1. Common network security threats Common network security threats include: ● Eavesdropping (i.e. unauthorized access, information leakage, resource theft, etc.) ● Impersonation (pretending to be another entity, such as website impersonation, IP spoofing, etc.) ● Replay ● Destruction of integrity ● Denial of service ● Trojan horses, viruses ● Traffic analysis

2. Network security vulnerabilities Usually, intruders look for security weaknesses in the network and enter the network silently through the gaps. Therefore, the idea of ​​developing hacker counterattack weapons is to find out the security weaknesses in the current network, demonstrate and test these security holes, and then point out how to plug the security holes. At present, the security of information systems is very weak, mainly reflected in the existence of security risks in operating systems, computer networks and database management systems. These security risks are manifested in the following aspects. (1) Physical security. Any place where unauthorized machines can be physically accessed will have potential security issues, which will allow access users to do things they are not allowed to do. (2) Software security vulnerabilities. "Privileged" software contains malicious program code that allows it to gain additional privileges. (3) Incompatible use of security vulnerabilities. When system administrators bundle software and hardware together, from a security perspective, it can be considered that the system may have serious security risks. The so-called incompatibility problem is connecting two unrelated but useful things together, which leads to security holes. Once the system is up and running, such problems are difficult to detect. (4) Choose an appropriate safety philosophy. This is an understanding and intuition of security concepts. Perfect software, protected hardware and compatible components are not guaranteed to work properly and effectively unless users select appropriate security policies and turn on components that increase the security of their systems.

3. Cyber ​​attacks

4. Goals of security measures

5. Main security technologies ● Data encryption: Recombine the information so that only the sender and receiver can restore the information. ● Data signature: used to prove that it was indeed signed by the sender. ● Identity authentication: Verify the legitimacy of the user. ● Firewall: Located between two networks, it controls the entry and exit of data packets through rules. ● Content check: Check the security of data content to prevent damage by viruses and Trojans.

6. Basic knowledge of system security

exercise

1. Data encryption technology Data encryption technology refers to the process of converting information (plaintext) into meaningless ciphertext through encryption keys and encryption functions, and the receiver uses the decryption function and decryption key to restore the ciphertext into plaintext. Depending on whether the encryption key and the decryption key are the same (whether one can be deduced from the other), they can be divided into: ● Symmetric encryption technology (private key encryption algorithm) ● Asymmetric encryption technology (public key encryption algorithm)

2. Symmetric encryption technology DES/3DES/IDEA/AES/SM1/SM2/RC2/RC4/RC5 Symmetric encryption technology means that the encryption key and decryption key are the same, or although they are different, one can be easily deduced from the other. ● Advantages: fast encryption and decryption speed, high encryption strength, and open algorithm. ● Disadvantages: It is difficult to secretly distribute keys. Key management is complicated when there are a large number of users. Moreover, functions such as identity authentication cannot be completed, making it inconvenient to apply in an open network environment. Common symmetric encryption algorithms: ● DES (Data Encryption Standard): It is an iterative block cipher. The input/output is 64 bits. It uses a 56-bit key and an additional 8-bit parity bit. ● 3DES: Due to the short key length of DES, in order to improve security, the use An algorithm that uses a 112-bit key to encrypt data three times is called 3DES. ● IDEA (International Data Encryption Algorithm) algorithm: its plaintext and ciphertext are both 64 bits, and the key length is 128 bits. PGP (Pretty Good Privacy) uses IDEA as its block encryption algorithm and uses its commercial copyright; Secure Socket Layer SSL (Secure Socket Layer) also includes IDEA in its encryption algorithm library SSLRef; Ascom, the owner of the IDEA algorithm patent, has also launched a series of security products based on the IDEA algorithm, including: IDEA-based Exchange full plug-in, IDEA encryption chip, IDEA encryption software package, etc. ● AES (Advanced Encryption Standard) (Advanced Encryption Standard) The key is the foundation for encryption and decryption of the AES algorithm. Symmetric encryption algorithms are symmetric because they require the same key to encrypt and decrypt plaintext. Block encryption algorithm AES supports three key lengths: 128 bits, 192 bits, and 256 bits ● Stream encryption algorithm and RC4, others are block encryption;

