Firewalls For Dummies, 2nd Edition


Firewalls For Dummies, 2nd Edition
by Brian Komar, Ronald Beekelaar, and Joern Wettern, PhD

Firewalls For Dummies, 2nd Edition
Published by
Wiley Publishing, Inc.
909 Third Avenue
New York, NY 10022
www.wiley.com

Copyright 2003 by Wiley Publishing, Inc., Indianapolis, Indiana
Published by Wiley Publishing, Inc., Indianapolis, Indiana
Published simultaneously in Canada

No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8700. Requests to the Publisher for permission should be addressed to the Legal Department, Wiley Publishing, Inc., 10475 Crosspoint Blvd., Indianapolis, IN 46256, (317) 572-3447, fax (317) 572-4447, e-mail: permcoordinator@wiley.com.

Trademarks: Wiley, the Wiley Publishing logo, For Dummies, the Dummies Man logo, A Reference for the Rest of Us!, The Dummies Way, Dummies Daily, The Fun and Easy Way, Dummies.com and related trade dress are trademarks or registered trademarks of Wiley Publishing, Inc., in the United States and other countries, and may not be used without written permission. All other trademarks are the property of their respective owners. Wiley Publishing, Inc., is not associated with any product or vendor mentioned in this book.

LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: WHILE THE PUBLISHER AND AUTHOR HAVE USED THEIR BEST EFFORTS IN PREPARING THIS BOOK, THEY MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS BOOK AND SPECIFICALLY DISCLAIM ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES REPRESENTATIVES OR WRITTEN SALES MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR YOUR SITUATION. YOU SHOULD CONSULT WITH A PROFESSIONAL WHERE APPROPRIATE. NEITHER THE PUBLISHER NOR AUTHOR SHALL BE LIABLE FOR ANY LOSS OF PROFIT OR ANY OTHER COMMERCIAL DAMAGES, INCLUDING BUT NOT LIMITED TO SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR OTHER DAMAGES.

For general information on our other products and services or to obtain technical support, please contact our Customer Care Department within the U.S. at 800-762-2974, outside the U.S. at 317-572-3993, or fax 317-572-4002.

Wiley also publishes its books in a variety of electronic formats. Some content that appears in print may not be available in electronic books.

Library of Congress Control Number: 2003101908
ISBN: 0-7645-4048-3
Manufactured in the United States of America
10 9 8 7 6 5 4 3 2 1
2B/RT/QW/QT/IN
is a trademark of Wiley Publishing, Inc.

About the Authors

Brian Komar, B. Comm (Hons), a native of Canada, makes his living as a Public Key Infrastructure (PKI) consultant, speaker, author, and trainer. Brian speaks at conferences around the world on network design and security topics. His consulting practice focuses on PKI design and architecture projects and on research assignments specializing in interoperability between different vendors’ security products. In his spare time, Brian enjoys traveling and biking with his wife Krista and sharing a fine bottle of wine (or more) with his good friends.

Ronald Beekelaar, M.Sc., a native of The Netherlands, makes his living as a network security consultant, author, and trainer. Ronald frequently trains network administrators on network design and enterprise security topics. He writes articles for several computer magazines, mostly about operating systems and security issues. Ronald lives in Utrecht, The Netherlands, with his wife Kim. They enjoy traveling abroad. If they find the time, they often travel to European cities, especially London, to see a theater show and visit museums.

Joern Wettern, Ph.D., a native of Germany, is a network consultant and trainer. Joern has also developed a range of training materials for a large software publisher, and these materials are used to train thousands of network administrators around the world. He frequently travels to several continents to speak at computer conferences. Joern is paranoid enough to use an enterprise-class firewall to connect his home network. Somehow, he still manages to enjoy the occasional sunny day and the many rainy ones in Portland, Oregon, where he lives with his wife Loriann and three cats. In his spare time, of which there is precious little, Joern and his wife hike up the mountains of the Columbia Gorge and down the Grand Canyon. You can also find him attending folk music festivals and dancing like a maniac. Joern’s latest project is to learn how to herd his cats — without much success thus far.

The authors can be reached at FirewallsForDummies@hotmail.com.

Dedication

To Loriann, Krista, and Kim, and our parents.

