Đang chuẩn bị liên kết để tải về tài liệu:
Firewalls and Internet Security, Second Edition phần 6

Hệ thống điều hành Thương mại và phần mềm máy chủ mạng thay đổi đáng kể trong hiệu quả của họ. Một sự lựa chọn phần mềm thông minh hơn có thể giúp đỡ. Chúng tôi không ủng hộ các nhà cung cấp cụ thể, nhưng xin lưu ý rằng việc triển khai với | 206 Filtering Services 10.1.8 ssh One of the principles of computer security is to trust as little as possible. Ssh is one of the things we trust. As with Mail it is thus crucial to keep up with bugs and patches. Ssh has indeed had some serious security problems in the past. Ssh is reasonable to allow through the firewall because it implements cryptographic authentication and encryption and is the best way we know of to allow access through a firewall. Depending on your internal trust policies you may want to terminate incoming ssh connec-tions at the firewall. Here you can do strong centralized authentication. It s also attractive to pretend that doing so prevents people or malicious programs from creating back doors but it s just that a pretense. If you permit outbound TCP it s easy to create back doors and ssh s port-forwarding just lets Bad Guys do it a bit more easily from the command line. The rule for ssh is as follows protocol out in comment ssh allow allow Stay current on patches 10.2 Digging for Worms E-mail isn t the only way that viruses and worms spread but it s one of the most common. If your user population runs susceptible software i.e. Windows you really need to filter incoming e-mail. If you want to be a good citizen of the Net you ll filter outgoing e-mail too. One approach of course is to screen each piece of incoming mail on each desktop. That s a good idea even if you adopt other measures as well defense in depth generally pays off. But desktops are often behind in their updates and getting new pattern files to them now can be difficult. Fortunately it s not hard to install a centralized filter for malware. Use MX records to ensure that all inbound e-mail goes to a central place. Make sure that you include a wildcard MX record too for both your inside and your outside DNS example.com. IN MX 10 mail-gw.example.com .example.com. IN MX 10 mail-gw.example.com It s a good idea to use a different brand of virus scanner for your gateway than for your