1、精選優(yōu)質(zhì)文檔-傾情為你奉上Web Security 開卷考試復(fù)習(xí)索引Chapter 1: Introduction to Information Security信息安全簡介1.1 Concept of Information Security信息安全概念Ø Definition of Information Security 定義 P6Information Security , Computer Security and Information Assurance ( Similarities & Differences ) 信息安全，電腦安全，信息保證 的比較 P6信息

2、安全 P7-P8 Ø History P10-11信息安全威脅 P12Ø Key Concepts of information security信息安全主要概念Concept P12計(jì)算機(jī)安全、信息安全、信息保障 P141.2 Computer System Security 電腦系統(tǒng)安全Ø System Vulnerabilities（系統(tǒng)安全漏洞）definition P16Ø Operating System Security(計(jì)算機(jī)系統(tǒng)安全性) P18Ø 安全漏洞定義和原因 P19-20Ø Database Security

3、（數(shù)據(jù)庫系統(tǒng)的安全性） P22數(shù)據(jù)庫系統(tǒng)安全含義 P22-24Ø User Application Security（用戶應(yīng)用程序安全） p25-281.3 Information Security Service （信息安全服務(wù)）Ø Basic Concept 基本概念 P30Ø Information security categories 信息安全類別 P31Ø Information security management tools 信息安全管理工具 P32Ø 信息安全服務(wù) P33-34Ø Authentication（認(rèn)證

4、） P35-36Ø Access Control（訪問控制） P37-39Ø Confidentiality 機(jī)密性 P40Ø Integrity 完整性 P41-42Ø Available 有效性 P43Ø Non-repudiation 不可抵賴性 P441.4 Information Security Manangement , Audit and Protection信息安全管理，審計(jì)和保護(hù) （ISEC ,ISM,ISMS）P47Ø Security Management 安全管理ISM信息安全管理 P48ISMS信息安全管理

5、體系 P49信息安全管理的目標(biāo)&原則 &實(shí)施（PDCA） P51-58Ø Security Audit 安全審計(jì)Definition 定義 P60&62Process 過程 P62&63內(nèi)容 P64信息安全審計(jì)與信息安全管理的關(guān)系 P65-66Ø Levels of Information Security 信息安全級別The eight information security levels 八個(gè)信息安全級別 P68-69信息安全管理等級 P72-75Conclusion總結(jié)Standard organization標(biāo)準(zhǔn)組織 P80Leve

6、ls of impact(low, moderate, high) 影響級別 P82-84Computer security challenges 電腦安全挑戰(zhàn) P85Passive attacks被動攻擊(interception攔截, traffic analysis交通分析) P88-89Active attacks主動攻擊(interruption中斷, fabrication構(gòu)建, replay, modification) P90-93Chapter 2 Cryptographic Techniques 密碼學(xué)技術(shù)2.1 Cryptology Introduction 密碼學(xué)介紹&

7、#216; Cryptology definition P5-7Ø History(Manual、Mechanical、 Modern) 9-12Ø Concepts & ItemsPlain Text and Cipher Text 無格式文本和密碼文本 P14Key and Key Space 秘鑰和秘鑰空間 P14Cryptosystem Services(confidentiality機(jī)密性, integrity完整性, authenticity確定性. Non-reputation不可抵賴性, access control受控性, symmetric對稱性

8、, asymmetric非對稱) P15-17Attributes of Strong Encryption加密技術(shù)(confusion混亂, diffusion擴(kuò)散) P182.2 Symmetric Key Cryptographic Algorithms對稱密碼和密碼算法Ø Introduction P20-21Ø Algorithm Types & Modes block cipher(塊加密) P22&25Stream Cipher（流加密） P23&24Electronic Code Book(ECB) Mode(電子密碼本模式) P26

9、-30Cipher Block Chaining( CBC ) Mode（密碼塊鏈接模式） P31-34Cipher Feedback( CFB ) Mode（密文反饋模式） P35-37Output Feedback(OFB) Mode 輸出反饋模式 P38-39Ø Data Encryption Standard ( DES ) 數(shù)據(jù)加密標(biāo)準(zhǔn)Background and History P40*How DES WorksP42Ø Advanced Encryption Standard 高級密碼標(biāo)準(zhǔn)( AES )Introduction p44*How AES Work

10、s P45-462.3 Asymmetric Key Cryptographic Algorithms非對稱秘鑰密碼算法Ø Introduction P48-52Ø The RSA AlgorithmIntroduction p53-55*How RSA Works P56-58公鑰和私鑰產(chǎn)生 p59 加密消息 P60 解密消息 P61 解碼原理 P62 Example P63-72 Ø Digital Signatures 數(shù)字簽名 P732.4 Hashing Algorithms(散列算法)Ø Introduction P76-77Ø M

11、essage-Digest Algorithm( MD5 ) Whats MD5 P78 Chapter 3: Authentication Technologies認(rèn)證（識別）技術(shù)3.1.Overview Ø Introduction to Authentication TechnologiesWhat is Authentication, identification, authorization?什么是認(rèn)證、身份識別、授權(quán)p6Authentication involves two parties包含兩個(gè)團(tuán)體prover&identifierp7Two kind of A

12、uthentication一種是整體認(rèn)證，一種是（部分）信息認(rèn)證p8-10Goals 認(rèn)證技術(shù)的目標(biāo)（或說好的認(rèn)證技術(shù)必須要有的條件）p11Three classes of entity authentication P12Ø The Weak/Strong Authentication Scheme 弱的和強(qiáng)的幾種認(rèn)證手段Weak：基于passwordp13基于PIN（time-invariant password）p14strong：secret key加密p15public key加密p16zero-knowledge加密p17基于設(shè)備的加密p18Ø The Appl

13、ication of Authentication Technologies 兩種認(rèn)證的services，X.509和Kerberosp19Ø The Attack to Authentication幾種攻擊種類p20Impersonation 假冒Replay 重放Forced delay attacks強(qiáng)迫延時(shí)Interleaving交錯(cuò)Oracle session oracle會話Parallel session并行會話Ø The Security Guidelines to Protect AuthenticationSchemes保證安全的幾項(xiàng)原則p213.2.P

14、ublic Key Infrastructure PKI的基礎(chǔ)設(shè)施（基礎(chǔ)內(nèi)容）Ø Introduction to PKI介紹是什么&用來做什么p24-27Ø PKIX PKI+X.509P28End-entity;PKC公鑰證書;CA證書授權(quán)機(jī)構(gòu);CR證書倉庫p28End-entity, PKC P30CA,CR,CRL(證書撤回清單/證書吊銷列表)， CRL issuer，RA(注冊機(jī)構(gòu)) P31-32PKI document P33CP(certificate證書 policy, certificate practice statement) P34Subscr

15、iber簽署 agreements, relying party agreements P35Ø The Management of PKIXp36Ø Public Key Certificate證書內(nèi)容樣例p37Ø Trust Hierarchy Model嚴(yán)格信任層次p383.3.Kerberos麻省理工學(xué)院開發(fā)的安全認(rèn)證系統(tǒng)Ø What is Kerberosp40-41Ø History & Developmentp42Ø Description描述（看圖）p45-47Ø Processp48-54Ø

16、; Drawbacks & Limitations缺點(diǎn)限制p55-563.4.X.509Ø What is X.509 X.509被廣泛使用的數(shù)字證書標(biāo)準(zhǔn)p58Hierarchy P59Ø History and Versionp60Ø Certificate p61Structure of certificatep62-63How to get itp64Revoke撤回 a certificatep65Ø Security problemsp66Ø Applicationp68Chapter 4:Introduction to In

17、ternet Security4.1. Network Security ArchitecturesØ Levels of Network Security Architectures網(wǎng)絡(luò)安全防范體系（物理層,系統(tǒng)層，網(wǎng)絡(luò)層，應(yīng)用層，安全管理）p6-9Ø OSI/ISO 7498-2 ModelP10-11PDR, P2DR and PDRR Security ModelP10ISO 7498-2 ArchitecturesP12Security life-cycle P13Ø Threats, services & Mechanismsp14Ø

