信息安全英语翻译 -
会议发言稿格式-福建阳光高考信息平台
原
理
与
实
践
信
息
安
全
英
语
:
网
络
安全
学院:理学院
学号:1308105066
班级:信安(3)班
姓名:张令宁
Chapter 1. An
Introduction to Network Security
第1章简介网络安全
This chapter covers the following key
topics:
本章包括以下主要内容:
Network
Security Goals— This section discusses the goals
of
implementing security on a network.
Asset Identification— This section discusses
the need to define
the assets in a network
that need to be protected against network
attacks.
Threat Assessment— This section
discusses how to recognize the
threats unique
to a network setup.
Risk Assessment— We
discuss what risk means and how it needs to
be
evaluated for all network assets in order to set
up meaningful
safeguards.
Constructing a
Network Security Policy— We use this section to
discuss how to set up a network security
policy in light of the
definitions established
in the previous sections.
Elements of a
Network Security Policy— We discuss the pieces
that
come together to form a network security
policy.
Implementing a Network Security
Policy— This section discusses
technical and
nontechnical aspects of implementing a network
security policy.
Network Security
Architecture Implementation— We discuss how the
network policy can be translated into a secure
network
architecture.
Audit and
Improvement— We discuss how audits and continuous
improvements are necessary for a successful
network security policy
implementation.
Case Study— You see how the theories discussed
in this chapter can
be put into effective
use.
•网络安全Goals-本节讨论在网络上实现安全的目标。
•资产识别
- 本节讨论,需要在需要被保护,以防止网络攻击的
网络定义的资产。
1
•威胁评估之本节讨论如何识别唯一的网络设置的威胁。
•风险评
估之我们讨论什么风险的手段,以及如何需要它来为所
有网络资产,以建立有意义的保障措施进行评估。
•构建网络安全政策制订我们使用本节讨论如何建立一个网络安
全策略鉴于成立了上一节中的定
义。
•网络安全政策制订的要素我们讨论走到一起,形成一个网络安
全策略的作品。
•实施网络安全政策制订本节讨论实施网络安全策略的技术和非
技术方面的问题。
•网络安全体系结构Implementation-
我们讨论如何在网络策略可
以被翻译成一个安全的网络架构。
•审计和Improvement-
我们讨论审核和持续改进是如何需要一个
成功的网络安全策略的实施。
•案例Study-
您怎么看这一章中讨论的理论可以投入有效的使用。
This chapter launches
the book with a general discussion of developing
a motivation for network security. It aims to
develop your understanding
of some of the
common threats against which a network must be
protected
and discusses at a high level some
of the controls that can be put into
place to
defend against these attacks. A security policy is
the foundation
of all network security
implementations that occur on any given network.
It defines the scope and methodology of the
security implementations. We
will discuss the
basic principles of setting up a meaningful
security
policy and how it can be implemented
in a network environment. The later
sections
of the chapter discuss the value of auditing the
security policy
implementation and how it
needs to be continuously tested and improved.
本章开发一种动机网络安全的一般性讨论推出这本书。它的目的是发
展你的一些共同的威胁,对其中一个
网络必须在高层次进行保护,并
2
讨论一些可以到位,
以对抗这些攻击的控件的理解。安全策略是任何
给定的网络上发生的所有网络安全的实现奠定了基础。它
定义了安全
实现的范围和方法。我们将讨论建立一个有意义的安全策略,以及它
如何在网络环境
中实现的基本原理。本章的后面的章节讨论审核安全
策略实施的价值以及它如何需要不断测试和改进。<
br>
Network Security Goals
网络安全目标
Network security is the process through which
a network is secured against
internal and
external threats of various forms. In order to
develop a
thorough understanding of what
network security is, you must understand
the
threats against which network security aims to
protect a network. It
is equally important to
develop a high-level understanding of the main
mechanisms that can be put into place to
thwart these attacks.
