The most popular access mechanism is IMAP over SSL. When receiving mail via IMAP, your username and password must be sent to the remote mail server. Using SSL for this connection allows you to maintain the confidentiality of your mail access credentials. Some mail clients also support SMTP over SSL. However, since no authentication credentials are sent during an SMTP session, this practice is not as common. The use of SSL does increase the computational burden on the mail server and may not be feasible in high-volume mail systems. We value the privacy of our email and advise using SMTP or IMAP over SSL if available.

3.1.2.2 SSH

Secure Shell (SSH) is a secure replacement for the r-commands such as rlogin, rcmd, and rshell. SSH also uses public-key cryptography like SSL, but does not rely on a trusted authority to issue the public/private key pairs. SSH can use several symmetric ciphers when passing data between hosts to allow users to choose the appropriate level of security based on their situation. If it is not installed on your workstation, check your distribution media or http://www.openssh.org for links to the source code or precompiled binaries of OpenSSH.

When accessing a command shell on a remote machine over a wireless network, you should use SSH rather than telnet or the r-commands. When SSH is properly used, it will help ensure your credentials and traffic are protected from eavesdroppers.
SSH also provides a tunneling mechanism. A port on a local machine can be forwarded to a port on a remote machine. This allows secure access to remote services that are normally accessible in an insecure manner. This can be useful for accessing one particular service, but is not practical for tunneling many different types of traffic. The syntax for SSH local port forwarding is:

ssh -L localport:remotehost:remoteport username@remotehost

As an example, assume we are on a wireless network and want to access our IMAP server over SSH. Normally, IMAP credentials and email are sent in the clear. Due to the constant data stream involved in IMAP connections, they are ideal targets for eavesdroppers. By tunneling over SSH, the sensitive information is protected from malicious neighbors, as shown in Figure 3-1.

Figure 3-1. IMAP over SSH tunnel

In order to set up the tunnel, forward all local IMAP connections on the client (TCP port 143) to the IMAP port on the mail server. The following command performs the necessary remote port forwarding to achieve this:

ssh -f -L 143:mail.example.com:143 username@mail.example.com sleep 3600

In order to use this tunnel, configure your mail client to use localhost as the IMAP server. The -f flag tells SSH to go into the background after the authentication process is over. The command sleep 3600 is executed on the remote host. Once the sleep command terminates, the SSH session will be torn down. This example can be modified to forward POP connections rather than IMAP by changing the port information to port 110.

Note that, by default, SSH will only forward connections that originate from localhost. Connections to forwarded ports from remote stations will be denied by default. In order to allow other machines to access the forwarded port, use the -g flag. Only do this if there is a reason for external connections.
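As an added example (not from the book), a small POSIX shell helper that builds the local-forwarding command in the syntax above and then checks, from a netstat -an style listing, whether the forwarded port is bound to loopback only (the default) or reachable by other stations (as it is when -g is used). The function names and the sample listings are constructed for this example.

```shell
#!/bin/sh
# Added example around the SSH local port forwarding described above.
# Function names and the sample netstat listings are constructed.

# Build the command line in the book's form:
#   ssh -f [-g] -L localport:remotehost:remoteport username@remotehost sleep 3600
# Pass "yes" as the fifth argument only when other machines must reach the
# forwarded port (the -g flag); the default keeps the listener on localhost.
build_tunnel_cmd() {
    localport=$1; remotehost=$2; remoteport=$3; user=$4; gateway=${5:-no}
    gflag=""
    if [ "$gateway" = "yes" ]; then gflag="-g "; fi
    printf 'ssh -f %s-L %s:%s:%s %s@%s sleep 3600\n' \
        "$gflag" "$localport" "$remotehost" "$remoteport" "$user" "$remotehost"
}

# Inspect netstat -an style output (BSD "addr.port" or Linux "addr:port")
# and return 0 (true) when a LISTEN socket on the given port is bound to
# anything other than the loopback address, i.e. reachable by the wireless
# neighbours the tunnel was meant to keep out. Returns 1 when loopback-only.
tunnel_exposed() {
    port=$1
    listing=$2
    printf '%s\n' "$listing" | awk -v p="$port" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, /[.:]/); lport = a[n]
            addr = substr($4, 1, length($4) - length(lport) - 1)
            if (lport == p && addr != "127.0.0.1" && addr != "::1") exposed = 1
        }
        END { exit (exposed ? 0 : 1) }'
}

# Constructed listings: the first is what the default -L tunnel looks like on
# FreeBSD, the second is the same tunnel started with -g.
SAMPLE_DEFAULT='tcp4       0      0 127.0.0.1.143          *.*                    LISTEN
tcp4       0      0 *.22                   *.*                    LISTEN'
SAMPLE_GATEWAY='tcp4       0      0 *.143                  *.*                    LISTEN'

build_tunnel_cmd 143 mail.example.com 143 username
if tunnel_exposed 143 "$SAMPLE_DEFAULT"; then echo "port 143: EXPOSED"; else echo "port 143: loopback only"; fi
if tunnel_exposed 143 "$SAMPLE_GATEWAY"; then echo "port 143: EXPOSED"; else echo "port 143: loopback only"; fi
```

Run tunnel_exposed against the real output of netstat -an after starting the tunnel to confirm the listener did not end up on a wildcard address.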
3.2 Audit Logging

Even on client computers, it is very important to pay attention to the logs generated by the system. These logs can provide notification of attempted or successful compromises of system security. The location and format of these logs can vary from OS to OS. Monitoring of system logs can be tedious, and it is easy to become complacent. Because of this, we cover the installation of swatch, a basic tool to automate log monitoring.

3.3 Security Updates

After the system is set up, it is important to monitor the vendor web site for security patches. Most operating system vendors regularly discover or are notified of new security issues. Make it a habit to regularly check and download the latest patches, or use an automated updating system to gather them for you. When doing a fresh OS installation, it is a good idea to download any security patches on another machine and install them from a burned CD before connecting the fresh computer to the network.

Chapter 4. FreeBSD Station Security

This chapter demonstrates how to lock down FreeBSD workstations for use on a wireless network. It will explain required and recommended kernel tuning, secure configuration of the wireless card, locking down the operating system, and adding third-party software to further enhance the security of the machine. Many of the security practices documented in this chapter are general best practices that should be applied to any workstation (but rarely are). However, without mechanisms geared for wireless security, standard wired network best practices alone are not enough.

4.1 FreeBSD Client Setup

FreeBSD has a long history of wireless networking support. FreeBSD had robust support for the original 802.11 cards and has continued to support 802.11b cards. As of this writing, several 802.11a cards have experimental support under FreeBSD-current. Unless otherwise noted, the examples given in this chapter are for FreeBSD 4.5-RELEASE. For information regarding this release or for questions on FreeBSD in general, please see http://www.freebsd.org/.

As in any other discussion of setting up a secure platform, the steps outlined below are governed by the Principle of Least Privilege. The Principle of Least Privilege means that a user or system should be given only the required amount of privilege to perform the required tasks. This principle can be extended to configuring an operating system. Only required services, kernel configuration options, users, and files should be installed
