View
230
Download
2
Embed Size (px)
Citation preview
2007企業網路發展藍圖
Wang-Jiunn Cheng 1
2007 企業網路發展藍圖
鄭王駿 博士實踐大學資管系副教授[email protected]
http://www.im.usc.edu.tw/wjcheng/2007end.ppt2006/10/19
2007企業網路發展藍圖
Wang-Jiunn Cheng 2
Counter Attacks
•Prevention tends to inefficient– Myriad unknown vulnerabilities
•Detection tends to inaccurate– No work for novel or irregular attacks
•Reaction tends to limited– Little understanding of cause-effect
patterns
N. Ye and T. Farley, "A Scientific Approach to Cyberattack Detection," IEEE Computer Magazine, Dec. 2005.
2007企業網路發展藍圖
Wang-Jiunn Cheng 3
Rise of the Stupid Network• The Internet does not care what you do, its
job is just to "deliver the bits, stupid".– The bits could be part of
• an email message• a data file• a photograph• a video• etc.
• a denial-of-service attack• a malicious worm• a break-in attempt• an illegally shared song• etc.
D. Isenberg, "Rise of the Stupid Network," Computer Telephone, Aug. 1997.
2007企業網路發展藍圖
Wang-Jiunn Cheng 4
Conflict with the end-to-end
• The FBI has asked that it be able to review all new Internet services for tapability before they are deployed.– we have today over the un-tapability of VOIP?
Will anonymous teleport stations become illegal?
S. Bradner, "The End of End-to-End Security?," IEEE Security & Privacy Magazine, March/Appril 2006.
2007企業網路發展藍圖
Wang-Jiunn Cheng 5
VPN limitations
• A VPN tunnel is ideal if a laptop client wants to communication with only one server. – If the client must communicate with multiple s
ervers, …– If the client wants to browse Web sits, …– Incompatible implementations: L2TP, PPTP, I
Psec, … etc.
2007企業網路發展藍圖
Wang-Jiunn Cheng 6
Wi-Fi Security Not Ready
• Wireless hacking tools for WEP, …
• A wireless hacker can steal company data or upload malicious software through local machines…because IT personnel do not control access points in home networks.
K. J. Hole, et al., "Securing Wi-Fi Networks," IEEE Computer Magazine, July 2005.
2007企業網路發展藍圖
Wang-Jiunn Cheng 7
Spam E-mail Networks
• E-mail address can be easily obtained from publicly available documents.
• Spammers have exploited this vulnerability to inundate users with unsolicited bulk email.
• 35% of e-mail users reported that more than 60% of their inbox messages were spam.
• 28% said they spend more than 15 minutes a day dealing with junk e-mail
J. S. Kong, et al., "Collaborative Spam Filtering Using E-Mail Networks," IEEE Computer Magazine, August 2006.
2007企業網路發展藍圖
Wang-Jiunn Cheng 8
Spyware and Adware (I)
• Malicious websites may attempt to install spyware on readers' computers. In this screenshot a spamblog has triggered a pop-up that offers spyware in the guise of a security upgrade.
• Many Internet Explorer add-on toolbars monitor the user's activity. When installed and run without the user's consent, such add-ons count as spyware. Here multiple toolbars (including both spyware and innocuous ones) overwhelm an Internet Explorer session
http://www.benedelman.org/spyware/images/blogspot-2a.pnghttp://en.wikipedia.org/wiki/Spyware#Spyware.2C_adware.2C_and_tracking
2007企業網路發展藍圖
Wang-Jiunn Cheng 9
Spyware and Adware (II)
2007企業網路發展藍圖
Wang-Jiunn Cheng 10
Spyware and Adware (III)
2007企業網路發展藍圖
Wang-Jiunn Cheng 11
Web Security (RSS, AJAX, SOAP)?
Figure 1. (a) Breakdown of disclosed vulnerabilities by software type in May 2006, and (b) current vulnerability types disclosed in Web-based applications. (Source: SecurityFocus.com)
M. andrews, "The State of Web Security," IEEE Security & Privacy Magazine, July/August 2006.
2007企業網路發展藍圖
Wang-Jiunn Cheng 12
Why are Systems Unreliable?
• Fault density: 6~16/2~75 bugs per 1,000 lines of executable code– The Linux kernel probably has 15,000 bugs– The Windows XP has at least double that.– About 70% of OS are device drivers which
have error rates 3~7 times…– Bug-inside becomes the logo of all operating
systems.
A. S. Tanenbaum, et al., "Can We Make Operating Systems Reliable and Secure?," IEEE Computer Magazine, May 2006.
2007企業網路發展藍圖
Wang-Jiunn Cheng 13
Ad Hoc and P2P Security
• Both P2P and ad hoc networks are no fixed infrastructure. – What happens if some of the nodes are
malicious and want to corrupt the network’s behavior?
– Introduce several new security challenges…
S. W. Shieh, et al., "Ad Hoc and P2P Security," IEEE Internet Computing Magazine, Dec. 2005.
2007企業網路發展藍圖
Wang-Jiunn Cheng 14
How to do?
• Read 網管人 magazine monthly.• Read 網管人 magazine monthly.• Read 網管人 magazine monthly.
Internet
IEEE 802.1x
RADIUSSNMP
SSL
VPN
DHCP SSH
Firewall
IDS/IPS
SPAM-Filter
Anti-VirusLDAP
Cisco
Juniper FortinetSonicwall
Watchguard
CyberGuard
CheckPoint
UTM
Symantec
ISS
IPv6