Ch17

Published on May 2016 | Categories: Documents | Downloads: 26 | Comments: 0 | Views: 296
of 147
Download PDF   Embed   Report

Comments

Content

Computer Networking
网络课件 双语教学 模拟实验

计算机网络教研室

CHAPTER 17 NETWORK MANAGEMENT
The first section Exercises Online lecture

1

2
3

Department of Computer Networking Application

CHAPTER 17 NETWORK MANAGEMENT PART THREE INTRODUCTION
CHAPTER 17 Examines the vital topic of network security and explains many ways in which networks can be made more secure. CHAPTER 18 You will cover encryption, digital signatures, and digital certificates in detail, and you will understand the importance of user IDs and strong passwords. CHAPTER 19 You will investigate the threat of viruses and other network perils as well as steps that can be taken to minimize their impact.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Text Books and References Books 密码学与网络安全 Cryptography and
Atul Kahate著 邱仲潘 等 译 清华大学出版社 ISBN:7-302-114900/TP•7540

Network Security
by Atul Kahate 清华大学出版社
ISBN:7-302-099677/TP•6855
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Chapter 18
Explains network design and implementation process. Learn that designing a new or changed network is a multiphase activity That requires user involvement along the way . Study the various steds in the process, sted that are described and illustrated.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Chapter 19
Describes network management and operations process. Explore the reasons for managing a network and the standard management functions that are put into a network context. Learn the practical issues of day-to-day operation of a network: problem management,
performance management , configuration management, change management
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Chapter 17 Network Security 17-1 Introduction

17-2 Why is needs
17-3 Management's responsibility 17-4 types of threat
• Security Architecture • Security attacks • Security services
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-1 OBJECTIVES
Explain why it is necessary; Discuss management's responsibility; Describe key elements of a network security policy;

List the types of security threats; Explain purpose, pros, and cons of encryption;
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-1 OBJECTIVES
Describe how symmetric and asymmetric key-based encryption system work; Digital signatures and certificates; Describe various types of network accesss control ; Discuss disaster recovery planning;

Describe the security of home network;
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-1 INTRODUCTION
Describes network security .
Explains the types of security threats. The various measures to increase a network's security. It also includes being able to recover from security incidents.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-2 Security Is NOT Enough
No longer can a business be operated without having access to information and a reliable communication system. Usually, the value of the data stored on networked computers far exceeds ,The cost of the networks themselves
.

Security

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-2 Why Security
目标和破坏 的范围
全面框架

Hacker 特洛伊木马 HIGH

黑客攻击

天 TOOLS工具 新型的跨主机工具 快速变化的威胁 后门、隐蔽通道 灾 隐秘且高级的扫描工具
数据包欺骗 窃听 手动探测 拒绝服务 计算机病毒 Seconds 分布式攻击工具

区域网络

threats • Massive 干扰通信 多个LAN 偷窃信息 第三代 worm攻击的复杂度 攻击已知漏洞 Days 信息泄漏、 driven • Distribute 口令破解 拒绝服务攻 DDoS d denial of 篡改、破 单个 LAN 第二代 自我复制程序 Weeks service 击 攻击者 • Damagin 猜口令 坏 • Macro LOW • Blended g payload 第一代 viruses 2000 threats 1995 worms 1980 1985 1990 单个pc 社会工程 • Boot

Cybercrime and Cyberterror
后门程序 破坏审计

攻击者的 知识水平

下一代 www攻击 自动扫描 • Flash 图形化界面

网络信息系统 Attacks on the scope and time
viruses
• Denial of service

网管探测 Minutes

逻辑炸弹

蠕虫 1980s

内部人员威胁 系统 Bug 1990s Today

Future
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-2 Why Network Security is Needed
large and small organizations of all types are becoming increasingly dependent on networks to carry on their activities. In the past, networks were main private. easy to control.  with the rise of the Internet and its use for conducting business, network are more open. It is virtually impossible to eliminate all network security .
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-2 Why Internet Is NOT Safe?
Internet originated in the military,it were mainly private. With the rise of the Internet, networks are more open. TCP / IP protocol is open
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-3 MANAGEMENT`S RESPONSIBILITY
 Network management must see that appropriate security measures are implemented  Senior management must understand network security issues and indicate to all employees that network security is important to the organization’s well being.  The network management staff has a very Important security responsibility.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-3 Adequately manage network security
A network security policy Clearly defined roles and responsibilities A security implementation plan An effective implementation of appropriate security hardware and software A plan to deal with any security breaches that do occur Periodically ensure that the security policies and standards are effective
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-3 Network security policy
It is management's statement of the importance of and their commitment to network security. It needs to describe in general terms will be done. Need to clearly state management's position about the importance of network security It does not deal with the security protection is to be achieved. Network security officer who is responsible for seeing that security policy and practies are carried out.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-3 Elements Of Network Security Policy

