
Detection-based Intranet Security Management System

Posted on: 2006-11-23  Degree: Master  Type: Thesis
Country: China  Candidate: B H Yu  Full Text: PDF
GTID: 2168360155953032  Subject: Computer system architecture
Abstract/Summary:
Computer networks bring a convenient and fast way of exchanging data, and with it network security problems. Network security has become more and more crucial with the explosive growth of networking. Different sections and services place different demands on a security system, and at present there is no universal solution to network security issues. Because of the special nature of its work, a highly confidential section demands a security solution specific to its intranet, and it is for such a section that we designed this intranet security management system.

The system is primarily designed to provide the following functions: registering the legal (authorized) computers on the network; denying unregistered computers access to the network; providing on-line computers with software services; assisting with the update and configuration of the security system; monitoring network resources to detect any unauthorized change of network address (both IP address and MAC address); detecting, and prohibiting, any access to the external Internet; and, to avoid security incidents, disrupting the communication of illegal and irregular computers.

To supervise the on-line computers more effectively, we introduce network-level administrative restrictions and divide the network, by administrative service, into several subnets which together compose the entire internal network. One computer is set up as the administrative center of the whole network; each subnet has its own administrative computer, called the secondary administrator, which assists the center; and an administrative client is installed on every computer to communicate with the administrative center and its subordinate level.

Generally, an instruction for a software service on a computer is issued by the administrative center and passed down in sequence; as soon as the computer receives the instruction, the client carries it out on that computer. In the reverse direction, monitoring information is sent up to the center for centralized monitoring. Common network functions such as computer registration, software service and computer status reporting are relatively easy to implement, because the main work is realizing the communication between computers; for these we primarily focus on designing the data format of that communication.

Besides software services and regulation of legal users, the major function of this system is to detect and stop irregular on-line operations, which include: illegal access by unregistered computers, unauthorized network address changes by legal computers, and legal computers gaining access to an external network without permission. These illegal operations are hard to discover because they usually fall outside the regulated behaviour. Compared with regulating legal users, discovering an illegal operation is technically much more difficult, so it is the main technical difficulty the system has to overcome. The system succeeds in discovering illegal operations by network detection.

Network detection exploits the properties of the transmission protocols. We can learn the IP address and MAC address of on-line computers by analyzing response packets or captured packets, and then discover illegal users by comparing these addresses with the administrative registration list. The network detection in this system includes active detection and passive monitoring.

Active detection sends a probe packet to a particular network address and obtains the on-line computer's information by analyzing its response packet. The system realizes active detection through the ARP, ICMP and TCP protocols of the TCP/IP suite; all of these have in common that the response packet contains information about the detected computer. The main problems we face in active detection are the use of personal firewalls and the transmission capability of the network protocols.

Network monitoring discovers communicating computers by monitoring, capturing and analyzing the data stream on the network. In this system, we realize network monitoring on the basis of the technical properties of Ethernet. Ethernet, a popular LAN technology invented by Xerox Corporation, connects every workstation to the same signal channel, which lets them share all data packets transmitted on the line. Whether data received at the physical layer is passed to the higher layers is decided by the network adapter, which compares the MAC address in the packet with its own MAC address. By changing the working mode of the network adapter, we can make the local computer receive all data packets and obtain important information about the other computers. The major problem passive monitoring faces is that when the local computer is not communicating with others we cannot capture any information, so passive monitoring yields little opportunity and little information.

Detection technology can also be applied to discovering illegal access to an external network. A computer that has dialed up to the Internet will change its default gateway. The administrative computer sends an ICMP probe packet to a destination host with a faked IP address. Computers that have no illegal Internet access will return an ARP packet to their original default gateway; otherwise, an ARP packet will be sent out to an external network's default gateway. An illegal access to an external network can therefore be discovered by judging whether the internal network gateway receives the responding ARP data or not.

Illegal computers could menace the information security of the internal network so much that we have to disturb their communication with other intranet computers. The system has employed some fully developed host computer...
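The registration-list comparison that the abstract relies on, as an added example in Python (not code from the thesis): observed (IP, MAC) pairs taken from ARP replies are reconciled against the administrative registration list to flag unregistered computers, unauthorized address changes and address conflicts. The registry contents, the observation line format and every address are constructed sample data.

```python
# Added example, not the thesis's own code: reconcile (IP, MAC) pairs seen in ARP
# replies with the administrative registration list. All names and addresses are
# constructed sample data.

# Registration list kept by the administrative center: hostname -> (ip, mac).
REGISTRY = {
    "ws-01": ("10.1.1.10", "00:11:22:33:44:01"),
    "ws-02": ("10.1.1.11", "00:11:22:33:44:02"),
    "ws-03": ("10.1.1.12", "00:11:22:33:44:03"),
}

# Constructed observations, one per ARP reply the detector recorded.
OBSERVED = """\
arp-reply ip=10.1.1.10 mac=00:11:22:33:44:01
arp-reply ip=10.1.1.11 mac=00:11:22:33:44:99
arp-reply ip=10.1.1.50 mac=00:11:22:33:44:03
arp-reply ip=10.1.1.77 mac=AA:BB:CC:DD:EE:FF
arp-reply ip=10.1.1.10 mac=00:11:22:33:44:02
"""

def parse_observations(text):
    """Return [(ip, mac), ...] from 'arp-reply ip=... mac=...' lines."""
    pairs = []
    for line in text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        pairs.append((fields["ip"], fields["mac"].lower()))
    return pairs

def classify(ip, mac, registry):
    """Compare one observed pair with the registration list."""
    owner_of_ip = {r_ip: name for name, (r_ip, _) in registry.items()}
    owner_of_mac = {r_mac: name for name, (_, r_mac) in registry.items()}
    ip_host, mac_host = owner_of_ip.get(ip), owner_of_mac.get(mac)
    if ip_host and ip_host == mac_host:
        return "registered"        # pair matches the list exactly
    if ip_host and mac_host:
        return "address-conflict"  # one host's IP used with another's MAC
    if ip_host:
        return "mac-changed"       # known IP, unknown adapter
    if mac_host:
        return "ip-changed"        # known adapter, unauthorized IP change
    return "unregistered"          # neither address is on the list

def audit(text, registry=REGISTRY):
    """Classify every observation; anything but 'registered' needs action."""
    return [(ip, mac, classify(ip, mac, registry))
            for ip, mac in parse_observations(text)]
```

Running `audit(OBSERVED)` yields one verdict per observed pair; in a deployment the observations would come from the active probes or the promiscuous-mode capture described above.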
Keywords/Search Tags: Detection-based