外文翻译--防火墙地址入侵计算机的特点和破坏安全的类型.doc

ADDRESSESEachtechnologyhasitsownconventionfortransmittingmessagesbetweentwomachineswithinthesamenetwork.OnaLAN,messagesaresentbetweenmachinesbysupplyingthesixbyteuniqueidentifier(theMACaddress).InanSNAnetwork,everymachinehasLogicalUnitswiththeirownnetworkaddress.DECNET,Appletalk,andNovellIPXallhaveaschemeforassigningnumberstoeachlocalnetworkandtoeachworkstationattachedtothenetwork.Ontopoftheselocalorvendorspecificnetworkaddresses,TCP/IPassignsauniquenumbertoeveryworkstationintheworld.ThisIPnumberisafourbytevaluethat,byconvention,isexpressedbyconvertingeachbyteintoadecimalnumber(0to255)andseparatingthebyteswithaperiod.Forexample,thePCLubeandTuneserveris34.AnorganizationbeginsbysendingelectronicmailtoHostmasterINTERNIC.NETrequestingassignmentofanetworknumber.ItisstillpossibleforalmostanyonetogetassignmentofanumberforasmallClassCnetworkinwhichthefirstthreebytesidentifythenetworkandthelastbyteidentifiestheindividualcomputer.Theauthorfollowedthisprocedureandwasassignedthenumbers192.35.91.*foranetworkofcomputersathishouse.LargerorganizationscangetaClassBnetworkwherethefirsttwobytesidentifythenetworkandthelasttwobytesidentifyeachofupto64thousandindividualworkstations.YalesClassBnetworkis130.132,soallcomputerswithIPaddress130.132.*.*areconnectedthroughYale.TheorganizationthenconnectstotheInternetthroughoneofadozenregionalorspecializednetworksuppliers.Thenetworkvendorisgiventhesubscribernetworknumberandaddsittotheroutingconfigurationinitsownmachinesandthoseoftheothermajornetworksuppliers.Thereisnomathematicalformulathattranslatesthenumbers192.35.91or130.132intoYaleUniversityorNewHaven,CT.ThemachinesthatmanagelargeregionalnetworksorthecentralInternetroutersmanagedbytheNationalScienceFoundationcanonlylocatethesenetworksbylookingeachnetworknumberupinatable.TherearepotentiallythousandsofClassBnetworks,andmillionsofClassCnetworks,butcomputermemorycostsarelow,sothetablesarereasonable.CustomersthatconnecttotheInternet,evencustomersaslargeasIBM,donotneedtomaintainanyinformationonothernetworks.Theysendallexternaldatatotheregionalcarriertowhichtheysubscribe,andtheregionalcarriermaintainsthetablesanddoestheappropriaterouting.NewHavenisinaborderstate,split50-50betweentheYankeesandtheRedSox.Inthisspirit,YalerecentlyswitcheditsconnectionfromtheMiddleAtlanticregionalnetworktotheNewEnglandcarrier.Whentheswitchoccurred,tablesintheotherregionalareasandinthenationalspinehadtobeupdated,sothattrafficfor130.132wasroutedthroughBostoninsteadofNewJersey.Thelargenetworkcarriershandlethepaperworkandcanperformsuchaswitchgivensufficientnotice.Duringaconversionperiod,theuniversitywasconnectedtobothnetworkssothatmessagescouldarrivethrougheitherpath.NETWORKFIREWALLSThepurposeofanetworkfirewallistoprovideashellaroundthenetworkwhichwillprotectthesystemsconnectedtothenetworkfromvariousthreats.Thetypesofthreatsafirewallcanprotectagainstinclude:Unauthorizedaccesstonetworkresources-anintrudermaybreakintoahostonthenetworkangainunauthorizedaccesstofiles.Denialofserviceanindividualfromoutsideofthenetworkcould,forexample,sendthousandsofmailmessagestoahostonthenetinanattempttofillavailablediskspaceorloadthenetworklinks.Masqueradingelectronicmailappearingtohaveoriginatedfromoneindividualcouldhavebeenforgedbyanotherwiththeintenttoembarrassorcauseharm.Afirewallcanreduceriskstonetworksystemsbyfilteringoutinherentlyinsecurenetworkservices.NetworkFileSystem(NFS)services,forexample,couldbepreventedfrombeingusedfromoutsideofanetworkbyblockingallNFStraffictoorfromthenetwork.Thisprotectstheindividualhostswhilestillallowingtheservice,whichisusefulinaLANenvironment,ontheinternalnetwork.Onewaytoavoidtheproblemsassociatedwithnetworkcomputingwouldbetocomputingwouldbetocompletelydisconnectanorganizationsinternalnetworkfromanyotherexternalsystem.This,ofcourseisnotthepreferredmethod.Insteadwhatisneededisawaytofilteraccesstothenetworkwhilestillallowingusersaccesstothe“outsideworld”.Inthisconfiguration,theinternetnetworkisseparatedfromexternalnetworkbyafirewallgateway.Agatewayisnormallyusedtoperformrelayservicesbetweentwonetworks.Inthecaseofafirewallgateway,italsoprovidesafilteringservicewhichlimitsthetypesofinformationthatcanbepassedtoorfromhostslocatedontheinternalnetwork.Therearethreebasictechniquesusedforfirewalls:packetfiltering,circuitgateway,andapplicationgateways.Often,morethanoneoftheseisusedtoprovidethecompletefirewallservice.Thereareseveralconfigurationschemesoffirewallinthepracticalapplicationofinter-networksecurity.Theyusuallyusethefollowingterminologies:Screeningrouter-itcanbeacommercialrouterorahost-basedrouterwithsomekindofpacketfilteringcapability.Bastionhost-itisasystemidentifiedbythefirewalladministratorasacriticalstrongpointinthenetworksecurity.Dual-homedgateway-somefirewallsareimplementedwithoutascreeningrouter,byplacingasystemonboththeprivatenetworkandtheInternet,anddisablingTCP/IPforwarding.Screened-hostgatewayitispossiblythemostcommonfirewallconfiguration.Thisisimplementedusingascreeningrouterandabastionhost.Screenedsubnet-anisolatedsubnetissituatedbetweentheInternetandtheprivatenetwork.Typically,thisnetworkisisolatedusingscreeningrouters,whichmayimplementvaryinglevelsoffiltering.Application-levelgateway-itisalsocalledaproxygatewayandusuallyoperatesatauserlevelratherthanthelowerprotocollevelcommontotheotherfirewalltechniques.CHARACTERISTICSOFCOMPUTERINTRUSIONANDKINDSOFSECURITYBREACHES1.CHARACTERISTICSOFCOMPUTERINTRUSIONThetargetofacrimeinvolvingcomputersmaybeanypieceofthecomputingsystem.Acomputingsystemisacollectionofhardware,software,storagemedia,data,andpersonsthatanorganizationusestodocomputingtasks.Whereastheobvioustargetofabankrobberyiscash,alistofnamesandaddressesofdepositorsmightbevaluabletoacomputingbank.Thelistmightbeonpaper,recordedonamagneticmedium,storedininternalcomputermemory,ortransmittedelectronicallyacrossamediumsuchasatelephoneline.Thismultiplicityoftargetsmakescomputersecuritydifficult.Inanysecuritysystem,theweakestpointisthemostseriousvulnerability.Arobberintentonstealingsomethingfromyourhousewillnotattempttopenetrateatwo-inchthickmetaldoorifawindowgiveseasieraccess.Asophisticatedperimeterphysicalsecuritysystemdosenotcompensateforunguardedaccessbymeansofasimpletelephonelineandamodem.The“weakestpoint”philosophycanberestatedasthefollowingprinciple.PrincipleofEasiestPenetration.Anintrudermustbeexpectedtouseanyavailablemeansofpenetration.Thiswillnotnecessarilybethemostobviousmeans,norwillitnecessarilybetheoneagainstwhichthemostsoliddefensehasbeeninstalledThisprinciplesaysthatcomputersecurityspecialistsmustconsiderallpossiblemeansofpenetration,becausestrengtheningonemayjustmakeanothermeansmoreappealingtointruders,Wenowconsiderwhatconsiderwhatthesemeansofpenetrationare.2.KINDSOFSRCURITYBREACHESInsecurity,anexposureisaformofpossiblelossorharminacomputingsystem；examplesofexposuresareunauthorizedofdata,modificationofdata,ordenialoflegitimateaccesstocomputing.Avulnerabilityisaweaknessinthesecuritysystemthatmightbeexploitedtocauselossorharm.Ahumanwhoexploitsavulnerabilityperpetratesanattackonthesystem.Threatstocomputingsystemsarecircumstancesthathavethepotentialtocauselossorharm；humanattacksareexamplesofthreats,asarenaturaldisasters,inadvertenthumanerrors,andinternalhardwareorsoftwareflaws.Finally,acontrolisaprotectivemeasure-anaction,adevice,aprocedure,oratechnique-thatreducesavulnerability.Themajorassetsofcomputingarehardware,software,anddata.Therearefourkindsofthreatstothesecurityofacomputingsystem；interruption,interception,modification,andfabrication.Thefourthreatsallexploitvulnerabilitiesoftheassetsincomputingsystems.Inainterruption,anassetofthesystembecomeslostorunavailableorunusable.Anexampleismaliciousdestructionofahardwaredevice,erasureofaprogramordatafile,orfailureofanoperatingsystemfilemanagersothatitcannotfindaparticulardiskfile.Aninterruptionmeansthatsomeunauthorizedpartyhasgainedtoanasset.Theoutsidepartycanbeaperson,aprogram,oracomputingsystem.Examplesofthistypeoffailureareillicitcopyingofprogramordatafiles,orwiretappingtoobtaindatainanetwork.Whilealossmaybediscoveredfairlyquickly,asilentinterceptormayleavenotracesbywhichtheinterceptioncanbereadilyd