| |
Before being able to understand a complete discussion of firewalls, it's
important to understand the basic principles that make firewalls work.
A firewall is a system or group of systems that enforces an access control
policy between two networks. The actual means by which this is accomplished
varies widely, but in principle, the firewall can be thought of as a pair of
mechanisms: one which exists to block traffic, and the other which exists to
permit traffic. Some firewalls place a greater emphasis on blocking traffic,
while others emphasize permitting traffic. Probably the most important thing to
recognize about a firewall is that it implements an access control policy. If
you don't have a good idea of what kind of access you want to allow or to deny,
a firewall really won't help you. It's also important to recognize that the
firewall's configuration, because it is a mechanism for enforcing policy,
imposes its policy on everything behind it. Administrators for firewalls
managing the connectivity for a large number of hosts therefore have a heavy
responsibility.
The Internet, like any other society, is plagued with the kind of jerks who
enjoy the electronic equivalent of writing on other people's walls with
spraypaint, tearing their mailboxes off, or just sitting in the street blowing
their car horns. Some people try to get real work done over the Internet, and
others have sensitive or proprietary data they must protect. Usually, a
firewall's purpose is to keep the jerks out of your network while still letting
you get your job done.
Many
traditional-style corporations and data centers have computing security policies
and practices that must be adhered to. In a case where a company's policies
dictate how data must be protected, a firewall is very important, since it is
the embodiment of the corporate policy. Frequently, the hardest part of hooking
to the Internet, if you're a large company, is not justifying the expense or
effort, but convincing management that it's safe to do so. A firewall provides
not only real security--it often plays an important role as a security blanket
for management.
Lastly, a firewall
can act as your corporate ``ambassador'' to the Internet. Many corporations use
their firewall systems as a place to store public information about corporate
products and services, files to download, bug-fixes, and so forth. Several of
these systems have become important parts of the Internet service structure
(e.g.: UUnet.uu.net , whitehouse.gov , gatekeeper.dec.com )
and have reflected well on their organizational sponsors.
Some firewalls permit only email traffic through them, thereby protecting the
network against any attacks other than attacks against the email service. Other
firewalls provide less strict protections, and block services that are known to
be problems.
Generally, firewalls
are configured to protect against unauthenticated interactive logins from the
``outside'' world. This, more than anything, helps prevent vandals from logging
into machines on your network. More elaborate firewalls block traffic from the
outside to the inside, but permit users on the inside to communicate freely with
the outside. The firewall can protect you against any type of network-borne
attack if you unplug it.
Firewalls are also
important since they can provide a single ``choke point'' where security and
audit can be imposed. Unlike in a situation where a computer system is being
attacked by someone dialing in with a modem, the firewall can act as an
effective ``phone tap'' and tracing tool. Firewalls provide an important logging
and auditing function; often they provide summaries to the administrator about
what kinds and amount of traffic passed through it, how many attempts there were
to break into it, etc.
This is an important point: providing this ``choke point''
can serve the same purpose on your network as a guarded gate can for your site's
physical premises. That means anytime you have a change in ``zones'' or levels
of sensitivity, such a checkpoint is appropriate. A company rarely has only an
outside gate and no receptionist or security staff to check badges on the way
in. If there are layers of security on your site, it's reasonable to expect
layers of security on your network.
|
| |
|
Firewalls can't protect very well against things like viruses. There are too
many ways of encoding binary files for transfer over networks, and too many
different architectures and viruses to try to search for them all. In other
words, a firewall cannot replace security-consciousness on the part of your
users. In general, a firewall cannot protect against a data-driven
attack--attacks in which something is mailed or copied to an internal host where
it is then executed. This form of attack has occurred in the past against
various versions of sendmail, ghostscript, and scripting mail user
agents like OutLook.
