附件1:外文资料翻译译文
网络安全
1 简介
在计算机网络最初出现的几十年里,它主要用于在各大学的研究人员之间传送电子邮件,以及共同合作的职员间共享打印机。在这种条件下,安全性未能引起足够的注意,但是现在,众多的普通市民使用网络来处理银行事务、购物和纳税,网络安全逐渐成为一个潜在的巨大问题。
安全性是一个涉及面很广的问题,其中也涉及到是否构成犯罪行为的问题。大多数安全性问题的出现都是由于有恶意的人试图获得某种好处或损害某些人而故意引起的。
网络安全性可以被粗略地分为4个相互交织的部分:保密、鉴别、反拒认以及完整性控制。保密是指保护信息不被未授权者访问,这是人们在谈到网络安全性时最常想到的问题。鉴别主要指在揭示敏感信息或进行事务处理之前先确认对方身份。反拒认主要与鉴别有关:当你的客户下了一份要采购1000万双手套的订单,后来他宣称每双的价格是69美分,如何证明他原先答应的价格是89美分呢?最后,如何确定自己收到的消息是最初发送的那条消息,而不是被有恶意的敌人篡改或伪造过的呢?所有这些问题(保密、鉴别、反拒认和完整性控制)也发生在传统的系统中,但却有很大的差别。
在讨论解决方法之前,值得花些时间考虑网络安全性属于协议组的哪一部分的内容。可能无法确定一个单独的位置,因为安全性与每一层都有关。以下将从不同的角度来介绍网络安全性。
2 计算机病毒
在我们这个富有健康意识的社会中,任何形式的病毒都是敌人。计算机病毒则尤其是个祸害。这类病毒可以、也的确侵袭过没有防范的计算机系统,轻者可能仅仅是惹人心烦,重者可能造成灾难性的软件及数据损失,导致时间及财力的浪费。各家公司越来越多地使用计算机进行企业管理,这对于企业来说是至关重要的。然而,随着计算机病毒威胁的出现,病毒引发的系统瘫痪屡有发生,其代价正不断增长。我们应当关注这一问题,但恐慌是没有必要的。正如良好的饮食、运动及医疗保健可以延年益寿一样,谨慎高效的防病毒策略也可以最大限度地减少病毒入侵的机会。
计算机病毒到底是什么?
计算机病毒是一种人为设计的、可以自我复制及传播的计算机程序。一般来说,受害人对于病毒的存在并不知晓。计算机病毒可以将自身附加到其他程序(如文字处理或电子表格应用程序文件)或磁盘的引导扇区中,并借此传播。如果执行(激活)已感染了病毒的程序,或从感染了病毒的磁盘上引导系统,病毒程序也同时执行。通常,病毒程序隐藏于系统内存中,等待着感染下一个被激活的程序或下一个被访问的磁盘。
病毒的危险性在于其执行事件的能力。尽管有些病毒是良性的(例如,在某一日显示某种提示信息),但也有一些病毒令人心烦(如降低系统性能或篡改屏幕信息),更有一些病毒会破坏文件、销毁数据、导致系统瘫痪,而这将是灾难性的。
病毒程序有哪几种?
