Fixing the Internet Security
Transcript of Fixing the Internet Security
-
8/12/2019 Fixing the Internet Security
1/32
A
:
A
A.
@.
28, 2011
2.1
Date       Author           Version  Change reference
5/1/08     Roger A. Grimes  0.9      Initial draft, reviewed by key people
5/8/08     Roger A. Grimes  1.0      First draft released publicly to the Internet and introduced in InfoWorld security column
5/12/08    Roger A. Grimes  1.1      Added FAQ section to answer most commonly asked questions
2/19/09    Roger A. Grimes  2.0      1. Updated various text portions to be more inclusive; 2. Integrated WS-* open standards into text; 3. Added additional authentication scenario
6/28/2011  Roger A. Grimes  2.1      Minor updates and clarifications, re-released.
R A. G
: @.
24 ( A II, C,A, DOS 1987)
A 4 , 1 , 3 , 300
I A 2005 P S A F 2007 M I S & R
M ACE T
E M , OBSD L
R 8 F H E F 9
o H , , I , 1 ( 3 ) F H
F #1 T I
5 10
T I
1
, , .S 70% 2. S
26% I 3. P ,
F 100 4.
H 5
, , (DDS) , ,
, , , . M
(.. 6,
7,
) () 8. P
. O .S.
9. H
, (.. LS,
A, .).
I I 10,
, .
. O (.. R B N11, R12, .)
, . I
. C
,
.
F #2 S I I
A , . I ( F T)
. T
I I.
E , I
. ,
, . T
(.. , , , , .),
. T , ,
, , , , IP .
M
I . F , SQL S13
2003
SQL 10 14
. H ,
.
S , I PN
I, . M
, I,
I. E , (.. 911
, , , , .)
I, I
.
M . S
(.. I 15, B 16, .) 2000
, , , , ,
. I, ,
. T .
I .
I
, 5 , 10 ?
F #3 C C D A I
C (.. , , , , .)
.
. , , ,
( )
. M , ,
,
.
T , :
(
)?
H I (.. )
, ?
H I (.. )
, ?
H 17
I
?
I
.
, ,
.
S I , .
N I , :
T I .T , , ;
, ( ).
M , , , ; .
, .
S . E ( )
(..
). F , R B N IP I I ,
.
M (.. DDS , ) . I , ,
.
N . N I . N I ,
.
F ( I , ) 5 10 .
E ( ).
.
T (.. ,
).
F I :
A ,
A I ( DNS)
T I , , ,
I . ,
( ), I
, .
, ,
. E
: , , , , , . T
I .
S ( )
6 2 I
. A
, ,
.
N: M , S P. ,
, .
,
.
T M R
T , ,
OSI (.. P, L, N,
S, A, .). T ,
C, I, ISP, IANA, L, G C, P, O , E, .
T , E
.
T ( 1 (
1 )) . E
. T
. T ( , , )
(.. ).
T .
H B T?
A I , 1020 E
1020 . I 510
, 510 . I ( ) E
, .
E P M
P , :
S M ( E D , ) E D ( , ) A D (, , .) T L S T S (
)
T, , ( )
, , ,
.
T H P
T I
. I , . G
6 2 , ,
, I . N (
) . H
,
, ? I . I
,
.
O ,
. T .
T O S
I , , I
. I
. I .
O M, O , P PE , ,
. I
( )
. M ,
.
T
( );
.
A , .
6 2 T?
I , ,
,
. I :
23 6 6 6 , 1.0 6
A, I
. B
,
. P
, .
I I ,
, I ,
T I DNS ,
(). I DDI ,
IP (
). I IFMAP
, , .
I IFMAP, , T C G
(..) IFMAP
(://..//TNC/IFMAPFAQ28.)
.
F ,
, IFMAP ,
. T I
IFMAP (.. , , ,
) , . C, IFMAP
. T I
, IFMAP . T
I , , .
T :
T IFMAP I ,
( ) . T
, . T
, ,
.
F , (.. S, M, MA, .)
. S
, (.. , , .).
T , ,
. O , SANS (..)
, . T ,
. A I
. I
, , I, ,
. M . L .
E S B G I S I S
DDS . IFMAP I
.
DDS , IP ,
.
/ IP . / /
R B N IP .
.
S MSQL S , , , MSQL I.
.
R . T MSSQL S
( S). T 10 . N
10 ,
I ( .S.) , . I
( ) . I ,
IFMAP .
T .
, ,
. T
, ,
I . I
,
.
#1
R A. G, @.
T I
I. B
. I
. I I
, .
I I , ,
. P
. A
, . E
( ).
A ( )
. E (.. , OS, , ,
.) . L ,
, ,
, .
I . F ,
,
. I ,
(.. ).
A
. P ,
, . N
,
. T , ,
, , , ,
.
N1: T R A.
G (:@.). N ,
, .
N2: I . I
. H, (
)
.
T I .
M ( )
(.. , ,
, , .), ,
.
S CIA : C,
I, A. A . B , ,
I ? I , I. I
, . I
, . I
, . I ,
. I , I , I
.
M I
. ? B
. , , ,
I .
B I , ,
, . T ,
( )
OSI , :
H OS B P L D I N S P A N T D P C S
A , , , ,
. A
() , ,
. I I
.
T , , ISP
( ). E
,
(.. , , ,
, .).
A
. E
, (.. ). T
,
(.. R B N IP ).