Organizations that
are deeply concerned about viruses should implement organization-wide virus
control measures. Rather than trying to screen viruses out at the firewall, make
sure that every vulnerable desktop has virus scanning software that is run when
the machine is rebooted. Blanketing your network with virus scanning software
will protect against viruses that come in via floppy disks, modems, and
Internet. Trying to block viruses at the firewall will only protect against
viruses from the Internet--and the vast majority of viruses are caught via
floppy disks.
Nevertheless, an
increasing number of firewall vendors are offering ``virus detecting''
firewalls. They're probably only useful for naive users exchanging
Windows-on-Intel executable programs and malicious-macro-capable application
documents. There are many firewall-based approaches for dealing with problems
like the ``ILOVEYOU'' worm and related attacks, but these are really
oversimplified approaches that try to limit the damage of something that is so
stupid it never should have occurred in the first place. Do not count on any
protection from attackers with this feature.
A strong firewall is
never a substitute for sensible software that recognizes the nature of what it's
handling--untrusted data from an unauthenticated party--and behaves
appropriately. Do not think that because ``everyone'' is using that mailer or
because the vendor is a gargantuan multinational company, you're safe. In fact,
it isn't true that ``everyone'' is using any mailer, and companies that
specialize in turning technology invented elsewhere into something that's ``easy
to use'' without any expertise are more likely to produce software that can be
fooled.
Some have argued that this is the case. Before pronouncing such a sweeping
prediction, however, it's worthwhile to consider what IPSEC is and what it does.
Once we know this, we can consider whether IPSEC will solve the problems that
we're trying to solve with firewalls.
IPSEC (IP SECurity)
refers to a set of standards developed by the Internet Engineering Task Force (IETF).
There are many documents that collectively define what is known as ``IPSEC'' [4].
IPSEC solves two problems which have plagued the IP protocol suite for years:
host-to-host authentication (which will let hosts know that they're talking to
the hosts they think they are) and encryption (which will prevent attackers from
being able to watch the traffic going between machines).
Note that neither of
these problems is what firewalls were created to solve. Although firewalls can
help to mitigate some of the risks present on an Internet without authentication
or encryption, there are really two classes of problems here: integrity and
privacy of the information flowing between hosts and the limits placed on what
kinds of connectivity is allowed between different networks. IPSEC addresses the
former class and firewalls the latter.
What this means is
that one will not eliminate the need for the other, but it does create some
interesting possibilities when we look at combining firewalls with IPSEC-enabled
hosts. Namely, such things as vendor-independent virtual private networks (VPNs),
better packet filtering (by filtering on whether packets have the IPSEC
authentication header), and application-layer firewalls will be able to have
better means of host verification by actually using the IPSEC authentication
header instead of ``just trusting'' the IP address presented.
There are a number of basic design issues that should be addressed by the lucky
person who has been tasked with the responsibility of designing, specifying, and
implementing or overseeing the installation of a firewall.
The first and most
important decision reflects the policy of how your company or organization wants
to operate the system: is the firewall in place explicitly to deny all services
except those critical to the mission of connecting to the Net, or is the
firewall in place to provide a metered and audited method of ``queuing'' access
in a non-threatening manner? There are degrees of paranoia between these
positions; the final stance of your firewall might be more the result of a
political than an engineering decision.
The second is: what
level of monitoring, redundancy, and control do you want? Having established the
acceptable risk level (e.g., how paranoid you are) by resolving the first issue,
you can form a checklist of what should be monitored, permitted, and denied. In
other words, you start by figuring out your overall objectives, and then combine
a needs analysis with a risk assessment, and sort the almost always conflicting
requirements out into a laundry list that specifies what you plan to implement.