有4种主要类型的病毒:外壳型、入侵型、操作系统型和源代码型。 外壳型病毒包围在主程序的四周,对源程序不做修改。外壳型病毒较易编写,因此约半数的病毒程序是这种类型。
入侵型病毒入侵到现有程序中,实际上是把病毒程序的一部分插入主程序。入侵型病毒难以编写,不破坏主文件,很难去除这种病毒。
外壳型和入侵型病毒通常都是攻击可执行程序文件,即带有.COM或者.EXE扩展名的文件。但数据文件也有受攻击的危险。
操作系统型病毒是用它们自己的逻辑代替部分操作系统。这些病毒程序的编写非常困难,它们一旦发作就能控制整个系统。
源代码型病毒是入侵程序,它们在程序被编译之前插入到源程序中,它们是最少见的病毒程序,因为它们不仅编写困难,而且与其他类型的病毒相比,受破坏的主程序数目也有限。
3 防火墙
当把你的局域网连接到Internet后,你的用户就能够与外部世界进行接触和通信联系。然而,同时也让外界能进入你的局域网并相互产生影响。防火墙只是古代中世纪防御方法——在城堡周围挖一条深深的护城河的一种现代应用。使得每个进出城堡的人必须通过一条吊桥,在那里他们受到守桥卫士的检查。对网络可以使用同样的方法:一个公司可能有许多的局域网,它们以任意的方式连接,但是所有流进、流出公司的信息流都必须通过一个电子吊桥(防火墙)。
防火墙实质上是一个独立的进程或一组紧密结合的进程,运行在路由器或服务器上以控制经过防火墙的网络应用程序的信息流。一般来说,防火墙置于公共网络(如Internet)入口处。它们可以看做是交通警察。防火墙的作用是确保一个单位的网络与Internet之间所有的通信均符合该单位的安全方针。这些系统基本上基于TCP/IP,它能根据实施情况设置安全路障并为管理员提供下列问题的答案:
谁一直在使用我的网络? 他们在我的网络上做什么? 他们在什么时间使用我的网络? 他们在我的网络上去了何处? 谁要连接我的网络但没有成功?
通常有3种类型的防火墙实现方案,其中某些可以一起使用以建立更安全的环境。这些实现方案是过滤包、应用程序代理和电路级通用应用程序代理。
包过滤通常是在路由器中实现的,而应用程序代理通常运行在独立的服务器上。代理服务采取不同于各种包过滤的方法,使用(可能)修改过的客户机程序与专用中间主机相连,而该主机又真正与所需的服务器相连。
(1) 包过滤
把你的网络数据看成一个你必须送到某个地方的干净的小数据包。该数据可能是电子邮件、文件传输等的一部分。使用包过滤时,你自己来传送此数据包。包过滤器起交通警察的作用,它分析你想到哪儿去,你随身携带了什么。但包过滤不打开数据包,如果允许,你仍要把它送到目的地。
多数商品化的路由器都有某种内建的包过滤功能。然而,有些由ISP(Internet服务提供商)控制的路由器不可能给管理人员提供控制路由器配置的能力。在这些情况下,管理人员可能选择使用接在路由器后面的独立包过滤器。
不管哪种方法,管理人员都需要知道如何按包过滤器能理解的术语来识别数据包。由于所有Internet信息流都是基于IP(Internet协议),故通过特定的TCP(传输控制协议)或UDP(用户数据报文协议)端口可以识别每个应用程序或“数据包”。这些端口都在RFC1700中登记和定义。RFC(请求注解)1700可在Internet上找到。例如,Telnet的端口是23。公司可以阻拦所有端口为23的IP包进入。用这种方法,公司外面的人都不能通过远程登陆进来。
(2) 应用程序代理
为理解应用程序代理,来看一看这样的情况,你需要递交一个干净的小网络数据包。用应用程序级代理,情况是相似的,但现在你需要依靠另外一个人来为你传递此数据包。因此,术语“代理”说明了这个情况。包过滤适用的规则也适用应用程序代理,有一点不同,即你不能越过应用程序代理递交包。有人会为你做事,但此代理人首先要看一下包的内部来确认其内容。如果代理已有递交该包的内容的许可,他就会为你递交。
虽然笔者相信,将来代理技术会融合进路由器的程序代码中,但今天多数商品化的路由器都不具备代理功能。迄今,你还是需要依靠能支持应用程序级代理服务的独立系统。
由于应用代理需要代表发送者进行通信,所以它需要懂得与特定应用程序相关联的具体语言或协议。以广泛使用的HTTP(超文本传输协议)代理为例,如果你在网络上使用浏览器,那么可能的情况是信息系统部门有一配置成允许你通过的中央服务器访问Web的HTTP代理。这台机器懂得HTTP对话,能代表请求的客户说话。这就是应用程序级的代理。
当然,由于代理必须有能力打开“包”来进行查看或者对其内容进行译码,所以安全和加密问题随之而来。显然这些是很重要的问题,但充分讨论这这些问题需要另写一篇文章。
(3) 电路级或通用应用程序代理
与应用程序代理一样,你需要依靠某个人来为你传递数据包(对于电路级代理),区别是,如果这些电路级代理要把数据包递交到你要求的目的地时,它们就会这么做。它们不需要知道内容是什么。
电路级代理(尤其是SOCKS)工作在应用层协议的外面。这些服务器允许客户机通过此集中服务,并接到连接请求的源地址,并通过SOCKS客户程序库对它们进行重新编译和链接来阻断未经许可的客户机接到Internet上。基于DLL的TCP组还具有另外一个好处,即能通过使用垫片向应用程序提供SOCKS客户机能力,而不再需要重新编译。 附件2:外文原文(复印件)
Network Security 1 Introduction For the first few decades of their existence,computer networks were primarily used by university researchers for sending email,and by corporate employees for sharing printers.Under these conditions,security did not get a lot of attention.But now,as millions of ordinary citizens are using networks fou banking,shopping,and filing their tax returns,network security is looming on the horizon as a potentially maive problem.Security is a broad topic and covers a multitude of sins.Most security problems are intentionally caused by malcious people trying to gain some benefit or harm someone.Network security problems can be divided roughly into four intertwined areas:secrecy,authentication,non-repudiation,and integrity control.Secrecy has to do with keeping information out of the hands of unauthorized users.This is what usually comes to mind when people think about network security.Authentication deals with determining whom you are talking to before revealing sensitive information or entering into a busine deal.Non-repudation deals with signatures:how do you prove that your customer really placed an electronic order for ten million letf-handed doohickeys at 89 cents each when he laterclaims the price was 69 cents?Finally,how can you be sure that a meage you received was really the one sent and not something that a malicious adversary modified in transit or concocted?And all thes iues(secrecy,authentication,non-repudiation,and integrity control)occur in traditionl systems,too,but with some significant differences.Before getting into the solution themselves,it is worth spending a few moments considering where in the protocol stack network security belongs.There is probably no one single place.Every layer has something to contribute.In the following sections,we will study network security from several angles.2 Computer Virus