Author’s Acknowledgments

This second edition would not have been possible without a large number of people, especially the good folks at Wiley. We want to thank Byron Hynes for being an excellent technical editor, and especially for the humor he contributed to the project; Melody Layne for pulling us together for another run at the content; Paul Levesque for his insights on the content; and Rebekah Mancilla for her editorial assistance.

Beyond the Wiley crew, we received help from firewall vendors who made it possible for us to cover a number of different products and helped us with issues that came up during the writing of the book. We would like to especially thank the ISA Server and PKI teams at Microsoft and Check Point for providing an evaluation copy of FireWall-1 NG.

Finally, not a single chapter of this book would have been possible without our spouses, who were willing to let us work on this project and thus are the real heroes in this story.

Publisher’s Acknowledgments

We’re proud of this book; please send us your comments through our online registration form located at www.dummies.com/register/.

Some of the people who helped bring this book to market include the following:

Acquisitions, Editorial, and Media Development
Project Editor: Paul Levesque (Previous Edition: Linda Morris)
Acquisitions Editor: Melody Layne
Copy Editor: Rebekah Mancilla
Technical Editor: Byron Hynes
Editorial Manager: Leah Cameron
Media Development Manager: Laura VanWinkle
Media Development Supervisor: Richard Graves

Production
Project Coordinator: Ryan Steffen
Layout and Graphics: Seth Conley, Carrie Foster, Lauren Goddard, Michael Kruzil, Tiffany Muth, Shelley Norris, Lynsey Osborn, Jacque Schneider
Proofreaders: Andy Hollandbeck, Angel Perez, Kathy Simpson, Charles Spencer, Brian Walls, TECHBOOKS Production Services
Indexer: TECHBOOKS Production Services
Editorial Assistant: Amanda Foxworth
Cartoons: Rich Tennant, www.the5thwave.com

Publishing and Editorial for Technology Dummies
Richard Swadley, Vice President and Executive Group Publisher
Andy Cummings, Vice President and Publisher
Mary C. Corder, Editorial Director

Publishing for Consumer Dummies
Diane Graves Steele, Vice President and Publisher
Joyce Pepple, Acquisitions Director

Composition Services
Gerry Fahey, Vice President of Production Services
Debbie Stailey, Director of Composition Services

Contents at a Glance

Introduction ..... 1
Part I: Introducing Firewall Basics ..... 7
Chapter 1: Why Do You Need a Firewall? ..... 9
Chapter 2: IP Addressing and Other TCP/IP Basics ..... 23
Chapter 3: Understanding Firewall Basics ..... 47
Chapter 4: Understanding Firewall Not-So-Basics ..... 71
Chapter 5: “The Key Is under the Mat” and Other Common Attacks ..... 97
Part II: Establishing Rules ..... 111
Chapter 6: Developing Policies ..... 113
Chapter 7: Establishing Rules for Simple Protocols ..... 121
Chapter 8: Designing Advanced Protocol Rules ..... 143
Chapter 9: Configuring “Employees Only” and Other Specific Rules ..... 163
Part III: Designing Network Configurations ..... 169
Chapter 10: Setting Up Firewalls for SOHO or Personal Use ..... 171
Chapter 11: Creating Demilitarized Zones with a Single Firewall ..... 179
Chapter 12: Designing Demilitarized Zones with Multiple Firewalls ..... 197
Part IV: Deploying Solutions Using Firewall Products ..... 211
Chapter 13: Using Windows as a Firewall ..... 213
Chapter 14: Configuring Linux as a Firewall ..... 233
Chapter 15: Configuring Personal Firewalls: ZoneAlarm, BlackICE, and Norton Personal Firewall ..... 249
Chapter 16: Microsoft’s Firewall: Internet Security and Acceleration Server ..... 295
Chapter 17: The Champ: Check Point FireWall-1 Next Generation ..... 331
Chapter 18: Choosing a Firewall That Meets Your Needs ..... 357
Part V: The Part of Tens ..... 365
Chapter 19: Ten Tools You Can’t Do Without ..... 367
Chapter 20: Ten Web Sites to Visit ..... 375
Appendix: Protocol Listings and More ..... 383
Index ..... 393

