Foreign-language translation: Addresses and Network Firewalls; Characteristics of Computer Intrusion and Kinds of Security Breaches

Uploaded by: 熏**  Document ID: 57199149  Uploaded: 2022-02-23  Format: DOC  Pages: 8  Size: 46.50 KB

ADDRESSES

Each technology has its own convention for transmitting messages between two machines within the same network. On a LAN, messages are sent between machines by supplying the six byte unique identifier (the MAC address). In an SNA network, every machine has Logical Units with their own network address. DECNET, Appletalk, and Novell IPX all have a scheme for assigning numbers to each local network and to each workstation attached to the network.

On top of these local or vendor specific network addresses, TCP/IP assigns a unique number to every workstation in the world. This IP number is a four byte value that, by convention, is expressed by converting each byte into a decimal number (0 to 255) and separating the bytes with a period. For example, the PC Lube and Tune server is 130.132.59.234.

An organization begins by sending electronic mail to Hostmaster@INTERNIC.NET requesting assignment of a network number. It is still possible for almost anyone to get assignment of a number for a small Class C network, in which the first three bytes identify the network and the last byte identifies the individual computer. The author followed this procedure and was assigned the numbers 192.35.91.* for a network of computers at his house. Larger organizations can get a Class B network, where the first two bytes identify the network and the last two bytes identify each of up to 64 thousand individual workstations (65,534 usable host addresses, since the all-zeros and all-ones host parts are reserved). Yale's Class B network is 130.132, so all computers with IP address 130.132.*.* are connected through Yale.

The organization then connects to the Internet through one of a dozen regional or specialized network suppliers. The network vendor is given the subscriber's network number and adds it to the routing configuration in its own machines and those of the other major network suppliers.

There is no mathematical formula that translates the numbers 192.35.91 or 130.132 into Yale University or New Haven, CT. The machines that manage large regional networks, or the central Internet routers managed by the National Science Foundation, can only locate these networks by looking each network number up in a table. There are potentially thousands of Class B networks and millions of Class C networks, but computer memory costs are low, so the tables are reasonable. Customers that connect to the Internet, even customers as large as IBM, do not need to maintain any information on other networks. They send all external data to the regional carrier to which they subscribe, and the regional carrier maintains the tables and does the appropriate routing.

New Haven is in a border state, split 50-50 between the Yankees and the Red Sox. In this spirit, Yale recently switched its connection from the Middle Atlantic regional network to the New England carrier. When the switch occurred, tables in the other regional networks and in the national backbone had to be updated, so that traffic for 130.132 was routed through Boston instead of New Jersey. The large network carriers handle the paperwork and can perform such a switch given sufficient notice. During a conversion period, the university was connected to both networks so that messages could arrive through either path.

NETWORK FIREWALLS

The purpose of a network firewall is to provide a shell around the network which will protect the systems connected to the network from various threats. The types of threats a firewall can protect against include:

Unauthorized access to network resources: an intruder may break into a host on the network and gain unauthorized access to files.
Denial of service: an individual from outside of the network could, for example, send thousands of mail messages to a host on the net in an attempt to fill available disk space or load the network links.
Masquerading: electronic mail appearing to have originated from one individual could have been forged by another with the intent to embarrass or cause harm.

A firewall can reduce risks to network systems by filtering out inherently insecure network services. Network File System (NFS) services, for example, could be prevented from being used from outside of a network by blocking all NFS traffic to or from the network. This protects the individual hosts while still allowing the service, which is useful in a LAN environment, on the internal network.

One way to avoid the problems associated with network computing would be to completely disconnect an organization's internal network from any other external system. This, of course, is not the preferred method. Instead, what is needed is a way to filter access to the network while still allowing users access to the "outside world". In this configuration, the internal network is separated from the external network by a firewall gateway. A gateway is normally used to perform relay services between two networks. In the case of a firewall gateway, it also provides a filtering service which limits the types of information that can be passed to or from hosts located on the internal network.

There are three basic techniques used for firewalls: packet filtering, circuit gateways, and application gateways. Often, more than one of these is used to provide the complete firewall service. Several firewall configuration schemes are used in the practical application of inter-network security. They are usually described with the following terminology:

Screening router: a commercial router, or a host-based router, with some kind of packet filtering capability.
Bastion host: a system identified by the firewall administrator as a critical strong point in the network's security.
Dual-homed gateway: some firewalls are implemented without a screening router, by placing a system on both the private network and the Internet and disabling TCP/IP forwarding, so that no packet can be routed between the two sides and traffic crosses only through services running on the gateway itself.
Screened-host gateway: possibly the most common firewall configuration. It is implemented using a screening router and a bastion host.
Screened subnet: an isolated subnet situated between the Internet and the private network. Typically this network is isolated using screening routers, which may implement varying levels of filtering.
Application-level gateway: also called a proxy gateway. It usually operates at the user level rather than at the lower protocol level common to the other firewall techniques.

CHARACTERISTICS OF COMPUTER INTRUSION AND KINDS OF SECURITY BREACHES

1. CHARACTERISTICS OF COMPUTER INTRUSION

The target of a crime involving computers may be any piece of the computing system. A computing system is a collection of hardware, software, storage media, data, and persons that an organization uses to do computing tasks. Whereas the obvious target of a bank robbery is cash, a list of names and addresses of depositors might be valuable to a competing bank. The list might be on paper, recorded on a magnetic medium, stored in internal computer memory, or transmitted electronically across a medium such as a telephone line. This multiplicity of targets makes computer security difficult.

In any security system, the weakest point is the most serious vulnerability. A robber intent on stealing something from your house will not attempt to penetrate a two-inch thick metal door if a window gives easier access. A sophisticated perimeter physical security system does not compensate for unguarded access by means of a simple telephone line and a modem. The "weakest point" philosophy can be restated as the following principle.

Principle of Easiest Penetration. An intruder must be expected to use any available means of penetration. This will not necessarily be the most obvious means, nor will it necessarily be the one against which the most solid defense has been installed.

This principle says that computer security specialists must consider all possible means of penetration, because strengthening one may just make another means more appealing to intruders. We now consider what these means of penetration are.

2. KINDS OF SECURITY BREACHES

In security, an exposure is a form of possible loss or harm in a computing system; examples of exposures are unauthorized disclosure of data, modification of data, or denial of legitimate access to computing. A vulnerability is a weakness in the security system that might be exploited to cause loss or harm. A human who exploits a vulnerability perpetrates an attack on the system. Threats to computing systems are circumstances that have the potential to cause loss or harm; human attacks are examples of threats, as are natural disasters, inadvertent human errors, and internal hardware or software flaws. Finally, a control is a protective measure (an action, a device, a procedure, or a technique) that reduces a vulnerability.

The major assets of computing are hardware, software, and data. There are four kinds of threats to the security of a computing system: interruption, interception, modification, and fabrication. The four threats all exploit vulnerabilities of the assets in computing systems.

In an interruption, an asset of the system becomes lost, unavailable, or unusable. Examples are malicious destruction of a hardware device, erasure of a program or data file, or failure of an operating system file manager so that it cannot find a particular disk file.

An interception means that some unauthorized party has gained access to an asset. The outside party can be a person, a program, or a computing system. Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. While a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interception can be readily detected.

If an unauthorized party not only accesses but tampers with an asset, the failure becomes a modification. For example, someone might modify the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted. It is even possible for hardware to be modified. Some cases of modification can be detected with simple measures, while other more subtle changes may be almost impossible to detect.

Finally, an unauthorized party might fabricate counterfeit objects for a computing system. The intruder may wish to add spurious transactions to a network communication system, or add records to an existing database. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.

These four classes of interference with computer activity (interruption, interception, modification, and fabrication) can describe the kinds of exposures possible.
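The ADDRESSES section describes two mechanical facts: an IP number is four bytes written in dotted decimal, and under the class-based scheme the leading bits of the first byte decide how many of those bytes name the network, while a router finds the network only by looking its number up in a table. The following Python is an added example, not code from the original article: it decodes dotted-quad addresses into their class and network number, computes the usable host count behind the "up to 64 thousand" figure, and models the carrier switch the text describes as a one-row table change. The routing table, the next-hop names and the idea of a "default" regional carrier are constructed for the example. Class-based prefixes were later replaced by classless (CIDR) prefixes; this models the scheme the article describes.

```python
"""Classful IPv4 decoding and network-number table lookup (added example)."""
from typing import Dict, Tuple

Octets = Tuple[int, int, int, int]


def parse_ipv4(text: str) -> Octets:
    """Parse dotted-decimal notation: exactly four decimal fields, each 0..255."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected four dotted fields: {text!r}")
    values = []
    for part in parts:
        if not part.isdigit():
            raise ValueError(f"non-numeric field in {text!r}")
        value = int(part)
        if value > 255:
            raise ValueError(f"field {value} out of range in {text!r}")
        values.append(value)
    return (values[0], values[1], values[2], values[3])


def is_valid_ipv4(text: str) -> bool:
    """True when parse_ipv4 accepts the string."""
    try:
        parse_ipv4(text)
        return True
    except ValueError:
        return False


def address_class(octets: Octets) -> str:
    """Classify by the leading bits of the first byte (classful addressing)."""
    first = octets[0]
    if first < 128:   # 0xxxxxxx: one network byte
        return "A"
    if first < 192:   # 10xxxxxx: two network bytes (Yale's 130.132)
        return "B"
    if first < 224:   # 110xxxxx: three network bytes (192.35.91)
        return "C"
    if first < 240:   # 1110xxxx: multicast, not a host network
        return "D"
    return "E"        # reserved


NETWORK_BYTES = {"A": 1, "B": 2, "C": 3}


def network_number(octets: Octets) -> str:
    """The bytes that identify the network, e.g. '130.132' or '192.35.91'."""
    cls = address_class(octets)
    if cls not in NETWORK_BYTES:
        raise ValueError(f"class {cls} address has no network number")
    return ".".join(str(b) for b in octets[: NETWORK_BYTES[cls]])


def host_capacity(cls: str) -> int:
    """Usable host addresses per network; all-zeros and all-ones host parts are reserved."""
    host_bits = 8 * (4 - NETWORK_BYTES[cls])
    return 2 ** host_bits - 2


# Constructed table for one carrier: network number -> where to forward.
# Nothing in "130.132" says "Yale"; the carrier knows only because a row says so.
ROUTES: Dict[str, str] = {
    "130.132": "Middle Atlantic regional network (New Jersey)",
    "192.35.91": "Middle Atlantic regional network (New Jersey)",
}


def route(address: str, table: Dict[str, str], default: str) -> str:
    """Look the network number up; unknown networks go to the default next hop
    (the subscriber's regional carrier, which keeps the full tables)."""
    return table.get(network_number(parse_ipv4(address)), default)


def reconnect(table: Dict[str, str], net: str, new_hop: str) -> Dict[str, str]:
    """Model the carrier switch: return a copy of the table with one row changed."""
    updated = dict(table)
    updated[net] = new_hop
    return updated


if __name__ == "__main__":
    octs = parse_ipv4("130.132.59.234")
    print(address_class(octs), network_number(octs), host_capacity("B"))
    print(route("130.132.59.234", ROUTES, "regional carrier"))
    moved = reconnect(ROUTES, "130.132", "New England carrier (Boston)")
    print(route("130.132.59.234", moved, "regional carrier"))
```

The parser rejects "130.132.59.256" and "130.132.59" rather than silently truncating, which is the check worth keeping in any code that turns user-supplied strings into network identifiers.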
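The NETWORK FIREWALLS section says a screening router should block NFS "to or from the network" while leaving it usable between internal hosts, and lists a bastion host as the one system exposed to the outside. The following Python is an added example, not the article's own: a stateless packet filter in the style of a screening router, with first-match rules and a default deny. The private network 192.35.91.0/24, the bastion address, the rule set and the sample packets are constructed for the example; the port numbers are the registered ones for the RPC portmapper (111) and NFS (2049).

```python
"""Stateless screening-router packet filter (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, List, Tuple

INTERNAL = ip_network("192.35.91.0/24")   # the private network (constructed)
BASTION = ip_address("192.35.91.2")       # the bastion host (constructed)

# Services the text calls inherently insecure to expose: NFS and the RPC
# portmapper it depends on. Blocked regardless of direction at the boundary.
NFS_PORTS = {111, 2049}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


Rule = Tuple[str, str, Callable[[Packet], bool]]   # (name, action, match)


def crosses_boundary(pkt: Packet) -> bool:
    """The screening router only sees packets with one end inside and one end outside."""
    return (ip_address(pkt.src) in INTERNAL) != (ip_address(pkt.dst) in INTERNAL)


RULES: List[Rule] = [
    # NFS/portmapper never crosses the boundary, in either direction.
    ("block-nfs", "deny", lambda p: p.dport in NFS_PORTS),
    # The outside world may reach the bastion's mail service and nothing else inside.
    ("smtp-to-bastion", "permit",
     lambda p: p.proto == "tcp" and p.dport == 25 and ip_address(p.dst) == BASTION),
    # Internal hosts may open connections outward.
    ("outbound", "permit", lambda p: ip_address(p.src) in INTERNAL),
    # Anything else crossing the boundary is dropped (default deny).
    ("default", "deny", lambda p: True),
]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First matching rule wins. Returns (action, rule name)."""
    if not crosses_boundary(pkt):
        return "permit", "not-filtered"   # internal LAN traffic never reaches the router
    for name, action, match in rules:
        if match(pkt):
            return action, name
    return "deny", "default"


def audit(packets: List[Packet]) -> List[Tuple[Packet, str, str]]:
    """Run a batch of packets through the filter for review of the rule set."""
    return [(p, *decide(p)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("130.132.59.234", "192.35.91.5", "udp", 2049),   # outside -> internal NFS
        Packet("192.35.91.5", "192.35.91.9", "udp", 2049),      # internal -> internal NFS
        Packet("130.132.59.234", "192.35.91.2", "tcp", 25),     # mail to the bastion
        Packet("130.132.59.234", "192.35.91.5", "tcp", 23),     # telnet to an inside host
    ]
    for pkt, action, name in audit(sample):
        print(f"{pkt.src:>15} -> {pkt.dst:<13} {pkt.proto}/{pkt.dport:<5} {action:<6} ({name})")
```

The rule order matters: the NFS block precedes the "outbound" permit, so an internal host cannot mount an outside server either, which is what "to or from the network" requires. Because the filter is stateless, replies to the permitted outbound connections would be dropped by the default rule; real packet filters add a rule for established TCP traffic, and the difficulty of doing that safely for every protocol is one reason the text pairs screening routers with a bastion host or application-level gateway.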
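The KINDS OF SECURITY BREACHES section notes that a silent interceptor may leave no trace, that some modifications can be detected with simple measures, and that fabricated transactions can sometimes be detected as forgeries. The following Python is an added example, not from the article, that makes the distinction between the three concrete for one asset, a transaction record in transit. The control used, a keyed integrity tag (HMAC-SHA256 from the standard library) plus a sequence number, is one such "simple measure" and is my choice, not the text's; the key and the records are constructed for the example. The example also shows what the control cannot do: a plain copy of a valid record is accepted exactly as the original would be, so interception remains invisible to the receiver.

```python
"""Interception, modification and fabrication against a tagged record (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Dict, Set

KEY = b"constructed-shared-secret"   # shared by sender and receiver (constructed)


def tag(record: Dict, key: bytes = KEY) -> str:
    """Keyed integrity tag over a canonical serialization of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def send(record: Dict, key: bytes = KEY) -> Dict:
    """What the sender puts on the wire: the record plus its tag."""
    return {"record": record, "tag": tag(record, key)}


class Receiver:
    """Accepts a record only if its tag verifies and its sequence number is new."""

    def __init__(self, key: bytes = KEY) -> None:
        self.key = key
        self.seen: Set[int] = set()

    def accept(self, message: Dict) -> str:
        record = message["record"]
        # Modification, or fabrication without the key, changes the tag relation.
        if not hmac.compare_digest(tag(record, self.key), message["tag"]):
            return "rejected: integrity tag mismatch"
        # Fabrication by replaying a genuine intercepted record: tag is fine, seq is not.
        if record["seq"] in self.seen:
            return "rejected: replayed transaction"
        self.seen.add(record["seq"])
        return "accepted"


# --- the three threats, played against one legitimate transfer ---------------

def intercept(message: Dict) -> Dict:
    """Interception: a copy taken in transit. The record itself is untouched."""
    return copy.deepcopy(message)


def modify(message: Dict, amount: int) -> Dict:
    """Modification: alter a field of a legitimate record after it was tagged."""
    tampered = copy.deepcopy(message)
    tampered["record"]["amount"] = amount
    return tampered


def fabricate(record: Dict) -> Dict:
    """Fabrication by an outsider who has no key: guess a tag with a wrong key."""
    return send(record, key=b"attacker-guess")


if __name__ == "__main__":
    receiver = Receiver()
    genuine = send({"seq": 1, "from": "acct-17", "to": "acct-42", "amount": 100})
    wiretap = intercept(genuine)              # leaves no trace in the record
    print("genuine    ", receiver.accept(genuine))
    print("modified   ", receiver.accept(modify(wiretap, 100000)))
    print("fabricated ", receiver.accept(fabricate({"seq": 2, "from": "acct-17", "to": "acct-99", "amount": 500})))
    print("replayed   ", receiver.accept(wiretap))   # the copy is indistinguishable, so seq must catch it
```

The replay case is the one practitioners most often miss: the copied record is "virtually indistinguishable from the real thing" in the text's words, and the tag confirms that, so only state the receiver keeps (here, the set of sequence numbers already processed) turns the duplicate into a detectable forgery.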