SANS Institute 2000 - 200 5, Author retains full rights.

Commentaires

Transcription

SANS Institute 2000 - 200 5, Author retains full rights.
Global Information Assurance Certification Paper
Copyright SANS Institute
Author Retains Full Rights
This paper is taken from the GIAC directory of certified professionals. Reposting is not permited without express written permission.
Planning, Implementing, and Maintaining a
Secure Network Perimeter for GIAC Enterprises
ull
rig
ht
s.
by
Jim Moore
ins
f
GIAC Certified Firewall Analyst (GCFW) Practical Assignment Version
4.1
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
DRAFT COPY FOR REVIEW ONLY
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
Submitted April 6, 2005
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ins
f
1 Security Problems with 802.11
1.1 Inherent Risks of Wireless LAN Communications
1.2 Inadequacies of WEP . . . . . . . . . . . . . . .
1.3 Inadequacies of 802.1X . . . . . . . . . . . . . .
1.4 Inadequacies of WPA . . . . . . . . . . . . . . .
ull
rig
ht
s.
I Wireless Networking: Security Implications for GIAC Enterprises Network
5
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
5
13
ut
GIAC Enterprises Perimeter Security Architecture
5,
A
II
ho
rr
eta
2
of 802.11i
10
KeyAssessment
fingerprint = AF19
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
2.1 Overview of the Security Architecture . . . . . . . . . . . . . . . . . . .
2.2 Potential Weaknesses . . . . . . . . . . . . . . . . . . . . . . . . . . . .
2.3 Implementation Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3 Defining the Information Technology Capabilities Required by GIAC Enterprises in order to Accomplish its Business Objectives
13
3.1 Historical Assumptions . . . . . . . . . . . . . . . . . . . . . . . . . . . .
3.2 Capabilities needed for suppliers of GIAC Enterprises. . . . . . . . . . .
3.3 Capabilities needed for partners of GIAC Enterprises. . . . . . . . . . .
3.4 Capabilities needed for GIAC Enterprises’ employees located in Brooklyn.
3.5 Capabilities needed for GIAC Enterprises’ employees located at remote
sites. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
te
20
00
-2
00
©
SA
NS
In
sti
tu
4 Netork Security Architecture Providing Capabilities Needed by GIAC
terprises
4.1 Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.2 IP Addressing Scheme . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3 Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.1 Border Router . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.2 Internet Firewall . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.3 Network Intrusion Detection System 1 . . . . . . . . . . . . .
4.3.4 VPN Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.5 VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.6 Email Gateway . . . . . . . . . . . . . . . . . . . . . . . . . .
4.3.7 Network Intrusion Detection System 2 . . . . . . . . . . . . .
4.3.8 Internal Firewall . . . . . . . . . . . . . . . . . . . . . . . . .
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
En.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
18
© SANS Institute 2000 - 2005
Author retains full rights.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ull
rig
ht
s.
4.3.9 Network Intrusion Detection System 3
4.3.10 Network Intrusion Detection System 4
4.3.11 Network Intrusion Detection System 5
4.3.12 Web Proxy Server . . . . . . . . . . .
4.3.13 Network Intrusion Detection System 6
4.3.14 Syslog Server . . . . . . . . . . . . .
4.3.15 Network Management Workstation . .
4.4 Enterprise-wide Features . . . . . . . . . . .
4.4.1 Patch Management . . . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ins
f
III GIAC Enterprises Perimeter Security Policy and Implementation
32
A Border Router Configuration
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
63
69
20
00
B Internet Firewall Configuration
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
NS
In
sti
tu
te
C VPN Gateway Configuration
C.1 /etc/ipsec.conf . . . . . .
C.2 /etc/ipsec.secrets . . . . .
C.3 /etc/ipsec.d/cacerts . . . .
C.4 /etc/ipsec.d/crls . . . . . .
C.5 Crontable entries . . . . .
32
63
00
Appendices
.
.
.
.
.
.
.
-2
IV
5,
A
ut
ho
rr
eta
5 Internet Firewall Security Policy
Overview
. .FA27
. . .2F94
. . .998D
. . . FDB5
. . . DE3D
. . . . F8B5
. . . 06E4
. . . A169
. . . 4E46
. . . .
Key5.1
fingerprint
= AF19
5.2 Border Router and Firewall Access Rules . . . . . . . . . . . . .
5.3 Inbound Access Rules . . . . . . . . . . . . . . . . . . . . . . . .
5.4 Outbound Access Rules . . . . . . . . . . . . . . . . . . . . . . .
5.5 Network Address Translation Rules . . . . . . . . . . . . . . . . .
5.6 Logging Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5.7 Order of Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . .
102
SA
D Redhat Network Scheduled Updates Script
99
103
©
References
! "#%$'& )(+*-, Key1fingerprint
AF19 FA27Network
2F94 998D
FDB5Overview
DE3D F8B5. 06E4
GIAC =Enterprises
Design
. . . A169
. . . 4E46
. . . . . . . .
© SANS Institute 2000 - 2005
Author retains full rights.
2
3
4
5
6
7
.
.
.
.
.
.
GIAC Enterprises IP Addressing Scheme . . . . . . . . . . . . . . . . .
VPN Gateway Subnets . . .
DMZ . . . . . . . . . . . . .
Internal Firewall . . . . . . .
Internal Servers Network .
Restricted-Access Network
User Subnets . . . . . . . .
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
ins
f
2
.
.
.
.
.
.
ull
rig
ht
s.
! "#%$/.1032546
.
.
.
.
.
.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
7 0 , #8
ull
rig
ht
s.
Wireless Networking: Security
Implications for GIAC Enterprises
Network
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
Serious security issues have plagued 802.11 wireless LANs since their introduction
in the late 1990s. Numerous security analyses have pointed out the inherently insecure nature of LAN communications through the air and the woefully inadequate
protections provided by Wired Equivalent Privacy (WEP), the protocol defined to protect WLAN traffic from eavesdropping, spoofing, and connection hijacking in the original 802.11 standard. Since the issue of the original standard, the IEEE and industry
groups have made several attempts to improve the security of WLAN communicaKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
tions, including the 802.11X standard, which defined an improved method for authenticating wireless nodes, WPA (Wi-Fi Protected Access), an interim standard improving
on WEP produced by an industry group, which can be applied to existing hardware
via firmware upgrades, and 802.11i, a new standard recently approved by the IEEE,
which specifies a more robust security architecture for WLAN communications. Under
the original standard, WLANs were considered too insecure for a broad number of
security-sensitive applications. If one or more wireless devices had to be attached to
a private network, it was frequently recommended that that they be isolated from the
wired network by a firewall and forced to use a VPN to make a connection to the wired
network. With the new standard in place, to what extent and in what circumstances
do the security measures recommended for 802.11 networks still make sense? How
could WLANs be implemented securely in the GIAC Enterprises network using the
features added by the 802.11i standard?
To answer these questions, it would be useful to review the security characteristics
of the original 802.11 standard and each of its improvements to establish a basis of
comparison for 802.11i security. Then we can consider the remaining security weaknesses of 802.11i and the practicality of exploiting those weaknesses. Finally, we can
consider other practical obstacles to implementing full-strength 802.11i security that
may qualify a decision about whether other security measures are required.
©
SA
NS
C E F+GHJI 9+9
9 : ; *<,= ?> [email protected], +2A46
B D
MK LNK O PRQRS"TSUPWVYX[Z]\_^`\badcJe fZ TSUghSU\i\bjlknm opadqrqtsuPRZ]vxwyVZ]aMPR\
Wireless communications introduces a new set of complications into the process of
defining and defending the boundaries of trust in a networked environment. Wireless
devices conforming to the 802.11 standard broadcast signals; any other conforming
device within range can pick them up.[1] Range varies depending on the physical
Key fingerprint
AF19 FA27
2F94can
998Dcarry
FDB5
F8B52006E4
A169 4E46
medium
used.= Infrared
signals
upDE3D
to about
meters,[2]
802.11b signals
© SANS Institute 2000 - 2005
Author retains full rights.
ins
f
ull
rig
ht
s.
can carry up to about 500 meters in ideal conditions.[1] In the United States, 802.11b is
in wide use. In urban settings it is trivially easy for anonymous individuals to intercept
wireless LAN communications from nearby offices, buildings or streets.
In the most common wireless LAN configuration, known as an Extended Service
Set, one or more wireless access points broadcast (“beacon frame”) or at least readily
transmit to an inquiring device the “Service Set Identifier” (SSID) needed to connect
to the wireless LAN.[2] In the original 802.11 standard, access points are configured
to accept by default “open system authentication,” which basically means anyone can
connect to the device and anybody can listen in.[3] Most wireless access points have
been set up with the factory default configuration, as the annual Worldwide Wardriving
contest maps have abundantly demonstrated.[4] No sane administrator of a private
network would open up his organization’s network to the public, but ordinary users in
many organizations, possibly unaware of the security risks, have set up “rogue” access
points reachable by devices outside the organization.[5]
KML{z OPRwM|RSU}~suwMvxZ]SU\YaMce €A
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
A sane network administrator would want to restrict access to his organization’s wireless LAN to authorized devices and prevent unauthorized individuals from being able
to intercept messages transmitted from participating wireless devices. The original
802.11 standard provided for authentication and privacy through “Shared Key” authentication and “Wired Equivalent Privacy” (WEP). The shared key is a code configured
on each authorized wireless device. When a device wants to “associate” with an access point, the access point uses the code to generate a challenge and sends it to the
device, which uses the same code to return the challenge in a WEP-encrypted packet.
If the access point can decrypt the packet and the decrypted challenge matches the
challenge originally sent, the device is allowed to associate. WEP is then used to
encrypt all subsequent data traffic between the access point and the device. WEP
employs a 40-bit shared secret key (optionally increased to 104-bit by many vendors’
implementations)[1] and the RC4 encryption algorithm to encrypt and decrypt messages between wireless devices. The secret key is distributed to each participating
station by a mechanism unspecified by the standard.[2]
Unfortunately, the security provisions in the original 802.11 standard fail to provide
adequate authentication or privacy. Even if an administrator were to implement all
the recommended provisions for maximizing the security of his organization’s wireless
LAN(s) available under the 802.11 standard,[3][1] the inherent weaknesses of WEP
would expose it to numerous vulnerabilities. First, there is no provision in the standard
for a device to authenticate an access point. An attacker with a modicum of knowledge
of the wireless LAN could set up a rogue access point with security features turned
off and attract victim devices to associate with it under the false pretense that traffic is
secured. Second, MAC address spoofing is trivial under 802.11 and most control and
management frames are sent in the clear, making it easy for an attacker to masquerade as an access point and interfere with the associations between devices and legitimate access points. Third, since access points send the authentication challenges
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
in the clear, an attacker who intercepts them can use offline brute-force methods to
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
crack the shared key.[5] Fourth, the WEP IV (initialization vector) field, at 24 bits, is too
small. On a busy network, a constantly-changing IV will eventually roll over, allowing
a persistent attacker monitoring the network to recover the RC4 key stream. From
there, he can use offline methods to crack the WEP key. In addition, there are no
provisions in the standard for changing the IV. A vendor’s implementation could have
all stations changing the IV in a similar manner, leading to identical key streams occurring nearly simultaneously. Even worse, it is possible that a particular station may
use a constant IV. The IV is part of the RC4 encryption key. Knowledge of part of the
encryption key, combined with a known weakness in the RC4 key scheduling algorithm, makes it possible for an attacker to analyze WEP-encrypted traffic and recover
the encryption key.[1] Vendors have reduced the risk associated with this problem by
implementing key management schemes that reduce the lifetime of the WEP key to
around 5-15 minutes. A frequently-changing WEP key greatly reduces the likelihood
that identical key streams will be used over the lifetime of a WEP-encrypted WLAN.[5]
Unfortunately, weaknesses in the way IVs are generated do not rule out the possibility.
Key
= AF19
2F94
998D FDB5
DE3D
06E4
Evenfingerprint
if an attacker
is FA27
unable
to crack
a WEP
key F8B5
on time
to A169
mount4E46
an active attack
using WEP, he can still decrypt all the traffic using that key. Finally, WEP makes no
provision for cryptographic integrity-checking. The integrity of a packet is determined
under 802.11 by computing a CRC value and comparing that to a CRC value sent
with the packet. There are published methods for altering packets that will result in
the identical CRC value. In addition, it is possible to use partial knowledge of the contents of an encrypted packet to generate packets with altered IP, TCP or UDP headers
using bit-flipping that will be accepted by an access point and then forwarded to a system under the attacker’s control! Some of these attacks require modifications to the
firmware of wireless devices, but competent, determined attackers could accomplish
that[6].
There are several ways to mitigate these weaknesses within the framework of the
original 802.11 standard, but many students of the issue recommend employing additional security measures. These include isolating the wireless network from the rest
of an organization’s network by address segmentation, firewalling the wired network
off from the wireless segments, and requiring all wireless devices to use a VPN based
on IPSec or SSL/TLS to communicate with other devices.[3][5][1] The problem with
these recommendations is that they are not practical in some applications and do not
eliminate all problems. For example, they do not eliminate the problem of communications between nearby wireless devices. If the wireless devices need to communicate
securely with each other, either each will have to be forced to route its packets through
a VPN concentrator, which could have a serious impact on network performance, or
each device will have to be configured to establish a VPN directly with its wireless
neighbors. Not all wireless devices are capable of this, and for those that are configuring VPNs is not a trivial exercise.
KMLƒ‚ OPRwM|RSU}~suwMvxZ]SU\YaMc<„M…Wz~LNK"†
The IEEE recognized the security inadequacies of 802.11 early, and started working
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
groups to address them. The first new standard, 802.1X, published in 2001, addressed
© SANS Institute 2000 - 2005
Author retains full rights.
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
the problem of authentication.[7] It established a mechanism for authenticating wireless devices and their users to another device. The authenticating device could be
a wireless access point, hub, router, or even another wireless device. It adapted the
Extensible Authentication Protocol (EAP) standard published by the IETF[8] to transport over ISO layer 2 (EAP over LAN). As its name suggests, EAP provides a means
for a device communicating with another device over a point-to-point link to authenticate using any conforming method. The 802.1X standard specifies EAP mechanisms
employing an “authentication server” that may or may not be part of the authenticating device. The authenticating device (“authenticator”) and its peer (“supplicant”) exchange authentication messages using EAP. These messages include initialization of
the authentication exchange, negotiation of an authentication mechanism, exchange
of authentication tokens and authorization information, and deauthentication. The authenticator also acts as an intermediary between the supplicant and the authentication
server translating packets from EAP to whatever protocol it uses to communicate with
the authentication server and vice versa. Until authentication completes successfully,
Key
fingerprint = AF19
2F94 998D
FDB5from
DE3D
06E4 A169
4E46
the authenticator
will FA27
not accept
packets
theF8B5
supplicant
except
those needed
to complete the authentication exchange. The standard recognizes that in a shared
media environment, such as a wireless LAN, EAP mechanisms must be chosen that
enable the exchange of authentication information between the supplicant and authenticator and between the authenticator and authentication server securely, typically
via encryption. Authentication protocols meeting this requirement include Kerberos,[9]
Diameter,[10] and RADIUS using IPSec.[11][12]
The authentication exchange described above is strictly one-way. The “supplicant”
does not authenticate the “authenticator.” The original standard required that in an
IBSS, in which each wireless device communicates directly with every other wireless device in an “ad hoc” network, each wireless device would act both as a “supplicant” and an “authenticator.” In this setting, all devices would mutually authenticate.
In an ESS, however, only the access point acts as an “authenticator.” The “supplicant” device has no way to authenticate access points. Furthermore, at least some
of the management packets exchanged between the “supplicant” and the “authenticator” travel in the clear and unauthenticated. These flaws in the design of 802.1X
led to the elaboration of “man-in-the-middle” and session-hijacking attacks against
802.1X in an ESS context.[13] Subsequent responses generally conceded the authors’
claims against the 802.1X standard, unless enhanced by per-packet encryption using
dynically-negotiated keys and a higher-level protocol that performs mutual authentication. Responses written by members of the wireless industry tended to claim that their
product’s enhancements to the 802.1X standard would defeat the attacks.[14][15]
©
SA
KMLˆ‡ OPRwM|RSU}~suwMvxZ]SU\YaMce lk
In fact, vendors had been quite busy implementing security enhancements to their
802.11 devices, mostly without standardization. The industry evntually issued an interim standard of its own, Wi-Fi Protected Access, which defined a protocol for dynamic key management and data packet authentication and encryption called TemKey fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
poral Key Integrity Protocol (TKIP). The purpose of the standard was to mitigate the
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
weaknesses of the 802.11 standard without requiring the replacement of deployed
hardware. TKIP added an encrypted Message Integrity Code (MIC) to messages to
reduce the effectiveness of attacks that relied on MAC address spoofing or packet
modification. It also increased the size of the Initialization Vector (IV), added a key
mixing function, implemented replay attack prevention measures, defined a rekeying
mechanism, and described a series of counter-measures designed to reduce the impact of attempted exploits against the protocol to Denial of Service. TKIP is included
in the 802.11i standard as an interim security protocol for networks making the transition from hardware that does not conform to the requirements of 802.11i to hardware
that does. It only enhances the security of ESS networks and still relies on the RC4
encryption algorithm specified for WEP.[16] The 802.11i standard states that TKIP is
a trade-off between security and compatibility with older hardware. It is still vulnerable to active attacks. As a countermeasure, the protocol specifies that reception of a
packet with an invalid MIC should be treated as an active attack. After receiving two
such packets within 60 seconds, the receiving device will deauthenticate itself and, in
Key case
fingerprint
AF19 FA27
FDB5 all
DE3D
F8B5it06E4
4E46authenticated
the
of an=access
point2F94
or in998D
an IBSS,
stations
has A169
currently
and refuse to accept or send any packets except 802.1X authentication messages for
60 seconds.[18]
This trade-off makes it possible to launch an extended Denial of Service attack
against a TKIP-protected WLAN simply by sending 2 invalid TKIP messages to the
access point every 60 seconds.[19] Other researchers have verified TKIP’s susceptibility to DoS attacks based on spoofed deauthentication or disassociation packets.[20]
By itself, thse attacks pose no threat to the privacy of data carried over the WLAN,
but in some situations the DoS itself could lead to serious problems for the victim
organization. In addition, WLANs making use of WPA with pre-shared keys rather
than 802.1X authentication are vulnerable to off-line dictionary attacks against the
pre-shared key. Any system capable of intercepting traffic between the access point
and any other station in the ESS could perform this off-line attack, and once in possession of the key, compromise the security of the entire WLAN. The vulnerability can
be mitigated by using a random pre-shared key of 20 characters or more in length.[21]
The use of DoS could be the first step in such an attack, since it would provoke a
large number of authentication attempts which could be collected and subjected to
analysis. An attack tool based on this vulnerability was subsequently published on the
internet with an accompanying technical discussion.[22] Overall, WPA, when implemented with properly-configured 802.1X authentication and without legacy support for
WEP-only devices, still represents a huge improvement over any combination of prior
non-proprietary security features available for wireless LANs.
SA
Š
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
‰
©
The Wi-Fi Alliance’s documentation on WPA can be described as marketing literature. It does not
mention the limitations of TKIP detailed in the 802.11i standard. At least one document makes the
undocumented claim, “Cryptographers have reviewed Wi-Fi Protected Access and have verified that
it meets its claims to close all known WEP vulnerabilities and provides an effective deterrent against
known attacks.”[17] The WPA specification is still available on their Website only for a fee of $25.00,
while the full 802.11i standard is now freely available to the public on the IEEE website.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
H Œ
‹ U
B D+$F+GHJI 9+9
~z LNK Ž MS"T`Z]S"‘ adcVQRS“’~SUvxsuTZ{V”•k[Tv–QRZ{VSUv?Vs—T–S
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
The complete IEEE 802.11i standard describes an overhauled 802.11 security architecture called a “Robust Security Network.” This architecture can be implemented in
an IBSS or ESS. It consists of a set of peer-to-peer security associations (analogous to
the security associations established in IPSec) negotiated between wireless devices
based on pre-configured security requirements and collectively labelled a “Robust Security Network Association” (RSNA). In an IBSS these security associations are established between any pair of wireless devices wishing to communicate with each other.
In an ESS, they are established between the access point and any wireless devices
wishing to participate in the wireless network. Each RSNA includes up to 4 specific security associations consisting of keys and policies. The Pairwise Master Key Security
Association (PMKSA) includes the long-term key to be used for generation of the transientfingerprint
keys. The= Pairwise
Transient
Key FDB5
Security
Association
(PTKSA)
includes the key
Key
AF19 FA27
2F94 998D
DE3D
F8B5 06E4
A169 4E46
to be used to encrypt unicast packets exchanged between the two peers. The Group
Transient Key Security Association (GTKSA) includes the key to be used to encrypt
multicast or broadcast packets destined for the members of the wireless network. The
STAKey Security Assoction (STAKeySA) includes the key to be used to encrypt traffic
sent from one non-AP wireless device to another non-AP device participating in the
same ESS.
RSNA-capable devices identify one another by an additional RSN element in beacon frames and (re)association messages. This element includes a list of cipher suites
the device is willing to use to communicate securely with other devices. In addition,
in an ESS access points can insist on the use of a specific cipher suite during association. Before establishing any of these security associations, wireless peers must
authenticate each other using either pre-shared keys or an 802.11X authentication
mechanism that implements mutual authentication such as EAP-TLS. Upon authentication, the peers establish the PMKSA, using either the pre-shared key or keying information exchanged during 802.11X authentication as the Pairwise Master Key. The
peers then engage in a “4-way handshake” that establishes the PTKSA and GTKSA.
If the non-AP peer wishes to establish direct communications with another non-AP
device on the wireless LAN, it then initiates a “STAKey handshake” with the access
point. Whenever a wireless device (re)(dis)associates, (de)authenticates, or simply
moves out of range of an access point with which it has an active security association,
any existing PTKSA and GTKSA are deleted. Likewise, the access point deletes the
PTKSA for any device that has entered one of these states. The PMKSA, on the other
hand, can remain in force indefinitely. PMKSAs can be cached by a device as they
are established between different peers. Implementations may use whatever means
are available to preserve the cached PMKSAs across system reboots or other interruptions of communication with the wireless network. The device can be configured
to specify a pre-defined maximum lifetime for its PMKSAs. Once the lifetime expires,
the device must re-authenticate if it is using 802.1X authentication, or the user may
Keyprompted
fingerprintto= re-enter
AF19 FA27
2F94 998D FDB5
DE3Da F8B5
06E4 A169
4E46will supply the
be
a passphrase
to activate
pre-shared
key that
© SANS Institute 2000 - 2005
Author retains full rights.
eta
ins
f
ull
rig
ht
s.
key material for the PMKSA. Otherwise, the PMKSA may last as long as the Pairwise
Master Key used by the peers does not change.
The 802.11i standard specifies the Counter with CBC-MAC cipher suite[23] using
the AES-128[24] encryption algorithm for data and key management, packet encryption and authentication. The only other option available in a Robust Security Network
is TKIP, and this must only be used in contexts in which compatibility with non-RSNAenabled devices is required. The Counter with CBC-MAC cipher suite (CCM) combines a block cipher with message authentication. In 802.11i it takes 4 inputs, an encryption key, a nonce that must be unique across all encryption operations using the
same encryption key, a plaintext message block, and part of the MAC header including
the source and destination MAC addresses.[18] It computes a message authentication code using over the combined MAC header and message text. Then it encrypts
the message authentication code and message text by generating key stream blocks
using AES-128 over the nonce and encryption key and XORing blocks of the message
text with the key stream. The encrypted message authentication code is appended to
Keyencrypted
fingerprint =
AF19 FA27
998D
DE3D
F8B5 06E4 A169 4E46
the
message
text2F94
to form
theFDB5
cipher
text.[23]
rr
z~L{z AayVSUPWVZhwMgle SUw˜^`PRSU\i\iSU\
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
As of this writing, the 802.11i standard is not even a year old, and because implementing conformant RSNAs requires new hardware, has not been widely deployed. Still,
there is data on potential security weaknesses of the standard, some of it supplied by
the standard itself. In particular, the authors include a list of “Assumptions and Constraints” for aspects of a WLAN not part of the standard that must be met in order for
the RSNA to possess the security characteristics outlined in the standard. This list is
intended to help implementors prevent poor design of features outside the scope of
the 802.11i standard from compromising the security of their products and to help consumers assess the real-world security consequences of deploying a particular 802.11i
configuration. Notable items include the need to use an EAP method that ensures
strong mutual authentication for 802.1X authentication, the need to provide a secure
channel between access points and centralized authentication servers to protect keys
and authentication tokens passing along the wired LAN, and the limitations of using
pre-shared keys for the Pairwise Master Key. Regarding the last item, a malicious insider (someone who has control of another device furnished with the same pre-shared
key) can determine the Pairwise Transient Key for any two other stations by examining the first two exchanges of the 4-way handshake. From there, eavesdropping or
a man-in-the-middle attack is possible.[18] The exploitation of other potential weaknesses depends on the specifics of the 802.11i implementation and the configuration
choices of the 802.11 network administrators.
It is heartening to note that the core privacy and authentication protocol chosen
for conforming 802.11i devices, CCMP, has been proven to have robust security properties. An attacker with access to a stream of packets processed by CCMP is highly
unlikely to be able to collect two identical ciphertexts (which can be used to attempt to
crack the encryption key) or to learn enough about the message authentication code
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
to forge a valid packet,[25] provided the same encryption key is used for no more than
© SANS Institute 2000 - 2005
Author retains full rights.
2 encryption operations.[23]. It is possible for an attacker to mount a precomputation attack against CCMP with 128-bit encryption keys when the same nonce value is
likely to occur across encryption sessions using different keys and the first 16 bytes
of the plaintext message are known. The attacker generates a table of all keys and
the first of the resulting key stream blocks generated using that nonce. He then captures packets using that nonce and compares the first encrypted block to those in the
table. After about 2 messages the attacker should be able to find a matching block
and identifiy the encryption key. This attack can be defeated by using a larger key or
by combining additional data with a sequentially increasing nonce value to form the
nonce.[23] The 802.11i specification employs 128-bit keys but also requires that the
MAC address of the sending station be included in the nonce value. As a result, the
series of all possible nonce values is unique to each communicating device. The attacker would have to generate a separate table for each device in the target packet
stream and would have to observe 2 messages from at least one of the devices before discovering the encryption key. This additional restriction makes precomputation
Key fingerprint
AF19 FA27
2F94
998Dto
FDB5
DE3D F8B5 06E4 A169 4E46
attacks
against=CCMP
highly
unlikely
succeed.[26]
The wedding of 802.11i privacy using CCMP with 802.1X authentication closes
nearly all the known holes in the 802.11 architecture. The major remaining problem is
Denial of Service. DoS attacks of several types can still succeed against a full-blown
802.11i network. In addition to the TKIP DoS attack mentioned previously1.4, 802.11i
networks are subject to DoS attacks using forged deauthentication or disassociation
frames, sending any of several forged EAPOL messages to the 802.1X supplicant or
authenticator, forging a packet with an incorrect RSN Information Element in message
3 of the 4-way handshake, or sending out numerous forged 4-way handshake message 1 packets to a supplicant.He and Mitchell [26] The impact of these attacks is
mitigated somewhat by the requirement that the attacker operate a device on the LAN.
Since the device is in the vicinity of the rest of the network, in most cases it could be
located fairly quickly. Still, many networks cannot function adequately with even brief
interruptions of service to devices on the LAN.
ull
rig
ht
s.
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
tu
te
z~Lƒ‚ Oqš™›g]SqœSUPWVwyVZ]aMPŒO\\isRSU\
©
SA
NS
In
sti
It appears to this author at least that 802.11i WLANs can provide adequate security
to an organization that must protect data from unauthorized access, provided certain
conditions are met. First, the WLAN must implement the RSNA architecture using
CCMP. Legacy devices only capable of using WEP should not be allowed to use the
WLAN. This eliminates not only the vulnerabilites of WEP but also those of WPA and
TKIP. Second, the WLAN must be configured as an ESS and employ 802.1X authentication using centralized authentication servers running RADIUS, Diameter, or
Kerberos. Third, the WLAN must be restricted to devices participating in a shared
network of trust, such as a Windows Domain or a PKI infrastructure. If all these conditions are met, there is no need in most cases to firewall off the WLAN from the rest
of the organization’s network or force WLAN devices to tunnel traffic through a VPN to
the wired
network.
Key
fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46

© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
On the other hand, there are numerous cases in which not all of these conditions
can be met. The most obvious case is that of the road warrior who uses a wireless
device to access the organization’s network from the outside. In many cases the road
warrior’s device will associate with a 3rd-party access point. In these cases, no guarantees about the security of the device’s traffic in the air or across intervening wired
networks can be made. In this case it makes sense to firewall off the road warrior’s
device and force it to establish a VPN tunnel. Some organizations have divisions with
different security requirements or have policies which prevent divisions from sharing
certain types of information with each other. In these cases, if the organization wishes
to deploy WLANs shared by members of different divisions, the network will have to
be configured to restrict unauthorized devices higher up the protocol stack, including
the use of internal VPNs and intra-divisional network firewalls.
ins
f
7 0 , #88
GIAC Enterprises Perimeter Security
Architecture
ž Defining the Information Technology Capabilities Reut
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
-2
Historical Assumptions
00
‚
LNK
00
5,
A
quired by GIAC Enterprises in order to Accomplish
its Business Objectives
©
SA
NS
In
sti
tu
te
20
The description of GIAC Enterprises given in the guidelines for Part 1 of this Practical
is too general for determining the precise relationship the company has or intends to
have with its customers, suppliers, partners, and employees. In order to develop a
realistic network design, it is necessary to make further assumptions about the nature
of GIAC Enterprises’ business, as was done by previous analysts.[27] These assumptions put flesh to the business needs of the company. The network design will be
shaped by the business needs that arise from these assumptions, and it must be
judged by how well it satisfies those needs.
In the real world, the analyst rarely has such freedom to shape the circumstances
for which he is designing a solution. There is little doubt that if IT Security professionals really had the power to dictate to organizations what their genuine business
needs were, there would be far fewer security breaches – and far fewer successful
organizations! Likewise, I must not make assumptions about the character of GIAC
Enterprises that end up serving simply to make it easier for me to design a satisfying network security infrastructure. With this caveat, let’s take a closer look at the
company.
Enterprises
a small
company
that specializes
the global distriKeyGIAC
fingerprint
= AF19isFA27
2F94publishing
998D FDB5
DE3D F8B5
06E4 A169 in
4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
bution of fortune cookie sayings. While it is based in the United States and maintains
there its corporate headquarters and publishing offices in Brooklyn, NY, it partners
with authors and printers around the world to provide buyers with fortune cookie sayings that are in their customers’ native language and appropriate to their customers’
culture.
The company was founded in the 1960s, grew rapidly in the United States and began expanding overseas, largely by cooperative agreements with foreign businesses,
in the 1970s. Management tended to be cautious about adopting new technologies.
This policy appeared to serve them well until the 1990s.
As the decade wore on, it became clear that companies more quickly adopting internet technologies were eating their lunch. Fueled by the efficiencies of web-based
ordering, their competitors were dropping prices and luring customers away. Management reluctantly decided to establish an English-language web site for product sales
in 1998. They hired a web development company to develop and maintain a website.
The web development company customized a business-to-business shopping-cart soKey
AF19contracted
FA27 2F94 with
998Dtheir
FDB5
DE3D
F8B5
A169 4E46
lutionfingerprint
for them.=They
ISP
to host
the06E4
website.
That decision led to increased sales. Management was sufficiently impressed to
roll out web-based sales worldwide over the following year. By 2001 the company
had a well-established international on-line sales presence. Meanwhile, sales costs
dropped as many older customers converted to web-based ordering. While management was happy with these results, they were also feeling pressure to increase the
breadth of their reliance on internet technologies.
They were not able to develop as broad a base of authors in emerging markets
as they desired because of continuing problems with communications. They had also
begun to lose authors to companies that were using the web to maintain relationships
with authors. Management decided to survey all their existing suppliers, partners,
and customers to find out what services they would like the company to provide and
how they would like to receive them. The results indicated that business relationships
should improve if the company supplemented its personal contacts with its suppliers,
partners, and customers with web-based access to more detailed product information,
coming projects, and collaboration tools. This year, the company hired a chief technology officer and assigned him the task of bringing in these capabilities, overseeing
training of staff, suppliers, partners, and customers in using the new features, and
providing and maintaining the infrastructure necessary to make it happen. He in turn
hired me to help design and implement a network security architecture to support the
new operations.
The new CTO included the following requirements in my assignment. First, the design must assume that as many functions as possible of the company’s web presence
be located in-house. The CTO was determined to eliminate dependence on thirdparties for the security of the company’s assets. Second, the design should use opensource tools, unless commercially-available, closed-source tools were significantly superior or open-source tools are not available for a particular function. This decision
was based primarily on budgetary constraints for software acquisition and training
(NOT because open-source software is inherently more likely to be free of security
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
weaknesses! [28, 29]). As it turns out, the CTO’s former company had used many
© SANS Institute 2000 - 2005
Author retains full rights.
Capabilities needed for suppliers of GIAC Enterprises.
00
‚
L{z
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
open-source security tools, and he had managed to bring a few of his key staff along
with him to GIAC Enterprises. He wanted to exploit their competencies as quickly and
cheaply as possible.
Third, the design must allow for the use of the existing ecommerce solution, which
includes the following components: A web/application server cluster provides access
for customers to product information via HTTP and secure online ordering and orderstatus information via HTTPS secured with SSL v.3 using an RSA server certificate
signed by Verisign’s Certificate Authority and a negotiated encryption algorithm of minimum 128-bit key length. Also, an Oracle database backend cluster located in-house
provides access to customer account information to the web/application servers and
detailed reporting information to internal customer support and accounting personnel
using an internal application server via an encrypted channel on TCP ports 1521-1526
using TLS v. 1.0 with 2-way authentication using RSA client and server certificates
signed by Verisign’s Certificate Authority and encryption using the triple DES cipher
algorithm with a 168-bit key and SHA-1 MAC. In addition, the Oracle database server
Key
fingerprint
AF19toFA27
998D FDB5
DE3D Payment
F8B5 06E4
A169 4E46
cluster
must be= able
make2F94
connections
to Acme
Systems
remote payment
processor over the internet (IP address 1.100.100.1) on port 4999 using TLS v. 1.0
with 2-way authentication using RSA client and server certificates signed by Verisign’s
Certificate Authority and encryption using the triple DES cipher algorithm with a 168bit key and SHA-1 or MD5 MAC.
In addition to these baseline requirements, I had to make provision for additional
access by suppliers, partners, and employees as follows:
©
SA
NS
In
sti
tu
te
20
00
-2
GIAC Enterprises’ suppliers can be broken into two broad categories: authors of fortune cookie sayings and vendors who provide products needed by the employees of
GIAC Enterprises to conduct the various aspects of her business. Authors need access to specifications for new projects, legal and contractual information regarding
copyright, ownership of submissions, review policy, plagiarism, pay scales, and other
contranct terms, a repository in which they can place and retrieve works in process
that are under editorial review, and channels for communication with editors and, in
limited cases, with each other, about their work. The CTO already had an answer to
my question about exactly where in the organization’s network infrastructure authors
would go to get this access; he had contracted with a development firm to build a
web portal into the existing Oracle application server. This portal required authors
to authenticate with a user name and password to gain access to most features of
the site, and granted access to various features of the portal based on policies set
for their identity by the editorial staff. The portal included a collaboration space, in
which authors and editors could brainstorm together, and a restricted-access repository for submissions in progress and contracts. Communications with the portal from
the internet were secured with 2-way authentication using RSA certificates signed by
Verisign’s Certificate Authority and a negotiated encryption algorithm of minimum key
length of 128 bits. I had to come up with a secure method for editors and authors to
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
exchange contracts and other sensitive information over the internet in the event the
© SANS Institute 2000 - 2005
Author retains full rights.
web portal was not available.
Other suppliers required far less access to GIAC Enterprises. They needed to
be able to communicate with GIAC Enterprises employees via email and wanted the
employees to be able to get to their websites for product information, purchasing, and
educational opportunities. Occasionally, they would be exchanging email that required
encryption.
Capabilities needed for partners of GIAC Enterprises.
ull
rig
ht
s.
‚
Lƒ‚
ho
Capabilities needed for GIAC Enterprises’ employees located
in Brooklyn.
5,
A
ut
‚
Lˆ‡
rr
eta
ins
f
Most of GIAC Enterprises’ partners were printers with long-term contracts for printing
and ensuring delivery of fortune cookie sayings to customers. Many of these firms
were based in other countries. Most of the rest of the the firm’s partners were overseas
as well. Most often, they provided translation services. Frequently, they were also
asked to vet projects destined for an overseas customer for cultural appropriateness.
They needed to be able to exchange email with GIAC Enterprises’ editorial staff,
Key
fingerprint
= AF19 FA27
2F94
998D
FDB5
DE3D
F8B5 to
06E4
sometimes
in encrypted
form.
They
also
needed
access
the A169
portal4E46
for specifications
of ongoing or upcoming projects and to exchange work in progress. Their access to
the portal was secured in the same way as that for authors.
©
SA
NS
In
sti
tu
te
20
00
-2
00
The employees based at GIAC Enterprises’ headquarters and publishing offices include their corporate officers, editorial staff, and several support departments: accounting, legal, human resources, purchasing, sales, and IT. In general, the employees require access to the web and must be able to send email to various parties on the
internet. In many cases, they will need the ability to engage in secure transactions via
SSL. Individuals or departments that require additional access will be specfied below.
Editorial staff need the ability to send encrypted email to authors as a backup to
secure access to the company’s web portal. There exists the danger of proprietary
information leaking out of the company in undetectable form via secure email. There
does not seem to be a realistic method of preventing this from happening, and even
if there were a way to prevent employees from sending encrypted email, there are
too many other relatively easy ways for them to sneak proprietary information out the
door. For that reason, this kind of access will be allowed and the risk mitigated by
issuing clear policies on proper use and training editorial staff on how to implement
those policies in their communications with authors.
Corporate and accounting staff need access to a variety of reports and financial data stored in the Oracle database originally used as part of the company’s
ecommerce solution. It was decided, however, to consolidate a number of internal
databases storing financial data onto the same server. The company purchased a
second application server to be used in-house only. This application server would
limit direct access to the database, allow for even more granular access control, and
isolate
sensitive
data FA27
from the
application
used by partners,
Key fingerprint
= AF19
2F94publicly-available
998D FDB5 DE3D
F8B5 06E4server
A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Capabilities needed for GIAC Enterprises’ employees located
at remote sites.
ins
f
‚
L{Ÿ
ull
rig
ht
s.
suppliers, and customers. Of course, it also greatly simplified access to the financial
data.
IT staff need FTP access to various sites on the internet in order to download
needed software packages and updates. While it is entirely possible to do this via
HTTP, FTP is faster, and many of these packages will be quite large. The CTO has
already indicated that only IT staff should be allowed to download software packages
and updates, including Java programs. If employees need access to software available on the web, it IT’s responsibility to fetch it, check it for problems (licensing issues,
viruses and worms, security vulnerabilities) and make it available to employees on the
company’s intranet. IT staff also require access to the newsgroup server at the company’s ISP in order to keep up with technical issues discussed in some newsgroups.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key the
fingerprint
= AF19
2F94 998D
FDB5 Enterprises
DE3D F8B5 06E4
A169
4E46
For
most part,
theFA27
employees
of GIAC
do not
need
access to data
stored inside the company’s network except when they are at work. The exceptions
to this rule include corporate officers, some of the editorial staff, remote sales staff,
and IT staff. The first three groups need access to email, the web portal, and the
internal application server. The internal application server gives corporate officers
quick access to confidential financials, performance data and strategy. Editors and
salespeople use the internal application server to maintain confidential information
on customers. The company’s CRM solution, for example, is hosted on the internal
application server. IT staff needs comprehensive access to the network to perform
remote diagnostics and troubleshooting.
Access to email had already been available via Outlook for Web Access, provided
by the company’s Microsoft Exchange server. The company was now to migrate all its
groupware functions to Oracle Collaboration Suite and use the web-interface provided
by Oracle on the web/application server to give remote users access to email and
other groupware functions. Remote access to the email site would be granted to
users via HTTPS secured with SSL v.3 using 2-way authentication with RSA client
and server certificates and a negotiated encryption algorithm of minimum 128-bit key
length. The server certificate will be signed by Verisign’s Certificate Authority and
the client certificates will be signed by GIAC Enterprises’ own certificate authority.
Traveling employees will connect to the portal site in the same way. The internal
application server cannot be accessed directly from the internet. For remote access
to this system, remote users will have to establish an IPSec VPN connection to the
company network from their remote site.
IT staff require by far the most far-ranging remote access to the company’s network
as a consequence of the CTO’s decision not to staff IT on-site 24x7. After a study of
the frequency of problems encountered during the use of the company’s ecommerce
solution and the number of such problems requiring on-site intervention by IT staff,
and several discussions with IT managers who oversaw the use of portal software
similar
in design
and purpose
to 998D
what FDB5
the company
was 06E4
aboutA169
to put
into production,
Key fingerprint
= AF19
FA27 2F94
DE3D F8B5
4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ho
rr
eta
ins
f
ull
rig
ht
s.
he concluded that the company could provide a sufficient level of service to its site’s
users without incurring the expense of keeping staff on-site 24 hours a day, 365 days
a year.
Instead, he would have IT staff rotate on-call duty from home and have the company’s security and network-monitoring tools forward alerts to the on-call staff. In order
for this to work, on-call staff would have to have a secure, reliable connection to the
company’s network and sufficient access to its network infrastructure to perform maintenance and repair. This will take place via an IPSec VPN between each of the IT
staff’s homes and the company network.
As a backup in case the company’s link to its ISP goes down or the VPN gateway
or internet firewall fail, a Remote Access Server taking dialup connections will also be
provided. The dialup lines are normally only needed on off-hours, and then only when
IT staff are unable to reach target hosts via their VPN connection.
It should be noted in this connection that in no case does a remote employee need
an end-to-end IPSec tunnel. Confidentiality inside the company’s network can be
Key
fingerprint
= AF19
FA27such
2F94as
998D
FDB5
DE3D
4E46
achieved
by other
means,
using
HTTPS
orF8B5
SSH.06E4
The A169
CTO instructed
me that
in the absence of a clear business need end-to-end tunnels will not be allowed. He
preferred to limit the amount of unidentifiable traffic flowing in and out of the company’s
network.
