Abstract
This chapter discusses perimeter-based defenses, starting with firewalls and then complementary enabling technologies for securing network communications of remote users and distance-separated peers. Generic tools called encrypted tunnels and virtual private networks (VPNs) are illustrated by SSH and IPsec. We consider risks of network-accessible services and how to securely provide such services, building familiarity with network defense options (and their limitations). Many examples put security design principles into practice, and give reminders of the primary goals of computer security: protecting data and passwords in transit, protecting resources from unauthorized network access and use, and preserving the integrity and availability of hosts in the face of network-based threats.
© 2021 The Author(s)
van Oorschot, P.C. (2021). Firewalls and Tunnels. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_10
DOI: https://doi.org/10.1007/978-3-030-83411-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-83410-4
Online ISBN: 978-3-030-83411-1