Network Security and Management (网络安全与网络管理)

Uploaded by: 公**** | Document ID: 578970635 | Uploaded: 2024-08-25 | Format: PPT | Pages: 57 | Size: 7.89 MB
Network Security and Management (网络安全与网络管理)
Dr. LU Tianbo (陆天波), associate professor

Quotation (translated from the Chinese on the slide):
"Some states carry out or tolerate cyber attacks, which foreshadows a continuing rise in global cyber crises. Because there are no binding international rules, because attack sources are hard to trace, and because defences capable of stopping attacks are lacking, cyber threats are expanding and worsening."

How big is the security problem?

Motivation

Why are there security vulnerabilities?
Lots of buggy software.
- Why do programmers write insecure code?
- Awareness is the main issue
Some contributing factors
- Few courses in computer security
- Programming textbooks do not emphasize security
- Few security audits
- C is an unsafe language
- Programmers have many other things to worry about
- Consumers do not care about security
- Security is expensive and takes time

Why is computer security so hard?
Computer networks are "systems of systems"
- Your system may be secure, but then the surrounding environment changes
Too many things depend on a small number of systems
Society is unwilling to trade off features for security
Ease of attacks
- Cheap
- Distributed, automated
- Anonymous
- Insider threats
Security not built in from the beginning
Humans in the loop
Computers ubiquitous
Security is interdisciplinary

Course Administration
Prerequisite: Computer Networks
Class Hours: Thursday 10:00 am - 11:50 am
Office: Building 1-123
Office Hours: Wednesday

Textbook
"Computer Security: Principles and Practice", William Stallings, China Machine Press (机械工业出版社)
Several other good texts out there
- Ask me if you are interested
Will supplement with other readings (distributed on the class webpage)

Grading
Homeworks 30%
- Must be done individually
Project 30%
Final exam (cumulative) 40%
Cheating will be punished severely.

Syllabus I
Introduction
- Is security achievable?
- A broad perspective on security
Cryptography
- The basics
- Symmetric and public-key cryptography
- Cryptography is not the whole solution, but it is an important part of the solution
- Along the way, we will see why cryptography can't solve all security problems

Syllabus II
Network security
- General principles
- Security policies
- Access control
- Attacks on networks
- Buffer overflows
- Viruses/worms
- Privacy and anonymity
Security Management

Philosophy of this course
We are not going to be able to cover everything
- We are not going to be able to even mention everything
Main goals
- A sampling of many different aspects of security
- The security "mindset"
- Become familiar with basic acronyms (RSA, SSL, PGP, etc.) and "buzzwords" (phishing, ...)
- Become an educated security consumer
- Try to keep it interesting with real-world examples and "hacking" projects
You will not be a security expert after this class (after this class, you should realize why it would be dangerous to think you are)
You should have a better appreciation of security issues after this class

Helpful Books
- Frank Adelstein, Sandeep K. S. Gupta, Golden G. Richard III, and Loren Schwiebert, Fundamentals of Mobile and Pervasive Computing, _.
- Noureddine Boudriga, Security of Mobile Communications, _.
- Levente Buttyán and Jean-Pierre Hubaux, Security and Cooperation in Wireless Networks, _. Available online.
- James Kempf, Wireless Internet Security: Architectures and Protocols, _.
- Patrick Traynor, Patrick McDaniel, and Thomas La Porta, Security for Telecommunications Networks, _.

Helpful Books
- Mark Stamp, Information Security: Principles and Practice, John Wiley & Sons, 2006.
- Alfred Menezes, Paul van Oorschot, Scott Vanstone, Handbook of Applied Cryptography, CRC Press, 1997. This is a very comprehensive book. The best part is that you can download this book online! The hardcopy is very convenient though.
- Bruce Schneier, Applied Cryptography, 2nd Edition, John Wiley & Sons, 1996. This is the best book to read for an introduction to applied security and cryptography. There is much less math than in the book by Menezes et al. Sometimes statements are made without much justification, but no other book even compares to this comprehensive introduction to cryptography. The bibliography alone is worth buying the book.
- Ross Anderson, Security Engineering, John Wiley & Sons, 2001. An excellent book on security in real-world systems.
- Douglas Stinson, Cryptography: Theory and Practice, CRC Press, 1995. This used to be required for 6.875, the theory of cryptography class at MIT.
- Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000. Schneier used to advocate good cryptography as the solution to security problems. He has since changed his mind. Now he talks about risk management and cost-benefit analysis.
- Eric Rescorla, SSL and TLS: Designing and Building Secure Systems, Addison-Wesley, 2001. The only book you need to read to learn about the evolution, politics, and bugs in the development of SSL. Eric's a swell guy too; buy his book.

