外联网接入平台中网络安全技术研究及其应用
|
摘要
由于网络协议的开放性,以及网络具有联结形式多样性、终端分布不均匀性及互连性等特征,致使网络易受黑客、怪客、恶意软件和其他不轨的攻击,信息被泄露、窃取、篡改、冒充和破坏,还有可能受到计算机病毒的感染。所以,信息社会中网络安全是一个至关重要的问题。
网络的安全措施应是能全方位地防御各种不同的网络安全威胁,才能确保网络信息的保密性、完整性和可用性。
在网络无处不在的信息时代,企业(组织)之间、企业(组织)与互联网之间的网络许多情况下需要彼此连接,才能充分发挥网络的优势。而不同网络之间的连接,受到的安全威胁及安全级别是不同的,其策略和要求也就不同。本文正是基于对当前网络安全技术及策略的分析研究以及企业网络连接的应用现状中存在的问题,做如下工作:
①研究分析当前网络安全问题的起因、常见攻击和反攻击技术手段。
②分析网络安全的任务、建设需求的系统性和完备性。
③研究分析网络安全问题的技术及策略,包括密码技术、系统安全技术、网络安全技术。重点包括防火墙技术、访问控制技术、安全路由及策略路由技术、加密、认证和密钥管理技术、入侵检测和漏洞扫描技术、VPN / VPDN技术等。
④综合运用上述技术及策略,从网络安全的各个层面综合考虑,以某大型金融企业外联网平台为例,采用区域分隔架构的策略,构建一个安全、稳健、高效的外部网接入平台。
本文就网络安全现状进行了深入分析,同时分析研究了网络安全的技术及策略。在此基础上,综合运用各种安全技术,以某企业外联网平台建设为例,从网络安全的各个层面综合考虑,构建了一个安全、稳健、高效的外部网接入系统平台,具有重要的理论意义和实际应用价值。
Attribute to the openness of internetwork protocol, the diversity of internetwork connection and the uneven distribution of terminals, together with other characteristics, the internet are vulnerable by hacker or malicious software and other illegal attacks. So, the information which delivered on internet are possibly leaked or steal, tampered with or counterfeited, or even destructed and infected by virus. Therefor, in information age, the network security are most important and crucial issue.
Network security measures should be all-round to cope with all kinds of totally different menace coming from internet in order to ensure that the confidentiality, integrity and availability of information while they are transferred on line.
Nowadays, thought as information age network exist everywhere. It is quiet common to see that connection are established between different enterprises and between enterprises and internet in order to bring in full advantages of network We’d better adopt different strategies to deal with different situation because dissimilar connection among different sub-nets of enterprise or internet need quiet diverse security level and suffered different menace. This paper has done lots of research basing on the current network security technology and strategy, as well as on analysis of drawback for the current application of network connection including following points:
①Analyzing the causes of the network security problems and the normal attack ways and counter-strike means.
②Analyzing the tasks of the network security and the systematics and perfectibility for constructing the demand of network. Security.
③Studying the tools and strategy for network security, including cryptographic techniques, system security technology and network security technology. In detail, are firewall, access control technology, security routing ,strategy routing technology, encryption, authentication and key management technology, intrusion detection and vulnerability scanning technology, VPN / VPDN technology.
④We will use a financial enterprise Extranet as a example to illustrate how to build a safe, sound and efficient external network platform taking on a regional separate framework strategy in terms of comprehensive consideration of all different technology(presented in point 3) and levels of network security.
In this paper, we will analyze the present situation of network security deeply, while we will construe the technology and strategy of network security. So, It is have great theoretical and practical values to use a financial enterprise Extranet as a example to illustrate how to build a safe, sound and efficient external network platform from different technologies
网络的安全措施应是能全方位地防御各种不同的网络安全威胁,才能确保网络信息的保密性、完整性和可用性。
在网络无处不在的信息时代,企业(组织)之间、企业(组织)与互联网之间的网络许多情况下需要彼此连接,才能充分发挥网络的优势。而不同网络之间的连接,受到的安全威胁及安全级别是不同的,其策略和要求也就不同。本文正是基于对当前网络安全技术及策略的分析研究以及企业网络连接的应用现状中存在的问题,做如下工作:
①研究分析当前网络安全问题的起因、常见攻击和反攻击技术手段。
②分析网络安全的任务、建设需求的系统性和完备性。
③研究分析网络安全问题的技术及策略,包括密码技术、系统安全技术、网络安全技术。重点包括防火墙技术、访问控制技术、安全路由及策略路由技术、加密、认证和密钥管理技术、入侵检测和漏洞扫描技术、VPN / VPDN技术等。
④综合运用上述技术及策略,从网络安全的各个层面综合考虑,以某大型金融企业外联网平台为例,采用区域分隔架构的策略,构建一个安全、稳健、高效的外部网接入平台。
本文就网络安全现状进行了深入分析,同时分析研究了网络安全的技术及策略。在此基础上,综合运用各种安全技术,以某企业外联网平台建设为例,从网络安全的各个层面综合考虑,构建了一个安全、稳健、高效的外部网接入系统平台,具有重要的理论意义和实际应用价值。
Attribute to the openness of internetwork protocol, the diversity of internetwork connection and the uneven distribution of terminals, together with other characteristics, the internet are vulnerable by hacker or malicious software and other illegal attacks. So, the information which delivered on internet are possibly leaked or steal, tampered with or counterfeited, or even destructed and infected by virus. Therefor, in information age, the network security are most important and crucial issue.