In our health-conscious society,viruses of any type are an enemy.Computer viruses are especially pernicious.They can and do strike any unprotected computer system,with results that range from merelyannoying to the disastrous,time-consuming and expensive lo of software and data.And with corporations increasingly using computer for enterprise-wide,busine-critical computing,the costs of virus-induced downtime(the time during which a machine,esp.a computer is not working or is not able to be used).are growing along with the threat from viruses themselves.Concern is justified—but unbrdled paranoia is not.Just as proper diet,exercise and preventive health care can add years to your life,prudent and cos effective anti-virus strategies can minimize your exposure to computer viruses.What is Virus? A computer virus is a program designed to replicate and spread on its own,generally with the victim being oblivious to its existence.Computer viruses spread by attaching themselves to other programs(e.g.,word proceor or spreadsheet application files)or to the boot sector of a disk.When an infected file is actvated,or executed ,or when the computer is started from an infected disk,the virus itself is also executed.Often,it lurks in computer memory,wating to infect the next program that is activate,or the next disk that is acceed.What makes viruses dangerous is their ability to perform an event .While some events are benign(e.g.,displaying a meage on a certain date)and others annoying(e.g.,slowing performance or altering the screen display),some viruses can be catastrophic by damaging files,destroying data and crashing systems.What Kinds of viruses Are There? There are four main types of viruses:shell,intrusive,operating system,and source code.Shell viruses wrap themselves around a host program and do not modify the orginal program.Shell programa are easy to write,which is why about half of all viruses are of this type.Intrusive viruses invade an existing program and actually insert a portion of themselves into the host program.Intrusive vruses are hard to write and very difficult to remove without damaging the host file.Shell and intrusive viruses most commonly attack executable program files—those with a.COM or .EXE extension—although data files are also at some risk.Operating system viruses work by replacing parts of the operating system with their own logic.Very difficult to write,these viruses have the ability,once booted up,to take total control of your system.Source code viruses are intrusive program that are inserted into a source program prio to the program being compiled.They are the least common viruses because they are not only hard to write,but also have a limited number of hosts compared to the other types.3 Firewall When you connect your LAN to the internet,you are enabling your users to touch and communicate with the outside world.At the same time,however,you are enabling the outside world to touch and interact with your LAN.Firewalla are just a modern adaptation of that old medieval security standby:digging a deep moat around your castle.This design forced everyone entering or leaving the castle to pa over a single drawbridge,where they could be inspected by the I/O police.With networks,the same trick is poible:a company can have many LANs connected in arbitrary ways, but all traffics to or from the company is forced through an electronic drawbridge(firewall).Basically,a firewall is a standalone proce or a set of integrated procees that runs on a router or server to control the flow of networked application traffic paing through it.Typically,firewalla are placed on the entry point to a public network such as the internet.They could be considered traffic cops.The firewall’s role is to the organization’s security policies.Primarily these system are TCP/IP based and,depending on the implementation,can enforce security roadblocks as well as provide administrators with answers to the following questions: Who’s been using my network? What were they doing on my network? When were they using my network? Where were they going on my network? Who failed to enter my network? In general,there are three types of firewall implementations,some of which can be used together to create a more secure environment.These implementations are:packek filterng,application proxies,and circuit-level or generic-application proxies.Packet filtering is often achieved in the router itself.Application proxies,on the other hand,usually run on standalone servers.Proxy services take a different approach than packet filters,using a(poibly)modfied client program that connects to a special intermediate host that actually connects to the desired service.