信息安全管理:网络安全

1 网络的定义和特征

1.1 网络的定义

(根本懒得说。。你们自己wiki吧)

网络的用处

  • What is a network...
  • Devices in a network...
  • LAN, WAN and Internetworks
  • What do networks do for you...
    • Sharing resources
    • Use/share applications

1.2 网络的特征 Characteristics of networks

-- Anonymity

-- Automation

-- Distance

-- Opaqueness

-- Routing diversity

1.3 Network Topology


2 TCP/IP

  • Protocols...
  • Open Systems
    • ANSI , IETF, ISO, IAB

2.1 ISO -- OSI Reference Model - 7 Layers

  • Application:End user processes like FTP, e-mail, etc.
  • Presentation:Format, Encrypt data to send across network
  • Session:Establishes, manages and terminates connections between applications
  • Transport:End-to-end error recovery, flow control, priority services
  • Network:Switching, Routing, Addressing, internetworking, error handling, congestion control and packet sequencing
  • Data-link:Encoding, decoding data packets into bits. Media Access Control Sub-layer : Data access/transmit permissions. Logical Link Sub-layer : Frame synchronisation, flow control, error checking.
  • Physical: Conveys the bit stream (electrical, light, radio)
    All People Seem To Need Data Protection
    People Do Not Trust Sales People Always

ISO-OSI七层结构

TCP/IP

2.2 相关协议

  • Application layer -- FTP, Telnet, DNS, DHCP, TFTP,RPC,NFS, SNMP..
  • Transport layer -- TCP, UDP
  • Internet Layer -- IP, ICMP, ARP, bootp...
  • Organisations / entities : ICANN, IETF, IAB, IRTF, ISOC, W3C
  • Other Protocols
    • IPX/SPX
    • ATM
    • DECnet
    • IEEE 802.11
    • AppleTalk
    • USB
    • SNA

3 网络的安全隐患

3.1 网络不安全的原因

What makes network vulnerable

  • Anonymity
  • Multiplicity of points of attack
  • Resource sharing
  • Complexity of system
  • Uncertain perimeter
  • Unknown path
  • Protocol flaws / protocol implementation flaws

3.2 网络攻击的动机

Motivations of network attacks

  • Challenge
  • Fame
  • Organised Crime
  • Ideology
  • Espionage / Intelligence

4 网络安全的威胁

Threats in Networks

4.1 侦察

Reconnaissance

  • Port Scan
  • Social Engineering
  • Intelligence gathering
  • O/S and Application fingerprinting
  • IRC Chat rooms
  • Available documentation and tools
  • Protocol flaws / protocol implementation flaws

4.2 网络传输过程中的威胁

Threats in Transit

  • Eavesdropping / Packet sniffing
  • Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)

4.3 网络冒充

Impersonation

  • Password guessing
  • Avoiding authentication
  • Non-existent authentication
  • Well-known authentication
  • Masquerading
  • Session hijacking
  • Man-in-the-middle

4.4 信息私密性威胁

Message Confidentiality Threats

  • Mis-delivery
  • Exposure -- in various devices in the path
  • Traffic Flow analysis -- sometimes the knowledge of existence of message
    can be as important as message content

4.5 信息完整性威胁

Message Integrity Threats

  • Falsification
  • Noise
  • Protocol failures / misconfigurations

4.6 基于操作系统的威胁

Operating System based Threats

  • Buffer-Overflow
  • Virus , Trojans, rootkits
  • Password

4.7 基于应用程序的威胁

Application based Threats

  • Web-site defacement
  • DNS cache poisoning
  • XSS (Cross-site Scripting)
  • Active-code / Mobile-code
  • Cookie harvesting
  • Scripting

4.8 拒绝服务

Denial of service

  • Syn Flooding
  • Ping of death
  • Smurf
  • Teardrop
  • Traffic re-direction
  • Distributed Denial of Service
    • Bots and Botnets
    • Script Kiddies

5 网络安全控制

Network Security Controls

5.1 弱点和威胁分析

Vulnerability and Threat assessment

5.2 网络结构控制

Network Architecture

  • Network segmentation
  • Architect for availability
  • Avoid SPOF (single points of failure)
  • Encryption
    • Link encryption
    • End-to-end encryption
    • Secure Virtual Private Networks
    • Public Key Infrastructure and Certificates
    • SSL and SSH

5.3 增强加密系统

Strong Authentication

  • One Time Password
  • Challenge Response authentication
  • Kerberos

5.4 防火墙设置

Firewalls

  • Packet Filters
  • Stateful Packet Filters
  • Application proxies
  • Diodes
  • Firewall on end-points

5.5 入侵检查和防御系统

Intrusion Detection / Prevention Systems

  • Network based / host based
  • Signature based
  • Heuristics based / protocol anomaly based
  • Stealth mode

5.6 使用政策和规程

Policies and Procedures

  • Enterprise-wide Information Security Policy
  • Procedures
  • Buy-in (from Executives and employees)
  • Review, enhancement and modification

5.7 其他网络控制方式

  1. Data-Leakage Protection systems
    • Network based / host based
  2. Content scanning/Anti-Virus/Spyware Control systems
    • Network based / host based
  3. Secure e-mail Systems
  4. Design and implementation
  5. ACLs (Access Control Lists)
相关推荐
XINO几秒前
防火墙双机热备实践
运维·安全
冷冷清清中的风风火火8 分钟前
关于敏感文件或备份 安全配置错误 禁止通过 URL 访问 Vue 项目打包后的 .gz 压缩文件
前端·vue.js·安全
原创资讯23 分钟前
安全挑战再升级,2025都有哪些备份与恢复挑战?
安全
XINO32 分钟前
企业常见安全事故排查思路
运维·安全
曼岛_37 分钟前
[密码学基础]商用密码应用安全性评估(密评):网络安全新风口,高薪紧缺人才必备技能
网络·web安全·密码学·密拼工程师
我最厉害。,。1 小时前
XML&XXE 安全&无回显方案&OOB 盲注&DTD 外部实体&黑白盒挖掘
android·xml·安全
Connie14512 小时前
K8s使用LIRA插件更新安全组交互流程
安全·容器·kubernetes
XINVRY-FPGA2 小时前
XC7K410T‑2FFG900I 赛灵思XilinxFPGA Kintex‑7
嵌入式硬件·安全·阿里云·ai·fpga开发·云计算·fpga
苏琢玉2 小时前
顺手写了个地址解析小工具,支持在线用,也能接 PHP 项目里
php·composer
自由鬼4 小时前
开源身份和访问管理(IAM)解决方案:Keycloak
服务器·数据库·安全·开源·身份认证·单点登录