Linux Network Security Techniques and Implementation (2nd Edition)

"Linux Network Security Techniques and Implementation (2nd Edition)" is a book published on 13 March 2012.

Basic information

  • Title: Linux Network Security Techniques and Implementation (2nd Edition)
  • ISBN: 9787302278863
  • List price: 68 yuan
  • Binding: paperback
  • Print date: 13 March 2012

Book description

This book begins with network infrastructure and then progressively covers security, policy-based routing, traffic control and virtual private networks, taking you on a tour through the world of network security. If you are preparing to enter the field of Linux network security, this book, which brings theory and practice together, will be a trusted guide, leading you systematically through building a rock-solid enterprise network security barrier.

Table of contents

Chapter 1 Basic Firewall Concepts ····· 1
1.1 Basic concepts of TCP/IP ····· 2
1.1.1 Application layer ····· 2
1.1.2 Transport layer ····· 3
1.1.3 Network layer ····· 4
1.1.4 Link layer ····· 4
1.2 Packet transmission ····· 4
1.3 The relationship between TCP, UDP and sockets ····· 9
1.4 What is a firewall ····· 12
1.5 What a firewall bases its decisions on ····· 14
1.5.1 Information in the packet headers of each layer ····· 14
1.5.2 The payload data carried by the packet ····· 16
1.5.3 Connection state ····· 16
1.6 Firewall classification ····· 17
1.6.1 Packet-filtering firewalls ····· 17
1.6.2 Application-layer firewalls ····· 18
1.7 Common firewall architectures ····· 19
1.7.1 Single-host firewall ····· 19
1.7.2 Gateway firewall ····· 20
1.7.3 Transparent firewall ····· 24
1.8 Summary ····· 24
Chapter 2 Netfilter/iptables ····· 25
2.1 What is the kernel ····· 26
2.2 What is Netfilter ····· 27
2.3 The relationship between Netfilter and Linux ····· 27
2.4 Where Netfilter operates ····· 28
2.5 Netfilter command structure ····· 30
2.6 The Netfilter filter mechanism ····· 31
2.7 How rules are matched ····· 35
2.8 The relationship between Netfilter and iptables ····· 36
2.9 Using the iptables tool ····· 38
2.9.1 iptables command parameters ····· 38
2.9.2 iptables rule syntax ····· 48
2.9.3 Putting it into practice: iptables rule syntax ····· 56
2.10 Building a simple single-host firewall with iptables ····· 57
2.10.1 How to test whether firewall rules are correct ····· 59
2.10.2 Fixing the problem of being unable to establish outbound connections from the firewall host ····· 62
2.10.3 Managing the firewall rule database ····· 68
2.11 Building a gateway firewall with the filter mechanism ····· 71
2.12 The Netfilter NAT mechanism ····· 73
2.12.1 Dividing IP subnets ····· 73
2.12.2 Private IP addresses ····· 74
2.12.3 NAT ····· 74
2.12.4 Packet direction and its relationship to SNAT and DNAT ····· 76
2.12.5 Types of NAT ····· 79
2.12.6 NAT is not a cure-all ····· 86
2.13 The Netfilter mangle mechanism ····· 86
2.14 The Netfilter raw mechanism ····· 89
2.15 Summary ····· 91
Chapter 3 Netfilter Match Types and Targets ····· 93
3.1 Match types ····· 94
3.1.1 Built-in matches ····· 94
3.1.2 Matches extended by modules ····· 98
3.2 Targets ····· 139
3.2.1 Built-in targets ····· 139
3.2.2 Targets extended by modules ····· 142
3.3 Summary ····· 153
Chapter 4 Advanced Netfilter/iptables Techniques ····· 155
4.1 Optimising firewall performance ····· 156
4.1.1 Adjusting the order of firewall rules ····· 156
4.1.2 Making good use of the multiport and iprange modules ····· 158
4.1.3 Making good use of user-defined chains ····· 158
4.2 Netfilter connection-handling capacity and memory consumption ····· 159
4.2.1 Calculating the maximum number of connections ····· 160
4.2.2 Adjusting the number of tracked connections ····· 160
4.2.3 Connection-tracking count and memory consumption ····· 161
4.3 Using the raw table ····· 162
4.4 Handling simple and complex protocols ····· 163
4.4.1 Simple protocols ····· 163
4.4.2 Complex protocols ····· 164
4.4.3 Principles for handling ICMP packets ····· 171
4.4.4 Problems with using NAT in a DMZ and their solutions ····· 172
4.4.5 Common network attacks and how to defend against them ····· 175
4.5 Summary ····· 191
Chapter 5 Proxy Server Applications ····· 193
5.1 What is a proxy server ····· 194
5.2 Protocols supported by proxy servers ····· 195
5.3 Types of proxy server ····· 195
5.3.1 What is a caching proxy ····· 195
5.3.2 What is a reverse proxy ····· 196
5.4 Hardware requirements for a proxy server ····· 197
5.5 Installing the Squid proxy ····· 198
5.6 Building a caching proxy with Squid ····· 199
5.6.1 Basic caching proxy configuration ····· 199
5.6.2 Client configuration for a caching proxy ····· 204
5.6.3 Advanced caching proxy configuration ····· 205
5.6.4 Connection access control for a caching proxy ····· 209
5.6.5 Managing cached objects ····· 210
5.6.6 Squid proxy logs ····· 214
5.6.7 Squid proxy name resolution ····· 216
5.7 Transparent proxy ····· 217
5.7.1 How a transparent proxy works ····· 217
5.7.2 Configuring a transparent proxy ····· 218
5.8 Reverse proxy ····· 219
5.8.1 Types of web server ····· 219
5.8.2 Building a reverse proxy ····· 221
5.9 Summary ····· 226
Chapter 6 Protecting the Enterprise Network with Netfilter/iptables ····· 227
6.1 Choosing a firewall architecture ····· 228
6.2 Security of the firewall host itself ····· 230
6.2.3 Inbound/outbound considerations ····· 231
6.2.4 Security considerations for remote management ····· 232
6.3 Defining firewall rules ····· 232
6.3.1 The internal network and the Internet ····· 232
6.3.2 The DMZ and the Internet ····· 234
6.3.3 The internal network and the DMZ ····· 238
6.4 Other considerations for intrusion and defence ····· 238
6.4.1 Updating system software ····· 238
6.4.2 Defending against SYN flooding attacks ····· 238
6.4.3 Defending against IP spoofing ····· 241
6.5 Summary ····· 242
Chapter 7 Compiling the Linux Kernel ····· 243
7.1 Why recompile the kernel ····· 245
7.2 Kernel compilation ····· 246
7.2.1 Installing the software development environment ····· 246
7.2.2 Obtaining the kernel source code ····· 247
7.2.3 Integrating the source code ····· 248
7.2.4 Setting the version number of the compiled kernel ····· 249
7.2.5 Cleaning temporary files outside the kernel source ····· 249
7.2.6 Setting kernel compilation parameters ····· 250
7.2.7 Running the compilation ····· 252
7.2.8 Installing the modules and the kernel ····· 253
7.2.9 Modifying the boot manager ····· 255
7.3 How to install kernel patches ····· 257
7.3.1 Downloading the patch files and kernel source ····· 257
7.3.2 Preparing the kernel and patch source ····· 258
7.3.3 Applying the kernel patch ····· 259
7.3.4 Setting kernel compilation parameters ····· 259
7.3.5 Checks after kernel compilation ····· 260
7.4 Summary ····· 260
Chapter 8 Application-Layer Firewalls ····· 261
8.1 How to patch iptables ····· 263
8.2 How the Layer7 module identifies application-layer protocols ····· 264
8.3 Installation modes for the Layer7 module ····· 265
8.4 How to use the Layer7 module ····· 267
8.5 Layer7 module usage examples ····· 268
