📄 151-152.html
字号:
<option value="/reference/dir.funandgames1.html">Fun/Games
<option value="/reference/dir.groupwareandcollaboration1.html">Groupware
<option value="/reference/dir.hardware1.html">Hardware
<option value="/reference/dir.intranetandextranetdevelopment1.html">Intranet Dev
<option value="/reference/dir.middleware.html">Middleware
<option value="/reference/dir.multimediaandgraphicdesign1.html">Multimedia
<option value="/reference/dir.networkservices1.html">Networks
<option value="/reference/dir.operatingsystems.html">OS
<option value="/reference/dir.productivityapplications1.html">Prod Apps
<option value="/reference/dir.programminglanguages.html">Programming
<option value="/reference/dir.security1.html">Security
<!-- <option value="/reference/dir.ewtraining1.html">Training Guides -->
<option value="/reference/dir.userinterfaces.html">UI
<option value="/reference/dir.webservices.html">Web Services
<option value="/reference/dir.webmasterskills1.html">Webmaster
<option value="/reference/dir.y2k1.html">Y2K
<option value="">-----------
<option value="/reference/whatsnew.html">New Titles
<option value="">-----------
<option value="/reference/dir.archive1.html">Free Archive
</SELECT>
</font></td>
</tr>
</table>
</form>
<!-- LEFT NAV SEARCH END -->
</td>
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->
<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->
<!-- begin main content -->
<td width="100%" valign="top" align="left">
<!-- END SUB HEADER -->
<!--Begin Content Column -->
<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">
<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">
<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE=""> <input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">
</form>
<!-- Empty Reference Subhead -->
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=4//-->
<!--PAGES=151-152//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="148-151.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="153-154.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading36"></A><FONT COLOR="#000077">IP Sec or Application Security</FONT></H4>
<P>IP ESP and AH are applicable between two IP addresses. If you do not want to apply IPsec to all of the traffic running through your firewall, consider application-level cryptography. A number of alternatives are available. If your application runs on TCP/IP sockets, you can use SSL libraries available from Security Dynamics, Inc. Kerberos V5 and DCE both ship with Generic Security Services API (GSS-API), which is a set of library routines that provide application level security services including authentication, message integrity, and privacy. Finally, if you are writing applications on NT, the Microsoft Crypto API services are the best choice.
</P>
<P>You should know that a number of vendors have signed up to support the <I>Common Data Security Architecture</I> (CDSA) initially proposed by Intel. The idea behind CDSA is to deliver a set of neutral security APIs that can be used for authentication, privacy, integrity, and nonrepudiation. The goal is to make available to vendors only one set of programming APIs that insulates developers from details of the underlying security implementation.</P>
<H3><A NAME="Heading37"></A><FONT COLOR="#000077">How Complex Is Your Network Security?</FONT></H3>
<P>In Chapter 1, “Intrusion Detection and the Classic Security Model,” you were introduced to the idea that security models are implemented in software to provide services for enforcing a security policy. Regardless of how complex a particular solution might be, you eventually can identify the subjects and objects and how the reference monitor makes access control decisions. If multiple security models are in use at your site, each model is responsible for controlling security for a specific set of subjects and objects.
</P>
<P>Network security is complex because so many different security models are in operation at any single moment. Traditional operating system network services work with familiar concepts such as users and groups. For example, the network applications FTP and Telnet use the operating system authentication subsystem before allowing access to a system. Not all popular network services follow this pattern. Web servers that run HTTP protocols over TCP/IP introduce their own notions of user, group, file system, and access control. Other client-server applications increase complexity by bringing along additional security models, including database management systems frequently used for critical business processes.</P>
<P>When you write a home-grown client-server application at your site, chances are that you will be crossing a number of security boundaries. Client and server programs have a security context meaningful to the operating system. They are associated with UIDs and GIDs, are stored as files in the file system, and are regulated by access control rules for IPC or sockets. As soon as you start worrying about how clients and servers communicate securely across a network, it’s likely that another security context is introduced, such as the cryptographic framework you instrument your applications to use. The more back-end business systems the applications interface with, the higher the probability that a number of security models will be active.</P>
<P>A good example of this is the typical Web e-commerce application. To begin with, end users connecting to your site probably have an X.509 certificate signed by an authoritative source. The public key and private key associated with this certificate are used for secure connections to your site. The software products that generated the certificate constitute one security domain. On your end, the Web server is running on an operating system. That would be two new security contexts, one for the operating system and one for the Web server as described. The Web server probably has some client code that connects through a firewall to the back end business databases. Depending on how picky you want to be, that is either one or two new security models. The database manager definitely implements its own reference monitor, and the firewall also introduces a security model, although it overlaps some with the operating system’s model.</P>
<P>When a hacker or a security expert looks at this kind of setup, they think “Wow, look at all the places someone can screw up security!” The first problem is that so many different models have to be administered. Users and groups must be managed, access control rules set up and modified, and client-server security established. To a hacker, this setup is just more opportunities for someone to configure the security policy incorrectly. Next, at each security model boundary, something interesting happens. Requests by subjects from one model are satisfied by subjects in another model acting with <I>on behalf of</I> semantics. If the mapping between the boundaries is well defined, no security leaks will exist. One frequently seen fiasco includes a database gateway application running on a Web server in which the gateway is given <I>unlimited</I> access to the back end database.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="148-151.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="153-154.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- BEGIN SUB FOOTER -->
<br><br>
</TD>
</TR>
</TABLE>
<table width="640" border=0 cellpadding=0 cellspacing=0>
<tr>
<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
<!-- END SUB FOOTER -->
<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->
<!-- FOOTER -->
<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a> | <a href="/contactus.html"><font color="#006666">Contact Us</font></a> | <a href="/aboutus.html"><font color="#006666">About Us</font></a> | <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> | <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> | <a href="/"><font color="#006666">Home</font></a></b>
<br><br>
Use of this site is subject to certain <a href="/agreement.html">Terms & Conditions</a>, <a href="/copyright.html">Copyright © 1996-1999 EarthWeb Inc.</a><br>
All rights reserved. Reproduction whole or in part in any form or medium without express written permision of EarthWeb is prohibited.</font><p>
</td>
</tr>
</table>
</BODY>
</HTML>
<!-- END FOOTER -->
⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -