Network Security Blackboard Content 1 Network Security Blackboard Content 2 Network Security Blackboard Content 3 Network Security Precautions Computer network security measures mainly include three aspects: protecting network security, protecting application service security and protecting system security. All aspects should be combined with physical security, firewall, information security, Web security, media security and so on.
(1) Protect network security.
Network security is to protect the security of communication process between network-side systems of all business parties. Ensuring confidentiality, integrity, authentication and access control is an important factor in network security. The main measures to protect network security are as follows:
(1) Overall plan the security strategy of the network platform.
(2) Formulate network security management measures.
(3) Use a firewall.
(4) Record all activities on the network as much as possible.
(5) Pay attention to the physical protection of network equipment.
(6) Test the vulnerability of the network platform system.
(7) Establish a reliable identification and discrimination mechanism.
(2) Protect application security.
Protecting application security mainly refers to the security protection measures established for specific applications (such as Web servers and online payment special software systems), which are independent of any other security protection measures of the network. Although some protection measures may be the substitution or overlap of network security services, such as the encryption of network payment and settlement packets by Web browsers and Web servers at application level, all of which are IP layer encryption, many applications have their own specific security requirements.
Because the application layer in e-commerce has the strictest and most complicated requirements for security, it is more inclined to take various security measures at the application layer than at the network layer.
Although the security of network layer still has its special position, people can't rely on it to solve the security problem of e-commerce application. Security services on the application layer can involve authentication, access control, confidentiality, data integrity, non-repudiation, Web security, EDI and network payment.
(3) Protect system security.
Protecting system security refers to security protection from the perspective of the overall e-commerce system or online payment system, which is interrelated with the hardware platform, operating system and various application software of the network system. System security involving online payment and settlement includes the following measures:
(1) Check and confirm unknown security vulnerabilities in installed software, such as browser software, e-wallet software, payment gateway software, etc.
(2) The combination of technology and management makes the system have the minimum penetration risk. If the connection is allowed after multiple authentications, all the access data must be audited and the system users must strictly manage it.
(3) Establish detailed security audit logs to detect and track intrusion attacks.
Precautionary measures for the safety of commercial transactions pay close attention to various security problems arising from the application of traditional commerce on the Internet. On the basis of computer network security, how to ensure the smooth progress of e-commerce process.
All kinds of business transaction security services are realized through security technology, mainly including encryption technology, authentication technology and e-commerce security protocol.
(1) encryption technology.
Encryption technology is a basic security measure adopted in e-commerce, and both parties can use it in the information exchange stage as needed. Encryption technology is divided into two categories, namely symmetric encryption and asymmetric encryption.
(1) symmetric encryption.
Symmetric encryption is also called private key encryption, that is, the sender and receiver of information use the same key to encrypt and decrypt data. Its biggest advantage is its fast encryption/decryption speed, which is suitable for encrypting a large number of data, but the key management is difficult. If both parties can ensure that the private key is not leaked in the key exchange stage, then the confidentiality and message integrity can be realized by encrypting the confidential information by this encryption method and sending the message digest or message hash value with the message.
(2) Asymmetric encryption.
Asymmetric encryption, also known as public key encryption, uses a pair of keys to complete the encryption and decryption operations respectively, one of which is publicly released (that is, the public key) and the other is kept by the user himself in secret (that is, the private key). The process of information exchange is: Party A generates a pair of keys and discloses one of them to other parties as a public key. Party B who obtained the public key encrypts the information and sends it to Party A, and Party A decrypts the encrypted information with its own private key.
(2) Authentication technology.
Authentication technology is a technology to prove the identity and file integrity of the sender and receiver by electronic means, that is, to confirm that the identity information of both parties has not been tampered with during transmission or storage.
(1) digital signature.
Digital signature, also known as electronic signature, can play the role of authentication, approval and entry into force of electronic documents just like presenting handwritten signature. The realization method is to combine hash function with public key algorithm. The sender generates a hash value from the message body and encrypts the hash value with his own private key to form the sender's digital signature. Then, the digital signature is sent to the receiver of the message together with the message as an attachment of the message; The receiver of the message first calculates the hash value from the received original message, and then decrypts the digital signature attached to the message with the public key of the sender; If the two hash values are the same, the receiver can confirm that the digital signature belongs to the sender. Digital signature mechanism provides an authentication method to solve the problems of forgery, denial, counterfeiting and tampering.
(2) Digital certificate.
A digital certificate is a file digitally signed by a certificate authority, which contains information about the owner of the public key and the public key. The main components of a digital certificate include the user's public key, the user identifier of the key owner and the trusted third-party signature. The third party is generally a certification authority (CA) trusted by users, such as government departments and financial institutions. The user submits his public key to the public key certificate authority in a secure way and obtains the certificate, and then the user can disclose the certificate. Anyone who needs the user's public key can get this certificate and verify the validity of the public key through the relevant trust signature. Digital certificate provides a way to verify the identity of the other party through a series of data that marks the identity information of each party in the transaction, and users can use it to identify the identity of the other party.
(3) the security protocol of e-commerce.
