So, dear user, or at least dear network administrator, you have nevertheless decided to try to protect your system from various remote influences. Of course, the right step in this direction would be to invite an information security specialist, who together with you will try to solve the whole range of tasks needed to provide the required level of security for your distributed computing system (DCS).
This is a fairly complex set of problems. Solving it requires determining what to protect (the list of controlled objects and resources of the DCS), from what (an analysis of the possible threats to the DCS), and how (formulating requirements, defining a security policy, and developing the administrative, hardware and software measures that enforce the developed security policy in practice).
Perhaps the simplest and cheapest are the administrative methods of protection against information-destroying influences. The following paragraphs discuss possible administrative methods of protection against the remote attacks on Internet hosts (in the general case, on hosts in any IP network) that were described in chapter 4.
How to protect against network traffic analysis?
Network administrators can obviously be advised to avoid using the basic protocols that allow remote authenticated access to their systems' resources, and to regard network traffic analysis as an ever-present threat that cannot be eliminated, but whose execution can be made essentially pointless by applying strong cryptographic algorithms to protect the IP traffic.
How to protect against false ARP-server?
If the network operating system has no information about the correspondence between the IP and Ethernet addresses of hosts within a single segment of an IP network, the ARP protocol lets it send a broadcast ARP request to find the required Ethernet address. An attacker can answer this request with a false reply, after which all link-layer traffic will be intercepted and will pass through the attacker's false ARP server. Obviously, to eliminate this attack one must eliminate the cause that makes it possible.
The main reason this remote attack succeeds is the absence, in the OS of each host, of the necessary information about the correspondence between the IP and Ethernet addresses of all other hosts in the same network segment.
Thus, the simplest solution is for the network administrator to create a static ARP table in a file (in UNIX this is usually /etc/ethers) into which the corresponding address information is entered. This file is installed on each host within the segment, and consequently the network operating system no longer needs to use remote ARP lookup. We note, however, that in Windows '95 this does not help.
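The static table only helps if it is actually consulted, so an administrator also wants to know when a reply seen on the wire contradicts it. The following is an added example, not code from the book: it parses a constructed /etc/ethers file in the ethers(5) layout (hardware address, then host name or IP address, one host per line), normalises the MAC spellings, and reports every observed ARP reply (a constructed list of sender IP / sender MAC pairs) that either conflicts with the static binding or comes from a host the table does not know. Hosts, addresses and the reply list are all made up for the demonstration.

```python
import re

# Constructed sample of an /etc/ethers file in ethers(5) format:
# hardware address, then host name or IP address, one host per line.
ETHERS_FILE = """\
# static IP <-> Ethernet bindings for this segment (constructed sample)
00:A0:C9:12:34:56   192.168.1.1
00:a0:c9:ab:cd:ef   192.168.1.2
0:10:4b:1:2:3       192.168.1.3
"""

# Constructed sample of ARP replies observed on the segment: (sender IP, sender MAC).
OBSERVED_ARP_REPLIES = [
    ("192.168.1.1", "00:a0:c9:12:34:56"),   # matches the static table
    ("192.168.1.2", "00:50:04:77:88:99"),   # conflicts with the static table
    ("192.168.1.3", "00:10:4b:01:02:03"),   # matches (after normalisation)
    ("192.168.1.9", "00:e0:98:aa:bb:cc"),   # host not in the static table
]


def normalize_mac(mac: str) -> str:
    """Canonicalise a MAC: lowercase, six two-digit hex groups, colon separated."""
    parts = mac.strip().split(":")
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{1,2}", p) for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(p.lower().zfill(2) for p in parts)


def parse_ethers(text: str) -> dict:
    """Parse ethers(5) text into {host: mac}; blank lines and '#' comments are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        mac, host = line.split()
        table[host] = normalize_mac(mac)
    return table


def check_arp_replies(static_table: dict, replies: list) -> list:
    """Return one finding per reply that contradicts or falls outside the static table."""
    findings = []
    for ip, mac in replies:
        mac = normalize_mac(mac)
        expected = static_table.get(ip)
        if expected is None:
            findings.append((ip, mac, "unknown host: not in static ARP table"))
        elif expected != mac:
            findings.append((ip, mac, f"conflict: static table binds {ip} to {expected}"))
    return findings


if __name__ == "__main__":
    table = parse_ethers(ETHERS_FILE)
    for ip, mac, why in check_arp_replies(table, OBSERVED_ARP_REPLIES):
        print(f"ALERT {ip} claimed by {mac}: {why}")
```

Run against a real capture, the reply list would come from whatever sniffer the administrator already uses; the point of the check is that a reply disagreeing with the table is exactly the event the static file is meant to make harmless, so it is worth logging even on hosts where the table is honoured.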
How can a network administrator protect against a false DNS server?
To answer this question briefly: there is no way.
Neither administrative nor software measures can protect against attacks on the existing version of the DNS service. The optimal solution from a security standpoint is to give up using DNS in your protected segment altogether! Of course, completely refusing to use names when referring to hosts would be very inconvenient for users. Therefore we can propose the following compromise: use names, but abandon the mechanism of remote DNS lookup. As you have guessed, this means returning to the scheme that was used before the advent of the DNS service with dedicated DNS servers.
Back then, each machine on the network had a hosts file containing the correspondence between the names and IP addresses of all hosts on the network. Obviously, today an administrator can enter into such a file only the servers most frequently visited by the users of this segment of the network.
Therefore, using this solution in practice is extremely difficult and probably unrealistic (for example, what is to be done about browsers, which use URLs containing names?).
To obstruct this remote attack, administrators can be advised to use the TCP protocol for DNS instead of UDP, which is the default (although it is far from obvious from the documentation how to change this). This makes it significantly harder for an attacker to deliver a false DNS response to a host without access to the DNS query.
The overall disappointing conclusion is this: on an Internet using the existing version of DNS there is no acceptable solution for protection against a false DNS server (one cannot refuse to use it, as in the case of ARP, and using it is dangerous)!
In conclusion, we can recommend that the whole Internet, as soon as possible, either move to a new, more secure version of DNS or adopt a single standard for a secure protocol. Making this transition, despite all its enormous costs, is simply necessary; otherwise the Internet could be brought to its knees by the ever-increasing number of successful attempts to breach its security through this service!
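The TCP recommendation above rests on two things a resolver can do on the receiving side: take the reply off a byte stream that the peer had to complete a TCP handshake to write into, and accept it only if it echoes the identifier and question of the query that was sent. The following is an added example, not code from the book and not the code of any real resolver: it builds a DNS query, applies the DNS-over-TCP framing (a two-byte big-endian length in front of the message), parses a reply including compressed names, and validates it. The "server" reply is constructed in the block itself (`build_sample_response` is a demo helper, not a real server), with made-up names and addresses.

```python
import struct


def encode_name(name: str) -> bytes:
    """Encode a domain name as DNS labels: length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qid: int, qtype: int = 1) -> bytes:
    """Build a standard recursive query (RD=1) with one question of class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def frame_tcp(msg: bytes) -> bytes:
    """DNS over TCP: prefix the message with its length as a 16-bit big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def unframe_tcp(stream: bytes) -> bytes:
    """Strip the 2-byte length prefix and return exactly one DNS message."""
    (length,) = struct.unpack("!H", stream[:2])
    body = stream[2:2 + length]
    if len(body) != length:
        raise ValueError("truncated DNS/TCP message")
    return body


def decode_name(msg: bytes, off: int):
    """Decode a (possibly compressed) name at off; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            if not jumped:
                end = off + 2
            off = ((n & 0x3F) << 8) | msg[off + 1]
            jumped = True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii"))
        off += n
    if not jumped:
        end = off
    return ".".join(labels), end


def parse_response(msg: bytes) -> dict:
    """Parse the header, the single question, and any A records in the answer section."""
    qid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    qname, off = decode_name(msg, off)
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(an):
        rname, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record: four-byte IPv4 address
            answers.append((rname, ".".join(str(b) for b in rdata)))
    return {"id": qid, "flags": flags, "question": (qname, qtype, qclass), "answers": answers}


def validate_response(query: bytes, response: bytes) -> bool:
    """Accept a reply only if it is a response (QR=1) whose ID and question echo our query."""
    q, r = parse_response(query), parse_response(response)
    return (r["flags"] & 0x8000) != 0 and r["id"] == q["id"] and r["question"] == q["question"]


def build_sample_response(query: bytes, ip: str) -> bytes:
    """Constructed reply for the demo: echoes the query's ID and question, adds one A record."""
    qid = struct.unpack("!H", query[:2])[0]
    question = query[12:]
    header = struct.pack("!HHHHHH", qid, 0x8180, 1, 1, 0, 0)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + rr


if __name__ == "__main__":
    query = build_query("www.example.com", qid=0x1234)
    good = unframe_tcp(frame_tcp(build_sample_response(query, "192.0.2.10")))
    other = unframe_tcp(frame_tcp(build_sample_response(build_query("www.example.com", 0x9999), "192.0.2.66")))
    print(validate_response(query, good), parse_response(good)["answers"])
    print(validate_response(query, other))
```

Over UDP the ID and question check is all a resolver has, and the ID is only 16 bits; over TCP the same check still applies, but the reply additionally has to arrive inside an established connection, which is the extra obstacle the text refers to.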
How to protect against denial of service?
As has been noted repeatedly, there can be no acceptable means of protection against denial of service in the current IPv4 standard of the Internet!
This is because this standard has no control over the route of messages. It is therefore impossible to reliably monitor network connections, since one subject of network interaction can occupy an unlimited number of communication channels with a remote object while remaining anonymous. Because of this, any server on the Internet can be completely paralyzed by a remote attack.
The only thing that can be suggested to improve the resilience of a system subjected to this attack is to use more powerful computers. The more processors and the higher their clock frequency, and the more RAM you have, the more reliably the network operating system will work when a storm of false connection requests descends on it. In addition, you must use an operating system appropriate to your computing power, with an internal queue that can hold a large number of connection requests. After all, whatever you do, if you install on a supercomputer an operating system such as Linux or Windows NT, in which the queue of simultaneously processed requests holds about 10 entries and the queue-clearing timeout is several minutes, then, despite all the computer's processing power, the operating system will be completely paralyzed by the attacker.
The general conclusion about countering this attack under the current IPv4 standard is this: either sit back and hope that nobody is interested in you, or buy a supercomputer with a suitable network operating system.
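The two parameters the paragraph names, queue length and clearing timeout, can be put into a small model to see how they trade off. The following is an added example, not from the book and not a model of any particular OS: a discrete-time simulation in which false connection requests that never complete arrive each tick and sit in the queue until they time out, while legitimate requests need a free slot and complete at once. The tick unit, arrival rates and the three parameter sets run at the bottom are constructed for the demonstration.

```python
from collections import deque


def simulate_backlog(queue_len: int, timeout_ticks: int,
                     bogus_per_tick: int, legit_per_tick: int, ticks: int) -> dict:
    """Discrete-time model of a connection-request queue under a storm of false requests.

    Each tick the attacker's bogus requests arrive first and never complete, so they hold
    a slot until they time out. Legitimate requests arrive afterwards, need a free slot,
    and complete within the same tick. Returns how many legitimate requests got through.
    """
    queue = deque()            # arrival tick of each pending (never-completed) request
    accepted = dropped = 0
    for tick in range(ticks):
        # 1. the OS clears entries whose age has reached the timeout (oldest are at the left)
        while queue and tick - queue[0] >= timeout_ticks:
            queue.popleft()
        # 2. the flood: bogus requests take any free slots
        for _ in range(bogus_per_tick):
            if len(queue) < queue_len:
                queue.append(tick)
        # 3. real clients: each needs one free slot, then completes and leaves
        for _ in range(legit_per_tick):
            if len(queue) < queue_len:
                accepted += 1
            else:
                dropped += 1
    return {"accepted": accepted, "dropped": dropped, "pending_at_end": len(queue)}


if __name__ == "__main__":
    # Constructed scenarios: 5 false and 2 real requests per tick for 50 ticks.
    for label, qlen, tmo in [("short queue, long timeout", 10, 100),
                             ("short queue, short timeout", 10, 1),
                             ("long queue, long timeout", 1024, 100)]:
        print(label, simulate_backlog(qlen, tmo, bogus_per_tick=5, legit_per_tick=2, ticks=50))
```

With ten slots and a timeout far longer than the attack, the queue fills on the second tick and every later legitimate request is refused; either a short timeout or a much longer queue lets all of them through at this flood rate, which is the point the text makes about matching the OS to the hardware rather than relying on CPU speed alone.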
How to protect against substitution of one party in an interaction using the basic TCP/IP protocols?
As noted earlier, the only protocol of the basic TCP/IP family that initially provides for securing the connection and identifying its participants is the transport protocol, TCP. As for the basic application-layer protocols FTP, TELNET, the r-services, NFS, HTTP, DNS and SMTP, none of them provides any additional protection of the connection at its own level; each leaves all problems of securing the connection to the lower, transport-layer protocol, TCP.
However, recalling the possible attacks on a TCP connection discussed in section 4.5, where it was noted that when the attacker is in the same segment, protection against the substitution of one of the TCP connection's participants is in principle impossible, and that when the attacker is in a different segment, the possibility of mathematically predicting the TCP connection identifier ISN also makes substituting one of the participants quite real, it is easy to conclude that when using the basic TCP/IP protocols a secure connection is practically impossible! This is because, unfortunately, all the basic Internet protocols are incredibly outdated from the standpoint of information security.
The only thing we can recommend to network administrators, and only for protection against attacks on intersegment connections, is to use as a base the secure protocol TCP and network operating systems in which the initial value of the TCP connection identifier is genuinely generated at random (a good pseudorandom generation algorithm is used in recent versions of the FreeBSD OS).
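Whether a given OS actually randomises its ISNs is something an administrator can measure on their own host by collecting the initial sequence numbers it issues across a series of connections. The following is an added example, not from the book: it takes a list of ISNs, computes the differences between consecutive values modulo 2^32, and flags the sequence as predictable when one step value dominates, which is exactly the property an off-segment attacker needs. Both sample sequences are constructed in the block (one from a generator that just adds a constant per connection, one from a seeded PRNG standing in for a properly randomised generator); the step size and threshold are assumptions of the demo, not values from the text.

```python
import random
from collections import Counter

MOD = 1 << 32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 (sequence numbers wrap)."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isn_sequence(isns, min_samples=8, threshold=0.5):
    """Flag a sequence whose ISNs advance by a (near-)constant step.

    Returns (predictable, repeated_fraction, dominant_step). If most deltas are the
    same value, the next ISN is simply last + step, so a connection identifier can
    be computed without observing the connection itself.
    """
    if len(isns) < min_samples:
        raise ValueError(f"need at least {min_samples} ISN samples")
    deltas = isn_deltas(isns)
    step, count = Counter(deltas).most_common(1)[0]
    repeated = count / len(deltas)
    return repeated >= threshold, repeated, step


# Constructed samples (not captured from any real host):
def constant_step_isns(n, start=0x1F000000, step=64000):
    """ISNs from a generator that adds a fixed constant for every new connection."""
    return [(start + i * step) % MOD for i in range(n)]


def random_isns(n, seed=7):
    """ISNs from a seeded PRNG, standing in for a properly randomised generator."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for label, sample in [("constant-step", constant_step_isns(20)),
                          ("randomised", random_isns(20))]:
        predictable, frac, step = assess_isn_sequence(sample)
        print(f"{label}: predictable={predictable} repeated={frac:.2f} step={step:#x}")
```

A real generator that is "almost" constant (a fixed step plus a small per-connection jitter) would not show identical deltas, so in practice one also looks at how tightly the deltas cluster; the check here is the simplest case of the idea, and a sequence that passes it is not thereby proven random.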