网安习题中英文

温馨提醒

所有黑体加粗的都说明有可能会扣空考选择题,并且熟悉其英文

第一章

填选

  • interrpution,attack on availability(中断,针对可用性的攻击)
    image
  • interception,attack on confidentiality(拦截,针对保密性的攻击)
    image
  • modification,attack on integrity(修改,针对完整性的攻击)
    image
  • fabrication,attack on authenticity(伪造,针对真实性的攻击)
    image

《计算机安全手册》将术语“计算机安全”定义为 The NIST Computer Security Handbook defines the term computer security as

为实现维护信息系统资源(包括硬件、软件、固件、信息/数据和电信)的完整性、可用性和机密性的适用目标而对自动化信息系统提供的保护

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability, and confidentiality of information system resources (includes hardware,software, firmware, information/data, and telecommunications)

计算机安全的三个关键目标是什么 What are the three key objectives of computer security

机密性、完整性和可用性

Confidentiality, integrity, and availability

被动安全威胁和主动安全威胁的区别是什么 What is the difference between passive and active security threats?

被动攻击与窃听或监视传输有关。电子邮件、文件传输和客户端/服务器交换是可以监控的传输示例。
主动攻击包括修改传输的数据和试图未经授权访问计算机系统

Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers,and client/server exchanges are examples of transmissions that can be monitored.
Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems

主动攻击和被动攻击区别 List the categories of passive attacks and active attacks

两种类型的被动攻击是:消息内容的发布和流量分析
主动攻击可以细分为四类:伪装、重放、修改消息和拒绝服务

Two types of passive attacks are: the release of message contents and traffic analysis.
Active attacks can be subdivided into four categories: masquerade, replay, modification of messages, and denial of service.

X.800定义的五类安全服务是什么 What are the five categories of security services defined by X.800?

认证:确保通信实体是其声称的实体。
访问控制:防止未经授权使用资源(即,该服务控制谁可以访问资源,在什么条件下可以进行访问,以及允许访问资源的人做什么)。
数据机密性:保护数据不被未经授权的披露。
数据完整性:确保接收到的数据与授权实体(即不包含任何修改、插入、删除或重播)。
不可抵赖性:提供保护,防止参与通信的实体之一拒绝参与全部或部分通信。

Authentication: The assurance that the communicating entity is the one that it claims to be.
Access control: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
Data confidentiality: The protection of data from unauthorized disclosure.
Data integrity: The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion,deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.

第三章

列出三种消息身份验证方法 List three approaches to message authentication.

消息加密、消息身份验证码和哈希函数

Message encryption , message authentication code , and hash function

列出强哈希函数的属性。List the properties of a strong hash function.

① H用于任意长度的数据块。
② H可以生成固定长度的输出。
③ 对于任意给定的X,计算H(x)较容易,可以用软硬件实现。
抗原像攻击性: 对于任意h,找到𝐻(𝑥) = ℎ的x不可行。
抗第二原像攻击性:对于𝐻(𝑦) = 𝐻(𝑥),找到 𝑦 ≠ 𝑥是不可行的。
抗碰撞性: 对于𝐻(𝑥) = 𝐻(𝑦),找到该x,y是不可行的。
(1) 𝐻 can be applied to a block of data of any siee
(2) 𝐻 produces a fited-length output
(3) 𝐻(𝑥) is relatively easy to compute for any given 𝑥, making both hardware and software implementations practical
(4) Preimage resistant: For any given value ℎ, it is computationally infeasible to find 𝑥 such that𝐻(𝑥) = ℎ
(5) Second preimage resistant: For any given block 𝑥 , it is computationally infeasible to find 𝑦 ≠ 𝑥 with 𝐻(𝑦) = 𝐻(𝑥)
(6) Collision resistant: It is computationally infeasible to find any pair (𝑥, 𝑦) such that 𝐻(𝑥) = 𝐻(𝑦)

image

考虑以下散列函数。消息的形式为十进制数字序列,𝑴 = (𝒂𝟏, 𝒂𝟐, ⋯ , 𝒂𝒕).哈希值𝒉计算为\((∑^𝒕_{𝒊=𝟏}a_i)mod n\),对于某个预定义值𝒏 .这个散列函数是否满足强散列函数的任何要求?解释你的答案。
它满足属性(1)到(3),但不满足其余属性。例如,对于属性(4),由值组成的消息ℎ满足𝐻(ℎ) = ℎ对于属性(5),接受任何消息𝑀并将十进制数字0加到序列中;它将具有相同的哈希值

It satisfies properties (1) through (3) but not the remaining properties For etample, for property (4), a message consisting of the value ℎ satisfies 𝐻(ℎ) = ℎ For property (5), take any message 𝑀 and add the decimal digit 0 to the sequence; it will have the same hash value

image

考虑以下散列函数。消息的形式为十进制数字序列,𝑴 = (𝒂𝟏, 𝒂𝟐, ⋯ , 𝒂𝒕).哈希值𝒉计算为\((∑^𝒕_{𝒊=𝟏}(a_i)^2mod n\),对于某个预定义值𝒏 .这个散列函数是否满足强散列函数的任何要求?解释你的答案。

它满足性质(1)到(3)如果𝑛是一个大的复数,因为取平方根取这样一个整数的模𝑛被认为是不可行的。不满足性质(5)和(6),因为——𝑀将具有与相同的值𝑀

It satisfies properties (1) through (3) Property (4) is also satisfied if 𝑛 is a large composite number, because taking square roots modulo such an integer 𝑛 is considered to be infeasible Properties (5) and (6) are not satisfied because – 𝑀 will have the same value as 𝑀

列出公钥密码系统的使用情况。 List the use of public-key cryptosystems.

加密/解密:发件人使用收件人的公钥对邮件进行加密

数字签名:发送者用其私钥对消息进行“签名”签名是通过应用于消息或作为消息函数的小块数据的加密算法实现的

密钥交换:双方合作更改会话密钥有几种不同的方法,包括一方或双方的私钥

Encryption/decryption: The sender encrypts a message with the recipient's public key
Digital signature: The sender "signs" a message with its private key Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message
Key exchange: Two sides cooperate to etchange a session key Several different approaches are possible, involving the private key(s) of one or both parties

假设Bob使用的RSA密码系统具有非常大的模n,在合理的时间内无法找到其因子分解。假设Alice通过将每个字母字符表示为0到25之间的整数(a→0,B→1,…,Z→25),然后使用RSA分别加密每个数字𝒆和大型𝒏.这种方法安全吗?如果没有,请描述针对此加密方法的最有效攻击。 Suppose Bob uses the RSA cryptosystem with a very large modulus n for which the factorization cannot be found in a reasonable amount of time. Suppose Alice sends a message to Bob by representing each alphabetic character as an integer between 0 and 25 (A→0,B→1, …,Z→25), and then encrypting each number separately using RSA with large 𝒆 and large 𝒏. Is this method secure? If not, describe the most efficient attack against this encryption method.