网络安全是通过该网络被固定以防止各种形式的内部和
外部威胁的
过程。为了开发一个透彻地了解网络的安全性,必须了解其对网络安
全的目的是保护
网络中的威胁。同样重要的是,开发了可以放入地方
阻止这些攻击的主要机制的高级别理解。
Generally, the ultimate goal of implementing
security on a network is
achieved by following
a series of steps, each aimed at clarifying the
relationship between the attacks and the
measures that protect against
them. The
following is the generally accepted approach to
setting up and
implementing security on a
site, as suggested by Fites, et al. in Control
and Security of Computer Information Systems
(M. Fites, P. Kratz, and A.
Brebner, Computer
Science Press, 1989):
一般情况下,实现安全网络上的最终目标是通过以下一系列步骤
3
实现的,每一个旨在澄清的攻击,并保护对他们采取的措施之间的关
系。下面是普遍接受的方法来建立和在网站上实现安全性,所建议的
Fites,等人。在控制计算机信
息系统(M. Fites,P.克拉茨和A.布雷布
纳,计算机科学出版社,1989年)的安全性:
Step fy what you are trying to protect.
Step ine what you are trying to protect it
from.
Step ine how likely the threats are.
Step ent measures that protect your assets in
a cost-effective manner.
Step the process
continuously, and make improvements each time you
find a weakness.
步骤1:识别你想保护什么。
步骤2.确定您要保护它的东西。
第3步:确定威胁怎么可能是。
第4步实施的保护您的资产以具有成本效益的方式的措施。
第5步审查的过程中不断地,你会发现一个弱点,每次进行改进。
Asset
Identification
资产鉴定
Most modern
networks have many resources that need to be
protected. The
reason is that most enterprises
today implement network systems to provide
information to users across the network in
digital format rather than in
another form,
such as hard copies. Therefore, the number of
resources that
need to be protected increases
significantly. The following list, by no
4
means comprehensive,
identifies network resources that need to be
protected from various types of attacks:
大
多数现代网络具有需要被保护的资源。其原因是,大多数企业目前
实施的网络系统提供信息,以在整个网
络中的用户的数字格式,而不
是另一种形式,诸如硬拷贝。因此,资源的需要的数量要显著保护增
大。下面的列表,并不全面,标识需要被保护,免受不同类型的攻击
的网络资源:
Network equipment such as routers, switches,
and firewalls
Network operations information
such as routing tables and access
list
configurations stored on this equipment
Intangible networking resources such as
bandwidth and speed
Information and the
information sources connected to the network,
such as databases and information servers
End hosts connecting to the network to make
use of various resources
Information passing
across the network at any given time
The
privacy of the users as identifiable through their
usage of the
network resources
网络设备诸如路由器,交换机,防火墙和
网络运营信息,如存储在该设备的路由表和访问控制列表配置
无形的网络资源,如带宽和速度
连接到网络,如数据库和信息服务器的信息和信息来源,
连接到网络的终端主机利用各种资源
信息传递通过网络在任何给定时间
用户的通过的网络资源的使用量为可识别的隐私
所有这些因素都考虑在内的网络资产。你需要通过制定和实施
网络安全计划,以保护他们。
5
All these things
are considered a network's assets. You need to
protect
them by formulating and implementing a
network security plan.
Threat Assessment
威胁评估
Network attacks are what a
network security process aims to protect its
network assets against. Network security
attacks are attempts, malicious
or otherwise,
to use or modify the resources available through a
network
in a way they were not intended to be
used. In order to better understand
what
network attacks are, it is a good idea to look at
the types of network
attacks. Network attacks
in general can be divided into three main
categories:
网络攻击是什么样的网络安全处理的目的是保护其网络资产反
对。网络安全攻击是企图,恶意的或其他方式,通过在某种程度上它
们不旨在用于一个网络使用或修改
现有的资源。为了更好地了解网络
攻击,这是看网络攻击的类型是个好主意。在一般的网络攻击,可分<
br>为三大类:
Unauthorized access to resources or
information through the use of
a network
Unauthorized manipulation and alteration of
information on a
network
Denial of
service
通过使用网络的未经授权访问资源或信息
未经授权的操作和变更信息在网络上
拒绝服务
6
Chapter 14,
examination of the various
categories of network attacks.
