7 英文原文.doc

《7 英文原文.doc》由会员分享，可在线阅读，更多相关《7 英文原文.doc（4页珍藏版）》请在淘文阁 - 分享文档赚钱的网站上搜索。

1、ADDRESSESEach technology has its own convention for transmitting messages between two machines within the same network. On a LAN, messages are sent between machines by supplying the six byte unique identifier (the MAC address). In an SNA network, every machine has Logical Units with their own networ

2、k address. DECNET, Appletalk, and Novell IPX all have a scheme for assigning numbers to each local network and to each workstation attached to the network. On top of these local or vendor specific network addresses, TCP/IP assigns a unique number to every workstation in the world. This IP number is

3、a four byte value that, by convention, is expressed by converting each byte into a decimal number (0 to 255) and separating the bytes with a period. For example, the PC Lube and Tune server is 130.132.59.234. An organization begins by sending electronic mail to HostmasterINTERNIC.NET requesting assi

4、gnment of a network number. It is still possible for almost anyone to get assignment of a number for a small Class C network in which the first three bytes identify the network and the last byte identifies the individual computer. The author followed this procedure and was assigned the numbers 192.3

5、5.91.* for a network of computers at his house. Larger organizations can get a Class B network where the first two bytes identify the network and the last two bytes identify each of up to 64 thousand individual workstations. Yales Class B network is 130.132, so all computers with IP address 130.132.

6、*.* are connected through Yale. The organization then connects to the Internet through one of a dozen regional or specialized network suppliers. The network vendor is given the subscriber network number and adds it to the routing configuration in its own machines and those of the other major network

7、 suppliers. There is no mathematical formula that translates the numbers 192.35.91 or 130.132 into Yale University or New Haven, CT. The machines that manage large regional networks or the central Internet routers managed by the National Science Foundation can only locate these networks by looking e

8、ach network number up in a table. There are potentially thousands of Class B networks, and millions of Class C networks, but computer memory costs are low, so the tables are reasonable. Customers that connect to the Internet, even customers as large as IBM, do not need to maintain any information on

9、 other networks. They send all external data to the regional carrier to which they subscribe, and the regional carrier maintains the tables and does the appropriate routing.New Haven is in a border state, split 50-50 between the Yankees and the Red Sox. In this spirit, Yale recently switched its con

10、nection from the Middle Atlantic regional network to the New England carrier. When the switch occurred, tables in the other regional areas and in the national spine had to be updated, so that traffic for 130.132 was routed through Boston instead of New Jersey. The large network carriers handle the p

11、aperwork and can perform such a switch given sufficient notice. During a conversion period, the university was connected to both networks so that messages could arrive through either path. NETWORK FIREWALLSThe purpose of a network firewall is to provide a shell around the network which will protect

12、the systems connected to the network from various threats. The types of threats a firewall can protect against include:Unauthorized access to network resources-an intruder may break into a host on the network an gain unauthorized access to files.Denial of service an individual from outside of the ne

13、twork could, for example, send thousands of mail messages to a host on the net in an attempt to fill available disk space or load the network links.Masquerading electronic mail appearing to have originated from one individual could have been forged by another with the intent to embarrass or cause ha

14、rm.A firewall can reduce risks to network systems by filtering out inherently insecure network services .Network File System (NFS) services, for example , could be prevented from being used from outside of a network by blocking all NFS traffic to or from the network .This protects the individual hos

15、ts while still allowing the service, which is useful in a LAN environment , on the internal network . One way to avoid the problems associated with network computing would be to computing would be to completely disconnect an organizations internal network from any other external system. This, of cou

16、rse is not the preferred method. Instead what is needed is a way to filter access to the network while still allowing users access to the“outside world ”.In this configuration , the internet net work is separated from external network by a firewall gateway .A gateway is normally used to perform rela

17、y services between two networks . In the case of a firewall gateway, it also provides a filtering service which limits the types of information that can be passed to or from hosts located on the internal network .There are three basic techniques used for firewalls: packet filtering, circuit gateway,

