			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley &amp; Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=4//-->
<!--PAGES=146-148//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<P><BR></P>
<H3><A NAME="Heading31"></A><FONT COLOR="#000077">The Role of the Firewall in Traditional Security</FONT></H3>
<P>Can anything be done to improve network security? Sure. First, think about the problem abstractly. Security is based on a security model. The model defines subjects, objects, and access control rules. Supporting facilities, such as auditing, assist in implementing security. The problems mentioned here can be put into three categories:
</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;I&amp;A (identification and authentication)
<DD><B>&#149;</B>&nbsp;&nbsp;Access control
<DD><B>&#149;</B>&nbsp;&nbsp;Protocol design
</DL>
<P>Firewalls are the most widely known commercial tools for improving upon weaknesses due to the first two items (Chapman and Zwicky, 1995; Cheswick and Bellovin, 1994). Protocol design problems are not solved by off-the-shelf products. You cannot easily find a product that will safely design your client-server protocols to be resistant to attacks. By using commercially available cryptographic libraries or by relying on cryptographic services provided by firewalls, you <I>can</I> avoid security problems in your protocols.</P>
<H4 ALIGN="LEFT"><A NAME="Heading32"></A><FONT COLOR="#000077">What Is a Firewall?</FONT></H4>
<P>Firewalls are designed to provide a secure boundary between an untrusted network, such as the Internet, and a trusted network, such as your private corporate network. Other terms used are <I>unsecure</I> and <I>secure</I> network. Today, firewalls consist of one or more of the following:</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;A packet filter
<DD><B>&#149;</B>&nbsp;&nbsp;A set of proxy servers
<DD><B>&#149;</B>&nbsp;&nbsp;Secure IP traffic or <I>virtual private network</I> (VPN)
</DL>
<P>Other software accompanies host firewalls to support these core functions. Examples include virus scanners, log reporting tools, strong authentication, and file system integrity checkers.
</P>
<P>Firewalls are implemented using screening routers, bastion hosts, or both. A screening router can be configured to control network packet routing based on attributes of the packet, such as source address, destination address, port number, and direction. A bastion host is a hardened computer, with the operating system locked down to a minimum of services. The bastion host can run proxies <I>and</I> perform packet filtering.</P>
<H4 ALIGN="LEFT"><A NAME="Heading33"></A><FONT COLOR="#000077">Packet Filters Provide Access Control Services</FONT></H4>
<P>Packet filters improve upon the access control capabilities of network software delivered as part of operating systems. Access control rules are constraints or predicates that are evaluated to determine whether to permit an operation. Conceptually, the values held by a set of variables are compared against rules in the access control database. The variables are derived from state information representing attributes of the subjects and objects. For example, two important values in network traffic are the source and destination IP addresses. A packet filter rule can be configured to permit or deny IP traffic based on these values.
</P>
<P>A packet filter is an access control mechanism for network traffic. Instead of processing or forwarding all packets that arrive on the node&#8217;s network adapters, the packet filter consults its access control rules before handling each packet. Most packet filters are implemented as extensions or replacements for kernel components of operating systems because the lower layers of the network stack run in the kernel. This point is very important because some firewalls completely replace part of the kernel, and others <I>hook in</I> and intercept function calls. What can a packet filter control?</P>
<P>Because the packet filter <I>is</I> the network stack, it can make access control decisions based on any of the fields that appear in the headers of network packets. If necessary, a packet filter also can inspect the contents of the data portion of packets to enforce a security policy or look for attacks. First-generation packet filters passed or dropped packets by looking at fields such as:</P>
<DL>
<DD><B>&#149;</B>&nbsp;&nbsp;Source or destination IP address
<DD><B>&#149;</B>&nbsp;&nbsp;Port
<DD><B>&#149;</B>&nbsp;&nbsp;Protocol type (TCP, UDP, or other)
<DD><B>&#149;</B>&nbsp;&nbsp;Service type (FTP, telnet, DNS, RIP)
</DL>
<P>As protocol attacks became common, packet filters were enhanced to look at settings for SYN and ACK fields as well as other characteristics of the packet. When new protocol attacks are discovered, firewall vendors are quick to implement defenses. In other words, packet filtering access control capabilities are always being improved.
</P>
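<P>The rule evaluation described above, as an added example that is not from the book: a first-match packet filter with a default deny and a check of the ACK flag. The <I>Packet</I> and <I>Rule</I> types, the <I>decide</I> function, and the 10.1.0.0/16 policy are assumptions made for illustration.</P>

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:                        # header fields a first-generation filter inspects
    src: str
    dst: str
    proto: str                       # "tcp", "udp", ...
    dport: int
    syn: bool = False
    ack: bool = False

@dataclass(frozen=True)
class Rule:                          # hypothetical rule format for this example
    action: str                      # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None      # None matches any port
    established: bool = False        # match only TCP segments with ACK set

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and (not self.established or (p.proto == "tcp" and p.ack)))

def decide(rules, p: Packet) -> str:
    """First matching rule wins; anything unmatched is denied."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# Constructed inbound policy for a private network 10.1.0.0/16 (assumed addresses).
INBOUND = [
    Rule("permit", dst="10.1.0.25/32", proto="tcp", dport=25),         # mail relay
    Rule("permit", dst="10.1.0.0/16", proto="tcp", established=True),  # replies only
    Rule("deny"),                                                      # explicit default
]
```

<P>The <I>established</I> rule is stateless: it passes any TCP segment with ACK set, whether or not a connection exists, which is the limit of header-only filtering.</P>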
<P>Packet filters are installed as <I>screening routers</I> or <I>bastion hosts</I>. Both routers and bastion hosts are <I>multihomed</I>, meaning that they have two or more network adapters. A router is a special-purpose computer that, in its simplest form, controls the flow of network packets between subnets. A bastion host is a general-purpose computer that has been <I>hardened</I> to remove unnecessary or security threatening software. A network node, such as a router or bastion host, with two communication adapters, can know the adapter on which a packet arrived. Notice that this knowledge is not explicitly encoded in the packet itself. A generic term meaning either a router or a bastion host is <I>gateway</I>.</P>
<P>The purpose of a gateway is to inspect packets and, based on the destination network addresses of the packets, send them to the appropriate subnet for delivery to the target hosts. If you want to block all incoming traffic other than packets whose addresses begin with 1.22.333, you can easily configure a router to do so. In addition, most screening routers can detect attempts to impersonate IP addresses. A router or bastion host can look at inbound packets arriving on the network adapter connected to the untrusted Internet, and if the source IP address has a prefix of one of the private network subnets, then an address impersonation attempt is in progress. If a packet is received on the secure-side adapter, which means it&#8217;s supposed to be delivered to the Internet, and the source IP address has a prefix that is <I>not</I> from one of the private subnets, one of the inside systems has been compromised. Both of these situations should be logged and flagged for the security administrator.</P>
<P>Besides blocking address impersonation attempts, firewalls are configured to reject inbound packets that have <I>source routing</I> defined for IP. An option of the IP protocol enables the sender to specify the precise route a packet should take. The route is declared as a list of IP addresses. Source routing can be used for a number of hacking purposes, including probing the network to determine its physical layout. Firewalls should be configured to block these packets.</P>
<P><I>IP forwarding</I> is a feature in operating systems that automatically routes a packet between two network adapters in the same computer if necessary. This feature is undesirable in a firewall because the packet will have bypassed the packet filter rules. Therefore, IP forwarding is turned off in firewalls.</P><P><BR></P>
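<P>The address impersonation and source routing checks described above, as an added example that is not from the book: the gateway combines the arrival adapter (which is not in the packet) with the IPv4 header. The function names, the 10.1.0.0/16 inside subnet, and the adapter labels "outside" and "inside" are assumptions; sample headers are constructed by <I>build_header</I>.</P>

```python
import ipaddress
import struct

PRIVATE_NETS = [ipaddress.ip_network("10.1.0.0/16")]   # assumed inside subnets
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}          # IPv4 option types (RFC 791)

def ip_options(header: bytes):
    """Yield the option type bytes in an IPv4 header; -1 marks a malformed option."""
    end = min((header[0] & 0x0F) * 4, len(header))  # IHL gives header length
    i = 20                                          # options follow the fixed header
    while i < end:
        opt = header[i]
        if opt == 0:                                # End of Option List
            break
        if opt == 1:                                # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= end or header[i + 1] < 2:
            yield -1
            break
        yield opt
        i += header[i + 1]                          # skip by the option's length

def inspect(header: bytes, arrived_on: str):
    """Return (action, reason) for a packet seen on the 'outside' or 'inside' adapter."""
    if len(header) < 20:
        return "drop+log", "truncated header"
    src = ipaddress.ip_address(header[12:16])
    inside_src = any(src in net for net in PRIVATE_NETS)
    opts = list(ip_options(header))
    if -1 in opts:
        return "drop+log", "malformed IP options"
    for o in opts:
        if o in SOURCE_ROUTE_OPTS:
            return "drop+log", "source routing (%s)" % SOURCE_ROUTE_OPTS[o]
    if arrived_on == "outside" and inside_src:
        return "drop+log", "inside source address on outside adapter"
    if arrived_on == "inside" and not inside_src:
        return "drop+log", "foreign source address on inside adapter"
    return "pass", "ok"

def build_header(src: str, dst: str, options: bytes = b"") -> bytes:
    """Construct a sample IPv4 header (checksum left at 0) for testing the checks."""
    options += b"\x00" * (-len(options) % 4)        # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options),
                       0, 0, 64, 6, 0, ipaddress.ip_address(src).packed,
                       ipaddress.ip_address(dst).packed) + options
```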


<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
</BODY>
</HTML>

<!-- END FOOTER -->
