
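Research on an Access Control System Based on the Campus Network

Published: 2018-04-02 23:13

  Topic: network security. Focus: access control. Source: Shanghai Jiao Tong University, master's thesis, 2014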


[Abstract]: In today's information society, the network has become an indispensable part of people's daily lives. As a major component of China's education informatization and an important piece of school infrastructure, the campus network plays a pivotal role in daily teaching, administration, research activities and external exchange. However, as applications deepen and campus networks expand rapidly in scale, keeping the campus network running normally, stably and securely faces increasingly severe challenges, and campus network security has become the primary problem that cannot be ignored in current campus network construction. In the Internet era, the campus network has become a hardest-hit area for network security. Although large amounts of manpower, material and financial resources have been invested and security systems such as identity authentication, firewalls and intrusion detection have been built, these systems each target a specific security domain, and a flexibly configurable, integrated security architecture is lacking. When the security situation changes, security policies cannot be adjusted in time to meet new security challenges. A configurable, rule-based, front-end access control system is therefore indispensable.

To address these problems, this thesis proposes a computer network security solution that, combined with network authentication products, checks the security state of a computer system when it connects to the network. The solution allows security check rules to be configured flexibly according to actual needs and judges the security state of a computer system against the defined security rules. Low-security computer systems that do not meet the requirements have their network access scope restricted or are isolated, and are guided to update their security state. This ensures that computer systems connected to the network have a certain security level and minimizes the security risks the network may face.

The thesis first starts from the current state and characteristics of campus networks, analyzes the security problems they face and the causes of those problems, and summarizes the security requirements of campus networks. From these it derives the design goals of the security-check access control system: prohibit unauthorized users from accessing internal network resources, establish flexible and adjustable security policies to reduce the impact of security threats on the campus network, and strengthen internal network monitoring and control capability. From these design goals it distills the three basic features the system must have, namely user identity authentication, endpoint security state checking and network access control, and introduces the technical basis for implementing the system: network admission control technology. The core design idea of the system is to perform identity authentication and security state checking on devices that request access to the campus network. A device that meets the network's security requirements is allowed to connect to the campus network and access network resources; a device that does not meet them is isolated and guided to improve its own security state, which keeps connected devices secure and controllable.

Second, based on the campus network's security requirements and the system design goals, the thesis carries out a requirements analysis of the system's functions and divides the system into four functional modules: identity authentication, security state checking, network access control and security policy management. Based on the Unified Modeling Language (UML), it uses flowcharts, use case modeling, class diagrams and sequence diagrams to model the functional requirements from multiple dimensions. Then, on the basis of this functional requirements modeling, the system framework is designed. To obtain good compatibility, extensibility and flexibility across different network environments, the system is designed with a framework structure that separates basic control components from functional components. Finally, through functional testing and a brief account of the system's effect in actual use, the thesis verifies that applying the security-check access control system in a campus network can effectively improve the security of the whole network while making only minor changes to the existing network.

[Degree-granting institution]: Shanghai Jiao Tong University
[Degree level]: Master's
[Year degree granted]: 2014
[Classification number]: TP393.18; TP393.08



