出版時間:2010-1 出版社:機械工業(yè)出版社 作者:斯托林斯,布朗 等著 頁數(shù):798
Tag標簽:無
前言
BACKGROUND Interest in education in computer security and related topics has been growing at a dramatic rate in recent years. This interest has been spurred by a number of factors, two of which stand out: 1. As information systems, databases, and Internet-based distributed systems and communication have become pervasive in the commercial world, coupled with the increased intensity and sophistication of security-related attacks, organizations now recognize the need for a comprehensive security strategy. This strategy encompasses the use of specialized hardware and software and trained personnel to meet that need. 2. Computer security education, often termed information security education or information assurance education has emerged as a national goal in the United States and other countries, with national defense and homeland security implications Organizations such as the Colloquium for Information System Security Education and the National Security Agency's (NSA's) Information Assurance Courseware Evaluation (IACE) Program are spearheading a government role in the development of standards for computer security education. Accordingly, the number of courses in universities, community colleges, and other institutions in computer security and related areas is growing. OBJECTIVES The objective of this book is to provide an up-to-date survey of developments in computer security. Central problems that confront security designers and security administrators indude defining the threats to computer and network systems, evaluating the relative risks of these threats, and developing cost-effective and user-friendly countermeasures. The following basic themes unify the discussion: Pfindples: Although the scope of this book is broad, there are a number of basic principles that appear repeatedly as themes and that unify this field. Examples are issues relating to authentication and access control. The book highlights these principles and examines their application in specific areas of computer security. Design approaches: The book examines alterna,tive approaches to meeting specific computer security requirements Standards: Standards have come to assume an increasingly important, indeed dominant, role in this field. An understanding of the current status and future direction of technology requires a comprehensive discussion of the related standards. Real-world examples: A number of the chapters include a section that shows the practical application of that chapter's principles in a real-world environment. INTENDED AUDIENCE The book is intended for both an academic and a professional audience. As a textbook, it is intended as a one- or two-semester undergraduate course for computer science, computer engineering, and electrical engineering majors, It covers all the topics in 0S7 Security and Protection, which is one of the core subject areas in the IEEE/ACM Computer Curricula 2001,as well as a number of other topis The book covers the core area lAS Information Assurance and Security in the Computer Curricula 2005 Information Technology Volume; and CE-OPS6 Security and Protection from the Computer Engineering Curriculum Guidelines, 2004. For the professional interested in this field, the book serves as a basic reference volume and is suitable for self-study. PLAN OF THE TEXT The book is divided into six parts (see Chapter 0): ·Computer Security Technology and Principles ·Software Security ·Management Issues .·Cryptographic Algorithms ·Internet Security ·Operating System Security The section on OS security covers two real-world examples in detail: Linux and Windows Vista. There are also a number of appendices in the book to provide additional background.The book is also accompanied by a number of online appendices that provide more detail on selected topics The book includes an extensive glossary, a list of frequently used acronyms, and a bibliography. Each chapter includes homework problems, review questions, a list of key words,suggestions for further reading, and recommended Web sites. HACKING EXERCISES The instructor's support materials include two Web related hacking exercises: (1) Cross site scripting attacks (2) Server side SQL injection type attacks For both of the above the instructor needs a Linux system with a web server installed (Apache is freely available and could work as a web server) as well as PhP installed (again, its freely available). You simply download the files from the instructor support site and save them in the public html directory, and unpack them for the projects to be ready to use. You would of course also need to change the permissions on the folders and the files after you unpack it but that's easy. Also included is a short step-by-step instruction manual that tells the instructor exactly what to do with this package of files in order to create the environment for the student exercises. These projects have been used in computer security courses and have been the highlight of the courses; students felt the most excited because of them and they are very rewarding indeed. An additional hacking exercise is included that involves attempting to reverse engineer an application-level protocol. This is a sockets programming exercise. See Appendix C in this book for more details. OTHER PROJECTS AND STUDENT EXERCISES For many instructors, an important component of a computer security course is a project or set of projects by which the student gets hands-on experience to reinforce concepts from the text. Tnis book provides an unparalleled degree of support for including