攀钢自动化公司计算机网络安全防范的研究
摘要
对计算机网络安全的研究,世界各国都非常重视,美国在网络安全方面的厂商已近600多家,成为美国Internet/Intranet/Extranet网络产业的重要组成部分。在国内,计算机网络安全问题也引起了极大的关注和重视,在病毒防治方面取得了很好的效果,但在防范恶意攻击上,成果极少。我国目前网络安全产品的研究机构和生产厂商不足70家,尚未形成规模和配套体系。
本文对攀钢自动化公司的计算机网络进行了分析研究。攀钢自动化公司的计算机网络属于局域网,也是典型的企业网络。由于安全措施相当薄弱,经常发生用户恶意攻击和滥用网络的现象,迫切需要符合实际的安全措施。分析研究了攀钢自动化公司计算机网络的管理信息的保密性和安全性、网络内各用户计算机的安全以及防止病毒入侵等主要安全需求和主要安全威胁。
本文阐述了基于OSI /RM计算机网络的体系结构。OSI/RM将计算机网络将网体系结构划分为应用层、表示层、会话层、传输层、网络层、数据链路层和物理层七个层次。在各个层次都有相应的网络协议支持,网络协议的存在主要依据于OSI/RM。根据使用协议、传输媒体和网络服务这三种基本因素的不同形式,将计算机网络分为对等网、基于服务器和企业网络三种类型。再根据地理范围,又分为局域网和广域网。
基于计算机网络安全基本理论,结合OSI/RM,本文重点对计算机网络的漏洞、网络攻击的技术和手段进行了分析研究。发现计算机网络的基本技术和应用中存在许多安全漏洞。由此不可避免的带来计算机网络的安全问题。其中,网络攻击是最主要的安全威胁。网络攻击的各种技术和方法,都是企图利用系统的漏洞。在此基础上,本文提出了计算机网络的安全策略,提出了攀钢自动化公司计算机网络的安全措施,即管理措施、组建VLAN、数据备份、访问权限控制、合法用户自我防范、病毒防治以及制定应急处理方案,取得了较好的实际效果。由于网络安全的复杂性,防范措施的研究将是长期和复杂的任务,要做的研究还很多,本科题今后仍将继续进行研究。
People all over the world pay much attention to the research on the security of the network. It is up to 600 manufactories on network security in USA. And the security of the network has become an important part of the Internet/Intranet/Extranet network industry. In China, the security of network is also regarded, and the researchers get good effect on anti-virus, but they can seldom break through on vicious attack. There are less than 70 manufactories and instruments on security of network and the network industry have not come into great scale and system in China recently.
In this paper, the author analyzed the network in automation department of PanZhiHua iron & steel company (PanGang Automation company). The network in PanGang Automation company is LAN, also is typical enterprise network. The vicious attack and misuse network occurred frequently because of the weakness of the security of network. So establish a set of security measure become urgent. Besides, the author researched on the privacy and security of the manage information, the right of users of network, the need to prevent from the virus and the menace to the network security in PanGang Automation company.
This paper expatiated the structure of the network system based on OSI/RM. OSI/RM classify the structure of the network into application layer, presentation layer, session layer, transport layer, network layer, data link layer and physical layer. There are correspond protocols in every layer, and the network protocols come into being according to OSI/RM. We can classify the network on other different standard. For example, we can classify the network into peer-to-peer network, network based on server and enterprise network according to the different protocol, transmission media and network server. And we also can classify the network into LAN and WAN according to the different region.
According to the basic theory about the network security, combined with OSI/RM, this paper lays emphasis on the resea}rch which contains the leak of network, the technique and means of the attack from network, and finding some security leaks existing in the basic technique and application behind the network. So, a lot of security problems inevitably come up. For example, the attack from the network is the main threat of security, while the network attack uses all kinds of technique and means with the purpose of using the leak of the system. Based on this, this paper provides a security strategy related on network, and gives the security measures for the network in PanGang Automation company, they are management measure, organization VLAN, data backup, limiting authority of access, the self-protection of legal user, prevention and cure of virus, and the emergency process plan. In these fields, we obtain much practical effect. Because of complexity of security on network, the research about the protective measures is a permanent and complex task, we have a lot of research to do, this task will continue to be discussing in the future.
