Web Security: Open-Book Exam Review Index (revised edition)

Page references (P…) point to the slide pages of each chapter's lecture material.

Chapter 1: Introduction to Information Security
  1.1 Concept of Information Security
    Definition of information security P6
    Information security, computer security and information assurance (similarities & differences) P6
    Information security P7-8
    History P10-11
    Information security threats P12
    Key concepts of information security
      Concept P12
      Computer security, information security, information assurance P14
  1.2 Computer System Security
    System vulnerabilities: definition P16
    Operating system security P18
      Definition and causes of security vulnerabilities P19-20
    Database security P22
      Meaning of database system security P22-24
    User application security P25-28
  1.3 Information Security Services
    Basic concept P30
    Information security categories P31
    Information security management tools P32
    Information security services P33-34
    Authentication P35-36
    Access control P37-39
    Confidentiality P40
    Integrity P41-42
    Availability P43
    Non-repudiation P44
  1.4 Information Security Management, Audit and Protection (ISEC, ISM, ISMS) P47
    Security management
      ISM (information security management) P48
      ISMS (information security management system) P49
      Goals, principles and implementation (PDCA) of information security management P51-58
    Security audit
      Definition P60 & 62
      Process P62 & 63
      Content P64
      Relationship between security audit and security management P65-66
    Levels of information security
      The eight information security levels P68-69
      Information security management levels P72-75
    Conclusion
      Standards organizations P80
      Levels of impact (low, moderate, high) P82-84
      Computer security challenges P85
      Passive attacks (interception, traffic analysis) P88-89
      Active attacks (interruption, fabrication, replay, modification) P90-93

Chapter 2: Cryptographic Techniques
  2.1 Cryptology Introduction
    Cryptology definition P5-7
    History (manual, mechanical, modern) P9-12
    Concepts & items
      Plain text and cipher text P14
      Key and key space P14
      Cryptosystem services (confidentiality, integrity, authenticity, non-repudiation, access control, symmetric, asymmetric) P15-17
      Attributes of strong encryption (confusion, diffusion) P18
  2.2 Symmetric Key Cryptographic Algorithms
    Introduction P20-21
    Algorithm types & modes
      Block cipher P22 & 25
      Stream cipher P23 & 24
      Electronic Code Book (ECB) mode P26-30
      Cipher Block Chaining (CBC) mode P31-34
      Cipher Feedback (CFB) mode P35-37
      Output Feedback (OFB) mode P38-39
    Data Encryption Standard (DES)
      Background and history P40
      *How DES works P42
    Advanced Encryption Standard (AES)
      Introduction P44
      *How AES works P45-46
  2.3 Asymmetric Key Cryptographic Algorithms
    Introduction P48-52
    The RSA algorithm
      Introduction P53-55
      *How RSA works P56-58
      Public and private key generation P59
      Encrypting a message P60
      Decrypting a message P61
      Why decryption works P62
      Example P63-72
    Digital signatures P73
  2.4 Hashing Algorithms
    Introduction P76-77
    Message-Digest Algorithm (MD5)
      What is MD5 P78

Chapter 3: Authentication Technologies
  3.1 Overview
    Introduction to authentication technologies
      What is authentication, identification, authorization? P6
      Authentication involves two parties: prover & identifier P7
      Two kinds of authentication: entity authentication and (partial) message authentication P8-10
      Goals of authentication technologies (the properties a good scheme must have) P11
      Three classes of entity authentication P12
    The weak/strong authentication schemes
      Weak: password-based P13
      PIN-based (time-invariant password) P14
      Strong: secret-key based P15
      Public-key based P16
      Zero-knowledge based P17
      Device-based P18
    The application of authentication technologies: two authentication services, X.509 and Kerberos P19
    Attacks on authentication: attack types P20
      Impersonation
      Replay
      Forced delay attacks
      Interleaving
      Oracle session
      Parallel session
    Security guidelines to protect authentication schemes P21
  3.2 Public Key Infrastructure
    Introduction to PKI: what it is & what it is used for P24-27
    PKIX (PKI + X.509) P28
      End-entity; PKC (public key certificate); CA (certification authority); CR (certificate repository) P28
      End-entity, PKC P30
      CA, CR, CRL (certificate revocation list), CRL issuer, RA (registration authority) P31-32
      PKI documents P33
      CP (certificate policy), CPS (certification practice statement) P34
      Subscriber agreements, relying party agreements P35
    The management of PKIX P36
    Public key certificate: sample certificate contents P37
    Trust hierarchy model: strict hierarchy of trust P38
  3.3 Kerberos (the authentication system developed at MIT)
    What is Kerberos P40-41
    History & development P42
    Description (see the figures) P45-47
    Process P48-54
    Drawbacks & limitations P55-56
  3.4 X.509
    What is X.509: the widely used digital certificate standard P58
    Hierarchy P59
    History and versions P60
    Certificate P61
      Structure of a certificate P62-63
      How to obtain one P64
      Revoking a certificate P65
    Security problems P66
    Applications P68

