Chapter 1 Security Concepts


Lines of defense

This section describes types of attacks and some strategies for defending against them.

Types of attacks

There are several ways in which data can be tampered with, compromised, and stolen. In addition, systems can be overwhelmed with traffic to the point that they are rendered useless.

Integrity attacks Data integrity is a measure of the quality of the information stored and transmitted on a system.

Types of attacks on data integrity include deleting or modifying files or information on the file system or over a network.

Spoofing IP spoofing occurs when an intruder attempts to deceive the target system into accepting packets that appear to the target as coming from someone other than the intruder. If the target system already has an authenticated TCP session with another system and mistakenly accepts spoofed IP packets, the intruder can access sensitive information and lead the target to execute commands in that packet, as though they came from the authenticated connection.

Availability attacks Availability attacks occur when a resource such as a Web site or HTTP port becomes unavailable due to a high volume of traffic. Someone can use a program to generate thousands of simultaneous requests aimed at the same site which then is unable to respond to legitimate requests.

Capture-and-replay Capture-and-replay refers to an intruder capturing data as it moves from one system to another. User names, passwords, authentication information, and so on, can be tampered with or used by the intruder to gain access to protected resources.

There are a variety of ways and tools that intruders use to gain access to system resources. Some of these attacks are undetected, while others destroy or alter information. Following is a few examples of how an intruder gains access to system resources:

Defense against attacks

This section discusses some of the methods by which you can protect data and restrict access to resources.

Protecting ports and listeners You can provide various levels of security to EAServer listeners by assigning security profiles to HTTPS and IIOPS listeners. See Chapter 11, "Security Configuration Tasks" for more information.

Protecting application server resources and securing clients EAServer provides several methods to protect server resources and secure client/server connections:

Protecting data Use public-key certificates when exchanging sensitive data over a network to protect it from being viewed by intruders. See Chapter 12, "Managing Keys and Certificates" for more information.

 


Copyright © 2002 Sybase, Inc. All rights reserved.