Practical TCP/IP and Ethernet Networking, page 222

... that travels with a signal coming back through the configuration table, thus obtaining all addresses.

To remove this potential weakness of dynamic IP address allocation, firewalls can track the TCP sequence numbers and port numbers of originating TCP/IP connections. For spoofers to penetrate the firewall and reach an end server, they would need not only the IP address but also the port number and the TCP sequence numbers. To minimize the possibility of unauthorized network penetration, some firewalls also support sequence number randomization, a process that prevents potential IP address spoofing attacks as described in Security Advisory CA-95:01 from the Computer Emergency Response Team (CERT). Essentially, this advisory proposes randomizing TCP sequence numbers so that spoofers cannot predict them and hijack sessions. By using a randomizing algorithm to generate TCP sequence numbers, the firewall makes this spoofing process extremely difficult, if not impossible. In fact, the only accesses that can occur through this type of firewall are those made from designated servers, which network administrators configure with a dedicated conduit through the firewall to a specific server, and that server alone.

DMZs (de-militarized zones)

Most firewalls have two ports: one connected to the intranet and the other to the outside world. The problem is on which side to place a particular WWW, FTP or other application server. On either side of the firewall the server is exposed to attacks, either from insiders or from outsiders.

To address this problem, some firewalls have a third port, protected from both the other ports, leading to a so-called DMZ or de-militarized zone. A server attached to this port is protected from attacks both from inside and outside.

Strike back (intruder response)

Some firewalls have a so-called intruder response function. If an attack is detected or an ...
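The sequence-number tracking described in the spoofing paragraph above, as an added illustration that is not from the book: a simplified stateful filter remembers the 4-tuple and initial sequence number of every connection an inside host originates, accepts the reply only if it acknowledges that ISN, and afterwards drops data segments whose sequence numbers fall outside the expected window; random_isn() shows the randomized initial sequence numbers the CERT advisory recommends. The Segment class, the addresses and the window size are constructed for this example.

```python
import secrets
from dataclasses import dataclass

@dataclass  # minimal TCP header fields the filter needs (constructed, not real packets)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ack: int
    syn: bool = False
    length: int = 0  # payload bytes carried by the segment

MOD32 = 1 << 32  # sequence numbers wrap at 2^32

def random_isn():
    # Unpredictable 32-bit initial sequence number, the remedy CA-95:01 recommends
    return secrets.randbelow(MOD32)

class SeqTrackingFirewall:
    """Accepts inbound segments only for connections an inside host originated,
    and only when seq/ack numbers match what that connection expects."""
    WINDOW = 65535  # how far ahead of the expected seq we tolerate (assumed value)

    def __init__(self):
        self.conns = {}  # (client, cport, server, sport) -> per-connection state

    def outbound_syn(self, seg):
        """Inside host opens a connection: remember the 4-tuple and the client ISN."""
        self.conns[(seg.src, seg.sport, seg.dst, seg.dport)] = {"client_isn": seg.seq, "server_next": None}

    def inbound(self, seg):
        """Return True if the segment arriving from outside is accepted, False if dropped."""
        st = self.conns.get((seg.dst, seg.dport, seg.src, seg.sport))
        if st is None:
            return False  # nobody inside originated this 4-tuple: spoofed or unsolicited
        if st["server_next"] is None:
            # Must be the SYN/ACK, and it must acknowledge exactly client_isn + 1;
            # a spoofer who cannot observe or predict the ISN fails here
            if not seg.syn or seg.ack != (st["client_isn"] + 1) % MOD32:
                return False
            st["server_next"] = (seg.seq + 1) % MOD32
            return True
        # Established: the sequence number must lie inside this connection's window
        if (seg.seq - st["server_next"]) % MOD32 >= self.WINDOW:
            return False
        st["server_next"] = (st["server_next"] + seg.length) % MOD32
        return True
```

A real firewall also validates the acknowledgement numbers on the client side and tracks connection teardown; this block shows only the originating-connection check the text describes.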