Building Internet Firewalls - Preface
This book is a practical guide to building your own firewall. It provides step-by-step explanations of how to design and install a firewall at your site, and how to configure Internet services such as electronic mail, FTP, the World Wide Web, and others to work with a firewall. Firewalls are complex, though, and we can't boil everything down to simple rules. Too much depends on exactly what hardware, operating system, and networking you are using at your site, and what you want your users to be able to do, and not do. We've tried to give you enough rules, examples, and resources here so you'll be able to do the rest on your own.
What is a firewall, and what does it do for you? A firewall is a way to restrict access between the Internet and your internal network. You typically install a firewall at the point of maximum leverage, the point where your network connects to the Internet. The existence of a firewall at your site can greatly reduce the odds that outside attackers will penetrate your internal systems and networks. The firewall can also keep your own users from compromising your systems by sending dangerous information--unencrypted passwords and sensitive data--to the outside world.
The attacks on Internet-connected systems we are seeing today are more serious and more technically complex than those in the past. To keep these attacks from compromising our systems, we need all the help we can get. Firewalls are a highly effective way of protecting your site from these attacks. For that reason, we strongly recommend you include a firewall in your site's overall Internet security plan. However, a firewall should be only one component in that plan. It's also vital that you establish a security policy, that you implement strong host security, and that you consider the use of authentication and encryption devices that work with the firewalls you install. This book will touch on each of these topics while maintaining its focus on firewalls.
This book is divided into four parts:
Part I, Network Security, explores the problem of Internet security and focuses on firewalls as part of an effective strategy to solve that problem.
Chapter 1, Why Internet Firewalls?, introduces the major risks associated with using the Internet today; discusses what to protect, and what to protect it against; discusses various security models; and introduces firewalls in the context of what they can and can't do for your site's security.
Chapter 2, Internet Services, outlines the services users want and need from the Internet, and summarizes the security problems posed by those services.
Chapter 3, Security Strategies, outlines the basic security principles an organization needs to understand before it adopts a security policy and invests in specific security mechanisms.
Part II, Building Firewalls, describes how to build firewalls and configure services to run with them.
Chapter 4, Firewall Design, outlines the basic components and major architectures used in constructing firewalls: dual-homed hosts, screened hosts, screened subnets, and variations on these basic architectures.
Chapter 5, Bastion Hosts, presents step-by-step instructions on designing and building the bastion hosts used in many firewall configurations.
Chapter 6, Packet Filtering, describes how packet filtering systems work, and discusses what you can and can't accomplish with them in building a firewall.
Chapter 7, Proxy Systems, describes how proxy clients and servers work, and how to use these systems in building a firewall.
Chapter 8, Configuring Internet Services, describes how to configure each major Internet service to run with a firewall.
Chapter 9, Two Sample Firewalls, presents two sample configurations for basic firewalls.
Chapter 10, Authentication and Inbound Services, discusses the problem of allowing users to access your systems from the Internet, and describes a variety of authentication strategies and products.
Part III, Keeping Your Site Secure, describes how to establish a security policy for your site, maintain your firewall, and handle the security problems that may occur with even the most effective firewalls.
Chaper 11, Security Policies, discusses the importance of having a clear and well-understood security policy for your site, and what that policy should and should not contain. It also discusses ways of getting management and users to accept the policy.
Chapter 12, Maintaining Firewalls, describes how to maintain security at your firewall over time and how to keep yourself aware of new Internet security threats and technologies.
Chapter 13, Responding to Security Incidents, describes what to do when a break-in occurs, or when you suspect that your security is being breached.
Part IV, Appendixes, consists of the following summary appendixes:
Appendix A, Resources, contains a list of places you can go for further information and help with Internet security: World Wide Web pages, FTP sites, mailing lists, newsgroups, response teams, books, papers, and conferences.
Appendix B, Tools, summarizes the best freely available firewall tools and how to get them.
Appendix C, TCP/IP Fundamentals, contains background information on TCP/IP that is essential for anyone building or managing a firewall.
Who should read this book? Although the book is aimed primarily at those who need to build firewalls, large parts of it are appropriate for everyone who is concerned about Internet security. This list tells you what sections are particularly applicable to you:
You should read the entire book. As we've mentioned, a thorough knowledge of TCP/IP is essential for understanding and building firewalls. If you are not already familiar with TCP/IP, you should read at least Appendix C right now. (And we strongly recommend that you read all of Craig Hunt's excellent book, TCP/IP Network Administration (O'Reilly & Associates, 1992), from which the appendix is adapted.)
Managers of sites that are considering connecting to the Internet
You should at least read Part I of the book. The chapters in Part I will introduce you to the various types of Internet threats, services, and security approaches and strategies. They will also introduce you to firewalls and describe what they can and cannot do to enforce Internet security. You should also read Chapter 4, which provides an overview of firewall design. In addition, Appendix A will tell you where to go for more information and resources.