18、 and application gateways. Often, more than one of these is used to provide the complete firewall service. There are several configuration schemes of firewall in the practical application of inter-network security. They usually use the following terminologies:Screening router-it can be a commercial

19、router or a host-based router with some kind of packet filtering capability.Bastion host-it is a system identified by the firewall administrator as a critical strong point in the network security.Dual-homed gateway-some firewalls are implemented without a screening router, by placing a system on bot

20、h the private network and the Internet, and disabling TCP/IP forwarding.Screened-host gateway it is possibly the most common firewall configuration. This is implemented using a screening router and a bastion host.Screened subnet-an isolated subnet is situated between the Internet and the private net

21、work. Typically, this network is isolated using screening routers, which may implement varying levels of filtering.Application-level gateway-it is also called a proxy gateway and usually operates at a user level rather than the lower protocol level common to the other firewall techniques.CHARACTERIS

22、TICS OF COMPUTER INTRUSION AND KINDS OF SECURITY BREACHES1. CHARACTERISTICS OF COMPUTER INTRUSION The target of a crime involving computers may be any piece of the computing system. A computing system is a collection of hardware, software, storage media,data, and persons that an organization uses to

23、 do computing tasks. Whereas the obvious target of a bank robbery is cash, a list of names and addresses of depositors might be valuable to a computing bank. The list might be on paper, recorded on a magnetic medium, stored in internal computer memory, or transmitted electronically across a medium s

24、uch as a telephone line. This multiplicity of targets makes computer security difficult.In any security system, the weakest point is the most serious vulnerability. A robber intent on stealing something from your house will not attempt to penetrate a two-inch thick metal door if a window gives easie

25、r access. A sophisticated perimeter physical security system dose not compensate for unguarded access by means of a simple telephone line and a modem. The “weakest point” philosophy can be restated as the following principle.Principle of Easiest Penetration. An intruder must be expected to use any a

26、vailable means of penetration. This will not necessarily be the most obvious means, nor will it necessarily be the one against which the most solid defense has been installed This principle says that computer security specialists must consider all possible means of penetration, because strengthening

27、 one may just make another means more appealing to intruders, We now consider what consider what these means of penetration are.2. KINDS OF SRCURITY BREACHESIn security, an exposure is a form of possible loss or harm in a computing system; examples of exposures are unauthorized of data, modification

28、 of data, or denial of legitimate access to computing. A vulnerability is a weakness in the security system that might be exploited to cause loss or harm. A human who exploits a vulnerability perpetrates an attack on the system. Threats to computing systems are circumstances that have the potential

29、to cause loss or harm; human attacks are examples of threats, as are natural disasters, inadvertent human errors, and internal hardware or software flaws. Finally, a control is a protective measure-an action, a device, a procedure, or a technique-that reduces a vulnerability.The major assets of comp

30、uting are hardware, software, and data. There are four kinds of threats to the security of a computing system; interruption, interception, modification, and fabrication. The four threats all exploit vulnerabilities of the assets in computing systems. In a interruption, an asset of the system becomes

31、 lost or unavailable or unusable. An example is malicious destruction of a hardware device, erasure of a program or data file, or failure of an operating system file manager so that it cannot find a particular disk file.An interruption means that some unauthorized party has gained to an asset. The o

32、utside party can be a person , a program, or a computing system .Examples of this type of failure are illicit copying of program or data files, or wiretapping to obtain data in a network. While a loss may be discovered fairly quickly, a silent interceptor may leave no traces by which the interceptio

33、n can be readily detected.If an unauthorized party not only accesses but tampers with an asset, the failure becomes a modification. For example, someone might modify the values in a database, alter a program so that it performs an additional computation, or modify data being transmitted. It is even

34、possible for hardware to be modified. Some cases of modification can be detected with simple measures, while other more subtle changes may be almost impossible to detect.Finally, an unauthorized party might fabricate counterfeit objects for a computing system. The intruder may wish to add spurious t

35、ransactions to a network communication system, or add records to an existing data base. Sometimes these additions can be detected as forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.These four classes of interference with computer activity-interruption, interception, modification, and fabrication-can describe the kinds of exposures possible.