Network security measures should be all-round to cope with all kinds of totally different menace coming from internet in order to ensure that the confidentiality, integrity and availability of information while they are transferred on line.
Nowadays, thought as information age network exist everywhere. It is quiet common to see that connection are established between different enterprises and between enterprises and internet in order to bring in full advantages of network We’d better adopt different strategies to deal with different situation because dissimilar connection among different sub-nets of enterprise or internet need quiet diverse security level and suffered different menace. This paper has done lots of research basing on the current network security technology and strategy, as well as on analysis of drawback for the current application of network connection including following points:
①Analyzing the causes of the network security problems and the normal attack ways and counter-strike means.
②Analyzing the tasks of the network security and the systematics and perfectibility for constructing the demand of network. Security.
③Studying the tools and strategy for network security, including cryptographic techniques, system security technology and network security technology. In detail, are firewall, access control technology, security routing ,strategy routing technology, encryption, authentication and key management technology, intrusion detection and vulnerability scanning technology, VPN / VPDN technology.
④We will use a financial enterprise Extranet as a example to illustrate how to build a safe, sound and efficient external network platform taking on a regional separate framework strategy in terms of comprehensive consideration of all different technology(presented in point 3) and levels of network security.
In this paper, we will analyze the present situation of network security deeply, while we will construe the technology and strategy of network security. So, It is have great theoretical and practical values to use a financial enterprise Extranet as a example to illustrate how to build a safe, sound and efficient external network platform from different technologies
引文
[1] 谢希仁编著.计算机网络.电子工业出版社.2003(4)
[2] Merilee Ford,H.Kim Lew,Steve Spanier,Tim Stevenson 著,包晓露,张雅丽,李宗泽等译.网络互联技术.电子工业出版社,1998(1)
[3] 韦卫,王德杰.Internet 网络层安全协议理论研究与发展.计算机学报,1992(7):171-176
[4] 于云程.C3I 系统分析与设计.国防科技大学出版社,1996 年 08 月 第一版
[5] 李建萍,郭学理,吕宏辉.Internet 的安全机制..微型计算机与应用,1999.2:3-4
[6] Michael Wenstrom .Managing Cisco Network Security. POSTS & TELECOM PRESS,2001.11
[7] 王宏伟.网络安全威胁与对策.应用技术, 2006.05
[8] 陈斌.计算机网络安全与防御.信息技术与网络服务,2006.04
[9] T.L Magnani,R.T Wong.Network Design and Transportation Planning,Models and Algorithms.Transportation Science,2001,18(1):26-55
[10] Jay Ramachandran.Designing Security Architecture Solutions.China MachinePress,2003.11,121-150
[11] 刘克龙,蒙杨.一种新型的防火墙系统.计算机学报,2000(3)231-236
[12] 黄智详,叶震,孙志勇.防火墙技术及其体系机构研究.计算机与信息技术,1999(11):41-49
[13] 李晓峰,张玉清.Linux 2.4 内核防火墙底层结构分析.计算机工程与应用,2002(14):62-71
[14] 孙健,王韬,李东强.病毒防护技术的研究.科学技术与工程,2005.11
[15] 王 睿,林海波.网络安全与防火墙技术.清华大学出版社,2005.7