T . E
;
(
). T
.
E (
/ (.. ISA ). T
, ( )
.
A T N T R S. T
T R S
. T ,
. A , ,
. , . I
, . A
, , .
E (.. , , OS, , , , .)
. E
,
. E ,
. T
.
F , , . T
. N , ,
, , . .
T ,
.
H ,
, . I ,
, . M
. T .
A ,
.
I
. T
(..
). L ,
.
T , .
I /
. I
,
.
M .
[Figure labels: Trust Gateway; Internet/Network Cloud; Security Defenses; Network Trust Boundary; regulated endpoints; Community Trust Rating Server; Global Internet Security Infrastructure Service]
T, , IP
. N IP DNS
. A ,
. D ,
, . O
,
, . B ,
, , . C,
I ,
. ,
.
P , I ,
. I ,
. B
. T
. T I
, I
, , I . T
. T, I ,
, . T
(.. ), .
T / ,
, , .
O
. F , ,
. T
. T
.
T
, , . T ,
(
T P M ). D
. E .
N
. L, ( ) ,
. D
,
.
T
. T . I ,
. E ,
. I
I ( 26% I ),
, .
#2 R A. G, @.
T
/ A P (AP)
( C P ). E, E / A P.
A P , ,
, , /
.
T A L (TAL) , , . A
A P /
TAL . E TAL
:
A A A
0 N
1 N T A C
100 L A S ,
500 M A P IC,
,
1000 M A S , ,
65000 H A T ,
,
, .
E / A
P, / ,
C P.
A P
. A P /
. A A P
.
E C P
A P. A C P
. I ,
. F ,
, , . H,
. T
.
E C P , C P
/ , . T E
/ C
P / . I , C P
E , E ,
, A P .
T C P / A
P . T A P
/ , C P .
E, , , , .
T
.
T, ,
. T . T :
TCP/IP, IP6 S (S) S E (S*) S T S F S A M L 2.0 (SAML 2.0) IC DNSS .509 D C F .500 LDAP D T N C N A C T P M
T I.
1. . .
A: I, , , I
I , , . L
. P, ,
. I
. A
. S ,
(I ) ;
.
2. D () ?A: I , . I
I ,
I , . B , , I
I
. S, , , .
3. D ()?A: . N ,
( ). P I
I , ,
(.. M EE T , T
C G IFMAP , .), I
. S, I
.
4. , ?A: A. I ,
, , . I
.
5. D ?
A: N. T . H
? I
, , . A ,
.
6. , D, D, , , .
?
A: T .
E DNS, , . ,
I . M . F
.
7. (.. ) . ?
8. A: F, DNSS, SID, IPSEC , . P
(EE T, IFMAP, T C G , ,
, E SSL, D ,
.) .
9. D ?
A: , , . I ID
. T ID (.. ),
ID . T
(.. , , , .). B ,
, (
),
I (..
). M (.. IC, .) .
10. ?A: T , 26% I 7090%
, ,
.
11.D ?A: . , , . N,
. I . (..
, , .). A
, . S
. P .
12. . ?
A: P, I
. M , I
(I )
. F , .S.
, I
. P, I
I
, .
13. . D , AA, C, C, ( ), ?
A: N . T T C G (TCG) . I
,
( ).
14. (..
)?
A: I , ,
. T
.
15. D D ?A: F . F, , ,
. A ,
, DNS,
. S, DNSS ( IFMAP S
ID) . I .
16. ?A: I . T I
.
I , I . F
@..
1H I, , ://..//HI
2
ML I R A 2008, ML,://..//MLIRA2008.
3I , I M, A 1, 2008,
://..//08/04/01/I1.; 3
, CSO O, A 1, 2008,
://..//326013/TPITMR
S; A P ISP DDOS, S T T, DR, A 1, 2008,
://../.?=149866&T.=11; 2% I
T R S, A N, M 31, 2008, ://../2008/03/2
.
4H , T S M H, M 6, 2008,
://...////2008/05/06/1209839606696.;
H , , ://..//P; S
F C S P, J., ://..///P.;
.S. D C S, S., ://..///..
5 T S B E, S , A 8, 2008,
://..///; T 1M
, C , A 9, 2008,
://..//.?=AB&I=9076278; S , , ://..//S.
6F F F R P 1, MA AERT L, N 30, 2007,
://..///./2007/11/30/1.
7 ?, A R, A 10, 2007, ://
../2007/08/.
8C , A T, J 22, 2008,
://././/20080122
.; M 1Q ,I, A 24, 2007,
://..///A.?ID=199201032; M
S C: T S C, TM M B, A 3, 2008.
9P P: T G N H, I , J 16, 2006,
://..//06/06/16/7926025OP1.
102007 I C R, FBI, ://.3.///2007IC3R.
CSI 2007 S, FBI, ://../2..//CSIS2007.
11R B N, , ://..//RBN.
12R, E S T, ://.//.?=R.
13CERT A CA200304 MSSQL S , CERT, J 25, 2003,
://..//CA200304..
14SQL S ( ), , ://..//SQL.
15I , , ://..//ILOEO.
16B ( ), , ://..//B.
17G H: A F L, O G B, 2/28/2008,
://../2008/02/..
18O L P C, O L P C , ://..
19 D D I , ,
://..//DDI.
20 T N C IFMAP A FAQ, T C G,
://..//TNC/IFMAPFAQ28..