Design and Implementation of a Desktop Defense System
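Abstract
With the development of network technology, network security incidents keep increasing. Not only are large networks and hosts seriously threatened; the security of PC desktop systems cannot be ignored either. A desktop defense system is an effective means of securing PC desktop systems.
Firewall technology alone cannot provide complete protection because of its inherent flaws. Intrusion detection, as an active defense technology, is an important supplement to the firewall and serves as a second line of defense. A firewall therefore needs to be combined with intrusion detection to build a more complete defense system. To make the defense system better targeted, this paper first analyzes in detail the various intrusion techniques used by hackers. It then presents the overall design of the desktop defense system and analyzes the function of each module and the relations among the modules. Next, the packet capture platform, the desktop firewall component, and the network-based intrusion detection component are examined in depth. Based on an analysis of the respective strengths and weaknesses of existing technologies, and taking into account the application environment and security requirements of desktop systems, an implementation approach for a desktop defense system that incorporates intrusion detection is proposed.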
With the development of network technology, network security problems are increasing. Not only the hosts of large networks but also desktop computers are under serious threat. A desktop security system is an efficient means of guaranteeing the safety of the desktop. Because of its flaws, a firewall cannot provide complete protection. Intrusion detection, an important supplement to the firewall, should be combined with the firewall to build a better security system.
To make the security system perform better, we first discuss in detail how hackers intrude into networks and computers. The scheme of our desktop security system is then expounded, including the function of each module and the relations among them. Following this, three modules are examined: the desktop firewall, network-based intrusion detection, and the packet capture module. After a comparison of the advantages and disadvantages of existing technology and an analysis of the desktop environment, the realization method of our desktop security system is presented.
