Firewall Bibliographies - links
and Firewall article references
There are approximately 200 complete or partial items in this listing. About 80% of
these links lead to the complete work; the remaining 20% give enough identifying
information that you can locate the reference at your library or hunt it down with a
search engine. Unfortunately, some of the more commercial web sites use partial chapters
as bait to lure you into buying the hard copy of the text, rather than putting the whole
thing online and letting readers decide whether they prefer the free online version or
wish to purchase a hard copy.
Another problem with maintaining this listing is that web sites live and die faster than
fruit flies, so a link may be up one day and down the next.
SEARCHING THIS LIST - use your browser's built-in find feature
In order to best search this list for topics of particular interest, use the built-in
find feature of YOUR web browser to search the page for keywords. In Internet Explorer
the FIND feature is located under the EDIT menu at the top of the browser. In the
Netscape browser you will also find the FIND option under the EDIT menu at the top of
the browser.
Good luck... good hunting... and hopefully good reading !
Network Bibliography : Firewalls
J. Altman and P. Runestig, "Telnet
Forwarding of X Windows Session Data," Internet Engineering Task Force, Apr.
2000.
Abstract: This Internet-Draft describes a mechanism via which X Window System
client applications to which a telnet session has been established may have their
communications with the X Windows Server forwarded via the Telnet communications channel.
This is desirable when the Telnet session is established through a Firewall or Network
Address Translator which does not allow arbitrary connections to be created from the host
machine to the client machine; or when the Telnet session is using an authenticated and
encrypted channel and that same security is desired for the X Window System session data.
X Window System clients are authorized by the tunnel using X Display access control data.
J. Binkley and J. Richardson, "Security
Considerations for Mobility and Firewalls," Internet Engineering Task Force, Nov.
1998.
Abstract: In this paper we discuss various security issues concerning Mobile
Hosts using Mobile-IP or other mobility systems (DHCP standalone) and current firewall
technology. We first present some recent attacks on the Internet and what they might mean
for mobile systems like Mobile-IP that rely on tunneling technologies. We point out that
tunnels are a security threat and suggest how mobile systems may be made 'less insecure'
with the use of IP layer security (IPSEC) as one means for creating Virtual Private
Networks. The goal is to describe a security model wherein mobile systems can work across
the Internet and not just as an interior routing protocol within one security and/or
interior routing domain. Both the protection of Mobile Systems abroad and of Security
Enclaves that tolerate mobile visitors must be considered.
F. da Cruz and J. Altman, "INTERNET
KERMIT SERVICE," Internet Engineering Task Force, Feb. 2000.
Abstract: This document describes a new file transfer service for the Internet
based on Telnet Protocol for option negotiation and Kermit Protocol for file transfer and
management. The Internet Kermit Service provides access to both authenticated and
anonymous users. The use of Kermit protocol over a Telnet connection provides several
advantages over FTP, including easy traversal of firewalls, transfers over multiple
transports, and security via a combination of supported Telnet authentication and
encryption option negotiations, plus significant functional benefits. While this document
describes a new service for the Internet, the clients for this service already exist on
most platforms in the form of Telnet clients that support the Kermit file transfer
protocol. These clients are available not only from Columbia University's Kermit Project
but also numerous third parties.
R. Finlayson, "IP
Multicast and Firewalls," Internet Engineering Task Force, Mar. 1998.
Abstract: Many organizations use a firewall computer that acts as a security
gateway between the public Internet and their private, internal 'intranet'. In this
document, we discuss the issues surrounding the traversal of IP multicast traffic across a
firewall, and describe possible ways in which a firewall can implement and control this
traversal. We also explain why some firewall mechanisms - such as SOCKS - that were
designed specifically for unicast traffic, are less appropriate for multicast.
N. Freed and K. Carosso, "An Internet
Firewall Transparency Requirement," Internet Engineering Task Force, Dec. 1997.
Abstract: This memo defines a basic transparency requirement for Internet
firewalls. While such a requirement may seem obvious, the fact of the matter is that
firewall behavior is currently either unspecified or underspecified, and this lack of
specificity often causes problems in practice. This requirement is intended to be a
necessary first step in making the behavior of firewalls more consistent and correct.
C. Grall, "Firewall
Management Information Base," Internet Engineering Task Force, Apr. 1998.
Abstract: This document defines a portion of the Management Information Base
(MIB) for use with network management protocols in TCP/IP-based internets. In particular,
it defines objects for monitoring firewall devices.
V. Gupta, "Secure,
Remote Access over the Internet using IPSec," Internet Engineering Task Force,
Jun. 1999.
Abstract: This memo describes the use of IPSec [KeAt98a-c] for secure access to
protected networks by authorized users connected to the Internet. An example target
scenario is a corporate employee on the road accessing resources on his company's
Intranet. It addresses firewall traversal, user authentication, data confidentiality and
the use of private address spaces (the latter impacts routing and name lookups). A
comparison to other mechanisms such as those based on Layer-2 tunneling or session layer
security, is also included. This memo draws upon several ideas from [Dora97,Mosk98] and
would not have been possible without the contributions of the IETF working groups on IP
Security (IPSec) and Network Address Translation (NAT).
K. Gutfreund, "Internet
Content Filtering Protocol," Internet Engineering Task Force, May 1999.
Abstract: The Content Filtering Protocol (CFP) has been developed to facilitate
the connection of content filtering databases to Internet firewall systems. CFP compliance
allows content filters to be located 'behind the firewall,' where they are safe from
outside hostile attack. The CFP is a binary protocol used by firewall systems to
communicate over a private TCP/IP connection to the content filtering database server.
C. Huitema and F. Andreasen, "Media
Gateway Control Protocol (MGCP) Support for Packet Relays," Internet Engineering
Task Force, Feb. 1999.
Abstract: The Media Gateway Control Protocol (MGCP) organizes the communication
between a Media Gateway controller, or call agent, and a Media Gateway, e.g. a Voice over
IP gateway or a Network Access Server. MGCP is defined in a companion document [1]. This
document explains how MGCP can be used to handle 'packet relays', such as firewalls. It
contains an introduction, two example call flows, and a discussion of some open questions.
N. Freed, "Behavior of and
Requirements for Internet Firewalls," Internet Engineering Task Force, Jun. 2000.
Abstract: This memo defines behavioral characteristics of and interoperability
requirements for Internet firewalls. While most of these things may seem obvious, current
firewall behavior is often either unspecified or underspecified and this lack of
specificity often causes problems in practice. This requirement is intended to be a
necessary first step in making the behavior of firewalls more consistent across
implementations and in line with accepted IP protocol practices.
D. Chouinard, "SOCKS
V5 UDP and Multicast Extensions to Facilitate Multicast Firewall Traversal,"
Internet Engineering Task Force, Nov. 1997.
Abstract: This proposal creates a mechanism for managing the ingress or egress
of IP multicast through a firewall. It does this by defining extensions to the existing
SOCKS V5 protocol [RFC-1928], which provides a framework for doing user-level,
authenticated firewall traversal of unicast TCP and UDP traffic. However, because the
current UDP support in SOCKS V5 has scalability problems as well as other deficiencies --
and these need to be addressed before multicast support can be achieved -- the extensions
are defined in two parts: Base-level UDP extensions, and Multicast UDP extensions. Using
the SOCKS framework for managing multicast flows in/out of an organization, offers
numerous security advantages over what is possible with a conventional firewall approach.
These are spelled out in the draft.
M. Kayashima, T. Ogino, M. Terada and Y. Fujiyama, "SOCKS
V5 Protocol extension for Multiple Firewalls Traversal," Internet Engineering
Task Force, Nov. 1997.
Abstract: This document provides the extended specification of SOCKS Version 5
which enables traversal of multiple firewalls. In this protocol, the client does
subnegotiation with all servers on the communication path, and each server relays the
connection after subnegotiation.
M. VanHeyningen, "SOCKS
Protocol Version 5," Internet Engineering Task Force, Jun. 2000.
Abstract: This document is a revision of RFC 1928, the SOCKS version 5 protocol.
SOCKS is a generic proxying protocol for traversing firewalls and other trust boundaries;
version 5 of the protocol adds new features such as authentication and UDP support.
Changes from the RFC in this draft include formatting cleanups, authentication
clarification, and fixing UDP-related problems found during implementation.
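The SOCKS V5 negotiation that the Chouinard extensions build on and that this revision of RFC 1928 cleans up (method selection, then a CONNECT request and reply) is shown below as an added worked example; it is my own code, not the draft's or any SOCKS implementation's. The sample hosts and the "username/password required" policy are constructed for the example. The point of the server-side method selection is the trust-boundary behaviour: a proxy on a firewall that requires authentication answers 0xFF to a client that offers only NO AUTHENTICATION, and the client then has to close the connection.

```python
import socket
import struct

# SOCKS5 constants (RFC 1928; the username/password method number is from RFC 1929).
VER = 0x05
NO_AUTH, USERPASS, NO_ACCEPTABLE = 0x00, 0x02, 0xFF
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04
REP_SUCCEEDED, REP_NOT_ALLOWED = 0x00, 0x02


def client_greeting(methods):
    """VER | NMETHODS | METHODS: the client lists the auth methods it supports."""
    return bytes([VER, len(methods), *methods])


def server_select_method(greeting, required=USERPASS):
    """Server side of method negotiation. A proxy that requires `required`
    answers NO_ACCEPTABLE (0xFF) when the client does not offer it."""
    if len(greeting) < 2 or greeting[0] != VER:
        raise ValueError("not a SOCKS5 greeting")
    nmethods = greeting[1]
    methods = greeting[2:2 + nmethods]
    if len(methods) != nmethods:
        raise ValueError("truncated greeting")
    chosen = required if required in methods else NO_ACCEPTABLE
    return bytes([VER, chosen])


def encode_address(host, port):
    """ATYP | ADDR | PORT, choosing the IPv4, IPv6 or domain-name form."""
    for family, atyp in ((socket.AF_INET, ATYP_IPV4), (socket.AF_INET6, ATYP_IPV6)):
        try:
            return bytes([atyp]) + socket.inet_pton(family, host) + struct.pack("!H", port)
        except OSError:
            continue
    raw = host.encode("idna")
    if not 0 < len(raw) < 256:
        raise ValueError("domain name length must fit in one byte")
    return bytes([ATYP_DOMAIN, len(raw)]) + raw + struct.pack("!H", port)


def decode_address(buf, offset):
    """Inverse of encode_address; returns (host, port, next_offset)."""
    atyp = buf[offset]
    if atyp == ATYP_IPV4:
        host, offset = socket.inet_ntop(socket.AF_INET, bytes(buf[offset + 1:offset + 5])), offset + 5
    elif atyp == ATYP_IPV6:
        host, offset = socket.inet_ntop(socket.AF_INET6, bytes(buf[offset + 1:offset + 17])), offset + 17
    elif atyp == ATYP_DOMAIN:
        n = buf[offset + 1]
        host, offset = buf[offset + 2:offset + 2 + n].decode("idna"), offset + 2 + n
    else:
        raise ValueError("unknown ATYP %#x" % atyp)
    if len(buf) < offset + 2:
        raise ValueError("truncated address")
    return host, struct.unpack("!H", buf[offset:offset + 2])[0], offset + 2


def connect_request(host, port):
    """VER | CMD | RSV | ATYP | DST.ADDR | DST.PORT"""
    return bytes([VER, CMD_CONNECT, 0x00]) + encode_address(host, port)


def _parse_common(buf, what):
    if len(buf) < 4 or buf[0] != VER or buf[2] != 0x00:
        raise ValueError("malformed SOCKS5 %s" % what)
    host, port, end = decode_address(buf, 3)
    if end != len(buf):
        raise ValueError("trailing bytes after %s" % what)
    return buf[1], host, port


def parse_request(buf):
    """Server side: validate a request, return (cmd, host, port)."""
    return _parse_common(buf, "request")


def reply(rep, bnd_host="0.0.0.0", bnd_port=0):
    """VER | REP | RSV | ATYP | BND.ADDR | BND.PORT"""
    return bytes([VER, rep, 0x00]) + encode_address(bnd_host, bnd_port)


def parse_reply(buf):
    """Client side: validate a reply, return (rep, bnd_host, bnd_port)."""
    return _parse_common(buf, "reply")


if __name__ == "__main__":
    # Constructed exchange against a proxy that insists on username/password.
    print(server_select_method(client_greeting([NO_AUTH])).hex())            # 05ff: refused
    print(server_select_method(client_greeting([NO_AUTH, USERPASS])).hex())  # 0502
    req = connect_request("example.com", 443)
    print(req.hex(), parse_request(req))
    print(parse_reply(reply(REP_SUCCEEDED, "192.0.2.1", 1080)))
```

The parsers insist that the address field ends exactly at the end of the message; a lenient parser that ignores trailing bytes is the kind of "UDP-related problem found during implementation" that bites when the same code is reused for the UDP ASSOCIATE header, where the payload follows the address.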
T. Martin and B. Hickman, "Benchmarking
Methodology for Firewalls," Internet Engineering Task Force, Jul. 2000.
Abstract: This document is intended to provide methodology for the benchmarking
of firewalls. It provides methodologies for benchmarking forwarding performance,
connection performance, latency and filtering. In addition to defining the tests, this
document also describes specific formats for reporting the results of the tests. A
previous document, 'Benchmarking Terminology for Firewall Performance' [1], defines many
of the terms that are used in this document. The terminology document SHOULD be consulted
before attempting to make use of this document.
D. Newman, "Benchmarking
Terminology for Firewall Performance," Internet Engineering Task Force, Jun.
1999.
Abstract: This document defines terms used in measuring the performance of
firewalls. It extends the terminology already used for benchmarking routers and switches
with definitions specific to firewalls. Forwarding rate and connection-oriented
measurements are the primary metrics used in this document.
A. Westerlund and J. Danielsson, "Kerberos
vs firewalls," Internet Engineering Task Force, Dec. 1997.
Abstract: Kerberos[RFC1510] is a protocol for authenticating parties
communicating over insecure networks. Firewalling is a technique for achieving an illusion
of security by putting restrictions on what kinds of packets and how these are sent
between the internal (so called "secure") network and the global (or "insecure")
Internet.
N. Freed, "Behavior of
and Requirements for Internet Firewalls," Internet Engineering Task Force, Jun.
1999.
Abstract: This memo defines behavioral characteristics of and interoperability
requirements for Internet firewalls. While most of these things may seem obvious, current
firewall behavior is often either unspecified or underspecified and this lack of
specificity often causes problems in practice. This requirement is intended to be a
necessary first step in making the behavior of firewalls more consistent and correct.
M. Litvin, R. Shamir and T. Zegman, "A
Hybrid Authentication Mode for IKE," Internet Engineering Task Force, Aug. 2000.
Abstract: This document describes a set of new authentication methods to be used
within Phase 1 of the Internet Key Exchange (IKE). The proposed methods assume an
asymmetry between the authenticating entities. One entity, typically an Edge Device (e.g.
firewall), authenticates using standard public key techniques (in signature mode), while
the other entity, typically a remote User, authenticates using challenge response
techniques. These authentication methods are used to establish, at the end of Phase 1, an
IKE SA which is unidirectionally authenticated. To make this IKE bi-directionally
authenticated, this Phase 1 is immediately followed by an X-Auth Exchange [XAUTH]. The
X-Auth Exchange is used to authenticate the remote User. The use of these authentication
methods is referred to as Hybrid Authentication mode. This proposal is designed to provide
a solution for environments where a legacy authentication system exists, yet a full public
key infrastructure is not deployed.
P. Srisuresh and L. Sanchez, "Policy
Framework for IP Security," Internet Engineering Task Force, Mar. 1999.
Abstract: As policy based networking has become commonplace across the
Internet with the advent of IPsec, firewalls and other initiatives, it is important for
peering end nodes to understand where and why packets en route are black-holed. End-to-end
networking mandates that end nodes be cognizant of the impact policies along various
points on the network will have on their packets. The objective of this document is to lay
out a framework of policy requirements for end nodes. While the framework is focussed on
IPSec based policies, it may be applicable across a wider policy base.
R. Finlayson, "IP
Multicast and Firewalls," Internet Engineering Task Force, Nov. 1998.
Abstract: Many organizations use a firewall computer that acts as a security
gateway between the public Internet and their private, internal 'intranet'. In this
document, we discuss the issues surrounding the traversal of IP multicast traffic across a
firewall, and describe possible ways in which a firewall can implement and control this
traversal. We also explain why some firewall mechanisms - such as SOCKS - that were
designed specifically for unicast traffic, are less appropriate for multicast.
P. Calhoun and C. Perkins, "Mobile
IP Dynamic Home Address Allocation Extensions," Internet Engineering Task Force,
Nov. 1998.
Abstract: RFC2002 defines a method for a Mobile Node to be assigned a Home Agent
dynamically through the use of a limited broadcast message. However, most corporate
networks do not allow such packets to traverse through their firewall, which renders this
feature difficult to use. This draft introduces new entity named the Home Domain
Allocation Agency (HDAA) that can dynamically assign a Home Address to the Mobile Node.
This draft also proposes a method for the HDAA to assign a dynamic Home Agent to the
Mobile Node.
J. Zao and M. Condell, "Use of
IPSec in Mobile IP," Internet Engineering Task Force, Jan. 1998.
Abstract: The use of the IPSec ESP protocol in the Mobile IP packet redirection
tunnels will protect the redirected packets against both passive and active attacks,
and aid these packets in traversing the firewalls surrounding both the home and the
foreign subnets visited by the mobile nodes. This document proposes a scheme to negotiate
the use of IPSec ESP on selected Mobile IP tunnels and a procedure to establish these
tunnels with the aid of automatic key and security association management protocol such as
ISAKMP.
G. Montenegro, "Reverse
Tunneling for Mobile IP, revised," Internet Engineering Task Force, Jul. 2000.
Abstract: Mobile IP uses tunneling from the home agent to the mobile node's
care-of address, but rarely in the reverse direction. Usually, a mobile node sends its
packets through a router on the foreign network, and assumes that routing is independent
of source address. When this assumption is not true, it is convenient to establish a
topologically correct reverse tunnel from the care-of address to the home agent. This
document proposes backwards-compatible extensions to Mobile IP to support topologically
correct reverse tunnels. This document does not attempt to solve the problems posed by
firewalls located between the home agent and the mobile node's care-of address.
G. Montenegro, "Reverse
Tunneling for Mobile IP," Internet Engineering Task Force, Apr. 1998.
Abstract: Mobile IP uses tunneling from the home agent to the mobile node's
care-of address, but rarely in the reverse direction. Usually, a mobile node sends its
packets through a router on the foreign network, and assumes that routing is independent
of source address. When this assumption is not true, it is convenient to establish a
topologically correct reverse tunnel from the care-of address to the home agent. This
document proposes backwards-compatible extensions to Mobile IP in order to support
topologically correct reverse tunnels. This document does not attempt to solve the
problems posed by firewalls located between the home agent and the mobile node's care-of
address.
S. Reddy, "WEB based
Certificate Access Protocol-- WebCAP/1.0," Internet Engineering Task Force, Apr.
1998.
Abstract: This document describes the Internet X.509 Public Key Infrastructure
(PKI) Certificate Access Protocols. Protocol messages are defined for all relevant aspects
of certificate creation and management. Note that 'certificate' in this document refers
to an X.509v3 Certificate as defined in [COR95, X509-AM]. This document specifies a set of
methods, headers, and content-types ancillary to HTTP/1.1 to publish, retrieve X.509
certificates and Certificate Revocation Lists. This protocol also facilitates determining
current status of a digital certificate without the use of CRLs. This protocol defines new
methods, request and response bodies, error codes to HTTP/1.1 protocol for securely
publishing, retrieving, and validating certificates across firewalls.
M. Iyer, R. Kale, L. Apsani and S. Iyer, "IP
VPN Policy Information Model," Internet Engineering Task Force, Jul. 2000.
Abstract: This document represents the object oriented information model for
representing policy information associated with provisioning IP VPN services such as
firewall, address translation, quality of service, encryption. This draft extends the core
policy information model to cover the policies that need to be enforced to configure IP
VPN services mentioned earlier. The information model defined in this document is
independent of any implementation specifics related to the repository used to store the
policy information.
J. Peterson, "Application-layer
Policy Enforcement at SIP Firewalls," Internet Engineering Task Force, Jul. 2000.
Abstract: At the boundaries of some networks, administrators may want to
implement policies that govern the application-layer traversal of SIP signaling. This
document serves as an introduction to application- layer policies for SIP, discusses the
architectures of network boundaries at which policies might be deployed, and provides
examples of policies tailored to particular network services.
J. Kuthan and J. Rosenberg, "Firewall Control
Protocol Framework and Requirements," Internet Engineering Task Force, Jun. 2000.
Abstract: The purpose of this document is to collect and put under discussion
requirements for a protocol allowing for decomposition of application-awareness from
packet processing in firewalls. The protocol will be used by application-aware entities to
control packet flows of applications traversing firewalls dynamically. This kind of
control allows applications using session control protocols to traverse firewalls while
still retaining restrictive packet filtering policy. Network management tools may also
utilize the protocol to manage packet-processing policies. We suggest an extensible
framework that may be used for management of arbitrary per-flow control states in network
nodes.
E. Lear, "ICMP Blocked
Notification," Internet Engineering Task Force, Aug. 2000.
Abstract: Since the introduction of private addresses[1] the use of NATs and
firewalls has introduced not only an inability to communicate using certain mechanisms, such
as AH[2], ESP[3], and H.323[4], but also difficulty in determining the reason for the
failed communication. This document specifies methods an intermediate device such as a
router, a firewall, or a NAT may use to inform end hosts that a particular type of
communication is not possible. It also recommends practices for both the frequency of
transmission of such error notices, and their consumption by the end hosts. This document
is an outgrowth of the 'foglamps' discussion that occurred within the IETF between late
1999 and 2000, and is not the product of a working group.
M. Litvin and R. Shamir, "A
Hybrid Authentication Mode for IKE," Internet Engineering Task Force, Jun. 1998.
Abstract: This document describes a new authentication mode for the Internet Key
Exchange (IKE). This mode extends the authentication modes defined in [IKE]. The proposed
mode assumes an asymmetry between the authenticating entities. One entity, typically an
edge device (e.g. firewall), authenticates using public key techniques, while the other
entity, typically a remote user, authenticates using challenge response techniques. The
mode is designed to provide a solution for environments where a legacy authentication
system exists, yet a full public key infrastructure is not deployed.
A. Luotonen, "Tunneling
TCP based protocols through Web proxy servers," Internet Engineering Task Force,
Aug. 1998.
Abstract: This document specifies a generic tunneling mechanism for TCP based
protocols through Web proxy servers. This tunneling mechanism was initially introduced for
the SSL protocol [SSL] to allow secure Web traffic to pass through firewalls, but its
utility is not limited to SSL. Earlier drafts of this specification were titled 'Tunneling
SSL through Web Proxy Servers' . Implementations of this tunneling feature are commonly
referred to as 'SSL tunneling', although, again, it can be used for tunneling any TCP
based protocol. A wide variety of existing client and proxy server implementations conform
to this specification. The purpose of this specification is to describe the current
practice, to propose some good practices for implementing this specification, and to
document the security considerations that are involved with this protocol.
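The mechanism the abstract describes is the HTTP CONNECT method: the client asks the proxy to open a TCP connection to host:port, the proxy answers with a 2xx status line, and from then on both sides relay raw bytes without looking at them. Because the proxy is blind after the 200, the only place it can enforce policy is the request line, which is why implementations restrict the ports CONNECT may target. The following is an added example of that check, written by me and not taken from the draft or any proxy; the host names, the allowed-port set (443 and 563) and the message texts are assumptions constructed for the example.

```python
import re

# Constructed policy: only tunnel to the TLS ports this proxy expects
# (443 https, 563 snews). Anything else is refused so CONNECT cannot be
# used as a generic relay for SMTP, IRC, and so on. The set is an assumption.
ALLOWED_TUNNEL_PORTS = {443, 563}

# CONNECT host:port HTTP/1.x  (host is a name, an IPv4 literal or a bracketed IPv6 literal)
REQUEST_LINE = re.compile(
    r"^CONNECT ([A-Za-z0-9.\-]+|\[[0-9A-Fa-f:.]+\]):(\d{1,5}) HTTP/1\.[01]$"
)


def parse_connect(request):
    """Parse a raw CONNECT request; return (host, port, headers) or raise ValueError."""
    head, sep, _rest = request.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block not terminated")
    lines = head.decode("ascii").split("\r\n")  # non-ASCII is rejected (ValueError)
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError("not a CONNECT request line: %r" % lines[0])
    host, port = m.group(1), int(m.group(2))
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return host, port, headers


def proxy_response(request, allowed_ports=ALLOWED_TUNNEL_PORTS):
    """The proxy's status line for a CONNECT request under the port policy.
    After a 200 the proxy relays bytes in both directions without inspecting
    them, so this is the last point at which it can say no."""
    try:
        _host, port, _headers = parse_connect(request)
    except ValueError:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if port not in allowed_ports:
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    return b"HTTP/1.0 200 Connection established\r\n\r\n"


if __name__ == "__main__":
    # Constructed exchange; example.com is a placeholder host.
    ok = b"CONNECT example.com:443 HTTP/1.0\r\nUser-agent: demo\r\n\r\n"
    smtp = b"CONNECT example.com:25 HTTP/1.0\r\n\r\n"
    print(proxy_response(ok))    # 200: the TLS handshake then flows on the same socket
    print(proxy_response(smtp))  # 403: using the proxy as a mail relay is refused
```

Note that the check is on the port number only: the proxy cannot tell a TLS handshake from any other byte stream on port 443, so the allowlist limits where a tunnel may go, not what goes through it.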
C. Metz, "Short
Passive (SPASV) Command for FTP," Internet Engineering Task Force, Jan. 1998.
Abstract: RFC 1639[Pis94] documents experimental long port (LPRT) and long
passive (LPSV) commands that many IP Version 6 implementations are using as the
replacement for the PORT and PASV commands in FTP [PR85]. The author believes that this is
the incorrect direction to be heading and that the replacement for PORT and PASV should
carry less information instead of more. The passive command (SPASV) is a replacement for
the PASV command. It only carries port numbers and does not carry addresses. This makes it
usable with IPv4 and IPv6. A benefit of not carrying addresses is that pure network
address translators (NAT) do not have to do a search-and-replace on the TCP stream, which
is an expensive operation. This also eliminates three-way FTP, which is a rarely used mode
of operation that leaves most existing FTP servers wide open to the FTP Bounce Attack
[Hob95]. Because the FTP PORT command is unfriendly to some kinds of firewall
configurations [Bel94] and that unfriendliness is there to support three-way FTP, there is
no replacement for the PORT command -- all transfers should use passive mode instead. The
author's inet6-apps kit (available on ftp.ipv6.inner.net and ftp.inner.net) includes a
client and server that supports the current version of these commands. Those FTP servers
implement this command.
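The abstract's argument turns on what the PORT and PASV arguments carry: six decimal numbers h1,h2,h3,h4,p1,p2 that encode an IPv4 address and a port (p1*256+p2), so a NAT has to rewrite the TCP stream and a server that honours PORT for an arbitrary h1..h4 will connect to any third party (the bounce attack). Below is an added example of a parser for that form and the server-side check that defeats the bounce; it is my code, not the draft's or any FTP implementation's, and the addresses in it are constructed. The SPASV wire format itself is not reproduced here.

```python
import re

SIX_NUMBERS = r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
PORT_ARG = re.compile(r"^\s*" + SIX_NUMBERS + r"\s*$")
PASV_REPLY = re.compile(r"^227 .*\(" + SIX_NUMBERS + r"\)")


def _decode(groups):
    """Turn h1,h2,h3,h4,p1,p2 into (dotted address, port)."""
    nums = [int(g) for g in groups]
    if any(n > 255 for n in nums):
        raise ValueError("each field must be 0..255")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def parse_port_command(arg):
    """Argument of the client's PORT command (RFC 959 h1,h2,h3,h4,p1,p2)."""
    m = PORT_ARG.match(arg)
    if m is None:
        raise ValueError("malformed PORT argument: %r" % arg)
    return _decode(m.groups())


def parse_pasv_reply(line):
    """Server's 227 reply to PASV, which carries the same six-number form."""
    m = PASV_REPLY.match(line)
    if m is None:
        raise ValueError("not a 227 PASV reply: %r" % line)
    return _decode(m.groups())


def port_allowed(arg, control_peer_ip):
    """Server-side check against the FTP bounce attack: only open the data
    connection back to the host that owns the control connection, and never
    to a privileged port. Returns (allowed, reason)."""
    try:
        host, port = parse_port_command(arg)
    except ValueError as exc:
        return False, str(exc)
    if host != control_peer_ip:
        return False, "PORT names a third-party host %s (bounce attempt)" % host
    if port < 1024:
        return False, "PORT names privileged port %d" % port
    return True, "ok"


if __name__ == "__main__":
    # Constructed session: the client at 192.0.2.10 holds the control connection.
    print(port_allowed("192,0,2,10,4,1", "192.0.2.10"))         # (True, 'ok')
    print(port_allowed("198,51,100,7,0,25", "192.0.2.10"))      # third party: refused
    print(parse_pasv_reply("227 Entering Passive Mode (192,0,2,10,195,80)."))  # port 50000
```

A NAT that must rewrite the address in a PASV reply has to run exactly this parser on the control stream and reissue the six numbers, which is the "search-and-replace on the TCP stream" the abstract wants to avoid; a port-only form removes that work.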
G. Montenegro and V. Gupta, "Firewall
Support for Mobile IP," Internet Engineering Task Force, Jan. 1998.
Abstract: The Mobile IP specification establishes the mechanisms that enable a
mobile host to maintain and use the same IP address as it changes its point of attachment
to the network. Mobility implies higher security risks than static operation, because the
traffic may at times take unforeseen network paths with unknown or unpredictable security
characteristics. The Mobile IP specification makes no provisions for securing data
traffic. The mechanisms described in this document allow a mobile node out on a public
sector of the internet to negotiate access past a SKIP firewall, and construct a secure
channel into its home network. In addition to securing traffic, our mechanisms allow a
mobile node to roam into regions that (1) impose ingress filtering, and (2) use a
different address space.
S. Moyer, D. Marples, S. Tsang, J. Katz, P. Gurung, T. Cheng, A. Dutta and H.
Schulzrinne, "Framework
Draft for Networked Appliances Using the Session Initiation Protocol," Internet
Engineering Task Force, Jul. 2000.
Abstract: This document proposes the use of SIP for Network-capable appliances.
It leverages the standard SIP capabilities to directly communicate with appliances even
when they are behind firewalls, NATs or other entities that prevent direct end-to-end
communication. When combined with the recently proposed Instant Messaging and Presence SIP
extensions these techniques become even more powerful.
A. Papp, "Firewall
Redundancy Protocol Specification," Internet Engineering Task Force, Jun. 2000.
Abstract: Firewalls are used to provide a controlled and secure connection between
networks, e.g. a company's internal network and the Internet. Preferably the firewall is
the only link between the networks, so that a certain level of security can be guaranteed.
The firewall is a critical node in the network, and if it fails the result is a lost
connection between the networks. To ensure reliability and connectivity we add redundancy,
i.e. a number of parallel firewalls are installed which act as backups for each
other.
S. Mercer, A. Molitor, M. Hurry and T. Ngo, "H.323 Firewall
Control Interface (HFCI)," Internet Engineering Task Force, Dec. 1998.
Abstract: It is becoming clear that next generation telephony networks will be
built on top of IP-based networks, as opposed to the traditional voice technology. There
are several reasons for this, among them lower cost and greater flexibility. While there
are several Voice on IP (VoIP) solutions, the H.323 [2] standard from the ITU seems to be
a major player. Other solutions will probably resemble H.323, even if they do not comply
with the standard. This memo proposes an Application Interface to permit H.323 devices to
open 'pinholes' in an otherwise opaque firewall, to permit the traffic necessary for H.323
through, and nothing else. Since other VoIP solutions resemble H.323, at least
approximately, the same Application Interface may well be useful for them. In particular,
Real-Time Protocol (RTP), defined in RFC1889 [3], is likely to be the underlying voice
transport for any VoIP solution.
J. Rosenberg, D. Drew and H. Schulzrinne, "Getting
SIP through Firewalls and NATs," Internet Engineering Task Force, Feb. 2000.
Abstract: This document discusses the interaction of the Session Initiation
Protocol (SIP) with Network Address Translators (NATs) and firewalls. We show the
difficulties in SIP traversing these devices, and we compare the solutions that might be
used.
M. Sakurai, H. Kikuchi, H. Hattori, Y. Sameshima and H. Kumagai, "Web-based
Integrated CA services Protocol, ICAP," Internet Engineering Task Force, Feb.
1999.
Abstract: This document provides a subset of specifications for how to issue and
publish X.509 certificates and certificate revocation lists (CRLs). It also provides an
online certificate validation service. In the proposed specifications, the World Wide
Web (WWW) is used for securely distributing certificates across a firewall in both human and
machine readable syntax. These specifications define not only the protocols between the
PKI clients and a single CA, but also the protocols between the CAs. With the CA-CA
communications, the PKI clients can retrieve any certificates and CRLs without specifying
the location of the appropriate CA, by asking only the neighbor CA.
M. Shore, "H.323 and
Firewalls: Problem Statement and Solution Framework," Internet Engineering Task
Force, Feb. 2000.
Abstract: This paper attempts to describe in detail the problems associated with
passing H.323 through firewalls and NAT devices, and discuss the applicability of a
range of technologies currently available to solve these problems. We conclude that the
only general solution to the problem is external application control of firewalls.
S. Reddy, "WEB based
Certificate Access Protocol-- WebCAP/1.0," Internet Engineering Task Force, May
2000.
Abstract: This document describes the Internet X.509 Public Key Infrastructure
(PKI) Certificate Access Protocols. Protocol messages are defined for all relevant aspects
of certificate creation and management. Note that 'certificate' in this document refers to
an X.509v3 Certificate as defined in [COR95, X509-AM]. This document specifies a set of
methods, headers, and content-types ancillary to HTTP/1.1 to publish, retrieve X.509
certificates and Certificate Revocation Lists. This protocol also facilitates determining
current status of a digital certificate without the use of CRLs. This protocol defines new
methods, request and response bodies, error codes to HTTP/1.1 protocol for securely
publishing, retrieving, and validating certificates across firewalls. Various
certificate-related information, including certificates, CRLs, and certification
authority (CA) policy, is retrieved from an integrated single authority access point
specified in X.509 version 3 extensions.
F. Thernelius, "SIP
Firewall Solution," Internet Engineering Task Force, Jul. 2000.
Abstract: This document describes a solution that is able to handle SIP
signaling together with NAT enabled firewalls. The intent is to show that existing
firewalls do not have to be replaced by 'SIP enabled' ones, instead they will only have to
be reconfigured slightly. The main feature of this solution is using MGCP from a session
control proxy to open/close holes in an RTP proxy which then enables RTP traffic to flow
between interconnected networks. Worth noting is that this solution will not only work for
SIP, it will also work for other protocols, such as H.323 or Real Audio. It does not even
have to be RTP that is passed through the RTP proxy, though this draft assumes that the
RTP stream is accompanied by RTCP. The solution will work for any protocol that wishes to
open/close ports dynamically in the RTP proxy (maybe it should be called Forwarding Engine
in the general case).
P. Mart, P. Sijben and R. Swale, "Firewall Control
Requirements," Internet Engineering Task Force, Jun. 2000.
Abstract: This draft describes a set of requirements for a protocol between
application level entities, acting as proxies, and packet filtering devices that implement
policies determined by the application. The packet filters apply header translation and
police flow rates. These requirements are considered initially in the context of IP
telephony but may be extended further.
Adiseshu Hari, Subhash Suri and Guru Parulkar, "Detecting and Resolving Packet
Filter Conflicts," in Proceedings of the Conference on Computer Communications
(IEEE Infocom), (Tel Aviv, Israel), Mar. 2000.
Abstract: Packet filters are rules for classifying packets based on their header
fields. Packet classification is essential to routers supporting services such as Quality
of Service (QoS), Virtual Private Networks (VPNs), and firewalls. A filter conflict occurs
when two or more filters overlap, creating an ambiguity in packet classification. Current
techniques for resolving filter conflicts are based on prioritizing conflicting filters,
and choosing the higher priority filter. We show that such ordering does not always work.
Instead, we propose a new scheme for conflict resolution, which is based on the idea of
adding resolve filters. Our main results are algorithms for detecting and resolving
conflicts in a filter database.
Keywords: Traffic management and control; Security and privacy; Network
architectures (protocols, algorithms, intelligent networks, reliability)
Ralf Ackermann, Utz Roedig and Ralf Steinmetz, "Evaluating
and Improving Firewalls for IP-Telephony Environments," in Proceedings of the
1st IP-Telephony Workshop (IPtel 2000), (Berlin, Germany), Apr. 2000.
Abstract: Firewalls are a well established security mechanism for providing
access control and auditing at the borders between different administrative network
domains. Their basic architecture, techniques and operation modes did not change
fundamentally during the last years. On the other side new challenges emerge rapidly when
new innovative application domains have to be supported. IP-Telephony applications are
considered to have a huge economic potential in the near future. For their widespread
acceptance and thereby their economic success they must cope with established security
policies. Existing firewalls face immense problems here, if they - as it still happens
quite often - try to handle the new challenges in a way they did with "traditional
applications". As we will show in this paper, IP telephony applications differ from those
in many aspects, which makes such an approach quite inadequate. After identifying and
characterizing the problems we then describe and evaluate a more appropriate approach. The
feasibility of our architecture will be shown. It forms the basis of a prototype
implementation that we are currently working on.
Keywords: Firewalls; H.323; Internet telephony; network security; VoIP
Scott Hazelhurst, "Algorithms for
Analysing Firewall and Router Access Lists," no. cs/0008006, Aug. 2000.
Abstract: Network firewalls and routers use a rule database to decide which
packets will be allowed from one network onto another. By filtering packets the firewalls
and routers can improve security and performance. However, as the size of the rule list
increases, it becomes difficult to maintain and validate the rules, and lookup latency may
increase significantly. Ordered binary decision diagrams (BDDs) - a compact method of
representing and manipulating boolean expressions - are a potential method of representing
the rules. This paper presents a new algorithm for representing such lists as a BDD and
then shows how the resulting boolean expression can be used to analyse rule sets.
Keywords: Networking; Internet Architecture; firewalls
Bill Cheswick, "The design of a secure Internet gateway," in Proc. of
Usenix Summer Conference, (Anaheim, California), pp. 233--237, Jun. 1990.
Abstract: The Internet supports a vast and growing community of computer users
around the world. Unfortunately, this network can provide anonymous access to this
community by the unscrupulous, careless, or dangerous. On any given Internet there is a
certain percentage of poorly maintained systems. AT&T has a large internal Internet
that we wish to protect from outside attacks, while providing useful services between the
two. This paper describes our Internet gateway. It is an application-level gateway that
passes mail and many of the common Internet services between our internal machines and the
Internet. This is accomplished without IP connectivity using a pair of machines: a trusted
internal machine and an untrusted external gateway. These are connected by a private link.
The internal machine provides a few carefully-guarded services to the external gateway.
This configuration helps protect the internal internet even if the external machine is
fully compromised.
Keywords: gateway; firewall; security
Lixia Zhang, "VirtualClock: a new traffic control algorithm for packet-switched
networks," ACM Transactions on Computer Systems, vol. 9, no. 2, pp. 101--124,
May 1991.
Abstract: One of the challenging research issues in building high-speed
packet-switched networks is how to control the transmission rate of statistical data
flows. This paper describes a new traffic control algorithm, VirtualClock, for high-speed
network applications. VirtualClock monitors the average transmission rate of statistical
data flows and provides every flow with guaranteed throughput and low queueing delay. It
provides firewall protection among individual flows, as in a TDM system, while retaining
the statistical multiplexing advantages of packet switching. Simulation results show that
the VirtualClock algorithm meets all its design goals.
Keywords: virtual clock; rate control; bandwidth reservation; performance
guarantees; rate-based flow control; statistical multiplexing; time-division multiplexing;
TDM
Bill Cheswick, "An evening with Berferd in which a cracker is lured, endured, and
studied," Sep. 1992.
Abstract: On 7 January 1991 a cracker, believing he had discovered the famous
sendmail DEBUG hole in our Internet gateway machine, attempted to obtain a copy of our
password file. I sent him one. For several months, we led this cracker on a merry chase in
order to trace his location and learn his techniques. This paper is a chronicle of the
cracker's "successes" and disappointments, the bait and traps used to lure and detect
him, and the chroot "jail" we built to watch his activities. We concluded that our
cracker had a lot of time and persistence, and a good list of security holes to use once
he obtained a login on a machine. With these holes he could often subvert the uucp and bin
accounts in short order, and then root. Our cracker was interested in military targets and
new machines to help launder his connections.
Keywords: cracker; security; firewall
G. Winfield Treese and Alec Wolman, "X
through the firewall, and other application relays," in Proc. of Usenix Summer
Conference, (Cincinnati, Ohio), pp. 87--99, Jun. 1993.
Abstract: Organizations often impose an administrative security policy when they
connect to other organizations on a public network such as the Internet. Many applications
have their own notions of security, or they simply rely on the security of the underlying
protocols. Using the X Window System as a case study, we describe some techniques for
building application-specific "relays" that allow the use of applications across
organizational boundaries. In particular, we focus on analyzing administrative and
application-specific security policies to construct solutions that satisfy the security
requirements while providing the necessary functions of the applications.
Keywords: security; firewall; X; application relay; Internet
Liang Wu, "ATM CRS CNM PROXY: is it a firewall or a stonewall?," in 8th
IEEE Workshop on Computer Communications, (Del Mar, California), Oct. 1993.
Keywords: ATM; proxy; network management
Steven M. Bellovin and William R. Cheswick, "Network Firewalls," IEEE
Communications Magazine, vol. 32, no. 9, pp. 50--57, Sep 1994.
Abstract: Computer security is a hard problem. Security on networked computers
is much harder. Firewalls (barriers between two networks), when used properly, can provide
a significant increase in computer security.
Keywords: network firewalls; computer security
William R. Cheswick and Steven M. Bellovin, "Firewalls and Internet Security:
repelling the wily hacker," Reading, Massachusetts, 1994.
Keywords: security; firewall; internet; cryptography
Ari Luotonen and Kevin Altis, "World-Wide Web Proxies," in First
International WWW Conference, (Geneva, Switzerland), May 1994.
Abstract: A WWW proxy server, proxy for short, provides access to the Web for
people on closed subnets who can only access the Internet through a firewall machine. The
hypertext server developed by CERN, cern_httpd, is capable of running as a proxy,
providing seamless external access to HTTP, Gopher, WAIS and FTP. Cern_httpd has had
gateway features for a long time, but only this spring they were extended to support all
the methods in the HTTP protocol used by WWW clients. Clients don't lose any functionality
by going through a proxy, except special processing they may have done for non-native Web
protocols such as Gopher and FTP. A brand new feature is caching performed by the proxy,
resulting in shorter response times after the first document fetch. This makes proxies
useful even to the people who do have full Internet access and don't really need the proxy
just to get out of their local subnet. This paper gives an overview of proxies and reports
their current status.
Keywords: WWW; W3; http; world-wide web; proxy; server; security; cache
Simon Lam and Geoffrey G. Xie, "Burst Scheduling Networks: Flow
Specification and Performance Guarantees," in Proc. International Workshop on
Network and Operating System Support for Digital Audio and Video (NOSSDAV), (Durham,
New Hampshire), pp. 303--306, Apr. 1995.
Abstract: We present a class of packet switching networks, called Burst
Scheduling Networks, designed to provide throughput, delay, and delay jitter guarantees.
These performance guarantees are derived from the delay guarantee of a VC server, and a
new traffic model called Flow Specification. The delay guarantee of a VC server has
several desirable properties, including the following firewall property: The guarantee to
a flow is unaffected by the behavior of other flows sharing the same server. There is no
assumption that sources are flow-controlled or well-behaved. Each guaranteed flow is
modeled as a sequence of bursts, each of which is a sequence of packets. Bursts are needed
to specify two types of jitter bounds: over the delays of packets in a burst, and over the
delays of bursts in a flow. For video flows, each encoded picture is naturally modeled by
a burst. The model is also appropriate for audio and data flows that require delay and
delay jitter guarantees. With the new traffic model, a flow can be partitioned into
intervals (bursts) that have substantially different average rates; the first packet of a
burst carries information on the size and average rate of the burst. Switches are designed
to process flows efficiently in bursts.
Keywords: Packet switching; delay guarantee; delay jitter guarantee; throughput
guarantee; firewall property; virtual clock; Burst Scheduling; video
Geoffrey G. Xie and Simon S. Lam, "Delay Guarantee of Virtual Clock Server," IEEE/ACM
Transactions on Networking, vol. 3, no. 6, Dec. 1995.
Abstract: We present and prove a delay guarantee for the Virtual Clock service
discipline. The guarantee has several desirable properties, including the following
firewall property: The guarantee to a flow is unaffected by the behaviour of other flows
sharing the same server. There is no assumption that sources are flow controlled or well
behaved. In this paper, we first introduce and define the concept of an active flow. The
delay guarantee is then formally stated as a theorem. We show how to obtain delay bounds
from the delay guarantee of a single server for different specifications. Derivations of
end-to-end delay bounds for various networks and source specification are presented
elsewhere.
Kelly Djahandari and Daniel F. Sterne, "An MBone Proxy for
an Application Gateway Firewall," in Proc. of IEEE Symposium on Security and
Privacy, (Oakland, California), May 1997.
Abstract: The Internet's multicast backbone (MBone) holds great potential for
many organizations because it supports low-cost audio and video conferencing and carries
live broadcasts of an increasing number of public interest events. MBone conferences are
transmitted via unauthenticated multicast datagrams, which unfortunately convey
significant security vulnerabilities to any system that receives them. For this reason,
most application gateway firewalls block MBone datagrams sent from the Internet and
prevent them from reaching hosts on internal networks. This paper describes the design and
rationale for a new set of facilities for the TIS Internet Firewall Toolkit (FWTK). These
facilities, which are fully implemented, significantly reduce the security risks of
observing or participating in MBone conferences. They impose no functional constraints on
MBone applications and are transparent to users. Configuration options that support
tradeoffs among security, performance, and ease of use are discussed.
Keywords: Mbone; security; firewall; TIS; multicast
Anonymous, "H.323 and
Firewalls: The problems and pitfalls of getting H.323 safely through firewalls,"
Intel Corporation, Apr. 1997.
Abstract: The first part of this document provides an overview of H.323 - what
the protocol is, why it's important, and how it works. The second section provides a
framework for discussing firewall issues, including a taxonomy for classifying firewalls.
The third section discusses the issues of H.323 and proxies - why H.323 is hard for
firewalls, and what implications a proxy has on H.323 applications. The fourth section is
a short overview of the changes necessary to an H.323 application to support proxies.
Finally, the appendices provide additional information, including pointers to other
sources, a 'decoder ring' for the ITU-T's 'alphabet soup' of protocols, and a detailed
trace from a typical H.323 call.
Keywords: H.323; firewall; proxy; Internet telephony signaling
Ping Pan and Henning Schulzrinne, "YESSIR:
A Simple Reservation Mechanism for the Internet," IBM Research, Hawthorne, New
York, no. RC 20697, Sep. 1997.
Abstract: RSVP has been designed to support resource reservation in the
Internet. However, it has two major problems: complexity and scalability. The former
results in heavy message processing overhead at end systems and routers, and inefficient
firewall processing at the edge of the network. The latter implies that in a backbone
environment, the amount of bandwidth consumed by refresh messages and the storage space
that is needed to support a large number of flows at a router are too large. We have
developed a new reservation mechanism that simplifies the process of establishing reserved
flows while preserving many unique features introduced in RSVP. Simplicity is measured in
terms of control message processing, data packet processing, and user-level flexibility.
Features such as robustness, advertising network service availability and resource sharing
among multiple senders are also supported in the proposal. The proposed mechanism, YESSIR
(YEt another Sender Session Internet Reservations) generates reservation requests by
senders to reduce the processing overhead, builds on top of RTCP, uses soft state
to maintain reservation states, supports shared reservation and associated flow merging
and is backward compatible with the IETF Integrated Services models. YESSIR extends the
all-or-nothing reservation model to support partial reservations that improve over the
duration of the session. To address the scalability issue, we investigate the possibility
of using YESSIR for per-stream reservation and RSVP for aggregate reservation.
Keywords: resource reservation; RSVP; integrated services; quality of service;
bandwidth reservation; RTP
Michael Hasenstein, "IP Network Address
Translation," Chemnitz University of Technology, Chemnitz, Germany, 1997.
Keywords: firewall; NAT; network address translation
Ping P. Pan and Henning Schulzrinne, "YESSIR: A Simple
Reservation Mechanism for the Internet," in Proc. International Workshop on
Network and Operating System Support for Digital Audio and Video (NOSSDAV),
(Cambridge, England), pp. 141--151, Jul. 1998.
Abstract: RSVP has been designed to support resource reservation in the
Internet. However, it has two major problems: complexity and scalability. The former
results in heavy message processing overhead at end systems and routers, and inefficient
firewall processing at the edge of the network. The latter implies that in a backbone
environment, the amount of bandwidth consumed by refresh messages and the storage space
that is needed to support a large number of flows at a router are too large. We have
developed a new reservation mechanism that simplifies the process of establishing reserved
flows while preserving many unique features introduced in RSVP. Simplicity is measured in
terms of control message processing, data packet processing, and user-level flexibility.
Features such as robustness, advertising network service availability and resource sharing
among multiple senders are also supported in the proposal. The proposed mechanism, YESSIR
(YEt another Sender Session Internet Reservations) generates reservation requests by
senders to reduce the processing overhead, builds on top of RTCP, uses soft state
to maintain reservation states, supports shared reservation and associated flow merging
and is backward compatible with the IETF Integrated Services models. YESSIR extends the
all-or-nothing reservation model to support partial reservations that improve over the
duration of the session. To address the scalability issue, we investigate the possibility
of using YESSIR for per-stream reservation and RSVP for aggregate reservation.
Keywords: RSVP; YESSIR; resource reservation; partial reservation
D. A. Maltz and P. Bhagwat, "MSOCKS: An Architecture for
Transport Layer Mobility," in Proceedings of the Conference on Computer
Communications (IEEE Infocom), (San Francisco, California), pp. 1037, March/April
1998.
Abstract: Mobile nodes of the future will be equipped with multiple network
interfaces to take advantage of overlay networks, yet no current mobility systems provide
full support for the simultaneous use of multiple interfaces. The need for such support
arises when multiple connectivity options are available with different cost, coverage,
latency and bandwidth characteristics, and applications want their data to flow over the
interface that best matches the characteristics of the data. We present an architecture
called Transport Layer Mobility that allows mobile nodes to not only change their point of
attachment to the Internet, but also to control which network interfaces are used for the
different kinds of data leaving from and arriving at the mobile node. We implement our
transport layer mobility scheme using a split-connection proxy architecture and a new
technique called TCP Splice that gives split-connection proxy systems the same end-to-end
semantics as normal TCP connections.
Keywords: mobile networking; proxies; TCP; connection redirection; SOCKS;
firewalls
Kathryn M. Walker and Linda Croswhite Cavanaugh, "Computer Security Policies and
SunScreen Firewalls," Upper Saddle River, New Jersey, 1998.
Keywords: security; firewall; NAT; SKIP
Linda McCarthy, "Intranet Security," Upper Saddle River, New Jersey, 1998.
Keywords: security; firewall
V. Srinivasan, G. Varghese, S. Suri and M. Waldvogel, "Fast and Scalable Layer
Four Switching," ACM Computer Communication Review, vol. 28, no. 4, pp.
191--202, Sep. 1998.
Abstract: In Layer Four switching, the route and resources allocated to a packet
are determined by the destination address as well as other header fields of the packet
such as source address, TCP and UDP port numbers. Layer Four switching unifies firewall
processing, RSVP style resource reservation filters, QoS Routing, and normal unicast and
multicast forwarding into a single framework. In this framework, the forwarding database
of a router consists of a potentially large number of filters on key header fields. A
given packet header can match multiple filters, so each filter is given a cost, and the
packet is forwarded using the least cost matching filter. In this paper, we describe two
new algorithms for solving the least cost matching filter problem at high speeds. Our
first algorithm is based on a grid-of-tries construction and works optimally for
processing filters consisting of two prefix fields (such as destination-source filters)
using linear space. Our second algorithm, cross-producting, provides fast lookup times for
arbitrary filters but potentially requires large storage. We describe a combination scheme
that combines the advantages of both schemes. The combination scheme can be optimized to
handle pure destination prefix filters in 4 memory accesses, destination-source filters in
8 memory accesses worst case, and all other filters in 11 memory accesses in the typical
case.
Lincoln D. Stein, "Web Security: A step-by-step reference guide," Reading,
Massachusetts, 1998.
Keywords: web; security; SSL; firewall; cgi
William Stallings, "Cryptography and Network Security: principles and
practice," Upper Saddle River, New Jersey, 1999.
Keywords: security; firewall
Ping Pan and Henning Schulzrinne, "YESSIR: a simple reservation mechanism for the
Internet," ACM Computer Communication Review, vol. 29, no. 2, pp. 89--101,
Apr. 1999.
Abstract: RSVP has been designed to support resource reservation in the
Internet. However, it has two major problems: complexity and scalability. The former
results in heavy message processing overhead at end systems and routers, and inefficient
firewall processing at the edge of the network. The latter implies that in a backbone
environment, the amount of bandwidth consumed by refresh messages and the storage space
that is needed to support a large number of flows at a router are too large. We have
developed a new reservation mechanism that simplifies the process of establishing reserved
flows while preserving many unique features introduced in RSVP. Simplicity is measured in
terms of control message processing, data packet processing, and user-level flexibility.
Features such as robustness, advertising network service availability and resource sharing
among multiple senders are also supported in the proposal. The proposed mechanism, YESSIR
(YEt another Sender Session Internet Reservations) generates reservation requests by
senders to reduce the processing overhead, builds on top of RTCP, uses soft state
to maintain reservation states, supports shared reservation and associated flow merging
and is backward compatible with the IETF Integrated Services models. YESSIR extends the
all-or-nothing reservation model to support partial reservations that improve over the
duration of the session. To address the scalability issue, we investigate the possibility
of using YESSIR for per-stream reservation and RSVP for aggregate reservation.
Keywords: resource reservation; RSVP; quality of service
Pankaj Gupta and Nick McKeown, "Packet Classification using
Hierarchical Intelligent Cuttings," in Hot Interconnects VII, (Stanford
University), pp. 8, Aug. 1999.
Abstract: Internet routers that operate as firewalls, or provide a variety of
service classes, perform different operations on different flows. A flow is defined to be
all the packets sharing common header characteristics; for example a flow may be defined
as all the packets between two specific IP addresses. In order to classify a packet, a
router consults a table (or classifier) using one or more fields from the packet header to
search for the corresponding flow. The classifier is a list of rules that identify each
flow and the actions to be performed on each. With the increasing demands on router
performance, there is a need for algorithms that can classify packets quickly with minimal
storage requirements and allow new flows to be frequently added and deleted. In the worst
case, packet classification is hard requiring routers to use heuristics that exploit
structure present in the classifiers. This paper presents such a heuristic, called HiCuts,
(hierarchical intelligent cuttings), which exploits the structure found in classifiers. We
describe HiCuts and examine its performance against real classifiers in use today. When
compared with previously described algorithms and used to classify packets based on four
header fields, the algorithm is found to classify packets quickly and has relatively small
storage requirements.
Jun Xu and Mukesh Singhal, "Design and Evaluation of a High-Performance ATM
Firewall Switch and Its Applications," IEEE Journal on Selected Areas in
Communications, vol. 17, no. 6, pp. 1190--1200, Jun. 1999.
Abstract: We present the design of a value-added ATM switch that is capable of
performing packet-level (IP) filtering at the maximum throughput of 2.88 Gbit/s per port.
This firewall switch nicely integrates the IP level security mechanisms into the hardware
components of an ATM switch so that most of the filtering operations are performed in
parallel with the normal cell processing, and most of its cost is absorbed into the base
cost of the switch. The firewall switch employs the concept of "last cell hostage" (LCH)
to avoid or reduce the latency caused by filtering. We analyze in detail the performance
of the firewall switch in terms of the throughput and the latency and address related
design issues. Applications of our firewall switch as Internet and intranet security
solutions are also discussed.
Lyndon G. Pierson, Edward L. Witzke, Mark O. Bean and Gerry J. Trombley, "Context-Agile
Encryption for High Speed Communication Networks," ACM Computer Communication
Review, vol. 29, no. 1, Jan. 1999.
Abstract: Different applications have different security requirements for data
privacy, data integrity, and authentication. Encryption is one technique that addresses
these requirements. Encryption hardware, designed for use in high-speed communications
networks, can satisfy a wide variety of security requirements if the hardware
implementation is key-agile, key length-agile, mode-agile, and algorithm-agile. Hence,
context-agile encryption provides enhanced solutions to the security, interoperability,
and quality of service issues in high-speed networks. Moreover, having a single
context-agile encryptor at an ATM aggregation point (such as a firewall) reduces hardware
and administrative costs. While single-algorithm, key-agile encryptors exist, encryptors
that are agile in a cryptographic robustness sense, are still research topics.
Jian Yin, Lorenzo Alvisi, Mike Dahlin and Calvin Lin, "Hierarchical
Cache Consistency in a WAN," in 2nd USENIX Symposium on Internet Technologies
and Systems, (Boulder, Colorado, USA), Oct 1999.
Abstract: This paper explores ways to provide improved consistency for Internet
applications that scale to millions of clients. We make four contributions. First, we
identify how workloads affect the scalability of cache consistency algorithms. Second, we
define two primitive mechanisms, split and join, for growing and shrinking consistency
hierarchies, and we present a simple mechanism for implementing them. Third, we describe
and evaluate policies for using split and join to address the fault tolerance and
performance challenges of consistency hierarchies. Fourth, using synthetic workload and
trace-based simulation, we compare various algorithms for maintaining strong consistency
in a range of hierarchy configurations. Our results indicate that a promising
configuration for providing strong consistency in a WAN is a two-level consistency
hierarchy where servers and proxies work to maintain consistency for data cached at
clients. Specifically, by adapting to clients' access patterns, two-level hierarchies
reduce the read latency for demanding workloads without introducing excessive overhead for
nondemanding workloads. Also, they can improve scalability by orders of magnitude.
Furthermore, this configuration is easy to deploy by augmenting proxies, and it allows
invalidation messages to traverse firewalls.
Evangelos P. Markatos, Manolis G. H. Katevenis, Dionisis Pnevmatikatos and Michail
Flouris, "Secondary
Storage Management for Web Proxies," in 2nd USENIX Symposium on Internet
Technologies and Systems, (Boulder, Colorado, USA), Oct 1999.
Abstract: World-Wide Web proxies are being increasingly used to provide Internet
access to users behind a firewall and to reduce wide-area network traffic. Recent results
suggest that disk I/O is increasingly becoming the limiting factor for the performance of
web proxies. In this paper we study the overheads associated with disk I/O for web
proxies, and propose secondary storage management alternatives that improve performance.
We use a combination of experimental evaluation and simulation based on traces from busy
web proxies. We show that web proxies experience significant overheads due to disk I/O. We
propose several file management methods that reduce the disk I/O overhead by a
factor of 25 overall, resulting in a single-disk service rate that exceeds 500 (URL-get)
operations per second.
S. Bellovin, "Firewall-Friendly
FTP," Internet Engineering Task Force, no. 1579, Feb. 1994.
Abstract: This memo describes a suggested change to the behavior of FTP client
programs. No protocol modifications are required, though we outline some that might be
useful.
M. Chatel, "Classical versus
Transparent IP Proxies," Internet Engineering Task Force, no. 1919, Mar. 1996.
Abstract: Many modern IP security systems (also called "firewalls" in
the trade) make use of proxy technology to achieve access control. This document explains
"classical" and "transparent" proxy techniques and attempts to provide
rules to help determine when each proxy system may be used without causing problems.
M. Leech, M. Ganis, Y. Lee, R. Kuris, D. Koblas and L. Jones, "SOCKS Protocol Version 5," Internet
Engineering Task Force, no. 1928, Apr. 1996.
Abstract: This memo describes a protocol that is an evolution of the previous
version of the protocol, version 4. This new protocol stems from active discussions and
prototype implementations. This RFC is a product of the Authenticated Firewall Traversal
Working Group of the IETF.
M. Leech, "Username/Password
Authentication for SOCKS V5," Internet Engineering Task Force, no. 1929, Apr.
1996.
Abstract: The protocol specification for SOCKS Version 5 specifies a generalized
framework for the use of arbitrary authentication protocols in the initial socks
connection setup. This document describes one of those protocols, as it fits into the
SOCKS Version 5 authentication "subnegotiation". This RFC is the product of the
Authenticated Firewall Traversal Working Group of the IETF.
P. McMahon, "GSS-API
Authentication Method for SOCKS Version 5," Internet Engineering Task Force, no.
1961, Jun. 1996.
Abstract: The protocol specification for SOCKS Version 5 specifies a generalized
framework for the use of arbitrary authentication protocols in the initial SOCKS
connection setup. This document provides the specification for the SOCKS V5 GSS-API
authentication protocol, and defines a GSS-API-based encapsulation for provision of
integrity, authentication and optional confidentiality. This RFC is the product of the
Authenticated Firewall Traversal Working Group of the IETF.
B. Callaghan, "WebNFS Client
Specification," Internet Engineering Task Force, no. 2054, Oct. 1996.
Abstract: This document describes a lightweight binding mechanism that allows
NFS clients to obtain service from WebNFS-enabled servers with a minimum of protocol
overhead. In removing this overhead, WebNFS clients see benefits in faster response to
requests, easy transit of packet filter firewalls and TCP-based proxies, and better server
scalability.
B. Callaghan, "WebNFS Server
Specification," Internet Engineering Task Force, no. 2055, Oct. 1996.
Abstract: This document describes the specifications for a server of WebNFS
clients. WebNFS extends the semantics of versions 2 and 3 of the NFS protocols to allow
clients to obtain filehandles more easily, without recourse to the portmap or MOUNT
protocols. In removing the need for these protocols, WebNFS clients see benefits in faster
response to requests, easy transit of firewalls and better server scalability. This
description is provided to facilitate compatible implementations of WebNFS servers.
G. Montenegro, "Reverse Tunneling
for Mobile IP," Internet Engineering Task Force, no. 2344, May 1998.
Abstract: This document proposes backwards-compatible extensions to Mobile IP in
order to support topologically correct reverse tunnels. This document does not attempt to
solve the problems posed by firewalls located between the home agent and the mobile node's
care-of address.
G. Montenegro and V. Gupta, "Sun's
SKIP Firewall Traversal for Mobile IP," Internet Engineering Task Force, no.
2356, Jun. 1998.
Abstract: The Mobile IP specification establishes the mechanisms that enable a
mobile host to maintain and use the same IP address as it changes its point of attachment
to the network. Mobility implies higher security risks than static operation, because the
traffic may at times take unforeseen network paths with unknown or unpredictable security
characteristics. The Mobile IP specification makes no provisions for securing data
traffic. The mechanisms described in this document allow a mobile node out on a public
sector of the internet to negotiate access past a SKIP firewall, and construct a secure
channel into its home network. In addition to securing traffic, our mechanisms allow a
mobile node to roam into regions that (1) impose ingress filtering, and (2) use a
different address space. This document is the product of the IP Routing for
Wireless/Mobile Hosts Working Group of the IETF.
R. Finlayson, "IP Multicast and
Firewalls," Internet Engineering Task Force, no. 2588, May 1999.
Abstract: Many organizations use a firewall computer that acts as a security
gateway between the public Internet and their private, internal 'intranet'. In this
document, we discuss the issues surrounding the traversal of IP multicast traffic across a
firewall, and describe possible ways in which a firewall can implement and control this
traversal. We also explain why some firewall mechanisms - such as SOCKS - that were
designed specifically for unicast traffic, are less appropriate for multicast. This
document is the product of the MBONE Deployment Working Group of the IETF.
D. Newman, "Benchmarking
Terminology for Firewall Performance," Internet Engineering Task Force, no. 2647,
Aug. 1999.
Abstract: This document defines terms used in measuring the performance of
firewalls. It extends the terminology already used for benchmarking routers and switches
with definitions specific to firewalls.
F. da Cruz and J. Altman, "Internet
Kermit Service," Internet Engineering Task Force, no. 2839, May 2000.
Abstract: This document describes a new file transfer service for the Internet
based on Telnet Protocol for option negotiation and Kermit Protocol for file transfer and
management. The Internet Kermit Service provides access to both authenticated and
anonymous users. The use of Kermit protocol over a Telnet connection provides several
advantages over FTP, including easy traversal of firewalls, transfers over multiple
transports, and security via a combination of supported Telnet authentication and
encryption option negotiations, plus significant functional benefits. While this document
describes a new service for the Internet, the clients for this service already exist on
most platforms in the form of Telnet clients that support the Kermit file transfer
protocol. These clients are available not only from Columbia University's Kermit Project
but also numerous third parties.
N. Freed, "Behavior of and
Requirements for Internet Firewalls," Internet Engineering Task Force, no. 2979,
Oct. 2000.
Abstract: This memo defines behavioral characteristics of and interoperability
requirements for Internet firewalls. While most of these things may seem obvious, current
firewall behavior is often either unspecified or underspecified and this lack of
specificity often causes problems in practice. This requirement is intended to be a
necessary first step in making the behavior of firewalls more consistent across
implementations and in line with accepted IP protocol practices. This document is a
product of the Internet Architecture Board.