The main network security technologies today are as follows:
1. encryption router technology
The encryption router encrypts and compresses the content that passes through the router, and then transmits it through the insecure network, and decompresses and decrypts it at the destination.
Second, security kernel technology.
People began to consider security at the operating system level, trying to remove the parts that may cause security problems from the system kernel, thus making the system more secure. For example, the S olaris operating system puts the static password in an implicit file, which enhances the security of the system.
Thirdly, the network address translator.
Network address translator, also known as address sharer or address mapper, was originally designed to solve the problem of IP address shortage, and now it is mainly used for network security. Internal hosts use the same IP address when connecting to external hosts; Conversely, when an external host wants to connect to an internal host, it must be mapped to the internal host through a gateway. It makes the external network invisible to the internal network, thus hiding the internal network and achieving the purpose of confidentiality.
Data encryption technology
The so-called encryption means that a message (or plaintext) is converted into meaningless ciphertext through Encrypt ionkey and encryption function, and the receiver restores the ciphertext into plaintext through decryption function and decryption key. Encryption technology is the cornerstone of network security technology.
Data encryption technology requires that the original data can only be obtained under the specified user or network, which requires some special information to be encrypted and decrypted for the data sender and receiver, which is called the key. The value of its key is selected from a large number of random numbers. According to encryption algorithm, it can be divided into private key and public key.
Private keys, also known as symmetric keys or single keys, use the same key, that is, the same algorithm. Kerberos algorithms, such as DES and MIT. Single key is the simplest way. Both parties must exchange each other's keys. When sending messages to each other, they will use their own encryption keys to encrypt, and after receiving data, they will use the keys given by the other party to decrypt. This method becomes very complicated when communicating with many parties, because it needs to save many keys, and the security of the keys themselves is also a problem.
DES is a data block encryption algorithm, which divides the data into six 4-bit data blocks, of which 8 bits are used for parity check and the remaining 56 bits are used as the length of the password. The first step is to replace the original text and get six 4-bit chaotic data sets; Step 2, divide it into two equal sections; Step 3, transform with encryption function, and iterate for many times under the condition of given key parameters to get encrypted ciphertext.
Public key, also known as asymmetric key, uses different keys, that is, different algorithms, including a public key and multiple decryption keys, such as RSA algorithm.
In computer networks, encryption can be divided into "communication encryption" (that is, data encryption during transmission) and "file encryption" (that is, storage data encryption). There are three kinds of communication encryption: node encryption, link encryption and end-to-end encryption.
(1) node encryption, in time coordinates, is carried out before the information is transmitted to the physical communication link; As far as the coordinates (logical space) of OSI layer 7 reference model are concerned, it is carried out between the first layer and the second layer; As far as the implementation object is concerned, it encrypts the data transmitted between two adjacent nodes, but only encrypts the message, not the header, so as to facilitate the selection of transmission routes.
② Link encryption, which is performed at the data link layer, encrypts the data transmitted on the link between adjacent nodes, not only encrypting the data, but also encrypting the header.
③ End-to-end encryption, which is carried out at the sixth or seventh layer, provides continuous protection for data transmission between users. It is also effective to implement encryption at the originating node, transmit it in the form of ciphertext at the intermediate node and decrypt it when it finally reaches the destination node.
In the OSI reference model, all layers except the session layer can implement some encryption measures. However, it is usually the most advanced encryption, that is, every application in the application layer is modified by password coding, so it can keep every application secret, thus protecting the investment of the application layer. If encryption is implemented on one of the following layers, such as TCP layer, only this layer can be protected.
It is worth noting that whether the encryption mechanism can play its role effectively depends on key management, including the whole process of key survival, distribution, installation, storage, use and invalidation.
(1) digital signature
Although the encryption mechanism of public key provides good confidentiality, it is difficult to identify the sender, that is, anyone who obtains the public key can generate and send messages. Digital signature mechanism provides an authentication method to solve the problems of forgery, denial, counterfeiting and tampering.
Digital signature generally adopts asymmetric encryption technology (such as RSA), and a value is obtained as a verification signature by some transformation of the whole plaintext. The receiver decrypts the signature using the sender's public key. If the result is plain text, the signature is valid, which proves the true identity of the other party. Of course, signatures can also be used for many purposes, such as attaching signatures to plain text. Digital signature is widely used in banking, e-commerce and other fields.
Digital signature is different from handwritten signature: digital signature changes with the change of words, and handwritten signature reflects a person's personality characteristics and is unchanged; Digital signature and text information are inseparable, while handwritten signature is attached to text and separated from text information.
(2)Kerberos system
Kerberos system is designed by MIT for Athena project, which provides an authentication method to verify both users in distributed computing environment.
Its security mechanism lies in firstly authenticating the requesting user to confirm whether it is a legal user; If it is a legitimate user, check whether the user has the right to access the service or host he requested. In terms of encryption algorithm, its verification is based on symmetric encryption.
