			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
<!-- LEFT NAV SEARCH END -->

		</td>
		
<!-- PUB PARTNERS END -->
<!-- END LEFT NAV -->

<td rowspan="8" align="right" valign="top"><img src="/images/iswbls.gif" width=1 height=400 alt="" border="0"></td>
<td><img src="/images/white.gif" width="5" height="1" alt="" border="0"></td>
<!-- end of ITK left NAV -->

<!-- begin main content -->
<td width="100%" valign="top" align="left">


<!-- END SUB HEADER -->

<!--Begin Content Column -->

<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>


<!-- Empty Reference Subhead -->

<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=2//-->
<!--PAGES=029-031//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<P><BR></P>
<H2><A NAME="Heading1"></A><FONT COLOR="#000077">Chapter 2<BR>The Role of Identification and Authentication in Your Environment
</FONT></H2>
<P>Intrusion detection involves not only knowing that someone is trying to break into your system, but also identifying <I>who</I> the intruder is. This fundamental notion of <I>who</I> in computer environments is at the heart of regulating all of the system&#8217;s activities. That is, the subject of an operation is determined by who is performing the act. In this chapter, you learn about weaknesses with authentication systems, what people have done to improve upon these weaknesses, and why intrusion detection is still needed even if you deploy strong authentication tools.</P>
<P>Initially, the focus is on the standard login process used to authenticate a user to the computer. After this material is covered, you will explore authentication between other entities, such as computers or software servers. An in-depth survey of network authentication requires a thorough understanding of network protocols. Although some of the discussion is about authentication across networks, this topic is not covered in detail until Chapter 4, &#8220;Traditional Network Security Approaches,&#8221; in which you will explore network security.</P>
<P>The material in this chapter begins with discussions of UNIX and NT login procedures. Threats and defenses are identified for traditional password-based authentication. Following this discussion, you learn about alternative authentication servers.</P>
<P>Recall from the preceding chapter that <I>identification and authentication</I> (I&#38;A) can be based on something you know, something you have, or something you are. Note that most operating systems or other products requiring authentication are now enabled to use a variety of techniques for verifying the identity of users. For example, IBM&#8217;s AIX operating system is designed with an authentication grammar that enables you to plug in different commercial products. The Open Group&#8217;s <I>Common Desktop Environment</I> (CDE) also includes a pluggable authentication mechanism. The IBM Firewall supports strong authentication with hardware tokens, too. These enhancements were added because of concerns about relying on a single password for authentication. You can easily add stronger authentication software or hardware to products such as operating systems, firewalls, and databases.</P>
<P>Knowing who is on your system is only part of the story. Knowing <I>what</I> the user did and whether the account has been compromised by an intruder is also important. I&#38;A tools will help you improve upon problems like weak passwords. Intrusion detection tools are needed on top of these to track the activities of your users and to watch for intruders masquerading as normal users.</P>
<H3><A NAME="Heading2"></A><FONT COLOR="#000077">Identification and Authentication in UNIX</FONT></H3>
<P>Consider first a configuration that involves a stand-alone, multiuser computer with a directly attached terminal or display unit. After this simple scenario is described, we can elaborate on more complex cases involving network connections. The entities that are involved in UNIX I&#38;A are <I>users</I> and <I>groups</I>.</P>
<H4 ALIGN="LEFT"><A NAME="Heading3"></A><FONT COLOR="#000077">Users and Groups</FONT></H4>
<P>In UNIX users are identified by a unique <I>username</I> composed of a contiguous string of characters including letters and numbers. For historical reasons, uppercase characters are not used. Special characters such as punctuation symbols are rarely found in usernames because applications running on the system may have trouble interpreting unusual characters.</P>
<P>Paired with each username is a numerical user ID, or <I>UID</I>. The UNIX operating system does not require each username to be paired with a unique UID. However, a recommended security practice is to assign a separate UID to each user. Some versions of UNIX provide higher-level commands or programs for adding users. As common practice, these programs assign the next UID value when a user is added or force the administrator to enter an unused UID. Even so, bypassing these administrative utilities and assigning the same UID to more than one user is possible. The mappings between usernames and UIDs are defined in the /etc/passwd file. This file usually can be edited directly by the machine&#8217;s administrator, which is how one can pair two usernames with the same UID.</P>
<P>UNIX uses the UID as the subject identifier when performing many of its access control decisions. The username is rarely needed for anything other than the initial login I&#38;A phase. Because the UID is the basis for many decisions made by the reference monitor, you can see why assigning duplicate UIDs might be a problem. If several users are performing tasks with the same UID, determining accountability for actions will be more difficult, though not impossible. For the sake of simplicity, the remaining discussions assume that a UID is assigned to only one user.</P>
<P>UNIX also provides a means for combining users into groups. Each group is identified by a groupname and <I>group ID</I> (GID). A user belongs to a <I>primary group</I> whose GID value is stored with the user&#8217;s record in /etc/passwd. All groups defined on the system are stored in /etc/group. Users can belong to zero or more <I>secondary groups</I>, too. GIDs are also needed by the UNIX reference monitor for making some access control decisions.</P>
<P>Figure 2.1 shows a dump of the /etc/passwd file from a UNIX system. Each entry in the file is contained on one logical line. That is, an entry is terminated by an <I>end of line</I> (EOL) character. Fields in a record are separated by the colon character (:). Table 2.1 provides an explanation of the meaning of each field in a record. Entries in /etc/group have a similar format except that no password is associated with the group itself. Figure 2.2 shows the contents of an example /etc/group file.</P>
<P><A NAME="Fig1"></A><A HREF="javascript:displayWindow('images/02-01.jpg',571,250 )"><IMG SRC="images/02-01t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/02-01.jpg',571,250)"><FONT COLOR="#000077"><B>Figure 2.1</B></FONT></A>&nbsp;&nbsp;Typical contents of the /etc/passwd file.</P>
<TABLE WIDTH="100%">
<CAPTION ALIGN=LEFT><B>Table 2.1</B> Interpretation of Fields in a Record in /etc/passwd
<TR>
<TH COLSPAN="2"><HR>
<TR>
<TH WIDTH="35%" ALIGN="LEFT">Field
<TH WIDTH="65%" ALIGN="LEFT">Contents
<TR>
<TD COLSPAN="2"><HR>
<TR>
<TD>terry
<TD>Username
<TR>
<TD>fC3/.rj29MBD
<TD>Hashed password value
<TR>
<TD>101
<TD>UID
<TR>
<TD>100
<TD>Group ID (GID)
<TR>
<TD>Terry Escamilla
<TD>Full name of user
<TR>
<TD>/home/terry
<TD>Home directory of user
<TR>
<TD>/bin/ksh
<TD>Login shell for user
<TR>
<TD COLSPAN="2"><HR>
</TABLE>
<P><A NAME="Fig2"></A><A HREF="javascript:displayWindow('images/02-02.jpg',265,252 )"><IMG SRC="images/02-02t.jpg"></A>
<BR><A HREF="javascript:displayWindow('images/02-02.jpg',265,252)"><FONT COLOR="#000077"><B>Figure 2.2</B></FONT></A>&nbsp;&nbsp;Contents of the /etc/group file.<P><BR></P>
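<P>As an added illustration (not code from the book), the following Python script parses records in the Table 2.1 layout and the /etc/group layout, and reports any UID paired with more than one username, which is the accountability problem the text describes. The file contents are constructed sample data, not a dump of a real system.</P>

```python
from collections import defaultdict

# Field order in a /etc/passwd record, as in Table 2.1.
PASSWD_FIELDS = ("username", "hashed_password", "uid", "gid",
                 "full_name", "home", "shell")

# Constructed sample files (not from a real system): 'root2' shares UID 0
# with 'root', and 'tom' shares UID 101 with 'terry'.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
root2:x:0:0:second root:/root:/bin/sh
terry:fC3/.rj29MBD:101:100:Terry Escamilla:/home/terry:/bin/ksh
tom:x:101:100:Tom:/home/tom:/bin/sh
jane:x:102:100:Jane:/home/jane:/bin/sh
"""
SAMPLE_GROUP = """\
staff:x:100:terry,tom
wheel:x:0:root
"""

def parse_passwd(text):
    """One dict per logical line; fields are colon-separated (Table 2.1)."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(PASSWD_FIELDS):
            raise ValueError(f"line {lineno}: {len(parts)} fields, expected 7")
        rec = dict(zip(PASSWD_FIELDS, parts))
        rec["uid"], rec["gid"] = int(rec["uid"]), int(rec["gid"])
        records.append(rec)
    return records

def parse_group(text):
    """{groupname: (gid, [member usernames])}; the group password field is unused."""
    groups = {}
    for line in text.splitlines():
        if line.strip():
            name, _pw, gid, members = line.split(":")
            groups[name] = (int(gid), [m for m in members.split(",") if m])
    return groups

def duplicate_uids(records):
    """UIDs paired with more than one username, the accountability problem above."""
    by_uid = defaultdict(list)
    for rec in records:
        by_uid[rec["uid"]].append(rec["username"])
    return {uid: names for uid, names in by_uid.items() if len(names) > 1}
```

Running duplicate_uids over a real /etc/passwd is a quick audit for the condition the chapter warns about; any shared UID 0 deserves immediate attention.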


<!-- all of the reference materials (books) have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- BEGIN SUB FOOTER -->
		<br><br>
		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
<!-- END SUB FOOTER -->

<!-- all of the books have the footer and subfoot reversed -->
<!-- reference_subfoot = footer -->
<!-- reference_footer = subfoot -->

<!-- FOOTER -->
			
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>

<!-- END FOOTER -->
