淘宝怎么延长收货时间

April,2006StanfordCleanSlateSeminarAProtectionArchitectureforEnterpriseNetworks(andcommentsonsecurity-centricnetworkdesign)MartinCasado(Stanford)TalGarfinkel(Stanford)AdityaAkella(CMU/Stanford)MichaelFreedman(NYU)DanBoneh(Stanford)NickMcKeown(Stanford)ScottShenker(ICSI/Berkeley)淘宝网’mGoingtoTalkAboutAlotaboutsecurityintheEnterpriseAlittlebitaboutsecurityontheInternetGenerallyexploitthisopportunitytopontificateApril,2006StanfordCleanSlateSeminarPublicvs.PrivateNetworksPublic(google,ebay,stanford.eduetc.)Getaswideexposure(mostly)everyonewelcomeWantsomeprotectionfromevil-doersPrivate(internalcommercial,financialetc.)SpecialpurposeLimiteduserbaseKnowswhat’srunningwhereFundamentallydifferent(butusesametechnologies)April,2006StanfordCleanSlateSeminarAbilitytoidentifyindividualusersAbilitytorevokeaccesstoindividualusers(stopthemfromusingyournetworkresources)Abilitytodeterminelocationofindividualusers(regulatorycompliance)(moreonthislater)InfrastructureSupportforPublicServicesApril,2006StanfordCleanSlateSeminaridentifyindividualusersbyuseridrevokeaccesstousersdeterminelocationofindividualusersandstrictlydefineconnectivitybetweenusers,hosts,services,protocolsandaccesspointscontrolroutesatthesessionlevelcentralizedtrustandcontrolrestrictaccesstoinformationInfrastructureSupportforPrivateNetworksApril,2006StanfordCleanSlateSeminaridentifyindividualusersbyuseridrevokeaccesstousersdeterminelocationofindividualusersandstrictlydefineconnectivitybetweenusers,hosts,services,protocolsandaccesspointscontrolroutesatthesessionlevelCentralizedtrustandcontrolRestrictaccesstoinformationSupportedbyIPApril,2006StanfordCleanSlateSeminarMotivationPunchLineAttemptingtodoallthesethingstoday…butwithoutthesupportofthearchitectureResultis:InsecurenetworkInflexiblenetworkHardtomanagenetworkApril,2006StanfordCleanSlateSeminarDefiningConnectivityWhy?AttemptatlimitingresourcestothatwhichisneededLimitdamageofinternalmalware,perimeterbreach,orinsiderToday:UselotsoffilteringMAC,IP,transportPhysicalports(VLANs)Deeppacketinspection(e.g.firstdatapacketofaprotocol)FullproxiesAccesscontrollistsonservices(notnetworkaware…butcouldbe!)April,2006StanfordCleanSlateSeminarDefiningConnectivity(thebad)NetworkonlyreallyawareofaddressesFirewallrulesembedstopologyintoconfigurationstateDifficulttomovemachinesHardtoreadandunderstand(100klinesofproprietary,differentconfigurations)ForwardingpathunawareoffilteringrulesWilltrytocircumventifitcanAddinganewnetworkcomponentnotgood(hencehave“choked”networks)Higherlevelfilteringcanbeunderminedbylowerlevels(e.g.permissivelinklayer)April,2006StanfordCleanSlateSeminarControlOverRoutingWhy?Differentaccesspointshavedifferentsecurityrequirements(e.g.wirelessusersmustgothroughhttpproxy)Differentprotocolshavedifferentsecurityrequirements(e.g.allfilessentoverIMmustbecheckedforviruses)Differentusergroupshavedifferentsecurityrequirements(e.g.logallconnectionsfrommarketing)Today:makeallroutesgothroughthesamepoint(large,expensivedo-it-allproxies)Orusetwo/three/fourseparatenetworksOrapplicationprotocolawarerouting(CiscosOER,applicationawarerouting)April,2006StanfordCleanSlateSeminarCentralizedTrustandControlWhy?LimitednumberoftrustedcomponentsNetworksoftencentrallyadministeredPrettynewarea,butproductsarestartingtopopupConsentryApaniSecurifyNetworksbynaturearedistributedDistributedroutingcomputation(trusteveryrouter)Many(manymany)heavilytrustedcomponents(DNS,DHCPserver,gateway,routers,switches,end-hosts,directoryservices,authenticationservices,proxiesetc.)April,2006StanfordCleanSlateSeminarRestrictAccesstoInformationWhy?(firstresourceavailabletoattacker)Turnoff(normallyfilterathostorperimeterfirewall)RSTICMP(TTLTimeexceeded,echoreply,portunreach)DetectARPscansAutomatedIPscansLimitvisibilitynetworkresourcesVLANNATs,Proxiesetc.Stillreallyhardtodo(e.gTopologyinformationpassedunencryptedinroutingprotocols)No“switch”forauditing(shouldbecontrolledthesameasotherresources)April,2006StanfordCleanSlateSeminarRetrofittingSecurityontoIPDesignedforSecurityFirewalls,RouterACLSPortSecurityIDS/NDS/IPS(scandetection,anomalydetection,signaturedetection)VLANsPushedIntoServiceEthernetSwitchesNATs,ProxiesPhysicalDatalinkNetworkTransportApplicationApril,2006StanfordCleanSlateSeminarInflexibleHardtomoveamachine(yetdifficulttoknowifsomeonehasmoved)ReallydifficulttodeployanewprotocolBrittleChangeafirewallrule,breaksecuritypolicyAddaswitch,breaksecuritypolicyConfusingManydisparatepointsolutionsState=abunchofsoftstateHardtostatemeaningfulpoliciesLoseredundancyIntroducechokepointsCan'tmigrateroutesb/cofallthesoftstateCommonSolutions=CrummyNetworks(andmediocresecurity)April,2006StanfordCleanSlateSeminarLetsStartfromScratchLeveragecharacteristicsuniquetoEnterpriseCentrallymanagedKnownusersStructuredconnectivityReducenumberoftrustedcomponentsSimplifypolicydeclarationRetainflexibilityandredundancy(de