ch11.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,114 行 · 第 1/4 页

<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>The TAMU distribution
	is available at <A HREF="ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/"><TT>ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>ATP (The Anti-Tampering Program)</B></FONT></H4>
<P>ATP is a bit more obscure than TripWire and the TAMU distribution, but I am not
certain why. Perhaps it is because it is not widely available. In fact, searches
for it may lead you overseas (one good source for it is in Italy). At any rate, ATP
works somewhat like TripWire. As reported by David Vincenzetti, DSI (University of
Milan, Italy) in &quot;ATP--Anti-Tampering Program&quot;:

<DL>
	<DD>ATP 'takes a snapshot' of the system, assuming that you are in a trusted configuration,
	and performs a number of checks to monitor changes that might have been made to files.
</DL>



<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>&quot;ATP--Anti-Tampering
	Program&quot;<I> </I>can be found at <A HREF="http://www.cryptonet.it/docs/atp.html"><TT>http://www.cryptonet.it/docs/atp.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>ATP then establishes a database of values for each file. One of these values (the
signature) consists of two checksums. The first is a CRC32 checksum, the second an
MD5 checksum. You might be wondering why this is so, especially when you know that
CRC checksums are not entirely secure or reliable, as explained previously. The explanation
is this: Because of its speed, the CRC32 checksum is used in checks performed on
a regular (perhaps daily) basis. MD5, which is more comprehensive (and therefore
more resource and time intensive), is intended for scheduled, periodic checks (perhaps
once a week).</P>
<P>The database is reportedly encrypted using DES. Thus, ATP provides a flexible
(but quite secure) method of monitoring your network and identifying possible trojans.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>ATP docs and distribution
	can be found at <A HREF="ftp://security.dsi.unimi.it/pub/security"><TT>ftp://security.dsi.unimi.it/pub/security</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>Hobgoblin</B></FONT></H3>
<P>The Hobgoblin tool is an interesting implementation of file- and system-integrity
checking. It utilizes Ondishko Consistency checking. The authors of the definitive
paper on Hobgoblin (Farmer and Spafford at Purdue) claim that the program is faster
and more configurable than COPS and generally collects information in greater detail.
What makes Hobgoblin most interesting, though, is that it is both a language and
an interpreter. The programmers provided for their own unique descriptors and structural
conventions.</P>
<P>The package seems easy to use, but there are some pitfalls. Although globbing
conventions (from both csh and sh/bash) are permissible, the Hobgoblin interpreter
reserves familiar and often-used metacharacters that have special meaning. Therefore,
if you intend to deploy this powerful tool in a practical manner, you should set
aside a few hours to familiarize yourself with these conventions.</P>
<P>In all, Hobgoblin is an extremely powerful tool for monitoring file systems. However,
I should explain that the program was written specifically for systems located at
the University of Rochester and, although it has been successfully compiled on a
variety of platforms, your mileage may vary. This is especially so if you are not
using a Sun3, Sun4, or VAX with Ultrix. In this instance, some hacking may be involved.
Moreover, it has been observed that Hobgoblin is lacking some elements present in
other file-integrity checkers, although I believe that third-party file-integrity
checkers can be integrated with (and their calls and arguments nested within) Hobgoblin.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Hobgoblin and its source
	are located at <A HREF="ftp://freebsd.cdrom.com/.20/security/coast/tools/unix/hobgoblin/hobgoblin.shar.Z.uu.Z"><TT>ftp://freebsd.cdrom.com/.20/security/coast/tools/unix/hobgoblin/hobgoblin.shar.Z.uu.Z</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H3><FONT COLOR="#000077"><B>On Other Platforms</B></FONT></H3>
<P>You're probably wondering whether there are any such utilities for the Windows
platform. It happens that there are, though they are perhaps not as powerful or reliable.
Most of these tools use checksum integrity checkers and are, therefore, not as comprehensive
as tools that employ MD5. Flatly stated, the majority for the Microsoft platform
are intended for use as virus scanners.</P>
<P>For this reason, I have not listed these utilities here (a listing of them does
appear in Chapter 14, &quot;Destructive Devices&quot;). However, I do want to address
a few points: It is generally assumed that trojans are a security problem primarily
for UNIX and that when that problem is a Windows problem, it usually involves a virus.
There is some truth to this, and there are reasons for it.</P>
<P>Until recently, security on IBM compatibles running Microsoft products was slim.
There was no need for complex trojans that could steal (or otherwise cull) information.
Thus, the majority of trojans were viruses encased in otherwise useful (or purportedly
useful) programs. That situation has changed.</P>
<P>It should be understood that a trojan can be just as easily written for a Microsoft
platforms as for any other. Development tools for these platforms are powerful, user-friendly
applications (even VC++ far surpasses C compiling utilities made by other firms).
And, now that the Windows environment is being used as Internet server material,
you can expect the emergence of trojans.
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>People generally equate trojan horses with virus attacks and, while this is accurate
to some degree, it is not the whole picture. True, trojans on the PC-based operating
systems have traditionally been virus related, but on the UNIX platform, a totally
different story emerges. On the UNIX platform, crackers have consistently crafted
trojans that compromise security without damaging data or attaching unauthorized
code to this or that executable.</P>
<P>In either case, however, one thing is clear: Trojans are a significant security
risk to any server as well as to machines networked to that server. Because PC-based
servers are becoming more common on the Internet, utilities (above and beyond those
virus checkers already available) that can identify trojaned files must be developed.
<H3><FONT COLOR="#000077"><B>Resources</B></FONT></H3>
<P>Following you will find an extensive list of resources concerning object reconciliation.
Some of these documents are related to the process of object reconciliation (including
practical examples) and some are related to the process by which this reconciliation
is performed. All of them were handpicked for relevancy and content. These are the
main papers available from the void (some books are sprinkled in as well). I recommend
that every system administrator at least gain a baseline knowledge of these techniques
(if not actually implement the procedures detailed within).</P>
<P><B>&quot;MDx-MAC and Building Fast MACs from Hash Functions.&quot; </B>Bart Preneel
and Paul C. van Oorschot. Crypto 95.</P>

