操作系统防火墙中英文对照外文翻译文献.docx

操作系统防火墙中英文对照外文翻译文献.docx

《操作系统防火墙中英文对照外文翻译文献.docx》由会员分享，可在线阅读，更多相关《操作系统防火墙中英文对照外文翻译文献.docx（18页珍藏版）》请在冰点文库上搜索。

操作系统防火墙中英文对照外文翻译文献

中英文对照外文翻译文献

（文档含英文原文和中文翻译）

原文：

LockingUpthePorts:

WindowsFirewall

OneofMicrosoft’sstrongestresponsestotheongoingbuffer-overflow-wormthreatwasacompleterewritingofthesoftwarefirewallincorporatedintoXP,2003,andR2.TheyrenamedthefirewallfromInternetConnectionFirewall（ICF）toWindowsFirewall（WF）.TheyalsoaddedsomethingcalledIpsecbypassthatextendsthefirewall’sabilitytoallowyoutoeasilyrequireasecureservertoauthenticatenotjustincomingusers,butmachines.Inthischapter,you’llseewhatWFdoes,whatissuesitcanraise,andhowtoconfigureitsothatitsuitsyoursecurityneedsbest.

WhatIsWindowsFirewall?

Howcananoperatingsystemhavefirewall,anyway?

Isn’tafirewallaboxwithblinkinglightsandabunchofcablescomingoutofit?

Theansweristhatthetermfirewallreferstoanyofanumberofwaystoshieldacomputernetworkfromothernetworks,networksrifewithuntrustworthypeople—youknow,networksliketheInternet.Let’sdigdownabitfurther,however,andstartwithalookatwhatafirewallis,basically.

WhatFirewallsDo

WiththeadventoftheLndustrialRevolution,peoplestartedbuildingthingsdrivenbysteampower,suchaslocomotives,ships,andthelike.Creatingsteamrequiredfire,andfire’sascarything,atleastwhenitgetsoutofhand.Toprotectagainstfire-relatedproblems,thoselocomotives,ships,andthelikeweredesignedsothatathick,sturdy,nearlyfireproofwallexistedbetweenwhereverthefirewaskept—usuallyaboiler—andtherestofthevehicle.Thatway,ifsomethingcaughtfireintheboiler’scompartment,thentheonboardengineerswouldhaveabitmoretimetoputoutthefirewithouthavingtoworryaboutthefireimmediatelyspreadingtotherestofthecraft.Lateron,westartedusinginternalcombustionenginesanthey,too,cancatchfire,sothingslikeautimobilesandprivateaircrafthavefirewallsdesignedintothem.（Infact,the“wall”referredtowhenpeoplesaythatsomethingisrunning“ballstothewall”isthefirewall.Youcontrolasmallaircraft’senginespeedbymovingaball-shapedcontrolcalledthethrottle.Pullingitbacktowardyoureducestheengine’sspeed;pushingtheballforward—“tothefirewall”—increasesenginespeed.）

Basically,then,afirewall’sjobistocontainbadstuff.Butwhereenginefirewallscontainarelativelysmallspacesoastocontainafire,computernetworkfirewallsattempttocontainatrulyhugespacetheIneternet.Firewallsexisttomakeitharderfordirtbagstoattackournetworks.

HowFirewallswork

Firewallisoneoftheosewordsthatsoundssogood—justputoneboxbetweenyournetworkandtheInternet,andyou’resafefromallthebaddies—thatpeopleusethetermtomeanalotofthings.

PORT-FILTERINGFIREWALLS

TheearliestkindoffirewallwasaboxthatsatbetweenaninternalnetworkandtheInternet.Now,ifyouthinkaboutit,whatsortofboxnormallysitsbetweenournetworkandtheInternet?

Probablyarouterand,infact,manyfirewallsarejustrouterswithabitofinterlligenceadded.

Ontheleftyouseetheinternalnetwork（includingPCs,andservers）,ontherighttheInternet.InbetweenistheIProuter,whichhasatleasttwointerfaces—theonethatconnectstotheInternet（whichmaybeanEthernetcable,awirelessconnectiong,amodem,anISDNconnection,aDSLconnection,aframerelay,orperhapsacablemodem）,andtheonethatconnectstotheinternalnetwork（whichisusuallyanEthernetconnection）.Therouterisaverysimplecomputerthatlistenstomessagessenttoiffromeithertheinternalorexternalinterface.

Yes,that’sright—arouterisacomputerrunningaverysimpleprogram,here’showitworks.SupposetheIPaddressesthatyouuseinyournetworkareonesintherangeof200.100.7to200.100.7.254.（Yes,thatisarangeofroutableaddresses.Nonroutableaddressesdidn’tappearintheInternetoriginally;we’llgetthatinaminute.）Herearetheinstructionsthatessentiallycapturearouter’sentireprogram:

●ListentoIPpacketssenttoeithertheinternalorexternalinterface.

●Ifapacketneedstogotoanaddressintherangeof200.100.7.1to200.100.7.254,thenresendthepacketontotheinternalnetwork.

●Ifapacketneedstogoanywherelse,assumethataddressisontheInternet,andresendthepacketontheexternalinterface.

That’sallthereistoit.Sure,routerscanactuallyhandlemorecomplicatedsetsof,“IfIgetamessagedestinedforIPrangeXthenIshouldresenditoninterfaceY,”butmyexampleencapsulatesenoughforourfirewalldiscussion.