第14章,“什么是入侵检测?”,提供的各类网络攻击的更详细的
检查。
The key word to note in the first two
categories of attacks is unauthorized.
A
network security policy defines what is authorized
and what is not.
However, in general terms,
unauthorized access occurs when a user attempts
to view or alter information that was not
intended for his or her specific
use. In some
situations it can be fairly difficult to define
what was
intended for the use of a given user.
Therefore, it is imperative to have
a security
policy in place that is restrictive enough to
clearly define
a limited number of very
specific resources and network elements that a
user should be allowed to gain access to.
关键的字记下前两类攻击是未经授权的。网络安全策略定义了什么是
授权的,哪些不是。但是,
总体而言,当用户试图查看或更改的目的
不是为他或她的具体使用信息未经授权的访问发生。在一些情况
下,
它可以是相当困难的定义什么是打算利用给定用户的。因此,必须有
一个安全策略的地方的
是足以限制明确界定的非常具体的资源和网
络元素使得用户应允许获得的数量有限。
Information on a network can be either the
information contained on end
devices connected
to the network, such as web servers and databases;
information passing through the network; or
information relevant to the
workings of the
networking components, such as the routing tables
and
access control list configurations.
Resources on a network can either be
the end
devices (network components such as routers and
firewalls) or the
interconnect mechanisms.
一个网络上的信息可以是包含在连接到网络的终端设备,诸如
Web服务器和数据库中的信息;信息通
过网络;或相关的网络组件,如
路由表和访问控制列表的配置的运作信息。一个网络上的资源可以是7
终端设备(网络组件,如路由器和防火墙)或互连机制。
Denial of service is one of the most common
types of network attacks.
Denial of service
occurs when legitimate access to a network
resource is
blocked or degraded by a malicious
act or a mistake.
拒绝服务是网络攻击的最常见的类型之一。当合法访问网络资源
被阻
塞或恶意行为或错误发生降解拒绝服务。
It is important
to note that a network security attack can be
intentional or unintentional.
The aim of the
security mechanisms in a network is not only to
protect against planned and
coordinated
attacks conducted with malicious intent, but also
to protect the network and its
resources
against mistakes made by users. The damages caused
by either type of attack can be
similar.
要
注意的是网络安全攻击可以是有意或无意的是重要的。在网络
中的安全机制的目的不仅是为了防止有恶意
企图进行规划和协调的
攻击,还能保护网络及其资源对用户所犯的错误。造成两种类型的攻
击所
造成的损害可能是相似的。
Keeping in mind the attacks
just outlined, you can start building an
outline of the goals of implementing network
security on a network. The
ultimate goal is to
protect the network against the attacks just
described.
Therefore, a network security
implementation should aim to achieve the
following goals:
牢记攻击刚才提到,您可以开始构建的网络上实现网络安
全的目
标的轮廓。最终的目标是保护网络免受刚才所描述的攻击。因此,网
络安全的实现应力求
实现以下目标:
Ascertain data confidentiality
Maintain data integrity
8
Maintain data
availability
探悉数据的保密性
维护数据的完整性
保持数据的可用性
Risk Assessment
风险评估
Having identified the assets and the
factors that threaten them, the next
step in
formulating a network security implementation is
to ascertain how
likely the threats are in the
environment in which the security is being
implemented. Realize that although it can be
important to protect against
all types of
attacks, security does not come cheap. Therefore,
you must
do a proper risk analysis to find out
what the most significant sources
of attack
are and devote the most resources to protecting
against them.
