Firewalls and Internet Security, Second Edition

Addison-Wesley Professional Computing Series
Brian W. Kernighan and Craig Partridge, Consulting Editors

Matthew H. Austern, Generic Programming and the STL: Using and Extending the C++ Standard Template Library
David R. Butenhof, Programming with POSIX® Threads
Brent Callaghan, NFS Illustrated
Tom Cargill, C++ Programming Style
William R. Cheswick/Steven M. Bellovin/Aviel D. Rubin, Firewalls and Internet Security, Second Edition: Repelling the Wily Hacker
David A. Curry, UNIX® System Security: A Guide for Users and System Administrators
Stephen C. Dewhurst, C++ Gotchas: Avoiding Common Problems in Coding and Design
Erich Gamma/Richard Helm/Ralph Johnson/John Vlissides, Design Patterns: Elements of Reusable Object-Oriented Software
Erich Gamma/Richard Helm/Ralph Johnson/John Vlissides, Design Patterns CD: Elements of Reusable Object-Oriented Software
Peter Haggar, Practical Java™ Programming Language Guide
David R. Hanson, C Interfaces and Implementations: Techniques for Creating Reusable Software
Mark Harrison/Michael McLennan, Effective Tcl/Tk Programming: Writing Better Programs with Tcl and Tk
Michi Henning/Steve Vinoski, Advanced CORBA® Programming with C++
Brian W. Kernighan/Rob Pike, The Practice of Programming
S. Keshav, An Engineering Approach to Computer Networking: ATM Networks, the Internet, and the Telephone Network
John Lakos, Large-Scale C++ Software Design
Scott Meyers, Effective C++ CD: 85 Specific Ways to Improve Your Programs and Designs
Scott Meyers, Effective C++, Second Edition: 50 Specific Ways to Improve Your Programs and Designs
Scott Meyers, More Effective C++: 35 New Ways to Improve Your Programs and Designs
Scott Meyers, Effective STL: 50 Specific Ways to Improve Your Use of the Standard Template Library
Robert B. Murray, C++ Strategies and Tactics
David R. Musser/Gillmer J. Derge/Atul Saini, STL Tutorial and Reference Guide, Second Edition: C++ Programming with the Standard Template Library
John K. Ousterhout, Tcl and the Tk Toolkit
Craig Partridge, Gigabit Networking
Radia Perlman, Interconnections, Second Edition: Bridges, Routers, Switches, and Internetworking Protocols
Stephen A. Rago, UNIX® System V Network Programming
Curt Schimmel, UNIX® Systems for Modern Architectures: Symmetric Multiprocessing and Caching for Kernel Programmers
W. Richard Stevens, Advanced Programming in the UNIX® Environment
W. Richard Stevens, TCP/IP Illustrated, Volume 1: The Protocols
W. Richard Stevens, TCP/IP Illustrated, Volume 3: TCP for Transactions, HTTP, NNTP, and the UNIX® Domain Protocols
W. Richard Stevens/Gary R. Wright, TCP/IP Illustrated Volumes 1-3 Boxed Set
John Viega/Gary McGraw, Building Secure Software: How to Avoid Security Problems the Right Way
Gary R. Wright/W. Richard Stevens, TCP/IP Illustrated, Volume 2: The Implementation
Ruixi Yuan/W. Timothy Strayer, Virtual Private Networks: Technologies and Solutions

Please see our web site (http://www.awprofessional.com/series/professionalcomputing) for more information about these titles.

Firewalls and Internet Security, Second Edition
Repelling the Wily Hacker

William R. Cheswick
Steven M. Bellovin
Aviel D. Rubin

Addison-Wesley
Boston • San Francisco • New York • Toronto • Montreal • London • Munich • Paris • Madrid • Capetown • Sydney • Tokyo • Singapore • Mexico City

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and Addison-Wesley was aware of a trademark claim, the designations have been printed in initial capital letters or in all capitals.

The authors and publisher have taken care in the preparation of this book, but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for incidental or consequential damages in connection with or arising out of the use of the information or programs contained herein.

The publisher offers discounts on this book when ordered in quantity for bulk purchases and special sales. For more information, please contact:
U.S. Corporate and Government Sales
(800) 382-3419
corpsales@pearsontechgroup.com

For sales outside of the U.S., please contact:
International Sales
(617) 581-3793
international@pearsontechgroup.com

Visit Addison-Wesley on the Web: www.awprofessional.com

Library of Congress Cataloging-in-Publication Data
Cheswick, William R.
Firewalls and Internet security : repelling the wily hacker / William R. Cheswick, Steven M. Bellovin and Aviel D. Rubin.— 2nd ed.
p. cm.
Includes bibliographical references and index.
ISBN 0-201-63466-X
1. Firewalls (Computer security) I. Bellovin, Steven M. II. Rubin, Aviel D. III. Title.
TK5105.875.I57C44 2003
005.8—dc21
2003000644

Copyright © 2003 by AT&T and Lumeta Corporation

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form, or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior consent of the publisher. Printed in the United States of America. Published simultaneously in Canada.

