Local Area Networks (LANs) in Aircraft - FTP Directory Listing - FAA
force mechanisms can be defended against by effective password management procedures and by limiting the number of failing account accesses that can occur within a given time period. The other types of attacks will be discussed below.

A.2.3 OPEN-NETWORK PORTS.

Ports¹¹ provide the avenue for device processes or applications to receive or send data across an IP network. IP communications are addressed in terms of a specific IP address that identifies a specific device within the network, and a specific port, identifying a specific application or process within that device (see RFC 2780). Open ports within a device provide opportunities for remote attackers to attack the process or application using that port. All unneeded ports should be closed. Indeed, devices should only support the minimum number of ports required to perform the device's mission(s). Bob Toxen observed:

"Just as every account on a system is a potential path for a cracker, every network service [port] is a road to it. Most Linux [i.e., a type of Unix] distributions install 'tons' of software and services by default. They deliberately prefer 'easy' over 'secure.' Many of these are not necessary or wanted. Take the time to remove software and services you do not need. Better still—do not install them to begin with." [A-10]

For example, Department of Defense (DoD) Instruction 8551.1 [A-11] requires that "Ports, protocols, and services that are visible to DoD-managed network components shall undergo a vulnerability assessment; be assigned to an assurance category; be appropriately registered; be regulated based on their potential to cause damage to DoD operations and interests if used maliciously; and be limited to only the PPS required to conduct official business or required to address Quality of Life issues authorized by competent authority." (Emphasis added, quoted from Section 4.1 of A-11.)
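As an added illustration of the minimum-ports principle described above (example code, not from the report or the FAA), the following script parses the Linux /proc/net/tcp listing and reports every listening TCP port that is not on the device's mission allowlist. The sample listing, the device and its allowlist of ports 22 and 80 are constructed assumptions.

```python
"""Audit a device's listening TCP ports against its mission allowlist.
Assumes Linux /proc/net/tcp layout (little-endian hex IPv4:port, state 0A =
LISTEN). Sample listing and allowlist are constructed, not from the report."""
import socket
import struct

LISTEN_STATE = "0A"

# Constructed excerpt: SSH (0x16=22), SMTP on loopback (0x19=25), HTTP
# (0x50=80), portmapper (0x6F=111), and one established socket (state 01).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0019 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
   3: 00000000:006F 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 44444 1 0000000000000000 100 0 0 10 0
   4: 0200000A:C350 0100000A:0016 01 00000000:00000000 00:00000000 00000000     0        0 55555 1 0000000000000000 20 4 30 10 -1
"""

# Ports the hypothetical device needs for its mission: SSH admin and HTTP.
MISSION_PORTS = {22, 80}


def parse_listeners(proc_net_tcp):
    """Return sorted (ip, port) tuples for every socket in LISTEN state."""
    listeners = []
    for line in proc_net_tcp.splitlines():
        fields = line.split()
        # The header row has "st" in column 3; data rows carry the hex state.
        if len(fields) < 4 or fields[3] != LISTEN_STATE:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # /proc/net/tcp writes the IPv4 address as a little-endian 32-bit hex value
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return sorted(listeners)


def audit(listeners, mission_ports):
    """Split listeners into those needed and those that should be closed."""
    needed = [(ip, p) for ip, p in listeners if p in mission_ports]
    unneeded = [(ip, p) for ip, p in listeners if p not in mission_ports]
    return needed, unneeded


if __name__ == "__main__":
    needed, unneeded = audit(parse_listeners(SAMPLE_PROC_NET_TCP), MISSION_PORTS)
    for ip, port in unneeded:
        print(f"CLOSE {ip}:{port} (not required for the device's mission)")
    for ip, port in needed:
        print(f"KEEP  {ip}:{port}")
```

On a real host, read /proc/net/tcp (and /proc/net/tcp6 for IPv6) in place of the sample and keep the allowlist under change control with the device's mission definition.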
A.2.4 OLD SOFTWARE VERSIONS.

Vulnerabilities are continually being found and corrected in software systems. Thus, effective security requires that administrators keep up with the current patches and software versions.

A.2.5 SESSION HIJACKING.

Session hijacking is the process used by an attacker to find an active TCP connection between two other computers and to take control of it, making it unusable by the actual source. Hacker tools, such as juggernaut and hunt, seek to leverage this vulnerability.

A.2.6 WEB HACKING.

Websites are subject to a host of security vulnerabilities that offer attackers numerous possible

¹¹ See http://www.iana.org/assignments/port-numbers

A-7