The third issue is
financial. We can't address this one here in anything but vague terms, but it's
important to try to quantify any proposed solutions in terms of how much it will
cost either to buy or to implement. For example, a complete firewall product may
cost between $100,000 at the high end, and free at the low end. The free option,
of doing some fancy configuring on a Cisco or similar router will cost nothing
but staff time and a few cups of coffee. Implementing a high end firewall from
scratch might cost several man-months, which may equate to $30,000 worth of
staff salary and benefits. The systems management overhead is also a
consideration. Building a home-brew is fine, but it's important to build it so
that it doesn't require constant (and expensive) attention. It's important, in
other words, to evaluate firewalls not only in terms of what they cost now, but
continuing costs such as support.
On the technical
side, there are a couple of decisions to make, based on the fact that for all
practical purposes what we are talking about is a static traffic routing service
placed between the network service provider's router and your internal network.
The traffic routing service may be implemented at an IP level via something like
screening rules in a router, or at an application level via proxy gateways and
services.
The decision to make
is whether to place an exposed stripped-down machine on the outside network to
run proxy services for telnet, FTP, news, etc., or whether to set up a screening
router as a filter, permitting communication with one or more internal machines.
There are pluses and minuses to both approaches, with the proxy machine
providing a greater level of audit and potentially security in return for
increased cost in configuration and a decrease in the level of service that may
be provided (since a proxy needs to be developed for each desired service). The
old trade-off between ease-of-use and security comes back to haunt us with a
vengeance.
Conceptually, there are two types of firewalls:
1. Network
layer
2.
Application
layer
They are not as
different as you might think, and latest technologies are blurring the
distinction to the point where it's no longer clear if either one is ``better''
or ``worse.'' As always, you need to be careful to pick the type that meets your
needs.
Which is which depends on what mechanisms the firewall uses
to pass traffic from one security zone to another. The International Standards
Organization (ISO) Open Systems Interconnect (OSI) model for networking defines
seven layers, where each layer provides services that ``higher-level'' layers
depend on. In order from the bottom, these layers are physical, data link,
network, transport, session, presentation, application.
The important thing
to recognize is that the lower-level the forwarding mechanism, the less
examination the firewall can perform. Generally speaking, lower-level firewalls
are faster, but are easier to fool into doing the wrong thing.
These generally make
their decisions based on the source, destination addresses and ports (see
Appendix C for a more detailed discussion of
ports) in individual IP packets. A simple router is the ``traditional'' network
layer firewall, since it is not able to make particularly sophisticated
decisions about what a packet is actually talking to or where it actually came
from. Modern network layer firewalls have become increasingly sophisticated, and
now maintain internal information about the state of connections passing through
them, the contents of some of the data streams, and so on. One thing that's an
important distinction about many network layer firewalls is that they route
traffic directly though them, so to use one you either need to have a validly
assigned IP address block or to use a ``private internet'' address block [3].
Network layer firewalls tend to be very fast and tend to be very transparent to
users.
|
|
Figure
1:
Screened Host Firewall
|
|
|
|
In Figure 1, a network
layer firewall called a ``screened host firewall'' is represented. In a screened
host firewall, access to and from a single host is controlled by means of a
router operating at a network layer. The single host is a bastion host; a
highly-defended and secured strong-point that (hopefully) can resist attack.
|
|
| |
|
Figure
3:
Dual Homed Gateway
|
|
|
|
Example
Application layer firewall
: In figure 3, an application layer
firewall called a "dual homed gateway"' is represented. A dual homed gateway is
a highly secured host that runs proxy software. It has two network interfaces,
one on each network, and blocks all traffic passing through it.
The Future
of firewalls lies someplace between network layer firewalls and application
layer firewalls. It is likely that network layer firewalls will become
increasingly ``aware'' of the information going through them, and application
layer firewalls will become increasingly ``low level'' and transparent. The end
result will be a fast packet-screening system that logs and audits data as it
passes through. Increasingly, firewalls (network and application layer)
incorporate encryption so that they may protect traffic passing between them
over the Internet. Firewalls with end-to-end encryption can be used by
organizations with multiple points of Internet connectivity to use the Internet
as a ``private backbone'' without worrying about their data or passwords being
sniffed.