8.6 Combining the packet filter with the Layer7 module ····· 271
8.7 Summary ····· 273
Chapter 9 Transparent Firewalls ····· 275
9.1 What is bridge mode ····· 278
9.2 What is a transparent firewall ····· 279
9.3 Building a transparent firewall ····· 279
9.3.1 Building a bridge with Linux ····· 280
9.3.2 How Netfilter operates at Layer 3 and Layer 2 ····· 284
9.3.3 Another kind of transparent firewall ····· 290
9.3.4 Configuring proxy ARP ····· 290
9.4 Summary ····· 292
Chapter 10 Policy-Based Routing and Multi-Link Bandwidth Aggregation ····· 293
10.1 What is policy-based routing ····· 294
10.2 Understanding the Linux routing mechanism ····· 296
10.3 Managing the routing policy database and routing tables ····· 298
10.3.1 Managing the policy database ····· 298
10.3.2 Managing routing tables ····· 302
10.4 Bandwidth aggregation ····· 305
10.4.1 What is bandwidth aggregation ····· 306
10.4.2 Bandwidth aggregation within the enterprise ····· 307
10.5 Summary ····· 319
Chapter 11 Linux Bandwidth Management ····· 321
11.1 Queues ····· 322
11.1.1 Classless queueing algorithms ····· 323
11.1.2 Classful queueing algorithms ····· 323
11.2 Linux bandwidth management ····· 324
11.3 Filters ····· 325
11.3.1 The fw filter ····· 326
11.3.2 The u32 filter ····· 326
11.4 Bandwidth management deployment example ····· 326
11.4.1 Dividing the bandwidth ····· 327
11.4.2 Setting the queueing algorithm ····· 327
11.4.3 Setting the queueing disciplines ····· 328
11.4.4 Setting the filters ····· 329
11.4.5 Testing ····· 330
11.5 Bandwidth borrowing ····· 332
11.6 Queues within classes ····· 334
11.7 Limitations of Linux bandwidth management ····· 335
11.8 Bandwidth management in bridge mode ····· 338
11.9 Bandwidth management across multiple interfaces ····· 339
11.9.1 Patching the kernel and iptables ····· 340
11.9.2 Multi-interface bandwidth management ····· 341
11.10 A real-world case ····· 343
11.11 Summary ····· 348
Chapter 12 Traffic Statistics ····· 349
12.1 Installing and testing an SNMP server ····· 350
12.1.1 Installing the SNMP server ····· 350
12.1.2 Testing the SNMP server ····· 351
12.2 Installing and configuring MRTG ····· 352
12.2.1 Installing MRTG ····· 352
12.2.2 Configuring MRTG ····· 352
12.2.3 Using the cfgmaker tool to write an MRTG configuration file for a network interface ····· 353
12.3 Another way to monitor network traffic ····· 357
12.3.1 Combining Netfilter/iptables and MRTG to monitor network traffic ····· 357
12.3.2 Writing the MRTG configuration file by hand ····· 359
12.4 Examples of external programs and MRTG configuration files ····· 360
12.5 Summary ····· 362
Chapter 13 Vulnerability Scanning, Intrusion Detection and Active Defence Systems ····· 363
13.1 What is vulnerability scanning ····· 364
13.1.1 The OpenVAS vulnerability scanner ····· 364
13.1.2 Architecture of the OpenVAS vulnerability scanner ····· 365
13.1.3 Downloading and installing the OpenVAS vulnerability scanner ····· 365
13.1.4 Performing a vulnerability scan ····· 368
13.2 Intrusion detection systems ····· 374
13.2.1 Limitations of network devices ····· 374
13.2.2 Types of intrusion detection system ····· 375
13.2.3 Deploying an intrusion detection system ····· 375
13.2.4 Introduction to the Snort intrusion detection system ····· 376
13.2.5 Downloading and installing the Snort intrusion detection system ····· 377
13.2.6 Downloading and installing the Snort rule database ····· 378
13.2.7 Configuring Snort ····· 381
13.2.8 Starting and stopping Snort ····· 382
13.2.9 Snort alerts ····· 382
