Security knowledge: four steps to strengthen network protection

With the following four steps, you can ease the pressure of protecting your network. Here are some ways to strengthen your network protection.

Recently, Microsoft has been promoting the idea that if you want a truly secure network, you have to focus on five important areas: perimeter protection, network protection, application protection, data protection, and host protection. In this article, I'll discuss network protection to help you achieve defense in depth.

Microsoft's philosophy of security is that you should focus on five separate areas, as if each of them needed to be protected independently. That way, you can make sure each area is properly protected. By focusing on these areas independently, you can also make sure that when one of them is under threat, the other four layers still work and protect your network.

What is network protection?

At first, the concept of network protection sounds too broad and general, but there is nothing vague about this area. Network protection deals with the connections between networks, that is, with what ties all of your networks together into one whole. It does not deal with problems such as external firewalls or dial-up connections; those belong to perimeter security. It does not cover a single server or workstation either; that is a host-protection problem. Network protection covers issues such as protocols and routers.

Internal firewall

Network protection does not include the external firewall, but that doesn't mean it doesn't involve firewalls at all. On the contrary, the first step I propose for network protection is to use an internal firewall whenever possible. Internal firewalls, like external firewalls, are a foundation of security. The main difference between the two is that the main job of an internal firewall is to protect your machines from internal communications. There are plenty of reasons to use an internal firewall.

First of all, imagine that a hacker or a virus somehow takes control of your external firewall; the attacker can then communicate with the internal network as if there were no firewall at all. Usually, this means that your network is completely open to the outside world. But if you have an internal firewall, it blocks the malicious packets that sneak in past the external firewall.

Another major reason for using an internal firewall is that many attacks come from inside. You may have heard this before and think that internal attacks are unlikely on your network, but I've seen an insider attack in every security department I've worked for.

In two places I used to work, some people in other departments were hackers, or at least enthusiasts who liked to tinker with administration. They thought it would be cool and fascinating to find out as much information as they could. In both places, they had no real malice (or so they said); they just wanted to show off in front of their friends, and yet they were able to attack the system. Whatever their motives, they did harm to network security. You must guard against your network being attacked by such people.

In other places I've worked, I've seen people install software on their own without authorization, and the software included a Trojan horse. Once such a Trojan is in the system, it can broadcast your information out through a specific port. Firewalls have a hard time stopping these malicious packets from entering the network, because the packets are already inside the network.

These facts lead to an interesting observation: most of the technical staff I know configure the external firewall to stop most incoming traffic, but leave outgoing traffic unrestricted. I suggest treating outgoing traffic as cautiously as incoming traffic, because you never know when a Trojan hiding in your network will broadcast your information out of it.

An internal firewall can be placed on any computer or any server. There are some nice personal firewall products on the market, such as Symantec Norton Personal Firewall 2003. But since Windows XP comes with a built-in personal firewall, you don't have to pay for an independent personal firewall for your workstations.

If you want to use the Windows XP firewall, right-click My Network Places and select Properties from the shortcut menu to open the Network Connections window. Next, right-click the network connection you want to protect and select Properties. Now select the Advanced tab, and then check the Internet Connection Firewall option. You can use the Settings button to select which ports to open. Although the Windows XP firewall is designed as an Internet firewall, it can also be used as an internal firewall.

Encryption

The next step I suggest is to encrypt your network communications. Use IPSec whenever possible. To do that, you need to understand IPSec security. If you configure a machine to use IPSec, you have two choices: require encryption or request encryption. If you require encryption, then when other machines try to connect to your machine, they are told that they must encrypt. If the other machine is capable of IPSec encryption, a secure communication channel is established as soon as the connection is set up.
On the other hand, if the other machine does not have IPSec encryption capability, the connection is rejected because the required encryption cannot be provided.

The request-encryption option is slightly different. When a machine requests a connection, it also asks for encryption. If both machines support IPSec, a secure path is established between them and communication begins. If one of the machines does not support IPSec encryption, communication still begins, but the data is not encrypted.

For this reason, I offer some suggestions. First of all, I suggest putting all of the servers at a site on a secure network that is completely separate from the usual network. Each server that users need to access should have two network cards, one connected to the primary network and the other to the private server network. This server network should contain only servers, and it should have its own dedicated hubs or switches.

Doing so builds a dedicated backbone between the servers. All server-to-server communication, such as RPC traffic or replication, can be carried over this dedicated backbone. In this way, you protect the server-to-server traffic, and you also free up bandwidth on your primary network.

Next, I recommend using IPSec. On the server-only network, IPSec encryption should be required. After all, there are only servers on this network, so unless you have UNIX, Linux, Macintosh, or other non-Microsoft servers, your servers have no reason not to support IPSec. So you can confidently require IPSec encryption. For all workstations and servers connected to the primary network, you should request encryption. In this way, you get the optimal balance between security and functionality.

Unfortunately, IPSec cannot distinguish between the network adapters of a multi-homed computer. Therefore, unless a server sits only on the server network, you may need to use the request-encryption option; otherwise, other clients will not be able to access the server.

Of course, IPSec is not the only encryption available for your network communications. You also have to consider how you want to protect communications across your network and your wireless network. It is still difficult to talk about wireless encryption today, because wireless network devices are still developing. Most network administrators believe that wireless networks are insecure, because the packets travel through the open air and anyone with a notebook computer and a wireless NIC can intercept them.

Wireless networks do have some risks, but in some ways a wireless network can even be safer than a wired one. This is because the main encryption mechanism for wireless communication is WEP. WEP keys range from 40 bits to 152 bits or even higher; the key length actually used is the lowest one supported by all communicating parties. For example, if your access point supports 128-bit WEP but one of your wireless client devices only supports 64-bit WEP, then you only get 64-bit encryption. At present, though, basically all wireless devices support at least 128-bit encryption.

What many administrators do not realize is that although a wireless network can use WEP, WEP is not the only encryption it can use. WEP simply encrypts all traffic over the wireless network; it does not care what kind of data it is encrypting. So if you have already encrypted the data with IPSec, WEP applies a second layer of encryption on top of the already encrypted data.

Network isolation

If your company is large, you probably have a Web server hosting the company's Web site. If this Web server does not need access to a back-end database or other resources on your private network, there is no reason to put it on your private network. Since you can isolate this server from your own network, why place it inside the private network and give hackers a way in?

If your Web server does need to access a database or other resources on the private network, I suggest placing an ISA Server between your firewall and the Web server. Internet users then communicate with the ISA Server rather than directly with the Web server, and the ISA Server proxies requests between the user and the Web server. You can set up an IPSec connection between the Web server and the database server, and an SSL connection between the Web server and the ISA Server.

Packet monitoring

After you've taken all the necessary steps to protect communications across your network, I suggest occasionally using a packet sniffer to monitor network traffic. This is only a precaution, but it helps you understand what kinds of traffic actually occur on your network. If you find unexpected packet types, you can track down their sources.

The biggest problem with protocol analyzers is that hackers can exploit them too, turning them into a weapon. Because of the way packet sniffing works, I once thought it was impossible to detect anyone who was sniffing packets on my network. A sniffer only listens to the traffic passing over the cable, and since it does not change the packets, how could anyone know who is listening?

In fact, detecting packet sniffing is much easier than you think. All you need is a decoy machine. The decoy should be a workstation that nobody knows about except you. Make sure the decoy has an IP address but is not a member of the domain. Now connect the decoy to the network and let it generate some traffic. If someone is sniffing the network, they will see the packets sent by the decoy. The problem for the listener is that they know the decoy's IP address but not its host name, so they typically do a DNS lookup to try to find the machine's host name.

Since you are the only one who knows the machine exists, nobody else should be looking it up in DNS. So if you find in the DNS logs that someone is looking up your decoy machine, you have reason to suspect that their machine is being used to sniff the network.

Another step you can take to prevent sniffing is to replace all of your existing hubs with VLAN switches. These switches create a virtual network between the sender and the receiver of each packet. The packet no longer passes through every machine on the network; it is sent directly from the sending end to the receiving end. This means that even if someone is sniffing your network, it is hard for them to get anything useful.

Switches of this type have other advantages. With a standard hub, all nodes fall into the same collision domain. This means that if you have a total bandwidth of 100 Mbps, that bandwidth is shared among all the nodes. A VLAN switch is different: each virtual LAN has its own dedicated bandwidth that does not need to be shared. So a 100 Mbps switch can handle hundreds of Mbps of traffic at the same time, with all the communications taking place on different virtual networks. Using VLAN switches improves both security and efficiency.
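The require-versus-request behaviour from the Encryption section, together with its server-backbone and multi-homed-server advice, as an added example that is not code from the original article: a small Python model of the connection outcomes plus an audit of a constructed site. The host names, network labels and audit rules are assumptions; the model follows the article's description of the two options, not any particular IPSec implementation.

```python
# Added model of the IPsec "require" vs "request" outcomes described in the
# Encryption section; hosts, network labels and the audit rules are constructed.
from dataclasses import dataclass
from enum import Enum

class Policy(Enum):
    REQUIRE = "require"   # refuse any peer that cannot negotiate IPsec
    REQUEST = "request"   # ask for IPsec, fall back to cleartext if the peer cannot
    RESPOND = "respond"   # never asks for IPsec itself, but answers when asked

@dataclass(frozen=True)
class Host:
    name: str
    policy: Policy
    ipsec_capable: bool   # False for the non-Microsoft boxes the text mentions
    networks: frozenset   # labels of the networks this host's NICs sit on

def negotiate(a: Host, b: Host) -> str:
    """Outcome of one connection between a and b: encrypted, cleartext or rejected."""
    policies = {a.policy, b.policy}
    both_capable = a.ipsec_capable and b.ipsec_capable
    if Policy.REQUIRE in policies:
        return "encrypted" if both_capable else "rejected"
    if Policy.REQUEST in policies:
        return "encrypted" if both_capable else "cleartext"
    return "cleartext"    # nobody asked for IPsec at all

def audit(flows):
    """Check (client, server) pairs against the article's two rules: traffic on
    the server-only backbone must be encrypted, and a client must never be
    locked out of a server it needs to reach. Returns the violations found."""
    findings = []
    for client, server in flows:
        outcome = negotiate(client, server)
        on_backbone = "server-net" in (client.networks & server.networks)
        if on_backbone and outcome != "encrypted":
            findings.append(f"{client.name}->{server.name}: {outcome} on server-net")
        if outcome == "rejected":
            findings.append(f"{client.name}->{server.name}: client locked out")
    return findings

# Constructed site: a dedicated server backbone ("server-net") plus the main LAN.
SERVER_NET, MAIN_NET = frozenset({"server-net"}), frozenset({"main-net"})
db = Host("db", Policy.REQUIRE, True, SERVER_NET)              # backbone only
web = Host("web", Policy.REQUIRE, True, SERVER_NET | MAIN_NET)  # multi-homed
mac = Host("mac-ws", Policy.RESPOND, False, MAIN_NET)          # cannot do IPsec
xp = Host("xp-ws", Policy.RESPOND, True, MAIN_NET)
FLOWS = [(web, db), (xp, web), (mac, web)]
```

Running audit(FLOWS) reports the Mac workstation locked out of the multi-homed web server; rebuilding web with Policy.REQUEST clears that finding at the cost of one cleartext flow on the main LAN, which is the trade-off the text describes.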
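The decoy-host check from the packet monitoring section, as an added example that is not part of the original article: it scans a constructed BIND-style DNS query log for reverse lookups of the decoy's address and reports which DNS clients asked. The decoy address, the log format and the sample lines are all assumptions.

```python
# Added example for the decoy-host check: which DNS clients looked up the decoy's
# address? Log format (BIND-style query log) and every value here are constructed.
import re
from collections import Counter

# Matches "client 192.0.2.1#1234: query: name IN PTR", with or without the
# "@0x..." and "(name)" fields that newer BIND releases insert (assumed format).
QUERY_RE = re.compile(
    r"client (?:@\S+ )?([\d.]+)#\d+(?: \(\S+\))?: query: (\S+) IN (\S+)"
)

def reverse_name(ip: str) -> str:
    """Reverse-lookup name for an IPv4 address: 192.168.10.77 -> 77.10.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def suspects(log_lines, decoy_ip: str) -> dict:
    """Map each DNS client that asked for the decoy's PTR record to its query count.
    Only someone watching the wire learns the decoy's IP, so every hit is a lead."""
    target = reverse_name(decoy_ip)
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                      # not a query line; ignore it
        client, qname, qtype = m.groups()
        if qtype.upper() == "PTR" and qname.rstrip(".").lower() == target:
            hits[client] += 1
    return dict(hits)

# Constructed sample log: ordinary lookups from .23, two reverse lookups of the
# decoy (192.168.10.77) from .48, and an unrelated reverse lookup from .23.
SAMPLE_LOG = """\
22-Mar-2003 10:14:02.113 client 192.168.10.23#1035: query: www.example.com IN A +
22-Mar-2003 10:14:05.270 client 192.168.10.23#1036: query: mail.example.com IN MX +
22-Mar-2003 10:15:41.002 client 192.168.10.48#3210: query: 77.10.168.192.in-addr.arpa IN PTR +
22-Mar-2003 10:15:41.880 client 192.168.10.48#3211: query: 77.10.168.192.in-addr.arpa. IN PTR +
22-Mar-2003 10:16:03.519 client 192.168.10.23#1040: query: 9.10.168.192.in-addr.arpa IN PTR +
22-Mar-2003 10:16:10.001 client 192.168.10.48#3212: query: 77.10.168.192.in-addr.arpa IN A +
""".splitlines()

if __name__ == "__main__":
    for client, n in suspects(SAMPLE_LOG, "192.168.10.77").items():
        print(f"{client} looked up the decoy {n} time(s); check that host for a sniffer")
```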