attacked from the bastion host should it be overcome. Be very particular about the specific services that are permitted to exist between your bastion host and your internal network. These configured and shared services can be the target of an attacker if the bastion host is ever compromised.

Solaris Network Security. Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService, August 1996.

Module 9: Fundamental Concepts

Limitations

Problems that are not addressed by firewalls:

- Attacks initiated from inside the firewall
- Attack methodologies not presently discovered
- Attacks originating from viruses
- Attacks resulting from insufficient filtering requirements
- Attacks facilitated through the absence of basic host security
- Attacks originating from connections not known to the firewall

Module Checklist

Having completed this module, you should be able to answer the following:

- What is a firewall and what is it designed to do?
- What are the critical components of firewalls?
- What are the capabilities of firewalls?
- What are the limitations of firewalls?

Appendix A: Introduction to the Inspection Language

Objectives

Upon completion of this appendix, you will be able to:

- Describe the basic advantages and disadvantages of using the Inspection Language.
- Describe the major elements of the Inspection Language.

General

Solstice FireWall-1 is equipped with a powerful language in which rule descriptions can be written without the GUI. This language is called the Filter Script language (or Inspection Language).

Advantages of Using the Inspection Language

The following possibilities should be pointed out:

- Rules can be assigned to specific interfaces.
- The limitation on commands is removed; arbitrary commands can be defined.
- The limitation on protocol variants is removed.
- The restrictions of the GUI no longer apply. Example: Service Manager, other services (fields incoming and outgoing).

Disadvantages

- A filter written in the Inspection Language cannot subsequently be edited with the GUI.
- It is difficult to write larger filters without mistakes, as there is no checking mechanism comparable to Policy Verify.

When to Use the Inspection Language

Normally the GUI is used to describe the policy. When its capabilities are no longer sufficient, the Inspection Language is used. Starting from the GUI in this way, the necessary predefinitions are included automatically.

When getting started with the language, it is worth analyzing the filter script generated by the GUI: the Policy View of the Rulebase Editor opens a subwindow that contains the generated filter script.

Arranging the Decision Statements

A decision statement can be roughly divided into three parts:

- Scope: the relevant interfaces and systems.
- Action: how matching packets are treated.
- Condition: the necessary information about source, destination and service.

Scope Block

The Scope Block consists of three parts: Direction Interfaces@Hosts.

Direction: the direction in which packets are to be monitored. Allowed values are incoming (=>), outgoing and eitherbound.

Interfaces: the participating interfaces. A single interface is named directly; several interfaces are grouped in braces, for example {le0,ipd0}. The keyword all may also be used.

Hosts: the host name, separated from the interfaces by an at sign (@). As with the interfaces, braces or all are possible.

Action Block

The Action Block principally has the form:

    action log alert_action log_type

The action block can consist of an action and/or a log statement. The log statement requires a log format and can contain an alert action. All variants are shown below:

    action
    action log log_type
    action log alert_action log_type
    log log_type
    log alert_action log_type

The action block can theoretically be empty, but this would not make sense.

Action: this field can have the values accept, reject or drop.

Log: this keyword initiates logging. It can also appear in the condition block (separated by a comma).

Log_type: any log format defined in $FWDIR/lib/formats.def can be entered here. Predefined formats are, for example, long and short.

Alert_action: the basic format is a command, optionally followed by a string enclosed in square brackets [ ]. The string is written to the log record and the command is started; the log record, in the agreed log format (log_type), is delivered to the command on its standard input.

Condition Block

The condition block can be formed freely. Single statements separated by a comma are joined by the logical AND operator. The keyword or acts as an OR operator. The latter binds more tightly; as usual, the binding can be altered with brackets.

Key Words

Three keywords determine how the data that follows is interpreted:

- src (source): a description of the senders follows.
- dst (destination): the receiving network objects follow.
- svc (service): the service names follow. This keyword may also be omitted when a specific service is named.

To form a group test, the introducing keyword is followed by one of the following combinations: is, is not, in, not in.

Examples

Two simple examples are:

    eitherbound ipd0@serial-gate reject src not in my.com,\
        dst in my.com, (finger or FTP or Telnet) short;

The corresponding GUI rule is:

    #  Source   Destination  Proto.  Action  Track      Install On
    1  !my.com  my.com       finger  Reject  Short Log  serial-gate
                             Telnet
                             FTP

The major difference from the GUI rule is that, here, only the interface ipd0 is controlled.

    all@my-host accept tcp, established;

This rule relates to the earlier edition of the Established TCP
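The scope, action and condition blocks described above, and the two example statements, as an added Python model that is not part of the Sun course and is not Check Point's INSPECT compiler: it parses a decision statement in the shape the appendix gives (Direction Interfaces@Hosts, action and log words, a condition in which a comma means AND and or binds more tightly) and evaluates it against constructed packets. The packet fields, the network-object test (a name such as my.com covering itself and every host under it), the default direction when none is written, and the treatment of bare words such as tcp and established are assumptions made for the example.

```python
# Added example, not the INSPECT compiler: a toy parser/evaluator for the appendix's decision statements.
import re

ACTIONS = {"accept", "reject", "drop"}
LOG_WORDS = {"log", "long", "short"}      # long and short are the formats named in the text
DIRECTIONS = {"inbound", "incoming", "outbound", "outgoing", "eitherbound"}
TOKEN_RE = re.compile(r"[(),;{}@]|[^\s(),;{}@]+")

def parse_names(toks, pos):
    """Parse 'all', one name, or a brace list such as {le0,ipd0}; None stands for all."""
    if toks[pos] == "{":
        end = toks.index("}", pos)
        return {t for t in toks[pos + 1:end] if t != ","}, end + 1
    return (None if toks[pos] == "all" else {toks[pos]}), pos + 1

def parse_condition(toks):
    """Comma is AND, 'or' is OR and binds more tightly, brackets regroup. Returns a predicate."""
    pos = 0
    def and_expr():
        nonlocal pos
        terms = [or_expr()]
        while pos < len(toks) and toks[pos] == ",":
            pos += 1
            terms.append(or_expr())
        return lambda p: all(t(p) for t in terms)
    def or_expr():
        nonlocal pos
        terms = [atom()]
        while pos < len(toks) and toks[pos].lower() == "or":
            pos += 1
            terms.append(atom())
        return lambda p: any(t(p) for t in terms)
    def atom():
        nonlocal pos
        tok, pos = toks[pos], pos + 1
        if tok == "(":
            inner = and_expr()
            pos += 1                          # consume the closing bracket
            return inner
        if tok.lower() in ("src", "dst", "svc"):
            key, negate = tok.lower(), toks[pos].lower() == "not"
            op, obj = toks[pos + negate].lower(), toks[pos + negate + 1].lower()
            pos += negate + 2
            # Network-object test (assumption): 'is' is exact, 'in' also covers hosts under a domain.
            return lambda p: (p[key].lower() == obj or
                              (op == "in" and p[key].lower().endswith("." + obj))) != negate
        word = tok.lower()  # bare word: a service with svc omitted, a protocol, or established
        return lambda p: word in (p["svc"].lower(), p["proto"].lower()) or (
            word == "established" and p["established"])
    pred = and_expr() if toks else (lambda p: True)
    if pos != len(toks):
        raise ValueError("trailing tokens in condition")
    return pred

def parse_rule(text):
    """Parse one decision statement into scope, action block and condition predicate."""
    toks = TOKEN_RE.findall(text.replace("\\\n", " "))   # a backslash continues the line
    if toks and toks[-1] == ";":
        toks.pop()
    # Assumption: eitherbound is the default when no direction is written.
    direction, pos = (toks[0].lower(), 1) if toks[0].lower() in DIRECTIONS else ("eitherbound", 0)
    ifaces, pos = parse_names(toks, pos)
    if toks[pos] != "@":
        raise ValueError("scope must be Direction Interfaces@Hosts")
    hosts, pos = parse_names(toks, pos + 1)
    rule = dict(direction=direction, ifaces=ifaces, hosts=hosts, action=None, log_type=None)
    cond, depth = [], 0  # action and log words at bracket depth 0 form the action block wherever they stand
    for tok in toks[pos:]:
        depth += (tok == "(") - (tok == ")")
        low = tok.lower()
        if depth == 0 and low in ACTIONS:
            rule["action"] = low
        elif depth == 0 and low in LOG_WORDS:
            rule["log_type"] = rule["log_type"] if low == "log" else low
        elif tok != "," or (cond and cond[-1] != ","):
            cond.append(tok)                 # skip a comma orphaned by a removed log word
    while cond and cond[-1] == ",":
        cond.pop()
    rule["condition"] = parse_condition(cond)
    return rule

def evaluate(rule, pkt):
    """Return the rule's action when the packet is in scope and the condition holds, else None."""
    d = rule["direction"]
    in_scope = ((d == "eitherbound" or d[:2] == pkt["direction"][:2])   # "in..." / "out..."
                and (rule["ifaces"] is None or pkt["iface"] in rule["ifaces"])
                and (rule["hosts"] is None or pkt["gateway"] in rule["hosts"]))
    return rule["action"] if in_scope and rule["condition"](pkt) else None

def packet(src, dst, svc, **overrides):
    """Constructed packet record for the example (not a FireWall-1 structure)."""
    return dict(dict(src=src, dst=dst, svc=svc, iface="ipd0", gateway="serial-gate",
                     direction="inbound", proto="tcp", established=False), **overrides)

# The two statements from the appendix, in the order they appear.
RULES = [parse_rule("eitherbound ipd0@serial-gate reject src not in my.com,\\\n"
                    "    dst in my.com, (finger or FTP or Telnet) short;"),
         parse_rule("all@my-host accept tcp, established;")]
```

Evaluating `RULES[0]` against a Telnet packet from outside my.com arriving on ipd0 of serial-gate returns `reject`; the same packet on le0 returns `None`, which is the point made under the first example: the statement controls only the named interface, where the GUI rule installed on serial-gate would cover all of them.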