Firewall Security and the Internet
Bibliography references pertaining to firewalls
General Information
The Complete FIREWALL FAQ Resource
Firewalls in General for the NT Servers
Purdue / COAST Links Primarily Firewalls - Links
Excellent Firewall Introduction
Another Excellent Firewall Intro
Excellent Firewall FAQ File
How to Pick a Firewall
Firewalls Complete - THE BOOK
IT Security Cookbook - THE BOOK
Understanding Firewalls by Rhino 9
Backdoors in Firewalls
Firewall Basics from Microsoft
Reports and Guides
How to pick an Internet Firewall by Marcus Ranum
NIST Special Publication 800-10 Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
Fortified Network's Firewall Evaluation Checklist
Internet Security Threats and Firewalls by David J. Stang
Summary of Cryptography in Internet Firewalls Workshop, Aug 1995
CSI 1995 Internet Security Survey
The Firewall Report
The Firewall Policy Guide by the National Computer Security Association
Firewall Tutorial by LLSI
Firewall Company Web Sites
CyberGuard Firewall Web Site
AltaVista Firewall 98
Ascend
Cisco PIX Firewall
CyberGuard
Eagle NT
Elron Firewall
Check Point Firewall-1
Network-1 Firewall Plus
GFX Firewall System
GNAT Box Firewall
PC Week tutorial
Guardian's NetGuardian
Milkyway SecurIT
Secure Computing Firewall
SmartWall
Sonic Firewall
Kane Security Analyst
Microsoft Proxy Server
MultiTech Ethernet ProxyServer
NetRoad FireWALL 2.1
Session Wall-3
SonicWall Review
Firewall Checklists
More Firewall Product Info
Commercial Firewalls and Resellers maintained by Cathy Fulmer
Firewall Vendors list at MCI
Black Hole by Milkyway
BorderWare by Border Network Technologies
Brimstone by SOS Corp
CENTRISecure Internet Gateway by Cohesive Systems
CiscoWorks by Cisco Systems
Cyberguard by Harris Computer Systems
Data Privacy Facility by Network Systems Corporation
Eagle by Raptor Systems
Firewall-1 by CheckPoint Software Technologies
Firewall/Plus by Network-1
Gauntlet by TIS
GFX-94 Internet Firewall by Global Technology Associates
HSC GateKeeper by Herve Schauer Consultants
Interceptor by Technologic
Interlock by ANS
KarlBridge by KarlNet
NetGate by Smallworks
NetLOCK(tm) from Hughes
NetRanger from the WheelGroup
NetSeer by enterWorks.com
Netra Server by Sun
Private Internet Exchange by Network Translation
PORTUS by LSLI
SEAL by Digital
Secureconnect by Morning Star
Sidewinder by Secure Computing Corporation
Site Patrol by BBN Planet Corp
SmartWall by V-ONE
SunScreen SPF-100 by Sun Internet Commerce Group
Turnstyle Firewall System by Atlantic Systems Group
Firewall Industry Guide
Internet Firewalls - Resources: a comprehensive list of resources associated with Internet firewalls.
Firewall Product Overview
Internet Firewalls Frequently Asked Questions, by Marcus J. Ranum and Matt Curtin
Firewall-1 Tricks & Tips / PhoneBoy's Firewall-1 FAQ: the site is loaded with helpful hints for running Firewall-1.
Commercial Firewalls and Related FW Products
Firewall Product Overview
Information Security Policies Made Easy -- Professional Already Written Policies on CD-ROM Reasons to Have
Check Point, makers of Firewall-1
Logsurfer Homepage
No-Fuss Firewall
SecureLogix Corporation: network security products for enterprise solutions. TeleSweep is a scanner for phone lines and TeleWall is a firewall for phone lines.
Trusted Information Systems: developers of Gauntlet Firewalls, GVPN, and several other security products. TIS was recently bought out by Network Associates.
Sun Microsystems' SunScreen Firewalls: the fastest firewalls available.
Lucent Remote Access Business Unit
Firewalls FAQ: Background & Basics; Design & Implementation Issues; Various Attacks; How Do I...
Biodata: a global provider of cryptographic devices as well as network and communications technology products. The company's portfolio includes Internet firewalls with separate management systems, 112-bit DES data encryption products for public telecommunications networks, and ISDN routers.
The Firewall Toolkit: information on building free firewall and security solutions. Also the unofficial home of the TIS FWTK.
SAGUS Security
TIMESTEP: encryption solutions for virtual private networking (VPN)
V-ONE Corporation: licenses SmartGate(TM), patented, award-winning VPN technology that enables business organizations to establish secure communications and transaction channels over public networks like the Internet.
WatchGuard Technologies - From Firewall to Firebox: more than a firewall, the WatchGuard Firebox delivers complete network security from an affordable, plug-and-play security appliance.
International Computer Security Association: ICSA is an independent organization offering objective views and opinions on computer security issues. It aims to improve computer security through knowledge sharing, information dissemination, and security product certification.
COAST Internet Firewalls Hotlist: comprehensive list of firewall vendors and resources
Internet Firewalls Frequently Asked Questions: frequently asked questions about Internet firewalls
Isinglass: IsinGlass is a script meant to make the average user's Linux machine more secure when connected to the Internet, for example when dialing up via a local ISP.
Raptor Systems: a lower-cost yet usable firewall
Check Point FireWall-1 searchable discussion: complete searchable archives of the Check Point FireWall-1 mailing list and online discussion
Merit GateD Consortium Support Services
SINUS Firewall Page
New Security Standards Makers: The Aggressor is advanced network monitoring, management, network vulnerability testing and administration software for network administrators, advanced users, and companies connected to the Internet or a WAN.
Network Security Software: firewall and network security software.
DoorStop Mac-based firewall: easy-to-use, Macintosh-based firewall software.
Firewall and Proxy server HOWTO for Linux: build an inexpensive, powerful firewall; here's how.
CyberGuard: UnixWare- and NT-based filtering firewall.
Guardian Firewall: NetGuard Control Center is policy-based, directory-enabled software that integrates the company's Guardian Firewall and Guidepost Bandwidth Control products through a centralized management interface.
IP Filter: a TCP/IP packet filtering package for UNIX platforms (Darren Reed).
Progressive Systems, Inc., Home of the Phoenix Firewall: Progressive Systems offers the Phoenix Adaptive Firewall. Phoenix has VPN options available and is available on Linux as well as an easy-to-use appliance. Fully functional evaluation downloads are available.
Open Source Firewall based on FreeBSD (in German): firewall service for small to medium-sized businesses with no Internet experience. Web proxy, email, RealAudio, with remote monitoring and support.
Firewalls Mailing List: for discussions of Internet firewall security systems and related issues. Hosted by GNAC, Inc.
Cowboyz Monitored Internet Security: the Cowboyz i Wall is an affordable, virtually bulletproof solution for Internet and network security.
Freefire: open-source Internet firewall software (Bernd Eckenfels).
Internet Product Watch: Firewall Products: extensive list of firewall products.
AltaVista Firewall 98: UNIX- and NT-based transparent proxy firewall.
Cisco PIX Firewall: hardware-based filtering firewall. Runs an IOS lookalike.
Software Control AB: develops and provides software tools for implementing security policies, extending firewall functionality to the whole network.
Internet Products Inc.: the InterGate solution integrates 12 Internet services, such as firewall, DHCP, proxy server, cache, email, and DNS, into a single, easy-to-use device on your network.
Technologic, Inc.: the developer of the Interceptor Firewall Appliance and the all-in-one InstaGate Internet Appliance. Its products have been ICSA certified.
Sentry Telecom Systems: Sentry's products facilitate computer network security and telecommunication service usage, including a modem security and PBX intrusion detection firewall to prevent telephone fraud and provide modem control. The patented Phonewall Enforcer and Phonewall Auditor provide modem blocking, classification of telecommunication traffic, and management of the secure usage of telecommunication services.
Aker Security Solutions: informatics company specialized in firewall and security technology development.
ERT Group: specializes in intrusion detection systems that integrate both network- and host-based detection to automatically detect and respond to attacks on a company's information systems and network infrastructure. Proxy-based firewalls are part of an overall security package.
Firedoor Network Security: Firedoor provides a complete software package with high-security solutions for intranets and extranets. Firedoor products are divided into two parts, Firedoor Secure Server and Firedoor Secure Client.
SecurityDogs.com: links and information on firewall security, Virtual Private Networks (VPN), Network Address Translation (NAT), and Quality of Service (QoS).
Checkpoint Firewall-1 Ultimate Resource: PhoneBoy's Checkpoint Firewall-1 Resource Site, the definitive guide to Firewall-1 on the Web.
ConSeal Private Desktop: ConSeal Private Desktop and other personal firewall products for all Internet users.
Firewall Papers - From Network Security Information
E-Commerce Security Technologies: Fire Wall (paper) Information for beginners. Firewalls, IDS, DMZ.
Firewalls Complete (book) Good book about firewall theory and practice
Fire in the Hole (paper) About today's bulked-up solutions
Building your firewall, Part 1 (paper) Are you letting your firewall vendor decide your architecture? Try to do it yourself!
Building your firewall, Part 2 (paper) How to make sure your OS is ready to go.
Building your firewall, Part 3 (paper) Implementation: setting up firewall rules.
Improving Security on Cisco Routers (how-to) Informal discussion of some Cisco configuration settings.
Cisco IOS Firewall Feature Set and Context-Based Access Control (paper) This document describes the Cisco IOS Firewall feature set and how to configure context-based access control, one of the Cisco IOS Firewall feature set features.
Proxy installation (paper) About securely installing NT Proxy Server
Network design - firewalls (paper) This part of the well-known book is about firewall basics
Placing Backdoors Through Firewalls (paper) How to set it and how to protect from it.
Linux LAN & Internet Firewall Security FAQ (paper) Practical advice.
Checkpoint's Firewall-1 problems description (paper) This information is old and not correct.
General Firewall White Paper (paper) Nice description of common firewall functions
Firewalls and Internet security (report) Good paper with theory and firewall descriptions. Network security policy example.
Firewalling and Proxy Server HOWTO (how-to) For Linux-based PCs
Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls (paper) Sorry for some broken images in the English version
Internet Firewalls Frequently Asked Questions (faq) Good description
Services to be filtered (checklist) CERT recommended
Firewalls and related software products to download and evaluate

| Product | License | Windows versions | Description |
|---|---|---|---|
| Agnitum Outpost Firewall Pro | Shareware | 98, 2k, Me, XP | Protect your computer with Outpost Firewall PRO. |
| ManageEngine Firewall Analyzer | Shareware | XP | Firewall Analyzer is a Web-based firewall log analysis tool that... |
| NeT Firewall | Shareware | 98, NT, 2k, Me, XP, 2003 | This firewall protects Windows-based systems not currently protected... |
| Sygate Personal Firewall | Freeware | 98, NT, 2k, Me, XP, 95, 2003 | This firewall automatically protects your PC from... |
| Armor2net Personal Firewall | Shareware | 98, 2k, Me, XP | This personal firewall provides... |
| Atelier Web Firewall Tester | Shareware | NT, 2k, XP, 2003 | This is a tool for probing personal firewall software strengths... |
| BitGuard Firewall | Shareware | 98, 2k, Me, XP | This firewall helps control traffic and application launches,... |
| DShield Universal Firewall Parser | Freeware | 98, NT, 2k, Me, XP | This is a universal DShield.org firewall log parser. |
| Kerio WinRoute Firewall | Commercial | NT, 2k, XP, 2003 | This is a corporate firewall with anti-virus support, content... |
| McAfee Firewall | Shareware | 98, NT, 2k, Me, XP | This application protects your network and seamlessly fits into your... |
| Norman Personal Firewall | Demo | 98, NT, 2k, Me, XP | This is both an application and a packet-level firewall and uses... |
| Primedius Free Firewall & Messenger PopUp Killer | Freeware | NT, 2k, XP | This program kills messenger pop-ups. |
| SoftPerfect Personal Firewall | Freeware | 98, NT, 2k, Me, XP, 95, 2003 | This is a network firewall designed to protect your PC against attacks... |
| VisNetic Firewall | Shareware | 98, NT, 2k, Me, XP | This is a packet level firewall built to protect Windows based... |
| Webroot Desktop Firewall | Subscription | 98, 2k, Me, XP | This bi-directional intrusion defense system protects your computer by... |
| Firewall X-treme | Demo | 98, NT, 2k, Me, XP | This program secures your personal data from hackers by automatically... |
| 3B Personal Firewall Pro | Shareware | 98, NT, 2k, Me, XP | This program prevents unauthorized operations and data loss. |
| Jetico Personal Firewall | Freeware | 98, NT, 2k, Me, XP, 2003 | This program protects your computer from hacker attacks and malicious... |
| MindSoft Firewall | Shareware | XP | This will protect you against external attacks, including trojans and... |
| OSsurance Desktop Kernel Firewall | Shareware | NT, 2k, XP, 2003 | This program blocks the execution of spyware, viruses, worms, Trojans,... |
| Registry Firewall | Shareware | 98, NT, 2k, Me, XP | This program is designed to prevent adware and spyware from... |
| SecureUp Personal Firewall | Shareware | 98, NT, 2k, Me, XP | This program offers intrusion detection and protection to your PC. |
| 602LAN SUITE | Freeware | 98, NT, 2k, Me, XP, 2003 | This is a secure mail server with antivirus and anti-spam, built-in... |
| BitDefender Professional Plus | Shareware | 98, NT, 2k, Me, XP, 2003 | This program integrates antivirus, firewall and anti-spam modules into... |
| FTP Navigator | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This program lets you upload, download or delete data. |
| NetPeeker | Shareware | 98, NT, 2k, Me, XP, 2003 | This network monitor and control tool supports personal firewall,... |
| Spytector | Shareware | 98, NT, 2k, Me, XP, 2003 | Track all activities on a PC with a keylogger filter, advanced... |
| Trend Micro PC-cillin Internet Security | Shareware | 98, 2k, Me, XP | Trend Micro PC-cillin Internet Security 14 integrates antivirus... |
| WebPartner Test and Performance Center | Shareware | NT, 2k, XP, 2003 | This program performs scheduled stress and load testing by executing... |
| FlamingWall | Shareware | XP | Stop Trojans and secure your applications from attempts to extract... |
| 12Ghosts Robo | Shareware | 98, NT, 2k, Me, XP, 95 | This helper can respond on your behalf when certain events occur. |
| AbleGet | Shareware | 98, 2k, Me, XP | Find, download and upload files. |
| AbleGet | Shareware | 98, 2k, Me, XP, 2003 | Find, download and upload files and MP3s with AbleGet. |
| AbuseShield | Shareware | 2k, XP, 2003 | This program picks up where anti-virus and firewall software fail by... |
| AGuardDog Suite Complete Protection | Shareware | 98, NT, 2k, Me, XP, 2003 | This security tool offers several tools to help keep your computer... |
| Anti-Spy.Info | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This is a security and personal privacy tool that detects and removes... |
| AntiFirewall Anonymizer | Shareware | 98, NT, 2k, Me, XP, 95 | This allows you to use FTP, newsgroups, IRC, ICQ, e-mail and POP/IMAP... |
| AnVir Virus Destroyer | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This is a process and startup manager with advanced log... |
| Avirt Soho | Shareware | 98, NT, 2k, Me, XP, 95 | This is a network and Internet sharing manager. |
| CAMELOT Messaging Security Suite | Shareware | NT, 2k, XP, 2003 | |
| COAST WebMaster | Demo | NT, 2k, Me, XP, 2003 | This is Web quality testing technology that can be used at every stage... |
| Comtun Pro proxy server | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This is a Proxy and Firewall for Internet connection sharing. |
| CrushFTP | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This cross-platform FTP server has users, groups, ratios, quotas, SFV... |
| Cute FTP Home | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This program allows you to transfer files between your PC and remote... |
| DICE | Shareware | 2k, XP, 2003 | This Windows Service Application provides IRC, HTTP and opennap... |
| DynServe Client | Freeware | 98, NT, 2k, Me, XP, 95 | This program will give your computer its own domain name, such as www. |
| eMando Remote Control | Shareware | 2k, Me, XP, 2003 | This is software to control any number of PCs over the Internet or a... |
| eTrust PestPatrol Anti-Spyware | Demo | 98, NT, 2k, Me, XP | This security and personal privacy tool detects and eliminates... |
| Everyware RDM | See Home Page | 98, NT, 2k, Me, XP, 95, 2003 | This program provides secure, remote data backup and retrieval. |
| ezProxy | Shareware | 98, NT, 2k, Me, XP | This allows an entire network to share a single Internet account... |
| F-Secure Internet Security | Shareware | 98, 2k, Me, XP | Protect your data and privacy when you e-mail, download music, bank,... |
| FileCourier | Shareware | 98, 2k, Me, XP, 2003 | This program lets you create and e-mail FileTickets instead of... |
| FileZilla | GPL | 98, NT, 2k, Me, XP, 95, 2003 | This FTP client is available in different languages. |
| Fireball CyberProtection Suite | Commercial | 98, NT, 2k, Me, XP | This program combines the power and protection of a personal firewall,... |
| FlashFXP | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This is an FTP and FXP client to allow FTP transfers directly between... |
| GoldTach | Freeware | 2k, XP | Protect against hackers intruding into your PC and filching personal... |
| HTTP-Tunnel Client | Freeware | 98, NT, 2k, Me, XP, 95 | This acts as a SOCKs server, allowing subscribers to use your Internet... |
| ICFMeister | Shareware | XP | This program monitors the activities of the Internet Connection... |
| ICUII | Shareware | 98, NT, 2k, Me, XP, 95 | This communications tool works on both the Internet and on intranets. |
| InCode Virus Detector | Demo | 98, NT, 2k, Me, XP, 95 | This is a firewall protection tool against viruses, worms and other... |
| Indigo Secure Lite | Shareware | 98, NT, 2k, Me, XP | This is a business and customer service solution. |
| IPDog | Shareware | 2k, XP, 2003 | This program shows you all open IP ports and allows you to test and... |
| iPIG WiFi Hotspot VPN Security | Freeware | 2k, XP, 2003 | Protects your inbound and outbound communications such as e-mail, Web,... |
| Joltage Provider Software | Freeware | 2k, XP | This is a WLAN/802.11x/Wi-Fi gateway product that features a captive... |
| JuniorNet | Demo | 98, 2k, Me, XP, 95 | The JuniorNet environment delivers hundreds of constantly updating... |
| Katana | Shareware | 2k, XP, 2003 | This integrated personal firewall and VPN inter-operates with... |
| Kerio WinRoute Pro | Demo | 98, NT, 2k, Me, XP | This is a firewall with integrated Internet sharing capability. |
| Kiwi Syslog Daemon | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This Windows Syslog Daemon receives, logs, displays and forwards... |
| Mercur Messaging Server | Shareware | NT, 2k, XP, 2003 | This is a scalable e-mail server for either LAN or Internet based... |
| Net Profile Switch | Shareware | NT, 2k, XP, 2003 | Switch your laptop computer between multiple networks. |
| NetCom | Demo | NT, 2k, XP, 2003 | Get packet-level filtering and management software with remote... |
| Netkeys ULTRA | Demo | 98, 2k, Me, XP | This program provides online privacy and parental controls, firewall... |
| NetProxy | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This tool lets you provide simultaneous Internet access to multiple... |
| OmniVPN | Freeware | 2k, XP, 2003 | This is a firewall and virtual private network. |
| PortsLock | Commercial | NT, 2k, XP, 2003 | This is a firewall with user-level access controls for Windows... |
| PreView | Freeware | 2k, XP, 2003 | This security application lets you see the relative security of your... |
| Prevx Home | Freeware | 2k, XP | This free program protects your PC against the installation of spyware... |
| Proxifier | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | With this program you can bypass firewalls and tunnel... |
| Proxy - Pro Professional GateKeeper | Shareware | 98, NT, 2k, Me, XP | This proxy server firewall allows you to share, secure and accelerate... |
| Proxy Checker | Shareware | 98, NT, 2k, Me, XP, 2003 | This application tests HTTP and SOCKS proxy servers. |
| Proxy plus | See Home Page | 98, NT, 2k, Me | This is a firewall, proxy and mail server for shared access to the... |
| ProxyInspector for ISA Server | Shareware | 98, NT, 2k, Me, XP, 2003 | This tool analyzes the Microsoft ISA server Web proxy, firewall and... |
| SecureUp | Shareware | 98, NT, 2k, Me | SecureUp is an enhancement to the security and accessibility already... |
| SeeMeMe Windows Utilities | Shareware | 98, NT, 2k, Me, XP, 95 | Contains 8 tools to secure, speed up and optimize Windows. |
| SolidShare | Shareware | 98, NT, 2k, Me, XP, 2003 | This tool provides firewall security and Internet sharing on your LAN. |
| SpyBlocker | Shareware | 98, NT, 2k, Me, XP, 95 | This spyware firewall has the ability to block the activity of... |
| Trellian Siteload | Shareware | 98, 2k, Me, XP, 95 | This is a Web site and mirror management application. |
| Trojan Guarder Gold Version | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | Though installed with anti-virus system and firewall, your PC is still... |
| TurboCrypt | Shareware | 2k, XP, 2003 | This program allows users to keep sensitive files encrypted but... |
| WebTunnel | Demo | 98, NT, 2k, Me, XP, 2003 | Hide your IP address, protect your personal information, and hide... |
| WINDIY System Expert | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This system toolbox includes a firewall, a... |
| WinProxy | See Home Page | 98, NT, 2k, Me, XP, 95 | This is an Internet sharing and security management tool that allows... |
| WinSocks | Shareware | 98, NT, 2k, Me, XP, 95, 2003 | This is a Socks 4 and 5 firewall and proxy server. |
| ZoneAlarm Pro | Demo | 98, NT, 2k, Me, XP | This firewall application offers options like "lock system" and the... |
| ZoomCall Pro VideoPhone | Shareware | 98, 2k, Me, XP, 2003 | This video conferencing software works with most cameras and allows... |
| Safe'n'Sec | Shareware | 2k, XP | Protect your system against viruses, spyware, vulnerabilities,... |
| Servantix Network Monitor | Shareware | 98, NT, 2k, Me, XP, 2003 | Monitor any IP-based device on your network including Web servers,... |
| Active@ File Recovery | Demo | 98, NT, 2k, 95 | This recovers data after formatting or loss of partitions. |
| Cryptainer LE Free Encryption Software | Freeware | 98, 2k, Me, XP, 95, 2003 | Creates encrypted vaults for storing data. |
| Secure IT | Demo | 98, NT, 2k, Me, XP, 95, 2003 | This program compresses, encrypts, shreds and secures e-mail. |
Internet Firewalls: Frequently Asked Questions
Revision: 10.4
This document is also available in PostScript and PDF.
1 Administrativia
1.1 About the FAQ
This collection of Frequently Asked Questions (FAQs) and answers has been compiled over a period of years, seeing which questions people ask about firewalls in such fora as Usenet, mailing lists, and Web sites. If you have a question, looking here to see whether it's answered before posting your question is good form. Don't send your questions about firewalls to the FAQ maintainers.
The maintainers welcome input and comments on the contents of this FAQ. Comments related to the FAQ should be addressed to firewalls-faq@interhack.net. Before you send us mail, please be sure to see sections 1.2 and 1.3 to make sure this is the right document for you to be reading.
1.2 For Whom Is the FAQ Written?
Firewalls have come a long way from the days when this FAQ started. They've gone from being highly customized systems administered by their implementors to a mainstream commodity. Firewalls are no longer solely in the hands of those who design and implement security systems; even security-conscious end-users have them at home.
We wrote this FAQ for computer systems developers and administrators. We have tried to be fairly inclusive, making room for the newcomers, but we still assume some basic technical background. If you find that you don't understand this document, but think that you need to know more about firewalls, it might well be that you actually need to get more background in computer networking first. We provide references that have helped us; perhaps they'll also help you.
We focus predominantly on ``network'' firewalls, but ``host'' or ``personal'' firewalls will be addressed where appropriate.
1.3 Before Sending Mail
Note that this collection of frequently-asked questions is a result of interacting with many people of different backgrounds in a wide variety of public fora. The firewalls-faq address is not a help desk. If you're trying to use an application that says that it's not working because of a firewall and you think that you need to remove your firewall, please do not send us mail asking how.
If you want to know how to ``get rid of your firewall'' because you cannot use some application, do not send us mail asking for help. We cannot help you. Really.
Who can help you? Good question. That will depend on what exactly the problem is, but here are several pointers. If none of these works, please don't ask us for any more. We don't know.
- The provider of the software you're using.
- The provider of the hardware ``appliance'' you're using.
- The provider of the network service you're using. That is, if you're on AOL, ask them. If you're trying to use something on a corporate network, talk to your system administrator.
1.4 Where Can I find the Current Version of the FAQ?
The FAQ can be found on the Web at
It's also posted monthly to
Posted versions are archived in all the usual places. Unfortunately, the version posted to Usenet and archived from that version lack the pretty pictures and useful hyperlinks found in the web version.
1.5 Where Can I Find Non-English Versions of the FAQ?
Several translations are available. (If you've done a translation and it's not listed here, please write us so we can update the master document.)
- Norwegian
- Translation by Jon Haugsand
http://helmersol.nr.no/haandbok/doc/brannmur/brannmur-faq.html
1.6 Contributors
Many people have written helpful suggestions and thoughtful commentary. We're grateful to all contributors. We'd like to thank a few by name: Keinanen Vesa, Allen Leibowitz, Brent Chapman, Brian Boyle, D. Clyde Williamson, Richard Reiner, Humberto Ortiz Zuazaga, and Theodore Hope.
1.7 Copyright and Usage
Copyright ©1995-1996, 1998 Marcus J. Ranum. Copyright ©1998-2002 Matt Curtin. Copyright 2004, Paul D. Robertson. All rights reserved. This document may be used, reprinted, and redistributed as is providing this copyright notice and all attributions remain intact. Translations of the complete text from the original English to other languages are also explicitly allowed. Translators may add their names to the ``Contributors'' section.
2 Background and Firewall Basics
Before being able to understand a complete discussion of firewalls, it's important to understand the basic principles that make firewalls work.
2.1 What is a network firewall?
A firewall is a system or group of systems that enforces an access control policy between two or more networks. The actual means by which this is accomplished varies widely, but in principle, the firewall can be thought of as a pair of mechanisms: one which exists to block traffic, and the other which exists to permit traffic. Some firewalls place a greater emphasis on blocking traffic, while others emphasize permitting traffic. Probably the most important thing to recognize about a firewall is that it implements an access control policy. If you don't have a good idea of what kind of access you want to allow or to deny, a firewall really won't help you. It's also important to recognize that the firewall's configuration, because it is a mechanism for enforcing policy, imposes its policy on everything behind it. Administrators for firewalls managing the connectivity for a large number of hosts therefore have a heavy responsibility.
2.2 Why would I want a firewall?
The Internet, like any other society, is plagued with the kind of jerks who enjoy the electronic equivalent of writing on other people's walls with spraypaint, tearing their mailboxes off, or just sitting in the street blowing their car horns. Some people try to get real work done over the Internet, and others have sensitive or proprietary data they must protect. Usually, a firewall's purpose is to keep the jerks out of your network while still letting you get your job done.
Many traditional-style corporations and data centers have computing security policies and practices that must be followed. In a case where a company's policies dictate how data must be protected, a firewall is very important, since it is the embodiment of the corporate policy. Frequently, the hardest part of hooking to the Internet, if you're a large company, is not justifying the expense or effort, but convincing management that it's safe to do so. A firewall provides not only real security--it often plays an important role as a security blanket for management.
Lastly, a firewall can act as your corporate ``ambassador'' to the Internet. Many corporations use their firewall systems as a place to store public information about corporate products and services, files to download, bug-fixes, and so forth. Several of these systems have become important parts of the Internet service structure (e.g., UUnet.uu.net, whitehouse.gov, gatekeeper.dec.com) and have reflected well on their organizational sponsors. Note that while this is historically true, most organizations now place public information on a Web server, often protected
by a firewall, but not normally on the firewall itself.
2.3 What can a firewall protect against?
Some firewalls permit only email traffic through them, thereby protecting the network against any attacks other than attacks against the email service. Other firewalls provide less strict protections, and block services that are known to be problems.
Generally, firewalls are configured to protect against unauthenticated interactive logins from the ``outside'' world. This, more than anything, helps prevent vandals from logging into machines on your network. More elaborate firewalls block traffic from the outside to the inside, but permit users on the inside to communicate freely with the outside. The firewall can protect you against any type of network-borne attack if you unplug it.
Firewalls are also important since they can provide a single ``choke point'' where security and audit can be imposed. Unlike in a situation where a computer system is being attacked by someone dialing in with a modem, the firewall can act as an effective ``phone tap'' and tracing tool. Firewalls provide an important logging and auditing function; often they provide summaries to the administrator about what kinds and amount of traffic passed through it, how many attempts there were to break into it, etc.
Because of this, firewall logs are critically important data. They can be used as evidence in a court of law in most countries. You should safeguard, analyze and protect your firewall logs accordingly.
This is an important point: providing this ``choke point'' can serve the same purpose on your network as a guarded gate can for your site's physical premises. That means anytime you have a change in ``zones'' or levels of sensitivity, such a checkpoint is appropriate. A company rarely has only an outside gate and no receptionist or security staff to check badges on the way in. If there are layers of security on your site, it's reasonable to expect layers of security on your network.
2.4 What can't a firewall protect against?
Firewalls can't protect against attacks that don't go through the firewall. Many corporations that connect to the Internet are very concerned about proprietary data leaking out of the company through that route. Unfortunately for those concerned, a magnetic tape, compact disc, DVD, or USB flash drive can just as effectively be used to export data. Many organizations that are terrified (at a management level) of Internet connections have no coherent policy about how dial-in access via modems should be protected. It's silly to build a six-foot thick steel door when you live in a wooden
house, but there are a lot of organizations out there buying expensive firewalls and neglecting the numerous other back-doors into their network. For a firewall to work, it must be a part of a consistent overall organizational security architecture. Firewall policies must be realistic and reflect the level of security in the entire network. For example, a site with top secret or classified data doesn't need a firewall at all: they shouldn't be hooking up to the Internet in the first place, or the systems with the really secret data should be isolated from the rest of the corporate
network.
Another thing a firewall can't really protect you against is traitors or idiots inside your network. While an industrial spy might export information through your firewall, he's just as likely to export it through a telephone, FAX machine, or Compact Disc. CDs are a far more likely means for information to leak from your organization than a firewall. Firewalls also cannot protect you against stupidity. Users who reveal sensitive information over the telephone are good targets for social engineering; an attacker may be able to break into your network by completely bypassing your firewall, if
he can find a ``helpful'' employee inside who can be fooled into giving access to a modem pool. Before deciding this isn't a problem in your organization, ask yourself how much trouble a contractor has getting logged into the network or how much difficulty a user who forgot his password has getting it reset. If the people on the help desk believe that every call is internal, you have a problem that can't be fixed by tightening controls on the firewalls.
Firewalls can't protect against tunneling over most application protocols to trojaned or poorly written clients. There are no magic bullets and a firewall is not an excuse to not implement software controls on internal networks or ignore host security on servers. Tunneling ``bad'' things over HTTP, SMTP, and other protocols is quite simple and trivially demonstrated. Security isn't ``fire and forget''.
Lastly, firewalls can't protect against bad things being allowed through them. For instance, many Trojan Horses use the Internet Relay Chat (IRC) protocol to allow an attacker to control a compromised internal host from a public IRC server. If you allow any internal system to connect to any external system, then your firewall will provide no protection from this vector of attack.
2.5 What about viruses and other malware?
Firewalls can't protect very well against things like viruses or malicious software (malware). There are too many ways of encoding binary files for transfer over networks, and too many different architectures and viruses to try to search for them all. In other words, a firewall cannot replace security-consciousness on the part of your users. In general, a firewall cannot protect against a data-driven attack--attacks in which something is mailed or copied to an internal host where it is then executed. This form of attack has occurred in the past against various versions of sendmail,
ghostscript, scripting mail user agents like Outlook, and Web browsers like Internet Explorer.
Organizations that are deeply concerned about viruses should implement organization-wide virus control measures. Rather than only trying to screen viruses out at the firewall, make sure that every vulnerable desktop has virus scanning software that is run when the machine is rebooted. Blanketing your network with virus scanning software will protect against viruses that come in via floppy disks, CDs, modems, and the Internet. Trying to block viruses at the firewall will only protect against viruses from the Internet. Virus scanning at the firewall or e-mail gateway will stop a large number
of infections.
Nevertheless, an increasing number of firewall vendors are offering ``virus detecting'' firewalls. They're probably only useful for naive users exchanging Windows-on-Intel executable programs and malicious-macro-capable application documents. There are many firewall-based approaches for dealing with problems like the ``ILOVEYOU'' worm and related attacks, but these are really oversimplified approaches that try to limit the damage of something that is so stupid it never should have occurred in the first place. Do not count on any protection from attackers with this feature. (Melissa and Happy99 before ``ILOVEYOU'', and Code Red and Badtrans.B after it, were among at least a half-dozen similar attacks, all of which were happily passed through many virus-detecting firewalls and e-mail gateways.)
A strong firewall is never a substitute for sensible software that recognizes the nature of what it's handling--untrusted data from an unauthenticated party--and behaves appropriately. Do not think that because ``everyone'' is using that mailer or because the vendor is a gargantuan multinational company, you're safe. In fact, it isn't true that ``everyone'' is using any mailer, and companies that specialize in turning technology invented elsewhere into something that's ``easy to use'' without any expertise are more likely to produce software that can be fooled. Further consideration of this
topic would be worthwhile [3], but is beyond the scope of this document.
2.6 Will IPSEC make firewalls obsolete?
Some have argued that this is the case. Before pronouncing such a sweeping prediction, however, it's worthwhile to consider what IPSEC is and what it does. Once we know this, we can consider whether IPSEC will solve the problems that we're trying to solve with firewalls.
IPSEC (IP SECurity) refers to a set of standards developed by the Internet Engineering Task Force (IETF). There are many documents that collectively define what is known as ``IPSEC'' [6]. IPSEC solves two problems which have plagued the IP protocol suite for years: host-to-host authentication (which will let hosts know that they're talking to the hosts they think they are) and encryption (which will prevent attackers from being able to watch the traffic going between machines).
Note that neither of these problems is what firewalls were created to solve. Although firewalls can help to mitigate some of the risks present on an Internet without authentication or encryption, there are really two classes of problems here: the integrity and privacy of the information flowing between hosts, and the limits placed on what kinds of connectivity are allowed between different networks. IPSEC addresses the former class and firewalls the latter.
What this means is that one will not eliminate the need for the other, but it does create some interesting possibilities when we look at combining firewalls with IPSEC-enabled hosts. Namely, such things as vendor-independent virtual private networks (VPNs), better packet filtering (by filtering on whether packets have the IPSEC authentication header), and application-layer firewalls will be able to have better means of host verification by actually using the IPSEC authentication header instead of ``just trusting'' the IP address presented.
2.7 What are good sources of print information on firewalls?
There are several books that touch on firewalls. The best known are:
Related references are:
- Internetworking with TCP/IP Vols I, II, and III
  Authors: Douglas Comer and David Stevens
  Publisher: Prentice-Hall
  Edition: 1991
  ISBN: 0-13-468505-9 (I), 0-13-472242-6 (II), 0-13-474222-2 (III)
  Comment: A detailed discussion on the architecture and implementation of the Internet and its protocols. Volume I (on principles, protocols and architecture) is readable by everyone. Volume II (on design, implementation and internals) is more technical. Volume III covers client-server computing.
- Unix System Security--A Guide for Users and System Administrators
  Author: David Curry
  Publisher: Addison Wesley
  Edition: 1992
  ISBN: 0-201-56327-4
2.8 Where can I get more information on firewalls on the Internet?
- Site Security Handbook
- http://www.rfc-editor.org/rfc/rfc2196.txt The Site Security Handbook is an informational IETF document that describes the basic issues that must be addressed for building good site security. Firewalls are one part of a larger security strategy, as the Site Security Handbook shows.
- Firewalls Mailing List
- http://www.isc.org/index.pl?/ops/lists/firewalls/ The internet firewalls mailing list is a forum for firewall administrators and implementors.
- Firewall-Wizards Mailing List
- http://honor.icsalabs.com/mailman/listinfo/firewall-wizards The Firewall Wizards Mailing List is a moderated firewall and security related list that is more like a journal than a public soapbox.
- Firewall HOWTO
- http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html Describes exactly what is needed to build a firewall, particularly using Linux.
- Firewall Toolkit (FWTK) and Firewall Papers
- ftp://ftp.tis.com/pub/firewalls/
- Marcus Ranum's firewall related publications
- http://www.ranum.com/pubs/
- Texas A&M University security tools
- http://www.net.tamu.edu/ftp/security/TAMU/
- COAST Project Internet Firewalls page
- http://www.cerias.purdue.edu/coast/firewalls/
3 Design and Implementation Issues
3.1 What are some of the basic design decisions in a firewall?
There are a number of basic design issues that should be addressed by the lucky person who has been tasked with the responsibility of designing, specifying, and implementing or overseeing the installation of a firewall.
The first and most important decision reflects the policy of how your company or organization wants to operate the system: is the firewall in place explicitly to deny all services except those critical to the mission of connecting to the Net, or is the firewall in place to provide a metered and audited method of ``queuing'' access in a non-threatening manner? There are degrees of paranoia between these positions; the final stance of your firewall might be more the result of a political than an engineering decision.
The second is: what level of monitoring, redundancy, and control do you want? Having established the acceptable risk level (i.e., how paranoid you are) by resolving the first issue, you can form a checklist of what should be monitored, permitted, and denied. In other words, you start by figuring out your overall objectives, and then combine a needs analysis with a risk assessment, and sort the almost always conflicting requirements out into a laundry list that specifies what you plan to implement.
The third issue is financial. We can't address this one here in anything but vague terms, but it's important to try to quantify any proposed solutions in terms of how much it will cost either to buy or to implement. For example, a complete firewall product may cost between $100,000 at the high end, and free at the low end. The free option, of doing some fancy configuring on a Cisco or similar router will cost nothing but staff time and a few cups of coffee. Implementing a high end firewall from scratch might cost several man-months, which may equate to $30,000 worth of staff salary and
benefits. The systems management overhead is also a consideration. Building a home-brew is fine, but it's important to build it so that it doesn't require constant (and expensive) attention. It's important, in other words, to evaluate firewalls not only in terms of what they cost now, but continuing costs such as support.
On the technical side, there are a couple of decisions to make, based on the fact that for all practical purposes what we are talking about is a static traffic routing service placed between the network service provider's router and your internal network. The traffic routing service may be implemented at an IP level via something like screening rules in a router, or at an application level via proxy gateways and services.
The decision to make is whether to place an exposed stripped-down machine on the outside network to run proxy services for telnet, FTP, news, etc., or whether to set up a screening router as a filter, permitting communication with one or more internal machines. There are benefits and drawbacks to both approaches, with the proxy machine providing a greater level of audit and, potentially, security in return for increased cost in configuration and a decrease in the level of service that may be provided (since a proxy needs to be developed for each desired service). The old trade-off between
ease-of-use and security comes back to haunt us with a vengeance.
3.2 What are the basic types of firewalls?
Conceptually, there are three types of firewalls:
- Network layer
- Application layer
- Hybrids
They are not as different as you might think, and the latest technologies are blurring the distinction to the point where it's no longer clear if either one is ``better'' or ``worse.'' As always, you need to be careful to pick the type that meets your needs.
Which is which depends on what mechanisms the firewall uses to pass traffic from one security zone to another. The International Organization for Standardization (ISO) Open Systems Interconnection (OSI) model for networking defines seven layers, where each layer provides services that ``higher-level'' layers depend on. In order from the bottom, these layers are physical, data link, network, transport, session, presentation, application.
The important thing to recognize is that the lower-level the forwarding mechanism, the less examination the firewall can perform. Generally speaking, lower-level firewalls are faster, but are easier to fool into doing the wrong thing.
These days, most firewalls fall into the ``hybrid'' category, which do network filtering as well as some amount of application inspection. The amount changes depending on the vendor, product, protocol and version, so some level of digging and/or testing is often necessary.
Network layer firewalls: These generally make their decisions based on the source and destination addresses and ports (see Appendix 6 for a more detailed discussion of ports) in individual IP packets. A simple router is the ``traditional'' network layer firewall, since it is not able to make particularly sophisticated decisions about what a packet is actually talking to or where it actually came from. Modern network layer firewalls have become increasingly sophisticated, and now maintain internal information about the state of connections passing through them, the contents of some of the data streams, and so on. One thing that's an important distinction about many network layer firewalls is that they route traffic directly through them, so to use one you either need to have a validly assigned IP address block or to use a ``private internet'' address block [5]. Network layer firewalls tend to be very fast and tend to be very transparent to users.
Figure 1: Screened Host Firewall
In Figure 1, a network layer firewall called a ``screened host firewall'' is represented. In a screened host firewall, access to and from a single host is controlled by means of a router operating at a network layer. The single host is a bastion host; a highly-defended and secured strong-point that (hopefully) can resist attack.
Figure 2: Screened Subnet Firewall
Example Network layer firewall: In Figure 2, a network layer firewall called a ``screened subnet firewall'' is represented. In a screened subnet firewall, access to and from a whole network is controlled by means of a router operating at a network layer. It is similar to a screened host, except that it is, effectively, a network of screened hosts.
Application layer firewalls: These generally are hosts running proxy servers, which permit no traffic directly between networks, and which perform elaborate logging and auditing of traffic passing through them. Since the proxy applications are software components running on the firewall, it is a good place to do lots of logging and access control. Application layer firewalls can be used as network address translators, since traffic goes in one ``side'' and out the other, after having passed through an application that effectively masks the origin of the initiating connection. Having an application in the way in some cases may impact performance and may make the firewall less transparent. Early application layer firewalls, such as those built using the TIS firewall toolkit, are not particularly transparent to end users and may require some training. Modern application layer firewalls are often fully transparent. Application layer firewalls tend to provide more detailed audit reports and tend to enforce more conservative security models than network layer firewalls.
Figure 3: Dual Homed Gateway
Example Application layer firewall: In Figure 3, an application layer firewall called a ``dual homed gateway'' is represented. A dual homed gateway is a highly secured host that runs proxy software. It has two network interfaces, one on each network, and blocks all traffic passing through it.
Most firewalls now lie someplace between network layer firewalls and application layer firewalls. As expected, network layer firewalls have become increasingly ``aware'' of the information going through them, and application layer firewalls have become increasingly ``low level'' and transparent. The end result is that now there are fast packet-screening systems that log and audit data as they pass through the system. Increasingly, firewalls (network and application layer) incorporate encryption so that they may protect traffic passing between them over the Internet. Firewalls with
end-to-end encryption can be used by organizations with multiple points of Internet connectivity to use the Internet as a ``private backbone'' without worrying about their data or passwords being sniffed. (IPSEC, described in Section 2.6, is playing an increasingly significant role in the construction of such virtual private networks.)
3.3 What are proxy servers and how do they work?
A proxy server (sometimes referred to as an application gateway or forwarder) is an application that mediates traffic between a protected network and the Internet. Proxies are often used instead of router-based traffic controls, to prevent traffic from passing directly between networks. Many proxies contain extra logging or support for user authentication. Since proxies must ``understand'' the application protocol being used, they can also implement protocol specific security (e.g., an FTP proxy might be configurable to permit incoming FTP and block outgoing FTP).
Proxy servers are application specific. In order to support a new protocol via a proxy, a proxy must be developed for it. One popular set of proxy servers is the TIS Internet Firewall Toolkit (``FWTK'') which includes proxies for Telnet, rlogin, FTP, the X Window System, HTTP/Web, and NNTP/Usenet news. SOCKS is a generic proxy system that can be compiled into a client-side application to make it work through a firewall. Its advantage is that it's easy to use, but it doesn't support the addition of authentication hooks or protocol specific logging. For more information on SOCKS, see
http://www.socks.nec.com/.
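The point made in 3.3, that a proxy must ``understand'' the application protocol before it can enforce protocol-specific policy, as an added example that is not code from this FAQ, from FWTK or from SOCKS: a policy check for an outbound HTTP proxy, run over constructed request bytes rather than live sockets. It refuses anything it cannot parse (a proxy that forwards what it does not understand enforces nothing), applies a method allowlist, confines CONNECT tunnels (the HTTP tunneling of 2.4) to port 443, and rebuilds the request so the origin server sees only the proxy and never the internal client, which is the origin-masking described in 3.2. The allowed methods, the CONNECT port set, the stripped header names and the proxy name fw-proxy.example are assumed policy choices, not anything the FAQ specifies.

```python
"""Protocol-aware policy check for an outbound HTTP proxy.

Added example, not code from the Firewalls FAQ or from FWTK. It works on
constructed request bytes (no sockets) so it runs offline. ALLOWED_METHODS,
CONNECT_PORTS, STRIP_HEADERS and PROXY_NAME are assumed policy choices.
"""
from urllib.parse import urlsplit

ALLOWED_METHODS = {"GET", "HEAD", "POST"}           # assumed policy
CONNECT_PORTS = {443}                                 # tunnels only to TLS, and only to 443
STRIP_HEADERS = {"proxy-connection", "proxy-authorization",
                 "x-forwarded-for", "forwarded", "via"}  # never leak client identity/topology outward
PROXY_NAME = "fw-proxy.example"                       # hypothetical name for our Via header


def parse_request(raw: bytes):
    """Strict HTTP/1.x request parser; raises ValueError on anything odd.

    A proxy that does not understand the protocol cannot enforce policy on
    it, so malformed input is rejected rather than forwarded."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of header block")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        raise ValueError(f"bad request line {lines[0]!r}")
    method, target, version = parts
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError(f"bad header line {line!r}")
        headers.append((name, value.strip()))
    return method, target, version, headers, body


def proxy_decision(raw: bytes, client: str):
    """Return (verdict, log line, bytes to send upstream or None).

    client is the internal address the request arrived from; it goes into
    the log line (the choke-point audit record of 2.3) but never upstream."""
    try:
        method, target, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "deny", f"{client} malformed request: {exc}", None

    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if host and port.isdigit() and int(port) in CONNECT_PORTS:
            # A tunnel is opaque after this point: all the proxy can do is limit where it goes.
            return "allow", f"{client} CONNECT {target}", raw
        return "deny", f"{client} CONNECT {target} refused (tunnel policy)", None

    if method not in ALLOWED_METHODS:
        return "deny", f"{client} {method} {target} refused (method policy)", None

    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        return "deny", f"{client} {method} {target} refused (need absolute http URL)", None

    # Rebuild the request in origin-form for the server: drop the client's
    # identifying headers, supply our own Host and Via, so the server sees
    # only the proxy as the originator of the connection.
    kept = [(n, v) for n, v in headers
            if n.lower() not in STRIP_HEADERS and n.lower() != "host"]
    kept.append(("Host", url.netloc))
    kept.append(("Via", f"1.1 {PROXY_NAME}"))
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    out = f"{method} {path} {version}\r\n"
    out += "".join(f"{n}: {v}\r\n" for n, v in kept) + "\r\n"
    return "allow", f"{client} {method} {target}", out.encode("latin-1") + body


# Constructed sample traffic from a hypothetical inside host.
SAMPLES = [
    b"GET http://www.example.com/index.html?x=1 HTTP/1.1\r\nHost: www.example.com\r\n"
    b"X-Forwarded-For: 192.168.1.10\r\nUser-Agent: t\r\n\r\n",
    b"CONNECT irc.example.net:6667 HTTP/1.1\r\nHost: irc.example.net:6667\r\n\r\n",
    b"CONNECT www.example.com:443 HTTP/1.1\r\n\r\n",
    b"DELETE http://www.example.com/ HTTP/1.1\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost www.example.com\r\n\r\n",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        verdict, log, _ = proxy_decision(raw, "192.168.1.10")
        print(f"{verdict:5} {log}")
```

The second sample is the IRC control channel of 2.4: the proxy only ever sees a CONNECT to port 6667 and refuses it, where a network layer rule permitting ``any inside to any outside'' would have passed it.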
3.4 What are some cheap packet screening tools?
The Texas A&M University security tools include software for implementing screening routers. Karlbridge is a PC-based screening router kit available from ftp://ftp.net.ohio-state.edu/pub/kbridge/.
There are numerous kernel-level packet screens, including ipf, ipfw, ipchains, pf, and ipfwadm. Typically, these are included in various free Unix implementations, such as FreeBSD, OpenBSD, NetBSD, and Linux. You might also find these tools available in your commercial Unix implementation.
If you're willing to get your hands a little dirty, it's completely possible to build a secure and fully functional firewall for the price of hardware and some of your time.
3.5 What are some reasonable filtering rules for a kernel-based packet screen?
This example is written specifically for ipfwadm on Linux, but the principles (and even much of the syntax) apply to other kernel interfaces for packet screening on ``open source'' Unix systems.
There are four basic categories covered by the ipfwadm rules:
- -A
- Packet Accounting
- -I
- Input firewall
- -O
- Output firewall
- -F
- Forwarding firewall
ipfwadm also has masquerading (-M) capabilities. For more information on switches and options, see the ipfwadm man page.
Here, our organization is using a private (RFC 1918) Class C network 192.168.1.0. Our ISP has assigned us the address 201.123.102.32 for our gateway's external interface and 201.123.102.33 for our external mail server. Organizational policy says:
- Allow all outgoing TCP connections
- Allow incoming SMTP and DNS to external mail server
- Block all other traffic
The following block of commands can be placed in a system boot file (perhaps rc.local on Unix systems).
# flush the forwarding chain and make its default policy deny
ipfwadm -F -f
ipfwadm -F -p deny
# inbound SMTP (tcp/25) and DNS (tcp and udp/53) from unprivileged client ports
# to the external mail server; -i inserts at the head of the chain, -b makes
# the rule match in both directions so replies get through as well
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 25
ipfwadm -F -i m -b -P tcp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
ipfwadm -F -i m -b -P udp -S 0.0.0.0/0 1024:65535 -D 201.123.102.33 53
# masquerade (policy m) everything from the private net leaving via eth0,
# which in this setup is the external interface
ipfwadm -F -a m -S 192.168.1.0/24 -D 0.0.0.0/0 -W eth0
# the mail server itself lives inside at 192.168.1.2; route its public address to it
/sbin/route add -host 201.123.102.33 gw 192.168.1.2
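The contrast drawn in 3.2 between a router-style screen that judges each packet on its own and a modern network layer firewall that keeps connection state, applied to the policy of 3.5, as an added example that is not code from this FAQ: a small simulation in Python rather than real kernel rules, so that the two kinds of screen can be run side by side over the same traffic. Addressing follows 3.5 (192.168.1.0/24 inside, 201.123.102.33 the mail host); the packet trace, the outside addresses 198.51.100.7, 198.51.100.9 and 203.0.113.5, and the `Packet` record layout are constructed for the example, and masquerading is left out so replies carry the inside address directly. The stateless screen admits replies the way a Cisco `established` rule (see 3.6) does, by trusting the ACK bit, which is why an ACK probe aimed at an arbitrary inside host gets through it but not through the stateful one.

```python
"""Stateless vs stateful packet screening for the policy in section 3.5.

Added example, not code from the Firewalls FAQ. Packets are plain records
rather than real captures; the trace in run_scenario() is constructed.
Addressing follows 3.5: 192.168.1.0/24 inside, 201.123.102.33 is the mail
host. Masquerading is left out, so replies carry the inside address directly.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str      # "int": arrived from the inside net, "ext": arrived from the ISP
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


INTERNAL = ip_network("192.168.1.0/24")
MAILHOST = ip_address("201.123.102.33")
# Source networks that can never legitimately arrive on the outside interface
# (loopback and RFC 1918 space, which includes our own inside net).
BOGONS = [ip_network(n) for n in
          ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Policy of 3.5: all outgoing TCP, inbound SMTP and DNS to the mail host, nothing else.
INBOUND_SERVICES = {("tcp", 25), ("tcp", 53), ("udp", 53)}


def spoofed(pkt):
    src = ip_address(pkt.src)
    return any(src in net for net in BOGONS)


def decide_stateless(pkt):
    """Router-style screen: each packet is judged alone. The only way it can
    let replies to outgoing connections back in is to trust the ACK bit,
    which is what a Cisco 'established' rule does."""
    if pkt.iface == "int":
        return "accept" if ip_address(pkt.src) in INTERNAL and pkt.proto == "tcp" else "deny"
    if spoofed(pkt):
        return "deny"
    if ip_address(pkt.dst) == MAILHOST and (pkt.proto, pkt.dport) in INBOUND_SERVICES:
        return "accept"
    if pkt.proto == "tcp" and pkt.ack:
        return "accept"          # "established": any TCP packet with ACK set
    return "deny"


class StatefulScreen:
    """Keeps a table of connections opened from inside and admits only
    packets that answer one of them."""

    def __init__(self):
        self.conns = set()      # (src, sport, dst, dport) of outbound TCP connections

    def decide(self, pkt):
        if pkt.iface == "int":
            if ip_address(pkt.src) in INTERNAL and pkt.proto == "tcp":
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "accept"
            return "deny"
        if spoofed(pkt):
            return "deny"
        if ip_address(pkt.dst) == MAILHOST and (pkt.proto, pkt.dport) in INBOUND_SERVICES:
            return "accept"
        reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "tcp" and reply_of in self.conns:
            return "accept"      # a real reply to a connection we saw go out
        return "deny"            # ACK set or not, nobody inside asked for this


def run_scenario():
    """Constructed trace; returns (label, stateless verdict, stateful verdict)."""
    stateful = StatefulScreen()
    trace = [
        ("outbound SYN to a web server",
         Packet("int", "tcp", "192.168.1.10", 4000, "198.51.100.7", 80, syn=True)),
        ("SYN/ACK reply to it",
         Packet("ext", "tcp", "198.51.100.7", 80, "192.168.1.10", 4000, syn=True, ack=True)),
        ("ACK probe, no prior connection",
         Packet("ext", "tcp", "198.51.100.9", 80, "192.168.1.20", 4001, ack=True)),
        ("inbound SMTP to the mail host",
         Packet("ext", "tcp", "203.0.113.5", 34567, "201.123.102.33", 25, syn=True)),
        ("inbound DNS query (udp) to the mail host",
         Packet("ext", "udp", "203.0.113.5", 53001, "201.123.102.33", 53)),
        ("inbound SSH to the mail host",
         Packet("ext", "tcp", "203.0.113.5", 34568, "201.123.102.33", 22, syn=True)),
        ("outside packet claiming an inside source",
         Packet("ext", "tcp", "192.168.1.5", 4000, "192.168.1.10", 139, syn=True)),
    ]
    return [(label, decide_stateless(p), stateful.decide(p)) for label, p in trace]


if __name__ == "__main__":
    for label, sl, sf in run_scenario():
        print(f"{label:42} stateless={sl:7} stateful={sf}")
```

The third packet is the one to watch: a bare ACK from an address nobody inside has talked to passes the stateless screen on every inside port, because ``established'' can only mean ``has the ACK bit set''. The stateful screen denies it because no entry in its table matches, which is the difference 3.2 describes between a screening router and a firewall that maintains connection state.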
3.6 What are some reasonable filtering rules for a Cisco?
The example in Figure 4 shows one possible configuration for using a Cisco router as a filtering router. It is a sample that shows the implementation of a specific policy. Your policy will undoubtedly vary.
Figure 4: Packet Filtering Router
In this example, a company has the Class C network address 195.55.55.0. The company network is connected to the Internet via an IP service provider. Company policy is to allow everybody access to Internet services, so all outgoing connections are accepted. All incoming connections go through ``mailhost''. Mail and DNS are the only incoming services.
- Allow all outgoing TCP-connections
- Allow incoming SMTP and DNS to mailhost
- Allow incoming FTP data connections to high TCP ports (> 1024)
- Try to protect services that live on high port numbers
Only incoming packets from the Internet are checked in this configuration. Rules are tested in order and processing stops at the first match. There is an implicit deny rule at the end of every access list that drops everything not explicitly permitted. This IP access list assumes that you are running Cisco IOS v. 10.3 or later.
no ip source-route
!
interface ethernet 0
ip address 195.55.55.1 255.255.255.0
no ip directed-broadcast
!
interface serial 0
no ip directed-broadcast
ip access-group 101 in
!
! anti-spoofing: loopback, RFC 1918 space, and packets aimed at a
! broadcast or network address must never arrive from the outside
access-list 101 deny ip 127.0.0.0 0.255.255.255 any
access-list 101 deny ip 10.0.0.0 0.255.255.255 any
access-list 101 deny ip 172.16.0.0 0.15.255.255 any
access-list 101 deny ip 192.168.0.0 0.0.255.255 any
access-list 101 deny ip any 0.0.0.255 255.255.255.0
access-list 101 deny ip any 0.0.0.0 255.255.255.0
!
! our own addresses never come in from the serial side either; then let
! replies to outgoing connections through (any TCP packet with ACK or RST
! set, so this rule cannot tell a real reply from an ACK probe)
access-list 101 deny ip 195.55.55.0 0.0.0.255 any
access-list 101 permit tcp any any established
!
access-list 101 permit tcp any host 195.55.55.10 eq smtp
access-list 101 permit tcp any host 195.55.55.10 eq domain
access-list 101 permit udp any host 195.55.55.10 eq domain
!
! X11, OpenWindows and NFS live on high ports; block them before the
! FTP data rule below opens the high ports
access-list 101 deny tcp any any range 6000 6003
access-list 101 deny tcp any any range 2000 2003
access-list 101 deny tcp any any eq 2049
access-list 101 deny udp any any eq 2049
!
access-list 101 permit tcp any eq 20 any gt 1024
!
access-list 101 permit icmp any any
!
snmp-server community FOOBAR RO 2
line vty 0 4
access-class 2 in
access-list 2 permit 195.55.55.0 0.0.0.255
- Drop all source-routed packets. Source routing can be used for address spoofing.
- Drop directed broadcasts, which are used in smurf attacks.
- If an incoming packet claims to be from a local net, loopback network, or private network, drop it.
- All packets which are part o