Professional Foreign-Language Translation

May 20, 2012

Title: Internet Security
Department (School): Department of Computer Science and Technology
Major: Communication Engineering
Class: Class 2, Grade 2008
Student name: Li Huashan (李華山)
Student ID: 2008110311
Supervisor: Chen Ruibin (陳瑞斌)
Professional title: Lecturer

Internet Security

An intruder with the right background and malicious intent has many ways to infiltrate internal company systems and network devices through the Internet connection. Once inside, the hacker has free rein to destroy, change, or steal data, and these actions cause various sorts of network havoc. The most popular use of the Internet, e-mail, is also insecure. The same hacker with a protocol analyzer and access to routers and other network devices can intercept or change messages. Threats like thes

The network security market is quickly responding to the threats by applying authentication and encryption technologies to the Internet and by developing new products. These products come at a time when methods of attacking user networks are more elaborate and vendors are improving their products to keep up with the increased threats. “Users need these tools [because they realize] they can’t use traditional monitoring tools to stop increasingly sophisticated attacks,” says Jim Hurley, an analys

Types of Internet Security Protection

1. Security Policy

Internet connections will never be 100 percent secure. Rather than aiming for total security, an organization has to assess the value of the information it is trying to protect and balance that against the likelihood of a security violation and the cost of implementing various security measures. A company’s first line of defense should be either to devise or to revise its security policy so that it takes Internet connections into account. This policy should define in detail which

Part of the process will require evaluating the cost to the company of different types of security violations. Corporations will want to involve people at the highest levels of the organization in this process. Hiring a computer security consultant may be of some help. Once a companywide policy is implemented, the company then should start evaluating the use of firewalls, encryption, and authentication.

2. Firewall

A firewall is a barrier between two networks, an internal network (trusted network) and an external network (untrusted network). Here the external network is the Internet. Firewalls examine incoming and outgoing packets and, according to a set of rules defined by the administrator, either let them through or block them. Firewalls are not an Internet security remedy, but they are essential to the strategy.

Different kinds of firewalls function differently. They scrutinize, examine, and control the network traffic in numerous ways depending on their software architecture. Below are firewalls that work in different ways.

1) Packet Filtering Firewall Technique

Many routers use a firewall technique called packet filtering, which examines the source and destination addresses and ports of incoming TCP and UDP packets, denying or allowing packets to enter based on a set of predefined rules set by the administrator. Packet filters are inexpensive, transparent to users, and have a negligible impact on network performance. Configuring packet filtering is a relatively complex process, requiring a precise knowledge of network, transport, and even application p

A problem with packet filters is that they are susceptible to “IP spoofing”, a trick that hackers use to gain access to a corporate network. Intruders fool the firewall by changing Internet Protocol addresses in packet headers to ones that are acceptable.

2) The Application-Gateway Firewall

A more sophisticated and secure type of firewall is an application gateway, which is generally considered more secure than packet filters. Application gateways are programs written for specific Internet services such as HTTP, FTP, and telnet. They run on a server with two network connections, acting as a server to the application client and as a client to the application server.

Application gateways evaluate network packets for valid specific data, which makes the proxies more secure than packet filtering. Most application-gateway firewalls also have a feature called network address translation that prevents internal IP addresses from appearing to users outside the trusted network.

There are two primary disadvantages to application gateways. The first is a performance decline caused by the proxy function’s double processing. The other is the lag time for the firewall vendor to supply an application proxy for a newly introduced Internet service, such as Real Audio.

3) SOCKS firewall

Another type of application-proxy firewall is the SOCKS firewall. Where normal application-proxy firewalls do not require modifications to network clients, SOCKS firewalls require specially modified network clients. This means users have to modify every system on their internal network that needs to communicate with the external network. On a Windows or OS/2 system, this can be as easy as swapping a few DLLs.

Where performance is concerned, organizations using application gateways over a 10-Mbps Ethernet or 100-Mbps Fast Ethernet connection should not be worried. If companies use application proxies within their network, they can consider fast hardware-based solutions such as Cisco’s PIX Firewall or Seattle Software’s Firebox. The company may also consider installing firewall software on a system with multiple processors.

Major firewall vendors have incorporated additional security technologies into their firewall products and partnered with other security vendors to offer complete Internet security solutions. These additional features are discussed later in this article and include encryption, authentication and protection from malicious Java and ActiveX downloads.

3. Authentication

Firewalls do their authentication using IP addresses, which can be faked. If a company wants to give certain users access over the Internet to sensitive internal files and data, it will want to make sure to authenticate each user. Authentication simply describes the numerous methods that positively identify a user. Passwords are the most common method of authentication used today, but employees are notorious for making poor password choices that can be guessed by an experienced hacker. In addi

Tokens are small, credit card or calculator-size devices that the remote user can carry around. Smart cards used for authentication are similar to tokens, except they need a reader to process the authentication request. Both use a challenge-response scheme. When the user attempts to connect, an authentication server on the network issues a challenge, which the user keys into the token device. The device displays the appropriate response, which the remote user then sends to the server. Many of t

4. Encryption

As offices and organizations connect to the Internet, many will consider the Internet infrastructure an inexpensive way for wide-area and remote connections. In addition to companies, Internet commerce vendors need to protect credit card and order transactions being transferred through the Internet. To use the Internet for these purposes, companies have to protect their information and customers with encryption. Encryption is the process of using an encryption algorithm to translate plain text i
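
The challenge-response scheme described under 3. Authentication, written out with both sides of the exchange. This is an added example, not part of the original article; the response function (HMAC-SHA256 over the challenge with a per-token shared secret, shortened to eight digits), the 60-second lifetime and all names are assumptions, since the article does not say how a token computes its response.

```python
import hashlib
import hmac
import secrets
import time


def token_response(secret, challenge):
    """What the token device displays after the user keys in the challenge.
    Assumed scheme: HMAC-SHA256, shortened to 8 digits a person can type."""
    mac = hmac.new(secret, challenge.encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class AuthServer:
    """Authentication server side of the exchange."""

    def __init__(self, token_secrets, ttl=60):
        self.token_secrets = token_secrets  # user -> secret shared with that user's token
        self.ttl = ttl                      # seconds a challenge stays valid
        self.pending = {}                   # user -> (challenge, time issued)

    def issue_challenge(self, user, now=None):
        challenge = f"{secrets.randbelow(10**8):08d}"  # fresh and unpredictable
        self.pending[user] = (challenge, time.time() if now is None else now)
        return challenge

    def verify(self, user, response, now=None):
        # pop(): the first attempt consumes the challenge, right or wrong,
        # so a captured response cannot be replayed against it.
        challenge, issued = self.pending.pop(user, (None, 0.0))
        now = time.time() if now is None else now
        if challenge is None or user not in self.token_secrets:
            return False
        if now - issued > self.ttl:
            return False
        expected = token_response(self.token_secrets[user], challenge)
        return hmac.compare_digest(expected, response)  # constant-time comparison


def demo():
    secret = secrets.token_bytes(20)  # constructed sample token secret
    server = AuthServer({"alice": secret})
    results = {}
    first = token_response(secret, server.issue_challenge("alice", now=0))
    results["valid"] = server.verify("alice", first, now=5)
    results["replayed"] = server.verify("alice", first, now=6)  # challenge already used
    late = token_response(secret, server.issue_challenge("alice", now=10))
    results["expired"] = server.verify("alice", late, now=71)
    other = token_response(b"some other token", server.issue_challenge("alice", now=100))
    results["wrong_token"] = server.verify("alice", other, now=101)
    return results


if __name__ == "__main__":
    print(demo())
```

Because each challenge is random and single-use, a response seen on the wire is of no value for a later login, which is the property a reusable password lacks.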

1) The Encryption Process

A pre-hash code is derived mathematically from the message to be sent. The pre-hash code is encrypted using the sender’s private key. The encrypted pre-hash code and the message are encrypted using the secret key. The sender encrypts the secret key with the recipient’s public key, so only the recipient can decrypt it with his/her private key.

2) The Decryption Process

The decryption process essentially is the encryption process in reverse. The recipient uses his/her private key to decrypt the secret key. The recipient then uses the secret key to decrypt the encrypted message and pre-hash code.

5. Virtual private network

Virtual private networking (VPN) is the term used to describe remote access over the Internet, as well as use of the Internet infrastructure for connecting two offices of an organization or even two different organizations. Basically, a VPN is an encrypted connection between private networks over a public network. With remote access, the remote user calls the local ISP, and then connects to the central network over the Internet.

Two industry standards have recently become interoperable to make remote access and connections over virtual private networks a viable strategy: Ascend’s and Microsoft’s Point-to-Point Tunneling Protocol and Cisco’s Layer Two Forwarding (L2F), now combined by the IETF to form the Layer Two Tunneling Protocol (L2TP). This standard essentially allows the authentication and authorization process to be forwarded from the ISP to a server located elsewhere on the Internet; a corporate central office f
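
The steps listed under The Encryption Process and The Decryption Process in section 4, carried through end to end, including the comparison of pre-hash codes that "in reverse" implies. This is an added example, not part of the original article; the textbook RSA keys built from fixed Mersenne primes (no padding) and the SHA-256 keystream standing in for the secret-key cipher are assumptions chosen so it runs with the standard library only, and neither is suitable for real data.

```python
import hashlib
import secrets


def make_keypair(p, q, e=65537):
    """Textbook RSA key from two primes (toy: fixed primes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"n": n, "e": e, "d": pow(e, -1, phi)}


def public(key):
    return {"n": key["n"], "e": key["e"]}


# Constructed demo keys from known Mersenne primes.
SENDER = make_keypair(2**521 - 1, 2**607 - 1)
RECIPIENT = make_keypair(2**107 - 1, 2**127 - 1)


def pre_hash(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def secret_key_cipher(key, data):
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream.
    The same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)


def sig_len(pub):
    return (pub["n"].bit_length() + 7) // 8


def encrypt(message, sender, recipient_pub):
    # Derive the pre-hash code and encrypt it with the sender's private key.
    signed = pow(pre_hash(message, sender["n"]), sender["d"], sender["n"])
    # Encrypt the encrypted pre-hash code and the message with a fresh secret key.
    key = secrets.token_bytes(16)
    body = secret_key_cipher(key, signed.to_bytes(sig_len(sender), "big") + message)
    # Encrypt the secret key with the recipient's public key.
    wrapped = pow(int.from_bytes(key, "big"), recipient_pub["e"], recipient_pub["n"])
    return wrapped, body


def decrypt(wrapped, body, recipient, sender_pub):
    key = pow(wrapped, recipient["d"], recipient["n"]).to_bytes(16, "big")
    plain = secret_key_cipher(key, body)
    cut = sig_len(sender_pub)
    signed, message = int.from_bytes(plain[:cut], "big"), plain[cut:]
    # Recompute the pre-hash code and compare it with the one the sender encrypted.
    if pow(signed, sender_pub["e"], sender_pub["n"]) != pre_hash(message, sender_pub["n"]):
        raise ValueError("pre-hash code mismatch: altered message or wrong sender")
    return message


def roundtrip_and_tamper(message=b"Order 1001: 40 units (constructed sample)"):
    wrapped, body = encrypt(message, SENDER, public(RECIPIENT))
    received = decrypt(wrapped, body, RECIPIENT, public(SENDER))
    flipped = body[:-1] + bytes([body[-1] ^ 0x01])  # one bit changed in transit
    try:
        decrypt(wrapped, flipped, RECIPIENT, public(SENDER))
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return received, tamper_detected
```

The secret-key layer alone would decrypt the altered body without complaint; it is the pre-hash comparison that rejects it.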

6. Analyzing Other Security Threats: Java and ActiveX

Even after one has done everything possible to block unauthorized users from accessing a network, there is still the danger of viruses, which can enter through e-mail attachments, and malicious Java and ActiveX applications that come into a network as users browse the Net.

When dealing with hostile Java and ActiveX applets, Finjan Software offers SurfinShield Xtra for desktop users as well as SurfinGate for servers. These unique packages actually maintain a database of known Java and ActiveX problems and monitor incoming and existing applets. Both products block only applets that misbehave, letting all others through.

1) Solutions to 6 Common Threats to Security

Here are six common Internet security problems and their solutions cited in PC Magazine, 1997. Reprinted by permission December 1998

2) Interception of e-mail

Encrypt e-mail using desktop or server encryption hardware or software. Use digital signatures and certificates to authenticate senders and verify that e-mail has not been tampered with.

3) Theft or alteration of corporate information

Use the same procedures as for intrusion. Also use encryption hardware or software to encrypt traffic flowing from office to office across the Internet.

4) Macro viruses from e-mail attachments

Install an e-mail anti-virus gateway to filter incoming e-mail messages.

5) Corporate network intrusion

Protect the perimeter with firewalls. If you want remote users to access sensitive internal data, set up an authentication server on the network and equip remote users with authentication tokens or smart cards.

6) Disruption of network devices and services

Protect the perimeter with firewalls. Set up an authentication server on the network and equip remote users with authentication tokens or smart cards.

7) Misbehaved Java and ActiveX applets

Configure firewalls to block Java and ActiveX applets, or install a Java and ActiveX gateway to filter out bad applets.

Internet Security Products

Security Auditing

SAFEsuite Internet Scanner for Windows NT

SAFEsuite is designed to test security implementation for protection against inside and outside attacks. Internet Security Systems’ SAFEsuite Internet Scanner for Windows NT looks for hundreds of vulnerabilities, provides a list of possible holes and suggests corrective actions.

SAFEsuite has three components: the Intranet Scanner, Firewall Scanner, and Web Scanner. The program runs on a single PC loaded with Windows NT 3.51 or 4.0 and comes with a license key based on a single range of IP addresses. To scan multiple networks or segments, multiple licenses are needed.

SAFEsuite’s tests cover known weak spots that internal or external intruders can exploit.

Each of the tests comes with three different settings: light, medium and heavy scan. The light scan looks at the basic vulnerabilities on your network, such as shared resources without passwords, and requires only a few minutes to run. The medium scan looks for the same holes as the light scan, plus a few more. For example, in a light scan of FTP, the test looks for just anonymous connections. A medium scan looks for anonymous and trivial FTP connections. The heavy scan looks for all vulnerabili

After all scans have been run, SAFEsuite creates an HTML-based report listing the results by level of importance and even provides you with some ideas of how to correct the problem.

SecurIT from Milkyway Networks Corp

SecurIT, among others, is a product that can identify network holes and, like ISS’s SAFEsuite, provide instructions on how to fix them. The product can scan all of a network’s devices, including firewalls, mail servers, UNIX hosts and Windows NT- and Windows 95-based PCs. And SecurIT Audit can check for vulnerabilities on several platforms, including Linux, Solaris, SunOS, Windows NT and Windows 95.

Firewalls

ON Guard by ON Technology Corp

Protecting a network from hacker tricks is easier with ON Guard, a hardware/software combination that makes the usually difficult process of installing firewalls easy. This package is designed for administrators who aren’t security gurus and don’t want to be. ON Guard includes dozens of services, powerful event logging, and a utility that tests one’s security plan. It is also one of the few firewalls currently on the market that can block both IP and IPX network packets.

ON Guard uses Stateful Multi-Layer Inspection (SMLI) technology, a hybrid of packet- and application-level filtering. Unlike application-level filtering, SMLI does not require separate software to block each new Internet service, such as PointCast and Real Audio. This is advantageous, because one does not have to wait for ON Technology to provide software to block these services. The firewall can already handle them.

Unlike The Wall, with which services are either enabled or disabled, ON Guard allows customization of multiple services. The program disables Web, e-mail and FTP access by default. But these services and others, such as Java, Real Audio, and newsgroups, can be enabled and access rules created for users based on an IP address. Once a service is in the list, administrators can enable or disable access for both inbound and outbound traffic. They can also control access to subservices, such as POP a

The Wall

The Wall runs on a Windows NT Server and Workstation 4.0 and includes powerful logging capabilities. In addition, its built-in WebNOT utility blocks access to 15,000 unwanted Web sites. The Wall also disables all outside access by default. When first installed, no one can access the company’s LAN, unless the administrator enables e-mail, FTP and Web access for remote users.

Unlike ON Guard, which uses SMLI, The Wall is an application-level firewall that uses proxy servers to protect the network from the Internet. These firewalls have two network adapters to provide a shield. One connects to your LAN, and the other to a router or other Internet connection.

Server Security

Web Stalker Pro

Web Stalker Pro resides on the web server and protects the data stored there from both local users and outside intruders. It does so by letting the company set protection policies. For example, it shuts down your web server in case an intruder tries to access protected data.

Web Stalker Pro also has excellent reporting capabilities, but its primary function is detection and response. It can’t always prevent people from accessing the data on a web server, but it can alert you if they do. For added security, it is advisable to use a firewall in conjunction with Web Stalker.

Web Stalker Pro runs on Windows NT 3.51 and 4.0 as an NT service and works with Microsoft’s Internet Information Server (IIS) and Netscape Web servers. It relies on Windows NT’s audit trails and event logs to alert it when a hacker has attempted to access protected data. The audit trails and event logs track everything, but they only show the series of events leading up to an intruder’s entry.

Careers in Internet Security

In short supply and in high demand, systems administrators are prospering. The strong demand for system and security managers has forced salary increases to 15 percent in 1997.

Surveys show that close to 1,600 system and security administrators are responsible for the care of electronic commerce systems, Web servers, enterprise systems and computers used in advanced scientific research.

According to the survey, salaries in New York, Boston, San Francisco and San Jose are the highest, but salaries are increasing all across the US, Canada, Europe, and Asia. Of those administrators who were surveyed, salaries ranged between $50,000 and $59,999 with an average of $57,346. The greatest salary increase was for employees earning $70,000 to $79,999 with an annual average increase of 14 percent.

The highest salaries ($70,846) were those in research companies with fewer than ten employees, followed by systems integrators ($70,230) working at firms with 11 to 100 employees.

Lowest salaries reported were in education, ranging from $43,933 to $47,262. Typically a job posting describes the tasks and skills needed to excel in this field as such: Qualifications: BA/BS degree in Information Systems, computer science or business related fields. Self-motivated, good communications skills and enthusiasm for pursuing a career in Information Systems.

Internet Security

An intruder with a good background but malicious intent has many ways to penetrate a company’s internal systems and network devices through the Internet. Once inside, the hacker is free to destroy, change, or steal data, and such actions cause various kinds of network havoc. Because of the Internet’s widespread use, e-mail has also become insecure. A hacker with the same protocol analyzer and other network devices can intercept or change messages. Facing these threats, enterprises such as Internet commerce companies want to link their offices together over the Internet to form a local area network.

The network security market responded quickly, developing authentication and encryption technologies and new security products. To cope with the growing number of network attacks, security vendors are improving their products to deal with increasingly sophisticated attacks. Jim Hurley, an analyst at The Aberdeen Group, says: “Users need these tools (they have come to realize) they cannot use traditional monitoring tools to stop the growing number of network attacks.” This article describes many types of network threats and the solutions that can protect individuals and companies.

Types of Internet Security Protection
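
1. Security Policy

The Internet will never be 100 percent secure. Rather than aiming only for overall security, an organization must recognize the value of the information it wants to protect and balance the likelihood of a security violation against the cost of implementing security measures. A company’s first line of defense should be to devise and revise its security policy with Internet connections taken into account. This policy should specify in detail which employees are entitled to particular services. It should also teach employees that they are responsible for protecting the organization’s information, for example by protecting passwords, and it should state clearly what action to take when a security violation occurs. A policy of this kind is the first step in explaining to employees the company’s position on misuse of the Internet connection.

Part of this process requires the company to estimate the cost of dealing with different types of security violations. Companies will want to involve people at the highest levels of the organization in this process. Hiring a computer security consultant may be of some help. Once the company’s policy is in place, the company should start considering the use of firewalls, encryption, and authentication.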
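
2. Firewall

A firewall is a barrier between two networks, an internal network (trusted network) and an external network (untrusted network). Here the external network is the Internet. Following a set of rules defined by the administrator, a firewall examines incoming and outgoing packets and either lets them through or blocks them. Firewalls are not a remedy for Internet security, but they are indispensable to the strategy.

Different firewalls function differently. They monitor, examine, and control network traffic in various ways, depending on their software architecture. Below are several firewalls that work in different ways.

1) Packet Filtering Firewall Technique

Many routers use a firewall technique called packet filtering, which examines the source and destination addresses and ports of incoming TCP and UDP packets and denies or allows packets according to a set of rules defined in advance by the administrator. Packet filtering is inexpensive, transparent to users, and has a negligible impact on network performance. Configuring packet filtering is a relatively complex process that requires thorough knowledge of network transport and even of application protocol strategy.

A problem with packet filters is that they are susceptible to “IP spoofing”, a trick hackers use to get into a corporate internal network. Intruders fool the firewall by changing the Internet Protocol addresses in packet headers to ones that are acceptable.

2) The Application-Gateway Firewall

A more sophisticated and more secure type of firewall is the application gateway, which is generally considered more secure than packet filters. Application gateways are programs written for network services such as HTTP (Hypertext Transfer Protocol), FTP (File Transfer Protocol), and Telnet (remote login). They run on a server connected to two networks, and that server acts as a server to the application client and as a client to the application server.

Application gateways evaluate network packets for valid data, which makes the proxies more secure than packet filters. Most application-gateway firewalls have a feature called network address translation, which prevents internal IP addresses from appearing outside the trusted network.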
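
Application gateways have two main disadvantages. The first is caused by the double processing of the proxy function. The other is lag time: the firewall vendor needs time to develop an application proxy for a newly introduced network service, such as Real Audio.

3) SOCKS firewall

Another type of application-proxy firewall is the SOCKS firewall. Normal application-proxy firewalls do not require modifications to network clients, whereas SOCKS firewalls do. This means every system on the internal network that needs to communicate with the external network has to be modified. SOCKS proxies are generally used to let users behind a firewall connect to Internet servers in a limited, controlled way.

Where performance is concerned, organizations with a 10-Mbps or 100-Mbps Ethernet connection should not worry about using application gateways. If a company uses application proxies within its network, it can consider fast hardware-based solutions such as Cisco’s PIX Firewall or Seattle Software’s Firebox. The company may also consider installing firewall software on a system with multiple processors.

Most firewall vendors have incorporated additional security technologies into their firewall products and have also partnered with other security vendors to offer complete Internet security solutions.

3. Authentication

Firewalls authenticate using IP addresses, but IP addresses can be forged. If a company allows particular users to access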
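
The packet-filtering rules and the IP spoofing weakness described in the firewall section, shown as a first-match rule table evaluated with and without an ingress anti-spoofing rule. This is an added example, not part of the original article; the rule format, interface names, addresses and sample packets are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "outside" or "inside"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str  # "allow" or "deny"
    iface: str   # "outside", "inside" or "any"
    proto: str   # "tcp", "udp" or "any"
    src: str     # source network (CIDR)
    dst: str     # destination network (CIDR)
    dports: range
    note: str

    def matches(self, p):
        return (self.iface in ("any", p.iface)
                and self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and p.dport in self.dports)


ANYWHERE, ANY_PORT = "0.0.0.0/0", range(0, 65536)
INTERNAL = "192.168.10.0/24"    # constructed trusted network
MAIL_HOST = "192.168.10.25/32"  # constructed internal mail server


def build_rules(anti_spoof):
    rules = [
        Rule("allow", "outside", "tcp", ANYWHERE, MAIL_HOST, range(25, 26), "inbound mail"),
        # Trusts the source address alone, whichever interface the packet came in on.
        Rule("allow", "any", "tcp", INTERNAL, INTERNAL, range(23, 24), "internal telnet"),
    ]
    if anti_spoof:
        # An internal source address cannot legitimately arrive on the outside interface.
        rules.insert(0, Rule("deny", "outside", "any", INTERNAL, ANYWHERE, ANY_PORT, "anti-spoof"))
    return rules


def decide(rules, packet):
    """First matching rule wins; a packet that matches nothing is denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action, rule.note
    return "deny", "default"


SAMPLES = {  # constructed packets
    "legit_mail": Packet("outside", "tcp", "198.51.100.7", "192.168.10.25", 25),
    "internal_telnet": Packet("inside", "tcp", "192.168.10.8", "192.168.10.30", 23),
    "spoofed_telnet": Packet("outside", "tcp", "192.168.10.8", "192.168.10.30", 23),
    "outside_telnet": Packet("outside", "tcp", "198.51.100.7", "192.168.10.30", 23),
}


def evaluate(anti_spoof):
    rules = build_rules(anti_spoof)
    return {name: decide(rules, p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for flag in (False, True):
        print("anti-spoof rule present:", flag, evaluate(flag))
```

The filter sees only header fields, so the arrival interface is the one piece of evidence it has that a claimed internal source address is false.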