Network System Security Comprehensive Solution
Security threats to network systems
System security
LAN security solution
WAN security solution
Security threats to network systems
Large network systems run several network protocols at once (TCP/IP, IPX/SPX, NetBEUI), none of which was designed for secure communication. The security threats to a network system therefore come from the following sources:
★ Operating system security. Many popular operating systems have network security vulnerabilities: UNIX servers, NT servers and Windows desktop PCs alike.
★ Firewall security. Whether the firewall product itself is secure, and whether it is configured correctly, both need to be checked.
★ Threats from internal network users. There is usually no effective means of monitoring and assessing the security of the network system from the inside.
★ The TCP/IP protocol software in use lacks security mechanisms.
★ Viruses arriving through Internet e-mail and web browsing, and potentially malicious Java applets / ActiveX controls, are not effectively controlled.
★ Application service security. Many application service systems give little consideration to access control and secure communication; if such a system is misconfigured, losses are easy to incur.
System security
Computer security as a field began at the end of the 1960s. At that time the vulnerability of computer systems was becoming increasingly known to the US government and the private sector. However, because the speed and performance of computers were still limited, their use was not widespread, and the US government treated the subject as sensitive, research on computer security was confined to a relatively small circle.
From the 1980s onward, computer performance improved, the scope of application widened, and computers spread all over the world. People also began to use communication networks to connect previously isolated stand-alone systems for communication and resource sharing. Computer information security thereby became an increasingly serious problem. Research in this area has not kept pace with the rapid development of computer performance and applications, so it has become one of the main problems for future information technology.
Because computer information is shared and easily copied, it is highly vulnerable during processing, storage, transmission and use: it is easily interfered with, abused, lost or leaked, stolen, tampered with, forged or destroyed, and it may also be infected by computer viruses.
The International Organization for Standardization (ISO) defines computer security as: "The technical and managerial safeguards established and applied to data processing systems to protect computer hardware, software and data from being damaged, altered or disclosed through accidental or malicious causes." This concept emphasises the protection of static information. Others define computer security as: "The hardware, software and data of the computer are protected from accidental and malicious causes, and the system continues to run normally." This definition emphasises the dynamic aspect.
Computer security covers two aspects: physical security and logical security. Physical security means physically protecting system equipment and related facilities from damage, loss and so on. Logical security covers the confidentiality, integrity and availability of information:
Confidentiality means that information at a higher security level flows to lower-level subjects and objects only with authorisation;
Integrity means that information is not modified without authorisation and that what is received is consistent with what was sent;
Availability means that legitimate requests from legitimate users are served or answered in a timely and reliable way.
Security problems in a system come mainly from two sources: either the security control mechanism is faulty, or the system's security definition itself is flawed. The former is a software reliability problem that can be overcome by sound software design techniques applied to the security policy; the latter requires that the secure system be described precisely.
In 1985 the US Department of Defense (DoD) published the Trusted Computer System Evaluation Criteria (TCSEC, known as the "Orange Book"), which gave the security evaluation of computer systems an authoritative standard. The Orange Book introduces the concept of the trusted computing base (TCB): the combination of computer hardware and operating system that supports untrusted applications and untrusted users. It divides the trustworthiness of computer systems into seven classes: D, C1, C2, B1, B2, B3 and A1. Mandatory access control is required from class B1 upward, and a formal model of the security policy from class B2. The Orange Book focuses on general-purpose operating systems; to apply its evaluation method to networks, the US National Computer Security Center published the Trusted Network Interpretation in 1987, which explains the criteria from the perspective of network security.
LAN security solution
Because a LAN works in broadcast mode, every packet in a broadcast domain can be captured by any station in it. If a hacker captures and analyses those packets, all information transferred within that broadcast domain is exposed.
Network segmentation
Network segmentation is both a security requirement and a basic measure. Its guiding idea is to isolate illegal users from network resources, thereby limiting illegal access.
Network segmentation can be physical or logical. Physical segmentation divides the network at the physical and data link layers (layers 1 and 2 of the ISO/OSI model) into several segments that cannot communicate with each other directly. Many switches today have access control capabilities that implement physical segmentation of the network.
Logical segmentation divides the whole system at the network layer (layer 3 of the ISO/OSI model). In a TCP/IP network, for example, the network can be divided into several IP subnets; the subnets are connected through routers, routing switches, gateways or firewalls, and the security mechanisms (hardware and software) of these intermediate devices control access between subnets.
In practice, physical and logical segmentation are usually combined to achieve security control of the network system.
VLAN implementation
Virtual network (VLAN) technology is built on the LAN switching technology (ATM and Ethernet switching) that has developed in recent years. Switching turns the traditional broadcast LAN into a connection-oriented technology, so the network management system can limit the scope of a LAN without needing a large router. Ethernet is broadcast-based by nature, but once switches and VLANs are applied it effectively becomes point-to-point communication: unless a monitoring (mirror) port is configured, traffic cannot be listened to or have packets inserted into or altered in it.
The security benefit of this mechanism is obvious: information only goes where it should, so most intrusion techniques based on network sniffing are defeated. Access control through VLAN configuration means that a node outside a virtual network cannot directly reach a node inside it. VLAN technology also brings new problems: the devices that perform VLAN switching are more complex and therefore become targets of attack; intrusion detection that relies on the broadcast principle (listening to all traffic) needs special configuration, such as a mirror port, in a high-speed switched network; and MAC-based VLANs cannot prevent MAC spoofing, since an attacker can forge a MAC address that belongs to another VLAN. VLANs are therefore best assigned by switch port, but this requires every desktop in the network to sit on its own switch port, or every machine behind a given switch port to belong to the same VLAN.
Principles for dividing VLANs
The purpose of VLAN division is to secure the system, so VLANs can be divided according to security level: the headquarters server systems (database server, e-mail server and so on) can be placed in a separate VLAN. VLANs can also be divided by organisational unit; for example, the network where the leadership sits becomes a Leader VLAN (LVLAN), the other departments (or subordinate units) each get their own VLAN, and information flow between the LVLAN and the other VLANs is controlled to be one-way: the LVLAN may view information from the other VLANs, but the other VLANs cannot access information in the LVLAN. Connectivity within a VLAN is provided by switching, and connectivity between VLANs by routing. Because routing control is limited (a plain router ACL is stateless and cannot reliably tell reply traffic from a new connection), the one-way information flow between the LVLAN and the other VLANs cannot be implemented by routing alone; a NetScreen firewall is needed between the LVLAN and the other VLANs as a security isolation device that controls the information exchanged between them.
WAN security solution
Because a WAN carries data over public networks, information may be intercepted by criminals anywhere along the wide area network. When a branch sends information to headquarters, for example, the packets may be captured and misused. Therefore, when sending and receiving information over a WAN, the following must be guaranteed:
Nobody other than the sender and the receiver can read it (confidentiality);
It is not tampered with in transit (integrity);
The sender can be confident that the receiver is not an impostor, and vice versa (authentication);
The sender cannot deny having sent it (non-repudiation).
Without dedicated software to protect the data, all WAN communication is transmitted in the clear, so anyone who can monitor the link can capture the communication. This form of "attack" is relatively easy to carry out with the freely available packet sniffing software of today. Running traceroute from a networked UNIX workstation shows how many different nodes and systems a packet passes through between client and server; every one of them is a potential point of attack. In general, a monitoring attack only needs to read the IP packets at one end of the transmission and requires no special physical access; an attacker who does have direct physical access to the network can eavesdrop with ordinary network diagnostic software. The countermeasure is to encrypt the transmitted information, or at least the parts that contain sensitive data.
Encryption Technology
The basic idea of encryption-based network security is not to rely on the security of the data path through the network, but to secure the network data itself by encrypting it. The cornerstone of this class of technology is data encryption and its application in distributed systems.
Data encryption technology falls into three types: symmetric encryption, asymmetric encryption and irreversible encryption (one-way hashing). Symmetric encryption uses a single key for both encryption and decryption; it requires little computation and is efficient. However, such algorithms are harder to use in distributed systems, mainly because of key management: distributing and protecting the shared keys is costly and their security is hard to guarantee. The representative algorithm is the Data Encryption Standard (DES), used in private computer network systems.
Asymmetric encryption, also called public-key cryptography, uses two keys (a public key and a private key); both are needed to complete the encryption and decryption process. Because it has two keys, it is especially suitable for data encryption in distributed systems and is widely used on the Internet. The public key is published on the network and used to encrypt data; the corresponding private key, used for decryption, is kept secret by the receiver of the data.
Another use of asymmetric encryption is the digital signature: the data source uses its private key to encrypt the data, or a value derived from the data (its digest), and the receiver uses the corresponding public key to interpret the signature and checks the result against the data to verify its integrity and origin. Asymmetric algorithms in use on networks include RSA and the Digital Signature Algorithm (DSA) proposed by the US National Institute of Standards and Technology (formerly the National Bureau of Standards). When asymmetric encryption is applied in a distributed system, the issue to note is how to manage public keys and confirm that they are legitimate. Irreversible encryption (a one-way hash or message digest) needs no key; its output cannot be decrypted, and only the same input passed through the same algorithm yields the same output. It has no key storage or distribution problem, which suits distributed network systems, and because the original data cannot be recovered it is used where it never needs to be, the classic case being passwords in a computer system, which are stored as digests rather than in the clear. As computer performance has improved, the use of irreversible encryption has grown. The common algorithms are MD5, designed by Ron Rivest of RSA, and the Secure Hash Standard (SHS) recommended by NIST.
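Password storage is the page's own example of irreversible encryption, so here it is worked through as an added example (not code from the original page). It goes one step beyond the text: an unsalted MD5 digest as older systems stored it, beside a salted, iterated PBKDF2-HMAC-SHA256 record, to show why the plain digest leaks which users share a password and why verification recomputes the digest instead of "decrypting" anything. The user names and passwords are constructed sample data; the record format `pbkdf2_sha256$iterations$salt$digest` is an assumption of this example.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; two users deliberately share a password.
USERS = {"alice": "Winter2024!", "bob": "Winter2024!"}


def weak_md5_record(password: str) -> str:
    """Unsalted MD5 as older systems stored passwords. Deterministic, so two
    users with the same password get the same digest and a precomputed table
    of common passwords cracks both at once."""
    return hashlib.md5(password.encode()).hexdigest()


def make_record(password: str, iterations: int = 200_000) -> str:
    """Salted, iterated one-way hash (PBKDF2-HMAC-SHA256). Only salt, iteration
    count and digest are stored; a stolen record can be guessed at, not decrypted.
    Record layout is this example's own: pbkdf2_sha256$iterations$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record: str, attempt: str) -> bool:
    """Recompute the digest of the attempt with the stored salt and compare in
    constant time. There is no decryption step anywhere."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    candidate = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_digest_leak(users: dict) -> bool:
    """True if unsalted hashing reveals that two users share a password."""
    digests = [weak_md5_record(p) for p in users.values()]
    return len(set(digests)) < len(digests)


def salted_records_differ(users: dict) -> bool:
    """With a random per-user salt, identical passwords yield different records."""
    records = [make_record(p, iterations=1_000) for p in users.values()]
    return len(set(records)) == len(records)
```

The iteration count is the tunable cost: it slows an attacker's guessing by the same factor as the legitimate check, which is acceptable because a login happens once, whereas a brute-force run needs billions of attempts.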
Digital signature and authentication technology
Authentication technology mainly addresses verifying the identity of the parties in a network communication. The digital signature is one specific identity-authentication technique, and digital signatures also satisfy the non-repudiation requirement in communication.
The authentication process usually involves encryption and key exchange. The encryption used may be symmetric, asymmetric, or a combination of the two.
User name / password authentication
This is the most common form of authentication, used for operating system login, telnet, rlogin and so on, but the credentials are not encrypted: the password is easily sniffed off the wire and read directly.
Authentication using a digest algorithm
RADIUS (the dial-up authentication protocol), OSPF (routing protocol) authentication, the SNMP security protocol and others all use a shared secret key together with a digest algorithm (MD5). Because a digest is irreversible, the shared secret cannot be recovered from the digest exchanged during authentication, and the sensitive information itself is never sent over the network. Since a digest of a fixed value could simply be replayed, these protocols mix in a per-request value (a random challenge such as the RADIUS Request Authenticator, or a sequence number in OSPF) so that a captured response is useless later. The digest algorithms in common use are MD5 and SHA-1.
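The challenge-response pattern that RADIUS and similar protocols build on a shared secret and a digest is shown below as an added example (not code from the original page or from any RADIUS implementation). It uses HMAC-SHA256 as the keyed digest where the page's protocols use MD5 of secret and challenge; the shared secret value is constructed. What crosses the wire is only the random challenge and the digest, so a sniffer learns neither the secret nor anything reusable: the server accepts each challenge once, so a captured response replayed verbatim or against a fresh challenge is rejected.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret; in RADIUS/OSPF this is configured on both ends and
# never transmitted.
SHARED_SECRET = b"branch-office-radius-secret"


def digest_response(secret: bytes, challenge: bytes) -> bytes:
    """Keyed digest of the challenge. The page's protocols use MD5(secret || challenge);
    HMAC-SHA256 is the modern construction of the same idea."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.outstanding = set()          # challenges issued but not yet answered

    def challenge(self) -> bytes:
        # Fresh random value per request, like the RADIUS Request Authenticator.
        c = secrets.token_bytes(16)
        self.outstanding.add(c)
        return c

    def verify(self, challenge: bytes, response: bytes) -> bool:
        if challenge not in self.outstanding:
            return False                  # unknown or already-used challenge: replay
        self.outstanding.discard(challenge)   # single use
        expected = digest_response(self.secret, challenge)
        return hmac.compare_digest(expected, response)


def client_respond(secret: bytes, challenge: bytes) -> bytes:
    return digest_response(secret, challenge)


def run_exchange(server: Server, client_secret: bytes):
    """One authentication round. Returns the verdict and the two messages that
    actually crossed the wire, i.e. everything a sniffer could see."""
    c = server.challenge()
    r = client_respond(client_secret, c)
    wire = {"challenge": c, "response": r}
    return server.verify(wire["challenge"], wire["response"]), wire
```

The `outstanding` set is the minimum replay defence; real servers also expire unanswered challenges so the set cannot grow without bound.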
PKI-based authentication
Authentication and encryption based on a public-key infrastructure. This method is highly secure: it combines digest algorithms, asymmetric encryption, symmetric encryption and digital signatures, balancing security and efficiency. It is used today for e-mail, application server access, client authentication and firewall authentication. Its security is high, but it brings with it the heavier task of certificate management.
Digital signature
A digital signature is the basis for verifying the sender's identity and the integrity of the message. A public-key system (such as RSA) is based on a private/public key pair. To authenticate the sender and the message, the sender signs with its private key; anyone who holds the sender's public key, distributed in a certificate issued by the CA, can verify the signature. Forging a digital signature is computationally infeasible, and if a signed message is modified in any way the modification is detected when the signature is verified.
The two communicating parties obtain a shared secret key securely through Diffie-Hellman key agreement and encrypt their messages with that key. The Diffie-Hellman public values are certified by the CA, so that an attacker in the path cannot substitute values of his own.
With this model, the number of keys to manage grows linearly with the number of communicating parties; with pairwise shared secret keys it grows with the square of the number of parties.
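The Diffie-Hellman agreement described above, the reason its public values must be certified, and the linear-versus-square key count are worked through below as an added example (not code from the original page). The group parameters are a deliberately small toy prime so the arithmetic is visible; real deployments use the 2048-bit and larger groups of RFC 3526 or RFC 7919. The CA is modelled as a trusted directory of certified public values; the names Alice, Bob and Mallory are the example's own.

```python
import hashlib
import secrets

# Toy group parameters (assumption of this example): a 127-bit Mersenne prime.
# Far too small for real use; shown only to keep the numbers visible.
P = (1 << 127) - 1
G = 3


def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1        # private exponent a
    pub = pow(G, priv, P)                      # public value g^a mod p
    return priv, pub


def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    """(g^b)^a mod p = (g^a)^b mod p, hashed to a fixed-length session key."""
    s = pow(peer_pub, priv, P)
    return hashlib.sha256(s.to_bytes(16, "big")).digest()


def exchange_unauthenticated(attacker_in_path: bool) -> dict:
    """Alice and Bob agree a key over an open channel. If Mallory sits in the
    path and swaps in her own public value, each side ends up sharing a key
    with Mallory, who can decrypt and re-encrypt everything unnoticed."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    m_priv, m_pub = dh_keypair()
    a_sees = m_pub if attacker_in_path else b_pub
    b_sees = m_pub if attacker_in_path else a_pub
    k_alice = dh_shared_key(a_priv, a_sees)
    k_bob = dh_shared_key(b_priv, b_sees)
    result = {"alice_bob_agree": k_alice == k_bob}
    if attacker_in_path:
        # Mallory completes both half-exchanges with her own exponent.
        result["mallory_has_alice_key"] = dh_shared_key(m_priv, a_pub) == k_alice
        result["mallory_has_bob_key"] = dh_shared_key(m_priv, b_pub) == k_bob
    return result


def exchange_certified(attacker_in_path: bool) -> str:
    """Same exchange, but each side accepts a peer public value only if it
    matches the value in the peer's CA-issued certificate (modelled as a
    trusted directory). The substituted value is rejected before any key is derived."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    certificates = {"alice": a_pub, "bob": b_pub}   # what the CA vouches for
    _, m_pub = dh_keypair()
    a_sees = m_pub if attacker_in_path else b_pub
    b_sees = m_pub if attacker_in_path else a_pub
    if a_sees != certificates["bob"] or b_sees != certificates["alice"]:
        return "REJECTED: public value not certified"
    agree = dh_shared_key(a_priv, a_sees) == dh_shared_key(b_priv, b_sees)
    return "OK" if agree else "MISMATCH"


def keys_to_manage(n_parties: int) -> dict:
    """Pairwise symmetric secrets versus one public key per party."""
    return {"pairwise_secrets": n_parties * (n_parties - 1) // 2,
            "public_keys": n_parties}
```

The hash in `dh_shared_key` is a stand-in for a proper key derivation step; its purpose here is to turn the raw group element into a fixed-length key rather than using the number directly.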
VPN technology
When the headquarters and branches of a network system are connected over the public network, the greatest weakness is the lack of sufficient security. Connecting the enterprise network to the public network exposes two main hazards:
Unauthorised access to the enterprise from the public network.
Eavesdropping on, and illegal modification of, the information the network system sends over the public network. A complete enterprise-wide VPN security solution provides two-way communication over the public network with transparent encryption that ensures data integrity and confidentiality.
How VPN technology works:
A VPN system lets private networks at different sites communicate over an untrusted public network. It encrypts the transmitted information with strong algorithms so that sensitive data cannot be eavesdropped. The process is generally as follows:
The protected host sends a plaintext packet to the VPN device connected to the public network;
The VPN device decides, according to the rules set by the network administrator, whether the data must be encrypted or can be forwarded directly;
For data that requires encryption, the VPN device encrypts the whole packet and attaches a digital signature (integrity check value);
The VPN device adds a new header containing the security information the destination VPN device needs and some initialisation parameters;
The VPN device re-encapsulates the data with its own address as the source IP and the target VPN device's address as the destination IP, and sends the new packet over the public network through the virtual channel (tunnel);
When the packet reaches the target VPN device, the digital signature is checked first; only then is the packet decrypted and forwarded to its real destination.
IPsec
IPsec is supported by most vendors as the framework for encrypted communication over IPv4 and IPv6.
IPsec mainly provides encrypted communication at the IP network layer. The standard adds two new header formats to IP packets: the Authentication Header (AH) and the Encapsulating Security Payload (ESP). IPsec uses ISAKMP/Oakley (the basis of IKE), and historically SKIP, for key exchange, key management and negotiation of the encrypted communication.
IPsec consists of two parts:
The IP security protocols proper, which define the IPsec header formats (AH and ESP);
ISAKMP/Oakley, which negotiates the parameters of the encrypted communication.
IPsec provides two modes of encrypted communication:
IPsec tunnel mode: the whole IP packet is encapsulated between IPsec gateways;
IPsec transport mode: only the payload of the IP packet is encrypted, and the original source and destination addresses are kept.
Tunnel mode requires no modification to the hosts and applications behind the gateways, hides the real source and destination addresses from an observer on the network, and can provide a private network encrypted over the Internet; most vendors therefore use this mode. ISAKMP/Oakley uses X.509 digital certificates, so a VPN can easily be extended to enterprise scale (it is easy to manage).
For remote dial-up clients, IPsec client software can also provide encrypted network communication to dial-up users. Since IPsec is becoming an Internet standard, the firewall (VPN) products of different vendors can interoperate.
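The six-step VPN encapsulation process given above and the tunnel/transport distinction in this section are worked through together below as an added example (not code from the original page, and not IPsec's actual ESP format). The gateway and host addresses are constructed. Because the Python standard library has no block cipher, a keyed-hash counter-mode keystream stands in for AES; the ESP-like layout of SPI, sequence number, nonce, ciphertext and ICV, and the encrypt-then-MAC order, are the example's own. The point to see is that in tunnel mode an observer learns only the two gateway addresses, in transport mode the real hosts, and that a tampered packet is dropped at the integrity check before anything is decrypted.

```python
import hashlib
import hmac
import os
import struct

# Constructed addresses for the example (the page names none).
GW_A, GW_B = "203.0.113.1", "198.51.100.1"    # VPN gateways on the public network
HOST_A, HOST_B = "10.1.0.7", "10.2.0.9"        # protected hosts behind them


class SecurityAssociation:
    """Keys and parameters both gateways agreed (in IPsec, negotiated by IKE)."""
    def __init__(self, spi: int, enc_key: bytes, auth_key: bytes):
        self.spi, self.enc_key, self.auth_key = spi, enc_key, auth_key
        self.seq = 0                          # sequence number for anti-replay


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for AES,
    # since the standard library has no block cipher. A nonce must never be reused.
    out = b""
    for ctr in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return out[:length]


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def esp_protect(sa: SecurityAssociation, inner: bytes) -> bytes:
    """ESP-like payload: SPI | seq | nonce | ciphertext | ICV (encrypt-then-MAC)."""
    sa.seq += 1
    nonce = os.urandom(16)
    header = struct.pack(">II", sa.spi, sa.seq) + nonce
    ct = xor(inner, keystream(sa.enc_key, nonce, len(inner)))
    icv = hmac.new(sa.auth_key, header + ct, hashlib.sha256).digest()
    return header + ct + icv


def esp_unprotect(sa: SecurityAssociation, esp: bytes) -> bytes:
    """Verify the ICV first; decrypt only if it checks out (the page's last step)."""
    header, ct, icv = esp[:24], esp[24:-32], esp[-32:]
    expected = hmac.new(sa.auth_key, header + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, icv):
        raise ValueError("ICV check failed: packet dropped before decryption")
    nonce = header[8:24]
    return xor(ct, keystream(sa.enc_key, nonce, len(ct)))


def tunnel_mode(sa, payload: bytes) -> dict:
    """Whole inner packet, addresses included, is encrypted; the outer header
    carries only the gateway addresses."""
    inner = f"{HOST_A}>{HOST_B}|".encode() + payload
    return {"src": GW_A, "dst": GW_B, "esp": esp_protect(sa, inner)}


def transport_mode(sa, payload: bytes) -> dict:
    """Only the payload is encrypted; the original host addresses stay visible."""
    return {"src": HOST_A, "dst": HOST_B, "esp": esp_protect(sa, payload)}


def sniffer_view(pkt: dict) -> tuple:
    """What an eavesdropper on the public network learns from the clear header."""
    return pkt["src"], pkt["dst"]


def receive_tunnel(sa, pkt: dict) -> tuple:
    inner = esp_unprotect(sa, pkt["esp"])
    addrs, payload = inner.split(b"|", 1)
    src, dst = addrs.decode().split(">")
    return src, dst, payload


def accepts(sa, pkt: dict) -> bool:
    """True if the receiving gateway would forward the packet."""
    try:
        esp_unprotect(sa, pkt["esp"])
        return True
    except ValueError:
        return False


def tamper(pkt: dict) -> dict:
    """Flip one bit of the ciphertext, as an attacker on the path might."""
    esp = bytearray(pkt["esp"])
    esp[30] ^= 0x01
    return {**pkt, "esp": bytes(esp)}
```

A real ESP receiver also checks the sequence number against a replay window; that step is omitted here so the integrity-before-decryption ordering stays the focus.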
How to guarantee the security of remote access
For users who dial in to headquarters from outside, data carried over the public telephone network is at risk, so security must be strictly controlled. First, strictly limit the system information and resources a dial-up user can reach; this can be done by placing a NetScreen firewall behind the dial-up access server. Second, strengthen the authentication of dial-up users by using a dedicated authentication server such as RADIUS: this gives unified management of dial-up accounts and uses encryption during authentication so that user passwords cannot leak. Third, encrypt the data in transit to prevent it from being stolen. One method is to encrypt data with PGP for Business Security; another is to use the VPN (virtual private network) technology provided by the NetScreen firewall. Besides encrypting network data, the VPN also provides encrypted client software for single-machine users, i.e. software-based encryption that protects data in transit.