a projects component in the course. The instructor's supplement not only includes guidance on how to assign and structure the projects but also includes a set of user's manuals for various project types plus specific assignments, all written especially for this book. Instructors can assign work in the following areas: ·Programming projects: A series of programming projects that cover a broad range of topics and that can be implemented in any suitable language on any platform ·Research projects: A series of research assignments that instruct the student to research a particular topic on the Intemet and write a report ·Laboratory exercises: A series of projects that involve programming and experimenting with concepts from the book ·Practical security assessments: A set of exercises to examine current infrastructure and practices of an existing organization ·Reading/report assignments: A list of papers that can be assigned for reading and writing a report, plus suggested assignment wording ·Writing assignments: A list of writing assignments to facilitate learning the material This diverse set of projects and other student exercises enables the instructor to use the book as one component in a rich and varied learning experience and to tailor a course plan to meet the specific needs of the instructor and students, See Appendix C in this book for details. INSTRUCTIONAL SUPPORT MATERIALS To support instructors, the following materials are provided: ·Solutions Manual: Solutions to end-of-chapter Review Questions and Problems ·PowerPoint slides: A set of slides covering all chapters, suitable for use in lecturing. ·PDF files: Reproductions of all figures and tables from the book ·Projects manual: Suggested project assignments for all of the project categories listed below Instructors may contact their Pearson Education or Prentice Hall representative for access to these materials In addition, the book's Web site supports instructors with ·Links to Webs sites for other courses being taught using this book ·Sign-up information for an Internet mailing list for instructors INTERNET SERVICES FOR INSTRUCTORS AND STUDENTS There is a Web site for this book that provides support for students and instructors. The site includes links to other relevant sites. The Web page is at WilliamStalling&com/CompSec/CompSecle.html; see Chapter 0 for more information. An Intemet mailing list has been set up so that instructors using this book can exchange information, suggestions, and questions with each other and with the author. As soon as typos or other errors are discovered, an errata list for this book will be available at WilliamStalhngs. com. ACKNOWLEDGMENTS This book has benefited from review by a number of people, who gave generously of their time and expertise. The following professors and instructors reviewed all or a large part of the manuscript: James Bret Michael (Naval Postgraduate School), Scott Campbell (Miami University), Jim Aires-Foss (University of Idaho), Gregory B. White (University of Texas-San Antonio), Corey D. Shou (Idaho State University), Weining Zhang (University of Texas——San Antonio), Sreekanth Malladi (Dakota State University), Breno Fonseca De Medeiros (Florida State University), Kent E. Seamons (Brigham Young University),Krishna M. Sivalingam (University of Maryland, Baltimore County), and Alec Yasinsac (Florida State University). Thanks also to the many people who provided detailed technical reviews of one or more chapters: Pradeep Navalkar (TechTonics Group Limited); Manish Gupta (M&T Bank Corporation, Buffalo); Scott W. DeVault (CISSP, MCP, The AEgis Technologies Group, Inc.); Arturo 'Buanzo' Busleiman (Independent Security Consultant, Buenos Aires); David Grant (MICDDS, Group Security Manager, Halcrow Group Ltd); Spike Ouatrone; Jaspreet Singh (Senior Consultant, Ernst and Young, India): Jean-Charles Demarque (IT Consultant in France); Steve Fletcher; David Oillett (CISSP, CCNP, CCSE,MCSE); Robert Slade (author and prolific book reviewer); Rob J. Meijer (Dutch National Police Agency); Marc Blitz (aacompsec.com); Kevin Sanchez-Cherry (IT security and assurance specialist); Don Munro; Edward Lewis (Australian Defence Force Academy, University of New South Wales); and Jerome Athias (Independant Security Researcher). Sreekanth Malladi of Dakota State University developed the Web hacking projects.Arnold Patton of Bradley University developed the reverse engineering hacking project. We also thank Ricky Magalhaes of Fastennet Security, who developed a series of Windows security projects for this book. The following people provided homework problems: Zubair Baig (Monash University);Spike Quatrone; Edward Lewis (University of New South Wales), and Rob J Meijer. Dr Lawrie Brown would first like to thank Bill Stallings for the pleasure of working with him to produce this text. I would also like to thank my colleagues in the School of Information Technology and Electrical Engineering, University of New South Wales at the Australian Defence Force Academy in Canberra, Australia for their encouragement and support.I particularly wish to acknowledge the insightful comments and critiques by Ed Lewis and Don Munro, who I believe have helped produce a more accurate and succinct text. Finally, we would like to thank the many people responsible for the publication of the book, all of whom did their usual excellent job. This includes the staff at Prentice Hall, particularly my editor, Tracy Dunkelberger, her assistants, Christianna Lee and Carole Snyder, and production manager, Rose Kernan. Thanks also to Patricia M. Daly, who did the copy editing.
