I. Introduction to computer network security
Web page tampering: mature automatic web page protection technology now exists in China
Network worms: generally difficult to detect
Denial of service attacks: resolved by the network management department
Trojan horses: dealing with them requires experience
Technical characteristics of network information security and confidentiality: reliability, availability, confidentiality, integrity, non-repudiation, controllability
1. Reliability is the property of a network information system that it completes its predetermined functions under the specified conditions and within the specified time.
The formula is
R = MTBF / (MTBF + MTTR)
where R is the reliability, MTBF is the mean time between failures, and MTTR is the mean time to repair.
Reliability mainly includes:
Anti-destruction: reliability against deliberate human damage
Survivability: reliability of the system under random damage
Effectiveness: business-based reliability
Reliability is mainly manifested in hardware, software, personnel and environmental reliability.
Availability is the property that network information can be accessed by authorized entities and used as required.
It is the security property of a network information system as seen by its users.
2. Availability should meet the following requirements:
Identification and authentication
Access control
Business flow control
Route selection control
Audit trail
3. Confidentiality is the property that network information is not disclosed to unauthorized users, entities or processes, nor used by them (available to authorized users only).
Commonly used confidentiality technologies:
Anti-interception
Anti-radiation
Information encryption
Physical confidentiality
4. Integrity is the property that network information is not altered without authorization. It is information-oriented security.
The main factors affecting network information integrity are equipment failure, bit errors, human attack and computer viruses.
Main methods of ensuring network information integrity:
Protocols
Error-correcting codes
Cryptographic checksums
Digital signatures
Notarization
5. Non-repudiation, also known as undeniability: in the interactions of a network information system, no participant can deny or disavow the operations and commitments it has completed.
Proof of origin prevents the sender from denying that the information was sent
Proof of delivery prevents the receiver from denying that the information was received
6. Controllability is the property that the propagation and content of network information can be controlled.
Hierarchy of network information security: physical security, security control, security service
1. Physical security refers to the security of network information at the level of the physical media on which it is stored and transmitted.
The common insecurity factors at this level are:
Natural disasters, physical damage, equipment failure
Electromagnetic radiation, leakage of traces
Operator error, accidental omission
2. Security control refers to the control and management of the operations and processes applied to information within the network information system, implemented mainly through the OS or network management software, router configuration and so on; it focuses on protecting information at the information-processing level of the network.
It can be divided into three levels:
Operating system security control: verifying the legal identity of users and controlling read and write access to files
Network interface module security control: security control over network communication coming from other machines, including identity authentication, client permission settings and checks, audit logs, etc.
Network interconnection security control: security detection and control of the transmitted information and the operating status of all hosts in the entire subnet.
3. Security services refer to the protection and authentication of the authenticity, integrity and trustworthiness of network information at the application layer, in order to meet users' security needs and to prevent and resist various security threats and attack methods.
They mainly include:
Security mechanisms: such as encryption and decryption, digital signature and signature verification, and information authentication. Modern cryptography plays an important role here.
Security connection: distribution and generation of keys, and authentication
Security protocols: enable communicating parties in a network environment to cooperate with each other and, built on the mechanisms above, ensure the security, reliability and fairness of the communication process.
Security policy: the organic combination of the above; it determines the overall security and practicality of the system.
Software vulnerabilities:
Security vulnerabilities of operating systems and their prevention
Database security vulnerabilities and their prevention
Security vulnerabilities of the TCP/IP protocols and their prevention
Vulnerabilities of network software and network services
Vulnerabilities in password selection
1. What is a trapdoor? It is a short program inserted while the program is being developed, whose purpose is to test the module, to give programmers a way to modify and upgrade the program later, or to help after a future failure. It is usually removed at the end of development, but it may also be retained deliberately or unintentionally. Common trapdoors: logic bombs, remote control, remote maintenance, illegal communication, greedy programs.
Prevention methods:
Strengthen security control during the program development phase
Implement scientific security control while the program is in use
Establish standardized software development norms and strengthen management
2. The security vulnerabilities of operating systems are:
Illegal input/output access
Confusion in access control
Incomplete mediation
Operating system trapdoors
3. To prevent the database from suffering physical damage that makes the original system unrecoverable, the database system should back up all files to protect the integrity of the system.
The database can have its own user identification mechanism to provide a second layer of protection, and can also restrict the times and places from which the database is used.
Encrypt stored data when necessary.
4. Security protocols:
SSL
S-HTTP
SEPP
SET
iKP
5. Vulnerabilities of network services:
Finger
Anonymous FTP
Remote login
6. Problems to watch for in password selection (practices to avoid):
Using your name or digits as the password
Using a dictionary word or an operating system command as the password
Using the same password on multiple hosts
Using only lowercase letters
Using a short password
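The five weaknesses above can be checked mechanically before a password is accepted. The following Python checker is an added example written for these notes, not code from the original; the COMMON_WORDS list, the 12-character minimum and the other_host_passwords parameter are assumptions chosen for illustration.

```python
"""Checker for the password-selection problems listed above (added example)."""
import re

# Constructed stand-in for a dictionary plus common OS command names (assumption)
COMMON_WORDS = {"password", "welcome", "secret", "admin", "login",
                "ls", "cat", "dir", "root", "passwd"}
MIN_LENGTH = 12  # assumed policy value


def check_password(password, username="", other_host_passwords=()):
    """Return the list of violated rules; an empty list means the password passes.

    other_host_passwords: passwords the same user already uses on other hosts
    (assumed to be available to the checker, e.g. from a password-manager export).
    """
    problems = []
    lowered = password.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)   # "password2024" -> "password"

    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # rule 1: the user's own name (with or without digits) or digits alone
    if password.isdigit() or (username and username.lower() in lowered):
        problems.append("name or digits only")
    # rule 2: a word from the dictionary or an OS command, even with digits appended
    if lowered in COMMON_WORDS or letters_only in COMMON_WORDS:
        problems.append("dictionary word or OS command")
    # rule 3: the same password on more than one host
    if password in other_host_passwords:
        problems.append("reused on another host")
    # rule 4: lowercase letters only (no digits, case mix or punctuation)
    if password.isalpha() and password.islower():
        problems.append("only lowercase letters")
    return problems


if __name__ == "__main__":
    for candidate, user in [("alice123", "alice"), ("password2024", "bob"),
                            ("correcthorsebattery", "bob"), ("Tr0ub4dor&3-Gate", "bob")]:
        print(f"{candidate!r}: {check_password(candidate, user) or 'ok'}")
```

The checker reports every rule a candidate breaks rather than stopping at the first, so the user sees the full list of reasons a password was rejected.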
Security defects in network topologies:
Bus topology
Star topology
Ring topology
Tree topology
Security defects in network hardware:
Bridge security hazards
Router security hazards: modification of dynamic routing tables, interception of IP packets
The "Trusted Computer System Evaluation Criteria" divide the security of computer systems into the following four divisions:
Division D
Division C: levels C1 and C2
Division B: levels B1, B2 and B3
Division A
According to the national standard, the security protection of computer information systems in China is divided into 5 levels:
User self-protection level
System audit protection level
Security label protection level
Structured protection level
Access verification protection level
II. Hacker techniques
Intrusion process:
- Reconnaissance: gathering information
- Vulnerability identification: judging information such as port scan results
- Penetration: entering the target system, e.g. by verifying illegally obtained passwords or hijacking a TCP session
- Control: taking control of the target system
- Embedding: installing and modifying system components, such as Trojan horses and back doors, and altering logs
- Data extraction and modification: carrying out the intended activity
- Attack replay: using the compromised system
Footprinting
Scanning
Enumeration
Gaining Access
Escalating Privilege
Pilfering
Covering Tracks
Creating Back Doors
Denial of Service
(1) Denial of service attacks are the easiest attacks to carry out; they attempt to make the target computer unable to serve by crashing or overwhelming it. They mainly include: Land, SYN flooding (UDP flooding), Ping of Death, Smurf (Fraggle), Teardrop, TCP RST attacks, Jolt2, email bombs and malformed-message attacks.
(2) Exploitation attacks are a class of attacks that try to take direct control of your machine. They mainly include: password guessing, Trojan horses and buffer overflows.
(3) Information gathering attacks do no harm to the target itself but provide useful information for further intrusion. They mainly include: scanning (port scanning, address scanning, reverse mapping, slow scanning), architecture probing, and exploiting information services (DNS zone transfers, the Finger service, LDAP services).
(4) Fake message attacks exploit messages the target has configured incorrectly; they include DNS cache poisoning and forged email.
Network information gathering techniques include network topology discovery, analysis of the distribution of services on the target network, and vulnerability scanning of the target network.
Target network privilege escalation techniques include local privilege escalation and remote privilege escalation.
Target network penetration techniques include lattice technology, sniffer technology, spoofing technology, and tunnelling and proxy technology.
Target network destruction techniques include terminating target services, and paralysing target systems and target networks.
LAND attack. Principle: the attacker sends a specially constructed SYN packet to the target in which the source address is set to the address of the target server, so that source and destination address and port all hold the same value. This causes the receiving server to send a SYN-ACK to its own address, which in turn sends back an ACK and creates an empty connection; each such connection remains until it times out. Some router devices and operating systems stop working properly. Different systems react to a LAND attack differently: for example, many UNIX systems crash, and NT becomes extremely slow.
Smurf attack. Principle: the attacker forges the victim's IP address as the source address and sends requests to a broadcast address; every host on the broadcast network then returns a reply to the victim, and the excessive replies raise the victim's load and may even cause denial of service. A simple modification of the Smurf attack that uses UDP echo replies instead of ICMP is the Fraggle attack.
SYN flooding. Principle:
The attacker, using a forged IP address that the server cannot reach, sends SYN requests to the server; the server sends SYN/ACK back to the forged address, but because the address is forged no ACK ever returns, so the server can only wait until the connection times out.
A large number of unfinished connection requests seriously degrades system performance. Some TCP/IP stacks have only a limited memory buffer for connections being created; once this buffer fills with the initial state of false connections, the server stops responding to new connections until the connections in the buffer time out.
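Each of the three patterns described above (LAND, Smurf/Fraggle, SYN flooding) leaves a recognisable trace in captured traffic, which is how an IDS or a firewall log reviewer spots them. The Python detector below is an added example written for these notes, not code from the original; it runs over a constructed packet trace in a minimal dict-based record format. The 192.0.2.0/24 and 203.0.113.0/24 addresses are documentation ranges, and the threshold of 50 bare SYNs per destination port is an assumption.

```python
"""Signature checks for LAND, Smurf/Fraggle and SYN flooding over a
constructed packet trace (added example, not part of the original notes)."""
import ipaddress
from collections import Counter, defaultdict

# Assumed protected network; its broadcast address is the Smurf/Fraggle amplifier target
LOCAL_NET = ipaddress.ip_network("192.0.2.0/24")
SYN_FLOOD_THRESHOLD = 50   # assumed: bare SYNs per (dst ip, dst port) in the sample window


def pkt(proto, src, dst, sport=0, dport=0, flags=(), icmp_type=None):
    """Build a minimal packet record (a dict) for the detector."""
    return {"proto": proto, "src": src, "dst": dst, "sport": sport,
            "dport": dport, "flags": frozenset(flags), "icmp_type": icmp_type}


def is_broadcast(addr):
    return ipaddress.ip_address(addr) == LOCAL_NET.broadcast_address


def detect_dos(packets, syn_threshold=SYN_FLOOD_THRESHOLD):
    """Return a list of (signature, detail) alerts found in the trace."""
    alerts = []
    bare_syns = Counter()            # (dst, dport) -> number of SYN-only segments
    syn_sources = defaultdict(set)   # (dst, dport) -> distinct source addresses
    for p in packets:
        if p["proto"] == "tcp":
            if p["flags"] == {"SYN"}:
                key = (p["dst"], p["dport"])
                bare_syns[key] += 1
                syn_sources[key].add(p["src"])
                # LAND: source and destination address *and* port are identical
                if p["src"] == p["dst"] and p["sport"] == p["dport"]:
                    alerts.append(("LAND", f"{p['src']}:{p['sport']} -> itself"))
        elif p["proto"] == "icmp" and p["icmp_type"] == 8 and is_broadcast(p["dst"]):
            alerts.append(("Smurf", f"echo request from {p['src']} to broadcast {p['dst']}"))
        elif p["proto"] == "udp" and p["dport"] == 7 and is_broadcast(p["dst"]):
            alerts.append(("Fraggle", f"UDP echo from {p['src']} to broadcast {p['dst']}"))
    # SYN flood: many half-open handshakes against one listener, typically from many sources
    for key, n in bare_syns.items():
        if n >= syn_threshold:
            dst, dport = key
            alerts.append(("SYN flood",
                           f"{n} bare SYNs to {dst}:{dport} from {len(syn_sources[key])} sources"))
    return alerts


def sample_trace():
    """Constructed trace: one normal handshake plus one instance of each pattern."""
    trace = [pkt("tcp", "198.51.100.7", "192.0.2.10", 40000, 443, ("SYN",)),
             pkt("tcp", "192.0.2.10", "198.51.100.7", 443, 40000, ("SYN", "ACK")),
             pkt("tcp", "198.51.100.7", "192.0.2.10", 40000, 443, ("ACK",))]
    # LAND: a SYN whose source address/port equal its destination address/port
    trace.append(pkt("tcp", "192.0.2.10", "192.0.2.10", 139, 139, ("SYN",)))
    # Smurf: echo request to the subnet broadcast with the victim's address as source
    trace.append(pkt("icmp", "203.0.113.5", "192.0.2.255", icmp_type=8))
    # Fraggle: the same trick with UDP echo (port 7)
    trace.append(pkt("udp", "203.0.113.5", "192.0.2.255", 53000, 7))
    # SYN flood: 60 bare SYNs from unreachable forged sources, never completed
    for i in range(60):
        trace.append(pkt("tcp", f"203.0.113.{100 + i}", "192.0.2.10", 1024 + i, 80, ("SYN",)))
    return trace


if __name__ == "__main__":
    for name, detail in detect_dos(sample_trace()):
        print(f"{name:10s} {detail}")
```

The normal handshake at the start of the trace raises nothing: its single bare SYN stays far below the threshold and is completed by the following SYN/ACK and ACK. In a real deployment the SYN counter would be kept per time window rather than over a whole capture.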
Distributed denial of service attack: a distributed denial of service attack (DDoS) is a further evolution of the DoS attack; it introduces a client/server mechanism and adds the concept of distribution. It is an attack method that exploits defects in network protocols.
DDoS attacks first appeared in 1999; at first they were only discussed theoretically on hacking sites, and were put into practice later.
Common DDoS attack tools include Trin00, TFN, Stacheldraht and Trinity.
Detecting whether target hosts are alive, from several angles, is usually called a sweep: determining which hosts on the network are up.
It mainly includes: ICMP scan, broadcast ICMP, non-echo ICMP, TCP scan, UDP scan
ICMP scan: use an ICMP echo request (an ICMP packet of type 8) to detect whether the target is alive.
ICMP scan tools under UNIX are mainly ping and fping
Windows has pinger
Nmap's -sP option also provides ICMP scanning
Broadcast ICMP: send an echo request to the target's network address or broadcast address to detect the hosts in the target network. Only usable against hosts running UNIX
Easily causes a DoS
Non-echo ICMP: use other ICMP packet types to detect whether a host is alive
13: timestamp request (e.g. icmpenum)
17: address mask request
TCP scan: using the TCP three-way handshake, send an ACK or SYN segment to the target; if it is alive, an RST packet will be received.
UDP scan: send UDP datagrams to the target network's broadcast address; if an error message is received, the target is alive.
Obtaining the open ports and service information of the target host
TCP connect() scan: uses the connect() system call provided by the OS. If the target port is listening, connect() succeeds.
Advantage: any user on the system can use this call
Disadvantage: slow
TCP SYN scan: a half-open scan; only half of the three-way handshake is completed.
TCP ACK scan: used to probe firewall filtering rules
TCP FIN scan: on UNIX-based systems, a port in the listening state does not respond to a FIN segment, while a closed port responds with an RST. Windows systems always respond with RST, so this scan works only against UNIX.
TCP Xmas scan: send a segment with URG/PSH/FIN set to the target
TCP Null scan: send a segment with all flag bits cleared to the target.
FTP bounce scan: use an FTP server to probe the port status of another host
Advantages: hard to trace, can pass through firewalls
Disadvantage: slow
UDP scan: similar to the TCP scans, used to discover the open UDP ports of the target
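Seen from the defender's side, the sweep techniques (ICMP types 8, 13 and 17) and the port-scan techniques (bare SYN, ACK, FIN, Xmas, Null) listed above are each identified by the ICMP type or the TCP flag combination of the probe, and a sweep or a port scan is then recognised by how many hosts or ports one source touches. The classifier below is an added example written for these notes, not code from the original or from any of the tools named later; the packet record format, the constructed trace and the thresholds of 10 hosts and 10 ports are assumptions for illustration.

```python
"""Classify host-discovery and port-scan probes by ICMP type or TCP flag set,
then summarise per source over a constructed trace (added example)."""
from collections import Counter, defaultdict

ICMP_PROBES = {8: "ICMP echo sweep", 13: "ICMP timestamp probe", 17: "ICMP address-mask probe"}
TCP_PROBES = {
    frozenset({"SYN"}): "SYN/connect scan",
    frozenset({"ACK"}): "ACK scan",
    frozenset({"FIN"}): "FIN scan",
    frozenset({"FIN", "PSH", "URG"}): "Xmas scan",
    frozenset(): "Null scan",
}
# Flag combinations that a correct TCP stack never emits on its own
STEALTH = {"FIN scan", "Xmas scan", "Null scan"}


def probe(proto, src, dst, dport=0, flags=(), icmp_type=None):
    """Minimal packet record (a dict) used by the classifier."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport,
            "flags": frozenset(flags), "icmp_type": icmp_type}


def classify(p):
    """Name the probe technique one packet matches, or None for non-probe traffic."""
    if p["proto"] == "icmp":
        return ICMP_PROBES.get(p["icmp_type"])
    if p["proto"] == "tcp":
        return TCP_PROBES.get(p["flags"])
    if p["proto"] == "udp":
        return "UDP probe"
    return None


def summarise(packets, min_ports=10, min_hosts=10):
    """Per source: probe kinds seen and verdicts (host sweep / port scan / stealth flag scan)."""
    types = defaultdict(Counter)   # src -> probe kind -> count
    hosts = defaultdict(set)       # src -> destination hosts touched
    ports = defaultdict(set)       # (src, dst) -> destination ports touched
    for p in packets:
        kind = classify(p)
        if kind is None:
            continue
        types[p["src"]][kind] += 1
        hosts[p["src"]].add(p["dst"])
        if p["proto"] in ("tcp", "udp"):
            ports[(p["src"], p["dst"])].add(p["dport"])
    findings = {}
    for src in types:
        verdicts = []
        if len(hosts[src]) >= min_hosts:              # one source, many hosts
            verdicts.append("host sweep")
        if any(len(ports[(src, dst)]) >= min_ports for dst in hosts[src]):
            verdicts.append("port scan")              # one source, many ports on one host
        if any(k in STEALTH for k in types[src]):     # a single FIN/Xmas/Null frame is enough
            verdicts.append("stealth flag scan")
        findings[src] = {"verdicts": verdicts, "types": dict(types[src])}
    return findings


def sample_probe_trace():
    """Constructed trace: an echo sweep, a SYN port scan, two stealth probes, normal traffic."""
    trace = [probe("icmp", "203.0.113.9", f"192.0.2.{i}", icmp_type=8) for i in range(1, 21)]
    trace += [probe("tcp", "203.0.113.20", "192.0.2.10", port, ("SYN",)) for port in range(1, 16)]
    trace += [probe("tcp", "203.0.113.30", "192.0.2.10", 80, ("FIN", "PSH", "URG")),
              probe("tcp", "203.0.113.30", "192.0.2.10", 22, ())]
    trace += [probe("tcp", "198.51.100.7", "192.0.2.10", 443, ("SYN",)),
              probe("tcp", "198.51.100.7", "192.0.2.10", 443, ("ACK",))]
    return trace


if __name__ == "__main__":
    for src, f in summarise(sample_probe_trace()).items():
        print(src, f["verdicts"], f["types"])
```

Note that classify() alone labels the ordinary client at 198.51.100.7 as sending a "SYN/connect scan" and an "ACK scan", because a bare SYN and a bare ACK are also how every legitimate connection begins and continues; only the per-source counts in summarise() separate a scan from normal traffic, whereas a FIN, Xmas or Null frame is suspicious on its own.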
Netcat: also known as the Swiss army knife. Developed by Hobbit.
Nmap: open source network scanning tool, written by Fyodor.
SATAN: a network analysis and security administration tool that provides a full set of security administration, testing and reporting features.
Nessus: free network vulnerability scanning tool. Runs on Solaris, Linux and other systems.
X-Scan: free vulnerability scanning tool for Windows systems. It uses multiple threads to probe a specified range of IP addresses.