
<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley &amp; Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>

<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=4//-->
<!--PAGES=148-151//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="146-148.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="151-152.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>Limitations of Packet Filtering</B></FONT></P>
<P>Reasons that packet filtering alone is not sufficient for network security include the following:
</P>
<DL>
<DD><B>Firewalls Are Complex to Configure.</B> Various public proclamations about penetration tests show that well over half of the firewalls regularly sampled are not properly configured. The ordering of packet filtering rules is particularly important.
<DD><B>Filters Can Operate Only on the Fields That Appear in the Network Packets.</B> Some access control decisions require higher level knowledge that is only available after the data in the packets is assembled by the receiving application. It is unreasonable to presume that the same knowledge that exists in the application will be duplicated in the packet filtering code. Still, some firewall vendors provide general-purpose programming languages that can be used to strengthen the constraint capabilities of packet filters.
<DD><B>When Much of the Network Traffic Is Augmented with Cryptography for Integrity, Authenticity, and Privacy, Packet Filters Provide Less Value.</B> If the traffic is cryptographically secured at the IP layer, packet filters can be applied on the receiving node after decryption. However, when application-level cryptography is applied, the packets are not decrypted until they reach the receiving application, which is well past the packet filter in the IP stack.
<DD><B>Packet Filters Do Not Contain Application Specific Knowledge.</B> For example, they cannot be used to limit who is allowed to log in to systems inside the network using telnet. Because <I>user</I> is an entity meaningful at the telnet application layer, the packet filter can limit only telnet connections at the granularity of the source IP address, rather than individual users on each IP address.
</DL>
<H4 ALIGN="LEFT"><A NAME="Heading34"></A><FONT COLOR="#000077">Application Proxies Provide Access Control</FONT></H4>
<P>In addition to packet filters, a firewall should include proxies. An application proxy is an application that acts as a gateway between the untrusted and trusted network but does so at higher layers in the network stack. The application proxy can make access control decisions that are expressed in terms of objects and attributes that the proxy understands. Examples include application proxies for FTP, telnet, gopher, and HTTP.
</P>
<P>A circuit proxy (or gateway) is a generic proxy that does not know the specifics of the application but provides a more generic set of capabilities. SOCKS (Koblas and Koblas, 1992) is one of the more popular circuit gateways. The TIS Gauntlet firewall provides generic UDP and TCP circuit gateways, too.</P>
<P>In general, proxies improve upon the applications that they replace by supporting more granular access control. Many firewall texts prefer to distinguish between proxies based on whether they rely on the following:</P>
<DL>
<DD><B>&#8226;</B>&nbsp;&nbsp;Modified user procedures
<DD><B>&#8226;</B>&nbsp;&nbsp;Modified clients
<DD><B>&#8226;</B>&nbsp;&nbsp;Transparency
</DL>
<P>Modified user procedures are rarely accepted and do not scale well. As an example, a user who needs to telnet from the trusted network to the untrusted network would be required to first log in to the proxy and then telnet from the proxy to the outside node. The second proxy type would avoid this inconvenience by requiring that each employee run a modified client program that would perform this additional step automatically. Concerns about this approach include scalability and cycle time. Supplying modified clients to thousands of users is difficult, and custom clients cost more to develop and may not be available.
</P>
<P><I>Transparent proxies</I>, best exemplified by the Gauntlet firewall from Trusted Information Systems, require neither modified procedures nor modified clients. Instead, the proxy runs on the firewall and transparently handles connections. A user on the inside initiates outbound connections just as if the firewall were not there. The application proxies running on the firewall intercept these outbound requests and deal with them according to configuration rules for the proxies. <I>Because security decisions are being made at the application level, a very rich access control language can be used to regulate network traffic with application proxies</I>. Any concepts or entities that are meaningful at the application level can appear in the access control rules. For example, one can limit FTP traffic so that only user Joe is allowed to GET files from IP addresses with a prefix of 7.88.99.</P>
<P>Generic proxies also exist for TCP and UDP; these proxies enable you to plug arbitrary client-server applications through the firewall. As with the specific proxies such as telnet, Lotus Notes, or Oracle SQL, access control rules can be defined to control which IP addresses, ports, or other packet values are allowed through these generic proxies.</P>
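<P>The FTP rule described above (only user Joe may GET files from addresses with a prefix of 7.88.99) can be sketched as a decision made on the FTP control channel. This is an added example, not code from the book and not Gauntlet's rule syntax: the <code>POLICY</code> format and <code>FtpProxySession</code> class are hypothetical, the sample sessions are constructed, and the user name is assumed to have been authenticated by the proxy already. Both sample sessions come from the same client address to the same server port, so a packet filter could not tell them apart.</P>

```python
import ipaddress

# Hypothetical policy format expressing the rule from the text.
POLICY = {
    "network": ipaddress.ip_network("7.88.99.0/24"),  # servers with prefix 7.88.99
    "command": "RETR",             # the FTP command an FTP client's GET sends
    "allowed_users": {"joe"},
}


class FtpProxySession:
    """Tracks one FTP control connection as the proxy relays it."""

    def __init__(self, client_ip, server_ip):
        self.client_ip = client_ip
        self.server_ip = ipaddress.ip_address(server_ip)
        self.user = None           # learned from the application protocol

    def relay(self, line):
        """Return True to forward the client's command line, False to refuse it."""
        verb, _, arg = line.strip().partition(" ")
        verb = verb.upper()
        if verb == "USER":
            # Assumption: the proxy has authenticated this name itself.
            self.user = arg.lower()
            return True
        restricted = (verb == POLICY["command"]
                      and self.server_ip in POLICY["network"])
        if restricted:
            return self.user in POLICY["allowed_users"]
        return True                # commands outside the rule pass through


def run(client_ip, server_ip, lines):
    """Feed constructed control-channel lines through one proxy session."""
    session = FtpProxySession(client_ip, server_ip)
    return [session.relay(line) for line in lines]


if __name__ == "__main__":
    # Constructed sessions: same client host, different users.
    print(run("192.168.1.20", "7.88.99.5", ["USER joe", "PASS x", "RETR a.txt"]))
    print(run("192.168.1.20", "7.88.99.5", ["USER alice", "PASS x", "RETR a.txt"]))
```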
<P>Both packet filtering and proxies are needed in most environments to meet your security needs. Later, when you take a closer look at intrusion detection, you&#8217;ll see some pros and cons of both approaches. The IBM Firewall provides packet filtering, application gateways, and circuit gateways. The Gauntlet firewall also supports all three approaches and transparent circuit proxies. To take advantage of SOCKS, you need to modify your applications and bind them to the SOCKS library when you recompile.</P>
<H4 ALIGN="LEFT"><A NAME="Heading35"></A><FONT COLOR="#000077">Firewalls Provide IP Security</FONT></H4>
<P>Almost every firewall today is equipped with a mechanism to provide secure IP traffic based on the IPsec standard. Interoperability tests are underway by various vendors to ensure that secure IP tunnels between vendors will work. Because the introduction of cryptography requires some notion of key management, unsurprisingly vendors distinguish themselves on whether they provide a useful key-management infrastructure. Support for X.509 certificates is mandatory because their use is increasing dramatically across the Internet. Firewall security policies based on the values in X.509 certificates are also appearing in products such as Gauntlet.
</P><P><BR></P>


		</TD>
    </TR>
	</TABLE>

		
</BODY>
</HTML>
