
Copyright 1999 University of California
Network Security by David G. Messerschmitt
Supplementary section for Understanding Networked Applications: A First Course, Morgan Kaufmann, 1999.

Copyright notice: Permission is granted to copy and distribute this material for educational purposes only, provided that this copyright notice remains attached.

By its very nature, a public network is a security risk, as it opens up access to each connected host to everybody (see Chapter 13). Fortunately, there are measures that can be taken to mitigate these risks. Both the risks and the measures taken to counter them depend on an understanding of the network architecture presented earlier in this chapter.

Secure and Insecure Authentication

One key to protecting a host is access control and the associated authentication of users. Unfortunately, some simple authentication approaches in common use are insecure. A common approach is to ask a user to supply a password, which can be captured in transit unless the entire session is encrypted. Alternatively, the IP address of a host is sometimes used to authenticate it. An intruder who gains physical access to a network, or who can surreptitiously install a program on a host connected to the network, can monitor network traffic. This sniffing attack can uncover valuable information such as the IP addresses of hosts or user passwords.

It is possible for an attacker to masquerade as a different host by spoofing an IP address, making it appear that packets are originating from another host, so the source address of a packet is no evidence of who sent it. Authentication based on a shared secret or certificate, as described in Chapter 13, is much more secure. Servers sometimes authenticate another host by matching its domain name against its IP address, making a reverse query to the domain name system. Unfortunately, the DNS is itself insecure and thus should not be trusted: the answer to a reverse lookup is supplied by whoever controls the reverse zone for that address block, which may well be the attacker. Also, the information sent among DNS zones can be sniffed, uncovering potentially valuable information such as a list of domain names and IP addresses internal
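The three authentication methods discussed above (trusting the source IP address, trusting a reverse DNS lookup, and a shared secret) can be compared side by side. The following Python program is an added example and is not part of Messerschmitt's text. The hosts, addresses, names and the in-memory DNS tables are constructed for illustration; the shared-secret scheme is an HMAC challenge/response, which is one way to realise the shared-secret authentication the text refers to, and the forward-confirmed reverse DNS check goes beyond the text as a stricter (but still DNS-dependent) variant of the name-matching approach.

```python
"""Added example (not from Messerschmitt's text): why authenticating a peer by
its IP address or by its reverse-DNS name is weak, and why a shared-secret
challenge/response is not fooled by sniffing or address spoofing.

All hosts, names, addresses and DNS records below are constructed."""
import hashlib
import hmac
import secrets

# Constructed DNS data.  A real resolver would query the network; here the
# attacker is assumed to control the reverse zone for its own address block,
# which is exactly the situation on a public network.
FORWARD = {                                   # name -> address (zone of example.com)
    "trusted.example.com": "192.0.2.10",
}
REVERSE = {                                   # address -> PTR name
    "192.0.2.10": "trusted.example.com",      # legitimate record
    "198.51.100.7": "trusted.example.com",    # attacker-controlled PTR that lies
}
TRUSTED_NAMES = {"trusted.example.com"}
TRUSTED_ADDRS = {"192.0.2.10"}


def auth_by_ip(src_ip: str) -> bool:
    """Address-based authentication: trusts whatever the packet header says.
    The server sees the same field whether or not it was forged."""
    return src_ip in TRUSTED_ADDRS


def auth_by_reverse_dns(src_ip: str) -> bool:
    """Name-based authentication as in the text: look the address up in DNS and
    compare the returned name.  The PTR answer comes from whoever owns the
    reverse zone for src_ip, so it is not evidence of identity."""
    return REVERSE.get(src_ip) in TRUSTED_NAMES


def auth_by_fcrdns(src_ip: str) -> bool:
    """Forward-confirmed reverse DNS (stricter check, not in the text): the PTR
    name must also resolve forward to the same address.  Stops an attacker whose
    only lever is their own PTR record, but still trusts DNS and the source
    address, so it is a hardening step rather than a fix."""
    name = REVERSE.get(src_ip)
    return name in TRUSTED_NAMES and FORWARD.get(name) == src_ip


# Shared-secret challenge/response.  The secret never crosses the wire and the
# response is bound to a fresh nonce, so a sniffer learns nothing it can replay
# and a spoofed source address carries no weight.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"   # provisioned out of band


def server_challenge() -> bytes:
    return secrets.token_bytes(16)            # fresh random nonce per session


def client_response(secret: bytes, client_id: str, nonce: bytes) -> bytes:
    return hmac.new(secret, client_id.encode() + nonce, hashlib.sha256).digest()


def server_verify(secret: bytes, client_id: str, nonce: bytes, response: bytes) -> bool:
    expected = client_response(secret, client_id, nonce)
    return hmac.compare_digest(expected, response)   # constant-time comparison


def demo() -> dict:
    """Run each scheme against a legitimate host and an attacker; returns the
    outcomes as a dict so they can be checked rather than only printed."""
    results = {
        "ip_legit": auth_by_ip("192.0.2.10"),
        "ip_spoofed": auth_by_ip("192.0.2.10"),       # attacker forged this source address
        "rdns_attacker": auth_by_reverse_dns("198.51.100.7"),
        "fcrdns_attacker": auth_by_fcrdns("198.51.100.7"),
        "fcrdns_legit": auth_by_fcrdns("192.0.2.10"),
    }
    # Legitimate session: a sniffer on the path sees nonce1 and resp1.
    nonce1 = server_challenge()
    resp1 = client_response(SHARED_SECRET, "alice", nonce1)
    results["cr_legit"] = server_verify(SHARED_SECRET, "alice", nonce1, resp1)
    # Replay: the attacker reuses the sniffed response against a new challenge.
    nonce2 = server_challenge()
    results["cr_replay"] = server_verify(SHARED_SECRET, "alice", nonce2, resp1)
    # Forgery without the secret, regardless of what source address is spoofed.
    forged = client_response(b"attacker-guess", "alice", nonce2)
    results["cr_forged"] = server_verify(SHARED_SECRET, "alice", nonce2, forged)
    return results


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:16s} {'ACCEPTED' if accepted else 'rejected'}")
```

Running the script shows the spoofed address and the lying PTR record both accepted by the weak checks, while the challenge/response rejects both the replayed and the forged response; the forward-confirmed lookup rejects the attacker here only because the forward zone is not under their control, which is why it is a hardening step and not a substitute for a shared secret or certificate.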