( ) , .
:
(DoD 5200.28-STD Trusted Computer System Evaluation Criteria) 1).
(NCSC-TG-005 Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria) 2).
CCITSE (Common Criteria for Information Technology Security Evaluation)
ISO 17799 3).
GOST 28147-89.
GOST R 34.10-94.
GOST R 34.11-94.
GOST R 34.10-2001.
4).
:
6 0 ( ) 5 ( -)
5 0 ( ) 4 ( )
6 0 ( ) 5 ( )
:
(, , .), (, , .) ()
(, , .), (, , .) ( , , .)
: ( ) + + => .
: , , () 5).
: ( ), ( ) ( ).
() CERT 6).
| %
RPC (Remote procedure calls) | 93,4
SMTP | 61,1
Finger ( 79 ) | 59,6
Trivial FTP ( ) | 57,4
HTTP | 42,4
DNS | 35,0
FTP | 33,0
/ SANS 7) [8, c. 200-201].
BIND (Berkeley Internet Name Domain) DNS UNIX/Linux 8.2.2 ( root)
Web-
RPC (rpc. cmsd, rpc. statd .) ( root)
(RDS Remote Data Service) Microsoft Internet Information Server
Sendmail UNIX/Linux 8.10 8)
sadmind (Solaris) mountd (Unix) (NFS Network File System) ( root)
NetBIOS - ( )
[8, .153-185; 4, . 264-311] 9):
D|DoS (Distributed | Denial-of-Service) | /
Ping-of-death ( 96) ping 10)
SYN flood ( 96)
Smurf ICMP hello
Fraggle UDP chargen (character generation )
DHCP
Teardrop IP . , (64 ),
Land = ( )
Nuke 139 Windows, .
(sniffing) IP
ARP
Tiny Fragment Attack . ,
, .
( )
Java Virtual Machine ActiveX
IPSec
IP-Security (IPSec) TCP/IP [8, . 427-436] 1).
(. . ↓) 2).
Authentication Header (AH) :
32 (4 )
(Next header) ( IANA Internet Assigned Numbers Authority)
(Payload length) 32 2
(Security parameters index) (0 )
(Sequence number) ( 0)
(Authentication data) , - .
IP . ↓
[Figure: placement of the AH header in the IP packet]
IP .
Encapsulated Security Payload (ESP) :
ESP IP . ↓
[Figure: placement of the ESP header in the IP packet]
() ESP 2 32- : (Security parameters index) (Sequence number) (. ).
() ESP (Padding), ; 8- (Pad length) 8- (Next header).
() (Authentication data) .
IP , .
() firewall (Intranet) (Extranet/Internet) [8, . 466-472] 1).
firewall . ↓.
(packet filter) () NAT , () (OUT/IN), IP , . . DoS (ping-of-death, SYN-flood .).
(virtual circuit control) , . . 2).
(application layer gateway) proxy HTTP, FTP, .
. . (DeMilitarized Zone DMZ) ,
(. . ↓).
29. VLAN, VPN.
VLAN (Virtual Local Area Network) VPN (Virtual Private Network) , . VLAN (Ethernet), VPN (TCP/IP).
VLAN Ethernet 802.1Q, 1) Ethernet , / [1, . 458-464]. ( ) (). , VLAN - . , , .
, . , , .
. -, (TCP/IP, IPX/SPX, , X.25 .) .
-, .
-, .
, , .
OSI
ISDN
ISDN
Ethernet
Ethernet
Ethernet
() COM
TCP/IP
UDP
FTP
HTTP
Telnet
NAT
Proxy
WEB
UNIX/Linux
IPSec