Chia sẻ: Thanh Cong | Ngày: | Loại File: PDF | Số trang:50

0
69
lượt xem
19

Mô tả tài liệu

Tham khảo tài liệu 'tcp/ip network administration- p11', công nghệ thông tin, quản trị mạng phục vụ nhu cầu học tập, nghiên cứu và làm việc hiệu quả

Chủ đề:

Bình luận(0)

Lưu

## Nội dung Text: TCP/IP Network Administration- P11

1. [Chapter 11] 11.9 Simple Network Management Protocol useful information for spotting usage trends and potential trouble spots. Every agent supports MIBI or MIBII. Some systems also provide a private MIB in addition to the standard MIBII. Private MIBs add to the monitoring capability by providing system-specific information. Most UNIX systems do not provide private MIBs. Private MIBs are most common on network hardware like routers, hubs, and switches. No matter what MIBs are provided by the agents, it is the monitoring software that displays the information for the system administrator. A private MIB won't do you any good unless your network monitoring software also supports that MIB. For this reason, most administrators prefer to purchase a monitor from the vendor that supplies the bulk of their network equipment. Another possibility is to select a monitor that includes a MIB compiler, which gives you the most flexibility. A MIB compiler reads in the ASN.1 description of a MIB and adds the MIB to the monitor. A MIB compiler makes the monitor extensible because if you can get the ASN.1 source from the network equipment vendor, you can add the vendor's private MIB to your monitor. MIB compilers are only part of the advanced features offered by some monitors. Some of the features offered are: Network maps Some monitors automatically draw a map of the network. Colors are used to indicate the state (up, down, etc.) of the devices on the network. At a glance, the network manager sees the overall state of the network. Tabular data displays Data displayed in tables or rendered into charts is used to make comparisons between different devices. Some monitors output data that can then be read into a standard spreadsheet or graphing program. Filters Filters sift the data coming in from the agents in order to detect certain conditions. Alarms Alarms indicate when "thresholds" are exceeded or special events occur. For example, you may want an alarm to trigger when your server exceeds some specified number of transmit errors. Don't be put off by the jargon. All of this detail is necessary to formally define a network management scheme that is independent of the managed systems, but you don't need to memorize it. You need to know that a MIB is a collection of management information, that an NMS is the network management station, and that an agent runs in each managed device in order to make intelligent decisions when selecting an SNMP monitor. This information provides that necessary background. The features available in network monitors vary widely; so does the price. Select an SNMP monitor that is suitable for the complexity of your network and the size of your budget. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch11_09.htm (4 of 5) [2001-10-15 09:18:52]
2. [Chapter 11] 11.9 Simple Network Management Protocol Previous: 11.8 Protocol TCP/IP Network Next: 11.10 Summary Case Study Administration 11.8 Protocol Case Study Book Index 11.10 Summary [ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ] Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch11_09.htm (5 of 5) [2001-10-15 09:18:52]
3. file:///C|/mynapster/Downloads/warez/tcpip/ch11_10.htm Previous: 11.9 Simple Chapter 11 Next: 12. Network Security Troubleshooting TCP/IP Network Management Protocol 11.10 Summary Every network will have problems. This chapter discusses the tools and techniques that can help you recover from these problems, and the planning and monitoring that can help avoid them. A solution is sometimes obvious if you can just gain enough information about the problem. UNIX provides several built-in software tools that can help you gather information about system configuration, addressing, routing, name service and other vital network components. Gather your tools and learn how to use them before a breakdown occurs. In the next chapter, we talk about another task that is important to the maintenance of a reliable network: keeping your network secure. Previous: 11.9 Simple TCP/IP Network Next: 12. Network Security Network Management Administration Protocol 11.9 Simple Network Book Index 12. Network Security Management Protocol [ Library Home | DNS & BIND | TCP/IP | sendmail | sendmail Reference | Firewalls | Practical Security ] Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch11_10.htm [2001-10-15 09:18:53]
