKS library."},{"id":"text-177","heading":"Text","content":"5.6 How do I make Telnet work through my firewall?"},{"id":"text-178","heading":"Text","content":"Telnet is generally supported either by using an application proxy\nsuch as the firewall toolkit's tn-gw, or by simply configuring a\nrouter to permit outgoing connections using something like the\n« established'' screening rules. Application proxies could be in the\nform of a standalone proxy running on the bastion host, or in the form\nof a SOCKS server and a modified client."},{"id":"text-179","heading":"Text","content":"5.7 How do I make Finger and whois work through my firewall?"},{"id":"text-180","heading":"Text","content":"Many firewall admins permit connections to the finger port from only\ntrusted machines, which can issue finger requests in the form of:\nfinger user@host.domain@firewall. This approach only works with the\nstandard Unix version of finger. Controlling access to services and\nrestricting them to specific machines is managed using either\ntcp_wrappers or netacl from the firewall toolkit. This approach will\nnot work on all systems, since some finger servers do not permit\nuser@host@host fingering.\nMany sites block inbound finger requests for a variety of reasons,\nforemost being past security bugs in the finger server (the Morris\ninternet worm made these bugs famous) and the risk of proprietary or\nsensitive information being revealed in user's finger information. Dans\ngeneral, however, if your users are accustomed to putting proprietary\nor sensitive information in their .plan files, you have a more\nserious security problem than just a firewall can solve."},{"id":"text-181","heading":"Text","content":"5.8 How do I make gopher, archie, and other services work\n through my firewall?"},{"id":"text-182","heading":"Text","content":"The majority of firewall administrators choose to support gopher and\narchie through web proxies, instead of directly. Proxies such as the\nfirewall toolkit's http-gw convert gopher/gopher+ queries\ninto HTML and vice versa. For supporting archie and other queries,\nmany sites rely on Internet-based Web-to-archie servers, such as\nArchiePlex. The Web's tendency to make everything on the Internet look\nlike a web service is both a blessing and a curse.\nThere are many new services constantly cropping up. Often they are\nmisdesigned or are not designed with security in mind, and their\ndesigners will cheerfully tell you if you want to use them you need to\nlet port xxx through your router. Unfortunately, not everyone can do\nthat, and so a number of interesting new toys are difficult to use for\npeople behind firewalls. Things like RealAudio, which require direct\nUDP access, are particularly egregious examples. The thing to bear in\nmind if you find yourself faced with one of these problems is to find\nout as much as you can about the security risks that the service may\npresent, before you just allow it through. It's quite possible the\nservice has no security implications. It's equally possible that it\nhas undiscovered holes you could drive a truck through."},{"id":"text-183","heading":"Text","content":"5.9 What are the issues about X11 through a firewall?"},{"id":"text-184","heading":"Text","content":"The X Windows System is a very useful system, but unfortunately has\nsome major security flaws. Remote systems that can gain or spoof\naccess to a workstation's X11 display can monitor keystrokes that a\nuser enters, download copies of the contents of their windows, etc.\nWhile attempts have been made to overcome them (E.g., MIT « Magic\nCookie'') it is still entirely too easy for an attacker to interfere\nwith a user's X11 display. Most firewalls block all X11 traffic. Certains\npermit X11 traffic through application proxies such as the DEC CRL X11\nproxy (FTP crl.dec.com). The firewall toolkit includes a proxy for\nX11, called x-gw, which a user can invoke via the Telnet proxy, to\ncreate a virtual X11 server on the firewall. When requests are made\nfor an X11 connection on the virtual X11 server, the user is presented\nwith a pop-up asking them if it is OK to allow the connection. Tandis que\nthis is a little unaesthetic, it's entirely in keeping with the rest\nof X11."},{"id":"text-185","heading":"Text","content":"5.10 How do I make RealAudio work through my firewall?"},{"id":"text-186","heading":"Text","content":"RealNetworks maintains some information about how to get RealAudio\nworking through your firewall7. It would be unwise to\nfaire tout changes to your firewall without understanding what\nthe changes will do, exactly, and knowing what risks the new changes\nwill bring with them."},{"id":"text-187","heading":"Text","content":"5.11 How do I make my web server act as a front-end for a\n database that lives on my private network?"},{"id":"text-188","heading":"Text","content":"The best way to do this is to allow very limited connectivity between\nyour web server and your database server via a specific protocol that\nonly supports the level of functionality you're going to use.\nAllowing raw SQL, or anything else where custom extractions could be\nperformed by an attacker isn't generally a good idea.\nAssume that an attacker is going to be able to break into your web\nserver, and make queries in the same way that the web server can. Est\nthere a mechanism for extracting sensitive information that the web\nserver doesn't need, like credit card information? Can an attacker\nissue an SQL sélectionner and extract your entire proprietary\ndatabase?\n« E-commerce'' applications, like everything else, are best designed\nwith security in mind from the ground up, instead of having security\n« added'' as an afterthought. Review your architecture critically, from\nthe perspective of an attacker. Assume that the attacker knows\neverything about your architecture. Now ask yourself what needs to be\ndone to steal your data, to make unauthorized changes, or to do\nanything else that you don't want done. You might find that you can\nsignificantly increase security without decreasing functionality by\nmaking a few design and implementation decisions.\nSome ideas for how to handle this:"},{"id":"text-189","heading":"Text","content":"Extract the data you need from the database on a regular basis\n so you're not making queries against the full database, complete\n with information that attackers will find interesting."},{"id":"text-190","heading":"Text","content":"Greatly restrict and audit what you do allow between the web\n server and database."},{"id":"text-191","heading":"Text","content":"5.12 But my database has an integrated web server, and I want\n to use that. Can't I just poke a hole in the firewall and tunnel\n that port?"},{"id":"text-192","heading":"Text","content":"If your site firewall policy is sufficiently lax that you're willing\nto manage the risk that someone will exploit a vulnerability in your\nweb server that will result in partial or complete exposure of your\ndatabase, then there isn't much preventing you from doing this.\nHowever, in many organizations, the people who are responsible for\ntying the web front end to the database back end simply do not have\nthe authority to take that responsibility. Further, if the\ninformation in the database is about people, you might find yourself\nguilty of breaking a number of laws if you haven't taken reasonable\nprecautions to prevent the system from being abused.\nIn general, this isn't a good idea. See question 5.11 for\nsome ideas on other ways to accomplish this objective."},{"id":"text-193","heading":"Text","content":"5.13 How Do I Make IP Multicast Work With My Firewall?"},{"id":"text-194","heading":"Text","content":"IP multicast is a means of getting IP traffic from one host to a set\nof hosts without using broadcasting; that is, instead of every host\ngetting the traffic, only those that want it will get it, without each\nhaving to maintain a separate connection to the server. IP unicast is\nwhere one host talks to another, multicast is where one host talks to\na set of hosts, and broadcast is where one host talks to all hosts.\nThe public Internet has a multicast backbone (« MBone'') where users\ncan engage in multicast traffic exchange. Common uses for the MBone\nare streams of IETF meetings and similar such interaction. Getting\none's own network connected to the MBone will require that the\nupstream provider route multicast traffic to and from your network.\nAdditionally, your internal network will have to support multicast\nrouting.\nThe role of the firewall in multicast routing, conceptually, is no\ndifferent from its role in other traffic routing. That is, a policy\nthat identifies which multicast groups are and aren't allowed must be\ndefined and then a system of allowing that traffic according to policy\nmust be devised. Great detail on how exactly to do this is beyond the\nscope of this document. Fortunately, RFC 2588 [4]\ndiscusses the subject in more detail. Unless your firewall product\nsupports some means of selective multicast forwarding or you have the\nability to put it in yourself, you might find forwarding multicast\ntraffic in a way consistent with your security policy to be a bigger\nheadache than it's worth."},{"id":"text-195","heading":"Text","content":"by Mikael Olsson\nThis appendix will begin at a fairly « basic'' level, so even if the\nfirst points seem childishly self-evident to you, you might still\nlearn something from skipping ahead to something later in the text."},{"id":"text-196","heading":"Text","content":"6.1 What is a port?"},{"id":"text-197","heading":"Text","content":"A « port'' is « virtual slot'' in your TCP and UDP stack that is used\nto map a connection between two hosts, and also between the TCP/UDP\nlayer and the actual applications running on the hosts.\nThey are numbered 0-65535, with the range 0-1023 being marked as\n« reserved'' or « privlileged'', and the rest (1024-65535) as\n« dynamic'' or « unprivileged''.