A Proxy

[Figure: logical communication between Server 1 and Server 2 through a proxy server]

In this case, Server1 and Server2 are attempting to communicate with each other. The proxy resides between the two hosts and responds to all communications and requests between the two hosts. This ensures that the two hosts never actually communicate directly with each other. Logically, Server1 and Server2 are communicating with each other, even though physically the...

About the Authors

Wes Noonan, CISA, is a staff quality engineer at NetIQ working on their security solutions product line. Wes has more than 12 years of industry experience, specializing in Windows-based networks and network infrastructure security design and implementation. Wes is the author of Hardening Network Infrastructure (ISBN 0072255021), is a contributing co-author of CISSP Training Guide (ISBN 078972801X) and Hardening Network Security (ISBN 0072257032), and is a technical editor for Hacking Exposed...

Acknowledgments

I'd like to thank my wife for once again sacrificing the time it took me to work on another book. I couldn't do this without you. I could not have done this had Brian Ford not been willing to take a chance on bringing me in on this project. Likewise, I appreciate the chance to work with Ido Dubrawsky and look forward to future partnerships. I want to thank both Brian and Ido for the opportunity and privilege of working with them both. To Brett Bartow and Andrew Cupp, I know we drove you crazy...

Additional Reading

CCSP Self-Study: Cisco Secure PIX Firewall Advanced (CSPFA), Second Edition (Cisco Press)
Cheswick, William, Steven Bellovin, and Aviel Rubin. Firewalls and Internet Security: Repelling the Wily Hacker, Second Edition (Addison-Wesley Professional)
Comer, Douglas E. Internetworking with TCP/IP Vol. 1: Principles, Protocols, and Architecture, Fourth Edition (Prentice Hall)
Deal, Richard. Cisco Router Firewall Security (Cisco Press)
McCarty, Bill. Red Hat Linux Firewalls (Red Hat...

Advanced Firewall Troubleshooting

This chapter has focused primarily on the core tasks of a firewall to process traffic through the firewall and for the firewall to provide for connectivity and access to remote and protected hosts. However, firewalls continue to gain more advanced features and functions, and it is becoming necessary to troubleshoot those advanced features and functions. Processes such as SNMP, NTP, routing, and authentication all provide ample opportunity for something to fail that you will need to...

Appendix A Firewall and Security Tools

The nature of firewalls and how they can be used to manipulate and control network traffic can make it difficult to troubleshoot network problems where firewalls are involved. Similarly, firewalls can introduce some unique and special requirements for managing and maintaining the firewall and the firewall configuration. This appendix examines some common tools and tool usage to assist in troubleshooting, managing and maintaining firewalls.

Appliance Firewalls

Appliance firewalls are firewalls that are integrated tightly with custom-built hardware (or in some cases commodity hardware) and provide firewall services to a network. Appliance firewalls include the Cisco PIX, NetScreen firewalls, SonicWall appliances, WatchGuard Fireboxes, and Nokia firewalls all the way down to the Linksys, D-Link, and NETGEAR products for home users. The underlying operating system need not be a custom operating system. It can be a highly customized version of a...

Applications That Are Hard to Firewall

The difficulty with application firewalls stems from the fact that the transaction between the client and server is complex, and it becomes more so as the protocol or the data in the communication expand, which increases the complexity of the transaction. Protocols such as eXtensible Markup Language (XML) and Simple Object Access Protocol (SOAP) make web application firewalls especially tricky. To provide proper web application security, the application firewall must have a detailed understanding of...

Assigning IP Addresses to the Firewall Interfaces

To communicate on the network, the firewall needs to have IP addresses assigned to the firewall interfaces. The process of doing this changed between PIX/ASA version 6.x and 7.x, but the fundamental steps are the same: enable the interface, configure the interface itself, and assign an IP address to the interface. To assign IP addresses to the PIX interfaces, the administrator must enter configuration mode. Because the PIX uses a command interface that is similar to IOS, administrators enter...

Bad IP Packets

In most cases, the IP packets that are received on a network can be successfully processed and acted upon accordingly. As is true with all network communications, however, it is possible for an IP packet to either be accidentally or intentionally designed in such a way as to be a bad packet. When we say bad packet, we mean a packet that for whatever reason cannot be processed properly. In some cases, this may be the result of unreliable delivery of the data (for example, if a portion of the...

Bad TCP

Because of how TCP functions, it is susceptible to a number of bad implementations and functions, starting with the manner in which sessions are established. When TCP hosts begin to initiate a session, the destination host receives a SYN, responds with a SYN ACK, and then waits for an ACK response. Malicious TCP traffic can take advantage of this process using what is known as a SYN flood. In a SYN flood, the host is inundated with session requests but no final ACK. Therefore, the host slowly...

Bad UDP

UDP is such a simple protocol that there is not a whole lot that can be done with the protocol itself to account for bad UDP traffic. UDP is particularly effective as a source of bad traffic because it is connectionless. Therefore, it is a great candidate for spoofing. Malicious users can generate traffic as a different host, and because UDP is connectionless and responses are not expected, they do not really care that the targeted host is sending the responses to the wrong host. UDP is also a...

