




Graduation Project (Thesis) English Translation
College: Chuanshan College
Class: Computer Science and Technology, Class 071
Student ID: 20079440140
Student name: Zhong Ming
December 20, 2010

Locking Up the Ports: Windows Firewall

One of Microsoft's strongest responses to the ongoing buffer-overflow-worm threat was a complete rewriting of the software firewall incorporated into XP, 2003, and R2. They renamed the firewall from Internet Connection Firewall (ICF) to Windows Firewall (WF). They also added something called IPsec bypass, which extends the firewall's abilities and lets you easily require a secure server to authenticate not just incoming users but machines. In this chapter, you'll see what WF does, what issues it can raise, and how to configure it so that it suits your security needs best.

What Is Windows Firewall?

How can an operating system have a firewall, anyway? Isn't a firewall a box with blinking lights and a bunch of cables coming out of it? The answer is that the term "firewall" refers to any of a number of ways to shield a computer network from other networks, networks rife with untrustworthy people (you know, networks like the Internet). Let's dig down a bit further, however, and start with a look at what a firewall is, basically.

What Firewalls Do

With the advent of the Industrial Revolution, people started building things driven by steam power, such as locomotives, ships, and the like. Creating steam required fire, and fire's a scary thing, at least when it gets out of hand. To protect against fire-related problems, those locomotives, ships, and the like were designed so that a thick, sturdy, nearly fireproof wall existed between wherever the fire was kept (usually a boiler) and the rest of the vehicle. That way, if something caught fire in the boiler's compartment, then the onboard engineers would have a bit more time to put out the fire without having to worry about the fire immediately spreading to the rest of the craft. Later on, we started using internal combustion engines, and they, too, can catch fire, so things like automobiles and private aircraft have firewalls designed into them. (In fact, the "wall" referred to when people say that something is running "balls to the wall" is the firewall. You control a small aircraft's engine speed by moving a ball-shaped control called the throttle. Pulling it back toward you reduces the engine's speed; pushing the ball forward "to the firewall" increases engine speed.)

Basically, then, a firewall's job is to contain bad stuff. But where engine firewalls contain a relatively small space so as to contain a fire, computer network firewalls attempt to contain a truly huge space: the Internet. Firewalls exist to make it harder for dirtbags to attack our networks.

How Firewalls Work

"Firewall" is one of those words that sounds so good (just put one box between your network and the Internet, and you're safe from all the baddies) that people use the term to mean a lot of things.

PORT-FILTERING FIREWALLS

The earliest kind of firewall was a box that sat between an internal network and the Internet. Now, if you think about it, what sort of box normally sits between our network and the Internet? Probably a router and, in fact, many firewalls are just routers with a bit of intelligence added. On the left you see the internal network (including PCs and servers), on the right the Internet. In between is the IP router, which has at least two interfaces: the one that connects to the Internet (which may be an Ethernet cable, a wireless connection, a modem, an ISDN connection, a DSL connection, a frame relay, or perhaps a cable modem), and the one that connects to the internal network (which is usually an Ethernet connection). The router is a very simple computer that listens to messages sent to it from either the internal or external interface.

Yes, that's right: a router is a computer running a very simple program. Here's how it works. Suppose the IP addresses that you use in your network are ones in the range of 200.100.7 to 54. (Yes, that is a range of routable addresses. Nonroutable addresses didn't appear in the Internet originally; we'll get to that in a minute.) Here are the instructions that essentially capture a router's entire program:

- Listen to IP packets sent to either the internal or external interface.
- If a packet needs to go to an address in that internal range, then resend the packet onto the internal network.
- If a packet needs to go anywhere else, assume that address is on the Internet, and resend the packet on the external interface.

That's all there is to it. Sure, routers can actually handle more complicated sets of "If I get a message destined for IP range X, then I should resend it on interface Y," but my example encapsulates enough for our firewall discussion.

Now let's make the router a bit smarter. Suppose you've got some jerk trying to connect to your server (the big PC in your network) via TCP port 139, the NetBIOS session port. That ties up the server, and if they try logging on with enough user names and passwords, they might figure out one of your accounts. (This is a simple example, so imagine that there are no account lockouts.) So you (somehow) hack the program in your router and give it an extra rule: if a packet appears on the external interface destined for an address on the internal network, and if that packet is destined for TCP port 139, just discard the packet; don't transmit it.

Here, then, is an example of a working firewall. A very simple one, to be sure, but a working firewall. Because the firewall's program (called the firewall rules by most) decides what to pass and what not to pass based on the destination port, such a firewall is called a port-filtering firewall.

Now, in my example I only blocked one port. But you may know that in the real world, people tend to configure port-filtering routers with rules like "block all incoming traffic on all ports except for such-and-such port ranges." Additionally, consider that the one rule that I've shown you ("block all traffic destined for an internal IP address on TCP port 139") refers only to incoming traffic. Port-filtering firewalls can, however, usually filter outgoing traffic as well. For example, your firm might have discovered at some time that employees were running websites of their own that featured, well, content of questionable legality and taste, and so you want to keep people from running web servers on every computer except for your official web server. Given the official web server's address, you could create a firewall rule that said, "If a packet appears on the internal interface destined for some address on the Internet, and if the packet originated from port 80, and if the packet's source is not the official web server's IP address, then discard it." You'll see, however, that WF does not offer you the option to block outgoing traffic, just incoming traffic.

NAT Firewalls

For almost anyone who first started doing Internet networking after about 1996, that example might have seemed odd. Put routable addresses on every desktop machine? Crazy, you might think. But the notion of creating an internal network of IP addresses in the range of 10.x.x.x, or 192.168.x.x, or the range of IP addresses from 172.16.0.0 through 172.31.255.255 first appeared in March 1994 with RFC 1597, "Address Allocation for Private Internets." The idea was that people might need IP addresses to run a TCP/IP-based network but might not need access to the public Internet. Of course, that's not the case for most of us. You want lots of IP addresses, so the three ranges of "private network addresses" are widely used, but you also want to be able to have those networks talk to the public Internet, which is where May 1994's RFC 1631, "The IP Network Address Translator," fills the bill.

NAT routers have at least two interfaces, as did the simple router, but NAT routers contain a somewhat more complex routing program. A single NAT router may have only one routable IP address on its external interface, but that router's also clever enough to be able to allow all of those "private" nonroutable addresses to carry on conversations with systems on the Internet by sharing that one routable IP address. (This was covered in more detail in Chapter 6 of Mastering Windows Server 2003.) The toughest part of NAT routing is the notion that the router can carry on a bunch of different conversations between its internal computers and various servers out on the public Internet. For example, suppose ten systems behind the NAT router were all talking to Microsoft's web server. When Microsoft's web server responds to one of the ten systems, how does the NAT router know which of its internal systems this is destined for? The answer is that every system talking to Microsoft's web server talks to that web server on port 80, but the NAT router sends each system's traffic out from a different source port, so the web server's responses come back to a different port for each system. So, for example, if the web server were to respond to all ten systems at the same time, then the IP packets that comprise those responses would all specify a source IP address of whatever Microsoft's web server is, and port 80. But while the destination IP addresses would all be the same (the routable IP address of the NAT router), each of them would be destined for a different TCP port number. The NAT router must, then, keep track of the fact that machine X on the inside intranet is having a conversation with machine Y on the Internet, and that conversation uses port number Z. That information is called the state, and any router that keeps track of the states of conversations is said to be a stateful router. That'll be useful later.

But how do Internet conversations start on a NAT system? In every case, a system on the intranet must initiate the conversation by contacting a server on the Internet. That's worth highlighting:

NOTE In client-server communications, which is pretty much the only kind of communications we do on the Internet, the client starts the conversation by sending an unsolicited request to the server. We'll return to this notion a bit later, but for now, remember that client requests are seen as unsolicited packets to a server, and server packets are always responses of some kind.

This leads to an interesting side effect of NAT: it's a kind of firewall. Inasmuch as all of those systems attached to the inner interface of the NAT router have nonroutable addresses, it is flatly impossible for a system on the public Internet to initiate a conversation (unless, of course, you deliberately configure the router to forward some port to an inside machine). It can only respond, which means that a NAT router says to the Internet, "Internet, I love you but I don't trust you, so do me a favor and only speak to me when I first speak to you."

Let me not, however, leave you with the idea that a NAT router's "firewallish" nature is great protection for your network. Remember that any internal computer can start up a conversation, so all a bad guy needs to attack your network is one computer on the inside to "invite it in." How would that happen? If someone visited a website and downloaded a malicious ActiveX control. Or if someone opened an email attachment that included some malware.

Software Firewalls

Now I've explained enough firewall background to start telling you how WF works. You've already read that a simple NAT router without any official firewall features acts as something of a firewall in passing because of its stateful nature. That leads us to software firewalls.

The idea of a software firewall isn't a new one. In fact, some of the earliest firewalls were actually just complex pieces of software that you installed on a regular old computer. You'd then put two Ethernet cards in the computer (one connected to the intranet, one to the Internet) and that was your firewall. Nor is that an outdated notion; one of the most popular firewalls among Windows users is Microsoft's Internet Security and Acceleration Server, or ISA Server.

But I'm not talking here about something like ISA Server, which lets you create the computer that stands between your network and the Internet. I'm talking instead about something called a "personal firewall," a piece of software that you might run on every single computer in your network. It is a program that runs on a computer and that acts in some way to restrict the flow of IP traffic into or, in some cases, out of the computer so as to keep bad programs out.

Loads of personal firewalls have appeared over the years. The first one that I recall hearing of was called Black Ice. One that's been around for almost as long but seems well-known is something called Zone Alarm that many people like but I've found annoying. The big "security suites" offered by Trend, Grisoft, Panda Software, McAfee, and others tend to include a personal firewall as well.

While WF is relatively new, Windows has contained at least some of the rudiments of a software firewall for a long time. For example, ever since at least NT 3.5 it's been possible to go to TCP/IP Advanced Properties and block all ports except for those specified in a list: a crude firewall, but, if you're willing to do some typing to enter all of the allowed ports, you could create a very simple port-filtering firewall on your computer. And, since February of 2000, Windows has included IPsec, a quite powerful method for securing TCP/IP stacks that lets you create a series of firewall rules as flexible as any you might want, like "block all incoming traffic on TCP port 1433 unless it's from a particular IP address." You could, with some work, create a monster batch file full of IPsec commands that would be the software-based firewall envy of your friends. But it'd be a lot of work.

Content Filtering Firewalls

Before I leave this brief discussion of firewalls, I should mention a newer sort of firewall: the content filtering firewall. Building firewalls solely out of rules constructed from ports and IP addresses is helpful but less and less effective in today's world. The people who want to provide server services in an organization are often not the same people as the ones charged with network security and firewall operation, and so the folks who want to provide some new network service sometimes come into conflict with the firewall folks. But, many clever content and service providers realize, there's a way around the firewall people: port 80. HTTP port 80 is, you probably know, the standard port for communicating with a web server and, well, there are very few firewall people who can deny a server guy's request that they open port 80.

As a result, more and more developers of various types of network services have crafted their services so that they live atop HTTP itself. Terminal Services, when run as the TSWEB tool, needs only port 80 open. Many online chat programs run entirely on port 80. Web-based email clients like Outlook Web Access mean that you can access not just email but public folders, mail handling rules, and the like, all over port 80. By stacking everything atop port 80, the network world both avoids firewalls and, unfortunately, makes them considerably less useful. That led to a tongue-in-cheek RFC 3093 dated 1 April 2001 (yes, that was April Fools' Day 2001) called the "Firewall Enhancement Protocol" that details what I've said in this paragraph, but in a much techier way.

Well, those firewall guys aren't going to take this lying down, no siree. So firewalls like ISA Server not only let you control the firewall via ports and IP addresses; ISA Server also has intelligent filters that look at the particular HTTP traffic, letting you block not only a given port, but a given kind of data stream. It does more than just watch ports: it looks inside the data packets for suspicious-looking data. Such a firewall is called a content filtering firewall. (And no, Windows Firewall doesn't include such behavior. At least, not yet.)

Windows Firewall Basics

Writing that batch file might be impressive, but, again, it'd be a lot of work. Fortunately, you needn't do that, because of the things that WF does. Put briefly, here's an overview of what kind of firewall services it offers and what else might be appealing about it.

Basically, WF is a stateful packet filter; by default, all packets trying to enter a system with WF enabled will be discarded unless those packets are responses to queries from that system. Unsolicited packets never get past the TCP/IP stack. WF lets you create exceptions for particular ports from particular ranges of IP addresses; for example, it's possible to say, "Accept unsolicited packets on port 25, but only from a given range of addresses." When paired with IPsec on Server 2003 and R2, WF can do some impressive things via something called IPsec bypass. Windows lets its firewall behave in two different ways ("profiles"): one where the system is inside the corporate firewall, and another when outside the firewall. (Clearly having two different behaviors for WF is of more interest to XP users, since XP SP2 introduced WF, than to server users, as most of us don't carry our servers outside the building.)

WF may not be the most full-featured of firewalls, but it may have the most broad-spectrum means of control of almost any Windows feature. First, you can control it from a fairly comprehensive command-line interface via the netsh command. Second, WF has near-complete group policy setting-based control. Finally, it's got a GUI. Unlike its predecessor ICF, Windows Firewall starts up before the TCP/IP stack does. ICF had the troublesome aspect that it started after the TCP/IP stack did, leaving the stack unprotected for a few seconds on bootup.

A good, but not great, list of abilities. Still, a great improvement over the ICF firewall originally shipped with XP and 2003.

Summary

Windows Firewall is not only an improvement over the Internet Connection Firewall, it's, well, the first ver
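The three mechanisms the chapter walks through (the port-filtering rules on the router, the NAT state table that lets each of the ten replies find its own inside host while everything unsolicited is discarded, and the WF-style exception "accept unsolicited packets on port 25, but only from this range") can be seen working together in a small simulation. The following is an added example written for this page, not code from the book, from Windows Firewall or from any router; the private LAN, the public address, the web server address and the NatFirewall class are assumptions of the example.

```python
"""Toy model of the firewall ideas in the chapter: port-filtering rules on a
router, a NAT state table that lets replies find the right inside host and
discards anything unsolicited, and scoped exceptions for unsolicited traffic.
Added example, not the book's code; every address below is made up."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count

INTERNAL_NET = ip_network("192.168.1.0/24")   # assumed private LAN behind the router
PUBLIC_IP = "203.0.113.10"                    # assumed single routable address
OFFICIAL_WEB_SERVER = "192.168.1.80"          # assumed: the one host allowed to serve port 80


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "TCP"


class NatFirewall:
    """Two-interface NAT router carrying the chapter's three rule types."""

    def __init__(self):
        # public port -> (inside ip, inside port, remote ip, remote port): the "state"
        self.state = {}
        self.next_public_port = count(49152)
        self.inbound_port_blocks = set()   # destination ports dropped on the outside interface
        self.outbound_rules = []           # predicates over a packet; True means drop it
        self.exceptions = []               # (proto, port, allowed source net, inside target)

    def block_inbound_port(self, port):
        self.inbound_port_blocks.add(port)

    def add_outbound_rule(self, predicate):
        self.outbound_rules.append(predicate)

    def allow_unsolicited(self, proto, port, from_net, forward_to):
        self.exceptions.append((proto, port, ip_network(from_net), forward_to))

    def from_inside(self, pkt):
        """Packet seen on the internal interface; returns what is forwarded, or None."""
        if ip_address(pkt.dst) in INTERNAL_NET:
            return pkt                          # the router's first rule: stays inside
        if any(rule(pkt) for rule in self.outbound_rules):
            return None                         # outgoing port filter
        public_port = next(self.next_public_port)
        self.state[public_port] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return replace(pkt, src=PUBLIC_IP, sport=public_port)   # translated for the Internet

    def from_outside(self, pkt):
        """Packet seen on the external interface; returns what is forwarded, or None."""
        if pkt.dport in self.inbound_port_blocks:
            return None                         # incoming port filter
        entry = self.state.get(pkt.dport)
        if entry is not None and entry[2:] == (pkt.src, pkt.sport):
            inside_ip, inside_port = entry[:2]  # a reply to a conversation we started
            return replace(pkt, dst=inside_ip, dport=inside_port)
        for proto, port, net, target in self.exceptions:
            if pkt.proto == proto and pkt.dport == port and ip_address(pkt.src) in net:
                return replace(pkt, dst=target) # unsolicited but explicitly allowed
        return None                             # unsolicited: discard


def run_scenario():
    """Drives the router through the chapter's situations; returns what happened."""
    fw = NatFirewall()
    fw.block_inbound_port(139)                                    # the port-139 rule
    fw.add_outbound_rule(lambda p: p.sport == 80 and p.src != OFFICIAL_WEB_SERVER)
    fw.allow_unsolicited("TCP", 25, "198.51.100.0/24", "192.168.1.25")
    web, probe = "93.184.216.34", "198.51.100.7"                  # constructed outside hosts
    r = {}

    # Ten inside hosts talk to one web server; each leaves on its own public port.
    sent = [fw.from_inside(Packet(f"192.168.1.{i}", 1024 + i, web, 80)) for i in range(1, 11)]
    r["distinct_public_ports"] = len({p.sport for p in sent})
    reply = fw.from_outside(Packet(web, 80, PUBLIC_IP, sent[4].sport))
    r["reply_goes_to"] = (reply.dst, reply.dport)                 # un-translated to host 5

    # Unsolicited packets from the Internet: dropped unless an exception matches.
    r["netbios_probe"] = fw.from_outside(Packet(probe, 40000, PUBLIC_IP, 139))
    r["random_probe"] = fw.from_outside(Packet(probe, 40000, PUBLIC_IP, 3389))
    r["spoofed_reply"] = fw.from_outside(Packet(probe, 80, PUBLIC_IP, sent[0].sport))
    mail = fw.from_outside(Packet("198.51.100.9", 50000, PUBLIC_IP, 25))
    r["smtp_from_allowed_range"] = mail.dst if mail else None
    r["smtp_from_elsewhere"] = fw.from_outside(Packet("192.0.2.9", 50000, PUBLIC_IP, 25))

    # Outgoing filter: only the official server may send from source port 80.
    r["rogue_web"] = fw.from_inside(Packet("192.168.1.77", 80, "192.0.2.1", 51000))
    r["official_web"] = fw.from_inside(Packet(OFFICIAL_WEB_SERVER, 80, "192.0.2.1", 51000)) is not None
    inside = fw.from_inside(Packet("192.168.1.3", 5000, "192.168.1.4", 445))
    r["inside_to_inside"] = (inside.src, inside.dst)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

Running the module prints each result; the things to notice are that the genuine reply is un-translated to 192.168.1.5:1029 while the probes and the spoofed "reply" (right port, wrong source) all come back as None, and that the port-25 exception admits only a source inside the allowed range. WF's own behavior is the same state logic without the address translation and, as the chapter says, without the outgoing rule.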