Specialized Computer English Translation + 5000 Words.doc

Local Area Network Security

A VLAN (Virtual Local Area Network) is an end-to-end logical network, built with network management software on top of a switched LAN, that can span different network segments and different networks. A VLAN forms one logical subnet, that is, one logical broadcast domain; it can cover multiple network devices and allows network users at different geographical locations to join the same logical subnet. VLAN technology logically divides the workstations in a LAN into separate segments in order to implement virtual workgroups. In 1999 the IEEE issued the 802.1Q draft protocol for VLANs, a protocol proposed to address Ethernet broadcast problems and security.

Logically, a VLAN is equivalent to a broadcast domain. More specifically, a VLAN can be thought of as a set of end users. These users may sit on different physical LANs, yet they can communicate with one another as freely as if they were on the same LAN, without being restricted by physical location. Here the definition and partitioning of the network have no necessary connection to physical location or physical cabling. A network administrator can use the appropriate network software to create and configure virtual networks flexibly according to different needs, and allocate to each virtual network the bandwidth it requires.

A VLAN is not a new type of network. It is a logical LAN containing a group of end stations that appear to be connected by the same cable but may in fact be on different physical segments of the LAN. It is a logical group of devices or users that communicate with one another as if they were on the same physical LAN, without being restricted by physical location.

VLANs on switched networks can currently be divided roughly into four types: port-based VLANs, MAC-address-based VLANs, routing-based VLANs and policy-based VLANs. Port-based partitioning is the simplest and most effective method. It is based on switch ports: the administrator only has to reassign the switching ports of the network devices, without regard to the devices attached to those ports, and the different segments attached to different switch ports can be placed in one VLAN. A MAC-address-based VLAN is a set of MAC addresses. It allows a network user to move from one physical location to another while automatically keeping membership of the VLAN, so it is based on the network user. However, because MAC addresses are unique, initial setup is laborious, and the VLAN must be reconfigured whenever a network card is replaced. In addition, it cannot prevent MAC spoofing attacks and is exposed to attacks that use forged MAC addresses.

VLAN technology gives greater flexibility in designing, extending and changing networks, mainly in the following ways.

More flexible network design. Stations at different geographical locations can be placed in the same virtual network without geographical restriction; users and devices can be grouped by function, project team or application, and users can be added or removed as actual conditions require.

Easier moves, additions and changes of stations, which greatly improves the ability to manage a dynamic network. When a user's work location changes for some reason, a user on a traditional LAN has to change the station's IP address and default gateway before getting back on the network. A user on a MAC-address-based VLAN does not have to change anything and can get on the network from any location, because VLAN membership is not bound to a fixed workstation. Conversely, when a user's actual location stays the same but the user changes department, the administrator can change the logical relationship between the user and the VLAN by changing VLAN membership. This reduces day-to-day management overhead and provides greater configuration flexibility.

Better network security. On a network built with traditional LAN technology, anyone with a PC running protocol analysis software who connects it to a hub can capture all the data on that segment; with MAC-address-based VLAN technology it is not possible to capture that VLAN's data. VLANs are logically separated from one another: packets from members of a VLAN are carried only inside that VLAN, and even within the same network different VLANs cannot communicate directly, which effectively stops broadcast storms from spreading. For application systems on a campus network such as financial management, personnel records management and scientific research databases that are not open to the public, the administrator can use VLAN technology to partition the broadcast domain logically and so restrict unauthorized access by users, ensuring the data security of important departments. Unless a monitoring port has been configured, switched traffic cannot be eavesdropped on or have data inserted into it, which improves the security of the network. On an internal network, MAC-address-based VLAN technology can effectively prevent IP address theft.

In a network that uses VLAN technology, the stations in each VLAN can directly access the servers in that VLAN, which improves the response speed of the network; at the same time, stations in the same VLAN can communicate with one another very conveniently. A VLAN is a local area network divided logically on a physical network according to purpose, workgroup, application and so on, independent of the users' physical locations. With VLAN technology, an administrator only has to issue configuration commands to create a VLAN for a project or task.

Computer network security mainly concerns the security of the information on the network and the security of the network system itself. Internet security is the main problem of network security. On the one hand, it arises from the security threats the network faces; the Internet security threats people usually have in mind come from external hacker attacks, computer viruses, denial-of-service attacks and the like. When building a network, therefore, we first consider how to avoid security problems coming from the Internet and how to respond comprehensively to the various threats; only then can the confidentiality, integrity and availability of network information be ensured. On the other hand, it arises from the inherent weaknesses of the Internet itself: how to guarantee legitimate users lawful access to resources on the network, and how to prevent hacker attacks, have become the main content of network security. Network security measures should be able to respond comprehensively to the various threats; only then can the confidentiality, integrity and availability of network information be ensured.

When planning the network we therefore place the most critical data on an internal network with no Internet interface, referred to here as the core data network. It mainly carries core information such as internal video conferencing, building automation, security monitoring, financial data, core epidemic data and the laboratory management system. The core data network can be used only after authorization, and only by the senior leaders and professional staff who are entitled to handle this information. Because it is isolated from the Internet, hacker attacks and leaks through spyware can be avoided; deploying a network edition of antivirus software internally then makes the network extremely secure. Day-to-day office work and information that must be exchanged with the outside world are placed on another network, called the integrated office network. This network is given an Internet interface so that the center's staff can exchange information with the outside, and certain security measures are taken to protect the data and keep the network running safely. It runs the various information platforms, such as the office automation (OA) system, the mail server and the epidemic reporting system.

The company should create a number of VLANs according to its departments and, based on each department's security requirements, design access control lists for each VLAN on the switches to control each department's rights to use the network, which greatly improves the security of each department's network. Dividing the company's one large LAN into a number of VLANs helps, on the one hand, to contain broadcast storms and improve the overall performance and security of the switched network; on the other hand, it confines IP address conflicts caused by mistakes or viruses to a single VLAN so that they do not affect the operation of the whole LAN.

Digital enterprise management has become the main goal of information-system development in large enterprises. The internal network is the main carrier of that development, and its security has become a primary issue that cannot be ignored when building an enterprise's internal network. With the continuing development of China's economy and technology, digital enterprise management, a product of the network age, has become the direction in which enterprise management is developing. As internal networks expand rapidly and the number of network users grows quickly, internal network security has become a primary issue that cannot be ignored in enterprise network construction.

Operating system security. The widely used network operating systems are mainly UNIX, Windows and Linux. All of these operating systems have security problems of various kinds, and many new computer viruses spread by exploiting operating system vulnerabilities. If the operating system is not updated promptly to close these vulnerabilities, a computer will be infected again and again even if antivirus software is installed.

Damage by viruses. Computer viruses disrupt the normal operation of computer systems, damage system software and file systems, destroy network resources, sharply reduce network efficiency and can even paralyse computers and network systems. They are a main factor affecting the security of enterprise internal networks.

Hackers. The public security industry standard of the People's Republic of China defines a hacker as "a person who gains unauthorized access to a computer system", which is also how most people currently understand the term. Most hackers do not analyse the source code of operating systems or applications, find vulnerabilities or write tools themselves; they are simply adept at using the very large stock of ready-made tools available to them. Common intrusion methods include port listening, port scanning, password intrusion and Java bombs.

Password intrusion. For ease of management, an enterprise generally assigns an account to each leader and worker who uses the network and grants permissions according to the scope of their work. Some people, in order to access content they are not supposed to access, steal other people's passwords by improper means, causing confusion in the management of the enterprise and the leakage of important enterprise documents.

Access by improper channels and internal sabotage. In an enterprise, some people destroy or tamper with personnel records in retaliation; some change program settings and throw the system into confusion; some exceed their authority in handling official business and steal confidential data for personal gain. These security risks have all seriously damaged the school's management order.

Equipment damage. Equipment damage mainly means damage to network hardware. The equipment of an enterprise internal network is spread across the whole enterprise and is very hard to manage. Any equipment installed where it cannot be locked away may be damaged, intentionally or unintentionally, with the serious consequence that all or part of the internal network is paralysed.

Restricted use of sensitive servers. Because finance servers and other sensitive servers hold large numbers of important databases and files, concern about security forces them to be physically isolated from the enterprise internal network, so that the application software cannot be used to its real potential.

Problems beyond technology. An enterprise intranet is a rather special network environment. As internal networks have grown, most enterprises have now largely brought network access to every department's offices. With network access available in more places, supervising the network has become harder still. Some employees are very interested in networking and have a considerable level of expertise, and some even majored in network security when they were students; attacking the enterprise intranet becomes their first choice for showing off their talent or even for venting personal grievances. Furthermore, many leaders and employees have weak awareness of computer network security and lack security knowledge. The enterprise's rules and regulations are not yet complete and cannot yet effectively regulate and constrain how leaders and employees use the network.

A security policy is the set of rules that must be followed in a particular environment to guarantee a given level of security protection. A security policy comprises strict management, advanced technology and the relevant laws. The security policy determines the ways and means used to keep the network system secure. That is, one must first be clear about what is needed and draw up an appropriate policy that meets those needs, and only then consider how to implement it technically.

Physical security policy. Ensuring the physical security of the equipment in a computer network system is the precondition for the security of the whole network. Physical security is the process of protecting computer network equipment, facilities and other media from damage caused by environmental accidents such as earthquakes, floods and fires, by human operating mistakes or errors, and by computer crime of all kinds. Its purpose is to protect hardware such as computer systems, web servers and printers, and the network devices of the communication link layer, from natural disasters, human sabotage and wiretapping attacks. It has two main aspects. Environmental security: protecting the environment in which the system is located and ensuring that the computer system has a good electromagnetically compatible working environment. Equipment security: protecting equipment against theft and destruction, preventing leakage through electromagnetic emanations, resisting electromagnetic interference, and protecting the power supply.

Access control policy. The main task of access control is to ensure that network resources are not used or accessed illegally; it is one of the most important core policies for network security. There are seven main forms:

Network entry access control. This provides the first layer of access control for the network. It controls which users can log in to a server and obtain network resources, the times at which permitted users may enter the network, and the workstations from which they may do so.

Network permission control. This is a security measure directed against illegal operations on the network.

Directory-level security control. The network should allow control of users' access to directories, files and devices.

Attribute security control. When files, directories and network devices are used, the network system administrator should assign access attributes to the files, directories and so on.

Network server security control. The network allows a series of operations to be carried out at the server console. From the console a user can load and unload modules and install and remove software.

Network monitoring and lock-out control. The network administrator should monitor the network, and servers should record users' access to network resources. For illegal network access, the server should raise an alarm by graphics, text or sound to attract the administrator's attention.

Security control of network ports and nodes. A port is a virtual "doorway" through which information enters and resides in the computer. The ports of servers on the network are often protected by automatic call-back devices and silent modems, and the identity of nodes is verified in encrypted form. Automatic call-back devices are used to prevent impersonation of legitimate users; silent modems are used to guard against attacks on the computer by hackers' automatic dialling programs.

Firewall control policy. The firewall is a recently developed technical measure for protecting computer network security. It is a barrier that prevents hackers on the network from accessing an organization's network. It is a system (software, hardware, or both) that sits between two networks and enforces a control policy. It is used to restrict external, unauthorized users from accessing internal network resources, and it uses a network traffic monitoring system to separate the internal and external networks so as to block intrusion from the external network and prevent theft or destructive malicious attacks.

Information encryption policy. The purpose of information encryption is to protect the data, files, passwords and control information inside the network and to protect data transmitted over the network. Three methods of network encryption are commonly used: link encryption, endpoint encryption and node encryption. The encryption process itself is carried out by various encryption algorithms. In most cases, information encryption is the only way to guarantee the confidentiality of information.
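
The department VLANs with per-VLAN access control lists described above, and the difference between port-based and MAC-address-based membership, can be modelled in a few lines. This is an added example, not part of the original document; the port map, subnets, ACL entries and MAC table are all constructed for illustration.

```python
"""Constructed model: port-based VLANs, inter-VLAN ACLs, MAC-based membership."""
from ipaddress import ip_address, ip_network

# Hypothetical plan: switch port -> VLAN ID (port-based membership).
PORT_VLAN = {1: 10, 2: 10, 3: 20, 4: 20, 5: 30}
# Hypothetical addressing: VLAN ID -> department subnet.
VLAN_SUBNET = {
    10: ip_network("10.0.10.0/24"),  # finance
    20: ip_network("10.0.20.0/24"),  # general office
    30: ip_network("10.0.30.0/24"),  # servers
}
# Inter-VLAN ACL, first match wins: (action, src VLAN, dst VLAN, TCP port or None = any).
ACL = [
    ("permit", 10, 30, 1433),  # finance -> database server
    ("permit", 20, 30, 443),   # office  -> web applications
    ("deny", 20, 10, None),    # office may never reach finance
]
# Constructed MAC-based membership table.
MAC_VLAN = {"00:11:22:33:44:55": 10}


def flood_ports(ingress_port):
    """Ports that receive a broadcast from ingress_port: same VLAN only."""
    vlan = PORT_VLAN[ingress_port]
    return sorted(p for p, v in PORT_VLAN.items() if v == vlan and p != ingress_port)


def vlan_of(ip):
    """Map an IP address to its department VLAN, or None if unknown."""
    addr = ip_address(ip)
    return next((v for v, net in VLAN_SUBNET.items() if addr in net), None)


def routed_decision(src_ip, dst_ip, dst_port):
    """Decide whether traffic between two hosts is allowed."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    if src is None or dst is None:
        return "deny"    # address outside every department subnet
    if src == dst:
        return "permit"  # same VLAN: switched at layer 2, ACL not consulted
    for action, a_src, a_dst, a_port in ACL:
        if (a_src, a_dst) == (src, dst) and a_port in (None, dst_port):
            return action
    return "deny"        # implicit deny closes the list


def assigned_vlan(port, src_mac, mac_based):
    """MAC-based membership follows the claimed source MAC; port-based ignores it."""
    return MAC_VLAN.get(src_mac) if mac_based else PORT_VLAN[port]
```

With port-based membership a frame arriving on an office port stays in the office VLAN whatever source MAC it carries, which is why the MAC-based table needs additional controls before it is relied on for isolation.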
