2774.B Linux Firewall Design and Implementation: Graduation Project English Translation (.doc)

Uploader: 文库蛋蛋多   Document ID: 2387938   Uploaded: 2023-02-17   Format: DOC   Pages: 25   Size: 148.50KB

Southwest Jiaotong University
Graduation Project (English Translation)

Firewall and Proxy Server HOWTO (Firewall and Proxy Server Guide)

Grade:   Student ID:   Name:   Major: Computer Science and Technology   Advisor:   June 2008

Firewall and Proxy Server HOWTO
Mark Grennan, mark v0.80, Feb. 26, 2000

2. Understanding Firewalls

A firewall is a structure intended to keep a fire from spreading. Buildings have firewalls made of brick walls completely dividing sections of the building. In a car a firewall is the metal wall separating the engine and passenger compartments.

Internet firewalls are intended to keep the flames of Internet hell out of your private LAN. Or, to keep the members of your LAN pure and chaste by denying them access to all the evil Internet temptations. ;)

The first computer firewall was a non-routing Unix host with connections to two different networks. One network card connected to the Internet and the other to the private LAN. To reach the Internet from the private network, you had to log on to the firewall (Unix) server. You then used the resources of the system to access the Internet. For example, you could use X Windows to run Netscape's browser on the firewall system and have the display on your workstation. With the browser running on the firewall it has access to both networks.

This sort of dual-homed system (a system with two network connections) is great if you can TRUST ALL of your users. You can simply set up a Linux system and give an account on it to everyone needing Internet access. With this setup, the only computer on your private network that knows anything about the outside world is the firewall. No one can download to their personal workstations. They must first download a file to the firewall and then download the file from the firewall to their workstation.

BIG NOTE: 99% of all break-ins start with gaining account-level access on the system being attacked. Because of this I don't recommend this type of firewall. It is also very limiting.

2.1 Firewall Politics

You shouldn't believe a firewall machine is all you need. Set policies first.

Firewalls are used for two purposes.
1. to keep people (worms / crackers) out.
2. to keep people (employees / children) in.

When I started working on firewalls I was surprised to learn the company I worked for was more interested in spying on their employees than keeping crackers out of their networks. At least in my state (Oklahoma) employers have the right to monitor phone calls and Internet activity as long as they inform the employees they are doing it.

Big Brother is not government. Big Brother = Big Business.

Don't get me wrong. People should work, not play at work. And I feel the work ethic has been eroding. However, I have also observed that management types are the biggest abusers of the rules they set. I have seen hourly workers reprimanded for using the Internet to look for bus routes to get to work while the same manager used hours of work time looking for fine restaurants and nightclubs to take prospective customers.

My fix for this type of abuse is to publish the firewall logs on a Web page for everyone to see.

The security business can be scary. If you are the firewall manager, watch your back.

How to create a security policy

I have seen some really high-falutin documentation on how to create a security policy. After many years of experience I now say, don't believe a word of them. Creating a security policy is simple.
1. describe what you need to service
2. describe the group of people you need to service
3. describe which service each group needs access to
4. for each service group describe how the service should be kept secure
5. write a statement making all other forms of access a violation

Your policy will become more complicated with time but don't try to cover too much ground now. Make it simple and clear.

2.2 Types of Firewalls

There are two types of firewalls.
1. Filtering Firewalls that block selected network packets.
2. Proxy Servers (sometimes called firewalls) that make network connections for you.

Packet Filtering Firewalls

Packet filtering is the type of firewall built into the Linux kernel.

A filtering firewall works at the network level. Data is only allowed to leave the system if the firewall rules allow it. As packets arrive they are filtered by their type, source address, destination address, and port information contained in each packet.

Many network routers have the ability to perform some firewall services. Filtering firewalls can be thought of as a type of router. Because of this you need a deep understanding of IP packet structure to work with one.

Because very little data is analyzed and logged, filtering firewalls take less CPU and create less latency in your network.

Filtering firewalls do not provide for password controls. Users can not identify themselves. The only identity a user has is the IP number assigned to their workstation. This can be a problem if you are going to use DHCP (Dynamic IP assignments). Because rules are based on IP numbers, you will have to adjust the rules as new IP numbers are assigned. I don't know how to automate this process.

Filtering firewalls are more transparent to the user. The user does not have to set up rules in their applications to use the Internet. With most proxy servers this is not true.

Proxy Servers

Proxies are mostly used to control, or monitor, outbound traffic. Some application proxies cache the requested data. This lowers bandwidth requirements and decreases the access time for the same data for the next user. It also gives unquestionable evidence of what was transferred.

There are two types of proxy servers.
1. Application Proxies that do the work for you.
2. SOCKS Proxies that cross-wire ports.

Application Proxy

The best example is a person telnetting to another computer and then telnetting from there to the outside world. With an application proxy server the process is automated. As you telnet to the outside world the client sends you to the proxy first. The proxy then connects to the server you requested (the outside world) and returns the data to you.

Because proxy servers are handling all the communications, they can log everything they (you) do. For HTTP (web) proxies this includes every URL you see. For FTP proxies this includes every file you download. They can even filter out inappropriate words from the sites you visit or scan for viruses.

Application proxy servers can authenticate users. Before a connection to the outside is made, the server can ask the user to log in first. To a web user this would make every site look like it required a login.

SOCKS Proxy

A SOCKS server is a lot like an old switchboard. It simply cross-wires your connection through the system to another outside connection.

Most SOCKS servers only work with TCP type connections. And like filtering firewalls they don't provide for user authentication. They can however record where each user connected to.

3. Firewall Architecture

There are lots of ways to structure your network to protect your systems using a firewall.

If you have a dedicated connection to the Internet through a router, you could plug the router directly into your firewall system. Or, you could go through a hub to provide for full access servers outside your firewall.

3.1 Dialup Architecture

You may be using a dialup service like an ISDN line. In this case you might use a third network card to provide a filtered DMZ. This gives you full control over your Internet services and still separates them from your regular network.

3.2 Single Router Architecture

If there is a router or cable modem between you and the Internet and you own the router, you could set up some hard filter rules in the router. If this router is owned by your ISP you may not have the needed controls. You can ask your ISP to put in filters.

3.3 Firewall with Proxy Server

If you need to monitor where users of your network are going and your network is small, you can integrate a proxy server into your firewall. ISPs sometimes do this to create interest lists of their users to resell to marketing agencies.

You can put the proxy server on your LAN as well. In this case the firewall should have rules to only allow the proxy server to connect to the Internet for the services it is providing. This way the users can get to the Internet only through the proxy.

3.4 Redundant Internet Configuration

If you are going to run a service like YAHOO or maybe SlashDot you may want to make your system by using redundant routers and firewalls. (Check out the High Availability HOWTO.)

By using round-robin DNS techniques to provide access to multiple web servers from one URL, and multiple ISPs, routers and firewalls using High Availability techniques, you can create a 100% uptime service.

It is easy to let your network get out of hand. Keep control of every connection. It only takes a user with a modem to compromise your LAN.

4. Setting up the Linux Filtering Firewall

4.1 Hardware requirements

Filtering firewalls don't require fancy hardware. They are little more than simple routers.

All you need is:
1. a 486DX66 with 32 meg of memory
2. a 250m hard disk (500 recommended)
3. network connections (LAN cards, serial ports, wireless?)
4. monitor and keyboard

With some systems, by using a serial port console, you can even eliminate the monitor and keyboard.

If you need a proxy server that will handle lots of traffic, you should get the largest system you can afford. This is because for every user that connects to the system it will be creating another process. If you will have 50 or more concurrent users I'm guessing you will need:
1. a Pentium II with 64 meg of memory
2. a two gig hard disk to store all the logs
3. two network connections
4. monitor and keyboard

The network connections can be any type (NIC cards, ISDN, even modems).

5. Software requirements

5.1 Selecting a Kernel

To create a filtering firewall, you don't need any special software. Linux will do. At the time of this writing I'm using RedHat 6.1.

The built-in Linux firewall has changed several times. If you are using an old Linux kernel (1.0.x or older) get a new copy. These older kernels used ipfwadm from http://www.xos.nl/linux/ipfwadm/ and it is no longer supported.

If you are using 2.2.13 or newer you will be using ipchaining as developed by .au/rustcorp/ipfwchains/ipfwchains.html

If you are using the newer 2.4 kernel there is a new firewall utility with more features. I will write about this soon.

5.2 Selecting a proxy server

If you want to set up a proxy server you will need one of these packages.
1. Squid
2. The TIS Firewall Toolkit (FWTK)
3. SOCKS

Squid is a great package and works with Linux's Transparent Proxy feature. I will be describing how to set up this server.

At the time of this writing, Network Associates and Trusted Information Systems (TIS) have merged. So keep watching their web sites for more information about changes. Meanwhile, the Tool Kit can still be had at.

Trusted Information Systems put out a collection of programs designed to facilitate firewalling. With this toolkit, you set up one daemon for each service (WWW, telnet etc.) you will be using.

6. Preparing the Linux system

Install as little of the Linux system as you can. My installation started with a server configuration and then I turned off every unneeded service in /etc/inetd.conf. For more security you should uninstall the unneeded services.

Because most distributions don't come with a kernel useful to your purpose, you will need to compile your own kernel. It is best if you do this on a computer other than the firewall. If you do install a C compiler and utilities on your firewall, remove them after you have completed configuring your kernel.

6.1 Compiling the Kernel

Start with a clean minimal installation of your Linux distribution. The less software you have loaded, the fewer holes, backdoors and/or bugs there will be to introduce security problems in your server.

Pick a stable kernel. I am using kernel 2.2.13 for my system. So this documentation is based on its settings.

You will need to recompile the Linux kernel with the appropriate options. If you haven't recompiled your kernel before you should read the Kernel HOWTO, the Ethernet HOWTO, and the NET-2 HOWTO.

Here are the network related settings I know work. I have marked some with a ?. If you will be using this feature, turn it on as well. I use make menuconfig to edit my kernel settings.

      Packet socket
      Kernel/User netlink socket
  *   Network firewalls
      Socket Filtering
      Unix domain sockets
  *   TCP/IP networking
      IP: multicasting
  *   IP: advanced router
      IP: kernel level autoconfiguration
  *   IP: firewalling
  ?   IP: always defragment (required for masquerading)
  ?   IP: transparent proxy support
  ?   IP: masquerading
      Protocol-specific masquerading support will be built as modules.
  ?   IP: ICMP masquerading
      Protocol-specific masquerading support will be built as modules.
      IP: masquerading special modules support
  *   IP: optimize as router not host
      IP: tunneling
      IP: GRE tunnels over IP
  ?   IP: aliasing support
  *   IP: TCP syncookie support (not enabled per default)
      (it is safe to leave these untouched)
      IP: Reverse ARP
  *   IP: Allow large windows (not recommended if < 16Mb of memory)
      The IPv6 protocol (EXPERIMENTAL)
      The IPX protocol
      Appletalk DDP
      CCITT X.25 Packet Layer (EXPERIMENTAL)
      LAPB Data Link Driver (EXPERIMENTAL)
      Bridging (EXPERIMENTAL)
      802.2 LLC (EXPERIMENTAL)
      Acorn Econet/AUN protocols (EXPERIMENTAL)
      WAN router
      Fast switching (read help!)
      Forwarding between high speed interfaces
      CPU is too slow to handle full bandwidth
      QoS and/or fair queueing

After making all the settings you need, you should recompile, reinstall the kernel and reboot. I use the command:

make dep; make clean; make bzlilo; make modules; make modules_install; init 6

to accomplish all of this in one step.

6.2 Configuring two network cards

If you have two network cards in your computer, you may need to add an append statement to your /etc/lilo.conf file to describe the IRQ and address of both cards. My lilo append statement looks like this:

append="ether=12,0x300,eth0 ether=15,0x340,eth1"

6.3 Configuring the Network Addresses

Now we arrive at the fun part of our setup. I'm not going to go deep into how to set up a LAN. Read the Networking HOWTO to solve your problems here.

Your goal is to provide two network connections to your filtering firewall system. One on the Internet (unsecured side) and one on the LAN (secure side).

Anyway, you have a few decisions to make.
1. Will you use real IP numbers or make some up for your LAN.
2. Will your ISP assign the number or wil
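The first-match packet filtering described in section 2.2, loaded with the section 3.3 policy (only the proxy host may connect out, and only for the services it provides), as an added Python model that is not part of the HOWTO. The addresses, the Packet and Rule classes and the rule syntax are constructed for illustration and are not ipchains syntax.

```python
# Added example (not from the HOWTO): a first-match packet filter in the style
# of section 2.2, loaded with the section 3.3 policy. Addresses, the
# Packet/Rule classes and the rule syntax are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # secure side (constructed)
PROXY = ip_network("192.168.1.2/32")          # host running Squid (constructed)
ANY = ip_network("0.0.0.0/0")
PROXY_SERVICES = frozenset({21, 80, 443})     # ports the proxy serves for users

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports

@dataclass(frozen=True)
class Rule:
    action: str                       # "ACCEPT" or "DENY"
    proto: str = "any"
    src: object = ANY
    dst: object = ANY
    dports: frozenset = frozenset()   # empty = any destination port

    def matches(self, p: Packet) -> bool:
        # A filtering firewall sees only addresses, protocol and ports;
        # it has no idea which user is behind the source address.
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (not self.dports or p.dport in self.dports))

# Forward chain: evaluated top to bottom, the first matching rule decides,
# and the chain's policy applies to anything that matched no rule.
FORWARD = [
    Rule("ACCEPT", "tcp", src=PROXY, dports=PROXY_SERVICES),  # proxy -> Internet
    Rule("DENY", src=LAN),        # workstations may not bypass the proxy
]
POLICY = "DENY"                   # also drops unsolicited traffic from outside

def filter_packet(p: Packet, chain=FORWARD, policy=POLICY) -> str:
    """Return the verdict ("ACCEPT" or "DENY") for one forwarded packet."""
    for rule in chain:
        if rule.matches(p):
            return rule.action
    return policy
```

Because the match is on the source address alone, any host that holds the proxy's address gets the proxy's verdict, which is the identity limitation the HOWTO notes for filtering firewalls.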
