This chapter is split out to deal specifically with network security, though still in fairly general terms: the characteristics of networks, common network security vulnerabilities, and the means of network security control. It should be read and understood together with Information Security Management (2): What is information security? Principles and requirements of information security, since network security is really part of that previous chapter.
This post only holds fragmentary notes; I'll fill it in when I have time. The specifics will be covered later under computer networks or distributed networks. Part 1 (definition and characteristics of networks) and Part 2 (TCP/IP) don't need to be read; they are just notes to myself.
1 Definition and characteristics of networks
1.1 Definition of a network
(Can't be bothered to explain... go look it up on Wikipedia yourselves)
Uses of a network
- What is a network…
- Devices in a network…
- LAN, WAN and Internetworks
- What do networks do for you…
- Sharing resources
- Use/share applications
1.2 Characteristics of networks
- Anonymity
- Automation
- Distance
- Opaqueness
- Routing diversity
1.3 Network Topology
2 TCP/IP
- Protocols…
- Open Systems
- ANSI, IETF, ISO, IAB
2.1 ISO OSI Reference Model - 7 layers
- Application: end-user processes such as FTP, e-mail, etc.
- Presentation: formats and encrypts data to send across the network
- Session: establishes, manages and terminates connections between applications
- Transport: end-to-end error recovery, flow control, priority services
- Network: switching, routing, addressing, internetworking, error handling, congestion control and packet sequencing
- Data link: encoding and decoding data packets into bits. Media Access Control sub-layer: data access/transmit permissions. Logical Link Control sub-layer: frame synchronisation, flow control, error checking.
- Physical: conveys the bit stream (electrical, light, radio)
Mnemonics for the layer order, top-down and bottom-up:
- All People Seem To Need Data Protection (Application to Physical)
- People Do Not Trust Sales People Always (Physical to Application)
2.2 Related protocols
- Application layer – FTP, Telnet, DNS, DHCP, TFTP, RPC, NFS, SNMP...
- Transport layer – TCP, UDP
- Internet Layer – IP, ICMP, ARP, bootp…
- Organisations / entities : ICANN, IETF, IAB, IRTF, ISOC, W3C
- Other protocols
  - IPX/SPX
  - ATM
  - DECnet
  - IEEE 802.11
  - AppleTalk
  - USB
  - SNA
3 Network security weaknesses
3.1 What makes a network vulnerable
- Anonymity
- Multiplicity of points of attack
- Resource sharing
- Complexity of system
- Uncertain perimeter
- Unknown path
- Protocol flaws / protocol implementation flaws
3.2 Motivations for network attacks
- Challenge
- Fame
- Organised Crime
- Ideology
- Espionage / Intelligence
4 Threats in networks
4.1 Reconnaissance
- Port Scan
- Social Engineering
- Intelligence gathering
- O/S and Application fingerprinting
- IRC Chat rooms
- Available documentation and tools
- Protocol flaws / protocol implementation flaws
4.2 Threats in transit
- Eavesdropping / Packet sniffing
- Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)
4.3 Impersonation
- Password guessing
- Avoiding authentication
- Non-existent authentication
- Well-known authentication
- Masquerading
- Session hijacking
- Man-in-the-middle
4.4 Message confidentiality threats
- Mis-delivery
- Exposure – in the various devices along the path
- Traffic flow analysis – sometimes the knowledge that a message exists can be as important as the message content
4.5 Message integrity threats
- Falsification
- Noise
- Protocol failures / misconfigurations
4.6 Operating-system-based threats
- Buffer overflow
- Viruses, Trojans, rootkits
- Password attacks
4.7 Application-based threats
- Web-site defacement
- DNS cache poisoning
- XSS (Cross-site Scripting)
- Active-code / Mobile-code
- Cookie harvesting
- Scripting
4.8 Denial of service
- SYN flooding
- Ping of death
- Smurf
- Teardrop
- Traffic re-direction
- Distributed Denial of Service
- Bots and Botnets
- Script Kiddies
5 Network security controls
5.1 Vulnerability and threat assessment
5.2 Network architecture
- Network segmentation
- Architect for availability
- Avoid SPOF (single points of failure)
- Encryption
  - Link encryption
  - End-to-end encryption
- Secure Virtual Private Networks
- Public Key Infrastructure and certificates
- SSL and SSH
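The difference between link encryption and end-to-end encryption is where along the path the plaintext exists. The following added example (my own illustration, not from the cited texts) simulates a sender, two routers and a receiver, and reports at which nodes the message is readable under each scheme. The path, the keys and the toy HMAC-based keystream cipher are all constructed for this illustration; a real link or tunnel would use an AEAD cipher such as AES-GCM, and the only point shown here is where plaintext is exposed.

```python
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative symmetric cipher: XOR with a keystream of HMAC-SHA256(key, nonce || counter).
    Encryption and decryption are the same operation. It exists only to show where plaintext
    is present; a real deployment uses an AEAD cipher, and a nonce must never repeat under one key."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


# Constructed path: two routers sit between the endpoints.
PATH = ["sender", "router1", "router2", "receiver"]
LINK_KEYS = {(a, b): os.urandom(32) for a, b in zip(PATH, PATH[1:])}  # one key per hop
E2E_KEY = os.urandom(32)                                                # known only to the endpoints


def link_encrypted_transit(message: bytes, nonce: bytes) -> dict:
    """Link encryption: every hop decrypts with the inbound link key and re-encrypts with the
    outbound one. Returns what each node after the sender holds once it has decrypted."""
    seen = {}
    payload = message
    for src, dst in zip(PATH, PATH[1:]):
        on_wire = keystream_xor(LINK_KEYS[(src, dst)], nonce, payload)
        payload = keystream_xor(LINK_KEYS[(src, dst)], nonce, on_wire)  # dst decrypts its link
        seen[dst] = payload
    return seen


def end_to_end_transit(message: bytes, nonce: bytes) -> dict:
    """End-to-end encryption: only the endpoints hold the key; routers forward ciphertext."""
    seen = {}
    on_wire = keystream_xor(E2E_KEY, nonce, message)
    for node in PATH[1:-1]:
        seen[node] = on_wire  # a router holds, and can only read, the ciphertext
    seen[PATH[-1]] = keystream_xor(E2E_KEY, nonce, on_wire)
    return seen


def exposed_at(seen: dict, message: bytes) -> list:
    """Names of the nodes at which the plaintext of `message` was present."""
    return [node for node, data in seen.items() if data == message]


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"   # constructed message
    nonce = os.urandom(12)
    print("link encryption exposes plaintext at:", exposed_at(link_encrypted_transit(msg, nonce), msg))
    print("end-to-end encryption exposes plaintext at:", exposed_at(end_to_end_transit(msg, nonce), msg))
```

Under link encryption every intermediate device is a place the message can be read or altered, which is why a compromised router matters; under end-to-end encryption the routers carry only ciphertext. In practice the two are layered: end-to-end protection for the content, link encryption to hide headers and traffic patterns on each hop.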
5.3 Strong authentication
- One Time Password
- Challenge Response authentication
- Kerberos
5.4 Firewalls
- Packet Filters
- Stateful Packet Filters
- Application proxies
- Diodes
- Firewall on end-points
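To show why the distinction between packet filters and stateful packet filters matters, here is an added example (my own, not from the references) that runs one constructed packet sequence through a stateless rule set and a stateful one. The addresses, ports and the single published web server are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str    # "in" = arriving from the Internet, "out" = leaving the protected LAN
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""   # TCP flags as letters: S = SYN, A = ACK


WEB_SERVER = "10.0.0.5"   # constructed: the only service the LAN publishes to the outside


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: judges every packet on its own header, with no memory of earlier packets."""
    if pkt.direction == "out":
        return True
    if pkt.proto == "tcp" and pkt.dst == WEB_SERVER and pkt.dport == 80:
        return True
    # To let replies to outbound connections back in, a stateless rule set has to accept
    # any inbound TCP packet with ACK set ("established"). That same rule admits
    # unsolicited ACK-flagged packets aimed at any internal host and port.
    if pkt.proto == "tcp" and "A" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful packet filter: remembers connections opened from inside (and to the published
    service) and admits inbound packets only when they belong to a remembered connection."""

    def __init__(self):
        self.flows = set()   # 5-tuples in client -> server orientation

    def allow(self, pkt: Packet) -> bool:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.flags == "S":
                self.flows.add(fwd)           # new outbound connection: remember it
            return True
        if pkt.proto == "tcp" and pkt.flags == "S" and pkt.dst == WEB_SERVER and pkt.dport == 80:
            self.flows.add(fwd)               # new inbound connection to the published service
            return True
        return fwd in self.flows or rev in self.flows   # otherwise only packets of known flows


def compare(packets):
    """Run one packet sequence through both filters; returns (description, stateless, stateful)."""
    stateful = StatefulFilter()
    return [(desc, stateless_filter(p), stateful.allow(p)) for desc, p in packets]


# Constructed scenario: an internal client, the reply to it, an unsolicited probe, and a web visitor.
SCENARIO = [
    ("client opens HTTPS to the Internet", Packet("out", "tcp", "10.0.0.20", 40000, "203.0.113.9", 443, "S")),
    ("SYN/ACK reply to that client",       Packet("in",  "tcp", "203.0.113.9", 443, "10.0.0.20", 40000, "SA")),
    ("unsolicited ACK packet at SSH",      Packet("in",  "tcp", "198.51.100.7", 1234, "10.0.0.20", 22, "A")),
    ("visitor opens the web server",       Packet("in",  "tcp", "192.0.2.10", 51000, WEB_SERVER, 80, "S")),
]

if __name__ == "__main__":
    for desc, stateless, stateful in compare(SCENARIO):
        a = "allow" if stateless else "drop"
        b = "allow" if stateful else "drop"
        print(f"{desc:38} stateless={a:5} stateful={b}")
```

The third packet is the one to watch: the stateless filter passes it because its "established" rule only looks at the ACK bit, while the stateful filter drops it because no inside host ever opened that connection. Application proxies go one step further and reassemble the application protocol itself; a firewall on each end-point applies the same state tracking to traffic that never crosses the perimeter.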
5.5 Intrusion detection / prevention systems
- Network based / host based
- Signature based
- Heuristics based / protocol anomaly based
- Stealth mode
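This added example (my own code, not from the references) puts the detection styles listed above, and the reconnaissance and denial-of-service threats from sections 4.1 and 4.8, into one small network IDS: a signature rule over request payloads, a heuristic for a port sweep (many distinct ports from one source within a short window), and a protocol-anomaly check for SYN floods (SYNs that never progress to the ACK of the handshake). The log format, the addresses, the thresholds and the sample lines are all constructed.

```python
import re
from collections import defaultdict

# Constructed sample log, one TCP packet per line:
#   "<epoch> <src-ip> <dst-ip>:<dst-port> <tcp-flags> [<payload>]"
SAMPLE_LOG = []
SAMPLE_LOG += [f"{100 + i} 198.51.100.7 10.0.0.5:{21 + i} S" for i in range(15)]      # sweep of 15 ports
SAMPLE_LOG += [f"{200 + i // 10} 203.0.113.50 10.0.0.5:80 S" for i in range(60)]     # SYNs never completed
SAMPLE_LOG += ["300 192.0.2.10 10.0.0.5:80 S", "300 192.0.2.10 10.0.0.5:80 A",
               "301 192.0.2.10 10.0.0.5:80 PA GET /index.html HTTP/1.1"]               # ordinary client
SAMPLE_LOG += ["400 192.0.2.11 10.0.0.5:80 S", "400 192.0.2.11 10.0.0.5:80 A",
               "401 192.0.2.11 10.0.0.5:80 PA GET /../../etc/passwd HTTP/1.1"]         # traversal attempt

# Signature rules: content that is bad regardless of who sends it.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "script-injection": re.compile(r"<script", re.IGNORECASE),
}
# Heuristic thresholds (constructed for the sample; tune them to the monitored network).
SCAN_PORTS, SCAN_WINDOW_S = 10, 60          # distinct ports from one source to one host in the window
FLOOD_SYNS, FLOOD_MAX_ACK_RATIO = 50, 0.1   # many SYNs from one source with almost no follow-up ACKs


def parse(line):
    """Split one constructed log line into a record; the payload is optional."""
    ts, src, dst_port, flags, *rest = line.split(maxsplit=4)
    dst, dport = dst_port.rsplit(":", 1)
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
            "flags": flags, "payload": rest[0] if rest else ""}


def analyze(lines):
    """Return a list of (kind, source, detail) alerts; each alert kind fires once per source."""
    alerts, fired = [], set()
    ports_seen = defaultdict(list)                      # (src, dst) -> [(ts, dport), ...]
    syn_count, ack_count = defaultdict(int), defaultdict(int)

    def fire(kind, src, detail):
        if (kind, src) not in fired:
            fired.add((kind, src))
            alerts.append((kind, src, detail))

    for rec in map(parse, lines):
        src = rec["src"]
        # 1. Signature based: known-bad content in the payload.
        for name, pattern in SIGNATURES.items():
            if pattern.search(rec["payload"]):
                fire("signature", src, name)
        # 2. Heuristic: a port sweep is many distinct destination ports in a short window.
        key = (src, rec["dst"])
        ports_seen[key].append((rec["ts"], rec["dport"]))
        recent = {p for t, p in ports_seen[key] if rec["ts"] - t <= SCAN_WINDOW_S}
        if len(recent) >= SCAN_PORTS:
            fire("portscan", src, f"{len(recent)} ports on {rec['dst']}")
        # 3. Protocol anomaly: a SYN flood sends SYNs that never progress to the handshake's ACK.
        if rec["flags"] == "S":
            syn_count[src] += 1
        elif "A" in rec["flags"]:
            ack_count[src] += 1
        if syn_count[src] >= FLOOD_SYNS and ack_count[src] / syn_count[src] <= FLOOD_MAX_ACK_RATIO:
            fire("synflood", src, f"{syn_count[src]} SYNs, {ack_count[src]} ACKs")
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The signature rule is precise but only catches what it was written for; the two heuristics need no prior knowledge of the payload but depend on thresholds, which is where false positives come from. A host-based sensor would run the same logic over one machine's own connections; an IPS would act on the alert (drop or rate-limit the source) instead of only reporting it, and a sensor in stealth mode has no address of its own on the monitored segment, so it can observe without being reachable.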
5.6 Policies and procedures
- Enterprise-wide Information Security Policy
- Procedures
- Buy-in (from Executives and employees)
- Review, enhancement and modification
5.7 Other network controls
- Data-leakage protection systems
  - Network based / host based
- Content scanning / anti-virus / spyware control systems
  - Network based / host based
- Secure e-mail systems
  - Design and implementation
- ACLs (Access Control Lists)
References:
- Gurpreet Dhillon, Principles of Information Security Systems – Texts and Cases, Chapter 5: Network Security
- Charles P. Pfleeger and Shari Lawrence Pfleeger, Security in Computing, Chapter 7: Security in Networks
- Mark Merkow and Jim Breithaupt, Information Security Principles and Practices, Chapter 12: Telecommunications, Network and Internet Security