Table of Contents
Life Outside The Firewall
Guidelines for Systems Which Have To Protect Themselves
1. Do the Obvious Things
Turn off extra TCP and UDP services
TCP/IP Services Come Through Two Paths
Rules for Services
Log Access to Services
Logs Are Useless Unless You Use Them
Synchronize Clocks with a Global Time Source
NTP is an inexpensive alternative
NTP Model
Typical site NTP configuration
Only Talk To Your Friends
2. Never Trust The Untrusted
Relay systems can be an exception
Relay systems can still be a problem!
NFS is not allowed outside the firewall
Stateless protocols are harder to secure
3. Don’t Fiddle With Your Firewall
Hint: If you have services on your firewall, you’ll need to fiddle...
Firewall Anecdote
4. Everything Gets Its Own Box
DNS is a special case
Logging is another special case
5. Never Use IP-based Authentication
“r” Services authentication
That’s great except...
PPT Slide
http://www.cs.purdue.edu/homes/swlodin/cmad/report.html
6. Use Kerberos and One-Time Passwords to Log In
Authentication methods and their flaws
Use Kerberos instead of Rshell/Rlogin/Telnet
Obtaining a Ticket
Network-wide login
Kerberos Security
Initial configuration is simple
Example of Kerberos in LAN/WAN environment
Kerberos Details (for the curious)
Kerberos details 2
Kerberos details 3
Kerberos details 4
There are three kinds of OTPs
Time-synchronized
Challenge/Response
One-Time Pad
7. Denial-of-Service Attacks are Hard to Protect Against
PPT Slide
SYN attacks allocate resources by making half-open connections
Denial of Service Attacks Use Resources
Simple steps to avoiding a DoS attack
Tweak TCP/IP to break down dead connections quickly
Allocate resources to absorb a low-level SYN attack
For socket-based applications, look for listen() call
8. You Only Trust What You Know
DNS can be fooled
PPT Slide
You can’t trust stacks
Last week’s bug (ᡖ known!)
and you definitely cannot trust Microsoft
9. Don’t Be Afraid To Say “No.”
Your threats are unexpected
Life Outside The Firewall