Importance of network security
What are to be protected MANAGEMENT`S RESPONSIBILITY

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 TYPES OF THREATS
Security threats to a network can be divided into those that involve some sort of unauthorized access and all others.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 5 type of security threats
5 types of security threats to a network are
•eavesdropping •altering message contents •Masquerading •denial of service •planting viruses or worms.

Eavesdropping: monitor network traffic Altering message contents

Masquerading
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Denial of service (DoS)
DoS occurs when someone floods a site with messages faster than they can be handled DDoS Distributed Denial of Service, DDoS TCP DoS attack SYN flood attack Land attack UDP DoS attack UDP Flood DoS attack ICMP DoS attack

Teardrop attack Ping of Death
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 DoS - Syn Flooding
Three-way Handshake
A B

syn ack, syn ack

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Planting viruses
The most common ways: Through an attachment to an e-mail By downloading software containing a virus.
中毒的网站主 机

Internet /HTTP

网页夹带HTTP病毒指令

有安装防毒软 件的用户机
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Planting viruses

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Other types of security threats include
Physical damage Nonmalicious disruptions Disasters

More Samples ...

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Attacks, Services and Mechanisms
Security Attack: Any action that compromises, the security of information. Security Mechanism: It is designed to detect, prevent, or recover from a security attack. Security Service: A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Security Attacks

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Passive and active attacks
Passive attacks No modification of content or fabrication Eavesdropping to learn contents or other information. Active attacks Modification of content and/or participation in communication to •Impersonate legitimate parties •Modify the content in transit •Launch denial of service attacks
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Security Attacks

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Passive Attacks

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Active Attacks

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
采用一切手段(主要指静态防护手段)保 护信息系统的五大特性。

17-4 Security Mechanism

检测本地网络的安全漏洞和存在的非 法信息流,从而有效阻止网络攻击

A mechanism that is designed to protect,detect, Protection Detection reaction, and restore from a security attack.
PDRR MODEL: Protection保护 Detection检测 Reaction响应 Restore恢复 information 采用一切手段(主要指静态防护手段) 检测本地网络的安全漏洞和存在的非 Security 保护信息系统的五大特性。 法信息流,从而有效阻止网络攻击 Protection Detection Restore information Reaction Security Restore Reaction 及时恢复系统,使其尽快正常对外提供服 对危及网络安全的事件和行为做出反应,阻
及时恢复系统,使其尽快正常对外提供 务,是降低网络攻击造成损失的有效途径 服务,是降低网络攻击造成损失的有效 途径

对危及网络安全的事件和行为做出反应,阻 止对信息系统的进一步破坏并使损失降到最 低止对信息系统的进一步破坏并使损失降到最 低 www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT

attack

Protect

succeed failure

Detect

succeed

React

succeed failure Recove

failure

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Protection system is based on the known security issues may take some preventive measures from the successful invasion of the attacker. Detection If the attacker through the protection systems, detection systems will be detected. Recover After the incident, the system back to the original state or more secure than the original state.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Security Services
A security service is a service provided by the protocol layer of a communicating system (X.800)

5 Categories
Authentication Access Control Data confidentiality Data Integrity

Nonrepudiation (and Availability)
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
information security
进不来 拿不走 看不懂 Reliability 改不了 跑不了

Availability

Authenticity
Confidentiality Integrality Forbidden deny

Sample…

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 ENCRYPTION
Encryption is the transformation of data into a meaningless form unreadable by anyone without a decryption key. Encryption prevents someone from eavesdropping on a network. F Plaintext: unencrypted information
Ciphertext: encrypted information Secret Key – the input to encryption/ decryption algorithm
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Decryption
Conversion of Cipher Text to Plain Text

