This appendix describes some of the tools and packages available on the Internet that you might find useful in building and maintaining your firewall. Many of these tools are mentioned in this book. Although this software is freely available, some of it is restricted in various ways by the authors (e.g., it may not be permitted to be used for commercial purposes or be included on a CD-ROM, etc.) or by the U.S. government (e.g., if it contains cryptography, it can't ordinarily be exported outside the United States). Carefully read the documentation files that are distributed with the packages.
Although we have used most of the software listed here, we can't take responsibility for ensuring that the copy you get will work properly and won't cause any damage to your system. As with any software, test it before you use it.
As we've mentioned, the Computer Operations, Audit, and Security
Technology (COAST) project at Purdue University
provides a valuable service to the Internet community by maintaining a
current and well-organized repository of the most important security
tools and documents on the Internet. The repository is available on host
anonymous FTP; start in the/pub/aux directory for listings of the documents and tools
available. Many of the descriptions of tools in the list below are
drawn from COAST's
tools.abstracts file, and we gratefully
acknowledge their permission to use this information. To find out
more about COAST, point a WWW
viewer at their Web page:
The tools in this category provide support for various types of authentication. See Chapter 10, Authentication and Inbound Services for information about different authentication approaches.
The TIS Internet Firewall Toolkit (FWTK), from Trusted Information Systems, Inc., is a very useful, well-designed, and well-written set of programs you might find useful for authentication and other purposes. It includes:
An authentication server that provides several mechanisms for supporting nonreusable passwords (described in Chapter 10).
An access control program, netacl (described in Chapter 5, Bastion Hosts).
Proxy servers for a variety of protocols (FTP, HTTP, Gopher, rlogin, Telnet, and X11) (described in Chapter 7, Proxy Systems).
A generic proxy server for simple TCP-based protocols using one-to-one or many-to-one connections, such as NNTP (described in Chapter 7).
A wrapper (the smap package) for SMTP servers such as Sendmail to protect them from SMTP-based attacks (described in Chapter 8, Configuring Internet Services).
A wrapper for inetd-started servers such as telnetd and ftpd to control where they can be contacted from (much like the TCP Wrapper package described later in this appendix)
The toolkit is designed so that you can pick and choose only the pieces you need; you don't have to install the whole thing. The pieces you do install share a common configuration file, however, which makes managing configuration changes somewhat easier.
Some parts of the toolkit (the server for the non-reusable password system, for example) require a Data Encryption Standard (DES) library in some configurations. If your system doesn't already have one (look for a file named libdes.a in whatever directories code libraries are kept on your system), you can get one from:
TIS maintains a mailing list for discussions of improvements, bugs, fixes, and so on among people using the toolkit; Send email to email@example.com to subscribe to this list.
Kerberos was developed by Project Athena at the Massachusetts Institute of Technology. From the Kerberos Frequently Asked Questions (FAQ) file:
Kerberos is a network authentication system for use on physically insecure networks, based on the key distribution model presented by Needham and Schroeder. It allows entities communicating over networks to prove their identity to each other while preventing eavesdropping or replay attacks. It also provides for data-stream integrity (detection of modification) and secrecy (preventing unauthorized reading) using cryptography systems such as DES.