			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->


<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=4//-->
<!--PAGES=130-132//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="126-130.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="132-134.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
</P>
<P>Closely related to IP is the <I>Internet Control Message Protocol</I> (ICMP). More than two dozen different ICMP message types are available to assist with network communications. Examples include messages for testing whether a network address is <I>alive</I>, returning notifications of error conditions, and querying IP configuration settings at a particular node. From a security perspective, arbitrary ICMP messages should not be allowed through the firewall if they specify explicit destination network addresses found in your private network. One of the most important security guidelines for attaching your private network to the Internet is that any information about your private network is useful to a hacker. Therefore, you should practice information hiding as much as possible. Because ICMP messages can be used to explore your private network, be careful about what you allow into your private network. As you will see, a firewall can provide a solution for this and related problems.</P>
<P>Each IP packet contains a header portion and a data portion. The most important header values are the source and destination addresses. Other values include a <I>time to live</I> (TTL) that limits the lifetime of the packet. The IP layer itself does not guarantee delivery of a packet, provides no assurance of error-free delivery, and includes no flow control. Clogging a system by flooding it with IP packets is therefore not difficult, and doing so is a denial-of-service attack. Layers that sit on top of IP must implement techniques for handling errors, flow control, and the recovery of lost packets.</P>
<P>The 32-bit IP address is divided into different address <I>classes</I> by breaking the bits into groups. Addresses are usually written in <I>dotted decimal notation</I>, four <I>octets</I> separated by periods. Example addresses include 198.32.102.25, 127.0.0.1, and 9.34.10.1. The octets in the first address are 198, 32, 102, and 25. The addresses assigned and controlled by the <I>Internet Activities Board</I> (IAB) are organized into a hierarchy with each decimal representing a branch in the tree. The first three octets of an address usually represent different subnetworks (subnets), each with one or more network nodes attached. Depending on the address class and the number of bits allocated for the last octet, 256 or more nodes (0&#150;255) might appear on a subnet. No particular security problems are associated with the address classes, so more details are not given here but can be found in the references.</P>
<P>The Internet is divided into many subset networks that are connected by <I>gateways</I> and <I>routers</I>. Although technically different, both gateways and routers are responsible for correctly forwarding packets on through the Internet until the packets reach their destinations. Each packet that travels across the Internet moves one <I>hop</I> at a time. That is, a routing node, such as a gateway or router, moves the packet to the next routing node until the packet finally reaches its target.</P>
<P>Flexibility in the addressing scheme of IP permits one to specify a <I>broadcast address</I> as the destination of a packet. Essentially, you are permitted to use a wildcard for one or more of the octets, which is interpreted to mean &#147;send this packet to all nodes in this subnet.&#148; For example, sending a packet to the broadcast address 198.21.54.255 delivers it to all nodes in the subnet with the prefix 198.21.54; the value 255 is the wildcard. A packet with the destination address 198.21.255.255 would be delivered to even more nodes.</P>
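<P>As an added illustration (not code from the book), the check a border filter would apply to the two guidelines above: drop ICMP aimed at any address inside the private network, and drop anything aimed at a directed broadcast of an internal subnet. The internal prefixes, the packet record layout and the verdict labels are constructed for the example.</P>

```python
import ipaddress
from dataclasses import dataclass

# Added illustration, not the book's code. Internal prefixes are constructed:
# a /24 for one subnet and the /16 that contains it, so both 198.21.54.255 and
# 198.21.255.255 from the text count as directed broadcasts.
INTERNAL_NETS = [ipaddress.ip_network("198.21.54.0/24"),
                 ipaddress.ip_network("198.21.0.0/16")]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    icmp_type: int = -1   # e.g. 8 = echo request; -1 when not ICMP

def is_internal(addr):
    """True if addr belongs to one of the private network's prefixes."""
    a = ipaddress.ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)

def is_directed_broadcast(addr):
    """True if addr is the all-ones (broadcast) address of an internal prefix."""
    a = ipaddress.ip_address(addr)
    return any(a == net.broadcast_address for net in INTERNAL_NETS)

def inbound_verdict(pkt):
    """Decision for a packet arriving from the Internet side of the firewall.
    Verdict strings are constructed labels; the broadcast rule is checked
    first because a broadcast address is also an internal address."""
    if is_directed_broadcast(pkt.dst):
        return "drop: directed broadcast"
    if pkt.proto == "icmp" and is_internal(pkt.dst):
        return "drop: icmp to internal address"
    return "accept"

def filter_inbound(packets):
    """Apply the verdict to a batch and return only the packets let through."""
    return [p for p in packets if inbound_verdict(p) == "accept"]
```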
<P>The <I>multicast backbone</I> (Mbone) is a special class of IP addresses that allows for encapsulation of many IP packets into a single packet. Standard IP unicast sends a message to a single target address. Broadcast sends the message to all addresses in a subnet. Multicast sends a message to a group of IP addresses. The Mbone can provide significant performance improvements for Internet traffic. Because the Mbone address represents several targets, it saves network overhead that would occur by sending a single unicast packet to each address individually. This advantage is not without security implications as you will see when you read about firewalls later in this chapter.</P>
<H4 ALIGN="LEFT"><A NAME="Heading16"></A><FONT COLOR="#000077">Probing Network Paths</FONT></H4>
<P>At each hop, the TTL field is decremented once. If the TTL reaches the number 1, but the packet has not reached its destination, the last node holding the packet returns an ICMP message to the originating node indicating that the TTL has expired.
</P>
<P>The <I>traceroute</I> application can be used to find the route that a packet will take across a network. By taking advantage of the relation between the TTL decrement and the timeout, <I>traceroute</I> can find a network path. The algorithm sets TTL to 2, sends the packet to a target IP address, and receives the TTL expiration message together with the IP address of the node that sent it. Because the last node to decrement the TTL and notice the expiration sends the ICMP timeout message, <I>traceroute</I> can map the path that the packet is <I>hopping</I> through to a destination IP address. By incrementing the TTL by one each time and keeping track of the IP address returned in the <I>timeout</I>, traceroute can construct the list of nodes in the path to the target address. When the destination node is finally reached, a different ICMP message is returned, thus completing the algorithm. The dynamic routing nature of the Internet may yield a different path each time. However, you should be able to see how <I>traceroute</I> helps a hacker discover interesting characteristics about your network, including its physical layout.</P>
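<P>An added model (not the book's code) of the TTL expiry described above and of the way traceroute turns it into a path map, followed by the defender's view of the same exchange. The route, the probe log and the ICMP type used for the destination's reply are constructed; the model assumes the usual convention that a router which decrements TTL to 0 discards the packet and answers ICMP Time Exceeded, with probing starting at TTL 1 so that hop <I>n</I> answers the probe with TTL <I>n</I>.</P>

```python
from collections import defaultdict

# Added illustration, not the book's code. PATH is a constructed route: three
# routers followed by the target host. Assumed convention: a router that
# decrements TTL to 0 discards the packet and answers ICMP Time Exceeded.
PATH = ["198.21.54.1", "198.21.1.1", "9.34.10.1", "198.32.102.25"]

def forward(path, ttl):
    """Carry one packet along path. Returns (icmp_type, responder):
    11 = Time Exceeded from the router where TTL hit 0,
    3  = reply from the destination itself (Destination Unreachable, as a
         UDP traceroute expects; the exact type is an assumption here)."""
    for hop in path:
        if hop == path[-1]:
            return (3, hop)          # delivered: the target answers
        ttl -= 1
        if ttl == 0:
            return (11, hop)         # expired in transit at this router
    raise RuntimeError("path exhausted without a reply")

def traceroute(path, max_hops=30):
    """Probe with TTL 1, 2, 3, ... and record who answered each expiry,
    stopping when the destination itself answers."""
    route = []
    for ttl in range(1, max_hops + 1):
        icmp_type, responder = forward(path, ttl)
        route.append(responder)
        if icmp_type != 11:
            break
    return route

# Defender's side: the same staircase of TTLs, as seen arriving at the border
# router, is the signature to alert on. Records are (src, dst, ttl_on_arrival).
PROBE_LOG = [
    ("9.34.10.1", "198.21.54.25", 1), ("9.34.10.1", "198.21.54.25", 2),
    ("9.34.10.1", "198.21.54.25", 3), ("9.34.10.1", "198.21.54.25", 4),
    ("198.32.102.25", "198.21.54.25", 57),   # ordinary traffic, high TTL
]

def flag_traceroutes(records, min_run=3):
    """Group by (src, dst) and flag flows whose arrival TTLs form a run
    1, 2, 3, ... of at least min_run probes. Returns (src, dst, run_length)."""
    ttls = defaultdict(set)
    for src, dst, ttl in records:
        ttls[(src, dst)].add(ttl)
    flagged = []
    for key, seen in ttls.items():
        run = 0
        while run + 1 in seen:       # count consecutive TTLs from 1 upward
            run += 1
        if run >= min_run:
            flagged.append((*key, run))
    return flagged
```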
<H4 ALIGN="LEFT"><A NAME="Heading17"></A><FONT COLOR="#000077">Problems at the IP Layer</FONT></H4>
<P>Before looking at some of the network layers above IP, take a look at the common hacks against IP. Most of these attacks succeed because of the open nature of the Internet. If packets are sent unencrypted between systems, an adversary somewhere along the path can sniff the network and read the information contained in the packets fairly easily. Two pieces of information that must always be in the clear are the source and destination IP addresses; otherwise, intermediate gateways and routers on the Internet could not forward packets properly.
</P><P><BR></P>


<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		
		
<!-- END SUB FOOTER -->


<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->
