Appliances include multiple layers of defense to protect against intrusions and hack attempts:
Appliances also include a built-in firewall which provides additional security beyond what is provided by the network environment. This firewall is constructed using the firewall rule-set building utility Bastille-Linux® (for details, see http://bastille-linux.sourceforge.net/). The firewall limits external access to the HTTP or HTTPS port for report viewing and additional ports used for intra-component communications.
If command-line access is needed for Quest Support to run low-level diagnostic procedures, customers may optionally open the SSH port. For more information, see Enable remote access using SSH.
Many network intruders begin an attack by scanning the target network. Detection of such a scan offers one indication that an attack is about to begin. Appliance software attempts to detect such scans by monitoring access to ports that are not active on the appliance system, but are typically exploited by hackers (for example, FTP, POP3, IMAP). Upon detection, the appliance automatically adds the source IP address of the potential attacker to the firewall rule-set and blocks all future packets that appear to originate from that address. This functionality is implemented using the Port Sentry tool (for details, see http://sourceforge.net/projects/sentrytools).
• |
Appliances have a minimal version of the 64-bit SUSE Linux® Enterprise Server (SLES) 11 operating system preinstalled. |
• |
Many tools and packages that represent common vulnerabilities are stripped out of the distribution. For example, server instances of Telnet, FTP server, rlogin, NFS, Samba, and lpr are not installed on the appliance. |
• |
• |
ping — The appliance’s Console Program uses the ping utility to verify network access during the appliance setup process. The Console Program requires a user account distinct from the browser interface user account. For more information, see User authentication on appliances . |
• |
traceroute — The traceroute utility is used only as an option in the alerting system; users can specify to traceroute to a particular IP address if an alert is triggered. There is no other access to the traceroute utility other than through the alerting system. |
• |
All standard Linux® user accounts available on the appliance (such as, shutdown, halt, and mailnull) have no login shell that allows an attacker to enter shell commands. For more information, see User authentication on appliances . |
© ALL RIGHTS RESERVED. Termini di utilizzo Privacy Cookie Preference Center