3. Asymmetric encryption technology (public key encryption algorithm) RSA/ECC/SM2 Asymmetric key technology means that the encryption key and decryption key are completely different and it is impossible to From either one deduce the other. ●The advantage is: key management is simple, digital signature and identity authentication functions can be realized, and it is the core foundation of current e-commerce and other technologies. ●Disadvantages: The algorithm is complex and the speed and efficiency of encrypting data are low. RSA algorithm A pair of RSA keys is generated by the key management center. One is called the private key and is saved by the user; the other is called the public key and can be made public. ●Using RSA to encrypt large amounts of data is too slow, so RSA is widely used for key distribution. ●The RSA algorithm is based on a very simple fact of number theory: it is very easy to multiply two large prime numbers, but it is extremely difficult to factor their product (large prime number decomposition) The RSA algorithm solves a large number of network user key management problems. But RSA cannot replace DES. Their advantages and disadvantages complement each other: ●RSA’s key is very long and the encryption speed is slow; ●DES encryption is fast and suitable for encrypting longer messages; Therefore, when transmitting information, a combination of private key encryption method and public key encryption method is often used. Private key encryption algorithms such as DES or IDEA are used to encrypt large-capacity numbers. Public key encryption algorithms such as RSA are used to transmit private keys. The key used by the key encryption algorithm

my country’s encryption technology

exercise

Authentication technology is divided into two types: entity authentication and message authentication. ●Entity authentication is to identify the identity of the communication partner and prevent counterfeiting. Digital signatures can be used. ●Message authentication is to verify whether the message has been tampered with during transmission or storage, usually using message digest method. ●Authentication methods include account name/password authentication, digest algorithm authentication, and PKI-based authentication.

1. Information summary Information summaries are also called digital summaries. It is generated by applying a one-way Hash encryption function to the message. And the results of different plaintext digests into ciphertext are always different. If the information is changed by even 1 bit during the transmission process, the recipient will generate a new digest of the received information, which will be different from the original digest. In this way You can know whether the information has been changed. Therefore the information summary ensures the integrity of the information. Information digests can be used to create digital signatures. The information digest is unique to a specific file. And different documents will inevitably produce different information summaries. Common information summarization algorithms include ●MD5: The fifth version of the information digest algorithm. The input is grouped into 512-bit groups and processed to produce a 128-bit output. ●SHA: Secure Hash Algorithm, which is also processed in 512-bit groups and produces a 160-bit output. They can be used to protect the integrity of the data. SHA-1 (English: Secure Hash Algorithm 1, Chinese name: Secure Hash Algorithm 1) is a cryptographic hash function designed by the U.S. National Security Agency and published by the U.S. National Institute of Standards and Technology (NIST) for federal data processing standards (FIPS). SHA-1 can generate a 160-bit (20-byte) hash value called a message digest. The hash value is usually presented as 40 hexadecimal digits.

2. Digital signature Digital signature refers to processing the message to be transmitted through a one-way function to obtain an alphanumeric string that is used to authenticate the source of the message and verify whether the message has changed. Together with data encryption technology, it builds a secure commercial encryption system. Traditional data encryption is the most basic method to protect data. It can only prevent a third party from obtaining the real data (data confidentiality), while digital signatures can solve the problem. issues of authentication, forgery, tampering and impersonation (data integrity and non-repudiation). Digital signatures use public key algorithms (asymmetric key technology). Digital signature process: (1) Sender A first calculates the message digest (MD) of the information (M) to be sent through a hash function, that is, extracts the features of the original text. (2) Sender A encrypts the original text (M) and message digest (MD) with its own private key (PrA), which is to complete the signature action. The information can be expressed as PrA (M MD). (3) Then use the public key (PB) of receiver B as the key to encrypt the information packet again to obtain PB(PrA(M MD)). (4) When the recipient receives it, he first decrypts it using his own private key PrB to obtain PrA(M MD) (5) Then use A's public key (PA) to decrypt. If it can be decrypted, it obviously means that the data was sent by A, and at the same time, the original text M and the message digest MD will be obtained. (6) Then calculate the message digest for the original text M, get the new MD, and compare it with the received MD. If Consistent, indicating that the data has not been tampered with during transmission.

The difference between digital encryption and digital signature ●Digital encryption uses the recipient's public key to encrypt, and the recipient uses his or her private key to decrypt. ●Digital signature is: encrypt the summary information with the sender's private key and send it to the recipient together with the original text. The receiver can only use the sender's public key to decrypt the encrypted summary information, and then use the HASH function to generate a new summary information for the received original text, which is compared with the decrypted summary information.

3. RADIUS protocol RADIUS (Remote User Dial-in Authentication Service) is a network transmission protocol that takes into account the three services of authentication, authorization and accounting. RADIUS is a C/S structure protocol that communicates through UDP. Various methods such as PAP, CHAP or Unix login authentication can be used.

exercise

digital certificate A digital certificate is a string of numbers that marks the identity information of communicating parties in Internet communications. It is a way to verify the identity of communicating entities on the Internet. It functions like our ID card. It is issued by an authoritative organization CA (Certificate Authority), and people can use it to identify each other online. A digital certificate is a file digitally signed by a CA that contains public key owner information and the public key. Digital certificates use a public key system, which uses a pair of matching keys for encryption and decryption. Set two keys per user: ●Private key: a private key known only to you, used for decryption and signing ●Public key: disclosed by me and used to encrypt and verify signatures ● Send confidential documents. The sender uses the receiver's public key to encrypt, and the receiver uses his or her private key to decrypt. ●Data signature. The recipient can confirm the identity of the sender through the digital certificate, and the sender cannot deny it. Digital signatures ensure that changes to information will be detected.

Digital certificate format The format of digital certificates generally uses the X.509 international standard. The X.509 user public key certificate is created by a trusted certificate authority CA and stored in the X.500 public directory by the CA or the user for access by other users. Digital certificates include version number, serial number (the serial number of each certificate issued by the CA is unique), signature algorithm identifier, issuer name, validity, subject name, subject's public key information, and unique issuer Identifier, subject unique identifier, extended domain, signature (that is, the result of the CA digitally signing the above fields with its own private key, that is, the signature of the user certificate by the CA center).

Obtain digital certificate As long as any user obtains the public key of the CA center, he or she can obtain the public key signed by the CA center for the user. Because the certificate cannot be forged, there is no need to impose special protection on the directory where the certificate is stored.

Certificate revocation The certificate must be revoked if the certificate has expired, the user's private key has been leaked, the user has given up using the services of the original CA center, or the CA center's private key has been leaked. At this time, the CA center will maintain a certificate revocation list (CRL) for everyone to query.

Key management system Key management refers to issues related to the entire process from key generation to destruction, including system initialization, key generation, storage, backup/recovery, loading, distribution, protection, update, control, loss, revocation and destroy. There are three main key management systems: ●KMI mechanism suitable for closed networks and represented by traditional key management centers ●PKI mechanism suitable for open networks ●SPK mechanism suitable for large-scale private networks

[ ] User B receives the message M digitally signed by A. In order to verify the authenticity of the message, he first needs to obtain the digital certificate of user A from the CA. The digital certificate contains (A), and (A) can be used to verify the certificate. authenticity, and then use (C) to verify the authenticity of M. A. A's public key B. A's private key C. B's public key D. B's private key A. CA's public key B. B's private key C. A's public key D. B's public key A. CA's public key B. B's private key C. A's public key D. B's public key

VPN Virtual Private Network A virtual private network is an extension of the enterprise network on public networks such as the Internet. It creates a secure private connection on the public network through a private channel. Essentially, a VPN is a virtual channel that can be used to connect two private networks, ensure its security through reliable encryption technology, and exist as part of the public network.

