
4.3 NETWORK FIREWALL

The purpose of a network firewall is to provide a shell around the network which will protect the systems connected to the network from various threats. The types of threats a firewall can protect against include

·    Unauthorized access to network resources: an intruder may break into a host on the network and gain unauthorized access to files.

·    Denial of service: an individual from outside of the network could, for example, send thousands of mail messages to a host on the net in an attempt to fill available disk space or load the network links.

·    Masquerading: electronic mail appearing to have originated from one individual could have been forged by another with the intent to embarrass or cause harm.

A firewall can reduce risks to network systems by filtering out inherently insecure network services. Network File System (NFS) services, for example, could be prevented from being used from outside of a network by blocking all NFS traffic to or from the network. This protects the individual hosts while still allowing the service, which is useful in a LAN environment, on the internal network. One way to avoid the problems associated with network computing would be to completely disconnect an organization's internal network from any other external system. This, of course, is not the preferred method. Instead what is needed is a way to filter access to the network while still allowing users access to the “outside world”.

In this configuration, the internal network is separated from external networks by a firewall gateway. A gateway is normally used to perform relay services between two networks. In the case of a firewall gateway, it also provides a filtering service which limits the types of information that can be passed to or from hosts located on the internal network. There are three basic techniques used for firewalls: packet filtering, circuit gateways, and application gateways. Often, more than one of these is used to provide the complete firewall service.

Several firewall configuration schemes are used in practice for inter-network security. They usually use the following terminology.

·    Screening router: it can be a commercial router or a host-based router with some kind of packet filtering capability.

·    Bastion host: it is a system identified by the firewall administrator as a critical strong point in the network security.

·    Dual-homed gateway: some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding.

·    Screened-host gateway: it is possibly the most common firewall configuration. This is implemented using a screening router and a bastion host.

·    Screened subnet: an isolated subnet is situated between the Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering.

·    Application-level gateway: it is also called a proxy gateway and usually operates at a user level rather than the lower protocol level common to the other firewall techniques.

KEYWORDS

·    gateway (网关)

·    circuit gateway (电路网关)

·    packet filtering (包过滤器)

·    screening router (屏蔽路由器)

·    application-level gateway (应用级网关)

·    bastion host (堡垒主机)

·    screened subnet (屏蔽子网)

·    dual-homed gateway (双宿主网关)

·    screened-host gateway (屏蔽主机网关)

·    proxy gateway (代理网关)

NOTES

1. gateway: a device that connects networks based on different communication protocols so that files can be transferred between those networks. Besides transmitting information, a gateway can also convert it into a form recognized by the protocol used on the receiving network.

2. packet filtering: the process of controlling network access based on IP addresses. Firewalls often contain filters that allow or deny users entry to or exit from the LAN. Depending on a packet's origin, a packet filter is also used to accept or discard packets such as e-mail, to ensure the security of a private network.

3. router: an intermediate device in a communication network used to speed up message delivery. In a network of computers with many possible connection paths, a router can receive transmitted messages and forward them to the correct destination along the most efficient available path. In a group of interconnected LANs that use the same communication protocol, a router can act as the connection between LANs, so that messages can be sent from one LAN to another.

4. firewall: a security system that protects an organization's network against threats such as hackers. These threats come from other, external networks such as the Internet. A firewall prevents computers on the organization's internal network from communicating directly with computers on external networks, and prevents computers on external networks from communicating directly with internal computers. Its principle is as follows: all communication passes through a proxy server outside the organization's network, which decides whether a given message or file is safe to pass on to the organization's network.

EXERCISES

Fill in the blanks with appropriate terms or phrases.

1. The purpose of a network firewall is to protect the systems connected to the network from ________.

2. An intruder may break into a host on the network; this action is called ________.

3. An attempt to fill available disk space or load the network links can cause ________.

4. A firewall can ________ out inherently insecure network services.

5. A firewall gateway is used to separate the internal network from ________.

6. There are three basic techniques used for firewalls: ________.

7. A system that is identified by the firewall administrator as a critical strong point in the network security is a ________.

8. A firewall implemented by a screening router and a bastion host is called a ________.

9. A system that is placed on both the private network and the Internet and blocks TCP/IP forwarding is a ________.

10. An isolated subnet that is situated between the Internet and the private network is a ________.

A. filtering

B. dual-homed gateway

C. packet filtering, circuit gateway and application gateway

D. various threats

E. bastion host

F. unauthorized access

G. screened subnet

H. external networks

I. screened-host gateway

J. denial of service

READING MATERIALS

Trojan horse

The world of malicious software is often divided into two types: viral and nonviral. Viruses are little bits of code that are buried in other codes. When the “host” codes are executed, the viruses replicate themselves and may attempt to do something destructive. In this, they behave much like biological viruses.

Worms are a kind of computer parasite considered to be part of the viral camp because they replicate and spread from computer to computer.

As with viruses, a worm's malicious act is often the very act of replication; they can overwhelm computer infrastructures by generating massive numbers of e-mails or requests for connections that servers can't handle.

Worms differ from viruses, though, in that they aren't just bits of code that exist in other files. They could be whole files: an entire Excel spreadsheet, for example. They replicate without the need for another program to be run.

Remote administration Trojans (RATs) are an example of another kind of nonviral malicious software, the Trojan horse, or more simply Trojan. The purpose of these programs isn't replication, but to penetrate and control. They masquerade as one thing when in fact they are something else, usually something destructive.

There are a number of kinds of Trojans, including spybots, which report on the Web sites a computer user visits, and keybots or keyloggers, which record and report the user's keystrokes in order to discover passwords and other confidential information.

RATs attempt to give a remote intruder administrative control of an infected computer. They work as client/server pairs. The server resides on the infected machine, while the client resides elsewhere, across the network, where it's available to a remote intruder.

Using standard TCP/IP or UDP protocols, the client sends instructions to the server. The server does what it's told to do on the infected computer.

Trojans, including RATs, are usually downloaded inadvertently by even the most savvy users. Visiting the wrong Web site or clicking on the wrong hyperlink invites the unwanted Trojan in. RATs install themselves by exploiting weaknesses in standard programs and browsers.

Once they reside on a computer, RATs are hard to detect and remove. For Windows users, simply pressing Ctrl+Alt+Delete won't expose RATs, because they operate in the background and don't appear in the task list.

Some especially nefarious RATs have been designed to install themselves in such a way that they're very difficult to remove even after they're discovered.

For example, a variant of the Back Orifice RAT called G_Door installs its server as Kernel32.exe in the Windows system directory, where it's active and locked and controls the registry keys.

The active Kernel32.exe can't be removed, and a reboot won't clear the registry keys. Every time an infected computer starts, Kernel32.exe will be restarted, and the program will be active and locked.

Some RAT servers listen on known or standard ports. Others listen on random ports, telling their clients which port and which IP address to connect to by e-mail.

Even computers that connect to the Internet through Internet service providers, which are often thought to offer better security than static broadband connections, can be susceptible to control from such RAT servers.

The ability of RAT servers to initiate connections can also allow some of them to evade firewalls. An outgoing connection is usually permitted. Once a server contacts a client, the client and server can communicate, and the server begins following the instructions of the client.

Legitimate tools are used by systems administrators to manage networks for a variety of reasons, such as logging employee usage and downloading program upgradesfunctions that are remarkably similar to those of some remote administration Trojans. The distinction between the two can be quite narrow. A remote administration tool used by an intruder becomes a RAT.

In April 2001, an unemployed British systems administrator named Gary McKinnon used a legitimate remote administration tool known as Remotely Anywhere to gain control of computers on a U.S. Navy network.

By hacking a few unguarded passwords on the target computers and using illegal copies of Remotely Anywhere, McKinnon was able to break into the Navy's network and use the remote administration tool to steal information and delete files and logs. The fact that McKinnon launched the attack from his girlfriend's e-mail account left him vulnerable to detection.

Some of the famous RATs are variants of Back Orifice; they include Netbus, SubSeven, Bionet and Hack'a'tack. These RATs tend to be families more than single programs. Hackers morph them into a vast array of Trojans with similar capabilities.

HOME NETWORK SECURITY

1. Computer Security

(1) Who would want to break into my computer at home?

Intruders (also referred to as hackers, attackers, or crackers) may not care about your identity. Often they want to gain control of your computer so they can use it to launch attacks on other computer systems.

Having control of your computer gives them the ability to hide their true location as they launch attacks, often against high-profile computer systems such as government or financial systems. Even if you have a computer connected to the Internet only to play the latest games or to send e-mail to friends and family, your computer may be a target.

Intruders may be able to watch all your actions on the computer, or cause damage to your computer by reformatting your hard drive or changing your data.

(2) How easy is it to break into my computer?

Unfortunately, intruders are always discovering new vulnerabilities (informally called “holes”) to exploit in computer software. The complexity of software makes it increasingly difficult to thoroughly test the security of computer systems.

When holes are discovered, computer vendors will usually develop patches to address the problem. However, it is up to you, the user, to obtain and install the patches, or correctly configure the software to operate more securely. Most of the incident reports of computer break-ins received at the CERT/CC could have been prevented if system administrators and users kept their computer up-to-date with patches and security fixes.

Also, some software applications have default settings that allow other users to access your computer unless you change the settings to be more secure. Examples include chat programs that let outsiders execute commands on your computer or web browsers that could allow someone to place harmful programs on your computer that run when you click on them.

2. Computer Security Risks to Home Users

(1) What is at risk?

Information security is concerned with three main areas:

·    Confidentiality: information should be available only to those who rightfully have access to it.

·    Integrity: information should be modified only by those who are authorized to do so.

·    Availability: information should be accessible to those who need it.

These concepts apply to home Internet users just as much as they would to any corporate or government network. You probably wouldn't let a stranger look through your important documents. In the same way, you may want to keep the tasks you perform on your computer confidential, whether it's tracking your investments or sending e-mail messages to family and friends. Also, you should have some assurance that the information you enter into your computer remains intact and is available when you need it.

Some security risks arise from the possibility of intentional misuse of your computer by intruders via the Internet. Others are risks that you would face even if you weren't connected to the Internet (e.g. hard disk failures, theft, power outages). The bad news is that you probably cannot plan for every possible risk. The good news is that you can take some simple steps to reduce the chance that you'll be affected by the most common threats, and some of those steps help with both the intentional and accidental risks you're likely to face.

Before we get to what you can do to protect your computer or home network, let us take a closer look at some of these risks.

(2) Intentional misuse of your computer.

The most common methods used by intruders to gain control of home computers are briefly described below. More detailed information is available by reviewing the URLs listed in the References section below.

·    Trojan horse programs.

·    Back door and remote administration programs.

·    Denial of service.

·    Being an intermediary for another attack.

·    Unprotected Windows shares.

·    Mobile code (Java, JavaScript, and ActiveX).

·    Cross-site scripting.

·    E-mail spoofing.

·    E-mail-borne viruses.

·    Hidden file extensions.

·    Chat clients.

·    Packet sniffing.

(3) Accidents and other risks.

In addition to the risks associated with connecting your computer to the Internet, there are a number of risks that apply even if the computer has no network connections at all. Most of these risks are well known, so we won't go into much detail in this document, but it is important to note that the common practices associated with reducing these risks may also help reduce susceptibility to the network-based risks discussed above.

·    Disk failure: Recall that availability is one of the three key elements of information security. Although all stored data can become unavailable if the media it's stored on is physically damaged, destroyed, or lost, data stored on hard disks is at higher risk due to the mechanical nature of the device. Hard disk crashes are a common cause of data loss on personal computers. Regular system backups are the only effective remedy.

·    Power failure and surges: Power problems (surges, blackouts, and brown-outs) can cause physical damage to a computer, including a hard disk crash or other harm to the electronic components of the computer. Common mitigation methods include using surge suppressors and uninterruptible power supplies (UPS).

·    Physical theft: Physical theft of a computer, of course, results in the loss of confidentiality and availability, and (assuming the computer is ever recovered) makes the integrity of the data stored on the disk suspect. Regular system backups (with the backups stored somewhere away from the computer) allow for recovery of the data, but backups alone cannot address confidentiality. Cryptographic tools are available that can encrypt data stored on a computer's hard disk. The CERT/CC encourages the use of these tools if the computer contains sensitive data or is at high risk of theft (e.g. laptops or other portable computers).

3. Actions Home Users Can Take to Protect Their Computer Systems

The CERT/CC recommends the following practices to home users:

·    Consult your system support personnel if you work from home.

·    Use virus protection software.

·    Use a firewall.

·    Don't open unknown e-mail attachments.

·    Don't run programs of unknown origin.

·    Disable hidden filename extensions.

·    Keep all applications (including your operating system) patched.

·    Turn off your computer or disconnect from the network when not in use.

·    Disable Java, JavaScript, and ActiveX if possible.

·    Disable scripting features in e-mail programs.

·    Make regular backups of critical data.

·    Make a boot disk in case your computer is damaged or compromised.

Firewall

When you connect your LAN to the Internet, you are enabling your users to touch and communicate with the outside world. At the same time, however, you are enabling the outside world to touch and interact with your LAN. Firewalls are just a modern adaptation of that old medieval security standby: digging a deep moat around your castle. This design forced everyone entering or leaving the castle to pass over a single drawbridge, where they could be inspected by the I/O police. With networks, the same trick is possible: a company can have many LANs connected in arbitrary ways, but all traffic to or from the company is forced through an electronic drawbridge (firewall).

Basically, a firewall is a standalone process or a set of integrated processes that runs on a router or server to control the flow of networked application traffic passing through it. Typically, firewalls are placed at the entry point to a public network such as the Internet. They could be considered traffic cops. The firewall's role is to enforce the organization's security policies. Primarily these systems are TCP/IP based and, depending on the implementation, can enforce security roadblocks as well as provide administrators with answers to the following questions:

·    Who's been using my network?

·    What were they doing on my network?

·    When were they using my network?

·    Where were they going on my network?

·    Who failed to enter my network?
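The five questions above are answered from the firewall's own log. The script below, added here as an illustration and not part of the original text, parses a constructed log format (timestamp, verdict, protocol, source, destination:port) and summarizes who used the network, which services they reached, when, where they went, and who was refused.

```python
"""Firewall-log summary for the five administrator questions.
Added example; the log format and all entries are constructed."""
import re
from collections import Counter

# Constructed sample log: one line per filtering decision.
SAMPLE_LOG = """\
2001-04-12 09:58:02 ALLOW tcp 10.1.2.3 -> 203.0.113.5:80
2001-04-12 09:58:40 ALLOW tcp 10.1.2.3 -> 203.0.113.5:443
2001-04-12 10:02:11 DENY tcp 198.51.100.9 -> 10.1.2.3:23
2001-04-12 10:02:12 DENY tcp 198.51.100.9 -> 10.1.2.4:23
2001-04-12 10:15:30 ALLOW tcp 10.1.2.7 -> 192.0.2.10:25
2001-04-12 10:16:05 DENY udp 198.51.100.9 -> 10.1.2.3:2049
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<verdict>ALLOW|DENY) (?P<proto>tcp|udp) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Turn log text into a list of dicts; lines that do not fit the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["dport"] = int(entry["dport"])
            entries.append(entry)
    return entries


def summarize(entries):
    """Answer the five questions: who, what, when, where, and who failed."""
    allowed = [e for e in entries if e["verdict"] == "ALLOW"]
    denied = [e for e in entries if e["verdict"] == "DENY"]
    return {
        # Who's been using my network? (sources of permitted traffic)
        "who": sorted({e["src"] for e in allowed}),
        # What were they doing? (services reached, keyed by protocol/port)
        "what": Counter(f'{e["proto"]}/{e["dport"]}' for e in allowed),
        # When were they using it? (first and last permitted connection)
        "when": (min(e["ts"] for e in allowed), max(e["ts"] for e in allowed)) if allowed else None,
        # Where were they going? (destinations of permitted traffic)
        "where": sorted({e["dst"] for e in allowed}),
        # Who failed to enter? (sources of refused traffic, with attempt counts)
        "who_failed": Counter(e["src"] for e in denied),
    }


if __name__ == "__main__":
    for question, answer in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{question}: {answer}")
```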

In general, there are three types of firewall implementations, some of which can be used together to create a more secure environment. These implementations are: packet filtering, application proxies, and circuit-level or generic-application proxies.

Packet filtering is often achieved in the router itself. Application proxies, on the other hand, usually run on standalone servers. Proxy services take a different approach than packet filters, using a (possibly) modified client program that connects to a special intermediate host that actually connects to the desired service. 

(1) Packet Filtering.

Consider your network data a neat little package that you have to deliver somewhere. This data could be part of an e-mail, file transfer, etc. With packet filtering, you have access to deliver the package yourself. The packet filter acts like a traffic cop; it analyzes where you are going and what you are bringing with you. However, the packet filter does not open the data package, and you still get to drive it to the destination allowed.

Most commercial routers have some kind of built-in packet filtering capability. However, some routers that are controlled by ISPs may not offer administrators the ability to control the configuration of the router. In those cases, administrators may opt to use a standalone packet filter behind the router.

Either way, an administrator needs to understand how to identify data packages in terms the packet filter can understand. Since all Internet traffic is based on IP (Internet Protocol), each application or “package” can be identified through a specific TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) port. These ports are registered and defined in RFC (Request for Comments) 1700, which can be found on the Internet. For example, port 23 is for Telnet. A company could block incoming packets for all IP addresses combined with port 23. In this way, no one outside the company could log in via Telnet.
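The packet-filter decision described in this section and in the earlier NFS example (block inbound Telnet on port 23, keep NFS on port 2049 from crossing the firewall, let users reach the outside world) is worked through below. This is an added example, not code from the original text or from any router product; the internal network 10.0.0.0/8 and the packets are constructed for illustration.

```python
"""Ordered packet-filter rule engine in the style of a screening router.
Added example; internal network and sample packets are constructed.
Telnet (23) and NFS (2049) are the standard registered port numbers."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed private LAN behind the firewall


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp" or "udp"
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port: the label the filter reads without opening the package


@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    proto: Optional[str] = None      # None matches either protocol
    direction: Optional[str] = None  # "inbound", "outbound" or None for both
    dport: Optional[int] = None      # None matches any destination port

    def matches(self, pkt: Packet, direction: str) -> bool:
        return ((self.proto is None or self.proto == pkt.proto)
                and (self.direction is None or self.direction == direction)
                and (self.dport is None or self.dport == pkt.dport))


def direction_of(pkt: Packet) -> str:
    """Classify a packet relative to the screened internal network."""
    src_in = ipaddress.ip_address(pkt.src) in INTERNAL
    dst_in = ipaddress.ip_address(pkt.dst) in INTERNAL
    if dst_in and not src_in:
        return "inbound"
    if src_in and not dst_in:
        return "outbound"
    return "other"  # purely internal or purely external traffic


# Ordered rule set: the first matching rule wins; the last rule is the default.
RULES: List[Rule] = [
    Rule("deny", dport=2049),                                   # NFS never crosses the firewall
    Rule("deny", proto="tcp", direction="inbound", dport=23),   # no Telnet logins from outside
    Rule("allow", proto="tcp", direction="inbound", dport=25),  # mail may reach the internal relay
    Rule("allow", direction="outbound"),                        # users keep access to the outside world
    Rule("deny"),                                               # default deny for everything else
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for one packet under the ordered rule set."""
    direction = direction_of(pkt)
    for rule in rules:
        if rule.matches(pkt, direction):
            return rule.action
    return "deny"  # unreachable while a default rule is present; kept as a safe fallback


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.7", "10.1.2.3", 23),    # inbound Telnet attempt
        Packet("tcp", "10.1.2.3", "203.0.113.7", 23),    # outbound Telnet from a user
        Packet("udp", "10.1.2.3", "203.0.113.7", 2049),  # NFS leaving the network
        Packet("tcp", "203.0.113.7", "10.1.2.3", 25),    # inbound mail
    ]
    for p in samples:
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {filter_packet(p)}")
```

Rule order matters: the NFS deny sits before the blanket outbound allow, so it applies in both directions.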

(2) Application Proxy.

To understand the application proxy, consider again the scenario where you need to deliver your neat little package of network data. With application-level proxies, the scenario is similar, but now you need to rely on someone else to deliver the package for you. Hence the term proxy describes the new scenario. The same rules apply as they do for packet filtering, except that you don't get to deliver your package past the gate. Someone will do it for you, but that agent needs to look inside the package first to confirm its contents. If the agent has permission to deliver the contents of the package for you, he will.

Most commercial routers do not have proxy capabilities today, although we believe that proxy technology will be integrated with router code in the future. Until then, you need to rely on a standalone system that can support application-level proxy services.

Since an application proxy needs to communicate on behalf of the sender, it needs to understand the specific language or protocols associated with a particular application. Take as an example the widely used HTTP (Hypertext Transfer Protocol) proxy. If you are using a browser on your network, it is highly likely that your IS group has an HTTP proxy configured to allow you to access the Web via a central server. That single machine understands HTTP conversations and can speak on behalf of the requesting client. This is application-level proxy. 

Of course, security and encryption also come into play, since the proxy must be able to open the “package” to look at or decode its contents. These are important issues obviously, but to do them justice would require another article.

(3) Circuit-Level or Generic-Application Proxy.

As with application-level proxies, you need to rely on someone to deliver for you. The difference is that if these circuit-level proxies have access to your requested destination, they will. They do not need to know what is inside.

Circuit-level proxies (specifically SOCKS) work outside of the application layers of the protocol. These servers allow clients to pass through this centralized service and connect to the requested destination; they record the source address of connection requests and can block unauthorized clients from connecting out. Client programs are made SOCKS-aware by recompiling and linking them with a SOCKS client library; DLL-based TCP stacks can use shims, eliminating the need to recompile.