Author: David Elson
Translation: ishtar
IDS: THEORY & PRACTICE
Intrusion Detection Systems: Theory and Practice
Ever since computers were first connected together in networks, network security has been a major concern. As the Internet has grown, so have the demands placed on security systems, and one of those demands is an intrusion detection system.
This article introduces several common intrusion detection systems and the theory and practice behind them. It should be pointed out that this is only an introductory article; even though I recommend a number of possible systems, you should study them in depth before you trust their reliability. (Translator's note: NND, it drives me crazy typing the four-character term every time, so from here on I will just write ID. An intrusion detection system is an IDS :-) )
I. What is intrusion detection?
Intrusion detection is the effort to monitor, and where possible block, intrusions or attempts to take control of your system or network resources.
In short, it works like this: you have a machine connected to a network, perhaps to the Internet, and for understandable reasons you want to grant authorised users permission to access your system over the network. For example, you have a web server connected to the Internet and you want customers, employees and prospective customers to be able to read the pages stored on it.
However, you do not want unauthorised employees, customers or other unauthorised third parties accessing the system. For example, you do not want anyone other than the web designers your company employs to be able to modify the pages stored on the machine. One typical approach is to use a firewall or some kind of authentication system to prevent unauthorised access.
But in some cases a firewall or an authentication system alone can be defeated. Intrusion detection is a technology that reacts to unauthorised connection attempts and can even fend off some of the intrusions that might otherwise succeed.
II. So why use an ID?
Here are some reasons for using an ID:
(1) You need to protect your data and your systems, and the fact is that in today's Internet environment, if you rely only on ordinary passwords and file protection, you cannot guarantee the security of your data and systems forever.
(2) Where protecting data is concerned, nothing matters more than the security of the system itself. Connecting your machine to the Internet without any protection at all, without even setting an administrator password, and expecting it to stay out of trouble is little short of wishful thinking. Likewise, protecting the system's core files and its authentication databases (such as the SAM on NT and /etc/passwd or /etc/shadow on UNIX) is very important.
(3) When a LAN is connected to the Internet, a firewall or other protective measures are usually in place. In an NT environment, if file sharing is enabled, or if TELNET is permitted, the machine needs better protection: for example, restricting NT file sharing over SMB at the firewall by blocking ports 137-139 (TCP and UDP), and replacing TELNET with SSH in a UNIX environment.
(4) An ID serves a further purpose: because it sits between the firewall and the protected systems, it adds another layer of protection on top of the system. For example, by watching sensitive ports with the ID you can tell whether the firewall has been breached or the protective measures have been disabled.
III. What kinds of ID are there?
IDs fall into two broad categories:
(1) Network-based systems: these IDs are placed on the network, close to the systems being watched; they monitor network traffic and judge whether it is normal.
(2) Host-based systems: these usually run on the monitored system itself and check whether the processes running on it are legitimate. I would add a more recent kind of ID: one that lives inside the operating system kernel and monitors the lowest-level behaviour of the system. All of these systems have recently become available for a range of platforms.
Network-based ID
Introduction
A network-based IDS monitors the traffic of the whole network. A network card can operate in one of two modes:
Normal mode: delivery is decided by the MAC address carried in the frame; the card only passes up frames addressed to its own MAC address (plus broadcast and multicast frames), and everything else on the wire is discarded.
Promiscuous mode: the host receives every frame the card can see on the wire.
A card can be switched between normal and promiscuous mode, and the switch is made through low-level operating system functions. A network-based IDS generally needs the card set to the latter mode.
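As an added example (not code from the original article or from any product it names), the following Python shows the two things described above in miniature: the acceptance rule a card applies in normal mode versus promiscuous mode, and the header decoding a sniffer or network IDS performs on every frame it receives. Capturing live frames needs a raw socket (AF_PACKET on Linux) and root privileges; here the frame is a constructed byte string with zero checksums so the code runs offline. The MAC and IP addresses are made up for the example.

```python
"""Added example: NIC acceptance rule (normal vs promiscuous) and an
Ethernet II / IPv4 / TCP header decoder, run on a constructed frame."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
BROADCAST = b"\xff" * 6


def nic_accepts(frame: bytes, own_mac: bytes, promiscuous: bool) -> bool:
    """Normal mode: only frames for our MAC, broadcast, or multicast reach the
    host. Promiscuous mode: everything on the wire is handed up."""
    if promiscuous:
        return True
    dst = frame[:6]
    return dst == own_mac or dst == BROADCAST or bool(dst[0] & 0x01)


def decode_frame(frame: bytes) -> dict:
    """Parse the headers an IDS keys on. Returns what it could decode;
    non-IPv4 or non-TCP frames stop at the layer that applies."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"dst_mac": dst_mac.hex(":"), "src_mac": src_mac.hex(":"), "ethertype": ethertype}
    if ethertype != ETHERTYPE_IPV4:
        return info
    ip = frame[14:]
    if len(ip) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, _flags_frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4  # header length in bytes (options included)
    info.update(src_ip=".".join(map(str, ip[12:16])),
                dst_ip=".".join(map(str, ip[16:20])), proto=proto)
    if proto != PROTO_TCP or len(ip) < ihl + 20:
        return info
    tcp = ip[ihl:total_len]
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    data_off = (off_flags >> 12) * 4
    info.update(src_port=sport, dst_port=dport, flags=off_flags & 0x1FF, payload=tcp[data_off:])
    return info


def build_frame(dst_mac: bytes, src_mac: bytes, src_ip: str, dst_ip: str,
                sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed test frame: PSH|ACK segment, checksums left zero (a decoder
    test does not need them)."""
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 0, (5 << 12) | 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, PROTO_TCP, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


if __name__ == "__main__":
    own = bytes.fromhex("001122334455")          # assumed MAC of the sniffing host
    other = bytes.fromhex("66778899aabb")        # assumed MAC of a web server
    frame = build_frame(other, own, "10.0.0.5", "10.0.0.80", 40000, 80, b"GET / HTTP/1.0\r\n\r\n")
    print("normal mode accepts:", nic_accepts(frame, own, False),
          "| promiscuous accepts:", nic_accepts(frame, own, True))
    print(decode_frame(frame))
```

A frame addressed to the web server's MAC is invisible to a host in normal mode and fully decodable, payload included, once the card is promiscuous, which is exactly why both sniffers and network IDSs need that mode and why it requires administrator rights.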
Packet sniffing and network monitoring
Packet sniffers and network monitors were originally designed to monitor Ethernet traffic; the first representative products were Novell's LANalyzer and Microsoft's Network Monitor.
These products generally capture every packet they are able to see on the network. Once a packet has been captured, several things may be done with it:
Packet counting: packets are totalled over the capture period to determine the network load during that time; both LANalyzer and Microsoft's Network Monitor present network load very well.
Packet analysis: for example, when you want to analyse the data arriving at a web server, you usually capture some traffic first and then analyse it.
Packet sniffing tools have come a long way in recent years; tools such as Ethereal and the newer versions of Network Monitor can analyse packets in great detail.
One last long-winded point (Translator's note: NND, these foreigners sure do go on): a tool itself is neither good nor evil, it all depends on the person using it. By sniffing a TELNET connection to a UNIX host you may well capture users' passwords, and the first thing any intruder does after getting in is install a packet sniffer. (Translator's note: NND, that is the experts; the most I do is install a sniffer on my own machine, heh heh.)
Packet sniffing and promiscuous mode
All packet sniffing requires the network card to be in promiscuous mode, because only in that mode is every frame that passes the card handed to the sniffer. A precondition for using a sniffer is therefore that the user has administrator privileges on the machine it is installed on.
One more thing to watch out for is the use of switches, as opposed to hubs (Translator's note: NND, as if we Chinese had never seen a switch!). Inside a switch, data received on one port is not necessarily forwarded to any other port, so in that situation a packet sniffer will not necessarily be able to do its job.
Network-based ID: from sniffer to IDS
Unfortunately, from a security standpoint a packet sniffer on its own is of limited use. Capturing every packet and then analysing it and acting on it by hand is an unbelievably tedious job. But what if software did that work for us?
That is exactly the job of a network-based ID, such as the widely used ISS RealSecure Engine and Network Flight Recorder.
Here is what an ID such as the RealSecure Engine does:
It monitors the data passing over the network.
If the data is normal, it is allowed through (or kept for later analysis). If a packet is judged likely to endanger the security of the destination system, the engine sends a "connection closed" (a TCP reset, for TCP connections) or a "port unreachable" (for ICMP) to sever the connection between sender and receiver.
In this configuration RealSecure provides an effective blocking system behind the firewall. Of course some people run RS directly in the firewall's position, but I (the original author, that is, not yours truly the translator!) do not recommend doing that.
A network-based ID has some other functions as well, such as:
Detecting obvious port scans. Before breaking into a system an attacker will generally scan it looking for weaknesses; in general, a port scan from a single host on the Internet is often the prelude to an attack.
Detecting common attack patterns. A connection to a web server on port 80 should look perfectly normal, but some connections on that same port 80 may carry sinister intent. Look at this request and you will see what I mean:
"GET /../../../etc/passwd HTTP/1.0"
Identifying IP spoofing. ARP, the protocol that maps between IP and MAC addresses, is a frequent target of attack. By putting frames carrying forged ARP data on the Ethernet, an intruder can masquerade as another system; the result is a variety of denial-of-service attacks, and when a major server (such as a DNS or authentication server) is attacked this way, the intruder can redirect its packets to his own system. A network-based IDS records ARP packets and identifies their source (the Ethernet address); if it determines that the information comes from a system that has been compromised, it blocks the intruder.
If suspicious activity is detected, a network-based ID can take action on its own, including reconfiguring a nearby firewall to block all traffic from the intruder.
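The following Python is an added example, not code from the article or from RealSecure or Network Flight Recorder, of two of the detections listed above run over already-decoded traffic: the port-scan heuristic (one source touching many distinct ports on one host in a short window) and a signature match for the directory-traversal request shown above. The signature percent-decodes and walks the path before matching, so encoded variants such as %2e%2e/ are caught as well as the literal form, and it reports whether the traversal actually climbs above the web root. The packet records, addresses, window and threshold are all constructed assumptions for the example, not values from any product.

```python
"""Added example: port-scan heuristic and HTTP directory-traversal signature
of the kind a network-based ID applies to decoded traffic.
Packet record = (time_s, src_ip, dst_ip, dst_port, is_syn, payload_bytes)."""
from collections import defaultdict, deque
from urllib.parse import unquote

SCAN_WINDOW_S = 10.0      # assumption: window over which distinct ports are counted
SCAN_PORT_THRESHOLD = 15  # assumption: distinct ports from one source that raise an alert
HTTP_PORTS = (80, 8080)   # assumption: where HTTP request lines are inspected


class PortScanDetector:
    """Per (source, destination) pair, count distinct destination ports hit by
    SYNs inside a sliding time window; alert once when the threshold is met."""

    def __init__(self, window_s=SCAN_WINDOW_S, threshold=SCAN_PORT_THRESHOLD):
        self.window_s, self.threshold = window_s, threshold
        self._events = defaultdict(deque)   # (src, dst) -> deque of (time, port)
        self._alerted = set()

    def observe(self, t: float, src: str, dst: str, dport: int):
        key = (src, dst)
        q = self._events[key]
        q.append((t, dport))
        while q and t - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= self.threshold and key not in self._alerted:
            self._alerted.add(key)
            return f"port scan: {src} probed {len(distinct)} ports on {dst} within {self.window_s:.0f}s"
        return None


def traversal_signature(payload: bytes):
    """Return an alert string if the HTTP request line's path contains a '..'
    segment after percent-decoding (applied twice to catch double encoding),
    noting whether the path climbs above the web root; otherwise None."""
    try:
        line = payload.split(b"\r\n", 1)[0].decode("ascii")
    except UnicodeDecodeError:
        return None
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, path = parts[0], parts[1].split("?", 1)[0]
    segments = unquote(unquote(path)).replace("\\", "/").split("/")
    if ".." not in segments:
        return None
    depth, escaped = 0, False
    for seg in segments:
        if seg == "..":
            depth -= 1
            escaped = escaped or depth < 0
        elif seg not in ("", "."):
            depth += 1
    return f"{method} {path}: directory traversal" + (" (escapes web root)" if escaped else "")


def run_ids(packets) -> list:
    """Apply both detections to an ordered packet stream; return alert strings."""
    scanner, alerts = PortScanDetector(), []
    for t, src, dst, dport, is_syn, payload in packets:
        if is_syn:
            alert = scanner.observe(t, src, dst, dport)
            if alert:
                alerts.append(alert)
        if payload and dport in HTTP_PORTS:
            alert = traversal_signature(payload)
            if alert:
                alerts.append(f"{src} -> {dst}:{dport} {alert}")
    return alerts


# Constructed traffic: a normal page fetch, a 20-port scan, then three requests
# containing '..' (literal, percent-encoded, and a harmless one inside the root).
SAMPLE_PACKETS = [
    (0.0, "192.0.2.10", "10.0.0.80", 80, True, b""),
    (0.1, "192.0.2.10", "10.0.0.80", 80, False, b"GET /index.html HTTP/1.0\r\nHost: www\r\n\r\n"),
] + [
    (1.0 + i * 0.05, "203.0.113.7", "10.0.0.80", 1 + i, True, b"") for i in range(20)
] + [
    (5.0, "203.0.113.7", "10.0.0.80", 80, False, b"GET /../../../etc/passwd HTTP/1.0\r\n\r\n"),
    (6.0, "198.51.100.3", "10.0.0.80", 80, False, b"GET /cgi-bin/%2e%2e/%2e%2e/etc/passwd HTTP/1.0\r\n\r\n"),
    (7.0, "192.0.2.10", "10.0.0.80", 80, False, b"GET /images/../style.css HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for a in run_ids(SAMPLE_PACKETS):
        print(a)
```

The third traversal request stays inside the web root, so it is reported without the "escapes web root" qualifier; a real deployment would typically log it at lower severity rather than tear the connection down, which is the kind of tuning the RealSecure-style response described above needs if it is not to reset legitimate sessions.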
Host-based ID
Introduction
Once a packet has reached the destination host, the firewall and network monitoring can no longer do anything about it, but there is one more thing to try: a host-based ID.
Host-based IDs can in turn be divided into two categories:
Network monitoring: this analyses the data arriving at the host and tries to identify potential threats; any connection may be the work of a potential intruder. Note that this differs from a network-based ID: it only monitors data that has already reached this host, whereas the latter monitors the traffic on the network as a whole. Consequently the network card does not need to be put into promiscuous mode.
Host monitoring: any intrusion attempt (or successful intrusion) leaves traces in the monitored files, the file system, the login records or other files on the host, and system administrators can find those traces there.
Monitoring incoming connections:
The host can examine packets trying to enter it before they reach the services running on it, to avoid the damage they might do once inside.
The available approaches are:
Monitoring unauthorised connection attempts to TCP or UDP ports; for example, if someone tries to connect to a port on which no service is listening, it often means someone is looking for holes in the system.
Detecting port scans. Here I would recommend one further measure: adjust the firewall, or the local IP configuration (using ipchains under Linux), to refuse connection requests from likely intruders.
Two packages worth recommending are ISS's RealSecure Agent and PortSentry.
Login monitoring
Even when the administrator has done his utmost and installed the latest IDS, an intruder may still get into the system by means that cannot be detected. One likely cause is that the intruder has already obtained a user's password with a packet sniffer and can log in legitimately.
One of the tasks of a product such as HostSentry is to look for unusual activity on the system: it monitors users' login and logout attempts and alerts the system administrator to any part of that activity that is abnormal or unexpected.
Root activity monitoring
The intruder's ultimate goal is to obtain root privileges on the compromised host. If a web server is well planned, root should rarely need to do anything outside a small number of scheduled maintenance windows. In practice, root users rarely do maintenance on schedule and instead do it whenever they have a spare moment; but even so, an intruder is still likely to be doing things at times or in places where nobody should be.
There is another line to defend: monitoring every action of root or the system administrator. Many UNIX systems allow all of root's operations, logins included, to be logged, and a tool such as logcheck can monitor those log records and bring them to the administrator's attention.
If you are using an open-source operating system, administrators have one more option: modifying the kernel. How to do that is outside the scope of this article; after all, there are plenty of resources on the Internet.
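To make the two monitoring ideas above concrete, here is an added example (not HostSentry or logcheck code) of the rules such tools apply to authentication logs, run over constructed syslog lines. It flags successful root logins, su or sudo to root outside an assumed maintenance window, a user logging in from an address never seen for that user, and a burst of failed passwords from one host. The log lines follow the OpenSSH, su and sudo syslog formats but are invented for the example; the maintenance window, failure threshold and the table of previously seen addresses are assumptions.

```python
"""Added example: login and root-activity monitoring rules over constructed
auth-log lines (HostSentry/logcheck style), returning alert strings."""
import re
from collections import Counter, defaultdict

MAINT_HOURS = range(2, 4)   # assumption: 02:00-03:59 is the planned root maintenance window
FAIL_THRESHOLD = 5          # assumption: failed passwords from one host before alerting

TS = re.compile(r"^\w{3} +\d+ (\d\d):\d\d:\d\d ")
SSH_OK = re.compile(r"sshd\[\d+\]: Accepted (?:password|publickey) for (\S+) from (\S+)")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+)")
SU_OK = re.compile(r"su(?:\[\d+\])?: \(to (\S+)\) (\S+) on ")
SUDO = re.compile(r"sudo: +(\S+) : .*COMMAND=(.*)$")


def analyse(lines, known_sources: dict) -> list:
    """known_sources: {user: addresses seen for that user before this run}."""
    alerts, failures = [], Counter()
    seen = defaultdict(set, {u: set(a) for u, a in known_sources.items()})
    for line in lines:
        ts = TS.match(line)
        if not ts:
            continue                      # not a syslog line we understand
        hour = int(ts.group(1))
        m = SSH_OK.search(line)
        if m:
            user, src = m.groups()
            if user == "root":
                alerts.append(f"root logged in over ssh from {src}")
            elif src not in seen[user]:
                alerts.append(f"{user} logged in from new address {src}")
            seen[user].add(src)
            continue
        m = SSH_FAIL.search(line)
        if m:
            src = m.group(2)
            failures[src] += 1
            if failures[src] == FAIL_THRESHOLD:   # alert exactly once per host
                alerts.append(f"{FAIL_THRESHOLD} failed passwords from {src}")
            continue
        m = SU_OK.search(line)
        if m:
            target, user = m.groups()
            if target == "root" and hour not in MAINT_HOURS:
                alerts.append(f"{user} became root via su at {hour:02d}h, outside maintenance window")
            continue
        m = SUDO.search(line)
        if m and hour not in MAINT_HOURS:
            user, cmd = m.groups()
            alerts.append(f"{user} ran as root via sudo at {hour:02d}h: {cmd.strip()}")
    return alerts


# Constructed log: planned su in the window, a sudo outside it, a password-guessing
# burst, a user appearing from the guessing host, his su to root, and a root login.
SAMPLE_LOG = """\
Mar  3 02:15:01 www su[4312]: (to root) alice on pts/0
Mar  3 09:12:44 www sshd[5100]: Accepted publickey for alice from 192.0.2.10 port 51022 ssh2
Mar  3 09:13:02 www sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tail /var/log/messages
Mar  3 23:41:10 www sshd[5188]: Failed password for invalid user admin from 203.0.113.7 port 40011 ssh2
Mar  3 23:41:12 www sshd[5188]: Failed password for invalid user admin from 203.0.113.7 port 40012 ssh2
Mar  3 23:41:14 www sshd[5190]: Failed password for root from 203.0.113.7 port 40013 ssh2
Mar  3 23:41:16 www sshd[5190]: Failed password for root from 203.0.113.7 port 40014 ssh2
Mar  3 23:41:18 www sshd[5191]: Failed password for root from 203.0.113.7 port 40015 ssh2
Mar  3 23:42:30 www sshd[5193]: Accepted password for bob from 203.0.113.7 port 40100 ssh2
Mar  3 23:43:05 www su[5210]: (to root) bob on pts/2
Mar  3 23:44:00 www sshd[5230]: Accepted password for root from 198.51.100.9 port 2222 ssh2
""".splitlines()
KNOWN_SOURCES = {"alice": {"192.0.2.10"}, "bob": {"192.0.2.11"}}

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG, KNOWN_SOURCES):
        print(a)
```

Note that the su at 02:15 is silent while the same action at 23:43 alerts: the rule encodes the "root should only be active during planned maintenance" argument made above, and the sequence of guessed passwords, a login from the guessing host, and an immediate su is exactly the footprint of a sniffed or guessed password being used legitimately.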
Monitoring the file system
However good your intentions and however hard your IDs work, you cannot guarantee that the system is impregnable. Once a system has been compromised, the intruder will immediately start altering system files or changing settings in order to disarm the IDs. (Translator's note: oh! "To master the divine skill, one must first castrate oneself"!!)
During software installation system settings inevitably change, and these changes generally show up as changes to system files or libraries.
Programs such as Tripwire, fcheck and AIDE are designed to detect changes to files within the system and report them to the system administrator.
They compute MD5 or another cryptographic checksum over all system files and store these values in a database; when a file changes, its checksum changes too.
They record the creation and modification times of all files and compare their timestamps.
They monitor SUID programs: any change to one, or any SUID program being installed or removed, may be a sign of trouble.
Whatever bells and whistles Tripwire, fcheck and AIDE add, the principles above are how they work, and their value depends entirely on the database and the cryptographic checksums themselves staying intact. One cannot rule out an intruder who is skilled enough, and understands the operating system and the IDS well enough, to alter the checksum database so seamlessly that nothing looks out of place, which is why the database and the checker should be kept where the host itself cannot rewrite them (read-only media or another machine).
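As an added example (this is not Tripwire, fcheck or AIDE code, which are real products), the following Python implements the core of the file-integrity checker just described: it records a SHA-256 digest, size, mode (including the SUID bit), owner and modification time for every regular file under a root, and on a later run reports files that were added, removed or changed, calling out SUID changes separately. It also addresses the last paragraph's caveat: the baseline database is authenticated with an HMAC under a key assumed to be kept off the monitored host, so a rewritten database is rejected rather than trusted. The directory tree, file contents and key are constructed for the example.

```python
"""Added example: Tripwire-style file-integrity baseline with an HMAC-protected
database, demonstrated on a constructed temporary tree."""
import hashlib, hmac, json, os, shutil, stat, tempfile


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: str) -> dict:
    """{relative path: attributes} for every regular file under root."""
    records = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices etc. are out of scope for this example
            records[os.path.relpath(full, root)] = {
                "sha256": hash_file(full), "size": st.st_size,
                "mode": st.st_mode & 0o7777, "uid": st.st_uid, "mtime": int(st.st_mtime),
            }
    return records


def save_baseline(records: dict, key: bytes) -> bytes:
    """Serialise and authenticate: first line is the HMAC tag, rest is JSON."""
    body = json.dumps(records, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest().encode() + b"\n" + body


def load_baseline(blob: bytes, key: bytes) -> dict:
    tag, body = blob.split(b"\n", 1)
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline failed authentication: tampered, or wrong key")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> list:
    """Human-readable findings, with SUID appearing/disappearing flagged explicitly."""
    findings = []
    for path in sorted(set(baseline) | set(current)):
        old, new = baseline.get(path), current.get(path)
        if old is None:
            findings.append(f"ADDED   {path}" + (" [SUID]" if new["mode"] & stat.S_ISUID else ""))
        elif new is None:
            findings.append(f"REMOVED {path}" + (" [was SUID]" if old["mode"] & stat.S_ISUID else ""))
        else:
            changed = [k for k in old if old[k] != new[k]]
            if changed:
                suid = " [SUID bit changed]" if (old["mode"] ^ new["mode"]) & stat.S_ISUID else ""
                findings.append(f"CHANGED {path}: {','.join(changed)}{suid}")
    return findings


def _write(path: str, data: bytes, mode: str = "wb") -> None:
    with open(path, mode) as f:
        f.write(data)


def demo() -> tuple:
    """Constructed scenario: baseline a tree, then an intruder backdoors a
    binary, drops a SUID shell, adds an account, and forges the database."""
    key = b"example-key-kept-offline"   # assumption: the real key lives on read-only media
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        _write(os.path.join(root, "bin", "login"), b"#!/bin/sh\necho login\n")
        _write(os.path.join(root, "passwd"), b"root:x:0:0::/root:/bin/sh\n")
        blob = save_baseline(scan(root), key)

        _write(os.path.join(root, "bin", "login"), b"# backdoor\n", "ab")
        _write(os.path.join(root, "bin", "sh"), b"#!/bin/sh\nexec /bin/sh\n")
        os.chmod(os.path.join(root, "bin", "sh"), 0o4755)
        _write(os.path.join(root, "passwd"), b"toor:x:0:0::/root:/bin/sh\n", "ab")
        findings = compare(load_baseline(blob, key), scan(root))

        forged = save_baseline(scan(root), b"wrong-key")  # intruder lacks the real key
        try:
            load_baseline(forged, key)
            forged_accepted = True
        except ValueError:
            forged_accepted = False
    finally:
        shutil.rmtree(root)
    return findings, forged_accepted


if __name__ == "__main__":
    found, accepted = demo()
    print("\n".join(found))
    print("forged baseline accepted:", accepted)
```

The HMAC does not stop an intruder with root from deleting the database or from patching the checker itself, which is why the article's advice to keep the checker and its data off the host, and the later suggestion to pair it with a kernel-level control, both matter.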
Kernel-based ID
Kernel-based ID is still a new development, but it is growing fast, especially in conjunction with Linux.
There are currently two different kernel-based IDs for Linux: Openwall and LIDS. They have made great strides in preventing buffer overflows, they strengthen file system protection, and they intercept signals, all of which make breaking into the system harder. LIDS also takes certain measures to prevent even the root user from performing some operations, such as installing a sniffer or changing the firewall rules.
Kernel protection and file system protection
Obviously, although the end result is similar, LIDS and Tripwire are very different systems; both can be used to stop an intruder using the system for unauthorised purposes.
At first glance, although a system like Tripwire is indeed a good way of monitoring the file system, one might think it of little value. The consensus is that once your system has been compromised by an intruder inside it, the best thing to do is shut down and reinstall: the damage is done, the system is finished, and you might as well reinstall honestly from your recovery disks. What LIDS offers is more attractive: if the typical tool only comes running to tell you the door is open after the house has already been trashed, LIDS may keep your system from being damaged in the first place.
In theory I agree with the above analysis, but running LIDS and Tripwire together will certainly give better security. Although LIDS is unique in the way it protects the file system, adding a file system monitor like Tripwire as an "independent" auditor will certainly work better, because a hacker may succeed in defeating LIDS.
Summary
Using the latest tools may fend off all known forms of intrusion; unfortunately, as daily practice shows, new threats and new software vulnerabilities are constantly being discovered.
In any environment it is very important to know all the threats you may face, to be alert to potential vulnerabilities in your system, and to patch them so that you are not attacked through them.
For example, a host connected to the Internet through a firewall can be said to be immune to most kinds of attack, but the CGI programs on the machine expose a vulnerable surface, so pay particular attention to making sure that the CGI programs are configured properly and that their input is validated before it is acted on. An ID program placed between the web server and the firewall will then intercept any suspicious connection.
Keep up to date
As new intrusion techniques are discovered, the tools described above are constantly updated, so keeping your tools up to date is also very important.
Having installed the software, users should regularly visit security-related web pages and mailing lists; and if the software or firewall you have installed reports a flaw in itself or some other sign of intrusion, do not be too proud to ask the software vendor for help. (Translator's note: do foreigners worry about saving face too? heh heh)
Which tools?
We have discussed several tools with different functions above. To make your environment as secure as possible, it is very important to choose tools according to function. Each tool has its strengths and its weaknesses, so your first line of defence should be the firewall; then, behind the firewall, install a network-based IDS to watch the firewall; after that (Translator's note: these foreigners are TMD tiresome), connection monitoring tools such as PortSentry or HostSentry; and finally you can use a tool such as logcheck to keep an eye on those who do get in.
About the original author: Del is a guy from New Zealand with 15 years in IT. I won't translate the rest; anyway, if any of you have questions, don't bother asking me, I'm pretty hopeless, I'm just quick at translating foreign text, heh heh. His bio is attached below so nobody can say I infringed his copyright, heh heh.
David Elson (Del) is a security and technology consultant working for Wang New Zealand in Christchurch, on the South Island of New Zealand. With 15 years IT experience, he consults to various clients on security and networking issues. He also maintains a set of web pages on Linux and other related security topics, and has given talks on various security and networking issues at conferences in Australia and New Zealand.