ch05.htm

来自「Maximum Security (First Edition) 网络安全 英文」· HTM 代码 · 共 978 行 · 第 1/4 页

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>

<HEAD>
	
	<TITLE>Maximum Security -- Ch 5 -- Is Security a Futile Endeavor?</TITLE>
</HEAD>

<BODY TEXT="#000000" BGCOLOR="#FFFFFF">

<CENTER>
<H1><IMG SRC="../button/samsnet.gif" WIDTH="171" HEIGHT="66" ALIGN="BOTTOM" BORDER="0"><BR>
<FONT COLOR="#000077">Maximum Security: </FONT></H1>
</CENTER>
<CENTER>
<H2><FONT COLOR="#000077">A Hacker's Guide to Protecting Your Internet Site and Network</FONT></H2>
</CENTER>
<CENTER>
<P><A HREF="../ch04/ch04.htm"><IMG SRC="../button/previous.gif" WIDTH="128" HEIGHT="28"
ALIGN="BOTTOM" ALT="Previous chapter" BORDER="0"></A><A HREF="../ch06/ch06.htm"><IMG
SRC="../button/next.gif" WIDTH="128" HEIGHT="28" ALIGN="BOTTOM" ALT="Next chapter"
BORDER="0"></A><A HREF="../index.htm"><IMG SRC="../button/contents.gif" WIDTH="128"
HEIGHT="28" ALIGN="BOTTOM" ALT="Contents" BORDER="0"></A> 
<HR>

</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">5</FONT></H1>
</CENTER>
<CENTER>
<H1><FONT COLOR="#000077">Is Security a Futile Endeavor?</FONT></H1>
</CENTER>
<P>Since Paul Baran first put pen to paper, Internet security has been a concern.
Over the years, <I>security by obscurity</I> has become the prevailing attitude of
the computing community.

<UL>
	<LI><I>Speak not and all will be well.</I><BR>
	<BR>
	
	<LI><I>Hide and perhaps they will not find you.</I><BR>
	<BR>
	
	<LI><I>The technology is complex. You are safe.</I>
</UL>

<P>These principles have not only been proven faulty, but they also go against the
original concepts of how security could evolve through discussion and open education.
Even at the very birth of the Internet, open discussion on standards and methodology
was strongly suggested. It was felt that this open discussion could foster important
advances in the technology. Baran was well aware of this and articulated the principle
concisely when, in <I>The Paradox of the Secrecy About Secrecy: The Assumption of
A Clear Dichotomy Between Classified and Unclassified Subject Matter</I>, he wrote:

<DL>
	<DD>Without the freedom to expose the system proposal to widespread scrutiny by clever
	minds of diverse interests, is to increase the risk that significant points of potential
	weakness have been overlooked. A frank and open discussion here is to our advantage.
</DL>

<H2><FONT COLOR="#000077"><B>Security Through Obscurity</B></FONT></H2>
<P>Security through obscurity has been defined and described in many different ways.
One rather whimsical description, authored by a student named Jeff Breidenbach in
his lively and engaging paper, <I>Network Security Throughout the Ages</I>, appears
here:

<DL>
	<DD>The Net had a brilliant strategy called &quot;Security through Obscurity.&quot;
	Don't let anyone fool you into thinking that this was done on purpose. The software
	has grown into such a tangled mess that nobody really knows how to use it. Befuddled
	engineers fervently hoped potential meddlers would be just as intimidated by the
	technical details as they were themselves.
</DL>

<P>Mr. Breidenbach might well be correct about this. Nevertheless, the standardized
definition and description of security through obscurity can be obtained from any
archive of the Jargon File, available at thousands of locations on the Internet.
That definition is this:

<DL>
	<DD>alt. 'security by obscurity' n. A term applied by hackers to most OS vendors'
	favorite way of coping with security holes--namely, ignoring them, documenting neither
	any known holes nor the underlying security algorithms, trusting that nobody will
	find out about them and that people who do find out about them won't exploit them.
</DL>

<P>Regardless of which security philosophy you believe, three questions remain constant:

<UL>
	<LI>Why is the Internet insecure?
	<LI>Does it need to be secure?
	<LI>Can it be secure?
</UL>

<H2><FONT COLOR="#000077"><B>Why Is the Internet Insecure?</B></FONT></H2>
<P>The Internet is insecure for a variety of reasons, each of which I will discuss
here in detail. Those factors include

<UL>
	<LI>Lack of education
	<LI>The Internet's design
	<LI>Proprietarism (yes, another ism)
	<LI>The trickling down of technology
	<LI>Human nature
</UL>

<P>Each of these factors contributes in some degree to the Internet's current lack
of security.
<H3><FONT COLOR="#000077"><B>Lack of Education</B></FONT></H3>
<P>Do you believe that what you don't know can't hurt you? If you are charged with
the responsibility of running an Internet server, you had better not believe it.
Education is the single, most important aspect of security, one aspect that has been
sorely wanting.</P>
<P>I am not suggesting that a lack of education exists within higher institutions
of learning or those organizations that perform security-related tasks. Rather, I
am suggesting that security education rarely extends beyond those great bastions
of computer-security science.</P>
<P>The Computer Emergency Response Team (CERT) is probably the Internet's best-known
security organization. CERT generates security advisories and distributes them throughout
the Internet community. These advisories address the latest known security vulnerabilities
in a wide range of operating systems. CERT thus performs an extremely valuable service
to the Internet. The CERT Coordination Center, established by ARPA in 1988, provides
a centralized point for the reporting of and proactive response to all major security
incidents. Since 1988, CERT has grown dramatically, and CERT centers have been established
at various points across the globe.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can contact CERT
	at its WWW page (<A HREF="http://www.cert.org"><TT>http://www.cert.org</TT></A>).
	There resides a database of vulnerabilities, various research papers (including extensive
	documentation on disaster survivability), and links to other important security resources.
	