18、 Security domains and security policies P15Types of security policies P17Security threat/attack, safeguards, vulnerabilities P18Risk P19Classification of threats P20Fundamental threats P21Primary enabling threats P22The two planting threats(Trojan horse, trapdoor) P23Ø ISO security services P24

19、Administrative security, media security, emanations security, life cycle controls P25Five main categories of security serviceAuthenticationP27access control P28data confidentialityP29data integrityP30non-reputation P32Ø ISO security mechanisms (8種方法) p33-36Encryption mechanismsDigital signature

20、 mechanismsAccess control mechanismsData integrity mechanismsAuthentication exchange mechanismsTraffic padding mechanismsRouting control mechanismsNotarization mechanismsØ TCP/IP securityp474.2. IPSecØ Introduction將IP包先加密在傳輸p49&52How IPsec protect usWhat do we need to protectp53How doe

21、s IPsec provide usp54-56Ø Some Basic Concepts About IPSecp23基本概念：SA;SAD;SPI;SPD;AH;ESP(比AH多了加密的功能);Tunnel Mode; Transport Mode; p58-65Ø ESP protocolTunnel mode & Transport mode（ESP）p67-77報(bào)文datagram裝包過程拆包過程Ø AH Protocol提供完整性量度和來源認(rèn)證，不提供加密P79-82Ø Gateway and Road Warrior modeP85

22、IPSec的通常應(yīng)用情況 P84Ø IKE(Key management of IPSec)86使用IKE的IPsec的密鑰協(xié)商分為兩個(gè)階段p88-894.3. SSL/TLSØ Introductionp91-93一個(gè)簡化后的SSL/TLS模型p94-96Ø How TLS Worksp97-104會話、連接、寫模式、讀模式、安全套件、預(yù)主密鑰、記錄層協(xié)議、握手協(xié)議、應(yīng)用數(shù)據(jù)協(xié)議TLS握手（以RSA為例子） p105-111Key Generation握手密鑰協(xié)商成功后進(jìn)行密鑰保護(hù)通信過程(密鑰的生成，主密鑰的計(jì)算，密鑰塊的計(jì)算，應(yīng)用數(shù)據(jù)協(xié)議)P112Resum

23、e of TLS handshake恢復(fù)p118-1194.4. VPNØ Introductionp124Ø OpenVPNIntruduction P126-127工作過程p128-129Chapter 5: Network Attack and Defence5.1. OverviewØ Network Security Crisis（網(wǎng)絡(luò)安全危機(jī)）P7網(wǎng)絡(luò)病毒P8黑客和黑客程序P9信息生態(tài)惡化P10Ø Types of Network Attack（網(wǎng)絡(luò)攻擊類型）破壞型和入侵型、被動型和主動型P11、12竊聽P13數(shù)據(jù)篡改、身份欺騙（IP地址欺騙

24、）P14盜用口令攻擊P15拒絕服務(wù)攻擊(DoS) P16中間人攻擊、盜取密鑰攻擊P17嗅探器攻擊P18應(yīng)用層攻擊P19Ø Steps of Network Attack（網(wǎng)絡(luò)攻擊步驟）P20-23準(zhǔn)備實(shí)施善后Ø Port Scan（端口掃描）P24端口掃描工具（NMap&superscan）P25-30Port Scan Types（端口掃描類型）P31TCP/SYN/UDP/ACK/FIN ScanningP32-41Ø Idle Scan（空閑掃描）P42-49Ø Methods of Network Defense（網(wǎng)絡(luò)防御的方法）P50R

25、egular security defend（常規(guī)的安全防護(hù)）P515.2. Password Cracking（密碼破解）Ø The Vulnerability of Passwords（密碼的易損性/弱點(diǎn)）P53Ø Password Selection Strategies（密碼選擇策略）User educationComputer-generated passwordsReactive password checkingProactive password checkingUse of hashed password P54-60Ø Password Cra