Chapter 4: Introduction to Internet Security
  4.1 Network Security Architectures
    Levels of network security architectures (physical layer, system layer, network layer, application layer, security management) P6-9
    OSI/ISO 7498-2 model P10-11
      PDR, P2DR and PDRR security models P10
      ISO 7498-2 architectures P12
      Security life-cycle P13
    Threats, services & mechanisms P14
      Security domains and security policies P15
      Types of security policies P17
      Security threats/attacks, safeguards, vulnerabilities P18
      Risk P19
      Classification of threats P20
      Fundamental threats P21
      Primary enabling threats P22
      The two planting threats (Trojan horse, trapdoor) P23
    ISO security services P24
      Administrative security, media security, emanations security, life cycle controls P25
      Five main categories of security service
        Authentication P27
        Access control P28
        Data confidentiality P29
        Data integrity P30
        Non-repudiation P32
    ISO security mechanisms (8 kinds) P33-36
      Encryption mechanisms
      Digital signature mechanisms
      Access control mechanisms
      Data integrity mechanisms
      Authentication exchange mechanisms
      Traffic padding mechanisms
      Routing control mechanisms
      Notarization mechanisms
    TCP/IP security P47
  4.2 IPSec
    Introduction: IP packets are encrypted before transmission P49 & 52
    How IPsec protects us
      What do we need to protect P53
      What does IPsec provide P54-56
    Some basic concepts about IPSec P23
      Basic concepts: SA; SAD; SPI; SPD; AH; ESP (adds encryption on top of what AH offers); tunnel mode; transport mode P58-65
    ESP protocol
      Tunnel mode & transport mode (ESP) P67-77
      Datagram encapsulation and decapsulation
    AH protocol: provides integrity and origin authentication, no encryption P79-82
    Gateway and road warrior mode P85
      Typical IPSec deployment scenarios P84
    IKE (key management for IPSec) P86
      IPsec key negotiation with IKE has two phases P88-89
  4.3 SSL/TLS
    Introduction P91-93
      A simplified SSL/TLS model P94-96
    How TLS works P97-104
      Session, connection, write state, read state, cipher suite, pre-master secret, record layer protocol, handshake protocol, application data protocol
      TLS handshake (RSA as the example) P105-111
    Key generation: protected communication after the handshake has agreed the keys (key generation, master secret computation, key block computation, application data protocol) P112
    Resumption of a TLS handshake P118-119
  4.4 VPN
    Introduction P124
    OpenVPN
      Introduction P126-127
      How it works P128-129

