CSC 482/582: Computer Security: Network Security (lecture slides)


Network Security

Outline:
  • TCP/IP Basics
  • Spoofing
  • TCP Session Hijacking
  • Packet Fragmentation
  • Denial of Service Attacks
  • IPv6 Security Changes
  • Port Scanning
  • Firewalls
  • VPNs

TCP/IP

  Layer            Protocols
  Application      HTTP, FTP, telnet
  Transport        TCP, UDP
  Network          IP, ICMP, IGMP
  Network Access   PPP, 802.11, Ethernet

Application Layer
  • Applications have their own protocols.
    - ex: FTP, HTTP, IRC, POP, SMTP, ssh, telnet
  • Request/response pattern
    - Client requests data from the server.
    - Server sends a response to client.

Figure from chapter 2 of CCENT/CCNA ICND1 Official Exam Certification Guide, 2nd ed.

Transport Layer
  • Two main protocols: TCP and UDP
  • TCP guarantees delivery of data across network
    - Error detection and recovery
    - Sequence numbers and ACKs

Network Layer
  • IP transmits data across the network.
    - Addressing
    - Routing

Network Access Layer
  • Physically connects one computer to another.
  • Common protocols
    - Ethernet
    - PPP
    - 802.11

Encapsulation

Figure 1.7 from TCP/IP Illustrated, Vol. 1.

Network Sniffing
  • All ethernet frames to or from any locally connected host are seen by all hosts.
  • NIC normally filters out frames that are not addressed to its MAC address.
  • In promiscuous mode, NIC processes all ethernet frames, not just ones addressed to it.
    - Requires administrative access on most OSes.

ARP Spoofing
  • ARP Spoofing/Cache Poisoning:
    - Send spoofed MAC address in response to sender's ARP request
    - Sender will cache response
    - May need to stop response from correct host
  • Man-in-the-Middle Attack
    - Send your MAC address in response to both Alice's and Bob's ARP requests
    - Intercept and forward all traffic
  • Tools: ettercap, parasite

ARP Spoofing Defences
  • Enable switch MAC binding
    - MAC address for a port is set once
  • Create static ARP table for local LAN
  • Arpwatch
    - Builds table of IP/MAC bindings for LAN
    - Sends notifications of any changes
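The Arpwatch-style defence above, as an added example that is not part of the lecture slides or of arpwatch itself: it replays constructed ARP reply observations (documentation MAC addresses, not real hosts), keeps the IP-to-MAC binding table, and reports the two things a defender wants to see: a binding that changed, and one MAC answering for several IPs, which is how the man-in-the-middle poisoning of both Alice's and Bob's caches looks on the wire. The observation tuple layout is my own.

```python
from collections import defaultdict

# Constructed observations of ARP replies seen on the LAN: (time, sender IP, sender MAC).
# MACs are from the 00:00:5e:00:53:xx documentation range; nothing here is a real host.
OBSERVED = [
    (0,   "10.17.0.1",  "00:00:5e:00:53:01"),  # gateway
    (1,   "10.17.0.90", "00:00:5e:00:53:90"),  # Alice
    (2,   "10.17.0.91", "00:00:5e:00:53:91"),  # Bob
    (60,  "10.17.0.1",  "00:00:5e:00:53:01"),  # routine refresh, binding unchanged
    (120, "10.17.0.90", "00:00:5e:00:53:aa"),  # a third MAC now answers for Alice's IP ...
    (121, "10.17.0.91", "00:00:5e:00:53:aa"),  # ... and for Bob's: the MITM pattern
]

def watch(observations):
    """Replay ARP replies, keep the IP->MAC table, and return (table, alerts).

    Alerts are tuples (time, kind, subject, detail). "new station" and
    "changed ethernet address" are the notifications arpwatch itself sends.
    """
    bindings = {}                  # IP -> MAC currently believed to own it
    ips_by_mac = defaultdict(set)  # MAC -> every IP it has answered for
    alerts = []
    for t, ip, mac in observations:
        mac = mac.lower()
        prev = bindings.get(ip)
        if prev is None:
            alerts.append((t, "new station", ip, mac))
        elif prev != mac:
            alerts.append((t, "changed ethernet address", ip, f"{prev} -> {mac}"))
        bindings[ip] = mac
        ips_by_mac[mac].add(ip)
        if len(ips_by_mac[mac]) > 1:   # one NIC claiming several IPs: poisoning both ends
            alerts.append((t, "one MAC answering for several IPs", mac, sorted(ips_by_mac[mac])))
    return bindings, alerts

if __name__ == "__main__":
    table, found = watch(OBSERVED)
    for alert in found:
        print(*alert)
```

A static ARP table or switch port binding, as the slide recommends, prevents the change; this watcher only reports it.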

IP: Internet Protocol
  • Unreliable, connectionless datagram service
    - Packets may arrive damaged, out of order, duplicated or not at all.
    - Transport/Application layers provide reliability.
  • IPv4 underlies Internet.
    - 32-bit addresses in dotted-quad: 10.17.0.90.
    - IPv6 is successor with 128-bit addresses.
  • Complexities: addressing, routing
  • RFC 791

IP Header

Figure 3.1 from TCP/IP Illustrated, Vol. 1.

IP Spoofing
  • Forging IP address of packets
  • Spoofer must bypass TCP/IP stack by writing data directly to data link layer (raw sockets)
  • Attacks
    - Conceal identity of attacker
    - Misidentification: finger another IP as attacker
    - Feints: hide real attack within flood of forged packets
    - Authentication: bypass IP-based ACLs
    - Denial of Service
  • Types of Spoofing
    - Non-Blind
    - Blind

Non-blind Spoofing
  • Spoofing on a network which you can sniff
    - local network
    - compromised network
    - redirected traffic via ARP spoofing
  • Easier to attack
    - Can see responses
    - Can see TCP sequence numbers

Blind Attacks
  • Attacker A sends packets to victim host V using spoofed IP address of trusted host T
  • V will send responses to T
  • T will discard responses as replies to packets that it never sent
  • A cannot see any of the reply packets
  • A must be able to ignore or predict responses

Source Routing
  • Use source route option to ensure that attacker host A receives responses instead of trusted host T, whose IP address was spoofed
  • Well-known attack type
  • Most routers drop source routed packets

IP Spoofing Defences
  • Packet filtering gateway
    - Disallow incoming packets with source IPs that belong to your internal networks
    - Drop source routed packets
  • ISP packet filtering
    - Disallow outgoing packets with source IPs that don't belong to ISP
    - Drop source routed packets

TCP 3-way Handshake

Figure 2.2, UNIX Network Programming

TCP Spoofing
  • Select trusted host to impersonate
  • Guess TCP ISN of victim host
  • Use a DOS attack to silence trusted host
  • Send SYN packet to victim host with spoofed IP address of trusted host
  • Trusted host can't respond to SYN+ACK
  • Send ACK packet to victim host with spoofed IP address and guessed ISN+1

TCP Session Number Guessing
  • Create test TCP connections to target host to examine ISNs and discover algorithms
  • Typical algorithm
    - Increment TCP SN by 128,000/sec
    - Increment TCP SN by 64,000/connection
  • Calculate round trip time of packets to host
    - Time to host is typically RTT/2
  • Send TCP segment with calculated SN

Possible Results
  • Correct Guess
  • Too Low
    - Segment dropped silently
  • Too High, but within window
    - Segment held, pending arrival of intermediate segments
  • Too High, but outside window
    - Segment dropped
    - Host sends a segment back (to spoofed IP) with expected SN

TCP Session Killing
  • RST
    - Need one valid TCP sequence number
    - Send RST segment with spoofed IP address and valid sequence number
    - May need to send multiple RSTs in case host receives TCP segment with your chosen sequence number before your RST segment
  • FIN
    - Need valid TCP sequence + ACK numbers
    - Send FIN+ACK segment with spoofed IP address to terminate session
    - Receive FIN packet in response, verifying kill if successful

Desynchronized TCP State
  • TCP connection in established state
  • No data is being sent
    - Server SN != Client ACK
    - Client SN != Server ACK
  • Once data is sent:
    - If Client SN within server window, packet accepted for future use, pending receipt of packet with correct SN
    - If Client SN not within window, discarded

Early desynchronization
  • Listen for SYN+ACK from server in setup
  • Send server RST packet, then SYN packet with exactly same parameters (but different sequence number) of client SYN
  • Server will close first connection on RST
  • Server will re-open new one on same port with different sequence number on receipt of SYN
  • Attacker sends expected ACK response, completing session establishment

Null data desynchronization
  • Attacker sends large amount of null data (data that will not affect session, i.e. telnet NOP) to server, increasing server's ACK number to be out of sequence with client
  • Attacker sends null data to client, forcing it out of sequence with the server

TCP Session Hijacking
  • Guess TCP sequence numbers used in current session between two hosts
  • Create desynchronized state so neither side of connection can talk to the other
  • Send packet with correct SN + ACK with spoofed client IP address to server, containing attack

Session Hijacking Attack
  • rlogin can be configured to allow access from an IP address without password
    - ~/.rhosts or /etc/hosts.equiv
  • Plan of Attack
    - Hijack telnet connection from V to T
    - Send target host T command: echo + + >>~/.rhosts
    - Use rlogin to access account without password

ACK Storm
  • Noisy side effect of TCP session hijacking
  • Both client and server ACK unacceptable packets with expected sequence number
  • Each ACK is also unacceptable and generates another ACK response
  • If network drops packet, no response made
  • ACK storms create network congestion, leading to many dropped packets

TCP Defences
  • Random ISNs
    - If attacker can't guess sequence numbers of a connection, session can't be hijacked
    - Adding a random number to previous ISN insufficient
    - Some random schemes can be statistically attacked
  • Cryptographically Secure Protocols
    - Connections reject packets that aren't correctly encrypted as part of the application stream
    - Still vulnerable to RST sniping

UDP Attacks: NIS
  • Network Information Service (NIS) used by clients to obtain authentication information, including users, hosts, and netgroups (ACLs) from server
  • RPC service using UDP packets
  • Attacker host listens on client subnet
    - Must respond to requests before real NIS server
  • Attacker attempts to login to client w/ fake user
    - Client asks for fake user's information from NIS
    - Attacker host responds with a forged password entry
    - Attacker successfully logs in with forged account

Packet Fragmentation
  • Occurs at IP layer
  • Each fragment has own IP header
  • Characteristics:
    - Each fragment of a packet has same identification field
    - More Fragments flag set (except on final frag)
    - Fragment Offset is offset (8-byte units) of fragment from beginning of original datagram
    - Total Length field is length of fragment
  • RFC 791, 815, 1858

Fragment Security Issues
  • Large Datagrams
    - Use multiple fragments that will be re-assembled into a packet larger than the maximum IP packet size of 64KB
    - example: ping of death
  • Tiny Fragments
    - Artificially small fragments break up TCP header into multiple packets, preventing firewalls/NIDS from seeing header data
    - Minimum fragment size is 68 bytes, which would put only 8 bytes of TCP header (src + dest ports) in first fragment, while flags like SYN and ACK, which indicate connection initiation, would be in second

Fragment Security Issues
  • Overlapping Fragments
    - Fragment offsets overlap, so during reassembly, second packet is copied over part of TCP header, allowing true header to be hidden in second packet while firewall reads misleading header data from first packet
    - Denial of Service: Teardrop attack uses overlapping fragments to overflow integer in memory copy to crash Windows 95/NT and Linux

Port Scanning

    > nmap -sT at204m02
    (1645 ports scanned but not shown are in state: closed)
    PORT      STATE SERVICE
    22/tcp    open  ssh
    80/tcp    open  http
    111/tcp   open  rpcbind
    443/tcp   open  https
    515/tcp   open  printer
    2049/tcp  open  nfs
    4045/tcp  open  lockd
    5432/tcp  open  postgres
    5901/tcp  open  vnc-1
    6000/tcp  open  X11
    32775/tcp open  sometimes-rpc13
    Nmap run completed -- 1 IP address (1 host up) scanned in 43.846 seconds

Scanning Techniques
  • TCP connect() scan
  • TCP SYN scan
  • TCP FIN scan
  • TCP Xmas scan
  • TCP Null scan
  • TCP ACK scan
  • Fragmentation Scan
  • FTP bounce scan
  • Idle Scan
  • UDP scan

TCP connect() scan
  • Use connect() system call on each port, following normal TCP connection protocol (3-way handshake).
  • connect() will succeed if port is listening.
  • Advantages: fast, requires no privileges
  • Disadvantages: easily detectable and blockable.

TCP SYN Scan
  • Send SYN packet and wait for response
    - SYN+ACK: Port is open; send RST to tear down connection
    - RST: Port is closed
  • Advantage: less likely to be logged or blocked
  • Disadvantage: requires root privilege

TCP FIN scan
  • Send TCP FIN packet and wait for response
    - No response: Port is open
    - RST: Port is closed
  • Advantages: more stealthy than SYN scan
  • Disadvantages: MS Windows doesn't follow standard (RFC 793) and responds with RST in both cases; requires root privilege.

Xmas and Null Scans
  • Similar to FIN scan with different flag settings.
  • Xmas Scan: Sets FIN, URG, and PUSH flags.
  • Null Scan: Turns off all TCP flags.

TCP ACK Scan
  • Does not identify open ports
  • Used to determine firewall type
    - Packet filter (identifies responses by ACK bit)
    - Stateful
  • Send TCP ACK packet to specified port
    - RST: Port is unfiltered (packet got through)
    - No response or ICMP unreachable: Port is filtered

Fragmentation Scan
  • Modify TCP stealth scan (SYN, FIN, Xmas, NULL) to use tiny fragmented IP datagrams.
  • Advantages: increases difficulty of scan detection and blocking.
  • Disadvantages: does not work on all OSes, and may crash some firewalls/sniffers.

FTP Bounce Scan
  • FTP protocol supports proxy ftp
    - Client requests server send file to another IP, port.
    - If server can open connection, port is open.
  • Advantages:
    - Hide identity of scanning host.
    - Bypass firewalls by using ftp server behind firewall.
  • Disadvantages:
    - Most ftp servers no longer support proxying.
    - Printer ftp servers often do still support.

Idle Scan
  • Use intermediate idle host to do scan.
    - Idle host must increment IP ID for each packet.
    - Idle host must not receive traffic from anyone other than attacker.
  • Scan Process
    - Attacker connects to idle host to obtain initial IP ID X.
    - Send SYN packet to port Y of target with spoofed IP of idle host.
    - If port is open, target host will send SYN+ACK to idle host.
    - Idle host will send RST packet with IP ID X+1 to target.
    - Attacker connects with SYN to idle host to obtain updated IP ID.
    - Idle host sends back SYN+ACK to attacker. Note that this action will increment IP ID by 1.
    - If IP ID is X+2, then port Y on target is open.
  • Advantages: hides attacker IP address from target.

UDP Scans
  • Send 0-byte UDP packet to each UDP port
    - UDP packet returned: Port is open
    - ICMP port unreachable: Port is closed
    - Nothing: Port listed as open|filtered
      Could be that packet was lost.
      Could be that server only returns UDP on valid input.
  • Disadvantages: ICMP error rate throttled to a few packets/second (RFC 1812), making UDP scans of all 65535 ports very slow. MS Windows doesn't implement rate limiting.

Version Scanning
  • Port scanning reveals which ports are open
    - Guess services on well-known ports.
  • How can we do better?
    - Find what server: vendor and version
    - telnet/netcat to port and check for banner
    - Version scanning

Banner Checking

    > nc www.nku.edu 80
    GET / HTTP/1.1

    HTTP/1.1 400 Bad Request
    Date: Sun, 07 Oct 2007 19:27:08 GMT
    Server: Apache/1.3.34 (Unix) mod_perl/1.29 PHP/4.4.1 mod_ssl/2.8.25 OpenSSL/0.9.7a
    Connection: close
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=iso-8859-1

    127

    400 Bad Request

    Bad Request
    Your browser sent a request that this server could not understand.
    client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /
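The scan signatures described in the slides above (a SYN sweep across many ports, the FIN, Xmas and Null flag combinations, and the tiny first fragments of a fragmentation scan), applied to constructed packet records as an added example; this is not code from the slides or from nmap. The record layout, the sweep threshold (10 distinct ports within 5 s) and the tiny-fragment checks modelled on RFC 1858 are my assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    t: float             # seconds since capture start
    src: str
    dport: int
    flags: frozenset     # TCP flag names set in the segment (empty if not carried)
    frag_off: int = 0    # IP fragment offset, in 8-byte units
    mf: bool = False     # IP More Fragments bit
    tlen: int = 20       # bytes of TCP header/data present in this fragment

TCP_HDR = 20   # full TCP header; the flags byte is at offset 13

def flag_signature(p):
    """Flag combinations that never start a legitimate connection (FIN, Xmas, Null scans)."""
    if p.frag_off != 0 or (p.mf and p.tlen < 14):
        return None                       # flags byte is not in this fragment
    if not p.flags:
        return "null-scan"
    if p.flags == {"FIN"}:
        return "fin-scan"
    if p.flags == {"FIN", "URG", "PSH"}:
        return "xmas-scan"
    return None

def fragment_signature(p):
    """Tiny-fragment checks in the spirit of RFC 1858 (assumed thresholds)."""
    if p.frag_off == 0 and p.mf and p.tlen < TCP_HDR:
        return "tiny-first-fragment"      # SYN/ACK bits pushed into a later fragment
    if p.frag_off == 1:
        return "offset-1-fragment"        # overwrites bytes 8-15 of the TCP header on reassembly
    return None

def syn_sweeps(pkts, window=5.0, min_ports=10):
    """Sources sending SYN-only segments to >= min_ports distinct ports within `window` seconds."""
    by_src = defaultdict(list)
    for p in pkts:
        if p.frag_off == 0 and p.flags == {"SYN"}:
            by_src[p.src].append((p.t, p.dport))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            ports = {port for _, port in events[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits

def analyse(pkts):
    """All alerts for a capture: (signature, source, port-or-count)."""
    alerts = [(sig, p.src, p.dport) for p in pkts
              for sig in (flag_signature(p), fragment_signature(p)) if sig]
    alerts += [("syn-sweep", src, n) for src, n in syn_sweeps(pkts).items()]
    return alerts

SYN, ACK = frozenset({"SYN"}), frozenset({"ACK"})
# Constructed sample traffic towards one host (documentation address ranges, not real hosts).
SAMPLE = (
    [Pkt(0.1 * i, "203.0.113.5", 20 + i, SYN) for i in range(12)]            # SYN sweep, 12 ports in 1.1 s
    + [Pkt(3.0, "198.51.100.7", 80, SYN), Pkt(3.1, "198.51.100.7", 80, ACK)]  # ordinary client
    + [Pkt(4.0, "203.0.113.9", 22, frozenset()),                              # Null
       Pkt(4.1, "203.0.113.9", 22, frozenset({"FIN"})),                       # FIN
       Pkt(4.2, "203.0.113.9", 22, frozenset({"FIN", "URG", "PSH"}))]         # Xmas
    + [Pkt(5.0, "203.0.113.9", 22, frozenset(), frag_off=0, mf=True, tlen=8),  # ports only
       Pkt(5.0, "203.0.113.9", 22, frozenset(), frag_off=1, tlen=12)]          # rest of header
)
```

`analyse(SAMPLE)` returns six alerts: the three flag probes, the two fragment anomalies and one SYN sweep of 12 ports; the ordinary client trips nothing.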

Version Scanning
  • If port is TCP, open connection.
    - Wait for service to identify self with banner.
  • If no identification or port is UDP, send probe string based on well-known service.
    - Check response against db of known results.
    - If no match, test all probe strings in list.

nmap version scan

    > nmap -sV at204m02
    (The 1645 ports scanned but not shown below are in state: closed)
    PORT      STATE SERVICE   VERSION
    22/tcp    open  ssh       OpenSSH 3.7.1p2 (protocol 1.99)
    80/tcp    open  http      Apache httpd 2.0.48 (mod_python/3.1.3 DAV/2)
    111/tcp   open  rpcbind   2-4 (rpc #100000)
    443/tcp   open  ssl/http  Apache httpd 2.0.48 (mod_python/3.1.3 DAV/2)
    515/tcp   open  printer?
    2049/tcp  open  nfs       2-3 (rpc #100003)
    4045/tcp  open  nlockmgr  1-4 (rpc #100021)
    5432/tcp  open  postgres?
    5901/tcp  open  vnc       VNC (protocol 3.3)
    6000/tcp  open  X11?
    32775/tcp open  status    1 (rpc #100024)

More nmap Tools
  • Set source port
    - Bypass firewall by using allowed source port.
    - Use port 80 for TCP, port 53 for UDP scans.
  • Decoys
    - Send additional scans from list of decoys.
    - Spoof IP addresses of decoy hosts.
    - Defender has to investigate decoys + attacker.

Defences
  • Prevention
    - Disable unnecessary services.
    - Block ports at firewall.
    - Use a stateful firewall instead of packet filter.
  • Detection
    - Network Intrusion Detection Systems.
    - Port scans often have distinct signatures.
    - IPS can react to scan by blocking IP address.

OS Fingerprinting
  • Identify OS by specific features of its TCP/IP network stack implementation.
    - Explore TCP/IP differences between OSes.
    - Build database of OS TCP/IP fingerprints.
  • Send set of specially tailored packets to host
    - Match results to identical fingerprint in db to identify operating system type and version.

nmap OS fingerprint examples

    > nmap -O at204m02
    ...
    Device type: general purpose
    Running: Sun Solaris 8
    OS details: Sun Solaris 8
    Uptime 10.035 days (since Sat Mar 27 08:59:38 2004)

    > nmap -O 10.17.0.1
    Device type: router
    Running: Bay Networks embedded
    OS details: Bay Networks BLN-2 Network Router or ASN Processor revision 9

OS Fingerprinting Techniques
  • FIN probe
    - RFC 793 requires no response
    - MS Windows, BSDI, Cisco IOS send RST
  • Bogus flag probe
    - Bit 7 of TCP flags unused
    - Linux

Example: outgoing telnet
  • Outgoing packets
    - Source port >1023
    - Outgoing connection established by first packet with no ACK flag set
    - Following packets will have ACK flag set
  • Incoming packets
    - Source port is 23, as server runs on port 23
    - Destination port is high port used for outbound packets
    - All incoming packets will have ACK flag set

Example: outgoing telnet

  Dir     Src  Dest  Proto  S.Port  D.Port  ACK?    Action
  Out     Int  Any   TCP    >1023   23      Either  Accept
  In      Any  Int   TCP    23      >1023   Yes     Accept
  Either  Any  Any   Any    Any     Any     Either  Deny

  • First rule allows outgoing telnet packets
  • Second rule allows response packets back in
  • Third rule denies all else, following Principle of Fail-Safe Defaults

Example: outgoing telnet
  • Red Hat Linux /etc/sysconfig/iptables

    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -m tcp -p tcp --sport 23 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT

Limitations/Problems
  • Must know details of TCP/UDP port usage of protocol to create filters
  • Applications only identified by port number
    - What if external host is running a different TCP protocol on port 23?
  • Order of rules important
    - Difficulties when adding a new service filter to an existing ruleset

Example: SMTP

  Dir     Src  Dest  Proto  S.Port  D.Port  ACK?    Action
  In      Ext  Int   TCP    Any     25      Either  Accept
  Out     Int  Ext   TCP    Any     >1023   Either  Accept
  Out     Int  Ext   TCP    Any     25      Either  Accept
  In      Ext  Int   TCP    Any     >1023   Either  Accept
  Either  Any  Any   Any    Any     Any     Either  Deny

  Policy: Allow incoming and outgoing SMTP, deny all other services

Example: SMTP
  • Rules 1+2 allow outgoing SMTP
  • Rules 3+4 allow incoming SMTP
  • Rule 5 denies all other protocols
  • Problem:
    - What about external user attacking an internal X server on port 23?
    - Rules 2 + 4 allow all connections where both ends use ports >1023

Example: SMTP

  Dir     Src  Dest  Proto  S.Port  D.Port  ACK?    Action
  In      Ext  Int   TCP    >1023   25      Either  Accept
  Out     Int  Ext   TCP    25      >1023   Yes     Accept
  Out     Int  Ext   TCP    >1023   25      Either  Accept
  In      Ext  Int   TCP    25      >1023   Yes     Accept
  Either  Any  Any   Any    Any     Any     Either  Deny

  Solution: Revise rules to consider source port and ACK flag

Stateful Packet Filters
  • Saves packet data to keep state, in order to reconstruct connection at IP level
    - Even though UDP has no ACK flag, can construct connection by remembering outgoing packet for UDP 53 (DNS) and know that a response should come from that port to the source port of original packet
  • Can examine packets at application layer
    - Examine FTP packet stream for PASV/PORT commands to find return port for ftp data stream

Packet Filtering Summary
  • Advantages:
    - One packet filter can protect an entire network
    - Efficient (requires little CPU)
    - Supported by most routers
  • Disadvantages:
    - Difficult to configure correctly
      Must consider rule set in its entirety
      Difficult to test completely
    - Performance penalty for complex rulesets
      Stateful packet filtering much more expensive
    - Enforces ACLs at layer 2 + 3, without knowing any application details

Circuit Gateways
  • Proxy host relays TCP/UDP connections
    - Client makes connection to proxy
    - Proxy forwards connection to server
  • Proxy provides:
    - Access Control: proxies specified source + dest ports / IP addresses
    - Logging
    - Anonymity

Circuit Gateways
  • Advantages:
    - User-level authentication possible
    - Efficient logging, as proxy deals with circuit connections instead of individual packets
  • Disadvantages:
    - Clients have to be recompiled or reconfigured to use proxy service
    - Some services can't be proxied
    - Cannot protect you from all protocol weaknesses

Application Gateways
  • Proxy for a specific application
    - HTTP is most common
    - SMTP is effectively proxied by default
  • Advantages
    - Filtering based on specifics of application protocol
  • Disadvantages
    - Applications are very complex (SMTP header, data, attachments)

Distributed Firewalls
  • Each individual host has a firewall
  • Policy set by a central management server
  • Advantages:
    - Can protect machines when no choke point available, including mobile laptops
    - No single point of failure
  • Disadvantages:
    - Can't prevent IP spoofing

Screened Subnet Architecture
  • Isolates internal network from external networks by means of a perimeter network, often called a DMZ

Figure 6.4, Building Internet Firewalls, 2nd ed.
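An added example, not from the slides, that evaluates packet-filter rule tables of the form used in the outgoing-telnet and SMTP slides above (first matching rule wins, trailing deny-all as the fail-safe default). It encodes both SMTP tables and shows why the version that ignores source port and ACK admits an external connection to an internal service on a high port (X11 on 6000/tcp, the port the nmap output above shows open) while the revised table denies it. The Rule and Packet encodings and the sample packets are my own.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "In", "Out" or "Either"
    src: str         # "Int", "Ext" or "Any"
    dst: str
    proto: str       # "TCP" or "Any"
    sport: object    # port number, ">1023" or "Any"
    dport: object
    ack: str         # "Yes" (ACK flag required) or "Either"
    action: str      # "Accept" or "Deny"

@dataclass(frozen=True)
class Packet:
    direction: str   # "In" (Ext -> Int) or "Out" (Int -> Ext)
    src: str         # network the source address belongs to: "Int" or "Ext"
    dst: str
    proto: str
    sport: int
    dport: int
    ack: bool        # ACK flag set? False on the first segment of a new connection

def port_matches(spec, port):
    if spec == "Any":
        return True
    if spec == ">1023":
        return port > 1023
    return spec == port

def rule_matches(r, p):
    return (r.direction in ("Either", p.direction)
            and r.src in ("Any", p.src) and r.dst in ("Any", p.dst)
            and r.proto in ("Any", p.proto)
            and port_matches(r.sport, p.sport) and port_matches(r.dport, p.dport)
            and (r.ack == "Either" or p.ack))

def decide(rules, p):
    """First matching rule wins; the trailing deny-all rule is the fail-safe default."""
    for r in rules:
        if rule_matches(r, p):
            return r.action
    return "Deny"    # nothing matched: still fail safe

DENY_ALL = Rule("Either", "Any", "Any", "Any", "Any", "Any", "Either", "Deny")

# SMTP table as first written on the slide: destination ports only
SMTP_NAIVE = [
    Rule("In",  "Ext", "Int", "TCP", "Any", 25,      "Either", "Accept"),
    Rule("Out", "Int", "Ext", "TCP", "Any", ">1023", "Either", "Accept"),
    Rule("Out", "Int", "Ext", "TCP", "Any", 25,      "Either", "Accept"),
    Rule("In",  "Ext", "Int", "TCP", "Any", ">1023", "Either", "Accept"),
    DENY_ALL,
]

# Revised table: source port and ACK flag considered
SMTP_REVISED = [
    Rule("In",  "Ext", "Int", "TCP", ">1023", 25,      "Either", "Accept"),
    Rule("Out", "Int", "Ext", "TCP", 25,      ">1023", "Yes",    "Accept"),
    Rule("Out", "Int", "Ext", "TCP", ">1023", 25,      "Either", "Accept"),
    Rule("In",  "Ext", "Int", "TCP", 25,      ">1023", "Yes",    "Accept"),
    DENY_ALL,
]

# Constructed packets
OUTGOING_MAIL = Packet("Out", "Int", "Ext", "TCP", 1500, 25, ack=False)   # first SYN of an outgoing mail session
MAIL_REPLY    = Packet("In",  "Ext", "Int", "TCP", 25, 1500, ack=True)    # server's SYN+ACK and later data
INCOMING_MAIL = Packet("In",  "Ext", "Int", "TCP", 2000, 25, ack=False)   # external MTA connecting to ours
FORGED_REPLY  = Packet("In",  "Ext", "Int", "TCP", 25, 1500, ack=False)   # new connection dressed up as a reply
X11_PROBE     = Packet("In",  "Ext", "Int", "TCP", 2000, 6000, ack=False) # external SYN to an internal X server

def compare(p):
    """(decision under the naive table, decision under the revised table) for one packet."""
    return decide(SMTP_NAIVE, p), decide(SMTP_REVISED, p)
```

`compare(X11_PROBE)` returns `("Accept", "Deny")`: rule 4 of the naive table matches any inbound segment to a port above 1023, whereas the revised rule 4 also demands source port 25 and the ACK flag, which only a reply to our own connection carries.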

Screened Subnet
  • Bastion hosts isolated from internal network
    - Compromise of a bastion host doesn't directly compromise internal network
    - Bastion hosts also can't sniff internal traffic, since they're on a different subnet
  • No single point of failure
    - Attacker must compromise both exterior and interior routers to gain access to internal net
  • Advantages: greater security
  • Disadvantages: higher cost and complexity

Screened Subnet
  • External Access
    - Filtered: via interior + exterior routers
    - Proxied: use a bastion host as a proxy server
  • Bastion Hosts
    - Proxy server
    - External web/ftp servers
    - External DNS server
    - E-mail gateway

Screened Subnet
  • Exterior Router
    - Simple filtering rules
      Ingress/Egress Filtering
      DOS prevention
      Simple ACLs
    - May be controlled by ISP
  • Interior Router
    - Complex filtering rules
    - Must protect internal network from bastion hosts as well as external network
  • Recommendation: use different hardware/software for interior and exterior routers

Tunneling
  • Tunneling: Encapsulation of one network protocol in another protocol
    - Carrier Protocol: protocol used by network through which the information is travelling
    - Encapsulating Protocol: protocol (GRE, IPsec, L2TP) that is wrapped around original data
    - Passenger Protocol: protocol that carries original data

ssh Tunneling
  • SSH can tunnel TCP connections
    - Carrier Protocol: IP
    - Encapsulating Protocol: ssh
    - Passenger Protocol: TCP on a specific port
  • POP-3 forwarding

    ssh -L 110:pop3host:110 -l user pop3host

    - Uses ssh to login to pop3host as user
    - Creates tunnel from port 110 (leftmost port #) on localhost to port 110 (rightmost port #) of pop3host
    - User configures mail client to use localhost as POP3 server, then proceeds as normal

Virtual Private Network (VPN)
  • Two or more computers or networks connected by a private tunnel through a public network (typically the Internet)
  • Requirements:
    - Confidentiality: encryption
    - Integrity: MACs, sequencing, timestamps
  • Firewall Interactions
    - Tunnels can bypass firewall
    - Firewall is convenient place to add VPN features

Firewall Limitations
  • Cannot protect from internal attacks
    - May be able to limit access with internal firewalls to a segment of your network
  • Cannot protect you from user error
    - Users will still run trojan horses that make it past your AV scanner
  • Firewall mechanism may not precisely enforce your security policy

Key Points
  • TCP/IP insecure layered architecture
    - IP addresses can be spoofed
    - TCP sessions can be hijacked
  • Denial of service attacks
    - Technical attacks exploit an implementation flaw
    - Brute force attacks saturate network bandwidth
  • Port scanning allows attackers to find targets
    - Stealth scans can avoid firewalls or NIDS
  • Firewalls block some classes of attacks
    - Can block packets by IP, port, or TCP flags
    - Packet filters vs. stateful firewalls

References
  • Bellovin, Steven, "Security Problems in the TCP/IP Protocol Suite", Computer Communication Review, Vol. 19, No. 2, pp. 32-48, April 1989.
  • Cheswick, William, Bellovin, Steven, and Rubin, Aviel, Firewalls and Internet Security, 2nd edition, 2003.
  • Curtin, Matt and Ranum, Marcus, Internet Firewalls FAQ, http://www.interhack.net/pubs/fwfaq/, 2000.
  • Fyodor, The Art of Port Scanning, http://www.insecure.org/nmap/nmap_doc.html
  • Fyodor, NMAP man page, http://www.insecure.org/nmap/data/nmap_manpage.html
  • Fyodor, Remote OS detection via TCP/IP Stack FingerPrinting, Phrack 54, http://
  • Garfinkel, Simson, Spafford, Gene, and Schwartz, Alan, Practical UNIX and Internet Security, 3rd edition, O'Reilly & Associates, 2003.
  • Stevens, W. Richard, TCP/IP Illustrated, Vol. 1, Addison-Wesley, 1994.
  • Zwicky, Elizabeth, Chapman, Brent, and Cooper, Simon, Building Internet Firewalls, 2nd edition, O'Reilly & Associates, 2000.