26、cking（密碼破解）Using system bug(利用系統(tǒng)漏洞直接提取口令)Brute force(暴力破解)Precomputing potential hash vales(字典破解) P62-64針對口令破解攻擊的防范措施P64Ø Useful Tools（有用的工具）P655.3. Buffer Overflow（緩沖區(qū)溢出）Ø Background（背景）（definition&destruction）P68-69Structure of an Address Space（地址空間結(jié)構(gòu)）P71-72堆棧溢出攻擊的例子 P73-78Cause of v

27、ulnerability（易損性的原因）P79Ø Attack Classification（攻擊分類）P80Stack buffer overflow（棧溢出）P81-85Heap buffer overflow（堆溢出）P86Ø Attack Practicalities（攻擊實(shí)例）P87-90Ø Protection Solutions（防護(hù)方法）P95-1075.4. DoS Attack（DoS攻擊）Ø Definition（定義）P109Ø Different Kinds of DoS（DoS的不同種類）P110Flooding(過

28、載)Crashing（摧毀）Ø Different kinds of DoS P111TCP/IP攻擊 P112-114UDP攻擊P115-1175.5. Spoofing Attack（欺騙攻擊）Ø DNS Spoofing（DNS欺騙）P120Ø MITM attacks(中間人攻擊) P120ARP cache poisoningP121-128DNS spoofingP129-137Defending Against DNS Spoofing（DNS欺騙防御）P141-143Ø Web Spoofing（Web欺騙/網(wǎng)頁仿冒）P144What i

29、s Web Spoofing（什么是Web欺騙）P145Different types of web spoofing（Web欺騙類型）P147-148How to spot a spoofed webpage P150Ø IP Spoofing（IP欺騙）P152TCP/IP簡要介紹P154-156IP spoofingP156-179DoS/DDoSP180-183Defending Against the Threat（防御措施）P184Chapter 6:Firewall6.1. Introduction to Firewall（防火墻介紹）Ø What Is a

30、Firewall（什么是防火墻&功能）P6Ø Types of Firewall（防火墻的類型）P7&16-19Packet filtersP8-9Stateful filtersP10Application filtersP11Ø What Can a Firewall Do（防火墻的功能）P2026Ø Where to base a firewall P28Ø Bastion host(堡壘主機(jī)) P29Security bastion hosts P30-31Host-based firewall P32Advantages of

31、using host-based firewalls P33Personal firewall P34DMZ network P35-36VPN network P37-38Distributed firewalls P396.2.Design Principles of Firewall（防火墻的設(shè)計(jì)原則）Ø Packet Filtering Firewall（包過濾防火墻）What is Packet Filtering Firewall（什么是包過濾防火墻）P42-43How Packet Filtering Firewall Works（包過濾防火墻如何工作）P44-48Wh

32、at to Filter（過濾對象）P48-53Advantages（優(yōu)點(diǎn)）P54-55Disadvantages（弱點(diǎn)）P56-59Ø Packet Filtering Firewall Based on the state（基于狀態(tài)檢測的防火墻）P60What is Stateful Inspection Firewall（什么是狀態(tài)檢測防火墻）P61-62How Stateful Inspection Firewall Works（狀態(tài)檢測技術(shù)原理）P63-64Advantages（優(yōu)點(diǎn)）P65-66Disadvantages（缺點(diǎn)）P66Ø Application

33、Layer Firewall（應(yīng)用層代理防火墻）(ALG)P67What is Proxy（什么是代理服務(wù)器）P68-69Function Offered By Proxy（功能）Authentication mechanismContent filteringMature log P72-73Advantages（優(yōu)點(diǎn)）P74-76Disadvantage（缺點(diǎn)）P77-78Ø Bastion host（堡壘主機(jī)）P80Topological Graph（堡壘主機(jī)拓?fù)鋱D）P81-82堡壘主機(jī)的分類 P83傳統(tǒng)應(yīng)用的 P84安全堡壘主機(jī) P85進(jìn)入控制堡壘主機(jī) P86內(nèi)控堡壘主機(jī) P

