2.5 Network Security
2.5.1 A correct understanding of network security issues
Information security has developed from its initial form, communication security, through computer security, to today's network security; it has entered its third stage.
Network security, in a distributed network environment, provides protection for information carriers (processing carriers, storage carriers and transport carriers) and for the processing, transmission, storage and access of information, so as to prevent data, information content or capabilities from being used, tampered with or denied without authorization. Network security has properties similar to those of information security: confidentiality, integrity, availability and auditability.
With the rapid development of computer networks around the world, network security problems are exposed more and more often and attract increasing attention. Because of the mechanisms of the network itself, attacks on a network can be launched remotely, and attack techniques spread at an exponential rate. Large numbers of automated attack tools have appeared; once a tool is public, anyone can download and use it, so it becomes uncontrollable.
There are two mistaken understandings of network security. The first is to ignore the role of network security and oversimplify the problem, believing that a few common measures can keep the network safe for a long time. This view fails to see the importance and the responsibility of network security. The other mistaken understanding is more common: the belief that information security is network security and that the two are equivalent. This exaggerates the network security problem, and it is particularly common among general computer users. In fact, one must recognize that network security problems are important, but that network security is only a small part of the information security field, not the whole of it. According to the wooden bucket principle, the security of a system is determined by its weakest part, so every component of information security is important; none of them can be dispensed with or ignored.
2.5.2 Network Security Model
A common network security model, the PPDRR model, is shown below. It consists of security policy (Policy), protection (Protection), intrusion detection (Detection), attack response (Response) and disaster recovery (Restore, i.e. survivability technology).
2.5.3 Security Enhancement Protocols
The TCP/IP protocol suite, currently the most popular heterogeneous network interconnection protocol, did not take security into account at the beginning of its design. For security reasons, a number of security protocols for TCP/IP have since been developed, each aiming to enhance the security of a particular protocol layer. Of course, these are only patches of one form or another and cannot guarantee network security in any fundamental way. The figure below shows the security services available at the different layers of the network:
Link layer security
The following measures can be taken to enhance the security of the link layer: install or lease dedicated communication facilities; implement point-to-point identity authentication and provide confidentiality. This secures the data stream but does not provide end-user authentication or user-level confidentiality.
Network layer security
Most important here is IP security (IPSec), which covers three aspects: authentication, confidentiality and key management.
IPSec operates between the IP layer and the transport layer (TCP, UDP) and provides the ability to communicate securely over LANs, WANs and the Internet. IPSec can support all kinds of applications because it can encrypt and/or authenticate all traffic at the IP layer, and so protects every distributed application, including remote login, client/server, email, file transfer, web access and so on. An important advantage of IPSec is that it is transparent to end users.
IPsec provides IP-level security services by allowing the system to select the security protocols it requires, to determine the algorithms used by those services, and to supply any keys the services need. Two protocols provide the security: the authentication header (AH) protocol, and the encapsulating security payload (ESP) protocol, designed to encrypt and/or authenticate the packet. Together they provide the following services: access control, connectionless integrity, data origin authentication, rejection of replayed packets, confidentiality and limited traffic-flow confidentiality. Both AH and ESP support transport mode and tunnel mode. The problems of IPsec are establishing standard key management (which is difficult to implement) and reduced network performance.
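The rejection of replayed packets mentioned above is implemented in AH and ESP with a per-association sequence number and a receiver-side sliding window. The following is an added simulation of that check (example code, not from the original text); the window width of 64 and the sample sequence numbers are assumptions, and packet contents and the integrity check are not modelled.

```python
# Added example, not from the original text: a simulation of the anti-replay
# service that AH and ESP provide. Every inbound packet of a security
# association carries a 32-bit sequence number; the receiver keeps a sliding
# window (assumed 64 wide here) plus a bitmap of the numbers already seen.
# Packet contents and the integrity check are not modelled.

WINDOW = 64


class AntiReplayWindow:
    """Receiver-side replay check for one inbound security association."""

    def __init__(self, size=WINDOW):
        self.size = size
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number (top - i) was received

    def check(self, seq):
        """Return True if seq is fresh and inside the window, else False (drop)."""
        if seq == 0 or seq > 0xFFFFFFFF:
            return False    # 0 is never valid; the 32-bit counter must not wrap
        if seq > self.top:
            # Newer than anything seen: slide the window forward and accept.
            shift = seq - self.top
            self.bitmap = (self.bitmap << shift) & ((1 << self.size) - 1)
            self.bitmap |= 1                      # the new top is now marked received
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False    # older than the window: drop, even if never seen
        if self.bitmap & (1 << offset):
            return False    # duplicate sequence number: replay, drop
        self.bitmap |= 1 << offset                # late but fresh: accept and record
        return True


def filter_sequence(seqs, size=WINDOW):
    """Run constructed sequence numbers through one window; return (seq, accepted)."""
    window = AntiReplayWindow(size)
    return [(s, window.check(s)) for s in seqs]


if __name__ == "__main__":
    # Constructed traffic: in order, one late arrival, one replay, a jump, one stale.
    for seq, ok in filter_sequence([1, 2, 3, 5, 4, 3, 200, 100, 150]):
        print(f"seq={seq:<4} {'accept' if ok else 'DROP (replayed or stale)'}")
```

In a real implementation the window is only advanced after the packet's integrity check succeeds, so that a forged sequence number cannot push the window past legitimate traffic.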
Secure socket layer and transport layer security
SSL (Secure Socket Layer) is an open protocol designed by Netscape. It specifies a layered mechanism that provides data security between application protocols (such as HTTP, Telnet, NNTP and FTP) and TCP/IP. It provides data encryption, server authentication, message integrity and optional client authentication for TCP/IP connections. SSL is designed to use TCP to provide a reliable end-to-end security service, so that a secure TCP connection can be established between two communicating nodes. SSL consists of a handshake layer and a record layer; the SSL record protocol gives SSL its confidentiality and message integrity.
The advantages of SSL are that it works at the process level, providing an encrypted transmission channel between processes, and that its identity authentication is based on a public key system. Its shortcomings are equally obvious: it is not transparent to the application layer, it does not apply to UDP-based communication, it requires a certificate authority (CA), and it provides no access control.
In April 1996, the IETF chartered a Transport Layer Security (TLS) working group to establish a transport layer security protocol (TLSP), to be formally submitted to the IESG as a proposed standard. TLSP resembles SSL in many respects.
Application layer security technology
Application layer security technologies are very rich.
Common dedicated application layer security services include: S/MIME and OpenPGP for email; Privacy Enhanced Mail (PEM), which is built on a public key infrastructure (PKI); S-HTTP, the security-enhanced version of the hypertext transfer protocol, which provides file-level security; and Secure Electronic Transaction (SET), an open encryption and security specification for protecting credit card transactions on the Internet, whose secure channels establish trust by using X.509V digital certificates.
Common general-purpose application layer security services include: the Generic Security Services API (GSS-API); MIT's Kerberos, which provides an authentication method for verifying users in a distributed computing environment and is a very secure two-way authentication technique, whose identity authentication emphasizes the client's authentication of the server, whereas other identity authentication techniques often only solve the server's authentication of the client; OSF's DCE-Web; HP's Corba-web; and so on.
2.5.4 Important Issues of Network Security
To date, many network security technologies have been successfully applied to computer networks large and small. These technologies have played a positive role in improving network security and defending against intruders.
Firewall
A firewall is an effective defense tool. When internal hosts or networks are accessed over a WAN or the Internet, and when internal hosts or networks access external systems, a firewall can protect the system from network security threats, which amounts to isolating the internal network from the Internet. The firewall is inserted between the site network and the Internet, establishing a controlled connection and forming an outer security wall, or perimeter. The purpose of this perimeter is to protect the site from attacks originating on the Internet and to provide a single choke point at which security is enforced.
The firewall is the first barrier of network security. Although firewalls provide a variety of capabilities, existing IP firewall technology can in general be divided into the following types:
(1) Packet filtering firewall
The security of a packet filtering firewall rests on checking the IP addresses of packets. It reads the IP addresses, ports, TCP connection state and other information of all packets sent and received, and filters them according to predetermined filtering rules. Packets that do not satisfy the rules are discarded by the firewall, thereby protecting the security of the network system.
(2) Proxy firewall
A proxy service is an application that runs on a host (the bastion host) placed between the internal network and the external network. When a user needs to access a host on the other side of the proxy server, the proxy server answers the requesting host on the destination's behalf and issues an identical request of its own. Once this connection is established, communication between the internal host and the external host is carried through the proxy's connection mapping. The proxy is transparent to users and ensures that information about the internal network topology stays inside the proxy gateway, thereby reducing the information available to a hacker when mounting an attack.
(3) Stateful inspection technology
Network stateful inspection technology is generally regarded as a next-generation network security technology. It captures network packets and inspects network communication at each layer, using the result as the basis for security decisions. The inspection module supports multiple network protocols and application protocols, so that extensions for new applications and services are easy to achieve. A stateful inspection service can monitor RPC and UDP port information, which packet filtering and proxy services cannot do.
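To make the difference between a packet filter (1) and stateful inspection (3) concrete, here is an added example (not from the original text) of a first-match, default-deny packet filter run over constructed packets, with a stateful layer on top that admits replies to flows the rules already allowed. The packet fields, rule format and addresses are assumptions; 10.0.0.0/8 plays the internal network.

```python
# Added example, not from the original text: a minimal packet-filtering
# firewall run over constructed packets, with a stateful inspection layer on
# top of it. Rules are matched first-match with a default-deny policy; the
# packet fields, rule format and addresses are assumptions for illustration.

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    sport: int
    dport: int


# Rule: (source prefix, destination prefix, protocol, destination port, action).
# "*" matches anything. 10.0.0.0/8 is the internal network in this example.
RULES = [
    ("*", "10.0.0.0/8", "tcp", 25, "allow"),    # inbound mail to the internal net
    ("10.0.0.0/8", "*", "tcp", "*", "allow"),   # internal hosts may open TCP flows
    ("10.0.0.0/8", "*", "udp", 53, "allow"),    # internal DNS queries
]


def _in_prefix(addr, prefix):
    """True if dotted-quad addr lies inside prefix ("a.b.c.d/n" or "*")."""
    if prefix == "*":
        return True
    net, bits = prefix.split("/")
    to_int = lambda a: int.from_bytes(bytes(int(o) for o in a.split(".")), "big")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return (to_int(addr) & mask) == (to_int(net) & mask)


def static_filter(pkt, rules=RULES):
    """Stateless packet filter: first matching rule wins, otherwise deny."""
    for src, dst, proto, dport, action in rules:
        if (_in_prefix(pkt.src, src) and _in_prefix(pkt.dst, dst)
                and pkt.proto == proto and dport in ("*", pkt.dport)):
            return action
    return "deny"


class StatefulFirewall:
    """Stateful inspection: remembers flows the rules allowed, so replies in
    the reverse direction are admitted without a static rule for them."""

    def __init__(self, rules=RULES):
        self.rules = rules
        self.flows = set()   # (src, sport, dst, dport, proto) of allowed flows

    def decide(self, pkt):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows:
            return "allow"   # reply half of an established flow
        if static_filter(pkt, self.rules) == "allow":
            self.flows.add((pkt.src, pkt.sport, pkt.dt if False else pkt.dst, pkt.dport, pkt.proto))
            return "allow"
        return "deny"
```

The stateless filter has to deny the reply to an internal client's outbound connection (no rule admits inbound port 443 traffic), whereas the stateful layer admits it because the outbound half was recorded; a real product additionally tracks TCP flags and ages flows out of the table.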
Early firewalls built a secure network boundary out of a single device (such as a filtering router or a bastion host), in a structure such as a screened subnet or a single bastion host. Now, a set of security services is built to provide fine-grained security control. The services commonly involved include authentication servers, authorization servers, central policy management devices with their corresponding remote management services, stateful inspection servers and so on.
The limitations of a firewall are that it cannot defend against attacks that bypass it; it cannot eliminate threats from inside; and virus-infected programs and documents often pass through it with ease.
The general working principle of a firewall is to decide, on the basis of filtering rules, whether a packet or a connection is allowed. Current firewalls are not intelligent enough, and a hacker's carefully designed scanning and intrusion methods may still penetrate them.
Intrusion detection
If the firewall is the first line of defense of a system, intrusion detection is the second; it is also one of the hotspots of network security research in recent years.
Intrusion detection technology rests on one basic assumption: the behavior of an intruder differs in some way from the behavior of legitimate users. Of course, although the difference between an intrusion attack and the normal use of resources by legitimate users is usually obvious, the two behaviors can also be similar, and this is the main difficulty of intrusion detection.
Intrusion detection generally uses two methods, namely statistical anomaly detection and rule-based detection.
(1) Statistical anomaly detection
Statistical anomaly detection falls into two categories: threshold detection and profile-based detection.
Threshold detection concerns the number of occurrences of particular events over a period of time. If the count exceeds the number considered reasonable, an intrusion is assumed to be possible. Threshold analysis by itself is a crude detector and not very effective, because the threshold and the time interval must be chosen in advance while users' behavior changes constantly, so threshold detection is very likely to produce a large number of false positives or false negatives.
Profile-based anomaly detection summarizes the characteristics of each user's (or user group's) past behavior, in order to detect behavior that deviates significantly from it. A profile may contain multiple parameter sets, so a single parameter by itself is not enough to raise a warning.
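The two statistical detectors just described, run over constructed audit data, as an added example that is not part of the original text. The record format, the threshold and window values, the per-user history and the three-standard-deviation rule are all assumptions for illustration.

```python
# Added example, not from the original text: threshold detection and
# profile-based detection over constructed audit data. Record format,
# thresholds and the three-standard-deviation rule are assumptions.

from statistics import mean, pstdev

# Constructed audit records: (time in seconds, user, event)
AUDIT = [
    (10, "alice", "login_fail"), (15, "alice", "login_fail"), (20, "alice", "login_fail"),
    (25, "alice", "login_fail"), (40, "alice", "login_fail"), (50, "bob", "login_fail"),
    (60, "bob", "login_ok"),
]


def threshold_detect(records, event, limit, window):
    """Threshold detection: report every user for whom `event` occurs more
    than `limit` times within any `window`-second interval."""
    alerts = set()
    recent = {}                       # user -> timestamps still inside the window
    for ts, user, ev in sorted(records):
        if ev != event:
            continue
        stamps = recent.setdefault(user, [])
        stamps.append(ts)
        while stamps and stamps[0] < ts - window:
            stamps.pop(0)             # drop occurrences that fell out of the window
        if len(stamps) > limit:
            alerts.add(user)
    return alerts


# Constructed history for the profiles: files accessed per session, per user
HISTORY = {
    "alice": [12, 15, 11, 14, 13, 12, 16, 14],
    "bob": [40, 55, 38, 47, 50, 44, 52, 49],
}


def build_profiles(history):
    """Profile-based detection, step 1: summarise each user's past behaviour
    as (mean, standard deviation) of the measured parameter."""
    return {user: (mean(v), pstdev(v)) for user, v in history.items()}


def profile_detect(profiles, session, k=3.0):
    """Step 2: flag a session more than k standard deviations from the user's
    own profile (the same value can be normal for one user, anomalous for another)."""
    flagged = {}
    for user, value in session.items():
        mu, sigma = profiles[user]
        if sigma == 0:
            z = 0.0 if value == mu else float("inf")
        else:
            z = (value - mu) / sigma
        if abs(z) > k:
            flagged[user] = round(z, 2)
    return flagged
```

With the constructed data, 45 files in one session is flagged for alice but is ordinary for bob, which is the point of keeping one profile per user rather than one global threshold.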
(2) Rule-based intrusion detection
Rule-based intrusion detection determines whether a given activity pattern is suspicious by observing events in the system. In general, all such methods are divided into anomaly detection and penetration identification, although the two types overlap.
Rule-based anomaly detection is similar to statistical anomaly detection. Rule-based methods analyze historical audit records, determine the usage patterns in them, and automatically generate rules that describe those patterns. The rules represent the past behavior patterns of users, programs, privileges, time slots, terminals and so on. Current behavior is then observed and each action is matched against the rule set, to judge whether it conforms to a historical behavior pattern.
As with statistical anomaly detection, rule-based anomaly detection does not require knowledge of the security vulnerabilities inside the system. Moreover, this method is built on the observation of past behavior and assumes that future behavior will resemble it. For the method to be effective, a large number of rules is needed.
Rule-based penetration identification is different from the intrusion detection above; it is built on expert system technology. The key characteristic of such a system is the use of rules to identify known penetrations, or penetrations that exploit known weaknesses. The rules can also be used to identify suspicious behavior even when that behavior fits the established pattern. Typically the rules in these systems are specific to a particular machine and operating system. Moreover, the rules are not generated by analyzing audit records but are defined by experts; the quality of this method therefore depends on the skill of those who write the rules.
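An added example (not from the original text) of the expert-system style of penetration identification: the rules are hand-written event sequences, matched against each user's audit trail within a time limit, rather than learned from history. The audit record format, the event names, the two rules and their time limits are assumptions chosen for illustration.

```python
# Added example, not from the original text: a rule-based penetration
# identification engine of the expert-system kind described above. The rules
# are expert-written event sequences, not learned from history; the audit
# record format, the rules and the time limits are assumptions for illustration.

# Constructed audit trail: (time in seconds, user, event)
AUDIT = [
    (100, "carol", "login_fail"), (104, "carol", "login_fail"),
    (108, "carol", "login_fail"), (112, "carol", "login_ok"),
    (130, "carol", "su_root"), (131, "carol", "edit_passwd"),
    (200, "dave", "login_ok"), (260, "dave", "su_root"),
]

# A rule names an ordered sequence of events that must all occur for one
# user within `within` seconds of the first event.
RULES = [
    {"name": "password guessing followed by privilege escalation",
     "sequence": ["login_fail", "login_fail", "login_fail", "login_ok", "su_root"],
     "within": 120},
    {"name": "password file edited right after privilege gain",
     "sequence": ["su_root", "edit_passwd"], "within": 60},
]


def match_sequence(events, sequence, within):
    """Return the start time of the earliest in-order match of `sequence` in a
    user's (time, event) list, or None. Unrelated events in between are
    skipped, so the rule matches a subsequence, not a contiguous run."""
    for i, (start, ev) in enumerate(events):
        if ev != sequence[0]:
            continue
        pos = 1
        if pos == len(sequence):
            return start                       # single-event rule
        for ts, later in events[i + 1:]:
            if ts - start > within:
                break                          # rule's time limit exceeded
            if later == sequence[pos]:
                pos += 1
                if pos == len(sequence):
                    return start
    return None


def identify_penetrations(records, rules=RULES):
    """Apply every rule to every user's audit trail; return (user, rule, start)."""
    per_user = {}
    for ts, user, ev in sorted(records):
        per_user.setdefault(user, []).append((ts, ev))
    hits = []
    for user, events in per_user.items():
        for rule in rules:
            start = match_sequence(events, rule["sequence"], rule["within"])
            if start is not None:
                hits.append((user, rule["name"], start))
    return hits
```

Note that dave's su_root on its own triggers nothing: the rules encode complete known penetration patterns, which is exactly why this approach is precise for what experts have described and blind to anything they have not.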
For an intrusion detection system to be practical, it must detect a large proportion of intrusions at an acceptable false alarm rate. If it detects only a small number of intrusions, the system gives a false sense of security; if it raises alarms frequently when there is no intrusion, system administrators may begin to ignore the alarms or waste a great deal of time analyzing false alarms. Unfortunately, because of the nature of probability, it is hard to achieve both a high detection rate and a low false alarm rate. Current intrusion detection systems have not overcome this base-rate fallacy problem.
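As an added worked example (not from the original text), the base-rate difficulty can be made concrete with Bayes' theorem. Let $I$ be the event that an audit record is an intrusion and $A$ the event that the detector raises an alarm; the detection rate $P(A \mid I) = 0.99$, the false alarm rate $P(A \mid \neg I) = 0.01$ and the intrusion base rate $P(I) = 0.001$ are assumed figures.

$$P(I \mid A) = \frac{P(A \mid I)\,P(I)}{P(A \mid I)\,P(I) + P(A \mid \neg I)\,P(\neg I)} = \frac{0.99 \times 0.001}{0.99 \times 0.001 + 0.01 \times 0.999} = \frac{0.00099}{0.01098} \approx 0.09$$

So about 91% of the alarms are false even though 99% of intrusions are detected. For half of the alarms to be genuine at this base rate, the false alarm rate would have to fall to roughly $P(A \mid \neg I) \approx 0.001$, since $0.00099 / (0.00099 + 0.001 \times 0.999) \approx 0.50$; the scarcer intrusions are among normal records, the lower the false alarm rate has to be.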
A relatively new innovation in intrusion detection technology is the honeypot. A honeypot is a decoy that draws potential attackers away from important systems. Its functions are: divert attackers from the important systems, collect information about the attackers' activities, and keep the attacker on the system long enough for the administrator to respond to the attack.
A honeypot is filled with information that legitimate users have no reason to access but that looks valuable on the surface. Any access to the honeypot is therefore suspect. The tools used by honeypot systems include sensitive monitors and event loggers. For any attack on the honeypot, the system gives the attacker the illusion of success.
Recent research has concentrated on building honeypot networks that simulate a business, using simulated traffic and data of real activities. Once hackers enter such a network, administrators can observe their behavior in detail and work out countermeasures.
Virtual private network
VPN refers to the technology of establishing a private network on top of a public network; it is called a virtual network mainly because the connection between any two nodes of the VPN does not use the end-to-end physical link required by a traditional private network, but is a logical network built on the public network platform (such as the Internet, ATM, Frame Relay, etc.) provided by the network service provider.
A VPN has the following advantages: reduced cost, since a company need not lease long-distance lines to build its network and need not invest heavily in network maintenance personnel and equipment; easy expansion, since the configuration of network routing equipment is simple, few additional devices are needed, and time is saved; and full control, since the VPN's facilities and services are entirely in the hands of the enterprise.
By using tunneling technology and the IPSec standard developed by the IETF (Internet Engineering Task Force), a VPN forms a secure, confidential and unobstructed dedicated link for the enterprise on top of the public network. Common VPN protocols include IPsec and PPTP.
Denial of service attacks
Denial of service (DoS) attacks and distributed denial of service (DDoS) attacks have begun to become a common tool of hackers. If enough controlled computers can be mobilized for an attack, a server is very hard to defend, which is a threat to computer networks. In 2000, Yahoo, Amazon, eBay, CNN and others were all paralyzed by distributed denial of service attacks. Moreover, distributed denial of service attacks often use forged source addresses and involve multiple attack sources, so tracing and locating the attacker is very difficult. At present there is no good solution to either of these two kinds of attack. The fundamental reason is that there is no reasonable mathematical model for them, and therefore no corresponding security mechanism has been implemented.
A denial of service attack attempts to stop the targeted computer from providing its services, or to stop you from providing services. Denial of service is the easiest kind of attack to carry out, and it includes: Ping of Death, Teardrop, UDP Flood, SYN Flood, Land attack, Smurf attack, Fraggle attack, email bomb, malformed message attack and so on.
NSUN 2004