考虑一组字母字符{a,B,…,Z}。对应的整数表示字母表中每个字母字符的位置,形成一组消息块值SM={0,1,2,…,25}。对应密文块值的集合SC={\(0^e\) mod N,\(1^e\) mod N,…,\(25^e\) mod N},并且可以由每个知道Bob公钥的人来计算。因此,针对问题中描述的方案的最有效的攻击是计算\(𝑀^e\)mod N表示的所有可能值𝑀,然后创建一个查找表,其中密文作为indet,对应的明文作为表中适当位置的值

image

使用RSA算法对以下内容执行加密和解密:

a) p=3; q=11, e=7; M=8
b) p=17; q=11, e=7; M=88

第四章

What is a key distribution center? 密钥分发中心

密钥分发中心是一个被授权向主体传输临时会话密钥的系统。每个会话密钥都以加密的形式传输,使用密钥分发中心与目标主体共享的主密钥

A key distribution center is a system that is authorieed to transmit temporary session keys to principals Each session key is transmitted in encrypted form, using a master key that the key distribution center shares with the target principal

What is a public-key certificate? 公钥证书

公钥证书包含公钥和其他信息,由证书颁发机构创建,并用匹配的私钥提供给参与者。参与者通过传输其证书将其密钥信息传递给另一个参与者。参与者可以验证证书是由该颁发机构创建的

A public-key certificate contains a public key and other information, is created by a certificate authority, and is given to the participant with the matching private key A participant conveys its key information to another by transmitting its certificate bther participants can verify that the certificate was created by the authority

What are the key elements of the Public Key Infrastructure X.509 (PKIX) model?公钥基础设施X.509(PKIX)模型的关键元素是什么?

PKIX的关键元素是:最终实体、证书颁发机构(CA)、注册机构(RA)、证书颁发者和存储库

the key elements of PKIX are: end entity, certification authority (CA), registration authority (RA), CRe issuer, and repository

4. In Kerberos,

a) How do servers verify the authenticity of the client using the ticket?
b) How does an authentication server protect a ticket from being altered by the client or opponent?

4.在Kerberos中,

a) 服务器如何使用票证验证客户端的真实性?

b) 身份验证服务器如何保护票证不被客户端或对手更改?

a) It contains the Alice’s ID, Bob’s name, and timestamp encrypted by the KDCBob secret key
b) It contains the session key encrypted by the KDC-Bob secret key
a) 它包含Alice的ID、Bob的姓名和KDC Bob密钥加密的时间戳

b) 它包含由KDC Bob密钥加密的会话密钥

Consider a one-way authentication technique based on asymmetric encryption:

Alice→Bob: 𝑰𝑫𝑨
Bob→Alice: 𝑹𝟏
Alice→Bob: 𝑬(𝑷𝑹𝒂,𝑹𝟏)
a) Explain the protocol.
b) What type of attack is this protocol susceptible tov
考虑一种基于非对称加密的单向身份验证技术:
爱丽丝→Bob:𝑰𝑫𝑨
bob→爱丽丝:𝑹𝟏
爱丽丝→Bob:𝑬(𝑷𝑹𝒂,𝑹𝟏)
a) 解释协议。
b) 此协议易受哪种类型的攻击

a) 这是向Bob验证Alice身份的一种方法。𝑅1是一个挑战,只有Alice能够加密𝑅1,以便可以使用Alice的公钥对其进行解密
b) 某人(例如,bscar)可以使用此机制让Alice对消息进行签名。然后,bscar会将此签名与消息一起提交给Kathy,声称它是由Alice发送的。如果Alice同时使用其公钥/私钥进行身份验证、签名等,这就是一个问题

a) This is a means of authenticating Alice to Bob .𝑅1 serves as a challenge, and only Alice is able to encrypt 𝑅1 so that it can be decrypted with Alice 's public key
b) Someone (e g , bscar) can use this mechanism to get Alice to sign a message Then, bscar will present this signature to Kathy along with the message, claiming it was sent by Alice This is a problem if Alice uses its public/private key for both authentication, signatures, etc

Consider a one-way authentication technique based on asymmetric encryption:

Alice→Bob: 𝑰𝑫𝑨
Bob→Alice: 𝑬(𝑷𝑼𝒂,𝑹𝟐)
Alice→Bob: 𝑹𝟐
a) Explain the protocol.
b) What type of attack is this protocol susceptible to?

考虑一种基于非对称加密的单向身份验证技术:
爱丽丝→Bob:𝑰𝑫𝑨
bob→爱丽丝:𝑬(𝑷𝑼𝒂,𝑹𝟐)
爱丽丝→Bob:𝑹𝟐
a) 解释协议。
b) 此协议易受哪种类型的攻击?

a) This is a means of authenticating Alice to Bob only Alice can decrypt the second message, to recover 𝑅2
b) Someone (e g bscar) can use this mechanism to get Alice to decrypt a message (i e , send that message as 𝑅2) that it has eavesdroppedfrom the network (originally sent to Alice)

a) 这是一种向Bob 验证Alice的方法,只有Alice可以解密第二条消息,以恢复𝑅2.
b) 某人(e g bscar)可以使用此机制让Alice解密消息(即,将该消息发送为𝑅2) 它从网络上窃听了(最初发送给Alice)

image

a) Alice requests a session key for use between Alice and Bob from the KDC A nonce is used for challenge-response
b) If someone manages to get an old 𝐾𝑠, they can replay the message from step 3 to Bob and communicate with Bob, pretending,to,be,Alice
c) Timestamps included with the message can counter this vulnerability
a) Alice从KDC请求Alice和Bob之间使用的会话密钥。随机数用于质询响应
b) 如果有人设法得到一个老𝐾𝑠,他们可以将步骤3中的消息重播给Bob,并与Bob通信,假装成Alice
c) 消息中包含的时间戳可以对抗此漏洞

