Let’s take a more detailed look at computer networking and securing the network. In today’s world, the internet connects nearly everyone and everything, and this is accomplished through networking. While most see computer networking as a positive, criminals routinely use the internet, and the networking protocols themselves, as weapons and tools to exploit vulnerabilities, and for this reason we must do our best to secure the network. We will review the basic components of a network, the threats and attacks against it, and learn how to protect networks from attackers. Network security itself can be a specialty career within cybersecurity; however, all information security professionals need to understand how networks operate and are exploited in order to secure them better.
Learning Objectives
Domain 4: Network Security Objectives
After completing this chapter, the participant will be able to:
L4 Explain the concepts of network security.
L4.1.1 Recognize common networking terms and models.
L4.1.2 Identify common protocols and ports and their secure counterparts.
L4.2.1 Identify types of network (cyber) threats and attacks.
L4.2.2 Discuss common tools used to identify and prevent threats.
L4.3.1 Identify common data center terminology.
L4.3.2 Recognize common cloud service terminology.
L4.3.3 Identify secure network design terminology.
L4.4.1 Practice the terminology of and review network security concepts.
Module Objectives
A network is simply two or more computers linked together to share data, information or resources.
To properly establish secure data communications, it is important to explore all of the technologies involved in computer communications. From hardware and software to protocols and encryption and beyond, there are many details, standards and procedures to be familiar with.
There are two basic types of networks:
Hub
Hubs are used to connect multiple devices in a network. They’re less likely to be seen in business or corporate networks than in home networks. Hubs are wired devices and are not as smart as switches or routers.
Switch
Rather than using a hub, you might consider using a switch, or what is also known as an intelligent hub. Switches are wired devices that know the addresses of the devices connected to them and route traffic to that port/device rather than retransmitting to all devices.
Offering greater efficiency for traffic delivery and improving the overall throughput of data, switches are smarter than hubs, but not as smart as routers. Switches can also create separate broadcast domains when used to create VLANs, which will be discussed later.
Router
Routers are used to control traffic flow on networks and are often used to connect similar networks and control traffic flow between them. Routers can be wired or wireless and can connect multiple switches. Smarter than hubs and switches, routers determine the most efficient “route” for the traffic to flow across the network.
Firewall
Firewalls are essential tools in managing and controlling network traffic and protecting the network. A firewall is a network device used to filter traffic. It is typically deployed between a private network and the internet, but it can also be deployed between departments (segmented networks) within an organization (overall network). Firewalls filter traffic based on a defined set of rules, also called filters or access control lists.
Server
A server is a computer that provides information to other computers on a network. Some common servers are web servers, email servers, print servers, database servers and file servers. All of these are, by design, networked and accessed in some way by a client computer. Servers are usually secured differently than workstations to protect the information they contain.
Endpoint
Endpoints are the ends of a network communication link. One end is often at a server where a resource resides, and the other end is often a client making a request to use a network resource. An endpoint can be another server, desktop workstation, laptop, tablet, mobile phone or any other end user device.
Ethernet
Ethernet (IEEE 802.3) is a standard that defines wired connections of networked devices. This standard defines the way data is formatted over the wire to ensure disparate devices can communicate over the same cables.
Device Address
Media Access Control (MAC) Address - Every network device is assigned a Media Access Control (MAC) address. An example is 00-13-02-1F-58-F5. The first 3 bytes (24 bits) of the address denote the vendor or manufacturer of the physical network interface. No two devices can have the same MAC address in the same local network; otherwise an address conflict occurs.
Internet Protocol (IP) Address - While MAC addresses are generally assigned in the firmware of the interface, IP hosts associate that address with a unique logical address. This logical IP address represents the network interface within the network and can be useful to maintain communications when a physical device is swapped with new hardware. Examples are 192.168.1.1 and 2001:db8::ffff:0:1.
Small Business Network
This diagram represents a small business network, which we will build upon during this lesson. The lines depict wired connections. Notice how all devices behind the firewall connect via the network switch, and the firewall lies between the network switch and the internet.
Typical Home Network
The network diagram below represents a typical home network. Notice the primary difference between the home network and the business network is that the router, firewall, and network switch are often combined into one device supplied by your internet provider and shown here as the wireless access point.
Many different models, architectures and standards exist that provide ways to interconnect different hardware and software systems with each other for the purposes of sharing information, coordinating their activities and accomplishing joint or shared tasks.
Computers and networks emerge from the integration of communication devices, storage devices, processing devices, security devices, input devices, output devices, operating systems, software, services, data and people.
Translating the organization’s security needs into safe, reliable and effective network systems needs to start with a simple premise. The purpose of all communications is to exchange information and ideas between people and organizations so that they can get work done.
Those simple goals can be re-expressed in network (and security) terms such as:
In the most basic form, a network model has at least two layers:
Upper Layer
The upper layer, also known as the host or application layer, is responsible for managing the integrity of a connection and controlling the session as well as establishing, maintaining and terminating communication sessions between two computers. It is also responsible for transforming data received from the Application Layer into a format that any system can understand. And finally, it allows applications to communicate and determines whether a remote communication partner is available and accessible.
Lower Layer
The lower layer is often referred to as the media or transport layer and is responsible for receiving bits from the physical connection medium and converting them into a frame. Frames are grouped into standardized sizes. Think of frames as a bucket and the bits as water. If the buckets are sized similarly and the water is contained within the buckets, the data can be transported in a controlled manner. Route data is added to the frames of data to create packets. In other words, a destination address is added to the bucket. Once we have the buckets sorted and ready to go, the host layer takes over.
The OSI Model was developed to establish a common way to describe the communication structure for interconnected computer systems. The OSI model serves as an abstract framework, or theoretical model, for how protocols should function in an ideal world, on ideal hardware. Thus, the OSI model has become a common conceptual reference that is used to understand the communication of various hierarchical components from software interfaces to physical hardware.
The OSI model divides networking tasks into seven distinct layers. Each layer is responsible for performing specific tasks or operations with the goal of supporting data exchange (in other words, network communication) between two computers. The layers are interchangeably referenced by name or layer number. For example, Layer 3 is also known as the Network Layer. The layers are ordered specifically to indicate how information flows through the various levels of communication. Each layer communicates directly with the layer above and the layer below it. For example, Layer 3 communicates with both the Data Link (2) and Transport (4) layers.
The Application, Presentation, and Session Layers (5-7) are commonly referred to simply as data. However, each layer has the potential to perform encapsulation. Encapsulation is the addition of header and possibly a footer (trailer) data by a protocol used at that layer of the OSI model. Encapsulation is particularly important when discussing Transport, Network and Data Link layers (2-4), which all generally include some form of header. At the Physical Layer (1), the data unit is converted into binary, i.e., 01010111, and sent across physical wires such as an ethernet cable.
It’s worth mapping some common networking terminology to the OSI Model so you can see the value in the conceptual model.
Consider the following examples:
Encapsulation occurs as the data moves down the OSI model from Application to Physical. As data is encapsulated at each descending layer, the previous layer’s header, payload and footer are all treated as the next layer’s payload. The data unit size increases as we move down the conceptual model and the contents continue to encapsulate.
The inverse action occurs as data moves up the OSI model layers from Physical to Application. This process is known as de-encapsulation (or decapsulation). The header and footer are used to properly interpret the data payload and are then discarded. As we move up the OSI model, the data unit becomes smaller. The encapsulation/de-encapsulation process is best depicted visually below:
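To make the growth of the data unit and the stripping of headers concrete, here is an added Python example (not from the original chapter): it wraps an application payload in real TCP, IPv4 and Ethernet headers with `struct`, records the size at each layer, then de-encapsulates the frame and verifies the IPv4 header checksum on the way back up. The IP and MAC addresses are the examples the text uses; the payload and the second MAC address are constructed.

```python
import socket
import struct

# The text's example addresses; DST_MAC and the payload are constructed.
SRC_MAC = bytes.fromhex("0013021f58f5")   # 00-13-02-1F-58-F5 from the text
DST_MAC = bytes.fromhex("0013021f58f6")   # constructed neighbour on the LAN
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header bytes."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def encapsulate(payload: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int):
    """Carry the payload down Transport (TCP), Network (IPv4) and Data Link
    (Ethernet). Returns the frame and the data-unit size seen at each layer."""
    sizes = [("application data", len(payload))]
    # Layer 4: 20-byte TCP header, no options; fixed seq/ack, flags PSH|ACK.
    segment = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 1,
                          5 << 4, 0x18, 65535, 0, 0) + payload
    sizes.append(("TCP segment", len(segment)))
    # Layer 3: 20-byte IPv4 header; checksum is computed with its field zeroed.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(segment),
                         0, 0, 64, PROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    packet = ip_hdr + segment
    sizes.append(("IPv4 packet", len(packet)))
    # Layer 2: 14-byte Ethernet header (the 4-byte FCS trailer is added by the NIC).
    frame = DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + packet
    sizes.append(("Ethernet frame", len(frame)))
    return frame, sizes


def decapsulate(frame: bytes) -> dict:
    """Strip each header going back up the stack, checking it on the way."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]                      # Ethernet header discarded
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:     # a valid header sums to zero
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", packet[2:4])[0]
    segment = packet[ihl:total_len]          # IPv4 header discarded
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {"proto": packet[9],
            "src_ip": socket.inet_ntoa(packet[12:16]),
            "dst_ip": socket.inet_ntoa(packet[16:20]),
            "src_port": src_port, "dst_port": dst_port,
            "payload": segment[data_offset:]}  # TCP header discarded


if __name__ == "__main__":
    frame, sizes = encapsulate(b"GET / HTTP/1.1\r\n", "192.168.1.1",
                               "216.12.146.140", 49152, 80)
    for layer, size in sizes:
        print(f"{layer:18s} {size:3d} bytes")
    print(decapsulate(frame))
```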
The OSI model wasn’t the first or only attempt to streamline networking protocols or establish a common communications standard. In fact, the most widely used protocol today, TCP/IP, was developed in the early 1970s. The OSI model was not developed until the late 1970s. The TCP/IP protocol stack focuses on the core functions of networking.
TCP/IP Protocol Architecture Layers

Layer | Function
---|---
Application Layer | Defines the protocols for the transport layer.
Transport Layer | Permits data to move among devices.
Internet Layer | Creates/inserts packets.
Network Interface Layer | How data moves through the network.

The most widely used protocol suite is TCP/IP, but it is not just a single protocol; rather, it is a protocol stack comprising dozens of individual protocols. TCP/IP is a platform-independent protocol based on open standards. However, this is both a benefit and a drawback. TCP/IP can be found in just about every available operating system, but it consumes a significant amount of resources and is relatively easy to hack into because it was designed for ease of use rather than for security.
At the Application Layer, TCP/IP protocols include Telnet, File Transfer Protocol (FTP), Simple Mail Transport Protocol (SMTP), and Domain Name Service (DNS).
The two primary Transport Layer protocols of TCP/IP are TCP and UDP. TCP is a full-duplex connection-oriented protocol, whereas UDP is a simplex connectionless protocol. In the Internet Layer, Internet Control Message Protocol (ICMP) is used to determine the health of a network or a specific link. ICMP is utilized by ping, traceroute and other network management tools. The ping utility employs ICMP echo packets and bounces them off remote systems. Thus, you can use ping to determine whether the remote system is online, whether the remote system is responding promptly, whether the intermediary systems are supporting communications, and the level of performance efficiency at which the intermediary systems are communicating.
IP is currently deployed and used worldwide in two major versions. IPv4 provides a 32-bit address space, which by the late 1980s was projected to be exhausted. IPv6 was introduced in December 1995 and provides a 128-bit address space along with several other important features.
IP hosts/devices associate an address with a unique logical address. An IPv4 address is expressed as four octets separated by a dot (.), for example, 216.12.146.140. Each octet may have a value between 0 and 255. However, 0 is the network itself (not a device on that network), and 255 is generally reserved for broadcast purposes. Each address is subdivided into two parts: the network number and the host. The network number assigned by an external organization, such as the Internet Corporation for Assigned Names and Numbers (ICANN), represents the organization’s network. The host represents the network interface within the network.
To ease network administration, networks are typically divided into subnets. Because subnets cannot be distinguished with the addressing scheme discussed so far, a separate mechanism, the subnet mask, is used to define the part of the address used for the subnet. The mask is usually converted to decimal notation like 255.255.255.0.
With the ever-increasing number of computers and networked devices, it is clear that IPv4 does not provide enough addresses for our needs. To overcome this shortcoming, IPv4 was sub-divided into public and private address ranges. Public addresses are limited with IPv4, but this issue was addressed in part with private addressing. Private addresses can be shared by anyone, and it is highly likely that everyone on your street is using the same address scheme.
The nature of the addressing scheme established by IPv4 meant that network designers had to start thinking in terms of IP address reuse. IPv4 facilitated this in several ways, such as its creation of the private address groups; this allows every LAN in every SOHO (small office, home office) situation to use addresses such as 192.168.2.xxx for its internal network addresses, without fear that some other system can intercept traffic on their LAN.
This table shows the private addresses available for anyone to use:

| Range |
|---|
| 10.0.0.0 to 10.255.255.254 |
| 172.16.0.0 to 172.31.255.254 |
| 192.168.0.0 to 192.168.255.254 |

The first octet of 127 is reserved for a computer’s loopback address. Usually, the address 127.0.0.1 is used. The loopback address is used to provide a mechanism for self-diagnosis and troubleshooting at the machine level. This mechanism allows a network administrator to treat a local machine as if it were a remote machine and ping the network interface to establish whether it is operational.
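An added example, not part of the original chapter, that applies the IPv4 rules just described: it parses dotted-quad addresses, classifies them as public, private or loopback using the private ranges in the table above, and splits an address into network number and host part with a subnet mask, rejecting a mask whose 1-bits are not contiguous. The sample addresses are the text's own plus constructed ones, and the result is cross-checked against the standard library's `ipaddress` module.

```python
import ipaddress  # standard library; used only to cross-check the manual arithmetic

# Private address blocks from the table above, written as (network, mask).
PRIVATE_BLOCKS = [("10.0.0.0", "255.0.0.0"),
                  ("172.16.0.0", "255.240.0.0"),
                  ("192.168.0.0", "255.255.0.0")]


def dotted_to_int(addr: str) -> int:
    """Validate four octets in 0..255 and pack them into a 32-bit integer."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError(f"{addr!r}: an IPv4 address needs four octets")
    value = 0
    for octet in parts:
        if not octet.isdigit() or not 0 <= int(octet) <= 255:
            raise ValueError(f"{addr!r}: octet {octet!r} is not in 0..255")
        value = (value << 8) | int(octet)
    return value


def int_to_dotted(value: int) -> str:
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def mask_prefix_length(mask: str) -> int:
    """A valid mask is a run of 1-bits followed by 0-bits (255.0.255.0 is not)."""
    m = dotted_to_int(mask)
    ones = bin(m).count("1")
    if m != (0xFFFFFFFF << (32 - ones)) & 0xFFFFFFFF:
        raise ValueError(f"{mask!r}: mask bits are not contiguous")
    return ones


def classify(addr: str) -> str:
    """'loopback' for 127.x.x.x, 'private' for the table's ranges, else 'public'."""
    value = dotted_to_int(addr)
    if value >> 24 == 127:
        return "loopback"
    for network, mask in PRIVATE_BLOCKS:
        if value & dotted_to_int(mask) == dotted_to_int(network):
            return "private"
    return "public"


def subnet_info(addr: str, mask: str) -> dict:
    """Split an address into its network number and host part using the mask.
    Host bits all 0 name the network itself; all 1 is the broadcast address."""
    value, prefix = dotted_to_int(addr), mask_prefix_length(mask)
    m = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    network = value & m
    broadcast = network | (~m & 0xFFFFFFFF)
    info = {"cidr": f"{int_to_dotted(network)}/{prefix}",
            "network": int_to_dotted(network),
            "host": value & ~m & 0xFFFFFFFF,
            "broadcast": int_to_dotted(broadcast),
            "first_host": int_to_dotted(network + 1),   # meaningful for /30 and larger
            "last_host": int_to_dotted(broadcast - 1)}
    # Cross-check the hand-rolled arithmetic against the standard library.
    expected = ipaddress.ip_network(info["cidr"])
    assert str(expected.broadcast_address) == info["broadcast"]
    return info


if __name__ == "__main__":
    for sample in ("192.168.1.1", "172.31.255.254", "172.32.0.1",
                   "216.12.146.140", "127.0.0.1"):
        print(f"{sample:16s} {classify(sample)}")
    print(subnet_info("192.168.1.77", "255.255.255.0"))
```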
IPv6 is a modernization of IPv4, which addressed a number of weaknesses in the IPv4 environment:
An IPv6 address is shown as eight groups of four digits. Instead of decimal (0-9) digits like IPv4, IPv6 addresses use the hexadecimal range (0000-ffff) and are separated by colons (:) rather than periods (.). An example IPv6 address is 2001:0db8:0000:0000:0000:ffff:0000:0001. To make it easier for humans to read and type, it can be shortened by removing the leading zeros at the beginning of each field and substituting two colons (::) for the longest run of consecutive zero fields. All fields must retain at least one digit. After shortening, the example address above is rendered as 2001:db8::ffff:0:1, which is much easier to type. As in IPv4, there are some addresses and ranges that are reserved for special uses:
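The shortening rules above, as an added Python example that is not part of the original chapter: `expand_ipv6` undoes both `::` and leading-zero removal, and `compress_ipv6` applies them, following RFC 5952 in that `::` is used only for a run of two or more zero fields and, among equal-length runs, the first one. Results are cross-checked against the standard library's `ipaddress` module, which follows the same RFC.

```python
import ipaddress  # standard library; used to cross-check the hand-rolled rules

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(addr: str) -> list:
    """Return the eight four-digit hex fields of an address, undoing '::'."""
    if addr.count("::") > 1:
        raise ValueError(f"{addr!r}: '::' may appear only once")
    if "::" in addr:
        head, tail = addr.split("::")
        head_fields = head.split(":") if head else []
        tail_fields = tail.split(":") if tail else []
        missing = 8 - len(head_fields) - len(tail_fields)
        if missing < 1:
            raise ValueError(f"{addr!r}: '::' must stand for at least one field")
        fields = head_fields + ["0"] * missing + tail_fields
    else:
        fields = addr.split(":")
    if len(fields) != 8:
        raise ValueError(f"{addr!r}: expected 8 fields, found {len(fields)}")
    expanded = []
    for field in fields:
        if not 1 <= len(field) <= 4 or not set(field) <= HEX_DIGITS:
            raise ValueError(f"{addr!r}: bad field {field!r}")
        expanded.append(field.lower().zfill(4))   # restore leading zeros
    return expanded


def compress_ipv6(addr: str) -> str:
    """Rule 1: drop leading zeros in each field (keeping at least one digit).
    Rule 2: replace the longest run of zero fields with '::' (first run on ties)."""
    fields = [f.lstrip("0") or "0" for f in expand_ipv6(addr)]
    best_start, best_len, run_start = -1, 0, None
    for i, field in enumerate(fields + ["end"]):   # sentinel closes a trailing run
        if field == "0":
            if run_start is None:
                run_start = i
        elif run_start is not None:
            if i - run_start > best_len:             # strictly longer: first run wins ties
                best_start, best_len = run_start, i - run_start
            run_start = None
    if best_len < 2:                                 # RFC 5952: never '::' for one field
        return ":".join(fields)
    head = ":".join(fields[:best_start])
    tail = ":".join(fields[best_start + best_len:])
    return f"{head}::{tail}"


def matches_stdlib(addr: str) -> bool:
    """True when our compression agrees with ipaddress.IPv6Address."""
    return compress_ipv6(addr) == str(ipaddress.IPv6Address(addr))


if __name__ == "__main__":
    example = "2001:0db8:0000:0000:0000:ffff:0000:0001"   # the text's example
    print(compress_ipv6(example))                         # 2001:db8::ffff:0:1
    print(expand_ipv6("2001:db8::ffff:0:1"))
```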
Wireless networking is a popular method of connecting corporate and home systems because of the ease of deployment and relatively low cost. It has made networking more versatile than ever before. Workstations and portable systems are no longer tied to a cable but can roam freely within the signal range of the deployed wireless access points. However, with this freedom comes additional vulnerabilities.
Wi-Fi range is generally wide enough for most homes or small offices, and range extenders may be placed strategically to extend the signal for larger campuses or homes. Over time the Wi-Fi standard has evolved, with each updated version faster than the last.
In a LAN, threat actors need to enter the physical space or immediate vicinity of the physical media itself. For wired networks, this can be done by placing sniffer taps onto cables, plugging in USB devices, or using other tools that require physical access to the network. By contrast, wireless media intrusions can happen at a distance.
TCP/IP’s vulnerabilities are numerous. Improperly implemented TCP/IP stacks in various operating systems are vulnerable to various DoS/DDoS attacks, fragment attacks, oversized packet attacks, spoofing attacks, and man-in-the-middle attacks.
TCP/IP (as well as most protocols) is also subject to passive attacks via monitoring or sniffing. Network monitoring, or sniffing, is the act of monitoring traffic patterns to obtain information about a network.
There are physical ports that you connect wires to and logical ports that determine where the data/traffic goes.
Physical Ports
Physical ports are the ports on routers, switches, servers, computers, etc. to which you connect the wires (e.g., fiber optic cables, Cat5 cables) to create a network.
Logical Ports
When a communication connection is established between two systems, it is done using ports. A logical port (also called a socket) is little more than an address number that both ends of the communication link agree to use when transferring data. Ports allow a single IP address to support multiple simultaneous communications, each using a different port number. In the Application Layer of the TCP/IP model (which includes the Session, Presentation, and Application Layers of the OSI model) reside numerous application- or service-specific protocols. Data types are mapped using port numbers associated with services. For example, web traffic (or HTTP) is port 80. Secure web traffic (or HTTPS) is port 443. Table 5.4 highlights some of these protocols and their customary or assigned ports. You’ll note that in several cases a service (or protocol) may have two ports assigned, one secure and one insecure. When in doubt, systems should be implemented using the most secure version possible of a protocol and its services.
Some network protocols transmit information in clear text, meaning it is not encrypted and should not be used. Clear text information is subject to network sniffing. This tactic uses software to inspect packets of data as they travel across the network and extract text such as usernames and passwords. Network sniffing could also reveal the content of documents and other files if they are sent via insecure protocols. The table below shows some of the insecure protocols along with recommended secure alternatives.
21 - FTP
Port 21, File Transfer Protocol (FTP), sends the username and password using plaintext from the client to the server. This could be intercepted by an attacker and later used to retrieve confidential information from the server. The secure alternative, SFTP, on port 22 uses encryption to protect the user credentials and packets of data being transferred.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
21 - FTP | File Transfer Protocol | 22* - SFTP | Secure File Transfer Protocol
23 - Telnet
Port 23, telnet, is used by many Linux systems and any other systems as a basic text-based terminal. All information to and from the host on a telnet connection is sent in plaintext and can be intercepted by an attacker. This includes username and password as well as all information that is being presented on the screen, since this interface is all text. Secure Shell (SSH) on port 22 uses encryption to ensure that traffic between the host and terminal is not sent in a plaintext format.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
23 - Telnet | Telnet | 22* - SSH | Secure Shell
25 - SMTP
Port 25, Simple Mail Transfer Protocol (SMTP), is the default unencrypted port for sending email messages. Since it is unencrypted, data contained within the emails could be discovered by network sniffing. The secure alternative is to use port 587 for SMTP with Transport Layer Security (TLS), which will encrypt the data between the mail client and the mail server.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
25 - SMTP | Simple Mail Transfer Protocol | 587 - SMTP | SMTP with TLS
37 - Time
Port 37, Time Protocol, may still be in use by legacy equipment but has mostly been replaced by Network Time Protocol (NTP) on port 123. NTP on port 123 offers better error-handling capabilities, which reduces the likelihood of unexpected errors.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
37 - Time | Time Protocol | 123 - NTP | Network Time Protocol
53 - DNS
Port 53, Domain Name Service (DNS), is still used widely. However, using DNS over TLS (DoT) on port 853 protects DNS information from being modified in transit.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
53 - DNS | Domain Name Service | 853 - DoT | DNS over TLS (DoT)
80 - HTTP
Port 80, HyperText Transfer Protocol (HTTP), is the basis of nearly all web browser traffic on the internet. Information sent via HTTP is not encrypted and is susceptible to sniffing attacks. HTTPS using TLS encryption is preferred, as it protects the data in transit between the server and the browser. Note that this is often notated as SSL/TLS. Secure Sockets Layer (SSL) has been compromised and is no longer considered secure. It is now recommended for web servers and clients to use Transport Layer Security (TLS) 1.3 or higher for the best protection.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
80 - HTTP | HyperText Transfer Protocol | 443 - HTTPS | HyperText Transfer Protocol (SSL/TLS)
143 - IMAP
Port 143, Internet Message Access Protocol (IMAP), is a protocol used for retrieving emails. IMAP traffic on port 143 is not encrypted and is susceptible to network sniffing. The secure alternative is to use port 993 for IMAP, which adds SSL/TLS security to encrypt the data between the mail client and the mail server.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
143 - IMAP | Internet Message Access Protocol | 993 - IMAP | IMAP over SSL/TLS
161/162 - SNMP
Ports 161 and 162, Simple Network Management Protocol (SNMP), are commonly used to send and receive data used for managing infrastructure devices. Because sensitive information is often included in these messages, it is recommended to use SNMP version 2 or 3 (abbreviated SNMPv2 or SNMPv3) to include encryption and additional security features. Unlike many others discussed here, all versions of SNMP use the same ports, so there is not a definitive secure and insecure pairing. Additional context will be needed to determine whether information on ports 161 and 162 is secured or not.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
161/162 - SNMP | Simple Network Management Protocol | 161/162 - SNMP | SNMPv3
445 - SMB
Port 445, Server Message Block (SMB), is used by many versions of Windows for accessing files over the network. Files are transmitted unencrypted, and many vulnerabilities are well-known. Therefore, it is recommended that traffic on port 445 should not be allowed to pass through a firewall at the network perimeter. A more secure alternative is port 2049, Network File System (NFS). Although NFS can use encryption, it is recommended that NFS not be allowed through firewalls either.

Insecure Port | Protocol | Secure Alternative Port | Protocol
---|---|---|---
445 - SMB | Server Message Block | 2049 - NFS | Network File System
389-LDAP
Port 389, Lightweight Directory Access Protocol (LDAP), is used to communicate directory information from servers to clients. This can be an address book for email or usernames for logins. The LDAP protocol also allows records in the directory to be updated, introducing additional risk. Since LDAP is not encrypted, it is susceptible to sniffing and manipulation attacks. Lightweight Directory Access Protocol Secure (LDAPS) adds SSL/TLS security to protect the information while it is in transit. 端口389(轻量级目录访问协议(LDAP))用于将目录信息从服务器传送到客户端。这可以是电子邮件的地址簿或登录的用户名。LDAP协议还允许更新目录中的记录,从而引入了额外的风险。由于LDAP未加密,因此很容易受到嗅探和操纵攻击。轻量级目录访问协议安全(LDAPS)添加了SSL/TLS安全性,以在传输中保护信息。
Insecure Port | Protocol | Secure Alternative Port | Protocol |
---|---|---|---|
389 - LDAP | Lightweight Directory Access Protocol | 636 - LDAPS | Lightweight Directory Access Protocol Secure |
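To make the port pairings above actionable, here is an added example (not part of the course material) of an audit routine in Python that classifies observed connections by destination port, suggests the secure alternative from the tables, and handles the SNMP caveat that every version shares ports 161 and 162. The connection records, the `crosses_perimeter` flag and the `snmp_version` field (which a sensor would have to supply from packet inspection) are constructed assumptions for the example.

```python
"""Audit observed connections for insecure protocols that have a known
secure alternative. Added illustration; port pairings follow the course
tables, connection records below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

# Insecure port -> (protocol, secure alternative port, secure protocol).
# SNMP keeps the same ports, so its alternative is a protocol version.
INSECURE_PORTS = {
    445: ("SMB", 2049, "NFS"),
    389: ("LDAP", 636, "LDAPS"),
    161: ("SNMP", 161, "SNMPv3"),
    162: ("SNMP", 162, "SNMPv3"),
}
SNMP_PORTS = {161, 162}
# Neither SMB nor NFS should be allowed through the perimeter firewall.
FILE_SHARING_PORTS = {445, 2049}


@dataclass
class Connection:
    src: str
    dst: str
    dst_port: int
    crosses_perimeter: bool = False      # assumption: set by the sensor placement
    snmp_version: Optional[int] = None   # assumption: parsed from the SNMP header


def assess(conn: Connection) -> dict:
    """Return a finding for one connection: verdict plus recommendation."""
    port = conn.dst_port
    if conn.crosses_perimeter and port in FILE_SHARING_PORTS:
        return {"port": port, "verdict": "block-at-perimeter",
                "recommendation": "do not allow SMB or NFS through the perimeter firewall"}
    entry = INSECURE_PORTS.get(port)
    if entry is None:
        return {"port": port, "verdict": "not-in-scope", "recommendation": None}
    proto, alt_port, alt_proto = entry
    if port in SNMP_PORTS:
        # Same ports for every SNMP version: the port alone proves nothing.
        if conn.snmp_version is None:
            return {"port": port, "verdict": "needs-context",
                    "recommendation": "determine the SNMP version in use; prefer SNMPv3"}
        if conn.snmp_version >= 3:
            return {"port": port, "verdict": "secure", "recommendation": None}
        return {"port": port, "verdict": "insecure",
                "recommendation": f"upgrade SNMPv{conn.snmp_version} to SNMPv3 (same port {port})"}
    return {"port": port, "verdict": "insecure",
            "recommendation": f"replace {proto}/{port} with {alt_proto}/{alt_port}"}


# Constructed sample traffic (RFC 5737 / RFC 1918 addresses).
SAMPLE_CONNECTIONS = [
    Connection("10.0.1.15", "10.0.1.5", 389),
    Connection("10.0.1.15", "10.0.1.5", 636),
    Connection("10.0.2.7", "10.0.2.1", 161, snmp_version=2),
    Connection("10.0.2.7", "10.0.2.1", 161, snmp_version=3),
    Connection("10.0.2.7", "10.0.2.1", 162),
    Connection("203.0.113.9", "10.0.3.20", 445, crosses_perimeter=True),
    Connection("10.0.3.21", "10.0.3.20", 445),
]


def audit(conns):
    """One finding per connection, in input order."""
    return [assess(c) for c in conns]


def summarize(conns):
    """Count findings per verdict, e.g. for a dashboard tile."""
    counts = {}
    for finding in audit(conns):
        counts[finding["verdict"]] = counts.get(finding["verdict"], 0) + 1
    return counts


if __name__ == "__main__":
    for conn, finding in zip(SAMPLE_CONNECTIONS, audit(SAMPLE_CONNECTIONS)):
        print(f"{conn.src} -> {conn.dst}:{conn.dst_port}  {finding['verdict']}"
              f"  {finding['recommendation'] or ''}")
    print(summarize(SAMPLE_CONNECTIONS))
```

The SNMP branch is the point of the example: a port-based rule that reports "insecure" for every packet to 161/162 would be wrong half the time, so the verdict is deferred until the version is known.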
Module Objectives
There are many types of cyber threats to organizations. Below are several of the most common types:
Spoofing
An attack with the goal of gaining access to a target system through the use of a falsified identity. Spoofing can be used against IP addresses, MAC addresses, usernames, system names, wireless network SSIDs, email addresses, and many other types of logical identification.
Phishing
An attack that attempts to misdirect legitimate users to malicious websites through the abuse of URLs or hyperlinks in emails could be considered phishing.
DoS/DDoS
A denial-of-service (DoS) attack is a network resource consumption attack that has the primary goal of preventing legitimate activity on a victimized system. Attacks involving numerous unsuspecting secondary victim systems are known as distributed denial-of-service (DDoS) attacks.
Virus
The computer virus is perhaps the earliest form of malicious code to plague security administrators. As with biological viruses, computer viruses have two main functions—propagation and destruction. A virus is a self-replicating piece of code that spreads without the consent of a user, but frequently with their assistance (a user has to click on a link or open a file).
Worm
Worms pose a significant risk to network security. They contain the same destructive potential as other malicious code objects with an added twist—they propagate themselves without requiring any human intervention.
Trojan
Named after the ancient story of the Trojan horse, the Trojan is a software program that appears benevolent but carries a malicious, behind-the-scenes payload that has the potential to wreak havoc on a system or network. For example, ransomware often uses a Trojan to infect a target machine and then uses encryption technology to encrypt documents, spreadsheets and other files stored on the system with a key known only to the malware creator.
On-path attack
In an on-path attack, attackers place themselves between two devices, often between a web browser and a web server, to intercept or modify information that is intended for one or both of the endpoints. On-path attacks are also known as man-in-the-middle (MITM) attacks.
Side-channel
A side-channel attack is a passive, noninvasive attack to observe the operation of a device. Methods include power monitoring, timing and fault analysis attacks.
Advanced Persistent Threat (APT)
Advanced persistent threat (APT) refers to threats that demonstrate an unusually high level of technical and operational sophistication spanning months or even years. APT attacks are often conducted by highly organized groups of attackers.
Insider Threat
Insider threats are threats that arise from individuals who are trusted by the organization. These could be disgruntled employees or employees involved in espionage. Insider threats are not always willing participants. A trusted user who falls victim to a scam could be an unwilling insider threat.
Malware
A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity or availability of the victim’s data, applications or operating system or otherwise annoying or disrupting the victim.
Ransomware
Malware used for the purpose of facilitating a ransom attack. Ransomware attacks often use cryptography to “lock” the files on an affected computer and require the payment of a ransom fee in return for the “unlock” code.
So far in this chapter, we have explored how a TCP/IP network operates, and we have seen some examples of how threat actors can exploit some of the inherent vulnerabilities. The remainder of this module will discuss the various ways these network threats can be detected and even prevented.
While there is no single step you can take to protect against all attacks, there are some basic steps you can take that help to protect against many types of attacks.
Here are some examples of steps that can be taken to protect networks.
Intrusion Detection System (IDS)
An intrusion occurs when an attacker is able to bypass or thwart security mechanisms and gain access to an organization’s resources. Intrusion detection is a specific form of monitoring that monitors recorded information and real-time events to detect abnormal activity indicating a potential incident or intrusion. An intrusion detection system (IDS) automates the inspection of logs and real-time system events to detect intrusion attempts and system failures. An IDS is intended as part of a defense-in-depth security plan. It will work with, and complement, other security mechanisms such as firewalls, but it does not replace them.
IDSs can recognize attacks that come from external connections, such as an attack from the internet, and attacks that spread internally, such as a malicious worm. Once they detect a suspicious event, they respond by sending alerts or raising alarms. A primary goal of an IDS is to provide a means for a timely and accurate response to intrusions.
Intrusion detection and prevention refer to capabilities that are part of isolating and protecting a more secure or more trusted domain or zone from one that is less trusted or less secure. These are natural functions to expect of a firewall, for example.
IDS types are commonly classified as host-based and network-based. A host-based IDS (HIDS) monitors a single computer or host. A network-based IDS (NIDS) monitors a network by observing network traffic patterns.
Host-based Intrusion Detection System (HIDS)
A HIDS monitors activity on a single computer, including process calls and information recorded in system, application, security and host-based firewall logs. It can often examine events in more detail than a NIDS can, and it can pinpoint specific files compromised in an attack. It can also track processes employed by the attacker. A benefit of HIDSs over NIDSs is that HIDSs can detect anomalies on the host system that NIDSs cannot detect. For example, a HIDS can detect infections where an intruder has infiltrated a system and is controlling it remotely. HIDSs are more costly to manage than NIDSs because they require administrative attention on each system, whereas NIDSs usually support centralized administration. A HIDS cannot detect network attacks on other systems.
Network Intrusion Detection System (NIDS)
A NIDS monitors and evaluates network activity to detect attacks or event anomalies. It cannot monitor the content of encrypted traffic but can monitor other packet details. A single NIDS can monitor a large network by using remote sensors to collect data at key network locations that send data to a central management console. These sensors can monitor traffic at routers, firewalls, network switches that support port mirroring, and other types of network taps. A NIDS has very little negative effect on the overall network performance, and when it is deployed on a single-purpose system, it doesn’t adversely affect performance on any other computer. A NIDS is usually able to detect the initiation of an attack or ongoing attacks, but it can’t always provide information about the success of an attack. It won’t know if an attack affected specific systems, user accounts, files or applications.
Security Information and Event Management (SIEM)
Security management involves the use of tools that collect information about the IT environment from many disparate sources to better examine the overall security of the organization and streamline security efforts. These tools are generally known as security information and event management (or S-I-E-M, pronounced “SIM”) solutions. The general idea of a SIEM solution is to gather log data from various sources across the enterprise to better understand potential security concerns and apportion resources accordingly.
SIEM systems can be used along with other components (defense-in-depth) as part of an overall information security program.
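As an added illustration of the SIEM idea (example code, not the course's own), the Python below normalizes constructed log lines from three different sources (a firewall, Windows Security logon-failure events with ID 4625, and a HIDS alert feed) into one event schema and correlates them by source IP: an address that shows up in two or more log sources within ten minutes becomes a single finding. The log formats, host names and addresses are constructed for the example; the three parsers are deliberately strict so that a line from one source cannot be misread as another.

```python
"""Minimal SIEM-style normalization and correlation over constructed logs.
Added example; the log formats and hosts are invented for illustration."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Event:
    ts: datetime
    source: str     # which log produced the event
    actor: str      # IP address the event is attributed to
    category: str   # normalized category shared across sources


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed firewall line: "<ts> <host> DENY|ALLOW src= dst= dport= proto="
FW_RE = re.compile(r"^(\S+) (\S+) (DENY|ALLOW) src=(\S+) dst=(\S+) dport=(\d+) proto=(\w+)$")


def parse_firewall(line):
    m = FW_RE.match(line)
    if not m:
        return None
    ts, _host, action, src, _dst, dport, _proto = m.groups()
    return Event(parse_ts(ts), "firewall", src, f"fw-{action.lower()}-{dport}")


def parse_winauth(line):
    # Constructed CSV export: ts,host,event_id,source_ip,user,message
    parts = line.split(",")
    if len(parts) != 6:
        return None
    ts, _host, event_id, src_ip, _user, _msg = parts
    category = "auth-failure" if event_id == "4625" else "auth-other"
    return Event(parse_ts(ts), "windows-security", src_ip, category)


def parse_hids(line):
    # Constructed JSON alert with ts, host, src_ip and rule fields.
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or "src_ip" not in rec:
        return None
    return Event(parse_ts(rec["ts"]), "hids", rec["src_ip"], "hids-" + rec["rule"])


PARSERS = [parse_firewall, parse_winauth, parse_hids]


def normalize(lines):
    """Run each line through the parsers; unknown formats are skipped."""
    events = []
    for line in lines:
        for parser in PARSERS:
            ev = parser(line)
            if ev:
                events.append(ev)
                break
    return sorted(events, key=lambda e: e.ts)


def correlate(events, window=timedelta(minutes=10), min_sources=2):
    """Raise one finding per actor seen in >= min_sources log sources within window."""
    by_actor = {}
    for ev in events:                      # events arrive time-sorted
        by_actor.setdefault(ev.actor, []).append(ev)
    findings = []
    for actor, evs in by_actor.items():
        for i, first in enumerate(evs):    # sliding window anchored on each event
            cluster = [e for e in evs[i:] if e.ts - first.ts <= window]
            sources = {e.source for e in cluster}
            if len(sources) >= min_sources:
                findings.append({"actor": actor, "sources": sorted(sources),
                                 "start": first.ts, "count": len(cluster)})
                break
    return findings


SAMPLE_LOGS = [  # constructed
    "2024-05-01T10:02:11Z fw01 DENY src=10.0.1.15 dst=10.0.1.5 dport=445 proto=tcp",
    "2024-05-01T10:03:40Z,winsrv05,4625,10.0.1.15,alice,logon failure",
    '{"ts": "2024-05-01T10:05:02Z", "host": "ws-alice", "src_ip": "10.0.1.15", "rule": "portable-scanner-launched"}',
    "2024-05-01T10:06:00Z fw01 ALLOW src=10.0.9.9 dst=10.0.1.5 dport=443 proto=tcp",
    '{"ts": "2024-05-01T10:00:00Z", "host": "ws-bob", "src_ip": "10.0.4.4", "rule": "portable-scanner-launched"}',
    "2024-05-01T10:30:00Z fw01 DENY src=10.0.4.4 dst=10.0.1.5 dport=445 proto=tcp",
    "this line is not in any known format",
]

if __name__ == "__main__":
    for finding in correlate(normalize(SAMPLE_LOGS)):
        print(finding)
```

Only 10.0.1.15 produces a finding: 10.0.4.4 also appears in two sources, but thirty minutes apart, which is the kind of time-window decision a real SIEM rule has to make explicitly.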
Here we see an example of an Intrusion Detection System (IDS) alert. This is provided as an example of how threats are identified. Some of the concepts in this scenario are more advanced than this course, so don’t be alarmed if you don’t understand everything discussed here.
We’ll start by reviewing the main points of the data that is presented to us. Note that in this example, the hostname and username fields have been removed to maintain anonymity.
This tells us that the IDS detected the use of software called Advanced IP Scanner that can be used by attackers to enumerate, or look through the network, scanning addresses to see what services are running on the computers in the local network. This software is also used by network or system administrators to inventory a local network for troubleshooting purposes. Finally, this top section of the alert screen tells us that the event was reported by an endpoint agent, meaning that it was generated by a Host Intrusion Detection System (HIDS) solution, not a Network Intrusion Detection System (NIDS).
This line identifies the host that is running the suspicious process as a Windows system.
This process section identifies the start time, process name and ID (or pid) number that correlates to the process in the Windows Task Manager. This can be helpful in a couple of ways. First, the start time tells us how long the process has been running. The pid can also give some clues, as lower pid numbers may indicate a process that started running during the boot sequence and higher numbers indicate something that was started much later.
These lines give us the details of the executable file, including the path to the file itself as well as the actual command line that was used to run the executable. These are important contextually as they show the program executed from a Temp folder under the user’s ID, which typically does not require administrative privileges in a Windows system. In other words, it could be run by any average user. The command line used shows additional context, including that the application is running as a portable application, meaning that it doesn’t have to be formally installed on the machine to execute.
In this case, there is not enough context to really know if this process is being used in a malicious manner. Like many security alerts, this one relies on some human interaction, so you should contact the end user assigned to this asset to inquire whether they are, in fact, running this software and if they have a legitimate business reason to do so. If you discover that this was intended, it might be a good place to explain to them that you were alerted because this legitimate software can be used by threat actors to conduct reconnaissance on the local network to determine where there might be weaknesses to exploit.
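The walkthrough above can be turned into a repeatable triage check. The following is an added example, not the course's alert tooling: it takes a constructed alert record with the fields the narration discusses (reporting agent, OS, process start time and pid, image path, command line), derives the indicators the narration points out, and returns the same recommendation to confirm with the assigned user. The field names, the `portable` marker in the command line and the pid threshold are assumptions made for the example; the hostname and username are redacted as in the original alert.

```python
"""Triage helper for an endpoint (HIDS) alert like the one discussed above.
Added illustration; the alert record and field names are constructed."""
import re
from datetime import datetime, timezone

# Constructed alert record. Username redacted as in the course's screenshot.
SAMPLE_ALERT = {
    "reported_by": "endpoint agent",
    "os": "Windows",
    "process": {"name": "Advanced_IP_Scanner.exe", "pid": 8844,
                "start_time": "2024-05-01T09:55:00Z"},
    "image_path": r"C:\Users\REDACTED_USER\AppData\Local\Temp\Advanced_IP_Scanner.exe",
    # assumption: the vendor's portable mode leaves a recognizable marker in the command line
    "command_line": r'"C:\Users\REDACTED_USER\AppData\Local\Temp\Advanced_IP_Scanner.exe" portable',
}

# Per-user Temp folder on Windows; writing and executing there needs no admin rights.
USER_TEMP_RE = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# Heuristic threshold (assumption): pids below this usually belong to boot-time processes.
BOOT_PID_THRESHOLD = 1000


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def triage(alert, now):
    """Derive the contextual indicators from the alert and recommend next steps."""
    proc = alert["process"]
    indicators = {
        # "endpoint agent" means a HIDS produced the event, not a network sensor
        "detector": "HIDS" if "endpoint" in alert["reported_by"].lower() else "NIDS",
        "os": alert["os"],
        "run_from_user_temp": bool(USER_TEMP_RE.match(alert["image_path"])),
        "portable_invocation": "portable" in alert["command_line"].lower(),
        "runtime_minutes": int((now - parse_ts(proc["start_time"])).total_seconds() // 60),
        "likely_boot_time_process": proc["pid"] < BOOT_PID_THRESHOLD,
    }
    # The alert alone cannot prove malice; the assigned user has to confirm.
    actions = ["contact the user assigned to this asset to confirm the tool and a business reason"]
    if indicators["run_from_user_temp"]:
        actions.append("note: executed from the user's Temp folder, so no admin privileges were needed")
    if indicators["portable_invocation"]:
        actions.append("note: portable invocation, so the tool was never formally installed")
    if not indicators["likely_boot_time_process"]:
        actions.append("note: high pid and recent start time point to a user-initiated launch")
    return {"verdict": "needs-human-verification", "indicators": indicators, "actions": actions}


if __name__ == "__main__":
    result = triage(SAMPLE_ALERT, parse_ts("2024-05-01T10:15:00Z"))
    print(result["verdict"])
    for key, value in result["indicators"].items():
        print(f"  {key}: {value}")
    for action in result["actions"]:
        print(f"  - {action}")
```

The verdict is fixed at "needs-human-verification" on purpose: the indicators sharpen the conversation with the user, they do not replace it.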
While there is no single step you can take to protect against all threats, there are some basic steps you can take that help reduce the risk of many types of threats.
Antivirus
The use of antivirus products is strongly encouraged as a security best practice and is a requirement for compliance with the Payment Card Industry Data Security Standard (PCI DSS). There are several antivirus products available, and many can be deployed as part of an enterprise solution that integrates with several other security products.
Antivirus systems try to identify malware based on the signature of known malware or by detecting abnormal activity on a system. This identification is done with various types of scanners, pattern recognition and advanced machine learning algorithms.
Anti-malware now goes beyond just virus protection, as modern solutions try to provide a more holistic approach, detecting rootkits, ransomware and spyware. Many endpoint solutions also include software firewalls and IDS or IPS systems.
Scans
Here is an example scan from Zenmap showing open ports on a host.
Regular vulnerability and port scans are a good way to evaluate the effectiveness of security controls used within an organization. They may reveal areas where patches or security settings are insufficient, where new vulnerabilities have developed or become exposed, and where security policies are either ineffective or not being followed. Attackers can exploit any of these vulnerabilities.
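As an added example (not from the course), the Python below parses a constructed scan in nmap's normal output format, which is what Zenmap displays, and compares the open ports against a baseline of what policy allows for that host. It flags unexpected open ports, with extra weight on 445 and 2049, which the text says should not cross the perimeter, and also flags expected services that are not listening, since a missing control is a finding too. The scan output, host address and baseline are constructed.

```python
"""Compare a port scan against a policy baseline. Added example; the scan
output below is constructed in nmap's normal output format."""
import re

SAMPLE_SCAN = """\
Nmap scan report for 10.0.3.20
Host is up (0.0012s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
3389/tcp filtered ms-wbt-server
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")

# Constructed baseline: ports policy says each host may expose.
BASELINE = {"10.0.3.20": {22, 443}}
# Ports the course says must not be reachable through the perimeter firewall.
PERIMETER_BLOCK = {445, 2049}


def parse_scan(text):
    """Return (host, [port records]) from nmap normal output."""
    host, ports = None, []
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE_RE.match(line)
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4)})
    return host, ports


def evaluate(text, baseline=BASELINE):
    """Findings for open ports outside the baseline and baseline ports not open."""
    host, ports = parse_scan(text)
    allowed = baseline.get(host, set())
    open_ports = {p["port"] for p in ports if p["state"] == "open"}
    findings = []
    for port in sorted(open_ports - allowed):
        severity = "high" if port in PERIMETER_BLOCK else "medium"
        findings.append({"host": host, "port": port,
                         "issue": "unexpected open port", "severity": severity})
    for port in sorted(allowed - open_ports):
        findings.append({"host": host, "port": port,
                         "issue": "expected service not listening", "severity": "low"})
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_SCAN):
        print(f"{f['host']}:{f['port']}  {f['severity']:6}  {f['issue']}")
```

Filtered ports (3389 here) are deliberately not counted as open: the scan saw a firewall in the way, which is the control working as intended.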
Firewalls
In building construction or vehicle design, a firewall is a specially built physical barrier that prevents the spread of fire from one area of the structure to another or from one compartment of a vehicle to another. Early computer security engineers borrowed that name for the devices and services that isolate network segments from each other, as a security measure. As a result, firewalling refers to the process of designing, using or operating different processes in ways that isolate high-risk activities from lower-risk ones.
Firewalls enforce policies by filtering network traffic based on a set of rules. While a firewall should always be placed at internet gateways, other internal network considerations and conditions determine where a firewall would be employed, such as network zoning or segregation of different levels of sensitivity. Firewalls have rapidly evolved over time to provide enhanced security capabilities. This growth in capabilities can be seen in the graphic below, which contrasts an oversimplified view of traditional and next-generation firewalls. A next-generation firewall integrates a variety of threat management capabilities into a single framework, including proxy services, intrusion prevention services (IPS) and tight integration with the identity and access management (IAM) environment to ensure only authorized users are permitted to pass traffic across the infrastructure. While firewalls can manage traffic at Layers 2 (MAC addresses), 3 (IP ranges) and 7 (application programming interface (API) and application firewalls), the traditional implementation has been to control traffic at Layer 4.
Intrusion Prevention System (IPS)
An intrusion prevention system (IPS) is a special type of active IDS that automatically attempts to detect and block attacks before they reach target systems. A distinguishing difference between an IDS and an IPS is that the IPS is placed in line with the traffic. In other words, all traffic must pass through the IPS, and the IPS can choose what traffic to forward and what traffic to block after analyzing it. This allows the IPS to prevent an attack from reaching a target. Since IPS systems are most effective at preventing network-based attacks, it is common to see the IPS function integrated into firewalls. Just like IDS, there are network-based IPS (NIPS) and host-based IPS (HIPS).
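To show first-match rule evaluation at Layers 3 and 4 and the inline difference between an IDS and an IPS, here is an added example (not the course's own) of a small policy engine in Python: an ordered rule list with a default deny, processed either in `ids` mode (traffic is always forwarded and a deny match only raises an alert, as a passive sensor would) or in `ips` mode (a deny match or no match at all drops the packet, as an inline device does). The rules, addresses and notes are constructed; the denies for 445 and 2049 follow the course's advice for the perimeter.

```python
"""Ordered first-match packet filter with IDS (passive) and IPS (inline) modes.
Added example; the rule set and addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass
class Rule:
    action: str           # "allow" or "deny"
    src: str              # CIDR
    dst: str              # CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches every destination port
    note: str             # human-readable reason, used in alerts


def matches(rule, pkt):
    """Layer 3 (addresses) and Layer 4 (protocol, port) match of one rule."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src, strict=False)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst, strict=False)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))


def first_match(rules, pkt):
    """Rules are evaluated in order; the first match decides. None = no match."""
    for rule in rules:
        if matches(rule, pkt):
            return rule
    return None


INTERNAL = "10.0.0.0/8"
ANY = "0.0.0.0/0"
# Constructed perimeter policy. Order matters: the denies sit above the allows.
PERIMETER_RULES = [
    Rule("deny", ANY, INTERNAL, "tcp", 445, "SMB must not cross the perimeter"),
    Rule("deny", ANY, INTERNAL, "any", 2049, "NFS must not cross the perimeter either"),
    Rule("allow", ANY, "10.0.3.20/32", "tcp", 443, "public web server"),
    Rule("allow", INTERNAL, "10.0.1.5/32", "tcp", 636, "LDAPS to the directory server"),
]


def process(pkt, rules, mode):
    """Return (decision, alert). IDS: always forward, alert on a block verdict.
    IPS: drop on a block verdict. Anything unmatched falls to default deny."""
    rule = first_match(rules, pkt)
    blocked = rule is None or rule.action == "deny"
    reason = rule.note if rule else "default deny"
    if mode == "ids":
        return ("forward", reason if blocked else None)
    if mode == "ips":
        return ("drop", reason) if blocked else ("forward", None)
    raise ValueError("mode must be 'ids' or 'ips'")


if __name__ == "__main__":
    samples = [  # constructed traffic
        Packet("203.0.113.9", "10.0.3.20", "tcp", 445),
        Packet("203.0.113.9", "10.0.3.20", "tcp", 443),
        Packet("10.0.1.15", "10.0.1.5", "tcp", 636),
        Packet("10.0.1.15", "10.0.1.5", "tcp", 389),
    ]
    for mode in ("ids", "ips"):
        for pkt in samples:
            print(mode, pkt.dst, pkt.dport, process(pkt, PERIMETER_RULES, mode))
```

Note that in `ids` mode the SMB packet still reaches the host; the sensor can only report it, which is exactly why the text says the IPS function is usually folded into the firewall that sits inline.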
Module Objective
When it comes to data centers, there are two primary options: organizations can outsource the data center or own the data center. If the data center is owned, it will likely be built on premises. A physical location, such as a building, is needed for the data center, along with power, HVAC, fire suppression and redundancy.
Data Center/Closets
The facility wiring infrastructure is integral to overall information system security and reliability. Protecting access to the physical layer of the network is important in minimizing intentional or unintentional damage. Proper protection of the physical site must address these sorts of security challenges. Data centers and wiring closets may include the following:
Heating, Ventilation and Air Conditioning (HVAC) / Environmental
High-density equipment and equipment within enclosed spaces requires adequate cooling and airflow. Well-established standards for the operation of computer equipment exist, and equipment is tested against these standards. For example, the recommended range for optimized maximum uptime and hardware life is from 64° to 81°F (18° to 27°C), and it is recommended that a rack have three temperature sensors, positioned at the top, middle and bottom of the rack, to measure the actual operating temperature of the environment. Proper management of data center temperatures, including cooling, is essential.
Cooling is not the only issue with airflow: Contaminants like dust and noxious fumes require appropriate controls to minimize their impact on equipment. Monitoring for water or gas leaks, sewer overflow or HVAC failure should be integrated into the building control environment, with appropriate alarms to signal to organizational staff. Contingency planning to respond to the warnings should prioritize the systems in the building, so the impact of a major system failure on people, operations or other infrastructure can be minimized.
Fire Suppression
For server rooms, appropriate fire detection/suppression must be considered based on the size of the room, typical human occupation, egress routes and risk of damage to equipment. For example, water used for fire suppression would cause more harm to servers and other electronic components. Gas-based fire suppression systems are more friendly to the electronics, but can be toxic to humans.
Power
Data centers and information systems in general consume a tremendous amount of electrical power, which needs to be delivered both constantly and consistently. Wide fluctuations in the quality of power affect system lifespan, while disruptions in supply completely stop system operations.
Power at the site is always an integral part of data center operations. Regardless of fuel source, backup generators must be sized to provide for the critical load (the computing resources) and the supporting infrastructure. Similarly, battery backups must be properly sized to carry the critical load until generators start and stabilize. As with data backups, testing is necessary to ensure the failover to alternate power works properly.
Narrator: Now that we have looked at some of the main components that must be considered when building an on-premises data center, we should look at some of them in more depth.
First, consider the air conditioning requirements of a data center. Servers and other equipment generate a great deal of heat, which must be handled properly. This is not only for the comfort of anyone present, but to ensure the equipment stays within its operating parameters. When equipment overheats, it can fail sooner or void its warranty. Most equipment is programmed to shut itself down automatically when a certain temperature threshold is reached. This helps protect the equipment, but users cannot use a system that has shut down. An abnormal system shutdown can also cause data loss or corruption.
Another consideration for an on-premises data center is the fire suppression system. In the United States, most commercial buildings are required to have automatic sprinkler systems that activate in a fire. These sprinklers minimize damage to the building and keep the fire from spreading to adjacent areas, but they can be harmful to electronic equipment, because water and electricity do not mix. Although most water-based suppression systems do not work the way they do in movies, where a fire in one part of the building turns on the sprinklers throughout the whole building, another hazard is having water overhead in the data center. Eventually, water pipes fail and may leak onto the equipment. This risk can be reduced by using a dry-pipe system, which keeps water out of the pipes above the data center. These systems have a valve outside the data center that opens only when sensors indicate a fire is occurring. Because there is no water in the pipes above the data center, the risk of a leak is reduced.
The concept of redundancy is to design systems with duplicate components so that if a failure were to occur, there would be a backup. This can apply to the data center as well. Risk assessments pertaining to the data center should identify when multiple separate utility service entrances are necessary for redundant communication channels and/or mechanisms.
If the organization requires full redundancy, devices should have two power supplies connected to diverse power sources. Those power sources would be backed up by batteries and generators. In a high-availability environment, even generators would be redundant and fed by different fuel types.
In addition to keeping redundant backups of information, you also have redundant power supplies to provide backup power, giving you an uninterruptible power supply, or UPS. Transfer switches or transformers may also be involved. If power is interrupted by weather or an outage, a backup generator is essential. Typically there will be two generators connected through two different transfer switches. These generators might be powered by diesel, gasoline or another fuel such as propane, or even by solar panels. A hospital or an important government agency might contract with more than one power company and be on two different power grids in case one of them goes down. This is what we mean by redundancy.
Some organizations seeking to minimize downtime and enhance BC (Business Continuity) and DR (Disaster Recovery) capabilities will create agreements with other, similar organizations. They agree that if one of the parties experiences an emergency and cannot operate within their own facility, the other party will share its resources and let them operate within theirs in order to maintain critical functions. These agreements often even include competitors, because their facilities and resources meet the needs of their particular industry.
For example, Hospital A and Hospital B are competitors in the same city. The hospitals create an agreement with each other: if something bad happens to Hospital A (a fire, flood, bomb threat, loss of power, etc.), that hospital can temporarily send personnel and systems to work inside Hospital B in order to stay in business during the interruption (and Hospital B can relocate to Hospital A, if Hospital B has a similar problem). The hospitals have decided that they are not going to compete based on safety and security—they are going to compete on service, price and customer loyalty. This way, they protect themselves and the healthcare industry as a whole.
These agreements are called joint operating agreements (JOA) or memoranda of understanding (MOU) or memoranda of agreement (MOA). Sometimes these agreements are mandated by regulatory requirements, or they might just be part of the administrative safeguards instituted by an entity within the guidelines of its industry.
The difference between an MOA or MOU and an SLA is that a Memorandum of Understanding is more directly related to what can be done with a system or the information.
The service level agreement goes down to the granular level. For example, if I’m outsourcing the IT services, then I will need to have two full-time technicians readily available, at least from Monday through Friday from eight to five. With cloud computing, I need to have access to the information in my backup systems within 10 minutes. An SLA specifies the more intricate aspects of the services.
We must be very cautious when outsourcing with cloud-based services, because we have to make sure that we understand exactly what we are agreeing to. If the SLA promises 100 percent accessibility to information, is the access directly to you at the moment, or is it access to their website or through their portal when they open on Monday? That’s where you’ll rely on your legal team, who can supervise and review the conditions carefully before you sign on the dotted line at the bottom.
Cloud computing is usually associated with an internet-based set of computing resources, and typically sold as a service, provided by a cloud service provider (CSP).
Cloud computing is very similar to the electrical or power grid. It is provisioned in a geographic location and is sourced using an electrical means that is not necessarily obvious to the consumer. But when you want electricity, it’s available to you via a common standard interface and you pay only for what you use. In these ways, cloud computing is very similar. It is a very scalable, elastic and easy-to-use “utility” for the provisioning and deployment of Information Technology (IT) services.
There are various definitions of what cloud computing means according to the leading standards, including NIST. This NIST definition is commonly used around the globe, cited by professionals and others alike to clarify what the term “cloud” means:
“a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (such as networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” NIST SP 800-145
Many organizations have moved from hard-wired server rooms to operations run by cloud-based facilities, because of the security and flexibility this offers. Cloud service providers have different availability zones, so if one goes down, activity can shift to another. You do not have to maintain an entire data center with all of its redundancy; the cloud service provider does that for you.
There are multiple ways to contract with a cloud service provider. You can set up billing so that it depends on the data used, just like your mobile phone. And you have resource pooling, which means you can share resources with other colleagues or similar industries to provide data for artificial intelligence or analytics.
Cloud-based assets include any resources that an organization accesses using cloud computing. Cloud computing refers to on-demand access to computing resources available from almost anywhere, and cloud computing resources are highly available and easily scalable. Organizations typically lease cloud-based resources from outside the organization. Cloud computing has many benefits for organizations, which include but are not limited to:
Some cloud-based services only provide data storage and access. When storing data in the cloud, organizations must ensure that security controls are in place to prevent unauthorized access to the data.
There are varying levels of responsibility for assets depending on the service model. This includes maintaining the assets, ensuring they remain functional, and keeping the systems and applications up to date with current patches. In some cases, the cloud service provider is responsible for these steps. In other cases, the consumer is responsible for these steps.
Types of cloud computing service models include Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS).
Software as a Service (SaaS)
Software as a Service (SaaS): A cloud provides access to software applications such as email or office productivity tools. SaaS is a distributed model where software applications are hosted by a vendor or cloud service provider and made available to customers over network resources. SaaS is a widely used and adopted form of cloud computing, with users most often needing an internet connection and access credentials to have full use of the cloud service, application and data. SaaS has many benefits for organizations, which include but are not limited to:
Ease of use and limited/minimal administration.
Automatic updates and patch management. The user will always be running the latest version and most up-to-date deployment of the software release, as well as any relevant security updates, with no manual patching required.
Standardization and compatibility. All users will have the same version of the software release.
Platform as a Service (PaaS)
Platform as a Service (PaaS): A cloud provides an environment for customers to use to build and operate their own software. PaaS is a way for customers to rent hardware, operating systems, storage and network capacity over the internet from a cloud service provider. The service delivery model allows customers to rent virtualized servers and associated services for running existing applications or developing and testing new ones. The consumer does not manage or control the underlying cloud infrastructure, including network, servers, operating systems or storage, but has control over the deployed applications and possibly application-hosting environment configurations. A PaaS cloud provides a toolkit for conveniently developing, deploying and administering application software that is structured to support large numbers of consumers, process very large quantities of data and potentially be accessed from any point on the internet. PaaS clouds will typically provide a set of software building blocks and a set of development tools such as programming languages and supporting run-time environments that facilitate the construction of high-quality, scalable applications. Additionally, PaaS clouds will typically provide tools that assist with the deployment of new applications. In some cases, deploying a new software application in a PaaS cloud is not much more difficult than uploading a file to a web server. PaaS clouds will also generally provide and maintain the computing resources (e.g., processing, storage and networking) that consumer applications need to operate. PaaS clouds provide many benefits for developers, including that the operating system can be changed and upgraded frequently, along with associated features and system services.
Infrastructure as a Service (IaaS)
Infrastructure as a Service (IaaS): A cloud provides network access to traditional computing resources such as processing power and storage. IaaS models provide basic computing resources to consumers. This includes servers, storage, and in some cases, networking resources. Consumers install operating systems and applications and perform all required maintenance on the operating systems and applications. Although the consumer has use of the related equipment, the cloud service provider retains ownership and is ultimately responsible for hosting, running and maintenance of the hardware. IaaS is also referred to as hardware as a service by some customers and providers. IaaS has a number of benefits for organizations, which include but are not limited to:
The ability to scale infrastructure services up and down based on actual usage. This is particularly useful and beneficial where there are significant spikes and dips within the usage curve for infrastructure.
Retaining system control at the operating system level.
There are four cloud deployment models. The cloud deployment model also affects the breakdown of responsibilities for the cloud-based assets. The four cloud models available are public, private, hybrid and community.
Public
Public clouds are what we commonly refer to as the cloud for the public user. It is very easy to get access to a public cloud. There is no real mechanism, other than applying for and paying for the cloud service. It is open to the public and is, therefore, a shared resource that many people will be able to use as part of a resource pool. A public cloud deployment model includes assets available for any consumers to rent or lease and is hosted by an external cloud service provider (CSP). Service level agreements can be effective at ensuring the CSP provides the cloud-based services at a level acceptable to the organization.
Private
Private clouds begin with the same technical concept as public clouds, except that instead of being shared with the public, they are generally developed and deployed for a private organization that builds its own cloud. Organizations can create and host private clouds using their own resources. Therefore, this deployment model includes cloud-based assets for a single organization. As such, the organization is responsible for all maintenance. However, an organization can also rent resources from a third party and split maintenance requirements based on the service model (SaaS, PaaS or IaaS). Private clouds provide organizations and their departments private access to the computing, storage, networking and software assets that are available in the private cloud.
Hybrid
A hybrid cloud deployment model is created by combining two forms of cloud computing deployment models, typically a public and a private cloud. Hybrid cloud computing is gaining popularity with organizations by providing them with the ability to retain control of their IT environments, conveniently allowing them to use public cloud services to fulfill non-mission-critical workloads, and taking advantage of flexibility, scalability and cost savings. Important drivers or benefits of hybrid cloud deployments include:
Retaining ownership and oversight of critical tasks and processes related to technology.
Reusing previous investments in technology within the organization.
Control over the most critical business components and systems.
A cost-effective means of fulfilling noncritical business functions (utilizing public cloud components).
Community
Community clouds can be either public or private. What makes them unique is that they are generally developed for a particular community. An example could be a public community cloud focused primarily on organic food, or maybe a community cloud focused specifically on financial services. The idea behind the community cloud is that people of like minds or similar interests can get together, share IT capabilities and services, and use them in a way that is beneficial for the particular interests that they share.
A managed service provider (MSP) is a company that manages information technology assets for another company. Small- and medium-sized businesses commonly outsource part or all of their information technology functions to an MSP to manage day-to-day operations or to provide expertise in areas the company does not have. Organizations may also use an MSP to provide network and security monitoring and patching services. Today, many MSPs offer cloud-based services augmenting SaaS solutions with active incident investigation and response activities. One such example is a managed detection and response (MDR) service, where a vendor monitors firewall and other security tools to provide expertise in triaging events.
Some other common MSP implementations are:
The cloud computing service-level agreement (cloud SLA) is an agreement between a cloud service provider and a cloud service customer based on a taxonomy of cloud computing-specific terms to set the quality of the cloud services delivered. It characterizes the quality of the cloud services delivered in terms of a set of measurable properties specific to cloud computing (business and technical) and a given set of cloud computing roles (cloud service customer, cloud service provider, and related sub-roles).
Think of a rule book and legal contract—that combination is what you have in a service-level agreement (SLA). Let us not underestimate or downplay the importance of this document/agreement. In it, the minimum level of service, availability, security, controls, processes, communications, support and many other crucial business elements are stated and agreed to by both parties.
The purpose of an SLA is to document specific parameters, minimum service levels and remedies for any failure to meet the specified requirements. It should also affirm data ownership and specify data return and destruction details. Other important SLA points to consider include the following:
The objective of network design is to satisfy data communication requirements and result in efficient overall performance.
Network segmentation
Network segmentation involves controlling traffic among networked devices. Complete or physical network segmentation occurs when a network is isolated from all outside communications, so transactions can only occur between devices within the segmented network.
DMZ
A DMZ is a network area that is designed to be accessed by outside visitors but is still isolated from the private network of the organization. The DMZ is often the host of public web, email, file and other resource servers.
VLAN
VLANs are created by switches to logically segment a network without altering its physical topology.
VPN
A virtual private network (VPN) is a communication tunnel that provides point-to-point transmission of both authentication and data traffic over an untrusted network.
Defense in depth
Defense in depth uses multiple types of access controls in literal or theoretical layers to help an organization avoid a monolithic security stance.
Network access control (NAC)
Network access control (NAC) is a concept of controlling access to an environment through strict adherence to and implementation of security policy.
Defense in depth uses a layered approach when designing the security posture of an organization. Think about a castle that holds the crown jewels. The jewels will be placed in a vaulted chamber in a central location guarded by security guards. The castle is built around the vault with additional layers of security—soldiers, walls, a moat. The same approach is true when designing the logical security of a facility or system. Using layers of security will deter many attackers and encourage them to focus on other, easier targets.
Defense in depth provides more of a starting point for considering all types of controls—administrative, technological, and physical—that empower insiders and operators to work together to protect their organization and its systems.
Here are some examples that further explain the concept of defense in depth:
Zero trust networks are often microsegmented networks, with firewalls at nearly every connecting point. Zero trust encapsulates information assets, the services that apply to them and their security properties. This concept recognizes that once inside a trust-but-verify environment, a user has perhaps unlimited capabilities to roam around, identify assets and systems and potentially find exploitable vulnerabilities. Placing a greater number of firewalls or other security boundary control devices throughout the network increases the number of opportunities to detect a troublemaker before harm is done. Many enterprise architectures are pushing this to the extreme of microsegmenting their internal networks, which enforces frequent re-authentication of a user ID, as depicted in this image.
Consider a rock music concert. By traditional perimeter controls, such as firewalls, you would show your ticket at the gate and have free access to the venue, including backstage where the real rock stars are. In a zero-trust environment, additional checkpoints are added. Your identity (ticket) is validated to access the floor level seats, and again to access the backstage area. Your credentials must be valid at all 3 levels to meet the stars of the show.
Zero trust is an evolving design approach which recognizes that even the most robust access control systems have their weaknesses. It adds defenses at the user, asset and data level, rather than relying on perimeter defense. In the extreme, it insists that every process or action a user attempts to take must be authenticated and authorized; the window of trust becomes vanishingly small.
While microsegmentation adds internal perimeters, zero trust places the focus on the assets, or data, rather than the perimeter. Zero trust builds more effective gates to protect the assets directly rather than building additional or higher walls.
An organization’s network is perhaps one of its most critical assets. As such, it is vital that we both know and control access to it, both from insiders (e.g., employees, contractors) and outsiders (e.g., customers, corporate partners, vendors). We need to be able to see who and what is attempting to make a network connection.
At one time, network access was limited to internal devices. Gradually, that was extended to remote connections, although initially those were the exceptions rather than the norm. This started to change with the concepts of bring your own device (BYOD) and Internet of Things (IoT).
Considering just IoT for a moment, it is important to understand the range of devices that might be found within an organization. They range from heating, ventilation and air conditioning (HVAC) systems that monitor the ambient temperature and adjust the heating or cooling levels automatically, and air monitoring systems, through security systems, sensors and cameras, right down to vending and coffee machines. Look around your own environment and you will quickly see the scale of their use.
Having identified the need for a NAC solution, we need to identify what capabilities a solution may provide. As we know, everything begins with a policy. The organization’s access control policies and associated security policies should be enforced via the NAC device(s). Remember, of course, that an access control device only enforces a policy and doesn’t create one.
The NAC device will provide the network visibility needed for access security and may later be used for incident response. Aside from identifying connections, it should also be able to provide isolation for noncompliant devices within a quarantined network and provide a mechanism to “fix” the noncompliant elements, such as turning on endpoint protection. In short, the goal is to ensure that all devices wishing to join the network do so only when they comply with the requirements laid out in the organization policies. This visibility will encompass internal users as well as any temporary users such as guests or contractors, etc., and any devices they may bring with them into the organization.
Let’s consider some possible use cases for NAC deployment:
As we have established, it is critically important that all mobile devices, regardless of their owner, go through an onboarding process, ideally each time a network connection is made, and that the device is identified and interrogated to ensure the organization’s policies are being met.
In its simplest form, network access control, or NAC, is a way to prevent unwanted devices from connecting to a network. Some NAC systems allow the required software to be installed on the end user's device to force the device to comply with policy before it connects. A high-level example of a NAC system is hotel internet access. Typically, users connecting to a hotel network are required to acknowledge an acceptable use policy before being allowed to access the internet. Once the user clicks the acknowledgement button, the device is connected to a network that enables internet access. Some hotels add an additional layer, requiring guests to enter a special password, or a room number and guest name, before access is granted. This prevents abuse by people who are not hotel guests and may even help trace network abuse to a specific user.
A slightly more complex scenario is an enterprise separating employees' BYOD devices from corporate-owned devices on the network. If a BYOD device has been pre-approved and is allowed to connect to the corporate network, the NAC system can verify the device using its hardware address or installed software, and can even check that the antivirus software and operating system software are up to date, before connecting it to the network. Alternatively, if it is a personal device that is not allowed to connect to the corporate network, it can be redirected to a guest network for internet access, with no access to internal corporate resources.
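The NAC decisions described in the preceding paragraphs (hotel captive portal, pre-approved BYOD, posture check, quarantine and guest redirection) can be written down as one admission function. The following is an added example and not code from the course or from any NAC product; the device attributes, the VLAN names and the pre-approved hardware-address list are assumptions made for illustration.

```python
"""Added example: a toy NAC admission decision.

Not the course's code. The attribute names, the network names returned
("corporate", "quarantine", "guest", "deny") and the approved-MAC list are
assumptions made for illustration.
"""
from dataclasses import dataclass

# Constructed allowlist of pre-approved BYOD hardware addresses (assumed values).
APPROVED_BYOD_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}


@dataclass
class Device:
    mac: str
    owner: str            # "corporate", "byod" or "guest"
    av_current: bool      # endpoint protection installed and signatures current
    os_patched: bool      # operating system at the required patch level
    aup_accepted: bool    # user acknowledged the acceptable use policy (guests)


def admit(device: Device) -> str:
    """Map a connecting device to a network: 'corporate', 'quarantine', 'guest' or 'deny'.

    The policy itself lives elsewhere (the NAC only enforces it); this
    function is the enforcement step run at every connection attempt.
    """
    mac = device.mac.lower()

    if device.owner == "guest":
        # Hotel-style captive portal: no AUP acknowledgement, no internet.
        return "guest" if device.aup_accepted else "deny"

    if device.owner == "byod" and mac not in APPROVED_BYOD_MACS:
        # Personal device that was never onboarded: internet only, nothing internal.
        return "guest"

    # Corporate or pre-approved BYOD: posture must pass before joining the LAN.
    if not (device.av_current and device.os_patched):
        # Quarantine network: remediation services only, so the noncompliant
        # element can be "fixed" (e.g. AV turned on) and the device retried.
        return "quarantine"

    return "corporate"


def admit_all(devices):
    """Decide for a batch of devices; returns (mac, decision) pairs for logging."""
    return [(d.mac, admit(d)) for d in devices]


if __name__ == "__main__":
    # Constructed sample devices (assumed values).
    sample = [
        Device("aa:bb:cc:00:00:01", "byod", True, True, False),
        Device("aa:bb:cc:99:99:99", "byod", True, True, False),
        Device("00:11:22:33:44:55", "corporate", True, False, False),
        Device("de:ad:be:ef:00:01", "guest", False, False, True),
    ]
    for mac, decision in admit_all(sample):
        print(f"{mac} -> {decision}")
```

The ordering of the checks matters: ownership and onboarding status are evaluated before posture, so an unknown personal device never reaches the posture check and is sent to the guest network regardless of how healthy it is, which matches the redirection behaviour the text describes.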
Network segmentation is also an effective way to achieve defense in depth for distributed or multi-tiered applications. The use of a demilitarized zone (DMZ), for example, is a common practice in security architecture. With a DMZ, host systems that are accessible through the firewall are physically separated from the internal network by means of secured switches or by using an additional firewall to control traffic between the web server and the internal network. Application DMZs (or semi-trusted networks) are frequently used today to limit access to application servers to those networks or systems that have a legitimate need to connect.
A web front-end server may be located in the DMZ, but it may retrieve data from a database server that sits on the other side of the firewall.
For example, you might have a network that manages customers' personal information; even if the data has been encrypted or obfuscated by cryptography, you need to ensure that this network is completely isolated from the rest of the network and is accessible only to a few authorized individuals. Only authorized personnel should be able to control the firewall settings and the traffic between the web server and the internal network. For example, in a hospital or doctor's office, you would have an isolated network for patient information and billing, with the electronic medical records on the other end. If they use a web-based application to provide medical records services, they would have a DMZ or segmented area. Even behind the firewall, they would have their own designated servers to protect critical information and keep it isolated.
It is worth noting at this point that, although this course will not explore the details, some networks use a web application firewall (WAF) instead of a DMZ network. Like a traditional firewall, a WAF has internal and external connections, with external traffic first filtered by a traditional or next-generation firewall. It monitors all traffic from the outside, whether encrypted or not, for malicious behavior before passing commands to a web server that may be located inside the network.
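The DMZ design above (public web front end in the DMZ, database behind an inner firewall, only the web server allowed through) comes down to a small, default-deny rule set between three zones. The following is an added example, not code from the course or from any firewall product; the address plan, the zone names and the rules are assumptions made for illustration.

```python
"""Added example: three-zone (internet / DMZ / internal) firewall policy.

Not the course's code. The addresses, zone names and rule set are assumed
values constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan (assumed values). Anything outside these networks
# is treated as "internet".
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),       # public-facing servers
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # private network
}
WEB_FRONTEND = ipaddress.ip_address("192.0.2.10")   # web server in the DMZ
DB_SERVER = ipaddress.ip_address("10.10.5.20")      # database behind the inner firewall


@dataclass(frozen=True)
class Rule:
    src: str        # zone name, "internet", or one host address
    dst: str        # zone name, "internet", or one host address
    port: int       # destination TCP port; 0 means any port


# Ordered allow list. A flow that matches no rule is denied (default deny),
# so the internal network is never reachable from the internet directly.
RULES = [
    Rule("internet", "dmz", 443),                    # public may reach the DMZ web tier over HTTPS
    Rule(str(WEB_FRONTEND), str(DB_SERVER), 5432),   # only the web server may query the database
    Rule("internal", "dmz", 443),                    # staff may use the public site as well
]


def zone_of(ip: str) -> str:
    """Name the zone an address belongs to; unknown addresses are 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def _matches(selector: str, ip: str) -> bool:
    """A selector is either a zone name or an exact host address."""
    if selector in ZONES or selector == "internet":
        return zone_of(ip) == selector
    return ipaddress.ip_address(selector) == ipaddress.ip_address(ip)


def evaluate(src_ip: str, dst_ip: str, port: int):
    """Return ('allow', matching_rule) or ('deny', None) for a TCP flow."""
    for rule in RULES:
        if (_matches(rule.src, src_ip) and _matches(rule.dst, dst_ip)
                and rule.port in (0, port)):
            return "allow", rule
    return "deny", None


def verdict(src_ip: str, dst_ip: str, port: int) -> str:
    return evaluate(src_ip, dst_ip, port)[0]


if __name__ == "__main__":
    # Constructed sample flows (assumed values).
    for flow in [("203.0.113.7", "192.0.2.10", 443),
                 ("203.0.113.7", "10.10.5.20", 5432),
                 ("192.0.2.10", "10.10.5.20", 5432),
                 ("192.0.2.11", "10.10.5.20", 5432)]:
        print(flow, "->", verdict(*flow))
```

Note that a second DMZ host (192.0.2.11 in the sample) cannot reach the database even though it sits in the same zone as the web server: the inner rule is written for one host, not for the whole DMZ, which is the "only those with a legitimate need to connect" point from the text. If the web server is compromised, the only internal service it can reach is the database port it already used.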
An embedded system is a computer implemented as part of a larger system. The embedded system is typically designed around a limited set of specific functions in relation to the larger product of which it is a component. Examples of embedded systems include network-attached printers, smart TVs, HVAC controls, smart appliances, smart thermostats and medical devices.
Network-enabled devices are any type of portable or nonportable device that has native network capabilities. This generally assumes the network in question is a wireless type of network, typically provided by a mobile telecommunications company. Network-enabled devices include smartphones, mobile phones, tablets, smart TVs or streaming media players (such as a Roku Player, Amazon Fire TV, or Google Android TV/Chromecast), network-attached printers, game systems, and much more.
The Internet of Things (IoT) is the collection of devices that can communicate over the internet with one another or with a control console in order to affect and monitor the real world. IoT devices might be labeled as smart devices or smart-home equipment. Many of the ideas of industrial environmental control found in office buildings are finding their way into more consumer-available solutions for small offices or personal homes.
Embedded systems and network-enabled devices that communicate with the internet are considered IoT devices and need special attention to ensure that communication is not used in a malicious manner. Because an embedded system is often in control of a mechanism in the physical world, a security breach could cause harm to people and property. Since many of these devices have multiple access routes, such as Ethernet, wireless, Bluetooth, etc., special care should be taken to isolate them from other devices on the network. You can impose logical network segmentation with switches using VLANs, or through other traffic-control means, including MAC addresses, IP addresses, physical ports, protocols, or application filtering, routing, and access control management. Network segmentation can be used to isolate IoT environments.
Aside: The characteristics that make embedded systems run efficiently are also a security risk. Embedded systems are often used to control physical things, such as valves for water, steam or even oil. These devices have a limited instruction set that is usually hard-coded or permanently written to a memory chip. To make operating mechanical parts easy, embedded systems are often connected to the corporate network, since they can run using the TCP/IP protocol, yes, the same protocol that runs across the entire internet. Consequently, anyone anywhere on the internet could control the opening and closing of a valve if the network is fully connected. This is the main reason these systems are segmented on the network. If they are segmented properly, a compromised corporate network will not have access to the physical controls on the embedded system.
The other side of embedded systems, which also applies to IoT devices, is the general lack of system updates when new vulnerabilities are discovered. For most embedded systems that are programmed directly on the chip, the chip must be physically replaced to patch a vulnerability. For many systems, sending someone on site to replace the chip, or to connect to the chip by hand and reprogram it, may not be cost-effective.
We buy all of these internet-connected things for convenience. Cameras, light bulbs, speakers, refrigerators and so on each bring some convenience to our lives, but they also bring risk. While well-known mainstream brands may provide updates for their devices when new vulnerabilities are found, many smaller companies have no intention of doing so, as they try to keep the cost of the device down. When connected to a corporate network, these devices can become a simple internet-connected doorway through which cybercriminals gain access to the corporate network. If these devices are properly segmented or separated on the network from corporate servers and other corporate networks, an intrusion into an IoT device or embedded system will not be able to reach that corporate data and those systems.
The toolsets of current adversaries are polymorphic in nature and allow threats to bypass static security controls. Modern cyberattacks take advantage of traditional security models to move easily between systems within a data center. Microsegmentation aids in protecting against these threats. A fundamental design requirement of microsegmentation is to understand the protection requirements for traffic within a data center and for traffic flows to and from the internet.
When organizations avoid infrastructure-centric design paradigms, they are more likely to become more efficient at service delivery in the data center and become apt at detecting and preventing advanced persistent threats.
Aside: some key points about microsegmentation:
Microsegmentation allows for extremely granular restrictions within an IT environment, to the point where rules can be applied to individual machines and/or users, and these rules can be as detailed and complex as desired. For instance, we can limit which IP addresses can communicate with a given machine, at what times of day, with which credentials, and which services those connections can use.
These are logical rules, not physical rules, and they require no additional hardware or manual interaction with the device (that is, administrators can apply rules to a variety of machines without physically touching each device or the cables connecting it to the network environment).
This is the ultimate expression of the defense-in-depth philosophy; no single point of access in the IT environment can lead to a broader compromise.
This is crucial in shared environments, such as the cloud, where the data and functionality of multiple customers may reside on the same device, and where third-party personnel (administrators/technicians working for the cloud provider, not the customer) may have physical access to the device.
Microsegmentation allows organizations to limit which business functions/units/offices/departments can communicate with others, in order to enforce the concept of least privilege. For example, the human resources office may hold employee data that other business units should not access, such as employees' home addresses, salaries, medical records and so on. Microsegmentation, like VLANs, can make HR its own distinct IT enclave, so that sensitive data is not available to other business entities, thereby reducing the risk of exposure.
In modern environments, microsegmentation is available thanks to virtualization and software-defined networking (SDN) technologies. In the cloud, the tools for applying this strategy are often called "virtual private networks (VPN)" or "security groups." Even in your home, microsegmentation can be used to separate computers from smart TVs, air conditioners and smart appliances that can connect but may contain vulnerabilities.
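The microsegmentation points above (rules per machine, restricted by time of day and service, expressed logically so a workload can be moved without recabling, and used to keep the HR enclave to itself) can be shown with security-group style rules that reference group membership rather than addresses. This is an added example and not the course's code or any cloud provider's security-group implementation; the group names, member addresses, ports and the working-hours window are assumptions made for illustration.

```python
"""Added example: security-group style microsegmentation with time windows.

Not the course's code. Group names, members, ports and the time window are
assumed values constructed for illustration.
"""
from dataclasses import dataclass
from datetime import time

# Constructed membership: which workloads belong to which group (assumed values).
# Rules below reference groups, not addresses, so re-homing a host changes
# only this table, never the rules and never any cabling.
MEMBERS = {
    "hr-workstations": {"10.20.1.11", "10.20.1.12"},
    "hr-db": {"10.20.9.5"},
    "finance-workstations": {"10.30.1.21"},
    "monitoring": {"10.0.0.2"},
}


@dataclass(frozen=True)
class GroupRule:
    src_group: str
    dst_group: str
    port: int
    start: time = time(0, 0)     # permitted window start (inclusive)
    end: time = time(23, 59)     # permitted window end (inclusive)


# Allow list; every flow not matched here is denied, including flows between
# two hosts of the same group (no implicit lateral trust).
RULES = [
    GroupRule("hr-workstations", "hr-db", 1433, time(7, 0), time(19, 0)),  # HR, working hours only
    GroupRule("monitoring", "hr-db", 22),                                   # monitoring, any time
]


def groups_of(ip: str) -> set:
    """All groups an address currently belongs to."""
    return {g for g, hosts in MEMBERS.items() if ip in hosts}


def permitted(src_ip: str, dst_ip: str, port: int, at: time) -> bool:
    """Default deny: True only if some rule joins the two groups on this port inside its window."""
    src_groups, dst_groups = groups_of(src_ip), groups_of(dst_ip)
    for r in RULES:
        if r.src_group in src_groups and r.dst_group in dst_groups and r.port == port:
            if r.start <= at <= r.end:
                return True
    return False


def move_host(ip: str, old_group: str, new_group: str) -> None:
    """Re-home a workload: membership changes, the rules stay exactly as written."""
    MEMBERS[old_group].discard(ip)
    MEMBERS.setdefault(new_group, set()).add(ip)


if __name__ == "__main__":
    # Constructed sample flows (assumed values).
    print(permitted("10.20.1.11", "10.20.9.5", 1433, time(9, 0)))   # HR workstation, office hours
    print(permitted("10.20.1.11", "10.20.9.5", 1433, time(22, 0)))  # same flow, outside the window
    print(permitted("10.30.1.21", "10.20.9.5", 1433, time(9, 0)))   # finance has no rule to HR data
```

Because the rule set is an allow list, the finance workstation is denied without any rule mentioning it, and moving an HR workstation into the finance group with `move_host` silently removes its access to the HR database. That is the least-privilege property the text describes: access follows a declared relationship, not the network position of the machine.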
Virtual local area networks (VLANs) allow network administrators to use switches to create software-based LAN segments, which can segregate or consolidate traffic across multiple switch ports. Devices that share a VLAN communicate through switches as if they were on the same Layer 2 network. This image shows different VLANs — red, green and blue — connecting separate sets of ports together, while sharing the same network segment (consisting of the two switches and their connection). Since VLANs act as discrete networks, communications between VLANs must be enabled. Broadcast traffic is limited to the VLAN, reducing congestion and reducing the effectiveness of some attacks. Administration of the environment is simplified, as the VLANs can be reconfigured when individuals change their physical location or need access to different services. VLANs can be configured based on switch port, IP subnet, MAC address and protocols.
VLANs do not guarantee a network’s security. At first glance, it may seem that traffic cannot be intercepted because communication within a VLAN is restricted to member devices. However, there are attacks that allow a malicious user to see traffic from other VLANs (so-called VLAN hopping). The VLAN technology is only one tool that can improve the overall security of the network environment.
Aside: A VLAN is a virtual separation within a switch and is used primarily to limit broadcast traffic. VLANs can be configured to communicate with other VLANs or not, and can be used to isolate network segments.
There are some common uses of VLANs in corporate networks. The first is to separate Voice over IP (VoIP) phones from the corporate network. This is usually done to manage the network traffic generated by voice communications more effectively by isolating it from the rest of the network.
Another common use of VLANs in corporate networks is to separate the data center from all other network traffic. This makes it easier to keep server-to-server traffic within the data center network while allowing certain traffic from workstations or the web to reach the servers. As mentioned earlier, VLANs can also be used to segment the network. For example, a VLAN can separate payroll workstations from the other workstations on the network. Routing rules can also be used to allow only devices within this payroll VLAN to access the servers that hold payroll information.
Earlier, we also discussed network access control (NAC). These systems use VLANs to control whether a device connects to the corporate network or to a guest network. Even though a wireless access controller may be connected to a single port on a physical network switch, the VLAN associated with the device's connection on the wireless access controller determines which VLAN the device operates in and which networks it is allowed to connect to.
Finally, in large corporate networks, VLANs can be used to limit broadcast traffic within the network. This is most common in networks containing more than 1,000 devices, and the separation can be by department, location/building, or any other criteria as needed.
The most important thing to remember is that while VLANs are logically separate, they may be permitted to access other VLANs. They can also be configured to deny access to other VLANs.
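The VLAN behaviour described in this section (access ports that place untagged frames into one VLAN, trunk ports that carry several tagged VLANs between switches, MAC learning per VLAN, and broadcasts that never leave their VLAN) can be modelled with a small switch simulation. This is an added example and not code from the course or from any switch vendor; the port numbers, VLAN ids and MAC addresses are assumptions made for illustration, and tagged frames arriving on an access port are simply assigned the port's VLAN, which is a simplification of real switch behaviour.

```python
"""Added example: a toy 802.1Q-aware switch showing VLAN broadcast domains.

Not the course's code. Port numbers, VLAN ids and MAC addresses are assumed
values constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Port:
    number: int
    mode: str                         # "access" or "trunk"
    vlan: int = 0                     # access VLAN (access ports only)
    allowed: frozenset = frozenset()  # VLANs carried on a trunk (trunk ports only)


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int = 0                     # 802.1Q tag; 0 means untagged

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    def __init__(self, ports):
        self.ports = {p.number: p for p in ports}
        self.mac_table = {}           # (vlan, mac) -> port number; learning is per VLAN

    def _ingress_vlan(self, port, frame):
        """Decide which VLAN a received frame belongs to, or None to drop it."""
        if port.mode == "access":
            return port.vlan          # frames on an access port take the port's VLAN
        if frame.vlan in port.allowed:
            return frame.vlan         # tagged frame on a trunk for a permitted VLAN
        return None                   # tag not allowed on this trunk: drop

    def _egress_ok(self, port, vlan):
        """A frame in `vlan` may leave through `port` only if the port carries that VLAN."""
        if port.mode == "access":
            return port.vlan == vlan
        return vlan in port.allowed

    def receive(self, in_port_no, frame):
        """Return the sorted list of port numbers the frame is forwarded to."""
        in_port = self.ports[in_port_no]
        vlan = self._ingress_vlan(in_port, frame)
        if vlan is None:
            return []
        self.mac_table[(vlan, frame.src_mac)] = in_port_no           # learn source
        known = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and known is not None and known != in_port_no:
            return [known]                                            # known unicast
        # Broadcast or unknown unicast: flood, but only to ports in this VLAN.
        return sorted(n for n, p in self.ports.items()
                      if n != in_port_no and self._egress_ok(p, vlan))


def build_sample_switch():
    """Constructed topology (assumed): ports 1-2 payroll VLAN 10, port 3 VLAN 20, port 4 uplink trunk."""
    return Switch([
        Port(1, "access", vlan=10),
        Port(2, "access", vlan=10),
        Port(3, "access", vlan=20),
        Port(4, "trunk", allowed=frozenset({10, 20})),
    ])


if __name__ == "__main__":
    sw = build_sample_switch()
    print(sw.receive(1, Frame("aa:00:00:00:00:01", BROADCAST)))   # floods VLAN 10 only
    print(sw.receive(3, Frame("aa:00:00:00:00:03", BROADCAST)))   # floods VLAN 20 only
```

Two things the simulation makes visible: a broadcast from the payroll VLAN reaches the other payroll port and the trunk, but never port 3, and a frame tagged for a VLAN the trunk does not carry is dropped at ingress. Nothing in the switch itself forwards between VLAN 10 and VLAN 20; if payroll workstations are to reach a server in another VLAN, that path has to be created deliberately by a router with routing rules, which is the point the final paragraph above makes.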
A virtual private network (VPN) is not necessarily an encrypted tunnel. It is simply a point-to-point connection between two hosts that allows them to communicate. Secure communications can, of course, be provided by the VPN, but only if the security protocols have been selected and correctly configured to provide a trusted path over an untrusted network, such as the internet. Remote users employ VPNs to access their organization’s network, and depending on the VPN’s implementation, they may have most of the same resources available to them as if they were physically at the office. As an alternative to expensive dedicated point-to-point connections, organizations use gateway-to-gateway VPNs to securely transmit information over the internet between sites or even with business partners.