Kerberos system has been widely used in distributed computing environment (such as Notes) because it has the following characteristics:
(1) has high security. Kerberos system encrypts the user's password and uses it as the user's private key, thus avoiding the display and transmission of the user's password on the network, making it difficult for eavesdroppers to obtain the corresponding password information on the network;
(2) High transparency, users only need to enter a password when logging in, which is exactly the same as normal operation, and the existence of Ker beros is transparent to legitimate users;
③ Good scalability. Kerberos provides authentication for each service to ensure the security of the application.
The Ker beros system is somewhat similar to the process of watching movies. The difference is that only customers who log in to Kerberos system in advance can apply for service. Kerberos requires customers who apply for tickets to TGS (ticket distribution server) to request the final service.
The authentication protocol process of Kerberos is shown in Figure 2.
Kerberos has its advantages and disadvantages, mainly as follows:
(The secret shared by Kerberos server and user * * * is the user's password, and the server does not verify the authenticity of the user when responding, assuming that only legitimate users have passwords. If an attacker records an application reply message, it is easy to form a codebook attack.
The secret shared by Kerberos server and user * * * is the user's password, and the server does not verify the authenticity of the user when responding, assuming that only legitimate users have passwords. If an attacker records an application reply message, it is easy to form a codebook attack.
③ AS and TGS are centralized management, which is easy to form a bottleneck. The performance and security of the system also depend on the performance and security of AS and TGS to a great extent. There should be access control before AS and TGS to enhance the security of AS and TGS.
④ With the increase of users, key management becomes more complicated. Kerberos has the hash value of each user's password, and as and TGS are responsible for the distribution of communication keys between families. When n users want to communicate at the same time, N*(N- 1)/2 keys are still needed.
(3) PGP algorithm
PGP(Pretty Good Privacy) is a scheme put forward by author hil Zimmermann, and it has been written since the mid-1980s. The public key and the group key are in the same system, and the public key uses RSA encryption algorithm to manage the key; The IDEA algorithm is used to encrypt information in the group key.
The first characteristic of PGP application is its high speed and efficiency. Another notable feature is its excellent portability, which can run on a variety of operating platforms. PGP mainly includes encrypting files, sending and receiving encrypted emails, digital signatures and so on.
(4) PEM algorithm
Private Enhanced Mail (PEM) is a product developed by American RSA Lab based on RSA and DES algorithms. Its purpose is to enhance the privacy function of individuals. At present, it has been widely used on the Internet, providing the following two types of security services for e-mail users:
Provide security service functions such as verification, integrity and non-repudiation for all messages; Provide optional security service functions, such as confidentiality.
Pemthe mail is handled as follows:
Step 1: Normalization: In order to make PEM compatible with MTA (Message Transfer Agent), the message is normalized according to MTP protocol;
Step 2, MIC (Message Integrity Code) calculation;
The third step is to convert the processed mail into a format suitable for SMTP system transmission.
Authentication technology
Identity recognition is the process of specifying users to show their own identities to the system. Authentication is the process that the system checks the user's identity. People usually refer to these two tasks as identity authentication (or identity authentication), which are two important links to identify and confirm the true identities of the two communication parties.
Network security technology
There are two ways to realize network security on the Web: SHTTP/HTTP and SSL.
(1) HTTP/HTTP
SHTTP/HTTP can encapsulate information in many ways. The encapsulated contents include encryption, signature and MAC-based authentication. And messages can be encapsulated and encrypted repeatedly. In addition, SHTTP also defines header information for key transmission, authentication transmission and similar management functions. SHTTP can support various encryption protocols and provide a flexible programming environment for programmers.
SHTTP does not depend on a specific key authentication system, and currently supports RSA, in-band and out-of-band and Kerberos key exchange.
(2) SSL (condom layer) Secure Socket Layer is an industrial standard using public key technology. SSL is widely used in intranet and Internet, and its products include SSL-supporting clients and servers provided by companies such as Netscape, Microsoft, IBM and Open Market, and Apa che-SSL.
SSL provides three basic security services, all of which use public key technology.
① Information confidentiality, which is realized by using public key and symmetric key technology. All business between SSL client and SSL server is encrypted by using the key and algorithm established during SSL handshake. This can prevent some users from eavesdropping illegally by using the IP packet sniffer tool. Although the packet sniffer can still capture the content of the communication, it cannot decipher it. (2) Information integrity to ensure that all SSL services achieve their goals. If the Internet becomes a feasible e-commerce platform, we should ensure that the information content between the server and the client is not destroyed. SSL provides information integrity services by using secret sharing and hash function groups. ③ Mutual authentication is a process of mutual recognition between client and server. Their identification numbers are encoded with public keys, and when SSL handshakes, their identification numbers are exchanged. In order to verify that the certificate holder is its legitimate user (not an impostor), SSL requires the certificate holder to digitally identify the exchanged data when shaking hands. The certificate holder identifies all information data including the certificate to show that he is the legal owner of the certificate. This can prevent other users from using certificates under pseudonyms. The certificate itself does not provide authentication, only the certificate and the key work together. ④SSL security services should be as transparent as possible to end users. Usually, users can connect to SSL hosts by clicking buttons or links on the desktop. Unlike standard HTTP connection applications, the default port of a typical network host supporting SSL connection is 443, not 80.
