tailieunhanh - Firewalls and Internet Security, Second Edition, part 5

It is often difficult to increase the capacity of a network link quickly, and it is expensive as well. It is also frustrating to have to spend that kind of money simply to cope with an attack. It may be easiest to increase the capacity of the server.

[Figure: Preventing exposed machines from eavesdropping on the DMZ net. Panels: isolation via a filtering bridge; isolation via a smart 10BaseT hub.]

A router instead of the filtering bridge could be used to guard against address-spoofing. It would also do a better job protecting against layer-2 attacks.

The name server can supply more complete information: many name servers are configured to dump their entire database to anyone who asks for it. You can limit the damage by blocking TCP access to the name server port, but that won't stop a clever attacker. Either way provides a list of important hosts, and the numeric IP addresses provide network information. Dig can supply the following data:

    dig axfr zone @ +pfset=0x2020

Specifying +pfset=0x2020 suppresses most of the extraneous information dig generates, making it more suitable for use in pipelines.

Chroot: Caging Suspect Software

UNIX provides a privileged system call named chroot that confines a process to a subtree of the file system. This process cannot open or create a file outside this subtree, though it can inherit file handles that point to files outside the restricted area. Chroot is a powerful tool for limiting the damage that buggy or hostile programs can do to a Unix system. It is another very important layer in our defenses: if a service is compromised, we don't lose the entire machine. It is not perfect (user root may, with difficulty, be able to break out of a chroot-limited process), but it is pretty good. Chroot is one of a class of software tools that create a jail or sandbox for software execution. This can limit damage to files should that program misbehave.
Sandboxes in general provide an important layer for defense-in-depth against buggy software. They are another battleground in the war between convenience and security. The original sandboxes, containing Java programs, have often been extended to near impotence by demands for greater .
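The zone-transfer exposure described above (a name server that dumps its whole database to anyone who asks) is best closed at the server itself rather than only at the firewall. The following named.conf fragment is an added example in BIND 9 syntax, not text from the book; the zone name, file name and the secondary's address are constructed placeholders.

```conf
// Weak configuration: any client can issue AXFR and receive the entire zone.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { any; };      // hands the full host list to anyone who asks
};

// Hardened configuration: refuse transfers globally, then allow only the
// known secondary for the zones it serves.
acl secondaries { 192.0.2.2; };   // constructed address (documentation range)

options {
    allow-transfer { none; };     // default for every zone on this server
};

zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { secondaries; };   // overrides the global default
};
```

After reloading, running `dig axfr example.com` against the server from a host that is not in the acl should report a failed transfer, while ordinary lookups of individual names continue to work.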