Netork Security Architecture Providing Capabilities
Needed by GIAC Enterprises
00
Overview
-2
‡—LNK
5,
A
ut
©
SA
NS
In
sti
tu
te
20
00
The network security architecture recommended for GIAC Enterprises is meant to accomplish the following objectives: 1.) Provide all the capabilities required by GIAC Enterprises; 2.) Prevent anyone from extending or exploiting those capabilities to achieve
unauthorized access to any of GIAC Enterprises IT assets; 3.) Keep implementation and maintenance costs as low as is consistent with meeting objectives 1) and 2)
quickly. The security architecture will achieve its objectives by employing a number
of complementary security features, including a multi-layered perimeter, network intrusion detection and, for mission-critical, exposed, or otherwise sensitive hosts, hostbased intrusion detection, hardening of exposed hosts, segmentation of the company’s
internal network, enterprise-wide anti-virus detection and removal, centralized system
logging and near real-time response to possible security breaches. Costs will be contained by employing free or inexpensive open-source software and recycled hardware
for many key components. Centralized administration tools will simplify maintenance
and monitoring.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
Remote
Users
ISP
IDS 1
ins
f
Cisco
2621
(2.3.1)
eta
Key fingerprint(2.3.3)
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
DMZ
FreeS/WAN
VPN
Gateway
(2.3.4)
ho
ut
5,
A
Log
00
Linux
Netfilter
Firewall
(2.3.8)
IDS 3
(2.3.9)
te
Internal
Servers
Cisco
3640
Users
©
SA
NS
In
sti
tu
Limited
Access
20
00
-2
IDS 2
(2.3.7)
rr
Linux
Netfilter
Firewall
(2.3.2)
¡=¢¤£¥–¦N§ ¨ GIAC Enterprises Network Design Overview
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
‡—L{z
IP Addressing Scheme
Border Router
20
te
Components
tu
—‡ Lƒ‚
©ª¬«Uªˆ­
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
Heretofore, GIAC Enterprises’ internal network was based on RFC 1918 addressing
using class C subnets or smaller in the 192.168/16 address space. I decided to abandon this scheme entirely in favor of one based on the 10/8 address space. The obvious but less important reason for going with the 10/8 address space is that it increases
the total number of available addresses by a factor of 256. The company is currently
nowhere near large enough to use up the 65536 addresses available in the 192.168/16
space; converting to the 10/8 space simply makes it a complete non-issue.
The more important reason is interoperability. Many home networks and businesses use one or more class C subnets of the 192.168/16 space as their private
addressing. By converting to the 10/8 space, the company more easily avoids collisions with private addresses in the home networks of VPN clients. Each VPN client
will be assigned an IP address in the 10/8 space, and in no case will a VPN client be
permitted to route packets from his/her home network or anywhere else into GIAC Enterprises’
network,
or vice
This FDB5
is not DE3D
so easily
accomplished
if the IP address
Key
fingerprint
= AF19
FA27versa.
2F94 998D
F8B5
06E4 A169 4E46
assigned to a VPN client interface happened to be in a subnet already allocated to a
home network. Routing issues between the client and the company network could be
alleviated by subnetting the part of the home network assigned to the VPN client.
Another problem would remain, however. The firewall will include access rules for
VPN subnets. The brevity and efficiency of these rules depends on being able to
predict the subnetting for entire blocks of addresses assigned to certain classes of
VPN clients. If exceptions have to be made to prevent address clashes with certain
home networks, it will complicate the firewall ruleset. If, in the future the company has
a need to set up a network-network VPN, perhaps with a partner, there is far more
flexibility in the 10/8 space for finding a network number that will allow the two sides to
talk to one another without asking either one to change their current addressing.
©
SA
NS
In
sti
The purpose of the border router is to supervise the connection between GIAC Enterprises and the internet. Not only does it route IP traffic in and out of the company’s
network, but it also blocks IP traffic with invalid source addresses and prevents certain other kinds of potentially dangerous traffic, including certain kinds of ICMP and
traceroutes, from entering the company’s network. The border router is placed on the
company’s end of the T1 connecting it to its Internet Service Provider. All other devices connected to the internet in GIAC Enterprises forward their traffic through this
router and all network traffic entering GIAC Enterprises network must pass through this
router first. Since this is the first device incoming traffic encounters, it is the ideal device to block certain kinds of suspicious traffic which its limited access-control facilities
can detect. In particular, it is able to block traffic with unrouteable[30] and otherwise
reserved[31] source IP addresses. It is also ideal for blocking traceroutes, which might
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Description
Network Block
Public Networks
1.1.1.104/30
Assigned to GIAC Enterprises by ISP. Border
Router <-> Internet Firewall
VPN Gateway Public Network
1.1.1.240/30 Assigned to GIAC Enterprises by ISP. Internet Firewall <-> VPN Gateway
Public Servers
1.1.2.240/28 Assigned to GIAC Enterprises by ISP.
Internal Network Device Link Networks
Firewall-Firewall Network
10.1.1.0/30
Internet Firewall <-> Internal Firewall network
VPN Gateway Private Network
10.1.1.4/30
VPN <-> Internet Firewall
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5
06E4
A169
4E46
RFC
1918
network
Internal Firewall-Users Network
10.1.1.8/30
Internal Firewall <-> Cisco
3640 Router
Private Networks
Restricted-Access Network
10.1.3/24
Used to isolate
sensitive traffic used
mostly for infrastructure support from
main subnets
DMZ
10.1.4/24
Internal Server Network
10.1.5/24
Logging Network
10.1.6/24
Mostly dedicated to logging
to lighten load on main subnets.
Corporate User Network
10.10.2/24
Editorial User Network
10.10.3/24
Support User Network
10.10.128/17 Supernet for various support departments.
Devices are logically subdivided by department into
natural subnets. Used in
firewall rules and for later
segmentation.
IT Network
10.10.128/24 Used by network security
devices to grant special access to IT personnel.
Sales Network
10.10.129/24 Used by network security
devices to limit access by
sales
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5
06E4personnel.
A169 4E46
Editorial VPN Client Network
10.253.2/24
System running VPN client
software for a remote editorial user gets address in
this subnet.
Sales VPN Client Network
10.253.3/24
System running VPN client
software for a remote sales
user gets address in this
© SANS Institute 2000 - 2005
Author retains full rights.
subnet.
IT Staff VPN Client Network
10.253.4/24
System running VPN client
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
Public WAN Network
Comment
otherwise be able to discover invaluable information about the structure of the network
defenses protecting the publicly accessible mail gateway and web/application server.
It can also reduce the impact of DOS attacks using rate limiting on certain types of
otherwise permitted traffic. The border router used at GIAC Enterprises is a Cisco
2621 running Cisco IOS Release 12.2(15)T2, with the IP Plus feature set.
©ª¬«Uª¬®
Internet Firewall
ho
Network Intrusion Detection System 1
ut
©ª¬«Uª¬«
rr
eta
ins
f
ull
rig
ht
s.
The purpose of the internet firewall is to limit the types of IP traffic allowed to pass
between the GIAC Enterprises network and the internet. It sits just inside the border
router and performs “stateful” filtering to prevent forwarding of unallowed traffic that
the router’s access-control mechanisms are too simple to detect. It also translates
unrouteable (RFC 1918) addresses used in the GIAC Enterprises network into public
IP addresses that can be passed along the internet. Since all traffic in and out of
the network passes through this system, including unencrypted traffic from the VPN
gateway,
it is able
to comprehensively
limit the
types
of06E4
trafficA169
flowing
Key
fingerprint
= AF19
FA27 2F94 998D FDB5
DE3D
F8B5
4E46in and out. It
is configured to block many types of attacks and evasive scanning techniques based
on malformed IP packets, including fragmentation and unusual combinations of TCP
flags. This system runs Redhat Linux 9.0 with netfilter v. 1.2.7a.
te
VPN Gateway
tu
©ª¬«Uª¯©
20
00
-2
00
5,
A
This unit sits just inside the border router. It captures and anaylyzes all inbound and
outbound traffic for signs of suspicious activity, sends alerts when such activity is detected, blocks certain types of activity, and logs a record of the subsequent conversation between the source and destination hosts. It supplements the internet firewall by
performing protocol analysis and blocking suspicious TCP activity. While it is possible
to have the intrusion detection system modify the firewall rulebase dynamically in response to suspicious activity, this function is not implemented in the GIAC Enterprises
network. This system runs Snort, v. 2.0.1 on Redhat Linux 9.0.
©
SA
NS
In
sti
The VPN Gateway enables key GIAC Enterprises employees who need more comprehensive access to the company network than what is available through the web portal
to establish a secure channel for communications across the internet. While this function could be performed by the internet firewall itself, it was offloaded to a separate
device to ease the load on the firewall and to allow for the use of network address
translation on packets coming from systems inside GIAC Enterprises network.
The VPN gateway has two interfaces connected to the internet firewall, an internal
and a publicly-addressable interface. Outbound VPN packets pass through the firewall, NAT is performed on them, and they are forwarded to the VPN gateway’s internal
interface for handling. The VPN gateway wraps the packets in AH or ESP headers
and passes them back to the firewall on the publicly-addressable interface. The firewall checks the information in the new packet headers and forwards them if they are
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
acceptable. Inbound VPN packets are checked by the firewall first and passed to
© SANS Institute 2000 - 2005
Author retains full rights.
5,
A
©ª¬«Uª¬°
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
the VPN gateway if allowed. The VPN gateway unwraps and unencrypts the packets
and passes them to the firewall through its internal interface. The firewall performs
any needed NAT on the packets, checks them to see if they are allowed, and if so,
forwards them to a system in GIAC Enterprises’ network.
The gateway will be configured to allow for redundant controls on access to the
company network by remote clients. The VPN gateway itself will use the distinguished
name of the client’s X.509 certificate to determine to which areas of the company
network the client is granted access . Each user will also be assigned a static IP
address to be associated with a virtual interface on the client machine. The IP address
will be pulled from a subnet to which all addresses for that access class belong. The
internet firewall will include rules that specify to which areas of the company network
that subnet is granted access. The VPN gateway and firewall access controls will be
coordinated by configuration settings on the gateway that bind a user’s distinguished
name to the subnet belonging to his/her access class.
The VPN gateway system runs FreeS/WAN v. 2.01 with the X.509 patch on a
Key fingerprint
AF19
FA27 modified
2F94 998Dkernel
FDB5 version
DE3D F8B5
06E4The
A169
4E46 patch allows
Redhat
Linux =9.0
system,
2.4.20.
X.509
the VPN gateway to use PKI for authentication which also enables it to interoperate
with Windows 2000/XP clients. A patch to FreeS/WAN which allows for NAT traversal
was considered unready for production use, but will be studied closely for possible
inclusion in future installations.
VPN Clients
te
Email Gateway
tu
©ª¬«Uª¬±
20
00
-2
00
Since the company already owns a fair number of laptops with Windows 2000 or XP
installed, the IPSec sub-system that comes standard in a Windows 2000 and XP Professional workstation installation will be the standard VPN client software used by the
company. The IPSec sub-system will be configured to operate in client-only mode
and use X.509 certificates signed by GIAC Enterprises own certificate authority for
authentication.
©
SA
NS
In
sti
The email gateway handles email traffic going in and out of GIAC Enterprises. It is
designed to trap SPAM and viruses or trojans embedded in email and strip them out
of the message flow. It also rewrites headers on outbound email to hide sensitive
information about the internal structure of GIAC Enterprises network and blocks 3rdparty relaying. It also runs a DNS service, both to provide DNS to the mail service for
quick name resolution, and to act as a proxy for internal DNS servers. The company’s
forward and reverse DNS records are maintained by the company’s ISP, so this gateway DNS server does not actually serve any DNS records to the internet. All inbound
access to the email gateway’s DNS service is blocked. The gateway DNS server
performs recursive queries on behalf of internal DNS servers and forwards them its
cached information. It also acts as a slave server for the internal DNS domain and
provides
direct=DNS
to the
perimeter
hostsF8B5
that need
it. The4E46
DNS service on
Key fingerprint
AF19service
FA27 2F94
998D
FDB5 DE3D
06E4 A169
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
Corporate
VPN Clients
10.253.1.0/24
Sales VPN
ins
f
Editorial
VPN Clients
10.253.2.0/24
IT VPN
10.253.3.0/24
ut
ho
rr
10.253.4.0/24
eta
Key fingerprint Clients
= AF19 FA27 2F94 998D FDB5Clients
DE3D F8B5 06E4 A169 4E46
ISP
20
00
-2
00
5,
A
216.97.129.102
Border
Router
216.97.129.100/30
(2.3.1)
216.97.129.105
IDS 1
(2.3.3)
216.97.129.104/30
te
216.97.130.240/30 216.97.129.106
216.97.130.242 216.97.130.241
©
SA
NS
In
sti
tu
10.1.1.6
10.1.1.5
10.1.1.4/30
FreeS/WAN
Internet
VPN
Firewall
Gateway
(2.3.2)
(2.3.4)
²¬³)´xµ¶¸·º¹y³¼»ƒ½N¾x³À¿RÁÝĝ½h»ÆÅ
¡Ç¢¬£¥–¦È§ i¨ VPN Gateway Subnets
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
IDs 3
(2.3.9)
ull
rig
ht
s.
10.1.4/24
10.1.4.3
(NAT ->
10.1.4.1
216.97.159.242)
Cisco
Internet
Catalyst
Firewall
2950
(2.3.2)
10.1.4.254
Public
Web/Portal
Server
10.1.4.2
(NAT ->
216.97.159.241)
ins
f
Email
Gateway
(2.3.6)
¡Ç¢¬£¥–¦N§ ¨ DMZ
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
00
Network Intrusion Detection System 2
20
©ª¬«UªÊÉ
-2
00
5,
A
ut
ho
this host is configured to allow queries only from perimeter hosts and internal nameservers. The internal DNS master server is configured to allow zone transfers from the
email gateway and other internal DNS servers. The gateway runs MailScanner 4.22-5
to integrate anti-virus and anti-SPAM checks with the mail delivery system, Spamassassin 2.55 for SPAM detection, Sophos Anti-Virus for virus-checking and removal,
Sendmail 12.8 with the latest security patches for mail transport and BIND v.9 for the
DNS service on a Redhat Linux 9.0 system.
©ª¬«Uª¬Ë
©
SA
NS
In
sti
tu
te
This intrusion detection system sits between the internet firewall and an internal firewall to monitor traffic from the internet and VPN gateway after network address translation has been performed (See 4.3.4). It also monitors outbound traffic before network address translation is performed. It is meant to perform several functions. First,
it verifies the success of IDS 1 in detecting and blocking suspicious inbound activity. Second, it traps suspicious traffic passing through the VPN gateway, since it is
unencrypted when it passes through this IDS, unless of course it is encrypted email,
SSL or SSH traffic. Third, it verifies the sucess of the user network IDS and proxy
server at detecting and trapping dangerous HTTP or FTP requests and will stop them
if detected. This system’s software configuration is identical to that of IDS 1.
Internal Firewall
The internal firewall offers a second line of defense against traffic inbound from the
internet. It also protects sensitive areas of GIAC Enterprises’ internal network from
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
other internal systems and users. All server systems and network devices in the GIAC
© SANS Institute 2000 - 2005
Author retains full rights.
10.1.1.2
10.1.3.1
10.1.5.1
User
Servers
10.1.5/24
ull
rig
ht
s.
10.1.1.0/30
ins
f
IDS 2
(2.3.7)
Internet
Firewall
(2.3.2)
10.1.1.1
ut
ho
rr
eta
Internal
Key fingerprint = AF19
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Restricted
Firewall
Access
(2.3.8)
Segment
10.1.1.9
10.1.3/24
00
-2
¡Ç¢¤£¥–¦È§ ¨ Internal Firewall
20
00
Cisco
3640
5,
A
10.1.1.10
©
SA
NS
In
sti
tu
te
Enterprises network log to a remote syslog server. This logging is carried over a
back-channel LAN segment through the internal firewall to the remote syslog server.
Communications between the application servers and the Oracle database server are
also carried over this back-channel segment. The internal firewall allows limited access to these servers for crucial maintenance without exposing them unnecessarily.
The company already owns a Cisco 3640 router that was used to forward traffic between segments of their LAN. An IOS upgrade to include Cisco’s firewall feature set
could have enabled the router to perform the functions of the internal firewall fairly effectively, but The router’s available ethernet interfaces were already taken up with user
LAN segments. Had the switches in the user portion of the LAN been capable of handling vlan trunking, this problem could have been alleviated. Unfortunately, they were
not. As a result, the addition of a restricted-access segment and a segment dedicated
to internal servers necessitated either the introduction of another device or a costly
hardware upgrade. The internal firewall runs Redhat Linux 9.0 with netfilter v. 1.2.7a.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©ª¬«Uª¬Ì
Network Intrusion Detection System 3
©ª¬«Uªˆ­_Í
ull
rig
ht
s.
This system inspects traffic traversing the DMZ (See 4.3.6). It is connected to one
of the Gigabit ethernet ports on the Cisco 2950 switch to which all devices on that
segment connect. Cisco SPAN is configured to copy all traffic to that port; the IDS
monitors all incoming, outgoing, and intra-segment traffic. It is configured to alert
on suspicious requests addressed to any of the servers and any unexpected activity
originating from any of the servers. It runs Snort, v. 2.0.1 on Redhat Linux 9.0.
Network Intrusion Detection System 4
rr
Network Intrusion Detection System 5
ho
©ª¬«Uªˆ­Î­
eta
ins
f
This system inspects traffic traversing the internal server LAN segment. It is connected
to one of the Gigabit ethernet ports on the Cisco 2950 switch to which all devices on
that segment connect. Cisco SPAN is configured to copy all traffic to that port; the
IDS monitors all incoming, outgoing, and intra-segment traffic. It is configured to alert
on suspicious requests addressed to any of the servers and any unexpected activity
Key fingerprint
= AF19
2F94 998D
FDB5
DE3Dv.F8B5
A169 4E46
originating
from
any ofFA27
the servers.
It runs
Snort,
2.0.106E4
on Redhat
Linux 9.0.
In
Web Proxy Server
NS
©ª¬«Uªˆ­i®
sti
tu
te
20
00
-2
00
5,
A
ut
This system inspects traffic traversing the restricted access LAN segment. It is connected to one of the Gigabit ethernet ports on the Cisco 2950 switch to which all
devices on that segment connect. Cisco SPAN is configured to copy all traffic to that
port; the IDS monitors all incoming, outgoing, and intra-segment traffic. It is configured
to alert on any unencrypted communication with the Oracle service or any communication not originating from one of the application servers or the network management
workstation, either of which is a sure sign of trouble. It also will alert on attempts to get
unencrypted web traffic from any of the systems in this segment. The syslog server,
backup server, and network management workstation all run web services that allow
remote access to their management and reporting capabilities, but these connections
are all SSL-enabled to protect the network management data from being visible inside
GIAC Enterprises’ network to any but IT staff. This system runs Snort, v. 2.0.1 on
Redhat Linux 9.0.
©
SA
The web proxy server takes http, https, and ftp requests and fetches the requested
information on behalf of the connecting client (See 4.3.10). In the process, it offers
access control by requiring users to authenticate and limiting access to internet resources by matching the identity of the user with a list of ACLs based on the IP address/DNS hostname, URL, mime-type, request method, and a variety of other criteria. The proxy server is configured to block access to downloads of certain types of
files, such as Windows executables and script files (except from Microsoft’s automatic
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
ins
f
Internal
Domain Controller File/Print
Firewall DNS/DHCP Server
Server
(2.3.8)
10.1.5.13
10.1.5.10
10.1.5.1
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Cisco
Catalyst
2950
10.1.5.254
-2
00
File/Print
Server
10.1.5.12
te
20
00
IDS 4
(2.3.10)
5,
A
ut
ho
rr
Application/Groupware
Server
10.1.5.11
Intranet
Web Proxy
Web
Server
Server
(2.3.12) 10.1.5.15
10.1.5.14
¡Ç¢¤£¥¦È§ ¨ Internal Servers Network
©
SA
NS
In
sti
tu
RAS
Server
(2.3.16)
10.1.5.16
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
10.1.3.1
ins
f
Internal
Firewall
(2.3.8)
ho
rr
eta
Oracle
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Database
Server
10.1.3.10
IDS 5
(2.3.11)
5,
A
00
-2
00
Syslog
Server
(2.3.14)
10.1.3.11
ut
Cisco
Catalyst
2950
10.1.3.254
20
Network
Management
Workstation
(2.3.15)
10.1.3.25
¡=¢¤£¥–¦N§ ¨ Restricted-Access Network
©
SA
NS
In
sti
tu
te
Backup
Server
10.1.3.12
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
10.1.1.10
10.10.1.1
10.10.2.1
ull
rig
ht
s.
Cisco
3640
10.10.3.1
IDS 6
(2.3.13)
Support
(10.10.128/17)
ins
f
Corporate
(10.10.2/24)
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ut
ho
Editorial
(10.10.3/24)
00
5,
A
¡Ç¢¬£¥–¦È§ ¨ User Subnets
20
Network Intrusion Detection System 6
te
©ª¬«Uªˆ­i«
00
-2
updates site), MP3s, java archives, and all very large files. It will also filter out pornography to a limited degree. The server runs Squid 2.5.3 for proxying and caching and
DansGuard 2.6.1-3 for web content filtering on a Redhat 9.0 Linux system.
©
SA
NS
In
sti
tu
This system inspects traffic entering and leaving the user LAN segments. Ideally, the
IDS would be monitoring all traffic on each segment, including intra-segment traffic.
Unfortunately, the systems in these segments are attached to Cisco catalyst 2820
switches, which do not allow for SPAN ports. At some point in the future, the company
will invest in a switch upgrade. Until that time, it was decided to attach a hub to the port
leading out of each switch to the Cisco 3640 router and run the monitoring interface
for each segment into the hub to capture traffic entering and leaving the segment.
For the time being, this rather busy IDS will alert on suspicious requests originating
from the user segments and dangerous responses coming back. It will also alert on
suspicious incoming activity. The system runs Snort, v. 2.0.1 on Redhat Linux 9.0
with modifications to the system init scripts and snort rules to allow for independent
configuration and control of Snort for each sensor interface.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©ª¬«Uªˆ­©
Syslog Server
ull
rig
ht
s.
This system captures logs sent to it from every server and network device on the
GIAC Enterprises network (see 4.3.11). It uses syslog-ng, v. 1.6 to customize logging
sources and destinations so that system logs are automatically deposited in a SQL
database as well as in standard log files. It uses swatch 3.0.8 to analyze logs for
security violations and alert IT staff via pages, emails, and Windows desktop pop-ups
when detected. The Analysis Console for Intrusion Databases, v. 0.9.6b23 and phpsyslog-ng, v. 1.4 are used to provide web-based tools for searching and reporting on
security incidents. IT staff connect to the web-based interfaces using HTTPS with 2way authentication using RSA certificates signed by the Verisign Certificate Authority
and a negotiated encryption algorithm of minimum 128-bit key length. The system
runs Redhat Linux 9.0
ins
f
©ª¬«Uªˆ­i°
eta
Network Management Workstation
Key
= AF19
FA27
2F94 998D FDB5
DE3D
06E4 A169
Thisfingerprint
system acts
as the
management
console
forF8B5
configuration
of 4E46
network security.
From this system, updates to router and firewall configurations are permitted
ut
ho
rr
—‡ Lˆ‡ A€ PWVS"T™uT–Z]\iS¸Ï‘bZ]|RStÐuSUwyVsuTSU\
©ª¯©ªˆ­ ›Ñ ÒӝÔÖÕn×ØÒÚÙҖÛÎÜÝ!ÜÙ?Ó
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
To ease the administrative burden of staying up-to-date with security fixes on GIAC
Enterprises’ servers and workstations, all qualified systems will use a vendor’s patch
management distribution system. Systems that are not qualified will be slated for
replacement as soon as possible. In the meantime, non-qualified systems will be
kept up-to-date via scripted software installation with available patches. Both Redhat Network[32] and Windows Update[33] make available an automatic update feature with their patch management solutions. The Windows Update feature in Windows
2000/XP Professional and Windows 2000/2003 Server allows administrators to schedule automatic updates. All Windows 2000/XP workstations and Windows 2000/2003
servers will be scheduled to download and install available updates once per week.
Windows servers and workstations will be scheduled for updating early every Sunday
morning. Redhat Network’s automatic update feature does not yet allow for scheduled
updates. This is easily managed, however with a small shell script run from cron on a
weekly basis. This script will be run once per week early Sunday morning. In addition,
a staggered schedule of reboots will be set up through the Redhat Network so that
any updates are applied to daemons or the kernel as soon as possible after updates
are installed. The schedule will stagger the reboot of web server and database cluster
members so that at least one member of each cluster is available at all times.
To prevent large numbers of systems from attempting to carry out downloads of
updates over the internet, local update distribution will be used. Windows Software
Updates Service[34] will be deployed on the same Windows 2000 server that deploys
Sophos Anti-Virus updates. Redhat Network’s Satellite Server software[35] will be
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
installed on the web proxy server. All other systems in the company will be configured
to contact one of these two systems to fetch available updates.
7 0 , #888
ins
f
ull
rig
ht
s.
GIAC Enterprises Perimeter Security
Policy and Implementation
Þ Internet Firewall Security Policy
Ÿ~LNK Overview
-2
Ÿ~L{z
00
5,
A
ut
ho
rr
eta
The internet firewall’s security policy is designed to limit access from the internet to
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
a small set of TCP/IP hosts and services that have been available to the public or to
selected parties outside GIAC Enterprises network, limit access to the internet from
within GIAC Enterprises network to TCP/IP services approved for use by GIAC Enterprises employees, frustrate various techniques employed by network enumeration
and exploit tools, perform network address tanslation on the RFC 1918 IP addresses
used by systems in GIAC Enterprises network, limit access to the border router and
the firewall itself, and maintain a detailed log of all network activity supervised by the
firewall. We will examine the firewall settings that accomplish each of these tasks in
detail below. See B on page 69 for the complete configuration.
Border Router and Firewall Access Rules
©
SA
NS
In
sti
tu
te
20
00
Technical Support personnel may obtain virtual terminal access to the firewall via SSH
from company headquarters or a remote location, as specified in the global policy ruleset below. As mentioned above, the border router does not run a SSH server. Telnet
access is granted only from the firewall to the ethernet interface facing the firewall.
Access is granted to the firewall via its non-public interfaces implicitly as part of the
GIAC Enterprises private address space. The first rule includes access via SSH or
PCAnywhere. Since nearly every company system runs only one of these, one could
write a separate rule for each type of access. Unfortunately, there is no easy way to
separate out the two cases; each rule would have a long list of specific IP addresses
to which it applies. Technical Support would have the onerous job of maintaining this
long list whenever a particular device is added, removed, or changes its remote access configuration. The class C subnet 10.10.128.0/24 does not represent a physical
or virtual network segment; planning for the day when that can be a reality, the IP
addresses of all systems belonging to Technical Support were kept in this range. The
10.253.4/24 and 10.254.1/24 subnets represent Technical Support VPN and dialin access networks.
ß
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAß àâáãâäºåÀæçƒèÖãâé6êëãÖì
ßAøÈùíôäÖä)óâîÀïñùÖëð6ãáâïÖòòÖéÖé)õ¼ôóô<õèûä)øüôëñõõóõÀïñäÀöé)é)ó5ôä<ýëâþâ÷¼ÿâöiùøÈùñïÖëÖä)óîî6ä äÖõâõôéúëãã
ß ýíÿ ð 5þø¼÷ Öæ ýíÿ 
ð
Àÿ ý í ¼÷!å ]ö õ¼ôë6ô
ä âõ¼ôë)ôä
"!<þø¼
÷ Öæ ýíÿ 
ð ÷Àÿ Öýæ í¼ ÷!#å h#å ]#å hå $ ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!<þø¼
ýíÿ 
ð 5þø¼÷ Öæ hå
ýíÿ 
ð Àÿ5þø¼÷ Öæ &ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷Öæhå
ýíÿ 
ð Aà .åÀæ
ýíÿ 
å .åÈæâõ å 0$12 fö
õ¼ôë)ôäâõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæ àh/
ýíÿ 
Key fingerprint
06E4 A169 4E46
ÿ5ô3ä þø¼÷ FA27
Öæ 2F94
h/
å 998D
âõ å FDB5
0$4h5
å DE3D
F8B5
fö
õ¼ôë)ôä âõÀð =ôë)ÀAF19
"!Aà .åÈæ
ýíÿ 
å .åÈæâõ å ]å hå ]ö
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ àh/
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $140 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $140 ¼÷
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h8å hå À÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h8å hå À÷
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ 
ð 5þø¼÷ Öæ ýíÿ 
)õ¼ôë)ô7
ä ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 8å ]ö õ¼ôë)ôä
ýíÿ 
ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 5å h#å h#å ]å $ fö õÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ð5þø¼÷Öæ
ýíÿ 
ð Àÿ5þø¼÷ Öæ &ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷ Öæ Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
õ¼ôýë)ôíÿä
âõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæà .åÈæâõ å0$12 fö
ýíÿ 
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæà .åÈæâõ å0$4hå5 fö
ýíÿ 
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å]åhå ]ö
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ å8$14 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)óô-$) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $14 ¼÷
å]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
å ]#å h#å "h!-8å à$ =AF19
#
¼÷äÖõ¼ôFA27
øÈùÖë)ôø¼2F94
é6'ù ÈòÖéüó998D
ô $)FDB5
fö õÀDE3D
ôë)ô,ä F8B5
âõÀôë)ôä 06E4 A169 4E46
Key fingerprint
.åÀæ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å hå ]å ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å hå ]å ¼÷
å ]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.åÀæ6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôåÀ,æ )ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
ßßAàâýáíÿãâ
9ä ðåçƒèÖÀÿAãâé6àêëãÖì .åÀæ C!<ÿþþ ýí
ßßúð)ôë ??3ïÖé î6ë6ùñðð DAô9é ?øÀó"ä Öëãã ë6óäúëããâé Öä)÷ ôé<ôäãüùÖä69ô ?âóéÀö
?øÈóä ÖëãâãJôé-êÖé)ó÷ä6ó<óé6áôä69
ß ýíÿ ð Aà .å ó ?é)óAóäÀöé6ôä<ëâ÷¼öøNùøâõ¼ôóë)ôøüé64ù ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷!"#å !<h5å àh#å h
å .$ å
À÷äÖõ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô- ]ö õ¼ôë)ôäâõ¼ôë)ôä3
ýíÿ 
ð Àã ÿA)6à üãâé).EèÈå òóä ?]ö!ø @ãÖø]ANöà øÀ%ô 6ãÖ9å ø]öJøÈ<ô ÿþ)þÈöýøÈùâBí áôA ä "!9
:=
üãâé)E
è
6ã)ä)ûä7
ýíÿ
ðÀÿAà.å C!<ÿþþýí
Inbound Access Rules
SA
Ÿ~Lƒ‚
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
©
Generally, responses to outbound requests are allowed into the network. The range
of responses is largely limited by restrictions on outbound requests. Additionally, most
types of inbound ICMP are blocked regardless of whether they come in response to
outbound requests. Only echo replies and unreachables (ICMP type 3) are allowed
in, and only in response to an outbound request. Fragmented packets are blocked,
except
for fragmented
AH or2F94
ESP998D
packets
bound
the public
IP address
Key fingerprint
= AF19 FA27
FDB5
DE3DforF8B5
06E4 A169
4E46 of the VPN
© SANS Institute 2000 - 2005
Author retains full rights.
gateway. This exception is granted to allow for oversize packets resulting from IPSec
encapsulation in cases where pMTU discovery fails between the IPSec gateways.
Below are relevant snippets from the firewall configuration script, with extra comments
added to clarify:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAßúàâëáããâã<äé)õôâïëÖä)îóAî6ä6óâòáôãâøÈùäÖèõ òëÖîCFä)ôõôâïÖë)ôúë)óä òÖë6óôúé?ñäõ¼ôë6êãøâõÀïÖäâ÷Aî6é6ùùäÖî¼ôøüéüùõ+òóäÖî6äâ÷ä
ýíÿ 
üãâé)E
è Èòóäð ?Àø ô[email protected]÷âANàó
éüGò<ÈÿHG;à
:6-ýH)ý ÿI=A "!9
:= 6ã)é)èE6ãâä6ûäã-)
ýíÿ 
ð Àÿ ý í ]ö õ¼ôë6ôä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ýíÿ 
ð Àÿ :Cíâý í ]ö õ¼ôë6ôä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ýíÿ 
ð À9ÿ :6à ÿà ;%]ö õ¼ôë6ôä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ß
Key fingerprint
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ßßAàâáãâäºåçÆ=ä)ôâAF19
ì
ï
ß
ß ;óé6ò öéõ¼ôAô âòÖäÖõé ?pøÈùâêÖé6áù÷ þ J4ý [email protected]î6ä6òôøüé6ùõë)óä
9
áùóäëÖîÀïë6êãâäÖõlë6ù÷úäÖîÀïé<óä6òãÖøüäLõ í)ïÖäÖõ6äAë)óäñî6é6ûä)óäâ÷ ê
ôâïä<èä6ùÖä)óø)îóâáãâäAëãã)é øÈù3è ð)íÿ ð D;<ë6ù÷<à âÿí ;
ôóë ??øâîêÖëÖCî FºøÈùôé<ô)ïÖä<ùä)ô Öé)ó F4Mä5÷éü2ù Nˆô
õÀòäÖîCø ?ø)î6ëãã öä6ùôøüé6ùúäÖîÈïÖé-óä O)áÖäõ¼ôõlêÖäî6ë6áõ6-ä ä5ë6óä
èéÖøÈùè<ôé5ëããâ"é úô)ïÖäÀöñôé<ôâïÖQä Pý 5èë)ôä Öë òâáêãÖøâî
êßøÈùã)ôéÖä)îCóF?äâ÷Jëî6ïÖRä ä)*uóëüäù ÷5ô)ïÖä QÖé6ù Nˆôöë Fä øÀôAôâïÖä6óä Cø ?5ô)ïÖä úë)óä
ýíÿ 
ð úä)ôâ
ï . Sù .üà .å
ýíÿ 
ð Àïÿ . ýSù .6íà ø.å ä)ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
"!5ä)ôâ
ýíÿ 
ð
Àÿ ý í ø ä)ôâ
$
"!5ä)ôâ
ï . Sù .6à .å ï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
ýíÿ 
ð Àïÿ . ýSù .6íà ø.å ä)ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
$å
"!5ä)ôâ
ýíÿ 
ð Àïÿ . ýSù .6íà ø.å ä)ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
$
"!5ä)ôâ
ýíÿ 
ð
Àÿ ý í ø ä)ôâ
$
"!5ä)ôâ
ï . Sù .6à .å ï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
ýíÿ 
ð Àÿ ï . ý Sù í.üà ø .ä)å ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
å "!5ä)ôâ
ýíÿ 
ð
Àÿ ý í ø ä)ôâ
Tå "!5ä)ôâ
ï . Sù .üà .å ï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
ýíÿ 
ð Àÿ ï . ý Sù í.üà ø .ä)å ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
å $
"!5ä)ôâ
ýíÿ 
ð Àÿ ï . ý Sù í.üà ø .ä)å ôâï ,Èò!øâîhöò øâî]öÖ'ò Àô )òÖä
å )
"!5ä)ôâ
Key fingerprint
ýíÿ 
ð =ÀAF19
ÿ ý FA27
í ø 2F94
ä)ôâï ,998D
Èò!øâîhöFDB5
ò øâDE3D
î]öÖ'ò Àô )òF8B5
Öä 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
æ "!5ä)ôâï. ùS.6à.å
ýíÿ
ðÀÿ ýí ø ä)ôâï,Èò!øâîhöò øâî]öÖò'Àô)òÖä
å "!5ä)ôâï
. ùS.üà.å
ýíÿ 
ð
Àÿ ý í ø ä)ôâï,Èò!øâîhöò øâî]öÖò'Àô)òÖä
"!5ä)ôâ
ï . Sù .üà .å
ýíÿ 
ð Àÿ ï . ý Sù í.üà ø .ä)å ôâï ,Èò!øâîhöò øâî]öÖò'Àô)òÖä
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖòEÀôâòÖä
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖòEÀôâòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$å
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$
"!5ä)ôâ
Key fingerprint
=ÀAF19
998D
ýíÿ 
ð
ÿ
9
:6à ÿFA27
à ; 2F94
âø ä6ôâ
ï
,Èò!FDB5
â
ø
h
î
Ö
ö
ò
DE3D
øâîhöÖE
ò
ÀF8B5
ô âòÖä 06E4 A169 4E46
å "!5ä)ôâ
ï . Sù .üà .å
ýíÿ 
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
Tå "!5ä)ôâ
ýíÿ 
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
å $
"!5ä)ôâ
ýíÿ 
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
å )
"!5ä)ôâ
æ ý íÿ "!5ð ä)ôâÀï9ÿ . :6 àSù ÿ.6à à;.âå ø ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
ýíÿ 
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
å "!5ä)ôâ
ýíÿ 
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
"!5ä)ôâ
ýíÿ 
ð À9ÿ ï :6. à ÿSù .üàà ; â.ø å ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
"!5ä)ôâ
ýíÿ 
ð Àÿúä)ôâ
ï . Sù .üà .å ]öpãÖø]öiøÀ6ô 6ãÖø]öiøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûäUã B6ã)é)Eè Èòóä ?ø @AVÿ ;
þJý6U;WGA
ýíÿ 
ð Àÿúä)ôâ
ï . Sù .üà .å "!&;à :6ý
ßß ßAß àâáãâä9–çÆä)ôâïiå)ì
ßAÿÖããâ"é ºøÈùôä)ó)ùÖä)ô-ïÖéÖõÀôõôé-òøÈùèAôâïÖQä Pý 5èë)ôä Öë 4XÖä
ëãâãâé Aôâïø)3õ ?é)óúôäÖõ¼ôøÈùQè Pý î6é6ùâùÖäÖî¼ôøÈûøÀô úøâõõÀáÖäLõ àë6ôä5ãÖø]öøÀôøÈùèAë6òâòãÖøüäÖõôé<ô)ïÖä<òøÈùè<óä O6áÖäÖõ¼ôYõ XÖä
ëãÖãâøföãâéøÀAôäâó÷Jä6êòÖúôãÖøü)äÖïÖõäºôé<øNùèôéä)óâêÖùëÖä)&ôî F?*uøÀêóáä ôAÖëôâãïÖRã ä- ô âòäÖõ ëããâé äâ÷Aë)óä
ß ýíÿ
ðúä)ôâï_åC. ùS.üà.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ
ðÀÿ9:6àÿà; âø ä6ôâïiåQÈò!øâîhöÖò À÷1å#]å#hå#
âä)ô)ïiøâîhåCöÖ. ò' ùÈô.6âòàÖä-
. föõ¼ôë)ôäâõÀôë)ôä3 "!
ýíÿ
ðÀÿúä)ôâï_åC. ùS.üà.
]öpãÖø]öiøÀô66ãÖø]öiøÀô
õ6äÖî6é6ù
÷
6ãÖøföøÀE
ô
Èêâáóõ¼3
ô
$6C!<
:= 6ãâé)>
üãâé)E
è Èòóä ?ø @ANà 6Jÿþþ ýBí A è 6ãâä)ûä-ã )
ýíÿ 
ð À6ÿúãÖøföä)ôâøÀï_Eô CåÈêâ. á Sùó.üõ¼à3ô $6C.!A ÿþâþ ]öpýí ãÖø]öiøÀ6ô 6ãÖø]öiøÀô
õ6äÖî6é6ù
÷
ýíÿ 
ð úä)ôâï_Cå .:üá
ô .6à .
ýíÿ 
ð Àÿ :Cíâý í üé5ä)ôâï_&å Nò!ø)îhöÖò ¼÷p#å h5å h#å âøâîhöÖ'
ò
Èô âòÖä)ô)ïiåC.:üáô.6àä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ 
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïiQå Èò!øâîhöÖò À÷1#å ]#å h#å âøâîhöÖ'
ò
Èô âòÖä)ô)ïiCå .:üáô .6à ä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ 
ð Àÿúä)ôâï_Cå .:üá
ô .6à . fö1ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷ =6AF19
ãÖøföøÀEô ÈFA27
êâáóõ¼3ô 2F94
$6C!<998D
:= FDB5
6ãâé)>
è 6ãâDE3D
ä)ûä-ã ) F8B5 06E4 A169 4E46
Key fingerprint
üãâé)èEÈòóä?ø@ANà
6JÿþþýíBA
ýíÿ 
ð À6ÿúãÖøföä)ôâøÀï_Eô CåÈêâ.á:üáó
ôõ¼.63ô à $6
C!A. ÿþâþ ýfö1í ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷
ýíÿ
ðúä)ôâï_åC. ùS.üà.
ho
rr
eta
ins
f
ull
rig
ht
s.
5,
A
ut
Here are the rules allowing IPSec packets, possibly fragmented, to and from the VPN
gateway interface and blocking all others:
ßß
©
SA
NS
In
sti
tu
te
20
00
-2
00
Aßß àâáãâä9–çÆä)ôâïiå)ì
èßAß ë6ÿÖôãäÖãâé"ëºN]øÈõlùòôáä)êÖó)ùÖãÖä)øâô-îAïÖøÈùéÖôõÀôä)óõ?ôëÖéîüä-î6?é6ùé)ùÖó äî¼ýô-ðâôäÖé&îL Pý
ýíÿ 
ð 5þø¼÷ )ææ ýíÿ 
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò ¼÷på#hå5hå#
þøÀ÷ ¼÷äÖõ¼
ôøÈ)ùæë)æôøü0 é6Eù ÈòÖé6óâ3ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $ ¼÷!)âææ#å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å ¼÷!)âææ#å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å _å
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å hå )
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ å 0
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å "!<à í à ýíÿ 
ð =ÀAF19
ÿ5þø¼÷ FA27
)2F94
ææ 998D
ø ä)ôâï_
å âõ DE3D
å h#å F8B5
#
Key fingerprint
FDB5
06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
<à í à
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å ù üàææ ø ä)ôâï_å âõ å hå _å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiå ùæ6æ à ø ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å ù üà
]ö1ãø]öøÀô üãÖø]öøÀô
NJöÿøÈùþáþ ôýä í
6ã)é)è 6ãâä6ûäã 6ã)é)è Èòóä ø ýð þ
ýýííÿÿ ðð Àÿú5þä)ôâø¼ï_÷ å ù üàææ hå
Aÿþâþ ýí
ýíÿ ð Àÿ íâý í üé5ä)ôâï_å Nò5á÷)ò ¼÷!å hå hå
þøÀ÷ ¼÷äÖõ¼ôøÈùæë)æôøü]åé6ù ÈòÖé6óâô ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ]ö1õ¼ð ôë)Àÿôä íâ)ýõ¼ôíë)ôä üé5ä)ôâï_å ANòþø¼÷ À÷!âæå æ hå håhå
ýíÿ ð Àÿ íâý í üé5ä)ôâï_å Nò å À÷!å hå hå
A]þö1ø¼÷ õ¼ôë)ôä æâæ õ¼ôhë)å ôä
ýíÿ ð Àÿ 6à ÿà ¼é5ä6ôâïiå Èò5á÷)ò ¼÷på hå hå
Àõ¼ô÷ë)ôäÖäõ¼ôøNùÖâõÀë)ôôë)øüôéüäù ÈòÖéüóô 5þø¼÷]ö ææ hå
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ ¼÷!âææå hhåå hå
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ å ¼÷!âææå hhåå hå
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå hå hå
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå hå
<ýàíÿ í àð Àÿ5þø¼÷ ææ hå üé5ä)ôâï_å âõ å hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å üáô 6àææ hå üé5ä)ôâï_å âõ å hå _å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiå üáæôæ ühà å üé5ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å üáô 6à
]ö!ãÖø]öøÈô 6ãÖø]öøÈô
NJöÿøÈùþáþ ôýä í
6ã)é)è 6ãâä6ûäã 6ã)é)è Èòóä ø ýð þ
Aÿþþ ýí
ßß ýíÿ ð Àÿúä)ôâï_å üáô 6à
ßAß àâáãâäºåçÆä)ôâïiå)ì
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"! ) # #
"! C. S. ..
