Building Internet Firewalls (2nd Edition, English reprint)
Elizabeth D. Zwicky, Simon Cooper, D. Brent Chapman
Publication date: June 2003
Pages: 896
Since the first edition of this classic reference was published, the Internet has grown explosively, and e-commerce has become an indispensable part of business operations and personal life. As the Internet has expanded, so have its security threats: from password sniffing to IP spoofing, from web site defacement to the distributed denial-of-service attacks that have brought popular sites down.
Firewalls are a very effective way of protecting systems from Internet security threats, and they have become a key component of today's computer networks. Like the first edition, this second edition is a highly practical and detailed guide that helps readers design and build Internet firewalls and configure Internet services to work through them. Compared with the previous edition, its coverage has been greatly expanded to include Windows NT and Linux as well as Unix systems. It describes in detail the various firewall technologies (packet filtering, proxying, network address translation, virtual private networks) and architectures, along with more than 100 Internet services, ranging from email and file transfer to web services and scripting languages, as well as naming, authentication and database protocols.
Several chapters are devoted to security policies, cryptography, firewall maintenance and incident response, and the book closes with a summary of useful firewall tools and other resources.
"Back in 1991 I said that you could learn what you needed about firewalls from the 11 pages in Practical Unix Security. Times have changed, and there is now much more to know about firewalls. This book is a rigorous and complete treatment of everything about firewalls, and it explains step by step how to apply them. If you are running a network, you cannot do without this book."
—— Professor Gene Spafford (Center for Information Security Education and Research, Purdue University)
"Designing a secure network is always simpler than correcting mistakes after the network has been deployed. This book covers the fundamental principles of firewalls and gives the detailed information needed to design a network correctly. It is an indispensable reference for anyone who wants to operate a network securely."
—— David LeBlanc (Chief Technology Officer, ITG Information Security, Microsoft Corporation)
"This just about covers everything there is to know about firewalls! Administration, threats, general security, defensive design, policy, detection, response and more: this book contains all the knowledge needed to implement and maintain a practical firewall efficiently."
—— Greg Rose (Senior Engineer, QUALCOMM)
Preface
I. Network Security
1. Why Internet Firewalls?
  What Are You Trying to Protect?
  What Are You Trying to Protect Against?
  Who Do You Trust?
  How Can You Protect Your Site?
  What Is an Internet Firewall?
  Religious Arguments
2. Internet Services
  Secure Services and Safe Services
  The World Wide Web
  Electronic Mail and News
  File Transfer, File Sharing, and Printing
  Remote Access
  Real-Time Conferencing Services
  Naming and Directory Services
  Authentication and Auditing Services
  Administrative Services
  Databases
  Games
3. Security Strategies
  Least Privilege
  Defense in Depth
  Choke Point
  Weakest Link
  Fail-Safe Stance
  Universal Participation
  Diversity of Defense
  Simplicity
  Security Through Obscurity
II. Building Firewalls
4. Packets and Protocols
  What Does a Packet Look Like?
  IP
  Protocols Above IP
  Protocols Below IP
  Application Layer Protocols
  IP Version 6
  Non-IP Protocols
  Attacks Based on Low-Level Protocol Details
5. Firewall Technologies
  Some Firewall Definitions
  Packet Filtering
  Proxy Services
  Network Address Translation
  Virtual Private Networks
6. Firewall Architectures
  Single-Box Architectures
  Screened Host Architectures
  Screened Subnet Architectures
  Architectures with Multiple Screened Subnets
  Variations on Firewall Architectures
  Terminal Servers and Modem Pools
  Internal Firewalls
7. Firewall Design
  Define Your Needs
  Evaluate the Available Products
  Put Everything Together
8. Packet Filtering
  What Can You Do with Packet Filtering?
  Configuring a Packet Filtering Router
  What Does the Router Do with Packets?
  Packet Filtering Tips and Tricks
  Conventions for Packet Filtering Rules
  Filtering by Address
  Filtering by Service
  Choosing a Packet Filtering Router
  Packet Filtering Implementations for General-Purpose Computers
  Where to Do Packet Filtering
  What Rules Should You Use?
  Putting It All Together
9. Proxy Systems
  Why Proxying?
  How Proxying Works
  Proxy Server Terminology
  Proxying Without a Proxy Server
  Using SOCKS for Proxying
  Using the TIS Internet Firewall Toolkit for Proxying
  Using Microsoft Proxy Server
  What If You Can't Proxy?
10. Bastion Hosts
  General Principles
  Special Kinds of Bastion Hosts
  Choosing a Machine
  Choosing a Physical Location
  Locating Bastion Hosts on the Network
  Selecting Services Provided by a Bastion Host
  Disabling User Accounts on Bastion Hosts
  Building a Bastion Host
  Securing the Machine
  Disabling Nonrequired Services
  Operating the Bastion Host
  Protecting the Machine and Backups
11. Unix and Linux Bastion Hosts
  Which Version of Unix?
  Securing Unix
  Disabling Nonrequired Services
  Installing and Modifying Services
  Reconfiguring for Production
  Running a Security Audit
12. Windows NT and Windows 2000 Bastion Hosts
  Approaches to Building Windows NT Bastion Hosts
  Which Version of Windows NT?
  Securing Windows NT
  Disabling Nonrequired Services
  Installing and Modifying Services
III. Internet Services
13. Internet Services and Firewalls
  Attacks Against Internet Services
  Evaluating the Risks of a Service
  Analyzing Other Protocols
  What Makes a Good Firewalled Service?
  Choosing Security-Critical Programs
  Controlling Unsafe Configurations
14. Intermediary Protocols
  Remote Procedure Call (RPC)
  Distributed Component Object Model (DCOM)
  NetBIOS over TCP/IP (NetBT)
  Common Internet File System (CIFS) and Server Message Block (SMB)
  Common Object Request Broker Architecture (CORBA) and Internet Inter-Orb Protocol (IIOP)
  ToolTalk
  Transport Layer Security (TLS) and Secure Socket Layer (SSL)
  The Generic Security Services API (GSSAPI)
  IPsec
  Remote Access Service (RAS)
  Point-to-Point Tunneling Protocol (PPTP)
  Layer 2 Transport Protocol (L2TP)
15. The World Wide Web
  HTTP Server Security
  HTTP Client Security
  HTTP
  Mobile Code and Web-Related Languages
  Cache Communication Protocols
  Push Technologies
  RealAudio and RealVideo
  Gopher and WAIS
16. Electronic Mail and News
  Electronic Mail
  Simple Mail Transfer Protocol (SMTP)
  Other Mail Transfer Protocols
  Microsoft Exchange
  Lotus Notes and Domino
  Post Office Protocol (POP)
  Internet Message Access Protocol (IMAP)
  Microsoft Messaging API (MAPI)
  Network News Transfer Protocol (NNTP)
17. File Transfer, File Sharing, and Printing
  File Transfer Protocol (FTP)
  Trivial File Transfer Protocol (TFTP)
  Network File System (NFS)
  File Sharing for Microsoft Networks
  Summary of Recommendations for File Sharing
  Printing Protocols
  Related Protocols
18. Remote Access to Hosts
  Terminal Access (Telnet)
  Remote Command Execution
  Remote Graphical Interfaces
19. Real-Time Conferencing Services
  Internet Relay Chat (IRC)
  ICQ
  talk
  Multimedia Protocols
  NetMeeting
  Multicast and the Multicast Backbone (MBONE)
20. Naming and Directory Services
  Domain Name System (DNS)
  Network Information Service (NIS)
  NetBIOS for TCP/IP Name Service and Windows Internet Name Service
  The Windows Browser
  Lightweight Directory Access Protocol (LDAP)
  Active Directory
  Information Lookup Services
21. Authentication and Auditing Services
  What Is Authentication?
  Passwords
  Authentication Mechanisms
  Modular Authentication for Unix
  Kerberos
  NTLM Domains
  Remote Authentication Dial-in User Service (RADIUS)
  TACACS and Friends
  Auth and identd
22. Administrative Services
  System Management Protocols
  Routing Protocols
  Protocols for Booting and Boot-Time Configuration
  ICMP and Network Diagnostics
  Network Time Protocol (NTP)
  File Synchronization
  Mostly Harmless Protocols
23. Databases and Games
  Databases
  Games
24. Two Sample Firewalls
  Screened Subnet Architecture
  Merged Routers and Bastion Host Using General-Purpose Hardware
IV. Keeping Your Site Secure
25. Security Policies
  Your Security Policy
  Putting Together a Security Policy
  Getting Strategic and Policy Decisions Made
  What If You Can't Get a Security Policy?
26. Maintaining Firewalls
  Housekeeping
  Monitoring Your System
  Keeping up to Date
  How Long Does It Take?
  When Should You Start Over?
27. Responding to Security Incidents
  Responding to an Incident
  What to Do After an Incident
  Pursuing and Capturing the Intruder
  Planning Your Response
  Being Prepared
V. Appendixes
A. Resources
B. Tools
C. Cryptography
Index
Chinese publisher: Tsinghua University Press
ISBN: 7-302-06554-3
Original publisher: O'Reilly Media
Elizabeth D. Zwicky
 
