Network Security Learning (II)
2022-07-29 06:38:00 【Dtsuv】
Network security architecture
This follows the Open Systems Interconnection security architecture, ISO 7498-2. Its core content: to secure information exchange between processes on heterogeneous computers over a distance, it defines 5 security services and 8 security mechanisms that a system should provide, specifies the relationship between services and mechanisms, and indicates where each service and mechanism is placed in the OSI reference model.
(1) Security service: can be understood as a representation of a security requirement.
(2) Security mechanism: an abstract representation of a security technique that can provide one or more security services, is independent of any particular implementation, and generally cannot be subdivided further. Mechanisms are usually "atomic" and rarely overlap.
(3) Security products: concrete implementations of one or more security mechanisms.
Security service
Authentication
The authentication service identifies peer entities and data origins in a communication.
Peer entity authentication: confirms that the peer entity in a communication is the entity it claims to be. The service is used when a connection is established or during data transfer to verify the identity of the connected entity, so that an entity cannot impersonate another.
Data origin authentication: in essence, confirms the source of the data.
Access control
Access control decides which entities may access which resources, to prevent unauthorized entities from accessing resources in the system.
"Access" here is broad: it covers different kinds of access to all kinds of resources, such as using communication resources, or reading, writing and deleting information resources.
Data integrity
The data integrity service counters active threats that attempt to destroy or tamper with information resources, so that tampering is prevented or at least detected.
Data confidentiality
The data confidentiality service protects data against unauthorized disclosure. This includes encrypting user data, and also traffic flow confidentiality, so that an attacker cannot infer confidential information by observing the volume or pattern of the communication traffic.
Non-Repudiation
Non-repudiation is also called anti-repudiation and takes two main forms:
Non-repudiation of origin: the sender cannot deny having sent the data. For example, if A sends a letter to B, A cannot afterwards deny having sent it.
Non-repudiation of receipt: the receiver cannot afterwards deny having received the data. For example, if A sends a letter to B, B cannot afterwards deny having received it.
Security mechanism
Encryption mechanism
Encryption provides confidentiality for data, and can also provide confidentiality for traffic flow information.
Digital signature mechanism
The digital signature mechanism has two procedures: signing, and verifying the signature.
Signing uses information private to the signer, which guarantees that only the signer could have produced the signature. The procedures and information used to verify a signature are public, so anyone can verify the signature, but nobody can derive the signer's private information from it.
Access control mechanism
Access control is both a service and a specific mechanism. To decide whether an entity may access something, the access control mechanism uses the entity's already-authenticated identity (such as the identity established at login) to make the decision.
Access control can be based on: access control lists; the identity of the requester and its authentication information; the address from which access is attempted; the time at which access is attempted; and the duration of the attempted access.
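A worked example of the mechanism just described, added here and not part of the original post or of ISO 7498-2: a default-deny access control list whose entries combine the authenticated identity (user or group), the resource and action, the source address, and a time window. All type and field names (Subject, Request, Rule, Decide, SampleACL) and the sample policy are hypothetical, constructed for this illustration.

```go
package main

import (
	"fmt"
	"net"
	"time"
)

// Subject is an already-authenticated identity (the result of logging in).
// All types, names and the sample policy below are hypothetical, invented for this example.
type Subject struct {
	Name   string
	Groups []string
}

// Request is one attempted access the mechanism must decide on.
type Request struct {
	Subject  Subject
	Resource string
	Action   string    // "read", "write", "delete", ...
	Addr     net.IP    // address the attempt comes from
	When     time.Time // time of the attempt
}

// Rule is one access control list entry.
type Rule struct {
	Principal string     // a user name, or "group:<name>"
	Resource  string
	Actions   []string
	From      *net.IPNet // nil means any source address
	FromHour  int        // permitted window [FromHour, ToHour) in UTC
	ToHour    int
}

func (r Rule) matchesPrincipal(s Subject) bool {
	if r.Principal == s.Name {
		return true
	}
	for _, g := range s.Groups {
		if r.Principal == "group:"+g {
			return true
		}
	}
	return false
}

// allows checks every attribute the rule constrains: identity, resource,
// action, source network and time of day.
func (r Rule) allows(req Request) bool {
	if !r.matchesPrincipal(req.Subject) || r.Resource != req.Resource {
		return false
	}
	actionOK := false
	for _, a := range r.Actions {
		if a == req.Action {
			actionOK = true
			break
		}
	}
	if !actionOK {
		return false
	}
	if r.From != nil && !r.From.Contains(req.Addr) {
		return false
	}
	h := req.When.UTC().Hour()
	return h >= r.FromHour && h < r.ToHour
}

// Decide is default-deny: the request passes only if some rule explicitly allows it.
func Decide(acl []Rule, req Request) bool {
	for _, r := range acl {
		if r.allows(req) {
			return true
		}
	}
	return false
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// SampleACL is a constructed policy used only for this demonstration.
func SampleACL() []Rule {
	return []Rule{
		{Principal: "group:ops", Resource: "/var/log/auth.log", Actions: []string{"read"},
			From: mustCIDR("10.0.0.0/8"), FromHour: 0, ToHour: 24},
		{Principal: "alice", Resource: "/etc/shadow", Actions: []string{"read", "write"},
			From: mustCIDR("10.0.1.0/24"), FromHour: 8, ToHour: 18},
	}
}

func main() {
	acl := SampleACL()
	alice := Subject{Name: "alice", Groups: []string{"ops"}}
	office, outside := net.ParseIP("10.0.1.7"), net.ParseIP("192.168.1.7")
	day := time.Date(2022, 7, 29, 10, 0, 0, 0, time.UTC)
	night := time.Date(2022, 7, 29, 23, 0, 0, 0, time.UTC)

	fmt.Println(Decide(acl, Request{alice, "/etc/shadow", "write", office, day}))    // true
	fmt.Println(Decide(acl, Request{alice, "/etc/shadow", "write", office, night}))  // false: outside the time window
	fmt.Println(Decide(acl, Request{alice, "/etc/shadow", "write", outside, day}))   // false: wrong source network
	fmt.Println(Decide(acl, Request{alice, "/etc/shadow", "delete", office, day}))   // false: action not granted
	fmt.Println(Decide(acl, Request{alice, "/var/log/auth.log", "read", net.ParseIP("10.3.0.9"), day})) // true, via group membership
}
```

The order of checks is deliberate: identity is taken from the authenticated Subject rather than from anything the requester supplies in the request, and any rule that does not match in full contributes nothing, so the absence of a matching rule is a denial.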
Data integrity mechanism
Data integrity has two aspects: the integrity of individual data units, and the integrity of the data flow.
Data unit integrity: involves two processes, one at the sending entity and one at the receiving entity. The sending entity appends a quantity to the data unit (usually a hash value), and this quantity may itself be encrypted; the receiving entity computes the corresponding quantity from the received data unit and compares it with the sender's, which tells whether the data unit was tampered with in transit. Note that an unkeyed hash alone does not stop an attacker who can recompute it after modifying the data; the appended quantity has to be keyed or encrypted for the check to detect deliberate tampering.
Data flow integrity: uses sequence numbers, timestamps or cryptographic chaining to detect data units that were replayed, reordered, dropped or duplicated.
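The two aspects above, as an added example that is not code from the original post: the sender appends an HMAC-SHA256 tag (a keyed quantity, so an attacker without the key cannot recompute it) to each data unit, and the tag also covers a sequence number and the previous unit's tag, which gives data flow integrity by chaining. Modified, replayed or reordered units are rejected. The Record, Sender and Receiver names, the shared key and the sample payloads are all constructed for this illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Record is one protected data unit: the payload, its position in the flow,
// and the quantity the sender appends (here an HMAC-SHA256 tag).
// Type names and the sample key/payloads below are constructed for this example.
type Record struct {
	Seq  uint64
	Data []byte
	Tag  []byte
}

// flowState is mirrored at both ends: the shared key, the next expected
// sequence number, and the tag of the previous record (the chaining value).
type flowState struct {
	key     []byte
	nextSeq uint64
	prevTag []byte
}

type Sender struct{ flowState }
type Receiver struct{ flowState }

func NewSender(key []byte) *Sender     { return &Sender{flowState{key: key}} }
func NewReceiver(key []byte) *Receiver { return &Receiver{flowState{key: key}} }

// computeTag binds the tag to the key, the sequence number, the previous
// tag and the payload, so altering or moving a unit changes its tag.
func computeTag(key []byte, seq uint64, prevTag, data []byte) []byte {
	mac := hmac.New(sha256.New, key)
	var seqBuf [8]byte
	binary.BigEndian.PutUint64(seqBuf[:], seq)
	mac.Write(seqBuf[:])
	mac.Write(prevTag)
	mac.Write(data)
	return mac.Sum(nil)
}

// Send is the sending entity's process: append the quantity, advance the chain.
func (s *Sender) Send(data []byte) Record {
	tag := computeTag(s.key, s.nextSeq, s.prevTag, data)
	rec := Record{Seq: s.nextSeq, Data: append([]byte(nil), data...), Tag: tag}
	s.nextSeq++
	s.prevTag = tag
	return rec
}

var (
	ErrTampered = errors.New("data unit integrity: tag mismatch")
	ErrSequence = errors.New("data flow integrity: unexpected sequence number")
)

// Receive is the receiving entity's process: the record must be the next one
// in the flow and its recomputed tag must match. Replayed, reordered, dropped
// or modified units are rejected and do not advance the receiver's state.
func (r *Receiver) Receive(rec Record) error {
	if rec.Seq != r.nextSeq {
		return ErrSequence
	}
	expected := computeTag(r.key, rec.Seq, r.prevTag, rec.Data)
	if !hmac.Equal(expected, rec.Tag) { // constant-time comparison
		return ErrTampered
	}
	r.nextSeq++
	r.prevTag = rec.Tag
	return nil
}

func main() {
	key := []byte("constructed demo key; use a random key in practice")
	s, r := NewSender(key), NewReceiver(key)

	r1 := s.Send([]byte("transfer 100 to account 42"))
	r2 := s.Send([]byte("transfer 5 to account 43"))

	fmt.Println(r.Receive(r1)) // <nil>
	fmt.Println(r.Receive(r1)) // replay: data flow integrity: unexpected sequence number

	forged := r2
	forged.Data = []byte("transfer 500 to account 43")
	fmt.Println(r.Receive(forged)) // data unit integrity: tag mismatch
	fmt.Println(r.Receive(r2))     // <nil>: the genuine unit is still accepted
}
```

Because the receiver only advances its state on success, a rejected forgery does not desynchronize the two ends, and the genuine record that follows is still accepted. A timestamp could be folded into the tag the same way the sequence number is, to bound how long a captured unit remains acceptable.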
Authentication exchange mechanism
Authentication exchange is the process by which one party verifies the identity of the other party during communication.
Common ways to achieve it:
password authentication; confirmation through data encryption; a "handshake" protocol in the communication; digital signatures and notarization; and identification using characteristics of the entity itself (such as voice or fingerprints).
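An added example that ties the digital signature mechanism above to the "handshake" form of authentication exchange; it is not code from the original post. The verifier issues a fresh random challenge, the prover signs it with its private key, and the verifier checks the signature with the prover's public key. Each challenge is accepted once, so a captured response cannot be replayed, and a party without the private key cannot answer as someone else. Ed25519 from the Go standard library stands in for "a digital signature"; the Prover/Verifier names, the protocol label and the identities are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Prover holds the private key: the signer's secret information.
// Type and identity names here are hypothetical, chosen for this example.
type Prover struct {
	id   string
	priv ed25519.PrivateKey
}

func NewProver(id string) (*Prover, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Prover{id: id, priv: priv}, nil
}

// Public returns the verification key, which may be handed out freely.
func (p *Prover) Public() ed25519.PublicKey {
	return p.priv.Public().(ed25519.PublicKey)
}

// Verifier holds only public keys plus the challenges it has issued.
type Verifier struct {
	known   map[string]ed25519.PublicKey
	pending map[[32]byte]bool // each nonce is usable exactly once
}

func NewVerifier() *Verifier {
	return &Verifier{known: map[string]ed25519.PublicKey{}, pending: map[[32]byte]bool{}}
}

func (v *Verifier) Register(id string, pub ed25519.PublicKey) { v.known[id] = pub }

// Challenge is step 1 of the handshake: a fresh random nonce.
func (v *Verifier) Challenge() ([32]byte, error) {
	var n [32]byte
	if _, err := io.ReadFull(rand.Reader, n[:]); err != nil {
		return n, err
	}
	v.pending[n] = true
	return n, nil
}

// Response is step 2: the claimed identity and a signature over the transcript.
type Response struct {
	ID  string
	Sig []byte
}

// transcript is what gets signed: a protocol label (so the signature cannot
// be reused in another protocol), the nonce, and the claimed identity.
func transcript(id string, nonce [32]byte) []byte {
	msg := []byte("auth-exchange-v1|")
	msg = append(msg, nonce[:]...)
	msg = append(msg, '|')
	return append(msg, id...)
}

func (p *Prover) Respond(nonce [32]byte) Response {
	return Response{ID: p.id, Sig: ed25519.Sign(p.priv, transcript(p.id, nonce))}
}

// Verify is step 3: the nonce must be one we issued and not yet consumed, the
// identity must be known, and the signature must check under that identity's key.
func (v *Verifier) Verify(nonce [32]byte, resp Response) error {
	if !v.pending[nonce] {
		return errors.New("unknown or already used challenge (replay?)")
	}
	delete(v.pending, nonce) // consumed whether or not the rest succeeds
	pub, ok := v.known[resp.ID]
	if !ok {
		return errors.New("unknown identity")
	}
	if !ed25519.Verify(pub, transcript(resp.ID, nonce), resp.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	alice, _ := NewProver("alice")
	mallory, _ := NewProver("mallory")
	v := NewVerifier()
	v.Register("alice", alice.Public())

	n, _ := v.Challenge()
	resp := alice.Respond(n)
	fmt.Println("genuine:", v.Verify(n, resp)) // <nil>
	fmt.Println("replay: ", v.Verify(n, resp)) // error: challenge already used

	n2, _ := v.Challenge()
	forged := mallory.Respond(n2)
	forged.ID = "alice" // mallory claims to be alice but cannot sign with alice's key
	fmt.Println("forgery:", v.Verify(n2, forged)) // error: signature does not verify
}
```

Two details carry the security argument: the nonce is generated by the verifier, not the prover, so the prover cannot pick a challenge it already has a signature for; and the verifier never holds anything but public keys, which is exactly the property the digital signature mechanism promises (anyone can verify, nobody can derive the private information).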
Traffic padding mechanism
The traffic padding mechanism adds redundant data to normal traffic in order to resist traffic analysis. This mechanism usually provides traffic flow confidentiality.
Routing control mechanism
Routes can be chosen dynamically so that only physically secure subnetworks, relays or links are used. Based on security attributes, data carrying certain attributes can be forbidden from passing through a given subnetwork, relay or link, which protects those communications.
Notarization mechanism
The notarization mechanism applies when the first and second parties do not trust each other: a third party trusted by both is brought in, and trust between the first and second parties is established through that third party. In a network, data integrity, the identity of the sender, the time of sending, and the identity of the destination can all be assured through the notarization mechanism.
Security products
Security products include firewalls, intrusion detection systems and malicious-code protection.