A proxy server (sometimes referred to as an application gateway or forwarder) is
an application that mediates traffic between a protected network and the
Internet. Proxies are often used instead of router-based traffic controls, to
prevent traffic from passing directly between networks. Many proxies contain
extra logging or support for user authentication. Since proxies must
``understand'' the application protocol being used, they can also implement
protocol specific security (e.g., an FTP proxy might be configurable to permit
incoming FTP and block outgoing FTP).
Proxy servers are application specific. In order to support a
new protocol via a proxy, a proxy must be developed for it. One popular set of
proxy servers is the TIS Internet Firewall Toolkit (``FWTK'') which includes
proxies for Telnet, rlogin, FTP, X-Window, HTTP/Web, and NNTP/Usenet news. SOCKS
is a generic proxy system that can be compiled into a client-side application to
make it work through a firewall. Its advantage is that it's easy to use, but it
doesn't support the addition of authentication hooks or protocol specific
logging.
|
|
This example is written specifically
for ipfwadm on Linux, but the principles (and even much of the syntax)
applies for other kernel interfaces for packet screening on ``open source'' Unix
systems.
There are four basic categories covered by the ipfwadm
rules:
-A
Packet
Accounting
-I
Input
firewall
-O
Output
firewall
-F
Forwarding
firewall
ipfwadm
also has masquerading (-M) capabilities. For more information on
switches and options, see the ipfwadm
man page.
It's important to understand the critical resources of your firewall
architecture, so when you do capacity planning, performance optimizations, etc.,
you know exactly what you need to do, and how much you need to do it in order to
get the desired result.
What exactly the
firewall's critical resources are tends to vary from site to site, depending on
the sort of traffic that loads the system. Some people think they'll
automatically be able to increase the data throughput of their firewall by
putting in a box with a faster CPU, or another CPU, when this isn't necessarily
the case. Potentially, this could be a large waste of money that doesn't do
anything to solve the problem at hand or provide the expected scalability.
On busy systems, memory
is extremely important. You have to have enough RAM to support every instance of
every program necessary to service the load placed on that machine. Otherwise,
the swapping will start and the productivity will stop. Light swapping isn't
usually much of a problem, but if a system's swap space begins to get busy, then
it's usually time for more RAM. A system that's heavily swapping is often
relatively easy to push over the edge in a denial-of-service attack, or simply
fall behind in processing the load placed on it. This is where long email delays
start.
Beyond the system's requirement for memory, it's useful to
understand that different services use different system resources. So the
configuration that you have for your system should be indicative of the kind of
load you plan to service. A 700 MHz processor isn't going to do you much good if
all you're doing is netnews and mail, and are trying to do it on an IDE disk
with an ISA controller.
|
|
Table
1:
Critical Resources for Firewall Services
|
|
Service
|
Critical
Resource
|
|
Email
|
Disk
I/O
|
|
Netnews
|
Disk
I/O
|
|
Web
|
Host
OS Socket Performance
|
|
IP
Routing
|
Host
OS Socket Performance
|
|
Web
Cache
|
Host
OS Socket Performance, Disk I/O
|
|
``DMZ'' is an abbreviation for ``demilitarized zone''. In the context of
firewalls, this refers to a part of the network that is neither part of the
internal network nor directly part of the Internet. Typically, this is the area
between your Internet access router and your bastion host, though it can be
between any two policy-enforcing components of your architecture.
A DMZ can be created
by putting access control lists on your access router. This minimizes the
exposure of hosts on your external LAN by allowing only recognized and managed
services on those hosts to be accessible by hosts on the Internet. Many
commercial firewalls simply make a third interface off of the bastion host and
label it the DMZ. The point is that the network is neither ``inside'' nor
``outside''.
