Life Outside The Firewall


Click here to start

Table of Contents

Life Outside The Firewall

Guidelines for Systems Which Have To Protect Themselves

1. Do the Obvious Things

Turn off extra TCP and UDP services

TCP/IP Services Come Through Two Paths

Rules for Services

Log Access to Services

Logs Are Useless Unless You Use Them

Synchronize Clocks with a Global Time Source

NTP is an inexpensive alternative

NTP Model

Typical site NTP configuration

Only Talk To Your Friends

2. Never Trust The Untrusted

Relay systems can be an exception

Relay systems can still be a problem!

NFS is not allowed outside the firewall

Stateless protocols are harder to secure

3. Don’t Fiddle With Your Firewall

Hint: If you have services on your firewall, you’ll need to fiddle...

Firewall Anecdote

4. Everything Gets Its Own Box

DNS is a special case

Logging is another special case

5. Never Use IP-based Authentication

“r” Services authentication

That’s great except...

PPT Slide

6. Use Kerberos and One-Time Passwords to Log In

Authentication methods and their flaws

Use Kerberos instead of Rshell/Rlogin/Telnet

Obtaining a Ticket

Network-wide login

Kerberos Security

Initial configuration is simple

Example of Kerberos in LAN/WAN environment

Kerberos Details (for the curious)

Kerberos details 2

Kerberos details 3

Kerberos details 4

There are three kinds of OTPs



One-Time Pad

7. Denial-of-Service Attacks are Hard to Protect Against

PPT Slide

SYN attacks allocate resources by making half-open connections

Denial of Service Attacks Use Resources

Simple steps to avoiding a DoS attack

Tweak TCP/IP to break down dead connections quickly

Allocate resources to absorb a low-level SYN attack

For socket-based applications, look for listen() call

8. You Only Trust What You Know

DNS can be fooled

PPT Slide

You can’t trust stacks

Last week’s bug (ᡖ known!)

and you definitely cannot trust Microsoft

9. Don’t Be Afraid To Say “No.”

Your threats are unexpected

Life Outside The Firewall

Author: Joel M Snyder


Home Page: