School network – security and management (校園網絡的保安與管理)

Prof. P.C. Wong (黃寶財教授)
The Chinese University of Hong Kong
Tel: 2892-1722, Fax: 2892-1733
Email: [email protected]


Page 2

[Diagram: the school network. ISP / Internet - modem - router - firewall - switch; the switch feeds the Teacher LAN, the Student LAN, the IT Room PCs and the school servers (proxy, file, intranet, video).]


Page 3

Why network security?

[Diagram: the school LAN (switching) connects through a router to the WAN (routing); packets (101101001) flow in both directions.]

Your network is connected to the whole world.


Page 4

What problem?

- Denial of Service (DoS): ping of death, UDP floods, mail bombs
- Exploitation attacks: password guessing, trojan horses (NetBus, Back Orifice), buffer overruns
- Information gathering attacks: address scanning, port scanning, finger, etc.
- Disinformation attacks: DNS cache pollution, forged email
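The information-gathering attacks above (address scanning and port scanning) are the easiest of the four classes to spot from the firewall's own deny log. The following is an added example, not code from the original slides: a small detector that reads constructed deny-log lines and flags a source that touches many distinct ports on one host (port scan) or one port on many hosts (address sweep) within a time window. The log format, the addresses, the thresholds and the window length are all assumptions chosen for the illustration.

```python
"""Detect port scans and address sweeps in firewall deny logs.

Added example for this page, not code from the original slides. The log
format is constructed for illustration: one denied packet per line as
"<epoch> DENY <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto>".
The thresholds and window are assumptions; tune them to real traffic.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\d+) DENY (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("ts", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec


def detect_scans(lines, window=60, port_threshold=10, host_threshold=10):
    """Flag sources that probe many ports on one host or one port on many hosts.

    Counts are kept per source and reset when more than `window` seconds
    have passed since that source's window opened. A source reaching
    `port_threshold` distinct ports on a single host is a port scan; one
    reaching `host_threshold` distinct hosts on a single port is an
    address sweep. Returns a sorted list of (kind, source, target) tuples.
    """
    events = [rec for rec in map(parse_line, lines) if rec]
    events.sort(key=lambda rec: rec["ts"])
    ports_by_target = defaultdict(set)  # (src, dst) -> distinct dst ports
    hosts_by_port = defaultdict(set)    # (src, dport) -> distinct dst hosts
    window_start = {}                   # src -> timestamp opening its window
    findings = set()
    for rec in events:
        src = rec["src"]
        if src not in window_start or rec["ts"] - window_start[src] > window:
            # open a fresh window for this source and forget its old counts
            window_start[src] = rec["ts"]
            for key in [k for k in ports_by_target if k[0] == src]:
                del ports_by_target[key]
            for key in [k for k in hosts_by_port if k[0] == src]:
                del hosts_by_port[key]
        ports_by_target[(src, rec["dst"])].add(rec["dport"])
        hosts_by_port[(src, rec["dport"])].add(rec["dst"])
        if len(ports_by_target[(src, rec["dst"])]) >= port_threshold:
            findings.add(("port_scan", src, rec["dst"]))
        if len(hosts_by_port[(src, rec["dport"])]) >= host_threshold:
            findings.add(("address_sweep", src, str(rec["dport"])))
    return sorted(findings)


# Constructed sample log (not real data): a port scan, an address sweep,
# a harmless client retrying one closed port, and one unparseable line.
SAMPLE_LOG = (
    [f"{1000 + i} DENY 202.45.191.77:{40000 + i} -> 192.168.1.10:{20 + i} tcp"
     for i in range(16)]
    + [f"{2000 + i} DENY 137.189.96.5:51000 -> 192.168.1.{i + 1}:445 tcp"
       for i in range(12)]
    + [f"{3000 + i} DENY 10.0.0.9:3333 -> 192.168.1.20:8080 tcp"
       for i in range(8)]
    + ["not a firewall log line"]
)

if __name__ == "__main__":
    for kind, src, target in detect_scans(SAMPLE_LOG):
        print(f"{kind}: {src} -> {target}")
```

The retrying client in the sample is deliberately not reported: it generates eight denies, but against one port on one host, so neither distinct-count reaches its threshold. Shrinking the window (for example to 5 seconds) splits the scan into several short bursts and suppresses both findings, which is the usual trade-off between catching slow scans and raising false alarms.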


Page 5

Routing

[Diagram: a router joins Net 1 and Net 2 with one interface on each side (202.45.191.1 and 137.189.96.210). A routing table maps destination networks (A, B, C) to the outgoing interface (1 or 2).]

Sophisticated forwarding


Page 6

Packet, Protocol, and Application

[Diagram: a web client (client port 1980) and a web server, each with an Ethernet / IP / TCP stack, talk across the Internet; the web server listens on port 80 and an FTP server on port 21. Each packet is a header followed by data; the header carries the source and destination IP addresses (e.g. 123.22.11.22), the protocol (TCP) and the client and destination ports. Other addresses shown: 202.445.59.44 (as printed; 445 is not a valid octet) and 134.5.6.3.]


Page 7

How does a network application work?

How does a client know where/what to call? How does a server know who is calling? How can a client have multiple calls to the same server application? How can multiple clients call the same server application?

Answer: each connection is identified by a pair of IP/port combinations:

(Client IP, source port) <-> (destination IP, destination port)

(123.45.34.20, 1434) <-> (202.45.183.3, 80)

(133.99.33.21, 1999) <-> (202.45.183.3, 80)

(123.45.34.20, 2000) <-> (202.45.183.3, 80)


Page 8

What security measures?

- Network partitioning: Virtual LAN (VLAN)
- Firewall: packet filtering
- NAT: network address translation
- Proxy: application filtering
- Application protection: virus scanning, etc.
- Client protection: browser security settings
- Putting it together


Page 9

Virtual LAN (VLAN, 虛擬網絡)

[Diagram: a single switch partitioned into VLANs A, B and C, separating the IT Room, the SAMS/staff segment, the student segment, and the teaching and learning servers (proxy, web, intranet, ...).]


Page 10

Firewall – a special 1:1 router

[Diagram: Internet - digital modem - router - firewall - school LAN. The firewall has one interface on each side and forwards only the packets its policy allows.]

* Level of control/blocking
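A packet-filtering firewall decides per packet using the same (source IP, source port, destination IP, destination port) identity that the earlier slide uses to tell connections apart; keeping a table of those 4-tuples is what lets it admit replies to connections the LAN opened while dropping unsolicited inbound packets. The following is an added example, not code from the original slides, that models such a two-interface filter. The addresses and the rule table are assumptions: 192.168.1.0/24 is taken as the school LAN, 192.168.1.5 as the school's public web server, and the LAN is allowed to open outbound web (80, 443) and FTP control (21) connections.

```python
"""Stateful packet filter keyed on the (source IP, source port,
destination IP, destination port) pair that identifies a connection.

Added example for this page, not code from the original slides. The
addresses and the rule table are assumptions: 192.168.1.0/24 is the
school LAN, 192.168.1.5 is the school's public web server, and the LAN
may open outbound web (80, 443) and FTP control (21) connections.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

# flags: comma-separated TCP flags, e.g. "SYN" or "SYN,ACK"; "" for UDP
Packet = namedtuple("Packet", "src sport dst dport proto flags")

SCHOOL_LAN = ip_network("192.168.1.0/24")
WEB_SERVER = ip_address("192.168.1.5")
OUTBOUND_TCP_PORTS = {80, 443, 21}


class StatefulFilter:
    """Two-interface filter: LAN on one side, Internet on the other."""

    def __init__(self):
        # 4-tuples of connections that were allowed to start, stored in
        # the direction of their first packet
        self.connections = set()

    def allow_new(self, pkt):
        """Static rule table, consulted only for packets with no matching state."""
        src, dst = ip_address(pkt.src), ip_address(pkt.dst)
        if src in SCHOOL_LAN and dst not in SCHOOL_LAN:
            return pkt.proto == "tcp" and pkt.dport in OUTBOUND_TCP_PORTS
        if src not in SCHOOL_LAN and dst == WEB_SERVER:
            return pkt.proto == "tcp" and pkt.dport == 80
        return False  # default deny, including unsolicited inbound to LAN PCs

    def process(self, pkt):
        """Return "ALLOW" or "DROP" for one packet, updating the state table."""
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if forward in self.connections or reverse in self.connections:
            return "ALLOW"  # belongs to a connection we already accepted
        flags = set(pkt.flags.split(","))
        if pkt.proto == "tcp" and not ("SYN" in flags and "ACK" not in flags):
            return "DROP"   # only a bare SYN may start a TCP connection
        if self.allow_new(pkt):
            self.connections.add(forward)
            return "ALLOW"
        return "DROP"


def run_demo():
    """Run a constructed packet sequence through the filter; returns the verdicts."""
    fw = StatefulFilter()
    traffic = [
        # a LAN PC opens a web connection: new, outbound, port 80 -> allowed
        Packet("192.168.1.3", 1434, "202.45.183.3", 80, "tcp", "SYN"),
        # the server's reply matches the reversed 4-tuple -> allowed by state
        Packet("202.45.183.3", 80, "192.168.1.3", 1434, "tcp", "SYN,ACK"),
        # same PC, same server, new source port: a second, distinct connection
        Packet("192.168.1.3", 2000, "202.45.183.3", 80, "tcp", "SYN"),
        # outsider probing a LAN PC directly: no state, no rule -> dropped
        Packet("202.45.191.77", 40000, "192.168.1.3", 139, "tcp", "SYN"),
        # outsider sends a bare ACK (ACK scan): no state -> dropped
        Packet("202.45.191.77", 40001, "192.168.1.3", 80, "tcp", "ACK"),
        # outsider connecting to the school web server on 80 -> allowed
        Packet("133.99.33.21", 1999, "192.168.1.5", 80, "tcp", "SYN"),
        # LAN PC trying telnet out: port 23 is not in the rule table -> dropped
        Packet("192.168.1.3", 2001, "202.45.183.3", 23, "tcp", "SYN"),
    ]
    return [fw.process(p) for p in traffic]


if __name__ == "__main__":
    print(run_demo())
```

The second and third packets show why the full 4-tuple matters: the reply is admitted only because its reversed tuple is in the table, and the PC's second connection to the same server is a separate entry because its source port differs. The "level of control" on the slide corresponds to how restrictive the `allow_new` rule table is; the state table is what makes a default-deny inbound policy workable.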


Page 11

Address 地址 (real and fake)

[Diagram: NAT (network address translation) between the LAN and the WAN. LAN side: private addresses 192.168.1.2 and 192.168.1.3. WAN side: public addresses 123.34.33.44 and 202.34.30.3, plus 275.3.44.5 (not a valid IPv4 address: an octet cannot exceed 255).]
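NAT lets the private 192.168.1.x hosts on the LAN side share one public address on the WAN side; the router rewrites the source of each outgoing packet and keeps a table so that replies can be mapped back. The following is an added example, not code from the original slides, of port-overloaded NAT (many private hosts behind one public address, each flow given its own public port). The public address 123.34.33.44 and the private hosts are taken from the slide; the public port range and the remote server address are assumptions.

```python
"""Network address translation (NAT) between the school LAN and the WAN.

Added example for this page, not code from the original slides. It
implements port-overloaded NAT (one public address shared by many private
hosts, each flow getting its own public port). The public address
123.34.33.44 and the 192.168.1.x private hosts come from the slide; the
public port range is an assumption.
"""
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "src sport dst dport")

LAN = ip_network("192.168.1.0/24")  # private (RFC 1918) space on the LAN side


class NatRouter:
    def __init__(self, public_ip="123.34.33.44", first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.outbound = {}  # (priv_ip, priv_port, dst, dport) -> public port
        self.inbound = {}   # public port -> (priv_ip, priv_port, dst, dport)

    def lan_to_wan(self, pkt):
        """Rewrite the source of a packet leaving the LAN to the public address."""
        if ip_address(pkt.src) not in LAN:
            raise ValueError(f"{pkt.src} is not a LAN address")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.outbound.get(key)
        if port is None:
            # first packet of this flow: allocate a fresh public port
            port = self.next_port
            self.next_port += 1
            self.outbound[key] = port
            self.inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def wan_to_lan(self, pkt):
        """Map a packet arriving from the WAN back to the private host.

        Returns None (drop) when there is no mapping, or when the sender is
        not the host/port the private client actually contacted. Unsolicited
        inbound packets therefore never reach a LAN host.
        """
        if pkt.dst != self.public_ip:
            return None
        key = self.inbound.get(pkt.dport)
        if key is None:
            return None
        priv_ip, priv_port, dst, dport = key
        if (pkt.src, pkt.sport) != (dst, dport):
            return None
        return Packet(pkt.src, pkt.sport, priv_ip, priv_port)


def run_demo():
    """Two private hosts using the same source port reach the same server."""
    nat = NatRouter()
    out1 = nat.lan_to_wan(Packet("192.168.1.3", 1434, "202.45.183.3", 80))
    out2 = nat.lan_to_wan(Packet("192.168.1.2", 1434, "202.45.183.3", 80))
    # the server replies to the public address and the allocated ports
    back1 = nat.wan_to_lan(Packet("202.45.183.3", 80, nat.public_ip, out1.sport))
    back2 = nat.wan_to_lan(Packet("202.45.183.3", 80, nat.public_ip, out2.sport))
    # an outsider probing the public address with no mapping behind it
    probe = nat.wan_to_lan(Packet("202.45.191.77", 40000, nat.public_ip, 139))
    return out1, out2, back1, back2, probe


if __name__ == "__main__":
    for p in run_demo():
        print(p)
```

The two private hosts both use source port 1434, so the router cannot simply pass the port through; it allocates distinct public ports (40000 and 40001) and the table is what disambiguates the replies. Because `wan_to_lan` also checks that the reply comes from the host and port the client contacted, a packet from a third party aimed at an allocated public port is dropped, which is the side effect that makes NAT behave like a coarse inbound filter even though it is not a firewall.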


Page 12

Proxy – an application filter

[Diagram: Internet - digital modem - router - firewall (FW) - proxy - school LAN.]

* Web, Email, FTP
* Caching and content filtering


Page 13

Putting it together

[Diagram: Internet - digital modem - router/NAT - firewall - VLAN switch, with the school server and proxy on one segment and the student and teacher segments on separate VLANs.]


Page 14

A Floppy Firewall

- Hardware: a PC with 2 network cards, keyboard, monitor and a floppy drive
- Advantages: simple management, robust/reliable, low cost, easy to support
- But: no DHCP
- Floppy contents: DOS format, network config, firewall config