ch07.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 1,036 行 · 第 1/4 页

not support anywhere close to the number of network protocols natively available
under UNIX.</P>
<P>Traditionally, UNIX security has been a complex field. In this respect, UNIX is
often at odds with itself. UNIX was developed as the ultimate open system (that is,
its source code has long been freely available, the system supports a wide range
of protocols, and its design is uniquely oriented to facilitate multiple forms of
communication). These attributes make UNIX the most popular networking platform ever
devised. Nevertheless, these same attributes make security a difficult thing to achieve.
How can you allow every manner of open access and fluid networking while still providing
security?</P>
<P>Over the years, many advances have been made in UNIX security. These, in large
part, were spawned by governmental use of the operating system. Most versions of
UNIX have made it to the Evaluated Products List (EPL). Some of these advances (many
of which were implemented early in the operating system's history) include</P>

<UL>
	<LI><FONT COLOR="#000000">Encrypted passwords</FONT>
	<LI><FONT COLOR="#000000">Strong file and directory-access control</FONT>
	<LI><FONT COLOR="#000000">System-level authentication procedures</FONT>
	<LI><FONT COLOR="#000000">Sophisticated logging facilities</FONT>
</UL>

<PRE></PRE>
<P>UNIX is used in many environments that demand security. As such, there are hundreds
of security programs available to tune up or otherwise improve the security of a
UNIX system. Many of these tools are freely available on the Internet. Such tools
can be classified into two basic categories:</P>

<UL>
	<LI><FONT COLOR="#000000">Security audit tools</FONT>
	<LI><FONT COLOR="#000000">System logging tools</FONT>
</UL>

