Information and Network Security Papers
Abstract: This paper surveys the present state of network security, the sources of its new problems and the main network security technologies, and proposes several approaches to achieving network security.

Keywords: network security; computer network; firewall

1 Network security and its present situation

1.1 The concept of network security

The International Organization for Standardization (ISO) defines computer security as "the technical and managerial safeguards established for data processing systems to protect computer hardware, software and data from damage for accidental or malicious reasons". This definition covers both physical security and logical security. Logical security corresponds to what is commonly called information security: the protection of the confidentiality, integrity and availability of information. Network security extends this notion to the network: it is the protection of the confidentiality, integrity and availability of the information stored on and transmitted across a network.

1.2 The current state of network security

At present, computer viruses cost small enterprises in European countries as much as 22 billion euros a year, and these viruses spread mainly by e-mail. According to statistics from the anti-virus vendor Trend Micro, the network congestion caused last year by worms such as Sobig and Slammer cost enterprises 55 billion US dollars. The losses caused by other network threats, including identity thieves and industrial spies, are hard to quantify. Figures like these show how serious the new problems of network security have become.

2 The main technologies of network security

Security is the precondition for a network's survival: only a secure network can deliver its value. Network security technology has developed together with the practice of networking and spans a wide range of technical areas. Its main technologies, authentication, encryption, firewalls and intrusion detection, form the principal lines of defence of network security.

2.1 Authentication

Authenticating legitimate users prevents unauthorized users from accessing a company's information systems, and an authentication mechanism combined with authorization also prevents legitimate users from accessing information they have no right to view. The relevant mechanisms are summarized below:

2.1.1 Identity authentication

When a user wants to access system resources, the system must first confirm that the user is who they claim to be; this is identity authentication. The simplest and most common method is a user name and password. Because the password is the only secret involved, the server must store it in a form that cannot easily be reversed (a salted, deliberately slow hash rather than plaintext) and must compare the presented value in a way that does not leak information to an attacker.
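As an added illustration (not part of the original paper), the following Python code shows the server side of a user name and password check done properly: the password is stored as a salted PBKDF2-HMAC-SHA256 digest rather than in plaintext, and verification compares digests in constant time. The user table, the passwords and the iteration count are constructed for this example.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example; tune the iteration count to your hardware
# so that one derivation takes tens of milliseconds.
PBKDF2_ITERATIONS = 100_000
SALT_BYTES = 16


def make_record(password: str) -> dict:
    """Derive a stored credential record from a password.

    The plaintext password is never stored; only a random salt and the
    PBKDF2-HMAC-SHA256 output derived from password and salt.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(record: dict, candidate: str) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    candidate_digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), record["salt"], record["iterations"]
    )
    # hmac.compare_digest does not stop at the first mismatching byte, so the
    # comparison time does not reveal how much of the digest was right.
    return hmac.compare_digest(candidate_digest, record["digest"])


# Constructed user table for the demonstration (not real credentials).
USERS = {
    "alice": make_record("correct horse battery staple"),
    "bob": make_record("hunter2"),
}


def authenticate(username: str, password: str) -> bool:
    """Return True only for a known user presenting the right password."""
    record = USERS.get(username)
    if record is None:
        # Run a dummy derivation so that unknown and known user names take a
        # similar time to reject; otherwise timing reveals which names exist.
        hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS
        )
        return False
    return verify_password(record, password)


def salts_differ(password: str) -> bool:
    """Two records for the same password must differ, thanks to the random salt.

    This is what stops an attacker who steals the table from cracking all
    users with one precomputed dictionary.
    """
    a, b = make_record(password), make_record(password)
    return a["salt"] != b["salt"] and a["digest"] != b["digest"]


if __name__ == "__main__":
    print(authenticate("alice", "correct horse battery staple"))  # True
    print(authenticate("alice", "wrong"))                         # False
    print(authenticate("mallory", "anything"))                    # False
    print(salts_differ("hunter2"))                                 # True
```

The same structure applies whatever the slow hash is (bcrypt, scrypt and Argon2 are the usual alternatives); the two properties to preserve are a per-user random salt and a constant-time comparison.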

2.1.2 Message authentication

The two communicating parties verify the content of their communication to ensure that a message was indeed generated by the claimed sender, that it is addressed to the intended receiver, and that it has not been modified in transit. In practice this is done by attaching a message authentication code (computed with a shared key) or a digital signature to each message; a sequence number or timestamp is usually included so that a genuine but old message cannot simply be replayed.

2.1.3 Access authorization

Access authorization determines which resources an authenticated user is permitted to access and which operations (read, write, execute) are allowed on them. Authentication answers who the user is; authorization answers what that user may do.

2.1.4 Digital signature

A digital signature authenticates electronic information by cryptographic means; its security and usefulness depend mainly on protecting the signer's private key and on the collision resistance of the hash function used. Digital signatures build on public-key (asymmetric) cryptography: the signer uses a private key that only they hold, and anyone can verify the signature with the corresponding public key, which is what gives non-repudiation. Symmetric algorithms can provide message authentication codes (MACs), but because both parties hold the same key a MAC cannot prove to a third party which of them produced the message. In practice the two are combined: the signature is computed over a hash of the message, and the message itself is protected with symmetric encryption.

2.2 Data encryption

Encryption transforms information so that unauthorized parties cannot read it. There are two main types: private key (symmetric) encryption and public key (asymmetric) encryption.

2.2.1 Private key encryption

Private key encryption is also called symmetric key encryption, because the key used to encrypt information is the same key used to decrypt it. Symmetric encryption provides confidentiality, but by itself it provides neither authentication between the two parties nor non-repudiation: anyone who holds the key can freely create, encrypt and send valid messages. Its advantages are high speed and ease of implementation in both hardware and software; its main difficulty is distributing the shared key securely to both parties.
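The following Python code is an added example, not from the original paper, that ties together sections 2.1.2, 2.1.4 and 2.2.1. It authenticates messages with an HMAC-SHA256 tag over the sender, receiver, sequence number and body, so that tampering, misdirection and replay are all detected, and then shows the limitation just described: because the receiver holds the same key, he can forge a message that appears to come from the sender and verifies perfectly, which is why non-repudiation requires a digital signature made with a private key rather than a shared one. The key, the names and the message contents are constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed shared key for the demonstration; in practice it comes from a key
# exchange or out-of-band distribution and is never hard-coded.
SHARED_KEY = b"example-shared-key-do-not-reuse"


def _encode(fields: dict) -> bytes:
    """Canonical serialization so sender and receiver hash identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode("utf-8")


def authenticate_message(key: bytes, sender: str, receiver: str, seq: int, body: str) -> dict:
    """Build a message and attach an HMAC-SHA256 tag over all of its fields.

    Binding sender, receiver and a sequence number into the tag covers the three
    checks in section 2.1.2 (who produced it, who it is for, whether it changed)
    and lets the receiver reject replays.
    """
    msg = {"from": sender, "to": receiver, "seq": seq, "body": body}
    msg["tag"] = hmac.new(key, _encode(msg), hashlib.sha256).hexdigest()
    return msg


def verify_message(key: bytes, msg: dict, expected_receiver: str, last_seq: int) -> bool:
    """Recompute the tag, compare in constant time, then apply receiver and replay checks."""
    fields = {k: msg[k] for k in ("from", "to", "seq", "body")}
    expected = hmac.new(key, _encode(fields), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return False               # modified in transit, or produced without the key
    if msg["to"] != expected_receiver:
        return False               # genuine, but not addressed to us
    return msg["seq"] > last_seq   # reject replayed or out-of-order messages


def demo() -> dict:
    """Exercise the genuine, tampered, replayed, misdirected and forged cases."""
    results = {}
    m = authenticate_message(SHARED_KEY, "alice", "bob", seq=1, body="transfer 100")
    results["genuine"] = verify_message(SHARED_KEY, m, "bob", last_seq=0)

    tampered = dict(m, body="transfer 1000")   # attacker edits the amount, keeps the tag
    results["tampered"] = verify_message(SHARED_KEY, tampered, "bob", last_seq=0)

    # Same message delivered again after Bob has already accepted seq 1.
    results["replayed"] = verify_message(SHARED_KEY, m, "bob", last_seq=1)

    # Message for Bob arriving at Carol, who shares the same key in this example.
    results["misdirected"] = verify_message(SHARED_KEY, m, "carol", last_seq=0)

    # The limitation of symmetric authentication: Bob holds the same key, so he
    # can forge a message "from Alice" that verifies, and no third party can tell
    # it from a genuine one. A MAC gives no non-repudiation; that needs a signature
    # made with a private key that only Alice holds (section 2.1.4).
    forged_by_bob = authenticate_message(SHARED_KEY, "alice", "bob", seq=2, body="I owe Bob 1000000")
    results["forged_by_key_holder_verifies"] = verify_message(SHARED_KEY, forged_by_bob, "bob", last_seq=1)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Expected outcome: only the genuine message and the forgery by the key holder verify; the tampered, replayed and misdirected messages are rejected.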

2.2.2 Public key encryption

Public key encryption appeared later than private key encryption. Whereas private key encryption uses the same key for encryption and decryption, public key encryption uses a pair of keys: a public key for encrypting information and a corresponding private key for decrypting it, so the encryption key can be published without revealing the decryption key. The disadvantage of public key systems is that they are computationally intensive and therefore much slower than private key systems. Combining the two gives a hybrid system: public key encryption is used to exchange a short symmetric session key, and that session key then encrypts the bulk data at symmetric speed.

2.3 Firewall technology

A firewall is a network access control device that rejects all traffic except that which is explicitly allowed to pass. Unlike a simple router, which only decides where to forward network traffic, a firewall is a system or group of systems that enforces a set of access policies on traffic passing through the access points it controls. Most firewalls combine several functions to protect their networks from malicious traffic. The most widespread techniques are static packet filtering, dynamic packet filtering, stateful inspection and proxy (application gateway) technology, in increasing order of security. In practice, however, one must weigh not only the cost-effectiveness of the system but also its throughput and connection capacity. In addition, a good modern firewall also integrates VPN termination, content inspection and intrusion detection.
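As an added example (not part of the original paper), the Python code below simulates the difference between static packet filtering and stateful inspection on the same three constructed packets. The protected network 10.0.0.0/24, the "inside hosts may open TCP/80" policy and the forged-ACK probe are assumptions of the example. The stateless filter must admit any inbound packet with source port 80 and the ACK flag set so that web replies can return, and so it also admits a forged probe aimed at port 22; the stateful filter admits only packets that match a connection an inside host actually opened.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL = ipaddress.ip_network("10.0.0.0/24")   # assumed protected network


@dataclass(frozen=True)
class Packet:
    direction: str    # "out" = leaving INTERNAL, "in" = arriving from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}


def stateless_filter(pkt: Packet) -> bool:
    """Static packet filtering: every packet is judged alone against fixed rules.

    Rule 1: inside hosts may open connections to TCP/80 anywhere.
    Rule 2: replies must be let back in, but with no connection memory the only
            handle is "source port 80 and ACK set", which an attacker can forge.
    """
    if pkt.direction == "out" and ipaddress.ip_address(pkt.src) in INTERNAL and pkt.dport == 80:
        return True
    if pkt.direction == "in" and pkt.sport == 80 and "ACK" in pkt.flags:
        return True
    return False


class StatefulFilter:
    """Stateful inspection: an inbound packet passes only if it belongs to a
    connection that an inside host opened, recorded when its SYN went out."""

    def __init__(self) -> None:
        # (inside_ip, inside_port, outside_ip, outside_port) for open connections
        self.table: set = set()

    def check(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if ipaddress.ip_address(pkt.src) in INTERNAL and pkt.dport == 80:
                if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                    self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return True
            return False
        # Inbound: the packet must match the reversed 4-tuple of a known connection.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table


def run_demo() -> dict:
    """Feed the same three constructed packets through both filters, in order."""
    sf = StatefulFilter()
    syn = Packet("out", "10.0.0.7", 51000, "198.51.100.20", 80, frozenset({"SYN"}))
    synack = Packet("in", "198.51.100.20", 80, "10.0.0.7", 51000, frozenset({"SYN", "ACK"}))
    # Constructed attack: an "ACK scan" probe with forged source port 80 aimed at SSH.
    probe = Packet("in", "203.0.113.5", 80, "10.0.0.7", 22, frozenset({"ACK"}))
    return {
        "stateless": [stateless_filter(p) for p in (syn, synack, probe)],
        "stateful": [sf.check(p) for p in (syn, synack, probe)],
    }


if __name__ == "__main__":
    print(run_demo())   # {'stateless': [True, True, True], 'stateful': [True, True, False]}
```

A production stateful firewall also ages entries out of the table and removes them on FIN/RST, which this simulation omits; the point it demonstrates is why connection state, not just per-packet header fields, is what lets the firewall distinguish a reply from a probe.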

Firewall access control is based mainly on IP addresses and ports, so it is difficult for a firewall to apply a consistent security policy to users inside and outside it. Moreover, a firewall provides only coarse-grained access control and is hard to integrate with the other security mechanisms used within the enterprise (such as host-level access control). Finally, firewalls are difficult to manage and configure, and when a firewall is composed of multiple systems (routers, filters, proxy servers, gateways and bastion hosts), parts of it are easily overlooked in day-to-day management.

2.4 Intrusion detection system

Intrusion detection is a focus of current network security research. It is an active form of protection that provides real-time monitoring against internal intrusion, external intrusion and misoperation, and aims to recognize an attack before the network system is harmed so that it can be stopped. Intrusion detection technology is developing in three directions: distributed intrusion detection, intelligent intrusion detection and integrated security defence schemes.

An intrusion detection system (IDS) combines intrusion detection software and hardware. Its main function is detection, and some intrusions can be detected but not stopped by the IDS itself. Its tasks are to detect the precursors of an intrusion so that they can be dealt with, for example by blocking the source; to record intrusion events so as to provide evidence; and to support threat assessment and recovery from intrusions.
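As an added example (not from the original paper) of the detection function described here, the Python code below runs a simple port-scan detector over a constructed connection log: it parses each line, keeps a sliding window of the destination ports each source has touched on each host, and raises an alert when one source hits five or more distinct ports within ten seconds. The log format, the window and the threshold are assumptions of the example. The detector only reports; blocking the source is a separate response action, as the text points out.

```python
import re
from collections import defaultdict, deque

# Constructed connection log in a simple firewall-like format (not from any real device):
# <epoch seconds> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
SAMPLE_LOG = """\
1000 10.0.0.5:40001 -> 10.0.0.20:80 tcp allow
1001 10.0.0.5:40002 -> 10.0.0.20:443 tcp allow
1002 203.0.113.9:50001 -> 10.0.0.20:21 tcp deny
1002 203.0.113.9:50002 -> 10.0.0.20:22 tcp deny
1003 203.0.113.9:50003 -> 10.0.0.20:23 tcp deny
1003 203.0.113.9:50004 -> 10.0.0.20:25 tcp deny
1004 203.0.113.9:50005 -> 10.0.0.20:80 tcp allow
1004 203.0.113.9:50006 -> 10.0.0.20:110 tcp deny
1005 203.0.113.9:50007 -> 10.0.0.20:143 tcp deny
this line is corrupt and must be skipped
1030 203.0.113.9:50008 -> 10.0.0.20:3389 tcp deny
1031 10.0.0.6:40010 -> 10.0.0.20:80 tcp allow
"""

LINE_RE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+) (\w+) (\w+)$")

WINDOW_SECONDS = 10   # assumed detection window
PORT_THRESHOLD = 5    # distinct destination ports per (source, host) within the window


def parse_log(text: str):
    """Yield one event dict per well-formed line; malformed lines are skipped,
    not fatal, because a sensor that crashes on bad input is easy to blind."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, sport, dst, dport, proto, action = m.groups()
        yield {"ts": int(ts), "src": src, "dst": dst,
               "dport": int(dport), "proto": proto, "action": action}


def detect_port_scans(events) -> list:
    """Alert once per (src, dst) when the source touches PORT_THRESHOLD distinct
    ports on that host within WINDOW_SECONDS.

    Each (src, dst) pair keeps a deque of (timestamp, port); entries older than the
    window are evicted as time advances, so memory is bounded by the window.
    """
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for ev in events:
        key = (ev["src"], ev["dst"])
        q = recent[key]
        q.append((ev["ts"], ev["dport"]))
        while q and ev["ts"] - q[0][0] > WINDOW_SECONDS:
            q.popleft()
        ports = {p for _, p in q}
        if len(ports) >= PORT_THRESHOLD and key not in alerted:
            alerted.add(key)
            # The alert record doubles as the evidence the text mentions: who, what, when.
            alerts.append({"src": ev["src"], "dst": ev["dst"],
                           "first_ts": q[0][0], "last_ts": ev["ts"],
                           "ports": sorted(ports)})
    return alerts


if __name__ == "__main__":
    for alert in detect_port_scans(parse_log(SAMPLE_LOG)):
        print(f"ALERT port scan {alert['src']} -> {alert['dst']} "
              f"ports={alert['ports']} between t={alert['first_ts']} and t={alert['last_ts']}")
```

The deny/allow outcome is deliberately ignored by the detector: a scan that hits an open port is still a scan, and that is exactly the probe a pure firewall log would record as "allow" and never flag.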

2.5 Virtual Private Network (VPN) technology

VPN is one of the newest and most successful technical topics addressing the new problems of information security. Virtual private network (VPN) technology establishes a private network over a public network so that data travels through the public network inside a secure encrypted "tunnel". There are two main mechanisms for building a VPN on a public network: route filtering and tunnelling. At present VPNs rely on four technologies to ensure security: tunnelling, encryption and decryption, key management, and user and device authentication. Popular tunnelling protocols are PPTP, L2TP and IPsec; PPTP is now considered weak because of flaws in its MS-CHAP authentication and RC4-based encryption, so new deployments should prefer IPsec or TLS-based VPNs. A VPN tunnelling mechanism should offer different levels of security service, including different strengths of source authentication, data encryption and data integrity. VPNs can be classified in several ways: by use, into dedicated (site-to-site) VPNs and dial-up (remote-access) VPNs; by tunnelling protocol, into Layer 2 (PPTP, L2TP) and Layer 3 (IPsec); and by initiation mode, into client-initiated and server-initiated.

2.6 Other network security technologies

(1) Smart card technology is akin to encryption technology. A smart card is a key-carrying medium held by an authorized user; the user also presents a PIN or password that must match the credential registered on the intranet server, so access requires both possession of the card and knowledge of the secret. Smart card technology is usually used in combination with authentication mechanisms.

(2) Security vulnerability scanning is a security technique that analyses the current configuration and defences of a networked system and points out its existing or potential vulnerabilities, so that they can be fixed and the system's resistance to intrusion improved.

(3) Network data storage, backup and disaster recovery planning is a security scheme that allows data to be restored quickly when the system or equipment suffers a disaster, so that the whole system can be returned to normal operation in the shortest time.

Other network security technologies include the various familiar network anti-virus technologies.

3 The origin of new network security problems

When networks were first designed, only the convenience and openness of information exchange were considered, and little planning went into ensuring information security. As computer and communication technology developed rapidly and attack and defence techniques escalated, the openness and interconnection that were the original network's inherent advantages became a convenient bridge for information security risks. Network security has become an increasingly difficult problem: any host connected to the Internet may be attacked or compromised.

The TCP/IP protocols were designed with little attention to security, and this shaped certain characteristics of the network itself; since all application security protocols run on top of TCP/IP, the security weaknesses of TCP/IP itself greatly affect the security of upper-layer applications. Widespread use of the network goes back only about ten years, while operating systems were produced and deployed much earlier, so imperfections in operating systems and software also create security holes. In the design and implementation of a security architecture, even a sound architecture may contain small programming defects that bring large security risks. In addition, a lack of close communication and cooperation between the components of a security system can easily lead to the components being defeated one by one and the whole system collapsing.

4 Thinking about the new problems and strategies of network security

Building network security is both a systematic engineering project and a social project. Strategies for the new problems of network security can start from the following four aspects.

First, from the technical perspective. We should begin with the right mindset: the nature of network security makes it a constantly changing and rapidly evolving field. Moreover, there is still a large gap between China and developed countries in information security, which means a "protracted war" on the technical front and means that investment in network security must be a long-term commitment. Second, build a high-quality team of specialists. At present the outstanding problems of network information security in China are the scarcity and loss of talent, especially top talent, while investment in training network security professionals remains seriously insufficient. Finally, when meeting concrete network security requirements, a variety of technologies should be used reasonably and in combination according to the actual situation and practical constraints (such as cost-effectiveness).

Second, from the management perspective. Whether an intranet is secure depends not only on technical means but on a comprehensive approach to the network: it must address not only physical protection but also "soft" factors such as personnel quality, which centres on management. As the saying goes, "security comes from management and must be secured through management." No matter how good the technology and equipment, without high-quality management they are just a pile of scrap metal.

Third, from the perspective of organizational systems. A network security organizational system should be established and improved as soon as possible, with responsibilities clarified at every level. Scientific systems for certification and accreditation, for technical standards and for organizational management should be established at all levels, covering information security technology, information security engineering, information security products and information security management.

Finally, while strengthening network legislation and law enforcement as soon as possible, we should continually raise the level of civility and ethics of the whole population, promote healthy "network morality" and enhance the security awareness of every network user. Only in this way can the new problems of network security be solved at their root.