) 7
"!
. S. ..
C. S. ..
%
)
"!9
:= E
-)% E ? @A 5A
C. S. ..
C!
) C: &
# # 5
E
3$ 3
"!
) :C & ,$ 5 # #0
C?
,
3
"!
) :C & ,$
5 # #0
?
Key fingerprint
=
AF19
FA27
2F94
998D
FDB5
DE3D F8B5 06E4 A169 4E46
,
-
"!
) 9: ; Q
# 5 #
'
-$ 3
"!
) 9: ; Q ,$ # # 5
C?
,
3
"!
) 9: ; Q ,$
# # 5
C?
,
3
"!
) ) /
# # 5
"! ) /
# # 5 )
"! ) /
0
"! ) /
# # 5
"! ) /
# #
"! ) /
# #
"! C.: . ..
) /
7
"!
.: . ..
C.: . ..
B
)
"!9
:= E
-)% E ? @A 5A
C.: . ..
"!
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAÿÖããâé"AôâïÖä-òáêãÖø)îAøÈùôä)ó?ëÖî6ä-é?Aô)ïÖä9PâýAèë)ôäë<ôé
î6éüùùÖäÖî¼-ô øÀôâïñé)ôâïä)óºøÈùôä)ó)ùÖä)ô ïÖéõ¼ô7õ ?é)ó ýðâäÖLî þ)äá@óî6óä6òä6ùô<ôôã é*
øÈùô)ïÖøÈôäAøüèë)ë)ôôä7ä FÖäë ø<÷Èùéè-äÖùÖõä)ùÖèé6é)ôñôøüëë)ôî¼ôâøüáÖéüùëãâõLã <÷é<ôâïøâ#õ *
ß ýíÿ ð 5þø¼÷ þ ýíÿ 
ð Àÿ ý í ø ä)ôâïiQå Èò5á÷)ò )õ 5å h#å h#å 0
þÀøÀ÷÷äÖõ¼ôþøNùÖ
ë)ôøüéü0'ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ 
ð
Àÿ ý í ø ä)ôâïiQ
C?
]ö1õ¼ôë)ô,
ä )õ¼ôë)ô3ä å "!AÈ,ò þ$ø¼÷ âþõ #å h5å h#å ýíÿ 
ð Àÿ ä ý)õ¼íôë)ô3ä ø ä)ôâïiQå "!AÈ,ò þ$ø¼÷å âþõ #å h5å h#å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò âõñ#å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
þøÀ÷þ
0ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ 
ð ôë)ÀAF19
ÿô,ä :6à)ÿõ¼FA27
9
ôàë)ô; 3ä 2F94
âø ä6ôâïiQ
å È,ò $ þ âõ DE3D
å h#å h5å F8B5
#
Key fingerprint
06E4 A169 4E46
C?
]ö1õ¼=
"998D
!Aþø¼÷ FDB5
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å þ âõ #å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å h5å hå )
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å h5å _å
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å _å
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å "!<à í à ýíÿ 
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!#å h#å h5å "!<à í à ýíÿ 
ð Àÿ5þø¼÷ þ ø ä)ôâï_å ¼÷!å 0
"!<à í à ýíÿ
ðúä)ôâï_åC. ùS.üà.åC.
ýíÿ 
)õ¼ôë)ô7
ä ð Àÿ5þ"!5ø¼÷ ä)ôâïiþå .
Sù.6à .ø å .ä) ôâï_å ]ö õ¼ôë)ôä
ýíÿ 
ð Àÿúä)ôâï_Cå . Sù .üà .Cå . ]ö1ãø]öøÀ%ô üãÖø]öøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @A ýð þ
JÿþþýíBA
ýíÿ 
ðð Àÿú5þä)ôâø¼ï_÷ Cå . Sùþ .üà
h.å Cå . C!Aÿþâþ ýí
ýíÿ 
ýíÿ 
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïiQå Èò5á÷)ò âõñ#å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
þøÀ÷þ
]ù å ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ 
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïi"!AQå þÈ,òø¼÷$ þâõ #å hh#åå h5å C?
]ö1õ¼ôë)ôä,)õ¼ôë)ôä3
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä ¼é5ä6ôâïi"!AQå þÈ,òø¼÷ $å þ âõ #å hh#åå h5å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð Àÿ5þø¼÷ þ h/
å üé5ä)ôâï_å ¼÷!#å h#å h5å hå )
"!<à í à = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
© SANS Institute 2000 - 2005
Author retains full rights.
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å üáþ ô 6à hå å üé5ä)ôâï_å ¼÷!å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiþå üáô ühà å üé5å ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å üáô 6à å ]ö!ãÖø]öøÈô 6ãÖø]öøÈô
NJöÿøÈùþáþ ôýä í
6ã)é)è 6ãâä6ûäã 6ã)é)è Èòóä ø ýð þ
ýíÿ ð Àÿúä)ôâï_å üáô 6à å Aÿþþ ýí
ßßAàâáãâ9ä –çˆèÖãâé6êÖëãÖì
ß
ß<êãâéÖî F9?âóë)èüöä6ùôõLMóë6èüöä6ùôäâ÷òÖëÖîFä)ôõô)ïÖë)ôúë)óä-òÖë)óô
é ?úë6ù5ÿ Dñé)<
ó ð)ý<òÖëÖCî Fä)ô<ôé<ôâïÖQä Pý Aèë)ôä Öë 5ë)óä
ä @î6ä6òôä)2
÷ çÆðääAä)ôâïiålóâáÖãâäÖõYì íâïÖä úë)óä5ëããâé Öä)÷-ôâïÖä)óä
êÖôäéâéúî6ë6áã)ë)õ6óäJèôâ&ä ïÖ?ä5é)óúä @ôé6áóóAë ò ýøÈòÖðäÖäÖLõî ïÖäë)÷ä)óõ%öë -öë Fä ôâïÖä-òÖëÖî Fä)ô
ß ýíÿ
ðAà.
ýíÿ 
ðð ÀÀÿÿ :C íâý ý 6í %í Èò1Èò!øNòøÈò C?C? "!-C!Aà à ..
ýíÿ 
ýíÿ
ðÀÿ9:6àÿà;%Èò!øÈò
C?
"!Aà.
ýíÿ 
ð
ÀÿAà .
fö!ãø]öøÀ6
ô
6ãø]öøÀ9
ô )ÈöøÈùáôä "!
:= 6ãâé)>
è
6ãâä)ûäãú&
å
6ãâé)>
è
Èòóä ?ø @,AVàÿ =%U;W5A
ýíÿ
ðÀÿAà. "!&;à:üý
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
/
# # 5
"! /
# #
"! /
# #
"! /
# # 5
"! /
0
"! C.: . . C.
/
7
"!
.: . . C.
C.: . . C.
B
)
"!9
:= E
-)% E ? @A BA
C.: . . C.
"!
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
A large subset of TCP scanning techniques, including ACK, FIN, null and xmas tree
scans, is blocked. The rules do not try to detect SYN (half-open) scans, since these
cannot easily be differentiated from legitimate connection attempts by Netfilter until the
prober sends a RST packet. By then, it is already too late. We leave it to the IDS1
system to detect and respond to SYN scans. While it is likely that a very stealthy SYN
probe could fly under the IDS, most will get caught. The firewall responds to detected
probes by dropping the offending packets. The decision to react this way is a trade-off.
On the positive side, dropping the scan packets prevents the attacker from receiving
anything from the security devices themselves. Were we to send TCP RSTs or ICMP
unreachables in response to the probes, the attacker could use passive fingerprinting
to guess the OS and possibly the firewalling software we are running on the security
devices. In the case of ICMP unreachables, we would also be giving him the public
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
IP address of the firewall. Even in the case of a TCP RST, the response packet will
© SANS Institute 2000 - 2005
Author retains full rights.
eta
ins
f
ull
rig
ht
s.
contain information (TTL and TCP Window size are two examples) that could tip the
attacker to the presence and nature of the firewall. This assumes that the attacker has
packets from the target host with which to make comparisons, but obtaining these is a
trivial exercise. On the negative side, this makes all ports appear open – or filtered –
to the probing system.[36] A savvy attacker would recognize that a security device is
filtering responses to his probes. A newbie may just go ahead and launch his favorite
attacks on the target.
What would the prober learn about the network by attacking this design? First, he
could learn that SYN scans are treated differently from other types of scans. A simple
TCP connect scan – until it is blocked by the IDS – would show that only ports for
which we allow inbound connections are open. The other scans would show all ports
open. A comparison of results would tell the prober that one or more security devices
have intervened. He is likely to figure out that TCP connections are blocked except to
a few ports and that the filtering devices are configured to drop all TCP scan packets
of certain types. The prober would eventually figure this out no matter what kind of
Key fingerprint
= AF19 FA27
2F94 this
998Dway,
FDB5
F8B5
A169 4E46 that will help
response
we designed.
At least
theDE3D
prober
gets06E4
no information
him attack the security devices themselves. Here is the relevant ruleset with additional
comments:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
ßßAàâáãâäºåçˆèÖãâé6êÖëãÖì
ß
ß9;óé6òñð)ôäëã6ôâï õâî6ë6ùõLXé)óüöëãã*ué6òÖä6ùAòÖé)óâôõJ÷âóé6òAêÖë)÷<òëÖîCFä)ôõZ*
ïø6ãâäúî)ãâéõ6äâ÷ òÖé)óâôõAõ6ä6ù÷5ë<íþâýAàð)4
óß äõÀòÖé6ùõüä-ë6ù÷Jöë FäÖõ ëããòÖé)óôõ-ëüòòÖíäë)—ó5íâïéüòÖøâä6õ[ù ê ãâéÖCî FõôâïÖä<÷äÖõ¼ôøÈùÖë)ôø¼é6ù
ýíÿ
ðAà.å
ýíÿ 
ðð ÀÀÿÿ :C:Cíâíâýý %í%í ÈÈòúòúôôîÀîÀòò ÈÈôôîÀîÀ'ò'ò CC??ãâãâë)ë)èèõ\õ ÿ à&=*ˆý:ð D * 7C!<àà =R*ˆýð.Då *0 "!<à.å
ýíÿ 
ýíÿ 
]ö õ¼ôë6ô
ä ð Àâÿõ¼ô:Cë)ôíâ3ä ý %í ÈòCó!<é)àôéÖîüé.ãJå ôîÀBò ÈôîÀ'ò C?ãâë)èõð W*ˆÿþ ]*ˆàð6í * U ýíÿ 
ð Àÿ :C"!<íâàý %í
.Èå òóé)ôéÖîüéãJôîÀBò ÈôîÀ'ò C?ãâë)èõÿþ ]Aÿþ ]B]ö1õ¼ôë)ôä
)õ¼ôë)ô7
ä
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ <
: "!<à .å
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ &à =*ˆÿþ ]*ˆýð D*ˆàð)Rí *Æð W*0 "!<à .å
ýíÿ 
ð
Àÿ ý 6
í
Èòóé6ôéÖî6éãôîÀB
ò
ÀôîÀ'
ò
C?ã)ë)èõð W*ˆÿþ ]*ˆàð)
í
* 7 ]ö õ¼ôë6ô
ä âõ¼ôë)ô3ä C!<à .å
ýíÿ 
ð Àÿ "!<ý à 6í .Èòå óé6ôéÖî6éãôîÀBò ÀôîÀ'ò C?ã)ë)èõlÿþ ]úÿþ ]6]öõÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ðÀÿ9:6àÿà;%ÈòúôîÀò
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò ÀÀôôîÀîÀò''ò ??ãâãâë)ë)èèõ+^õ ÿà9=R*ˆý:ð D *0 7"!<àà =*ˆýð.Då * "!<à .å
ýíÿ 
ð À9ÿ :6à ÿà ;%CNò!<óàé)ôéî6.éãå ôîÀ_ò ÀôîÀ'ò ?ãâë)èõð W* ÿþ ]*ˆàð)í * 7 ]ö õ¼ôë6ôäâõ¼ôë)ôä3
ýíÿ 
ð À9ÿ "!<:6à ÿàà ;%.å Nòóé)ôéî6éãôîÀ_ò ÀôîÀ'ò ?ãâë)èõÿþ ]Aÿþ ]6]ö õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ 
ð ?Àø ÿ[email protected]à ANíþ)ýñ.ðå î6ë6Bù fö!7ã;ø]öøÀ6ôWGA 6ãø]öøÀ9ô )ÈöøÈùáôä "!&
:= üãâé)Eè 6ã)ä)ûä`ã ü
â
ã
)
é
è
E
È
ò

ó
ä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
–
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ
ðÀÿAà.å
à üý
"!&; :
ull
rig
ht
s.
Inbound connections to the email gateway’s SMTP services and web/portal server’s
web services are allowed generally. VPN clients are also allowed inbound connections from the VPN gateway’s private interface to a number of services on the internal
server network. Technical Support personnel are also allowed access to all internal
systems via SSH or PCAnywhere, as noted above 5.2 on page 32, and to the telnet service on some legacy Cisco switches. Here are the relevant snippets from the
firewall configuration script, with additional comments:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ßßAàâáãâä9–çˆèÖãâé6êÖëãÖì
ßßQùóäõ¼ôóøâîÀôäâ7÷ ä6êñëÖîî6äÖõâõôé&ä6êSüòÖé6óôëã-õ6ä)óûä6ó
ß ýíÿ ð Aà .
Key fingerprint
ýíÿ 
ð =ÀAF19
ÿ :Cíâý FA27
%
í Èòú2F94
ôîÀò 998D
]ö5öÖáãüFDB5
ôøÈòÖé)óâô DE3D
¼÷ F8B5 06E4 A169 4E46
å h#
å 14ä 0 ¼÷äÖ"!<õ¼ôà øÈùë)
ô.øüé6Eù Èòé)ó)ô(õ R*
]ö1õ¼ôë6ôä
)õ¼ôë)ô7
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô À÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)ô(õ R*
]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
"!<à
.
ýíÿ 
ð ÀÿAà . fö!ãø]öøÀ6ô 6ãø]öøÀ9ô )ÈöøÈùáôä "!
:= 6ãâé)>
ÿþâ ýþ íýÿ Bí A ð è À6ÿAãâä)àûä-ã )%. 6ãâ"!<é)>è ÿÈòþþóä ý?í ø @,Ahà %
ßßAàâáãâ9ä –çˆèÖãâé6êÖëãÖì
ßßQùóäõ¼ôóøâîÀôäâ÷-ðJíý5ëÖîîüäÖõõôé5äÀöëøüã-èë)ôäÖë
ß ýíÿ ð Aà .
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô ¼÷
å h#
å 140 ¼÷äÖ"!<õ¼ôàøÈùë)
ô.øüé6Eù Èòé)ó)ô(õ $R*)$ ]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô À÷
å h#
å 14ä 0 ¼÷äÖ"!<õ¼ôà øÈùë)
ô.øüé6Eù Èòé)ó)ô(õ $R*)$ ]ö1õ¼ôë6ôä
)õ¼ôë)ô7
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%. 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6Ahàãø]öøÀ9ô %)ÈöøÈÿùþáþôä ýBí"! A
:= 6ãâé)>
ýíÿ 
ð ÀÿAà . "!<ÿþþ ýí
ßßAàâ áãâäºåçƒèÖãâé6êëãÖì
ß
ûßAß ë6ÿÖóãøü3ãé6áPõ ý Aõ6ä)áóûõ6ä6ø)óî6äÖõõ èä)ôúëÖîîüäÖõõôé øÈùôä6óâùÖëãAõüä)óûä)ó7õ ?é)ó
Key fingerprint
ýíÿ 
ð =AF19
Aà FA27
.å 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
_
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å
å À÷!å hå
¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)óâôõ
æå âæ æ Èå ]öõÀôë)ôä âõÀ)ôæ ë)ôä
<à )æ å Nå
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å å åå À÷!]ö å õ¼ôhë)å ôä âõ¼ôë)ôä ¼÷äÖõ¼ôøÈù-ë)ôà øüé6ù Èòé)å óâôõ
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò fö5öáã6ôøÈòé)óô )õ
åå Èå å Àfö÷!õÀå ôë)hôå ä âõÀôë)ôä ¼÷äÖõ¼ôøÈ<ùë)àôøüé6ù Èòå é)óâôõ
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã å 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôå ÈöJøÈÿùâþáþôâä ýí
ýíÿ ð ÀÿAà å <ÿþþ ýí
ßßAàâáãâäºåÀæçƒèÖãâé6êëãÖì
ß
Key fingerprint
ßAíäÖîÀïñð6áâ=òòÖAF19
é)óô<èä)FA27
ôõóäÀö2F94
é)ôä<ëâ998D
÷¼öiøÈùñëÖFDB5
îî6äÖõâõDE3D
ôéúëãã F8B5 06E4 A169 4E46
ýßøÈùþ)ôÿâùä)óâùÖïëä)ãóïÖä éÖõ¼ôõ-ëüù÷<ôâïÖä êÖé)ó÷ä)ó<óé6áôä)ó<ûøüëñõõÀï é)ó
ýíÿ 
ð 5þø¼÷ Öæ ýíÿ 
ð ÷Àÿ Öýæ í¼ ÷!å ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!<þø¼
ýíÿ 
ð
Àÿ ý í ¼÷!#
å h#å ]#å hå $ ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!<þø¼
÷
Öæ ýíÿ 
ð 5þø¼÷ Öæ hå
ýíÿ 
ð Àÿ5þø¼÷ Öæ &ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷Öæhå
ýíÿ 
ð Aà .åÀæ
ýíÿ 
å .åÈæâõ å 0$12 fö
õ¼ôë)ôäâõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæ àh/
ýíÿ 
å .åÈæâõ å 0$4h5å fö
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ àh/
ýíÿ 
å .åÈæâõ å ]å hå ]ö
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ àh/
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $140 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $140 ¼÷
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
å ]#å h#å h8å $ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ;%
$0 8) 8 #$ E
R* $L*
R*
$R*+R*a R*+))L*+)Y*+) R*+$R*a$Y*
)$R* TL*
R*+ ,
-
"! . 9: ;%
$0 8) 8 #$ E
R*+ '*aR*+ 8 3
"! . 9: ;%
$0 8) 8 #$ E
R* L*+$R*+ ,
-
"! . . %
<)
"!
:= >
-)% > ? @,A ,
BA
. C!
© SANS Institute 2000 - 2005
Author retains full rights.
)õ¼ôë)ôä
<à åÀæ
ýíÿ ð Àÿ ý í Èòúá÷)ò âõ å hå hå
À÷
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù Èòé)óô
]ö õ¼ôë)ôä
ýíÿ ð Àÿ ý í Èòúá÷)ò âõ å hå hå
À÷
å )]õ¼å ôhë)å ôhäå ¼÷<äÖõ¼àôøÈùÖë)ôåÀø¼æé6ù ÈòÖéüóô
fö õÀôë)ôä
ýíÿ ð 5þø¼÷ Öæ
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ ÖÀ÷!æ å
)ýýõ¼íôíÿÿë)ôä ðð Àÿ5þA6ø¼à÷ ÿþø¼à÷ Öæ ÖÀ÷!æ å hå hå ]å fö õÀôë)ôä
ýíÿ ð Àÿ5þø¼÷ Öæ ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
ÀA÷þäÖõ¼ø¼ô÷ øNùÖë)Öôæøüéüù ÈòÖéüóôõ å fö õÀôë)ôä âõÀôë)ôä
fö
õ¼ôýë)ôíÿä âõÀð ôë)Àÿ5ôä þø¼÷ ÖAæ à åÈæâõ å
fö
õ¼ôýë)ôíÿä âõÀð ôë)Àÿ5ôä þø¼÷ ÖAæ à åÈæâõ å hå
]ö
õ¼ôýë)ôíÿä âõÀð ôë)Àÿ5ôä þø¼÷ ÖAæ à åÈæâõ å ]å hå
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å
¼÷
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù Èòé)óô
]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å
¼÷
å ]å hå h-å à ¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóô
fö õÀôë)ôä âõÀôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
¼÷
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù Èòé)óô
]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
¼÷
å ]å hå h-å à ¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóô
fö õÀôë)ôä âõÀôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ]å
¼÷
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù Èòé)óô
]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ]å
¼÷
å ]å hå h-å à ¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóô
fö õÀôë)ôä âõÀôë)ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã åÀæ 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôåÀæ ÈöJøÈÿùâþáþôâä ýí
ýíÿ ð ÀÿAà åÀæ <ÿþþ ýí
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
7
"! .
6
8 0 '
-$) 7
"! .
6
8 # # # 8$ '
-$) 7
"! .
9: ; 8 7
"!
9: ; 5 # # $ 7
"!
&
'
($) '*+ ,
-
"!
0$12 Key fingerprint
= AF19
3 FA27
"! 2F94
. 998D FDB5 DE3D F8B5 06E4 A169 4E46
0$4 5 3
"! .
3
"! .
9: ;%
8$14 0 '
-$) 7
"! .
9: ;%
8$14 # # # 8$ '
-$) ,
"! .
9: ;%
8$2 # 0 '
-$) 7
"! .
9: ;%
8$2 # # # # 8$ '
-$) ,
"! .
9: ;%
8 0 '
-$) 7
"! .
9: ;%
8 # # # 8$ '
-$) ,
"! .
.
%
<)
"!
:= >
-)% > ? @,A ,
BA
.
C!
All the systems on the network perimeter are allowed to send SNMP traps or informs
to a network management station inside GIAC Enterprises network. DMZ hosts are
Key fingerprint
= AF19from
FA27
2F94 998D
FDB5 DE3Dto
F8B5
06E4 A169
4E46 hosts. The
otherwise
forbidden
making
any connections
the firewall
or internal
© SANS Institute 2000 - 2005
Author retains full rights.
border router and firewall are also allowed to send logs to the central syslog server.
Finally, inbound ident connections to the email gateway are specifically rejected with
an ICMP port-unreachable packet so that SMTP connections from gateways that use
ident queries don’t hang. Here are the relevant snippets from the firewall configuration
script with additional comments:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßßAàâáãâäAæ–çˆèÖãâé6êÖëãÖì
ßßAÿÖããâ"é úð JýAôóëüòõÖøÈù?é)óüöiõ%êÖëÖîF5ôé9JëüùÖë)èäÀöä6ùôúõÀôë)ôøüéüù
ß ýíÿ ð Aà .âæ
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å hb
å ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù
ÈòÖéüóôúå ) ]ö õ¼ôë6ô
ä âõ¼ôë)ôä
"!-à .)æ
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å h#å hb
å ¼÷
å h#
å "!-0à$ =AF19
¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
Key fingerprint
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
.)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å h5å ) ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à .)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12$ ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å h5å ) ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å ]å $ À÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à .)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12$ ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã-)%.âæ 6ãâé)fö!è>Èòãóø]öä?øÀô6ø@,6Ahàãø]öúøÀô9æ%)ÈöøÈÿùþáþôäýíB"! A
ßßAàâýáíÿãâ亝åð çƒèÖÀÿAãâé6àêëãÖì .âæ "!<ÿþþýí
ßß<êãâéÖî FøÈùèAëîî6äÖõõôéºøÈùôä)óâùÖëãùÖä)ô
ßúßAàâë6ùá9÷ãâä?õøÀôâóïÖä Öë)ô<ëãòÖ3ã ä)ó¼?)öóéÀøÀöô5;ëÖJ
îcîüäÖ õõôé õ6ä)óûä)óõ
ßúß é6ù ;J
cñõÀïÖé6áÖã)÷ êÖä5ëâ÷÷äâ÷AëüêÖé)ûä ýíÿ 
ðð À5ÿ þ ø¼ý÷ íâõ å )å h5å )) "!5þø¼÷ å )
ýíÿ 
ýíÿ
ðÀÿ ýí âõ åhå514 "!5þø¼÷å)
ýíÿ 
ðð ÀÀÿÿ ýý íí ââõõ åå hh5å5å 14)$ ""!5!5þþø¼ø¼÷÷ åå ))
ýíÿ 
ýíÿ
ðAà.å
ýíÿ 
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!#å#å hh5å5å hh#å#å hå )å ""!<!<àà ..åå
ýíÿ 
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#hå#$ "!<à
.å
ýíÿ 
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!åå ]]#å#å 1h4#å hhb
å ""!<!<àà ..åå b
ýíÿ 
å
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#) "!<à
.å
ýíÿ 
ð Àÿ ý í âõ å h5å )) ¼÷18å "!
à .å ýíÿ 
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ 
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ 
ð
Àÿ ý í âõ å h5
å )$ ¼÷18å "!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å )) ¼÷!å 0 C!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å )$ ¼÷!å 0 C!
à .å ýíÿ 
ð è À6ÿAãâä)àûäUã B.å 6ãâé)>è]ö!ÈòãÖóäø]ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)Èö7øÈ;ùâáôWGä "A !
:= 6ãâé)>
ýíÿ 
ð ÀÿAà .å C!&;âà :6ý
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:= >
©
SA
ßßAàâ áãâäºå)çƒèÖãâé6êëãÖì
ß
ß9øÀó"ä Öëãã ëüù9÷ é)ó÷ä)ó<àé6áôä)óJöë õ6ä6ù÷úãâé)èâèøÈùè
öäõõ6ë)èäõôé î6ä6ùôóëãACõ õ6ãâé)è õ6ä)óâûä)ó4KøÀóäÖëããLN]õãâé)èõ
ë)óä<óé6áôäâ÷Aéüáô!øÈôõ-ãâé)èèøNùè øÈùôä)ó ?ëÖîüä í)ïÖä<êé)ó÷ä)ó
óéüáôä)ó-ïÖë=õJAF19
ùéñãâé6èFA27
èøÈùè 2F94
øNùôä)ó ?998D
ëÖî6Rä *›õ6FDB5
é ä5ëDE3D
&
ããâé ãâF8B5
é)èõôé 06E4 A169 4E46
Key fingerprint
© SANS Institute 2000 - 2005
Author retains full rights.
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßî6éÈ öýíä&ÿ?â
óéÀö ðøÀôA-õ à?øÈó.õ¼ô5å) ä)ôâïä)óâùÖä)ô øNùôä)ó?ëÖî6ä
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å]å#) ¼÷
å h#
å "!-]åà å .¼÷å äÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $åT ]ö õ¼ôë6ôäâõ¼ôë)ôä
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å ) ¼÷
å h#
å "!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#
å
]åå ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à .å )
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å ]å $ À÷
å h#
å
]åå ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.å)
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.å )6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ),)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
Key fingerprint
=ÀAF19
ýíÿ
ð
A
ÿ
FA27
à
.å) 2F94
C!<ÿþþ998D
ýí FDB5 DE3D F8B5 06E4 A169 4E46
ßßAàâáãâäºå çƒèÖãâé6êëãÖì
ß
òÖßAß é6àóô<ä !áäùî¼óô äëø¼÷îÀïÖä6ùë6ôêã)O6äRáÖ*›ä)óõüéøüäõhõöÖôôâòºé<ôâî6ïÖé6ùäAûäÀä6öóëõ6ë)øüã-ôø¼èé6ë)ùôõä ÷Öé6ë ù23Nˆô-øÀïôâïñë6ùè4ë ýíÿ 
ð Aà .å ýíÿ 
ð Àÿ ù :CȝòÖíâéüýóôú%í åÈå òú ôîÀ"ò!-à ¼÷!.å å ]#å 14
À÷äÖõ¼ôøNùÖë)ôøüéü'
ýíÿ 
ð À9ÿ ù È:6òÖà éüÿóôúà ;%åå Èòúô"!-îÀò à À÷!.8åå h#å 12
À÷äÖõ¼ôøNùÖë)ôøüéü'
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈàùâáôdä þâBí"! A
:= 6ãâé)>
ýíÿ 
øâî]öÖ'ò ÈòÖé6óEôð ÈáÀÿAùóà äëÖîNïÖ.ëüêå ã6ä C!<à dþâí Àóä !âäÖî¼Eô 8øÀôâï
Ÿ~Lˆ‡ Outbound Access Rules
©
SA
NS
In
Outbound ICMP is restricted carefully. Echo requests and unreachables are allowed
out, the latter only in response to an inbound connection request. Echo replies to
pings to the VPN gateway are allowed out as well. These are covered by the generic
rules permiting packets belonging to established connections. All other standard types
are blocked. This protects the network from traceroute probes and other types of
reconnaisance. It also prevents most types of inbound ICMP traffic, because if no
outbound request is allowed, no inbound response will be allowed either. Outbound
fragments and TCP Scans are blocked in the same way as for inbound attempts. Here
are snippets from the firewall configuration script with additional comments:
ßßAàâáãâä9–çÆä)ôâïì
ß
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ß9;óé6ò öéõ¼ôAôâòÖäÖõé?ñé6áôâêÖé6áù÷ þJý[email protected]î6äüòôøüé6ùõJë)óä
äÖîÈïÖé-óäO)áÖäõ¼ôõJë6ù÷ þJý<áùóäâëÖîÀïÖë6êÖãâäÖõLeJë6ùñé?Aô)ïÖäÖõ6ä
ô)òÖäÖ`õ ø6ãâã êä5÷âóé6òòÖäâ÷ ê5ô)ïÖäºøföÖòãÖøâîøÀô<÷ä?ë6áã6ôQ;W*
êá9ô &ä ÖëüùôAôé îüë6òôâáóäôâïÖäÀö øÈù ë õÀòÖäÖîø¼ëãJóâáã)ä íâïä)óä<ë)óä<ûä)ó ?ä ºî6ëÖõ6äÖõAøNù ïøâîÀïAôâïÖäõ6ä òÖëÖCî Fä6ôõë)óä
ãÖ8ø Fäã <ôé5ë6òòäë)9ó ?é)óñãâä6èøÀôø]öë)ôäJóäëÖõ6é6ùLõ XÖä øÈùî6ãüá÷ä
õ6éüáóî6Qä O)áä6ùîÀïºøÈùúôâïø)õèâóé6áò<êÖäî6ë6áõ6äñøÈôºîüë6ùúêä-áõ6äâ÷
?é6óñë&;:âð
ß ýíÿ ð úä)ôâ
ï .:üá
ô .6à .
ýíÿ 
åå å "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ 
åå "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð =ÀAF19
í üé5
ä)ôâ
ï %998D
Nò!ø)îhFDB5
öÖò DE3D
ø)îhöÖ'ò Àô F8B5
âòÖä 06E4 A169 4E46
Key fingerprint
2F94
$å
"!5ä)ôâ
ïÿ :C.:üíâáýô FA27
.üà .
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å "!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å $
"!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
Tå "!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å )
"!5ä)ôâ
æ ý íÿ "!5ð ä)ôâÀïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å "!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
"!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
"!5ä)ôâ
ýíÿ 
åå å "!5ð ä)À9ÿôâ
ï :6.à:üÿá
ô à.6;à ¼
é5. ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
ýíÿ 
åå "!5ð ä)À9ÿôâ
ï :6.à:üÿá
ô à.6;à ¼
é5. ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
ýíÿ 
ð Àï9ÿ .:6:üàáÿô .üàà ;¼.é5 ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ .:6:üàáÿô .üàà ;¼.é5 ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$å
"!5ä)ôâ
ýíÿ 
ð Àï9ÿ .:6:üàáÿô .üàà ;¼.é5 ä6ôâï ,Èò!øâîhöÖò øâîhöÖEò Àô âòÖä
$
"!5ä)ôâ
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
æ ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï
ýíÿ ð Àÿúä)ôâï üáô 6à
þNöýýíøÈùÿ áôä ð Àÿúä)ôâï ü6áã)é)ô è6à6ãâä6ûäã
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
Èò!øâîhöÖò øâîhöÖò Àô âòÖä
fö1ãÖøföøÀô 6ãø]öøÀô
6ã)é)è Èòóä ø Öëâ÷
à üý
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ; ,
E $
"!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E T
"!
.: . .
9: ; ,
E )
"!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E Key fingerprint
998D FDB5 DE3D F8B5 06E4 A169 4E46
"! = AF19
.: FA27
. 2F94
.
.: . .
%
)
"!9
:= E
UB E ? @AV
J 6U;WGA
.: . .
"!Q; :
-2
00
5,
A
The firewall, the email gateway, and the web/portal server also fulfill the role of time
hosts for the rest of the company’s network. They are allowed access to the NTP
ports on nine public NTP servers. Each server synchronizes with three different time
servers. All internal hosts are allowed to use the NTP service on these hosts for time
synchronization. No other access to internet time servers is granted:
©
SA
NS
In
sti
tu
te
20
00
ßßAàâáãâä9–çˆèÖãâé6êÖëãÖì
ßßAÿÖããïÖéÖõÀôõJèä)ôAôø]öä&?âóéÀö ôâïÖäÖõ6äúõüä)óûä)óõ
ß ýíÿ ð Aà .
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å ¼÷
å ]#å h#å hä8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ #å hå#]å#hå$ ¼÷
å)]õ¼#å ôhë)#å ôhä78å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å ¼÷
å ]#å h#å hä8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ #å h#å ]#å hå $ ¼÷
å ]#å h#å h8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ôä7
ýíÿ 
ð 5þø¼÷ );4
Key fingerprint
ýíÿ 
ð =ÀAF19
ÿ :Cíâý FA27
í â2F94
õ å 0998D
FDB5
fö õÀDE3D
ôë)ôä F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
)õ¼ôë)ôä
Aþø¼÷
ýíÿ <þð ø¼÷Àÿ íâý í âõ å hå hå hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
à Àý÷íäÖÿõ¼ôøNù֝ë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]hö1å õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å
fö õÀôë)ôä âõÀôë)ôä
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å hå hå hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷
hå Èò5á÷)ò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
hå Èò5á÷)ò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð 5þø¼÷
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å hå hå ]å fö õÀôë)ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
à Àý÷íäÖÿõ¼ôøNù֝ë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å hå hå ]å fö õÀôë)ôä
ýíÿ ð Àÿ5þø¼÷
Èò5á÷)ò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
Èò5á÷)ò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã 6ãâé)fö!è Èòãóø]öä øÀô ø 6hàãø]öøÀô ÈöøÈÿùþáþôä ýí
ýíÿ ð ÀÿAà
<ÿþþ ýí
ßßAàâáãâäºTå ÚçƒèÖãâé6êëãÖì
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
7
"!
)";4
:C # 5 # $ "!
);4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
:C 0 ,
"!
);4
:C # 5 # $ "!
);4
);4 `
#14
'
,
-
C!
.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
);4 `
#14
'
,
-
C!
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
.
6
9)
"!
:= >
-)% > ? @,A %
BA
. "!
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßßAÿÖããâé"AôâïÖäÖõ6äñõ6ä6óûä)óõôé îüé6ùôëÖîÀô õ6äãâäÖîÀôäâ÷3íâýºõüä)óûä)óõ
ß ýíÿ ð Aà .Tå ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å#hå5hå#hå) ¼÷
â
æ $#å ]å )#å " !<à¼÷
ä.õ¼ôåTøÈùÖë6ôøüé6ù'NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
å )$)$ ¼÷äõ¼ôøÈùÖë6ôøüé6'
)õ¼ôë)ô7
ä "!<à .Tå ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
å $
æ
0$
æ hå "!<à¼÷äÖ
õ¼ô.øÈåTùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
8å )2hå $)0 ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
)õ¼ôë)ô7
ä "!<à .Tå ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
åÀæ hTå hVå " !<à¼÷
ä.õ¼ôåTøÈùÖë6ôøüé6'ù NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
)$å#
å ä ]å æ h/
å "!<Àà÷äÖõ¼
ô.øNùÖTå ë)ôøüéü'ù ÈòÖéüóôúå ]ö1õ¼ôë6ôä
)õ¼ôë)ô7
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
)$å#
å ]å æ håâb
å "!<à¼÷äÖ
õ¼ô.øÈåTùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
å hå $
å "!<à¼÷äÖ
õ¼ô.øÈTå ùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ô7
ä æ håâb
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å hå ) ¼÷
å hå $håâb
å "!<à¼÷äÖ
õ¼ô.øÈåTùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
â
æ $#å ä ]å )#å " !<à¼÷
ä.õ¼ôTå øÈùÖë6ôøüé6'ù NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ô7
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
å )$)$ ¼÷äõ¼ôøÈùÖë6ôøüé6'
ù NòÖé6óôúå ]öõÀôë)ôä
)õ¼ôë)ôä7
"!<à
.åT
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
å $
æ ä 0$æ hå "!<à¼÷äÖ
õ¼ô.øÈTå ùÖë)ôø¼é6'ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ô7
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
8å )2hå $)0 ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù Èòé)óâôúå föõ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åT
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
åÀæ)õ¼ôhë)Tå ô7ä hVå " !<à¼÷
ä.õ¼ôTå øÈùÖë6ôøüé6'ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å hå ) ¼÷
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
)õ¼ôë)åôå ä ]å æ hå <Àà÷äÖõ¼ôøNùÖå ë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å hå hå hå ¼÷
)õ¼ôë)åôå ä ]å æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å hå hå hå ¼÷
å )õ¼ôhë)å ôä æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å hå hå hå ¼÷
å )õ¼ôhë)å ôä håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð 5þø¼÷ å
ýíÿ <þð ø¼÷Àÿ 6à ÿå à )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ <þð ø¼÷Àÿ 6à ÿå à )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ æ å hå å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å æ âæ hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ å ]å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!åÀæ hå hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ hå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå æ håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå håå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð 5þø¼÷ å hå
ýíÿ <þð ø¼÷Àÿ 6à ÿå à hå )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ <þð ø¼÷Àÿ 6à ÿå à hå )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
)$ # /
'
7
"! . T
:C %
# 5 # ) )$ # b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "!
) f[
) V[&
$ # 8) #
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
E
8 3
"!
. T
) V[&
)0$)$
E
8 3
"!
. T
) V[&
$ $ E
8 3
"!
. T
) V[&
)4 $)
E
8 3
"!
. T
) V[&
T
0 T
E
8 3
"!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
$0 '
,
-
C!
. T
) V[&
$0
'
,
-
C!
. T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "
!
)
f
[
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ æ å hå å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å æ âæ hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ å ]å
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!åÀæ hå hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ hå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ håå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå æ håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã å 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôå ÈöJøÈÿùâþáþôâä ýí
ýíÿ ð ÀÿAà å <ÿþþ ýí
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
) V[ `
$ # 8) #
E
8 3
"!
. T
) V[ `
)0$)$
E
8 3
"!
. T
) V[ `
$ $ E
8 3
"!
. T
) V[ `
)4 $)
'
,
-
C!
. T
) V[ `
T
0 T
E
8 3
"!
. T
) V[ `
)$0 # 8 '
,
F8B5
C!
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D
06E4 A169 4E46
. T
) V[ `
)$0 # 8 '
,
-
C!
. T
) V[ `
$0 '
,
-
C!
. T
) V[ `
$0
'
,
-
C!
. T
. T
%
<)
"!
:= >
-)% > ? @,A T6
BA
. T C!
In
sti
tu
te
The email gateway is allowed to contact internet mailservers to conduct SMTP transactions. It also runs a caching-only DNS service to improve its mail-handling response
time and serves as a forwarder for our internal nameserver so it doesn’t have to contact internet nameservers directly. The email gateway DNS service is allowed to contact internet DNS servers for name resolution. The internal nameserver is allowed to
contact the email gateway to forward queries it cannot resolve on its own:
©
SA
NS
ßßAàâáãâäQÎçˆèÖãâé6êÖëãÖì
ß
ß9ä@üî6öä6òëô<øüãôèé9ë)ô?äøÀóäë Ö5ëëããã ãâé"Öäâ÷AëÖîîüäÖõõôé&?é)óÖë)ó÷öëÖø6ãL*
ß ýíÿ ð 5þø¼÷ âæ ;
)
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ]ö5öÖáã6ôøÈòÖé)óô âõ å hå514
¼÷äÖõ¼ôøÈùë)ôøüé6E
ù ÈòÖé6óâôgõ $R*
)$R*+$ ]ö õ¼ôë)ôä âõ¼ôë)ôä3
"!Aþø¼÷æ;
)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ý íÿ
ðÀÿ ýí6Èòúá÷)ò âõ åhå514
þÀøÀ÷÷äÖõ¼ô
øNùÖë)æô;
)øüéü0ù' ÈòÖéüóô-$ ]ö õ¼ôë)ôäâõ¼ôë)ôä3 "!
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòé)ó)ôõ($R*)$R*+$ ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!Aþø¼÷æ;
)
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12
þÀøÀ ý÷÷ íäÖÿõ¼
ô
øNù֝ë)æð ô;
À)øüÿ5éü0'ù þÈòÖø¼÷ éüó-ô $âæ ;
])ö õ¼ôë)¼ô÷!ä #å hâ5å õ¼hô#å ë)hôå 3ä) "!<à"! í à
ýíÿ
ðÀÿ5þø¼÷âæ;
) ¼÷!å#hå5hå#å "!<àíà
ýíÿ 
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââææ ;
;
)) ¼¼÷!÷!åå ]]#å#å h14#å h$b
"!<à í à ýíÿ 
å
"!<à í à ýíÿ
ðÀÿ5þø¼÷âæ;
) ¼÷!å]å#hå#håb"!<àíà
ýíÿ 
ðð Àÿ5Aàþø¼÷ ..âæ ;
) ¼÷!å ]#å ) "!<à í à ýíÿ 
ýíÿ 
ð .Àÿ5þø¼÷ âæ ;
) ]ö õ¼ôë6ôä âõ¼ôë)ô3ä "
<
!
à
.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%..6ãâé)>è ]ÈöpòóãÖä ?ø]öiø @,øÀ6ô Ahà6ãÖ9ø]öiBøÀ9ô )ÈöiÿþøÈùþ áýôBíä CA !