\nThere are basically two uses for ports:"},{"id":"text-198","heading":"Text","content":"« Listening'' on a port.\nThis is used by server applications waiting for users to connect, to\n get to some « well known service'', for instance HTTP (TCP port 80),\n Telnet (TCP port 23), DNS (UDP and sometimes TCP port 53)."},{"id":"text-199","heading":"Text","content":"Opening a « dynamic'' port.\nBoth sides of a TCP connection need to be identified by IP addresses\n and port numbers. Hence, when you want to « connect'' to a server\n process, your end of the communications channel also needs a « port''.\n This is done by choosing a port above 1024 on your machine that is\n not currently in use by another communications channel, and using it\n as the « sender'' in the new connection."},{"id":"text-200","heading":"Text","content":"Dynamic ports may also be used as « listening'' ports in some\napplications, most notably FTP.\nPorts in the range 0-1023 are almost always server ports. Ports in\nthe range 1024-65535 are usually dynamic ports (i.e., opened\ndynamically when you connect to a server port). cependant, tout\nport may be used as a server port, and tout port may be used as\nan « outgoing'' port.\nSo, to sum it up, here's what happens in a basic connection:"},{"id":"text-201","heading":"Text","content":"At some point in time, a server application on host 1.2.3.4\n decides to « listen'' at port 80 (HTTP) for new connections."},{"id":"text-202","heading":"Text","content":"You (5.6.7.8) want to surf to 1.2.3.4, port 80, and your browser\n issues a connect call to it."},{"id":"text-203","heading":"Text","content":"The connect call, realising that it doesn't yet have local port\n number, goes hunting for one. The local port number is necessary\n since when the replies come back some time in the future, your\n TCP/IP stack will have to know to what application to pass the\n reply. It does this by remembering what application uses which local\n port number. (This is grossly simplified, no flames from\n programmers, please.)"},{"id":"text-204","heading":"Text","content":"Your TCP stack finds an unused dynamic port, usually somewhere\n above 1024. Let's assume that it finds 1029."},{"id":"text-205","heading":"Text","content":"Your first packet is then sent, from your local IP, 5.6.7.8,\n port 1029, to 1.2.3.4, port 80."},{"id":"text-206","heading":"Text","content":"The server responds with a packet from 1.2.3.4, port 80, to you,\n 5.6.7.8, port 1029."},{"id":"text-207","heading":"Text","content":"This procedure is actually longer than this, read on for a more\n in-depth explanation of TCP connect sequences."},{"id":"text-208","heading":"Text","content":"6.2 How do I know which application uses what port?"},{"id":"text-209","heading":"Text","content":"There are several lists outlining the « reserved'' and « well known''\nports, as well as « commonly used'' ports, and the best one is:\nftp://ftp.isi.edu/in-notes/iana/assignments/port-numbers.\nFor those of you still reading RFC 1700 to find out what port number\ndoes what, STOP DOING IT. It is horribly out of date, and it won't be\nless so tomorrow.\nNow, as for trusting this information: These lists do not, in any way,\nconstitute any kind of holy bible on which ports do what.\nWait, let me rephrase that: THERE IS NO WAY OF RELIABLY DETERMINING\nWHAT PORT DOES WHAT SIMPLY BY LOOKING IN A LIST."},{"id":"text-210","heading":"Text","content":"6.3 What are LISTENING ports?"},{"id":"text-211","heading":"Text","content":"Suppose you did « netstat -a'' on your machine and ports 1025 and 1030\nshowed up as LISTENing. What do they do?\nRight, let's take a look in the assigned port numbers list."},{"id":"text-212","heading":"Text","content":"blackjack 1025/tcp network blackjack\n iad1 1030/tcp BBN IAD"},{"id":"text-213","heading":"Text","content":"Wait, what's happening? Has my workstation stolen my VISA number and\ndecided to go play blackjack with some rogue server on the internet?\nAnd what's that software that BBN has installed?\nThis is NOT where you start panicking and send mail to the firewalls\nlist. In fact, this question has been asked maybe a dozen times during\nthe past six months, and every time it's been answered. Not that THAT\nkeeps people from asking the same question again.\nIf you are asking this question, you are most likely using a windows\nboîte. The ports you are seeing are (most likely) two listening ports\nthat the RPC subsystem opens when it starts up.\nThis is an example of where dynamicly assigned ports may be used by\nserver processes. Applications using RPC will later on connect to port\n135 (the netbios « portmapper'') to query where to find some RPC\nservice, and get an answer back saying that that particular service\nmay be contacted on port 1025.\nNow, how do we know this, since there's no « list'' describing these\nports? Simple: There's no substitute for experience. And using the\nmailing list search engines also helps a hell of a lot."},{"id":"text-214","heading":"Text","content":"6.4 How do I determine what service the port is for?"