Networks have been interconnected almost since networks existed, which is also what gave rise to Cisco. From the early router with no security functions to the appearance of the firewall, the contest between attacker and defender has been played out again and again at the network boundary. Over the years protection technology has seemed always to trail attack technology, patching as it goes. In fact, boundary protection technology has gradually matured through that contest:
1. Firewall technology
The earliest form of network isolation was isolation between network segments, because different segments communicate only through routers. To restrict, or conditionally permit, traffic between certain segments, access control technology and then the firewall appeared. When different networks are interconnected, the firewall is the first security gateway.
The firewall's security design comes from packet filtering and application proxy technology. It has interfaces on either side connecting different networks, and an access control list (ACL) in between; traffic can pass only after being filtered through the ACL. The ACL is a bit like the passport check at customs: it can tell which country you come from, but not whether you are a spy or a tourist, because the ACL works on layers 3 and 4 (addresses, protocols and ports) and cannot identify anything at the application layer. Later, NAT/PAT was added to the firewall. It hides the IP addresses of intranet devices, drawing a veil over the intranet so that from outside it becomes an "invisible" gray box, which makes intrusion harder. Trojan technology, however, lets a machine inside the intranet actively establish a connection to the outside, thereby "penetrating" the protection NAT provides; many P2P applications "break through" firewalls in the same way.
The firewall's function is to build the "gate" of the network and hold the only road into it, so the firewall has become an indispensable part of network boundary security design.
The firewall's weakness is that it cannot identify the application layer, so it has no way to deal with viruses and trojans hidden inside applications. Therefore, for the interconnection of networks at different security levels, the security a firewall provides is far from enough.
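To make the layer-3/4 limitation concrete, here is an added example (not from the original article) of a toy stateful packet filter with NAT/PAT in Python. The hosts, addresses, rules and packets are all constructed. The point it shows is that a trojan calling home on port 443 satisfies exactly the same ACL entry as an employee's HTTPS session, and the controller's reply comes back through the NAT table like any other established connection, while an unsolicited probe from outside is still stopped.

```python
# Added example, not from the original article: a toy layer-3/4 packet filter
# with NAT/PAT, showing what an ACL can and cannot tell apart.
# Addresses, rules and packets are constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes = b""  # the ACL never looks at this


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    direction: str        # "out" (inside -> outside) or "in"
    src_net: str
    dst_net: str
    proto: str
    dport: Optional[int]  # None = any destination port


@dataclass
class Firewall:
    rules: list
    public_ip: str = "203.0.113.1"                # the only address the outside sees
    sessions: dict = field(default_factory=dict)  # (proto, src, sport, dst, dport) -> public port
    next_port: int = 40000
    log: list = field(default_factory=list)

    def _acl(self, pkt, direction):
        """First matching rule wins; an unmatched packet hits the implicit deny."""
        for r in self.rules:
            if (r.direction == direction and r.proto == pkt.proto
                    and ip_address(pkt.src) in ip_network(r.src_net)
                    and ip_address(pkt.dst) in ip_network(r.dst_net)
                    and (r.dport is None or r.dport == pkt.dport)):
                return r.action
        return "deny"

    def outbound(self, pkt):
        """Inside -> outside: filter, then create a PAT mapping so replies can return."""
        verdict = self._acl(pkt, "out")
        if verdict == "allow":
            key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if key not in self.sessions:
                self.sessions[key] = self.next_port
                self.next_port += 1
        self.log.append(("out", pkt.src, pkt.dst, pkt.dport, verdict))
        return verdict

    def inbound(self, pkt):
        """Outside -> inside: a reply to a mapped session is allowed as 'established';
        anything else must pass the inbound ACL, which in the demo denies everything."""
        for (proto, isrc, isport, odst, odport), pub_port in self.sessions.items():
            if (pkt.proto == proto and pkt.dst == self.public_ip and pkt.dport == pub_port
                    and pkt.src == odst and pkt.sport == odport):
                self.log.append(("in", pkt.src, isrc, isport, "allow-established"))
                return "allow"
        verdict = self._acl(pkt, "in")
        self.log.append(("in", pkt.src, pkt.dst, pkt.dport, verdict))
        return verdict


def demo():
    fw = Firewall(rules=[
        Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "tcp", 443),
        Rule("allow", "out", "10.0.0.0/8", "0.0.0.0/0", "tcp", 80),
        Rule("deny", "in", "0.0.0.0/0", "0.0.0.0/0", "tcp", None),
    ])
    # Constructed traffic: an outside scan, an employee's HTTPS request, and a
    # trojan on the same workstation calling its controller on port 443.
    probe = Packet("198.51.100.7", fw.public_ip, "tcp", 51000, 445)
    browse = Packet("10.0.0.5", "93.184.216.34", "tcp", 52001, 443, b"\x16\x03\x01")
    beacon = Packet("10.0.0.5", "198.51.100.7", "tcp", 52002, 443, b"\x16\x03\x01")
    results = {
        "probe": fw.inbound(probe),
        "browse": fw.outbound(browse),
        "beacon": fw.outbound(beacon),
    }
    # The controller's reply rides the PAT entry that the beacon just created.
    pub = fw.sessions[("tcp", "10.0.0.5", 52002, "198.51.100.7", 443)]
    results["c2_reply"] = fw.inbound(Packet("198.51.100.7", fw.public_ip, "tcp", 443, pub))
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:9s} -> {verdict}")
```

Nothing in `Rule` or `_acl` touches `payload`, which is the whole point: `browse` and `beacon` differ only in where they go and what they carry, and a layer-3/4 device sees neither as suspicious.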
2. Multiple security gateway technology
Since a single firewall cannot solve protection at every layer, more security gateways appeared: IPS against application-layer intrusion, AV against viruses, anti-DDoS against flooding attacks, and so on. Then the UTM device was born: designed together into one box these functions are a UTM, split apart they are the various types of security gateway.
Multiple security inspection channels means setting up more checkpoints at the city gate and dividing the work among them: identity check, baggage check, drug check, spy check, and so on.
The security of multiple security gateways is clearly superior to that of a firewall alone; at the very least it can resist the common intrusions and viruses. However, these gateways mostly confirm an intrusion through signature matching. That is fast and adds no noticeable network delay, but it has inherent defects. First, attack signatures change quickly, at present within weeks at the longest, so the gateway must "upgrade its signature library" in time. Second, many hacker attacks use "normal" communication, scattered and roundabout, with no obvious signature, and a security gateway has limited ability against them. Finally, however many security gateways there are, they are only a handful of checkpoints; once an attacker "blends in" and passes through the gate, the gate is useless. This is why security experts "lack trust" in multiple security gateways.
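An added example (not from the original article) of the signature-matching limitation, in Python. The signatures, request lines and source addresses are constructed and deliberately simple. The block shows a known directory-traversal string and a SQL-injection tautology being caught at the checkpoint, while a secret leaked a few characters at a time inside ordinary-looking image fetches matches nothing, and only becomes visible when the requests are correlated per source over time, the kind of monitoring the data exchange network section below argues for.

```python
# Added example, not from the original article: a toy signature-based IPS.
# Signatures, request lines and addresses are constructed.
import base64
import re
from collections import defaultdict

SIGNATURES = {  # hypothetical, deliberately small signature library
    "dir-traversal": re.compile(r"\.\./(\.\./)*(etc|windows)", re.I),
    "sqli-tautology": re.compile(r"'\s*or\s+'?1'?\s*=\s*'?1", re.I),
    "webshell-cmd": re.compile(r"[?&](cmd|exec)=", re.I),
}


def inspect(request_line):
    """Checkpoint: return the first matching signature name, or None if clean."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request_line):
            return name
    return None


def exfil_requests(secret, chunk=6):
    """Attacker side: leak a secret as a series of ordinary-looking image fetches,
    a few base64 characters at a time in a 'session id' parameter."""
    enc = base64.urlsafe_b64encode(secret).decode().rstrip("=")
    return [f"GET /img/logo.png?sid={enc[i:i + chunk]} HTTP/1.1"
            for i in range(0, len(enc), chunk)]


def reassemble(lines):
    """What the attacker does with the captured parameters."""
    enc = "".join(re.search(r"sid=([A-Za-z0-9_-]+)", ln).group(1) for ln in lines)
    return base64.urlsafe_b64decode(enc + "=" * (-len(enc) % 4))


SECRET = b"db_password=S3cr3t"
TRAFFIC = [  # constructed traffic: two noisy attacks from one host, a quiet leak from another
    ("10.0.0.5", "GET /index.html HTTP/1.1"),
    ("10.0.0.9", "GET /dl.php?file=../../../etc/passwd HTTP/1.1"),
    ("10.0.0.9", "GET /login?user=admin' OR '1'='1 HTTP/1.1"),
] + [("10.0.0.5", ln) for ln in exfil_requests(SECRET)]


def run_signatures(traffic):
    """Alerts raised by the checkpoint, as (source, signature) pairs."""
    alerts = []
    for src, ln in traffic:
        hit = inspect(ln)
        if hit:
            alerts.append((src, hit))
    return alerts


def correlate(traffic, threshold=3):
    """Behavioral view over time: sources that fetch one static resource with
    many different 'sid' values. Crude, but it sees what the signatures cannot."""
    sids = defaultdict(set)
    for src, ln in traffic:
        m = re.search(r"GET /img/logo\.png\?sid=([A-Za-z0-9_-]+)", ln)
        if m:
            sids[src].add(m.group(1))
    return {src: len(v) for src, v in sids.items() if len(v) >= threshold}


if __name__ == "__main__":
    print("signature alerts:", run_signatures(TRAFFIC))
    print("leaked secret   :", reassemble(exfil_requests(SECRET)))
    print("correlation     :", correlate(TRAFFIC))
```

The host at 10.0.0.9 trips two alerts and is easy to block; the host at 10.0.0.5 never trips one, yet its requests reassemble to the full secret. Only the per-source count in `correlate` notices it, and a real monitor would need the session history and an analyst to decide whether four distinct `sid` values is a cache-busting browser or an exfiltration channel.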
3. Network gap technology
The security idea of the network gap (the physical isolation and data exchange device) comes from "never connected to both sides at the same time". If the two networks are never connected simultaneously, business data is "ferried" across through an intermediate buffer, and the services interoperate all the same. In principle, with the link "broken", the possibility of intrusion is much smaller.
The gap simply ferries data, much like the manual "USB-stick ferry" method. Its security depends on whether it ferries "pure data" or "gray data": when what it carries is plain, fully visible content, there is nowhere for an intrusion or a virus to hide ("in clear water there are no fish") and the network is relatively safe. In the city-gate picture, only one kind of person, say the food delivery man, may pass, so the chance of a spy blending in is greatly reduced. However, as the boundary between interconnected networks, the gap must support the connection of all kinds of services, that is, it must speak certain communication protocols. Most gaps therefore open protocol proxy services, like special passages cut through the city wall, and the gap's security is weakened accordingly. As far as inspecting those passages goes, the gap is no better than multiple security gateways.
The gap's approach is to block everything first and then open a few small doors as the city needs; the firewall's approach is to open the gate first and then turn away unwanted people one by one. The two approaches are opposites. Their intrusion-identification technology is similar, so using multiple security gateways alongside the gap to strengthen application-layer identification and protection is a good supplement.
Later, storage channel and one-way channel technologies appeared in gap designs, but neither can guarantee that the data stays "pure". Because there has been no new breakthrough in detection technology, the security of the gap has been questioned by experts.
But the gap has given us two insights:
1. Create a buffer zone for business interoperability. Since the connection may be unsafe, opening a separate area and confining the insecurity to it is a good idea.
2. Protocol proxying. The firewall in fact also has an application proxy, and the idea is the same: do not let outsiders into the city; whatever service you want, I will have my own people provide it. The ultimate goal of network access is the business application; if I complete it for you, hasn't your goal been achieved? The hacker stays outside the door of the network, and if he never gets in, the threat is much smaller.
4. Data exchange network technology
From the firewall to the gap, checkpoints are used and the "inspection" technology differs, but none of it works very well against the latest attack techniques of hackers, and there is no means of monitoring. Only people are the best opponents for "human" attacks.
Data exchange network technology is built on the idea of buffer isolation: a "data trading market" is set up at the city gate, forming an isolated zone with a buffer on each side. At the same time, the Clark-Wilson model of data integrity protection from banking systems is introduced to prevent leakage of intranet data and to guarantee data integrity, that is, unauthorized people cannot modify data, authorized users are kept from making mistakes, and internal and external data remain consistent.
Data exchange network technology offers a new idea for boundary protection. Realizing the data exchange through a network is also a strategy of "trading space for security": establish a buffer zone between the two networks and control the "transactions" inside it.
Compared with other boundary security technologies, data exchange network technology has obvious advantages:
1. It integrates multiple security gateways and the gap, adopting multi-level security "checkpoints".
2. With the buffer space, security monitoring and auditing can be added, and experts can be brought in to deal with hacker intrusions. The boundary is under watch, and no clue or disturbance escapes the monitors' eyes.
3. Business proxies guarantee data integrity. They also keep outside visitors in the network's communication area, with all their needs served by service staff, just as visitors may only negotiate business in a fixed reception area and cannot enter the internal office area.
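To show what the buffer-isolation and Clark-Wilson ideas amount to in code, here is an added example (not from the original article, and not any vendor's product) of a toy exchange buffer in Python. External submissions land in the buffer as unconstrained data items (UDIs); only a certified transformation procedure run by an authorized user can validate one and create a constrained data item (CDI) on the internal side; every run is written to an append-only log; and an integrity verification procedure checks that the internal copy still matches what was submitted. The record format, user names and limits are hypothetical. The whitelist validation inside the transformation procedure is also the "pure data" check of the network gap section above, which is why one example serves both passages.

```python
# Added example, not from the original article: a toy Clark-Wilson style
# data exchange buffer between an external and an internal network.
# Record format, user names and limits are hypothetical.
import hashlib
import json
import re
from dataclasses import dataclass, field

ACCOUNT = re.compile(r"^[0-9]{8,12}$")  # hypothetical account-number format


class IntegrityError(Exception):
    """Raised when a UDI fails validation and therefore may not become a CDI."""


@dataclass
class ExchangeBuffer:
    allowed: set                                        # certified (user, TP-name) pairs
    external_store: dict = field(default_factory=dict)  # UDIs, keyed by record id
    internal_store: dict = field(default_factory=dict)  # CDIs, keyed by record id
    audit: list = field(default_factory=list)           # append-only log of TP runs

    def submit(self, rec_id, udi):
        """External side drops raw bytes into the buffer; nothing crosses yet."""
        self.external_store[rec_id] = udi

    def tp_import(self, user, rec_id):
        """Transformation procedure: only a certified user may run it, and it
        only produces a CDI from a UDI that passes the whitelist validation."""
        if (user, "tp_import") not in self.allowed:
            self.audit.append(("deny", user, "tp_import", rec_id))
            raise PermissionError(f"{user} is not certified for tp_import")
        udi = self.external_store[rec_id]
        try:
            cdi = self._validate(udi)
        except IntegrityError as e:
            self.audit.append(("reject", user, "tp_import", rec_id, str(e)))
            raise
        cdi["sha256"] = hashlib.sha256(udi).hexdigest()  # bind the CDI to what was submitted
        self.internal_store[rec_id] = cdi
        self.audit.append(("ok", user, "tp_import", rec_id))
        return cdi

    @staticmethod
    def _validate(udi):
        """'Pure data' check: a UTF-8 JSON object with exactly the expected
        fields and value ranges. Anything else is rejected, not sanitized."""
        try:
            obj = json.loads(udi.decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            raise IntegrityError("not a UTF-8 JSON record")
        if not isinstance(obj, dict) or set(obj) != {"account", "amount"}:
            raise IntegrityError("unexpected fields")
        if not ACCOUNT.match(str(obj["account"])):
            raise IntegrityError("bad account number")
        amount = obj["amount"]
        if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= 1_000_000:
            raise IntegrityError("bad amount")
        return {"account": obj["account"], "amount": amount}

    def ivp(self):
        """Integrity verification procedure: list CDIs whose external copy no
        longer matches the hash recorded at import (tampering or loss)."""
        return [rid for rid, cdi in self.internal_store.items()
                if hashlib.sha256(self.external_store.get(rid, b"")).hexdigest() != cdi["sha256"]]


def demo():
    xb = ExchangeBuffer(allowed={("clerk", "tp_import")})
    # Constructed submissions: one clean record, one with a smuggled extra field,
    # one opaque binary blob (the "gray data" a protocol proxy would carry).
    xb.submit("r1", b'{"account": "12345678", "amount": 250}')
    xb.submit("r2", b'{"account": "12345678", "amount": 250, "note": "<script>x()</script>"}')
    xb.submit("r3", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR")
    out = {"r1": xb.tp_import("clerk", "r1")["amount"]}
    for rid in ("r2", "r3"):
        try:
            xb.tp_import("clerk", rid)
            out[rid] = "imported"
        except IntegrityError as e:
            out[rid] = f"rejected: {e}"
    try:
        xb.tp_import("visitor", "r1")
        out["visitor"] = "imported"
    except PermissionError:
        out["visitor"] = "denied"
    # Someone rewrites the external copy after import: the IVP flags the record.
    xb.external_store["r1"] = b'{"account": "12345678", "amount": 999999}'
    out["ivp"] = xb.ivp()
    out["audit_entries"] = len(xb.audit)
    return out


if __name__ == "__main__":
    print(demo())
```

The external side never holds a reference to `internal_store`: the only way across is `tp_import`, which is the "business proxy" of the third advantage above. The audit list is what the monitoring and auditing of the second advantage would consume, and the rejection of r2 and r3 is the difference between ferrying "pure data" and "gray data".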
Data exchange network technology is aimed at interconnection with large data volumes, and is generally suited to the following situations:
1. Frequent business interoperability requirements:
There is a large volume of business data to exchange, or there are real-time requirements, so manual methods are certainly not enough and the protection of the gap method is also clearly insufficient. Examples are the banks' UnionPay system, the customs declaration system, the social security management system, the public security entry and exit management system, a large enterprise's intranet (running ERP) connected to the Internet, and the public library system. The distinctive feature of these systems is that the importance of their data centers is self-evident, yet they are closely tied to the public and to enterprises, and the business requires Internet access. Under the combined requirements of security and business adaptability, such business interconnection needs complete security technical support, and the data exchange network is the appropriate choice.
2. External interconnection of high-security networks:
High-security networks generally involve state secrets, and the primary consideration is that information must not leak: unauthorized personnel absolutely must not get in. Yet because of the need for public information, or for supervising public networks and information, such a network must still be interconnected with an unsafe network. For a business such as supervision, the traffic volume is also large and the real-time requirement high. Such network interconnection should choose data exchange network technology.
Summary
"The demon grows a foot, the Way grows ten; then the demon grows ten more." The network boundary is the battlefield of a long-running contest between the two. Yet even as security technology keeps being patched, it is gradually moving toward the idea of "active defense and multi-dimensional protection", and boundary protection technology is gradually maturing. Data exchange network technology is no longer just a protective gateway but a boundary security network, a comprehensive protection concept. Perhaps the topic of security is eternal, but the future network boundary is bound to become more and more secure, because the advantage of a network lies in its connectivity.