信息安全管理(3):网络安全

本章分出来专门来谈谈网络安全,当然还是比较泛泛地谈一下网络安全的特征,常见网络安全的漏洞,和网络安全控制的办法。在参考的过程中应该结合 信息安全管理(2):什么叫作信息安全?信息安全的原则和要求一起阅读和理解。因为网络安全本来就是前一章节的一部分。

这文内容只记录了碎片笔记,以后有时间再来补充。应该说具体内容下次会在计算机网络或者是分布式网络里详述。第一部分的网络的定义和特征,第二部分的TCP/IP不需要看,只是用来做笔记的。

1 网络的定义和特征

1.1 网络的定义

(根本懒得说。。你们自己wiki吧)
网络的用处

  • What is a network…
  • Devices in a network…
  • LAN, WAN and Internetworks
  • What do networks do for you…
    • Sharing resources
    • Use/share applications

1.2 网络的特征 Characteristics of networks

– Anonymity
– Automation
– Distance
– Opaqueness
– Routing diversity

1.3 Network Topology

2 TCP/IP

  • Protocols…
  • Open Systems
    • ANSI , IETF, ISO, IAB

2.1 ISO – OSI Reference Model - 7 Layers

  • Application:End user processes like FTP, e-mail, etc.
  • Presentation:Format, Encrypt data to send across network
  • Session:Establishes, manages and terminates connections between applications
  • Transport:End-to-end error recovery, flow control, priority services
  • Network:Switching, Routing, Addressing, internetworking, error handling, congestion control and packet sequencing
  • Data-link:Encoding, decoding data packets into bits. Media Access Control Sub-layer : Data access/transmit permissions. Logical Link Sub-layer : Frame synchronisation, flow control, error checking.
  • Physical: Conveys the bit stream (electrical, light, radio)
    All People Seem To Need Data Protection
    People Do Not Trust Sales People Always

ISO-OSI七层结构

TCP/IP

2.2 相关协议

  • Application layer – FTP, Telnet, DNS, DHCP, TFTP,RPC,NFS, SNMP..
  • Transport layer – TCP, UDP
  • Internet Layer – IP, ICMP, ARP, bootp…
  • Organisations / entities : ICANN, IETF, IAB, IRTF, ISOC, W3C
  • Other Protocols
    • IPX/SPX
    • ATM
    • DECnet
    • IEEE 802.11
    • AppleTalk
    • USB
    • SNA

3 网络的安全隐患

3.1 网络不安全的原因

What makes network vulnerable

  • Anonymity
  • Multiplicity of points of attack
  • Resource sharing
  • Complexity of system
  • Uncertain perimeter
  • Unknown path
  • Protocol flaws / protocol implementation flaws

3.2 网络攻击的动机

Motivations of network attacks

  • Challenge
  • Fame
  • Organised Crime
  • Ideology
  • Espionage / Intelligence

4 网络安全的威胁

Threats in Networks

4.1 侦察

Reconnaissance

  • Port Scan
  • Social Engineering
  • Intelligence gathering
  • O/S and Application fingerprinting
  • IRC Chat rooms
  • Available documentation and tools
  • Protocol flaws / protocol implementation flaws

4.2 网络传输过程中的威胁

Threats in Transit

  • Eavesdropping / Packet sniffing
  • Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)

4.3 网络冒充

Impersonation

  • Password guessing
  • Avoiding authentication
  • Non-existent authentication
  • Well-known authentication
  • Masquerading
  • Session hijacking
  • Man-in-the-middle

4.4 信息私密性威胁

Message Confidentiality Threats

  • Mis-delivery
  • Exposure – in various devices in the path
  • Traffic Flow analysis – sometimes the knowledge of existence of message
    can be as important as message content

4.5 信息完整性威胁

Message Integrity Threats

  • Falsification
  • Noise
  • Protocol failures / misconfigurations

4.6 基于操作系统的威胁

Operating System based Threats

  • Buffer-Overflow
  • Virus , Trojans, rootkits
  • Password

4.7 基于应用程序的威胁

Application based Threats

  • Web-site defacement
  • DNS cache poisoning
  • XSS (Cross-site Scripting)
  • Active-code / Mobile-code
  • Cookie harvesting
  • Scripting

4.8 拒绝服务

Denial of service

  • Syn Flooding
  • Ping of death
  • Smurf
  • Teardrop
  • Traffic re-direction
  • Distributed Denial of Service
    • Bots and Botnets
    • Script Kiddies

5 网络安全控制

Network Security Controls

5.1 弱点和威胁分析

Vulnerability and Threat assessment

5.2 网络结构控制

Network Architecture

  • Network segmentation
  • Architect for availability
  • Avoid SPOF (single points of failure)
  • Encryption
    • Link encryption
    • End-to-end encryption
    • Secure Virtual Private Networks
    • Public Key Infrastructure and Certificates
    • SSL and SSH

5.3 增强加密系统

Strong Authentication

  • One Time Password
  • Challenge Response authentication
  • Kerberos

5.4 防火墙设置

Firewalls

  • Packet Filters
  • Stateful Packet Filters
  • Application proxies
  • Diodes
  • Firewall on end-points

5.5 入侵检查和防御系统

Intrusion Detection / Prevention Systems

  • Network based / host based
  • Signature based
  • Heuristics based / protocol anomaly based
  • Stealth mode

5.6 使用政策和规程

Policies and Procedures

  • Enterprise-wide Information Security Policy
  • Procedures
  • Buy-in (from Executives and employees)
  • Review, enhancement and modification

5.7 其他网络控制方式

  1. Data-Leakage Protection systems
    • Network based / host based
  2. Content scanning/Anti-Virus/Spyware Control systems
    • Network based / host based
  3. Secure e-mail Systems
  4. Design and implementation
  5. ACLs (Access Control Lists)

参考文献:

  1. Principles of Information Security Systems – Texts and Cases – Gurpreet Dhillon-Chapter 5 : Network Security
  2. Security in Computing – Charles & Shari Pfleeger - Chapter 7 : Security in Networks
  3. Information Security Principles and Practices – Mark Merkow & Jim Breithaupt - Chapter 12 : Telecommunications, Network and Internet Security

posted on 2016-07-23 14:43  Donx  阅读(1095)  评论(0编辑  收藏  举报

导航