[Network security equipment] UTM, GAP, audit system, network antivirus wall, bastion host

Preface: Random thoughts: I have been busy with work recently and don't have much time to devote to learning game development and production. As I study, I feel that the more I learn, the faster I forget it, so I decided to record it. On the one hand, it is a personal record; on the other hand, it is to raise some questions and discuss them with everyone.

PS: I have personally completed the study of three security protection products: firewall, IDS, and IPS. I probably won't be able to write them down now; if I am interested or organize them later, I may write them up again.

Table of contents

1. Unified Threat Management (UTM)
   1. Basic functions and features of UTM
   2. Typical technologies used by UTM, and its advantages and disadvantages
2. Gatekeeper (GAP)
   1. Network isolation technology
   2. Gatekeeper
3. Network audit system
4. Network antivirus wall
5. Bastion host


1. Unified Threat Management (UTM)

Network attacks have gradually escalated from simple network-layer data attacks to multi-level hybrid attacks, and the variety of threat means and methods has greatly increased the severity of the harm. Traditional security protection products such as stateful inspection firewalls, IDS, and host-based antivirus software are becoming increasingly ineffective against this new generation of security threats. To defend effectively against today's hybrid threats, new types of security equipment are needed.

UTM is a specialized device composed of hardware, software and network technology. It provides one or more security functions and integrates multiple security features into a single hardware device, forming a standard unified management platform. UTM focuses on the device and on threat management: it is dedicated to eliminating various network security threats and is transparent to end users.

1. Basic functions and features of UTM

The basic functions of a UTM are: network firewall, network intrusion detection/prevention, and gateway antivirus. Depending on user needs, one or more other security features may be provided.

The characteristics of UTM are as follows:

a) Deep inspection: using deep inspection (based on deep packet inspection, DPI) gives it greater detection depth than stateful packet inspection, so it can deal with more threats;

b) Per-deployment differences: since each UTM is configured to its user's needs, deployed UTMs usually differ from one another;

c) Dynamic update: UTM is a dynamic security device that can be continuously updated;

d) Highly integrated;

e) Full protocol-layer defense: UTM can protect all seven layers of the OSI seven-layer network model;

f) Advanced detection technology to reduce false positives (a false positive is normal traffic marked as abnormal);

g) Supported by highly reliable and high-performance hardware platforms;

h) Integrated unified management.

2. Typical technologies used by UTM, and its advantages and disadvantages

Typical technologies used by UTM include the following:

Complete Content Protection (CCP): real-time protection against network threats at all levels of the network model;

ASIC acceleration: a platform that uses ASIC chips to provide gigabit-level real-time application-layer security services;

Customized operating system (OS);

Compact Pattern Recognition Language (CPRL): designed to accelerate the large amount of computation that complete content protection requires;

Dynamic Threat Management Detection Technology (DTPS): seamlessly integrates the various security modules to improve detection accuracy.

The advantages of UTM: it can defend against mixed attacks, reduces complexity, avoids the growth in software installation work and servers, reduces maintenance, can work together with high-end software solutions, avoids the risk of misoperation, makes troubleshooting easier, is flexible to apply, centralizes security log management, and lowers cost through integration.

But there are also problems. A UTM integrates multiple components and has to handle every aspect of protection, which is a heavy test of hardware performance, and system stability is insufficient. Because a UTM integrates so many security products, it easily becomes a single point of failure for the system (once the UTM goes down, all of the system's security protection is lost), and each of its individual functions is often not the best among comparable products.

2. Gatekeeper (GAP)

In the face of new network attack methods, a new security protection concept and network security technology, "network isolation technology", has emerged, whose purpose is to isolate harmful attacks. It mainly exchanges data between two or more routable (TCP/IP) networks through non-routable protocols (IPX/SPX, NetBEUI, etc.). The concept of network isolation comes from manual barriers, manually operated gates and ferries; the gatekeeper concept comes mainly from the ferry, which allows data to be exchanged while the two networks and two hosts remain disconnected.

1. Network isolation technology

The Internet is built on TCP/IP, and every attack method can be reduced to an attack on some layer of the OSI data communication model. The direct idea is therefore to disconnect every layer of the OSI model of TCP/IP in order to eliminate attacks; this is the technical principle of network isolation.

Development of network isolation technology:

First-generation isolation technology, complete isolation: requires two separate sets of networks and systems, which is inconvenient to maintain and use.

Second-generation isolation technology, hardware card isolation: a hardware card is installed in the client; the hard disk and other storage devices are connected to the card first and then to the motherboard, so that the card controls the storage devices. This product has major security risks, however.

Third-generation isolation technology, data relay isolation: a relay system copies files in a time-sharing manner to achieve isolation. However, switching takes a long time, which slows down access, and common network applications are not supported.

Fourth-generation isolation technology, air switch isolation: uses a single-pole double-throw switch, but has many security and performance problems.

Fifth-generation isolation technology, secure channel isolation: achieves internal/external network isolation and data exchange through dedicated communication hardware and proprietary security protocols. It is the current direction of development for isolation technology.

The difference between network isolation and a firewall: a firewall guarantees as much security as possible on the premise of interconnection and interoperability; network isolation guarantees as much interconnection and interoperability as possible on the premise of security. If a connection cannot be made secure, it is disconnected.

Physical layer disconnection: without a physical-layer connection, no data link can be established on top of it.

Data link layer disconnection: the probability that one data transmission is correlated with the next is 0.

Network layer disconnection: strip away all IP protocols.

Transport layer disconnection: strip away TCP and UDP.

Session layer disconnection: eliminate interactive application sessions.

Presentation layer disconnection: eliminate cross-platform applications.

Application layer disconnection: eliminate or strip away all application protocols.

The isolation gatekeeper must disconnect all seven layers of the OSI model and implement "copying" of data or files.

Currently implemented technical means: network switch, real-time switching, one-way connection.

Network switch: A system includes two virtual systems and a data system, and the data exchange between the two virtual systems is realized through the data system.

Real-time switching: A switching device is shared between two systems.

One-way connection: data flows only from the high-security network to the low-security network.

Network isolation technology needs to have the following security points:

a) Have a high degree of self-security

In theory and in practice it is a higher security level than a firewall, and it requires at least two sets of host systems.

b) Ensure that networks are isolated

Ensure that network packets cannot be routed to the other side's network.

c) Ensure that only application data is exchanged between networks

The protocol part is stripped off first, so that only the application-layer data is passed across.

d) Strict control and detection of access to the Internet

Ensure that every data exchange is trustworthy and controllable.

e) Ensure network smoothness and application transparency while adhering to isolation.

2. Gatekeeper

The gatekeeper uses a solid-state switch with multiple control functions. There is no physical connection, logical connection or other communication path between the two independent host systems it connects. A gatekeeper is also called a security isolation and information exchange system.

A gatekeeper generally consists of three parts: an internal network processing unit, an external network processing unit and a dedicated isolation hardware switching unit.

At present there are two major categories of disconnection technology for network isolation in the world: dynamic disconnection, such as SCSI-based and bus-based gatekeeper technology, which is implemented through switching; and fixed disconnection, such as one-way transmission technology.
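To make the gatekeeper model concrete (all seven layers terminated on each host, a switching unit that is wired to only one side at a time, one-way flow, and an audit record of every exchange), here is an added toy simulation. It is not code from the original post or from any product; the class and function names, the file-type whitelist and the 1 MiB size limit are assumptions chosen for the example.

```python
import hashlib
MAX_BYTES = 1 << 20               # assumed policy: refuse files over 1 MiB
ALLOWED_EXT = {"txt", "csv"}      # assumed policy: file types allowed to cross

class IsolationSwitch:
    """Models the dedicated isolation hardware: one storage buffer wired to
    exactly one host ('inner' or 'outer') at a time, so an end-to-end link never
    exists. Only stripped application data (file name + bytes) is stored."""
    def __init__(self, one_way=True):
        self.side = "inner"       # host currently wired to the buffer
        self.buffer = None
        self.one_way = one_way    # only high-security (inner) -> low-security (outer)
        self.audit = []           # every exchange is recorded and controllable

    def connect(self, side):
        assert side in ("inner", "outer")
        self.side = side          # break-before-make: the old side is detached first

    def write(self, side, name, data):
        """Host 'side' drops a file in; TCP/IP and the application protocol
        were already terminated on that host, so no socket/IP/port gets here."""
        if side != self.side:
            raise PermissionError(f"{side} is not connected to the switch")
        if self.one_way and side == "outer":
            raise PermissionError("one-way mode: the outer host may not write")
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext not in ALLOWED_EXT or len(data) > MAX_BYTES:
            self.audit.append(("reject", side, name))
            return False
        self.buffer = (name, bytes(data))
        self.audit.append(("write", side, name, hashlib.sha256(data).hexdigest()))
        return True

    def read(self, side):
        if side != self.side or self.buffer is None:
            raise PermissionError(f"{side} has nothing to read")
        name, data = self.buffer
        self.buffer = None        # the buffer is emptied, leaving no residue
        self.audit.append(("read", side, name))
        return name, data

def ferry_inner_to_outer(switch, name, data):
    """One ferry cycle: inner writes, the switch flips, outer reads.
    Returns the delivered (name, data), or None if policy rejected the file."""
    switch.connect("inner")
    if not switch.write("inner", name, data):
        return None
    switch.connect("outer")
    return switch.read("outer")
```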

3. Network audit system

At present it is estimated that 20-30% of threats to a network come from outside and 70%-80% from inside. Traditional protection such as firewalls and IDS is limited, however, and has no good means of dealing with internal threats.

Network audit products are mainly used for post-event evidence collection and event tracking; behavioral audit and content audit; bypass deployment with port mirroring; and they have only a weak ability to block violations. They should be distinguished from Internet behavior management products.

Functions: implement a real-name system for Internet access, record access and outbound information, and alarm on sensitive information, so as to ensure work efficiency and business bandwidth.

4. Network antivirus wall

A network antivirus wall, also known as an antivirus gateway, protects the security of data entering and leaving the network by inspecting that data. It can perform virus scanning on data of five protocols: HTTP, FTP, SMTP, IMAP and POP3.

The difference between network antivirus and other security products:

a) The network antivirus wall focuses on virus filtering and blocking virus transmission, and also has a firewall access-control module; a firewall focuses on access control and controlling illegal access.

b) The network antivirus wall filters viruses at the network layer and blocks them from spreading over the network; antivirus software removes viruses that have already entered the operating system, based on operating-system viruses.

Technology:

Detection of data entering and leaving through the network antivirus wall: mainly based on signature matching.

Scanning and removal of viruses in detected data: at present, viruses cannot be detected on individual data packets, so all packets are restored to files at the gateway before virus processing.
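The reason packets are restored to files before scanning can be shown with a small added example (not code from the original post or from any antivirus product). It uses the harmless EICAR test string as the only signature and constructed sample traffic; the function names and the 20-byte packet size are assumptions. The streaming scanner at the end goes beyond the text by showing the carry-over window a gateway can use to avoid buffering whole files.

```python
SIGNATURES = {
    # EICAR test string: the harmless, industry-standard antivirus test signature
    "EICAR-Test-File": rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*",
}

def scan_bytes(data):
    """Signature matching: names of all signatures found in the data."""
    return sorted(name for name, sig in SIGNATURES.items() if sig in data)

def scan_per_packet(packets):
    """Naive gateway that inspects each packet payload on its own; a signature
    that spans a packet boundary is never seen in full."""
    hits = set()
    for _seq, payload in packets:
        hits.update(scan_bytes(payload))
    return sorted(hits)

def restore_file(packets):
    """Protocol restoration: reorder by sequence number and reassemble the file."""
    return b"".join(payload for _seq, payload in sorted(packets))

def scan_restored(packets):
    """What the antivirus wall does: restore the file first, then scan it."""
    return scan_bytes(restore_file(packets))

def scan_streaming(packets):
    """Scan in order as packets arrive, carrying the tail of the previous
    window so a signature split across a boundary is still matched, without
    holding the whole file in memory."""
    carry = max(len(sig) for sig in SIGNATURES.values()) - 1
    tail, hits = b"", set()
    for _seq, payload in sorted(packets):
        window = tail + payload
        hits.update(scan_bytes(window))
        tail = window[-carry:]
    return sorted(hits)

def make_packets(data, size=20):
    """Constructed sample traffic: chop a file into numbered payloads and
    deliver them in reverse order, as a gateway may see them."""
    count = (len(data) + size - 1) // size
    return [(i, data[i * size:(i + 1) * size]) for i in range(count)][::-1]

# Constructed sample: a mail attachment carrying the EICAR test string.
SAMPLE_FILE = b"attachment header\n" + SIGNATURES["EICAR-Test-File"] + b"\n"
```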

Network anti-virus wall scanning method:

a) Proxy server-based method:

Rely on the proxy server to restore the data, then use the scanning engine in the proxy server to scan for and remove viruses.

b) Method based on firewall protocol restoration:

Use the firewall's protocol restoration function to restore packets into files of the different protocols, send them to the corresponding virus scanning server for scanning, and then send them back for transmission.

c) Mail server-based method:

Use the mail server as the gateway, and install the corresponding mail-server version of the antivirus product on the mail server.

d) Information ferry product-based method:

The information ferry, commonly known as the gatekeeper, performs detection and removal with the antivirus module in the information ferry.

What the above four methods have in common is that scanning still has to be done by a scanning engine.

Filtration technology:

a) Protocol proxy

The mainstream solution is to form a protocol-proxy logical gateway in front of and behind the original physical gateway. After the network antivirus wall intercepts data, an antivirus engine inspects its content.

b) Transparent proxy

It is an extension of firewall technology and is implemented in hardware.

5. Bastion host

The bastion host, also called the operation and maintenance audit system, mainly implements the 4A functions: operation audit, authority control, access authentication, and identity management.

Origin blog.csdn.net/qq_50688324/article/details/132141303