
Computer Network Management (《计算机网络管理》)

Lecturer: Wang Jilong (王继龙)

Information Network Engineering Research Center, Tsinghua University (清华大学信息网络工程研究中心)

[email protected]


Chapter 4: Network Measurement and Monitoring

  • Section 1: Overview of network measurement techniques

  • Section 2: Network measurement topics

  • Section 3: Examples of network measurement systems


Section 2: Network measurement topics

  • Topology and route measurement

  • Fault measurement

  • Performance measurement

  • Security measurement


ISN'T THIS GREAT?

  • The owner watches the state of the network

  • Students watch where the teacher goes

  • I can see what you are doing...



Topic 1: Topology and route measurement

Topology measurement: discover the interconnection devices in a network and determine how they are connected.


Active measurement: basic principle

The discovery loop works on two sets of addresses. The temporary set holds candidate addresses (clues) that have not been confirmed yet; the permanent set holds devices that have been measured and confirmed. Heuristics applied to each confirmed device produce new clues, and the loop repeats until the temporary set is empty.

  • Obtain clues (fill the temporary set): DNS ls (zone listing), netstat, tracert

  • Measure (confirm a candidate and move it from the temporary set to the permanent set): Ping, B_Ping (broadcast ping), SNMP, tracert, telnet

  • Derive new clues (heuristics run against the permanent set): random probe, TraceRT, B_ping, routing tables (routeTable), ARP tables (ARP_Table)
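The loop described above, written out as an added example (this is not code from the lecture). The probes run against a small constructed network held in memory so that it works offline; in a real tool `measure` would ping or SNMP-poll the address and `heuristics` would read the device's ARP and routing tables. All addresses are hypothetical.

```python
"""Active topology discovery: temporary set -> measure -> permanent set -> heuristics.

Added example, not code from the lecture. Probes are simulated against a
constructed network so the loop runs offline.
"""
from collections import deque

# Constructed sample network: what each device's ARP cache and routing table
# would reveal if we could read them. Addresses are hypothetical.
ARP_TABLE = {
    "10.0.0.1": ["10.0.0.2", "10.0.0.3"],
    "10.0.0.2": ["10.0.0.1", "10.0.1.1"],
    "10.0.0.3": ["10.0.0.1"],
    "10.0.1.1": ["10.0.0.2", "10.0.1.2"],
    "10.0.1.2": ["10.0.1.1"],
}
ROUTE_TABLE = {                      # next hops seen in routing tables
    "10.0.0.1": ["10.0.0.2"],
    "10.0.1.1": ["10.0.0.2"],
}
# One host exists but silently drops probes (e.g. ICMP and SNMP filtered).
REACHABLE = set(ARP_TABLE) - {"10.0.1.2"}


def measure(addr):
    """Simulated probe (ping / SNMP / telnet): True if the address answers."""
    return addr in REACHABLE


def heuristics(addr):
    """Simulated clue generation from a confirmed device: neighbours in its
    ARP cache plus next hops in its routing table."""
    return ARP_TABLE.get(addr, []) + ROUTE_TABLE.get(addr, [])


def discover(seeds, measure=measure, heuristics=heuristics):
    """Run the loop from the seed clues.

    Returns (permanent, edges, unreachable): confirmed devices, the
    adjacencies reported by them, and clues that never answered a probe."""
    temporary = deque(seeds)          # clues waiting to be measured
    seen = set(seeds)                 # never re-queue an address
    permanent, edges, unreachable = set(), set(), set()
    while temporary:
        addr = temporary.popleft()
        if not measure(addr):
            unreachable.add(addr)     # keep it: it may still be a real device
            continue
        permanent.add(addr)
        for clue in heuristics(addr):
            edges.add(tuple(sorted((addr, clue))))
            if clue not in seen:
                seen.add(clue)
                temporary.append(clue)
    return permanent, edges, unreachable


if __name__ == "__main__":
    perm, edges, unreach = discover(["10.0.0.1"])
    print("confirmed:", sorted(perm))
    print("edges:", sorted(edges))
    print("unreachable clues:", sorted(unreach))
```

The unreachable set is worth keeping rather than discarding: an address that a neighbour's ARP cache reports but that never answers is exactly the case the slide's remarks warn about (ping or SNMP filtered), and it still belongs in the logical topology.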


Some remarks

  • Many networks do not support broadcast ping (directed broadcasts are commonly disabled; see the anti-DoS router filtering later in this chapter)

  • Many networks restrict SNMP access (it is protected only by a community string, so it is usually limited to the operator's management stations)

  • Physical topology vs. logical topology: ARP and routing tables only reveal the logical (IP-level) topology; switches and hubs between the hosts are invisible to these probes

Passive measurement

  • Listen to the routing protocols

    • OSPF

    • BGP


Route measurement

  • UC Berkeley used traceroute to collect and analyse the routing behaviour of the paths between 37 measurement points distributed around the world

  • The University of Oregon collects inter-domain routing behaviour by running BGP sessions on dedicated routers with certain autonomous systems

  • So far, research has been limited to collecting, aggregating and simplifying routing behaviour data; the collected data is only analysed qualitatively


Network distance

  • Problem: I want to reach the server that is closest to me

  • Applications

    • Choosing among mirror sites of a web server

    • Choosing peers in a peer-to-peer system



Failure distribution

Figure (pie chart; source: IDC, as presented by Chris Morino, Resonate):

  • Applications failure: 28.5%

  • OS failure: 24.6%

  • Server failure: 20%

  • Network failure: 18.2%

  • Administration: 8.7%

Typical causes listed on the chart: CPU overloaded, NIC failure, process hung, slowed database performance.


Basic steps of fault diagnosis

  • Collect all available information and analyse the symptoms

  • Isolate the problem to a single segment, a single independent function or module, or a single user

  • Within that unit, isolate the problem to a specific piece of hardware or software, or to a user account

  • Locate and repair the problem

  • Verify that the problem has really been resolved

  • Never take a user's description at face value; they may have been misled by appearances. Verify everything yourself.


Problem 1: cannot access a service

First-line (emergency) handling:

  • Cold-boot the PC

  • Check the PC for hardware errors

  • Check the network cable connections

  • Check that all network drivers are loaded correctly

  • Check that no recent change on the PC or the server could have caused the problem

Professional handling:

  • Check whether the network at the fault location can be reached successfully at all

  • Check LAN performance

    • Hub status

    • Cable connections

    • Network statistics

    • Track collisions

  • Check the bridge or router


Problem 2: connection drops

First-line (emergency) handling:

  • Cold-boot the PC

  • Check for PC hardware errors and check the network connection

  • Check that the network driver is loaded correctly

  • Check for PC changes that could have caused the problem

  • Rule out other programs resident in the PC's memory

Professional handling:

  • Check the network statistics for high utilisation and high collision rates

  • Test the hub port

  • Test the NIC driver

  • Test the cascaded hubs

  • Test routing

  • Test packet loss with small and with large packets


Problem 3: slow speed

Determine the nature of the problem:

  • Network media problem

  • Problem with a specific station or server

Media problems:

  • Utilisation and collision rate

  • Check for FCS error frames

  • Collision burstiness

  • Incorrect termination

  • Impedance discontinuities

  • Damaged NIC

Software problems:

  • Identify the stations generating heavy traffic

  • Applications and services in use at the fault location

  • Mixed-protocol test: look for unrelated protocols consuming bandwidth

  • Test broadcast traffic

  • Test the isolation provided by VLANs and routing devices

Hardware problems:

  • Identify the MAC address of the problem station

  • Ping packet-loss test

  • Interconnection devices running at full load

  • Cable crosstalk (split pairs)


Network noise

External interference:

  • Fans

  • Air conditioners

  • Heaters

  • Copiers

  • Fluorescent lights

  • Elevators

  • Motors

Other sources:

  • Power problems

  • Damaged cables or connectors

  • Cables that are too long

  • Grounding problems


TCP/IP network problem prevention

IP address management:

  • Never allow duplicate addresses

  • Establish a complete allocation and reclamation procedure

  • Prevent unauthorised use

  • Recommended: DHCP, MAC authentication and VLANs

  • Back up the host configuration documentation

  • Control the change process


TCP/IP fault: cannot connect

First-line (emergency) handling:

  • Cold boot

  • Confirm there is no hardware fault

  • Confirm the cable connections

  • Confirm the NIC driver is installed correctly

  • Confirm any recent changes made to the host

  • Confirm the MAC address is correct

Professional testing:

  • IP configuration problem

  • Protocol encapsulation problem

  • Is the problem widespread?

  • Is it a physical problem?

  • ARP response

  • The router's connection to the next hop

  • DNS problem

  • Routing problem

  • Server configuration problem


TCP/IP intermittent connection drops

  • Emergency handling: as before

  • Professional handling

    • Packet loss

      • Ping test

      • Scan the hosts on the same segment

    • Route flapping


Slow speed or poor performance

Performance indicators:

  • Traffic volume

  • Delay

Routing protocol selection:

  • RIP, IGRP, OSPF

  • Route tracing

Network bottlenecks:

  • Network topology

  • Congested links

  • Slow routers

  • Overloaded part-time routers (hosts that also forward traffic)

  • Congested routes

Slow hosts:

  • Host processing capacity

  • Interface card and driver performance

  • Server overload

  • Usage pattern of the network application


Indicators of a healthy Ethernet

  • Average network utilisation not above 40%

  • Average collision rate not above 5%

  • Errors (giants, runts, FCS errors, late collisions) should not occur at all

  • Broadcast traffic below 5%
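The thresholds above applied to interface counters, as an added example (not code from the lecture). It computes the rates from the difference between two constructed counter samples, the way a poller reading SNMP interface and Ethernet statistics every few minutes would. The counters are assumed to be 32-bit, so a wrap between the two samples is handled; the sample values are constructed.

```python
"""Health check of a shared Ethernet segment from two interface counter samples.

Added example, not code from the lecture. Applies the slide's thresholds
(utilisation <= 40%, collision rate <= 5%, broadcast share < 5%, no error
frames) to counter deltas. Assumption: 32-bit counters that may wrap between
samples, so every delta is taken modulo 2**32.
"""

COUNTER_MOD = 1 << 32


def delta(new, old):
    """Difference of two monotonically increasing counters, tolerating one wrap."""
    return (new - old) % COUNTER_MOD


def ethernet_health(s0, s1, link_bps, interval_s):
    """s0, s1: counter dicts sampled interval_s seconds apart on a link of link_bps.
    Returns (metrics, problems); problems lists the thresholds that were exceeded."""
    octets = delta(s1["in_octets"], s0["in_octets"]) + delta(s1["out_octets"], s0["out_octets"])
    in_pkts = delta(s1["in_pkts"], s0["in_pkts"])
    out_pkts = delta(s1["out_pkts"], s0["out_pkts"])
    bcasts = delta(s1["in_bcast"], s0["in_bcast"])
    colls = delta(s1["collisions"], s0["collisions"])
    errors = sum(delta(s1[k], s0[k]) for k in ("giants", "runts", "fcs_errors", "late_collisions"))

    metrics = {
        # bits carried in the interval over the bits the link could have carried;
        # in + out together, since a half-duplex segment is one shared medium
        "utilisation": octets * 8 / (link_bps * interval_s),
        # collisions per frame this station tried to transmit
        "collision_rate": colls / out_pkts if out_pkts else 0.0,
        "broadcast_share": bcasts / (in_pkts + out_pkts) if in_pkts + out_pkts else 0.0,
        "errors": errors,
    }
    problems = []
    if metrics["utilisation"] > 0.40:
        problems.append("average utilisation above 40%")
    if metrics["collision_rate"] > 0.05:
        problems.append("collision rate above 5%")
    if metrics["broadcast_share"] >= 0.05:
        problems.append("broadcast traffic at 5% or more")
    if errors:
        problems.append(f"{errors} error frame(s): giants/runts/FCS/late collisions")
    return metrics, problems


# Constructed samples taken 60 s apart on a 10 Mbit/s shared segment.
# in_octets wraps past 2**32 between the two samples.
SAMPLE_T0 = dict(in_octets=4294900000, out_octets=1000000, in_pkts=50000, out_pkts=40000,
                 in_bcast=1000, collisions=500, giants=0, runts=0, fcs_errors=2, late_collisions=0)
SAMPLE_T1 = dict(in_octets=19932704, out_octets=17000000, in_pkts=80000, out_pkts=60000,
                 in_bcast=2500, collisions=2000, giants=0, runts=0, fcs_errors=3, late_collisions=0)


def check_sample_segment():
    return ethernet_health(SAMPLE_T0, SAMPLE_T1, link_bps=10_000_000, interval_s=60)


if __name__ == "__main__":
    metrics, problems = check_sample_segment()
    print(metrics)
    for p in problems:
        print("PROBLEM:", p)
```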


ping

  • ping IP/name [-t] [-a] [-n count] [-l size] [-f] [-i TTL] [-v TOS] [-r count] [-s count] [-j host-list] [-k host-list] [-w timeout] (Windows syntax)

    • -t: keep sending echo requests to the target host until interrupted

    • -a: resolve and display the target host's name

    • -n count: number of echo requests to send

    • -l size: size of the data payload sent to the target host

    • -f: set the DF flag in the IP header (do not fragment); together with -l this probes the path MTU

    • -i TTL: set the TTL

    • -v TOS: set the Type of Service

    • -r count: record the route (IP Record Route option, at most 9 hops)

    • -s count: record timestamps (IP Timestamp option)

    • -j host-list: loose source routing

    • -k host-list: strict source routing

    • -w timeout: maximum time to wait for each reply, in milliseconds

  Note: -r, -s, -j and -k rely on IP options, which most routers today ignore, rate-limit or drop (source-routed packets in particular are commonly filtered), so expect them to fail across the Internet.


tracert

  • tracert IP/name [-d] [-h maximum_hops] [-j host_list] [-w timeout]

    • -d: do not resolve addresses to host names

    • -h maximum_hops: maximum number of hops to search for the target

    • -j host_list: loose source route along host_list

    • -w timeout: milliseconds to wait for each reply


netstat

  • netstat [-r] [-s] [-n] [-a]

    • -r: display the local routing table

    • -s: display per-protocol statistics (TCP, UDP, IP, ...)

    • -n: display addresses and port numbers numerically instead of resolving names

    • -a: display all connections and listening ports on this host


winipcfg / ipconfig

  • ipconfig

    • /all: full configuration of every adapter (MAC address, DHCP server, lease times, DNS servers)

    • /release [adapter]: release the DHCP lease

    • /renew [adapter]: renew the DHCP lease

    • /flushdns: purge the DNS resolver cache

    • /registerdns: refresh DHCP leases and re-register the host's DNS names

    • /displaydns: show the contents of the DNS resolver cache

    • /showclassid: show the DHCP class IDs allowed for an adapter

    • /setclassid: change the DHCP class ID


IP packet structure

Bit offsets 0, 4, 8, 16, 19, 24 and 31 mark the field boundaries; each row is 32 bits and the fixed part of the header is 20 bytes:

  • Version V (4 bits) | Header length HL (4 bits) | Type of service TOS (8 bits) | Total length TLEN (16 bits)

  • Identification (16 bits) | Flags (3 bits) | Fragment offset (13 bits)

  • Time to live TTL (8 bits) | Protocol (8 bits) | Header checksum (16 bits)

  • Source IP address (32 bits)

  • Destination IP address (32 bits)

  • IP options (variable length) | Padding to a 32-bit boundary

  • Data


IP packet header: Type of Service (TOS)

Bit layout of the TOS byte (bits 0..7): Precedence (bits 0-2) | D (bit 3) | T (bit 4) | R (bit 5) | unused (bits 6-7)

  • Transport characteristics requested by the user:

    • D: low delay

    • T: high throughput

    • R: high reliability

  • Packet precedence:

    • Indicates the importance of this packet (0 to 7)

    • 0: routine precedence

    • 7: network control precedence


IP options

  • The options field of the header is optional

  • IP options are mainly used for network control and testing

    • Source route option

    • Record route option

    • Timestamp option

    • ...

  • IP options must be processed by every router on the path (which is why routers typically handle such packets on their slow path, or drop them)

  • In practice IP options are rarely used
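The header layout, the TOS byte and the Record Route option from the last three slides, built and parsed in code. This is an added example, not code from the lecture; it also covers the `-r` and `-f` behaviour of the ping slide (Record Route, DF flag). The checksum is the standard one's-complement header checksum; `record_hop` does what a router does to a Record Route option. All addresses and payloads are constructed.

```python
"""Build and parse an IPv4 header with a TOS byte and a Record Route option.

Added example, not from the lecture. Encodes the header fields on the slides
(version/HL, TOS, total length, ID, flags/offset, TTL, protocol, checksum,
addresses, options + padding), computes the header checksum, and handles the
Record Route option (type 7) used by `ping -r`. Addresses are constructed.
"""
import socket
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_RR = 0, 1, 7
HDR = "!BBHHHBBH4s4s"                       # the 20-byte fixed header


def tos_byte(precedence=0, low_delay=False, high_throughput=False, high_reliability=False):
    """Assemble the TOS byte: 3 precedence bits, then the D, T, R bits, two unused bits."""
    if not 0 <= precedence <= 7:
        raise ValueError("precedence is 0..7")
    return (precedence << 5) | (low_delay << 4) | (high_throughput << 3) | (high_reliability << 2)


def checksum(data):
    """One's-complement sum of the 16-bit words, complemented (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def record_route_option(slots=9):
    """Record Route option: type, length, pointer (starts at 4), `slots` empty
    addresses. 9 slots (39 bytes + 1 padding byte) fill the 40-byte option space."""
    return bytes([IPOPT_RR, 3 + 4 * slots, 4]) + b"\x00" * (4 * slots)


def build_ipv4(src, dst, payload=b"", ttl=64, proto=socket.IPPROTO_ICMP, tos=0,
               ident=0, dont_fragment=False, options=b""):
    """Return header + payload with a valid checksum; options are padded to 32 bits."""
    while len(options) % 4:
        options += bytes([IPOPT_EOL])
    if len(options) > 40:
        raise ValueError("options exceed 40 bytes")
    ihl = 5 + len(options) // 4             # header length in 32-bit words
    flags_frag = 0x4000 if dont_fragment else 0   # DF is bit 1 of the flags
    head = struct.pack(HDR, (4 << 4) | ihl, tos, ihl * 4 + len(payload), ident, flags_frag,
                       ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst)) + options
    return head[:10] + struct.pack("!H", checksum(head)) + head[12:] + payload


def parse_ipv4(packet):
    """Decode the fields, verify the checksum and collect any recorded route."""
    v_ihl, tos, tlen, ident, ff, ttl, proto, _, src, dst = struct.unpack(HDR, packet[:20])
    ihl = v_ihl & 0x0F
    hdr = packet[:ihl * 4]
    fields = {"version": v_ihl >> 4, "ihl": ihl, "tos": tos, "total_length": tlen, "id": ident,
              "df": bool(ff & 0x4000), "mf": bool(ff & 0x2000), "frag_offset": ff & 0x1FFF,
              "ttl": ttl, "protocol": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
              "checksum_ok": checksum(hdr) == 0,       # a correct header sums to zero
              "precedence": tos >> 5, "low_delay": bool(tos & 0x10), "recorded_route": []}
    opts, i = hdr[20:], 0
    while i < len(opts) and opts[i] != IPOPT_EOL:
        if opts[i] == IPOPT_NOP:
            i += 1
            continue
        kind, length = opts[i], opts[i + 1]
        if kind == IPOPT_RR:
            ptr = opts[i + 2]                # 1-based offset of the next free slot
            body = opts[i + 3:i + ptr - 1]   # addresses already written by routers
            fields["recorded_route"] = [socket.inet_ntoa(body[j:j + 4]) for j in range(0, len(body), 4)]
        i += length
    return fields


def record_hop(packet, router_ip):
    """What a router does with a Record Route option: store its own address at the
    pointer, advance the pointer by 4 and recompute the header checksum.
    A full option (pointer past the end) is forwarded unchanged."""
    ihl = packet[0] & 0x0F
    hdr, i = bytearray(packet[:ihl * 4]), 20
    while i < len(hdr) and hdr[i] not in (IPOPT_RR, IPOPT_EOL):
        i += 1 if hdr[i] == IPOPT_NOP else hdr[i + 1]
    if i >= len(hdr) or hdr[i] != IPOPT_RR:
        return packet
    length, ptr = hdr[i + 1], hdr[i + 2]
    if ptr + 3 > length:
        return packet
    hdr[i + ptr - 1:i + ptr + 3] = socket.inet_aton(router_ip)
    hdr[i + 2] = ptr + 4
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl * 4:]
```

`parse_ipv4` validates the checksum by summing the header including the checksum field: for an intact header the complemented sum is zero, which is the check a router performs before touching the packet. Note that a router that records its address must recompute the checksum, exactly as `record_hop` does; a router that merely forwards the packet only decrements the TTL and adjusts the checksum incrementally.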



Topic 3: Performance measurement

Overview

  • Decide what to measure and which metrics to use

  • Choose the measurement points and reference points

  • Choose tools and collect the data

  • Analyse


What to measure?

  • Traffic by destination: inside and outside

  • Top talkers: inside and outside

  • Application-oriented workload

  • SLAs

    • Responsiveness

    • Availability

    • Reliability

    • Throughput

  • CPU and memory utilisation

  • End-to-end response time of frequently used transactions

  • Number of concurrent users

  • Network collisions, error rates

  • Queue depths


Choosing reference points

  • Reference point: performance measurement cannot cover every entity in the network, only a "representative" subset; the entities in that subset are the reference points. A measurement usually "manufactures" a communication between a monitoring point and a reference point and records it to obtain the data from which the behaviour metrics are computed.

  • Reliability: if a reference point fails, is switched off or otherwise stops working, there will be no data for a period (other than "service unavailable"), which badly distorts the overall result.

  • Validity: the validity of a reference point is the truthfulness of the data obtained from it.

  • Representativeness: the data obtained through a reference point should not merely reflect performance changes of the reference point itself; it should reflect the common characteristics of a related set of entities.


Influence of the measurement tool

  • In the same network environment and with the same measurement method, different tools yield different values for the behaviour metrics

  • Comparison of two tools (ping and xchkaccess) measuring the response delay of 1760 web servers

  • Result: xchkaccess has to set up a TCP connection, so its communication overhead is larger than that of ICMP-based ping


Tools

  • Clients

    • Application Response Monitor (ARM)

    • Workstation performance monitors

  • Networks

    • Sniffers, network monitoring software

      • OpenView, Tivoli, CiscoWorks

    • Active measurement tools

  • Servers, proxies

    • OS monitoring tools


End-to-end available bandwidth measurement

Figure: a path from Source to Destination over four links, each link i with capacity C_i and available bandwidth A_i (C1..C4, A1..A4).

  • Capacity: maximum throughput without cross-traffic

  • Available bandwidth: maximum throughput given the cross-traffic

  The end-to-end capacity is min(C_i) (the narrow link) and the end-to-end available bandwidth is min(A_i) (the tight link); the two need not be the same link.


Applications

  • Efficiency of applications

  • Choosing the "best" server

  • Congestion control

  • Multicast routing

  • Etc.


Pathchar

Figure: probes are sent hop by hop; hops n-1 and n are separated by one link, and queues q1..q4 sit along the path.

  • Sends lots of UDP probes with different sizes and TTLs (the IC MP time-exceeded reply from hop n gives the round-trip time to that hop)

  • Estimates the latency and bandwidth of each link from the change in minimum RTT between consecutive hops:

    rtt(n) - rtt(n-1) = 2 * lat + ip_size / bw

  (fit a line of minimum RTT difference against probe size: the slope is 1/bw, the intercept is 2 * lat)

  • Dynamic behaviour is hard to capture, as queueing is neglected and various other assumptions are made

  • Link-by-link measurement



Packet pair (Nettimer)

  • Send two packets back-to-back and estimate the capacity of the narrow link from the packet dispersion at the receiver

  • Only measures end-to-end capacity; cross-traffic is neglected

  Figure: two packets of size S leave the sender at T0 and T1; after the narrow link they arrive at Tn and Tn+1, spaced by Size/BW:

    Tn+1 - Tn = max(S / BW, T1 - T0)
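The two estimators from the pathchar and packet-pair slides carried through in code, as an added example (not code from the lecture). Instead of a real network, the probes are timed against a constructed two-link path model with known latencies and bandwidths, so the estimates can be compared with the truth; the noise model (uniform queueing delay) and the path parameters are assumptions made for the example.

```python
"""Link capacity estimation: pathchar-style regression and packet-pair dispersion.

Added example, not code from the lecture. Probe timings come from a
constructed two-link path model, so the true link parameters are known.
"""
import random

# Constructed path: (one-way latency in s, bandwidth in bit/s) per link.
# Link 2 is the narrow link.
PATH = [(0.001, 10_000_000), (0.005, 2_000_000)]
SIZES = [64, 256, 512, 768, 1024, 1280, 1500]      # probe sizes in bytes
RNG = random.Random(1)


def model_rtt(hop, size_bytes):
    """RTT of a probe whose TTL expires at `hop` (1-based): per link, the forward
    transmission time of the probe plus latency in both directions, plus random
    queueing delay. The ICMP reply is small, so its transmission time is ignored."""
    rtt = sum(size_bytes * 8 / bw + 2 * lat for lat, bw in PATH[:hop])
    return rtt + RNG.uniform(0, 0.001)


def probe(hop, size_bytes, repeats=100):
    """Send `repeats` probes and keep the minimum RTT, as pathchar does to filter queueing."""
    return min(model_rtt(hop, size_bytes) for _ in range(repeats))


def fit_line(xs, ys):
    """Least-squares slope and intercept of ys against xs."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    slope = sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / sxx
    return slope, my - slope * mx


def pathchar(num_hops):
    """Per-link (latency_s, bandwidth_bit/s) estimates. For each hop,
    rtt(n) - rtt(n-1) = 2*lat + bits/bw, so regressing the RTT difference on the
    probe size in bits gives slope 1/bw and intercept 2*lat."""
    links, prev = [], {s: 0.0 for s in SIZES}
    for hop in range(1, num_hops + 1):
        cur = {s: probe(hop, s) for s in SIZES}
        slope, intercept = fit_line([s * 8 for s in SIZES], [cur[s] - prev[s] for s in SIZES])
        links.append((intercept / 2, 1 / slope))
        prev = cur
    return links


def packet_pair(size_bytes=1500):
    """Two back-to-back packets: after each link their spacing is
    max(S/BW, previous spacing), so the dispersion at the receiver is S/BW_min
    and the narrow-link capacity is S*8 / dispersion."""
    gap = 0.0
    for _, bw in PATH:
        gap = max(size_bytes * 8 / bw, gap)
    return size_bytes * 8 / gap


if __name__ == "__main__":
    for n, (lat, bw) in enumerate(pathchar(len(PATH)), 1):
        print(f"link {n}: latency {lat * 1000:.2f} ms, bandwidth {bw / 1e6:.2f} Mbit/s")
    print(f"packet pair: narrow link {packet_pair() / 1e6:.2f} Mbit/s")
```

The contrast the slides draw is visible in the code: `pathchar` needs hundreds of probes per hop and still only estimates each link by differencing noisy minima, while `packet_pair` needs two packets but can only ever report the narrow link, and says nothing about the available bandwidth when cross-traffic is present.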


MRTG

  • Highly portable SNMP-based tool

  • Provides only 5-minute averages of link utilisation

  • Usable by the network operators only, since it needs the routers' SNMP community strings

  • Link-by-link measurement

  • http://people.ee.ethz.ch/~oetiker/webtools/mrtg/


Infer the end-to-end traffic from the traffic seen on the ports, and discover the characteristics of the traffic distribution.


Pathload

  • Sends Self-Loading Periodic Streams at increasing rates until the rate exceeds the available bandwidth of the tight link, which shows up as an increasing trend in the relative one-way delays of the packets

  • The scheme is highly intrusive, even though it does measure the available bandwidth of the tight link

  • End-to-end available bandwidth measurement


Measurement tool: PingER

  • PingER (Ping End-to-end Reporting) monitors the end-to-end performance of Internet links

  • http://www-iepm.slac.stanford.edu/pinger/tools/tools.html


Router-based traffic monitoring

  • Motivation

    • Line rates grow far faster than memory access speed

    • It is impossible to record every packet

    • The traffic must be sampled

  • The key questions

    • How to sample?

    • How to separate the few large flows from the great number of small flows

    • Of great importance for network management and accounting
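One answer to the two questions above, as an added example (not code from the lecture, which only poses the questions): plain packet sampling beside sample-and-hold, the technique of Estan and Varghese, which the slides do not name. Both run over a constructed packet stream with three heavy flows and two thousand small ones, so their estimates can be compared with the true byte counts.

```python
"""Which flows are the elephants? Packet sampling vs sample-and-hold.

Added example, not code from the lecture. The second estimator is the
sample-and-hold technique of Estan and Varghese (not named on the slides).
The packet stream is constructed so the true byte counts are known.
"""
import random
from collections import Counter

RNG = random.Random(7)
ELEPHANTS = ("E1", "E2", "E3")


def make_stream(num_mice=2000, mice_pkts=3, elephant_pkts=3000):
    """Constructed trace as a list of (flow_id, bytes): many short flows and three heavy hitters, shuffled."""
    pkts = [(f"m{i}", RNG.choice([64, 128, 576])) for i in range(num_mice) for _ in range(mice_pkts)]
    pkts += [(e, 1500) for e in ELEPHANTS for _ in range(elephant_pkts)]
    RNG.shuffle(pkts)
    return pkts


def true_bytes(stream):
    total = Counter()
    for flow, size in stream:
        total[flow] += size
    return total


def packet_sampling(stream, p):
    """NetFlow-style 1-in-N sampling: each packet is kept with probability p and
    its size scaled by 1/p. Unbiased, but the variance of a flow's estimate
    grows with 1/p, so even the elephants are measured coarsely."""
    est = Counter()
    for flow, size in stream:
        if RNG.random() < p:
            est[flow] += size / p
    return est


def sample_and_hold(stream, p):
    """Sample with probability p per packet, but once a flow has an entry in the
    table count every later packet of it exactly. Large flows are caught early
    and then measured almost exactly; the estimate never exceeds the truth; the
    table stays small because most mice are never sampled at all."""
    table = Counter()
    for flow, size in stream:
        if flow in table or RNG.random() < p:
            table[flow] += size
    return table


def compare(p=1 / 50):
    """For each method: largest relative error over the elephants, table size,
    whether any elephant was overestimated, and the top-3 flows it reports."""
    stream = make_stream()
    truth = true_bytes(stream)
    report = {}
    for name, est in (("packet_sampling", packet_sampling(stream, p)),
                      ("sample_and_hold", sample_and_hold(stream, p))):
        report[name] = {
            "max_elephant_error": max(abs(est[e] - truth[e]) / truth[e] for e in ELEPHANTS),
            "table_size": len(est),
            "overestimates": any(est[e] > truth[e] for e in ELEPHANTS),
            "top3": [f for f, _ in est.most_common(3)],
        }
    return report


if __name__ == "__main__":
    for name, r in compare().items():
        print(name, r)
```

Both methods identify the same three elephants with a sampling rate of 1 in 50, which is what a router's memory budget buys. The difference is in the counts: packet sampling's elephant estimates scatter by a noticeable fraction either way, while sample-and-hold misses only the packets before the flow was first sampled and therefore undercounts by a small, bounded amount, which is the property that makes it usable for accounting.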


Router-based passive measurement

NeTraMet

Figure: the components of the NeTraMet flow measurement system (labels on the diagram: analysis application, NeTraMet, METER-MIB, packets (pcap, NetFlow, LFAP), meter reader(s), flow data, PME, manager, rulesets):

  • The meter (NeTraMet) reads packets from pcap, NetFlow or LFAP and aggregates them into flows as specified by its rulesets

  • The manager downloads the rulesets to the meter

  • One or more meter readers collect the flow data from the meter through the METER-MIB

  • The analysis application works on the collected flow data


Example of a ruleset

A NeTraMet ruleset that counts only IPv4 traffic destined for 130.89/16 and ignores everything else:

    if SourcePeerType == IPv4 {
        if DestPeerAddress == ( 130.89/16 ) {
            count;
        }
    }


Measuring limits

  • What are the limits of these measurement tools? Can sniffers, for example, handle megabits of traffic?

  • Tsinghua campus network

    • 20,000 users

    • 500 Mbps peak

Measuring limits: conclusions

  • Current PCs can easily handle 0.5 gigabits

  • With sophisticated network cards, speeds of several gigabits seem possible


UNIX commands

  • sar: System Activity Report, a sampling tool

  • ps

  • vmstat

  • iostat

  • netstat

  • log files

Commercial tools

  • NetFlow (Cisco)

  • Enterasys (Cabletron)

  • NetMetrix (HP OpenView)

  • Performance Monitor (Windows NT)

Measuring tools: conclusions

  • Many tools exist

  • Some are commercial

  • Many are open source


Measurement results

  • Bandwidth consumption of the top users

  • Bandwidth consumption of average users

  • Popular protocols / applications (campus)

  • Popular protocols / applications (backbone)

Top users

(chart only on the slide)

Average users

(chart only on the slide)

What students do

(chart only on the slide)

Popular applications (backbone)

Data collected: 04-03-2002 / 10-03-2002

http://netflow.internet2.edu/weekly/20020304/


Topic 4: Network security measurement

How much security?

Figure: a balance between convenience and security; more of one means less of the other.


Common methods of attack

  • Password guessing/cracking

  • Denial of service

  • Spoofing/masquerading

  • Buffer overruns

  • Eavesdropping (sniffing)

  • Viruses, worms, trojan horses


Common scenario of an attack

  • Find a scanner for the latest OS/server vulnerabilities and scan a wide range of address space

  • Use available exploits to gain access

    • http://www.securityfocus.com/

    • Bugtraq mailing list

  • Hide yourself on the attacked host

  • Prepare the system for future use

    • Install sniffers to collect passwords

    • Install DDoS tools


Password attacks

Figure: the original password goes through a one-way hash function, and only the hash (the 13-character string s6gbs84hNd6gY, in the style of a UNIX crypt(3) hash) is stored in the password file among many others (...hndz7HndUndp8s6gbs84hNd6gY7/Vbjsopdf9.K...).

  • Dictionary attacks: hash every candidate word the same way and compare the result with the stored hashes (UNIX Crack; L0pht Crack for Windows NT)


Distributed DoS

  • Trin00, Tribal Flood Network, Stacheldraht, ...

  Figure: the attacker controls a few handlers, each handler controls many agents, and the agents generate the flood towards the victim.


Buffer overrun

Figure: stack layout of a call frame, from low to high addresses: internal function variables (buffers), saved frame pointer, return address, function arguments. Writing past the end of `buffer` overwrites the saved frame pointer and the return address that lie above it.

    #include <string.h>

    /* Deliberately vulnerable, as on the slide: the length of str is never checked. */
    void function(char *str) {
        char buffer[16];
        /* ... code ... */
        strcpy(buffer, str);      /* writes past buffer when strlen(str) >= 16 */
        /* ... code ... */
    }

    int main(int argc, char **argv) {
        /* ... code ... */
        if (argc > 1)
            function(argv[1]);    /* attacker-controlled input reaches the copy */
        /* ... code ... */
        return 0;
    }


Buffer overrun (continued)

  • The input string is not checked for length

  • The most popular break-in technique

  • A UNIX shell code takes only 45 bytes of instructions

  • Code Red exploit request (one HTTP GET; the N bytes are filler up to the return address, the %u sequences are the encoded payload):

  • Code Red exploit code:/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a

Figure: after the overrun the frame reads, from low to high addresses: injected instructions (where the buffer was), a return address that now points back into them, function arguments. When the function returns, execution continues in the attacker's instructions.
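On the defensive side of the same slide: a detector for Code Red style `.ida` overrun requests in web server access logs, as an added example (not code from the lecture). It looks for the two traits visible in the request above, a long run of identical filler bytes followed by `%u`-encoded words in the query string. The log lines are constructed, and the thresholds (100 repeated bytes, 8 `%u` words, 200 bytes of query) are assumptions chosen for the example.

```python
"""Detecting Code Red style .ida buffer-overrun requests in web server logs.

Added example, not from the lecture. Scans constructed Common Log Format
lines for the overrun signature on the slide: a long run of filler bytes and
%u-encoded shellcode in the query string of a request to the Index Server
ISAPI extension. Thresholds are assumptions made for the example.
"""
import re
from urllib.parse import urlsplit

FILLER_RE = re.compile(r"(.)\1{99,}")              # same byte repeated 100+ times
UNICODE_RE = re.compile(r"%u[0-9a-fA-F]{4}")       # IIS-specific %uXXXX encoding
LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')


def classify_request(url):
    """Return the reasons a request looks like an .ida/.idq overrun attempt (empty if clean)."""
    parts = urlsplit(url)
    path, query = parts.path.lower(), parts.query
    reasons = []
    if path.endswith((".ida", ".idq")):
        reasons.append("Index Server ISAPI extension requested")
    if len(query) > 200 and FILLER_RE.search(query):
        reasons.append("long filler run in query string")
    words = UNICODE_RE.findall(query)
    if len(words) >= 8:
        reasons.append(f"{len(words)} %u-encoded words in query string")
    # A plain .ida request is only mildly interesting; require overrun evidence too,
    # otherwise legitimate Index Server queries would be flagged.
    if reasons == ["Index Server ISAPI extension requested"]:
        return []
    return reasons


def scan_log(lines):
    """Return (source, timestamp, url, reasons) for each log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                         # not a request line we can parse
        reasons = classify_request(m.group("url"))
        if reasons:
            hits.append((m.group("src"), m.group("ts"), m.group("url"), reasons))
    return hits


# Constructed sample log. The second line is a benign Index Server query;
# the third mimics the request on the slide (filler length chosen here).
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Jul/2001:10:00:01 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '192.0.2.11 - - [19/Jul/2001:10:00:02 +0000] "GET /search.ida?q=report HTTP/1.0" 200 512',
    '198.51.100.7 - - [19/Jul/2001:10:00:03 +0000] "GET /default.ida?' + "N" * 224
    + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801'
    + '%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 200 0',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for src, ts, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {src} {url[:40]}... -> {'; '.join(reasons)}")
```

A status code of 200 on the attack line is itself a finding: an unpatched IIS answers the overrun request successfully, whereas a patched or stripped-down server (the `.ida` mapping removed, as the "strip down default services" advice later in this chapter suggests) returns an error.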


securityfocus.com

(screenshot of the vulnerability database on the slide)


Some tools

  • SATAN, port scanners: vulnerability checks

    • ftp.cs.unm.edu

  • Snort: intrusion detection

  • COPS: backdoor checks

    • ftp.cert.org

  • John, password++, Crack, npasswd: password analysis

  • Keymon: guards against password cracking

  • Winnuke.exe: tests an NT bug

  • Protocol analyzers, sniffers

  • Tripwire: monitors critical files and directories

  • TCP Wrapper: monitors inetd services

  • sudo: restricts superuser access

  • Every one of these can serve defence or attack; it depends on who uses it

To resist threats from outside, first secure the inside! (攘外必先安内)


Proactive measures

Figure: the measures form a checklist to work through before the final step, "connect the system to your network".

  • Install the latest versions of software and apply the recommended patches

  • Strip down the default services

  • Restrict access to hosts

  • Stay current with new security issues

  • Apply OS and server patches immediately

  • Do regular backups

  • Monitor system activity and integrity

  • Implement a firewall

  • Only then: connect the system to your network


Strip down default services

Services typically enabled by default that should be reviewed (port / type / name):

  • 7 / TCP, UDP / echo

  • 9 / TCP, UDP / discard

  • 13 / TCP, UDP / daytime

  • 19 / TCP, UDP / chargen

  • 21 / TCP / ftp

  • 23 / TCP / telnet

  • 37 / TCP, UDP / time

  • 53 / TCP, UDP / domain

  • 69 / UDP / tftp

  • 110 / TCP / pop3

  • 113 / TCP, UDP / auth

  • 161 / UDP / snmp

  • 512 / TCP / exec

  • 513 / TCP / login

  • 513 / UDP / who

  • 514 / TCP / shell

  • 514 / UDP / syslog

  • 517 / UDP / talk

  • 2049 / TCP, UDP / NFS

Check /etc/inetd.conf and comment out unwanted services!


Disabling unwanted services

  • Find all services on your system

    • Use scanners (nmap) and system tools (ps, netstat, lsof)

  • Find out whether you need each service

    • Is it a public or an internal service?

  • Disable the unwanted services and test

  • Scan your system from an external network to confirm
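The "comment out unwanted services" step of the two slides above, done as an audit script rather than by hand. This is an added example, not code from the lecture: it parses a constructed inetd.conf, reports which services are switched on, and returns a hardened copy in which everything not on an explicit allowlist is commented out, annotating each with the port from the slide's table. The sample file, the allowlist and the name-to-port table are assumptions made for the example.

```python
"""Strip down default services: audit and rewrite an inetd.conf.

Added example, not code from the lecture. Parses a constructed inetd.conf,
lists the enabled services and returns a hardened copy in which every service
not on the allowlist is commented out. Sample file and allowlist are assumed.
"""

# Port table from the slide, keyed by inetd service name.
KNOWN_PORTS = {
    "echo": 7, "discard": 9, "daytime": 13, "chargen": 19, "ftp": 21,
    "telnet": 23, "time": 37, "domain": 53, "tftp": 69, "pop3": 110,
    "auth": 113, "exec": 512, "login": 513, "who": 513, "shell": 514,
    "syslog": 514, "talk": 517, "nfs": 2049,
}


def parse_inetd(text):
    """Return (service, proto, enabled, line_no) for every service line, whether
    active or commented out. Ordinary comments are skipped."""
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        enabled = not line.startswith("#")
        fields = line.lstrip("#").split()
        # inetd.conf: service socket-type proto wait/nowait user server [args]
        if len(fields) < 6 or fields[1] not in ("stream", "dgram") or fields[2] not in ("tcp", "udp"):
            continue
        entries.append((fields[0], fields[2], enabled, no))
    return entries


def harden_inetd(text, allow):
    """Comment out every enabled service whose (name, proto) is not in `allow`.
    Returns (new_text, disabled); disabled lists (name, proto, port) switched off."""
    line_to_key = {no: (svc, proto) for svc, proto, on, no in parse_inetd(text) if on}
    out, disabled = [], []
    for no, raw in enumerate(text.splitlines(), 1):
        key = line_to_key.get(no)
        if key is not None and key not in allow:
            out.append("#" + raw + "\t# disabled by audit")
            disabled.append((key[0], key[1], KNOWN_PORTS.get(key[0])))
        else:
            out.append(raw)
    return "\n".join(out) + "\n", disabled


# Constructed sample /etc/inetd.conf: a typical default with rsh already off.
SAMPLE_INETD = """\
# Internet server configuration database
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  in.ftpd -l -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
tftp    dgram   udp     wait    root    /usr/sbin/tcpd  in.tftpd
echo    stream  tcp     nowait  root    internal
echo    dgram   udp     wait    root    internal
chargen stream  tcp     nowait  root    internal
pop3    stream  tcp     nowait  root    /usr/sbin/tcpd  ipop3d
"""
ALLOW = {("pop3", "tcp")}        # assumed: this host is a mail server only


if __name__ == "__main__":
    hardened, disabled = harden_inetd(SAMPLE_INETD, ALLOW)
    for svc, proto, port in disabled:
        print(f"disabled {svc}/{proto} (port {port})")
    print(hardened)
```

After rewriting the file, inetd has to be told to re-read it (a SIGHUP), and the slide's last step still applies: scan the host from outside to confirm that the ports are really closed, since services started by other means than inetd are untouched by this file.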


Restrict access to hosts

  • Restrict physical access to the servers

  • Restrict network access with filtering software

    • ipchains, iptables or IP Filter

  • Restrict access to services

    • TCP Wrapper (/etc/hosts.allow, /etc/hosts.deny; works only for services started by inetd or linked against libwrap)

  • Apply filters on the routers (ACLs)

  • Combine host-based protection with strong authentication (e.g. S/Key one-time passwords)


ACL syntax (simplified)

    access-list number action protocol source destination flags

  • number: 100-199 (extended ACLs)

  • action: permit or deny

  • protocol: ip, icmp, udp, tcp, ospf, etc.

  • source: host and port specification

  • destination: host and port specification

  • flags: established, log, etc.

Example (entries are evaluated top down; the first match decides):

    access-list 101 deny tcp host 192.168.200.13 192.168.100.64 0.0.0.31 eq www
    access-list 101 deny udp any 192.168.100.64 0.0.0.31 eq snmp
    access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq telnet
    access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq smtp
    access-list 101 deny tcp host 192.168.0.1 gt 1024 192.168.100.64 0.0.0.31 log
    access-list 101 permit ospf any any
    access-list 101 deny ip any any        (implicit rule at the end of every ACL; it is not shown in the configuration)

  Note: addresses are written as network plus wildcard mask, where 1 bits are "don't care" (0.0.0.31 covers 192.168.100.64 to 192.168.100.95), and "host x" is shorthand for "x 0.0.0.0".


Basic router filtering: prevent spoofing

  • On the interface towards your own network (192.168.2.0/24), drop packets whose source address is outside the assigned range, so that your own users cannot send spoofed packets to the Internet:

    access-list 150 permit ip 192.168.2.0 0.0.0.255 any

  (everything else is dropped by the implicit deny)

Basic router filtering: guard against IP address trust exploits

  • On the interface towards the Internet, drop packets that arrive from the Internet carrying your own network's source address:

    access-list 160 deny ip 192.168.2.0 0.0.0.255 any

  (this entry must be followed by the entries that admit legitimate traffic; on its own, the implicit deny would block everything)

Basic router filtering: don't help flooders

  • Prevent your network from being used as a DoS amplifier (smurf-style directed-broadcast attacks) from the Internet:

    no ip directed-broadcast

  (an interface-level command; apply it on every interface)
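A small evaluator for the simplified ACL syntax of the preceding slides, as an added example (not code from the lecture). It parses ACL 101 and the anti-spoofing lists 150 and 160 and checks constructed packets against them with first-match semantics and the implicit deny at the end. Only the subset of the syntax used on the slides is supported; the `permit ip any any` appended to ACL 160, the port-name table and the test packets are assumptions made for the example.

```python
"""Evaluator for the simplified Cisco extended-ACL syntax on the slides.

Added example, not from the lecture. Supports: host / any / wildcard-mask
addresses, eq and gt port specs, the established flag, log, and the implicit
"deny ip any any". Port names are mapped by a small assumed table.
"""
import ipaddress

PORT_NAMES = {"www": 80, "snmp": 161, "telnet": 23, "smtp": 25}


def _addr(tokens):
    """Consume an address spec and return ((address, wildcard), remaining tokens).
    In a wildcard mask a 1 bit means 'don't care', so 'host A' is (A, 0) and 'any' matches all."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.ip_address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.ip_address(tokens[0])), int(ipaddress.ip_address(tokens[1]))), tokens[2:]


def _port(tokens):
    """Optional 'eq N' / 'gt N'; returns (predicate on a port number, remaining tokens)."""
    if tokens and tokens[0] in ("eq", "gt"):
        n = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        pred = (lambda p: p == n) if tokens[0] == "eq" else (lambda p: p > n)
        return pred, tokens[2:]
    return (lambda p: True), tokens


def parse_acl(text):
    """Return {acl_number: [entry, ...]} keeping the configured order."""
    rules = {}
    for line in text.strip().splitlines():
        t = line.split()
        if not t or t[0] != "access-list":
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        src, rest = _addr(t[4:])
        sport, rest = _port(rest)
        dst, rest = _addr(rest)
        dport, rest = _port(rest)
        rules.setdefault(number, []).append(dict(
            action=action, proto=proto, src=src, sport=sport, dst=dst, dport=dport,
            established="established" in rest, log="log" in rest, text=line.strip()))
    return rules


def _match_net(ip, spec):
    addr, wildcard = spec
    return ((int(ipaddress.ip_address(ip)) ^ addr) & ~wildcard & 0xFFFFFFFF) == 0


def evaluate(rules, pkt):
    """First matching entry decides. No match means the implicit 'deny ip any any'.
    Returns (action, entry) with entry None for the implicit deny."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != pkt["proto"]:
            continue
        if not (_match_net(pkt["src"], r["src"]) and _match_net(pkt["dst"], r["dst"])):
            continue
        if not (r["sport"](pkt.get("sport", 0)) and r["dport"](pkt.get("dport", 0))):
            continue
        if r["established"] and not (pkt.get("ack") or pkt.get("rst")):
            continue                   # established: only TCP segments with ACK or RST set
        return r["action"], r
    return "deny", None


def packet(src, dst, proto="tcp", sport=40000, dport=80, ack=False):
    """Constructed packet summary (only the fields an ACL looks at)."""
    return dict(src=src, dst=dst, proto=proto, sport=sport, dport=dport, ack=ack)


# ACL 101 from the slide, plus the two anti-spoofing lists. The final
# "permit ip any any" on ACL 160 is assumed; the slide shows only the deny.
ACL_TEXT = """
access-list 101 deny tcp host 192.168.200.13 192.168.100.64 0.0.0.31 eq www
access-list 101 deny udp any 192.168.100.64 0.0.0.31 eq snmp
access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq telnet
access-list 101 permit tcp any 192.168.100.64 0.0.0.31 eq smtp
access-list 101 deny tcp host 192.168.0.1 gt 1024 192.168.100.64 0.0.0.31 log
access-list 101 permit ospf any any
access-list 150 permit ip 192.168.2.0 0.0.0.255 any
access-list 160 deny ip 192.168.2.0 0.0.0.255 any
access-list 160 permit ip any any
"""
ACLS = parse_acl(ACL_TEXT)


if __name__ == "__main__":
    for p in (packet("192.168.200.13", "192.168.100.70"), packet("10.1.1.1", "192.168.100.70"),
              packet("10.1.1.1", "192.168.100.70", dport=23), packet("10.0.0.1", "203.0.113.9")):
        action, r = evaluate(ACLS[101], p)
        print(p["src"], "->", p["dst"], p["dport"], ":", action, "(implicit)" if r is None else r["text"])
```

Two behaviours worth checking in the output: a web request from an ordinary Internet host to the protected subnet is denied even though no entry mentions it, because only telnet and smtp are explicitly permitted and everything else falls through to the implicit deny; and ACL 150 on the inside interface passes nothing but packets with a source address in 192.168.2.0/24, which is exactly the anti-spoofing guarantee the slide describes.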


Filtering traffic (1)

Figure (shared by the five "Filtering traffic" slides): the router connects the Internet, a public segment (web server, email server, DNS server) and a private segment (internal web server, email server, NetBIOS shared disks and printers). Each of the following slides shows the rule set for one direction of traffic between these three zones; the arrows indicating the direction are not reproduced in the transcript.

Filtering traffic (2)

  • permit tcp/80

  • permit tcp/25

  • permit udp/53

  (the services the public segment offers)

Filtering traffic (3)

  • permit tcp established

  (only replies belonging to TCP connections opened from the other side)

Filtering traffic (4)

  • permit any

Filtering traffic (5)

  • permit tcp/25

  • permit udp/53

  • permit tcp established


Implement a firewall

Figure: the Internet, a firewall, and your network behind it, split into a public and a private area.

  • A firewall still allows transmission of information from the private area into the Internet!


Stay informed

  • Subscribe to mailing lists (CERT/CC advisories, BugTraq, NTBugTraq, Microsoft security advisories, ...)

  • Check for new exploits


Apply patches

  • Advisories often offer links to vendor patches

  • If those are absent, consider a temporary service restriction

  • Sites still report various well-known attacks even though patches have been available for several years


Monitor system activity and integrity

  • Store logs in a safe place (a separate log host, so that an intruder on a compromised machine cannot edit them)

  • Check the logs for suspicious entries

  • Compare checksums of essential binaries and configuration files against a known-good baseline (Tripwire)

  • Monitor incoming connections (Argus, IP filters)

  • Test systems with scanners (nmap, Nessus)


Use encryption

  • Encrypt your remote sessions (SSH, Secure Shell)

  • Encourage the use of email encryption (PGP, Pretty Good Privacy)

  • Encrypt sensitive data on servers

Prevention traps

  • There is no perfect protection, not even with firewalls

  • Out-of-the-box solutions and "zero administration" don't exist


Reactive measures

  • Collect the evidence; if necessary, take a full backup (image) of the compromised hosts before changing anything on them

  • Decide on follow-up actions

    • Block further attempts by the intruders and sanitise the compromised hosts

    • Monitor the intruder's activities, preferably in a restricted fake environment set up for that purpose

  • Report the incident


Final exam

  • Network topology design

  • Transmission scheme design

  • IP network design

  • Equipment selection

  • Routing design

  • IP allocation and network partitioning

  • Configuration management plan

  • Fault monitoring plan

  • Performance monitoring plan

  • Security monitoring plan

  • Accounting plan

  • Organisation and management process design