Review: Network Security (高天寒), Chapter 4 Network Security
(Preview: 5 of 55 pages are shown; the remaining 50 pages are not included.)


Chapter 4 Network security
高天寒 (Timothygao78)

Review
- Introduction
- Message authentication
- MD5
- SHA-1
- Digital signature
- PKI

Contents
- Network security
- Security attack
- Architecture and mechanisms
- Firewall
- VPN
- IDS
- Other security techniques

Network security
- Network security, in the broad sense, means that the hardware and software of a network system and the data in it are not damaged, altered or disclosed by accident or by malicious action, that the system runs continuously, reliably and normally, and that network services are not interrupted.
- In the narrow sense, it means the operational security of the network.
- Characteristics of the Internet:
  - no borders
  - no owner or administrator
  - no defences
  - no legal constraints
- Security problems have become the main factor affecting the development of the Internet.

Network security (Cont.)
- No user authentication mechanism:
  - the IP address is used as the main identifier of a node
  - TCP/IP has no mechanism for verifying that an IP address is genuine
  - network topology
- No authentication mechanism in routing protocols
- No confidentiality
- TCP/UDP defects:
  - three-way handshake defect
  - initial sequence number defect
  - UDP is vulnerable to source routing and DoS
- Vulnerability of TCP/IP services

Security attack
- Security attack: any unauthorized act whose purpose is to interfere with or damage a network system.
- Two views of what an attack on a network is:
  - the attack has happened once the act is fully complete and the attacker is inside the target system
  - the attack has begun from the moment the attacker starts working on the target machine
- Attack methods are many and varied, and the environments in which they occur ever broader. An attack
  - can be an act that violates the network security policy
  - can be an act showing attack characteristics
  - can be abnormal behaviour that differs from the characteristics of normal behaviour
- Attacks always follow some regularity that can be discovered.

Attack character
- Attacker
- Time
- Goal: small network, university, multi-user network, government

Attack method (diagram)

Attack method (Cont.)
- Interruption: an attack on availability
- Interception: an attack on confidentiality
- Modification: an attack on integrity
- Fabrication: an attack on reliability and accountability
- Attacks fall into two categories: "passive", when a network intruder intercepts data travelling through the network, and "active", in which an intruder initiates commands to disrupt the network's normal operation.

Typical attacks
- TCP SYN flooding
- ICMP flooding
- Smurf
- Fragment attack
- Teardrop
- IP spoofing
- DNS spoofing

Security architecture (by layer)
- Application: S-HTTP, S/MIME, SET
- Transport: SSL
- Network: IPSec
- Link / Physical: TPM, C&A (as labelled on the slide)

Mechanisms
- Firewall
- VPN
- IDS
- Scanner
- Isolation
- Audit

Firewall
- A firewall is a hardware/software combination that restricts access to or from a network resource.
- A network resource is any addressable entity on a computer network.
- Two control policies:
  - trust everything except what should not be trusted
  - distrust everything except what should be trusted

Characteristics of FW
- All traffic from inside to outside must pass through the firewall (physically blocking all other access to the local network).
- Only authorized traffic (as defined by the local security policy) is allowed to pass.
- The firewall is inserted between the premises network and the Internet.

Types of FW
- By physical form: software, hardware, chip-level
- By performance: 100 Mbit/s, Gbit/s, Tbit/s
- By deployment location: perimeter, personal, distributed
- By working mode: packet-filtering router, application-level gateway

Packet filtering
- A packet-filtering router applies a set of rules to each incoming IP packet and then forwards or discards the packet.
- It filters packets going in both directions.
- The packet filter is typically set up as a list of rules based on matches to fields in the IP or TCP header.
- Two default policies: discard or forward.

Packet filtering (Cont.): a screening router sits between the External Network and the Internal Network (a /24) that holds the mail server, the web server and other hosts. Filter rules:

| Source IP    | Source port | Destination IP | Destination port | Proto | Flags | Action | Description                |
|--------------|-------------|----------------|------------------|-------|-------|--------|----------------------------|
| Internal /24 | Any         | Any            | Any              | Any   | Any   | Allow  | all of our traffic out     |
| Any          | Any         | Internal /24   | > 1024           | TCP   | ACK   | Allow  | replies to our calls       |
| Any          | Any         | Mail server    | 25               | TCP   | Any   | Allow  | traffic to our mail server |
| Any          | Any         | Web server     | 80               | TCP   | Any   | Allow  | traffic to our web server  |
| Any          | Any         | Any            | Any              | Any   | Any   | Reject | disallow all other traffic |

Application-level gateway
- Also called a proxy server
- Acts as a relay of application-level traffic

Application gateway (diagram)
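The screening-router rule table above, worked through as first-match packet filtering. This is an added example, not code from the slides: the internal prefix 192.0.2.0/24 and the mail/web server addresses are constructed, since the slide only shows "Internal Network /24".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address

# Constructed address plan: the slide only shows "Internal Network /24", so the
# prefix and the two server addresses below are assumptions for this example.
INTERNAL_NET = IPv4Network("192.0.2.0/24")
MAIL_SERVER = IPv4Address("192.0.2.25")
WEB_SERVER = IPv4Address("192.0.2.80")

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str          # "TCP", "UDP", "ICMP", ...
    ack: bool = False   # TCP ACK flag set?

def _ip_matches(rule_ip, addr):
    """None means Any; otherwise match a single address or a whole network."""
    if rule_ip is None:
        return True
    addr = ip_address(addr)
    return addr in rule_ip if isinstance(rule_ip, IPv4Network) else addr == rule_ip

# The slide's rule table, one tuple per row:
# (source, destination, destination-port test, protocol, ACK required, action, description)
RULES = [
    (INTERNAL_NET, None,         lambda p: True,     None,  False, "allow",  "all of our traffic out"),
    (None,         INTERNAL_NET, lambda p: p > 1024, "TCP", True,  "allow",  "replies to our calls"),
    (None,         MAIL_SERVER,  lambda p: p == 25,  "TCP", False, "allow",  "traffic to our mail server"),
    (None,         WEB_SERVER,   lambda p: p == 80,  "TCP", False, "allow",  "traffic to our web server"),
    (None,         None,         lambda p: True,     None,  False, "reject", "disallow all other traffic"),
]

def filter_packet(pkt, rules=RULES):
    """First matching rule wins; the last row is the default policy (discard)."""
    for src, dst, port_ok, proto, need_ack, action, desc in rules:
        if not (_ip_matches(src, pkt.src) and _ip_matches(dst, pkt.dst)):
            continue
        if proto is not None and pkt.proto != proto:
            continue
        if need_ack and not pkt.ack:
            continue
        if not port_ok(pkt.dport):
            continue
        return action, desc
    return "reject", "no rule matched"   # unreachable with a catch-all last row
```

Row 2 shows the limit of a stateless filter: it trusts the ACK flag alone to recognise a reply, which is why a stateful firewall tracks the connection instead.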

IDS
- An intrusion detection system (IDS) is a device or software application that monitors network or system activities for malicious activities or policy violations and produces electronic reports to a management station.
- A passive, reactive defence technique
- A reasonable complement to the firewall: the second line of defence behind it
- A combination of hardware and software
- Based on sniffing
- Deployed out of band (bypass deployment)

NIDS
- Network IDS (NIDS): placed at a strategic point or points within the network to monitor traffic to and from all devices on the network.
- On-line and off-line NIDS.

SNORT
- Snort is a free and open source NIDS created by Martin Roesch in 1998.
- Snort can perform real-time traffic analysis and packet logging on IP networks, and performs protocol analysis and content searching and matching.

HIDS
- Host IDS (HIDS): runs on individual hosts or devices on the network.
- A HIDS monitors the inbound and outbound packets of that device only and alerts the user or administrator if suspicious activity is detected.
- Objects monitored (DIDS, distributed IDS): network, file, process, system log

Technique
- Static configuration analysis
  - checks static features such as the current system configuration to detect whether the system has been compromised
  - finds and cleans up intrusion traces
  - can discover potential threats in time
  - requires a comprehensive, in-depth understanding of the system
- Misuse detection (pattern matching)
  - detects known attacks through known attack behaviour
  - pattern-matching method; IDIOT (Intrusion Detection In Our Time)
  - powerless against unknown attacks
- Anomaly detection
  - builds a feature profile of each user's normal behaviour
  - uses rule-based descriptions, statistical methods and neural-network methods
  - can discover unknown attacks
- Security-specification-based method for security-critical system programs
  - write a security specification for each security-critical program
  - a security specification describes the legal sequences of operations when one or more programs execute; it is used to judge whether a program's execution trace is legal
  - the specification is independent of program defects, so it can detect behaviour that exploits unknown program defects

Evaluation
- NIDS: detects attacks inside the network, detects unknown attacks, consumes no resources on the monitored systems, is transparent to the attacker and also serves as an audit system; however, the heavy use of switches makes a network IDS lose its view of the whole network, and NIDS processing is slow.
- HIDS: consumes resources on the host and lacks defensive capability.

IPS
- An IPS is an intelligent detection and defence device.
- It not only detects that an attack is occurring but, through some response mechanism, terminates the attack and its development in real time.
- It unifies IDS with the firewall.
- It provides real-time prevention and analysis of attacks.
- It implements defence in depth.
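Misuse detection and anomaly detection from the Technique slide, side by side over constructed log data. This is an added example, not from the slides: the syslog-style lines, the two signatures, and the seven-day login baselines are all made up for the demonstration.

```python
import re
import statistics
from collections import Counter

# Constructed syslog-style sample lines (not from the slides).
LOG_LINES = [
    f"Mar  1 10:00:0{i} gw sshd[10{i}]: Failed password for invalid user admin from 203.0.113.9 port 400{i} ssh2"
    for i in range(6)
] + [
    "Mar  1 10:02:30 gw sshd[110]: Accepted publickey for root from 198.51.100.7 port 5001 ssh2",
    "Mar  1 10:03:00 gw sshd[111]: Failed password for bob from 192.0.2.40 port 6001 ssh2",
]

# Misuse detection: signatures of known attack behaviour and policy violations.
BRUTE_FORCE = re.compile(r"Failed password for .* from (?P<ip>\d+\.\d+\.\d+\.\d+)")
ROOT_LOGIN = re.compile(r"Accepted \w+ for root from (?P<ip>\d+\.\d+\.\d+\.\d+)")

def misuse_detect(lines, threshold=5):
    """Return {(signature, source_ip)}; brute force needs >= threshold failures from one IP."""
    failures, hits = Counter(), set()
    for line in lines:
        if m := ROOT_LOGIN.search(line):
            hits.add(("root-ssh-login", m.group("ip")))
        if m := BRUTE_FORCE.search(line):
            failures[m.group("ip")] += 1
    hits |= {("ssh-bruteforce", ip) for ip, n in failures.items() if n >= threshold}
    return hits

# Anomaly detection: a per-user profile of normal behaviour (here the daily login
# count), then flag today's count when it sits far above that profile.
def build_profile(history):
    return {u: (statistics.mean(c), statistics.pstdev(c)) for u, c in history.items()}

def anomaly_detect(profile, today, z=3.0):
    flagged = []
    for user, count in today.items():
        if user not in profile:
            flagged.append(user)          # no baseline at all: treat as anomalous
            continue
        mean, sd = profile[user]
        if count > mean + z * sd:
            flagged.append(user)
    return flagged

HISTORY = {"alice": [3, 4, 3, 5, 4, 3, 4], "bob": [1, 0, 1, 1, 0, 1, 1]}   # constructed baselines
TODAY = {"alice": 4, "bob": 12}
```

Note that bob's burst of logins matches no signature, so only the anomaly detector reports it, which is the slide's point about misuse detection being powerless against the unknown.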

VPN
- A virtual private network (VPN) extends a private network across a public network, such as the Internet.
- It enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
- A VPN is created by establishing a virtual point-to-point connection through the use of tunnelling protocols.
- VPNs can allow employees to securely access a corporate intranet while travelling outside the office. Similarly, VPNs can securely connect geographically separated offices of an organization, creating one cohesive network.
- VPN technology is also used by individual Internet users to secure their wireless transactions, to circumvent geo-restrictions, and to connect to proxy servers for the purpose of protecting personal identity and location.
- The security model provides:
  - confidentiality, such that even if the network traffic is sniffed at the packet level, an attacker would only see encrypted data
  - sender authentication, to prevent unauthorized users from accessing the VPN
  - message integrity, to detect any instances of tampering with transmitted messages

VPN techniques
- Tunnel
- Cryptology
- Key management
- Authentication

IPSec
- IPSec is not a single protocol. Instead, IPSec provides a set of security algorithms plus a general framework that allows a pair of communicating entities to use whichever algorithms provide security appropriate for the communication.

IPSec services
- Access control
- Connectionless integrity
- Data origin authentication
- Rejection of replayed packets
- Confidentiality (encryption)
- Limited traffic-flow confidentiality

IPv4 vs. IPv6 header (diagram)
- IPv4 header fields: Ver, IHL, TOS, Identifier, Flags, Offset, TTL, Protocol, Checksum, Source Address, Destination Address, Options & Padding
- IPv6 header fields: Ver, Traffic Class, Flow Label, Payload Length, Next Header, Hop Limit, Source Address, Destination Address

IPv6 vs. IPv4 packet data unit (diagram)
- IPv4 PDU: IPv4 header (minimum 20 octets) followed by the data field; up to 65535 octets in total
- IPv6 PDU: IPv6 header (fixed 40 octets), 0 or more extension headers, then the transport-level PDU; up to 65535 octets in total

IPv6 extension headers (next-header value and purpose)
- Hop-by-hop header (0): examined by every intermediate router
- Routing header (43): source routing
- Fragment header (44): fragmentation
- Authentication header (51): authentication
- Encapsulating security payload header (50): encryption
- Destination header (60): processed at the destination

Authentication
- Before applying AH (diagram)

Authentication (Cont.)
- Transport mode (AH authentication) (diagram)

Authentication (Cont.)
- Tunnel mode (AH authentication) (diagram)
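A walk along the IPv6 next-header chain using the extension-header numbers from the slide, which is what a filter or IDS must do before it can see the transport protocol, and which also tells AH transport mode from AH tunnel mode. This is an added example, not from the slides: the packets are constructed (documentation-prefix addresses, zeroed ICV, stub TCP segment), and the values 6 (TCP) and 41 (IPv6-in-IP) are the IANA protocol numbers.

```python
import struct

# Next-header numbers from the slide; TCP and IPv6-in-IP (41) are the IANA values.
HOP_BY_HOP, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS = 0, 43, 44, 51, 50, 60
TCP, IPV6_IN_IP = 6, 41
EXT = {HOP_BY_HOP, ROUTING, FRAGMENT, AH, ESP, DEST_OPTS}

def walk_chain(pkt):
    """Return (extension headers seen, upper-layer proto or None once ESP hides it)."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    nxt, off, chain = pkt[6], 40, []
    while nxt in EXT:
        chain.append(nxt)
        if nxt == ESP:                       # payload after ESP is encrypted
            return chain, None
        if off + 2 > len(pkt):
            raise ValueError("truncated extension header")
        if nxt == FRAGMENT:                  # fixed 8 octets
            size = 8
        elif nxt == AH:                      # length field = 32-bit words minus 2
            size = (pkt[off + 1] + 2) * 4
        else:                                # length field = 8-octet units after the first
            size = (pkt[off + 1] + 1) * 8
        nxt, off = pkt[off], off + size
    return chain, nxt

def ipsec_mode(pkt):
    """Tunnel mode is recognisable because a whole inner IPv6 packet follows AH."""
    chain, upper = walk_chain(pkt)
    if ESP in chain:
        return "ESP"
    if AH in chain:
        return "AH-tunnel" if upper == IPV6_IN_IP else "AH-transport"
    return "none"

# Constructed packets: documentation-prefix addresses, zeroed ICV, stub TCP segment.
SRC, DST = b"\x20\x01\x0d\xb8" + b"\0" * 12, b"\x20\x01\x0d\xb8" + b"\0" * 11 + b"\x01"
TCP_STUB = b"\0" * 20
def ipv6_hdr(nxt, plen):
    return struct.pack("!IHBB16s16s", 0x60000000, plen, nxt, 64, SRC, DST)
def ah_hdr(nxt, icv=b"\0" * 12):             # 12-byte fixed part + ICV = 24 octets
    return struct.pack("!BBHII", nxt, (12 + len(icv)) // 4 - 2, 0, 0x100, 1) + icv
def hbh_hdr(nxt):                             # 8 octets holding one PadN option
    return struct.pack("!BB", nxt, 0) + b"\x01\x04\0\0\0\0"
def ah_transport(): return ipv6_hdr(AH, 44) + ah_hdr(TCP) + TCP_STUB
def ah_tunnel():
    inner = ipv6_hdr(TCP, 20) + TCP_STUB
    return ipv6_hdr(AH, 24 + len(inner)) + ah_hdr(IPV6_IN_IP) + inner
def hbh_esp(): return ipv6_hdr(HOP_BY_HOP, 32) + hbh_hdr(ESP) + b"\0" * 8 + b"\xaa" * 16
```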

ESP encryption and authentication (diagrams)

Honeynet
- A honeynet is a network system hidden behind the firewall.
- All data entering and leaving it is watched and controlled.
- It is used to learn the attacker's thinking, tools and purpose.
- The goal is to prevent threats better by becoming familiar with and understanding the threats encountered.
- Problems to solve when building a honeynet: information control, information capture

Vulnerability scan
- A vulnerability ("脆弱性", weakness) is a security defect in hardware, software or policy.
- The threat is the threat posed to the system by attack behaviour.
- 30,000 sites, 800 kinds
- 95% of centres in China have suffered vulnerability attacks
