Foreign-Language Translation: Firewalls and Addresses; Characteristics of Computer Intrusion and Kinds of Security Breaches
ADDRESSES

Each technology has its own convention for transmitting messages between two machines within the same network. On a LAN, messages are sent between machines by supplying the six byte unique identifier (the "MAC" address). In an SNA network, every machine has Logical Units with their own network address. DECNET, Appletalk, and Novell IPX all have a scheme for assigning numbers to each local network and to each workstation attached to the network.

On top of these local or vendor specific network addresses, TCP/IP assigns a unique number to every workstation in the world. This "IP number" is a four byte value that, by convention, is expressed by converting each byte into a decimal number (0 to 255) and separating the bytes with a period. For example, the PC Lube and Tune server is 130.132.59.234.

An organization begins by sending electronic mail to Hostmaster@INTERNIC.NET requesting assignment of a network number. It is still possible for almost anyone to get assignment of a number for a small "Class C" network in which the first three bytes identify the network and the last byte identifies the individual computer. The author followed this procedure and was assigned the numbers 192.35.91.* for a network of computers at his house. Larger organizations can get a "Class B" network where the first two bytes identify the network and the last two bytes identify each of up to 64 thousand individual workstations. Yale's Class B network is 130.132, so all computers with IP address 130.132.*.* are connected through Yale.

The organization then connects to the Internet through one of a dozen regional or specialized network suppliers. The network vendor is given the subscriber network number and adds it to the routing configuration in its own machines and those of the other major network suppliers.

There is no mathematical formula that translates the numbers 192.35.91 or 130.132 into "Yale University" or "New Haven, CT." The machines that manage large regional networks or the central Internet routers managed by the National Science Foundation can only locate these networks by looking each network number up in a table. There are potentially thousands of Class B networks, and millions of Class C networks, but computer memory costs are low, so the tables are reasonable. Customers that connect to the Internet, even customers as large as IBM, do not need to maintain any information on other networks. They send all external data to the regional carrier to which they subscribe, and the regional carrier maintains the tables and does the appropriate routing.

New Haven is in a border state, split 50-50 between the Yankees and the Red Sox. In this spirit, Yale recently switched its connection from the Middle Atlantic regional network to the New England carrier. When the switch occurred, tables in the other regional areas and in the national spine had to be updated, so that traffic for 130.132 was routed through Boston instead of New Jersey. The large network carriers handle the paperwork and can perform such a switch given sufficient notice. During a conversion period, the university was connected to both networks so that messages could arrive through either path.

NETWORK FIREWALLS

The purpose of a network firewall is to provide a shell around the network which will protect the systems connected to the network from various threats. The types of threats a firewall can protect against include:

Unauthorized access to network resources - an intruder may break into a host on the network and gain unauthorized access to files.
Denial of service - an individual from outside of the network could, for example, send thousands of mail messages to a host on the net in an attempt to fill available disk space or load the network links.
Masquerading - electronic mail appearing to have originated from one individual could have been forged by another with the intent to embarrass or cause harm.

A firewall can reduce risks to network systems by filtering out inherently insecure network services. Network File System (NFS) services, for example, could be prevented from being used from outside of a network by blocking all NFS traffic to or from the network. This protects the individual hosts while still allowing the service, which is useful in a LAN environment, on the internal network.

One way to avoid the problems associated with network computing would be to completely disconnect an organization's internal network from any other external system. This, of course, is not the preferred method. Instead, what is needed is a way to filter access to the network while still allowing users access to the "outside world". In this configuration, the internal network is separated from the external network by a firewall gateway. A gateway is normally used to perform relay services between two networks. In the case of a firewall gateway, it also provides a filtering service which limits the types of information that can be passed to or from hosts located on the internal network.

There are three basic techniques used for firewalls: packet filtering, circuit gateways, and application gateways. Often, more than one of these is used to provide the complete firewall service.

There are several configuration schemes of firewalls in the practical application of inter-network security. They usually use the following terminology:

Screening router - it can be a commercial router or a host-based router with some kind of packet filtering capability.
Bastion host - it is a system identified by the firewall administrator as a critical strong point in the network security.
Dual-homed gateway - some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet, and disabling TCP/IP forwarding.
Screened-host gateway - it is possibly the most common firewall configuration. This is implemented using a screening router and a bastion host.
Screened subnet - an isolated subnet is situated between the Internet and the private network. Typically, this network is isolated using screening routers, which may implement varying levels of filtering.
Application-level gateway - it is also called a proxy gateway and usually operates at a user level rather than the lower protocol level common to the other firewall techniques.

CHARACTERISTICS OF COMPUTER INTRUSION AND KINDS OF SECURITY BREACHES

1. CHARACTERISTICS OF COMPUTER INTRUSION

The target of a crime involving computers may be any piece of the computing system. A computing system is a collection of hardware, software, storage media, data, and persons that an organization uses to do computing tasks. Whereas the obvious target of a bank robbery is cash, a list of names and addresses of depositors might be valuable to a competing bank. The list might be on paper, recorded on a magnetic medium, stored in internal computer memory, or transmitted electronically across a medium such as a telephone line. This multiplicity of targets makes computer security difficult.

In any security system, the weakest point is the most serious vulnerability. A robber intent on stealing something from your house will not attempt to penetrate a two-inch thick metal door if a window gives easier access. A sophisticated perimeter physical security system does not compensate for unguarded access by means of a simple telephone line and a modem. The "weakest point" philosophy can be restated as the following principle.

Principle of Easiest Penetration. An intruder must be expected to use any available means of penetration. This will not necessarily be the most obvious means, nor will it necessarily be the one against which the most solid defense has been installed.

This principle says that computer security specialists must consider all possible means of penetration, because strengthening one may just make another means more appealing to intruders. We now consider what these means of penetration are.

2. KINDS OF SECURITY BREACHES

In security, an exposure is a form of possible loss or harm in a computing system; examples of exposures are unauthorized disclosure of data, modification of data, or denial of legitimate access to computing. A vulnerability is a weakness in the security system that might be exploited to cause loss or harm. A human who exploits a vulnerability perpetrates an attack on the system. Threats to computing systems are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters, inadvertent human errors, and internal hardware or software flaws. Finally, a control is a protective measure - an action, a device, a procedure, or a technique - that reduces a vulnerability.

The major assets of computing are hardware, software, and data. There are four kinds of threats to the security of a computing system: interruption, interception, modification, and fabrication. The four threats all exploit vulnerabilities of the assets in computing systems.

In an interruption, an asset of the system becomes lost or unavailable or unusable. An example is malicious destruction of a hardware device, erasure of a program or data file, or failure of an operating system file manager so that it cannot find a particular disk file.

An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system. Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. While a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected.

If an unauthorized party not only accesses but tampers with an asset, the failure becomes a modification. For example, someone might modify the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted. It is even possible for hardware to be modified. Some cases of modification can be detected with simple measures, while other more subtle changes may be almost impossible to detect.

Finally, an unauthorized party might fabricate counterfeit objects for a computing system. The intruder may wish to add spurious transactions to a network communication system, or add records to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.

These four classes of interference with computer activity - interruption, interception, modification, and fabrication - can describe the kinds of exposures possible.
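The ADDRESSES section (classful network numbers and table-driven routing) and the NETWORK FIREWALLS section (a screening router blocking NFS at the boundary) can both be illustrated with one small model. The following Python is an added example written for this page; it is not code from the original document or from any of the products it mentions. The class boundaries on the first byte (A: 0-127, B: 128-191, C: 192-223) and the NFS port number 2049 are standard values the text does not state; the routing-table entries and the packets are constructed sample data.

```python
"""Classful network numbers, a carrier's lookup table, and a screening-router
rule that keeps NFS from crossing the network boundary.  Added example, not
part of the original document."""
from collections import namedtuple

# Assumed well-known value: NFS listens on TCP/UDP port 2049 (not in the text).
NFS_PORT = 2049

# The Class B network from the text: all of 130.132.*.* is reached through Yale.
INTERNAL_NET = (130, 132)

Packet = namedtuple("Packet", "src dst sport dport")


def parse_ip(text):
    """Dotted-quad string -> tuple of four ints in 0..255, as the text describes."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"not a dotted quad: {text!r}")
    octets = tuple(int(p) for p in parts)
    if any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"byte out of range in {text!r}")
    return octets


def classful_network(ip):
    """Return (class, network number) using the byte counts from the text:
    two bytes identify a Class B network, three bytes a Class C network.
    The first-byte ranges are the standard classful boundaries (assumed)."""
    first = ip[0]
    if first < 128:
        return "A", ip[:1]
    if first < 192:
        return "B", ip[:2]
    if first < 224:
        return "C", ip[:3]
    raise ValueError(f"{ip} is not a classful unicast address")


# A carrier's table: the owner of a network number cannot be computed from the
# number, so each network is looked up.  Constructed entries for illustration.
ROUTES = {
    (130, 132): "New England carrier (Boston)",
    (192, 35, 91): "author's home Class C via its regional carrier",
}


def route(dst_text, table=ROUTES, default="regional carrier (default route)"):
    """Look the destination's network number up in the table; anything unknown
    is handed to the regional carrier, as the text says customers do."""
    _, net = classful_network(parse_ip(dst_text))
    return table.get(net, default)


def reroute(table, sample_addr, new_carrier):
    """Update one table copy when a subscriber changes carriers, as happened
    when traffic for 130.132 moved from New Jersey to Boston."""
    _, net = classful_network(parse_ip(sample_addr))
    table[net] = new_carrier


def screen(packet, internal_net=INTERNAL_NET):
    """Screening-router policy from the text: block all NFS traffic to or from
    the network, but leave NFS usable between internal hosts."""
    src_in = classful_network(parse_ip(packet.src))[1] == internal_net
    dst_in = classful_network(parse_ip(packet.dst))[1] == internal_net
    crosses_boundary = src_in != dst_in
    if crosses_boundary and NFS_PORT in (packet.sport, packet.dport):
        return "drop"
    return "permit"


if __name__ == "__main__":
    print(classful_network(parse_ip("130.132.59.234")))   # ('B', (130, 132))
    print(route("130.132.59.234"))
    print(screen(Packet("192.35.91.7", "130.132.59.234", 40000, NFS_PORT)))  # drop
    print(screen(Packet("130.132.1.1", "130.132.2.2", 40000, NFS_PORT)))     # permit
```

The filter checks both the source and destination port so that NFS replies leaving the network are stopped as well as requests entering it; a rule that looked only at the destination port would leave half of the conversation unfiltered.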
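The four threat classes in section 2 (interruption, interception, modification, fabrication) differ in what a defender can notice after the fact. The following Python is an added example, not code from the original document: it audits a stream of records that a sender numbered consecutively and tagged with an HMAC (a control, in the text's terms). A gap in the numbering surfaces as an interruption, a duplicated number as a fabricated insertion, and a failed tag as a record that was either modified or counterfeited (the receiver cannot tell the two apart). Interception produces no finding at all, which is exactly the text's point that a silent interceptor leaves no trace. The key and record contents are constructed sample data.

```python
"""Auditing a numbered, HMAC-tagged record stream for the threat classes in
the text.  Added example; the key and records are constructed for the demo."""
import hashlib
import hmac


def _tag(key: bytes, seq: int, body: str) -> str:
    """HMAC-SHA256 over sequence number and body together, so neither can be
    changed on its own without invalidating the tag."""
    return hmac.new(key, f"{seq}\x00{body}".encode(), hashlib.sha256).hexdigest()


def make_record(key: bytes, seq: int, body: str) -> dict:
    """What the legitimate sender emits for each transaction."""
    return {"seq": seq, "body": body, "tag": _tag(key, seq, body)}


def audit(key: bytes, records: list) -> list:
    """Return a list of (finding, detail) tuples:
    - ("interruption", (first_missing, last_missing)) for a gap in numbering,
      i.e. records that became lost or unavailable;
    - ("fabrication", seq) for a second record reusing a number already seen,
      i.e. a counterfeit insertion;
    - ("modification_or_fabrication", seq) for a tag that does not verify:
      a genuine record that was tampered with, or a forged one with a fresh
      number; the receiver cannot distinguish these.
    Interception leaves the stream intact and therefore yields no finding."""
    findings = []
    seen = set()
    expected = 1
    for rec in records:
        seq = rec["seq"]
        if seq in seen:
            findings.append(("fabrication", seq))
            continue
        seen.add(seq)
        if seq > expected:
            findings.append(("interruption", (expected, seq - 1)))
        if not hmac.compare_digest(rec["tag"], _tag(key, seq, rec["body"])):
            findings.append(("modification_or_fabrication", seq))
        expected = max(expected, seq + 1)
    return findings


if __name__ == "__main__":
    key = b"constructed-demo-key"   # sample key, not a real secret
    good = [make_record(key, i, b)
            for i, b in enumerate(["deposit 100", "withdraw 40", "deposit 10"], 1)]
    tampered = [dict(r) for r in good]
    tampered[1]["body"] = "withdraw 4000"          # modification
    lost = [good[0], good[2]]                      # interruption
    forged = good + [{"seq": 2, "body": "withdraw 9", "tag": "00" * 32}]  # fabrication
    for name, stream in [("good", good), ("tampered", tampered),
                         ("lost", lost), ("forged", forged)]:
        print(name, audit(key, stream))
```

The check only works if the key stays out of the intruder's reach: an unauthorized party that intercepts the key can fabricate records with valid tags, and those are, as the text says, virtually indistinguishable from the real thing.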