},{"id":"text-215","heading":"Text","content":"Since it is impossible to learn what port does what by looking in a\nlist, how do i do it?\nThe old hands-on way of doing it is by shutting down nearly every\nservice/daemon running on your machine, doing netstat -a et\ntaking note of what ports are open. There shouldn't be very many\nlistening ones. Then you start turning all the services on, one by\none, and take note of what new ports show up in your netstat output.\nAnother way, that needs more guess work, is simply telnetting to the\nports and see what comes out. If nothing comes out, try typing some\ngibberish and slamming Enter a few times, and see if something turns\nup. If you get binary garble, or nothing at all, this obviously won't\nT'aider. :-)\nHowever, this will only tell you what listening ports are used. Il\nwon't tell you about dynamically opened ports that may be opened later\non by these applications.\nThere are a few applications that might help you track down the ports\nutilisé.\nOn Unix systems, there's a nice utility called lsof ça arrive\npreinstalled on many systems. It will show you all open port numbers\nand the names of the applications that are using them. Ça signifie\nthat it might show you a lot of locally opened files aswell as TCP/IP\nsockets. Read the help text. :-)\nOn windows systems, nothing comes preinstalled to assist you in this\ntask. (What's new?) There's a utility called « Inzider'' which\ninstalls itself inside the windows sockets layer and dynamically\nremembers which process opens which port. The drawback of this\napproach is that it can't tell you what ports were opened before\ninzider started, but it's the best that you'll get on windows (to my\nknowledge).\nhttp://ntsecurity.nu/toolbox/inzider/."},{"id":"text-216","heading":"Text","content":"6.5 What ports are safe to pass through a firewall?"},{"id":"text-217","heading":"Text","content":"ALL.\nNo, wait, NONE.\nNo, wait, uuhhh… I've heard that all ports above 1024 are safe since\nthey're only dynamic??\nPas vraiment. You CANNOT tell what ports are safe simply by looking at\nits number, simply because that is really all it is. A number. Vous\ncan't mount an attack through a 16-bit number.\nThe security of a « port'' depends on what application you'll reach\nthrough that port.\nA common misconception is that ports 25 (SMTP) and 80 (HTTP) are safe\nto pass through a firewall. *meep* WRONG. Just because everyone is\ndoing it doesn't mean that it is safe.\nAgain, the security of a port depends on what application you'll reach\nthrough that port.\nIf you're running a well-written web server, that is designed from the\nground up to be secure, you can probably feel reasonably assured that\nit's safe to let outside people access it through port 80. Otherwise,\nyou CAN'T.\nThe problem here is not in the network layer. It's in how the\napplication processes the data that it receives. This data may be\nreceived through port 80, port 666, a serial line, floppy or through\nsinging telegram. If the application is not safe, it does not matter\nhow the data gets to it. The application data is where the real danger\nlies.\nIf you are interested in the security of your application, go\ns'abonner à\nbugtraq8or or try searching their archives.\nThis is more of an application security issue rather than a firewall\nsecurity issue. One could argue that a firewall should stop all\npossible attacks, but with the number of new network protocols, NOT\ndesigned with security in mind, and networked applications, neither\ndesigned with security in mind, it becomes impossible for a firewall\nto protect against all data-driven attacks."},{"id":"text-218","heading":"Text","content":"6.6 The behavior of FTP"},{"id":"text-219","heading":"Text","content":"Or, « Why do I have to open all ports above 1024 to my FTP server?''\nFTP doesn't really look a whole lot like other applications from a\nnetworking perspective.\nIt keeps one listening port, port 21, which users connect to. All it\ndoes is let people log on, and establish ANOTHER connection to do\nactual data transfers. This second connection is usually on some port\nabove 1024.\nThere are two modes, « active'' (normal) and « passive'' mode. Ce\nword describes the server's behaviour.\nIn active mode, the client (5.6.7.8) connects to port 21 on the server\n(1.2.3.4) and logs on. When file transfers are due, the client\nallocates a dynamic port above 1024, informs the server about which\nport it opened, and then the server opens a new connection to that\nport. This is the « active'' role of the server: it actively\nestablishes new connections to the client.\nIn passive mode, the connection to port 21 is the same. When file\ntransfers are due, the SERVER allocates a dynamic port above 1024,\ninforms the client about which port it opened, and then the CLIENT\nopens a new connection to that port. This is the « passive'' role of\nthe server: it waits for the client to establish the second (data)\nlien.