This section contains a list of papers about firewalls, security attacks, and related topics. It is by no means an exhaustive list, but it does contain references to some of the papers that we find the most interesting. To get most of these, as well as many other papers, consult the extensive collections available from the Telstra and COAST WWW pages described earlier in this appendix.
The list below does not include papers that describe topics that are adequately described in this book, nor does it include papers that simply describe software (such as Tripwire, TCP Wrapper, etc.) that are mentioned in this book and cited in Appendix B, Tools; up-to-date papers about tools are ordinarily included with the tools themselves. The published versions of the papers are out of date, so you will do better to get the papers or documentation distributed with the software.
Bellovin, Steve, smb@research.att.com. "Packets Found on an Internet." Computer Communications Review. 23(3): 26-31. July 1993.
Describes some of the stranger and more malevolent packets seen by one of AT&T's gateways.
Bellovin, Steve, smb@research.att.com. "There Be Dragons." Proceedings of the Third USENIX UNIX Security Symposium. USENIX Association. Baltimore. September 14-16, 1992.
This paper describes some of the probes and attacks against one of AT&T's gateways.
Cheswick, Bill, ches@research.att.com. "An Evening With Berferd in Which a Cracker Is Lured, Endured, and Studied." Proceedings of the Winter 1992 USENIX Technical Conference. USENIX Association. San Francisco. January 20-24, 1992.
Describes AT&T's experiences with one particular cracker who walked right into a trap and never knew he was the mouse being toyed with by the cat. The best part of the story isn't in the paper, however: how they got him to finally go away. The cracker was in the Netherlands, and they were sure they knew who it was, but there were no diplomatic channels through which they could get the Dutch police to do anything about it (what the cracker was doing wasn't illegal in the Netherlands, at least not at the time). Finally, one of the Dutch system administrators they'd been working with throughout the investigation got frustrated, called the cracker's mother, and the problem went away.
Eichlin, Mark W., and Jon A. Rochlis, "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988." Proceedings, IEEE Symposium on Research in Security and Privacy. Pages 326-345. Oakland, CA. May 1989.
A detailed dissection of the Morris Internet worm (this paper's authors prefer "Internet virus") of 1988: what it was, how it worked, what it did, and so on, as well as a discussion of the response.
Farmer, Dan, and Wietse Venema. "Improving the Security of Your Site by Breaking Into It."
A guide from the authors of COPS and SATAN (Dan) and TCP Wrapper, portmap, and chrootuid (Wietse) to testing your own security before attackers do it for you.
ftp://ftp.win.tue.nl/pub/security/admin-guide-to-cracking.101.Z
Hess, David K., David R. Safford, and Udo W. Pooch, David-Hess@net.tamu.edu. "A UNIX Network Protocol Security Study: Network Information Service." Texas A&M University.
An interesting analysis of the security weaknesses in the NIS/YP protocol, which is one of the fundamental RPC-based services.
Holbrook, P, and J. Reynolds. RFC1244: Site Security Handbook. July 1991.
This RFC is a guide to establishing a security policy for your site. From the introduction:
This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet. This guide lists issues and factors that a site must consider when setting their own policies. It makes some recommendations and gives discussions of relevant areas.
ftp://ftp.internic.net/rfc/rfc1244.txt.Z
http://ds.internic.net/rfc/rfc1244.txt
Note that the Internet RFCs ("Requests for Comments") are the defining documents for almost all Internet protocols and services. Start with file rfc-index.txt; this is the index to the rest of the documents.
Ranum, Marcus (maintainer), mjr@v-one.com. "Internet Firewalls Frequently Asked Questions (FAQ)."
It is updated and posted to the Firewalls mailing list (firewalls@greatcircle.com) on a regular basis.
http://www.clark.net/pub/mjr/pubs/fwfaq
http://www.greatcircle.com/firewalls/FAQ
ftp://ftp.greatcircle.com/pub/firewalls/FAQ
Safford, David R., Douglas Lee Shales, and David K. Hess, David-Hess@net.tamu.edu. "The TAMU Security Package: An Ongoing Response to Internet Intruders in an Academic Environment." Texas A&M, University Supercomputer Center.
A fascinating account of how fast things can go to hell in a handbasket when dealing with an attack. Due to rapid escalation of coordinated attacks against Texas A&M, the university was forced to go from no firewall at all (and never really having thought about one) to having to design, build from scratch, and install a rather significant firewall over the course of less than two weeks. This paper describes the situation and genesis of the TAMU security package, which includes the Tiger security analysis and Drawbridge packet-filtering systems discussed elsewhere in this book.
ftp://net.tamu.edu/pub/security/TAMU/tamu-security-overview.ps.gz