
What are the main technical mechanisms of network security?

I suggest the original poster go to the non-hacker forum; there is a lot there worth learning.

There are three kinds of network security mechanisms. Overview:

With the wide application of the TCP/IP protocol suite on the Internet, information technology and network technology have developed rapidly, accompanied by a sharp increase in security risks. In order to protect the security of the national public information network and the information and data on the internal and external networks of enterprises, we should vigorously develop security technology based on the information network.

The goal of information and network security technology

Because of the openness, connectivity and freedom of the Internet, users enjoy all kinds of information resources, but at the same time there is a danger that their secret information may be violated or maliciously destroyed. The goal of information security is to protect confidential information that may be violated or destroyed from being controlled by illegal external operators. Specifically, it aims to achieve confidentiality, integrity, availability, controllability and other goals.

Network security architecture

On the basis of the Open Systems Interconnection reference model (OSI/RM), the International Organization for Standardization (ISO) formulated in 1989 the rules for solving network security in the OSI environment: the security architecture. It expands the basic reference model, adds all aspects of security issues, and provides a conceptual, functional and consistent way for the secure communication of open systems. The OSI security system includes seven levels: physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. The security mechanisms at all levels are:

1. Encryption mechanism

Measuring the reliability of an encryption technology mainly depends on the difficulty of the decryption process, and the difficulty of the decryption process depends on the key length and the algorithm.

1) Symmetric key encryption system. Symmetric key encryption technology uses the same key to encrypt and decrypt data: the sender and receiver use the same key. The typical algorithm of symmetric key encryption technology is DES (Data Encryption Standard). The key length of DES is 56 bits, its encryption algorithm is public, and its confidentiality depends only on the confidentiality of the key. Advantages: simple encryption processing and fast encryption and decryption speed. Disadvantages: key management is difficult.

2) Asymmetric key encryption system. The asymmetric key encryption system is also known as the public key and private key system. Its characteristic is that encryption and decryption use different keys.

(1) The key to the asymmetric encryption system is to find the corresponding public key and private key, and to make the encryption process irreversible by some mathematical method, that is, information encrypted with the public key can only be decrypted with the private key paired with that public key, or vice versa.

(2) The typical algorithm of asymmetric key encryption is RSA. The theoretical basis of the RSA algorithm is Euler's theorem in number theory, and its security is based on the difficulty of factoring large numbers.

Advantages: (1) it solves the key management problem, and through the unique key distribution system the keys will not be scattered when the number of users increases greatly; (2) because the key has been assigned in advance, there is no need to transmit the key during communication, and security is greatly improved; (3) the encryption strength is high.

Disadvantages: slow encryption and decryption.

2. Security authentication mechanism

In e-commerce activities, in order to ensure the authenticity and reliability of business, transaction and payment activities, there must be a mechanism to verify the true identity of all parties involved. Security authentication is the guarantee that e-commerce activities are conducted normally, and it involves important issues such as security management, encryption processing, PKI and authentication management. At present there is a complete set of technical solutions that can be applied: using PKI technology, the X.509 certificate standard, the X.500 information publication standard and other international technical standards, certificates can be issued safely and security authentication can be carried out. Of course, the authentication mechanism also needs the support of laws and regulations. The legal issues required for security authentication include credit legislation, electronic signature law, electronic transaction law, authentication management law and so on.

1) Digital digest

A digital digest uses a one-way hash function to transform the information into a fixed-length digest, which is sent to the receiver together with the file when the information is transmitted. After receiving the file, the receiver transforms it in the same way to obtain another digest, then compares the digest obtained by its own computation with the digest that was sent. This method can verify the integrity of data.

2) Digital envelope

Digital envelopes use encryption technology to ensure that only the specific recipient can read the contents of the letter. The specific method is: the sender encrypts the information with a symmetric key, then encrypts the symmetric key with the public key of the receiver (this part is called the digital envelope), and sends it to the receiver together with the information. The receiver first opens the digital envelope with the corresponding private key to obtain the symmetric key, and then decrypts the information with the symmetric key.