Be Realistic When Implementing Internal Firewalls

It is easy to become overwhelmed with implementing firewalls on the internal network because we have a tendency to think that we need a full-blown firewall everywhere. Unless your company is exceedingly rich, you probably will not get 100 dedicated firewalls to filter traffic from 100 WAN connections. Keep in mind that when we are talking about firewalls, we are talking about everything from simple packet-filtering routers to full-blown application proxies. It is important to select the proper...

Broadcast and Multicast

Most of this discussion of IP traffic has revolved around the process of unicast traffic, which is traffic that is addressed for a single host. However, IP traffic can also be broadcast or multicast traffic, providing for some flexibility in how traffic is delivered. Broadcast traffic is traffic that is destined to all hosts on a given subnet or to all hosts on all subnets. Broadcasts take advantage of the fact that the electrical signal is actually received by all hosts unless otherwise...

Central Office

Although referred to as a central office implementation, the key to this implementation is not necessarily that it exists at the central office. Rather, the central office implementation refers to an implementation that has a number of common elements: A concentration of resources must be protected by the firewall. A significant number of internal users need access to external resources through the firewall (for example, if the firewall handles the majority of the company's Internet access)....

Introduction to Firewalls

Depending on whom you talk to, a firewall is either the cornerstone of their organization's security infrastructure, or it is a device that has woefully failed to live up to expectations. How can one device have such a contrast in perceptions? The biggest reason for this is a misunderstanding of what a firewall is and is not, and what a firewall can and cannot do. This chapter looks at what a firewall is and how a firewall works to illustrate what the reasonable expectations for a firewall are....

Firewall Security Policies

The term security policy has a number of meanings in the industry. On one hand, it refers to the written policies that dictate how the organization manages the security of its resources. On the other hand, it refers to the actual configuration of the device in question, such as with an access control list (ACL). This chapter looks at both forms of security policy as they relate to firewalls. The written security policies (sometimes referred to as information security policies) that define what...

Managing Firewalls

This chapter looks at the management of firewalls. From the perspective of the small office/home user, the firewall is a single device that protects the home network from malicious traffic: it keeps out the bad stuff and provides the end user a more secure online experience. For the enterprise, the firewall can be both an inbound filter as well as an outbound filter, depending on how the security policy calls for enforcing the edge network. Either way, the firewall (or in the case of enterprises,...

What Is My Firewall Telling Me?

You have purchased, installed, configured, and are running a firewall. You think it is doing a marvelous job of protecting resources and keeping your network safe and secure. But is it really doing those things? Network and security data and information are arguably the most valuable assets in a firewall administrator's toolbox when combined with the knowledge of how to use them. Firewall data and information greatly increase your ability to identify security compromises and assist in general...

Going Beyond Basic Firewall Features

Modern firewalls provide a wide variety of significant services to the end user, whether it is a personal firewall or a network firewall used to protect an enterprise network. Firewall capabilities have increased dramatically over the past few years, and they have quickly become a nexus of security services to a network (or an individual machine). This increase of capabilities has caused firewall administrators to reevaluate and in some cases redefine the expectations of what a firewall can do....

Firewall Basics

This chapter covers the basics of firewalls. Firewalls can be distinguished in a variety of ways, from the size of the network they are designed to operate in to the way they provide protection. This chapter examines the basic taxonomy of firewalls and uses the convention of classifying firewalls based on size: personal or desktop firewalls, small office/home office (SOHO) firewalls, and enterprise-level firewalls. In addition, this chapter discusses the various ways firewalls defend the networks...

TCP/IP for Firewalls

Much like humans may speak English, German, or Russian, computers may speak any number of languages, IPX/SPX, AppleTalk, and TCP/IP being just a few of them. Because of the portability and scalability of TCP/IP, TCP/IP has been settled on as the de facto standard method for providing communication services between hosts on a network and in particular across the Internet. Much like a human language, TCP/IP has a defined structure and set of rules that control how hosts communicate. Therefore,...

Personal Firewalls: Windows Firewall and Trend Micro's PC-cillin

Firewall technology has moved both upward into the large enterprise and service-provider space as well as all the way down to the desktop level. Desktop firewalls, also known as personal firewalls, are designed to protect a single system. These firewalls have been around for a long time in the Linux and BSD space but only relatively recently have they made a significant entrance onto the Windows desktop. Many computer vendors now bundle a personal firewall with a trial license on every system...

Broadband Routers and Firewalls

Depending on the report you want to accept, between 53 percent and 62 percent of Internet access in the United States is provided by broadband connections. Outside the United States, broadband access percentages can exceed 75 percent of all Internet access methods. Although broadband Internet access provides for increased download speeds and an explosion of Internet-based services and resources, it also introduces some unique problems to the small office/home office (SOHO) and home user markets....

Cisco PIX Firewall and ASA Security Appliance

One of the most widely deployed firewalls on the Internet is the Cisco PIX Firewall. The PIX, along with the new Cisco Adaptive Security Appliance (ASA), is poised to improve Cisco's market share of the firewall and virtual private network (VPN) marketplace by providing advanced security, increased performance, and more robust functionality. Originally acquired from a company called Network Translations back in the early to mid-1990s, the PIX has undergone significant development and...

Linux-Based Firewalls

Linux-based firewalls come in a variety of flavors. Originally, Linux-based firewalls were based on the ipfw code (which itself was taken from the Berkeley Software Distribution (BSD) of UNIX). This code comprised the original version of firewall capabilities within the Linux kernel. The next evolutionary step beyond ipfw was the ipfwadm utility (which was actually a rewrite of BSD's ipfw utility). This firewall code and utility began to be available in Linux kernels in the 1.0 series and provided...

Application Proxy Firewalls

Application proxy firewalls are perhaps the most complex firewalls to implement. This complexity is due in large part to the fact that, unlike other firewall technologies, application proxy firewalls can make filtering decisions based on the actual application data, which requires that firewall administrators better understand the applications that will traverse the firewall. Practically speaking, two elements comprise an application proxy firewall: application layer filtering and... This chapter looks...

Choosing Between the PIX and the ASA

One of the first questions to answer when trying to determine what Cisco firewall your environment requires is what the difference between the Cisco PIX Firewall and the Cisco ASA is. The ASA is essentially the latest version of the Cisco firewall solution and is based largely on the PIX software. In fact, the Cisco ASA and enterprise versions of the PIX (PIX 515E and larger) actually run the same firewall software starting with the 7.x code base. In the case of the PIX, this firewall software...

Cisco PIX Firewall and ASA Models

To implement a Cisco PIX or ASA in a given network, you need only purchase the PIX or ASA hardware and software from Cisco. Cisco PIXs come in all sizes, from small office/home office (SOHO) models to large enterprise or service provider models. The trick is to know what size PIX or ASA is appropriate for your network. In general, you can classify the PIX or ASA products into three solutions:
Medium- to large-office solution
Enterprise office and service provider solution

Command Syntax Conventions

The conventions used to present command syntax in this book are the same conventions used in the IOS Command Reference. The Command Reference describes these conventions as follows:
Boldface indicates commands and keywords that are entered literally as shown. In actual configuration examples and output (not general command syntax), boldface indicates commands that are manually input by the user (such as a show command).
Italics indicate arguments for which you supply actual values.
Vertical bars...

Common Applications Using IP

The most common applications that use IP tend to revolve around access to Internet-based resources such as web servers and mail servers. In addition, file and print services are the most common application implemented in most networks. Web browsers and web servers allow users to access graphical content using HTTP, which uses TCP port 80. In addition, if secure web browsing is required, the data can be secured using Secure Sockets Layer (SSL), commonly known as HTTPS, which uses TCP port 443....

Common Firewall Management Tasks

One of the first things to accomplish when deploying a new firewall, whether this is for an enterprise deployment or a small office or home office, is to configure some basic aspects of networking. This includes changing the default administrative password, configuring the default gateway, configuring the IP addresses of the internal and external (and possibly other) interfaces, and configuring the logging of messages from the firewall. In addition to these tasks, the firewall administrator must also manage the configuration of the...

Common Routing Protocols

There are a number of common routing protocols that most environments use. Routing Information Protocol (RIP) is a distance vector routing protocol that uses the hop count exclusively to make routing decisions. RIP supports a maximum hop count of 15 hops, making any destination that requires more than 15 hops unreachable. Therefore, RIP is suited for small and relatively simple network environments. RIP has two different versions: 1 and 2. RIPv1 is a classful routing protocol, which means...

Common Security Policies

Each organization has unique security requirements and therefore their own unique security policies. However, most if not all environments require a number of common security policies, including the following:
Management-access policy
Filtering policy
Routing policy
Demilitarized zone (DMZ) policy
Generally applicable policies
Firewall policies (that is, the access policies on the actual firewalls) are covered later in this chapter.

Compromise of Personal Information and Spyware

Personal information, in particular financial information, is the holy grail of many attackers. With that information, an attacker can either use or sell the data to someone who will use it to engage in all sorts of financial-based frauds. Literally millions of dollars of fraudulent purchases are made every year using personal information that was obtained illegally. Financial information is only one component in the compromise of personal information. Another risk is the compromise of private...

Configuring Administration

On the Administration tab, you can define how the router will be managed and how logging should be configured. You can also perform software upgrades and reset the router to the factory defaults. The Management screen is used to specify what the router password is. Keep in mind that all users will access the router web-based interface using the same password, so you should consider using a unique password for the router and sharing the password with as few people as possible. In addition, you...

Configuring Applications & Gaming

The name of the Applications & Gaming tab is somewhat misleading because, although the settings are typically going to be implemented by home users to support their gaming applications, in function the Applications & Gaming tab is where the configuration of filtering from external sources to internal resources is performed. This tab has five screens. On the Port Range Forwarding screen, you can configure the router to permit certain types of traffic from all external hosts over the...

