Detailed Explanation of Common Security Equipment

Definition of firewall

A firewall is a combination of software and hardware devices that forms a protective barrier between an internal network and an external network, or between a private network and a public network. It provides network security protection by monitoring, restricting and changing the data flow that crosses it, and by shielding the network's information, structure and operating status from the outside as much as possible.

Classification of firewalls

Firewalls are mainly divided into the most primitive packet filtering firewalls, proxy firewalls, and stateful firewalls.

A network layer (packet filtering) firewall generally checks each IP packet against its rules in order, based on the packet's source address, destination address, application, protocol and port, until the information in the packet matches a rule. If no rule matches, the firewall applies the default rule; in general, the default rule is to discard the packet. In addition, by defining port numbers for TCP or UDP packets, the firewall can determine whether to allow a specific type of connection, such as Telnet or FTP.

Disadvantages: Its disadvantages are obvious. Everything it does rests on the implementation of its filtering rules, but it cannot meet the requirement of establishing fine-grained rules (the number of rules is inversely proportional to the performance of the firewall), and it only works at the network layer and the transport layer, so it cannot judge whether the data of a higher-layer protocol is harmful. Because it is cheap and easy to implement, it still serves in many fields and works for us under the frequent adjustments of technicians.

Proxy firewall: When external data enters the client side of the proxy firewall, the "application protocol analysis" module processes the data according to the application layer protocol and queries the preset processing rules (yes, rules again; a firewall cannot do without rules) to determine whether the data is harmful. Since at this layer it no longer faces only a limited combination of message protocols, it can even identify data content such as "GET /sql.asp?id=1 and 1". So the firewall is not limited to judging data from the information provided by the lower layers; it can "see" the content and identify hazards much as an administrator does when analyzing server logs.

Disadvantages: It slows down access because it does not allow users to access the network directly; an application-level gateway also needs corresponding proxy server software installed for each specific Internet service, which causes compatibility problems.

Stateful firewall: "Stateful Inspection" technology further develops "Session Filtering" while retaining the analysis of each packet's header, protocol, address, port, type and other information. When each connection is established, the firewall constructs a session state for it, containing all the information of the connection's packets, and subsequent traffic of that connection is judged against this state information. The cleverness of this inspection is that it can monitor the content of every packet: once a session state has been established, subsequent data transmission must conform to it.

For example, if the source port of a packet in a connection is 8000, the firewall checks during the subsequent transmission whether the source port of each packet is still 8000; otherwise the packet is intercepted. The session state is retained only for a limited time: if no further data is transmitted within the timeout, the session state is discarded. Stateful inspection can analyze packet content, which overcomes the weakness of traditional firewalls that only inspect a few header fields, and this kind of firewall does not need to open many ports, which further eliminates the hidden security dangers caused by too many open ports.

Disadvantages: The configuration is very complicated and it reduces the speed of the network.
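As an added illustration of the two mechanisms described above (the packet filter's ordered rules with a discard-by-default rule, and the stateful firewall's session table with the source-port check and timeout), here is a small Python simulation. It is example code written for this page, not code from any firewall product; the Packet and Rule types, the default 30-second timeout and the sample addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
# Constructed example, not the code of any real firewall product: a toy
# packet filter (first matching rule wins, default deny) and a stateful
# inspection layer that tracks sessions and expires them on timeout.

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # True for a TCP connection request
    time: float = 0.0     # arrival time in seconds, drives the timeout

@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: Optional[str] = None      # None matches any value
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        pairs = ((self.src, p.src), (self.dst, p.dst),
                 (self.proto, p.proto), (self.dport, p.dport))
        return all(want is None or want == have for want, have in pairs)

def packet_filter(rules, p: Packet) -> str:
    """Packet filtering: rules are checked in order; if none matches,
    the default rule discards the packet."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

class StatefulFirewall:
    """A session is created only when a connection request is allowed by
    the rules; later packets must match the recorded 5-tuple (so a changed
    source port is intercepted) and idle sessions are dropped on timeout."""
    def __init__(self, rules, timeout=30.0):
        self.rules = rules
        self.timeout = timeout
        self.sessions = {}  # (src, dst, proto, sport, dport) -> last seen

    def inspect(self, p: Packet) -> str:
        # Discard session state that has been idle longer than the timeout.
        self.sessions = {k: t for k, t in self.sessions.items()
                         if p.time - t <= self.timeout}
        if p.syn:
            verdict = packet_filter(self.rules, p)
            if verdict == "allow":
                self.sessions[(p.src, p.dst, p.proto, p.sport, p.dport)] = p.time
            return verdict
        # Non-SYN packets are allowed only if they belong to a known
        # session, in either direction (replies swap addresses and ports).
        forward = (p.src, p.dst, p.proto, p.sport, p.dport)
        reverse = (p.dst, p.src, p.proto, p.dport, p.sport)
        for key in (forward, reverse):
            if key in self.sessions:
                self.sessions[key] = p.time
                return "allow"
        return "deny"
```

With a single rule allowing TCP port 80 to the server, the connection from source port 8000 is admitted, its reply is admitted, a packet from source port 8001 is intercepted, and a packet arriving after 30 idle seconds is discarded because its session state has expired.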

Next Generation Firewall (NGFW)

An NGFW is mainly a high-performance firewall that comprehensively handles application layer threats. It provides features such as intelligent active defense, application layer data leakage prevention, application layer insight and control, and threat protection. The next-generation firewall integrates a traditional firewall, IPS, application identification, content filtering and other functions in one device, which not only reduces the purchase cost of the overall network security system and the deployment cost of connecting multiple devices to the network, but also reduces the administrators' maintenance and management costs through technologies such as application identification and user management.

How to deploy the firewall

The firewall is usually deployed at the external or regional exit of the network, where it securely isolates internal and external traffic.


Firewall Limitations

1. It cannot prevent internal attacks and provides no internal protection.

2. It provides no virus protection.

3. It cannot dynamically adjust its own policy according to malicious use of and attacks on the network. Its own attack defense capability is insufficient, and it easily becomes the primary target of attack.

IDS (Intrusion Detection System)

Definition of IDS

An IDS monitors the network for violations of security policies or intrusions. An intrusion detection system consists of three necessary functional components: an information source, an analysis engine and a response component.

Classification of IDS

IDS are mainly divided into host-based intrusion detection systems (HIDS) and network-based intrusion detection systems (NIDS).

HIDS is usually software-based and installed directly on the host to be protected. Its detection targets are mainly the host system and the system's local users. The detection principle is to find suspicious events in the host's audit data and system logs.

A NIDS requires a dedicated detection device. The device is placed on an important network segment, where it constantly monitors all the packets on that segment instead of only a single host. It analyzes the characteristics of each packet, or of each suspicious packet, on the monitored network; if a packet matches one of the rules built into the product, the intrusion detection system issues an alarm or even cuts off the network connection directly.

IDS deployment location

As the second line of defense behind the firewall, an IDS is suitable for deployment in bypass (out-of-band) mode at the network exit of networks with important business systems or high internal security and confidentiality requirements. Deployed on the bypass, it monitors, analyzes and traces the traffic mirrored to it by the switch.


Limitations of IDS

An intrusion detection system is a network security device that monitors network transmissions in real time and sends an alarm or takes proactive measures when suspicious transmissions are found. Most IDS systems are passive; that is, they often fail to provide advance warning of an attack before it actually occurs. They are prone to false alarms and lack active defense functions.

IPS (Intrusion Prevention System)

Definition of IPS

On the basis of IDS, an intrusion prevention system can immediately interrupt, adjust or isolate abnormal or harmful network data transmission behaviors.

The intrusion prevention system (IPS) detects and defends against malicious behaviors that are clearly judged to be attacks and would cause harm to the network and data, and reduces or eliminates the processing resources users would otherwise spend on abnormal conditions. It is a security product focused on risk control.

IPS function

1. Intrusion prevention: Real-time, active interception of malicious traffic such as hacker attacks, worms, network viruses, backdoor Trojans, DoS, etc., to protect enterprise information systems and network architecture from infringement and to prevent operating systems and applications from being damaged or taken down.

2. Web security: Based on the detection results for Trojans on Internet web sites, combined with URL reputation evaluation technology, it protects users when they visit websites carrying malicious code such as Trojans, and intercepts web threats in a timely and effective manner.

3. Traffic control: Block all unauthorized user traffic, manage the use of legitimate network resources, effectively ensure that key applications are unimpeded around the clock, and continuously improve enterprise IT output and profitability by protecting key application bandwidth.

4. Internet supervision: Comprehensive monitoring and management of network behaviors such as IM instant messaging, P2P downloads, online games, online video and online stock trading, assisting enterprises to identify and limit unauthorized network traffic and better implement enterprise security policies.

Classification of IPS

1. Signature-based IPS adds signatures to the device to identify the most common current attacks. It is also known as pattern-matching IPS. The signature library can be extended, adjusted and updated to deal with new attacks.

2. Anomaly-based IPS: anomaly-based methods can use statistical anomaly detection or non-statistical anomaly detection.

3. Policy-based IPS, which is more concerned with whether the organization's security policies are being enforced. It triggers alerts if detected activity violates the organization's security policies. An IPS using this method needs the security policy written into the device.

4. Protocol-analysis-based IPS, which is similar to the signature-based method. In most cases common signatures are checked, but methods based on protocol analysis can perform deeper packet inspection and are more flexible at finding certain types of attacks.

Shortcomings of IPS

It cannot actively learn attack methods. For attacks that cannot be identified in the pattern library, the default policy is to allow access.

IPS deployment location

It is deployed in-line (in series) at the exit of networks with important business systems or high internal security and confidentiality requirements.


UTM Unified Threat Management

UTM, as proposed by IDC, refers to a special-purpose device composed of hardware, software and network technology. It mainly provides one or more security functions and integrates multiple security features into a single hardware device, forming a unified management platform. Because of the high performance requirements, the cost is generally relatively high, and currently only large enterprises use it.

The advantages of UTM mainly include the following:
1. Cost reduction brought about by integration (multi-tasking!)
2. Reduced intensity of information security work (reducing the burden on administrators)
3. Reduced technical complexity

UTM cannot solve all security problems once and for all. To sum up, it has the following disadvantages:

1. Limitations of gateway defense: gateway defense is very effective in preventing external threats, but it plays no role against internal threats. A lot of data show that most of the threats that cause loss of organizational information assets come from within the organization, so UTM equipment that focuses on gateway defense is not yet a panacea for security problems.
2. Risks from over-integration
3. Performance and stability

Antivirus Wall (Antivirus Gateway)

The antivirus wall is also a kind of network device; its functions are mainly virus scanning and removal, keyword filtering and spam blocking. At the same time, some devices also have certain firewall functions (such as dividing VLANs).

Working principle

Monitoring of the data passing in and out of the anti-virus gateway is mainly based on signature (feature code) matching; scanning and removal of detected virus data is done by reassembling the packets into files for virus processing. The methods are:
1. Method based on a proxy server
2. Method based on firewall protocol reassembly
3. Method based on a mail server

Difference from Firewall

1. Anti-virus gateway: Focuses on virus filtering and blocking virus transmission; works at ISO layers 2-7; analyzes the content of the data carried in the packets and uses virus analysis technology to process the virus body; includes a firewall access control module.

2. Firewall: Focuses on access control and controls illegal or unauthorized access; works at ISO layers 2-4; analyzes the source IP and destination IP in packets and compares them against rules to control the direction of access; has no virus filtering function.

Differences from antivirus software

1. Anti-virus gateway: Filters viruses at the network level and blocks the transmission of virus bodies over the network; the gateway blocks virus transmission and actively defends against viruses from outside the network; the gateway device is configured with a virus filtering policy, which is convenient and guards the choke point; it filters data entering and leaving the gateway; it can be linked with anti-virus software to build a multi-level anti-virus system.

2. Anti-virus software: Removes viruses at the operating system level, i.e. viruses that have already entered the operating system; because viruses abuse core system technologies, removal is difficult, so active defense technology is researched; active defense technology is highly specialized and difficult to popularize; anti-virus software terminals must be managed and installed; the Internet-based development of viruses requires the cooperation of gateway-level anti-virus technology.

Deployment method of antivirus wall

1. Transparent mode: connected in series at the network exit; easy to deploy.

2. Bypass proxy mode: The client's traffic is forced through the anti-virus gateway. The anti-virus gateway only needs to process the protocols to be inspected and does not forward other protocols, which improves device performance.

3. Bypass mode: The topology is the same as in bypass proxy mode, but the difference is that bypass mode can only be used for detection; detected viruses cannot be cleaned.

WAF (Web Application Firewall)

A web application firewall is a device that protects web applications by implementing a series of HTTP/HTTPS security policies.

Working principle of WAF
WAF works at the application layer, so it has inherent technical advantages for web application protection. Based on a deep understanding of the web application's business and logic, the WAF detects and verifies the content of the various requests from web application clients to ensure their security and legitimacy, and blocks illegal requests in real time, thus effectively protecting all kinds of websites.

Main functions of WAF
1. Audit device: used to intercept all HTTP data or only sessions that meet certain rules;
2. Access control device: used to control access to web applications, including both an active security mode and a passive security mode;
3. Architecture/network design tool: when running in reverse proxy mode, used for distributing functions, centralized control, virtual infrastructure, etc.;
4. Web application hardening tool: these functions enhance the security of the protected web application. They can not only shield the inherent weaknesses of the web application but also mitigate the security risks caused by web application programming errors. They mainly include anti-attack, anti-vulnerability, anti-hidden-link, anti-crawler, anti-Trojan, anti-DDoS, etc.
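To make concrete what the proxy firewall and the WAF gain from working at the application layer (the ability to "see" content such as the "GET /sql.asp?id=1 and 1" example from the proxy firewall section, which a packet filter matching only addresses and ports cannot), here is an added Python example of that inspection step. It is written for this page, not taken from any product; the three preset rules, the RULES and inspect_request names, and the decision to block request lines that cannot be parsed are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed example, not the code of any real product: the application-
# layer inspection step a proxy firewall or WAF performs on an HTTP request
# line. Each preset rule is a name plus a pattern applied to the decoded
# value of every query parameter.
RULES = [
    ("sql-boolean-logic", re.compile(r"^\s*\d+\s+(and|or)\s+", re.I)),
    ("sql-union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("html-script-tag", re.compile(r"<\s*script\b", re.I)),
]

def parse_request_line(raw: str):
    """Split 'METHOD SP request-target SP HTTP-version' into its parts.
    Anything else (e.g. a target containing literal spaces) is malformed."""
    parts = raw.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line")
    return parts[0], parts[1], parts[2]

def decoded_params(target: str):
    """Return (name, value) pairs of the query string with percent-encoding
    and '+' decoded once, so 'id=1%20and%201' is inspected as 'id=1 and 1'."""
    return parse_qsl(urlsplit(target).query, keep_blank_values=True)

def inspect_request(raw: str):
    """Return ('block', rule, param) for the first rule hit, or ('allow',
    None, None) if no rule matches. A request the inspector cannot parse is
    blocked rather than passed through unexamined."""
    try:
        _method, target, _version = parse_request_line(raw)
    except ValueError:
        return ("block", "malformed-request", None)
    for name, value in decoded_params(target):
        for rule_name, pattern in RULES:
            if pattern.search(value):
                return ("block", rule_name, name)
    return ("allow", None, None)
```

Note that a real client sends the page's example with the spaces percent-encoded ("id=1%20and%201"), so the decoding step is what lets the rule see the same "1 and 1" that an administrator would see in the server log.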

WAF deployment location

Similar to IPS devices, it can be deployed in series at the network egress of key devices such as web servers.

There are four deployment modes: transparent proxy mode, reverse proxy mode, routing proxy mode and port mirroring mode. The first three are collectively referred to as online (in-line) mode, which usually requires the WAF to be deployed in series in front of the web server to detect and block abnormal traffic. Port mirroring mode is also called offline mode; its deployment is relatively simple, requiring only that the WAF be connected on a bypass to the switch upstream of the web server, and it can only detect abnormal traffic.

Transparent proxy mode (also called bridge proxy mode). In transparent proxy mode, when a web client makes a connection request to the server, the TCP connection request is intercepted and monitored by the WAF. The WAF transparently proxies the session between the web client and the server, splitting the session into two segments, and forwards it in bridge mode. From the web client's perspective it still accesses the server directly and cannot perceive the WAF; from the perspective of the WAF's forwarding principle it is the same as transparent bridge forwarding, hence the name transparent proxy mode, also known as transparent bridge mode. This deployment mode requires minimal changes to the network and enables zero-configuration deployment. In addition, the hardware bypass function of the WAF means that when the device fails or loses power the original network traffic is not affected, although the WAF's own functions are lost. The disadvantage is that all network traffic (HTTP and non-HTTP) passes through the WAF, which places certain demands on the WAF's processing performance, and server load balancing cannot be realized in this working mode.

Reverse proxy mode. Reverse proxy mode means mapping the address of the real server onto the reverse proxy server; the proxy server then appears externally as the real server. Since the client is accessing the WAF itself, there is no need, as in other modes (such as transparent and routing proxy mode), to hijack the session between the client and the server and act as a transparent proxy for it. When the proxy server receives an HTTP request, it forwards the request to the corresponding real server. After the backend server receives the request, it first sends its response to the WAF device, and the WAF device sends the response to the client. This process is similar to the transparent proxy described above; the only difference is that with a transparent proxy the destination address of the client's request is the backend server itself, so the transparent proxy does not require an IP mapping relationship to be configured on the WAF. This deployment mode requires changes to the network, and the configuration is relatively complicated: in addition to configuring the address and routing of the WAF device itself, the mapping between the address of the real backend web server and the virtual address on the WAF must also be configured. In addition, if the original server address is a global (non-NATed) address, it is usually necessary to change the IP address of the original server and its DNS resolution address. The advantage of this mode is that load balancing can be achieved on the WAF at the same time.


Routing proxy mode. The only difference between routing proxy mode and bridge transparent proxy mode is that the proxy works in routing forwarding mode instead of bridge mode; the other working principles are the same. Since it works in routing (gateway) mode, an IP address and routes must be configured for the WAF's forwarding interfaces. This deployment mode requires simple changes to the network: the IP addresses of the device's internal and external network ports and the corresponding routes must be set. When working in routing proxy mode, the WAF can be used directly as the gateway of the web server, but this creates a single point of failure, and it is also responsible for forwarding all traffic. This working mode also does not support server load balancing.


Port mirroring mode. In port mirroring mode, the WAF only monitors HTTP traffic and raises alarms; it does not intercept or block. This mode uses the port mirroring function of the switch, i.e. a copy of the HTTP traffic on the switch port is mirrored to the WAF; for the WAF, traffic only flows in and is not sent back out. This deployment mode does not require any changes to the network, but it only analyzes traffic and records alarms and does not intercept or block malicious traffic. It is suitable for collecting and understanding the server's access and attack information when first deploying a WAF, providing a reference for optimizing the configuration of a subsequent online deployment. This deployment mode has no impact on the original network.


Origin blog.csdn.net/m0_46467017/article/details/126901448