For example, a web server running on NT might be vulnerable to
a number of denial-of-service attacks against such services as RPC, NetBIOS and
SMB. These services are not required for the operation of a web server, so
blocking TCP connections to ports 135, 137, 138, and 139 on that host will
reduce the exposure to a denial-of-service attack. In fact, if you block
everything but HTTP traffic to that host, an attacker will only have one service
to attack.
This illustrates an
important principle: never offer attackers more to work with than is absolutely
necessary to support the services you want to offer the public.
A common approach for an attacker is to break into a host that's vulnerable to
attack, and exploit trust relationships between the vulnerable host and more
interesting targets.
If you are running a number of services that have different
levels of security, you might want to consider breaking your DMZ into several
``security zones''. This can be done by having a number of different networks
within the DMZ. For example, the access router could feed two ethernets, both
protected by ACLs, and therefore in the DMZ.
On one of the ethernets, you might have hosts whose purpose is
to service your organization's need for Internet connectivity. These will likely
relay mail, news, and host DNS. On the other ethernet could be your web server(s)
and other hosts that provide services for the benefit of Internet users.
In many organizations, services for Internet users tend to be
less carefully guarded and are more likely to be doing insecure things. (For
example, in the case of a web server, unauthenticated and untrusted users might
be running CGI or other executable programs. This might be reasonable for your
web server, but brings with it a certain set of risks that need to be managed.
It is likely these services are too risky for an organization to run them on a
bastion host, where a slip-up can result in the complete failure of the security
mechanisms.)
By putting hosts with similar levels of risk on networks
together in the DMZ, you can help minimize the effect of a breakin at your site.
If someone breaks into your web server by exploiting some bug in your web
server, they'll not be able to use it as a launching point to break into your
private network if the web servers are on a separate LAN from the bastion hosts,
and you don't have any trust relationships between the web server and bastion
host.
Now, keep in mind that we're running ethernet here. If someone
breaks into your web server, and your bastion host is on the same ethernet, an
attacker can install a sniffer on your web server, and watch the traffic to and
from your bastion host. This might reveal things that can be used to break into
the bastion host and gain access to the internal network.
Splitting services up not only by host, but by network, and
limiting the level of trust between hosts on those networks, you can greatly
reduce the likelihood of a breakin on one host being used to break into the
other. Succinctly stated: breaking into the web server in this case won't make
it any easier to break into the bastion host.
You can also increase
the scalability of your architecture by placing hosts on different networks. The
fewer machines that there are to share the available bandwidth, the more
bandwidth that each will get.
|
An architecture whose security hinges upon one mechanism has a single point of
failure. Software that runs bastion hosts has bugs. Applications have bugs.
Software that controls routers has bugs. It makes sense to use all of these
components to build a securely designed network, and to use them in redundant
ways.
If your firewall
architecture is a screened subnet, you have two packet filtering routers and a
bastion host. (See question 3.2 from this
section.) Your Internet access router will not permit traffic from the Internet
to get all the way into your private network. However, if you don't enforce that
rule with any other mechanisms on the bastion host and/or choke router, only one
component of your architecture needs to fail or be compromised in order to get
inside. On the other hand, if you have a redundant rule on the bastion host, and
again on the choke router, an attacker will need to defeat three
mechanisms.
Further, if the
bastion host or the choke router needs to invoke its rule to block outside
access to the internal network, you might want to have it trigger an alarm of
some sort, since you know that someone has gotten through your access router.
For firewalls where the emphasis is on security instead of connectivity, you
should consider blocking everything by default, and only specifically
allowing what services you need on a case-by-case basis.
If you block
everything, except a specific set of services, then you've already made your job
much easier. Instead of having to worry about every security problem with
everything product and service around, you only need to worry about every
security problem with a specific set of services and products. :-)
Before turning on a
service, you should consider a couple of questions:
- Is
the protocol for this product a well-known, published protocol?
- Is
the application to service this protocol available for public inspection of
its implementation?
- How
well known is the service and product?
