Firewalls For Dummies®, 2nd Edition
by Brian Komar, Ronald Beekelaar, and Joern Wettern, PhD

Published by Wiley Publishing, Inc., 909 Third Avenue, New York, NY 10022, www.wiley.com
Copyright © 2003 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: permcoordinator@wiley.com.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2003101908
ISBN: 0-7645-4048-3
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
2B/RT/QW/QT/IN
is a trademark of Wiley Publishing, Inc.

About the Authors

Brian Komar, B. Comm (Hons), a native of Canada, makes his living as a Public Key Infrastructure (PKI) consultant, speaker, author, and trainer. Brian speaks at conferences around the world on network design and security topics. His consulting practice focuses on PKI design and architecture projects and on research assignments specializing in interoperability between different vendors’ security products. In his spare time, Brian enjoys traveling and biking with his wife Krista and sharing a fine bottle of wine (or more) with his good friends.

Ronald Beekelaar, M.Sc., a native of The Netherlands, makes his living as a network security consultant, author, and trainer. Ronald frequently trains network administrators on network design and enterprise security topics. He writes articles for several computer magazines, mostly about operating systems and security issues. Ronald lives in Utrecht, The Netherlands, with his wife Kim. They enjoy traveling abroad.
If they find the time, they often travel to European cities, especially London, to see a theater show and visit museums.

Joern Wettern, Ph.D., a native of Germany, is a network consultant and trainer. Joern has also developed a range of training materials for a large software publisher, and these materials are used to train thousands of network administrators around the world. He frequently travels to several continents to speak at computer conferences. Joern is paranoid enough to use an enterprise-class firewall to connect his home network. Somehow, he still manages to enjoy the occasional sunny day and the many rainy ones in Portland, Oregon, where he lives with his wife Loriann and three cats. In his spare time, of which there is precious little, Joern and his wife hike up the mountains of the Columbia Gorge and down the Grand Canyon. You can also find him attending folk music festivals and dancing like a maniac. Joern’s latest project is to learn how to herd his cats — without much success thus far.

The authors can be reached at FirewallsForDummies@hotmail.com.

Dedication

To Loriann, Krista, and Kim, and our parents.

Author’s Acknowledgments

This second edition would not have been possible without a large number of people, especially the good folks at Wiley. We want to thank Byron Hynes for being an excellent technical editor, and especially the humor he contributed to the project. Melody Layne for pulling us together for another run at the content, Paul Levesque for his insights on the content, and Rebekah Mancilla for her editorial assistance.

Beyond the Wiley crew, we received help from firewall vendors who made it possible for us to cover a number of different products and helped us with issues that came up during the writing of the book. We would like to especially thank the ISA Server and PKI teams at Microsoft and Check Point for providing an evaluation copy of FireWall-1 NG.
Finally, not a single chapter of this book would have been possible without our spouses, who were willing to let us work on this project and thus are the real heroes in this story.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Paul Levesque (Previous Edition: Linda Morris)
Acquisitions Editor: Melody Layne
Copy Editor: Rebekah Mancilla
Technical Editor: Byron Hynes
Editorial Manager: Leah Cameron
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant, www.the5thwave.com

Production
Project Coordinator: Ryan Steffen
Layout and Graphics: Seth Conley, Carrie Foster, Lauren Goddard, Michael Kruzil, Tiffany Muth, Shelley Norris, Lynsey Osborn, Jacque Schneider
Proofreaders: Andy Hollandbeck, Angel Perez, Kathy Simpson, Charles Spencer, Brian Walls, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Contents at a Glance

Introduction 1
Part I: Introducing Firewall Basics 7
Chapter 1: Why Do You Need a Firewall? 9
Chapter 2: IP Addressing and Other TCP/IP Basics 23
Chapter 3: Understanding Firewall Basics 47
Chapter 4: Understanding Firewall Not-So-Basics 71
Chapter 5: “The Key Is under the Mat” and Other Common Attacks 97
Part II: Establishing Rules 111
Chapter 6: Developing Policies 113
Chapter 7: Establishing Rules for Simple Protocols 121
Chapter 8: Designing Advanced Protocol Rules 143
Chapter 9: Configuring “Employees Only” and Other Specific Rules 163
Part III: Designing Network Configurations 169
Chapter 10: Setting Up Firewalls for SOHO or Personal Use 171
Chapter 11: Creating Demilitarized Zones with a Single Firewall 179
Chapter 12: Designing Demilitarized Zones with Multiple Firewalls 197
Part IV: Deploying Solutions Using Firewall Products 211
Chapter 13: Using Windows as a Firewall 213
Chapter 14: Configuring Linux as a Firewall 233
Chapter 15: Configuring Personal Firewalls: ZoneAlarm, BlackICE, and Norton Personal Firewall 249
Chapter 16: Microsoft’s Firewall: Internet Security and Acceleration Server 295
Chapter 17: The Champ: Check Point FireWall-1 Next Generation 331
Chapter 18: Choosing a Firewall That Meets Your Needs 357
Part V: The Part of Tens 365
Chapter 19: Ten Tools You Can’t Do Without 367
Chapter 20: Ten Web Sites to Visit 375
Appendix: Protocol Listings and More 383
Index 393

