[Collection] Network Security Knowledge: The Concept and Scope of Network Security, and an Overview of the Main Techniques

xiaoxiao, 2021-03-06

Information source: feedingM.Net

At the turn of the 21st century computers everywhere are being joined to the Internet. The growth of the Internet and its wealth of information resources have brought great convenience, but they have also brought security problems to Internet users. Because the Internet is open and crosses organizational and national borders, it carries hidden security risks. At the same time the meaning of information security has changed fundamentally: it has grown from a general form of defence into an everyday precaution, and from a specialist field into something that is needed everywhere.

I. The Concept of Network Security

The International Organization for Standardization (ISO) defines computer system security as the technical and managerial protection established for a data processing system so that its hardware, software and data are not damaged, altered or disclosed through accident or malicious action. Network security can therefore be understood as adopting a range of technical and management measures to keep the network system running normally, and so to guarantee the availability, integrity and confidentiality of network data. The purpose of network security protection measures is to ensure that data transmitted and exchanged over the network is not added to, modified, lost or disclosed.

II. Security Risks of the Internet

The security risks of the Internet show mainly in the following aspects:

1. The Internet is an open network with no central control mechanism. Hackers frequently break into computer systems on the network to steal confidential data and privileges, destroy important data, or paralyse the system.
2. Data transfer on the Internet is based on the TCP/IP protocol suite, which lacks security measures to prevent information from being stolen while in transit.
3. Most communication services on the Internet run on the UNIX operating system, so security vulnerabilities in UNIX directly affect the security of those services.
4. Electronic information stored, transmitted and processed on computers is not sealed in an envelope or signed the way traditional mail is. The origin of the information, whether its content is genuine, whether it has been altered and whether it has leaked are all left to a gentleman's agreement within the service protocols supported by the application layer.
5. Email can be opened, misdirected and forged; using email to send important confidential information carries great risk.
6. Computer viruses cause great harm to Internet users: a virus can paralyse computers and computer network systems and destroy data and files. Viruses spread over the network through public anonymous FTP files or through email and email attachments.

III. The Scope of Network Security Defence

A secure computer network should have the characteristics of reliability, availability, integrity, confidentiality and authenticity. A computer network must protect not only the security of its network equipment and of the network system, but also the security of its data. For the security problems that the computer network itself may have, a network security scheme is put in place; guaranteeing the security of the network itself is an important matter that every computer network must treat carefully. Network security prevention has two main focuses: computer viruses and hacker crime. A computer virus is a destructive program that harms computer systems, and it is the more familiar of the two threats to network security. Hacker crime refers to using advanced computer techniques to steal passwords, break into other people's computer networks, obtain information illegally and steal privileges, for example by illegally transferring bank funds or shopping with stolen bank accounts. As the network economy and e-commerce develop, preventing hacker intrusions and effectively protecting the security of online transactions concerns not only the safety of personal funds and merchants' goods but also national economic security and the stability of the economic order; organizations and departments at all levels must therefore give it serious attention.

IV. The Main Techniques for Ensuring Network Security

1. Firewall technology

A network firewall is a special-purpose network interconnection device that applies access control between networks: it prevents external users from entering the internal network by illegitimate means, controls access to internal network resources, and protects the internal network's operating environment. It inspects the packets transmitted between two or more networks, for instance on a link, to decide whether the communication between the networks is permitted, and it monitors network activity. Current firewall products include the bastion host, the packet-filtering router, the application-layer gateway (proxy server), the circuit-layer gateway, the screened-host firewall and the dual-homed host. The firewall sits at the bottom of the five-layer network security system and belongs to the network-layer security technologies, handling security authentication and transmission between networks. With the overall development of network security technology and the constant change of network applications, however, modern firewall technology has gradually moved to other security layers beyond the network layer: it not only performs the filtering task of the traditional firewall but can also provide appropriate security services for a variety of network applications. A number of firewall products are also developing in the direction of data security and user authentication, virus prevention and hacker prevention.

According to the technology used, firewalls can be divided into four basic types: packet filtering, network address translation (NAT), proxy and monitoring. Specifically:

(1) Packet filtering. Packet-filtering products are the earliest generation of firewall; their technical basis is the packet-switched transmission technique used in networks. Data on the network is transmitted as "packets": the data is split into packets of a certain size, and each packet carries specific information such as the source address, the destination address, the TCP/UDP source port and the destination port. By reading the address information in the packet, the firewall decides whether the packet comes from a trusted, safe site; once it finds packets from a dangerous site, it rejects them. The system administrator can also flexibly define the decision rules according to the actual situation. The advantages of packet filtering are simplicity, practicality and low implementation cost; when the application environment is relatively simple it can guarantee system security to a certain extent. Its defects are equally obvious. Packet filtering is a purely network-layer security technique: it can only judge on network-level information such as source and destination addresses and ports, and cannot recognise malicious intrusions based on the application layer, such as malicious Java applets or viruses carried by email. An experienced hacker can easily forge an IP address and deceive a packet-filtering firewall.

(2) Network address translation (NAT). Network address translation is a standard for converting IP addresses into temporary, external, registered IP addresses. It allows an internal network that uses private IP addresses to access the Internet, and it means that users do not need to obtain a registered IP address for every machine on their network. NAT works as follows. When the internal network accesses the external network through the secure network interface, a mapping record is generated: the system maps the source address and source port to a masquerade address and port, and connects to the external network through the non-secure interface using that masquerade address and port, so that the real internal address stays hidden. When the external network accesses the internal network through the non-secure interface, it knows nothing about the internal network's connections and can only request access through an open IP address and port. The OLM firewall decides on the basis of pre-defined mapping rules whether the access is safe. If it complies with the rules the firewall regards the access as safe, accepts the request, and may map the connection request to a different internal computer. If the rules are not met the firewall regards the access as unsafe and refuses it, blocking the external connection request. The address translation process is transparent to users: it requires no user configuration, and users simply carry out their normal operations.

(3) Proxy. A proxy firewall can also be called a proxy server. Its security is higher than that of packet-filtering products, and it has begun to extend to the application layer. The proxy server sits between the client and the server and completely blocks direct data exchange between the two. From the client's point of view the proxy server is the real server; from the server's point of view the proxy server is the real client.
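The packet-filtering and NAT behaviour described above, as an added worked example (not code from the original article or from any firewall product): a first-match rule filter that sees only header fields, and a NAT table that masquerades outbound connections and refuses unsolicited inbound ones. All addresses, rules and packets are constructed for the demonstration; note that the "malicious" payload passes the filter untouched, which is exactly the application-layer blind spot the text warns about.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional

@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter can see, plus the payload it cannot interpret."""
    src_ip: str
    dst_ip: str
    proto: str          # "tcp" or "udp"
    src_port: int
    dst_port: int
    payload: bytes = b""

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    src: str = "0.0.0.0/0"          # source network
    dst: str = "0.0.0.0/0"          # destination network
    proto: str = "any"
    dst_port: Optional[int] = None  # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src_ip) in ip_network(self.src)
                and ip_address(pkt.dst_ip) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dst_port in (None, pkt.dst_port))

def filter_packet(rules, pkt: Packet, default: str = "deny") -> str:
    """First-match packet filter: the decision uses header fields only, never the payload."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Constructed rule set: outsiders may reach the internal web port; everything else from
# outside is dropped; anything originating inside may leave.
INTERNAL = "10.0.0.0/8"
RULES = [
    Rule("allow", dst=INTERNAL, proto="tcp", dst_port=80),
    Rule("allow", src=INTERNAL),
    Rule("deny"),
]

class Nat:
    """Masquerading NAT: internal (ip, port) pairs are mapped to ports on one public address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}   # (internal ip, internal port) -> public port
        self.inbound = {}    # public port -> (internal ip, internal port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Create the mapping record on first use and rewrite the source to the masquerade address."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return replace(pkt, src_ip=self.public_ip, src_port=self.outbound[key])

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Only traffic matching an existing mapping is forwarded inside; the rest is dropped."""
        key = self.inbound.get(pkt.dst_port)
        if key is None or pkt.dst_ip != self.public_ip:
            return None
        ip, port = key
        return replace(pkt, dst_ip=ip, dst_port=port)

if __name__ == "__main__":
    outside, web = "198.51.100.9", "10.0.0.20"
    print(filter_packet(RULES, Packet(outside, web, "tcp", 4444, 22)))    # deny
    print(filter_packet(RULES, Packet(outside, web, "tcp", 4444, 80)))    # allow
    # Same header, hostile application-layer content: still "allow" (the filter cannot tell).
    print(filter_packet(RULES, Packet(outside, web, "tcp", 4444, 80, b"<applet ...>")))
    nat = Nat("203.0.113.5")
    out = nat.translate_outbound(Packet("10.0.0.7", "93.184.216.34", "tcp", 51000, 443))
    print(out.src_ip, out.src_port)                                         # 203.0.113.5 40000
    print(nat.translate_inbound(Packet("93.184.216.34", "203.0.113.5", "tcp", 443, 40001)))  # None
```

The `Nat` class models the mapping record the text describes: the reply to an outbound connection is translated back to the real internal host, while an inbound packet that matches no record is dropped, which is what hides the internal addresses.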

When a client needs data on the server, it first sends the request to the proxy server; the proxy server requests the data from the server on the client's behalf and then passes the data on to the client. Because there is no direct data channel between the external system and the internal server, external malicious intrusions find it hard to damage the internal network system. The advantage of the proxy firewall is high security: it can detect and scan the application layer, which is very effective against application-based intrusions and viruses. Its disadvantage is the large impact on overall system performance, and the proxy server must be configured separately for every type of application the client can generate, which greatly increases the complexity of system administration.

(4) Monitoring. The monitoring firewall is a new generation of product, and its technology has in fact gone beyond the original definition of a firewall. A monitoring firewall actively monitors the data at each layer in real time and, on the basis of analysing that data, can effectively identify illegal intrusions at each layer. Monitoring firewall products generally also have distributed detectors placed in the application servers and other network nodes, so they not only detect attacks from outside the network but also act as a strong precaution against malicious damage from inside. According to the statistics of authoritative bodies, a considerable proportion of attacks on network systems come from inside the network. The monitoring firewall therefore not only exceeds the definition of the traditional firewall but also surpasses the first two generations of products in security. Although its security exceeds that of the packet-filtering and proxy-server firewalls, monitoring firewall technology is costly and not easy to manage, so practical firewall products today still mainly use second-generation proxy technology, while beginning to use monitoring in some respects. Weighing system cost against the cost of security technology, users can selectively adopt certain monitoring techniques; this guarantees the security requirements of the network system while effectively controlling the total cost of ownership of the security system. Although the firewall is at present the main protection against hacker attacks, it has significant shortcomings: it cannot stop attacks that arrive by paths other than through the firewall, cannot stop threats from internal defectors and careless users, cannot fully stop the transfer of virus-infected software or documents, and cannot stop data-driven attacks.

2. Encryption technology

Encryption technology for information exchange falls into two categories: symmetric encryption and asymmetric encryption. Specifically:

(1) Symmetric encryption. In symmetric encryption the same key is used both to encrypt and to decrypt information, that is, one key opens one lock. This simplifies the encryption process, and the two parties to the exchange need not study and exchange dedicated encryption algorithms. As long as the private key has not been disclosed during the exchange, confidentiality and message integrity can be guaranteed. Symmetric encryption has shortcomings, however. If a party has N exchange partners, it must maintain N private keys. A further problem is that the two parties share a single private key, and every piece of information exchanged between them is transmitted after being encrypted with that key.
(2) Asymmetric encryption. In an asymmetric encryption system the key is split into a pair, a public key and a private key. One of the two, the public key (encryption key), can be disclosed to anyone, while the other is kept as the private key (decryption key). The public key is used to encrypt and the private key to decrypt. The private key is held only by the party that generated the key pair, while the public key can be published widely, but it corresponds only to the party that generated it. Asymmetric encryption can establish secure communication without exchanging keys in advance, and it is widely used in information exchanges such as identity authentication and digital signatures. Asymmetric systems are generally based on a known hard mathematical problem and are a natural outcome of the development of computational complexity theory. The most representative is the RSA public-key cryptosystem. Proposed in 1977, RSA was the first complete public-key cryptosystem; its security rests on the difficulty of factoring large integers.
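A worked example of the RSA public-key system introduced above, added here and not taken from the original article: key generation from two primes, encryption and decryption by modular exponentiation, and a trial-division factoring routine that shows why the textbook-sized modulus used in the demonstration offers no security. The parameters (p = 61, q = 53, e = 17, plaintext 65) are constructed for illustration; a real key uses primes of roughly 1024 bits each.

```python
from math import gcd, isqrt

def is_prime(n: int) -> bool:
    """Trial-division primality test; adequate for the toy sizes used here."""
    if n < 2:
        return False
    return all(n % k for k in range(2, isqrt(n) + 1))

def rsa_keygen(p: int, q: int, e: int):
    """Return (n, e, d): n = pq, e coprime to (p-1)(q-1), d = e^-1 mod (p-1)(q-1)."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be two distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return n, e, d

def rsa_encrypt(m: int, n: int, e: int) -> int:
    """C = M^e mod n; the plaintext block must be smaller than the modulus."""
    if not 0 <= m < n:
        raise ValueError("plaintext must lie in [0, n)")
    return pow(m, e, n)

def rsa_decrypt(c: int, n: int, d: int) -> int:
    """M = C^d mod n."""
    return pow(c, d, n)

def factor_small_modulus(n: int):
    """Recover (p, q) from n by trial division. Instant for the toy modulus below,
    and exactly the computation that must be infeasible for a real key."""
    for k in range(2, isqrt(n) + 1):
        if n % k == 0:
            return k, n // k
    return None

if __name__ == "__main__":
    n, e, d = rsa_keygen(61, 53, 17)         # constructed textbook parameters
    c = rsa_encrypt(65, n, e)
    print(n, e, d, c, rsa_decrypt(c, n, d))  # 3233 17 2753 2790 65
    print(factor_small_modulus(n))           # (53, 61): a 12-bit modulus is broken at once
```

Textbook RSA as shown here encrypts a bare integer; deployed systems pad the message first and rely on the modulus being far too large for any factoring method, which is the "basic fact" the article relies on.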

The RSA system relies on the basic fact that, so far, no efficient algorithm has been found for factoring the product of two large primes. The RSA algorithm is described as follows:

Public key: n = pq (p and q are two distinct large primes and must be kept secret), together with e, which is coprime to (p-1)(q-1).
Private key: d = e^(-1) mod (p-1)(q-1).
Encryption: C = M^e mod n, where M is the plaintext and C the ciphertext.
Decryption: M = C^d mod n.

With the knowledge and theory mastered today, factoring a 2048-bit integer is beyond the computing power of 64-bit computers, so the system is secure enough now and for the foreseeable future.

3. Virtual private network technology

The virtual private network (VPN) is a technology that has developed rapidly in recent years alongside the Internet. Modern companies increasingly use Internet resources for promotion, sales, after-sales service and even training and collaboration, and many tend to use the Internet in place of their own private data networks. The logical network formed by transmitting private information over the Internet is called a virtual private network. A VPN in effect treats the Internet as a public data network; for data transfer this public network is no different in essence from the PSTN. From the user's point of view the data is simply delivered to its destination, and the network an enterprise builds on this public data network is, correspondingly, called a private network. At present VPNs rely mainly on four technologies to ensure security: tunneling, encryption, key management, and user and device identity authentication.

(1) Tunneling. Tunneling is a way of passing data between networks across an interconnected infrastructure. The data (or payload) carried through the tunnel may be data frames or packets of a different protocol. The tunneling protocol re-wraps these frames or packets of other protocols in a new header; the new header provides routing information so that the encapsulated payload can traverse the intermediate network. The encapsulated packets are routed across the public internetwork between the two tunnel endpoints, and the logical path the encapsulated packets follow over the public internetwork is called the tunnel. Once the endpoint is reached, the data is unwrapped and forwarded to its final destination. Note that tunneling refers to the whole process of encapsulation, transmission and decapsulation.

(2) Encryption. Data passed across the public internetwork must be encrypted so that unauthorized users of the network cannot read it. Encryption is a relatively mature technology in data communications, and a VPN can use existing techniques directly.

(3) Key management. The main task of key management is to distribute keys securely over the public data network without their being stolen. Current key management technology is of two kinds, SKIP and ISAKMP/Oakley. SKIP mainly uses the Diffie-Hellman algorithm to transmit a key over the network; in ISAKMP each party has two keys, one public and one private.

(4) User and device identity authentication. A VPN scheme must be able to verify users' identities and strictly ensure that only authorized users access the VPN. The scheme must also provide audit and billing functions, recording who accessed what information and when. The most commonly used identity authentication is by user name and password or by card-based authentication.
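The encapsulate / transmit / unpack cycle of tunneling described in (1), as an added example that is not from the original article and does not implement any real tunneling protocol (the header layout is constructed for the demonstration). An inner packet is wrapped in a new header carrying the outer endpoint addresses, and the receiving endpoint strips the header and recovers the payload. The block also adds a keyed integrity tag so that a frame altered in transit is rejected; this covers integrity only, the confidentiality requirement of (2) would need a real cipher, which the Python standard library does not provide.

```python
import hashlib
import hmac
import struct
from ipaddress import ip_address

# Constructed tunnel header (hypothetical format, not GRE, IPsec or any real protocol):
#   1 byte version, 1 byte inner protocol id, 4 bytes outer src, 4 bytes outer dst,
#   2 bytes inner payload length. A 32-byte HMAC-SHA256 tag follows the payload.
HEADER = struct.Struct("!BB4s4sH")
TAG_LEN = 32
VERSION = 1

def encapsulate(inner: bytes, outer_src: str, outer_dst: str, inner_proto: int, key: bytes) -> bytes:
    """Wrap an inner packet in the new outer header and append an integrity tag."""
    header = HEADER.pack(VERSION, inner_proto,
                         ip_address(outer_src).packed, ip_address(outer_dst).packed, len(inner))
    body = header + inner
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag

def decapsulate(frame: bytes, key: bytes):
    """At the tunnel endpoint: verify the tag, strip the header, return
    (outer_src, outer_dst, inner_proto, inner) or None if the frame is not trustworthy."""
    if len(frame) < HEADER.size + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # altered in transit or wrong key
    version, proto, src, dst, length = HEADER.unpack_from(body)
    inner = body[HEADER.size:]
    if version != VERSION or len(inner) != length:
        return None
    return str(ip_address(src)), str(ip_address(dst)), proto, inner

if __name__ == "__main__":
    key = b"constructed-demo-key"                      # would come from key management
    inner = b"inner packet of some other protocol"     # constructed payload
    frame = encapsulate(inner, "203.0.113.5", "198.51.100.1", 6, key)
    print(decapsulate(frame, key))                     # ('203.0.113.5', '198.51.100.1', 6, b'inner ...')
    tampered = frame[:HEADER.size] + b"X" + frame[HEADER.size + 1:]
    print(decapsulate(tampered, key))                  # None: modification detected
```

The outer addresses are the two tunnel endpoints, which is all the public network needs to route the frame; the inner packet's own addressing is carried through untouched and only becomes relevant once the endpoint has unwrapped it.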

Please cite the original address when reposting: https://www.9cbs.com/read-70193.html