第五章

1. Provide a brief definition of network access control. 1.提供网络访问控制的简要定义。网络访问控制

Network access control (NAC) is an umbrella term for managing access to a network NAC authenticates users logging into the network and determines what data they can access and actions they can perform NAC also etamines the health of the user's computer or mobile device (the endpoints)

网络访问控制(NAC) 是管理网络访问的总括术语。NAC对登录网络的用户进行身份验证,并确定他们可以访问哪些数据和可以执行哪些操作。NAC还评估用户的计算机或移动设备(端点)的健康状况

What is an EAP? 可扩展认证协议

The Ettensible Authentication Protocol (EAP) acts as a framework for network access and authentication protocols EAP provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server EAP can operate over a variety of network and link level facilities, including point-to-point links, eANs, and other networks, and can accommodate the authentication needs of the various links and networks

可扩展认证协议(EAP) 充当网络接入和认证协议的框架。EAP提供了一组协议消息,这些协议消息可以封装要在客户端和认证服务器之间使用的各种认证方法。EAP可以在各种网络和链路级设施上操作,包括点对点链路、eAN和其他网络,并且可以适应各种链路和网络的认证需求

What is the function of IEEE 802.1X? IEEE 802.1X的功能是什么?

IEEE 08 1X, Port-Based Network Access Control was designed to provide access control functions for eANs。
IEEE 08 1X,基于端口的网络访问控制旨在为eAN提供访问控制功能

Define cloud computing. 定义云计算

NIST defines cloud computing as follows: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e g , networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models

NIST对云计算的定义如下:一种实现无处不在、方便、高效的云计算的模型,对可配置计算资源(如网络、服务器、存储、应用程序和服务)共享池的按需网络访问,这些资源可以通过最少的管理工作或服务提供商交互快速调配和释放。该云模型提高了可用性,由五个基本特征、三个服务模型和四个部署模型组成

Describe some of the main cloud-specific security threats. 描述一些主要的特定于云的安全威胁。

  • Abuse and nefarious use of cloud computing: For many cloud providers (CPs), it is relatively easy to register and begin using cloud services, some even offering free limited trial periods This enables attackers to get inside the cloud to conduct various attacks, such as spamming, malicious code attacks, and denial of service
  • Insecure interfaces and APIs: CPs etpose a set of software interfaces or APIs that customers use to manage and interact with cloud services The security and availability of general cloud services is dependent upon the security of these basic APIs
  • Malicious insiders: Under the cloud computing paradigm, an organieation relinquishes direct control over many aspects of security and, in doing so, confers an unprecedented level of trust onto the CP bne grave concern is the risk of malicious insider activity Cloud architectures necessitate certain roles that are ettremely high-risk Etamples include CP system administrators and managed security service providers
  • Shared technology issues: IaaS vendors deliver their services in a scalable way by sharing infrastructure bften, the underlying components that make up this infrastructure (CPU caches, GPUs, etc ) were not designed to offer strong isolation properties for a multi-tenant architecture
  • Data loss or leakage: For many clients, the most devastating impact from a security breach is the loss or leakage of data
  • Account or service hijacking: With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services
  • Unknown risk profile: In using cloud infrastructures, the client necessarily cedes control to the cloud provider on a number of issues that may affect securit

GitHub Copilot
这段文字可以按照每个云计算安全问题进行分段,如下:

  • 滥用和恶意使用云计算: 对于许多云服务提供商(CPs),注册并开始使用云服务相对容易,一些甚至提供免费的有限试用期。这使得攻击者可以进入云内部进行各种攻击,如垃圾邮件、恶意代码攻击和拒绝服务。

  • 不安全的接口和APIs: CPs提供一组软件接口或APIs,客户使用它们来管理和与云服务交互。一般云服务的安全性和可用性取决于这些基本APIs的安全性。

  • 恶意内部人员: 在云计算模式下,一个组织放弃了对许多安全方面的直接控制,从而赋予CPs前所未有的信任级别。一个严重的担忧是恶意内部活动的风险。云架构需要一些极高风险的角色。例如,CP系统管理员和托管安全服务提供商。

  • 共享技术问题: IaaS供应商通过共享基础设施以可扩展的方式提供服务。通常,构成这种基础设施的底层组件(CPU缓存、GPU等)并未设计为为多租户架构提供强大的隔离属性。

  • 数据丢失或泄漏: 对于许多客户来说,安全漏洞最具破坏性的影响是数据的丢失或泄漏。

  • 账户或服务劫持: 使用被盗的凭证,攻击者通常可以访问部署的云计算服务的关键区域,从而威胁到这些服务的保密性、完整性和可用性。

  • 未知的风险概况: 在使用云基础设施时,客户必然将一些可能影响安全性的问题的控制权交给云提供商。

第六章

What are the advantages of the approaches to providing Web security listed in Figure 2? 图2中列出的提供Web安全性的方法有哪些优点?

image
The advantage of using IPSec (Figure 8(a)) is that it is transparent to end users and applications and provides a general-purpose solution Further, IPSec includes a filtering capability so that only selected traffic need incur the overhead of IPSec processing The advantage of using SSe (Figure 8(b)) is that it makes use of the reliability and flow control mechanisms of TCP The advantage of application-specific security services (Figure 8(c)) is that the service can be tailored to the specific needs of a given application

使用IPSec(图8(a))的优点是它对最终用户和应用程序是透明的,并提供了通用的解决方案。此外,IPSec包括一个过滤功能,因此只有选定的流量需要承担IPSec处理的开销。使用SSe(图8(b))的优点是它利用了TCP的可靠性和流量控制机制。特定于应用程序的安全服务的优点(图8c

What is HTTPS?

HTTPS (HTTP over SSe) refers to the combination of HTTP and SSeto implement secure communication between a Web browser and a Web server
HTTPS(HTTP over SSe) 是指HTTP和SS的组合,用于实现Web浏览器和Web服务器之间的安全通信

Explain the Transport Layer Security (TLS)’s two layer protocol stack.。解释传输层安全性(TLS)的两层协议栈。

TeS is designed to make use of TCP to provide a reliable, end-to-end, secure service. SSe is not a single protocol but rather two layers of protocols, as illustrated in Figure 1Figure 3. The SSe Record Protocol provides basic security services to various higher-layer protocols. In particular, the Hypertext Transfer Protocol (HTTP), which provides the transfer service for Web client/server interaction, can operate on top of SSe. Three higher-layer protocols are defined as part of TeS: the Handshake Protocol, The Change Cipher Spec Protocol, and the Alert Protocol. These TeS-specific protocols are used in the management of TeS exchanges.