34、87-93Physical Placement of Bastion Host（堡壘主機(jī)的物理部署）P94-976.3. Penetration of firewall（防火墻的穿透）Ø Attack Packet Filtering Firewall（攻擊包過濾防火墻）P100IP Address Spoofing Attack（IP地址欺騙）P101Denial-of-service Attack（拒絕服務(wù)攻擊）P102Tiny Fragment Attack（分片包攻擊）P103Trojan Attack（木馬攻擊）P104Ø Attack Stateful Insp

35、ection Firewall（攻擊狀態(tài)檢測防火墻）P105-107Protocol Tunneling（協(xié)議隧道）P108-109Trojans Rebound（反彈木馬）P110Ø Attack Proxy（攻擊代理服務(wù)器）P111-112Unauthorized Web Access（非授權(quán)Web訪問）P114Unauthorized Socks Access（非授權(quán)Socks訪問）P115Unauthorized Telnet Access（非授權(quán)Telnet訪問）P116Ø 防火墻攻擊分類P119Ø 防火墻十大局限性P120Ø 防火墻十大脆弱性

36、P121Ø 硬件防火墻P122Ø 軟件防火墻P123Ø 硬件防火墻對軟件防火墻的比較優(yōu)勢P124-1256.4. Firewall installation and Configuration（防火墻安裝與配置）Ø IptablesP128Chapter7:Intrusion Detection (入侵檢測)7.1.Threats to Computer System (計(jì)算機(jī)系統(tǒng)面臨的威脅)Ø 計(jì)算機(jī)系統(tǒng)面臨的威脅P4DosP5SpoofingP6EavesdropP7Password cracking P7TrojanP8Buffer ov

37、erflowP87.2 Process of Intrusions(入侵攻擊的過程)Ø Process of Intrusions(入侵攻擊的基本步驟)P10Information of my targets(確定攻擊目標(biāo))P11Conduct of the attack(實(shí)施攻擊)P12Afterwards(攻擊后處理)P137.3 What is Intrusion DetectionØ Definition &3 classes of intruders(masquerader, misfeasor, clandestine user)P15Ø 計(jì)算

38、機(jī)系統(tǒng)威脅分類P16Ø 入侵行為的概念P17Ø 審計(jì)技術(shù)，審計(jì)的目標(biāo)P18Ø 入侵檢測的概念P19Ø 入侵檢測的作用(Function)P20-22Ø 與防火墻(firewall)的區(qū)別P25-267.4 Methods of Intrusion DetectionØ 2 ways to tell whether a behavior is maliciousP28(入侵檢測技術(shù)的2種主要思路)Anomaly DetectionBased on Behavior(異常檢測基于行為的檢測)P30Behavioral Model(行為模型

39、)P31-32異常檢測的用途P32Statistics Analysis(統(tǒng)計(jì)分析技術(shù))P33Neural Network(神經(jīng)網(wǎng)絡(luò)技術(shù))P34Data Mining(數(shù)據(jù)挖掘技術(shù))P35Ø Misuse(signature)DetectionBased on Rules(Knowledge)(誤用/濫用檢測)P36Pattern matching(模式匹配)P37State transition(狀態(tài)轉(zhuǎn)換)P37Expert system(專家系統(tǒng))P38Ø 兩種檢測的比較P397.5 Structure of IDSØ Information gatherin

40、g(信息收集)P42-43System and network logs(系統(tǒng)或網(wǎng)絡(luò)的日志文件)P43Anomalous changes of system directories and filesP44(系統(tǒng)目錄和文件的異常變化)Anomalous behavior in program executingP44(程序執(zhí)行中的異常行為)Ø Analysis engine(分析引擎)P45-7Pattern matching(模式匹配)P46Statistics analysis(統(tǒng)計(jì)分析)P47Integrity analysis(完整性分析)P47Ø Response

