Introduce the basic knowledge of network system ~ thank you.
The hottest topics are the Internet and asynchronous transfer mode ATM technology.

The application of information technology and networks has become an important standard for measuring a country's overall national strength and the competitiveness of its enterprises.

The National Information Infrastructure (NII) construction plan is popularly called the information superhighway.

Internet, Intranet, Extranet and e-commerce have become the focus of enterprise network research and application.

The main goal of computer network construction is to realize the sharing of computer resources. Computer resources are mainly computer hardware, software and data.

We judge whether computers are interconnected into a computer network, mainly to see whether they are independent "autonomous computers".

Distributed operating system manages system resources in a global way, and it can automatically schedule network resources for user tasks.

The main difference between a distributed system and a computer network lies not in their physical structure but in their high-level software.

Classified by transmission technology, networks are divided into: 1. Broadcast networks. 2. Point-to-point networks.

Using data packets to store, forward and route is one of the important differences between point-to-point networks and broadcast networks.

Classification by scale: LAN, MAN and WAN.

Wide area network (remote network) has the following characteristics:

1. Meets the requirements of large-capacity and bursty communication.

2. Meets the requirements of integrated service offerings.

3. Open device interfaces and standardized protocols.

4. Complete communication services and network management.

X.25 network is a typical public packet-switched network and a communication subnet widely used in early WAN.

The changes are mainly in the following three aspects:

1. The transmission medium has changed from copper cable to optical fiber.

2. There is a growing demand for interconnection among multiple LANs.

3. User equipment has been greatly improved.

On optical fiber with a high data transmission rate and a low bit error rate, a simple protocol is adopted to reduce network delay, and the necessary error control is left to the user equipment. This is the background of Frame Relay (FR) technology.

The main technical factors that determine the characteristics of LAN are network topology, transmission medium and media access control method.

From the point of view of the media access control method, LANs can be divided into shared-media LANs and switched LANs.

MAN is a high-speed network between WAN and LAN.

FDDI is a high-speed backbone network with optical fiber as transmission medium, which can be used to interconnect local area networks and computers.

The various MAN construction schemes share several features: optical fiber is the transmission medium, high-speed routing switches or ATM switches based on IP switching are the switching nodes, and the architecture consists of a core switching layer, a service convergence layer and an access layer.

The topological structure of computer network is mainly the topological structure of communication subnet.

Network topology can be divided into:

1. Point-to-point communication subnet topologies: star, ring, tree and mesh.

2. Broadcast communication subnet topologies: bus, tree, ring, wireless communication and satellite communication.

The transmission medium is the physical path that connects the sender and the receiver in the network, and it is also the carrier that actually transmits information in communication.

Commonly used transmission media are twisted pair, coaxial cable, optical cable, wireless communication and satellite communication channels.

Twisted pair consists of two, four or eight insulated wires arranged in a regular spiral structure.

Twisted pair comes in two kinds: shielded twisted pair (STP) and unshielded twisted pair (UTP).

Shielded twisted pair is composed of outer sheath, shielding layer and several twisted pairs.

Unshielded twisted pair consists of outer sheath and several twisted pairs.

UTP cable is graded as Category 3, Category 4 and Category 5.

As a long-distance trunk line, the maximum distance of twisted pair can reach 15km. When used in 100Mbps LAN, the maximum distance from the hub is 100 meters.

Coaxial cable consists of inner conductor, outer shielding layer, insulating layer and outer protective layer.

Divided into: baseband coaxial cable and broadband coaxial cable.

Single channel broadband: broadband coaxial cable can also be used for high-speed digital communication with only one communication channel.

Optical fiber cable is called optical cable for short.

An optical fiber consists of a fiber core, a cladding layer and an outer protective layer.

At the transmitting end of optical fiber, two kinds of light sources are mainly used: light emitting diode LED and injection laser diode ILD.

Optical fiber transmission is divided into single-mode and multimode. The difference is whether light propagates along the fiber axis as a single ray or as multiple rays at different angles.

Single-mode fiber is superior to multimode fiber.

Electromagnetic waves propagate in two ways: 1. Freely through space, i.e. by wireless means.

2. Within a confined space, i.e. along existing guided lines.

Mobile communication: communication between moving and fixed, moving and moving objects.

Mobile communication means:

1. Wireless communication systems.

2. Microwave communication systems.

A signal with a frequency of 100MHz- 10GHz is called a microwave signal, and its corresponding signal wavelength is 3m-3cm.

3. Cellular mobile communication systems.

Multiple access methods mainly include: frequency division multiple access FDMA, time division multiple access TDMA and code division multiple access CDMA.

4. Satellite mobile communication systems.

Commercial communication satellites are generally launched in a synchronous orbit of 35,900 kilometers above the equator.

There are two basic technical parameters to describe data communication: data transmission rate and bit error rate.

Data transmission rate is one of the important indexes describing a data transmission system: S = 1/T (T being the time taken to send one bit).

The relationship between the maximum data transmission rate Rmax of a binary signal and the channel bandwidth B (B = f, in Hz) can be written as Rmax = 2f (bps).

When transmitting data signals over a channel with random thermal noise, the relationship between the data transmission rate Rmax, the channel bandwidth B and the signal-to-noise ratio S/N is Rmax = B * log2(1 + S/N).

The bit error rate is the probability that a binary symbol is transmitted incorrectly in a data transmission system; it is approximately equal to:

Pe = Ne/N (number of erroneous bits divided by total bits transmitted)

For the actual data transmission system, if the transmission is not a binary symbol, it should be converted into a binary symbol for calculation.
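The three formulas above (Rmax = 2f for a noiseless binary channel, Rmax = B * log2(1 + S/N) with thermal noise, and Pe = Ne/N), worked in Python as an added example; this is not code from the original notes. The sample values (a 3 kHz channel, 30 dB S/N, a few constructed byte strings) are made up for the demonstration, and the example goes one step beyond the text by carrying the Nyquist rate to an M-level signal and by converting non-binary symbols to bits before computing Pe, as the last sentence requires.

```python
import math


def nyquist_max_rate(bandwidth_hz: float, levels: int = 2) -> float:
    """Maximum rate on a noiseless channel of bandwidth B: Rmax = 2 * B * log2(M).

    With M = 2 (a binary signal) this reduces to the page's Rmax = 2f. The
    log2(M) factor is the standard generalisation to a signal with M levels.
    """
    if bandwidth_hz <= 0 or levels < 2:
        raise ValueError("bandwidth must be positive and levels >= 2")
    return 2.0 * bandwidth_hz * math.log2(levels)


def shannon_max_rate(bandwidth_hz: float, snr_linear: float) -> float:
    """Rate limit on a channel with random thermal noise: Rmax = B * log2(1 + S/N).

    snr_linear is the power ratio S/N, not a value in dB (see snr_db_to_linear).
    """
    if bandwidth_hz <= 0 or snr_linear < 0:
        raise ValueError("bandwidth must be positive and S/N non-negative")
    return bandwidth_hz * math.log2(1.0 + snr_linear)


def snr_db_to_linear(snr_db: float) -> float:
    """Convert a signal-to-noise ratio in dB to the linear power ratio S/N."""
    return 10.0 ** (snr_db / 10.0)


def count_bit_errors(sent: bytes, received: bytes) -> int:
    """Ne: number of bit positions that differ between two equal-length byte strings."""
    if len(sent) != len(received):
        raise ValueError("sent and received must have the same length")
    return sum(bin(a ^ b).count("1") for a, b in zip(sent, received))


def bit_error_rate(sent: bytes, received: bytes) -> float:
    """Pe = Ne / N for a binary transmission, with N counted in bits."""
    total_bits = 8 * len(sent)
    if total_bits == 0:
        raise ValueError("no bits were transmitted")
    return count_bit_errors(sent, received) / total_bits


def symbols_to_bits(symbols, levels: int):
    """Expand M-ary symbols (0 .. M-1) into the log2(M) bits each one carries, MSB first."""
    bits_per_symbol = int(math.log2(levels))
    if 2 ** bits_per_symbol != levels:
        raise ValueError("levels must be a power of two")
    bits = []
    for s in symbols:
        if not 0 <= s < levels:
            raise ValueError("symbol out of range")
        bits.extend((s >> i) & 1 for i in range(bits_per_symbol - 1, -1, -1))
    return bits


def bit_error_rate_mary(sent_symbols, received_symbols, levels: int) -> float:
    """Pe for a non-binary transmission: convert both symbol streams to bits first."""
    sent_bits = symbols_to_bits(sent_symbols, levels)
    recv_bits = symbols_to_bits(received_symbols, levels)
    if len(sent_bits) != len(recv_bits):
        raise ValueError("symbol streams must have the same length")
    errors = sum(a != b for a, b in zip(sent_bits, recv_bits))
    return errors / len(sent_bits)


if __name__ == "__main__":
    # Constructed values: a 3 kHz voice-grade channel, binary and 4-level signalling, 30 dB S/N
    print("Nyquist, binary:", nyquist_max_rate(3000))
    print("Nyquist, 4-level:", nyquist_max_rate(3000, 4))
    print("Shannon at 30 dB:", round(shannon_max_rate(3000, snr_db_to_linear(30))))
    print("BER:", bit_error_rate(b"\x00\x01\x02", b"\x00\x01\x03"))
```

Note that the Shannon figure is an upper bound: for the same 3 kHz channel the noiseless binary Nyquist rate is 6000 bps, while at 30 dB S/N the noisy-channel limit is roughly 29.9 kbps, which is only reachable by a multi-level signal, not by plain binary signalling.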

The rules, conventions and standards specified for network data transmission and exchange are called network protocols.

A protocol has three elements: syntax, semantics and timing.

The hierarchical model of computer network and the protocol set of each layer are defined as the computer network architecture.

Using hierarchical structure in computer networks has the following advantages:

1. The layers are independent of each other.

2. Good flexibility.

3. Each layer can be realized with the most suitable technology, and a change in the implementation technology of one layer does not affect the other layers.

4. Easy to implement and maintain.

5. Conducive to promoting standardization.

The architecture standard defines the seven-layer framework of network interconnection, namely the ISO Open Systems Interconnection (OSI) reference model. Within this framework, the functions of each layer are specified in further detail, so as to realize interconnection, interoperability and application portability in an open systems environment.

The method used in the formulation of OSI standards is to divide the whole huge and complex problem into several small problems that are easy to deal with, which is the layered architecture method. In OSI, three levels of abstraction are adopted, namely architecture, service definition and protocol specification.

OSI seven layers:

1. Physical layer: uses the physical transmission medium to provide a physical connection for the data link layer, so as to transmit the bit stream transparently.

2. Data link layer: establishes a data link connection between communicating entities, transmits data in units of frames, and applies error control and flow control.

3. Network layer: chooses the most suitable path for packets to pass through the communication subnet by means of a routing algorithm.

4. Transport layer: provides users with reliable end-to-end service and transmits messages transparently.

5. Session layer: organizes the communication between two session processes and manages the exchange of data.

6. Presentation layer: handles the representation of the information exchanged between two communicating systems.

7. Application layer: the highest layer in the OSI reference model; it determines the nature of communication between processes to meet users' needs.

TCP/IP reference model can be divided into application layer, transport layer, interconnection layer and host network layer.

The interconnection layer is mainly responsible for sending packets from the source host to the destination host. The source and destination hosts may or may not be on the same network.

The main function of the transport layer is responsible for end-to-end communication between application processes.

The transport layer of TCP/IP reference model defines two protocols, namely transmission control protocol TCP and user datagram protocol UDP.

TCP protocol is a reliable connection-oriented protocol. UDP protocol is a connectionless and unreliable protocol.

The host network layer is responsible for sending and receiving IP datagrams through the network.

According to the idea of hierarchical structure, the research result of computer network modularization is to form a set of one-way dependent protocol stacks from top to bottom, also known as protocol families.

Application layer protocols are divided into:

1. Those that rely on the connection-oriented TCP.

2. Those that rely on the connectionless UDP.

3. Those that rely on both TCP and UDP.

NSFNET adopts hierarchical structure, which can be divided into backbone network, regional network and campus network.

As the main technical basis of the information superhighway, the data communication network has the following characteristics:

1. Meets the requirements of large-capacity and bursty communication.

2. Meets the requirements of integrated service offerings.

3. Open device interfaces and standardized protocols.

4. Complete communication services and network management.

A public packet-switched network that adopts the DTE/DCE interface standards specified in the X.25 recommendation is called an X.25 network.

Frame Relay is a technology that reduces node processing time.

ISDN: Integrated Services Digital Network.

The main differences between B-ISDN and N-ISDN are as follows:

1. N-ISDN is based on the currently used public switched telephone network, while B-ISDN uses optical fiber as the transmission medium of both the trunk line and the subscriber loop.

2. N-ISDN uses synchronous time-division multiplexing, while B-ISDN uses asynchronous transfer mode (ATM) technology.

3. In N-ISDN the speed of each channel is predetermined; B-ISDN keeps the concept of a channel, but the speed is not predetermined.

Asynchronous transfer mode ATM is a new generation of data transmission and packet switching technology, and it is a hot issue in the research and application of network technology at present.

The main features of ATM technology are:

1. ATM is a connection-oriented technology that uses small, fixed-length data transmission units (cells).

2. All kinds of information are transmitted in cells, so ATM can support multimedia communication.

3. ATM uses statistical time-division multiplexing to allocate network capacity dynamically; its network transmission delay is small and meets the requirements of real-time communication.

4. ATM has no link-to-link error correction or flow control, so the protocol is simple and the data exchange rate is high.

5. The data transmission rate of ATM is 155 Mbps to 2.4 Gbps.

Factors promoting the development of ATM:

1. People's demand for network bandwidth is increasing.

2. Users' requirements for flexibility in the use of broadband.

3. Users' demand for real-time applications.

4. The design and construction of networks need further standardization.

The information superhighway of a country is divided into: national broadband backbone network, regional broadband backbone network and access network connecting end users.

The technology to solve the access problem is called access technology.

It can be used as three types of user access networks: post and telecommunications network, computer network (the most promising) and radio and television network.

Network management includes five functions: configuration management, fault management, performance management, billing management and security management.

The agent is located in the managed device, which converts the command or information request from the manager into the specific instructions of the device, completes the instructions of the manager, or returns the information of the device where it is located.

The information exchange between managers and agents can be divided into two types: the management operation of managers to agents; Event notification from agent to manager.

The goal of configuration management is to master and control the configuration information of networks and systems, as well as the status and connection management of network devices. Modern network equipment consists of hardware and device drivers.

The most important function of configuration management is to enhance the network administrator's control over network configuration, which can be achieved by providing quick access to device configuration data.

Fault refers to an abnormal situation in which a large number or serious errors occur and need to be repaired. Fault management is the process of locating problems or faults in computer networks.

The main function of fault management is to enhance the reliability of the network by providing network administrators with tools to quickly check problems and start the recovery process. Fault labeling is the front-end process of monitoring network problems.

The goal of performance management is to measure and present all aspects of network characteristics and maintain network performance at an acceptable level.

Performance management includes two functions: monitoring and adjustment.

The goal of billing management is to track the use of network resources by individuals and group users and charge them reasonable fees.

The main function of billing management is that network managers can measure and report billing information based on individual or group users, allocate resources and calculate the cost of users transmitting data through the network, and then charge users.

The goal of security management is to control the access to the network according to certain methods, so as to ensure that the network is not infringed and important information is not accessed by unauthorized users.

Security management is to restrict and control access to network resources and important information.

In the network management model, network managers and agents need to exchange a lot of management information, and this process must follow a unified communication standard, which we call network management protocol.

Network management protocol is an advanced network application protocol based on specific physical network and its basic communication protocol, which serves the network management platform.

At present, the standard network management protocols used include SNMP, CMIS/CMIP, LMMP, etc.

SNMP uses a polling mode of monitoring and an agent/management-station model.

Management nodes are generally workstation-level computers for engineering applications, which have strong processing capabilities. A proxy node can be any type of node on the network. SNMP is an application layer protocol. In TCP/IP network, it uses the services of transport layer and network layer to transmit information to peer layer.

The advantages of CMIP are high security and powerful functions, which can be used not only to transmit management data, but also to perform certain tasks.

Information security includes five basic elements: confidentiality, integrity, availability, controllability and auditability.

D1 class: the D1 computer system standard does not authenticate users. Examples: DOS, Windows 3.x and Windows 95 (not in workgroup mode), Apple System 7.x.

C1 level provides discretionary security protection, meeting discretionary requirements by separating users from data.

C1 level, also known as selective security protection, describes the typical security level used in Unix systems.

C1 level requires that the hardware has a certain level of security, and users must log in to the system before using it.

The disadvantage of C1 level protection is that users can directly access the root directory of the operating system.

C2 level provides finer discretionary access control than a C1 system; it is the minimum level of security required to handle sensitive information. C2 level also includes a controlled access environment, which further restricts users' rights to execute certain commands or access certain files, and adds an authentication level. Examples: UNIX systems, Xenix, Novell 3.0 or higher, Windows NT.

B1 level is called labeled security protection, and B1 supports multi-level security. Labeling means that objects on the network are identifiable and protected under the security protection plan. B1 is the first level that needs substantial access control support. Its security levels are confidential and top secret.

B2, also known as structured protection, requires that all objects in the computer system be labeled and that security levels be assigned to devices. The key security hardware/software components of a B2-level system must be based on a formal security model.

B3, also known as security domains, requires users' workstations or terminals to connect to the network system through trusted channels. In addition, this level uses hardware to protect the storage area of the security system.

The key security components of a B3-level system must mediate all accesses by subjects to objects, be tamper-proof, and be small enough for analysis and testing.

A1, the highest security level, indicates that the system provides the most comprehensive security; it is also called verified design. The sources of all components that make up the system must be secured, so as to ensure the completeness and security of the system. Security measures must also ensure that system components are not harmed during the sales process.

Network security is essentially information security on the network. All technologies and theories related to the confidentiality, integrity, availability, authenticity and controllability of network information are the research fields of network security.

A security policy is the set of rules that must be followed in order to ensure a certain level of security protection in a specific environment. The security policy model includes three important components for establishing a secure environment: authoritative laws, advanced technology and strict management.

Network security means that the hardware, software and data in the network system are protected from being destroyed, changed or leaked due to unexpected or malicious reasons, and the system can run continuously, reliably and normally without interrupting the network service.

All security mechanisms include the following two parts:

1. Performing security-related transformations on the transmitted information.

2. The two parties sharing secret information that they do not want an adversary to know.

A security threat is the harm that a person, thing, event or concept does to the confidentiality, integrity, availability or legitimacy of a resource. An attack is the concrete realization of a threat.

Security threats can be divided into intentional and accidental. Intentional threats can be divided into passive and active.

Interruption means that system resources are destroyed or become unavailable. This is an attack on availability.

Interception means that unauthorized entities gain access to resources. This is an attack on confidentiality.

Modification is that unauthorized entities not only gain access, but also tamper with resources. This is an attack on integrity.

Forgery is that unauthorized entities insert forged objects into the system. This is an attack on authenticity.

Passive attacks are characterized by eavesdropping or monitoring transmission. Its purpose is to obtain the information being transmitted. Passive attacks include: leaking information content and traffic analysis.

Active attacks include modifying data streams or creating erroneous data streams, including impersonation, replay, information modification and denial of service.

Impersonation means that one entity pretends to be another; an impersonation attack usually also includes another form of active attack. Replay involves the passive capture and subsequent retransmission of data units to produce an unauthorized effect.

Modifying a message means changing a part of the real message, or delaying or reordering the message, resulting in unauthorized operation.

Denial of service prohibits the normal use or management of communication tools. This kind of attack has a specific target. Another form of denial of service is the interruption of the whole network, which can be achieved by disabling the network or reducing the network performance through message overload.

The way to prevent active attacks is to detect attacks and recover from the interruption or delay caused by attacks.

From the perspective of network high-level protocols, the attack methods can be summarized as: service attack and non-service attack.

A service attack is an attack against a specific network service.

Non-service attacks are not aimed at a specific application service, but are based on the underlying protocols such as the network layer.

Non-service attack is a more effective attack method, which uses the loopholes in the protocol or operating system to achieve the purpose of attack.

The basic goal of network security is to realize the confidentiality, integrity, availability and legality of information.

Main realizable threats:

Penetration threats: impersonation, bypassing controls and authorization violation.

Implantation threats: Trojan horses and trapdoors.

A virus is a program that can infect other programs by modifying them. The modified programs contain copies of virus programs, so that they can continue to infect other programs.

Network anti-virus technology comprises three techniques: virus prevention, virus detection and virus removal.

1. Virus prevention technology.

A prevention program resides in system memory, takes control of the system first, monitors and judges whether a virus is present, and so prevents computer viruses from entering and damaging the system. These techniques include encrypting executable programs, protecting the boot area, system monitoring and read/write control.

2. Virus detection technology.

Techniques that judge the characteristic features of a computer virus, such as self-checksums, keywords and changes in file length.

3. Virus removal technology.

Through analysis of a computer virus, software is developed that deletes the virus program and restores the original components.

The specific implementation methods of network anti-virus technology include frequently scanning and detecting files in network servers, using anti-virus chips on workstations and setting access rights to network directories and files.

Three principles of network information system security management:

1. The principle of multi-person responsibility.

2. The principle of limited terms.

3. The principle of separation of duties.

Cryptography is a science that studies the security of cryptographic systems or communications, including cryptography and cryptanalysis.

A message that needs to be hidden is called plaintext. Converting plaintext into another, hidden form produces ciphertext; this conversion is called encryption. The reverse process of encryption is called decryption. The set of rules used to encrypt plaintext is called the encryption algorithm, and the set of rules used to decrypt ciphertext is called the decryption algorithm. Encryption and decryption algorithms are usually carried out under the control of a set of keys: the key used by the encryption algorithm is called the encryption key, and the key used by the decryption algorithm is called the decryption key.

Cryptosystem is usually classified from three independent aspects:

1. According to the type of operation that converts plaintext into ciphertext, ciphers are divided into substitution ciphers and transposition ciphers.

All encryption algorithms are based on two basic principles: substitution and transposition.

2. According to the way plaintext is processed, ciphers are divided into block ciphers and sequence (stream) ciphers.

3. According to the number of keys used, cryptosystems are divided into symmetric and asymmetric cryptosystems.

If the encryption key used by the sender is the same as the decryption key used by the receiver, or one key can easily be derived from the other, such a system is called a symmetric, single-key or conventional encryption system. If the encryption key used by the sender is different from the decryption key used by the receiver and it is difficult to deduce one key from the other, the system is called an asymmetric, two-key or public-key encryption system.

The encryption method of block cipher is to group plaintext sequences with fixed length, and each group of plaintext is operated with the same key and encryption function.

The core of block cipher design is to construct an algorithm that is reversible yet strongly nonlinear.

The encryption process of a sequence cipher converts the original information (messages, voice, images, data) into a plaintext data sequence, XORs it with a key sequence to produce a ciphertext sequence, and sends that sequence to the receiver.
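The sequence-cipher step just described, XOR of a plaintext sequence with a key sequence, as an added Python example (not code from the original notes). The key-sequence generator here is an assumed construction for the demonstration, SHA-256 over the key, a per-message nonce and a counter; the keys, nonces and messages are constructed sample values. The example goes one step beyond the text to show why the same key sequence must never be used for two messages: because the receiver's XOR simply cancels the key sequence, reusing it also cancels it between two ciphertexts, exposing the XOR of the two plaintexts.

```python
import hashlib


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` bytes of key sequence from (key, nonce) by hashing a counter.

    Assumed construction for this example (a hash in counter mode). A real
    deployment uses a vetted stream cipher rather than a home-made generator.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Ciphertext sequence = plaintext sequence XOR key sequence."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """XOR is its own inverse: the receiver regenerates the same key sequence and XORs again."""
    return encrypt(key, nonce, ciphertext)


def keystream_reuse_leak(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Return True if encrypting two messages under one key sequence exposes p1 XOR p2.

    With the same (key, nonce) the key sequence k is identical for both messages, so
    (p1 XOR k) XOR (p2 XOR k) == p1 XOR p2: the key sequence cancels. This is the
    failure mode a fresh nonce per message prevents.
    """
    n = min(len(p1), len(p2))
    c1 = encrypt(key, nonce, p1[:n])
    c2 = encrypt(key, nonce, p2[:n])
    return xor_bytes(c1, c2) == xor_bytes(p1[:n], p2[:n])


# Constructed sample values for the demonstration
KEY = b"constructed-example-key-0001"
P1 = b"transfer 100 units to account A"
P2 = b"transfer 900 units to account B"

if __name__ == "__main__":
    c = encrypt(KEY, b"nonce-01", P1)
    print("ciphertext:", c.hex())
    print("round trip ok:", decrypt(KEY, b"nonce-01", c) == P1)
    print("same nonce twice leaks p1 XOR p2:", keystream_reuse_leak(KEY, b"nonce-01", P1, P2))
    c1 = encrypt(KEY, b"nonce-01", P1)
    c2 = encrypt(KEY, b"nonce-02", P2)
    print("distinct nonces leak nothing:", xor_bytes(c1, c2) != xor_bytes(P1, P2))
```

The design point is the symmetry the notes mention: encryption and decryption are the same operation, so the security rests entirely on the key sequence being secret and unique per message. The example's nonce is what makes each message's key sequence distinct under one long-term key.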

Data encryption technology can be divided into three categories: symmetric encryption, asymmetric encryption and irreversible encryption.

Symmetric encryption uses a single key to encrypt or decrypt data.

An asymmetric encryption algorithm, also known as a public-key encryption algorithm, is characterized by having two keys. Only when the two keys are used together can the whole encryption and decryption process be completed.

Another usage of asymmetric encryption is called "digital signature", that is, the data source uses its private key to encrypt data verification and other variables related to data content, while the data receiver uses the corresponding public key to interpret the "digital signature" and uses the interpretation result to check the data integrity.

The characteristic of an irreversible encryption algorithm is that the encryption process needs no key and the encrypted data cannot be decrypted; the same input data always yields the same result under the same irreversible algorithm.

Encryption technology is usually applied to network security in two forms, namely, network-oriented and application-oriented services.

Network service-oriented encryption technology usually works in the network layer or transport layer, and uses encrypted data packets to authenticate the information needed by network routing and other network protocols, thus ensuring that the connectivity and availability of the network are not infringed.

Network application service-oriented encryption technology is the most popular encryption technology at present.

From the point of view of transmission over the communication network, data encryption technology can be divided into three categories: link encryption, node-to-node encryption and end-to-end encryption.

Link encryption is the main method of general network communication security.

Node-to-node encryption method is to solve the shortcoming that the data in nodes is plaintext. In the intermediate node, encryption and decryption protection devices are installed, and this device completes the conversion from one key to another.

In the end-to-end security mode, the data encrypted by the sender will not be decrypted until it reaches the final destination node.

The process of trying to find plaintext or key is called cryptanalysis.

The actual arrangement and transformation of the algorithm is determined by the key.

Ciphertext is determined by key and plaintext.

Symmetric encryption has two security requirements:

1. A strong encryption algorithm is required.

2. The sender and the receiver must obtain a copy of the key in a secure way.

The security of conventional encryption depends on the secrecy of the key, not on the secrecy of the algorithm.

IDEA algorithm is considered as the best and safest block cipher algorithm.

Public key encryption is also called asymmetric encryption.

There are two basic models of public key cryptosystem, one is encryption model and the other is authentication model.

Usually, one key is used for public key encryption and another key is used for decryption.

The key used in conventional encryption is called the secret key. The two keys of the pair used in public-key encryption are called the public key and the private key.

RSA system is considered as the most mature and perfect public key cryptosystem in theory.

The lifetime of the key refers to the period during which the key is authorized to be used.

In fact, the safest way to store keys is to put them in a physically safe place.

Key registration includes binding the generated key to a specific application.

The key management is to solve the key distribution problem.

Key destruction includes removing all traces of keys.

Key distribution technology delivers keys to both parties of a data exchange without exposing them to anyone else.

A digital certificate is a digitally signed message, which is usually used to prove the validity of an entity's public key. A digital certificate is a digital structure with a common format, which binds the identifier of a member with the public key value. People use digital certificates to distribute public keys.

Certificate serial number: the unique identifier of the certificate, assigned by the certificate issuer.

Authentication is an important technology to prevent active attacks and plays an important role in the security of various information systems in an open environment.

Authentication is the process of verifying the identity claimed by the end user or device.

The main purposes are:

Verifying that the sender of the information is true, not false, is called source identification.

Verify the integrity of the information and ensure that the information has not been tampered with, replayed or delayed during transmission.

The authentication process usually includes encryption and key exchange.

Account name and password authentication are the most commonly used authentication methods.

Authorization is the process of granting access rights to users, user groups or specified systems.

Access control is to limit the information in the system to authorized individuals or systems in the network.

The technologies used in authentication mainly include message authentication, identity authentication and digital signature.

The contents of message authentication include:

1. Verify the source and destination of the message.

2. Verify whether the content of the message has been tampered with, accidentally or intentionally.

3. Verify the sequence number and timeliness of the message.

The general method of message authentication is to generate an authenticator that is attached to the message.
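The three checks of message authentication listed above (source and destination, content, sequence number and timeliness), implemented with an attached authenticator, as an added Python example that is not code from the original notes. It assumes a shared secret key already distributed to both parties, uses HMAC-SHA256 as the authenticator, and the message fields, key and timestamps are constructed sample values. The receiver checks the tag first, in constant time, so that no unauthenticated field is acted on.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, Optional, Tuple

# Constructed for the example; a real key arrives through key distribution
SHARED_KEY = b"constructed-shared-key-for-example"


def _canonical(msg: dict) -> bytes:
    """Fixed field order and separators so sender and receiver authenticate identical bytes."""
    return json.dumps(msg, sort_keys=True, separators=(",", ":")).encode()


def make_message(key: bytes, src: str, dst: str, seq: int, body: str,
                 now: Optional[int] = None) -> dict:
    """Build a message and its authenticator: an HMAC-SHA256 tag over every field."""
    ts = int(time.time()) if now is None else now
    msg = {"src": src, "dst": dst, "seq": seq, "ts": ts, "body": body}
    tag = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return {"msg": msg, "tag": tag}


class Receiver:
    """Verifies source/destination, content, and sequence/timeliness of each message."""

    def __init__(self, key: bytes, my_id: str, max_age_s: int = 30):
        self.key = key
        self.my_id = my_id
        self.max_age_s = max_age_s
        self.last_seq: Dict[str, int] = {}  # highest sequence number accepted per source

    def verify(self, envelope: dict, now: Optional[int] = None) -> Tuple[bool, str]:
        now_ts = int(time.time()) if now is None else now
        msg = envelope["msg"]
        # 1. Source and content: only a holder of the shared key can produce a valid tag,
        #    and any change to any field changes the tag. compare_digest is constant-time.
        expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["tag"]):
            return False, "authenticator mismatch: unknown source or tampered content"
        if msg["dst"] != self.my_id:
            return False, "message addressed to another destination"
        # 2. Timeliness: reject messages delayed beyond the window (or dated in the future)
        if abs(now_ts - msg["ts"]) > self.max_age_s:
            return False, "message delayed beyond the freshness window"
        # 3. Sequence: reject replayed or reordered messages
        if msg["seq"] <= self.last_seq.get(msg["src"], -1):
            return False, "sequence number replayed or out of order"
        self.last_seq[msg["src"]] = msg["seq"]
        return True, "accepted"


if __name__ == "__main__":
    now = 1_700_000_000  # constructed fixed clock so the run is reproducible
    rx = Receiver(SHARED_KEY, "B")
    m = make_message(SHARED_KEY, "A", "B", 1, "hello", now=now)
    print("fresh message:", rx.verify(m, now=now))
    print("same message again:", rx.verify(m, now=now))
    forged = {"msg": dict(m["msg"], seq=2, body="changed"), "tag": m["tag"]}
    print("edited message:", rx.verify(forged, now=now))
```

The sequence check keeps state per source, so each source's counter must only ever increase; a restart that resets the counter would be rejected until it passes the last accepted value, which is the usual reason such counters are persisted.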

Authentication can be roughly divided into three categories:

1. Something the person knows.

2. Something the person possesses.

3. Some characteristic of the person.

Password or PIN mechanism is a widely studied and used authentication method, and it is also the mechanism on which the most practical authentication system depends.

In order to make passwords more secure, we can provide more robust methods by encrypting passwords or modifying encryption methods. This is the one-time password scheme, as well as the common S/KEY and token password authentication schemes.

Such a certificate is held by the individual.

Two forms of digital signature:

1. The entire signed message after cryptographic transformation.

2. A signature pattern appended to the signed message or placed at a specific location within it.

For connections, the only way to maintain authentication is to use the connection integrity service at the same time.

Firewall is generally divided into packet filtering, application layer gateway and proxy service.

Packet filtering technology is to select packets at the network layer.

Application layer gateway is to establish protocol filtering and forwarding functions at the network application layer.

Proxy service is also called a circuit-level gateway or TCP channel, and some people classify it as an application-level gateway.

A firewall is a combination of components placed between different networks or network security domains. It can inspect, restrict and change the data flow passing through it, and shields the internal network's information, structure and operation from the outside as much as possible, thus providing security protection for the network.

The design objectives of the firewall are:

1. All traffic entering and leaving the intranet must pass through the firewall.

2. Only legitimate traffic defined by the intranet security policy may pass through the firewall.

3. The firewall itself should be immune to penetration.

Firewall can effectively prevent foreign invasion, its role in the network system is:

1. Controls the flow of information and data packets into and out of the network.

2. Provides logs and audit records of usage and traffic.

3. Hides the details of internal IP addresses and network structure.

4. Provides virtual private network functions.

There are usually two design strategies: allow all services unless explicitly prohibited; All services are prohibited unless explicitly allowed.

Firewall techniques for implementing a site security policy:

1. Service control. Determines the types of Internet services that can be accessed from inside and outside the firewall.

2. Direction control. Determines the direction in which a particular service request may be initiated and allowed through the firewall.

3. User control. Determines whether to provide a service according to the user requesting access.

4. Behavior control. Controls how particular services are used.
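The two design strategies (allow unless explicitly prohibited, versus prohibit unless explicitly allowed) and the service and direction controls above, worked as a small packet-filter model in Python. This is an added example, not code from the original notes or from any firewall product; the rule set, addresses and packets are constructed for the demonstration, and "new connection" stands for a TCP connection request as opposed to reply traffic.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as seen by the firewall (constructed sample data for this example)."""
    direction: str          # "in": Internet -> intranet, "out": intranet -> Internet
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int              # destination port identifies the service
    new_conn: bool = True   # True for a connection request, False for reply traffic


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    direction: str                    # "in", "out" or "any"   (direction control)
    proto: str                        # "tcp", "udp" or "any"
    dport: Optional[int] = None       # None matches any port   (service control)
    new_conn: Optional[bool] = None   # None: applies to both new connections and replies
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return (self.direction in ("any", p.direction)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.new_conn is None or self.new_conn == p.new_conn))


class PacketFilter:
    """First matching rule wins; packets matching no rule get the default policy."""

    def __init__(self, rules: List[Rule], default_action: str):
        if default_action not in ("allow", "deny"):
            raise ValueError("default_action must be 'allow' or 'deny'")
        self.rules = rules
        self.default_action = default_action

    def decide(self, p: Packet) -> Tuple[str, str]:
        for r in self.rules:
            if r.matches(p):
                return r.action, r.note
        return self.default_action, "no explicit rule: default policy applies"


# Constructed site policy: which services (ports) and which initiating direction are permitted
SITE_RULES = [
    Rule("allow", "out", "tcp", 80, note="web browsing initiated from the intranet"),
    Rule("allow", "out", "tcp", 443, note="web browsing initiated from the intranet"),
    Rule("allow", "in", "tcp", 25, new_conn=True, note="inbound mail to the site's mail server"),
    Rule("allow", "in", "tcp", None, new_conn=False, note="replies to connections the intranet opened"),
    Rule("deny", "in", "tcp", 23, note="telnet from outside is explicitly prohibited"),
]

DEFAULT_DENY = PacketFilter(SITE_RULES, "deny")    # prohibited unless explicitly allowed
DEFAULT_ALLOW = PacketFilter(SITE_RULES, "allow")  # allowed unless explicitly prohibited

# Constructed sample traffic (documentation address ranges)
SAMPLE_PACKETS = [
    Packet("out", "tcp", "10.0.0.5", "203.0.113.9", 443),
    Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 25),
    Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 23),
    Packet("in", "tcp", "198.51.100.7", "10.0.0.5", 3389),
    Packet("in", "tcp", "203.0.113.9", "10.0.0.5", 51234, new_conn=False),
]


def compare_policies(packets: List[Packet]) -> List[Tuple[str, str]]:
    """Decision of each policy for each packet, as (default-deny action, default-allow action)."""
    return [(DEFAULT_DENY.decide(p)[0], DEFAULT_ALLOW.decide(p)[0]) for p in packets]


if __name__ == "__main__":
    for p, (deny_side, allow_side) in zip(SAMPLE_PACKETS, compare_policies(SAMPLE_PACKETS)):
        print(f"{p.direction:3} {p.proto}/{p.dport:<5} new={p.new_conn!s:5} "
              f"default-deny={deny_side:5} default-allow={allow_side}")
```

Running it shows where the two strategies differ: every packet with an explicit rule gets the same decision under both, but the inbound request to port 3389, which no rule mentions, is dropped by the default-deny filter and passed by the default-allow one. That gap is why the "prohibited unless explicitly allowed" strategy is the conservative choice for a site policy.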

Network policies that affect the design, installation and use of firewall systems can be divided into two levels:

Advanced network policies define the allowed and prohibited services and how to use them.

The low-level network policy describes how the firewall restricts and filters the services defined in the high-level policy.