This is a book [email protected]#$~%^~&~*()-

加密

[email protected]#$~%^~&~*()This is a book
www.gxmu.edu.cn

解密

CHAPTER 17 NETWORK MANAGEMENT
17-5 Symmetric encryption techniques
This is a book
加密

[email protected]#$~%^~&~*()秘密钥匙

[email protected]#$~%^~&~*()-

解密

This is a book

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 The history of cryptography
Prior to 1949, classical cryptography Data security to rely on algorithm confidentiality 1949 to 1976, modern cryptography Data security to rely on key In 1976, public key cryptography Public-Key Cryptography makes sending and receiving-end side without key transmission of confidential communications possible
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Caesar cryptogram
Ancient Rome

CAESAR : c=( m+ 3)
Caesar was a great soldier Fdhvdu zdv d juhdw vroglhu

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-4 Sparta cryptogram
(The fifth century BC, cryptogram stick)

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Polybius’ Checkerboard
205~123 B.C.
1 1 2 3 4 5 A F L Q V 2 B G M R W 3 C H N S X 4 D IJ O T Y 5 E K P U Z

plaintext:POLYBIUS cypher:3534315412244543
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 U.S. Civil War
Input direction Output direction
C O A U N U Y N

Plaintext :
Can you understand

D
T

E
A

R
N

S

Ciphertext:
D

codtaueanurnynsd
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.5 Mono Alphabetic Ciphers

It is a simple symmetric encryption scheme in which one plaintext character is replaced by another character. A secure encryption system should mask the frequency with which letters occur and should also mask the word lengths.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Caesar Cipher
Only have 25 possible ciphers A maps to B,..Z

Could simply try each in turn
a brute force attack


given ciphertext, just try all shifts of letters

do need to recognize when have plaintext
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.5 Poly Alphabetic Ciphers
Define: If a given letter of the alphabet will not always be enciphereed by the same Ciphertext character. It changes letter frequencies An important example :

Vigenère
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Features

Features:
A set of related mono alphabetic substitution rules is used A key determines which rule is used for a transformation.

Figure 17-3

A Vigenère square.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Poly alphabetic Ciphers example
writes the plaintext out
writes the keyword repeated above it encrypts the corresponding plaintext letter
eg using keyword deceptive

key:

deceptivedeceptivedeceptive

Plaintext:

wearediscoveredsaveyourself

ciphertext: ZICVTWQNGRZGVTWAVZHCQYGLMGJ
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.5 Transposition Ciphers
Define: Rearrange the letters in the plaintext message rather than substituting cipher characters for them.

* Error:rearrange

the characters in the encrypted message.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Sample
c
n

o
y

m l
r c

p
r

A
E

s
a p d

u
a s e

t
e e t

S
X E
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Bit-level Encryption
This technique ignores the characters that make up the message to be transmitted and instead works with the individual bits that make up the characters, uses a key key. Bit level encryption uses a key. encryption and decryption keys are the same key. Problem: how to sent key ?

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 A simple encryption algorithm - XOR
Either A or B, but not both.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT

C=P
Figure 17-4 Bit-level encryption using the XOR operation. For simplicity, only a 16-bit substring of text and a 16-bit encryption key are used.

K

P=C

K

Figure 17-5

Decryption is a repetition of the encryption process using another XOR operation.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Data Encryption standard
DES was developed by IBM in 1970s.
DES(Data Encryption Standard ) Encrypts blocks of 64bits plaintext using a 56-bit key that yields 2 56 .or >72 2 64 bits as a group.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Speed
DES can be designed into hardware. VLSI Company VM009 1993 200M Bytes/s software: 80486, CPU 66Hz, 43000 DES grouping /sec 336K Bytes/s HP 9000/887 ,CPU 125 Hz, 196,000个分组, 1.53M Bytes/s

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Plaintext Initial Permutation Roud1 Roud1 Round16 IP-1 ciphertext
Permuted Choice2 Permuted Choice2

64bits
Permuted Choice1 Left Circular Shift Left Circular Shift

Permuted Choice2

Left Circular Shift

17-5 DES algorithm summary
64bits
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Triple DES
The original DES is vulnerable to a brute force attack. Triple DES is an improvement over DES because the key length is doubled from 56 to 112 bits, and the data is encrypted three times. Key length:112BIT, k=k1k2

2112
m
DES DES-1 DES

c

c

DES-1

DES

DES-1

m

k1

k2

k1

k1

k2

k1
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 Key management
In many situations, managing the key is a highcost overhead to an encryption system.

