Strategies for protecting data
Monday, 03 October 2005
An integrated approach is a necessary condition for reliable protection of the corporate network

Building and maintaining a secure system requires a systematic approach. Under this approach, one must first identify the entire spectrum of possible threats to the specific network and, for each of these threats, think through the tactics for countering it. In this fight it is possible, and necessary, to employ the most diverse means and methods: organizational and legislative, administrative and psychological, and the protective capabilities of the network's software and hardware.

Legislative means of protection are laws, government decisions and presidential decrees, regulatory documents and standards that set the rules for using and processing restricted-access information and establish liability for violating those rules.

Administrative measures are actions of a general nature taken by the management of an enterprise or organization. Management must define an information security policy, which includes answers to the following questions:

* what information must be protected, and from whom;

* who needs what information to perform their duties;

* what degree of protection each kind of information requires;

* what the loss of each kind of information would threaten;

* how to organize the work of protecting information.

Organizational (or procedural) security measures are the specific rules governing the work of the enterprise's employees, for example a strictly defined procedure for handling classified information on a computer.

Moral and ethical means of protection include all the norms that have formed as computing has spread in a given country (for example, the code of professional conduct of the members of the computer users' association of the USA).

Physical means of protection include shielding rooms against emissions, checking that supplied equipment conforms to its specifications and contains no hardware listening devices ("bugs"), and so on.

Information security can also be provided by technical means:

* access control systems, which include means of authentication and authorization of users;

* audit tools;

* information encryption systems;

* digital signature systems, used to authenticate documents;

* means of proving the integrity of documents (using, for example, a hash (digest) function);

* antivirus protection systems;

* firewalls.

All the above means of providing security can be implemented both as products specially developed for this purpose (for example, firewalls) and as built-in functions of operating systems, system applications, computers and network communication devices.

Security problems are aggravated by remote access. Protective screens: firewalls and proxy servers

Providing data security with remote access is, if not problem number one, then at least problem number two, after the problem of guaranteeing acceptable throughput for users. But with active use of the Internet as a transport, it becomes problem number one.

Global links are an inherent property of remote-access systems. By their nature, global links stretched over many tens and thousands of kilometers make it impossible to prevent malicious access to the data transmitted over them. No guarantee can be given that at some point in space inaccessible to control, someone will not connect to the transmission medium, using for example a protocol analyzer, to capture and subsequently decode the data packets. This danger is equally inherent in all wide-area communication channels, and it does not depend on whether one's own or leased channels are used, or the services of inexpensive wide-area networks such as the Internet.

However, using public networks (in essence, the Internet) aggravates the situation even further, at least because in such a network an attacker has at his disposal far more diverse and convenient means of reaching corporate data than going out into an open field with a protocol analyzer. Moreover, the enormous number of users increases the probability of attempts at unauthorized access.

A secure system is one which, first, reliably stores information and is always ready to provide it to its users, and second, protects this data from unauthorized access.

A firewall is, as a rule, a general-purpose computer with special software installed on it, placed between the protected (internal) network and the external networks, the potential sources of danger. The firewall inspects all traffic between the internal and external networks, passing data in accordance with pre-established rules. These rules are the formalized expression of the security policy adopted by the enterprise.

Firewalls are based on two basic methods of protection:

* packet filtering;

* proxy services.

These two functions can be used separately or in combination.

Packet filtering. Using routers as firewalls

Filtering is performed at the transport level: all packets or frames passing through the firewall are analyzed, and those that carry specified ("disallowed") values in particular fields are rejected.

Passage into the internal network of network-layer packets or link-layer frames can be blocked by address (MAC address, IP address, IPX address) or by TCP port number, which corresponds to an application. For example, so that telnet traffic cannot cross the boundary of the internal network, the firewall must filter out all packets whose TCP header specifies a destination port of 23 (this number is reserved for the telnet service). FTP traffic is harder to track, since it works with a wide range of possible port numbers, which requires more complex filtering rules.

Of course, ordinary routers can be used for packet filtering, and indeed 80% of packet filters on the Internet work on the basis of routers. However, routers cannot provide the degree of data protection that firewalls guarantee.

The key advantages of filtering by a firewall compared to filtering by a router are the following:

* a firewall has much more developed logical capabilities; therefore, unlike a router, it can easily detect, for example, IP address spoofing;

* a firewall has greater capabilities for auditing all security-related events.
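The filtering described above, as an added example that is not part of the original article: a small stateless packet filter in Python that applies an ordered rule list to constructed packet headers. It implements the article's telnet rule (TCP destination port 23 is dropped) and goes one step further with the anti-spoofing check a firewall can make and a router typically does not: a packet arriving on the external interface with a source address from the internal range is rejected. The interface names, the internal address plan 10.0.0.0/8 and the sample packets are assumptions made for the example; the comment on FTP shows why a stateless filter needs more rules for that protocol.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header fields a stateless filter inspects (constructed, not captured traffic)."""
    iface: str      # interface the packet arrived on: "ext" (Internet side) or "int" (protected side)
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dst_port: int   # destination port


@dataclass(frozen=True)
class Rule:
    """One filter rule; a field left as None matches anything."""
    action: str                    # "permit" or "deny"
    iface: Optional[str] = None
    proto: Optional[str] = None
    src_net: Optional[str] = None  # CIDR the source address must fall into
    dst_port: Optional[int] = None
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.iface is not None and self.iface != pkt.iface:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        if self.src_net is not None:
            if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
                return False
        return True


INTERNAL_NET = "10.0.0.0/8"  # assumed address plan of the protected network

# Rules are evaluated in order; the first match decides.
RULES: List[Rule] = [
    # Anti-spoofing: a packet from the outside claiming an internal source address is never legitimate.
    Rule("deny", iface="ext", src_net=INTERNAL_NET, note="spoofed internal source"),
    # The article's example: no telnet across the boundary in either direction.
    Rule("deny", proto="tcp", dst_port=23, note="telnet blocked"),
    # Services deliberately reachable from outside.
    Rule("permit", iface="ext", proto="tcp", dst_port=80, note="http"),
    Rule("permit", iface="ext", proto="tcp", dst_port=25, note="smtp"),
    # Anything the inside initiates may go out.
    Rule("permit", iface="int", note="outbound allowed"),
    # Default deny: an inbound FTP data connection to a high port lands here, which is why
    # FTP needs more complex (or stateful) rules than a single port number.
    Rule("deny", note="default deny"),
]


def decide(pkt: Packet, rules: List[Rule] = RULES) -> Tuple[str, str]:
    """Return (action, note) of the first matching rule; deny if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.note
    return "deny", "no rule matched"


if __name__ == "__main__":
    samples = [
        Packet("ext", "tcp", "203.0.113.5", "10.0.0.7", 23),     # telnet from outside
        Packet("ext", "tcp", "10.0.0.9", "10.0.0.7", 80),        # spoofed internal source
        Packet("ext", "tcp", "203.0.113.5", "10.0.0.7", 80),     # web request
        Packet("ext", "tcp", "203.0.113.5", "10.0.0.7", 50123),  # unsolicited high port
        Packet("int", "tcp", "10.0.0.7", "203.0.113.5", 443),    # outbound https
    ]
    for p in samples:
        print(p.iface, p.src, "->", p.dst, p.dst_port, decide(p))
```

The rule order matters: the spoofing and telnet denies sit above every permit, so a permit for port 80 never lets a spoofed packet through.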

Proxy services

Proxy services do not allow direct passage of traffic between the internal and external networks. To reach a remote service, the client (a user of the internal network) establishes a logical connection with the proxy service running on the firewall. The proxy service establishes a separate connection with the "real" service running on a server in the external network, obtains the response from it, and forwards it to its destination, the client in the protected network.

A separate program, a proxy service, is needed for each service. Usually a firewall includes proxy services for FTP, HTTP and telnet. Many firewalls have tools for creating proxies for other services. Some proxy implementations require special software on the client. Example: SOCKS, a widely used toolkit for building proxies.

Proxy services do more than forward requests to services: for example, the HTTP proxy developed at CERN can cache data on the firewall, so that users of the internal network can obtain data with a much shorter access time.

The event logs kept by proxy services can help prevent intrusions on the basis of records of repeated unsuccessful attempts. One more important property of proxy services, which has a positive effect on system security, is that if the firewall fails, the original service protected by the proxy remains inaccessible.
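As an added example of the audit use just described (not code from the original article or from any proxy product): a Python script that reads proxy log records and raises an alert for any source address that accumulates a threshold of failed attempts within a time window. The log line format and the sample records are constructed for the example; a real proxy's log format will differ, so only the regular expression would need adapting. Malformed lines are skipped rather than allowed to break the scan.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Optional

# Constructed sample log in a hypothetical proxy log format (an assumption for this example).
SAMPLE_LOG = """\
2005-10-03T09:12:01 proxy=telnet src=203.0.113.5 user=admin result=FAIL
2005-10-03T09:12:09 proxy=telnet src=203.0.113.5 user=admin result=FAIL
2005-10-03T09:12:15 proxy=ftp src=198.51.100.7 user=anonymous result=OK
2005-10-03T09:12:40 proxy=telnet src=203.0.113.5 user=root result=FAIL
2005-10-03T09:13:02 proxy=http src=198.51.100.7 user=- result=OK
2005-10-03T09:25:30 proxy=telnet src=203.0.113.5 user=admin result=FAIL
2005-10-03T09:30:00 proxy=ftp src=198.51.100.9 user=ftp result=FAIL
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proxy=(?P<proxy>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one record; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.fromisoformat(rec["ts"])
    except ValueError:
        return None
    return rec


def find_repeated_failures(log_text: str, threshold: int = 3,
                           window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """Return, per source address, the first window in which `threshold` failures occurred."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure timestamps in window
    alerts: Dict[str, dict] = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAIL":
            continue
        src = rec["src"]
        q = recent[src]
        q.append(rec["ts"])
        # Slide the window: drop failures older than `window` relative to this record.
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = {"count": len(q), "first": q[0], "last": q[-1], "proxy": rec["proxy"]}
    return alerts


if __name__ == "__main__":
    for src, info in find_repeated_failures(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['count']} failed {info['proxy']} attempts "
              f"between {info['first'].isoformat()} and {info['last'].isoformat()}")
```

With the sample data only 203.0.113.5 trips the alert: three telnet failures inside five minutes. The single FTP failure from 198.51.100.9 stays below the threshold, and the later failure at 09:25:30 falls outside the first window.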

Network address translation is a newer form of proxy service. Address translators substitute the "external" IP addresses of their network's servers for the "internal" ones. With this approach, the topology of the internal network is hidden from external users: the entire network can appear to them as a single IP address. This opacity of the network complicates the task of unauthorized access. In addition, address translation gives one more advantage: it makes it possible to use an internal addressing scheme inside the network that is not coordinated with the Internet, which removes the problem of IP address scarcity.
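The translation described above, as an added example that is neither the article's code nor any product's implementation: a port-based address translator in Python that lets several internal hosts share one external address. Outbound packets get the external address and a mapped port; inbound packets are rewritten back only when a matching mapping exists, so unsolicited inbound traffic is dropped and the internal address plan never appears outside. The external address 203.0.113.1, the port range and the sample packets are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Addressing fields of a packet (constructed for the example)."""
    src: str
    src_port: int
    dst: str
    dst_port: int


class AddressTranslator:
    """Many-to-one NAT: internal (ip, port) pairs are mapped onto ports of one external address."""

    def __init__(self, external_ip: str, first_port: int = 40000, last_port: int = 60000):
        self.external_ip = external_ip
        self.next_port = first_port
        self.last_port = last_port
        self.out_table: Dict[Tuple[str, int], int] = {}  # (internal ip, port) -> external port
        self.in_table: Dict[int, Tuple[str, int]] = {}   # external port -> (internal ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite a packet leaving the internal network; allocate a mapping on first use."""
        key = (pkt.src, pkt.src_port)
        if key not in self.out_table:
            if self.next_port > self.last_port:
                raise RuntimeError("translation table exhausted")
            port = self.next_port
            self.next_port += 1
            self.out_table[key] = port
            self.in_table[port] = key
        return Packet(self.external_ip, self.out_table[key], pkt.dst, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply for the internal host; return None (drop) if no mapping exists."""
        if pkt.dst != self.external_ip:
            return None
        mapping = self.in_table.get(pkt.dst_port)
        if mapping is None:
            return None  # nobody inside opened this mapping: unsolicited traffic is dropped
        internal_ip, internal_port = mapping
        return Packet(pkt.src, pkt.src_port, internal_ip, internal_port)


if __name__ == "__main__":
    nat = AddressTranslator("203.0.113.1")
    # Two internal hosts using the same local port both leave as 203.0.113.1, on different ports.
    a = nat.outbound(Packet("10.0.0.7", 51000, "198.51.100.20", 80))
    b = nat.outbound(Packet("10.0.0.8", 51000, "198.51.100.20", 80))
    print("outbound:", a, b)
    print("reply to a:", nat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", a.src_port)))
    print("unsolicited:", nat.inbound(Packet("198.51.100.20", 80, "203.0.113.1", 12345)))
```

The table lookup in `inbound` is what gives the article's "opacity": an external party sees only 203.0.113.1 and can reach an internal host only through a mapping that host created.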

Proxy services are considerably more reliable than filters; however, they reduce the throughput of data exchange between the internal and external networks, and they do not have the degree of transparency for applications and end users that is characteristic of filters.

Using certificates to authenticate mass users when conducting business over the Internet and other public networks

Providing security when working on the Internet became a particularly key problem under the conditions of mass interest in building private virtual networks using the transport facilities of the Internet, and in using Internet methods for storing, presenting and retrieving information in enterprise local networks. All this can be briefly called an intranet. The specific character of the Internet also affects the security means used. Let us pause at some of them.

When organizing access to some Internet resources, the need to introduce certain restrictions arises increasingly often. This means that among the many Internet users, the owner of a resource must define rules for determining who is permitted access, and give them a method by which they can prove that they belong to the legitimate users. Consequently, an authentication procedure suitable for use on the Internet is needed.

Authentication using certificates is an alternative to the use of passwords and seems the natural solution when the number of network users is measured in millions, as it is on the Internet. Under such conditions the procedure of preliminary user registration, with the assignment and storage of their passwords, becomes extremely burdensome, dangerous, and sometimes simply unrealizable. With certificates, the network that grants a user access to its resources stores no information about its users; they identify themselves in their requests by means of certificates that certify the user's identity. Certificates are issued by specially authorized organizations, the certification authorities. Thus the task of storing secret information (private keys) now falls on the users themselves, which makes this solution much more scalable than the password-based version.



 
© 2004-2007 Daita.org