Managers and users of sites that are already connected to the Internet
You should read all of the chapters we've cited for the managers in the previous category. In addition, you should read Part III, which explains the kinds of issues that may arise at your site over time, e.g., how to develop a security policy, keep up to date, and react if someone attacks your site.
To a large extent, this book is platform-independent. Because most of the information provided here consists of general principles, most of it should be applicable to you, regardless of what equipment, software, and networking you are using. The most platform-specific issue is what type of system to use as a bastion host. People have successfully built bastion hosts (which we describe in Chapter 5 of this book) using all kinds of computers, including UNIX systems, Windows NT machines, Macintoshes, VMS VAXes, and others.
Having said this, we must acknowledge that there is a strong UNIX orientation to the specific examples in this book. There are several reasons for this. This is a book about building firewalls, and at the present time, the richest source of freely available tools for accomplishing this task is in the UNIX world. As a result, the vast majority of the firewalls being built today use UNIX systems as their bastion hosts (although, of course, many other types of machines may be included in the overall configurations). We expect that this situation may change in the next few years, as more commercial systems become available for many types of systems. Another reason is, of course, that our own experience is primarily in the UNIX world.
Please address comments and questions concerning this book to the publisher:
O'Reilly & Associates
103 Morris Street, Suite A
Sebastopol, CA 95472
1-800-998-9938 (in the U.S. or Canada) 1-707-829-0515 (international or
You can also send us messages electronically. See the insert in the book for information about all of O'Reilly & Associates' online services.
To ask technical questions or to comment on the book, send email to:
Information related to this book is available via anonymous FTP at:
and on the World Wide Web at:
Errata are available from:
When we set out to write this book, we had no idea that it would consume so much time and energy. We would never have succeeded without the help of many people.
Special thanks to Ed DeHart and Craig Hunt. Ed worked with Brent in the early stages of this book and wrote the foreword to it; we appreciate all that he has done to help. TCP/IP is essential for understanding the basics of firewall construction, and Craig Hunt, author of TCP/IP Network Administration has kindly let us excerpt much of that book's Chapter 1 and Chapter 2 in this book's Appendix C so readers who do not already have a TCP/IP background can get a jump start.
Thanks to all those who reviewed drafts of the book before publication and made helpful suggestions: Fred Avolio, Steve Bellovin, Niels Bjergstrom, Rik Farrow, Simson Garfinkel, Eliot Lear, Evi Nemeth, Steve Simmons, Steve Romig, Gene Spafford, Phil Trubey, and Mark Verber. Thanks as well to Eric Allman for answering many Sendmail questions and Paul Traina for answering many Cisco questions.
Thanks to all the people at O'Reilly & Associates who turned this manuscript into a finished book: to Mary Anne Weeks Mayo, the wonderful and patient project manager/copyeditor for the book; Len Muellner, Ellen Siever, and Norm Walsh who converted the book from Word to SGML and contributed their tool-tweaking prowess; Chris Reilley who created the many excellent diagrams; Edie Freedman who designed the cover and Nancy Priest who designed the interior layout; John Files and Juliette Muellner who assisted with production; Seth Maislin who prepared the index; and Sheryl Avruch and Kismet McDonough-Chan who did the final quality control on the book.
Brent says: I would like to extend personal thanks to my friends and family, for keeping me going for a year and a half while I worked on the book; to my staff at Great Circle Associates, for keeping my business going; to the many hundreds of folks who've attended my Internet Security Firewalls Tutorial, for providing the impetus for this whole endeavor (and for keeping my bills paid!); and to the many thousands of subscribers to the Firewalls mailing list on the Internet, for providing a stimulating environment to develop many of the ideas found in this book. I also owe a lot of thanks to Debby Russell, our editor at O'Reilly & Associates, for all her help and guidance, and to our technical reviewers, for all their wonderful comments and suggestions. Most of all, though, I'd like to thank my very good friend and coauthor, Elizabeth Zwicky, without whose collaboration and encouragement this book probably never would have been finished, and certainly wouldn't have been as good.
Elizabeth says: My thanks go to my friends, my family, and my colleagues at Silicon Graphics, for an almost infinite patience with my tendency to alternate between obsessing about the book and refusing to discuss anything even tangentially related to it. I'd like to particularly thank Arnold Zwicky, Diana Smetters, Greg Rose, Eliot Lear, and Jeanne Dusseault for their expert moral support (often during similar crises of their own). But the most thanks for this effort have to go to Debby and Brent, for giving me a chance to be part of an unexpected but extremely rewarding project.
Great Circle Associates, Inc.
2608 Buena Vista Ave.
Alameda, CA 94501 USA
Please report problems to Webmaster@GreatCircle.COM
Copyright © 2017 Great Circle Associates, Inc.
USA Toll Free: 877 GRT CRCL
(877 478 2725)
International: +1 415 861 3588
Fax: +1 415 552 2982