网络安全与网络管理.ppt (Network Security and Management.ppt)

Uploaded by: ni****g | Document ID: 568762375 | Upload time: 2024-07-26 | Format: PPT | Pages: 57 | Size: 8.39MB

Slide 1: Network Security and Management (网络安全与网络管理)
Dr. LU Tianbo (陆天波), associate

Slide 3:
"Some countries carry out or tacitly permit cyber attacks, a sign that the global cyber crisis is bound to keep growing. Because there are no binding international rules, because attack sources are hard to trace, and because defenses that could stop attacks are lacking, cyber threats are expanding and worsening."

Slide 7: How big is the security problem?

Slide 10: Motivation
http:/
Why are there security vulnerabilities? Lots of buggy software.
- Why do programmers write insecure code?
- Awareness is the main issue
Some contributing factors:
- Few courses in computer security
- Programming textbooks do not emphasize security
- Few security audits
- C is an unsafe language
- Programmers have many other things to worry about
- Consumers do not care about security
- Security is expensive and takes

Slide 16: Why is computer security so hard?
- Computer networks are "systems of systems": your system may be secure, but then the surrounding environment changes
- Too many things depend on a small number of systems
- Society is unwilling to trade off features for security
- Ease of attacks: cheap; distributed and automated; anonymous
- Insider threats
- Security not built in from the beginning
- Humans in the loop
- Computers are ubiquitous
- Security is interdisciplinary

Slide 17: Course Administration
- Prerequisite: Computer Networks
- Class hours: Thursday 10:00am-11:50am
- Office: Building 1-123
- Office hours: Wednesday
- Contacting me outside office hours: send email to

Slide 18: Textbook
- "Computer Security: Principles and Practice", William Stallings, 机械工业出版社 (China Machine Press)
- Several other good texts out there: ask me if you are interested
- Will supplement with other readings (distributed on the class webpage)

Slide 19: Grading
- Homeworks 30% (must be done individually)
- Project 30%
- Final exam (cumulative) 40%
- Cheating will be punished

Slide 20: Syllabus I
Introduction
- Is security achievable?
- A broad perspective on security
Cryptography
- The basics
- Symmetric and public key cryptography
- Cryptography is not the whole solution, but it is an important part of the solution
- Along the way, we will see why cryptography can't solve all security

Slide 21: Syllabus II
Network security
- General principles
- Security policies
- Access control
- Attacks on networks
- Buffer overflows
- Viruses/worms
- Privacy and anonymity
Security M

Slide 22: Philosophy of this course
We are not going to be able to cover everything; we are not going to be able to even mention everything.
Main goals:
- A sampling of many different aspects of security
- The security "mindset"
- Become familiar with basic acronyms (RSA, SSL, PGP, etc.) and "buzzwords" (phishing, ...)
- Become an educated security consumer
- Try to keep it interesting with real-world examples and "hacking" projects
You will not be a security expert after this class (after this class, you should realize why it would be dangerous to think you are). You should have a better appreciation of security issues after this

Slide 23: Helpful Books
- Frank Adelstein, Sandeep K.S. Gupta, Golden G. Richard III, and Loren Schwiebert, Fundamentals of Mobile and Pervasive Computing, 2005.
- Noureddine Boudriga, Security of Mobile Communications, 2010.
- Levente Buttyán and Jean-Pierre Hubaux, Security and Cooperation in Wireless Networks, 2008. Available online.
- James Kempf, Wireless Internet Security: Architectures and Protocols, 2008.
- Patrick Traynor, Patrick McDaniel, and Thomas La Porta, Security for Telecommunications Networks.

Slide 24: Helpful Books
- Mark Stamp, Information Security: Principles and Practice, John Wiley & Sons, 2006.
- Alfred Menezes, Paul van Oorschot, Scott Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. This is a very comprehensive book. The best part is that you can download this book online! The hardcopy is very convenient though.
- Bruce Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996. This is the best book to read for an introduction to applied security and cryptography. There is much less math than in the book by Menezes et al. Sometimes statements are made without much justification, but no other book even compares to this comprehensive introduction to cryptography. The bibliography alone is worth buying the book.
- Ross Anderson, Security Engineering, John Wiley & Sons, 2001. An excellent book on security in real-world systems.
- Douglas Stinson, Cryptography: Theory and Practice, CRC Press, 1995. This used to be required for 6.875, the theory of cryptography class at MIT.
- Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000. Schneier used to advocate good cryptography as the solution to security problems. He has since changed his mind. Now he talks about risk management and cost-benefit analysis.
- Eric Rescorla, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001. The only book you need to read to learn about the evolution, politics, and bugs in the development of SSL. Eric's a swell guy too; buy his book.

