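Information Security Management (3): Network Security

This chapter is split out to deal specifically with network security, although it still only gives a fairly general overview of the characteristics of networks, common network security vulnerabilities, and methods of network security control. When using it as a reference, read it together with Information Security Management (2): What Is Information Security? Principles and Requirements of Information Security, because network security was originally part of that earlier chapter.

This article only records fragmentary notes; I will add to it later when I have time. The details will be covered next time under computer networks or distributed networks. Part 1 (definition and characteristics of networks) and Part 2 (TCP/IP) do not need to be read; they are only there as notes.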


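1 Definition and characteristics of networks

1.1 Definition of a network

(Not going to bother explaining this; look it up on a wiki yourselves.)
Uses of networks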

  • What is a network…
  • Devices in a network…
  • LAN, WAN and Internetworks
  • What do networks do for you…
    • Sharing resources
    • Use/share applications

1.2 Characteristics of networks

– Anonymity
– Automation
– Distance
– Opaqueness
– Routing diversity

1.3 Network Topology


2 TCP/IP

  • Protocols…
  • Open Systems
    • ANSI, IETF, ISO, IAB

2.1 ISO – OSI Reference Model - 7 Layers

  • Application: End user processes like FTP, e-mail, etc.
  • Presentation: Format, Encrypt data to send across network
  • Session: Establishes, manages and terminates connections between applications
  • Transport: End-to-end error recovery, flow control, priority services
  • Network: Switching, Routing, Addressing, internetworking, error handling, congestion control and packet sequencing
  • Data-link: Encoding, decoding data packets into bits. Media Access Control Sub-layer: Data access/transmit permissions. Logical Link Sub-layer: Frame synchronisation, flow control, error checking.
  • Physical: Conveys the bit stream (electrical, light, radio)

Mnemonic (layers 7 to 1): All People Seem To Need Data Protection
Mnemonic (layers 1 to 7): People Do Not Trust Sales People Always

ISO-OSI seven-layer structure

TCP/IP

2.2 Related protocols

  • Application layer – FTP, Telnet, DNS, DHCP, TFTP, RPC, NFS, SNMP…
  • Transport layer – TCP, UDP
  • Internet Layer – IP, ICMP, ARP, bootp…
  • Organisations / entities: ICANN, IETF, IAB, IRTF, ISOC, W3C
  • Other Protocols
    • IPX/SPX
    • ATM
    • DECnet
    • IEEE 802.11
    • AppleTalk
    • USB
    • SNA

3 Network security risks

3.1 What makes a network vulnerable

  • Anonymity
  • Multiplicity of points of attack
  • Resource sharing
  • Complexity of system
  • Uncertain perimeter
  • Unknown path
  • Protocol flaws / protocol implementation flaws

3.2 Motivations of network attacks

  • Challenge
  • Fame
  • Organised Crime
  • Ideology
  • Espionage / Intelligence

4 Threats in Networks

4.1 Reconnaissance

  • Port Scan
  • Social Engineering
  • Intelligence gathering
  • O/S and Application fingerprinting
  • IRC Chat rooms
  • Available documentation and tools
  • Protocol flaws / protocol implementation flaws

4.2 Threats in Transit

  • Eavesdropping / Packet sniffing
  • Media tapping (Cable, Microwave, Satellite, Optical fibre, Wireless)

4.3 Impersonation

  • Password guessing
  • Avoiding authentication
  • Non-existent authentication
  • Well-known authentication
  • Masquerading
  • Session hijacking
  • Man-in-the-middle

4.4 Message Confidentiality Threats

  • Mis-delivery
  • Exposure – in various devices in the path
  • Traffic Flow analysis – sometimes the knowledge of existence of message
    can be as important as message content

4.5 Message Integrity Threats

  • Falsification
  • Noise
  • Protocol failures / misconfigurations

4.6 Operating System based Threats

  • Buffer-Overflow
  • Virus, Trojans, rootkits
  • Password

4.7 Application based Threats

  • Web-site defacement
  • DNS cache poisoning
  • XSS (Cross-site Scripting)
  • Active-code / Mobile-code
  • Cookie harvesting
  • Scripting

4.8 Denial of service

  • SYN Flooding
  • Ping of death
  • Smurf
  • Teardrop
  • Traffic re-direction
  • Distributed Denial of Service
    • Bots and Botnets
    • Script Kiddies

5 Network Security Controls

5.1 Vulnerability and Threat assessment

5.2 Network Architecture

  • Network segmentation
  • Architect for availability
  • Avoid SPOF (single points of failure)
  • Encryption
    • Link encryption
    • End-to-end encryption
    • Secure Virtual Private Networks
    • Public Key Infrastructure and Certificates
    • SSL and SSH

5.3 Strengthening the encryption system

Strong Authentication

  • One Time Password
  • Challenge Response authentication
  • Kerberos

5.4 Firewalls

  • Packet Filters
  • Stateful Packet Filters
  • Application proxies
  • Diodes
  • Firewall on end-points

5.5 Intrusion Detection / Prevention Systems

  • Network based / host based
  • Signature based
  • Heuristics based / protocol anomaly based
  • Stealth mode

5.6 Policies and Procedures

  • Enterprise-wide Information Security Policy
  • Procedures
  • Buy-in (from Executives and employees)
  • Review, enhancement and modification

5.7 Other network controls

  1. Data-Leakage Protection systems
    • Network based / host based
  2. Content scanning/Anti-Virus/Spyware Control systems
    • Network based / host based
  3. Secure e-mail Systems
  4. Design and implementation
  5. ACLs (Access Control Lists)
