



Handbook of Local Area Networks, 1998 Edition: LAN Security

The vulnerabilities described above are well-known and are, indeed, weaknesses in the protocols that are being (and, in some cases, have been) fixed. But some of the perceived “weaknesses” are part of TCP/IP’s design philosophy. Consider E-mail spoofing, shown in Exhibit 8-8-1. In this scenario, a user connects to the Simple Mail Transfer Protocol (SMTP) port at host mail.foo.com, identifies itself (ramp.able.net), and then sends mail reportedly from the President of the United States. Why does this work? Because SMTP does not verify the identity of the sender.

Exhibit 8-8-1.  Sample SMTP E-mail Dialogue

But is this a bug or a feature? As a “bug,” it lets anyone send mail pretending to be anyone else. As a “feature,” it allows a host to forward to another host mail that did not originate locally, providing a tremendous amount of flexibility and robustness. Again, recall that this capability was designed when the Internet was a smaller, safer place.

FIREWALLS

As suggested above, firewalls may be used to protect a local network from purposeful or accidental intrusions from the outside. Although most closely associated with the Internet, firewalls can be used for more protocols than just TCP/IP and, therefore, could have applicability to a variety of network interconnection scenarios.
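The SMTP scenario of Exhibit 8-8-1 seen from the receiving host, as an added example in Python (not the chapter's own code or dialogue). The host names mail.foo.com and ramp.able.net are the chapter's; the peer address 203.0.113.7, the forged sender address president@example.org, the recipient and the assumption that the LAN behind mail.foo.com is the chapter's 192.168.210.0 class C network are constructed for the example. The toy server behaves as the chapter describes: it accepts whatever HELO name and MAIL FROM address the client states, and the only fact it can vouch for is the address of the connecting peer, which it writes into the Received: header.

```python
"""Toy SMTP receiver for the chapter's E-mail spoofing scenario (Exhibit 8-8-1).

Added example, not the chapter's own code. Host names mail.foo.com and
ramp.able.net come from the chapter; the peer address, the forged sender
address and the LAN range are constructed for this example."""
import ipaddress

LOCAL_HOST = "mail.foo.com"      # the receiving SMTP host in the chapter's scenario
LOCAL_DOMAIN = "foo.com"
# Assumption: the LAN behind mail.foo.com uses the chapter's class C network.
INTERNAL_NETS = [ipaddress.ip_network("192.168.210.0/24")]


def run_smtp_session(peer_ip, client_lines):
    """Minimal server-side SMTP state machine driven by a client transcript.

    Returns (server_replies, session). Exactly as the chapter says, the server
    accepts whatever HELO name and MAIL FROM address the client states; the one
    fact it can vouch for is the peer address, which it writes into the
    Received: header next to the *claimed* HELO name.
    """
    replies = [f"220 {LOCAL_HOST} SMTP ready"]
    session = {"helo": None, "mail_from": None, "rcpt_to": [], "message": None}
    body, in_data = [], False
    for line in client_lines:
        if in_data:
            if line == ".":                       # end of message text
                in_data = False
                received = f"Received: from {session['helo']} ([{peer_ip}]) by {LOCAL_HOST}"
                session["message"] = "\n".join([received] + body)
                replies.append("250 OK: queued")
            else:                                 # undo dot-stuffing ("..x" -> ".x")
                body.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            session["helo"] = arg.strip()        # unverified claim
            replies.append(f"250 {LOCAL_HOST}")
        elif verb == "MAIL":                      # MAIL FROM:<addr>, unverified claim
            session["mail_from"] = arg.split(":", 1)[1].strip("<> ")
            replies.append("250 OK")
        elif verb == "RCPT":                      # RCPT TO:<addr>
            session["rcpt_to"].append(arg.split(":", 1)[1].strip("<> "))
            replies.append("250 OK")
        elif verb == "DATA":
            in_data = True
            replies.append("354 End data with <CR><LF>.<CR><LF>")
        elif verb == "QUIT":
            replies.append("221 Bye")
        else:
            replies.append("500 Command not recognised")
    return replies, session


def envelope_warnings(peer_ip, session):
    """Checks the receiving host can make by itself, using only the observed
    peer address: the envelope is a claim, the connection is a fact."""
    warnings = []
    peer = ipaddress.ip_address(peer_ip)
    internal = any(peer in net for net in INTERNAL_NETS)
    sender_domain = (session["mail_from"] or "").rpartition("@")[2].lower()
    if sender_domain == LOCAL_DOMAIN and not internal:
        warnings.append(f"sender claims local domain {LOCAL_DOMAIN} "
                        f"but the connection came from outside ({peer_ip})")
    if (session["helo"] or "").lower() == LOCAL_HOST:
        warnings.append("client introduced itself with this server's own name")
    return warnings


# Constructed transcript in the shape of Exhibit 8-8-1: an outside host that
# calls itself ramp.able.net hands mail.foo.com a message with a made-up sender.
PEER_IP = "203.0.113.7"   # constructed (documentation address range)
TRANSCRIPT = [
    "HELO ramp.able.net",
    "MAIL FROM:<president@example.org>",   # constructed forged sender
    "RCPT TO:<someone@foo.com>",
    "DATA",
    "From: president@example.org",
    "Subject: hello",
    "",
    "..this line began with a dot",
    ".",
    "QUIT",
]

if __name__ == "__main__":
    replies, session = run_smtp_session(PEER_IP, TRANSCRIPT)
    print("\n".join(replies))
    print(session["message"])
    print(envelope_warnings(PEER_IP, session) or "no local checks fired")
```

For the chapter's transcript no local check fires: nothing the receiver knows contradicts a sender in some other domain, which is the chapter's point. Only a forged sender in the receiver's own domain arriving from outside can be caught by the host alone. Later mechanisms (SPF, DKIM, DMARC) let a receiver check the claimed sender domain against policy the domain publishes in DNS; the Received: header with the peer address remains what tracing of a forged message relies on.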
For purposes of a LAN connected to the Internet, firewalls can be generally classified into three types:

•  Packet filters block packets based upon the protocol, address, and/or port identifier.
•  Application gateways filter traffic using application-specific rules.
•  Circuit gateways act as a TCP relay; an external remote host connects to a TCP port at the gateway and the gateway, in turn, establishes a TCP connection to the intended destination on the internal local network. One type of circuit gateway is a proxy server, which can act transparently as an agent for one or more services, allowing the real server(s) and real data to be protected while only exposing the proxy system.

In practice, more than one of these gateway types may be used together. Exhibit 8-8-2 shows one possible configuration of Internet information servers and firewall implementations. The user’s network is divided into two subnetworks, the so-called outside network and inside network. The outside network, or demilitarized zone (DMZ), only has public Internet information servers attached to it. These public servers are “sacrificial” systems because they do not contain critical information and do not provide access to the user’s inside network. The Bastion host (probably with proxy agents for all supported applications) acts as a gateway for all incoming and outgoing traffic between the user’s trusted systems (which are all attached to the inside network; the servers on the outside network are not trusted) and the Internet. This configuration provides a moderate level of security; both more and less secure (and costly) firewall/Bastion host/server configurations are possible.

Exhibit 8-8-2.  One Possible Configuration of Public and Private Internet Information Servers, a Firewall, and Corporate LAN

A detailed examination of firewalls is beyond the scope of this chapter, but it is instructive to describe some packet filtering rules because of the widespread use of this mechanism.
Packet filtering, most often implemented directly in the router connecting the LAN to the Internet, offers a deceptively simple protection mechanism; while it is easy to install a set of packet filtering rules, it is often difficult to define the correct set of rules in the first place. Exhibit 8-8-3 shows a small subset of packet filtering rules that might be implemented at a router. Each rule contains the following information:

•  Whether a packet matching the rule will be allowed through (permit) or blocked (deny).
•  Whether the rule applies to packets coming into the LAN from the outside (in) or going out from the LAN (out).
•  The protocol to which the rule applies (e.g., IP, TCP, UDP, ICMP).
•  The source address and, optionally, the port number indicating the higher layer application at the source, followed by the destination address and, optionally, the port number indicating the higher layer application at the destination. The addresses may refer to any 32-bit address (any) or to a specific IP address with an indication of the number of relevant bits to examine for this rule.
•  Flags, such as an indication of checking to be sure that a virtual circuit is already in place (estab).

Exhibit 8-8-3.  Sample Packet Filtering Rules for ICMP and World Wide Web Traffic

Given this information, how would the rules in Exhibit 8-8-3 be interpreted? In these examples, assume that the local network has an IP class C address² of 192.168.210.0 and that the network’s public WWW server has the address 192.168.210.5.

² Recall that an IPv4 address is 32 bits in length. In a class C address, the first 24 bits refer to the Network Identifier and the remaining 8 bits are the Host Identifier.

•  The first rule pair refers to the Internet Control Message Protocol (ICMP), a companion protocol to IP that notifies hosts of miscellaneous information or errors. This rule pair allows ICMP packets through the router in both directions; inbound packets can come from any IP host as long as they are addressed to some host in the 192.168.210.0 domain, and outbound packets can go to any IP host as long as they come from a host in the 192.168.210.0 domain.
•  The second rule pair allows any WWW packets (“eq www”) to come in from any Internet host as long as they are directed to the local Web host (192.168.210.5). In addition, the Web server can send WWW packets to the outside as long as the packet is part of a connection that has already been established; what this means is that the local server cannot initiate a connection to the outside but must respond to prompting from the outside (a security protection).
•  The final rule pair allows WWW traffic from any local host to any Web server on the Internet. Note that incoming WWW traffic is only allowed if the logical connection has been established, so that an external Web server cannot initiate a connection with an internal host; as above, this is a security consideration.
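The six rules of Exhibit 8-8-3, as the text describes them, encoded and evaluated over constructed packets in Python. This is an added example, not the chapter's own code or the exhibit's exact notation: the rule encoding, the first-match semantics with an implicit final deny, and the treatment of estab as a test of the TCP ACK bit (the usual meaning of a router's "established" keyword) are assumptions; the outside address 198.51.100.1 and the client port numbers are constructed. The address 192.168.210.0/24 and the Web server 192.168.210.5 are the chapter's.

```python
"""Stateless packet-filter evaluator for the rules of Exhibit 8-8-3.

Added example, not the chapter's code. Assumptions: first matching rule wins,
no match means deny, and "estab" means the TCP ACK bit is set."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

WWW = 80  # "eq www" in the chapter's rule notation


@dataclass(frozen=True)
class Rule:
    action: str              # "permit" or "deny"
    direction: str           # "in" (Internet -> LAN) or "out" (LAN -> Internet)
    proto: str               # "ip", "tcp", "udp" or "icmp"
    src: str                 # network in CIDR form, or "any"
    src_port: Optional[int]  # None = any port
    dst: str
    dst_port: Optional[int]
    estab: bool = False      # match only packets of a circuit already in place


@dataclass(frozen=True)
class Packet:
    direction: str
    proto: str
    src_ip: str
    src_port: Optional[int]
    dst_ip: str
    dst_port: Optional[int]
    ack: bool = False        # TCP ACK bit set (assumed meaning of estab)


def _addr_matches(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def _port_matches(spec, port):
    return spec is None or spec == port


def rule_matches(rule, pkt):
    """True when every field of the rule agrees with the packet."""
    if rule.direction != pkt.direction:
        return False
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if not (_addr_matches(rule.src, pkt.src_ip) and _addr_matches(rule.dst, pkt.dst_ip)):
        return False
    if not (_port_matches(rule.src_port, pkt.src_port) and _port_matches(rule.dst_port, pkt.dst_port)):
        return False
    if rule.estab and not pkt.ack:
        return False
    return True


def evaluate(rules, pkt):
    """Return (action, index of the matching rule); no match is an implicit deny."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "deny", None


LAN = "192.168.210.0/24"          # the chapter's class C network
WEB_SERVER = "192.168.210.5/32"   # the chapter's public WWW server

EXHIBIT_8_8_3 = [
    # First pair: ICMP through the router in both directions.
    Rule("permit", "in", "icmp", "any", None, LAN, None),
    Rule("permit", "out", "icmp", LAN, None, "any", None),
    # Second pair: anyone may reach the public Web server on the www port;
    # the server may only send www packets on an already established connection.
    Rule("permit", "in", "tcp", "any", None, WEB_SERVER, WWW),
    Rule("permit", "out", "tcp", WEB_SERVER, WWW, "any", None, estab=True),
    # Final pair: local hosts may reach any Web server; replies only if established.
    Rule("permit", "out", "tcp", LAN, None, "any", WWW),
    Rule("permit", "in", "tcp", "any", WWW, LAN, None, estab=True),
]

# Constructed packets: 198.51.100.1 stands in for an arbitrary Internet host.
OUTSIDE = "198.51.100.1"
SAMPLE_PACKETS = {
    "ping in": Packet("in", "icmp", OUTSIDE, None, "192.168.210.20", None),
    "client to our web server": Packet("in", "tcp", OUTSIDE, 40000, "192.168.210.5", WWW),
    "our web server replies": Packet("out", "tcp", "192.168.210.5", WWW, OUTSIDE, 40000, ack=True),
    "our web server initiates": Packet("out", "tcp", "192.168.210.5", WWW, OUTSIDE, 40000),
    "local host browses": Packet("out", "tcp", "192.168.210.20", 51000, OUTSIDE, WWW),
    "remote web server replies": Packet("in", "tcp", OUTSIDE, WWW, "192.168.210.20", 51000, ack=True),
    "remote web server initiates": Packet("in", "tcp", OUTSIDE, WWW, "192.168.210.20", 51000),
    "unsolicited udp": Packet("in", "udp", OUTSIDE, 53, "192.168.210.20", 53),
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:28s} -> {evaluate(EXHIBIT_8_8_3, pkt)}")
```

The evaluator reproduces the three interpretations given in the text: the server cannot initiate a connection outward, an external Web server cannot initiate a connection to an internal host, and anything no rule names is dropped. It also makes the limitation of estab visible: the router keeps no record of connections, so the check is only on a bit in the packet header, and a packet that merely has the ACK bit set satisfies it. Stateful inspection, which tracks the connections it has actually seen, closes that gap.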