本文对攀钢自动化公司的计算机网络进行了分析研究。攀钢自动化公司的计算机网络属于局域网,也是典型的企业网络。由于安全措施相当薄弱,经常发生用户恶意攻击和滥用网络的现象,迫切需要符合实际的安全措施。分析研究了攀钢自动化公司计算机网络的管理信息的保密性和安全性、网络内各用户计算机的安全以及防止病毒入侵等主要安全需求和主要安全威胁。
本文阐述了基于OSI /RM计算机网络的体系结构。OSI/RM将计算机网络将网体系结构划分为应用层、表示层、会话层、传输层、网络层、数据链路层和物理层七个层次。在各个层次都有相应的网络协议支持,网络协议的存在主要依据于OSI/RM。根据使用协议、传输媒体和网络服务这三种基本因素的不同形式,将计算机网络分为对等网、基于服务器和企业网络三种类型。再根据地理范围,又分为局域网和广域网。
基于计算机网络安全基本理论,结合OSI/RM,本文重点对计算机网络的漏洞、网络攻击的技术和手段进行了分析研究。发现计算机网络的基本技术和应用中存在许多安全漏洞。由此不可避免的带来计算机网络的安全问题。其中,网络攻击是最主要的安全威胁。网络攻击的各种技术和方法,都是企图利用系统的漏洞。在此基础上,本文提出了计算机网络的安全策略,提出了攀钢自动化公司计算机网络的安全措施,即管理措施、组建VLAN、数据备份、访问权限控制、合法用户自我防范、病毒防治以及制定应急处理方案,取得了较好的实际效果。由于网络安全的复杂性,防范措施的研究将是长期和复杂的任务,要做的研究还很多,本科题今后仍将继续进行研究。
People all over the world pay much attention to the research on the security of the network. It is up to 600 manufactories on network security in USA. And the security of the network has become an important part of the Internet/Intranet/Extranet network industry. In China, the security of network is also regarded, and the researchers get good effect on anti-virus, but they can seldom break through on vicious attack. There are less than 70 manufactories and instruments on security of network and the network industry have not come into great scale and system in China recently.
In this paper, the author analyzed the network in automation department of PanZhiHua iron & steel company (PanGang Automation company). The network in PanGang Automation company is LAN, also is typical enterprise network. The vicious attack and misuse network occurred frequently because of the weakness of the security of network. So establish a set of security measure become urgent. Besides, the author researched on the privacy and security of the manage information, the right of users of network, the need to prevent from the virus and the menace to the network security in PanGang Automation company.
This paper expatiated the structure of the network system based on OSI/RM. OSI/RM classify the structure of the network into application layer, presentation layer, session layer, transport layer, network layer, data link layer and physical layer. There are correspond protocols in every layer, and the network protocols come into being according to OSI/RM. We can classify the network on other different standard. For example, we can classify the network into peer-to-peer network, network based on server and enterprise network according to the different protocol, transmission media and network server. And we also can classify the network into LAN and WAN according to the different region.
According to the basic theory about the network security, combined with OSI/RM, this paper lays emphasis on the resea}rch which contains the leak of network, the technique and means of the attack from network, and finding some security leaks existing in the basic technique and application behind the network. So, a lot of security problems inevitably come up. For example, the attack from the network is the main threat of security, while the network attack uses all kinds of technique and means with the purpose of using the leak of the system. Based on this, this paper provides a security strategy related on network, and gives the security measures for the network in PanGang Automation company, they are management measure, organization VLAN, data backup, limiting authority of access, the self-protection of legal user, prevention and cure of virus, and the emergency process plan. In these fields, we obtain much practical effect. Because of complexity of security on network, the research about the protective measures is a permanent and complex task, we have a lot of research to do, this task will continue to be discussing in the future.
引文
[1] 《计算机世界报》,第35期,A18,2002
[2] 万平国,《计算机世界报》,第41期,D20、D21、D23,2002
[3] 丁正铨、许祖谦 《计算机网络原理与技术》,四川大学出版社,1995, P1-2、P60-90
[4] 梁晋、黄樟钦等,《中文版Windows 95 使用大全》,西安电子科技大学出版社,1996
[5] 刘尊全,《计算机病毒防范与信息对抗技术》,清华大学出版社,1991,P1-25
[6] 周锡龄,《计算机数据安全原理》,上海交通大学出版社,1987
[7] 王和贵,《计算机信息保护》,科学技术文献出版社
[8] 张钟,《Internet基础教程》,科学技术文献出版社,1995
[9] 曾瑞源,《Internet实用手册》,学苑出版社,1994
[10] 林明宪、张芳泽,《Internet学术网络资源》,学苑出版社,1994
[11] 黄梯云等,《管理信息系统》, 电子工业出版社,P80-90 1995
[12] 王彬 、冬岗、马长武,《网络集成实例集粹》,西安电子科技大学出版社,1999,P11-21、P40-90、
[13] 刘鲁等,《信息系统设计原理与应用》,科学技术出版社,1999
[14] 黎洪松、裘晓峰,《网络系统集成技术及其应用》,P25-88、P101-166
[15] 胡道元主编,《信息网络集成技术》,清华大学出版社,1996
[16] 徐锋等,《攻克网络》,重庆出版社,2000,P1-50、P221-299
[17] Manrice J. Bach ,《UNIX操作系统设计》,机械工业出版社,2000
[18] Microsoft公司,《Windows 95 实用指南》,北京大学出版社,1996
[19] Allen WyaWyatt,《Windows 95 Internet使用指南》,学苑出版社,1995
[20] Neil Jenkins & Stan Schatt,《计算机局域网解析》,机械工业出版社,1997
[21] Thon Hogan,《PC软硬件技术资料大全》,清华大学出版社,1990
[22] KevinKelly,《Internet奥秘》,学苑出版社,1994,P8-66
[23] Bill Lawrence,《Novell NetWare 4 使用指南》,清华大学出版社,1995
[24] R. Atkinson. Security Architecture for the Internet Protocol. Resquest for Comments (Proposed Standard) RFC 1825, Internet Engineering Task Force, Augest 1995,August 1995
[25] R. Atkinson. IP authentication header. Resquest for Comments (Proposed Standard) RFC 1826, Internet Engineering Task Force, Augest 1995
[26] R. Atkinson. IP encapsulating security payload (ESP). Resquest for Comments (Proposed Standard) RFC 1827, Internet Engineering Task Force, Augest 1995.
