英文原文.docx

英文原文.docx

《英文原文.docx》由会员分享，可在线阅读，更多相关《英文原文.docx（13页珍藏版）》请在冰点文库上搜索。

英文原文

WebSecurityPrivacy&Commerce

Therunningbattlebetweenhackersandnetworksecurityprofessionalshasmovedbeyondtheperimeterfirewalltohand-to-handcombatatindividualWebandcorporateservers．

AndnewsecurityweaponshaveemergedthatuseingeniousmethodstoprotectWebsitesandcorporatenetworksfromexternalandinternalsecuritythreats．Herearesomeofthelatesttoolsatyourdisposal.

Noexit

GillianG-Serverdoesn’tcarehowthehackergotinorwhatchangestheymayhavemadetoyourWebsite．GillianExitControltechnologypreventstheworldfromseeingtheconsequencesofasecuritybreach．

GillianG-ServersitsbetweentheWebserverandtherouterorfirewallthatconnectstheWebservertotheInternet,inspectingeverypieceofcontentthatgoesout.TheExitControlG-ServercontainsacollectionofdigitalsignaturesmadefromauthorizedWebcontentduringthepublicationprocess．

Eachtimethesitecontentproducerspublishaneworrevisedobject，theG-Serversavesadigitalbackupoftheobjectalongwithadigitalsignature.

SignaturesthatdonmatchsenduparedflagwhichtriggerstheG-Servertoimmediatelyreplaceaboguspagewithasecurearchivedcopyoftheoriginal，whilesimultaneouslyalertingappropriatepersonnel．

Tripwire，Inc.TripwireforServersisasimilardataandnetworkintegrityproduct．However，TripwireforServerstakesadifferentapproach——itssoftwareisloadedontotheserverthatyouwanttoprotect．Itmonitorsallfilechanges，whethertheyoriginatefrominsideoroutsidethecompany，andreportsbackifachangeviolatespredeterminedpolicies.

Honeypotsordecoys

Honeypotsaredesignedtolureandcontainanintruderonthenetwork．Honeypotsaredecoydevicesthatcandivertattacksfromproductionsystemsandletsecurityadministratorsstudyorunderstandwhathappeningonthenetwork．

ManTrap，fromRecourse，isapowerfulhoneypotthatdeployednexttodataservers，ifitbeingusedtodeflectinternalattacks，andlocatedoffthefirewallinthedemilitarizedzone（DMZ）ifitbeingusedagainstexternalthreats．Themajorityofusersdeployitinternallytogetsuspiciousactivityundercontrol.

Inthatscenario，aManTrapserverwouldbesetuptolooklikeafileserverthatstoresintellectualpropertyorbusinessplans．AsuccessfuldeploymentofManTrapdependsonavarietyoffactorsincludingquality，namingscheme，placementandsecuritypolicy．Forexample，deceptivedefensesaremosteffectivewhendeployedinquantitiesequaltoorgreaterthanthatoftheproductionsystem．Honeypotscangetexpensivewhichiswhycompaniesmustpickandchoosethecriticalserverstheywanttoprotect.

WhatattractsanattackertoManTrapisconfiguringittomakeitlookmorevulnerablethanotherservers．Oncethehackerisonthedecoyserver，securitymanagerscanlogthehackeractivityandgaininsightintowhattheintruderistryingtoaccomplish.

Fallintothegap

Airgaptechnologyprovidesaphysicalgapbetweentrustedanduntrustednetworks,creatinganisolatedpathformovingfilesbetweenanexternalserverandacompanyinternalnetworkandsystems.VendorsincludeRVTTechnologies,SpearheadTechnologyandWhaleCommunications.

Whalee-GapWebShuttleisanonprogrammabledevicethatswitchesamemorybankbetweentwocomputerhosts.Thee-GapWebShuttlecreatesanairgapbetweentheInternetandacompanyback-officesystems.Companiesmightusee-GapWebShuttlebetweenanexternalservicerunninge-commerceapplications,suchasonlinebanking,andinternaldatabasesthatmightbequeriedbyexternalusers.

Thee-Gapsystemconsistsofthee-GapappliancethatisattachedtotwoPChosts,oneinternalandoneexternal.TheinternalhostconnectstothecompanyinternalnetworkandtheexternalhostsitsintheDMZinfrontofthefirewall.

AllURLstoWebpagesaredirectedtoamocklocationontheexternalhost.Pagesdonotactuallyresideonthishost.Theexternalhoststripsofftheprotocolheaders,extractsonlythecontentoftheSecureSocketsLayer（SSL）trafficandpassesittothee-GapWebShuttle.Thee-GapWebShuttletransportstheencrypteddatatotheinternalhostusingatogglinge-disk.Thee-GapinternalhostdecryptsSSLtraffic,authenticatestheuserandfilterstheURLcontent.ItthenpassestheURLrequesttothecompanyproductionWebserverthatresidesontheback-officenetwork.

Thefixisin

Securityandvulnerabilityassessmenttools,designedtobeusedin-house,candetectweaknessesinanorganizationsystemsbeforeproblemsoccurandcanfixthoseproblems.

Retina3.0,fromeEye,scans,monitors,alertsandautomaticallyfixesnetworksecurityvulnerabilities.TheproductworksonWindowsNT4.0SP3orhigherandWindows2000.