Elizabeth D. Zwicky is a director at Counterpane Internet Security, a managed security services company. She has been doing large-scale Unix system administration and related work for 15 years, and was a founding board member of both the System Administrators Guild (SAGE) and BayLISA (the San Francisco Bay Area system administrators group), as well as a nonvoting member of the first board of the Australian system administration group, SAGE-AU. She has been involuntarily involved in Internet security since before the 1988 Morris Internet worm. In her lighter moments, she is one of the few people who makes significant use of the rand function in PostScript, producing PostScript documents that are different every time they're printed.
 
 
Simon Cooper
 
Simon Cooper is a computer professional currently working in Silicon Valley. He has worked in different computer-related fields ranging from hardware through operating systems and device drivers to application software and systems support in both commercial and educational environments. He has an interest in the activities of the Internet Engineering Task Force (IETF) and USENIX, is a member of the British Computer Conservation Society, and is a founding member of the Computer Museum History Center. Simon has released a small number of his own open source programs and has contributed time and code to the XFree86 project. In his spare time, Simon likes to play ice hockey, solve puzzles of a mathematical nature, and tinker with Linux.
 
 
D. Brent Chapman
 
D. Brent Chapman is a networking professional in Silicon Valley. He has designed and built Internet firewall systems for a wide range of organizations, using a variety of techniques and technologies. He is the founder of the Firewalls Internet mailing list, and creator of the Majordomo mailing list management package. He is the founder, principal, and technical lead of Great Circle Associates, Inc., a highly regarded strategic consulting and training firm specializing in Internet networking and security. Over the last 15 years, Brent has worked in a variety of consulting, engineering, and management roles in information technology, operations, and technology marketing for a wide range of employers and clients, including the Xerox Palo Alto Research Center (PARC), Silicon Graphics, Inc. (SGI), and Covad Communications Company.
 
 
Edie Freedman designed the cover of this book, using a 19th-century engraving from Heck's Pictorial Archive of Art and Architecture. The cover layout was produced by Emma Colby with QuarkXPress 3.3 using the ITC Garamond font. Whenever possible, our books use a durable and flexible lay-flat binding. If the page count exceeds this binding's limit, perfect binding is used.