\nIf your firewall doesn't inspect the application data of the FTP\ncommand connection, it won't know that it needs to dynamically open\nnew ports above 1024.\nOn a side note: The traditional behaviour of FTP servers in active\nmode is to establish the data session FROM port 20, and to the dynamic\nport on the client. FTP servers are steering away from this behaviour\nsomewhat due to the need to run as « root'' on unix systems in order\nto be able to allocate ports below 1024. Running as « root'' is not\ngood for security, since if there's a bug in the software, the\nattacker would be able to compromise the entire machine. The same goes\nfor running as « Administrator'' or « SYSTEM'' (« LocalSystem'') on NT\nmachines, although the low port problem does not apply on NT.\nTo sum it up, if your firewall understands FTP, it'll be able to\nhandle the data connections by itself, and you won't have to worry\nabout ports above 1024.\nIf it does NOT, there are four issues that you need to address:"},{"id":"text-220","heading":"Text","content":"Firewalling an FTP server in active mode\nYou need to let your server open new connections to the outside\n world on ports 1024 and above"},{"id":"text-221","heading":"Text","content":"Firewalling an FTP server in passive mode\nYou need to let the outside world connect to ports 1024 and above on\n your server. CAUTION!!!! There may be applications running on some\n of these ports that you do NOT want outside people using. Disallow\n access to these ports before allowing access to the 1024-65535 port\n range."},{"id":"text-222","heading":"Text","content":"Firewalling FTP clients in active mode\nYou need to let the outside world connect to ports 1024 and above on\n your clients. CAUTION!!!! There may be applications running on some\n of these ports that you do NOT want outside people using. Disallow\n access to these ports before allowing access to the 1024-65535 port\n range."},{"id":"text-223","heading":"Text","content":"Firewalling FTP clients in passive mode\nYou need to let your clients open new connections to the outside\n world on ports 1024 and above."},{"id":"text-224","heading":"Text","content":"Again, if your firewall understands FTP, none of the four points above\napply to you. Let the firewall do the job for you."},{"id":"text-225","heading":"Text","content":"6.7 What software uses what FTP mode?"},{"id":"text-226","heading":"Text","content":"It is up to the client to decide what mode to use; the default mode\nwhen a new connection is opened is « active mode''.\nMost FTP clients come preconfigured to use active mode, but provide an\noption to use « passive'' (« PASV'') mode. An exception is the\nwindows command line FTP client which only operates in active mode.\nWeb Browsers generally use passive mode when connecting via FTP, with\na weird exception: MSIE 5 will use active FTP when FTP:ing in « File\nExplorer'' mode and passive FTP when FTP:ing in « Web Page'' mode.\nThere is no reason whatsoever for this behaviour; je suppose que\nsomeone in Redmond with no knowledge of FTP decided that « Of course\nwe'll use active mode when we're in file explorer mode, since that\nlooks more active than a web page''. Go figure."},{"id":"text-227","heading":"Text","content":"6.8 Is my firewall trying to connect outside?"},{"id":"text-228","heading":"Text","content":"My firewall logs are telling me that my web server is trying to\nconnect from port 80 to ports above 1024 on the outside. Quel est\nthis?!\nIf you are seeing dropped packets from port 80 on your web server (or\nfrom port 25 on your mail server) to high ports on the outside, they\nusually DO NOT mean that your web server is trying to connect\nsomewhere.\nThey are the result of the firewall timing out a connection, and\nseeing the server retransmitting old responses (or trying to close the\nconnection) to the client.\nTCP connections always involve packets traveling in BOTH directions in\nthe connection.\nIf you are able to see the TCP flags in the dropped packets, you'll\nsee that the ACK flag is set but not the SYN flag, meaning that this\nis actually not a new connection forming, but rather a response of a\npreviously formed connection.\nRead point 8 below for an in-depth explanation of what happens when\nTCP connections are formed (and closed)"},{"id":"text-229","heading":"Text","content":"6.9 The anatomy of a TCP connection"},{"id":"text-230","heading":"Text","content":"TCP is equipped with 6 « flags'', which may be ON or OFF. These flags\nsont:"},{"id":"text-231","heading":"Text","content":"FIN\n« Controlled'' connection close"},{"id":"text-232","heading":"Text","content":"SYN\nOpen new connection"},{"id":"text-233","heading":"Text","content":"RST\n« Immediate'' connection close"},{"id":"text-234","heading":"Text","content":"PSH\nInstruct receiver host to push the data up to the\n application rather than just queue it"},{"id":"text-235","heading":"Text","content":"ACK\n« Acknowledge'' a previous packet"},{"id":"text-236","heading":"Text","content":"URG\n« Urgent'' data which needs to be processed immediately"},{"id":"text-237","heading":"Text","content":"In this example, your client is 5.6.7.8, and the port assigned to you\ndynamically is 1049. The server is 1.2.3.4, port 80.