Analysis of Network Sniffing Technology and Its Countermeasures
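Abstract
In recent years, network sniffing has remained a sensitive topic in computer network security: it can bring convenience, but it can also cause great harm. The most effective defence against sniffing is to encrypt the data. However, encrypting data in software consumes CPU resources, which lowers system performance, and software encryption is itself weakly protected. Integrating the algorithm into the network card, so that data security is achieved by installing an encrypting network card, can also guard against network sniffing. This thesis focuses on network sniffing technology and on the application of encrypting network cards against network sniffing.
The thesis first studies the basic concepts and theory relevant to network sniffing, and carefully analyses the TCP/IP protocol structure, the Ethernet architecture and the fundamentals of the IPSec security protocol. IPSec in particular is studied in detail: its working mechanism and the important role of the security association are analysed in depth, and on that basis the encapsulation formats of the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols and the implementation of the Security Policy Database (SPD) are discussed.
Building on this theory, network sniffing is studied in depth. The thesis discusses the principle, components, uses and significance of network sniffing, introduces tools that implement it, and then discusses detection methods and preventive measures. Once the network interface controller (NIC) is set to promiscuous mode, the card receives every packet, which makes sniffing possible. There are many methods for detecting sniffing, such as the PING method and the ARP method. The main countermeasures are encrypting information, using a secure topology and using switches to partition VLANs. Of these, encryption is the most effective, so the currently popular conventional encryption algorithms and public-key encryption algorithms are examined in depth, and the representative algorithms DES and RSA are compared and analysed in detail.
To combine the encryption algorithm software with Ethernet card hardware, the thesis, drawing on the IPSec material, also studies the composition and functions of the network card and analyses in depth how data is sent and received on the NIC. On this basis it gives the design idea for a secure implementation of the encrypting network card: the cryptographic operations are implemented in the card's hardware, and the IPSec processing module is implemented in the card's driver. The implementation of IPSec is then discussed further, a schematic of secure data processing is given, and the handling of outbound and inbound packets in this encrypting network card is analysed. Finally, the thesis describes the application of the encrypting network card against network sniffing: an encrypting network card is installed in every computer on the network, thereby guarding against sniffing.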
Recently, network sniffing has been a sensitive topic in computer network security. It can bring not only convenience but also harm. Encryption is the most effective measure for dealing with network sniffing. But encrypting packets in software not only occupies CPU resources, it also degrades the performance of the network. Network sniffing can also be guarded against by installing an encrypting network card, with the algorithm integrated into it, to secure the data. This thesis concentrates on network sniffing technology and on the application of encrypting network cards against network sniffing.
The thesis first gives the basic concepts and principles related to network sniffing, and then summarizes the protocol structure of TCP/IP, the system structure of Ethernet and the basics of the IP Security protocol. In particular, it studies IPSec in detail and analyzes its working mechanism and the importance of the security association. On this basis, the data encapsulation formats of the Authentication Header (AH) and the Encapsulating Security Payload (ESP) and the implementation of the security policy database (SPD) are discussed.
Building on this theory, the thesis studies the technology of network sniffing in depth. It discusses its principle, components, uses and significance, and then introduces some tools that implement network sniffing. Next, it discusses detection methods and precautionary measures. If it is set to promiscuous mode, the network interface controller (NIC) can receive all data packets, which allows monitoring. There are many means of detecting network sniffing, such as PING and ARP. There are also many means of guarding against network sniffing, such as encrypting information, using a secure topology and partitioning VLANs with switches. Of all these means, encrypting information is the most effective, so the conventional encryption algorithms and the public-key algorithms that are currently most popular are studied, and the representative, widely used algorithms DES and RSA are analyzed.
To combine the encryption algorithm with the Ethernet network card, the thesis, drawing on the basics of IPSec, studies the composition of the network card and its functions, and at the same time analyzes how data is sent and received via the NIC. Based on the above, the thesis gives the scheme for a secure network card, which includes implementing the encryption function in the hardware of the network card and implementing the IPSec processing function. Further, the implementation of IPSec is discussed, a schematic of secure data processing is given, and the processing of inbound and outbound data packets via the encrypting NIC is discussed. Finally, it describes the application of the encrypting network card against network sniffing: each computer is fitted with an encrypting network card so that it is defended against network monitoring.