Key technologies of VPN ●Tunnel technology ●Encryption and decryption technology ●Key management technology ●Identity authentication technology

Classification and application of VPN

What are the classifications of VPN technology? 1. Classification according to data transmission method: ●Tunneling Mode: By including a new data packet header outside the original data packet, the data is encrypted and then transmitted. It is usually used in scenarios such as remote access and connecting private networks in different regions. ●Transparent Mode: Encrypts data packets directly without modifying them. It is usually used to ensure the security of public network transmission. 2. Classification according to network type: ●Remote access VPN: used for remote workers to access corporate internal network resources. For example, PPTP, L2TP, SSL VPN, etc. ●Point-to-point VPN: Establish a VPN connection between two devices to connect to LANs distributed in different places. For example, IPSec is suitable for point-to-point scenarios. 3. Classification according to security protocols: ●PPTP protocol: encapsulated using the GRE protocol, the encryption strength is low, and it is suitable for scenarios that do not require high security. ●L2TP protocol: Based on the PPTP protocol, the L2TP protocol is added to make it more secure and suitable for scenarios that require medium security. ●IPSec protocol: High encryption strength and good security, but the settings are complicated and suitable for scenarios that require a high degree of security.

PPTP (Point-to-Point Tunneling Protocol) is the abbreviation of English Point to Point Tunneling Protocol. The default port number is: 1723 (TCP). It is a network technology that supports multi-protocol virtual private networks. It works on the second layer. Through this protocol, remote users can securely access the company network through the Microsoft Windows operating system and other systems equipped with point-to-point protocols, and can dial-up to the local ISP and securely link to the company network through the Internet. L2TP (Layer 2 Tunneling Protocol) is the abbreviation of English Layer 2 Tunneling Protocol. The default port number is: 1701 (UDP). It is an industrial standard Internet tunnel protocol. Its functions are roughly similar to the PPTP protocol. For example, it can also process network data flows. Encrypt. However, there are differences. For example, PPTP requires the network to be an IP network, and L2TP requires a packet-oriented point-to-point connection; PPTP uses a single tunnel, and L2TP uses multiple tunnels; L2TP provides header compression and tunnel verification, but PPTP does not support it. PPP Point to Point Protocol (PPP) is a link layer protocol designed for simple links such as transmitting data packets between peer units. This link provides full-duplex operation and delivers packets in sequence. The design purpose is mainly used to establish point-to-point connections to send data through dial-up or dedicated lines, making it a common solution for simple connections between various hosts, bridges and routers. PPP has the following features: (1) PPP has the ability to dynamically allocate IP addresses, allowing IP addresses to be negotiated at the time of connection; (2) PPP supports multiple network protocols, such as TCP/IP, NetBEUI, NWLINK, etc.; (3) PPP has error detection capabilities, but does not have error correction capabilities, so PPP is an unreliable transmission protocol; (4) There is no retransmission mechanism, the network overhead is small, and the speed is fast. (5) PPP has an identity verification function. (6) PPP can be used on various types of physical media, including serial lines, telephone lines, mobile phones and optical fibers (such as SDH). PPP is also used for Internet access.