Key sharing still represents a weakness in any other symmetric encryption system

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-6 Advanced Encryption Standard
DES is vulnerable to a brute force attack AES is the U.S. National Institute of Standards and Technology (NIST) is to replace of the DES encryption standard . 128bit key

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-6 Asymmetric Key Encryption
PKE (Public key encryption) Messages are encrypted with one key that can be made public.the recipient uses a separate private key to decipher. Advantage: It solves the problem of key management & exchange. Symmetric key encryption is much faster than PKE,but PKE is more safe.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-6 Asymmetric Key
The key used for encryption and the key used for decryption are not the same. Public key is one that is used for encryption and can be Private key known by anyone. Private key is used for decryption and is kept secret. The keys used with an asymmetric key encryption system are normally very large prime numbers.

Public key www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-6 Asymmetric Key Encryption

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
RSA(Rivest, Shamir and Adleman)

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.6 PGP
PGP (Pretty Good Privacy) Inventor, Phil Zimmerman An asymmetric encryption/decryption program for email, computer data, and voice conversations that was developed by a private individual is called PGP Internet e-mail encryption: a de-facto standard PGP is in the public domain. The most common ways to protect data on the Internet.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.7 Other Encryption System
Microsoft :encrypting file system NTFS Winzip 128 256 AES Winrar Hardware encryption Software dog

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 Voice Scrambling
Voice scrambling makes the voice transmission
unintelligible to anyone who does not have a descrambler.

Scrambler

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 DIGITAL SIGNATURES
It is the network equivalent of signing a message and guaranteeing that the contents have not been changed. For electronic commerce ,key component of most authentication systems. Purposes: Guarantee that the individual sending the message The message has arrived intact The sender cannot dispute Time stamped
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 Hash Function
Crunches the data and calculates a unique Value for the docment. Message digest or hash

Ensure that the contents of the message are not changed.
“我们的五年计划是…” “B*[email protected];qHUHW”

Hash
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 Cryptography hash of several basic requirements for

Input :any length Output: Fixed length

One-way function
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 Usage method

To sign a message with a digital signature, the sender simply invokes a software routine that builds the signature using a private key known only to him.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
1.Copy contract to email 2.Calculates hash for email

1.Calculates the hash of received message
2.Decrypts hash using public key 3.Hashes match ,message is valid
Figure 17-6 The digital signature process.

3.Encrypts hash using private key

Digital signatures :the encrypted hash
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 Digital fingerprint
File checkout

To prevent the malicious destruction of file.
UNIX tanajiya.tar.gz , tanajiya.tar.gz.md5 MD5 (tanajiya.tar.gz) = 0ca175b9c0f726a831d895e269332461
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 DIGITAL CERTIFICATES
It is a password-protected,encrypted data file that identifies a transmitting entity and certifies that it is who it say it is.

Usually installed in the e-key
Digital certificates similar to the real-life identity. CA –certificate allthoritiy
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 CA's role
 Guarantee that the organization or individual granted the certificate is who he claims to be.  Guarantee that the holder`s public key really belongs to him.  Trust-worthy CA will issue a certificate onl y after verifying the identity .  A certificate is valid only for the perid of time specified by the CA that issued it.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 X.509.CCITT(即国际电话委员会)

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 Digital certificate Content
– Certificate Authority
Name
CA logo
Subject: Mr Tom Issuer: INET CA1 Subject’s Public key:
公钥

Public key

Serial Number: 29483756 Not Before: 10/18/99 CAID Not After: 10/18/04 Secure Email Client Authentication Signed: Cg6&^78#@dx

Effective Date

扩展域

认证中心(CA) 的数字证书

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 The principle of digital certificates
CA
Certificate Application Certificate Application Public key

Public key Private key

Private key

Digital certificates used public-key mechanism CA provide the program for the user, have a pair of keys: public key,be stored in CA. private key, l be stored on the user's computer.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT 17-7 CA structure
Return request terminal request