Slide 25: Helpful Books
- Peter Neumann, Computer-Related Risks, Addison-Wesley, 1995. Power grid failures. Train collisions. Primary and backup power lines blowing up simultaneously. These events aren't supposed to happen! Neumann offers a plethora of stories about the risks and consequences of technology, gathered from his Risks mailing list. On a side note, Neumann is also credited with coming up with the pun/name Unix.
- Jakob Nielsen, Usability Engineering, Academic Press, 1993. There are a lot of non-intuitive GUIs out there for security products. Anyone making a security product for use by humans should learn about the principles of smart GUIs.
- Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, 2002. The authors discuss network security from a very applied approach. There is a lot of discussion about real systems, all the way down to the IETF RFCs and the on-the-wire bit representations. The authors also have a fun, informal style.
- Simson Garfinkel, Gene Spafford, Web Security, Privacy & Commerce, O'Reilly, 2002. It's hard to keep up with all the security software out there, but these authors do a good job documenting it all. After many years in the real world, Garfinkel recently joined the MIT Lab for Computer Science as a graduate student.
- David Kahn, The Codebreakers, Scribner, 1973.
- Phillip Hallam-Baker, The dotCrime Manifesto: How to Stop Internet Crime, Addison-Wesley, 2008.
- Jonathan Katz, Yehuda Lindell, Introduction to Modern Cryptography, Chapman & Hall/CRC Press, 2007. This book contains broad coverage of cryptography.
- Nigel Smart, Cryptography: An Introduction, 3rd Edition, 2008.
- Song Y. Yan (foreword by Martin E. Hellman), Number Theory for Computing, Springer, 2002.

Slide 26: Useful Links
- National Information Assurance Training and Education Consortium (NIATEC): http://www.niatec.org
- IEEE/IET Electronic Library: http://www.ieee.org/products/onlinepubs/prod/iel_overview.html
- Information Assurance Support Environment: http://iase.disa.mil/links.html, http://iase.disa.mil/index2.html
- National Institute of Standards and Technology: http://www.nist.gov/
- National Vulnerability Database: http://nvd.nist.gov/
- Common Vulnerabilities and Exposures: http://cve.mitre.org/
- SecurityFocus Vulnerabilities: http:/
- Information Assurance Technical Framework Forum: http:/
- Information Systems Security Association: http://www.issa.org/lcindex.html
- ISSA North Alabama: http://northalabama.issa.org/
- Microsoft TechNet: http:/
- Open Source Vulnerability Database: http://www.osvdb.org/
- Security Tracker: http:/

Slide 27: Useful Links
- Network World: http:/
- Cryptologia: http://www.dean.usma.edu/math/pubs/cryptologia/
- Digital Investigation: http:/
- Journal of Information and Computer Security: http:/
- Journal of Computer Security: http://www.iospress.nl/loadtop/load.php?isbn=0926227x
- The Virus Bulletin: http:/
- ACM Transactions on Information and System Security: http://www.acm.org/pubs/tissec/
- IEEE Transactions on Dependable and Secure Computing: http://www.ieee.org/portal/pages/pubs/transactions/tdsc.html
- Journal of Cryptology: http://www.iacr.org/jofc/
- Information Systems Control Journal: http://www.isaca.org/template.cfm?template=/ContentManagement/ContentDisplay.cfm&ContentID=3009

Slide 28: Peek at the Dark Side
The only reason we will be learning about attack techniques is to build better defenses. Don't even think about using this knowledge to attack.

Slide 29: Cyberspace & physical space are increasingly intertwined and software controlled/enabled
[Diagram: Critical Infrastructure / Key Resources, mapping sectors to physical and cyber assets]
- Sectors: Energy; Banking and Finance; Agriculture and Food; Water; Public Health; Chemical Industry; Telecommunications; Key Assets; Transportation; Postal and Shipping
- Physical assets (physical infrastructure): Farms; Food Processing Plants; Reservoirs; Treatment Plants; Hospitals; Chemical Plants; Cable; Fiber; Power Plants; Production Sites; Railroad Tracks; Highway Bridges; Pipelines; Ports; Delivery Sites; Nuclear Power Plants; Government facilities; Dams; FDIC institutions
- Cyber assets (cyber infrastructure): Control Systems (SCADA, PCS, DCS); Software (Financial System, Human Resources); Services (Managed Security, Information Services); Internet (Domain Name System, Web Hosting); Hardware (Database Servers, Networking Equipment)

Need for secure software applications
"In an era riddled with asymmetric cyber attacks, claims about system reliability, integrity and safety must also include provisions for built-in security of the enabling software."