Chapter 5: Network Attack and Defence
  5.1 Overview
    Network security crisis P7
      Network viruses P8
      Hackers and hacker tools P9
      Deterioration of the information ecosystem P10
    Types of network attack
      Destructive vs. intrusive, passive vs. active P11-12
      Eavesdropping P13
      Data tampering, identity spoofing (IP address spoofing) P14
      Password theft attacks P15
      Denial of service (DoS) P16
      Man-in-the-middle attacks, key theft attacks P17
      Sniffer attacks P18
      Application-layer attacks P19
    Steps of a network attack (preparation, execution, cleanup) P20-23
    Port scan P24
      Port scanning tools (Nmap & SuperScan) P25-30
      Port scan types P31
      TCP/SYN/UDP/ACK/FIN scanning P32-41
    Idle scan P42-49
    Methods of network defense P50
      Regular security defenses P51
  5.2 Password Cracking
    The vulnerability of passwords P53
    Password selection strategies P54-60
      User education
      Computer-generated passwords
      Reactive password checking
      Proactive password checking
      Use of hashed passwords
    Password cracking P62-64
      Using system bugs (extracting passwords directly through system vulnerabilities)
      Brute force
      Precomputing potential hash values (dictionary attack)
      Countermeasures against password cracking attacks P64
    Useful tools P65
  5.3 Buffer Overflow
    Background (definition & damage) P68-69
    Structure of an address space P71-72
      Example of a stack overflow attack P73-78
      Cause of vulnerability P79
    Attack classification P80
      Stack buffer overflow P81-85
      Heap buffer overflow P86
    Attack practicalities P87-90
    Protection solutions P95-107
  5.4 DoS Attack
    Definition P109
    Different kinds of DoS (flooding, crashing) P110
    Different kinds of DoS P111
      TCP/IP attacks P112-114
      UDP attacks P115-117
  5.5 Spoofing Attack
    DNS spoofing P120
      MITM attacks P120
      ARP cache poisoning P121-128
      DNS spoofing P129-137
      Defending against DNS spoofing P141-143
    Web spoofing P144
      What is web spoofing P145
      Different types of web spoofing P147-148
      How to spot a spoofed webpage P150
    IP spoofing P152
      Brief introduction to TCP/IP P154-156
      IP spoofing P156-179
      DoS/DDoS P180-183
      Defending against the threat P184

Chapter 6: Firewall
  6.1 Introduction to Firewall
    What is a firewall (and what it does) P6
    Types of firewall P7 & 16-19
      Packet filters P8-9
      Stateful filters P10
      Application filters P11
    What can a firewall do P20-26
    Where to base a firewall P28
    Bastion host P29
      Security bastion hosts P30-31
      Host-based firewall P32
      Advantages of using host-based firewalls P33
      Personal firewall P34
      DMZ network P35-36
      VPN network P37-38
      Distributed firewalls P39
  6.2 Design Principles of Firewall
    Packet filtering firewall
      What is a packet filtering firewall P42-43
      How a packet filtering firewall works P44-48
      What to filter P48-53
      Advantages P54-55
      Disadvantages P56-59
    Stateful packet filtering firewall P60
      What is a stateful inspection firewall P61-62
      How a stateful inspection firewall works P63-64
      Advantages P65-66
      Disadvantages P66
    Application layer firewall (ALG) P67
      What is a proxy P68-69
      Functions offered by a proxy (authentication mechanism, content filtering, mature logging) P72-73
      Advantages P74-76
      Disadvantages P77-78
    Bastion host P80
      Topological graph P81-82
      Classification of bastion hosts P83
        Traditional application bastion host P84
        Security bastion host P85
        Access-control bastion host P86
        Internal-control bastion host P87-93
      Physical placement of bastion hosts P94-97
  6.3 Penetration of Firewall
    Attacking packet filtering firewalls P100
      IP address spoofing attack P101
      Denial-of-service attack P102
      Tiny fragment attack P103
      Trojan attack P104
    Attacking stateful inspection firewalls P105-107
      Protocol tunneling P108-109
      Reverse-connecting Trojans P110
    Attacking proxies P111-112
      Unauthorized web access P114
      Unauthorized SOCKS access P115
      Unauthorized Telnet access P116
    Classification of firewall attacks P119
    Ten limitations of firewalls P120
    Ten vulnerabilities of firewalls P121
    Hardware firewalls P122
    Software firewalls P123
    Advantages of hardware firewalls over software firewalls P124-125
  6.4 Firewall Installation and Configuration
    Iptables P128

