can forge ICMP Redirect
packets, and if your target host pays attention to them, you can alter
the routing tables on the host and possibly subvert the security of the
host by causing traffic to flow via a path the network manager didn't
intend. ICMP Redirects also may be employed for denial of service
attacks, where a host is sent a route that loses it connectivity, or is
sent an ICMP Network Unreachable packet telling it that it can no longer
access a particular network.
Many firewall builders screen ICMP
traffic from their network, since it limits the ability of outsiders to
ping hosts, or modify their routing tables.
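As an added example (not part of the original FAQ), a Python inspector for inbound ICMP: it verifies the RFC 1071 checksum, flags Redirect (type 5) and Network Unreachable (type 3, code 0) messages as the routing-control traffic the text says firewall builders screen, and scans `sysctl -a` style output for Linux hosts that still honour redirects. The packets and sysctl text are constructed for the demonstration; the sysctl key names are real Linux kernel keys.

```python
import struct

# ICMP type/code values from RFC 792 (protocol constants, not taken from the FAQ).
ICMP_DEST_UNREACH, NET_UNREACH_CODE = 3, 0
ICMP_REDIRECT = 5
ICMP_ECHO_REQUEST = 8

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; over a valid message it evaluates to 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_icmp(icmp_type: int, code: int, rest: bytes) -> bytes:
    """Assemble a constructed ICMP message with a correct checksum (sample input only)."""
    unsummed = struct.pack("!BBH", icmp_type, code, 0) + rest
    return struct.pack("!BBH", icmp_type, code, icmp_checksum(unsummed)) + rest

def inspect_icmp(packet: bytes) -> dict:
    """Classify one inbound ICMP message and say whether a border filter should drop it."""
    if len(packet) < 8:
        return {"verdict": "drop", "reason": "truncated ICMP header"}
    icmp_type, code, _ = struct.unpack("!BBH", packet[:4])
    result = {"type": icmp_type, "code": code, "verdict": "allow",
              "reason": "not a routing-control message"}
    if icmp_checksum(packet) != 0:
        result.update(verdict="drop", reason="bad checksum")
    elif icmp_type == ICMP_REDIRECT:
        gateway = ".".join(str(b) for b in packet[4:8])  # the route the host would adopt
        result.update(verdict="drop", reason="redirect would rewrite host route via " + gateway)
    elif icmp_type == ICMP_DEST_UNREACH and code == NET_UNREACH_CODE:
        result.update(verdict="drop", reason="network unreachable from outside can sever connectivity")
    return result

def redirect_hardening_gaps(sysctl_output: str) -> list:
    """List Linux sysctl keys (from 'sysctl -a' style text) that still honour or emit redirects."""
    gaps = []
    for line in sysctl_output.splitlines():
        key, _, value = (part.strip() for part in line.partition("="))
        if key.startswith("net.ipv4.conf.") and value == "1" and \
                key.endswith(("accept_redirects", "secure_redirects", "send_redirects")):
            gaps.append(key)
    return gaps
```

A border filter that drops these two message types still passes Echo and other ICMP, so the check is narrower than blocking ICMP wholesale.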
Denial of service is when
someone decides to make your network or firewall useless by disrupting
it, crashing it, jamming it, or flooding it. The problem with denial of
service on the Internet is that it is impossible to prevent. The reason
has to do with the distributed nature of the network: every network node
is connected via other networks which in turn connect to other networks,
etc. A firewall administrator or ISP only has control of a few of the
local elements within reach. An attacker can always disrupt a connection
"upstream" from where the victim controls it. In other words, if someone
wanted to take a network off the air, they could do it either by taking
the network off the air, or by taking the networks it connects to off
the air, ad infinitum. There are many, many ways someone can deny
service, ranging from the complex to the brute-force. If you are
considering using the Internet for a service that is absolutely time-
or mission-critical, you should consider your fall-back position in the
event that the network is down or damaged.
- Abuse of Privilege:
- When a user performs an action that they should not have,
according to organizational policy or law.
- Application-Level Firewall:
- A firewall system in which service is provided by processes that
maintain complete TCP connection state and sequencing. Application level
firewalls often re-address traffic so that outgoing traffic appears to
have originated from the firewall, rather than the internal host.
- Authentication:
- The process of determining the identity of a user that is
attempting to access a system.
- Authentication Token:
- A portable device used for authenticating a user. Authentication
tokens operate by challenge/response, time-based code sequences, or
other techniques. This may include paper-based lists of one-time
passwords.
- Authorization:
- The process of determining what types of activities are permitted.
Usually, authorization is in the context of authentication: once you
have authenticated a user, they may be authorized different types of
access or activity.
- Bastion Host:
- A system that has been hardened to resist attack, and which is
installed on a network in such a way that it is expected to potentially
come under attack. Bastion hosts are often components of firewalls, or
may be "outside" Web servers or public access systems.
Generally, a bastion host is running some form of general purpose
operating system (e.g., UNIX, VMS, WNT, etc.) rather than a ROM-based or
firmware operating system.
- Challenge/Response:
- An authentication technique whereby a server sends an
unpredictable challenge to the user, who computes a response using some
form of authentication token.
- Chroot:
- A technique under UNIX whereby a process is permanently restricted
to an isolated subset of the filesystem.
- Cryptographic Checksum:
- A one-way function applied to a file to produce a unique "fingerprint"
of the file for later reference. Checksum systems are a primary means of
detecting filesystem tampering on UNIX.
- Data Driven Attack:
- A form of attack in which the attack is encoded in
innocuous-seeming data which is executed by a user or other software to
implement an attack. In the case of firewalls, a data driven attack is a
concern since it may get through the firewall in data form and launch an
attack against a system behind the firewall.
- Defense in Depth:
- The security approach whereby each system on the network is
secured to the greatest possible degree. May be used in conjunction with
firewalls.
- DNS Spoofing:
- Assuming the DNS name of another system by either corrupting the
name service cache of a victim system, or by compromising a domain name
server for a valid domain.
- Dual Homed Gateway:
- A dual homed gateway is a system that has two or more network
interfaces, each of which is connected to a different network. In
firewall configurations, a dual homed gateway usually acts to block or
filter some or all of the traffic trying to pass between the networks.
- Encrypting Router:
- see Tunneling Router and Virtual Network Perimeter.
- Firewall:
- A system or combination of systems that enforces a boundary
between two or more networks.
- Host-based Security:
- The technique of securing an individual system from attack. Host
based security is operating system and version dependent.
- Insider Attack:
- An attack originating from inside a protected network.
- Intrusion Detection:
- Detection of break-ins or break-in attempts either manually or via
software expert systems that operate on logs or other information
available on the network.
- IP Spoofing:
- An attack whereby a system attempts to illicitly impersonate
another system by using its IP network address.
- IP Splicing / Hijacking:
- An attack whereby an active, established session is intercepted
and co-opted by the attacker. IP Splicing attacks may occur after
authentication has completed, permitting the attacker to assume the role
of an already authorized user. Primary protections against IP Splicing
rely on encryption at the session or network layer.
- Least Privilege:
- Designing operational aspects of a system to operate with a
minimum amount of system privilege. This reduces the authorization level
at which various actions are performed and decreases the chance that a
process or user with high privileges may be caused to perform
unauthorized activity resulting in a security breach.
- Logging:
- The process of storing information about events that occurred on
the firewall or network.
- Log Retention:
- How long audit logs are retained and maintained.
- Log Processing:
- How audit logs are processed, searched for key events, or
summarized.
- Network-Level Firewall:
- A firewall in which traffic is examined at the network protocol
packet level.
- Perimeter-based Security:
- The technique of securing a network by controlling access to all
entry and exit points of the network.
- Policy:
- Organization-level rules governing acceptable use of computing
resources, security practices, and operational procedures.
- Proxy:
- A software agent that acts on behalf of a user. A typical proxy
accepts a connection from a user, decides whether or not the user or
client IP address is permitted to use the proxy, perhaps performs
additional authentication, and then completes a connection on behalf of
the user to a remote destination.
- Screened Host:
- A host on a network behind a screening router. The degree to which
a screened host may be accessed depends on the screening rules in the
router.
- Screened Subnet:
- A subnet behind a screening router. The degree to which the subnet
may be accessed depends on the screening rules in the router.
- Screening Router:
- A router configured to permit or deny traffic based on a set of
permission rules installed by the administrator.
- Session Stealing:
- See IP Splicing.
- Trojan Horse:
- A software entity that appears to do something normal but which,
in fact, contains a trapdoor or attack program.
- Tunneling Router:
- A router or system capable of routing traffic by encrypting it and
encapsulating it for transmission across an untrusted network, for
eventual de-encapsulation and decryption.
- Social Engineering:
- An attack based on deceiving users or administrators at the target
site. Social engineering attacks are typically carried out by
telephoning users or operators and pretending to be an authorized user,
to attempt to gain illicit access to systems.
- Virtual Network Perimeter:
- A network that appears to be a single protected network behind
firewalls, which actually encompasses encrypted virtual links over
untrusted networks.
- Virus:
- A self-replicating code segment. Viruses may or may not contain
attack programs or trapdoors.
Copyright(C) 1995 Marcus J. Ranum. All rights reserved. This
document may be used, reprinted, and redistributed as is
providing this copyright notice and all attributions remain intact.