- How
does allowing this service change the firewall architecture? Will an
attacker see things differently? Could it be exploited to get at my internal
network, or to change things on hosts in my DMZ?
When considering the
above questions, keep the following in mind:
- ``Security
through obscurity'' is no security at all. Unpublished protocols have been
examined by bad guys and defeated.
- Despite
what the marketing representatives say, not every protocol or service is
designed with security in mind. In fact, the number that are is very few.
- Even
in cases where security is a consideration, not all organizations have
competent security staff. Among those who don't, not all are willing to
bring a competent consultant into the project. The end result is that
otherwise-competent, well-intended developers can design insecure systems.
- The
less that a vendor is willing to tell you about how their system really
works, the more likely it is that security (or other) problems exist. Only
vendors with something to hide have a reason to hide their designs and
implementations.
2.10 How
can I restrict web access so users can't view sites unrelated to work?
Top
A few years ago, someone got the idea that it's a good idea to block ``bad'' web
sites, i.e., those that contain material that The Company views
``inappropriate''. The idea has been increasing in popularity, but there are
several things to consider when thinking about implementing such controls in
your firewall.
- It
is not possible to practically block everything that an employer deems
``inappropriate''. The Internet is full of every sort of material. Blocking
one source will only redirect traffic to another source of such material, or
cause someone to figure a way around the block.
- Most
organizations do not have a standard for judging the appropriateness of
material that their employees bring to work, i.e., books, magazines, etc. Do
you inspect everyone's briefcase for ``inappropriate material'' every day?
If you do not, then why would you inspect every packet for ``inappropriate
material''? Any decisions along those lines in such an organization will be
arbitrary. Attempting to take disciplinary action against an employee where
the only standard is arbitrary typically isn't wise, for reasons well beyond
the scope of this document.
- Products
that perform site-blocking, commercial and otherwise, are typically easy to
circumvent. Hostnames can be rewritten as IP addresses. IP addresses can be
written as a 32-bit integer value, or as four 8-bit integers (the most
common form). Other possibilities exist, as well. Connections can be proxied.
Web pages can be fetched via email. You can't block them all. The effort
that you'll spend trying to implement and manage such controls will almost
certainly far exceed any level of damage control that you're hoping to have.
The rule-of-thumb to
remember here is that you cannot solve social problems with technical solutions.
If there is a problem with someone going to an ``inappropriate'' web site, that
is because someone else saw it and was offended by what he saw, or
because that
person's productivity is below expectations. In either case, those are matters
for the personnel department, not the firewall administrator.
3 Various
Attacks
3.1 What
is source routed traffic and why is it a threat?
Top
Normally, the route a packet takes from its source to its destination is
determined by the routers between the source and destination. The packet itself
only says where it wants to go (the destination address), and nothing about how
it expects to get there.
There is an optional
way for the sender of a packet (the source) to include information in the packet
that tells the route the packet should take to get to its destination; thus the
name ``source routing''. For a firewall, source routing is noteworthy, since an
attacker can generate traffic claiming to be from a system ``inside'' the
firewall. In general, such traffic wouldn't route to the firewall properly, but
with the source routing option, all the routers between the attacker's machine
and the target will return traffic along the reverse path of the source route.
Implementing such an attack is quite easy; so firewall builders should not
discount it as unlikely to happen.
In practice, source
routing is very little used. In fact, generally the main legitimate use is in
debugging network problems or routing traffic over specific links for congestion
control for specialized situations. When building a firewall, source routing
should be blocked at some point. Most commercial routers incorporate the ability
to block source routing specifically, and many versions of Unix that might be
used to build firewall bastion hosts have the ability to disable or ignore
source routed traffic.
3 .2
What are ICMP redirects
and redirect bombs?
