2019-2020 Semester 1, Student 20192427, "Introduction to Cyberspace Security": Week 9 Study Summary

Chapter 3 Network Security

3.1 Overview of network security and management

3.1.1 Network security concept

In the broad sense, all technologies and theories concerning the confidentiality, integrity, availability, authenticity, controllability and auditability of network information are research areas of network security.
Network security is an interdisciplinary subject that draws on computer science, network technology, communication technology, cryptography, information security technology, applied mathematics, number theory, information theory and other fields.
Network security covers both the hardware resources and the information resources of the network.
Network hardware resources include communication lines, communication devices (routers, switches, etc.) and hosts; a reliable physical network is the precondition for secure information exchange and delivery.
Information resources include the system software and application software that keep network services running, as well as user information and other data stored and transmitted in the network.
The security of information resources is an important part of network security.

3.1.2 The concept of network management

Network management refers to the general activities of supervising, organizing and controlling network communication services and the information processing they require. Its goal is to ensure that the computer network keeps running normally, that network resources are used more efficiently, and that exceptions occurring in the running network are responded to and resolved in time.
Network management technology has developed together with computer, network and communication technologies; the two complement each other.

3.1.3 network security features

1) Reliability: the characteristic that a network information system can complete its predetermined functions, within a predetermined time, under predetermined conditions. Reliability is the goal of all network information system construction and operation. It covers hardware reliability, software reliability, human reliability and environmental reliability.
2) Availability: the characteristic that network information can be accessed and used by authorized entities on demand. Availability guarantees that authorized users and entities can obtain services when needed, and that when part of the network is damaged or has to run in a degraded mode, authorized users can still receive effective service.
3) Confidentiality: the characteristic that network information is not disclosed to, or made available for use by, unauthorized users, entities or processes. Confidentiality prevents the disclosure of network information to unauthorized individuals or entities and makes it available only to authorized users.
4) Integrity: the characteristic that network information cannot be changed without authorization, i.e. that it is not accidentally or deliberately deleted, modified, forged, replayed, inserted or lost during storage or transmission.
5) Controllability: the ability to control the dissemination and content of information.
6) Auditability: the ability to provide the basis and the means for investigation when a security problem occurs.

3.1.4 common network topologies

Network topology refers to the structural form of a network; it shows, in geometric terms, how geographically dispersed nodes are logically connected to each other. The topology determines how the network works and how information is transmitted. Once a logical topology is chosen, an appropriate way of working must be chosen for it; otherwise hidden network security dangers are created, since the network topology itself can be the cause of security problems.
Common network topologies include bus, star, ring and tree.

  • 1 Bus topology
    A bus network connects all workstations or network devices to the same physical medium; each device is usually connected directly to the trunk cable. Because the bus structure is simple to connect, adding and removing nodes is flexible. Its weaknesses:
    1) Fault diagnosis is difficult: although the bus structure is simple and highly reliable, faults are hard to detect. Because a bus network has no centralized control, fault detection has to be carried out on every node of the whole network, and devices must be disconnected one by one to determine whether a given node has caused the fault. Moreover, since all devices are attached to the same bundle of cable, ruling out failures is also harder.
    2) Fault isolation is difficult: in a bus topology, if a fault occurs at a node, that node is removed from the network; if a fault occurs on the transmission medium, the whole bus must be cut.
    3) Terminals must be intelligent: there is generally no network control device on the bus, and each node sends data by contention, which inevitably causes collisions on the bus. The nodes connected to the bus must therefore have media access control functions, which requires the terminals to be intelligent.
  • 2 Star topology
    A star topology consists of a central node and the sites connected to it by point-to-point links.
    1) Large cable demand and difficult installation: because every site is directly connected to the central site, a lot of cable is needed, bringing problems of cable trenches, maintenance and installation.
    2) Difficult expansion: to add a new site, a new connection to the central node must be added, which requires a large amount of redundant cable to be laid in advance.
    3) Excessive dependence on the central node: if the central node fails, the result is fatal and can paralyse the whole network on a large scale.
    4) Prone to "bottlenecks": another big hidden danger of the star topology is that a large amount of data processing is done by the central node, so the central node becomes overloaded and complex, "bottlenecks" arise easily, and system security is poor.
  • 3 Ring topology
    In a ring topology, a set of repeaters is linked into a closed loop by point-to-point links. Each repeater is connected to two links, each site is connected to the network through a repeater, and data is transmitted in the form of packets. Since many devices share one loop, network control is needed.
    1) A single node failure brings down the whole network: data transmitted on the ring passes through every node connected to it, so a fault at any node on the ring causes the whole network to fail.
    2) Fault diagnosis is difficult: since a single node failure interrupts the whole network, every node has to be checked to diagnose a fault, which is hard.
    3) Reconfiguring the network is not easy: in this topology, expansion of the ring is constrained, and likewise it is not easy to shut down some of the nodes that have joined the network.
    4) It affects the access protocol: after each node on the ring receives data, it is responsible for sending it onward on the ring, so the access control protocol has to be considered: before a node sends data, it must know whether the transmission medium is available.
  • 4 Tree topology
    A tree topology evolved from the bus topology and is shaped like an inverted tree. It commonly uses coaxial cable as the transmission medium and broadband transmission technology.
    The main security flaw of the tree structure is its excessive dependence on the root node.

3.2 Network security infrastructure

3.2.1 OSI seven-layer model and security architecture

The abbreviation OSI also denotes the Open Source Initiative, a non-profit organization that promotes the development of open-source software; the OSI of the OSI Reference Model (OSI/RM), however, is Open Systems Interconnection. The model was developed jointly by the International Organization for Standardization (ISO) and the International Telegraph and Telephone Consultative Committee (CCITT). Its purpose is to provide a common basis and standard framework for interconnecting heterogeneous computers, and a common reference for keeping standards consistent and compatible. The "open systems" referred to here are computer systems that basically follow the OSI reference model and related protocols and can be interconnected for various application purposes. The model is the foundation of network technology and the basis for analysing and evaluating network technologies.
1. Composition of the seven-layer model
From the bottom up, the OSI reference model consists of the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. The main function of each layer:

Application layer: provides the interface for accessing network services, e.g. the interface through which the operating system or network applications access network services.
Presentation layer: provides data format conversion services such as encryption and decryption, image encoding and decoding, and data compression and decompression.
Session layer: establishes end-to-end connections and handles access authentication and session management.
Transport layer: provides logical communication between application processes.
Network layer: creates logical links for data transmission between nodes and forwards data packets.
Data link layer: establishes a logical communication link between the communicating entities.
Physical layer: provides transmission of the raw bit stream between data terminal equipment.

2. Operating principle of the OSI protocols
"Packaging" process: at the sending end, data is packaged from the upper layer down to the lower layer. Each layer adds its own header to the data unit received from the layer above and passes the result to the layer below. The process is therefore a top-down packaging process.
"Unpacking" process: at the receiving end, the reverse operation is performed on the data: each layer removes its own header from the data unit and passes it up to the layer above for processing, until the user sees the application-layer content. This is a bottom-up unpacking process.
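The packaging and unpacking process above, simulated in Python. This is an added example, not code from the original notes; the header format (a one-byte layer id plus a two-byte payload length per layer) is constructed for illustration, and the receiver checks each header as it strips it so that a truncated or mis-layered unit is rejected instead of being passed upward.

```python
"""Simulation of the OSI "packaging" (sender, top-down) and "unpacking"
(receiver, bottom-up) process. Constructed example: each layer prepends a
small header (layer id, payload length) to the unit it received from the
layer above, and the receiver removes one header per layer, verifying it."""
import struct
from typing import List, Tuple

# Layers ordered from the bottom (id 1) to the top (id 7).
LAYERS = ["physical", "data link", "network", "transport",
          "session", "presentation", "application"]
HDR = struct.Struct("!BH")  # 1-byte layer id, 2-byte payload length


def encapsulate(payload: bytes) -> bytes:
    """Sender side: walk from the application layer down to the physical
    layer, each layer prepending its own header to the unit it received."""
    unit = payload
    for layer_id in range(len(LAYERS), 0, -1):  # 7, 6, ..., 1
        unit = HDR.pack(layer_id, len(unit)) + unit
    return unit


def decapsulate(frame: bytes) -> bytes:
    """Receiver side: walk from the physical layer up, removing one header
    per layer. Each header must belong to the expected layer and its
    declared length must match what remains, otherwise the unit is dropped."""
    unit = frame
    for layer_id in range(1, len(LAYERS) + 1):  # 1, 2, ..., 7
        name = LAYERS[layer_id - 1]
        if len(unit) < HDR.size:
            raise ValueError("truncated unit at %s layer" % name)
        got_id, length = HDR.unpack_from(unit)
        if got_id != layer_id:
            raise ValueError("expected layer %d header, got %d" % (layer_id, got_id))
        unit = unit[HDR.size:]
        if len(unit) != length:
            raise ValueError("length mismatch at %s layer" % name)
    return unit


def trace(frame: bytes) -> List[Tuple[str, int]]:
    """List the headers from the outermost (physical) inward, showing how
    every layer only sees the unit handed down by the layer above."""
    out, unit = [], frame
    for _ in LAYERS:
        got_id, length = HDR.unpack_from(unit)
        out.append((LAYERS[got_id - 1], length))
        unit = unit[HDR.size:]
    return out
```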
3. OSI security architecture
The OSI security architecture is built on the OSI seven-layer protocol model, that is, it corresponds to the seven OSI layers. Different security technologies apply at different layers:

  • Physical layer: set connection passwords.
  • Data link layer: PPP authentication settings, switch port priority, MAC address security, BPDU guard, PortFast ports.
  • Network layer: routing protocol authentication settings, extended access lists, firewalls, etc.
  • Transport layer: FTP password settings, transport keys, etc.
  • Session layer and presentation layer: public keys and private keys should be configured at these two layers.
  • Application layer: NBAR settings, application-layer firewalls.
The OSI security architecture defines five types of security-related services: authentication (identification) service, access control service, data confidentiality service, data integrity service and non-repudiation service.
1) Authentication (identification) service: provides authentication (identification) of communicating peer entities and of data origin.
2) Access control service: prevents unauthorized users from illegally using system resources; it includes user authentication and confirmation of user permissions.
3) Data confidentiality service: protects data exchanged between network systems from leakage through unauthorized access or interception. It also prevents information from being inferred by observing traffic flows.
4) Data integrity service: prevents illegal entities from modifying, inserting or deleting exchanged data, and prevents data loss during the exchange.
5) Non-repudiation service: prevents the sender from denying having sent data after sending it, and prevents the receiver from denying or falsifying data after receiving it.

3.2.2 TCP/IP protocols and security

TCP/IP (Transmission Control Protocol / Internet Protocol) is the basic protocol suite of the Internet; in terms of the OSI model it consists of IP at the network layer and TCP at the transport layer. TCP/IP defines how electronic devices connect to the Internet and the standard by which data is transferred between them.
1. Network layer protocols
(1) The IP protocol is the core of TCP/IP and an important network layer protocol. As described above, the IP layer receives packets sent up from the lower layer (the network interface layer, such as an Ethernet device driver) and delivers them to the higher layer, the TCP or UDP layer; likewise, the IP layer receives packets from the higher TCP or UDP layer and passes them down to the lower layer. Note that IP packet data is unreliable, because IP has no mechanism to confirm that a packet was received undamaged or in order. An IP packet carries the address of the host that sent it (source address) and of the host that should receive it (destination address).
Taking the usual IPv4 as an example, when the higher-level (transport layer) TCP and UDP services receive a packet, they generally assume that its source address is valid. IP addresses therefore form the basis of many authentication services, which trust that a packet was sent from a valid host. The IP header includes the IP source routing option, which can be used to specify a direct path between source and destination addresses. For some TCP and UDP services, an IP packet using this option appears to arrive along the path from the last system it passed through rather than from its true origin. This makes services that rely on the IP source address for authentication vulnerable to attacks such as the common IP address spoofing attack.
(2) ARP (Address Resolution Protocol)
ARP translates a computer's network address (32-bit IP address) into a physical address (48-bit MAC address). To explain the role of ARP, one must understand the process of data transfer over the network.
2. Transport layer protocols
The transport layer mainly uses two protocols, TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). TCP provides a reliable, connection-oriented service, while UDP provides an unreliable, connectionless service.
(1) TCP
TCP uses a three-way handshake to establish a connection: the first packet is a SYN packet; the second is a SYN/ACK packet, which both acknowledges the first SYN and continues the handshake; the third is simply an ACK packet acknowledging the second.
If A is the connection initiator and B the responder, the possible threats between them are as follows:
1) The attacker monitors the SYN/ACK packet sent by B.
2) The attacker sends a RST to B, then sends a SYN packet, posing as A, to initiate a new connection.
3) B responds to the new connection and sends a SYN/ACK connection response packet.
4) The attacker, still posing as A, sends an ACK packet to B.
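A responder-side model of the handshake and of the threat sequence above, as an added example (not code from the original notes). The segment format, the endpoint labels and the detection rule are constructed for illustration: B picks a fresh random ISN per SYN and accepts the third packet only if it acknowledges exactly that ISN plus one, which is why the threat has to begin by observing B's SYN/ACK; the detector flags the RST-then-SYN pattern of step 2) from the same source.

```python
"""Model of party B in the TCP three-way handshake, plus a log-style
detection rule for the threat sequence (RST, then a SYN impersonating A).
Constructed example: the Segment record stands in for real TCP headers."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Segment:
    src: str          # constructed endpoint label such as "A"
    flags: str        # "SYN", "SYN/ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    t: float = 0.0    # constructed arrival time in seconds


class Responder:
    """Party B. A fresh random ISN is chosen for every SYN, and the third
    packet is accepted only if it acknowledges exactly isn + 1."""

    def __init__(self) -> None:
        self._reset()

    def _reset(self) -> None:
        self.state = "LISTEN"
        self.isn: Optional[int] = None
        self.peer_seq: Optional[int] = None

    def receive(self, seg: Segment) -> Optional[Segment]:
        if seg.flags == "RST":          # any RST tears the connection down
            self._reset()
            return None
        if seg.flags == "SYN" and self.state == "LISTEN":
            self.isn = secrets.randbelow(1 << 32)
            self.peer_seq = seg.seq
            self.state = "SYN-RECEIVED"
            return Segment("B", "SYN/ACK", seq=self.isn, ack=seg.seq + 1)
        if seg.flags == "ACK" and self.state == "SYN-RECEIVED":
            if seg.ack == self.isn + 1 and seg.seq == self.peer_seq + 1:
                self.state = "ESTABLISHED"
            else:
                self._reset()           # wrong acknowledgement: drop it
        return None


def handshake(responder: Responder, peer: str, sees_synack: bool) -> bool:
    """Run a handshake as `peer`. An initiator that cannot observe B's
    SYN/ACK has to guess the 32-bit ISN, which practically always fails;
    that is why the threat above starts by monitoring the SYN/ACK."""
    isn_a = secrets.randbelow(1 << 32)
    synack = responder.receive(Segment(peer, "SYN", seq=isn_a))
    ack_num = synack.seq + 1 if sees_synack else secrets.randbelow(1 << 32)
    responder.receive(Segment(peer, "ACK", seq=isn_a + 1, ack=ack_num))
    return responder.state == "ESTABLISHED"


def flag_rst_then_syn(segments: List[Segment], window: float = 1.0) -> List[str]:
    """Detection rule for step 2): a RST from a source followed, within
    `window` seconds, by a new SYN claiming the same source."""
    alerts: List[str] = []
    last_rst: Dict[str, float] = {}
    for seg in segments:
        if seg.flags == "RST":
            last_rst[seg.src] = seg.t
        elif seg.flags == "SYN" and seg.src in last_rst:
            if seg.t - last_rst[seg.src] <= window:
                alerts.append("%s: RST followed by SYN within %.1fs at t=%.1f"
                              % (seg.src, window, seg.t))
    return alerts
```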
(2) UDP
Because UDP packets have no fields guaranteeing reliability, flow control or ordering, UDP is less reliable. On the other hand, because UDP has fewer control options, data transmission has lower delay and higher efficiency, so it suits applications that are less demanding about reliability or that can protect reliability themselves.
It is difficult to build transport-layer security mechanisms on UDP-based communication. Compared with network-layer security, the main advantage of transport-layer security mechanisms is that they provide process-to-process (rather than host-to-host) security services. Combined with application-level security services, this can greatly enhance security.
3. Application layer protocols
There are many application layer protocols familiar from daily use for transmitting data, such as HTTP, HTTPS, FTP, SMTP, Telnet, DNS and POP3; in practice these protocols are used through application proxies.
From the client's point of view, the proxy server is equivalent to the real server; from the server's point of view, the proxy server is the real client. When the client needs data on the server, it first sends the request to the proxy server; the proxy server then requests the data from the server and transfers it to the client.
Since there is no direct data channel between the internal system and the external server, it is difficult for external malicious attacks to damage the internal network. The proxy service is transparent to the data below the application layer. An application proxy server supports proxying of application layer protocols.
4. Encapsulating security protocols
(1) IPSec is an encryption-based security protocol for IPv4 and IPv6. It uses the AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols to provide its security, and uses ISAKMP/Oakley and SKIP for key exchange, management and security negotiation.
IPSec operates at the network layer, and all network channels running over it are encrypted. IPSec security services include access control, data origin authentication, connectionless data integrity, anti-replay, data confidentiality and limited traffic flow confidentiality. It uses its authentication mechanism for access control: before two IPSec entities attempt to communicate, they must negotiate a SA (Security Association) through IKE and authenticate each other. Authentication uses a public-key signature scheme, with the Digital Signature Standard (DSS) algorithm or the RSA algorithm, and the public key is usually obtained from a certificate.

3.2 Network security infrastructure

3.2.1 OSI seven-layer model and security architecture

1. The OSI reference model (OSI Reference Model) was developed jointly by the International Organization for Standardization (ISO) and the International Telegraph and Telephone Consultative Committee (CCITT).
2. Composition of the seven-layer model
From bottom to top, the OSI reference model consists of the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer.
3. Operating principle of the OSI protocols
Packaging: at the sending end, data is packaged from the upper layer down to the lower layer; each layer adds its own header to the data unit from the layer above before passing it to the layer below for processing.
Unpacking: at the receiving end, each layer removes its own header from the data unit and passes it up to the layer above for processing, until the user sees the application-layer content.

The seven-layer model was established mainly to solve the compatibility problems encountered when heterogeneous networks are interconnected. Its biggest advantage is that it clearly distinguishes the three concepts of service, interface and protocol, and it also lets different functional modules of different networks share responsibilities.

4. OSI security architecture
The OSI security architecture is built on the OSI seven-layer protocol model, that is, it corresponds to the seven OSI layers, for example:
• Physical layer: set connection passwords.
• Data link layer: PPP authentication settings, switch port priority, MAC address security, BPDU guard, PortFast ports.
• Network layer: routing protocol authentication settings, extended access lists, firewalls, etc.
• Transport layer: FTP password settings, transport keys, etc.
• Session layer and presentation layer: public-key cryptography and private-key passwords should be set at these two layers.
• Application layer: NBAR settings, application-layer firewalls.

The five security-related services: authentication (identification) service, access control service, data confidentiality service, data integrity service and non-repudiation service.

3.2.2 TCP/IP protocols

In terms of the OSI model, TCP/IP consists of IP at the network layer and TCP at the transport layer.
1. Network layer protocols
• IP protocol
• ARP protocol: translates a computer's network address (32-bit IP address) into a physical address (48-bit MAC address).

2. Transport layer
• TCP: uses a three-way handshake to establish a connection and a handshake to release it.
• UDP

3. Application layer protocols
HTTP, HTTPS, FTP, SMTP, Telnet, DNS, POP3, etc.; in practice these protocols are used through application proxies.
4. Encapsulating security protocols
• IPSec: an encryption-based security protocol for IPv4 and IPv6 that uses the AH (Authentication Header) and ESP (Encapsulating Security Payload) protocols to provide its security, and ISAKMP/Oakley and SKIP for key exchange, management and security negotiation.
• SSL (Secure Sockets Layer): used to protect information transmitted over the network.
• S-HTTP (Secure Hypertext Transfer Protocol): a protocol for secure communication, designed to be combined with HTTP.
• S/MIME: Secure Multipurpose Internet Mail Extensions.

3.2.3 Wireless network security

1. WLAN security threats: eavesdropping, interception or modification of transmitted data, denial of service.
2. Wireless LAN security protocols:
• WEP (Wired Equivalent Privacy)
• WPA (Wi-Fi Protected Access)
• WPA2
• WAPI (China's WLAN security solution with independent intellectual property rights)

3. WPI decapsulation process:
• Check whether the packet sequence number is valid; packets with an invalid sequence number are discarded.

• Using the decryption key and the packet sequence number, decrypt the ciphertext of the MSDU and MIC with the decryption algorithm working in OFB mode, recovering the MSDU plaintext and the MIC.

• Using the integrity check key and the packet sequence number, locally compute the integrity check code with the integrity check algorithm working in CBC-MAC mode; if the computed value differs from the MIC carried in the packet, the packet is discarded.

• After decapsulation, reassemble the MSDU plaintext and deliver it to the upper layer.
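The four decapsulation steps above, worked through in Python as an added example (not code from the original notes or from any WAPI implementation). The block cipher is a constructed stand-in for SMS4 (the first 16 bytes of SHA-256 over key and block); because OFB mode and CBC-MAC only ever call the cipher in the forward direction, this is enough to exercise the sequence-number check, the decryption and the MIC comparison exactly as the steps describe. The packet layout (header, 8-byte sequence number, ciphertext) and the IV derivation are also constructed.

```python
"""Model of the WPI decapsulation steps: sequence-number check, OFB-mode
decryption of MSDU||MIC, CBC-MAC integrity check, delivery of the MSDU.
Constructed example; block_encrypt is a PRF standing in for SMS4."""
import hashlib
import hmac
import struct

BLOCK = 16    # block size in bytes
MIC_LEN = 16  # constructed MIC length


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Constructed stand-in for the SMS4 block cipher (forward direction only)."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def ofb_keystream(key: bytes, iv: bytes, n: int) -> bytes:
    """OFB mode: each keystream block is E(K, previous block), starting from the IV."""
    out, prev = b"", iv
    while len(out) < n:
        prev = block_encrypt(key, prev)
        out += prev
    return out[:n]


def cbc_mac(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC-MAC over zero-padded data; the sequence number in the IV binds
    the check code to this particular packet."""
    padded = data + b"\x00" * (-len(data) % BLOCK)
    x = iv
    for i in range(0, len(padded), BLOCK):
        x = block_encrypt(key, bytes(a ^ b for a, b in zip(x, padded[i:i + BLOCK])))
    return x[:MIC_LEN]


def pn_iv(pn: int) -> bytes:
    """Constructed 16-byte IV derived from the packet sequence number (PN)."""
    return struct.pack("!Q", pn) * 2


def encapsulate(enc_key: bytes, mic_key: bytes, header: bytes, pn: int, msdu: bytes) -> bytes:
    """Sender side (used to build realistic input): MIC over header||PN||MSDU,
    then MSDU||MIC encrypted in OFB mode under a PN-derived IV."""
    mic = cbc_mac(mic_key, pn_iv(pn), header + struct.pack("!Q", pn) + msdu)
    body = msdu + mic
    ct = bytes(a ^ b for a, b in zip(body, ofb_keystream(enc_key, pn_iv(pn), len(body))))
    return header + struct.pack("!Q", pn) + ct


def decapsulate(enc_key: bytes, mic_key: bytes, packet: bytes, last_pn: int, header_len: int):
    """Receiver side, following the listed steps. Returns (msdu, new_last_pn),
    or (None, last_pn) when the packet must be discarded."""
    header = packet[:header_len]
    pn = struct.unpack("!Q", packet[header_len:header_len + 8])[0]
    ct = packet[header_len + 8:]
    # Step 1: sequence-number check. A PN not strictly greater than the last
    # accepted one is a replay (or out-of-order packet) and is discarded.
    if pn <= last_pn or len(ct) < MIC_LEN:
        return None, last_pn
    # Step 2: recover MSDU plaintext and MIC with the OFB-mode keystream.
    body = bytes(a ^ b for a, b in zip(ct, ofb_keystream(enc_key, pn_iv(pn), len(ct))))
    msdu, mic = body[:-MIC_LEN], body[-MIC_LEN:]
    # Step 3: recompute the MIC with CBC-MAC and compare in constant time.
    expected = cbc_mac(mic_key, pn_iv(pn), header + struct.pack("!Q", pn) + msdu)
    if not hmac.compare_digest(mic, expected):
        return None, last_pn
    # Step 4: deliver the MSDU plaintext upward and advance the replay window.
    # (Reassembly of fragmented MSDUs is not modelled here.)
    return msdu, pn
```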

3.3 Identifying network security risks

3.3.1 Threats

Common external threats: security vulnerabilities in system and application software, security policy flaws, backdoors and Trojans, viruses and malicious website traps, and hackers; as well as the security problems caused by the weak security awareness and bad behaviour of staff inside the network.

3.3.2 Vulnerabilities

1. Operating system vulnerabilities: dynamic linking, process creation, empty passwords and RPC, the superuser.
2. Vulnerabilities of the computer system itself: hardware and software failures.
3. Electromagnetic leakage
4. Data accessibility
5. Weaknesses of communication systems and communication protocols
6. Vulnerabilities of database systems
7. Vulnerabilities of network storage media

3.4 Dealing with network security risks

3.4.1 Responses at the national strategic level

1. Introduce a network security strategy and improve top-level design.
2. Build a network identity system and create a trusted cyberspace.
3. Enhance core technology R&D capability and form a self-controlled network security industry ecosystem.
4. Strengthen network offensive and defensive capabilities and build an attack-and-defence security system.
5. Deepen international cooperation and gradually increase the international right to speak on cyberspace.

3.4.2 Responses at the technical level

1. Identity authentication
• Biometric authentication
• Password authentication
• Token authentication

2. Access control
• Access control (AccessControl) refers to the means by which a system limits the ability of users to use data resources according to their identity and the predefined policy group they belong to.

• Three elements: subject, object and control policy
• Functions and principles of access control: authentication, control policy, security audit
• Types: discretionary access control, mandatory access control, role-based access control, integrated access control, etc.

• Integrated access control strategies: network admission control, network permission control, directory-level security control, attribute security control, network server security control, network monitoring and locking control, network port and node security control
• Access control applications

3. Intrusion detection
• An intrusion detection system is a network device that monitors the network in real time, detects suspicious data and takes proactive measures in time.
• Common intrusion detection techniques: anomaly detection, signature (feature) detection, file integrity checking.

4. Monitoring and auditing techniques
• Network security audit approaches: log audit, host audit, network audit

5. Honeypots
By application platform, honeypot systems are divided into real honeypot systems and pseudo honeypot systems.
By deployment purpose, honeypots are divided into production honeypots and research honeypots.
By level of interaction, honeypots are divided into low-interaction honeypots and high-interaction honeypots.

3.4.3 Common network management techniques

1. Daily operation and maintenance inspection
2. Vulnerability scanning
3. Application code review
4. System security hardening
5. Security level evaluation
6. Security supervision and inspection
• Information security management
• Technical protection
• Emergency response
• Security education and training
• Security rectification

7. Emergency response and handling
8. Security configuration management
• Asset management
• Resource management
• Server directory management
• Service requests
• Monitoring and management

Summary

By analysing common network topologies and combining them with the OSI model and protocols, this chapter introduces the threats to and potential vulnerabilities of network systems, and puts forward countermeasures at the levels of network technology and network management. In particular, it gives a detailed account of authentication technology, access control, intrusion detection, monitoring and auditing technology, and honeypot technology.

Chapter 7 Security issues of advanced computing against the background of big data

7.3 Internet of Things security

7.3.1 Overview of the Internet of Things

1. The goal of the Internet of Things (IoT) is to help us achieve interoperability between the physical world and the online world, so that humanity has "comprehensive perception, thorough analytical capability and intelligent processing capability" over the physical world.
2. Layered architecture and characteristics of the IoT
• The IoT is roughly divided into three parts: the data perception part, the network transmission part and the intelligent processing part.

• The IoT system is divided into a three-layer structure: perception layer, network layer and application layer.
• The IoT should have three capabilities: comprehensive perception, reliable transmission and intelligent processing.

3. Typical IoT application areas:
• Applications with cognition of the physical world
• Applications based on ubiquitous network convergence
• Applications aimed at integrated information services

7.3.2 Security characteristics and architecture of the Internet of Things

1. Security characteristics of the IoT
2. Security challenges faced by the IoT:
• Standards and criteria
• Regulation
• Shared responsibility
• Trade-off between cost and security
• Disposal of obsolete equipment
• Scalability
• Data confidentiality, authentication and access control

3. IoT security architecture
• Security attacks faced by the IoT
• IoT security controls

7.3.3 Industrial control systems and their security

Industrial control system (ICS) is a general term for several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), process control systems (PCS) and programmable logic controllers (PLC).
1. Characteristics of industrial control systems
2. Architecture of industrial control systems
• Key components of an industrial control system include: controller configuration and programming components, data acquisition and supervisory control modules, human-machine interfaces and distributed process control systems.
• The network part of an industrial control system covers: the enterprise resource network, the process control and monitoring network, and the control system network.

3. Industrial control system security
• Computer network security situation and security issues of industrial control systems:
◦ Vulnerabilities in industrial control systems are difficult to patch in time, which creates security risks
◦ Industrial control system communication protocols lacked sufficient security consideration at design time
◦ Insufficient security policies and management systems
◦ Industrial control systems directly exposed on the Internet
◦ System architecture lacking basic security

• Industrial control system security protection:
◦ Loss and leak protection
◦ Host security management
◦ Data security management
◦ Establishing baselines
◦ Operation monitoring
◦ Implementing defences


Source: www.cnblogs.com/lrz2427/p/12006452.html