Computer Networks Overview (Part 3)
Contents
1. Software testing
2. Instruction set exam points
3. Intellectual property
(1) Protection period
(2) Ownership
4. Information security exam points
(1) The three elements of information security
CIA: confidentiality, integrity, availability
(2) Network attacks
- Passive attacks
  - Typical example: eavesdropping (monitoring)
  - Hard to detect, so the emphasis is on prevention
  - Countermeasure: encryption
- Active attacks
  - Typical examples: masquerading, replay, spoofing, message tampering, denial of service
  - Emphasis is on detection
  - Countermeasures: firewalls, IDS
(3) Goals of security measures
- Access control
- Authentication
- Integrity
- Auditing
- Confidentiality
(4) Symmetric encryption algorithms
- DES
  - 64-bit blocks
  - Produces 64-bit ciphertext
  - 12 iterations
  - Uses a 56-bit key
- 3DES
  - Performs DES three times
  - Uses two keys
  - 112-bit key
- IDEA
  - 64-bit blocks
  - 8 iterations
  - 128-bit key
- AES
  - 128/192/256-bit key
(5) Asymmetric encryption algorithms
- Typical examples: RSA, DH
- Confidential communication: encrypt with the public key, decrypt with the private key
- Digital signature: encrypt with the private key, decrypt with the public key
(6) Functions of a digital signature
- Verifiability
- Non-repudiation
- Forgery resistance
(7) Hash algorithms
- MD5
  - 512-bit blocks, 128-bit digest
- SHA
  - 512-bit blocks, 160-bit digest
(8) VPN
- Virtual Private Network (VPN)
- Layer 2 VPN: L2TP and PPTP (both based on PPP)
- Layer 3 VPN: IPSec and GRE
- Layer 4 VPN: SSL
<1> Key technologies for implementing a VPN
- Tunneling
- Encryption & Decryption
- Key Management
- Authentication
<2> PPP frame structure
- PPP authentication functions: PAP and CHAP
  - PAP: four-way handshake, the password is sent in cleartext, and the party being authenticated initiates the request
  - CHAP: three-way handshake, the password is not transmitted; a MAC hash value is sent instead
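As an added example that is not part of the original notes, the three CHAP messages simulated in Python with the MD5 response computation of RFC 1994; the shared secret and the fixed challenge values are constructed for the demonstration. The `wire` list shows what an observer on the link would see: only the challenge and a 16-byte digest, never the password itself.

```python
import hashlib
import hmac
import os

# Constructed demo secret shared by the PPP peer and the authenticator.
# It is configured on both ends and never appears in any CHAP message.
SHARED_SECRET = b"demo-chap-secret"

def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP with MD5 as specified in RFC 1994: MD5(Identifier || secret || Challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_exchange(peer_secret: bytes, auth_secret: bytes, challenge: bytes = None):
    """Simulate the three CHAP messages.

    Returns (success, wire): `wire` is the list of (message, payload) pairs an
    eavesdropper on the link would see. Only the challenge and a 16-byte MD5
    value cross the wire, never the password itself.
    """
    identifier = 1                                   # one CHAP round
    if challenge is None:
        challenge = os.urandom(16)                   # fresh random challenge per round
    wire = [("Challenge", challenge)]                # 1. authenticator -> peer
    response = chap_response(identifier, peer_secret, challenge)
    wire.append(("Response", response))              # 2. peer -> authenticator
    expected = chap_response(identifier, auth_secret, challenge)
    success = hmac.compare_digest(response, expected)
    wire.append(("Success" if success else "Failure", b""))   # 3. authenticator -> peer
    return success, wire
```

A peer holding a wrong secret produces a different digest and receives Failure, while the same secret with a different challenge yields a different response, which is what defeats a simple replay of an earlier Response.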
<3> PPP compared with HDLC
(9) IPSec
- IP Security
- Provides: data integrity verification, confidentiality, application transparency
- Consists of three protocols:
  - Authentication Header (AH): provides data integrity and data-origin authentication, no encryption; uses MD5 and SHA hashes
  - Encapsulating Security Payload (ESP): provides encryption, using DES, 3DES or AES
  - Internet Key Exchange (IKE): generates and distributes the keys used by ESP and AH, based on DH
- Two encapsulation modes
(10) PGP
- Pretty Good Privacy, an e-mail security software package
- Provides data encryption (IDEA), digital signatures (RSA public-key certificates) and integrity verification (MD5)
(11) S/MIME, SET and Kerberos authentication
- S/MIME (Secure/Multipurpose Internet Mail Extensions) provides e-mail security services
- SET (Secure Electronic Transaction) secures electronic commerce
- Kerberos is used for identity authentication and supports AAA (authentication, authorization, auditing); note in particular that it has no CA! The CA belongs to the PKI system
(12) IPSec configuration
Topology
Configuration commands
Headquarters router:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname zongbu
[zongbu]acl 3000
[zongbu-acl-adv-3000]rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
[zongbu-acl-adv-3000]ipsec proposal huawei
[zongbu-ipsec-proposal-huawei]esp authentication-algorithm sha1
[zongbu-ipsec-proposal-huawei]ipsec policy huawei 10 manual
[zongbu-ipsec-policy-manual-huawei-10]security acl 3000
[zongbu-ipsec-policy-manual-huawei-10]proposal huawei
[zongbu-ipsec-policy-manual-huawei-10]tunnel local 192.168.12.1
[zongbu-ipsec-policy-manual-huawei-10]tunnel remote 192.168.23.3
[zongbu-ipsec-policy-manual-huawei-10]sa spi inbound esp 54321
[zongbu-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei
[zongbu-ipsec-policy-manual-huawei-10]sa spi outbound esp 12345
[zongbu-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei123
[zongbu-ipsec-policy-manual-huawei-10]int g0/0/0
[zongbu-GigabitEthernet0/0/0]ipsec policy huawei
[zongbu-GigabitEthernet0/0/0]ip addr 192.168.12.1 24
[zongbu-GigabitEthernet0/0/0]q
[zongbu]int g0/0/2
[zongbu-GigabitEthernet0/0/2]ip addr 192.168.1.253 24
[zongbu-GigabitEthernet0/0/2]q
[zongbu]rip
[zongbu-rip-1]v 2
[zongbu-rip-1]network 192.168.1.0
[zongbu-rip-1]network 192.168.12.
Public-network router:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname gongwang
[gongwang]int g0/0/0
[gongwang-GigabitEthernet0/0/0]ip addr 192.168.12.253 24
[gongwang-GigabitEthernet0/0/0]int g0/0/1
[gongwang-GigabitEthernet0/0/1]ip addr 192.168.23.253 24
[gongwang-GigabitEthernet0/0/1]q
[gongwang]ping 192.168.12.1
PING 192.168.12.1: 56 data bytes, press CTRL_C to break
Reply from 192.168.12.1: bytes=56 Sequence=1 ttl=255 time=80 ms
Reply from 192.168.12.1: bytes=56 Sequence=2 ttl=255 time=20 ms
Reply from 192.168.12.1: bytes=56 Sequence=3 ttl=255 time=30 ms
Reply from 192.168.12.1: bytes=56 Sequence=4 ttl=255 time=20 ms
Reply from 192.168.12.1: bytes=56 Sequence=5 ttl=255 time=20 ms
--- 192.168.12.1 ping statistics ---
5 packet(s) transmitted
5 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/34/80 ms
[gongwang]ping 192.168.23.3
PING 192.168.23.3: 56 data bytes, press CTRL_C to break
Reply from 192.168.23.3: bytes=56 Sequence=1 ttl=255 time=50 ms
Reply from 192.168.23.3: bytes=56 Sequence=2 ttl=255 time=30 ms
Reply from 192.168.23.3: bytes=56 Sequence=3 ttl=255 time=20 ms
Reply from 192.168.23.3: bytes=56 Sequence=4 ttl=255 time=20 ms
--- 192.168.23.3 ping statistics ---
4 packet(s) transmitted
4 packet(s) received
0.00% packet loss
round-trip min/avg/max = 20/30/50 ms
[gongwang]rip
[gongwang-rip-1]v 2
[gongwang-rip-1]network 192.168.12.0
[gongwang-rip-1]network 192.168.23.0
Branch router:
<Huawei>sys
Enter system view, return user view with Ctrl+Z.
[Huawei]undo info enable
Info: Information center is disabled.
[Huawei]sysname fenzhi
[fenzhi]acl 3000
[fenzhi-acl-adv-3000]rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[fenzhi-acl-adv-3000]q
[fenzhi]ipsec proposal huawei
[fenzhi-ipsec-proposal-huawei]esp authentication-algorithm sha1
[fenzhi-ipsec-proposal-huawei]ipsec policy huawei 10 manual
[fenzhi-ipsec-policy-manual-huawei-10]security acl 3000
[fenzhi-ipsec-policy-manual-huawei-10]proposal huawei
[fenzhi-ipsec-policy-manual-huawei-10]tunnel local 192.168.23.3
[fenzhi-ipsec-policy-manual-huawei-10]tunnel remote 192.168.12.1
[fenzhi-ipsec-policy-manual-huawei-10]sa spi inbound esp 12345
[fenzhi-ipsec-policy-manual-huawei-10]sa string-key inbound esp cipher huawei123
[fenzhi-ipsec-policy-manual-huawei-10]sa spi outbound esp 54321
[fenzhi-ipsec-policy-manual-huawei-10]sa string-key outbound esp cipher huawei
[fenzhi-ipsec-policy-manual-huawei-10]int g0/0/1
[fenzhi-GigabitEthernet0/0/1]ipsec policy huawei
[fenzhi-GigabitEthernet0/0/1]ip addr 192.168.23.3 24
[fenzhi-GigabitEthernet0/0/1]q
[fenzhi]int g0/0/2
[fenzhi-GigabitEthernet0/0/2]ip addr 192.168.2.253 24
[fenzhi-GigabitEthernet0/0/2]q
[Huawei]rip
[Huawei-rip-1]v 2
[Huawei-rip-1]network 192.168.23.0
[Huawei-rip-1]network 192.168.2.0
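The manual IPSec policy above relies on static string keys rather than IKE-negotiated ones, so the two routers only form a working tunnel if every value is mirrored by hand: the headquarters inbound SPI and key must equal the branch outbound SPI and key (and vice versa), the tunnel local/remote addresses must be swapped, and the ACL source/destination must be swapped. As an added example that is not part of the original configuration, this Python check parses the manual-SA commands of both routers (values copied from the transcripts above) and reports any field that does not mirror its counterpart.

```python
# Added example, not part of the page's configuration: parse the manual-SA
# commands of the two routers (values copied from the page) and check that
# they mirror each other; a mismatch here is what silently breaks the tunnel.
ZONGBU = """
rule 5 permit ip source 192.168.1.0 0.0.0.255 destination 192.168.2.0 0.0.0.255
tunnel local 192.168.12.1
tunnel remote 192.168.23.3
sa spi inbound esp 54321
sa string-key inbound esp cipher huawei
sa spi outbound esp 12345
sa string-key outbound esp cipher huawei123
"""
FENZHI = """
rule 5 permit ip source 192.168.2.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
tunnel local 192.168.23.3
tunnel remote 192.168.12.1
sa spi inbound esp 12345
sa string-key inbound esp cipher huawei123
sa spi outbound esp 54321
sa string-key outbound esp cipher huawei
"""

# Field on side A that must equal the paired field on side B.
MIRROR = [("local", "remote"), ("remote", "local"),
          ("spi_inbound", "spi_outbound"), ("spi_outbound", "spi_inbound"),
          ("key_inbound", "key_outbound"), ("key_outbound", "key_inbound"),
          ("acl_src", "acl_dst"), ("acl_dst", "acl_src")]

def parse_manual_policy(text: str) -> dict:
    """Extract the fields of a Huawei VRP manual IPSec policy into a dict."""
    p = {}
    for line in text.strip().splitlines():
        t = line.split()
        if t[0] == "rule":                    # rule N permit ip source S W destination D W
            p["acl_src"] = t[t.index("source") + 1]
            p["acl_dst"] = t[t.index("destination") + 1]
        elif t[0] == "tunnel":                # tunnel local|remote <ip>
            p[t[1]] = t[2]
        elif t[:2] == ["sa", "spi"]:          # sa spi inbound|outbound esp <spi>
            p["spi_" + t[2]] = t[4]
        elif t[:2] == ["sa", "string-key"]:   # sa string-key inbound|outbound esp cipher <key>
            p["key_" + t[2]] = t[5]
    return p

def check_mirror(a: dict, b: dict) -> list:
    """Return the mismatched pairs; an empty list means the two SAs are consistent."""
    return [f"A.{ka}={a.get(ka)} vs B.{kb}={b.get(kb)}"
            for ka, kb in MIRROR if a.get(ka) != b.get(kb)]
```

Run `check_mirror(parse_manual_policy(ZONGBU), parse_manual_policy(FENZHI))` on the configurations as given and the list is empty; changing a single character of one side's key produces exactly one reported mismatch.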