1.10 Protecting System Access
This book covers how to protect access to a system via proper password policy and configuration, disabling insecure services and software, upgrading insecure versions of programs, logging out inactive users, discovering new intrusion techniques (including the occasional security bug in trusted software) before crackers can use them against a system, and avoiding the various traps that crackers plant.
Also discussed are a variety of techniques and tools that further reduce vulnerability. Many Linux systems on the Internet (and non-Linux systems as well) offering telnet and FTP can be cracked via exhaustive password searches. Many systems have weak passwords that do not require exhaustive searches. On many systems, an intruder merely uses anonymous FTP to get a copy of the encrypted password file and cracks it on his own system with widely available tools. Then he "owns" that system (controls it with unauthorized root). On others, he uses known vulnerabilities in the POP or IMAP daemons, named, or sendmail, or he breaks a CGI program.

This book explains in detail how to build up a number of concentric walls in one's systems and network, each of which must be penetrated in turn before a break-in can occur. I call these concentric walls "Rings of Security" throughout the book. A single wall with many places where it might be broken would require only one break for a cracker to gain full access. However, these "Rings of Security" will stop most crackers from causing major problems because it is unlikely that a cracker will be able to break through all of them in turn.
Many leading security experts, including Kurt Seifried of http://www.seifried.org and Mike Warfield of Internet Security Systems, use the term "security in depth" for the same concept. It is very fortunate that both of these well-known experts found time to review this book and offer many suggestions.
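One check an administrator can run against the password-file exposure described above, as an added example that is not taken from the book: it audits any passwd-format file (for instance, a copy readable by anonymous FTP users) for entries that carry a real hash, an empty password field, or an extra UID 0 account. The seven-field layout, the placeholder set, and the sample entries are assumptions constructed for illustration.

```python
# Added example (not from the book): audit a passwd-format file for entries
# that would hand an intruder something to crack or log in with.

# Assumed placeholder values meaning "no usable hash is stored in this file".
PLACEHOLDERS = {"x", "*", "!", "!!"}

def audit_passwd(text):
    """Return a list of (line number, user, finding) for risky entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            findings.append((lineno, fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            # No password at all: anyone can log in as this user.
            findings.append((lineno, user, "empty password field"))
        elif pw not in PLACEHOLDERS and not pw.startswith(("!", "*")):
            # Anything else is treated as a hash that can be cracked offline.
            findings.append((lineno, user, "password hash exposed"))
        if uid == "0" and user != "root":
            findings.append((lineno, user, "extra UID 0 account"))
    return findings

# Constructed sample input; the hash-like string is made up.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
alice:ab1Xq9zR2kLmE:1000:1000:Alice:/home/alice:/bin/bash
guest::1001:1001:Guest:/home/guest:/bin/bash
toor:x:0:0:alt root:/root:/bin/sh
broken:line
"""

if __name__ == "__main__":
    for lineno, user, finding in audit_passwd(SAMPLE):
        print(f"line {lineno}: {user}: {finding}")
```

A clean result means the file gives an intruder no hashes to take away; it says nothing about the strength of passwords stored elsewhere.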