Common network attacks and defense methods

Cyber Security Threat Categories

Threats from inside the network, abuse of the network, careless employees, and hackers.

Trojan horse attack principle

A Trojan uses a client/server (C/S) architecture: the server component is implanted on the target host and connects back to the attacker's client (a reverse connection), through which the client controls the host.

Virus

A virus is a malicious computer program characterized by propagation, destruction, and concealment.

Types of Cyber Attacks

There are three main categories:

Reconnaissance attack: collect the weaknesses of the network in order to attack it further. Reconnaissance is divided into scanning attacks and network monitoring; scanning attacks include port scanning, host scanning, and vulnerability scanning.

Network monitoring: mainly refers to setting the network card of the user's computer to promiscuous mode, purely by software, so as to read important plaintext information passing through the network.

Port scanning: According to the TCP protocol specification, when a computer receives a TCP connection establishment request message (TCP SYN), it does the following processing:

1. If the requested TCP port is open, respond with a TCP acknowledgment (SYN-ACK) and create a TCP connection control block (TCB);

2. If the requested TCP port is not open, respond with a TCP RST (the RST flag in the TCP header is set to 1) message, telling the initiating computer that the port is not open.

Correspondingly, if the IP protocol stack receives a UDP packet, it will do the following:

1. If the destination port of the datagram is open, deliver it to the upper-layer protocol for processing and send no response (other than whatever the upper-layer protocol itself replies based on its processing result);

2. If the destination port of the datagram is not open, respond with an ICMP port unreachable message, telling the originating computer that the UDP port is unreachable.

Using this principle, the attacker's computer can determine which TCP or UDP ports of the target computer are open by sending appropriate packets.

The process is as follows:

1. Send a TCP SYN or UDP datagram with the port number increasing sequentially from 0 (the port number is a 16-bit number, so the maximum is 65535 and the space is very limited);

2. If an RST is received for the TCP SYN, or an ICMP unreachable message is received for the UDP datagram, the port is not open;

3. Conversely, if an acknowledgment is received for the TCP SYN, the TCP port is open; if no ICMP message is received for the UDP datagram, the UDP port may be open (some implementations do not send ICMP unreachable messages even when the UDP port is closed).

Continuing in this way, it is easy to determine which TCP or UDP ports are open on the target computer and then direct the next attack at the services behind those specific ports. This is the so-called port scanning attack.
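As an added example (not code from the original post), the following Python script looks at the behavior just described from the defender's side: it parses constructed firewall log lines and flags a source that touches many distinct ports within a short window while receiving a high proportion of rejects, which is the closed-port RST or ICMP unreachable case above. The log format, addresses and thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log (not taken from the page). 10.0.0.5 is a normal
# client using two ports; 10.0.0.9 probes many ports in sequence and mostly gets
# "reject" (the closed-port RST / ICMP unreachable case described above).
SAMPLE_LOG = """\
2024-01-01T10:00:00 proto=tcp src=10.0.0.5 dst=192.168.1.10 dport=80 action=accept
2024-01-01T10:00:01 proto=tcp src=10.0.0.5 dst=192.168.1.10 dport=443 action=accept
2024-01-01T10:00:02 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=21 action=reject
2024-01-01T10:00:02 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=22 action=accept
2024-01-01T10:00:02 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=23 action=reject
2024-01-01T10:00:03 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=25 action=reject
2024-01-01T10:00:03 proto=udp src=10.0.0.9 dst=192.168.1.10 dport=53 action=reject
2024-01-01T10:00:03 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=80 action=accept
2024-01-01T10:00:04 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=110 action=reject
2024-01-01T10:00:04 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=135 action=reject
2024-01-01T10:00:05 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=139 action=reject
2024-01-01T10:00:05 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=443 action=accept
2024-01-01T10:00:06 proto=tcp src=10.0.0.9 dst=192.168.1.10 dport=445 action=reject
"""

# Assumed log layout; adjust the pattern to your own firewall's format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse_log(text):
    """Parse log lines into event dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        ev["dport"] = int(ev["dport"])
        events.append(ev)
    return events


def detect_port_scans(events, distinct_ports=8, window_seconds=10, min_reject_ratio=0.5):
    """Flag sources that hit >= distinct_ports (proto, dst, port) targets inside a sliding
    window with a reject share >= min_reject_ratio. Returns {src: finding} for the first
    moment each source crosses the threshold."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)

    window = timedelta(seconds=window_seconds)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, cur in enumerate(evs):
            recent = [e for e in evs[: i + 1] if cur["ts"] - e["ts"] <= window]
            targets = {(e["proto"], e["dst"], e["dport"]) for e in recent}
            rejects = sum(1 for e in recent if e["action"] == "reject")
            ratio = rejects / len(recent)
            if len(targets) >= distinct_ports and ratio >= min_reject_ratio:
                findings[src] = {
                    "distinct_ports": len(targets),
                    "reject_ratio": round(ratio, 2),
                    "first_seen": recent[0]["ts"].isoformat(),
                    "triggered_at": cur["ts"].isoformat(),
                }
                break
    return findings


if __name__ == "__main__":
    for src, info in detect_port_scans(parse_log(SAMPLE_LOG)).items():
        print(f"possible port scan from {src}: {info}")
```

The reject ratio matters: a busy legitimate client can also open many ports, but it rarely collects a long run of RSTs and ICMP unreachables, so combining the two signals gives fewer false positives than counting ports alone.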

Host scanning uses ICMP (echo requests) to search for live hosts on the network.

Footprinting

Attackers collect target information in advance, usually using tools such as whois and Finger and protocols such as DNS and LDAP, to obtain details about the target such as domain names, IP addresses, network topology, and related user information. This is typically the first step a hacker takes before an intrusion.

Scanning attack

Scanning attacks include address scanning, port scanning, and so on. Usually the ping command and various port scanning tools are used to obtain useful information about the target computer, such as which ports are open on the machine and therefore which services are running, laying the groundwork for further intrusion.

Protocol fingerprint

Hackers send probe packets to the target host. Because there are many subtle differences between the IP protocol stack implementations of different operating system vendors (that is, when each vendor writes its own TCP/IP stack it usually interprets the RFC guidance slightly differently), each operating system has its own characteristic way of responding, and hackers can often determine the operating system running on the target host from it.

Commonly used protocol stack fingerprints include: the TTL value, TCP window size, DF flag, TOS, IP fragment handling, ICMP handling, TCP option handling, and so on.

Information flow monitoring

This is the most common method used in a shared LAN environment.

On a shared-media network the packets pass every network node. A network card normally accepts only packets sent to its own address or to a broadcast (or multicast) address it belongs to, but if the card is set to promiscuous mode it accepts all packets passing by.

Based on this principle, hackers use a device called a sniffer (which can be software or hardware) to monitor the network's information flow and obtain the content they are interested in, such as passwords and other secret information.

Access attack:

Password attack: password brute force guessing, Trojan horse program, packet sniffing, etc.

Man-in-the-middle attack: intercepting data, eavesdropping on data content, injecting new information into the session, and session hijacking. Session hijacking takes advantage of shortcomings of the TCP protocol itself: after a legitimate connection has been established, the attacker blocks or disrupts one of the communicating parties and takes over the already-authenticated connection, impersonating that party to the other side.

Denial of service attack: disguise a large number of seemingly reasonable service requests so that they occupy too many service resources, leaving legitimate users unable to get a response.

To avoid DoS attacks on the system, as far as the first two points are concerned, the network administrator must actively and carefully maintain the entire system to ensure that there are no security risks or loopholes;

As for the malicious attack methods in points 4 and 5, security devices such as firewalls must be installed to filter DoS attacks. At the same time, it is strongly recommended that network administrators regularly check the logs of the security devices so that behavior that threatens the system is detected in time.

Behavioral characteristics and defense methods of common denial of service attacks

Denial of service attacks are the most common type of network attack.

Many different attack methods have been derived from this one attack principle.

A correct understanding of these different denial-of-service methods lets you deploy a complete, systematic security protection system for your enterprise.

The most basic method of intrusion detection is to use pattern matching to discover intrusion attacks.

To counter an attack effectively, you must first understand the principle and working mechanism of the intrusion. Only by knowing both yourself and the enemy can intrusion attacks be prevented effectively.

Below we briefly analyze several typical denial of service attack principles, and propose corresponding countermeasures.

Ping of death attack

Because early routers limited the maximum packet size, many operating system TCP/IP stacks stipulate that an ICMP packet is limited to 64KB.

After reading the header of the ICMP packet, the stack allocates a buffer for the payload according to the length information in the header.

When the size of the ICMP packet exceeds 64KB, a memory allocation error will occur, causing the TCP/IP stack to crash, thereby causing the recipient computer to crash.

This is how this "Ping of Death" attack works.

According to this principle, a hacker only needs to keep sending packets larger than 64KB to the target through the ping command to crash the target computer's TCP/IP stack and with it the receiving machine.

Defense method: all current standard TCP/IP stacks can handle packets larger than 64KB, and most firewalls can automatically filter these attacks by analyzing the information in the packets and the time intervals between them.

Systems such as Windows 98, Windows NT 4.0 (after SP3), Windows 2000/XP/Server 2003, Linux, Solaris, and Mac OS already have the ability to resist general "Ping of death" denial of service attacks.

In addition, configuring the firewall to block ICMP and any unknown protocol packets can prevent such attacks from happening.

Teardrop attack

Large IP packets often have to be split for transmission in order to meet the MTU (Maximum Transmission Unit) requirement of the link layer.

For example, when a 6000-byte IP packet is transmitted on a link with an MTU of 2000, it needs to be divided into three IP packets.

The IP header contains a fragment offset field and a More Fragments (MF) flag.

If the MF flag is set to 1, this IP packet is a fragment of a larger IP packet, and the offset field indicates the position of this fragment within the whole packet.

For example, if a 6000-byte IP packet is split (with an MTU of 2000), the offset field values of the three fragments are 0, 2000, and 4000.

Using this information, the receiving end can reassemble the original packet once all fragments have arrived. The teardrop attack sets incorrect, overlapping offset values in these fragments, so that after receiving them the receiver cannot reassemble them correctly; it keeps retrying, which may exhaust resources and crash the target computer's operating system.

The teardrop attack works by modifying the fragmentation information in the IP header of fragments that the TCP/IP stack implementation trusts.

An IP fragment carries information indicating which part of the original packet it contains. The TCP/IP stacks of some operating systems (such as Windows NT 4.0 before SP4) crash on such fragments, but newer operating systems can largely defend against this attack.

Defense method: use the latest operating system as much as possible, or enable the fragment reassembly function on the firewall. The firewall first receives all fragments belonging to the same original packet and completes the reassembly itself instead of forwarding them directly, because the rules to apply when overlapping fragments appear can be set on the firewall.
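The following Python script is an added example (not code from the original post) of the firewall-side reassembly policy just described. It covers both the teardrop section and the earlier Ping of Death section: a set of fragments is accepted only if they fit together without overlaps or gaps and the reassembled size stays within the IPv4 maximum. Offsets are modelled in bytes to match the text above (real IPv4 headers store them in 8-byte units), and the sample fragment sets are constructed for the example.

```python
from dataclasses import dataclass

IP_MAX_DATAGRAM = 65535   # largest IPv4 total length; the "64KB" limit discussed above


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's data within the original datagram
    length: int   # number of data bytes carried by this fragment
    more: bool    # MF flag: True when further fragments follow


def check_reassembly(fragments):
    """Decide whether a set of fragments may be reassembled and forwarded.

    Returns (verdict, detail). Verdicts: 'ok', 'overlap' (teardrop-style),
    'oversize' (ping-of-death-style), 'incomplete', 'malformed'.
    Fragments may arrive in any order; they are sorted by offset first.
    """
    if not fragments:
        return ("incomplete", "no fragments received")
    ordered = sorted(fragments, key=lambda f: f.offset)
    end = 0                                   # first byte not yet covered
    for i, frag in enumerate(ordered):
        last = i == len(ordered) - 1
        if frag.length <= 0 or frag.offset < 0:
            return ("malformed", f"bad fragment offset={frag.offset} length={frag.length}")
        if frag.offset < end:
            return ("overlap", f"fragment at offset {frag.offset} overlaps data covered up to {end}")
        if frag.offset > end:
            return ("incomplete", f"missing data between {end} and {frag.offset}")
        end = frag.offset + frag.length
        if end > IP_MAX_DATAGRAM:
            return ("oversize", f"reassembled size {end} exceeds {IP_MAX_DATAGRAM} bytes")
        if not last and not frag.more:
            return ("malformed", f"fragment at offset {frag.offset} clears MF but is not the last")
        if last and frag.more:
            return ("incomplete", "final fragment seen so far still has MF set")
    return ("ok", f"{end} bytes reassembled")


# Constructed fragment sets (not from the page), using the text's 6000-byte / MTU 2000 example.
SAMPLES = {
    "normal": [Fragment(0, 2000, True), Fragment(2000, 2000, True), Fragment(4000, 2000, False)],
    "out_of_order": [Fragment(4000, 2000, False), Fragment(0, 2000, True), Fragment(2000, 2000, True)],
    "teardrop": [Fragment(0, 2000, True), Fragment(1000, 2000, False)],   # second fragment overlaps first
    "ping_of_death": [Fragment(0, 60000, True), Fragment(60000, 6000, False)],  # 66000 > 65535
    "missing_middle": [Fragment(0, 2000, True), Fragment(4000, 2000, False)],
}


def run_checks(samples=SAMPLES):
    """Return {name: verdict} for every sample set."""
    return {name: check_reassembly(frags)[0] for name, frags in samples.items()}


if __name__ == "__main__":
    for name, frags in SAMPLES.items():
        verdict, detail = check_reassembly(frags)
        print(f"{name:15s} -> {verdict}: {detail}")
```

A firewall that reassembles before forwarding pays a memory cost per pending datagram, so the "incomplete" verdict should be paired with a timeout (see the fragmented IP packet attack later on this page) rather than holding state forever.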

TCP SYN Flood Attack

The TCP/IP stack can only wait for a limited number of ACK (acknowledgment) messages, because each computer has a very limited memory buffer for creating TCP/IP connections.

If this buffer is full of initial messages waiting for a response, the computer stops responding to subsequent connections until the connection in the buffer times out.

The TCP SYN flood attack uses this system vulnerability to carry out the attack.

The attacker makes multiple connection (SYN) requests to the target using a spoofed IP address.

The target system sends an acknowledgment after receiving the request and waits for a reply.

Since the IP address from which the hacker sends the request is forged, the acknowledgment never reaches any computer, and of course no computer responds to it.

Until a response arrives, the target system does not give up on its own: it keeps the corresponding connection information in the buffer and waits.

When a certain number of waiting connections is reached, the memory resources of the buffer are exhausted and the system begins to refuse all other connection requests, including those from normal applications. This is the hacker's ultimate goal.

Defense method: filter subsequent connections from the same host on the firewall.

Still, SYN flood attacks are very worrisome because they do not seek a response, so they cannot be distinguished from simple high-volume traffic.

The firewall's specific defense against TCP SYN flood attacks is described in detail in the firewall's user manual.
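As an added example (not code from the original post or any vendor's firewall), the following Python model shows the half-open connection buffer described above, the per-source filtering the defense method suggests, and the caveat that a flood from spoofed, distinct source addresses defeats that filter and still fills the backlog until entries time out. Capacities, timeouts and addresses are assumed values for the example.

```python
from collections import defaultdict


class HalfOpenTable:
    """Model of a TCP listener's backlog of connections awaiting the final ACK.

    capacity:         how many half-open connections the buffer can hold
    syn_timeout:      seconds before an unanswered SYN-ACK is discarded
    per_source_limit: maximum half-open connections allowed from one source address
                      (the "filter subsequent connections from the same host" defense)
    """

    def __init__(self, capacity=256, syn_timeout=30.0, per_source_limit=16):
        self.capacity = capacity
        self.syn_timeout = syn_timeout
        self.per_source_limit = per_source_limit
        self.pending = {}                    # (src, sport) -> time the SYN arrived
        self.per_source = defaultdict(int)   # src -> number of half-open entries

    def _remove(self, key):
        del self.pending[key]
        self.per_source[key[0]] -= 1
        if self.per_source[key[0]] == 0:
            del self.per_source[key[0]]

    def _expire(self, now):
        for key, t0 in list(self.pending.items()):
            if now - t0 > self.syn_timeout:
                self._remove(key)

    def on_syn(self, src, sport, now):
        """Handle an incoming SYN; returns what the listener does with it."""
        self._expire(now)
        key = (src, sport)
        if key in self.pending:
            return "retransmit"               # same half-open connection, nothing new allocated
        if self.per_source[src] >= self.per_source_limit:
            return "drop_source_limit"        # per-host filter kicks in
        if len(self.pending) >= self.capacity:
            return "drop_backlog_full"        # the denial-of-service condition
        self.pending[key] = now
        self.per_source[src] += 1
        return "syn_ack"

    def on_ack(self, src, sport, now):
        """Final ACK of the handshake frees the half-open entry."""
        key = (src, sport)
        if key not in self.pending:
            return "no_pending"
        self._remove(key)
        return "established"


LEGIT = ("198.51.100.20", 40000)   # constructed legitimate client


def simulate_single_source_flood(syns=1000):
    """Attacker floods from one real address: the per-source limit protects the backlog."""
    table = HalfOpenTable()
    for i in range(syns):
        table.on_syn("203.0.113.7", 1024 + i, now=0.0)
    return table.on_syn(*LEGIT, now=1.0), len(table.pending)


def simulate_spoofed_flood(syns=1000):
    """Attacker spoofs a different source per SYN: the per-source limit never triggers."""
    table = HalfOpenTable()
    for i in range(syns):
        table.on_syn(f"203.0.{i // 256}.{i % 256}", 1024, now=0.0)
    return table.on_syn(*LEGIT, now=1.0), len(table.pending)


def simulate_timeout_recovery(syns=300):
    """After syn_timeout the stale entries expire and the legitimate client gets through."""
    table = HalfOpenTable()
    for i in range(syns):
        table.on_syn(f"203.0.{i // 256}.{i % 256}", 1024, now=0.0)
    return table.on_syn(*LEGIT, now=31.0)


if __name__ == "__main__":
    print("single-source flood:", simulate_single_source_flood())
    print("spoofed flood:      ", simulate_spoofed_flood())
    print("after timeout:      ", simulate_timeout_recovery())
```

The spoofed case is exactly why the text calls SYN floods worrisome: nothing in a single SYN tells the listener whether the source will ever answer, so production stacks add stateless defenses (SYN cookies) or shorten the timeout under load rather than relying on per-host filtering alone.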

Land attack

In this type of attack the source and destination addresses of the packet are identical. When the operating system receives such a packet it does not know how to handle it, or sends and receives the packet in a loop, consuming a lot of system resources and possibly causing the system to crash or hang.

Defense method: this type of attack is relatively easy to detect, because simply checking whether the source and destination addresses of a packet are the same determines whether it is an attack.

The anti-attack method is of course to properly configure the packet filtering rules of firewall devices or packet filtering routers.

Such attacks should also be audited: record the time of the event and the MAC and IP addresses of the source and target hosts, so that the attacker's origin can be analyzed and traced effectively.

Smurf attack

This is a denial of service attack named after a funny cartoon character.

Smurf attacks exploit the ability in most routers to broadcast requests to many computers simultaneously.

The attacker forges a legitimate IP address as the source, and the routers on the network then broadcast a request that asks every host to reply to the attacked computer's address.

Since these packets look like legitimate requests from a known address, all systems on the network reply to that address; the final result is that every host on the network answers the ICMP echo request, causing network congestion, which is exactly what the hacker is after.

This kind of Smurf attack is one to two orders of magnitude higher than the "Ping of Death" flood traffic introduced earlier, and it is easier to attack successfully.

There are also some new types of Smurf attacks that change the source address to a third-party victim (the disguised IP address is no longer used), which eventually leads to an avalanche of third parties.

Defense method: turn off the directed broadcast feature on the external router or firewall, and set rules on the firewall to discard ICMP packets.

Fraggle attack

The Fraggle attack is just a simple modification of the Smurf attack, using UDP response messages instead of ICMP (because hackers know that UDP is harder for users to block completely).

At the same time, the Fraggle attack uses a specific port (usually port 7, but there are many other ports used to implement the Fraggle attack). The attack is basically similar to the Smurf attack and will not be repeated here.

Defense method: turn off the directed broadcast feature on the external router or firewall, and filter UDP packets on the firewall or block the ports commonly used for Fraggle attacks.

Email bomb

One of the oldest anonymous attacks, the email bomb, is carried out by setting up a computer to repeatedly send a large number of emails to the same address, which can exhaust the bandwidth of the recipient's network.

Defense method: Configure filtering rules for email addresses to automatically delete excessive or repeated messages from the same host.

Virtual Terminal (VTY) Exhaustion Attack

This is an attack on network devices such as routers, switches, etc.

To facilitate remote management, these network devices generally provide a number of TELNET user interfaces (virtual terminal lines), through which users can log in and manage the device.

The number of TELNET user interfaces on such a device is generally limited, for example to 5 or 10.

In this way, if an attacker simultaneously establishes 5 or 10 TELNET connections to the same network device, all of its remote management interfaces are occupied, and legitimate users who then try to manage the device remotely fail because the TELNET connection resources are taken.

ICMP flood

Under normal circumstances, diagnostic programs such as ping send ICMP echo request messages (ICMP ECHO) to diagnose the network, and the receiving computer responds with an ICMP ECHO Reply after receiving the request.

This process requires CPU processing, and in some cases it may consume a lot of resources, for example when fragmentation must be handled.

If an attacker sends a large number of ICMP ECHO packets to the target computer (an ICMP flood), the target is kept busy processing these packets and cannot process other network traffic, which is also a denial of service (DoS) attack.

WinNuke attack

As a basic network resource access interface, NetBIOS is widely used in file sharing, print sharing, inter-process communication (IPC), and data exchange between different operating systems.

Generally, NetBIOS runs on the LLC2 link protocol and is a multicast-based network access interface.

In order to implement NetBIOS on the TCP/IP protocol stack, RFC specifies a series of interactive standards, as well as several commonly used TCP/UDP ports:

139: TCP port of NetBIOS session service;

137: UDP port of NetBIOS name service;

136: UDP port for NetBIOS datagram service.

The network services (file sharing, etc.) of the early versions of the WINDOWS operating system (WIN95/98/NT) are all based on NetBIOS.

Therefore these operating systems open port 139 (the newer Windows 2000/XP/2003 versions also implement NetBIOS over TCP/IP for compatibility and open port 139).

The WinNuke attack exploits a vulnerability in the Windows operating system by sending TCP out-of-band (OOB) data packets to port 139.

The difference between these attack packets and normal OOB data is that the urgent pointer field does not match the actual position of the data, that is, there is an overlap, so the Windows operating system crashes when processing them.

Fragmented IP packet attack

In order to transmit a large IP packet, the IP protocol stack needs to fragment it according to the MTU of the link interface. By filling in the fragmentation fields in the IP header appropriately, the receiving computer can easily reassemble these IP fragments.

When the target computer processes these fragmented messages, it will cache the first fragmented messages and wait for the subsequent fragmented messages.

This process will consume part of the memory and some data structures of the IP protocol stack.

If the attacker sends only one fragment to the target computer instead of all of them, the target computer waits (until an internal timer expires).

If the attacker sends a large number of such lone fragments, the target computer's resources are consumed and it can no longer respond to normal IP packets, which is also a DoS attack.

Teardrop

A fragmentation attack: a reassembly bug is exploited with overlapping fragments to crash or hang the target system.

Routing protocol attack

In order to exchange routing information between network devices, some dynamic routing protocols are often run. These routing protocols can complete functions such as the establishment of routing tables and the distribution of routing information.

Common routing protocols include RIP, OSPF, IS-IS, BGP, etc.

While these routing protocols make routing information management and transmission convenient, they also have some defects. If an attacker exploits these defects to attack the network, it may cause disorder in the routing tables of network devices (which can interrupt the network), consume a large amount of network device resources, and even paralyze the network equipment.

Attack methods and principles of common routing protocols

Attacks against the RIP protocol

RIP, the Routing Information Protocol, maintains its routing table through periodic (usually every 30 seconds) routing update messages.

When a router running RIP receives a routing update message on an interface, it analyzes the routing information it contains and compares it with its own routing table.

If the router thinks that the routing information is more effective than what it has, it will import the routing information into its own routing table.

In this way, if an attacker sends an artificially constructed destructive routing update message to a router running the RIP protocol, it is easy to mess up the routing table of the router, thereby causing network interruption.

If the router running RIP enables HMAC verification of routing update messages, this attack can be avoided to a large extent.

Attacks against the OSPF routing protocol

OSPF, Open Shortest Path First, is a widely used link-state routing protocol.

This routing protocol is based on the link state algorithm, which has the advantages of fast convergence, stability, and freedom from loops, and is well suited to large-scale computer networks.

OSPF exchanges the routers' local link information by establishing adjacencies and from it builds a link state database of the entire network; based on this database each router can easily compute its routing table.

It follows that if an attacker pretends to be a legitimate router, establishes an adjacency with a router in the network, and injects a large number of link state advertisements (LSAs, the data units that make up the link state database) into that router, the router can be led to form a wrong network topology, which disorders the routing tables of the entire network and paralyzes it.

The current versions of the WINDOWS operating systems all implement the OSPF routing protocol function, so an attacker can easily use the routing function modules that come with these operating systems to attack.

As with RIP, if OSPF enables packet authentication (HMAC verification), this attack can be avoided to a large extent.

Attacks against the IS-IS routing protocol

The IS-IS routing protocol (Intermediate System to Intermediate System) was proposed by ISO to route ISO CLNS network services.

This protocol is also based on the link state, and its principle is similar to OSPF.

After being extended, the IS-IS routing protocol can run on an IP network and select routes for IP packets.

This routing protocol also completes link state database synchronization by establishing neighbor relationships and collecting router local link states.

Establishing a neighbor relationship in this protocol is simpler than in OSPF, and some OSPF-specific features are omitted, which makes the protocol simple, clear, and more scalable.

The attack on this protocol is similar to the OSPF attack: simulation software establishes a neighbor relationship with a router running the protocol and then sends it a large number of link state PDUs (LSPs). This makes the link state databases of routers across the whole network inconsistent (because the link state databases of all routers in the network must be synchronized to the same state), so the routing tables no longer match the actual topology and the network is interrupted.

As with OSPF, if the router running this protocol has HMAC authentication of IS-IS protocol data units (PDUs) enabled, this attack can be avoided to a large extent.
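The RIP, OSPF and IS-IS sections above all give the same defense, HMAC authentication of routing updates. The following Python script is an added example (not code from the original post, and not the real RIPv2, OSPF or IS-IS packet formats) that shows what that defense buys: a receiver that installs routes only from updates whose HMAC verifies under the shared key, and rejects unsigned, tampered, wrong-key and replayed updates. The message layout, the sequence-number replay check and the key are assumptions made for this example.

```python
import hashlib
import hmac
import json


class AuthenticatedRoutingTable:
    """Distance-vector routing table that only installs HMAC-authenticated updates.

    An update is a dict {"sender": ip, "seq": n, "routes": [[prefix, metric], ...]}.
    This is a simplified stand-in for a RIP update, not the real wire format.
    """

    def __init__(self, key):
        self.key = key
        self.routes = {}      # prefix -> (metric, next_hop)
        self.last_seq = {}    # sender -> highest sequence number accepted (replay check, assumed)

    @staticmethod
    def _canonical(body):
        # Deterministic serialization so sender and receiver MAC the same bytes.
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    @classmethod
    def sign(cls, body, key):
        """Attach an HMAC-SHA256 tag computed over the canonical body."""
        msg = dict(body)
        msg["mac"] = hmac.new(key, cls._canonical(body), hashlib.sha256).hexdigest()
        return msg

    def verify(self, msg):
        mac = msg.get("mac")
        if not isinstance(mac, str):
            return False
        body = {k: v for k, v in msg.items() if k != "mac"}
        expected = hmac.new(self.key, self._canonical(body), hashlib.sha256).hexdigest()
        return hmac.compare_digest(mac, expected)   # constant-time comparison

    def apply_update(self, msg):
        """Verify first, then merge routes whose cost beats what we already have."""
        if not self.verify(msg):
            return "rejected_bad_mac"
        sender, seq = msg["sender"], msg["seq"]
        if seq <= self.last_seq.get(sender, -1):
            return "rejected_replay"
        self.last_seq[sender] = seq
        installed = 0
        for prefix, metric in msg["routes"]:
            cost = metric + 1                    # one more hop across the link to the sender
            current = self.routes.get(prefix)
            if current is None or cost < current[0]:
                self.routes[prefix] = (cost, sender)
                installed += 1
        return f"accepted_{installed}"


KEY = b"constructed-demo-key-not-for-production"   # assumed shared key


def demo():
    """Run the legitimate / forged / tampered / wrong-key / replayed cases; return outcomes."""
    table = AuthenticatedRoutingTable(KEY)
    update = {"sender": "10.0.0.2", "seq": 1,
              "routes": [["10.1.0.0/16", 1], ["10.2.0.0/16", 3]]}
    results = {"good": table.apply_update(AuthenticatedRoutingTable.sign(update, KEY))}

    # An attacker advertises a better metric to attract 10.1.0.0/16 traffic.
    forged = dict(update, seq=2, routes=[["10.1.0.0/16", 0]])
    results["unsigned"] = table.apply_update(forged)
    tampered = AuthenticatedRoutingTable.sign(update, KEY)
    tampered["routes"] = forged["routes"]
    results["tampered"] = table.apply_update(tampered)
    results["wrong_key"] = table.apply_update(AuthenticatedRoutingTable.sign(forged, b"guess"))
    results["replay"] = table.apply_update(AuthenticatedRoutingTable.sign(update, KEY))
    results["route_10_1"] = table.routes["10.1.0.0/16"]
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:10s}: {outcome}")
```

Two details carry over to real deployments: compare tags with a constant-time function, and bind something monotonic (a sequence number, as here, or the cryptographic sequence number real OSPF and IS-IS authentication use) into the authenticated data, otherwise a captured valid update can simply be replayed later.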

Application layer attack

This can be carried out in a number of different ways, the most common being exploitation of defects in application software commonly found on application servers (such as SQL Server, Sendmail, PostScript, and FTP).

By using these flaws, an attacker can gain access to a computer with the permissions of the account that runs the application on it.

One of the newest forms of application-layer attack uses widely available technologies such as the HTML specification, the capabilities of Web browsers, and the HTTP protocol.

These attacks deliver harmful programs over the network, including Java applets and ActiveX controls, which are invoked through the user's browser and can easily achieve the intended intrusion.

Although the code-signing verification technology provided by Microsoft can make a user's browser abort this type of attack when an ActiveX control fails its security check, attackers have discovered how to use properly signed ActiveX controls that contain many vulnerabilities as Trojan horses for new attacks.

This technique can use VBScript to directly control the execution of covert tasks, such as overwriting files or executing other files, making prevention and removal more difficult.

In application-layer attacks, vulnerable targets include routers, databases, Web and FTP servers, and protocol-related services such as DNS, WINS, and SMB.

Access layer attack

MAC/CAM flood attack

A MAC/CAM flood attack uses tools to generate a large number of spoofed MAC addresses and quickly fill the switch's CAM table. Once the CAM table is full, traffic is flooded out of all ports, so the switch works like a shared hub; at that point the attacker can use various sniffing attacks to obtain network information.

At the same time, when the CAM table is full the traffic is flooded to all interfaces, which means that traffic on the trunk interface is also sent to all interfaces and to adjacent switches, causing excessive load on the switch, a slow network, packet loss, or even paralysis.

Solution: port security can be used to allow only specific hosts to connect and to define the maximum number of MAC addresses allowed on a port.
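The following Python model is an added example (not code from the original post or any switch vendor) of why a bounded CAM table turns a switch into a hub and how the port-security limit just described stops it. A toy learning switch is flooded with constructed spoofed MAC addresses from one port, once without port security and once with a per-port limit; the results show whether a later unicast frame to a legitimate server stays unicast or is flooded to every port, including the attacker's. Port names, capacities and addresses are assumptions for the example.

```python
class Switch:
    """Toy learning switch with a bounded CAM table and optional port security.

    cam_capacity:      number of MAC -> port entries the CAM can hold
    max_macs_per_port: port-security limit; None disables port security
    """

    def __init__(self, ports, cam_capacity=16, max_macs_per_port=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.max_macs_per_port = max_macs_per_port
        self.cam = {}                 # mac -> port
        self.err_disabled = set()     # ports shut down by a port-security violation

    def learn(self, in_port, src_mac):
        """Learn the source MAC of a frame arriving on in_port; returns what happened."""
        if in_port in self.err_disabled:
            return "dropped_err_disabled"
        if src_mac in self.cam:
            return "known"
        if self.max_macs_per_port is not None:
            on_port = sum(1 for p in self.cam.values() if p == in_port)
            if on_port >= self.max_macs_per_port:
                self.err_disabled.add(in_port)   # violation: shut the port, CAM stays intact
                return "violation_err_disabled"
        if len(self.cam) >= self.cam_capacity:
            return "cam_full"                    # not learned; frames to this MAC will flood
        self.cam[src_mac] = in_port
        return "learned"

    def forward(self, in_port, dst_mac):
        """Return the list of egress ports for a frame to dst_mac."""
        if in_port in self.err_disabled:
            return []
        if dst_mac in self.cam:
            return [self.cam[dst_mac]]           # normal unicast
        # Unknown unicast floods to every other active port, like a hub.
        return [p for p in self.ports if p != in_port and p not in self.err_disabled]


def spoofed_macs(n):
    """Constructed locally-administered MAC addresses standing in for the attacker's flood."""
    return [f"02:00:00:00:{i // 256:02x}:{i % 256:02x}" for i in range(n)]


SERVER_MAC = "aa:bb:cc:dd:ee:03"   # constructed: legitimate server on port Gi3


def simulate(port_security_limit):
    """Flood Gi1 with 100 spoofed MACs, then see whether Gi2 -> server traffic stays unicast."""
    sw = Switch(ports=["Gi1", "Gi2", "Gi3", "Gi4"], cam_capacity=16,
                max_macs_per_port=port_security_limit)
    flood = [sw.learn("Gi1", mac) for mac in spoofed_macs(100)]
    server_learn = sw.learn("Gi3", SERVER_MAC)
    egress = sw.forward("Gi2", SERVER_MAC)
    return {
        "cam_entries": len(sw.cam),
        "violations": flood.count("violation_err_disabled"),
        "server_learned": server_learn,
        "egress_for_server_frame": egress,
        "attacker_port_down": "Gi1" in sw.err_disabled,
    }


if __name__ == "__main__":
    print("no port security:", simulate(None))
    print("max 2 MACs/port: ", simulate(2))
```

Without the limit the attacker's frames consume every CAM entry, the server can never be learned, and the frame meant for it is copied to Gi1 where the attacker can sniff it. With the limit the third spoofed MAC err-disables Gi1, the CAM keeps room for the server, and the frame goes out on Gi3 only.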

Attacks against DHCP

DHCP can automatically configure a user's IP address, subnet mask, gateway, DNS, WINS and other parameters, which simplifies user network settings and improves management efficiency.

However, DHCP management also brings some headaches for network administrators.

1 DHCP packet flood attack

A DHCP packet flood attack uses a tool to forge a large number of DHCP request packets and send them to the server.

On the one hand, the pool of IP addresses is maliciously exhausted, so legitimate users cannot obtain one;

On the other hand, the server runs under high load and cannot respond to legitimate users' requests, causing network failures.

Solution: DHCP snooping; compare whether the source MAC of the Layer 2 Ethernet frame matches the client MAC in the DHCP request, and discard the packet if they differ.

2 DHCP Server spoofing attack

Because the DHCP protocol was designed without an authentication mechanism between client and server, the presence of several DHCP servers on a network causes confusion.

Usually a hacker first exhausts the addresses the legitimate DHCP server can assign and then poses as a legitimate DHCP server.

The most concealed and dangerous variant is for the hacker to use the fake DHCP server to hand users a modified DNS server address and then, without the users noticing, lead them to pre-built fake banking or e-commerce websites that harvest their accounts and passwords; the consequences of this attack are very serious.

Solution: DHCP snooping. Configure trusted and untrusted ports; untrusted ports reject DHCP OFFER and DHCP ACK messages. The packet rate-limiting function of DHCP snooping can also be used: if the packet rate on a port exceeds the limit, the port enters the errdisable state.

Attack against ARP

As the link between the IP layer and the link layer, ARP has a very important role: its main mission is to determine the link layer address (MAC address) corresponding to an IP address.

However, for historical reasons, ARP was not designed with security in mind, so hackers can easily exploit its weaknesses to steal network information.

1 ARP traffic attack

There are many ways to mount an ARP traffic attack, such as forging a large number of ARP requests, forging a large number of ARP replies, or forging IP packets whose destination IPs do not exist.

Their ultimate purpose is the same: to increase ARP traffic in the network, waste the switch's CPU and bandwidth, waste memory, keep the CPU busy, cause packet loss, and even paralyze the network.

Solution: there are two ways to prevent ARP traffic attacks:

1. Limit the rate of ARP packets on the port. When the ARP packet rate on a port exceeds the configured value, the port is shut down;

2. Record the destination IPs that cause ARP resolution failures. When the number of resolution failures caused by one IP within a fixed period exceeds the configured value, an ACL is installed and packets destined for that IP are discarded in hardware.

2 ARP spoofing attack

By design of the ARP protocol, in order to reduce ARP traffic on the network, a host learns an ARP reply even when it did not request it (an unsolicited reply).

This creates the possibility of "ARP spoofing".

For example, a hacker sends an ARP reply to each of two hosts so that both "mistakenly" believe the other's MAC address is that of the hacker's host.

In this way, the seemingly "direct" communication between the two parties actually passes indirectly through the hacker's host.

On the one hand the hacker obtains the communication content he wants; on the other hand he only needs to change some information in the packets and forward them on.

At the same time, the hacker keeps sending these false ARP replies to the two hosts so that their wrong ARP entries never expire, and he can snoop on their communication indefinitely.

Solution: against ARP spoofing, use the DHCP snooping entries recorded on the access-layer switch and/or statically bound legal user information to judge the validity of each packet.

When an ARP message is received on a switch port, the IP and MAC addresses in the message are extracted and compared with those entries. If the IP, MAC and port of the received message match an entry, it is considered legal and processed normally; otherwise it is regarded as illegal and discarded.

3 IP/MAC spoofing attack

Common types of spoofing include MAC spoofing, IP spoofing, and IP/MAC spoofing; hackers forge source addresses to attack.

For example, targeting a DNS server on the public network: the hope is that by making the DNS server respond to, and wait on, the forged source address, a DoS effect is produced and amplified.

Another purpose of IP/MAC spoofing is to forge an identity or obtain the privileges tied to a particular IP/MAC.

Solution: preventing IP/MAC spoofing is similar to preventing ARP spoofing above; DHCP snooping entries and static binding entries are used to check the correctness of the IP, MAC, and port of IP packets.

The difference is that the IP address checking feature is configured on the switch port and takes effect there. Instead of discarding packets in software, ACL rules are issued directly to the port and illegal packets are discarded by hardware, which greatly reduces the impact of illegal IP packets on the switch's processing efficiency.
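The three DHCP, ARP and IP/MAC sections above all rely on the same binding table. The following Python model is an added example (not code from the original post or any switch vendor) that puts them together: a DHCP snooping check with trusted ports, the source-MAC versus client-MAC comparison and a per-port rate limit, plus ARP and IP source checks against (IP, MAC, port) bindings. The binding table, port names, the rate-limit value and the message types used are assumptions for the example.

```python
from collections import defaultdict

# Constructed binding table (not from the page): what DHCP snooping would have recorded
# when these clients obtained leases, plus one static binding for a server.
BINDINGS = {
    ("192.168.1.10", "aa:bb:cc:00:00:10", "Gi1/0/1"),
    ("192.168.1.11", "aa:bb:cc:00:00:11", "Gi1/0/2"),
    ("192.168.1.50", "aa:bb:cc:00:00:50", "Gi1/0/5"),   # static binding
}
TRUSTED_PORTS = {"Gi1/0/24"}   # uplink toward the legitimate DHCP server
DHCP_RATE_LIMIT = 5            # DHCP packets per port per interval before errdisable (assumed)
SERVER_MSGS = ("OFFER", "ACK", "NAK")


class AccessSwitch:
    def __init__(self, bindings=BINDINGS, trusted_ports=TRUSTED_PORTS, dhcp_rate_limit=DHCP_RATE_LIMIT):
        self.bindings = set(bindings)
        self.trusted = set(trusted_ports)
        self.rate_limit = dhcp_rate_limit
        self.dhcp_count = defaultdict(int)   # port -> DHCP packets seen this interval
        self.err_disabled = set()

    def inspect_dhcp(self, port, src_mac, msg_type, chaddr):
        """DHCP snooping: server messages only from trusted ports, frame source MAC must
        equal the client hardware address in the DHCP payload, and untrusted ports are
        rate-limited."""
        if port in self.err_disabled:
            return "drop_err_disabled"
        if port in self.trusted:
            return "permit_trusted"
        self.dhcp_count[port] += 1
        if self.dhcp_count[port] > self.rate_limit:
            self.err_disabled.add(port)
            return "drop_rate_limit_err_disable"
        if msg_type in SERVER_MSGS:
            return "drop_server_msg_untrusted"   # rogue DHCP server on an access port
        if src_mac != chaddr:
            return "drop_mac_mismatch"           # forged request flood
        return "permit"

    def inspect_arp(self, port, sender_ip, sender_mac):
        """Dynamic ARP inspection: sender IP/MAC must be bound to this port."""
        return "permit" if (sender_ip, sender_mac, port) in self.bindings else "drop"

    def inspect_ip(self, port, src_ip, src_mac):
        """IP source guard: same check applied to ordinary IP packets (hardware ACL in practice)."""
        return "permit" if (src_ip, src_mac, port) in self.bindings else "drop"


def run_scenarios():
    """Constructed traffic exercising each check; returns {scenario: verdict}."""
    sw = AccessSwitch()
    return {
        "client_discover": sw.inspect_dhcp("Gi1/0/1", "aa:bb:cc:00:00:10", "DISCOVER", "aa:bb:cc:00:00:10"),
        "offer_from_uplink": sw.inspect_dhcp("Gi1/0/24", "00:de:ad:be:ef:01", "OFFER", "aa:bb:cc:00:00:10"),
        "offer_from_access_port": sw.inspect_dhcp("Gi1/0/3", "aa:bb:cc:00:00:03", "OFFER", "aa:bb:cc:00:00:10"),
        "forged_chaddr": sw.inspect_dhcp("Gi1/0/3", "aa:bb:cc:00:00:03", "DISCOVER", "00:11:22:33:44:55"),
        "arp_valid": sw.inspect_arp("Gi1/0/1", "192.168.1.10", "aa:bb:cc:00:00:10"),
        "arp_claims_neighbour_ip": sw.inspect_arp("Gi1/0/2", "192.168.1.10", "aa:bb:cc:00:00:11"),
        "arp_right_pair_wrong_port": sw.inspect_arp("Gi1/0/7", "192.168.1.10", "aa:bb:cc:00:00:10"),
        "ip_static_server": sw.inspect_ip("Gi1/0/5", "192.168.1.50", "aa:bb:cc:00:00:50"),
        "ip_spoofed_source": sw.inspect_ip("Gi1/0/2", "192.168.1.50", "aa:bb:cc:00:00:11"),
    }


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:28s} {verdict}")
```

Note that the same (IP, MAC) pair is dropped when it shows up on a different port: binding the port is what stops a host from simply copying a neighbour's addresses.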

Solutions for Cyber Attacks

Perimeter Security (Firewall): access control lists and firewalls are like the door locks on the outside of a building, allowing only authorized users (those with keys or badges) to enter or exit.

Perimeter security controls access to critical applications, services, and data so that only legitimate users and information can pass from one network (trust domain) into another.

The basic implementation is access control and a firewall (mitigating access attacks and DoS attacks, and detecting scanning attacks and responding to them).

Intrusion Prevention (IDS, IPS): intrusion detection systems act like surveillance cameras in real life.

They continuously scan network traffic (by copying the traffic to the sensor) looking for suspicious packets.

Using a database of attack signatures, they can record anything unusual and take appropriate action: raise an alarm, reset the attacker's TCP connection, or ban the attacker's IP address from accessing the network again.

Network IDS (NIDS) sensors usually use a promiscuous-mode interface with no IP address to listen to all traffic on a subnet, and send alarms and recorded traffic through another, more reliable interface (to detect attack code such as Trojan horses and viruses, and scanning attacks).

Secure connection (VPN): a virtual private network (VPN) using the IP Security standard (IPsec) can provide information confidentiality, integrity and endpoint identity authentication (to prevent data from being stolen by illegal users and to prevent man-in-the-middle attacks).

Identity recognition (802.1X, AAA): only authenticated users can access the network (illegal users cannot connect, which prevents password attacks).

Admission Control (NAC/EAD (H3C)): NAC grants network access to end devices that fully comply with security policies, and helps ensure that non-compliant devices are denied access, placed in quarantine for remediation, or allowed only limited access to resources (addressing network threats).

Behavior Management: limiting network abuse by network users (addressing network threats).

Integrated security products: in addition to traditional firewall and VPN functions, these provide security functions such as virus protection, URL filtering, vulnerability attack protection, spam protection, P2P/IM application-layer traffic control, and user behavior auditing.


Origin blog.csdn.net/m8330466/article/details/130230530