When the client connects to the port, the handshake protocol is initialized to establish an SSL session. After the handshake, the communication will be encrypted and the integrity of the information will be checked until the end of the conversation. Only one handshake occurs during each SSL session. In contrast, HTTP needs to shake hands every time it connects, which reduces the communication efficiency. The following events occur in SSL handshake:
1. Client and server exchange X.509 certificates for mutual confirmation. In this process, you can exchange all the proof chains, or you can choose to exchange only some of the underlying proofs. The verification of the certificate includes: the effective date of the certificate and the signing authority.
2. The client randomly generates a set of keys for information encryption and MAC calculation. These keys are encrypted by the server's public key before being sent to the server. There are four keys for server-to-client communication and client-to-server communication.
3. Information encryption algorithm (used for encryption) and hash function (used for ensuring information integrity) are used together. The SSL implementation scheme of Netscape is that the client provides a list of all the algorithms it supports, and the server chooses the password it thinks is the most effective. Server administrators can use or prohibit certain passwords.
agency service
Proxy services such as Domain Name System (DNS) are widely used in the Internet, and many people regard proxy services as a security feature.
Technically speaking, proxy service is a gateway function, but its logical position is above the application layer of OSI layer 7 protocol.
The agent uses the client program to link to a specific intermediate node, and then the intermediate node actually links to the required server. Different from the gateway firewall, there is no direct connection between the external network and the internal network when using this firewall, so even if there is a problem with the firewall, the external network cannot connect with the protected network.
Firewall technology
The concept of (1) firewall
In the computer field, a device that can protect a network and its resources from "fire" outside the network "wall" is called "firewall". In more technical terms, a firewall is a network device or a group of network devices (computer systems or routers, etc.). ) is used to strengthen the access control between two or more networks, and its purpose is to protect one network from the attack of another network. It can be understood as digging a moat around the network, setting up a security checkpoint on the only bridge, and all pedestrians entering and leaving have to undergo security inspection.
The composition of firewall can be expressed as: firewall = filter+security policy (+gateway).
(2) Implementation of firewall
① Implemented on the border router;
(2) Implementation on dual-host computer;
(3) It is implemented on a public subnet (subnet is equivalent to a dual-port host), and a firewall with a fire zone structure can be established on this subnet.
(3) the network structure of the firewall
The topological structure of the network and the reasonable configuration of the firewall are closely related to the performance of the firewall system, and the firewall generally adopts the following structure.
① The simplest firewall structure
This network structure can make the protected network only see the "bridgehead host" (the host through which communication must pass). At the same time, the bridgehead host does not forward any TCP/IP communication packets, and all services in the network must be supported by the corresponding proxy service program of the bridgehead host. However, it entrusts the security performance of the whole network to a single security unit, and a single network security unit is the first target of attackers. Once the firewall is destroyed, the bridgehead host becomes a router without routing function, and the security of the system is unreliable.
② Single network firewall structure
Among them, the role of the shielding router is to protect the security of the fortress host (application gateway or proxy service) and establish a barrier. In this structure, the fortress host can be regarded as an information server and a data center for the intranet to release information to the outside world, but this network topology still entrusts most network security to the shielded router. The security of the system is still not reliable.
③ Structure of enhanced single-segment firewall
In order to enhance the firewall security of the network segment, a shielding router is added between the intranet and the subnet, so that the connection between the whole subnet and the intranet is controlled by the router working at the network level, and the intranet and the extranet cannot be directly connected, so they can only communicate with the fortress host through the corresponding router.
(4) firewall structure with "cease fire zone"
For some special security requirements, the following firewall network structure can be established. The whole security characteristics of the network are shared by multiple security units, and the public information server can be connected to the subnet of the external ceasefire zone as a place for information exchange between the internal and external networks.
Network anti-virus technology
Because computer virus has immeasurable threat and destructive power in the network environment, the prevention of computer virus is also an important part of network security construction. Network anti-virus technology has also been developed accordingly.
Network anti-virus technology includes three technologies: virus prevention, virus detection and antivirus. (1) virus prevention technology, through the system memory where it resides, gives priority to control the system, monitors and judges whether there is a virus in the system, and then prevents computer viruses from entering the computer system and destroying the system. Such technologies include: encrypting executable programs, protecting boot areas, system monitoring and reading and writing control (such as anti-virus cards). (2) Virus detection technology, which is a technology to judge the characteristics of computer viruses, such as self-checking, keywords, file length changes, etc. (3) Anti-virus technology, through the analysis of computer viruses, develops software with the functions of deleting virus programs and restoring original files.
The implementation objects of network anti-virus technology include file virus, boot virus and network virus.
The specific implementation methods of network anti-virus technology include frequent scanning and monitoring of files in network servers; Use anti-virus chips on workstations and set access rights to network directories and files.
With the continuous development of online application and the continuous application of network technology, network insecurity factors will appear constantly, but they are interdependent, network security technology will also develop rapidly, and new security technologies will emerge one after another. Finally, security problems on the Internet will not stop our progress.