Posted on March 22, 2024

XXXX College

Computer Professional English

Class: Computer Science

Student ID: 12

Name:

Date: 2015-12-

Security of Computer Network System

Abstract: This paper discusses the security and reliability problems of computer network systems. It covers the importance of network security, its theoretical basis, the functions a secure network should have, and measures for solving these problems, and it puts forward some views intended to strengthen people's awareness of network security.

Key words: computer network; virtual private network; encryption techniques; firewall

Introduction: With the development of computer network technology, network security and reliability have become a common concern for all users. Everyone hopes that their own network system can run reliably, free from disturbance and destruction by external intruders. Solving the problems of network security and reliability carefully is therefore the premise and guarantee of normal network operation.

First: the importance of network security. With information technology developing so fast today, computer networks are widely used. As the volume of information transmitted between networks grows rapidly, some organizations and departments benefit from the network speeding up their business operations, while their data on the network also suffers attack and destruction to varying degrees. An attacker may intercept information on the network and steal users' passwords and database information; he may also tamper with database content, forge user identities, and deny his own signature. Worse still, an attacker may delete database content, destroy network nodes, release computer viruses, and so on. All this seriously threatens data security and the users' own interests. According to an investigation by the American FBI (US Federal Bureau of Investigation), network security problems cause economic losses of more than 17 billion dollars every year in the United States. 75 companies reported financial losses caused by computer system security problems. More than 50% of security threats come from inside, and only 59% of the losses can be quantitatively estimated. In China, the economic losses caused by security problems in the computer systems of banking, securities and other financial fields have reached several hundred million yuan, and network security threats against other industries also occur from time to time. Thus it can be seen that both deliberate attacks and unintentional misoperation can bring inestimable losses to a system. A computer network must therefore have sufficiently strong security measures. Whether in a local area network or a WAN, network security measures should be comprehensive, addressing every kind of threat and vulnerability, so as to guarantee the confidentiality, integrity and availability of network information.

Second: the theoretical basis of network security. The International Organization for Standardization (ISO) once suggested defining computer security as: "A computer system must protect its hardware and data from being accidentally or intentionally disclosed, altered or destroyed." To help computer users distinguish and solve computer network security problems, the American Department of Defense published the "Orange Book" (official name: "Trusted Computer System Evaluation Criteria"), which specifies how the security levels of multi-user computer systems are divided. The Orange Book divides computer security, from low to high, into four classes and seven levels: D1, C1, C2, B1, B2, B3 and A1. Level D1 does not meet the minimum security threshold; C1 and C2 meet the minimum security threshold; B1 and B2 have a medium level of security protection; and B3 and A1 belong to the highest security rating. In the concrete design of a network, the technical specifications, equipment types, performance requirements and funding proposed in the overall network plan should be weighed together to determine a reasonable, high-performance network security level, and so achieve network security and reliability.

Third: the functions network security should have. To adapt well to the development of information technology, a computer network application system must have the following functions:

(1) Access control: by establishing an access control system for specific network segments and services, the overwhelming majority of attacks are stopped before they reach their target.

(2) Security vulnerability checking: through periodic checks for security vulnerabilities, the overwhelming majority of attacks are rendered ineffective even if they can reach their target.

(3) Attack monitoring: by establishing an attack monitoring system for specific network segments and services, the overwhelming majority of attacks can be detected in real time and responded to (for example by disconnecting the network connection, recording the attack process, and tracing the attack source).

(4) Encrypted communication: actively encrypting communication prevents an attacker from reading or modifying sensitive information.

(5) Authentication: a good authentication system prevents an attacker from impersonating a legitimate user.

(6) Backup and restoration: a good backup and restoration mechanism restores data and system services as quickly as possible when an attack causes losses.

(7) Multi-layered defense: after an attacker breaks through the first line of defense, further layers delay or block him from reaching the attack target.

(8) A security monitoring center: provides security system management, monitoring, protection and emergency services for the information system.

Fourth: comprehensive measures for network system security. To realize these network security functions, the network system must be guarded in an all-round way and a reasonable network security architecture formulated accordingly. Some protective measures for network system security are proposed below.

Physical security. Physical security has two aspects: one is man-made damage to the network, the other is harm the network does to its users. The most common case is construction workers who do not know where buried cables lie and so damage them; this can be guarded against by erecting marker signs. Networks without structured cabling frequently see users damaging cables, so structured cabling should be used to install the network as far as possible. The influence of man-made or natural disasters must be considered at the planning stage.

Access control security. Access control identifies and verifies users and restricts them to the activities and resources for which they are authorized. Network access control security can be considered from the following aspects.

(1) Password: the outermost line of defense of a network security system is user login. During login the system checks the validity of the user's login name and password, and only legitimate users can enter the system.

(2) Resource owner, attributes and access permissions: network resources mainly include shared files, shared printers, network communication equipment and other resources that all network users can use. The resource owner reflects the relationship of different users to a resource, such as creator, modifier and group member. Resource attributes express the access characteristics of the resource itself, such as who may read, write or execute it. Access permissions mainly reflect the degree to which a user may use network resources. Specifying the owner, attributes and access permissions of network resources can effectively control network system security at the application level.

(3) Network security monitoring: network monitoring, generally called "network management", performs dynamic monitoring of the running of the entire network and handles each kind of event promptly. Network monitoring makes it simple to find and solve security problems on the network, such as locating network fault points, catching IP address thieves, and controlling the scope of network access.

(4) Audit and tracking: network audit and tracking covers the recording and analysis of network resource use, network faults and system accounting. It generally consists of two parts: first, event recording, in which every kind of event is recorded in a file; second, analysis and statistics on the records, to find where the problem lies.

Data transmission security. Transmission security requires protecting information transmitted over the network against both passive and active attacks. The following measures can be taken:

(1) Encryption and digital signatures: a digital signature is a method by which the receiver of data confirms that the sender of the data is genuine. It is realized mainly through encryption algorithms and verification protocols.

(2) Firewall: a firewall is a security measure widely used on the Internet. It is a combination of components set up between different networks or network security domains. By monitoring, limiting and changing the data flow crossing the firewall, it examines as far as possible the information, structure and running status inside and outside the network, and so protects the network.

(3) Username/Password authentication: this is the most commonly used authentication method, used for operating system login, telnet (remote login), rlogin (remote login) and so on. The process is not encrypted, however, so the password is easily intercepted and recovered.

(4) Authentication using a digest algorithm: RADIUS (remote dial-in authentication protocol), OSPF (an open routing protocol), SNMP Security Protocol and others all use a shared Security Key together with a digest algorithm (MD5) for authentication. Because a digest algorithm is an irreversible process, the shared Security Key cannot be calculated from the digest during authentication, so the sensitive information is not transmitted over the network. The digest algorithms mainly used on the market are MD5 and SHA-1.

(5) Authentication and encryption based on PKI: this method uses PKI (public key infrastructure). It has a high security level and combines digest algorithms, asymmetric encryption, symmetric encryption, digital signatures and other techniques, uniting security with efficiency. It is currently used in email, application server access, client authentication, firewall authentication and other fields. This kind of authentication is very secure, but it involves a relatively heavy certificate management task.

(6) Virtual private network (VPN) technology: VPN technology mainly provides secure two-way communication over the public network, using a transparent encryption scheme to ensure data integrity and confidentiality.

In summary, for the security of computer network transmission we must do the following. First, strictly limit the system information and resources that Internet users can access; this can be achieved by setting up a NetScreen firewall on the access server. Second, strengthen the identity authentication of Internet users by using RADIUS or another dedicated authentication server. On the one hand, this allows unified management of Internet user accounts; on the other hand, using encryption during identity verification avoids the possibility of leaking users' passwords. Third, use encryption technology during data transmission to prevent data theft. One way is to use PGP for Business Security to encrypt data. Another is to use the VPN technology provided by the NetScreen firewall. Besides encrypting data between networks, VPN also provides encryption client software for single-machine users, that is, software encryption is used to ensure the security of data transmission.


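A Brief Analysis of Computer Network Security

Abstract: Addressing the security and reliability problems that exist in computer network systems, this paper offers some views on the importance of network security, its theoretical basis, the functions it should provide and the measures for solving these problems, and elaborates on them in detail, so that users can raise their awareness of security precautions in computer networking.

Keywords: computer network; virtual private network technology; encryption technology; firewall

As computer network technology develops, the security and reliability of networks have become a shared concern of users at every level. People want their network systems to run more reliably, without interference or damage from outside intruders. Resolving network security and reliability problems properly is therefore the precondition and guarantee for keeping a network running normally.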

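1. The importance of network security

Today, with informatization advancing rapidly, computer networks are in widespread use. But as the amount of information transmitted between networks grows sharply, some institutions and departments, while benefiting from faster business operations over the network, have also seen their online data attacked and damaged to varying degrees. Attackers can eavesdrop on information on the network and steal users' passwords and database information; they can also tamper with database content, forge user identities and repudiate their own signatures. Worse, attackers can delete database content, destroy network nodes, release computer viruses and so on. This puts data security and users' own interests under serious threat. According to an investigation by the US FBI (Federal Bureau of Investigation), the United States loses more than 17 billion US dollars every year because of network security problems. 75 companies reported that their financial losses were caused by computer system security problems. More than 50% of security threats come from inside, and only 59% of losses can be quantitatively estimated. In China, the economic losses caused by security problems in the computer systems of banking, securities and other financial sectors have reached several hundred million yuan, and network security threats against other industries also occur from time to time. It is clear that both deliberate attacks and unintentional operating mistakes can bring immeasurable losses to a system. A computer network must therefore have sufficiently strong security measures. Whether in a local area network or a wide area network, security measures should address every kind of threat and vulnerability in an all-round way; only then can the confidentiality, integrity and availability of network information be ensured.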

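2. The theoretical basis of network security

The International Organization for Standardization (ISO) once proposed defining computer security as: "A computer system must protect its hardware and data from accidental or deliberate disclosure, alteration and destruction." To help computer users distinguish and solve computer network security problems, the US Department of Defense published the "Orange Book" (official name: "Trusted Computer System Evaluation Criteria"), which lays down the division of security levels for multi-user computer systems. The Orange Book divides computer security, from low to high, into four classes and seven levels: D1, C1, C2, B1, B2, B3 and A1. Level D1 is the level that does not meet the minimum security threshold; C1 and C2 are the levels that meet the minimum security threshold; B1 and B2 are the levels with medium security protection capability; and B3 and A1 belong to the highest security level. In the concrete design of a network, a reasonable and relatively high-performance network security level should be determined by weighing together the technical specifications, equipment types, performance requirements and funding set out in the overall network plan, so as to achieve network security and reliability.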

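3. The functions network security should provide

To adapt better to the development of information technology, a computer network application system must provide the following functions:

(1) Access control: an access control system established for specific network segments and services stops the great majority of attacks before they reach their target.

(2) Security vulnerability checking: periodic checks for security vulnerabilities make the great majority of attacks ineffective even when they can reach their target.

(3) Attack monitoring: an attack monitoring system established for specific network segments and services can detect the great majority of attacks in real time and take responsive action (such as disconnecting the network connection, recording the attack process and tracing the attack source).

(4) Encrypted communication: actively encrypting communication keeps attackers from reading or modifying sensitive information.

(5) Authentication: a good authentication system prevents attackers from impersonating legitimate users.

(6) Backup and recovery: a good backup and recovery mechanism restores data and system services as quickly as possible when an attack causes losses.

(7) Multi-layered defense: after an attacker breaks through the first line of defense, it delays or blocks the attacker from reaching the target.

(8) A security monitoring center: provides security system management, monitoring, protection and emergency services for the information system.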

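4. Comprehensive measures for network system security

To realize the network security functions, the network system should be protected in an all-round way and a reasonable network security architecture drawn up accordingly. Some protective measures for network system security are proposed below.

Physical security can be divided into two aspects: one is human damage to the network, the other is harm done by the network to its users. The most common case is construction workers damaging underground cables because they do not know where the cables are; this can be prevented by putting up marker signs. In networks without structured cabling, users often damage cables, so structured cabling should be used to install the network wherever possible. The effects of man-made or natural disasters must be taken into account during planning and design.

Access control security: access control identifies and verifies users and confines them to the activities and resources for which they are authorized. Network access control security can be considered from the following aspects.

(1) Password: the outermost line of defense of a network security system is the network user's login. During login, the system checks the validity of the user's login name and password, and only legitimate users can enter the system.

(2) Owner, attributes and access permissions of network resources: network resources mainly include shared files, shared printers, network communication equipment and other resources that all network users can use. The resource owner reflects the relationship of different users to the resource, such as creator, modifier and member of the same group. Resource attributes express the access characteristics of the resource itself, such as who can read, write or execute it. Access permissions mainly reflect the degree to which a user can use network resources. Specifying the owner, attributes and access permissions of network resources can effectively control the security of the network system at the application level.

(3) Network security monitoring: network monitoring is commonly called "network management". Its main role is to monitor the running of the whole network dynamically and to handle all kinds of events promptly. Network monitoring makes it straightforward to find and solve security problems on the network, such as locating network fault points, catching IP address thieves and controlling the scope of network access.

(4) Audit and tracking: network audit and tracking includes recording and analyzing the use of network resources, network faults, system accounting and so on. It generally consists of two parts: first, recording events, that is, recording every kind of event in a file; second, analyzing and compiling statistics on the records in order to find where the problem lies.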

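Data transmission security: transmission security requires protecting the information transmitted over the network against both passive and active violations. The following measures can be taken for data transmission security:

(1) Encryption and digital signatures: a digital signature is a method the receiver of data uses to confirm that the sender of the data is indeed genuine. It is implemented mainly through encryption algorithms and verification protocols.

(2) Firewall: a firewall is a security measure widely used on the Internet. It is a combination of components that can be placed between different networks or network security domains. By monitoring, restricting and changing the data flows that cross the firewall, it examines as far as possible the information, structure and running status inside and outside the network, and in this way protects the network.

(3) Username/Password authentication: this is the most commonly used authentication method, used for operating system login, telnet (remote login), rlogin (remote login) and so on. However, the authentication process is not encrypted, so the password is easily intercepted and decrypted.

(4) Authentication using a digest algorithm: Radius (remote dial-in authentication protocol), OSPF (open routing protocol), SNMP Security Protocol and others all use a shared Security Key together with a digest algorithm (MD5) for authentication. A digest algorithm is an irreversible process, so during authentication the shared security key cannot be calculated from the digest, and the sensitive information is therefore not transmitted over the network. The digest algorithms mainly used on the market are MD5 and SHA-1.

(5) PKI-based authentication: PKI (public key infrastructure) is used for authentication and encryption. This method offers a high degree of security; it combines digest algorithms, asymmetric encryption, symmetric encryption, digital signatures and other techniques, and unites security with efficiency well. It is currently applied in email, application server access, client authentication, firewall authentication and other fields. This authentication method is highly secure, but it involves a fairly heavy certificate management task.

(6) Virtual private network (VPN) technology: VPN technology mainly provides secure two-way communication over the public network, using a transparent encryption scheme to guarantee the integrity and confidentiality of data.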

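Conclusion: In summary, to deal with the security of computer network transmission we must do the following. First, the system information and resources that Internet users may access should be strictly limited; this can be achieved by setting up a NetScreen firewall on the access server. Second, identity authentication of Internet users should be strengthened by using RADIUS or another dedicated authentication server. On the one hand, this allows Internet user accounts to be managed in a unified way; on the other hand, using encryption during identity verification avoids the possibility of user passwords being leaked. Third, encryption technology should be used during data transmission to prevent data from being stolen. One method is to encrypt data with PGP for Business Security. Another is to use the VPN technology provided by the NetScreen firewall. While providing data encryption between networks, VPN also provides encryption client software for single-machine users, that is, it uses software encryption to ensure the security of data transmission.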
