solutions@syngress.com With more than 1,500,000 copies of our MCSE, MCSD, CompTIA, and Cisco study guides in print, we continue to look for ways we can better serve the information needs of our readers. One way we do that is by listening. Readers like yourself have been telling us they want an Internet-based ser- vice that would extend and enhance the value of our books. Based on reader feedback and our own strategic plan, we have created a Web site that we hope will exceed your expectations. Solutions@syngress.com is an interactive treasure trove of useful infor- mation focusing on our book topics and related technologies. The site offers the following features: ■ One-year warranty against content obsolescence due to vendor product upgrades. You can access online updates for any affected chapters. ■ “Ask the Author” customer query forms that enable you to post questions to our authors and editors. ■ Exclusive monthly mailings in which our experts provide answers to reader queries and clear explanations of complex material. ■ Regularly updated links to sites specially selected by our editors for readers desiring additional reliable information on key topics. Best of all, the book you’re now holding is your key to this amazing site. Just go to www.syngress.com/solutions, and keep this book handy when you register to verify your purchase. Thank you for giving us the opportunity to serve your needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening. www.syngress.com/solutions 250_DMZ_fm.qxd 6/5/03 2:27 PM Page i 250_DMZ_fm.qxd 6/5/03 2:27 PM Page ii 1 YEAR UPGRADE BUYER PROTECTION PLAN Robert J. Shimonski Will Schmied Dr. Thomas W. Shinder Victor Chang Drew Simonis Damiano Imperatore DMZs for Building Enterprise Networks 250_DMZ_fm.qxd 6/5/03 2:27 PM Page iii Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work. There is no guarantee of any kind, expressed or implied, regarding the Work or its contents.The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state. In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you. You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files. Syngress Media®, Syngress®,“Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “The Definition of a Serious Security Library™”,“Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies. KEY SERIAL NUMBER 001 TH3H7GYV43 002 QUCK7T6CVF 003 8BRWN5TX3A 004 Z2FXX3H89Y 005 UJMPT3D33S 006 X6B7NCVER6 007 TH34EPQ2AK 008 9BKMLAZYD7 009 CAN7N3V6FH 010 5BBABY339Z PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Building DMZs for Enterprise Networks Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. Printed in the United States of America 1 2 3 4 5 6 7 8 9 0 ISBN: 1-931836-88-4 Technical Editor: Robert J. Shimonski Cover Designer: Michael Kavish Acquisitions Editor: Jonathan E. Babcock Page Layout and Art by: Patricia Lupien Indexer: Rich Carlson Copy Editor: Darlene Bordwell Distributed by Publishers Group West in the United States and Jaguar Book Group in Canada. 250_DMZ_fm.qxd 6/5/03 2:27 PM Page iv about itfaqnet.com Syngress Publishing is a proud sponsor of itfaqnet.com, one of the web’s most comprehensive FAQ sites for IT professionals. This is a free ser- vice that allows users to query over 10,000 FAQs pertaining to Cisco net- working, Microsoft networking. Network security tools, .NET development, Wireless technology, IP Telephony, Storage Area Networking, Java develop- ment and much more. The content on itfaqnet.com is all derived from our hundreds of market proven books, written and reviewed by content experts. So bookmark ITFAQnet.com as your first stop for mission critical advice from the industry’s leading experts. www.itfaqnet.com 250_DMZ_fm.qxd 6/5/03 2:27 PM Page v Acknowledgments We would like to acknowledge the following people for their kindness and support in making this book possible. Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Kristin Keith, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise. The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope. David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of STP Distributors for the enthu- siasm with which they receive our books. Kwon Sung June at Acorn Publishing for his support. Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada. Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada. David Scott,Tricia Wilden, Marilla Burgess, Annette Scott, Geoff Ebbs, Hedley Partis, Bec Lowe, and Mark Langley of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji Tonga, Solomon Islands, and the Cook Islands. Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines. 250_DMZ_fm.qxd 6/5/03 2:27 PM Page vi vii Contributors Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry vet- eran who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container Corporation.Tom was a Series Editor of the Syngress/Osborne Series of Windows 2000 Certification Study Guides and is author of the best selling books Configuring ISA Server 2000: Building Firewalls with Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr.Tom Shinder's ISA Server & Beyond (ISBN: 1-931836-66-3).Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular contributor to TechProGuild. He is also content editor, contributor, and moderator for the World's leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom's leadership in the ISA Server community and awarded him their Most Valued Professional (MVP) award in December of 2001. Will Schmied (BSET, MCSE, CWNA,TICSA, MCSA, Security+, Network+,A+) is the President of Area 51 Partners, Inc., a provider of wired and wireless networking implementation and security services to businesses in the Hampton Roads, VA area. Will holds a bachelors degree in mechanical engineering technology from Old Dominion University in addition to his various IT industry certifications and is a member of the IEEE and ISSA. Will has previously authored or contributed to several other publications by Syngress Publishing including Implementing and Administering Security in a Microsoft Windows 2000 Network Study Guide and DVD Training System (Exam 70-214) (ISBN: 1-931836-84-1), Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8), and Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6). Will lives in Newport News, Virginia with his wife, Chris, and their children Christopher, Austin, Andrea, and Hannah. Will would like to thank his family for believing in him and giving him the support and encouragement he needed during all of those late nights in “the lab.” Will 250_DMZ_fm.qxd 6/5/03 2:27 PM Page vii viii would also like to say thanks to the entire team of professionals at Syngress Publishing—you make being an author easy. Special thanks to Jon Babcock for having a sense of humor that never seems to go out of style. Norris L. Johnson, Jr. (Security+, MCSA, MCSE, CTT+, A+, Linux+, Network +, CCNA) is a technology trainer and owner of a consulting company in the Seattle-Tacoma area. His consultancies have included deployments and security planning for local firms and public agencies, as well as providing services to other local computer firms in need of problem solving and solutions for their clients. He specializes in Windows NT 4.0, Windows 2000 and Windows XP issues, providing consultation and implementation for networks, security planning, and services. In addi- tion to consulting work, Norris provides technical training for clients and teaches for area community and technical colleges. He is co-author of Security+ Study Guide & DVD Training System (Syngress Publishing, ISBN: 1-931836-72-8), Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), and Hack Proofing Your Network, Second Edition (ISBN: 1-928994-70-9). Norris has also performed technical edits and reviews on Hack Proofing Windows 2000 Server (ISBN: 1-931836-49-3) and Windows 2000 Active Directory, Second Edition (ISBN: 1-928994-60-1). Norris holds a bachelor’s degree from Washington State University. He is deeply appreciative of the support of his wife, Cindy, and three sons in helping to maintain his focus and efforts toward computer training and education. Michael Sweeney (CCNA, CCDA, CCNP, MCSE) is the owner of the network consulting firm Packetattack.com. His specialties are network design, network troubleshooting, wireless network design, security, and network analysis using NAI Sniffer and Airmagnet for wireless network analysis. Michael’s prior published works include Cisco Security Specialist’s Guide to PIX Firewalls (Syngress Publishing, ISBN: 1-931836-63-9). 250_DMZ_fm.qxd 6/5/03 2:27 PM Page viii ix Michael is a graduate of the University of California, Irvine, extension program with a certificate in Communications and Network Engineering. Michael resides in Orange, CA with his wife Jeanne and daughter Amanda. Ido Dubrawsky (CCNA, SCSA) has been working as a UNIX/Network Administrator for over 10 years. He has experience with a variety of UNIX operating systems including Solaris, Linux, BSD, HP-UX, AIX, and Ultrix. He was previously a member of Cisco’s Secure Consulting Service pro- viding security posture assessments to Cisco customers and is currently a member of the SAFE architecture team. Ido has written articles and papers on topics in network security such as IDS, configuring Solaris virtual pri- vate networks, and wireless security. Ido is a contributing author for Hack Proofing Sun Solaris 8 (Syngress, ISBN: 1-928994-44-X) and Hack Proofing Your Network, Second Edition (ISBN: 1-928994-70-9) When not working on network security issues or traveling to conferences, Ido spends his free time with his wife and their children. Victor Chang (CCSA, CCSE, CCNA CCSE+, NSA) is the Product Line Support Team Lead for IPSO and Hardware with Nokia. He cur- rently provides Product Line Escalation Support for the Nokia IP Series Appliances and assists Product Management in new product development. Victor lives in Fremont, CA. He would like to thank his parents,Tsun San and Suh Jiuan Chang, Ricardo and Eva Estevez, as well as the rest of his family and friends. Without their love and support none of this would have been possible. Hal Flynn is a Senior Vulnerability Analyst for Symantec. He is also the UNIX Focus Area Manager of the SecurityFocus website, and moderator of the Focus-Sun and Focus-Linux mailing lists. Hal is a Veteran of the United States Navy, where he served as a Hospital Corpsman with 2nd 250_DMZ_fm.qxd 6/5/03 2:27 PM Page ix [...]