A Brief Analysis of Network Security [Chinese text, 3,140 characters] [Chinese and English Word document]
Security of Computer Network System
A Brief Analysis of Network Security
Abstract: Addressing the security and reliability problems of computer network systems, this paper sets out and elaborates some views on the importance of network security, its theoretical basis, the functions a secure network should provide, and the measures for achieving them, with the aim of raising users' security awareness in computer networking.
Keywords: computer network; virtual private network (VPN); encryption; firewall
With the development of computer network technology, the security and reliability of networks have become a common concern of users at every level. Everyone wants their network system to run reliably, free from interference and damage by outside intruders. Solving the network's security and reliability problems is therefore the precondition and guarantee of its normal operation.
1. The importance of network security
In today's rapidly developing information society, computer networks are in widespread use. But as the volume of information transmitted between networks grows sharply, the organisations and departments that benefit from faster business operations also find their online data attacked and damaged to varying degrees. An attacker can eavesdrop on network traffic and steal user passwords and database contents; tamper with database contents; forge user identities; and repudiate signatures. Worse, an attacker can delete database contents, destroy network nodes, release computer viruses, and so on. Data security and the organisation's own interests are thereby seriously threatened. According to a survey by the US Federal Bureau of Investigation (FBI), network security incidents cost the United States more than 17 billion dollars a year; 75% of the companies surveyed reported financial losses caused by computer system security problems; more than 50% of security threats came from insiders; and only 59% of the losses could be quantified. In China, losses caused by security problems in the computer systems of banks, securities firms and other financial institutions have reached several hundred million yuan, and network security incidents in other industries occur from time to time. Whether the cause is a deliberate attack or an accidental operator error, the loss to a system can be incalculable, so computer networks must have sufficiently strong security measures. Whether in a local area network or a wide area network, those measures should address the full range of threats and vulnerabilities, so as to ensure the confidentiality, integrity and availability of network information.
2. Theoretical basis of network security
The International Organization for Standardization (ISO) once proposed defining computer security as follows: "a computer system must protect its hardware and data from accidental or deliberate disclosure, alteration and destruction." To help computer users distinguish and solve computer network security problems, the US Department of Defense published the "Orange Book" (formally the Trusted Computer System Evaluation Criteria, TCSEC), which specifies how multi-user computer systems are divided into security levels. The Orange Book divides computer security, from low to high, into four divisions and seven classes: D (sometimes written D1), C1, C2, B1, B2, B3 and A1. Division D is for systems that fail to meet even the lowest requirements; C1 and C2 (discretionary protection) meet the minimum requirements; B1 and B2 (mandatory, labelled protection) provide medium-strength protection; and B3 and A1 (the latter requiring a formally verified design) are the highest levels. TCSEC has since been superseded by the Common Criteria (ISO/IEC 15408), but its central idea, choosing an assurance level commensurate with what is being protected, carries over. In the concrete design of a network, a reasonable and sufficiently strong security level should be chosen by weighing the technical specifications, equipment types, performance requirements and budget set out in the overall network plan, so as to achieve network security and reliability.
3. Functions a secure network should provide
To keep pace with the development of information technology, a computer network application system must provide the following functions:
(1) Access control: an access control system built around specific network segments and services stops the great majority of attacks before they reach their target.
(2) Vulnerability checking: periodic checks for security vulnerabilities render the great majority of attacks ineffective even when they do reach their target.
(3) Attack monitoring: an attack monitoring system built around specific network segments and services detects the great majority of attacks in real time and responds accordingly (for example by dropping the network connection, recording the course of the attack, or tracing its source).
(4) Encrypted communication: proactively encrypting communications, together with an integrity check on each message, prevents an attacker from reading or undetectably modifying sensitive information.
(5) Authentication: a sound authentication system prevents an attacker from impersonating a legitimate user.
(6) Backup and recovery: a sound backup and recovery mechanism restores data and system services as quickly as possible when an attack causes damage.
(7) Defence in depth: once an attacker has broken through the first line of defence, further layers delay or block progress towards the target.
(8) A security monitoring centre: provides security management, monitoring, protection and emergency response services for the information system.
4. Comprehensive measures for network system security
To deliver the security functions above, the network system must be defended on all fronts, which in turn requires a reasonable network security architecture. Some protective measures for the security problems of a network system follow. Physical security has two aspects: damage done to the network by people, and harm done to users by the network. The most common case is a construction crew damaging a buried cable because they did not know it was there; warning signs guard against this. Networks installed without structured cabling frequently suffer cable damage by users, so structured cabling should be used wherever possible. The effects of man-made and natural disasters must be considered at the planning and design stage.
訪問控制安全, 訪問控制識別并驗證用戶, 將用戶限制在已授權(quán)的活動和資源范圍之內(nèi)。網(wǎng)絡(luò)的訪問控制安全可以從以下幾個方面考慮。 (1)口令:網(wǎng)絡(luò)安全系統(tǒng)的最外層防線就是網(wǎng)絡(luò)用戶的登錄,在注冊過程中,系統(tǒng)會檢查用戶的登錄名和口令的合法性,只有合法的用戶才可以進入系統(tǒng)。 (2)網(wǎng)絡(luò)資源屬主、屬性和訪問權(quán)限:網(wǎng)絡(luò)資源主要包括共享文件、共享打印機、網(wǎng)絡(luò)通信設(shè)備等網(wǎng)絡(luò)用戶都有可以使用的資源。 資源屬主體現(xiàn)了不同用戶對資源的從屬關(guān)系, 如建立者、修改者和同組成員等。資源屬性表示了資源本身的存取特性,如可被誰讀、寫或執(zhí)行等。訪問權(quán)限主要體現(xiàn)在用戶對網(wǎng)絡(luò)資源的可用程度上。利用指定網(wǎng)絡(luò)資源的屬主、屬性和訪問權(quán)限可以有效地在應(yīng)用級控制網(wǎng)絡(luò)系統(tǒng)的安全性。 (3)網(wǎng)絡(luò)安全監(jiān)視:網(wǎng)絡(luò)監(jiān)視通稱為“網(wǎng)管” ,它的作用主要是對整個網(wǎng)絡(luò)的運行進行動態(tài)地監(jiān)視并及時處理各種事件。 通過網(wǎng)絡(luò)監(jiān)視可以簡單明了地找出并解決網(wǎng)絡(luò)上的安全問題,如定位網(wǎng)絡(luò)故障點、捉住 IP 盜用者、控制網(wǎng)絡(luò)訪問范圍等。 (4)審計和跟蹤:網(wǎng)絡(luò)的審計和跟蹤包括對網(wǎng)絡(luò)資源的使用、網(wǎng)絡(luò)故障、系統(tǒng)記賬等方面的記錄和分析。一般由兩部分組成:一是記錄事件,即將各類事件統(tǒng)統(tǒng)記錄到文件中;二是對記錄進行分析和統(tǒng)計,從而找出問題所在。
Data transmission security. Transmission security means protecting information while it travels across the network, against both passive attacks (eavesdropping) and active attacks (modification, injection, replay). The following measures can be taken.
(1) Encryption and digital signatures: a digital signature is the means by which the receiver of data confirms that it really came from the claimed sender and was not altered on the way. It is produced with the sender's private key and checked with the corresponding public key, so it also provides non-repudiation: the sender cannot later deny having signed. Encryption protects confidentiality; signatures protect authenticity and integrity; the two are normally used together.
(2) Firewalls: a firewall is a security measure in wide use on the Internet, a combination of components placed between different networks or network security domains. By monitoring, restricting and where necessary altering the traffic that crosses it, and by gathering as much as it can about the information, structure and operating state inside and outside the network, it protects the network.
(3) Username/password authentication: this is the most common authentication method, used for operating system login, telnet and rlogin among others. In telnet and rlogin, however, the exchange is not encrypted: the password crosses the network in cleartext, so anyone able to sniff the link captures it directly, with no decryption required. These protocols should be replaced by SSH, which encrypts the whole session.
(4) Digest-based authentication: RADIUS (remote dial-in authentication), OSPF (the open routing protocol), the SNMP security protocol and others authenticate with a shared secret key combined with a digest algorithm (MD5). Because a digest is one-way, the shared key cannot be computed back from the digest, and the key itself never has to be transmitted over the network. The digest algorithms in common use are MD5 and SHA-1. Both are now deprecated: collisions are practical for both, and current practice is a keyed construction such as HMAC with SHA-256 (OSPF and SNMPv3 both define HMAC-SHA-2 variants). Note also that one-wayness only protects a key that cannot be guessed: from a single captured exchange an eavesdropper can test candidate keys offline, so a short or dictionary-word shared secret is recovered quickly.
(5) PKI-based authentication: PKI (public key infrastructure) is used for both authentication and encryption. This method offers a high level of security and combines digest algorithms, asymmetric encryption, symmetric encryption and digital signatures, balancing security with efficiency. It is currently applied to e-mail, application server access, client authentication, firewall authentication and other areas. Its security is high, but it brings a fairly heavy certificate management burden.
(6) Virtual private network (VPN) technology: a VPN provides secure two-way communication over the public network, using transparent encryption to guarantee the integrity and confidentiality of data.
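The shared-secret digest authentication of measure (4), reduced to its essentials, as an added example that is not code from the paper or from any of the protocols named. It uses only the Python standard library. The nonce, secrets and wordlist are constructed for the demonstration; the legacy MD5(secret || nonce) form is included only to show the mechanism the text describes, with HMAC-SHA256 beside it as the construction to use. The second half shows the caveat: with one captured (nonce, response) pair the attacker can test guesses offline, so the guessable secret falls to a five-word list while the random one does not.

```python
"""Shared-secret digest authentication and its offline-guessing weakness.

The secret is never sent: each side proves knowledge of it by hashing it
together with a fresh nonce from the server. Standard library only.
"""
import hashlib
import hmac
import os


def legacy_digest(secret: bytes, nonce: bytes) -> bytes:
    """MD5(secret || nonce): the keyed-digest style of the older protocols.
    Shown for the mechanism only; MD5 and plain concatenation are obsolete."""
    return hashlib.md5(secret + nonce).digest()


def modern_digest(secret: bytes, nonce: bytes) -> bytes:
    """HMAC-SHA256 keyed with the secret over the nonce: the form to use today."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def server_challenge() -> bytes:
    """A fresh random nonce, so a captured response cannot simply be replayed."""
    return os.urandom(16)


def client_respond(secret: bytes, nonce: bytes, digest=modern_digest) -> bytes:
    """The client's proof of knowledge: a digest, never the secret itself."""
    return digest(secret, nonce)


def server_verify(secret: bytes, nonce: bytes, response: bytes, digest=modern_digest) -> bool:
    """Constant-time comparison; a plain == leaks how many leading bytes matched."""
    return hmac.compare_digest(digest(secret, nonce), response)


def offline_dictionary_attack(nonce: bytes, captured: bytes, wordlist, digest=modern_digest):
    """What an eavesdropper can do with one captured (nonce, response) pair:
    try candidate secrets locally until one reproduces the response."""
    for guess in wordlist:
        if digest(guess, nonce) == captured:
            return guess
    return None


# Constructed demonstration data; not from any real deployment.
WEAK_SECRET = b"radius123"
STRONG_SECRET = os.urandom(32)
WORDLIST = [b"password", b"secret", b"radius", b"radius123", b"admin"]


def demo():
    """Run one honest exchange, one tampered response, and the offline attack
    against both a weak and a strong secret; return the outcomes."""
    nonce = server_challenge()
    resp = client_respond(WEAK_SECRET, nonce)
    accepted = server_verify(WEAK_SECRET, nonce, resp)
    # flip one bit of the response: an integrity failure must be rejected
    tampered = bytes([resp[0] ^ 0x01]) + resp[1:]
    tampered_accepted = server_verify(WEAK_SECRET, nonce, tampered)
    weak_recovered = offline_dictionary_attack(nonce, resp, WORDLIST)
    resp_strong = client_respond(STRONG_SECRET, nonce)
    strong_recovered = offline_dictionary_attack(nonce, resp_strong, WORDLIST)
    return {"accepted": accepted, "tampered_accepted": tampered_accepted,
            "weak_recovered": weak_recovered, "strong_recovered": strong_recovered}


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the nonce must be fresh per exchange (a fixed or predictable one turns the scheme into a replayable password), and the construction's one-wayness buys nothing if the secret is short enough to enumerate, which is why protocols that still rely on MD5-keyed digests are usually tunnelled over TLS or run only on links an attacker cannot observe.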
總結(jié):綜上所述,對于計算機網(wǎng)絡(luò)傳輸?shù)陌踩珕栴},我們必須要做到以下幾點。第一,應(yīng)嚴(yán)格限制上網(wǎng)用戶所訪問的系統(tǒng)信息和資源,這一功能可通過在訪問服務(wù)器上設(shè)置 NetScreen防火墻來實現(xiàn)。第二,應(yīng)加強對上網(wǎng)用戶的身份認證,使用 RADIUS 等專用身份驗證服務(wù)器。一方面,可以實現(xiàn)對上網(wǎng)用戶賬號的統(tǒng)一管理;另一方面,在身份驗證過程中采用加密的手段,避免用戶口令泄露的可能性。第三,在數(shù)據(jù)傳輸過程中采用加密技術(shù),防止數(shù)據(jù)被非法竊取。一種方法是使用 PGP for Business Security 對數(shù)據(jù)加密。另一種方法是采用 NetScreen防火墻所提供的 VPN 技術(shù)。VPN 在提供網(wǎng)間數(shù)據(jù)加密的同時,也提供了針對單機用戶的加密客戶端軟件,即采用軟件加密的技術(shù)來保證數(shù)據(jù)傳輸?shù)陌踩浴?