Mitigating Access Attacks

You can mitigate access attacks as follows:
■ Strong password security—A surprising number of access attacks are
carried out through simple password-guessing or brute-force dictionary
attacks against passwords. The use of encrypted or hashed authentication
protocols (for instance, Secure Shell [SSH] for terminal access,
TACACS+ for authentication, authorization, and accounting [AAA])
along with a strong password policy (requiring different passwords on
different systems, locking out accounts after a string of unsuccessful
attempts, and complex password requirements) greatly reduces the
probability of password access attacks.
■ Principle of minimum trust—Systems should not trust one another
unnecessarily. A common trust exploitation attack occurs when an
inside network host trusts a device in the demilitarized zone (DMZ). If
an attacker is able to compromise the DMZ system, the DMZ system
can be used as a stepping-stone to access and compromise the trusted
internal system. Secure network designs take this into account by
ensuring that inside systems do not trust DMZ systems unconditionally.
■ Cryptography—The MitM attack, in which an attacker inserts
himself between two trusted hosts and impersonates both to gather
sensitive information, can be thwarted only by using cryptography in
the communications channel between the trusted hosts.
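
The account lockout named in the first bullet, sketched as an added example that is not part of the original text: a policy that locks an account after a string of consecutive failed logins, replayed over constructed log lines. The log format, the class and function names, and the thresholds (3 failures within 1 minute, 5-minute lock) are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in an sshd-like format (not from the original text).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:04 sshd: Accepted password for bob from 198.51.100.4
2024-05-01T10:00:05 sshd: Failed password for alice from 203.0.113.7
2024-05-01T10:00:09 sshd: Accepted password for alice from 203.0.113.7
2024-05-01T10:00:20 sshd: Failed password for bob from 198.51.100.9
2024-05-01T10:06:00 sshd: Accepted password for alice from 192.0.2.10
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

class LockoutPolicy:
    """Lock an account after max_failures consecutive failures inside window."""
    def __init__(self, max_failures=3, window=timedelta(minutes=1), lock_for=timedelta(minutes=5)):
        self.max_failures, self.window, self.lock_for = max_failures, window, lock_for
        self.failures = {}      # account -> timestamps of recent consecutive failures
        self.locked_until = {}  # account -> time the lock expires

    def attempt(self, account, when, password_ok):
        """Return 'locked', 'denied' or 'granted' for one login attempt."""
        if when < self.locked_until.get(account, datetime.min):
            return "locked"     # refused even if the password is correct
        if password_ok:
            self.failures.pop(account, None)   # a success ends the string of failures
            return "granted"
        # Keep only failures still inside the window, then count this one.
        recent = [t for t in self.failures.get(account, []) if when - t <= self.window] + [when]
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = when + self.lock_for
            self.failures.pop(account, None)
        return "denied"

def replay(log_text, policy):
    """Feed each parsed log line to the policy; return (account, outcome) pairs."""
    results = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # ignore lines that are not login attempts
        ts, verdict, account, _src = m.groups()
        outcome = policy.attempt(account, datetime.fromisoformat(ts), verdict == "Accepted")
        results.append((account, outcome))
    return results
```

In the replay, the correct password presented for alice at 10:00:09 is still refused because the lock set by the third failure has not yet expired; her login at 10:06:00 succeeds.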