注册中心

认证中心

RA
Submit a certificate application

CA

apply for the certificate

To obtain a certificate

certificate Library
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-7 PK typical application
数据库 Web服务器及应用软件 防火墙 业务处理流程

银行等数据接收网关 防火墙

CA

Internet/Intranet
卡 读卡器 卡 读卡器

浏览器/Client

浏览器/Client



电子钥匙



电子钥匙
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.8 IP SECURITY
IETF(Internet Engineering Task Force) IPSEC(IP security): Security for Internet communications protocol, known as IPsec. In the IP layer to provide identification and security services Ipsec acts at the network layer,protecting and authenticating IP packets between Ipsec-compliant devices Compatible with IPv4 and IPv6
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-8 IPSec in TCP/IP
Sender Receiver

Original message Application Transport IPSec Internet Data link Transmission medium

Original message Application Transport IPSec Internet Data link

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-8 Based on TCP / IP protocol network security architecture

PEM MOSS PGP S/MIME SHTTP SSH Kerberos SNMPv2 应用层 TCP SSL UDP 传输层 网络层

IPv6 IPSEC ISAKMP

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-5 IPsec content
Sending and receiving must share a public key. ISAKMP(Internet Security Association and Key Management Protocol)

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-8 IPSEC architecture
IPSec安全体系

封装安全载荷(ESP)

认证头(AH)

加密算法

认证算法

解析域(DOI)

密钥交换与管理(IKE)

安全关联(SA)

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-8 IPSec Provides services

Data Confidentiality Data integrity

Data origin Authentication Anti-reply
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-8 IPSec Uses
●applicable to use over LANs, across public & private WANs, & for the Internet

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-9 Virtual Private Network
Uses the Internet as if it is a private network Far less expensive than a leased line Uses IPSec protocol

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-9 SECURE SOCKET
Web server be encrypted. Netscape is the first to use. SSL is a transport level technology for authentication between a WEB browser and a WEB server. SSL runs above TCP layer and below application layer. Establish an encrypted connection. (shttp/https).

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-9 SSL includes two subprotocols:
SSL record protocol:format data
SSL handshake protocol: first establish connection。 Use techniques include DES,Triple DES,RSA etc.

SSL allows a user to confirm a server’s identity.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-9 SSL-based Web access a complete process
1. Client bowser `s digital certificate and public key 2. server`s digital certificate and public key
6. decrypt information by client browser `s private key 4. decrypt information By Server`s private key
Server

3. encryption of information by server`s public key
client

5. encrypt session key by client's browser `s public-key 7. Encrypt of data transmission by Session key
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-9 (shttp/https).

Both Netscape and Internet Explorer support SSL.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.10 VIRUSES
Viruses become a network issue.

The single best thing an organization or user can to protect themselves against viruses is to install antivirus software on its computers.
Program files that have a virus attached are said to be infected.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 Antivirus program
It work by looking for virus signature that is unique to the virus. Virus signature:a sequence of computer instruction that is unique to the virus.

Antivirus programs have reduced the overall risk of network security problems in the past few years. F
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 Virus Signature
A sequence of computer instruction that is unique to the virus.

Viruses Spread : Computer viruses spread much like their biological counterpart极相似—by sharing.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 Typical network virus
--Netstat -a

Trojan
A computer virus is similar to the instructions set it in the general parasitic programs, and secretly carry out some of the destructive operation or theft of data.
More…

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 Computer Worm
工作站 A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes and it may do so without any user intervention. It does not need to attach itself to an 网站服务器 existing program. 路由器 Worms almost hub always Internet to the network, if only by cause harm consuming bandwidth, whereas viruses 网站服务器 almost always corrupt or modify files on a 工作站 targeted computer. NEXT……
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 ARP CACHE POISONING

ARP CACHE POISONING
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 NETWORK ACCESS CONTROL
Network access adds another dimension to the protection of data and information.

New question : How to know who is at the terminal If is the person authorized to access data. What operations are user authorized to perform. If is Lines tapped?
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 3 primary way unauthorized access
From another network such as Internet.

Dialing directly into network
Using workstation located
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 User Identification and Passwords
One common method of network access control is user IDs and passwords.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 Password status quo
No password use the system's built-in default password and account number Use easy to guess the password Name birthday

Not to replace passwords on a regular basis Crack password method: Brute attack
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 Password cracking technology
Comparison

Attack types
Dictionary attacks Violent attacks Combination of attack

speed of attack fast low

number of password cracking

All Dictionary words all
Only to find the words to the dictionary-based password
www.gxmu.edu.cn

Medium

CHAPTER 17 NETWORK MANAGEMENT
17-10 Strong Password
At lease 7 characters length. Include upper and lower case letters,numerals,and symbols. Have at least one symbol character in the second . Have at lease four different characters. Look like a sequence of random letters and numbers.
[email protected] h¥7 O8ng

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 They should not
Contain any part of the users user ID Use any actual word or name in any language Use numbers in place of similar letters Reuse any portion of an old password Use consecutive letters or numbers Use adjacent key on the keyboard. Abcdefg 234567 Mothed: Complete record is kept of all users of system. Restricted the number of Sign
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-10 CALL BACK

Other: Monitor computer ports Reading a printed log
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.11 Firewalls
It isClose a combination of hardware and software that

enforces boundary between two or more networks.
A relatively effective technique for limiting Samples… unauthorized access to an organization’s network from outside networks to which it is connected is to install a firewall.

Figure 17-7

A firewall at the boundary of two networks.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Firewall Function
Special type of router provides perimeter defence

Firewall can not be anti-virus. imposes restrictions on network services only authorized traffic is allowed
Firewalls normally log all of the activity so that information about network access and detail is available for later analysis
.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Firewall Types

Firewalls

Packet Filters

Application Gateways

分组过滤器

应用网关
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Packet Filter (Screening filter)

Internal (Private) Network Protected zone

Internet
Packet filter

•foundation of any firewall system •examine each IP packet (no context) and permit or deny according to rules •restrict access to services (ports)
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Packet Filter Operation

Outgoin g packets

Incoming packets

Receive each packet. Apply rules. If no rules, apply default rules.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Attacks to security of packer filter

IP address spoofing Source routing attacks

Tiny fragment attacks
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Packet Filter Defeating IP Spoofing Attack

178.29.10.89

Source address: 178.29.10.91

178.29.10.90
Incoming packet 178.29.10.91


Packet filter
STOP!

Internal network and the IP addresses of the hosts

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 PROXY SERVER
HTTP SMTP FTP TELNET

Inside connection

Application gateway

Outside connection

Network Address Translation
Internal Network Address

192.168.0.x

PROXY Network Address Translation

External network / Internet address

202.11.196.16

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 DMZ
Demilitarized Zone

In computer networking, DMZ is a firewall
configuration for securing local area networks (LANs).
Inter net
Firewall

 Internal private network

Demilitarized Zone (DMZ)

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 IDS
IDS(Intrusion Detection System) is software and/or hardware designed to detect unwanted attempts at accessing, manipulating, and/or disabling of computer systems.

Analysis of events, find violation of security policy.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 IDS principle
Network Data Flow

Real-time response

Real-time

analysis
of the invasion

The formation of alarm records

Event Database
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 IDS deployment

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
Firewall and IDS linkage

Next page…
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-11 Product

天融信 IDS

防火墙

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-12 UTM
UTM: Unified Threat Management It said in a hardware platform integrated security features such as firewall, VPN, gateway anti-virus, intrusion detection and intrusion prevention, traffic

analysis, content filtering, and so on.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT IPS
FIREWALL
ANTI-VIRUS

UTM

Anti-Spam

VPN

content filtering

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-13 PHYSICAL SECURITY
Emphasis : Prevent authorized access to communications room Network operations center Communication equipment Equipment room should be kept locked PCs can employ screen savers
physical security as it relates to a network means, among other things, that the equipment rooms should be kept locked.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-13 PERSONNEL SECURITY
security conscious and well trained to use security tools Method:
Screening or security checking for new employees Identifying employees and vendor personnel by IDs Reminding employees about their security responsibilities. Have a good job duties. Error prevention techniques

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-14 DISASTER RECOVERY PLANNING

Disaster is defined as a long-term outage) that cannot be quickly remedied. 5 kinds of network paralysis can be a disaster Fire flood hurricane earthquake terrorism

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-14 Disaster Recovery Plans
1. An organization should have a disaster recovery plan in order to ensure that it knows how it will recover its network (and computing) assets if disaster should strike. 2.whatever plan is developed for disaster recovery, it must be specific for different kinds of disasters. 3.Disaster recovery plans must be tested. 4.Constantly Reassess disaster 5.A generic disaster recovery plan will not cover all kinds of disasters.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-14 Checklist for disaster recovery planning.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-14 Network Backup System

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-14 Remote disaster emergency
Remote disaster emergency use of the Internet system to provide cross-boundary synchronized backup systems.