在确定了资产和威胁他们的因素中,在制定一个网络安全实施的下一个步骤是确定威胁的可能性有多大在将安全正在执行的环境。要知道,
虽然它很重要,以防止所有类
型的攻击,安全性并不便宜。因此,你
必须做一个适当的风险分析,以找出攻击的最显著来源和投入最多
的
资源,以防止他们。
Risk assessment can be done
in a variety of ways. However, two main factors
affect the risk associated with a particular
type of threat's
materializing:
风险评估可以以各种方
式来完成。然而,有两个主要因素影响与特定
类型的威胁的物化的相关的风险:
9
The likelihood that that
particular attack will be launched against
the
asset in question
The cost to the
network in terms of damages that a successful
attack
will incur
该特定攻击将针对有问题的资产推出的可能性
赔偿金,一个成功的攻击会招致方面的成本,网络
The likelihood
that an attack will materialize is an important
consideration in risk assessment. It is often
difficult to have complete
information on what
types of attacks can be staged against an asset on
a network. However, it is important to realize
that because a network is
being protected to
achieve the three goals defined in the preceding
section, most risk analysis assessments can be
divided into these three
categories as well: <
br>在攻击中一定会实现的可能性是在风险评估的重要考虑因素。它
往往是很难有什么类型的攻击可以
暂存针对资产在网络上的完整信
息。但是,必须认识到,由于网络被保护,实现了上一节中定义的三个目标,承担最大风险的分析评估可以分为以下三大类,以及重要的
是:
Confidentiality
Integrity
Availability
保密
诚信
可用性
If a network resource's
availability is critical and the likelihood of
an attack being launched against it is high,
this asset's risk level can
be considered
fairly high. An example of such an asset is a
high-visibility
web server. Due to its high
visibility, it can be a likely target for
attackers. Also, it is important for a web
server to be available at all
times.
Therefore, this asset is high-risk in terms of
availability. On
the other hand, an FTP server
that is available only on the internal
10
network and that is invisible to
the outside world might require high
confidentiality but is not a high-availability
risk, because outside
attackers do not know of
it under normal circumstances. Note that all risk
measurements are relative and are conducted
keeping in mind the
criticality of various
assets of the networks vis-á-vis each other.
如
果一个网络资源的可用性至关重要,并且攻击的可能性正在展
开反对高,该资产的风险水平可以被认为是
相当高的。这种资产的一
个例子是高能见度的web服务器。由于其较高的知名度,它可以为
攻
击者可能的目标。此外,一个Web服务器可用在任何时候都是重
要的。因此,该资产是高风险的可用性
方面。另一方面,一个FTP服
务器仅在内部网络,并且是不可见的外界可能需要高保密性,但不是一个高可用性的风险,因为攻击者外,一般情况下不知道它。注意,
所有的风险测量是相对的,是进
行牢记网络各种资产的临界相,以对
比彼此。
Risk assessment can
be done in quite a few different ways—some
quantitative, others qualitative. You must
choose a risk assessment
technique that can
best identify the risks associated with a site. 风险评估可以在很多不同的方式,一些定量,定性的人来完成。你必
须选择一个风险评估技术,能最
好地识别与网站相关的风险。
After you have compiled a
list of the risk levels associated with various
assets in the network, the next step is to
create a policy framework for
protecting these
resources so that risk can be minimized.
Obviously, the
policy must prioritize its
efforts to mitigate threats against the
high-
risk assets and then spend the rest of its efforts
in attacking the
lower-risk assets.
编译完成后与
网络中的各种资产相关联的风险级别的列表,下一个步
骤是创建一个政策框架保护这些资源,使风险可被
最小化。显然,政
11
策必须优先考虑它的努力,以减
轻对高风险资产的威胁,然后花努力
的休息攻击低风险资产。
Constructing a Network Security Policy
构建网络安全策略
A network security policy defines
a framework to protect the assets
connected to
a network based on a risk assessment analysis. A
network
security policy defines the access
limitations and rules for accessing
various
assets connected to a network. It is the source of
information
for users and administrators as
they set up, use, and audit the network.
网络安全策
略定义了一个框架来保护连接到基于风险评估分析的网
络资产。网络安全策略定义用于访问连接到网络的
各种资产的访问的
限制和规则。它是信息的用户和管理员的来源,因为他们建立,使用
和审计网
络。
A network security policy should be
general and broad in scope. What this
means is
that it should provide a high-level view of the
principles based
on which security-related
decisions should be made, but it should not go
into the details of how the policy should be
implemented. The details can
change overnight,
but the general principles of what these details
are
trying to achieve should remain the same.