VPN tunnel technology ●PPTP: Logically extends the PPP session to form a virtual remote dial-up. When implementing the protocol, the same authentication mechanism as PPP is used, including EAP (Expanded Identity Authentication Protocol), MS-CHAP (Microsoft Challenge Handshake Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), SPAP (Shiva Password Authentication Protocol) , PAP (Password Authentication Protocol). In addition, in Windows 2000, PPP uses MPPE (Microsoft Point-to-Point Encryption Technology) for encryption, so EAP or MS-CHAP authentication technology must be used ●L2F: A multi-protocol secure VPN communication method can be established on a variety of media. It encapsulates the link layer protocol so that the network link layer is completely independent of the user's link layer protocol. ●L2TP: It is the product of the combination of PPTP and L2F. After the L2TP protocol encapsulates the PPP frame, it can be transmitted through IP, X.25, FR or ATM. The same authentication mechanism as PPP connections must be used when creating an L2TP tunnel. It combines the advantages of L2F and PPTP and allows users to initiate VPN connections from the client or access server. ●IPSec: It is a security structure composed of four parts: security protocol, key management protocol, security association, authentication and encryption algorithm. The security protocol adds two password-based security mechanisms to the IP protocol: Authentication Header (AH) and Encapsulating Security Payload (ESP). AH: It is a message authentication code that has been calculated before sending the IP packet. The sender calculates the AH using the encryption key, and the receiver verifies it using the same (symmetric encryption) or another key (asymmetric encryption). ESP: Encapsulate and encrypt the entire IP packet, usually using the DES algorithm.

What security services can IPSEC (Internet Protocol Security) technology provide? 1. Identity authentication: IPSec can verify the identity of both communicating parties to ensure that only legitimate users can access protected resources. 2. Data integrity: IPSec uses an algorithm called a hash function to hash the data to check whether the data has been tampered with. If any changes occur during data transmission, the recipient will discover that the data is incomplete and refuse to process it. 3. Data confidentiality: IPSec uses encryption algorithms to encrypt transmitted data to protect the data from being obtained by unauthorized persons. 4. Anti-replay attack protection: When IPSec establishes communication, it requests the sender to send a unique identifier, which will change during each communication. This identifier protects the data from being reused, preventing attackers from exploiting the disadvantages of data reuse. 5. Prevent denial of service attacks: IPSec can limit traffic according to security policies, intercept unauthorized traffic, and reduce attacks on protected resources.

IPSEC technical architecture

IPSec VPN architecture Security Protocol: Responsible for protecting data, AH/ESP Working mode: transmission mode: to achieve end-to-end protection, tunnel mode: to achieve site-to-site protection Key Exchange: IKE: Performs Negotiation for Security Protocols AH Data integrity check and source verification, limited anti-replay capability, and cannot provide data encryption function ESP Ensure data confidentiality, data integrity verification and source verification, and certain anti-replay capabilities

IKE (Internet Key Exchange) The protocol is a protocol used to establish a secure channel in the IPsec (Internet Protocol security) encryption protocol. Its role is to establish secure keys and authentication channels for IPsec to ensure that communication and data transmission on the Internet are safe and private. The IKE protocol is used in the following aspects: Confirm the communicating parties: The IKE protocol uses digital certificates or pre-shared passwords to establish encrypted channels, ensuring that only trusted communicating parties can communicate. Negotiate encryption rules: The IKE protocol negotiates encryption rules such as encryption algorithms, key lengths, and hash algorithms to ensure that the latest security technology is used to encrypt data. Establish keys: The IKE protocol generates keys used for IPsec encryption and authentication. Maintaining secure channels: The IKE protocol is also responsible for maintaining IPsec secure channels to ensure that data during communication maintains confidentiality, integrity, and availability.

