What is a secure network? Can an Internet be made secure? Although the concept of a secure network is appealing to most users, networks cannot be classified simply as secure or not secure because the term is not absolute—each group defines the level of access that is permitted or denied. For example, some organizations store data that is valuable. Such organizations define a secure network to be a system that prevents outsiders from accessing the organization's computers. Other organizations need to make information available to outsiders, but prohibit outsiders from changing the data. Such organizations may define a secure network as one that allows arbitrary access to data, but includes mechanisms that prevent unauthorized changes. Finally, many large organizations need a complex definition of security that allows access to selected data or services the organization chooses to make public, while preventing access to or modification of sensitive data and services that are kept private.
Because no absolute definition of information security exists, the first step an organization must take to achieve a secure system is to define the organization's security policy. The policy does not specify how to achieve protection. Instead, it states clearly and unambiguously the items that are to be protected.
Defining an information security policy is complex. The primary complexity arises because an information security policy cannot be separated from the security policy for the computer systems attached to the network. In particular, defining a policy for data that traverses a network does not guarantee that the data will be secure. Securing the network alone cannot prevent unauthorized users who have accounts on the computer from obtaining a copy of the data. The policy must therefore hold for data stored on disk, data communicated over a telephone line with a dialup modem, information printed on paper, data transported on portable media such as a floppy disk, and data communicated over a computer network.
Defining a security policy is also complicated because each organization must decide which aspects of protection are most important, and often must compromise between security and ease of use. For example, an organization can consider:
Data Integrity
Data Availability
Data Confidentiality and Privacy
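As an added illustration (not part of the original text), the three organizations' definitions above written as explicit, deny-by-default policies that state what is protected from whom without saying how; the Rule and SecurityPolicy classes, the item names and the "insider"/"outsider" principals are invented for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    item: str           # the data set or service this rule covers
    action: str         # "read" or "modify"
    allowed: frozenset  # principals permitted to perform the action

@dataclass
class SecurityPolicy:
    rules: list = field(default_factory=list)

    def permits(self, principal, action, item, channel="network"):
        # Deny by default: anything the policy does not explicitly allow is
        # protected. The decision ignores `channel` (disk, modem, paper,
        # floppy, network) because the policy covers the data wherever it is;
        # how each channel enforces the decision is a separate question.
        return any(
            r.item == item and r.action == action and principal in r.allowed
            for r in self.rules
        )

INSIDER = frozenset({"insider"})
EVERYONE = frozenset({"insider", "outsider"})

# Organization A: outsiders get no access at all (confidentiality of everything).
org_a = SecurityPolicy([Rule("records", "read", INSIDER),
                        Rule("records", "modify", INSIDER)])

# Organization B: anyone may read, only insiders may change (integrity).
org_b = SecurityPolicy([Rule("catalog", "read", EVERYONE),
                        Rule("catalog", "modify", INSIDER)])

# Organization C: a public catalog beside a private payroll service.
org_c = SecurityPolicy([Rule("catalog", "read", EVERYONE),
                        Rule("catalog", "modify", INSIDER),
                        Rule("payroll", "read", INSIDER),
                        Rule("payroll", "modify", INSIDER)])

def check_requests(policy, requests):
    """Evaluate (principal, action, item) requests; returns one bool per request."""
    return [policy.permits(*req) for req in requests]

if __name__ == "__main__":
    print(check_requests(org_c, [("outsider", "read", "catalog"),
                                 ("outsider", "read", "payroll"),
                                 ("insider", "modify", "payroll")]))
```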