對(duì)計(jì)算機(jī)網(wǎng)絡(luò)系統(tǒng)安全集成的分析new

////對(duì)計(jì)算機(jī)網(wǎng)絡(luò)系統(tǒng)安全集成的分析Theanalysisofcomputernetworksystemsecurityintegration摘要：隨著網(wǎng)絡(luò)的高速發(fā)展，網(wǎng)絡(luò)的安全問(wèn)題日益突出，近年來(lái)，間諜黑客、網(wǎng)絡(luò)病毒等屢屢被曝光，國(guó)家相關(guān)部門(mén)也一再要求，實(shí)做好網(wǎng)絡(luò)安全建設(shè)和管理工作。本文主要探討了計(jì)算機(jī)網(wǎng)絡(luò)在安全建設(shè)實(shí)施方面的相關(guān)基本設(shè)施以及采取的措施。Abstract:withthehigh-speeddevelopmentofnetwork,thenetworksecurityproblemincreasinglyprominent,inrecentyears,thespyhackers,networkvirusrepeatedlybeenexposed,suchasrelevantnationaldepartmentsalsorepeatedrequests,realtodoagoodjobofnetworksecurityconstructionandmanagement.Thispapermainlydiscussesthecomputernetworkintheimplementationofsafetyconstructionofbasicfacilitiesandrelatedmeasures.關(guān)鍵詞：計(jì)算機(jī)，網(wǎng)絡(luò)系統(tǒng)，安全集成Keywords:computer,network,securityintegration國(guó)務(wù)院1994年頒布的《中華人民共和國(guó)計(jì)算機(jī)信息系統(tǒng)安全保護(hù)條例》指出：計(jì)算機(jī)信息系統(tǒng)的安全保護(hù)．應(yīng)當(dāng)保障計(jì)算機(jī)及其相關(guān)的和配套的設(shè)備的安全，運(yùn)行環(huán)境的安全，保障信息的安全．保障計(jì)算機(jī)功能的正常發(fā)揮，以維護(hù)計(jì)算機(jī)信息系統(tǒng)的安全運(yùn)行。也就是說(shuō)。我們應(yīng)在計(jì)算機(jī)硬件、軟件及運(yùn)行環(huán)境等網(wǎng)絡(luò)的各個(gè)環(huán)節(jié)上，考慮來(lái)自網(wǎng)絡(luò)系統(tǒng)內(nèi)部和外部?jī)煞矫娴囊蛩兀畯墓芾砗图夹g(shù)上著手，制訂比較完善的網(wǎng)絡(luò)系統(tǒng)安全保護(hù)策略。1994ofthestatecouncilissuedthelawofthePeople'sRepublicofChinacomputerinformationsystemsafetyprotectionregulations,pointsoutthatthecomputerinformationsystemsafetyprotection.Shouldensurethatthesecurityofcomputersandtheirrelatedandsupportingdevice,thesafetyoftherunningenvironment,informationsecurity.Ensuretousetheircomputerfunctions,inordertomaintainthesafeoperationofcomputerinformationsystem.Thatistosay.Weshouldbeincomputerhardware,softwareandnetworkofeachlink,suchasrunningenvironment,consideringfrombothinternalandexternalfactorsofnetworksystem.Fromthemanagementandtechnology,todevelopmoreperfectnetworksystemsecurityprotectionstrategy.一、企業(yè)的網(wǎng)絡(luò)安全現(xiàn)狀enterprisenetworksecuritystatusquo.據(jù)統(tǒng)計(jì)，我國(guó)現(xiàn)有企業(yè)的網(wǎng)絡(luò)安全現(xiàn)狀是不容樂(lè)觀的，其主要表現(xiàn)在以下幾個(gè)方面:信息和網(wǎng)絡(luò)的安全防護(hù)能力差;網(wǎng)絡(luò)安全人才缺乏;企業(yè)員工對(duì)網(wǎng)絡(luò)的安全保密意識(shí)淡薄，企業(yè)領(lǐng)導(dǎo)對(duì)網(wǎng)絡(luò)安全方面不夠重視等。一部分企業(yè)認(rèn)為添加了各種安全產(chǎn)品之后，該網(wǎng)絡(luò)就已經(jīng)安全了，企業(yè)領(lǐng)導(dǎo)基本上就是只注重直接的經(jīng)濟(jì)利益回報(bào)的投資項(xiàng)目，對(duì)網(wǎng)絡(luò)安全這個(gè)看不見(jiàn)實(shí)際回饋的資金投入大部分都采取不積極的態(tài)度，其中起主導(dǎo)作用的因素還有就是企業(yè)缺少專門(mén)的技術(shù)人員和專業(yè)指導(dǎo)，導(dǎo)致我國(guó)目前企業(yè)的網(wǎng)絡(luò)安全建設(shè)普遍處于不容樂(lè)觀的狀況。