System architecture design notes (90): system security design

To design a secure system, it is not enough to understand the commonly used protection methods and technical measures mentioned above; one also needs a full understanding of the security problems that can arise in the system and the hazards already present in it, so that design and hardening can be targeted at them. In the words of the proverb, "know the enemy and know yourself, and you will win every battle."

1 Physical security issues and design

Physical security covers the safety and reliability of the physical equipment itself, the security of the location and environment in which it is installed, restrictions on physical access, and geographical factors. All important physical equipment and facilities of an information system should be placed in dedicated areas and concentrated as far as possible, with visits by outsiders strictly restricted and unauthorized access minimized.

Physical security also calls for redundancy of physical equipment at design time: core devices or components should run as hot standby pairs with real-time or near-real-time failover. Physical access to network information points, cabling and other network infrastructure, and to the locations where they are installed, must be strictly restricted, with special authorization required before access is granted.

Environmental factors are part of physical security as well. From the start of the design there must be explicit requirements for temperature, humidity, dust, vibration, lightning, power supply and similar parameters of the information system; natural disasters (earthquakes, typhoons, lightning and so on) must be given sufficient consideration; and requirements for electromagnetic leakage must be clearly defined. These factors must be fully considered in the system design and appropriate protective or hardening measures taken. For example, in important locations such as the computer room, a dedicated lightning protection system can be installed in addition to the building's own. Then even if the building is struck by lightning and its lightning protection proves inadequate for the expensive information system, the dedicated system installed for the computer room can still protect the equipment from damage.

2 Firewall and its application in system security

The hidden dangers of network security arise mainly from the openness, borderlessness and freedom of the network. To protect network security, therefore, the first consideration is to separate the protected network from the open, borderless and free public network and turn it into a managed, controllable and secure internal network. Only then does communication security for the information network become achievable. At present the most basic means of network separation is the firewall, which is also one of the major measures used to achieve network security.

A firewall can reject unauthorized network connections and prevent the leakage of sensitive data while letting the legitimate traffic of legitimate users pass unimpeded. It provides isolation and control between an internal trusted network (such as a corporate network) and an external untrusted network (such as the Internet), or between different internal subnets, so as to preserve the availability of network systems and network services.

2.1 Basic principles of firewall

Firewalls usually control network connections by one of several methods: packet filtering, stateful inspection, and application gateways.

A packet-filtering firewall is a simple and effective security control. According to rules predefined in the firewall (which source addresses, destination addresses and port numbers are allowed or prohibited for network connections), it inspects packets at the network and transport layers and controls which packets enter and leave. The advantages of packet filtering are transparency to users and high throughput. However, because it operates only at the network and transport layers, its security controls are limited to source address, destination address and port number; it cannot see application-layer information, so it can only perform relatively coarse control. Against higher-level attack methods such as flooding (congestion) attacks, memory-overwrite attacks or viruses it is powerless.

A stateful inspection firewall keeps the advantages of packet filtering, so it also performs well and is transparent to applications, while improving on packet filtering's main shortcoming: a packet filter examines only the individual packets entering and leaving the network and ignores the state of the connection they belong to. Stateful inspection establishes a connection state table inside the firewall, maintains connections, and treats the traffic entering and leaving the network as events to be processed. For each new network connection, it allows the connection through if it conforms to the preset security rules and records the connection's details in memory, generating a state-table entry. Subsequent packets of that connection are passed as long as they match the state table.

The advantage of this method is that the rule set does not have to be evaluated for every packet: the subsequent packets of a connection (usually the great majority) are resolved directly by a hash lookup in the state table, so performance improves greatly.
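The following simulation, added here as an illustration and not code from the original article, contrasts the two approaches on the same traffic. The addresses, ports, rule sets and packets are constructed. A stateless filter that must admit replies to outbound HTTPS has to hold a standing rule opening the whole ephemeral port range from outside; the stateful filter consults its rules only for connection-opening packets and answers everything else from a hash lookup on the 5-tuple, so unsolicited packets are dropped even though they would fit the stateless rule set.

```python
"""Stateless packet filtering vs. stateful inspection, simulated in Python.

Added example (not code from the original article). Addresses, ports and
packets below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # TCP SYN set: this packet opens a new connection
    proto: str = "tcp"


INTERNAL = "10.0.0."       # constructed internal prefix
ANY = ""                   # empty prefix matches every address


# Rule tuple: (src_prefix, dst_prefix, (dport_lo, dport_hi) or None, action)
def _matches(rule, p):
    src, dst, ports, _ = rule
    return (p.src.startswith(src) and p.dst.startswith(dst)
            and (ports is None or ports[0] <= p.dport <= ports[1]))


class StatelessFilter:
    """Judges every packet on its headers alone (network + transport layer).
    To admit replies to outbound connections it needs a standing rule that
    opens the whole ephemeral port range from the outside."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, p):
        for rule in self.rules:
            if _matches(rule, p):
                return rule[3]
        return "deny"      # default-deny


class StatefulFilter:
    """Consults the rule set only for connection-opening packets; every later
    packet is resolved by a hash lookup in the connection table."""

    def __init__(self, rules):
        self.rules = rules
        self.table = set()  # established connections, keyed by 5-tuple

    def decide(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        if fwd in self.table or rev in self.table:
            return "allow"  # belongs to a connection already accepted
        if p.proto == "tcp" and not p.syn:
            return "deny"   # mid-stream packet with no matching state
        for rule in self.rules:
            if _matches(rule, p):
                if rule[3] == "allow":
                    self.table.add(fwd)
                return rule[3]
        return "deny"


# Stateless rule set: outbound HTTPS, plus a hole for returning traffic.
STATELESS_RULES = [
    (INTERNAL, ANY, (443, 443), "allow"),
    (ANY, INTERNAL, (1024, 65535), "allow"),   # the "reply" hole
]
# Stateful rule set: outbound HTTPS only; replies come back via the table.
STATEFUL_RULES = [
    (INTERNAL, ANY, (443, 443), "allow"),
]

# Constructed traffic: one legitimate session and two unsolicited packets.
TRAFFIC = [
    ("client SYN to web server", Packet("10.0.0.5", 51000, "203.0.113.10", 443, syn=True)),
    ("server reply to client", Packet("203.0.113.10", 443, "10.0.0.5", 51000)),
    ("unsolicited ACK to client", Packet("198.51.100.7", 4444, "10.0.0.5", 51000)),
    ("unsolicited SYN to port 8080", Packet("198.51.100.7", 4444, "10.0.0.5", 8080, syn=True)),
]


def compare(traffic=TRAFFIC):
    """Return {label: (stateless_decision, stateful_decision)}."""
    sl, sf = StatelessFilter(STATELESS_RULES), StatefulFilter(STATEFUL_RULES)
    return {label: (sl.decide(p), sf.decide(p)) for label, p in traffic}


if __name__ == "__main__":
    for label, (a, b) in compare().items():
        print(f"{label:30} stateless={a:5} stateful={b}")
```

The last two packets are the point: both are admitted by the stateless rule set because they land inside the ephemeral-port hole, while the stateful filter rejects them because no entry in its table claims them and neither opens a permitted connection.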

Unlike the two preceding methods, which ignore application-layer content, an application gateway firewall examines the application-layer content of every packet and feeds what it finds into the decision process, thereby improving network security. However, an application gateway achieves this by breaking the client/server model: each client/server communication requires two connections, one from the client to the firewall and another from the firewall to the server.

In addition, each gateway needs a different application-specific process or background service program. For every new application a service program for that application must be added, otherwise the service cannot be used. An application gateway firewall is therefore more troublesome to use and less general.
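The decision step of such a gateway, as an added example that is not code from the original article: an HTTP proxy parses the request it received on the client-side connection and applies policy to method, Host header and request target before it would open its own second connection to the server. The hosts, allowed methods and sample requests are constructed. To a packet filter all four requests below look identical (TCP to port 80); only application-layer parsing separates them.

```python
"""Application-gateway (proxy) decision on an HTTP request.

Added example, not code from the original article. A real gateway accepts the
client's connection, parses the request, applies policy, and only then opens
its own second connection to the server; this block shows the parse-and-decide
step that a packet filter cannot perform. The hosts and policy are constructed.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}
ALLOWED_HOSTS = {"www.example", "intranet.example"}   # constructed policy
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")              # "/../" path segments


def parse_request(raw: bytes) -> dict:
    """Parse an HTTP/1.x request head into method, target and headers."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers, "body": body}


def gateway_decision(raw: bytes) -> tuple:
    """Return ("allow" | "deny", reason) after inspecting application content."""
    try:
        req = parse_request(raw)
    except ValueError as exc:
        return ("deny", str(exc))          # unparsable input never reaches the server
    if req["method"] not in ALLOWED_METHODS:
        return ("deny", f"method {req['method']} not permitted")
    host = req["headers"].get("host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return ("deny", f"host {host!r} not permitted")
    if TRAVERSAL.search(req["target"]):
        return ("deny", "path traversal in request target")
    return ("allow", f"{req['method']} {req['target']} -> {host}")


# Constructed requests; a packet filter sees only "TCP to port 80" for all four.
REQUESTS = {
    "normal page": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "forbidden method": b"DELETE /admin HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "traversal": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www.example\r\n\r\n",
    "wrong host": b"GET / HTTP/1.1\r\nHost: evil.example\r\n\r\n",
}


def decide_all(requests=REQUESTS) -> dict:
    """Map each sample request name to the gateway's allow/deny verdict."""
    return {name: gateway_decision(raw)[0] for name, raw in requests.items()}


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name:17} -> {gateway_decision(raw)}")
```

Note what the per-application cost mentioned above looks like in practice: every line of `parse_request` is specific to HTTP, and a gateway for another protocol needs its own parser and its own policy checks.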

2.2 Advantages of firewall

Using a firewall in the system has many advantages for the security of the system:

(1) Networks can be isolated to limit the spread of security problems. A firewall can isolate different networks from each other, or isolate one segment within a network, so that problems in that segment or network are kept from spreading to others.

(2) A firewall allows centralized management of network security, reducing the complexity of security administration. Once the filtering policy is configured on the firewall, the firewall becomes a network security checkpoint: all traffic entering and leaving the network must pass through it, so illegal access is stopped at the door. Security is thus managed centrally and uniformly, and the complexity of security management is reduced.

(3) It can effectively record network activity. Because all traffic entering and leaving the internal network must pass through the firewall, the firewall can collect the events that occur between the internal and external networks or between different network segments, providing a basis for the administrator's further analysis and security management.

2.3 Correct use of firewall

Although firewall technology has matured steadily and become an important means of maintaining network security, it cannot solve every security problem on the network; in practice there remain things a firewall cannot do. In practical work, the following points should generally be kept in mind:

(1) Although a firewall can strictly restrict illegal connections from external networks, it cannot prevent attacks originating within the local network.

In fact, a large share of attacks come not from outside but from inside. So even where a firewall is deployed, other effective measures must be taken for the hosts, application systems and databases inside the local network before it can be considered truly secure.

(2) Even against attacks from outside, no current firewall can completely block every illegal intrusion.

As new technologies emerge and attackers study systems ever more deeply, new application requirements keep appearing and the firewall itself faces growing threats. Pay close attention to these developments and trends, and keep upgrading the firewall and revising its configuration so that the firewall itself stays robust and can provide long-term protection.

(3) A firewall cannot prevent viruses and data-borne attacks.

Although firewall filtering keeps improving, there are too many kinds of viruses and their concealment methods are too varied, with many hidden inside data files, so it is unrealistic to expect a firewall to block every file that carries a virus. Instead, a dedicated anti-virus gateway should be installed in the system, or anti-virus, anti-spyware and similar tools installed on the hosts, to better guard against this kind of risk.

(4) A firewall cannot guard against all threats, only against the threats it knows about.

Therefore, an intrusion detection system should also be used as needed.

(5) A firewall cannot control traffic that does not pass through it.

A firewall can effectively filter the traffic that passes through it, but it has no control over traffic that bypasses it. For example, if dial-up access to the internal systems behind the firewall is permitted, the firewall has no way to control that path.

3 Intrusion detection system

Traditionally the firewall has been the boundary line of defense for system security. But as attackers' knowledge grows and attack tools and methods become more complex and varied, a firewall alone can no longer meet the needs of highly security-sensitive organizations; network defense must adopt layered and diverse means.

At the same time, today's network environments are growing more complex, all sorts of equipment need upgrading and patching, and system administrators' workload keeps increasing, so that a moment's negligence can create a major security risk. Information systems therefore contain many security weaknesses, vulnerabilities and insecure configurations that attackers can exploit, mainly in operating systems, network services, TCP/IP protocols, applications (such as databases and browsers) and network equipment. It is precisely these weaknesses, vulnerabilities and insecure settings that give attackers their opening.

In addition, because most networks lack early-warning and protection mechanisms, even when an attacker has penetrated the internal network, compromised a key host and begun illegal operations, system administrators find it hard to notice, and the attacker has ample time to do as they please. To prevent attacks and intrusions it is necessary not only to find the security weaknesses, vulnerabilities and insecure configurations in the network and then fix the weaknesses and vulnerabilities and correct the insecure configurations, so as to minimize exposure to attack and intrusion, but also to monitor network activity in real time so that once an attack or illegal operation is detected, a timely response can follow, including logging, alerting and even blocking the illegal connection.

In this environment, intrusion detection technology has attracted growing attention and has begun to play a key role in many settings. An intrusion detection system can raise an alarm when abnormal operations occur in the system, so that problems are caught before they do harm. Deploying a hardware firewall improves the network's ability to withstand and block common attacks; deploying an intrusion detection system makes it possible to monitor and respond to attacks that get past the firewall and to illegal operations from within the network.

Intrusion detection technology collects information at several key points in a computer network or system and analyzes it to find out whether there are violations of security policy or signs of attack in the network or system. Unlike other security products, an intrusion detection system needs more intelligence: it analyzes the collected data against its knowledge base and takes corresponding measures. As an extremely useful complement to firewalls, an intrusion detection system (IDS) helps people discover attacks on the system quickly, extends the security management capabilities of system administrators (including security auditing, monitoring, attack identification and response), and improves the security of the information system.

The intrusion detection system is regarded as the second security gate behind the firewall. It can monitor the network without affecting network performance, providing real-time protection against internal attacks, external attacks and misoperation. As a proactive protection tool, an intrusion detection system can alert, intercept and respond before computer networks and systems are compromised. Its main functions include: detecting and recording security violations in the system, deterring attacks on the information system and preventing intrusion events; detecting attacks or security violations that other security measures failed to prevent; detecting an attacker's reconnaissance before the attack and warning the administrator in advance; reporting the security threats present in the information system; and providing information about attacks that helps the administrator diagnose security weaknesses in the system and fix them. Deploying an intrusion detection system in a large and complex computer system can significantly improve the quality of information security management.

3.1 Intrusion detection technology

The processing of an intrusion detection system is divided into four stages: data collection, data processing and filtering, intrusion analysis and detection, and reporting and response. The data collection stage mainly gathers the communication packets supplied by the engine on the target system and data on how the system is being used.

The data processing and filtering stage converts the collected data into a form from which the occurrence of an intrusion can be recognized. The analysis and detection stage judges whether an intrusion has occurred by analyzing the data supplied by the previous stage; this is the core stage of the whole intrusion detection system. The reporting and response stage acts on the judgment made in the previous stage: if an intrusion is judged to have occurred, the system takes the corresponding response measures or notifies the administrators so that they can act. Within the working process of an intrusion detection system, analyzing the various events in the information system and detecting violations of security policy is its core function.

Detection techniques fall into two categories: signature-based intrusion detection and anomaly-based intrusion detection.

Signature-based detection first defines the characteristics of events that violate security policy, such as particular header fields in network packets. It then analyzes the collected data and judges whether an intrusion has occurred by whether those characteristics appear in it. This method closely resembles the signature detection of anti-virus software and is relatively simple and effective.

Anomaly-based detection first defines a set of values describing the "normal" state of the system, such as CPU utilization, network traffic patterns and file checksums (these can be defined manually or obtained by observing the system and applying statistical methods), and then compares the running system's values against the defined "normal" state to find signs of attack. The core of this method is how to define what is "normal". The methods and conclusions of the two detection techniques sometimes differ greatly. Signature-based detection centers on maintaining a knowledge base: for known attacks it can report the attack type in detail and accurately, but it has limited effect against unknown attacks and the knowledge base must be constantly updated. Anomaly-based detection cannot identify the attack method precisely, but it can recognize a broader range of attacks, including ones never seen before. Where conditions permit, combining the two detection techniques gives better results.
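The four-stage pipeline and the two detection techniques, combined in one added example (not code from the original article). The web-server access log lines, the two signatures, and the counts from the "quiet window" that feed the statistical baseline are all constructed. Stage 2 decodes URL escapes and drops lines that do not parse; stage 3 runs a signature match over each event and a per-source request-rate check against mean + 3 standard deviations of the baseline; stage 4 maps each finding to a response. The scanner in the sample matches no signature and is caught only by the anomaly rule, while the injection attempts match a signature and are reported with their exact type.

```python
"""Minimal intrusion-detection pipeline: collect, normalise/filter, detect, respond.

Added example, not code from the original article. The log lines, the
signatures and the observation window used for the baseline are constructed;
a real system reads sensors or logs continuously and tunes its baseline over a
much longer quiet period.
"""
import re
import statistics
from collections import Counter
from urllib.parse import unquote

# Stage 1: collected data (constructed web-access log lines, Common Log Format)
SCANNER = "203.0.113.50"
LOG_LINES = [
    '10.0.0.8 - - [10/Oct/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.9 - - [10/Oct/2024:10:00:02 +0000] "GET /login HTTP/1.1" 200 512',
    '198.51.100.7 - - [10/Oct/2024:10:00:03 +0000] "GET /../../etc/passwd HTTP/1.1" 404 0',
    '10.0.0.8 - - [10/Oct/2024:10:00:04 +0000] "GET /products?id=1 HTTP/1.1" 200 2048',
    '198.51.100.7 - - [10/Oct/2024:10:00:05 +0000] '
    '"GET /products?id=1%20UNION%20SELECT%20password%20FROM%20users HTTP/1.1" 500 0',
    "this line is not a log record",
] + [
    f'{SCANNER} - - [10/Oct/2024:10:00:{6 + i:02d} +0000] "GET /page{i} HTTP/1.1" 404 0'
    for i in range(40)
]

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)$')


# Stage 2: turn raw lines into normalised events, dropping what cannot be parsed
def normalise(lines):
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # filtering: unparsable input is discarded
        src, when, method, target, _, status, _ = m.groups()
        events.append({"src": src, "time": when, "method": method,
                       "target": unquote(target),   # decode %20 etc. before matching
                       "status": int(status)})
    return events


# Stage 3a: signature-based detection (knowledge base of known-bad patterns)
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-injection", re.compile(r"\bunion\s+select\b", re.IGNORECASE)),
]


def detect_signatures(events):
    return [(name, e["src"], e["target"])
            for e in events for name, pat in SIGNATURES if pat.search(e["target"])]


# Stage 3b: anomaly-based detection (requests per source vs. a statistical baseline)
QUIET_WINDOW_COUNTS = [3, 5, 4, 6, 2, 4]  # constructed per-source counts from a quiet window
K_SIGMA = 3


def rate_threshold(counts=QUIET_WINDOW_COUNTS, k=K_SIGMA):
    """'Normal' defined statistically: mean plus k sample standard deviations."""
    return statistics.mean(counts) + k * statistics.stdev(counts)


def detect_anomalies(events, threshold=None):
    limit = rate_threshold() if threshold is None else threshold
    per_src = Counter(e["src"] for e in events)
    return [("rate-anomaly", src, f"{n} requests in window (limit {limit:.1f})")
            for src, n in sorted(per_src.items()) if n > limit]


# Stage 4: response policy (what to do with each kind of finding)
POLICY = {"path-traversal": "block", "sql-injection": "block", "rate-anomaly": "alert"}


def respond(alerts):
    return [(POLICY[name], name, src, detail) for name, src, detail in alerts]


def run_pipeline(lines=LOG_LINES):
    events = normalise(lines)
    alerts = detect_signatures(events) + detect_anomalies(events)
    return respond(alerts)


if __name__ == "__main__":
    for action, name, src, detail in run_pipeline():
        print(f"{action:5} {name:15} {src:15} {detail}")
```

The two techniques show their characteristic strengths on this input: the signature hits carry a precise attack type, whereas the rate anomaly says only that the source behaves abnormally, and a scanner that sent fewer than nine requests would pass both checks.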

3.2 Types and selection of intrusion detection systems

Generally speaking, intrusion detection systems can be divided into host type and network type.

Host-based intrusion detection systems often use system logs, application logs and the like as data sources, though other methods (such as monitoring system calls) can also be used to collect information from the host for analysis. A host-based system generally protects the host on which it resides. It requires different programs for different platforms, adds load to the system and must be installed on every host, which is more troublesome; but it can take full advantage of the functions the operating system itself provides and, combined with anomaly analysis, report violations more accurately.
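One host-side data source that the anomaly approach above relies on is the file checksum baseline. As an added example (not code from the original article), the script below takes a SHA-256 snapshot of a monitored directory tree, then compares a later snapshot against it and classifies every difference. The files, their contents and the simulated tampering are constructed in a temporary directory so the script runs offline; a real deployment would store the baseline off-host or on read-only media so that an intruder who gains root cannot rewrite it along with the files.

```python
"""Host-based baseline check: file-integrity comparison against a stored
checksum baseline (one of the "normal" values named in the article).

Added example, not from the original article. The directory and files are
constructed in a temporary folder so the script runs offline.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its SHA-256."""
    baseline = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            baseline[path.relative_to(root).as_posix()] = digest
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Classify differences; any of these on a monitored path is a finding."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo() -> dict:
    """Build a constructed tree, baseline it, tamper with it, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF-original")
        baseline = snapshot(root)

        # Simulated tampering after the baseline was taken (constructed)
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "ls").write_bytes(b"\x7fELF-trojaned")
        (root / "etc" / "rc.local").write_text("/tmp/.x &\n")
        (root / "etc" / "passwd").unlink()

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9} {paths}")
```

This is the per-host cost the paragraph describes: the checker has to run on every machine and read every monitored file, but in return it sees changes that no network sensor can, such as a config file edited over an encrypted session.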

Network-based intrusion detection systems use packets on the network as their data source, analyzing and judging by monitoring all packets on a network segment from a host or network device. A network-based system is generally responsible for protecting the whole network segment. Deployment is very simple: only one or a few such systems need to be installed on a segment to monitor the entire segment. But it does not span multiple physical segments, and in networks with complex structures (such as switched environments) the monitoring effect is somewhat reduced.

Host-based intrusion detection systems and network-based intrusion detection systems have their own advantages and disadvantages, which can be selected according to actual needs in the application.


Origin blog.csdn.net/deniro_li/article/details/108900824