Configuring Basic Setup

The BEFSR41v4 Setup tab consists of four screens. On the Basic Setup screen, you can configure how the router connects to the service provider (for example, using DHCP or PPPoE). Depending on which connection type you specify, additional options will be made available on the screen. You can also specify the host and domain name as well as the maximum transmission unit (MTU) for the router, if it is required by your service provider. The Basic Setup screen is also where you configure the local...

Configuring Linksys

Linksys uses a web-based interface to perform all configuration functions. This interface is accessible by default from any internal host and is accessed using a web browser such as Microsoft Internet Explorer. Upon accessing the web-based interface, you are prompted with a Username/Password dialog box. Refer to the user guide of your appropriate router for the relevant information, but typically the username/password combination of admin/admin is the default user account. You can change the...

Configuring Logging on the Firewall

One of the most valuable capabilities of any firewall is the ability to log events so that the administrator can be informed of and aware of what is going on with the firewall. Cisco PIX/ASA firewalls use syslog for the logging of all events on the firewall (syslog and logging in general are discussed in much greater detail in Chapter 12, "What Is My Firewall Telling Me?"), which allows an administrator to read and parse the logs for important events or events that may require additional...

Configuring NetFilter

The NetFilter packet filter is configured through the iptables command utility. Like its predecessor, ipchains, iptables enables firewall administrators to control a wide variety of features in the NetFilter packet filter. Chief among these are adding or inserting filter rules within a preexisting set of rules, defining the policy of the various chains in the filter, or creating user-defined chains for specific purposes such as testing for denial-of-service (DoS) attacks or other specific purposes. The path...

Configuring Security

The Security tab consists of two screens, Filter and VPN Passthrough. In both instances, the configuration applies to traffic from the internal network accessing external resources (egress filtering). The Filter screen is where you can configure IP address, port, and MAC address filtering of internal hosts. For example, if you want to prevent host 192.168.173.115 from accessing the Internet, you can specify that IP address in the Filter IP Address Range fields, and the router will not allow...

Configuring the Cisco PIX/ASA

Complete configuration of the Cisco PIX is beyond the scope of this book. However, we can cover some of the initial steps required to set up the PIX and to allow an administrator access to the graphical user interface (GUI), the Adaptive Security Device Manager (ASDM) (previously known as the PIX Device Manager (PDM) for software versions prior to 7.0). To initially configure a PIX out of the box, connect a serial connector to the console port of the PIX (which is typically outlined with a...

Configuring the Firewall for Remote Management Access

The PIX/ASA firewall supports three primary methods of remote management access: Telnet, SSH, and ASDM/PDM. Both Telnet and SSH are used to provide CLI access to the firewall, whereas the ASDM/PDM provides an HTTPS-based GUI management console. Telnet remote management is the simplest, yet least secure, method of remotely managing the firewall. The reason for this is that Telnet does not encrypt the data in transit and in fact sends the data in cleartext. This makes it easy for a malicious user to capture the data and...

Configuring the Firewall Name, Domain Name, and Passwords

Now that the firewall has been assigned IP addresses and the interfaces are functioning properly, the next step is to configure some basic firewall configuration values such as the firewall host name, domain name, and passwords. The commands to perform these configurations are the same for all versions of the PIX/ASA software. You can configure the host name by running the hostname name command, and the domain name is configured by running the domain-name domain command from the global...

Configuring the Firewall Routing Settings

With IP connectivity established, the next step is to configure routing for the firewall. The firewall supports both static routes and dynamic routing using Open Shortest Path First (OSPF); for more information about configuring OSPF routing, see Cisco ASA and PIX Firewall Handbook (Cisco Press). You can configure static routes on all software versions by running the route interface-name ip-address netmask gateway-ip metric tunneled command. This same command can be used to set the default route...

Configuring the Trend Micro Firewall

Configuring the Trend Micro firewall is straightforward and easy. When the firewall software, which is a part of Trend Micro's PC-cillin Internet security suite, has been installed, the main control panel should be opened. This can be done either by right-clicking the Trend Micro Internet security suite icon in the notification area at the lower right of the Windows taskbar and then choosing the Open Main option or by just double-clicking the icon. Alternatively, the user can open PC-cillin's...

Content Filtering

Many enterprises are beginning to concern themselves with the use of the corporate Internet connection by their employees. The unmanaged access to inappropriate or distracting web content can involve significant legal risk and may well jeopardize network security. Additionally, unmanaged access to web content typically results in significant reduction of employee productivity. These issues cannot be easily ignored by many companies. One of the newer features being required of firewalls is the...

Default Passwords

When you purchase a new firewall (or any network device in general) such as a Cisco PIX, a Linksys, a NetScreen, or a SonicWall, out of the box the device has some default passwords set (and in some cases there is no default password). This is because the manufacturer must allow for initial access to the device for the end user to configure it. Most recent documentation for any device admonishes the end user to immediately change the default password to something else. Table 11-1 shows common...

