信息安全管理：网络安全

1 网络的定义和特征

1.1 网络的定义

（根本懒得说。。你们自己wiki吧）
网络的用处

• What is a network…
• Devices in a network…
• LAN, WAN and Internetworks
• What do networks do for you…
  • Sharing resources
  • Use/share applications

1.2 网络的特征 Characteristics of networks

– Anonymity
– Automation
– Distance
– Opaqueness
– Routing diversity

1.3 Network Topology

2 TCP/IP

• Protocols…
• Open Systems
  • ANSI , IETF, ISO, IAB

2.1 ISO – OSI Reference Model - 7 Layers

• Application：End user processes like FTP, e-mail, etc.
• Presentation：Format, Encrypt data to send across network
• Session：Establishes, manages and terminates connections between applications
• Transport：End-to-end error recovery, flow control, priority services
• Network：Switching, Routing, Addressing, internetworking, error handling, congestion control and packet sequencing
• Data-link：Encoding, decoding data packets into bits. Media Access Control Sub-layer : Data access/transmit permissions. Logical Link Sub-layer : Frame synchronisation, flow control, error checking.
• Physical: Conveys the bit stream (electrical, light, radio)
  All People Seem To Need Data Protection
  People Do Not Trust Sales People Always

ISO-OSI七层结构

TCP/IP

2.2 相关协议

• Application layer – FTP, Telnet, DNS, DHCP, TFTP,RPC,NFS, SNMP..
• Transport layer – TCP, UDP
• Internet Layer – IP, ICMP, ARP, bootp…
• Organisations / entities : ICANN, IETF, IAB, IRTF, ISOC, W3C
• Other Protocols
  • IPX/SPX
  • ATM
  • DECnet
  • IEEE 802.11
  • AppleTalk
  • USB
  • SNA

3 网络的安全隐患

3.1 网络不安全的原因

What makes network vulnerable

• Anonymity
• Multiplicity of points of attack
• Resource sharing
• Complexity of system
• Uncertain perimeter
• Unknown path
• Protocol flaws / protocol implementation flaws

3.2 网络攻击的动机

Motivations of network attacks

• Challenge
• Fame
• Organised Crime
• Ideology
• Espionage / Intelligence

4 网络安全的威胁

Threats in Networks

4.1 侦察

Reconnaissance

• Port Scan
• Social Engineering
• Intelligence gathering
• O/S and Application fingerprinting
• IRC Chat rooms
• Available documentation and tools
• Protocol flaws / protocol implementation flaws

4.2 网络传输过程中的威胁

Threats in Transit

• Eavesdropping / Packet sniffing
• Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)

4.3 网络冒充

Impersonation

• Password guessing
• Avoiding authentication
• Non-existent authentication
• Well-known authentication
• Masquerading
• Session hijacking
• Man-in-the-middle

4.4 信息私密性威胁

Message Confidentiality Threats

• Mis-delivery
• Exposure – in various devices in the path
• Traffic Flow analysis – sometimes the knowledge of existence of message
  can be as important as message content

4.5 信息完整性威胁

Message Integrity Threats

• Falsification
• Noise
• Protocol failures / misconfigurations

4.6 基于操作系统的威胁

Operating System based Threats

• Buffer-Overflow
• Virus , Trojans, rootkits
• Password

4.7 基于应用程序的威胁

Application based Threats

• Web-site defacement
• DNS cache poisoning
• XSS (Cross-site Scripting)
• Active-code / Mobile-code
• Cookie harvesting
• Scripting

4.8 拒绝服务

Denial of service

• Syn Flooding
• Ping of death
• Smurf
• Teardrop
• Traffic re-direction
• Distributed Denial of Service
  • Bots and Botnets
  • Script Kiddies

5 网络安全控制

Network Security Controls

5.1 弱点和威胁分析

Vulnerability and Threat assessment

5.2 网络结构控制

Network Architecture

• Network segmentation
• Architect for availability
• Avoid SPOF (single points of failure)
• Encryption
  • Link encryption
  • End-to-end encryption
  • Secure Virtual Private Networks
  • Public Key Infrastructure and Certificates
  • SSL and SSH

5.3 增强加密系统

Strong Authentication

• One Time Password
• Challenge Response authentication
• Kerberos

5.4 防火墙设置

Firewalls

• Packet Filters
• Stateful Packet Filters
• Application proxies
• Diodes
• Firewall on end-points

5.5 入侵检查和防御系统

Intrusion Detection / Prevention Systems

• Network based / host based
• Signature based
• Heuristics based / protocol anomaly based
• Stealth mode

5.6 使用政策和规程

Policies and Procedures

• Enterprise-wide Information Security Policy
• Procedures
• Buy-in (from Executives and employees)
• Review, enhancement and modification

5.7 其他网络控制方式

1. Data-Leakage Protection systems
   • Network based / host based
2. Content scanning/Anti-Virus/Spyware Control systems
   • Network based / host based
3. Secure e-mail Systems
4. Design and implementation
5. ACLs (Access Control Lists)