Helpful Books
- Peter Neumann, Computer Related Risks, Addison-Wesley, 1995. Power grid failures. Train collisions. Primary and backup power lines blowing up simultaneously. These events aren't supposed to happen! Neumann offers a plethora of stories about the risks and consequences of technology, gathered from his Risks mailing list. On a side note, Neumann is also responsible for coming up with the pun/name Unix.
- Jakob Nielsen, Usability Engineering, Academic Press, 1993. There are a lot of non-intuitive GUIs out there for security products. Anyone making a security product for use by humans should learn about the principles of smart GUIs.
- Charlie Kaufman, Radia Perlman, Mike Speciner, Network Security: Private Communication in a Public World, 2nd Edition, Prentice Hall, 2002. The authors discuss network security from a very applied approach. There is a lot of discussion about real systems, all the way down to the IETF RFCs and the on-the-wire bit representations. The authors also have a fun, informal style.
- Simson Garfinkel, Gene Spafford, Web Security, Privacy & Commerce, O'Reilly, 2002. It's hard to keep up with all the security software out there. But these authors do a good job documenting it all. After many years in the real world, Garfinkel recently joined the MIT Lab for Computer Science as a graduate student.
- David Kahn, The Codebreakers, Scribner, 1973.
- Phillip Hallam-Baker, The dotCrime Manifesto: How to Stop Internet Crime, Addison-Wesley, 2008.
- Jonathan Katz, Yehuda Lindell, Introduction to Modern Cryptography, Chapman & Hall/CRC Press, 2007. This book contains broad coverage of cryptography.
- Nigel Smart, Cryptography: An Introduction, 3rd Edition, 2008.
- Song Y. Yan and Martin E. Hellman, Number Theory for Computing, Springer, 2002.

Useful Links
- National Information Assurance Training and Education Consortium (NIATEC)
- IEEE/IET Electronic Library
- Information Assurance Support Environment
- National Institute of Standards and Technology
- National Vulnerability Database
- Common Vulnerabilities and Exposures
- SecurityFocus Vulnerabilities
- Information Assurance Technical Framework Forum
- Information Systems Security Association
- ISSA North Alabama
- Microsoft TechNet
- The Open Source Vulnerability Database
- Security Tracker

Useful Links
- Network World
- Cryptologia
- Digital Investigation
- Journal of Information and Computer Security
- Journal of Computer Security
- The Virus Bulletin
- ACM Transactions on Information and System Security
- IEEE Transactions on Dependable and Secure Computing
- Journal of Cryptology
- Information Systems Control

Peek at the Dark Side
The only reason we will be learning about attack techniques is to build better defenses.
Don't even think about using this knowledge to attack anyone.

Critical Infrastructure / Key Resources
Cyberspace and physical space are increasingly intertwined and software controlled/enabled.
Sectors: Energy; Banking and Finance; Agriculture and Food; Water; Public Health; Chemical Industry; Telecommunications; Key Assets; Transportation; Postal and Shipping.
Physical assets (physical infrastructure): Farms, Food Processing Plants, Reservoirs, Treatment Plants, Hospitals, Chemical Plants, Cable, Fiber, Power Plants, Production Sites, Railroad Tracks, Highway Bridges, Pipelines, Ports, Delivery Sites, Nuclear Power Plants, Government Facilities, Dams, FDIC Institutions.
Cyber assets (cyber infrastructure):
- Control Systems: SCADA, PCS, DCS
- Software: Financial Systems, Human Resources
- Services: Managed Security, Information Services
- Internet: Domain Name System, Web Hosting
- Hardware: Database Servers, Networking Equipment

Need for secure software applications
"In an era riddled with asymmetric cyber attacks, claims about system reliability, integrity and safety must also include provisions for built-in security of the enabling software."