TeS被设计为利用TCP提供可靠的,端到端的,安全的服务。SSe并不是一个单一的协议,而是两层协议,如图1Figure 3所示。SSe记录协议为各种高层协议提供基本的安全服务。特别是,为Web客户端/服务器交互提供传输服务的超文本传输协议(HTTP) 可以在SSe之上运行。作为TeS的一部分,定义了三个高层协议:握手协议,更改密码规范协议和警报协议。这些特定于TeS的协议用于管理TeS交换。

Consider the following threats to Web security and describe how each is countered by a particular feature of SSL.考虑以下对Web安全的威胁,并描述SSL的特定功能是如何应对这些威胁的。

a) Brute Force Cryptanalytic Attack(穷举密码分析攻击)
b) Known Plaintext Dictionary Attack(已知明文字典攻击)
c) Man-in-the-Middle Attack(中间人攻击)
d) Password Sniffing(口令窃听)
e) IP Spoofing(IP欺骗)
f) IP Hijacking(IP劫持)
g) SYN Flooding(SYN 泛滥)

  1. Brute Force Cryptanalytic Attack: The conventional encryption algorithms use key lengths ranging from 40 to 168 bits.

  2. Known Plaintext Dictionary Attack: SSL protects against this attack by not really using a 40-bit key, but an effective key of 128 bits. The rest of the key is constructed from data that is disclosed in the Hello messages. As a result the dictionary must be long enough to accommodate 2^128 entries.

  3. Replay Attack: This is prevented by the use of nonces.

  4. Man-in-the-Middle Attack: This is prevented by the use of public key certificates to authenticate the correspondents.

  5. Password Sniffing: User data is encrypted.

  6. IP Spoofing: The spoofer must be in possession of the secret key as well as the forged IP address.

  7. IP Hijacking: Encryption protects against this attack.

  8. SYN Flooding: SSL provides no protection against this attack.

  9. 穷举密码分析攻击:传统的加密算法使用的密钥长度从40位到168位不等。

  10. 已知明文字典攻击:SSL通过不真正使用40位密钥,而是使用有效的128位密钥来防止此类攻击。密钥的其余部分是由在Hello消息中公开的数据构造的。因此,字典必须足够长,以容纳2^128个条目。

  11. 重放攻击:通过使用随机数来防止此类攻击。

  12. 中间人攻击:通过使用公钥证书来验证通信方,防止此类攻击。

  13. 口令窃听:用户数据被加密。

  14. IP欺骗:欺骗者必须同时拥有秘密密钥和伪造的IP地址。

  15. IP劫持:加密可以防止此类攻击。

  16. SYN泛滥:SSL对此类攻击无法提供保护。

第七章

What factors of wireless networks are of higher security risk compared to wired network? 与有线网络相比,无线网络的哪些因素具有更高的安全风险?

Channel, mobility, resources, and accessibility

渠道、移动性、资源和可访问性

Identify at least five security measures for wireless network security ? 确定至少五种无线网络安全措施

a) Use encryption
b) Use antivirus and antispyware, and a firewall
c) Turn off identifier broadcasting
d) Change the identifier on your router from the default
e) Change your router’s pre-set password for administration
f) Allow only specific computers to access your wireless network

a) 使用加密
b) 使用防病毒和反间谍软件以及防火墙
c) 关闭标识符广播
d) 将路由器上的标识符从默认值更改为
e) 更改路由器的预设密码以进行管理
f) 只允许特定的计算机访问您的无线网络

List the services defined by the 802.11i RSN security specification. 列出802.11i RSN安全规范定义的服务。

Authentication, access control, and privacy with message integrity

身份验证、访问控制和具有消息完整性的隐私

In IEEE 802.11, open system authentication simply consists of two communications. An authentication is requested by the client, which contains the station ID (typically the MAC address). This is followed by an authentication response from the AP/router containing a success or failure message. An example of when a failure may occur is if the client’s MAC address is explicitly excluded in the AP/router configuration.

a) What are the benefits of this authentication scheme?
b) What are the security vulnerabilities of this authentication scheme
在IEEE 802.11中,开放系统认证仅由两个通信组成。客户端请求身份验证,其中包含站点ID(通常为MAC地址)。随后是来自AP/路由器的包含成功或失败消息的身份验证响应。故障可能发生的一个例子是,如果客户端的MAC地址在AP/路由器配置中被明确排除在外。
a) 此身份验证方案的好处是什么?
b) 此身份验证方案的安全漏洞有哪些

a) This scheme is ettremely simple and easy to implement It does protect against very simple attacks using an off-the-shelf Wi-Fi eAN card, and against accidental connection to the wrong network
b) This scheme depends on all parties behaving honestly The scheme does not protect against MAC address forgery

a) 这个方案非常简单,易于实现。它可以防止使用现成的Wi-Fi eAN卡进行非常简单的攻击,并防止意外连接到错误的网络
b) 该方案取决于各方的诚实行为。该方案不能防止MAC地址伪造

第七章

What are the advantages of a detached signature? 分离签名

一个分离的签名可以单独存储和传输,而不是与其签名的消息一起,这在多种情况下都很有用。用户可能希望维护所有发送或接收的消息的单独签名日志。一个可执行程序的分离签名可以检测到后续的病毒感染。最后,当多方需要签署一个文件,如法律合同时,可以使用分离的签名。每个人的签名都是独立的,因此只应用于文件。否则,签名将必须嵌套,第二个签名者签署文档和第一个签名,依此类推。

A detached signature may be stored and transmitted separately from the message is signs, which is useful in several contetts A user may wish to maintain a separate signature log of all messages sent or received A detached signature of an etecutable program can detect subsequent virus infection Finally, detached signatures can be used when more than one party must sign a document, such as a legal contract Each person's signature is independent and therefore is applied only to the document btherwise, signatures would have to be nested, with the second signer signing both the document and the first signature, and so on

Why is message signature applied before compression in PGP?为什么在PGP中压缩之前应用消息签名?

a. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. If one signed a compressed document, then it would be necessary either to store a compressed version of the message for later verification or to recompress the message when verification is required. b. Even if one were willing to generate dynamically a recompressed message for verification, PGP's compression algorithm presents a difficulty. The algorithm is not deterministic; various implementations of the algorithm achieve different tradeoffs in running speed versus compression ratio and, as a result, produce different compressed forms. However, these different compression algorithms are interoperable because any version of the algorithm can correctly decompress the output of any other version. Applying the hash function and signature after compression would constrain all PGP implementations to the same version of the compression algorithm.
a. 最好对未压缩的消息进行签名,这样在未来验证时,只需要存储未压缩的消息和签名。如果对压缩的文档进行签名,那么就需要存储压缩的消息版本以供以后验证,或者在需要验证时重新压缩消息。b. 即使你愿意动态生成一个重新压缩的消息进行验证,PGP的压缩算法也存在一个问题。该算法不是确定性的;算法的各种实现在运行速度与压缩比之间实现了不同的权衡,因此产生了不同的压缩形式。然而,这些不同的压缩算法是可以互操作的,因为算法的任何版本都可以正确地解压其他版本的输出。在压缩后应用哈希函数和签名会限制所有PGP实现使用相同版本的压缩算法。

What is S/MIME?

S/MIME (Secure/Multipurpose Internet Mail Ettension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security

S/MIME(安全/多用途Internet邮件Ettension)是对MIME Internet电子邮件格式标准的安全增强,基于RSA Data security的技术

. What is DKIM?

DomainKeys Identified Mail (DKIM) is a specification for cryptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream

DomainKeys Identified Mail(DKIM) 是一种对电子邮件进行加密签名的规范,允许签名域对邮件流中的消息负责

PGP makes use of the cipher feelback (CFB) mode of CAST-128, whereas most symmetric encryption applications (other than key encryption) use the cipher block chaining (CBC) mode. Two modes appear to provide equal security. Suggest a reason why PGP uses the CFB mode PGP使用CAST-128的密码反馈(CFB)模式,而大多数对称加密应用(除密钥加密外)使用密码块链(CBC)模式。这两种模式似乎提供了相等的安全性。请提出一个原因,为什么PGP使用CFB模式。

CFB avoids the need to add and strip padding

CFB避免了添加和剥离衬垫的需要

In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced? 在PGP方案中,在生成先前创建的密钥之前,预计生成的会话密钥数量是多少?

这只是生日模板的另一种形式,我们将问题描述为确定必须生成多少个会话密钥,以便重复的概率大于0 5
image

What is the basic difference between X.509 and PGP in terms of key hierarchies and key trust? X.509和PGP在密钥层次结构和密钥信任方面的基本区别是什么?

In X 509 there is a hierarchy of Certificate Authorities
Another difference is that in X 509 users will only trust Certificate Authorities while in PGP users can trust other users
在X 509中,存在证书颁发机构的层次结构
另一个区别是,在X 509中,用户只信任证书颁发机构,而在PGP中,用户可以信任其他用户

第九章

List the security services provided by IPSec 列出IPSec提供的安全服务

Access control; connectionless integrity; data origin authentication; rejection of replayed packets (a form of partial sequence integrity); confidentiality (encryption); and limited traffic flow confidentiality

访问控制;无连接完整性;数据源认证;拒绝重播的数据包(一种部分序列完整性);保密性(加密);以及有限的流量保密性。

What are the differences between transport and tunnel mode?运输方式和隧道方式有什么区别?

Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet.
Tunnel mode provides protection to the entire IP packet.

传输模式主要为上层协议提供保护。也就是说,传输模式保护扩展到IP数据包的有效载荷。
隧道模式为整个IP数据包提供保护。

Why does ESP contain the Padding field ?ESP为什么包含“填充”字段

f an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., the multiple of a single block for a block cipher), the Padding field is used to expand the plaintext (consisting of the Payload Data, Padding, Pad Length, and Next Header fields) to the required length.

The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment.

Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.

如果加密算法要求明文是某个字节数的倍数(例如,块密码的单个块的倍数),则使用填充字段将明文(由有效载荷数据、填充、填充长度和下一个头字段组成)扩展到所需长度。

ESP格式要求填充长度和下一个头字段在32位字中右对齐。等效地,密文必须是32位的整数倍。填充字段用于确保这种对齐。

可以添加额外的填充,通过隐藏有效载荷的实际长度,提供部分流量流的保密性。

4. Suppose that the current replay window spans from 120 to 530 4.假设当前回放窗口从120到530

a) If the next incoming authenticated packet has sequence number 105, what will the receiver do with the packet, and what will be the parameters of the window after that?
b) If instead the next incoming authenticated packet has sequence number 440, what will the receiver do with the packet, and what will be the parameters of the window after that?
c) If instead the next incoming authenticated packet has sequence number 540, what will the receiver do with the packet, and what will be the parameters of the window after that?

a) 如果下一个接收到的经过认证的数据包的序列号是105,接收者会怎么处理这个数据包,然后窗口的参数会是什么?
b) 如果下一个接收到的经过认证的数据包的序列号是440,接收者会怎么处理这个数据包,然后窗口的参数会是什么?
c) 如果下一个接收到的经过认证的数据包的序列号是540,接收者会怎么处理这个数据包,然后窗口的参数会是什么?

a) The received packet is to the left of the window, so the packet is discarded; this is an auditable event No change is made to window parameters
b) The received packet falls within the window If it is new, the MAC is checked If the packet is authenticated, the corresponding slot in the window is marked If it is not new, the packet is discarded In either case, no change is made to window parameters
c) The received packet is to the right of the window and is new, so the MAC is checked If the packet is authenticated, the window is advanced so that this sequence number is the right edge of the window, and the corresponding slot in the window is marked In this case, the window now spans from 180 to 540

a) 接收到的数据包在窗口的左侧,所以数据包被丢弃;这是一个可审计的事件。窗口参数不做改变。
b) 接收到的数据包落在窗口内。如果它是新的,就会检查MAC。如果数据包被认证,窗口中对应的槽会被标记。如果它不是新的,数据包会被丢弃。在任何情况下,窗口参数都不会改变。
c) 接收到的数据包在窗口的右侧,并且是新的,所以会检查MAC。如果数据包被认证,窗口会前移,使得这个序列号是窗口的右边缘,并且窗口中对应的槽会被标记。在这种情况下,窗口现在从180到540。

This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service attacks.
It also allows for the possibility of parallel processing of packets at the receiver, i.e., decryption can take place in parallel with authentication

这种处理顺序便于接收者在解密数据包之前快速检测和拒绝重播或伪造的数据包,从而可能减少拒绝服务攻击的影响。 它还允许在接收者处对数据包进行并行处理,即,解密可以与认证同时进行。

第十章

What are three broad mechanisms that malware can use to propagate? 恶意软件可以用来传播的三种广泛机制是什么?

