計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件

PGP為什么在壓縮前生成簽名（1）對未壓縮的消息進(jìn)行簽名可以保存未壓縮的消息和簽名，驗(yàn)證時(shí)直接處理，不用涉及壓縮部分的內(nèi)容（2）釋然可以在驗(yàn)證時(shí)對消息重新壓縮后驗(yàn)證，用PGP現(xiàn)有的壓縮算法很難實(shí)現(xiàn)這個(gè)處理過程。PGP為什么在壓縮前生成簽名Chapter10SystemSecurityChapter10主要內(nèi)容木馬防火墻主要內(nèi)容木馬木馬利用計(jì)算機(jī)程序漏洞侵入后竊取文件的程序程序被稱為木馬軟件部分：實(shí)現(xiàn)遠(yuǎn)程控制所必須的軟件程序?？刂贫顺绦颍嚎刂贫擞靡赃h(yuǎn)程控制服務(wù)端的程序。木馬程序：潛入服務(wù)端內(nèi)部，獲取其操作權(quán)限的程序，設(shè)置木馬程序的端口號。具體連接部分：通過INTERNET在服務(wù)端和控制端之間建立一條木馬通道。木馬端口：即控制端，服務(wù)端的數(shù)據(jù)入口，通過這個(gè)入口，數(shù)據(jù)可直達(dá)控制端程序或木馬程序。木馬利用計(jì)算機(jī)程序漏洞侵入后竊取文件的程序程序被稱為木馬TrojanHorseDefenseSecure,trustedoperatingsystemsareonewaytosecureagainstTrojanHorseattacksTrojanHorseDefenseSecure,trTrojanHorseDefenseTrojanHorseDefenseTrojanHorseDefense敏感公開TrojanHorseDefense敏感公開防火墻計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件products--deviceThroughput(Mbps)2000Securityfilteringbandwidth1100IDS

Dos、DDoSSecuritystandardICSA

Firewall，ICSAIPSec，VPNCIPSec，ICSACryptographyproducts--deviceThroughput(MThroughput

(Mbps)188Securityfilteringbandwidth(Mbps)130IDS

DoSMainfunctionsRedundantfirewall,filteringURLandvirusdetectionStandardUL1950,CAN/CSA-C22.2No.950，EN60950,IEC60825-1,IEC60825-2,EN60825-1,EN60825-2,21CFR1040Throughput(Mbps)products–puresoftwareAnexampleproducts–puresoftwareAnexaOutlineFirewallWhatisfirewallTypesofFirewallsFirewallConfigurationsOutlineFirewallWhatisfirewallAfirewallcanbesoftware,hardware,oracombinationofboth.AlltrafficfrominsidetooutsidemustpassthroughthefirewallOnlyauthorizedtrafficwillbeallowedtopass.definedbythelocalsecuritypoliceAttention:Firewallsdon'tpreventvirusattacksbut,insomecircumstances,theycanstopvirusesfromsendinginformationfromaninfectedcomputer.

WhatisfirewallAfirewallcantheaimsofFirewallEstablishcontrolledlinksProtectthesystem(networkoracomputer)fromInternet-basedattackstheaimsofFirewallEstablishFourgeneraltechniquesServicecontrolDeterminesthetypesofInternetservicesthatcanbeaccessed,inboundoroutboundDirectioncontrolDeterminesthedirectioninwhichparticularservicerequestsareallowedUsercontrolControlsaccesstoaserviceaccordingtowhichuserisattemptingtoaccessitBehaviorcontrolControlshowparticularservicesareused(e.g.filtere-mail)FourgeneraltechniquesServiceOutlineFirewallWhatisfirewallTypesofFirewallsFirewallConfigurationsOutlineFirewallTypesofFirewallsPacket-filtering報(bào)文過濾Application-levelgateways應(yīng)用層網(wǎng)關(guān)Circuit-levelgateways電路層網(wǎng)關(guān)StatefulInspectionFirewall

狀態(tài)檢測TypesofFirewallsPacket-filte(1)Packet-filtering(1)Packet-filteringAppliesasetofrulestoeachincomingIPpacketandthenforwards/discardsthepacketbasedonmatchestofieldsintheIPorTCPheaderAdvantages:Simplicity,Transparencytousers,HighspeedDisadvantages:Difficultyofsettinguppacketfilterrules,LackofAuthenticationAppliesasetofrulestoeachAnexampleAnexample計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件(2)Application-levelGatewayproxyserver

代理服務(wù)器Actsasarelayofapplication-leveltraffic(2)Application-levelGatewaypAdvantages:HighersecuritythanpacketfiltersOnlyneedtoscrutinize(細(xì)察)afewallowableapplications.Easytologandaudit(審計(jì))allincomingtrafficDisadvantages:AdditionalprocessingoverheadoneachconnectionAdvantages:計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件(3)circuit-levelgatewayItfilterspacketsatthesessionlayeroftheOSImodel.(3)circuit-levelgatewayItfiE.g.Socks軟件包Animplementofcircuit-levelgatewayPort1080(Socksserver)TCP/UDP1080E.g.Socks軟件包Animplementofc(4)StatefulInspectionFirewallmaintainsthestateofeachTCPsessionorUDPpseudo-sessiononoutboundTCP/UDPsession(4)StatefulInspectionFirewaOutlineFirewallWhatisfirewallTypesofFirewallsExamplesOutlineFirewall(1)Screenedhostfirewallsystemsingle-homedbastionhostFirewallconsistsoftwosystems:Apacket-filteringrouterAbastionhost(1)Screenedhostfirewallsysbastionhostdirectlyconnectedwiththepublicnetworkpacket-filteringrouterOnlypacketsfromandtothebastionhostareallowedtopassthroughtherouter.bastionhost(2)