Two modes of IPSec Transport Mode It is the default mode of IPSec, also known as End-to-End mode. It is suitable for IPSec communication between two hosts. In transmission mode, only the IP payload is protected, which may be TCP/UDP/ICMP protocol or AH/ESP protocol. The transmission mode only provides security protection for the upper-layer protocol. In this mode, both hosts participating in the communication must install the IPSec protocol, and it cannot hide the IP address of the host. After IPSec transmission mode is enabled, IPSec will add an AH/ESP header or both headers in front of the transport layer packet to form an AH/ESP packet, and then add the IP header to form an IP packet. On the receiving side, IP is processed first, then IPSec is processed, and finally the payload data is handed over to the upper layer protocol. Tunnel Mode Use site-to-site communication between two gateways. The two gateways participating in the communication actually provide secure communication services for the computers in the two networks that are bounded by them. Tunnel mode provides protection for the entire IP packet, providing security protection for the IP protocol itself rather than just the upper layer protocol. Normally, as long as one of the two parties using IPSec is a security gateway, tunnel mode must be used. One advantage of tunnel mode is that it can hide the IP addresses of internal hosts and servers. Most VPNs use tunnel mode because it not only encrypts the entire original message, but also partially or fully encrypts the source and destination addresses of the communication. It only requires the security gateway and does not require the installation of VPN software on the internal host. During this period, all encryption, decryption and negotiation operations are completed by the former.

Transport mode AH encapsulation

Tunnel mode AH encapsulation

exercise

Key points for establishing ipsec tunnel

firewall A firewall is an information security protection system composed of software or hardware equipment between an internal network and an external network, or between a private network and a public network. It allows or restricts the passage of transmitted data in accordance with specific rules. The purpose of a firewall is to prevent unauthorized communications from entering or exiting a protected network.

Firewall functions The firewall has the following functions: ●Access control function ●Content control function ●Comprehensive logging function ●Centralized management function

Cybersecurity design On the basis of protecting the internal network, we also protect the servers that provide services to the outside world.

Three modes of firewall operation: Routing mode: external connection at Layer 3 (interface has IP address) Transparent mode: external connection through layer 2 (interface has no IP address) Mixed mode: The firewall has interfaces working in both routing mode and transparent mode (some interfaces have IP addresses, some interfaces do not have IP addresses)

firewall structure Shielding router (packet filtering firewall) 2. Dual-hole host mode 3. Shielding host mode 4. Shielding subnet mode

1. Shield router (packet filtering firewall) The header of each received data packet is judged according to the packet filtering rules. Packets matching the rules are forwarded according to the routing information, otherwise they are discarded. Packet filtering is implemented at the IP layer. Packet filtering is based on the source IP of the data packet. Address, destination IP Address, protocol type (TCP packet, UDP packet, ICMP packet), source port, destination port and other packet header information as well as data packet transmission direction and other information to determine whether to allow the data packet to pass.

2. Dual-hole host mode A bastion host equipped with at least two network cards is used as a firewall and is located between the internal and external networks to achieve physical separation.

3. Shield host mode Shielded host mode refers to a firewall formed by a separate router and a bastion host on the internal network. It mainly uses packet filtering to isolate internal and external networks and protect the internal network. This mode has two barriers, one is the shielding router, and the other is the bastion host.

4. Shielded subnet mode The shielded subnet mode uses two shielding routers and a bastion host to establish an isolated subnet between the internal and external networks, which is defined as a DMZ network, called a demilitarized zone.

Intrusion detection Intrusion detection is the detection of intrusion behavior. It collects and analyzes network behavior, security logs, audit data, and information on several key points in the computer system to check whether there are any violations of security policies and signs of attack in the network or system.

Intrusion detection system (IDS intrusion detection system) It is a network security technology that actively protects itself from illegal attacks on networks and systems. It monitors the operating status of networks and systems in accordance with certain security policies, and tries to detect various attack attempts, attack behaviors or attack results as much as possible. , to ensure the confidentiality, integrity and availability of network system resources. IDS is a proactive security protection technology.

Functions of IDS IDS includes three parts: data extraction, intrusion analysis, and response processing. In addition, it can also be combined with functional modules such as security knowledge base and data storage to provide more complete security detection technology analysis functions.

IDS classification IDS can be classified based on data sources and based on detection methods. According to different There are different IDS classification methods.