4. [Chapter 12] Network Security Previous: 11.10 Summary Chapter 12 Next: 12.2 User Authentication 12. Network Security Contents: Security Planning User Authentication Application Security Security Monitoring Access Control Encryption Firewalls Words to the Wise Summary Hosts attached to a network - particularly the worldwide Internet - are exposed to a wider range of security threats than are unconnected hosts. Network security reduces the risks of connecting to a network. But by nature, network access and computer security work at cross-purposes. A network is a data highway designed to increase access to computer systems, while security is designed to control access. Providing network security is a balancing act between open access and security. The highway analogy is very appropriate. Like a highway, the network provides equal access for all - welcome visitors as well as unwelcome intruders. At home, you provide security for your possessions by locking your house, not by blocking the streets. Likewise, network security generally means providing adequate security on individual host computers, not providing security directly on the network. In very small towns, where people know each other, doors are often left unlocked. But in big cities, doors have deadbolts and chains. In the last decade, the Internet has grown from a small town of a few thousand users to a big city of millions of users. Just as the anonymity of a big city turns neighbors into strangers, the growth of the Internet has reduced the level of trust between network neighbors. The ever-increasing need for computer security is an unfortunate side effect. Growth, however, is not all bad. In the same way that a big city offers more choices and more services, the expanded network provides increased services. For most of us, security consciousness is a small price to pay for network access. Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch12_01.htm (1 of 7) [2001-10-15 09:18:54]
5. [Chapter 12] Network Security Network break-ins have increased as the network has grown and become more impersonal, but it is easy to exaggerate the extent of these security breaches. Over-reacting to the threat of break-ins may hinder the way you use the network. Don't make the cure worse than the disease. The best advice about network security is to use common sense. RFC 1244, Site Security Handbook, by Holbrook, Reynold, et al., states this principle very well: Common sense is the most appropriate tool that can be used to establish your security policy. Elaborate security schemes and mechanisms are impressive, and they do have their place, yet there is little point in investing money and time on an elaborate implementation scheme if the simple controls are forgotten. This chapter emphasizes the simple controls that can be used to increase your network's security. A reasonable approach to security, based on the level of security required by your system, is the most cost-effective - both in terms of actual expense and in terms of productivity. 12.1 Security Planning One of the most important network security tasks, and probably one of the least enjoyable, is developing a network security policy. Most computer people want a technical solution to every problem. We want to find a program that "fixes" the network security problem. Few of us want to write a paper on network security policies and procedures. However, a well-thought-out security plan will help you decide what needs to be protected, how much you are willing to invest in protecting it, and who will be responsible for carrying out the steps to protect it. 12.1.1 Assessing the Threat The first step toward developing an effective network security plan is to assess the threat that connection presents to your systems. RFC 1244 identifies three distinct types of security threats usually associated with network connectivity: Unauthorized access A break-in by an unauthorized person. Disclosure of information Any problem that causes the disclosure of valuable or sensitive information to people who should not have access to the information. Denial of service Any problem that makes it difficult or impossible for the system to continue to perform productive work. Assess these threats in relation to the number of users who would be affected, as well as to the Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch12_01.htm (2 of 7) [2001-10-15 09:18:54]
16. [Chapter 12] 12.2 User Authentication used between UNIX hosts on a local area network. One-time passwords are only needed for the occasions when you log in from a remote location or an untrusted host. For this reason, some one-time password systems are designed to allow reusable passwords when they are appropriate. There are several one-time password systems. Some use specialized hardware such as "smart cards." OPIE is a free software system that requires no special hardware. 12.2.4 OPIE One-time Passwords In Everything (OPIE) is free software from the U.S. Naval Research Laboratory (NRL) that modifies a UNIX system to use one-time passwords. OPIE is directly derived from SKey, which is a one-time password system created by Bell Communications Research (Bellcore). Download OPIE from ftp://ftp.nrl.navy.mil/pub/security/opie/opie-2.3.tar.gz. It is a binary file. gunzip the file and extract it using tar. The directory this produces contains the source files, Makefiles, and scripts necessary to compile and install OPIE. OPIE comes with configure, an auto-configuration script that detects your system's configuration and modifies the Makefile accordingly. It does a good job, but you still should manually edit the Makefile to make sure it is correct. For example: my Linux system uses the Washington University FTP daemon wu.ftpd. OPIE replaces login, su, and ftpd with its own version of these programs. On my Linux system, configure did not find ftpd and I did not notice the problem when I checked the Makefile. make ran without errors but make install failed during the install of the OPIE FTP daemon. The Makefile was easily corrected and the rerun of make install was successful. The effects of OPIE are evident as