Thesoftwareisinstalledonanymachinewithinthenetwork.ThenetworkadministratortypesinarangeofIPaddressestoscanandpushesabutton.Theproductscansthenetworkforvulnerabilities,softwareflawsandpolicyproblemsandreportsanyvulnerabilities.

Theproduct“fixit”featureprovidesnetworkadministratorwithadescriptionofanyfoundvulnerabilities,informationonhowtofixit,oraccesstoafixitbuttonthatcanrepairthevulnerabilitylocallyorremotely.

DemolishingDoSattacks

Perhapsoneofthenewestcategoriesofsecurityisproductsthattargetdenial-of-service（DoS）attacksandmore.Bydefinition,DoSattacksmakecomputersystemsinaccessiblebyexploitingsoftwarebugsoroverloadingserversornetworkssothatlegitimateuserscannolongeraccessthoseresources.Theproductcategoryissonewthatsomeproductsarestillinbetatestoronthecuspofenteringthemarketplace.

Goingafteroneofthemostmalicioustypesofcomputervandalism,theDoSattack,areArborNetworks,ofWaltham,Mass.;MazuNetworks,ofCambridge,Mass.;andAstaNetworksinSeattle.

Mazu’ssolutiontodistributedDoSattacksworksviaintelligenttrafficanalysisandfilteringacrossthenetwork.Amonitoringdevice,suchasapacketsnifferorpacketanalyzer,evaluatespacketsonthenetworkatspeedsupto1Gbit/sec.Amonitoringdevicethendetermineswhichtrafficneedstobefilteredout.

Thegood,thebadandtheugly

Thegoodnewsaboutallofthesenewsecuritytechniquesisthattheytheoreticallyoffercompaniesadditionallayersofsecurityprotection,providingbetteroverallsecurity.Whatthisultimatelymeanstobusinessesisthatadditionalsecuritymechanismscansucceedwhereothershavefailed.Anotherplusaboutsomeofthenewproductsisthattheyareoptimizedforaparticularapplication,suchasintegrityoftheWebservers.

However,aswithanytechnology,thereareprosandconstoconsider.Infact,therearesomedownsidestoimplementingthesenewsecurityproducts.Forexample:

Theyareallincrementalsolutions,notreplacements.

Theyrequireacertainamountofexpertise.

Manyvendorsarestart-upsandthereariskastohowlongtheylbearound.

Thereaconcern,inmanyITshops,aboutaddingpreventivecontrolsbecauseofassociatedoverhead——aconcernthatcanbeeasilyremediedbyinvestinginadditionalhorsepower.

Whattoomuch?

Whendoesacompanyruntheriskbecauseofhavingtoomanyproductstomanage?

Thebottomlineisthatsecurityisneveradonedeal.Itacontinuingprocessthatanewcropofinnovativevendorsaremakingmoreinteresting.

BenevolentWorms

Althoughtheprospectofusingvirustechnologytosimplifythetaskofdeliveringpatchesandsoftwareupdatesistempting,thedangerscanoutweighthebenefitswhentheprocessistooautomated.Forexample,theimprovedWindowsUpdatefeatureinWindowsXPnowallowspatchesandupdatestobedownloadedautomatically,althoughinstallationisstillattheuser’sdiscretion.

Trojanhorses,worms,andothermaliciouscodeformshaveproventobeincrediblysuccessfulatparalyzinge-mailsystemsandInternetproviders.Itisthereforeonlylogicaltoconceiveofwaystousethemforproductivepurposes,muchastheBibleexhortsitsreaderstobeattheirswordsintoplowsharesandtheirspearsintopruninghooks.

Granted,itwouldbewonderfulifITadministratorscoulddistributepatchesandsoftwareupdatestodesktopsandserversasquicklyasane-mailviruscanspreadfromonemachinetothenext.Butissuchamagicwandreallyagoodidea?

Well,maybenotexactly.Afterall,unlikethehumanimmunesystem,whichproducesdefenses,orantibodies,automatically,thecomputermustwaitforahumantoanalyzesamplesofacomputervirus,prepareantidotesandvaccinesforthatspecificsituation,andonlythenapplythecure.

Thisobservationalonewouldseemtodiscredittheideaofa“digitalimmunesystem”thatthesecuritycommunityhastossedaroundduringthepastfewyears,butthere’sanevenmoreimportantpointtoconsider.Similartothewaythatautoimmunediseasesturnthebody’sowndefensesagainstitself,socouldoneturnaviruslikesoftwaredeliverysystemagainstitsowncomputers.Althoughitwouldbedifficulttomonkeywiththedigitalcertificatesthatwouldconceivablybeusedtoidentifytrustedpatches,it’snotimpossibletosubvertthecertificateissuingsystem,asMicrosoftandVeriSignfoundtotheirdismaylastMarch.

Ultimately,aviruslikesoftwaredeliverysystemwouldrequiresoftwarepublisherstodeliberatelyputabackdoorintotheirsystems,andfewcustomerswilltoleratethatpractice,evenundershrinkwraplicensingterms.Becausethere’snoguaranteethatsuchatemptingtargetwouldn’tbeexploitedbyhackers,anyITmanagerdeployingsuchasystemwouldbefoolhardyintheextreme.

Virusbehaviorthatstandpointgotoseefromtheoperatesystem,issomenormalbehaviors,andsayfortheoperatesystemthat