Network security solution

zhaozj2021-02-16  91

The goal of cybersecurity should be satisfied:

Identity authenticity: Identify the authenticity of the communication entity identity.

Information confidentiality: Make confidential information does not disclose to non-authorized people or entities.

Information Integrity: Ensure the consistency of data, it is possible to prevent data from being established, modified, and destroyed by unauthorized users or entities.

Service availability: Guarantee that legitimate users will not be rejected by the use of information and resources.

Unsability: Establish a valid responsibility mechanism to prevent entities from denying their behavior.

System controllability: how can be used to control people or entities that use resources.

System easy to use: Under the conditions of meeting safety requirements, the system should operate simple and easy to maintain.

Reviewable: The basis and means of providing investigations on the emergence of network security issues.

The system's security threat is often characterized by the following characteristics:

Stealing: An attacker obtains sensitive information by monitoring network data.

Reburrent: The attacker obtains part or all information in advance, and then sends this information to the recipient.

Forge: The attacker sends the forged information to the recipient.

Tampering: An attacker modifies, deletes, inserts, and then sends it to the recipient.

Deny Service Attack: An attacker responds to system response through a certain approach or even paralyzed, preventing legal users from obtaining services.

Behavior denial: The communication entity denies the behavior that has occurred.

Non-authorized access: No pre-consent, use network or computer resources as unauthorized access. It mainly has the following forms: counterfeit, identity attack, illegal users enter the network system for illegal operation, legal users are unauthorized Operation, etc.

Communication of viruses: By networking computer viruses, it is very destructive, and users are difficult to prevent. For well-known CIH-virus, the recent "love" virus has great destructive.

Network security technology mainly includes the following aspects:

Host security technology

Identity certification technology

Access control technology

Password technology

Firewall technology

Safety audit technology

Safety management technology

System vulnerability detection technology

Hacker tracking technology

Safety mechanisms mainly include:

Encryption mechanism: Encryption is to ensure data confidentiality

Digital signature mechanism: Digital signature is used to ensure data authenticity and authentication.

Access Control Mechanism: Access Control determines whether the subject's access is legal on the principal.

Data Integrity Mechanism: Data Integrity is to ensure that data is not modified.

Authentication mechanism: The certification of the computer network mainly has the certification, packet certification, user, and processes.

Information flow filler mechanism: Information flow filled attackers don't know which is useful information, which is useless information, so that the information flow analysis attack.

Routing Control Mechanism: The routing control mechanism can select a security path according to the application of the information sender to ensure data security.

Justice: Mainly in fair arbitration when dispatched

For website architectures, website security issues are mainly divided into the following four aspects: server security, border security, security on Internet, and EXTRANET.

Before the attack behavior occurs, it is necessary to prevent it to prevent it. The firewall system is the first defense line of website security. It can filter and block many attack behaviors. The firewall combines two packages and proxy services. The main firewall technology provides a complete protection mechanism from the network to the application layer. The network topology inside the local area network is hidden, and the problem of insufficient IP resources is resolved;

Identity authentication system.

The dynamic password system turns the password of the system into dynamic. The user is different for each login system, which prevents passwords from being illegally stolen; [by DigitalTitan: This can generate the random port to generate the random port to the end of the random mouth to verify the verification]

PKI is a system architecture that provides user authentication and preventing transmission data is illegally modified;

We have heard that a hacker attacks the database through the Internet and uses the credit card information from which it is discovered, the cause of this problem is that the database information at the black site is not protected.

Remember this old saying: Deep defense. To firmly establish this belief, because all defense in the system will be harmful, the more well-established defense layers, the better the content of the database, many Web sites believe SSL / TLS It will protect their credit card data. When credit card data from the client, this is the fact, but SSL / TLS does not protect fixed data stored in the database. SSL / TLS is an online protocol. If attack If you use the Web server and enter the database server directly, then he may access data directly.

Encrypt data in the database

Encrypted data in the database is a good way to transfer this threat, but few databases offer this type of data encryption. For example, Microsoft SQL Server 7 and SQL Server 2000 are only pairs from database customers (such as an ASP page) Data flowing to the database server itself provides encryption, but does not encrypt data saved in the database.

The easiest way to solve this problem is to create a COM component that calls CRYPTO API (CAPI) with C , then call this component from the ASP page. But please note that this scheme is very difficult because CAPI is not the most easy to use API Although its function is very strong and rich, you need to call a complex function to use it completely. Another problem is that you have to know C , if you are a script with HTML and JScript, VBScript or Perl This is undoubtedly a dilemma. Solving the problem with Capicom components

Now let's know that CAPI Com.capicom is a high-performance COM component that can be used in client (such as HTML pages or Windows script applications) or on the server side (such as an ASP page. Use. Pay attention to Capicom is not a simple package based on CAPI, which provides advanced support, such as encryption, verification management, and digital signature support for special features. Capicom is the first time in the Microsoft release platform SDK Windows Whistler beta 2. So if you have a platform SDK, then you have Capicom.

Now returning to data encryption, about encryption is the management of keywords. We may already have a valid approach to encrypt and decrypt data with Capicom, but how we store keywords used to encrypt and decrypt Data? Admire, we can't completely eliminate potential threats to keywords, add only to let attackers do more attack work. Remember deep defense! If someone hazards to your database, and have gained it What must the attacker want to determine the keyword used to encrypt and decrypt information?

Keyword management

To make keyword management, your first choice is to store keywords with data, use additional storage locations, such as registry files or a COM component. Using registry files is easier. To the key Words ACL Control (Access Control), so programs and users that need to encrypt and decrypt data can read keywords from registry files. In order to get more security, you can add keywords to the registry. A reviewful ACE can see the frequency of these keywords and who is used.

It is a good start to store the keyword to the registry file, but it has not yet ended. You can find the material material from the system, such as the machine name, or some keywords can be obtained from the user's record. When you create a new user, you can also create a random value and add it to the customer record. However, when generating a random value, do not call C / C Rand () or VBScript RND because these functions are not random To use CAPI's CryptGenrandom.

Personal view: As a software developer: B / S mode for web interactive queries should mainly take the following measures: Access [Compiling the original procedure, explain the original program can pass encryption] 3. Network communication application SSL protocol can basically guarantee the security of data in transmission 4. The code access database reasonably uses CAPICOM components to ensure data security

Safety protection of physical layers: Provide security solutions mainly by developing management specifications and measures in the physical level.

Link layer security: mainly the link encryption device is protected on data encryption. It encrypts all user data, and user data is sent to another node through communication lines.

Network layers and safety protection: security protection for network layers is for IP packets. The network layer mainly uses firewall as safety protection means to realize primary security protection. Encryption protection in network layers can also be implemented in accordance with some security protocols. Corresponding intrusion detection can be implemented.

Safety protection of the transport layer: The transport layer is between the communication subnet and the resource subnet, and it works in the work. The transport layer also supports a variety of security services: 1) peer entity authentication services; 2) Access control services; 3) Data Secure Service; 4) Data Integrity Services; 5) Data Source Point Certification Service;

Application layer safety protection: Security protection for application layers: In principle, all security services can be provided at application layer. At the application layer, powerful user-based authentication is implemented. Application layer is also ideal for implementing data encryption, access control Location. Backup and recovery of data can also be strengthened at the application layer. Application layer can be controlled by the validity of resources, resources include various data and services. Application layer security protection is user-oriented, so you can Implement fine particle size safety control.

转载请注明原文地址:https://www.9cbs.com/read-13149.html

New Post(0)