Accordingtostatistics,China'sexistingenterprisenetworksecuritysituationisnotoptimistic,itismainlymanifestedinthefollowingaspects:informationandnetworksafetyprotectionabilityispoor;Thenetworksecuritypersonnellack;Enterprisestaffsecrecyconsciousness,thesafetyofthenetworkcompanyleadershipdidnotattachenoughimportancetonetworksecurity,etc.Numberofcompaniesthatafteraddingallkindsofsecurityproducts,thenetworkissafe,businessleadersisbasicallyonlypayattentiontotheeconomicinterestsofthereturnofinvestmentprojects,directlytothenetworksecuritycan'tseemostofthemoneyintotheactualfeedbackarenotactiveattitude,includingthefactorplaysaleadingroleandtheenterpriselackofspecializedtechnicalpersonnelandprofessionalguidance,leadtoenterprisenetworksecurityconstructioninourcountryatpresentnotoptimisticconditionsincommon.二、網(wǎng)絡(luò)安全常見(jiàn)威脅thecommonnetworksecuritythreats.1、計(jì)算機(jī)病毒thecomputerviruses.計(jì)算機(jī)病毒指在計(jì)算機(jī)程序中插入的破壞計(jì)算機(jī)功能和數(shù)據(jù)、影響計(jì)算機(jī)使用并且能夠自我復(fù)制的一組計(jì)算機(jī)指令或者程序代碼。具有寄生性、傳染性、隱蔽性等特點(diǎn)。常見(jiàn)的破壞性比較強(qiáng)的病毒經(jīng)常表現(xiàn)為：藍(lán)屏、機(jī)卡、CPU、自動(dòng)重啟使用率高、打不開(kāi)殺毒軟件等，并且在短時(shí)間內(nèi)傳播從而導(dǎo)致大量的計(jì)算機(jī)系統(tǒng)癱瘓，對(duì)企業(yè)或者個(gè)人造成重大的經(jīng)濟(jì)損失。Referstocomputervirusinacomputerprograminsertdamagecomputerfunctionsanddata,computeruseandbeabletoreplicateasetofcomputerinstructionsortheprogramcode.Havethecharacteristicsofparasiticandinfectious,concealment,etc.Commondestructivevirusmoreoftenshownas:bluescreen,machinecard,CPU,automaticrestartutilizationrateishigh,can'topenanti-virussoftware,etc.,andspreadoverashortperiodoftimeresultinginalargenumberofcomputersystems,totheenterpriseorindividualcausesignificanteconomiclosses.2、非授權(quán)訪問(wèn)unauthorizedaccess.指利用編寫(xiě)和調(diào)試計(jì)算機(jī)程序侵入到他方內(nèi)部網(wǎng)或?qū)Ｓ镁W(wǎng)，獲得非法或未授權(quán)的網(wǎng)絡(luò)或文件訪問(wèn)的行為。如有意避開(kāi)系統(tǒng)訪問(wèn)控制機(jī)制，對(duì)網(wǎng)絡(luò)設(shè)備及資源進(jìn)行非正常使用，或擅自擴(kuò)大權(quán)限，越權(quán)訪問(wèn)信息。它主要有以下幾種形式：假冒、身份攻擊、非法用戶進(jìn)入網(wǎng)絡(luò)系統(tǒng)進(jìn)行違法操作、合法用戶以未授權(quán)方式進(jìn)行操作等。TheuseofwritinganddebuggingacomputerprogramintotheIntranetorprivatenetworktotheotherparty,toobtainillegalorunauthorizednetworkorfileaccessbehavior.Suchaseschewedsystemaccesscontrolmechanism,toabnormaluseofnetworkequipmentandresources,oritsrights,unauthorizedaccesstoinformation.Itbasicallyhasthefollowingseveraltypes:fake,identityattack,illegaluser'saccesstothenetworksystemforillegaloperations,thelegitimateuserinunauthorizedwaystooperate,etc.3、木馬程序和后門(mén)trojansandbackdoor.木馬程序和后門(mén)是一種可以通過(guò)遠(yuǎn)程控制別人計(jì)算機(jī)的程序，具有隱蔽性和非授權(quán)性的特點(diǎn)。