Network Security and Privacy
Chapter 1: Security Introduction
西电电子对抗所

Security: In the Beginning…
In the early days of data processing, the security of information was provided primarily by physical and administrative means.
• Computer buildings, floors, and rooms were guarded and alarmed to prevent outsiders from intruding and disrupting operations.
• The focus was on physical break-ins, the theft of computer equipment, and the physical theft or destruction of disk packs, tape reels, punch cards, or other media.
• Insiders were kept at bay, and access was limited to a small set of computer professionals.

Information Security
The requirements of information security within organizations have undergone two major changes:
• The introduction of shared systems, such as time-shared systems and/or systems that can be accessed over the public telephone or data networks.
• The introduction of distributed systems and the use of networks and communications facilities for carrying data between terminal user and computer and between computer and computer.

Computer vs. Network Security
• Computer security is the generic term for a collection of tools designed to protect data and to thwart hackers.
• Network security is the set of security measures needed to protect data during their transmission.
• In most systems, the boundaries between computer security and network security are blurred, since most, if not all, of today's systems are distributed in nature. Networking is a core part of today's environment.

The Degree of Security
• Curtain
• Lock
• Demi-wolf
• Security alarm system
• Fencing, guard

Security Goals
• Integrity
• Confidentiality
• Availability

Security Services
• Confidentiality is the protection of transmitted data from passive attacks.
• Authentication is concerned with assuring that a communication is authentic.
• Integrity assures that messages are received as sent.
• A connection-oriented integrity service should assure that there are no duplicates, insertions, deletions, modifications, reordering, or replays.
• A connectionless integrity service deals only with an individual message.

Security Services (continued)
• Non-repudiation prevents either the sender or the receiver from denying a transmitted message.
• Access control is the ability to limit and control access to host systems and applications via communications links.
• Availability is the ability to prevent the loss of, or a reduction in, availability of elements of a distributed system.

[Figure: Network Topology]

Hierarchy of Network Security
• Physical Security: physical medium
• Security Control: OS, NIC, internetworking device
• Security Service: security mechanism, security connection, security protocol, security policy

Security Risks
• Exploitation of vulnerability
• Unauthorized access
• Information disclosure
• Information exhaust
• Information theft

Types of Risks
• Sniffer (eavesdropping)
• Impersonate (impersonation)
• Replay
• Traffic analysis
• Loss of integrity
• Denial of service
• Unauthorized access
• Trapdoor / Trojan Horse / Viruses (malicious code)

Motives
• Industrial espionage
• Financial gains
• Revenge / publicity
• Innocence

Network Attacks
• Security Attack: Any action that compromises the security of information owned by an organization.
• Security Mechanism: A mechanism that is designed to detect, prevent, or recover from a security attack.
• Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms. It is designed to counter security attacks.

Steps of Network Attacks
• Information gathering
• Scanning vulnerabilities
• Attacking…

The Stages of a Network Intrusion
1. Scan the network to:
   • locate which IP addresses are in use,
   • what operating system is in use,
   • what TCP or UDP ports are "open".
2. Run "Exploit" scripts against open ports.
3. Get access to a Shell program which is "suid" (has "root" privileges).
4. Download from a Hacker Web site special versions of system files that will let the Cracker have free access in the future without his CPU time or disk storage space being noticed by auditing programs.
5. Use IRC (Internet Relay Chat) to invite friends to the feast.

Attacking Methods
• System bugs / Backdoors
• Security awareness
• Firewall
• Internal users
• Lack of means for security auditing
• Password
• Denial of Service
• Web / CGI

Four Security Attack Categories
• Interruption: attack on availability
• Interception: attack on confidentiality
• Modification: attack on integrity
• Fabrication: attack on authenticity

Normal Flow
Normal flow is the flow of information from an information source, such as a file or a region of main memory, to a destination, such as another file or a user.

Interruption
An asset of the system is destroyed or becomes unavailable or unusable. This is an attack on availability.
Examples: The destruction of hardware, the cutting of a communication line, or the disabling of the file management system.

Interception
An unauthorized party gains access to an asset. This is an attack on confidentiality. The unauthorized party could be a person, a program, or a computer.
Examples: Wiretapping to capture data in a network and the unauthorized copying of files or programs.

Modification
An unauthorized party not only gains access to but tampers with an asset. This is an attack on integrity.
Examples: Changing values in a data file, altering a program so that it performs differently, or modifying the content of messages being transmitted in a network.

Fabrication
An unauthorized party inserts counterfeit objects into the system. This is an attack on authenticity.
Examples: The insertion of spurious messages in a network or the addition of records to a file.

Passive Attacks
Passive attacks eavesdrop on, or monitor, transmissions.
Goal: To obtain transmitted information.
2 types of passive attacks.

Passive Attack Types
• Release of contents: A telephone conversation, an electronic mail message, or confidential information.
• Traffic analysis: Using the location and identities of hosts and the frequency and length of messages to determine the type of communication taking place.
Passive attacks are difficult to detect since they do not involve any alteration of data. The emphasis is on prevention rather than detection.

Active Attacks
An active attack involves the modification of the data stream or the creation of a false stream.
4 types of active attacks.

Active Attack Types
• Masquerade takes place when one entity pretends to be a different entity. This form usually includes one of the other forms of active attack.
• Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Active Attack Types II
• Modification occurs when an unauthorized party gains access to and tampers with an asset. This is an attack on integrity.
• Denial of Service prevents or inhibits the normal use or management of communications facilities.

[Figure: Model for Network Security]

Model for Network Security
This model operates as follows:
• A message is presented to be transferred from one party to another across some sort of internet.
• The two parties (principals) in the transaction must cooperate for the exchange to take place.
• A logical information channel is established by defining a route through the internet from source to destination using a communications protocol such as TCP/IP.

Security Components
Security is an issue when it is necessary to protect the transmission from an opponent. All techniques for providing security have two components:
• A security-related transformation on the information to be sent.
• Some secret information shared by the two principals and, hopefully, unknown to the opponent.
Additionally, in some cases a trusted third party may be used for distributing the secret information or arbitrating disputes between the two parties over authenticity.

Design Goals for a Security Service
• Design an algorithm for performing the security-related transformations. An opponent should not be able to defeat it!
• Generate the secret information to be used with the algorithm.
• Develop methods for distribution and sharing of the secret information.
• Specify a protocol to be used by the two principals that makes use of the security algorithms and the secret information to achieve a particular security service.

[Figure: Network Access Security Model]

Security Technologies
• Firewall
• Encryption
• Authentication
• Digital signature
• Content inspection

[Figure: protocol stack showing Application Layer (HTTP), Transport Layer (TCP, UDP), Network Layer (IP), Ethernet Data Link Layer, Ethernet Physical Layer]
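
Added example (not part of the original slides): the difference between a connectionless and a connection-oriented integrity service, built from the two components named under Security Components, a transformation (here HMAC-SHA256) and a shared secret. The key, the frame layout (8-byte sequence number, payload, tag) and all function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct
from typing import Optional

KEY = b"constructed-demo-shared-secret"  # constructed value; assumed pre-shared
TAG_LEN = 32  # HMAC-SHA256 output size

def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender: 8-byte sequence number + payload + HMAC over both."""
    body = struct.pack(">Q", seq) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

def verify_connectionless(key: bytes, frame: bytes) -> Optional[bytes]:
    """Checks one message in isolation: catches modification, not replay."""
    if len(frame) < 8 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return body[8:] if hmac.compare_digest(tag, expected) else None

class ConnectionReceiver:
    """Connection-oriented check: valid MAC and the exact next sequence number."""
    def __init__(self, key: bytes):
        self.key = key
        self.next_seq = 0

    def receive(self, frame: bytes) -> str:
        if verify_connectionless(self.key, frame) is None:
            return "rejected: modified or forged"
        seq = struct.unpack(">Q", frame[:8])[0]
        if seq < self.next_seq:
            return "rejected: replay or duplicate"
        if seq > self.next_seq:
            return "rejected: deletion or reordering"
        self.next_seq += 1
        return "accepted"

def demo() -> list:
    # Constructed sample traffic: three protected messages on one connection.
    frames = [protect(KEY, i, m) for i, m in enumerate([b"pay 10", b"pay 20", b"pay 30"])]
    tampered = frames[0][:8] + b"pay 99" + frames[0][8 + 6:]  # payload altered, old tag kept
    rx = ConnectionReceiver(KEY)
    # Order on the wire: tampered copy, message 0, message 0 replayed, message 2 early, message 1
    return [rx.receive(f) for f in (tampered, frames[0], frames[0], frames[2], frames[1])]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The per-message check alone accepts the same valid frame any number of times, which is why the replay described under Active Attack Types needs per-connection state to detect.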
