Operating System Firewall: Foreign-Language Literature with Chinese Translation (.docx)
Bilingual (English/Chinese) Translation of Foreign-Language Literature
(The document contains the English original and the Chinese translation.)
Original text:
Locking Up the Ports: Windows Firewall
One of Microsoft's strongest responses to the ongoing buffer-overflow-worm threat was a complete rewriting of the software firewall incorporated into XP, 2003, and R2. They renamed the firewall from Internet Connection Firewall (ICF) to Windows Firewall (WF). They also added something called IPsec bypass that extends the firewall's ability to allow you to easily require a secure server to authenticate not just incoming users, but machines. In this chapter, you'll see what WF does, what issues it can raise, and how to configure it so that it suits your security needs best.
What Is Windows Firewall?
How can an operating system have a firewall, anyway? Isn't a firewall a box with blinking lights and a bunch of cables coming out of it?
The answer is that the term firewall refers to any of a number of ways to shield a computer network from other networks, networks rife with untrustworthy people—you know, networks like the Internet. Let's dig down a bit further, however, and start with a look at what a firewall is, basically.
What Firewalls Do
With the advent of the Industrial Revolution, people started building things driven by steam power, such as locomotives, ships, and the like. Creating steam required fire, and fire's a scary thing, at least when it gets out of hand. To protect against fire-related problems, those locomotives, ships, and the like were designed so that a thick, sturdy, nearly fireproof wall existed between wherever the fire was kept—usually a boiler—and the rest of the vehicle. That way, if something caught fire in the boiler's compartment, then the onboard engineers would have a bit more time to put out the fire without having to worry about the fire immediately spreading to the rest of the craft. Later on, we started using internal combustion engines and they, too, can catch fire, so things like automobiles and private aircraft have firewalls designed into them. (In fact, the "wall" referred to when people say that something is running "balls to the wall" is the firewall. You control a small aircraft's engine speed by moving a ball-shaped control called the throttle. Pulling it back toward you reduces the engine's speed; pushing the ball forward—"to the firewall"—increases engine speed.)
Basically, then, a firewall's job is to contain bad stuff. But where engine firewalls contain a relatively small space so as to contain a fire, computer network firewalls attempt to contain a truly huge space, the Internet. Firewalls exist to make it harder for dirtbags to attack our networks.
How Firewalls Work
Firewall is one of those words that sounds so good—just put one box between your network and the Internet, and you're safe from all the baddies—that people use the term to mean a lot of things.
PORT-FILTERING FIREWALLS
The earliest kind of firewall was a box that sat between an internal network and the Internet. Now, if you think about it, what sort of box normally sits between our network and the Internet? Probably a router and, in fact, many firewalls are just routers with a bit of intelligence added.
In the figure, on the left you see the internal network (including PCs and servers), on the right the Internet. In between is the IP router, which has at least two interfaces—the one that connects to the Internet (which may be an Ethernet cable, a wireless connection, a modem, an ISDN connection, a DSL connection, a frame relay link, or perhaps a cable modem), and the one that connects to the internal network (which is usually an Ethernet connection). The router is a very simple computer that listens to messages sent to it from either the internal or the external interface.
Yes, that's right—a router is a computer running a very simple program. Here's how it works. Suppose the IP addresses that you use in your network are ones in the range of 200.100.7.1 to 200.100.7.254. (Yes, that is a range of routable addresses. Nonroutable addresses didn't appear in the Internet originally; we'll get to that in a minute.) Here are the instructions that essentially capture a router's entire program:
● Listen to IP packets sent to either the internal or the external interface.
● If a packet needs to go to an address in the range of 200.100.7.1 to 200.100.7.254, then resend the packet onto the internal network.
● If a packet needs to go anywhere else, assume that address is on the Internet, and resend the packet on the external interface.
That's all there is to it. Sure, routers can actually handle more complicated sets of rules of the form "If I get a message destined for IP range X, then I should resend it on interface Y," but my example encapsulates enough for our firewall discussion.
Now let's make the router a bit smarter. Suppose you've got some jerk trying to connect to your server—the big PC in your network—via TCP port 139, one of the NetBIOS ports. That ties up the server, and if they try logging on with enough usernames and passwords, they might figure out the password to one of your accounts. (This is a simple example, so imagine that there are no account lockouts.) So you (somehow) hack the program in your router and give it an extra rule:
If a packet appears on the external interface destined for an address on the internal network, and if that packet is destined for TCP port 139, just discard the packet; don't transmit it.
Here, then, is an example of a working firewall. A very simple one, to be sure, but a working firewall. Because the firewall's program (called the firewall rules by most) decides what to pass and what not to pass based on the destination port, such a firewall is called a port-filtering firewall.
Now, in my example I only blocked one port. But you may know that in the real world, people tend to configure port-filtering routers with rules like "block all incoming traffic on all ports except for such-and-such port ranges." Additionally, consider that the one rule that I've shown you—"block all traffic destined for an internal IP address on TCP port 139"—refers only to incoming traffic. Port-filtering firewalls can, however, usually filter outgoing traffic as well. For example, your firm might have discovered at some time that employees were running websites of their own that featured, well, content of questionable legality and taste, and so you want to keep people from running web servers on every computer except for your official web server. If the official web server had address 200.100.7.33, then you could create a firewall rule that said, "If a packet appears on the internal interface destined for some address on the Internet, and if the packet originated from port 80, and if the packet's source does not have the IP address 200.100.7.33, then discard it." You'll see, however, that WF does not offer you the option to block outgoing traffic, just incoming traffic.
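As an added example (not part of the chapter), the following Python script models the three-line router program above plus both filtering rules: the inbound TCP 139 block and the outbound "only 200.100.7.33 may answer on port 80" rule. It runs them over a handful of constructed packets. The 200.100.7.0/24 network and the 200.100.7.33 web server come from the text; the Internet-side addresses (203.0.113.x) are assumptions taken from the RFC 5737 documentation range.

```python
# Added example (not from the chapter): a stateless port-filtering router.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# The chapter's example addressing: the internal network holds 200.100.7.1-200.100.7.254
# and the sanctioned web server is 200.100.7.33.
INTERNAL_NET = ip_network("200.100.7.0/24")
OFFICIAL_WEB_SERVER = ip_address("200.100.7.33")


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_internal(addr: str) -> bool:
    return ip_address(addr) in INTERNAL_NET


def arrival_interface(pkt: Packet) -> str:
    """Packets from internal sources arrive on the internal interface; all others on the external one."""
    return "internal" if is_internal(pkt.src_ip) else "external"


def filter_decision(pkt: Packet) -> str:
    """Apply the two rules from the text in order; return 'drop' or 'forward'."""
    iface = arrival_interface(pkt)
    # Rule 1 (inbound): a packet from the Internet to an internal host on TCP 139 is discarded.
    if (iface == "external" and is_internal(pkt.dst_ip)
            and pkt.proto == "tcp" and pkt.dst_port == 139):
        return "drop"
    # Rule 2 (outbound): web-server replies (source port 80) heading for the Internet
    # are discarded unless they come from the official web server.
    if (iface == "internal" and not is_internal(pkt.dst_ip)
            and pkt.proto == "tcp" and pkt.src_port == 80
            and ip_address(pkt.src_ip) != OFFICIAL_WEB_SERVER):
        return "drop"
    return "forward"


def route(pkt: Packet) -> tuple[str, str | None]:
    """The whole 'router program': filter first, then pick the egress interface by destination."""
    if filter_decision(pkt) == "drop":
        return ("drop", None)
    return ("forward", "internal" if is_internal(pkt.dst_ip) else "external")


# Constructed sample traffic (not captured data); 203.0.113.x are assumed Internet hosts.
SAMPLE_PACKETS = {
    "netbios_from_internet": Packet("203.0.113.7", 50123, "200.100.7.10", 139),
    "web_request_from_internet": Packet("203.0.113.7", 50124, "200.100.7.33", 80),
    "official_web_reply": Packet("200.100.7.33", 80, "203.0.113.7", 50124),
    "rogue_web_reply": Packet("200.100.7.99", 80, "203.0.113.7", 50125),
    "internal_browsing_out": Packet("200.100.7.20", 49152, "203.0.113.50", 80),
    "internal_to_internal_netbios": Packet("200.100.7.20", 49153, "200.100.7.10", 139),
}


def run_samples() -> dict[str, tuple[str, str | None]]:
    """Route every sample packet and return its decision and egress interface."""
    return {name: route(pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, (decision, iface) in run_samples().items():
        print(f"{name:30s} {decision:8s} {iface or '-'}")
```

Run it directly to print each decision. Note what such a filter cannot do: it sees only addresses and port numbers in each packet, so it cannot tell a reply that an inside host asked for from a connection an outsider initiated. That is the gap the stateful routers of the next section close.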
NAT Firewalls
For almost anyone who first started doing Internet networking after about 1996, that example might have seemed odd. Put routable addresses on every desktop machine? Crazy, you might think. But the notion of creating an internal network of IP addresses in the range of 10.x.x.x, or 192.168.x.x, or the range of IP addresses from 172.16.0.0 through 172.31.255.255 first appeared in March 1994 with RFC 1597, "Address Allocation for Private Internets" (since superseded by RFC 1918). The idea was that people might need IP addresses to run a TCP/IP-based network but might not need access to the public Internet. Of course, that's not the case for most of us. You want lots of IP addresses, so the three ranges of "private network addresses" are widely used, but you also want to be able to have those networks talk to the public Internet, which is where May 1994's RFC 1631, "The IP Network Address Translator," fills the bill.
NAT routers have at least two interfaces, as did the simple router, but NAT routers contain a somewhat more complex routing program. A single NAT router may have only one routable IP address on its external interface, but that router's also clever enough to be able to allow all of those "private"—nonroutable—addresses to carry on conversations with systems on the Internet by sharing that one routable IP address. (This was covered in more detail in Chapter 6 of Mastering Windows Server 2003.) The toughest part of NAT routing is the notion that the router can carry on a bunch of different conversations between its internal computers and various servers out on the public Internet. For example, suppose ten systems behind the NAT router were all talking to Microsoft's web server. When Microsoft's web server responds to one of the ten systems, how does the NAT router know which of its internal systems this is destined for?
The answer is that every system talking to Microsoft's web server talks to that web server on port 80, but each conversation reaches the web server from a different source port, because the NAT router rewrites the source port of each outgoing conversation to a value it has not handed out to any other. So, for example, if the web server were to respond to all ten systems at the same time, then the IP packets that comprise those responses would all specify a source IP address of whatever Microsoft's web server is, and source port 80. But while the destination IP addresses would all be the same—the routable IP address of the NAT router—each of them would be destined for a different TCP port number. The NAT router must, then, keep track of the fact that machine X on the inside intranet is having a conversation with machine Y on the Internet, and that the conversation uses port number Z. That information is called the state, and any router that keeps track of the states of conversations is said to be a stateful router. That'll be useful later.
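As an added example, not from the chapter, this Python model of a port-translating NAT router shows the state the text describes: ten inside hosts, each using the same local source port, share one routable address, and the router uses the distinct destination ports on the server's replies to map each one back to the right inside host. It also shows why a conversation has to start from the inside: an Internet host probing TCP 139 on the public address matches no state entry and is dropped. The 198.51.100.1 public address and the 203.0.113.10 stand-in for "Microsoft's web server" are assumptions (RFC 5737 documentation ranges); the 10.0.0.x inside addresses use the private range the text mentions.

```python
# Added example (not from the chapter): a minimal stateful, port-translating NAT table.
from __future__ import annotations

from dataclasses import dataclass
from itertools import count
from typing import Optional

# Assumed addresses: 198.51.100.1 is the NAT router's single routable address and
# 203.0.113.10 stands in for "Microsoft's web server" (both RFC 5737 documentation ranges).
PUBLIC_IP = "198.51.100.1"
WEB_SERVER = "203.0.113.10"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Many private (inside) hosts share one routable address by getting distinct public ports."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        # The state: one entry per conversation, keyed both ways so replies can be mapped back.
        self.outbound: dict[tuple, int] = {}   # (in_ip, in_port, remote_ip, remote_port) -> public port
        self.inbound: dict[tuple, tuple] = {}  # (public port, remote_ip, remote_port) -> (in_ip, in_port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: rewrite the source to the public address and a unique port, recording state."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        public_port = self.outbound.get(key)
        if public_port is None:  # first packet of a new conversation: allocate a port and remember it
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: deliver only packets that match existing state; drop everything else."""
        inside = self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if inside is None:
            return None  # unsolicited: no inside host ever started this conversation
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo() -> dict:
    """Ten inside hosts, all using local source port 3000, fetch from the same web server."""
    nat = NatRouter(PUBLIC_IP)
    outward = [nat.translate_outbound(Packet(f"10.0.0.{i}", 3000, WEB_SERVER, 80))
               for i in range(1, 11)]
    # The server answers each translated packet: same source (server:80), different destination ports.
    replies = [Packet(WEB_SERVER, 80, PUBLIC_IP, p.src_port) for p in outward]
    delivered = [nat.translate_inbound(r) for r in replies]
    # An Internet host probing TCP 139 on the public address matches no state entry.
    probe = nat.translate_inbound(Packet("203.0.113.99", 55555, PUBLIC_IP, 139))
    return {
        "public_ports": [p.src_port for p in outward],
        "delivered_to": [(d.dst_ip, d.dst_port) for d in delivered],
        "probe_delivered": probe,
    }


if __name__ == "__main__":
    from pprint import pprint
    pprint(demo())
```

The inside hosts deliberately all use source port 3000 to make the point that the NAT router, not the client, is what guarantees every conversation a distinct public port. A real implementation also ages entries out and tracks TCP connection state; this model keeps only the lookup that the text's question turns on.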
But how do Internet conversations start on a NAT system? In every case, a system on the intranet must initiate the conversation by contacting a server on the Internet. That's worth highlighting:
NOTE In client-server communications, which is pretty much the only kind of communications we do on the Internet, the client starts the conversation by sending an unsolicited request to the server. We'll return to this notion a bit later, but for now, remember that client requests are seen as u