Securing DNS

nullpit, Networks and Communications

23 Oct 2013 (3 years and 9 months ago)






MBAeSecurity Resources

Information for internal use by the students of Assoc. Prof. Dr. Stefan Drazhev


There is hardly any other area of Computer Science that develops and changes so quickly...


PC

1/1/2007


MBAeSecurity Resources 2007 | 2 | Стефан Дражев, ste@bultima.net





Web: https://www.learnsecurityonline.com

Learn Security Online, Inc.

* Security Games * Simulators
* Challenge Servers * Courses
* Hacking Competitions * Hacklab Access

"The only thing worse than training good employees and losing them is NOT training your employees and keeping them." - Zig Ziglar

Introduction to Network Security List - Network Security Archives
http://www.networksecurityarchive.org/html/Security-Basics/

2007-10: [Date] [Thread] [mbox: 1555290 bytes]
2007-09: [Date] [Thread] [mbox: 2478572 bytes]
2007-08: [Date] [Thread] [mbox: 405899 bytes, gzipped]
2007-07: [Date] [Thread] [mbox: 292542 bytes, gzipped]
2007-06: [Date] [Thread] [mbox: 262126 bytes, gzipped]
2007-05: [Date] [Thread] [mbox: 981482 bytes, gzipped]
2007-04: [Date] [Thread] [mbox: 1005059 bytes, gzipped]
2007-02: [Date] [Thread] [mbox: 174382 bytes, gzipped]
2007-01: [Date] [Thread] [mbox: 353870 bytes, gzipped]
2006-12: [Date] [Thread] [mbox: 483767 bytes, gzipped]
2006-11: [Date] [Thread] [mbox: 431543 bytes, gzipped]
2006-10: [Date] [Thread] [mbox: 433501 bytes, gzipped]
2006-09: [Date] [Thread] [mbox: 405844 bytes, gzipped]
2006-08: [Date] [Thread] [mbox: 318459 bytes, gzipped]
2006-07: [Date] [Thread] [mbox: 2684349 bytes, gzipped]
2006-06: [Date] [Thread] [mbox: 54874 bytes, gzipped]
2006-05: [Date] [Thread] [mbox: 322120 bytes, gzipped]
2006-04: [Date] [Thread] [mbox: 458332 bytes, gzipped]
2006-03: [Date] [Thread] [mbox: 499426 bytes, gzipped]
2006-02: [Date] [Thread] [mbox: 649717 bytes, gzipped]
2006-01: [Date] [Thread] [mbox: 669416 bytes, gzipped]
2005-12: [Date] [Thread] [mbox: 306750 bytes, gzipped]
2005-11: [Date] [Thread] [mbox: 509131 bytes, gzipped]
2005-10: [Date] [Thread] [mbox: 627769 bytes, gzipped]
2005-09: [Date] [Thread] [mbox: 504372 bytes, gzipped]
2005-08: [Date] [Thread] [mbox: 552215 bytes, gzipped]
2005-07: [Date] [Thread] [mbox: 439136 bytes, gzipped]
2005-06: [Date] [Thread] [mbox: 255489 bytes, gzipped]
2005-05: [Date] [Thread] [mbox: 255945 bytes, gzipped]
2005-04: [Date] [Thread] [mbox: 458465 bytes, gzipped]
2005-03: [Date] [Thread] [mbox: 575438 bytes, gzipped]
2005-02: [Date] [Thread] [mbox: 365149 bytes, gzipped]
2005-01: [Date] [Thread] [mbox: 435702 bytes, gzipped]
2004-12: [Date] [Thread] [mbox: 500378 bytes, gzipped]
2004-11: [Date] [Thread] [mbox: 544820 bytes, gzipped]
2004-10: [Date] [Thread] [mbox: 578734 bytes, gzipped]
2004-09: [Date] [Thread] [mbox: 476041 bytes, gzipped]
2004-08: [Date] [Thread] [mbox: 213339 bytes, gzipped]

[All Lists]



If you like something more focused on web application security, I recommend the OWASP Live CD (LabRat). It is a bootable CD akin to Knoppix but dedicated to Application Security. It shall serve as a vehicle and distribution medium for OWASP tools and guides.

http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project

Best

--

blog: www.cryptolife.org
skype me: phillip.bailey

Security/Linux Journal: http://www.linuxjournal.com/taxonomy/term/31


Phishing scams

You May Not Take the Phish Bait, but Are You Giving Away the Pharm?

May 31, 2005 - (HOSTSEARCH.COM) - As the way we communicate and transact continues to become more sophisticated, so it seems that those who prey upon the weak and vulnerable in society take scamming to a new level. Internet users now have a very real and troubling new threat to educate themselves about: Pharming.

Most users are now aware of email Phishing scams, where users receive emails from "Big Bank USA" warning that there is a security alert which will result in the closing of their account if they don't respond immediately. This email directs the user to a login screen requesting all the personal and account information for the user's bank account. The disturbing fact remains that those who are victimized by such scams are told by their bank that their security is their own business and that the bank bears no liability.

Pharming has the potential to rock the financial world like an earthquake. It brings theft to a broader scale of damage only equaled by the losses suffered by shareholders of Enron. Pharmers target the DNS (Domain Name Server) in a process called cache poisoning, where web addresses are copied then counterfeited. Once the DNS is poisoned, it allows scammers to control the server and redirect traffic toward their counterfeit copy. A user routinely and comfortably types a domain such as bigusabank.com which has actually been redirected to another location co-located on a third world server. This counterfeit location may even include a secure-looking site such as: bigusabank.com/34234/0982314/465adbjkasdasd.axpx. The clone site extracts user names, logins and other personal information. Unique to pharming, the criminals can now quickly gather large amounts of login identities and turn their criminal efforts into stolen money transferred to their third world bank accounts. What's worse, according to bank sources, many third world banks not only don't condone the activity but may actively support and actually help to sponsor such scams and provide profit sharing with the scammers.

Several companies including LogiGuard LLC provide server protection certification. LogiGuard presents Hacker Guard as a server solution to those desiring advanced security. Hacker Guard alerts System Administrators in real time of changes to their home pages and server exploits, which protects websites from DNS manipulations and individual users from malicious pharming scandals. Hacker Guard is constantly updated for vulnerabilities that such scammers exploit to change DNS information. LogiGuard ensures that your web host's server is protected against the known exploits as listed by the SANS (SysAdmin Audit Network Security) Institute, which is an independent network of IT specialists that categorize and identify new and emerging internet and network vulnerabilities. Now more than ever, your web host needs to offer third party verification to certify that their server is protected.

Perhaps the most disturbing aspect of this new threat, Pharming, is that internet customers bear the burden of liability to maintain their own security, according to banking analysts. However, if your web host is not secured, this is one strike you may not be able to detect until it is too late. We encourage internet users to contact their web host and ask them to provide evidence of privacy security on their server which protects individual identities.

Password-automation software helps employees change or recover forgotten passwords without taking up valuable time calling the help desk. Baseline's calculator shows how much time and money it can save, letting support staffers focus on other problems.

"Microsoft's senior program manager for security policy, Jesper Johansson, presents a provocative but interesting view on password policy: He claims that prohibiting users from writing down their passwords is bad for security. His main point is that if users are prohibited from writing down their passwords, they will use the same easy to guess password everywhere." From the article: "Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it...If I write them down and then protect the piece of paper -- or whatever it is I wrote them down on -- there is nothing wrong with that. That allows us to remember more passwords and better passwords."

http://it.slashdot.org/article.pl?sid=05/05/24/2047228&tid=172


IMHO as a good BOFH you _MUST_ require that all employees use an alphanumeric password (8 or 10 chars minimum)... if they don't, their emails, files, or anything else can be redirected to /dev/null ;)

No, seriously, I never heard of a "scientific analytical/statistical research" about this subject.

But take a look at the post on slashdot

"How many have (a) password policy that says under penalty of death you shall not write down your password?" asked Johansson, to which the majority of attendees raised their hands in agreement. "I claim that is absolutely wrong. I claim that password policy should say you should write down your password. I have 68 different passwords. If I am not allowed to write any of them down, guess what I am going to do? I am going to use the same password on every one of them."

According to Johansson, use of the same password reduces overall security.

"Since not all systems allow good passwords, I am going to pick a really crappy one, use it everywhere and never change it," Johansson said. "If I write them down and then protect the piece of paper -- or whatever it is I wrote them down on -- there is nothing wrong with that. That allows us to remember more passwords and better passwords."

Johansson said the security industry had been giving out the wrong advice about passwords for 20 years.

Delegates at the conference agreed that Johansson's advice made sense. However, some said they did not think it was practical.

One IT administrator from an international entertainment company who asked not to be named said that his company has a strict policy against allowing employees to write down passwords. Still, he said, he collates his personal passwords in an encrypted file because it "made more sense" than trying to remember multiple strong passwords.

A delegate from a government agency who also requested anonymity said that storing a password list in an encrypted file may work for the administrator, but it would not work for some users because they would then forget the password to decrypt the password file.

The delegate said that even using two-factor authentication -- such as an RSA token -- was not safe because people often write their PIN on a piece of paper and tape it to the back of the token.

"I know of a government minister that has done that," the delegate said.

© Federal Office for Information Security (BSI). All rights reserved

Contents

1 Finding Your Way Around the IT-Grundschutz Manual
1.1 IT-Grundschutz: the Aim, Concept and Central Idea
1.2 Structure and Interpretation of the Manual
1.3 Using the IT-Grundschutz Manual
1.4 Brief Outline of Existing Modules
1.5 Additional Resources
1.6 Information Flow and Points of Contact

2 Using the IT-Grundschutz Manual
2.1 IT Structure Analysis
2.2 Assessment of Protection Requirements
2.3 IT-Grundschutz Modelling
2.4 Basic Security Check
2.5 Supplementary Security Analysis
2.6 Implementation of IT Security Safeguards
2.7 IT-Grundschutz Certificate

3 IT-Grundschutz of Generic Components
3.0 IT Security Management
3.1 Organisation
3.2 Personnel
3.3 Contingency Planning Concept
3.4 Data Backup Policy
3.5 Data Protection
3.6 Computer Virus Protection Concept
3.7 Crypto-concept
3.8 Handling of Security Incidents
3.9 Hardware and Software Management
3.10 Outsourcing

4 Infrastructure
4.1 Buildings
4.2 Cabling
4.3 Rooms
4.3.1 Office
4.3.2 Server Room
4.3.3 Data Media Archives
4.3.4 Technical Infrastructure Room
4.4 Protective Cabinets
4.5 Working Place at Home (Telecommuting)
4.6 Computer Centres

5 Non-Networked Systems
5.1 DOS PC (Single User)
5.2 UNIX System
5.3 Laptop PC
5.4 PCs with a Non-Constant User Population
5.5 PC under Windows NT
5.6 PC with Windows 95
5.7 Windows 2000 Client
5.8 Internet PC
5.99 Stand-Alone IT Systems Generally

6 Networked Systems
6.1 Server-Supported Network
6.2 UNIX Servers
6.3 Peer-to-Peer Services
6.4 Windows NT Network
6.5 Novell Netware 3.x
6.6 Novell Netware 4.x
6.7 Heterogeneous Networks
6.8 Network and System Management
6.9 Windows 2000 Server
6.10 S/390 and zSeries Mainframes

7 Data Transmission Systems
7.1 Exchange of Data Media
7.2 Modem
7.3 Firewall
7.4 E-mail
7.5 Web Servers
7.6 Remote Access
7.7 Lotus Notes
7.8 Internet Information Server
7.9 Apache Web Server
7.10 Exchange/Outlook2000
7.11 Routers and Switches

8 Infrastructure
8.1 Telecommunications Systems (Private Branch Exchange, PBX)
8.2 Fax Machines
8.3 Answering Machines
8.4 LAN Connection of an IT system via ISDN
8.5 Fax Servers
8.6 Mobile Telephones
8.7 PDAs

9 Other IT Components
9.1 Standard Software
9.2 Databases
9.3 Telecommuting
9.4 Novell eDirectory 8.6
9.5 Archiving

Safeguards Catalogues
S 1 Infrastructure
S 2 Organisation
S 3 Personnel
S 4 Hardware & Software
S 5 Communication
S 6 Contingency Planning

Threats Catalogues
T 1 Force Majeure
T 2 Organisational Shortcomings
T 3 Human Error
T 4 Technical Failure
T 5 Deliberate Acts

Annex
- Additional Aids
  Fax form for: proposed changes; experience report; damage reports
  Registration Form for Computer Viruses
- KBSt Recommendation 2/95
- References and Abbreviations
- Registered users
- The BSI Grundschutz Tool
- BSI-Tool Secure UNIX Administration
- Index



T 2.66 Lack of or Inadequate IT Security Management

The complexity of the IT systems used in many enterprises today and the trend towards networking these systems makes it imperative to proceed in an organised fashion with regard to planning, implementation and monitoring of the IT security process. Experience shows that it is not sufficient simply to arrange for safeguards to be implemented, as often the individuals concerned, especially the IT users, do not have the technical expertise and/or time that are needed to implement them properly. As a result, security measures frequently fail to be implemented at all so that it is impossible to attain a satisfactory level of security. Even if a satisfactory level of security is achieved, it must be continuously nurtured if it is to remain current.

Inadequate IT security management is often a symptom of a poor overall organisation of the IT security process and hence of IT operations as a whole. Examples of specific threats which result from inadequate IT security management include the following:

- Lack of personal responsibility. If no IT security Management Team has been set up in an organisation or if no IT Security Officer has been appointed and personal responsibilities for implementing individual measures have not been clearly defined, then it is likely that many IT users will decline to take responsibility for IT security, maintaining that it is the responsibility of those above them in the organisational hierarchy. Consequently safeguards which at the outset nearly always require extra work on top of one's normal duties remain unimplemented.

- Inadequate support from management. Usually IT Security Officers are not members of an organisation's management team. If the latter does not unambiguously support the IT Security Officers in their work, this could make it difficult to effectively require that the necessary measures are implemented, including by IT users who are above them in the organisational hierarchy. In these circumstances, there is no guarantee that the IT security process will be fully implemented.

- Inadequate strategic and conceptual requirements. In many organisations the job of drawing up an IT security concept is commissioned, its content is known to only a few insiders and its requirements are either deliberately or unconsciously not adhered to in those parts of the organisation where organisational effort would be required in order to implement it. To the extent that the IT security concept contains strategic objectives, these are often viewed simply as a collection of declarations of intent, and insufficient resources are made available to implement them. Frequently it is falsely assumed that in an automated environment security is automatically generated. Sometimes spurts of activity are triggered in response to a damaging incident in the organisation or in other organisations with a similar structure, but at best only a subset of the issues are properly addressed.

- Insufficient or misdirected investment. If the Management of an organisation is not kept informed of the security status of the IT systems and applications and of existing shortcomings through regular IT security reports which lay down clear priorities, it is probable that insufficient resources will be made available for the IT security process or that these will be applied in an inappropriate manner. In the latter case it is possible to have an excessively high level of security in one sub-area and serious deficiencies in another. Another common observation is that expensive technical security systems are incorrectly used, rendering them ineffective or even transforming them into security hazards.

- Impracticability of safeguard concepts. To achieve a consistent level of IT security it is necessary that those in positions of responsibility within an organisation co-operate with each other. Inadequate strategic direction and unclear objectives sometimes result in different interpretations of the importance of IT security. This can have the result that the necessary co-operation is ultimately not forthcoming due to the supposed non-necessity or inadequate prioritisation of the "IT security" task, and hence that the implementability of the IT security measures cannot be taken for granted.

- Failure to update the IT security process. New IT systems or new threats have a direct impact on the IT security position within an organisation. Without an effective review concept, the IT security level will fall over time. Thus, what was once really secure slowly gives way to a dangerous illusion of security because people are often not aware of the new threats.

S 4 Safeguard Catalogue
-

Hardware & Software

S 4.1

Password protection for IT systems

S 4.2

Screen Lock

S 4.3

Periodic runs of a virus detection program

S 4.4

Correct Handling of Drives for Removable Media

S 4.5

Logging of PBX administration jobs

S 4.6

Audit of the PBX configuration (target/performance reconciliation)

S 4.7

Change of preset passwords

S 4.8

Protection of the PBX operator's console

S 4.9

Use of the security mechanisms of X Windows

S 4.10

Passwor
d protection for PBX terminals

S 4.11

Screening of PBX interfaces

S 4.12

Disabling of unneeded user facilities

S 4.13

Careful allocation of identifiers

S 4.14

Mandatory password protection under UNIX

S 4.15

Secure log
-
in

S 4.16

Restrictions on access to accounts and/or terminals

MBAeSecurity Resources

2007


13

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.17

Blocking and deletion of unnecessary accounts and terminals

S 4.18

Administrative and technical means to control access to the system
-
monitor and single
-
user mod
e

S 4.19

Restrictive allocation of attributes for UNIX system files and directories

S 4.20

Restrictive allocatio
n of attributes for UNIX user files and directories

S 4.21

Preventing unauthorised acquisition of administrator rights

S 4.22

Prevention of loss of confidentiality of sensitive data in the UNIX system

S 4.23

Secure invocation of executable files

S 4.24

Ensuring consistent system management

S 4.25

Use of logging in UNIX systems

S 4.26

Regular security checks of the UNIX system

S 4.27

Password protection in laptop PCs

S 4.28

Software re
-
installation in the case of change of laptop PC users

S 4.29

Use of an encryption product for laptop PCs

S 4.30

Utilisation of the security functions offered in application programs

S 4.31

Ensuring power supply during mobile use

S 4.32

Physical deletion of data media before and after usage

S 4.33

Use of a virus scanning program when exchangi
ng of data media and data transmission

S 4.34

Using encryption, checksums or digital signatures

S 4.35

Pre
-
dispa
tch verification of the data to be transferred

S 4.36

Blocking fax recipient numbers

S 4.37

Blocking fax sender
numbers

S 4.38

Deactivation of unnecessary service features

S 4.39

Deactivation of answering machines for period
s of absence

S 4.40

Preventing unauthorised use of computer microphones

MBAeSecurity Resources

2007


14

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.41

Use of a suitable PC security pro
duct

S 4.42

Implementation of security functions in the IT application

S 4.43

Fax machine with automatic envelop
e sealing system

S 4.44

Checking of incoming files for macro viruses

S 4.45

Setting up a secure Peer
-
to
-
Peer env
ironment under WfW

S 4.46

Use of the log
-
on password under WfW and Windows 95

S 4.47

Logging of firewall activities

S 4.48

Password Protection under Windows NT/2000

S 4.49

Protection of the Boot
-
U
p Procedure for a Windows NT/2000 System

S 4.50

Structured system administration under Windows NT

S 4.51

User pr
ofiles to restrict the usage possibilities of Windows NT

S 4.52

Device Protection under Windows NT/2000

S 4.53

R
estrictive allocation of access rights to files and directories under Windows NT

S 4.54

Logging under Windows NT

S 4.55

Secure installation of Windows NT

S 4.56

Secure deletion under Windows operating systems

S 4.57

Deactiva
ting automatic CD
-
ROM recognition

S 4.58

Sharing of directories under Windows 95

S 4.59

Deactivation of ISDN boa
rd functions which are not required

S 4.60

Deactivation of ISDN router functions which are not required

S 4.61

Use of security mechanisms offered by ISDN components

S 4.62

Use of a D
-
channel filter

S 4.63

Security
-
related
requirements for telecommuting computers

S 4.64

Verification of data before transmission / elimination of residual information

S 4.65

Testing of new hardware and software

MBAeSecurity Resources

2007


15

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.66

Novell Netware
-

safe transition to the year 200

S 4.67

Locking and deleting database accounts which are no longer required

S 4.68

Ensuring consistent database management

S 4.69

Regular checks of database security

S 4.70

Monitoring a database

S 4.71

Restrictive utilisation of database links

S 4.72

Database encryption

S 4.73

S
pecifying upper limits

S 4.74

Networked Windows 95 computers

S 4.75

Protection of the Registry under Windows NT/
2000

S 4.76

Secure system version of Windows NT

S 4.77

Protection of administrator accounts under Windows NT

S 4.78

Careful modifications of configurations

S 4.79

Secure access mechanisms for local administration

S 4.80

Secure access mechanisms for remote administration

S 4.81

Auditing and logging of activities in a network

S 4.82

Secure configuration of active network components

S 4.83

Updating / upgrading of software and hardware in network c
omponents

S 4.84

Use of BIOS security mechanisms

S 4.85

Design of suitable interfaces for crypto modules

S 4.86

Secure separation of roles and configuration with crypto modules

S 4.87

Physical security of crypto modules

S 4.88

Operating system security requirements when using crypto modules

S 4.89

Emission security

S 4.90

Use of cryptographic procedures on the various layers of the ISO/OSI reference model

MBAeSecurity Resources

2007


16

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.91

Secure installa
tion of a system management system

S 4.92

Secure operation of a system management system

S 4.93

Regular integrit
y checking

S 4.94

Protection of WWW files

S 4.95

Minimal operating system

S 4.96

Deactivating DNS

S 4.97

One service per server

S 4.98

Restricting commu
nication to a minimum with packet filters

S 4.99

Protection against subsequent changes to information

S 4.100

Fi
rewalls and active content

S 4.101

Firewalls and encryption

S 4.102

C2 security under Novell 4.11

S 4.103

DHCP server under Novell Netware 4.x

S 4.104

LDAP Services for NDS

S 4.105

Initial measures after a Unix standard installation

S 4.106

Activation of system logging

S 4.107

Use of vendor resources

S 4.108

Simplified and secure network management with DNS services under Novell
NetWare 4.11

S 4.109

Software reinstallation on workstations

S 4.110

Secure installation of the RAS system

S 4.111

Secure configuration of the RAS system

S 4.112

Secure operation of the RAS system

S 4.113

U
se of an authentication server within RAS access

S 4.114

Use of the security mechanisms provided on mobile phones

MBAeSecurity Resources

2007


17

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.115

Safeguarding the power supply of mobile phones

S 4.116

Secure installation of Lotus Notes

S 4.117

Secu
re configuration of a Lotus Notes server

S 4.118

Configuration as a Lotus Notes server

S 4.119

Instituting restrictions on access to Lotus Notes servers

S 4.120

Configuration of access control lists for Lotus Notes databases

S 4.121

Configuration of rights of access to the Lotus Notes Name and Address Book

S 4.122

Configuration for browser access to Lotus Notes

S 4.123

Configuration of SSL
-
protected browser access to Lotus Notes

S 4.124

Configuration of authentication mecha
nisms with browser access to Lotus Notes

S 4.125

Instituting restrictions on access to Lotus Notes databases with browser access

S 4.126

Secure configuration of a Lotus Notes client

S 4.127

Secure configuration of browser access to Lotus Notes

S 4.128

Secure operation of Lotus Notes

S 4.129

Secure handling of Notes ID files

S 4.130

Se
curity measures following the creation of a new Lotus Notes database

S 4.131

Encryption of Lotus Notes databases

S 4.132

Monitoring of a Lotus Notes system

S 4.133

Appropriate choice of authentication mechanisms

S 4.134

Choi
ce of suitable data formats

S 4.135

Restrictive granting of access rights to system files

S 4.136

Secure install
ation of Windows 2000

S 4.137

Secure configuration of Windows 2000

S 4.138

Configuration of Windows 2000 as doma
in controller

S 4.139

Configuration of Windows 2000 as server

MBAeSecurity Resources

2007


18

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.140

Secure configuration of important Windows
2000 services

S 4.141

Secure configuration of DDNS under Windows 2000

S 4.142

Secure configuration of WINS under Windows 2000

S 4.143

Secure configuration of DHCP under Windows 2000

S 4.144

Use of the Windows 2000 CA

S 4.145

Secure configuration of RRAS under Windows 2000

S 4.146

Secure operation of
Windows 2000

S 4.147

Secure use of EFS under Windows 2000

S 4.148

Monitoring a Windows 2000 system

S 4.149

File and share authorisations under Windows 2000

S 4.150

Configuration of Windows 2000 as workstation

S 4.151

Secure installation of Internet PCs

S 4.152

Secure operation of Internet PCs

S 4.153

Secure installation of Novell eDirectory

S 4.154

Secure installation of Novell eDirectory client software

S 4.155

Secure configuration of Novell eDirectory

S 4.156

Secure configuration of Novell eDirectory client software

S 4.157

Configuration of Novell eDirectory access authorisations

S 4.158

Configuration of LDAP access to Novell eDirectory

S 4.159

Secure operation of Novell eDirectory

S 4.160

Monitoring of Novell eDirectory

S 4.161

Secure installation of Exchange/Outlook 2000

S 4.162

Secure configuration of Exchange 2000 servern

S 4.163

Access rights to objects of Exchange 2000

S 4.164

Browser access to Exchange 2000

MBAeSecurity Resources

2007


19

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.165

Secure configuration of Outlook 2000

S 4.166

Secure operation of Exchange/Outlook 2000

S 4.167

Monitoring and logging of Exchange 2000 systems

S 4.168

Choise of a suitable archival system

S 4.169

Utilisation of suitable archival media

S 4.170

Choise of suitable data formats for the archival storage of documents

S 4.171

Shelter of the Integrity of the index
-
database from archival systems

S 4.172

Logging of the archival accesses

S 4.173

Regular function and recovery tests for archiving

S 4.174

Preparing the WindowNT/2000 installation for IIS

S 4.175

The secure configuration of Windows NT/2000 for IIS

S 4.176

Selection of an authentication method for web offerings

S 4.177

Assuring the integrity and authenticity of software packages

S 4.178

Protection of Administrator and user
accounts with IIS

S 4.179

Protection of security
-
critical files with IIS

S 4.180

Configuration of authentication mechanisms for access to the IIS

S 4.181

Running IIS in a separate process

S 4.
182

Monitoring of the IIS system

S 4.183

Ensuring the availability and performance of the IIS

S 4.184

Deactivati
on of unnecessary Windows system services with IIS

S 4.185

Protection of virtual directories and web applications with IIS

S 4.186

Removing the sample files and administration scripts in IIS

S 4.187

Removal of the FrontPage Server extension of IIS

S 4.188

Validation of user inputs where IIS is used

S 4.189

Protection against unauthorised program calls with IIS

MBAeSecurity Resources

2007


20

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


S 4.190 Removal of RDS support in IIS
S 4.191 Verification of the integrity and authenticity of Apache packages
S 4.192 Configuration of the operating system for an Apache web server
S 4.193 Secure installation of an Apache web server
S 4.194 Secure basic configuration of an Apache web server
S 4.195 Configuration of access control under the Apache web server
S 4.196 Secure operation of an Apache web server
S 4.197 Server extensions for dynamic web pages where the Apache web server is used
S 4.198 Installation of an Apache web server in a chroot cage
S 4.199 Avoiding dangerous file formats
S 4.200 Handling of USB storage media
S 4.201 Secure basic local configuration of routers and switches
S 4.202 Secure basic network configuration of routers and switches
S 4.203 Configuration checklist for routers and switches
S 4.204 Secure administration of routers and switches
S 4.205 Logging on routers and switches
S 4.206 Protection of switch ports
S 4.207 Use and protection of system-related z/OS terminals
S 4.208 Protecting the start process of z/OS systems
S 4.209 Secure basic configuration of z/OS systems
S 4.210 Secure operation of the z/OS operating system
S 4.211 Use of the z/OS security system RACF
S 4.212 Protection of Linux for zSeries
S 4.213 Protecting the login process under z/OS
S 4.214 Administration of data media under z/OS systems


S 4.215 Protection of z/OS utilities that are critical to security
S 4.216 Stipulation of the system limits of z/OS
S 4.217 Workload management for z/OS systems
S 4.218 Information on character set conversion in z/OS systems
S 4.219 Licence key management for z/OS software
S 4.220 Protection of Unix System Services on z/OS systems
S 4.221 Parallel Sysplex under z/OS
S 4.222 Correct configuration of security proxies
S 4.223 Integration of proxy servers into the security gateway
S 4.224 Integration of virtual private networks into a security gateway
S 4.225 Use of a logging server on a security gateway
S 4.226 Integration of virus scanners into a security gateway
S 4.227 Use of a local NTP server for time synchronisation
S 4.228 Use of the built-in security mechanisms on PDAs
S 4.229 Secure operation of PDAs
S 4.230 Central administration of PDAs
S 4.231 Use of additional security tools for PDAs
S 4.232 Secure use of extended memory cards
SSH is the industry standard for remote access to Linux, Mac OS X, and UNIX computers because it's safe, secure, and just works from anywhere on the Internet. SSH servers like OpenSSH and VShell have a powerful system called SFTP built-in. Unrelated to the archaic FTP protocol, SFTP is a modern, secure system that gives you the power to treat your network files as if they were right on your desktop. Stream movies and music. Run programs. Load and save any file from any application. Best of all, your SSH server is ready to go.

Hands-On Training

Extensive hands-on exercises provide you with practical experience securing a Web site. Exercises include:

- Installing and configuring Microsoft IIS or Apache




- Securing your Web browser
- Auditing and hardening server OS
- Configuring user authentication
- Using SSL to encrypt Web traffic
- Creating a certificate authority (CA)
- Implementing a client certificate
- Configuring your Web server to require client certificates
- Protecting browsers and servers with a proxy-based firewall

Course Content

http://www.learningtree.com/courses/486.htm

Introduction to Web Security

Web technologies
- The Web client/server architecture
- What does the Web server do?
- Transferring hypertext documents with HTTP
- Dynamic content technologies

Basic information assurance issues
- Availability
- Authentication
- Confidentiality
- Integrity

Securing the Web Client

Threats and vulnerabilities
- Client information leakage
- How cookies work
- Assessing the threats from Java, JavaScript, VBScript and ActiveX
- Hostile applets and viruses

Protecting your Web browser
- Disabling Java applets
- Turning off cookies
- Using an online virus checker
- Obtaining browser certificates
- Enabling and disabling signing authorities

Configuring Operating System and Network Security

Operating system security features
- Authenticating users
- File permissions and document roots
- Operating privileges for the server
- Audit tools



Network security
- Preventing IP address spoofing
- Securing DNS Servers
- Minimizing denial-of-service threats

Enhancing Web Server Security

Controlling access
- Configuring user authentication on IIS and Apache
- Restricting access based on hostname/IP address
- Enabling and configuring logging

Extended site functionality
- Securing CGI script invocations
- Guidelines for secure Web programming

Securing Web communications with SSL
- Public key and private key encryption
- Storing and distributing keys
- Ensuring data integrity with message digests
- Digitally signing data and documents
- Enabling the Secure Sockets Layer (SSL)
- Obtaining and installing server certificates

Issuing and Managing Certificates

Why certificates are used
- Preventing eavesdropping with public key encryption
- Authenticating clients and servers
- Utilizing the X.509 v3 Certificate format

Certificate authorities (CAs)
- Using a public certificate authority
- Non-authoritative certificates
- Chaining certificate authorities
- Classes of certificates

Trusting CAs in servers and browsers
- Importing CA certificates
- Running your own certificate server
- Choosing which CAs to trust
- Checking certificate revocation lists

Protecting Data with Firewalls



Firewall technologies
- Components of a firewall
- What firewalls can and cannot do
- Using application proxies

Selecting firewall topology
- Providing "defense in depth"
- Siting the Web server

Security Management
- Responding to security violations
- Keeping up-to-date on new threats

Exercises

1. Turning off cookies

A cookie is a small text file that a Web site stores on your computer to use when you return to that site. Cookies store information you enter on a Web page, such as passwords or login information, to save you time later. They are very small files, and are generally designed to make a Web site more convenient to use. If you disable cookies, some Web pages may not display properly or open at all.

To enable/disable cookies for Internet Explorer version 6.x

1. On the AOL toolbar, click Settings.
2. Click Internet Properties (WWW).
3. Click the Privacy tab, and then click Advanced.
4. Click Override default settings, and then specify how you want Internet Explorer to handle cookies from first-party Web sites and third-party Web sites (a Web site other than the one you are currently viewing).
   - To specify that you want Internet Explorer to always allow cookies to be saved on your computer, click Accept.
   - To specify that you want Internet Explorer to never allow cookies to be saved on your computer, click Block.
   - To specify that you want Internet Explorer to ask whether or not you want to allow a cookie to be saved on your computer, click Prompt.
5. If you want Internet Explorer to always allow session cookies (cookies that will be deleted from your computer when you close Internet Explorer) to be saved on your computer, click Always allow session cookies.
6. Click OK to close the Advanced Privacy Settings window.



7. Click OK to close the Internet Options window.
8. Click the X in the upper-right corner to close the Internet Settings window.

Notes

- You can also use the slider on the Privacy tab of the Internet Options window to adjust your cookie settings. Moving the slider up blocks more cookies, while moving the slider down allows more cookies to be saved to your computer.


2. Obtaining certificates for client authentication

Certificates can be obtained from one of the following:

- Certificate Authority (CA)

  Create a client certificate request. After receiving the certificate, export it to a password-protected PKCS12 file and send the password and the file to the user. Make sure the file is securely sent. If a non-secure protocol such as e-mail, http, or ftp is used to send the file over the Internet, the certificate's security can be compromised.

- Self-signed certificate

  You can do this while you are waiting for a CA's certificate, which can take some time. If you think the self-signed certificate provides adequate security, you can use it permanently.

  For performance reasons, limit the use of this option. Validation of self-signed certificates can significantly degrade a server's performance.

A certificate management tool is provided that creates certificate requests and self-signed certificates, and stores certificates in a client key database. Certificate requests can be made on the Host On-Demand server or locally-installed clients.

Using a browser certificate

Users who currently have a certificate for their browsers can use it directly, or they can export the certificate into a PKCS12 (.p12 or .pfx file type) file format and save it on their workstations to be used for client authentication. Optionally, the certificate can be stored on specialized external media, such as a smart card.

Certificates exported from an older browser are usually weakly encrypted. Use strong encryption when accessing certificates over the Internet with an unsecure protocol, such as http or ftp. To change the encryption strength:

1. Click Communication > Security.
2. Click Show Client Certificate.
3. Locate the certificate and enter the current password.
4. Click View Certificate.
5. Click Settings.



6. Type the current password, and choose Strong for Encryption Strength.
7. Click OK.

Creating a client certificate request

Some CAs have Web pages that you can access for requesting certificates. That is the easiest way to obtain a client certificate.

To create a request in Certificate Management:

1. On a Windows server, click Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
2. On an AIX server, enter CertificateManagement from a command prompt. The default location of the AIX script is /opt/IBM/HostOnDemand/bin. Please refer to Running Certificate Management on AIX for additional information.
3. Create a HODClientKeyDb.kdb database.
4. Follow the instructions in the Help to create the certificate request.
5. Exit Certificate Management.
6. Send the certificate request to the CA.

Sending the certificate request to the CA

Access the CA's Web site and then follow the instructions to request the certificate. Here are the URLs of two CAs:

- VeriSign: http://www.verisign.com/
- Thawte: http://www.thawte.com/

Depending on the CA you choose, you can either e-mail the certificate request or incorporate the request into the form or file provided by the CA. If you need the CA's root certificate, you can often get it directly from the Web site.

While you are waiting for the CA to process your certificate request, you can create a self-signed certificate to use.

Receiving the certificate

When you receive the certificate, make sure that it is in armored-64 or binary DER format. Only certificates in these formats can be stored in the key database. The Certificate Management program can only accept simple certificates. It cannot accept certificate chains or PKCS7 data. The armored-64 form of a simple certificate starts with "-----BEGIN CERTIFICATE-----" and ends with "-----END CERTIFICATE-----".
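A pre-check for the format rule just stated, added here as an example; it is not code from Host On-Demand or its Certificate Management tool. It accepts exactly one simple certificate in armored-64 (PEM) or binary DER form and rejects chains and PKCS7 data by looking at the outer ASN.1 structure. The sample inputs in `sample_files()` are constructed byte strings shaped like those formats, not real certificates.

```python
"""Format check for a received certificate before it goes into a key
database: accept one simple certificate (PEM or DER), reject chains and
PKCS7. Added example for this page; sample inputs are constructed."""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
# DER body of OBJECT IDENTIFIER 1.2.840.113549.1.7.2 (PKCS#7 signedData)
PKCS7_SIGNED_DATA_OID = bytes.fromhex("2a864886f70d010702")


def der_length(buf: bytes, i: int) -> tuple[int, int]:
    """Decode the DER length at buf[i]; return (length, offset of content)."""
    first = buf[i]
    if first < 0x80:                      # short form: one byte
        return first, i + 1
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or i + 1 + n > len(buf):
        raise ValueError("malformed DER length")
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n


def classify_der(der: bytes) -> str:
    """Return 'certificate' or 'pkcs7' for a DER blob, else raise ValueError."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    length, start = der_length(der, 1)
    if start + length != len(der):
        raise ValueError("DER length does not match data size (truncated or trailing bytes)")
    if der[start] == 0x30:                # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate"
    if der[start] == 0x06 and der[start + 2:start + 11] == PKCS7_SIGNED_DATA_OID:
        return "pkcs7"                    # ContentInfo ::= SEQUENCE { contentType OID, ... }
    raise ValueError("unrecognised DER structure")


def check_certificate_file(data: bytes) -> str:
    """Return 'pem' or 'der' if data holds one simple certificate; else raise."""
    blocks = PEM_BLOCK.findall(data.decode("latin-1"))
    if not blocks:                        # no armor: must be a bare DER certificate
        kind = classify_der(data)
        if kind != "certificate":
            raise ValueError(f"binary file is {kind}, not a simple certificate")
        return "der"
    if len(blocks) != 1:
        raise ValueError(f"{len(blocks)} PEM blocks: a chain, not a simple certificate")
    label, body = blocks[0]
    if label != "CERTIFICATE":            # e.g. "PKCS7" or "CERTIFICATE REQUEST"
        raise ValueError(f"PEM block is {label}, not CERTIFICATE")
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
    if classify_der(der) != "certificate":
        raise ValueError("PEM body is not a certificate")
    return "pem"


def sample_files() -> dict[str, bytes]:
    """Constructed inputs shaped like the formats above (not real certificates)."""
    cert_der = bytes.fromhex("30053003020105")               # SEQUENCE { SEQUENCE { INTEGER 5 } }
    pkcs7_der = bytes.fromhex("300b06092a864886f70d010702")  # SEQUENCE { OID signedData }
    inner = b"\x30\x81\xc5" + b"\x00" * 197                  # 200-byte inner SEQUENCE
    long_der = b"\x30\x82\x00\xc8" + inner                   # outer uses a 2-byte length
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(cert_der)
           + b"\n-----END CERTIFICATE-----\n")
    return {"der": cert_der, "pem": pem, "chain": pem + pem,
            "pkcs7": pkcs7_der, "long_der": long_der, "truncated": cert_der[:-1]}
```

The check is deliberately shallow: it confirms the container shape (one SEQUENCE whose first element is the tbsCertificate SEQUENCE, rather than a signedData ContentInfo) and the length consistency a real key database would stumble over, and leaves parsing and validating the certificate itself to the tool that imports it.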

To receive the certificate:

1. Click Start > Programs > IBM Host On-Demand > Administration > Certificate Management.
2. Add the certificate to the key database, HODClientKeyDb.kdb.
3. Export the certificate into a password-protected PKCS12 (.p12 file type) file. Send the certificate and password to the user.



Make sure the certificate is securely sent. If a non-secure protocol such as e-mail, http or ftp is used to send the file over the Internet, the certificate's security can be compromised.

A certificate can be stored anywhere on the client's computer, on a diskette, or on a Web server.

Related topics

- Client authentication

4. Securing an Internet Name Server

File Format: PDF/Adobe Acrobat - View as HTML

unused services, it is good security practice to disable or remove any unnecessary software from the name server.) For DNS servers providing public name ...

www.cert.org/archive/pdf/dns.pdf

Securing DNS

Domain Name System (DNS) was originally designed as an open protocol. Therefore, it is vulnerable to attackers. Security features in Windows Server 2003 DNS can help you prevent an attack on your DNS infrastructure. Before considering which of the Windows Server 2003 security features to use, you should be aware of the following:

- Common threats to DNS security
- The level of DNS security in your organization

DNS Security Threats

The following are the typical ways in which your DNS infrastructure can be threatened by attackers:

- Footprinting. The process by which DNS zone data, including DNS domain names, computer names, and Internet Protocol (IP) addresses for sensitive network resources, is obtained by an attacker. An attacker commonly begins an attack by using this DNS data to diagram, or "footprint," a network. DNS domain names and computer names usually indicate the function or location of a domain or computer to help users remember and identify domains and computers more easily. An attacker takes advantage of this same DNS naming principle to learn the function or location of domains and computers in the network.

- Denial-of-service attack. A scenario in which an attacker attempts to deny the availability of network services by flooding one or more DNS servers in the network with recursive queries. As a DNS server is flooded with queries, its CPU usage eventually reaches its maximum, and the DNS Server service becomes unavailable. Without a fully operating DNS server on the network, network services that use DNS are unavailable to network users.

- Data modification. An attempt by an attacker that has footprinted a network by using DNS to use valid IP addresses in IP packets that the attacker has created. This gives these packets the appearance of coming from a valid IP address in the network. This process is commonly called IP "spoofing." With a valid IP address (that is, an IP address within the IP address range of a subnet) the attacker can gain access to the network and destroy data or conduct other attacks.

- Redirection. A scenario in which an attacker is able to redirect queries for DNS names to servers that are under the control of the attacker. One method of redirection involves an attempt to pollute the DNS cache of a DNS server with erroneous DNS data that may direct future queries to servers that are under the control of the attacker. For example, if a query is made originally for sales.wingtiptoys.com and a referral answer provides a record for a domain name that the attacker has outside the wingtiptoys.com domain, the DNS server uses the cached data for the attacker's domain to resolve a query for that name. Redirection can occur whenever an attacker has writable access to DNS data, for example, in a scenario that includes dynamic updates that are not secure.
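The redirection example above is what the "cache pollution prevention" setting in the medium- and high-level configurations below defends against: a caching server should only accept records from a response whose owner name lies inside the zone the query was about (the response's "bailiwick"). The following is an added example written for this page, not Microsoft's DNS Server code; the `Record` type and the sample referral, including the unrelated `www.bank.example` name planted in it, are constructed.

```python
"""Bailiwick check for DNS responses: cache a record only if its owner
name is the queried zone or a name below it. Added example for this page;
record layout and sample data are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    name: str    # owner name, e.g. "ns1.sales.wingtiptoys.com"
    rtype: str   # "A", "NS", ...
    data: str    # rdata as text


def labels(name: str) -> list[str]:
    """Split a DNS name into labels, case-folded, ignoring a trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]


def in_bailiwick(owner: str, zone: str) -> bool:
    """True if owner equals zone or is a subdomain of it.

    Compares whole labels, so "notwingtiptoys.com" is NOT inside
    "wingtiptoys.com" even though the string ends the same way.
    """
    o, z = labels(owner), labels(zone)
    return len(o) >= len(z) and o[len(o) - len(z):] == z


def filter_response(zone: str, records: list[Record]) -> tuple[list[Record], list[Record]]:
    """Split response records into (cacheable, discarded) for a query in `zone`.

    `zone` is the domain the responding server was asked about (for a
    referral, the zone it is delegated for). Records outside it are dropped,
    so a referral cannot plant data for an unrelated domain in the cache.
    """
    kept: list[Record] = []
    dropped: list[Record] = []
    for rec in records:
        (kept if in_bailiwick(rec.name, zone) else dropped).append(rec)
    return kept, dropped


def sample_referral() -> list[Record]:
    """Constructed referral for sales.wingtiptoys.com with one out-of-zone record."""
    return [
        Record("sales.wingtiptoys.com", "NS", "ns1.sales.wingtiptoys.com"),
        Record("ns1.sales.wingtiptoys.com", "A", "10.1.2.3"),   # legitimate glue
        Record("www.bank.example", "A", "203.0.113.9"),         # unrelated domain: pollution attempt
    ]


if __name__ == "__main__":
    kept, dropped = filter_response("wingtiptoys.com", sample_referral())
    for rec in kept:
        print("cache  ", rec)
    for rec in dropped:
        print("discard", rec)
```

Note that the comparison is done label by label rather than with a string suffix test; a naive `endswith("wingtiptoys.com")` would let `notwingtiptoys.com` through, which is exactly the kind of near-name an attacker would choose.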

Mitigating DNS Security Threats

The following sections explain three levels of DNS security that you can apply to your current DNS configuration. You can use these three levels of security to increase the DNS security of your organization.

Low-Level Security

Low-level security is a standard DNS deployment without any security precautions configured. You should deploy this level of DNS security only in network environments where there is no concern for the integrity of your DNS data or in a private network where there is no threat of external connectivity:

- The DNS infrastructure of your organization is fully exposed to the Internet.
- Standard DNS resolution is performed by all DNS servers in your network.
- All DNS servers are configured with root hints pointing to the root servers for the Internet.
- All DNS servers permit zone transfers to any server.
- All DNS servers are configured to listen on all of their IP addresses.
- Cache pollution prevention is disabled on all DNS servers.
- Dynamic update is allowed for all DNS zones.
- User Datagram Protocol (UDP) and TCP/IP port 53 is open on the firewall for your network for both source and destination addresses.

Medium-Level Security

Medium-level security uses the DNS security features that are available without running DNS servers on domain controllers and storing DNS zones in Active Directory:

- The DNS infrastructure of your organization has limited exposure to the Internet.
- All DNS servers are configured to use forwarders to point to a specific list of internal DNS servers when they cannot resolve names locally.
- All DNS servers limit zone transfers to servers that are listed in the name server (NS) resource records in their zones.
- DNS servers are configured to listen on specified IP addresses.
- Cache pollution prevention is enabled on all DNS servers.
- Dynamic update that is not secure is not allowed for any DNS zones.
- Internal DNS servers communicate with external DNS servers through a firewall with a limited list of allowed source addresses and destination addresses.
- External DNS servers in front of the firewall are configured with root hints that point to the root servers for the Internet.
- All Internet name resolution is performed by using proxy servers and gateways.

High-Level Security

High-level security uses the same configuration as medium-level security. It also uses the security features that are available when the DNS Server service is running on a domain controller and DNS zones are stored in Active Directory. In addition, high-level security completely eliminates DNS communication with the Internet. This is not a typical configuration, but it is recommended whenever Internet connectivity is not required:

- The DNS infrastructure of your organization has no Internet communication by means of internal DNS servers.
- Your network uses an internal DNS root and namespace, where all authority for DNS zones is internal.
- DNS servers that are configured with forwarders use internal DNS server IP addresses only.
- All DNS servers limit zone transfers to specified IP addresses.
- DNS servers are configured to listen on specified IP addresses.
- Cache pollution prevention is enabled on all DNS servers.
- Internal DNS servers are configured with root hints that point to the internal DNS servers that host the root zone for your internal namespace.
- All DNS servers are running on domain controllers. A discretionary access control list (DACL) is configured on the DNS Server service to allow only specific individuals to perform administrative tasks on the DNS server.
- All DNS zones are stored in Active Directory. A DACL is configured to allow only specific individuals to create, delete, or modify DNS zones.
- DACLs are configured on DNS resource records to allow only specific individuals to create, delete, or modify DNS data.
- Secure dynamic update is configured for DNS zones except the top-level zones and root zones, which do not allow dynamic updates at all.
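The three checklists above, turned into a per-server audit that reports which level a server reaches and what keeps it from the next. This is an added example written for this page, not Microsoft tooling; the `DnsServerConfig` fields, the assumption that the RFC 1918 ranges are the "internal" address space, and the two sample servers are constructed. The script evaluates values you have already collected from the servers; it does not query them.

```python
"""Audit DNS server settings against the low/medium/high levels above.
Added example for this page; fields, internal ranges and sample servers
are constructed assumptions."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Assumed internal address space for the example; adapt to your addressing plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class DnsServerConfig:
    name: str
    listen_addresses: Optional[list[str]]   # None = listens on all of its IP addresses
    zone_transfer: str                      # "any" | "ns-only" | "list"
    secure_responses: bool                  # cache pollution prevention
    dynamic_update: str                     # "nonsecure" | "secure" | "none"
    forwarders: list[str] = field(default_factory=list)
    internet_root_hints: bool = True
    on_domain_controller: bool = False
    ad_integrated_zones: bool = False


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def audit(cfg: DnsServerConfig) -> tuple[str, list[str]]:
    """Return (level, findings): the level reached and the gaps to the next one."""
    # Medium-level requirements: any miss leaves the server at low level.
    medium = []
    if cfg.listen_addresses is None:
        medium.append("listens on all IP addresses; restrict to specified addresses")
    if cfg.zone_transfer == "any":
        medium.append("zone transfers allowed to any server; limit to NS-listed servers")
    if not cfg.secure_responses:
        medium.append("cache pollution prevention is disabled")
    if cfg.dynamic_update == "nonsecure":
        medium.append("non-secure dynamic update is allowed")
    outside = [f for f in cfg.forwarders if not is_internal(f)]
    if outside:
        medium.append("forwarders point outside the internal address space: " + ", ".join(outside))
    if medium:
        return "low", medium
    # High-level requirements on top of medium.
    high = []
    if cfg.zone_transfer != "list":
        high.append("zone transfers not limited to specified IP addresses")
    if cfg.internet_root_hints:
        high.append("root hints still point to the Internet root servers")
    if not (cfg.on_domain_controller and cfg.ad_integrated_zones):
        high.append("not running on a domain controller with Active Directory-integrated zones")
    return ("high", []) if not high else ("medium", high)


def sample_servers() -> list[DnsServerConfig]:
    """Constructed examples: a default-style deployment and a hardened one."""
    return [
        DnsServerConfig("dns-default", None, "any", False, "nonsecure", ["198.51.100.53"]),
        DnsServerConfig("dns-hardened", ["10.0.0.53"], "list", True, "secure", ["10.0.0.54"],
                        internet_root_hints=False, on_domain_controller=True,
                        ad_integrated_zones=True),
    ]


if __name__ == "__main__":
    for server in sample_servers():
        level, findings = audit(server)
        print(f"{server.name}: {level}")
        for item in findings:
            print("  -", item)
```

The split between the two requirement groups mirrors the text: the medium-level items are reachable on any DNS server, while the high-level items (domain-controller placement, Active Directory-integrated zones, internal root hints, transfer lists by IP) are what eliminates Internet dependence.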

Securing DNS

The following tasks for securing DNS are described in this objective:

- Securing Domain Name System Zones
- Securing the Domain Name System Server Service
- Securing Domain Name System Clients

5. Firewall components

A firewall is a collection of hardware and software that, when used together, prevent unauthorized access to a portion of a network.

A firewall consists of the following components:

- Hardware. Firewall hardware usually consists of a separate computer dedicated to running the firewall software functions.
- Software. Firewall software can consist of some or all of these applications:
  o Packet filters
  o Proxy servers
  o SOCKS servers
  o Network address translation (NAT) services
  o Logging and monitoring software
  o Virtual private network (VPN) services

Contents

1 Administrativia
  o 1.1 About the FAQ
  o 1.2 For Whom Is the FAQ Written?
  o 1.3 Before Sending Mail
  o 1.4 Where Can I find the Current Version of the FAQ?
  o 1.5 Where Can I Find Non-English Versions of the FAQ?
  o 1.6 Contributors
  o 1.7 Copyright and Usage

2 Background and Firewall Basics
  o 2.1 What is a network firewall?
  o 2.2 Why would I want a firewall?
  o 2.3 What can a firewall protect against?
  o 2.4 What can't a firewall protect against?
  o 2.5 What about viruses and other malware?
  o 2.6 Will IPSEC make firewalls obsolete?
  o 2.7 What are good sources of print information on firewalls?
  o 2.8 Where can I get more information on firewalls on the Internet?

3 Design and Implementation Issues
  o 3.1 What are some of the basic design decisions in a firewall?
  o 3.2 What are the basic types of firewalls?
  o 3.3 What are proxy servers and how do they work?
  o 3.4 What are some cheap packet screening tools?
  o 3.5 What are some reasonable filtering rules for a kernel-based packet screen?
  o 3.6 What are some reasonable filtering rules for a Cisco?
  o 3.7 What are the critical resources in a firewall?
  o 3.8 What is a DMZ, and why do I want one?
  o 3.9 How might I increase the security and scalability of my DMZ?
  o 3.10 What is a `single point of failure', and how do I avoid having one?
  o 3.11 How can I block all of the bad stuff?
  o 3.12 How can I restrict web access so users can't view sites unrelated to work?

4 Various Attacks
  o 4.1 What is source routed traffic and why is it a threat?
  o 4.2 What are ICMP redirects and redirect bombs?
  o 4.3 What about denial of service?
  o 4.4 What are some common attacks, and how can I protect my system against them?

5 How Do I...
  o 5.1 Do I really want to allow everything that my users ask for?
  o 5.2 How do I make Web/HTTP work through my firewall?
  o 5.3 How do I make SSL work through the firewall?
  o 5.4 How do I make DNS work with a firewall?
  o 5.5 How do I make FTP work through my firewall?
  o 5.6 How do I make Telnet work through my firewall?
  o 5.7 How do I make Finger and whois work through my firewall?
  o 5.8 How do I make gopher, archie, and other services work through my firewall?
  o 5.9 What are the issues about X11 through a firewall?
  o 5.10 How do I make RealAudio work through my firewall?
  o 5.11 How do I make my web server act as a front-end for a database that lives on my private network?
  o 5.12 But my database has an integrated web server, and I want to use that. Can't I just poke a hole in the firewall and tunnel that port?
  o 5.13 How Do I Make IP Multicast Work With My Firewall?

6 TCP and UDP Ports
  o 6.1 What is a port?
  o 6.2 How do I know which application uses what port?
  o 6.3 What are LISTENING ports?
  o 6.4 How do I determine what service the port is for?
  o 6.5 What ports are safe to pass through a firewall?
  o 6.6 The behavior of FTP
  o 6.7 What software uses what FTP mode?
  o 6.8 Is my firewall trying to connect outside?
  o 6.9 The anatomy of a TCP connection

A. Some Commercial Products and Vendors

B. Glossary of Firewall-Related Terms

Bibliography
1 Administrativia

1.1 About the FAQ

This collection of Frequently Asked Questions (FAQs) and answers has been compiled over a period of years, seeing which questions people ask about firewalls in such fora as Usenet, mailing lists, and Web sites.

If you have a question, looking here to see whether it's answered before posting your question is good form. Don't send your questions about firewalls to the FAQ maintainers.

The maintainers welcome input and comments on the contents of this FAQ. Comments related to the FAQ should be addressed to firewalls-faq@interhack.net.

Before you send us mail, please be sure to see sections 1.2 and 1.3 to make sure this is the right document for you to be reading.

1.2 For Whom Is the FAQ Written?

Firewalls have come a long way from the days when this FAQ started. They've gone from being highly customized systems administered by their implementors to a mainstream commodity. Firewalls are no longer solely in the hands of those who design and implement security systems; even security-conscious end-users have them at home.

We wrote this FAQ for computer systems developers and administrators. We have tried to be fairly inclusive, making room for the newcomers, but we still assume some basic technical background. If you find that you don't understand this document, but think that you need to know more about firewalls, it might well be that you actually need to get more background in computer networking first. We provide references that have helped us; perhaps they'll also help you.

We focus predominately on "network" firewalls, but ``host'' or ``personal'' firewalls will be addressed where appropriate.




1.3 Before Sending Mail

Note that this collection of frequently-asked questions is a result of interacting with many people of different backgrounds in a wide variety of public fora. The firewalls-faq address is not a help desk.

If you're trying to use an application that says that it's not working because of a firewall and you think that you need to remove your firewall, please do not send us mail asking how.

If you want to know how to ``get rid of your firewall'' because you cannot use some application, do not send us mail asking for help. We cannot help you. Really.

Who can help you? Good question. That will depend on what exactly the problem is, but here are several pointers. If none of these works, please don't ask us for any more. We don't know.

- The provider of the software you're using.
- The provider of the hardware ``appliance'' you're using.
- The provider of the network service you're using. That is, if you're on AOL, ask them. If you're trying to use something on a corporate network, talk to your system administrator.

1.4 Where Can I find the Current Version of the FAQ?

The FAQ can be found on the Web at

- http://www.compuwar.net/pubs/fwfaq/.
- http://www.interhack.net/pubs/fwfaq/.

It's also posted monthly to

- comp.security.firewalls,
- comp.security.unix,
- comp.security.misc,
- comp.answers, and
- news.answers.

Posted versions are archived in all the usual places. Unfortunately, the version posted to Usenet and archived from that version lack the pretty pictures and useful hyperlinks found in the web version.

1.5 Where Can I Find Non-English Versions of the FAQ?

Several translations are available. (If you've done a translation and it's not listed here, please write us so we can update the master document.)

Norwegian

Translation by Jon Haugsand
http://helmersol.nr.no/haandbok/doc/brannmur/brannmur-faq.html



1.6 Contributors

Many people have written helpful suggestions and thoughtful commentary. We're grateful to
all contributors. We'd like to thank afew by name: Keinanen

Vesa, Allen Leibowitz, Brent
Chapman, Brian Boyle, D. Clyde Williamson, Richard Reiner, Humberto Ortiz Zua
zaga, and
Theodore Hope.


1.7 Copyright and Usage

Copyright ©1995
-
1996, 1998 Marcus J. Ranum. Copyright ©1998
-
2002 Matt Curtin.
Copyright 2004, Paul D. Robertson. All rights reserved. This document may be used,
reprinted, and redistributed
as is

providin
g this copyright notice and all attributions remain
intact. Translations of the complete text from the original English to other languages are also
explicitly allowed. Translators may add their names to the ``Contributors'' section.


2 Background and Fire
wall Basics

Before being able to understand a complete discussion of firewalls, it's important to
understand the basic principles that make firewalls work.


2.1 What is a network firewall?

A firewall is a system or group of systems that enforces an acce
ss control policy between two
or more networks. The actual means by which this is accomplished varies widely, but in
principle, the firewall can be thought of as a pair of mechanisms: one which exists to block
traffic, and the other which exists to permit
traffic. Some firewalls place a greater emphasis on
blocking traffic, while others emphasize permitting traffic. Probably the most important thing
to recognize about a firewall is that it implements an access control policy. If you don't have a
good idea o
f what kind of access you want to allow or to deny, a firewall really won't help
you. It's also important to recognize that the firewall's configuration, because it is a
mechanism for enforcing policy, imposes its policy on everything behind it. Administra
tors
for firewalls managing the connectivity for a large number of hosts therefore have a heavy
responsibility.


2.2 Why would I want a firewall?

The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic
equivalent
of writing on other people's walls with spraypaint, tearing their mailboxes off, or
MBAeSecurity Resources

2007


35

|
С т е ф а н Д р а ж е в,
s t e @b u l t i ma.n e t


just sitting in the street blowing their car horns. Some people try to get real work done over
the Internet, and others have sensitive or proprietary data they must protect
. Usually, a
firewall's purpose is to keep the jerks out of your network while still letting you get your job
done.

Many traditional
-
style corporations and data centers have computing security policies and
practices that must be followed. In a case where
a company's policies dictate how data must
be protected, a firewall is very important, since it is the embodiment of the corporate policy.
Frequently, the hardest part of hooking to the Internet, if you're a large company, is not
justifying the expense or
effort, but convincing management that it's safe to do so. A firewall
provides not only real security
--
it often plays an important role as a security blanket for
management.

Lastly, a firewall can act as your corporate ``ambassador'' to the Internet. Many

corporations
use their firewall systems as a place to store public information about corporate products and
services, files to download, bug
-
fixes, and so forth. Several of these systems have become
important parts of the Internet service structure (e.g.,

UUnet.uu.net
,
whitehouse.gov
,
gatekeeper.dec.com
) and have reflected well on their organizational sponsors. Note that
while this is historically true, most organizations now place public information on a Web
server, often protected by a firewall, but not
normally on the firewall itself.


2.3 What can a firewall protect against?

Some firewalls permit only email traffic through them, thereby protecting the network against
any attacks other than attacks against the email service. Other firewalls provide les
s strict
protections, and block services that are known to be problems.

Generally, firewalls are configured to protect against unauthenticated interactive logins from
the ``outside'' world. This, more than anything, helps prevent vandals from logging into

machines on your network. More elaborate firewalls block traffic from the outside to the
inside, but permit users on the inside to communicate freely with the outside. The firewall can
protect you against any type of network
-
borne attack if you unplug it.


Firewalls are also important since they can provide a single ``choke point'' where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.

Because of this, firewall logs are critically important data. They can be used as evidence in a court of law in most countries. You should safeguard, analyze and protect your firewall logs accordingly.

This is an important point: providing this ``choke point'' can serve the same purpose on your network as a guarded gate can for your site's physical premises. That means anytime you have a change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only an outside gate and no receptionist or security staff to check badges on the
way in. If there are layers of security on your site, it's reasonable to expect layers of security on your network.


2.4 What can't a firewall protect against?

Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape, compact disc, DVD, or USB flash drives can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a six-foot thick steel door when you live in a wooden house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture.

Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate network.

Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or Compact Disc. CDs are a far more likely means for information to leak from your organization than a firewall. Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if he can find a ``helpful'' employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem that can't be fixed by tightening controls on the firewalls.

Firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. There are no magic bullets and a firewall is not an excuse to not implement software controls on internal networks or ignore host security on servers. Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't ``fire and forget''.

Lastly, firewalls can't protect against bad things being allowed through them. For instance, many Trojan Horses use the Internet Relay Chat (IRC) protocol to allow an attacker to control a compromised internal host from a public IRC server. If you allow any internal system to connect to any external system, then your firewall will provide no protection from this vector of attack.
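The logging-and-audit summaries described in 2.3 and the outbound IRC control channel just mentioned can be checked from the same firewall log. The following is an added example, not part of the original FAQ: it parses constructed iptables-style log lines (the interface names, addresses and the ACCEPT/DROP line format are assumptions) and reports blocked inbound login attempts by source plus internal hosts that were allowed out to an IRC port.

```python
import re
from collections import Counter

# Constructed sample log lines in a simplified iptables/syslog style (not real logs).
SAMPLE_LOG = """\
ACCEPT IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=25
DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP DPT=23
DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP DPT=22
DROP IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.10 PROTO=TCP DPT=22
ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.55 DST=198.51.100.20 PROTO=TCP DPT=443
ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.56 DST=198.51.100.30 PROTO=TCP DPT=6667
ACCEPT IN=eth1 OUT=eth0 SRC=192.0.2.56 DST=198.51.100.30 PROTO=TCP DPT=6667
"""

LINE_RE = re.compile(
    r"^(?P<action>ACCEPT|DROP) IN=(?P<in>\S*) OUT=(?P<out>\S*) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)

OUTSIDE_IF = "eth0"   # assumed: interface facing the Internet
INSIDE_IF = "eth1"    # assumed: interface facing the corporate network
LOGIN_PORTS = {22, 23}  # interactive login services the FAQ says are blocked from outside
IRC_PORTS = {6667}      # IRC, named in the FAQ as a Trojan Horse control channel

def parse(log_text):
    """Turn matching log lines into dicts; non-matching lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        event = m.groupdict()
        event["dpt"] = int(event["dpt"])
        events.append(event)
    return events

def summarize(events):
    """Build the administrator summary the FAQ describes: traffic by action,
    blocked inbound login attempts per source, and internal hosts allowed out to IRC."""
    summary = {"by_action": Counter(e["action"] for e in events),
               "blocked_login_attempts": 0,
               "blocked_login_sources": Counter(),
               "internal_irc_clients": Counter()}
    for e in events:
        inbound = e["in"] == OUTSIDE_IF
        outbound = e["in"] == INSIDE_IF
        if inbound and e["action"] == "DROP" and e["dpt"] in LOGIN_PORTS:
            summary["blocked_login_attempts"] += 1
            summary["blocked_login_sources"][e["src"]] += 1
        if outbound and e["action"] == "ACCEPT" and e["dpt"] in IRC_PORTS:
            summary["internal_irc_clients"][e["src"]] += 1
    return summary
```

Any host listed under internal_irc_clients is exactly the case the FAQ warns about: the firewall saw the connection and let it through, so only an egress policy that restricts what internal systems may reach, not the firewall's presence alone, would have stopped it.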




2.5 What about viruses and other malware?