654 Chapter 21 ■ Network Attack and Defense

staff by letting them buy Macs; but there is still going to be a residual risk. One common way of dealing with it is to strip out all executables at your firewall.

21.4.2 Filtering: Firewalls, Spam Filters, Censorware and Wiretaps

The most widely sold solution to the ‘problems of Internet security’ is the firewall. This is a machine which stands between a local system and the Internet and filters out traffic that might be harmful. The idea of a ‘solution in a box’ has great appeal to many organisations, and is now so widely accepted that it’s seen as an essential part of corporate due diligence. (This in itself creates a risk — many firms prefer expensive firewalls to good ones.)

Firewalls are just one example of systems that examine streams of packets and perform filtering operations. Bad packets may be thrown away, or modified in such a way as to make them harmless. They may also be copied to a log or audit trail. Very similar systems are also used for Internet censorship and for law-enforcement wiretapping; almost everything I’ll discuss in this section goes across to those applications too. Developments in any of these fields potentially affect the others; and actual systems may have overlapping functions. For example, many corporate firewalls or mail filters screen out pornography, and some even block bad language, while ISP systems that censor child pornography or dissenting political speech may report the perpetrators automatically to the authorities.

Filters come in basically three flavours, depending on whether they operate at the IP packet level, at the TCP session level or at the application level.

21.4.2.1 Packet Filtering

The simplest kind of filter merely inspects packet addresses and port numbers. This functionality is also available in routers, in Linux and indeed in Windows. A firewall can block IP spoofing by ensuring that only ‘local’ packets leave a network, and only ‘foreign’ ones enter. It can also stop denial-of-service attacks in which malformed packets are sent to a host. It’s also easy to block traffic to or from ‘known bad’ IP addresses. For example, IP filtering is a major component of the censorship mechanisms in the Great Firewall of China; a list of bad IP addresses can be kept in router hardware, which enables packet filtering to be done at great speed.

Basic packet filtering is also available as standard on most machines and can be used for more mundane firewalling tasks. For example, packet filters can be configured to block all traffic except that arriving on specific port numbers. The configuration might be initially to allow the ports used by common services such as email and web traffic, and then open up ports as the protected machine or subnet uses them.
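The three packet-filtering rules described in this section (anti-spoofing on ingress and egress, a ‘known bad’ address list, and an allowlist of inbound service ports) as a small stateless filter in Python. This is an added illustration, not code from the book; the network range, the bad address and the sample packets are constructed.

```python
# Toy stateless packet filter: inspects only addresses and ports, as in 21.4.2.1.
# Illustrative example, not from the book. All addresses below are constructed.
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.0.2.0/24")        # the protected subnet (constructed)
BAD_IPS = {ip_address("198.51.100.7")}        # a 'known bad' address (constructed)
ALLOWED_INBOUND_PORTS = {25, 80, 443}         # mail and web opened initially


def filter_packet(direction, src, dst, dport):
    """Return 'ACCEPT' or 'DROP' for one packet.

    direction is 'in' (arriving from the Internet) or 'out' (leaving LOCAL_NET).
    """
    src, dst = ip_address(src), ip_address(dst)
    # Anti-spoofing: only local sources may leave, only foreign sources may enter.
    if direction == "out" and src not in LOCAL_NET:
        return "DROP"
    if direction == "in" and src in LOCAL_NET:
        return "DROP"
    # Known-bad addresses are blocked in either direction.
    if src in BAD_IPS or dst in BAD_IPS:
        return "DROP"
    # Inbound traffic is limited to explicitly opened service ports.
    if direction == "in" and dport not in ALLOWED_INBOUND_PORTS:
        return "DROP"
    return "ACCEPT"


# Constructed sample packets: (direction, source, destination, destination port)
SAMPLE = [
    ("in", "203.0.113.5", "192.0.2.10", 443),   # foreign -> local web: accept
    ("in", "192.0.2.99", "192.0.2.10", 443),    # local source arriving from outside: drop
    ("out", "10.9.9.9", "203.0.113.5", 80),     # non-local source leaving: drop
    ("in", "198.51.100.7", "192.0.2.10", 80),   # known-bad source: drop
    ("in", "203.0.113.5", "192.0.2.10", 23),    # port not opened: drop
    ("out", "192.0.2.10", "203.0.113.5", 22),   # local host going out: accept
]


def run_samples():
    """Apply the filter to every sample packet and return the verdicts in order."""
    return [filter_packet(*pkt) for pkt in SAMPLE]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_samples()):
        print(verdict, pkt)
```

A real filter in a router or in the Linux kernel applies the same checks per packet, but keeps the address lists in fast lookup tables rather than Python sets.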