网络安全策略应该是普遍和广泛的范围。这意味着,它应该提供
的依据的原则上与安全相关的决
定应该由高级别视图,但它不应该进
入如何政策应实施的细节。详细信息可以在一夜之间改变,而是对这
些细节正在努力实现的一般原则应保持不变。
12
S. Garfinkel and G. Spafford in
Practical Unix and Internet Security
define
the following three roles that a policy should
attempt to play:
S.加芬克尔和G.斯帕福德在实际Unix和网络安全定义以下
三个角色,
一个政策应该尝试播放:
Clarify what is being
protected and why it is being protected.
State who is responsible for providing that
protection.
Provide grounds on which to
interpret and resolve any later
conflicts that
might arise.
明确什么是被保护的,为什么它是被保护的。
国家谁是负责提供这种保护。
提供关于其理由,来解释和解决可能出现的任何后来的冲突。
The first
point is an offshoot of the earlier discussion
regarding asset
identification and risk
assessment. Risk assessment in essence is an
objective method of outlining why the
resources in a network are to be
protected.
The second point covers who is responsible for
ensuring that
the security requirements are
met. This can be one or more of the
following:
第一点是之前的讨论中关于资产识别和风险评估的一个分支。在
本质上的风险评估是概述为什么
在网络中的资源要被保护的一个目
标的方法。第二点涉及谁负责确保满足安全要求。这可以是一个或多<
br>个以下:
The network's users
The
network's administrators and managers
The auditors who audit the network's usage
The managers who have overall ownership
of the network and its
associated resources
13
•该网络的用户
•该网络的管理者与被管理者
•谁审核了网络的使用情况的审计师
•谁拥有网络的总拥有管理人员和相关资源
The third point is
important because it sets responsibility for
issues
not covered in the policy on the
shoulders of specific individuals rather
than
leaving them open to arbitrary interpretation.
因为它设置为不包括对具体个人的肩膀上的政策,而不是让他们开到
任意解释的问题
的责任的第三点是很重要的。
In order for a security
policy to be enforceable, it must be practical
to implement given the available technology. A
very comprehensive policy
that contains
elements that are not technically enforceable
becomes less
than useful.
为了使安全策略强制执行,它必须是
实用工具中给出的现有技术。
包含技术上来说并不是强制执行的内容非常全面的政策小于有用。
In terms of ease of use of network resources
by the users, there are two
types of security
policies:
在易于由用户使用的网络资源的方面,有两种类型的安全策略
Permissive— Everything not expressly
prohibited is allowed.
Restrictive—
Everything not expressly permitted is prohibited.
Permissive-一切未明确禁止的是允许的。
Restrictive-一切不明确允许被禁止。
14
It is generally a better idea from
a security perspective to have a
restrictive
policy and then based on actual usage open it up
for legitimate
usage. A permissive policy
generally has holes no matter how hard you try
to plug all the holes.
它通常是从安全的角度更好的主意,有一个
限制性政策,然后根
据实际使用情况打开它的合法使用。一个宽容的政策一般有孔,无论
你怎么
努力将所有的孔。
A security policy needs to
balance ease of use, network performance, and
security aspects in defining the rules and
regulations. This is important,
because an
overly restrictive security policy can end up
costing more than
a security policy that is
somewhat more lenient but makes up for it in
terms of performance gains. Of course, minimum
security requirements as
identified by risk
analysis must be met for a security policy to be
practical.
安全策略需要平衡易用性,网络性能和安全性方面确定的规则和规章。
这一点很重要,因为过于严格的安全策略可以结束了耗资超过的安全
策略是较为宽松,但弥补了
它在性能提升方面。当然,必须满足安全
策略确定的风险分析的最低安全要求,是实用的。
Elements of a Network Security Policy
网络安全策略的要素
In order to get a thorough
understanding of what a network security policy
is, it is instructional to analyze some of the
most important elements
of a security policy.
RFC 2196 lists the following as the elements of a
security policy:
15
为了悟透的网络安全策略是什么,它是指导,分析了一些安全策略的
最重要的因素。 RFC
2196列出了以下作为安全策略的要素:
1. Computer Technology
Purchasing Guidelines which specify required,
or referred, security features. These should
supplement existing
purchasing policies and
guidelines.
