VPN introductory tutorial (very detailed), from basic entry to mastery, just read this article

Data Sources

    This article is intended only for learning about [information security](https://so.csdn.net/so/search?q=%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8&spm=1001.2101.3001.7020 "信息安全"). Please comply with the relevant laws and regulations; use for illegal purposes is strictly prohibited. If a reader commits any act that endangers network security as a result, the consequences are their own responsibility and have nothing to do with the author.

1. Introduction

  • A VPN provides secure transmission of data across an insecure network, behaving much like a private network
  • A VPN is simply a technology that uses PKI to guarantee the three elements of data security.

2. Three elements of security

1) Confidentiality

2) Integrity

3) Authentication (identity verification)

3. Encryption technology:

1) Symmetric encryption: encryption and decryption use the same key

                               The key is negotiated by the two communicating parties, and the negotiation happens in plaintext!

                               **Advantage:** fast

                               **Disadvantage:** the key is easily leaked!

            **Symmetric algorithms:** DES, 3DES, AES

2) Asymmetric encryption: data is encrypted with a public/private key pair

                               Public and private keys are generated as a pair; each decrypts what the other encrypts. Neither key can be derived from the other!

                               **The two parties exchange public keys:**

                                    Encrypting with the peer's public key provides confidentiality

                                    Signing with your own private key provides authentication

                               **Advantage:** high security

                               **Disadvantage:** slow

                               **Common algorithms:** RSA, DH

4. Integrity (hash) algorithms:

    MD5

    SHA

5. Types of VPN

1) Remote access VPN (RA-VPN)

            Typically used to connect an individual securely into a company's internal network

            Typically used by employees on business trips or working from home who need a secure connection to the intranet

            The company usually deploys a VPN server; employees outside the office simply dial in to the VPN

            **Common RA-VPN protocols:** PPTP VPN, L2TP VPN, SSTP VPN, EZVPN/EasyVPN (Cisco proprietary), SSL VPN (currently the most popular)

2) Point-to-point (site-to-site) VPN

            Typically used for a secure connection between two companies

            A VPN tunnel is normally built between the two companies' Internet-edge devices!

            **Common point-to-point VPN:** IPsec VPN

6. IPsec VPN:

1) It is a point-to-point VPN and can establish a VPN tunnel between two companies!

2) Advantages of a VPN tunnel:

            Security

            Merging the two companies' intranets into one

3) VPN tunnel technology

            **1) Transport mode: only the upper-layer data is encrypted, not the private IP header; faster transmission**

                 **Communication process:** when one company wants to communicate securely with the other over the VPN tunnel, internal traffic first reaches the company's own router. The router encrypts the layer 4 and layer 5 data of the frame, then takes the destination and source IPs out of the IP header and places them in the IP header's options field (intranet IPs cannot survive on the public Internet). It uses the company's own purchased public IP (the one configured on the router's Internet-facing interface) and the peer's public IP as the new source and destination IPs. When the packet reaches the peer router, the original destination and source IPs are taken back out of the options field and the frame is restored. The return traffic from the peer company follows roughly the same procedure.

            **2) Tunnel mode (default): the entire private IP packet is encrypted, including the IP header; more secure, but slower**

The encrypted packet is then transmitted to the peer router, which decapsulates it and forwards it on to the destination intranet.

4) VPN tunnel technology: re-encapsulation technology + encryption authentication technology

5) An IPsec VPN has two phases:

Phase 1: Management connection (the two VPN peers establish the connection / build the tunnel)

                    **Purpose:** the two devices use an asymmetric algorithm to encrypt the symmetric key that the symmetric algorithm will use, so that the symmetric key is negotiated securely.

                    **Process:** each device first generates its own public/private key pair; the two then exchange public keys and encrypt the symmetric key with the peer's public key. This removes the weakness of a symmetric key that was negotiated in plaintext, while keeping the speed of symmetric encryption for the bulk data.

            **Commands (Cisco). Purpose: build the tunnel (IKE)**

    conf t
    crypto isakmp policy 1                 # create a policy set (transform set); 1 is its number
    encryption des/3des/aes                # symmetric encryption algorithm, normally aes
    hash md5/sha                           # integrity / hash algorithm, normally sha
    group 1/2/5                            # DH (asymmetric) group; selects the key length: longer is safer but slower, normally 2 or 5
    authentication pre-share               # authenticate the peer with a pre-shared key
    lifetime <seconds>                     # lifetime of this policy set; when it expires both sides generate a new symmetric key. With 3600 the key changes every hour, which limits the damage if a key is cracked. Default: 86400 seconds / 24 hours
    exit
    crypto isakmp key <pre-shared-key> address <peer public IP>   # pre-shared key bound to the peer's public IP

    **Role of the pre-shared key:** it proves that the peer really is the peer and not an attacker's forgery. The peer must configure the same key: if I set the shared key to `zhangsan`, the other side must also use `zhangsan`, and both sides verify it. The longer and more complex the key the better; it must not be shorter than 6 characters.

    **How it works:** the shared key is appended to the data, e.g. "data" + zhangsan, and the hash computed over the result is practically unique. If an attacker replaces the hash, the substitution is detected, because my hash also includes the contribution of "zhangsan"; that keyed hash is the basis of the authentication, and a hash without it is a forgery.
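Added example (not from the original article): how the keyed hash described above lets the receiver detect a replaced hash. It uses the tutorial's sample key `zhangsan`, a constructed payload, and HMAC, the standard keyed construction that transforms such as esp-sha-hmac rely on, shown beside the tutorial's plain hash(data + key) description.

```python
"""Keyed hash as an authentication tag: why a party without the shared key
cannot replace the tag, using the tutorial's key 'zhangsan'. The packet
bytes are constructed for illustration."""
import hashlib
import hmac

PSK = b"zhangsan"                  # pre-shared key from the tutorial's example
PACKET = b"GET /payroll HTTP/1.1"  # constructed sample payload


def naive_tag(data: bytes, key: bytes) -> str:
    """The tutorial's description taken literally: sha256('data' + key)."""
    return hashlib.sha256(data + key).hexdigest()


def hmac_tag(data: bytes, key: bytes) -> str:
    """The standardised keyed construction (HMAC) that IPsec transform sets
    such as esp-sha-hmac use; the key is mixed into an inner and an outer
    hash rather than simply appended to the data."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify(data: bytes, tag: str, key: bytes) -> bool:
    """Receiver side: recompute the tag with its own copy of the key and
    compare in constant time, so timing does not leak how many bytes matched."""
    return hmac.compare_digest(hmac_tag(data, key), tag)


def attacker_without_key(data: bytes) -> str:
    """An interceptor who alters the payload can compute *a* hash over the new
    bytes, but not one that incorporates the key it never saw."""
    return hashlib.sha256(data).hexdigest()


def demo() -> dict:
    tag = hmac_tag(PACKET, PSK)
    forged = b"GET /admin HTTP/1.1"            # altered payload
    return {
        "genuine_accepted": verify(PACKET, tag, PSK),
        "tampered_rejected": not verify(forged, tag, PSK),
        "forged_tag_rejected": not verify(forged, attacker_without_key(forged), PSK),
        "wrong_psk_rejected": not verify(PACKET, tag, b"lisi"),   # peer key mismatch
    }
```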

Phase 2: Data connection (encrypting the data actually being transmitted)

                    **Purpose:** encrypt the actual private-network (intranet) traffic with the symmetric algorithm

            **Define the VPN trigger traffic: which packets go through the VPN**

    conf t
    access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

            Creates an ACL numbered 100 (1-255 are available) with one entry allowing traffic from the 192.168.x.x networks to the 172.16.x.x networks into the tunnel. In other words, when traffic from 192.168.x.x to 172.16.x.x enters the router, the router sends it into the tunnel instead of out to the Internet. **0.0.255.255** is a wildcard (inverse) mask: 0.0.255.255 means only the first two octets are checked, i.e. only the 192.168 part matters and the rest is ignored; if those two octets match, the address is considered a match.

    crypto ipsec transform-set <transform-set-name> esp-des/esp-3des/esp-aes esp-md5-hmac/esp-sha-hmac   # define the encryption and authentication method

    **Example:  crypto ipsec transform-set wentran esp-aes esp-sha-hmac**

            **ESP:** supports encryption and authentication (identity verification + integrity)

            **AH:** supports authentication only (identity verification + integrity)

Create the crypto MAP

            **Purpose:** phase 1 created the policy set and phase 2 defined the ACL and the encryption/authentication method; the crypto map gathers all of this into one table, which is then applied to the router's Internet-facing interface

    conf t
    crypto map <map-name> 1 ipsec-isakmp   # enter crypto-map configuration mode. Creates a map with this name; the number 1 is its sequence number. The same map name can be reused, with entries told apart by their sequence numbers; isakmp means phase 1 uses the ISAKMP policy sets. Purpose: exchange keys with the peer
    match address <acl-number>             # bind the phase-2 data-connection ACL to this entry
    set transform-set <transform-set-name> # traffic matching the ACL is encrypted and authenticated as defined in the transform set
    set peer <peer public IP>              # the peer's public IP
    exit

    **Example:**

    conf t
    crypto map wenmap 1 ipsec-isakmp
    match address 100
    set transform-set wentran
    set peer 200.1.1.2
    exit

Apply the crypto MAP to the Internet-facing interface

    int f0/1                # the Internet-facing interface
    crypto map wenmap       # apply the wenmap table to the interface
    exit

    **Note:** only one crypto map can be applied to an interface

Show commands (privileged-mode commands; in other modes prefix them with `do `):

    show crypto isakmp sa                # phase 1 status (management connection)
    show crypto ipsec sa                 # phase 2 status (data connection)
    show crypto isakmp policy            # phase 1 policy sets
    show crypto ipsec transform-set      # phase 2 transform sets
    sh run                               # show the running-config, where every configuration made on the router lives

7. How the router processes traffic

    **If the router's Internet-facing interface is configured with both [NAT](https://blog.csdn.net/weixin_43263566/article/details/128245404 "NAT") and a VPN, the order of execution is:**

            **intranet -- to -- Internet: route the packet to the outside interface -- 1. NAT -- 2. VPN -- out**

8. Experiments (point-to-point VPN tunnel)

  • **Experiment 1:** Beijing and Shanghai establish a VPN tunnel and verify it (the router in the middle must not be configured with routes to the intranets; communication is achieved by configuring the VPN on the routers at both ends)
  • **Experiment 2:** Based on Experiment 1, both companies must also have Internet access without affecting the VPN tunnel.
  • **Experiment 3:** Based on Experiments 1 and 2, the Beijing headquarters and the newly established Guangzhou branch must also establish a VPN tunnel
  • **Experiment 4:** (Optional) Based on Experiments 1-3, no VPN tunnel is built between Guangzhou and Shanghai, yet Guangzhou and Shanghai must still be able to communicate securely

Experiment 1

Steps:

1) Configure IP addresses on the PCs and the router interfaces

Commands to configure a router interface IP

    en                              # enter privileged mode
    conf t                          # enter global configuration mode
    int Fa0/x                       # enter the interface to configure
    ip add <IP> <subnet mask>       # configure the IP, e.g.: ip add 30.1.1.254 255.255.255.0
    no shut                         # bring the interface up

2) Configure default routes on the left and right routers

    **Commands:**

    ip route <network> <subnet mask> <next-hop IP>   # configure a static route
    ip route 0.0.0.0 0.0.0.0 <next-hop IP>           # configure a default route

    **Configure the left router:**

    conf t                          # enter global configuration mode
    ip route 0.0.0.0 0.0.0.0 100.1.1.254

    **Configure the right router:**

    conf t                          # enter global configuration mode
    ip route 0.0.0.0 0.0.0.0 200.1.1.254

3) Configure the VPN tunnel

Note: the commands below can be copied and pasted into the simulator as they are if your IP addresses and connected interfaces match mine. If they differ, change the IPs and interface numbers to match your own setup.

Commands to configure the router on the left

en
conf t
crypto isakmp policy 1
encryption aes
hash sha
group 2
authentication pre-share
lifetime 3600
exit
crypto isakmp key zhangsan address 200.1.1.1

access-list 100 permit ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255
crypto ipsec transform-set wentran esp-aes esp-sha-hmac

crypto map wenmap 1 ipsec-isakmp
match address 100
set transform-set wentran
set peer 200.1.1.1
exit

int fa0/0
crypto map wenmap

Commands to configure the router on the right

en
conf t
crypto isakmp policy 1
encryption aes
hash sha
group 2
authentication pre-share
lifetime 3600
exit
crypto isakmp key zhangsan address 100.1.1.1

access-list 100 permit ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255
crypto ipsec transform-set wentran esp-aes esp-sha-hmac

crypto map wenmap 1 ipsec-isakmp
match address 100
set transform-set wentran
set peer 100.1.1.1
exit

int fa0/0
crypto map wenmap

4) From a PC, ping a PC at the other company continuously to test connectivity.

**Experiment 2:** Based on Experiment 1, both companies must also have Internet access without affecting the VPN tunnel.

Steps:

1) Configure IP addresses on the router interfaces and the server

    **Commands to configure a router interface IP**

    en                              # enter privileged mode
    conf t                          # enter global configuration mode
    int Fa0/x                       # enter the interface to configure
    ip add <IP> <subnet mask>       # configure the IP, e.g.: ip add 150.1.1.254 255.255.255.0
    no shut                         # bring the interface up

2) Configure NAT so the intranet can reach the Internet

    **Configure the Beijing headquarters router (change the interface numbers and IPs to your own)**

    **Define the inside interface**

    en                      # enter privileged mode
    conf t                  # enter global configuration mode
    int fa0/1               # enter the interface to configure
    ip nat inside           # mark the interface as the inside (intranet) interface
    exit

    **Define the outside interface**

    conf t                  # enter global configuration mode
    int fa0/0               # enter the interface to configure
    ip nat outside          # mark the interface as the outside (Internet) interface
    exit                    # back up one level

    **Define the inside address pool**

    conf t                  # enter global configuration mode
    acc 101 deny ip 192.168.0.0 0.0.255.255 172.16.0.0 0.0.255.255

            Denies traffic from the 192.168.x.x networks to the 172.16.x.x networks (no source-address translation for it). This command does not affect the Experiment 1 tunnel: this ACL is 101 while Experiment 1 uses 100, and this ACL is not attached to any interface, so there is no risk of [ACL filtering](https://blog.csdn.net/weixin_43263566/article/details/128207685 "ACL技术") dropping 192.168.x.x traffic to other networks.

    acc 101 permit ip any any        # add all other addresses to pool 101 and permit them all (except 192.168.x.x to 172.16.x.x)
    do show ip access-list <acl>     # view the ACL; the ACL number is optional, omit it to see all ACLs
    exit                             # back up one level

    **Configure dynamic PAT (translate to the outside interface address)**

    conf t
    ip nat inside source list 101 int fa0/0 overload   # if the source IP matches address pool 101, replace it with the public IP on interface fa0/0 and then translate the port

Test it.

    **Configure the Shanghai branch router (change the interface numbers to your own)**

    **Define the inside address pool (all other commands are the same; only the IPs here are swapped)**

    acc 101 deny ip 172.16.0.0 0.0.255.255 192.168.0.0 0.0.255.255   # deny 172.16.x.x to 192.168.x.x (no source-address translation)
    acc 101 permit ip any any                                         # add all other addresses to pool 101 and permit them all (except 172.16.x.x to 192.168.x.x)

Test it.

**Experiment 3:** Based on Experiments 1 and 2, the Beijing headquarters and the newly established Guangzhou branch must also establish a VPN tunnel.

Steps:

1) Configure IP addresses on the router interfaces and the server

    **Commands to configure a router interface IP**

    en                              # enter privileged mode
    conf t                          # enter global configuration mode
    int Fa0/x                       # enter the interface to configure
    ip add <IP> <subnet mask>       # configure the IP, e.g.: ip add 10.1.1.1 255.255.255.0
    no shut                         # bring the interface up

2) Configure a default route on the router's Internet-facing side

    conf t                              # enter global configuration mode
    ip route 0.0.0.0 0.0.0.0 120.1.1.254
    exit                                # back up one level
    do show ip route                    # view the routing table

3) Configure VPN tunnel

Commands to configure your own router

en
conf t
crypto isakmp policy 1
encryption aes
hash sha
group 2
authentication pre-share
lifetime 3600
exit
crypto isakmp key zhangsan address 100.1.1.1

access-list 102 permit ip 10.1.0.0 0.0.255.255 192.168.0.0 0.0.255.255
crypto ipsec transform-set wentran esp-aes esp-sha-hmac

crypto map wenmap 1 ipsec-isakmp
match address 102
set transform-set wentran
set peer 100.1.1.1
exit

int fa0/1
crypto map wenmap

Configure the Beijing router

    sh run                              # show the running-config, where every configuration made on the router lives

Configuration approach:

    **(1) Phase 1** currently only points at the Shanghai branch's public IP, 200.1.1.1; we now need one more entry pointing at the Guangzhou branch's public IP, 120.1.1.1. The rest of the phase 1 settings can be shared, so the phase 1 commands are:

    en                                              # enter privileged mode
    conf t                                          # enter global configuration mode
    crypto isakmp key zhangsan address 120.1.1.1    # pre-shared key bound to Guangzhou's public IP
    do sh run                                       # show the running-config and check the configuration just entered

(2) Before this, phase 2 configured ACL 100 so that 192.168.x.x could use the VPN tunnel to reach the Shanghai branch's 172.16.x.x networks. Now we need one more VPN tunnel so that 192.168.x.x can also reach the Guangzhou branch's intranet, the 10.1.x.x networks. The other phase 2 settings can be shared, so the phase 2 commands are:

    conf t                                          # enter global configuration mode
    access-list 102 permit ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255   # add an entry to ACL 102 on the Beijing router allowing 192.168.x.x to reach 10.1.x.x. ACL 100 is already used for Beijing-to-Shanghai traffic, so the entry must not be added to ACL 100
    do sh run                                       # show the running-config and check the configuration just entered

    **(3) Phase 3** is configuring the crypto MAP

    conf t                                          # enter global configuration mode
    crypto map wenmap 2 ipsec-isakmp                # enter crypto-map configuration mode. Creates a map entry named wenmap with sequence number 2. The map name is the same as in Experiment 1, and wenmap is already applied to the interface; the entries are told apart by sequence number, the earlier one being 1 and this one 2
    match address 102                               # bind the phase-2 data-connection ACL 102; in simple terms, use ACL 102 for matching
    set transform-set wentran                       # traffic matching the ACL is encrypted and authenticated with the transform set wentran defined in Experiment 1
    set peer 120.1.1.1                              # the peer's public IP (here the Guangzhou branch's public IP)

    **(4)** The Beijing-to-Guangzhou VPN tunnel is now configured, but communication still fails: in Experiment 2 we configured NAT with **PAT** on the Beijing headquarters router, and **PAT** rewrites the frame's source IP to the public IP. Beijing-to-Guangzhou traffic must go through the VPN tunnel, so we need an exemption that stops PAT from translating it:

    **Insert an entry into the ACL**

    conf t                                          # enter global configuration mode
    ip access-list extended 101                     # enter ACL 101 to modify it
    15 deny ip 192.168.0.0 0.0.255.255 10.1.0.0 0.0.255.255   # insert the entry at sequence number 15
    exit                                            # back up one level
    do show ip access-list 101                      # view the ACL; the number is optional, omit it to see all ACLs

4) Test connectivity

    **First, from the Beijing PC, browse the Internet and ping the Shanghai PC**

    **Then have the Guangzhou PC ping the Beijing PC**

**Experiment 4:** Based on Experiments 1-3, no VPN tunnel is built between Guangzhou and Shanghai, yet Guangzhou and Shanghai must still be able to communicate securely

(1) The only VPN tunnel Guangzhou has is the one to Beijing. We need to add an entry to Guangzhou's ACL matching Guangzhou-to-Shanghai traffic.

    **Purpose:** because the Guangzhou branch's VPN tunnel points at Beijing, once we add an entry matching Guangzhou-to-Shanghai traffic to the ACL, traffic from a Guangzhou PC to a Shanghai PC is also routed to the Beijing headquarters router. We then adjust the ACL on the Beijing headquarters router so that it forwards the traffic on to the Shanghai branch (the Beijing-to-Shanghai VPN tunnel was configured earlier)

    **Add on the Guangzhou router**

    conf t                                          # enter global configuration mode
    acc 102 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255   # add an entry matching Guangzhou to Shanghai (i.e. Guangzhou-to-Shanghai traffic also goes through the VPN tunnel, which is the Guangzhou-to-Beijing tunnel)

A simple way to understand it (by analogy): there is no high-speed rail (VPN tunnel) from Guangzhou to Shanghai, but there is one from Guangzhou to Beijing. I can take the train to Beijing first and then change trains for Shanghai, because there is a high-speed rail (VPN tunnel) from Beijing to Shanghai.

(2) The VPN tunnel between the Beijing headquarters and the Shanghai branch has only one ACL entry, matching Beijing to Shanghai (192.168 to 172.16). Now we need to add an entry for Guangzhou to Shanghai (10.1 to 172.16).

    **Purpose:** let the Guangzhou-to-Shanghai traffic that arrives at Beijing headquarters be forwarded by the Beijing router on to Shanghai, giving Guangzhou and Shanghai secure communication without paying for another VPN tunnel.

    **Add on the Beijing router**

    conf t                                          # enter global configuration mode
    acc 100 permit ip 10.1.0.0 0.0.255.255 172.16.0.0 0.0.255.255   # add an entry matching Guangzhou to Shanghai (i.e. Guangzhou-to-Shanghai traffic also goes through this VPN tunnel, which is the Beijing-to-Shanghai tunnel: the change of trains to Shanghai)

    **The route Guangzhou-to-Shanghai traffic now takes**

(3) Traffic from Guangzhou can now reach the Shanghai branch, but the Shanghai branch still cannot send return packets to Guangzhou, nor can Shanghai reach Guangzhou.

    **Now configure Shanghai to Guangzhou. The idea is the same as for Guangzhou: Shanghai-to-Guangzhou traffic is first sent to the Beijing headquarters router and then forwarded to Guangzhou**

    conf t                                          # enter global configuration mode
    acc 100 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255   # add an entry matching Shanghai to Guangzhou

    **Note:** in Experiment 2 the Shanghai router was configured with NAT, which rewrites the source IP to the outside interface's IP. Here Shanghai-to-Guangzhou traffic goes through the VPN tunnel, so the source IP of the IP packet must not be translated; a filter is needed

Insert an entry into the ACL

    conf t                                          # enter global configuration mode
    ip access-list extended 101                     # enter ACL 101 to modify it
    15 deny ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255   # insert the entry at sequence number 15: 172.16 to 10.1 gets no NAT translation (Shanghai to Guangzhou is not translated)
    exit                                            # back up one level
    do show ip access-list <acl>                    # view the ACL; the number is optional, omit it to see all ACLs

(4) Make the Beijing headquarters router forward Shanghai-to-Guangzhou packets on to Guangzhou

    conf t                                          # enter global configuration mode
    acc 102 permit ip 172.16.0.0 0.0.255.255 10.1.0.0 0.0.255.255   # add an entry matching Shanghai to Guangzhou. Note it must go into the ACL of the Guangzhou-Beijing VPN tunnel, which here is 102; Beijing-Shanghai is 100

(5) Test the network connectivity from Guangzhou to Shanghai and from Shanghai to Guangzhou
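Added example, not part of the original tutorial: a Python model of the processing order given in section 7 (route, then NAT, then the crypto map) populated with the Experiment 1-4 addressing, so the NAT-exemption problem fixed in Experiment 3 step (4) and the Guangzhou-Beijing-Shanghai relay of Experiment 4 can be checked offline. Host addresses (x.x.1.10) and 8.8.8.8 are constructed test values.

```python
"""Model of the tutorial's outbound order on a site router: NAT runs first,
then the crypto map. Site prefixes, ACL numbers and public IPs come from
Experiments 1-4; host addresses and 8.8.8.8 are constructed test values."""
import ipaddress
from typing import Dict, List, Tuple

Ace = Tuple[str, str, str, str, str]  # (action, src, src_wildcard, dst, dst_wildcard)


def ip_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored, so
    0.0.255.255 compares only the first two octets."""
    care = ~ip_int(wildcard) & 0xFFFFFFFF
    return (ip_int(addr) & care) == (ip_int(base) & care)


def acl_lookup(acl: List[Ace], src: str, dst: str) -> str:
    """First matching entry wins; every Cisco ACL ends in an implicit deny."""
    for action, s, s_wc, d, d_wc in acl:
        if wildcard_match(src, s, s_wc) and wildcard_match(dst, d, d_wc):
            return action
    return "deny"


class SiteRouter:
    def __init__(self, name, public_ip, lan, nat_acl, crypto_map):
        self.name, self.public_ip, self.lan = name, public_ip, lan
        self.nat_acl = nat_acl        # ACL named in 'ip nat inside source list ... overload'
        self.crypto_map = crypto_map  # [(seq, crypto_acl, peer)] in sequence order

    def egress(self, src: str, dst: str, from_inside: bool = True) -> Tuple[str, str, str]:
        """Fate of a packet leaving the outside interface: PAT first, then the
        crypto map is searched with the (possibly rewritten) source. 'ip nat
        inside source' only translates inside->outside traffic, so a packet
        that arrived through a tunnel (from_inside=False) is not translated."""
        if from_inside and acl_lookup(self.nat_acl, src, dst) == "permit":
            src = self.public_ip
        for _seq, acl, peer in self.crypto_map:
            if acl_lookup(acl, src, dst) == "permit":
                return ("vpn", peer, src)
        return ("clear", dst, src)    # ordinary routed traffic, no ESP


def permit(s: str, d: str) -> Ace:
    return ("permit", s, "0.0.255.255", d, "0.0.255.255")

def deny(s: str, d: str) -> Ace:
    return ("deny", s, "0.0.255.255", d, "0.0.255.255")

ANY = ("permit", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255")
BJ, SH, GZ = "192.168.0.0", "172.16.0.0", "10.1.0.0"


def build_sites(beijing_exemption: bool = True) -> Dict[str, SiteRouter]:
    """Final state after Experiment 4. beijing_exemption=False is the state
    before Experiment 3 step (4) inserted '15 deny ... 10.1.0.0' into ACL 101."""
    bj_nat = [deny(BJ, SH)] + ([deny(BJ, GZ)] if beijing_exemption else []) + [ANY]
    return {
        "Beijing": SiteRouter("Beijing", "100.1.1.1", (BJ, "0.0.255.255"), bj_nat, [
            (1, [permit(BJ, SH), permit(GZ, SH)], "200.1.1.1"),    # ACL 100
            (2, [permit(BJ, GZ), permit(SH, GZ)], "120.1.1.1")]),  # ACL 102
        "Shanghai": SiteRouter("Shanghai", "200.1.1.1", (SH, "0.0.255.255"),
            [deny(SH, BJ), deny(SH, GZ), ANY],                        # ACL 101
            [(1, [permit(SH, BJ), permit(SH, GZ)], "100.1.1.1")]),    # ACL 100
        "Guangzhou": SiteRouter("Guangzhou", "120.1.1.1", (GZ, "0.0.255.255"),
            [],                                                        # no NAT in Experiment 3
            [(1, [permit(GZ, BJ), permit(GZ, SH)], "100.1.1.1")]),    # ACL 102
    }


def trace(sites: Dict[str, SiteRouter], origin: str, src: str, dst: str) -> List[str]:
    """Follow a packet hop by hop, including the Experiment 4 relay
    Guangzhou -> Beijing -> Shanghai over two separate tunnels."""
    path, router, from_inside = [], sites[origin], True
    for _ in range(len(sites)):                           # bounded, so no loops
        kind, nxt, seen_src = router.egress(src, dst, from_inside)
        if kind == "clear":
            path.append(f"{router.name}: routed unprotected to {dst} with source {seen_src}")
            return path
        path.append(f"{router.name}: ESP tunnel to {nxt}")
        router = next(r for r in sites.values() if r.public_ip == nxt)
        if wildcard_match(dst, *router.lan):
            path.append(f"{router.name}: delivered to {dst}")
            return path
        from_inside = False                               # arrived via tunnel: transit
    return path + ["no route"]
```

Running `trace(build_sites(beijing_exemption=False), "Beijing", "192.168.1.10", "10.1.1.10")` shows the packet leaving with a translated source and no tunnel, which is exactly the symptom the `15 deny` entry in ACL 101 cures.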

9. Remote access VPN

A VPN server needs to be set up at the company

  • The VPN server must authenticate the VPN client

  • The VPN server must issue permissions and an IP address to the VPN client

    **How it works:**

            **1)** The company sets up a remote VPN server. When an employee outside wants to access internal company resources, they dial in to the VPN server, which then issues a private IP address such as 172.16.1.1

            **2)** The employee's PC then uses this IP to access the company through the VPN server. A private address cannot survive on the Internet, so the employee's frames to the company are encrypted and wrapped in a new IP header (source: the public IP of the router the employee is currently connected to; destination: the company's public IP). When the frame reaches the company router it is decapsulated and the original frame restored

            **3)** After restoring it, the router takes the packet's source IP (172.16.1.1) out and replaces it with the company intranet gateway (192.1.1.1). The internal server being accessed therefore believes that 192.1.1.1 (the gateway) is talking to it, and sends its replies to the gateway (destination IP: the gateway). The gateway normally lives on the router, so the replies arrive at the router, which removes the current destination IP (the gateway), puts the employee's 172.16.1.1 back, encrypts the packet, wraps it in a new IP header (source: the company's public IP; destination: the public IP of the router the employee is connected to) and sends it out.

10. Experiment: simulating "climbing over the wall" (note: this is only to learn the principle; circumventing the firewall is illegal)

Steps:

**1)** Take a Windows machine and set its network to VMnet2

    **Add a second network adapter to the VPN server**

    **The first adapter connects to the domestic side, network VMnet1; the second connects to the foreign side, network VMnet2.**

The network of the Google server in the other country is set to VMnet2

2) Configure IPs for the virtual machines (domestic host: 200.1.1.2/24)

3) Deploy a web page with IIS on the Google server in the other country; it will be accessed later from the domestic host for testing

At this point the domestic host cannot reach the web page, but the VPN server can, and the domestic host can reach the VPN server.

4) Install the VPN server software on the VPN server PC and start it

**The port of the PPTP or L2TP VPN protocol is TCP 1723**

    netstat -an                # list the ports open on this machine

    **Start the VPN server**

5) Create an ordinary account on the VPN server PC so that other PCs wanting to get past the firewall can use it to dial in.

6) Open the VPN server and configure NAT address translation, so that when a domestic PC accesses a foreign website its private address is translated to the VPN server's public IP; the foreign website is then accessed as the VPN server, bypassing the firewall (the Great Firewall)

    **Configure the private addresses issued to PCs that dial in to the VPN**

    **Configure NAT address translation**

    **Select the outside interface so that traffic leaving through it is address-translated**

    **The VPN server is now set up**

7) Dial in to the VPN from the WinXP domestic host. This dial-up function is built into Windows; the method differs between XP and Windows 10, so search online or download a dial-up tool.

8) From the WinXP domestic host, visit the Google website

Notice:

    Once you have dialled in to the VPN server, your PC also accesses domestic websites with the identity of the foreign VPN server, which has some consequences: the access may fail or be isolated by the Great Firewall. Accessing devices on the same LAN as you is not affected. (In simple terms: once connected to the VPN, all your traffic goes through the VPN tunnel except traffic to hosts on the same Wi-Fi or wired LAN as you.)

Extended knowledge: the PC also has a routing table

    route print                # view the routing table


Origin blog.csdn.net/Javachichi/article/details/131755284