Denial of Service

A DoS attack entails a threat that simply prevents legitimate traffic from being able to access the protected resource. A common DoS is one that causes the services or server itself to crash, thus rendering the service being provided inaccessible. This attack is commonly done by exploiting buffer overflows in software and protocols or by sending data to the host that the host does not know how to respond to, thus causing the host to crash. A variant of the DoS that has gained traction and is...

Determining If You Need a Firewall

It is convenient (and accurate) to say that you always need a firewall if you are connecting to the Internet. Firewalls should not be relegated exclusively to the realm of providing access to and protection from Internet-based resources. Instead, you should consider implementing a firewall any time a resource needs to be protected, regardless of where the protected resource is located, or where the requesting traffic will be coming from. Firewalls can, and in many cases should, be used to...

Determining Reachability

PING is built upon the Internet Control Message Protocol (ICMP) and uses a system of echo and echo-reply messages to indicate whether a host is reachable. When a source host attempts to determine whether a destination host is reachable, it generates an ICMP echo packet for the destination host. When the destination host receives the echo packet, it responds with an echo-reply packet, allowing the source host to ascertain that the destination is reachable. If for some reason the destination host...

Determining Which Physical Addresses Are Known

A fundamental aspect of network communications is the need for two hosts to be able to physically identify and communicate with each other. This is handled in TCP IP by the Address Resolution Protocol (ARP). ARP builds and maintains a table of MAC address to IP address associations, allowing a host to be able to physically identify local hosts and address them accordingly. If the host has the wrong physical address, however, the data will not be successfully delivered. This mis-addressing is...

Developing a Troubleshooting Checklist

There is an old saying that when you practice what you need to do in the time of a crisis, when the crisis occurs the reaction tends to be automatic. When the firewall is down is not the time to try to figure out what you should be looking at to resolve the problem. Instead, develop a troubleshooting checklist in advance. The reason is simple There will already be enough stress and confusion as a result of the failure there is no need to increase either by not having a plan. Your...

Different Classes of Routing Protocols

Although each routing protocol has its own specific functionality, they can all be generally classified as falling into three categories:
Distance vector: Distance vector routing protocols are relatively simplistic in design and tend to use a distance to determine the best path. The distance is measured by counting how many times a packet goes through a router, known as a hop, until it arrives at the destination network. The smaller the hop count, the shorter and better the route. Distance vector...

Different Types of Office Requirements

Although every firewall implementation is truly unique, there are a couple of fundamental designs from which virtually all firewall designs are created. The first question to ask when implementing a firewall is whether the firewall is going to be located at a central location or a remote location. When you have answered that question, you need to examine the resources that need to be protected. With that in mind, the next step is to determine how many demilitarized zones (DMZs), if any, need to be...

Dual Firewall Architecture

The dual-firewall architecture is more complex than the single-firewall architecture, but it is also a more secure overall design and provides for a much more granular level of control over traffic traversing the firewalls. This is because the architecture uses two firewalls, ideally of different vendors and models, to act as exterior and interior firewalls providing a DMZ segment between the two firewalls, as shown in Figure 9-3. Like previous designs, traffic is permitted into the DMZ segment...

Dual Firewall System

With a dual-firewall architecture, the firewall system consists of the following layers:
Network segment between external router and exterior firewall
Figure 9-5 depicts a dual-firewall system.

[Figure 9-5: dual-firewall system; labels: ingress filtering at interior firewall, egress filtering at interior firewall, ingress filtering at exterior firewall, egress filtering at exterior firewall]

The only real physical difference with the dual-firewall system over the...

Egress Filters

Practically speaking, egress filters are almost identical to ingress filters. The difference lies in what an egress filter applies to. Unlike ingress filters, egress filters apply to traffic that is coming from a trusted network to an untrusted network. As a result, egress filters typically are applied either on firewall interfaces that connect to the internal network or to a DMZ segment. A simple way of thinking of ingress and egress filters is that an ingress filter filters traffic coming in,...

Enterprise Office and Service Provider Solution

The next two models of the PIX firewall are designed specifically for large enterprises and service providers the PIX 525 and 535. The 525 is produced in a 2U form factor and can accommodate up to ten Fast Ethernet or two Fast Ethernet and three Gigabit Ethernet interfaces. The PIX 535 also comes in a 2U form factor and can accommodate 14 Fast Ethernet or 9 Gigabit Ethernet interfaces. Both models provide all manner of high-availability functionality such as zero-downtime upgrade and VPN...

Example 11-1 Configuring NetFilter with IPTables

iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 22 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 25 -m state --state NEW -j ACCEPT
iptables -A INPUT -p tcp -s 0.0.0.0/0 -d 10.16.17.202 --dport 80 -m state --state NEW -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited

Example 11-2 provides a similar configuration with the PIX command...

Example 11-3 PIX Logging

The command logging on tells the device to turn on logging on the device, and the logging timestamp command ensures that a date/time field is inserted in each syslog message sent to the remote syslog server. The logging trap informational command specifies the level of logging to be conducted. The reason Informational is used for logging with the PIX is that it provides enough information to monitor the traffic going through the firewall without overwhelming the administrator with unnecessary information. Level 7, Debug, is typically u...

