Section 20.5. Key Terms, Review Questions, and Problems



Key Terms

access control list (ACL)

access matrix

access right

application-level gateway

bastion host

capability ticket

circuit-level gateway

common criteria (CC)

firewall

multilevel security

object

packet-filtering router

reference monitor

stateful inspection firewall

subject

trusted system

Review Questions

20.1 List three design goals for a firewall.

20.2 List four techniques used by firewalls to control access and enforce a security policy.

20.3 What information is used by a typical packet-filtering router?

20.4 What are some weaknesses of a packet-filtering router?

20.5 What is the difference between a packet-filtering router and a stateful inspection firewall?

20.6 What is an application-level gateway?

20.7 What is a circuit-level gateway?

20.8 What are the differences among the three configurations of Figure 20.2?

20.9 In the context of access control, what is the difference between a subject and an object?

20.10 What is the difference between an access control list and a capability ticket?

20.11 What are the two rules that a reference monitor enforces?

20.12 What properties are required of a reference monitor?

20.13 What are the common criteria?

Problems

20.1 As was mentioned in Section 20.1, one approach to defeating the tiny fragment attack is to enforce a minimum length of the transport header that must be contained in the first fragment of an IP packet. If the first fragment is rejected, all subsequent fragments can be rejected. However, the nature of IP is such that fragments may arrive out of order. Thus, an intermediate fragment may pass through the filter before the initial fragment is rejected. How can this situation be handled?

20.2 In an IPv4 packet, the size of the payload in the first fragment, in octets, is equal to Total Length - (4 x IHL). If this value is less than the required minimum (8 octets for TCP), then this fragment and the entire packet are rejected. Suggest an alternative method of achieving the same result using only the Fragment Offset field.

20.3 RFC 791, the IPv4 protocol specification, describes a reassembly algorithm that results in new fragments overwriting any overlapped portions of previously received fragments. Given such a reassembly implementation, an attacker could construct a series of packets in which the lowest (zero-offset) fragment would contain innocuous data (and thereby be passed by administrative packet filters), and in which some subsequent packet having a nonzero offset would overlap TCP header information (destination port, for instance) and cause it to be modified. The second packet would be passed through most filter implementations because it does not have a zero fragment offset. Suggest a method that could be used by a packet filter to counter this attack.

20.4 The necessity of the "no read up" rule for a multilevel secure system is fairly obvious. What is the importance of the "no write down" rule?

20.5 In Figure 20.5 one link of the Trojan horse copy-and-observe-later chain is broken. There are two other possible angles of attack by Drake: Drake logging on and attempting to read the string directly, and Drake assigning a security level of sensitive to the back-pocket file. Does the reference monitor prevent these attacks?




Cryptography and Network Security Principles and Practices
Cryptography and Network Security (4th Edition)
ISBN: 0131873164
EAN: 2147483647
Year: 2005
Pages: 209