內(nèi)容概要
本書系統(tǒng)地介紹了計算機安全領域中的各個方面,全面分析了計算機安全威脅、檢測與防范安全攻擊的技術方法以及軟件安全問題和管理問題。本書重點介紹核心原理,揭示了這些原理是如何將計算機安全領域統(tǒng)一成一體的,并說明了它們在實際系統(tǒng)和網(wǎng)絡中的應用。此外,本書還探討了滿足安全需求的各種設計方法,闡釋了對于當前安全解決方案至關重要的標準。 本書思路清晰,結(jié)構嚴謹,并且提供了擴展的教學支持——數(shù)百個精心設計的實踐問題,是高等院校計算機安全專業(yè)的理想教材,同時也可作為研究人員和專業(yè)技術人員的非常有價值的參考書。
作者簡介
William Stallings擁有美國麻省理工學院計算機科學博士學位,現(xiàn)任教于澳大利亞新南威爾士大學國防學院(堪培拉)信息技術與電子工程系。他是世界知名計算機學者和暢銷教材作者,已經(jīng)撰寫了17部著作,出版了40多本書籍。內(nèi)容涉及計算機安全、計算機網(wǎng)絡和計算機體系結(jié)構等方面
書籍目錄
Preface About the Authors Notation Acronyms Chapter 0 Reader's and Instructor's Guide Chapter 1 Overview PART ONE COMPUTER SECURITY TECHNOLOGY AND PRINCIPLES Chapter 2 Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Chapter 5 Database Security Chapter 6 Intrusion Detection Chapter 7 Malicious Software Chapter 8 Denial of Service Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 10 Trusted Computing and Multilevel Security PART TWO SOFTWARE SECURITY Chapter 11 Buffer Overflow Chapter 12 Other Software Security Issues PART THREE MANAGEMENT ISSUES Chapter 13 physical and Infrastructure Security Chapter 14 Human Factors Chapter 15 Security Auditing Chapter 16 IT Security Management and Risk Assessment Chapter 17 IT Security Controls, Plans and Procedures Chapter 18 Legal and Ethical Aspects PART FOUR CRYPTOGRAPHIC ALGORITHMS Chapter 19 Symmetric Encryption and Message Confidentiality Chapter 20 Public-Key Cryptography and Message Authentication PART FIVE INTERNET SECURITY Chapter 21 Internet Security Protocols and Standards Chapter 22 Internet Authentication Applications PART SIX OPERATING SYSTEM SECURITY Chapter 23 Linux Security 690 Chapter 24 Windows and Windows Vista Security APPENDICES Appendix A Some Aspects of Number Theory Appendix B Random and Pseudorandom Number Generation Appendix C Projects for Teaching Computer Security References Index ONLINE APPENDICES Appendix D Standards and Standard-Setting Organizations Appendix E TCP/IP Protocol Architecture Appendix F Glossary
章節(jié)摘錄
插圖:The subsection on threats to communication lines and networks in Section 1.2 is based on the X.800 categorization of security threats.The next two sections exam ine security services and mechanisms, using the X.800 architecture.Security Services X.800 defines a security service as a service that is provided by a protocol layer of ommunicating open systems and that ensures adequate security of the systems or of data transfers Perhaps a clearer definition is found in RFC 2828, which provides the following definition: a processing or communication service that is provided by a system to give a specific kind of protection to system resources; security services implement security policies and are implemented by security mechanisms.X.800 divides these services into six categories and fourteen specific services (Table 1.5). We look at each category in turn.5 Keep in mind that to a considerable extent, X.800 is focused on distributed and networked systems and so emphasizes network security over single-system computer security. Nevertheless, Table 1.5 is a useful checklist of security services.Authentication The authentication service is concerned with assuring that a communication is authentic. In the case of a single message, such as a warning or alarm signal, the function of the authentication service is to assure the recipient that the message is from the source that it claims to be from. In the case of an ongoing interaction, such as the connection of a terminal to a host, two aspects are involved. First, at the time of connection initiation, the service assures that the two entities are authentic; that is, that each is the entity that it claims to be. Second, the service must assure that the connection is not interfered with in such a way that a third party can asquerade as one of the two legitimate parties for the purposes of unauthorized transmission or reception.Two specific authentication services are defined in the standard:Peer entity authentication: Provides for the orroboration of the identity of a peer entity in an association. Two entities are considered peer if they imple ment the same protocol in different systems (e.g., two TCP users in two com municating systems). Peer entity uthentication is provided for use at the establishment of, or at times during the data transfer phase of, a onnection. It attempts to provide confidence that an entity is not performing either a mas querade or an nauthorized replay of a previous connection.Data origin authenticatio: Provides for the corroboration of the source of a data unit. It does not provide otection against the duplication or modification of data units. This type of service supports applications like electronic mail where there are no prior interactions between the communicating entities.Access Control In the context of network security, access control is the ability to limit and control the access to host systems and applications via communications links. To achieve this, each entity trying to gain access must irst be identified, or authenticated, so that access rights can be tailored to the individual.There is no universal agreement about many of the terms used in the security literature. For example, the term integrity is sometimes used to refer to all aspects of information security. The term authentication is sometimes used to refer both to verification of identity and to the various functions listed under integrity in the this hapter. Our usage here agrees with both X.800 and RFC 2828.
編輯推薦
《計算機安全原理與實踐(英文版)》是由機械工業(yè)出版社出版的。
圖書封面
圖書標簽Tags
無
評論、評分、閱讀與下載