What are the key technologies of network security?
1. Virtual network technology

Virtual network technology is built mainly on the LAN switching technology (ATM and Ethernet switching) developed in recent years. Switching turns the traditional broadcast-based LAN into a connection-oriented technology, so the network management system can limit the communication range of the local area network without an expensive router.

The security benefit of this mechanism is obvious: information only reaches where it should, so most intrusion methods based on network sniffing are blocked. Through the access control configured on the virtual network, nodes outside it cannot directly access nodes inside it. Virtual network technology has, however, brought new security problems of its own:

The devices that perform virtual network switching become more and more complex and thus themselves become targets of attack.

Intrusion detection based on the broadcast principle of the network needs special configuration (a monitoring port) in high-speed switched networks.

MAC-based VLAN cannot prevent MAC spoofing attacks.

Ethernet is essentially a broadcast mechanism, but once switches and VLAN technology are applied it effectively becomes point-to-point communication. Unless a monitoring (mirror) port is configured, eavesdropping on and insertion (replacement) of the exchanged information are no longer possible.

However, VLAN division based on MAC addresses is exposed to MAC address spoofing, so VLANs are best divided by switch port. This requires either that every desktop on the network is attached to its own switch port, or that all machines on the segment behind a given switch port belong to the same VLAN.

Network-layer communication can cross routers, so attacks can be launched from far away. Implementations of the IP protocol family are imperfect, so relatively many security vulnerabilities have been found at the network layer, such as IP sweeps, teardrop, SYN flood and IP spoofing attacks.

2. Firewall technology

A network firewall is a special network interconnection device used to strengthen access control between networks, to prevent external users from illegally entering the internal network over the external network and accessing internal resources, and to protect the internal network's operating environment. It checks the packets passing between two or more networks against a defined security policy to decide whether communication between the networks is allowed, and it monitors the network's operating status.

Firewall products mainly include the bastion host, the packet-filtering router, the application-layer gateway (proxy server), the circuit-level gateway, the screened host firewall, the dual-homed host and so on.

Although a firewall is an effective means of protecting a network from attack, it has obvious shortcomings: it cannot prevent attacks that bypass the firewall, it cannot prevent threats from malicious insiders and temporary users, it cannot completely prevent the spread of infected software or files, and it cannot prevent data-driven attacks.

Since 1986, when Digital Equipment Corporation (Digital) in the United States installed the world's first commercial firewall system on the Internet and put forward the concept of the firewall, firewall technology has developed rapidly, and dozens of companies at home and abroad have launched firewall products with different functions.

The firewall sits at the bottom of the five-layer network security system and belongs to network-layer security technology. At this level, the question an enterprise asks of its security system is whether any IP can access the enterprise's internal network system. If the answer is "yes", the intranet has taken no corresponding preventive measures at the network layer.

As the first barrier between the internal network and the external public network, the firewall is one of the first network security products people paid attention to. In theory the firewall sits at the lowest level of network security and is responsible for security authentication and transmission between networks, but with the overall development of network security technology and the constant change in network applications, modern firewall technology has gradually moved to security levels beyond the network layer: it not only performs the filtering tasks of the traditional firewall but also provides corresponding security services for various network applications. In addition, many firewall products are developing in the direction of data security and user authentication, to prevent intrusion by viruses and hackers.

1. Benefits of using a firewall

Protect vulnerable services

By filtering unsafe services, a firewall can greatly improve network security and reduce the risk to hosts on the subnet.

For example, a firewall can block NIS and NFS services, and it can reject both source-routed packets and ICMP redirect packets.

Control system access

A firewall can provide access control to systems: some hosts may be reached from outside while others are forbidden, for example allowing external access only to specific mail and Web servers.

Centralized security management

The firewall realizes centralized security management of the intranet: security rules defined on the firewall apply to the whole intranet without setting a security policy on every machine. For example, different authentication methods can be defined on the firewall without installing specific authentication software on each machine, and external users need to be authenticated only once to access the intranet.

Enhanced confidentiality

A firewall can prevent attackers from obtaining information useful for attacking the network, such as that exposed by Finger and DNS.

Log and audit network usage and misuse

A firewall can log and account for all network communication that passes through it and provide statistics on network usage. These statistics help in judging possible attacks and probes.

Policy implementation

A firewall provides a means of formulating and enforcing a network security policy. Without a firewall, network security depends on the users of each host.

2. Elements of setting up a firewall

Network policy

Network policies that affect the design, installation and use of a firewall system can be divided into two levels. The high-level network policy defines which services are allowed or prohibited and how they may be used. The low-level network policy describes how the firewall restricts and filters the services defined in the high-level policy.

Service access policy

The service access policy focuses on Internet access services and external network access (such as the dial-in policy, SLIP/PPP connections, etc.).

The service access policy must be feasible and reasonable. A feasible policy must strike a balance between preventing known network risks and providing services to users. A typical service access policy is: where necessary, allow users with enhanced authentication to access some internal hosts and services from the Internet; allow internal users to access designated Internet hosts and services.

Firewall design policy

The firewall design policy is specific to a given firewall and defines the rules that implement the service access policy. There are usually two basic design policies:

Allow any service unless explicitly prohibited;

No services are allowed unless explicitly allowed.

The second design policy is usually adopted.

3. Basic classification of firewalls

Packet filtering type

Packet-filtering products are the earliest firewall products, and their technical basis is packet transmission in the network. Data on the network is transmitted as packets: it is divided into packets of a certain size, each of which carries specific information such as the source and destination address of the data and the TCP/UDP source and destination ports. By reading the address information in a packet, the firewall can judge whether it comes from a trusted, secure site; once a packet from a dangerous site is found, the firewall shuts it out. System administrators can also flexibly formulate the judgment rules according to the actual situation.

The advantages of packet filtering are simplicity, practicality and low implementation cost. In a simple application environment it can guarantee a certain degree of system security at small cost.

However, the shortcomings of packet filtering are also obvious. Packet filtering is a security technology based entirely on the network layer: it can only judge by network information such as a packet's source, destination and port, and it cannot identify application-layer intrusions such as malicious Java applets or viruses attached to e-mail. Experienced attackers can easily forge IP addresses and fool a packet-filtering firewall.
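As an added illustration (not code from the original article) of the packet-filtering rules and of the "no service unless explicitly allowed" design policy described above, the following constructed Python evaluator matches packets on source and destination address, protocol, destination port and arrival interface, and falls through to deny when no rule matches. The rule set, addresses and interface names are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str            # source IP address
    dst: str            # destination IP address
    proto: str          # "tcp", "udp" or "icmp"
    dport: Optional[int]  # destination port; None for ICMP
    iface: str          # interface the packet arrived on


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str = "0.0.0.0/0"      # CIDR; default matches any source
    dst: str = "0.0.0.0/0"      # CIDR; default matches any destination
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    iface: Optional[str] = None  # None matches any interface

    def matches(self, p: Packet) -> bool:
        # Only network-layer and transport-header fields are consulted:
        # this filter cannot see application content (its stated limitation).
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport)
                and self.iface in (None, p.iface))


def filter_packet(rules: List[Rule], packet: Packet) -> str:
    """First matching rule wins; no match means deny (design policy 2)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Constructed rule set: intranet 10.0.0.0/8 sits behind the "inside" interface,
# and only a Web server (10.0.0.80) and a mail server (10.0.0.25) are published.
RULES = [
    # Anti-spoofing: an intranet source address must never arrive from outside.
    Rule("deny", src="10.0.0.0/8", iface="outside"),
    Rule("allow", dst="10.0.0.80/32", proto="tcp", dport=80, iface="outside"),
    Rule("allow", dst="10.0.0.25/32", proto="tcp", dport=25, iface="outside"),
    # Intranet users may reach the Internet; everything else is denied.
    Rule("allow", src="10.0.0.0/8", iface="inside"),
]
```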

Network address translation (NAT)

NAT is a standard for converting IP addresses into temporary, external, registered IP addresses. It allows internal networks using private IP addresses to access the Internet, which also means that users need not obtain a registered IP address for every machine on their network.

When the internal network accesses the external network through the secure network card, a mapping record is generated. The system maps the outgoing source address and source port to a disguised address and port, which connects to the external network through the unsecured network card, thus hiding the real internal address. When the external network accesses the internal network through the insecure network card, it knows nothing about the internal network's connections and sees only the open IP addresses and ports. The OLM firewall judges whether the access is secure according to predefined mapping rules: when the rules are met, it considers the access safe and can accept the request or map the connection request to a different internal computer; when they are not met, it considers the access unsafe and blocks the external connection request. The network address translation process is transparent to users.
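The mapping behaviour just described, as an added example that is not part of the original article: a constructed Python NAT table in which an outbound connection creates a mapping record, inbound packets are admitted only through an existing record or a predefined static rule, and everything else is blocked. The public address, port range and internal hosts are assumptions for the example.

```python
import itertools
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


class NatTable:
    """Stateful NAT/PAT table: outbound traffic is rewritten to the public
    address plus a mapped port; inbound traffic passes only via a mapping."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)       # next free public port
        # (int_ip, int_port, ext_ip, ext_port) -> public port
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, ext_ip, ext_port) -> (int_ip, int_port)
        self._inbound: Dict[Tuple[int, str, int], Endpoint] = {}
        # Predefined mapping rules: public port -> internal server
        self._static: Dict[int, Endpoint] = {}

    def add_static_mapping(self, public_port: int, int_ip: str, int_port: int) -> None:
        """Predefined rule that forwards a public port to an internal computer."""
        self._static[public_port] = (int_ip, int_port)

    def translate_outbound(self, int_ip: str, int_port: int,
                           ext_ip: str, ext_port: int) -> Endpoint:
        """Return the disguised (public_ip, port) used on the unsecured side,
        creating the mapping record on first use."""
        key = (int_ip, int_port, ext_ip, ext_port)
        if key not in self._outbound:
            public_port = next(self._ports)
            self._outbound[key] = public_port
            self._inbound[(public_port, ext_ip, ext_port)] = (int_ip, int_port)
        return self.public_ip, self._outbound[key]

    def translate_inbound(self, public_port: int, ext_ip: str,
                          ext_port: int) -> Optional[Endpoint]:
        """Return the internal endpoint for an inbound packet, or None to block it.
        The remote endpoint is part of the key, so a different external host
        cannot reuse a mapping that was created for someone else."""
        dynamic = self._inbound.get((public_port, ext_ip, ext_port))
        if dynamic is not None:
            return dynamic
        return self._static.get(public_port)   # None: no rule matched, blocked
```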

Proxy type

A proxy firewall, also called a proxy server, is more secure than packet-filtering products and has begun to move to the application layer. The proxy server sits between client and server and completely blocks direct data exchange between them: from the client's point of view the proxy is the real server, and from the server's point of view the proxy is the real client. When a client needs data on the server, it first sends its request to the proxy, the proxy requests the data from the server on its behalf, and the proxy then passes the data to the client. Because there is no direct data channel between external systems and internal servers, it is difficult for external malicious activity to harm the enterprise's internal network.

The advantage of the proxy firewall is high security: it can inspect and scan the application layer and is very effective against application-based intrusions and viruses. Its disadvantage is a large impact on overall system performance, and a proxy must be set up for every application type the clients may generate, which greatly increases the complexity of system management.

Monitoring type

The monitoring firewall is a new-generation product, and its technology has actually gone beyond the original definition of a firewall. It can actively monitor data at all levels in real time, and by analysing these data it can effectively judge illegal intrusion at all levels. Such products generally also have distributed detectors placed in application servers and other network nodes, so they not only detect attacks from outside the network but also have a strong preventive effect on malicious damage from inside. According to statistics from authoritative organizations, a considerable proportion of attacks against network systems come from within the network. The monitoring firewall therefore goes beyond the definition of the traditional firewall and surpasses the previous two generations of products in security.

Although the monitoring firewall's security surpasses that of the packet-filtering and proxy firewalls, its high implementation cost and difficult management mean that the second-generation proxy firewall is still the main product in practice, while the monitoring firewall has been applied in some areas. Weighing system cost against the cost of security technology, users can selectively adopt some monitoring technologies, which meets the network system's security requirements while effectively controlling the total cost of ownership of the security system.

In fact, as the mainstream trend in firewall products, most proxy servers (also called application gateways) also integrate packet-filtering technology, and the combined use of the two obviously has greater advantages than either alone. Because the product is application-based, the application gateway can filter at the protocol level: for example, the PUT command in an FTP connection can be filtered out, and by proxying applications the gateway can effectively avoid information leakage from the intranet. It is precisely because of these characteristics that the difficulties in deploying application gateways centre on effective support for the various network application protocols and on the impact on overall network performance.

4. Principles for building a firewall

Analyze security and service requirements

The following questions help to analyze security and service requirements:

√ Which Internet services you plan to use, and from where (local network, dial-up, remote office).

√ Additional requirements, such as encryption or dial-up access support.

√ The risks of providing the above services and access.

√ The cost, in system and application services sacrificed, of providing network security control.

Policy flexibility

Generally speaking, an Internet-related network security policy should be flexible for the following reasons:

√ With the rapid development of the Internet itself, organizations may need to constantly use new services provided by the Internet to conduct business. The emergence of new protocols and services has brought new security problems, and security policies must be able to respond and deal with these problems.

√ The risks faced by institutions are not static, and changes in institutional functions and network settings may change risks.

Remote user authentication policy

√ Remote users must not access the system through an unauthenticated modem behind the firewall.

√ PPP/SLIP connection must be authenticated by firewall.

√ Train remote users in identity authentication methods.

Dial-in/dial-out policy

√ Dial-in/dial-out capability must be considered and integrated when designing the firewall.

√ External dial-in users must be authenticated by the firewall.

Information server policy

√ The security of public information servers must be integrated into the firewall.

√ The public information server must be strictly controlled, otherwise it will become a gap in system security.

√ Define a compromise security policy for information servers that allows public services to be provided.

√ Distinguish public information services from commercial information (such as e-mail) through security policies.

Basic characteristics of firewall system

√ The firewall must support the design strategy of "No service unless explicitly allowed".

√ The firewall must support the actual security policy, rather than changing the security policy to adapt to the firewall.

√ The firewall must be flexible enough to adapt to changes in security policy brought about by new services and changes in the institution's functions.

√ Firewall must support enhanced authentication mechanism.

√ Firewall should use filtering technology to allow or deny access to specific hosts.

√ The IP filtering description language should be flexible and user-friendly, supporting source IP and destination IP, protocol type, source and destination TCP/UDP ports, and arriving and departing interfaces.

√ The firewall should provide proxy services for FTP and TELNET so that an enhanced, centralized authentication management mechanism can be applied. If other services (such as NNTP, rlogin, etc.) are proxied but their authentication is not encrypted, passwords are easy to sniff and crack.

Authentication using a digest algorithm

RADIUS (the remote dial-in authentication protocol), OSPF and SNMP security protocols all authenticate with a shared secret key and a digest algorithm (MD5). Because a digest is a one-way process, the shared secret key cannot be calculated from the digest during authentication, and sensitive information is never transmitted over the network. The main digest algorithms in use are MD5 and SHA-1.
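The shared-secret digest authentication described above, as an added example that is not from the original article: a constructed Python challenge-response exchange in which the authenticator is a digest over the message followed by the shared secret (the message || secret construction used by OSPF and RADIUS), so only the digest travels and the verifier recomputes it with its own copy of the secret. The message layout, the user name and the secret are assumptions for the example.

```python
import hashlib
import hmac
import os
from typing import Tuple


def keyed_digest(message: bytes, shared_secret: bytes, algo: str = "md5") -> bytes:
    """Digest of message || shared secret. The secret never leaves either side,
    and the one-way property of the digest prevents recovering it from what is
    observed on the wire. (Modern protocols prefer HMAC over this construction.)"""
    return hashlib.new(algo, message + shared_secret).digest()


def issue_challenge() -> bytes:
    """Verifier side: a fresh random challenge so an old digest cannot be replayed
    (RADIUS uses a random Request Authenticator in the same role)."""
    return os.urandom(16)


def build_response(user: str, challenge: bytes, shared_secret: bytes,
                   algo: str = "md5") -> Tuple[bytes, bytes]:
    """Client side: the message that goes on the wire and its authenticator."""
    message = user.encode() + b"|" + challenge.hex().encode()
    return message, keyed_digest(message, shared_secret, algo)


def verify_response(message: bytes, digest: bytes, challenge: bytes,
                    shared_secret: bytes, algo: str = "md5") -> bool:
    """Verifier side: check the response was built for this challenge, then
    recompute the digest with the local secret and compare in constant time."""
    if not message.endswith(b"|" + challenge.hex().encode()):
        return False    # built for a different challenge: replay or mismatch
    expected = keyed_digest(message, shared_secret, algo)
    return hmac.compare_digest(expected, digest)


if __name__ == "__main__":
    secret = b"constructed-shared-secret"      # provisioned on both sides out of band
    chal = issue_challenge()
    msg, dig = build_response("alice", chal, secret)
    print("accepted:", verify_response(msg, dig, chal, secret))
```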

Authentication based on PKI

This method uses a public key system for authentication and encryption. It has high security and comprehensively adopts digest algorithms, asymmetric encryption, symmetric encryption, digital signatures and other techniques, combining security and efficiency well. The basic principle of PKI-based authentication is described later. This authentication method is currently used in e-mail, application server access, client authentication, firewall verification and other fields.

This authentication method has high security, but it involves heavy certificate management tasks.