【作者】 张武超；

【导师】 张冬梅；

【作者基本信息】 北京邮电大学 ， 计算机技术， 2008， 硕士

【摘要】 近年来,频繁的黑客攻击,网络病毒、蠕虫和木马泛滥,极大地危害到企业内部网络的安全,他们大多利用系统漏洞进行攻击、感染和传播。另一方面内部网络的越权访问和违规操作难于审计和预防,也给企业带来巨大损失。传统的以组织边界和核心资产为保护对象的安全体系逐渐显示出不足,无法有效应对内网所有终端计算机安全管理中面临的诸多问题。终端计算机依靠手工管理已经远远不能适应目前大规模的网络环境,急需新的技术手段来实现对内部网络的统一管理。这样内网安全体系建设问题就逐渐提到组织管理者和网络安全建设者的议事日程上来。本文以内网安全管理系统的开发为背景,首先列举了企业内部网络的安全现状和问题分类,剖析了内网安全问题的形成原因,接着基于问题成因分析针对性的提出了内网安全系统的整体解决方案。然后论文讨论了内网安全管理系统的一些关键技术,包括ARP攻击与防范技术,以WINDOWS平台为代表的漏洞和补丁相关内容,钩子技术等。论文详细讲解了重点模块的设计实现,资产模块收集各种系统信息;补丁管理模块实现终端计算机的漏洞分析和补丁安装;设备控制模块根据策略禁用或者启用设备;外联监控模块探测是否存在非法外联行为;安全接入模块发现并阻断未经授权的计算机接入行为。最后论文分析了系统在实际网络环境部署中遇到的问题,并提出了优化的解决方案。更多还原

【Abstract】 In recent years, frequent hacker attacks, network viruses, worms and Trojans, greatly endangering the safety of corporation’s interior networks, most of them use system vulnerabilities, attack, infection and spread. On the other hand ultra vires access and irregular operations are difficult to audit and prevent, and brought great losses to the enterprise. Traditional boundaries and core assets protection of the security system gradually shown inadequate to effectively deal with all the network management problems. All Enterprise’s Computers rely on the manual management is far from meeting the current large-scale network environment, in desperate need of new technological means to achieve the unity of the internal network management. This question of network security system construction is gradually brought to agenda of the organizations superintendent and network security builders.In this paper, within the development of network security management system as the background, first of all listed companies internal network security status and classifications, analyze the reasons of network security problems product, and then based on the causes propose the internal network security system solution. Then paper presents a number of key technologies on the network security management system, including the ARP attack and prevent technology , WINDOWS platform vulnerabilities and patches, hook technology. Then paper discusses the Design of some most important modules, assets module to collect system’s information; patch management module to achieve the vulnerabilities of computer and patch installation; peripherals control module to forbid or permit the use of equipment by strategy, the outreach monitoring module to discover illegal acts of connecting to external network , secure access module block unauthorized computer access behavior. Finally thesis describes the problem of the system encountered in the actual network environment deployment and propose the optimal solution.更多还原