U.S. cybersecurity strategy and research reports, 2003 to 2009 (timeline slide):
- Cyberspace Policy Review
- DHS Roadmap for Cybersecurity Research
- CSIS: Securing Cyberspace for the 44th Presidency
- National Cyber Leap Year
- NRC: Toward a Safer and More Secure Cyberspace
- Federal Plan for Cyber Security and Information Assurance R&D
- IRC: Hard Problem List
- CRA: Grand Challenges in Trustworthy Computing
- Cybersecurity: A Crisis of Prioritization
- National Strategy to Secure Cyberspace

The first White House Cybersecurity Coordinator

International Strategy for Cyberspace

"Create a comprehensive national security strategy for cyberspace."
"Lead from the White House."
"Cybersecurity is among the most serious economic and national security challenges we face in the twenty-first century."
"In cyberspace, the war has begun."

"The Nation is at a crossroads. ... cybersecurity risks pose some of the most serious economic and national security challenges of the 21st Century."
"The status quo is no longer acceptable."
"The national dialogue on cybersecurity must begin today."
"The United States cannot succeed in securing cyberspace if it works in isolation."
"The White House must lead the way forward."

U.S. Comprehensive National Cybersecurity Initiative (CNCI)
The Comprehensive National Cybersecurity Initiative (CNCI): National Security Presidential Directive (NSPD) 54 / Homeland Security Presidential Directive (HSPD) 23, dated _ (the CNCI began in _).

U.S. departments and agencies participating in the CNCI
Domains: .mil, .gov, Critical Industry, Services, Others, Allies
Participants: FBI, NCIJTF, DHS, US-CERT, ODNI, IC-IRC, DISA, GNO, STRATCOM, DoD, DC3, NSA, NTOC

The CNCI
"My own view is that the only way to counteract both criminal and espionage activity online is to be proactive. If the U.S. is taking a formal approach to this, then that has to be a good thing. The Chinese are viewed as the source of a great many attacks on western infrastructure and just recently, the U.S. electrical grid. If that is determined to be an organized attack, I would want to go and take down the source of those attacks. The only problem is that the Internet, by its very nature, has no borders, and if the U.S. takes on the mantle of the world's police, that might not go down so well."

On 23 June 2009, the Secretary of Defense directed the Commander of U.S. Strategic Command (USSTRATCOM) to establish USCYBERCOM. In May 2010, General Keith Alexander outlined his views in a report for a subcommittee of the United States House Committee on Armed Services.

The cyberspace operations strategy released by the Department of Defense in _ spoke highly of the cyber range.

"Just as in the 19th century we had to secure the seas for our national safety and prosperity, and in the 20th century we had to secure the air, in the 21st century we also have to secure our advantage in cyber space."

United States 2nd National Software Summit, Washington, May 10-12, _.
The strategy includes four programs:
- Improving Software Trustworthiness
- Educating and Fielding the Software Workforce
- Re-Energizing Software Research and Development
- Encouraging Innovation Within the U.S. Software Industry
Trustworthy software: Security, Safety, Reliability, Survivability
The strategy includes two mutually supporting and complementary goals:
- Achieve the ability to routinely develop and deploy trustworthy software products and systems
- Ensure the continued competitiveness of the U.S. software industry

Cyber Security: A Crisis of Prioritization
Top Ten Areas in Need of Increased Support
- Computer Authentication Methodologies
- Securing Fundamental Protocols
- Secure Software Engineering and Software Assurance
- Holistic System Security
- Monitoring and Detection
- Mitigation and Recovery Methodologies
- Cyber Forensics and Technology to Enable Prosecution of Criminals
- Modeling and Testbeds for New Technologies
- Metrics, Benchmarks, and Best Practices
- Societal and Governance Issues

Disciplines Contributing to Software Assurance
Safety and Security, Project Management, Software Acquisition, Software Engineering, Systems Engineering, Information Assurance

https://buildsecurityin.us-cert.gov/portal/
http://nvd.nist.gov/
http://onguardonline.gov/index.html

Model for Network Security

Summary
"The system" is not just a computer or a network
Prevention is not the only goal
Security as a trade-off
- The goal is not (usually) "to make the system as secure as possible"
- but instead, "to make the system as secure as possible within certain constraints" (cost, usability, convenience)
Cost-benefit analysis
Sometimes the best security is to make sure you are not the easiest target for an attacker
"More" security is not always better
"No point in putting a higher post in the ground when the enemy can go around it"
Need to identify the weakest link
- Security of a system is only as good as the security at its weakest point
Security is not a "magic bullet"
Security is a process, not a product

Organizers
David Evans, University of Virginia
Karl Levitt, National Science Foundation
Brad Martin, National Security Agency
James Silk, Institute for Defense Analyses

Thank you!
