FreeBSD Security Issues

Source: Internet
Author: User

The key to maintaining network security is understanding where network vulnerabilities may exist. Only by understanding where an attacker will begin can appropriate measures be taken to strengthen the security of the system. The following sections briefly summarize the possible vulnerabilities, which are the aspects of network security that need attention.

Physical security: Network eavesdropping and address spoofing

Physical security is important, but much of it has nothing to do with network security. For example, if the server is stolen, thieves can read its hard drive directly. That is an extreme example; more generally, unauthorized users may gain access to the system console, restart the computer and take control of it, or eavesdrop on the network through a physical connection.

A number of "hacker" incidents have recently been reported in the country in which attackers stole information by physically tapping the target's lines and by understanding the proprietary computer systems involved. In fact, this type of attack is not a real network attack, and the attackers can hardly be called network hackers.

As far as physical security is concerned, the network-related problems mainly concern the security of data in transit. Because TCP/IP is a packet-switched protocol, each packet is transmitted transparently across the network: it passes through different networks and is forwarded by the routers along the way until it reaches the destination computer. Because packets pass directly through these networks, computers on them may be able to capture the packets and eavesdrop on the data being transmitted. This issue of physical transmission security matters to network security because the current TCP/IP protocol itself does not provide for secure transmission, and many applications, such as Telnet and FTP, even send highly sensitive password data in plaintext. Capturing all the data passing through the network is often referred to as network analysis (sniffing).

Because of how physical networks carry traffic, packets cannot be captured from just anywhere on the network. Taking Ethernet, the most commonly used network, as an example: on older shared Ethernet, all packets flowing through the network can be captured from any one location, whereas newer switched Ethernet isolates the data destined for different computers at the switch, making it more secure. Whatever the network, however, routers are always a critical location: all data leaving the network passes through this one machine, so an attacker who can eavesdrop at the router can cause very serious security problems.

Switched Ethernet does not guarantee that traffic cannot be tapped. A clever eavesdropper can deceive an Ethernet switch in order to eavesdrop, but this requires attacking vulnerabilities in specific switches, which is difficult in practice.

The way to prevent eavesdropping is to encrypt the transmitted data; at the very least, do not transmit important authentication information in plaintext. Under FreeBSD, Kerberos authentication can be used to ensure that passwords are not captured in transit. Beyond that, applications that support encrypted transmission, such as SSH, can be used to transfer important data. Setting up a virtual private network across the insecure networks that the data passes through also solves the problem. Currently, the protocol that provides data security at the IP layer is IPSec, and for FreeBSD the KAME development group provides IPSec support (KAME's URL is http://www.kame.net/). As more and more applications come to support IPSec, they will no longer have transmission security problems.
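
As an added example (not part of the original article), the shell function below checks an inetd.conf file for enabled Telnet and FTP entries, the two plaintext services named above. The function names, the constructed sample file and the choice of inetd.conf as the place to look are assumptions of this example.

```shell
#!/bin/sh
# Added example: report cleartext login services enabled in an inetd.conf.

# Services this page names as sending passwords in plaintext (extend as needed).
PLAINTEXT_SERVICES="telnet ftp"

# audit_inetd FILE
# Prints "service/protocol server-program" for each enabled plaintext service.
# Returns 0 if none are enabled, 1 if at least one is, 2 if FILE is unreadable.
audit_inetd() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    found=$(awk -v list="$PLAINTEXT_SERVICES" '
        BEGIN { n = split(list, s, " "); for (i = 1; i <= n; i++) want[s[i]] = 1 }
        /^[ \t]*#/   { next }      # commented-out entry: service is disabled
        NF < 6       { next }      # not a complete inetd entry
        ($1 in want) { print $1 "/" $3, $6 }
    ' "$conf")
    if [ -z "$found" ]; then
        return 0
    fi
    printf '%s\n' "$found"
    return 1
}

# Constructed sample in inetd.conf layout (not taken from a real host):
# service  socket  proto  wait/nowait  user  server-program  arguments
sample_inetd_conf() {
    cat <<'EOF'
#ftp    stream  tcp     nowait  root    /usr/libexec/ftpd       ftpd -l
telnet  stream  tcp     nowait  root    /usr/libexec/telnetd    telnetd
telnet  stream  tcp6    nowait  root    /usr/libexec/telnetd    telnetd
daytime stream  tcp     nowait  root    internal
EOF
}

# Demo on the constructed sample; on a real host run: audit_inetd /etc/inetd.conf
tmp=$(mktemp) && sample_inetd_conf > "$tmp"
audit_inetd "$tmp" || echo "status $?: comment out these entries and use SSH instead"
rm -f "$tmp"
```

A non-zero status from `audit_inetd /etc/inetd.conf` makes the check easy to wire into a periodic job that alerts when a plaintext service is re-enabled.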
