
Implement switch security on your network

Author:     http://cisco.ccxx.net

Takeaway:
Switch security involves challenges. Take a look at how you can ensure switch security in your organization. 

--------------------------------------------------------------------------------
When it comes to securing internal networks, one area that organizations often overlook is switch security. Most companies tend to focus on their borders and end users, forgetting the devices that connect the two.

Ensuring switch security in your organization basically comes down to two steps: Defining what users can see, and defining what they can connect.

What you see

Every business-grade switch allows you to define virtual local area networks (VLANs). Organizations typically implement VLANs for the following reasons:

Broadcasts: A VLAN doesn't pass broadcast traffic to nodes that aren't part of the VLAN.
Performance: A VLAN can reduce the number of router hops and extend your local topology between user workstations and resource servers, increasing the apparent bandwidth for network users.
Departments: A VLAN can segment departments that use bandwidth-intense applications. You can also dedicate a VLAN to specific types of job roles (e.g., executives, kiosk workstations, etc.).
Security: A VLAN allows organizations to separate sensitive clusters of systems from the rest of the network, decreasing the likelihood that users will gain access to information on these clients and servers.

What you connect

Port security is also available on every business-class switch. Some switches allow very in-depth settings; others just provide some of the basics. Here's a look at some of your options:

MAC Locking: This involves tying a Media Access Control (MAC) address of one or more connected devices to a physical port on a switch. If you lock a switch port to a particular MAC address, you don't have to worry about superusers or internal black hats creating backdoors into your network with rogue access points.
MAC Lockout: This disables a specified MAC address from ever connecting to a switch.
MAC Learning: Using knowledge about each switch port's direct connections, the switch can set security based on current connections.
Remote Configuration: Limit remote configuration to specific IP addresses, using SSH instead of Telnet. Telnet passes usernames and passwords in clear text, potentially allowing everyone on the LAN segment to see login credentials.
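As an added example that is not part of the original article, the configuration below shows how the VLAN and port-security options described above translate into Cisco IOS Catalyst commands: a VLAN for a sensitive group, MAC locking on an access port (one learned MAC, sticky, shutdown on violation), a MAC lockout entry, and remote configuration limited to SSH from one management subnet. The VLAN number, interface name, management subnet 10.1.1.0/24, domain name and the MAC address are placeholders, not values from the article.

```cisco
! Constructed example configuration; all names and addresses are placeholders.
! VLAN for a sensitive cluster of systems (the "Security" reason above)
vlan 10
 name Finance
!
! MAC Locking: the port learns one MAC address, stores it in the running
! configuration (sticky) and shuts down if a different device is attached,
! which stops a rogue access point from being plugged in behind a PC.
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
!
! MAC Lockout: frames from this source MAC are dropped in VLAN 10
! regardless of which port they arrive on (placeholder address).
mac address-table static 0000.0000.0001 vlan 10 drop
!
! Remote Configuration: SSH only, accepted only from the management subnet.
! The RSA key must exist before SSH is enabled; generate it once in exec mode:
!   crypto key generate rsa modulus 2048
ip domain-name example.com
ip ssh version 2
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 15
 transport input ssh
 access-class 10 in
 login local
```

After deployment, `show port-security interface GigabitEthernet0/1` reports the learned sticky address and the violation count, which is where a help-desk workstation swap will first show up as an err-disabled port.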

Final thoughts

Switch security does involve challenges, particularly when it comes to setting up and deploying new workstations in your help desk area. This is definitely an issue you should consider when implementing a switch security policy.

Network administrators who balk at port security because it's labor-intensive and requires constant management should consider this: Port security stops people from attaching wireless access points and bypassing your site security. That alone should be a good enough reason to implement switch security on your network today.


--------------------------------------------------------------------------------

2. System overload attacks

Another common process-based attack is one in which a single user spawns many processes that consume a large amount of CPU time, reducing the CPU time available to other users. For example, a user who runs ten find commands at once, each searching for files under a number of directories, can slow the whole system to a crawl.

The better approach is to educate users to share the system reasonably, and to encourage them to use the nice command to lower the priority of processes they run in the background. The at and batch commands can also be used to schedule long jobs for times when the system is not busy. Measures can be taken against users who do this deliberately or repeatedly.

If the system is overloaded, log in as root and set your own priority to a higher value. Then use the ps command to watch the running processes, and use the kill command on the offending ones.

3. Disk attacks

This attack works by filling the disk: one user fills the disk with a large number of files, so that other users cannot create files or do other useful work.

Disk-full attacks

The du command shows how the space on each disk partition is being used. du walks the directory tree recursively and lists how many blocks each directory uses. The find command can also list the names of large files: with find's -size option, you can list all files larger than a given size.

The quot command summarizes file system usage per user. With the -f option, quot prints the number of files and the number of blocks used by each user.

UNIX file systems use inodes to store file information. One way to make a disk unusable is to consume all of its free inodes, so that no new files can be created. A user might create thousands of empty files. This is a confusing problem, because df reports plenty of free space, yet creating a file produces an error. The reason is that every new file, directory and pipe needs an inode structure to describe it. Once the free inodes are exhausted, the system can no longer create new files even though disk space is still available.

The df command's -i option shows how many inodes are free. A common protection against disk-full attacks is to split the disk into a number of smaller partitions and place different users' home directories on different partitions. That way, if one partition fills up, other users are not affected.

Another effective approach is to use the quota system found on many modern UNIX systems to protect against this attack. With disk quotas, you set, for each user, how many inodes and how many disk blocks that user may consume.

Preventing denial-of-service attacks

Many modern UNIX systems allow the administrator to set limits such as the maximum memory, CPU time and maximum file size a process may use. These limits are useful when you are developing a new program and do not want to accidentally slow the system down or make it unusable for the other users sharing the host. The Korn Shell's ulimit command and the shell's limit command list the resource limits of the current process.


Copyright © 2006 cisco.ccxx.net. All rights reserved.