2019-2020-1 semester, 20192431, "Cyberspace Security Introduction": learning summary for the ninth week

Chapter 3: Network security
1, Network security concept: every research area concerned with the theory and technology of the confidentiality, integrity, availability, authenticity and controllability of network information belongs to network security.
2, Network security involves computer science, network technology, communication technology, cryptography, information security technology, applied mathematics, number theory, information theory and other disciplines; it is a comprehensive field. Network security includes the security of network hardware resources and of information resources.
3, Network management concept: a general term for the activities needed to supervise, organize and control network communication services and information processing.
4, Network security features:
1) Reliability: covers hardware reliability, software reliability, personnel reliability and environmental reliability. Hardware reliability is the most intuitive and common. Software reliability is the probability that a program runs successfully within a specified time. Personnel reliability is the probability that staff successfully complete a job or task. Personnel reliability plays an important role in the overall reliability of the system.
2) Availability: the property that network information can be accessed by authorized entities and used on demand. Availability ensures that network information services are open to authorized users or entities when they need them.
3) Confidentiality: the property that network information is not disclosed to, or made available for use by, unauthorized users, entities or processes.
4) Integrity: the property that network information cannot be changed without authorization, i.e. it is not accidentally or deliberately deleted, modified, forged or otherwise altered while stored or in transmission.
5) Controllability: the ability to control the dissemination and content of information.
6) Auditability
5, Common network topologies:
1) Bus: fault diagnosis is difficult, fault isolation is difficult, terminals must be intelligent
2) Star: heavy cabling requirements and difficult installation, hard to extend, excessive dependence on the central node, prone to bottlenecks
3) Ring: a failed node causes the whole network to fail, fault diagnosis is difficult, the network is not easy to reconfigure, and the access protocol is affected.
4) Tree: excessive dependence on the root node.
6, OSI seven-layer model and security architecture:
The OSI seven-layer model:
1) Application layer: the interface for accessing network services. Common application-layer protocols: Telnet, FTP, HTTP, SNMP, DNS.
2) Presentation layer: provides data format conversion services such as encryption and decryption. Common applications: URL encryption, password encryption, image encoding and decoding.
3) Session layer: establishes connections between end points and provides access authentication and session management.
4) Transport layer: provides logical communication between application processes. Common applications: TCP, UDP, processes, ports.
5) Network layer: creates logical links between nodes for data transmission and forwards data packets. Common applications: routers, multilayer switches, firewalls, IP, IPX and so on.
6) Data link layer: establishes logical link communication between communicating entities.
7) Physical layer: provides transmission of the raw bitstream between data terminals. E.g.: cables, repeaters, optical fiber.
7, How the OSI protocol stack operates:
Briefly, on the sending side the data is encapsulated from the upper layers down to the lower layers: each layer adds its own header to the data handed down by the layer above and then passes the result to the next layer down.
On the receiving side the process is reversed: each layer removes its header from the data unit and passes the rest up to the layer above, until the application layer parses it and the user sees the content. This unwrapping from the lower layers to the upper layers is called unpacking (decapsulation).
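The wrap-and-unwrap process of item 7, as an added example that is not part of the original notes: a payload is wrapped in UDP, IPv4 and Ethernet II headers, and the receiver strips them bottom-up, validating each header before trusting the next. The ports, addresses and MAC values in `SAMPLE` are constructed for illustration.

```python
import socket
import struct
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

def checksum16(data: bytes) -> int:
    """Internet checksum (RFC 1071): one's-complement sum of 16-bit words."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(payload, sport, dport, src_ip, dst_ip, src_mac, dst_mac):
    """Sending side: each layer prepends its own header to the upper-layer data."""
    # Transport layer: 8-byte UDP header (checksum 0 = not computed, legal over IPv4)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # Network layer: 20-byte IPv4 header, checksum filled in after packing
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", checksum16(ip)) + ip[12:]
    # Data link layer: 14-byte Ethernet II header
    return dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp

def decapsulate(frame: bytes) -> dict:
    """Receiving side: strip headers bottom-up, validating each one first."""
    if len(frame) < 14 + 20 + 8:
        raise ValueError("frame too short")
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("unexpected EtherType")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or checksum16(ip[:ihl]) != 0:
        raise ValueError("bad IPv4 header")
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != IPPROTO_UDP or not ihl + 8 <= total_len <= len(ip):
        raise ValueError("bad IPv4 length or protocol")
    udp = ip[ihl:total_len]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if udp_len != len(udp):
        raise ValueError("UDP length mismatch")
    return {"src_mac": src_mac, "src_ip": socket.inet_ntoa(ip[12:16]),
            "dst_ip": socket.inet_ntoa(ip[16:20]), "sport": sport,
            "dport": dport, "payload": udp[8:]}

SAMPLE = dict(payload=b"hello", sport=40000, dport=53,  # constructed sample values
              src_ip="192.0.2.10", dst_ip="192.0.2.53",
              src_mac=bytes.fromhex("020000000001"), dst_mac=bytes.fromhex("020000000002"))
if __name__ == "__main__":
    print(decapsulate(encapsulate(**SAMPLE)))
```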
8, OSI security architecture:
1) Physical layer: set a connection password.
2) Data link layer: set PPP authentication, switch port priority, MAC address security, BPDU guard and fast ports.
3) Network layer: set routing protocol authentication, extended access lists, or firewalls.
4) Transport layer: set FTP passwords, transmission keys and the like.
5) Session layer / presentation layer: public-key and private-key cryptography should be set at these two layers.
6) Application layer: set NBAR and an application-layer firewall.
The OSI security architecture defines five types of security-related services, including authentication (identification) services, access control services, data security services and non-repudiation services.
Authentication services: authentication of the communicating peer entity and of the data source.
Access control: prevents data exchanged between network systems from being leaked through unauthorized access or interception, providing confidentiality protection. It also guards against cases where information could be derived by observing the information flow.
Data confidentiality services: preventive role of
Data integrity services: prevent illegal entities from modifying, inserting or deleting exchanged data, and prevent data from being lost during the exchange.
Non-repudiation services: prevent the sender from denying having sent the data, and prevent the receiver from denying having received the data or from falsifying the data it received.
9, The TCP/IP protocols and security:
Many network attacks are caused by vulnerabilities inherent in the network protocols.
TCP/IP four-layer model:
1) Application layer: covers the OSI application, presentation and session layers
2) Transport layer
3) Network layer
4) Network interface layer
10, Network layer protocols:
1) IP: the core protocol of the network layer, and an important one.
2) ARP: converts a computer's network address (the 32-bit IP address) into a physical address (the 48-bit MAC address).
11, Transport layer protocols: TCP / UDP
12, Application layer protocols: HTTP / HTTPS
13, Security encapsulation protocols:
1) IPSec: works at the network layer; all network channels are encrypted.
2) SSL: operates between two points, for some applications.
3) S-HTTP: supports end-to-end secure transmission.
4) S/MIME: Secure/Multipurpose Internet Mail Extensions
Wireless LAN security issues: eavesdropping, interception or modification of transmitted data, denial of service
Wireless LAN security protocols: WEP; WPA; WPA2; WAPI
External factors that affect network security are called threats; internal factors are called vulnerabilities.
Categories of threats: security vulnerabilities in systems and application software; security policy; backdoors and Trojans; viruses and malicious website traps; hackers; security awareness; security problems caused by the bad behavior of staff inside the user's network
Vulnerabilities:
Operating system vulnerabilities: dynamic linking; process creation; empty passwords and RPC; super-user
Vulnerability of the computer system itself
Electromagnetic leakage
Accessibility of data
Weaknesses of communication systems and communication protocols
Database system vulnerabilities
Vulnerability of network storage media
Dealing with cyber security risks at the national strategic level

1. Introduce a network security strategy and improve the top-level design
2. Build a network identity system and create a trusted cyberspace
3. Strengthen core technology R&D capability and form a controllable network security industry ecosystem
4. Strengthen network attack and defense capabilities and build a security defense system that covers both offense and defense
5. Deepen international cooperation and gradually increase the international voice in cyberspace
Dealing with security risks at the technical level
1. Authentication technologies: biometrics; password authentication; token authentication
2. Access control
   1. The three elements of access control: subject, object, control policy
   2. Access control function and principle: Function: ensure that legitimate users can access protected network resources, and prevent illegitimate subjects from entering protected network resources. Access control comprises: authentication, control policy, security audit
   3. Access control types: discretionary access control; mandatory access control; role-based access control
   4. Comprehensive access control strategy: network access control; network permission control; directory-level security control; attribute security control; network server security control; network monitoring and lock control; network port and node security control
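The three access control types listed above, applied to one subject/object pair, as an added example that is not part of the original notes. The users, roles, labels and policy are constructed, and the mandatory check uses the Bell-LaPadula rules (no read up, no write down) as one common mandatory model, which is an assumption the notes do not state.

```python
from dataclasses import dataclass, field

LEVELS = {"public": 0, "internal": 1, "secret": 2}   # constructed sensitivity labels
ROLE_PERMS = {                                        # constructed RBAC policy
    "operator": {("router-config", "read"), ("router-config", "write")},
    "auditor": {("router-config", "read")},
}
AUDIT_LOG = []   # security audit: every decision is recorded

@dataclass
class Subject:
    name: str
    clearance: str
    roles: set = field(default_factory=set)

@dataclass
class Resource:                                # the "object" element
    name: str
    owner: str
    label: str
    acl: dict = field(default_factory=dict)    # DAC grants chosen by the owner

def dac(s, o, action):
    """Discretionary: the owner decides who else may do what."""
    return s.name == o.owner or action in o.acl.get(s.name, set())

def mac(s, o, action):
    """Mandatory (Bell-LaPadula style): no read up, no write down."""
    sl, ol = LEVELS[s.clearance], LEVELS[o.label]
    return sl >= ol if action == "read" else sl <= ol

def rbac(s, o, action):
    """Role-based: permissions attach to roles, not to individual users."""
    return any((o.name, action) in ROLE_PERMS.get(r, set()) for r in s.roles)

MODELS = {"dac": dac, "mac": mac, "rbac": rbac}

def decide(model, s, o, action, authenticated=True):
    """Authenticate, apply the control policy, audit the result; default deny."""
    allowed = (authenticated and action in ("read", "write")
               and MODELS[model](s, o, action))
    AUDIT_LOG.append((model, s.name, o.name, action, "allow" if allowed else "deny"))
    return allowed

ALICE = Subject("alice", "internal", {"operator"})
BOB = Subject("bob", "secret", {"auditor"})
CONFIG = Resource("router-config", "alice", "internal", {"bob": {"read"}})
```

The same request can get different answers under each model: `decide("mac", BOB, CONFIG, "write")` is denied as a write down even though Bob's clearance is higher than the object's label.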
3. Intrusion detection technology
   1. An intrusion detection system is a network device that monitors the network in real time, detects suspicious data and takes timely active measures
   2. Common intrusion detection techniques: anomaly detection; feature (signature) detection; file integrity checking
4. Monitoring and audit technology
   1. Network security audit: in a specific network environment, in order to protect the network and its data from intrusion and destruction by outside and inside users, various technical means are used to collect and monitor, in real time, the system state and security incidents of the components of the network environment, so that alarms, analysis and handling can be centralized
   2. Methods of network security audit: log audit, host audit, network audit
5. Honeypots
   1. Honeypot technology has two meanings: first, it lures attackers so that vulnerabilities in the network can be discovered; second, a honeypot does not repair the damage caused by attacks, so as to obtain as much information about the attacker as possible
   2. Honeypot classification:
      by application platform: real-system honeypots; pseudo-system honeypots
      by deployment purpose: production honeypots; research honeypots
      by level of interaction: low-interaction honeypots; high-interaction honeypots
Common network management techniques: daily operation and maintenance inspection; vulnerability scanning; application code review; system security hardening; graded security evaluation; security supervision and inspection; emergency response and handling; security configuration management
Chapter 7 (sections 2 and 3)
1, Cloud security:
Definition of cloud: a pool of computing resources, usually large clusters of servers. By technical architecture, clouds can be divided into three layers: software as a service, platform as a service and infrastructure as a service. By the objects they serve, clouds can be divided into public, private and hybrid clouds.
2, Cloud computing: a computing approach that gathers on-demand services into an efficient resource pool.
Cloud computing is the product of the integration of traditional computer and network technologies such as distributed computing, parallel computing, utility computing, network storage, virtualization, load balancing and hot-standby redundancy.
3, Cloud services: infrastructure as a service, platform as a service, software as a service.
4, cloud hosting
5, Smart
6, Cloud security challenges:
How to address the new risks brought by new technologies; how to plan for the risks brought by resources, data and so on; how to implement the requirements of policies and regulations; and how to manage the risks of operating and maintaining the cloud and its resources.
1) New technology: controllability, dynamism, virtual machine escape
2) Centralization:
   1) Security protection of the cloud data center has issues in network planning and design, system identification and migration, concentrated permissions, and so on.
   2) Risk of cloud platform administrators abusing their privileges
   3) Security isolation of users
   4) Users in the resource pool competing for resources and launching malicious attacks
3) Compliance
4) Operation and maintenance management
7, Security in the cloud:
Cloud security standards: CSA, ENISA, NIST, OWASP, CPNI, SANA, PCI-DSS
Cloud security construction:
1) Physical security: consider access control, fire protection, temperature and humidity control, electromagnetic shielding
2) Network security: achieved through FW, IDS/IPS, DDoS, VPN and the like.
3) Host security: terminal security needs to be considered
4) Virtualization security: consider hardening the virtualization platform, hardening and isolating virtual machines, monitoring virtual networks, and preventing malicious VMs
5) Application security: can be built through multi-factor authentication for access
6) Data security: information can be protected through data access control and similar measures.
8, Internet of Things (IoT) security:
Definition of the Internet of Things
Layered architecture and characteristics of the IoT: a data perception part, a network transmission part and an intelligent processing part
Perception layer: solves the problem of acquiring data from the human world and the physical world
Transport layer: also called the network layer; solves the problem of transmitting the data obtained by the perception layer over long distances. Its main functions are access and transmission; it is the data path over which information is exchanged and transmitted.
Application layer, also called the processing layer: solves the problems of information processing and the human-machine interface
Information is not passed between the layers in one direction only; there is also interaction and control.
10, The IoT has three functions:
1) comprehensive perception
2) reliable delivery
3) intelligent processing
11, Security characteristics of the IoT:
IoT devices such as sensors and consumer objects
IoT devices can establish connections with other devices in unpredictable, dynamic ways.
An IoT deployment comprises a set of identical or similar
IoT devices are configured with high-tech components to obtain a longer service life than ordinary devices
Connected devices are designed with no ability to be upgraded, or the upgrade process is cumbersome and impractical
IoT devices operate in a manner
IoT appliances such as environmental sensors are embedded in the environment, but it is difficult for users to notice the device or monitor its operating state.
12, Security challenges facing the IoT:
standards and metrics, regulations, shared responsibility, the trade-off between cost and security, disposal of obsolete equipment, scalability, data confidentiality, authentication and access control technology
13, IoT security architecture
14, control engineering and safety

Origin www.cnblogs.com/beauty-666/p/11991427.html