网络安全风险分析

•••••TCP/IP•••Owner•Assets•Threat•Vulnerabilities•Countermeasures•RiskAssets•–•–•,,;•–,,–•AssetValue–Threats•–––•–––(,,)–(,,)–•––Threat(Cont.)•Passivethreats–Sniffer,wiretapping–Trafficanalysis•(),snifferThreat(Cont.)•Activethreats–Interruption•–Modification•threat(Cont.)•–(Replay)–Fabrication•–DenialofService•Bthreat(Cont.)–(MaliciousMobileCode)•(Virus)(Worm)(trojan)•(JavaScript,JavaApplet,ActiveX–repudiation)••Vulnerabilities••••Vulnerabilities•Internet–Internet–RFC“Securityissuesarenotdiscussedinthismemo”–,•SMTP,telnet•,•(QoS)Vulnerabilities(Cont.)•–bufferoverflow–•––•–––Countermeasure•––––••••••TCP/IP•••AV:Assetvalue•SLESingleLossExpectancy•EF:ExposureFactor,0%—100%SLE=AVEF•ARO:AnnualizedRateofOccurrence•ALE:AnnualizedLossExpectancyALE=SLEAROQuantitative•••••Risk=∑∑atALEQuantitative•–50AV=50–5EF=90%–10ARO=0.1–SLE=AVEF=45–ALE=SLEARO=4.4Qualitative•–Low,Medium,High•–Low,Medium,High•–Low,Medium,High•–•–––•••••TCP/IP•••Confidentiality–•(Integrity)–•(Availability)–ICA•Authenticity–•–•Non-Repudiation––•Accountability––••••••TCP/IP•••–IBMSUNPCpalm•–10M/100M/1G10GFDDIATM•–SDHPDHDDNFRX.25ATM•–TCP/IPSoftwareSoftwareSoftwareHardwareHardwareHardwareProgramsProgramsProgramsA1960sand1970s:SoftwareSoftwareProgramsProgramsHardwareHardware1970s1980s:PC,TokenRing1990s:GlobalInternetworkingInternet•1969ARPANET•1974Firstpaperonpacketswitching•1983TCP/IPimplementation•1985NSFNET•1986Firstrouter•1991•1995UScommercialInternet•1996USNextGenerationInternetInternet•PacketSwitch•KISS•End-to-end•BesteffortNoQoS••••IPovereverything••Werejectkings,presidents,andvoting;webelieveinroughconsensusandrunningcode.InternetInternetTransitISPTransitISPLocal?ISPLocal?ISPLocal?ISPCustomersCustomersIXIXIXCustomersOSI/RMApplicationPresentationSessionTransportNetworkDataLinkPhysicalHOSTAHOSTBsegmentspacketsframesbitsApplicationPresentationSessionTransportNetworkDataLinkPhysicalNetworkDataLinkPhysicalpacketsframesbitsOSITCP/IPApplicationPresentationSessionTransportNetworkDataLinkPhysicalOSI/RMTCP/IPApplicationTransportIPDataLinkPhysical•••••TCP/IPTCP/IPARPRARP802.xX.25PPPFRATM….ICMPIPIGMPTCPUDPSMTPFTPHTTPtelnetDNSSNMPOSPFBGPRIP……TCP/IP•––•–––––—QoS–IPIP0VERSHLENTypeofServiceTotalLengthIdentificationFragOffsetTTLProtocolHeaderChecksumSourceIPAddressDestinationIPAddressIPOptionsDataDFMF1631ARP/RARP•ARP/RARPIPßà166.111.1.0/24166.111.1.1IP:166.111.1.10MAC:A202.112.58.1IP:202.112.58.200MAC:CIP:166.111.1.20MAC:BAàALL:WhohasIP166.111.1.20?BàA:MyMACaddressisBRABCICMP•ICMP(InternetControlMessageProtocol)TTL=0;//•–IP–ARP–MAC•–ARP–Teardrop–SmurfICMPSmurfattackerICMPechoreqSrc:targetdst:xxx.xxx.xxx.255targetEchoreplyEchoreplyEchoreplyEchoreplyTeardropMF=1,offset=0,len=NMF=0,offset=K,(KN)len=S,(K+SN)0NKK+Slen=(K+S)-N0,memcpy•TBABABT,R2àR1R1R2R3•–RIPOSPF,BGPABCC•––•–IP–––TCPUDPApplicationTransportInternetNetworkInterfaceHardwareTCPSegmentFormat03116SourcePortDest.PortSequenceNumberAck.NumberHLENReservedURGWindowChecksumUrgentOptionData...ACKPSHRSTSYNFIN•NosequenceoracknowledgmentfieldsUDPSegmentFormatSourcePortDestinationPortLengthChecksumDataPortNumbersTCPPortNumbersFTPTransportLayerTELNETDNSSNMPTFTPSMTPUDPApplicationLayer2123255369161TCPPortNumbersSourcePortDest.PortHostADest.port=23.SendpackettomyTelnetapplication.102823SPDPHostZTelnetZTCPHandshake/OpenConnectionSendSYN(seq=100ctl=SYN)SYNreceivedHostAHostB1TCPHandshake/OpenConnectionSendSYN(seq=100ctl=SYN)SYNreceivedSendSYN(seq=300ack=101ctl=syn,ack)HostAHostB12SYNreceivedTCPHandshake/OpenConnectionSendSYN(seq=100ctl=SYN)SYNreceivedSendSYN(seq=300ack=101ctl=syn,ack)Established(seq=101ack=301ctl=ack)HostAHostB123SYNreceivedTCPHandshake/OpenConnectionSendSYN(seq=100ctl=SYN)SYNreceivedSendSYN(seq=300ack=101ctl=syn,ack)Established(seq=101ack=301ctl=ack)HostAHostBEstablished(seq=301ack=301ctl=ackData)1234SYNreceived•TCP––FINRST•SYNFloodSYNFloodSYNRCVD(Half-Open)attackertargetNormalApplicationTransportInternetNetworkInterfaceHardwareFileTransfer-TFTP-FTPE-Mail-SMTPRemoteLogin-Telnet-rloginNetworkManagement-SNMPNameManagement-DNS•MUAMDAMTAMUAMTASMTPMUAMDASMTPPOP3IMAP•MUAßàMTAMTAßàMTA,–SMTP(SimpleMailTransferProtocols)–ESMTP(ExtentedSimpleMailTransferProtocol)•MUAßàMDA–POP3(PostOfficeProtocol,version3)–IMAP(InteractiveMailAccessProtocol,IMAP)SMTP•RFC821,1982•TCP25•–HELO,MAIL,RCPT,DATA,RSET,VRFY,QUIT…•SMTP$telnetsmtp.ccert.edu.cn25Trying202.112.50.210...Connectedtosmtp.ccert.edu.cn.Escapecharacteris'^]'.220ns2.ccert.edu.cnESMTPSendmail8.12.1/8.12.1;Fri,9Aug200222:19:18+0800(CST)helotest.domain250ns2.ccert.edu.cnHelloincident.ccert.edu.cn[202.112.50.168],pleasedtomeetyoumailfrom:god@heaven.net2502.1.0god@heaven.net...Senderokrcptto:duan@ccert.edu.cn2502.1.5duan@ccert.edu.cn...RecipientokSMTPContdata354Entermail,endwith.onalinebyitselfFrom:GODgod@yahoo.comTo:anybodyanybody@edu.cnSubject:CanyouguesswhoamI?Spamemailtestbye.2502.0.0g79EJIx2009423Messageacceptedfordeliveryquit2212.0.0ns2.ccert.edu.cnclosingconnectionConnectionclosedbyforeignhost.$DNS••ßàIP“”educomgovorgcnjpedu.cncom.cnorg.cntsinghua.edu.c