With the continuous development of computer network, global informatization has become a major trend of human development. However, due to the diversity of connection forms, the uneven distribution of terminals, the openness and interconnection of networks, computer networks are easily attacked by hackers, geeks, malicious software and other irregular behaviors, so the security and confidentiality of online information is a crucial issue. For computer network systems that transmit sensitive data, such as military automation command network, C3I system, banks, etc., the security of online information is particularly important. Therefore, the above-mentioned network must have strong enough security measures, otherwise it will be useless and even endanger national security. Whether it is a local area network or a wide area network, there are many loopholes and potential threats caused by natural and human factors. Therefore, network security measures should be aimed at various threats and vulnerabilities to ensure the confidentiality, integrity and availability of network information.
2. Threats to computing networks
The threats faced by computer networks can be roughly divided into two types: one is the threat to the information in the network; The second is the threat to the equipment in the network. There are many factors that affect computer networks, some of which may be intentional or unintentional. It may be man-made or non-man-made; It may be that foreign hackers illegally occupy network system resources. To sum up, network security faces three major threats:
(1) Unintentional human error: such as security loopholes caused by improper security configuration of operators, poor security awareness of users, careless password selection of users, and users lending or sharing their accounts with others at will will all pose a threat to network security.
(2) Man-made malicious attacks: This is the biggest threat to computer networks, and both adversary attacks and computer crimes fall into this category. This kind of attack can be divided into the following two types: one is active attack, which selectively destroys the validity and integrity of information in various ways; The other is passive attack, which intercepts, steals and deciphers important confidential information without affecting the normal work of the network. Both attacks will do great harm to computer networks and lead to the disclosure of confidential data.
(3) Vulnerabilities and "back doors" of network software: network software can't be 100% defect-free. However, these vulnerabilities and defects are the first target of hacker attacks. Most of the incidents of hackers breaking into the network are caused by imperfect security measures. In addition, the "back door" of software is set by designers and programmers of software companies for their own convenience, which is unknown to outsiders, but once the "back door" is opened, the consequences will be unimaginable.
3. Computer network security strategy
3. 1 physical security policy
The purpose of physical security policy is to protect computer systems, network servers, printers and other hardware entities and communication links from natural disasters, man-made destruction and wiring attacks; Verify the user's identity and right to use, and prevent users from operating beyond their authority; Ensure that the computer system has a good electromagnetic compatibility working environment; Establish a complete safety management system to prevent illegal entry into the computer control room and various theft and sabotage activities.
Suppressing and preventing electromagnetic leakage (that is, TEMPEST technology) is the main problem of physical security strategy. At present, there are two main protective measures: one is the protection of conducted emission, which is mainly to add filters with good performance in power lines and signal lines to reduce transmission impedance and cross coupling between wires. The other is radiation protection, which is divided into the following two types: one is to adopt various electromagnetic shielding measures, such as shielding equipment and various connectors, to shield and isolate the sewer pipes, heating pipes, metal doors and windows of the computer room; The second is the protection measures of interference, that is, when the computer system is working, the jamming device is used to generate a pseudo noise related to the radiation of the computer system and radiate it into space to cover up the working frequency and information characteristics of the computer system.
3.2 Access control strategy
Access control is the main strategy of network security prevention and protection, and its main task is to ensure that network resources are not illegally used and accessed. It is also an important means to maintain network system security and protect network resources. All kinds of security policies must cooperate with each other to really play a protective role, but access control can be said to be one of the most important core strategies to ensure network security. Let's discuss various access control strategies. 3.2. 1 network access control
Network access control provides the first layer of access control for network access. It controls which users can log on to the server and get network resources, and controls when users are allowed to access the network and at which workstation they are allowed to access the network.
User access control can be divided into three steps: user name identification and verification, user password identification and verification, and user account default restriction check. As long as any one of the three levels fails, users cannot enter the network.
Verifying the user name and password of network users is the first line of defense to prevent illegal access. When users register, they first enter their user name and password, and the server will verify whether the entered user name is legal. If the verification is legal, continue to verify the password entered by the user, otherwise, the user will be denied access to the network. User password is the key for users to access the network. In order to ensure the security of passwords, user passwords should not be displayed on the display screen. The password should be at least 6 characters long, and the password characters should be a mixture of numbers, letters and other characters. User passwords must be encrypted. There are many kinds of encryption methods, among which the most common ones are: password encryption based on one-way function, password encryption based on test mode, password encryption based on public key encryption scheme, password encryption based on square residue, password encryption based on polynomial * * and password encryption based on digital signature. The password encrypted by the above method is difficult for system administrators to obtain. Users can also use one-time user passwords or portable verifiers (such as smart cards) to verify the identity of users.
