What Architects Must Know Series: Network Security and Protection Architecture

Author: Zen and the Art of Computer Programming

1 Introduction

"Network security", as one of the important research directions in the computer field, has become a hot topic in governments, enterprises, financial institutions and other industries. Under this broad topic, the construction of network security protection systems has gradually become the focus of the industry.

This topic introduces basic knowledge and key technologies related to network security, and uses practical cases to describe the construction process and technical implementation of a network security protection system, including network access control, intrusion detection, traffic filtering, security situational awareness, attack response, information leakage monitoring and the attack defense system.

2. Basic concepts and terminology

2.1 OSI seven-layer model

The OSI (Open Systems Interconnection) seven-layer protocol model, referred to as the OSI model for short, defines a seven-layer structure for computer communication: the physical layer, data link layer, network layer, transport layer, session layer, presentation layer and application layer. Each layer has a corresponding protocol stack that processes the data packets exchanged at that layer: it applies its own processing to the packets handed down from the layer above and then forwards them to the layer below. As shown below:

2.2 TCP/IP four-layer model

TCP/IP (Transmission Control Protocol/Internet Protocol) is the protocol suite used for Internet interconnection. It consists of four layers: the link layer, network layer, transport layer and application layer. The link layer is responsible for encapsulating data into frames and transmitting them to the target computer, the transport layer provides reliable end-to-end data transmission services, and the application layer provides users with the various application protocols, such as HTTP, FTP and SMTP.

The TCP/IP model structure is shown in the figure below:

2.3 VPN technology

VPN stands for Virtual Private Network. VPN technology uses a public or private network to open an encrypted network connection between two different networks, which can pass through firewalls or routers that would otherwise block the traffic. LANs established within operators' networks can also be connected, enabling interconnection between any locations in the world. VPN services can provide various security protection mechanisms, such as identity authentication, access control, traffic control and encrypted transmission. According to how a VPN is deployed, VPNs are divided into three types: site-to-site VPN, remote user VPN and enterprise VPN.

2.4 SSL/TLS protocol

Both SSL and TLS are encrypted transmission protocols. SSL, short for Secure Socket Layer (hereinafter referred to as SSL), is a standard secure socket layer protocol designed by Netscape. Later, Microsoft and Google acquired SSL, renamed it Microsoft SSL (hereinafter referred to as MS-SSL) and launched their own version, TLS. Both SSL and TLS aim to provide a secure communication environment and prevent third parties from eavesdropping on, tampering with or forging communication content.

3. Network access control

Network Access Control (NAC) refers to the process and methods of managing access rights to network resources in an organization. It covers network devices, servers, personal computers, mobile devices and other network components, and formulates access control policies based on network topology, network policies, system roles, resource attributes and similar factors.

There are three main types of network access control policies:

  • Data access control: controls the flow of data and restricts direct access to network resources, so that only authorized people can access network data;
  • Session control: controls when and how users log in to network resources, and prevents illegal logins;
  • Audit trail: records network activity logs, audits network operation records, and identifies abnormal behavior.

Network access control is an automated control system based on network topology, designed to ensure the security, integrity and availability of systems and data within the enterprise network. When an attacker intrudes into a network, the system should first detect the attacker's presence and then take the necessary countermeasures to prevent harm. Network access control is therefore an important part of ensuring network security.

4. Intrusion detection

An intrusion detection system (IDS) detects malicious activity or abnormal behavior on the network by analyzing network traffic, logs and similar sources, and then performs threat discovery, detection and early warning for computer systems. Intrusion detection systems help enterprises discover infected systems, personnel or equipment and take the necessary countermeasures.

Intrusion detection systems generally include three parts:

  1. Detection module: collects network traffic data and analyzes it in real time.
  2. Analysis module: performs complex calculations on the network traffic data to determine whether the traffic contains anomalies.
  3. False negative module: performs statistical analysis on the detection results to improve the accuracy of the system.

Intrusion detection systems are generally deployed in host-based, gateway-based or server-based form, or as a combination of these. Because system integration is complex, it is difficult to guarantee both coverage and accuracy. Therefore, on an increasingly active network security battlefield, more and more companies choose value-added solutions such as network intrusion detection systems, cloud security centers and endpoint security centers.

5. Traffic filtering

Traffic Filtering is a technology used by network devices to filter and block malicious communications. This technology can block communications from specified IP addresses and ports, thereby resisting the malicious behavior of attackers.

Traffic filtering generally uses network card-level traffic shaping technology, which only allows data packets that match certain rules to pass. The rules are generally formulated according to application requirements. Traffic filtering has become mainstream because it can effectively resist targeted attacks such as DDoS attacks, web attacks, viruses and Trojans.

To exert its full defense capability, the traffic filtering system also needs to cooperate with other network security technologies, such as traffic scheduling, access control and intrusion detection.
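As an added example (not from the original article), the rule-matching logic behind the "only packets that match certain rules pass" approach described above, with the two properties a filtering design depends on: first-match evaluation and default deny. The ruleset, the server address 192.0.2.10 and the blocked source range 203.0.113.0/24 are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source network in CIDR notation
    dst: str = "0.0.0.0/0"           # destination network in CIDR notation
    dport: Optional[int] = None      # None matches any destination port
    proto: Optional[str] = None      # None matches any protocol

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.dport in (None, pkt.dport)
                and self.proto in (None, pkt.proto))

def evaluate(rules, pkt):
    """First matching rule decides; a packet matching no rule is dropped (default deny).
    Returns (action, index of the deciding rule or None)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", None

# Constructed ruleset for a web server at 192.0.2.10 (documentation addresses):
# block a known-bad source range first, then expose HTTPS publicly and SSH only to the LAN.
RULES = [
    Rule("deny", src="203.0.113.0/24"),
    Rule("allow", dst="192.0.2.10/32", dport=443, proto="tcp"),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.10/32", dport=22, proto="tcp"),
]
# The same rules with the block moved last: the public HTTPS rule now shadows it,
# so a packet from the blocked range to port 443 is allowed. Rule order matters.
MISORDERED = [RULES[1], RULES[2], RULES[0]]
```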

6. Security situational awareness

Security situational awareness (Security Information and Event Management) refers to the collection, integration, analysis, storage and release of security-related information, together with the process of responding to and handling security events. It helps enterprises grasp the dynamics of network security in a timely manner and gives the organization credible network security information support, reducing the likelihood of network security incidents.

Security situational awareness systems generally include three functions:

  1. Information collection: collects network security-related data, including network logs, attack data, scan reports, threat intelligence, etc.
  2. Data integration: unifies the collected security information, eliminating duplicate, erroneous and incomplete data.
  3. Data analysis: analyzes, classifies, retrieves, associates and synthesizes the integrated information to generate valuable security intelligence and improve the overall understanding of network security.

The security situation awareness system plays a vital role in responding to network security incidents. It can help enterprises promptly discover network security threats, accurately locate the source of network attacks, and investigate and block attacks to avoid serious accidents.
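As an added example (not from the original article), the three functions above, collection, integration and analysis, carried through on constructed firewall and SSH authentication log lines; it also illustrates the IDS analysis module from section 4. The log formats, addresses and the correlation rule (a firewall deny followed by three or more failed logins from the same source) are assumptions chosen for this example.

```python
import re
from collections import defaultdict

# Constructed sample events (source, raw line); these are not real logs.
RAW_EVENTS = [
    ("fw",   "2024-05-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22"),
    ("fw",   "2024-05-01T10:00:01 DENY src=203.0.113.5 dst=192.0.2.10 dport=22"),
    ("auth", "2024-05-01T10:00:05 sshd: Failed password for root from 203.0.113.5"),
    ("auth", "2024-05-01T10:00:07 sshd: Failed password for admin from 203.0.113.5"),
    ("auth", "2024-05-01T10:00:09 sshd: Failed password for root from 203.0.113.5"),
    ("auth", "2024-05-01T10:00:30 sshd: Accepted password for ops from 198.51.100.7"),
    ("auth", "truncated line with no timestamp"),
]
FW_RE = re.compile(r"^(\S+) (ALLOW|DENY) src=(\S+) dst=(\S+) dport=(\d+)$")
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")

def normalize(source, line):
    """Collection: map one raw line onto a common schema, or None if it cannot be parsed."""
    m = (FW_RE if source == "fw" else AUTH_RE).match(line)
    if not m:
        return None
    if source == "fw":
        return {"ts": m[1], "src": m[3], "type": "fw_" + m[2].lower(), "detail": m[5]}
    return {"ts": m[1], "src": m[4], "type": "auth_" + m[2].lower(), "detail": m[3]}

def integrate(raw):
    """Integration: drop unparsable events and exact duplicates, preserving order."""
    seen, events = set(), []
    for source, line in raw:
        ev = normalize(source, line)
        key = ev and tuple(sorted(ev.items()))
        if key and key not in seen:
            seen.add(key)
            events.append(ev)
    return events

def correlate(events, fail_threshold=3):
    """Analysis: associate a firewall deny with repeated failed logins from the same source."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e["type"] == "auth_failed"]
        if any(e["type"] == "fw_deny" for e in evs) and len(fails) >= fail_threshold:
            alerts.append({"src": src, "failed_logins": len(fails),
                           "accounts": sorted({e["detail"] for e in fails})})
    return alerts
```

Running `correlate(integrate(RAW_EVENTS))` yields one alert for 203.0.113.5; the duplicate firewall line and the truncated line are discarded during integration rather than inflating the count.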

7. Attack response

Cyber attack response is the feedback mechanism that follows a network security incident: how an enterprise responds after receiving notice of a security incident, so as to ensure the long-term, stable operation of its network security.

Attack response generally consists of several stages:

  1. Anti-attack stage: enterprises deploy different security protection mechanisms for different attack methods to reduce the risk of being attacked.
  2. Assessment phase: evaluate the effectiveness of countermeasures and strategies, examine the type, scale and scope of the attack, and develop a follow-up action plan.
  3. Governance stage: clarify and assign responsibilities and compensation obligations, and continuously track and maintain the network security status.
  4. Recovery phase: restore normal business operations and enhance the company's security awareness.

Attack response systems generally use various tools and processes, including vulnerability management, threat modeling, external coordination, emergency response, anti-terrorism response, and regular assessment and repair. These tools and processes help enterprises analyze and respond to cyber security incidents quickly and effectively.

8. Information leakage monitoring

Information leakage monitoring refers to an enterprise establishing an information leakage warning mechanism that monitors the enterprise's network and data security status in real time, detects information leakage behavior, and activates the defense mechanism in time to avoid losses caused by information leakage.

Information leakage monitoring generally includes the following five elements:

  1. Hidden danger discovery: the system integrates the three dimensions of risk monitoring, vulnerability monitoring and security configuration management, providing early warning of security threats and potential risks and helping developers reduce security vulnerabilities and illegal operations.
  2. Security incident discovery: the system analyzes network traffic and logs to identify key fields, important information and malicious operations, helping administrators discover, analyze and deal with security threats in a timely manner.
  3. Risk analysis: the system analyzes and mines detailed information about security threats to find internal risk points and external threat points, helping administrators formulate security prevention strategies.
  4. Early warning notification: the system sends real-time notifications of security threats to administrators based on preset trigger conditions, prompting them to attend to and resolve security risks.
  5. Mitigating damage: in addition to sending real-time notifications of security threats to administrators, the system actively collects, analyzes, filters and discloses network data to provide enterprises with data security risk prevention solutions.

The information leakage monitoring system can improve the level of corporate network security and prevent losses caused by information leakage. It can effectively ensure the security of network data and systems and reduce the security risks of users and employees.

9. Attack defense system

An attack defense system (Cyber Defense Ecosystem) is a system framework for ensuring network security. It consists of infrastructure, boundary protection, business protection, network attack detection and response, system management, compliance management and support, and related components.

The attack defense system includes four levels, which are the organizational layer, infrastructure layer, business protection layer, and network attack defense layer.

  • Organizational layer: network security management, information security management, incident response and management, security training, formulation of legal policies and regulations, security supervision, etc.
  • Infrastructure layer: security hardening of network equipment and systems, security optimization of basic networks, deployment of boundary protection facilities, deployment of intrusion detection and intrusion prevention systems, management and supervision of network infrastructure, etc.
  • Business protection layer: design and development of business systems, detection and isolation of business traffic, classification and isolation of business data, management and authentication of business accounts, encryption and protection of business applications, etc.
  • Network attack defense layer: information collection, information verification, threat analysis and preemption, threat source tracing, attack detection and protection, attack response and recovery, business rollback and restoration, etc.

The attack defense system is an effective framework for network security protection and can substantially improve an organization's network security capabilities. At the same time, it provides different defense strategies for different attack methods and targets to ensure the organization's network security.


Origin blog.csdn.net/universsky2015/article/details/133446740