Screened-subnetfirewallsystem(2)Screened-subnetfirewallsAnexampleofScreenedfirewallAnexampleofScreenedfirewalHoney-potAcomputersystemontheInternetthatissetuptoattractand"trap"peoplewhoattempttopenetrateotherpeople'scomputersystems.欲擒故縱Honey-potAcomputersystemonMostsecurityMostsecurityPGP為什么在壓縮前生成簽名（1）對未壓縮的消息進(jìn)行簽名可以保存未壓縮的消息和簽名，驗(yàn)證時(shí)直接處理，不用涉及壓縮部分的內(nèi)容（2）釋然可以在驗(yàn)證時(shí)對消息重新壓縮后驗(yàn)證，用PGP現(xiàn)有的壓縮算法很難實(shí)現(xiàn)這個(gè)處理過程。PGP為什么在壓縮前生成簽名Chapter10SystemSecurityChapter10主要內(nèi)容木馬防火墻主要內(nèi)容木馬木馬利用計(jì)算機(jī)程序漏洞侵入后竊取文件的程序程序被稱為木馬軟件部分：實(shí)現(xiàn)遠(yuǎn)程控制所必須的軟件程序?？刂贫顺绦颍嚎刂贫擞靡赃h(yuǎn)程控制服務(wù)端的程序。木馬程序：潛入服務(wù)端內(nèi)部，獲取其操作權(quán)限的程序，設(shè)置木馬程序的端口號。具體連接部分：通過INTERNET在服務(wù)端和控制端之間建立一條木馬通道。木馬端口：即控制端，服務(wù)端的數(shù)據(jù)入口，通過這個(gè)入口，數(shù)據(jù)可直達(dá)控制端程序或木馬程序。木馬利用計(jì)算機(jī)程序漏洞侵入后竊取文件的程序程序被稱為木馬TrojanHorseDefenseSecure,trustedoperatingsystemsareonewaytosecureagainstTrojanHorseattacksTrojanHorseDefenseSecure,trTrojanHorseDefenseTrojanHorseDefenseTrojanHorseDefense敏感公開TrojanHorseDefense敏感公開防火墻計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件products--deviceThroughput(Mbps)2000Securityfilteringbandwidth1100IDS

Dos、DDoSSecuritystandardICSA

Firewall，ICSAIPSec，VPNCIPSec，ICSACryptographyproducts--deviceThroughput(MThroughput

(Mbps)188Securityfilteringbandwidth(Mbps)130IDS

DoSMainfunctionsRedundantfirewall,filteringURLandvirusdetectionStandardUL1950,CAN/CSA-C22.2No.950，EN60950,IEC60825-1,IEC60825-2,EN60825-1,EN60825-2,21CFR1040Throughput(Mbps)products–puresoftwareAnexampleproducts–puresoftwareAnexaOutlineFirewallWhatisfirewallTypesofFirewallsFirewallConfigurationsOutlineFirewallWhatisfirewallAfirewallcanbesoftware,hardware,oracombinationofboth.AlltrafficfrominsidetooutsidemustpassthroughthefirewallOnlyauthorizedtrafficwillbeallowedtopass.definedbythelocalsecuritypoliceAttention:Firewallsdon'tpreventvirusattacksbut,insomecircumstances,theycanstopvirusesfromsendinginformationfromaninfectedcomputer.

WhatisfirewallAfirewallcantheaimsofFirewallEstablishcontrolledlinksProtectthesystem(networkoracomputer)fromInternet-basedattackstheaimsofFirewallEstablishFourgeneraltechniquesServicecontrolDeterminesthetypesofInternetservicesthatcanbeaccessed,inboundoroutboundDirectioncontrolDeterminesthedirectioninwhichparticularservicerequestsareallowedUsercontrolControlsaccesstoaserviceaccordingtowhichuserisattemptingtoaccessitBehaviorcontrolControlshowparticularservicesareused(e.g.filtere-mail)FourgeneraltechniquesServiceOutlineFirewallWhatisfirewallTypesofFirewallsFirewallConfigurationsOutlineFirewallTypesofFirewallsPacket-filtering報(bào)文過濾Application-levelgateways應(yīng)用層網(wǎng)關(guān)Circuit-levelgateways電路層網(wǎng)關(guān)StatefulInspectionFirewall

狀態(tài)檢測TypesofFirewallsPacket-filte(1)Packet-filtering(1)Packet-filteringAppliesasetofrulestoeachincomingIPpacketandthenforwards/discardsthepacketbasedonmatchestofieldsintheIPorTCPheaderAdvantages:Simplicity,Transparencytousers,HighspeedDisadvantages:Difficultyofsettinguppacketfilterrules,LackofAuthenticationAppliesasetofrulestoeachAnexampleAnexample計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件(2)Application-levelGatewayproxyserver

代理服務(wù)器Actsasarelayofapplication-leveltraffic(2)Application-levelGatewaypAdvantages:HighersecuritythanpacketfiltersOnlyneedtoscrutinize(細(xì)察)afewallowableapplications.Easytologandaudit(審計(jì))allincomingtrafficDisadvantages:AdditionalprocessingoverheadoneachconnectionAdvantages:計(jì)算機(jī)網(wǎng)絡(luò)安全雙語chapter-11-Firewall課件(3)circuit-levelgatewayItfilterspacketsatthesessionlayeroftheOSImodel.(3)circuit-levelgatewayItfiE.g.Socks軟件包Animplementofcircuit-levelgatewayPort1080(Socksserver)TCP/UDP1080E.g.Socks軟件包Animplementofc(4)State