Table of Contents

Introduction 1
  About This Book 2
  How to Use This Book 2
  What You Don’t Need to Read 2
  Foolish Assumptions 2
  How This Book Is Organized 3
    Part I: Introducing Firewall Basics 3
    Part II: Establishing Rules 3
    Part III: Designing Network Configurations 4
    Part IV: Deploying Solutions Using Firewall Products 4
    Part V: The Part of Tens 4
  Icons Used in This Book 5
  Where to Go from Here 5

Part I: Introducing Firewall Basics 7

Chapter 1: Why Do You Need a Firewall? 9
  Defining a Firewall 9
  The Value of Your Network 11
  Get Yourself Connected 12
    Modem dial-up connections 13
    ISDN connections 14
    DSL connections 14
    Cable modems 15
    T1 and T3 16
    Address types 17
    The need for speed and security 17
  TCP/IP Basics 18
  What Firewalls Do 19
  What Firewalls Look Like 20
    A firewall that fits 20
    Network router 21
    Appliance 21
    Software-only firewalls 21
    All-in-one tools 21
  Rules, Rules, Everywhere Rules 22

Chapter 2: IP Addressing and Other TCP/IP Basics 23
  How Suite It Is: The TCP/IP Suite of Protocols 24
    Sizing up the competition 24
    Networking for the Cold War: A very short history of TCP/IP 25
  Peeling Away the Protocol Layers 26
  The Numbers Game: Address Basics 28
  URLs: How to Reference Resources 32
  Understanding IP Addresses 33
    1 and 1 is 10 33
    What IP addresses mean 34
  Private IP Addresses 36
  Dissecting Network Traffic: The Anatomy of an IP Packet 37
    Source address 37
    Destination address 38
    Transport layer protocol 38
    Other stuff 38
    The other Internet layer protocol: ICMP 38
  Transport Layer Protocols 39
    Staying connected: UDP and TCP 39
    Ports are not only for sailors 40
    Some ports are well known 41
  Application Layer Protocols 42
    HTTP 42
    SMTP 43
    POP3 43
    DNS 43
    Telnet 43
    Complex protocols 44
    FTP 44
    Future protocols 45
  The Keeper of the Protocols 45
  Putting It All Together: How a Request Is Processed 46

Chapter 3: Understanding Firewall Basics 47
  What Firewalls Do (And Where’s the Fire, Anyway?) 48
    Basic functions of a firewall 48
    What a firewall can’t do 50
  General Strategy: Allow-All or Deny-All 51
  Packet Filtering 54
    Filtering IP data 55
    Stateful packet filtering 60
  Network Address Translation (NAT) 62
    Security aspects of NAT 63
    Consequences of NAT 64
  Application Proxy 65
  Monitoring and Logging 68

Chapter 4: Understanding Firewall Not-So-Basics 71
  Making Internal Servers Available: Static Address Mapping 73
    Static IP address assignment 74
    Static inbound translation 75
  Filtering Content and More 76
  Detecting Intrusion 79
    Detecting an intrusion in progress 80
    Responding to an intrusion 81
    Reacting to a security incident 82
  Improving Performance by Caching and Load Balancing 83
    Caching Web results 84
    United we stand, dividing the load 86
  Using Encryption to Prevent Modification or Inspection 88
    Encryption and firewalls 88
    Who are you: Authentication protocols 89
    The S in HTTPS 90
    IP and security: IPSec 91
    Virtual Private Networks (VPNs) 92

Chapter 5: “The Key Is under the Mat” and Other Common Attacks 97
  Intrusion Attacks: A Stranger in the House 97
  Denial-of-service Attacks 99
    When everyone is out to get you: Distributed DoS attacks 100
  How Hackers Get In 101
    The key is under the mat: Insecure passwords 100
    Default configurations 101
    Bugs 102
    Back doors 104
    It’s a zoo: Viruses, worms, and Trojan horses 105
    Who are you? Man-in-the-middle attacks 106
    Impersonation 107
    Eavesdropping 107
    Inside jobs 108
    Other techniques 108
  Can a Firewall Really Protect Me? 109
  Are You Scared Yet? 110

Part II: Establishing Rules 111

Chapter 6: Developing Policies 113
  Defining an Internet Acceptable Use Policy 114
  Defining a Security Policy 118
    Setting a Security policy 118