<UL>
	<LI><A HREF="ftp://ftp.esat.kuleuven.ac.be/pub/COSIC/preneel/mdxmac_crypto95.ps">ftp.esat.kuleuven.ac.be/pub/COSIC/preneel/mdxmac_crypto95.ps</A>
</UL>

<PRE></PRE>
<P><B>&quot;Message Authentication with One-Way Hash Functions.&quot; </B>Gene Tsudik.
1992. IEEE Info<FONT COLOR="#000000">com 1992.</FONT></P>

<UL>
	<LI><A HREF="http://www.zurich.ibm.com/Technology/Security/publications/1992/t92.ps.Z">http://www.zurich.ibm.com/Technology/Security/publications/1992/t92.ps.Z</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;RFC 1446--1.5.1. Message Digest Algorithm.&quot;
</B>Connected: An Internet Encyclopedia.</FONT></P>

<UL>
	<LI><A HREF="http://www.freesoft.org/Connected/RFC/1446/7.html">http://www.freesoft.org/Connected/RFC/1446/7.html</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;Answers To FREQUENTLY ASKED QUESTIONS About Today's
Cryptography.&quot; </B>Paul Fahn. RSA Laboratories. 1993 RSA Laboratories, a division
of RSA Data Security.</FONT></P>

<UL>
	<LI><A HREF="http://www.sandcastle-ltd.com/Info/RSA_FAQ.html">http://www.sandcastle-ltd.com/Info/RSA_FAQ.html</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;The Checksum Home Page.&quot; </B>Macintosh Checksum.</FONT></P>

<UL>
	<LI><A HREF="http://www.cerfnet.com/~gpw/Checksum.html">http://www.cerfnet.com/~gpw/Checksum.html</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;RFC 1510--6. Encryption and Checksum Specifications.&quot;
</B>Connected: An Internet Encyclopedia.</FONT></P>

<UL>
	<LI><A HREF="http://www.freesoft.org/Connected/RFC/1510/69.html">http://www.freesoft.org/Connected/RFC/1510/69.html</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;RFC 1510--6.4.5. RSA MD5 Cryptographic Checksum
Using DES (rsa-md5des).&quot; </B>Connected: An Internet Encyclopedia. J. Kohl. Digital
Equipment Corporation, C. Neuman, ISI. September 1993.</FONT></P>