13.3 Active defence systems ····· 383
13.3.1 Downloading Guardian ····· 384
13.3.2 Installing Guardian ····· 384
13.3.3 Configuring Guardian ····· 385
13.3.4 Starting and stopping Guardian ····· 386
13.4 Summary ····· 387
Chapter 14 VPN Fundamentals ····· 389
14.1 What is a VPN ····· 390
14.1.1 How a VPN works ····· 392
14.1.2 Common VPN architectures ····· 393
14.1.3 VPN security issues ····· 393
14.1.4 Advantages and disadvantages of VPNs ····· 393
14.2 Data encryption and decryption ····· 394
14.2.1 What is "plaintext" ····· 394
14.2.2 What is "ciphertext" ····· 395
14.3 Types of data encryption ····· 396
14.3.1 Symmetric encryption ····· 396
14.3.2 Asymmetric encryption ····· 397
14.4 Hash algorithms ····· 398
14.4.1 Common hash algorithms ····· 399
14.4.2 Properties of hash algorithms ····· 399
14.5 IPSec-based VPNs ····· 400
14.5.1 IPSec modes of operation ····· 400
14.5.2 Components of IPSec ····· 401
14.5.3 Parameters that must be set when running the AH and ESP protocols ····· 409
14.5.4 Installing the IPSec parameter management tools ····· 411
14.5.5 Configuring a transport-mode IPSec VPN ····· 411
14.6 The IPSec architecture in Linux ····· 420
14.6.1 The IPSec SPD ····· 421
14.6.2 The IPSec SAD ····· 422
14.7 Summary ····· 425
Chapter 15 VPN in Practice ····· 427
15.1 IKE ····· 428
15.2 Transport-mode VPN with pre-shared key authentication ····· 433
15.2.1 Configuring the database server ····· 434
15.2.2 Configuring the client host ····· 435
15.2.3 Starting the VPN ····· 436
15.3 Tunnel-mode VPN with pre-shared key authentication ····· 437
15.3.1 Configuration on the VPN server (A) host ····· 438
15.3.2 Configuration on the VPN server (B) host ····· 439
15.4 What is a digital certificate ····· 440
15.4.1 Why digital certificates are needed ····· 440
15.4.2 Certificate authorities ····· 441
15.4.3 Using a Linux system as the enterprise CA ····· 447
15.5 Transport-mode VPN with digital certificate authentication ····· 453
15.5.1 Generating and storing certificates ····· 453
15.5.2 Configuring the client VPN host ····· 454
15.6 Tunnel-mode VPN with digital certificate authentication ····· 457
15.6.1 Generating and storing certificates ····· 457
15.6.2 Configuring VPN server (A) ····· 457
15.6.3 Configuring VPN server (B) ····· 458
15.6.4 Starting IPSec ····· 459
15.7 Summary ····· 459
Chapter 16 VPN: L2TP over IPSec ····· 461
16.1 What is PPP ····· 462
16.2 What is the L2TP protocol ····· 462
16.2.1 How the L2TP protocol works ····· 463
16.2.2 Security issues with the L2TP protocol ····· 465
16.2.3 Solutions to the L2TP protocol's security issues ····· 465
16.2.4 Discussion of the client-to-site L2TP VPN architecture ····· 466
16.2.5 Choosing the subnet between the L2TP client and server ····· 467
16.2.6 How proxy ARP works ····· 467
16.3 Building an L2TP VPN ····· 470
16.3.1 Configuring the L2TP server ····· 470
16.3.2 Configuring the PPP server ····· 472
16.3.3 Creating VPN dial-in accounts ····· 472
16.3.4 Generating and storing certificates ····· 473
16.3.5 Configuring security policies ····· 473
16.3.6 The IKE configuration file ····· 474
16.3.7 Starting the L2TP server ····· 475
16.4 Configuring the L2TP client ····· 475
16.4.1 Generating the L2TP client certificate ····· 475
16.4.2 Preparations before importing the certificate into Windows XP/7 ····· 476
16.4.3 Configuring the L2TP client on Windows XP ····· 476
16.4.4 Configuring the L2TP client on Windows 7 ····· 484
16.5 IPSec connections traversing NAT ····· 492
16.6 Summary ····· 494