Chapter 7: Intrusion Detection
  7.1 Threats to Computer Systems
    Threats faced by computer systems P4
      DoS P5
      Spoofing P6
      Eavesdropping P7
      Password cracking P7
      Trojan P8
      Buffer overflow P8
  7.2 Process of Intrusions
    Basic steps of an intrusion P10
      Information about the targets P11
      Conduct of the attack P12
      Afterwards P13
  7.3 What is Intrusion Detection
    Definition & 3 classes of intruders (masquerader, misfeasor, clandestine user) P15
    Classification of computer system threats P16
    The concept of intrusion P17
    Audit techniques, goals of auditing P18
    The concept of intrusion detection P19
    Functions of intrusion detection P20-22
    Differences from a firewall P25-26
  7.4 Methods of Intrusion Detection
    2 ways to tell whether a behavior is malicious (the two main approaches to intrusion detection) P28
    Anomaly detection, based on behavior P30
      Behavioral model P31-32
      Uses of anomaly detection P32
      Statistical analysis P33
      Neural networks P34
      Data mining P35
    Misuse (signature) detection, based on rules (knowledge) P36
      Pattern matching P37
      State transition P37
      Expert system P38
    Comparison of the two kinds of detection P39
  7.5 Structure of IDS
    Information gathering P42-43
      System and network logs P43
      Anomalous changes of system directories and files P44
      Anomalous behavior in program execution P44
    Analysis engine P45-47
      Pattern matching P46
      Statistical analysis P47
      Integrity analysis P47
    Response unit P48-49
    Structure of IDS P50
    Intrusion detection model: the IDES model & its 6 components P51-54
    Common Intrusion Detection Framework (CIDF) P55-60
      The 4 basic components of an IDS P59: event generators, event analyzers, event databases, response units
  7.6 HIDS and NIDS
    Host-based IDS (HIDS) P62-63
      Some potential threats to HIDS P64-66
        Abuse of privilege P65
        Access to and modification of key information P66
        Security misconfiguration P66
      HIDS detection strategies P67-68
      Advantages and disadvantages of HIDS P69-70
    Network-based IDS
      What a NIDS includes P72
      Sensors: inline sensor & passive sensor P73
      Some attack scenarios P75
      Advantages and disadvantages of NIDS P76-77
    Comparison of HIDS and NIDS P80
  7.7 Introduction to IPS (Intrusion Prevention System)
    What is an IPS P82
    The need for IPS P83
    Shortcomings of IDS P84-86
    Security capabilities
      Detect intrusion & evaluate the detection capabilities P88-89
      Log intrusion P90-91
      Stop intrusion P92-93
      Report intrusion P94-95
    Types of IPS P96
      Agent/sensor & management server P97
      Database server & console P98
      HIPS P99
      NIPS P101
    Compare IPS with IDS P104-107

Chapter 8: The Architecture and Security of Web Applications
  8.1 Overview
    Definition of web applications P5
    Components of the Web & web applications P6
    C/S (Client/Server) architecture P7-8
      Advantages of C/S P9
      Disadvantages of C/S P10
    B/S (Browser/Server) architecture P11-12
      Advantages and disadvantages of B/S P13-14
    Comparison of C/S and B/S architectures P15-16
    Structure of web applications P17-18
      Static pages & the access flow for static pages P19-20
      Dynamic pages & the access flow for dynamic pages P21-22
      Database-backed dynamic pages & their access flow P23-24
    Web site architecture
      Hardware P27
      Software in 3 tiers: presentation layer, business layer, persistent layer (domain layer) P28-30
        Example of domain-layer logic P34-35
      Software: in MVC (Model, View, Controller) P38
    Electronic commerce architecture P39
      Requirements P40-42
      Common architecture: MVC-EJB (Enterprise JavaBean) diagram P43
      B2C diagram P44
      C2C (Taobao) diagram P45
      C2C (Taobao): high scalability P46
      C2C (Taobao): WebX, technical environment P47
    HTTP server P49
      Apache HTTP Server P50-52
      Features of the Apache web server software P53
      IIS server P54-55
      Other web servers P56
  8.2 Web Security Primer
    Why not secure P63
    Objective causes of web security problems P66
      Traditional network security devices P67
      Traditional protection methods P68
    Subjective causes of web security problems P69
    Goals of web security P70-72
    Web Security Technology(