			</SELECT>
			</font></td>
	</tr>
	</table>
	</form>
		</td>
		
<td width="100%" valign="top" align="left">


<FONT FACE="Arial,Helvetica" SIZE="-1">
To access the contents, click the chapter and section titles.
</FONT>
<P>
<B>Intrusion Detection: Network Security beyond the Firewall</B>
<FONT SIZE="-1">
<BR>
<I>(Publisher: John Wiley & Sons, Inc.)</I>
<BR>
Author(s): Terry Escamilla
<BR>
ISBN: 0471290009
<BR>
Publication Date: 11/01/98
</FONT>
<P>
<!--ISBN=0471290009//-->
<!--TITLE=Intrusion Detection: Network Security Beyond the Firewall//-->
<!--AUTHOR=Terry Escamilla//-->
<!--PUBLISHER=John Wiley & Sons, Inc.//-->
<!--IMPRINT=Wiley Computer Publishing//-->
<!--CHAPTER=2//-->
<!--PAGES=051-052//-->
<!--UNASSIGNED1//-->
<!--UNASSIGNED2//-->

<CENTER>
<TABLE BORDER>
<TR>
<TD><A HREF="049-051.html">Previous</A></TD>
<TD><A HREF="../ewtoc.html">Table of Contents</A></TD>
<TD><A HREF="053-055.html">Next</A></TD>
</TR>
</TABLE>
</CENTER>
<P><BR></P>
<P><FONT SIZE="+1"><B>Ideas for Improving Reusable Passwords</B></FONT></P>
<P>If you are constrained to relying on reusable passwords for I&#38;A at your site, consider these ideas. Good security practices dictate that each password be subject to an aging rule, such as expiring the password when it becomes 180 days old or after it has been used 265 times. Similar rules should be followed for password composition, requiring that passwords include uppercase, lowercase, numeric, and even some special characters. Another composition recommendation is to limit the number of repeated characters in a password, whether serially repeated or not. To ensure that an attacker must search a large number of alternatives, the password should be the maximum length permitted on the system. Unfortunately, most UNIX systems only support 8-character passwords.
</P>
<P>Another password rule is to limit similarities between the user&#146;s previous password and the newly chosen one. You could require that at least six of the characters in the password be different from those used in the previous password. Controlling password history is also a good idea. Some operating systems allow the administrator to configure how many password changes a user must endure before the same password can be reused. To prevent the user from choosing a temporary new password several times until the threshold is reached, a configuration value also is provided for a minimum password age. The user cannot change the password until the minimum age has expired.</P>
<P>The system also can generate passwords for users. Two problems are encountered with this approach. If the password is difficult to guess, the tradeoff is that you will find users writing down the complex strings. On the other hand, if the password generator creates pronounceable strings that fit a particular grammar, an attacker can use this information to narrow the search space. A hacker also can proactively check for passwords as they are chosen by users. Ideas for proactive password checkers can be found in the literature (Stallings, 1995; Bishop, 1993). Logical choices include modifying the change-password routines to invoke programs that compare the user&#146;s choice with dictionary entries.</P>
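<P>The composition, similarity, history, aging and dictionary rules described above, written out as a proactive change-password check. This is an added example, not code from the book; the policy values, the sample word list, and the reading of &#147;six different characters&#148; as characters that did not occur in the previous password are assumptions.</P>

```python
import re
from datetime import date

# Policy values follow the chapter's suggestions; the 8-character maximum is the
# traditional UNIX limit it mentions. All are assumptions, not real settings.
MAX_LENGTH = 8        # passwords should be the maximum length the system permits
MAX_AGE_DAYS = 180    # expire a password after 180 days ...
MAX_USES = 265        # ... or after it has been used 265 times
MIN_AGE_DAYS = 1      # the user may not change it again before this age
HISTORY_DEPTH = 5     # changes that must pass before a password can be reused
MAX_REPEATS = 2       # at most this many occurrences of any single character
MIN_DIFFERENT = 6     # characters that must not have been used in the old one

# Constructed sample word list standing in for a real cracking dictionary.
DICTIONARY = {"password", "letmein", "welcome1"}

def check_new_password(pw, previous=None, history=(), dictionary=DICTIONARY):
    """Proactive check invoked by a change-password routine; returns the list
    of rule violations (an empty list means the choice is acceptable)."""
    errors = []
    if len(pw) < MAX_LENGTH:
        errors.append("shorter than the %d-character maximum" % MAX_LENGTH)
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"),
                          ("numeric", r"[0-9]"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, pw):
            errors.append("no %s character" % name)
    # Repeated characters count whether they are adjacent or scattered.
    if any(pw.count(ch) > MAX_REPEATS for ch in set(pw)):
        errors.append("a character repeats more than %d times" % MAX_REPEATS)
    # Similarity rule, read here as: at least MIN_DIFFERENT characters of the
    # new password must not occur anywhere in the previous one.
    if previous is not None and sum(ch not in previous for ch in pw) < MIN_DIFFERENT:
        errors.append("fewer than %d characters differ from previous" % MIN_DIFFERENT)
    # History rule: none of the last HISTORY_DEPTH passwords may be reused.
    if pw in list(history)[-HISTORY_DEPTH:]:
        errors.append("reuses one of the last %d passwords" % HISTORY_DEPTH)
    # Dictionary comparison, as the chapter suggests for change-password routines.
    if pw.lower() in dictionary:
        errors.append("found in dictionary")
    return errors

def aging_status(set_on_iso, uses, today_iso):
    """Aging rule for an existing password (ISO dates): 'expired' when too old or
    used too often, 'locked' while under the minimum age, otherwise 'ok'."""
    age_days = (date.fromisoformat(today_iso) - date.fromisoformat(set_on_iso)).days
    if age_days >= MAX_AGE_DAYS or uses >= MAX_USES:
        return "expired"
    if age_days < MIN_AGE_DAYS:
        return "locked"
    return "ok"
```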
<P>One additional idea is to require each user to enter more than one password value. That is, authentication would be based on something you know <I>and</I> something you know. Although this method is stronger than a single reusable password, it still suffers from the problems already described. In terms of algorithm complexity, guessing twice as many passwords is negligibly harder for a password cracker.</P>
<P>As you probably have guessed, significantly improving the security of I&#38;A at your site means foregoing reusable passwords. For example, instead of requiring a user to know two passwords for authentication, it would be better to base authentication on two values selected separately from something you know, something you have, and something you are. Perhaps you have seen movies in which an employee first inserts a badge into a reader and then also keys an access code into a keypad. Here, authentication is based on something the user has <I>and</I> on something the user knows. Either single authentication item alone is insufficient for gaining access to the target environment.</P>
<P>You will learn about mechanisms that avoid reusable passwords or require multiple authentication values in a few moments. Before doing so, let&#146;s pick up the earlier discussion path and expand your knowledge of authentication servers. Because many improvements to I&#38;A require authentication servers, knowing how a server such as Kerberos works will help you evaluate alternatives. Before reading about Kerberos, you might want to glance through the sidebar, &#147;A Cryptography Primer,&#148; if you are a novice to cryptography. More thorough treatments of cryptography can be found in Schneier (1996), Denning (1983), and Koblitz (1994).</P>
<H3><A NAME="Heading22"></A><FONT COLOR="#000077">Improving upon I&#38;A with Authentication Servers</FONT></H3>
<P>In this section, you learn how authentication servers can be used to solve I&#38;A problems in distributed systems. Specifically, third-party authentication based on Kerberos and X.509 certificates is described.
</P>
<H4 ALIGN="LEFT"><A NAME="Heading23"></A><FONT COLOR="#000077">Third-Party Authentication</FONT></H4>
<P>The goal of a third-party authentication system is to provide secure communications between previously unknown entities. When MIT started the Athena project to deploy a number of distributed systems across a large network, they immediately realized that I&#38;A was the initial weakest link in security. To solve their problems, researchers developed the Kerberos authentication system. Now widely deployed at various sites, Kerberos provides a third-party authentication server across heterogeneous operating systems.
</P>
<P>Another third-party system described in this section is based on X.509 digital certificates. One of the drawbacks of Kerberos is that to date it has relied on secret-key technology, or symmetric cryptography, for I&#38;A between entities. Lately, though, extensions have been proposed to Kerberos to support X.509 certificates. The X.509 standard is part of a large body of standards developed by the <I>International Standards Organization</I> (ISO) aimed at solving distributed computing problems. X.509 certificates are based on public key, or asymmetric cryptography, which overcomes some of the critiques of Kerberos mentioned in the following section.</P><P><BR></P>


		</TD>
    </TR>
	</TABLE>

		
	<table width="640" border=0 cellpadding=0 cellspacing=0>
		<tr>
		<td align="left" width=135><img src="/images/white.gif" width=100 height="1" alt="" border="0"></td>
		
		
		<td width="515" align="left" bgcolor="#FFFFFF">
<font face="arial, helvetica" size="1"><b><a href="/products.html"><font color="#006666">Products</font></a>&nbsp;|&nbsp; <a href="/contactus.html"><font color="#006666">Contact Us</font></a>&nbsp;|&nbsp; <a href="/aboutus.html"><font color="#006666">About Us</font></a>&nbsp;|&nbsp; <a href="http://www.earthweb.com/corporate/privacy.html" target="_blank"><font color="#006666">Privacy</font></a> &nbsp;|&nbsp; <a href="http://www.itmarketer.com/" target="_blank"><font color="#006666">Ad Info</font></a> &nbsp;|&nbsp; <a href="/"><font color="#006666">Home</font></a></b>
		<br><br>
		
		Use of this site is subject to certain <a href="/agreement.html">Terms &amp; Conditions</a>, <a href="/copyright.html">Copyright &copy; 1996-1999 EarthWeb Inc.</a><br> 
All rights reserved.  Reproduction whole or in part in any form or medium without express written permission of EarthWeb is prohibited.</font><p>
</td>
		</tr>
</table>
</BODY>
</HTML>