\nYou begin the connection attempt:"},{"id":"text-238","heading":"Text","content":"5.6.7.8:1049 -> 1.2.3.4:80 SYN=ON\nThe server receives this packet and understands that someone wants to\nform a new connection. A response is sent:"},{"id":"text-239","heading":"Text","content":"1.2.3.4:80 -> 5.6.7.8:1049 SYN=ON ACK=ON\nThe client receives the response, and informs that the response\nis received"},{"id":"text-240","heading":"Text","content":"5.6.7.8:1049 -> 1.2.3.4:80 ACK=ON\nHere, the connection is opened. This is called a three-way handshake.\nIts purpose is to verify to BOTH hosts that they have a working\nconnection between them.\nThe internet being what it is, unreliable and flooded, there are\nprovisions to compensate for packet loss.\nIf the client sends out the initial SYN without receiving a SYN+ACK\nwithin a few seconds, it'll resend the SYN.\nIf the server sends out the SYN+ACK without receiving an ACK in a few\nseconds, it'll resend the SYN+ACK packet.\nThe latter is actually the reason that SYN flooding works so well. Si\nyou send out SYN packets from lots of different ports, this will tie\nup a lot of resources on the server. If you also refuse to respond to\nthe returned SYN+ACK packets, the server will KEEP these connections\nfor a long time, resending the SYN+ACK packets. Some servers will not\naccept new connections while there are enough connections currently\nforming; this is why SYN flooding works.\nAll packets transmitted in either direction after the three-way\nhandshake will have the ACK bit set. Stateless packet filters make\nuse of this in the so called « established'' filters: They will only\nlet packets through that have the ACK bit set. This way, no packet may\npass through in a certain direction that could form a new connection.\nTypically, you don't allow outside hosts to open new connections to\ninside hosts by requiring the ACK bit set on these packets.\nWhen the time has come to close the connection, there are two ways of\ndoing it: Using the FIN flag, or using the RST flag. Using FIN flags,\nboth implementations are required to send out FIN flags to indicate\nthat they want to close the connection, and then send out\nacknowledgements to these FINs, indicating that they understood that\nthe other end wants to close the connection. When sending out RST's,\nthe connection is closed forcefully, and you don't really get an\nindication of whether the other end understood your reset order, or\nthat it has in fact received all data that you sent to it.\nThe FIN way of closing the connection also exposes you to a\ndenial-of-service situation, since the TCP stack needs to remember the\nclosed connection for a fairly long time, in case the other end hasn't\nreceived one of the FIN packets.\nIf sufficiently many connections are opened and closed, you may end up\nhaving « closed'' connections in all your connection slots. This way,\nyou wouldn't be able to dynamically allocate more connections, seeing\nthat they're all used. Different OSes handle this situation\ndifféremment.\nWe feel this topic is too sensitive to address in a FAQ, however, an\nindependently maintained list (no warranty or recommendations are\nimplied) can be found\nen ligne.9"},{"id":"text-241","heading":"Text","content":"Abuse of Privilege\nWhen a user performs an action that they\n should not have, according to organizational policy or law."},{"id":"text-242","heading":"Text","content":"Access Control Lists\nRules for packet filters (typically\n routers) that define which packets to pass and which to block."},{"id":"text-243","heading":"Text","content":"Access Router\nA router that connects your network to the\n external Internet. Typically, this is your first line of defense\n against attackers from the outside Internet. By enabling access\n control lists on this router, you'll be able to provide a level of\n protection for all of the hosts « behind'' that router, effectively\n making that network a DMZ instead of an unprotected external LAN."},{"id":"text-244","heading":"Text","content":"Application-Layer Firewall\nA firewall system in which service\n is provided by processes that maintain complete TCP connection state\n and sequencing. Application layer firewalls often re-address traffic\n so that outgoing traffic appears to have originated from the\n firewall, rather than the internal host."},{"id":"text-245","heading":"Text","content":"Authentification\nThe process of determining the identity of a\n user that is attempting to access a system."},{"id":"text-246","heading":"Text","content":"Authentication Token\nA portable device used for authenticating\n a user. Authentication tokens operate by challenge/response,\n time-based code sequences, or other techniques. This may include\n paper-based lists of one-time passwords."