Information Security Management (3): Network Security
2016-07-23 14:43
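This chapter is split out specifically to discuss network security. It still covers only in general terms the characteristics of network security, common network security vulnerabilities, and methods of network security control. It should be read together with Information Security Management (2): What Is Information Security? The Principles and Requirements of Information Security, because network security is really a part of that previous chapter.
This post only records fragmentary notes; I will add to it when I have time. The detailed content will be covered next time under computer networks or distributed networks. Part 1 (definition and characteristics of networks) and Part 2 (TCP/IP) do not need to be read; they are only here as notes.
1 Definition and characteristics of networks
1.1 Definition of a network
(Honestly can't be bothered to explain; look it up on a wiki yourselves.) What networks are used for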
What is a network…
Devices in a network…
LAN, WAN and Internetworks
What do networks do for you…
Sharing resources
Use/share applications
1.2 Characteristics of networks
– Anonymity
– Automation
– Distance
– Opaqueness
– Routing diversity
1.3 Network Topology
2 TCP/IP
Protocols…Open Systems
ANSI, IETF, ISO, IAB
2.1 ISO – OSI Reference Model - 7 Layers
Application: End user processes like FTP, e-mail, etc.
Presentation: Format, Encrypt data to send across network
Session: Establishes, manages and terminates connections between applications
Transport: End-to-end error recovery, flow control, priority services
Network: Switching, Routing, Addressing, internetworking, error handling, congestion control and packet sequencing
Data-link: Encoding, decoding data packets into bits. Media Access Control Sub-layer: Data access/transmit permissions. Logical Link Sub-layer: Frame synchronisation, flow control, error checking.
Physical: Conveys the bit stream (electrical, light, radio)
All People Seem To Need Data Protection
People Do Not Trust Sales People Always
ISO-OSI seven-layer structure
TCP/IP
2.2 Related protocols
Application layer – FTP, Telnet, DNS, DHCP, TFTP, RPC, NFS, SNMP…
Transport layer – TCP, UDP
Internet Layer – IP, ICMP, ARP, bootp…
Organisations / entities : ICANN, IETF, IAB, IRTF, ISOC, W3C
Other Protocols
IPX/SPX
ATM
DECnet
IEEE 802.11
AppleTalk
USB
SNA
3 Network security risks
3.1 What makes networks vulnerable
Anonymity
Multiplicity of points of attack
Resource sharing
Complexity of system
Uncertain perimeter
Unknown path
Protocol flaws / protocol implementation flaws
3.2 Motivations of network attacks
Challenge
Fame
Organised Crime
Ideology
Espionage / Intelligence
4 Threats in networks
4.1 Reconnaissance
Port Scan
Social Engineering
Intelligence gathering
O/S and Application fingerprinting
IRC Chat rooms
Available documentation and tools
Protocol flaws / protocol implementation flaws
4.2 Threats in transit
Eavesdropping / Packet sniffing
Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)
4.3 Impersonation
Password guessing
Avoiding authentication
Non-existent authentication
Well-known authentication
Masquerading
Session hijacking
Man-in-the-middle
4.4 Message confidentiality threats
Mis-delivery
Exposure – in various devices in the path
Traffic Flow analysis – sometimes the knowledge of existence of message can be as important as message content
4.5 Message integrity threats
Falsification
Noise
Protocol failures / misconfigurations
4.6 Operating system based threats
Buffer-Overflow
Virus, Trojans, rootkits
Password
4.7 Application based threats
Web-site defacement
DNS cache poisoning
XSS (Cross-site Scripting)
Active-code / Mobile-code
Cookie harvesting
Scripting
4.8 Denial of service
SYN Flooding
Ping of death
Smurf
Teardrop
Traffic re-direction
Distributed Denial of Service
Bots and Botnets
Script Kiddies
5 Network security controls
5.1 Vulnerability and threat assessment
5.2 Network architecture controls
Network segmentation
Architect for availability
Avoid SPOF (single points of failure)
Encryption
Link encryption
End-to-end encryption
Secure Virtual Private Networks
Public Key Infrastructure and Certificates
SSL and SSH
5.3 Strengthening the encryption system
Strong Authentication
One Time Password
Challenge Response authentication
Kerberos
5.4 Firewall setup
Packet Filters
Stateful Packet Filters
Application proxies
Diodes
Firewall on end-points
5.5 Intrusion detection / prevention systems
Network based / host based
Signature based
Heuristics based / protocol anomaly based
Stealth mode
5.6 Policies and procedures
Enterprise-wide Information Security Policy
Procedures
Buy-in (from Executives and employees)
Review, enhancement and modification
5.7 Other network controls
Data-Leakage Protection systems
Network based / host based
Content scanning/Anti-Virus/Spyware Control systems
Network based / host based
Secure e-mail Systems
Design and implementation
ACLs (Access Control Lists)
References:
Principles of Information Security Systems – Texts and Cases – Gurpreet Dhillon - Chapter 5 : Network Security
Security in Computing – Charles & Shari Pfleeger - Chapter 7 : Security in Networks
Information Security Principles and Practices – Mark Merkow & Jim Breithaupt - Chapter 12 : Telecommunications, Network and Internet Security