企業(yè)的某臺(tái)計(jì)算機(jī)被安裝了木馬程序或后門(mén)后，該程序可能會(huì)竊取用戶信息，包括用戶輸入的各種密碼，并將這些信息發(fā)送出去，或者使得黑客可以通過(guò)網(wǎng)絡(luò)遠(yuǎn)程操控這臺(tái)計(jì)算機(jī)，竊取計(jì)算機(jī)中的用戶信息和文件，更為嚴(yán)重的是通過(guò)該臺(tái)計(jì)算機(jī)操控整個(gè)企業(yè)的網(wǎng)絡(luò)系統(tǒng)，使整個(gè)網(wǎng)絡(luò)系統(tǒng)都暴露在黑客間諜的眼前。Trojansandbackdoorisakindofcanthroughtheremotecontrolcomputerprogram,hasthecharacteristicsofconcealmentandunauthorized.EnterpriseacomputerhasbeeninstalledaTrojanhorseprogramorthebackdoor,theprogrammightstealtheuserinformation,includingallsortsofinputfromtheuserpassword,andwillsendouttheinformation,orallowhackerstoremotecontrolthecomputerthroughthenetworktostealtheuserinformationinthecomputerandfiles,andmoreseriouslybythestationcomputerscontroltheentireenterprisenetworksystem,makethewholenetworksystemareexposedinfrontoftheeyesofhackerspy.三、網(wǎng)絡(luò)的安全策略thenetworksecuritypolicy.1、更改系統(tǒng)管理員的賬戶名changethesystemadministratoraccount.應(yīng)將系統(tǒng)管理員的賬戶名由原先的Administrator改為一個(gè)無(wú)意義的字符串．這樣要疊錄的非法用戶不但要猜準(zhǔn)口令。還必須猜出用戶名．這種更名功能在域用戶管理器的UserProperties對(duì)話框中并沒(méi)有設(shè)置．用它的User-*-Rename菜單選項(xiàng)就可以實(shí)現(xiàn)這一功能．如果用的是NT4.0.可以用ResourceKit中提供的工具封鎖聯(lián)機(jī)系統(tǒng)管理員賬號(hào)．這種封鎖僅僅對(duì)由網(wǎng)絡(luò)過(guò)來(lái)的非法疊錄起作用。ShouldbethesystemAdministratoraccountnamefromformerAdministratortoameaninglessstring.Sobefoldofillegalusersnotonlytoguessthepassword.HavetoguesstheUsername.ThisnamechangefeatureinthedomainUsermanagerisnotsetintheUserPropertiesdialogbox.WithitsUser-*-Renamecanachievethismenuoption.IfusingNT4.0.CanusetheResourceKittoolprovidedtheblockadeintheonlinesystemadministratoraccount.Thisblockonlyforillegalfoldbythenetworkcometorecordthework.2、關(guān)閉不必要的向內(nèi)TCP／IP端口turnoffunnecessarytoTCP/IPport.不合法用戶進(jìn)入系統(tǒng)并得到管理員權(quán)限之后．首先要做的，必定設(shè)法恢復(fù)管理員刻意廢止的TCP／IP上的NetBIOS裝訂．管理員應(yīng)該使用路由器作為另一道防線。即提供web和FTP之類公共服務(wù)的NT服務(wù)器．這種情況下，只須保留兩條路由器到服務(wù)器的向內(nèi)路徑：端日80的H1vrP和端日2l的FTP。Illegalusersenterthesystemandgetadministratorprivileges.Thefirstthingtodo,musttrytorestoretheadministratordeliberatelyabolishedontheTCP/IPNetBIOSbind.Theadministratorshouldusetherouterasanotherlineofdefense.ThatprovidepublicservicessuchaswebandFTPNTserver.Inthiscase,onlykeeptworoutertotheserverpath:inwardsideday80H1vrPandendoftheday2lofFTP.3、防火墻配置firewallconfiguration.防火墻是在2個(gè)網(wǎng)絡(luò)間實(shí)現(xiàn)訪問(wèn)控制的1個(gè)或1組軟件或硬件系統(tǒng)，它是外部網(wǎng)絡(luò)與內(nèi)部網(wǎng)絡(luò)之間的第1道安全屏障。本建設(shè)方案主要采用硬件防火墻，其主要功能就是屏蔽和允許指定的數(shù)據(jù)通訊，而這個(gè)功能的實(shí)現(xiàn)又主要是依靠一套訪問(wèn)控制策略，由訪問(wèn)控制策略來(lái)決定通訊的合法性，該控制策略的具體內(nèi)容由企業(yè)的安全管理員和系統(tǒng)管理員共同來(lái)制定。