[27] J. Postel. User datagram protocol. Resquest for Comments (Standard) STD 6, RFC 768, Internet Engineering Task Force, Augest 1980.
J. Postel. Internet control message protocol. Resquest for Comments (Standard) STD 5, RFC 792,
[28] Internet Engineering Task Force, September 1981.
[29] J. Postel. Internet protocol. Resquest for Comments (Standard) RFC 791, Internet Engineering Task Force, September 1981.
[30] J. Postel. Transmission control protocol. Resquest for Comments (Standard) STD 7, RFC 793, Internet Engineering Task Force, September 1981.
[31] Robert T. Morris. A weakness in the 4.2bsd UNIX TCP/IP software. Computing Science Technical Report 117,AT&T Bell Laboratories, Murray Hill,NJ February 1985.
[32] C. L. Schuba, I.Krsul, M. Kuhn, E. Spafford,AA. Sundaram, & D. Zamboni. Analysis of denial of service attacks on TCP. In Proceedings of the IEEE Symposium on Security and Privacy,May 4-7, 1997. Oakland, California, Los Alamitos, CA, USA, May 1997.
[33] T. Roscoe. Linkage in the Nemesis single address space operating system. Operating Systems Review, Oct.1994
[34] P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other system. In Proc. Of crypto 96, LNCS 1109,Springer,1996
[35] Ashar Aziz. Simple Key-management for Internet protocols. In Obsolete Internet draft, October 25,1994
[36] Steven M. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communications Review, April 1989
[37] Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosysytems. Journal of Cryptology,1991
[38] Donald E. Eastlake, 3rd and Charles W. Kaufman. Domain name system protocol security extences. Internet draft;work in progress, January 30,1996
[39] R. Bird, I,Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Mulva, and M. Yuang. Systematic design of a family of attack-resistant authentication protocols. IEEE Journal on selected Areas in Communications,11(5), 1993.
[40] J. Clark and J. Jacob. On the security of recent protocols. Information Processing Letters, 56(3), 1995
[41] D. Gollmann. What dowe mean by entity authentication? In IEEE Symposium on Research in Security and Privacy, 1996
[42] J. K. Millen, S. C. Clark, and S. B. Freedman. The interrogator: Protocol security analysis. In IEEE Transactions on software Engineering, 13(2),1987.
[43] A. W. Roscoe. Intensional specifications of security protocols. In 9th IEEE Computer Security Foundations Workshop, 1996
[44] L. Gong, M. A. Lomas, R. Needham, and J. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Area in Communications,11(5), June 1993.
D. Jablon. Extended password methods immune to dictionary attack. In WETICE '79 Enterprise Security Workshop, Cambridge, MA, June 1997.
