




Foreign Language Translation
Title: Network Security: Protecting the Server
So, you want to run a web server in your basement to create the next big thing, and you're looking for some cheap security advice on how to get started? Well, my first and best suggestion is don't do it. I'm just saying, if NASA, you know, rocket scientists, can't keep hackers out of its web servers, what makes you think you can? Go find some ISP that has the services you are looking for, and pay the ISP to do it. The job of administering a web server on your own can consume every waking moment, and unless you don't ever want to leave the house, it is well worth the money to let the pros handle the frontend work.

Are you really still reading? Picture this: you find that perfect somebody. You plan a romantic evening and go out to a movie and have a nice dinner.
Just when things start to get interesting, your phone trumpets out the cavalry charge ring tone informing you of 15 unauthorized login attempts on the web server. After apologizing to those around you for disrupting their dinner, your date raises an eyebrow and decides to skip dessert. Still there, eh? I'm sorry. I know, it must sound glamorous to have your very own web server, but unless you have spent time thinking like a hacker, odds are whatever you put on the Internet will be vulnerable to attack.

Ajax applications require a web server to work. After all, what good is the XMLHttpRequest object without a web server to talk to on the backend? So, Ajax Security starts with the web server. If your web server is not secure, neither is your application. You need to know what role the web server plays in security. Securing a web server is a non-trivial task that requires an understanding of the web server's relationship with the network. By being aware of what security measures are on the web server, you can balance the security necessary within your applications. In this chapter, I will look at how to ensure the network is secure, and then go through the steps for making a secure and dynamite web server. I will also address what to do in the event of an attack.

See that funny-looking telephone-like cable coming out of your DSL/cable modem? That's the Internet. Before we can set up a web server, we must first prepare the network. You don't want to plug the web server into the Internet with a giant "Hack Me" sign on it, do you? We must take some precautions first. What we really need to do is separate us from them, right? Us being, you know, us, and them being, well, the bad guys. We need a wall, make that a firewall, to keep them out.

Firewalls

A firewall is a device sitting between a private network and a public network. Part of what helps make a private network private is, in fact, the firewall.
The firewall's job is to control traffic between computer networks with different zones of trust, for example, an internal, trusted zone, such as a private network, and an external, non-trusted zone, such as the Internet.

Trust boundaries

Different trust zones meet in what is known as trust boundaries. A trust boundary is like a seam in the network and, as mentioned earlier, seams require added security attention. We need to make sure that all the gaps are filled and that the firewall allows the right kind of traffic. We do this with firewall rules. Firewall rules establish a security policy governing what traffic is allowed to flow through the firewall and in what direction. The ultimate goal is to provide a controlled interface between the different trust zones and enforce a common security policy on the traffic that flows between them, based on the following security principles:

Principle of least privilege
A user should be allowed to do only what she is required to do.

Separation of duties
Define roles for users and assign different levels of access control. Control how the application is developed, tested, and deployed, and who has access to application data.

Firewalls are good at making quick decisions about whether one machine should be allowed to talk to another. The easiest way for the firewall to do this is to base its decisions on source address and destination address.

Hey, what's this rule for?

Far too often firewalls are found with rules that nobody remembers adding. This happens because administrators fear something will break if they remove them. When firewall rules are introduced, there should be a well-defined procedure for keeping track of each rule and its purpose. Another problem is that to see whether a firewall is actually doing what it is supposed to be doing, you need to beat on it with a penetration-testing tool and monitor it with intrusion detection software. In other words, you have to hack it to see if it breaks.

Port 80

That's just web traffic, right?
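The section above says the firewall and the server behind it must be monitored with intrusion detection software, and the opening anecdote gives the concrete trigger: 15 unauthorized login attempts. The following is an added example, not code from the chapter or its author, of the smallest useful form of that check: it parses sshd-style "Failed password" lines, keeps a sliding window of failures per source address, and raises one alert per source when the window reaches a threshold. The log lines are constructed samples, and the line format, the five-minute window and the threshold of 15 are assumptions of this example, not settings the chapter specifies.

```python
"""Added example, not from the chapter: counting failed logins per source.

Parse sshd-style "Failed password" lines, keep a sliding window of failures
per source address, and alert once per source when the window holds
`threshold` failures. Sample log lines are constructed; the line format,
window and threshold are assumptions of this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd-style failure line; syslog timestamps carry no year.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_failed_login(line: str, year: int = 2024):
    """Return (timestamp, source ip, user) for a failed-login line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold: int = 15, window_seconds: int = 300):
    """Map source ip -> ISO time of the failure that tripped the threshold.

    Each source keeps only failures from the last `window_seconds`; the alert
    fires once per source, when the window holds `threshold` failures.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_failed_login(line)
        if parsed is None:
            continue                        # not a failure line: ignore it
        ts, ip, _user = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts.isoformat()
    return alerts


def build_sample_log():
    """Constructed sample log (not real traffic): one noisy source, one real user."""
    base = datetime(2024, 3, 10, 21, 2, 0)
    entries = []
    for i in range(15):                     # 15 failures, seven seconds apart
        t = base + timedelta(seconds=7 * i)
        entries.append((t, f"{t:%b %d %H:%M:%S} web sshd[{2200 + i}]: Failed password for "
                           f"invalid user admin from 203.0.113.9 port {51000 + i} ssh2"))
    t = base + timedelta(seconds=20)        # one typo by a legitimate user, then success
    entries.append((t, f"{t:%b %d %H:%M:%S} web sshd[2300]: Failed password for alice "
                       f"from 198.51.100.4 port 40001 ssh2"))
    t = base + timedelta(seconds=31)
    entries.append((t, f"{t:%b %d %H:%M:%S} web sshd[2301]: Accepted password for alice "
                       f"from 198.51.100.4 port 40002 ssh2"))
    return [line for _, line in sorted(entries)]


if __name__ == "__main__":
    for ip, when in detect_bruteforce(build_sample_log()).items():
        print(f"ALERT {ip}: 15 failed logins within 5 minutes (at {when})")
```

The single failure from 198.51.100.4 never reaches the threshold, so only the noisy source alerts; shrinking the window to 60 seconds makes even the noisy source fall under 15 and produces no alert, which is the tuning trade-off any such monitor has.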
Port 80 is sometimes called the firewall bypass port. This is because many times any traffic will be allowed in and out of the firewall on port 80. Firewall administrators open port 80 for web traffic, and developers take advantage of the open port by running things such as web services through it, so much for firewall security.

SSL

SSL must be terminated before the firewall so that the firewall can inspect the data and make decisions about the content being sent or received. Otherwise, the data is encrypted with SSL. If the firewall or some proxy in front of or behind the firewall terminates SSL, the user won't see a lock in her browser and may become confused or concerned that she cannot do secure online banking, for example.

SSL proxies

There is a crafty solution to the SSL problem: an SSL proxy server. A proxy server can set up its own outbound SSL connection to the server the user wants to contact. The proxy server then negotiates a separate SSL connection with the user's browser. The user's browser doesn't know what is on the other side of the proxy, so it cannot get to the other side without the proxy's help. The proxy then impersonates the destination web server by generating and signing, on the fly, a certificate for that web destination. The only way this works is if the user's browser trusts the proxy as a certificate authority. Meaning that if the user's browser has a Certificate Authority (CA) certificate from the company in its trusted store of certificates, then the browser will accept the proxy's generated certificate as legit. Once this sort of proxy is set up, it is possible to thoroughly inspect all content flowing through without any worry about encryption getting in the way. Although this does now make it possible to inspect the contents of the web transaction, an organization such as the Electronic Frontier Foundation might complain about the loss of the user's privacy.

Multiple firewalls can be used to build tiers within trust boundaries.
By building a tier with a firewall, all the rules controlling access to that tier can be managed on each end. This allows for a flexible yet restrictive network configuration. Where we see this type of configuration most is in the setup of a traditional demilitarized zone (DMZ) style firewall configuration. Figure 4-1 shows a typical tiered network.

Figure 4-1. A tiered network architecture

If an attack happens within the DMZ, it is isolated to this segment of the network, thereby limiting the damage an attacker can do. The secondary firewall protects the internal network in the event a DMZ machine is compromised.

Separation of duties

Boy, that's a beefy machine you got there. It's going to make a fine web server. However, you might be thinking it's big enough to do everything (Web, FTP, news, mail, and so on), and it might be. But, the problem is that if the machine is compromised, everything is compromised. You don't want that; that would be bad. Thus it is a good practice to isolate these services and spread the functionality out by creating a separate, hardened machine for each major network service:

- Firewalls
- Proxy and gateway servers
- Web servers
- Application servers
- Database servers
- Logging servers
- Email servers
- FTP servers

Separating these services limits the impact of an attack and reduces the surface an attacker has to work with. Yes, that's right. Now you have an excuse to buy more machines! Remember, you are the one who wanted to get into the business of hosting web sites, right? At a minimum, there should be a point in your network, in front of the web server, that you can use for inspecting and detecting problems. You may not need a full DMZ-type setup, but if you are going to play on the Internet, I advise you to at least have a well-configured router and a firewall. Now that the network is ready, we can get back to building the web server.
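The firewall rules section (decisions on source and destination, default deny, least privilege, and rules nobody remembers adding) and the tiered DMZ layout with separate hardened hosts both come together in the following added example. It is not code from the chapter or its author, and it is not any firewall product's configuration format: it is a small model in which two firewalls sit between three trust zones (Internet, DMZ, internal), each firewall evaluates ordered rules with default deny, every rule records an owner and a purpose, and an audit lists the rules nobody documented. The zone ranges, host addresses, ports and rule records are constructed assumptions for the example.

```python
"""Added example, not from the chapter: a model of the tiered firewall layout.

Two firewalls sit between three trust zones (internet, dmz, internal). Each
firewall holds ordered rules that decide on source, destination, port and
direction, with default deny; each rule records its owner and purpose, and
an audit lists rules nobody documented. Zone ranges, hosts, ports and rules
below are constructed assumptions, not any product's configuration.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

TIERS = ["internet", "dmz", "internal"]          # outermost to innermost

# Constructed address plan (documentation ranges): the DMZ and the internal net.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "dmz": ip_network("192.0.2.0/24"),
    "internal": ip_network("10.0.0.0/8"),
}


def zone_of(addr: str) -> str:
    """Most specific matching range wins; the internet catch-all matches any IPv4."""
    ip = ip_address(addr)
    matches = [(net.prefixlen, name) for name, net in ZONES.items() if ip in net]
    if not matches:
        raise ValueError(f"{addr} is not in any configured zone")
    return max(matches)[1]


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]             # None matches any port
    action: str                         # "allow" or "deny"
    owner: str = ""                     # who asked for the rule
    purpose: str = ""                   # why it exists (empty = nobody remembers)
    src_host: Optional[str] = None      # restrict to one source host
    dst_host: Optional[str] = None      # restrict to one destination host

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src_zone == zone_of(src) and self.dst_zone == zone_of(dst)
                and (self.dst_port is None or self.dst_port == port)
                and (self.src_host is None or self.src_host == src)
                and (self.dst_host is None or self.dst_host == dst))


@dataclass
class Firewall:
    name: str
    rules: list = field(default_factory=list)

    def decide(self, src: str, dst: str, port: int):
        """First matching rule wins; no match means deny (default deny)."""
        for rule in self.rules:
            if rule.matches(src, dst, port):
                return rule.action, rule
        return "deny", None


def permitted(firewalls, src: str, dst: str, port: int) -> bool:
    """A flow crosses every firewall between its two tiers; all must allow it.

    firewalls[k] sits between TIERS[k] and TIERS[k + 1]; a flow that stays
    inside one zone crosses no firewall at all.
    """
    lo, hi = sorted((TIERS.index(zone_of(src)), TIERS.index(zone_of(dst))))
    return all(fw.decide(src, dst, port)[0] == "allow" for fw in firewalls[lo:hi])


def undocumented(firewalls):
    """Rules with no recorded owner or purpose: candidates for review and removal."""
    return [(fw.name, r) for fw in firewalls for r in fw.rules if not (r.owner and r.purpose)]


def prune_undocumented(firewalls):
    for fw in firewalls:
        fw.rules = [r for r in fw.rules if r.owner and r.purpose]


def build_sample_policy():
    """Constructed policy: a web host and an app host in the DMZ, a database inside."""
    outer = Firewall("outer", [
        Rule("internet", "dmz", 80, "allow", "web team", "public site", dst_host="192.0.2.10"),
        Rule("internet", "dmz", 443, "allow", "web team", "public site (TLS)", dst_host="192.0.2.10"),
        # The kind of rule the chapter warns about: port 80 to *any* DMZ host,
        # and nobody recorded who added it or why.
        Rule("internet", "dmz", 80, "allow"),
    ])
    inner = Firewall("inner", [
        # Least privilege: only the app server may reach the database port.
        Rule("dmz", "internal", 5432, "allow", "app team", "app server to database",
             src_host="192.0.2.30", dst_host="10.0.5.10"),
        Rule("dmz", "internal", 514, "allow", "ops", "DMZ hosts ship syslog to the log server",
             dst_host="10.0.9.10"),
    ])
    return [outer, inner]


if __name__ == "__main__":
    fws = build_sample_policy()
    print("internet -> web:443 ", permitted(fws, "203.0.113.9", "192.0.2.10", 443))
    print("internet -> db:5432 ", permitted(fws, "203.0.113.9", "10.0.5.10", 5432))
    print("web -> db:5432      ", permitted(fws, "192.0.2.10", "10.0.5.10", 5432))
    print("app -> db:5432      ", permitted(fws, "192.0.2.30", "10.0.5.10", 5432))
    print("internet -> mail:80 ", permitted(fws, "203.0.113.9", "192.0.2.20", 80))
    for fw_name, r in undocumented(fws):
        print(f"{fw_name}: undocumented rule {r.src_zone}->{r.dst_zone} port {r.dst_port}")
    prune_undocumented(fws)
    print("after pruning, internet -> mail:80", permitted(fws, "203.0.113.9", "192.0.2.20", 80))
```

Two things the model makes visible: a flow from the Internet to the internal database is refused at the outer firewall before the inner one is even consulted, which is the point of the second firewall in Figure 4-1, and the undocumented port-80 rule quietly exposes every DMZ host on the "firewall bypass port" until the audit finds it and it is pruned, after which the documented, host-specific rule still serves the public site.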