Linux Server Security (2nd Edition)

Michael D. Bauer

2.1. Some Terminology



Let's get some definitions cleared up before we
proceed. These may not be the same definitions
you're used to or prefer, but
they're the ones I use in this chapter:


Application gateway (or application-layer gateway)



A firewall or other proxy server possessing application-layer
intelligence, e.g., able to distinguish legitimate application
behavior from disallowed behavior, rather than dumbly reproducing
client data verbatim to servers and vice versa. Each service that is
to be proxied with this level of intelligence must, however, be
explicitly supported (i.e., "coded
in"). Application gateways may use packet filtering
or a Generic Service Proxy to handle services for which they have no
application-specific awareness.



Bastion host



A system that runs publicly accessible services but is usually not
itself a firewall. Bastion hosts are what we put on DMZs (although
they can be put anywhere). The term implies that a certain amount of
system hardening (see "Hardened
system," later in this list) has been done, but
sadly, this is not always the case.



DMZ (demilitarized zone)



A network, containing publicly accessible services, that is isolated
from the "internal" network proper.
Preferably, it should also be isolated from the outside world. (It
used to be reasonable to leave bastion hosts outside the firewall but
exposed directly to the outside world; as we'll
discuss shortly, this is no longer justifiable or necessary.)



Firewall



A system or network that isolates one network from another. This can
be a router, a computer running special software in addition to or
instead of its standard operating system, a dedicated hardware
device, or any other device or network of devices that performs some
combination of packet filtering, application-layer proxying, and
other network-access control. In this discussion, the term will
generally refer to a single multihomed host.



Generic Service Proxy (GSP)



A proxy service (see later in this list) that has no
application-specific intelligence. These are nonetheless generally
preferable over packet filtering, since proxies provide better
protection against TCP/IP stack-based attacks by interrupting and
re-initiating each transaction they proxy. Firewalls that use the
SOCKS protocol rely heavily on GSPs.



Hardened system



A computer on which all unnecessary services have been disabled or
uninstalled, all current OS patches have been applied, and that in
general has been configured in as secure a fashion as possible while
still providing the services for which it's needed.
This is the subject of Chapter 3.



Internal network



What we're trying to protect: end-user systems,
servers containing private data, and all other systems to which we do
not wish the outside world to initiate connections. This is also
called the "protected" or
"trusted" network.



Multihomed host



Any computer having more than one logical or physical network
interface (not counting loopback interfaces).



Packet filtering



Inspecting the IP headers of packets and passing or dropping them
based primarily on some combination of their source IP address,
destination IP address, source port, and destination port (service).
Application data is not considered, nor are intentionally malformed
packets necessarily noticed, assuming their IP headers can be read.
Packet filtering is a necessary part of nearly all
firewalls' functionality but is not considered, by
itself, to be sufficient protection against any but the most
straightforward attacks. Some routers are limited to packet
filtering, though nowadays most support some form or another of
stateful packet filtering.



Perimeter network



The portion or portions of an organization's network
that are directly connected to the Internet, plus any DMZ networks
(see earlier in this list). This isn't a precise
term, but if you have much trouble articulating where your
network's perimeter ends and your protected/trusted
network begins, you may need to re-examine your network architecture.



Proxying



An intermediary in all interactions of a given service type (FTP,
HTTP, etc.) between internal hosts and untrusted/external hosts. In
the case of SOCKS, which uses Generic Service Proxies, the proxy may
authenticate each connection it proxies. In the case of application
gateways, the proxy intelligently parses application-layer data for
anomalies.
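To make the difference between a Generic Service Proxy and an application gateway concrete, here is an added example (not code from the book) that models both on the same HTTP request. The GSP authenticates the connection, SOCKS-style, and then relays the bytes untouched; the application gateway parses the request and enforces policy before anything is relayed. The allowed methods, the length limit, the user list, and the sample requests are all assumptions constructed for the example.

```python
"""Added example: a generic service proxy (authenticate, then relay bytes
verbatim) beside an application gateway that parses HTTP before relaying.
Policy values (allowed methods, limits, user list) are assumptions."""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}       # assumed policy
MAX_REQUEST_LINE = 2048                          # assumed limit
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])$")


def generic_proxy(user, data, users=frozenset({"alice"})):
    """GSP behaviour, SOCKS-style: the connection is authenticated, but the
    application data that follows is passed through unexamined.
    Returns the bytes to forward, or None if the connection is refused."""
    if user not in users:
        return None
    return data


def application_gateway(data):
    """Application-gateway behaviour for HTTP: parse the request, apply
    policy, and return ("ALLOW", method) or ("DENY", reason)."""
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return ("DENY", "incomplete header block")
    lines = head.split(b"\r\n")
    request_line = lines[0]
    if len(request_line) > MAX_REQUEST_LINE:
        return ("DENY", "request line too long")
    m = REQUEST_LINE.match(request_line)
    if not m:
        return ("DENY", "malformed request line")
    method = m.group(1).decode("ascii")
    target = m.group(2)
    minor_version = m.group(3)
    if method not in ALLOWED_METHODS:
        return ("DENY", f"method {method} not permitted")
    # Only origin-form targets: this refuses absolute-URI requests that
    # would turn the gateway into an open proxy for arbitrary hosts.
    if not target.startswith(b"/"):
        return ("DENY", "target is not origin-form")
    has_host = False
    for header in lines[1:]:
        # A bare LF or other control byte inside a header is the raw
        # material of header-injection tricks; reject it outright.
        bad_byte = any((c < 0x20 and c != 0x09) or c == 0x7F for c in header)
        if b":" not in header or bad_byte:
            return ("DENY", "malformed header or control characters")
        if header.split(b":", 1)[0].strip().lower() == b"host":
            has_host = True
    if minor_version == b"1" and not has_host:
        return ("DENY", "HTTP/1.1 request without Host header")
    return ("ALLOW", method)


# Constructed requests, not captured traffic.
GOOD = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
TUNNEL = b"CONNECT mail.example.com:25 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
INJECTED = b"GET / HTTP/1.1\r\nHost: www.example.com\nX-Injected: 1\r\n\r\n"
OPEN_PROXY = b"GET http://other.example/ HTTP/1.1\r\nHost: other.example\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GOOD", GOOD), ("TUNNEL", TUNNEL),
                      ("INJECTED", INJECTED), ("OPEN_PROXY", OPEN_PROXY)]:
        print(f"{name:10} GSP relays: {generic_proxy('alice', req) is not None}"
              f"  gateway: {application_gateway(req)}")
```

The point to notice is that the GSP relays the CONNECT tunnel and the header-injection request just as happily as the legitimate GET, because for an authenticated user it has nothing to say about the contents; the gateway refuses all three, but only because someone wrote HTTP-specific parsing into it, which is exactly the "coded in" cost the definition above mentions.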



Stateful packet filtering



At its simplest, the tracking of TCP sessions: using
packets' TCP header information to determine which
packets belong to which transactions, and thus filtering more
effectively. At its most sophisticated, stateful packet filtering
refers to the tracking of not only TCP headers, but also some amount
of application-layer information (e.g., end-user commands) for each
session being inspected. Linux's iptables includes
modules that can statefully track most kinds of TCP transactions and
even some UDP transactions.
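The practical gap between plain packet filtering and stateful packet filtering, as defined in the two entries above, is easiest to see on a packet trace. The following is an added example (not code from the book): a header-only filter and a minimal connection-tracking filter are run over the same constructed sequence of packets. The policy ("internal hosts on 10.0.0.0/8 may open HTTP connections outbound, nothing else"), the addresses, and the trace are all assumptions made for the example; session teardown and timeouts are left out.

```python
"""Added example: a stateless header-only filter next to a minimal
connection-tracking filter, run over a constructed packet trace.
Assumed policy: internal hosts (10.0.0.0/8) may open HTTP connections
outbound; nothing else is permitted."""
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "trusted" network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False
    ack: bool = False


def is_internal(addr):
    return ipaddress.ip_address(addr) in INTERNAL_NET


def stateless_filter(pkt):
    """Decide from this packet's headers alone; no memory of earlier packets."""
    outbound = is_internal(pkt.src) and not is_internal(pkt.dst)
    inbound = is_internal(pkt.dst) and not is_internal(pkt.src)
    # Rule 1: internal hosts may open connections to external HTTP servers.
    if outbound and pkt.dport == 80:
        return "ACCEPT"
    # Rule 2: the classic stateless stand-in for "established": anything that
    # looks like a reply from port 80 (ACK set, high destination port). The
    # filter has no way to know whether such a session actually exists.
    if inbound and pkt.sport == 80 and pkt.ack and pkt.dport >= 1024:
        return "ACCEPT"
    return "DROP"


class StatefulFilter:
    """Tracks sessions opened from inside; admits inbound packets only if they
    belong to one. Teardown and timeouts are omitted for brevity."""

    def __init__(self):
        self.sessions = set()   # (src, sport, dst, dport) of tracked sessions

    def filter(self, pkt):
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.sessions or rev in self.sessions:
            return "ACCEPT"          # ESTABLISHED, in iptables terms
        # NEW: only an initial SYN from an internal host to an external port 80.
        if (pkt.syn and not pkt.ack and is_internal(pkt.src)
                and not is_internal(pkt.dst) and pkt.dport == 80):
            self.sessions.add(fwd)
            return "ACCEPT"
        return "DROP"


# Constructed trace, not captured traffic. 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for external hosts.
TRACE = [
    Packet("10.1.2.3", 40000, "203.0.113.5", 80, syn=True),            # internal opens HTTP
    Packet("203.0.113.5", 80, "10.1.2.3", 40000, syn=True, ack=True),  # server's SYN/ACK reply
    Packet("198.51.100.9", 80, "10.1.2.3", 5432, ack=True),            # forged "reply" aimed at PostgreSQL
    Packet("198.51.100.9", 51000, "10.1.2.3", 80, syn=True),           # unsolicited inbound connection
]


def run_trace(trace=TRACE):
    """Return (stateless verdict, stateful verdict) for each packet."""
    sf = StatefulFilter()
    return [(stateless_filter(p), sf.filter(p)) for p in trace]


if __name__ == "__main__":
    for p, (a, b) in zip(TRACE, run_trace()):
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport}  stateless={a}  stateful={b}")
```

The third packet is the one that matters: it has the ACK bit set and a source port of 80, so the stateless rule that was meant to admit web-server replies lets it straight through to port 5432 on an internal host, while the stateful filter drops it because no session it knows about could produce that reply. On a Linux firewall the stateful rule corresponds to an iptables rule of the form `-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT`, which is what the "modules" mentioned above provide.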



TCP/IP stack attack



A network attack that exploits vulnerabilities in its
target''s TCP/IP stack (kernel-code or drivers).
These are, by definition, OS specific: Windows systems, for example,
tend to be vulnerable to different stack attacks than Linux systems.
With the exceptions of "stealth
scanning" and of TCP-sequence-number attacks (used
in IP spoofing), stack attacks are becoming less common.




That's a lot of jargon, but it's
useful jargon (useful enough, in fact, to make sense of the majority
of firewall vendors' propaganda!). Now
we're ready to dig into DMZ architecture.