Example 11-4 Using RCS for Configuration Control

Enter description, terminated with single '.' or end of file:
>> Initial configuration of external edge router
root@sauron:configs 127# ls -l
total 26
drwxrwx---  2 root  sysadmin    512 Aug 29 10:06 RCS
-rw-r-----  1 root  other     11879 Aug 29 10:06 frodo.cfg

The ci command checks the configuration into the repository. The -i flag tells the RCS software to create a new repository. The co command is used to check items out of the repository. The -l flag also locks the file to the specific user who issued the co command....

Example 11-5 Checking in Changes to the RCS Repository

new revision: 1.2; previous revision: 1.1
enter log message, terminated with single '.' or end of file:
>> Added new external NAT address, 172.16.45.152 -> 192.168.155.152 - idubraws
root@sauron:configs 33# ls -l
total 2
drwxrwx---  2 root  sysadmin  512 Aug 29 10:20 RCS

RCS, CVS, and other open source revision-control systems provide an easy, low-cost way of managing configuration changes. Change-control logging is the process by which information is entered in the change-control system made to a...

Example 11-6 Viewing the RCS Log for Configuration Changes

root@sauron:configs 136# rlog frodo.cfg
total revisions: 2; selected revisions: 2
Initial configuration of external edge router
date: 2005/08/29 14:19:59; author: root; state:
Added new external NAT address, 172.16.45.152 ->
date: 2005/08/29 13:51:42; author: root; state:

The output in Example 11-6 provides a lot of information. For example, the working file is identified in the output. In addition, it shows how many revisions have been made to the file (in the example, two revisions have been made). A description of the file...

Example 11-7 Viewing Differences in Configuration Revisions

RCS file: RCS/frodo.cfg,v
retrieving revision 1.1
retrieving revision 1.2
diff -r1.1 -r1.2
73a74
> ip nat inside source static 172.16.45.152 66.92.161.152

Although RCS is useful for a small site, an enterprise network administrator would be better served by configuration management tools such as the CiscoWorks Management Center for Firewalls. This tool provides not only revision control for the configurations but also a workflow tool that provides for separation of duty among administrators. This prevents a single...

Example 13-1 Telnetting to TCP Port 80 to Test Connectivity

C:\Documents and Settings\wnoonan> telnet web server 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2795
Content-Type: text/html
Content-Location: http://192.168.173.101/Default.htm
Last-Modified: Tue, 23 Nov 2004 05:23:47 GMT
ETag: "f9fcf19b1cd1c41:336"
Connection: close
<additional output snipped>

By just telnetting to TCP port 80 and typing GET / HTTP/1.0 and then pressing Enter a few times, I can retrieve the default web page for the server, which at least verifies that the target host is...

Example 14-1 Using Telnet to Access a Server on TCP Port 443 (HTTPS)

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<title>400 Bad Request</title>
<p>Your browser sent a request that this server could not understand.<br />
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.<br />
<blockquote>Hint: <a ...
<address>Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7d DAV/2 www.innocentvictimcompany.com Port 443</address>
Connection to 10.16.17.223 closed by...

Example 14-2 OpenSSL

$ openssl s_client -connect 10.16.17.223:443
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=18:self signed certificate
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky
verify error:num=10:certificate has expired
depth=0 /C=US/ST=Maryland/L=Silver Spring/O=dubrawsky.org/OU=IT/CN=Ido Dubrawsky/emailAddress=idubraws@dubrawsky.org
notAfter=Oct  6 01:35:00 2005 GMT
verify return:1
 0 s:/C=US/ST=Maryland/L=Silver Spring/O...

Example A-1 ACL to Permit Only Certain ICMP Message Types

As a best practice, your external firewall interface (and all corresponding IP addresses) should not allow any other ICMP traffic. This will prevent someone from being able to ping the firewall external IP address to determine whether it is accessible and will also protect against malicious ICMP-based traffic such as a ping of death. Another aspect of reachability is to show how the device was reachable. In other words, what path through the network was taken to the destination host? To answer...

Example A-10 Basic Nmap SYN Port Scan Against a Cisco Secure PIX Firewall

root@keoland nmap# nmap -sS -P0 -O -vv 10.10.10.1

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2005-10-04 14:10 CDT
Initiating ARP Ping Scan against 10.10.10.1 [1 port] at 14:10
The ARP Ping Scan took 0.01s to scan 1 total hosts.
Initiating SYN Stealth Scan against firewall.myco.com (10.10.10.1) [1668 ports] at 14:10
Discovered open port 443/tcp on 10.10.10.1
Discovered open port 25/tcp on 10.10.10.1
Discovered open port 21/tcp on 10.10.10.1
Discovered open port 80/tcp on 10.10.10.1
SYN...