... is a Systems Engineer for Verizon’s Enterprise Solutions Group (ESG) Damiano is responsible for designing networking solutions for several of New York’s government agencies and large enterprises Damiano has over 8 years of experience in the data networking field with strengths in designing, building, and securing large complex enterprise networks Prior to Verizon, Damiano worked for the Cendant Corporation... network security Robert has designed and worked on several projects dealing with cutting edge technologies for Syngress Publishing, including the only book dedicated to the Sniffer Pro protocol analyzer Robert has worked on the following Syngress Publishing titles: Building DMZs for Enterprise Networks (ISBN: 1-931836-88-4), Security+ Study Guide & DVD Training System (ISBN: 1-931836-72-8), Sniffer... 135 135 135 136 136 137 138 143 145 147 148 150 Chapter 4 Wireless DMZs Introduction Why Do We Need Wireless DMZs? Passive Attacks on Wireless Networks War Driving Sniffing Active Attacks on Wireless Networks Spoofing (Interception) and Unauthorized Access Denial of Service and Flooding Attacks Man-in-the-Middle Attacks on Wireless Networks Network Hijacking and Modification Jamming Attacks Designing... network The building of a DMZ can seem very complicated because you need to be a network engineer (and a good one at that), a systems engineer (to build up the xxxi 250_DMZ_Fore.qxd xxxii 6/5/03 11:55 AM Page xxxii Foreword services running on the DMZ and around it), and a highly skilled security analyst (to harden and test the DMZ segment) Due to the need for such a diverse skill set, it is common for most... made for secure Internet-based services, is covered here in the same format as Chapter 2 with one exception: Chapter 3 shows you how to build a DMZ from a Sun Solaris server I Chapter 4: Wireless DMZs This chapter covers the planning, layout, and design of a wireless DMZ As of this writing of this book, no other publication goes into the detail you see on this topic in Chapter 4.Wireless DMZs www .syngress. com... Security Engineer for a leading manufacturing company, Danaher Corporation At Danaher, Robert is responsible for leading the IT department within his division into implementing new technologies, standardization, upgrades, migrations, high-end project planning and designing infrastructure architecture Robert is also part of the corporate security team responsible for setting guidelines and policy for the entire... Fast Track Frequently Asked Questions Chapter 7 Firewall and DMZ Design: Nokia Firewall Introduction Basics of the Nokia Firewall Choosing the Right Platform Nokia IP120 Appliance Nokia IP350/IP380 Platforms Nokia IP530 Platform Nokia IP710/IP740 Platform Configuring the Nokia Appliance Serial Console Access Configuring IPSO Settings Using CLISH Software Installation Securing Your Network Perimeters... Remote Administration of DMZ Hosts Using Terminal Services for Remote Desktop Administration Installing Terminal Services Configuring Terminal Services Securely Using Terminal Services for File Replication Using IPSec-Enhanced Telnet for Command-Line Administration Vulnerability-Scan Your Host Bastion Host Configuration Configuring IIS Servers for Web Access Setting Up an Anonymous, Public Web Site The... The URLScan Tool (New and Improved) Final Configuration Steps Setting Up a Secure Web Site Configuring an IIS Server for FTP Configuring an IIS Server for SMTP Checklists Windows 2000 Server Hardening Checklist IIS Hardening Checklist (WWW, FTP, and SMTP) For World Wide Web Service (HTTP) For World Wide Web Service (HTTPS) xxvii 539 542 542 544 544 546 547 549 549 550 551 555 556 556 558 558 561 562 565... employed at Dell Computer Corporation in Round Rock,Texas.Tod is Dell’s Subject Matter Expert for security on the Windows NT/2000 server platform, with a focus on Dell’s Internet-exposed site operations In addition to performing the duties of a paid Windows dork,Tod is a Debian GNU/Linux enthusiast, a grader for the GIAC GCIA certification, and holds the esteemed distinction of 2000’s runner-up Sexiest . 5BBABY339Z PUBLISHED BY Syngress Publishing, Inc. 800 Hingham Street Rockland, MA 02370 Building DMZs for Enterprise Networks Copyright © 2003 by Syngress Publishing,. Chang Drew Simonis Damiano Imperatore DMZs for Building Enterprise Networks 250_DMZ_fm.qxd 6/5/03 2:27 PM Page iii Syngress Publishing, Inc., the author(s),