Chapter Network Security
Network Security and Management Overview
The concept of network security
network security is involved in a comprehensive field of computer science, network technology, communication technology, cryptography, information security technology, applied mathematics, number theory, information theory, etc.
Network security including network security hardware resources and information resources.
Network hardware resources, comprising: a communication line, a communication device, the host and the like.
Information resources include: maintenance of network services running system software and application software, and user information and other data in the network storage and transmission.
The concept of network management
network management is a generic term for a variety of supervised activities, organize and control network communications services, and information necessary for the processing.
Purpose: To ensure continued normal operation of the computer network, the network resources more effectively, with an exception of computer networks to run when timely response and troubleshooting.
From the management category to category: management of network devices
to access internal computers, servers and other management of
the management of the behavior of
the network device hardware asset management.
It features network security
in general, to protect the network security and network management technology or means reliability, availability, confidentiality, integrity, controllability, namely the review of the network has the characteristics of network security.
1) Reliability: network information system and can be completed within a predetermined time characteristic of a predetermined function under predetermined conditions. Mainly in terms of hardware reliability, software reliability, human reliability, environmental reliability.
2) Availability: network characteristic information refers to authorized entities may be used to access and demand-driven.
3) Confidentiality: Confidentiality refers to the network information is not disclosed to the user, unauthorized entities or processes, or for the characteristics of their use.
4) Integrity: Integrity is the characteristic of the network information can not be changed without authorization.
5) Control: controllable means having the ability to control the dissemination of information and content.
6) auditability: is based on the time and means to provide safety problems.
Common network topology
network topology structure refers to the way the network, each node represents a geometric logically connected to the geographically dispersed. Which determines the principle of network transmission and network information. There are common bus topology, star, ring and tree-like.
1, bus topology:
bus topology network is to connect all of the workstations or network devices on the same physical medium. Its simple structure connecting, addition and deletion of nodes is more flexible.
However, the following security flaws:
1) Fault diagnosis is difficult (though simple in structure, high reliability, the fault detection is difficult, because it is not a centralized network control, fault detection is required at each node on the entire network, the device must be removed and reconnected to determine the fault is caused by some nodes.)
2) fault isolation is difficult (e.g., a failure occurs in the node, the node will simply removed, if occurring on the conductive medium, the entire bus will have to cut)
3) must be intelligent terminal (the above is generally not provided with a control device of the network, each node transmits data in competitive manner, would constitute a conflict on the bus, the node must be a medium access control function)
2, the star topology
of nodes and through the central point link to the central node of each site composition. (Commonly referred to as a central node device adapter, concentrator or repeater)
security flaws:
1) demand for large and difficult to install the cable
2) Development difficulties
3) is too large dependence on the central node
4) prone to " bottleneck "phenomenon (the central node relies on large amounts of data processing, and thus can cause overloading their complex structure, the system less secure)
3, ring topology
network ring topology by some of the repeaters and the repeater is connected to the point a closed loop-point link thereof.
Security flaws:
Fault 1) node of the whole network may cause malfunction
2) Fault diagnosis is difficult
3) is not easy to reconfiguring the network
4) Effect access protocol
4, the tree topology
is composed of evolution of the bus topology, which is shaped like an inverted tree. Coaxial cable as the transmission medium, and the use of broadband transmission technologies.
**
Network security infrastructure
OSI model and security system
1, consisting of seven layer model
from top to bottom are a physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.
The main functions are as follows:
2, the operating principle of the protocol
data from the upper layer to the lower layer packaging operations, each layer of the present layer is added on the basis of the data heads on the hierarchy data, and then passed to the next processing layer, this process commonly known as "packaging "
at the receiving end in the data unit header of each layer is removed, transferred to a layer treated as necessary until the user sees the application layer content after parsing. Process commonly known as "unpacking"
. 3, the OSI security architecture
have different security levels on different technologies:
Physical Layer: set the connection password
data link layer: PPP authentication setting, the priority of the switch port, MAC address security, the BPDU guard, fast port Wait.
Network layer: the router protocol validation, expand access lists, firewalls and so on.
Transport Layer: FTP password is provided, the transmission key and the like.
Session Layer Presentation Layer: public key cryptography, the private key password should be set up in two layers
Application layer: Set NBAR, application-layer firewall.
Five kinds of related security services:
authentication authentication service, service access control, data confidentiality service, data integrity service, non-repudiation services.
TCP / IP and the security protocol
1, the network layer protocol
(1) the IP protocol
(2) the ARP (Address Resolution Protocol)
2, a transport layer protocol
(1) the TCP
(2) the UDP
. 3, the application layer protocol
4, Encapsulating Security Protocol
(1 ) IPSec
(2) the SSL protocol strong text
(. 3) the HTTP-S
(. 4) S / the MIME
wireless network security
1, wireless LAN security
2, wireless LAN security protocol
several common encryption method:
(1) the WEP (Wired Equivalent Privacy )
(2) WPA (a WiFi network secure access)
(. 3) WPA2
(. 4) the WAPI
Identify network security risks
Threat
1) applications and software security vulnerabilities
2) Security Policy
3) back doors and Trojans
4) viruses and malicious Web sites trap
5) Hacker
6) safety consciousness
7) security issues misconduct user network in-house staff due to
the vulnerability of
1, the operating system itself vulnerability of
2, the computer system itself vulnerability
3, electromagnetic leakage
4, accessibility data
weakness 5, communication system and communication protocol
6, the database system vulnerability
7, fragile network storage medium
To deal with network security risks
从国家战略层面应对
1、出台网络安全战略,完善顶层设计
2、建设网络身份体系,创建可信网络空间
3、提升核心技术自主研发能力,形成自主可控的网络安全产业生态体系。
4、加强网络攻防能力,构建攻防兼备的安全防御体系
5、深化国际合作,逐步提升网络空间国际话语权
从安全技术层面应对
1、身份认证技术
2、访问控制技术······
3、入侵检测技术
4、监控审计技术
5、蜜罐技术
网络管理的常用技术
1、日常运维巡检
2、漏洞扫描
3、应用代码审核
4、系统安全加固
5、等级安全测评
6、安全监督检查
7、应急响应处置
8、安全配置管理
第七章 第三节 物联网安全
**
物联网概述
1、物联网的概念
2、物联网的层次构架与特征
物联网大致分为三个部分:
数据感知部分
网络传输部分
智能处理部分
3、物联网的典型应用领域
具备物理世界认知能力的应用
在网络融合基础上的泛在化应用
基于应用目标的综合信息服务应用
物联网的安全特征与架构
1、物联网安全问题与特征
2、物联网面临的安全挑战
3、物联网的安全架构
工控系统及其安全
1、工控系统的特征
2、工控系统的架构
3、工控系统安全