




Chapter 4: Network security (lecture slides by 高天寒 / Timothygao78)

Review
- Introduction
- Message authentication
- MD5
- SHA-1
- Digital signature
- PKI

Contents
- Network security
- Security attack
- Architecture and mechanisms
- Firewall
- IDS
- VPN
- Other security techniques

Network security
- In the broad sense, network security means that the hardware, software and data of a network system are protected from accidental or malicious damage, alteration and disclosure, that the system keeps running continuously and reliably, and that network services are not interrupted
- In the narrow sense, it refers to the operational security of the network
- Characteristics of the Internet:
  - no borders
  - no central authority
  - no defenses
  - no legal constraints
- Security problems have become a major factor affecting the development of the Internet

Network security (Cont.)
- Lack of user authentication mechanisms
  - the IP address is used as the main identifier of a node
  - TCP/IP has no mechanism for verifying that an IP address is genuine
  - network topology
- Lack of authentication in routing protocols
- Lack of confidentiality
- TCP/UDP defects
  - three-way handshake flaw
  - initial sequence number flaw
  - UDP is vulnerable to source routing and DoS
- Vulnerabilities of TCP/IP services

Security attack
- A security attack is any unauthorized action whose purpose is to interfere with or damage a network system
- Two views of when an attack has taken place:
  - only once the action is fully complete and the attacker is inside the target system
  - from the moment the attacker starts working on the target machine
- Attack methods are diverse and the environments in which they occur are ever wider
  - they can be actions that violate the network security policy
  - they can be actions that show known attack characteristics
  - they can be anomalous actions that deviate from the profile of normal behaviour
- Attack behaviour always follows some discernible pattern

Attack character
- Attacker
- Time
- Goal (targets)
  - small network
  - university
  - multi-user network
  - government

Attack method (figure)

Attack method (Cont.)
- Interruption: an attack on availability
- Interception: an attack on confidentiality
- Modification: an attack on integrity
- Fabrication: an attack on reliability and accountability
- Attacks fall into two categories: "passive", when a network intruder intercepts data travelling through the network, and "active", in which an intruder initiates commands to disrupt the network's normal operation

Typical attacks
- TCP SYN flooding
- ICMP flooding
- Smurf
- Fragment attack
- Teardrop
- IP spoofing
- DNS spoofing

Security architecture (figure)
- Layers, top down: Application, Transport, Network, Link, Physical
- Mechanisms shown beside the layers: S-HTTP, S/MIME, SET; SSL; IPSec; TPM; C&A

Mechanisms
- Firewall
- VPN
- IDS
- Scanner
- Isolation
- Auditing

Firewall
- A firewall is a hardware/software combination that restricts access to or from a network resource
- A network resource is any addressable entity on a computer network
- Two control policies:
  - trust everything except what should not be trusted (default allow)
  - distrust everything except what should be trusted (default deny)

Characteristics of FW
- All traffic from inside to outside must pass through the firewall (all other access to the local network is physically blocked, so the only path is through the firewall)
- Only authorized traffic (defined by the local security policy) will be allowed to pass
- The firewall is inserted between the premises network and the Internet

Types of FW
- By physical form: software, hardware, …-level
- By performance: 100 Mbit/s, Gigabit, Tbit/s
- By deployment position: perimeter, personal, distributed
- By operating mode: packet-filtering router, application-level gateway

Packet filtering
- Packet-filtering router
  - applies a set of rules to each incoming IP packet and then forwards or discards the packet
  - filters packets going in both directions
  - the packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header
  - two default policies (discard or forward)

Packet filtering (Cont.)
- Figure: a screening router sits between the external network and the internal network (a /24 whose address is not given on the slide), which hosts a mail server, a web server and other hosts
- Filter rules, evaluated from the top down (the addresses of the internal network and the two servers are missing from the slide):

Source IP     | Source port | Destination IP | Dest. port | Proto | Flags | Action | Description
internal /24  | Any         | Any            | Any        | TCP   | Any   | Allow  | Allow all of our traffic out
Any           | Any         | internal /24   | > 1024     | TCP   | ACK   | Allow  | Allow replies to our calls
Any           | Any         | mail server    | 25         | TCP   | Any   | Allow  | Allow traffic to our mail server
Any           | Any         | web server     | 80         | TCP   | Any   | Allow  | Allow traffic to our web server
Any           | Any         | Any            | Any        | Any   | Any   | Reject | Disallow all other traffic
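The screening-router rule list above, evaluated first-match from the top with "reject" as the default policy, as an added Python example that is not code from the lecture. The internal network (192.0.2.0/24), mail server (192.0.2.25) and web server (192.0.2.80) are constructed placeholders from the documentation address range, since the slide does not give the real addresses; the sample packets are constructed as well.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Optional, Union

# Constructed placeholders (documentation range) for the slide's unnamed
# internal /24, mail server and web server.
INTERNAL_NET = ip_network("192.0.2.0/24")
MAIL_SERVER = ip_address("192.0.2.25")
WEB_SERVER = ip_address("192.0.2.80")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str                      # "TCP", "UDP", "ICMP", ...
    flags: frozenset = frozenset()  # TCP flags set on the packet, e.g. {"SYN"}, {"ACK"}


AddrSel = Union[IPv4Network, IPv4Address, None]    # None means "Any"
PortSel = Union[int, Callable[[int], bool], None]  # exact port, predicate such as "> 1024", or Any


def _addr_ok(sel: AddrSel, addr: IPv4Address) -> bool:
    if sel is None:
        return True
    if isinstance(sel, IPv4Network):
        return addr in sel
    return addr == sel


def _port_ok(sel: PortSel, port: int) -> bool:
    if sel is None:
        return True
    if callable(sel):
        return sel(port)
    return port == sel


@dataclass(frozen=True)
class Rule:
    src: AddrSel
    dst: AddrSel
    dport: PortSel
    proto: Optional[str]   # None means "Any"
    flag: Optional[str]    # TCP flag that must be set; None means "Any"
    action: str            # "Allow" or "Reject"
    description: str

    def matches(self, p: Packet) -> bool:
        # Every header field the rule names must match; a packet filter sees headers only.
        return (_addr_ok(self.src, ip_address(p.src))
                and _addr_ok(self.dst, ip_address(p.dst))
                and _port_ok(self.dport, p.dport)
                and (self.proto is None or self.proto == p.proto)
                and (self.flag is None or self.flag in p.flags))


# The slide's rule list, top to bottom. Order matters: the first matching rule decides.
RULES = [
    Rule(INTERNAL_NET, None, None, "TCP", None, "Allow", "Allow all of our traffic out"),
    Rule(None, INTERNAL_NET, lambda port: port > 1024, "TCP", "ACK", "Allow", "Allow replies to our calls"),
    Rule(None, MAIL_SERVER, 25, "TCP", None, "Allow", "Allow traffic to our mail server"),
    Rule(None, WEB_SERVER, 80, "TCP", None, "Allow", "Allow traffic to our web server"),
    Rule(None, None, None, None, None, "Reject", "Disallow all other traffic"),
]


def filter_packet(p: Packet, rules=RULES, default="Reject"):
    """First-match evaluation; the default policy (discard here) applies only if no rule matches."""
    for r in rules:
        if r.matches(p):
            return r.action, r.description
    return default, "default policy"


# Constructed packets: one per rule, two that only the catch-all rule rejects, and one
# that shows the stateless nature of the "replies" rule.
SAMPLE_PACKETS = [
    Packet("192.0.2.10", 40000, "198.51.100.7", 443, "TCP", frozenset({"SYN"})),        # outbound call
    Packet("198.51.100.7", 443, "192.0.2.10", 40000, "TCP", frozenset({"SYN", "ACK"})),  # reply to that call
    Packet("203.0.113.9", 5555, "192.0.2.25", 25, "TCP", frozenset({"SYN"})),           # inbound SMTP
    Packet("203.0.113.9", 5555, "192.0.2.80", 80, "TCP", frozenset({"SYN"})),           # inbound HTTP
    Packet("203.0.113.9", 5555, "192.0.2.80", 22, "TCP", frozenset({"SYN"})),           # inbound SSH: no rule
    Packet("203.0.113.9", 5555, "192.0.2.10", 40000, "TCP", frozenset({"SYN"})),        # unsolicited SYN
    Packet("203.0.113.9", 53, "192.0.2.10", 40000, "UDP"),                                # UDP: rules are TCP-only
    Packet("203.0.113.9", 5555, "192.0.2.10", 40000, "TCP", frozenset({"ACK"})),        # ACK with no prior call
]


def decisions(packets=SAMPLE_PACKETS):
    """Action taken for each sample packet, in order."""
    return [filter_packet(p)[0] for p in packets]


if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        action, why = filter_packet(p)
        print(f"{p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto} {sorted(p.flags)}: {action} ({why})")
```

The last sample packet is allowed by the "replies to our calls" rule although no call was ever made: the rule only checks that the ACK flag is set in the header, so a stateless filter cannot tell a genuine reply from an unsolicited ACK-flagged packet. That limitation is what stateful inspection addresses, by recording outbound connections and admitting only replies that belong to one.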
Application-level gateway
- Also called a proxy server
- Acts as a relay of application-level traffic

Application gateway (figure)

IDS
- An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station
- Passive and reactive defense technique
- A sensible complement to the firewall: the second line of defense behind it
- A combination of hardware and software
- Based on sniffing
- Bypass (out-of-band) deployment

NIDS
- Network IDS (NIDS): NIDS are placed at a strategic point or points within the network to monitor traffic to and from all devices on the network
- On-line and off-line NIDS

SNORT
- Snort is a free and open source NIDS created by Martin Roesch in 1998
- Snort has the ability to perform real-time traffic analysis and packet logging on IP networks, and performs protocol analysis, content searching and matching

HIDS
- Host IDS (HIDS): HIDS run on individual hosts or devices on the network
- A HIDS monitors the inbound and outbound packets from the device only and will alert the user or administrator if suspicious activity is detected
- The objects watched by a distributed IDS (DIDS): network, files, processes, system logs

Technique
- Static configuration analysis
  - detects whether the system has been compromised by checking static features such as the current system configuration
  - finds the traces left behind
  - can discover potential threats in time
  - requires a comprehensive, in-depth understanding of the system
- Misuse detection (pattern matching)
  - detects known attacks by their known behaviour
  - expert systems, pattern matching, IDIOT (Intrusion Detection In Our Time)
  - powerless against unknown attacks

Technique (Cont.)
- Anomaly detection
  - builds a feature profile of each user's normal behaviour pattern
  - uses rule-based descriptions, statistical methods or neural networks
  - able to discover unknown attacks
- Specification-based methods for security-critical system programs
  - write a security specification for each security-critical program
  - a security specification describes the legal sequences of operations during the execution of one or more programs and is used to judge whether an execution trace is legal
  - the specification is independent of program defects, so it can detect attacks that exploit unknown defects in the program

Evaluation
- Strengths
  - detects attacks from inside the network
  - detects unknown attacks
  - a NIDS consumes no host resources and is transparent to users
  - also serves as an audit system
- Limitations
  - the widespread use of switches makes a network IDS lose its view of the whole network
  - NIDS processing is slow
  - a HIDS consumes host resources
  - no defensive capability
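The two detection techniques from the Technique slides, misuse detection by pattern matching and anomaly detection against a statistical profile, run side by side over constructed traffic, as an added Python example that is not part of the lecture. The signatures imitate the content-matching style of Snort rules but are constructed, not real Snort rules; the addresses (documentation ranges) and the packet records are constructed too. The SYN-rate profile shows how the anomaly detector catches the TCP SYN flooding listed under typical attacks even though no signature describes it.

```python
import statistics
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed packet record: the fields a sensor would pull from a sniffed frame.
@dataclass(frozen=True)
class Pkt:
    ts: float                       # capture time in seconds
    src: str
    dst: str
    dport: int
    proto: str                      # "TCP", "UDP", ...
    flags: frozenset = frozenset()  # TCP flags set on the packet
    payload: bytes = b""


# ---- Misuse detection: match traffic against signatures of known-bad behaviour ----
@dataclass(frozen=True)
class Signature:
    sid: int
    msg: str
    proto: str
    dport: Optional[int]   # None means any destination port
    content: bytes         # byte pattern that must appear in the payload


# Constructed signatures in the spirit of Snort content rules (not real Snort rules).
SIGNATURES = [
    Signature(1000001, "telnet login attempt as root", "TCP", 23, b"login: root"),
    Signature(1000002, "HTTP request containing a directory traversal sequence", "TCP", 80, b"../"),
]


def misuse_alerts(pkts, signatures=SIGNATURES):
    """(sid, msg, src) for every packet matching a signature. Only known patterns fire."""
    alerts = []
    for p in pkts:
        for s in signatures:
            if p.proto == s.proto and (s.dport is None or p.dport == s.dport) and s.content in p.payload:
                alerts.append((s.sid, s.msg, p.src))
    return alerts


# ---- Anomaly detection: profile normal behaviour, flag statistical outliers ----
def syn_counts(pkts, window=1.0):
    """Connection attempts (TCP SYN without ACK) per (source, time bucket of `window` seconds)."""
    counts = Counter()
    for p in pkts:
        if p.proto == "TCP" and "SYN" in p.flags and "ACK" not in p.flags:
            counts[(p.src, int(p.ts // window))] += 1
    return counts


def build_profile(training_pkts, window=1.0):
    """Feature profile of normal behaviour: mean and stdev of SYNs per source per bucket."""
    values = list(syn_counts(training_pkts, window).values())
    return {"mean": statistics.fmean(values), "stdev": statistics.pstdev(values), "window": window}


def anomaly_alerts(pkts, profile, k=3.0):
    """(src, bucket, count) for every bucket whose SYN count exceeds mean + k*stdev."""
    threshold = profile["mean"] + k * profile["stdev"]
    return [(src, bucket, n)
            for (src, bucket), n in sorted(syn_counts(pkts, profile["window"]).items())
            if n > threshold]


# ---- Constructed traffic ----
def _syns(src, start, per_second):
    """Emit per_second[i] SYN packets inside the i-th one-second bucket after `start`."""
    return [Pkt(start + i + j / (n + 1), src, "192.0.2.80", 80, "TCP", frozenset({"SYN"}))
            for i, n in enumerate(per_second) for j in range(n)]


# Training window: two ordinary clients opening a few connections per second.
TRAINING = _syns("192.0.2.10", 0.0, [1, 2, 1, 3, 2]) + _syns("192.0.2.11", 0.0, [1, 2, 2, 1, 2])

# Monitored window: an ordinary client, a source sending 40 SYNs in one second,
# and two HTTP requests, one of which carries a traversal sequence.
MONITORED = (
    _syns("192.0.2.10", 100.0, [2, 1])
    + _syns("203.0.113.9", 100.0, [40])
    + [Pkt(100.5, "203.0.113.7", "192.0.2.80", 80, "TCP", frozenset({"ACK", "PSH"}),
           b"GET /images/../../protected.cfg HTTP/1.0\r\n"),
       Pkt(100.6, "192.0.2.11", "192.0.2.80", 80, "TCP", frozenset({"ACK", "PSH"}),
           b"GET /index.html HTTP/1.0\r\n")]
)


if __name__ == "__main__":
    profile = build_profile(TRAINING)
    print("profile:", profile)
    print("misuse alerts:", misuse_alerts(MONITORED))
    print("anomaly alerts:", anomaly_alerts(MONITORED, profile))
```

The two detectors see different things, which is the point of the Technique slides: the signature fires on the traversal request and says exactly what it found, but stays silent on the SYN flood because no signature describes it, while the profile flags the flooding source as a deviation from normal behaviour without naming the attack. The `k` multiplier is the usual trade-off knob between missed anomalies and false alarms; the training data here is small and constructed, so in practice the profile is built from a much longer baseline.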
IPS
- An IPS is an intelligent intrusion detection and prevention system
- It not only detects that an intrusion is taking place, but can also, through some form of response, terminate the intrusion in real time as it starts and develops
- Unifies the IDS with the firewall
- Provides real-time prevention and analysis of attacks
- Implements defense in depth

VPN
- A virtual private network (VPN) extends a private network across a public network, such as the Internet
- A VPN enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network
- A VPN is created by establishing a virtual point-to-point connection through the use of tunnelling protocols
- VPNs can allow employees to securely access a corporate intranet while travelling outside the office. Similarly, VPNs can securely connect geographically separated offices of an organization, creating one cohesive network

VPN (Cont.)
- VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo-restrictions, and to connect to proxy servers for the purpose of protecting personal identity and location
- The security model of a VPN provides:
  - confidentiality, such that even if the network traffic is sniffed at the packet level, an attacker would only see encrypted data
  - sender authentication, to prevent unauthorized users from accessing the VPN
  - message integrity, to detect any instances of tampering with transmitted messages

VPN techniques
- Tunnel
- Cryptology
- Key management
- Authentication

IPSec
- IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication

IPSec services
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality (encryption)
- Limited traffic flow confidentiality

IPv4 vs. IPv6 header (figure)
- IPv4 header fields: Ver, IHL, TOS, Payload Length, Identifier, Flags, Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options & Padding
- IPv6 header fields: Ver, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

IPv6 vs. IPv4 packet data unit (figure)
- IPv4 PDU: IPv4 header (minimum 20 octets) followed by the data field; maximum 65535 octets
- IPv6 PDU: IPv6 header (fixed 40 octets), zero or more extension headers, then the transport-level PDU; maximum 65535 octets

IPv6 extension headers
- Hop-by-hop header (0): examined by every intermediate router
- Routing header (43): source routing
- Fragment header (44): fragmentation
- Encapsulating security payload header (50): encryption
- Authentication header (51): authentication
- Destination header (60): processed at the destination

Authentication
- Before applying AH (figure)

Authentication (Cont.)
- Transport mode (AH authentication) (figure)

Authentication (Cont.)
- Tunnel mode (AH authentication) (figure)

ESP encryption and authentication (figure)

Honeynet
- A honeynet is a network system hidden behind the firewall
- All data entering and leaving it is watched and …
- Used to learn the attacker's way of thinking, tools and goals
- The aim is to prevent threats better by becoming familiar with and understanding the threats encountered
- Problems to solve when building a honeynet:
  - data …
  - data capture

Vulnerability scan
- A vulnerability ("weakness") is a security defect present in hardware, software or policy
- The threat shows itself as the threat that attack behaviour poses to the system
- 30,000 sites, 800 kinds of …
- 95% of … centres in China have suffered …