41、 unit(響應(yīng)部件)P48-49Ø Structure of IDSp50Ø 入侵檢測模型-IDES模型 && 6個(gè)組成部分P51-54Ø 公共入侵檢測框架-CIDFP55-60入侵檢測系統(tǒng)的4個(gè)基本組件:P59Event generators(事件產(chǎn)生器)Event analyzers(事件分析器)Event databases(事件數(shù)據(jù)庫)Response units(響應(yīng)單元)7.6 HIDS and NIDSØ Host-based IDS-HIDS(基于主機(jī)的入侵檢測)P62-63Ø Some potential t

42、hreats to HIDS(對HIDS的潛在威脅)P64-P66Abuse of privilege(特權(quán)濫用)P65Access and modification on key information(關(guān)鍵數(shù)據(jù)訪問及修改)P66Security configuration(安全配置不當(dāng))P66Ø HIDS檢測策略P67-68Ø HIDS的優(yōu)缺點(diǎn)P69-70Ø Network-based IDSNIDS includesP72Ø Sensors(探測器): Inline sensor && Passive sensorP73Ø

43、 一些攻擊場景 P75Ø NIDS的優(yōu)缺點(diǎn)P76-77Ø HIDS 和NIDS的比較P807.7 Introduction to IPS(Intrusion Prevention System)Ø What is a IPS (入侵預(yù)防系統(tǒng))P82Ø The need of IPSP83Ø IDS的缺陷P84-86Ø Security CapabilitiesDetect Intrusion && Evaluate the detect capabilitiesP88-89Log IntrusionP90-91Stop

44、 IntrusionP92-93Report IntrusionP94-95Ø Types of IPSP96Ø Agent/Sensor&management serverP97Ø Database Server && Console P98Ø HIPS p99Ø NIPSP101Ø Compare IPS with IDSP104-107Chapter8: The Architecture and Security of Web Applications8.1 OverviewØ Definiti

45、on of Web ApplicationsP5Web組成部分 && Web應(yīng)用程序P6Ø C/S(Client/Server)客戶機(jī)和服務(wù)器結(jié)構(gòu)P7-8Ø C/S模式的優(yōu)點(diǎn)P9Ø C/S模式的缺點(diǎn)P10Ø B/S(Browser/Server)瀏覽器和服務(wù)器結(jié)構(gòu)P11-12Ø B/S結(jié)構(gòu)的優(yōu)缺點(diǎn)P13-14Ø C/S結(jié)構(gòu)和B/S結(jié)構(gòu)的比較P15-16Ø Web應(yīng)用的結(jié)構(gòu)P17-18靜態(tài)頁面 && 靜態(tài)頁面的訪問流程P19-20動態(tài)網(wǎng)頁 && 動態(tài)頁面的訪問流程P21-22帶數(shù)

46、據(jù)庫的動態(tài)網(wǎng)頁 && 帶數(shù)據(jù)庫的動態(tài)網(wǎng)頁的訪問流程P23-P24Ø Web Site ArchitectureHardware(硬件架構(gòu))P27Software(軟件架構(gòu))in 3 Tiers:Presentation Layer (表現(xiàn)層)Business Layer(業(yè)務(wù)層)Persistent Layer(領(lǐng)域?qū)?P28-30領(lǐng)域?qū)舆壿嫷睦覲34-35Software: in MVC(Model, View, Controller)P38Ø Electronic Commerce ArchitectureP39Ø RequirementP4

47、0-42Ø Common Architecture: MVC-EJB(Enterprise JavaBean)-圖解P43B2C圖解P44C2C(Taobao)-圖解P45C2C(Taobao): High ScalabilityP46C2C(Taobao): WebX, Technical EnvironmentP47Ø HTTP ServerP49Ø Apache HTTP ServerP50-52Apache web Server軟件擁有的特性P53Ø IIS服務(wù)器P54-55Ø Other Web ServersP568.2 Web Security PrimerØ Why not SecureP63Ø Web安全問題的客觀原因P66Ø 傳統(tǒng)網(wǎng)絡(luò)安全設(shè)備P67Ø 傳統(tǒng)防護(hù)手段P68Ø Web安全問題的主觀原因P69Ø Goals of Web Security P70-72Ø Web Securit