Skip to main content

Firewalls and Tunnels

  • 1104 Accesses

Part of the Information Security and Cryptography book series (ISC)

Abstract

This chapter discusses perimeter-based defenses, starting with firewalls and then complementary enabling technologies for securing network communications of remote users and distance-separated peers. Generic tools called encrypted tunnels and virtual private networks (VPNs) are illustrated by SSH and IPsec. We consider risks of network-accessible services and how to securely provide such services, building familiarity with network defense options (and their limitations). Many examples put security design principles into practice, and give reminders of the primary goals of computer security: protecting data and passwords in transit, protecting resources from unauthorized network access and use, and preserving the integrity and availability of hosts in the face of network-based threats.

This is a preview of subscription content, access via your institution.

Buying options

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-83411-1_10
  • Chapter length: 28 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-83411-1
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Hardcover Book
USD   79.99
Price excludes VAT (USA)

Preview

Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.

References

  1. A. Abdou, D. Barrera, and P. C. van Oorschot. What lies beneath? Analyzing automated SSH bruteforce attacks. In Tech. and Practice of Passwords—9th Int'l Conf. (PASSWORDS 2015), pages 72-91, 2015.

    Google Scholar 

  2. B. Aboba and W. Dixon. RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements, Mar. 2004. Informational.

    Google Scholar 

  3. W. Aiello, S. M. Bellovin, M. Blaze, J. Ioannidis, O. Reingold, R. Canetti, and A. D. Keromytis. Efficient, DoS-resistant, secure key exchange for Internet protocols. In ACM Comp. & Comm. Security (CCS), pages 48-58, 2002. Journal version: ACM TISSEC, 2004.

    Google Scholar 

  4. T. Aura, M. Roe, and A. Mohammed. Experiences with host-to-host IPsec. In Security Protocols Workshop, 2005. Pages 3-22, and 23-30 for transcript of discussion, in Springer LNCS 4631 (2007).

    Google Scholar 

  5. R. Bejtlich. Extrusion Detection: Security Monitoring for Internal Intrusions. Addison-Wesley, 2005.

    Google Scholar 

  6. M. Blaze, J. Ioannidis, and A. D. Keromytis. Trust management for IPsec. In Netw. Dist. Sys. Security (NDSS), 2001. Journal version: ACM TISSEC, 2002.

    Google Scholar 

  7. D. B. Chapman. Network (in)security through IP packet filtering. In Proc. Summer USENIX Technical Conf., 1992.

    Google Scholar 

  8. W. R. Cheswick, S. M. Bellovin, and A. D. Rubin. Firewalls and Internet Security: Repelling the Wily Hacker (2nd edition). Addison-Wesley, 2003. First edition (1994; Cheswick, Bellovin) is free online.

    Google Scholar 

  9. J. A. Donenfeld. WireGuard: Next generation kernel network tunnel. In Netw. Dist. Sys. Security (NDSS), 2017.

    Google Scholar 

  10. B. Dowling and K. G. Paterson. A cryptographic analysis of the WireGuard protocol. In Applied Cryptography and Network Security (ACNS), pages 3-21, 2018.

    Google Scholar 

  11. S. Frankel, K. Kent, R. Lewkowski, A. D. Orebaugh, R. W. Ritchey, and S. R. Sharma. Guide to IPsec VPNs. NIST Special Publication 800-77, National Inst. Standards and Tech., USA, Dec. 2005.

    Google Scholar 

  12. R. Gerhards. RFC 5424: The Syslog Protocol, Mar. 2009. Proposed Standard. Obsoletes RFC 3164.

    Google Scholar 

  13. Information Sciences Institute (USC). RFC 791: Internet Protocol, Sept. 1981. Internet Standard (IP). Updated by RFC 1349, 2474, 6864.

    Google Scholar 

  14. Information Sciences Institute (USC). RFC 793: Transmission Control Protocol, Sept. 1981. Internet Standard (TCP). Updated by RFC 1122, 3168, 6093, 6528.

    Google Scholar 

  15. S. Ioannidis, A. D. Keromytis, S. M. Bellovin, and J. M. Smith. Implementing a distributed firewall. In ACM Comp. & Comm. Security (CCS), pages 190-199, 2000. See also: S.M. Bellovin, ``Distributed firewalls’’, pages 39-47, USENIX ;login: (Nov 1999).

    Google Scholar 

  16. C. Kaufman, P. Hoffman, Y. Nir, P. Eronen, and T. Kivinen. RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2), Oct. 2014. Internet Standard. Obsoletes RFC 5996 (preceded by 4306; and 2407, 2408, 2409); updated by RFC 7427, 7670, 8247.

    Google Scholar 

  17. S. Kent. RFC 4302: IP Authentication Header, Dec. 2005. Proposed Standard. Obsoletes RFC 2402.

    Google Scholar 

  18. S. Kent. RFC 4303: IP Encapsulating Security Payload (ESP), Dec. 2005. Proposed Standard. Obsoletes RFC 2406.

    Google Scholar 

  19. S. Kent and K. Seo. RFC 4301: Security Architecture for the Internet Protocol, Dec. 2005. Proposed Standard. Obsoletes RFC 2401; updated by RFC 7619.

