📄 012-015.html

📁 Tutorials on intrusion detection
💻 HTML
			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=1//-->
<!--PAGES=012-015//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="010-012.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="015-017.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<H4 ALIGN="LEFT"><A NAME="Heading7"></A><FONT COLOR="#000077">What Makes a Good Reference Monitor</FONT></H4>
<P>A reference monitor should meet three requirements (Anderson, 1972). First, you must be able to isolate the reference monitor; it should be resistant to tampering. Next, the reference monitor must be complete in that it is invoked for every reference to an object by a subject. If a subject is allowed to access an object without going through the reference monitor, say good-bye to CIA. Finally, you must have some way to verify the reference monitor. In practice, this verification is done in many ways. You might trust the vendor&#8217;s reputation; you might have access to the source code; or the product may have been used for years without problems. Look for compact and simple implementations. If the reference monitor is a few hundred lines of code, you might feel more comfortable that the vendor was able to adequately test the implementation.
</P>
<P>The reference monitor is an abstraction that must be programmed into a product to help enforce security. You can think of the reference monitor as a high-level design. The actual implementation of the reference monitor is called the <I>security kernel</I>.</P>
<P><FONT SIZE="+1"><B>The Security Kernel</B></FONT></P>
<P>The security kernel is the real-world implementation of the abstract reference monitor defined in the preceding section. In most systems, the security kernel includes hardware, firmware, and software that work together to control access in the system. The main design goal of a security kernel is simplicity. Ideally, the security kernel design can be written in such precise terms that you can perform mathematical proofs which conclusively show it works as designed. This naturally represents a very high level of assurance. In practice, few vendors go through this much trouble, and, for only a few, such formal mathematical undertakings have been successful (Schell and Brinkley, 1995).
</P>
<P>You probably will not find mathematical proofs in the documentation accompanying commercial products. There is a continuum with poor software quality on the low end and provably secure systems on the high end. Decide what you can live with when looking for a product. Ask the vendor whether it is possible to discuss the security kernel design with you. Make inquiries about the degree of testing that the security kernel undergoes. If the security kernel includes software only, you need to verify fewer components. When the security kernel consists of hardware, firmware, and software, the resulting implementation naturally will be more complex. Workstations or servers running UNIX or NT naturally contain all three components in the security kernel.</P>
<P>Security kernels are found in a variety of products. Clearly, operating systems provide security kernels. Each commercial product you deploy also contains a security kernel. For example, did you know that firewalls also implement their own security kernels? When a firewall makes decisions about whether to permit or deny network traffic, it is consulting an authorization database commonly referred to as the firewall rule base. Like the reference monitor described, the firewall security kernel is also responsible for restricting who can change the rule base itself.</P>
<P>If you ask the vendor to explain the underlying security kernel, you are showing that you are an educated buyer. Seek clarification on the following three aspects of the product:</P>
<DL>
<DD><B>1.</B>&nbsp;&nbsp;Is the reference monitor complete? In other words, is the reference monitor activated each time a subject accesses an object? Is every reference by a subject to an object passing through the reference monitor?
<DD><B>2.</B>&nbsp;&nbsp;How is the reference monitor itself protected from unauthorized tampering? How is the authorization database protected?
<DD><B>3.</B>&nbsp;&nbsp;Is the implementation of the reference monitor simple enough to verify with test cases? If the answer to this question is &#8220;No,&#8221; decide what information you will accept as proof that the reference monitor works.
</DL>
<H3><A NAME="Heading8"></A><FONT COLOR="#000077">Enhancing the Security Model Further</FONT></H3>
<P>At this point, you must surely be asking how the reference monitor alone can adequately provide confidentiality and integrity. In fact, the reference monitor or security kernel trusts other components to help with security. Beyond the security kernel, you also need some way to verify the identity of subjects and objects. As mentioned previously, you also need an authorization database that is used to control access to objects. To know whether the reference monitor is behaving correctly, audit data must be produced to track its activities.
</P>
<P>Taking a quick look back, you can see that the security model begins with subjects and objects and then incorporates an abstract reference monitor. The security model is now enhanced with the addition of three more components. The <I>identification and authentication</I> (I&#38;A) component of a computer system interacts with the security kernel to positively identify subjects and objects. The authorization database component discussed earlier also is added to the security model. Finally, an audit mechanism is added for accountability and monitoring. With these three additions, the security model is complete enough to be useful for specifying a complete security policy. The <I>trusted computing base</I> (TCB) includes any hardware, software, or firmware used in the security kernel, the I&#38;A subsystem, the authorization database, or the auditing subsystem to enforce the security policy.</P>
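<P>The following Python model is an added illustration, not code from the book: it ties together the three vendor questions above (complete mediation, protection of the monitor and its authorization database, verifiability by test cases) and the security-model components just listed (authorization database and audit trail; subjects are assumed to arrive already identified by an I&#38;A step). The subject names, object names and the rule layout are constructed assumptions.</P>

```python
# Added illustration (not the book's code): a toy security kernel that mediates
# every access to an object store, guards its own authorization database, and
# records an audit trail. Subject/object names and rule layout are assumptions.
from dataclasses import dataclass, field

@dataclass
class SecurityKernel:
    rules: dict                    # authorization DB: (subject, object) -> actions
    audit: list = field(default_factory=list)
    rule_admin: str = "secadmin"   # only subject allowed to change the rule base

    def check(self, subject, obj, action):
        """Reference-monitor decision; every request is audited (completeness)."""
        permitted = action in self.rules.get((subject, obj), set())
        self.audit.append((subject, action, obj, "PERMIT" if permitted else "DENY"))
        return permitted

    def set_rule(self, requester, subject, obj, actions):
        """The rule base is itself a protected object: changes are mediated too."""
        decision = "PERMIT" if requester == self.rule_admin else "DENY"
        self.audit.append((requester, "modify", "rulebase", decision))
        if decision == "PERMIT":
            self.rules[(subject, obj)] = set(actions)
        return decision == "PERMIT"

class GuardedStore:
    """Every read/write path goes through kernel.check(); there is no bypass."""
    def __init__(self, kernel):
        self.kernel, self._data = kernel, {}

    def write(self, subject, obj, value):
        # store the value only if the kernel permits; report the decision
        if not self.kernel.check(subject, obj, "write"):
            return False
        self._data[obj] = value
        return True

    def read(self, subject, obj):
        # return the value, or None when the kernel denies the read
        if not self.kernel.check(subject, obj, "read"):
            return None
        return self._data.get(obj)

def demo():
    kernel = SecurityKernel({("alice", "payroll"): {"read", "write"},   # constructed
                             ("bob", "payroll"): {"read"}})             # scenario
    store = GuardedStore(kernel)
    store.write("alice", "payroll", "Q3 figures")
    return {"bob_read": store.read("bob", "payroll"),
            "bob_write": store.write("bob", "payroll", "tampered"),
            "bob_edits_rules": kernel.set_rule("bob", "bob", "payroll", {"write"}),
            "denied": [e for e in kernel.audit if e[3] == "DENY"]}
```

Because every decision lands in the audit list, the audit trail doubles as the evidence a buyer can use to test the third question: each denied access and each attempted rule-base change is visible after the fact.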
<H4 ALIGN="LEFT"><A NAME="Heading9"></A><FONT COLOR="#000077">Identification and Authentication (I&#38;A)</FONT></H4>
<P>A secure computer system must provide a trustworthy component for identifying subjects and objects. Like the reference monitor and security kernel introduced earlier, the I&#38;A component should be tamper resistant and simple. If the I&#38;A programs or hardware can be compromised, the confidentiality and integrity of the system will no longer be guaranteed. After penetrating your system, one of the first things a hacker will do is plant Trojan Horse routines for the real I&#38;A programs. One of the oldest tricks is to leave a password grabber running on a computer terminal. The grabber pretends to be the real operating system login program, but its sole purpose is to trick an unsuspecting user. Because I&#38;A is the first step in getting into a computer, it is obviously where a hacker will probe for weaknesses.
</P>
<P>A confounding behavior of computing systems is <I>on behalf of semantics</I>. When a person wants to access a computer, the first step is typically I&#38;A. What really happens after this initial phase will be described in detail in the next chapter for both UNIX and NT. However, unless you are starring in the motion picture <I>Tron</I>, you can be sure that you don&#8217;t physically enter the system yourself. Instead, things happen inside the computer on your behalf.</P><P><BR></P>


<!-- all of the reference materials (books) have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reveresed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1">
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->
