




Network Security and Management
Dr. LU Tianbo (陆天波), associate professor
(Network Security and Network Management)

"Some states carry out or tolerate cyber attacks, which foreshadows a continuing rise in the global cyber crisis. Because there are no binding international provisions, because attack sources are hard to trace, and because defenses that could block attacks are lacking, cyber threats are expanding and worsening."

How big is the security problem?
(chart; only the axis label "10M" is recoverable)

Why are there security vulnerabilities?
Lots of buggy software.
- Why do programmers write insecure code?
- Awareness is the main issue
Some contributing factors
- Few courses in computer security
- Programming text books do not emphasize security
- Few security audits
- C is an unsafe language
- Programmers have many other things to worry about
- Consumers do not care about security
- Security is expensive and takes

Why is computer security so hard?
Computer networks are "systems of systems"
- Your system may be secure, but then the surrounding environment changes
Too many things dependent on a small number of systems
Society is unwilling to trade off features for security
Ease of attacks
- Cheap
- Distributed, automated
- Anonymous
- Insider threats
Security not built in from the beginning
Humans in the loop
Computers ubiquitous
Security is interdisciplinary

Course Administration
Prerequisite: Computer Networks
Class Hours: Thursday 10:00am-11:50am
Office: Building 1-123
Office Hours: Wednesday

Textbook
"Computer Security Principles and Practice", William Stallings, China Machine Press (机械工业出版社)
Several other good texts out there
- Ask me if you are interested
Will supplement with other readings (distributed on class webpage)

Grading
Homeworks 30%
- Must be done individually
Project 30%
Final exam (cumulative) 40%
Cheating will be punished

Syllabus I
Introduction
- Is security achievable?
- A broad perspective on security
Cryptography
- The basics
- Symmetric and Public key cryptography
- Cryptography is not the whole solution, but it is an important part of the solution
- Along the way, we will see why cryptography can't solve all security

Syllabus II
Network security
- General principles
- Security policies
- Access control
- Attacks on network
- Buffer overflows
- Viruses/worms
- Privacy and Anonymity
Security M

Philosophy of this course
We are not going to be able to cover everything
- We are not going to be able to even mention everything
Main goals
- A sampling of many different aspects of security
- The security "mindset"
- Become familiar with basic acronyms (RSA, SSL, PGP, etc.), and "buzzwords" (phishing, )
- Become an educated security consumer
- Try to keep it interesting with real-world examples and "hacking" projects
You will not be a security expert after this class (after this class, you should realize why it would be dangerous to think you are)
You should have a better appreciation of security issues after this

Helpful Books
- Frank Adelstein, Sandeep K.S. Gupta, Golden G. Richard III, and Loren Schwiebert, Fundamentals of Mobile and Pervasive Computing, 2005.
- Noureddine Boudriga, Security of Mobile Communications, 2010.
- Levente Buttyán and Jean-Pierre Hubaux, Security and Cooperation in Wireless Networks, 2008. Available online.
- James Kempf, Wireless Internet Security: Architectures and Protocols, 2008.
- Patrick Traynor, Patrick McDaniel, and Thomas La Porta, Security for Telecommunications Networks.

Helpful Books
- Mark Stamp, Information Security: Principles and Practice, John Wiley & Sons, 2006.
- Alfred Menezes, Paul van Oorschot, Scott Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. This is a very comprehensive book. The best part is that you can download this book online! The hardcopy is very convenient though.
- Bruce Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996. This is the best book to read for an introduction to applied security and cryptography. There is much less math than in the book by Menezes et al. Sometimes statements are made without much justification, but no other book even compares to this comprehensive introduction to cryptography. The bibliography alone is worth buying the book.
- Ross Anderson, Security Engineering, John Wiley & Sons, 2001. An excellent book on security in real-world systems.
- Douglas Stinson, Cryptography: Theory and Practice, CRC Press, 1995. This used to be required for 6.875, the theory of cryptography class at MIT.
- Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000. Schneier used to advocate good cryptography as the solution to security problems. He has since changed his mind. Now he talks about risk management and cost-benefit analysis.
- Eric Rescorla, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001. The only book you need to read to learn about the evolution, politics, and bugs in the development of SSL. Eric's a swell guy too; buy his book.

Helpful Books
- Peter Neumann, Computer Related Risks, Addison-Wesley, 1995. Power grid failures. Train collisions. Primary and backup power lines blowing up simultaneously. These events aren't supposed to happen! Neumann offers a plethora of stories about the risks and consequences of technology, gathered from his Risks mailing list. On a side note, Neumann is also responsible for coming up with the pun/name Unix.
- Jakob Nielsen, Usability Engineering, Academic Press, 1993. There are a lot of non-intuitive GUIs out there for security products. Anyone making a security product for use by humans should learn about the principles of smart GUIs.
- Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, 2002. The authors discuss network security from a very applied approach. There is a lot of discussion about real systems, all the way down to the IETF RFCs and the on-the-wire bit representations. The authors also have a fun, informal style.
- Simson Garfinkel, Gene Spafford, Web Security, Privacy & Commerce, O'Reilly, 2002. It's hard to keep up with all the security software out there. But these authors do a good job documenting it all. After many years in the real world, Garfinkel recently joined the MIT Lab for Computer Science as a graduate student.
- David Kahn, The Codebreakers, Scribner, 1973.
- Phillip Hallam-Baker, The dotCrime Manifesto: How to Stop Internet Crime, Addison-Wesley, 2008.
- Jonathan Katz, Yehuda Lindell, Introduction to Modern Cryptography, Chapman & Hall/CRC Press, 2007. This book contains broad coverage of cryptography.
- Nigel Smart, Cryptography: An Introduction, 3rd Edition, 2008.
- Song Y. Yan and Martin E. Hellman, Number Theory for Computing, Springer, 2002.

