西电电子对抗所

NetworkSecurityandPrivacyChapter1:SecurityIntroduction西电电子对抗所Security:IntheBeginning……Intheearlydaysofdataprocessing,thesecurityofinformationwasprovidedprimarilybyphysicalandadministrativemeans.Computerbuildings,floors,roomswereguardedandalarmedtopreventoutsidesfromintrudinganddisruptingoperations.Thefocuswasonphysicalbreak-ins,thetheftofcomputerequipment,andthephysicaltheftordestructionofdiskpacks,tapereels,punchcards,orothermedia.Insiderswerekeptatbyandaccesswaslimitedtoasmallsetofcomputerprofessionals.西电电子对抗所InformationSecurityTherequirementsofinformationsecuritywithinorganizationshaveundergonetwomajorchanges:Theintroductionofsharedsystemssuchastime-sharedand/orsystemsthatcanbeaccessedoverthepublictelephoneordatanetworks.Theintroductionofdistributedsystemsandtheuseofnetworksandcommunicationsfacilitiesforcarryingdatabetweenterminaluserandcomputerandbetweencomputerandcomputer.西电电子对抗所SecurityIntroductionComputervs.NetworkSecurityComputersecurityisthegenerictermforacollectionoftoolsdesignedtoprotectdataandtothwarthackers.Networksecurityisthesecuritymeasuresthatareneededtoprotectduringtheirtransmission.Inmostsystems,theboundariesbetweencomputersecurityandnetworksecurityareblurredsincemost,ifnotall,oftoday’ssystemsaredistributedinnature.Networkingisacorepartoftoday’senvironment.西电电子对抗所ThedegreeofSecurityCurtainLockDemi-wolfSecurityalarmingsystemFencing,guard西电电子对抗所SecurityGoalsIntegrityConfidentialityAvailability西电电子对抗所SecurityIntroductionSecurityServicesConfidentialityistheprotectionoftransmitteddatafrompassiveattacks.Authenticationisconcernedwithassuringthatacommunicationisauthentic.Integrityassuresthatmessagesarereceivedassent.Aconnection-orientedintegrityserviceshouldassurethattherearenoduplicates,insertions,deletions,modifications,reordering,orreplays.Aconnectionlessintegrityservicesdealsonlywithanindividualmessage.西电电子对抗所SecurityIntroductionSecurityServicesNon-repudiationpreventseitherthesenderorreceiverfromdenyingatransmittedmessage.AccessControlistheabilitytolimitandcontroltheaccesshostsystemsandapplicationsviacommunicationslinks.Availabilityistheabilitytopreventthelossorareductioninavailabilityofelementsofadistributedsystem.西电电子对抗所NetworkTopology西电电子对抗所HierarchyofNetworkSecurityPhysicalSecuritySecurityControlSecurityServicePhysicalmediumOS,NICInternetworkingDeviceSecurityMechanismSecurityconnectionSecurityprotocolSecuritypolicy西电电子对抗所SecurityRisksExploitationofvulnerabilityUnauthorizedAccessInformationdisclosureInformationexhaustInformationtheft西电电子对抗所TypesofRisksSniffer窃听Impersonate假冒Replay重放Trafficanalysis通信量分析Loseofintegrity破坏完整性Denialofservice拒绝服务UnauthorizedAccess非授权访问Trapdoor/TrojanHorse/Virii恶意代码西电电子对抗所MotivesIndustryespionageFinancialgainsRevenge/publicityInnocence西电电子对抗所NetworkAttacksSecurityAttack:Anyactionthatcompromisesthesecurityofinformationownedbyanorganization.SecurityMechanism:Amechanismthatisdesignedtodetect,prevent,orrecoverfromasecurityattack.SecurityService:Aservicethatenhancesthesecurityofdataprocessingsystemsandinformationtransfers.Asecurityservicemakesuseofoneormoresecuritymechanisms.Designedtocountersecurityattacks西电电子对抗所StepsofNetworkAttacksInformationgatheringScanningvulnerabilitiesAttacking…西电电子对抗所16TheStagesofaNetworkIntrusion1.Scanthenetworkto:•locatewhichIPaddressesareinuse,•whatoperatingsystemisinuse,•whatTCPorUDPportsare“open”.2.Run“Exploit”scriptsagainstopenports3.GetaccesstoShellprogramwhichis“suid”(has“root”privileges).4.DownloadfromHackerWebsitespecialversionsofsystemsfilesthatwillletCrackerhavefreeaccessinthefuturewithouthiscputimeordiskstoragespacebeingnoticedbyauditingprograms.5.UseIRC(InternetRelayChat)toinvitefriendstothefeast.西电电子对抗所AttackingMethodsSystembugs/BackdoorsSecurityAwarenessFirewallInternalusersLackofMeanstoSecurityAuditingPasswordDenialofServiceWeb/CGI西电电子对抗所FourSecurityAttackCategoriesInterruptionAttackonavailabilityInterceptionAttackonconfidentialityModificationAttackonintegrityFabricationAttackonauthenticity西电电子对抗所NormalFlowNormalFlowistheflowofinformationfromaninformationsource,suchasafile,oraregionofmainmemory,toadestination,suchasanotherfileoruser.西电电子对抗所InterruptionAnassetofthesystemisdestroyedorbecomesunavailableorunusable.Thisisanattackonavailability.Examples:Thedestructionofhardware,thecuttingofacommunicationline,orthedisablingofthefilemanagementsystem.西电电子对抗所InterceptionAnunauthorizedpartygainsaccesstoanasset.Thisisanattackonconfidentiality.Theunauthorizedpartycouldbeaperson,aprogram,oracomputer.Examples:Wiretappingtocapturedatainanetworkandtheunauthorizedcopyingoffilesorprograms.西电电子对抗所ModificationAnauthorizedpartynotonlygainsaccesstobuttamperswithanasset.Thisisanattackonintegrity.Examples:Changingvaluesinadatafile,alteringaprogramsothatitperformsdifferently,ormodifyingthecontentofmessagesbeingtransmittedinanetwork.西电电子对抗所FabricationAnauthorizedpartyinsertscounterfeitobjectsintothesystem.Thisanattackonauthenticity.Examples:theinsertionofspuriousmessagesina