Firewallisbetweentwonetworkstoachieveaccesscontrolof1or1setofsoftwareorhardwaresystem,itis1betweeninternalnetworkandexternalnetworksecuritybarrier.TheconstructionschemeismainlyUSESthehardwarefirewall,itsmainfunctionistoshieldandallowsyoutospecifydatacommunication,andimplementationofthisfeatureismainlyrelyonasetofaccesscontrolpolicies,isdeterminedbytheaccesscontrolpolicytothelegitimacyofthecommunication,thespecificcontentofthecontrolstrategybycorporatesecurityadministratorandsystemadministratorstomaketogether.制定的防火墻安全策略主要有:所有從內(nèi)到外和從外到內(nèi)的數(shù)據(jù)包都必須經(jīng)過(guò)防火墻;只有被安全策略允許的數(shù)據(jù)包才能通過(guò)防火墻;服務(wù)器本身不能直接訪問(wèn)互聯(lián)網(wǎng);防火墻本身要有預(yù)防入侵的功能;默認(rèn)禁止所有服務(wù)，除非是必須的服務(wù)才允許。而其他一些應(yīng)用系統(tǒng)需要開(kāi)放特殊的端口由系統(tǒng)管理員來(lái)執(zhí)行。Setthefirewallsecuritystrategymainlyhas:allfrominsidetooutsideandfromoutsidetoinsideofpacketsmustpassthroughthefirewall;Onlybysecuritypolicyallowspacketsthroughafirewall;ServeritselfdoesnothavedirectaccesstotheInternet;Thefirewallitselftohavethefunctionofpreventinvasion;Defaultbanallservices,unlessitisamustserviceisallowed.Andotherapplicationsystemsneedtoopenspecialportbythesystemadministratortoperform.4、VLAN的劃分thedivisionofVLAN.VLAN是為解決以太網(wǎng)的廣播問(wèn)題和安全性而提出的一種協(xié)議。它在以太網(wǎng)的基礎(chǔ)上增加了VLAN頭，用VLANID把用戶劃分為更小的工作組，限制不同VLAN之間的用戶不能直接互訪，每個(gè)VLAN就是一個(gè)虛擬局域網(wǎng)。虛擬局域網(wǎng)的好處是可以限制廣播范圍，并能夠形成虛擬工作組，動(dòng)態(tài)管理網(wǎng)絡(luò)。VLAN之間的訪問(wèn)需要通過(guò)應(yīng)用系統(tǒng)的授權(quán)來(lái)進(jìn)行數(shù)據(jù)交互。VLANisproposedtosolvetheproblemofEthernetradioandsafetyofaprotocol.ItaddsaVLANonthebasisofEthernet,usingVLANIDtotheuserisdividedintosmallerteams,limittheusercannotdirectlyexchangeofvisitsbetweendifferentvlans,eachVLANisavirtuallocalareanetwork(LAN).Virtuallocalareanetworkhastheadvantageoflimitedrange,andcanformthevirtualworkinggroup,dynamicmanagementnetwork.Vlansneedtoaccesstothroughtheapplicationsystemofauthorizationfordatainteraction.為保護(hù)敏感資源和控制廣播風(fēng)暴，在3層路由交換機(jī)的集中式網(wǎng)絡(luò)環(huán)境下，將網(wǎng)絡(luò)中的所有客戶主機(jī)和服務(wù)器系統(tǒng)分別集中到不同的VLAN里，在每個(gè)VLAN里不允許任何用戶設(shè)置IP、用戶主機(jī)和服務(wù)器之間相互PING，不允許用戶主機(jī)對(duì)服務(wù)器的數(shù)據(jù)進(jìn)行編輯，只允許數(shù)據(jù)訪問(wèn)，從而較好地保護(hù)敏感的主機(jī)資源和服務(wù)器系統(tǒng)的數(shù)據(jù)。采用3層交換機(jī)，通過(guò)VLAN劃分，來(lái)實(shí)現(xiàn)同一部門(mén)在同一個(gè)VLAN中，這樣既方便同部門(mén)的數(shù)據(jù)交換，又限制了不同部門(mén)之間用戶的直接訪問(wèn)。