313-315.html

			<option value="/reference/dir.multimediaandgraphicdesign1.html">Multimedia
			<option value="/reference/dir.networkservices1.html">Networks 
			<option value="/reference/dir.operatingsystems.html">OS
			<option value="/reference/dir.productivityapplications1.html">Prod Apps
			<option value="/reference/dir.programminglanguages.html">Programming
			<option value="/reference/dir.security1.html">Security	
			<!-- <option value="/reference/dir.ewtraining1.html">Training Guides -->
			<option value="/reference/dir.userinterfaces.html">UI
			<option value="/reference/dir.webservices.html">Web Services
			<option value="/reference/dir.webmasterskills1.html">Webmaster
			<option value="/reference/dir.y2k1.html">Y2K
			<option value="">-----------
			<option value="/reference/whatsnew.html">New Titles
			<option value="">-----------
			<option value="/reference/dir.archive1.html">Free Archive		
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<form name="Search" method="GET" action="http://search.earthweb.com/search97/search_redir.cgi">

<INPUT TYPE="hidden" NAME="Action" VALUE="Search">
<INPUT TYPE="hidden" NAME="SearchPage" VALUE="http://search.earthweb.com/search97/samples/forms/srchdemo.htm">
<INPUT TYPE="hidden" NAME="Collection" VALUE="ITK">
<INPUT TYPE="hidden" NAME="ResultTemplate" VALUE="itk-full.hts">
<INPUT TYPE="hidden" NAME="ViewTemplate" VALUE="view.hts">

<font face="arial, helvetica" size=2><b>Search this book:</b></font><br>
<INPUT NAME="queryText" size=50 VALUE="">&nbsp;<input type="submit" name="submitbutton" value="Go!">
<INPUT type=hidden NAME="section_on" VALUE="on">
<INPUT type=hidden NAME="section" VALUE="http://www.itknowledge.com/reference/standard/0471290009/">

</form>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=12//-->
<!--PAGES=313-315//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch11/311-312.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="315-318.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H2><A NAME="Heading1"></A><FONT COLOR="#000077">Chapter 12<BR>Intrusion Detection: Not the Last Chapter When It Comes to Security
</FONT></H2>
<P>You need IDSs at your site in the same way you need firewalls, improved access control products, and better I&#38;A. After reading the arguments put forward for IDSs throughout this book, you might think that intrusion detection is the last chapter in the war on computer security. It isn&#146;t. Despite its important contribution to security for systems and networks, intrusion detection also can be improved.
</P>
<P>In this final chapter of the book, you will read about other open issues that argue for continued evolution of security solutions. The chapter begins by reviewing important topics in the book with a recap of each of the major themes in traditional security solutions. This review is followed by highlights of how you can improve upon traditional security with intrusion detection. The discussion then turns to recommended improvements for IDSs.</P>
<H3><A NAME="Heading2"></A><FONT COLOR="#000077">Traditional Computer Security</FONT></H3>
<P>The traditional and historically most widely adopted computer security approach is to <I>prevent</I> as many problems as possible. Monitoring always has been recognized as an important part of a total solution. However, most sites in the past did not dedicate resources for monitoring. Even the Orange Book emphasizes the importance of monitoring. For the most part, traditional security covers topics discussed in Part 1, &#147;Before Intrusion Detection: Traditional Computer Security,&#148; of this book and includes the basic model, I&#38;A, access control, and network security.</P>
<H4 ALIGN="LEFT"><A NAME="Heading3"></A><FONT COLOR="#000077">The Basic Security Model</FONT></H4>
<P>As you saw in Chapter 1, the fundamental concepts in security are subjects, objects, and access control. Most of the important security events are those in which subjects try to access objects, and a reference monitor decides whether the request is allowed. IDSs try to monitor when this process breaks down by scanning for vulnerabilities or catching attacks in progress. Because the basic model emphasizes <I>who accesses what</I>, it&#146;s not surprising that much of the security product marketplace is dominated by solutions that regulate access and try to prevent problems.</P>
<P>IDSs exist because people make mistakes. Intrusion detection began by looking for problems in operating systems and networks. The focus was on subjects and objects that were identified and reported on by operating systems such as UNIX. However, many applications introduce their own notions of subjects, objects, and access control. IDSs are just now beginning to look at application-level detection. Scanners, for example, often examine configuration files of Web servers. Fundamental to the proper operation of the basic model is the capability to uniquely identify the subjects and objects in the system. This is the purpose of I&#38;A.</P>
<H4 ALIGN="LEFT"><A NAME="Heading4"></A><FONT COLOR="#000077">I&#38;A</FONT></H4>
<P>When people mostly connected to large mainframes via dumb terminals, I&#38;A consisted of logging in by specifying a userid and a password. In today&#146;s complex distributed environments, many other forms of I&#38;A exist. Smart cards, challenge-response authentication servers, and trusted third-party servers are some of the alternatives today. X.509 is likely to be the future&#146;s leading mechanism for I&#38;A and trust in large heterogeneous networks.
</P>
<P>In Chapter 2, &#147;The Role of Identification and Authentication in Your Environment,&#148; you learned about attacks against I&#38;A and saw some steps that you could take to help stop these attacks. You need IDSs to monitor when these attacks are in progress, even if you have ways of preventing the attacks from going too far. Flaws in Kerberos and other authentication improvements were described, further emphasizing the need for monitoring. Intrusion detection not only can be used to catch attempts to circumvent I&#38;A. It also can be used to watch the I&#38;A tools you add to your site.</P>
<P>I&#38;A and IDSs are closely bound because intrusion detection tries to track the activities of an entity, such as a person. A sequence of events executed by different users may not be a problem, but the same sequence run by a single user could be a serious hack attack. Knowing the <I>who</I> and the <I>what</I> parts of an event is a critical part of discovering attacks and assigning accountability.</P>
<P>One last point to remember is that I&#38;A is not limited to people. Network nodes, software processes, and other forms of communicating entities need to identify and authenticate each other for secure message exchanges. This form of I&#38;A impacts IDSs as well. If you think about a system which does not have any login accounts except for the administrator, you begin to see how intrusion detection is affected by other forms of I&#38;A.</P>
<H4 ALIGN="LEFT"><A NAME="Heading5"></A><FONT COLOR="#000077">Access Control</FONT></H4>
<P>The second important aspect of traditional security is controlling access to resources. This is the classic notion of prevention. As you discovered throughout this book, prevention does not always work. You learned about a number of attacks that circumvented the system&#146;s access control policy. For example, techniques that allowed a user to gain privileges and access privileged resources were shown to be one of the arguments against relying solely on access control. Other examples included improper configuration of permissions, whether the result of a vendor error or an administrative mistake.
</P>
<P>As in the case of I&#38;A, individual applications might introduce their own notions of access control. Databases regulate access to records, fields, and tables by using their own techniques rather than relying on the operating system&#146;s capabilities.</P>
<P>IDSs rely on access control routines in the operating system to emit data about events. The IDSs need to know when a subject tries to access an object and what the outcome was for the request. This information is fed into signatures or statistical counters to determine whether a problem exists. There also is a fuzzy area between access control and IDSs because an intruder can be kicked off the system or a file&#146;s permission bits can be changed as the <I>response</I> of an IDS. In this role, the IDS is being preventative.</P>
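<P>As an added illustration of the two points made above (a sequence of events is only suspicious when one subject runs all of it, and reference-monitor events are fed into signatures or statistical counters), here is example code that is not from the book: a toy consumer of audit events in Python. The subjects, file paths, signature steps and denial threshold are constructed sample values.</P>

```python
"""Toy IDS consumer for reference-monitor events (added example, not from the book).

Each event records who (subject), what (action, object) and the outcome the
reference monitor returned.  Two detectors consume the stream:
  * a per-subject statistical counter of denied accesses, and
  * a per-subject sequence signature that fires only when one subject
    performs every step in order; the same steps spread across users do not.
"""
from collections import defaultdict

# Constructed sample audit events: (subject, action, object, outcome).
EVENTS = [
    ("alice", "read",  "/etc/passwd", "allowed"),
    ("bob",   "read",  "/etc/shadow", "denied"),
    ("bob",   "read",  "/etc/shadow", "denied"),
    ("bob",   "read",  "/etc/shadow", "denied"),   # third denial: counter alerts
    ("bob",   "write", "/etc/shadow", "denied"),
    ("carol", "read",  "/etc/shadow", "denied"),
    ("alice", "exec",  "/usr/bin/su", "allowed"),
    ("carol", "write", "/etc/passwd", "allowed"),  # steps split across users: no hit
    ("dave",  "read",  "/etc/shadow", "allowed"),
    ("dave",  "exec",  "/usr/bin/su", "allowed"),
    ("dave",  "write", "/etc/passwd", "allowed"),  # one subject ran all three steps
]

# Hypothetical signature: one subject reads the shadow file, runs su, then
# modifies the password file.  Steps are (action, object) pairs in order.
SIGNATURE = [("read", "/etc/shadow"), ("exec", "/usr/bin/su"), ("write", "/etc/passwd")]
DENY_THRESHOLD = 3  # denied accesses by one subject before the counter alerts


def analyze(events, signature=SIGNATURE, deny_threshold=DENY_THRESHOLD):
    """Return alerts as (subject, detector, value); detector is 'deny_count' or 'sequence'."""
    denied = defaultdict(int)    # statistical counter, tracked per subject
    progress = defaultdict(int)  # index of the next expected signature step, per subject
    alerts = []
    for subject, action, obj, outcome in events:
        if outcome == "denied":
            denied[subject] += 1
            if denied[subject] == deny_threshold:
                alerts.append((subject, "deny_count", denied[subject]))
            continue
        # Only allowed accesses advance the sequence, and only for the
        # subject that performed the step: the "who" binds the "what" together.
        step = progress[subject]
        if step < len(signature) and (action, obj) == signature[step]:
            progress[subject] = step + 1
            if progress[subject] == len(signature):
                alerts.append((subject, "sequence", len(signature)))
                progress[subject] = 0
    return alerts
```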
<P>You read in Chapter 3, &#147;The Role of Access Control in Your Environment,&#148; that tools such as Memco&#146;s SeOS could improve upon traditional access control mechanisms in UNIX and NT. However, even the addition of such a tool is not sufficient for all of your security needs. Although attacks against SeOS itself were not identified, some chance exists that the preventative engine will fail. Even if it does not, there is the usual risk that an administrator will incorrectly configure SeOS. Both of these reasons argue further for adding an IDS even if you have additional access control products.</P><P><BR></P>
<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="../ch11/311-312.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="315-318.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>


<!-- all of the reference materials (books) have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->
