THE NETFILTER/IPTABLES FRAMEWORK IN LINUX 2.4.X

Abstract

The Internet is a worldwide co ll ection of networks that all use a common protoco l for communicat ions. Many orga ni zati ons are in the process of connecting to the Internet to take advantage or Internet services and reso urces. Businesses and agencies are now using the Internet or co nsidering Internet access for a variety of purposes, inc luding exchanging e-mail, di stributing agency information to the public, and conducting research. Many organizations are connec ting their ex isting internal local area networks to the Inte rnet so that local area network work stati ons can have direct access to Internet services. Internet connecti vity can otler enormous advantages, however security needs to be a major considerat ion when plann ing an Internet connection. There are significant security ri sks associated with the I nternet that often are not obvious to new (and existing) users. In particular, intruder ac ti vities as well as vulnerabiliti es that could assist intruder activity are wides pread . Intruder activ ity is diffi cult to prcdict and at times ca n be diffi cult to discover and cOI'rcct. " It is easy to run a sccure computer system. You merely have to disconnect all dial -up Connections and permit only di rec t-wi red termi nals, put the machine ancl its terminals in a shielded room, ancl post a guard at the door." -F. T . GRAMPP AND R . H. MORRIS For better or for worse, most computer systems are not run that way today. Security is, in general , a trade-off with convenience, and most people are not wi ll ing to forgo the conven ience or remote access via networks to their computers. Inevitab ly, they suffer from some loss or sec urity. It is my purpose here to di scuss how to minimize the extent of that loss. The situation is even worse for computers hooked up to some so rt of network. Networks are risky for at least three major reasons. First, and most obvious, more points now ex ist from which an attack can be launched. A second reaso n is that you have extended the phys ical perimeter of yo ur computer system. In a simp le computer, everything is within one box. The CPU can fetch authentication data from memory, secure in the knowledge that no enemy can tamper with it or spy on it. Traditional mechani sms-mode bits, memory protection, and the like-can safeguard cri tical areas. This is not the case in a network. Messages received lllay be of uncertain provenance; messages sent are often exposed to all other systems on the net. Clearly, more caution is needed. The third reason is subtler, and dea ls with an essential di stinction between an ordinary dia l-up modem and a network. Modems, in general, offer one service, typically the abi lity to log in.