Table of Contents

Introduction ..... 1
  About This Book ..... 2
  How to Use This Book ..... 2
  What You Don’t Need to Read ..... 2
  Foolish Assumptions ..... 2
  How This Book Is Organized ..... 3
    Part I: Introducing Firewall Basics ..... 3
    Part II: Establishing Rules ..... 3
    Part III: Designing Network Configurations ..... 4
    Part IV: Deploying Solutions Using Firewall Products ..... 4
    Part V: The Part of Tens ..... 4
  Icons Used in This Book ..... 5
  Where to Go from Here ..... 5

Part I: Introducing Firewall Basics ..... 7

Chapter 1: Why Do You Need a Firewall? ..... 9
  Defining a Firewall ..... 9
  The Value of Your Network ..... 11
  Get Yourself Connected ..... 12
    Modem dial-up connections ..... 13
    ISDN connections ..... 14
    DSL connections ..... 14
    Cable modems ..... 15
    T1 and T3 ..... 16
    Address types ..... 17
    The need for speed and security ..... 17
  TCP/IP Basics ..... 18
  What Firewalls Do ..... 19
  What Firewalls Look Like ..... 20
    A firewall that fits ..... 20
    Network router ..... 21
    Appliance ..... 21
    Software-only firewalls ..... 21
    All-in-one tools ..... 21
  Rules, Rules, Everywhere Rules ..... 22

Chapter 2: IP Addressing and Other TCP/IP Basics ..... 23
  How Suite It Is: The TCP/IP Suite of Protocols ..... 24
    Sizing up the competition ..... 24
    Networking for the Cold War: A very short history of TCP/IP ..... 25
  Peeling Away the Protocol Layers ..... 26
  The Numbers Game: Address Basics ..... 28
  URLs: How to Reference Resources ..... 32
  Understanding IP Addresses ..... 33
    1 and 1 is 10 ..... 33
    What IP addresses mean ..... 34
  Private IP Addresses ..... 36
  Dissecting Network Traffic: The Anatomy of an IP Packet ..... 37
    Source address ..... 37
    Destination address ..... 38
    Transport layer protocol ..... 38
    Other stuff ..... 38
    The other Internet layer protocol: ICMP ..... 38
  Transport Layer Protocols ..... 39
    Staying connected: UDP and TCP ..... 39
    Ports are not only for sailors ..... 40
    Some ports are well known ..... 41
  Application Layer Protocols ..... 42
    HTTP ..... 42
    SMTP ..... 43
    POP3 ..... 43
    DNS ..... 43
    Telnet ..... 43
    Complex protocols ..... 44
    FTP ..... 44
    Future protocols ..... 45
  The Keeper of the Protocols ..... 45
  Putting It All Together: How a Request Is Processed ..... 46

Chapter 3: Understanding Firewall Basics ..... 47
  What Firewalls Do (And Where’s the Fire, Anyway?) ..... 48
    Basic functions of a firewall ..... 48
    What a firewall can’t do ..... 50
  General Strategy: Allow-All or Deny-All ..... 51
  Packet Filtering ..... 54
    Filtering IP data ..... 55
    Stateful packet filtering ..... 60
  Network Address Translation (NAT) ..... 62
    Security aspects of NAT ..... 63
    Consequences of NAT ..... 64
  Application Proxy ..... 65
  Monitoring and Logging ..... 68

Chapter 4: Understanding Firewall Not-So-Basics ..... 71
  Making Internal Servers Available: Static Address Mapping ..... 73
    Static IP address assignment ..... 74
    Static inbound translation ..... 75
  Filtering Content and More ..... 76
  Detecting Intrusion ..... 79
    Detecting an intrusion in progress ..... 80
    Responding to an intrusion ..... 81
    Reacting to a security incident ..... 82
  Improving Performance by Caching and Load Balancing ..... 83
    Caching Web results ..... 84
    United we stand, dividing the load ..... 86
  Using Encryption to Prevent Modification or Inspection ..... 88
    Encryption and firewalls ..... 88
    Who are you: Authentication protocols ..... 89
    The S in HTTPS ..... 90
    IP and security: IPSec ..... 91
  Virtual Private Networks (VPNs) ..... 92

Chapter 5: “The Key Is under the Mat” and Other Common Attacks ..... 97
  Intrusion Attacks: A Stranger in the House ..... 97
  Denial-of-service Attacks ..... 99
    When everyone is out to get you: Distributed DoS attacks ..... 100
H