(1) Packet Filtering Consider your network data a neat little package that you have to deliver somewhere.This data could be part of an e-mail,file transfer,etc.with packet filtering,you have acce to deliver the package yourself.The packet filter acts like a traffic cop;it nanlyzes where you are going and what you are bringing with you.However,the packet filter does not open the data package,and you still get to drive it to the destnation allowed.Most commercial routers have some kind of built-in packet filtering capability.However some routers that are controlled by ISPs may not offer administrators the ability to control the configuration of router.In those cases, administrators may opt to use a standalone packet filter behind the router.Either way,an administrator needs to understand how to identify data packages in terms the packet filter can understand.Since all Internet traffic is based on IP(Internet Protocol),each application or“package”can be identified through a specific TCP(Transmiion Control Protocol)or UDP(User Datagram Protocol)Port.These ports are registered and defined in RFC(Request for Comment)1700 which can be found on the internet.For example,port 23 is for Telnet.A company could block incoming packets for all IP addrees combined with port 23.In this way,no one outside the company could log in via Telnet.(2) Application Proxy To understand the application proxy,consider this scenario where you need to deliver your neat little package of network data.With application-level proxies,the scenario is similar,but now you need to rely on someone else to deliver the package for you.Hence the term proxy illustrates new scenario.The same rules apply as they do for packet filtering,except that you don’t get to deliver your package past the gate.Someone will do it for you,but that agent needs to look inside the package first to conform its contents.If the agent has permiion to deliver the contents of the package for you,he will.Most commercial routers do not have proxy capabilties today,although we believe that proxy technology will be integrated with router in the future.Until then,you need to rely on a standalone system that can support application-level proxy services.Since an application proxy needs to communicate on behalf of the sender,it needs to understand the specific language or protocols aociated with a particular application.Take as an example the widely used HTTP(Hypertext Transfer Protocol)proxy.If you are using a browser on your network,it is highly likely that your IS group has an HTTP proxy configured to allow you to acce the Web via a central server.That single machine understands HTTP conversations and speak on behalf of the requesting client.This is application-level proxy.Of course,security and encryption also come into play,since the proxy must be able to open the “package”to look at or decode its contents.These are important iues obviously,but to do them justice would require another article.(3) Circuit-Level or Generic-Application Proxy As with application-level proxy,you need to rely on someone to deliver your package for you.The difference is that if these circuit-level proxies have acce to deliver the package to your requented destination,they will.They do not need to know what is inside.Circuit-level proxies(specifically SOCKS)work outside of the application layers of the protocol.These servers allow clients to pa through this centralized service and onnect to source addre of connection requests and can block unauthorized clients from connecting out onto recompiling and linking them with a SOCKS client library.DLL-based TCP stacks have the use of shims,eliminating the need to recompile.