<UL>
	<LI><A HREF="http://www.freesoft.org/Connected/RFC/1510/index.html">http://www.freesoft.org/Connected/RFC/1510/index.html</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;Improving the Efficiency and Reliability of Digital
Time-Stamping.&quot; </B>D. Bayer and S. Haber and W. S. Stornetta. 1992.</FONT></P>

<UL>
	<LI><A HREF="http://www.surety.com">http://www.surety.com</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;A Proposed Extension to HTTP: Simple MD5 Access
Authentication.&quot; </B>Jeffery L. Hostetler and Eric W. Sink. 1994.</FONT></P>

<UL>
	<LI><A HREF="http://www.spyglass.com/techreport/simple_aa.txt">http://www.spyglass.com/techreport/simple_aa.txt</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;A Digital Signature Based on a Conventional Encryption
Function.&quot; </B>Ralph C. Merkle. Crypto 87, LNCS, pp. 369-378, SV, Aug 1987.</FONT></P>
<P><FONT COLOR="#000000"><B>&quot;An Efficient Identification Scheme based on Permuted
Kernels.&quot; </B>Adi Shamir. Crypto 89, LNCS, pp. 606-609, SV, Aug 1989.</FONT></P>
<P><FONT COLOR="#000000"><B>&quot;An Introduction To Digest Algorithms.&quot; </B>Proceedings
of the Digital Equipment Computer Users Society Australia, Ross N. Williams. Sep
1994.</FONT></P>

<UL>
	<LI><A HREF="ftp://ftp.rocksoft.com/pub/rocksoft/papers/digest10.tex">ftp://ftp.rocksoft.com/pub/rocksoft/papers/digest10.tex</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;Data Integrity With Veracity.&quot; </B>Ross N.
Williams.</FONT></P>

<UL>
	<LI><A HREF="ftp://ftp.rocksoft.com/clients/rocksoft/papers/vercty10.tex">ftp://ftp.rocksoft.com/clients/rocksoft/papers/vercty10.tex</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;Implementing Commercial Data Integrity with Secure
Capabilities.&quot; </B>Paul A. Karger. SympSecPr. Oakland, CA. 1988. IEEECSP.</FONT></P>
<P><FONT COLOR="#000000"><B>&quot;Trusted Distribution of Software Over the Internet.&quot;
</B>Aviel D. Rubin. (Bellcore's Trusted Software Integrity (Betsi) System). 1994.</FONT></P>

<UL>
	<LI><A HREF="ftp://ftp.cert.dfn.de/pub/docs/betsi/Betsi.ps">ftp://ftp.cert.dfn.de/pub/docs/betsi/Betsi.ps</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;International Conference on the Theory and Applications
of Cryptology.&quot; </B>1994 Wollongong, N.S.W<I>. Advances in Cryptology,</I> ASIACRYPT
November 28-December 1, 1994. (Proceedings) Berlin &amp; New York. Springer, 1995.</FONT></P>
<P><FONT COLOR="#000000"><B>&quot;Managing Data Protection&quot; (Second Edition).</B>
Dr. Chris Pounder and Freddy Kosten, Butterworth-Heineman Limited, 1992.</FONT></P>
<P><FONT COLOR="#000000"><B>&quot;Some Technical Notes on S/Key, PGP...&quot;</B>
Adam Shostack.</FONT></P>

<UL>
	<LI><A HREF="http://www.homeport.org/~adam/skey-tech-2.html">http://www.homeport.org/~adam/skey-tech-2.html</A>
</UL>

<PRE></PRE>
<P><FONT COLOR="#000000"><B>&quot;Description of a New Variable-Length Key, 64-Bit
Block Cipher&quot; (Blowfish). </B>Bruce Schneier. Counterpane Systems.</FONT></P>

<UL>
	<LI><A HREF="http://www.program.com/source/crypto/blowfish.txt">http://www.program.com/source/crypto/blowfish.txt</A>
</UL>

<H1></H1>
<CENTER>
<P>
<HR>
<A HREF="../ch10/ch10.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch12/ch12.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>