},{"id":"text-247","heading":"Text","content":"Autorisation\nThe process of determining what types of\n activities are permitted. Usually, authorization is in the context\n of authentication: once you have authenticated a user, they may be\n authorized different types of access or activity."},{"id":"text-248","heading":"Text","content":"Bastion Host\nA system that has been hardened to resist attack,\n and which is installed on a network in such a way that it is\n expected to potentially come under attack. Bastion hosts are often\n components of firewalls, or may be « outside'' web servers or public\n access systems. Generally, a bastion host is running some form of\n general purpose operating system (e.g., Unix, VMS, NT, etc.) rather\n than a ROM-based or firmware operating system."},{"id":"text-249","heading":"Text","content":"Challenge/Response\nAn authentication technique whereby a\n server sends an unpredictable challenge to the user, who computes a\n response using some form of authentication token."},{"id":"text-250","heading":"Text","content":"Chroot\nA technique under Unix whereby a process is permanently\n restricted to an isolated subset of the filesystem."},{"id":"text-251","heading":"Text","content":"Cryptographic Checksum\nA one-way function applied to a file to\n produce a unique « fingerprint'' of the file for later reference.\n Checksum systems are a primary means of detecting filesystem\n tampering on Unix."},{"id":"text-252","heading":"Text","content":"Data Driven Attack\nA form of attack in which the attack is\n encoded in innocuous-seeming data which is executed by a user or\n other software to implement an attack. In the case of firewalls, a\n data driven attack is a concern since it may get through the\n firewall in data form and launch an attack against a system behind\n the firewall."},{"id":"text-253","heading":"Text","content":"Defense in Depth\nThe security approach whereby each system on\n the network is secured to the greatest possible degree. May be used\n in conjunction with firewalls."},{"id":"text-254","heading":"Text","content":"DNS spoofing\nAssuming the DNS name of another system by either\n corrupting the name service cache of a victim system, or by\n compromising a domain name server for a valid domain."},{"id":"text-255","heading":"Text","content":"Dual Homed Gateway\nA dual homed gateway is a system that has\n two or more network interfaces, each of which is connected to a\n different network. In firewall configurations, a dual homed gateway\n usually acts to block or filter some or all of the traffic trying to\n pass between the networks."},{"id":"text-256","heading":"Text","content":"Encrypting Router\nsee Tunneling Router and Virtual Network\n Perimeter."},{"id":"text-257","heading":"Text","content":"Pare-feu\nA system or combination of systems that enforces a\n boundary between two or more networks."},{"id":"text-258","heading":"Text","content":"Host-based Security\nThe technique of securing an individual\n system from attack. Host based security is operating system and\n version dependent."},{"id":"text-259","heading":"Text","content":"Insider Attack\nAn attack originating from inside a protected\n network."},{"id":"text-260","heading":"Text","content":"Intrusion Detection\nDetection of break-ins or break-in\n attempts either manually or via software expert systems that operate\n on logs or other information available on the network."},{"id":"text-261","heading":"Text","content":"IP Spoofing\nAn attack whereby a system attempts to illicitly\n impersonate another system by using its IP network address."},{"id":"text-262","heading":"Text","content":"IP Splicing / Hijacking\nAn attack whereby an active,\n established, session is intercepted and co-opted by the attacker. IP\n Splicing attacks may occur after an authentication has been made,\n permitting the attacker to assume the role of an already authorized\n utilisateur. Primary protections against IP Splicing rely on encryption at\n the session or network layer."},{"id":"text-263","heading":"Text","content":"Least Privilege\nDesigning operational aspects of a system to\n operate with a minimum amount of system privilege. This reduces the\n authorization level at which various actions are performed and\n decreases the chance that a process or user with high privileges may\n be caused to perform unauthorized activity resulting in a security\n breach."},{"id":"text-264","heading":"Text","content":"Enregistrement\nThe process of storing information about events that\n occurred on the firewall or network."},{"id":"text-265","heading":"Text","content":"Log Retention\nHow long audit logs are retained and maintained."},{"id":"text-266","heading":"Text","content":"Log Processing\nHow audit logs are processed, searched for key\n events, or summarized."},{"id":"text-267","heading":"Text","content":"Network-Layer Firewall\nA firewall in which traffic is examined\n at the network protocol packet layer."