安全功能,计算机技术采购准则,该准则规定要求,或简称。这
些应
该补充现有的采购政策和指导方针。
2. A Privacy Policy
which defines reasonable expectations of privacy
regarding such issues as monitoring of
electronic mail, logging of
keystrokes, and
access to users' files.
A隐私政策定义的关于隐私等问题的监督电子邮箱
,击键记录,并
获得用户的文件,合理的预期。
3. An Access
Policy which defines access rights and privileges
to
protect assets from loss or disclosure by
specifying acceptable use
guidelines for
users, operations staff, and management. It should
provide guidelines for external connections,
data communications,
connecting devices to a
network, and adding new software to systems.
It should also specify any required
notification messages (e.g.,
connect messages
should provide warnings about authorized usage and
line monitoring, and not simply say
访问策略定义
访问权限和特权指定为用户,操作人员和管理合理
使用准则,以防止丢失或泄露的资产。它应该提供用于
外部连接
的数据通信指引,将设备连接到网络,并增加新的软件系统。还
应注明任何要求通知消
息(例如,连接信息应该提供关于授权使
用和在线监测预警,并不能简单地说“欢迎光临”)。
16
4. An Accountability
Policy which defines the responsibilities of
users, operations staff, and management. It
should specify an audit
capability, and
provide incident handling guidelines (i.e., what
to do and who to contact if a possible
intrusion is detected).
问责政策定义用户,操作人员和管理的责任。它应
该指定一个审
计能力,并提供事故处理原则(即做什么,如果检测到可能的入
侵谁联系)。
5. An Authentication Policy which establishes
trust through an
effective password policy,
and by setting guidelines for remote
location
authentication and the use of authentication
devices (e.g.,
one-time passwords and the
devices that generate them).
一个认证策略它建立信任通过有效的口
令策略,并且通过设定为
远程位置鉴别说明和使用认证装置(例如,一次性密码和产生它
们的设
备)。
6. An Availability statement which
sets users' expectations for the
availability
of resources. It should address redundancy and
recovery issues, as well as specify operating
hours and maintenance
down-time periods. It
should also include contact information for
reporting system and network failures.
可用性
声明这台用户的期望资源的可用性。要针对冗余和回收的
问题,以及指定时间及维修停机的时间段。它还
应该包括联系信
息报告系统和网络故障。
7. An Information
Technology System & Network Maintenance Policy
which
describes how both internal and external
maintenance people are
allowed to handle and
access technology. One important topic to be
addressed here is whether remote maintenance
is allowed and how such
access is controlled.
Another area for consideration here is
outsourcing and how it is managed.
17
信息技术系统和网络维护政策,它描述了如何内部和外部维护人
员被
允许操作和访问技术。其中一个重要的话题在这里要解决的问题
是是否远程维护被允许和访问怎么这么被
控制。考虑的另一个领域是
这里外包和它是如何管理。
8. A Violations
Reporting Policy that indicates which types of
violations (e.g., privacy and security,
internal and external) must
be reported and to
whom the reports are made. A non-threatening
atmosphere and the possibility of anonymous
reporting will result
in a greater probability
that a violation will be reported if it
is
detected.
一个违反报告政策,指出哪些类型的违规行为(如隐私和安全,
内部和外
部)必须报告,向谁报告作出。阿非威胁气氛和匿名报
告的可能性,将导致,如果它被检测到违规将报告
概率更大。
9. Supporting Information which provides
users, staff, and management
with contact
information for each type of policy violation;
guidelines on how to handle outside queries
about a security
incident, or information
which may be considered confidential or
proprietary; and cross-references to security
procedures and
related information, such as
company policies and governmental laws
and
regulations.
支持信息为用户提供,工作人员和管理联系人信息,为每种类型
的
违反政策的;关于如何处理有关安全事件或信息可能被视为机
密或专有外查询的准则;和交叉引用安全程
序和相关信息,例如公
司政策和政府的法律和法规。
18
19