Intrusion Prevention System (IPS Intrusion Prevention System) It is an active and active intrusion prevention and blocking system. It is deployed at the entrance and exit of the network. When an attack attempt is detected, the attack packet is automatically dropped or measures are taken to block the source of the attack. The detection function of IPS is similar to that of IDS, but after detecting an attack, IPS will take action to prevent the attack. It can be said that IPS is a new network security product based on the development of IDS.

Advantages of Intrusion Prevention: Intrusion prevention is a new security defense technology that can both detect and prevent intrusions. After detecting a network intrusion, it can automatically discard intrusion packets or block the source of the attack, thereby fundamentally avoiding attacks. The main advantages of intrusion prevention are as follows: ●Real-time blocking of attacks: The device is deployed in the network in a straight-line manner. When an intrusion is detected, it can intercept intrusion activities and offensive network traffic in real time to minimize its intrusion into the network. ●Deep protection: Since new attacks are hidden in the application layer of the TCP/IP protocol, intrusion prevention can detect the content of the application layer of the message. It can also perform protocol analysis and detection on network data flow reassembly, and analyze and detect the network data flow according to the attack type and strategy. Wait to determine which traffic should be blocked. ●Comprehensive protection: Intrusion prevention can provide protection against worms, viruses, Trojans, botnets, spyware, adware, CGI (Common Gateway Interface) attacks, cross-site scripting attacks, injection attacks, directory traversal, information leakage, and remote file inclusion. Protective measures against attacks, overflow attacks, code execution, denial of service, scanning tools, backdoors and other attacks to comprehensively defend against various attacks and protect network security. ●Both internal and external defense: Intrusion prevention can not only prevent attacks from outside the enterprise, but also prevent attacks from within the enterprise. The system can detect all passing traffic, and can protect both servers and clients. ●Continuous upgrading, precise protection: The intrusion prevention signature database will be continuously updated to maintain the highest level of security.

The difference between IPS and IDS IPS and IDS are deployed differently: ● IDS products work in bypass mode in the network IDS (Intrusion Detection System) Intrusion Detection System, IDS detects and alarms abnormal data that may be intrusions, informs users of real-time conditions in the network, and provides corresponding solutions and processing methods. It is an intrusion detection system that focuses on Security functions for risk management. ● IPS products work in series in the network The serial work ensures that all network data passes through the IPS device. The IPS detects malicious codes in the data flow, checks the policy, and intercepts the information packets or data flows before they are forwarded to the server. It is a security function focused on risk control. Intrusion prevention technology adds powerful defense functions to traditional IDS

Types of Intrusion Prevention Systems ● Host-based intrusion prevention ● Network-based intrusion prevention ● Application-based intrusion prevention

Challenges facing intrusion prevention systems ● Single point of failure ● Performance bottleneck ● False positives and false negatives

exercise

PGP technology PGP is an email encryption protocol based on the RSA public key encryption system. ●Use it to encrypt emails to prevent unauthorized persons from reading them, and to add digital signatures to emails. This allows the recipient to identify the sender of the email and ensure that the email has not been tampered with. It combines the chain encryption methods of RSA and IDEA. ●The working process of PGP is to use a randomly generated key (different for each encryption) to encrypt the plaintext through the IDEA algorithm, and then encrypt the key using the RSA algorithm. Therefore, it has the confidentiality of RSA and the speed of IDEA algorithm. Main features of PGP: ●Use PGP to encrypt emails to prevent illegal reading. ●A digital signature can be added to an encrypted email, so that the recipient is further convinced of the sender of the email without the need for any confidential channel to transmit the key in advance. ●It can only be signed without encryption, which is suitable for verifying the identity of the declarant when making a public statement, and can also prevent the declarant from denying it. ●Ability to encrypt files, including graphic files, sound files and other types of files.