:= 6ãâé)>
ýíÿ 
ßßAàâáãâ9ä )–ð çˆèÖãâÀÿAé6êÖàëãÖì .. "!<ÿþþ ýâí
ß
ß ùôä6óâùÖë7ã ;ðöëÖõ¼ôä)ó îüë6ù ?é)ó Öë6ó÷<é6áôõø¼÷Qä O)áä)óøüäÖõôé
î6ëîÀïøÈù>è üé6ùã 7;ð õ6ä)óâûä)ó5é6ùñäÀöëÖø6ã èë)ôä ë 4 ôºîüë6ù
ëãõ6&é ?é)ó Öë6óQ÷ hé6ùä-áâò÷ë)ôäùé)ôCø ?ø)î6ë)ôøüéüùLõ iÖëÖõ¼ôø¼é6ù
ïÖëÖéõ7õ¼Öôäõãâáãõ6 ä5äÀöëÖø6ãèë)ô"ä Öë 5ëÖõJôâïÖäÖøÀó<òóø]öë6ó Q;ð õ6ä)óâûä)ó
ß ýíÿ ð Aà .)
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å hb
å ¼÷!å h5å 14
¼÷äÖõ¼ôøÈùë)ôøüé6E
ù
ÈòÖé6óâ3
ô
$ ]öõÀôë)ô,
ä
âõÀôë)ôä "!
à
.)
ýíÿ 
ð Àÿ :Cù ÈíâòÖý é6óâ%í 3ô È$ò5 á÷)]òöõÀâôõë)ôå,ä ]#åâõÀh#åôë)hb
åô-ä ¼÷! å "h5å!<14à .)
¼÷äÖõ¼ôøÈùë)ôøüé6E
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $hå À÷
å h#
å 14"!-0 à¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å )hå $ À÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
"!-à .)
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å h5å ) ¼÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
"!-à.)
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#
å 14"!-0 à ¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ 
ð =ÀAF19
ÿ :6à ÿFA27
9
à ;%Èòú2F94
ôîÀò 998D
)õ 8å h#
å 12 DE3D
¼÷ F8B5 06E4 A169 4E46
Key fingerprint
FDB5
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
© SANS Institute 2000 - 2005
Author retains full rights.
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã 6ãâé)fö!è Èòãóø]öä øÀô ø
ýíÿ ð ÀÿAà
<ÿþþ ýí
]öõÀôë)ôä )õ¼ôë)ôä
å hå ¼÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå
¼÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå hå À÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå hå À÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå hå ¼÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå hå ]å À÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå ¼÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå ¼÷
]öõÀôë)ôä )õ¼ôë)ôä
å hå
¼÷
]öõÀôë)ôä )õ¼ôë)ôä
6hàãø]öøÀô ÈöøÈÿùþáþôä ýí
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
#140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12$ #140 E
Q$ "! .)
9: ;%
8 #$ #140 E
Q$ "! .)
9: ;%
8 #) $ #140 E
Q$ "! .)
9: ;%
8 # 5) #140 E
Q$ "
!
.
)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
9: ;%
5 # # $ #140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12$ #140 E
Q$ "! .)
.)
6
9)
"!
:= >
-)% > ? @,A )%
BA
.) "!
In
sti
tu
All internal systems are allowed to perform pings, traceroutes, and whois queries to
internet hosts for network troubleshooting, but FTP and web requests must go through
the web proxy. No direct connections to internet hosts are allowed. Requests that the
web proxy can’t cache are simply passed through it:
©
SA
NS
ßßAàâáãâäAæ–çˆèÖãâé6êÖëãÖì
ß
ß&ßúÖää@6ê5î)ã¼ýáó÷éä<@5÷ëÖîîüéäÖäÖõõõôëéãã-òÖ÷é)óâøÈôóäÖõ î¼é6ô ùñî6ô)éüùïÖùÖä&äÖ?î¼ôøÀóøüäé6ù-ëôãéºã øÈùôä)óâùÖä6ô3Öä6êS?âôâò õ6ä)óâûä)óõLMÖäAä@âòãøâîøÀôÖã"
ß ýíÿ ð 5þø¼÷ )âþ;4
ýíÿ
ðÀÿ ýí6ÈòñôîÀò
]ö5öÖáã6ôøÈòÖé)óô âõ åhå5$håT ¼÷äõ¼ôøÈùÖë6ôøüé6ù'Nòé)ó)ôõ(å'*+L*+R*
]öõÀôë
ýíÿ 
ð
À9
ÿ
:6à ÿà ;%ÈòúôîÀò
fö5öáã6ôøÈòé)óô )õ å8hå#$håT ¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'Èòé)óâôõ(åE*+R*+R*
]ö õ
ýíÿ 
ð
Àÿ5þø¼÷ )âþ ;4 ¼÷!#
å h5åå5hh#åå#hå )åDE3D
"!<àíà
Key fingerprint
=ÀAF19
ýíÿ
ð
ÿ5þø¼÷FA27
)âþ2F94
;4 998D
¼÷!å#hFDB5
"!<àF8B5
íà 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýýííÿÿ
ððÀÀÿ5ÿ5þþø¼ø¼÷÷)â)âþþ;4;4 ¼¼÷!÷!åå]]å#å#h14å#h$åb""!<!<ààííàà
ýýííÿÿ ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ )â)âþþ ;4;4 ¼¼÷!÷!åå]]å#å#h)å#håb""!<!<ààííàà
ýýííÿÿ ðð ÀAÿ5àþø¼÷ .âæ.)âþ ;4 ]ö õ¼ôë6ôäâõ¼ôë)ôä3 C!<à.âæ.
ýýííÿÿ
ððÀÀÿAÿAàà.â.âææ.. "!<]öpÿþãÖþø]öiýâøÀô6í 6ãÖø]öiøÀô9)ÈöiøÈùáôäC!9:= 6ãâé6èE6ãâä)ûäã-)%6ãâé6èEÈòóä?ø@%Ahà5æ%
ßßAàâáãâäºå çƒèÖãâé6êëãÖì
ß
ßúëããâ"é Aôóé6áêÖãâäÖõÀïÖéâé)ôøÈùè ë6ù âôâïøÈùQè ?âóéÀö øÈùôä)óâùÖëãïÖéÖõ¼ôYõ íâïÖQä Pý Aèë6ôä Öë N]õ
ß<òáêãøâîAøÈùôä6ó ?ëÖî6ä5øâõñøNùî)ãüá÷äâ÷ñøÈù5ôâïø)õ<ãøâõ¼ô<êÖäÖî6ëüáõ6-ä ÖäJöë <ùÖää)÷AôéA÷é
ßAß&ôóøÀôâé6ïáâêãâ ýäÖðõÀïäÖéî é)ôøÈùè é ?5ôâïä-òë)óä6ùô øNùôä)ó ?ëÖî6äôéA÷ä)ôäÖî¼ô õ6é6áóî6ä<é ?<òóé6êÖãâäÀöiõ
ß ýíÿ ð Aà .å ýíÿ
ðÀÿ ýí6Èò1ø)îhöÖò
âõ å0 øâîhöÖòEÀôâòÖä-
]öõÀôë)ôä)õ¼ôë)ôä3
"!-à
.å
Key fingerprint
=ÀAF19
998D
ýíÿ 
ý FA27
ð
ÿ
í
6
Èò12F94
)
ø
h
î
Ö
ö
ò
âõ #
å
hFDB5
å
5
h#
å
DE3D
âøâîhF8B5
Ö
ö
ò
'
Èô âòÖ06E4
ä
A169
fö4E46
¼
õ
ô
)
ë

ô
ä
,
âõ¼ôë)ôä
"!Aà .8å ýíÿ 
ð Àÿ ý 6í Èò1ø)îhöÖò ââõõ åå]]#åå#h)#å )$ ø)ø)îhîhöÖöÖ'òò'ÀÀôôâòâòÖÖ3ää3 ]]öö õ¼õ¼ôôë)ë)ôôääââõ¼õ¼ôôë6ë6ôô3ää3 ""!-!-àà
..åå
ýíÿ
ðÀÿ ýí6Èò1ø)îhöÖò
ýíÿ 
ðð ÀÀÿÿ ýý 6í6í ÈÈòñòñôôîÀîÀòò ââõõ å#å h#å ]#å âõü)é6õ6áé6áóóî6äîüSäÈòÖÈòÖé)óé)óâô ô å å 24j)j)$$$$$ $ ¼÷¼÷äÖäÖõ¼ôõÀôøÈùÖøÈùÖë)ôë)ôø¼é6øü'ùé6'ùÈòÖÈòé6óâé6óUô Uô ]ö1]ö õ¼ôõ
ýíÿ 
ýíÿ
ðÀÿ ýí6ÈòñôîÀò
âõ åhå5hå#) âõ6é6áóî6äSÈòé)óôñå4j0)$$$ ¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòÖé6óâô7 ]öõÀôë
ýíÿ 
ð
Àÿ ý 6
í
ÈòñôîÀò
âõ å h5
å )$ âõ6é6áóî6Sä Èòé)óôñùå ÈòÖ4éüój0)-ô $$
$ 2j¼÷äÖ$õ¼ô øÈùfë)öôøüõ¼é6ôEù ë)ÈôòÖ,äé6óâ7ô âõ¼ô ë)ô]-ä öõÀôë
ýíÿ 
ð
Àÿ ý 6
í
Èòúá÷)ò âõ å À÷äÖõ¼ôøNùÖë)ôøüéü'
ýíÿ
ðÀÿ ýí6Èòúá÷)ò âõ å#hå#]å#
¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòÖé)ó)ô3
4j0$ ]ö õ¼ôë)ôäâõ¼ôë6ôä3
ýíÿ 
ðð ÀÀÿÿ ýý 6í6í ÈÈòúòúáá÷)÷)òò ââõõ åå hh5å5å h)#å )$ ¼¼÷÷äÖäÖõÀõÀôôøÈøÈùÖùÖë)ë)ôôøüøüé6é6'ù'ù ÈÈòòé6é6óó-ô-ô 44jj$$ ]]öö õ¼õ¼ôôë)ë)ôô,ä,ä ))õ¼õ¼ôôë)ë)ôô7ä7ä ýíÿ 
ýíÿ
ðÀÿ:Cíâýí%Èò!øâîhöÖò
)õ å8 øâî]öÖò'Àô)òÖä3
]ö1õ¼ôë)ôä%âõ¼ôë)ôä-
"!<à.å
ýíÿ 
ð
À
ÿ
:Cíâý %
í
Èò!øâîhöÖò
)õ 5
å
h#
å
h#
å
0
øâîhöÖE
ò
Àô âòÖä
]öõÀôë)ô
ä
)õ¼ôë)ô3
ä
"!-à .å ýíÿ 
ð Àÿ :Cíâý %í Èò!øâîhöÖò ))õõ 8åå8hh#åå#h)5å )$ ââøâøâîhîhöÖöÖ'òò'ÈÈôôâòâòÖÖ-ää- ffööõ¼õ¼ôôë)ë)ôô,ää,ââõ¼õ¼ôôë)ë)ôô-ää- ""!A!Aàà..8åå8
ýíÿ
ðÀÿ:Cíâýí%Èò!øâîhöÖò
ýíÿ 
ðð ÀÀÿÿ :C:Cíâíâýý %í%í ÈÈòúòúôôîÀîÀòò ââõõ å#å h5å 0h#å )õ6âé6õ6áé6áóóîüSäî6SäÈòÖÈòÖé)óâé6óô ô å 8å 44j)j$)$$$$$ ¼÷¼÷äÖäõÀôõ¼ôøÈùÖøÈùÖë)ôë6ôøüé6øü'ùé6'ùÈòNòé6óé)Uôó)-ô ]ö fö õ
ýíÿ 
ýíÿ
ðÀÿ:Cíâýí%ÈòúôîÀò
âõ å]å#hå#) âõüé6áóî6äÈòÖé)óô å2j)$$$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'ÈòÖé6óâôU
]ö1õ¼ô
ýíÿ 
ð
À
ÿ
:Cíâý %
í
ÈòúôîÀò
âõ å ]#
å )$ âõüé6áóî6ä ÈòÖé)óô ùå Èò2é)óâj)3ô $$
$ 4j¼÷äÖ$õ¼ô øÈùÖë)]öôø¼õÀé6ô'ù ë)ÈôòÖäé6óâUô )
õ¼ô ë)ô3ä]ö1õ¼ô
ýíÿ 
ð
À
ÿ
:Cíâý %
í
Èò5á÷)ò
âõ å 0 ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ýíÿ
ðÀÿ:Cíâýí%Èò5á÷)ò
âõ å#hå5hå# À÷äÖõ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô-
2j$ föõ¼ôë)ôä,âõ¼ôë)ôä-
ýíÿ 
ð
À
ÿ
:Cíâý %
í
Èò5á÷)ò
âõ å ]#
åå h)#å )$ ¼¼÷÷äÖäÖõ¼õ¼ôôøÈøÈùùë)ë)ôôøüøüé6é6EùEù ÈÈòÖòÖé)é)ó)ó)3ô3ô 44j0j0$$ ]]öö õ¼õ¼ôôë)ë)ôôää ââõ¼õ¼ôôë6ë6ôô3ä3ä ýíÿ 
ð
À
ÿ
:Cíâý %
í
Èò5á÷)ò
âõ å ]#
ýíÿ
ðÀÿ9:6àÿà;%Èò!øâîhöò âõ å0 ø)îhöÖò'ÀôâòÖä3
]ö õ¼ôë6ôäâõ¼ôë)ôä3
C!Aà
.å
ýíÿ 
ð
À9
ÿ
:6à ÿà ;%Èò!øâîhöò âõ #
å
h#
å
h5
å
øâî]öÖ'
ò
Àô )òÖ3
ä
]ö1õ¼ôë)ô%
ä
âõ¼ôë)ôä
"!<à .å ýíÿ 
ð À9ÿ :6à ÿà ;%Èò!øâîhöò âõ å h#å ]#å ) øâîhöÖEò Àô âòÖ-ä ]]ööõÀõÀôôë)ë)ôôää))õ¼õ¼ôôë)ë)ôô3ää3 ""!-!-àà
..åå
ýíÿ
ðÀÿ9:6àÿà;%Èò!øâîhöò âõ åhå#0)$ øâîhöÖòEÀôâòÖä-
ýíÿ 
ðð ÀÀ9ÿ9ÿ :6:6àà ÿÿàà ;%;%ÈÈòúòúôôîÀîÀòò ))õõ 8å5å h#å h#å 0
âõ6âé6õ6áéüáóóî6Säî6SäÈòÖNòÖé6óé)óô ôñ8å å 42j)j)$$$$$ $ ¼÷À÷ääÖõ¼ôõ¼ôøÈùÖøNùÖë6ôë)ôøüé6øü'ùéü'ù NòÈòÖé)ó)éüó-ô Uô fö ]ö
ýíÿ 
ýíÿ
ðÀÿ9:6àÿà;%ÈòúôîÀò
)õ å8hå#hå5) )õ6é6áóîüäSÈòÖé)óâô å4j)$$$ ¼÷äÖõÀôøÈùÖë)ôøüé6ù'Èòé6óôU
]ö õ
ýíÿ 
ð
À9
ÿ
:6à ÿà ;%ÈòúôîÀò
)õ 8å h#
å )$ )õ6é6áóîüSä ÈòÖé)óâô ùå NòÖ4é6ój)-ô $$
$ 4j¼÷äÖ$õÀô øÈùÖë)]ö1ôøüõ¼é6ô'ù ë)Èôò%äé6óUô â
õ¼ô ë)ô-ä]ö õ
ýíÿ 
ð
À9
ÿ
:6à ÿà ;%Èò5á÷)ò
)õ 8å ¼÷äõ¼ôøÈùÖë6ôøüé6'
ýíÿ
ðÀÿ9:6àÿà;%Èò5á÷)ò
)õ å5hå#hå#0
¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'Èòé)óâô3
4j$ ]öõÀôë)ôä)õ¼ôë)ôä3
ýíÿ 
ð
À9
ÿ
:6à ÿà ;%Èò5á÷)ò
)õ 8å h#
å#å h)5å )$ ÀÀ÷÷äÖäÖõ¼õ¼ôôøNøNùÖùÖë)ë)ôôøüøüéüéü'ù'ù ÈÈòÖòÖéüéüóó-ô-ô 22jj$$ ffööõ¼õ¼ôôë)ë)ôô,ä,ä ââõ¼õ¼ôôë)ë)ôô-ä-ä ýíÿ 
ð
À
ÿ
9
6
:
à
ÿ
à
%
;
È
5
ò

á
)
÷
ò
)
õ
å
8
h
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
© SANS Institute 2000 - 2005
Author retains full rights.
ýýííÿÿ
ððÀÀÿAÿAàà..åå C!<]ö!ÿ þãÖþø]öýøÀô%í 6ãÖø]öøÈô<)ÈöøÈùâáôä"!9
:= 6ãâé)èEüãâä)ûäã7)66ãâé)èENòóä?ø[email protected],ANà!å,
The Oracle database cluster is allowed to contact a remote payment processor listening on TCP port 4999. These communications are encrypted using SSL. The cluster
always
initiates this contact:
k
rr
eta
ins
f
ull
rig
ht
s.
ßAß àâáãâä9$–çˆèÖãâé6êÖëãÖì
ß:6óëÖî6ãâ3ä ;ë)ôëüêÖëÖõ6ä-ðâä)óûä)ó5ëããâéÖä)÷-ôé îüé6ùôëÖîÀô
Däâë)óôÖãâëüù÷ ýë ¼öä6ùôAð õ¼ôäÀö_õðäÖîÀáóä ýóéÖî6äõõ6é)ó-ûøüë
íß Sð üä6ùîÀó âòôä)÷AîÀïë6ùùÖäRã ýíÿ
ðAà.$
ýíÿ 
ð Àå 9ÿ :6¼à÷ÿäÖõ¼àô;%øÈùë)Èòúôøüôé6EùîÀò ÈòÖé))ó)õ7ô 8å ææhæ#å "h!-å à À÷ .$
å
#
]å h8å h/
Key fingerprint
2F94
ýíÿ 
ð =è À6AF19
ÿAãâä)àûä-ã FA27
.$
fö!ãø]ö998D
øÀ6ô 6ãFDB5
ø]öøÀ9ô )DE3D
ÈöøÈùáôF8B5
ä "! 06E4 A169 4E46
:= 6ãâé)>
)%6ãâé)>
è
Èòóä ?ø @,Ahà $%-;WGA
ýíÿ 
ð ÀÿAà .$ "!&;à :üý
ho
Finally, we allow the network management station to perform SNMP queries to inwardfacing interfaces on the firewall, border router, and DMZ hosts:
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ßßAàâáãâäºåçƒèÖãâé6êëãÖì
ß
ôß9ß é5Jë6ëùÖãë6ãèùÖäÀöä6ôä6Öùôúé)óFAõ¼ô÷ë6ôä)ûøüé6øâùúî6äëõ ãâãâéÖäâ÷-ôé-òä)ó?é)ó¼ö ðJý<O)áÖä6óøüäÖõ
ýíÿ 
ð Aà .å ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å $ ¼÷!åhå5hå#hå
à
¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ôä3 "!
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å $ ¼÷!å hå5hå#hå
à
¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å h#
å h"#å !-0) à¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å]#å h#å "h!-8å à$ .¼÷å äÖ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå )å ]ö õ¼ôë6ôä âõ¼ôë)ôä
#
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!-à.å
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å h#
å 14"!-0 à ¼÷.äÖå õ¼ôøÈùë)ôøüé6Eù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ å hå
À÷
å hå -à ¼å ÷äÖõÀôøÈùÖë)ôøüé6ù Èòé)óôúå å fö õÀôë)ôä âõÀôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å ]å hå h-å à ¼÷å äÖõ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóôúå å ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå -à ¼å ÷äÖõÀôøÈùÖë)ôøüé6ù Èòé)óôúå å fö õÀôë)ôä âõÀôë)ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã å 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôå ÈöJøÈÿùâþáþôâä ýí
ýíÿ ð ÀÿAà å <ÿþþ ýí
ut
Network Address Translation Rules
5,
A
Ÿ~L{Ÿ
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ;%
8 #$ #140$ '
)
,
"! . 9: ;%
8 #$ # #0) E
8)
%
"! . 9: ;%
8 #$ # # # 8$ '
)
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #
1
4
0
$
'
) FDB5
,F8B5
Key fingerprint = AF19 FA27 2F94 998D
DE3D
06E4 A169 4E46
"! . . %
<)
"!
:= >
-)% > ? @,A ,
BA
. C!
NS
In
sti
tu
te
20
00
-2
00
The firewall performs network address translation on all outbound packets from private addresses. It selectively performs NAT on inbound packets also. Since the DMZ
uses RFC 1918 addressing, NAT has to be performed on all packets from or to the
DMZ in order for connections to be sustained. If no NAT is performed on an inbound
connection attempt, the packet(s) will be sent back out the firewall’s public interface
and dropped by the border router’s anti-spoofing rules. If NAT is performed, the rest
of the firewall ruleset will be applied to the packet with its new destination address.
Performing NAT on all packets sent to DMZ hosts improves the accuracy of logging,
because denied packets will be logged by the firewall for the real reason they were
dropped. Inbound syslog packets from the border router are sent to the syslog port
on the firewall’s public interface. The destination IP address of these packets is translated to that of the central logging server. Outbound NTP queries from the web/portal
server and email gateway and DNS queries and SMTP connections from the email
gateway are translated to their public IP addresses. All other outbound connections
are translated to the firewall’s public IP address:
©
SA
ßß âà áã)ä&–çaÿíì
ß
ß9ÿíúé6áôâèéøÈùè-ùôâò5óäO)áÖäõ¼ôõU?âóéÀö ôâïÖä3Öä6êS¼òÖé)óôëã
ëâõ6÷âä6ó÷âóûäÖä)óõõ NfGõ N òáêÖãÖøâZî N%øNùôä)ó ?ëÖî6äôé øÀôõòáâêãÖøâîAøÈùôä)óâùÖä6ô
ýíÿ 
=¼éú
ð =ÀAF19
ô<ùÖë)Bô FA27
ÀÿA
ý :âð62F94
íà :Cí 998D
ä)ô)
ï l%DE3D
ÈòñôîÀò F8B5
âõ 06E4 A169 4E46
Key fingerprint
FDB5
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
åå#]å#hå#140
¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòé)ó)ô å8,"!úðÿí%ÀôéSâõ6é6áóî6ä
ýíÿ 
ð Àô<ùÖë)ôBÀÿAý:âð6íà:Cí =¼éúä)ô)ï
l%Èòúá÷)ò âõ
å h#
åß ]#å å 140
¼÷äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)ô 8å ,"!úð ÿ%í ÀôSé âõ6é6áóî6ä
#
ßß àâáã)ä åaç ÿíì
ß9ÿíúëããAëãã)é Öäâ÷<éüáôèéøNùè-óä O6áÖäÖõ¼ô7õ ?)óéÀö äÀöëÖø6ã
èë6ôä Öë N]Gõ N òáâêãÖøâZî N3øÈùôä)ó ?ëÖî6äôé øÈôõòâáêãÖøâîAøNò ë)÷÷âóäÖõâõ
ýíÿ 
ð Àô<ùÖë)Bô ÀÿAý :âð6íà :Cí =¼éúä)ô)
ï l%ÈòñôîÀBò ]ö
öÖáÖ$Lã6*ô
)øÈòÖ$Ré6*aó$ôR*Èå )õ9"å !5hð#å 1ÿâ4Bí 0 ÀôSé¼÷âäÖõüé6õ¼áôóøÈùî6ë)ä5ô#åøüé6hEù5å Èòé)ó)ôåõ
ýíÿ 
ð Àô<ùÖë)Bô ÀÿAý :âð6íà :Cí =¼éúä)ô)
ï l%Èòúá÷)Bò ]ö
öÖ"áÖ!5ã6ôðøÈòÖÿâí%é6óôÀôéS)õ)õ6é6å áóh#åîüäñ14å#0 hå5¼÷äÖõ¼å ôøÈùë)ôøüé6Eù Èòé)ó)ô(õ $R*È8å ßß àâáã)&ä –=aç AF19
Key fingerprint
ÿíì FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ß
ß ÖäA÷é62ù NˆôA÷9é ÿâíñéüù1øÈùôä)óâùÖëãêÖé @äõô)ïÖë)ô<ôó 5ôé-ïøÀô
&
ôâïä-òâáêãÖøâîë)÷÷âóäÖõâõ6äÖõJé ?AôâïÖ&ä ?øÈóä Öëãâã é)<ó ;J
c
õ6ä6óûä)óYõ #íâïÖä 9ø6ããJêÖä5ë6êãâä-ôé<óäëîÀïAôâïÖ&ä ?øÀóä Öëãã
çNø ?úëããâé Öä)÷(ì øÀô)ïÖé6á&ô ÿâ4í íâïÖä<óâáã)äÖõêÖäãâ"é úô)ïÖë)ô
ïÖùÖëüä6ùôÖ÷é)ãâóä<F2ëÖ îâî6äÖõõôé<ôâïÖQä ;Jc õüä)óûä)ó7õ ?âóéÀö øÈùõø¼÷ä ôâïÖä
ýíÿ 
ð Àô<ùÖë)Bô íÀÿAýÀô:âð6Sé í)àõ6:Cé6áíóîüäñ=#å ¼héú5å hä)#å ô)hï å ) âõ
å 0<C!úð âÿ6
ßß àâáã)&ä –aç ÿíì
ß
ß ÿíúëãã øÈùîüéÀöøÈùèòÖëÖCî Fä6ôõôé<ôâïÖäAäÀöëÖø6ã èë)ôä ë <ôé
9
ôâïä-òóøÀûë)ôäñøÈò ë)÷÷âóäÖõâõJé6ù!øÀôIõ N òáêÖãÖøâZî N%øNùôä)ó ?ëÖî6ä
ýíÿ 
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0_7å C!
;âÿ6
í
ÀôS
é
ßß àâáã)ä3Îçaÿíì
ß
ò9ß óøÀÿûíºë)ôä5øÈùøÈîüòéÀöë)øÈ÷ù÷âè-óòäÖëÖõâCîõFéä)?pôõøÈôôQéõIÖN òä6Sêáêüòãé)øâóîZôN%ëøÈã-ùôõ6ä)ä)óóû?ä)ëó<î6ä ôé
ýíÿ 
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0
<C!
;âÿ6
í
ÀôS
é
ßß àâáã)&ä $–aç ÿíì
ß
ß?øÈóÿä ÖíºëøÈãâù-ã îü?âéÀöóéÀøÈöùè-ôâïòä-ëÖCî êFé)ä)óô÷õä)ôó<é<óôâé6áïÖô-ä ä)
ó<;ôý éACõ ôâõï6äãâé)è-õ õòÖ)é)ãâóâé)ôñè éüõüùñä)óôâûïä)2óä 9
ýíÿ 
ð Àô<ùÖë)Bô ÀÿAýà âà :Cí = Nòúá÷6ò âõ 5å h#å h#å ]å $
¼÷!#
å h#å ]#å hå )<¼÷äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óâ3ô $Tå 6"!&;ÿâí
ÈôéS¼÷äõ¼ôøÈùÖë6ôøüé6ùñå]å#håâå
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Ÿ~Lam
Logging Rules
ull
rig
ht
s.
By default, all rules get logged with a limit of at most 1 entry for each unique packet
type every 10 seconds at level ’info’ with the prefix ’Rule [rule number] – [Action].’ All
packets that are dropped are logged at level ’warn’ or higher. Explicitly denied ICMP
packets are logged with the custom prefix ’Bad ICMP – Deny.’ Denied fragments are
logged at level ’alert’ with the custom prefix ’FRAG – Deny.’ TCP Scan packets are
logged with the custom prefix ’TCP Scan – Reject.’ IKE, ESP, and AH packets bound
for the VPN gateway are logged with the custom prefix ’IPSEC – Accept.’ The selected
example snippets from the firewall configuration script below display only the logging
rule. See B for the full surrounding context.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ß ;óé6ò öéõ¼ôAôâòÖäÖõé?ñé6áôâêÖé6áù÷ þJý[email protected]î6äüòôøüé6ùõ
9
ë)óä5äîÀïÖé-óäO)áäÖõ¼ôõJëüù÷ þJý-áùóäëÖîÀïÖëüêãâäÖõLeJëüùúé?
ôâïäÖõ6ä ôâòäÖõUø6ããêÖä<÷âóéüòòÖäâ÷ ê5ôâïÖä ø]öòãÖøâîøÈô<÷ä?ëüáã6ô
;W*—êá9
ô Ö3ä Öë6ùô5ôé î6ëüòôâáóä ô)ïÖäÀö1øÈù ë õÈòÖäÖîøüëãóâáãâä
â
í

ï
)
ä

ó
<
ä
)
ë

ó
ä)ó ?ä FA27
ºî6ëÖõ6äÖ
õAøNù 998D
ïøâîÀïAFDB5
ôâïÖäõ6ä DE3D
òÖëÖîCFä6ôF8B5
õë)óä 06E4 A169 4E46
Key fingerprintä<
=ûAF19
2F94
ãÖ8ø Fäã <ôé5ë6òòäë)9ó ?é)óñãâä6èøÀôø]öë)ôäJóäëÖõ6é6ùLõ XÖä øÈùî6ãüá÷ä
ëß&õ6éü;áó:âðî6Qä O)áä6ùîÀïºøÈùúôâïø)õèâóé6áò<êÖäî6ë6áõ6äñøÈôºîüë6ùúêä-áõ6äâ9÷ ?é)ó
ýíÿ 
ð úä)ôâ
ï .:üá
ô .6à .
ýíÿ 
ð Àÿúä)ôâ
ï .:üá
ô .6à . fö1ãÖøföøÀ%ô 6ãø]öøÀ<ô )NöøÈùáôä "!
:= 6ãâé)è>6ãâä)ûäãUB6ãâé)è>Èòóä?ø@,AfÖëâ÷ þJý67;W_A
ßßAàâ áãâä9–çÆä)ôâïiå)ì
ß
òßAß áâêÿÖããÖãâøâ"éîAºøÈùøÈùôôä)óä)ó)?ùÖëä)î6ô-ä3ïÖ?éÖé)óõÀôõýôðéäÖîLî6 é6ùùÖäî¼ô-ô&é Pý Aèë)ôä Öë Nfõ
ýíÿ 
ð 5þø¼÷ )ææ ýíÿ 
ð
Àÿúä)ôâï_Cå . S
ù .üà .. ]ö1ãø]öøÀ%ô üãÖø]öøÀ<ô )ÈöøÈùáôä "!
:= 6ãâé)è>6ãâä)ûäã-)%6ãâé)è>Èòóä?ø@,A ýðþ,ÿþâþýí5A
ßßAàâ áãâä9–çˆèÖãâé6êÖëãÖì
ß
ß<êãâéÖî F9?âóë)èüöä6ùôLõ Móë6èüöä6ùôäâ÷òÖëÖî Fä)ôõô)ïÖë)ôúë)óä-òÖë)óô5é ?
ë6ùúÿ Dúé)<ó ð)ý<òÖëÖî Fä)ô<ôé<ôâïÖQä Pý 5èë)ôä Öë Aë6óäúä @î6ä6òôäâ2÷ ç{ðää
ä) ô)ýïiðäÖålîóâïÖáäãâë)äÖ÷õä)Yì ó#õ+öíâïëä úëö)ëóFäAä-ôâëïÖãäãâ"é òÖÖëÖäâ÷-îFôâä)ïÖô<ä6ôóéäéúêÖäÖãâë)î6óâëüáèäQõ6ä ?ôâé)ïÖóñäAé6áä @âó<ôòóëøÈòäÖõL
ß ýíÿ ð Aà .
ýíÿ 
ð è>À6AF19
ÿAãâä)àûäãúFA27
.
fö!ãø]öøÀ6
ô 6ãàø]öÿ=%øÀ9ô )UDE3D
ÈöøÈùáô
ä "!
Key fingerprint
:= 6ãâé)=
å&6ãâé)2F94
è>Èòóä998D
?ø@,AVFDB5
;W5A F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ull
rig
ht
s.
ßßAàâ áãâäºåçˆèÖãâé6êÖëãÖì
ß
ßAàä !äî¼ô5ð)ôäëã6ôâï õî6ëüùõ`øÀôâï þJýAýé)óôQùóäëÖîÀïÖëüêãâäJôé-ïø¼÷ä
é6òä6ùAòÖé)óôYõ né)ó¼öëãã*Ré6òÖä6ùAòÖé6óôõJ÷âóéüò5êëâ÷AòëÖîCFä)ôõZ*oïøüãâä
óßî)äã)éÖõÀòÖõ6äâé6ù÷ õüòÖä-é6óë6ùô÷Jõ<öõ6ä6ëùF÷úäÖõJë<ôâíïÖþâä ý5òÖàé)óð)í2ôñuãâí)éâïéF<øâõ?êø6ãâã6ôéä6îCFóäâõ÷2ôâ ïÖäA÷äÖõÀôøÈùÖë)ôøüé6ù
ýíÿ 
ð Aà .å
ýíÿ 
ð ÀÿAà .å fö!ãø]öøÀ6ô 6ãø]öøÀ9ô )ÈöøÈùáôä "!
:= 6ãâé)è>6ãâä)ûäãUB6ãâé)è>Èòóä?ø@,AhíþâýúðÖî6ë6ùBJàd"þâíBA
te
Order of Rules
tu
Ÿ~Lrq
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ßßAàâáãâä9–çˆèÖãâé6êÖëãÖì
ßßQùóäõ¼ôó=øâîÀAF19
Key fingerprint
ôäâ7÷ ä6FA27
êñëÖîî6äÖ2F94
õâõôé&998D
ä6êSüòÖFDB5
é6óôëã-DE3D
õ6ä)óûä6ó F8B5 06E4 A169 4E46
ß
ýíÿ 
ð Aà .
ýíÿ 
ð ÀÿAà . fö!ãø]öøÀ6ô 6ãø]öøÀ9ô )ÈöøÈùáôä "!
:= 6ãâé)>
è 6ãâä)ûä-ã )%6ãâé)>è Èòóä ?ø @,Ahà %ÿþþ ýBí A
ßßAàâáãâä9åçƒèÖãâé6êëãÖì
ßpß N]î6ë)ôîÀïúëãLã NRóâáÖãâä
ß ýíÿ ð Aà .å
ýíÿ 
ð ÀÿAà .å ]ö!ãÖø]öøÀ%ô 6ãÖø]öøÈ<ô )ÈöøÈùâáôä "!
:= 6ãâé)è>6ãâä)ûäãUB6ãâé)è>Èòóä?ø@,AhàåQ7;WGA
©
SA
NS
In
sti
The firewall configuration script puts the rules accepting packets that are part of or
related to established connections first. This prevents rules that do not use stateful
inspection from creating unwanted conflict with rules that do. Immediately following
are the rules tied to specific interfaces. Since these rules precede all “global” rules,
exceptions to global policies can be placed in an interface-specific ruleset. For example, in order to give unfettered access to IP traffic passed back and forth between the
loopback interface and the rest of the local system, we put a stateless rule in the ruleset for the loopback interface and any other restrictions on traffic to or from the firewall
are ignored in the case of the loopback interface. This also means that fragmented
IKE, AH, and ESP packets heading to the VPN gateway’s public interface will pass,
even though the very first global rule blocks all fragments.
The first two global rules block fragments and TCP scans. These packets are potentially
malicious
andFA27
dangerous;
weFDB5
put the
rules
forbidding
them
first to ensure
Key
fingerprint
= AF19
2F94 998D
DE3D
F8B5
06E4 A169
4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ins
f
ull
rig
ht
s.
that packets that would otherwise be allowed through, say to an open port on the
web/portal server, are stopped. Next come rules that give access to and from the publicly accessible servers and the Oracle database cluster. We want these packets to be
passed quickly, so we keep the rules near the top. We also put rules granting access
from the DMZ hosts to internal systems higher up in the list, followed by a specific
block rule for any further access from the DMZ to internal hosts. Then come rules for
user access to public services, followed by rules that are not used as frequently, such
as access to internet NTP servers by our time servers or Technical Support access to
perimeter hosts.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
7 0 , #8Rs
Appendices
‹ Border Router Configuration
ëÖàõ¼ôÿ î6éüî6ù
é6ù
??øÀèâøÈèáóã)ë)ëÖôõ¼øüô-éüùúáòîÀï÷ë6ë)ùôèäâ÷Aä<ë)ë)ô1ôåæjuj04)jjhå7$7;;í9í9óóøQøQdüdüááã&ã&$<$<
ûõ6t ä6ä6óóûõøüøâé6î6ùºäJôåø]öäÖõÀôëÀöÖòõ÷ä6êáè-áâòôø]öä
õ6ä6óûøâî6äJôø]öäÖõÀôëÀöÖòõJãâé)è5÷ë)ôä6ôø]öä<ã)éÖî6ëã6ôø]öä5õÀïé'Àôøföähé6ùä
õ6t ä6óûøâî6äòÖëÖõõ é)ó>÷ üäüùî¼ó âòôø¼é6ù
ïÖt éõ¼ôâùÖëÀöäJêÖé)ó÷ä)Eó Àóéüáôä)ó
Key fingerprint
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
øùÖÈòpé î6øÈòAä ? ïôô)=òpAF19
õüä)óûä)ó
ùÖé îü÷)òñä6ùë6êãâä
ùÖé õ6ä)óâûøâî6äôîÀ'ò âõhöëãã âõüä)óûä)óÖõ
ùÖé õ6ä)óâûøâî6äJá÷)'ò âõhöëãã âõüä)óûä)óÖõ
ùÖé øÈò ?øÈùèä)ó
ùÖé õ6ä)óâûøâî63ä ?øÈùèä)ó
ùÖé øÈòAêÖéé6ôâòºõ6ä)óûä6ó
ùÖé-êÖéé6ô-ùÖä)ô Öé6ó F
ùÖé õ6ä)óâûøâî6ä5îüé6
ù ?øÀè
ùÖé øÈòú÷éÀöëøÈ'ù 6ã)éé Fâáò
õ6ä6óûøâî6äJôîÀ'ò Fää6òÖëãøÀûäÖõ âøÈù
t
v
áä6ùõüë6ä)êóâùÖãâäúëÀöõ6äQä!Àî¼öóéä)<ôé6ó$äúõ6äÖå î¼ó)ä)ûô<W $ ÷ 0Oå ä6$ùá êO?âÿ6ôá !6?âá èc)]ý
î¼û$üÿ:íw
$"v ;_dâå þW vv è÷2
ááõüõüä)ä)óâóâùÖùÖëÀëÀööQääJê!Àöûéé)èé6óääã5òõ6óäÖî¼øÀûóä)ø6ô<ãâä)$èäñ åå $v ô÷ û@âù
P÷øCh6ùÿ6ùÖëüùP6ÿýhâû
:
áëëâõüë-ä)óâùùÖäëÀö'äJ]öêé)û÷é)äèã äãJòóøÀûø6ãâä)èäñå $
ëëâë5ëüáôâïÖä6ùôøâî6ë)ôøüé6ù<ãâé)èøÈù5÷ä?ë6áãüôúãâéÖî6ëã
ët ëâë5ëüáôâïÖé)óCø hë)ôø¼é6ùúîüéÀööë6ù÷õ5å $A÷ä ?ëüáã6ôúãâéÖîüëã
êÖëüùùÖä)óJöé6ô9÷ H
íâÿxïxîâxî6øâäÖõxõx÷õAxä)xûøâxõøâxîüxóäñxäÖxøâõÀxôõxóxô)øâxïÖî¼xäôxäâxò÷xóxôé6xòÖé5x ä6ÿóë6áôàô)AéïÖ é) ?<ó=Cø =ht äâ ÿx÷5þ9xõ¼x)ôxùëxô?x?ä)xóâxöòxäÀóxöøâxêÖõ6xä)äÖxóõ#xõx* xéxù?<xî6x=é)xóâxòÖÿx9þé6xóx)ë)xùôxôäâx ä)÷óâ òóøâõ6äÖõ
íäîÀïùøâîüëã ð6áòâòÖé)óQô ;ä6òÖë)óô¼öä6ù4ô iùÖë6áôâïÖé)óø häâ÷Jáõ63ä ø6ããêÖä-òóéÖõüäÖîÀáôä)÷ôé
ôâï9ä ?6áããâäÖõÀô5ä @ôä6ùô5é ?5ô)ïÖä5ãâë [—ÿÖãã<ëÖîÀôøÀûøÀô øâõ5õÀáê !äî¼ô<ôéöé6ùøÈôé)óøÈùè
óä6ûøüä Öä)÷ê = ÿ&þ âùôä)óâòóø)õ6äÖõ íñðâäÖîÀáóøÈô Aë6ù÷ î6é6áÖã)÷ êÖä<óä6òÖé)óâôäâ÷ ôéúãâë ä6ù ?é)óî6äÈöä6ùô-é ??øâîøüëãõôé5ëõõøâõ¼ô øNù!î¼óø]öøÈùÖëãòóéÖõüäÖîÀáôø¼é6ù øÈùúôâïÖäAä)ûä6ùô
?<é6FA27
é ?öøâõÈáõ6
ä = AF19
áú÷é<ù2F94
é)&ô øâ998D
õÀï5ôé FDB5
êÖä õÀáê DE3D
!âäÖî¼ô<ôF8B5
é<ôâïÖäÖõü06E4
äúî6é6ùA169
÷øÈôøüé6ù4E46
õ*
#
Key fingerprint
t
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
t t P J
© SANS Institute 2000 - 2005
Author retains full rights.
