Papers (Building Internet Firewalls, 2nd Edition)

A.8. Papers

This section contains a list of papers about firewalls, security attacks, and related topics. It is by no means an exhaustive list, but it does contain references to some of the papers that we find the most interesting. To get most of them, as well as many other papers, consult the extensive collections available from the Telstra and CERIAS web pages described earlier in this appendix.

The following list does not include papers that describe topics that are adequately described in this book, nor does it include papers that simply describe software (such as Tripwire, TCP Wrapper, etc.) that are mentioned in this book and cited in Appendix B, "Tools"; up-to-date papers about tools are ordinarily included with the tools themselves. The published versions of the papers are out of date, so you will do better to get the papers or documentation distributed with the software.

Bellovin, Steve, [email protected]. "Packets Found on an Internet". Computer Communications Review. 23(3): 26-31. July 1993.
Describes some of the stranger and more malevolent packets seen by one of AT&T's gateways.
ftp://ftp.research.att.com/dist/smb/packets.ps
Bellovin, Steve, [email protected]. "There Be Dragons". Proceedings of the Third USENIX Unix Security Symposium . USENIX Association. Baltimore. September 14-16, 1992.
This paper describes some of the probes and attacks against one of AT&T's gateways.
ftp://research.att.com/dist/internet_security/dragon.ps
Cheswick, Bill, [email protected]. "An Evening with Berferd in Which a Cracker Is Lured, Endured, and Studied". Proceedings of the Winter 1992 USENIX Technical Conference. USENIX Association. San Francisco. January 20-24, 1992.
Describes AT&T's experiences with one particular cracker who walked right into a trap and never knew he was the mouse being toyed with by the cat. The best part of the story isn't in the paper, however: how they got him to finally go away. The cracker was in the Netherlands, and they were sure they knew who it was, but there were no diplomatic channels through which they could get the Dutch police to do anything about it (what the cracker was doing wasn't illegal in the Netherlands, at least not at the time). Finally, one of the Dutch system administrators they'd been working with throughout the investigation got frustrated, called the cracker's mother, and the problem went away.
ftp://research.att.com/dist/internet_security/berferd.ps
Eichlin, Mark W., and Jon A. Rochlis, "With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988". Proceedings, IEEE Symposium on Research in Security and Privacy. Pages 326-45. Oakland, CA. May 1989.
A detailed dissection of the Morris Internet worm (this paper's authors prefer "Internet virus") of 1988: what it was, how it worked, what it did, and so on, as well as a discussion of the response.
ftp://athena-dist.mit.edu/pub/virus/mit.PS
Farmer, Dan, and Wietse Venema. "Improving the Security of Your Site by Breaking into It."
A guide from the authors of COPS and SATAN (Dan) and TCP Wrapper, portmap, and chrootuid (Wietse) to testing your own security before attackers do it for you.
ftp://ftp.porcupine.org/pub/security/admin-guide-to-cracking.101.Z
Fraser, B. RFC 2196: Site Security Handbook. September 1997.
This RFC is a guide to establishing a security policy for your site.From the introduction:
This handbook is a guide to setting computer security policies and procedures for sites that have systems on the Internet. This guide lists issues and factors that a site must consider when setting their own policies. It makes some recommendations and gives discussions of relevant areas.
http://www.ietf.org/rfc/rfc2196.txt
Note that the RFCs ("Requests for Comments") are the defining documents for almost all Internet protocols and services. Start with file rfc-index.txt; this is the index to the rest of the documents:
http://www.ietf.org/rfc.html
Ranum, Marcus, and Matt Curtin (maintainers), "Internet Firewalls Frequently Asked Questions (FAQ)."
It is updated and posted to the Firewalls mailing list ([email protected]) on a regular basis.
http://www.interhack.net/pubs/fwfaq/


A.7. Conferences		A.9. Books