Kerberos In a distributed network application environment, in order to ensure the security of its use, the workstation must be able to confirm its identity to the server in a trusted and secure manner, otherwise many security issues will arise. The technology that solves this problem is called identity authentication. Common identity authentication technologies include ●Both users specify a shared key (the least secure) ●Generate keys using smart cards ●Use Kerberos service ●Use PKI service (obtain digital certificate from CA center) How Kerberos works ●Kerberos does not construct an identity authentication protocol for each server, but provides a central authentication server to provide user-to-server and server-to-user authentication services. ●The core of Kerberos is to use DES encryption technology to achieve the most basic authentication service.

The Kerberos authentication process is divided into 3 stages and 6 steps: The first stage: Authentication service exchange, client obtains authorization server access permission ticket. ① User A enters his user name and sends it to the authentication server in clear text. ②The authentication server returns a session key Ks and a ticket KTGS (A,Ks). This session key is one-time (can also be generated using a smart card), and these two data packets are encrypted using user A’s key. , they will be asked to enter their password and decrypt the data when returning. The second stage (③④): Ticket permission service exchange, the client obtains the application service access permission ticket. ③User A sends the obtained ticket, the name of the application server B to be accessed, and the time stamp encrypted with the session key (used to prevent retransmission attacks) to the authorization server (TGS). ④After receiving it, the authorization server (TGS) returns the session key for communication between A and B, including the session key KAB encrypted with A's key and encrypted with B's key. The third stage (⑤⑥): Authentication exchange between the client and the application server, and the client finally obtains application services. ⑤ User A sends the session key encrypted with B's key received from TGS to server B, and attaches a time stamp encrypted with both parties' session keys KAB to prevent retransmission attacks. ⑥ Server B responds and completes the authentication process. Kerberos uses a continuous encryption mechanism to prevent session hijacking.

SSL SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are security protocols that provide security for network communications and data integrity. SSL and TLS are security protocols that work at the transport layer and encrypt network connections at the transport layer. (1) The SSL protocol is divided into two layers SSL Record Protocol is built on a reliable transmission protocol (such as TCP) and provides support for basic functions such as data encapsulation, compression, and encryption for high-level protocols. SSL Handshake Protocol It is built on the SSL record protocol and is used for identity authentication, negotiation of encryption algorithms, and exchange of encryption keys between the communicating parties before actual data transmission begins. (2) Services provided by SSL protocol ●Authenticate users and servers to ensure data is sent to the correct client and server. ●Encrypt data to prevent data from being stolen midway. ●Maintain data integrity and ensure that data is not changed during transmission.

HTTPS HTTPS is an HTTP channel aimed at security. It is an extension of the HTTP protocol and a secure version of HTTP. HTTPS is a protocol that works at the application layer, port number 443 The difference between HTTPS and HTTP The HTTPS protocol requires applying for a certificate from the CA. HTTP is Hypertext Transfer Protocol, information is transmitted in plain text, while HTTPS is a secure SSL encrypted transmission protocol. HTTP and HTTPS use completely different connection methods and use different ports. The former is 80 and the latter is 443. The HTTP connection is very simple and stateless; the HTTPS protocol is a network protocol built from the SSL HTTP protocol that can perform encrypted transmission and identity authentication, and is more secure than the HTTP protocol.

SET The SET protocol is called the Secure Electronic Transaction Protocol. In the process of online transactions, all parties to the transaction hope to verify the identity of other parties to prevent being deceived. In response to this situation, the two major credit card organizations in the United States, Visa and MasterCard, jointly developed a bank card-based online transaction system for use on the Internet. Safety standard - SET. It uses public key cryptography and the X.509 digital certificate standard to ensure the security of online shopping information. safety ●SET protocol can ensure the confidentiality of electronic transactions, data integrity, non-repudiation of transaction behavior and legality of identity. ●The participants of the SET protocol include: card holders, merchants, banks (card issuers), payment gateways, and CA centers.

exercise