The three broad mechanisms malware can use to propagate are:
(1) infection of existing executable or interpreted content by viruses that is subsequently spread to other systems;
(2) exploit of software vulnerabilities either locally or over a network by worms or drive-by downloads to allow the malware to replicate;
(3) social engineering attacks that convince users to bypass security mechanisms to install trojans, or to respond to phishing attacks.

恶意软件可以使用的三种主要传播机制是:
(1) 通过病毒感染现有的可执行或解释内容,然后将其传播到其他系统;
(2) 通过蠕虫或驱动器下载利用软件漏洞,无论是本地还是通过网络,以允许恶意软件复制;
(3) 社会工程攻击,说服用户绕过安全机制安装木马,或响应网络钓鱼攻击。

What mechanisms can a virus use to conceal itself?病毒可以利用什么机制来隐藏自己

Some mechanisms a virus can use to conceal itself include: encryption, stealth, polymorphism, and metamorphism

病毒可以用来隐藏自己的一些机制包括:加密、隐形、多态性和变质

Differentiate among the following: a backdoor, a bot, a keylogger, spyware, and a rootkit? Can they all be present in the same malware? 区分以下几种:后门、机器人、键盘记录程序、间谍软件和rootkit?它们是否都存在于同一个恶意软件中?

A backdoor(后门) is a secret entry point into a program or system that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures.
A bot(僵尸) subverts the computational and network resources of the infected system for use by the attacker.
A keylogger(键盘日志) captures keystrokes on the infected machine, to allow an attacker to monitor sensitive information including login and password credentials.
Spyware(间谍软件) subverts the compromised machine to allow monitoring of a wide range of activity on the system, including monitoring the history and content of browsing activity, redirecting certain web page requests to fake sites controlled by the attacker, dynamically modifying data exchanged between the browser and certain web sites of interest; which can result in significant compromise of the user’s personal information.
A rootkit(木马) is a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, whilst hiding evidence of its presence to the greatest extent possible. These can all be present in the same malware.

后门是一个进入程序或系统的秘密入口,允许知道后门的人在不经过通常的安全访问程序的情况下获得访问权限。
僵尸会颠覆被感染系统的计算和网络资源供攻击者使用。
键盘日志会捕获被感染机器上的按键,以便攻击者监控包括登录和密码凭据在内的敏感信息。
间谍软件会颠覆被妥协的机器,允许监控系统上的广泛活动,包括监控浏览活动的历史和内容,将某些网页请求重定向到攻击者控制的假网站,动态修改浏览器和某些感兴趣的网站之间交换的数据;这可能导致用户的个人信息被严重妥协。
木马是一套安装在系统上的程序,用于以管理员(或root)权限维持对该系统的秘密访问,同时尽可能隐藏其存在的证据。 这些都可以在同一恶意软件中存在。

Briefly describe the malware countermeasure.简要描述恶意软件对策。

Malware countermeasure elements include prevention in not allowing malware to get into the system in the first place, or blocking its ability to modify the system, via policy, awareness, vulnerability mitigation and threat mitigation; detection to determine that it has occurred and locate the malware; identification to identify the specific malware that has infected the system; and removal to remove all traces of malware virus from all infected systems so that it cannot spread further

恶意软件的对策元素包括预防,不让恶意软件首先进入系统,或阻止其修改系统的能力,通过策略,意识,漏洞缓解和威胁缓解;检测以确定它已经发生并定位恶意软件;识别以识别已经感染系统的特定恶意软件;以及移除,从所有被感染的系统中移除所有恶意软件病毒的痕迹,以便它不能进一步传播。

Assume you have found a USB memory stick in you work paring area. What threats might this pose to your work computer should you just plug the memory stick in and examine its contents? In particular, consider whether each of the malware propagation mechanisms we discuss could use such a memory stick for transport. What steps could you take to mitigate these threats and safely determine the contents of the memory stick 假设你在工作区找到了一个USB记忆棒。如果你只是插入记忆棒并查看其内容,这可能对你的工作电脑构成什么威胁?特别是,考虑我们讨论的每一种恶意软件传播机制是否可以使用这样的记忆棒进行传输。你可以采取什么步骤来减轻这些威胁,并安全地确定记忆棒的内容?

The found USB memory stick may pose a range of threats to the confidentiality, integrity and availability of the work system. Each of the malware propagation mechanisms we discuss could use such a memory stick for transport. It may carry a program infected with an executable virus, or document infected with a macro virus, which if run or opened can allow the virus to run and spread. It could carry a malicious worm that may be run automatically using the autorun capability, or by exploiting some vulnerability when the USB stick is viewed. Or it could contain a trojan horse program or file that would threaten the system if installed or allowed to run. You can mitigate these threats, and try to safely determine the contents of the memory stick, by scanning the memory stick with suitable, up-to-date antivirus software for any signs of malware – though this will not detect unknown, zero-day exploits. You could examine the memory stick in a controlled environment, such as a live-boot Linux or other system, or in some emulation environment, which cannot be changed even if the malware does manage to run.

