Setting Up A Secure Server/Firewall
Internet communications - An analogy

Communications on the Internet use an agreed form of communication (a protocol) called TCP/IP. There are many books written about TCP/IP so I won't write a complete explanation of it here. However, I will have to give you a feel for some of the basics of how the different parts of TCP/IP connect.

Interfaces (such as modems, network cards, etc.) are assigned IP addresses - essentially a reference number, like a house address - by software. The software then uses connection protocols (TCP, UDP, etc.) to send data from one interface to another, thus transmitting data from one computer to another. IP addresses are usually written in the format xxx.xxx.xxx.xxx, where the value xxx can be any number up to 255. As part of the standardisation of TCP/IP, certain IP addresses are reserved for certain uses; for example, IP addresses starting 192.168.xxx.xxx are reserved for small to medium-sized local area networks.

It doesn't matter too much if you don't fully understand TCP/IP (although it would probably help), as long as you understand that interfaces - not computers - have IP addresses, in the same way that your house has an address. An analogy for our server/firewall would be if your front door and back door had different addresses, so if you live at 33 Acacia Avenue your front door might be 33F and your back door would be 33B.

Continuing the analogy, the connection protocols (TCP, UDP, etc.) can be thought of as being like different people carrying different types of data packets from the front door to the back, so John may carry the food packets whereas Sally is given the job of carrying the clothes packets. As you can imagine, it would be theoretically possible to implement a security policy to control the flow of goods by issuing rules to the people in your house to stop certain types of goods getting from one side of the house to the other. The two transmission methods you will come across here are TCP and UDP.

Unfortunately our analogy isn't quite complete yet. There are also things called 'ports'. To stretch our analogy a bit, we can think of ports as the rooms in our house which deal with certain types of product that have to be transmitted. Each room can be given a number and also a name, which makes them easier for us to remember. We have one room that deals with incoming email and another room which deals with outgoing email. The incoming emails are carried using the TCP protocol to the outgoing email room, which we shall number 25 and call the 'Simple Mail Transfer Protocol' (SMTP) room. Of course, things would be much simpler if everyone agreed which room numbers and names provided which service. Well, unbelievably for the computer world, they have. A short list follows of what are referred to as 'well-known services':

Port          Name                                         Service Provided
21            File Transfer Protocol (FTP)                 File transfers
25            Simple Mail Transfer Protocol (SMTP)         Outgoing mail
110           Post Office Protocol ver.3 (POP3)            Incoming mail
67/68         Dynamic Host Configuration Protocol (DHCP)   Network node set-up
53            Domain Name Server (DNS)                     WWW name to IP address translation
80            World Wide Web Server                        WWW server facilities
137/138/139   Netbios services                             Windows file/printer sharing/browsing etc.
443           HTTPS Protocol                               Secure socket layer browsing

This is just a very small part of the complete listing, which can be found on UNIX/Linux systems in the file usually called /etc/services.

There are also port addresses which are dynamically allocated; these are generally not a problem for security because they cannot be relied upon to be on the same number every time. For instance, if one computer wants to connect to another computer's port 21 for FTP (as in the above list), the data requested may be returned to a randomly allocated port on the requesting machine, say port 1025. By convention, the ports above 1024 are therefore considered safe as, generally, they are set up to be randomly allocated and so cannot be relied upon to be at the same port number every time.
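As an added example (not part of the original article), the following Python reads lines in the /etc/services format described above into a lookup table and classifies a port the way the article does: below 1024 as a well-known service port, 1024 and above as dynamically allocated. The file contents are a constructed sample rather than a real system's /etc/services.

```python
# Added example: parse /etc/services-style lines and classify ports using
# the article's convention (well-known below 1024, dynamic at 1024 and above).
import re
from typing import Dict, Tuple

# Constructed sample in /etc/services format: "name  port/proto  [aliases] [# comment]"
SAMPLE_SERVICES = """\
# Network services, Internet style (constructed sample, not a real file)
ftp             21/tcp
smtp            25/tcp          mail
domain          53/tcp          # Domain Name Server
domain          53/udp
bootps          67/udp          # BOOTP/DHCP server
bootpc          68/udp          # BOOTP/DHCP client
http            80/tcp          www www-http   # WorldWideWeb HTTP
pop3            110/tcp         pop-3          # POP version 3
netbios-ns      137/udp
netbios-dgm     138/udp
netbios-ssn     139/tcp
https           443/tcp                        # http protocol over TLS/SSL
"""

# name, port, protocol, then whatever aliases follow on the line
LINE_RE = re.compile(r"^(\S+)\s+(\d+)/(tcp|udp)\b(.*)$")

def parse_services(text: str) -> Dict[Tuple[int, str], str]:
    """Map (port, protocol) -> service name, ignoring comments and blank lines."""
    table: Dict[Tuple[int, str], str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue                          # skip malformed lines rather than abort
        name, port, proto, _aliases = m.groups()
        table.setdefault((int(port), proto), name)   # first entry wins, as in the file
    return table

def describe_port(table: Dict[Tuple[int, str], str], port: int, proto: str) -> str:
    """Name the service on a port, or say which range the article puts it in."""
    name = table.get((port, proto))
    if name is not None:
        return f"{port}/{proto}: well-known service '{name}'"
    if port < 1024:
        return f"{port}/{proto}: well-known range, not in table"
    return f"{port}/{proto}: dynamically allocated"

if __name__ == "__main__":
    services = parse_services(SAMPLE_SERVICES)
    for p, pr in [(25, "tcp"), (53, "udp"), (68, "tcp"), (1025, "tcp")]:
        print(describe_port(services, p, pr))
```

Note that 53 appears twice in the sample (TCP and UDP), so a firewall rule for DNS has to name the protocol as well as the port.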

Communications protocols - The 'innards'

Transmission of data packets in TCP is done by establishing a connection between both interfaces, which means that all the packets have to be received correctly for transmission to be successful. Packets that are sent via UDP, on the other hand, are sent without checking whether the packets arrive or not, so UDP is inherently safer because it cannot be relied upon by hackers any more than it can be relied upon by you. What then is the point of UDP transmissions if they are unreliable? Because UDP doesn't have to set up a reliable connection, with all the associated 'overhead' of ensuring reliable data communications, it is very fast, so it is often easier to just send the data again. UDP is mainly used on the Internet for simple control programs or for programs that use a 'query/response model', i.e. programs that have to await a response and will usually have a delay.

© Copyright Andrew Bennett 2006