信息系统安全第一章、看

Network

SecurityEssentialsApplications

and

StandardsThird

Edition12This

book

is

adapted

from

Cryptography

andNetwork

Security,

Fourth

Edition.Objectives

of

This

Book:Provide

a

practical

survey

of

network

securityapplications

and

standards.

The

emphasis

onapplications

that

are

widely

used

on

the

Internetand

for

corporate

networks,

and

on

standards,especially

Internet

standards,

that

have

beenwidely

deployed.3The

book

is

organized

in

three

Parts:

Part

One—Cryptography:A

concise

survey

ofthe

cryptographic

algorithms

and

protocolsunderlying

network

securityapplications,including

encryption,

hashfunctions,

digital

signatures,

and

key

exchange

Part

Two

—

Network

Security

Applications:Covers

important

network

security

tools

and4applications,

including

Kerberos,

X.509v3certificates,

PGP,

S/MIME,

IP

Security,SSL/TLS,

SET,

and

SNMPv3

Part

Three

—

System

Security:

Look

atsystem-level

security

issues,

including

thethreat

of

and

countermeasures

for

intrudersand

virus,

and

the

use

of

firewalls

and

trustedsystems5Chapter

1Introduction6OutlineSecurity

trendsTheOSI

security

architectureSecurity

attacksSecurity

servicesSecurity

mechanismsMethods

of

DefenseA

model

for

network

SecurityInternet

standards

and

RFCs1.1

Security

Trends7891.2

The

OSI

Security

ArchitectureThe

OSI

security

architecture

focuses

on

securityattacks,

mechanisms,

and

services.

Security

Attack:

Any

action

that

compromises

thesecurity

of

information.

Security

Mechanism:

A

mechanism

that

is

designed

todetect,

prevent,

or

recover

from

asecurity

attack.

Security

Service:

A

service

thatenhancesthesecurity

of

data

processing

systemsand

informationtransfers.

A

security

service

makes

use

of

one

ormore

security

mechanisms.101.3

Security

AttacksPassive

attacks:

attempts

to

learn

or

make

use

ofinformation

from

the

system

but

does

not

affectsystem

resources.

They

are

in

the

nature

ofeavesdroppingon

,

or

monitoring

of

,transmissions.

Thegoal

of

the

opponent

is

to

obtain

information

that

isbeing

transmitted.

Two

types

of

passive

attacks

areRelease

of

message

contentTraffic

analysis1112Active

attacks:

attempts

to

alter

system

resources

oraffect

their

operation.

Involve

some

modification

ofthe

data

stream

or

the

creation

of

a

false

stream

andcan

be

subdivided

into

four

categories:MasqueradeReplayModification

of

messagesDenial

of

service

(DoS)131415Passive

attacks

are

very

difficult

to

detect,

theemphasis

in

dealing

with

passive

attacks

is

onprevention

rather

than

detection.Active

attacks

are

quite

difficult

to

prevent,

insteadthe

goal

is

to

detect

them

and

to

recover

from

anydisruption

or

delays

caused

by

them.16

Interruption:

This

is

an

attack

onavailability

Interception:

This

is

an

attack

onconfidentialityModification:

This

is

an

attack

on

integrity

Fabrication:

This

is

an

attack

onauthenticity171.4

Security

ServicesX800

defines

a

security

service

that

is

providedby

a

protocol

layer

of

communicating

open

systemsand

ensures

adequate

security

of

the

systems

or

ofdata

transfers.RFC

2828

provides

the

following

definition:

aprocessing

or

communication

service

that

is

provideby

a

system

to

give

a

specific

kind

of

protection

tosystem

resources.18Security

services

implement

security

policies

anare

implemented

by

security

mechanisms.X800

divides

security

services

into

fivecategories

and

fourteen

specific

services.(1)

Authenticationpeer

entity

authenticationdata

origin

authenticationAccess

controlData

confidentiality19Data

integrityNonrepudiationAvailability

serviceSecurity

GoalsIntegrity20ConfidentialityAvaliability211.5

Security

MechanismsSecurity

mechanism

are

divided

into

those

that

areimplemented

in

a

specific

protocol

layer

and

those

thare

not

specific

to

any

particular

protocol

layer

orsecurity

service.X800

distinguishes

between

reversible

enciphermenmechanisms

and

irreversible

encipherment

mechanisms.1.6

A

Model

for

Network

Security222324The

security

mechanisms

needed

tocope

with

unwanted

access

fall

into

twobroad

categories:(1)

A

gatekeeper

function(2)

Screening

logic25Methods

of

DefenceEncryption

Software

Controls

(access

limitations

in

adata

base,

in

operating

system

protecteach

user

from

other

users)HardwareControls

(smartcard)Policies(frequent

changes

ofpasswords)PhysicalControls261.7

Internet

Standards

and

theInternet

SocietyThe

Internet

societyInternet

Architecture

Board

(IAB)Internet

Engineering