找到的USB记忆棒可能对工作系统的机密性、完整性和可用性构成一系列威胁。我们讨论的每一种恶意软件传播机制都可以使用这样的记忆棒进行传输。它可能携带一个被可执行病毒感染的程序,或者被宏病毒感染的文档,如果运行或打开,可以让病毒运行和传播。它可能携带一个恶意的蠕虫,这个蠕虫可能使用自动运行功能自动运行,或者在查看USB记忆棒时利用某些漏洞运行。或者,它可能包含一个木马程序或文件,如果安装或允许运行,将威胁到系统。你可以通过使用适当的、最新的防病毒软件扫描记忆棒,寻找任何恶意软件的迹象,来减轻这些威胁,并尝试安全地确定记忆棒的内容——尽管这不会检测到未知的、零日利用。你可以在一个受控环境中,如一个实时启动的Linux或其他系统,或在一些仿真环境中,检查记忆棒,即使恶意软件确实设法运行,也不能改变这些环境。

Suppose you observe that your home PC is responding very slowly to information requests from the net. And then you further observe that your network gateway shows high levels of network activity, even though you have closed your e-mail client, Web browser, and other programs that access the net. What types of malware could cause these symptoms? Discuss how the malware might have gained access to your system, What steps can you take to check whether this has occurred? If you do identify malware on your PC, how can you restore it to safe operation? 假设你观察到你的家用电脑对来自网络的信息请求反应非常慢。然后你进一步观察到,即使你已经关闭了你的电子邮件客户端、网页浏览器和其他访问网络的程序,你的网络网关仍然显示出高水平的网络活动。什么类型的恶意软件可能导致这些症状?讨论一下恶意软件可能如何进入你的系统,你可以采取什么步骤来检查是否发生了这种情况?如果你确实在你的电脑上发现了恶意软件,你如何才能恢复到安全操作?

Observations of your home PC is responding very slowly, with high levels of network activity, may indicate the presence of malware, likely including bot code, on the system. The slow response and net traffic could be caused by it participating in a botnet, perhaps distributing spam emails, performing DDoS attacks, or other malicious activities. This malware could have gained access to the system as a result of installing some trojan program perhaps advertised in spam email or on a compromised website, from a drive-by-download, or from exploit of some vulnerability on the system by a worm. Possible steps to check whether this has occurred include examining the process/task list for unknown programs executing, looking at logs of network traffic kept by a host firewall program to see which programs are generating traffic, or scanning the system with suitable, up-to-date anti-virus software for any signs of malware – though this will not detect unknown, zero-day exploits. If you do identify malware on your PC, you may be able to restore it to safe operation using suitable, uptodate anti-virus software, provided the malware is known. Otherwise you may have to erase all storage and rebuild the system from scratch.

你家用电脑反应非常慢,网络活动水平高,可能表明系统上存在恶意软件,可能包括僵尸网络代码。慢速响应和网络流量可能是由于它参与了一个僵尸网络,可能是分发垃圾邮件,执行DDoS攻击,或其他恶意活动。 这种恶意软件可能是由于安装了一些木马程序,可能在垃圾邮件或被妥协的网站上广告,从驱动器下载,或者由蠕虫利用系统上的一些漏洞。可能的检查步骤包括检查进程/任务列表中正在执行的未知程序,查看主机防火墙程序保留的网络流量日志,看看哪些程序正在产生流量,或者使用适当的、最新的防病毒软件扫描系统,寻找任何恶意软件的迹象——尽管这不会检测到未知的、零日利用。如果你确实在你的电脑上发现了恶意软件,你可能可以使用适当的、最新的防病毒软件,只要恶意软件是已知的,就可以恢复到安全操作。否则,你可能需要擦除所有存储并从头开始重建系统。

Suppose that while trying to access a collection of short videos on some Web site, you see a popup window stating that you need to install this custom codec in order to view the videos. What threat might this pose to your computer system if you approve this installation request? 假设在尝试访问某个网站上的一系列短视频时,你看到一个弹出窗口,声明你需要安装这个自定义编解码器才能查看视频。如果你批准这个安装请求,这可能对你的电脑系统构成什么威胁?

If a user installs some custom codec claimed needed to view some videos, they may actually be installing trojan horse code It may indeed allow viewing of the video, or may just be an etcuse to compromise the system Such code may pose a range of threats to the confidentiality, integrity and availability of the system It may include backdoor, bot, keylogger, spyware, rootkit or indeed any other malware payloads

如果用户安装了一些声称需要查看一些视频的自定义编解码器,他们实际上可能正在安装木马代码。它可能确实允许查看视频,或者可能只是一个借口来妥协系统。这样的代码可能对系统的机密性、完整性和可用性构成一系列威胁。它可能包括后门、僵尸、键盘记录器、间谍软件、根套件或者任何其他恶意软件负载。

十一章

List the way to protect a password file

One-way encryption: The system stores only an encrypted form of the user's password. When the user presents a password, the system encrypts that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (nonreversible) in which the password is used to generate a key for the encryption function and in which a fixed-length output is produced.

Access control: Access to the password file is limited to one or a very few accounts.
单向加密:系统只存储用户密码的加密形式。当用户提供密码时,系统会对该密码进行加密,并将其与存储的值进行比较。在实践中,系统通常执行一种单向转换(不可逆),在该转换中,密码被用来生成加密函数的密钥,并产生固定长度的输出。
访问控制:对密码文件的访问限制在一个或很少的账户

列出入侵检测的方法。List the approaches to intrusion detection.

Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior.

Rule-Based Detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.

统计异常检测涉及到在一段时间内收集与合法用户行为相关的数据。然后,将统计测试应用于观察到的行为,以高度的信心确定该行为是否不是合法用户的行为。
基于规则的检测涉及尝试定义一组规则,这些规则可以用来决定给定的行为是否是入侵者的行为。

What is a honeypot

Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.
蜜罐是设计用来将潜在攻击者引离关键系统的诱饵系统。

What is the difference between statistical anomaly detection and rule-based intrusion detection?统计异常检测和基于规则的入侵检测之间有什么区别?

Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Rule-Based Detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder

统计异常检测涉及到在一段时间内收集与合法用户行为相关的数据。然后,将统计测试应用于观察到的行为,以高度的信心确定该行为是否不是合法用户的行为。基于规则的检测涉及尝试定义一组规则,这些规则可以用来决定给定的行为是否是入侵者的行为。

List and briefly define four techniques used to avoid guessable passwords 列出并简要定义用于避免猜测密码的四种技术

User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords
Computer-generated passwords: Users are provided passwords generated by a computer algorithm
Reactive password checking: the system periodically runs its own password cracker to find guessable passwords The system cancels any passwords that are guessed and notifies the user
Proactive password checking: a user is allowed to select his or her own password However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it

用户教育:可以告诉用户使用难以猜测的密码的重要性,并提供选择强密码的指南。
计算机生成的密码:用户提供由计算机算法生成的密码。
反应式密码检查:系统定期运行自己的密码pojie器来找出可猜测的密码。系统取消任何被猜出的密码并通知用户。
主动式密码检查:用户可以选择自己的密码。然而,在选择时,系统会检查密码是否允许,如果不允许,就会拒绝它。

What are three benefits that can be provided by an intrusion detection system 入侵检测系统可以提供的三个好处是什么

If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved 8 An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions 3 Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility

如果入侵被足够快地检测到,可以在任何损害发生或任何数据被妥协之前识别并将入侵者从系统中排除。即使检测不足以预防入侵者,入侵被检测到的越早,损害的数量就越少,恢复的速度就越快。有效的入侵检测系统可以起到威慑作用,从而防止入侵。入侵检测使得可以收集关于入侵技术的信息,这些信息可以用来加强入侵防护设施。

十二章

List three design goals for a firewall 列出防火墙的三个设计目标

All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section.
Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this section.
The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system.