In addition to the various security technologies mentioned above, there is also a set of security protocols for e-commerce operation. The more mature protocols are SET, SSL and so on.
(1) Secure Sockets Layer Protocol SSL.
SSL protocol is located between the transport layer and the application layer, and consists of SSL recording protocol, SSL handshake protocol and SSL alarm protocol. SSL handshake protocol is used to establish security mechanism before client and server actually transmit application layer data. When the client communicates with the server for the first time, the two parties agree on version number, key exchange algorithm, data encryption algorithm and hash algorithm through handshake protocol, and then verify each other's identities. Finally, the negotiated key exchange algorithm is used to generate a secret information that only two parties know. According to this secret information, the client and the server generate data encryption algorithm and hash algorithm parameters respectively. SSL recording protocol encrypts and compresses the data sent by the application layer according to the parameters negotiated by SSL handshake protocol, calculates the message authentication code MAC, and then sends it to the other party through the network transport layer. SSL alert protocol is used to transmit SSL error information between client and server.
(2) Secure electronic transaction protocol set.
SET protocol is used to divide and define the rights and obligations among consumers, online merchants, banks and credit card organizations in e-commerce activities, and gives the standard of transaction information transmission process. SET mainly consists of three files, namely, SET business description, SET programmer's guide and SET protocol description. SET protocol ensures the confidentiality, data integrity and identity legitimacy of e-commerce system.
SET protocol is specially designed for e-commerce system. It is located in the application layer, and its authentication system is perfect, which can realize multi-party authentication. In the implementation of SET, consumer account information is confidential to the merchant. However, the SET protocol is very complicated, and the transaction data needs to be verified many times, using multiple keys and encrypting and decrypting many times. Besides consumers and merchants, there are other participants in the SET protocol, such as issuers, acquirers, authentication centers, payment gateways, etc.
Encryption prevention mode links encryption mode.
Safety technical means
Physical measures: such as protecting key network equipment (such as switches and large computers). ), formulate strict network security rules and regulations, and take measures such as radiation protection, fire prevention and installation of uninterruptible power supply (UPS).
Access control: Strictly authenticate and control users' access to network resources. For example, user authentication, password encryption, update and authentication, setting user access to directories and files, and controlling network device configuration.
Data encryption: Encryption is an important means to protect data security. The function of encryption is to ensure that the information cannot be read after being intercepted. Prevent computer network virus and install network anti-virus system.
Network isolation: There are two ways of network isolation, one is to use isolation card, and the other is to use network security isolation gateway.
Isolation cards are mainly used to isolate single machines, and gateways are mainly used to isolate the whole network. The difference between the two can be found in resources.
Other measures: Other measures include information filtering, fault tolerance, data mirroring, data backup and audit. Many solutions are put forward around network security issues, such as data encryption technology and firewall technology. Data encryption is to encrypt the data transmitted in the network, and then decrypt and restore it to the original data after reaching the destination to prevent illegal users from stealing information after interception. Firewall technology is to control the access rights of the network by isolating and restricting the access to the network.
safety consciousness
Having network security awareness is an important prerequisite to ensure network security. Many network security incidents are related to the lack of security awareness.
Host security check
To ensure and build network security, we must first fully understand the system, evaluate the system security, and realize our own risks, so as to quickly and accurately solve the internal network security problems. The first innovative automatic host security inspection tool independently developed by An Tian Laboratory completely subverts the complexity of traditional system security inspection and system risk assessment tools. One-click operation can carry out comprehensive security inspection and accurate security grade judgment on intranet computers, and carry out powerful analysis, disposal and repair on the evaluation system.
Host physical security
The physical security environment in which the server runs is very important, which is overlooked by many people. The physical environment mainly refers to the facilities of the server hosting computer room, including ventilation system, power supply system, lightning protection and fire prevention system, temperature and humidity conditions of the computer room, etc. These factors will affect the life of the server and the security of all data. I don't want to discuss these factors here, because when choosing IDC, you will make your own decision.
It is emphasized here that some computer rooms provide special cabinets to store servers, and some computer rooms only provide racks. The so-called cabinet is an iron cabinet similar to the cabinet at home. There are doors in front and back, and shelves for servers, power supplies, fans, etc. After the server is put in, the door is locked and only the administrator of the computer room can open the key. The shelf is an iron shelf, which is open. After the server is put on the shelf, just plug it into the trailer. The two environments are very different in terms of the physical security of the server. Obviously, the server in the cabinet is much safer.
If your servers are in open racks, this means that anyone can access them. If others can easily access your hardware, what security is there?
If your server can only be placed in an open rack room, you can do this:
(1) Tie the power supply to the slot with adhesive tape to prevent others from accidentally touching your power supply;
(2) After installing the system, restart the server, and unplug the keyboard and mouse during the restart process, so that after the system is started, the ordinary keyboard and mouse will not work (except USB mouse and keyboard).
(3) Keep a good relationship with the personnel on duty in the computer room, and don't offend the maintenance personnel of other companies in the computer room. After doing this, your server will at least be more secure.