÷ø)õî6é6ùùäÖî¼ôùé t
H
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
)îî)t ã)ã)éÖéÖîCîCF<F ôõÀá6ø]ööâöähä)óEé6ùÖÀôä3ø]öð)ä7í6;"íú$ óäÖîÀáóóøÈùè åJð6áùúÿâòój05ãâëÖõ¼ôúð6áù,:îÀôj
ùÖt é øÈòºõ6é6áóî6äSÀóé6áôä
øÈùøÈôò ä)ó ëâ?÷ë÷âî6ó-ääÖõõ5ôâï#å ä)]óâ#å ùÖhä)#å ô h8å $Q$$$$0$$$
ùÖøÈòé ëÖøÈòñîî6÷äõøÀóõäÖÀèîÀôóäâé6á>÷ òÈêóå$éå<ëâ÷øÈî¼ù ëÖõÀô
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å å5å $
&æ$9$æ
î6éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀô ä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å )å5å $
&æ $&$æ î6t éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀôAä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
øÈù÷ôäÖä)õâó î¼?óëøÈî6òä-ô=øüðé6AF19
ä)ù óøü
ò ë6ãò FA27
Key fingerprint
2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Ö
ã
È
ø
ù
FAôé ð)ý
øÈò ëâ÷÷âóäÖõõ5å#]å#hå#hå8Q$$$$0$$$
øÈøÈòò ëÖëÖîîî6î6ääõõõõÀÀèèóóé6é6ááòò åå$$5é6øÈùáô
ùÖé øÈòñ÷øÀóäÖîÀôäâ>÷ Èêóéëâ÷î¼ëÖõÀô
ùÖé øÈò5òóé @>üë)óâò
ùÖé øÈò5áùóäëîÀïÖë6êã)ä
ùÖé øÈò-öëÖCõ FEÈóä6òã
ùÖé øÈòúóäâ÷øÀóäÖî¼ô
ùøÈòúôâòúû÷ä)óø)õ6ø ?ë6ê-áãâä ùøâîüëÖõ¼ô-óä6ûä)óõ6ä ÈòÖë)ôâï
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å <&$æ ºåå $
î6éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀô ä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
óë)ôSä 6ãÖø]öiøÀôñøÈùâòáôúëÖîî6äõõ Àèóé6áò å )på $
&æ $&$æ î6t éü
ù ?é)óü#ö üëÖî¼ôø¼é6ù ôâóë6ùõhöiøÀôAä @îüääâ>÷ üëî¼ôøüé6ù ÷âóéüò
øÈùùÖôé ä)ó øÈ?ò5ëî6áäJùóùäáëãâîÀãïÖ ë6êã)äÖõ
øÈøÈt òpòúóî)é6ãâáëôõä&õ)ãâäÖõâõ 0& å5hå#hå#]åå
øÈøÈòúòúóóé6é6ááôôää #å#å hh#å#å ]]#å#å hå $3æ $
$7$$$$0$$$$$$$A#å ]5#å h5å#å hh#å8å h)#å ]å )
øÈøÈòúòúóóé6é6ááôôä&&ä 00&&$$2$00ùùááãâãâãã øÈøÈòúòúóóé6é6ááôô&ää&$00&&$$$$00ùùááãâãâãã
øÈøÈòúòúóóé6é6ááôô&ä&ä QQ$$$$00JJùùáÖáÖãããã øÈøÈòúòúóóé6é6ááôôä&3ä _)#å QQ$$4$00JJùùáÖáÖãããã øÈòúóé6áô3ä Q$$0JùáÖãã Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
øÈòúóé6áôä&$Q$40JùáÖãã
øÈòúóé6áô&ä Q$40JùáÖãã øÈøÈòúòúóóé6é6ááôô&ää&QQ
$$00JJùùáÖáÖãããã
øÈøÈòúòúóóé6é6ááôô&ä&ä 4QQ
$00JJùùáÖáÖãããã øÈøÈòúòúóóé6é6ááôôä<ä æå ))æ 0$4Q34$$0$J$ùáÖãã ùáãã
øÈøÈòúòúóóé6é6ááôôää åå40033$$4$JJùâùâááãããã øÈøÈòúòúóóé6é6ááôôää åå 4)0033
$JJùâùâááãããã øÈòúóé6áôä åæ03$$Jùâáãã
øÈøÈòúòúóóé6é6ááôôää åÀåÀææ 0033$$$J$Jùâùâááãããã øÈøÈòúòúóóé6é6ááôôää åÀåÀææ 0]å 303$$$$$4J0ùâáãùâã á ãã øÈøÈòúòúóóé6é6ááôô&ää =åAF19
40FA27
342F94
J
ùâáãã FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
998D
Q$$0JùáÖãã
øÈòúóé6áôä åÀæ ]å )3$$$$ùáãã øÈt òúóé6áôä å ]å )03$$hå )Jùáãâã ãâãâé6é6èèèèøÈøÈùùèèúôõ6óé6áë6òAóîüùÖSä é)ôøÈùCø ?ôä)øâóî6ë6?ôëÖøüîüé6`ä ùâõ ôâïÖä)óâùä)
ô ëÖëÖãâé6îâîâèî6î6èäÖäÖõõøÈùõõ èüüãÖãÖå#øâøâõ¼õ¼hôôå#hååå5<5håò÷ä)ä6) ùóüö5ëøÀ6ôpù 5å hãâ#å é)hè #å ]å )
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼QôQô <<òòä)ä)óüóüööøÀøÀôpôp5å5å hh#å#å h#å ]0å _)å
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼QôQô <5ò÷ä)ä6ùóüö5ëøÀ6ôpù 5å hãâ#å é)è0
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼QôôQ<5ò÷ä)ä6ùóüö5ëøÀ6ôpù 5å hãâ#å é)hè #å ]å )
ëÖt îâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈ,ò 5å $$0$$$$ëüù ã)é)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò #å h5å h#å hå ë6ù ãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò #å h5å h#å hå &<ë6ù ã)é)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈòò #å#å hh5å5å h#å 33h<å $<ë6ùëüù ñãã)é)âèé)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈ,òò,$QQ$$$$00$$$$$$$$ëüëüùù ã)ã)é)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈ,ò,ò 0Q3$$$$0$$$$0$$$$Jëüùë6ù ñãã)é)âèé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈò,,ò )003ñ#å $$$$$$$$00$$$J$Jë6ë6ùù ñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò_
#å 0033$$$$$$$$00$$$J$Jë6ë6ùùñãñãââé)é)èè
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈ,ò $0ñ#å $$$$0$$Jë6ù ñãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈ,ò 0ñ#å $$$$0$$Jë6ù ñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ºøºøÈÈ,ò,ò 0033$$$$$$$$00$$$J$Jë6ë6ùù ñãñãââé)é)èè
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈò,ò,40033$$$$$$$$00$$$J$Jë6ë6ùùñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò æå))æ0$4303å#$$$$$$$$$$Jë6ë6ùùñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åå2003ñå#$$$$$$$$$$$$ë6ë6ùùñãñãââé)é)èè
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åå2)0033$$$$$$$$$$$$ë6ë6ùùñãñãââé)é)èè
ëÖîâî6äÖõõ üãÖøâõ¼ô å$<÷ä6ùºøÈò åæ03$$$$$$ë6ùñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åÀåÀææ0033$$$$$$-ë6ù$$ë6ãâùé)èñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈòò åÀåÀææhå033]$å#$$$$$$$$$ë6ùë6ùñãñãâé)âèé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùùºøºøÈÈò,ò å20303å#$0$$$$$$0$$$J$ë6$ùñãë6ùâé)èã)é)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å$<÷ä6ùºøÈò åÀæhå)03$$$$ë6ùñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå$$< òÖ÷ä6ä)ùóüöiºøøÀôÈò øâîhåöÖòñhë6åù)ñëüù3ä0îÀïÖ
éSÀóä6$ò$ã$$ë6ù ã)é)è
Key fingerprint
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâ=õ¼õ¼ôô AF19
åå$$ òÖòÖFA27
ä)ä)óüóüöiöiøÀøÀôô 2F94
øâøâîhîhöÖöÖòñòñ998D
ë6ë6ùùñëñëüüùùFDB5
5ápõâüùé6áóóäDE3D
ëÖî6äîÈïÖCO)ë6êáÖä6ãâF8B5
äùîÀï 06E4 A169 4E46
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$ òÖòÖä)ä)óüóüöiöiøÀøÀôô øâøâîhîhöÖöÖòñòñë6ë6ùù ñëñëüüùù úô5òë)ø]öóSäëÀöüää[email protected]ôä)î6EóääâÈò÷óäâ÷é6êã6äÀö
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$ òÖòÖä)ä)óüóüöiöiøÀøÀô<<ô $$5åJë6ë6ùù úëúë66ùù
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùù $$5$5ë6ë6ùùúëúë66ùùñãñãââé)é)èè
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù 5ë6ù úë6ù ñãâé)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$<<÷÷ä6ä6ùù òôîÀø]öºòñë6ë6ùùñëAïÖ6ùéÖñãõÀô1âé6å5è hå#hå#]å äO5ôäãüùÖä)ôúãâé6è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$<<÷÷ä6ä6ùù ôôîÀîÀòñòñë6ë6ùù AïAïÖÖéÖéÖõÀõÀô1ô15å5å hh#å#å hh#å#å ]]åå $ ää O5OôäúãüùÖãâé)ä)èôúãâé6è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$< òÖ÷ä6ä)ùóüöiøÀô<ôôîÀîÀòñòñë6ë6ùùñëAïÖ6ùéÖõÀô1å5hå#hå#]å$ äOúãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $ òÖä)óüöiøÀô-á÷)òñë6ù ñë6ù
ëÖt îâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò ë6ù úë6ù ã)é)è
ëÖëÖîâîâî6î6äÖäÖõõõõ üüãÖãÖøâøâõ¼õ¼ôô åå $$åå÷÷ä6ä6ùù $$5$5ë6ë6ùù úëúë66ùù ñãñãââé)é)èè
ëÖîâî6äÖõõüãÖøâõ¼ô å$å÷ä6ù 5ë6ùúë6ùñãâé)è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $å÷ä6ù òø]öºë6ù ñë6ù ñãâé6è
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô<ôîÀòAïÖéÖõÀô15å h#å h#å ]å )JïÖéõ¼ô!#å h#å h5å hå -ä O
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô øÈò #å h#å h5å hå )-ëüù
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô øÈò #å h#å h5å Q0-ë6ù
ëÖîâî6äÖõõ üãÖøâõ¼ô å $åòÖä)óüöiøÀô øÈò #å h#å Q]å $-ë6ù
ëÖt îâî6äÖõõ üãÖøâõ¼ô å $å÷ä6ù ºøÈò ë6ù úë6ù ã)é)è
ëÖëÖîâîâî6î6äÖäÖõõõõüüãÖãÖøâøâõ¼õ¼ôô åå$$ òÖòÖä)ä)óüóüöiöiøÀøÀôô øâøâîhîhöÖöÖòñò1ë6å#ù ]ñëå#hüå#ù ä-îÀïÖë6ùSé <òÀóÖä ëO)áÖîCFäÖä)õÀôEô ÈôééSÈêøÀè
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøâî]öÖòñë6ù úë6ù
ëÖîâî6äÖõõ üãÖøâõ¼ô å $<÷ä6ù ºøÈò #å h5å h#å hå ë6ù
Key fingerprint
ëÖîâî6äÖõõ üãÖøâ=õ¼ô AF19
å $<÷FA27
ä6ù ºøÈò2F94
å h5å h998D
#
å hå $ FDB5
#
ë6ù DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ëÖîâî6äÖõõüãÖøâõ¼ô å$ òÖä)óüöiøÀô øÈò ë6ùúë6ù
t
ëÖîâî6äÖõ"õ yãÖøâõ¼ô å) òÖä)óüöiøÀô<ôîÀòñë6ù1å#hå5hå#åõCâù
ëÖîâî6äÖõ"õ yãÖøâõ¼ô å) òÖä)óüöiøÀô<ôîÀòñë6ù1å#hå5hå#AõCâù
t
ëÖîâî6äÖõõ üãÖøâõ¼ô å)åòÖä)óüöiøÀô<ôîÀòñë6ùñë6ù õC)ù
t
ëÖîâî6äÖõõ üãÖøâõ¼ô å òÖä)óüöiøÀô øâîhöÖòñë6ùñëüù äîÀïÖéSÀóä6òã t
t
ëÖîâî6äÖõõ üãÖøâõ¼ô ååòÖä)óüöiøÀô øâîhöÖòñë6ùñëüù äîÀïÖéSÀóäO)áÖäÖõÀô
õÀt ùüöÖ'ò âõ6ä6óûä)ó-ä6ùèøÈùä ;5ãâéî6ëãQæ;
$å8$)
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)óóûûøüøüää ñAùÖëâ÷¼ë)öiô{ëøÈzù ]åJhå<ä @øÈùî)ãüî)áãüá÷÷äâ÷äâ÷
õÀùüöÖ'ò âõ6ä6óûä)óèóé6áòúë)÷¼öøÈù5
û òóøÈû5óäëâ÷5ëâ÷¼öøN<ù óøÀôäùÖë6ôë ùÖé)ôøC?-ùÖë)ôëAëÖîîüäÖõõ-
õÀùüöÖ'ò âõ6ä6óû=ä)óAF19
èóé6áò<ùé)ôCø ?2F94
<û<òóøÀûAóFDB5
äëâ÷-ùÖë)ôQë óøÀF8B5
ôäùÖë6ôë ùÖé)ôA169
øC?5ëâ÷¼öøÈùúëîî6äÖõõ-
Key fingerprint
õÀùüöÖ'ò âõ6ä6óûä)óJáõ6ä)ó<FA27
êøÀè)êóé)ôâïä)ó<998D
ëâ÷ÀöøÈùA
û 5ä6ùî¼DE3D
ó âòôäâ÷-ë6áôâï 06E4
ö÷$ ïÖëããâäâê4E46
ä)óóôéüù
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)óJó<áãâéÖõ6ä)î6ó<ë)ôùÖøüé)é6ô9ù Cø =?øüÿä)&þóùÖâùé)ôôä)Cø ó)?ò<ûó
øâúõ6ääügõ ù;î¼óë)ôâòëAôþäâä6÷-ùôëüáä)ôâó ï ö÷ $A÷ 6ùô)òïÖä6ùîüä J_åhù
õÀõÀùüùüöÖöÖ'òò'ââõ6õ6ä6ä6óóûûä)ä)ó5ó-ä6î6ùÖé6ùë6êôëã)äî¼&ô ô=óë6 ÿò9þõ<)õÈù6ùöÖôòä)óâòóøâõ6äÖõíäÖîÀïâùøâî6ëãð6áòòÖé6óô *Rä @â4ô |$
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òòõ<õäüîüùé6
ùô?øÀôøÀè
õÀõÀùüùüöÖöÖò''ò ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òòõõ<äüõ ùõûü)öãâé6é)ùè
õÀõÀùüùüöÖöÖ'òò'ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òò7õõóâ?)ôóóëÀöSä Èóäãâë
õÀõÀùüùüöÖöÖ'ò'ò ââõ6õ6ä6ä6óóûûä)ä)óJó-ïÖä6ùÖéÖë6õ¼êô!ã)ä#å hô5å óhë6#å òhõå äü)Jùûûüöä)óé6ùõøüé6ù 5ë6áôâïAùÖé6ôCø ?øüä6ó
õÀõÀùüùüöÖöÖò''ò ââõ6õ6ä6ä6óóûûä)ä)ó-ó-ä6ä6ùÖùÖë6ë6êêã)ã)ää ôôóóë6ë6òòõ<7õ ?)õõóëÀ)öãâé)Sä èÈóäãâë
õÀõÀùüùüöÖöÖ'òò'ââõ6õ6ä6ä6óóûûä)ä)ó-óJïÖä6ùÖéÖë6õ¼êô!ã)äå#hôå5óhë6å#òhõåóâ)Jôûó ä)óõøüé6ù5ë6áôâïAùÖé6ôøC?øüä6ó
ãÖt øNäùÖ@äñäîî6Àé6ôù ø]ö äé6áôQ$
ôëóëëüëAùë6õÀáòÖôâé)ïÖóâôä6ùôøÈùøâòî6áë)ô<ôø¼ôé6äùAãüùÖã)é)ä6èô øÈùú÷ä ?ë6áã6ô
ãÖøNë6ëÖùÖáîä-ô)îüïÖäÖûé)õô óõ øCâhî69ë)ãâôëÖ õøüé6õ<ù5å î6éÀöâøÈöù ë6ù÷õAå$5÷ä?ë6áãüôÖãÖøÈùÖä<î6é6ù
õ6äÖõâõøüé6'ù Èôø]öäéüá-ô $
ôëóëëüëAùë6õÀáòÖôâé)ïÖóâôä6ùôøÈùøâòî6áë)ô<ôø¼ôé6äùAãüùÖã)é)ä6èô øÈùú÷ä?ë6áã6ô
ë6áô)ïÖé)óCø hë)ôøüé6ù5î6éÀöâöë6ù÷õAå $5÷ä ?ë6áãüô
ãÖøNùÖäAë6á @
ôóëüùõÀòÖé)óâô øÈùòáô-ùÖé6ùÖä
t
ùùô)ô)òpòpî6õüé6ãâáéÖóCî FEî63äNòÖâä)ôâóïÖøüä)é)óâ÷ ùä)å ô )
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ins
f
ull
rig
ht
s.
ùùô)ô)òpòpõüõüä)ä)óóûûä)ä)ópópå5å5hhå#å#hhå#å#0]å_)Jå òóä?ä)ó
ùÖä6ùé ÷ õîÀïäâ÷)áãâä6ó<ëãã)éÖî6ë)ôä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
}
Internet Firewall Configuration
The Netfilter firewall script below was generated by the fwb_ipt program, part of the
Firewall Builder multi-platform firewall ruleset manager. Comments embedded in the
script were mostly added to comment fields in the fwbuilder GUI; a few, including the
file header, were generated by the iptables ruleset compiler, fwb_ipt. The generated
script is stored in /etc/sysconfig/firewall.fw and called by init script /etc/rc.d/init.d/firewall.
Long lines in the original file have been split to make it easier to read.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßß t üêøÈùSõÀï
ß íâïøâõ5øâõ ë6áôéÀöë)ôøâî6ëãã" èä6ùä)óë)ôä)÷3?ø6ã)ä~;:3:6í
J:"; W t
ßß øÀóä Öëã`ã áø6ã)÷ä)ó ?âêS.ÖøÈòô<ûå#hå8Så
ßß =ä6ùä)óë)ôä)-÷ Jé6ù ðä6ò1å$<)j0$j$3Q;í<ê!Àöéâé)óä
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ßß
ßß
ãâé6èÎôäçNì-õ¼6ô  @GA :==5à A€€ :==à Èò1øN
ù ?6é A å A
ûë₠÷âë ÷.üù.âá6ëâ>ö÷÷)yóÎå çNUì 
ù6÷ëâSö÷âä6û÷ây óy y å
ôë)òë)Ö÷÷äy'y'AAAA
yLƒ %
øC?<: ô äýðõ¼ô6y úÈ ù†ëâð ÷âA ÷â óñ'A'㝇uõ ôâï ÷ä6ùä)…û „
èâóä6_ò A ÷ä64û jVAEƒ
õô6 âòä)Öôð yEä yAU j*‰ˆ>A
ð y : ð
yRƒ ý%ñëâ÷÷âóúãõ ÷ä6û5ôé ë)÷÷âóŠ„`èóä6ò_A<øÈùÖä)ôGAEƒ
Cø ?AôäÖõ¼%
ô ÈIù A EA'‡RôâïÖä6ù
: ð y ð
õëâüëâä)ô÷ðy'÷ yAU > A
ðy : ð
?ø
?ø
øC?<Cø ô?Aäôõ¼ô6äÖõ¼BôCh_A A ô âòëÖëâ÷Eä ÷EAgA'yG‡—ôâANïÖý äü: ù í :6
ý : 5í AE‡`ôâïä6ù
ãâëüêÖäã û÷ë ä66ý.ü4û ùá6j1Sö yRë)ƒ{÷ä 6÷â@âûóúòëó .¼ëâù÷ á6û÷ ö ë ‚.üùëâá6÷â,ö÷âó5l!÷ä)Eå û ƒ ÷ä)û õîüé6òÖä èÖãâéüêÖëã
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Cø ?Aø ôäÖõ¼ôBA ôâòÖäEAgyGAVà
:6ÿ;þâÿð)í5A'‡`ôâïÖä6ù
èÖã)é6êÖëã<û
ãâë ëüý6.üêÖùäá6ãöS yR ë)ƒ{÷÷ää6÷â@âû4óúòój1ëâ÷ û÷ ë6.üûùëâëá6÷âö,.¼÷âùóá6l! ö ‚ùüåEöñƒ ÷ä)û ÷ä6ûAêó÷9lpõî6éüòÖä
?ø
?ø
蝂 ä6ô÷ëâä6÷û ÷ây óÚ çNå 7ì 
ùÖyLëÈöƒ äy %ý úëâ÷â÷âó õÀïÖé ú÷ä)û ÷ä6Šû „—èóäüòºøÈùÖä)ô ƒ
ôäõ¼Gô Ac 'Agyy_Ac>A`€€%
Ö
ä
À
î
Ö
ï
é
6
A ùôä)
ó
?ëÖî6ä ÷ä)ûºøâõ ÷é 2
ù
*+øÈôõ ý ë)÷÷âóäÖõâõAøâõ
áù FâùÖéä @4ù øÀô!
þå ë6ùAùÖé)ôpøÈùõÀôëã-ã ?øÀóä ÖëããòÖéãøâCî 4VA
‚
: ð y ð
ð y'AU>=A AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
õä)6ûä6ôë%ã A ùÖëÀöä y EA
ð y : ð
‚
ð J:;y'AõÀêøÈ
ù ãùõhöhöéâE÷é)÷)A òâóé6êEä A
J:";ý
à
:"y'ACõÈêøÈS
ýâíÿ
ðy'ACõÈêøÈùSøÈòôë¼êãâäõA
ý y'ACõÀêøÈS
ù ÖøÈ5òó üA êøÈ
ù ã)é)è)èä)Eó A
:==
à
yEACüáõ¼
îü÷âä)ô„uä@øÀô!å
ãâé6_è Ahÿî¼ôøÀûë)ôøÈù3è ?øÀó"ä ÖëããAõâî¼ä óA øÈòô<èä6ùÖä)óë6ôäâ3÷ Jéüù ðâä6ò8å $
)j$j$QQ;âíAê ,!Àöéé)óE
âí à ÿþ ð y'AÈä)ôâ
ï ä)ôâï_ð åJ‡ ä6ôâ÷ïé <ä)ôâ
ï 5ä6ôâï úä)ôâï $5ãâBé A
?é6ópø5øÈù í à ÿþ I
ý ãøÈ
ù
F õÀïÖé _A äÖä @îÀïÖøÀô!é å ùôä)ó?ëî6ä ø A7øŒ÷é)÷ää)õJû ùüùé)ôúáÖãä3ã @øâŒõ¼€ô †å „„|
‚
÷äÖéüîÈùÖïÖäéº3å Œ<üòóéî Cõ õüùÖä)ô øÈòû ÖøÈ
ò .)÷ âùëâ÷÷6ó
äÖäÖîÈîÈïÖïÖéº9é å3Œ<Œ<üüòòóóééîî õCCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû î6î6é¼é¼ù
ù ??ââëâëâãããã ¼6óâëÖòîâ.î6?Öä¼òø6ôã6ô.ä)õ6óéüáóîüä .¼óéüáôä
äÖäÖîÈîÈïÖïÖ9éé9Œ<Œ<üüòòóóééîCõõCõõüüùÖùÖä)ä)ôôøÈøÈòòûûî6î6é¼é¼
ùù
??ââëâëâãããã6)ëÖãâé6îâèî6ä¼.höòôë)ó).¼óôä)ø¼÷ë6ùøÈóõ äÖîÈôõ
äÖäÖîÈîÈïÖïÖéºéº3å3å Œ<Œ<üüòòóóééîî CõCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû ÖÖøâøâîfîföÖöÖòò .â.ÖäøNèâîÀïÖùÖééüó.ÖäøÈèâ.üùêé)é)óèâáä .üõ ê.)óä)óâéâóë)÷é)óî¼ëÖ.6óõÀôäÖõõÈòé6ùõ6äõ
äÖäÖîÈîÈïÖïÖé9éºå <Œ<üŒ<òóüòéÖóîé֝îõCõCõõüùÖä)¼ùÖô
ä)ÖôøNòÖûøhòû6ôÖ6îÀòô.îÀ
ò?Ö.øÈùSFä).¼ôä6òøföëä)ãé6øÀáûôä .ÖøNùôâûã
äÖäÖîÈîÈïÖïÖéºéº3åå3Œ<Œ<üüòòóóééîCõõCõõüüùÖùÖä)ä)ôôøÈøÈòòûû66ôôîNîNSòòS.C.õ6ëøhùîCF÷Cé S.õî¼ëãÖøhùè
äÖäÖîÈîÈïÖïÖéºéº3å3å Œ<Œ<üüòòóóééîî CõCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû 66ôôîNîNSòSò ..?Cõ 6ùëCî Fî6é)é Føüäõ
äÖäÖîÈîÈïÖïÖéºéºå33å Œ<Œ<üüòòóóééîî õCCõ õõüüùÖùÖä)ä)ôô øÈøÈòòûû 66ôôîNîNòSSò .).üôäÖîNø{öù äÖõÈôëÈöÖòõ
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
?
© SANS Institute 2000 - 2005
Author retains full rights.
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâó<ï<??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâïïA ãâë6êäã%AÀä)ôâïj1 A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó <ï ??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâïiïiåå ãâë6êä%ã AÀä)ôâïi5å j1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó ï<??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâï ïA ãâë6êä%ã AÀä)ôâï j1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâó<<ï ??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâïïA ãâë6êäã%AÀä)ôâïj1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó <ï ??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâï ïú ãâë6êä%ã AÀä)ôâï 2j1 x A
ýBýB885 ùÖëâ÷âäÖ÷âøÀèâ<ó ï<??ãüáãüáõÀï5õÀïú÷÷ä)ûä)ûúä6ôâä)ôâï ï$A$ ãâë6êä%ã AÀä)ôâï $j1 x A
x
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6#å ä)hôú#å ]ä)#å ôâhï
å -)3áâòúä6ôâï ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6#å ä)hôú#å ]ä)#å ôâï__ål(å áâòúä6ôâïiå
ëâ÷â ý÷
.âãëâ÷øÈù÷)Fóºõ6åä)ôúhå5ä)hôâå#
ï -$Qáâòúä)ô)ï
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóº=õ6å ä)AF19
h5
å ä)1ôâ4ï
h-gå FA27
ä)ô)2F94
ï 998D FDB5 DE3D F8B5 06E4 A169 4E46
Key fingerprint
ú
ô
â
á
ò
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6å ä)ôúh5å ä)hôâ#å ï hAgå áâòúä)ô)ï ëâ÷â ý÷
.âãëâ÷øÈù÷)Fóºõ6åä)ôúhå5ä)ôâ)
ï $-Qáâò ä)ô)ï$
ëâ÷â ý
÷ .âãëâ÷øÈù÷)Fóºõ6å ä)ôñ0ãâé-áhò (å ñãâé
ýíÿ 
ðð ÀÀýý :C íâý ý í í ;;
à
à :6:6ýý
ýíÿ 
ýíÿ
ðÀý9:6àÿà;&;à
:6ý
î6ë6,ô ¼ýòíóÿ éÖ
ùÖ<ð ä)ô ÀÖô øNSò .6ôôëüë6êêãâãâä äÖ"õC.ü6ùëÀÈöŽù äÖ_õ „„ïâø6ïãâø6ä ãâä-óäóë)ä÷ ë)÷Aî5ôîÀë6ïÖêëÖãâøÈRäù5‡Ró÷äÖé õ¼ô ‡R÷é
ø?5ô ýâäíõ¼ôGÿ ATwð îÀAgô yG ôATwë6êþ6ïÖã)ëä øÈù# A, ‡3îÀïÖôâïÖëäüøNùù
÷éü ùÖýíä ?ÿ ø <ð Àô ôëüêãâä w
÷éüùÖä
J:";."; ày'AãÖøÈê
Èöéâ÷üáãâäõZƒˆá)ùÖëÀöä&ÈóƒrFä6óâùÖäã¼ùÖä)ôÖøNòûüùä)ô?ø6ã¼ôä6óSA
J:";ð yRƒçhîü÷ J:";."; õ?6ä)é6óp÷ öNféâõ ÷)áãâˆäñé øNx ù YçÆNhäÖ5ì îÀƒ ïÖé J
:à ;‡uãõ ðxì#.‡—î6÷é6ùé ùôóëÖCî F
. xbx .üùÖë6ô . x „
Cø ? ð J:;Š„
èóä6ò Nöéâ÷)áã)ä ‚ Œ)÷ä)
û üùáÖãL㠇
ô)ïÖä6ùºî6é6ùôøÈùáÖRä ‡~?ø
Cø ?zü6
ä A J:";."; à ‚ Nöé6÷)áÖã)ä ‚ ˆSé Agü6é ¼ä
A J:;
.; à ‚ Èöéâ÷üáãâä ‚ é¤èh'A’‘‡RôâïÖäüù
J:;âý
à :" Èöéâ÷6áãâä ‚ „„•ä @øÀô!å
?ø
÷ß éüùÖä
ßß àâáã)&ä –aç ÿíì
ß ÿíúé6áôâèéøÈùè-ùôâò5óä O)áÖäõ¼ôUõ ?âóéÀö ôâïÖ3ä Öä6Sê ¼òÖé)óôëã
9
áêÖãÖøâZî N%FA27
øNùôä)ó2F94
?ëÖî6äôé øÀôõòáâêãÖøâîAøÈùôä)óâùÖä6ô
ëâõ6÷âä6ó÷âóûäÖä)óõõ NfGõ =N òAF19
Key fingerprint
998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
© SANS Institute 2000 - 2005
Author retains full rights.
ý íÿ ð Àô<ùÖë)ôBÀÿAý:âð6íà:Cí =¼éúä)ô)ï
l%ÈòñôîÀò âõ
åå ]å hå
¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòé)ó)ô å8,"!úðÿí%ÀôéSâõ6é6áóî6ä
ýíÿ ð Àô<ùÖë)ôBÀÿAý:âð6íà:Cí =¼éúä)ô)ï
l%Èòúá÷)ò âõ
åå ]å hå
¼÷äÖõ¼ôøÈùë)ôøüé6ùEÈòé)ó)ô å8,"!úðÿí%ÀôéSâõ6é6áóî6ä
ßß àâáã)ä åçaÿíì
ß
ß9ÿíúëããAëãã)éÖäâ÷<éüáôèéøNùè-óäO6áÖäÖõ¼ôõ7?)óéÀö äÀöëÖø6ã
èë6ôä Öë N]Gõ N òáâêãÖøâZî N3øÈùôä)ó ?ëÖî6äôé øÈôõòâáêãÖøâîAøNò ë)÷÷âóäÖõâõ
ýíÿ 
ð Àô<ùÖë)Bô ÀÿAý :âð6íà :Cí =¼éúä)ô)
ï l%ÈòñôîÀòB]ö
öÖáÖ$Lã6*ô
)øÈòÖ$Ré6*aó$ôR*Èå )õ9"å !5hð#å 1ÿâ4Bí 0 ÀôSé¼÷âäÖõüé6õ¼áôóøÈùî6ë)ä5ô#åøüé6hEù5å Èòé)ó)ôåõ
ýíÿ 
ð Àô<ùÖë)Bô ÀÿAý :âð6íà :Cí =¼éúä)ô)
ï l%Èòúá÷)Bò ]ö
öÖ"áÖ!5ã6ôðøÈòÖÿâí%é6óôÀôéS)õ)õ6é6å áóh#åîüäñ14å#0 hå5¼÷äÖõ¼å ôøÈùë)ôøüé6Eù Èòé)ó)ô(õ $R*È8å Key fingerprint
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ßß àâáã)&ä –=aç AF19
ÿíì
ß
ß ÖäA÷é62ù NˆôA÷9é ÿâíñéüù1øÈùôä)óâùÖëãêÖé @äõô)ïÖë)ô<ôó 5ôé-ïøÀô
&
ôâïä-òâáêãÖøâîë)÷÷âóäÖõâõ6äÖõJé ?AôâïÖ&ä ?øÈóä Öëãâã é)<ó ;J
c
õ6ä6óûä)óYõ #íâïÖä 9ø6ããJêÖä5ë6êãâä-ôé<óäëîÀïAôâïÖ&ä ?øÀóä Öëãã
çNø ?úëããâé Öä)÷(ì øÀô)ïÖé6á&ô ÿâ4í íâïÖä<óâáã)äÖõêÖäãâ"é úô)ïÖë)ô
ïÖùÖëüä6ùôÖ÷é)ãâóä<F2ëÖ îâî6äÖõõôé<ôâïÖQä ;Jc õüä)óûä)ó7õ ?âóéÀö øÈùõø¼÷ä ôâïÖä
ýíÿ 
ð
Àô<ùÖë)B
ô
ÀÿA
ý
:âð6í
à
:Cí =¼éúä)ô)
ï âõ
å 0<C!úð âÿ6
í
ÀôS
é
)õ6é6áóîüäñ#
å
h5
å
h#
å
hå )
ßß àâáã)&ä –aç ÿíì
ß
ß ÿíúëãã øÈùîüéÀöøÈùèòÖëÖCî Fä6ôõôé<ôâïÖäAäÀöëÖø6ã èë)ôä ë <ôé
9
ôâïä-òóøÀûë)ôäñøÈò ë)÷÷âóäÖõâõJé6ù!øÀôIõ N òáêÖãÖøâZî N%øNùôä)ó ?ëÖî6ä
ýíÿ 
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0_7å C!
;âÿ6
í
ÀôS
é
ßß àâáã)ä3Îçaÿíì
ß
ò9ß óøÀÿûíºë)ôä5øÈùøÈîüòéÀöë)øÈ÷ù÷âè-óòäÖëÖõâCîõFéä)?pôõøÈôôQéõIÖN òä6Sêáêüòãé)øâóîZôN%ëøÈã-ùôõ6ä)ä)óóû?ä)ëó<î6ä ôé
ýíÿ 
ð À÷Àô<äÖõ¼ùÖôë)øNBôùÖë)ÀôÿAøüé¼ýù à â8å à:Ch#å í 12 = ¼÷15å h#å 0
<C!
;âÿ6
í
ÀôS
é
ßß àâáã)&ä $–aç ÿíì
ß
ß?øÈóÿä ÖíºëøÈãâù-ã îü?âéÀöóéÀøÈöùè-ôâïòä-ëÖCî êFé)ä)óô÷õä)ôó<é<óôâé6áïÖô-ä ä)
ó<;ôý éACõ ôâõï6äãâé)è-õ õòÖ)é)ãâóâé)ôñè éüõüùñä)óôâûïä)2óä 9
ýíÿ 
ð Àô<ùÖë)Bô ÀÿAýà âà :Cí = Nòúá÷6ò âõ 5å h#å h#å ]å $
¼÷!#
å h#å ]#å =hå AF19
)<¼÷FA27
äÖõÀôøÈùÖ2F94
ë)ôøüé6'ù 998D
Èòé)óâ3
ô FDB5
$Tå 6"!&DE3D
;ÿâí F8B5 06E4 A169 4E46
Key fingerprint
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
#140 # #
#140 # #
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßßÈôéS¼÷äõ¼ôøÈùÖë6ôøüé6ùñå]å#håâå
ýíÿ 
üãâé)E
è Èòóäð ?Àø ô[email protected]÷âANàó
éüGò<ÈÿHG;
à:6-ýH)ý ÿI=A "!9
:= 6ã)é)èE6ãâä6ûäã-)
ýíÿ 
ð
Àÿ ý í
]ö õ¼ôë6ô
ä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ýíÿ 
ð Àÿ :Cíâý í ]ö õ¼ôë6ôä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ýíÿ 
ð À9ÿ :6à ÿà ;%]ö õ¼ôë6ôä âõ¼ôë)ôä
ð6íÿ ð D;* à âÿ)í ;9"!<ÿþþ âýí
ßßAàâáãâä9–çÆä)ôâïì
ß
ß ;óé6ò öéõ¼ôAô âòÖäÖõé ?ñé6áôâêÖé6áù÷ þ J2ý [email protected]î6äüòôøüé6ùõJë)óä
9
äÖîÈïÖé-óä O)áÖäõ¼ôõJë6ù÷ þ Jý<áùóäâëÖîÀïÖë6êÖãâäÖLõ eJë6ù ñé?Aô)ïÖäÖõ6ä
ô)òÖäÖ`õ ø6ãâã êä5÷âóé6FA27
òòÖäâ÷ ê 5ô)ïÖäº998D
øföÖòãÖøâîøÀô<÷ä DE3D
?ë6áã6Q
ô ;W*
Key fingerprint
êá9ô &ä Öëü=ùôAAF19
ôé îüë6òôâáóä2F94
ôâïÖäÀö øÈù ë õÀFDB5
òÖäÖîø¼ëãJóâáã)ä F8B5 06E4 A169 4E46
íâïä)óä<ë)óä<ûä)ó ?ä ºî6ëÖõ6äÖõAøNù ïøâîÀïAôâïÖäõ6ä òÖëÖCî Fä6ôõë)óä
ãÖ8ø Fäã <ôé5ë6òòäë)9ó ?é)óñãâä6èøÀôø]öë)ôäJóäëÖõ6é6ùLõ XÖä øÈùî6ãüá÷ä
õ6éüáóî6Qä O)áä6ùîÀïºøÈùúôâïø)õèâóé6áò<êÖäî6ë6áõ6äñøÈôºîüë6ùúêä-áõ6äâ÷
?é6óñë&;:âð
ß ýíÿ ð úä)ôâ
ï .:üá
ô .6à .
ýíÿ 
åå å "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ 
åå "!5ð ä)Àÿôâ
ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$å
"!5ä)ôâ
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
$
"!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å "!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å $
"!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
Tå "!5ä)ôâ
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å )
"!5ä)ôâ
ýíÿ 
æ "!5ð ä)ôâÀïÿ :C.:üíâáýô .üíà üé5. ä)ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
ýíÿ 
ð Àÿ ï :C.íâ:üýá
ô í.6à üé5
.ä) ôâ
ï %Nò!ø)îhöÖò ø)îhöÖ'ò Àô âòÖä
å "!5ä)ôâ
ýíÿ 
ð =ÀAF19
ÿ :Cíâý FA27
í üé5
ä)ôâ
ï %998D
Nò!ø)îhFDB5
öÖò DE3D
ø)îhöÖ'ò Àô F8B5
âòÖä 06E4 A169 4E46
Key fingerprint
2F94
© SANS Institute 2000 - 2005
Author retains full rights.
5ä)ôâï üáô 6à
ýíÿ 5ð ä)Àÿôâï íâüýáô í6à üé5ä)ôâï Nò!ø)îhöÖò ø)îhöÖò Àô âòÖä
åå ýíå ÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
åå ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýå íÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
æ ýíÿ 5ð ä)ôâÀïÿ 6üàáÿô üàà ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
å ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ 5ð ä)Àÿôâï 6àüÿáô à6à ¼é5ä6ôâï Èò!øâîhöÖò øâîhöÖò Àô âòÖä
ýíÿ ð Àÿúä)ôâï üáô 6à
fö1ãÖøföøÀô 6ãø]öøÀô
þNöýýíøÈùÿ áôä ð Àÿúä)ôâï ü6áã)é)ô è6à6ãâä6ûäã 6ã)é)àè üÈýòóä ø Öëâ÷
ßßAàâáãâäºåçÆä)ôâïì
ß
ß9;óé6ò öéõ¼ôAô âòÖäÖõé?pøÈùâêÖé6áù÷ þJý[email protected]î6ä6òôøüé6ùõë)óä
áùóäëÖîÀïë6êãâäÖõlë6ù÷úäÖîÀïé<óä6òãÖøüäõL í)ïÖäÖõ6äAë)óäñî6é6ûä)óäâ÷ ê
ôâïä<èä6ùÖä)óø)îóâáãâäAëãã)é øÈù3è ð)íÿ ðD;<ë6ù÷<àâÿí;
ôóë ??øâîêÖëÖCî FºøÈùôé<ô)ïÖä<ùä)ô Öé)ó F4Mä5÷éü2ù Nˆô
õÀòäÖîCø ?ø)î6ëãã öä6ùôøüé6ùúäÖîÈïÖé-óä O)áÖäõ¼ôõlêÖäî6ë6áõ6-ä ä5ë6óä
èéÖøÈùè<ôé5ëããâ"é úô)ïÖäÀöñôé<ôâïÖQä Pý 5èë)ôä Öë òâáêãÖøâî
êßøÈùã)ôéÖä)îCóF?äâ÷Jëî6ïÖRä ä)*uóëüäù ÷5ô)ïÖä QÖé6ù Nˆôöë Fä øÀôAôâïÖä6óä Cø ?5ô)ïÖä úë)óä
ýíÿ 
ð úä)ôâ
ï . Sù .üà .å
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"!
.: . .
:C %
' "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E $
"!
.: . .
9: ; ,
E "!
.: . .
Key fingerprint
= AF19
06E4 A169 4E46
9: FA27
; 2F94
998D
, FDB5 DE3D
E F8B5
$
"!
.: . .
9: ; ,
E T
"!
.: . .
9: ; ,
E )
"!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
9: ; ,
E "!
.: . .
.: . .
%
)
"!9
:= E
UB E ? @AV
J 6U;WGA
.: . .
"!Q; :
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ
ýíÿ
ýå íÿ
ýíÿ
ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
æ ýíÿ
å ýíÿ
ýíÿ
ýíÿ
ýíÿ
ýíÿ
ýå íÿ
ýíÿ
ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
å ýíÿ
æ ýíÿ
å ýíÿ
ýíÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)Àÿôâï
5ð ä)ôâÀïÿ
5ð ä)Àÿôâï
ð Àÿ
ýù 6íà
ýù 6íà
ýù 6íà
ýù 6íà
ýù 6íà
ý ù íüà
ý ù íüà
ý ù íüà
ý ù íüà
ýù 6íà
ý ù íüà
ý ù íüà
ý ù íüà
6àù ÿ6à à
6àù ÿ6à à
6àù ÿ6à à
6àù ÿ6à à
6àù ÿ6à à
6à ÿù üàà
6à ÿù üàà
6à ÿù üàà
6à ÿù üàà
6àù ÿ6à à
6à ÿù üàà
6à ÿà
øå ä)ôâï Èò!øâîhöò
øå ä)ôâï Èò!øâîhöò
øå ä)ôâï Èò!øâîhöò
øå ä)ôâï Èò!øâîhöò
øå ä)ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
øå ä)ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
ø ä)å ôâï Èò!øâîhöò
âå ø ä6ôâï Èò!øâîhöÖò
âå ø ä6ôâï Èò!øâîhöÖò
âå ø ä6ôâï Èò!øâîhöÖò
âå ø ä6ôâï Èò!øâîhöÖò
âå ø ä6ôâï Èò!øâîhöÖò
âø å ä6ôâï Èò!øâîhöÖò
âø å ä6ôâï Èò!øâîhöÖò
âø å ä6ôâï Èò!øâîhöÖò
âø å ä6ôâï Èò!øâîhöÖò
âå ø ä6ôâï Èò!øâîhöÖò
âø å ä6ôâï Èò!øâîhöÖò
âø ä6ôâï Èò!øâîhöÖò
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâî]öÖò Àô )òÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
øâîhöÖò Àô âòÖä
ins
f
eta
rr
ho
ut
5,
A
00
-2
00
20
te
tu
sti
In
NS
SA
©
ull
rig
ht
s.
,
' "!
. S. .
,
' $
"!
. S. .
,
' $
"!
. S. .
,
' $
"!
. S. .
,
' $
"!
. S. .
,
' "!
. S. .
,
' T
"!
. S. .
,
' $
"!
. S. .
,
' Key fingerprint
998D FDB5 DE3D F8B5 06E4 A169 4E46
)
"! = AF19
. SFA27
. 2F94
.
,
' "!
. S. .
,
' "!
. S. .
,
' "!
. S. .
,
' "!