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17.15 WIRELESS NETWORK SECURITY
Wireless networks are especially prone to security violations

because they can broadcast far outside a home or office building.
Unless proper security measures are installed, anyone sitting

nearby can passively scan all the data flowing in your wireless network using an antenna, and some widely available hacking software. Bad view:Wireless networks are invulnerable to security breaches because they transmit data at ultra high frequencies.
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-15 Wireless network security can be implemented by
a. adjusting the signal strength of the wireless
access point b. c. d. using strong passwords authenticating users installing a firewall

e.

encrypting transmissions
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-15 Use strong passwords to protect AP
SSID: Service Set ID Only correct SSID can access AP Open system authentication e.g. Windows XP

www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-15 authenticating users
Limit the number of user addresses. Encrypt transmissions. Use 128-bit WEP security protocol does not in itself provide adequate protection for wireless networks. But may discourage the casual hacker
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
17-15 SECURITY FOR HOME NETWORK
For winxp ,Allows multiple users login to a machine Install firewall program Kill virus program and regularly update

Buy routers with built-in firewall
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
SUMMARY
Has highlighted the need for network security Described the security techiques that are most

often.
Anti-virus Network access control techniques. ……… etc
www.gxmu.edu.cn

CHAPTER 17 NETWORK MANAGEMENT
课后习题

Exercises

1.Management’s statement of the importance of and their commitment to network security is called the ( C ).
× A、 network security standard × B、 network security strategy



C、network security policy

× D、statement of network intent Redo Next Answer

CHAPTER 17 NETWORK MANAGEMENT
课后习题

Exercises

2. A digital signature ( B ).
× A、 has no place in electronic commerce



B、 is the network equivalent of signing a message

× C、 must be able to be imitated by someone else × D、 None of the above Redo Next Answer

CHAPTER 17 NETWORK MANAGEMENT
课后习题

Exercises

3. Examples of passive security attacks are ( D ).

× A、 altering message contents × B、 masquerading × C、 denial of service √ D、 None of the above Redo Next Answer

CHAPTER 17 NETWORK MANAGEMENT
课后习题
4. A firewall ( D ).
× A、 is usually a combination of hardware and software × B、 enforces a boundary between two or more networks × C、 normally logs all transactions that pass through it √

Exercises

D、All of the above
Redo Next Answer

CHAPTER 17 NETWORK MANAGEMENT
课后习题
5. DES ( B ).

Exercises

× A、 was developed by the Department of Defense √ B、 is vulnerable to a brute force attack

× C、 encrypts blocks of 56 bits using a 64-bit key × D、 has been implemented only in software because of its complexity Redo Next Answer

CHAPTER 17 NETWORK MANAGEMENT
课后习题

Exercises

Network 6. ___________

management must see that appropriate security measures are implemented. Answer 7. The network security policy needs to describe in general terms ___________ will What Answer be done. private 8. In an asymmetric key system, the ________ key is used for decryption and is kept secret.
Answer

CHAPTER 17 NETWORK MANAGEMENT
课后习题

Exercises

9. The primary advantages of an asymmetric key system over a symmetric key system are key management that it solves the problem of _____________ and exchange. Answer 10. To sign a message with a digital signature, the sender simply invokes a software _____ routine that builds the signature using a private _____ key known only to him.
Answer

CHAPTER 17 NETWORK MANAGEMENT

www.gxmu.edu.cn

Sponsor Documents

Or use your account on DocShare.tips

Hide

Forgot your password?

Or register your new account on DocShare.tips

Hide

Lost your password? Please enter your email address. You will receive a link to create a new password.

Back to log-in

Close