Network administrators should be able to control and restrict the account usage of ordinary users and the time and manner of accessing the network. User name or user account is the most basic form of security in all computer systems. User accounts can only be established by system administrators. The user password should be the "certificate" that every user must submit when accessing the network. Users can modify their own passwords, but the system administrator should be able to control the following restrictions of passwords: minimum password length, time interval for forced password modification, uniqueness of passwords, and grace period for allowing access to the network after the password expires.
After the user name and password are verified, the default restriction check of the user account will be further performed. The network should be able to control the sites where users log in to the network, limit the time for users to access the network and limit the number of workstations for users to access the network. When the user pays the access fee to the network, the network should also be able to restrict the user's account, and at this time, the user should not be able to enter the network to access network resources. The network should audit the access of all users. If the password entered many times is incorrect, it is considered to be the invasion of illegal users, and an alarm message should be given.
3.2.2 Network access control
Network access control is a security protection measure against illegal network operations. Users and user groups are given certain rights. The network controls which directories, subdirectories, files and other resources users and user groups can access. You can specify what users can do with these files, directories and devices. Delegate allocation and inheritance privilege mask (IRM) can be realized in two ways. Proxy assignment controls how users and user groups use the directories, files and devices of the network server. Inherit permission mask is equivalent to a filter, which can limit which permissions subdirectories inherit from the parent directory. We can divide users into the following categories according to their access rights: (1) special users (that is, system administrators); (2) General users and system administrators allocate operation rights according to actual needs; (3) Audit users, responsible for network security control and resource usage audit. Users' access rights to network resources can be described by access control lists.
3.2.3 Directory-level security control
The network should allow users to control their access to directories, files and devices. The permissions specified by users at the directory level are valid for all files and subdirectories, and users can further specify the permissions of subdirectories and files under directories. There are usually eight kinds of access rights to directories and files: administrator, read, write, create, delete, modify, file scan and access control. The effective authority of a user on a file or target depends on the following two factors: the user's trustee assignment, the user group's trustee assignment and the user's right to inherit the authority mask cancellation. The network system administrator should assign users appropriate access rights to control users' access to the server. The effective combination of eight kinds of access rights can enable users to finish their work effectively, and at the same time can effectively control users' access to server resources, thus strengthening the security of the network and the server.
3.2.4 Attribute security control
When using files, directories and network devices, the network system administrator should specify the access attributes of files, directories, etc. Attribute security control can associate a given attribute with files, directories and network devices of a network server. Attribute security provides further security on the basis of permission security. Resources on the network should be pre-marked with a set of security attributes. A user's access right to network resources corresponds to an access control list showing the user's access ability to network resources. Property settings can override any assigned delegate assignments and valid permissions. Attributes can often control the following permissions: writing data to files, copying files, deleting directories or files, viewing directories and files, executing files, hiding files, * * enjoying, system attributes, etc. The properties of the network can protect important directories and files and prevent users from deleting, modifying and displaying them by mistake.
3.2.5 Network Server Security Control
The network allows a series of operations to be performed on the server console. Users can use the console to load and unload modules, install and delete software and other operations. The security control of network server includes setting a password to lock the server console to prevent illegal users from modifying, deleting important information or destroying data; You can set the time limit for server login, and the time interval for illegal visitor detection and shutdown.
3.2.6 Network monitoring and locking control
Network administrators should monitor the network, and servers should record users' access to network resources. For illegal network access, the server should give an alarm in the form of graphics, text or sound to attract the attention of the network administrator. If criminals try to access the network, the network server should automatically record the number of attempts to access the network. If the number of illegal visits reaches the set value, the account will be automatically locked.
3.2.7 Security Control of Network Ports and Nodes
The ports of servers in the network are usually protected by automatic callback devices and silent modems, and the identity of nodes is identified in encrypted form. Automatic dial-back devices are used to prevent impersonation of legitimate users, and silent modems are used to prevent hackers' automatic dialing programs from attacking computers. The network often controls the server and client, and users must carry authorization codes (such as smart cards, magnetic cards and secure password generators) to confirm their identities. After the user's identity is verified, the user is allowed to enter the client. Then, the client and server authenticate each other.
Firewall control
Firewall is a recently developed technical measure to protect computer network security. It is a barrier to prevent hackers in the network from accessing the organization network, and it can also be called the threshold to control two-way communication. On the network boundary, the corresponding network communication monitoring system is established to isolate the internal and external networks and prevent the invasion of external networks. At present, there are mainly three types of firewalls;
(1) Packet filtering firewall: The packet filtering firewall is set in the network layer, which can realize packet filtering on the router. Firstly, a certain number of information filtering tables should be established, which are based on the packet header information they receive. The packet header contains the source IP address, destination IP address and transmission protocol type (TCP, UDP, ICMP, etc.). ), protocol source port number, protocol destination port number, connection request direction, ICMP message type, etc. When the packet meets the rules in the filtering table, it is allowed to pass, otherwise it is forbidden to pass. The firewall can be used to prohibit illegal external users from accessing the interior, and it can also be used to prohibit access to certain service types. However, packet filtering technology cannot identify dangerous packets, handle application layer protocols, UDP, RPC or dynamic protocols.