<PRE></PRE>
<P>Security audit tools tend to be programs that automatically detect holes within
systems. These typically check for known vulnerabilities and common misconfigurations
that can lead to security breaches. Such tools are designed for wide-scale network
auditing and, therefore, can be used to check many machines on a given network. These
tools are advantageous because they reveal inherent weaknesses within the audited
system. However, these tools are also liabilities because they provide powerful capabilities
to crackers in the void. In the wrong hands, these tools can be used to compromise
many hosts.</P>
<P>Conversely, system logging tools are used to record the activities of users and
system messages. These logs are recorded to plain text files or files that automatically
organize themselves into one or more database formats. Logging tools are a staple
resource in any UNIX security toolbox. Often, the logs generated by such utilities
form the basis of evidence when you pursue an intruder or build a case against a
cracker. However, deep logging of the system can be costly in terms of disk space.
Moreover, many of these tools work flawlessly at collecting data, but provide no
easy way to interpret it. Thus, security personnel may be faced with writing their
own programs to perform this task.</P>
<P>UNIX security is a far more difficult field than security on other platforms,
primarily because UNIX is such a large and complicated operating system. Naturally,
this means that obtaining personnel with true UNIX security expertise may be a laborious
and costly process. For although these people aren't rare particularly, most of them
already occupy key positions in firms throughout the nation. As a result, consulting
in this area has become a lucrative business.</P>
<P>One good point about UNIX security is that because UNIX has been around for so
long, much is known about its inherent flaws. Although new holes crop up on a fairly
regular basis, their sources are quickly identified. Moreover, the UNIX community
as a whole is well networked with respect to security. There are many mailing lists,
archives, and online databases of information dealing with UNIX security. The same
cannot be so easily said for other operating systems. Nevertheless, this trend is
changing, particularly with regard to Microsoft Windows NT. There is now strong support
for NT security on the Net, and that support is growing each day.
<H3><FONT COLOR="#000077"><B>The Internet: How Big Is It?</B></FONT></H3>
<P>This section requires a bit more history, and I am going to run through it rapidly.
Early in the 1980s, the Internet as we now know it was born. The number of hosts
was in the hundreds, and it seemed to researchers even then that the Internet was
massive. Sometime in 1986, the first freely available public access server was established
on the Net. It was only a matter of time--a mere decade, as it turned out--before
humanity would storm the beach of cyberspace; it would soon come alive with the sounds
of merchants peddling their wares.</P>
<P>By 1988, there were more than 50,000 hosts on the Net. Then a bizarre event took
place: In November of that year, a worm program was released into the network. This
worm infected numerous machines (reportedly over 5,000) and left them in various
stages of disrupted service or distress (I will discuss this event in Chapter 5,
&quot;Is Security a Futile Endeavor?&quot;). This brought the Internet into the public
eye in a big way, plastering it across the front pages of our nation's newspapers.</P>
<P>By 1990, the number of Internet hosts exceeded 300,000. For a variety of reasons,
the U.S. government released its hold on the network in this year, leaving it to
the National Science Foundation (NSF). The NSF had instituted strong restrictions
against commercial use of the Internet. However, amidst debates over cost considerations
(operating the Internet backbone required substantial resources), NSF suddenly relinquished
authority over the Net in 1991, opening the way for commercial entities to seize
control of network bandwidth.</P>
<P>Still, however, the public at large did not advance. The majority of private Internet
users got their access from providers like Delphi. Access was entirely command-line
based and far too intimidating for the average user. This changed suddenly when revolutionary
software developed at the University of Minnesota was released. It was called <I>Gopher</I>.
Gopher was the first Internet navigation tool for use in GUI environments. The World
Wide Web browser followed soon thereafter.</P>
<P>In 1995, NSF retired entirely from its long-standing position as overseer of the
Net. The Internet was completely commercialized almost instantly as companies across
America rushed to get connected to the backbone. The companies were immediately followed
by the American public, which was empowered by new browsers such as NCSA Mosaic,
Netscape Navigator, and Microsoft Internet Explorer. The Internet was suddenly accessible
to anyone with a computer, a windowing system, and a mouse.</P>
<P>Today, the Internet sports more than 10 million hosts and reportedly serves some
40 million individuals. Some projections indicate that if Internet usage continues
along its current path of growth, the entire Western world will be connected by the
year 2001. Barring some extraordinary event to slow this path, these estimates are
probably correct.</P>
<P>Today's Internet is truly massive, housing hundreds of thousands of networks.
Many of these run varied operating systems and hardware platforms. Well over 100
countries besides the United States are connected, and that number is increasing
every year. The only question is this: What does the future hold for the Internet?
<H3><FONT COLOR="#000077"><B>The Future</B></FONT></H3>
<P>There have been many projections about where the Internet is going. Most of these
projections (at least those of common knowledge to the public) are cast by marketeers
and spin doctors anxious to sell more bandwidth, more hardware, more software, and
more hype. In essence, America's icons of big business are trying to control the
Net and bend it to their will. This is a formidable task for several reasons.</P>
<P>One is that the technology for the Internet is now moving faster than the public's
ability to buy it. For example, much of corporate America is intent on using the
Internet as an entertainment medium. The network is well suited for such purposes,
but implementation is difficult, primarily because average users cannot afford the
necessary hardware to receive high-speed transmissions. Most users are getting along
with modems at speeds of 28.8Kbps. Other options exist, true, but they are expensive.
ISDN, for example, is a viable solution only for folks with funds to spare or for
companies doing business on the Net. It is also of some significance that ISDN is
more difficult to configure--on any platform--than the average modem. For some of
my clients, this has been a significant deterrent. I occasionally hear from people
who turned to ISDN, found the configuration problems overwhelming, and found themselves
back at 28.8Kbps with conventional modems. Furthermore, in certain parts of the country,
the mere use of an ISDN telephone line costs money per each minute of connection
time.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Although telephone companies initially
	viewed ISDN as a big money maker, that projection proved to be somewhat premature.
	These companies envisioned huge profits, which never really materialized. There are
	many reasons for this. One is that ISDN modems are still very expensive compared
	to their 28.8Kbps counterparts. This is a significant deterrent to most casual users.
	Another reason is that consumers know they can avoid heavy-duty phone company charges
	by surfing at night. (For example, many telephone companies only enforce heavy charges
	from 8:00 a.m. to 5:00 p.m.) But these are not the only reasons. There are other
	methods of access emerging that will probably render ISDN technology obsolete. Today's
	consumers are keenly aware of these trends, and many have adopted a wait-and-see
	attitude. 
<HR>