所有从内部到外部,反之亦然的流量,都必须通过防火墙。这是通过物理阻断除防火墙外的所有访问本地网络的方式来实现的。可能有各种各样的配置,这将在本节后面解释。
只有被本地安全策略定义为授权的流量才会被允许通过。使用各种类型的防火墙,它们实现各种类型的安全策略,这将在本节后面解释。
防火墙本身对渗透免疫。这意味着使用一个具有安全操作系统的可信系统。

List four techniques used by firewalls to control access and enforce a security policy.列出防火墙用于控制访问和强制执行安全策略的四种技术。

Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.
Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.
User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec.
Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.

服务控制:确定可以访问的互联网服务的类型,入站或出站。防火墙可能会根据IP地址和TCP端口号过滤流量;可能提供代理软件,该软件在传递每个服务请求之前接收并解释它;或者可能自己托管服务器软件,如Web或邮件服务。
方向控制:确定哪些特定的服务请求可以启动并允许通过防火墙流动。
用户控制:根据尝试访问服务的用户来控制对服务的访问。这个功能通常应用于防火墙周边的用户(本地用户)。它也可能应用于来自外部用户的入站流量;后者需要一些形式的安全认证技术,例如IPSec提供的。
行为控制:控制如何使用特定的服务。例如,防火墙可能过滤电子邮件以消除垃圾邮件,或者可能只允许外部访问本地Web服务器上的一部分信息。

What are the differences among the firewalls of Figure 4?图4的防火墙之间有什么区别?

image

Packet filtering firewall: Applies a set of rules to each incoming and outgoing IP packet and then forwards or discards the packet. Stateful inspection firewall: Tightens up the rules for TCP traffic by creating a directory of outbound TCP connections. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory. Application proxy firewall: Acts as a relay of application-level traffic (Figure 4d). The user contacts the gateway using a TCP/IP application, such as Telnet or FTP, and the gateway asks the user for the name of the remote host to be accessed. When the user responds and provides a valid user ID and authentication information, the gateway contacts the application on the remote host and relays TCP segments containing the application data between the two endpoints. If the gateway does not implement the proxy code for a specific application, the service is not supported and cannot be forwarded across the firewall. Further, the gateway can be configured to support only specific features of an application that the network administrator considers acceptable while denying all other features
Circuit-level proxy firewall: As with an application gateway, a circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

数据包过滤防火墙:对每个进入和出去的IP数据包应用一组规则,然后转发或丢弃该数据包。状态检查防火墙:通过创建出站TCP连接的目录来加强TCP流量的规则。每个当前建立的连接都有一个条目。数据包过滤器现在只允许那些符合此目录中的某个条目的配置文件的数据包进入高编号的端口。应用代理防火墙:作为应用级流量的中继(图4d)。用户使用TCP/IP应用程序(如Telnet或FTP)联系网关,网关要求用户提供要访问的远程主机的名称。当用户回应并提供有效的用户ID和认证信息时,网关联系远程主机上的应用程序,并在两个端点之间中继包含应用程序数据的TCP段。如果网关没有实现特定应用程序的代理代码,那么服务不受支持,不能在防火墙之间转发。此外,网关可以配置为只支持网络管理员认为可接受的应用程序的特定功能,同时拒绝所有其他功能。
电路级代理防火墙:与应用网关一样,电路级网关不允许端到端的TCP连接;相反,网关设置两个TCP连接,一个是它自己和内部主机上的TCP用户之间的连接,另一个是它自己和外部主机上的TCP用户之间的连接。一旦两个连接建立,网关通常在一个连接到另一个连接中中继TCP段,而不检查内容。安全功能包括确定哪些连接将被允许。

一种打败微小片段攻击的方法是强制执行必须包含在IP数据包的第一个片段中的传输头的最小长度。如果第一个片段被拒绝,所有后续的片段都可以被拒绝。然而,IP的性质是这样的,片段可能会乱序到达。因此,一个中间片段可能在初始片段被拒绝之前通过过滤器。这种情况应该如何处理?One approach to defeating the tiny fragment attack is to enforce a minimum length of the transport header that must be contained in the first fragment of an IP packet. If the first fragment is rejected, all subsequent fragments can be rejected. However, the nature of IP is such that fragments may arrive out of order. Thus, an intermediate fragment may pass through the filter before the initial fragment is rejected. How can this situation be handled

It will be impossible for the destination host to complete reassembly of the packet if the first fragment is missing, and therefore the entire packet will be discarded by the destination after a time-out

如果第一个片段丢失,目标主机将无法完成数据包的重组,因此整个数据包将在超时后被目标主机丢弃。

Table 1 shows a sample of a packet filter firewall ruleset for an imaginary network of IP address that range from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule. 表1显示了IP地址范围从192.168.1.0到192.168.1.254的假想网络的数据包过滤器防火墙规则集示例。描述每条规则的效果。

image

  1. Allow return TCP Connections to internal subnet.
  2. Prevent Firewall system itself from directly connecting to anything.
  3. Prevent External users from directly accessing the Firewall system.
  4. Internal Users can access External servers,
  5. Allow External Users to send email in.
  6. Allow External Users to access WWW server.
  7. Everything not previously allowed is explicitly denied

① 允许返回到内部子网的TCP连接。
② 防止防火墙系统本身直接连接到任何东西。
③ 防止外部用户直接访问防火墙系统。
④ 内部用户可以访问外部服务器。
⑤ 允许外部用户发送电子邮件。
⑥ 允许外部用户访问WWW服务器。
⑦ 之前未被允许的所有事情都被明确地拒绝。

posted @ 2023-11-29 15:05  魔法少女小胖  阅读(56)  评论(0编辑  收藏  举报