    Google Scholar 

  20. D. Koblas and M. R. Koblas. SOCKS. In Proc. Summer USENIX Technical Conf., pages 77-83, 1992.

    Google Scholar 

  21. M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas, and L. Jones. RFC 1928: SOCKS Protocol Version 5, Mar. 1996. Proposed Standard.

    Google Scholar 

  22. L. Phifer. The Trouble with NAT. Internet Protocol Journal, 3(4):2-13, 2000.

    Google Scholar 

  23. J. Postel. RFC 768: User Datagram Protocol, Aug. 1980. Internet Standard (UDP).

    Google Scholar 

  24. J. Postel. RFC 792: Internet Control Message Protocol, Sept. 1981. Internet Standard (ICMP). Updated by RFC 950, 4884, 6633, 6918.

    Google Scholar 

  25. M. Rash. Linux Firewalls: Attack Detection and Response with iptables, psad and fwsnort. No Starch Press, 2007.

    Google Scholar 

  26. J. Schlyter and W. Griffin. RFC 4255: Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, Jan. 2006. Proposed Standard.

    Google Scholar 

  27. J. C. Snader. VPNs Illustrated: Tunnels, VPNs, and IPsec. Addison-Wesley, 2005.

    Google Scholar 

  28. D. X. Song, D. A. Wagner, and X. Tian. Timing analysis of keystrokes and timing attacks on SSH. In USENIX Security, 2001.

    Google Scholar 

  29. P. Srisuresh and K. Egevang. RFC 3022: Traditional IP Network Address Translator (Traditional NAT), Jan. 2001. Informational. Obsoletes RFC 1631. See also RFC 2993, 3027 and 4787 (BCP 127).

    Google Scholar 

  30. P. Srisuresh and M. Holdrege. RFC 2663: IP Network Address Translator (NAT) Terminology and Considerations, Aug. 1999. Informational.

    Google Scholar 

  31. W. R. Stevens. TCP/IP Illustrated, Volume 1: The Protocols. Addison-Wesley, 1994.

    Google Scholar 

  32. R. Trost. Practical Intrusion Analysis. Addison-Wesley, 2010.

    Google Scholar 

  33. A. Wool. A quantitative study of firewall configuration errors. IEEE Computer, 37(6):62-67, 2004. A 2009 report revisits the study: https://arxiv.org/abs/0911.1240.

  34. P. Wouters, D. Migault, J. Mattsson, Y. Nir, and T. Kivinen. RFC 8221: Cryptographic Algorithm Implementation Requirements and Usage Guidance for Encapsulating Security Payload (ESP) and Authentication Header (AH), Oct. 2017. Proposed Standard. Obsoletes RFC 7321, 4835, 4305.

    Google Scholar 

  35. T. Ylonen. SSH—secure login connections over the Internet. In USENIX Security, pages 37-42, 1996.

    Google Scholar 

  36. T. Ylonen and C. Lonvick. RFC 4251: The Secure Shell (SSH) Protocol Architecture, Jan. 2006. Proposed Standard. Updated by RFC 8308.

    Google Scholar 

  37. T. Ylonen and C. Lonvick. RFC 4252: The Secure Shell (SSH) Authentication Protocol, Jan. 2006. Proposed Standard. Updated by RFC 8308, 8332.

    Google Scholar 

  38. T. Ylonen and C. Lonvick. RFC 4253: The Secure Shell (SSH) Transport Layer Protocol, Jan. 2006. Proposed Standard. Updated by RFC 6668, 8268, 8308, 8332.

    Google Scholar 

  39. T. Ylonen and C. Lonvick. RFC 4254: The Secure Shell (SSH) Connection Protocol, Jan. 2006. Proposed Standard. Updated by RFC 8308.

    Google Scholar 

  40. L. Yuan, J. Mai, Z. Su, H. Chen, C. Chuah, and P. Mohapatra. FIREMAN: A toolkit for firewall modeling and analysis. In IEEE Symp. Security and Privacy, pages 199-213, 2006.

    Google Scholar 

  41. E. D. Zwicky, S. Cooper, and D. B. Chapman. Building Internet Firewalls (2nd edition). O'Reilly, 2000. First edition 1995 (Chapman, Zwicky).

    Google Scholar 

Download references

Author information

Authors and Affiliations

Authors

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 The Author(s)

About this chapter

Verify currency and authenticity via CrossMark

Cite this chapter

van Oorschot, P.C. (2021). Firewalls and Tunnels. In: Computer Security and the Internet. Information Security and Cryptography. Springer, Cham. https://doi.org/10.1007/978-3-030-83411-1_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-83411-1_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-83410-4

  • Online ISBN: 978-3-030-83411-1

  • eBook Packages: Computer ScienceComputer Science (R0)