soon as the install completes. Run su and you're prompted with root's response: instead of Password:. login prompts with Response or Password: instead of just Password:. The response requested by these programs is the OPIE equivalent of a password. Programs that prompt with Response or Password accept either the OPIE response or the traditional password from the /etc/passwd file. This feature permits users to migrate gracefully from traditional passwords to OPIE. It also allows local console logins with re-usable passwords while permitting remote logins with one-time passwords. The best of both worlds - convenient local logins without creating separate local and remote login accounts! To use OPIE you must first select a secret password that is used to generate the one-time password list, and then you must run the program that generates the list. To select a secret password, run opiepassword as shown below: $opiepasswd -c Updating kristin: Reminder - Only use this method from the console; NEVER from remote. If you are using telnet, xterm, or a dial-in, type ^C now or exit with no password. Then run opiepasswd without the -c parameter. Using MD5 to compute responses. Enter old secret pass phrase: 3J5Wd6PaWP Enter new secret pass phrase: 9WA11WSfW95/NT Again new secret pass phrase: 9WA11WSfW95/NT The example above shows the user kristin updating her secret password. She runs opiepasswd from the computer's console, as indicated by the -c command option. Running opiepasswd from the console is the most secure. If it is not run from the console, you must have a copy of the opiekey software with you to generate the correct responses needed to enter your old and new secret passwords because clear-text passwords are only accepted from the console. Kristin is prompted to enter her old password and to select a new one. OPIE passwords must be at least Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch12_02.htm (6 of 13) [2001-10-15 09:18:56] 17. [Chapter 12] 12.2 User Authentication 10 characters long. Since the new password is long enough, opiepasswd accepts it and displays the following two lines: ID kristin OPIE key is 499 be93564 CITE JAN GORY BELA GET ABED These lines tell Kristin the information she needs to generate OPIE login responses and the first response she will need to log in to the system. The one-time password needed for Kristin's next login response is the second line of this display: a group of six short, uppercase character strings. The first line of the display contains the initial sequence number (499) and the seed (be93564) she needs, along with her secret password, to generate OPIE login responses. The software used to generate those responses is opiekey. opiekey takes the login sequence number, the user's seed, and the user's secret password as input and outputs the correct one-time password. If you have opiekey software on the system from which you are initiating the login, you can produce one-time passwords one at a time. If, however, you will not have access to opiekey when you are away from your login host, you can use the -n option to request several passwords. Write the passwords down, put them in your wallet, and you're ready to go! [3] In the following example we request five (-n 5) responses from opiekey: [3] Security experts will cringe when they read this suggestion. Writing down passwords is a "no- no." Frankly, I think the people who steal wallets are more interested in my money and credit cards than in the password to my system. But you should consider this suggestion in light of the level of protection that your system needs.$ opiekey -n 5 495 wi01309 Using MD5 algorithm to compute response. Reminder: Don't use opiekey from telnet or dial-in sessions. Enter secret pass phrase: UUaX26CPaU 491: HOST VET FOWL SEEK IOWA YAP 492: JOB ARTS WERE FEAT TILE IBIS 493: TRUE BRED JOEL USER HALT EBEN 494: HOOD WED MOLT PAN FED RUBY 495: SUB YAW BILE GLEE OWE NOR First opiekey tells us that it is using the MD5 algorithm to produce the responses, which is the default for OPIE. For compatibility with older Skey or OPIE implementations, force opiekey to use the MD4 algorithm by using the -4 command-line option. opiekey prompts for your secret password. This is the password you defined with the opiepasswd command. It then prints out the number of responses requested and lists them in sequence number order. The login sequence numbers in the example are 495 to 491. When the sequence number gets down to 10, rerun opiepasswd and select a new secret password. Selecting a new secret password resets the sequence number to 499. The OPIE login prompt displays a sequence number and you must provide the response that goes with that sequence number. For example: login: tyler otp-md5 492 wi01309 Response or Password: JOB ARTS WERE FEAT TILE IBIS At the login: prompt Tyler enters her username. The system then displays a single line that tells her that one- time passwords are being generated with the MD5 algorithm (otp-md5), that this is login sequence number 492, and that the seed used for her one-time passwords is wi01309. She looks up the response for login number 492 and enters the six short strings. She then marks that response off her list because it cannot be used again to log into the Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. file:///C|/mynapster/Downloads/warez/tcpip/ch12_02.htm (7 of 13) [2001-10-15 09:18:56]