Toprotectsensitiveresourcesandcontrolthebroadcaststorm,centralizedinlayer3routingswitchesunderthenetworkenvironment,thenetworkallthecustomersinthehostandserversystemsfocusondifferentvlans,respectivelyineachVLANdon'tallowanyusertosettheIP,user,hostPING,betweentheserverandnotallowtheusertohosttheserverinthedataeditor,onlyallowaccesstodata,soastobetterprotectsensitivehostserverresourcesandsystemdata.Uselayer3switches,VLANdivision,toachievethesamedepartmentinthesameVLAN,soconvenientdataexchangewiththedepartment,andlimittheusersdirectaccessbetweendifferentdepartments.5、身份認(rèn)證theidentityauthentication.身份認(rèn)證是提高網(wǎng)絡(luò)安全的主要措施之一。其主要目的是證實(shí)被認(rèn)證對(duì)象是否屬實(shí)，常被用于通信雙方相互確認(rèn)身份，以保證通信的安全。常用的網(wǎng)絡(luò)身份認(rèn)證技術(shù)有:靜態(tài)密碼、USBKey和動(dòng)態(tài)口令、智能卡牌等。其中，最常見(jiàn)的使用是用戶名加靜態(tài)密碼的方式。而在本方案中主要采用USBKey的方式。基于USBKey的身份認(rèn)證方式采用軟硬件相結(jié)合，很好地解決了安全性與易用性之間的矛盾，利用USBKey內(nèi)置的密碼算法實(shí)現(xiàn)對(duì)用戶身份的認(rèn)證。USBKey身份認(rèn)證系統(tǒng)主要有2種應(yīng)用模式:一是基于沖擊、響應(yīng)的認(rèn)證模式;二是基于PKI體系的認(rèn)證模式。Identityauthenticationisoneofthemainmeasurestoimprovenetworksecurity.Itsmainpurposeistoconfirmcertifiedobject,isoftenusedtoidentifyeachotherbetweentwocommunicationparties,toensurethesecurityofcommunication.Commonlyusednetworkidentityauthenticationtechnologyare:staticpasswords,smartCARDS,USBKeyanddynamicpasswordcard,etc.Amongthem,themostcommonuseistheusernameandpasswordstaticway.InthisschememainlyadoptthewayofUSBKey.USBKeybasedauthenticationmethodcombiningsoftwarewithhardware,wellsolvethecontradictionbetweensecurityandeaseofuse,usingtheUSBKeybuilt-inpasswordalgorithmofuseridentityauthentication.USBKeyauthenticationsystembasicallyhastwokindsofapplicationmodes:oneisbasedontheresponseofshock,certificationmode;Second,basedonthePKIsystemauthenticationmode.6、制訂網(wǎng)絡(luò)系統(tǒng)的應(yīng)急計(jì)劃establishnetworkcontingencyplan.為了將由意外事故引起的網(wǎng)絡(luò)系統(tǒng)損害降低到最小程度，企業(yè)應(yīng)制訂應(yīng)急計(jì)劃．以防意外事故使網(wǎng)絡(luò)系統(tǒng)遭受破壞．該應(yīng)急計(jì)劃應(yīng)包括緊急行動(dòng)方案及軟、硬件系統(tǒng)恢復(fù)方案等．絕對(duì)的安全是沒(méi)有的，安全標(biāo)準(zhǔn)的追求是以資金和方便為代價(jià)的．我們應(yīng)隨時(shí)根據(jù)網(wǎng)絡(luò)系統(tǒng)的運(yùn)行環(huán)境而采用相應(yīng)的安全保護(hù)策略．通過(guò)對(duì)計(jì)算機(jī)網(wǎng)絡(luò)系統(tǒng)安全問(wèn)題的充分認(rèn)識(shí)．以及行政、技術(shù)和物質(zhì)手段的保證。網(wǎng)絡(luò)系統(tǒng)就能夠有足夠的安全性來(lái)對(duì)付各種不安全問(wèn)題．Networksystemdamagecausedbytheaccidentinordertoreducetoaminimum,companiesshouldestablishcontingencyplan.Incaseofaccidentdamagetothenetworksystem.Theemergencyplanshouldincludetheemergencyactionplanandsystemrecoveryschemeofsoftwareandhardware,etc.Thereisnoabsolutesafety,thepursuitofsafetystandardsattheexpenseofthefundsandconvenient.Weshouldbeusedatanytimeaccordingtotheoperationofthenetworksystemenvironmentandthecorrespondingsecurityprotectionstrategy.Throughthefullknowledgeofcomputernetworksystemsecurityproblem.Andtheassuranceofadministrative,technicalandmaterial.Thenetworksys