
Security Basics

Table of Contents

Introduction

Firewalls

Basic Firewalls

Three-Legged Firewalls

Belt-and-Suspenders Firewalls

Introduction

Information Security is the never-ending struggle to protect data and resources held in computers from those who would gain illicit access to them. Access can be obtained through any number of methods, both technical and non-technical. Some of the sexier technical means include password theft, password cracking, buffer overflows, data-embedded scripting, viruses, worms, trojan horses, race conditions, and back-channel communications. Non-technical means of breaking in can be just as effective, and include methods such as dumpster diving and social engineering.

The profession is very much like an arms race. In this race, white-hat and black-hat hackers alike are constantly striving to outpace one another. As vulnerabilities and weaknesses are discovered, patches and work-arounds must be implemented. It is a never-ending cycle of measure and countermeasure.

A lot of hackers spend their time finding means to break the security of a computer system. Whether these means are as simple as an exposed configuration file or as complex as a buffer overflow, in the end a vulnerability is a method of getting the software to do something the designer did not intend it to do, but told it to do nonetheless.

What one does with those vulnerabilities describes the hacker in question. If s/he submits those vulnerabilities to the vendor, gives them time to produce publicly available patches, and then posts to the security community for general awareness, that hacker wears a white hat. If s/he uses the vulnerability to gain illicit access to systems running the vulnerable software, then that hacker is a black hat, and should be called a cracker.

Firewalls

Firewalls are network security devices that control whether or not traffic can pass from one network to another. Different firewalls have varying levels of sophistication and intelligence, and the ways to deploy firewalls to protect network environments are many and varied. This web page will delineate some of the types of firewalls, the ways to deploy them, and the implications of each.

Please note that this page assumes understanding of TCP/IP.


Basic Firewalls

The most elementary firewall deployment possible is one where a single system has two networks attached to it and filters the traffic between them, as seen in the diagram. A typical example of this kind of set up is a home network running a dynamic NAT firewall. NAT stands for Network Address Translation. In this environment multiple computers exist on the Intranet, and they all access the Internet through the firewall. When they send their traffic out to the Internet, however, the firewall catches it, does dynamic NATing on it, and passes it on its way.

The dynamic NATing operation is where a firewall strips out the source IP address of the original packet sent from the system on the Intranet, replaces it with the IP address of the firewall on the Internet interface, and sends the packet on its way. When the Internet host replies to the traffic, the reply has a destination address of the firewall's Internet IP. Upon receiving the packet, the firewall again translates the address, this time making the destination address that of the Intranet system which started the conversation. Firewalls using dynamic NAT have internal logic that tracks which packets returning from the Internet belong to which TCP conversation, by tracking source IP, destination IP, source port, and destination port, as well as the sequence numbers involved.

It is a convention in this type of set up to choose an RFC1918 address space for the internal network.

In this sort of set up, no inbound connections can be initiated from the Internet unless the firewall does port redirection. Port redirection is when a firewall listens for connections on a given port (UDP or TCP) on its own interface. When traffic is received on that port, it is redirected out the other interface to a specified system on the other network. Neither party is aware that this change has taken place; each thinks it is talking to the firewall's IP on its own network.
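The two mechanisms just described, dynamic NAT with connection tracking and port redirection, can be modelled in a few dozen lines. The following is an added illustration written for this page, not code from the original site: the class and method names are my own, every address, port and packet is a constructed sample value, and the model keys only on the four-tuple plus protocol (a real firewall also tracks TCP state and sequence numbers, as the text notes). It shows why an unsolicited inbound packet is dropped while a tracked reply and a redirected port get through.

```python
"""Toy model of a basic (two-legged) dynamic NAT firewall with connection
tracking and port redirection. Added illustration, not code from the page;
all addresses, ports and packets are constructed sample values."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    """The header fields a NAT device keys on (TCP state is omitted here)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class DynamicNatFirewall:
    def __init__(self, external_ip, internal_prefix, redirects=None):
        self.external_ip = external_ip          # address on the Internet interface
        self.internal_prefix = internal_prefix  # e.g. "192.168.1." (RFC 1918 space)
        # Port redirection: (proto, external port) -> (internal host, internal port)
        self.redirects = dict(redirects or {})
        # Connection tracking table, kept in both directions.
        self.by_flow = {}   # (proto, src_ip, src_port, dst_ip, dst_port) -> ext port
        self.by_ext = {}    # (proto, ext port) -> that flow tuple
        self.next_port = 40000

    def _is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def _alloc_port(self, proto):
        # Pick the next unused external port, never stepping on a redirected one.
        while ((proto, self.next_port) in self.by_ext
               or (proto, self.next_port) in self.redirects):
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def outbound(self, pkt):
        """Intranet -> Internet: replace the source with the firewall's own address."""
        if not self._is_internal(pkt.src_ip):
            return None  # not from the Intranet: drop rather than NAT a spoofed source
        flow = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        ext_port = self.by_flow.get(flow)
        if ext_port is None:
            ext_port = self._alloc_port(pkt.proto)
            self.by_flow[flow] = ext_port
            self.by_ext[(pkt.proto, ext_port)] = flow
        return replace(pkt, src_ip=self.external_ip, src_port=ext_port)

    def inbound(self, pkt):
        """Internet -> Intranet: only tracked replies and redirected ports get through."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = (pkt.proto, pkt.dst_port)
        flow = self.by_ext.get(key)
        if flow is not None:
            _, int_ip, int_port, peer_ip, peer_port = flow
            # A reply must come from the peer the inside host actually contacted;
            # a real firewall would also check TCP sequence numbers and state.
            if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
                return None
            return replace(pkt, dst_ip=int_ip, dst_port=int_port)
        if key in self.redirects:
            host, port = self.redirects[key]
            return replace(pkt, dst_ip=host, dst_port=port)
        return None  # unsolicited inbound connection: dropped


def demo():
    """Walk one conversation and one redirected connection through the firewall."""
    fw = DynamicNatFirewall("203.0.113.5", "192.168.1.",
                            redirects={("tcp", 8080): ("192.168.1.20", 80)})
    out = fw.outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 443))
    reply = fw.inbound(Packet("198.51.100.7", 443, "203.0.113.5", out.src_port))
    unsolicited = fw.inbound(Packet("198.51.100.9", 33000, "203.0.113.5", 22))
    redirected = fw.inbound(Packet("198.51.100.9", 33001, "203.0.113.5", 8080))
    return out, reply, unsolicited, redirected


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The anti-spoofing drop in `outbound` and the peer check in `inbound` are the parts worth copying into a real rule set: a NAT table that does not verify the reply's source is a hole, and one that NATs any source address turns the firewall into an open relay for the Intranet side.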

This set up offers the least possible security for the Intranet environment, particularly if any ingress is allowed. Should the firewall, or any system which offers a service to systems out on the Internet, be compromised, all hosts on the Intranet are vulnerable to further attack by the intruder, who can now use the compromised host as a jumping-off point.

In spite of that consideration, this set up can be quite safe for home networks if no services are offered. If any services are offered, then they should be source-restricted to the fewest possible trusted parties. Even with no Internet ingress, home users should be wary, always run anti-virus software, and monitor their firewall logs. If someone should compromise the network, they will likely try to jump back out to the Internet and attempt to compromise other hosts.


Three-Legged Firewalls

This next type of firewall environment includes the addition of a new network to the topology. The new network is termed a DMZ, or DeMilitarized Zone. Some people refer to it as the Demarcation Zone. In either case, the concept is of a network which is partially accessible from the outside world and has limited access to the inside world of the Intranet. It is an environment which is not entirely trusted by the owner. As few systems as possible are placed within this environment, and these systems are viewed with some suspicion and distrust. Businesses and advanced home users might use this environment.

The purpose of this network is to protect the Intranet from external parties by placing a buffering network between them. The choice to place this buffering network on the same firewall as the internal network does represent an increased security risk, but it also helps to keep down the cost of the overall security solution.

The systems that would be placed in here are those which are absolutely required for external access, such as web servers, mail servers, and DNS servers. As much as is possible, these hosts should be stripped down, equipped with additional host-level security devices, and checked on a regular basis for strange activity. Most of these systems would, by necessity, have limited access to the internal network. Web servers might have access to databases, mail servers might have access to internal mail servers, and so forth. Access should be granted only by necessity. Using RFC 1918 address space in the DMZ is still customary, but requires static NAT rather than dynamic.

Static NAT is much simpler than dynamic NAT. The firewall doing the NAT operation has a list of IP addresses on one network which translate into different addresses on the second network. The list is bidirectional. Each host on one side of the firewall is known to the other side by the NAT alias that the firewall provides on that side's interface. The hosts involved have no indication that a change is taking place, unless the NAT is misconfigured.
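The three-legged layout and the static NAT described above fit together as a default-deny policy between three zones, with the DMZ hosts reachable only through their one-to-one public aliases and allowed into the Intranet only for the specific service each needs. The following is an added illustration written for this page, not code from the original site: the zones, rule set, host roles and all addresses are constructed sample values, and the class names are my own. It also encodes the misconfiguration the text warns about, rejecting a static NAT list that maps two private hosts to the same public address, since replies to that alias could only ever reach one of them. Intranet-to-Internet traffic would use dynamic NAT and is left out of this model.

```python
"""Toy three-legged firewall: 1:1 static NAT for DMZ hosts and a default-deny
policy between the Internet, DMZ and Intranet zones. Added illustration, not
code from the page; zones, rules and addresses are constructed samples."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class StaticNat:
    """Bidirectional list: DMZ private address <-> public alias."""

    def __init__(self, private_to_public):
        publics = list(private_to_public.values())
        # Two private hosts sharing one public alias is the classic
        # misconfiguration: inbound packets could only reach one of them.
        if len(set(publics)) != len(publics):
            raise ValueError("static NAT mapping must be one-to-one")
        self.priv_to_pub = dict(private_to_public)
        self.pub_to_priv = {pub: priv for priv, pub in private_to_public.items()}

    def outbound(self, pkt):
        pub = self.priv_to_pub.get(pkt.src_ip)
        return replace(pkt, src_ip=pub) if pub else pkt

    def inbound(self, pkt):
        priv = self.pub_to_priv.get(pkt.dst_ip)
        return replace(pkt, dst_ip=priv) if priv else pkt


class ThreeLeggedFirewall:
    def __init__(self, zones, nat, rules):
        self.zones = zones   # zone name -> address prefix; anything else is "internet"
        self.nat = nat
        # Rule: (src zone, src host or "any", dst zone, dst host or "any", dst port or "any").
        # Anything no rule matches is dropped (default deny).
        self.rules = rules

    def zone_of(self, ip):
        for name, prefix in self.zones.items():
            if ip.startswith(prefix):
                return name
        return "internet"

    def forward(self, pkt):
        """Return the packet as it leaves the firewall, or None if dropped."""
        # Untranslate public aliases first so the rules can name real DMZ hosts.
        pkt = self.nat.inbound(pkt)
        src_zone, dst_zone = self.zone_of(pkt.src_ip), self.zone_of(pkt.dst_ip)
        if src_zone == dst_zone:
            return None  # same-zone traffic never needs to cross the firewall
        for r_src, r_src_host, r_dst, r_dst_host, r_port in self.rules:
            if (r_src == src_zone and r_dst == dst_zone
                    and r_src_host in ("any", pkt.src_ip)
                    and r_dst_host in ("any", pkt.dst_ip)
                    and r_port in ("any", pkt.dst_port)):
                # Traffic leaving toward the Internet goes out under its public alias.
                return self.nat.outbound(pkt) if dst_zone == "internet" else pkt
        return None


def build_example():
    """Constructed sample topology: a web server and a mail relay in the DMZ."""
    zones = {"intranet": "192.168.1.", "dmz": "10.0.0."}
    nat = StaticNat({"10.0.0.10": "203.0.113.10",   # web server
                     "10.0.0.25": "203.0.113.25"})  # mail relay
    rules = [
        ("internet", "any", "dmz", "10.0.0.10", 80),             # public web
        ("internet", "any", "dmz", "10.0.0.25", 25),             # inbound mail
        ("dmz", "10.0.0.25", "internet", "any", 25),             # relay sends mail out
        ("dmz", "10.0.0.10", "intranet", "192.168.1.50", 5432),  # web -> database only
        ("dmz", "10.0.0.25", "intranet", "192.168.1.60", 25),    # relay -> internal mail
        ("intranet", "any", "dmz", "any", "any"),                # inside may reach the DMZ
    ]
    return ThreeLeggedFirewall(zones, nat, rules)


if __name__ == "__main__":
    fw = build_example()
    print(fw.forward(Packet("198.51.100.7", 40000, "203.0.113.10", 80)))   # reaches web
    print(fw.forward(Packet("10.0.0.10", 50000, "192.168.1.60", 25)))      # None: dropped
```

The rule list is deliberately written per DMZ host rather than per zone: a compromised web server then gets one port on one database host, which is the "access only by necessity" principle from the text expressed as policy.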


Belt-and-Suspenders Firewalls

This third type of environment conveys all of the benefits of the last, but offers a little more security and more flexibility for more cost. Should the outermost firewall be compromised, then the inner one is still unaffected. The hacker would still have the task of compromising some DMZ host in order to penetrate the Intranet. Of course, with the outermost firewall neutralized, the task of breaking into those hosts becomes easier.
