Author: happysolon
Today's local area networks are almost all Ethernet, a technology built on broadcasting: a packet exchanged between any two nodes is received not only by the network cards of those two nodes but can also be captured by the network card of any other node on the same Ethernet segment. Therefore an attacker only needs to attach to any node on the Ethernet and listen in order to capture every packet on that segment, unpack and analyse it, and steal key information. This is a security weakness inherent to Ethernet.
In fact, many hacker tools freely available on the Internet, such as SATAN, ISS and NETCAT, use Ethernet sniffing as their most basic technique.
Currently, LAN security solutions fall into the following categories:
1. Network segmentation
Network segmentation is usually regarded as a basic means of controlling broadcast storms, but it is also an important network security measure. Its purpose is to isolate unauthorised users from sensitive network resources and so prevent possible unauthorised eavesdropping. Network segmentation can be done in two ways: physical segmentation and logical segmentation.
At present, most customs LANs use a layout with switches at the core and routers at the border. The access-control and layer-3 switching functions of the core switches should be exploited to the full, combining physical and logical segmentation to achieve security control of the LAN. For example, the intrusion detection function of the DEC MultiSwitch 900, widely used in the customs system, is in fact MAC-address-based access control, that is, the data-link-layer physical segmentation described above.
2. Replace shared hubs with switching hubs
Even after the core switch of the LAN has been segmented, the danger of Ethernet sniffing still exists. This is because end users are usually connected to the network through branch hubs rather than the core switch, and the most widely used branch hubs are shared hubs. As a result, when a user communicates with a host, the packets between the two machines (called unicast packets) can still be sniffed by other users on the same hub. One very dangerous case: a user TELNETs to a host; since the TELNET program itself has no encryption, every character the user types (including the user name, password and other important information) is sent in cleartext, which gives an attacker an opportunity.
Therefore, shared hubs should be replaced with switching hubs, so that unicast packets travel only between the two nodes concerned, preventing unauthorised eavesdropping. Of course, a switching hub can only control unicast packets; it cannot control broadcast packets or multicast packets. Fortunately, broadcast and multicast packets carry far less key information than unicast packets.
3. VLAN partitioning
To overcome the Ethernet broadcast problem, besides the methods above, VLAN (virtual LAN) technology can be used to turn Ethernet communication into point-to-point communication, preventing most intrusions based on network sniffing.
There are currently three main kinds of VLAN technology: VLANs based on switch ports, VLANs based on node MAC addresses, and VLANs based on application protocols. Port-based VLANs are somewhat less flexible, but they are mature, work well in practice and are widely adopted. MAC-address-based VLANs make mobile computing possible, but also carry the hidden risk of MAC spoofing attacks. Protocol-based VLANs are ideal in theory, but their practical application is not yet mature.
In a centralised network environment, we usually put all of the central host systems into one VLAN and allow no user nodes in that VLAN, so that sensitive host resources are better protected. In a distributed network environment, we can divide VLANs by organisational unit or department. All servers and user nodes within each department are then in their own VLAN and do not interfere with one another.
Connections within a VLAN are implemented by switching, while connections between VLANs are implemented by routing. At present most switches (including the DEC MultiSwitch 900 widely used within customs) support both RIP and OSPF, the two international-standard routing protocols. If there is a special need to use another routing protocol (such as Cisco's EIGRP, or IS-IS with DECnet support), an external router with multiple Ethernet ports can be used instead of the switch to provide routing between VLANs. Of course, in that case the routing and forwarding efficiency will be somewhat lower.
Whether switching hubs or VLAN switches, both have switching technology at their core. They are quite effective at controlling broadcasts and keeping hackers out, but they also cause trouble for intrusion monitoring and protocol analysis techniques that rely on the broadcast principle. Therefore, if such intrusion monitoring or protocol analysis devices are present on the LAN, special switches with a SPAN (Switch Port Analyzer) function must be chosen. Such a switch allows the system administrator to mirror the packets from all or some of the switch ports to a designated port, delivering them to the intrusion monitoring or protocol analysis device attached to that port. In the design of the Xiamen Customs extranet, the author chose Cisco's Catalyst series switches with SPAN capability, gaining the benefits of switching technology while still giving the existing Sniffer protocol analyser a place to show its worth.
WAN security
Because wide area networks mostly use public networks for data transmission, the likelihood of information being intercepted and exploited while crossing the WAN is much greater than on a LAN. Without dedicated software to control the data, communications can easily be intercepted and decoded using "packet sniffing" tools freely downloadable from the Internet.
Therefore, measures must be taken so that, when information is sent and received over the WAN, the following are guaranteed:
① no one other than the sender and the receiver can learn the content (privacy);
② the content is not tampered with in transit (authenticity);
③ the sender can be certain that the receiver is not an impostor (non-impersonation);
④ the sender cannot deny having sent the message (non-repudiation).
To achieve these security goals, WANs usually adopt the following security solutions:
1. Encryption
The basic idea of encryption-based network security is not to rely on the security of the network's data channels to secure the network system, but to guarantee the security and reliability of the network by encrypting the network data. Data encryption techniques can be divided into three categories: symmetric encryption, asymmetric encryption and irreversible encryption.
Of these, irreversible encryption algorithms have no key storage or distribution problem and suit distributed network systems, but their computational cost is considerable, so they are usually used where the amount of data is limited. Passwords in computer systems are encrypted with irreversible encryption algorithms. In recent years, as computer system performance has kept improving, the use of irreversible encryption algorithms has gradually increased; common examples are RSA's MD5 and the US National Bureau of Standards' SHS. The Cisco routers widely used in the customs system offer two ways of encrypting passwords: Enable Secret and Enable Password. Enable Secret uses the irreversible MD5 algorithm, and so far no way of breaking it has been found (other than a dictionary attack). Enable Password, on the other hand, uses a very weak encryption algorithm (it simply XORs the password with a constant), and at least two cracking programs for it already exist. Therefore, it is best not to use Enable Password.
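As an added example that is not part of the original article, the following Python audit scans a constructed Cisco IOS configuration fragment and flags every credential line that uses the weak Enable Password scheme (type 7) or is stored in cleartext (type 0), while confirming that an Enable Secret (type 5, MD5-based) is configured. The hostname, the configuration text and the hash values are constructed placeholders.

```python
import re
from typing import Dict, List

# Constructed sample IOS configuration (not from the article); hashes are placeholders.
SAMPLE_CONFIG = """\
hostname customs-edge
service password-encryption
enable password 7 0822455D0A16
enable secret 5 $1$placeholder$hashvalueXXXXXXXXXXXXXX
username admin password 0 cleartextpw
username ops secret 5 $1$placeholder$anotherhashXXXXXXXXXXXX
line vty 0 4
 password 7 094F471A1A0A
"""

# IOS password types: 0 = cleartext, 7 = reversible XOR-style encoding (the
# "Enable Password" scheme the article warns about), 5 = MD5-based "Enable Secret".
# Note that "service password-encryption" only turns type 0 into type 7, so its
# presence does not remove the weakness.
WEAK_TYPES = {"0", "7"}

CRED_LINE = re.compile(
    r"^\s*(?P<prefix>enable password|enable secret|username \S+ (?:password|secret)|password)"
    r"(?:\s+(?P<type>\d))?\s+(?P<value>\S+)\s*$"
)


def audit_config(config: str) -> List[Dict[str, str]]:
    """Return one finding per credential line stored with a reversible or cleartext scheme."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = CRED_LINE.match(line)
        if not m:
            continue
        ptype = m.group("type") or "0"  # no type digit means the value is cleartext
        if ptype in WEAK_TYPES:
            findings.append({
                "line": lineno,
                "text": line.strip(),
                "type": ptype,
                "advice": "replace with 'enable secret' / 'username ... secret'",
            })
    return findings


def has_enable_secret(config: str) -> bool:
    """True if an 'enable secret' line (irreversible hash) is configured."""
    return any(re.match(r"^\s*enable secret\s", l) for l in config.splitlines())


if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']}: type {f['type']} -> {f['text']}  ({f['advice']})")
    print("enable secret present:", has_enable_secret(SAMPLE_CONFIG))
```

Newer IOS releases also offer secret types stronger than MD5; the check above treats any `secret` line as acceptable and only reports the reversible and cleartext forms.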
2. VPN technology
The core of VPN (virtual private network) technology is tunnelling: the enterprise's private network data is encrypted and encapsulated, then transmitted through a virtual tunnel over the public network, preventing sensitive data from being stolen. A VPN can be built over the Internet, a service provider's IP network, Frame Relay or ATM. An enterprise that builds a VPN over a public network enjoys security, priority, reliability and manageability comparable to building an intranet over its own private network, while the construction time, capital investment and maintenance costs are greatly reduced, and mobile computing becomes possible. This is why VPN technology became popular worldwide as soon as it appeared.
It should be pointed out, however, that many of the core VPN protocols, such as L2TP and IPSec, have not yet become universal standards. This makes interoperability between different VPN service providers and between VPN devices a problem. Therefore, when selecting equipment for a VPN, enterprises must choose VPN service providers and VPN devices carefully.
3. Identity authentication
For users who dial in from outside to the headquarters intranet, security must be controlled even more strictly because of the risks of transmitting data over the public telephone network. A common approach is to use identity authentication technology to verify the identity of dial-up users and keep complete login logs. The more commonly used authentication technologies are TACACS+, proposed by Cisco, and the industry-standard RADIUS. In the design of the Xiamen Customs extranet, the author chose Cisco's CiscoSecure ACS V2.3 software for RADIUS authentication.
External network security
Customs external network construction usually refers to two kinds of interconnection: with the Internet, and with external enterprise users. Whichever kind of external network it is, the TCP/IP-based Internet protocol suite is universally used. The openness of the Internet protocol suite itself has greatly facilitated the networking and interconnection of all kinds of computers and directly driven the rapid development of network technology. However, because security was neglected in the design of the early network protocols, and because of the anarchic way the Internet is used and managed, the security of the Internet itself has gradually come under threat and hacker incidents occur frequently.
The main threats to external network security are: unauthorised access, impersonation of legitimate users, destruction of data integrity, disruption of normal system operation, spreading viruses over the network, line tapping, and so on.
External network security solutions rely mainly on firewall technology, intrusion detection technology and network anti-virus technology. In practical external network security designs, a combination of these three (firewall, intrusion detection and network anti-virus) is usually adopted. In the design of the Xiamen Customs extranet, the author chose the latest version of NAI's three-homed adaptive dynamic firewall, Gauntlet Active Firewall. This firewall product integrates the Gauntlet Firewall, CyberCop Scanner, CyberCop Monitor and WebShield for Firewall suites, merging firewall, intrusion detection and network anti-virus technology into one tightly integrated whole in which each complements the others, and it is relatively cost-effective.