Computer Security Homework Exercises

Updated: 2023-08-28 00:19:01


All end-of-chapter exercises of the Beijing Jiaotong University course Computer Security: Principles and Practice (《计算机安全原理与实践》): questions and answers in Chinese and English side by side, with chapter and page cross-references; carefully typeset and ready to print as a booklet.

Computer Security: Principles and Practice, end-of-chapter exercise answers, with questions and answers in Chinese and English

Edward Elric




Answers to the end-of-chapter exercises of Computer Security: Principles and Practice

Chapter 1 Overview Pe6-Pc4

P1.1-Pe36-Pc24① Consider an automated teller machine (ATM) in which users provide a personal identification number (PIN) and a card for account access. Give examples of confidentiality, integrity, and availability requirements associated with the system and, in each case, indicate the degree of importance of the requirement.

Answer: The system must keep personal identification numbers confidential, both in the host system and during transmission for a transaction. It must protect the integrity of account records and of individual transactions. Availability of the host system is important to the economic well-being of the bank, but not to its fiduciary responsibility. The availability of individual teller machines is of less concern.

P1.5-Pe37-Pc25 Use a matrix format to show the relationship between X.800 security services and security mechanisms. The columns of the matrix correspond to mechanisms and the rows correspond to services. Each cell in the matrix should be checked, or not, to indicate whether the corresponding mechanism is used in providing the corresponding service.

① R: review question; P: problem; Pe: page number in the English edition; Pc: page number in the Chinese edition.


P1.6-Pe37-Pc25 Draw a matrix similar to that for the preceding problem that shows the relationship between X.800 security services and network security attacks.

P1.7-Pe37-Pc25 Draw a matrix similar to that for the preceding problem that shows the relationship between X.800 security mechanisms and network security attacks.

R6.10-Pe209-Pc138 What is the difference between a distributed host-based IDS and a NIDS?

Answer: A NIDS examines packet traffic directed toward potentially vulnerable computer systems on a network. A host-based system examines user and software activity on a host. A distributed IDS is a collection of host-based IDSs that cooperate, but the focus remains on host activity rather than network activity.


R6.11-Pe209-Pc138 Describe the types of sensors that can be used in a NIDS.

Answer: An inline sensor is inserted into a network segment so that the traffic that it is monitoring must pass through the sensor. A passive sensor monitors a copy of network traffic; the actual traffic does not pass through the device.

R6.12-Pe209-Pc138 What are possible locations for NIDS sensors?

Answer: 1. just inside the external firewall;

2. between the external firewall and the Internet or WAN;

3. at the entrance to major backbone networks; to support workstation LANs.

R6.13-Pe209-Pc138 What is a honeypot?

Answer: Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.

Chapter 7 Malicious Software Pe215-Pc142

P7.1-Pe246-Pc163 What is the role of compression in the operation of a virus?

Answer: A virus may use compression so that the infected program is exactly the same length as an uninfected version.

What is the role of encryption in the operation of a virus?

Answer: A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.

Answer (Chinese version, translated): Part of the virus code first generates a random key and uses it to encrypt the remainder; the key is kept inside the virus code. When an infected program runs, the encrypted part is first decrypted with this random key, and during each new infection the virus generates a fresh random key. Because every instance of the virus is encrypted with a different key, there is hardly any fixed byte sequence in the virus code that could be used for pattern matching.

P7.3-Pe246-Pc163 What are typical phases of operation of a virus or worm?

Answer: A dormant phase, a propagation phase, a triggering phase, and an execution phase.

P7.6-Pe246-Pc163 In general terms, how does a worm propagate?

Answer: 1. Search for other systems to infect by examining host tables or similar repositories of remote system addresses.

2. Establish a connection with a remote system.

3. Copy itself to the remote system and cause the copy to be run.

P7.8-Pe246-Pc163 What is the difference between a bot and a rootkit?

Answer: A bot (robot), also known as a zombie or drone, is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the bot's creator. A rootkit is a set of programs installed on a system to maintain administrator (or root) access to that system. Root access provides access to all the functions and services of the operating system. The rootkit alters the host's standard functionality in a

R8.1-Pe271-Pc180 Define a denial-of-service (DoS) attack.

Answer: A denial of service (DoS) attack is an action that prevents or impairs the authorized use of networks, systems, or applications by exhausting resources such as central processing units (CPU), memory, bandwidth, and disk space.

R8.2-Pe271-Pc180 What types of resources are targeted by such attacks?

Answer: Resources that could be attacked include any limited resources such as: network bandwidth, system resources, or application resources.

R8.3-Pe271-Pc180 What is the goal of a flooding attack?

Answer: The goal of a flooding attack is generally to overload the network capacity on some link to a server, or alternatively to overload the server's ability to handle and respond to this traffic.

R8.4-Pe271-Pc180 What types of packets are commonly used for flooding attacks?

Answer: Virtually any type of network packet can be used in a flooding attack, though common flooding attacks use ICMP, UDP or TCP SYN packet types.

R8.5-Pe271-Pc180 Why do many DoS attacks use packets with spoofed source addresses?

Answer: Many DoS attacks use packets with spoofed source addresses so that any response packets that result are no longer reflected back to the original source system, but rather are scattered across the Internet to all the various forged source addresses. Some of these addresses might correspond to real systems; others may not be in use, or not reachable. Any response packets returned as a result only add to the flood of traffic directed at the target system.


R8.6-Pe271-Pc180 Define a distributed denial-of-service (DDoS) attack.

Answer: A distributed denial of service (DDoS) attack uses multiple attacking systems, often compromised user workstations or PCs. Large collections of such systems under the control of one attacker can be created, collectively forming a "botnet". By using multiple systems, the attacker can significantly scale up the volume of traffic that can be generated. Also, by directing the attack through intermediaries, the attacker is further distanced from the target, and significantly harder to locate and identify.

R8.7-Pe271-Pc181 What architecture does a distributed denial of service (DDoS) attack typically use?

Answer: Distributed denial of service (DDoS) attack botnets typically use a control hierarchy, where a small number of systems act as handlers controlling a much larger number of agent systems, as shown in Figure 8.4. These have a number of advantages, as the attacker can send a single command to a handler, which then automatically forwards it to all the agents under its control. Automated infection tools can also be used to scan for and compromise suitable zombie systems.

R8.8-Pe271-Pc181 Define a reflection attack.

Answer: In a reflection attack, the attacker sends a network packet with a spoofed source address to a service running on some network server, which responds to the spoofed source address that belongs to the actual attack target. If the attacker sends a number of such spoofed requests to a number of servers, the resulting flood of responses can overwhelm the target's network link. The fact that normal server systems are being used as intermediaries, and that their handling of the packets is entirely conventional, means these attacks can be easier to deploy, and harder to trace back to the actual attacker.

R8.9-Pe271-Pc181 Define an amplification attack.

Answer: An amplification attack also involves sending packets to intermediaries with a spoofed source address for the target system. They differ in generating multiple response packets for each original packet sent, typically by directing the original request to the broadcast address for some network. Alternatively they use a service, often DNS, which can generate a much larger response packet than the original request.

Answer (Chinese version, translated): An amplification attack is a variant of the reflection attack: it likewise sends packets with a spoofed source address to intermediaries. The difference is that the intermediary produces several response packets for each initial packet from the attacker. The attacker can send the initial request to the broadcast address of some network, so that every host on that network may respond to the host named in the packet's source address, and together those hosts produce a flood of response packets.

R8.10-Pe271-Pc181 What is the primary defense against many DoS attacks, and where is it implemented?

Answer: The primary defense against many DoS attacks is to prevent source address spoofing. This must be implemented close to the source of any packet, where the real address (or at least network) is known. Typically this is the ISP providing the network connection for an organization or home user. It knows which addresses are allocated to all its customers, and hence is best placed to ensure that valid source addresses are used in all packets from its customers.
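The ISP-side source-address validation described in this answer, as an added Python example that is not part of the original answer key or of the textbook: an ingress filter forwards a packet only when its source address falls inside a prefix allocated to the customer behind the interface it arrived on, and counts drops per interface so an operator can see which customer is emitting spoofed traffic. The interface names, prefixes and packets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample allocation table (hypothetical addresses, not from the
# page): for each customer-facing interface of the ISP edge router, the
# prefixes the customer behind it has been allocated. Only these may appear as
# source addresses on packets arriving from that interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:beef::/48")],
}


@dataclass(frozen=True)
class Packet:
    ingress_if: str  # interface the packet arrived on
    src: str         # source address as written in the IP header
    dst: str


def source_is_valid(pkt: Packet) -> bool:
    """Ingress filtering check: the source address must lie inside a prefix
    allocated to the customer behind the arrival interface. Anything else is
    a spoofed, or at least unverifiable, source and is not forwarded."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:          # malformed address: never forward it
        return False
    allowed = CUSTOMER_PREFIXES.get(pkt.ingress_if, [])
    return any(src.version == net.version and src in net for net in allowed)


def filter_traffic(packets):
    """Forward packets with valid sources; drop the rest and count drops per
    interface so a customer emitting spoofed traffic (a likely DoS agent)
    shows up in monitoring."""
    forwarded, drops = [], {}
    for pkt in packets:
        if source_is_valid(pkt):
            forwarded.append(pkt)
        else:
            drops[pkt.ingress_if] = drops.get(pkt.ingress_if, 0) + 1
    return forwarded, drops


# Constructed traffic sample: one legitimate packet per customer, one packet
# from cust-a claiming an address nobody behind cust-a holds, one packet
# from cust-b claiming cust-a's address, and one packet arriving on an
# interface with no allocation at all.
SAMPLE = [
    Packet("cust-a", "203.0.113.7", "192.0.2.10"),
    Packet("cust-b", "2001:db8:beef::1", "2001:db8::10"),
    Packet("cust-a", "192.0.2.5", "192.0.2.10"),       # spoofed: not a cust-a prefix
    Packet("cust-b", "203.0.113.7", "192.0.2.10"),     # spoofed: cust-a's address via cust-b
    Packet("unknown-if", "203.0.113.7", "192.0.2.10"),
]

if __name__ == "__main__":
    kept, dropped = filter_traffic(SAMPLE)
    print(f"forwarded {len(kept)} packets, drops per interface: {dropped}")
```

The check is per arrival interface rather than global, because a legitimate address of one customer is still spoofed when it arrives from another customer's port; that is what the second dropped packet in the sample shows.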

R8.11-Pe271-Pc181 What is the primary defense against nonspoofed flooding attacks? Can such attacks be entirely prevented?

Answer: Excess network bandwidth and replicated distributed servers, particularly when the overload is anticipated. This does have a significant implementation cost though. Rate limits of various types on traffic can also be imposed. However such attacks cannot be entirely prevented, and may occur "accidentally" as a result of very high legitimate traffic loads.

R8.12-Pe271-Pc181 What defenses are possible against TCP SYN spoofing attacks?

Answer: It is possible to specifically defend against the SYN spoofing attack by using a modified version of the TCP connection handling code, which instead of saving the connection details on the server, encodes critical information in a "cookie" sent as the server's initial sequence number. When a legitimate client responds with an ACK packet, the server is able to reconstruct this information. Typically this technique is only used when the table overflows, as it does take computation resources on the server, and also blocks the use of certain TCP extensions.

Answer (Chinese version, translated): 1. A modified version of the TCP connection-handling code can be used to defend specifically against SYN spoofing attacks. 2. When the TCP connection table overflows, the system's TCP/IP networking code can be modified to selectively drop an incomplete entry from the connection table, making room for new connection requests. 3. The parameters used by the TCP/IP networking code can be modified.
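The cookie mechanism in this answer, as an added Python example that is not from the answer key or the textbook and models the idea rather than any real stack's layout: the server packs a time counter, an MSS index and a keyed hash of the connection 4-tuple into the initial sequence number, keeps no table entry, and on the handshake ACK reconstructs and checks that state. The secret, the MSS table and the 5/3/24-bit field split are assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
import struct

# Constructed demo secret; a real stack uses a random, periodically rotated key.
SECRET = b"constructed-demo-secret-key"
# The few MSS values that fit in the cookie's 3-bit index (illustrative table).
MSS_TABLE = [536, 1220, 1440, 1460]
# How many counter ticks (think: one-minute ticks) a cookie remains acceptable.
MAX_AGE = 2


def _addr(a: str) -> bytes:
    return ipaddress.IPv4Address(a).packed


def _mac24(saddr, sport, daddr, dport, t, mss_idx) -> int:
    """24-bit keyed hash over the 4-tuple, the counter and the MSS index."""
    msg = struct.pack("!4sH4sHIB", _addr(saddr), sport, _addr(daddr), dport, t, mss_idx)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, sport, daddr, dport, mss, t) -> int:
    """Server side, on receiving a SYN: build the initial sequence number as
    [5-bit counter | 3-bit MSS index | 24-bit MAC]. Nothing is stored."""
    mss_idx = 0
    for i, m in enumerate(MSS_TABLE):   # largest table entry not above the client's MSS
        if m <= mss:
            mss_idx = i
    t &= 0x1F
    return (t << 27) | (mss_idx << 24) | _mac24(saddr, sport, daddr, dport, t, mss_idx)


def verify_cookie(saddr, sport, daddr, dport, ack_number, now):
    """Server side, on receiving the handshake ACK: recover the connection
    state from ack_number - 1. Returns the negotiated MSS, or None when the
    cookie is stale, forged, or belongs to a different 4-tuple."""
    cookie = (ack_number - 1) & 0xFFFFFFFF
    t = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    mac = cookie & 0xFFFFFF
    for age in range(MAX_AGE + 1):          # accept only recent counter values
        if (now - age) & 0x1F != t:
            continue
        expected = _mac24(saddr, sport, daddr, dport, t, mss_idx)
        if hmac.compare_digest(mac.to_bytes(3, "big"), expected.to_bytes(3, "big")):
            return MSS_TABLE[mss_idx] if mss_idx < len(MSS_TABLE) else None
        return None
    return None


if __name__ == "__main__":
    # Constructed handshake: client 198.51.100.7:40000 -> server 203.0.113.10:443.
    isn = make_cookie("198.51.100.7", 40000, "203.0.113.10", 443, mss=1460, t=7)
    print("fresh ACK  ->", verify_cookie("198.51.100.7", 40000, "203.0.113.10", 443, isn + 1, now=8))
    print("stale ACK  ->", verify_cookie("198.51.100.7", 40000, "203.0.113.10", 443, isn + 1, now=12))
    print("other port ->", verify_cookie("198.51.100.8", 40000, "203.0.113.10", 443, isn + 1, now=8))
```

A flood of spoofed SYNs now costs the server one hash each and no memory, and a spoofed source never sends the ACK, so nothing is ever allocated for it. The price is visible in the layout: with only 32 bits there is no room for TCP options such as window scaling or SACK, which is the cost the answer describes as blocking certain TCP extensions, and why stacks fall back to cookies only once the table is full.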

R8.13-Pe271-Pc181 What do the terms slashdotted and flash crowd refer to? What is the relation between these instances of legitimate network overload and the consequences of a DoS attack?

Answer: The terms slashdotted or flash crowd refer to very large volumes of legitimate traffic, as a result of high publicity about a specific site, often as a result of a posting to the well-known Slashdot or other similar news aggregation site. There is very little that can be done to prevent this type of either accidental or deliberate overload, without also compromising network performance. The provision of significant excess network bandwidth and replicated distributed servers is the usual response, as noted in question 8.11.

R8.14-Pe271-Pc181 What defenses are possible to prevent an organization's systems being used as intermediaries in an amplification attack?

Answer: To prevent an organization's systems being used as intermediaries in a broadcast amplification attack, the best defense is to block the use of IP directed broadcasts. This can be done either by the ISP, or by any organization whose systems could potentially be used as an intermediary.


R8.15-Pe271-Pc181 What steps should be taken when a DoS attack is detected?

Answer: In order to successfully respond to a denial of service attack, a good incident response plan is needed to provide guidance. When a denial of service attack is detected, the first step is to identify the type of attack and hence the best approach to defend against it. From this analysis the type of attack is identified, and suitable filters designed to block the flow of attack packets. These have to be installed by the ISP on their routers. If the attack targets a bug on a system or application, rather than high traffic volumes, then this must be identified, and steps taken to correct it to prevent future attacks. In the case of an extended, concerted, flooding attack from a large number of distributed or reflected systems, it may not be possible to successfully filter enough of the attack packets to restore network connectivity. In such cases the organization needs a contingency strategy to switch to alternate backup servers, or to rapidly commission new servers at a new site with new addresses, in order to restore service.

R8.16-Pe271-Pc181 What measures are needed to trace the source of various types of packets used in a DoS attack? Are some types of packets easier to trace back to their source than others?

Answer: The organization may also wish to trace the source of various types of packets used in a DoS attack. If non-spoofed addresses are used, this is easy. However if spoofed source addresses are used, this can be difficult and time-consuming, as their ISP will need to trace the flow of packets back in an attempt to identify their source. This is generally neither easy nor automated, and requires cooperation from the network providers these packets traverse.

P8.1-Pe271-Pc181 In order to implement the classic DoS flood attack, the attacker must generate a sufficiently large volume of packets to exceed the capacity of the link to the target organization. Consider an attack using ICMP echo request (ping) packets that are 500 bytes in size (ignoring framing overhead). How many of these packets per second must the attacker send to flood a target organization using a 0.5-Mbps link? How many per second if the link is 2 Mbps? Or 10 Mbps?

Answer: In a DoS attack using ICMP Echo Request (ping) packets 500 bytes in size, to flood a target organization using a 0.5 Megabit per second (Mbps) link the attacker needs 500000 / (500 × 8) = 125 packets per second. On a 2 Mbps link it's 2000000 / (500 × 8) = 500 packets per second. On a 10 Mbps link it's 10000000 / (500 × 8) = 2500 packets per second.

P8.2-Pe271-Pc181 Using a TCP SYN spoofing attack, the attacker aims to flood the table of TCP connection requests on a system so that it is unable to respond to legitimate connection requests. Consider a server system with a table for 256 connection requests. This system will retry sending the SYN-ACK packet five times when it fails to receive an ACK packet in response, at 30-second intervals, before purging the request from its table. Assume that no additional countermeasures are used against this attack and that the attacker has filled this table with an initial flood of connection requests. At what rate must the attacker continue to send TCP connection requests to this system in order to ensure that the table remains full? Assuming that the TCP SYN packet is 40 bytes in size (ignoring framing overhead), how much bandwidth does the attacker consume to continue this attack?

Answer: For a TCP SYN spoofing attack, on a system with a table for 256 connection requests, that will retry 5 times at 30 second intervals before purging the request from its table, each connection request occupies a table entry for 6 × 30 secs (initial + 5 repeats) = 3 min. In order to ensure that the table remains full, the attacker must continue to send 256 / 3, or about 86, TCP connection requests per minute. Assuming the TCP SYN packet is 40 bytes in size, this consumes about 86 × 40 × 8 / 60, which is about 459 bits per second, a negligible amount.

P8.3-Pe272-Pc181 Consider a distributed variant of the attack we explore in Problem 8.1. Assume the attacker has compromised a number of broadband-connected residential PCs to use as zombie systems. Also assume each such system has an average uplink capacity of 128 kbps. What is the maximum number of 500-byte ICMP echo request (ping) packets a single zombie PC can send per second? How many such zombie systems would the attacker need to flood a target organization using a 0.5-Mbps link? A 2-Mbps link? Or a 10-Mbps link? Given reports of botnets composed of many thousands of zombie systems, what can you conclude about the ability to launch DDoS attacks on multiple such organizations simultaneously? Or on a major organization with multiple, much larger network links than we have considered in these problems?

Answer: In the distributed variant of the attack from Problem 8.1, a single zombie PC can send 128000 / (500 × 8) = 32 packets per second. About 4 such zombie systems are needed to flood a target organization using a 0.5 Megabit per second (Mbps) link, looking either at 500 kbps / 128 kbps, or 125 / 32 packets per second. For a 2 Mbps link about 16 are needed (500/32 pps); for a 10 Mbps link about 79 are needed (2500/32 pps). Given reports of botnets composed of many thousands of zombie systems, clearly multiple such simultaneous DDoS attacks are possible, as is an attack on a major organization with multiple, much larger network links (e.g. 1000 zombies with 128 kbps links can flood 128 Mbps of network link capacity).


P8.4-Pe272-Pc181 In order to implement a DNS amplification attack, the attacker must trigger the creation of a sufficiently large volume of DNS response packets from the intermediary to exceed the capacity of the link to the target organization. Consider an attack where the DNS response packets are 500 bytes in size (ignoring framing overhead). How many of these packets per second must the attacker trigger to flood a target organization using a 0.5-Mbps link? A 2-Mbps link? Or a 10-Mbps link? If the DNS request packet to the intermediary is 60 bytes in size, how much bandwidth does the attacker consume to send the necessary rate of DNS request packets for each of these three cases?

Answer: The answers for the DNS amplification attack are the same as in Problem 8.1. On a 0.5 Mbps link, 125 packets, each of 500 bytes, are needed per second. 500 pps are needed to flood a 2 Mbps link, and 2500 pps to flood a 10 Mbps link. Assuming a 60 byte DNS request packet, then 125 × 60 × 8 = 60 kbps is needed to trigger the flood on a 0.5 Mbps link, 240 kbps to flood the 2 Mbps link, and 1.2 Mbps to flood the 10 Mbps link. In all cases the amplification is 500 / 60 = 8.3 times.
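The arithmetic of Problems 8.1 to 8.4, collected into an added Python capacity-planning helper that is not part of the answer key: it generalises the three link sizes in the problems to any link rate, packet size, agent uplink, retry schedule and request/response size, so a defender can read off how little an attacker needs against a given link and how much headroom or filtering the link requires. The default values reproduce the problems' figures; the function names and the capacity_table helper are the example's own.

```python
import math


def flood_rate_pps(link_bps: float, packet_bytes: int) -> float:
    """Packets per second that fill a link: bits per second divided by bits
    per packet (framing overhead ignored, as in the problems)."""
    return link_bps / (packet_bytes * 8)


def zombies_needed(link_bps: float, packet_bytes: int, uplink_bps: float) -> int:
    """Agents, each limited to uplink_bps, whose combined packet rate reaches
    the flood rate for the target link (rounded up to whole agents)."""
    per_zombie_pps = flood_rate_pps(uplink_bps, packet_bytes)
    return math.ceil(flood_rate_pps(link_bps, packet_bytes) / per_zombie_pps)


def syn_table_refill_per_min(entries: int, retries: int, interval_s: float) -> int:
    """SYN requests per minute that keep a half-open table full: each entry is
    held for (initial send + retries) * interval, then purged."""
    hold_s = (retries + 1) * interval_s
    return math.ceil(entries / hold_s * 60)


def syn_refill_bandwidth_bps(requests_per_min: int, syn_bytes: int) -> float:
    return requests_per_min * syn_bytes * 8 / 60


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    return response_bytes / request_bytes


def trigger_bandwidth_bps(link_bps: float, response_bytes: int, request_bytes: int) -> float:
    """Bandwidth the requester spends to elicit enough responses to fill the
    target link: required response rate times bits per request."""
    return flood_rate_pps(link_bps, response_bytes) * request_bytes * 8


def capacity_table(link_rates_bps, packet_bytes=500, uplink_bps=128_000, request_bytes=60):
    """Rows of (link, pps to fill it, agents needed, requester bandwidth for a
    DNS-style reflection of packet_bytes responses) for a planning review."""
    return [(link,
             flood_rate_pps(link, packet_bytes),
             zombies_needed(link, packet_bytes, uplink_bps),
             trigger_bandwidth_bps(link, packet_bytes, request_bytes))
            for link in link_rates_bps]


if __name__ == "__main__":
    for link, pps, agents, trig in capacity_table([500_000, 2_000_000, 10_000_000]):
        print(f"{link / 1e6:5.1f} Mbps link: {pps:6.0f} pps, {agents:3d} agents at 128 kbps, "
              f"{trig / 1e3:7.1f} kbps of 60-byte requests to trigger")
    n = syn_table_refill_per_min(256, 5, 30)
    print(f"SYN table of 256 entries, 5 retries at 30 s: {n} SYN/min, "
          f"{syn_refill_bandwidth_bps(n, 40):.0f} bps to sustain")
```

The table makes the defender's conclusion concrete: the flood rate scales linearly with the link, the number of agents needed grows with it just as slowly, and for the half-open table the attacker's cost is a few hundred bits per second, which is why the table-size and retry parameters (R8.12) rather than bandwidth are the lever on the server side.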

R9.1-Pe299-Pc201 List three design goals for a firewall.

Answer: 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section.

2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this section.

3. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.

R9.3-Pe299-Pc201 What information is used by a typical packet filtering firewall?

Answer: Source IP address: The IP address of the system that originated the IP packet. Destination IP address: The IP address of the system the IP packet is trying to reach. Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET. IP protocol field: Defines the transport protocol. Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for.

R9.5-Pe299-Pc201 What is the difference between a packet filtering firewall and a stateful inspection firewall?

Answer: A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 9.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.

Answer (Chinese version, translated): A simple packet-filtering firewall allows all inbound TCP traffic to high-numbered ports. A stateful inspection firewall enforces the rules for TCP traffic by building a directory of outbound TCP connections, with one entry for each established connection. The packet filter then admits inbound traffic to high-numbered ports only for packets that match an entry in this directory.
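The fields listed in R9.3 and the behaviour contrasted in R9.5, as one added Python example that is not part of the answer key or the textbook: a first-match stateless filter over interface, protocol, addresses and ports, and a stateful variant that keeps the directory of outbound TCP connections. The rule set, addresses and packets are constructed. The point shown is that the stateless filter has to admit all inbound TCP to high-numbered ports to let replies through, while the stateful filter admits only replies to a recorded connection.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """The header fields a packet-filtering firewall examines (R9.3)."""
    iface: str    # router interface the packet arrived on
    proto: str    # IP protocol field: "tcp", "udp", "icmp"
    src: str
    sport: int
    dst: str
    dport: int


def _match(value, pattern) -> bool:
    """'*' matches anything; 'a.b.c.d/n' matches a prefix; '>n' matches ports above n."""
    if pattern == "*":
        return True
    if isinstance(pattern, str) and "/" in pattern:
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    if isinstance(pattern, str) and pattern.startswith(">"):
        return value > int(pattern[1:])
    return value == pattern


# Constructed rule set (hypothetical addresses): first match wins, default deny.
# The inside network is 192.168.1.0/24 and 192.168.1.10 is its mail server.
RULES = [
    {"action": "allow", "iface": "inside", "proto": "tcp", "src": "192.168.1.0/24"},
    {"action": "allow", "iface": "outside", "proto": "tcp", "dst": "192.168.1.10", "dport": 25},
    # A stateless filter must let replies to outbound connections back in, and
    # the only thing it can key on is the client's high-numbered port:
    {"action": "allow", "iface": "outside", "proto": "tcp", "dport": ">1023"},
]
FIELDS = ("iface", "proto", "src", "sport", "dst", "dport")


def stateless_decision(pkt: Packet) -> str:
    """Per-packet decision with no memory of earlier packets."""
    for rule in RULES:
        if all(_match(getattr(pkt, f), rule[f]) for f in FIELDS if f in rule):
            return rule["action"]
    return "deny"


class StatefulFilter:
    """Same rules plus a directory of outbound TCP connections: inbound
    traffic to high-numbered ports is admitted only if it answers an entry."""

    def __init__(self):
        self.connections = set()   # (src, sport, dst, dport) of outbound flows

    def decide(self, pkt: Packet) -> str:
        decision = stateless_decision(pkt)
        if pkt.proto != "tcp":
            return decision
        if pkt.iface == "inside" and decision == "allow":
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        if pkt.iface == "outside" and pkt.dport > 1023:
            reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return "allow" if reply_of in self.connections else "deny"
        return decision


def compare(packets):
    """Run both filters over a packet list; returns [(stateless, stateful), ...]."""
    sf = StatefulFilter()
    return [(stateless_decision(p), sf.decide(p)) for p in packets]


# Constructed traffic: an outbound web request and its reply, an unsolicited
# inbound connection to a high port, inbound SMTP to the mail server, inbound UDP.
SAMPLE = [
    Packet("inside", "tcp", "192.168.1.5", 40000, "203.0.113.9", 80),
    Packet("outside", "tcp", "203.0.113.9", 80, "192.168.1.5", 40000),
    Packet("outside", "tcp", "198.51.100.7", 4444, "192.168.1.5", 8080),
    Packet("outside", "tcp", "198.51.100.7", 5555, "192.168.1.10", 25),
    Packet("outside", "udp", "198.51.100.7", 53, "192.168.1.5", 33000),
]

if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE, compare(SAMPLE)):
        print(f"{pkt.iface:7} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}"
              f"  stateless={a} stateful={b}")
```

The third sample packet is the one that separates the two designs: the stateless rule set cannot tell a reply on port 8080 from a fresh inbound connection to a service listening there, so it admits both, whereas the stateful filter denies it because no inside host opened a connection to 198.51.100.7:4444.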

R9.6-Pe299-Pc201 What is an application-level gateway?

Answer: An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.

What is a circuit-level gateway?

Answer: A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.

R9.9-Pe299-Pc201 What are the common characteristics of a bastion host?

Answer: 1. The bastion host hardware platform executes a secure version of its operating system, making it a hardened system.

2. Only the services that the network administrator considers essential are installed on the bastion host. These could include proxy applications for DNS, FTP, HTTP, and SMTP.

3. The bastion host may require additional authentication before a user is allowed access to the proxy services. In addition, each proxy service may require its own authentication before granting user access.

4. Each proxy is configured to support only a subset of the standard application's command set.

5. Each proxy is configured to allow access only to specific host systems. This means that the limited command/feature set may be applied only to a subset of systems on the protected network.

6. Each proxy maintains detailed audit information by logging all traffic, each connection, and the duration of each connection. The audit log is an essential tool for discovering and terminating intruder attacks.

7. Each proxy module is a very small software package specifically designed for network security. Because of its relative simplicity, it is easier to check such modules for security flaws. For example, a typical UNIX mail application may contain over 20,000 lines of code, while a mail proxy may contain fewer than 1000.

8. Each proxy is independent of other proxies on the bastion host. If there is a problem with the operation of any proxy, or if a future vulnerability is discovered, it can be uninstalled without affecting the operation of the other proxy applications. Also, if the user population requires support for a new service, the network administrator can easily install the required proxy on the bastion host.

9. A proxy generally performs no disk access other than to read its initial configuration file. Hence, the portions of the file system containing executable code can be made read only. This makes it difficult for an intruder to install Trojan horse sniffers or other dangerous files on the bastion host.

10. Each proxy runs as a nonprivileged user in a private and secured directory on the bastion host.

R9.10-Pe299-Pc201 Why is it useful to have host-based firewalls?

Answer: 1. Filtering rules can be tailored to the host environment. Specific corporate security policies for servers can be implemented, with different filters for servers used for different applications.

2. Protection is provided independent of topology. Thus both internal and external attacks must pass through the firewall.

3. Used in conjunction with stand-alone firewalls, the host-based firewall provides an additional layer of protection. A new type of server can be added to the network, with its own firewall, without the necessity of altering the network firewall configuration.

R9.11-Pe299-Pc201 What is a DMZ network and what types of systems would you expect to find on such networks?

Answer: Between internal and external firewalls are one or more networked devices in a region referred to as a DMZ (demilitarized zone) network. Systems that are externally accessible but need some protections are usually located on DMZ networks. Typically, the systems in the DMZ require or foster external connectivity, such as a corporate Web site, an e-mail server, or a DNS (domain name system) server.

P9.11-Pe302-Pc203

R10.2-Pe346-Pc230 What are the three rules specified by the BLP model?

Answer: No read up: A subject can only read an object of less or equal security level. This is referred to in the literature as the simple security property (ss-property).

No write down: A subject can only write into an object of greater or equal security level. This is referred to in the literature as the *-property.

ds-property: An individual (or role) may grant to another individual (or role) access to a document based on the owner's discretion, constrained by the MAC rules. Thus, a subject can exercise only accesses for which it has the necessary authorization and which satisfy the MAC rules.

P10.1-Pe346-Pc231 The necessity of the "no read up" rule for a multilevel secure system is fairly obvious. What is the importance of the "no write down" rule?

Answer: The purpose of the "no write down" rule, or *-property, is to address the problem of Trojan horse software. With the *-property, information cannot be compromised through the use of a Trojan horse. Under this property, a program operating on behalf of one user cannot be used to pass information to any user having a lower or disjoint access class.
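The three BLP rules of R10.2 and the Trojan horse argument of P10.1, as an added Python example that is not part of the answer key or the textbook: a reference monitor applies the ss-property, then the *-property, then a discretionary access matrix, and is run over a constructed scenario in which a program acting for a SECRET-cleared user reads a SECRET file and tries to copy it into an UNCLASSIFIED file that another user can read. Subject and object names, labels and the ACL are constructed; the lattice uses levels plus compartments, with the usual dominance order.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class Label:
    """Security level plus compartments; dominates() is the lattice order."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        return self.level >= other.level and self.categories >= other.categories


# Constructed discretionary access matrix (ds-property): object -> subject -> modes.
# Note that alice *has* been granted write on public_notes by its owner.
ACL = {
    "secret_report": {"alice": {"read", "write"}},
    "public_notes":  {"alice": {"read", "write"}, "mallory": {"read"}},
    "ts_plan":       {"alice": {"read"}},
}
# Constructed object labels.
LABELS = {
    "secret_report": Label(Level.SECRET),
    "public_notes":  Label(Level.UNCLASSIFIED),
    "ts_plan":       Label(Level.TOP_SECRET),
}


def check_access(subject: str, clearance: Label, obj: str, mode: str):
    """Reference-monitor decision: the MAC rules and the DAC matrix must both
    agree. Returns (allowed, rule_that_decided)."""
    obj_label = LABELS[obj]
    if mode == "read" and not clearance.dominates(obj_label):
        return False, "ss-property (no read up)"
    if mode == "write" and not obj_label.dominates(clearance):
        return False, "*-property (no write down)"
    if mode not in ACL.get(obj, {}).get(subject, set()):
        return False, "ds-property (no discretionary permission)"
    return True, "allowed"


def trojan_horse_scenario():
    """P10.1: a program run by alice (cleared SECRET) reads the secret report
    and then tries to copy it into public_notes, which mallory can read. The
    DAC matrix alone would permit the copy; the *-property is what stops it."""
    alice = Label(Level.SECRET)
    return [
        ("alice reads secret_report",
         check_access("alice", alice, "secret_report", "read")),
        ("alice writes public_notes",
         check_access("alice", alice, "public_notes", "write")),
        ("mallory reads public_notes",
         check_access("mallory", Label(Level.UNCLASSIFIED), "public_notes", "read")),
    ]


if __name__ == "__main__":
    for step, (ok, why) in trojan_horse_scenario():
        print(f"{step:28} -> {'ALLOW' if ok else 'DENY '}  {why}")
```

The second step is the whole point of P10.1: the subject is authorised to write public_notes under the discretionary matrix, so only the mandatory *-property prevents a program it runs from leaking SECRET content to an UNCLASSIFIED reader. Writing upward (alice into ts_plan) passes the MAC rules and is then decided by the ds-property alone.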

Source: https://www.bwwdw.com/article/qmii.html