Example A-6 Red Hat Linux IP Configuration

[wnoonan@keoland wnoonan]$ ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:D0:09:DC:B4:2B
          inet addr:192.168.1.118  Bcast:192.168.1.127  Mask:255.255.255.224
          inet6 addr: fe80::2d0:9ff:fedc:b42b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2443 errors:0 dropped:0 overruns:0
          TX packets:201 errors:0 dropped:0 overruns:0
          RX bytes:224572 (219.3 Kb)  TX bytes:30513 (29.7

Example A-7 Running TCPDump to Capture Data

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
08:39:28.375994 IP 192.168.1.114.1620 > linuxhost.myco.local.ssh: . ack 189711522 win 64448
08:39:28.416215 IP linuxhost.myco.local.ssh > 192.168.1.114.1620: P 1:225(224) ack 0 win 8576
08:39:28.414651 IP linuxhost.myco.local.32769 > windowshost.myco.local.domain: 28200+ PTR? 118.173.168.192.in-addr.arpa. (46)
08:39:28.414855 IP...

Example A-8 Configuring a Cisco Secure PIX Firewall to Use Syslog

firewall(config)# logging host inside 192.168.1.101
firewall(config)# logging trap informational
firewall(config)# logging timestamp

A valuable component of logging events is the ability to perform log analysis. Whereas most syslog servers enable you to log events, few enable you to perform event correlation or event analysis. In addition, it quickly becomes an insurmountable task for a human being to review the logs in a timely fashion to identify security events or negative trends. Therefore,...

Example A-9 Nmap Usage Screen

C:\Download\Hacking Tools\Nmap\nmap-3.93> nmap
Nmap 3.93 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
  -sT TCP connect() port scan (default for unprivileged users)
  -sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
  -sV Version scan probes open ports determining service &
  -sR RPC scan (use with other scan types)...

Examples of Security Policies

You have two primary security policies to use as a baseline in designing your security policy. The first is the closed security policy, also known as the minimalist security policy. The other is an open security policy, also known as generally a bad idea. The closed security policy is based on the premise that by default all access is denied, and only access that is explicitly required will be permitted. The benefit of this approach is that the security policy will be designed only to allow...

Figure 11-1 Symantec Internet Security Configuration

[Figure 11-1: Symantec Internet Security configuration window]

Figure 11-2. Symantec Firewall Configuration

[Figure 11-2: Symantec firewall configuration window]

The PIX Device Manager (for PIX operating systems up to versions 6.3(5)), known as the Cisco Adaptive Security Device Manager in PIX version 7.0, is a Java applet that is downloaded from the PIX or ASA device and runs locally through the client browser. Figure 11-3 shows the PIX Device Manager screen.

Figure 11-10 Access Denied Without Proper Credentials

When the configuration repository directory has been secured sufficiently, the next step is to check in the initial configuration to the repository. The initial configuration is the starting point that you will use as a known-good configuration for the device. Any changes made after the initial configuration are tracked using the configuration repository. By doing this, you will be able to reconstruct a good configuration in case a specific change needs to be removed. In addition, by using revision control, you can find out who...

Figure 11-3 Cisco PIX Device Manager

[Figure 11-3: Cisco PIX Device Manager screen]

Figure 11-5 Webmin IPTables Rules Interface

[Figure 11-5: Webmin IPTables rules interface]

Figure 11-9 Final Security Settings for Folder

[Figure 11-9: folder Properties dialog (General, Web Sharing, Sharing, and Security tabs), Security tab shown]

When that is accomplished, access to the folder is limited to only those with the proper credentials, as shown in Figure 11-10.

Figure 12-3 Microsoft ISA Server Log Data

[Figure 12-3: Microsoft ISA Server log data]

Figure 12-5 How Spoofing Works

In the example in Figure 12-5, the attacker builds packets with a source IP address of 209.165.201.1 (the IP address of the innocent victim) to transmit to the firewall. When the firewall receives the data, it logs the packets as coming from 209.165.201.1 because that is what the source IP address of the packet is. In reality, the packet came from the attacker, but the firewall has no way of knowing that. In fact, if the firewall needs to respond to any of the traffic that it received, it will...

Figure 13-1 Connectivity Testing Flowchart

The first step is to attempt to ping the target host by its host name. If this succeeds, it validates that everything from name resolution to physical delivery of the data is functioning properly. If this is not successful, the next step is to attempt to ping the target host by its IP address. This eliminates name resolution as part of the problem. If this succeeds, the problem is likely going to be related to name resolution (either Domain Name System [DNS] resolution or NetBIOS name...

Figure 13-4 Failed Connection to Website

[Figure 13-4: browser error page reporting that the server is taking too long to respond]

One of the first steps to take is to test the connectivity. Doing so involves verifying that the firewall is up and running as well as verifying that the Internet connection is...

Figure 13-6 Verifying Firewall Functioning

[Figure 13-6: PIX console session showing the firewall is up and running]

If the firewall is up and running, the next step is to test the Internet connection on the outside interface of the firewall. You can do this by pinging a system out on the Internet. Doing so is somewhat tricky because many networks filter out unsolicited ICMP requests. However, some of the...