Top
An ICMP Redirect tells the recipient system to over-ride something in its
routing table. It is legitimately used by routers to tell hosts that the host is
using a non-optimal or defunct route to a particular destination, i.e. the host
is sending it to the wrong router. The wrong router sends the host back an ICMP
Redirect packet that tells the host what the correct route should be. If you can
forge ICMP Redirect packets, and if your target host pays attention to them, you
can alter the routing tables on the host and possibly subvert the security of
the host by causing traffic to flow via a path the network manager didn't
intend. ICMP Redirects also may be employed for denial of service attacks, where
a host is sent a route that loses it connectivity, or is sent an ICMP Network
Unreachable packet telling it that it can no longer access a particular network.
Many firewall
builders screen ICMP traffic from their network, since it limits the ability of
outsiders to ping hosts, or modify their routing tables.
Before you decide to
completely block ICMP, you should be aware of how the TCP protocol does ``Path
MTU Discovery'', to make certain that you don't break connectivity to other
sites. If you can't safely block it everywhere, you can consider allowing
selected types of ICMP to selected routing devices. If you don't block it, you
should at least ensure that your routers and hosts don't respond to broadcast
ping packets.
3.3 What
about denial of service?
Top
Denial of service is when someone decides to make your network or firewall
useless by disrupting it, crashing it, jamming it, or flooding it. The problem
with denial of service on the Internet is that it is impossible to prevent. The
reason has to do with the distributed nature of the network: every network node
is connected via other networks which in turn connect to other networks, etc. A
firewall administrator or ISP only has control of a few of the local elements
within reach. An attacker can always disrupt a connection ``upstream'' from
where the victim controls it. In other words, if someone wanted to take a
network off the air, they could do it either by taking the network off the air,
or by taking the networks it connects to off the air, ad infinitum. There are
many, many, ways someone can deny service, ranging from the complex to the
brute-force. If you are considering using Internet for a service which is
absolutely time or mission critical, you should consider your fall-back position
in the event that the network is down or damaged.
TCP/IP's UDP echo
service is trivially abused to get two servers to flood a network segment with
echo packets. You should consider commenting out unused entries in /etc/inetd.conf
of Unix hosts, adding no
ip small-servers to Cisco
routers, or the equivalent for your components.
3.4 What
are some common attacks, and how can I protect my system against them?
Top
Each site is a little different from every other in terms of what attacks are
likely to be used against it. Some recurring themes do arise, though.
This is where a
spammer will take many thousands of copies of a message and send it to a huge
list of email addresses. Because these lists are often so bad, and in order to
increase the speed of operation for the spammer, many have resorted to simply
sending all of their mail to an SMTP server that will take care of actually
delivering the mail.
Of course, all of the
bounces, spam complaints, hate mail, and bad PR come for the site that was used
as a relay. There is a very real cost associated with this, mostly in paying
people to clean up the mess afterward.
The Mail Abuse
Prevention System
![[*]](http:www.indoeuro.com/images/s.htmf5.gif)
Transport Security Initiative
![[*]](http://www.indoeuro.com/images/s.htmf5.gif)
maintains a complete description of the problem, and how to configure about
every mailer on the planet to protect against this attack.
Various versions of
web servers, mail servers, and other Internet service software contain bugs that
allow remote (Internet) users to do things ranging from gain control of the
machine to making that application crash and just about everything in between.
The exposure to this
risk can be reduced by running only necessary services, keeping up to date on
patches, and using products that have been around a while.
Again, these are
typically initiated by users remotely. Operating systems that are relatively new
to IP networking tend to be more problematic, as more mature operating systems
have had time to find and eliminate their bugs. An attacker can often make the
target equipment continuously reboot, crash, lose the ability to talk to the
network, or replace files on the machine.
Here, running as few
operating system services as possible can help. Also, having a packet filter in
front of the operating system can reduce the exposure to a large number of these
types of attacks.
And, of course,
chosing a stable operating system will help here as well. When selecting an OS,
don't be fooled into believing that ``the pricier, the better''. Free operating
systems are often much more robust than their commercial counterparts.
|