Chapter 7: Establishing Rules for Simple Protocols 121
  For Starters, Some Default Rules 123
  Allowing Web Access 123
    Configuring inbound firewall rules 125
    Configuring outbound firewall rules 126
  Finding Internet Resources 126
    Providing name resolution to Internet-based clients 127
    Providing Internet name resolution to internal clients 128
  File Transfer Protocol (FTP) 131
  Messaging and Conferencing 133
    America Online (AOL) Messaging 133
    MSN Messenger and Windows Messenger 134
    NetMeeting 135
  Thin Client Solutions 137
    Citrix Metaframe 137
    Windows Terminal Services 138
  Internet Control Message Protocol (ICMP) 139

Chapter 8: Designing Advanced Protocol Rules 143
  Rain, Sleet, Snow, and Firewalls: Getting the E-Mail Through 144
    Answering the right questions 146
    Allowing access to external mail services 147
    Allowing access to internal mail services 148
  Knock, Knock: Who Goes There? 149
    RADIUS functionality 150
    Configuring inbound RADIUS firewall rules 151
  IPSec Encryption 152
    When does IPSec fail? 154
    What will the future bring? 155
    Configuring a firewall to pass IPSec data 157
  Let Me In: Tunneling through the Internet 158
    Selecting a tunneling protocol 158
    Using PPTP firewall rules 159
    Using L2TP/IPSec firewall rules 160

Chapter 9: Configuring “Employees Only” and Other Specific Rules 163
  Limiting Access by Users: Not All Are Chosen 163
  Filtering Types of Content 165
  Filtering Other Content 166
    Preventing access to known “bad” sites 166
    Implementing Content Rating 167
  Setting the Clock: Filtering on Date/Time 168

Part III: Designing Network Configurations 169

Chapter 10: Setting Up Firewalls for SOHO or Personal Use 171
  No-Box Solution: ISP Firewall Service 171
  Single-Box Solution: Dual-Homed Firewall 172
  Screened Host 173
    Bypassing the screened host 174

[...]
... firewall serves and the basics of configuring a firewall.

About This Book

We try to provide you with a book that can act as a reference guide for firewalls. We don’t expect you to read the book from cover to cover but to look at specific topics that meet your needs. Twenty chapters and an appendix cover all topics of firewalls and their implementation. Just turn to the chapter ...

... out about firewalls. Sidebars and extra information included in the book provide additional information that can help you, but you don’t need to read them to use firewalls. This additional information is marked with the Technical Stuff icon. However, if you want that extra technical information, you now know where to find it!

Foolish Assumptions

When we sat down to come up with the outline for this book, ...

... process of determining what protocols to allow in and out of your network. If you don’t have guidelines for securing your network, coming up with a configuration for your firewall is almost impossible!

Part III: Designing Network Configurations

Put on your helmets for a trip to the world of Demilitarized Zones (the computer kind, not the combat kind). Part III puts ...

... Sharing: NAT for Dummies 218
  Windows NT 4.0 221
    Packet filtering 222
    PPTP server 223
  Windows 2000 224
    Packet filtering 224
    Network Address Translation (NAT) 227
    L2TP and IPSec 229
  Windows XP 230
    Internet Connection Firewall (ICF) 231
  Windows Server 2003 232

... organization firewall: These firewalls are designed to protect all the computers in an office of limited size that is in a single location. Firewalls in this category have the capacity to screen network traffic for a limited number of computers, and the reporting and management capabilities are adequate for this function.

• Enterprise firewall: Enterprise firewalls are appropriate for larger organizations, ...
... of Contents, find a topic that interests you, and go to that chapter. If you’re looking for configuration details for specific firewalls, jump to Part IV where we provide detailed steps on how to install and configure popular firewall products used today. If you’re just looking for tips on how to configure a firewall for specific protocols, Parts II and III look at simple and advanced protocol rules in ...

... memorize a topic related to firewalls. Tips provide you with inside information on how to quickly configure a rule or get past a common hurdle when designing firewalls.

Where to Go from Here

You have the book in your hand, and you’re ready to get started. Feel free to turn to any topic in the book that interests you! Look in the Table of Contents for the topic that drew your interest to firewalls. If you’re not curious about any specific topic but just want an overview, turn the page and start with Part I. Either way, enjoy yourself and let us help you learn about firewalls!

Part I: Introducing Firewall Basics

In this part

Firewalls — who needs ’em? Well it turns out, most of us do. If you or your company is connected to the Internet, you may ...

... nowhere to be found; for them the problem had been solved — the virus was gone. For everyone else the problem had just started.

• Hijacked computer: Imagine that someone broke into your computer and used it for his own purposes. If your computer is not used much anyway, this may not seem like a big deal. However, now imagine that the intruder uses your computer for illegitimate purposes. For example, a hacker ...
... computer to another using TCP/IP includes information on what IP address the data comes from and what IP address it is being sent to. TCP/IP defines the methods that computers connected to the Internet use to transmit information. This includes dividing this information in small manageable chunks called packets. Each packet contains header information and data. Most firewalls examine the packet header to determine ...

  Port Listing 384
Index 393

Introduction

Welcome to Firewalls For Dummies, a book written to help the average Joe understand how firewalls work and how to ...