time in Version 2.0, and is now called TCP Session Time-out.
For more details, see Appendix B of the FireWall-1 Administrator's Guide.
A-8 Solaris Network Security
Copyright 1997 Sun Microsystems, Inc. All Rights Reserved. SunService August 1996
Appendix A Lab: Introduction to Inspection Language
Purpose
By the end of this lab session, you will know the structure of the
Inspection Language and some advantages and disadvantages of
using it instead of the GUI. You will also start experimenting with the
Inspection Language on your own.
While completing these lab exercises you will learn to:
Describe the Inspection Language.
Review sample code.
Preparation
You will need a Solaris 2.x system and the Solstice FireWall-1 2.0
software to run this lab. You should also have a Cisco or Wellfleet
(Bay Networks) router.
Make sure your user ID is superuser. Have OpenWindows running,
and start the Solstice FireWall-1 2.0 software, and the GUI. Make sure
the Log Viewer and System Status windows are displayed.
Exercise A.1 - Viewing Code Created Using the GUI
In this exercise, you are introduced to the Status View window.
Procedure:
Note: Viewing the Inspection Language code generated with the GUI
is a good way to become familiar with the language.
1. Load and install the default security policy as in earlier lab
exercises.
2. Save the security policy under a new name, such as "example",
as in earlier lab exercises.
3. Choose Policy > View in the Rule Base Editor window.
A Policy View window is displayed showing the Inspection
Language code generated by the GUI. Take a few moments to
study it.
You may want to save this code to a file using the File > Save As
menu item. This will enable you to refer to it later or use it with
other utilities such as diff.
4. Add a simple rule to the rule base so that you will have
something like the following:
No. Source Destination Service Action Track    Install On Comments
--- ------ ----------- ------- ------ -------- ---------- --------
1   Any    Any         Any     Accept --       Gateways   --
2   Any    Any         smtp    Accept Long_Log Gateways   Mail
5. Click on Update View in the Policy View window.
Notice the changes to the code.
6. Repeat this several times, changing or adding rules each time.
Notice the changes to the code.
7. Alter various settings in the Properties, especially in the
Security Policy window.
Try these one at a time, updating the view in the Policy View
window each time, and save the result to a file, if you want.
You may want to use a text editor or other Solaris tools to analyze
the inspection code created by the various security policies you
experiment with.
You now have some familiarity with the syntax and semantics of
the Inspection Language.
Exercise A.2 - Single Interface Control
In this exercise, you will compare GUI-generated code to code
written directly in the Inspection Language.
Procedure:
Note: An altered (or manually written) security policy must be
maintained by manually updating the Inspection Language code used.
1. Create a Rule Base with only the following rule:
No. Source  Destination Service             Action Track     Install On  Comments
--- ------- ----------- ------------------- ------ --------- ----------- --------------------
1   !my.com my.com      finger, telnet, ftp Reject Short Log Destination blkdsvcs not my.com.
2. View the Inspection Language code generated as in the previous
exercise.
3. Compare the result of step 2 above with the following line of
code:
eitherbound le0@fw_host reject src not in my.com, \
dst in my.com (finger or ftp or telnet) short;
Note that the code above controls a single interface (le0 on
fw_host), whereas the code generated by the GUI controls all
interfaces. It is not possible to specify a single interface using
the GUI.
You have an example of something that can be accomplished with
the Inspection Language, but not with the GUI.
Exercise A.3 - Established TCP Connections
In this exercise, you will compare a code fragment with a setting
from the Control Properties, Security Policy window.
Procedure:
1. Note the following line of code:
all@fw_host accept tcp,established;
This implements the Solstice FireWall-1 1.2.1 Properties Security
Policy Established TCP Connections option. This option does not
exist in the 2.0 version.
This is another example of something that can be accomplished
with the Inspection Language, but not with the GUI.
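As an added example (not from this course or from Solstice FireWall-1), the following Python script automates the comparison that Exercises A.1 to A.3 ask you to do by hand: it diffs two saved Inspection Language dumps and flags accept statements that apply on every interface without any source or destination check, such as the tcp,established line above. It assumes only the statement shape shown in this lab ("<scope> <action> <conditions>;" with an optional leading direction keyword such as eitherbound) and is not a parser for the real INSPECT language; the sample dumps are constructed.

```python
"""Diff two saved Inspection Language dumps and flag broad accept rules.

Assumption: statements look like the lab's samples, e.g.
"eitherbound le0@fw_host reject src not in my.com, dst in my.com (...) short;"
This is not a parser for the real INSPECT grammar.
"""
import re

# Constructed sample dumps: "before" as the GUI would emit it (all interfaces),
# "after" with a hand-written single-interface rule and an established-TCP accept.
POLICY_BEFORE = """\
all@fw_host reject src not in my.com, \\
    dst in my.com (finger or ftp or telnet) short;
all@fw_host accept dst in my.com smtp long;
"""
POLICY_AFTER = """\
eitherbound le0@fw_host reject src not in my.com, \\
    dst in my.com (finger or ftp or telnet) short;
all@fw_host accept dst in my.com smtp long;
all@fw_host accept tcp,established;
"""


def parse_policy(text):
    """Return a list of (scope, action, condition) tuples, one per statement."""
    joined = text.replace("\\\n", " ")           # fold backslash continuation lines
    rules = []
    for stmt in joined.split(";"):
        tokens = stmt.split()
        if not tokens:
            continue
        if "@" not in tokens[0]:                 # drop a leading direction keyword
            tokens = tokens[1:]
        scope, action, *cond = tokens            # scope is "<interface>@<host>"
        rules.append((scope, action, " ".join(cond)))
    return rules


def diff_policies(before, after):
    """Return (added, removed) statements between two saved dumps."""
    old, new = set(parse_policy(before)), set(parse_policy(after))
    return sorted(new - old), sorted(old - new)


def broad_accepts(text):
    """Accept rules installed on all interfaces that carry no src/dst check."""
    return [r for r in parse_policy(text)
            if r[0].startswith("all@") and r[1] == "accept"
            and not re.search(r"\b(src|dst)\b", r[2])]
```

Run diff_policies on the dumps you saved in Exercise A.1 to see exactly which statements each GUI change produced, and broad_accepts on any hand-edited policy before installing it.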
Checkpoint
1. What are some of the advantages to using the Inspection
Language to implement your security policy?
___________________________________________________________
___________________________________________________________
___________________________________________________________
2. What are some of the disadvantages to using the Inspection
Language to implement your security policy?
___________________________________________________________
___________________________________________________________
___________________________________________________________
3. Is it good to keep a copy of a security policy that can be altered
using the GUI after generating your own with the Inspection
Language? Why or why not?
___________________________________________________________
___________________________________________________________
___________________________________________________________
___________________________________________________________
Appendix B Reading List
This appendix lists resources for:
System documentation
General and introductory writings
Security
Firewalls
Operating systems
Networking and administration
UNIX kernel and implementation details
Online information (URLs)
Security and cracker culture
System Documentation
FireWall-1 Installation and User's Guide
Release 1.0
SunSoft 1994
Part Number 802-2426-10
FireWall-1 Installation and User's Guide
Release 1.2.1
SunSoft, September 1995
Part Number 802-3181-10
Solstice FireWall-1 Administrator's Guide
Release 2.0
SunSoft, January 1996