Research on the Security Mechanism of a Regional Resource Optimal Allocation Platform
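Abstract
The regional resource optimal allocation platform is network-based; its purpose is to optimize the allocation of resources within the region and to use regional advantages to raise the competitiveness of enterprises. Because the platform is built on the Internet, it may be subject to all kinds of attacks from the Internet, and the security of the platform itself and of the platform's data bears directly on how far enterprises trust the platform. Trust is the foundation for providing services, and security is the guarantee that the platform works normally. In addition, a resource optimal allocation platform differs from an ordinary enterprise website and has special requirements for security configuration, so an in-depth study of the platform's security mechanism is necessary.
     Based on an analysis of the security characteristics of the Chengdu-Deyang-Mianyang regional resource optimal allocation platform, this thesis proposes a platform security control solution and draws up concrete implementation schemes from two aspects: system security and information security.
     (1) Platform system security
     Platform system security is the foundation of the security of the whole platform and gives strong support to platform information security. Through an analysis of the platform's system security requirements, a platform system security architecture is drawn up, and platform system security is designed in detail from the two aspects of passive defense and active defense. Finally, the concrete implementation scheme for platform system security is set out from the angle of firewall configuration and intrusion detection system configuration.
     (2) Platform information security
     Information security is the focus of implementing platform security. Based on an analysis of the platform's information security requirements, a platform information security architecture is drawn up, and the planning and implementation of the platform's information security control strategy are examined from two aspects: information access security control and information transmission security control. Platform information access involves many issues, including the way information is stored, information access permission control, user identity authentication, and password and log management; information transmission security mainly studies the selection and implementation of an encrypted information transmission scheme.
     Finally, an identity authentication technique suited to the platform, proposed within the user identity authentication strategy, is described in detail and implemented in code, providing support for realizing the platform's identity authentication strategy.
     This thesis is a component of the National 863 Program project 2001AA411320, "Development and Application of a Regional Modern Integrated Manufacturing System with Chengdu-Deyang-Mianyang as its Core", and has passed the acceptance review organized by the National 863 Program expert group.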
The Resource Optimize Configuration Platform of Area (ROCPA) is network-based and is intended to optimize the allocation of resources within the area and to improve the competitiveness of the area's enterprises by exploiting the area's advantages. Because the platform is built on the Internet, it faces all kinds of attacks from the Internet. The security of the platform itself and of the data it holds directly determines whether enterprises trust the platform: trust is the bedrock of the services, and security is the guarantee that the platform works normally. Moreover, the ROCPA is unlike an ordinary enterprise website and has special demands for security configuration. For these reasons, it is very important to research the platform's security mechanism thoroughly.
    Based on an analysis of the characteristics of platform security, the thesis puts forward a platform security control scheme and then establishes concrete implementation schemes from two sides: system security and information security.
    (1) Platform System Security
    Platform system security is the base of platform security and gives strong support to platform information security. The structure of platform system security is determined by analyzing its requirements. Platform system security is then designed in detail in two parts: passive defense and active defense. Finally, the detailed implementation plan for platform system security is set out in terms of the deployment of the firewall and the intrusion detection system.
    (2) Platform Information Security
    Information security is the keystone of platform security. This thesis establishes the structure of platform information security based on an analysis of its requirements, and examines the planning and deployment of the platform's information security control strategy in two parts: information access security control and information transmission security control. Information access security is studied from several angles: secure information storage, information access control, user identity authentication, cipher key management, log management, etc. The study of information transmission focuses on the selection and deployment of an encrypted information transmission scheme.
    By analyzing and comparing the parts of the information security system, a configuration scheme is drawn up, which serves as the basis for the concrete configuration of platform information security.
    Finally, an identity authentication technology suited to the platform is put forward and described in detail as part of the user identity authentication strategy. Its function modules are implemented to support the platform's identity authentication strategy.
    This thesis serves the national 863 Program project "2001AA411320 regional modern integrated manufacture system development and application at the core of Chengdu, Deyang and Mianyang". The expert group organized by the national 863 Program has checked and accepted the project.