Slide 30: [Timeline, 2003-2009, of US cybersecurity strategy and research-agenda documents]
- National Strategy to Secure Cyberspace
- CRA: Grand Challenges in Trustworthy Computing
- Cybersecurity: A Crisis of Prioritization
- IRC: Hard Problem List
- Fed Plan for Cyber Security & Info. Assurance R&D
- NRC: Toward a Safer & Secure Cyberspace
- CSIS: Securing Cyberspace for the 44th Presidency
- National Cyber Leap Year
- DHS Roadmap for Cybersecurity Research
- Cyberspace Policy Review

Slide 31: The first White House Cybersecurity Coordinator

Slide 33: International Strategy for Cyberspace

Slide 34:
- Create a comprehensive national security strategy for cyberspace.
- Lead from the White House.
"Cybersecurity is among the most serious economic and national security challenges we face in the twenty-first century... In cyberspace, the war has

Slide 35:
The Nation is at a crossroads. ... cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century. The status quo is no longer acceptable. The national dialogue on cybersecurity must begin today. The United States cannot succeed in securing cyberspace if it works in isolation. The White House must lead the way.

Slide 36: The US Comprehensive National Cybersecurity Initiative (CNCI)
National Security Presidential Directive (NSPD) 54 / Homeland Security Presidential Directive (HSPD) 23, January 8, 2008 (the CNCI began in 2007).

Slide 37: US departments and agencies participating in the CNCI
[Diagram] .mil; .gov; Critical Infrastructure; Industry; Services; Others; Allies. Participants: FBI; NCIJTF; DHS; US-CERT; ODNI; IC-IRC; DISA; GNO; STRATCOM; DoD; DC3; NSA; NTOC.

Slide 38: The Comprehensive National Cybersecurity Initiative (CNCI)
National Security Presidential Directive (NSPD) 54 / Homeland Security Presidential Directive (HSPD) 23.

Slide 39: The CNCI

Slide 41:
"My own view is that the only way to counteract both criminal and espionage activity online is to be proactive. If the U.S. is taking a formal approach to this, then that has to be a good thing. The Chinese are viewed as the source of a great many attacks on western infrastructure and, just recently, the U.S. electrical grid. If that is determined to be an organized attack, I would want to go and take down the source of those attacks. The only problem is that the Internet, by its very nature, has no borders, and if the U.S. takes on the mantle of the world's police, that might not go down so well."
On 23 June 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command (USSTRATCOM) to establish USCYBERCOM. In May 2010, General Keith Alexander outlined his views in a report for the United States House Committee on Armed Services.

Slide 43: The cyberspace strategy released by the US Department of Defense in July 2011 speaks highly of cyber ranges.

Slide 44:
"Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our advantage in cyber space."

Slide 45: http:/
United States 2nd National Software Summit, Washington, May 10-12, 2004.
The strategy includes four programs:
- Improving Software Trustworthiness
- Educating and Fielding the Software Workforce
- Re-Energizing Software Research and Development
- Encouraging Innovation Within the U.S. Software Industry
[Diagram: Software: Security, Safety, Reliability, Survivability]
The strategy includes two mutually supporting and complementary goals:
- Achieve the ability to routinely develop and deploy trustworthy software products and systems
- Ensure the continued competitiveness of the U.S. software industry
http://software.org/nss2report/

Slide 48: Cyber Security: A Crisis of Prioritization
Top ten areas in need of increased support:
- Computer Authentication Methodologies
- Securing Fundamental Protocols
- Secure Software Engineering & Software Assurance
- Holistic System Security
- Monitoring and Detection
- Mitigation and Recovery Methodologies
- Cyber Forensics and Technology to Enable Prosecution of Criminals
- Modeling and Testbeds for New Technologies
- Metrics, Benchmarks, and Best Practices
- Societal and Governance Issues

Slide 49: Disciplines Contributing to Software Assurance
Safety & Security; Project Management; Software Acquisition; Software Engineering; Software Assurance; Systems Engineering; Information Assurance

Slide 50:
- https://buildsecurityin.us-cert.gov/portal/
- http://nvd.nist.gov/
- http://onguardonline.gov/

Slide 51: https://buildsecurityin.us-cert.gov/swa/

Slide 52: Model for Network S

Slide 53: Summary
- "The system" is not just a computer or a network
- Prevention is not the only goal
- Security as a trade-off: the goal is not (usually) "to make the system as secure as possible", but instead "to make the system as secure as possible within certain constraints" (cost, usability, convenience)
- Cost-benefit analysis
- Sometimes the best security is to make sure you are not the easiest target for an

Slide 54:
- "More" security is not always better: "No point in putting a higher post in the ground when the enemy can go around it"
- Need to identify the weakest link: the security of a system is only as good as the security at its weakest point
- Security is not a "magic bullet"
- Security is a process, not a

Slide 55: Organizers
- David Evans, University of Virginia
- Karl Levitt, National Science Foundation
- Brad Martin, National Security Agency
- James Silk, Institute for Defense Analyses

Slide 57: Thank you!