(2) Proxy firewall: Proxy firewall, also known as application-level gateway firewall, consists of proxy server and filtering router, and is a popular firewall at present. It combines filtering router and software agent technology. The filtering router is responsible for network interconnection, strictly screens the data, and then transmits the filtered data to the proxy server. As an intermediary for the external network to apply for access to the internal network, the proxy server functions like a data forwarder, mainly controlling which users can access which service types. When the external network applies for a certain network service to the internal network, the proxy server accepts the application, and then decides whether to accept the service according to its service type, service content, service object, application time of service provider, domain name range of the applicant, etc. If so, it will forward the request to the internal network. Proxy firewall can't support some emerging services (such as multimedia) quickly. WinGate and Proxy Server are popular proxy server software.
(3) Dual-hole host firewall: This firewall uses the host to perform security control functions. A dual-port host is equipped with multiple network cards, which are connected to different networks respectively. A two-node host collects data from one network and selectively sends it to another network. Network services are provided by service agents on dual-socket hosts. Users of the intranet and extranet can transmit data through the shared data area of the dual-node host, thus protecting the intranet from illegal access.
4. Information encryption strategy
The purpose of information encryption is to protect the data, files, passwords and control information in the network and protect the data transmitted on the network. There are three common methods of network encryption: link encryption, endpoint encryption and node encryption. The purpose of link encryption is to protect the security of link information between network nodes; The purpose of end-to-end encryption is to protect data from source users to destination users; The purpose of node encryption is to protect the transmission link between source node and destination node. Users can choose the above encryption method according to the network situation.
The process of information encryption is realized by various encryption algorithms, which provides great security protection at a small cost. In most cases, information encryption is the only way to ensure the confidentiality of information. According to incomplete statistics, hundreds of encryption algorithms have been published so far. If classified according to whether the sender and the receiver have the same key, these encryption algorithms can be divided into conventional encryption algorithms and public key encryption algorithms.
In conventional passwords, the receiver and the sender use the same key, that is, the encryption key and the decryption key are the same or equivalent. Well-known conventional cryptographic algorithms are: DES in the United States and its various variants, such as Triple DES, GDES, New DES and Lucifer, the predecessor of DES; In Europe; Feal-N, Loki-9 1, Skipjack, RC4, RC5 in Japan, and classic passwords represented by substitution password and wheel password. DES password is the most influential one among many conventional passwords.
The advantage of conventional passwords is that they have strong confidentiality and can stand the test and attack of time, but their keys must be transmitted in a secure way. Therefore, its key management has become an important factor of system security.
In public key encryption, the keys used by the receiver and the sender are different from each other, and it is almost impossible to derive the decryption key from the encryption key. The famous public key cryptography algorithms include RSA, knapsack cryptography, McEliece cryptography, different-Hellman, Rabin, Ong-Fiat-Shamir, zero-knowledge proof algorithm, elliptic curve, EIGamal algorithm and so on. The most influential public key cryptography algorithm is RSA, which can resist all known cryptographic attacks so far.
The advantage of public key cryptography is that it can meet the requirements of network openness, and the key management problem is relatively simple, especially for digital signature and verification. But its algorithm is very complicated. The rate of encrypting data is very low. However, with the development of modern electronic technology and cryptography, public key cryptography will be a promising network security encryption system.
Of course, in practical applications, people usually use conventional passwords together with public key passwords, such as DES or IDEA for encrypting information, while RSA is used for transmitting session keys. If classified according to the bits of each encryption process, encryption algorithms can be divided into sequence ciphers and block ciphers. The former encrypts only one bit at a time, while the latter groups the information sequence first and processes one group at a time. Cryptography is one of the most effective technologies in network security. Encrypted network can not only prevent unauthorized users from eavesdropping and accessing the network, but also be one of the effective methods to deal with malicious software.
5. Network security management strategy
In terms of network security, in addition to the above technical measures, strengthening network security management and formulating relevant rules and regulations will play a very effective role in ensuring the safe and reliable operation of the network.
The security management strategy of the network includes: determining the level and scope of security management; Formulate relevant network operation and use rules and personnel access to the computer room management system; Formulate the maintenance system and emergency measures of the network system.
6. Concluding remarks
With the development of computer technology and communication technology, computer network will increasingly become an important means of information exchange in industry, agriculture and national defense, and penetrate into all fields of social life. Therefore, it is very important to realize the vulnerability and potential threat of the network and adopt a strong security strategy to ensure the security of the network.