. S. .
9: ; ,
E "!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E "!
. S. .
9: ; ,
E T
"!
. S. .
9: ; ,
E $
"!
. S. .
9: ; ,
E )
"!
. S. .
9: ; ,
E "!
. S. .
9: ; ,
E "!
. S. .
9: FA27
; 2F94
998D
, FDB5 DE3D
E F8B5
Key fingerprint
= AF19
06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
5ä)ôâï ùS.üà.å
ýíÿ 5ð ä)Àÿôâï 6à ÿùS.üàà; â.ø å ä6ôâï,Èò!øâîhöÖò øâîhöÖòEÀôâòÖä
ýíÿ ð Àÿúä)ôâï
. ùS.üà.å ]öpãÖø]öiøÀô66ãÖø]öiøÀô
þNöýýíøÈùÿ áôä ð Àÿúä)ôâ
ï .6 Sùã)é).üèEà 6ãâä6û.äå ãUB"!&6;ã)àé)èE:6ýÈòóä?ø@AVÿ;
ßßAàâáãâ9ä –çÆä)ôâïiå)ì
ßßAÿÖããâ"é ºøÈùôä)ó)ùÖä)ô-ïÖéÖõÀôõôé î6é6ùùÖäî¼ô-ô&é Pý Aèë)ôä Öë NfõlòáêãøâîAøÈùôä6ó?ëÖî6ä-?é)ó ý ðäîL
ß ýíÿ ð 5þø¼÷ )ææ ýíÿ 
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò ¼÷p#å h5å h#å ¼÷äÖõ¼ôøÈùë)ôøüé6E
þøÀ÷ )ææ 0 ù ÈòÖé6óâ3ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð ôë)À9ÿô,ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $ ¼÷!)âææ#å h#å h5å C
?
]
1
ö
¼
õ
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å ¼÷!)âææ#å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å _å
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å hå )
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ å 0
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å h5å "!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å "!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ ø ä)ôâï_å âõ #å h#å _å
"!<à í à ýíÿ 
ð úä)ôâï_Cå . Sù .üà ..
ýíÿ 
)õ¼ôë)ô7
ä ð Àÿ5þ"!5ø¼÷ ä)ôâïiå .) Sùæ.6æ à .ø.ä) ôâï_å ]ö õ¼ôë)ôä
ýíÿ 
ð Àÿúä)ôâï_Cå . Sù .üà .. ]ö1ãø]öøÀ%ô üãÖø]öøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @A ýð þ
Jÿþþýí5A
ýíÿ 
ðð Àÿú5þä)ôâø¼ï_÷ Cå . Sù.üà)ææ h.å . C!Aÿþâþ ýí
ýíÿ 
ýíÿ 
ð Àÿ :Cíâý í üé5ä)ôâï_&å Nò5á÷)ò ¼÷!#å h#å h5å ¼÷äÖõ¼ôøÈùë)ôøüé6E
þøÀ÷
)ææ]å ù ÈòÖé6óâ3ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð Àÿ ä :Cíâ)ýõ¼ôíë)ô3ä üé5ä)ôâï_"&å !AN,òþø¼$÷ À÷!)âæ5å æ h#å håh#å 0
C?
]ö1õ¼ôë)ô,
ýíÿ 
ð Àÿ :Cíâý í üé5ä)ôâï_&å N,ò $å À÷!5å h#å h#å 0
?
]ö1õ¼ôë)ô,
ä âõ¼ôë)ô-ä "!Aþø¼÷)ææhå
ýíÿ 
ð =ÀAF19
ÿ :6à ÿFA27
9
à ; 2F94
¼é5ä6ôâïiQ
å Èò5áFDB5
÷)ò ¼÷pDE3D
å h5å h#å F8B5
#
Key fingerprint
998D
06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"!
.
9:
"!
.
)
"!9
:=
J 6U;WGA
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
¼õôÀ÷ë)ôäÖäõ¼ôøNùÖâõÀë)ôôë)øüôéüä3ù'ÈòÖéüóô-$"!5 þø¼÷]ö)ææhå
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä ¼é5ä6ôâïi"!AQå þÈ,òø¼÷ $ ¼÷!)âææå#hhå#å hå5
C?
]ö1õ¼ôë)ô,
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä ¼é5ä6ôâïi"!AQå þÈ,òø¼÷ $å ¼÷!)âææ#å hh#åå hå5
C?
]ö1õ¼ôë)ô,
ýíÿ 
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ #å h#å h5å _å
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ #å h#å h5å hå )
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ å 0
"!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ #å h#å h5å "!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ #å h#å "!<à í à ýíÿ 
ð Àÿ5þø¼÷ )ææ h/
å üé5ä)ôâï_å âõ #å h#å _å
Key fingerprint
"!<à í à = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ 
ð úä)ôâï_Cå .:üá
ô .6à ..
ýíÿ 
å üé5.ä).ôâ ï_å ]ö õ¼ôë)ôä
)õ¼ôë)ô7
ä ð Àÿ5þ"!5ø¼÷ ä)ôâïiå .:ü)áæôæ .ühà /
ýíÿ 
ð Àÿúä)ôâï_Cå .:üá
ô .6à .. ]ö!ãÖø]öøÈBô 6ãÖø]öøÈô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @A ýð þ
Jÿþþýí5A
ßßAàâýáíÿãâ
亝åð çÆä)ôâÀïiÿúå)ä)ì ôâï_Cå .:üá
ô .6à .. "!Aÿþþ ýí
ß
ßAÿÖããâ"é AôâïÖä-òáêãÖø)îAøÈùôä)ó ?ëÖî6ä-é ?Aô)ïÖ9ä Pâý Aèë)ôä ë <ôé
î6éüùùÖäÖî¼-ô øÀôâïñé)ôâïä)óºøÈùôä)ó)ùÖä)ô ïÖéõ¼ô7õ ?é)ó ýðâäÖLî þ)äá@óî6óä6òä6ùô<ôôã é*
øÈùô)ïÖøÈôäAøüèë)ë)ôôä7ä FÖäë ø<÷Èùéè-äÖùÖõä)ùÖèé6é)ôñôøüëë)ôî¼ôâøüáÖéüùëãâõLã <÷é<ôâïøâ#õ *
ß ýíÿ ð 5þø¼÷ þ ýíÿ 
ð Àÿ ý í ø ä)ôâïiQå Èò5á÷)ò )õ 5å h#å h#å 0
þÀøÀ÷÷äÖõ¼ôþøNùÖ
ë)ôøüéü0'ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ 
ð
Àÿ ý í ø ä)ôâïiQ
C?
]ö1õ¼ôë)ô,
ä )õ¼ôë)ô3ä å "!AÈ,ò þ$ø¼÷ âþõ #å h5å h#å ýíÿ 
ð Àÿ ä ý)õ¼íôë)ô3ä ø ä)ôâïiQå "!AÈ,ò þ$ø¼÷å âþõ #å h5å h#å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò5á÷)ò âõñ#å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
þøÀ÷þ
0ù ÈòÖéüó-ô $ ]ö1õ¼ôë6ô,ä âõ¼ôë6ô-ä C!
ýíÿ 
ð À9ÿ :6à ÿà ; âø ä6ôâïi"!AQå þÈ,òø¼÷$ þâõ #å h#å h5å C?
]ö1õ¼ôë)ôä,)õ¼ôë)ôä3
ýíÿ 
ð À9ÿ ä :6à)ÿõ¼ôàë)ô; 3ä âø ä6ôâïi"!AQå þÈ,òø¼÷ $å þ âõ #å h#å h5å C?
]ö1õ¼ôë)ô,
ýíÿ 
ð =ÀAF19
ÿ5þø¼÷ FA27
þ 2F94
998D
ø ä)ôâï_
å ¼÷!DE3D
å h#å h5å hF8B5
#
å )
Key fingerprint
FDB5
06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
<à í à
ø ä)ôâï_å ¼÷!å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ
ø ä)ôâï_å ¼÷!å hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ
ø ä)ôâï_å ¼÷!å hå
<ýàíÿ í àð Àÿ5þø¼÷ þ
ø ä)ôâï_å ¼÷!å hå hå
<ýàíÿ í àð Àÿ5þø¼÷ þ
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å ùþ üà å ø ä)ôâï_å ¼÷!å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiþå ù 6à ø å ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å ù üà å ]ö1ãø]öøÀô üãÖø]öøÀô
NJöÿøÈùþáþ ôýä í
6ã)é)è 6ãâä6ûäã 6ã)é)è Èòóä ø ýð þ
ýýííÿÿ ðð Àÿú5þä)ôâø¼ï_÷ å ùþ üà hå å Aÿþâþ ýí
ýíÿ ð Àÿ 6à ÿà ¼é5ä6ôâïiå Èò5á÷)ò âõñå hå hå
þÀøÀ÷÷ äÖõ¼ôþøNùÖë)ôøüéü]ù å ÈòÖéüóô ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ þ âõ å hhåå hå
ýíÿ ]ö1õ¼ð ôë)Àÿôä 6à)ÿõ¼ôàë)ôä ¼é5ä6ôâïiAå þÈòø¼÷ å þ âõ å hhåå hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå _å
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå
<ýàíÿ í àð Àÿ5þø¼÷ þ hå üé5ä)ôâï_å ¼÷!å hå hå
<ýýàííÿÿ í àðð Àÿ5úþä)ôâø¼ï_÷ å üáþ ô 6à hå å üé5ä)ôâï_å ¼÷!å
)ýõ¼íôÿë)ôä ð Àÿ5þ5ø¼÷ ä)ôâïiþå üáô ühà å üé5å ä)ôâï_å ]ö õ¼ôë)ôä
ýíÿ ð Àÿúä)ôâï_å üáô 6à å ]ö!ãÖø]öøÈô 6ãÖø]öøÈô
NJöÿøÈùþáþ ôýä í
6ã)é)è 6ãâä6ûäã 6ã)é)è Èòóä ø ýð þ
ßßAàâýáíÿãâ9ä –ð çÆä)ôâÀïiÿúå)ä)ì ôâï_å üáô 6à å Aÿþþ ýí
ß
ßAÿÖããâ"é ºøÈ=ùôAF19
ä)ó)ùÖä)ô-FA27
ïÖéÖõÀôõ2F94
ôé-òøÈ998D
ùèAôâïÖQäFDB5
Pý 5èë)ôä Öë 4XÖä
Key fingerprint
DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"! # # 5
"! # #
"! # #
"! # # 5
"! 0
"! C. S. . C.
7
"!
. S. . .
C. S. . C.
%
)
"!9
:= E
-)% E ? @A BA
Key fingerprint
= AF19 CFA27
. S. 2F94
. C.998D
C! FDB5
DE3D F8B5 06E4 A169 4E46
9: ; Q
# 5 #
'
-$ ,
-
C!
9: ; Q ,$ # # 5
C?
,
3
"!
9: ; Q ,$
# # 5
C?
,
3
"!
/
# # 5 )
"! /
# # 5
"! /
# #
"! /
# #
"! /
# # 5
"! /
0
"! C.: . . C.
/
7
"!
.: . . C.
C.: . . C.
B
)
"!9
:= E
-)% E ? @A BA
C.: . . C.
"!
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ëãâãâé Aôâïø)3õ ?é)óúôäÖõ¼ôøÈùQè Pý î6é6ùâùÖäÖî¼ôøÈûøÀô úøâõõÀáÖäLõ àë6ôä5ãÖø]öøÀôøÈùèAë6òâòãÖøüäÖõôé<ô)ïÖä<òøÈùè<óäO6áÖäÖõ¼ôõYXÖä
ëãÖãâøföãâéøÀAôäâó÷Jä6êòÖúôãÖøü)äÖïÖõäºôé<øNùèôéä)óâêÖùëÖä)&ôî F?*uøÀêóáä ôAÖëôâãïÖRã ä- ô âòäÖõ ëããâé äâ÷Aë)óä
ß ýíÿ
ðúä)ôâï_åC. ùS.üà.
ýíÿ 
ð À9ÿ :6à ÿà ; âø ä6ôâïiQå Èò!øâîhöÖò À÷1#å ]#å h#å ä)ô)âïiøâîhCå öÖ. 'ò ùÈô.6âòà Ö-ä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ 
ð Àÿúä)ôâï_Cå . Sù .üà . ]öpãÖø]öiøÀ6ô 6ãÖø]öiøÀô
õ6äÖî6é6ù
÷ 6ãÖøföøÀEô Èêâáóõ¼3ô $6C!<
:= 6ãâé)>è 6ãâä)ûä-ã )
üãâé)èEÈòóä?ø@ANà
6JÿþþýíBA
ýíÿ 
ð
Àÿúä)ôâï_Cå . S
ù .üàô $6C.!A ÿþâþ ]öpýí ãÖø]öiøÀ6ô 6ãÖø]öiøÀô
õ6äÖî6é6ù
÷
6ãÖøföøÀE
ô
Èêâáóõ¼3
ýíÿ
ðúä)ôâï_åC.:üáô
.6à
.
ýíÿ 
ð Àÿ :Cíâý í üé5ä)ôâï_&å Nò!ø)îhöÖò ¼÷p#å h5å h#å föõ¼ôë)ô
ä âõÀôë)ô3ä "!
Key fingerprint
ä)ô)âïiøâîhCå öÖ.'ò:üáÈôô âò.6=Öà -ä AF19
. FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ 
ð À9ÿ :6à ÿà ; ¼é5ä6ôâïiQå Èò!øâîhöÖò À÷1#å ]#å h#å âøâîhöÖ'
ò
Èô âòÖä)ô)ïiåC.:üáô.6àä . föõ¼ôë)ôä âõÀôë)ô3ä "!
ýíÿ 
ð Àÿúä)ôâï_Cå .:üá
ô .6à . fö1ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷
üãâé)E
è Èòóä ?6ø ãÖ@øföANà øÀ
Eô Èêâá6óõ¼3ô J$6ÿþC!<þ ýBí:= A 6ãâé)>è 6ãâä)ûä-ã )
ýíÿ 
ð À6ÿúãÖøföä)ôâøÀï_Eô CåÈêâ.á:üáó
ôõ¼.63ô à $6
C!A. ÿþâþ ýfö1í ãÖøföøÀ%ô 6ãø]öøÀô
õ6äÖî6é6ù
÷
ßßAàâáãâä9–ç{ãâéì
ßßúëããâ"é úä)ûä)ó âôâïøÈùè<é6ùºã)éé6òêÖëCî F
ß ýíÿ ð ñãâé . Sù .6à .
ýíÿ 
ð Àÿ ý í ø-ãâé "!úãâé . Sù .6à .
ýíÿ 
ð Àÿñãâé . Sù .6à . fö!ãø]öøÀ6ô 6ãø]öøÀô
)NöøÈùáô
ä "!9
:= 6ã)é)Eè 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @ANà JÿþþýíBA
ýíÿ 
ðð Àÿññãâãâéé ..:ü áSù ô.6à.6
à .. "!<ÿþþ ýí
ýíÿ 
ýíÿ
ðÀÿ:Cíâýí üéúãâé "!úãâé.:üáô.6à.
ýíÿ 
ð Àÿñãâé .:üáô .6à . ]ö!ãÖø]öøÀ%ô 6ãÖø]öøÈô
)NöøÈùáô
ä
"!9
:= 6ã)é)E
è 6ãâä6ûä-ã )%6ã)é)Eè Èòóä ?ø @ANà Jÿþþ ýB
í
A
ßßA àâýáíÿãâ
9ä –ð çˆèÖãâÀÿñé6êÖãâëéãÖ.ì :üáô .6à . C!<ÿþþ ýí
ß
ß<êãâéÖî F9?âóë)èüöä6ùôLõ Móë6èüöä6ùôäâ÷òÖëÖî Fä)ôõô)ïÖë)ôúë)óä-òÖë)óô
é ?úë6ù5ÿ Dñé)<
ó ð)ý<òÖëÖCî Fä)ô<ôé<ôâïÖQä Pý Aèë)ôä Öë 5ë)óä
ä @î6ä6òôä)2
÷ çÆðääAä)ôâïiålóâáÖãâäÖõYì íâïÖä úë)óä5ëããâé Öä)÷-ôâïÖä)óä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
êÖôäéâéúî6ë6áã)ë)õ6óäJèôâä&ïÖ?ä5é)óúä@ôé6áóóAë ò ýøÈòÖðäÖäÖõLî ïÖäë)÷ä)óõ%öë-öëFä ôâïÖä-òÖëÖîFä)ô
ß ýíÿ ð Aà .
ýíÿ
ðÀÿ:Cíâýí%Èò!øÈò
C?
C!Aà
.
ýíÿ 
ð
Àÿ ý 6
í
Èò1øNò
C?
"!-à .
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò!øÈò C? "!Aà .
ýíÿ 
ð è À6ÿAãâä)àûäãú.&å 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6AVãàø]öÿ =%øÀ9ô )UÈö;øÈùW5áôA ä "!
:= 6ãâé)>
ßßAàâýáíÿãâ
亝åð çˆèÖãâÀÿAé6êÖàëãÖì . "!&;à :üý
ß
ß ;óé6òñð)ôäëã6ôâï õâî6ë6ùLõ Xé)óüöëãã *ué6òÖä6ùAòÖé)óâôõJ÷âóé6òAêÖë)÷<òëÖîCFä)ôõZ*
9
ïø6ãâäúî)ãâéõ6äâ÷ òÖé)óâôõAõ6ä6ù÷5ë<íþâýAàð)4
óß äõÀòÖé6ùõüä-ë6ù÷JöëFäÖõ ëããòÖé)óôõ-ëüòòÖíäë)—ó5íâïéüòÖøâä6õù[ê ãâéÖCî FõôâïÖä<÷äÖõ¼ôøÈùÖë)ôø¼é6ù
ýíÿ 
ð =ÀAF19
Aà .å
Key fingerprint
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ
ð
ýíÿ 
ð Àÿÿ :C:Cíâíâýý í%%í ÈÈòúòúôôîÀîÀòò ÈÈôôîÀîÀò''ò CC??ãâãâë)ë)èèõ\õ ÿà&=*ˆý:ð D * 7C!<àà =R*ˆýð.Då *0 "!<à.å
ýíÿ 
ð Àÿ :Cíâý %í ÈòCó!<é)àôéÖîüé.ãJå ôîÀBò ÈôîÀ'ò C?ãâë)èõð W*ˆÿþ ]*ˆàð6í * U ]ö õ¼ôë6ôäâõ¼ôë)ôä3
ýíÿ 
ð Àÿ :C"!<íâàý %í
.Èå òóé)ôéÖîüéãJôîÀBò ÈôîÀ'ò C?ãâë)èõÿþ ]Aÿþ ]B]ö1õ¼ôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ <
: "!<à .å
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ÀôîÀ'ò C?ã)ë)èõlÿ &à =*ˆÿþ ]*ˆýð D*ˆàð)Rí *Æð W*0 "!<à.å
ýíÿ 
ð
Àÿ ý 6
í
Èòóé6ôéÖî6éãôîÀB
ò
ÀôîÀ'
ò
C?ã)ë)èõð W*ˆÿþ ]*ˆàð)
í
* 7 ]ö õ¼ôë6ô
ä âõ¼ôë)ô3ä C!<à .å
ýíÿ 
ð Àÿ "!<ý à 6í .Èòå óé6ôéÖî6éãôîÀBò ÀôîÀ'ò C?ã)ë)èõlÿþ ]úÿþ ]6]öõÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò ÀÀôôîÀîÀ'òò'??ãâãâë)ë)èèõ+õ^ÿ à9=R*ˆý:ðD *0 7"!<àà=*ˆýð.Då * "!<à
.å
ýíÿ
ðÀÿ9:6àÿà;%ÈòúôîÀò
ýíÿ 
ð À9ÿ :6à ÿà ;%CNò!<óàé)ôéî6.éãå ôîÀ_ò ÀôîÀ'ò ?ãâë)èõð W* ÿþ ]*ˆàð)í * 7 ]ö õ¼ôë6ôäâõ¼ôë)ôä3
ýíÿ 
)õ¼ôë)ô7
ä ð À9ÿ "!<:6à ÿà à ;%.å Nòóé)ôéî6éãôîÀ_ò ÀôîÀ'ò ?ãâë)èõÿþ ]Aÿþ ]6]ö õ¼ôë6ôä
ýíÿ 
ð ÀÿAà .å ù fö!7ã;ø]öøÀ6ôWGA 6ãø]öøÀ9ô )ÈöøÈùáôä "!&
:= üãâé)Eè 6ã)ä)ûä`ã üãâé)E
è
Èòóä ?ø @ANíþ)ýñðî6ë6B
ßßAàâýáíÿãâ
9ä –ð çˆèÖãâÀÿAé6êÖàëãÖì .å "!&;à :üý
ßßQùóäõ¼ôóøâîÀôäâ÷7ä6êñëÖîî6äÖõâõôé&ä6êSüòÖé6óôëã-õ6ä)óûä6ó
ß ýíÿ ð Aà .
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô ¼÷
å h#
å 140 ¼÷äÖ"!<õ¼ôàøÈùë)
ô.øüé6Eù Èòé)ó)ô(õ R*
]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô À÷
Key fingerprint
DE3D
å h#
å 140 =AF19
¼÷äÖõ¼ôøÈFA27
ùë)ôøüé62F94
ù Èòé)ó)ô998D
E
õ R*FDB5
(
]ö1
õ¼ôë6ôä F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
)õ¼ôë)ôä "!<à
.
ýíÿ ð ÀÿAà. fö!ãø]öøÀô66ãø]öøÀô9)ÈöøÈùáôä"!
ÿþâýþ íýÿ í 6ãâé)ð è À6ÿAãâä)àûäã-)%. 6ãâ"!<é)è>ÿÈòþþóäý?í ø@,Ahà%
ßßAàâáãâ9ä –çˆèÖãâé6êÖëãÖì
ßßQùóäõ¼ôóøâîÀôäâ÷-ðJíý5ëÖîîüäÖõõôé5äÀöëøüã-èë)ôäÖë
ß ýíÿ ð Aà .
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô ¼÷
å h#
å 140 ¼÷äÖ"!<õ¼ôàøÈùë)
ô.øüé6Eù Èòé)ó)ô(õ $R*)$ ]ö1õ¼ôë6ôä
)õ¼ôë)ôä7
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô À÷
å h#
å 14ä 0 ¼÷äÖ"!<õ¼ôà øÈùë)
ô.øüé6Eù Èòé)ó)ô(õ $R*)$ ]ö1õ¼ôë6ôä
)õ¼ôë)ô7
ýíÿ 
Key fingerprint
2F94
ð =è À6AF19
ÿAãâä)àûä-ã FA27
.
fö!ãø]ö998D
øÀ6ô 6ãFDB5
ø]öøÀ9ô )DE3D
ÈöøÈùáôF8B5
ä í"! A 06E4 A169 4E46
:= 6ãâé)>
)%6ãâé)>
è
Èòóä ?ø @,Ahà %ÿþþ ýB
ýíÿ 
ßßAàâáãâQä Îð çˆèÖãâÀÿAé6êÖàëãÖì . "!<ÿþþ ýí
ß
ßä @üî6öä6òëô<øüãôè9é ë)ô?äøÀóäë Ö5ëëããã ãâ"é Öäâ÷AëÖîîüäÖõõô&é ?é)ó Öë)ó÷öëÖø6Lã *
9
ß ýíÿ
ð5þø¼÷âæ;
)
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ]ö5öÖáã6ôøÈòÖé)óô âõ å h5å 14
¼÷äÖõ¼ôøÈùë)ôøüé6E
"!Aþø¼
÷ æ ;
ù )ÈòÖé6óâôgõ $R*
)$R*+$ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å 14
þÀøÀ÷÷äÖõ¼ô
øNùÖë)æô;
)øüéü0'ù ÈòÖéüó-ô $ ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å h#
å 14ä 0 ¼÷äÖ"!Aõ¼ôþøÈùø¼÷ë)ôøüé6Eù Èòæ ;
é))ó)ô(õ $R*)$R*+$ ]ö õ¼ôë)ôä
)õ¼ôë)ô7
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12
þÀøÀ ý÷÷íäÖÿõ¼
ô
øNù֝ë)æð ô;
À)øüÿ5éü0'ù þÈòÖø¼÷ éüó-ô $âæ ;
])ö õ¼ôë)¼ô÷!ä #å hâ5å õ¼hô#å ë)hôå 3ä) "!<à"! í à ýíÿ 
ð Àÿ5þø¼÷ âæ ;
) ¼÷!#å h5å h#å å "!<à í à ýíÿ
ðÀÿ5þø¼÷âæ;
) ¼÷!å]å#hå#$ "!<àíà
ýíÿ 
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââææ ;
;
)) ¼¼÷!÷!åå ]]#å#å 1h4#å hhb
å ""!<!<àà íí àà b
ýíÿ 
å
ýíÿ
ðÀÿ5þø¼÷âæ;
) ¼÷!å]å#) "!<àíà
ýíÿ 
ð Aà ..
ýíÿ 
ð Àÿ5þø¼÷ âæ ;
) ]ö õ¼ôë6ôä âõ¼ôë)ô3ä "!<à..
ýíÿ 
ð >è À6ÿAãâä)àûä-ã )%..6ãâé)>è ]ÈöpòóãÖä ø]?öiø @,øÀ6ô Ahà6ãÖ9ø]öiBøÀ9ô )ÈöiÿþøÈùþ áôýBíä CA !
:
=
6
â
ã
)
é
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
7
:= >
BA
© SANS Institute 2000 - 2005
Author retains full rights.
ßßA àâýáíÿãâ
ä9$–ðçˆèÖãâÀÿAé6êÖàëãÖì .. "!<ÿþþýâí
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ß
ß:6óëÖî6ãâä3;ë)ôëüêÖëÖõ6ä-ðâä)óûä)ó5ëããâéÖä)÷-ôé îüé6ùôëÖîÀô
Däâë)óôÖãâëüù÷ ýë¼öä6ùôAðõ¼ôäÀö_õðäÖîÀáóä ýóéÖî6äõõ6é)ó-ûøüë
íß ðSüä6ùîÀóâòôä)÷AîÀïë6ùùÖäãR
ýíÿ 
ð Aà .$
ýíÿ 
å ]å h8å ðhÀ/
#
å 9ÿ :6¼à÷ÿäÖõ¼àô;%øÈùë)Èòúôøüôé6EùîÀò ÈòÖé))ó)õ7ô 8å ææhæ#å "h!-å à À÷ .$
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.$ 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6Ahàãø]öøÀ9ô $%)Èö-øÈ;ùáôWGä"A !
:= 6ãâé)>
ßßA àâýáíÿãâ
9ä )–ðçˆèÖãâÀÿAé6êÖàëãÖì .$ "!&;à:üý
ß
ß ùôä6óâùÖë=7ã AF19
;ðöëÖFA27
õ¼ôä)ó 2F94
îüë6ù ?é)998D
ó Öë6ó÷<FDB5
é6áôõø¼÷DE3D
ä O)áä)óF8B5
Q
øüäÖõôé 06E4 A169 4E46
Key fingerprint
î6ëîÀïøÈù>è üé6ùã 7;ð õ6ä)óâûä)ó5é6ùñäÀöëÖø6ã èë)ôä ë 4 ôºîüë6ù
ëãõ6&é ?é)ó Öë6óQ÷ hé6ùä-áâò÷ë)ôäùé)ôCø ?ø)î6ë)ôøüéüùLõ iÖëÖõ¼ôø¼é6ù
ïÖëÖé7õ õ¼Öôäõãâáã õ6 ä5äÀöëÖø6ãèë)ô"ä Öë 5ëÖõJôâïÖäÖøÀó<òóø]öë6ó Q;ð õ6ä)óâûä)ó
ß ýíÿ
ðAà.)
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å hb
å ¼÷!å h5å 14
¼÷äÖõ¼ôøÈùë)ôøüé6E
ù
ÈòÖé6óâ3
ô
$ ]öõÀôë)ô,
ä
âõÀôë)ôä "!
à .)
ýíÿ 
ð Àÿ :Cù ÈíâòÖý é6óâ%í 3ô È$ò5 á÷)]òöõÀâôõë)ôå,ä ]#åâõÀh#åôë)hb
åô-ä ¼÷! å "h5å!<14à .)
¼÷äÖõ¼ôøÈùë)ôøüé6E
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $hå À÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
"!-à.)
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å )hå $ À÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
"!-à .)
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å h5å ) ¼÷
å h#
å 14"!-0 à¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#
å 14"!-0 à ¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å 14"!-0 à¼÷.)äÖõ¼ôøÈùë)ôøüé6Eù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å
140 ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)Qô $ ]öõÀôë)ôä )õ¼ôë)ôä
"!-à .)
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12$ ¼÷
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå À÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå À÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå ¼÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå hå ]å À÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ¼÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå ¼÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
¼÷
å hå -à ¼÷äÖõ¼ôøÈùë)ôøüé6ù Èòé)ó)ô ]öõÀôë)ôä )õ¼ôë)ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã 6ãâé)fö!è Èòãóø]öä øÀô ø 6hàãø]öøÀô ÈöøÈÿùþáþôä ýí
ßßAàâýáíÿãâ9ä –ð çˆèÖãâÀÿAé6êÖàëãÖì <ÿþþ ýí
ßßAÿÖããïÖéÖõÀôõJèä)ôAôø]ö&ä ?âóéÀö ôâïÖäÖõ6äúõüä)óûä)óõ
ß ýíÿ ð Aà .
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å ¼÷
å ]#å h#å h8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ #å h#å ]#å hå $ ¼÷
å ]#å h#å hä8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å ¼÷
å ]#å h#å h8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
)õ¼ôë)ôä7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ #å h#å ]#å hå $ ¼÷
å)]õ¼#å ôhë)#å ôh7ä8å ) ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôø¼é6'ù ÈòÖéüóôúå ]ö õ¼ôë6ôä
#
ýíÿ
ð5þø¼÷);4
ýíÿ 
)õ¼ôë)ô7
ä ð Àÿ :C"!Aíâýþø¼í÷ âõ )"å ;40 fö õÀôë)ôä
ýíÿ 
ð Àÿ :Cíâý í âõ #å h5å h#å hå $ ]ö õ¼ôë6ôä âõ¼ôë)ôä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
#140 E
Q$ "! .)
9: ;%
8 #$ #140 E
Q$ "! .)
9: ;%
8 #) $ #140 E
Q$ "! .)
9: ;%
8 # 5) #140 E
Q$ "! .)
9: ;%
5 # # $ #140 E
Q$ "! .)
9: ;%
8 #12 #140 E
Q$ "
!
.
)
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
9: ;%
8 #12 #140 E
Q$ "! .)
9: ;%
8 #12$ #140 E
Q$ "! .)
.)
6
9)
"!
:= >
-)% > ? @,A )%
BA
.) "!
© SANS Institute 2000 - 2005
Author retains full rights.
<þø¼÷
ý íÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
à Àý÷íäÖÿõ¼ôøNù֝ë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]hö1å õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å
fö õÀôë)ôä âõÀôë)ôä
ýíÿ <þð ø¼÷Àÿ íâý í hå âõ å hå hå hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷
hå Èò5á÷)ò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
hå Èò5á÷)ò ¼÷!å ]å
à Àý÷íäÖÿõ¼ôøNù֝ë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å hå hå ]å fö õÀôë)ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
ÈòúôîÀò ¼÷!å ]å
Àà ÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð 5þø¼÷
]ö õ¼ôë)ôä
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å
)ýõ¼íôÿë)ôä ð Àÿ A6à ÿþø¼à÷ )õ å hå hå ]å fö õÀôë)ôä
ýíÿ ð Àÿ5þø¼÷
Èò5á÷)ò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷
Èò5á÷)ò ¼÷!å ]å
à À÷äÖõ¼ôøNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã 6ãâé)fö!è Èòãóø]öä øÀô ø 6hàãø]öøÀô ÈöøÈÿùþáþôä ýí
ßßAàâýáíÿãâ9ä –ð çˆèÖãâÀÿAé6êÖàëãÖì <ÿþþ ýí
ß
ß<êÖëÖõ¼ôøüé6ù<ïÖéÖõÀôõëããâ"é Öäâ÷-ôé áõ6ä øÈùôä)óâùÖëUã ;ðöëÖõ¼ôä)ó
ëÖõ5õ6äÖîüé6ù÷ë)ó 3;ð “üöëø6ãèë)ôä Öë *RëÖõ5õ)ãâë)ûä õüä)óûä)ó<ôé
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
"!
);4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
:C 0 ,
"!
);4
:C # 5 # $ "!
);4
);4 `
#14
'
,
-
C!
.
);4 `
#14
'
2F94
,FDB5
F8B5
C!
Key fingerprint
= AF19
FA27
998D
DE3D
06E4 A169 4E46
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
);4
9: ; 8 7
"!
)";4
9: ; 5 # # $ 7
"!
)";4
);4&
#14
'
,
-
C!
.
);4&
#14
'
,
-
C!
.
.
6
9)
"!
:= >
-)% > ? @,A %
BA
. "!
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ôßøÈùóôë6ùä)óâõ"ùÖ?ëä6óãõL÷ éÀöëÖøÈù2*›ëãã)éÖäâ÷ ôé î6éüùôëÖî¼ôJöëÖõ¼ôä)ó9?é)ó<hé6ùÖä
ýíÿ 
ð Aà .
ýíÿ 
åhå#$]åð Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈòúø¼é6ôù'îÀÈòòÖéüóâô-õ $å]"å#!<hå#àhåb
.¼÷
ýíÿ 
åhå#)]åð$ Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈòúø¼é6ôù'îÀÈòòÖéüóâô-õ $å ]"å#!<hå#àhåb
.¼÷
ýíÿ 
å .¼÷
å h#
å $]å ð Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈò5ø¼é6á'ù ÷)ÈòòÖéüóâ-ô õ $å ]"#å !<h#å à hb
ýíÿ 
å .¼÷
å h#
å )]å ð$ Àÿ¼÷:CäÖíâõ¼ýôøÈ%íùÖë)ôÈò5ø¼é6á'ù ÷)ÈòòÖéüóâ-ô õ $å ]"#å !<h#å à hb
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ 
ÿ¼÷:6äÖàõ¼ÿôFA27
9
øÈàùÖ;%ë)ôÈø¼òú2F94
h#
å h#å ]å $ . À÷ F8B5 06E4 A169 4E46
Key fingerprint
å h#
å $]å ð =ÀAF19
é6'ù ôÈòÖîÀò éüó998D
ô )$õ 5å FDB5
"!<à DE3D
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 5å h"#å !<h#å à ]å $ . À÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2
$. ¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼òúé6'ù ôÈòÖîÀò éüó-ô )$õ 8å "h!<#å 1à2
$. ¼÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å hà 5å ) .¼÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 5å h"#å !<h#å à ]å $ . À÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 5å h"#å !<h#å à ]å $ . À÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å $]å ð À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
å h#
å )]å ð$ À9ÿ¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6'ù áÈ÷)òÖò éüó-ô )$õ 8å "h!<#å 1à2 .¼÷
ýíÿ 
ð =ÀAF19
ÿ :6à ÿFA27
9
à ;%Èò52F94
á÷)ò 998D
)õ 8å h#
å 12DE3D
$ ¼÷ F8B5 06E4 A169 4E46
Key fingerprint
FDB5
© SANS Institute 2000 - 2005
Author retains full rights.
å hå#$]å ¼÷äÖõ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$ "!<à
.
å ýhí#å ÿ
)]åð$ Àÿ9¼÷:6äÖàõ¼ÿôøÈàùÖ;%ë)ôÈø¼ò5é6ù'áÈ÷)òÖò éüóô-)$õ å8"h!<å#1à2
$. ¼÷
ýíÿ 6ãâé)ð >è À6ÿAãâä)àûä-ã )%. 6ãâé)fö!>è Èòãóø]öä ?øÀ6ô ø @,6Ahàãø]öøÀô9%)Èö-øÈ;ùáôWGä"A !
ßßAàâýáíÿãâ
äA斝ð çˆèÖãâÀÿAé6êÖàëãÖì . "!&;à :üý
ßßAÿÖããâ"é úð JýAôóëüòõ ÖøÈù ?é)óüöiõ%êÖëÖî F5ô9é JëüùÖë)èäÀöä6ùôúõÀôë)ôøüéüù
ß ýíÿ ð Aà .âæ
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å hb
å ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å h#å hb
å ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å h5å ) ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à .)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12 ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å 12$ ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à .)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å h5å ) ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.)æ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å ]å $ À÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12 ¼÷
å h#
å "!-0à$ .)¼÷æ äÖõ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å 12$ ¼÷
å h#
å
0$ ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóôúå ) ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!-à.)æ
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:=
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã-)%.âæ 6ãâé)fö!è>Èòãóø]öä?øÀô6ø@,6Ahàãø]öúøÀô9æ%)ÈöøÈÿùþáþôäýíB"! A
ßßAàâýáíÿãâ亝åð çƒèÖÀÿAãâé6àêëãÖì .âæ "!<ÿþþýí
ßß<êãâéÖî FøÈùèAëîî6äÖõõôéºøÈùôä)óâùÖëãùÖä)ô
ßúßAàâë6ùá9÷ãâä?õøÀôâóïÖä Öë)ô<ëãòÖ3ã ä)ó¼?)öóéÀøÀöô5;ëÖJ
îcîüäÖ õõôé õ6ä)óûä)óõ
ßúß é6ù ;J
cñõÀïÖé6áÖã)÷ êÖä5ëâ÷÷äâ÷AëüêÖé)ûä ýíÿ 
ðð À5ÿ þ ø¼ý÷ íâõ å )å h5å )) "!5þø¼÷ å )
ýíÿ 
ýíÿ
ðÀÿ ýí âõ åhå514 "!5þø¼÷å)
ýíÿ 
ðð ÀÀÿÿ ýý íí ââõõ åå hh5å5å 14)$ ""!5!5þþø¼ø¼÷÷ åå ))
ýíÿ 
ýíÿ
ðAà.å
ýíÿ 
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!#å#å hh5å5å hh#å#å hå )å ""!<!<àà ..åå
ýíÿ 
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#hå#$ "!<à
.å
ýíÿ 
ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ åå )) ¼¼÷!÷!åå ]]#å#å 1h4#å hhb
å ""!<!<àà ..åå b
ýíÿ 
å
ýíÿ
ðÀÿ5þø¼÷å) ¼÷!å]å#) "!<à
.å
ýíÿ 
ð Àÿ ý í âõ å h5å )) ¼÷18å "!
à .å ýíÿ 
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ 
ð Àÿ ý í âõ å h5å 14 ¼÷18å "!
à .å ýíÿ 
ð
Àÿ ý í âõ å h5
å )$ ¼÷18å "!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å )) ¼÷!å 0 C!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å 12 ¼÷!å 0 C!
à .å ýíÿ 
ð À9ÿ :6à ÿà ; )õ 8å h#å )$ ¼÷!å 0 C!
à .å ýíÿ 
ð è À6ÿAãâä)àûäUã B.å 6ãâé)>è]ö!ÈòãÖóäø]ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)Èö7øÈ;ùâáôWGä "A !
:= 6ãâé)>
ýíÿ 
ßßAàâáãâäºåðåçƒèÖÀÿAãâé6àêëãÖì .å C!&;âà :6ý
ß
ß Öäê 6ê5?âôâýòñóéõ[email protected]ä)ó5÷ûä6óéäÖõ õ ëãã-÷øÈóäÖî¼ô î6éüùùÖäÖî¼ôøüé6ù-ôéºøÈùôä)óâùÖä6ô
&
ÖäüS
ß ýíÿ
ð5þø¼÷)âþ;4
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò ]ö5öÖáã6ôøÈòÖé)óô âõ
å h#
å
$]Tå ¼÷äÖõ¼ôøÈùÖë)ôø¼é6'
ù ÈòÖéüóô(õ 'å *aR*+L*
]ö
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:= >
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
õ¼ôë)ôä âõÀôë)ôä
5þø¼÷ âþ
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
õ¼å ôýë)hôíå ÿä ]âå õÀð ôë)Àÿ5ôä¼þ÷äÖø¼÷õ¼ôøÈùÖë)5ôâø¼þþé6ùø¼÷ ÈòÖéüó¼ô÷!õ âþå å hå hå hå <à]öí à
ýýííÿÿ ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââþþ ¼¼÷!÷!åå hå ]å hå hå å <<à à íí à à
ýýííÿÿ ðð ÀÀÿ5ÿ5þþø¼ø¼÷÷ ââþþ ¼¼÷!÷!åå ]]åå hå hhåå <<àà íí àà
ýýííÿÿ ðð Àÿ5Aàþø¼÷ åå âþ ¼÷!å ]å
<à í à
à ýíÿåå ð Àÿ5þø¼÷ âþ ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð 6ãâÀÿAé)è à 6ãâä)ûäãåå 6ãâé)fö1è NòãÖóøföä øÀô ø 6Nàãø]öpøÀô åå NöJøÈùÿáþôþä ýâí
ßßAàâýáíÿãâ亝åð çƒèÖÀÿAãâé6àêëãÖì åå -ÿþþ ýí
Key fingerprint
FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ßßúëããâ"é Aô=óé6AF19
ß ýíÿ ð áAêÖàãâäÖõÀïÖ.éâé)å ô øÈùè ë6ù âôâïøÈùQè ?âóéÀö øÈùôä)óâùÖëãïÖéÖõ¼ôõ
ýíÿ 
ð Àÿ ý 6í föÈò1õ¼ôø)ë)îhöÖôòäââõõÀôë)å ôä30" !Aà.å8
âøâîhöÖò'ÈôâòÖä-
ýíÿ 
âøâîhöÖ'
ò Èô âòð ÖÀ-ä ÿ ý 6í föÈò1õ¼ôø)ë)îhöÖôòä ââõõÀôë)#å ôh3ä5å h#å "!Aà .8å ýíÿ 
ð
Àÿ ý 6
âøâîhöÖ'
ò Èô âòÖ-ä í föÈò1õ¼ôø)ë)îhöÖôòä ââõõÀôë)å ô3ä ]#å h#å ) "!Aà .8å ýíÿ 
âøâîhöÖ'
ò Èô âòð ÖÀ-ä ÿ ý 6í föÈò1õ¼ôø)ë)îhöÖôòä ââõõÀôë)å ô3ä ]#å )1 "!Aà .8å ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å )õ6é6áóîüS
ä
õ¼ôë)ôäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ #å h#å ]#å õ¼ô)ë)õ6ôé6áä óîüSäâõÀÈôòÖë)é)ôóâ3äô å 4j)"!A$$à$ .¼8å ÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å h#å )
õ¼ô)ë)õ6ôé6áäóîüSäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å )1
õ¼ô)ë)õ6ôé6áä óîüSäâõÀÈôòÖë)é)ôóâ3äô å 4j)"!A$$à$ .¼8å ÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à.å
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ #å h#å ]#å À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à .å ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å h#å )
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
3
"!
