电信运营商企业网络安全建设

上海交通大学硕士学位论文电信运营商企业网络安全建设姓名：王毅申请学位级别：硕士专业：电子与通信工程指导教师：陈恭亮20080101IntranetIntranetIntranetIntranetIntranetIntranetVPNABSTRACTBUILDSECUREINTEANETOFTELECOMCORPORATIONABSTRACTAlongwiththedevelopmentofcomputernetwork,informationbecomethegoalofthecorporation.Moderncorporationleanupnetworkmoreandmore,asecureandstabilizationnetworkbecomethebasicsupportsystemofthecompany.Butbecausethenetworkismultiformityandopen,thesystemofnetiscomplexity,andtheterminaldistributingisasymmetry,leadthenetliabletoattackofthevirus,howtoprotectthesafetyoftheIntranetisaveryimportantproblem.Thecontentofthisarticleishowtodesignandbuildanet-safty-defendingsystemwhichcansuitcompanyself.ThissystemcansolvetheproblemsandtroublesofSHMC,andcansufficethedevelopmentofSHMC’sIntranet.Thisarticleanalysethetroubleandproblemofourcompany’sIntranetinrunning,thesetroublesincludeprotectsecurityofIntranetbyusingall-aroundFirewallonly,thefirewallcannotbreasttheattackcomingfromtheinside,equipmentcannotpreventvirusfromenteringtheinside,andtrashinflownowandthen,andresearchhowtobysettingupasecureIntranetforcorporationbyanalyzingthecauseoftheseproblemsandstudyingsolveschemeoftheseproblemstopreventunlawfuluserfromthieving,forginganddestroyingdatabythebugofnetwork.Also,technologyandmanagersupplementeachother.Thisarticletryhardtoexplainbothoftechnologyandmanager,letthereaderrealizeonlybycombiningthetechnologyandmanager,wecanprotectthesafetyofthecompanyIntranet.Keywords:FireworkIntrusionDetectionVPNsecuritymanager-1-IntranetIntranet1.1[1][2]IntranetIntranetDoS-2-phishing“bug”1.2IntranetIntranet[3]IntranetIntranet“”-3-[4]1.3IntranetIntranetIntranetIntranet-4-IntranetIntranetIDCIPSIntranetVPNIntranet-5-Intranet2.1Intranet[5][6]IntranetInternetIntranet2.1.1Intranet[8][9]IntranetInternetDMZ[7]InternetInternetInternetInternetInternetDMZIntranetIntranetIntranet-6-2.1.2Intranet3internetDMZinternetCisco3725CiscoCatalyst2900XLNOKIANOKIAIP12602900XLNOKIAVRRPDMZDNSSMSDMZDMZDMZDMZFarmVIPSMGFarmDMZDMZDNSSMSCiscoCatalyst2950ChannelradwareCID2.1:IntranetFig2.1:thestructureofIntranet(initial)Intranet-7-[10][11]Intranet2.2IntranetIntranetIntranetIntranetIntranet2.2.1[13]2.1IntranetOAMISIntranetOANOKIAPIXIntranet-8-OAOAOACiscoCatalyst3550FailoverCiscoPIX52535506509inboundIntranetIntranetIntranetIntranetIntranet2.2:IntranetFig2.2:thestructureofIntranet(afterredress)IntranetIntranet-9-2.2.2Intranet[12]IntranetIntranetIntranetIntranetIDCIPSIntranetIntranet2.2.3IDCIPS[14][15][16]IPSIDCIDCIPSIntranetDMZinternetIDCIDCIDSIPSIPSDoSDDoSIntranetIPSIPSIPSPCInternetIDCIPSIntranet-10-2.3IDCIPSFig2.3:thedesignoftheIDCandIPSsystemIDCIPSinternetIDCNOKIAIDCIDCIPS2.2.4Intranet[17][18]IntranetIntranetHTTPPCNORTONIntranet-11-IT2.2.5DMZ2.4Fig2.4:thewholestructureofsecuregatewayofemailIntranet-12-IntranetVPN2.2.6IntranetIntranetIntranet2.5:IntranetFig2.5:thewholestructureofIntranetsecurityIntranet-13-IntranetIntranet2.32.12.1:NOKIANokiaIP1260CISCOCISCOPIX525RadwareRadwareCIDRadwareRadwareWSDPacketeerPacketeerPacketSharper6500BlueCoatHTTPBlueCoatProxySG-800-3SymenticSymenticSGSIs-oneIDSsymantecsymantecIP7160McAfeeMcAfeeWebShielde1000SMGHW302RSAmobileIntranet-14-2.4IntranetIntranetIntranetIntranetIntranetIPSIDC-15-IPSIDCIntranetIDCIPS3.1IPSIDC[21]IDCIPSIntranetIPSIDCIDCIPSIntranetDMZinternetIDCIDCIDSIPSIPSDoSDDoSIntranetIPSIPSIPSPCInternetIDCIPSIPSIDC-16-3.1IDCIPSFig3.1:thesignoftheIDCandIPSsystemIPSIPSDoSDDoSIntranetIPSIntranetIDS3.2IPSIPSIntranetCPU15IPSIDC-17-3.2CPUFig3.2:theusingfrequencyofthefirewall’sCPUcomebackIPS2126McAfeeIPS315347026631513.1IPSAttackCountPerSensor#SensorAlertCountAttackCountBlockedAttackCount1.shmccips7971831534702663151IPSIPSintruShield4010IntruShield4010OA/DOSNokiaCheckpointIntruShield4010IntruShield4010SensorIntruShieldManagerIPSIDC-18-IPSIPSIPSIPS3.3IPSIPS20061210OA10DMZNOKIACPUIdle3%3.3CPUFig3.3:theusingfrequencyofthefirewall’sCPUintheperiodoffaultMcafeeIPSIPSIDC-19-3.4IPSFig3.4:IPSappearmachattacknoticesDoSUDPDoSIPSIPSblockIPS15:04IPSIDC-20-3.5CPUFig3.5:theusingfrequencyofthefirewallcomebackIPSInboundUDPPacketVolumeTooHighBlockDOS9blockDOSIPSIPSDOSIPSIPSIPSIPSIntranetIDCinternetIDCNOKIAIDCIDCIPSIDSIPSIPSIPSIDC-21-3.4IDCIPSIDCIDSIDCIntranet-22-IntranetIDCIPSIntranetEmail[19][20]4.1BlueCoatProxySG800-3WANSWNOKIA-1NOKIA-2SWCS-SW-CIS-05CS-SW-CIS-06BlueCoat-1BlueCoat-2CID-1CID-2Packeteer-1Packeteer-26509-16509-2W1W2N1N2L1L2L3L4L5L6L7L8L9-L12L13L14L15L16WANSWNOKIA-1NOKIA-2SWCS-SW-CIS-05CS-SW-CIS-06BlueCoat-1BlueCoat-2CID-1CID-2Packeteer-1Packeteer-26509-16509-2W1W2N1N2L1L2L3L4L5L6L7L8L9-L12L13L14L15L164.1Fig4.1:installProxyNimuda3721MSNYahooGoogle-23-4.2PCPCPCQQPCNORTONIT32000OA4.2Fig4.2:VirusStatbedetectedbyFenseVirusSystem-24-4.3Fig4.3:theStatofresultofdestroyvirus4.34.314NORTON-25-4.4-26-E-mail5.1DMZDMZDMZDNSSMSMcAfeeWebShielde10005.1Fig5.1:thestructureofsecuregatewayofemail(initial)-27-McAfeeMcAfeeIntranetDMZ5.2Fig5.2:thewholestructureofsecuregatewayofemailMcAfeeWebShielde1000SMGinternetemailSMGInboundSMG-28-SMGWSDWSDWebShield20064SMGSMGSMG5.3SMG5.3SMGFig5.3:amountoftrashbefiltrat