
Network Security, Filters and Firewalls

2017-11-10, 16 pages, doc, 49KB

Abstract: This article is a general introduction to network security and Internet solutions; the emphasis is on route filters and firewalls. It is not intended as an explicit guide to building a secure network; its purpose is only to give an overview. Some knowledge of IP networking is assumed, although it is not crucial.

Keywords: network security; filters; firewalls

In the last decade the number of computers in use has grown enormously. For quite some time now, computers have been a decisive factor in how we learn and live, and more importantly in how we do business. In retrospect, the growth in computer use has been remarkable, and an even bigger breakthrough (although somewhat delayed) was to come in using computers to talk to each other. The rapid development of the computer field is mainly due to two separate forces, which have had different goals and products. The first force is research interests and laboratories; these groups have always needed to share files, email and other information across wide areas. This research produced several protocols and schemes for data transfer, most notably TCP/IP. The second force in the growth of networking is business. For quite some time, business interests were mainly in sharing data within an office or campus network, which led to the development of various protocols suited to that specific setting.

In the last five years, business has begun to move toward sharing data across wide areas. This has prompted efforts to convert protocols that were mainly LAN-based into WAN-oriented protocols. The result has been the birth of an entire consulting industry that knows how to manipulate routers and gateways and carry network protocols across point-to-point links (two very different ways of transmitting packets across networks). Recently (within the last two or three years) more and more companies have realized that they need to settle on a common networking protocol. The usual choice is TCP/IP, the primary protocol run on the Internet. The emergence of TCP/IP allows companies to interconnect with each other via private networks just as they would over public networks.

This is a very representative picture: businesses, governments and individuals communicating with each other across networks. As reality rapidly approaches this idealized picture, several relatively minor issues have moved from their previous secondary status to become very important. Security is perhaps the most widely known of these. When businesses send private information across the net, they require a high standard of assurance that the information reaches its destination intact and is not intercepted by anyone other than the intended recipient. Individuals sending private communications demand secure communication even more. Finally, connecting a system to a network opens the system itself up to attacks. If a system is compromised, the risk of data loss is high.

It is useful to divide the methods for network security into two basic types:
- methods that protect data as it travels across the network
- methods that regulate which packets may travel across the network
Although both obviously affect the traffic going from one site to another, their objectives are different.

Transit Security

Currently, no system in wide use can guarantee the security of data as it transits a public network. Instead, encryption is applied between a few coordinated sites. Unfortunately, none of the current schemes meets this particular requirement well. Two general approaches dominate this area:

Virtual private networks: This is the concept of creating a private network by using TCP/IP to provide the lower layers of a second TCP/IP stack. It can be a difficult concept to grasp, and is best understood by comparison with the way TCP/IP is normally implemented. In short, IP is carried over the physical layer of various kinds of networks. Each system connected to the physical network implements a standard for carrying IP communication over that link. Such standards exist for carrying IP over various existing kinds of links, most commonly Ethernet and point-to-point links (PPP and SLIP). Once an IP packet is received, it is passed up to the higher layers of the TCP/IP stack (UDP, TCP and the application layer). When a virtual private network is implemented, the lowest layers of the TCP/IP protocol are implemented over an existing TCP/IP connection. There are many ways to do this, trading off abstraction against efficiency. The advantage for secure data transfer is then only one step further away. Because a virtual private network gives you complete control over the physical layer, it is entirely under the network designer's control, and the designer can encrypt the connection at the physical (virtual) layer. By doing this, all traffic of any kind over the virtual private network is encrypted, whether at the application layer (such as mail or news) or at the lowest layer of the stack, the physical layer (such as IP, ICMP). The main advantages of virtual private networks are: they allow a private address space to be allocated (you can connect more machines to the same network), and they allow packets to be encrypted and forwarded on a dedicated system, reducing the load on the original machines.
Packet-level encryption: Another approach is to encrypt at a higher layer of the TCP/IP stack. Several methods are used for secure authentication and encryption of telnet and rlogin sessions (Kerberos, S/Key and DESlogin); these are typical examples of encryption at the top of the stack (the application layer). The advantages of encrypting at a higher layer are that the processing overhead of handling a virtual private network is removed, interoperability with current applications is unaffected, and compiling a client program that supports application-layer encryption is much easier than building a virtual private network. In principle, encryption is possible at any layer of the IP stack. Particularly promising is encryption at the TCP layer, which provides fairly transparent encryption to most network applications.

It is worth noting that both methods can have a performance impact on the hosts that implement the protocols and on the networks connecting those hosts. Even the relatively simple act of encapsulating or converting a packet into a new form requires CPU time and uses additional network capacity. Encryption is a truly processor-intensive process, and encrypted packets may need to be padded to a uniform length to guarantee the correctness of some algorithms. Further, both methods have impacts on other areas (security-related and otherwise, such as address allocation, fault tolerance and load balancing) that need to be considered when deciding which is better suited to a particular case.

Traffic Regulation

The most common form of network security on the Internet today is to regulate which types of packets may move between two networks. If a packet that could do something destructive to a remote host can never reach it, the remote host need not worry about that packet. Traffic regulation provides this screen between hosts and remote sites. It is applied in three basic areas of the network: routers, firewalls and hosts. Each provides a similar service at a different point in the network. In fact the line between them is no longer very clear. In this article I will use the following definitions:

Router traffic regulation: Any regulation that is carried out on a router or terminal server (hosts whose main purpose is to forward packets sent by other hosts) and decides according to the characteristics of the packet. This does not include application gateways, but does include address translation.

Firewall traffic regulation: Traffic regulation or filtering that is performed by application gateways or proxy servers.

Host traffic regulation: Traffic regulation that runs at the destination of the packet. Hosts play a smaller and smaller role in traffic regulation compared with filtering routers and firewalls.

Filters and access lists

Regulating packets so that they can pass between two sites is a concept that seems very simple on the surface; deciding whether to forward packets from a particular site should not be, and is not, difficult for any router or firewall. Unfortunately, the reason most people connect to the Internet is so that they can exchange packets with remote hosts. Developing a design that lets the right packets through at the right time and rejects malicious packets is a hard task, and that study is beyond the scope of this article. A few basic techniques are nonetheless worth discussing.

- Restricting access in, but not out: Almost all packets (except those at the lowest layers dealing with network reachability) are sent to UDP or TCP destinations. Typically, packets from remote hosts will try to reach one of the well-known ports. These ports are monitored by applications that provide services such as mail transfer, Usenet news, time queries, domain name service and various login protocols. It is trivial for a modern router or firewall to allow only these types of packets through to the specific machine that provides the given service. Attempts to send other types of packet will not be forwarded. This protects the internal hosts of the network but still allows all packets out. Unfortunately, it does not seem to be a cure-all.

- The problem of returning packets: Suppose that you do not allow remote users to log into your systems unless they use a secure, encrypting application such as S/Key. However, you want to allow your own users to try to connect to remote sites with telnet or ftp. At first this looks simple: you merely restrict remote connections to one type of packet and allow any type of outgoing connection. Unfortunately, because of the nature of interactive protocols, they must negotiate a unique port number to use for a given connection. If they did not, at any given time there could be only one interactive session of each type between two given hosts. This leads to a dilemma: suddenly a remote site is going to try to send packets destined for an arbitrary port. Normally these packets should be blocked. But if packets have already been sent from the internal network to the external network on the same port, modern routers and firewalls open a small window for these packets to pass through. This allows connections initiated internally to connect, while still denying external connection attempts unless they are wanted.

- Dynamic route filters: A relatively new technique is the ability to dynamically add an entire set of route filters for a remote site when a particular set of circumstances occurs. With these techniques, a router can automatically detect suspicious activity (such as ISS or SATAN) and deny a host or an entire site access for a short time. In some cases this will stop any kind of automated attack from damaging the site.

Although filters and access lists are most common on routers, they are typically placed on all three types of systems.
Address translation: Another advance is that the router can modify outgoing packets to carry its own IP address. This prevents external sites from learning any information about the internal network, and it also allows certain tricks to be played that provide room for a great many additional internal hosts within a small allocated address space. The router maps an external IP address and socket to an internal address and socket. When an internal packet is sent to the outside network, it is simply forwarded with the router's IP address in the source field of the IP header. When an external packet arrives, its destination port is analyzed and the address re-mapped before it is sent on to the internal host. This procedure has its pitfalls: because checksums are based in part on the IP address, they have to be recalculated, and some upper-layer protocols encode or depend on the IP address. These protocols will not work through simple address translation routers.

Application gateways and proxies: The main difference between firewalls and routers is that firewalls actually run applications. These applications usually include mail daemons, ftp servers and web servers. Firewalls also usually run what are known as application gateways or proxy servers. These are best described as programs that understand the structure of a protocol but do not perform any of the protocol's functions. Rather, after verifying that a message from an external site is acceptable, they pass the message on to the real Internet daemon, such as a mail daemon, where the data is processed. This guarantees the security of applications that are particularly susceptible to interactive attacks. One advantage of using a firewall for these services is that it makes monitoring all activity very easy, and makes it very easy to quickly control what enters and leaves the network.

Conclusion

There are two basic kinds of network security, transit security and traffic regulation, which in combination can ensure that the right data is securely delivered to the right place. It should be obvious that when a host receives information there is still a need to ensure that the host can process it properly; this raises the concern of host security, a wide area that varies enormously for each type of system. With the growth of the Internet in business, network security has rapidly become key to the development of the network. In the near future, network security will be an important part of our daily use of the Internet and other networks.

Network Security, Filters and Firewalls

Abstract: This article is a general introduction to network security issues and solutions in the Internet; emphasis is placed on route filters and firewalls. It is not intended as a guide to setting up a secure network; its purpose is merely as an overview. Some knowledge of IP networking is assumed, although not crucial.

Key words: Network Security, Filters and Firewalls

In the last decade, the number of computers in use has exploded. For quite some time now, computers have been a crucial element in how we entertain and educate ourselves, and most importantly, how we do business. It seems obvious in retrospect that a natural result of the explosive growth in computer use would be an even more explosive (although delayed) growth in the desire and need for computers to talk with each other. The growth of this industry has been driven by two separate forces which until recently have had different goals and end products. The first factor has been research interests and laboratories; these groups have always needed to share files, email and other information across wide areas.
The research labs developed several protocols and methods for this data transfer, most notably TCP/IP. Business interests are the second factor in network growth. For quite some time, businesses were primarily interested in sharing data within an office or campus environment; this led to the development of various protocols suited specifically to this task.

Within the last five years, businesses have begun to need to share data across wide areas. This has prompted efforts to convert principally LAN-based protocols into WAN-friendly protocols. The result has spawned an entire industry of consultants who know how to manipulate routers, gateways and networks to force principally broadcast protocols across point-to-point links (two very different methods of transmitting packets across networks). Recently (within the last 2 or 3 years) more and more companies have realized that they need to settle on a common networking protocol. Frequently the protocol of choice has been TCP/IP, which is also the primary protocol run on the Internet. The emerging ubiquitousness of TCP/IP allows companies to interconnect with each other via private networks as well as through public networks.

This is a very rosy picture: businesses, governments and individuals communicating with each other across the world. While reality is rapidly approaching this utopian picture, several relatively minor issues have changed status from low priority to extreme importance. Security is probably the most well known of these problems. When businesses send private information across the net, they place a high value on it getting to its destination intact and without being intercepted by someone other than the intended recipient. Individuals sending private communications obviously desire secure communications. Finally, connecting a system to a network can open the system itself up to attacks. If a system is compromised, the risk of data loss is high.
It can be useful to break network security into two general classes:
- methods used to secure data as it transits a network
- methods which regulate what packets may transit the network
While both significantly affect the traffic going to and from a site, their objectives are quite different.

Transit Security

Currently, there are no systems in wide use that will keep data secure as it transits a public network. Several methods are available to encrypt traffic between a few coordinated sites. Unfortunately, none of the current solutions scale particularly well. Two general approaches dominate this area:

Virtual Private Networks: This is the concept of creating a private network by using TCP/IP to provide the lower levels of a second TCP/IP stack. This can be a confusing concept, and is best understood by comparing it to the way TCP/IP is normally implemented. In a nutshell, IP traffic is sent across various forms of physical networks. Each system that connects to the physical network implements a standard for sending IP messages across that link. Standards for IP transmission across various types of links exist; the most common are for Ethernet and Point to Point links (PPP and SLIP). Once an IP packet is received, it is passed up to higher layers of the TCP/IP stack as appropriate (UDP, TCP and eventually the application). When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. There are a number of ways to accomplish this which trade off between abstraction and efficiency. The advantage this gives you in terms of secure data transfer is only a single step further away. Because a VPN gives you complete control over the physical layer, it is entirely within the network designer's power to encrypt the connection at the physical (virtual) layer.
By doing this, all traffic of any sort over the VPN will be encrypted, whether it be at the application layer (such as Mail or News) or at the lowest layers of the stack (IP, ICMP). The primary advantages of VPNs are: they allow private address space (you can have more machines on a network), and they allow the packet encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines.

Packet Level Encryption: Another approach is to encrypt traffic at a higher layer in the TCP/IP stack. Several methods exist for the secure authentication and encryption of telnet and rlogin sessions (Kerberos, S/Key and DESlogin) which are examples of encryption at the highest level of the stack (the application layer). The advantages to encrypting traffic at the higher layer are that the processor overhead of dealing with a VPN is eliminated, inter-operability with current applications is not affected, and it is much easier to compile a client program that supports application layer encryption than to build a VPN. It is possible to encrypt traffic at essentially any of the layers in the IP stack. Particularly promising is encryption that is done at the TCP level which provides fairly transparent encryption to most network applications.

It is important to note that both of these methods can have performance impacts on the hosts that implement the protocols, and on the networks which connect those hosts. The relatively simple act of encapsulating or converting a packet into a new form requires CPU-time and uses additional network capacity. Encryption can be a very CPU-intensive process and encrypted packets may need to be padded to uniform length to guarantee the robustness of some algorithms. Further, both methods have impacts on other areas (security related and otherwise, such as address allocation, fault tolerance and load balancing) that need to be considered before any choice is made as to which is best for a particular case.
Traffic Regulation

The most common form of network security on the Internet today is to closely regulate which types of packets can move between networks. If a packet which may do something malicious to a remote host never gets there, the remote host will be unaffected. Traffic regulation provides this screen between hosts and remote sites. This typically happens at three basic areas of the network: routers, firewalls and hosts. Each provides similar service at different points in the network. In fact the line between them is somewhat ill-defined and arbitrary. In this article, I will use the following definitions:

Router traffic regulation: Any traffic regulation that occurs on a router or terminal server (hosts whose primary purpose is to forward the packets of other hosts) and is based on packet characteristics. This does not include application gateways but does include address translation.

Firewall traffic regulation: Traffic regulation or filtering that is performed via application gateways or proxies.

Host traffic regulation: Traffic regulation that is performed at the destination of a packet. Hosts are playing a smaller and smaller role in traffic regulation with the advent of filtering routers and firewalls.

Filters and access lists

Regulating which packets can go between two sites is a fairly simple concept on the surface: it shouldn't be and isn't difficult for any router or firewall to decide simply not to forward all packets from a particular site. Unfortunately, the reason most people connect to the Internet is so that they may exchange packets with remote sites. Developing a plan that allows the right packets through at the right time and denies the malicious packets is a thorny task which is far beyond this article's scope. A few basic techniques are worth discussing, however.
- Restricting access in, but not out: Almost all packets (besides those at the lowest levels which deal with network reachability) are sent to destination sockets of either UDP or TCP. Typically, packets from remote hosts will attempt to reach one of what are known as the well known ports. These ports are monitored by applications which provide services such as Mail Transfer and Delivery, Usenet News, the time, Domain Name Service, and various login protocols. It is trivial for modern routers or firewalls only to allow these types of packets through to the specific machine that provides a given service. Attempts to send any other type of packet will not be forwarded. This protects the internal hosts, but still allows all packets to get out. Unfortunately this isn't the panacea that it might seem.

- The problem of returning packets: Let's pretend that you don't want to let remote users log into your systems unless they use a secure, encrypting application such as S/Key. However, you are willing to allow your users to attempt to connect to remote sites with telnet or ftp. At first glance, this looks simple: you merely restrict remote connections to one type of packet and allow any type of outgoing connection. Unfortunately, due to the nature of interactive protocols, they must negotiate a unique port number to use once a connection is established. If they didn't, at any given time, there could only be one of each type of interactive session between any given two machines. This results in a dilemma: all of a sudden, a remote site is going to try to send packets destined for a seemingly random port. Normally, these packets would be dropped. However, modern routers and firewalls now support the ability to dynamically open a small window for these packets to pass through if packets have been recently transmitted from an internal host to the external host on the same port.
This allows connections that are initiated internally to connect, yet still denies external connection attempts unless they are desired.

- Dynamic route filters: A relatively recent technique is the ability to dynamically add entire sets of route filters for a remote site when a particular set of circumstances occur. With these techniques, it is possible to have a router automatically detect suspicious activity (such as ISS or SATAN) and deny a machine or entire site access for a short time. In many cases this will thwart any sort of automated attack on a site.

Filters and access lists are typically placed on all three types of systems, although they are most common on routers.

Address Translation: Another advancement has been to have a router modify outgoing packets to contain their own IP number. This prevents an external site from knowing any information about the internal network; it also allows for certain tricks to be played which provide for a tremendous number of additional internal hosts with a small allocated address space. The router maintains a table which maps an external IP number and socket with an internal number and socket. Whenever an internal packet is destined for the outside, it is simply forwarded with the router's IP number in the source field of the IP header. When an external packet arrives, it is analyzed for its destination port and re-mapped before it is sent on to the internal host. The procedure does have its pitfalls; checksums have to be recalculated because they are based in part on IP numbers, and some upper layer protocols encode/depend on the IP number. These protocols will not work through simple address translation routers.

Application gateways and proxies: The primary difference between firewalls and routers is that firewalls actually run applications. These applications frequently include mail daemons, ftp servers and web servers. Firewalls also usually run what are known as application gateways or proxies.
These are best described as programs which understand a protocol's syntax, but do not implement any of the functionality of the protocol. Rather, after verifying that a message from an external site is appropriate, they send the message on to the real daemon which processes the data. This provides security for those applications that are particularly susceptible to interactive attacks. One advantage of using a firewall for these services is that it makes it very easy to monitor all activity, and very easy to quickly control what gets in and out of a network.

Conclusion

There are two basic types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely delivered to the right place. It should be apparent that there is also a need for ensuring that the hosts that receive the information will properly process it; this raises the entire specter of host security: a wide area which varies tremendously for each type of system. With the growth in business use of the Internet, network security is rapidly becoming crucial to the development of the Internet. Soon, security will be an integral part of our day to day use of the Internet and other networks.
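The three router-side techniques the article describes (allowing inbound packets only to the well-known port of the host that serves it, the short-lived window for returning packets of internally initiated connections, and address translation with port re-mapping) as one runnable simulation. This is an added example, not the article's code; the addresses, ports, the single exposed mail service and the three-tick window are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class FilteringRouter:
    """Toy router combining an inbound allow-list, a return-packet window
    and address translation. Constructed example; not real router code."""

    def __init__(self, external_ip, services, window=3):
        self.external_ip = external_ip  # address written into outbound packets
        self.services = services        # ext port -> (internal host, port), always open
        self.window = window            # ticks a return slot stays open after outbound
        self.table = {}                 # ext port -> (int host, int port, remote, expiry)
        self.next_port = 40000          # next dynamically allocated external port
        self.clock = 0

    def tick(self):
        """Advance the clock; dynamic entries expire, static services never do."""
        self.clock += 1
        self.table = {p: e for p, e in self.table.items() if e[3] > self.clock}

    def outbound(self, pkt):
        """Rewrite the source to the router's address and open a return slot."""
        ext_port = next((p for p, e in self.table.items()
                         if e[:3] == (pkt.src, pkt.sport, pkt.dst)), None)
        if ext_port is None:
            ext_port, self.next_port = self.next_port, self.next_port + 1
        self.table[ext_port] = (pkt.src, pkt.sport, pkt.dst, self.clock + self.window)
        return Packet(self.external_ip, ext_port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Return the packet as delivered inward, or None if it is dropped."""
        if pkt.dst != self.external_ip:
            return None                      # internal addresses are never exposed
        if pkt.dport in self.services:       # well-known service on its designated host
            host, port = self.services[pkt.dport]
            return Packet(pkt.src, pkt.sport, host, port)
        entry = self.table.get(pkt.dport)    # return traffic for an internally started flow?
        if entry and entry[2] == pkt.src:
            return Packet(pkt.src, pkt.sport, entry[0], entry[1])
        return None                          # unsolicited packet: dropped

def demo():
    """Walk through the cases discussed in the text; returns outcomes for checking."""
    r = FilteringRouter("203.0.113.1", {25: ("10.0.0.5", 25)})  # only mail is exposed
    mail = r.inbound(Packet("198.51.100.9", 5000, "203.0.113.1", 25))      # delivered
    probe = r.inbound(Packet("198.51.100.9", 5000, "203.0.113.1", 23))     # telnet in: dropped
    out = r.outbound(Packet("10.0.0.7", 51000, "198.51.100.9", 23))        # telnet out, translated
    reply = r.inbound(Packet("198.51.100.9", 23, "203.0.113.1", out.sport))      # return packet
    stranger = r.inbound(Packet("198.51.100.77", 23, "203.0.113.1", out.sport))  # other host
    for _ in range(3):
        r.tick()                                                             # window closes
    late = r.inbound(Packet("198.51.100.9", 23, "203.0.113.1", out.sport))
    return mail, probe, out, reply, stranger, late
```

The checksum recalculation the article mentions is left out: the toy packet carries no header checksum, so only the address and port rewriting is shown.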
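An application gateway of the kind just described, as an added example that is not the article's code: it understands the syntax of a protocol, forwards only well-formed commands in a legal order to the real daemon, and logs every line so activity can be monitored. The command grammar and the order table are constructed assumptions for a small SMTP subset, and the real daemon is a stand-in callable.

```python
import re

# Constructed grammar for a small SMTP subset; the gateway checks syntax only.
GRAMMAR = {
    "HELO": re.compile(r"HELO [A-Za-z0-9.-]+"),
    "MAIL": re.compile(r"MAIL FROM:<(|[^<>\s]+@[A-Za-z0-9.-]+)>"),
    "RCPT": re.compile(r"RCPT TO:<[^<>\s]+@[A-Za-z0-9.-]+>"),
    "DATA": re.compile(r"DATA"),
    "QUIT": re.compile(r"QUIT"),
}
# Which command verbs may legally follow the last forwarded one.
ORDER = {None: {"HELO", "QUIT"}, "HELO": {"MAIL", "QUIT"}, "MAIL": {"RCPT", "QUIT"},
         "RCPT": {"RCPT", "DATA", "QUIT"}, "DATA": {"QUIT"}, "QUIT": set()}

class SmtpGateway:
    """Syntax-checking proxy: forwards only well-formed commands in a legal
    order to the real daemon and records every line it sees for monitoring."""

    def __init__(self, real_daemon):
        self.real_daemon = real_daemon  # callable: command line -> daemon reply
        self.last = None                # verb of the last forwarded command
        self.log = []                   # (verdict, line) pairs for the operator

    def handle(self, line):
        """Check one command line; reply locally on rejection, else forward."""
        line = line.rstrip("\r\n")
        verb = line[:4].upper()
        if verb not in GRAMMAR or not GRAMMAR[verb].fullmatch(line):
            self.log.append(("reject-syntax", line))
            return "500 syntax error"          # never reaches the daemon
        if verb not in ORDER[self.last]:
            self.log.append(("reject-order", line))
            return "503 bad sequence of commands"
        self.log.append(("forward", line))
        self.last = verb
        return self.real_daemon(line)          # message body handling omitted

def demo():
    """Run a constructed session; returns replies, what the daemon saw, the log."""
    forwarded = []
    gw = SmtpGateway(lambda cmd: forwarded.append(cmd) or "250 OK")  # stand-in daemon
    session = [
        "MAIL FROM:<alice@example.org>",  # out of order: no HELO yet
        "HELO client.example",
        "MAIL FROM:<alice@example.org>",
        "RCPT TO:<bob@example.net>",
        "VRFY root",                      # verb the gateway does not know
        "RCPT TO:bob@example.net",        # malformed address
        "DATA",
    ]
    replies = [gw.handle(line) for line in session]
    return replies, forwarded, gw.log
```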