Defense Against Network Attack
21.4 Defense Against Network Attack
However, packet filters can be defeated by a number of tricks. For example, a packet can be fragmented in such a way that the initial fragment (which passes the firewall’s inspection) is overwritten by a subsequent fragment, thereby replacing the source address with one that violates the firewall’s security policy.

Another limitation is that maintaining a blacklist is difficult, and especially so when it’s not the IP address specifically you want to block, but something that resolves into an IP address, especially on a transient basis. For example, the phishermen are starting to use tricks like fast-flux in which a site’s IP address changes several times an hour.

21.4.2.2 Circuit Gateways

The next step up is a more complex arrangement, a circuit gateway, that operates at level 4, typically by reassembling and examining all the packets in each TCP session. This is more expensive than simple packet filtering; its main advantage is that it can also provide the added functionality of a virtual private network whereby corporate traffic passed over the Internet is encrypted from firewall to firewall. I’ll discuss the IPSEC protocol that’s used for this in the last section of this chapter.

TCP-level filtering can be used to do a few more things, such as DNS filtering. However, it can’t screen out bad things at the application level, such as malicious code, image spam and unlawful images of child abuse. Thus it may often be programmed to direct certain types of traffic to specific application filters. An example is British Telecom’s CleanFeed system, which tries to prevent its customers getting access to child pornography. As some bad sites are hosted on public web services and blocking all the web pages at the service would be excessive, TCP/IP filtering is used to redirect traffic with such sites to a proxy that can examine it in detail.
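The overlapping-fragment trick described in the packet-filter paragraph above works only if the filter trusts the first fragment and lets later ones rewrite the same bytes. The following is an added example, not code from the original text: a filter-side check that groups fragments by datagram and refuses any datagram whose fragments cover the same byte range twice. The `Fragment` record, the function names and the sample traffic are all constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple

class Fragment(NamedTuple):      # hypothetical record a filter might keep
    src: str
    dst: str
    proto: int
    ident: int                   # IP Identification field
    offset: int                  # payload offset in bytes
    length: int                  # payload bytes in this fragment

def datagram_key(f):
    # Fragments of one datagram share source, destination, protocol and ID.
    return (f.src, f.dst, f.proto, f.ident)

def find_overlaps(fragments):
    """Map datagram key -> [(offset_a, offset_b)] for fragments that overlap."""
    groups = defaultdict(list)
    for f in fragments:
        groups[datagram_key(f)].append(f)
    findings = {}
    for key, frags in groups.items():
        end, owner, hits = 0, None, []
        for f in sorted(frags, key=lambda f: (f.offset, f.length)):
            # A fragment starting before the bytes already covered would
            # overwrite data the filter has already inspected.
            if owner is not None and f.length > 0 and f.offset < end:
                hits.append((owner.offset, f.offset))
            if f.offset + f.length > end:
                end, owner = f.offset + f.length, f
        if hits:
            findings[key] = hits
    return findings

def filter_decision(fragments):
    """Strict policy (an assumption): any overlap, even a duplicate, is dropped."""
    bad = find_overlaps(fragments)
    keys = {datagram_key(f) for f in fragments}
    return {k: ("drop" if k in bad else "reassemble") for k in keys}

# Constructed sample traffic (documentation address ranges).
CLEAN = ("192.0.2.10", "198.51.100.5", 6, 0x1A2B)
OVERLAP = ("192.0.2.10", "198.51.100.5", 6, 0x1A2C)
SAMPLE = [
    Fragment(*CLEAN, 0, 24), Fragment(*CLEAN, 24, 16),
    Fragment(*OVERLAP, 0, 24), Fragment(*OVERLAP, 8, 16),   # rewrites bytes 8..23
]

if __name__ == "__main__":
    for key, verdict in sorted(filter_decision(SAMPLE).items()):
        print(hex(key[3]), verdict)
```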