The attached publication has been archived (withdrawn), and is provided solely for historical purposes.
It may have been superseded by another publication (indicated below).

Archived Publication

Series/Number: NIST Special Publication 800-10
Title: Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls
Publication Date(s): December 1994
Withdrawal Date:
Withdrawal Note:

Superseding Publication(s)

The attached publication has been superseded by the following publication(s):

Series/Number:
Title:
Author(s):
Publication Date(s):
URL/DOI:

Additional Information (if applicable)

Computer Security Division (Information Technology Lab)
http://csrc.nist.gov/
Contact:
Latest revision of the attached publication:
Related information:
Withdrawal announcement (link):

Date updated: June 9, 2015

GUEST TEK EXHIBIT 1007
Guest Tek v. Nomadix, IPR2019-01191

NIST PUBLICATIONS
NIST Special Publication 800-10

U.S. DEPARTMENT OF COMMERCE
Technology Administration
National Institute of Standards and Technology

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls

John P. Wack
Lisa J. Carnahan

COMPUTER SECURITY

The National Institute of Standards and Technology was established in 1988 by Congress to "assist industry in the development of technology . . . needed to improve product quality, to modernize manufacturing processes, to ensure product reliability . . . and to facilitate rapid commercialization . . . of products based on new scientific discoveries."

NIST, originally founded as the National Bureau of Standards in 1901, works to strengthen U.S. industry's competitiveness; advance science and engineering; and improve public health, safety, and the environment. One of the agency's basic functions is to develop, maintain, and retain custody of the national standards of measurement, and provide the means and methods for comparing standards used in science, engineering, manufacturing, commerce, industry, and education with the standards adopted or recognized by the Federal Government.

As an agency of the U.S. Commerce Department's Technology Administration, NIST conducts basic and applied research in the physical sciences and engineering, and develops measurement techniques, test methods, standards, and related services. The Institute does generic and precompetitive work on new and advanced technologies. NIST's research facilities are located at Gaithersburg, MD 20899, and at Boulder, CO 80303. Major technical operating units and their principal activities are listed below. For more information contact the Public Inquiries Desk, 301-975-3058.

Office of the Director
• Advanced Technology Program
• Quality Programs
• International and Academic Affairs

Technology Services
• Manufacturing Extension Partnership
• Standards Services
• Technology Commercialization
• Measurement Services
• Technology Evaluation and Assessment
• Information Services

Materials Science and Engineering Laboratory
• Intelligent Processing of Materials
• Ceramics
• Materials Reliability¹
• Polymers
• Metallurgy
• Reactor Radiation

Chemical Science and Technology Laboratory
• Biotechnology
• Chemical Kinetics and Thermodynamics
• Analytical Chemical Research
• Process Measurements²
• Surface and Microanalysis Science
• Thermophysics²

Physics Laboratory
• Electron and Optical Physics
• Atomic Physics
• Molecular Physics
• Radiometric Physics
• Quantum Metrology
• Ionizing Radiation
• Time and Frequency¹
• Quantum Physics¹

Manufacturing Engineering Laboratory
• Precision Engineering
• Automated Production Technology
• Intelligent Systems
• Manufacturing Systems Integration
• Fabrication Technology

Electronics and Electrical Engineering Laboratory
• Microelectronics
• Law Enforcement Standards
• Electricity
• Semiconductor Electronics
• Electromagnetic Fields¹
• Electromagnetic Technology¹
• Optoelectronics¹

Building and Fire Research Laboratory
• Structures
• Building Materials
• Building Environment
• Fire Safety
• Fire Science

Computer Systems Laboratory
• Office of Enterprise Integration
• Information Systems Engineering
• Systems and Software Technology
• Computer Security
• Systems and Network Architecture
• Advanced Systems

Computing and Applied Mathematics Laboratory
• Applied and Computational Mathematics²
• Statistical Engineering²
• Scientific Computing Environments²
• Computer Services
• Computer Systems and Communications²
• Information Systems

¹ At Boulder, CO 80303.
² Some elements at Boulder, CO 80303.

NIST Special Publication 800-10

Keeping Your Site Comfortably Secure: An Introduction to Internet Firewalls

John P. Wack
Lisa J. Carnahan

COMPUTER SECURITY

Computer Systems Laboratory
National Institute of Standards and Technology
Gaithersburg, MD 20899-0001

December 1994

U.S. Department of Commerce
Ronald H. Brown, Secretary

Technology Administration
Mary L. Good, Under Secretary for Technology

National Institute of Standards and Technology
Arati Prabhakar, Director

Reports on Computer Systems Technology

The National Institute of Standards and Technology (NIST) has a unique responsibility for computer systems technology within the Federal government. NIST's Computer Systems Laboratory (CSL) develops standards and guidelines, provides technical assistance, and conducts research for computers and related telecommunications systems to achieve more effective utilization of Federal information technology resources. CSL's responsibilities include development of technical, management, physical, and administrative standards and guidelines for the cost-effective security and privacy of sensitive unclassified information processed in Federal computers. CSL assists agencies in developing security plans and in improving computer security awareness training. This Special Publication 800 series reports CSL research and guidelines to Federal agencies as well as to organizations in industry, government, and academia.

National Institute of Standards and Technology Special Publication 800-10
Natl. Inst. Stand. Technol. Spec. Publ. 800-10, 70 pages (Dec. 1994)
CODEN: NSPUE2

U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON: 1994

For sale by the Superintendent of Documents, U.S. Government Printing Office, Washington, DC 20402

Abstract

This document provides an overview of the Internet and security-related problems. It then provides an overview of firewall components and the general reasoning behind firewall usage. Several types of network access policies are described, as well as technical implementations of those policies. Lastly, the document contains pointers and references for more detailed information.

The document is designed to assist users in understanding the nature of Internet-related security problems and what types of firewalls will solve or alleviate specific problems. Users can then use this document to assist in purchasing or planning a firewall.

This work is a contribution of the National Institute of Standards and Technology, and is not subject to copyright.

Because of the nature of this report, it is necessary to mention vendors and commercial products. The presence or absence of a particular trade name product does not imply criticism or endorsement by the National Institute of Standards and Technology, nor does it imply that the products identified are necessarily the best available.

Acknowledgments

The National Institute of Standards and Technology would like to thank the following individuals who reviewed drafts of this document and advised on document structure and content: David Curry of Purdue University, Uwe Ellermann of the DFN-CERT in Germany, and Stephen Weeber of the Department of Energy's Computer Incident Advisory Capability (CIAC).

Contents

Preface  ix

1 Introduction to the Internet and Internet Security  1
1.1 The Internet  1
1.1.1 Common Services  2
1.1.2 Internet Hosts  3
1.2 Overview of TCP/IP Internals  3
1.2.1 IP  4
1.2.2 TCP  5
1.2.3 UDP  6
1.2.4 ICMP  6
1.2.5 TCP and UDP Port Structure  6
1.3 Security-Related Problems  8
1.3.1 Security Incidents on the Internet  8
1.3.2 Weak Authentication  9
1.3.3 Ease of Spying/Monitoring  10
1.3.4 Ease of Spoofing  10
1.3.5 Flawed LAN Services and Mutually Trusting Hosts  12
1.3.6 Complex Configuration and Controls  12
1.3.7 Host-based Security Does Not Scale  13
1.4 How Vulnerable Are Internet Sites?  13

2 Introduction to Firewalls  15
2.1 The Firewall Concept  15
2.2 Why Firewalls  16
2.2.1 Protection from Vulnerable Services  16
2.2.2 Controlled Access to Site Systems  17
2.2.3 Concentrated Security  17
2.2.4 Enhanced Privacy  17
2.2.5 Logging and Statistics on Network Use, Misuse  18
2.2.6 Policy Enforcement  18
2.3 Issues and Problems with Firewalls  18
2.3.1 Restricted Access to Desirable Services  18
2.3.2 Large Potential for Back Doors  19
2.3.3 Little Protection from Insider Attacks  19
2.3.4 Other Issues  19
2.4 Firewall Components  20
2.4.1 Network Policy  21
2.4.2 Advanced Authentication  22
2.4.3 Packet Filtering  24
2.4.4 Application Gateways  29

3 Putting the Pieces Together: Firewall Examples  33
3.1 Packet Filtering Firewall  33
3.2 Dual-homed Gateway Firewall  34
3.3 Screened Host Firewall  36
3.4 Screened Subnet Firewall  38
3.5 Integrating Modem Pools with Firewalls  40

4 Next Steps  43
4.1 Firewall Policy  43
4.1.1 Steps in Creating a Service Access Policy  43
4.1.2 Flexibility in Policy  45
4.1.3 Remote User Advanced Authentication Policy  45
4.1.4 Dial-in/out Policy  46
4.1.5 Remote Network Connections  46
4.1.6 Information Server Policy  46
4.2 Procuring a Firewall  47
4.2.1 What Should a Firewall Contain?  47
4.2.2 To Buy or Build a Firewall  49
4.3 Administration Issues with Firewalls  50
4.3.1 System Management Expertise  50
4.3.2 Site System Administration  50
4.3.3 Incident Handling Contacts  51

Bibliography  53

A On-Line Sources for More Information  55
A.1 Firewall-Specific Information  55
A.2 NIST Computer Security Resource Clearinghouse  55
A.3 Forum of Incident Response and Security Teams  56

B Internet Firewalls Frequently Asked Questions  59

List of Figures

1.1 Conceptual View of Services and Layers in TCP/IP.  4
1.2 TELNET Port, IP Interaction.  7
2.1 Router and Application Gateway Firewall Example.  15
2.2 Use of Advanced Authentication on a Firewall to Preauthenticate TELNET, FTP Traffic.  23
2.3 Representation of Packet Filtering on TELNET and SMTP.  25
2.4 Virtual Connection Implemented by an Application Gateway and Proxy Services.  29
3.1 Packet Filtering Firewall.  34
3.2 Dual-homed Gateway Firewall with Router.  35
3.3 Screened Host Firewall.  37
3.4 Screened Subnet Firewall with Additional Systems.  39
3.5 Modem Pool Placement with Screened Host Firewall.  41
3.6 Modem Pool Placement with Screened Subnet and Dual-Homed Firewalls.  42

Preface

The Internet is a world-wide collection of networks that all use a common protocol for communications. Many organizations are in the process of connecting to the Internet to take advantage of Internet services and resources. Businesses and agencies are now using the Internet or considering Internet access for a variety of purposes, including exchanging e-mail, distributing agency information to the public, and conducting research. Many organizations are connecting their existing internal local area networks to the Internet so that local area network workstations can have direct access to Internet services.

Internet connectivity can offer enormous advantages; however, security needs to be a major consideration when planning an Internet connection. There are significant security risks associated with the Internet that often are not obvious to new (and existing) users. In particular, intruder activity as well as vulnerabilities that could assist intruder activity are widespread. Intruder activity is difficult to predict and at times can be difficult to discover and correct. Many organizations already have lost productive time and money in dealing with intruder activity; some organizations have had their reputations suffer as a result of intruder activity at their sites being publicized.

This publication focuses on security considerations for organizations considering Internet connections as well as for organizations already connected to the Internet. In particular, this document focuses on Internet firewalls as one of the mechanisms and methods used for protecting sites against Internet-borne threats. This document recommends that organizations use firewall technology and other related tools to filter connections and limit access. This document is an expansion of the issues and guidance contained in NIST CSL Bulletin, Connecting to the Internet: Security Considerations [NIST93].

Purpose

The purpose of this document is to provide a basis of understanding of how firewalls work and the steps necessary for implementing firewalls. Users can then use this document to assist in planning or purchasing a firewall. This document does not explain how to build a firewall; references are provided for more detailed information.

Audience

The intended audience of this publication is technical-level management, i.e., those individuals who may be responsible for implementing or maintaining Internet connections. This document would also be appropriate for other management who wish to learn more about Internet security issues.

Some technical background in computer security and computer network communications is assumed. However, this document is intended to be a starting point; more detailed information about Internet security and firewalls can be found in the references section.

Document Structure

This document begins with an overview of the Internet and common services. It describes Internet-related security problems in detail by examining problems with various TCP/IP services and by examining other factors that have caused the Internet to grow less secure. Chapter 2 discusses firewalls, their benefits as well as their disadvantages, and then the various firewall components, including advanced authentication measures and network access policy. Chapter 3 describes several firewall configurations that illustrate how the firewall components fit together and can be used to implement various policies. Chapter 4 discusses procurement, administrative issues, and other actions sites should take to secure their Internet-connected systems. Appendix A provides pointers to other books and information about firewalls and Internet security. Appendix B contains a collection of frequently asked questions about firewalls that is available on-line (see Appendix B for more information).

Terminology

Internet firewalls are often referred to as secure Internet gateways in other literature. This document uses firewall to refer to a secure Internet gateway.

A firewall, as defined in this document, includes a number of items such as policy, network arrangement, and technical controls and procedures. This document uses firewall system when referring to the hosts or routers that implement the firewall.

This document, when referring to a network protected by a firewall, uses protected subnet or protected LAN (Local Area Network).

Some people dispute whether TCP/IP protocols should be referred to as protocols or services. It could be argued, for example, that TELNET is a protocol, a service, or a command. Where it makes obvious sense, this document uses protocol; otherwise it uses service.

This document uses application gateways to refer to some firewall systems as opposed to bastion hosts.

As much as possible, this document avoids using terms such as hacker and cracker, and uses instead the less ambiguous intruder and attacker.

Background

The Internet is a vital and growing network that is changing the way many organizations and individuals communicate and do business. However, the Internet suffers from significant and widespread security problems. Many agencies and organizations have been attacked or probed¹ by intruders, with resultant high losses to productivity and reputation. In some cases, organizations have had to disconnect from the Internet temporarily, and have invested significant resources in correcting problems with system and network configuration. Sites that are unaware of or ignorant of these problems face a significant risk that they will be attacked by network intruders. Even sites that do observe good security practices face problems with new vulnerabilities in networking software and the persistence of some intruders.

A number of factors have contributed to this state of affairs. The fundamental problem may be that the Internet was not designed to be very secure, i.e., open access for the purposes of research was the prime consideration at the time the Internet was implemented. However, the phenomenal success of the Internet in combination with the introduction of different types of users, including unethical users, has aggravated existing security deficiencies to the extent that wide-open Internet sites risk inevitable break-ins and resultant damages. Other factors include the following:

• vulnerable TCP/IP services - a number of the TCP/IP services are not secure and can be compromised by knowledgeable intruders; services used in the local area networking environment for improving network management are especially vulnerable,

• ease of spying and spoofing - the majority of Internet traffic is unencrypted; e-mail, passwords, and file transfers can be monitored and captured using readily-available software, and intruders can then reuse passwords to break into systems,

• lack of policy - many sites are configured unintentionally for wide-open Internet access without regard for the potential for abuse from the Internet; many sites permit more TCP/IP services than they require for their operations and do not attempt to limit access to information about their computers that could prove valuable to intruders, and

• complexity of configuration - host security access controls are often complex to configure and monitor; controls that are accidentally misconfigured often result in unauthorized access.

¹ Intruders have been observed to target specific sites for intrusions by methodically scanning host systems for vulnerabilities. Intruders often use automated probes, i.e., software that scans all host systems connected to a site's network. This is sometimes referred to as probing a site.

Solutions

Fortunately, there are readily-available solutions that can be used to improve site security. A firewall system is one technique that has proven highly effective for improving the overall level of site security. A firewall system is a collection of systems, routers, and policy placed at a site's central connection to a network. A firewall forces all network connections to pass through the gateway where they can be examined and evaluated, and provides other services such as advanced authentication measures to replace simple passwords. The firewall may then restrict access to or from selected systems, or block certain TCP/IP services, or provide other security features. A well-configured firewall system can act also as an organization's "public-relations vehicle" and can help to present a favorable image of the organization to other Internet users.

A simple network usage policy that can be implemented by a firewall system is to provide access from internal to external systems, but little or no access from external to internal systems. However, a firewall does not negate the need for stronger system security. There are many tools available for system administrators to enhance system security and provide additional logging capability. Such tools can check for strong passwords, log connection information, detect changes in system files, and provide other features that will help administrators detect signs of intruders and break-ins.

Recommendations

NIST recommends that agencies and organizations, prior to connecting to the Internet, develop policy that clearly identifies the Internet services they will be using and how those services will be used. The policy should be clear, concise, and understandable, with built-in mechanisms for changing the policy. Organizations should strongly consider using firewall systems as part of the implementation of that policy. NIST recommends also that agencies and organizations use advanced authentication measures, i.e., smartcards, or authentication tokens, or other one-time password mechanisms, as an integral part of firewalls for authenticating connections to site systems.

1 Introduction to the Internet and Internet Security

While Internet connectivity offers enormous benefits in terms of increased access to information, Internet connectivity is not necessarily a good thing for sites with low levels of security. The Internet suffers from glaring security problems that, if ignored, could have disastrous results for unprepared sites. Inherent problems with TCP/IP services, the complexity of host configuration, vulnerabilities introduced in the software development process, and a variety of other factors have all contributed to making unprepared sites open to intruder activity and related problems.

The following sections present a brief overview of the Internet and TCP/IP, and then explain what some of the Internet security related problems are and what factors have contributed to their seriousness.

1.1 The Internet

The Internet is a world-wide "network of networks" that use the TCP/IP (Transmission Control Protocol/Internet Protocol) protocol suite for communications. The Internet was created initially to help foster communication among government-sponsored researchers. Throughout the 1980's, the Internet grew steadily to include educational institutions, government agencies, commercial organizations, and international organizations. In the 1990's, the Internet has undergone phenomenal growth, with connections increasing faster than any other network ever created (including the telephone network). Many millions of users are now connected to the Internet, with roughly half being business users [Cerf93]. The Internet is being used as the basis for the National Information Infrastructure (NII).

1.1.1 Common Services

There are a number of services associated with TCP/IP and the Internet. The most commonly used service is electronic mail (e-mail), implemented by the Simple Mail Transfer Protocol (SMTP). Also, TELNET (terminal emulation), for remote terminal access, and FTP (file transfer protocol) are used widely. Beyond that, there are a number of services and protocols used for remote printing, remote file and disk sharing, management of distributed databases, and for information services. Following is a brief list of the most common services:

• SMTP - Simple Mail Transfer Protocol, used for sending and receiving electronic mail,

• TELNET - used for connecting to remote systems connected via the network, uses basic terminal emulation features,

• FTP - File Transfer Protocol, used to retrieve or store files on networked systems,

• DNS - Domain Name Service, used by TELNET, FTP, and other services for translating host names to IP addresses,

• information-based services, such as
  - gopher - a menu-oriented information browser and server that can provide a user-friendly interface to other information-based services,
  - WAIS - Wide Area Information Service, used for indexing and searching with databases of files, and
  - WWW/http - World Wide Web, a superset of FTP, gopher, WAIS, other information services, using the hypertext transfer protocol (http), with Mosaic being a popular WWW client,

• RPC-based services - Remote Procedure Call services, such as
  - NFS - Network File System, allows systems to share directories and disks, causes a remote directory or disk to appear to be local, and
  - NIS - Network Information Services, allows multiple systems to share databases, e.g., the password file, to permit centralized management,

• X Window System - a graphical windowing system and set of application libraries for use on workstations, and

• rlogin, rsh, and other "r" services - employ a concept of mutually trusting hosts, for executing commands on other systems without requiring a password.

Although TCP/IP can be used equally well in a local area or wide area networking environment, a common use is for file and printer sharing at the local area networking level and for electronic mail and remote terminal access at both the local and the wide area networking levels. Gopher and Mosaic are increasingly popular; both present problems to firewall designers as will be discussed in later sections.

1.1.2 Internet Hosts

Many host systems connected to the Internet run a version of the UNIX operating system. TCP/IP was first implemented in the early 1980's for the version of UNIX written at the University of California at Berkeley known as the Berkeley Software Distribution (BSD). Many modern versions of UNIX derive their networking code directly from the BSD releases, thus UNIX provides a more-or-less standard set of TCP/IP services. This standard of sorts has resulted in many different versions of UNIX suffering from the same vulnerabilities; however, it has also provided a common means for implementing firewall strategies such as IP packet filtering. It is important to note that BSD UNIX source code is fairly easy to obtain free from Internet sites, thus many good and bad people have been able to study the code for potential flaws and exploitable vulnerabilities.

Although UNIX is the predominant Internet host operating system, many other types of operating systems and computers are connected to the Internet, including systems running Digital Equipment Corporation's VMS, NeXT, mainframe operating systems, and personal computer operating systems such as for DOS, Microsoft Windows, and for Apple systems. Although personal computer systems often provide only client services, i.e., one can use TELNET to connect from but not to a personal computer, increasingly powerful personal computers are also beginning to provide, at low cost, the same services as larger hosts. Versions of UNIX for the personal computer, including Linux, FreeBSD, and BSDi, and other operating systems such as Microsoft Windows NT, can provide the same services and applications that were, until recently, found only on larger systems. The ramifications of this are that more people are able to utilize a wider array of TCP/IP services than ever before. While this is good in that the benefits of networking are more available, it has negative consequences in that there is more potential for harm from intruders (as well as uneducated but well-intentioned users who, to some sites, may appear to be intruders).

1.2 Overview of TCP/IP Internals

This section provides a simplified overview of TCP/IP for the purposes of later discussion on Internet-related security problems. [Com91a], [Com91b], [Ford94], [Hunt92], and [Bel89] provide more complete descriptions; readers who wish to learn more should consult these references.

Part of the popularity of the TCP/IP protocol suite is due to its ability to be implemented on top of a variety of communications channels and lower-level protocols such as T1 and X.25, Ethernet, and RS-232-controlled serial lines. Most sites use Ethernet connections at local area networks to connect hosts and client systems, and then connect that network via a T1 line to a regional network (i.e., a regional TCP/IP backbone) that connects to other organizational networks and backbones. Sites customarily have one connection to the Internet, but large sites often have two or more connections. Modem speeds are increasing as new communications standards are being approved, thus versions of TCP/IP that operate over the switched telephone network are becoming more popular. Many sites and individuals use PPP (Point-to-Point Protocol) and SLIP (Serial Line IP) to connect networks and workstations to other networks using the switched telephone network.

TCP/IP is more correctly a suite of protocols including TCP and IP, UDP (User Datagram Protocol), ICMP (Internet Control Message Protocol), and several others. The TCP/IP protocol suite does not conform exactly to the Open Systems Interconnection's seven layer model, but rather could be pictured as shown in figure 1.1.

[Figure 1.1: Conceptual View of Services and Layers in TCP/IP. The figure is not reproduced here; the layer labels that survive from it are APPLICATION LAYER, TRANSPORT LAYER (TCP), NETWORK LAYER (IP, ICMP), and PHYSICAL LAYER.]

1.2.1 IP

The IP layer receives packets delivered by lower-level layers, e.g., an Ethernet device driver, and passes the packets "up" to the higher-layer TCP or UDP layers. Conversely, IP transmits packets that have been received from the TCP or UDP layers to the lower-level layer.

IP packets are unreliable datagrams in that IP does nothing to ensure that IP packets are delivered in sequential order or are not damaged by errors. The IP packets contain the address of the host from which the packet was sent, referred to as the source address, and the address of the host that is to receive the packet, referred to as the destination address.

The higher-level TCP and UDP services generally assume that the source address in a packet is valid when accepting a packet. In other words, the IP address forms the basis of authentication for many services; the services trust that the packet has been sent from a valid host and that host is indeed who it says it is. IP does contain an option known as IP Source Routing, which can be used to specify a direct route to a destination and return path back to the origination. The route could involve the use of other routers or hosts that normally would not be used to forward packets to the destination. A source routed IP packet, to some TCP and UDP services, appears to come from the last system in the route as opposed to coming from the true origination. This option exists for testing purposes; however, [Bel89] points out that source routing can be used to trick systems into permitting connections from systems that otherwise would not be permitted to connect. Thus, that a number of services trust and rely on the authenticity of the IP source address is problematic and can lead to break-ins and intruder activity.

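As an added example, not taken from the publication, the following Python code shows the two checks a screening router would apply against the two problems just described: it parses an IPv4 header, drops packets that carry a loose or strict source route option (option type codes 131 and 137 as defined in RFC 791), and drops packets that arrive on the external interface while claiming a source address inside the protected subnet, which is the address-based trust the section warns about. The protected range 192.0.2.0/24, the helper functions and the sample packets are constructed for the demonstration; the headers carry a zero checksum since only the address and option fields are examined.

```python
import ipaddress
import struct

# IP option type codes from RFC 791: loose and strict source routing.
LSRR = 131
SSRR = 137

# Constructed for this example: the address range of the protected subnet.
INTERNAL_NET = ipaddress.ip_network("192.0.2.0/24")


def parse_ipv4_header(packet: bytes) -> dict:
    """Pull protocol, addresses and the raw option bytes out of an IPv4 header."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, _total_len, _ident, _flags_frag, _ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("malformed IPv4 header")
    return {"proto": proto,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "options": packet[20:ihl]}


def option_types(options: bytes):
    """Walk the option list and yield each option's type code."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:            # End of Option List
            return
        if kind == 1:            # No-Operation: single byte, no length field
            i += 1
            continue
        yield kind
        if i + 1 >= len(options) or options[i + 1] < 2:
            return               # malformed length: stop rather than loop forever
        i += options[i + 1]


def screen_inbound(packet: bytes) -> str:
    """Verdict for a packet arriving on the external (Internet-facing) interface."""
    hdr = parse_ipv4_header(packet)
    if set(option_types(hdr["options"])) & {LSRR, SSRR}:
        return "drop: source-routed"
    if hdr["src"] in INTERNAL_NET:
        return "drop: internal source address from outside"
    return "accept"


# Helpers to construct sample packets (header only; checksum left at zero).

def source_route_option(hops, strict: bool = False) -> bytes:
    """Encode an LSRR/SSRR option: type, length, pointer (=4), then the hop addresses."""
    body = b"".join(ipaddress.ip_address(h).packed for h in hops)
    return bytes([SSRR if strict else LSRR, 3 + len(body), 4]) + body


def build_ipv4(src: str, dst: str, options: bytes = b"") -> bytes:
    """Build a bare IPv4 header carrying the given options, padded to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                         0, 0, 64, 6, 0,
                         ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return header + options


def demo() -> dict:
    """Constructed packets: an ordinary one, a spoofed internal source, and a source-routed one."""
    samples = {
        "ordinary": build_ipv4("198.51.100.7", "192.0.2.10"),
        "spoofed": build_ipv4("192.0.2.5", "192.0.2.10"),
        "source_routed": build_ipv4("203.0.113.9", "192.0.2.10",
                                    source_route_option(["203.0.113.1"])),
    }
    return {name: screen_inbound(pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14s} {verdict}")
```

The check is deliberately keyed to the interface the packet arrived on: an internal source address is normal on the inside interface and only suspicious on the outside one. Rejecting source-routed packets outright, rather than trying to evaluate the route, is the usual choice because legitimate production traffic has no need of the option.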
1.2.2 TCP

If the IP packets contain encapsulated TCP packets, the IP software will pass them "up" to the TCP software layer. TCP sequentially orders the packets and performs error correction, and implements virtual circuits, or connections between hosts. The TCP packets contain sequence numbers and acknowledgements of received packets so that packets rec