Cisco 网络署 PPT 内部员工培训材【培训课件】.pptVIP

* * * * * * * * * * * * * * * * /rfc/rfc1918.txt * /rfc/rfc2827.txt * * * Private VLANs Consist of three port classifications: Isolated Ports: can only communicate with promiscuous ports Promiscuous Ports: can communicate with all other ports Community Ports: can communicate with other members of community and all promiscuous ports All within the same VLAN (subnet) Private VLANs are useful in a security environment because they can limit a hosts’ ability to communicate with other hosts on the same subnet. This is very useful in a public services segment where a public web, ftp, and smtp servers don’t necessarily need to talk to one another. If a host gets compromised, private VLANs make it more difficult to compromise other hosts on the same network. * * * * Firewall filtering is often too broad. Specific port and address filtering for each service will limit your exposure. Consider the following specific optimizations: No self initiated traffic from web servers Limit or eliminate ICMP traffic by type and direction If ICMP is required, implement IDS to detect bogus ICMP traffic. DNS zone transfers are usually not needed (TCP / 53) and can be blocked * * * * * * * * * * * * * * * * * * * * * * * * * * Allows a compromised machine to have custom versions of utilities and back-doors into areas of the OS. Basic system administration can not detect the changes after a root kit is installed (files have same date / time / size etc.) This creates an environment for the attacker to operate without being detected. Root Kits are primarily UNIX based though NT kits exists. Some Root Kits offer special features: sniffing tuned to find passwords log modifications to remove presence * CGI-BIN Takes advantage of insecure coding methods to execute commands on a host using TCP / 80 (HTTP). New vulnerabilities are constantly being discovered. Keeping up with patches is difficult. A malicious hacker is not necessarily motivated to reveal his latest discoveries. Further Reading: