现代企业网络风险分析与安全策略
|
摘要
网络发展日新月异,电子商务如火如荼,网络安全问题亦接踵而至,
以信息技术的广泛应用,网络为平台的现代企业在充分享受网络与电子
商务的便利与快捷时也需正视网络带来的相关问题,特别是安全!
现代企业网络安全涉及到企业、网络技术、人员心理、社会大环境
等许多方面的因素,对其进行分析时由于其中绝大多数的考虑因素都是
极难量化表示的,如果只是通过简单的假设将其忽略或拟量化以适应某
种定量方法的话,那么所建立的模型就无法按照实际问题的性质反映所
有因素的作用。所以我们只能采用既能处理定量参数,又能考虑定性因
素的方法来进行建模。
本文在充分界定现代企业及其数字化经济特质时,对其安全问题亦
进行了较全面的研究与探讨,对现代企业网可能面临的网络风险、网络
攻击进行了考察,并首次将层次分析、德尔菲法等传统的分析方法应用
于网络及网络安全这一全新领域,为其建立了层次模型,从而使得网络
安全与防护这一主要靠经验决策的问题有了更科学、更准确、更合理快
捷的解决方法。
同时本文亦针对现代企业网的特点与安全要求,提出了一套系统、
先进、科学合理的网络安全解决方案,涉及局域网安全解决方案、广域
网安全解决方案、Internet互连安全解决方案以及操作系统安全、应用程
序安全、防病毒、反黑客安全等解决方案。
With the development of network and Electronic Commerce, network
security is becoming increasingly noticeable, While Modern Enterprises,
based on network flatfOrm and widely applying InfOrmation Technology, are
benefited from the facility of network and Electronic Commerce, lots of
problems fOllowing, especialIy network security, shouId be paid attention
to.
Network security of Mod ern Enterprise dea] s with enterpri ses, network
technologies, personnel psychology, the society and so on, most of which
are difficult to quantize. The model, ignoring simply or quantizing
approximateIy some factors to adapt to some quantitative methods, will not
show their exact roles in practice. TherefOre, the modeling methods, taking
quantitative parameters and qualitative factors into account, should be
ad o pted
The definition of Modern Enterprise and its digitaI economic character
are presented Its security is analyzed comprehensively, and then the risk
and attack of network are studied Analytic Hierarchy Process (AHP) is
firstly applied to the fields of network and its security Modeling based on
the new method presents a reasonable solution, which is more scientific,
accurate and convenient, to network security and prevention, most of which
were decided by experience previously.
Meanwhile, a systematic, advanced and scientific suit of solution to
network security is presented according with the properties and security
demands of Modern Enterprise network, incIuding security soIutions to
LAN, WAN and Internet, and those to Operation System, appl ication
program, anti-virus and anti-hacker
以信息技术的广泛应用,网络为平台的现代企业在充分享受网络与电子
商务的便利与快捷时也需正视网络带来的相关问题,特别是安全!
现代企业网络安全涉及到企业、网络技术、人员心理、社会大环境
等许多方面的因素,对其进行分析时由于其中绝大多数的考虑因素都是
极难量化表示的,如果只是通过简单的假设将其忽略或拟量化以适应某
种定量方法的话,那么所建立的模型就无法按照实际问题的性质反映所
有因素的作用。所以我们只能采用既能处理定量参数,又能考虑定性因
素的方法来进行建模。
本文在充分界定现代企业及其数字化经济特质时,对其安全问题亦
进行了较全面的研究与探讨,对现代企业网可能面临的网络风险、网络
攻击进行了考察,并首次将层次分析、德尔菲法等传统的分析方法应用
于网络及网络安全这一全新领域,为其建立了层次模型,从而使得网络
安全与防护这一主要靠经验决策的问题有了更科学、更准确、更合理快
捷的解决方法。
同时本文亦针对现代企业网的特点与安全要求,提出了一套系统、
先进、科学合理的网络安全解决方案,涉及局域网安全解决方案、广域
网安全解决方案、Internet互连安全解决方案以及操作系统安全、应用程
序安全、防病毒、反黑客安全等解决方案。
With the development of network and Electronic Commerce, network
security is becoming increasingly noticeable, While Modern Enterprises,
based on network flatfOrm and widely applying InfOrmation Technology, are
benefited from the facility of network and Electronic Commerce, lots of
problems fOllowing, especialIy network security, shouId be paid attention
to.
Network security of Mod ern Enterprise dea] s with enterpri ses, network
technologies, personnel psychology, the society and so on, most of which
are difficult to quantize. The model, ignoring simply or quantizing
approximateIy some factors to adapt to some quantitative methods, will not
show their exact roles in practice. TherefOre, the modeling methods, taking
quantitative parameters and qualitative factors into account, should be
ad o pted
The definition of Modern Enterprise and its digitaI economic character
are presented Its security is analyzed comprehensively, and then the risk
and attack of network are studied Analytic Hierarchy Process (AHP) is
firstly applied to the fields of network and its security Modeling based on
the new method presents a reasonable solution, which is more scientific,
accurate and convenient, to network security and prevention, most of which
were decided by experience previously.
Meanwhile, a systematic, advanced and scientific suit of solution to
network security is presented according with the properties and security
demands of Modern Enterprise network, incIuding security soIutions to
LAN, WAN and Internet, and those to Operation System, appl ication
program, anti-virus and anti-hacker
引文
[1]唐晓东,齐治昌,建立INTERNET上的安全环境,计算机科学,1998,Vol.25,No.1,26-30
[2]王育民,刘建伟,通信网的安全---理论与技术,西电出版社,1999
[3]胡昌振,李贵,面向21世纪网络安全与防护,北京希望电子出版社,1999
[4]关键业务网络系统信息系统安全,美国网络联盟公司,1998.10
[5]黑客防线秘笈,家庭电脑世界,2000
[6]INTRANET与网络安全研讨会技术白皮书,清华得实,1998
[7]清华得实,网络安全需求,微型机与应用,1998,No.8,4-5
[8]Gregory White.and Udo Pooch, Problems with DCE Security Services,Computer Communication Review, 1995, Oct, Vol.25, No.5, 5-11
[9]张小斌,严望隹,黑客分析与防范技术,清华大学出版社,1999.5
[10]Ahmed Patel,Security management for OSI networks, Computer Communication Vol17, No. 7, July 1994, 544-553
[11]胡道元,INTRANET网络技术及应用,清华大学出版社,1998,5
[12]Raouf Boutaba and Simon Znaty, An Architectural Approach for Integrated Network and Systems Management, Computer Communication Review, 1995,Oct, Vol.25, No.5, 13-25
[13]John vacca, INTRANET的安全性,2000,1
[14]Stephan Lechner, SAMSON: Management of Security in Open Systems,Computer Communication, Vol 17, No. 7, July 1994, 538-543
[15]王怀伯,张申生,周一萍,Intranet/Extranet中的网络安全技术,计算机工程,1999,Vol.25,No.1,30-32
[16]李建萍,郭学理,Internet的安全机制,微型机与应用,1999,No.2,26-29
[17]胡英伟,董永平,赵乐春等,网络认证及其发展,微型机与应用,1999,No.7,28-29
[18]前导工作室,网络安全技术内幕,机械工业出版社,1999。4
[19]邮电部数据通信技术研究所,构建安全内联网,信息安全专论,1998
[20]李江,冯登国,TCP协议安全分析,密码与信息,1998。4
[21]蒋建春,赵晓亮,INTERNET 网络安全监视器设计与实现,密码与信息,1998。4
[22]http://www.hn.cninfo.net/safty
[23]http://www.setco.org/set specifications.html
[24]http://www.ebusinessrevolution.com
[25]B.Clifford Neuman, Security, Payment and Privacy for Network Commerce,IEEE Journal on Selected Areas in Communications, 1995, Oct, Vol.13, No.8,1523-1530
[26]董慧,刘厚嘉,现代企业在信息高速公路环境中的变革,情报科学,1999,Vol.17 No.1,10-14
[27]毛广,吴荣泉,DCE WEB:安全的Web服务器,计算机工程,1999,No.1
[28]RFC文档,FTP://FTP.PKU.EDU.CN
[29]靳莉莉,王硗靖,网络安全测试的研究及实现,密码及信息,1999。4
[30]罗文平,杨蕾,ERCIST防火墙系统,信息与密码,1998,4
[31]Hamilton S, E-Commerce for the 21~(st) Century, IEEE Computer May, 1997,44-47
[32]Kalakota R Whinston, Electronic Commerce: a manager's guide, Addison Wesley Longman,1997
[33]李海泉,计算机网络的安全技术与方法,微型机与应用,1998,No.10,28-30,36
[34]王圣广,马士华,基于全球供应链的虚拟企业,管理工程学报,1999,No.3,9-12,16
[35]钱勇,谷大成,白英彩,Internet网上商务离线系统的一种随意支付技术,微型电脑应用,1998。6
[36]鄂大伟,基于交换的VLAN配置与应用,微型机与应用,1998,No.10,34-36
[37]B.Clifford Neuman and Theodore Ts′o, Kerberos: An Anthentication Service for Computer Networks,IEEE Communications Magazine September 1994,33-38
[38]J.T.Kohl and B.C.Neuman, The Kerberos Network Authentication service,Internet RFC 1510, September 1993
[39]Ping Lin, Lin Lin, Security in Enterprise Networking: A Quick Tour, IEEE Commun.Mag., Jan.1996
[40]B.C.Neuman, Using Kerberos for Authentication on Computer Networks,IEEE Commun.Mag., Sept.1994
[41]缪逸,高剑峰,电子贸易与网络安全,计算机应用研究,1999,No.2,21-23
[42]许玲,公开密钥加密体制引入电子邮件,计算机应用研究,1999,No.2,49-50
[43]Dan Blacksrski, Network Security in a Mixed Enviroment, IDG Books WorldWide,1998
[44]Andrew S. Tanenbaum, Computer Networks(Third Edition), Prentice Hall International,Inc., PTR May,1996
[45]胡道元,卢开澄,朱爽等著,《INTRANET 网络技术及应用》,清华大学出版社,1998
[46]高鹏,严望佳著,《UNIX系统安全》,清华大学出版社,1999
[47]William Stallings, SNMP, SNMPv2 and RMON: Practical Network Management, Addison Wesley, 1996
[48]岑贤道,安常青,《网络管理协议及应用开发》,清华大学出版社,1998
[49]Englewood Cliffs. NJ. Open Software Foundation. Introduction to DCE.Prentice Hall Inc, 1992
[50]3Com. SuperStack Ⅱ Switch 1000 User Guide
[51]R.L.Rivest, A.Shamir and L.Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Comun.ACM, Vol21, No.2, 120-126,Feb 1978
[52]S.M.Bellovin and W.R.Cheswick, Network firewalls, IEEE Communication Mag, Vol32, No.9, 50-57, Sept 1994
[53]E.Rescorla and A.Schiffman, The Secure Hypertext Transfer Protocol,Internet Draft Rescorla-Shttp-0, Dec 1994
[54]M.E.Erdos and J.N.Pato, Extending the OSF DCE Authorization System to Support Practical Delegation, Network and Distributed System Security, Feb 1993
[55]电子商务技术、产品及方案,微电脑世界,1998,No.16,30-33
[56]Vin cerf,,Bay Networks, 1997
[57]王水星,政务信息处理中安全域控制机制研究,情报科学,1999,Vol.17 No.2,153-155
[58]杨德华,企业INTRANET 计算结构及其相关技术,微型电脑应用,1999,No.7,24-27,31
[59]刘晓敏,网络环境下信息安全的技术保护,情报科学,1999,Vol.17 No.2,122-125
[60]M Bellovin and M Merritt, Limitations of the Kerberos Authenication System, Computer Communication Review, 1990, Oct, 20(5): 119-132
[61]T Kohl,B C Neuman and T Y T′so, The Evolution of the Kerberos Authentication System in Distributed Open Systems, IEEE Computer Society Press, 1994, 78-94
[62]刘志勇,电子商务发展趋势及对策,管理现代化,1999,No.5,27-29
[63]刘柏嵩,Intranet的实现及其关键技术,计算机应用研究,1998,No.3,50-52
[64]杨德华,Intranet网上用户验证技术,计算机应用研究,1999,No.5,45-49
[65]李玉海,王继新,王学东,发展我国电子商务亟待解决的几个技术问题,中国信息导报,1999,No.10,16-18
[66]崔永臻,张焕国,电子商务及其安全保密,通信保密,1998,No.4,59-63
[67]万江平,郭荷清,刘发贵等,从Extranet看电子商务,计算机应用研究,1999,No.2,1-3
[68]秦荪涛,校园网络的安全性与防火墙设计,管理信息系统,1999,No.3,57-60
[69]M Needham and M D Schroeder, Using Encryption for Authentication in Large Networks of Computers, Communication of the ACM, 21(12): 993-999,December 1978
[70]程代杰,刘卫宁,电子商务及相关技术,计算机应用,1999,Vol.19,No7,1-3
[71]刘卫宁,宋伟,电子商务中在线支付的安全保障,计算机应用,1999,Vol.19,Nol,3-6
[72]曹勇,刘洁,Internet/Intranet上电子商店的一个实现方法,计算机应用,1999,Vol.19,Nol,7-10
[73]倪凯民,INTRANET在现代企业中的应用,计算机应用研究,1998,No.2,15-18
[74]于华,基于Intranet的管理信息系统构造,管理信息系统,1999,No.3,57-60
[75]廖建勇,电子商务的定义与分类,电子与信息化,1999,No.7,6-7
[76]邱燕燕,网络信息安全及防范对策,情报理论与实践,1999,No.3,191-193
[77]郑枫,苏厚勤,刘维克,计算机网络安全技术—防火墙,微型电脑应用,1998,No.6,9-13,26
[78]罗元,尹传高,电子商务研究中的机遇与挑战,计算机工程与应用,1999,No.8,39-42
[79]王利,浅析Internet防火墙,现代情报,1999,No.10,62-65
[80]杨良海,陈克非,电子商务中的信任模型,微型电脑应用,1998,No.5,19-21
[81]江文年,李明星,基于Intranet的现代管理信息系统研究,计算机工程与应用,1998,No.7,14-19
[82]Chris Hare,Karanjit Sigan,《internet防火墙与网络安全》,电子工业出版社,1998
[83]朱三元,网络通信软件设计指南,清华大学出版社,1999
[84]T.L.萨蒂[美],层次分析法
[85]J.P.伊格尼齐奥[美],单目标和多目标系统线性规划
[2]王育民,刘建伟,通信网的安全---理论与技术,西电出版社,1999
[3]胡昌振,李贵,面向21世纪网络安全与防护,北京希望电子出版社,1999
[4]关键业务网络系统信息系统安全,美国网络联盟公司,1998.10
[5]黑客防线秘笈,家庭电脑世界,2000
[6]INTRANET与网络安全研讨会技术白皮书,清华得实,1998
[7]清华得实,网络安全需求,微型机与应用,1998,No.8,4-5
[8]Gregory White.and Udo Pooch, Problems with DCE Security Services,Computer Communication Review, 1995, Oct, Vol.25, No.5, 5-11
[9]张小斌,严望隹,黑客分析与防范技术,清华大学出版社,1999.5
[10]Ahmed Patel,Security management for OSI networks, Computer Communication Vol17, No. 7, July 1994, 544-553
[11]胡道元,INTRANET网络技术及应用,清华大学出版社,1998,5
[12]Raouf Boutaba and Simon Znaty, An Architectural Approach for Integrated Network and Systems Management, Computer Communication Review, 1995,Oct, Vol.25, No.5, 13-25
[13]John vacca, INTRANET的安全性,2000,1
[14]Stephan Lechner, SAMSON: Management of Security in Open Systems,Computer Communication, Vol 17, No. 7, July 1994, 538-543
[15]王怀伯,张申生,周一萍,Intranet/Extranet中的网络安全技术,计算机工程,1999,Vol.25,No.1,30-32
[16]李建萍,郭学理,Internet的安全机制,微型机与应用,1999,No.2,26-29
[17]胡英伟,董永平,赵乐春等,网络认证及其发展,微型机与应用,1999,No.7,28-29
[18]前导工作室,网络安全技术内幕,机械工业出版社,1999。4
[19]邮电部数据通信技术研究所,构建安全内联网,信息安全专论,1998
[20]李江,冯登国,TCP协议安全分析,密码与信息,1998。4
[21]蒋建春,赵晓亮,INTERNET 网络安全监视器设计与实现,密码与信息,1998。4
[22]http://www.hn.cninfo.net/safty
[23]http://www.setco.org/set specifications.html
[24]http://www.ebusinessrevolution.com
[25]B.Clifford Neuman, Security, Payment and Privacy for Network Commerce,IEEE Journal on Selected Areas in Communications, 1995, Oct, Vol.13, No.8,1523-1530
[26]董慧,刘厚嘉,现代企业在信息高速公路环境中的变革,情报科学,1999,Vol.17 No.1,10-14
[27]毛广,吴荣泉,DCE WEB:安全的Web服务器,计算机工程,1999,No.1
[28]RFC文档,FTP://FTP.PKU.EDU.CN
[29]靳莉莉,王硗靖,网络安全测试的研究及实现,密码及信息,1999。4
[30]罗文平,杨蕾,ERCIST防火墙系统,信息与密码,1998,4
[31]Hamilton S, E-Commerce for the 21~(st) Century, IEEE Computer May, 1997,44-47
[32]Kalakota R Whinston, Electronic Commerce: a manager's guide, Addison Wesley Longman,1997
[33]李海泉,计算机网络的安全技术与方法,微型机与应用,1998,No.10,28-30,36
[34]王圣广,马士华,基于全球供应链的虚拟企业,管理工程学报,1999,No.3,9-12,16
[35]钱勇,谷大成,白英彩,Internet网上商务离线系统的一种随意支付技术,微型电脑应用,1998。6
[36]鄂大伟,基于交换的VLAN配置与应用,微型机与应用,1998,No.10,34-36
[37]B.Clifford Neuman and Theodore Ts′o, Kerberos: An Anthentication Service for Computer Networks,IEEE Communications Magazine September 1994,33-38
[38]J.T.Kohl and B.C.Neuman, The Kerberos Network Authentication service,Internet RFC 1510, September 1993
[39]Ping Lin, Lin Lin, Security in Enterprise Networking: A Quick Tour, IEEE Commun.Mag., Jan.1996
[40]B.C.Neuman, Using Kerberos for Authentication on Computer Networks,IEEE Commun.Mag., Sept.1994
[41]缪逸,高剑峰,电子贸易与网络安全,计算机应用研究,1999,No.2,21-23
[42]许玲,公开密钥加密体制引入电子邮件,计算机应用研究,1999,No.2,49-50
[43]Dan Blacksrski, Network Security in a Mixed Enviroment, IDG Books WorldWide,1998
[44]Andrew S. Tanenbaum, Computer Networks(Third Edition), Prentice Hall International,Inc., PTR May,1996
[45]胡道元,卢开澄,朱爽等著,《INTRANET 网络技术及应用》,清华大学出版社,1998
[46]高鹏,严望佳著,《UNIX系统安全》,清华大学出版社,1999
[47]William Stallings, SNMP, SNMPv2 and RMON: Practical Network Management, Addison Wesley, 1996
[48]岑贤道,安常青,《网络管理协议及应用开发》,清华大学出版社,1998
[49]Englewood Cliffs. NJ. Open Software Foundation. Introduction to DCE.Prentice Hall Inc, 1992
[50]3Com. SuperStack Ⅱ Switch 1000 User Guide
[51]R.L.Rivest, A.Shamir and L.Adleman, A Method for Obtaining Digital Signatures and Public Key Cryptosystems, Comun.ACM, Vol21, No.2, 120-126,Feb 1978
[52]S.M.Bellovin and W.R.Cheswick, Network firewalls, IEEE Communication Mag, Vol32, No.9, 50-57, Sept 1994
[53]E.Rescorla and A.Schiffman, The Secure Hypertext Transfer Protocol,Internet Draft Rescorla-Shttp-0, Dec 1994
[54]M.E.Erdos and J.N.Pato, Extending the OSF DCE Authorization System to Support Practical Delegation, Network and Distributed System Security, Feb 1993
[55]电子商务技术、产品及方案,微电脑世界,1998,No.16,30-33
[56]Vin cerf,
[57]王水星,政务信息处理中安全域控制机制研究,情报科学,1999,Vol.17 No.2,153-155
[58]杨德华,企业INTRANET 计算结构及其相关技术,微型电脑应用,1999,No.7,24-27,31
[59]刘晓敏,网络环境下信息安全的技术保护,情报科学,1999,Vol.17 No.2,122-125
[60]M Bellovin and M Merritt, Limitations of the Kerberos Authenication System, Computer Communication Review, 1990, Oct, 20(5): 119-132
[61]T Kohl,B C Neuman and T Y T′so, The Evolution of the Kerberos Authentication System in Distributed Open Systems, IEEE Computer Society Press, 1994, 78-94
[62]刘志勇,电子商务发展趋势及对策,管理现代化,1999,No.5,27-29
[63]刘柏嵩,Intranet的实现及其关键技术,计算机应用研究,1998,No.3,50-52
[64]杨德华,Intranet网上用户验证技术,计算机应用研究,1999,No.5,45-49
[65]李玉海,王继新,王学东,发展我国电子商务亟待解决的几个技术问题,中国信息导报,1999,No.10,16-18
[66]崔永臻,张焕国,电子商务及其安全保密,通信保密,1998,No.4,59-63
[67]万江平,郭荷清,刘发贵等,从Extranet看电子商务,计算机应用研究,1999,No.2,1-3
[68]秦荪涛,校园网络的安全性与防火墙设计,管理信息系统,1999,No.3,57-60
[69]M Needham and M D Schroeder, Using Encryption for Authentication in Large Networks of Computers, Communication of the ACM, 21(12): 993-999,December 1978
[70]程代杰,刘卫宁,电子商务及相关技术,计算机应用,1999,Vol.19,No7,1-3
[71]刘卫宁,宋伟,电子商务中在线支付的安全保障,计算机应用,1999,Vol.19,Nol,3-6
[72]曹勇,刘洁,Internet/Intranet上电子商店的一个实现方法,计算机应用,1999,Vol.19,Nol,7-10
[73]倪凯民,INTRANET在现代企业中的应用,计算机应用研究,1998,No.2,15-18
[74]于华,基于Intranet的管理信息系统构造,管理信息系统,1999,No.3,57-60
[75]廖建勇,电子商务的定义与分类,电子与信息化,1999,No.7,6-7
[76]邱燕燕,网络信息安全及防范对策,情报理论与实践,1999,No.3,191-193
[77]郑枫,苏厚勤,刘维克,计算机网络安全技术—防火墙,微型电脑应用,1998,No.6,9-13,26
[78]罗元,尹传高,电子商务研究中的机遇与挑战,计算机工程与应用,1999,No.8,39-42
[79]王利,浅析Internet防火墙,现代情报,1999,No.10,62-65
[80]杨良海,陈克非,电子商务中的信任模型,微型电脑应用,1998,No.5,19-21
[81]江文年,李明星,基于Intranet的现代管理信息系统研究,计算机工程与应用,1998,No.7,14-19
[82]Chris Hare,Karanjit Sigan,《internet防火墙与网络安全》,电子工业出版社,1998
[83]朱三元,网络通信软件设计指南,清华大学出版社,1999
[84]T.L.萨蒂[美],层次分析法
[85]J.P.伊格尼齐奥[美],单目标和多目标系统线性规划