<HR>


</BLOCKQUOTE>

<P>CERT's 1995 annual report shows some very enlightening statistics. During 1995,
CERT was informed of some 12,000 sites that had experienced some form of network-security
violation. Of these, there were at least 732 known break-ins and an equal number
of <I>probes</I> or other instances of suspicious activity.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>You can access CERT's
	1995 annual report at <A HREF="http://www.cert.org/cert.report.95.html"><TT>http://www.cert.org/cert.report.95.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>12,000 incidents with a reported 732 break-ins. This is so, even though the GAO
report examined earlier suggested that Defense computers alone are attacked as many
as 250,000 times each year, and Dan Farmer's security survey reported that over 60
percent of all critical sites surveyed were vulnerable to some technique of network
security breach. How can this be? Why aren't more incidents reported to CERT?


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Check out Dan Farmer's
	security survey at <A HREF="http://www.trouble.org/survey"><TT>http://www.trouble.org/survey</TT></A>.
	
<HR>


</BLOCKQUOTE>

<P>It might be because the better portion of the Internet's servers are now maintained
by individuals who have less-than adequate security education. Many system administrators
have never even heard of CERT. True, there are many security resources available
on the Internet (many that point to CERT, in fact), but these may initially appear
intimidating and overwhelming to those new to security. Moreover, many of the resources
provide links to dated information.</P>
<P>An example is RFC 1244, the Site Security Handbook. At the time 1244 was written,
it comprised a collection of state-of-the-art information on security. As expressed
in that document's editor's note: This FYI RFC is a first attempt at providing Internet
users guidance on how to deal with security issues in the Internet. As such, this
document is necessarily incomplete. There are some clear shortfalls; for example,
this document focuses mostly on resources available in the United States. In the
spirit of the Internet's `Request for Comments' series of notes, we encourage feedback
from users of this handbook. In particular, those who utilize this document to craft
their own policies and procedures.

<DL>
	<DD>This handbook is meant to be a starting place for further research and should
	be viewed as a useful resource, but not the final authority. Different organizations
	and jurisdictions will have different resources and rules. Talk to your local organizations,
	consult an informed lawyer, or consult with local and national law enforcement. These
	groups can help fill in the gaps that this document cannot hope to cover.
</DL>

<P>From 1991 until now, the Site Security Handbook has been an excellent place to
start. Nevertheless, as Internet technology grows in leaps and bounds, such texts
become rapidly outdated. Therefore, the new system administrator must keep up with
the security technology that follows each such evolution. To do so is a difficult
task.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>RFC 1244 is still a good
	study paper for a user new to security. It is available at many places on the Internet.
	One reliable server is at <A HREF="http://www.net.ohio-state.edu/hypertext/rfc1244/toc.html"><TT>http://www.net.ohio-state.edu/hypertext/rfc1244/toc.html</TT></A>.
	
<HR>


</BLOCKQUOTE>

<H4><FONT COLOR="#000077"><B>The Genesis of an Advisory</B></FONT></H4>
<P>Advisories comprise the better part of time-based security information. When these
come out, they are immediately very useful because they usually relate to an operating
system or popular application now widely in use. As time goes on, however, such advisories
become less important because people move on to new products. In this process, vendors
are constantly updating their systems, eliminating holes along the way. Thus, an
advisory is valuable for a set period of time (although, to be fair, this information
may stay valuable for extended periods because some people insist on using older
software and hardware, often for financial reasons).</P>
<P>An advisory begins with discovery. Someone, whether hacker, cracker, administrator,
or user, discovers a hole. That hole is verified, and the resulting data is forwarded
to security organizations, vendors, or other parties deemed suitable. This is the
usual genesis of an advisory (a process explained in Chapter 2, &quot;How This Book
Will Help You&quot;). Nevertheless, there is another way that holes are discovered.</P>
<P>Often, academic researchers discover a hole. An example, which you will review
later, is the series of holes found within the Java programming language. These holes
were primarily revealed--at least at first--by those at Princeton University's computer
science labs. When such a hole is discovered, it is documented in excruciating detail.
That is, researchers often author multipage documents detailing the hole, the reasons
for it, and possible remedies.


<BLOCKQUOTE>
	<P>
<HR>
<FONT COLOR="#000077"><B>Cross Reference:</B></FONT><B> </B>Java is a compiled language
	used to create interactive applications for use on the World Wide Web. The language