1、 Preface
When it comes to network security, people generally regard it as a branch of information security. Information security is the more general concept: the measures taken to prevent knowledge, facts, data or capabilities from being used without authorization, misused, tampered with, or denied to those entitled to use them.
Put bluntly, information security protects sensitive and important information from being accessed illegally and then used for illegal purposes. Network security is the form information security takes in an environment where multiple independent computers are interconnected. It covers the security of the individual computers, the security of the interconnection itself (the equipment, communication links, network software and network protocols that realize it), and the security of the various network applications and services.
Here are some typical network security issues, which can be sorted out:
1. IP security: the main attack modes are passive attack by network eavesdropping, active attack by IP spoofing (forging and tampering with packets), and routing attacks (man-in-the-middle attacks);
2. DNS security: you should be familiar with this one; an attacker modifies the DNS mapping table and misdirects users' traffic;
3. DoS attacks: denial-of-service attacks launched from a single attack source, mainly by consuming network resources until the target is forced to crash. What is more common now is actually DDoS, the distributed denial-of-service attack launched from multiple attack sources.
Three basic attributes of network security:
Confidentiality, integrity and availability.
In fact, auditability can also be added.
Confidentiality (sometimes rendered as secrecy) mainly refers to controlling the outflow of information, that is, ensuring that information is not obtained or used by unauthorized persons. The main preventive measure is cryptography;
Integrity refers to the reliability of information, that is, ensuring that information is not forged or tampered with. The main preventive measures are verification and authentication technology. Availability means ensuring that the system can be used normally.
Network security measures are generally classified into different levels according to the TCP/IP or OSI model of the network. For example, the data link layer is responsible for establishing point-to-point communication, the network layer is responsible for routing, and the transport layer is responsible for establishing end-to-end communication channels.
The earliest security problems occurred on the computer platform, and then gradually moved to the network level. In computer security, the main concern is controlling a subject's access rights to an object, while the network introduces more complex security problems. Network applications are now developing in full swing, and the rapid growth of e-government, e-commerce and e-finance has all posed the challenge of dealing with security threats.
The application of cryptography in network security is mainly confidentiality and identity authentication. With a symmetric cryptosystem such as DES and an asymmetric cryptosystem such as RSA, the usual arrangement is to use RSA to protect the DES key while DES handles the actual transmission of the information. The reason is that DES is fast, whereas RSA consumes far more computing resources than DES.
2、 Risk analysis
The main task of risk analysis is to identify the assets to be protected and the potential threats to them. The first step is to determine the assets, including physical resources (workstations, servers and various equipment), knowledge resources (databases, financial information, etc.), and time and reputation resources. The second step is to analyze potential attack sources, such as internal employees and external adversaries. The third step is to specify a security policy that strikes a compromise for the analysis above, because security measures are often inversely proportional to system performance. Risk is defined as the combination of vulnerability and threat: a vulnerability is the way by which an attacker can carry out an attack, and a threat is the specific behavior that carries it out. For a risk to exist, both are indispensable.
Security policies can be divided into many types, such as:
Information policy: identification of sensitive information, information classification, and the marking, storage, transmission and destruction of sensitive information;
System and network security policy: user identification and authentication, access control, auditing, network connections, encryption, etc.;
Computer user policy: computer ownership, information ownership, computer licensing, etc.;
Internet usage policy: mail policy (distinguishing and filtering internal mail from external mail);
User management procedures: procedures for new employees, for employees transferring jobs, and for employees resigning;
System management procedures: software updates, vulnerability scanning, policy checks, login checks, regular monitoring, etc.;
Incident response procedures: response, authorization, documentation and procedure testing;
Configuration management procedures: control procedures for the initial state of the system and for changes to it.
3、 Network information security service
Network information security services can be divided into:
Confidentiality, integrity, availability and auditability.
Confidentiality is mainly realized by encrypting files with cryptographic techniques, integrity is mainly realized by verification codes and hash techniques, and availability is mainly guaranteed by disaster recovery.
Identity authentication in the network environment, of course, still relies on cryptography. One approach uses password technology; the other relies on physical forms of authentication, such as identity cards. In fact, it is more secure to implement multi-factor identity authentication rather than relying on a single method. A digital signature can be used to ensure the integrity of information. For example, RSA can be used for a digital signature:
If A sends the message m to B, A first encrypts m with its own secret key (private key), and then encrypts the result a second time with B's public key. After it is sent to B, B first decrypts it with its own private key and then decrypts the result with A's public key.
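The two-step exchange above, carried through as an added example that is not part of the original article: textbook RSA where A's private-key step is the signature and B's public-key step is the encryption, with B reversing both. The primes (Mersenne primes, chosen so the example runs offline), the message and the function names are all constructed for illustration.

```python
# Added example (not from the original article): textbook RSA used exactly as the
# paragraph describes. A first applies its private key to m (the signature), then
# B's public key; B reverses the two steps. Primes and message are constructed.
from math import gcd


def make_keypair(p, q, e=65537):
    """Textbook RSA key generation from two primes; returns (public, private) as (n, exp)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# A's modulus must be smaller than B's so that A's signature (an integer below n_A)
# is a valid plaintext for encryption under B's key. Mersenne primes, for illustration only.
A_PUB, A_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
B_PUB, B_PRIV = make_keypair(2**107 - 1, 2**127 - 1)


def sign_then_encrypt(message: bytes, sender_priv, receiver_pub) -> int:
    """A's side: 'encrypt' with A's private key (sign), then encrypt with B's public key."""
    n_a, d_a = sender_priv
    n_b, e_b = receiver_pub
    m = int.from_bytes(message, "big")
    if m >= n_a:
        raise ValueError("message too long for the sender's modulus")
    sig = pow(m, d_a, n_a)    # step 1: signature = m^d_A mod n_A
    return pow(sig, e_b, n_b)  # step 2: ciphertext = sig^e_B mod n_B


def decrypt_then_verify(ciphertext: int, receiver_priv, sender_pub) -> bytes:
    """B's side: decrypt with B's private key, then 'decrypt' with A's public key (verify)."""
    n_b, d_b = receiver_priv
    n_a, e_a = sender_pub
    sig = pow(ciphertext, d_b, n_b)  # step 1: recover the signature
    m = pow(sig, e_a, n_a)           # step 2: recover m; only A's key could have produced sig
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


MESSAGE = b"pay B 100 units"  # constructed sample message


def roundtrip() -> bytes:
    """Honest exchange: B recovers exactly what A sent."""
    c = sign_then_encrypt(MESSAGE, A_PRIV, B_PUB)
    return decrypt_then_verify(c, B_PRIV, A_PUB)


def tampered_roundtrip() -> bytes:
    """One ciphertext bit flipped in transit: the recovered value no longer matches m."""
    c = sign_then_encrypt(MESSAGE, A_PRIV, B_PUB)
    return decrypt_then_verify(c ^ 1, B_PRIV, A_PUB)


if __name__ == "__main__":
    print(roundtrip())
    print(tampered_roundtrip() == MESSAGE)
```

The example is faithful to the textbook description, which is also its limitation: unpadded RSA is malleable, and B has no built-in way to tell a garbled recovery from a genuine one unless the message carries redundancy. Deployed systems therefore sign a hash of m with a padded scheme such as RSA-PSS and encrypt with OAEP or, as the Preface notes, protect only a symmetric session key with RSA and let the symmetric cipher carry the data.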
Kerberos uses symmetric cryptographic algorithms to implement authentication services through trusted third-party key distribution centers, which has become a de facto standard in the industry.
4、 Security Architecture
To design a security system, we need to pay attention to the following key issues: subject and object, the trusted computing base (TCB), the security boundary, the reference monitor and security kernel, security domains, least privilege, resource isolation and layering, data hiding and abstraction, etc. In fact, these are the principles of operating system security design.
The network system is mainly based on the OSI model and provides five types of security services:
Authentication (identity authentication of peer entities and data origin authentication); access control; data confidentiality; data integrity; and non-repudiation, meaning that neither the sender nor the receiver can deny having taken part in the communication.
Security mechanisms of the OSI security architecture:
Specific security mechanisms: encryption, digital signature, access control, data integrity, authentication exchange, traffic padding, routing control and notarization. Pervasive security mechanisms: trusted functionality, security labels, event detection, security audit trail, and security recovery.
5、 Extended data
1. What can I do before going online to ensure online safety?
First of all, you need to install a personal firewall. With the privacy control feature, you can choose which information needs to be kept confidential without inadvertently sending it to unsafe websites. In this way, you can also prevent the website server from tracking your email address and other personal information without your knowing it.
Secondly, please install patches and updates to the system and other software in a timely manner. Basically, the earlier the update, the less risk. Remember to update the firewall data in time.
2. How to prevent hacker attacks?
First, use a personal firewall and an anti-virus program to block hacker attacks and to check for hacker programs (software that connects to an external server and transmits your information). A personal firewall can protect your computer and personal data from hackers and prevent applications from automatically connecting to a website and sending information to it.
Second, turn off file and print sharing when it is not needed. File and print sharing is sometimes a very useful feature, but it also exposes your computer to hackers looking for security vulnerabilities. Once inside your computer, hackers can steal your personal information.
3. How to prevent a computer from being infected by viruses?
First of all, do not open email attachments from strangers or open files from instant messaging software. These files may contain a trojan horse program that allows hackers to access your files and even control your peripherals. You should also install an anti-virus program to protect you from viruses, trojan horse programs, and worms.
4. How to ensure information security when browsing the web?
Even when you browse anonymously, logging on to a website generates an information store called a cookie (a temporary file that can record the pages you have browsed). Many websites use cookies to track your activities on the Internet.
You can turn off the acceptance of cookies in the browser's settings. (Open the IE browser, click "Tools" - "Internet Options", select the "Privacy" tab, leave "Cookies" unchecked, and click "OK".)
5. How to ensure your information security when shopping online?
When shopping online, make sure you use a secure connection. You can determine whether a connection is secure by checking that the lock icon in the corner of the browser window is closed. Read the privacy policy of the website before conducting any transaction or sending information, because some websites will sell your personal information to a third party. Do not disclose your personal information and passwords to anyone when you are online.
6、 Questions and answers on basic knowledge of network security
Q: What is network security?
Answer: Network security means that the hardware and software of the network system and the data in the system are protected from being damaged, changed or leaked due to accidental or malicious reasons. The system can operate continuously, reliably and normally without interruption of network services.
Q: What is a computer virus?
A: A computer virus is a set of computer instructions or program code, inserted into computer programs by its author, that destroys computer functions or data, interferes with the use of the computer, and can replicate itself.
Q: What is a Trojan horse?
Answer: Trojans are malicious remote-control software. A Trojan generally has a client and a server part: the client is the console used locally to issue commands, while the server part is what gets run on the victim. Only a computer running the server part can be fully controlled. Unlike viruses, Trojans do not infect files.
Q: What is a firewall and how does it ensure network security?
A: Using a firewall is one way to ensure network security. A firewall is a combination of components placed between different networks (such as a trusted intranet and an untrusted public network) or between network security domains. It is the only path for information between those networks or security domains. It can control (allow, reject, monitor) the information flow into and out of the network according to the enterprise's security policy, and it has strong resistance to attack. It is the infrastructure for providing information security services and realizing network and information security.
Q: What is a back door and why does it exist?
A: Back Door refers to a method to bypass security control and gain access to programs or systems. In the software development phase, programmers often create backdoors in the software so that they can modify defects in the program. If the backdoor is known by others or is not deleted before releasing the software, it becomes a security risk.
Q: What is intrusion detection?
Answer: Intrusion detection is a reasonable complement to the firewall, helping the system cope with network attacks, expanding the security management capabilities of the system administrator (including security audit, monitoring, attack identification and response), and improving the integrity of the information security infrastructure. It collects information from several key points in the computer network system, analyzes the information, and checks whether there are any behaviors violating the security policy and signs of being attacked in the network.
Q: What is packet monitoring and what is its role?
A: Packet monitoring can be considered as the equivalent of a telephone wiretap in a computer network. When someone is "listening" to the network, they are actually reading and interpreting the data packets transmitted on the network. If you need to send an email or request to download a web page through a computer on the Internet, these operations will enable data to pass through many computers between you and the data destination. All the computers passing by can see the data you send, and the packet monitoring tool allows someone to intercept the data and view it.
Q: What is NIDS?
Answer: NIDS is the abbreviation of Network Intrusion Detection System, which is mainly used to detect hacker or cracker intrusion through the network. NIDS operates in two ways: one is to run on the target host to monitor its own communication information, and the other is to run on a separate machine to monitor the communication information of all network devices, such as Hub and router.
Q: What is a SYN packet?
Answer: The first packet of a TCP connection is a very small packet carrying the SYN flag. A SYN attack consists of a large number of such packets. Because they appear to come from addresses that do not actually exist, the handshakes they start can never be completed, and the target cannot process them effectively.
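A defender's view of the answer above, as an added example that is not part of the original article: a SYN flood leaves a pile of half-open connections (SYN seen, final ACK never seen), so counting them over a traffic window is a simple detection signal. The packet records, addresses (TEST-NET ranges) and thresholds below are constructed.

```python
# Added example (not from the original article): count half-open TCP handshakes in a
# window of client-to-server packets. The sample traffic and threshold are constructed.
from collections import namedtuple

Packet = namedtuple("Packet", "t src sport flags")

# Constructed sample as seen at a server: two legitimate clients complete their handshakes,
# eight spoofed sources send a SYN each and never answer the SYN-ACK.
SAMPLE = [
    Packet(0.00, "192.0.2.7", 51000, "SYN"),
    Packet(0.01, "192.0.2.7", 51000, "ACK"),  # handshake completed -> not half-open
    Packet(0.02, "192.0.2.8", 51001, "SYN"),
    Packet(0.03, "192.0.2.8", 51001, "ACK"),
] + [Packet(0.10 + i * 0.001, f"198.51.100.{i}", 40000 + i, "SYN") for i in range(1, 9)]


def half_open_connections(packets):
    """Return the set of (src, sport) that sent a SYN but never the handshake's final ACK."""
    pending = set()
    for p in packets:
        key = (p.src, p.sport)
        if p.flags == "SYN":
            pending.add(key)
        elif p.flags == "ACK" and key in pending:
            pending.discard(key)
    return pending


def handshake_completion_ratio(packets):
    """Fraction of SYNs that were followed by an ACK from the same source/port; 1.0 if no SYNs."""
    syns = {(p.src, p.sport) for p in packets if p.flags == "SYN"}
    if not syns:
        return 1.0
    return 1 - len(half_open_connections(packets)) / len(syns)


def syn_flood_suspected(packets, max_half_open=5, min_completion=0.5):
    """Flag a window when half-open connections pile up and most handshakes never complete."""
    return (len(half_open_connections(packets)) > max_half_open
            and handshake_completion_ratio(packets) < min_completion)


if __name__ == "__main__":
    print(len(half_open_connections(SAMPLE)), syn_flood_suspected(SAMPLE))
```

The state table is the thing under attack, which is why kernels answer with SYN cookies (no state kept until the ACK arrives) and why the detector above keys on the backlog rather than on packet counts alone; a burst of SYNs that do complete is just a busy server.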
Q: What does encryption technology mean?
Answer: Encryption technology is the most commonly used means of security and confidentiality. Technical means transform important data into unintelligible ciphertext (encryption) for transmission, and the data is restored (decrypted) by the same or a different means after reaching its destination.
Encryption technology consists of two elements:
The algorithm and the key.
The algorithm is the procedure that combines ordinary, understandable information with a string of numbers (the key) to produce incomprehensible ciphertext. The key is the secret parameter used to encode and decode the data. In security, appropriate key encryption technology and a management mechanism can be used to ensure the security of network information communication.
Q: What is a worm virus?
A: The worm originated with the first virus spread over the network. In 1988, Robert Morris, a 22-year-old Cornell University graduate student, released a program called a worm through the network to attack defects in UNIX systems. The worm paralyzed 6000 systems, with estimated losses of $2 million to $60 million. Because of the birth of this worm, a computer emergency response team (CERT) was also set up on the Internet. The family of worm viruses has since grown to thousands, and most of these worms are created by hackers.
Q: What is an operating system virus and what harm does it do?
A: This kind of virus inserts its own program into the operating system or replaces parts of the operating system in order to work. It has strong destructive power and can paralyze the entire system. Because it infects the operating system, when it runs it replaces legitimate program modules of the operating system with its own program fragments, and it damages the operating system according to its own characteristics, the status and role of the legitimate module it replaced, and the way it replaces the operating system. At the same time, this kind of virus is also highly infectious to files in the system.
Q: What is the Morris worm, and what are its characteristics?
A: It was written by Robert Morris, a first-year graduate student at Cornell University. The program is only 99 lines long. It took advantage of shortcomings in the Unix system: it checked the list of online users with the Finger command, cracked user passwords, copied and spread its source program through the Mail system, and compiled the resulting code.
The original design of the network worm was that when the network was idle, the program would "wander" between computers without causing any damage, and when a machine was overloaded, the program could "borrow resources" from idle computers to balance the network load. The Morris worm did not "borrow resources"; it "exhausted all resources".
Q: What is DDoS? What consequences will it lead to?
A: DDoS is a distributed denial-of-service attack. It uses the same method as an ordinary denial-of-service attack, but the attack comes from multiple sources.
Usually, attackers use downloaded tools to penetrate unprotected hosts. After obtaining appropriate access rights on a host, the attacker installs software services or processes (hereinafter referred to as agents) on it. These agents remain dormant until they receive instructions from their master to launch a denial-of-service attack against the specified target. With the widespread use of highly harmful hacker tools, a distributed denial-of-service attack can launch thousands of attacks against a target simultaneously. A single denial-of-service attack may not affect a site with ample bandwidth, while thousands of attacks distributed around the world will have fatal consequences.
Q: What is an ARP attack within the LAN?
Answer: The basic function of the ARP protocol is to look up the MAC address of a target device from its IP address so that communication can proceed.
Based on this working feature of the ARP protocol, a hacker continuously sends fraudulent ARP packets to the other computer. The packets contain a MAC address that duplicates the current device's, so that when the other party responds to messages, a simple address-duplication error prevents it from carrying out normal network communication.
Generally, a computer under ARP attack shows two symptoms:
The dialog box "The local XXX hardware address conflicts with the XXX address in the network" pops up constantly, and the computer cannot access the Internet normally because the network is interrupted. Because this attack is "spoofed" through ARP request packets, the firewall mistakes them for normal request packets and does not intercept them. Ordinary firewalls can therefore hardly resist this attack.
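Because the firewall does not help here, the usual countermeasure is to watch the IP-to-MAC bindings themselves, the way tools such as arpwatch do. The following added example is not from the original article: it learns bindings from observed ARP replies and reports the two patterns the answer above describes, one IP claimed by several MACs (the "address conflict" symptom) and one MAC answering for several IPs. The reply records, addresses and the `KNOWN_BINDINGS` table are all constructed.

```python
# Added example (not from the original article): detect ARP conflicts and poisoning
# from observed ARP replies. Sample replies and the known-bindings table are constructed.
from collections import defaultdict

# Constructed sample: (time, sender_ip, sender_mac) from ARP replies seen on one LAN segment.
ARP_REPLIES = [
    (0.0, "192.168.1.1", "aa:bb:cc:00:00:01"),   # real gateway
    (1.0, "192.168.1.20", "aa:bb:cc:00:00:20"),  # a normal host
    (2.0, "192.168.1.1", "AA:BB:CC:00:00:99"),   # gateway IP now claimed by a second MAC
    (2.1, "192.168.1.20", "aa:bb:cc:00:00:99"),  # the same MAC also claims the host's IP
    (2.2, "192.168.1.1", "aa:bb:cc:00:00:99"),
]

# Constructed static table an administrator would maintain for critical addresses.
KNOWN_BINDINGS = {"192.168.1.1": "aa:bb:cc:00:00:01"}


def learn_bindings(replies):
    """Map each IP to the set of MACs that claimed it, and each MAC to the IPs it claimed."""
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for _, ip, mac in replies:
        mac = mac.lower()  # normalize case so aa:.. and AA:.. count as one address
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    return ip_to_macs, mac_to_ips


def detect_arp_conflicts(replies):
    """Return (IPs claimed by more than one MAC, MACs claiming more than one IP)."""
    ip_to_macs, mac_to_ips = learn_bindings(replies)
    conflicting_ips = {ip: sorted(macs) for ip, macs in ip_to_macs.items() if len(macs) > 1}
    multi_ip_macs = {mac: sorted(ips) for mac, ips in mac_to_ips.items() if len(ips) > 1}
    return conflicting_ips, multi_ip_macs


def check_against_known(replies, known=KNOWN_BINDINGS):
    """Return the replies that contradict the static table for an address it covers."""
    return [r for r in replies
            if r[1] in known and r[2].lower() != known[r[1]].lower()]


if __name__ == "__main__":
    conflicts, multi = detect_arp_conflicts(ARP_REPLIES)
    print("IPs with conflicting MACs:", conflicts)
    print("MACs claiming several IPs:", multi)
    print("replies contradicting the static table:", check_against_known(ARP_REPLIES))
```

The static-table check is the one that catches the attack earliest, which is why the common mitigations are static ARP entries for the gateway on hosts and dynamic ARP inspection on managed switches; the learned-binding checks are what a passive monitor on a span port can do without any configuration.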
Q: What is a deception attack? What are its attack methods?
Answer: Network deception technology on the defensive side mainly includes the honeypot, the distributed honeypot, address-space deception, etc.
The main attack methods are:
IP spoofing, ARP spoofing, DNS spoofing, Web spoofing, e-mail spoofing, source-routing spoofing (communicating with other hosts under a false identity through a designated route, or sending forged messages, so that the attacked host takes the wrong action), address spoofing (including forging source addresses and intermediate sites), etc.