) ;2
9: ;%
#
$ T '
( '*aR*+L*
3
"!
) ;2
) ;4 # 5 # ) "! ) ;4 # 5 #
"! ) ;4 # #$ "! ) ;4 #14 b"! ) ;4 # # b"! ) ;4 #) "! . C.
) ;4 3
C!
. .
. C.
%
<)
"!9
:= >
-)B E ? [email protected],A &
BA
. C. "!
© SANS Institute 2000 - 2005
Author retains full rights.
À÷äÖõ¼ô"!-øNùÖàë)ôøüéü.ù'åÈòÖéüóô-
2j$ föõ¼ôë)ôäâõÀôë)ôä
ýíÿ
ðÀÿ ýí6Èòúá÷)ò âõ åhå5)1
À÷äÖõ¼ô"!-øNùÖàë)ôøüéü.'ù åÈòÖéüó-ô 2j$ föõ¼ôë)ôäâõÀôë)ôä
âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô8å 3ä "!A à .å8
âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô5å 3ä h#å h#å 0
"!Aà .8å âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô8å 3ä h#å h5å ) "!Aà .8å âýøâíîhöÖÿ 'ò
Èôâòð ÖÀ-ä ÿ :C íâý %íföÈò!õ¼ôë)øâôîhöÖä ò âõÀ)ôõ ë)ô8å 3ä h#å )1 "!Aà .8å ýíÿ ð Àÿ :Cíâý %í ÈòúôîÀò âõ å 0
)õ¼ôë)õ6ôé6áäóîüSäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ #å h5å h#å Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
õ¼ô)ë)õ6ôé6áä óîüSäâõÀÈôòÖë)é)ôóâ3äô å 4j)"!A$$à$ .¼8å ÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å h#å )
õ¼ô)ë)õ6ôé6áäóîüSäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ :Cíâý %í ÈòúôîÀò âõ å ]#å )1
õ¼ô)ë)õ6ôé6áä óîüSäâõÀÈôòÖë)é)ôóâ3äô å 4j)"!A$$à$ .¼8å ÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å 0
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
GC!Aà
.å
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ #å h5å h#å À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à .å ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å h#å )
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à.å
ýíÿ 
ð Àÿ :Cíâý %í Èò5á÷)ò âõ å ]#å )1
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à .å ýíÿ 
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3äå 0"!A à .8å ýíÿ 
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3ä#å h#å h5å "!A à .8å ýíÿ 
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3äå h#å ]#å )"!Aà .8å ýíÿ 
âøâîhöÖ'
ò Èô âòð ÖÀ-ä 9ÿ :6à ÿàfö;%õ¼Èò!ôë)ôøâäîhöòâõÀôâë)õ ô3äå h#å 0)1"!Aà .8å ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å )õ6é6áóîüS
ä
õ¼ôë)ôäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ
ðÀÿ9:6àÿà;%ÈòúôîÀò )õ å5hå#hå#0
)õ¼ôë)õ6ôé6áäóîüäSâõÀÈôòÖë)é)ôóâä3ô å4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6ù'Èòé)óôU
]ö
ýíÿ ðÀÿ9:6àÿà;%ÈòúôîÀò
)õ å8hå#hå5)
)õ6é6áóîüS
ä
ÈòÖé)óâô å 4j)$$$ ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)óUô ]ö
õ¼ôë)ôä âõÀôë)ô3ä "!Aà .8å ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å )1
õ¼ô)ë)õ6ôé6áäóîüSäâõÀÈôòÖë)é)ôóâä3ô å 4j)"!A$$à$ .¼å8÷ äÖõÀôøÈùÖë)ôøüé6'ù Èòé)óUô ]ö
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à .å ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å 0
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à.å
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å h5å )
À
÷
Ö
ä
¼
õ
ô
N
ø
Ö
ù
éü'ù ÈòÖéüóFA27
ô 2F94
2j$998D
fö
õ¼ôë)ôä DE3D
âõÀôë)F8B5
ôä 06E4 A169 4E46
Key fingerprintë)=ôøüAF19
FDB5
"!-à .å ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å h#å )1
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô 2j$ föõ¼ôë)ôä âõÀôë)ôä
"!-à.å
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
ßßA àâýáíÿãâ
亝å ðçƒèÖÀÿAãâé6àêëãÖì .å C!<ÿþþýí
ß
ûßAß ë6ÿÖóãøü3ãé6áPõ ý Aõ6ä)áóûõ6ä6ø)óî6äÖõõ èä)ôúëÖîîüäÖõõôé øÈùôä6óâùÖëãAõüä)óûä)ó7õ ?é)ó
ýíÿ 
ð Aà .å ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å $08å ) À÷!8å h#
å $ ¼÷äÖõ¼ôøÈùë)ôøüé6Eù Èòé)óâôõ
æææR*È*+å $L*
]öR*õÀô
ë)$Rô*+ä,R*aâõÀ)ôRæ ë)*+ô)ä-)L*+)Y"*+!<à))Ræ *+$.Rå*a$Y*
)$R*NTå L*
å âR
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò fö5öáã6ôøÈòé)óô )õ
å $08å ) À÷!8å h#
R*+'
å *aR*+8å ]ö õ¼ôë)å ô$ä âõ¼ô ë)ô3ä¼÷äÖõ¼ôøÈù"!-ë)ôà øüé6Eù È.òé)å óâôõ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò fö5öáã6ôøÈòé)óô )õ
å $08å ) À÷!8å h#
åR*ÈåL*+$R*+ fö õÀôë)ôå ä,$âõÀôë) ôä-¼÷äÖõ¼ô"øÈ!<ùë)àôøüé6Eù .Èòåé)óâôõ
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
ßßAàâýáíÿãâ
亝Tå ÚðçƒèÖÀÿAãâé6àêëãÖì .å C!<ÿþþýí
ßßAÿÖããâ"é AôâïÖäÖõ6äñõ6ä6óûä)óõôé îüé6ùôëÖîÀô õ6äãâäÖîÀôäâ3÷ íâýºõüä)óûä)óõ
ß
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ý íÿ ð Aà å
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å hå5hå#hå) ¼÷
â)æõ¼ôë)ôå ä ]å å <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å hå5hå#hå) ¼÷
å )õ¼ôë)ôä
<à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
å )õ¼ôë)ôæ ä æ hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
)å õ¼ôë)ôä hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
åÀæ)õ¼ôhë)å ôä hå <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å hFDB5
å h#å hå )DE3D
5
¼÷ F8B5 06E4 A169 4E46
)õ¼ôë)åôå ä ]å æ hå <Àà÷äÖõ¼ôøNùÖå ë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
)õ¼ôë)åôå ä ]å æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
å )õ¼ôhë)å ôä æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í ÈòúôîÀò âõ å h5å h#å hå ) ¼÷
å )õ¼ôhë)å ôä håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
â)æõ¼ôë)ôå ä ]å å <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
å )õ¼ôë)ôä
<à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
å )õ¼ôë)ôæ ä æ hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
)å õ¼ôë)ôä hå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
åÀæ)õ¼ôhë)å ôä hå <à ¼÷äõ¼ôå øÈùÖë6ôøüé6ù NòÖé6óôúå ]öõÀôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
)õ¼ôë)åôå ä ]å æ hå <Àà÷äÖõ¼ôøNùÖå ë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å h5å h#å hå ) ¼÷
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
. T
:C %
#
$ # ) # '
7
"! . T
:C %
#
)$)$ '
7
"! . T
:C %
#
$ 0$ '
7
"! . T
:C %
#
8)2 $)0 '
7
"! . T
:C %
#
T
V
'
7
"! . T
:C FA27
% 2F94 998D
#
Key fingerprint
= AF19
)$ # /
'
7
"! . T
:C %
#
)$ # b
'
7
"! . T
:C %
#
$ b
'
7
"! . T
:C %
#
$ b
'
7
"! . T
:C %
#
$ # ) # '
7
"! . T
:C %
#
)$)$ '
7
"! . T
:C %
#
$ 0$ '
7
"! . T
:C %
#
8)2 $)0 '
7
"! . T
:C %
#
T
V
'
7
"! . T
:C %
#
)$ # /
'
7
"! . T
:C %
#
© SANS Institute 2000 - 2005
Author retains full rights.
)õ¼ôë)åôå ä ]å æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å hå hå hå ¼÷
å )õ¼ôhë)å ôä æ håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð Àÿ íâý í Èò5á÷)ò âõ å hå hå hå ¼÷
å )õ¼ôhë)å ôä håâå <à¼÷äÖõ¼ôøÈå ùÖë)ôø¼é6ù Èòé)óâôúå föõ¼ôë)ôä
ýíÿ ð 5þø¼÷ å
ýíÿ <þð ø¼÷Àÿ 6à ÿå à )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ <þð ø¼÷Àÿ 6à ÿå à )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ æ å hå å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å æ âæ hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ å ]å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!åÀæ hå hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ hå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷ åå hå æ håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå æ håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å ÈòúôîÀò ¼÷!å hå håå
à Àý÷íäÖÿõ¼ôå øNù֝ë)ð ôøü5éüù þÈòÖø¼÷ éüóôúå å ]hö1å õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ <þð ø¼÷Àÿ 6à ÿå à hå )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ <þð ø¼÷Àÿ 6à ÿå à hå )õ å hå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ æ å hå å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
)$ # b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
:C %
# 5 # ) $ b
'
7
"! . T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "!
) f[
) V[&
$ # 8) #
E
8 3
"!
. T
) V[&
)0$)$
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
E
8 3
"!
. T
) V[&
$ $ E
8 3
"!
. T
) V[&
)4 $)
E
8 3
"!
. T
) V[&
T
0 T
E
8 3
"!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
)$0 # 8 '
,
-
C!
. T
) V[&
$0 '
,
-
C!
. T
) V[&
$0
'
,
-
C!
. T
) V[
9: ; 8 #12 "!
) f[
9: ; 8 #12 "!
) f[
) V[ `
$ # 8) #
E
8 3
"!
.
T
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å æ âæ hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ å ]å
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!åÀæ hå hå
à ¼÷äÖåõ¼ôøÈùë)ôøüé6ù ÈòÖé6óâôñå ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ hå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷ åå hå æ håå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå æ håå
Àà ÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ ð Àÿ5þø¼÷ å hå Èò5á÷)ò ¼÷!å hå håå
à À÷äÖõ¼ôå øNùÖë)ôøüéüù ÈòÖéüóôúå ]ö1õ¼ôë6ôä âõ¼ôë6ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã å 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôå ÈöJøÈÿùâþáþôâä ýí
ßßAàâýáíÿãâ亝å $ð çƒèÖÀÿAãâé6àêëãÖì å <ÿþþ ýí
ßßAíäÖîÀïñð6áâòòÖé)óô5ëîî6äÖõõôé ð)ý N]õùÖä õ5õüä)óûä)ó
ß ýíÿ
ðAà.å$
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å hå ]å ¼÷
8å )hå )1 À÷äÖõ¼ôøNùÖë)ôøüéü'
)õ¼ôë)ô7
ä "!<à .å $ ù ÈòÖéüóôúååÀæ ]ö1õ¼ôë6ôä
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.å $6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå $,)ÈöJøÈÿùâþáþôâä ýBí"! A
:= 6ãâé)>
ßßA àâýáíÿãâ
亝å )ð çƒèÖÀÿAãâé6àêëãÖì .å $ C!<ÿþþ ýí
ß
ß øÀó"ä Öëãã ëüù9÷ é)ó÷ä)ó<àé6áôä)óJöë õ6ä6ù÷úãâé)èâèøÈùè
9
öäõõ6ë)èäõôé î6ä6ùôóëãACõ õ6ãâé)è õ6ä)óâûä)4ó KøÀóä ÖëãLã N]õãâé)èõ
ë)óä<óé6áôäâ÷Aéüáô!øÈôõ-ãâé)èèøNùè øÈùôä)ó ?ëÖîüä í)ïÖä<êé)ó÷ä)ó
óî6éüéÈöáôä&ä)?âó-óïÖéÀöëõJøÀùôéñõ-?ãâé6øÈèóèõ¼ô5øÈùä)è ôâïøNùä)ôóâùÖä)óä)ô?ëÖøNî6ùRä ô*›ä)óõ6&é?ë֝î6ä5ä ëããâé ãâé)èõôé
ß ýíÿ ð Aà .å )
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
) V[ `
)0$)$
E
8 3
"!
. T
) V[ `
$ $ E
8 3
"!
. T
) V[ `
)4 $)
'
,
-
C!
. T
) V[ `
T
0 T
E
8 3
"!
. T
) V[ `
)$0 # 8 '
,
-
C!
. T
) V[ `
)$0 # 8 '
,
F8B5
C!
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D
06E4 A169 4E46
. T
) V[ `
$0 '
,
-
C!
. T
) V[ `
$0
'
,
-
C!
. T
. T
%
<)
"!
:= >
-)% > ? @,A T6
BA
. T C!
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ ðÀÿ:Cíâýí%ÈòúôîÀò âõ å]å#) ¼÷
å hå#"!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$åT ]ö õ¼ôë6ôäâõ¼ôë)ôä
ýíÿ ðÀÿ:Cíâýí%Èò5á÷)ò âõ å]å#) ¼÷
å h#å "!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$åT ]ö õ¼ôë6ôäâõ¼ôë)ôä
ýíÿ ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 5å h#å h#å ]å $ À÷
å h#å "!-]åà å .¼÷å äÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 5å h#å h#å ]å $ À÷
å h#å "!-]åàå .¼÷åäÖ) õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $Tå ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ 6ãâé)ð >è À6ÿAãâä)àûä-ã )%.å )6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ),)ÈöJøÈÿùâþáþôâä ýBí"! A
ßßAàâýáíÿãâ
亝å ðçƒèÖÀÿAãâé6àêëãÖì .å) C!<ÿþþýí
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ß
òÖßAß é6àóô<ä !áäùî¼óô äëø¼÷îÀïÖä6ùë6ôêã)O6Rä áÖ*›ä)óõüéøüäõhõöÖôôâòºé<ôâî6ïÖé6ùäAûäÀä6öóëõ6ë)øüã-ôø¼èé6ë)ùôõä ÷Öé6ë 2ù3Nˆô-øÀïôâïñë6ù4èë ýíÿ 
ð Aà .å ýíÿ 
ð Àÿ ù :CȝòÖíâéüýóôú%í åÈå òú ôîÀ"ò!-à ¼÷!.å å ]#å 14
À÷äÖõ¼ôøNùÖë)ôøüéü'
ýíÿ 
ð À9ÿ ù È:6òÖà éüÿóôúà ;%åå Èòúô"!-îÀò à À÷!.8åå h#å 12
À÷äÖõ¼ôøNùÖë)ôøüéü'
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.å 6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]ö!øÈ<ôå ,)ÈöJøÈàùâáôdä þâBí"! A
:= 6ãâé)>
ýíÿ 
øßâî]öÖ'ò ÈòÖé6óEôð ÈáÀÿAùóà äëÖîNïÖ.ëüêå ã6ä C!<à dþâí Àóä !âäÖî¼Eô 8øÀôâï
ßAß àâáãâäºåçƒèÖãâé6êëãÖì
ô9ßß é5Jë6ëùÖãë6ãèùÖäÀöä6ôä6Öùôúé)óFAõ¼ô÷ë6ôä)ûøüé6øâùúî6äëõ ãâãâé Öäâ÷-ôé-òä)ó ?é)ó¼ö ð J<ý O)áÖä6óøüäÖõ
ýíÿ 
ð Aà .å ýíÿ 
ð Àÿ ý 6í ÈòñôîÀò âõ å h5å $ ¼÷!å h5å h#å hå
à
¼÷.äÖåõ¼ôøÈùë)ôøüé6Eù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h5å $ ¼÷!å h5å h#å hå
¼÷äÖõ¼ôøÈùë)ôøüé6E
ù ÈòÖé6óâôñ8å )å ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .å ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å h#
å
h#
å
0) ¼÷äÖõ¼ôøÈùë)ôøüé6E
ù Èòé)ó)ô 8å )å ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!-à.å
ýíÿ 
ð À9ÿ :6à ÿà ;%ÈòúôîÀò )õ 8å h#å $ À÷
å ]#å h#å "h!-8å à$ .¼÷å äÖ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüóôúå )å ]ö õ¼ôë6ôä âõ¼ôë)ôä
#
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
:=
© SANS Institute 2000 - 2005
Author retains full rights.
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ å hå
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ å hå
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà ÈòúôîÀò )õ å hå
À÷
å hå -à ¼å ÷äÖõÀôøÈùÖë)ôøüé6ù Èòé)óôúå å fö õÀôë)ôä âõÀôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å ]å hå h-å à ¼÷å äÖõ¼ôøÈùÖë)ôø¼é6ù ÈòÖéüóôúå å ]ö õ¼ôë6ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå -à ¼÷äÖå õ¼ôøÈùë)ôøüé6ù Èòé)ó)ô å å ]ö õ¼ôë)ôä âõ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å hå
À÷
å hå -à ¼å ÷äÖõÀôøÈùÖë)ôøüé6ù Èòé)óôúå å fö õÀôë)ôä âõÀôë)ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã å 6ãâé)è]ö!ÈòãÖóø]ä öøÀø ô hà6ãÖø]ö!øÈôå ÈöJøÈÿùâþáþôâä ýí
ßßAàâýáíÿãâ亝åÀæð çƒèÖÀÿAãâé6àêëãÖì å <ÿþþ ýí
ß
ßAíäÖîÀïñð6áâòòÖé)óô<èä)ôõóäÀöé)ôä<ëâ÷¼öiøÈùñëÖîî6äÖõâõôéúëãã
ýßøÈùþ)ôÿâùä)óâùÖïëä)ãóïÖä éÖõ¼ôõ-ëüù÷<ôâïÖä êÖé)ó÷ä)ó<óé6áôä)ó<ûøüëñõõÀï é)ó
ýíÿ
ð5þø¼÷Öæ
ýíÿ 
ð ÷Àÿ Öýæ í¼ ÷!å ]ö õ¼ôë6ôä âõ¼ôë)ôä
"!<þø¼
ýíÿ 
ð
Àÿ ý í ¼÷!#
å h#å ]#å hå $ ]ö õ¼ôë)ô%ä âõ¼ôë)ôä
"!<þø¼
÷
Öæ ýíÿ 
ð 5þø¼÷ Öæ hå
ýíÿ 
ð Àÿ5þø¼÷ Öæ &ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷Öæhå
ýíÿ 
ð Aà .åÀæ
ýíÿ 
å .åÈæâõ å 0$12 fö
õ¼ôë)ôäâõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæ àh/
ýíÿ 
ð Àÿ5ä þø¼÷ Ö"!Aæ àh/
å .åÈæâõ å 0$4h5å fö
¼
õ
ô
)
ë

ô
ä
âõÀôë)ô3
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140$ '
)
,
"! . 9: ;%
8 #$ # #0) E
8)
%
"! . 9: ;%
8 #$ # # # 8$ '
)
"! . 9: ;%
8 #$ #
1
4
0
E
8) FDB5
% F8B5 06E4 A169 4E46
Key fingerprint = AF19 FA27 2F94 998D
DE3D
"! . 9: ;%
8 #$ #140 E
8)
%
"! . 9: ;%
8 #$ #140$ '
)
,
"! . . %
<)
"!
:= >
-)% > ? @,A ,
BA
. C!
© SANS Institute 2000 - 2005
Author retains full rights.
õ¼ôýë)ôíÿä
âõÀð ôë)Àÿ5ôä3þø¼÷ Ö"!Aæàhå/.åÈæâõ å]åhå ]ö
ýíÿ 
ð Àÿ ý í6Èòúá÷)ò âõ å$140 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6ù'Èòé)óô-$) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $140 ¼÷
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å $4h#å 0 ¼÷
å)]õ¼#å ôhë)#å ôh7ä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h8å hå À÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)
¼
õ

ô
)
ë

ô
7
ä
"
<
!
à
.
À
å
æ
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ýíÿ 
ð Àÿ ý 6í Èòúá÷)ò âõ å h8å hå À÷
å ]#å h#å hä8å $ ¼÷"!<äÖõ¼àôøÈùÖ
ë).ôåÀø¼æé6'ù ÈòÖéüó-ô $) fö õÀôë)ôä
#
)õ¼ôë)ô7
ýíÿ 
ð 5þø¼÷ Öæ ýíÿ 
)õ¼ôë)ô7
ä ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 8å ]ö õ¼ôë)ôä
ýíÿ 
ð À9ÿ "!A:6à ÿþø¼à÷ ;ÖÀ÷!æ 5å h#å h#å ]å $ fö õÀôë)ôä
)õ¼ôë)ô7
ä
ýíÿ 
ð 5þø¼÷ Öæ ýíÿ 
ð Àÿ5þø¼÷ Öæ &ÈòúôîÀò ]ö5öÖáãüôøÈòÖé)óâô
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüóô(õ $)'å *+ fö õÀôë)ô,ä âõÀôë)ô-ä "!Aþø¼÷Öæ
ýíÿ 
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å 0$12 fö
ýíÿ 
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å 0$4h5å fö
ýíÿ 
õ¼ôë)ôä âõÀð ôë)Àÿ5ô3ä þø¼÷ Ö"!Aæ à .åÈæâõ å ]å hå ]ö
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $14 ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $14 ¼÷
å]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
å 0 ¼÷äÖõÀôøÈùÖë)ôøüé6'
ù Èòé)ó-ô $) ]ö õ¼ôë)ôä
)õ¼ôë)ôä7
"!<à
.åÀæ
ýíÿ 
ð À9ÿ :6à ÿà ;%Èò5á÷)ò )õ 8å $2h#å ¼÷
å ]#å h#å "h!-8å à$ .¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6'ù ÈòÖéüó-ô $) fö õÀôë)ô,ä âõÀôë)ôä
#
ýíÿ 
ð =ÀAF19
ÿ :6à ÿFA27
9
à ;%Èò52F94
á÷)ò 998D
)õ 8å hå ]å DE3D
F8B5
¼÷ 06E4 A169 4E46
Key fingerprint
FDB5
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
© SANS Institute 2000 - 2005
Author retains full rights.
å )õ¼ôë)ôä ¼<÷äÖà õÀôøÈùÖë)ôåÀæøüé6ù'Èòé)óô-$) ]ö õ¼ôë)ôä
ýíÿ ð Àÿ 6à ÿà Èò5á÷)ò )õ å8hå]å ¼÷
å ]å hå h-å à ¼÷åÀäÖæ õ¼ôøÈùÖë)ôø¼é6ù'ÈòÖéüóô-$) fö õÀôë)ôä,âõÀôë)ôä
ýíÿ 6ãâé)ð è À6ÿAãâä)àûäã åÀæ 6ãâé)è>]ö!ÈòãÖóø]äö?øÀøô%@,Ahà6ãÖø]ö!øÈô<åÀæ,)ÈöJøÈÿùâþáþôâäýíB"! A
ßßAàâýáíÿãâ9ä ð çƒèÖÀÿAãâé6àêëãÖì åÀæ C!<ÿþþýí
ß
ùÖßAß ä6íô ÖäÖé)îÀïñó F-ð6áâ÷òä)òÖûé)øâóîüô<äÖõèûä)ôøüë-õóôäÀäöã¼ùÖé)ôä)ôä<ëâçN÷¼øÈöiùôøÈùñä)óâëÖùÖîëî6ã äÖé6õâùõã ôìéñY ã)ä)èëÖCî
ýíÿ 
ð 5þø¼÷ $$6
ÿ ;4
ýíÿ 
ð À9ÿ "!A:6à ÿþø¼à÷;
$)õ$)ÿ8å ;4 $14 ]öõÀôë)ôä
)õ¼ôë)ôä7
ýíÿ 
ÿ "!A:6à ÿþFA27
9
ø¼à÷ ;
$2F94
)õ 8å 998D
DE3D
]öõÀôë)F8B5
ôä 06E4 A169 4E46
Key fingerprint
)õ¼ôë)ô7
ä ð =ÀAF19
$)
ÿ ;4 $2h#å FDB5
ýíÿ 
ð À9ÿ "!A:6à ÿþø¼à÷ ;
$)õ$)ÿ 8å ;4hå ]å ]ö õ¼ôë)ôä
)õ¼ôë)ô7
ä
ýíÿ
ðAà.
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $
à
À÷äÖ.õ¼ôøNùÖë)ôøüéü'ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å 0$
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å 0$
À÷äÖõ¼ôøNùÖë)ôøüéü'
à
. ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $å
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $
à
À÷äÖ.õ¼ôøNùÖë)ôøüéü'ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå $
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
à .
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å hå æ
À÷äÖõ¼ôøNùÖë)ôøüéü'
à
. ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å 0$
À÷äÖõ¼ôøNùÖë)ôøüéü'
ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
0 7
"! .
9: ;%
# # # 8$ "! .
.
:= >
-)%
.
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
à
.
ýíÿ ðÀÿ5þø¼÷
$$6ÿ
;4&ÈòúôîÀò
¼÷!å]å0$
à
À÷äÖ.õ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô- ]ö õ¼ôë)ôäâõ¼ôë)ôä3 "!
ýíÿ 
ð Àÿ5þø¼÷ $$6
ÿ ;4&ÈòúôîÀò ¼÷!å ]å 0$
à
À÷äÖ.õ¼ôøNùÖë)ôøüéü'ù ÈòÖéüó-ô ]ö õ¼ôë)ôä âõ¼ôë)ô3ä "!
ýíÿ 
ð è À6ÿAãâä)àûä-ã )%.6ãâé)>è]ö!ÈòãÖóø]ä ö?øÀø %ô@,Ahà6ãÖø]öøÈ<ô ,)ÈöJøÈÿùâþáþôâä ýíB"! A
:= 6ãâé)>
ýíÿ
ðÀÿAà. C!<ÿþþýí
ßßAàâáãâ9ä åçƒèÖãâé6êëãÖì
ßßúð)ôë ??3ïÖé î6ë6ùñðð DAô9é ?øÀó"ä Öëãã ë6óäúëããâé Öä)÷ ôé<ôäãüùÖä6ô9?âóéÀö
?øÈóä ÖëãâãJôé-êÖé)ó÷ä6ó<óé6áôä69
ß ýíÿ ð Aà .å ó ?é)óAóäÀöé6ôä<ëâ÷¼öøNùøâõ¼ôóë)ôøüé64ù ýíÿ 
ð =ÀAF19
ÿ :Cíâý FA27
%
í Èòú2F94
ôîÀò 998D
âõ #
å hFDB5
å h#å hå )DE3D
5
¼÷!#
å F8B5
h5
å h#å hå06E4
$
Key fingerprint
A169 4E46
À÷äÖõ¼ôøNùÖë)ôøüéüù'ÈòÖéüóô- ]ö õ¼ôë)ôäâõ¼ôë)ôä3
"!<à
.å
ýíÿ 
ð Àã ÿA)6à üãâé).EèÈå òóä ?]ö!ø @ãÖø]ANöà øÀ%ô 6ãÖ9å ø]öJøÈ<ô ÿþ)þÈöýøÈùâBí áôA ä "!9
:=
üãâé)E
è
6ã)ä)ûä7
ßßA àâýáíÿãâ
9ä ðçƒèÖÀÿAãâé6àêëãÖì .å C!<ÿþþýí
ßpß N]î6ë)ôîÀïúëãLã NRóâáÖãâä
ß ýíÿ
ðAà.
ýíÿ 
ðð ÀÀÿÿ :C íâý ý í í "!<"!<à à .. ýíÿ 
ýíÿ
ðÀÿ9:6àÿà; C!<à.
ýíÿ 
ð Àã ÿAGà üãâé).EèÈòóä ?]ö!ø @ãÖø]ANöà øÀ%ô 66ãÖø]ö7øÈ<ô ;)ÈöWGøÈùâA áôä "!9
:=
üãâé)E
è
6ã)ä)ûä`
ßß ýíÿ
ðÀÿAà. C!&;âà:6ý
äÖîÈïÖéºå3Œ<üòóéîõCõüùÖä)ôøÈòûÖøÈò
.?é)óÖë)óâ÷
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Yo LhK
VPN Gateway Configuration
/etc/ipsec.conf
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
î6éüù
?øÀè õ6ä6ôâáò
ß<áõ6ä-ôâïÖä<÷ä?ë6áã6ô<óé6áôä øÈùôä)ó?ëÖîü䔐{øÈùôä)óâùÖä6ôEÈêÖé6áâù÷‘
ßúëÖõôâïÖä ýðäîAøÈùôä)ó?ëÖî6ä-ëãõ6é
øÈùôä)ó ?ëî6äÖ"õ yHâ÷ä ?ëüáÖã6ôóé6áôä
ß<ßúáäÀöÖõ6òäñã)éõ¼ôäóäÖøâî¼õlô ôéî¼óÖêÖãäñòÖéã)éÖãÖîCøâFCî 4äâ÷AXéüáÖäôº3Öø]öë6öùôAäâ÷ôøüä)ë)ó¼ôöäã"øÈùÖë)ôäâ÷
õ¼ôâóøâî¼ôîÀóÖãüòÖéãøâCî yäÖõ
ßñãâéëâ÷5ëãâã-ô)ïÖäñî6é6ùùÖäî¼ôøüé6ù<÷äÖõî¼óøÈòôøüéüùõ öë)ó Fäâ&÷ ?é)ó
ßúë6áôé5ãâéâëâ÷øÈù2è òã¼áôéãâéâëâ÷ yHõüäë)óîÈï
òã¼áôéÖõ¼ôë)óô yHÖõ6äë6óîÈï
áùCø O)áÖäøÀ=÷"õ AF19
yäõ
Key fingerprint
06E4 A169 4E46
ßAôâïøâõ5øâõJôâïä5÷FA27
ä ?ë6áã62F94
ô *
êáô998D
öë Fä FDB5
øÈô ä @)òDE3D
ãÖøâîøÈ&ô F8B5
?é)ó
ß î)ãâë)óøÀô N]õ õ6ë Fä XÖä<÷é62ù Nˆôúëãâãâé úë6ù AòÖëÖî Fä)ô-ùÖé)ô
ßöë)ôîÈïøÈùèAë î6é6ùâùÖäÖî¼ôø¼é6ùA÷äÖõâî¼óøÈòôøüé6ùôé<òëÖõõJôâïóéüáèâï
òî6éüùÖßAù ëôâCî HïÖF÷ä-ä)ä ô?è÷ëüë)ä áô?ã6äë6ôÖáëãüô yt ÷)óéüò
ß<ùÖé)ô õ¼ôóøâî¼ôÖã ùÖääâ÷ä)÷ *›ä @î6äüò9ô ?é)ó î)ãâë6óøÀô
ô )òÖä yâôâáâùùÖäã
ß<áõ6ä-àð)ÿ<êÖëõ6äâ÷5ë6áôâïä6ùôøâîüë)ôøüé67ù øÀô)ï î6ä)óôø ?øâî6ë)ôäÖõ
ßë6á?ôâïé)9óêyF)äóAèõ6ë֝õäüøÈùÖè ä)óë)ôøüé6ù ç ð)ÿ ]Jýì
<
óFäøÈèâøïÈùôóèôâõüóëÖõøüäÖøÀèõ"Fyäåy HÖîüä)óô
ß<ë6ááôâ
ïõ6Qäyä֝õÈð)ò <ý ?é6ó ýðäÖîë6áô)ïÖä6ùôø)î6ë)ôøüéüù
ßöSºõø¼÷äñøâõ<ãâä?)ôBJôâïÖä9?âóäâäÖõÖë6ùñõ6äÖîÀáóøÀô-èë6ôäÖë
ãâä ?âô y#å ]#å h#å ãâä ?âôâùÖä @âôâïÖé6
ò y#å h5å ]5å å
ãâä ?âôø¼÷ y•Öõ6äÖîÀáóä Êèø¼ëÖî Àä6ùôä)ó)òóøâõüäLõ Æî6éNö
ãâä ?âôî6ä)óâô yâèë)ôä Öë 2¤òÖäÀö
ß îÀïÖäÖî F õ6é6áóîüä<ëâ÷÷âóäõõé ?<áùÖä6ùîÀó âòôä)÷JòÖëÖî Fä)ôõJéüù ë)óâóøÀûëã
÷ßñø)ãâõ6éë6êëâ÷ãâäâë)î6éüóùóùÖøÀäÖûëî¼ôãøüîÈïé6ù<äCî ÷Fäyü?ùÖøÈé ùøÈôøüé6ùõ ëüáôéÀöë6ôøâî6ëãâã
ë6áôé yëâ÷â÷
ßAíâïÖ&ä ?éãâãâé øÈùè-ôâïóäâä5äüùôóøüäõJë)ó&ä ?)áùî¼ôøüé6ùëãã
ßAóäâ÷)áâù÷ë6ùô óøÀèâïô-ùé [ ù5ôâïÖ9ä ?)áô)áóRä *—ô)ïÖä)óäöë
ß<êÖä<èä6ùáøNùÖä ÷Cø ??ä)óä6ùî6äÖõ-øNùñôâïä<ô âòÖäAé ?úëÖîî6äÖõâõ
ßAèóë6ùôäâ÷-ôâïÖäõ6ä èóé6áâòLõ nDä6ùî6ä-ôâïÖäñõ6äüòÖë)óë)ôä
ß5÷ä ?øNùøÀôøüéüùLõ Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
ßAÿÖãõ6é ùÖé6ôä-ôâïÖë)ôñãâë)óâèäêãâéÖîFõé?AôâïÖäºå$å)
ß<ùÖä)ô é)óF õÀòÖëî6ä óäÀöëÖøÈù[#í)ïøâõ ëããâé"õáõôéúë)÷÷
ß<?ë)óöé)óä<óäÀöé)ôäúî6ãÖøüä6ùôõë6ù÷<ôóäë6ôñäâëÖîÀïúé6ùÖä
ß5ß ÷õÀáCø ê?ù?ä)ä)ôóä6ùôã êñëÖõõøÀèâùøÈùèñøÀô5ôé5ë<òÖë6óôøâîÀáÖãâë)ó
î6éüùóùºøÈèâî6ïé)ô óâyòÖHé6ë6óù ë)ôä
óóøÈøÈèâèâïïôôõÀø¼áâ÷ êyù֖þä)ôyÖRðøÀôâ*oï:øNyù=y åÿRQþ â$ùô]ä)å#ó)1òóøâõ6äZõ *|:C
yþé)óâòé)óë)ôäL*
þy x –
ãâãâää ?â?âôôâáõÀáòêâ÷ùÖé ä)
ùô yy48å ƒõî¼hó5å øN0ò$-ô lñë) óâèâá6öä6ùôõlùÖää)÷äâ÷-ôéñõ6ä)ôAáòú÷ âùëÀöøâî7?øÈóäÖëãâãÖøÈùè3?é)ó î6é)óâòé)óë)ôäáõ6ä)óõC‘
î6éüùóùñøÈèâäâï÷ô øÀyôHé6ë6óù øüëã
óóøÈøÈèâèâïïôôõÀø¼áâ÷ êyù֖þä)ôyÖRðøÀôâ*oï:øNyù=y åÿRQþ â$ùô0ä)ó)1òóøâõ6äZõ *|:C
y÷øÀôé)óøüëYã *
þ y x –
î6éüùóãâùºäøÈèâ?âõ6ïôëôõÀãâáyäÖêâHõùÖë6ùä)ô y8å h5å 0$
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
óøÈèâïôø¼÷ y–þ yÖRð *o:y= ÿQþ âùôä)ó)òóøâõ6äZõ *|:C
yðëãâäZõ *uþ y x –
óãâäøÈèâ?âïôôõÀáõÀêâáâùÖêùÖä)ôä)ôy8å øÀôâhï5å øN0ù$yå R$01
î6éüùóù øÈèâïí ô yHë6ù
óóøÈøÈèâèâïïôôõÀø¼áâ÷ êyù֖þä)ôyÖRðøÀôâ*oï:øNyù=y åÿRQþ â$ùôuä)4ó)1òóøâõ6äZõ *|:C
yâíäÖîÀïâùøâî6ëãð6áòâòÖé)óô *Rþ y x –
ãâä ?âôõÀáêâùÖä)ô y8å 0
î6éüùù Eí Àèë6ôä Öë
óøÈèâïô yHë6ù
óøÈèâïôõÀáâêùÖä)ô øÀôâïøNù yå R$u41
óøÈèâïôø¼÷ y–þ yÖRð *o:y= ÿQþ âùôä)ó)òóøâõ6äZõ *|:C
yâíäÖîÀïâùøâî6ëãð6áòâòÖé)óô *Rþ y x –
ãâä ?âôõÀáêâùÖä)ô y8å h5å ]5å )
î6éüùù5óäÖõ¼ôóøâî¼ôäâ÷
ô )òÖä yâóä !äÖî¼ô
óøÈèâïô yHë6ù
ãâä ?âôõÀáêâùÖä)ô y8å 0
î6éüùùpøÈùôä)ó)ùÖä)ô
ô )òÖä y)òÖëõõ¼ôâïóé6áè)ï
óøÈèâïô yHë6ù
óøÈèâïôõÀáâêùÖä)ô øÀôâïøNù yå R$018å )
óøÈèâïôø¼÷ y–þ yÖRð *o:y= ÿQþ âùôä)ó)òóøâõ6äZõ *|:C
y x *Rþ y x –
ãâä ?âôõÀáêâùÖä)ô y00
î6éüùùAòóøÀûë6ôä
ë6áôé yøÀè)ùÖé)óä
î6éüùùAêãâéÖîCF
ë6áôé yøÀè)ùÖé)óä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
00
tu
te
/etc/ipsec.d/crls
20
/etc/ipsec.d/cacerts
Crontable entries
ß<áò÷ë6ôäöSºî6ä)óô*Rþ)ÿpî6ä6óôõZ*RþâàõZ*›ë6ù÷9Fäõ
{øNùõ6ä)óôúî6éÀööëüù÷-ô9
é ?ä)ôé îÀ9ïÀPóä)ä6óóäøâëâõ÷øÈèâëùãã î¼óÖãAë6ù÷ õ¼ôé)óä‘
på x<xx øÈòõ6äÖîëüáô,
©
SA
NS
In
sti
oYLˆ‚
oYL ‡
oYLƟ
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
î6éüùùAòóøÀûë6ôäSüé)ó>âî)ãâäëüó
ë6áôé yøÀè)ùÖé)óä
î6éüùùºî)ãâäë)>ó üé)Eó ÈòóøÀûë)ôä
ë6áôé yøÀè)ùÖé)óä
î6éüùùºî)ãâäë)ó
ë6áôé yøÀè)ùÖé)óä
î6éüùùAòÖëÖCî Fä6ô÷ä ?ëüáã6ô
ë6áôé yøÀè)ùÖé)óä
î6éüùùpøÈùôä)ó)ùÖä)Eô üéüùã
óøÈèâïô yHë6ù
óøÈèâïôø¼÷ y–=þð AF19
y"R
ð *o:FA27
y= ÿþQ2F94
âùôä6óâòóøâõüäÖõ"–
Key fingerprint
óãâäøÈèâ?âïôôõÀáõÀáâêâêùÖùÖä)ôä)ôyøÀôâïRøh
ù yå R 10 998D FDB5 DE3D F8B5 06E4 A169 4E46
oYLÆz /etc/ipsec.secrets
ßAèë)ô"ä Öë N]õòóøÀûë6ô-ä Fä ?ø6ã)ä
ßúð)ôé)óäâ÷ áùãâéCî Fäâ÷ t ýóé6ôäÖî¼ô<ôâï9ä ?ø6ãâäAë6ù÷
ß5÷øÀóäî¼ôé)ó Q?âóéÀöñêÖäøNùè<óäëâ÷-ê ñë6ù é6ùÖäêáô
ßAóéé)ô t øÀôâï -òÖä)ó¼öiõé6ùñ÷øÀóúë6ù<÷ )-òÖä)ó¼öiõ
ßújuàé6ùð)ÿ<Fòä ó<?øÈûë)ø6ôãâääüt èë)ôäë41Fä
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
o™AEA0 nš ~ÎCœ ,œ› : ;˜E<o™ * 4)o™ Ÿž6™A03
: ; ,Ç ž<
¡–¢£¢g¢8¤)¦È¢¦¥Z§¦¢ ¢¤¨E¥'©i¦È¢¬£E¡'§ ª ©I«—¢£¤C¬I­#¡R®>¯L¬G¨>°±­Z¨¥–¦T¤â§²¢£¯L³–§â¦T¢´¶µr¯L¤S·G¸¹¨E¯£,º¤¢£¯–§¢+¢¦¯I§¡§
¨¦N¢¤£¢£¯R®>º¡R®»§ ª §)§ ¯ ª 8¦ ¨E¬§¯ú¥L¥<°0¨¦`¦È§®S³R® ª ¢£º¤¢£§r©>·
ß t üêøÈSù ¼êÖëÖõÀï
üáõ¼
ó õÀêøÈSù üá
ò â÷ë)ô&ä N6á Œ<6ôüöÖò üáò â÷ë)ôä ƒã)é)è
ðâþ)ÿ yRƒƒèâóä66ò Ahàä)ôóø¼ä)ûäâ2÷ fAg6ôüöSò üáò )÷ë)ôä ˆãâé6è ƒ
ôâCø ï?¼ä6ù (A ðâþâÿ 5A t yGAAU‘
ë?â÷Àø ööøÈëÖù ø6•)ã ô)ïÖâä6õ êÖë6AEù ƒˆF4ïÖéÖ{î6õÀéNôâö ùÖëÀˆ<ö<ä 6ôüöâSò õÀüïÖáé6ò ó)ô ÷ƒ—ë)ôòÖäëCî ˆãâFé)ë)3èèäŒ)á÷òä6÷û ë)üôùEä áA ãâ3㠌9)÷ä)
û üùáãã
àâ
à :6à yRƒˆèóä6%ò ANàý J<òÖëÖî Fë)èä5îüé6
ù ?ãÖø)î¼ôAä)óóé)4ó VAU6ô¼öÖSò üá
ò â÷ë)ôä ƒãâé)Lè ƒ
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
ôâCø ï?¼ä6ù (A à
à :65à A t yGAA`‘
ë?â÷Àø ööøÈëÖù ø6•)ã ô)ïÖâä6õ êÖë6ATùF4óó{î6é6éNó<ö óâˆ<áù6ùôüøNöùSò è-üááòò )â÷÷ë)ë)ôôää<ˆãâé6é)pù 3è ƒˆŒïÖ)é÷õ¼ä6ôâû ùÖüëÀùöáä ãâ3ã âõÀŒ9ïé))ó÷ô ä)ƒ
û A üùáãã
˜
©
SA
NS
In
sti
tu
te
20
00
-2
00
5,
A
ut
ho
rr
eta
ins
f
ull
rig
ht
s.
