




One of Microsoft's strongest responses to the ongoing buffer-overflow-worm threat was a complete rewriting of the software firewall incorporated into XP, 2003, and R2. They renamed the firewall from Internet Connection Firewall (ICF) to Windows Firewall (WF). They also added something called IPsec bypass that extends the firewall's ability to allow you to easily require a secure server to authenticate not just incoming users, but machines. In this chapter, you see what WF does, what issues it can raise, and how to configure it so that it suits your security needs best.

What Is Windows Firewall?

How can an operating system have a firewall, anyway? Isn't a firewall a box with blinking lights and a bunch of cables coming out of it? The answer is that the term firewall refers to any of a number of ways to shield a computer network from other networks, networks rife with untrustworthy people; you know, networks like the Internet. Let's dig down a bit further, however, and start with a look at what a firewall is, basically.

What Firewalls Do

With the advent of the Industrial Revolution, people started building things driven by steam power, such as locomotives, ships, and the like. Creating steam required fire, and fire's a scary thing, at least when it gets out of hand. To protect against fire-related problems, those locomotives, ships, and the like were designed so that a thick, sturdy, nearly fireproof wall existed between wherever the fire was kept, usually a boiler, and the rest of the vehicle. That way, if something caught fire in the boiler's compartment, then the onboard engineers would have a bit more time to put out the fire without having to worry about the fire immediately spreading to the rest of the craft. Later on, we started using internal combustion engines, and they, too, can catch fire, so things like automobiles and private aircraft have firewalls designed into them. (In fact, the "wall" referred to when people say that something is running "balls to the wall" is the firewall. You control a small aircraft's engine speed by moving a ball-shaped control called the throttle. Pulling it back toward you reduces the engine's speed; pushing the ball forward "to the firewall" increases engine speed.) Basically, then, a firewall's job is to contain bad stuff. But where engine firewalls contain a relatively small space so as to contain a fire, computer network firewalls attempt to contain a truly huge space: the Internet. Firewalls exist to make it harder for dirtbags to attack our networks.

How Firewalls Work

Firewall is one of those words that sounds so good (just put one box between your network and the Internet, and you're safe from all the baddies) that people use the term to mean a lot of things.

Port-Filtering Firewalls

The earliest kind of firewall was a box that sat between an internal network and the Internet. Now, if you think about it, what sort of box normally sits between our network and the Internet? Probably a router, and, in fact, many firewalls are just routers with a bit of intelligence added. On the left you see the internal network (including PCs and servers), on the right the Internet. In between is the IP router, which has at least two interfaces: the one that connects to the Internet (which may be an Ethernet cable, a wireless connection, a modem, an ISDN connection, a DSL connection, a frame relay, or perhaps a cable modem), and the one that connects to the internal network (which is usually an Ethernet connection). The router is a very simple computer that listens to messages sent to it from either the internal or external interface. Yes, that's right: a router is a computer running a very simple program. Here's how it works. Suppose the IP addresses that you use in your network are ones in the range of 200.100.7 to 54. (Yes, that is a range of routable addresses. Nonroutable addresses didn't appear in the Internet originally; we'll get to that in a minute.) Here are the instructions that essentially capture a router's entire program:

Listen to IP packets sent to either the internal or external interface.
If a packet needs to go to an address in the range of 200.100.7 to 54, then resend the packet onto the internal network.
If a packet needs to go anywhere else, assume that address is on the Internet, and resend the packet on the external interface.

That's all there is to it. Sure, routers can actually handle more complicated sets of rules, "If I get a message destined for IP range X then I should resend it on interface Y," but my example encapsulates enough for our firewall discussion. Now let's make the router a bit smarter. Suppose you've got some jerk trying to connect to your server, the big PC in your network, via TCP port 139. That ties up the server, and if they try logging on with enough user names and passwords, they might figure out one of your accounts. (This is a simple example, so imagine that there are no account lockouts.) So you (somehow) hack the program in your router and give it an extra rule: If a packet appears on the external interface destined for an address on the internal network, and if that packet is destined for TCP port 139, just discard the packet; don't transmit it. Here, then, is an example of a working firewall. A very simple one, to be sure, but a working firewall. Because the firewall's program (called the firewall rules by most) decides what to pass and what not to pass based on the destination port, such a firewall is called a port-filtering firewall. Now, in my example I only blocked one port. But you may know that in the real world, people tend to configure port-filtering routers with rules like "block all incoming traffic on all ports except for such-and-such port ranges." Additionally, consider that the one rule that I've shown you, "block all traffic destined for an internal IP address on TCP port 139," refers only to incoming traffic. Port-filtering firewalls can, however, usually filter outgoing traffic as well. For example, your firm might have discovered at some time that employees were running websites of their own that featured, well, content of questionable legality and taste, and so you want to keep people from running web servers on every computer except for your official web server. If the official web server had address 3, then you could create a firewall rule that said, "If a packet appears on the internal interface destined for some address on the Internet, and if the packet originated from port 80, and if the packet's source does not have the IP address 3, then discard it." You'll see, however, that WF does not offer you the option to block outgoing traffic, just incoming traffic.

NAT Firewalls

For almost anyone who first started doing Internet networking after about 1996, that example might have seemed odd. Put routable addresses on every desktop machine? Crazy, you might think. But the notion of creating an internal network of IP addresses in the range of 10.x.x.x, or 192.168.x.x, or the range of IP addresses from through 55 first appeared in March 1994 with RFC 1597, "Address Allocation for Private Internets." The idea was that people might need IP addresses to run a TCP/IP-based network but might not need access to the public Internet. Of course, that's not the case for most of us. You want lots of IP addresses, so the three ranges of "private network addresses" are widely used, but you also want to be able to have those networks talk to the public Internet, which is where May 1994's RFC 1631, "The IP Network Address Translator," fills the bill. NAT routers have at least two interfaces, as did the simple router, but NAT routers contain a somewhat more complex routing program. A single NAT router may have only one routable IP address on its external interface, but that router's also clever enough to be able to allow all of those "private" nonroutable addresses to carry on conversations with systems on the Internet by sharing that one routable IP address. (This was covered in more detail in Chapter 6 of Mastering Windows Server 2003.) The toughest part of NAT routing is that notion that the router can carry on a bunch of different conversations between its internal computers and various servers out on the public Internet. For example, suppose ten systems behind the NAT router were all talking to Microsoft's web server. When Microsoft's web server responds to one of the ten systems, how does the NAT router know which of its internal systems this is destined for? The answer is that every system talking to Microsoft's web server talks to that web server on port 80, but the web server responds to each of those systems on different ports. So, for example, if the web server were to respond to all ten systems at the same time, then the IP packets that comprise those responses would all specify a source IP address of whatever Microsoft's web server is, and port 80. But while the destination IP addresses would all be the same, the routable IP address of the NAT router, each of them would be destined for a different TCP port number. The NAT router must, then, keep track of the fact that X machine on the inside intranet is having a conversation with Y machine on the Internet, and that conversation uses Z port number. That information is called the state, and any router that keeps track of states of conversations is said to be a stateful router. That'll be useful later. But how do Internet conversations start on a NAT system? In every case, a system on the intranet must initiate the conversation by contacting a server on the Internet. That's worth highlighting:

NOTE: In client-server communications, which is pretty much the only kind of communications we do on the Internet, the client starts the conversation by sending an unsolicited request to the server.

We'll return to this notion a bit later, but for now, remember that client requests are seen as unsolicited packets to a server, and server packets are always responses of some kind. This leads to an interesting side-effect of NAT: it's a kind of firewall. Inasmuch as all of those systems attached to the inner interface of the NAT router have nonroutable addresses, it is flatly impossible for a system on the public Internet to initiate a conversation. It can only respond, which means that a NAT router says to the Internet, "Internet, I love you but I don't trust you, so do me a favor and only speak to me when I first speak to you." Let me not, however, leave you with the idea that a NAT router's "firewallish" nature is great protection for your network. Remember that any internal computer can start up a conversation, so all a bad guy needs to attack your network is one computer on the inside to "invite it in." How would that happen? If someone visited a website and downloaded a malicious ActiveX control. Or if someone opened an email attachment that included some malware.

Software Firewalls

Now I've explained enough firewall background to start telling you how WF works. You've already read that a simple NAT router without any official firewall features acts as something of a firewall in passing because of its stateful nature. That leads us to software firewalls. The idea of a software firewall isn't a new one. In fact, some of the earliest firewalls were actually just complex pieces of software that you installed on a regular old computer. You'd then put two Ethernet cards in the computer, one connected to the intranet, one to the Internet, and that was your firewall. Nor is that an outdated notion; one of the most popular firewalls among Windows users is Internet Security and Acceleration Server, or ISA Server. But I'm not talking here about something like ISA Server, which lets you create the computer that stands between your network and the Internet. I'm talking instead about something called a "personal firewall," a piece of software that you might run on every single computer in your network. It is a program that runs on a computer and that acts in some way to restrict the flow of IP traffic into or, in some cases, out of the computer so as to keep bad programs out. Loads of personal firewalls have appeared over the years. The first one that I recall hearing of was called Black Ice. One that's been around for almost as long but seems well-known is something called Zone Alarm that many people like but I've found annoying. The big "security suites" offered by Trend, Grisoft, Panda Software, McAfee, and others tend to include a personal firewall as well. While WF is relatively new, Windows has contained at least some of the rudiments of a software firewall for a long time. For example, ever since at least NT 3.5 it's been possible to go to TCP/IP Advanced Properties and block all ports except for those specified in a list, a crude firewall, but, if you're willing to do some typing to enter all of the allowed ports, you could create a very simple port-filtering firewall on your computer. And, since February of 2000, Windows has included IPsec, a quite powerful method for securing TCP/IP stacks that lets you create a series of firewall rules as flexible as any you might want, like "block all incoming traffic on TCP port 1433 unless it's from IP address ." You could, with some work, create a monster batch file full of IPsec commands that would be the software-based firewall envy of your friends. But it'd be a lot of work.

Content Filtering Firewalls

Before I leave this brief discussion of firewalls, I should mention a newer sort of firewall: the content filtering firewall. Building firewalls solely out of rules constructed from ports and IP addresses is helpful but less and less effective in today's world. The people who want to provide server services in an organization are often not the same people as the ones charged with network security and firewall operation, and so the folks who want to provide some new network service sometimes come into conflict with the firewall folks. But, many clever content and service providers realize, there's a way around the firewall people: port 80. HTTP port 80 is, you probably know, the standard port for communicating with a web server and, well, there are very few firewall people who can deny a server guy's request that they open port 80. As a result, more and more types of developers of various types of network services have crafted their services so that they live atop HTTP itself. Terminal Services, when run as the TSWEB tool, needs only port 80 open. Many online chat programs run entirely on port 80. Web-based email clients like Outlook Web Access mean that you can access not just email but public folders, mail handling rules, and the like, all over port 80. By stacking everything atop port 80, the network world both avoids firewalls and, unfortunately, makes them considerably less useful. That led to a tongue-in-cheek RFC 3093 dated 1 April 2001 (yes, that was April Fools' Day 2001) called the "Firewall Enhancement Protocol" that details what I've said in the paragraph, but in a much techier way. Well, those firewall guys aren't going to take this lying down, no siree. So firewalls like ISA Server not only let you control the firewall via ports and IP addresses; ISA Server also has intelligent filters that look at the particular HTTP traffic, letting you block not only a given port, but a given kind of data stream. It does more than just watch ports; it looks inside the data packets for suspicious-looking data. Such a firewall is called a content filtering firewall. (And no, Windows Firewall doesn't include such behavior. At least, not yet.)

Writing that batch file might be impressive, but, again, it'd be a lot of work. Fortunately, you needn't do that, because of the things that WF does. Put briefly, here's an overview of what kind of firewall services it offers and what else might be appealing about it.

Basically, WF is a stateful packet filter; by default, all packets trying to enter a system with WF enabled will be discarded unless those packets are responses to queries from that system. Unsolicited packets never get past the TCP/IP stack.

WF lets you create exceptions for particular ports from particular ranges of IP addresses; for example, it's possible to say, "Accept unsolicited packets on port 25, but only from the range of addresses from through 54."

When paired with IPsec on Server 2003 and R2, WF does some impressive things via something called IPsec bypass.

Windows lets its firewall behave in two different ways ("profiles"): one where the system is inside the corporate firewall, and another when outside the firewall. (Clearly having two different behaviors for WF is of more interest to XP users (XP SP2 introduced WF) than to server users, as most of us don't carry our servers outside the building.)

WF may not be the most full-featured of firewalls, but it may have the most broad-spectrum means of control of almost any Windows feature. First, you can control it from a fairly comprehensive command-line interface via the netsh command. Second, WF has near-complete group policy setting-based control. Finally, it's got a GUI.

Unlike its predecessor ICF, Windows Firewall starts up before the TCP/IP stack does. ICF had the troublesome aspect that it started after the TCP/IP stack did, leaving the stack unprotected for a few seconds on bootup.

A good, but not great, list of abilities. Still, a great improvement over the ICF firewall originally shipped with XP and 2003.

Windows Firewall is not only an improvement over the Internet Connection Firewall, it's, well, the first version of Windows' built-in firewall that passes the "laugh test." But it does quite a lot more, as you've seen, including its powerful IPsec bypass feature that, if tweaked a bit, can provide a whole new level of security to an intranet. If you haven't checked it out yet, it's worth examining more closely and, as I always say, the price is right.
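The following is an added example, not code from the chapter or from Windows Firewall: a toy packet filter that models the behaviours described above in one place, the router's static port rules (drop inbound TCP 139, let only the official web server originate port-80 traffic), the stateful "responses only" rule that NAT routers and WF share, and WF-style exceptions that accept unsolicited packets on one port from one source range. All addresses, ports and class names are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address
from typing import Dict, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class StatefulFilter:
    blocked_inbound_ports: Set[int]            # static port filter, e.g. TCP 139
    exceptions: Dict[int, IPv4Network]         # dst port -> sources allowed unsolicited
    official_web_server: Optional[str] = None  # only host allowed to send from port 80
    state: Set[Tuple[str, int, str, int]] = field(default_factory=set)

    def outbound(self, p: Packet) -> bool:
        """Packet leaving the internal network; records the conversation."""
        # Outgoing rule from the chapter: nobody but the official web server
        # may originate traffic from source port 80.
        if p.src_port == 80 and p.src_ip != self.official_web_server:
            return False
        self.state.add((p.src_ip, p.src_port, p.dst_ip, p.dst_port))
        return True

    def inbound(self, p: Packet) -> bool:
        """Packet arriving from the Internet: replies only, plus exceptions."""
        if p.dst_port in self.blocked_inbound_ports:
            return False
        # A reply to a conversation that an inside host started is solicited.
        if (p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.state:
            return True
        # Unsolicited: allowed only if an exception covers this port and source.
        allowed = self.exceptions.get(p.dst_port)
        return allowed is not None and ip_address(p.src_ip) in allowed

def run_demo() -> Dict[str, bool]:
    # Constructed sample values (TEST-NET ranges), not the chapter's addresses.
    fw = StatefulFilter(
        blocked_inbound_ports={139},
        exceptions={25: IPv4Network("198.51.100.0/26")},  # SMTP from one range only
        official_web_server="192.0.2.3",
    )
    return {
        "client_out": fw.outbound(Packet("192.0.2.10", 40000, "203.0.113.5", 80)),
        "web_reply": fw.inbound(Packet("203.0.113.5", 80, "192.0.2.10", 40000)),
        "web_unsolicited": fw.inbound(Packet("203.0.113.5", 80, "192.0.2.10", 40001)),
        "netbios": fw.inbound(Packet("198.51.100.9", 4444, "192.0.2.10", 139)),
        "smtp_in_range": fw.inbound(Packet("198.51.100.9", 4444, "192.0.2.25", 25)),
        "smtp_out_of_range": fw.inbound(Packet("203.0.113.9", 4444, "192.0.2.25", 25)),
        "rogue_web": fw.outbound(Packet("192.0.2.10", 80, "203.0.113.5", 5555)),
        "official_web": fw.outbound(Packet("192.0.2.3", 80, "203.0.113.5", 5555)),
    }

if __name__ == "__main__":
    for name, passed in run_demo().items():
        print(f"{name:18} {'pass' if passed else 'drop'}")
```

Note that the same web server is accepted on port 40000 (a recorded conversation) and dropped on port 40001 (no state), which is exactly the distinction the chapter draws between a response and an unsolicited packet.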