(3) Remote procedure call (RPC) authentication. Authentication in RPC is the core of network security, so we must first be clear about how the RPC authentication mechanism distinguishes one caller from another. The RPC authentication mechanism is an open port: various authentication systems can be plugged into it and coexist. The current SunOS has two authentication systems, UNIX and DES. The former is older and weak; the latter, described in this section, is the new one. Two terms are very important for the RPC authentication mechanism: credentials and verifier. This is like an identity card: the credential is what identifies a person (name, address, date of birth), and the verifier is the identity photograph, through which the holder of the card can be checked. The RPC mechanism works the same way: when the client process issues an RPC request, it sends a credential and a verifier; the server replies only with the matching verifier information, because the client already knows the server's credential.
(4) The UNIX authentication mechanism. Sun's early network services were all built on top of the UNIX authentication mechanism. Its credential contains the station (host) name, user number, group number and the list of groups the user belongs to, and its verifier is empty. This system has two problems. The first and most prominent is that the verifier is empty, which makes forging a credential very easy. If every system administrator were trustworthy there would be no problem, but on many networks (universities in particular) this is not safe. To compensate for this weakness of the UNIX authentication system, an NFS mount request is checked by looking up the requesting station's Internet address against the hostname field, and only requests arriving from a privileged port are accepted. But this is still not enough to secure the system, because NFS still cannot verify the user number. The other problem is that the UNIX authentication system applies only to UNIX systems, and requiring every station on a network to run UNIX is unrealistic: NFS also runs on MS-DOS and VMS machines, where the UNIX authentication system does not work; MS-DOS, for example, has no concept of a user number at all. So what is needed is an authentication system whose credential and verifier are independent of the operating system, which is what the DES authentication system provides.

(5) DES authentication. The security of DES authentication rests on the sender encrypting the current time; the receiver can decrypt it and compare it against its own clock as a check. The timestamps are themselves DES-encrypted. For this mechanism to work, two things are required: the sender and the receiver must agree on what the current time is, and the sender and the receiver must use the same encryption key.
If the network has a time-synchronization mechanism, the client and server synchronize their clocks with it. If no such mechanism exists, timestamps are computed in server time: before starting the RPC call, the client asks the server for its time, computes the difference between its own clock and the server's, and applies that difference as a correction to its own clock whenever it computes a timestamp. If the client and server clocks later drift out of synchronization, the server starts rejecting the client's requests, and the DES authentication system resynchronizes them.

How do the client and server obtain the same encryption key? When the client wants to talk to the server, it generates a random key for encrypting the timestamps; this key is called the conversation (session) key, CK. CK is encrypted with the common key and sent to the server in the first transaction, and CK is the only item that is encrypted with a public-key-based key. This DES key, which at that point only the client and the server know, is called the common key. In the first request the client's credential contains three things: the client's name, the session key encrypted with the common key, and a time window encrypted with the session key. The window tells the server: after this, I will send you many credentials; someone might forge a timestamp and send a credential as if it were a new session, so when you receive a timestamp, check whether your current time lies between the timestamp and the timestamp plus the window, and if not, reject it.
When a secure NFS file system is created, the default time window is 30 minutes. In the first request the client's verifier contains the encrypted timestamp and an encrypted copy of the window plus one (WIN + 1). The reason for the latter is this: if someone writes a program that fills the encrypted fields of the credential and verifier with arbitrary binary values, the server will decrypt those bytes into some DES key CK, use it to decrypt the window and timestamp, and end up with random values; only after thousands of attempts could such random window/timestamp values get past the authentication system. The check on the window therefore makes guessing a correct credential much harder and improves security. After authenticating the client, the server stores four values in its credential table: the client name, the session key CK, the window, and the timestamp. The first three are kept for later use; the timestamp is kept to prevent replays, since the server accepts only timestamps later than the previously stored one. The server returns to the client a verifier containing a nickname ID and the negated timestamp (encrypted with CK). The client knows that only the server could have returned such a verifier, because only the server knows that timestamp. The first transaction is complicated; later ones are easier: each time the client sends the server its ID and the encrypted timestamp, and the server returns the encrypted timestamp.
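The exchange described in (5) above, modelled end to end as an added example (this is not code from the original post or from SunOS). DES itself is replaced by a clearly labelled stand-in keyed stream cipher so the block runs with the standard library only; the names `DesAuthServer`, `DesAuthClient`, `run_demo` and the constructed common key are assumptions for illustration. What the block demonstrates is the protocol logic: the conversation key CK sent under the common key, the window and WIN + 1 check, the server's four-value table, replay rejection by timestamp ordering, the nickname used in later requests, and the server verifier the client checks.

```python
"""Model of the Secure RPC DES authentication exchange (added example).

The cipher below is a stand-in for DES (XOR with a SHA-256 keystream) so the
block is self-contained; it is not a secure cipher and is only here so the
protocol logic can run. A real implementation uses DES as Secure RPC specifies.
"""
import hashlib
import os
import struct


def toy_encrypt(key: bytes, data: bytes) -> bytes:
    # Stand-in for DES (constructed): XOR data with a keystream derived from `key`.
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + struct.pack(">I", counter)).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


toy_decrypt = toy_encrypt  # XOR keystream: encryption and decryption are the same


def enc_int(key: bytes, value: int) -> bytes:
    return toy_encrypt(key, struct.pack(">q", value))  # 8-byte signed field


def dec_int(key: bytes, blob: bytes) -> int:
    return struct.unpack(">q", toy_decrypt(key, blob))[0]


class DesAuthServer:
    def __init__(self, common_keys, clock):
        self.common_keys = common_keys  # client name -> common key (public-key derived in real Secure RPC)
        self.clock = clock
        self.sessions = {}  # nickname -> [name, CK, window, last timestamp]  (the four stored values)
        self.next_nickname = 1

    def first_request(self, cred, verf):
        common = self.common_keys[cred["name"]]
        ck = toy_decrypt(common, cred["enc_ck"])  # recover the session key CK
        window = dec_int(ck, cred["enc_window"])
        ts = dec_int(ck, verf["enc_timestamp"])
        if dec_int(ck, verf["enc_win_plus_1"]) != window + 1:
            return None  # random bytes in the fields will not decrypt to WIN + 1
        if abs(self.clock() - ts) > window:
            return None  # timestamp outside the window (clock skew or forgery)
        nickname = self.next_nickname
        self.next_nickname += 1
        self.sessions[nickname] = [cred["name"], ck, window, ts]
        # Server verifier: nickname plus the negated timestamp under CK
        return {"nickname": nickname, "enc_timestamp": enc_int(ck, -ts)}

    def later_request(self, nickname, enc_timestamp):
        sess = self.sessions.get(nickname)
        if sess is None:
            return None
        _, ck, window, last_ts = sess
        ts = dec_int(ck, enc_timestamp)
        if ts <= last_ts:
            return None  # replay: only timestamps later than the stored one are accepted
        if abs(self.clock() - ts) > window:
            return None
        sess[3] = ts
        return enc_int(ck, -ts)


class DesAuthClient:
    def __init__(self, name, common_key, clock, window=30 * 60):
        self.name, self.common, self.clock, self.window = name, common_key, clock, window
        self.ck = os.urandom(8)  # random conversation (session) key for this session
        self.nickname = None

    def first_request(self):
        ts = self.clock()
        cred = {"name": self.name,
                "enc_ck": toy_encrypt(self.common, self.ck),       # CK under the common key
                "enc_window": enc_int(self.ck, self.window)}       # window under CK
        verf = {"enc_timestamp": enc_int(self.ck, ts),
                "enc_win_plus_1": enc_int(self.ck, self.window + 1)}
        return ts, cred, verf

    def accept_server_verifier(self, sent_ts, reply):
        # Only a holder of CK that saw the timestamp can produce the negated timestamp
        if reply is None or dec_int(self.ck, reply["enc_timestamp"]) != -sent_ts:
            return False
        self.nickname = reply["nickname"]
        return True

    def later_request(self):
        ts = self.clock()
        return ts, self.nickname, enc_int(self.ck, ts)  # just the nickname and encrypted timestamp


def run_demo():
    common = b"constructed-common-key"  # constructed sample value
    client_now, server_now = [1_000_000], [1_000_000]  # separate fake clocks
    server = DesAuthServer({"alice@nfs.example": common}, lambda: server_now[0])
    client = DesAuthClient("alice@nfs.example", common, lambda: client_now[0])
    ts, cred, verf = client.first_request()
    first_ok = client.accept_server_verifier(ts, server.first_request(cred, verf))
    bad_verf = dict(verf, enc_win_plus_1=os.urandom(8))  # arbitrary bytes in the WIN + 1 field
    tamper_rejected = server.first_request(cred, bad_verf) is None
    client_now[0] += 5; server_now[0] += 5
    ts2, nick, enc = client.later_request()
    later_ok = dec_int(client.ck, server.later_request(nick, enc)) == -ts2
    replay_rejected = server.later_request(nick, enc) is None  # same timestamp again
    client_now[0] += 1; server_now[0] += 2000  # server clock runs ahead past the 30-minute window
    _, nick, enc3 = client.later_request()
    skew_rejected = server.later_request(nick, enc3) is None
    return {"first_ok": first_ok, "tamper_rejected": tamper_rejected, "later_ok": later_ok,
            "replay_rejected": replay_rejected, "skew_rejected": skew_rejected}
```

Running `run_demo()` walks through one session: the first request is accepted, a verifier with arbitrary bytes in the WIN + 1 field is refused before any table entry is made, a later request using only the nickname succeeds, a replay of the same encrypted timestamp is refused, and a request whose timestamp falls outside the window once the server's clock has run ahead is refused, which is the point at which the text says resynchronization must happen.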