—
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
˜
`$Ö , A; ½"¾¿¼ÀRÁÂÄÃYÅEÆ5Ç5ÈÉSÅSÊ5Ê2É5˅ÅSÊZÌÎÍZÏY˼Ð>ÑYÏSÊËÓҔÔ2É
ÆZÏZÕ'ÏYË5ËpÊLÏ>Ö5ÑÁSÆ'×ØË>ÏYÙÚYÆÉÖ#ÇÜÛ
Ý#Þ5ß Ò"¾#¾[àáÕ
ÚLÏ>ÖÁ5ÁÖ'âÜà6ÅSÊY̼âLÅ>ÊZÌEâLÏZÕ>ÌÄÌZÏ>ãÉ'ÙEÏY˜ҋÀYÏYÙ
â5Ê2É'Ù>ÅYÕ¼äYÏSåÁSÆ5Ö
Ý#Þ5ÞLæ
çZÝ à,èZÅ>ÖÉEÁÊLÅZÕêéÊË
Ö2ÉÖ'Ú#ÖYÏëÁ>ìÎí>ÖYÅ>ÊZÌZÅEÆ5Ì˅ÅSÊZ̅ÀYÏYÙâ5ÊÁ5Õ5ÁSÈ5Çià
ß5Þ5Þ5ß Ò†îZäZÍëÙ5ËSÆRٜÒaÊ2É5Ë
Öï҉ÈLÁSãRð
å5Ú5áÕZÉ'Ù>Å>Ö2ÉEÁÊË5ð
Ê2É'Ë
Ö'å#Ú5áË'ð ÝZÞ5ÞLæ
ç#Ý ðSèéSí>À
S P8 00
ho
rr
eta
ins
f
ull
rig
ht
s.
− 48.pdf.
½ ß ¿òñ
ó5ó5óêô4õSö÷ø5öSùLøûú¹üùÄñ>÷úýüù
þ[öLõ'ÿ'ü
÷Mõ'÷üü
ö÷Zõ÷
5üþ5þ5÷2ÿEöLõEÿ5ü
÷Øö÷øŽÿ÷Sú¹üù
þ[öRõEÿ'ü
÷L
2õþüEöûö÷øIþYõùRü ü
ÿZõSö÷ öSùEö{÷Zõ
üù!‹
ô"5ÿ"ú ÿ
ù#ÿù"þ÷[õ%$2öSù2õ'&&(
) ÿù*+%,-EøZÿS þ.*05
5
/ ü
÷[õùRü
12,3*/54êö÷Rø6$7
3
ÿE
ö8
ö5
ù912$3:<;=4>"5ÿ"ú ÿE öLõEÿ5ü
÷ý
à6èYÏ>Ñ>
? ÁSÆ'×ià
è?ià†¾@@¶
@ ÒBéÊËÖÉÖ'Ú#ÖLÏëÁSì'R
A Õ'ÏYÙ
Ö#ÆÉ5Ù>ÅZÕÎÅSÊZÌ>R
A ÕEÏLÙ
Ö#ÆLÁ
Ê4É'Ù5Ë
A ÊZÈÉÊRÏ5ÏEÆRË àIéÊ2ٜÒûîZä#Í
'
â#Ö5Ö'å Û8ð5ð#Ë
ÖYÅ>ÊZÌZÅEÆ5̘ÒÉSÏ5Ï#϶ÒTÁSÆ5ÈRðSÈYÏ>Ö2ÉSÏ#Ï5Ï Ý#Þ#ß ð>ÌLÁSÑ'ÊÕ5Á'ÅEÌRð ÝZÞ5ß Ò"¾#¾ æ ¾@@i
@ ÒaåYÌ5ìïÒ
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
½C'
B ¿ÎíSÚË>ÅSʎÃYÏSÊ#ÊLÏEÌ5ÇÜÒEY
D ÏYË
օåZÆZÅYÙÖÉ'Ù>ÏY˼ìRÁSƊÑ2É
ÆZÏZÕEÏLË5ËpÊLÏ>Ö5ÑRÁ>Æ'×
Ë>ÏYÙÚZÆÉÖ#ÇÜÒ05
/ üþF4
õùG'
) üù ø4àèRÁãYÏÂ#áRÏEÆ ß5Þ5Þ i
B ÒûîYä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò8Ù'ÁÂ#å#Ú#ÖYÏEÆ'ÑÁSÆLÕSÌÜÒÙ'Á
ÂðåZÆÉÊZÖ5Ö5â2É5Ë'ð ß5Þ#Þ L
B ð Þ à çZÝ ¾ ç à ÝH @
I ¾[à Þ5Þ ÒaâZÖEÂ2ÕÓÒ
)))KJL,2Mö 0$2ö àONÚÕSÇ ß5Þ5ÞEç Ò9ÑÁSÆLÕSÌ'Ñ2É
ÌZÏ>ÑYÅ'Æ5Ì5ÆÉãL϶ÒTÁSÆ5Èià
Ñ É
ÈLÕEÏiÒaÊLÏ>ÖïҋîZä#Í
â#Ö5Ö'åËÓÛTð5ðÑÉÈLÕE϶ÒaÊRÏ>ÖRðSÈEå2Ë'ðSÈEåË5ðFPQYíRDð5ÁÊÕYÉÊRÏÂÅSåðS'Ï>ãLÏSÊZÖÉÌT2¾ýÒ
5,
A
ut
½ç ¿
-2
00
½UIE¿WVLÅ>Ö5Ö'âRÏ>ÑXP#ÅYË
ÖïҔÀ'âRϼÖÁ
åòËEÏ>ãYÏSÊØË>ÏYÙÚYÆÉÖ#DžåZÆLÁáÕEÏÂ2ˎÁ>ì Ý#Þ5ß Ò"¾5¾
ÑÉ
ÆZÏZÕ'ÏYË5˜ҋÀYÏLÙâ5Ê2É'ÙEÅZՊÆZÏSåÁ>Æ'ÖiZ
à YÉ
Æ VRÅEÈEÊLÏ>ÖÜà†éÊٜÒEà ß5Þ5Þ'ç ÒûîZä#Í
Ñ5Ñ5ÑïÒfÅRÉ
Æ>ÂRÅEÈ'ÊLÏ>ÖïÒ8Ù5ÁÒTðÓÒ#Ò5ÒT5
ð YÉ
Æ VRÅEÈ'ÊLÏEÖïÒVí5ÏLÙÚYÆÉ
Ö#ÇïÒaÔ#â2É
ÖY
Ï QYÅ>åLÏ'Æ ß I¶Ò+åZÌ#ìÜÒ
tu
te
20
00
½ H ¿ŠèÉ×ÉÖLÅWDRÁ>ÆÉ'Ë'ÁãÜà†éSÅSÊXPYÁ5ÕSÌEáRÏEÆ5ȶà6ÅSÊZÌ>RYÅ>ã2É
̅ÔLÅEÈEÊLÏ'ÆÜÒzí5ÏYÙÚYÆÉÖ#Ç
ÁSì¼Ö'âRÏzÑYÏ>åêÅZÕ>ÈLÁSÆÉÖ5â'Ò{ÀLÏYÙâ5Ê2É5Ù>ÅZÕ¼ÆZÏSåÁ>Æ'Öià<î#Ê#ãYÏ'ÆRË#ÉÖ#ÇòÁ>ì
à DYÏEÆ'×YÏYÕEÏEǶO
à N>ÅSÊ#ÚLÅEÆ5Ç ß5Þ5Þ ¾ýÒûîZä#Í
[ ÅZÕZÉ
ìRÁSÆEÊ2ÉSÅ Z
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉ'Ë>Å5ÅLٜÒ8Ù5˜Ò+áLÏEÆ'×YÏYÕEÏ'ÇÜÒVÏEÌ'ÚðYÉ'ËEÅ5ÅLÙ'ðSÑYÏ>å æ ìZ
Å \iÒ+â#Ö'ÂÕ Ò
SA
NS
In
sti
½C]'¿òñ
ó5ó5óêô4õSö÷ø5öSùLøûú¹üù%ü'ö‹ö÷Rø6,-ZõùRüM ü
ÿZõ>ö÷^*ZùEö_+ZõRüù!`
$4üù2
õ ba25
ö EøE+YõRü
ù !%*c/5ü
÷[õùR
ü 5à%èYÏ>Ñ>?ÁEÏ>×iàè?ià8NÚÕSÇ
ì ARÕ'ÏYÙ
Ö#ÆÉ5Ù>ÅZÕÎÅSÊZ>
Ì ARÕEÏLÙ
Ö#ÆLÁ
Ê4É'Ù5W
Ë A'ÊZÈÉÊLÏ5ÏEÆË à
ß5Þ5Þ ¾ýÒBéÊËÖÉÖ'Ú#ÖLÏëÁS'
éÊٜ҆îZä#Í
â#Ö5Ö'å Û8ð5ð#Ë
ÖYÅ>ÊZÌZÅEÆ5̘ÒÉSÏ5Ï#϶ÒTÁSÆ5ÈRðSÈYÏ>Ö2ÉSÏ#Ï5Ï Ý#Þ#ß ð>ÌLÁSÑ'ÊÕ5Á'ÅEÌRð ÝZÞ5ß Ò"¾ d æ>ß5Þ#Þ ¾ ÒaåYÌ5ìïÒ
©
½ Ý ¿ŠÍZÅEÆ5Æ5Ç0NœÒeDRÕ
Ú5ÊZ×ÄÅSÊYÌ.N'Áâ5ÊÄäïÒgfÁ5Õ5Õ
áZÆYÏYÙâ#ÖïÒEQ'å5åëÏh'ÖYÏSÊ2Ë#ÉáÕEÏ
ÅSÚ#Ö'âLÏ>Ê#ÖÉ'Ù>ÅEÖÉEÁ
ÊÄåZÆRÁÖRÁ#Ù'Á#j
Õ i8Ï5ÅS
å kœÒzí>ÖYÅSÊZÌYÅEÆ5̶àIéÊ#ÖLÏEÆEÊLÏ>Ö
A'ÊZÈÉÊRÏ5ÏEÆÉÊYȎÀYÅYË
^
× lLÁSÆRÙEÏÓm
à VLÅEÆRÙâe
¾ @@ Ý ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRÙ ß5ß5Ý'ç Ò+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ T ß5ß5Ý'ç Ò
½[email protected]¿XN'Á
â5ʎÃRÁ
â Ò8Õ¼ÅSÊYÌ%DïÒ [ ÕZÉì5ìLÁSÆ5ÌÄèYÏ>ÑEÂRÅSʍҋÀ'âLϼ×YÏEÆEáLÏ'ÆLÁ#ËpÊLÏ>Ö5ÑÁSÆ'×
ÅSÚ#Ö'âLÏ>Ê#ÖÉ'Ù>ÅEÖÉEÁ
Ê Ë>Ï'Æ'ãÉ'Ù>Ïnifã7I7k ÒoQ#ÆLÁåÁ#Ë>ÏEÌØËÖYÅSÊZÌZÅ'Æ5̶àIéÊ#ÖYÏ'ÆEÊLÏ>Ö
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.
A'ÊZÈÉÊRÏ5ÏEÆÉÊYȎÀYÅYË
×^lLÁSÆRÙEÏÓà6í5ÏSå#ÖYÏSÂ#áLÏEÆ ¾@@BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRÙL¾
I ¾ Þ Ò+Ö3h'ÖS
Ê#Ú'ÂZáLÏ'ÆT2¾I¾ Þ Ò
½"¾ Þ ¿'QYÅ>Ö [ ÅZÕ
âÁÚ5ÊÜàON'Á
â5ÊpN'Á
ÚYÈEâ5ÊLÏEÇiàZA#ÆÉ×qP>Ú#Ö5Ö'ÂRÅSÊÜàrPYÕEÏ>Ê.sYÁSÆEÊÜà%ÅSÊZÌ
N>ÅEÆÉ_Y5Æ'×5×ÁÓÒoRÉSÅÂÏ>ÖYÏEƅáLÅYËEÏzåYÆLÁÖRÁ#Ù5Á5ÕÓÒoQ#ÆLÁåÁ#Ë>ÏEÌØËÖYÅSÊZÌZÅ'Æ5̶à
éÊ#ÖYÏEÆ'ÊLÏ>^
Ö A'ÊZÈÉÊLÏ5ÏEÆÉÊZȎÀYÅYË
^
× lLÁSÆÙ>ÏÓà6í5ÏSå#ÖLÏÂ#áLÏEÆ ß#Þ5Þ Bi҆îZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRF
Ù BI Ý5Ý Ò+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ TBI Ý5Ý Ò
[ ÅEÆLÕ{äÉ
ÈEÊRÏEǶà6í>ÖYÏ>ãLÏ{Ô2É'Õ5ÕEÏSÊË àrYLÕ5ÕEÅSʎä'Ú5áRÏSÊË à6ÅSÊZ̊Ô2ÉEÕ#ÕZÉSÅÂ
ull
rig
ht
s.
½"¾5¾¿
íLÉÂ#åË5Á
Ê Ò‹äYÏÂ2ÁÖYώÅSÚ#Ö'âRÏSÊ#ÖÉ'ÙEÅ>ÖÉEÁ
ÊòÌÉSÅZÕÄÉÊÎÚË>ÏEÆ Ë>ÏEÆ'ã2É'Ù>Ï
iVÆZÅEÌÉÚËk ÒoR#ÆYÅEì'ÖØË
ÖYÅSÊYÌZÅEÆ5̶à†éÊ#ÖYÏEÆEÊRÏ>Ö^A'ÊZÈÉÊRÏ5ÏEÆÉÊYȎÀYÅYË
×^lLÁSÆRÙEÏÓà
NÚ5ÊLÏ ß5Þ5Þ5Þ ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRÙ ß'3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ T ß'3
Ý H IiÒ+3
Ý H IiÒ
rr
eta
ins
f
½"¾ ß ¿'DYÏEÆEÊLÅ'Æ5Ì^YEáÁ
áLÅÎÅSÊZÌ>QYÅ>Ö [ ÅZÕâÁ
Ú5Ê Ò{äYÅEÌÉÚ2ËtiTÆZÏÂÁÖLÏ
ÅSÚ#Ö'âLÏ>Ê#ÖÉ'Ù>ÅEÖÉEÁ
ÊëÌÉ>ÅZÕêÉʊÚËEÏEÆòË>ÏEÆ'ãÉ5Ù>Ï7kÎËÚ5å5åÁSÆ'ÖÄìLÁSÆ
Ï h'ÖYÏSÊ2Ë#ÉáÕEώÅSÚZÖ'âLÏSÊ#Ö2É'Ù>Å>ÖÉ'Á
ÊêåZÆLÁSÖRÁ#Ù'Á5j
iÏ5ÅS
å k ÒÎéÊZìLÁSÆ>ÂÅ>ÖÉEÁ
ÊRÅZÕ à
Key fingerprint
= AF19 FA27 2F94 998D FDB5 DE3DÕ F8B5
06E4 A169 4E46
éÊ#ÖYÏEÆ'ÊLÏ>^
Ö A'ÊZÈÉÊLÏ5ÏEÆÉÊZȎÀYÅYË
^
× lLÁSÆÙ>ÏÓà6í5ÏSå#ÖLÏÂ#áLÏEÆ ß#Þ5Þ Bi҆îZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRF
Ù BI]@iÒ+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ TBI]@iÒ
5,
A
ut
ho
½"¾B'¿%Y5ÆEÚ5ÊLÏLËâ^V2É'ËâZÆYŅÅSÊY̼Ô2É'Õ5ÕZÉSÅÂ0YïÒgY5ÆEáRÅSÚZÈEâ ÒWYEÊØÉÊ2ÉÖÉSÅYՎËEÏYÙÚZÆÉ
Ö#Ç
ÅSÊLÅZÕSÇË#É'ËÎÁSì…Ö'âLÏëÉSÏ5Ï5Ï Ý#Þ5ß Ò¾ hòË
ÖYÅSÊZÌYÅEÆ5ÌÜÒpäLÏYË>Ï5ÅEÆÙâŽåLÅSåLÏEÆià
î#Ê2ÉãYÏ'ÆRË#ÉÖ#Ç ÁS%
ì VLÅEÆ#ÇLÕEÅSÊZÌir
à lZÏSáZÆEÚRÅEÆ5Ç ß5Þ5Þ5ß ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò8Ù5˜ÒaÚ5ÂYÌÜÒfÏEÌ'Ú3
ð ÑY
u Å5ÅYðL¾ hÜÒ+åZÌ#ìÜÒ
00
[ ÁÂ5ÂRÏ>Ê#ÖËÎÁ
Ê.v5ÅSÊ ÉÊ2ÉÖÉ>ÅZÕÄË>ÏYÙÚZÆÉÖ#ÇêÅSÊLÅZÕ>ÇRË#É'ËÎÁSì…Ö'âLÏëÉSÏ5Ï5Ï
h Ë
ÖLÅSÊZÌZÅEÆ#Ì3v¶Ò{ÀLÏYÙâ5Ê2É5Ù>ÅZÕ¼ÆZÏSåÁ>Æ'ÖiàZlEÚ5Ê#×êíZÁSì5Ö5ÑYÅEÆZÏ à†éÊٜÒEà
Ý#Þ5ß Ò"¾ë
½"¾ ç ¿
VLÅEÆRÙâ
00
-2
Ò îZä#Í
ß Þ5Þ#ß û
5
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò‰E
ì Ú5Ê#× Ò8Ù'ÁÂð>ÆZÅEÌÉÚ2Ë'ð'íZÁ#Õ
Ê2Ë'ðÚ'ÂLÌ5ÆYÏYË
å
É Ë5Ù'ÁŠÅLÉ
ÆRÁ
ÊLÏ>ÖÄÆZÏYË
åÁ
ÊË>ϊÖRÁpÚ5Ê2É
ãYÏEÆRË#É
Ö#ÇòÁSì¼ÂRÅEÆ5ÇLÕ'ÅSÊZÌxwCË{åRÅSåLÏEƶà
[ '
y ÅSÊ ÉÊ2ÉÖÉ>ÅZÕÄË>ÏYÙÚZÆÉÖ#ÇêÅSÊLÅZÕ>ÇRË#É'ËÎÁSì…Ö'âLÏëÉSÏ5Ï5Ï Ý#Þ5ß Ò"¾h
Ë
ÖYÅSÊZÌYÅEÆ5Ì y ÒE#
Q ÆLÁSÌEÚ2Ù
ÖÎá5ÚÕ5ÕEÏEÖÉÊÜà [ É'Ë#Ù'Á…íEÇRË
ÖYÏSÂ2Ë àIéÊٜÒ'àz'
Y ÚZÈEÚË
Ö
te
20
½"¾IE¿
w p.asp.
sti
tu
Ò îZäZÍ
ß Þ5Þ5ß †
5
â#Ö5Ö'å 8Û ð5ðÑ5Ñ5Ñ Ò8Ù#É'Ë5Ù5ÁÓÒ8Ù'ÁÂ2ðÑYÅEÆEåð
å#Ú5áÕZÉ5Ù'ðZÙ5Ù5ð
åYÌLðSÑÉ
ÖÙ5ðEÅYÁFB3I Þ ÅSåð
åYÆLÁ>ÌLÕYÉÖðL¾ H'ÝZÞ
p p.htm.
NS
In
½"¾ H ¿¼ÃYÅEÆZÏSÊ^{YÅSÊÕEÏEÇÜÒzÐ>ãLÏEÆ'ãÉSÏEÑïÛ
Ô2É æ ìɋåZÆLÁÖYÏLÙ
ÖYÏEÌêÅYÙ5ÙEÏYË5˜ÒpÀLÏYÙâ5Ê2É5Ù>ÅZÕ
ÆZÏSåÁSÆ5ÖiàÔ2É æ l_
É YLÕ5Õ'ÅSÊÙ>϶ҋîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÑÉ æ ìÉ ÒTÁSÆ5ÈRðEÐSåLÏSÊRí5ÏLÙ
Ö2ÉEÁÊðåZÌ#ìLðÔ2É æ lÉ
P
rotectedA ccessO verview.pdf f.
©
SA
½"¾]'¿zÔ2É æ ìɔåZÆLÁSÖYÏYÙ
ÖYÏ'ÌëÅYÙ5Ù>ÏYË#˜Û
í>Ö#ÆLÁÊZȶà_Ë
ÖYÅSÊYÌZÅEÆ5ÌRË æ áLÅYË>Ï'̶à
ÉÊ#ÖYÏEÆRÁ
åLÏEÆZÅ>áÕEÏ Ë>ÏYÙ
ÚZÆÉÖ#ǎìLÁ>ƅÖÁSÌZÅEÇ3vLËpÑ2É æ ìɔÊLÏ>Ö5ÑÁSÆ'טÒ
Ô5â2ÉÖYÏ>åLÅSåLÏEÆiàÔ2É æ lÉ_YLÕ5ÕYÉSÅSÊÙ>Ï àrYEåZÆÉEÕ ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÑÉ æ ìÉ ÒTÁSÆ5ÈRðEÐSåLÏSÊRí5ÏLÙ
Ö2ÉEÁÊðåZÌ#ìLðÔ5â4ÉÖLÏSåRÅSåRÏEÆ
Wi−
F iS ecurity4 − 29 − 03.pdf.
½"¾ Ý ¿òñ
ó5ó5óêô4õSö÷ø5öSùLø^|3}~€=&#
& ÿ3~}}KL ñó5ó5óêô4õSö÷Rø#öSùLøûú¹üùÄñ>÷ú¹üSù
þ[öLõEÿ5ü
÷
õ='
÷
ü
ü
2F94
5üþ5998D
þ5
÷2ÿEFDB5
öLõEÿ5ü
÷DE3D
öS÷RøŽ
ÿ
÷ú¹ü06E4
ù
þ¹öLõEÿ'A169
ü
÷
Lö÷
Key fingerprint
AF19
FA27
F8B5
4E46
© SANS Institute 2000 - 2005
Author retains full rights.
Zõ÷q
2õþüEöûö÷ø†þ<ZõùRü œü
ÿZõSöS÷ØöSùEö{÷Zõüù!
ô"5ÿúýÿ{ù#2ÿ
ù"þ
÷4õ%$2öSù4õ'&&(
)5ÿ
ù>*+%,-EøZÿþ0*
/ ü
÷4õùüp12,3*/5ê
5
4 ö÷Rø6$7
3
ÿE öO
ö
ù‚12$3:<;=4>"5ÿ"ú ÿEöLõEÿ5ü
÷
*Sþ÷Røþ÷4õ%ƒ( ,-EøYÿ þ0*c5
/ ü
÷4õùüp12,3*/5Š
4 ô#
ùÿZõ=
óY÷L
ö÷"þ÷[õý
à%èZÏ>ÑR
? ÁSÆ5×ià,èi
? à8N ÚÕSÇ ß5Þ5ÞEç ÒBéÊË
ÖÉÖ5Ú#ÖYÏêÁSì
ARÕEÏYÙ
ÖZÆÉ'Ù>ÅZՅÅSÊYÌ%R
A Õ'ÏYÙ
Ö#ÆLÁÊ2É'Ù5Ë'5
A ÊZÈÉÊLÏ#ÏEÆRË àIéÊÙÓÒûîZä#Í
â#Ö5Ö'å Û8ð5ðZÉSÏ5Ï#ÏE
h åÕ5Á>ÆZ϶ÒÉSÏ#Ï5϶ÒTÁSÆ#ÈLðFEh åÕ5ðSÖRÁZÙÆYÏYË
ÚÕSÖï҅Y
„ Ë
åY
S É'ËSèEÚ5Â#áRÏEÆ3T ß @ ß#ß @iÒ
ull
rig
ht
s.
½"¾@E¿%Y5ÌZÅÂ í>ÖRÁ
ÊR϶ҋÀ'âLÏnw+Â4É'Ù
âLÅ5ÏZՆw,ã5ÚÕ
ÊLÏEÆYÅSá2ÉEÕZÉ
Ö#ÇÜÒG)#ÿ3K‡2ÿˆ$€ö÷ZõLà
RYÏYÙ>ÏÂZáLÏEÆ ß5Þ5Þ5ß ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÑÉ æ ìÉåÕEÅSÊRÏ>ÖïÒ8Ù'Á
ÂðZÙ'Á#Õ
Ú5Â#Ê2Ë'ð'ÅEÆ5ÖÉ5Ù'Õ'϶Ò+å5â#åðR¾II H B ß ¾ýÒ
ins
f
½ ß5Þ ¿Îí5ÅSÊZÌ5ÆRÁWP'ÆYÏYÙâ ÅSÊZÌ0N>ÅSÊ2ÉpèÉ×#×YÅSÊLÏSʍÒEY'Ö5ÖYÅLÙ
×ËÎÁ
ʎÑÉ æ ìɔåZÆLÁSÖYÏYÙ
ÖYÏ'Ì
ÅYÙ5Ù>ÏYË#˜ҔÔÁSÆ'×ËâÁ
åŽåZÆZÏLË>ÏSÊ#ÖYÅEÖÉEÁ
ÊÜàBèLÁãYÏÂZáLÏEÆ ß5Þ5ÞEç ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÖEÂÕÓÒ+â5Ú#Öï҉ìÉEðSèLÁSÆ#ÌRËEÏYÙ ß5Þ#ÞEç ð QZÆZÏLË>Ï>Ê#ÖLÅ>Ö2ÉEÁÊË5ðSÈ#ÆZÏLÙâÒaåYÌ5ìïÒ
rr
eta
½ ß ¾¿¼äRÁ
áL=ÏEÆ5AF19
Ö%
V ÁZFA27
Ë
×RÁÑÉ
2F94
ÖÜ
‰ ÒpÔR
Ï5Å>×'ÊLFDB5
ÏLË5ËÄÉʅ
åRÅYË5ËF8B5
å5âYÆZÅYË>06E4
ÏëÙâÁY
É'Ù>Ï 4E46
ÉʎÑ'åLÅ
Key fingerprint
998D
DE3D
A169
ÉÊ#ÖYÏEÆ#ìZÅYÙ>϶Ò{ÀYÏYÙâ5Ê4É'Ù>ÅZÕ¼ÆZÏSåÁSÆ'ÖiàÀ#ÆEÚRí5ÏYÙÚZÆYÏ [ ÁSÆEåÁ>ÆZÅ>ÖÉEÁÊÜà
èLÁãYÏÂZáLÏEÆ ß5Þ5Þ Ü
B ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑÉ
ìÉÊLÏ>Ö'ÊRÏ>јÒ8Ù5ÁÂðEÅEÆÙâ4ÉãLÏYË5ð Þ#Þ5ß'ç I ß Ò+â#Ö'ÂÕ Ò
ho
î#ÊÁSì5ìÉ'Ù#ÉSÅZÕ#ÕSÇ æ Ù#ÉÆRÙÚÕEÅEÖYÏEÌMÙ'Á
åZÇÜÒ
00
5,
A
ut
½ ß5ß ¿¼ÀYÅ>×YÏSâ4É
ÆLÁzÀYÅ>×YÅ>âLÅYËâ2ɜҋÔ5åLÅzåLÅYË5ËZÉãYυÌÉ'Ù
Ö2ÉEÁ
ÊLÅEÆ#ÇëÅ>Ö5ÖYÅYÙ×
ÁãYÏEÆ'ã2ÉSÏ>ÑïҋÀYÏLÙâ5Ê2É'ÙEÅZՊÆZÏSåÁ>Æ'ÖiàÖÉÊZÇ'åLÏ5ÅSå ÒÙ'ÁÂïà6èRÁãYÏÂ#áRÏEÆ
îZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò+ÖÉÊZÇ'åLÏ5ÅSå ÒÙ'ÁÂðSÌRÁ#Ù#Ë'ðÔQ3Y
P assiveD ictionaryA ttackO verview.pdf.
½ ß B'¿'RRÁ
ÚZȊÔ5â2ÉÖ2ÉÊZȶàä'ÚË#Ë>ÏZÕW{RÁ
ÚË5ÕEÏEǶà6ÅSÊZÌÎèÉSÏYÕ#ËWlZÏEÆ5ÈEÚ2Ë'Á
Ê Ò
ÑÉÖ'âØÙáÙ æ ÂRÅYŠ
Ù i"Ù5Ù k ÒÎéÊZìLÁ>Æ>ÂRÅ>ÖÉ'Á
ÊLÅZÕ à6À'âLÏëéÊ#ÖYÏEÆ'ÊLÏ>Ö
A'ÊZÈÉÊRÏ5ÏEÆÉÊYȎÀYÅYË
^
× lLÁSÆRÙEÏÓà6í5ÏSå#ÖYÏSÂ#áLÏEÆ ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉSÏ>Ö#ìïÒTÁSÆ5ÈLð>Æ5ìRÙ'ðSÆ#ìRF
Ù B H ¾ Þ Ò+3
Ö h'
Ö S
Ê#Ú'ÂZáLÏ'
Æ TB H ¾ Þ Ò
[ Á
Ú5Ê#ÖYÏ'Æ
20
00
-2
ß5Þ5ÞEç Ò
NS
In
sti
tu
te
½ ßEç ¿q‡Eø3
ùRöûñ>÷ú¹üùþ[öLõEÿ'ü÷>$LùRüÿ÷êô[õSö÷Rø5ö>ùLøo$‹
ÿEöLõEÿ'ü÷G&Œ3(
ô "5ÿúý
ÿ EöLõ'ÿ'ü
÷¼ú¹üù õ 6*
ø Žö
÷ EøpóL
÷ ù ¶õEÿ'ü
÷Žô4õSöS÷Rø5öSùLn
ø 1C*EóY3
ô 4¹à
èLÁãYÏÂZáLÏEÆ ß5Þ5Þ ¾ Ò9èZÅEÖÉEÁ
ÊLÅYÕëéÊË
ÖÉ
Ö'Ú#ÖYÏêÁSìÄí>ÖYÅSÊYÌZÅEÆ5ÌR˅Å>ÊZÌ
ÀYÏYÙâ5ÊÁ5Õ5ÁSÈ5ÇïҔîZä#Í
â#Ö5Ö'å Û8ð5ð#Ù5ËÆٜÒaÊ2É'ËÖï҉ÈLÁãð
å5Ú5áÕYÉ'ÙEÅ>Ö2ÉEÁÊË5ðSìÉå2Ë'ð>ìÉåËL
¾ @]Yð>ìÉåË æ ¾ @]ÜÒaåYÌ5ìïÒ
©
SA
½ß E
I ¿XN>ÅYÙ'Á
ápN'Á
Ê2Ë5Ë'Á
Ê ÒŠÐSÊÎÖ5âLÏÄËEÏYÙÚZÆÉ
Ö#Ç ÁSìëÙÖ#ƏêÙáÙ æ ÂRÅYٜÒpÀLÏYÙâ5Ê2É5Ù>ÅZÕ
ÆZÏSåÁSÆ5Öià,èZÅ>ÖÉEÁÊLÅZÕêéÊË
Ö2ÉÖ'Ú#ÖYÏëÁ>ìÎí>ÖYÅ>ÊZÌZÅEÆ5Ì˅ÅSÊZ̅ÀYÏYÙâ5ÊÁ5Õ5ÁSÈÉ>ÏYË à
ß5Þ5Þ5ß Ò†îZäZÍëÙ5ËSÆRٜÒaÊ2É5Ë
Öï҉ÈLÁSãRð [ Æ5Ç'å#ÖRÁÀRÁ#Á5ÕS×É
ÖRð
ÂÁSÌZÏYË5ð
åZÆLÁ
åÁ#Ë>ÏEÌ>Â2ÁSÌZÏYË'ðZÙ5ÙÂð#Ù#Ù æ Å'Ì2¾ ÒaåYÌ5ìïÒ
[ ÒgV2ÉÖÙâRÏZÕ5ÕÓÒ¼í#ÏYÙÚZÆÉ
Ö#ÇêÅSÊLÅZÕSÇË#É'ˊÅSÊZÌ
ÉÂ#åZÆLÁSãYÏÂRÏSÊZÖ˼ìLÁSÆòÉSÏ5Ï5Ï Ý#Þ5ß Ò"¾5¾EÉ ÒÄéÊ#ÖYÏEÆ'ÊLÏ>ÖëíZÁ#Ù#É>Ï>Ö#ǶàZZ
l ÏSáYÆEÚLÅEÆ5Ç
I ҆îZäZÍ
ß5Þ5Þ ¶
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÉ'Ë'Á#ÙÓÒTÁSÆ5ÈLðYÉ'Ë'Á#Ù'ðZÙ'ÁÊZìYÏEÆYÏSÊ2Ù>ÏLË'ðÊZÌË5Ë5ð Þ Z
I ðåZÆRÁ#ÙEÏ5Ï'ÌÉÊZÈË'ðåLÅ>åLÏ'ÆRË5ðSèRYí#í Þ I æ ¾5¾ Þ ]
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
½ ßH ¿
[ âLÅSÊZÈ'â5ÚLÅ%{YÏÎÅSÊZÌ0N'Á
â5Ê
© SANS Institute 2000 - 2005
Author retains full rights.
½ ß ]'¿ÎíSÚË>ÅSÊ^RYÏZÕ'ÅSÊLÏEÇÜҎô*+#ôc/‡)ˆ$LùLö‹ZõEÿEöO*3ÿZ÷þ÷4õ‘_Ž"ˆ&-KŒ-(
ü55ü ! ÿ÷4õ>üêõ )'ü<
ù øÄüúÎ3
ó ¹
õ ù'÷R
ö O+ZõRüS
ù !W$-
ùÿ"<
þ Zõ
ù
ô #ùÿZ=õ œÒz
í Y#èZí éÊË
ÖÉ
Ö'Ú#ÖYÏÓà ß#Þ5Þ Bi҆îZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò‰ÈÉSÅYÙÓÒTÁSÆ5ÈLðåZÆZÅYÙ
Ö2É'ÙEÅZÕ#F
ð P [ l'Ôð'íSÚ2Ë>Å>Ê
*
D elaneyG CF W.pdf.
½ ß'Ý ¿XN'Á
â5Ê^fÉSÏEÈYŶҋÀ'âLÏ{ÂYÇ'Ö'âòÁSìëÁ
åLÏSÊØË'Á
ÚYÆRÙ>ÏëË>ÏYÙÚYÆÉÖ#ÇÜÒ ß5Þ5Þ5Þ ÒûîYä#Í
â#Ö5Ö'å Û8ð5ðZÉÖEÂÅSÊLÅEÈZÏSÂRÏSÊ#ÖïÒVÏ5ÅEÆ'Ö'âZÑYÏ>á ÒÙ'Á
ÂðZË>ÏLÙÚðEÅ'Æ'Ö2É'Ù5ÕEÏiÒaå#â5åðL¾#¾ Þ ] H
6 218512 .
ull
rig
ht
s.
½ ß @E¿'RYÅ>ãÉ
ÌÄÐSáLÅLË>ÅSÊ7„ZÁ ÒpÀ'âLÏ{ÂYÇ'Ö'âòÁSìëÁ
åLÏSÊØË'Á
ÚYÆRÙ>ÏëË>ÏYÙÚYÆÉÖ#Ç
ÆZÏ>ãÉ'ËZÉÖYÏEÌÜÒ ß5Þ5Þ5ß ÒûîYä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò‰ÌZÏ>ãYÏYÕ5Á
åLÏEÆïÒ8Ù'ÁÂð#Á
åRÏSÊðEÅ'Æ'Ö2É'Ù5ÕEÏiÒaå#â5åð@ Ý B H5ß ¾ýÒ
eta
ins
f
½CB Þ ¿'?YÅ>×RÁãÎäYÏ>×5â#ÖYÏEƶàäRÁáLÏEÆ'ÖVÁ#Ë×RÁÑÉÖ3‰¶àZRYÅSÊ2É>ÏZÕzÃYÅEÆ5ÆZÏ>Ê5áLÏEÆ5Èià
P#Ï5ÏEÆ'c
Ö N>ÅSÊÄÌZ>
Ï P'ÆLÁ5ÁSÖià6ÅSÊZ>
Ì ARÕZÉEÁ֎ÍZÏ5Å'ÆÜ_
Ò Y5Ì5Ì5ÆYÏYË5ˊÅZÕ5Õ5ÁZÙ>Å>ÖÉEÁÊëìLÁSÆ
åZÆÉãYÅEÖYÏ ÉÊ#ÖYÏEÆ'ÊLÏ>Ö˜Ò{äY
Ï \>ÚLÏLË
ÖÄìLÁSÆ [ ÁÂ5ÂRÏ>Ê#ÖËë
¾ @¾ Ý à_éÊ#ÖYÏEÆEÊRÏ>Ö
A'ÊZÈÉÊRÏ5ÏEÆÉÊYȎÀYÅYË
^
× lLÁSÆRÙEÏÓàû
¾ @@ H ÒûîYä#Í
#
â
5
Ö
'
Ö
å
8
Û
5
ð
ð
5
Ñ
5
Ñ
Ñ
Ò
S
É
>
Ï
#
Ö
ï
ì
T
Ò
S
Á
5
Æ
L
È
>
ð
5
Æ
R
ì
'
Ù
S
ð
#
Æ
ìRÙL
¾ @DE3D
¾ Ý Ò+3
Ö h'F8B5
Ö Ò
Key fingerprint = AF19 FA27 2F94 998D FDB5
06E4 A169 4E46
ho
rr
½CB¾¿ëéÊ#ÖYÏEÆ'ÊLÏ>ÖqYRË5Ë#ÉÈEÊLÏE̎èEÚ'ÂZáLÏEÆRËWYEÚ#Ö5âÁSÆÉÖZÇÜÒ¼íSåLÏLÙ#ÉSÅZÕ æ ÚË>ÏòÉå#ã ç
ÅEÌ5Ì5ÆZÏLË5Ë>ÏY˜Ò{äY
Ï \>ÚLÏLË
ÖÄìLÁSÆ [ ÁÂ5ÂRÏ>Ê#Ö'
Ë BBB Þ à_éÊ#ÖYÏEÆEÊRÏ>Ö^A'ÊZÈÉÊRÏ5ÏEÆÉÊYÈ
ÀYÅYË
^
× lLÁSÆRÙEÏÓà ß5Þ5Þ5ß ÒûîYä#ͼâZÖ5Ö'å ÛTð#ðÑ5Ñ5ÑïÒCÉSÏ>Ö#ìÜÒ8ÁSÆ5ÈLðSÆ#ìRÙ'ðSÆ5ì5
Ù BBB Þ Ò‰
Ö h5ÖïÒ
5,
A
ut
½CB ß ¿¼äYÏEÌEâLÅE֊ÊLÏEÖ5ÑRÁSÆ'×òÁSì#ìZÏEÆÉÊYÈR˜ÒEQZÆLÁSÌEÚÙ֎ÌYÏYË5ÙÆÉå#ÖÉEÁ
Êïà,äYÏEÌEâLÅEÖià
éÊٜÒEà ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ Ò‰ÆZÏEÌEâRÅ>ÖïÒ8Ù'Á
Âð#Ë'ÁSì5Ö5ÑLÅEÆYÏZð>ÆEâ#Êð#ÁSì#ìZÏ'ÆÉÊZÈË'ð Ò
00
-2
00
½CBB'¿'{RÁÑÎÖRÁÓÛ
íYÙâLÏ'ÌEÚÕEώÅSÚ#ÖÁÂRÅ>ÖÉ5Ù{Ú5åZÌZÅ>ÖLÏYËÄÉÊÎÑ2ÉÊZÌLÁÑËEh'åÜà<Ñ2ÉÊZÌLÁÑË
ß5Þ5Þ5Þ àBÁSƅÑÉÊZÌRÁÑˎË>ÏEÆ'ãLÏEÆ ß5Þ5Þ BiҋÀLÏYÙâ5Ê2É5Ù>ÅZÕ¼ÆZÏSåÁ>Æ'ÖiàmV2É'ÙÆRÁ#Ë'ÁSì'ÖÜà
éÊٜÒEà ß5Þ5Þ BiÒûîZä#Í
â#Ö5Ö'å Û8ð5ð#ËÚ5å#åÁSÆ'ÖïÒaÂ4É'ÙÆLÁZË'ÁSì'ÖïÒÙ'Á
Âð>ÌZÏ'ìZÅ>ÚÕSÖïÒVÅYË
3
å hS#Ë#Ù#É
Ì T'×'“
á ’TÏ>Ê æ چ
Ë ’…B ß ] Ý B Ý Ò
tu
te
20
½CB ç ¿ÎíZÁSì'Ö5ÑLÅEÆZϼÚ5åZÌZÅEÖYÏëË>ÏEÆ'ãÉ5Ù>ÏYËzÌZÏSåÕ#ÁSÇ>ÂRÏSÊZÖÄÑ'â2ÉÖYÏzåLÅSåRÏEÆÜҔÔ5â2É
ÖYÏ
åLÅSåLÏEÆie
à V2É5ÙÆLÁ#Ë'Á>ì'Öià†éÊÙÓÒEà ß5Þ5Þ BiÒûîYä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒÂ4É'ÙÆRÁ#Ë'ÁSì'Ö Ò8Ù'ÁÂðSÑÉÊZÌRÁÑË ß#Þ5Þ#Þ ðSÑÉÊZÌRÁÑËÚ#åZÌYÅ>ÖLÏZðZËÚ2Ë'ðZËÚ2ËÌYÏSåÕ5Á>Ç>ÂÏSÊZÖïÒVÅYË
å Ò
ß5Þ5Þ BiÒûîYä#Í
In
sti
½CBIE¿%YEáÁ
Ú#֎ÆEâ5ʍҋÀYÏYÙâ5Ê4É'Ù>ÅZÕ¼ÆZÏSåÁSÆ'ÖiàäYÏEÌ'âLÅ>ÖiàIéÊÙÓÒEà
â#Ö5Ö'å Û8ð5ðSÆEâ5ʍ҉ÆZÏEÌEâRÅ>ÖïÒ8Ù'Á
Âð
âLÏZÕåð'ÅSáÁ
ÚZÖïÒ+3
å h5ÖïÒ
©
SA
NS
½CB H ¿WV2É'ÙâLÅ#ÏZÕzäYÅYËâ Ò6QYÅ'ÆZÅSÊÁZÉÌÎåLÏSÊZÈEÚ4ÉÊ Û
RYÏ>ÖLÏYÙ
ÖÉÊYÈØËÚËåLÏLÙ
Ö
Ö#ÆZÅEì5ìÉ'ٜҋÀYÏYÙ
âŽèLÁSÖYÏ^@¾[àèLÁãYÏÂZáLÏEÆ ß5Þ5Þ ¾ ÒûîZä#Í
â#Ö5Ö'å Û8ð5ðÑ5Ñ5Ñ ÒTÕZÉÊ5‹
Ú h3„ZÁ
ÚZÆ'ÊLÅZÕÓÒ8Ù5ÁÂ2ðEÅ'Æ'Ö2É'Ù5ÕEÏiÒaå#â5åS#ËZÉ
Ì3T çZÝ ] H Ò
Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46
© SANS Institute 2000 - 2005
Author retains full rights.

Documents pareils