For information on obtaining permission for use of material from this work, please submit a written request to:
Pearson Education, Inc.
Rights and Contracts Department
75 Arlington Street, Suite 300
Boston, MA 02116
Fax: (617) 848-7047

ISBN: 0-201-63466-X
Text printed on recycled paper
1 2 3 4 5 6 7 8 9 10—CRS—07 06 05 04 03
First printing, February 2003

For my mother, Ruth Cheswick, whose maiden name shall not be revealed because this is a security book, and for my father, Richard Reid Cheswick, who taught me about Monday mornings, and many other things. And to Terry, Kestrel, and Lorette, who had to put up with lengthy spates of grumpy editing sessions.
W.R.C.

To my parents, Sam and Sylvia Bellovin, for everything, and to Diane, Rebecca, and Daniel, for all the best reasons in the world.
S.M.B.

To my wife, Ann, my favorite person in the world; and to my children, Elana, Tamara, and Benny, the three best things that ever happened to me.
A.D.R.

Contents

Preface to the Second Edition
Preface to the First Edition

I Getting Started

1 Introduction
1.1 Security Truisms
1.2 Picking a Security Policy
1.3 Host-Based Security
1.4 Perimeter Security
1.5 Strategies for a Secure Network
1.6 The Ethics of Computer Security
1.7 WARNING

2 A Security Review of Protocols: Lower Layers
2.1 Basic Protocols
2.2 Managing Addresses and Names
2.3 IP version 6
2.4 Network Address Translators
2.5 Wireless Security

3 Security Review: The Upper Layers
3.1 Messaging
3.2 Internet Telephony
3.3 RPC-Based Protocols
3.4 File Transfer Protocols
3.5 Remote Login
3.6 Simple Network Management Protocol—SNMP
3.7 The Network Time Protocol
3.8 Information Services
3.9 Proprietary Protocols 68
3.10 Peer-to-Peer Networking 69
3.11 The X11 Window System 70
3.12 The Small Services

4 The Web: Threat or Menace? 73
4.1 The Web Protocols 74
4.2 Risks to the Clients 79
4.3 Risks to the Server 85
4.4 Web Servers vs. Firewalls 89
4.5 The Web and Databases 91
4.6 Parting Thoughts

II The Threats 93

5 Classes of Attacks 95
5.1 Stealing Passwords 95
5.2 Social Engineering 98
5.3 Bugs and Back Doors 100
5.4 Authentication Failures 103
5.5 Protocol Failures 104
5.6 Information Leakage 105
5.7 Exponential Attacks—Viruses and Worms 108
5.8 Denial-of-Service Attacks 107
5.9 Botnets 117
5.10 Active Attacks 117

6 The Hacker's Workbench, and Other Munitions 119
6.1 Introduction 119
6.2 Hacking Goals 121
6.3 Scanning a Network 121
6.4 Breaking into the Host 122
6.5 The Battle for the Host 123
6.6 Covering Tracks 126
6.7 Metastasis 127
6.8 Hacking Tools 128
6.9 Tiger Teams 132

III Safer Tools and Services 135

7 Authentication 137
7.1 Remembering Passwords 138
7.2 Time-Based One-Time Passwords 144
7.3 Challenge/Response One-Time Passwords 145
7.4 Lamport's One-Time Password Algorithm 146
7.5 Smart Cards 147
7.6 Biometrics 147
7.7 RADIUS 148
7.8 SASL: An Authentication Framework 149
7.9 Host-to-Host Authentication 149
7.10 PKI 150

8 Using Some Tools and Services 153
8.1 Inetd—Network Services 153
8.2 Ssh—Terminal and File Access 154
8.3 Syslog 158
8.4 Network Administration Tools 159
8.5 Chroot—Caging Suspect Software 162
8.6 Jailing the Apache Web Server 165
8.7 Aftpd—A Simple Anonymous FTP Daemon 167
8.8 Mail Transfer Agents 168
8.9 POP3 and IMAP 168
8.10 Samba: An SMB Implementation 169
8.11 Taming Named 170
8.12 Adding SSL Support with Sslwrap 170

IV Firewalls and VPNs 173

9 Kinds of Firewalls 175
9.1 Packet Filters 176
9.2 Application-Level Filtering 185
9.3 Circuit-Level Gateways 186
9.4 Dynamic Packet Filters 188
9.5 Distributed Firewalls 193
9.6 What Firewalls Cannot Do 194

10 Filtering Services 197
10.1 Reasonable Services to Filter 198
10.2 Digging for Worms 206
10.3 Services We Don't Like 207
10.4 Other Services 209
10.5 Something New 210
