Linux Server Security (2nd Edition) [Electronic resources] - text version


Michael D. Bauer

2.4. Allocating Resources in the DMZ



So everything public goes in the DMZ. But does each service need its
own host? Can any of the services be hosted on the firewall itself?
Should one use a hub or a switch on the DMZ?


The last question is the easiest: with the price of switched ports
decreasing every year, switches are preferable on any LAN, and
especially so in DMZs. Switches are superior in two ways. From a
security standpoint, they're better because it's a bit harder to
"sniff" (eavesdrop on) traffic that isn't delivered to one's own
switch port.



Wireless Local Area Networks and Firewalls


Wireless Local Area
Networks (WLANs) are increasingly popular, due to their convenience
and their low cost (compared to running cable and terminating it to
data jacks). But network security professionals nearly unanimously
agree that WLAN segments should not be connected directly to
trusted/internal networks; they should instead be set up as DMZ
networks separated both from the internal network and from other
(wired) DMZs by a firewall.


Why? The main reason is because wireless networking is a radio
technology: all network traffic in a WLAN is broadcast over radio
waves that can be trivially eavesdropped by unauthorized passersby.
Besides the obvious privacy problem, this eavesdropping exposure also
makes it easier for an attacker to connect to and pretend to be a
legitimate user of a WLAN.


Emerging WLAN technologies such as WPA may effectively and
transparently encrypt all traffic to mitigate eavesdropping
exposures, but as of this writing, the predominant WLAN technology is
still 802.11b, a.k.a. "WiFi," typically implemented without WPA
(which is backward-compatible with 802.11b). Although 802.11b
natively supports encryption via the "Wired Equivalent Privacy"
(WEP) protocol, WEP is not trustworthy: it was found to have fatal
flaws very soon after its details were made public.


Even if you use 128-bit WEP keys (the maximum key length WEP
supports; note that 104 of those bits are the secret key and the
other 24 are the per-packet initialization vector, which is sent in
the clear), an attacker with WEP-cracking software needs only to
capture a few hours' worth of your 802.11b WLAN traffic to crack its
WEP key and read all your WLAN packets at will (and, potentially, to
connect to your WLAN).


Isolating a WLAN segment outside of a firewall mitigates the exposure
to unauthorized access to the network, but what about the exposure of
data confidentiality? My best advice is not only to DMZ your WLAN but
also to run VPN software or to use only encrypted services such as
SSH, HTTPS, etc. on it (in addition to using
128-bit WEP).
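The WEP weakness described in this sidebar can be shown with a few lines of code. The following is an added example, not code from the book: it implements RC4 inline and encrypts two frames WEP-style (RC4 keyed with the 3-byte IV followed by the secret key) under the same IV, then recovers one frame from the other with a guessed plaintext. The secret key, the IV and the two packets are constructed values; the CRC-32 integrity value a real WEP frame also carries is omitted because it plays no part in this weakness.

```python
"""Why WEP fails: RC4 keystream reuse through the 24-bit IV.

Added example, not the book's code. RC4 is implemented inline so the script
runs offline; the secret key, the IV and the two packets are constructed
values. The CRC-32 integrity value that a real WEP frame also carries is
left out because it plays no part in this particular weakness.
"""
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP keys RC4 with IV || secret key; the 3-byte IV travels in the clear,
    so an eavesdropper can see exactly when it repeats."""
    return xor(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def recover_with_known_plaintext(c_known: bytes, p_known: bytes,
                                 c_other: bytes) -> bytes:
    """Two frames under one IV share a keystream: knowing one plaintext
    (a predictable ARP or DHCP frame will do) recovers the keystream,
    which then decrypts the other frame."""
    keystream = xor(c_known, p_known)
    return xor(c_other, keystream)


def packets_until_iv_repeat(iv_bits: int = 24, prob: float = 0.5) -> float:
    """Birthday bound: frames sent before some IV repeats with probability
    `prob`, assuming IVs are chosen at random. Cards that used a counter
    restarting at zero on every reset repeated IVs far sooner than this."""
    n = 2 ** iv_bits
    return math.sqrt(2 * n * math.log(1 / (1 - prob)))


# Constructed demo values (assumptions, not from the book)
SECRET_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3")  # 104-bit key ("128-bit WEP")
IV = b"\x00\x00\x01"
P1 = b"GET /index.html HTTP/1.0\r\n"   # plaintext the attacker can guess
P2 = b"PASS correct-horse\r\n"         # plaintext the attacker wants
C1 = wep_encrypt(SECRET_KEY, IV, P1)
C2 = wep_encrypt(SECRET_KEY, IV, P2)   # same IV reused: same keystream

if __name__ == "__main__":
    print("C1 ^ C2 == P1 ^ P2:", xor(C1, C2) == xor(P1, P2))
    print("recovered:", recover_with_known_plaintext(C1, P1, C2))
    print("frames to a 50%% IV collision: %.0f" % packets_until_iv_repeat())
```

With a 24-bit IV space, roughly 4,800 frames suffice for a 50% chance that some IV has already been reused, and every reuse hands the attacker the XOR of two plaintexts regardless of key length. The key-recovery attacks that the WEP-cracking tools mentioned above actually use exploit a different RC4 weakness (key-dependent bias in the first output bytes for certain IVs), so this demo understates the problem rather than overstating it. Either way, the conclusion of the sidebar holds: treat the WLAN as untrusted and carry anything confidential over SSH, HTTPS or a VPN.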


Returning to the switched DMZ: unfortunately, the protection a switch
gives against sniffing isn't as strong as it once was. There are a
number of ways that Ethernet switches can be forced into
"hub" mode or otherwise tricked into copying packets across multiple
ports (flooding the switch's MAC address table with forged source
addresses until it gives up and floods every frame is the best known).
Still, some work, or at least knowledge, is required to sniff across
switch ports.


One of our assumptions about DMZ hosts is that they are more likely
to be attacked than internal hosts. Therefore, we need to think not
only about how to prevent each DMZed host from being compromised, but
also about what the consequences might be if it is. One possible
consequence is the attacker using it to sniff other traffic on the
DMZ. We like DMZs because they help isolate publicly accessible
hosts, but that does not mean we want those hosts to be easier to
attack.
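A compromised DMZ host that tries to turn the switch into a hub leaves a visible trace: its port suddenly "learns" hundreds of source addresses. The following added example (not code from the book) shows the detection side of that, going a little beyond the page by naming the technique: it reads a constructed log of learned addresses, one "timestamp port src_mac" record per line, such as a script polling the switch's MAC table or sFlow samples would produce, and flags any non-uplink port that sees more than a threshold of distinct MACs within a sliding time window. The port names, addresses and thresholds are assumptions.

```python
"""Spotting a switch being pushed into hub mode by MAC-table flooding.

Added example, not the book's code. One well-known way to make a switch
flood frames out of every port is to exhaust its MAC address table with
thousands of forged source addresses. A legitimate access port learns a
handful of addresses; a port learning hundreds in a few seconds is either
an uplink or an attacker. The input is a constructed log of learned
addresses, one 'timestamp port src_mac' record per line.
"""
from collections import defaultdict
from typing import Dict, Iterable, Iterator, Tuple


def build_sample_log() -> str:
    """Constructed input: two quiet access ports, one flooded port and one
    uplink that legitimately sees many addresses."""
    lines = []
    for i in range(20):
        lines.append(f"{i * 0.5:.1f} Gi0/3 00:50:56:aa:00:01")
        lines.append(f"{i * 0.5 + 0.1:.1f} Gi0/7 00:0c:29:11:22:33")
    for i in range(300):                       # 300 forged MACs in 3 seconds
        lines.append(f"{5 + i * 0.01:.2f} Gi0/12 "
                     f"02:00:00:{(i >> 16) & 0xff:02x}:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}")
    for i in range(80):                        # uplink: many real hosts behind it
        lines.append(f"{i * 0.1:.1f} Gi0/24 02:00:01:00:{(i >> 8) & 0xff:02x}:{i & 0xff:02x}")
    return "\n".join(lines)


def parse_log(text: str) -> Iterator[Tuple[float, str, str]]:
    """Yield (timestamp, port, mac) from the log text, skipping comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, port, mac = line.split()
        yield float(ts), port, mac.lower()


def detect_mac_flooding(records: Iterable[Tuple[float, str, str]],
                        window: float = 10.0, threshold: int = 50,
                        uplinks: Tuple[str, ...] = ()) -> Dict[str, int]:
    """Return {port: peak number of distinct source MACs seen within any
    `window`-second span} for every non-uplink port whose peak exceeds
    `threshold`."""
    per_port = defaultdict(list)
    for ts, port, mac in records:
        per_port[port].append((ts, mac))
    alerts = {}
    for port, events in per_port.items():
        if port in uplinks:                  # trunks legitimately see many MACs
            continue
        events.sort()
        live = defaultdict(int)              # MAC -> occurrences inside the window
        start = peak = 0
        for ts, mac in events:
            live[mac] += 1
            while ts - events[start][0] > window:   # slide the window forward
                old = events[start][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                start += 1
            peak = max(peak, len(live))
        if peak > threshold:
            alerts[port] = peak
    return alerts


if __name__ == "__main__":
    print(detect_mac_flooding(parse_log(build_sample_log()), uplinks=("Gi0/24",)))
```

Detection is the second line of defence; the first is the switch's own port-security feature (a per-port limit on learned addresses), which stops the table from overflowing in the first place. Whichever you use, remember that the uplink exemption is a policy decision: an attacker on a trunk port goes unnoticed by this check.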


Switches also provide better performance than hubs: most of the time,
each port has its own chunk of bandwidth rather than sharing one big
chunk with all other ports. Note, however, that each switch has a
backplane whose capacity describes the actual volume of packets the
switch can handle: a 10-port 100 Mbps switch can't really process
1000 Mbps if it has an 800 Mbps backplane. Nonetheless, even low-end
switches disproportionately outperform comparable hubs.


The other two questions, concerning how to distribute DMZ services,
can usually be settled by factors that are not security-related (cost,
expected load, efficiency, redundancy/failover, etc.), provided that
all DMZ hosts are thoroughly hardened and monitored and that the
firewall rules (packet filters, proxy configurations, etc.) governing
traffic to and from the DMZ are as restrictive as possible.
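"As restrictive as possible" is easier to audit when the rules are written down in a form that can be tested before they go onto the firewall. The following added example (not code from the book) models in Python what a netfilter chain whose policy is DROP does for a three-legged firewall: every ACCEPT names an arriving interface, a destination host and a port, anti-spoofing checks run first, and anything unmatched is dropped. An audit helper lists the rules that let a DMZ host initiate into the internal network, which should be a short and deliberate list. The address plan (RFC 5737 and RFC 1918 ranges) and the zone names ext, dmz and int are assumptions.

```python
"""Zone-based, default-deny packet filter for a three-legged DMZ firewall.

Added example, not code from the book: it models in Python what an
iptables rule set with policy DROP does, so a proposed DMZ policy can be
checked before it is typed into the firewall. The address plan is
constructed (RFC 5737 / RFC 1918 ranges); the zone names ext, dmz and int
stand for the firewall's three interfaces.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr)


# Constructed address plan (assumption, not from the book)
INTERNET = net("0.0.0.0/0")
DMZ = net("192.0.2.0/24")
INTERNAL = net("10.0.0.0/8")
WEB = net("192.0.2.10/32")       # public web server in the DMZ
RELAY = net("192.0.2.25/32")     # public SMTP relay in the DMZ
INT_MAIL = net("10.0.1.25/32")   # internal mailbox server

ZONES = {"ext": INTERNET, "dmz": DMZ, "int": INTERNAL}


@dataclass(frozen=True)
class Rule:
    in_zone: str                     # interface the packet arrives on
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                       # "tcp", "udp" or "any"
    dport: Optional[int]             # None means any destination port
    action: str                      # "ACCEPT" or "DROP"


# Every ACCEPT names one zone, one destination host and one port; nothing
# else gets through. The single DMZ -> internal exception is the relay
# handing mail to the internal mail server.
POLICY: List[Rule] = [
    Rule("ext", INTERNET, WEB, "tcp", 80, "ACCEPT"),
    Rule("ext", INTERNET, WEB, "tcp", 443, "ACCEPT"),
    Rule("ext", INTERNET, RELAY, "tcp", 25, "ACCEPT"),
    Rule("dmz", RELAY, INT_MAIL, "tcp", 25, "ACCEPT"),
    Rule("int", INTERNAL, DMZ, "tcp", 22, "ACCEPT"),   # admin SSH into the DMZ
]


def evaluate(policy: List[Rule], in_zone: str, src: str, dst: str,
             proto: str, dport: int) -> str:
    """First matching rule wins; an unmatched packet is dropped.

    Anti-spoofing comes first: a packet arriving on the DMZ or internal leg
    must carry a source address from that leg's own subnet, and a packet
    from the outside must not claim a DMZ or internal address.
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if in_zone == "ext":
        if s in DMZ or s in INTERNAL:
            return "DROP"
    elif s not in ZONES[in_zone]:
        return "DROP"
    for r in policy:
        if (r.in_zone == in_zone and s in r.src and d in r.dst
                and r.proto in ("any", proto) and r.dport in (None, dport)):
            return r.action
    return "DROP"   # default policy, as in an iptables chain set to DROP


def dmz_to_internal_exceptions(policy: List[Rule]) -> List[Rule]:
    """Audit helper: every ACCEPT that lets a DMZ host initiate to the
    internal network. Each entry here should be deliberate and narrow."""
    return [r for r in policy
            if r.action == "ACCEPT" and r.in_zone == "dmz"
            and r.dst.overlaps(INTERNAL)]


if __name__ == "__main__":
    for args in [("ext", "198.51.100.7", "192.0.2.10", "tcp", 80),
                 ("ext", "198.51.100.7", "192.0.2.10", "tcp", 22),
                 ("dmz", "192.0.2.10", "10.0.1.25", "tcp", 25),
                 ("dmz", "192.0.2.25", "10.0.1.25", "tcp", 25),
                 ("ext", "192.0.2.25", "10.0.1.25", "tcp", 25)]:
        print(args, "->", evaluate(POLICY, *args))
    print("DMZ -> internal exceptions:", dmz_to_internal_exceptions(POLICY))
```

Two things this model deliberately leaves out, and a real rule set must handle: reply packets (on Linux, one ESTABLISHED,RELATED rule per chain, so that replies to the permitted connections are not swallowed by the default DROP) and the pinning of "Internet" rules to the external interface, which is what makes the anti-spoofing check meaningful. Note also that the web server in the example cannot reach the internal mail server even on port 25; only the relay can. If the web server is compromised, that is exactly the kind of consequence the preceding discussion asks you to have thought about in advance.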


Note that high-availability and load-balancing solutions used for
DMZ devices and systems have important benefits for security, not
just for performance: redundancy is one of the few effective
mitigators of Denial of Service attacks.

