The vulnerabilities described above are well-known and are, indeed, weaknesses in the protocols that are being (and, in some cases, have been) fixed. But some of the perceived weaknesses are part of TCP/IP's design philosophy. Consider e-mail spoofing, shown in Exhibit 8-8-1. In this scenario, a user connects to the Simple Mail Transfer Protocol (SMTP) port at host mail.foo.com, identifies itself (ramp.able.net), and then sends mail reportedly from the President of the United States. Why does this work? Because SMTP does not verify the identity of the sender.
But is this a bug or a feature? As a bug, it lets anyone send mail pretending to be anyone else. As a feature, it allows a host to forward to another host mail that did not originate locally, providing a tremendous amount of flexibility and robustness. Again, recall that this capability was designed when the Internet was a smaller, safer place.

FIREWALLS

As suggested above, firewalls may be used to protect a local network from purposeful or accidental intrusions from the outside. Although most closely associated with the Internet, firewalls can be used for more protocols than just TCP/IP and, therefore, could have applicability to a variety of network interconnection scenarios. For purposes of a LAN connected to the Internet, firewalls can be generally classified into three types:
In practice, more than one of these gateway types may be used together. Exhibit 8-8-2 shows one possible configuration of Internet information servers and firewall implementations. The user's network is divided into two subnetworks, the so-called outside network and inside network. The outside network, or demilitarized zone (DMZ), only has public Internet information servers attached to it. These public servers are sacrificial systems: they contain no critical information and provide no access to the user's inside network, so their compromise is contained. The Bastion host (probably with proxy agents for all supported applications) acts as a gateway for all incoming and outgoing traffic between the user's trusted systems (which are all attached to the inside network; the servers on the outside network are not trusted) and the Internet. This configuration provides a moderate level of security; both more and less secure (and costly) firewall/Bastion host/server configurations are possible.
A detailed examination of firewalls is beyond the scope of this chapter, but it is instructive to describe some packet filtering rules because of the widespread use of this mechanism. Packet filtering, most often implemented directly in the router connecting the LAN to the Internet, offers a deceptively simple protection mechanism; while it is easy to install a set of packet filtering rules, it is often difficult to define the correct set of rules in the first place. Exhibit 8-8-3 shows a small subset of packet filtering rules that might be implemented at a router. Each rule contains the following information:
Given this information, how would the rules in Exhibit 8-8-3 be interpreted? In these examples, assume that the local network has an IP class C address of 192.168.210.0 and that the network's public WWW server has the address 192.168.210.5.
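The following is an added example, not code from the chapter, that shows how a router's packet filtering rules are evaluated in first-match order against the addresses assumed above. The rule set is constructed for illustration and is not Exhibit 8-8-3; it admits inbound HTTP to the public WWW server, drops inbound packets that claim a local source address (spoofing), permits outbound TCP from the local network, and denies everything else by default.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LOCAL_NET = "192.168.210.0/24"      # class C network assumed in the text
WWW_SERVER = "192.168.210.5/32"     # public WWW server assumed in the text


def _addr_in(spec: str, addr: str) -> bool:
    """True if addr falls within spec ("any" matches every address)."""
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)


@dataclass
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "in" (from the Internet), "out" (to it) or "any"
    src: str               # source network in CIDR form, or "any"
    dst: str               # destination network in CIDR form, or "any"
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, or None for any port

    def matches(self, pkt: dict) -> bool:
        if self.direction != "any" and self.direction != pkt["direction"]:
            return False
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if self.dport is not None and self.dport != pkt["dport"]:
            return False
        return _addr_in(self.src, pkt["src"]) and _addr_in(self.dst, pkt["dst"])


# Constructed rule set (hypothetical, not the chapter's exhibit). Order matters:
# the anti-spoofing rule must precede the permit for the WWW server.
RULES = [
    Rule("deny",   "in",  LOCAL_NET, "any",      "any", None),  # inbound, local src: spoofed
    Rule("permit", "in",  "any",     WWW_SERVER, "tcp", 80),    # public WWW service
    Rule("permit", "out", LOCAL_NET, "any",      "tcp", None),  # outbound TCP from inside
    Rule("deny",   "any", "any",     "any",      "any", None),  # explicit default deny
]


def evaluate(rules, pkt: dict):
    """First matching rule wins; returns (action, rule index). No match means deny."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None


def packet(direction, src, dst, proto="tcp", dport=None) -> dict:
    """Build a constructed packet header for evaluation."""
    return {"direction": direction, "src": src, "dst": dst, "proto": proto, "dport": dport}
```

Note that this filter is stateless: it cannot tell a legitimate reply from an unsolicited inbound packet, which is one reason the chapter warns that defining the correct rule set is harder than installing one.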
Use of this site is subject to certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Please read our privacy policy for details.