3) Digital signature

Digital signature means that the sender signs an electronic message or file, indicating that the signer is responsible for the content of the message or file. Digital signature comprehensively uses digital digest and asymmetric encryption technology, which can ensure the integrity and authenticity of data.

4) Digital timestamp

Digital Timestamp Service (DTS) is a network security service that provides time authentication for electronic documents. It is provided by a specialized agency (the DTS).

5) Digital certificate

A digital certificate contains the relevant information of the certificate holder and is a digital ID that proves the identity of the certificate holder on the Internet. It is issued by a certificate authority (CA). The CA is an authoritative organization that specializes in verifying the identities of the parties to a transaction, and it issues digital certificates to the entities involved in the transaction. The digital certificate is digitally signed by the CA, and no third party can modify the content of the certificate. The parties to the transaction prove their identity by showing their digital certificates.

In e-commerce, digital certificates mainly include customer certificates and merchant certificates. A client certificate is used to prove the identity of the client in e-commerce activities and is generally installed in the client's browser. A merchant certificate is issued to a merchant who provides services to customers and is generally installed on the merchant's server to prove the legal identity of the merchant to the customer.

3. Access control policy

Access control is the main strategy of network security prevention and protection, and its main task is to ensure that network resources are not illegally used and accessed. It is also an important means to maintain network system security and protect network resources. All kinds of security strategies must cooperate with each other to really play a protective role. Below we describe several common access control strategies.

1) Network access control

Network access control provides the first layer of access control for network access. It controls which users can log on to the server and obtain network resources, and when and from where users access the network.

User access control can be divided into three steps: user name identification and verification, user password identification and verification, and checking of the default restrictions on the user account. Only by passing through each of these checkpoints can users access the network.

Verifying the user name and password is the first line of defense against illegal access. When a user logs in, the user name and password are entered first, and the server verifies whether the entered user name is legal. If it is, the server continues to verify the entered password; otherwise, the user is denied access to the network. The user password is the key for users to access the network. In order to ensure the security of the password, the password should not be displayed on the screen, its length should be no less than 6 characters, and its characters should preferably be a mixture of numbers, letters and other characters. The user's password must be encrypted, and there are many encryption methods, among which the most common are: password encryption based on one-way functions, password encryption based on test mode, password encryption based on public key encryption schemes, password encryption based on quadratic residues, password encryption based on polynomial * * and password encryption based on digital signature schemes. Users can also use one-time passwords or portable verifiers (such as smart cards) to verify their identity.

2) Access control of the network

Network access control is a security protection measure against illegal network operations. Users and user groups are given certain rights. The network controls which directories, subdirectories, files and other resources users and user groups can access, and what users can do with these files, directories and devices. According to their access rights, users can be divided into the following categories: (1) special users (that is, system administrators); (2) general users, to whom the system administrator allocates operation rights according to actual needs; (3) audit users, responsible for network security control and auditing of resource usage. Users' access rights to network resources can be described by access control lists.

3) Directory-level security control

The network should allow users to control their access to directories, files and devices. The permissions specified by the user at the directory level are valid for all files and subdirectories, and the user can further specify the permissions of the subdirectories and files under that directory. There are usually eight kinds of access rights to directories and files: administrator, read, write, create, erase, modify, file search and access control. The effective rights of a user on a file or target depend on the following two factors: the trustee assignments of the user and of the user's group, and the cancellation of the user's inherited rights by the inherited rights mask. The network system administrator should assign users appropriate access rights to control their access to the server. The effective combination of the eight kinds of access rights can enable users to finish their work effectively and at the same time effectively control users' access to server resources, thus strengthening the security of the network and the server.

With the development of computer technology and communication technology, computer networks will increasingly become an important means of information exchange in industry, agriculture and national defense, and will penetrate into all fields of social life. Therefore, it will be very important to recognize the vulnerability and potential threats of the network and adopt strong security strategies to ensure the security of network information transmission.