
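Research on an Access Control System Based on the Campus Network

Published: 2018-04-02 23:13

  Topic of this thesis: network security. Entry point: access control. Source: Shanghai Jiao Tong University, 2014 master's thesis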


[Abstract]: In today's information society, the network has become an indispensable part of people's daily lives. The campus network, as a major component of educational informatization in China and as important school infrastructure, plays a pivotal role in daily teaching, administration, scientific research and external exchange. However, as applications deepen and campus networks expand rapidly, ensuring that the campus network runs normally, stably and securely faces increasingly severe challenges, and campus network security has become the primary problem that cannot be ignored in current campus network construction. In the Internet era, the campus network has become a hard-hit area for network security. Although large amounts of manpower, material and financial resources have been invested to build security systems such as identity authentication, firewalls and intrusion detection, these systems each target a specific security domain and lack a flexibly configurable, integrated security architecture. When the security situation changes, security policies cannot be adjusted in time to meet new security challenges. It is therefore essential to establish a configurable, rule-based, front-end access control system.

To address these problems, this thesis proposes a computer network security solution that, combined with network authentication products, checks the security state of a computer system when it connects to the network. The solution allows security check rules to be configured flexibly according to actual needs and determines the security state of a computer system according to the defined security rules. For low-security computer systems that do not meet the requirements, it restricts their network access scope or isolates them, and guides them to update their security state, thereby ensuring that computer systems connected to the network have a certain security level and minimizing the security risks the network may face.

The thesis first starts from the current state and characteristics of campus networks, analyzes the security problems campus networks face and their causes, and summarizes the security requirements of the campus network. From these it derives the design goals of the security-check access control system: to prohibit unauthorized users from accessing internal network resources, to establish flexible and changeable security policies that reduce the impact of security threats on the campus network, and to strengthen internal network monitoring and control. From the design goals it extracts the three basic characteristics the system must have (user identity authentication, endpoint security state checking and network access control) and introduces the technical basis for implementing the system: network admission control technology. The core design idea of the system is to perform identity authentication and security state checking on devices requesting access to the campus network. A device that meets the network's security requirements is allowed to connect to the campus network and access network resources; a device that does not meet the security requirements is isolated and guided to improve its own security state, thereby ensuring that connected devices are secure and controllable.

Second, based on the security requirements of the campus network and the system design goals, the thesis carries out a requirements analysis of the system functions and divides the system into four functional modules: identity authentication, security state checking, network access control and security policy management. Based on the Unified Modeling Language (UML), it models the functional requirements from multiple dimensions using flow charts, use case modeling, class diagrams and sequence diagrams. Then, on the basis of the functional requirements model, it designs the system framework. To achieve good compatibility, extensibility and flexibility in different network environments, the system is designed with a framework that separates the basic control components from the functional components. Finally, through functional testing and a brief account of the system's effect in practical use, the thesis verifies that applying the security-check access control system in a campus network can effectively improve the security of the whole network while making only minor changes to the existing network.

[Degree-granting institution]: Shanghai Jiao Tong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.18;TP393.08


Article number: 1702534


Link to this article: http://sikaile.net/guanlilunwen/ydhl/1702534.html