Useful Links
- National Information Assurance Training and Education Consortium (NIATEC)
- IEEE/IET Electronic Library
- Information Assurance Support Environment
- National Institute of Standards and Technology
- National Vulnerability Database
- Common Vulnerabilities and Exposures
- SecurityFocus Vulnerabilities
- Information Assurance Technical Framework Forum
- Information Systems Security Association
- ISSA North Alabama
- Microsoft TechNet
- The Open Source Vulnerability Database
- Security Tracker

Useful Links
- Network World
- Cryptologia
- Digital Investigation
- International Journal of Information and Computer Security
- Journal of Computer Security
- The Virus Bulletin
- ACM Transactions on Information and Systems Security
- IEEE Transactions on Dependable and Secure Computing
- Journal of Cryptography
- Information Systems Control

Peek at the Dark Side
The only reason we will be learning about attack techniques is to build better defenses.
Don't even think about using this knowledge to attack.

Cyberspace & physical space are increasingly intertwined and software controlled/enabled
(diagram: Critical Infrastructure / Key Resources, split into sectors, physical infrastructure and cyber infrastructure)
- Sectors: Energy; Banking and Finance; Agriculture and Food; Water; Public Health; Chemical Industry; Telecommunications; Key Assets; Transportation; Postal and Shipping
- Physical Assets (Physical Infrastructure): Farms; Food Processing Plants; Reservoirs; Treatment Plants; Hospitals; Chemical Plants; Cable; Fiber; Power Plants; Production Sites; Railroad Tracks; Highway Bridges; Pipelines; Ports; Delivery Sites; Nuclear Power Plants; Government facilities; Dams; FDIC institutions
- Cyber Assets (Cyber Infrastructure): Control Systems (SCADA, PCS, DCS); Software (Financial System, Human Resources); Services (Managed Security, Information Services, Internet, Domain Name System, Web Hosting); Hardware (Database Servers, Networking Equipment)

Need for secure software applications
"In an era riddled with asymmetric cyber attacks, claims about system reliability, integrity and safety must also include provisions for built-in security of the enabling software."

(timeline diagram, 2003 to 2009, of U.S. cybersecurity policy documents)
- Cyberspace Policy Review
- DHS Roadmap For Cybersecurity Research
- CSIS: Securing Cyberspace For The 44th Presidency
- National Cyber Leap Year
- NRC: Toward a Safer & Secure Cyberspace
- Fed Plan For Cyber Security & Info. Assurance R&D
- IRC: Hard Problem List
- CRA: Grand Challenges In Trustworthy Computing
- Cybersecurity: A Crisis Of Prioritization
- National Strategy To Secure C

The first White House Cybersecurity Coordinator

International Strategy for Cyberspace
- Create a comprehensive national security strategy for cyberspace.
- Lead from the White House.
- Cybersecurity is among the most serious economic and national security challenges we face in the twenty-first century.
- In cyberspace, the war has

The Nation is at a crossroads. Cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century.
The status quo is no longer acceptable.
The national dialogue on cybersecurity must begin today.
The United States cannot succeed in securing cyberspace if it works in isolation.
The White House must lead the way.

U.S. Comprehensive National Cybersecurity Initiative (CNCI)

U.S. agencies participating in CNCI
(diagram: Critical Industry, FBI, NCIJTF, DHS, US-CERT, Services, Others, ODNI, IC-IRC, DISA, GNO, Allies, STRATCOM, DoD, DC3, NSA, NTOC)

CNCI

"My own view is that the only way to counteract both criminal and espionage activity online is to be proactive. If the U.S. is taking a formal approach to this, then that has to be a good thing. The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid. If that is determined to be an organized attack, I would want to go and take down the source of those attacks. The only problem is that the Internet, by its very nature, has no borders and if the U.S. takes on the mantle of the world's police, that might not go down so well."

On 23 June 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command (USSTRATCOM) to establish USCYBERCOM. In May 2010, General Keith Alexander outlined his views in a report for the United States House Committee on Armed Services.

"Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our advantage in cyber space."

United States 2nd National Software Summit, Washington, May 10-12, 2004.
The strategy includes four programs:
- Improving Software Trustworthiness
- Educating and Fielding the Software Workforce
- Re-Energizing Software Research and Development
- Encouraging Innovation Within the U.S. Software
(diagram: Security, Safety, Reliability, Survivability)
The strategy includes two mutually supporting and complementary goals:
- Achieve the ability to routinely develop and deploy trustworthy software products and systems
- Ensure the continued competitiveness of the U.S. software

Cyber Security: A Crisis of Prioritization
Top Ten Areas in Need of Increased Support
- Computer Authentication Methodologies
- Securing Fundamental Protocols
- Secure Software Engineering & Software Assurance
- Holistic System Security
- Monitoring and Detection
- Mitigation and Recovery Methodologies
- Cyber Forensics and Technology to Enable