网络安全与病毒防范

1200312•••••3••••4•••5•–•–•–6•••••7••••8•••••9••••––CERT–10••••••11•••••12•••••13•••••••14•••–––––15••••()––SSH–16Internet•Internet(DMZ)18••–––19••LDAPNIS•CAKDCKerberos(KDC)20•••–––21--••••22•••••23•••24•–––25•––––26•––––––27UnixUnix28UNIXUNIX•RPC–RemoteProcedureCall–•––root29UNIXUNIX•––•––30SolarisSolaris•OpenBoot–none–commandbootgo–go•OpenBoot–eepromsecurity-passwordOpenBootrooteepromsecurity-mode=commandcommandOKoksetenvsecurity-mode=command31SolarisSolaris•SUID/SGID––SUIDIDSGIDID”–find/-typef\(-perm-4000-o-perm-2000\)-ls32SolarisSolaris•–––()–()–cp,tar,cpio,dump,restore33SolarisSolaris•–TRIPWIRE–TROJANperl–PGP–LIBDESDESDEScrypt(3)34SolarisSolaris•–•passwd-n30user#30•passwd-fuser#•passwd-n2-x1user#•passwd-luser#35SolarisSolaris•ROOT–/etc/default/loginCONSOLE/etc/ftpusersroot•ROOT–umask077027–./36SolarisSolaris•––/etc/shadowpasswordNP(NoPassword)•rlogin/rsh–/etc/hosts.equiv/.rhostshome.rhosts–/etc/inetd.confrinetd37SolarisSolaris•–/etc/rc2.d/etc/rc3.dS–/etc/init.d–/var/adm/messages–ps-elf38SolarisSolaris•NFS•rpcbind–rpcbindrpcrpc–rpc•in.finger–nobodyroot39SolarisSolariscroncronatat•cronTripwire–Tripwire•/etc/cron.d•/etc/default•/var/cron•/var/spool/cron•/etc/cron.d/cron.allow•/etc/cron.d/at.allow•/etc/cron.d/at.deny40SolarisSolaris•UNIX–/var/adm–•––41SolarisSolaris••SUN••42UNIXUNIX•–••–––••43UNIXUNIX•–––•––44UNIXUNIX•–cops–tara–tiger•–SATAN/SAINT–NMAP–NESSUS–ISS(InternetSecurityScanner)45UNIXUNIX•–Logcheck–Swatch–……•–tcpdump–snoop46LinuxLinux•Solaris•4748•––––•49•–•–––lockin/lockout50•–––––sniffer––51•••––52•–Web–ftp––53•–NetworkSniffers–TrojanHorsePrograms–Backdoors–VulnerabilityExploits–OtherIntruderTools•••54•NTIIS–c:\winnt\system32\logfiles•UNIX–messages–xferlog–utmp–wtmp55sniffersniffer•UNIX,sniffer(orpacketsniffer)•UNIXpromiscdebug–ifconfig–ifstatus–cpm56•(NFSNIS)•(hosts.equiv/.rhostsKerberos)••57•()•58•––––AusCERT–CERT––59••–––60•–––––•61•••••62•InternetInternetfilterfilter63IPIP••IP•••AB64•••••••BA65•••TCP/UDP•IPTCP–SOCKS–VPN66IPIP••676869707172IP:••IP••TCP/IP••7374757677•access-list-number199•permit|deny•sourceIP•source-mask10•in|outACL78798081access-listaccess-list-number{permit|deny}protocolsourcesource-maskdestinationdestination-mask[operatoroperand][established]ipaccess-groupaccess-list-number{in|out}82•access-list-number100199•permit|deny•ProtocolIP,TCP,UDP,ICMP,GRE,IGRP.•IP•01•lt,gt,eq,neq,,•establishedACKTCP838485•••••86•Virus,cannotspreadsunderitsownpower•Worms,anautomatedintrusionagents•87•••••88••••••••••CMOS•89•DOS•DOS••••••••Java90•–––•––•––––•91•••92••93•(Reconnaissance)•(Specificattack)•(Acommandinterface)•(Communications)•(Intelligence)•(Unusedattack)94(())•Reconnaissance–•–•OSfingerprinting••SpecificAttack–•Bufferoverflow,cgi-bin,etc•Trojanhorse–••95(())•Commoninterface–•••Communication––•Intelligence––•Unusedattack–96•LimitedCapabilities––•GrowthRatedandTraffic–97(())•NetworkStructure––•IntelligenceDatabase–•Mailbox•Chatroom•AsimplepackettoaparticularIP–98•MorrisWorm–Reconnaissance:scanningandtrustedhostanalysis–Specificattack:sendmailattack;fingerdaemonbufferoverflowattack;Dictionaryandusernameinformationattacksonpasswords–Intelligencedatabase:thenewlyacquirednodesendingaonebytepackettoacertainIP(Infact,itisasuperficies.)–Commandinterface:absent–Communication:minimal–Unusedattack:iftargetisaVAX,theSunspecificattacksareunused99(())•CUC–Reconnaissancecapabilities:asimplescannertotestwhetherasystemisrunningsadmind–Specificattackcapabilities:sadmindbufferoverflowattackmodule–Commandinterface:gettingperlinterpreterfromaftpserver(limited)–CommunicationCapabilities:absent–IntelligenceCapabilities:storechildwormnodesinformationlocally–UnusedAttackCapabilities:iftargetisLinux,SunOSspecificattacksareunused100(())•CUCFTPNTwebserverNTwebserverNTwebserver101OutlookEmail,HappyTime(),IISIISCodeRed()IISEmailIISNimda()102•–CPU–––•103•Multi-tier–––104•••IDS105••••106•••PC••••107•Norton•KILL•KV•VRV•RAV••PC-cillin108•••••109•––•––•––110²²²²111•:•:112IDSIDS•IDS••••113IDSIDS•––––––114•IDS•IDS(IDSsensor)•115(())•WEBDNS•IDSTCP2580UDP53116•IDS•IDS••Automatic()Automated()117(())•WEBDNS•IDSTCP2580UDP53•118•(falsepositive)•(falsenegative)119•IDS••()()120((1)1)•InternetExplorerWeb32•IDSSYNFLOOD•WebSYNFLOOD121((2)2)•ping(ICMPEchoRequest)•ICMP(ICMPEchoResponse)SMURF•pingSMURFICMP122((3)3)••IDS•123•“programtheIDSwiththenewpolicyandturniton!”••124(())•IDS•IDS•900!125•Internet••126InternetInternet••Proxy••127InternetInternetInternet•HTTP••HTTP•HTTPHTTP129Internet130••••131Internet132