</BLOCKQUOTE>

<P>Cable modems offer one promising solution. These new devices, currently being
tested throughout the United States, will reportedly deliver Net access at 100 times
the speed of modems now in use. However, there are deep problems to be solved within
the cable modem industry. For example, no standards have yet been established. Therefore,
each cable modem will be entirely proprietary. With no standards, the price of cable
modems will probably remain very high (ranging anywhere from $300 to $600). This
could discourage most buyers. There are also issues as to what cable modem to buy.
Their capabilities vary dramatically. Some, for example, offer extremely high throughput
while receiving data but only meager throughput when transmitting it. For some users,
this simply isn't suitable. A practical example would be someone who plans to video-conference
on a regular basis. True, they could receive the image of their video-conference
partner at high speed, but they would be unable to send at that same speed.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>There are other more practical problems
	that plague the otherwise bright future of cable modem connections. For example,
	consumers are told that they will essentially have the speed of a low-end T3 connection
	for $39 a month, but this is only partially true. Although their cable modem and
	the coax wire it's connected to are capable of such speeds, the average consumer
	will likely never see the full potential because all inhabitants in a particular
	area (typically a neighborhood) must share the bandwidth of the connection. For example,
	in apartment buildings, the 10mps is divided between the inhabitants patched into
	that wire. Thus, if a user in apartment 1A is running a search agent that collects
	hundreds of megabytes of information each day, the remaining inhabitants in other
	apartments will suffer a tremendous loss of bandwidth. This is clearly unsuitable.
	
<HR>
<BR>
	
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Cable modem technology
	is an aggressive climate now, with several dozen big players seeking to capture the
	lion's share of the market. To get in-depth information about the struggle (and what
	cable modems have to offer), point your Web browser to <A HREF="http://rpcp.mit.edu/~gingold/cable/"><B>http://rpcp.mit.edu/~gingold/cable/</B></A>.
	
<HR>


</BLOCKQUOTE>

<P>Other technologies, such as WebTV, offer promise. WebTV is a device that makes
surfing the Net as easy as watching television. These units are easily installed,
and the interface is quite intuitive. However, systems such as WebTV may bring an
unwanted influence to the Net: censorship. Many of the materials on the Internet
could be characterized as highly objectionable. In this category are certain forms
of hard-core pornography and seditious or revolutionary material. If WebTV were to
become the standard method of Internet access, the government might attempt to regulate
what type of material could appear. This might undermine the grass-roots, free-speech
environment of the Net.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>NOTE:</B></FONT><B> </B>Since the writing of this chapter,
	Microsoft Corporation has purchased WebTV (even though the sales for WebTV proved
	to be far less than industry experts had projected). Of course, this is just my personal
	opinion, but I think the idea was somewhat ill-conceived. The Internet is not yet
	an entertainment medium, nor will it be for some time, largely due to speed and bandwidth
	constraints. One wonders whether Microsoft didn't move prematurely in making its
	purchase. Perhaps Microsoft bought WebTV expressly for the purpose of shelving it.
	This is possible. After all, such a purchase would be one way to eliminate what seemed
	(at least at the time) to be some formidable competition to MSN. 
<HR>
<BR>
	
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>WebTV does have interesting
	possibilities and offers one very simple way to get acquainted with the Internet.
	If you are a new user and find Net navigation confusing, you might want to check
	out WebTV's home page at <A HREF="http://www.webtv.net/"><B>http://www.webtv.net/</B></A>.
	
<HR>


</BLOCKQUOTE>

<P>Either way, the Internet is about to become an important part of every American's
life. Banks and other financial institutions are now offering banking over the Internet.
Within five years, this will likely replace the standard method of banking. Similarly,
a good deal of trade has been taken to the Net.
<H2><FONT COLOR="#000077"><B>Summary</B></FONT></H2>
<P>This chapter briefly examines the birth of the Internet. Next on the agenda are
the historical and practical points of the network's protocols, or methods of data
transport. These topics are essential for understanding the fundamentals of Internet
security.</P>
<CENTER>
<P>
<HR>
<A HREF="../ch06/ch06.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch08/ch08.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> <BR>
<BR>
<BR>
<IMG SRC="../button/corp.gif" WIDTH="284" HEIGHT="45" ALIGN="BOTTOM" ALT="Macmillan Computer Publishing USA"
BORDER="0"></P>

<P>&#169; <A HREF="../copy.htm">Copyright</A>, Macmillan Computer Publishing. All
rights reserved.
</CENTER>


</BODY>

</HTML>