},{"id":"text-268","heading":"Text","content":"Perimeter-based Security\nThe technique of securing a network\n by controlling access to all entry and exit points of the network."},{"id":"text-269","heading":"Text","content":"Politique\nOrganization-level rules governing acceptable use of\n computing resources, security practices, and operational procedures."},{"id":"text-270","heading":"Text","content":"Proxy\nA software agent that acts on behalf of a user. Typical\n proxies accept a connection from a user, make a decision as to\n whether or not the user or client IP address is permitted to use the\n proxy, perhaps does additional authentication, and then completes a\n connection on behalf of the user to a remote destination."},{"id":"text-271","heading":"Text","content":"Screened Host\nA host on a network behind a screening router.\n The degree to which a screened host may be accessed depends on the\n screening rules in the router."},{"id":"text-272","heading":"Text","content":"Screened Subnet\nA subnet behind a screening router. The degree\n to which the subnet may be accessed depends on the screening rules\n in the router."},{"id":"text-273","heading":"Text","content":"Screening Router\nA router configured to permit or deny traffic\n based on a set of permission rules installed by the administrator."},{"id":"text-274","heading":"Text","content":"Session Stealing\nSee IP Splicing."},{"id":"text-275","heading":"Text","content":"Trojan Horse\nA software entity that appears to do something\n normal but which, in fact, contains a trapdoor or attack program."},{"id":"text-276","heading":"Text","content":"Tunneling Router\nA router or system capable of routing traffic\n by encrypting it and encapsulating it for transmission across an\n untrusted network, for eventual de-encapsulation and decryption."},{"id":"text-277","heading":"Text","content":"Social Engineering\nAn attack based on deceiving users or\n administrators at the target site. Social engineering attacks are\n typically carried out by telephoning users or operators and\n pretending to be an authorized user, to attempt to gain illicit\n access to systems."},{"id":"text-278","heading":"Text","content":"Virtual Network Perimeter\nA network that appears to be a\n single protected network behind firewalls, which actually\n encompasses encrypted virtual links over untrusted networks."},{"id":"text-279","heading":"Text","content":"Virus\nA replicating code segment that attaches itself to a\n program or data file. Viruses might or might not not contain attack\n programs or trapdoors. Unfortunately, many have taken to calling\n tout malicious code a « virus''. If you mean « trojan horse'' or\n « worm'', say « trojan horse'' or « worm''."},{"id":"text-280","heading":"Text","content":"Worm\nA standalone program that, when run, copies itself from\n one host to another, and then runs itself on each newly infected\n host. The widely reported « Internet Virus'' of 1988 was not a virus\n at all, but actually a worm."},{"id":"text-281","heading":"Text","content":"Notes de bas de page"},{"id":"text-282","heading":"Text","content":"…\nSystème1\nhttp://mail-abuse.org/"},{"id":"text-283","heading":"Text","content":"… Initiative2\nhttp://mail-abuse.org/tsi/"},{"id":"text-284","heading":"Text","content":"… Squid3\nhttp://squid.nlanr.net/"},{"id":"text-285","heading":"Text","content":"… Apache4\nhttp://www.apache.org/docs/mod/mod_proxy.html"},{"id":"text-286","heading":"Text","content":"… Proxy5\nhttp://home.netscape.com/proxy/v3.5/index.html"},{"id":"text-287","heading":"Text","content":"… Netscape6"},{"id":"text-288","heading":"Text","content":"http://developer.netscape.com/docs/manuals/security/sslin/contents.htm"},{"id":"text-289","heading":"Text","content":"… firewall7\n \n http://www.real.com/firewall/"},{"id":"text-290","heading":"Text","content":"…\nbugtraq8\nhttp://www.securityfocus.com"},{"id":"text-291","heading":"Text","content":"…\nen ligne.9\nhttp://www.thegild.com/firewall/."},{"id":"text-292","heading":"Text","content":"paul@compuwar.net"},{"id":"text-293","heading":"Text","content":"Click to rate this post!\n \n [Total: 0 Average: 0]"}],"media":{"primary_image":""},"relations":[{"rel":"canonical","href":"https://tutos-gameserver.fr/2019/05/03/firewalls-internet-foire-aux-questions-serveur-dimpression/"},{"rel":"alternate","href":"https://tutos-gameserver.fr/2019/05/03/firewalls-internet-foire-aux-questions-serveur-dimpression/llm","type":"text/html"},{"rel":"alternate","href":"https://tutos-gameserver.fr/2019/05/03/firewalls-internet-foire-aux-questions-serveur-dimpression/llm.json","type":"application/json"},{"rel":"llm-manifest","href":"https://tutos-gameserver.fr/llm-endpoints-manifest.json","type":"application/json"}],"http_headers":{"X-LLM-Friendly":"1","X-LLM-Schema":"1.1.0","Content-Security-Policy":"default-src 'none'; img-src * data:; style-src 'unsafe-inline'"},"license":"CC BY-ND 4.0","attribution_required":true,"allow_cors":false}