Nowlet’smaketheroutherabitsmarter.Supposeyou’vegotsomejerktryingtoconnecttoyourserver—thebigPCinyournetwork—viaTCPport139,oneofthetiesuptheserver,andiftheytryloggingonwithenoughusernamesandpasswords,theymightfigureoutofyouraccounts.（Thisisasimpleexample,soimaginethattherearenoaccountlockouts.）Soyou（somehow）hacktheprograminyourroutherandgiveitanextrarule:

Ifapacketappearsontheexternalinterfacedestinedforanaddressontheinternalnetwork,andifthatpacketisdestinedforTCPport139,justdiscardthepacket;don’ttransmitit

Here,then,isanexampleofaworkingfirewall.Averysimpleone,tobesure,butaworkingfirewall.Becausethefirewall’sprogram（calledthefirewallrulesbymost）decideswhattopassandwhatnottopassbasedonthedestinationport,suchafirewalliscalledaport-filteringfirewall.

Now,inmyexampleIonlyblockedoneport.Butyoumayknowthatintherealworld,peopletendtoconfigureport-filteringrouterswithruleslike“blockallincomingtrafficonallportsexceptforsuch-and-suchportranges.”Additionally,considerthattheonerulethatI’veshownyou—”blockalltrafficdestinedforaninternalIPaddressonTCPport139”—refersonlytoincomingtraffic.Port-filteringfirewallscan,however,usuallyfilteroutgoingtrafficaswell.Forexample,yourfirmmighthavediscoveredatsometimethatemployeeswererunningwebsitesoftheirownthatfeatured,well,contentofquestionablelegalityandtaste,andsoyouwanttokeeppeoplefromrunningwebserversoneverycomputerexceptforyourofficialwebserver.Iftheofficialwebserverhadaddress200.100.7.33,thenyoucouldcreateafirewallrulethatsaid,“IfapacketappearsontheinternalinterfacedestinedforsomeaddressontheInternet,andifthepacketoriginatedfromport80,andifthepacket’ssourcedoesnothavetheIPaddress200.100.7.33,thendiscardit.”You’llsee,however,thatWFdoesnotofferyoutheoptiontoblockoutgoingtraffic,justincomingtraffic.

NATFirewalls

ForalmostanyonewhofirststarteddoingInternetnetworkingafterabout1996,thatexamplemighthaveseemedodd.Putroutableaddressestoeverydesktopmachine?

Crazy,youmightthink.ButthenotionofcreatinganinternalnetworkofIPaddressesintherangeof10.x.x.x,or192.168.x.x,ortherangeofIPaddressesfrom172.16.0.0through172.31.255.255firstappearedinMarch1994withRFC1597,“AddressAllocationforPrivateInternets.”TheideawasthatpeoplemightneedIPaddressestorunaTCP/IP-basednetworkbutmightnotneedaccesstothepublicInternet.Ofcourse,that’snotthecaseformostofus.YouwantlotsofIPaddresses,sothethreerangesof“privatenetworkaddresses”arewidelyused,butyoualsowanttobeabletohavethosenetworkstalktothepublicInternet,whichiswhereMay1994’sRFC1631,“TheIPNetworkAddressTranslator,”fillsthebill.

NATroutershaveatleasttwointerfaces,asdidthesimplerouter,butNATrouterscontainasomewhatmorecomplexroutingprogram.AsingleNATroutermayhaveonlyoneroutableIPaddressonitsexternalinterface,butthatrouter’salsocleverenoughtobeabletoallowallofthose“private”—nonroutable—addressestocarryonconversationswithsystemsontheInternetbysharingthatoneroutableIPaddress.（ThiswascoveredinmoredetailinChapter6ofMasteringWindowsServer2003.）ThetoughestpartofNATroutingisthatnotionthattheroutercancarryonabunchofdifferentconversationsbetweenitsinternalcomputersandvariousserversoutonthepublicInternet.Forexample,supposetensystemsbehindtheNATrouterwerealltalkingtoMicrosoft’swebserver.WhenMicrosoft’swebserverrespondstooneofthetensystems,howdoestheNATrouterknowwhichofitsinternalsystemsthisisdestinedfor?

TheansweristhateverysystemtalkingtoMicrosoft’swebservertalkstothatwebserveronport80,butthewebserverrespondstoeachofthosesystemsondifferentports.So,forexample,ifthewebserverweretorespondtoalltensystemsatthesametime,thentheIPpacketsthatcomprisethoseresponseswouldallspecifyasourceIPaddressofwhateverMicrosoft’swebserveris,andport80.ButwhilethedestinationIPaddresseswouldallbethesame—theroutableIPaddressoftheNATrouter—eachofthemwouldbedestinedforadifferentTCPportnumber.TheNATroutermust,then,keeptrackofthefactthatXmachineontheinsideintranetishavingaconversationwithYmachineontheInternet,andthatconversationusesZportnumber.Thatinformationiscalledthestate,andanyrouterthatkeepstrackofstatesofconversationsissaidtobeastatefulrouter.That’llbeusefullater.

ButhowdoInternetconversationsstartonaNATsystem?

Ineverycase,asystemontheintranetmustinitiatetheconversationbycontactingaserverontheInternet.That’sworthhighlighting:

NOTEInclient-servercommunications,whichisprettymuchtheonlykindofcommunicationswedoontheInternet,theclientstartstheconversationbysendinganunsolicitedrequesttotheserver.We’llreturntothisnotionabitlater,butfornow,rememberthatclientrequestsareseenasu