[16] 吴艳辉,王伟平.基于重路由的匿名通信系统研究.计算机工程与应用,2006,42 (17期)
[17] Terry Sattery,Bill Buiton(美)等著,达达翻译组译.Cisco 网络高级 IP 路由技术.机械工业出版社,2001.7
[18] 彭湘凯.VPN 及其核心技术.成都大学学报(自然科学版),2001(3):12-15
[19] 陈依群,诸鸿文.基于 IPSec 的网络层 VPN 技术.电子工业出版社,1999(4),
[20] Peter Rybaczyk. Cisco Router Troubleshooting Handbook. Publishing House Of Electronics Industry,2000,08
[21] 张 维.实战网络工程案例.北京邮电大学出版社,2005.1
[22] Cisco Systems 公司著,夏凌,李婴歌,宋红丽等译.Cisco IOS 网络协议解决方案 第一卷:IP.电子工业出版社,1999(1)
[23] Richard Stevens 著.TCP/IP 详解(卷 I 一卷 3).机械机械工业出版社,2000
[24] David Hucaby,Steve McQuerry.Cisco Field Manual:Router Configuration.Post&Telecommunications Press,2002.9
[25] Steven M.Bellovin.Security Problems in the TCP/IP Protocol Suite.Computer Communication Review,April 1989.19(2):32-48
[26] Intel Co,Ltd.IXP2800 Network Proccessor Product Brief[R].December 2002:4-6
[27] Intel Co,Ltd.Intel IXP2800 Network Proccessor Product Brief[R].December 2002:36-54
[28] 吴鹏王晓峻苏新宁.基于 PKI/PMI 的 Web 应用安全解决方案.计算机工程与应用,2006 42 (6 期)
[29] Carrel Dave,Harkins Dan,RFC2409.The Internet Key Exchange(IKE)[S].1998
[30] Kent Stephen,Atkinson Randall,RFC2406.IP Encapsulating Security Payload(ESP)[S].1998
[2] Merilee Ford,H.Kim Lew,Steve Spanier,Tim Stevenson 著,包晓露,张雅丽,李宗泽等译.网络互联技术.电子工业出版社,1998(1)
[3] 韦卫,王德杰.Internet 网络层安全协议理论研究与发展.计算机学报,1992(7):171-176
[4] 于云程.C3I 系统分析与设计.国防科技大学出版社,1996 年 08 月 第一版
[5] 李建萍,郭学理,吕宏辉.Internet 的安全机制..微型计算机与应用,1999.2:3-4
[6] Michael Wenstrom .Managing Cisco Network Security. POSTS & TELECOM PRESS,2001.11
[7] 王宏伟.网络安全威胁与对策.应用技术, 2006.05
[8] 陈斌.计算机网络安全与防御.信息技术与网络服务,2006.04
[9] T.L Magnani,R.T Wong.Network Design and Transportation Planning,Models and Algorithms.Transportation Science,2001,18(1):26-55
[10] Jay Ramachandran.Designing Security Architecture Solutions.China MachinePress,2003.11,121-150
[11] 刘克龙,蒙杨.一种新型的防火墙系统.计算机学报,2000(3)231-236
[12] 黄智详,叶震,孙志勇.防火墙技术及其体系机构研究.计算机与信息技术,1999(11):41-49
[13] 李晓峰,张玉清.Linux 2.4 内核防火墙底层结构分析.计算机工程与应用,2002(14):62-71
[14] 孙健,王韬,李东强.病毒防护技术的研究.科学技术与工程,2005.11
[15] 王 睿,林海波.网络安全与防火墙技术.清华大学出版社,2005.7
[16] 吴艳辉,王伟平.基于重路由的匿名通信系统研究.计算机工程与应用,2006,42 (17期)
[17] Terry Sattery,Bill Buiton(美)等著,达达翻译组译.Cisco 网络高级 IP 路由技术.机械工业出版社,2001.7
[18] 彭湘凯.VPN 及其核心技术.成都大学学报(自然科学版),2001(3):12-15
[19] 陈依群,诸鸿文.基于 IPSec 的网络层 VPN 技术.电子工业出版社,1999(4),
[20] Peter Rybaczyk. Cisco Router Troubleshooting Handbook. Publishing House Of Electronics Industry,2000,08
[21] 张 维.实战网络工程案例.北京邮电大学出版社,2005.1
[22] Cisco Systems 公司著,夏凌,李婴歌,宋红丽等译.Cisco IOS 网络协议解决方案 第一卷:IP.电子工业出版社,1999(1)
[23] Richard Stevens 著.TCP/IP 详解(卷 I 一卷 3).机械机械工业出版社,2000
[24] David Hucaby,Steve McQuerry.Cisco Field Manual:Router Configuration.Post&Telecommunications Press,2002.9
[25] Steven M.Bellovin.Security Problems in the TCP/IP Protocol Suite.Computer Communication Review,April 1989.19(2):32-48
[26] Intel Co,Ltd.IXP2800 Network Proccessor Product Brief[R].December 2002:4-6
[27] Intel Co,Ltd.Intel IXP2800 Network Proccessor Product Brief[R].December 2002:36-54
[28] 吴鹏王晓峻苏新宁.基于 PKI/PMI 的 Web 应用安全解决方案.计算机工程与应用,2006 42 (6 期)
[29] Carrel Dave,Harkins Dan,RFC2409.The Internet Key Exchange(IKE)[S].1998
[30] Kent Stephen,Atkinson Randall,RFC2406.IP Encapsulating Security Payload(ESP)[S].1998