Web应用的安全模式.pptVIP

过滤服务filtering service 除了低级的IP地址包过滤，还可检查包的协议或其他高层服务 即实施基于服务的过滤 Example： allow HTTP and SMTP and FTP only 实现的方法：Can use a boolean combination of destination, source and services. 第三十页，共五十六页。 Firewall with Packet Filtering 第三十一页，共五十六页。 “外患” ? Aspects of Security ? Authentication and Encryption ? Internet Firewalls and Packet Filtering ? Virtual Private Networks ? Secure HTTP (SHTTP) and Secure Socket Layer (SSL) ? Securing your Site 第三十二页，共五十六页。 Private Networks 第三十三页，共五十六页。 Plus Minus of Private Networks 专线连接站点：完全的安全性。 (completely private) Nobody else has access or can read passing data 租用专线==》昂贵代价 Internet无法保证confidentiality，但很便宜： just get ISP on both ends. 能否同时兼得二者的好处？ 第三十四页，共五十六页。 Virtual Private Network (VPN) VPN is implemented in software Each router runs a VPN software VPN software acts as a packet filter VPN software encrypts packets, all communication remains confidential 第三十五页，共五十六页。 Tunneling技术 将整个报文都加密传送？？？？ 如果报头加密， routers wouldn’t know who is the receiver 如果报头不加密，信息可能泄露 (who is sending and who is receiving may be observed) VPN使用一种称为IP-in-IP tunneling的技术来完全隐藏信息。 第三十六页，共五十六页。 IP-in-IP Tunneling 第三十七页，共五十六页。 “外患” ? Aspects of Security ? Authentication and Encryption ? Internet Firewalls and Packet Filtering ? Virtual Private Networks ? Secure HTTP (SHTTP) and Secure Socket Layer (SSL) ? Securing your Site 第三十八页，共五十六页。 Secure HTTP S-HTTP request header – Secure * secure-HTTP/1.1 – Content-Privacy-Domain PEM or PKS-7 – Content-Type: application/http – Security-Scheme, Certificate-Info, Key-Assign S-HTTP response header – Secure-HTTP/1.1 200 OK 两个特点：协商、脆弱 第三十九页，共五十六页。 Negotiation S-HTTP允许交互双方就安全参数进行协商 S-HTTP allows both parties to negotiate their needs and preferences regarding security parameters (algorithm, key length,etc.) 第四十页，共五十六页。 Vulnerability S-HTTP 容易受低层攻击，因为它是一个应用层的协议。 S-HTTP is vulnerable since it is susceptible to low level attacks at the TCP or IP level. It is secure at the application level only. 第四十一