[2] 万平国,《计算机世界报》,第41期,D20、D21、D23,2002
[3] 丁正铨、许祖谦 《计算机网络原理与技术》,四川大学出版社,1995, P1-2、P60-90
[4] 梁晋、黄樟钦等,《中文版Windows 95 使用大全》,西安电子科技大学出版社,1996
[5] 刘尊全,《计算机病毒防范与信息对抗技术》,清华大学出版社,1991,P1-25
[6] 周锡龄,《计算机数据安全原理》,上海交通大学出版社,1987
[7] 王和贵,《计算机信息保护》,科学技术文献出版社
[8] 张钟,《Internet基础教程》,科学技术文献出版社,1995
[9] 曾瑞源,《Internet实用手册》,学苑出版社,1994
[10] 林明宪、张芳泽,《Internet学术网络资源》,学苑出版社,1994
[11] 黄梯云等,《管理信息系统》, 电子工业出版社,P80-90 1995
[12] 王彬 、冬岗、马长武,《网络集成实例集粹》,西安电子科技大学出版社,1999,P11-21、P40-90、
[13] 刘鲁等,《信息系统设计原理与应用》,科学技术出版社,1999
[14] 黎洪松、裘晓峰,《网络系统集成技术及其应用》,P25-88、P101-166
[15] 胡道元主编,《信息网络集成技术》,清华大学出版社,1996
[16] 徐锋等,《攻克网络》,重庆出版社,2000,P1-50、P221-299
[17] Manrice J. Bach ,《UNIX操作系统设计》,机械工业出版社,2000
[18] Microsoft公司,《Windows 95 实用指南》,北京大学出版社,1996
[19] Allen WyaWyatt,《Windows 95 Internet使用指南》,学苑出版社,1995
[20] Neil Jenkins & Stan Schatt,《计算机局域网解析》,机械工业出版社,1997
[21] Thon Hogan,《PC软硬件技术资料大全》,清华大学出版社,1990
[22] KevinKelly,《Internet奥秘》,学苑出版社,1994,P8-66
[23] Bill Lawrence,《Novell NetWare 4 使用指南》,清华大学出版社,1995
[24] R. Atkinson. Security Architecture for the Internet Protocol. Resquest for Comments (Proposed Standard) RFC 1825, Internet Engineering Task Force, Augest 1995,August 1995
[25] R. Atkinson. IP authentication header. Resquest for Comments (Proposed Standard) RFC 1826, Internet Engineering Task Force, Augest 1995
[26] R. Atkinson. IP encapsulating security payload (ESP). Resquest for Comments (Proposed Standard) RFC 1827, Internet Engineering Task Force, Augest 1995.
[27] J. Postel. User datagram protocol. Resquest for Comments (Standard) STD 6, RFC 768, Internet Engineering Task Force, Augest 1980.
J. Postel. Internet control message protocol. Resquest for Comments (Standard) STD 5, RFC 792,
[28] Internet Engineering Task Force, September 1981.
[29] J. Postel. Internet protocol. Resquest for Comments (Standard) RFC 791, Internet Engineering Task Force, September 1981.
[30] J. Postel. Transmission control protocol. Resquest for Comments (Standard) STD 7, RFC 793, Internet Engineering Task Force, September 1981.
[31] Robert T. Morris. A weakness in the 4.2bsd UNIX TCP/IP software. Computing Science Technical Report 117,AT&T Bell Laboratories, Murray Hill,NJ February 1985.
[32] C. L. Schuba, I.Krsul, M. Kuhn, E. Spafford,AA. Sundaram, & D. Zamboni. Analysis of denial of service attacks on TCP. In Proceedings of the IEEE Symposium on Security and Privacy,May 4-7, 1997. Oakland, California, Los Alamitos, CA, USA, May 1997.
[33] T. Roscoe. Linkage in the Nemesis single address space operating system. Operating Systems Review, Oct.1994
[34] P. Kocher, Timing attacks on implementations of Diffie-Hellman, RSA, DSS, and other system. In Proc. Of crypto 96, LNCS 1109,Springer,1996
[35] Ashar Aziz. Simple Key-management for Internet protocols. In Obsolete Internet draft, October 25,1994
[36] Steven M. Bellovin. Security problems in the TCP/IP protocol suite. Computer Communications Review, April 1989
[37] Eli Biham and Adi Shamir. Differential cryptanalysis of DES-like cryptosysytems. Journal of Cryptology,1991
[38] Donald E. Eastlake, 3rd and Charles W. Kaufman. Domain name system protocol security extences. Internet draft;work in progress, January 30,1996
[39] R. Bird, I,Gopal, A. Herzberg, P. A. Janson, S. Kutten, R. Mulva, and M. Yuang. Systematic design of a family of attack-resistant authentication protocols. IEEE Journal on selected Areas in Communications,11(5), 1993.
[40] J. Clark and J. Jacob. On the security of recent protocols. Information Processing Letters, 56(3), 1995
[41] D. Gollmann. What dowe mean by entity authentication? In IEEE Symposium on Research in Security and Privacy, 1996
[42] J. K. Millen, S. C. Clark, and S. B. Freedman. The interrogator: Protocol security analysis. In IEEE Transactions on software Engineering, 13(2),1987.
[43] A. W. Roscoe. Intensional specifications of security protocols. In 9th IEEE Computer Security Foundations Workshop, 1996
[44] L. Gong, M. A. Lomas, R. Needham, and J. Saltzer. Protecting poorly chosen secrets from guessing attacks. IEEE Journal on Selected Area in Communications,11(5), June 1993.
D. Jablon. Extended password methods immune to dictionary attack. In WETICE '79 Enterprise Security Workshop, Cambridge, MA, June 1997.