Figure 13-7 Testing Internet Connectivity

[Figure 13-7: nslookup of an Internet host name followed by a ping of one of the returned addresses from the firewall]

Figure 13-8 Checking Server Connectivity

In this example, the assumption is that the web server is not responding because it does not respond to a ping or to the Telnet connection to the web server port, 80. In more complex cases, you might need to review the firewall configuration to ensure that it is not blocking the traffic unnecessarily. Also, consider that in some cases it is not your end of the connection that may be problematic but the other end. In many cases, you might need to search the vendor's documentation to ensure that...

Figure 14-1 URL Filtering with the Cisco PIX Firewall

The following is a description of the process in Figure 14-1:

1. The client sends the initial connection to the web server, which replies back as expected. This reply is held at the firewall, however, until a filtering determination has been made.
2. At the same time, the firewall connects to the filtering server using connection 2 to query the filtering server about whether the traffic should be permitted.
3. The filtering server replies to the firewall with whether the traffic should be...

Figure 14-4 IPsec Encapsulated Security Payload Header

The fields in the ESP header are as follows:

SPI: This pseudo-random value identifies the security association for this traffic.
Sequence Number: This monotonically increasing counter identifies the sequence of this packet within the connection. This is used to prevent replay attacks.
Payload Data: This variable-length field contains data that is described by the Next Header field.
Padding: These null bytes are used to ensure that the fields fall on 8-byte boundaries.
Pad Length: This 8-bit field...

Figure 14-6 IPsec ESP in Tunnel Mode

[Figure 14-6 panel: Before Applying ESP]

When configuring a firewall to either terminate or to allow IPsec traffic to pass, you must consider the mode. Most firewalls perform some Network Address Translation (NAT) function on the IP packets flowing through them. The modifications, namely the change of the source IP address, made by the NAT process in the firewall can impair the ability of IPsec traffic to travel through the firewall because any changes to the headers of the IP packets may...

Figure 3-10 UDP Header Structure

[Figure 3-10: UDP header, bit positions 0 through 31]

The UDP header contains two 32-bit words with the following fields and meanings:

Source Port (16 bits): This field represents the source protocol or application. This allows the source to know which application the data belongs to so that responses can be delivered to the appropriate source application. In most cases, the source port is a random high-level port number (>1024) generated by the application.
Destination Port (16 bits): This field represents the destination protocol or...

Figure 3-11 Physical Addressing of Data Between Hosts

[Figure 3-11: Host A, the router, and Host B with their physical addresses]

The process in Figure 3-11 is as follows:

1. Host A logically addresses the data for Host B but physically addresses it to 00:05:9A:3C:78:00, the router interface physical address.
2. The router receives the data, because it is physically addressed to it, but realizes that logically it must be delivered to Host B. Therefore, it rebuilds the frame, using the physical address of the interface on the same network as Host B...

Figure 3-12 Address Classes

Classless Interdomain Routing (CIDR)

Although the classful address space is a great idea, the truth is that not everyone needs networks with the number of hosts that each class of address provides. For example, if you have more than 255 hosts that you need to connect to a network, using the classful address space you have to bump up to a full Class B, providing for 65,534 hosts on the network. Obviously, that is far more hosts than is necessary. To address this deficiency, CIDR was implemented....

Figure 4-11 Trend Micro Internet Security Window

From this window, the user can modify the firewall profiles by clicking the Firewall Profiles button in the middle of the window. This opens up the profile selection window shown in Figure 4-12. At this window, users can choose to enable or disable the firewall as well as choose the specific profile they want to apply to the firewall. Additionally, they can add and configure a new profile if the default profiles are insufficient to meet their needs.

Figure 4-12 Trend Micro Firewall Profiles

The default profiles include an office network connection, a home network connection, a wireless network connection, and a direct connection to the Internet. Each one has specific exceptions to the firewall policy for various services. The office network, wireless network, and direct connection profiles each have a list of specific exceptions for various services such as HTTP, Secure Shell (SSH), DNS, and others in the firewall profile. The home network profile, however, has no preconfigured...

Figure 4-13 Trend Micro Firewall Security Level

[Figure 4-13: Security Level tab of the firewall profile. Choose a High, Medium, or Low security level for the firewall profile: blocks incoming traffic unless allowed in the Exception List; allows outgoing traffic unless blocked in the Exception List; blocks network virus attacks and other known threats.]

The security level feature of the Trend Micro firewall enables the end user to adjust the overall protection provided by the firewall. There are three security levels...

Figure 4-14 Trend Micro Firewall Exception List

[Figure 4-14: Exception List tab of the firewall profile. Define the direction of Internet traffic, IP address or range of IP addresses, ports, and protocols for exceptions.]

This opens a new window where a wide variety of information about the exception can be entered, such as the protocol to use, the direction of traffic, the port number(s) the traffic uses, whether to...

Figure 4-15 Trend Micro Network Virus Emergency Center

[Figure 4-15: Network Virus Emergency Center window listing known network viruses and the actions that can be specified to help prevent infection from them]

Figure 4-2 Windows XP Control Panel

[Figure 4-2: Windows XP Control Panel window]

Choose Security Center at the lower-right corner of the window to open the Windows Security Center window. Choose Windows Firewall at the lower-left corner, as shown in Figure 4-3.