
Information Security Management (3): Network Security

2016-07-23 14:43

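This chapter is split out to talk specifically about network security, although it is still a fairly general overview of the characteristics of network security, common network security vulnerabilities, and methods of network security control. It should be read and understood together with "Information Security Management (2): What Is Information Security? Principles and Requirements of Information Security", because network security is really part of that previous chapter.

This post only records fragmentary notes; I will add to it later when I have time. The detailed material will be covered another time under computer networks or distributed networks. Part 1 (definition and characteristics of networks) and Part 2 (TCP/IP) do not need to be read; they are only there as notes.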



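1 Definition and characteristics of networks

1.1 Definition of a network

(Honestly can't be bothered to go into it; look it up on a wiki yourselves.)
Uses of a network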

What is a network…

Devices in a network…

LAN, WAN and Internetworks

What do networks do for you…

Sharing resources

Use/share applications

1.2 Characteristics of networks

– Anonymity
– Automation
– Distance
– Opaqueness
– Routing diversity

1.3 Network Topology

2 TCP/IP

Protocols…

Open Systems

ANSI, IETF, ISO, IAB

2.1 ISO – OSI Reference Model - 7 Layers

Application: End user processes like FTP, e-mail, etc.

Presentation: Format, Encrypt data to send across network

Session: Establishes, manages and terminates connections between applications

Transport: End-to-end error recovery, flow control, priority services

Network: Switching, Routing, Addressing, internetworking, error handling, congestion control and packet sequencing

Data-link: Encoding, decoding data packets into bits. Media Access Control Sub-layer: Data access/transmit permissions. Logical Link Sub-layer: Frame synchronisation, flow control, error checking.

Physical: Conveys the bit stream (electrical, light, radio)
All People Seem To Need Data Protection
People Do Not Trust Sales People Always



ISO-OSI seven-layer structure



TCP/IP

2.2 Related protocols

Application layer – FTP, Telnet, DNS, DHCP, TFTP, RPC, NFS, SNMP…

Transport layer – TCP, UDP

Internet Layer – IP, ICMP, ARP, bootp…

Organisations / entities : ICANN, IETF, IAB, IRTF, ISOC, W3C

Other Protocols

IPX/SPX

ATM

DECnet

IEEE 802.11

AppleTalk

USB

SNA

3 Network security risks

3.1 Why networks are insecure

What makes a network vulnerable

Anonymity

Multiplicity of points of attack

Resource sharing

Complexity of system

Uncertain perimeter

Unknown path

Protocol flaws / protocol implementation flaws

3.2 Motivations of network attacks

Challenge

Fame

Organised Crime

Ideology

Espionage / Intelligence

4 Threats in Networks

4.1 Reconnaissance

Port Scan

Social Engineering

Intelligence gathering

O/S and Application fingerprinting

IRC Chat rooms

Available documentation and tools

Protocol flaws / protocol implementation flaws

4.2 Threats in Transit

Eavesdropping / Packet sniffing

Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)

4.3 Impersonation

Password guessing

Avoiding authentication

Non-existent authentication

Well-known authentication

Masquerading

Session hijacking

Man-in-the-middle

4.4 Message Confidentiality Threats

Mis-delivery

Exposure – in various devices in the path

Traffic flow analysis – sometimes knowledge of the existence of a message can be as important as the message content

4.5 Message Integrity Threats

Falsification

Noise

Protocol failures / misconfigurations

4.6 Operating System based Threats

Buffer-Overflow

Viruses, Trojans, rootkits

Password

4.7 Application based Threats

Web-site defacement

DNS cache poisoning

XSS (Cross-site Scripting)

Active-code / Mobile-code

Cookie harvesting

Scripting

4.8 Denial of service

SYN flooding

Ping of death

Smurf

Teardrop

Traffic re-direction

Distributed Denial of Service

Bots and Botnets

Script Kiddies

5 Network Security Controls

5.1 Vulnerability and Threat assessment

5.2 Network architecture controls

Network Architecture

Network segmentation

Architect for availability

Avoid SPOF (single points of failure)

Encryption

Link encryption

End-to-end encryption

Secure Virtual Private Networks

Public Key Infrastructure and Certificates

SSL and SSH

5.3 Strengthening the encryption system

Strong Authentication

One Time Password

Challenge Response authentication

Kerberos

5.4 Firewall configuration

Firewalls

Packet Filters

Stateful Packet Filters

Application proxies

Diodes

Firewall on end-points

5.5 Intrusion Detection / Prevention Systems

Network based / host based

Signature based

Heuristics based / protocol anomaly based

Stealth mode

5.6 Use of policies and procedures

Policies and Procedures

Enterprise-wide Information Security Policy

Procedures

Buy-in (from Executives and employees)

Review, enhancement and modification

5.7 Other network control methods

Data-Leakage Protection systems

Network based / host based

Content scanning/Anti-Virus/Spyware Control systems

Network based / host based

Secure e-mail Systems

Design and implementation

ACLs (Access Control Lists)

References:

Principles of Information Security Systems – Texts and Cases – Gurpreet Dhillon – Chapter 5: Network Security

Security in Computing – Charles & Shari Pfleeger – Chapter 7: Security in Networks

Information Security Principles and Practices – Mark Merkow & Jim Breithaupt – Chapter 12: Telecommunications, Network and Internet Security